ads questions and multiple values

2006-04-08 Thread liz

Greetings,
 A few more questions :)

I've now gone through the book ( I feel like such a snob reading it
on the bus ==)  and have a better understanding of how Freeradius
works. I have gotten it to search for an attribute in LDAP and return
it to the NAS. What I would like to do is to have it be able to query
the memberOf attribute in the active directory server and then
verify if the user is in any of those groups and then permit access
based on that membership. Here's what I'm wondering


a) When I query the attribute it returns multiple cn=... results. In
the debug log I see it setting this as xxx. which is understood
by our nas equipment. It does it four times, but in the reply packet
I only see it sending one and not four. Am I correct to assume that
it will only send one of the responses to the NAS?


b) I think I can use the Users file to determine which group the user
is a member of and then have it send an attribute back to the NAS
telling it which role to set. Is the attribute returning multiple
groups a problem (not multiple attributes, one attribute several bits
of data separated by a delimiter) ?


c) can I strip the leading cn= bit from the response the ldap server
sends ( I saw an article somewhere about using an operator in the
LDAP.attrmap file)  and once that's done can it use the groups
returned in the users file?


Thanks!
Liz

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: sql_log question

2006-04-08 Thread Peter Nixon
On Sat 08 Apr 2006 00:36, Miguel wrote:
 Hi, I have a reporting system, this will perform intensive calculations,
 aggregate functions etc using accounting data, so I don't want to run this
 system in the same server where the account is stored, I plan to use the
 sql_log/sql-relay combo, however I do need that the account data be
 stored online in the database running in the radius server, because I
 have triggers in the stoptable that calculate the h323-credit-amount
 using a modified excellent Peter Nixon's voip schema.
 the line in radius.conf says

 accounting {
 #
 #  Instead of sending the query to the SQL server,
 #  write it into a log file.
 #
 sql_log
 }

 can't I have both the sql account feature and sql_log at the same time?

Hi Miguel

I am glad you like my schema :-)

If you have any modifications that you think would be of general use to 
others, please report them back to me so that I can check them out.

I personally have not used sql_log in combination with sql however I see no 
reason why you wouldn't be able to use both at the same time.

Regards

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



FreeRadius - Cisco 7204 - L2TP Tunnel

2006-04-08 Thread TS

Hi all

I'm having major issues with getting Freeradius to authenticate
from a Cisco 7204 that is terminating an L2TP tunnel and sending radius auth to
a FreeRadius server.

Using a default install of Freeradius and configuring it to accept auth
requests from the Cisco in clients.conf it just fails on authentication.

Even though the username and password in the users file is correct,
proven using radtest.

From radius -X without changing any config options it gives me Login is
incorrect sending a plain text password.

No matter what I change in the config files it always fails.

I've tried adding Auth-Type's to the users entry such as Local and this
gives me things like no password is configured for the user.

Removing the Default Auth-Type from the top of the users
file and setting an Auth-Type in the users entry gives me no Auth-Type set.

Really not sure where the error is.

So I guess my question is does anyone use FreeRadius to authenticate
from a Cisco 7200 series with success?

If so is it possible to supply:

- The virtual template section that specifies the ppp authentication?
- A copy of the radius.conf file?
- The users file with an example users entry that works.

Then I can see if I've got it all setup correctly.

This used to work fine when I was using a Linux server to terminate the
L2TP tunnel, I used L2TPNS to do the termination and it sent radius
authentication to the FreeRadius server.

Thanks

Tony


Re: FreeRadius - Cisco 7204 - L2TP Tunnel

2006-04-08 Thread Phil Mayers

TS wrote:
 So I guess my question is does anyone use FreeRadius to authenticate
 from a Cisco 7200 series with success?

Almost certainly.

 If so is it possible to supply:

I don't know about the 7204 but if you post the output of radiusd -X
and the users file, someone can probably spot the problem.

Since you're terminating L2TP and radtest works, I'll take a guess that
possibly the L2TP is using CHAP, whereas radtest sends PAP requests.


RE: FreeRadius - Cisco 7204 - L2TP Tunnel

2006-04-08 Thread TS
Here's hoping

The radius -X debug is:

###
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: bind_address = 192.168.0.3 IP address [192.168.0.3]
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.0.3:1645
Listening on accounting 192.168.0.3:1646
Listening on proxy 192.168.0.3:1647
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.250:1645, id=168,
length=97
Framed-Protocol = PPP
User-Name = [EMAIL PROTECTED]
User-Password = mysecret
NAS-Port-Type = Virtual
NAS-Port = 726
Service-Type = Framed-User
NAS-IP-Address = 

Re: FreeRadius - Cisco 7204 - L2TP Tunnel

2006-04-08 Thread Phil Mayers

Ok, I see the problem:

 users: Matched DEFAULT at 171
 users: Matched DEFAULT at 183
   modcall[authorize]: module files returns ok for request 6

 My users file (without all the commented out lines)

 DEFAULT Service-Type == Framed-User
 	Framed-IP-Address = 255.255.255.254,
 	Framed-MTU = 576,
 	Service-Type = Framed-User,
 	Fall-Through = Yes

 DEFAULT Framed-Protocol == PPP
 	Framed-Protocol = PPP,
 	Framed-Compression = Van-Jacobson-TCP-IP

There's no Fall-Through = Yes on this entry (the default entries in
the users file in current release are a bit historic and not especially
helpful to be in there uncommented by default, but compatibility
concerns I imagine block their removal). So processing stops here, and
never reaches the desired entry:

 [EMAIL PROTECTED] Auth-Type = Local, User-Password == mysecret
 	Service-Type = Framed-User,
 	Framed-Protocol = PPP,
 	Framed-Address = 10.0.0.1,
 	Framed-Netmask = 255.255.255.255,
 	Framed-Compression = Van-Jacobsen-TCP-IP

So, you can either add a Fall-Through = Yes to the PPP entry, or delete
it (since you've got the attributes defined on the users entry anyway
you don't need it, or the Framed-Protocol match further up).
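To make the matching rule concrete, here is a small model of the users-file walk described above. It is an added example, not FreeRADIUS code; the entries are copied from this thread with a placeholder user name, and the modelled semantics (first match wins, later entries are tried only after Fall-Through = Yes, `==` compares against the request while `=` or `:=` in the check list sets a control item) are simplifications of the real files module, stated here as assumptions.

```python
"""Model of how the files module walks the users file (added example, not
FreeRADIUS code).  Entries are tried in order; the first entry whose check
items all match contributes its reply items, and later entries are only
consulted when that entry carries Fall-Through = Yes."""

# Constructed copy of the users file quoted in the thread; the user name is a
# placeholder.  The Framed-Protocol entry has no Fall-Through, so the user's
# own entry is never reached.
TONY_USERS = """
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

user@example.net Auth-Type = Local, User-Password == mysecret
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 10.0.0.1,
        Framed-Netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobsen-TCP-IP
"""

# The first fix suggested above: add Fall-Through = Yes to the PPP entry.
FIXED_USERS = TONY_USERS.replace(
    "Framed-Compression = Van-Jacobson-TCP-IP\n",
    "Framed-Compression = Van-Jacobson-TCP-IP,\n        Fall-Through = Yes\n")


def _parse_item(item):
    """'Attr op value' -> (attr, op, value)."""
    attr, op, value = item.strip().split(None, 2)
    return attr, op, value


def parse_users(text):
    """Parse the subset of users-file syntax used in the thread: an unindented
    'name check, check, ...' line followed by indented reply items."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                       # reply item line
            if current is None:
                raise ValueError("reply item before any entry: %r" % raw)
            current["reply"].append(_parse_item(raw.strip().rstrip(",")))
        else:                                      # entry line
            name, _, checks = raw.partition(" ")
            current = {"name": name, "reply": [],
                       "checks": [_parse_item(c) for c in checks.split(",") if c.strip()]}
            entries.append(current)
    return entries


def authorize(entries, request):
    """Walk the entries for one request.
    Returns (names of entries that matched, reply items, control items)."""
    matched, reply, control = [], [], {}
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
            continue
        sets, ok = {}, True
        for attr, op, value in entry["checks"]:
            if op == "==":                         # comparison against the request
                ok = ok and request.get(attr) == value
            else:                                  # '=' / ':=' set a control item
                sets[attr] = value
        if not ok:
            continue
        matched.append(entry["name"])
        control.update(sets)
        fall_through = False
        for attr, op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, value))
        if not fall_through:                       # processing stops here
            break
    return matched, reply, control


if __name__ == "__main__":
    req = {"User-Name": "user@example.net", "Service-Type": "Framed-User",
           "Framed-Protocol": "PPP", "User-Password": "mysecret"}
    for label, text in (("original", TONY_USERS), ("with Fall-Through", FIXED_USERS)):
        names, _, ctrl = authorize(parse_users(text), req)
        print(label, "->", names, ctrl)
```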


Personally I tend to do:

cp users users.example
> users

...and start with a clean slate, reading the examples from the old file.

FYI the users file in CVS has by default none of these semi-historic
uncommented examples.


Re: ads questions and multiple values

2006-04-08 Thread Phil Mayers

liz wrote:
 What I would like to do is to have it be able to query the memberOf
 attribute in the active directory server and then verify if the user is
 in any of those groups and then permit access based on that membership.

The memberOf attribute (groups on the user entry) is supported by the
groupmembership_attribute config item, which it seems from reading the
code is ONLY consulted AFTER the searches for group objects returns no
values. Since AD maintains the group objects and the memberOf in
concert, you'll never reach there.

The Ldap-Group support allows you to check if a user is in a group at
the server, and works like so (you probably know this):

DEFAULT Ldap-Group = shortname

Or:

DEFAULT Ldap-Group = "cn=shortname,ou=path,dc=domain,dc=com"

If you use the first form, the search that's done is:

base: standard LDAP baseDN
filter: cn=shortname AND (GROUPMEMBERSHIP_FILTER)

If you use the 2nd form, the search that's done is:

base: cn=shortname,ou=path,dc=domain,dc=com
filter: GROUPMEMBERSHIP_FILTER

GROUPMEMBERSHIP_FILTER being the config item of the same name in the
radiusd.conf - in the case of AD, an appropriate config is:

groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"

As I say, only after those searches have been done and returned no
entries is memberOf consulted, which will never happen for an AD LDAP
server. But the results of looking up the group entry versus looking up
memberOf on the user entry should be identical.
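As an added illustration (not rlm_ldap's own code) of the two search forms just described, the following builds the base and filter that an Ldap-Group check would send, escaping the expanded %{Ldap-UserDn} the way the ldap_escape_func in the patch later in this thread is intended to. The escape table (RFC 4515) and the rule that a value containing '=' is treated as a DN are assumptions; the page does not show rlm_ldap's exact behaviour.

```python
"""How an 'Ldap-Group' check item becomes an LDAP search (added example, not
rlm_ldap code): a short name is searched under the base DN with (cn=<name>)
AND'ed onto groupmembership_filter; a full DN becomes the search base and the
filter is used as-is.  Request values substituted into a template are escaped
so that a DN containing filter metacharacters cannot change the query's shape."""
import re

# Constructed configuration, modelled on the AD settings in the post.
BASEDN = "dc=domain,dc=com"
GROUPMEMBERSHIP_FILTER = "(&(objectClass=group)(member=%{Ldap-UserDn}))"

# RFC 4515 filter escaping; assumed to match the intent of ldap_escape_func.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value):
    """Escape LDAP filter metacharacters in one attribute value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def radius_xlat(template, request, escape=None):
    """Expand %{Attribute} references from the request dict.  When `escape` is
    given each substituted value passes through it (the NULL vs. ldap_escape_func
    distinction in the patch); with None the value is inserted verbatim."""
    def substitute(match):
        value = request.get(match.group(1), "")
        return escape(value) if escape else value
    return _XLAT.sub(substitute, template)


def ldap_group_search(ldap_group, request, basedn=BASEDN,
                      memb_filter=GROUPMEMBERSHIP_FILTER):
    """Return the (base, filter) pair searched for 'Ldap-Group == <ldap_group>'.
    Assumption: a value containing '=' is taken to be a DN (the second form)."""
    gr_filter = radius_xlat(memb_filter, request, escape=ldap_escape)
    if "=" in ldap_group:
        return ldap_group, gr_filter                      # second form
    return basedn, "(&(cn=%s)%s)" % (ldap_escape(ldap_group), gr_filter)


def is_single_filter(ldap_filter):
    """True when the unescaped parentheses form exactly one balanced expression.
    A value substituted without escaping can make this fail, which is the
    defect the escape function guards against."""
    depth, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3                      # skip '\' plus its two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(ldap_filter) - 1:
                return False            # something follows the closing paren
        i += 1
    return depth == 0


if __name__ == "__main__":
    req = {"Ldap-UserDn": "cn=liz,ou=people,dc=domain,dc=com"}
    print(ldap_group_search("nasadmin", req))
    print(ldap_group_search("cn=nasadmin,dc=domain,dc=com", req))
```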



 Here's what I'm wondering

 a) When I query the attribute it returns multiple cn=... results. In the
 debug log I see it setting this as xxx. which is understood by our
 nas equipment. It does it four times, but in the reply packet I only see
 it sending one and not four. Am I correct to assume that it will only
 send one of the responses to the NAS?

I'm not sure I understand this part - could you expand on it? How are
you putting the LDAP groups into the reply (that's not the normal
use-case - you would normally do group-based checks at the server rather
than the NAS, not that there's anything wrong with the latter)

 b) I think I can use the Users file to determine which group the user is
 a member of and then have it send an attribute back to the NAS telling
 it which role to set. Is the attribute returning multiple groups a
 problem (not multiple attributes, one attribute several bits of data
 separated by a delimiter) ?

When doing LDAP group checks at the server side, you would normally have
something like (examples using the long/DN form for group - you can just
put the short name, see above):

DEFAULT Ldap-Group == "cn=nasadmin,dc=domain,dc=com"
	NAS-Role = Administrator

DEFAULT Ldap-Group == "cn=nasoper,dc=domain,dc=com"
	NAS-Role = Operator

DEFAULT Auth-Type := Reject
	Reply-Message = "You are not able to admin the NAS"

The fact the user may be in more than one group is not a problem - the LDAP search
looks for the user and the group combination.

 c) can I strip the leading cn= bit from the response the ldap server
 sends ( I saw an article somewhere about using an operator in the
 LDAP.attrmap file)  and once that's done can it use the groups returned
 in the users file?

I'm not sure I understand this. The rlm_ldap module does not by default
put the groups into the reply.

Via the ldap.attrmap entry you can put anything you like into the
reply, but modifying the value that comes out of the LDAP server is
non-trivial.

If you could describe more precisely what you're trying to do I may be
able to give a more specific answer.


Re: ads questions and multiple values

2006-04-08 Thread Phil Mayers

Phil Mayers wrote:

 If you could describe more precisely what you're trying to do I may be
 able to give a more specific answer.

Actually I've just had a quick look at your earlier email and it's a bit
clearer what you want to do - take NT groups from AD via LDAP, send them
to your Aruba after stripping the name from cn=name,ou=path and have
it process them - correct?
You could do this:

ldap.attrmap:

# append memberOf to radius reply as Whatever-Attribute
replyItem Whatever-Attribute memberOf +=

radiusd.conf:

modules {
  # bulk of modules, then
  ldap {
# ldap config
  }
  # chop end off
  attr_rewrite stripGroupDn1 {
	attribute = Whatever-Attribute
	searchin = reply
	searchfor = ",.*"
	replacewith = ""
	ignore_case = yes
	new_attribute = no
	max_matches = 1
	append = no
  }
  # chop start off
  attr_rewrite stripGroupDn2 {
	attribute = Whatever-Attribute
	searchin = reply
	searchfor = "^cn="
	replacewith = ""
	ignore_case = yes
	new_attribute = no
	max_matches = 1
	append = no
  }
  # rest of modules
}

authorize {
  preprocess
  ldap
  stripGroupDn1
  stripGroupDn2
  files
}

# rest of radiusd.conf

...however, you'll need CVS HEAD for the ldap.attrmap 4th item 
(operator) and for fixes to the extraction of replyItems from LDAP 
attributes - or the (scantily tested) backport I've just written to 
1.1.0 (attached)
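The two attr_rewrite instances above, simulated as an added example (not FreeRADIUS code) on a reply carrying memberOf DNs, together with the edge case worth testing before trusting the result: a group whose CN contains an escaped comma. The AttrRewrite model and the rdn_value() helper are assumptions, not rlm_attr_rewrite's implementation.

```python
"""Simulation of the stripGroupDn1 / stripGroupDn2 rewrites (added example,
not FreeRADIUS code).  stripGroupDn1 deletes ',.*' (everything from the first
comma), stripGroupDn2 deletes a leading 'cn=' ignoring case, each applied at
most once per value (max_matches = 1) to every Whatever-Attribute in the reply.
rdn_value() is an assumed alternative shown for contrast: it honours RFC 4514
'\\,' escapes, which the comma rule cannot."""
import re


class AttrRewrite:
    """Minimal model of one attr_rewrite instance with searchin = reply,
    new_attribute = no and append = no (assumed semantics of those settings)."""

    def __init__(self, attribute, searchfor, replacewith="", ignore_case=True,
                 max_matches=1):
        self.attribute = attribute
        self.pattern = re.compile(searchfor, re.IGNORECASE if ignore_case else 0)
        self.replacewith = replacewith
        self.max_matches = max_matches

    def apply(self, reply):
        """reply: list of (attribute, value) pairs; returns a rewritten copy."""
        out = []
        for name, value in reply:
            if name == self.attribute:
                value = self.pattern.sub(self.replacewith, value,
                                         count=self.max_matches)
            out.append((name, value))
        return out


# The two instances from the radiusd.conf above, in the order authorize {} runs them.
STRIP_GROUP_DN = [
    AttrRewrite("Whatever-Attribute", r",.*"),   # stripGroupDn1: chop end off
    AttrRewrite("Whatever-Attribute", r"^cn="),  # stripGroupDn2: chop start off
]


def rewrite_reply(reply, rules=STRIP_GROUP_DN):
    """Run the rewrite chain over a reply list."""
    for rule in rules:
        reply = rule.apply(reply)
    return reply


def rdn_value(dn):
    """First RDN value of a DN: stop at the first *unescaped* comma, unescape
    backslash-char pairs, and drop a leading 'cn=' case-insensitively.
    (Hex escapes such as '\\2c' are not handled; this is a contrast example.)"""
    chars, i = [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            chars.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            break
        chars.append(ch)
        i += 1
    rdn = "".join(chars)
    return rdn[3:] if rdn[:3].lower() == "cn=" else rdn


if __name__ == "__main__":
    # Constructed reply: two AD-style memberOf values plus an unrelated attribute.
    reply = [("Whatever-Attribute", "CN=nasadmin,OU=Groups,DC=domain,DC=com"),
             ("Whatever-Attribute", "cn=Ops\\, Night,ou=Groups,dc=domain,dc=com"),
             ("Framed-Protocol", "PPP")]
    print(rewrite_reply(reply))          # second group is cut at the escaped comma
    print([rdn_value(v) for n, v in reply if n == "Whatever-Attribute"])
```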


--- src/modules/rlm_ldap/rlm_ldap.c~	2005-12-29 21:52:53.0 +
+++ src/modules/rlm_ldap/rlm_ldap.c	2006-04-08 13:01:49.0 +0100
@@ -919,7 +919,7 @@
 return 1;
 }
 
-if (!radius_xlat(basedn, sizeof(basedn), inst-basedn, req, NULL)) {
+if (!radius_xlat(basedn, sizeof(basedn), inst-basedn, req, ldap_escape_func)) {
 DEBUG(rlm_ldap::ldap_groupcmp: unable to create basedn.);
 return 1;
 }
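Review bot: passing ldap_escape_func instead of NULL means any request attribute expanded into the basedn template is escaped before the group search runs, so a value carrying LDAP metacharacters cannot change the meaning of the query, which is the right default. One caveat worth a comment in the code: a filter-style escape applied to a DN template is only correct while the substituted values are plain attribute values, since DN syntax (RFC 4514) has a different special-character set from filter syntax (RFC 4515), and because an escaped value can be longer than the original the sizeof(basedn) truncation check must keep failing loudly rather than sending a shortened DN.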
@@ -964,7 +964,7 @@
 ldap_msgfree(result);
 }
 
-if(!radius_xlat(gr_filter, sizeof(gr_filter), inst-groupmemb_filt, req, NULL)){
+if(!radius_xlat(gr_filter, sizeof(gr_filter), inst-groupmemb_filt, req, ldap_escape_func)){
 DEBUG(rlm_ldap::ldap_groupcmp: unable to create filter.);
 return 1;
 }
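Review bot: the same change applied to groupmembership_filter, which in the AD configuration earlier in this thread substitutes %{Ldap-UserDn}; with the escape in place a user DN containing `*`, parentheses or a backslash stays a single literal value inside (member=...). Consider logging the expanded gr_filter at debug level next to the existing DEBUG line, so an operator can see exactly what was sent when a group check unexpectedly fails.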
@@ -1235,7 +1235,7 @@
 	}
 
 	if (!radius_xlat(basedn, sizeof(basedn), inst-basedn,
-			 request, NULL)) {
+			 request, ldap_escape_func)) {
 		radlog (L_ERR, rlm_ldap: unable to create basedn.\n);
 		return RLM_MODULE_INVALID;
 	}
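Review bot: consistent with the two groupcmp hunks, and the RLM_MODULE_INVALID return is the right outcome for a template that cannot be expanded. Because the patch only touches radius_xlat calls that previously passed NULL, grep rlm_ldap.c for any remaining radius_xlat(..., NULL) before merging so that no LDAP base or filter is still built from an unescaped expansion.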
@@ -1703,13 +1703,13 @@
 
 	while((vp_user_dn = pairfind(request-packet-vps, PW_LDAP_USERDN)) == NULL) {
 		if (!radius_xlat(filter, sizeof(filter), inst-filter,
-request, NULL)) {
+request, ldap_escape_func)) {
 			radlog (L_ERR, rlm_ldap: unable to create filter.\n);
 			return RLM_MODULE_INVALID;
 		}
 
 		if (!radius_xlat(basedn, sizeof(basedn), inst-basedn,
-		 		request, NULL)) {
+		 		request, ldap_escape_func)) {
 			radlog (L_ERR, rlm_ldap: unable to create basedn.\n);
 			return RLM_MODULE_INVALID;
 		}
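Review bot: this is the user lookup loop, where the filter (normally keyed on the User-Name taken straight from the Access-Request) and the base DN are expanded for every request, so it is the most important of the four call sites to escape, and both xlats are covered. A request whose User-Name needed escaping will now search for the escaped literal rather than failing, which is correct but invisible in the logs; a debug line showing the final filter would make that easy to see when diagnosing a reject.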
--- src/modules/rlm_ldap/rlm_ldap.c	2006-04-08 15:12:28.0 +0100
+++ src/modules/rlm_ldap/rlm_ldap.c	2006-04-08 15:17:17.0 +0100
@@ -248,6 +248,7 @@
 struct TLDAP_RADIUS {
 	char* attr;
 	char* radius_attr;
+	LRAD_TOKENoperator;
 	struct TLDAP_RADIUS*  next;
 };
 typedef struct TLDAP_RADIUS TLDAP_RADIUS;
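Review bot: adding an operator field to TLDAP_RADIUS means every code path that allocates or copies a mapping record must initialise it; the parsing hunk below assigns T_INVALID for the old three-token lines, so verify that the reply-building code treats T_INVALID as "keep today's default behaviour", otherwise existing ldap.attrmap files change meaning on upgrade. (The `LRAD_TOKENoperator;` rendering is a lost space from extraction; the later local `LRAD_TOKEN operator;` shows the intended declaration.)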
@@ -657,6 +658,8 @@
 	/* all buffers are of MAX_LINE_LEN so we can use sscanf without being afraid of buffer overflows */
 	char buf[MAX_LINE_LEN], itemType[MAX_LINE_LEN], radiusAttribute[MAX_LINE_LEN], ldapAttribute[MAX_LINE_LEN];
 	int linenumber;
+	LRAD_TOKEN operator;
+	char opstring[MAX_LINE_LEN];
 
 	/* open the mappings file for reading */
 
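Review bot: opstring is declared at MAX_LINE_LEN like the other sscanf targets, which is exactly the invariant the comment above relies on to make the unbounded %s conversions safe (no token read from buf can be longer than buf); extend that comment to name opstring, or better, give each %s an explicit width so the safety does not depend on four declarations staying in step.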
@@ -688,23 +691,39 @@
 		if (buf[0] == 0) continue;
 
 		/* extract tokens from the string */
-		token_count = sscanf(buf, %s %s %s, itemType, radiusAttribute, ldapAttribute);
+		token_count = sscanf(buf, %s %s %s %s, itemType, radiusAttribute, ldapAttribute, opstring);
 
 		if (token_count = 0) /* no tokens */
 			continue;
 
-		if (token_count != 3) {
-			radlog(L_ERR, rlm_ldap: Skipping %s line %i: %s, filename, linenumber, buf);
-			radlog(L_ERR, rlm_ldap: Expected 3 tokens 
-			   (Item type, RADIUS Attribute and LDAP Attribute) but found only %i, token_count);
+		if ((token_count  3) || (token_count  4)) {
+			radlog(L_ERR, rlm_ldap: Skipping %s line %i: %s,
+	filename, linenumber, buf);
+			radlog(L_ERR, rlm_ldap: Expected 3 to 4 tokens 
+	(Item type, RADIUS Attribute and LDAP Attribute) but found only %i, token_count);
 			continue;
 		}
+		
+		if (token_count == 3) {
+			operator = T_INVALID; /* use defaults */
+		} else {
+			char *ptr;
+			
+			ptr = opstring;
+			operator = gettoken(ptr, buf, sizeof(buf));
+			if ((operator  T_OP_ADD) || (operator  T_OP_CMP_EQ)) {
+radlog(L_ERR, rlm_ldap: file %s: skipping line %i: unknown or 
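Review bot: three points in the four-token path. `gettoken(ptr, buf, sizeof(buf))` reuses buf, the buffer holding the whole attrmap line, as the scratch output for the operator token, so if the radlog on the last visible line prints buf it will show the operator rather than the offending line; use a separate small buffer for the token. The count-check message still reads "Expected 3 to 4 tokens (Item type, RADIUS Attribute and LDAP Attribute) but found only %i", which omits the new optional operator and is wrong when token_count exceeds 4. The range test between T_OP_ADD and T_OP_CMP_EQ relies on those enum values being contiguous; a comment pointing at token.h would stop a future reorder from silently changing which operators are accepted.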

RE: FreeRadius - Cisco 7204 - L2TP Tunnel

2006-04-08 Thread TS
Hi Phil

Good call.
Thanks for that.
Works a treat now.

Tony



Re: Version 1.1.1 stops responding

2006-04-08 Thread Duane Cox

I'm seeing the same thing here with 1.1.1.

I have 2 servers with identical hardware/software configs.
Both servers hang at the same time.

stopping/starting the daemon doesn't resolve the issue, rebooting the box 
does.


I was assuming it had something to do with the sql module because that is
where it paused (see: sql hangs, was (conflicts/duplicates need))

- Original Message -
From: King, Michael [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, March 23, 2006 9:24 AM
Subject: Version 1.1.1 stops responding

So I built 1.1.1 on Debian.

After a period of so many hours (variable) it stops responding.
(Sometimes 2 hours, sometimes 16 hours)

Now here's where it gets weird, (and makes me suspect it might not be
freeRADIUS at the root cause)

If I stop and restart the freeRADIUS service, it continues to ignore
RADIUS packets.

But if I restart the server (hard reboot) it works fine.  Till it stops
responding again.

Obviously this is not enough information to help you diagnose the
problem.  How do I gather that information?

The box is a 233 Pentium with 64 megs of ram.  Has about 15 AP's, with
around 100 users (not simultaneous, maybe 30 simultaneous)

So what's the suggested way of gathering more info?  Running debug mode
piping to a text file?



Re: RADIUS stops responding after a while

2006-04-08 Thread Alan DeKok
Alex M [EMAIL PROTECTED] wrote:
 I'm using MySQL 4.1.7 and it is located on remote server (not even on the
 same subnet as the radius)

  I have seen it before where a firewall drops state, and it looks
like the SQL server is down.  New connections go through fine, but old
connections are dead.

  One way to test this would be to edit rlm_sql so that it opens a new
connection to the SQL server for *every* request.  That would be
slower than what it does now, but it might work.

  I would also suggest putting a test SQL server on the same subnet as
the RADIUS server.  Have it do nothing more than log data, and if
connections to it are OK, the problem is most likely the firewall.

  Alan DeKok.


Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-08 Thread Alan DeKok
Tyler MacDonald [EMAIL PROTECTED] wrote:
   Thanks Alan!!! Can we look forward to this clause in the next
 version of FreeRadius? Is the next version due to come out anytime soon?

  The developers have to discuss this, and we have to get buy-in from
people, but I don't expect there's too much of a problem.

  As for the next release, it may be a month or so.

  Alan DeKok.



RE: RADIUS stops responding after a while

2006-04-08 Thread Alex M
What do you mean by Have it do nothing more than log data? And how would I
do that?






Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-08 Thread Nicolas Baradakis
Tyler MacDonald wrote:

 It appears that several other GPL apps have added a special clause
 to their license that allows them to be linked against OpenSSL.

   Could this be done for freeradius/freeradius-postgresql as well?

Personally I really dislike the idea: FreeRADIUS code is released
under the GPL and there is nothing wrong with that. I note there are
many other ways to get a freeradius-postgresql package in Debian.

- Ask Debian to provide an SSL-free package of the PostgreSQL libraries,
  so our freeradius-postgresql package can depend on that.

- Add GnuTLS support to PostgreSQL (someone suggested to work on that
  in the pgsql-general mailing list)
  http://archives.postgresql.org/pgsql-general/2006-04/msg00367.php

- Ask OpenSSL to remove the advertising clause from their license.

I also note the current situation is really a minor problem for our
users, because we're maintaining the necessary files to build the
Debian packages in our CVS. Anybody can easily build a Debian package
of the freeradius-postgresql module from a sources tarball with a
single command line. (dpkg-buildpackage)

-- 
Nicolas Baradakis



Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-08 Thread Tyler MacDonald
Nicolas Baradakis [EMAIL PROTECTED] wrote:
 - Ask OpenSSL to remove the advertising clause from their license.

This is the most compelling alternative on your list, since this
clause is the reason why all these other software packages have had to add
special clauses to their own licenses.

Has this been attempted before, I wonder...

 I also note the current situation is really a minor problem for our
 users, because we're maintaining the necessary files to build the
 Debian packages in our CVS. Anybody can easily build a Debian package
 of the freeradius-postgresql module from a sources tarball with a
 single command line. (dpkg-buildpackage)

I agree that it's still trivial to get freeradius-postgresql *onto*
a server, but I don't think that makes the problem minor. It requires that
the user has development tools installed on their server, which is not the
most secure thing to do. Either that, or they have to roll their own package
on one system and upload it to their server and maintain that separately
from the rest of their installation. This can have security implications
too, since the end user will have to manually keep an eye out for security
updates instead of just upgrading against security.debian.org.

So you provide a way of debianizing freeradius packages easily, even
ones that aren't included with debian. Given that, another alternative
(admittedly with its own set of problems) would be an official freeradius
apt repository.

Cheers,
Tyler




Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-08 Thread Tyler MacDonald
Nicolas Baradakis [EMAIL PROTECTED] wrote:
 Personally I really dislike the idea: FreeRADIUS code is released
 under the GPL and there is nothing wrong with that.

You are right, there is nothing wrong with that. But is there
anything wrong with the FreeRADIUS code released under the GPL with an
additional clause allowing linking against OpenSSL, even as a temporary
measure until either OpenSSL fixes its license or PostgreSQL supports
GnuTLS? I can't think of anybody or anything that would hurt, and it would have
the immediate practical benefit of allowing the freeradius-postgresql
package into the official debian repo.

- Tyler


Re: RADIUS stops responding after a while

2006-04-08 Thread Alan DeKok
Alex M [EMAIL PROTECTED] wrote:
 What do you mean by Have it do nothing more than log data? And how would I
 do that?

  You can configure the SQL module in either the authorize section,
where it will affect user authentication, or in the accounting
section, where it won't affect anything.

  Alan DeKok.



RE: RADIUS stops responding after a while

2006-04-08 Thread Alex M
Ok, will do that and post back with results

Thanks!



Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-08 Thread Jorgen Rosink
On 4/8/06, Tyler MacDonald [EMAIL PROTECTED] wrote:

 I can't think of anybody or anything that would hurt, and it would have
 the immediate practical benefit of allowing the freeradius-postgresql
 package into the official debian repo.

Besides the postgresql support, this also opens the door to
peap/eap-tls enabled Debian FreeRadius packages. All those 802.1x
Debian users currently have to build their own packages for this
support (although that's really easy with Debian ready upstream
source, as Nicolas mentioned earlier)



Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-08 Thread Nicolas Baradakis
Tyler MacDonald wrote:

 This can have security implications too, since the end user will
 have to manually keep an eye out for security updates instead of
 just upgrading against security.debian.org.

In theory, you're right. In reality, FreeRADIUS has disclosed a
security problem on 20 March and there's still no official Debian
package available yet :(

So finally if you really care about security you'd better build
packages from sources anyway.

 So you provide a way of debianizing freeradius packages easily, even
 ones that aren't included with debian. Given that, another alternative
 (admittedly with it's own set of problems) would be an official freeradius
 apt repository.

This doesn't solve anything. The problem is that such packages aren't
distributable in binary form. If someone provides a repository, he
becomes an outlaw. (exaggeratedly)

-- 
Nicolas Baradakis



Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-08 Thread Tyler MacDonald
Nicolas Baradakis [EMAIL PROTECTED] wrote:
  So you provide a way of debianizing freeradius packages easily, even
  ones that aren't included with debian. Given that, another alternative
  (admittedly with it's own set of problems) would be an official freeradius
  apt repository.
 This doesn't solve anything. The problem is that such packages aren't
 distributable in binary form. If someone provides a repository, he
 becomes an outlaw. (exaggeratedly)

*sigh* You're right. And I wouldn't want to suggest an illegal apt
repo either (although I've used ones in the past, like one that provides a
nice .deb full of win32 codec dlls for use with mplayer).

It's ridiculous that this is so simple to achieve technically, and
all products involved are being provided for free, yet there's still all
this bureaucratic red tape involved in getting them to play nice together...

- Tyler



Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-08 Thread Nicolas Baradakis
Tyler MacDonald wrote:

  Personally I really dislike the idea: FreeRADIUS code is released
  under the GPL and there is nothing wrong with that.

   You are right, there is nothing wrong with that. But is there
 anything wrong with the FreeRADIUS code released under the GPL with an
 additional clause allowing linking against OpenSSL, even as a temporary
 measure until either OpenSSL fixes its license or PostgreSQL supports GnuTLS?

Well, I'm not in a position to decide for a FreeRADIUS license change or
not, I'm just manifesting my personal opinion. If the other developers
agree, I won't go against them, of course.

However I believe it's better for FreeRADIUS to keep a plain GPL
license (without any modification) because it simplifies any
legal issue:
  - license violation with our code in another non-GPL software (it has
already happened in the past)
  - adding contribution from an external company (they have questions
concerning the license of the submitted material)

Even if it's based on the GPL, a FreeRADIUS license is more confusing.

 I can't think of anybody or anything that would hurt, and it would have
 the immediate practical benefit of allowing the freeradius-postgresql
 package into the official debian repo.

Altering the FreeRADIUS license will make only *one* package enter
the Debian repository. I'm not inclined to choose this solution while
other solutions could solve the problem for *all* GPL programs
depending on the PostgreSQL libraries.

-- 
Nicolas Baradakis



Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-08 Thread Nicolas Baradakis
Jorgen Rosink wrote:

 Beside the postgresql support, this also opens the door to
 peap/eap-tls enabled Debian FreeRadius packages. All those 802.1x
 Debian users currently have to build their own packages for this
 support (although that's really easy with Debian ready upstream
 source, as Nicolas mentioned earlier)

Indeed, these modules are a problem in Debian as well, for legal and
technical reasons too: until version 1.1.1 I didn't manage to build
rlm_eap_peap and rlm_eap_ttls properly.

After the technical problems have been solved, we discussed the legal
issues on the development mailing list a few weeks ago, and we
planned to add support for GnuTLS, which is released under the LGPL.

It will take more time to write source code than to edit the license,
but I believe it's a better solution in the long term.

-- 
Nicolas Baradakis



radaccounting, what does octets mean?

2006-04-08 Thread Alex M

In accounting, what does an octet mean?

Thanks!


Re: radaccounting, what does octets mean?

2006-04-08 Thread Phil Mayers

Alex M wrote:

In accounting, what does an octet mean?


An octet is 8 bits.

A byte is almost always 8 bits, but can be other sizes in some obscure 
circumstances. Which is why the term octet exists.