Re: Installing FR 1.05

2005-09-23 Thread Duane Cox
During the configure/make process, was the module actually built?  If not, 
then you are missing the mysql driver stuff.




- Original Message - 
From: Bill Neely

To: freeradius-users@lists.freeradius.org
Sent: Friday, September 23, 2005 7:28 PM
Subject: Installing FR 1.05


I am installing FreeRADIUS 1.0.5 on the FreeBSD 5.4 OS.

Installation went alright, but when I fire it up, it fails to load the sql 
module.


Here is the radiusd -x string:

radiusd -x
Starting - reading configuration files ...
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.


In radiusd.conf, I have

   $INCLUDE  ${confdir}/sql.conf


What else do I need to do?

Bill




-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html 



Usage of pam_radius_auth

2005-09-23 Thread Nagaraj Venkatapuram
All, has anybody had experience using pam_radius_auth for
authenticating services like http/https, ssh, telnet? I tried running
the sample application but authentication failed.

My configuration is like this.

/etc/raddb/server
# server[:port] shared_secret  timeout (s)
# 127.0.0.1   secret 1
192.168.1.100   testing123-2   3

/etc/pam.d/other/pam.conf
auth    sufficient  /lib/security/pam_radius_auth.so debug
account sufficient  /lib/security/pam_radius_auth.so

My radius server is free radius version 1.0.5.

The request does not even get to the radius server running on
192.168.1.100 port 1812.

Am I missing anything in the configuration? Please let me know.

Thanks,
N



Installing FR 1.05

2005-09-23 Thread Bill Neely



I am installing FreeRADIUS 1.0.5 on the FreeBSD 5.4 OS.

Installation went alright, but when I fire it up, it fails to load the sql module.

Here is the radiusd -x output:

radiusd -x
Starting - reading configuration files ...
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.

In radiusd.conf, I have

   $INCLUDE  ${confdir}/sql.conf

What else do I need to do?

Bill
 

Re: No appropriate error message ("rlm_ldap: could not start TLS Connect error")

2005-09-23 Thread Linus van Geuns
Alan DeKok wrote:
> Linus van Geuns <[EMAIL PROTECTED]> wrote:
> 
>>3.) Did I claim someone _has_ to fix it, because I don't 'like' it?
> 
> 
>   Pretty much, yes.  And you then got upset when I said you could fix it.

Hm, AFAIR... ah, maybe I got upset by this one:
---8<--
>>>> _And_ maybe this mail inspires some of the developers to report the
>>>> appropriate error message instead of "rlm_ldap:  could not start TLS
>>>> Connect error".
>>>
>>> You just volunteered to write the patch.
>>> Please mail it to the list when it's ready.
>>
>> I'm sorry, but I am bound to another software project atm.
>
> That's terrible!
> When can we expect a fix?
>
> Alan DeKok.
---8<--

>> 4.) I think the error message from freeradius obviously contains no
>> useful debug information.
> 
>Sure.  Have you ever tried using a *commercial* server?
> They have *no* useful debugging or error messages.

Ah! There is no need to care about it, because others don't care about
appropriate error messages.

I think, that's all I need to know by now.

Linus van Geuns.



Re: No appropriate error message ("rlm_ldap: could not start TLS Connect error")

2005-09-23 Thread Alan DeKok
Linus van Geuns <[EMAIL PROTECTED]> wrote:
> 3.) Did I claim someone _has_ to fix it, because I don't 'like' it?

  Pretty much, yes.  And you then got upset when I said you could fix it.

> 4.) I think the error message from freeradius obviously contains no
> useful debug information.

   Sure.  Have you ever tried using a *commercial* server?
They have *no* useful debugging or error messages.

 Alan DeKok.


Re: Freeradius Ldap

2005-09-23 Thread Linus van Geuns
Cris Boisvert wrote:
> I'm setting up freeradius to talk to an Ipswitch Imail server for
> authentication.
> 
> Just needs to do the basic  User  Pass... Ok.
> 
> 
[..]
> A snippet of the config.
> ---
> ldap {
> server = "192.168.77.6"
> #identity = "cn=root,o=My Org,c=UA"
> #password = test1234
> basedn = "o=My Org,c=UA"
> #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> # base_filter = "(objectclass=radiusprofile)"
> 
> # set this to 'yes' to use TLS encrypted connections
> __--
> 
[..]
> Below is a cut from the radiusd -X debug output.
> 
> Anyone have any recommendations?
> 
> 
> 
>   modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "[EMAIL PROTECTED]" with password "test"
> radius_xlat:  '([EMAIL PROTECTED])'
> radius_xlat:  'o=My Org,c=UA'

Do you really have an object with the attribute uid="[EMAIL PROTECTED]"?
I think you should split the username at the '@' delimiter, so you search
for uid=test,dc=pork,dc=com (or similar).

But if you have such objects, try ldap_debug=0x between ldap { } in
your radiusd.conf.

Linus van Geuns.



Re: No appropriate error message ("rlm_ldap: could not start TLS Connect error")

2005-09-23 Thread Linus van Geuns
Alan DeKok wrote:
> Linus van Geuns <[EMAIL PROTECTED]> wrote:
> 
>>Did I forget to tell you, I'm very sorry for intending to help others
>>and mentioning that the error message is not appropriate?  It was my
>>fault, I should not even think of saving other peoples' time without
>>getting payed for it.
> 
> 
>   The issue was that you were asking other people to fix a problem you
> ran into.
> 
>   Where is the incentive for us to fix something you don't like?

1.) The developers of freeradius declared their intent to provide a
radius daemon, so other people may _use_ (not develop) it.

2.) I mailed the solution to my problem so others running into the same
one may find this mail useful.

3.) Did I claim someone _has_ to fix it, because I don't 'like' it?

4.) I think the error message from freeradius obviously contains no
useful debug information.

So what?



freeRadius with LDAP for MSCHAP & mac auth

2005-09-23 Thread Seferovic Edvin
Hello everyone...

I've set up a freeradius server with an LDAP backend for MSCHAP, but now I have
to set up MAC-based auth on the same server, also with the same LDAP
backend (but the MAC info is found in another subtree). So I have made two
ldap instances under modules, including MSCHAP...

modules {

mschap {
 authtype = MS-CHAP
 use_mppe = yes
 require_encryption = yes
 require_strong = yes
}

ldap ldap_users 
{
server = "81.yyy.xxx.xxx"
basedn = "ou=People,dc=xxx,dc=xxx"
filter = "(&(objectClass=posixAccount)(uid=%u))"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 10
timeout = 4
timelimit = 3
net_timeout = 1
}

ldap ldap_mac 
{
server = "81.xxx.xxx.xxx"
  basedn = "ou=Hosts,dc=xxx,dc=xxx"
  filter = "(&(objectClass=ipHost)(ipHostNumber=%u))"
  start_tls = no
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 10
  timeout = 4
  timelimit = 3
  net_timeout = 1
}
... } // modules end

instantiate {
weekly_traffic // just a counter
}

authorize {
mschap
ldap_users
ldap_mac
weekly_traffic
}
 
authenticate {
#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
  
Auth-Type LDAP {
ldap_mac
ldap_users
}
}

So what I actually need is: when my VPN server sends Access-Request packets
with MS-CHAP attributes, I would like the mschap module to use the "ldap_users"
part. And when an Access-Request packet with the MAC address is received, I
would like to use ldap_mac ONLY! Here is a part of my log file:

rad_recv: Access-Request packet from host 172.19.10.2:1024, id=22,
length=193
Framed-MTU = 1480
NAS-IP-Address = 172.19.10.2
NAS-Identifier = "HP2626-Verwaltung"
User-Name = "00:0a:e4:22:c5:9d"
Service-Type = Administrative-User
Framed-Protocol = PPP
NAS-Port = 10
NAS-Port-Type = Ethernet
NAS-Port-Id = "10"
Called-Station-Id = "00-14-38-2e-2c-76"
Calling-Station-Id = "00-0a-e4-22-c5-9d"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
CHAP-Password = 0x1525d56e4e21bbbc83d5e49fa3be8173a5
Debug:   Processing the authorize section of radiusd.conf
Debug: modcall: entering group authorize for request 0
Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request
0
Debug:   modcall[authorize]: module "mschap" returns noop for request 0
Debug:   modsingle[authorize]: calling ldap_users (rlm_ldap) for request 0
Debug: rlm_ldap: - authorize
Debug: rlm_ldap: performing user authorization for 00:0a:e4:22:c5:9d
Debug: radius_xlat:  '(&(objectClass=posixAccount)(uid=00:0a:e4:22:c5:9d))'
Debug: radius_xlat:  'ou=People,dc=kolp,dc=at'
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: attempting LDAP reconnection
Debug: rlm_ldap: (re)connect to 81.189.101.10:389, authentication 0
Debug: rlm_ldap: bind as / to 81.189.101.10:389
Debug: rlm_ldap: waiting for bind result ...
Debug: rlm_ldap: Bind was successful
Debug: rlm_ldap: performing search in ou=People,dc=kolp,dc=at, with filter
(&(objectClass=posixAccount)(uid=00:0a:e4:22:c5:9d))
Debug: rlm_ldap: object not found or got ambiguous search result
Debug: rlm_ldap: search failed
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Debug:   modsingle[authorize]: returned from ldap_users (rlm_ldap) for
request 0
Debug:   modcall[authorize]: module "ldap_users" returns notfound for
request 0
Debug:   modsingle[authorize]: calling ldap_mac (rlm_ldap) for request 0
Debug: rlm_ldap: - authorize
Debug: rlm_ldap: performing user authorization for 00:0a:e4:22:c5:9d
Debug: radius_xlat:
'(&(objectClass=ipHost)(ipHostNumber=00:0a:e4:22:c5:9d))'
Debug: radius_xlat:  'ou=Hosts,dc=kolp,dc=at'
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: attempting LDAP reconnection
Debug: rlm_ldap: (re)connect to 81.189.101.10:389, authentication 0
Debug: rlm_ldap: bind as / to 81.189.101.10:389
Debug: rlm_ldap: waiting for bind result ...
Debug: rlm_ldap: Bind was successful
Debug: rlm_ldap: performing search in ou=Hosts,dc=kolp,dc=at, with filter
(&(objectClass=ipHost)(ipHostNumber=00:0a:e4:22:c5:9d))
Debug: rlm_ldap: looking for check items in directory...
Debug: rlm_ldap: looking for reply items in directory...
Debug: rlm_ldap: Adding description as vid, value 20 & op=11
Debug: rlm_ldap: user 00:0a:e4:22:c5:9d authorized to use remote access
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Debug:   modsingle[authorize]: returned from ldap_mac (rlm_ldap) for request
0
Debug:   modcall[authorize]: module "ldap_mac" returns ok for request 0
Debug:   modsingle[

Re: Cant make in openbsd3.7 freeradius 1.0.5

2005-09-23 Thread Alan DeKok
"Lou Goddard" <[EMAIL PROTECTED]> wrote:
> Is anyone else having issues compiling freeradius under openbsd?

  Can you say what the errors are?

  Alan DeKok.


Re: No appropriate error message ("rlm_ldap: could not start TLS Connect error")

2005-09-23 Thread Alan DeKok
Linus van Geuns <[EMAIL PROTECTED]> wrote:
> Did I forget to tell you, I'm very sorry for intending to help others
> and mentioning that the error message is not appropriate?  It was my
> fault, I should not even think of saving other people's time without
> getting paid for it.

  The issue was that you were asking other people to fix a problem you
ran into.

  Where is the incentive for us to fix something you don't like?

> Is there something else that I may learn by reading your mails, Mr.
> DeKok? If not, they'll be read by /dev/null..

  Too bad it isn't a two-way pipe.

  Alan DeKok.


Freeradius Ldap

2005-09-23 Thread Cris Boisvert
I'm setting up freeradius to talk to an Ipswitch Imail server for
authentication.

Just needs to do the basic  User  Pass... Ok.


LDAP Server is 192.168.77.6  (this is all private testing) (the imail
server)

Domain on the server is pork.com

A snippet of the config.
---
ldap {
server = "192.168.77.6"
#identity = "cn=root,o=My Org,c=UA"
#password = test1234
basedn = "o=My Org,c=UA"
#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"

# set this to 'yes' to use TLS encrypted connections
__--

I suspect that I'm having a problem with the basedn. On the imail server
the LDAP user and pass are
Root and test1234


The actual mail account that I'm trying to authorize against is [EMAIL PROTECTED],
pass test


Below is a cut from the radiusd -X debug output.

Anyone have any recommendations?



modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "[EMAIL PROTECTED]" with password "test"
radius_xlat:  '([EMAIL PROTECTED])'
radius_xlat:  'o=My Org,c=UA'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.77.6:389, authentication 0
rlm_ldap: bind as / to 192.168.77.6:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=My Org,c=UA, with filter
([EMAIL PROTECTED])
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns notfound for request 0
modcall: group Auth-Type returns notfound for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 37 to 192.168.77.6:2686
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 37 with timestamp 43345c56
Nothing to do.  Sleeping until we see a request.



Re: No appropriate error message ("rlm_ldap: could not start TLS Connect error")

2005-09-23 Thread Linus van Geuns
Alan DeKok wrote:
> Linus van Geuns <[EMAIL PROTECTED]> wrote:
> 
>>>  Please mail it to the list when it's ready.
>>
>>I'm sorry, but I am bound to another software project atm.
> 
> 
>   That's terrible!
> 
>   When can we expect a fix?

I'm working on a daemon that aims to implement PXE 2.1 and to be easily
configurable. As I have to learn C++, network programming and
programming for Linux/*nix by creating this daemon, and as this project
is nothing official or something I get paid for, it will be done when
it's done.

Did I forget to tell you, I'm very sorry for intending to help others
and mentioning that the error message is not appropriate?  It was my
fault, I should not even think of saving other people's time without
getting paid for it.

Is there something else that I may learn by reading your mails, Mr.
DeKok? If not, they'll be read by /dev/null..

Linus van Geuns.




Cant make in openbsd3.7 freeradius 1.0.5

2005-09-23 Thread Lou Goddard



Greetings,

Is anyone else having issues compiling freeradius under openbsd?

Re: How to deal with this ...

2005-09-23 Thread Ezequiel O. Block

Guy Fraser wrote:

> On Fri, 2005-23-09 at 11:55 -0300, Ezequiel O. Block wrote:
> 
>> Hi Guys,
>>
>> Using Freeradius for authorization, accounting and ip pools management.
>>
>> By mistake I turned off my NAS, and when this NAS came back online
>> freeradius began rejecting my users as if they were still connected.
>> Should my NAS send some kind of "Accounting restart, let's start again"
>> packet to Freeradius in order to let it know that those users are no
>> longer connected? Am I right? If not, how can I deal with this kind of
>> problem? Apart from not being so stupid again as to turn off a NAS by
>> mistake...
> 
> Yes, your NAS probably should, but many vendors do not include
> support for Accounting On and Accounting Off.

I'm using MPD on FreeBSD as PPPoE AC; I'm going to ask on their mailing
list to see if it does support accounting on/off.

> If your NAS does not support Accounting On/Off there is little
> you can do. If your NAS supports remote syslog, you could
> monitor the log and watch for something that occurs at startup
> or shutdown. You could also set up some kind of "heart beat"
> monitor that checks to see if the NAS shuts down. You can use
> these to close the open accounts on the affected NAS. You will
> need to be careful how you account for the interruption in your
> billing system because you will not have any accurate accounting
> information or stop time. In the past when we have had NAS
> failures we did not bill for the session that failed, but to
> limit our exposure we set a 100 hour maximum session time; that
> way users have to connect at least 7 times per month so we don't
> lose a complete billing cycle.

Thanks a lot for the tip. I just switched back to plain text validation
over the NAS itself; to recover from this situation I'm just about to:

1. DELETE FROM radacct WHERE AcctStopTime IS NULL AND NASIPAddress = 'a.b.c.d';

2. Restart freeRadius to clean up those IPs no longer in use?

3. Did I forget something?

> Good luck.

Thanks,
Ezequiel.
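Added example, not code from this thread: the recovery step above as an UPDATE that stops the open radacct rows for one NAS instead of deleting them, so the sessions stay visible to billing, with the elapsed time capped at the 100-hour maximum the reply describes. It runs against an in-memory SQLite table whose column names are assumed from the FreeRADIUS SQL schema, seeded with constructed rows.

```python
"""Close radacct sessions left open after a NAS reboot (UPDATE rather than DELETE)."""
from __future__ import annotations

import sqlite3
from datetime import datetime, timedelta

# The per-session cap from the reply: it bounds how much time an unnoticed failure can hide.
MAX_SESSION = timedelta(hours=100)

# Constructed moment at which Accounting-On arrived or a heartbeat monitor saw the outage.
EXAMPLE_EVENT_TIME = datetime(2005, 9, 23, 12, 0, 0)


def create_radacct(conn: sqlite3.Connection) -> None:
    """Subset of the FreeRADIUS radacct table used below (assumed column names)."""
    conn.execute(
        """CREATE TABLE radacct (
               radacctid          INTEGER PRIMARY KEY,
               username           TEXT NOT NULL,
               nasipaddress       TEXT NOT NULL,
               framedipaddress    TEXT,
               acctstarttime      TEXT NOT NULL,
               acctstoptime       TEXT,
               acctsessiontime    INTEGER,
               acctterminatecause TEXT)"""
    )


def seed_constructed_data(conn: sqlite3.Connection) -> None:
    """Constructed rows: two sessions still open on 10.0.0.1, one open on 10.0.0.2,
    and one on 10.0.0.1 that already closed normally."""
    rows = [
        ("alice", "10.0.0.1", "192.0.2.10", "2005-09-23 10:00:00", None, None, None),
        ("bob",   "10.0.0.1", "192.0.2.11", "2005-09-18 09:00:00", None, None, None),
        ("carol", "10.0.0.2", "192.0.2.12", "2005-09-23 10:30:00", None, None, None),
        ("dave",  "10.0.0.1", "192.0.2.13", "2005-09-23 08:00:00",
         "2005-09-23 09:00:00", 3600, "User-Request"),
    ]
    conn.executemany(
        "INSERT INTO radacct (username, nasipaddress, framedipaddress, acctstarttime,"
        " acctstoptime, acctsessiontime, acctterminatecause) VALUES (?, ?, ?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()


def open_sessions(conn: sqlite3.Connection, nas_ip: str) -> list[tuple[str, str]]:
    """(username, framedipaddress) of sessions the server still believes are up on nas_ip."""
    cur = conn.execute(
        "SELECT username, framedipaddress FROM radacct"
        " WHERE nasipaddress = ? AND acctstoptime IS NULL ORDER BY username",
        (nas_ip,),
    )
    return [(user, ip) for user, ip in cur.fetchall()]


def close_stale_sessions(conn: sqlite3.Connection, nas_ip: str, event_time: datetime,
                         cause: str = "NAS-Reboot") -> int:
    """Stop every open session on nas_ip at event_time. There is no real stop time, so
    the session length is the time until event_time, clamped to [0, MAX_SESSION].
    Returns the number of rows closed; their addresses can then go back to the pool."""
    stale = conn.execute(
        "SELECT radacctid, acctstarttime FROM radacct"
        " WHERE nasipaddress = ? AND acctstoptime IS NULL",
        (nas_ip,),
    ).fetchall()
    for radacctid, start in stale:
        elapsed = event_time - datetime.fromisoformat(start)
        elapsed = max(timedelta(0), min(elapsed, MAX_SESSION))  # clock skew / runaway sessions
        conn.execute(
            "UPDATE radacct SET acctstoptime = ?, acctsessiontime = ?, acctterminatecause = ?"
            " WHERE radacctid = ?",
            (event_time.strftime("%Y-%m-%d %H:%M:%S"), int(elapsed.total_seconds()),
             cause, radacctid),
        )
    conn.commit()
    return len(stale)


def session_time(conn: sqlite3.Connection, username: str) -> int | None:
    row = conn.execute("SELECT acctsessiontime FROM radacct WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def run_example() -> dict:
    """Seed the constructed data, close the stale rows for 10.0.0.1 and report the result."""
    conn = sqlite3.connect(":memory:")
    create_radacct(conn)
    seed_constructed_data(conn)
    before = open_sessions(conn, "10.0.0.1")
    closed = close_stale_sessions(conn, "10.0.0.1", EXAMPLE_EVENT_TIME)
    return {
        "open_before": before,
        "closed": closed,
        "open_after": open_sessions(conn, "10.0.0.1"),
        "other_nas_open": open_sessions(conn, "10.0.0.2"),
        "alice_seconds": session_time(conn, "alice"),   # 2 h since start
        "bob_seconds": session_time(conn, "bob"),       # 5 days, capped at 100 h
        "dave_seconds": session_time(conn, "dave"),     # already closed, untouched
    }


if __name__ == "__main__":
    print(run_example())
```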


RE: Maximum size Input-Octets/Output-Octets

2005-09-23 Thread Jonathan De Graeve
>  What "radacct" are you talking about?  The Acct-Input-Octets stops
>at 2G because the RFC dictates that it's a 32-bit integer.  That's why
>the Acct-Input-Gigawords attribute was defined.  It goes past 2G.

I'm talking about the detail file from freeradius.

This is what I found in RFC2869

5.1.  Acct-Input-Gigawords

   Description

  This attribute indicates how many times the Acct-Input-Octets
  counter has wrapped around 2^32 over the course of this service
  being provided, and can only be present in Accounting-Request
  records where the Acct-Status-Type is set to Stop or Interim-
  Update.

So I assumed that the wrapping happened at 4 GB instead of 2 GB.

From RFC2866:

Value

  The Value field is four octets.

Also:

  integer  32 bit unsigned value, most significant octet first.

So it's 32-bit (4 GB, right?).

I will use 2147483647 for now. But I can't find the definition which
says that it should be 2 GB, so I need to be sure.

J.





Authorization how to

2005-09-23 Thread Mahesh S Kudva
Hi

I have set up radius to do authentication. How do I authorize users so that
some get access only to specific resources while others get full access?


Regards & Thanks

Mahesh S Kudva


---
Robosoft Technologies - Partners in Product Development



Re: Maximum size Input-Octets/Output-Octets

2005-09-23 Thread Alan DeKok
"Jonathan De Graeve" <[EMAIL PROTECTED]> wrote:
> I also have another question:
> 
> Freeradius seems to use signed integers for the Acc-Input/Output-Octets

  Nope.  The debug log you posted doesn't show that, and the server
source uses unsigned ints.

> The source really sends unsigned 32bit. Any idea why radacct just stops
> @ 2GB

  What "radacct" are you talking about?  The Acct-Input-Octets stops
at 2G because the RFC dictates that it's a 32-bit integer.  That's why
the Acct-Input-Gigawords attribute was defined.  It goes past 2G.

  Alan DeKok.


Re: How to deal with this ...

2005-09-23 Thread Guy Fraser
On Fri, 2005-23-09 at 11:55 -0300, Ezequiel O. Block wrote:
> Hi Guys,
> 
> Using Freeradius for authorization, accounting and ip pools management.
> 
> By mistake I turned off my NAS, and when this NAS came back online
> freeradius began rejecting my users as if they were still connected.
> Should my NAS send some kind of "Accounting restart, let's start again"
> packet to Freeradius in order to let it know that those users are no
> longer connected? Am I right? If not, how can I deal with this kind of
> problem? Apart from not being so stupid again as to turn off a NAS by
> mistake...
> 
Yes, your NAS probably should, but many vendors do not include
support for Accounting On and Accounting Off.

If your NAS does not support Accounting On/Off there is little
you can do. If your NAS supports remote syslog, you could
monitor the log and watch for something that occurs at startup
or shutdown. You could also set up some kind of "heart beat"
monitor that checks to see if the NAS shuts down. You can use
these to close the open accounts on the affected NAS. You will
need to be careful how you account for the interruption in your
billing system because you will not have any accurate accounting
information or stop time. In the past when we have had NAS
failures we did not bill for the session that failed, but to
limit our exposure we set a 100 hour maximum session time; that
way users have to connect at least 7 times per month so we don't
lose a complete billing cycle.

Good luck.




RE: Maximum size Input-Octets/Output-Octets

2005-09-23 Thread Jonathan De Graeve
Ok,

I also have another question:

Freeradius seems to use signed integers for the Acct-Input/Output-Octets:

Fri Sep 23 16:59:03 2005
Service-Type = Login-User
User-Name = "jonathan"
NAS-Identifier = "hotspot-2.wlan.imz.be"
NAS-Port = 0
NAS-Port-Type = Ethernet
Acct-Status-Type = Alive
Acct-Authentic = RADIUS
Acct-Session-Id = "4bd8b325bdeafd2d"
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 1353
Acct-Input-Octets = 46596288
Acct-Input-Packets = 1163323
Acct-Input-Gigawords = 0
Acct-Output-Octets = 2147483647
Acct-Output-Packets = 1787355
Acct-Output-Gigawords = 0
Called-Station-Id = "194.8.52.38"
Calling-Station-Id = "192.168.2.255"
Framed-IP-Address = 192.168.2.255
NAS-IP-Address = 194.8.52.38
Proxy-State = 0x3836
Client-IP-Address = 194.8.52.85
Acct-Unique-Session-Id = "925f85fa82a0afb0"
Timestamp = 1127487543

The source really sends unsigned 32-bit. Any idea why radacct just stops
at 2 GB?

I've implemented Gigawords as follows:


function gigawords($bytes) {
    /* We use the BCMath functions since normal integers don't work for these sizes. */
    /* Acct-*-Gigawords counts how many times the 32-bit octet counter wrapped around
       2^32 (RFC 2869, 5.1), so the divisor is 2^32 = 4294967296, not 2^32 - 1. */
    $gigawords = bcdiv(bcsub($bytes, remainder($bytes)), '4294967296');

    return $gigawords;
}

function remainder($bytes) {
    /* Calculate the remainder: what is left after the full wraps, i.e. the
       value that goes into Acct-*-Octets (0 .. 4294967295). */
    $bytes = bcmod($bytes, '4294967296');

    return $bytes;
}

-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Friday, 23 September 2005 16:39
To: FreeRadius users mailing list
Subject: Re: Maximum size Input-Octets/Output-Octets 

"Jonathan De Graeve" <[EMAIL PROTECTED]> wrote:
> Is it 2^32 or (2^32 - 1)

  2^32 can't be represented in a 32-bit number.  It has 33 bits of
data...

  Alan DeKok.
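Added example, not the poster's PHP or any FreeRADIUS code: the RFC 2866/2869 arithmetic this thread is about, in Python, covering the client-side split of a byte count into Acct-*-Octets and Acct-*-Gigawords at the 2^32 wrap, the server-side recombination, and a parser for detail-file records like the one quoted above. The two detail records embedded in the block are constructed from the thread's values.

```python
"""Split and recombine RADIUS accounting byte counters (RFC 2866 / RFC 2869).

Acct-Input-Octets and Acct-Output-Octets are 32-bit unsigned RADIUS integers, so
they carry 0 .. 2^32-1 and wrap at 2^32; Acct-*-Gigawords counts those wraps
(RFC 2869 section 5.1).
"""
from __future__ import annotations

OCTETS_MODULUS = 2 ** 32          # the counter wraps here: 4294967296
OCTETS_MAX = OCTETS_MODULUS - 1   # largest value the attribute can carry: 4294967295


def split_octets(total_bytes: int) -> tuple[int, int]:
    """Return (Acct-*-Octets, Acct-*-Gigawords) for a total byte count.

    This is what a RADIUS client computes from its own (usually 64-bit) counter.
    """
    if total_bytes < 0:
        raise ValueError("byte counters are unsigned")
    gigawords, octets = divmod(total_bytes, OCTETS_MODULUS)
    if gigawords > OCTETS_MAX:
        raise ValueError("count does not fit in Gigawords + Octets (64 bits)")
    return octets, gigawords


def join_octets(octets: int, gigawords: int = 0) -> int:
    """Recombine the two attributes into the real byte count (server / billing side)."""
    for name, value in (("Octets", octets), ("Gigawords", gigawords)):
        if not 0 <= value <= OCTETS_MAX:
            raise ValueError(f"{name} value {value} is not a 32-bit unsigned integer")
    return gigawords * OCTETS_MODULUS + octets


def parse_detail_record(record: str) -> dict[str, str]:
    """Parse one record from the FreeRADIUS detail file: a timestamp line followed by
    indented 'Attribute = value' lines. Quoted string values lose their quotes."""
    attrs: dict[str, str] = {}
    for line in record.splitlines():
        if " = " not in line:
            continue  # the timestamp line and blank separators
        name, _, value = line.strip().partition(" = ")
        attrs[name] = value.strip('"')
    return attrs


def session_totals(attrs: dict[str, str]) -> dict[str, int]:
    """Real input/output byte totals of a record, honouring Gigawords when present."""
    totals = {}
    for direction in ("Input", "Output"):
        octets = int(attrs.get(f"Acct-{direction}-Octets", "0"))
        gigawords = int(attrs.get(f"Acct-{direction}-Gigawords", "0"))
        totals[direction.lower()] = join_octets(octets, gigawords)
    return totals


# Constructed sample: the Alive record quoted in the thread, reduced to the relevant
# attributes. Note that 2147483647 is exactly 2^31 - 1, the largest *signed* 32-bit value.
SAMPLE_RECORD = """Fri Sep 23 16:59:03 2005
\tUser-Name = "jonathan"
\tAcct-Status-Type = Alive
\tAcct-Input-Octets = 46596288
\tAcct-Input-Gigawords = 0
\tAcct-Output-Octets = 2147483647
\tAcct-Output-Gigawords = 0
"""

# Constructed sample of a session that went past 4 GiB in one direction.
WRAPPED_RECORD = """Fri Sep 23 17:30:00 2005
\tUser-Name = "jonathan"
\tAcct-Status-Type = Stop
\tAcct-Input-Octets = 100
\tAcct-Input-Gigawords = 1
\tAcct-Output-Octets = 7
"""

if __name__ == "__main__":
    print(session_totals(parse_detail_record(SAMPLE_RECORD)))  # {'input': 46596288, 'output': 2147483647}
    print(session_totals(parse_detail_record(WRAPPED_RECORD)))  # {'input': 4294967396, 'output': 7}
    print(split_octets(5 * OCTETS_MODULUS + 42))                # (42, 5)
```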



How to deal with this ...

2005-09-23 Thread Ezequiel O. Block

Hi Guys,

Using Freeradius for authorization, accounting and ip pools management.

By mistake I turned off my NAS, and when this NAS came back online
freeradius began rejecting my users as if they were still connected.
Should my NAS send some kind of "Accounting restart, let's start again"
packet to Freeradius in order to let it know that those users are no
longer connected? Am I right? If not, how can I deal with this kind of
problem? Apart from not being so stupid again as to turn off a NAS by
mistake...



Thanks in advance,
Ezequiel.


Re: Maximum size Input-Octets/Output-Octets

2005-09-23 Thread Alan DeKok
"Jonathan De Graeve" <[EMAIL PROTECTED]> wrote:
> Is it 2^32 or (2^32 - 1)

  2^32 can't be represented in a 32-bit number.  It has 33 bits of data...

  Alan DeKok.



Re: No appropriate error message ("rlm_ldap: could not start TLS Connect error")

2005-09-23 Thread Alan DeKok
Linus van Geuns <[EMAIL PROTECTED]> wrote:
> >   Please mail it to the list when it's ready.
> 
> I'm sorry, but I am bound to another software project atm.

  That's terrible!

  When can we expect a fix?

  Alan DeKok.


Maximum size Input-Octets/Output-Octets

2005-09-23 Thread Jonathan De Graeve
Is it 2^32 or (2^32 - 1)

I'm programming a radius client and i'm at the gigawords stuff...

J.

-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
-





Wrong sequence of packets during re-authentication

2005-09-23 Thread Bilal Shahid

Hello all,

During my 802.1X Supplicant's re-authentication (using EAP-TTLS) with
FreeRADIUS through a DLINK switch, I face the following scenario:


Sometimes, during re-authentication, one of FreeRADIUS's replies does
not reach the DLINK switch. When DLINK's RADIUS timer expires, it restarts
the re-authentication by sending the Supplicant's identity to FreeRADIUS. At
this time, an initial couple of packets are exchanged correctly; however,
it then seems that FreeRADIUS wants to skip some of the packets and complete
the authentication, whereas my Supplicant wants to re-do everything.


For example, during a "correct" re-authentication, FreeRADIUS sends the
following packet:


TLS_accept: before/accept initialization
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
   TLS_accept: SSLv3 read client hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
   TLS_accept: SSLv3 write server hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 05ca], Certificate
   TLS_accept: SSLv3 write certificate A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
   TLS_accept: SSLv3 write server done A
   TLS_accept: SSLv3 flush data
   TLS_accept:error in SSLv3 read client certificate A


However, during the "incorrect" re-authentication cycle, which has been
started due to a packet loss in the middle as explained above, FreeRADIUS
sends the following packet:


TLS_accept: before/accept initialization
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
   TLS_accept: SSLv3 read client hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
   TLS_accept: SSLv3 write server hello A
 rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
   TLS_accept: SSLv3 write change cipher spec A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
   TLS_accept: SSLv3 write finished A
   TLS_accept: SSLv3 flush data
   TLS_accept:error in SSLv3 read finished A


Note that this time FreeRADIUS has sent ChangeCipherSpec and Finished 
instead of Certificate and ServerHelloDone. Is this the normal and correct 
behavior?


My Supplicant's response to this packet is then liked by FreeRADIUS and
it sends an alert.


Could someone please help me understand this problem?

Thanks,
Bilal
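An added example, not code from the original post: a small parser for the rlm_eap_tls trace lines quoted above that lists the records FreeRADIUS sent and tells a full TLS 1.0 handshake (Certificate and ServerHelloDone after ServerHello) from an abbreviated one (ChangeCipherSpec and Finished straight after ServerHello, the shape the second trace has, which is what the server sends when it accepts a session ID the client offered; RFC 2246 section 7.3). The two traces embedded in the block are copied from the post; the function and class names are this example's own.

```python
"""Classify rlm_eap_tls debug traces as full or abbreviated TLS 1.0 handshakes."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One rlm_eap_tls record line: direction, record type, hex length, optional handshake type.
RECORD_RE = re.compile(
    r"rlm_eap_tls:\s+(?P<dir>>>>|<<<)\s+TLS 1\.0\s+(?P<ctype>\w+)"
    r"\s+\[length (?P<len>[0-9a-fA-F]{4})\](?:,\s+(?P<htype>\w+))?"
)
# The OpenSSL state the server stopped in while waiting for the next client record.
WAIT_RE = re.compile(r"TLS_accept:\s*error in SSLv3 read (?P<what>.+?) A\s*$")


@dataclass(frozen=True)
class TlsRecord:
    direction: str     # "server" for '>>>' (sent by FreeRADIUS), "client" for '<<<'
    content_type: str  # Handshake, ChangeCipherSpec, Alert, ...
    length: int
    message: str       # handshake message name, or the content type for other records


def parse_trace(trace: str) -> list[TlsRecord]:
    records: list[TlsRecord] = []
    for line in trace.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue  # TLS_accept state lines carry no record
        direction = "server" if m.group("dir") == ">>>" else "client"
        records.append(TlsRecord(direction, m.group("ctype"), int(m.group("len"), 16),
                                 m.group("htype") or m.group("ctype")))
    return records


def server_flight(records: list[TlsRecord]) -> list[str]:
    """Messages FreeRADIUS sent, in order."""
    return [r.message for r in records if r.direction == "server"]


def classify_handshake(records: list[TlsRecord]) -> str:
    """'full', 'abbreviated' (session resumption) or 'unknown'."""
    flight = server_flight(records)
    if "ServerHello" not in flight:
        return "unknown"
    after_hello = flight[flight.index("ServerHello") + 1:]
    if after_hello[:1] == ["Certificate"] and "ServerHelloDone" in after_hello:
        return "full"
    if after_hello[:2] == ["ChangeCipherSpec", "Finished"]:
        return "abbreviated"
    return "unknown"


def waiting_for(trace: str) -> str | None:
    """What the server expects to read from the client when the trace ends."""
    for line in trace.splitlines():
        m = WAIT_RE.search(line)
        if m:
            return m.group("what")
    return None


# The two traces quoted in the post (copied from it, not constructed).
FULL_TRACE = """\
TLS_accept: before/accept initialization
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
   TLS_accept: SSLv3 read client hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
   TLS_accept: SSLv3 write server hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 05ca], Certificate
   TLS_accept: SSLv3 write certificate A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
   TLS_accept: SSLv3 write server done A
   TLS_accept: SSLv3 flush data
   TLS_accept:error in SSLv3 read client certificate A
"""

ABBREVIATED_TRACE = """\
TLS_accept: before/accept initialization
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
   TLS_accept: SSLv3 read client hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
   TLS_accept: SSLv3 write server hello A
 rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
   TLS_accept: SSLv3 write change cipher spec A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
   TLS_accept: SSLv3 write finished A
   TLS_accept: SSLv3 flush data
   TLS_accept:error in SSLv3 read finished A
"""

if __name__ == "__main__":
    for name, trace in (("first", FULL_TRACE), ("second", ABBREVIATED_TRACE)):
        recs = parse_trace(trace)
        print(name, classify_handshake(recs), server_flight(recs), "waiting for:", waiting_for(trace))
```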



Re: No appropriate error message ("rlm_ldap: could not start TLS Connect error")

2005-09-23 Thread Linus van Geuns
Alan DeKok wrote:
> Linus van Geuns <[EMAIL PROTECTED]> wrote:
> 
>>_And_ maybe this mail inspires some of the developers to report the
>>appropriate error message instead of "rlm_ldap:  could not start TLS
>>Connect error".
> 
> 
>   You just volunteered to write the patch.
> 
>   Please mail it to the list when it's ready.

I'm sorry, but I am bound to another software project atm.

Linus van Geuns.



Re: howto reset rlm_sqlcounter

2005-09-23 Thread Bjørn Mork
Bart van Daal <[EMAIL PROTECTED]> writes:

> thanks for your reply Alan,
>
> I didn't mean the max-all-sessions value but the actual counter value.
> If a user has 15600seconds of online time ad is online for e.g. 3600
> seconds, 
> where do these 3600 seconds get stored with rlm_sqlcounter?

It doesn't.  From raddb/experimental.conf:

#  This module is an SQL enabled version of the counter module.
#  
#  Rather than maintaining seperate (GDBM) databases of
#  accounting info for each counter, this module uses the data
#  stored in the raddacct table by the sql modules. This
#  module NEVER does any database INSERTs or UPDATEs.  It is
#  totally dependent on the SQL module to process Accounting
#  packets.


Bjørn






RE: howto reset rlm_sqlcounter

2005-09-23 Thread Bart van Daal
thanks for your reply Alan,

I didn't mean the max-all-sessions value but the actual counter value.
If a user has 15600 seconds of online time and is online for e.g. 3600
seconds,
where do these 3600 seconds get stored with rlm_sqlcounter?

thanks,
kind regards,
Bart van Daal



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 22 September 2005 19:36
To: FreeRadius users mailing list
Subject: Re: howto reset rlm_sqlcounter 

Bart van Daal <[EMAIL PROTECTED]> wrote:
> two possible options I think of to reset the counter are:
> 1. write a program to manipulate the gdbm file. Where is this file stored?

  If you're using rlm_sqlcounter, it's not in a GDBM file.  It's in SQL.

  If you're using rlm_counter, the location of the GDBM file is set in the
configuration file.

> 2. keep adding the minutes to the allready existing value for the 
> session-time.

  You can't do that.

  Alan DeKok.