Re: Help:TLS connection between Freeradius and Openldap

2004-11-18 Thread Giulio Casella
 tls_certfile=
usr/local/freeradius/etc/raddb/radius-ssl-ldap/radius.crt

You're missing the leading / in the above line.

Bye,
gc


-- 
Giulio Casella [EMAIL PROTECTED]
System and network manager
Computer Science Dept. - University of Milano 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Tcpdump Attribute Question

2004-11-18 Thread jesk
It means its being truncated.  Try adjusting the snaplen.  You should be
able to do -s 0 to make sure you capture the entire packet or you can
specify a length such as -s 1024.  Do a man tcpdump and search for
snaplen.
ie: tcpdump -i fxp0 -s 0 udp port 1812
-Dusty Doris
Thanks for the information, I just read about it in the manual and the 
tcpdump guys told me the same!

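Added example for this thread, not code from the posts or from FreeRADIUS. A RADIUS datagram carries its own length in the header, so a capture cut by the snaplen can be recognised by comparing that field with the number of bytes actually captured; the same parser can then check the Message-Authenticator (HMAC-MD5 under the shared secret, RFC 2869), which EAP-carrying requests must include and which is what a NAS or server uses to detect a forged or tampered request. The shared secret, the attributes and the cut-off point below are all constructed.

```python
"""Parse a captured RADIUS datagram, detect snaplen truncation, verify Message-Authenticator.

Added example for this thread; it is not code from the list posts or from FreeRADIUS.
The shared secret, the attributes and the cut-off point are constructed here.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)


def build_access_request(secret: bytes, ident: int, attrs: List[Tuple[int, bytes]],
                         authenticator: Optional[bytes] = None) -> bytes:
    """Build an Access-Request with a correct Message-Authenticator (RFC 2869, 5.14).

    The HMAC-MD5 is keyed with the shared secret and taken over the whole packet
    with the Message-Authenticator value set to sixteen zero bytes.
    """
    authenticator = authenticator or os.urandom(16)
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zeroed placeholder
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last attribute in the packet


def parse_radius(data: bytes) -> Dict:
    """Split a datagram into header fields and (type, value) attributes; raise if it is cut short."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"truncated: {len(data)} bytes captured, header alone needs {HEADER_LEN}")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if len(data) < length:
        # Exactly what a too-small tcpdump snaplen leaves behind: the header announces
        # 'length' bytes but the capture holds fewer, so the tail attributes are gone.
        raise ValueError(f"truncated: header says {length} bytes, captured {len(data)}")
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length, "authenticator": data[4:20], "attrs": attrs}


def verify_message_authenticator(data: bytes, secret: bytes) -> bool:
    """Recompute the HMAC-MD5 with the attribute zeroed and compare in constant time."""
    pkt = parse_radius(data)
    pos = HEADER_LEN
    for atype, value in pkt["attrs"]:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = data[:pos + 2] + bytes(16) + data[pos + 18:pkt["length"]]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False  # absent; requests carrying EAP-Message must include it (RFC 3579)


def capture_status(data: bytes, secret: bytes) -> str:
    """Classify one captured datagram: truncated, intact and authentic, or intact but tampered."""
    try:
        authentic = verify_message_authenticator(data, secret)
    except ValueError as err:
        return f"truncated ({err})"
    return "intact, Message-Authenticator valid" if authentic else "intact, Message-Authenticator INVALID"


# Constructed sample: one Access-Request, the same datagram cut at 40 bytes as a
# 40-byte snaplen would leave it, and a copy with one bit of the User-Name flipped.
SECRET = b"testing123"
SAMPLE = build_access_request(SECRET, 31, [
    (ATTR_USER_NAME, b"ISP-1\\test"),
    (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 80, 1])),
])
TRUNCATED = SAMPLE[:40]
TAMPERED = SAMPLE[:22] + bytes([SAMPLE[22] ^ 0x20]) + SAMPLE[23:]

if __name__ == "__main__":
    for name, pkt in (("full", SAMPLE), ("snaplen 40", TRUNCATED), ("tampered", TAMPERED)):
        print(f"{name:>10}: {capture_status(pkt, SECRET)}")
```

The truncation check is the programmatic form of the advice in the reply: if the header's length field is larger than the captured size, re-capture with -s 0 rather than trying to interpret what is left.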


Re: Low cost APs that support EAP/TLS Freeradius??

2004-11-18 Thread Paul
David Mitton wrote:
On 11/16/2004 09:27 PM, Paul wrote:
Yeah, that's a good price.  I use the WRT54GS with the tinyPEAP 
embedded RADIUS server.  The firmware is based on Sveasoft's version 
4.0, because it's freely available I guess.  Works for me.

Dumb question time:
- where do you store the users?  in flash?
  is there a virtual disk system?
- Who did tinyPEAP?
Good questions.  I found the tinyPEAP users in /tmp/peapusers .  I don't 
know the fine details of the device and firmware.  (I'm pathetic.)  One 
thing that I do know is that resetting the router to defaults does not 
remove the tinyPEAP users.  More info at http://www.tinypeap.com/

Virtual disk system?  I guess.  I mean, I can ssh in and navigate a 
filesystem.  The specs say that the WRT54GS has 32MB RAM and 8MB flash; 
twice as much as the WRT54G (without the S).



AW: debian with freeradius and securid PAM Module

2004-11-18 Thread Markus.Wintruff
freeradius says the following:

  rad_check_password:  Found Auth-Type pam
auth: type PAM
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string radiusd for pam.conf lookup
pam_pass: function pam_authenticate FAILED for wolfmar. Reason: Module is 
unknown
  modcall[authenticate]: module pam returns reject for request 0

But I think PAM and RADIUS are correctly configured.

users:

DEFAULT Auth-Type=PAM

radius.conf:

pam {
   pam_auth = radiusd
}

pam is uncommented in authentication section

pam.d/radiusd:

auth required pam_securid.so


the path is now in the libdir and in /etc/ld.so.conf.


ssh works fine with the module.

Is it possible to debug PAM?


Markus Wintruff

  I want to use SecurID with FreeRADIUS on my Debian.
  I have chosen and installed the pam_securid.so module from RSA and 
  set up PAM and FreeRADIUS.
 
   PAM may have memory leaks.  If at all possible, I would 
 suggest using a command-line tool from SecurID to do the 
 authentication.
 
  If I do a radtest, every time I get the following errors in syslog: 
  Nov 17 14:31:49 abrakadabra freeradius: PAM unable to
  dlopen(/lib/security/pam_securid.so)
 
   It's probably not in the default library path.  See 
 /etc/ld.so.conf, or edit radiusd.conf, and add 
 ':/lib/security' to the end of the 'libdir' directive.
 
   Alan DeKok.
 
 


Re: Help:TLS connection between Freeradius and Openldap

2004-11-18 Thread
I have modified the tls_certfile to
tls_certfile=/usr/local/freeradius/etc/raddb/radius-ssl-ldap/radius.crt

But still no success.
The debug info is as follows:  (Still TLS error)

rad_recv: Access-Request packet from host 192.168.80.1:1812, id=31, length=135
NAS-IP-Address = 192.168.80.1
NAS-Port = 50009
NAS-Port-Type = Ethernet
User-Name = ISP-1\\test
Called-Station-Id = 00-0D-ED-11-89-C9
Calling-Station-Id = 00-50-BA-7B-BE-8F
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x020f014953502d315c68667775
Message-Authenticator = 0xf418f027e10d9fff416739014a16f27f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
radius_xlat:  
'/usr/local/freeradius/var/log/radius/radacct/192.168.80.1/auth-detail-20041118'
rlm_detail: 
/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 expands to 
/usr/local/freeradius/var/log/radius/radacct/192.168.80.1/auth-detail-20041118
  modcall[authorize]: module auth_log returns ok for request 1
  modcall[authorize]: module mschap returns noop for request 1
rlm_realm: Looking up realm ISP-1 for User-Name = ISP-1\test
rlm_realm: Found realm isp-1
rlm_realm: Adding Stripped-User-Name = test
rlm_realm: Proxying request from user test to realm isp-1
rlm_realm: Adding Realm = isp-1
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module isp-1 returns noop for request 1
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module isp-2 returns noop for request 1
  rlm_eap: EAP packet type response id 0 length 15
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
users: Matched DEFAULT at 159
users: Matched DEFAULT at 178
  modcall[authorize]: module files returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'dc=mydc'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to x.x.x.x:389, authentication 0
ldap_create
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to 
/usr/local/freeradius/etc/raddb/radius-ssl-ldap/cacert.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: setting TLS Cert File to 
usr/local/freeradius/etc/raddb/radius-ssl-ldap/radiusservercert.pem
rlm_ldap: setting TLS Key File to 
/usr/local/freeradius/etc/raddb/radius-ssl-ldap/radiusservercertkey.pem
rlm_ldap: setting TLS Key File to /dev/urandom
rlm_ldap: starting TLS
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP 202.119.24.37:389
ldap_new_socket: 9
ldap_prepare_socket: 9
ldap_connect_to_host: Trying 202.119.24.37:389
ldap_connect_timeout: fd: 9 tm: 1 async: 0
ldap_ndelay_on: 9
ldap_is_sock_ready: 9
ldap_ndelay_off: 9
ldap_int_sasl_open: host=hostexample.com
TLS: could not use certificate 
`usr/local/freeradius/etc/raddb/radius-ssl-ldap/radiusservercert.pem'.
TLS: error:02001002:system library:fopen:No such file or directory 
bss_file.c:276
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:278
TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib 
ssl_rsa.c:515
rlm_ldap: ldap_start_tls_s()
ldap_err2string
rlm_ldap: could not start TLS Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns fail for request 1
modcall: group authorize returns fail for request 1
Finished request 1



[EMAIL PROTECTED]
2004-11-18
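Added note and example (not from the thread and not FreeRADIUS code). Two things are visible in the debug output above. First, the file the daemon actually tries to open is usr/local/.../radiusservercert.pem, still without the leading slash and with a different name from the radius.crt that was edited, so the tls_certfile line that was changed is not the one in effect for this module instance. Second, tls_require_cert is "never", which means the LDAP server's certificate is not verified at all; the TLS session then protects only against a passive listener, and anyone on the path can present their own certificate and read the bind credentials and lookups. The Python below parses a constructed ldap { } section of the same shape and reports both conditions before radiusd is started; the server name and paths are assumptions.

```python
"""Sanity-check the TLS file settings of an rlm_ldap block before starting radiusd.

Added example, not part of the thread or of FreeRADIUS. It parses the key = value
lines of a (constructed) ldap { } section and reports the two problems visible in
the debug output: a relative certificate path and tls_require_cert = never.
"""
import os
import re
from typing import Dict, List

# Settings that must name an absolute, existing file (tls_randfile may be a device).
TLS_FILE_KEYS = ("tls_cacertfile", "tls_certfile", "tls_keyfile", "tls_randfile")
_KV = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_ldap_section(text: str) -> Dict[str, str]:
    """Collect key = value pairs from an ldap { ... } block (quotes and comments stripped)."""
    settings = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def check_tls_settings(settings: Dict[str, str], exists=os.path.exists) -> List[str]:
    """Return one finding per problem; an empty list means the TLS settings look sane.

    `exists` is injectable so the check can run against paths that are not on this host.
    """
    findings = []
    for key in TLS_FILE_KEYS:
        path = settings.get(key)
        if not path:
            continue
        if not os.path.isabs(path):
            # The failure in the thread: 'usr/local/...' is opened relative to the
            # daemon's working directory, so OpenSSL reports 'No such file or directory'.
            findings.append(f"{key}: '{path}' is not an absolute path (missing leading '/')")
        elif not exists(path):
            findings.append(f"{key}: '{path}' does not exist")
    if settings.get("start_tls", "no").lower() == "yes":
        mode = settings.get("tls_require_cert", "").lower()
        if mode in ("never", "allow"):
            # With 'never' (or 'allow') the LDAP server's certificate is not verified, so a
            # host on the path can present any certificate and read the bind credentials
            # and user lookups. Use 'demand' together with a real tls_cacertfile.
            findings.append(f"tls_require_cert = {mode}: server certificate is not verified")
    return findings


def audit(text: str, exists=os.path.exists) -> List[str]:
    """Parse and check in one step."""
    return check_tls_settings(parse_ldap_section(text), exists)


# Constructed ldap { } block mirroring the settings shown in the debug output.
SAMPLE_LDAP_SECTION = """
ldap {
    server = "ldap.example.org"
    start_tls = yes
    tls_cacertfile = /usr/local/freeradius/etc/raddb/radius-ssl-ldap/cacert.pem
    tls_certfile = usr/local/freeradius/etc/raddb/radius-ssl-ldap/radiusservercert.pem
    tls_keyfile = /usr/local/freeradius/etc/raddb/radius-ssl-ldap/radiusservercertkey.pem
    tls_randfile = /dev/urandom
    tls_require_cert = "never"
}
"""

if __name__ == "__main__":
    # exists=lambda p: True limits the run to the syntactic checks on a host without the files.
    for finding in audit(SAMPLE_LDAP_SECTION, exists=lambda p: True):
        print(finding)
```

Run it against the ldap { } block of the radiusd.conf that the daemon really loads (radiusd -X prints the path); if the daemon opens a file name you did not edit, as in the debug output above, you are editing the wrong file or the wrong module instance.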


RE: Patch for 0.8.1 supporting IPv6

2004-11-18 Thread Tariq Rashid

Just curious, but are there any hardware RADIUS clients (Cisco, Lucent,
Redback, other) that can use RADIUS over IPv6?

I realise it is not a common scenario. Perhaps RADIUS over IPv6 using its
mandatory IPsec encryption?

tariq


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: 17 November 2004 22:06
To: [EMAIL PROTECTED]
Subject: Re: Patch for 0.8.1 supporting IPv6 


Shawn [EMAIL PROTECTED] wrote:
 Could any one tell me how to find the patch for 0.8.1 supporting IPv6?

  There is no such patch, and there will never be a patch.

  1.0.1 supports IPv6 attributes in RADIUS, but not listening on an
IPv6 socket.

  Alan DeKok.




NAS-IP-Address and Shortname

2004-11-18 Thread Nicolas Justin
Hello,
Can NAS-IP-Address (in huntgroups) be equal to the shortname 
defined in clients.conf? Then I could declare a subnet as a 
huntgroup in one line in the huntgroups file.

I did a quick grep in the source and didn't find anything useful.
Thanks.
PS: sorry, this is a repost
--
Nicolas Justin


Re: AW: debian with freeradius and securid PAM Module

2004-11-18 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 pam_pass: function pam_authenticate FAILED for wolfmar. Reason: Module
 is unknown

  And it doesn't tell you which module.  Wonderful.

  People actually use this stuff?  And get it to work?  Wow...

 Is ist possible to debug PAM?

  Not really.

  Now you know why I'm so insistent on adding debugging messages to
FreeRADIUS, and on asking people to look at them.

  Alan DeKok.



Re: NAS-IP-Address and Shortname

2004-11-18 Thread Alan DeKok
Nicolas Justin [EMAIL PROTECTED] wrote:
 Can NAS-IP-Address (in huntgroups) be equal to the shortname 
 defined in clients.conf?

  No.

  Alan DeKok.



Re: Patch for 0.8.1 supporting IPv6

2004-11-18 Thread Alan DeKok
Tariq Rashid [EMAIL PROTECTED] wrote:
 just curious - but are there any hardware radius clients (cisco, lucent,
 redback, other) that can use radius over ipv6?

  Probably, but I can't recall any.

  Alan DeKok.



Re: error in compilation (make)

2004-11-18 Thread Eva Kolega
Costas,
Thanks a lot for your answer.
I am looking into the matter in great detail, as I still have problems 
with the versions of the S/W components used.

Eva Kolega
NOC -TEI of ATHENS
Kostas Kalevras wrote:
On Thu, 11 Nov 2004, Eva Kolega wrote:
Paul,
I enclose the whole make report. The problem starts where the lines 
are in bold format. To be precise, I have installed 
mysql-standard-4.0.21-sun-solaris2.9-sparc-64bit.tar.gz with nothing 
else. I mean no mysql client, no devel, no share.  But I guess this 
is the full mysql installation. I mean we run mysql on a number of 
machines for various services. We have not faced any problems yet.  
The ps command output follows:

  root  2159 20585  0 16:16:07 pts/10:00 grep mysql
  root 26783     1  0   Oct 11 ?        0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --user=mysql
  mysql 26800 26783  0   Oct 11 ?        8:20 /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf

And this is the configure command for freeradius:
./configure --prefix=/usr/local/freeradius 
--exec-prefix=/usr/local/freeradius 
--with-mysql-include-dir=/usr/local/mysql/include 
with-openldap-include-dir=/usr/local/openldap

Every time I do a Google search I find answers concerning freeradius 
installation on Linux!! Well, I am using Sol 9.

The mysql package probably does not contain the mysql includes and 
dynamic libraries. You need to also install the devel package in order 
to get rlm_mysql compiled.

Thanks in advance,
Eva Kolega
NOC - TEI of ATHENS
Paul Hampson wrote:
On Tue, Nov 09, 2004 at 05:49:56PM +0200, Eva Kolega at NTUA wrote:
I have installed 
mysql-standard-4.0.21-sun-solaris2.9-sparc-64bit.tar.gz, Apache2, 
php4.3.9 and openldap.
The problem is when I try to run make, though configure run ok,


gcc: sql_mysql.c: linker input file unused because linking not done
Can we have the lines above this? At this point whatever the problem is
has already occurred and so we get the error messages below.

/usr/local/src/freeradius-1.0.1/libtool --mode=link ld -module 
-static  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS 
-DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith 
-Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes 
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W 
-Wredundant-decls -Wundef -I../.. -I../../../../include 
-I/usr/local/mysql/include -Xa -xstrconst -mt -D_FORTEC_ -xarch=v9  
sql_mysql.o -o rlm_sql_mysql.a
mkdir .libs
(cd . && ln -s sql_mysql.lo sql_mysql.o)
ar cru rlm_sql_mysql.a sql_mysql.o
ar: cannot open sql_mysql.o
No such file or directory
ar: sql_mysql.o not found
make[10]: *** [rlm_sql_mysql.a] Error 1


make[1]: Entering directory `/usr/local/src/freeradius-1.0.1'
Making all in src...
make[2]: Entering directory `/usr/local/src/freeradius-1.0.1/src'
make[3]: Entering directory `/usr/local/src/freeradius-1.0.1/src'
Making all in include...
make[4]: Entering directory 
`/usr/local/src/freeradius-1.0.1/src/include'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/include'
Making all in lib...
make[4]: Entering directory `/usr/local/src/freeradius-1.0.1/src/lib'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/lib'
Making all in modules...
make[4]: Entering directory 
`/usr/local/src/freeradius-1.0.1/src/modules'
make[5]: Entering directory 
`/usr/local/src/freeradius-1.0.1/src/modules'
Making static dynamic in rlm_acct_unique...
make[6]: Entering directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_acct_unique'
make[6]: Leaving directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_acct_unique'
Making static dynamic in rlm_always...
make[6]: Entering directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_always'
make[6]: Leaving directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_always'
Making static dynamic in rlm_attr_filter...
make[6]: Entering directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_attr_filter'
make[6]: Leaving directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_attr_filter'
Making static dynamic in rlm_attr_rewrite...
make[6]: Entering directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_attr_rewrite'
make[6]: Leaving directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_attr_rewrite'
Making static dynamic in rlm_chap...
make[6]: Entering directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_chap'
make[6]: Leaving directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_chap'
Making static dynamic in rlm_counter...
make[6]: Entering directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_counter'
make[6]: Leaving directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_counter'
Making static dynamic in rlm_dbm...
make[6]: Entering directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_dbm'
make[6]: Leaving directory 
`/usr/local/src/freeradius-1.0.1/src/modules/rlm_dbm'

Re: Realmbased Relaying

2004-11-18 Thread Kostas Kalevras
On Wed, 17 Nov 2004, jesk wrote:
Hello again,
I have a question about relaying accounting data. We have a customer who 
wants to have all the accounting data related to his realm.
Is there a way to relay the accounting data of his realm to his radius server? 
I thought about creating a separate detail logfile and then setting up a 
separate radrelay which works on the file and relays the data to him. Are 
there other kinds of solutions for this scenario? If not, how can I 
create a separate logfile with only his realm-related data in it?
radrelay is the solution. As for a detail file, either use Acct-Type like:
acct_users: DEFAULT Realm == myrealm.com, Acct-Type := myrealm
detail {
detailfile = ${radacctdir}/detail
[...]
}
accounting{
Acct-Type myrealm {
detail
}
}
or just use the Realm attribute in the detail file path:
detail {
detailfile = ${radacctdir}/%{Realm:-DEFAULT}/detail
[...]
}

Thanks for any hints!

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: help groups and LDAP

2004-11-18 Thread LALOT Dominique
Just some words:
It's starting to work, but I found that this is case sensitive:
DEFAULT Ldap-Group == SCEco, Pool-Name := ScEco_pool
So if the user gets a group ScEco, it won't work.
Am I obliged to activate regular expressions and do:
LDAP-Group =~ /sceco/i
?
Or is there a more efficient way?
Thanks
dom
Dustin Doris wrote:
You'll still need to configure the ippool modules and include those in the
accounting section and post-auth section.  Forgot to include that in the
last email.  A radiusd -X will show you exactly what is going on.  If it
doesn't work, please post that to the list with all output.
ie:
accounting {
...
u2labo
u3labo
...
}
post_auth {
...
u2labo
u3labo
...
}
On Wed, 17 Nov 2004, LALOT Dominique wrote:
 

Thanks,
I have to leave, but the quick and last test I did with your advice
gave me bad results. See you tomorrow.
Using radtest, I don't get any IP, and there is very little doc about
ippool and the way it works.
I suppose that the NAS is completely relying on radius for IP delivery.
I'm wondering what happens in case of a failure of the main radius server.
Dom
Dustin Doris wrote:
   

Hello all,
I've spent quite a long time trying to understand how freeradius works
and trying to get everything I want working.
I have been using OpenLDAP since 2001 and I have no problems understanding LDAP,
as I have written many programs around LDAP. In fact I don't understand how
groups work under radius.
My aim: I would like to distribute different IP pools to users.
The best for me: in the users' DN, we already have an attribute for a
laboratory, i.e. u2labo
I would like to say:
1. authenticate the user in ldap (works ok)
2. get the attribute u2labo
3. use that value to get the IP range (somewhere, even outside ldap
(users)) to distribute the IP.
I've tried many configurations without success. The debugging of ldap
shows me just a successful bind without a search for groups. I tried to
add the radiusprofile objectClass without success. So what is the meaning
of groups in radius?
Can we say:
user fred: attributes XXX, member of group test
group test: the rest of the attributes.
Could you give me the minimum to set in the conf files to get it working?
Thanks
Dom

   

--
Dominique LALOT 
Systems and Network Engineer, CISCAM Pôle Réseau
Université de la Méditerranée http://annuaire.univ-mrs.fr/showuser.php?uid=lalot



Question regarding checkrad

2004-11-18 Thread Wade Kemp
Am I correct in that checkrad does NOT refer to the sql database on how 
to talk to the NAS?

Wade


Re: Question regarding checkrad

2004-11-18 Thread Kostas Kalevras
On Thu, 18 Nov 2004, Wade Kemp wrote:
Am I correct in that checkrad does NOT refer to the sql database on how to 
talk to the NAS?
No. And it *would* be nice to find a secure way to pass the community strings 
(or telnet login/password) to checkrad instead of having to maintain text files 
only for that.

Wade

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


(no subject)

2004-11-18 Thread Michael Basso
I just installed freeradius 1.0.1 and wish to configure LDAP support to authenticate users against
Novell's eDirectory as well as several MAC servers. Where can I start
my learning process? BTW... I have 4 weeks to get this up and
running!




Re: Realmbased Relaying

2004-11-18 Thread jesk
radrelay is the solution. As for a detail file, either use Acct-Type like:
acct_users: DEFAULT Realm == myrealm.com, Acct-Type := myrealm
detail {
detailfile = ${radacctdir}/detail
[...]
}
accounting{
Acct-Type myrealm {
detail
}
}
or just use the Realm attribute in the detail file path:
detail {
detailfile = ${radacctdir}/%{Realm:-DEFAULT}/detail
[...]
}
Thanks for this clear answer!
regards,
christian


learning freeradius + ldap + for mac and novell directory server

2004-11-18 Thread Evren Yurtesen
You can read the readme files and documentation included in doc 
directory of the distribution I guess...

Evren
Michael Basso wrote:
 
 I just installed freeradius 1.0.1 and wish to configure LDAP support to 
authenticate users against Novell's eDirectory as well as several MAC 
servers.  Where can I start my learning process?  BTW...I have 4 weeks 
to get this up and running!
 
 


Changing the way I proxy

2004-11-18 Thread Anson Rinesmith
Below is an example of how I run my central freeradius server. It is nothing
but a central point for proxying to other servers. ISP2 & ISP3 are customers
that we provide the RAS connections for, but send AAA off to them to handle
their customers. I am ISP1 and send my users off to my other freeRADIUS
server. As is obvious from my users file, I handle this all by CLID.
Here is my boggle. We have just purchased ISP2 and need to integrate them
into our RADIUS. We are going to require them to add a domain to their login
([EMAIL PROTECTED]) so that we don't have duplicates to our current users
(their current dialup customers just use a username).
The problem is that ISP2 also does a bit of proxy for a satellite ISP based
on having a domain attached (@sat.newdomain.com). What would I add to my
users file to send any customer with @sat.newdomain.com in the username off
to a different realm, no matter what number they dialed?

*users*
DEFAULT Called-Station-Id == 1234567890, Proxy-To-Realm := isp1
DEFAULT Called-Station-Id == 1230987654, Proxy-To-Realm := isp2
DEFAULT Called-Station-Id == 123000, Proxy-To-Realm := isp2
DEFAULT Called-Station-Id == 1239991234, Proxy-To-Realm := isp3

*proxy.conf*
realm isp1 {
type= radius
authhost= 1.1.1.1:1812
accthost= 1.1.1.1:1813
secret  = mydirtylittlesecret
nostrip
}
realm isp2 {
type= radius
authhost= 2.2.2.2:1645
accthost= 2.2.2.2:1646
secret  = donttellanyone
}
realm isp3 {
type= radius
authhost= 3.3.3.3:1645
accthost= 3.3.3.3:1646
secret  = youdontknow
nostrip
}



Anson Rinesmith




Re: General question on Radius/802.1x

2004-11-18 Thread Andrea G. Forte

 The supplicant needs to authenticate anytime it wishes to get L2 access.
 It is an extension of the Authenticate & Associate MAC processes.
 Why is the authentication done every single time an L2 handoff occurs?
 Usually for 802.11b, I can cover a building
 floor with about two or three APs and for 802.11a each AP covers even a
 smaller area. This means that
 I will have to authenticate even if I move from one room to another
 (exaggeration!).
 This to me sounds like an unnecessary overhead.

 There is a fundamental authentication/security problem you are glossing over:
 How does the AP you roam to know who you are?
 How does one AP know you authenticated against another?
 How does the new AP know the session key you were using with the prior one?
 If it doesn't, how does it make a new one?
 How does that AP trust the other AP?
 How does it know you are really the same station?
 and not some hacker spoofing the same MAC address?

 Answer those questions thoroughly and you will be on the way to solving the
 roaming problem.

The assumption made here is that the authenticator is the AP. I believe
things would be much easier and still safe if one authenticator would
control a group of
APs and not just be one itself. This group of APs could be a subnet or a
smaller group, but at least within this group the handoff would be much
faster. The authenticator would act in the same way except that it would
do the job for a group of APs and not for just one.
If this were done then all the questions above would have their
answers.
What is your opinion?

Andrea




RE: General question on Radius/802.1x

2004-11-18 Thread Guy Davies
 The assumption made here is that the authenticator is the AP. 
 I believe things would be much easier and still safe if one 
 authenticator would control a group of APs and not just be 
 one itself. This group of APs could be a subnet or a smaller 
 group, but at least within this group the handoff would be 
 much faster. The authenticator would act in the same way 
 except that it would do the job for a group of APs and not 
 for just one. If this were done then all the questions 
 above would have their answers. What is your opinion?

This is how some of the switched wireless systems work.  However, if you
roam from an AP on one switch to an AP on another switch, you still have
the same issue.  It reduces the volume of traffic but doesn't make it
disappear altogether.

You can also reduce the amount of reauthentication traffic if your
supplicant, authenticator and authentication server all support Session
Resumption.  This works on the premise that at the point where the
Session-Timeout times out, if the supplicant and the authenticator both
know the master key, then there's no need to trouble the authentication
server.  Normally, there is a time and/or number of reauthentications
limit on this process before a complete reauthentication has to take
place.

Regards,

Guy

 
 Andrea
 
 


Re: help groups and LDAP

2004-11-18 Thread LALOT Dominique
Thanks for all, because it's starting to work.
But: I noticed that I call ldap for each group before finding the right 
one. And for me the group name is just an LDAP attribute to read.
Then when finding the group, for the IP pool, I have to read all the 
pools even when it returns ok.

Fortunately, I have fewer than 10 groups! groupmembership is 
supannaffectation.

Is there something else to do?.
Thanks
dom
users:
DEFAULT Ldap-Group == IUT, Pool-Name := IUT_pool
   Service-Type == Framed-User,
   Fall-Through = no
DEFAULT Ldap-Group == Medecine, Pool-Name := Medecine_pool
   Service-Type == Framed-User,
   Fall-Through = no
DEFAULT Ldap-Group == ESIL, Pool-Name := Esil_pool
   Service-Type == Framed-User,
   Fall-Through = no
DEFAULT Ldap-Group == Pharo, Pool-Name := Pharo_pool
   Service-Type == Framed-User,
   Fall-Through = no
DEFAULT Ldap-Group == Sciences, Pool-Name := Sciences_pool
   Service-Type == Framed-User,
   Fall-Through = no
DEFAULT Ldap-Group == Pharmacie, Pool-Name := Pharmacie_pool
   Service-Type == Framed-User,
   Fall-Through = no
DEFAULT Ldap-Group == OSU, Pool-Name := OSU_pool
   Service-Type == Framed-User,
   Fall-Through = no
DEFAULT Ldap-Group == IM2, Pool-Name := IM2_pool
   Service-Type == Framed-User,
   Fall-Through = no
DEFAULT Ldap-Group == STAPS, Pool-Name := STAPS_pool
   Service-Type == Framed-User,
   Fall-Through = no

rlm_ldap: user fred authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=people,ou=u2,dc=univ-mrs,dc=fr'
radius_xlat:  '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with 
filter (&(supannaffectation=ScEco)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, 
with filter (objectclass=*)
rlm_ldap::groupcmp: Group ScEco not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=people,ou=u2,dc=univ-mrs,dc=fr'
radius_xlat:  '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with 
filter (&(supannaffectation=IUT)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, 
with filter (objectclass=*)
rlm_ldap::groupcmp: Group IUT not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=people,ou=u2,dc=univ-mrs,dc=fr'
radius_xlat:  '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with 
filter (&(supannaffectation=Medecine)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, 
with filter (objectclass=*)
rlm_ldap::groupcmp: Group Medecine not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=people,ou=u2,dc=univ-mrs,dc=fr'
radius_xlat:  '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with 
filter (&(supannaffectation=ESIL)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, 
with filter (objectclass=*)
rlm_ldap::groupcmp: Group ESIL not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=people,ou=u2,dc=univ,dc=fr'
radius_xlat:  '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with 
filter (&(supannaffectation=Pharo)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, 
with filter (objectclass=*)
rlm_ldap::groupcmp: Group Pharo not found or user not a member
rlm_ldap: 

Re: help groups and LDAP

2004-11-18 Thread Dustin Doris
What happens if you do this.

Add the following to ldap.attrmap

checkItem   Pool-Name   supannaffectation

Then remove all those users file entries with Ldap-Group, so it just does
an LDAP lookup, not specifically matching on groups.

This should pull the supannaffectation attribute from ldap and make that the
Pool-Name check item, which should then fire ippool.

-Dusty Doris

On Thu, 18 Nov 2004, LALOT Dominique wrote:

 Thanks for all, because it's starting to work.

 But: I noticed that I call ldap for each group before finding the right
 one. And for me the group name is just an ldap attr to read.
 Then when finding the group, for the IP pool, I have to read all the
 pools even when it returns ok.

 Hopefully, I have less than 10 groups! groupmembership is
 supannaffectation.

 Is there something else to do?

 Thanks

 dom

 users:
 DEFAULT Ldap-Group == IUT, Pool-Name := IUT_pool
 Service-Type == Framed-User,
 Fall-Through = no

 DEFAULT Ldap-Group == Medecine, Pool-Name := Medecine_pool
 Service-Type == Framed-User,
 Fall-Through = no

 DEFAULT Ldap-Group == ESIL, Pool-Name := Esil_pool
 Service-Type == Framed-User,
 Fall-Through = no

 DEFAULT Ldap-Group == Pharo, Pool-Name := Pharo_pool
 Service-Type == Framed-User,
 Fall-Through = no

 DEFAULT Ldap-Group == Sciences, Pool-Name := Sciences_pool
 Service-Type == Framed-User,
 Fall-Through = no

 DEFAULT Ldap-Group == Pharmacie, Pool-Name := Pharmacie_pool
 Service-Type == Framed-User,
 Fall-Through = no

 DEFAULT Ldap-Group == OSU, Pool-Name := OSU_pool
 Service-Type == Framed-User,
 Fall-Through = no

 DEFAULT Ldap-Group == IM2, Pool-Name := IM2_pool
 Service-Type == Framed-User,
 Fall-Through = no

 DEFAULT Ldap-Group == STAPS, Pool-Name := STAPS_pool
 Service-Type == Framed-User,
 Fall-Through = no



 rlm_ldap: user fred authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 2
 rlm_ldap: Entering ldap_groupcmp()
 radius_xlat:  'ou=people,ou=u2,dc=univ-mrs,dc=fr'
 radius_xlat:  '(uid=fred)'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
 filter ((supannaffectation=ScEco)(uid=fred))
 rlm_ldap: object not found or got ambiguous search result
 rlm_ldap: ldap_release_conn: Release Id: 0
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
 with filter (objectclass=*)
 rlm_ldap::groupcmp: Group ScEco not found or user not a member
 rlm_ldap: ldap_release_conn: Release Id: 0
 rlm_ldap: Entering ldap_groupcmp()
 radius_xlat:  'ou=people,ou=u2,dc=univ-mrs,dc=fr'
 radius_xlat:  '(uid=fred)'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
 filter ((supannaffectation=IUT)(uid=fred))
 rlm_ldap: object not found or got ambiguous search result
 rlm_ldap: ldap_release_conn: Release Id: 0
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
 with filter (objectclass=*)
 rlm_ldap::groupcmp: Group IUT not found or user not a member
 rlm_ldap: ldap_release_conn: Release Id: 0
 rlm_ldap: Entering ldap_groupcmp()
 radius_xlat:  'ou=people,ou=u2,dc=univ-mrs,dc=fr'
 radius_xlat:  '(uid=fred)'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
 filter ((supannaffectation=Medecine)(uid=fred))
 rlm_ldap: object not found or got ambiguous search result
 rlm_ldap: ldap_release_conn: Release Id: 0
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
 with filter (objectclass=*)
 rlm_ldap::groupcmp: Group Medecine not found or user not a member
 rlm_ldap: ldap_release_conn: Release Id: 0
 rlm_ldap: Entering ldap_groupcmp()
 radius_xlat:  'ou=people,ou=u2,dc=univ-mrs,dc=fr'
 radius_xlat:  '(uid=fred)'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
 filter ((supannaffectation=ESIL)(uid=fred))
 rlm_ldap: object not found or got ambiguous search result
 rlm_ldap: ldap_release_conn: Release Id: 0
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
 with filter (objectclass=*)
 rlm_ldap::groupcmp: Group ESIL not found or user not a member
 rlm_ldap: ldap_release_conn: Release Id: 0
 rlm_ldap: Entering ldap_groupcmp()
 radius_xlat:  'ou=people,ou=u2,dc=univ,dc=fr'
 
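As an added illustration of the cost Dominique is seeing (example code written for this archive, not part of the thread or of FreeRADIUS): a small parser that reads rlm_ldap debug output like the one quoted above and attributes every LDAP search to the Ldap-Group check that caused it. The sample log is constructed from the shape of the output above, with the & restored in the AND filters; the "User found in group" line for the matching case is an assumption, since the thread only shows misses.

```python
"""Count the LDAP round trips behind a users-file Ldap-Group scan.

Added example for this thread; it is not FreeRADIUS code.  Each
"Entering ldap_groupcmp()" block is one users-file DEFAULT entry being
tried, and on a miss rlm_ldap performs a second search on the user's
own entry before reporting "not found".
"""
import re

# Constructed sample, modelled on the radiusd -X output in the thread: the
# user fred is tried against ScEco and IUT before matching Medecine.  The
# "User found in group" line is assumed here for the matching case.
SAMPLE_LOG = """\
rlm_ldap: user fred authorized to use remote access
  modcall[authorize]: module ldap returns ok for request 2
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=ScEco)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, with filter (objectclass=*)
rlm_ldap::groupcmp: Group ScEco not found or user not a member
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=IUT)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, with filter (objectclass=*)
rlm_ldap::groupcmp: Group IUT not found or user not a member
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=Medecine)(uid=fred))
rlm_ldap::groupcmp: User found in group Medecine
"""

ENTER = "Entering ldap_groupcmp()"
SEARCH = "performing search in"
GROUP_MISS = re.compile(r"groupcmp: Group (\S+) not found or user not a member")
GROUP_HIT = re.compile(r"groupcmp: User found in group (\S+)")


def group_search_cost(log_text):
    """Attribute every LDAP search in the log to the Ldap-Group check that caused it.

    Returns (per_group, total): per_group is a list of (group, searches, matched)
    in the order the entries were tried, total is the number of searches issued
    by the group checks after the authorize lookup.
    """
    per_group = []
    current = None
    total = 0
    for line in log_text.splitlines():
        if ENTER in line:
            current = ["?", 0, False]     # group name is only known at the end of the block
            per_group.append(current)
            continue
        if SEARCH in line:
            total += 1
            if current is not None:
                current[1] += 1
            continue
        miss = GROUP_MISS.search(line)
        if miss and current is not None:
            current[0] = miss.group(1)
            continue
        hit = GROUP_HIT.search(line)
        if hit and current is not None:
            current[0] = hit.group(1)
            current[2] = True
    return [tuple(entry) for entry in per_group], total


def worst_case_searches(n_groups):
    """Searches for a user whose group is the last of n_groups DEFAULT entries:
    two per miss (group search plus the user-entry fallback) and one for the hit."""
    return 2 * (n_groups - 1) + 1


if __name__ == "__main__":
    per_group, total = group_search_cost(SAMPLE_LOG)
    for group, searches, matched in per_group:
        print(f"{group:10s} searches={searches} matched={matched}")
    print("total group-check searches:", total)
    print("worst case with 10 groups:", worst_case_searches(10))
```

Run against the constructed log it reports two searches for each missed group and one for the hit, five in all, and 19 for a user sitting in the tenth of ten entries. Dusty's attrmap approach costs none of these: the supannaffectation value is already in the entry the authorize lookup fetched.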

Deny Access for users

2004-11-18 Thread Silvestre Malta
Hi.

Sorry for disturbing.

I'm using FreeRadius 0.9.3 and I've two questions I can't solve by myself.

1) When using Radwho it does not use the short name of the NAS. The output displays the IP addresses.
I've the clients.conf well configured and also the naslist file.
What can I do to solve this?
Do I have to enable the resolution of names in radiusd.conf?

2) Is it possible to deny users if they connect from a specific NAS?
For example, I have two NAS (access1 and access2), how can I tell that the users can do a login from access1 but not from access2?
Is this configuration possible?


Thanks for the help and for your time.
Kindly Bruno



PEAP Authentication Failing with JetDirect 680n

2004-11-18 Thread Hugo Chasqueira

I have freeradius configured to do PEAP and EAP-TTLS, searching the user data
in LDAP. All is working well, except one device, a wireless network printer
that refuses to authenticate. The freeradius debug output is attached.

Does anyone have any idea? I'm stumped by the 'Got something weird' message...


--

Hugo Chasqueira

Public Key:
http://www.fcee.ucp.pt/docentes/url/hbc/pubkey.txt



rad_recv: Access-Request packet from host 172.17.0.2:21656, id=202, length=131
User-Name = impressoras
Framed-MTU = 1400
Called-Station-Id = 000e.83df.54e0
Calling-Station-Id = 000e.7f3a.bf7b
Message-Authenticator = 0x22593e6002c7c256b8041ed4ff07b523
EAP-Message = 0x0202001001696d70726573736f726173
NAS-Port-Type = Wireless-802.11
NAS-Port = 370
Service-Type = Framed-User
NAS-IP-Address = 172.17.0.2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 150
  modcall[authorize]: module preprocess returns ok for request 150
  modcall[authorize]: module chap returns noop for request 150
  modcall[authorize]: module mschap returns noop for request 150
rlm_realm: No '@' in User-Name = impressoras, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = impressoras
rlm_realm: Proxying request from user impressoras to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 150
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module ntdomain returns noop for request 150
  rlm_eap: EAP packet type response id 2 length 16
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 150
rlm_ldap: - authorize
rlm_ldap: performing user authorization for impressoras
radius_xlat:  '(uid=impressoras)'
radius_xlat:  'dc=ucp,dc=pt'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ucp,dc=pt, with filter (uid=impressoras)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX  op=21
rlm_ldap: Adding ntPassword as NT-Password, value 
BB4C23CC9852DA1DDF3A750EE4A1B2D6  op=21
rlm_ldap: Adding lmPassword as LM-Password, value 
210AB2216E60A5FC985E1393CED001C9  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user impressoras authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 150
modcall: group authorize returns updated for request 150
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 150
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 150
modcall: group authenticate returns handled for request 150
Sending Access-Challenge of id 202 to 172.17.0.2:21656
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd7f17d64474b7ef6783758e8fa710f28
Finished request 150
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.17.0.2:21656, id=203, length=199
User-Name = impressoras
Framed-MTU = 1400
Called-Station-Id = 000e.83df.54e0
Calling-Station-Id = 000e.7f3a.bf7b
Message-Authenticator = 0x0b4dc6f72fc4fe910e1c8ce3323d7713
EAP-Message = 
0x02030042198000381603010033012f03010567fbaa172dd22a046dd101f70daeefd92afcd35a35f58cbecc6cda879508000a0005000400090100
NAS-Port-Type = Wireless-802.11
NAS-Port = 370
State = 0xd7f17d64474b7ef6783758e8fa710f28
Service-Type = Framed-User
NAS-IP-Address = 172.17.0.2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 151
  modcall[authorize]: module preprocess returns ok for request 151
  modcall[authorize]: module chap returns noop for request 151
  modcall[authorize]: module mschap returns noop for request 151
rlm_realm: No '@' in User-Name = impressoras, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = impressoras
rlm_realm: Proxying request from user impressoras to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 151
rlm_realm: 

Re: PEAP Authentication Failing with JetDirect 680n

2004-11-18 Thread Alan DeKok
Hugo Chasqueira [EMAIL PROTECTED] wrote:
   rlm_eap_peap: Session established.  Decoding tunneled attributes.
   rlm_eap_peap: Got something weird.

  The data inside of the PEAP session isn't what it's supposed to be.

  The message is in src/modules/rlm_eap/types/rlm_eap_peap/peap.c

  You could edit the code to print out the hex data of what it
receives, which would help a little.  But until you know how to parse
it, there's not much anyone can do.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Changing the way I proxy

2004-11-18 Thread Alan DeKok
Anson Rinesmith [EMAIL PROTECTED] wrote:
 The problem is that ISP2 also does a bit of proxy for a satellite ISP based
 on having a domain attached (@sat.newdomain.com). What would I add to my
 users file to send any customer with @sat.newdomain.com in the username off
 to a different realm, no matter what number they dialed?

DEFAULT User-Name =~ "@sat\.newdomain\.com$", Proxy-To-Realm := foo

  Alan DeKok.

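An added example (written for this archive, not part of Alan's reply or of FreeRADIUS) of why the anchor and the escaped dots in that regex matter: realm selection decides which home server receives the user's credentials, so a loose pattern lets a crafted User-Name be proxied somewhere it should not go. The matcher below models only the operators the entry uses (=~ and == on User-Name, := on Proxy-To-Realm); the sample names are constructed.

```python
"""Route a user to a proxy realm with a users-file style regex check.

Added example for this thread; it is not FreeRADIUS code and implements only
the two check operators and the one assignment the entry above uses.
"""
import re

# One "Attribute op value" pair; values may be double-quoted.
PAIR_RE = re.compile(
    r'(?P<attr>[\w-]+)\s*(?P<op>=~|==|:=)\s*(?P<val>"[^"]*"|\S+?)(?=,|$)')


def parse_users_entry(line):
    """Split 'DEFAULT a op v, b op v' into (name, [(attr, op, value), ...])."""
    name, _, rest = line.strip().partition(" ")
    pairs = [(m.group("attr"), m.group("op"), m.group("val").strip('"'))
             for m in PAIR_RE.finditer(rest)]
    return name, pairs


def select_realm(user_name, entries):
    """Return the Proxy-To-Realm of the first entry whose checks match user_name,
    or None when nothing matches (the request would then be handled locally)."""
    for line in entries:
        _, pairs = parse_users_entry(line)
        matched = True
        for attr, op, value in pairs:
            if op == ":=":
                continue
            if attr != "User-Name":
                matched = False          # only User-Name checks are modelled here
                break
            if op == "=~" and not re.search(value, user_name):
                matched = False
                break
            if op == "==" and value != user_name:
                matched = False
                break
        if matched:
            for attr, op, value in pairs:
                if attr == "Proxy-To-Realm" and op == ":=":
                    return value
    return None


# The entry from the reply above: anchored at the end, dots escaped.
STRICT = [r'DEFAULT User-Name =~ "@sat\.newdomain\.com$", Proxy-To-Realm := foo']
# The tempting shortcut: same idea without the anchor or the escapes.
LOOSE = [r'DEFAULT User-Name =~ "@sat.newdomain.com", Proxy-To-Realm := foo']

SAMPLE_NAMES = [                        # constructed test names
    "alice@sat.newdomain.com",          # genuine satellite customer
    "alice@sat.newdomain.com.example",  # suffix appended: must not proxy
    "alice@satXnewdomain.com",          # an unescaped dot matches any character
    "alice@newdomain.com",              # ordinary ISP2 customer
]


def compare(names=SAMPLE_NAMES):
    """Realm chosen by the strict and the loose entry for each sample name."""
    return {n: (select_realm(n, STRICT), select_realm(n, LOOSE)) for n in names}


if __name__ == "__main__":
    for name, (strict, loose) in compare().items():
        print(f"{name:36s} strict={strict} loose={loose}")
```

The strict entry proxies only the genuine name; the loose one also sends the appended-suffix and the satXnewdomain names to realm foo.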


Re: General question on Radius/802.1x

2004-11-18 Thread Joe Matuscak
On Thu, 18 Nov 2004, Andrea G. Forte wrote:

 The assumption made here is that the authenticator is the AP. I believe
 things would be much easier and still safe if one authenticator would
 control a group of APs and not just be one itself. This group of APs
 could be a subnet or a smaller group, but at least within this group the
 handoff would be much faster. The authenticator would act in the same
 way except that it would do the job for a group of APs and not for just
 one.

That's pretty much what Wireless Domain Services (WDS) on the Cisco 
Aironet APs does. One of the APs does the direct communication to the 
radius server and then caches that for its client APs. Take a look at:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml



Joe Matuscak
Rohrer Corporation
717 Seville Road
Wadsworth, Ohio 44281
(330)335-1541
[EMAIL PROTECTED]





Re: Missing pgsql-voip.conf file

2004-11-18 Thread Alasdair Ramsay
Hi,
I was just looking at the voip billing db... the pgsql-voip.conf is not
correct with respect of the tablenames.
The database schema creates tables
| CREATE TABLE StartVoIP (
| CREATE TABLE StartTelephony (
| CREATE TABLE StopVoIP (
| CREATE TABLE StopTelephony (
| CREATE TABLE gateways (
| CREATE TABLE customers (
| CREATE TABLE cust_gw (
| CREATE VIEW customerip AS
| CREATE OR REPLACE FUNCTION strip_dot (VARCHAR) RETURNS TIMESTAMPTZ AS '
| CREATE OR REPLACE FUNCTION pick_id (VARCHAR, VARCHAR) RETURNS VARCHAR AS '
| CREATE TABLE isdn_error_codes (
whereas the pgsql-voip.conf file refers to tablenames...
| # Database configuration
| radius_db = radius
|
| # Database table configuration
| acct_table1 = Start
| acct_table2 = Stop
|
| authcheck_table = radcheck
| authreply_table = radreply
|
| groupcheck_table = radgroupcheck
| groupreply_table = radgroupreply
|
| usergroup_table = usergroup
Am I missing something glaringly obvious?
Alasdair
Alan DeKok wrote:
| Chhai  Thach [EMAIL PROTECTED] wrote:
|
|I can't seem to find the /src/billing/pgsql-voi.conf file on the FR
|1.0.1 source.
|
|
|   See the raddb directory.
|
|   Alan DeKok.
|
| -
| List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
|
| This message has been comprehensively scanned for viruses,
| please visit http://virus.e2e-filter.com/ for details.
|


Discarding new Request

2004-11-18 Thread Cris Boisvert
I have a problem where the freeradius server that I'm running is slow
responding and I have a bunch of these errors in the radius.log:

discarding new request from client nas1.test.net due to live request

Does anyone know why?

Thanx

Cris

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.797 / Virus Database: 541 - Release Date: 11/15/2004
 


Multiple processing heads...

2004-11-18 Thread Stuart Harris
Has anyone here got a setup with multiple processing servers connected to a
single DB (mySQL) server? The only issue I can think of is when it's writing
accounting. Anyone got any experience of doing this?


RE: Multiple processing heads...

2004-11-18 Thread Cris Boisvert
I have it running with multiple servers connecting to one mysql server, so
all the accounting goes to the same place.

Then I have all the servers synchronize (locally) with it nightly and fail
over to the local one if the primary stopped working?

I'm redoing it now because my server motherboard died.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stuart Harris
Sent: Thursday, November 18, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: Multiple processing heads...

 Has anyone here got a setup with multiple processing servers connected to a
 single DB (mySQL) server? The only issue I can think of is when it's writing
 accounting. Anyone got any experience of doing this?




RE: Multiple processing heads...

2004-11-18 Thread Stuart Harris
For me having an SQL server fail isn't a problem, I'm lucky in a way as I've
got too many servers and not enough to do with them ;) if our radius SQL
server failed, I could have a replacement up within 30 minutes as I've got a
slave that polls all our other SQL servers to keep a current transaction log.
All I need to know is that I'm not going to get problems with accounting
packet duplication or some other weird thing ;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cris Boisvert
Sent: 18 November 2004 21:36
To: [EMAIL PROTECTED]
Subject: RE: Multiple processing heads...

 I have it running with multiple servers connecting to one mysql server, so
 all the accounting goes to the same place.

 Then I have all the servers synchronize (locally) with it nightly and fail
 over to the local one if the primary stopped working?

 I'm redoing it now because my server motherboard died.


rlm_exec fail V reject

2004-11-18 Thread Jev
Hi All,
I'm calling an external script via the rlm_exec module, when I return a 
non 0 (ie -1) value from my script I need radius to send an access-reject 
response to the client.

I came across this thread:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg10671.html
Was a patch ever committed for this, or is there another solution that 
can satisfy my requirement?

I'm running 1.0.0 right now.
Thanks,
-Jev


Re: Multiple processing heads...

2004-11-18 Thread Thor Spruyt
Can you describe a bit more?
Like:
Redundant database? How?
Redundant radius servers? How?
How many radius servers?
Expected load of requests?
...
--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth 
Huysmans) now via www.salesguide.be
Discover the Telenet Hotspot service at www.telenet.be/hotspots

- Original Message - 
From: Stuart Harris
To: [EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 10:15 PM
Subject: Multiple processing heads...

Has anyone here got a setup with multiple processing servers connected to a 
single DB (mySQL) server? The only issue I can think of is when it's writing 
accounting. Anyone got any experience of doing this? 



Re: Discarding new Request

2004-11-18 Thread Alan DeKok
Cris Boisvert [EMAIL PROTECTED] wrote:
 discarding new request from client nas1.test.net  due to live 
 request
 
 Does anyone know why?

  Your back-end DB is slow.

  Search the list archives for that error message, in order to find
many, many cases where others have run into the same problem.

  Alan DeKok.




Re: rlm_exec fail V reject

2004-11-18 Thread Jev
Ok, great Paul, thank you!
Is it this patch: 
http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00132.html

that you plan to apply? Is the patch in that post the most recent? I ask 
because I may attempt to apply and build it myself, so I can proceed 
with some testing that I need this feature for...

Thanks!
-Jev

Paul Hampson wrote:
On Thu, Nov 18, 2004 at 02:52:35PM -0800, Jev wrote:
I'm calling an external script via the rlm_exec module, when I return a 
non 0 (ie -1) value from my script I need radius to send an access-reject 
response to the client.

I came across this thread:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg10671.html

Was a patch ever committed for this, or is there another solution that 
can satisfy my requirement?

I'm running 1.0.0 right now.

I intend to test and commit that patch this weekend, but it'll be to CVS
HEAD, so you'll have to build your own FreeRADIUS until 1.1.0 is
released.


RE: Multiple processing heads...

2004-11-18 Thread Stuart Harris
 Can you describe a bit more?
 Like:
 Redundant database? How?
MySQL Supports read-only (one way) replication, we replicate all our live
databases (customer hosting, internal, etc...) to a single backup DB which
has a 'live' copy, it doesn't normally have writes to it, but it can quickly
be used to build up a replacement DB that is current as of the time of
departure of a dead server.. 

 Redundant radius servers? How? 
Let me give you an overview first ;)
We use processing heads to handle inbound (and outbound) queries for
everything from database lookups to mail processing... we currently use 4
servers that process common incoming requests (dns, inbound mail, etc..),
our network is designed to be 'plug and play', that is, we have set up the
network for us to be able to rapidly deploy new servers for the high
throughput services to ensure responsiveness, and we've also setup
redundancy to be able to totally restore service very quickly where we
cannot stop failure short of spending a LOT more money than we have now.

What I'd like to do is move our 'single point of failure' Free Radius server
off a dedicated server and onto to the farm (m00)... 

Basically, each of these 4 servers would connect to our mySQL server that's
used to manage customer accounts, so initially 4 servers connected to one
mySQL DB, this server in turn is backed up on an ongoing basis... this
'backup' server would (currently, and probably never!) however serve
requests... I'd also be interested in ideas of how I could actually have a
continually live radius solution that can query the 'backup' server if the
primary goes down... but queue accounting until the master is up... (I can
hope :P)

 How many radius servers?
4 currently if I do this ;)

 Expected load of requests?
10,000+ daily at least.
 





Re: rlm_exec fail V reject

2004-11-18 Thread Paul Hampson
On Thu, Nov 18, 2004 at 05:14:47PM -0800, Jev wrote:
 Ok, great Paul, thank you!
 
 Is it this patch: 
 http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00132.html
 
 that you plan to apply? Is the patch in that post the most recent? I ask 
 because I may attempt to apply and build it my self, so I can proceed 
 with some testing that I need this feature for...

That patch, with the changes described here:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg10746.html
except the line number in rlm_exec is wrong...

Oh heck, here's the patch as it sits in my source tree. ^_^
(No documentation changes yet though. That'll come, but the
changes are pretty much fully described in the above threads.)

Index: src/main/exec.c
===
RCS file: /source/radiusd/src/main/exec.c,v
retrieving revision 1.44
diff -u -r1.44 exec.c
--- src/main/exec.c 12 Oct 2004 17:46:39 -  1.44
+++ src/main/exec.c 19 Nov 2004 02:40:46 -
@@ -562,5 +562,5 @@
 
radlog(L_ERR|L_CONS, Exec-Program: Abnormal child exit: %s,
   strerror(errno));
-   return 1;
+   return 2;
 }
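Review bot: the `return 2` that replaces `return 1` at the end of this hunk is a magic number whose meaning now lives in another file: with the rlm_exec mapping in the second patch, an abnormal child exit becomes module code 2-1 = RLM_MODULE_FAIL, whereas the old 1 would have become RLM_MODULE_REJECT. Put a comment at this return stating the convention (0 success, 1 reject, 2 fail, N maps to module code N-1) so a later reader of exec.c does not "fix" it back, and confirm that no other caller of this function still tests for the old value 1.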
Index: src/modules/rlm_exec/rlm_exec.c
===
RCS file: /source/radiusd/src/modules/rlm_exec/rlm_exec.c,v
retrieving revision 1.11
diff -u -r1.11 rlm_exec.c
--- src/modules/rlm_exec/rlm_exec.c 26 Feb 2004 19:04:32 -  1.11
+++ src/modules/rlm_exec/rlm_exec.c 19 Nov 2004 02:40:47 -
@@ -332,7 +332,7 @@
result = radius_exec_program(inst-program, request,
 inst-wait, NULL, 0,
 *input_pairs, answer);
-   if (result != 0) {
+   if (result  0) {
radlog(L_ERR, rlm_exec (%s): External script failed,
   inst-xlat_name);
return RLM_MODULE_FAIL;
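Review bot: the new condition reads `if (result  0)` in the archive, the comparison operator having been lost in transit; for the intent of the hunk it has to be `result < 0`, so that only a failure to run the child is logged as "External script failed" and returned as RLM_MODULE_FAIL while a non-negative exit status falls through to the mapping added below. Since the old `result != 0` test is gone, a script exiting non-zero is no longer an error at this point, so the "External script failed" message should not be relied on for that case; consider logging the exit status on the fall-through path instead.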
@@ -347,7 +347,13 @@
 
pairfree(answer);
 
-   return RLM_MODULE_OK;
+   if (result == 0) {
+   return RLM_MODULE_OK;
+   }
+   if (result  RLM_MODULE_NUMCODES) {
+   return RLM_MODULE_FAIL;
+   }
+   return result-1;
 }
 
 
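Review bot: the guard `if (result  RLM_MODULE_NUMCODES)` has also lost its operator in the archive, and whichever it was it must be checked against the value actually returned two lines later, which is `result-1`: the largest acceptable exit status is RLM_MODULE_NUMCODES itself (mapping to the last module code), so the test needs to be `result > RLM_MODULE_NUMCODES` (equivalently `result - 1 >= RLM_MODULE_NUMCODES`); with `>=` a script exiting with RLM_MODULE_NUMCODES would be turned into RLM_MODULE_FAIL by mistake. Writing the check on `result - 1` and adding a one-line comment with the mapping (exit 0 = OK, exit N = module code N-1, so exit 1 = reject) would cover the documentation the commit text defers.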


-- 
Paul TBBle Hampson, on an alternate email client.



Multiple Stop Packets for same AcctSessionId

2004-11-18 Thread Joyce Choong
Hi All,

I am currently using freeradius version 0.8.1.  I have been getting this
strange record in my radacct table. I am using a Wireless Subscriber
Gateway.

Kindly refer to the sample log below.
+------------------+----------+---------------------+---------------------+-----------------+
| AcctSessionId    | UserName | AcctStartTime       | AcctStopTime        | AcctSessionTime |
+------------------+----------+---------------------+---------------------+-----------------+
| 00904b538dda0c03 | zainal   | 2004-10-18 16:29:25 | 2004-10-18 16:48:35 |            1140 |
| 00904b538dda0c03 | zainal   | 0000-00-00 00:00:00 | 2004-10-19 12:52:56 |           16779 |
| 00904b538dda0c03 | zainal   | 0000-00-00 00:00:00 | 2004-10-20 08:29:08 |           16779 |
| 00904b538dda0c03 | zainal   | 0000-00-00 00:00:00 | 2004-10-21 08:23:18 |           16779 |
| 00904b538dda0c03 | zainal   | 0000-00-00 00:00:00 | 2004-10-26 11:39:54 |           16779 |
| 00904b538dda0c03 | zainal   | 0000-00-00 00:00:00 | 2004-11-03 09:32:03 |           16778 |
| 00904b538dda0c03 | zainal   | 0000-00-00 00:00:00 | 2004-11-04 17:47:06 |           16779 |
| 00904b538dda0c03 | zainal   | 0000-00-00 00:00:00 | 2004-11-10 09:38:39 |           16779 |
| 00904b538dda0c03 | zainal   | 0000-00-00 00:00:00 | 2004-11-10 14:13:53 |           16779 |
| 00904b538dda0c03 | zainal   | 0000-00-00 00:00:00 | 2004-11-19 08:24:13 |           16779 |
+------------------+----------+---------------------+---------------------+-----------------+

This user 'zainal'  actually has his final login session on 2004-10-18
16:29:25. His account expired on the following day. However, the later
records were found added to my radacct table.

I am surprised to see the same AcctSessionId for all the logs.

Does anyone have a similar problem, or any idea why this situation occurs?

Would appreciate help.

Thanks a lot !



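An added example (written for this archive, not part of Joyce's post or of FreeRADIUS) of the consistency check one would run over radacct to catch exactly this pattern: Stop records that share an AcctSessionId, and among them the ones whose AcctStartTime is the MySQL zero date, which marks a Stop that matched no open Start row. The rows are a constructed copy of the table above plus one healthy session for contrast; SQLite is used so the script runs offline, and the SQL is plain enough to run on the MySQL radacct table unchanged.

```python
"""Find AcctSessionIds that received more than one Stop record.

Added example for this thread; it is not FreeRADIUS code.  It loads a
constructed copy of the radacct rows shown above into an in-memory SQLite
table and runs the kind of integrity query you would point at the real table.
"""
import sqlite3

ZERO = "0000-00-00 00:00:00"   # MySQL zero date: a Stop that found no Start row

# Constructed from the table in the post: one real session, then nine Stops
# reusing the same AcctSessionId with no matching Start, plus one healthy
# session (invented) so the query has something to leave alone.
ROWS = [
    ("00904b538dda0c03", "zainal", "2004-10-18 16:29:25", "2004-10-18 16:48:35", 1140),
    ("00904b538dda0c03", "zainal", ZERO, "2004-10-19 12:52:56", 16779),
    ("00904b538dda0c03", "zainal", ZERO, "2004-10-20 08:29:08", 16779),
    ("00904b538dda0c03", "zainal", ZERO, "2004-10-21 08:23:18", 16779),
    ("00904b538dda0c03", "zainal", ZERO, "2004-10-26 11:39:54", 16779),
    ("00904b538dda0c03", "zainal", ZERO, "2004-11-03 09:32:03", 16778),
    ("00904b538dda0c03", "zainal", ZERO, "2004-11-04 17:47:06", 16779),
    ("00904b538dda0c03", "zainal", ZERO, "2004-11-10 09:38:39", 16779),
    ("00904b538dda0c03", "zainal", ZERO, "2004-11-10 14:13:53", 16779),
    ("00904b538dda0c03", "zainal", ZERO, "2004-11-19 08:24:13", 16779),
    ("00904b538dda0c04", "amina", "2004-11-18 09:00:00", "2004-11-18 09:30:00", 1800),
]

# Sessions with more than one Stop, how many of those Stops had no Start,
# and the span of time over which the duplicates arrived.
DUPLICATE_STOPS_SQL = """
SELECT AcctSessionId, UserName,
       COUNT(*)                                           AS stops,
       SUM(CASE WHEN AcctStartTime = ? THEN 1 ELSE 0 END) AS orphan_stops,
       MIN(AcctStopTime)                                  AS first_stop,
       MAX(AcctStopTime)                                  AS last_stop
FROM radacct
WHERE AcctStopTime IS NOT NULL
GROUP BY AcctSessionId, UserName
HAVING COUNT(*) > 1
"""


def load(rows=ROWS):
    """Build the in-memory radacct table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        AcctSessionId TEXT, UserName TEXT, AcctStartTime TEXT,
        AcctStopTime TEXT, AcctSessionTime INTEGER)""")
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?)", rows)
    return conn


def duplicate_stops(conn):
    """Return one row per session id that received more than one Stop."""
    return conn.execute(DUPLICATE_STOPS_SQL, (ZERO,)).fetchall()


def orphan_session_seconds(conn):
    """Session time the orphan Stops would add to each user's total if billed."""
    rows = conn.execute(
        "SELECT UserName, SUM(AcctSessionTime) FROM radacct "
        "WHERE AcctStartTime = ? GROUP BY UserName", (ZERO,)).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = load()
    for row in duplicate_stops(db):
        print("duplicate stops:", row)
    print("orphan seconds per user:", orphan_session_seconds(db))
```

On the constructed rows the query returns the one session id with 10 Stops, 9 of them orphans, spread from 2004-10-18 to 2004-11-19, and the orphans alone would add 151010 seconds to zainal's usage; the healthy session is not reported.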


rlm_ippool - not releasing ip addresses

2004-11-18 Thread Mike O'Connor
Hi All
I have an issue with freeradius 1.0.1 not releasing some IP addresses back 
to the non-active pool.

There are 30 addresses in the pool and at this time 13 of these are listed 
as active but the radacct records show that the users using these 
addresses have logged off.

The rlm_ippool_tool has an option '-r' which I thought would fix this 
but it removed the ip address from the database instead.

Any help with this would be greatly appreciated
Thanks
Mike