Accounting freeradius
Hello,

freeradius 1.0.1 is working fine. Authentication is over winbind to a M$ domain. With Radiusreport I see logon and logoff times and total times for all users. But I want accounting for the traffic of all users. Any help with settings in radius.conf, or must I install any other packages?

From radiusd -X:

Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 33
modcall[preacct]: module "preprocess" returns noop for request 33
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 172.20.49.102,NAS-IP-Address = 172.20.49.102,Acct-Session-Id = "0061",User-Name = "panekm"'
rlm_acct_unique: Acct-Unique-Session-ID = "040f6e4aaad7aa47".
modcall[preacct]: module "acct_unique" returns ok for request 33
rlm_realm: No '@' in User-Name = "panekm", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[preacct]: module "suffix" returns noop for request 33
modcall[preacct]: module "files" returns noop for request 33
modcall: group preacct returns ok for request 33
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 33
radius_xlat: '/var/log/freeradius/radacct/172.20.49.102/detail-2004'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y expands to /var/log/freeradius/radacct/172.20.49.102/detail-2004
modcall[accounting]: module "detail" returns ok for request 33
modcall[accounting]: module "unix" returns noop for request 33
radius_xlat: '/var/log/freeradius/radutmp'
radius_xlat: 'panekm'
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
modcall[accounting]: module "radutmp" returns noop for request 33
modcall: group accounting returns ok for request 33
Sending Accounting-Response of id 76 to 172.20.49.102:1037
Finished request 33
Going to the next request
--- Walking the entire request list ---
Cleaning up request 33 ID 76 with timestamp 417d1d45

Is this all okay, or is it false?

THX

Regards / Greetings / Thanks
Marco Panek
...
Smurfit Europa Carton GmbH
Information Systems (IS)
Tilsiter Straße 144
D-22047 Hamburg
Tel: +49 (0)40 30901 191
Fax: +49 (0)40 30901 5191
[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ip pool in mysql
Hi,

I'm trying to use mysql with freeradius. My problem is that it looks like ip pool doesn't work. I'm not sure about my schema though; can anyone give me a sample of the schema for this?

Thanks.
Lito
Re: 3 LDAP questions!
> You could just add it and send it back through a bugs report in bugs.freeradius.org

I did so.

> > 3) how can equivalent of the following users file be implemented with LDAP:
> >
> > chel  Auth-Type := MS-CHAP, NAS-IP-Address == 192.168.201.1
> >       Service-Type = Framed-User,
> >       Simultaneous-Use = 1,
> >       Framed-Protocol = PPP,
> >       Framed-IP-Address = 192.168.201.2,
> >       Framed-IP-Netmask = 255.255.255.0,
> >       Framed-Routing = Broadcast-Listen,
> >       Framed-Filter-Id = "std.ppp",
> >       Framed-MTU = 1400,
> >       Framed-Compression = Van-Jacobson-TCP-IP
> >
> > chel  Auth-Type := MS-CHAP, NAS-IP-Address == 192.168.202.1
> >       Service-Type = Framed-User,
> >       Simultaneous-Use = 1,
> >       Framed-Protocol = PPP,
> >       Framed-IP-Address = 192.168.202.2,
> >       Framed-IP-Netmask = 255.255.255.0,
> >       Framed-Routing = Broadcast-Listen,
> >       Framed-Filter-Id = "std.ppp",
> >       Framed-MTU = 1400,
> >       Framed-Compression = Van-Jacobson-TCP-IP
> >
> > so, I need two records for "chel" user depending on NAS-IP-Address they come from.
>
> In ldap you have only *one* record for each user. If you need different Framed-IP-Address attributes for each user depending on the NAS then you need to either:
>
> Create multiple user entries and use a filter to find them:
> (&(uid=%u)(nasipaddress=%{NAS-IP-Address}))
>
> Create multiple ldap module instances with different attribute mappings and depending on the NAS select the corresponding instance:
> DEFAULT NAS-IP-Address == 192.168.201.1, Autz-Type := ldap1

two different LDAP servers ?

> > Cheers,
> > Ilia Chipitsine
>
> --
> Kostas Kalevras
> Network Operations Center
> [EMAIL PROTECTED]
> National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
Re: forward request on port 80
why don't you assign a particular subnet for non-proxy users and another for proxy users? that way you can assign subnet by group via your pptpd and via the router and firewall dictate who needs to go through the proxy.

cb

From: "Bartosz Jozwiak" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: Re: forward request on port 80
Date: Sun, 24 Oct 2004 14:40:44 -0300

Bartosz Jozwiak wrote:

I have a cisco router for dial-up. I will look on cisco website if my router supports it somehow. Has anybody tried to set up something like that before?

Look for Cisco SSG feature - it isn't exactly what you need, but maybe will help you find some similar solutions

Michal

What I am trying to do is "safe internet for children". So some customers can turn on a feature, for example "website context filtering", for their account. And when these users dial in, the router should know that website traffic should be redirected to an http proxy. This is what I am trying to do and I started making my research with radius.

bartosz
Exec-Program output: freeradius not reading response?
Problem exists, when posting multiple requests to radiusd it occasionally will not receive or somehow omit the exit status of Exec-Program-Wait.

-- log snippet -
radius_xlat: '/etc/raddb/scripts/test.pl'
Exec-Program: /etc/raddb/scripts/test.pl
Waking up in 3 seconds...
Exec-Program output:
--- Walking the entire request list ---

And later the process blorts..

--- log snippet ---
WARNING: Unresponsive child (id 1098905952) for request 6
Server rejecting request 6.

A good request looks like:

Exec-Program output: 0 (for success)
or
Exec-Program output: 1 (for reject)

I can duplicate this over and over on various machines and platforms. Problem cannot be duplicated in -s mode. I have tons of extra logs available (and previously posted in list) if that will help diagnose this issue.

Anyone's help is greatly appreciated.

- Nathan Miller
Failure to link rlm_ldap
I am attempting to configure FreeRadius to use our LDAP directory for authentication and have made the necessary modifications to radiusd.conf, but get the following error when starting radiusd:

radiusd.conf[724] Failed to link to module 'rlm_ldap': ld.so.1: ./radiusd: fatal: relocation error: file /usr/local/lib/libldap_r-2.2.so.7: symbol __udivdi3: referenced symbol not found

I'm using FreeRADIUS Version 1.0.1 on Solaris 9, everything appeared to compile okay, and without the LDAP entries in the authenticate section, the daemon starts fine and authenticates users against the unix passwd file fine. I am using openldap-2.2.17 and both were compiled using gcc v3.4.0.

An 'ldd rlm_ldap.so' produces the following:

libsasl.so.7 => ./libsasl.so.7
liblber-2.2.so.7 => ./liblber-2.2.so.7
libldap_r-2.2.so.7 => ./libldap_r-2.2.so.7
libnsl.so.1 => /usr/lib/libnsl.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
libsocket.so.1 => /usr/lib/libsocket.so.1
librt.so.1 => /usr/lib/librt.so.1
libpthread.so.1 => /usr/lib/libpthread.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libpam.so.1 => /usr/lib/libpam.so.1
libgen.so.1 => /usr/lib/libgen.so.1
libsasl2.so.2 => ./libsasl2.so.2
libmp.so.2 => /usr/lib/libmp.so.2
libaio.so.1 => /usr/lib/libaio.so.1
libmd5.so.1 => /usr/lib/libmd5.so.1
libcmd.so.1 => /usr/lib/libcmd.so.1
libthread.so.1 => /usr/lib/libthread.so.1
/usr/platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1
/usr/platform/SUNW,Sun-Fire-V440/lib/libmd5_psr.so.1

And an 'ldd libldap_r-2.2.so.7' produces:

liblber-2.2.so.7 => ./liblber-2.2.so.7
libresolv.so.2 => /usr/lib/libresolv.so.2
libgen.so.1 => /usr/lib/libgen.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libsasl2.so.2 => ./libsasl2.so.2
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1

So it would appear that the necessary libraries are being found.

Any suggestions would be most appreciated.

Regards
James

><> ><> ><> ><> ><> ~ <>< <>< <>< <>< <><
Systems Administrator
Australian Institute of Marine Science
Townsville, FNQ, Australia
Ph: 0747534400
Mobile: 0439916246
Email: sysadmin (at) aims.gov.au
Fax: 0747725852
><> ><> ><> ><> ><> ~ <>< <>< <>< <>< <><
radrelay - filelock problem
Hi..

OS: FreeBSD 4.9p4
Version: Freeradius 1.0.1

My radrelay seems not to be fully working... I receive a lot of the errors below.. I've followed all the docs given regarding how to set up radrelay.

Tue Oct 26 05:30:32 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius8, giving up
Tue Oct 26 05:50:52 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius7, giving up
Tue Oct 26 05:58:16 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius5, giving up
Tue Oct 26 05:58:38 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius6, giving up
Tue Oct 26 06:11:36 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius7, giving up
Tue Oct 26 06:17:02 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius6, giving up

My setting is as below:

radius1 ---> radius2 > radius3 -> radius4
then
radius2 -> radius1 ---> radius3 > radius4
and so on... until all 4 have the same full accounting record

I ran 3 of the below command for replication:

/usr/local/bin/radrelay -a /var/adm/radacct -d /usr/local/etc/raddb \
    -S /usr/local/etc/raddb/radrelay_secret -r radiusX:1646 \
    detail-combined

But it is not working well... the accounting seems to have been relayed but some accounting is missing... the detail file is not rotated properly and will grow too big, and I receive a lot of the above errors...

Please help..!!

--haizam
Re: Is there a good web based administration tool
> Yes. Dialup Admin. It's bundled with freeradius too!

Thanks!

I am running an older version of freeradius on a box. It authenticates against users in LDAP. The LDAP directory and userdatabase existed before freeradius entered the picture.

Now I am looking for a standalone radius, management, accounting box for a dialin pool. I see that there is a HOWTO document. Perhaps I can just pass all the information to the organization needing the server and just offer support.

Thanks,
Adi
FreeRadius -> Ldap -> Novell DS
Hi List

I'm hoping that someone out there has done a similar setup to this. I am wanting to authenticate wireless users primarily, against the Novell Directory (NDS) that we have of all the users.

I have installed and configured FreeRadius to work using eap-tls with peap but only using the users file on the server.

Does anyone use this kind of setup and would kindly offer some advice and guidance ?

I expect to have to configure FreeRadius to use ldap as its mechanism and then install OpenLDAP on the same server. While at the Novell side I expect to have installed eDIR (Novell's ldap server) and hopefully the Netware guys at work will sort the rest of that side out.

Am I barking up the wrong tree in terms of what is needed ?

Absolutely any help appreciated.

Regards
Dave
Re: Is there a good web based administration tool
Yes. Dialup Admin. It's bundled with freeradius too!

--- Adi Linden <[EMAIL PROTECTED]> wrote:

> Hi,
>
> Just a quick question, is there a good web based administration tool to
> manage and account dialup users?
>
> Adi

=
Julius Igugu
SouthWork Co. Ltd.
RE : Is there a good web based administration tool
Yes, dialup_admin.
It is in the same package with radius.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Adi Linden
Sent: Monday, 25 October 2004 20:56
To: [EMAIL PROTECTED]
Subject: Is there a good web based administration tool

Hi,

Just a quick question, is there a good web based administration tool to manage and account dialup users?

Adi
Is there a good web based administration tool
Hi,

Just a quick question, is there a good web based administration tool to manage and account dialup users?

Adi
Re: Help with Cisco AVPair Attributes
To answer my own question, I found out that if I:

1) set with_cisco_vsa_hack = yes in radiusd.conf
2) add the attributes I want to have stripped from the AVPair fields to cisco.dictionary in /usr/local/share/freeradius,

freeradius will create new attributes with these names.

----- Original Message -----
From: "Mikel Beck" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 22, 2004 2:23 PM
Subject: Help with Cisco AVPair Attributes

I've got accounting data coming into my freeradius from a bunch of Cisco 1200AP Wireless access points. I'd like to log the data included in the Cisco-AVPair attributes. I changed the 1200's to report their data to the freeradius as "non-standard". This helped somewhat, some of the attributes came in as "X-Ascend", but others are still listed as "Cisco-AVPair".

Here's a "start" packet example:

Acct-Session-Id = "0099"
Called-Station-Id = "mac-address1"
Calling-Station-Id = "mac-address2"
Cisco-AVPair = "ssid=cisco-ssid"
Cisco-AVPair = "nas-location=unspecified"
X-Ascend-Connect-Progress = 10
Cisco-AVPair = "connect-progress=Call Up"
User-Name = "mac-address2"
Acct-Status-Type = Start
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "330"
NAS-Port = 330
Service-Type = Framed-User
NAS-IP-Address = nas-ip-address
Acct-Delay-Time = 0
Client-IP-Address = 192.168.3.242
Acct-Unique-Session-Id = "sessionid"
Timestamp = 1098456793

I'd like to log the data contained in the Cisco-AVPair fields. On the "stop" packet there are more fields than are shown here. How do I go about doing this?
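The effect described in the message above (named attributes split out of the Cisco-AVPair strings) can be reproduced offline when reviewing accounting records that were logged before the setting was changed. This is an added example, not FreeRADIUS code and not part of the original post; the function names, the PROMOTE allowlist and the two extra sample lines are assumptions made for illustration.

```python
"""Split Cisco-AVPair "name=value" strings from an accounting record into
separate attributes (added example; helper names are hypothetical)."""
import re

# Constructed sample, modelled on the "start" packet quoted in the post.
# The last two Cisco-AVPair lines are invented here to exercise edge cases.
SAMPLE_RECORD = '''\
Acct-Session-Id = "0099"
Cisco-AVPair = "ssid=cisco-ssid"
Cisco-AVPair = "nas-location=unspecified"
X-Ascend-Connect-Progress = 10
Cisco-AVPair = "connect-progress=Call Up"
Cisco-AVPair = "url=http://example.invalid/?a=b"
Cisco-AVPair = "malformed-no-separator"
User-Name = "mac-address2"
Acct-Status-Type = Start
NAS-Port = 330
'''

# Names we agree to promote to attributes of their own. This plays the role
# of the entries the poster added to the Cisco dictionary: anything not
# listed here stays a raw Cisco-AVPair instead of becoming a new attribute
# whose name was chosen by whoever sent the packet.
PROMOTE = {"ssid", "nas-location", "connect-progress"}

ATTR_LINE = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$')


def parse_record(text):
    """Return (attribute, value) pairs, preserving order and repeats."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = ATTR_LINE.match(line)
        if not match:
            raise ValueError(f"not an attribute line: {line!r}")
        name, value = match.groups()
        # Strip one pair of surrounding double quotes, if present.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((name, value))
    return pairs


def split_avpairs(pairs, promote=PROMOTE):
    """Replace allowlisted Cisco-AVPair entries with (name, value) pairs.

    Only the first '=' separates name from value, so values that contain
    '=' themselves survive intact. Entries without a separator, or with a
    name that is not allowlisted, are passed through unchanged.
    """
    out = []
    for name, value in pairs:
        if name == "Cisco-AVPair":
            key, sep, val = value.partition("=")
            if sep and key in promote:
                out.append((key, val))
                continue
        out.append((name, value))
    return out


if __name__ == "__main__":
    for attr, val in split_avpairs(parse_record(SAMPLE_RECORD)):
        print(f"{attr} = {val!r}")
```
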
Re: EAP and multiples LDAP
Sergio Sagliocco <[EMAIL PROTECTED]> wrote:
> In the authorize section I had also included "files"...but it doesn't
> work.

Yes, it does.

Alan DeKok.
Re: EAP and multiples LDAP
Sorry

In the authorize section I had also included "files"...but it doesn't work.

thanks

Sergio Sagliocco

Alan DeKok wrote:

> Sergio Sagliocco <[EMAIL PROTECTED]> wrote:
>
> > My users file is:
> > ..
> > The authorize section is:
> >
> > authorize {
> > ..
>
> Which doesn't include the "files" module. I'm not sure why you would delete it.
>
> List "files" in "authorize", and it will work.
>
> Alan DeKok.

--
Sergio SAGLIOCCO
SecureLAB - System & Network Security
CSP s.c. a r.l.
__
Villa Gualino
Viale Settimo Severo, 63 - 10133 Torino [IT]
tel. +39 011 481 5140 - Mobile +39 348 6024078
fax +39 011 481 5001
__
Re: EAP and multiples LDAP
Sergio Sagliocco <[EMAIL PROTECTED]> wrote:
> My users file is:
...
> The authorize section is:
>
> authorize {
...

Which doesn't include the "files" module. I'm not sure why you would delete it.

List "files" in "authorize", and it will work.

Alan DeKok.
EAP and multiples LDAP
Hi freeradius-users,

I'm using PEAP with LDAP and it works fine. Now I have to authorize another NAS with another LDAP server, but I've some problems.

My users file is:

DEFAULT NAS-IP-Address == 192.168.1.1, Autz-Type:=LDAP1 ## The access point
DEFAULT NAS-IP-Address == 192.168.1.2, Autz-Type:=LDAP2 ## Access server

The authorize section is:

authorize {
    Autz-Type LDAP1 {
        ldap1
    }
    Autz-Type LDAP2 {
        ldap2
    }
    eap
}

I also tried

authorize {
    Autz-Type LDAP1 {
        ldap1
        eap
    }
    Autz-Type LDAP2 {
        ldap2
    }
}

but it doesn't work.

Any idea?

Thanks

--
Sergio SAGLIOCCO
SecureLAB - System & Network Security
CSP s.c. a r.l.
__
Villa Gualino
Viale Settimo Severo, 63 - 10133 Torino [IT]
tel. +39 011 481 5140 - Mobile +39 348 6024078
fax +39 011 481 5001
__
accounting file question
Can someone tell me what kind of information is kept in the 'radutmp' and 'radwtmp' files?

Edgars
Re: Adding dictionary entry
On Fri, Oct 22, 2004 at 11:05:38AM -0400, Alan DeKok wrote:
> Erik Immers <[EMAIL PROTECTED]> wrote:
> > I am trying to add new attribute entries, but it seems it is failing on the MACRO
> > function.
> > Does freeradius support this ?
>
> grep through the dictionaries. No MACRO.
>
> Read the "man dictionary" page. No MACRO.
>
> > And does my dictionary file make any sense at all (in case of freeradius)
>
> No.
>
> Seeing as FreeRADIUS already includes a "dictionary.erx" file, which
> has many more attributes than the one you posted, I don't see why you
> would even bother trying to use another dictionary.
>

Thanks for the little push forward, it's working now.

Thanks,
Erik

> Alan DeKok.

--
Wanadoo Nederland BV, http://www.wanadoo.nl/ & http://www.euronet.nl/
Erik Immers, System Engineer
Muiderstraat 1; Postbus 11095, 1001 GB Amsterdam
T +31 20 535 55 55, F +31 20 535 52 49, E [EMAIL PROTECTED]
Re: 1 or 2 issues...
http://www.mail-archive.com/[EMAIL PROTECTED]/msg09655.html

Thanks :)

--
Chris.

----- Original Message -----
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 25, 2004 2:35 PM
Subject: Re: 1 or 2 issues...

On Mon, 25 Oct 2004, Chris Knipe wrote:

> Lo everyone,
>
> It's been long since I've sent a mail here... I guess that means (almost) everything is well - :)
>
> Just one or two issues I have with my brand new FR 1.0.1 installation
>
> 1) I get a lot of these:
>
> Mon Oct 25 08:25:43 2004 : Error: Discarding duplicate request from client xxx:1397 - ID: 217 due to unfinished request 142
> Mon Oct 25 08:25:43 2004 : Error: Dropping conflicting packet from client xxx1397 - ID: 217 due to unfinished request 142
>
> As I understand it, this is the NAS sending accounting updates too quickly? It surely can't be latency related, the NAS reports a mere 8ms from the NAS to the Radius server

Is there something (like a database) slowing down the request processing? Check out the maximum return time of the radius packets.

> 2) Question two was deleted because I believe it is NAS specific and not related to FR.
>
> 3) I've checked and double checked radrelay, and it does not do what I want it to do
>
> I wish to forward accounting data to remote hosts, but ONLY for specific realms i.e.
>
> myrealm1 -> 123.123.123.123
> myrealm2 -> 321.321.321.312
> myrealm3 -> 213.213.213.213
> etc
>
> Pointers, suggestions, HOWTOs, examples? :) Radrelay seems to be sending ALL the accounting data to the remote server, which is bad to say the least. I can't let one of my customers see another customer's accounting data now, can I ?

You should create a detail file for each realm and a corresponding radrelay process.

> Thanks,
>
> --
> Chris.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: 1 or 2 issues...
Hi Kostas,

> > 1) I get a lot of these:
> >
> > Mon Oct 25 08:25:43 2004 : Error: Discarding duplicate request from client xxx:1397 - ID: 217 due to unfinished request 142
> > Mon Oct 25 08:25:43 2004 : Error: Dropping conflicting packet from client xxx1397 - ID: 217 due to unfinished request 142
> >
> > As I understand it, this is the NAS sending accounting updates too quickly? It surely can't be latency related, the NAS reports a mere 8ms from the NAS to the Radius server
>
> Is there something (like a database) slowing down the request processing? Check out the maximum return time of the radius packets.

A MySQL Database on the same host yes, running InnoDB (Quite small, currently a 13MB odd DB). I will investigate, thanks for the tip.

> > 3) I've checked and double checked radrelay, and it does not do what I want it to do
> >
> > I wish to forward accounting data to remote hosts, but ONLY for specific realms i.e.
> >
> > myrealm1 -> 123.123.123.123
> > myrealm2 -> 321.321.321.312
> > myrealm3 -> 213.213.213.213
> > etc
> >
> > Pointers, suggestions, HOWTOs, examples? :) Radrelay seems to be sending ALL the accounting data to the remote server, which is bad to say the least. I can't let one of my customers see another customer's accounting data now, can I ?
>
> You should create a detail file for each realm and a corresponding radrelay process.

Ok, now I did spend the last 2 or 3 hours on google before replying to this post. Can I ask for a quick example??? I'm not sure how to tell FR which realm needs to go to which detail file - frankly, I don't have a clue how, to be honest.

--
Chris.
Re: 3 LDAP questions!
On Mon, 25 Oct 2004, Ilia Chipitsine wrote:

> Dear Sirs,
>
> the questions are:
>
> 1) I have samba-3 working with LDAP, objectClass=sambaSamAccount, it has attribute: sambaNTPassword, which is exactly the password which is needed by MSCHAP, but it is NOT in the form 0x..., is it possible to manage freeradius working with that form of NT password ?
>
> 2) NAS-IP-Address is missing in RADIUS-LDAPv3.schema
> what steps should I take in order to add that attribute ? is it described in some RFC or I just add it to schema and send patch back to developers ?

You could just add it and send it back through a bugs report in bugs.freeradius.org

> 3) how can equivalent of the following users file be implemented with LDAP:
>
> chel  Auth-Type := MS-CHAP, NAS-IP-Address == 192.168.201.1
>       Service-Type = Framed-User,
>       Simultaneous-Use = 1,
>       Framed-Protocol = PPP,
>       Framed-IP-Address = 192.168.201.2,
>       Framed-IP-Netmask = 255.255.255.0,
>       Framed-Routing = Broadcast-Listen,
>       Framed-Filter-Id = "std.ppp",
>       Framed-MTU = 1400,
>       Framed-Compression = Van-Jacobson-TCP-IP
>
> chel  Auth-Type := MS-CHAP, NAS-IP-Address == 192.168.202.1
>       Service-Type = Framed-User,
>       Simultaneous-Use = 1,
>       Framed-Protocol = PPP,
>       Framed-IP-Address = 192.168.202.2,
>       Framed-IP-Netmask = 255.255.255.0,
>       Framed-Routing = Broadcast-Listen,
>       Framed-Filter-Id = "std.ppp",
>       Framed-MTU = 1400,
>       Framed-Compression = Van-Jacobson-TCP-IP
>
> so, I need two records for "chel" user depending on NAS-IP-Address they come from.

In ldap you have only *one* record for each user. If you need different Framed-IP-Address attributes for each user depending on the NAS then you need to either:

Create multiple user entries and use a filter to find them:
(&(uid=%u)(nasipaddress=%{NAS-IP-Address}))

Create multiple ldap module instances with different attribute mappings and depending on the NAS select the corresponding instance:
DEFAULT NAS-IP-Address == 192.168.201.1, Autz-Type := ldap1

> Cheers,
> Ilia Chipitsine

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: 1 or 2 issues...
On Mon, 25 Oct 2004, Chris Knipe wrote:

> Lo everyone,
>
> It's been long since I've sent a mail here... I guess that means (almost) everything is well - :)
>
> Just one or two issues I have with my brand new FR 1.0.1 installation
>
> 1) I get a lot of these:
>
> Mon Oct 25 08:25:43 2004 : Error: Discarding duplicate request from client xxx:1397 - ID: 217 due to unfinished request 142
> Mon Oct 25 08:25:43 2004 : Error: Dropping conflicting packet from client xxx1397 - ID: 217 due to unfinished request 142
>
> As I understand it, this is the NAS sending accounting updates too quickly? It surely can't be latency related, the NAS reports a mere 8ms from the NAS to the Radius server

Is there something (like a database) slowing down the request processing? Check out the maximum return time of the radius packets.

> 2) Question two was deleted because I believe it is NAS specific and not related to FR.
>
> 3) I've checked and double checked radrelay, and it does not do what I want it to do
>
> I wish to forward accounting data to remote hosts, but ONLY for specific realms i.e.
>
> myrealm1 -> 123.123.123.123
> myrealm2 -> 321.321.321.312
> myrealm3 -> 213.213.213.213
> etc
>
> Pointers, suggestions, HOWTOs, examples? :) Radrelay seems to be sending ALL the accounting data to the remote server, which is bad to say the least. I can't let one of my customers see another customer's accounting data now, can I ?

You should create a detail file for each realm and a corresponding radrelay process.

> Thanks,
>
> --
> Chris.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Accounting without storing the data
On Mon, 25 Oct 2004, Michael Kopp wrote:

> Hi all,
>
> maybe a somewhat unusual request:
>
> How could I set up freeradius in order to answer accounting radius packets but not record them anywhere?
>
> Currently when I comment out all entries in the accounting section, then the radius server is not answering accounting packets at all (and I think it is supposed to work in that way).
>
> I need a way to answer accounting packets but not process them (this means I don't want to store any accounting data, not in a file and also not in a database).
>
> Background: We are running performance tests for some NAS devices, and we are not interested in the accounting data, but we need the accounting-ACK for the device to work correctly.
>
> Is there any way to do this?

You could use the always module for that..

> Michael
>
> PS: just as a side note, we tested Freeradius on a SunFire 280R with 2 GB of RAM, and could handle more than 1000 Auth + Accountings / second !!! We couldn't test any higher rate, because our test system couldn't handle more logins per second :-)) So great job you did with this radius !!!

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Memory leak in rlm_perl
On Mon, 25 Oct 2004 10:27:14 +0200 Nils Rønhovde <[EMAIL PROTECTED]> wrote:

> On Tue, 14 Sep 2004 13:29:23 -0400
> "Alan DeKok" <[EMAIL PROTECTED]> wrote:
>
> > João Sá <[EMAIL PROTECTED]> wrote:
> > > Until now everything is fine but now I need to use a module in
> > > perl to do credit control.
> > >
> > > I verified that when I start, the freeradius process begins with
> > > about 26 Mb in memory growing until I eat all memory available (I
> > > already had a process with 400 Mb).
> >
> > The Perl module has issues in 0.9.3. There's a patch for 1.0.0 on
> > bugs.freeradius.org, which will go into 1.1.0.
> >
> > Alan DeKok.
>
> Forgive me for asking a maybe stupid question (or request). I have
> tried to apply the patch for bug 111 found on bugs.freeradius.org
> (after some careful editing of html-tags etc.), but patch fails after
> some "hunks". I am not very experienced in using patch, so it may be
> my problem.

After a few hours more, and some lunch, I figured it out. Don't ask me how, though..

> BTW is it tested and found OK?

This still applies...

--
best regards
Nils Rønhovde
Accounting without storing the data
Hi all,

maybe a somewhat unusual request:

How could I set up freeradius in order to answer accounting radius packets but not record them anywhere?

Currently when I comment out all entries in the accounting section, then the radius server is not answering accounting packets at all (and I think it is supposed to work in that way).

I need a way to answer accounting packets but not process them (this means I don't want to store any accounting data, not in a file and also not in a database).

Background: We are running performance tests for some NAS devices, and we are not interested in the accounting data, but we need the accounting-ACK for the device to work correctly.

Is there any way to do this?

Michael

PS: just as a side note, we tested Freeradius on a SunFire 280R with 2 GB of RAM, and could handle more than 1000 Auth + Accountings / second !!! We couldn't test any higher rate, because our test system couldn't handle more logins per second :-)) So great job you did with this radius !!!
Re: Memory leak in rlm_perl
On Tue, 14 Sep 2004 13:29:23 -0400 "Alan DeKok" <[EMAIL PROTECTED]> wrote:

> João Sá <[EMAIL PROTECTED]> wrote:
> > Until now everything is fine but now I need to use a module in perl
> > to do credit control.
> >
> > I verified that when I start, the freeradius process begins with
> > about 26 Mb in memory growing until I eat all memory available (I
> > already had a process with 400 Mb).
>
> The Perl module has issues in 0.9.3. There's a patch for 1.0.0 on
> bugs.freeradius.org, which will go into 1.1.0.
>
> Alan DeKok.

Forgive me for asking a maybe stupid question (or request). I have tried to apply the patch for bug 111 found on bugs.freeradius.org (after some careful editing of html-tags etc.), but patch fails after some "hunks". I am not very experienced in using patch, so it may be my problem.

So my humble request is: does anybody have rlm_perl.c with the patch applied to it? And willing to send it to me?

BTW is it tested and found OK?

--
best regards
Nils Rønhovde
1 or 2 issues...
Lo everyone,

It's been long since I've sent a mail here... I guess that means (almost) everything is well - :)

Just one or two issues I have with my brand new FR 1.0.1 installation

1) I get a lot of these:

Mon Oct 25 08:25:43 2004 : Error: Discarding duplicate request from client xxx:1397 - ID: 217 due to unfinished request 142
Mon Oct 25 08:25:43 2004 : Error: Dropping conflicting packet from client xxx1397 - ID: 217 due to unfinished request 142

As I understand it, this is the NAS sending accounting updates too quickly? It surely can't be latency related, the NAS reports a mere 8ms from the NAS to the Radius server

2) Question two was deleted because I believe it is NAS specific and not related to FR.

3) I've checked and double checked radrelay, and it does not do what I want it to do

I wish to forward accounting data to remote hosts, but ONLY for specific realms i.e.

myrealm1 -> 123.123.123.123
myrealm2 -> 321.321.321.312
myrealm3 -> 213.213.213.213
etc

Pointers, suggestions, HOWTOs, examples? :) Radrelay seems to be sending ALL the accounting data to the remote server, which is bad to say the least. I can't let one of my customers see another customer's accounting data now, can I ?

Thanks,

--
Chris.