Error: Dropping conflicting packet due to unfinished request
Hello,

I run freeradius server (1.0.2) with ldap support on a debian sarge server. In the last few days I have been getting the error message

Error: Dropping conflicting packet due to unfinished request

a lot of times and the server dies too frequently.

I've seen in previous threads (http://lists.freeradius.org/archives/freeradius-users/2005/04/frm00119.html and http://lists.freeradius.org/archives/freeradius-users/2005/05/msg7.html) about this message being related to a bug in external commands, but I don't use any external command, I just use an ldap server as the users' database.

Any idea?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337
Event-Timestamp attribute
Hi.

The Event-Timestamp attribute is now (according to yesterday's CVS snapshot) in a separate file, dictionary.rfc2869. This RFC says the attribute is an unsigned integer. Why is it a date in dictionary.rfc2869?

If we name the file with the RFC number, then why didn't we follow it? It's not difficult to change the attribute every time I upgrade, but ...

--
Alexander
Acct-Session-Id
Hello guys and girls,

I have a small quick question. Is the attribute Acct-Session-Id (number 44) modifiable manually (can I set it to what I want)? If so, where should it be modified (in which file)?

Thanks a lot!

--
Vicky
reading reply-message with cisco
Hi all,

This is not related to freeradius directly, but to Cisco. I thought somebody could have had the same problem.

I'm willing to send a reply-message to Cisco (which I'm already sending using radius) and, according to what string I'm sending along with reply-message, I'm willing to reproduce some IVR or other.

Has anybody done this before? I think it is using TCL ... could anybody read this attribute using TCL?

Thanks a lot

Regards,
Lucas
HuntGroups MySql
I'm having a problem with huntgroups and mysql. I see other threads about it but they just die, so I'm posting again with as much information as I can give about what I've done for testing.

I have 1 huntgroup

Authentium NAS-IP-Address == 127.0.0.1

and a user in 3 groups

+-------+----------+------------+
| id    | UserName | GroupName  |
+-------+----------+------------+
| 10494 | sdgusler | Propel     |
| 10726 | sdgusler | Authentium |
| 10485 | sdgusler | V92        |
+-------+----------+------------+

the groups are laid out as follows

+----+------------+-------------------+----+-----------------+------+
| id | GroupName  | Attribute         | op | Value           | prio |
+----+------------+-------------------+----+-----------------+------+
| 1  | Propel     | Propel-Accelerate | =  | 1               | 0    |
| 2  | V92        | Framed-IP-Address | =  | 255.255.255.255 | 0    |
| 3  | V92        | Framed-Protocol   | =  | PPP             | 0    |
| 4  | V92        | Idle-Timeout      | =  | 1200            | 0    |
| 5  | V92        | Service-Type      | =  | 1               | 0    |
| 6  | V92        | Session-Timeout   | =  | 28800           | 0    |
| 8  | Authentium | Propel-Accelerate | =  | 0               | 0    |
+----+------------+-------------------+----+-----------------+------+

and their check attributes

+----+------------+----------------+----+------------+
| id | GroupName  | Attribute      | op | Value      |
+----+------------+----------------+----+------------+
| 2  | Propel     | Auth-Type      | := | Local      |
| 3  | V92        | Auth-Type      | := | Local      |
| 1  | Authentium | Huntgroup-Name | == | Authentium |
| 6  | Authentium | Auth-Type      | := | Local      |
+----+------------+----------------+----+------------+

Now if I do a radtest from the box (localhost) while my user is in the authentium group and the huntgroup setting is set on it, it works but sends attributes from every groupname. If I radtest from anywhere else (the client config is right) it only sends me a reject. But if I take the huntgroup off of the authentium group it will work from localhost or other machines, sending me all attributes from every group...

And furthermore, when I get the attributes back when a huntgroup is matched (or not), it throws out whatever is found last. So if I define my group as Propel first (lower recordid in sql), and I send the Propel-Accelerate = 1, then define authentium (has a higher recordid) and Propel-Accelerate = 0, it will send back whatever it finds first, the propel group attribute, when it should send back only my huntgroup attributes, or at least send all attributes and override matching attributes with my huntgroup's.

What I'm looking for is radius to send me only the attributes from the huntgroup matched, if it comes from a match, and if not from one of the huntgroups, it will either send whatever attributes from whatever groups I'm in or whatever attributes from whatever groups the user is in that don't have a huntgroup.

I'm not sure if that's possible or even supposed to work like that, but I don't think it's supposed to reject everyone but the huntgroup if you stick a user in a group with a huntgroup.

Thanks,
Scott
Re: Error: Dropping conflicting packet due to unfinished request
On Tue, 17 May 2005, Angel L. Mateo wrote:

> Hello,
>
> I run freeradius server (1.0.2) with ldap support on a debian sarge server. In the last few days I have been getting the error message
>
> Error: Dropping conflicting packet due to unfinished request
>
> a lot of times and the server dies too frequently.
>
> I've seen in previous threads (http://lists.freeradius.org/archives/freeradius-users/2005/04/frm00119.html and http://lists.freeradius.org/archives/freeradius-users/2005/05/msg7.html) about this message being related to a bug in external commands, but I don't use any external command, I just use an ldap server as the users' database.
>
> Any idea?

Perhaps your ldap server might be running a little slow. Are you using openldap? If so, what version? Also, do you have the attributes you are searching with indexed? Finally, if you are using a BDB backend, what does your DB_CONFIG file show?
Re: Acct-Session-Id
On Tue, 17 May 2005, vicky wrote:

> Hello guys and girls,
>
> I have a small quick question. Is the attribute Acct-Session-Id (number 44) modifiable manually (can I set it to what I want)? If so, where should it be modified (in which file)?

What do you mean by modifiable? Acct-Session-Id is sent by the NAS and should be unique. You can play with acct-unique-id which is defined in radiusd.conf. This is a hash of whatever you want to put in there that will help create uniqueness if your NAS seems to be re-using numbers.
Re: Traffic limits
On Tue, 2005-17-05 at 15:52 +0300, Varlaam Sobakkin wrote:

> Hello!
>
> I have a very simple question. Maybe there's an answer for it in the archive, but there is no search function in the archive =(
>
> A few years ago I used an IC-Radius with octets-patch. Is there any way to limit traffic to a user? Some kind of Total-Octets-Limit and Octets-Direction reply items. I haven't found any of that in the dictionaries or anywhere else in the distro =(
>
> Hope for short answer.

Not really. It is a decision of the NAS or the end user to end a session. If your NAS supports an attribute that allows the radius server to send an octet limit, then it is possible to use rlm_counter to sum up the current usage and send the remaining amount.

Read the docs on your NAS and for the rlm_counter module.
RE: reading reply-message with cisco
Lucas Aimaretto wrote:

> Hi all,
>
> This is not related to freeradius directly, but to Cisco. I thought somebody could have had the same problem.
>
> I'm willing to send a reply-message to Cisco (which I'm already sending using radius) and, according to what string I'm sending along with reply-message, I'm willing to reproduce some IVR or other.
>
> Has anybody done this before? I think it is using TCL ... could anybody read this attribute using TCL?

Yes, search for the tcl/ivr scripts on the cisco web site. I have implemented a full ivr system using cisco (h323) vsas and tcl scripts.

> Regards,
> Lucas

---
Miguel
Re: Setting up Dialup_admin
Douglas,

In this section of your php.conf file add the last line to it. It should be located in the httpd directory. Hope this helps.

#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddType application/x-httpd-php .php
AddType application/x-httpd-php .php3

Joel

----- Original Message -----
From: Douglas Huber [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, May 17, 2005 1:10 PM
Subject: Setting up Dialup_admin

> I have set up freeradius 1.0.2. The php web interface seems to have a problem. When I launch it, I get the page, but the sidebar where options/buttons should be is blank with scraps of php code in it. Any advice on what is wrong?
>
> dch
Re: Event-Timestamp attribute
Alexander [EMAIL PROTECTED] wrote:

> This RFC says the attribute to be unsigned integer. Why is it date in dictionary.rfc2869?

Because it's a date. See RFC 2866 for a definition of the time type. It's the same as date, and is stored as a 32-bit integer.

> If we name the file with rfc number, then why didn't we follow it ? It's not difficult to change the attribute every time i upgrade, but ...

Why the heck are you changing the attribute? It's a date. It gets printed and parsed like a date. What goes into the RADIUS packet is a 32-bit integer, because that's how dates are represented in the protocol.

Do you really want to see and type in all dates in your system as 32-bit integers? That's how they're represented internally in Unix.

I'm at a complete loss for why you would want to change the type of the attribute. What do you hope to gain by it?

Alan DeKok.
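The point made in the reply above, as an added example (not part of the original thread and not FreeRADIUS code): on the wire, Event-Timestamp is attribute 55 carrying a 4-octet unsigned integer of seconds since the Unix epoch, and a date type only changes how that integer is printed and parsed. The function names and the sample attribute bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

EVENT_TIMESTAMP = 55  # Event-Timestamp attribute number (RFC 2869)


def parse_attributes(data):
    """Split the attribute section of a RADIUS packet into (type, value) pairs.

    Each attribute is: 1 octet type, 1 octet length (covering type and
    length themselves), then length-2 octets of value.
    """
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        # Reject lengths that are too small or that run past the buffer.
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def decode_event_timestamp(value):
    """Return the same value twice: as the raw integer and as a UTC date."""
    if len(value) != 4:
        raise ValueError("Event-Timestamp value must be 4 octets")
    (seconds,) = struct.unpack("!I", value)  # network byte order, unsigned
    return seconds, datetime.fromtimestamp(seconds, tz=timezone.utc)


def encode_event_timestamp(when):
    """Build the 6-octet attribute (type, length, value) from an aware datetime."""
    seconds = int(when.timestamp())
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("date does not fit in 32 bits")
    return bytes([EVENT_TIMESTAMP, 6]) + struct.pack("!I", seconds)


def event_timestamps(data):
    """Decode every Event-Timestamp found in an attribute section."""
    return [decode_event_timestamp(value)
            for attr_type, value in parse_attributes(data)
            if attr_type == EVENT_TIMESTAMP]


# Constructed sample: User-Name = "test1" followed by an Event-Timestamp.
SAMPLE = bytes([1, 7]) + b"test1" + bytes([55, 6]) + struct.pack("!I", 1116331200)

if __name__ == "__main__":
    for seconds, when in event_timestamps(SAMPLE):
        print(seconds, when.isoformat())
```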
lil problem with running radiusd :S
whether I run radiusd or radtest I get this error message.. :

/usr/local/bin/radclient: error while loading shared libraries: libcrypto.so.0.9.7: cannot open shared object file: No such file or directory

this is the command I run for config:

[EMAIL PROTECTED] freeradius-1.0.2]# ./configure --with-openssl-includes=/usr/share/ssl-certgen/include/openssl/ --with-openssl-libraries=/usr/share/ssl-certgen/lib/ --disable-shared --sysconfdir=/etc

then I issue a make make install. Everything goes fine.. then I get the error message above when running radiusd or radtest.. :S

any ideas?

thanks,
JSNicaise
RE: Traffic limits
Just FYI :)

Archive of the list

There is an archive of the list available on the web. The list can be searched at The Mail Archive...
http://www.mail-archive.com/freeradius-users@lists.cistron.nl/

Miles Mawyer
Webmaster, Centralva.net
[EMAIL PROTECTED]
434.385.5053

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Varlaam Sobakkin
Sent: Tuesday, May 17, 2005 8:53 AM
To: freeradius-users@lists.freeradius.org
Subject: Traffic limits

Hello!

I have a very simple question. Maybe there's an answer for it in the archive, but there is no search function in the archive =(

A few years ago I used an IC-Radius with octets-patch. Is there any way to limit traffic to a user? Some kind of Total-Octets-Limit and Octets-Direction reply items. I haven't found any of that in the dictionaries or anywhere else in the distro =(

Hope for short answer.

--
Regards,
Varlaam
mailto:[EMAIL PROTECTED]
RADIUS LDAP Problem
Hello,

it does not function (Authentication Win XP to Radius).

Errorlog:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.0.101:389, authentication 0
rlm_ldap: bind as cn=admin,dc=,dc=xx/ to 192.168.0.101:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=,dc=xxx, with filter (uid=test1)
rlm_ldap: checking if remote access for test1 is allowed by dialupAccess
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value test1 op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
modcall[authenticate]: module ldap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [test1/no User-Password attribute]

thanks,
Christian
RE: HuntGroups MySql
I believe the reason these SQL Group discussions die is that it is hard to explain what is really happening. I will attempt to do so but cannot devote much time to followups if this is not clear. Also, my understanding is based on FR 1.0.0 as we haven't moved up to 1.0.2 yet.

FreeRADIUS' use of groups in the sql module is not the same as using Unix groups in the users file. You cannot create separate check conditions in separate SQL groups and then send only the reply elements from that same group.

Look at the SQL queries in sql.conf - specifically, the authorize_group_check_query and authorize_group_reply_query settings. These queries return check and reply attributes for a user based on the settings in usergroup. IT DOES NOT RETURN THE GROUP NAMES THEMSELVES. As far as FreeRADIUS is concerned this is one large group of check and reply attributes.

I have implemented two possible solutions and I'm sure there are plenty of others.

One solution is to use Autz-Type and implement a different sql.conf definition for each Autz-Type. The downside is that many more SQL connections are opened when FR starts up.

Another solution is to redefine the SQL queries in sql.conf. I have implemented this approach by adding a HuntGroup column to the table definitions. I then add the appropriate clients to the huntgroup file and have the SQL queries use the HuntGroup name as part of the query to find the appropriate check and reply attributes to return to FreeRADIUS.

An example of our setup is as follows:

+-----------+-----------+----+--------+-----------+
| GroupName | Attribute | op | Value  | HuntGroup |
+-----------+-----------+----+--------+-----------+
| DEFAULT   | Auth-Type | =  | Local  | wlusers   |
| DEFAULT   | Auth-Type | =  | Reject | dial800   |
| tollfree  | Auth-Type | := | Local  | dial800   |
+-----------+-----------+----+--------+-----------+

+-----------+--------------------+----+---------------------+-----------+
| GroupName | Attribute          | op | Value               | HuntGroup |
+-----------+--------------------+----+---------------------+-----------+
| DEFAULT   | Service-Type       | =  | Framed-User         | wlusers   |
| DEFAULT   | Framed-Protocol    | =  | PPP                 | wlusers   |
| DEFAULT   | Framed-IP-Address  | =  | 255.255.255.254     | wlusers   |
| DEFAULT   | Framed-IP-Netmask  | =  | 255.255.255.255     | wlusers   |
| DEFAULT   | Framed-Compression | =  | Van-Jacobson-TCP-IP | wlusers   |
| tollfree  | Service-Type       | =  | Framed-User         | dial800   |
| tollfree  | Framed-Protocol    | =  | PPP                 | dial800   |
| tollfree  | Framed-IP-Address  | =  | 255.255.255.254     | dial800   |
| tollfree  | Framed-IP-Netmask  | =  | 255.255.255.255     | dial800   |
| tollfree  | Framed-Compression | =  | Van-Jacobson-TCP-IP | dial800   |
+-----------+--------------------+----+---------------------+-----------+

A similar approach could be implemented using IP addresses, hints or realms.

Cheers,
_Mike (not a FreeRADIUS developer)
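The second approach described in the message above, as an added example (not part of the original post, and not the queries shipped in sql.conf): a group reply lookup that merges every group the user belongs to, beside one restricted by a HuntGroup column. It runs against an in-memory SQLite database; the table name radgroupreply, the hunt group name "dialup" and the query text are assumptions, while the user, groups and attributes are taken from the earlier HuntGroups post.

```python
import sqlite3

# Constructed data: memberships and reply items follow the earlier post;
# the HuntGroup column follows the description above; "dialup" is made up.
SCHEMA = """
CREATE TABLE usergroup (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupreply (
    id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT,
    op TEXT, Value TEXT, HuntGroup TEXT);
"""
USERGROUP = [
    (10494, "sdgusler", "Propel"),
    (10726, "sdgusler", "Authentium"),
    (10485, "sdgusler", "V92"),
]
GROUPREPLY = [
    (1, "Propel", "Propel-Accelerate", "=", "1", "dialup"),
    (3, "V92", "Framed-Protocol", "=", "PPP", "dialup"),
    (4, "V92", "Idle-Timeout", "=", "1200", "dialup"),
    (8, "Authentium", "Propel-Accelerate", "=", "0", "Authentium"),
]

# One flat set of attributes for every group the user belongs to:
# group names are not part of the result, so conflicting values collide.
MERGED_QUERY = """
SELECT r.Attribute, r.op, r.Value
FROM radgroupreply r JOIN usergroup u ON u.GroupName = r.GroupName
WHERE u.UserName = ?
ORDER BY r.id
"""

# Same join, restricted to rows tagged with the hunt group the request matched.
SCOPED_QUERY = """
SELECT r.Attribute, r.op, r.Value
FROM radgroupreply r JOIN usergroup u ON u.GroupName = r.GroupName
WHERE u.UserName = ? AND r.HuntGroup = ?
ORDER BY r.id
"""


def build_db():
    """Create the in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO usergroup VALUES (?, ?, ?)", USERGROUP)
    conn.executemany("INSERT INTO radgroupreply VALUES (?, ?, ?, ?, ?, ?)",
                     GROUPREPLY)
    return conn


def reply_items(conn, user, huntgroup=None):
    """Reply attributes for a user, optionally limited to one hunt group.

    Values are bound as parameters, never concatenated into the SQL text.
    """
    if huntgroup is None:
        return conn.execute(MERGED_QUERY, (user,)).fetchall()
    return conn.execute(SCOPED_QUERY, (user, huntgroup)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("merged:    ", reply_items(db, "sdgusler"))
    print("Authentium:", reply_items(db, "sdgusler", "Authentium"))
    print("dialup:    ", reply_items(db, "sdgusler", "dialup"))
```

In the merged result Propel-Accelerate appears with both values, which is the conflict described in the earlier post; a request whose hunt group tags no rows gets no group reply items at all.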
Re: lil problem with running radiusd :S
Jean-Sébastien Nicaise [EMAIL PROTECTED] wrote:

> /usr/local/bin/radclient: error while loading shared libraries: libcrypto.so.0.9.7: cannot open shared object file: No such file or directory

You installed openssl in a place where your dynamic linker can't find it. This has little to do with FreeRADIUS.

Update ld.so.conf, if you have one.

Alan DeKok.
Re: RADIUS LDAP Problem
Christian Zawada [EMAIL PROTECTED] wrote:

> rad_check_password: Found Auth-Type LDAP

Don't set Auth-Type LDAP, and it will work.

Alan DeKok.
Re: Error: Dropping conflicting packet due to unfinished request
Dustin Doris wrote:

> > I run freeradius server (1.0.2) with ldap support on a debian sarge server. In the last few days I have been getting the error message Error: Dropping conflicting packet due to unfinished request a lot of times and the server dies too frequently.
> > [...]
>
> Perhaps your ldap server might be running a little slow. Are you using openldap? If so, what version? Also, do you have the attributes you are searching with indexed? Finally, if you are using a BDB backend, what does your DB_CONFIG file show?

I suppose that if you're seeing it lots of times, and it dies frequently, it may be more related to LDAP and what Dustin tells you.

But I also add that, besides the external commands bug, I also saw some of those errors too while NOT using external commands, which disappeared after upgrading to the latest 1.0.x version from CVS.

Regards,
Juan
RE: radius crash
What versions are you guys running?

I am running 1.0.0-pre3 and have exactly the same problem. I am in the process of upgrading to 1.0.2, but I am starting to wonder if that is going to actually fix the problem.

What I see is the radius server is still running, but using a lot of CPU (70-90%). It doesn't respond to any packets and the only way to kill it is to kill -9 it.

When I run it in debug mode it doesn't happen (typical!).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Lucas Aimaretto
Sent: Saturday, 14 May 2005 3:21 a.m.
To: freeradius-users@lists.freeradius.org
Subject: RE: radius crash

> you mean radiusd -X? Can this full debug information somehow be saved in a file instead of directly on the console?

Edgars, you can try 'radiusd -X > radius.log 2>&1 &'. With this you're redirecting everything to radius.log.

Please, let us know how you did, because yesterday I had the same problem. Radius stopped working, but I could see the listening sockets when 'netstat -putan' was executed. But when I sent radius an access-request with nt-radping (app to test radius) I had no answer from it ... and it kind of worried me ...

Regards,
Lucas
Re: radius crash
What you're likely seeing is something that has already been fixed in the CVS snapshots. Previously, if one of the worker threads died, it could go into a segfault loop that would block the server and send the CPU to near 100%. That was fixed a while back in CVS. I'm not sure if it's included in 1.0.2 or not...

--Mike

Simon Allard wrote:

> What versions are you guys running?
>
> I am running 1.0.0-pre3 and have exactly the same problem. I am in the process of upgrading to 1.0.2, but I am starting to wonder if that is going to actually fix the problem.
>
> What I see is the radius server is still running, but using a lot of CPU (70-90%). It doesn't respond to any packets and the only way to kill it is to kill -9 it.
>
> When I run it in debug mode it doesn't happen (typical!).
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Lucas Aimaretto
> Sent: Saturday, 14 May 2005 3:21 a.m.
> To: freeradius-users@lists.freeradius.org
> Subject: RE: radius crash
>
> > you mean radiusd -X? Can this full debug information somehow be saved in a file instead of directly on the console?
>
> Edgars, you can try 'radiusd -X > radius.log 2>&1 &'. With this you're redirecting everything to radius.log.
>
> Please, let us know how you did, because yesterday I had the same problem. Radius stopped working, but I could see the listening sockets when 'netstat -putan' was executed. But when I sent radius an access-request with nt-radping (app to test radius) I had no answer from it ... and it kind of worried me ...
>
> Regards,
> Lucas