Accounting freeradius

2004-10-25 Thread Marco . Panek
Hello,

freeradius 1.0.1 is working fine. Authentication is via winbind against an M$
Domain.
With Radiusreport I see logon and logoff times and total times for all
users.
But I want accounting for the traffic of all users.

Any help with settings in radius.conf, or must I install any other
packages?

from radiusd -X:


  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 33
  modcall[preacct]: module "preprocess" returns noop for request 33
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request,
unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 172.20.49.102,NAS-IP-Address
= 172.20.49.102,Acct-Session-Id = "0061",User-Name = "panekm"'
rlm_acct_unique: Acct-Unique-Session-ID = "040f6e4aaad7aa47".
  modcall[preacct]: module "acct_unique" returns ok for request 33
rlm_realm: No '@' in User-Name = "panekm", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 33
  modcall[preacct]: module "files" returns noop for request 33
modcall: group preacct returns ok for request 33
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 33
radius_xlat:  '/var/log/freeradius/radacct/172.20.49.102/detail-2004'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y
expands to /var/log/freeradius/radacct/172.20.49.102/detail-2004
  modcall[accounting]: module "detail" returns ok for request 33
  modcall[accounting]: module "unix" returns noop for request 33
radius_xlat:  '/var/log/freeradius/radutmp'
radius_xlat:  'panekm'
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
  modcall[accounting]: module "radutmp" returns noop for request 33
modcall: group accounting returns ok for request 33
Sending Accounting-Response of id 76 to 172.20.49.102:1037
Finished request 33
Going to the next request
--- Walking the entire request list ---
Cleaning up request 33 ID 76 with timestamp 417d1d45



Is this all okay, or is it wrong?

THX

Regards / Grüße / Danke

Marco Panek

...
Smurfit Europa Carton GmbH
Information Systems (IS)
Tilsiter Straße 144
D-22047 Hamburg

Tel:+49 (0)40  30901 191
Fax:  +49 (0)40  30901 5191
[EMAIL PROTECTED]


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


ip pool in mysql

2004-10-25 Thread ral
Hi,

I'm trying to use mysql with freeradius, my problem is, it looks like ip
pool doesn't work, I'm not sure with my schema though, can anyone give
me a sample of the schema for this?


Thanks.

Lito 




Re: 3 LDAP questions!

2004-10-25 Thread Ilia Chipitsine
> You could just add it and send it back through a bugs report in 
> bugs.freeradius.org

I did so.

>> 3) how can equivalent of the following users file be implemented with
>>   LDAP:
>> chel   Auth-Type := MS-CHAP, NAS-IP-Address == 192.168.201.1
>>   Service-Type = Framed-User,
>>   Simultaneous-Use = 1,
>>   Framed-Protocol = PPP,
>>   Framed-IP-Address = 192.168.201.2,
>>   Framed-IP-Netmask = 255.255.255.0,
>>   Framed-Routing = Broadcast-Listen,
>>   Framed-Filter-Id = "std.ppp",
>>   Framed-MTU = 1400,
>>   Framed-Compression = Van-Jacobson-TCP-IP
>> chel   Auth-Type := MS-CHAP, NAS-IP-Address == 192.168.202.1
>>   Service-Type = Framed-User,
>>   Simultaneous-Use = 1,
>>   Framed-Protocol = PPP,
>>   Framed-IP-Address = 192.168.202.2,
>>   Framed-IP-Netmask = 255.255.255.0,
>>   Framed-Routing = Broadcast-Listen,
>>   Framed-Filter-Id = "std.ppp",
>>   Framed-MTU = 1400,
>>   Framed-Compression = Van-Jacobson-TCP-IP
>> so, I need two records for "chel" user depending on NAS-IP-Address they come 
>> from.
>
> In ldap you have only *one* record for each user. If you need different 
> Framed-IP-Address attributes for each user depending on the NAS then you need 
> to either:
>
> Create multiple user entries and use a filter to find them:
> (&(uid=%u)(nasipaddress=%{NAS-IP-Address}))
> Create multiple ldap module instances with different attribute mappings and 
> depending on the NAS select the corresponding instance:
>
> DEFAULT	NAS-IP-Address == 192.168.201.1, Autz-Type := ldap1

two different LDAP servers ?

>> Cheers,
>> Ilia Chipitsine
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED]   National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf


Re: forward request on port 80

2004-10-25 Thread Cameron Birky
why don't you assign a particular subnet for non-proxy users and another for 
proxy users?  that way
you can assign subnet by group via your pptpd and via the router and 
firewall dictate who needs
to go through the proxy.

cb

From: "Bartosz Jozwiak" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: Re: forward request on port 80
Date: Sun, 24 Oct 2004 14:40:44 -0300
Bartosz Jozwiak wrote:
I have a cisco router for dial-up.
I will look on cisco website if my router supports it somehow.
Does anybody tried to set up something like that before ?
Look for Cisco SSG feature - it isn't exactly what you need,
but maybe will help you find some similar solutions
Michal
What I am trying to do is "safe internet for children"
So some customers can turn on feature for example "website context 
filtering" for their account.
And these users when they dial-in, router should know that website traffic 
should be
redirected to http proxy.
This is what I am trying to do and I started making my research with 
radius.

bartosz


Exec-Program output: freeradius not reading response?

2004-10-25 Thread Nate M
Problem exists, when posting multiple requests to radiusd it occasionally
will not receive or somehow omit the exit status of Exec-Program-Wait.

-- log snippet -
radius_xlat:  '/etc/raddb/scripts/test.pl'
Exec-Program: /etc/raddb/scripts/test.pl
Waking up in 3 seconds...
Exec-Program output: 
--- Walking the entire request list ---

And later the process blorts.. 

--- log snippet ---
WARNING: Unresponsive child (id 1098905952) for request 6
Server rejecting request 6.

A good request looks like:

Exec-Program output: 0 (for success)
or
Exec-Program output: 1 (for reject)

I can duplicate this over and over on various machines and platforms.
Problem cannot be duplicated in -s mode.

I have tons of extra logs available (and previously posted in list) if that
will help diagnose this issue.

Anyone's help is greatly appreciated.


- Nathan Miller





Failure to link rlm_ldap

2004-10-25 Thread James Smith
I am attempting to configure FreeRadius to use our LDAP directory for
authentication and have made the necessary modifications to radiusd.conf,
but get the following error when starting radiusd:

radiusd.conf[724] Failed to link to module 'rlm_ldap': ld.so.1: ./radiusd:
fatal: relocation error: file /usr/local/lib/libldap_r-2.2.so.7: symbol
__udivdi3: referenced symbol not found

I'm using FreeRADIUS Version 1.0.1 on Solaris 9, everything appeared to
compile okay, and without the LDAP entries in the authenticate section, the
daemon starts fine and authenticates users against the unix passwd file
fine. I am using openldap-2.2.17 and both were compiled using gcc v3.4.0. An
'ldd rlm_ldap.so' produces the following:

libsasl.so.7 =>  ./libsasl.so.7
liblber-2.2.so.7 =>  ./liblber-2.2.so.7
libldap_r-2.2.so.7 =>./libldap_r-2.2.so.7
libnsl.so.1 =>   /usr/lib/libnsl.so.1
libresolv.so.2 =>/usr/lib/libresolv.so.2
libsocket.so.1 =>/usr/lib/libsocket.so.1
librt.so.1 =>/usr/lib/librt.so.1
libpthread.so.1 =>   /usr/lib/libpthread.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 =>/usr/lib/libdl.so.1
libpam.so.1 =>   /usr/lib/libpam.so.1
libgen.so.1 =>   /usr/lib/libgen.so.1
libsasl2.so.2 => ./libsasl2.so.2
libmp.so.2 =>/usr/lib/libmp.so.2
libaio.so.1 =>   /usr/lib/libaio.so.1
libmd5.so.1 =>   /usr/lib/libmd5.so.1
libcmd.so.1 =>   /usr/lib/libcmd.so.1
libthread.so.1 =>/usr/lib/libthread.so.1
/usr/platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1
/usr/platform/SUNW,Sun-Fire-V440/lib/libmd5_psr.so.1

And an 'ldd libldap_r-2.2.so.7' produces:

liblber-2.2.so.7 =>  ./liblber-2.2.so.7
libresolv.so.2 =>/usr/lib/libresolv.so.2
libgen.so.1 =>   /usr/lib/libgen.so.1
libnsl.so.1 =>   /usr/lib/libnsl.so.1
libsocket.so.1 =>/usr/lib/libsocket.so.1
libsasl2.so.2 => ./libsasl2.so.2
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 =>/usr/lib/libdl.so.1
libmp.so.2 =>/usr/lib/libmp.so.2
/usr/platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1

So it would appear that the necessary libraries are being found. Any
suggestions would be most appreciated.


Regards
James

><> ><> ><> ><> ><> ~ <>< <>< <>< <>< <><
Systems Administrator
Australian Institute of Marine Science
Townsville, FNQ, Australia
Ph: 0747534400  Mobile: 0439916246
Email: sysadmin (at) aims.gov.au  Fax: 0747725852
><> ><> ><> ><> ><> ~ <>< <>< <>< <>< <><



radrelay - filelock problem

2004-10-25 Thread Rohaizam Abu Bakar



Hi..

OS:       FreeBSD 4.9p4
Version:  Freeradius 1.0.1

My radrelay seems not to be fully working... I receive a lot of the errors
below. I've followed all the docs given regarding how to set up radrelay.

Tue Oct 26 05:30:32 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius8, giving up
Tue Oct 26 05:50:52 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius7, giving up
Tue Oct 26 05:58:16 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius5, giving up
Tue Oct 26 05:58:38 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius6, giving up
Tue Oct 26 06:11:36 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius7, giving up
Tue Oct 26 06:17:02 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius6, giving up

My setting is as below:

radius1 ---> radius2
        ---> radius3
        ---> radius4

then

radius2 ---> radius1
        ---> radius3
        ---> radius4

and so on... until all 4 have the same full accounting record.

I ran 3 of the below command for replication:

/usr/local/bin/radrelay -a /var/adm/radacct -d /usr/local/etc/raddb \
    -S /usr/local/etc/raddb/radrelay_secret -r radiusX:1646 \
    detail-combined

But it is not working well... the accounting seems to be relayed but some
accounting is missing... the detail file is not rotated properly and will
grow too big, and I receive a lot of the above error... Please help..!!
 
 
--haizam


Re: Is there a good web based administration tool

2004-10-25 Thread Adi Linden
> Yes. Dialup Admin.  It's bundled with freeradius too!

Thanks! I am running an older version of freeradius on a box. It
authenticates against users in LDAP. The LDAP directory and userdatabase
existed before freeradius entered the picture. Now I am looking for a
standalone radius, management, accounting box for a dialin pool. I see
that there is a HOWTO document. Perhaps I can just pass all the
information to the organization needing the server and just offer support.

Thanks,
Adi



FreeRadius -> Ldap -> Novell DS

2004-10-25 Thread [EMAIL PROTECTED]



Hi List
 
I'm hoping that someone out there has done a 
similar setup to this.
I am wanting to authenticate wireless users 
primarily, against the Novell Directory (NDS) that we have of all the 
users.
I have installed and configured FreeRadius to work 
using eap-tls with peap but only using the users file on the 
server.
Does anyone use this kind of setup and would kindly 
offer some advice and guidance ?
 
I expect to have to configure FreeRadius to use 
ldap as its mechanism and then install OpenLDAP on the same server.
While at the Novell side I expect to have 
installed eDIR (Novell's ldap server) and hopefully the Netware guys at 
work will sort the rest of that side out.
 
Am I barking up the wrong tree in terms of what is 
needed ?
 
Absolutely any help appreciated.
 
Regards
Dave


Re: Is there a good web based administration tool

2004-10-25 Thread Julius Igugu



Yes. Dialup Admin.  It's bundled with freeradius too!

--- Adi Linden <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> Just a quick question, is there a good web based administration tool to
> manage and account dialup users?
> 
> Adi


=
Julius Igugu
SouthWork Co. Ltd.





RE : Is there a good web based administration tool

2004-10-25 Thread EROS
Yes dialup_admin 

It is in the same package with radius

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Adi
Linden
Sent: Monday, 25 October 2004 20:56
To: [EMAIL PROTECTED]
Subject: Is there a good web based administration tool


Hi,

Just a quick question, is there a good web based administration tool to
manage and account dialup users?

Adi



Is there a good web based administration tool

2004-10-25 Thread Adi Linden
Hi,

Just a quick question, is there a good web based administration tool to
manage and account dialup users?

Adi



Re: Help with Cisco AVPair Attributes

2004-10-25 Thread Mikel Beck
To answer my own question, I found out that if I:
1) set with_cisco_vsa_hack = yes in radiusd.conf
2) add the attributes I want to have stripped from the AVPair fields to 
cisco.dictionary in /usr/local/share/freeradius, freeradius will create new 
attributes with these names.

- Original Message - 
From: "Mikel Beck" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 22, 2004 2:23 PM
Subject: Help with Cisco AVPair Attributes


I've got accounting data coming into my freeradius from a bunch of Cisco 
1200AP Wireless access points. I'd like to log the data included in the 
Cisco-AVPair attributes.

I changed the 1200's to report their data to the freeradius as 
"non-standard". This helped somewhat, some of the attributes came in as 
"X-Ascend", but others are still listed as "Cisco-AVPair".

Here's an "start" packet example:
 Acct-Session-Id = "0099"
   Called-Station-Id = "mac-address1"
   Calling-Station-Id = "mac-address2"
   Cisco-AVPair = "ssid=cisco-ssid"
   Cisco-AVPair = "nas-location=unspecified"
   X-Ascend-Connect-Progress = 10
   Cisco-AVPair = "connect-progress=Call Up"
   User-Name = "mac-address2"
   Acct-Status-Type = Start
   NAS-Port-Type = Wireless-802.11
   Cisco-NAS-Port = "330"
   NAS-Port = 330
   Service-Type = Framed-User
   NAS-IP-Address = nas-ip-address
   Acct-Delay-Time = 0
   Client-IP-Address = 192.168.3.242
   Acct-Unique-Session-Id = "sessionid"
   Timestamp = 1098456793
I'd like to log the data contained in the Cisco-AVPair fields. On the 
"stop" packet there are more fields than are shown here.

How do I go about doing this?
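
The same split can be applied offline to records that were already logged with raw Cisco-AVPair values. This is an added example, not part of the original post and not FreeRADIUS code: it parses one record in the layout shown above and promotes only allowlisted AVPair names, the allowlist standing in for the dictionary entries. The sample record and the names parse_record, expand_avpairs and ALLOWED are constructed for illustration.

```python
import re

# Constructed sample in the "Attribute = value" layout of the start packet above.
SAMPLE_RECORD = """\
    Acct-Session-Id = "0099"
    Cisco-AVPair = "ssid=guest=lab"
    Cisco-AVPair = "nas-location=unspecified"
    Cisco-AVPair = "connect-progress=Call Up"
    Cisco-AVPair = "User-Name=someone-else"
    Cisco-AVPair = "no-equals-sign"
    User-Name = "mac-address2"
    Acct-Status-Type = Start
    NAS-Port = 330
"""

# Names promoted to their own attribute (assumption: mirrors the names one
# would add to the Cisco dictionary). Everything else stays a raw AVPair,
# because the name inside a Cisco-AVPair string is chosen by the NAS.
ALLOWED = {"ssid", "nas-location", "connect-progress"}

_LINE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')


def parse_record(text):
    """Return (attribute, value) pairs, keeping order and repeated attributes."""
    pairs = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        # Strip the surrounding quotes used for string attributes.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((name, value))
    return pairs


def expand_avpairs(pairs, allowed=ALLOWED):
    """Split allowlisted Cisco-AVPair values into their own attributes.

    Returns (attributes, leftovers). Leftovers are AVPair strings that were
    malformed or not allowlisted; they are kept verbatim for review instead
    of being turned into attributes that could shadow standard ones.
    """
    attributes, leftovers = [], []
    for name, value in pairs:
        if name != "Cisco-AVPair":
            attributes.append((name, value))
            continue
        key, sep, rest = value.partition("=")  # split on the first '=' only
        if sep and key in allowed:
            attributes.append((key, rest))
        else:
            leftovers.append(value)
    return attributes, leftovers


if __name__ == "__main__":
    attrs, left = expand_avpairs(parse_record(SAMPLE_RECORD))
    for name, value in attrs:
        print(f"{name} = {value}")
    print("not promoted:", left)
```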


Re: EAP and multiples LDAP

2004-10-25 Thread Alan DeKok
Sergio Sagliocco <[EMAIL PROTECTED]> wrote:
> In the authorize section I had also included "files"...but it doesn't 
> work.

  Yes, it does.

  Alan DeKok.



Re: EAP and multiples LDAP

2004-10-25 Thread Sergio Sagliocco
Sorry
In the authorize section I had also included "files"...but it doesn't 
work.

thanks
Sergio Sagliocco
Alan DeKok wrote:
> Sergio Sagliocco <[EMAIL PROTECTED]> wrote:
>> My users file is:
> ..
>> The authorize section is:
>> authorize {
> ..
>
>  Which doesn't include the "files" module.  I'm not sure why you
> would delete it.
>
>  List "files" in "authorize", and it will work.
>
>  Alan DeKok.


 

--
Sergio SAGLIOCCO
SecureLAB - System & Network Security 
CSP s.c. a r.l. 
__
Villa Gualino
Viale Settimo Severo, 63 - 10133 Torino [IT]
tel. +39 011 481 5140 - Mobile +39 348 6024078 
fax  +39 011 481 5001 
__




Re: EAP and multiples LDAP

2004-10-25 Thread Alan DeKok
Sergio Sagliocco <[EMAIL PROTECTED]> wrote:
> My users file is:
...
> The authorize section is:
> 
> authorize {
...

  Which doesn't include the "files" module.  I'm not sure why you
would delete it.

  List "files" in "authorize", and it will work.

  Alan DeKok.



EAP and multiples LDAP

2004-10-25 Thread Sergio Sagliocco
Hi freeradius-users,
I'm using PEAP with LDAP and it works fine.
Now I have to authorize another NAS with another LDAP server, but I've 
some problems.

My users file is:
DEFAULT NAS-IP-Address == 192.168.1.1, Autz-Type:=LDAP1 ## The access point
DEFAULT NAS-IP-Address == 192.168.1.2, Autz-Type:=LDAP2 ## Access server

The authorize section is:
authorize {
   Autz-Type LDAP1 {
   ldap1
   }
   Autz-Type LDAP2 {
   ldap2
   }
   eap
}
I also tried
authorize {
   Autz-Type LDAP1 {
   ldap1
   eap
   }
   Autz-Type LDAP2 {
   ldap2
   }
}
but it doesn't work.
Any idea?
Thanks
--
Sergio SAGLIOCCO
SecureLAB - System & Network Security 
CSP s.c. a r.l. 
__
Villa Gualino
Viale Settimo Severo, 63 - 10133 Torino [IT]
tel. +39 011 481 5140 - Mobile +39 348 6024078 
fax  +39 011 481 5001 
__




accounting file question

2004-10-25 Thread Edgars
can someone tell me what kind of information is kept in the 'radutmp' 
and 'radwtmp' files?

Edgars


Re: Adding dictionary entry

2004-10-25 Thread Erik Immers
On Fri, Oct 22, 2004 at 11:05:38AM -0400, Alan DeKok wrote:
> Erik Immers <[EMAIL PROTECTED]> wrote:
> > I am trying to add new attribute entries, but it seems it is failing on the MACRO 
> > function.
> > Does freeradius support this ?
> 
>   grep through the dictionaries.  No MACRO.
> 
>   Read the "man dictionary" page.  No MACRO.
> 
> > And does my dictionary file make any sense at all (in case of freeradius)
> 
>   No.
> 
>   Seeing as FreeRADIUS already includes a "dictionary.erx" file, which
> has many more attributes than the one you posted, I don't see why you
> would even bother trying to use another dictionary.
> 
Thanks for the little push forward,
It's working now.

Thanks,

Erik 



>   Alan DeKok.

-- 
Wanadoo Nederland BV, http://www.wanadoo.nl/ & http://www.euronet.nl/
Erik Immers, System Engineer
Muiderstraat 1; Postbus 11095, 1001 GB Amsterdam
T +31 20 535 55 55, F +31 20 535 52 49, E [EMAIL PROTECTED]



Re: 1 or 2 issues...

2004-10-25 Thread Chris Knipe
http://www.mail-archive.com/[EMAIL PROTECTED]/msg09655.html
Thanks :)
--
Chris.
- Original Message - 
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 25, 2004 2:35 PM
Subject: Re: 1 or 2 issues...


On Mon, 25 Oct 2004, Chris Knipe wrote:
Lo everyone,
It's been long since I've sent a mail here... I guess that means (almost) 
everything is well - :)

Just one or two issues I have with my brand new FR 1.0.1 installation
1) I get a lot of these:
Mon Oct 25 08:25:43 2004 : Error: Discarding duplicate request from 
client xxx:1397 - ID: 217 due to unfinished request 142
Mon Oct 25 08:25:43 2004 : Error: Dropping conflicting packet from client 
xxx1397 - ID: 217 due to unfinished request 142

As I understand it, this is the NAS sending accounting updates too 
quickly? It surely can't be latency related, the NAS reports a mere 8ms 
from the NAS to the Radius server
Is there something (like a database) slowing down the request processing? 
Check out the maximum return time of the radius packets.

2) Question two was deleted because I believe it is NAS specific and not 
related to FR.

3) I've checked and double checked radrelay, and it does not do what I 
want it to do I wish to forward accounting data to remote hosts, but 
ONLY for specific realms i.e.
  myrealm1 -> 123.123.123.123
  myrealm2 -> 321.321.321.312
  myrealm3 -> 213.213.213.213
  etc

Pointers, suggestions, HOWTOs, examples? :)  Radrelay seems to be sending 
ALL the accounting data to the remote server, which is bad to say the 
least. I can't let one of my customers see another customer's accounting 
data now, can I ?
You should create a detail file for each realm and a corresponding 
radrelay process.

Thanks,
--
Chris.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: 1 or 2 issues...

2004-10-25 Thread Chris Knipe
Hi Kostas,

>> 1) I get a lot of these:
>> Mon Oct 25 08:25:43 2004 : Error: Discarding duplicate request from 
>> client xxx:1397 - ID: 217 due to unfinished request 142
>> Mon Oct 25 08:25:43 2004 : Error: Dropping conflicting packet from client 
>> xxx1397 - ID: 217 due to unfinished request 142
>>
>> As I understand it, this is the NAS sending accounting updates too 
>> quickly? It surely can't be latency related, the NAS reports a mere 8ms 
>> from the NAS to the Radius server
>
> Is there something (like a database) slowing down the request processing? 
> Check out the maximum return time of the radius packets.

A MySQL Database on the same host yes, running InnoDB (Quite small, 
currently a 13MB odd DB).  I will investigate, thanks for the tip.

>> 3) I've checked and double checked radrelay, and it does not do what I 
>> want it to do I wish to forward accounting data to remote hosts, but 
>> ONLY for specific realms i.e.
>>   myrealm1 -> 123.123.123.123
>>   myrealm2 -> 321.321.321.312
>>   myrealm3 -> 213.213.213.213
>>   etc
>>
>> Pointers, suggestions, HOWTOs, examples? :)  Radrelay seems to be sending 
>> ALL the accounting data to the remote server, which is bad to say the 
>> least. I can't let one of my customers see another customer's accounting 
>> data now, can I ?
>
> You should create a detail file for each realm and a corresponding 
> radrelay process.

Ok, now I did spend the last 2 or 3 hours on google before replying to this 
post. Can I ask for a quick example???  I'm not sure how to tell FR which 
realm needs to go to which detail file - frankly, I don't have a clue how to 
be honest

--
Chris.
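
An added check (not part of the original thread, and not FreeRADIUS code) for the per-realm layout suggested above: before a radrelay process is pointed at one realm's detail file, confirm that the file holds only that realm's records. The realm is taken from the text after '@' in User-Name, with NULL for names without one, as in the rlm_realm debug output elsewhere on this page; the sample file, its record layout and the function names are constructed assumptions.

```python
import re

# Constructed sample of a detail file intended for the relay to "myrealm1":
# a date line, indented "Attribute = value" lines, and a blank line between
# records (layout assumed for this example).
DETAIL_MYREALM1 = """\
Mon Oct 25 08:25:43 2004
    Acct-Session-Id = "0061"
    User-Name = "alice@myrealm1"
    Acct-Status-Type = Start

Mon Oct 25 08:26:10 2004
    Acct-Session-Id = "0062"
    User-Name = "bob@myrealm2"
    Acct-Status-Type = Start

Mon Oct 25 08:27:02 2004
    Acct-Session-Id = "0063"
    User-Name = "panekm"
    Acct-Status-Type = Stop
"""

_USER = re.compile(r'^\s*User-Name\s*=\s*"(.*)"\s*$', re.MULTILINE)
_SESSION = re.compile(r'^\s*Acct-Session-Id\s*=\s*"(.*)"\s*$', re.MULTILINE)


def split_records(text):
    """Split a detail file into records on blank lines."""
    return [r for r in re.split(r'\n\s*\n', text.strip()) if r.strip()]


def realm_of(record):
    """Realm after the last '@' in User-Name, or 'NULL' when there is none."""
    m = _USER.search(record)
    if not m or "@" not in m.group(1):
        return "NULL"
    return m.group(1).rsplit("@", 1)[1]


def foreign_records(text, expected_realm):
    """Return (session_id, realm) for each record outside expected_realm."""
    leaks = []
    for record in split_records(text):
        realm = realm_of(record)
        if realm != expected_realm:
            sid = _SESSION.search(record)
            leaks.append((sid.group(1) if sid else "?", realm))
    return leaks


def safe_to_relay(text, expected_realm):
    """True only when every record in the file belongs to expected_realm."""
    return not foreign_records(text, expected_realm)


if __name__ == "__main__":
    for sid, realm in foreign_records(DETAIL_MYREALM1, "myrealm1"):
        print(f"session {sid}: realm {realm} does not belong in this file")
    print("safe to relay:", safe_to_relay(DETAIL_MYREALM1, "myrealm1"))
```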


Re: 3 LDAP questions!

2004-10-25 Thread Kostas Kalevras
On Mon, 25 Oct 2004, Ilia Chipitsine wrote:
> Dear Sirs,
> the questions are:
> 1) I have samba-3 working with LDAP, objectClass=sambaSamAccount,
>   it has attribute: sambaNTPassword, which is exactly the password
>   which is needed by MSCHAP, but it is NOT in the form 0x...,
>   is it possible to manage freeradius working with that form
>   of NT password ?
> 2) NAS-IP-Address is missing in RADIUS-LDAPv3.schema
>   what steps should I take in order to add that attribute ?
>   is it described in some RFC or I just add it to schema and send
>   patch back to developers ?

You could just add it and send it back through a bugs report in 
bugs.freeradius.org

> 3) how can equivalent of the following users file be implemented with
>   LDAP:
> chel   Auth-Type := MS-CHAP, NAS-IP-Address == 192.168.201.1
>   Service-Type = Framed-User,
>   Simultaneous-Use = 1,
>   Framed-Protocol = PPP,
>   Framed-IP-Address = 192.168.201.2,
>   Framed-IP-Netmask = 255.255.255.0,
>   Framed-Routing = Broadcast-Listen,
>   Framed-Filter-Id = "std.ppp",
>   Framed-MTU = 1400,
>   Framed-Compression = Van-Jacobson-TCP-IP
> chel   Auth-Type := MS-CHAP, NAS-IP-Address == 192.168.202.1
>   Service-Type = Framed-User,
>   Simultaneous-Use = 1,
>   Framed-Protocol = PPP,
>   Framed-IP-Address = 192.168.202.2,
>   Framed-IP-Netmask = 255.255.255.0,
>   Framed-Routing = Broadcast-Listen,
>   Framed-Filter-Id = "std.ppp",
>   Framed-MTU = 1400,
>   Framed-Compression = Van-Jacobson-TCP-IP
> so, I need two records for "chel" user depending on NAS-IP-Address they come 
> from.

In ldap you have only *one* record for each user. If you need different 
Framed-IP-Address attributes for each user depending on the NAS then you need 
to either:

Create multiple user entries and use a filter to find them:
(&(uid=%u)(nasipaddress=%{NAS-IP-Address}))
Create multiple ldap module instances with different attribute mappings and 
depending on the NAS select the corresponding instance:

DEFAULT NAS-IP-Address == 192.168.201.1, Autz-Type := ldap1

> Cheers,
> Ilia Chipitsine

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: 1 or 2 issues...

2004-10-25 Thread Kostas Kalevras
On Mon, 25 Oct 2004, Chris Knipe wrote:
> Lo everyone,
> It's been long since I've sent a mail here... I guess that means (almost) 
> everything is well - :)
>
> Just one or two issues I have with my brand new FR 1.0.1 installation
> 1) I get a lot of these:
> Mon Oct 25 08:25:43 2004 : Error: Discarding duplicate request from client 
> xxx:1397 - ID: 217 due to unfinished request 142
> Mon Oct 25 08:25:43 2004 : Error: Dropping conflicting packet from client 
> xxx1397 - ID: 217 due to unfinished request 142
>
> As I understand it, this is the NAS sending accounting updates too quickly? It 
> surely can't be latency related, the NAS reports a mere 8ms from the NAS to 
> the Radius server

Is there something (like a database) slowing down the request processing? Check 
out the maximum return time of the radius packets.

> 2) Question two was deleted because I believe it is NAS specific and not 
> related to FR.
>
> 3) I've checked and double checked radrelay, and it does not do what I want 
> it to do I wish to forward accounting data to remote hosts, but ONLY for 
> specific realms i.e.
>   myrealm1 -> 123.123.123.123
>   myrealm2 -> 321.321.321.312
>   myrealm3 -> 213.213.213.213
>   etc
>
> Pointers, suggestions, HOWTOs, examples? :)  Radrelay seems to be sending ALL 
> the accounting data to the remote server, which is bad to say the least. I 
> can't let one of my customers see another customer's accounting data now, can 
> I ?

You should create a detail file for each realm and a corresponding radrelay 
process.

> Thanks,
> --
> Chris. 

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: Accounting without storing the data

2004-10-25 Thread Kostas Kalevras
On Mon, 25 Oct 2004, Michael Kopp wrote:
> Hi all,
> maybe somewhat unusual request :
> How could I setup freeradius in order to answer accounting radius packets but
> don't record them anywhere
> Currently when I comment out all entries in the accounting section, then the
> radius server is not answering accounting packets at all. (and I think it is
> supposed to work in that way). I need a way to answer accounting packets but
> don't process it (this means I don't want to store any accounting data, not
> in a file and also not in a database)
> Background : We are running performance tests for some NAS devices, and we
> are not interested in the accounting data, but we need the accounting-ACK
> for the device to work correctly.
> Is there any way to do this ?

You could use the always module for that..

> Michael
> PS : just as a side note, we tested Freeradius on a SunFire 280R with 2 GB
> of RAM, and could handle more than 1000 Auth + Accountings / second !!! We
> couldn't test any higher rate, cause our test system couldn't handle more
> logins per second :-)) So great job you did with this radius !!!

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: Memory leak in rlm_perl

2004-10-25 Thread Nils Rønhovde
On Mon, 25 Oct 2004 10:27:14 +0200
Nils Rønhovde <[EMAIL PROTECTED]> wrote:

> On Tue, 14 Sep 2004 13:29:23 -0400
> "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> 
> > João Sá <[EMAIL PROTECTED]> wrote:
> > > Until now everything is fine but now I need to use a module in
> > > perl to do credit control.
> > > 
> > > I verified that when I start, the freeradius process begins with
> > > about 26 Mb in memory growing until I eat all memory available (I
> > > already had a process with 400 Mb).
> > 
> >   The Perl module has issues in 0.9.3.  There's a patch for 1.0.0 on
> > bugs.freeradius.org, which will go into 1.1.0.
> > 
> >   Alan DeKok.
> 
> Forgive me for asking a maybe stupid question (or request). I have
> tried to apply the patch for bug 111 found on bugs.freeradius.org
> (after some careful editing of html-tags etc.), but patch fails after
> some "hunks". I am not very experienced in using patch, so it may be
> my problem.

After a few hours more, and some lunch, I figured it out. Don't ask me how, though..

> BTW is it tested and found OK?

This still applies...


-- 
best regards
Nils Rønhovde



Accounting without storing the data

2004-10-25 Thread Michael Kopp
Hi all,

maybe somewhat unusual request :
How could I setup freeradius in order to answer accounting radius packets but
don't record them anywhere
Currently when I comment out all entries in the accounting section, then the
radius server is not answering accounting packets at all. (and I think it is
supposed to work in that way). I need a way to answer accounting packets but
don't process it (this means I don't want to store any accounting data, not
in a file and also not in a database)

Background : We are running performance tests for some NAS devices, and we
are not interested in the accounting data, but we need the accounting-ACK
for the device to work correctly.

Is there any way to do this ?

Michael

PS : just as a side note, we tested Freeradius on a SunFire 280R with 2 GB
of RAM, and could handle more than 1000 Auth + Accountings / second !!! We
couldn't test any higher rate, cause our test system couldn't handle more
logins per second :-)) So great job you did with this radius !!!



Re: Memory leak in rlm_perl

2004-10-25 Thread Nils Rønhovde
On Tue, 14 Sep 2004 13:29:23 -0400
"Alan DeKok" <[EMAIL PROTECTED]> wrote:

> João Sá <[EMAIL PROTECTED]> wrote:
> > Until now everything is fine but now I need to use a module in perl
> > to do credit control.
> > 
> > I verified that when I start, the freeradius process begins with
> > about 26 Mb in memory growing until I eat all memory available (I
> > already had a process with 400 Mb).
> 
>   The Perl module has issues in 0.9.3.  There's a patch for 1.0.0 on
> bugs.freeradius.org, which will go into 1.1.0.
> 
>   Alan DeKok.

Forgive me for asking a maybe stupid question (or request). I have tried to apply the 
patch for bug 111 found on bugs.freeradius.org (after some careful editing of 
html-tags etc.), but patch fails after some "hunks". I am not very experienced in 
using patch, so it may be my problem.

so my humble request is : does anybody have rlm_perl.c with the patch applied to it? 
And willing to send it to me? BTW is it tested and found OK?

-- 
best regards
Nils Rønhovde



1 or 2 issues...

2004-10-25 Thread Chris Knipe
Lo everyone,
It's been long since I've sent a mail here... I guess that means (almost) 
everything is well - :)

Just one or two issues I have with my brand new FR 1.0.1 installation
1) I get a lot of these:
Mon Oct 25 08:25:43 2004 : Error: Discarding duplicate request from client 
xxx:1397 - ID: 217 due to unfinished request 142
Mon Oct 25 08:25:43 2004 : Error: Dropping conflicting packet from client 
xxx1397 - ID: 217 due to unfinished request 142

As I understand it, this is the NAS sending accounting updates too quickly? 
It surely can't be latency related, the NAS reports a mere 8ms from the NAS 
to the Radius server

2) Question two was deleted because I believe it is NAS specific and not 
related to FR.

3) I've checked and double checked radrelay, and it does not do what I want 
it to do I wish to forward accounting data to remote hosts, but ONLY for 
specific realms i.e.
   myrealm1 -> 123.123.123.123
   myrealm2 -> 321.321.321.312
   myrealm3 -> 213.213.213.213
   etc

Pointers, suggestions, HOWTOs, examples? :)  Radrelay seems to be sending 
ALL the accounting data to the remote server, which is bad to say the least. 
I can't let one of my customers see another customer's accounting data now, 
can I ?

Thanks,
--
Chris. 
