Re: rlm_python

2007-01-27 Thread Alan DeKok
Peter Nixon wrote:
 Hi Guys
 
 Is anyone actually using rlm_python in production? Unlike rlm_perl we don't 
 seem to have any example code or any decent documentation. I am looking at 
 using it myself and just looking for some feedback..

  Apply the patches from bugs.freeradius.org.  They've been sitting
there for a while.

  I think as-is, the module isn't that useful.  It definitely needs
attention before production use.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Change of Authorization

2007-01-27 Thread Peter Nixon
On Sat 27 Jan 2007 02:08, Jeffrey Sewell wrote:
 Apologies if this has been addressed before, but I can't find any
 references in the Wiki or the archives for the use of rfc 3576 Change
 of Authorization messages.

 Does FreeRADIUS have any built in way to trigger and/or send a CoA?
 How have others dealt with users who have exceeded certain limits but
 have not yet reached session-timeout?

Hi Jeffrey

As it would turn out I was reading RFC 3576 yesterday and added support for 
CoA and Disconnect packets to pyrad (A python RADIUS library not part of the 
FreeRADIUS project, but written by Wichert who is one of the FR developers 
also)

radiusd does not currently respond to or natively send CoA or Disconnect 
packets however radclient DOES support them. This means that you can quite 
happily write an exec/perl/python module which executes radclient (or uses 
the pyrad library) to send CoA or Disconnect packets.. Please read my thread 
titled RADIUS Disconnect support on the freeradius-devel list which 
started on Tuesday this week for a little more discussion of how I think this 
could be added natively to radiusd...

If you have any further suggestions please reply to that thread..

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
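The exchange Peter describes, as an added example that is not part of the thread and is not code from FreeRADIUS, radclient or pyrad: a Disconnect-Request built the way RFC 3576 requires, the NAS-side authenticator check that decides whether to act on it, and the Disconnect-ACK/NAK that comes back. The shared secret, session ids and the NAS session table are constructed sample data; `nas_handle` stands in for a real NAS so the exchange runs in one process without a network.

```python
"""RFC 3576 Disconnect-Request / Disconnect-ACK exchange, both sides.

Added example; this is not code from the thread, FreeRADIUS, radclient or
pyrad. It shows what a client that sends Disconnect packets has to compute
and what a NAS has to verify before it acts on one. The shared secret,
session table and attribute values are constructed sample data.
"""
import hashlib
import hmac
import struct

# Packet codes, RFC 3576 section 2.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types: RFC 2865/2866 dictionary plus Error-Cause (RFC 3576 3.5).
USER_NAME, ACCT_SESSION_ID, ERROR_CAUSE = 1, 44, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503


def encode_attrs(attrs):
    """(type, value-bytes) pairs -> RADIUS TLVs; the length byte covers the header."""
    out = b""
    for typ, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute %d too long" % typ)
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs = []
    while data:
        typ, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((typ, data[2:length]))
        data = data[length:]
    return attrs


def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret),
    the Accounting-Request rule that RFC 3576 reuses; it is not random."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """NAS side. A request whose authenticator does not verify must be dropped,
    otherwise anyone who can reach UDP/3799 can disconnect or re-authorize users."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def verify_response(response, request, secret):
    """Client side: the identifier must match the outstanding request, then the
    Response Authenticator is checked against that request's authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def nas_handle(packet, nas_secret, active_sessions):
    """Constructed NAS: ACK and tear down a known Acct-Session-Id, NAK with
    Error-Cause 503 for an unknown one, silently discard a bad authenticator."""
    if not verify_request(packet, nas_secret):
        return None
    attrs = dict(decode_attrs(packet[20:]))
    session = attrs.get(ACCT_SESSION_ID)
    if session in active_sessions:
        active_sessions.discard(session)
        return build_response(DISCONNECT_ACK, packet, [], nas_secret)
    cause = struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND)
    return build_response(DISCONNECT_NAK, packet, [(ERROR_CAUSE, cause)], nas_secret)


def disconnect(user, session_id, secret, active_sessions, nas_secret=None, identifier=1):
    """Run the exchange in-process; returns the NAS's reply code, or None when
    the NAS discarded the request or its reply failed verification."""
    request = build_request(DISCONNECT_REQUEST, identifier,
                            [(USER_NAME, user.encode()), (ACCT_SESSION_ID, session_id)],
                            secret)
    reply = nas_handle(request, nas_secret or secret, active_sessions)
    if reply is None or not verify_response(reply, request, secret):
        return None
    return reply[0]


if __name__ == "__main__":
    sessions = {b"0A1B2C3D"}
    print(disconnect("bob", b"0A1B2C3D", b"testing123", sessions))  # 41 (ACK)
    print(disconnect("bob", b"0A1B2C3D", b"testing123", sessions))  # 42 (NAK)
```

The point of `verify_request` is the one that matters in production: the only thing standing between a Disconnect-Request and a torn-down session is the shared secret folded into that MD5, so the NAS must check it (and the packet length) before acting, and the client must check the reply against the request it actually sent rather than accepting any packet with the right identifier.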

Log notfound users

2007-01-27 Thread Guilherme Franco

Hello,

In authorize section I have the following:

sql {
   notfound = reject
}

In post-auth:

Post-Auth-Type REJECT {
   sql
   attr_filter.access_reject
}

Both works correctly but I would like to log notfound users into
radpostauth table as well, just like in post-auth.

How may I do this, please?

Thank you.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LAN accounting

2007-01-27 Thread Mohsen Pahlevanzadeh
I'm a newbie, I want to know: can I use FreeRadius+Dialup_admin for LAN 
accounting?


--Mohsen

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_python

2007-01-27 Thread Peter Nixon
On Sat 27 Jan 2007 09:38, Alan DeKok wrote:
 Peter Nixon wrote:
  Hi Guys
 
  Is anyone actually using rlm_python in production? Unlike rlm_perl we
  don't seem to have any example code or any decent documentation. I am
  looking at using it myself and just looking for some feedback..

   Apply the patches from bugs.freeradius.org.  They've been sitting
 there for a while.

   I think as-is, the module isn't that useful.  It definitely needs
 attention before production use.

Hmm.. the only open bug I see against rlm_python is:
http://bugs.freeradius.org/show_bug.cgi?id=182

Are there some others that I didn't manage to find?

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_python

2007-01-27 Thread Alan DeKok
Peter Nixon wrote:
 Hmm.. the only open bug I see against rlm_python is:
 http://bugs.freeradius.org/show_bug.cgi?id=182
 
 Are there some others that I didn't manage to find?

  I recall someone re-writing much of the module to make it work.  But I
didn't have time to look over the patches, and so it didn't go anywhere.
 I'll see if I can dig up the code.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Change of Authorization

2007-01-27 Thread Jeffrey Sewell

Thank you both for your replies. Sounds like my next step is to
subscribe to the freeradius-devel list. I've not used python much (no
particular reason, just circumstance) but I'm all about using whatever
tool fits the need.

Edge device vendors have some very creative solutions for this problem
(read "bloated and clunky" for "creative"), but it seems to me
that it makes more sense for this to happen at the AAA/RADIUS side of things.

Thanks again,
Jeffrey

On 1/27/07, Peter Nixon [EMAIL PROTECTED] wrote:

On Sat 27 Jan 2007 02:08, Jeffrey Sewell wrote:
 Apologies if this has been addressed before, but I can't find any
 references in the Wiki or the archives for the use of rfc 3576 Change
 of Authorization messages.

 Does FreeRADIUS have any built in way to trigger and/or send a CoA?
 How have others dealt with users who have exceeded certain limits but
 have not yet reached session-timeout?

Hi Jeffrey

As it would turn out I was reading RFC 3576 yesterday and added support for
CoA and Disconnect packets to pyrad (A python RADIUS library not part of the
FreeRADIUS project, but written by Wichert who is one of the FR developers
also)

radiusd does not currently respond to or natively send CoA or Disconnect
packets however radclient DOES support them. This means that you can quite
happily write an exec/perl/python module which executes radclient (or uses
the pyrad library) to send CoA or Disconnect packets.. Please read my thread
titled RADIUS Disconnect support on the freeradius-devel list which
started on Tuesday this week for a little more discussion of how I think this
could be added natively to radiusd...

If you have any further suggestions please reply to that thread..

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


SEVERE! radiusd 2.0 and 1.1.4 dying! Segmentation fault

2007-01-27 Thread Guilherme Franco

Hi,

Freeradius 2.0 alpha was working correctly since November 1st.

Then, this month, suddenly the server started to die, complaining of
Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried
to connect 0.

The server runs threaded with max_servers = 32 and num_sql_socks = 32
(there are 5 reqs per seconds, no more than that).

Ok so I've tried to run it single threaded (-X), but then, it's slow
and it misses some access requests, due to processing the accounting.

I've uninstalled it and installed 1.1.4, but the same occurs!

Restarting radiusd when it fails gives another 15 minutes before it dies again.

Also, disabling accounting helps prolong the server lifetime.

Any clue on that? Thanks.

Sat Jan 27 19:13:16 2007 : Debug:   modsingle[accounting]: returned
from detail (rlm_detail) for request 108
Sat Jan 27 19:13:16 2007 : Debug:   modcall[accounting]: module
detail returns ok for request 108
Sat Jan 27 19:13:16 2007 : Debug:   modsingle[accounting]: calling
ippool (rlm_sqlippool) for request 108
Sat Jan 27 19:13:16 2007 : Debug: rlm_sql (sql_postgresql): Reserving
sql socket id: 11
Sat Jan 27 19:13:16 2007 : Debug: radius_xlat:  'BEGIN'
** Internal heap ERROR 17177 addr=(nil) *


**
HEAP DUMP heap name=Alloc statemen  desc=0x77e2b8
extent sz=0x1040 alt=32767 het=32767 rec=0 flg=2 opc=3
parent=0x77adb0 owner=(nil) nex=(nil) xsz=0x1040
EXTENT 0 addr=0x788818
 Chunk000788828 sz= 3752free 
 Chunk0007896d0 sz=  312freeable assoc with mark
prv=(nil) nxt=(nil)
 Chunk000789808 sz=   80freeable assoc with mark
prv=(nil) nxt=(nil)
EXTENT 1 addr=0x77d3e8
 Chunk00077d3f8 sz= 2448perm  perm alo=32
Total heap size= 6592
FREE LISTS:
Bucket 0 size=160
Bucket 1 size=288
Bucket 2 size=544
Bucket 3 size=1056
Bucket 4 size=2080
 Chunk000788828 sz= 3752free 
Bucket 5 size=4128
Bucket 6 size=16416
Bucket 7 size=32800
Total free space   = 3752
UNPINNED RECREATABLE CHUNKS (lru first):
PERMANENT CHUNKS:
 Chunk00077d3f8 sz= 2448perm  perm alo=32
Permanent space= 2448
**
Hla: 255

ORA-21500: internal error code, arguments: [17177], [0x0], [],
[], [], [], [], []
Errors in file :
ORA-21500: internal error code, arguments: [17177], [0x0], [],
[], [], [], [], []


- Call Stack Trace -
calling  call entryargument values in hex
location type point(? means dubious value)
   
Cannot seek to string table section header in /proc/11022/exe.
Cannot seek to string table section header in /proc/11022/exe.
9688CDEF CALL 9660C588 0 ? 0 ? 774EC8 ? 0 ? 1 ? 0 ?
96DA64D8 CALLr 0 ? 0 ? 655680 ? 0 ?
  4FA13060 ? 0 ?
96DA6CD4 CALL 965ED0E8 Sat Jan 27 19:13:16
2007 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op
FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
0 ? 0 ? FF ? 0 ? 0 ? 0 ?
96DA6898 CALL 96605AC8 4FA13090 ? 0 ? 655680 ? 0 ?
  FF ? 0 ?
96D75B7F CALL 965FF0C8 0 ? 0 ? 0 ? 0 ? 788ED0 ? 0 ?
96D9135D CALL 96D757AA 0 ? 0 ? 0 ? 0 ? 0 ? 0 ?
966CA4FA CALL 96607898 0 ? 0 ? 0 ? 0 ? 0 ? 0 ?
966DF8CE CALL 966070F8 77DDA8 ? 0 ? 781BF0 ? 0 ?
  4FA15E50 ? 0 ?
966DF582 CALL 965F7D68 0 ? 0 ? B0D0A8C0 ? 3E ?
  B0D0AE20 ? 3E ?
966DBF1E CALL 965FEC88 0 ? 0 ? 0 ? 0 ? 0 ? 0 ?
9678A292 CALL 9660F088 0 ? 0 ? 4FA161D0 ? 0 ?
  772E10 ?Sat Jan 27
19:13:16 2007 : Debug: radius_xlat:  'SELECT
id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id'
0 ?
962BB4F6 CALL 962BAD60 4FA160C0 ? 0 ? 6536A4 ? 0 ?
  4FA162E2 ? 0 ?
0077C450 CALLs

- Argument/Register Address Dump -

Argument/Register addr=774ec8.  Dump of memory from 0x000774E88 to 0x000774FC8
        
        
   007773F0  0077AB38  0077AEE0 
        

Re: SEVERE! radiusd 2.0 and 1.1.4 dying! Segmentation fault

2007-01-27 Thread Phil Mayers

Guilherme Franco wrote:

Hi,

Freeradius 2.0 alpha was working correctly since November 1st.

Then, this month, suddenly the server started to die, complaining of
Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried
to connect 0.


This normally means your database is slow. Clean out old accounting 
records (maybe move them to another table) and execute a vacuum analyze.




The server runs threaded with max_servers = 32 and num_sql_socks = 32
(there are 5 reqs per seconds, no more than that).

Ok so I've tried to run it single threaded (-X), but then, it's slow
and it missess some access requests, due to processing the accounting.


...indicating a high load, supporting the hypothesis.



I've uninstalled it and installed 1.1.4, but the same occurs!

Restarting radiusd when it fails gives another 15 minutes before it dies 
again.


Also, disabling accounting helps prolong the server lifetime.


Probably because it reduces the load, again supporting the hypothesis.

However - you also say it is segfaulting? Which I would not expect.

I don't really understand the format of the crash dump - can you supply 
one from gdb as documented in doc/bugs?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
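Phil's diagnosis (a slow database exhausting the rlm_sql handle pool) can be checked from the debug log rather than guessed at. The script below is an added example, not part of the thread and not FreeRADIUS code: it pairs the "Reserving sql socket id" and "Released sql socket id" debug lines that rlm_sql 1.x prints around each query to estimate how many of the num_sql_socks handles are held at once, and counts the "There are no DB handles to use!" messages that mean the pool ran dry. The "Reserving" and "no DB handles" formats are the ones quoted in the thread; the "Released" format is assumed from rlm_sql 1.x. The log in `SAMPLE_LOG` is constructed, not real server output.

```python
"""Triage rlm_sql connection-pool starvation from a radiusd debug log.

Added example, not part of the thread or of FreeRADIUS. The "Reserving" and
"There are no DB handles to use!" formats are quoted in the thread; the
"Released sql socket id" format is assumed from rlm_sql 1.x. SAMPLE_LOG is
constructed to match those formats and is not real output.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>.+?) : (?P<level>\w+): rlm_sql \((?P<inst>[^)]+)\): (?P<msg>.*)$")
RESERVE_RE = re.compile(r"Reserving sql socket id: (\d+)")
RELEASE_RE = re.compile(r"Released sql socket id: (\d+)")
STARVED_RE = re.compile(
    r"There are no DB handles to use! skipped (\d+), tried to connect (\d+)")

# Constructed sample: two rlm_sql instances, as in the thread (Oracle "sql"
# for auth/acct, "sql_postgresql" behind sqlippool).
SAMPLE_LOG = """\
Sat Jan 27 19:13:16 2007 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Sat Jan 27 19:13:16 2007 : Debug: rlm_sql (sql): Reserving sql socket id: 1
Sat Jan 27 19:13:16 2007 : Debug: rlm_sql (sql): Released sql socket id: 0
Sat Jan 27 19:13:16 2007 : Debug: rlm_sql (sql_postgresql): Reserving sql socket id: 11
Sat Jan 27 19:13:16 2007 : Debug: radius_xlat:  'BEGIN'
Sat Jan 27 19:13:17 2007 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Sat Jan 27 19:13:17 2007 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Sat Jan 27 19:13:18 2007 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Sat Jan 27 19:13:18 2007 : Debug: rlm_sql (sql): Released sql socket id: 1
Sat Jan 27 19:13:18 2007 : Debug: rlm_sql (sql): Released sql socket id: 2
"""


def analyse(lines):
    """Per rlm_sql instance: peak handles held at once, number of starvation
    messages, total 'skipped' count, and handle ids still held at end of log
    (a handle never released is a query that hung or a leaked socket)."""
    held = defaultdict(set)
    stats = defaultdict(lambda: {"peak": 0, "starved": 0, "skipped": 0, "held_at_end": []})
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # not an rlm_sql line (xlat, modcall, ...)
        inst, msg = m.group("inst"), m.group("msg")
        st = stats[inst]
        r = RESERVE_RE.search(msg)
        if r:
            held[inst].add(int(r.group(1)))
            st["peak"] = max(st["peak"], len(held[inst]))
            continue
        r = RELEASE_RE.search(msg)
        if r:
            held[inst].discard(int(r.group(1)))
            continue
        r = STARVED_RE.search(msg)
        if r:
            st["starved"] += 1
            st["skipped"] += int(r.group(1))
    for inst, ids in held.items():
        stats[inst]["held_at_end"] = sorted(ids)
    return dict(stats)


def suspects(stats, num_sql_socks):
    """Instances that either logged starvation or whose peak reached the
    configured pool size; with 5 req/s and 32 sockets, either means queries
    are taking seconds, which is the database's problem, not radiusd's."""
    return sorted(i for i, s in stats.items()
                  if s["starved"] or s["peak"] >= num_sql_socks)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for inst, st in sorted(result.items()):
        print(inst, st)
    print("suspects:", suspects(result, num_sql_socks=32))  # ['sql']
```

Run it as `python3 pool_triage.py < radius.log` after replacing the sample with `sys.stdin`; a non-empty `held_at_end` on a long log is the signature to look at first, since a handle that is reserved and never released is what turns a slow database into "no DB handles to use" and, a few minutes later, a restart.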


Re: SEVERE! radiusd 2.0 and 1.1.4 dying! Segmentation fault

2007-01-27 Thread Guilherme Franco

Thanks Mr. Mayers,

The database is Oracle on a powerful machine which only does acct/auth.
All the relevant auth/accounting queries are indexed to speed things
up.

There's a PostgreSQL database to take care of the sqlippool module.

The strange thing is that even when the accounting is off (with low
load then) the error appears randomly.

Also, if the proxy realm dies the problem occurs too.

That segfault was captured by running radiusd -xxx, which points
to an Oracle OCI error in this case (with acct on).

I can't give you a gdb because the server is running fine now, but who
knows when it may happen...

That setup was running fine for almost 3 months. All indicates a
resource starving problem, but the load is low :(

Thank you very much.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


TTLS-PAP authentication with LDAP bind

2007-01-27 Thread Richard Hesse
First off, I'd like to say thanks in advance to anyone who can help me here. 
I've spent the past few days searching the list archives and other sites for 
information on how to accomplish this. The overwhelming message from these 
searches was that it should just work and that the server will figure out 
what to do. Sadly, that's not the case here.

My goals here are straightforward:
-Authorize the user in LDAP if a corresponding entry exists (just checking 
against uid, nothing fancy).
-Support TTLS-PAP and PEAP-GTC. The default Macintosh configuration supports 
PEAP-GTC with no config. SecureW2 will be used for TTLS-PAP on Windows clients.
-Authenticate the user's clear-text password via a simple LDAP bind encrypted 
via TLS. No userPassword attribute checking here. A simple bind is all.

Using version 1.1.4.

Here's my eap.conf with comments stripped out:
eap {
    default_eap_type = ttls
    timer_expire = 10
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    gtc {
        challenge = "Password: "
        auth_type = PAP
    }
    tls {
        private_key_password = foo
        private_key_file = ${raddbdir}/certs/key.pem
        certificate_file = ${raddbdir}/certs/cert.pem
        CA_file = ${raddbdir}/certs/sf_issuing.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = DEFAULT
    }
    ttls {
        default_eap_type = gtc
    }
    peap {
        default_eap_type = gtc
    }
}

Relevant sections of radiusd.conf are:
ldap {
    server = myserverentry
    basedn = myDN
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = yes
    tls_cacertfile = /opt/fedora-ds/alias/intCA.pem
    tls_require_cert = demand
    access_attr = uid
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

authorize {
    preprocess
    suffix
    ntdomain
    eap
    files
    ldap
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}

If I force the Mac or Windows supplicants to use TTLS-PAP, the request is never 
passed to radiusd. I don't know what's going on but my AP (Aruba 200) seems to 
be detecting that something isn't right with its AAA server and not passing the 
request on. If I change the supplicants to use their default settings, the 
requests are sent to FreeRadius, but the requests fail. Again, the Aruba seems 
to think that something is wrong and presents its certificate instead of my 
server's. At one point, I had the clients seeing the server's certificate but I 
can't seem to get back in that state. So I don't think my AP is broken, I'm 
pretty sure it's my FreeRadius config that's broken. The users file is 
unchanged and the proper entries are in clients.

Yes, I've run the server in debug mode (there are no requests coming in).

Thanks,
-richard





 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LAN accounting

2007-01-27 Thread Mohsen Pahlevanzadeh

Mohsen Pahlevanzadeh wrote:

I'm newbie,I wanna know that can i use FreeRadius+Dialup_admin as a 
LAN accounting?


--Mohsen

- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html





Does it mean that I can use them without dialing?
--Mohsen
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html