Ippool assigns duplicate ip address

2003-12-17 Thread Paolo Ercolani
hi

I'm a newbie with FreeRADIUS. I'm managing a FreeRADIUS 0.9 box and I'm
trying to solve a problem.
On this box the ippool is configured, but it gives duplicate IPs. I'm trying
to understand if it's always or just sometimes. Anyway, it seems that
after rebooting freeradius it goes OK!

Can anyone help me?

Here is some of the configuration (if you need more, just tell me):

usercollide = no
..
 ippool vaslab_pool {

#  range-start,range-stop: The start and end ip
#  addresses for the ip pool
 range-start = xx.xx.xx.131
 range-stop = xx.xx.xx.190

 #  netmask: The network mask used for the ip's
 netmask = 255.255.255.128

 #  cache-size: The gdbm cache size for the db
 #  files. Should be equal to the number of ip's
 #  available in the ip pool
 cache-size = 800

 # session-db: The main db file used to allocate ip's to clients
 session-db = ${raddbdir}/db.ippool

 # ip-index: Helper db index file used in multilink
 ip-index = ${raddbdir}/db.ipindex
 }



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re[6]: ippool issue

2003-11-02 Thread Alexander Lunyov
Hello Paul,

Sunday, November 2, 2003, 9:49:54 AM, you wrote:

>> From: Alexander Lunyov
>> Sent: Saturday, 1 November 2003 6:32 AM

>> Thursday, October 30, 2003, 6:52:58 AM, you wrote:

>> rlm_ippool: Searching for an entry for nas/port: mynas.domain.ru/17
>> rlm_ippool: Allocating ip to nas/port: mynas.domain.ru/17
>> rlm_ippool: num: 1
>> rlm_ippool: Allocated ip 192.168.254.213 to client on nas mynas.domain.ru,port 17
>>   modcall[post-auth]: module "main_pool" returns ok for request 0
>> modcall: group post-auth returns ok for request 0
>> Sending Access-Accept of id 251 to x.x.x.2:4921
>> Framed-Compression = Van-Jacobson-TCP-IP
>> Idle-Timeout = 900
>> Framed-MTU = 576
>> Framed-Protocol = PPP
>> Service-Type = Framed-User
>> Framed-IP-Address = 192.168.254.213
>> Framed-IP-Netmask = 255.255.255.0
>> Finished request 0
>> Going to the next request
>> Thread 1 waiting to be assigned a request
>> rad_recv: Accounting-Request packet from host x.x.x.2:4924, id=101, length=11 5
>> Thread 2 assigned request 1
>> Waking up in 5 seconds...
>> Thread 2 handling request 1, (1 handled so far)
>> User-Name = "lan"
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> Framed-IP-Address = 192.168.254.213
>> Framed-IP-Netmask = 0.0.0.0
>> NAS-Identifier = "mynas.domain.ru"
>> NAS-Port-Type = Async
>> NAS-Port = 17
>> Acct-Status-Type = Start
>> Acct-Session-Id = "11080-lan1067627926"
>> Acct-Multi-Session-Id = ""
>> Acct-Delay-Time = 0
>> 
>> But why Framed-IP-Netmask changed from 255.255.255.0 to 0.0.0.0?

PH> Deranged NAS? What Netmask does the _client_ get?


Nov  3 07:51:14 zeus ppp[26241]: Phase: Radius: Request sent
Nov  3 07:51:14 zeus ppp[26241]: Phase: Radius(auth): ACCEPT received
Nov  3 07:51:14 zeus ppp[26241]: Phase:  VJ enabled
Nov  3 07:51:14 zeus ppp[26241]: Phase:  MTU 576
Nov  3 07:51:14 zeus ppp[26241]: Phase:  IP 192.168.254.235
Nov  3 07:51:14 zeus ppp[26241]: Phase:  Netmask 255.255.255.0


 It seems that the client is getting the right netmask.


-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




RE: Re[4]: ippool issue

2003-11-01 Thread Paul Hampson
> From: Alexander Lunyov
> Sent: Saturday, 1 November 2003 6:32 AM

> Thursday, October 30, 2003, 6:52:58 AM, you wrote:

> rlm_ippool: Searching for an entry for nas/port: mynas.domain.ru/17
> rlm_ippool: Allocating ip to nas/port: mynas.domain.ru/17
> rlm_ippool: num: 1
> rlm_ippool: Allocated ip 192.168.254.213 to client on nas mynas.domain.ru,port 17
>   modcall[post-auth]: module "main_pool" returns ok for request 0
> modcall: group post-auth returns ok for request 0
> Sending Access-Accept of id 251 to x.x.x.2:4921
> Framed-Compression = Van-Jacobson-TCP-IP
> Idle-Timeout = 900
> Framed-MTU = 576
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Framed-IP-Address = 192.168.254.213
> Framed-IP-Netmask = 255.255.255.0
> Finished request 0
> Going to the next request
> Thread 1 waiting to be assigned a request
> rad_recv: Accounting-Request packet from host x.x.x.2:4924, id=101, length=11 5
> Thread 2 assigned request 1
> Waking up in 5 seconds...
> Thread 2 handling request 1, (1 handled so far)
> User-Name = "lan"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 192.168.254.213
> Framed-IP-Netmask = 0.0.0.0
> NAS-Identifier = "mynas.domain.ru"
> NAS-Port-Type = Async
> NAS-Port = 17
> Acct-Status-Type = Start
> Acct-Session-Id = "11080-lan1067627926"
> Acct-Multi-Session-Id = ""
> Acct-Delay-Time = 0
> 
> But why Framed-IP-Netmask changed from 255.255.255.0 to 0.0.0.0?

Deranged NAS? What Netmask does the _client_ get?

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.




Re[4]: ippool issue

2003-10-31 Thread Alexander Lunyov
Hello Paul,

Thursday, October 30, 2003, 6:52:58 AM, you wrote:

>> rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
>>   modcall[post-auth]: module "main_pool" returns noop for request 0
PH> The only NOOP between these two lines is the one that checks if you've
PH> already got a Framed-IP-Address. As the below output indicates, you do
PH> already have one, so the rlm_ippool module NOOPs instead. If you set
PH> override=yes instead of override=no, the existing Framed-IP-Address in
PH> the response will be _replaced_ with one from the IP pool.

I have to be more careful with configuration next time. Thanks for showing
me the light :) Without any network configuration it works with
"override=yes"

rlm_ippool: Searching for an entry for nas/port: mynas.domain.ru/17
rlm_ippool: Allocating ip to nas/port: mynas.domain.ru/17
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.254.213 to client on nas mynas.domain.ru,port 17
  modcall[post-auth]: module "main_pool" returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 251 to x.x.x.2:4921
Framed-Compression = Van-Jacobson-TCP-IP
Idle-Timeout = 900
Framed-MTU = 576
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-IP-Address = 192.168.254.213
Framed-IP-Netmask = 255.255.255.0
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Accounting-Request packet from host x.x.x.2:4924, id=101, length=11 5
Thread 2 assigned request 1
Waking up in 5 seconds...
Thread 2 handling request 1, (1 handled so far)
User-Name = "lan"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 192.168.254.213
Framed-IP-Netmask = 0.0.0.0
NAS-Identifier = "mynas.domain.ru"
NAS-Port-Type = Async
NAS-Port = 17
Acct-Status-Type = Start
Acct-Session-Id = "11080-lan1067627926"
Acct-Multi-Session-Id = ""
Acct-Delay-Time = 0

But why Framed-IP-Netmask changed from 255.255.255.0 to 0.0.0.0?

PH> Alternatively, work out where the value 255.255.255.254 is coming from.
PH> It _might_ be a hint from the NAS, or there may be another module adding
PH> it (probably incorrectly).

It's coming from my LDAP radiusProfile and 'users' file, and I don't know why
it was there. A long time ago I configured radius with the help of some howto,
and I no longer know what that magic address is supposed to mean. I removed it
from LDAP and the 'users' file for now.

-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




Two questions about ippool

2003-10-30 Thread Agustín Orviz Camblor
Hello everybody:

We have FreeRADIUS 0.9.2 up and running with rlm_ippool and rlm_sql
(MySQL). We want to use the same server to do the accounting too.

We have a Nortel CVX 1800 with an L2TP tunnel against an ASN Bay Networks
router.

1.- The ASN doesn't pass the NAS port information in the access request,
so rlm_ippool returns NOOP. We have bypassed this check and it seems it
is working OK with the IP assignments. Is it a critical parameter for
managing the IP pools correctly?

2.- There is no "Framed-IP-Address" in the "Start" and "Stop"
accounting packets. I have not found a solution to record the IP
assigned by the rlm_ippool module in the MySQL database along with
the "Start" and "Stop" packets. Any ideas?

Thank you very much.

Regards.


-- 
 --
 Agustín Orviz Camblor            e-mail: [EMAIL PROTECTED]
 Servicios Avanzados - ISP        TeleCable de Asturias S.A.
 Parque Científico y Tecnológico  Edificio TeleCable
 Carretera de Cabueñes s/n        Tlf: +34 984191000
 33203 - Gijón - Asturias         Fax: +34 984191001
 ---




RE: Re[2]: ippool issue

2003-10-29 Thread Paul Hampson
> From: Alexander Lunyov
> Sent: Thursday, 30 October 2003 12:14 PM

>  What do you mean? NAS in the same logical network or radius server in the
>  same logical network?

>  For example, i want this ippool working with NAS.
> 
> ippool main_pool {
> range-start = 192.168.253.1
> range-stop = 192.168.253.254
> netmask = 255.255.0.0
> cache-size = 800
> session-db = ${raddbdir}/db.ippool
> ip-index = ${raddbdir}/db.ipindex
> override = no
> } 
> 
>  NAS is a FreeBSD box with 3 multiport cards and 2 network
>  interfaces. First iface is 192.168.33.127/24, second is
>  x.x.x.2/24 ('white' network). So when authentication of ppp session is done
>  and it's time to receive IP address for this session, radiusd cannot
>  find range for this NAS. It says
> 
> rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
> Thread 1 assigned request 0
> --- Walking the entire request list ---
> Threads: total/active/spare threads = 5/1/4
> Waking up in 5 seconds...
> Thread 1 handling request 0, (1 handled so far)
> User-Name = "lan"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
> CHAP-Challenge = 0x38328232349865433746313036313635
> NAS-Identifier = "zeus.domain.ru"
> NAS-Port-Type = Ethernet
> NAS-Port = 61
> 
> [authentification and other skip]
> 
> rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
>   modcall[post-auth]: module "main_pool" returns noop for request 0

The only NOOP between these two lines is the one that checks if you've
already got a Framed-IP-Address. As the below output indicates, you do
already have one, so the rlm_ippool module NOOPs instead. If you set
override=yes instead of override=no, the existing Framed-IP-Address in
the response will be _replaced_ with one from the IP pool.

I guess a debug output at that point would be useful... Hmm.

Alternatively, work out where the value 255.255.255.254 is coming from.
It _might_ be a hint from the NAS, or there may be another module adding
it (probably incorrectly).

This is completely unrelated to the network configuration of the NAS,
I think the confusion was caused by asking the (wrong) question, rather
than describing the problem, leading to a whole lot of unuseful answers,
and the confusion expressed at the top of this email.

> modcall: group post-auth returns noop for request 0
> Sending Access-Accept of id 239 to x.x.x.2:2740
> Framed-Compression = Van-Jacobson-TCP-IP
> Idle-Timeout = 10
> Framed-MTU = 576
> Framed-IP-Address = 255.255.255.254
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Finished request 0

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.




Re: Re[2]: ippool issue

2003-10-29 Thread Gustavo A. Lozano
You need an address in the RAS to act as a gateway...

You can configure any pool in whatever RAS but for example if the RAS is
a cisco you will need to do something like:

interface eth0 ip add xxx.xxx.xxx.1 secondary
interface eth0 ip add yyy.yyy.yyy.1 secondary 
..
...


and now you can assign address within the blocks xxx.xxx.xxx.xxx and
yyy.yyy.yyy.yyy

The thing is you need the RAS as gateway for the dial-in users

On Wed, 2003-10-29 at 20:14, Alexander Lunyov wrote:
> Hello Gustavo,
> 
> Wednesday, October 29, 2003, 8:42:51 AM, you wrote:
> 
> 
> 
> GAL> Sure you can.
> GAL> But if you do that you cant get routed to any place.
> 
> GAL> You need a gateway address within the same logical network.
> 
>  What do you mean? NAS in the same logical network or radius server in the
>  same logical network?
> 
>  For example, i want this ippool working with NAS.
> 
> ippool main_pool {
> range-start = 192.168.253.1
> range-stop = 192.168.253.254
> netmask = 255.255.0.0
> cache-size = 800
> session-db = ${raddbdir}/db.ippool
> ip-index = ${raddbdir}/db.ipindex
> override = no
> } 
> 
>  NAS is a FreeBSD box with 3 multiport cards and 2 network
>  interfaces. First iface is 192.168.33.127/24, second is
>  x.x.x.2/24 ('white' network). So when authentication of ppp session is done
>  and it's time to receive IP address for this session, radiusd cannot
>  find range for this NAS. It says
> 
> rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
> Thread 1 assigned request 0
> --- Walking the entire request list ---
> Threads: total/active/spare threads = 5/1/4
> Waking up in 5 seconds...
> Thread 1 handling request 0, (1 handled so far)
> User-Name = "lan"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
> CHAP-Challenge = 0x38328232349865433746313036313635
> NAS-Identifier = "zeus.domain.ru"
> NAS-Port-Type = Ethernet
> NAS-Port = 61
> 
> [authentification and other skip]
> 
> rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
>   modcall[post-auth]: module "main_pool" returns noop for request 0
> modcall: group post-auth returns noop for request 0
> Sending Access-Accept of id 239 to x.x.x.2:2740
> Framed-Compression = Van-Jacobson-TCP-IP
> Idle-Timeout = 10
> Framed-MTU = 576
> Framed-IP-Address = 255.255.255.254
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Finished request 0
> 
>   What should i do? Is there any 'magic word'? :)
> 
> 
> 
> GAL> On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:
> >> Hello freeradius-users,
> >> 
> >>   Is there a possibility to pool range of IP addresses for NAS
> >>   while NAS is not in that range? For example, if i try to pool
> >>   192.168.253.0/24 network for NAS with address 192.168.3.3 - it
> >>   says that nas/port not found for that NAS address (192.168.3.3).
> >>   is it possible to assign to NAS client IP address not from NAS
> >>   network?
> 
> 
> 
> 




Re[2]: ippool issue

2003-10-29 Thread Alexander Lunyov
Hello Gustavo,

Wednesday, October 29, 2003, 8:42:51 AM, you wrote:



GAL> Sure you can.
GAL> But if you do that you cant get routed to any place.

GAL> You need a gateway address within the same logical network.

 What do you mean? NAS in the same logical network or radius server in the
 same logical network?

 For example, i want this ippool working with NAS.

    ippool main_pool {
        range-start = 192.168.253.1
        range-stop = 192.168.253.254
        netmask = 255.255.0.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
    }

 NAS is a FreeBSD box with 3 multiport cards and 2 network
 interfaces. First iface is 192.168.33.127/24, second is
 x.x.x.2/24 ('white' network). So when authentication of ppp session is done and
 it's time to receive IP address for this session, radiusd cannot
 find range for this NAS. It says

rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
User-Name = "lan"
Service-Type = Framed-User
Framed-Protocol = PPP
CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
CHAP-Challenge = 0x38328232349865433746313036313635
NAS-Identifier = "zeus.domain.ru"
NAS-Port-Type = Ethernet
NAS-Port = 61

[authentification and other skip]

rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
  modcall[post-auth]: module "main_pool" returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 239 to x.x.x.2:2740
Framed-Compression = Van-Jacobson-TCP-IP
Idle-Timeout = 10
Framed-MTU = 576
Framed-IP-Address = 255.255.255.254
Framed-Protocol = PPP
Service-Type = Framed-User
Finished request 0

  What should i do? Is there any 'magic word'? :)



GAL> On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:
>> Hello freeradius-users,
>> 
>>   Is there a possibility to pool range of IP addresses for NAS
>>   while NAS is not in that range? For example, if i try to pool
>>   192.168.253.0/24 network for NAS with address 192.168.3.3 - it
>>   says that nas/port not found for that NAS address (192.168.3.3).
>>   is it possible to assign to NAS client IP address not from NAS
>>   network?





-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




Re: ippool issue

2003-10-29 Thread Gustavo A. Lozano
Sure you can.
But if you do that you can't get routed to any place.

You need a gateway address within the same logical network.


On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:
> Hello freeradius-users,
> 
>   Is there a possibility to pool range of IP addresses for NAS
>   while NAS is not in that range? For example, if i try to pool
>   192.168.253.0/24 network for NAS with address 192.168.3.3 - it
>   says that nas/port not found for that NAS address (192.168.3.3).
>   is it possible to assign to NAS client IP address not from NAS
>   network?




ippool issue

2003-10-29 Thread Alexander Lunyov
Hello freeradius-users,

  Is there a possibility to pool range of IP addresses for NAS
  while NAS is not in that range? For example, if i try to pool
  192.168.253.0/24 network for NAS with address 192.168.3.3 - it
  says that nas/port not found for that NAS address (192.168.3.3).
  is it possible to assign to NAS client IP address not from NAS
  network?

-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




Huntgroups and IPPOOL allocation based on NAS Request

2003-10-14 Thread Jim Watts
Hi

Currently attempting to set-up multiple ippools, which are correctly
assigned due to the NAS making the request.

--start huntgroups-

llgcis01-hunt   NAS-IP-Address == 127.0.0.1
btsurf01-hunt   NAS-IP-Address == 10.1.1.100


---end huntgroups


---start users

DEFAULT Huntgroup-Name == "llgcis01-hunt", Pool-Name := "llgcis01"
Fall-Through = Yes

DEFAULT Huntgroup-Name == "btsurf01-hunt", Pool-Name := "btsurf01"
Fall-Through = Yes

q4xvzfm0 Auth-Type := Local, User-Password =="5e7lvwqh"


---end users-



When using radtest, no dynamic ip is allocated



rad_recv: Access-Request packet from host 127.0.0.1:1968, id=235, length=60
User-Name = "q4xvzfm0"
User-Password = "5e7lvwqh"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns noop
rlm_realm: No '@' in User-Name = "q4xvzfm0", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
users: Matched q4xvzfm0 at 7
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [q4xvzfm0] (from client localhost port 10)
modcall: entering group post-auth
rlm_ippool: Could not find Pool-Name attribute.
  modcall[post-auth]: module "llgcis01" returns noop
rlm_ippool: Could not find Pool-Name attribute.
  modcall[post-auth]: module "btsurf01" returns noop
modcall: group post-auth returns noop
Sending Access-Accept of id 235 to 127.0.0.1:1968
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 235 with timestamp 3f8bceb2
Nothing to do.  Sleeping until we see a request.





Although if I change the users file to be (the difference being Huntgroup-Name :=)

---start users

DEFAULT Huntgroup-Name := "llgcis01-hunt", Pool-Name := "llgcis01"
Fall-Through = Yes

DEFAULT Huntgroup-Name := "btsurf01-hunt", Pool-Name := "btsurf01"
Fall-Through = Yes

q4xvzfm0 Auth-Type := Local, User-Password =="5e7lvwqh"


---end users---

An IP pool address is returned, although from the incorrect pool. Since the
radtest is from 127.0.0.1, I would expect the correct huntgroup
llgcis01-hunt to be determined and hence an IP address to be returned from the
correct pool.

Any help would be appreciated.

--Jim











RE: ippool - several subnets

2003-10-10 Thread Paul Hampson
> From: Alfred Dahl
> Sent: Friday, 10 October 2003 9:58 PM

> I want to create one large IP-pool consisting of several subnets (not
> necessarily sequenced), and then distribute IP-addresses to all my clients
> from this pool (i.e. 1.2.3.0/24 + 1.2.10.0/22)

> What would be the simplest way to accommodate this?

The simplest way would be have two pool instances, and set override=no.

_I_ would suggest a grouping of two ippool instances where a NOOP result
gets failed over, and any other result is returned immediately... And
with override=no set.

See doc/configurable-failover for instructions.

However, these both assume that you don't mind if one pool fills before
the other is emptied... If that's a problem, you'd have to create a
custom db file that contains all the IPs you want, and none of the ones
you don't want. Once the DB exists, rlm_ippool doesn't care if they're
contiguous or not, it just picks the first free entry from the DB.

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.




ippool - several subnets

2003-10-10 Thread Alfred Dahl
Hello,

could someone help me figure out this:

I want to create one large IP-pool consisting of several subnets (not
necessarily sequenced), and then distribute IP-addresses to all my clients
from this pool (i.e. 1.2.3.0/24 + 1.2.10.0/22)

What would be the simplest way to accommodate this?



--
Med vennlig hilsen/Sincerely
Alfred H. Dahl
Hostmaster
Élla Kommunikasjon
Tlf: +47 3860 8575 Fax: +47 3860 8501





Re: rlm-ippool not deallocating ip addresses

2003-08-28 Thread Gustavo A. Lozano
Use 0.9

then you need to constantly see what IP is being used (using radwho) and
rebuilding the dbs.

Also you can test the CVS branch, the team is asking for people to test
the new module as soon as possible.

If you will use the CVS branch ok, if you will use the standard 0.9 post
again and I will post the programs and scripts needed to have the
database up to date.




On Thu, 2003-08-28 at 04:39, Mohsen Chirara wrote:
> Hi, I installed freeradius version 9. pre-1 (just before the version 9
> was released) on a debian system.
>  
> Everything is working fine except for the deallocation on rlm-ippool.
>  
> I have a pool defined in radiusd.conf :
>  
> ippool private_pool {
>  
> range-start = 172.16.4.1
> range-stop = 172.16.4.254
> netmask = 255.255.255.0
> cache-size = 5000
> session-db = ${raddbdir}/db.privatepool
> ip-index = ${raddbdir}/db.privateindex
> override = yes
> }
> 
>  
> The problem is after a day or 2, no more IP address are available, at
> first, freeradius deallocates IP addresses
> then it stops deallocating for some reason.
>  
> Any clue ?
>  
> Regards
> Mohsen
-- 
Gustavo A. Lozano Noldata Corporation
[EMAIL PROTECTED]   Calle 46 No. 40-19
CTO   Bogota D.C. Colombia
Noldata Corporation   http://noldata.com

I know not with what weapons World War III will be fought,
   but World War IV will be fought with sticks and stones.
   Albert Einstein






RE: rlm-ippool not deallocating ip addresses

2003-08-28 Thread Paul Hampson
From: Mohsen Chirara
Sent: Thursday, 28 August 2003 7:40 PM

> Hi, I installed freeradius version 9. pre-1 (just before the
> version 9 was released) on a debian system.

> Everything is working fine except for the deallocation on rlm-ippool.

> The problem is after a day or 2, no more IP address are available,
> at first, freeradius deallocates IP addresses then it stops
> deallocating for some reason.

Try using ippooltool (available on the 'net, you'll need to stop
FreeRADIUS to use it though) to see if your ippool has been
shrinking. If so, grab the latest CVS snapshot, and see if that
fixed the problem. (If you want to be safer, just grab rlm_ippool.c
from the latest CVS snapshot. It can just drop into place)

If the ippool's shrunk, rather than just having a whole bunch of
addresses that haven't been marked inactive, then the newer
rlm_ippool.c _should_ fix it.

Basically, this might be a known bug, and we're trying to find
people who're suffering it to test our solution before we
release 0.9.1.

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




rlm-ippool not deallocating ip addresses

2003-08-28 Thread Mohsen Chirara



Hi, I installed freeradius version 9. pre-1 (just before the version 9
was released) on a debian system.

Everything is working fine except for the deallocation on rlm-ippool.

I have a pool defined in radiusd.conf:

ippool private_pool {

    range-start = 172.16.4.1
    range-stop = 172.16.4.254
    netmask = 255.255.255.0
    cache-size = 5000
    session-db = ${raddbdir}/db.privatepool
    ip-index = ${raddbdir}/db.privateindex
    override = yes
}

The problem is after a day or 2, no more IP address are available, at
first, freeradius deallocates IP addresses
then it stops deallocating for some reason.

Any clue ?
 
Regards
Mohsen






patch: Caller Id not stored in ippool files

2003-06-20 Thread Jonathan Ruano
Hello all (TGiF!):

Not yet assimilated the rlm_ippool pseudo-code Paul posted (I haven't 
spent much time with it either), but I solved a little flaw in rlm_ippool.
While dumping the contents of the files (so to trace "the strange case
of disappearing IPs"), I noticed that no caller ids were stored.

I did a little patch that fixes it. While it's not very useful
(except for MPP detection, but the latter is proved not to be
working smoothly), at least gives more info about session log.

Jonathan.

--
Jonathan Ruano diff -urN org.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c 
new.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c
--- org.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c2002-10-11 
15:26:20.0 +0200
+++ new.freeradius-0.8.1/src/modules/rlm_ippool/rlm_ippool.c2003-06-20 
17:37:49.0 +0200
@@ -67,6 +67,7 @@
 
 #define ALL_ONES 4294967295
 #define MAX_NAS_NAME_SIZE 64
+#define MAX_CLI_SIZE 32
 
 static const char rcsid[] = "$Id: rlm_ippool.c,v 1.12 2002/10/11 13:26:20 kkalev Exp 
$";
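Review bot: The new MAX_CLI_SIZE define carries no comment saying that 32 is the whole buffer including the terminating NUL, so the longest caller ID that can be stored is 31 characters. A one-line comment next to the define would make that limit visible to anyone who later changes the value.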
 
@@ -94,7 +95,7 @@
 typedef struct ippool_info {
uint32_tipaddr;
charactive;
-   charcli[32];
+   charcli[MAX_CLI_SIZE];
 } ippool_info;
 
 typedef struct ippool_key {
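Review bot: cli[MAX_CLI_SIZE] is part of the record that gets written to the db file, because the last hunk stores the struct with data_datum.dsize = sizeof(ippool_info). The value stays 32 here, so existing files keep the same record size, but now that the size is a named constant it should carry a comment that changing it changes the stored record size and existing db files would no longer match.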
@@ -571,6 +572,11 @@
 */
if (key_datum.dptr){
entry.active = 1;
+
+   memset(entry.cli,0,MAX_CLI_SIZE);
+   if (cli != NULL)
+strncpy( entry.cli, cli, MAX_CLI_SIZE - 1);
+
data_datum.dptr = (ippool_info *) &entry;
data_datum.dsize = sizeof(ippool_info);
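Review bot: In the block under if (key_datum.dptr), the strncpy into entry.cli silently truncates any caller ID longer than MAX_CLI_SIZE - 1 bytes, and the hunk does not show where cli is set, so confirm it is initialised to NULL when the request carries no caller ID. Termination is correct thanks to the preceding memset, but any later comparison of the stored value against a full caller ID has to be limited to the same length. The strncpy line also has a stray extra space of indentation and "strncpy( entry.cli" spacing that differs from the memset call above it.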
 


ippool error next!

2003-06-10 Thread [EMAIL PROTECTED]
We made a lot of tests; I can now explain one thing.
This is the test:

killall radiusd
rm -f /var/log/radius/radacct/db.ippool /var/log/radius/radacct/db.ipindex
radiusd
./test_cree.sh
./test_free.sh
/usr/bin/iptool /var/log/radius/radacct/db.ippool /var/log/radius/radacct/db.ipindex -v | wc

The final result is 32 = size of my pool.
./test_cree.sh  -> simulates 40 auth requests for a PPP IP
./test_free.sh  -> and 40 accounting releases

All entries are good, like this:
NAS:192.168.100.22 port:0x20 - ipaddr:195.167.230.59 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x10 - ipaddr:195.167.230.35 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x19 - ipaddr:195.167.230.61 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x9 - ipaddr:195.167.230.55 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x12 - ipaddr:195.167.230.42 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x2 - ipaddr:195.167.230.50 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1b - ipaddr:195.167.230.31 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xb - ipaddr:195.167.230.62 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x14 - ipaddr:195.167.230.33 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x4 - ipaddr:195.167.230.36 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1d - ipaddr:195.167.230.47 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xd - ipaddr:195.167.230.53 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x16 - ipaddr:195.167.230.49 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1 - ipaddr:195.167.230.34 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x6 - ipaddr:195.167.230.32 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1f - ipaddr:195.167.230.38 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xa - ipaddr:195.167.230.46 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xf - ipaddr:195.167.230.60 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x18 - ipaddr:195.167.230.40 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x3 - ipaddr:195.167.230.41 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x8 - ipaddr:195.167.230.39 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xc - ipaddr:195.167.230.37 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x11 - ipaddr:195.167.230.51 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x15 - ipaddr:195.167.230.54 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1a - ipaddr:195.167.230.56 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x5 - ipaddr:195.167.230.57 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1e - ipaddr:195.167.230.43 active:0 cli:0 num:0
NAS:192.168.100.22 port:0xe - ipaddr:195.167.230.44 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x13 - ipaddr:195.167.230.58 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x17 - ipaddr:195.167.230.45 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x1c - ipaddr:195.167.230.52 active:0 cli:0 num:0
NAS:192.168.100.22 port:0x7 - ipaddr:195.167.230.48 active:0 cli:0 num:0


If I make another test with only test_cree.sh, which creates 40 auth requests,
I will have:
NAS:192.168.100.22 port:0x10 - ipaddr:195.167.230.54 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x9 - ipaddr:195.167.230.47 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x12 - ipaddr:195.167.230.43 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x2 - ipaddr:195.167.230.35 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xb - ipaddr:195.167.230.49 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x14 - ipaddr:195.167.230.45 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x4 - ipaddr:195.167.230.55 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xd - ipaddr:195.167.230.60 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x1 - ipaddr:195.167.230.59 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x6 - ipaddr:195.167.230.31 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xa - ipaddr:195.167.230.53 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xf - ipaddr:195.167.230.51 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x3 - ipaddr:195.167.230.61 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x8 - ipaddr:195.167.230.33 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xc - ipaddr:195.167.230.38 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x11 - ipaddr:195.167.230.56 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x15 - ipaddr:195.167.230.52 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x5 - ipaddr:195.167.230.42 active:1 cli:0 num:1
NAS:192.168.100.22 port:0xe - ipaddr:195.167.230.40 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x13 - ipaddr:195.167.230.58 active:1 cli:0 num:1
NAS:192.168.100.22 port:0x7 - ipaddr:195.167.230.62 active:1 cli:0 num:1

This means that something is deleted inside the database and I can't find why.

Lionel Drevon   [EMAIL PROTECTED]
Adeli   http://www.adeli.fr
618 Av. Gal de Gaulle   Tel 04 78 66 11 85
69760 Limonest  Fax 04 78 66 04 33




Re: ippool-tool

2003-03-10 Thread Kostas Kalevras
On Tue, 11 Mar 2003, Edwin Groothuis wrote:

> On Mon, Mar 10, 2003 at 02:19:48PM +0200, Kostas Kalevras wrote:
> > On Sun, 9 Mar 2003, Edwin Groothuis wrote:
> >
> > > Greetings,
> > >
> > > In the past three months or so since we've used FreeRadius we found
> > > out that our IP-Pool is running out of free addresses. Most likely
> > > because of the way we get packets in combination with the way our
> > > dialin-service is handled.
> >
> > There was a problem in versions older than 1.12 (cvs revision) of the ippool
> > module.
> > The module will free an ip address when it receives an accounting-stop
> > for an active nas/port combination or an access-request for the same
> > combination. So normally it should not run out of ip addresses.
>
> I'm running 0.8.1, but it's still in there.
> Maybe it's something weird with our setup, we get all accounting
> packets double: one from the NAS, one from the Accounting server
> and the stop-packets don't have the right NAS-IPaddress in the
> packet. What a mess

Well the ippool module relies on the NAS-IP-Address and NAS-Port attributes
being correct. It seems quite strange though that the NAS-IP-Address is
incorrect.

>
> Anyway, I'm using the ippooltool to keep us up and running :-)
>
> Edwin
> --
> Edwin Groothuis  |Personal website: http://www.mavetju.org
> [EMAIL PROTECTED]|Weblog: http://www.mavetju.org/weblog/weblog.php
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: ippool-tool

2003-03-10 Thread Edwin Groothuis
On Mon, Mar 10, 2003 at 02:19:48PM +0200, Kostas Kalevras wrote:
> On Sun, 9 Mar 2003, Edwin Groothuis wrote:
> 
> > Greetings,
> >
> > In the past three months or so since we've used FreeRadius we found
> > out that our IP-Pool is running out of free addresses. Most likely
> > because of the way we get packets in combination with the way our
> > dialin-service is handled.
> 
> There was a problem in versions older than 1.12 (cvs revision) of the ippool
> module.
> The module will free an ip address when it receives an accounting-stop
> for an active nas/port combination or an access-request for the same
> combination. So normally it should not run out of ip addresses.

I'm running 0.8.1, but it's still in there.
Maybe it's something weird with our setup, we get all accounting
packets double: one from the NAS, one from the Accounting server
and the stop-packets don't have the right NAS-IPaddress in the
packet. What a mess

Anyway, I'm using the ippooltool to keep us up and running :-)

Edwin
-- 
Edwin Groothuis  |Personal website: http://www.mavetju.org
[EMAIL PROTECTED]|Weblog: http://www.mavetju.org/weblog/weblog.php 



RE: ippool-tool

2003-03-10 Thread Kostas Kalevras
On Mon, 10 Mar 2003, Javier Castillo Alcibar wrote:

>
> Hello,
>
> What problem did you find in versions older than 1.12?? I cannot access web 
> cvs.. 

The code did not do a memset(0) on a few values before doing searches. As a
result it could not find open sessions.

>
>
> Javier.
>
>
> -Original Message-
> From: Kostas Kalevras [mailto:[EMAIL PROTECTED]
> Sent: Monday, 10 March 2003 13:20
> To: [EMAIL PROTECTED]
> Subject: Re: ippool-tool
>
> On Sun, 9 Mar 2003, Edwin Groothuis wrote:
>
> > Greetings,
> >
> > In the past three months or so since we've used FreeRadius we found
> > out that our IP-Pool is running out of free addresses. Most likely
> > because of the way we get packets in combination with the way our
> > dialin-service is handled.
>
> There was a problem in versions older than 1.12 (cvs revision) of the ippool
> module.
> The module will free an ip address when it receives an accounting-stop
> for an active nas/port combination or an access-request for the same
> combination. So normally it should not run out of ip addresses.
>
> >
> > To monitor and overcome this problem, I've written a small tool to
> > dump the database and/or remove the active entries. It runs on any
> > system with the GDBM libraries installed and is available from:
> >
> > http://www.mavetju.org/unix/general.php
> >
> > at the bottom, called FreeRadius IP Pool Tool.
> >
> > Suggestions, comments et al are appreciated.
>
> If it's ok with you I'll add it in the cvs.
>
> >
> > Edwin
> >
> > --
> > Edwin Groothuis  |Personal website: http://www.mavetju.org
> > [EMAIL PROTECTED]|Weblog: http://www.mavetju.org/weblog/weblog.php
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone:   +30 210 7721861
> 'Go back to the shadow'   Gandalf
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: ippool-tool

2003-03-10 Thread Javier Castillo Alcibar

Hello,

What problem did you find in versions older than 1.12?? I cannot access web cvs.. 
¿?¿?


Javier.


-Original Message-
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]
Sent: Monday, 10 March 2003 13:20
To: [EMAIL PROTECTED]
Subject: Re: ippool-tool

On Sun, 9 Mar 2003, Edwin Groothuis wrote:

> Greetings,
>
> In the past three months or so since we've used FreeRadius we found
> out that our IP-Pool is running out of free addresses. Most likely
> because of the way we get packets in combination with the way our
> dialin-service is handled.

There was a problem in versions older than 1.12 (cvs revision) of the ippool
module.
The module will free an ip address when it receives an accounting-stop
for an active nas/port combination or an access-request for the same
combination. So normally it should not run out of ip addresses.

>
> To monitor and overcome this problem, I've written a small tool to
> dump the database and/or remove the active entries. It runs on any
> system with the GDBM libraries installed and is available from:
>
> http://www.mavetju.org/unix/general.php
>
> at the bottom, called FreeRadius IP Pool Tool.
>
> Suggestions, comments et al are appreciated.

If it's ok with you I'll add it in the cvs.

>
> Edwin
>
> --
> Edwin Groothuis  |Personal website: http://www.mavetju.org
> [EMAIL PROTECTED]|Weblog: http://www.mavetju.org/weblog/weblog.php
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: ippool-tool

2003-03-10 Thread Kostas Kalevras
On Sun, 9 Mar 2003, Edwin Groothuis wrote:

> Greetings,
>
> In the past three months or so since we've used FreeRadius we found
> out that our IP-Pool is running out of free addresses. Most likely
> because of the way we get packets in combination with the way our
> dialin-service is handled.

There was a problem in versions older than 1.12 (cvs revision) of the ippool
module.
The module will free an ip address when it receives an accounting-stop
for an active nas/port combination or an access-request for the same
combination. So normally it should not run out of ip addresses.

>
> To monitor and overcome this problem, I've written a small tool to
> dump the database and/or remove the active entries. It runs on any
> system with the GDBM libraries installed and is available from:
>
> http://www.mavetju.org/unix/general.php
>
> at the bottom, called FreeRadius IP Pool Tool.
>
> Suggestions, comments et al are appreciated.

If it's ok with you I'll add it in the cvs.

>
> Edwin
>
> --
> Edwin Groothuis  |Personal website: http://www.mavetju.org
> [EMAIL PROTECTED]|Weblog: http://www.mavetju.org/weblog/weblog.php
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



ippool-tool

2003-03-08 Thread Edwin Groothuis
Greetings,

In the past three months or so since we've used FreeRadius we found
out that our IP-Pool is running out of free addresses. Most likely
because of the way we get packets in combination with the way our
dialin-service is handled.

To monitor and overcome this problem, I've written a small tool to
dump the database and/or remove the active entries. It runs on any
system with the GDBM libraries installed and is available from:

http://www.mavetju.org/unix/general.php

at the bottom, called FreeRadius IP Pool Tool.

Suggestions, comments et al are appreciated.

Edwin

-- 
Edwin Groothuis  |Personal website: http://www.mavetju.org
[EMAIL PROTECTED]|Weblog: http://www.mavetju.org/weblog/weblog.php 



IPPOOL PROBLEM

2003-02-24 Thread Javier Castillo Alcibar
Hello All,

I have a problem with the rlm_ippool module. It doesn't give
IP addresses... :(
This is my radiusd.conf:

modules {
..
    ippool ippool {
name = ippool
range-start = 194.69.251.128
range-stop = 194.69.251.254
netmask = 255.255.252.0
session-db = /usr/local/etc/raddb/ippool-sess-db
ip-index = /usr/local/etc/raddb/ippool-idx-db
cache-size = 1000
}

}
accounting {
acct_unique
detail
unix 
radutmp
    ippool
}
post-auth {
    ippool
}


When the radius gets an incoming auth.req :

Thread 4 handling request 3, (1 handled so far)
User-Name = "tec-javiere"
User-Password = "1"
NAS-IP-Address = 194.69.248.50
NAS-Port = 2
Framed-Protocol = PPP
Service-Type = 0

modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "tec-javiere", looking up realm
NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched tec-javiere at 5123
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password Login OK:
[tec-javiere] (from client alhproxy port 2)
modcall: entering group post-auth
rlm_ippool: Searching for an entry for nas/port: 194.69.248.50/2
  modcall[post-auth]: module "ippool" returns noop
modcall: group post-auth returns noop
Sending Access-Accept of id 36 to 194.69.248.50:2761
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-Address = 255.255.255.255
Framed-Netmask = 255.255.255.255
Ascend-Metric = 2
Framed-Routing = None
Framed-Compression = None
Ascend-Idle-Limit = 14400
Ascend-Maximum-Time = 36000
Finished request 3

 

Why does the ippool module return NOOP??

Thx in advance.
Javier.





IPPOOL configuration on freeradius-0.7.1

2002-10-31 Thread ian
Sir/Madam

I have downloaded and installed freeradius-0.7.1 on a linux system

It is all working except I am having trouble 
   - allocating IP address dynamically

It is my belief this is done using ippool

which is where my problem is.
I can't seem to set up ippool successfully.

Do I need to issue a particular flag on my configure statement ?

I used 

 ./configure 
--with-experimentalmodules
--prefix
--exec-prefix
--program prefix
--with-logdir
--with-radacctdir
--with-raddbdir

Any help would be much appreciated

I Taylor
ForemostIT




Re: IPPool problem, again. (Kostas Kalevras)

2002-10-11 Thread Pierluigi Frullani

> It was fixed today. Check the CVS. It needed a memset(0) for key.nas
> before the strcpy().
>

I can confirm that now it works.
Thanks a lot
Pigi






Re: IPPool problem, again.

2002-10-11 Thread Kostas Kalevras

On Fri, 11 Oct 2002, Pierluigi Frullani wrote:

> Do you remember my previous mails?
> > Hi all,
> > I'm having a problem with the Ippool module (rlm_ippool).
> > When authorizing, the module is able to allocate the correct IP
> > address, but on the account "Stop" it does not set the IP free.
> ...
> Well, I did some more investigation, but it still doesn't work.
> I added some comments to the rlm_ippool module to check what kind of data
> was passing through the module.
> Here is the output:
> In authorize "side":
> rlm_ippool: Searching for an entry for nas/port: 10.128.255.3/1054
> rlm_ippool: num: 1
> rlm_ippool: Allocated ip 10.128.10.2 to client on nas 10.128.255.3,port 1054
>
> On the accounting side, when the request is a stop, at the end of the
> "if (data_datum.dptr != NULL){"
> I've added a cycle on the gdbm file and I see:
>
> rlm_ippool: THERE IS A NAS INFORMATION IN PACKET 10.128.255.3 1054.
> rlm_ippool: Values: active = 1, key.nas = 10.128.255.3, nasport= 1054
> rlm_ippool: Dati 0 NOT_EXIST -2
> rlm_ippool: Exiting from function accounting no results
>
> So it seems that the gdbm_fetch fails when searching in the file.
> The behaviour is the same on Linux and Solaris 8 machines.
> Do you have any idea?
>
> In the meantime I will try to modify the source to work with a cycle, but
> this could be expensive because of the time needed by the scan.
>
> Pigi

It was fixed today. Check the CVS. It needed a memset(0) for key.nas before the
strcpy().


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
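
The effect of the missing memset(0) described in this reply, as an added C sketch that is not the rlm_ippool source. The key layout, the field size and the in-memory table standing in for the gdbm file are assumptions, and a fill byte stands in for leftover stack contents.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAS_NAME 64      /* assumed field size, not taken from rlm_ippool */
#define STORE_SLOTS  4

/* Hypothetical key layout modelled on the key.nas / port pair in the thread. */
struct pool_key {
    char nas[MAX_NAS_NAME];
    unsigned int port;
};

struct slot {
    int used;
    struct pool_key key;
    char ip[16];
};

/* In-memory stand-in for the gdbm session file. */
static struct slot store[STORE_SLOTS];

static int store_put(const struct pool_key *k, const char *ip)
{
    for (int i = 0; i < STORE_SLOTS; i++) {
        if (!store[i].used) {
            store[i].used = 1;
            memcpy(&store[i].key, k, sizeof(*k));
            snprintf(store[i].ip, sizeof(store[i].ip), "%s", ip);
            return 0;
        }
    }
    return -1;
}

/* Like a dbm fetch, the lookup compares the key as raw bytes, so the bytes
 * after the terminating NUL of nas[] take part in the comparison. */
static const char *store_fetch(const struct pool_key *k)
{
    for (int i = 0; i < STORE_SLOTS; i++)
        if (store[i].used && memcmp(&store[i].key, k, sizeof(*k)) == 0)
            return store[i].ip;
    return NULL;
}

/* Build a key on top of a buffer pre-filled with 'leftover', which stands in
 * for whatever the stack held before (reading real uninitialised memory would
 * be undefined behaviour). zero_first = 1 applies the fix from the thread. */
static int build_key(struct pool_key *k, const char *nas, unsigned int port,
                     int zero_first, unsigned char leftover)
{
    if (strlen(nas) >= sizeof(k->nas))
        return -1;                       /* name does not fit: refuse */
    memset(k, leftover, sizeof(*k));
    if (zero_first)
        memset(k, 0, sizeof(*k));        /* memset(0) before the strcpy() */
    strcpy(k->nas, nas);                 /* length checked above */
    k->port = port;
    return 0;
}

/* Allocate at Access-Request time, then look the session up again at
 * Accounting-Stop time with a freshly built key. Returns 1 if found. */
static int stop_finds_session(int zero_first)
{
    struct pool_key at_auth, at_stop;

    memset(store, 0, sizeof(store));
    build_key(&at_auth, "10.128.255.3", 1054, zero_first, 0xAA);
    build_key(&at_stop, "10.128.255.3", 1054, zero_first, 0x55);
    store_put(&at_auth, "10.128.10.2");
    return store_fetch(&at_stop) != NULL;
}

/* The two unfixed keys print identically, which is why debug output alone
 * does not reveal the mismatch. Returns 1 if the visible fields agree. */
static int visible_fields_match(void)
{
    struct pool_key a, b;

    build_key(&a, "10.128.255.3", 1054, 0, 0xAA);
    build_key(&b, "10.128.255.3", 1054, 0, 0x55);
    return strcmp(a.nas, b.nas) == 0 && a.port == b.port;
}

int main(void)
{
    printf("visible fields match:     %d\n", visible_fields_match());
    printf("lookup without memset(0): %d\n", stop_finds_session(0));
    printf("lookup with memset(0):    %d\n", stop_finds_session(1));
    return 0;
}
```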





IPPool problem, again.

2002-10-11 Thread Pierluigi Frullani

Do you remember my previous mails?
> Hi all,
> I'm having a problem with the Ippool module (rlm_ippool).
> When authorizing, the module is able to allocate the correct IP
> address, but on the account "Stop" it does not set the IP free.
...
Well, I did some more investigation, but it still doesn't work.
I added some comments to the rlm_ippool module to check what kind of data
was passing through the module.
Here is the output:
In authorize "side":
rlm_ippool: Searching for an entry for nas/port: 10.128.255.3/1054
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.128.10.2 to client on nas 10.128.255.3,port 1054

On the accounting side, when the request is a stop, at the end of the
"if (data_datum.dptr != NULL){"
I've added a cycle on the gdbm file and I see:

rlm_ippool: THERE IS A NAS INFORMATION IN PACKET 10.128.255.3 1054.
rlm_ippool: Values: active = 1, key.nas = 10.128.255.3, nasport= 1054
rlm_ippool: Dati 0 NOT_EXIST -2
rlm_ippool: Exiting from function accounting no results

So it seems that the gdbm_fetch fails when searching in the file.
The behaviour is the same on Linux and Solaris 8 machines.
Do you have any idea?

In the meantime I will try to modify the source to work with a cycle, but
this could be expensive because of the time needed by the scan.

Pigi






Re: Ippool problem on 0.7.1.Don't deallocate ip addresses

2002-10-11 Thread Pierluigi Frullani
OK, I'll reply to myself.
I've noticed that the NAS (a VPN 3000 Concentrator) sends out two
different authorize requests, on two different ports (1020 and 1038 in my
trace); then, when it gives out a stop request, it uses the second request's
parameters.
The rlm_ippool module correctly checks for the second request and doesn't
give out the new IP address, and also correctly doesn't free the IP address
on stop due to the different port in the request.
This will be a real problem for me, but the module is OK.

Sorry again
Pigi






Ippool problem on 0.7.1.Don't deallocate ip addresses

2002-10-10 Thread Pierluigi Frullani

Hi all,
I'm having a problem with the Ippool module (rlm_ippool).
When authorizing, the module is able to allocate the correct IP address, but
on the account "Stop" it does not set the IP free.

relevant part of radiusd.conf
...
...
modules {
...
...
ippool Prova0 {
range-start = 10.128.1.0
range-stop = 10.128.1.3
netmask = 255.255.255.252
cache-size = 800
session-db = ${raddbdir}/db.ippool.0
ip-index = ${raddbdir}/db.ipindex.0
}
...
}
authorize {
...
Prova0
...
}
accounting {
...
Prova0
...
}

users file:
...
steve   Auth-Type := Local, User-Password == "testing", Pool-Name :=
"Prova1"
...

log, from radiusd -X > log says:
...

Module: Instantiated ippool (Prova0)
 ippool: session-db = "/usr/local/freeradius/etc/raddb/db.ippool.1"
 ippool: ip-index = "/usr/local/freeradius/etc/raddb/db.ipindex.1"
 ippool: range-start = 10.128.10.0 IP address [10.128.10.0]
 ippool: range-stop = 10.128.10.3 IP address [10.128.10.3]
 ippool: netmask = 255.255.255.252 IP address [255.255.255.252]
 ippool: cache-size = 800
...
...
  modcall[authorize]: module "files" returns ok
rad_recv: Access-Request packet from host 10.128.255.4:1024, id=78,
length=92
User-Name = "steve"
User-Password = "\r\021\353N\315\021 s\023.8]O\002F\010"
NAS-Port = 1020
Service-Type = Framed-User
Framed-Protocol = PPP
Tunnel-Client-Endpoint:0 = "212.239.118.116"
NAS-IP-Address = 10.128.255.4
NAS-Port-Type = Virtual
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "steve"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched steve at 99
  modcall[authorize]: module "files" returns ok
rlm_ippool: Entering in function authorize
rlm_ippool: Searching for an entry for nas/port: 10.128.255.4/1020
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.128.10.2 to client on nas 10.128.255.4,port 1020
  modcall[authorize]: module "Prova0" returns ok
...
...
rad_recv: Accounting-Request packet from host 10.128.255.4:1038, id=24,
length=155
User-Name = "steve"
NAS-Port = 1020
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.128.10.2
Class = 0x47727570706f526164
Acct-Status-Type = Stop
Acct-Input-Octets = 312
Acct-Output-Octets = 0
Acct-Session-Id = "0C400010"
Acct-Session-Time = 8
Acct-Input-Packets = 3
Acct-Output-Packets = 0
Acct-Terminate-Cause = User-Request
Tunnel-Client-Endpoint:0 = "212.239.118.116"
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = 10.128.255.4
NAS-Port-Type = Virtual
modcall: entering group preacct
  modcall[preacct]: module "preprocess" returns noop
rlm_realm: Looking up realm NULL for User-Name = "steve"
rlm_realm: No such realm NULL
  modcall[preacct]: module "suffix" returns noop
  modcall[preacct]: module "files" returns noop
modcall: group preacct returns noop
modcall: entering group accounting
radius_xlat:
'/usr/local/freeradius/var/log/radius/radacct/10.128.255.4/detail'
rlm_detail:
/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail
expands to /usr/local/freeradius/var/log/radius/radacct/1
0.128.255.4/detail
  modcall[accounting]: module "detail" returns ok
  modcall[accounting]: module "counter" returns ok
radius_xlat:  'steve'
  modcall[accounting]: module "radutmp" returns ok
  modcall[accounting]: module "Prova0" returns ok
modcall: group accounting returns ok
Sending Accounting-Response of id 24 to 10.128.255.4:1038
Finished request 12
Going to the next request


This problem is driving me crazy.
Have you any idea ?






Re: Ippool

2002-09-25 Thread Homer Parker

On Fri, 20 Sep 2002 11:45:51 +0300 (EEST)
Kostas Kalevras <[EMAIL PROTECTED]> wrote:


> 
> I am not sure that you can do group membership checks with the pam
> module. Try using the unix module for that (just put it in the
> instantiate section to register its groupcmp function).

That was it, thanks!

--- 
Homer Parker




Re[2]: ippool bug or config problem?

2002-09-24 Thread magmike



Tuesday, September 24, 2002, 7:29:03 PM, [EMAIL PROTECTED] wrote:

> On Tue, 24 Sep 2002 [EMAIL PROTECTED] wrote:

>>
>> ippool assigns the same IP address to two different users.
>> Maybe my config is broken?
>> When I use a large pool (1-254), I have the same bug after restarting
>> radiusd.
>> - Now I try to send an auth packet with radclient (user mmike):
>>
>> Thread 1 handling request 0, (1 handled so far)
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> User-Name = "mmike"
>> MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
>> MS-CHAP2-Response = 
>0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
>> NAS-IP-Address = 192.168.0.5
>> NAS-Port = 0

> All Access-Requests contain the same NAS/Port pair. rlm_ippool will consider the
> corresponding ip allocated stale and will free it. As a result it will get
> reallocated to another user.

With a large pool (1-254) ippool returns different IPs for the same
requests.

(old db-files removed)
Auth-request:
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "mmike"
MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
MS-CHAP2-Response = 
0x01002bbf1007dc607b833af3cdd279ece38b000000002284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
NAS-IP-Address = 192.168.0.5
NAS-Port = 0


# radiusd -xx | grep ippool

 ippool: session-db = "/etc/raddb/pools/db.pool-1-fast"
 ippool: ip-index = "/etc/raddb/pools/db.pool-1-fast.idx"
 ippool: range-start = 192.168.5.1 IP address [192.168.5.1]
 ippool: range-stop = 192.168.5.254 IP address [192.168.5.254]
 ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
 ippool: cache-size = 800
rlm_ippool: Initializing database
Module: Instantiated ippool (ippool-1-fast)

REQUEST #1
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.55 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module "ippool-1-fast" returns ok

REQUEST #2
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: Found a stale entry for ip/port: 192.168.5.55/0
rlm_ippool: num: 0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.217 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module "ippool-1-fast" returns ok

REQUEST #3
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: Found a stale entry for ip/port: 192.168.5.217/0
rlm_ippool: num: 0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.92 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module "ippool-1-fast" returns ok

REQUEST #4
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: Found a stale entry for ip/port: 192.168.5.92/0
rlm_ippool: num: 0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.233 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module "ippool-1-fast" returns ok






Re: ippool bug or config problem?

2002-09-24 Thread Kostas Kalevras

On Tue, 24 Sep 2002 [EMAIL PROTECTED] wrote:

>
> ippool assigns the same IP address to two different users.
> Maybe my config is broken?
> When I use a large pool (1-254), I have the same bug after restarting
> radiusd.
> - Now I try to send an auth packet with radclient (user mmike):
>
> Thread 1 handling request 0, (1 handled so far)
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "mmike"
> MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
> MS-CHAP2-Response = 
>0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
> NAS-IP-Address = 192.168.0.5
> NAS-Port = 0

All Access-Requests contain the same NAS/Port pair. rlm_ippool will consider the
corresponding ip allocated stale and will free it. As a result it will get
reallocated to another user.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
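
The stale-entry behaviour described in this reply, modelled as an added C sketch that is not rlm_ippool code. The record layout and the first-free allocation order are assumptions; the pool range, NAS address and NAS-Port values come from the posted config and requests.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE  6     /* 192.168.5.1 .. 192.168.5.6, the range in the posted config */
#define MAX_LOGINS 16

/* One record per pool address, keyed by the NAS address and port it was given to. */
struct lease {
    int active;
    char nas[16];
    unsigned int port;
};

static struct lease pool[POOL_SIZE];

/* Allocation on Access-Request as the reply describes it: an active record
 * for the same nas/port is treated as stale and its address is freed first.
 * Handing out the first free address is an assumed policy for this sketch.
 * Returns the 0-based offset into the range, or -1 if the pool is full. */
static int pool_allocate(const char *nas, unsigned int port)
{
    int i;

    for (i = 0; i < POOL_SIZE; i++)
        if (pool[i].active && pool[i].port == port &&
            strcmp(pool[i].nas, nas) == 0)
            pool[i].active = 0;              /* stale entry: address released */

    for (i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].active) {
            pool[i].active = 1;
            snprintf(pool[i].nas, sizeof(pool[i].nas), "%s", nas);
            pool[i].port = port;
            return i;
        }
    }
    return -1;
}

/* Log in n users through one NAS with the given NAS-Port values and no
 * Accounting-Stop in between, so every session is still up at the end.
 * Returns how many pairs of live sessions hold the same address. */
static int duplicate_pairs(const unsigned int *ports, int n)
{
    int held[MAX_LOGINS];
    int i, j, dups = 0;

    if (n > MAX_LOGINS)
        return -1;
    memset(pool, 0, sizeof(pool));
    for (i = 0; i < n; i++)
        held[i] = pool_allocate("192.168.0.5", ports[i]);
    for (i = 0; i < n; i++)
        for (j = i + 1; j < n; j++)
            if (held[i] >= 0 && held[i] == held[j])
                dups++;
    return dups;
}

static const unsigned int same_port[]     = { 0, 0 };     /* mmike, mmmike: NAS-Port = 0 */
static const unsigned int distinct_port[] = { 0, 1 };     /* one port per session */
static const unsigned int mixed_port[]    = { 0, 1, 0 };  /* third login reuses port 0 */

int main(void)
{
    printf("same port:      %d duplicate pair(s)\n", duplicate_pairs(same_port, 2));
    printf("distinct ports: %d duplicate pair(s)\n", duplicate_pairs(distinct_port, 2));
    printf("mixed ports:    %d duplicate pair(s)\n", duplicate_pairs(mixed_port, 3));
    return 0;
}
```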





ippool bug or config problem?

2002-09-24 Thread magmike


ippool assigns the same IP address to two different users.
Maybe my config is broken?
When I use a large pool (1-254), I have the same bug after restarting
radiusd.


- radiusd.conf
modules {

ippool ippool-1-fast {
range-start = 192.168.5.1
range-stop = 192.168.5.6
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/pools/db.pool-1-fast
ip-index = ${raddbdir}/pools/db.pool-1-fast.idx
}
}

accounting {
detail
unix
radutmp
ippool-1-fast
}

post-auth {
ippool-1-fast
}
- end of radiusd.conf

- users
DEFAULT  NAS-IP-Address == "192.168.0.5",  Service-Type == Framed-User,  Pool-Name := 
"ippool-1-fast"
Framed-MTU = 1500,
Service-Type = Framed-User,
Fall-Through = 1
- end of users

Now run radiusd:

root@vpn:/etc/raddb# radiusd -xx
Starting - reading configuration files ...
...
Module: Loaded IPPOOL
 ippool: session-db = "/etc/raddb/pools/db.pool-1-fast"
 ippool: ip-index = "/etc/raddb/pools/db.pool-1-fast.idx"
 ippool: range-start = 192.168.5.1 IP address [192.168.5.1]
 ippool: range-stop = 192.168.5.6 IP address [192.168.5.6]
 ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
 ippool: cache-size = 800
rlm_ippool: Initializing database
Module: Instantiated ippool (ippool-1-fast)
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5

Ready to process requests.
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.0.5:1026, id=70, length=133
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do.  Sleeping until we see a request.

- Now I try to send an auth packet with radclient (user mmike):

Thread 1 handling request 0, (1 handled so far)
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "mmike"
MS-CHAP-Challenge = 0xb9ca50b535f1d25c8d22873d4c203565
MS-CHAP2-Response = 
0x01002bbf1007dc607b833af3cdd279ece38b2284ae758753dd9cd3e78d98dfcdde06a8db899b56543336
NAS-IP-Address = 192.168.0.5
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_passwd: Added User-Password: mike
rlm_passwd: Added Group: fast
rlm_passwd: Adding Auth-Type: MS-CHAP
  modcall[authorize]: module "raddb_userlist" returns ok
  modcall[authorize]: module "mschap" returns ok
rlm_realm: No '@' in User-Name = "mmike", looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 201
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok
modcall: group authenticate returns ok
Login OK: [mmike] (from client 192.168.0.5 port 0)
modcall: entering group post-auth
rlm_ippool: Searching for an entry for nas/port: 192.168.0.5/0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.5.3 to client on nas 192.168.0.5,port 0
  modcall[post-auth]: module "ippool-1-fast" returns ok
modcall: group post-auth returns ok
Sending Access-Accept of id 70 to 192.168.0.5:1026
Framed-MTU = 1500
Service-Type = Framed-User
MS-CHAP2-Success = 0x01533d453742313241354342463337383533443044383236383
73933463331363332363844463839414236
MS-MPPE-Recv-Key = 0xe3464568c260d4f054599eac8c270f89762624d03837024c13e
53c392029a3ca21c2
MS-MPPE-Send-Key = 0xe345be695620746dcc14948143420d08d333dd86889a5a66f9a
1e084b1c5a4b6d723
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Framed-IP-Address = 192.168.5.3

 OK ip assigned 192.168.5.3
 Now I try to connect with pppd+radiusclient (user mmmike)

Nothing to do.  Sleeping until we see a request.
Thread 1 handling request 5, (2 handled so far)
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "mmmike"
MS-CHAP-Challenge = 0x35a4ce64ebf19fc25af6921225399273
MS-CHAP2-Response = 0x010068295ca3c0f2c063e229225a129b53df00
00405f88f247c0d22d083286a7123eb6cc61415f5401ad09fc
NAS-IP-Address = 192.168.0.5
NAS-Port = 0
modcall: entering group authorize
  modcall[authoriz

Re: Ippool

2002-09-20 Thread Homer Parker

On Fri, 20 Sep 2002 11:45:51 +0300 (EEST)
Kostas Kalevras <[EMAIL PROTECTED]> wrote:


> I am not sure that you can do group membership checks with the pam
> module. Try using the unix module for that (just put it in the
> instantiate section to register its groupcmp function).

I'll give that a try, thanks!

--- 
Homer Parker

LAN/WAN, Wireless Networking, PC Sales/Service
Linux, OS/2, Windows9x, Windows NT/2000 Support

PC Services
129 W 8th #101
Russell, KS 67665

785.483.7602
[EMAIL PROTECTED]
http://www.pcsrvc.com

Either you can say I'm for Open Source, open standards, or I'm against
standards. Either you can say I'm for giving customers and communities
a choice or I'm against giving customers and communities a choice.
  - Sam Palmisano, IBM President and COO at LinuxWorld Expo 2001

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Ippool

2002-09-20 Thread Kostas Kalevras

On Thu, 19 Sep 2002, Homer Parker wrote:

>   Having a bit of a time getting an Orinoco AS-2000 to get an ip address
> from the ippool module.. I authenticate just fine, it just falls through
> the users file to the dial-up stuff before it gets a match... Here's some
> info:
>
> 
>
> DEFAULT NAS-IP-Address == 172.16.1.8, Auth-Type := Pam, Group ==
> "wireless64", Pool-Name := "wireless64"
>
> DEFAULT Auth-Type := Pam, Group == "wireless64", Pool-Name := "wireless64"
> DEFAULT Group == "wireless128", Pool-Name := "wireless128"
> DEFAULT Group == "wireless192", Pool-Name := "wireless192"
> DEFAULT Group == "wireless256", Pool-Name := "wireless256"
>
> DEFAULT Auth-Type := Pam, Huntgroup-Name == "wireless64", Pool-Name :=
> "wireless64"
> DEFAULT Huntgroup-Name == "wireless128", Pool-Name := "wireless128"
> DEFAULT Huntgroup-Name == "wireless192", Pool-Name := "wireless192"
> DEFAULT Huntgroup-Name == "wireless256", Pool-Name := "wireless256"
>
> 
>
> authorize {
>   preprocess
>   files
> }
> authenticate {
>   pam
> }

I am not sure that you can do group membership checks with the pam module. Try
using the unix module for that (just put it in the instantiate section to
register its groupcmp function).

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Ippool

2002-09-19 Thread Homer Parker

On Thu, 19 Sep 2002 15:02:45 -0500
Homer Parker <[EMAIL PROTECTED]> wrote:

>   Having a bit of a time getting an Orinoco AS-2000 to get an ip address
> from the ippool module.. I authenticate just fine, it just falls through
> the users file to the dial-up stuff before it gets a match... Here's
> some info:

I forgot the versions... Have tried with .70 and CVS as of 1pm CST
9-19...

--- 
Homer Parker

LAN/WAN, Wireless Networking, PC Sales/Service
Linux, OS/2, Windows9x, Windows NT/2000 Support

PC Services
129 W 8th #101
Russell, KS 67665

785.483.7602
[EMAIL PROTECTED]
http://www.pcsrvc.com

Either you can say I'm for Open Source, open standards, or I'm against
standards. Either you can say I'm for giving customers and communities
a choice or I'm against giving customers and communities a choice.
  - Sam Palmisano, IBM President and COO at LinuxWorld Expo 2001

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Ippool

2002-09-19 Thread Homer Parker

Having a bit of a time getting an Orinoco AS-2000 to get an ip address
from the ippool module.. I authenticate just fine, it just falls through
the users file to the dial-up stuff before it gets a match... Here's some
info:



DEFAULT NAS-IP-Address == 172.16.1.8, Auth-Type := Pam, Group ==
"wireless64", Pool-Name := "wireless64"

DEFAULT Auth-Type := Pam, Group == "wireless64", Pool-Name := "wireless64"
DEFAULT Group == "wireless128", Pool-Name := "wireless128"
DEFAULT Group == "wireless192", Pool-Name := "wireless192"
DEFAULT Group == "wireless256", Pool-Name := "wireless256"

DEFAULT Auth-Type := Pam, Huntgroup-Name == "wireless64", Pool-Name :=
"wireless64"
DEFAULT Huntgroup-Name == "wireless128", Pool-Name := "wireless128"
DEFAULT Huntgroup-Name == "wireless192", Pool-Name := "wireless192"
DEFAULT Huntgroup-Name == "wireless256", Pool-Name := "wireless256"


#DEFAULT Simultaneous-Use := 2
#   Fall-Through = 1

#DEFAULT Auth-Type := Reject, Huntgroup-Name == "mail"

#DEFAULT Huntgroup-Name := "local", Pool-Name := "wireless64"
#Filter-Id = "locallan",
#Fall-Through = 1

#DEFAULT Auth-Type := Pam
#Service-Type = Framed-User,
#Framed-Protocol = PPP,
#Framed-IP-Address = 255.255.255.254,
#Framed-IP-Netmask = 255.255.255.255,
#Framed-Compression = Van-Jacobson-TCP-IP,
#Session-Timeout = 36,
#Idle-Timeout = 900,
#Framed-MTU = 576

With the dialup stuff commented, I do not get authenticated.. As you can
see, I'm trying several different ways to get a hit... 



pop1        NAS-IP-Address == 172.16.1.8
wireless64  Group = wireless64

wireless128 Group = wireless128

wireless192 Group = wireless192

wireless256 Group = wireless256

The user I'm testing with is in group wireless64 on the radius server. I
used something similar with Cistron to put people into groups that were
mail only (no Internet access), etc... Can't find any documentation that
says it works any differently now...



modules {
    ippool wireless64 {
        range-start = 64.123.115.131
        range-stop = 64.123.115.143
        netmask = 255.255.255.128
        cache-size = 800
        session-db = ${raddbdir}/db.wireless64
        ip-index = ${raddbdir}/db.wireless64
    }
    ippool wireless128 {
        range-start = 64.123.115.193
        range-stop = 64.123.115.254
        netmask = 255.255.255.128
        cache-size = 800
        session-db = ${raddbdir}/db.wireless128
        ip-index = ${raddbdir}/db.wireless128
    }
    ippool wireless192 {
        range-start = 64.123.115.149
        range-stop = 64.123.115.160
        netmask = 255.255.255.128
        cache-size = 800
        session-db = ${raddbdir}/db.wireless192
        ip-index = ${raddbdir}/db.wireless192
    }
    ippool wireless256 {
        range-start = 64.123.115.162
        range-stop = 64.123.115.187
        netmask = 255.255.255.128
        cache-size = 800
        session-db = ${raddbdir}/db.wireless256
        ip-index = ${raddbdir}/db.wireless256
    }
    pam {
        pam_auth = radiusd
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
}

authorize {
    preprocess
    files
}
authenticate {
    pam
}

accounting {
    detail
    radutmp
    wireless64
    wireless128
    wireless192
    wireless256
}
session {
    radutmp
}
post-auth {
    wireless64
    wireless128
    wireless192
    wireless256
}

Any help appreciated...

--- 
Homer Parker


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



ippool : deallocation problem

2002-06-16 Thread Cassiano Aquino

Hi,
I'm using freeradius 0.5+cvs20020408-1 on my debian box.
Checking my logs, ippool tells me it clears the ip address from its
db, but I created one pool with 3 ip addresses, and when I connect the
4th time ippool doesn't return any ip for me.
My NAS sends Start and Stop acct packets to the radius; in debug, radius
tells me:

rlm_ippool: Deallocated entry for ip/port: xxx.xxx.28.252/82
rlm_ippool: num: 0

If you need more detailed debug output tell me, I prefer not to put it here to
keep my mail small.

my config is something like:

modules {
    ippool classe28 {
        range-start = xxx.xxx.28.131
        range-stop = xxx.xxx.28.246
        netmask = 255.255.255.128
        cache-size = 115
        session-db = ${raddbdir}/db.classe28
        ip-index = ${raddbdir}/db.ndx_classe28
    }

    ippool sidenet {
        range-start = xxx.xxx.28.249
        range-stop  = xxx.xxx.28.252
        netmask = 255.255.255.248
        cache-size = 3
        session-db = ${raddbdir}/db.sidenet
        ip-index = ${raddbdir}/db.ndx_sidenet
    }
    ...
}

authorize {
    ...
    classe28
    sidenet
    ...
}

accouting {
    ...
    classe28
    sidenet
    ...
}

and in my db I have the following config:
mysql> select * from radcheck where UserName = 'cassiano';
+----+----------+---------------+-------+----+
| id | UserName | Attribute     | Value | op |
+----+----------+---------------+-------+----+
|  1 | cassiano | User-Password |       | == |
+----+----------+---------------+-------+----+
1 row in set (0.00 sec)

mysql> select * from usergroup where UserName = 'cassiano';
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | cassiano | DEFAULT   |
|  2 | cassiano | 768k      |
| 39 | cassiano | sidenet   |
+----+----------+-----------+
3 rows in set (0.00 sec)

mysql> select * from radgroupcheck;
+----+-----------+------------------+----------+----+
| id | GroupName | Attribute        | Value    | op |
+----+-----------+------------------+----------+----+
|  1 | DEFAULT   | Simultaneous-Use | 1        | := |
|  2 | DEFAULT   | Auth-Type        | PAP      | := |
|  6 | home      | Pool-Name        | classe28 | := |
|  7 | sidenet   | Pool-Name        | sidenet  | := |
+----+-----------+------------------+----------+----+
4 rows in set (0.00 sec)

mysql> select * from radgroupreply;
+----+-----------+-----------------------+--------+----+------+
| id | GroupName | Attribute             | Value  | op | prio |
+----+-----------+-----------------------+--------+----+------+
| 16 | DEFAULT   | Idle-Timeout          | 0      | =  |    0 |
|  6 | DEFAULT   | Fall-Through          | Yes    | =  |    0 |
|  8 | 256k      | X-Ascend-Data-Rate    | 256000 | =  |    0 |
|  9 | 128k      | X-Ascend-Data-Rate    | 10     | =  |    0 |
| 10 | 64k       | X-Ascend-Data-Rate    | 62000  | =  |    0 |
| 13 | 768k      | X-Ascend-Data-Rate    | 768000 | =  |    0 |
| 14 | 1024k     | X-Ascend-Data-Rate    | 100    | =  |    0 |
| 15 | 384k      | X-Ascend-Data-Rate    | 38     | =  |    0 |
| 17 | DEFAULT   | Session-Timeout       | 0      | =  |    0 |
| 18 | DEFAULT   | Acct-Interim-Interval | 0      | =  |    0 |
+----+-----------+-----------------------+--------+----+------+
10 rows in set (0.00 sec)

mysql>

I have missed something?
Thanks to the freeradius people (core and modules) for your great software.
PS: sorry about my tarzan's english :P

-- 
Cassiano Aquino <[EMAIL PROTECTED]>
World Wide Security Networks <http://www.wwsecurity.net>
KeyID# C9FD0B69 @ wwwkeys.nl.pgp.net
VoIP# 5524311

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



IPPOOL modified to use SQL...

2002-05-27 Thread Abel Alejandro








If anyone is interested, I modified rlm_ippool.c to work with SQL. This code
was made to solve my problem: I needed ippool to work (it worked, but wasn't
releasing IPs for some reason) and I needed a database that I could access
from the web. This code will NOT work with any method for authorize other
than SQL. If you use another method with this code, the module will NOT
release IPs from bad username/passwords. Also, the SQL information is hard
coded; you will need to edit it.

And the last thing: to avoid running the STOP multiple times, I hard coded
the code to run the STOP on one instance only. For example, if you have three
instances called a, b and c, you can edit the code to do the STOP for a only.
Otherwise it will run for the three of them, which is unnecessary.

http://core.friendspr.com/~elec/rlm_ipsql.c
http://core.friendspr.com/~elec/Makefile.in
http://core.friendspr.com/~elec/configure.in

Abel Alejandro

 








RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Abel Alejandro



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kostas
Kalevras
Sent: Wednesday, May 22, 2002 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:

>> Forgot to mention, I am running radiusd -X > radius.log

>Stupid question. Is the ippool module listed in the accounting section in
>radiusd.conf?
>The accounting packet should be an accounting stop for a nas/port combination
>that has an allocated ip assigned to it.

Yes, it is. The ippool module is called 'arecibo' and it's in both authorize
and accounting.

For example, when I started radiusd this morning the first IP to be
assigned was 196.12.182.73. Then radiusd got the Acct-Status-Type = Stop
for 196.12.182.73 and it said "modcall[accounting]: module "arecibo"
returns ok"
But no deallocation was done.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
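An added example, not code from this thread or from FreeRADIUS: one way to check the symptom discussed in this thread (Stop packets arriving but no deallocation) and the duplicate-address symptom from `radiusd -X` output. It assumes the two `rlm_ippool` debug line formats quoted on this page, and that the address in "Deallocated entry for ip/port" is the pool address being released; the sample log and the function name are constructed for illustration.

```python
import re

# Line formats taken from the debug output quoted on this page.
ALLOC_RE = re.compile(
    r"rlm_ippool: Allocated ip (\S+) to client on nas (\S+?),\s*port (\d+)")
# Assumption: the address logged here is the pool address being released.
DEALLOC_RE = re.compile(r"rlm_ippool: Deallocated entry for ip/port: (\S+)/(\d+)")
STOP_RE = re.compile(r"Acct-Status-Type = Stop\b")


def audit_ippool_log(text):
    """Replay ippool debug lines and report lease inconsistencies."""
    held = {}     # pool ip -> "nas/port" that currently holds it
    by_port = {}  # "nas/port" -> pool ip it was last given
    report = {"duplicates": [], "unmatched_deallocations": [],
              "stops": 0, "deallocations": 0}

    for lineno, line in enumerate(text.splitlines(), 1):
        m = ALLOC_RE.search(line)
        if m:
            ip, nas, port = m.groups()
            key = f"{nas}/{port}"
            # Assumption: a new allocation on the same nas/port replaces
            # whatever that port held before.
            old = by_port.get(key)
            if old is not None and old != ip and held.get(old) == key:
                del held[old]
            holder = held.get(ip)
            if holder is not None and holder != key:
                # Same address handed out while another nas/port holds it.
                report["duplicates"].append((lineno, ip, holder, key))
            held[ip] = key
            by_port[key] = ip
            continue

        m = DEALLOC_RE.search(line)
        if m:
            ip, _port = m.groups()
            report["deallocations"] += 1
            key = held.pop(ip, None)
            if key is None:
                report["unmatched_deallocations"].append((lineno, ip))
            else:
                by_port.pop(key, None)
            continue

        if STOP_RE.search(line):
            report["stops"] += 1

    report["still_held"] = dict(sorted(held.items()))
    # Stops that were never followed by a deallocation leave addresses
    # marked in use until the pool is exhausted.
    report["stops_without_deallocation"] = max(
        0, report["stops"] - report["deallocations"])
    return report


# Constructed sample log (not from the thread).
SAMPLE_LOG = """\
rlm_ippool: Allocated ip 10.0.0.1 to client on nas 192.0.2.5,port 0
  modcall[post-auth]: module "pool_a" returns ok
Acct-Status-Type = Stop
rlm_ippool: Deallocated entry for ip/port: 10.0.0.1/0
rlm_ippool: Allocated ip 10.0.0.2 to client on nas 192.0.2.5,port 1
rlm_ippool: Allocated ip 10.0.0.2 to client on nas nas2.example.net,port 7
Acct-Status-Type = Stop
  modcall[accounting]: module "pool_a" returns ok
rlm_ippool: Allocated ip 10.0.0.3 to client on nas 192.0.2.5,port 2
"""

if __name__ == "__main__":
    result = audit_ippool_log(SAMPLE_LOG)
    for lineno, ip, first, second in result["duplicates"]:
        print(f"line {lineno}: {ip} given to {second} while held by {first}")
    print("stops:", result["stops"], "deallocations:", result["deallocations"])
    print("still held:", result["still_held"])
```

Run it against the file produced by `radiusd -X > radius.log`; a non-zero `stops_without_deallocation` matches the situation described in the message above.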



RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Kostas Kalevras

On Wed, 22 May 2002, Abel Alejandro wrote:

> Forgot to mention, I am running radiusd -X > radius.log
>

Stupid question. Is the ippool module listed in the accounting section in
radiusd.conf?
The accounting packet should be an accounting stop for a nas/port combination
that has an allocated ip assigned to it.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Abel Alejandro



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kostas
Kalevras
Sent: Wednesday, May 22, 2002 9:31 AM
To: [EMAIL PROTECTED]
Subject: RE: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:

>> Okay one more thing I got now from the logs. Right now I have rm -rf the
>> db*
>> And restarted radiusd, a (cmd: cat radius.log | grep "= Stop" | wc -l)
>> reports 66 stop's, but I don't see a "rlm_ippool: Deallocated entry for
>> ip/port:" not even one in the radius.log
>>
>> It seems radiusd can not deallocate ip's?

>That is a debugging message and it will not normally show up in the radius.log

Forgot to mention, I am running radiusd -X > radius.log


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Kostas Kalevras

On Wed, 22 May 2002, Abel Alejandro wrote:

> Okay one more thing I got now from the logs. Right now I have rm -rf the
> db*
> And restarted radiusd, a (cmd: cat radius.log | grep "= Stop" | wc -l)
> reports 66 stop's, but I don't see a "rlm_ippool: Deallocated entry for
> ip/port:" not even one in the radius.log
>
> It seems radiusd can not deallocate ip's?

That is a debugging message and it will not normally show up in the radius.log

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Abel Alejandro



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kostas
Kalevras
Sent: Wednesday, May 22, 2002 9:06 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:

>> IPPOOL seems that it cannot give all the ip addresses on the range,
>> it starts giving addresses but if there are 50 ip's it only gives 10.

>Hmm, from what i tested right now it will give out all the ips.

Okay one more thing I got now from the logs. Right now I have rm -rf the
db*
And restarted radiusd, a (cmd: cat radius.log | grep "= Stop" | wc -l)
reports 66 stop's, but I don't see a "rlm_ippool: Deallocated entry for
ip/port:" not even one in the radius.log

It seems radiusd can not deallocate ip's?



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Kostas Kalevras

On Wed, 22 May 2002, Abel Alejandro wrote:

> IPPOOL seems that it cannot give all the ip addresses on the range,
> it starts giving addresses but if there are 50 ip's it only gives 10.

Hmm, from what I tested right now it will give out all the ips.

>
> FreeBSD 4.5-STABLE running Freeradius as of 19/05/02 (cvs).
>
> ippool arecibo {
> session-db = ${dbdir}/arecibo.db
> ip-index = ${dbdir}/arecibo-ip.db
> range-start = 196.12.182.65
> range-stop = 196.12.182.121
> netmask = 255.255.255.192
> cache-size = 1024
> }
>
> That is the configuration for the ippool, it runs fine, it assigns addresses
> and everything looks okay.
> However, looking at it in debug mode, I see not very normal behaviour. It
> starts giving out the addresses in random sequence; for example, instead of
> first assigning 196.12.182.65 it gives 196.12.182.73 (first time, with virgin db).

That has to do with the gdbm library. The db is not a linked list but a hash and
there isn't any way to tell how they will be ordered inside the file.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf

>
> I modified rlm_ippool.c to be a little more verbose, and on the creation of
> the database it does create the ip address list in order. Like this:
>
> Adding IP 196.12.182.65 state 0
> Adding IP 196.12.182.66 state 0
> Adding IP 196.12.182.67 state 0
> Adding IP 196.12.182.68 state 0
> 
> Until it reaches 196.12.182.121 (which is correct.)
>
> On the other hand, when looking for an ip address (virgin db, all ips are
> supposed to be state 0) it searches them in random order.  Like this:
>
> rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/3328
> Found IP 196.12.182.114 state 1
> Found IP 196.12.182.82 state 0
>
> It started with 114 then jumped back to 82.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Abel Alejandro

IPPOOL seems that it cannot give all the ip addresses on the range,
it starts giving addresses but if there are 50 ip's it only gives 10.

FreeBSD 4.5-STABLE running Freeradius as of 19/05/02 (cvs).

    ippool arecibo {
        session-db = ${dbdir}/arecibo.db
        ip-index = ${dbdir}/arecibo-ip.db
        range-start = 196.12.182.65
        range-stop = 196.12.182.121
        netmask = 255.255.255.192
        cache-size = 1024
    }

That is the configuration for the ippool, it runs fine, it assigns addresses
and everything looks okay.
However, looking at it in debug mode, I see not very normal behaviour. It
starts giving out the addresses in random sequence; for example, instead of
first assigning 196.12.182.65 it gives 196.12.182.73 (first time, with virgin db).

I modified rlm_ippool.c to be a little more verbose, and on the creation of
the database it does create the ip address list in order. Like this:

Adding IP 196.12.182.65 state 0
Adding IP 196.12.182.66 state 0
Adding IP 196.12.182.67 state 0
Adding IP 196.12.182.68 state 0

Until it reaches 196.12.182.121 (which is correct.)

On the other hand, when looking for an ip address (virgin db, all ips are
supposed to be state 0) it searches them in random order.  Like this:

rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/3328
Found IP 196.12.182.114 state 1
Found IP 196.12.182.82 state 0

It started with 114 then jumped back to 82.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Using ippool with two radius servers?

2002-05-17 Thread Miquel van Smoorenburg

In article <00a101c1fd56$61050be0$b800a8c0@kelvindell>,
Echo FreeRadius <[EMAIL PROTECTED]> wrote:
>For example we are in the process of putting in 4 Nortel CVX 1800's with
>1288 lines each all in one large roll over (5152 lines) in the GTA (Greater
>Toronto Area)
>
>From those 4 CVX's we are going to provide wholesale dialup port for 4 - 10
>different ISP's  Each ISP wants their customers to receive an address from
>their IP block so it resolves back to their company.  This is done for
>several reasons controlling access to SMTP servers and other resources as
>well as just for appearance so that their customers can't see that we use
>the same dial-up ports.

So you create 1 pool for each ISP on each CVX. The CVX supports
multiple pools, and you can tell it which pool to use using a
radius attribute. If you have 4 CVXes, just make each pool 25%
of the max. number of dialin lines an ISP may use. Well maybe
a bit larger to allow for not-perfect distribution of clients
over the 4 CVXes.

Mike.
-- 
"Insanity -- a perfectly rational adjustment to an insane world."
  - R.D. Lang


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Using ippool with two radius servers?

2002-05-17 Thread Alan DeKok

"Echo FreeRadius" <[EMAIL PROTECTED]> wrote:
> For example we are in the process of putting in 4 Nortel CVX 1800's with
> 1288 lines each all in one large roll over (5152 lines) in the GTA (Greater
> Toronto Area)
> 
> From those 4 CVX's we are going to provide wholesale dialup port for 4 - 10
> different ISP's
...
> Anyway we wouldn't want each ISP to have to assign 1288 IP's to each NAS as
> this would be a large waste of IP addresses.  If we can have radius assign
> IP's then this greatly reduces the number of IP's allocated.

  This means that a particular IP address can be assigned on the fly
to any one of 4 NAS boxes.  In order to route the packet to the
correct NAS, you've got to add a new route for that IP.  This means
(as Miquel said) thousands of routes, and hundreds of route flaps.

  I'm not sure how else to do it.  Bridging and a smart switch may
help, but then you've got to forcibly expire arp entries in the
switch, and add new ones, when an IP address moves from NAS to NAS.
That may be hard.

> Again for redundancy and performance we will likely have 2-4 radius
> servers per company depending on the redundancy level they
> require. The sharing of IP's between radius server IPpools is a
> great asset.

  It's also hard.  You get into consistency issues, where the
"sharing" may only be done every so often, but customers may switch IP's
and re-dial more often than that.


  I would think about the issues VERY carefully before implementing
such a large and complicated network.  Be very sure that you can do
everything needed to make it work.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Using ippool with two radius servers?

2002-05-16 Thread Echo FreeRadius


Another example of where you would need IP's assigned from radius instead of
a NAS is in the case of VPOP's / Virtual ISP's


For example we are in the process of putting in 4 Nortel CVX 1800's with
1288 lines each all in one large roll over (5152 lines) in the GTA (Greater
Toronto Area)

From those 4 CVX's we are going to provide wholesale dialup port for 4 - 10
different ISP's  Each ISP wants their customers to receive an address from
their IP block so it resolves back to their company.  This is done for
several reasons controlling access to SMTP servers and other resources as
well as just for appearance so that their customers can't see that we use
the same dial-up ports.

Anyway we wouldn't want each ISP to have to assign 1288 IP's to each NAS as
this would be a large waste of IP addresses.  If we can have radius assign
IP's then this greatly reduces the number of IP's allocated.  Again for
redundancy and performance we will likely have 2-4 radius servers per
company depending on the redundancy level they require. The sharing of IP's
between radius server IPpools is a great asset.

Kelvin Hockin
Echo OnLine Internet Inc.
http://www.eol.ca

- Original Message -
From: "Simon Allard" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 16, 2002 5:36 PM
Subject: RE: Using ippool with two radius servers?


> > > > Ah, you only have one terminal server with 30.000 ports on it?
> > > > In that case, route the /17 to that NAS and be done with it.
> > > > But you likely have tens or hundreds of NASes.
> > > >
> > > > Either you're way ahead of me, or you really need to think this over.
> > >
> > > I think I'm ahead of you :-) Believe me, routing is not an issue
> > > here, I do have a /17 block with summarized pools in a way that I only
> > > need one static route per NAS (there are 20 of them). No need to use
> > > dynamic routing.
> >
> > Okay, you have a fixed pool assigned to each NAS.  I still fail to see
> > why you don't want the NAS to each handle the assignment of their own
> > pools?  But then what the heck do I know about building a big network...
>
>
> I have the same requirement (ippool over multiple radius servers).
> Sometimes allocating IPs from the NAS will just not work.
>
> For example say we have 4000 dialin ports. We allocate the IPs from the
> NAS for those users. All good.
>
> But we have a different bunch of users. Eg Sat routed users. They need a
> different IP Pool. There are not enough customers to warrant putting
> another pool on each NAS box. This is where IPpool works nicely.
>
> Most biggish ISP's need more than 1 radius server. We have 6 load
> balanced behind a layer 4 switch.
>
>
>
> Simon Allard (Senior Tool Monkey)
> IHUG
> Ph (09) 358-5067   Email: [EMAIL PROTECTED]
>
> I'm out of my mind right now, but feel free to leave a message.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Using ippool with two radius servers?

2002-05-16 Thread Simon Allard

> > > Ah, you only have one terminal server with 30.000 ports on it?
> > > In that case, route the /17 to that NAS and be done with it.
> > > But you likely have tens or hundreds of NASes.
> > >
> > > Either you're way ahead of me, or you really need to think this over.
> >
> > I think I'm ahead of you :-) Believe me, routing is not an issue
> > here, I do have a /17 block with summarized pools in a way that I only
> > need one static route per NAS (there are 20 of them). No need to use
> > dynamic routing.
>
> Okay, you have a fixed pool assigned to each NAS.  I still fail to see
> why you don't want the NAS to each handle the assignment of their own
> pools?  But then what the heck do I know about building a big network...


I have the same requirement (ippool over multiple radius servers).
Sometimes allocating IPs from the NAS will just not work.

For example say we have 4000 dialin ports. We allocate the IPs from the
NAS for those users. All good.

But we have a different bunch of users. Eg Sat routed users. They need a
different IP Pool. There are not enough customers to warrant putting
another pool on each NAS box. This is where IPpool works nicely.

Most biggish ISP's need more than 1 radius server. We have 6 load
balanced behind a layer 4 switch.



Simon Allard (Senior Tool Monkey)
IHUG
Ph (09) 358-5067   Email: [EMAIL PROTECTED]

I'm out of my mind right now, but feel free to leave a message.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Using ippool with two radius servers?

2002-05-16 Thread Chris Parker

At 04:58 PM 5/16/2002 -0300, Gelson Dias Santos wrote:

> > From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]
>
> > Ah, you only have one terminal server with 30.000 ports on it?
> > In that case, route the /17 to that NAS and be done with it.
> > But you likely have tens or hundreds of NASes.
> >
> > Either you're way ahead of me, or you really need to think this over.
>
> I think I'm ahead of you :-) Believe me, routing is not an issue
> here, I do have a /17 block with summarized pools in a way that I only
> need one static route per NAS (there are 20 of them). No need to use
> dynamic routing.

Okay, you have a fixed pool assigned to each NAS.  I still fail to see
why you don't want the NAS to each handle the assignment of their own
pools?  But then what the heck do I know about building a big network...

I've spoken my bit here, so I'll stop flogging the deceased equine.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Using ippool with two radius servers?

2002-05-16 Thread Gelson Dias Santos

> From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]


> > Why should I have 30.000 host routes?
> 
> Well, you're talking about 30.000 ports. If you are going to
> assign each of them an IP address using radius, you need
> a routing protocol to get the packets to the NAS.
> 
> >All I have is one /17
> >summarized route. All those IP's are on the same CIDR block.
> 
> Ah, you only have one terminal server with 30.000 ports on it?
> In that case, route the /17 to that NAS and be done with it.
> But you likely have tens or hundreds of NASes.
> 
> Either you're way ahead of me, or you really need to think this over.


I think I'm ahead of you :-) Believe me, routing is not an issue here, I do have a /17 block with summarized pools in a way that I only need one static route per NAS (there are 20 of them). No need to use dynamic routing.

Chris also suggested I should learn a bit more about ip routing. Well, we should always learn more, shouldn't we? But after 18 years of experience in IP networks I think I know how to route packets.

The answer I was looking for was given by Chris: the ip pool module can't handle a pool so large. Anyway, it can't synchronize pools of any size between two Radius servers, so I'll need to find another solution, or another Radius server.

Thanks all,
--
Gelson Dias Santos  ([EMAIL PROTECTED])
Backbone & Network Security
Vant Telecomunicações S.A.
http://www.vant.com.br



Re: Using ippool with two radius servers?

2002-05-15 Thread Miquel van Smoorenburg

In article <[EMAIL PROTECTED]>,
Gelson Dias Santos  <[EMAIL PROTECTED]> wrote:
>> -Original Message-
>> From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]
>
>> >Yes, I know I can have 'N' different ip pools configured, one for
>> >each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
>> >30.000 * N ips available.
>>
>> In that case you are also talking about 30.000 routes in your
>> internal routing protocol - and with that many dialup ports,
>> hundreds of route-flaps per second.
>>
>> It won't work. Your network and routers will fall over
>> and die screaming.
>
>   Why should I have 30.000 host routes?

Well, you're talking about 30.000 ports. If you are going to
assign each of them an IP address using radius, you need
a routing protocol to get the packets to the NAS.

>All I have is one /17
>summarized route. All those IP's are on the same CIDR block.

Ah, you only have one terminal server with 30.000 ports on it?
In that case, route the /17 to that NAS and be done with it.
But you likely have tens or hundreds of NASes.

Either you're way ahead of me, or you really need to think this over.

Mike.
-- 
"Insanity -- a perfectly rational adjustment to an insane world."
  - R.D. Lang


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Using ippool with two radius servers?

2002-05-15 Thread Gelson Dias Santos

> -Original Message-
> From: Chris Parker [mailto:[EMAIL PROTECTED]]
 
> > Is there a way to synchronize the ip databases between two (or
> > more) radius servers when using module ippool? If not, how do we avoid
> > giving the same ip to two users at the same time if the primary and
> > secondary radius do not share info about the ips already in use?


> 
> Why would you not want the NAS to handle their own ip pools?
> 
> -Chris


This is the way things work right now, but I need to add different classes of services, like dial backup and VPDN using the same dial ports, and these services require different ip addresses than those in the NAS pools. So, I have to set different pools for different classes of users.

I was thinking about using hints to differentiate users, so a user xxx.vpdn could match an entry like this:

    DEFAULT Hint == "vpdn", Pool-Name := vpdnpool

But then, how do I avoid conflicts when allocating IP's from pool vpdnpool if I have two Radius servers?


    Gelson 





Re: Using ippool with two radius servers?

2002-05-15 Thread Alan DeKok

Gelson Dias Santos <[EMAIL PROTECTED]> wrote:
>   Back to the original question; can I have two Radius servers managing
> the same IP address pool?

  It's difficult.  Both RADIUS servers have to be kept in PERFECT
synchronization, otherwise duplicate IP's are assigned.

  Your best bet may be to come up with some other solution...

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Using ippool with two radius servers?

2002-05-15 Thread Chris Parker

At 05:28 PM 5/15/2002 -0300, Gelson Dias Santos wrote:


> > -Original Message-
> > From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]
> >
> > > Yes, I know I can have 'N' different ip pools configured, one for
> > > each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
> > > 30.000 * N ips available.
> >
> > In that case you are also talking about 30.000 routes in your
> > internal routing protocol - and with that many dialup ports,
> > hundreds of route-flaps per second.
> >
> > It won't work. Your network and routers will fall over
> > and die screaming.
>
> Why should I have 30.000 host routes? All I have is one /17
> summarized route. All those IP's are on the same CIDR block.

Uhm.  Unless you have only one NAS, you'll have major issues.  Each
user will get a /32 ip.  If you have many NAS and the /32's are handed
out by the radius server, then you need to have all the NAS telling
each other about which /32's they have connected.

If that is not clear, you need to study routing, route summarization,
and ip subnetting some more.

> Back to the original question; can I have two Radius server
> managing the same IP address pool?

No.  ( And you really really really don't want to for 30,000 ips ).

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






RE: Using ippool with two radius servers?

2002-05-15 Thread Gelson Dias Santos

> -Original Message-
> From: Miquel van Smoorenburg [mailto:[EMAIL PROTECTED]]


> > Yes, I know I can have 'N' different ip pools configured, one for
> > each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
> > 30.000 * N ips available.
> 
> In that case you are also talking about 30.000 routes in your
> internal routing protocol - and with that many dialup ports,
> hundreds of route-flaps per second.
> 
> It won't work. Your network and routers will fall over
> and die screaming.


    Why should I have 30.000 host routes? All I have is one /17 summarized route. All those IP's are on the same CIDR block.

    Back to the original question; can I have two Radius server managing the same IP address pool?


    Gelson





Re: Using ippool with two radius servers?

2002-05-15 Thread Miquel van Smoorenburg

In article <[EMAIL PROTECTED]>,
Gelson Dias Santos  <[EMAIL PROTECTED]> wrote:
>   Is there a way to synchronize the ip databases between two (or more)
>radius servers when using module ippool? If not, how do we avoid giving the
>same ip to two users at the same time if the primary and secondary radius
>does not share info about the ips already in use?
>   Yes, I know I can have 'N' different ip pools configured, one for
>each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
>30.000 * N ips available.

In that case you are also talking about 30.000 routes in your
internal routing protocol - and with that many dialup ports,
hundreds of route-flaps per second.

It won't work. Your network and routers will fall over
and die screaming.

Mike.
-- 
"Insanity -- a perfectly rational adjustment to an insane world."
  - R.D. Lang





Re: Using ippool with two radius servers?

2002-05-15 Thread Chris Parker

At 03:51 PM 5/15/2002 -0300, Gelson Dias Santos wrote:

> Is there a way to synchronize the ip databases between two (or
> more) radius servers when using module ippool? If not, how do we avoid
> giving the same ip to two users at the same time if the primary and
> secondary radius does not share info about the ips already in use?
>
> Yes, I know I can have 'N' different ip pools configured, one for
> each NAS, but I'm talking about 30.000 dial ports, so I can't allocate
> 30.000 * N ips available.

Why would you not want the NAS to handle their own ip pools?

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Using ippool with two radius servers?

2002-05-15 Thread Gelson Dias Santos

    Is there a way to synchronize the ip databases between two (or more) radius servers when using module ippool? If not, how do we avoid giving the same ip to two users at the same time if the primary and secondary radius does not share info about the ips already in use?

    Yes, I know I can have 'N' different ip pools configured, one for each NAS, but I'm talking about 30.000 dial ports, so I can't allocate 30.000 * N ips available.

    Gelson





Re: IPPOOL

2002-05-11 Thread Kostas Kalevras

On Fri, 10 May 2002, Ben Casado wrote:

> Guys;
>
> Every so often I need to reboot the server because the system accepts the
> requests, authenticates the users, but it doesn't assign anymore addresses.
>
> The client dies as ppp cannot complete.
>
>
> Any suggestions
>
>
> Ben

From what I've seen from the logs you've sent the access server will send a
NAS-Identifier attribute and not a NAS-IP-Address attribute in Access and
Accounting requests. I've changed the module to be able to handle this case
(the key is now a string instead of an uint32). Do a cvs update and see how it
works. Remember though to first delete the ip pool databases you may have since
their structure has changed.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: IPPOOL

2002-05-10 Thread Ben Casado

Guys;

Every so often I need to reboot the server because the system accepts the
requests, authenticates the users, but it doesn't assign anymore addresses.

The client dies as ppp cannot complete.


Any suggestions


Ben



Re: IPPOOL

2002-05-07 Thread Kostas Kalevras

On Tue, 7 May 2002, Ben Casado wrote:

> #0  0xfef706a0 in exit () from /usr/platform/SUNW,Ultra-60/lib/libc_psr.so.1
> #1  0x397f4 in ippool_authorize (instance=0x12e748, request=0x821bfb8) at
> rlm_ippool.c:495
> #2  0x1fb54 in call_modsingle (component=4, sp=0x12e4a0, request=0x821bfb8,
> default_result=6) at modcall.c:205
> #3  0x1fcfc in modcall (component=1, c=0x12e4a0, request=0x821bfb8) at
> modcall.c:288
> #4  0x1fba8 in call_modgroup (component=1, g=0x12e4a0, request=0x821bfb8,
> default_result=3) at modcall.c:227
> #5  0x1fcac in modcall (component=1, c=0x129118, request=0x821bfb8) at
> modcall.c:281
> #6  0x1f370 in indexed_modcall (comp=1, idx=0, request=0x821bfb8) at
> modules.c:456
> #7  0x1f6e4 in module_authorize (autz_type=0, request=0x821bfb8) at
> modules.c:633
> #8  0x1c084 in rad_authenticate (request=0x821bfb8) at auth.c:518
> #9  0x17340 in rad_respond (request=0x821bfb8, fun=0x1bf24
> ) at radiusd.c:1526
> #10 0x21af4 in request_handler_thread (arg=0x821bd38) at threads.c:172
>

Ok, do a cvs update and see what happens now.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: IPPOOL

2002-05-07 Thread Ben Casado

#0  0xfef706a0 in exit () from /usr/platform/SUNW,Ultra-60/lib/libc_psr.so.1
#1  0x397f4 in ippool_authorize (instance=0x12e748, request=0x821bfb8) at
rlm_ippool.c:495
#2  0x1fb54 in call_modsingle (component=4, sp=0x12e4a0, request=0x821bfb8,
default_result=6) at modcall.c:205
#3  0x1fcfc in modcall (component=1, c=0x12e4a0, request=0x821bfb8) at
modcall.c:288
#4  0x1fba8 in call_modgroup (component=1, g=0x12e4a0, request=0x821bfb8,
default_result=3) at modcall.c:227
#5  0x1fcac in modcall (component=1, c=0x129118, request=0x821bfb8) at
modcall.c:281
#6  0x1f370 in indexed_modcall (comp=1, idx=0, request=0x821bfb8) at
modules.c:456
#7  0x1f6e4 in module_authorize (autz_type=0, request=0x821bfb8) at
modules.c:633
#8  0x1c084 in rad_authenticate (request=0x821bfb8) at auth.c:518
#9  0x17340 in rad_respond (request=0x821bfb8, fun=0x1bf24
) at radiusd.c:1526
#10 0x21af4 in request_handler_thread (arg=0x821bd38) at threads.c:172



- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 07, 2002 8:04 AM
Subject: Re: IPPOOL


> On Tue, 7 May 2002, Ben Casado wrote:
>
> > Nope guys the real output from the core could not be read. The earlier
> > results were NOT from the core, we get:
> >
> > # crash core
> > dumpfile = core, namelist = /dev/ksyms, outfile = stdout
> > crash: core is not a kernel core file (bad magic number 7f454c46)
> > crash: cannot open kvm - dump file core
> >
> > # act -d core
> >
> > act 7.17
> >
> > (Source code Copyright (c) 1997-2000 Sun Microsystems Inc.)
> >
> > kvm_open: core is not a kernel core file (bad magic number 7f454c46)
> > kvm_open failed
> >
>
> gdb radiusd core
> bt
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED]  National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>
>
>
>



Re: IPPOOL

2002-05-07 Thread Kostas Kalevras

On Tue, 7 May 2002, Ben Casado wrote:

> Nope guys the real output from the core could not be read. The earlier
> results were NOT from the core, we get:
>
> # crash core
> dumpfile = core, namelist = /dev/ksyms, outfile = stdout
> crash: core is not a kernel core file (bad magic number 7f454c46)
> crash: cannot open kvm - dump file core
>
> # act -d core
>
> act 7.17
>
> (Source code Copyright (c) 1997-2000 Sun Microsystems Inc.)
>
> kvm_open: core is not a kernel core file (bad magic number 7f454c46)
> kvm_open failed
>

gdb radiusd core
bt

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf







Re: IPPOOL

2002-05-07 Thread Ben Casado

Nope guys the real output from the core could not be read. The earlier
results were NOT from the core, we get:

# crash core
dumpfile = core, namelist = /dev/ksyms, outfile = stdout
crash: core is not a kernel core file (bad magic number 7f454c46)
crash: cannot open kvm - dump file core

# act -d core

act 7.17

(Source code Copyright (c) 1997-2000 Sun Microsystems Inc.)

kvm_open: core is not a kernel core file (bad magic number 7f454c46)
kvm_open failed




Re: IPPOOL

2002-05-07 Thread Ben Casado

here is some of the usual crash output. I would like to help
as much as i can to get this resolved.

Ben


> stat
system name:SunOS
release:5.8
node name:  radius
version:Generic_108528-13
machine name:   sun4u
time of crash:  Tue May  7 10:38:39 2002
age of system:  23 min.
panicstr:
panic registers:
pc: 0  sp: 0

Re: IPPOOL

2002-05-07 Thread Ben Casado

I have the core..

It is 139mb which is what I had left of memory, what can we do now?
- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 07, 2002 6:23 AM
Subject: Re: IPPOOL


> On Mon, 6 May 2002, Ben Casado wrote:
>
> > We fixed an issue that we had with accounting and the daemon ran ok for a
> > bit, but then it crashed with a segmentation fault.
> >
> > The only way that we were able to bring it up was by cleaning all the .db
> > files but we are sure that this is not the right way to get this fixed.
> >
> > Any ideas/suggestions
> >
> >
> > Ben
>
> gdb sbin/radiusd core
>
> When sending an email don't just write a one line description of what happened.
> Send back debugging output. Remember that the ip pool module is in experimental
> state. It is allowed to crash at this stage.
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>
>



Re: IPPOOL

2002-05-07 Thread Kostas Kalevras

On Mon, 6 May 2002, Ben Casado wrote:

> Acct-Status-Type = Stop
> NAS-Identifier = "Arecibo"
> Attr-172818435 = "01002D41D706939B"
> Service-Type = Framed-User
> NAS-Port = 16387
> NAS-Port-Type = Async
> Class = 0x653934
> Called-Station-Id = "7879594236"
> Calling-Station-Id = "7878159057"
> Acct-Delay-Time = 0
> Framed-IP-Address = 196.12.182.107
> User-Name = "go42r10"
> Framed-Protocol = PPP
> Acct-Input-Octets = 146103
> Acct-Output-Octets = 1032717
> Acct-Session-Id = "C07FCD70:0A71"
> Acct-Session-Time = 1223
> Acct-Input-Packets = 1332
> Acct-Output-Packets = 1246
> Acct-Authentic = RADIUS
> Acct-Link-Count = 1
> Login-IP-Host = 0.0.0.0
> Login-Service = PortMaster
> Login-TCP-Port = 0
> X-Ascend-Modem-PortNo = 33619970
> X-Ascend-Modem-SlotNo = 5
> X-Ascend-Disconnect-Cause = 45
> X-Ascend-Data-Rate = 28800
> X-Ascend-Xmit-Rate = 50667
> X-Ascend-PreSession-Time = 25
> rlm_ippool: Deallocated entry for ip/port: 196.12.182.92/16387
> rlm_ippool: num: 0
> Accounting: logout: login entry for NAS UNKNOWN-NAS port 16387 not found
> Sending Accounting-Response of id 139 to 10.50.2.1:2048
> rad_recv: Accounting-Request packet from host 10.50.2.1:2048, id=141,
> length=252
> Accounting-Request packet sent to a non-accounting port from client
> 10.50.2.1:2048 - ID 141 : IGNORED
> rad_recv: Accounting-Request packet from host 10.50.2.1:2048, id=146,
> length=252
> Accounting-Request packet sent to a non-accounting port from client
> 10.50.2.1:2048 - ID 146 : IGNORED
> rad_recv: Access-Request packet from host 10.50.2.1:2048, id=195, length=104
> User-Password = "\200e\3558\212Q\266\345e#\323{\270-'\202"
> NAS-Identifier = "Arecibo"
> User-Name = "go42r10"
> Called-Station-Id = "7879594236"
> Calling-Station-Id = "7878956159"
> NAS-Port = 16392
> NAS-Port-Type = Async
> Framed-Protocol = PPP
> Service-Type = Framed-User
> rlm_sql: Reserving sql socket id: 4
> rlm_sql: Released sql socket id: 4
> rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/16392
> rlm_ippool: num: 1
> rlm_ippool: Allocated ip 196.12.182.92 to client on nas 10.50.2.1,p

From the output you sent it seems to be working just great. It deallocates ip
196.12.182.92 and then it reassigns it to another user.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
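
Added example, not part of the thread and not FreeRADIUS code: a Python check that replays the `rlm_ippool: Allocated ip ...` and `rlm_ippool: Deallocated entry ...` debug lines in the form quoted above and reports addresses handed to a second nas/port while still leased, and releases for addresses the log never showed as allocated. The sample log is constructed (documentation addresses, hypothetical NAS names); `audit_pool_log` is a name chosen for this example.

```python
import re

# Line formats as they appear in the rlm_ippool debug output quoted in this thread.
ALLOC_RE = re.compile(
    r"rlm_ippool: Allocated ip (\S+) to client on nas (\S+?),\s*port (\d+)")
DEALLOC_RE = re.compile(
    r"rlm_ippool: Deallocated entry for ip/port: (\S+)/(\d+)")


def audit_pool_log(lines):
    """Replay allocate/deallocate events and report lease inconsistencies.

    Returns a dict with:
      duplicates      - (ip, first_holder, second_holder): the address went to a
                        second nas/port while the first lease was still open
      unknown_release - (ip, port, line_no): a deallocation for an address this
                        log never showed as allocated
      held            - ip -> (nas, port, line_no): leases still open at the end
    Lines that match neither format (including truncated ones) are skipped.
    """
    held = {}
    duplicates = []
    unknown_release = []
    for line_no, line in enumerate(lines, 1):
        m = ALLOC_RE.search(line)
        if m:
            ip, nas, port = m.group(1), m.group(2), int(m.group(3))
            previous = held.get(ip)
            # The same address sent again to the same nas/port is a refresh,
            # not a conflict; a different nas/port is a duplicate assignment.
            if previous is not None and previous[:2] != (nas, port):
                duplicates.append((ip, previous, (nas, port, line_no)))
            held[ip] = (nas, port, line_no)
            continue
        m = DEALLOC_RE.search(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            if held.pop(ip, None) is None:
                unknown_release.append((ip, port, line_no))
    return {"duplicates": duplicates,
            "unknown_release": unknown_release,
            "held": held}


# Constructed sample in the thread's log format.
SAMPLE_LOG = """\
rlm_ippool: Allocated ip 192.0.2.10 to client on nas nas1.example.net,port 1
rlm_ippool: Allocated ip 192.0.2.11 to client on nas nas1.example.net,port 2
rlm_ippool: Deallocated entry for ip/port: 192.0.2.10/1
rlm_ippool: Allocated ip 192.0.2.10 to client on nas nas1.example.net,port 3
rlm_ippool: Allocated ip 192.0.2.11 to client on nas nas2.example.net,port 7
rlm_ippool: Deallocated entry for ip/port: 192.0.2.99/5
""".splitlines()

if __name__ == "__main__":
    report = audit_pool_log(SAMPLE_LOG)
    for ip, first, second in report["duplicates"]:
        print(f"DUPLICATE {ip}: {first} still open when given to {second}")
    for ip, port, line_no in report["unknown_release"]:
        print(f"line {line_no}: release of {ip}/{port} with no matching allocation")
    for ip, holder in sorted(report["held"].items()):
        print(f"still leased {ip}: {holder}")
```

A log that starts after the server was already running will show `unknown_release` entries for sessions opened earlier, so judge those against the log's start time.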





Re: IPPOOL

2002-05-07 Thread Kostas Kalevras

On Mon, 6 May 2002, Ben Casado wrote:

> We fixed an issue that we had with accounting and the daemon ran ok for a
> bit, but then it crashed with a segmentation fault.
>
> The only way that we were able to bring it up was by cleaning all the .db
> files but we are sure that this is not the right way to get this fixed.
>
> Any ideas/suggestions
>
>
> Ben

gdb sbin/radiusd core

When sending an email don't just write a one line description of what happened.
Send back debugging output. Remember that the ip pool module is in experimental
state. It is allowed to crash at this stage.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





IPPOOL

2002-05-06 Thread Ben Casado

We fixed an issue that we had with accounting and the daemon ran ok for a
bit, but then it crashed with a segmentation fault.

The only way that we were able to bring it up was by cleaning all the .db
files but we are sure that this is not the right way to get this fixed.

Any ideas/suggestions


Ben



Re: IPPOOL

2002-05-06 Thread Ben Casado

Acct-Status-Type = Stop
NAS-Identifier = "Arecibo"
Attr-172818435 = "01002D41D706939B"
Service-Type = Framed-User
NAS-Port = 16387
NAS-Port-Type = Async
Class = 0x653934
Called-Station-Id = "7879594236"
Calling-Station-Id = "7878159057"
Acct-Delay-Time = 0
Framed-IP-Address = 196.12.182.107
User-Name = "go42r10"
Framed-Protocol = PPP
Acct-Input-Octets = 146103
Acct-Output-Octets = 1032717
Acct-Session-Id = "C07FCD70:0A71"
Acct-Session-Time = 1223
Acct-Input-Packets = 1332
Acct-Output-Packets = 1246
Acct-Authentic = RADIUS
Acct-Link-Count = 1
Login-IP-Host = 0.0.0.0
Login-Service = PortMaster
Login-TCP-Port = 0
X-Ascend-Modem-PortNo = 33619970
X-Ascend-Modem-SlotNo = 5
X-Ascend-Disconnect-Cause = 45
X-Ascend-Data-Rate = 28800
X-Ascend-Xmit-Rate = 50667
X-Ascend-PreSession-Time = 25
rlm_ippool: Deallocated entry for ip/port: 196.12.182.92/16387
rlm_ippool: num: 0
Accounting: logout: login entry for NAS UNKNOWN-NAS port 16387 not found
Sending Accounting-Response of id 139 to 10.50.2.1:2048
rad_recv: Accounting-Request packet from host 10.50.2.1:2048, id=141,
length=252
Accounting-Request packet sent to a non-accounting port from client
10.50.2.1:2048 - ID 141 : IGNORED
rad_recv: Accounting-Request packet from host 10.50.2.1:2048, id=146,
length=252
Accounting-Request packet sent to a non-accounting port from client
10.50.2.1:2048 - ID 146 : IGNORED
rad_recv: Access-Request packet from host 10.50.2.1:2048, id=195, length=104
User-Password = "\200e\3558\212Q\266\345e#\323{\270-'\202"
NAS-Identifier = "Arecibo"
User-Name = "go42r10"
Called-Station-Id = "7879594236"
Calling-Station-Id = "7878956159"
NAS-Port = 16392
NAS-Port-Type = Async
Framed-Protocol = PPP
Service-Type = Framed-User
rlm_sql: Reserving sql socket id: 4
rlm_sql: Released sql socket id: 4
rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/16392
rlm_ippool: num: 1
rlm_ippool: Allocated ip 196.12.182.92 to client on nas 10.50.2.1,p
- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 06, 2002 6:33 PM
Subject: Re: IPPOOL


> On Mon, 6 May 2002, Ben Casado wrote:
>
> > psss... i thought it worked but
> >
> > something weird,
> >
> > Seems that people connect, and disconnect, but the ip's from the people that
> > disconnect do not become available for reuse???
> >
> > Can you guys check that?
> >
> > Ben
>
> Could you please send some debugging output. I would be especially interested in
> the debug output of the handling of an accounting-stop packet for one of those
> disconnects.
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>
>
>



Re: IPPOOL

2002-05-06 Thread Kostas Kalevras

On Mon, 6 May 2002, Ben Casado wrote:

> psss... i thought it worked but
>
> something weird,
>
> Seems that people connect, and disconnect, but the ip's from the people that
> disconnect do not become available for reuse???
>
> Can you guys check that?
>
> Ben

Could you please send some debugging output. I would be especially interested in
the debug output of the handling of an accounting-stop packet for one of those
disconnects.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf






Re: IPPOOL

2002-05-06 Thread Chris Parker

At 05:33 PM 5/6/2002 -0300, Gelson Dias Santos wrote:

> >> we have tried various things but cannot get it to give addresses based on
> >> the nas identifier. what are we doing wrong?
> >
> >That's not the idea behind the ip_pool module. The idea is to assign ip's from
> >the same pool to all the access servers and not maintain separate pools for each
> >nas. In any case if you want to assign different addresses to each nas you can
>
> Hummm... how do I route ip packets to users on different nas
> servers if they are on the same pool, hence on the same subnet? I mean,
> if user 1 connects on nas 1 and gets ip 192.168.1.1, then users 2
> connects on nas 2 and gets the next ip, 192.168.1.2, how will my routers,
> servers etc know where to send their reply packets?

Generally handled by a dynamic routing protocol between your NAS and/or
a common router.  Dynamic routing protocols include OSPF, RIPv1, RIPv2,
IS-IS, ...

The exact choice is up to you ( as is the NAS configuration ).

The main concept to remember is that each of your users is *NOT* on the
same subnet, though their IP's may come from a sequential block of addresses.
Each user is on their own /32 ( 255.255.255.255 ) "subnet".

> When we have two different pools it's easy, just set a static route
> pointing the whole pool to the right server. With one big pool, how do I
> do it? I don't want to use RIP or anything like that to propagate
> thousands of host routes.

Then let your NAS assign the addresses.  You can run NAS assigned dynamic
addresses with a dynamic protocol just fine.

If you don't want to announce ( and withdraw ) thousands of host routes
into your IGP, then don't use server assigned addresses, let the NAS
handle it.

-Chris

--
\\\|||///  \  StarNet Inc.  \Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net
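
Added example, not part of the thread: a Python calculation of the routing cost discussed here and in the "one /17 summarized route" exchange, comparing the routes each NAS must announce when a server hands out addresses from one shared pool with the routes needed when each NAS owns its own prefix. The /28 pool, the NAS names and the login order are constructed assumptions, scaled down from the thread's numbers.

```python
import ipaddress
from collections import defaultdict


def host_routes(assignments):
    """Routes each NAS must announce when any NAS can hold any pool address.

    assignments: iterable of (ip, nas). Adjacent /32s on the same NAS are
    merged, so this is the best case a routing protocol could achieve.
    """
    by_nas = defaultdict(list)
    for ip, nas in assignments:
        by_nas[nas].append(ipaddress.ip_network(f"{ip}/32"))
    return {nas: list(ipaddress.collapse_addresses(nets))
            for nas, nets in by_nas.items()}


def static_routes(assignments, nas_pools):
    """Routes when each NAS owns one prefix and assigns from it locally.

    Raises ValueError if an address is in use on a NAS that does not own it,
    because the static route would deliver its traffic to the wrong NAS.
    """
    pools = {nas: ipaddress.ip_network(p) for nas, p in nas_pools.items()}
    for ip, nas in assignments:
        if ipaddress.ip_address(ip) not in pools[nas]:
            raise ValueError(f"{ip} is outside the pool of {nas}")
    return {nas: [net] for nas, net in pools.items()}


def total(table):
    """Number of prefixes in a {nas: [prefix, ...]} table."""
    return sum(len(nets) for nets in table.values())


def churn(before, after):
    """Announcements plus withdrawals needed to move between two tables."""
    def flat(t):
        return {(nas, str(net)) for nas, nets in t.items() for net in nets}
    return len(flat(before) ^ flat(after))


def redial(assignments, ip, new_nas):
    """The user holding `ip` hangs up and the address is next used on new_nas."""
    return [(a, new_nas if a == ip else nas) for a, nas in assignments]


# Constructed scenario: a /28 pool and four hypothetical NASes.
POOL = ipaddress.ip_network("10.0.0.0/28")
NASES = ["nas0", "nas1", "nas2", "nas3"]

# Server-assigned: addresses go out in login order, logins rotate over the NASes.
SHARED = [(str(ip), NASES[i % 4]) for i, ip in enumerate(POOL)]

# NAS-assigned: each NAS owns one /30 of the pool and fills it locally.
NAS_POOLS = {nas: str(net)
             for nas, net in zip(NASES, POOL.subnets(new_prefix=30))}
LOCAL = [(str(ip), nas)
         for nas, net in NAS_POOLS.items() for ip in ipaddress.ip_network(net)]

if __name__ == "__main__":
    print("shared pool, routes:", total(host_routes(SHARED)))
    print("per-NAS pools, routes:", total(static_routes(LOCAL, NAS_POOLS)))
    moved = redial(SHARED, "10.0.0.5", "nas2")
    print("route changes for one redial:",
          churn(host_routes(SHARED), host_routes(moved)))
```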






Re: IPPOOL

2002-05-06 Thread Gelson Dias Santos

>> we have tried various things but cannot get it to give addresses based on
>> the nas identifier. what are we doing wrong?
>
>That's not the idea behind the ip_pool module. The idea is to assign ip's from
>the same pool to all the access servers and not maintain separate pools for each
>nas. In any case if you want to assign different addresses to each nas you can


    Hummm... how do I route ip packets to users on different nas servers if they are on the same pool, hence on the same subnet? I mean, if user 1 connects on nas 1 and gets ip 192.168.1.1, then users 2 connects on nas 2 and gets the next ip, 192.168.1.2, how will my routers, servers etc know where to send their reply packets?

    When we have two different pools it's easy, just set a static route pointing the whole pool to the right server. With one big pool, how do I do it? I don't want to use RIP or anything like that to propagate thousands of host routes.

    Gelson





Re: IPPOOL

2002-05-06 Thread Ben Casado

psss... i thought it worked but

something weird,

Seems that people connect, and disconnect, but the ip's from the people that
disconnect do not become available for reuse???

Can you guys check that?

Ben
- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 06, 2002 10:25 AM
Subject: Re: IPPOOL


> On Sun, 5 May 2002, Ben Casado wrote:
>
> > we downloaded what we thought was the latest prior to making
> > it..
> >
> > we did
> >
> > a) downloaded and installed the cvs application (1.11.2)
> > b) and executed a download with it!!
> >
> > any suggestions which file to check to see if we did NOT get the latest!
> >
> > Ben
>
> In the server distribution root:
>
> 5:20pm  /src/cvs/radiusd > grep Pool-Name raddb/dictionary
> ATTRIBUTE Pool-Name 1073 string
>
> If your output is different then you need to upgrade. Either do a cvs update or
> grab the latest CVS snapshot from the ftp site.
>
>
> Your rlm_ippool.c should also be at least revision 1.3. You can find that by
> doing something like:
>
> 5:23pm  /src/cvs/radiusd > grep rcsid src/modules/rlm_ippool/rlm_ippool.c
> static const char rcsid[] = "$Id: rlm_ippool.c,v 1.4 2002/05/03 22:10:54 kkalev Exp $";
>
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>
>



Re: IPPOOL

2002-05-06 Thread Kostas Kalevras

On Sun, 5 May 2002, Ben Casado wrote:

> we downloaded what we thought was the latest prior to making
> it..
>
> we did
>
> a) downloaded and installed the cvs application (1.11.2)
> b) and executed a download with it!!
>
> any suggestions which file to check to see if we did NOT get the latest!
>
> Ben

In the server distribution root:

5:20pm  /src/cvs/radiusd > grep Pool-Name raddb/dictionary
ATTRIBUTE   Pool-Name   1073    string

If your output is different then you need to upgrade. Either do a cvs update or
grab the latest CVS snapshot from the ftp site.


Your rlm_ippool.c should also be at least revision 1.3. You can find that by
doing something like:

5:23pm  /src/cvs/radiusd > grep rcsid src/modules/rlm_ippool/rlm_ippool.c
static const char rcsid[] = "$Id: rlm_ippool.c,v 1.4 2002/05/03 22:10:54 kkalev Exp $";


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





Re: IPPOOL

2002-05-05 Thread Ben Casado

we downloaded what we thought was the latest prior to making
it..

we did

a) downloaded and installed the cvs application (1.11.2)
b) and executed a download with it!!

any suggestions which file to check to see if we did NOT get the latest!

Ben
- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, May 05, 2002 5:52 AM
Subject: Re: IPPOOL


> On Sat, 4 May 2002, Ben Casado wrote:
>
> > also,
> >
> > I get this error now.
> >
> >
> > Module: Loaded files
> > /usr/local/etc/raddb/users[112]: Parse error (check) for entry DEFAULT:
> > Unknown attribute Pool-Name
> > Errors reading /usr/local/etc/raddb/users
> >
> > Ben
>
> You will have to upgrade to the latest cvs if you are using freeradius 0.5.
>
> Now what do I mean with an instance for each nas server:
>
> ippool nas1 {
> session-db = "manati.db"
> ip-index =  "nas1.db"
> range-start = 196.12.162.1
> range-stop = 196.12.162.127
> netmask = 255.255.255.128
> cache-size = 150
> }
>
> ippool nas2 {
> session-db = "manati2.db"
> ip-index = "nas2.db"
> range-start = 196.12.162.128
> range-stop = 196.12.162.254
> netmask = 255.255.255.128
> cache-size = 150
> }
>
> I think you get the picture. You assign a different ip range to each nas server
> in each module instance.
>
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>
>
>
>



Re: IPPOOL

2002-05-05 Thread Kostas Kalevras

On Sat, 4 May 2002, Ben Casado wrote:

> also,
>
> I get this error now.
>
>
> Module: Loaded files
> /usr/local/etc/raddb/users[112]: Parse error (check) for entry DEFAULT:
> Unknown attribute Pool-Name
> Errors reading /usr/local/etc/raddb/users
>
> Ben

You will have to upgrade to the latest cvs if you are using freeradius 0.5.

Now what do I mean with an instance for each nas server:

ippool nas1 {
session-db = "manati.db"
ip-index =  "nas1.db"
range-start = 196.12.162.1
range-stop = 196.12.162.127
netmask = 255.255.255.128
cache-size = 150
}

ippool nas2 {
session-db = "manati2.db"
ip-index = "nas2.db"
range-start = 196.12.162.128
range-stop = 196.12.162.254
netmask = 255.255.255.128
cache-size = 150
}

I think you get the picture. You assign a different ip range to each nas server
in each module instance.


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
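
A sanity check for the per-NAS layout described in the reply above, as an added example that is not part of the original post or of FreeRADIUS: it parses `ippool` instance blocks and reports inverted ranges, ranges that overlap between instances (two instances able to hand out the same address), and ranges that cross a subnet boundary for the configured netmask. The sample blocks are constructed from the configurations quoted in this thread, trimmed to the keys the checks read; `parse_pools` and `check_pools` are hypothetical helper names.

```python
import ipaddress
import re

# The closing brace must start its own line, so the "}" in "${confdir}" is skipped.
BLOCK_RE = re.compile(r"^\s*ippool[ \t]*(\S*)[ \t]*\{(.*?)^\s*\}", re.S | re.M)
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

# Constructed from this thread, trimmed to the keys the checks read:
# the per-NAS instances from the reply, then the blocks from the question.
PER_NAS_CONF = """
ippool nas1 {
    range-start = 196.12.162.1
    range-stop = 196.12.162.127
    netmask = 255.255.255.128
}
ippool nas2 {
    range-start = 196.12.162.128
    range-stop = 196.12.162.254
    netmask = 255.255.255.128
}
"""
QUESTION_CONF = """
ippool {
    session-db = "${confdir}/ippool.db"
    range-start = 196.12.162.65
    range-stop = 196.12.162.126
    netmask = 255.255.255.224
}
ippool pool2 {
    range-start = 196.12.176.1
    range-stop = 196.12.162.126
    netmask = 255.255.255.128
}
"""

def parse_pools(conf_text):
    """Return {instance_name: {key: value}} for every ippool block."""
    pools = {}
    for name, body in BLOCK_RE.findall(conf_text):
        body = re.sub(r"#.*", "", body)  # drop comments
        pools[name or "ippool"] = dict(ITEM_RE.findall(body))
    return pools

def check_pools(pools):
    """Return a list of (severity, instance, message) findings."""
    findings, ranges = [], {}
    for name, cfg in pools.items():
        start = ipaddress.IPv4Address(cfg["range-start"])
        stop = ipaddress.IPv4Address(cfg["range-stop"])
        mask = int(ipaddress.IPv4Address(cfg["netmask"]))
        if start > stop:
            findings.append(("error", name, f"range-start {start} > range-stop {stop}"))
            continue
        if int(start) & mask != int(stop) & mask:
            findings.append(("warn", name, f"range crosses a subnet for netmask {cfg['netmask']}"))
        for other, (o_start, o_stop) in ranges.items():
            if start <= o_stop and o_start <= stop:
                findings.append(("error", name, f"range overlaps instance {other}"))
        ranges[name] = (start, stop)
    return findings

if __name__ == "__main__":
    for label, conf in (("per-NAS", PER_NAS_CONF), ("question", QUESTION_CONF)):
        print(label, check_pools(parse_pools(conf)) or "ok")
```
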







Re: IPPOOL

2002-05-04 Thread Ben Casado

also,

I get this error now.


Module: Loaded files
/usr/local/etc/raddb/users[112]: Parse error (check) for entry DEFAULT:
Unknown attribute Pool-Name
Errors reading /usr/local/etc/raddb/users

Ben
- Original Message -
From: "Ben Casado" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, May 04, 2002 5:17 PM
Subject: Re: IPPOOL


> Ok, but what do you mean by this?
>
>     > create one instance of the ippool module for each nas
>
>
> Ben
> - Original Message -
> From: "Kostas Kalevras" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, May 04, 2002 9:54 AM
> Subject: Re: IPPOOL
>
>
> > On Fri, 3 May 2002, Ben Casado wrote:
> >
> > > This is what we have done to the radiusd.conf file. With this we only get
> > > addresses from that range, and that is not what we want.
> > >
> > > ===
> > > ippool {
> > > session-db = "manati.db"
> > > ip-index =  196.12.162.64
> > > range-start = 196.12.162.65
> > > range-stop = 196.12.162.126
> > > netmask = 255.255.255.224
> > > cache-size = 5000
> > > }
> > >
> > > ===
> > >
> > > we have tried various things but cannot get it to give addresses based on
> > > the nas identifier. what are we doing wrong?
> > >
> > > Thanks
> > >
> > > Ben
> >
> > That's not the idea behind the ip_pool module. The idea is to assign ip's from
> > the same pool to all the access servers and not maintain separate pools for each
> > nas. In any case if you want to assign different addresses to each nas you can
> > create one instance of the ippool module for each nas. Then in your authorize
> > section make sure you have the files (users file) module before the ip pool
> > modules. In your users file do something like this:
> >
> > DEFAULT NAS-IP-Address == 66.108.198.79, Pool-Name := "pool1"
> >
> > DEFAULT NAS-IP-Address == 66.108.198.80, Pool-Name := "pool2"
> >
> > while your authorize section will look like this:
> >
> > authorize {
> > files
> > pool1
> > pool2
> > [...]
> > }
> >
> > --
> > Kostas Kalevras Network Operations Center
> > [EMAIL PROTECTED] National Technical University of Athens, Greece
> > Work Phone: +30 10 7721861
> > 'Go back to the shadow' Gandalf
> >
> >
> >
> >

Re: IPPOOL

2002-05-04 Thread Ben Casado

Ok, but what do you mean by this?

> create one instance of the ippool module for each nas


Ben
- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, May 04, 2002 9:54 AM
Subject: Re: IPPOOL


> On Fri, 3 May 2002, Ben Casado wrote:
>
> > This is what we have done to the radiusd.conf file. With this we only get
> > addresses from that range, and that is not what we want.
> >
> > ===
> > ippool {
> > session-db = "manati.db"
> > ip-index =  196.12.162.64
> > range-start = 196.12.162.65
> > range-stop = 196.12.162.126
> > netmask = 255.255.255.224
> > cache-size = 5000
> > }
> >
> > ===
> >
> > we have tried various things but cannot get it to give addresses based on
> > the nas identifier. what are we doing wrong?
> >
> > Thanks
> >
> > Ben
>
> That's not the idea behind the ip_pool module. The idea is to assign ip's from
> the same pool to all the access servers and not maintain separate pools for each
> nas. In any case if you want to assign different addresses to each nas you can
> create one instance of the ippool module for each nas. Then in your authorize
> section make sure you have the files (users file) module before the ip pool
> modules. In your users file do something like this:
>
> DEFAULT NAS-IP-Address == 66.108.198.79, Pool-Name := "pool1"
>
> DEFAULT NAS-IP-Address == 66.108.198.80, Pool-Name := "pool2"
>
> while your authorize section will look like this:
>
> authorize {
> files
> pool1
> pool2
> [...]
> }
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>
>
>
>



Re: IPPOOL

2002-05-04 Thread Kostas Kalevras

On Fri, 3 May 2002, Ben Casado wrote:

> This is what we have done to the radiusd.conf file. With this we only get
> addresses from that range, and that is not what we want.
>
> ===
> ippool {
> session-db = "manati.db"
> ip-index =  196.12.162.64
> range-start = 196.12.162.65
> range-stop = 196.12.162.126
> netmask = 255.255.255.224
> cache-size = 5000
> }
>
> ===
>
> we have tried various things but cannot get it to give addresses based on
> the nas identifier. what are we doing wrong?
>
> Thanks
>
> Ben

That's not the idea behind the ip_pool module. The idea is to assign ip's from
the same pool to all the access servers and not maintain separate pools for each
nas. In any case if you want to assign different addresses to each nas you can
create one instance of the ippool module for each nas. Then in your authorize
section make sure you have the files (users file) module before the ip pool
modules. In your users file do something like this:

DEFAULT NAS-IP-Address == 66.108.198.79, Pool-Name := "pool1"

DEFAULT NAS-IP-Address == 66.108.198.80, Pool-Name := "pool2"

while your authorize section will look like this:

authorize {
files
pool1
pool2
[...]
}

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf







IPPOOL

2002-05-04 Thread Ben Casado



We have a question about the ippools,

we have this in the radiusd.conf:

ippool {
    session-db = "${confdir}/ippool.db"
    ip-index =  "manati"
    range-start = 196.12.162.65
    range-stop = 196.12.162.126
    netmask = 255.255.255.224
    cache-size = 5000
    }

ippool pool2 {
    session-db = "${confdir}/ippool.db2"
    ip-index =  "ponce"
    range-start = 196.12.176.1
    range-stop = 196.12.162.126
    netmask = 255.255.255.128
    cache-size = 5000
    }

--

we get in the radiusd -xx

Module: Loaded IPPOOL
 ippool: session-db = "/usr/local/etc/raddb/ippool.db"
 ippool: ip-index = "manati"
 ippool: range-start = 196.12.162.65 IP address [196.12.162.65]
 ippool: range-stop = 196.12.162.126 IP address [196.12.162.126]
 ippool: netmask = 255.255.255.224 IP address [255.255.255.224]
 ippool: cache-size = 5000
Module: Instantiated ippool (ippool)

=

Regardless of what nas server we use we always get:  rlm_ippool: num: 1 and IPs from top one

rad_recv: Access-Request packet from host 66.108.198.79:4035, id=42,length=47
    User-Name = "go42r10"
    User-Password = "cj9k\310\353\332\241\201\304"_7\244\373\274"
rlm_ippool: num: 1
rlm_ippool: Allocated ip 196.12.162.122 to client on nas 66.108.198.79,port 0

---

Can you help us?

we have 7 nas servers and expect different addresses but it is not working.

Ben






Re: IPPOOL

2002-05-04 Thread Chris Parker

At 09:20 PM 5/2/2002 -0400, Ben Casado wrote:
>We are trying to configure our radius to give out the addresses instead of 
>the comm servers. For that we have downloaded the software and compiled it 
>with the rlm_ippool.
>
>Can someone direct us to what we need to do next?

Configure rlm_ippool according to the examples and documentation provided.
You'll probably have to play with it a while.

And for the record, I'm against the radius server attempting to assign
ip's.  It may work in very small environments, but it does not scale.

-Chris
--
\\\|||///  \  StarNet Inc.  \Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: IPPOOL

2002-05-04 Thread Alan DeKok

"Ben Casado" <[EMAIL PROTECTED]> wrote:
> We are trying to configure our radius to give out the addresses instead
> of the comm servers. For that we have downloaded the software and
> compiled it with the rlm_ippool.
> 
> Can someone direct us to what we need to do next?

  Run it in debugging mode, and send it test packets.

  The FAQ says how to do this.

  Alan DeKok.




Re: IPPOOL

2002-05-04 Thread Ben Casado

This is what we have done to the radiusd.conf file. With this we only get
addresses from that range, and that is not what we want.

===
ippool {
session-db = "manati.db"
ip-index =  196.12.162.64
range-start = 196.12.162.65
range-stop = 196.12.162.126
netmask = 255.255.255.224
cache-size = 5000
}

===

we have tried various things but cannot get it to give addresses based on
the nas identifier. what are we doing wrong?

Thanks

Ben

- Original Message -
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 03, 2002 7:17 AM
Subject: Re: IPPOOL


> On Thu, 2 May 2002, Ben Casado wrote:
>
> > We are trying to configure our radius to give out the addresses instead of
> > the comm servers. For that we have downloaded the software and compiled it
> > with the rlm_ippool.
> >
> > Can someone direct us to what we need to do next?
> >
> >
> > Thanks in advance,
> >
> >
> > Ben
>
> Read the comments in radiusd.conf for the ippool module? They are quite
> descriptive of what you need to do.
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>
>



Re: IPPOOL

2002-05-03 Thread Kostas Kalevras

On Thu, 2 May 2002, Ben Casado wrote:

> We are trying to configure our radius to give out the addresses instead of
> the comm servers. For that we have downloaded the software and compiled it
> with the rlm_ippool.
>
> Can someone direct us to what we need to do next?
>
>
> Thanks in advance,
>
>
> Ben

Read the comments in radiusd.conf for the ippool module? They are quite
descriptive of what you need to do.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





IPPOOL

2002-05-03 Thread Ben Casado



We are trying to configure our radius to give out the addresses instead of the
comm servers. For that we have downloaded the software and compiled it with the
rlm_ippool.

Can someone direct us to what we need to do next?


Thanks in advance,


Ben

