Re: Freeradius + DHCP +vlans ???

2007-07-26 Thread Phil Mayers
On Thu, 2007-07-26 at 02:00 +0100, George Beitis wrote:
> Hey guys
> I am a bit new to the scene and i am having a few problems with
> configuring freeradius.  In essence what i want is that the user, once
> verified to be assigned to a specific vlan and get an ip address from a
> dhcp server, which will be aware of the vlans and therefore assign
> different address and subnets to each.  Does this scenario make any

yes

> sense?  Will it be the freeradius server that will be notifying the dhcp
> server to acquire an address for the client?  Will the dhcp server then

No

> contact the access point to let it know what address the client has been
> given and it in its turn give it to the client?  Or will it be that the

No

> access point will contact the dhcp server once it has the reply from the
> freeradius server, giving it the vlan id/number and requesting an ip
> address and other info?

No

The way it works is:

 1. Client does either 802.1x
 2. Access point forwards authentication to radius server
 3. Multiple 802.1x round-trips between client and radius server, via AP
 4. When authentication is complete, the radius server returns an
Access-Accept with the vlan tag
 5. Access point reads the vlan tag, assigns it
 6. Client brings up its IP stack, and emits a DHCP DISCOVER
 7. AP forwards the client's packet into the vlan at layer2
 8. The vlan/subnet router forwards the DHCP DISCOVER to the DHCP server
 9. DHCP server assigns an IP address based on source subnet & mac
address

There's no interaction between DHCP and Radius, no interaction between a
layer2 access point and DHCP (possibly dhcp option-82 insertion), and no
real interaction with a layer2 access point and any IP protocol.

Basically - you just configure the AP with >1 vlan, configure a router
for each VLAN with dhcp relay enabled, and configure the radius server
to tell the AP the right vlan number.

BEWARE: not all APs support vlan assignment.


> 
> Is this the right or wrong way of going about this?
> 
> regards
> George
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
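Step 4 of the flow above is the only place RADIUS and the VLAN meet: the Access-Accept carries the tunnel attributes, and the AP acts on them only after checking the Response Authenticator with the shared secret. The following is an added example, not code from this thread or from FreeRADIUS: it builds such a reply, verifies it as the AP would, and parses the VLAN out of it. Attribute numbers and values are the RFC 2865/2868 ones (Tunnel-Type = 64, Tunnel-Medium-Type = 65, Tunnel-Private-Group-ID = 81; VLAN = 13; IEEE-802 = 6); the secret, request authenticator, packet identifier and VLAN number are constructed sample values.

```python
"""Access-Accept with a VLAN assignment, built and checked the way an AP would.

Added example, not code from this thread or from FreeRADIUS. Attribute numbers
and values are the RFC 2865/2868 ones (Tunnel-Type = 64, Tunnel-Medium-Type =
65, Tunnel-Private-Group-ID = 81; VLAN = 13; IEEE-802 = 6). The shared secret,
request authenticator, packet identifier and VLAN number are constructed
sample values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def avp(attr_type, value):
    """One attribute-value pair: type, total length, value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_integer(attr_type, tag, value):
    """Tagged integer (RFC 2868 section 3.1): one tag byte, then a 3-byte integer."""
    if not 0 <= tag <= 0x1F or not 0 <= value <= 0xFFFFFF:
        raise ValueError("tag or value out of range")
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, tag, text):
    """Tagged string (RFC 2868 section 3.6): one tag byte, then the string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag out of range")
    return avp(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_attributes(vlan_id, tag=1):
    """The three attributes an 802.1X AP reads to put the session in a VLAN."""
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def build_access_accept(identifier, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_authenticator(packet, request_auth, secret):
    """The AP's side: recompute the authenticator with the shared secret before
    acting on the reply, so a forged or altered Access-Accept is discarded."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_vlan(packet):
    """Return the VLAN id string from a reply, or None when the tunnel
    attributes are absent, malformed, or do not describe an 802.1Q VLAN."""
    attrs, pos, found = packet[20:], 0, {}
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            return None  # malformed attribute: do not guess
        value = attrs[pos + 2:pos + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte above 0x1F is data, not a tag (RFC 2868 section 3.6).
            text = value[1:] if value[0] <= 0x1F else value
            found[attr_type] = text.decode("ascii", "replace")
        pos += length
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None
    return found.get(TUNNEL_PRIVATE_GROUP_ID)


if __name__ == "__main__":
    secret = b"testing123"               # constructed shared secret
    request_auth = bytes(range(16))       # constructed Request Authenticator
    reply = build_access_accept(7, request_auth, secret, vlan_attributes(42))
    print("authenticator ok:", verify_response_authenticator(reply, request_auth, secret))
    print("assigned VLAN:", parse_vlan(reply))
```

Flipping one byte of the Tunnel-Private-Group-ID turns VLAN "42" into "43" as far as the parser is concerned, but the authenticator check fails first; that ordering (verify, then parse) is the point of the example, and it is also why the shared secret between AP and RADIUS server matters for VLAN assignment.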


debug_level

2007-07-26 Thread VM
Hi everyone,

I can't find anything in the various documentation sources
related to the debug_level parameter.
Made a grep on the doc folder, searched Google and FreeRadius Wiki...

It seems to be usually put to a value of 0.
Can you explain what are the relevant values for this parameter
and what it is supposed to control ?


My need is to get debug information on ldap communication but
could not start FreeRadius in debug mode because the resulting logs
must be stored in a file for further analysis (I can't stay in front of my 
display waiting for a random crash to happen).

Does this parameter allow this?
If not, is there another way ?

Thanks in advance,

Vincent

** ATTENTION: New address and new telephone numbers **

You can now reach us or write to us at the following contact details:

  Tel: 01 70 56 51 51
  Fax: 01 70 56 51 52

New address:
  7 place Marcel Rebuffat
  Parc d'activités de Villejust
  91971 Courtaboeuf 7 cedex

SQL and different accounting records by NAS

2007-07-26 Thread Nicolas Velazquez
Hi,

We are using freeradius 1.1.6, now, to provide 
access for our wireless network only.
The accounting is very detailed and 
comprehensive: IP addresses, usernames,  packets, roles,  APs, SSIDs, etc.

Now, we are starting to use the same radius to 
give 802.1x access to our wired network.

The key is that the accounting records for a wired switch are VERY different.
Now, AP and SSID, are nonsense items, for example.
But we need other records.

Can freeradius use different accounting sql inserts depending on NAS?

Is there any document showing something like this?
I have read many documents but I can not find a clear answer.

This was the main question.

A related tiny question is as follows.
The most comfortable configuration will be to use 
different accounting inserts depending on huntgroups.
Then we could select sql inserts for one 
huntgroup (all our wired NASes) and different sql 
insert for another huntgroup (all our wireless NASes).
The addition, remove or change of the different 
NASes could be made modifying only the lists contained in the huntgroups file.
It could be very clean and useful.
But, when I read the huntgroups documentation I
have the strong suspicion I can't do this.

Thank you very much in advance,

Nicolas Velazquez




Re: SQLIPPool performance issue

2007-07-26 Thread Alan DeKok
Roy Walker wrote:
> Ok changing the indexes definitely made some difference.  The database load 
> still went off the charts, but the radius logs were much better with DB 
> errors connect errors.  This still seems horribly slow.

  The problem is that RADIUS servers take less time to do things than an
SQL server needs.  So when you hammer the RADIUS server with requests,
the SQL server is getting 5-10x the load.

> Here is the command I am using to test: /radclient -p 2 -d 
> /usr/src/freeradius-server-snapshot-20070725/share -f /tmp/radclient-test 
> 1.1.1.10 auth testing123
> Where the radclient-test file has 5000 client requests separated by the 
> necessary blank lines.

  FreeRADIUS should really be a little smarter about loading the SQL
server.  But it's a very hard problem to solve in a good way.

  i.e. "if SQL server is busy, stop processing the current request, BUT
remember to wake up later to keep processing it."

  The only real solution is to get a bigger machine to handle the
database, OR slow down on the RADIUS traffic.

  Alan DeKok.


Freeradius Multiple VLAN assignment

2007-07-26 Thread George Beitis
Hi everyone,
does freeradius support multiple vlan assignment?



Re: radiusd startup problem

2007-07-26 Thread Peter Nixon
On Thu 26 Jul 2007, ram wrote:
> On 7/26/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > ram wrote:
> > > I have installed a fresh copy with the freeradius+mysql document
> >
> > What document?  To install the server, you just follow the
> > instructions in the INSTALL.
>
> http://www.frontios.com/freeradius.html

That document is greater than 2 years old and there are several parts of it 
that were ALWAYS wrong :-(


-- 

Peter Nixon
http://peternixon.net/


Re: radiusd startup problem

2007-07-26 Thread Peter Nixon
On Fri 27 Jul 2007, Alan DeKok wrote:
> ram wrote:
> > What document?  To install the server, you just follow
> > the instructions in the INSTALL.
> >
> > http://www.frontios.com/freeradius.html
>
>   Please explain why you would prefer to follow third-party instructions
> that talk about a version YEARS out of date.
>
>   Even if it *is* referenced in doc/rlm_sql, it's obvious what you did.
>  You installed the server, and then BEFORE trying to see if it works,
> you spent a lot of time mangling the installation.
>
>   It's like buying a car, and then tearing it to pieces because the fat
> kid down the street gave you some "cool ideas".  If the car doesn't work
> after that, don't complain to the dealership.  They'll laugh at you, and
> then charge you tons of money to fix it.

I just spent 15min trying to come up with an updated version of that page in 
our wiki:

http://wiki.freeradius.org/SQL_HOWTO

Everyone, please feel free to fix it up and add Postgresql and Oracle info 
etc.

Cheers

-- 

Peter Nixon
http://peternixon.net/


Nas Type

2007-07-26 Thread Roberto Greiner
Hi,

I was starting to look at checkrad, and found (based on
http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using
"other" as the NAS-type will actually check only radutmp instead of
looking at the actual NAS. Now, Could someone point me what would be the
proper NAS type to use for each of the devices below(or the proper
reference document to use)? I'm using the following NASes in my network:

Monowall
pfSense
(3Com) Total Control
PopTop (in Linux)

What I want to do is to use checkrad as one of the steps to make sure
that whoever appears as logged is really logged in, because I'm trying
to use Simultaneous-use check, and some of the above (notably monowall)
doesn't seem to be clearing properly sometimes.

Thank you very much,

Roberto Greiner

-- 
  -
Marcos Roberto Greiner

   The optimists believe we are in the best of worlds
The pessimists are afraid that this is true
   Murphy
  -


Re: SQLIPPool performance issue

2007-07-26 Thread Kenneth Marshall
Roy,

The obvious really bad ones I have noted below.

Ken

On Thu, Jul 26, 2007 at 12:57:15PM -0500, Roy Walker wrote:
> Here is the config lines:
> 
> max_connections = 100
> shared_buffers = 400MB

Could be as much as 25% of RAM or 2GB.

> temp_buffers = 32MB
> work_mem = 1MB

Running EXPLAIN ANALYZE for the logged queries will let you
know if this value is too small. In particular, it is used to
evaluate whether or not a hash/merge join can be used. You
may need to raise it depending on what your query analysis
shows.

> maintenance_work_mem = 128MB

Bump this up to 256MB or 512MB or more. Otherwise maintenance
actions can become disk I/O bound.

> max_fsm_pages = 204800

This needs to be large enough to handle the size of your DB.

> 
> Didn't change any of these as for my testing I don't have autovacuum
> enabled.

You definitely need to enable autovacuum. Poor plans due to poor
statistics can hamstring your performance.

> #vacuum_cost_delay = 0  # 0-1000 milliseconds
> #vacuum_cost_page_hit = 1   # 0-1 credits
> #vacuum_cost_page_miss = 10 # 0-1 credits
> #vacuum_cost_page_dirty = 20# 0-1 credits
> #vacuum_cost_limit = 200# 0-1 credits
> 

You may need the bgwriter to smooth out checkpoint I/O. Check
to see if you are getting checkpoint errors in your logs.

> #bgwriter_delay = 200ms # 10-1ms between rounds
> #bgwriter_lru_percent = 1.0 # 0-100% of LRU buffers
> scanned/round
> #bgwriter_lru_maxpages = 5  # 0-1000 buffers max
> written/round
> #bgwriter_all_percent = 0.333   # 0-100% of all buffers
> scanned/round
> #bgwriter_all_maxpages = 5  # 0-1000 buffers max
> written/round
> 
> #wal_buffers = 64kB

Bump this to 256kB.

> 
> #commit_delay = 0   # range 0-10, in
> microseconds
> #commit_siblings = 5# range 1-1000
> 
> checkpoint_segments = 32# in logfile segments, min 1,
> 16MB each
> #checkpoint_timeout = 5min  # range 30s-1h
> 
> #random_page_cost = 4.0
> 
> autovacuum = off# enable autovacuum subprocess?

Should be on.

> # 'on' requires
> stats_start_collector
> # and stats_row_level to also be
> on

On, and stats_row_level should be on too.

> #autovacuum_naptime = 1min  # time between autovacuum runs
> #autovacuum_vacuum_threshold = 500  # min # of tuple updates before
> # vacuum
> #autovacuum_analyze_threshold = 250 # min # of tuple updates before
> # analyze
> #autovacuum_vacuum_scale_factor = 0.2   # fraction of rel size before
> # vacuum
> #autovacuum_analyze_scale_factor = 0.1  # fraction of rel size before
> # analyze
> #autovacuum_freeze_max_age = 2  # maximum XID age before forced
> vacuum
> # (change requires restart)
> #autovacuum_vacuum_cost_delay = -1  # default vacuum cost delay for
> # autovacuum, -1 means use
> # vacuum_cost_delay
> #autovacuum_vacuum_cost_limit = -1  # default vacuum cost limit for
> # autovacuum, -1 means use
> # vacuum_cost_limit
> 
> -Original Message-
> From:
> [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> s.org] On Behalf Of Peter Nixon
> Sent: Thursday, July 26, 2007 9:53 AM
> To: FreeRadius users mailing list
> Subject: Re: SQLIPPool performance issue
> 
> On Thu 26 Jul 2007, Kenneth Marshall wrote:
> > Roy,
> >
> > It sounds like you may need to adjust the DB parameters. The defaults,
> > even in 8.2, are still fairly conservative. Would you post your
> current
> > settings for things like:
> >
> > max_connections
> > shared_buffers
> > work_mem
> > maintenance_work_mem
> > max_fsm_pages
> > vacuum_cost_*
> > bgwriter_*
> > wal_buffers
> > commit_delay
> > commit_siblings
> > checkpoint_segments
> > checkpoint_timeout
> > random_page_cost
> > effective_cache_size
> > autovacuum
> > autovacuum_*
> >
> > Basically, anything you have changed from the default configuration
> > file. Proper choices for these parameters can make a huge difference
> > in baseline performance.
> 
> Yep. My guess is, on that box, if he is running a default Postgresql
> config 
> he should get 10-100 times greater performance after tuning it correctly
> for 
> the ram and cpu setup..
> 
> Cheers
> 
> -- 
> 
> Peter Nixon
> http://peternixon.net/
> - 
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 

Re: radiusd startup problem

2007-07-26 Thread ram

>
>   Please explain why you would prefer to follow third-party instructions
> that talk about a version YEARS out of date.
>
>   Even if it *is* referenced in doc/rlm_sql, it's obvious what you did.
>  You installed the server, and then BEFORE trying to see if it works,
> you spent a lot of time mangling the installation.
>
>   It's like buying a car, and then tearing it to pieces because the fat
> kid down the street gave you some "cool ideas".  If the car doesn't work
> after that, don't complain to the dealership.  They'll laugh at you, and
> then charge you tons of money to fix it.





This document I found in another news group, where people
had integrated it and had it working; that is the reason, as per the recommendation,
I have followed it to install the same.

I just spent 15min trying to come up with an updated version of that page in

our wiki:

http://wiki.freeradius.org/SQL_HOWTO





This URL should be reasonable, let me try again with this document and
revert back


ram

Re: Nas Type

2007-07-26 Thread Peter Nixon
On Fri 27 Jul 2007, Roberto Greiner wrote:
> Hi,
>
> I was starting to look at checkrad, and found (based on
> http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using
> "other" as the NAS-type will actually check only radutmp instead of
> looking at the actual NAS. Now, Could someone point me what would be the
> proper NAS type to use for each of the devices below(or the proper
> reference document to use)? I'm using the following NASes in my network:
>
> Monowall
> pfSense
> (3Com) Total Control
> PopTop (in Linux)
>
> What I want to do is to use checkrad as one of the steps to make sure
> that whoever appears as logged is really logged in, because I'm trying
> to use Simultaneous-use check, and some of the above (notably monowall)
> doesn't seem to be clearing properly sometimes.

As you have already found the docs you know the answer. The 3Com is obviously 
type "tc". If it's not on the list it's "other". 

However, if you write a patch to support the devices you mention, we would be 
happy to include it in FreeRADIUS.

Cheers

-- 

Peter Nixon
http://peternixon.net/


Re: radiusd startup problem

2007-07-26 Thread Alan DeKok
Peter Nixon wrote:
>> That document is greater than 2 years old and there are several parts of
>> it that were ALWAYS wrong :-(
> 
> Oh... And we list it as a source in doc/rlm_sql
> 
> Alan we have to remove it immediately! 

  Done.

  Alan DeKok.


Re: SQLIPPool performance issue

2007-07-26 Thread Peter Nixon
Oh. I forgot to add:

effective_cache_size = 196608   # 3x shared_buffers

Cheers

Peter
On Thu 26 Jul 2007, Peter Nixon wrote:
> Well, I have a pretty small, single core SunFire x2100 with 2GB ram and
> SATA disks as my DB server. Your 8 Core box with 8g of ram and hardware
> RAID should therefore be at least 4 times faster, possibly up to 10 times
> faster.
>
> The major differences I have are:
>
> max_connections = 400
> shared_buffers = 65536  # Should be at > max_connections*2. 8KB each.
>  # Recommend 25% of RAM
> work_mem = 1 # min 64, size in KB
>
> Your shared_buffers are WAY too low for a box with 8GB ram. The Postgresql
> tuning guide clearly recommends 25% of ram so you need to make that 2GB
> instead of 400MB. I guess you will see significant performance gains.
>
> I would also enable autovacuum as the radippool and radacct tables are
> constantly changing..
>
> Let me know how it goes..
>
> Cheers
>
> Peter
>
> On Thu 26 Jul 2007, Roy Walker wrote:
> > Here is the config lines:
> >
> > max_connections = 100
> > shared_buffers = 400MB
> > temp_buffers = 32MB
> > work_mem = 1MB
> > maintenance_work_mem = 128MB
> > max_fsm_pages = 204800
> >
> > Didn't change any of these as for my testing I don't have autovacuum
> > enabled.
> > #vacuum_cost_delay = 0  # 0-1000 milliseconds
> > #vacuum_cost_page_hit = 1   # 0-1 credits
> > #vacuum_cost_page_miss = 10 # 0-1 credits
> > #vacuum_cost_page_dirty = 20# 0-1 credits
> > #vacuum_cost_limit = 200# 0-1 credits
> >
> > #bgwriter_delay = 200ms # 10-1ms between rounds
> > #bgwriter_lru_percent = 1.0 # 0-100% of LRU buffers
> > scanned/round
> > #bgwriter_lru_maxpages = 5  # 0-1000 buffers max
> > written/round
> > #bgwriter_all_percent = 0.333   # 0-100% of all buffers
> > scanned/round
> > #bgwriter_all_maxpages = 5  # 0-1000 buffers max
> > written/round
> >
> > #wal_buffers = 64kB
> >
> > #commit_delay = 0   # range 0-10, in
> > microseconds
> > #commit_siblings = 5# range 1-1000
> >
> > checkpoint_segments = 32# in logfile segments, min 1,
> > 16MB each
> > #checkpoint_timeout = 5min  # range 30s-1h
> >
> > #random_page_cost = 4.0
> >
> > autovacuum = off# enable autovacuum subprocess?
> > # 'on' requires
> > stats_start_collector
> > # and stats_row_level to also be
> > on
> > #autovacuum_naptime = 1min  # time between autovacuum runs
> > #autovacuum_vacuum_threshold = 500  # min # of tuple updates before
> > # vacuum
> > #autovacuum_analyze_threshold = 250 # min # of tuple updates before
> > # analyze
> > #autovacuum_vacuum_scale_factor = 0.2   # fraction of rel size before
> > # vacuum
> > #autovacuum_analyze_scale_factor = 0.1  # fraction of rel size before
> > # analyze
> > #autovacuum_freeze_max_age = 2  # maximum XID age before forced
> > vacuum
> > # (change requires restart)
> > #autovacuum_vacuum_cost_delay = -1  # default vacuum cost delay for
> > # autovacuum, -1 means use
> > # vacuum_cost_delay
> > #autovacuum_vacuum_cost_limit = -1  # default vacuum cost limit for
> > # autovacuum, -1 means use
> > # vacuum_cost_limit
> >
> > -Original Message-
> > From:
> > [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> > s.org] On Behalf Of Peter Nixon
> > Sent: Thursday, July 26, 2007 9:53 AM
> > To: FreeRadius users mailing list
> > Subject: Re: SQLIPPool performance issue
> >
> > On Thu 26 Jul 2007, Kenneth Marshall wrote:
> > > Roy,
> > >
> > > It sounds like you may need to adjust the DB parameters. The defaults,
> > > even in 8.2, are still fairly conservative. Would you post your
> >
> > current
> >
> > > settings for things like:
> > >
> > > max_connections
> > > shared_buffers
> > > work_mem
> > > maintenance_work_mem
> > > max_fsm_pages
> > > vacuum_cost_*
> > > bgwriter_*
> > > wal_buffers
> > > commit_delay
> > > commit_siblings
> > > checkpoint_segments
> > > checkpoint_timeout
> > > random_page_cost
> > > effective_cache_size
> > > autovacuum
> > > autovacuum_*
> > >
> > > Basically, anything you have changed from the default configuration
> > > file. Proper choices for these parameters can make a huge difference
> > > in baseline performance.
> >
> > Yep. My guess is, on that box, if he is running a default Postgresql
> > config
> > he should get 10-100 times greater per

Re: Freeradius Multiple VLAN assignment

2007-07-26 Thread Alan DeKok
George Beitis wrote:
> Hi everyone,
> does freeradius support multiple vlan assignment?

  What do you mean by that?

  FreeRADIUS allows you to put just about anything in a response.  See
your NAS documentation for what it expects, and what to send.

  Alan DeKok.


Re: Freeradius Multiple VLAN assignment

2007-07-26 Thread Peter Nixon
On Thu 26 Jul 2007, George Beitis wrote:
> Hi everyone,
> does freeradius support multiple vlan assignment

yes

-- 

Peter Nixon
http://peternixon.net/


Re: SQLIPPool performance issue

2007-07-26 Thread Peter Nixon
Well, I have a pretty small, single core SunFire x2100 with 2GB ram and SATA 
disks as my DB server. Your 8 Core box with 8g of ram and hardware RAID 
should therefore be at least 4 times faster, possibly up to 10 times faster.

The major differences I have are:

max_connections = 400
shared_buffers = 65536  # Should be at > max_connections*2. 8KB each.
 # Recommend 25% of RAM
work_mem = 1 # min 64, size in KB

Your shared_buffers are WAY too low for a box with 8GB ram. The Postgresql 
tuning guide clearly recommends 25% of ram so you need to make that 2GB 
instead of 400MB. I guess you will see significant performance gains.

I would also enable autovacuum as the radippool and radacct tables are 
constantly changing..

Let me know how it goes..

Cheers

Peter

On Thu 26 Jul 2007, Roy Walker wrote:
> Here is the config lines:
>
> max_connections = 100
> shared_buffers = 400MB
> temp_buffers = 32MB
> work_mem = 1MB
> maintenance_work_mem = 128MB
> max_fsm_pages = 204800
>
> Didn't change any of these as for my testing I don't have autovacuum
> enabled.
> #vacuum_cost_delay = 0  # 0-1000 milliseconds
> #vacuum_cost_page_hit = 1   # 0-1 credits
> #vacuum_cost_page_miss = 10 # 0-1 credits
> #vacuum_cost_page_dirty = 20# 0-1 credits
> #vacuum_cost_limit = 200# 0-1 credits
>
> #bgwriter_delay = 200ms # 10-1ms between rounds
> #bgwriter_lru_percent = 1.0 # 0-100% of LRU buffers
> scanned/round
> #bgwriter_lru_maxpages = 5  # 0-1000 buffers max
> written/round
> #bgwriter_all_percent = 0.333   # 0-100% of all buffers
> scanned/round
> #bgwriter_all_maxpages = 5  # 0-1000 buffers max
> written/round
>
> #wal_buffers = 64kB
>
> #commit_delay = 0   # range 0-10, in
> microseconds
> #commit_siblings = 5# range 1-1000
>
> checkpoint_segments = 32# in logfile segments, min 1,
> 16MB each
> #checkpoint_timeout = 5min  # range 30s-1h
>
> #random_page_cost = 4.0
>
> autovacuum = off# enable autovacuum subprocess?
> # 'on' requires
> stats_start_collector
> # and stats_row_level to also be
> on
> #autovacuum_naptime = 1min  # time between autovacuum runs
> #autovacuum_vacuum_threshold = 500  # min # of tuple updates before
> # vacuum
> #autovacuum_analyze_threshold = 250 # min # of tuple updates before
> # analyze
> #autovacuum_vacuum_scale_factor = 0.2   # fraction of rel size before
> # vacuum
> #autovacuum_analyze_scale_factor = 0.1  # fraction of rel size before
> # analyze
> #autovacuum_freeze_max_age = 2  # maximum XID age before forced
> vacuum
> # (change requires restart)
> #autovacuum_vacuum_cost_delay = -1  # default vacuum cost delay for
> # autovacuum, -1 means use
> # vacuum_cost_delay
> #autovacuum_vacuum_cost_limit = -1  # default vacuum cost limit for
> # autovacuum, -1 means use
> # vacuum_cost_limit
>
> -Original Message-
> From:
> [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> s.org] On Behalf Of Peter Nixon
> Sent: Thursday, July 26, 2007 9:53 AM
> To: FreeRadius users mailing list
> Subject: Re: SQLIPPool performance issue
>
> On Thu 26 Jul 2007, Kenneth Marshall wrote:
> > Roy,
> >
> > It sounds like you may need to adjust the DB parameters. The defaults,
> > even in 8.2, are still fairly conservative. Would you post your
>
> current
>
> > settings for things like:
> >
> > max_connections
> > shared_buffers
> > work_mem
> > maintenance_work_mem
> > max_fsm_pages
> > vacuum_cost_*
> > bgwriter_*
> > wal_buffers
> > commit_delay
> > commit_siblings
> > checkpoint_segments
> > checkpoint_timeout
> > random_page_cost
> > effective_cache_size
> > autovacuum
> > autovacuum_*
> >
> > Basically, anything you have changed from the default configuration
> > file. Proper choices for these parameters can make a huge difference
> > in baseline performance.
>
> Yep. My guess is, on that box, if he is running a default Postgresql
> config
> he should get 10-100 times greater performance after tuning it correctly
> for
> the ram and cpu setup..
>
> Cheers



-- 

Peter Nixon
http://peternixon.net/


Re: radiusd startup problem

2007-07-26 Thread Alan DeKok
ram wrote:
> rlm_acct_unique: Cannot find attribute 'NAS-IP-Address' in dictionary

  Huh?

  a) you didn't install the server correctly
  b) you installed the server on top of a pre-existing server that was
broken

  Alan DeKok.


Re: SQL and different accounting records by NAS

2007-07-26 Thread tnt
In 1.1.6 you can make several sql.conf modules with different accounting
queries. Then sort out which NAS uses which in acct_users file. Read
about multiple sql instances :

http://wiki.freeradius.org/Rlm_sql

Ivan Kalik
Kalik Informatika ISP


On 26/7/2007, "Nicolas Velazquez" <[EMAIL PROTECTED]> writes:

>
>
>Thank you very much Ivan.
>It's very useful to know that 2.0 could include these features.
>
>But, also, it's very useful to know if 1.1.6 includes or not any of these.
>And this is an important question.
>In the past I wasted so much time reading, 
>searching and testing features that finally were 
>impossible for a certain version of software .
>
>Another key is the stability.
>2.0 is a pre-release and the service must not support outages or bugs.
>Of course, we shall update to 2.0 as soon as the 
>software can be reasonably stable.
>But now, the only programmed update in the next future is 1.1.7.
>
>Thanks again for such useful information
>
>  Nicolas
>
> >
> >Have a look at 2.0. It can do if/than/else in .conf files
> >so you should
> >be able to define different sql statements for different
> >cases.
> >
> >Ivan Kalik
> >Kalik Informatika ISP
> >
> >
> >On 26/7/2007, "Nicolas Velazquez"  >uam.es> writes:
> >
> >>Hi,
> >>
> >>We are using freeradius 1.1.6, now, to provide
> >>access for our wireless network only.
> >>The accounting is very detailed and
> >>comprehensive: IP addresses, usernames,  packets, roles,
> >APs, SSIDs, etc.
> >>
> >>Now, we are starting to use the same radius to
> >>give 802.1x access to our wired network.
> >>
> >>The key is that the accounting records for a wired switch
> >are VERY different.
> >>Now, AP and SSID, are nonsense items, for example.
> >>But we need another records.
> >>
> >>Can freeradius use different accounting sql inserts
> >depending on NAS?
> >>
> >>Is there any document showing something like this?
> >>I have read many documents but I can not find a clear
> >answer.
> >>
> >>This was the main question.
> >>
> >>A related tiny question is as follows.
> >>The most comfortable configuration will be to use
> >>different accounting inserts depending on huntgroups.
> >>Then we could select sql inserts for one
> >>huntgroup (all our wired NASes) and different sql
> >>insert for another huntgroup (all our wireless NASes).
> >>The addition, remove or change of the different
> >>NASes could be made modifying only the lists contained in
> >the huntgroups file.
> >>It could be very clean and useful.
> >>But, when I read the huntgroups documentation I
> >>have  the strong suspect I can´t do this.
> >>
> >>Thank you very much in advance,
> >>
> >>Nicolas Velazquez
> >>
> >
> >
>
>
>- 
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

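The setup Ivan describes (one sql module instance per kind of NAS, chosen per NAS) and the huntgroup-based layout Nicolas asks for produce the same data flow: an Accounting-Request from a wireless NAS fills one table with wireless columns, one from a wired switch fills another with switch-port columns, and only huntgroup membership decides which. The following is an added example that models that flow in Python outside FreeRADIUS; it is not FreeRADIUS code and not the sql.conf/acct_users configuration itself. Table names, column names, huntgroup lists and both sample requests are constructed for the example.

```python
"""Per-huntgroup accounting inserts, modelled outside FreeRADIUS.

Added example, not FreeRADIUS code and not the configuration Ivan describes
(multiple sql module instances selected in acct_users). Table names, column
names, huntgroup lists and the two sample requests are constructed.
"""
import sqlite3

# Constructed huntgroup lists keyed by NAS IP, as a huntgroups file would hold them.
HUNTGROUPS = {
    "wireless": {"10.0.0.10", "10.0.0.11"},
    "wired": {"10.0.1.20", "10.0.1.21"},
}

SCHEMA = """
CREATE TABLE radacct_wireless (
    acctsessionid TEXT PRIMARY KEY, username TEXT, nasipaddress TEXT,
    calledstationid TEXT, acctinputoctets INTEGER, acctoutputoctets INTEGER);
CREATE TABLE radacct_wired (
    acctsessionid TEXT PRIMARY KEY, username TEXT, nasipaddress TEXT,
    nasport INTEGER, acctinputoctets INTEGER, acctoutputoctets INTEGER);
"""

# One parameterized INSERT per huntgroup, with the RADIUS attributes that fill it.
# Values are bound as parameters, never pasted into the SQL text, because every
# one of them arrives from the NAS.
INSERTS = {
    "wireless": (
        "INSERT INTO radacct_wireless VALUES (?, ?, ?, ?, ?, ?)",
        ("Acct-Session-Id", "User-Name", "NAS-IP-Address", "Called-Station-Id",
         "Acct-Input-Octets", "Acct-Output-Octets"),
    ),
    "wired": (
        "INSERT INTO radacct_wired VALUES (?, ?, ?, ?, ?, ?)",
        ("Acct-Session-Id", "User-Name", "NAS-IP-Address", "NAS-Port",
         "Acct-Input-Octets", "Acct-Output-Octets"),
    ),
}

# Constructed Accounting-Request contents (attribute name -> value).
WIRELESS_REQUEST = {
    "Acct-Session-Id": "4a2f0001", "User-Name": "alice", "NAS-IP-Address": "10.0.0.10",
    "Called-Station-Id": "00-11-22-33-44-55:corp-wifi",
    "Acct-Input-Octets": 1200, "Acct-Output-Octets": 34000,
}
WIRED_REQUEST = {
    "Acct-Session-Id": "4a2f0002", "User-Name": "o'brien", "NAS-IP-Address": "10.0.1.20",
    "NAS-Port": 17, "Acct-Input-Octets": 500, "Acct-Output-Octets": 9000,
}


def open_store():
    """In-memory database with both accounting tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def huntgroup_for(nas_ip):
    """Name of the huntgroup containing this NAS, or None for an unlisted NAS."""
    for name, members in HUNTGROUPS.items():
        if nas_ip in members:
            return name
    return None


def store_accounting(conn, request):
    """Insert one Accounting-Request into its huntgroup's table.

    Returns the huntgroup used, or None (and writes nothing) when the NAS is in
    no huntgroup; adding or removing a NAS therefore only means editing HUNTGROUPS.
    """
    group = huntgroup_for(request.get("NAS-IP-Address"))
    if group is None:
        return None
    sql, attribute_names = INSERTS[group]
    conn.execute(sql, tuple(request.get(name) for name in attribute_names))
    conn.commit()
    return group


def usernames(conn, table):
    """Stored usernames for one of the two known tables (table name is whitelisted)."""
    if table not in ("radacct_wireless", "radacct_wired"):
        raise ValueError("unknown accounting table")
    return [row[0] for row in conn.execute(f"SELECT username FROM {table} ORDER BY 1")]


if __name__ == "__main__":
    db = open_store()
    for req in (WIRELESS_REQUEST, WIRED_REQUEST):
        print(req["NAS-IP-Address"], "->", store_accounting(db, req))
    print(usernames(db, "radacct_wireless"), usernames(db, "radacct_wired"))
```

The username with an apostrophe is there on purpose: because the attribute values are bound as parameters, it is stored verbatim and cannot alter the statement, which is the property to preserve when each huntgroup gets its own hand-written INSERT.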


Openldap - Freeradius - auto vlan

2007-07-26 Thread Fabio Silva
Hi all, I need to configure a system that works with openldap +
freeradius and that assigns the vlan automatically to the users... does
anybody have any howto to do it?

I read this one: http://www.freeradius.org/radiusd/doc/ldap_howto.txt
but the versions of the software are very old, and in some parts of
the howto some options do not work.

Regards,

Fabio


SQL and different accounting records by NAS

2007-07-26 Thread Nicolas Velazquez
 >Date: Thu, 26 Jul 2007 13:31:37 +0100
 >From: <[EMAIL PROTECTED]>
 >Subject: Re: SQL and different accounting records by NAS
 >To: "FreeRadius users mailing list"
 >  
 >Message-ID: <[EMAIL PROTECTED]>
 >Content-Type: text/plain; charset=ISO-8859-2
 >
 >Have a look at 2.0. It can do if/than/else in .conf files
 >so you should
 >be able to define different sql statements for different
 >cases.
 >
 >Ivan Kalik
 >Kalik Informatika ISP
 >


Thank you very much Ivan.
It's very useful to know that 2.0 could include these features.

But, also, it's very useful to know if 1.1.6 includes or not any of these.
And this is an important question.
In the past I wasted so much time reading, 
searching and testing features that finally were 
impossible for a certain version of software .

Another key is the stability.
2.0 is a pre-release and the service must not support outages or bugs.
Of course, we shall update to 2.0 as soon as the 
software can be reasonably stable.
But now, the only programmed update in the next future is 1.1.7.

Thanks again for such useful information

  Nicolas




Fwd: final rlm_perl question, hopefully...

2007-07-26 Thread FreeRadius-ML
Hi All,

  Ok, after reviewing all the information that was received, I've setup my 
FreeRadius
as following:

1. The authorize and authenticate sections are setup to activate digest and 
perl.
2. My rlm_perl script utilizes the following lines in order to return the 
unencrypted 
   user password back to FreeRadius for digest authentication:

   $RAD_CHECK{'Cleartext-Password'} = "xx";   # Remove this line for production
   $RAD_CHECK{'User-Password'} = "xx";        # Remove this line for production

   I just put these inside my script for checking, later on this information 
will be
retrieved from an external source.

  Now, FreeRadius activates my rlm_perl module, no problem, as I can see the 
various 
reply fields being setup, however, I'm still getting the following error:


rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: Digest-Response = 632905a2325f672f049800eda7df9ee4
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Sip-Uri-User = z2l
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0xbbc93f0)
rlm_perl: RAD_REPLY: Reply-Message = User accepted by z2l WSDL
rlm_perl: RAD_REPLY: z2l-Duration = 60
rlm_perl: RAD_REPLY: z2l-Status = 2
rlm_perl: RAD_REPLY: z2l-Session = 833abb3d-d047-4d0d-a40e-2e147049f96d
rlm_perl: Added pair Reply-Message = User accepted by z2l
rlm_perl: Added pair z2l-Duration = 60
rlm_perl: Added pair z2l-Status = 2
rlm_perl: Added pair z2l-Session = 833abb3d-d047-4d0d-a40e-2e147049f96d
rlm_perl: Added pair Cleartext-Password = z2l
rlm_perl: Added pair User-Password = z2l
rlm_perl: Added pair Auth-Type = digest
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0xb933260
  modcall[authorize]: module "perl" returns ok for request 5
rlm_realm: Looking up realm "192.168.2.80" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm "192.168.2.80"
  modcall[authorize]: module "suffix" returns noop for request 5
modcall: leaving group authorize (returns ok) for request 5
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_digest: Configuration item "User-Password" or Digest-HA1 is required for authentication.
  modcall[authenticate]: module "digest" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/] (from client 192.168.2.80 port 5060)
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 3 seconds...

  Now, my configuration is very very simple. In the authorize I have digest and
perl enabled, in authenticate I have only digest enabled. If I read the debug
correctly, the authorization is going ok:

  modcall[authorize]: module "perl" returns ok for request 5
rlm_realm: Looking up realm "192.168.2.80" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm "192.168.2.80"
  modcall[authorize]: module "suffix" returns noop for request 5
  modcall: leaving group authorize (returns ok) for request 5

  However, the authentication section fails: 

rad_check_password:  Found Auth-Type DIGEST
  auth: type "digest"
Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 5
  rlm_digest: Configuration item "User-Password" or Digest-HA1 is required for authentication.
modcall[authenticate]: module "digest" returns invalid for request 5
  modcall: leaving group authenticate (returns invalid) for request 5
  auth: Failed to validate the user.
  Login incorrect: [EMAIL PROTECTED]/] (from client 192.168.2.80 port 5060)

  So, I'm either returning something in the wrong way, or I've broken something
again. Any pointers on the issue would be highly appreciated.

Regards,
  Z2L



Re: SQLIPPool performance issue

2007-07-26 Thread Peter Nixon
On Thu 26 Jul 2007, Kenneth Marshall wrote:
> Roy,
>
> It sounds like you may need to adjust the DB parameters. The defaults,
> even in 8.2, are still fairly conservative. Would you post your current
> settings for things like:
>
> max_connections
> shared_buffers
> work_mem
> maintenance_work_mem
> max_fsm_pages
> vacuum_cost_*
> bgwriter_*
> wal_buffers
> commit_delay
> commit_siblings
> checkpoint_segments
> checkpoint_timeout
> random_page_cost
> effective_cache_size
> autovacuum
> autovacuum_*
>
> Basically, anything you have changed from the default configuration
> file. Proper choices for these parameters can make a huge difference
> in baseline performance.

Yep. My guess is, on that box, if he is running a default PostgreSQL config
he should get 10-100 times greater performance after tuning it correctly for
the RAM and CPU setup.

Cheers

-- 

Peter Nixon
http://peternixon.net/


Re: debug_level

2007-07-26 Thread Alan DeKok
VM wrote:
> I can't find anything the various documentation sources
> related to the debug_level parameter.

  There is none.

> It seems to be usually put to a value of 0.
> Can you explain what are the relevant values for this parameter
> and what it is supposed to control ?

  It controls debugging.

> My need is to get debug information on ldap communication but
> could not start FreeRadius in debug mode because the resulting logs
> must be stored in a file for further analysis (I can't stay in front of my
> display waiting for a random crash to happen).
>  
> Does this parameter allow this ?
> If not, is there another way ?

$ script log.txt
$ radiusd -X

$ exit
$ more log.txt

  Alan DeKok.
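The same idea as Alan's script/radiusd -X recipe, arranged so it runs unattended and can be left waiting for the crash. This is an added example, not something from the thread: a POSIX shell wrapper that runs any command with stdout and stderr merged into a log file, stamps each line with the time (so the crash can be located later) and masks secrets before they reach disk. The masking is grounded in what radiusd -X prints, as seen elsewhere in this thread: "Added pair Cleartext-Password = ..." / "User-Password = ..." pairs and the rlm_ldap "bind as <dn>/<password>" line. The command used in the demo at the bottom is a constructed stand-in for radiusd -X.

```shell
#!/bin/sh
# Added example, not from the list post: run a command (meant for "radiusd -X")
# unattended, logging timestamped and secret-masked output to a file.

# Mask password-carrying attribute values and the rlm_ldap bind password.
redact_secrets() {
    sed -E \
        -e 's/((Cleartext-Password|User-Password) *= *).*/\1<redacted>/' \
        -e 's#(rlm_ldap: bind as [^/]*)/[^ ]*#\1/<redacted>#'
}

# Prefix every line with a UTC ISO-8601 timestamp.
stamp_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$line"
    done
}

# capture_debug LOGFILE CMD [ARGS...]
# Runs CMD with stdout+stderr merged, masked and timestamped, appended to LOGFILE.
# Returns CMD's own exit status (not sed's), so a crash is visible to the caller.
capture_debug() {
    log=$1; shift
    st=0
    # The left side of the pipeline is a subshell, so CMD's status is handed
    # back through a small side file.
    { "$@" 2>&1 || st=$?; echo "$st" > "${log}.status"; } \
        | redact_secrets | stamp_lines >> "$log"
    st=$(cat "${log}.status"); rm -f "${log}.status"
    return "$st"
}

# count_module_lines LOGFILE MODULE: how many lines a module (e.g. rlm_ldap)
# wrote, a quick way to pull one module's trace out of a long debug log.
count_module_lines() {
    grep -c "$2:" "$1"
}

# Demo with a constructed stand-in for radiusd -X (run: sh thisfile.sh demo).
if [ "${1:-}" = "demo" ]; then
    capture_debug /tmp/radiusd-debug.log sh -c '
        echo "rlm_perl: Added pair Cleartext-Password = z2l"
        echo "rlm_ldap: bind as cn=ldapreader,dc=test,dc=com/blargh to ldap.test.com:636"
        echo "rlm_ldap: Bind was successful"
        exit 3'
    echo "exit status: $?"
    cat /tmp/radiusd-debug.log
fi
```

For the real thing the call is `capture_debug /var/log/radius/debug.log radiusd -X` under nohup or a service manager; the log can then be searched with `grep rlm_ldap:` once the crash has happened, and it does not hold the users' or the LDAP bind password.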


Re: Freeradius + DHCP +vlans ???

2007-07-26 Thread George Beitis
In access points it does not do any routing, from what I can tell so far.

Phil Mayers wrote:
> On Thu, 2007-07-26 at 14:09 +0100, [EMAIL PROTECTED] wrote:
>   
>> Are you sure? Type:
>>
>> ip dhcp pool whatever(pool name)
>>
>> in configuration mode and you should go into dhcp pool configuration. You
>> should be able to configure IP range (network), gateway
>> (derfault-router) and DNS (dns-server) from there. I am sure dhcp is
>> included in IOS.
>> 
>
> Sure, in IOS for routers. Does the IOS on the APs do routing? I've never
> tried it.
>
>
>



Dusty Doris

2007-07-26 Thread Fabio Silva
Dusty Doris, are you here? I need to talk to you, and your mail
[EMAIL PROTECTED] doesn't work...

Sorry for all,

Regards


Re: Freeradius + DHCP +vlans ???

2007-07-26 Thread tnt
PS. In real life case you would send your dynamic vlan configuration with
IP addresses etc. from radius and keep your authentication, accounting
and IP administration in one place. That scales best.

Ivan Kalik
Kalik Informatika ISP


Dana 26/7/2007, "George Beitis" <[EMAIL PROTECTED]> piše:

>Hey Ivan
>no i dont have to use an external one, but it seems like the only choice
>as the Aironet 1200 access point does not come with one bundled it,
>which would have made my life easier, but on the other hand it wouldn't
>be extensible or simulate a real life case
>
>thanks for your reply
>regards
>George
>
>[EMAIL PROTECTED] wrote:
>> Do you have to use an external DHCP server (project requirement)? Aironet
>> has one (Cisco IOS). You can define DHCP pools on the AP and pass avpair
>> for the pool with your vlan configuration from Freeradius. You can also
>> do away with DHCP, define ip_pools in Freeradius and pass addresses, DNS
>> etc. with vlan configuration directly from radius.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> Dana 26/7/2007, "George Beitis" <[EMAIL PROTECTED]> piše:
>>
>>   
>>> Dear Phil
>>> Firstly thank you for taking the time to reply and for your straight
>>> forward reply to this matter.  I 'm doing this as part of my MSc
>>> project, well this is actually part of the initial setup, not the
>>> project it self, and i have in my disposal a limited number of
>>> devices.   I borrowed a cisco aeronet 1200 access point from my
>>> department, which supports vlans and i also have a linksys router
>>> (wrt54gl) (which i will use as a switch) and i have an old computer with
>>> one ethernet card which i intend to install freeradius on and a dhcp
>>> server.  From there on i might add some more devices each belonging to a
>>> different vlan.
>>>
>>> My thinking from what you said is to setup the vlans/tunnels  on the
>>> access point, setup freeradius and then run a dhcp server on the old
>>> computer.  If i want to add the dhcp server to many virtual lans do i
>>> need to create some sort of virtual interface for each?  Or does the
>>> router need to be aware of where to forward dhcp packets coming from
>>> different vlans?
>>>
>>> thank you for your help
>>>
>>> regards
>>> George
>>>

Wrong behaviour of rlm_ldap module + users file

2007-07-26 Thread inverse
Hi,

this problem is simple (everything not shown here is v1.1.6
out-of-the-box radiusd configuration):

users file line:
[EMAIL PROTECTED] Auth-Type := EAP, User-Password == "a",  Ldap-Group == "wifi"

this is a test line, [EMAIL PROTECTED] uses EAP-MD5 , but I want to
check if he's in the Ldap-Group named 'wifi'.

radiusd.conf lines, ldap section:

filter ="(uid=%{User-Name})"
edir_account_policy_check=no
password_attribute = userPassword
groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"

This is where I actually suck. I think this is correct, but it won't
work as expected because:


rad_recv: Access-Request packet from host 149.132.5.108:35285, id=0, length=160
User-Name = "[EMAIL PROTECTED]"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x021f0170616f6c6f2e676169617264656c6c6940756e696d69622e6974
Message-Authenticator = 0x14b3675352d738629cc1bb21695f3122
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/127.0.0.1/auth-detail-20070726'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20070726
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "test.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "test.com"
rlm_realm: Proxying request from user john.doe to realm test.com
rlm_realm: Adding Realm = "test.com"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 31
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=test,dc=com
radius_xlat:  '([EMAIL PROTECTED])'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.test.com:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/crl/root.pem
rlm_ldap: bind as cn=ldapreader,ou=servizi,dc=test,dc=com/blargh to ldap.test.com:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=test,dc=com, with filter ([EMAIL PROTECTED])
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(objectClass=GroupOfNames)([EMAIL PROTECTED]))'

This is where the problem arises. I don't want to check if
[EMAIL PROTECTED] exists.
rlm_ldap wants to, but that's not what I told him to do. I never told
rlm_ldap to verify if [EMAIL PROTECTED] is an LDAP user. Now he is,
but only because I created him.


rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=test,dc=com, with filter (&(cn=wifi)(&(objectClass=GroupOfNames)([EMAIL PROTECTED])))
rlm_ldap::ldap_groupcmp: User found in group wifi

and THIS is what I want rlm_ldap to do.
I want to check this and only this, since [EMAIL PROTECTED] is a
member of wifi and doesn't exist anywhere else in the LDAP tree. He
isn't a user. He's just an object in group wifi.
That's what happens in my production environment. john.doe's login
fails because the first useless search fails.
I know I'm doing something horribly wrong, and I can't find out what's
my major malfunction.
Help!

rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry [EMAIL PROTECTED] at line 32


Bye,
Inverse.


Re: SQL and different accounting records by NAS

2007-07-26 Thread tnt
Have a look at 2.0. It can do if/then/else in .conf files so you should
be able to define different sql statements for different cases.

Ivan Kalik
Kalik Informatika ISP


Dana 26/7/2007, "Nicolas Velazquez" <[EMAIL PROTECTED]> piše:

>Hi,
>
>We are using freeradius 1.1.6, now, to provide 
>access for our wireless network only.
>The accounting is very detailed and 
>comprehensive: IP addresses, usernames,  packets, roles,  APs, SSIDs, etc.
>
>Now, we are starting to use the same radius to 
>give 802.1x access to our wired network.
>
>The key is that the accounting records for a wired switch are VERY different.
>Now, AP and SSID, are nonsense items, for example.
>But we need another records.
>
>Can freeradius use different accounting sql inserts depending on NAS?
>
>Is there any document showing something like this?
>I have read many documents but I can not find a clear answer.
>
>This was the main question.
>
>A related tiny question is as follows.
>The most comfortable configuration will be to use 
>different accounting inserts depending on huntgroups.
>Then we could select sql inserts for one 
>huntgroup (all our wired NASes) and different sql 
>insert for another huntgroup (all our wireless NASes).
>The addition, remove or change of the different 
>NASes could be made modifying only the lists contained in the huntgroups file.
>It could be very clean and useful.
>But, when I read the huntgroups documentation I 
>have the strong suspicion I can't do this.
>
>Thank you very much in advance,
>
>Nicolas Velazquez
>
>



Re: Freeradius + DHCP +vlans ???

2007-07-26 Thread George Beitis
Dear Phil
Firstly thank you for taking the time to reply and for your straight
forward reply to this matter.  I'm doing this as part of my MSc
project, well this is actually part of the initial setup, not the
project itself, and I have at my disposal a limited number of
devices.   I borrowed a Cisco Aironet 1200 access point from my
department, which supports vlans and I also have a Linksys router
(wrt54gl) (which I will use as a switch) and I have an old computer with
one ethernet card which I intend to install freeradius on and a dhcp
server.  From there on I might add some more devices each belonging to a
different vlan.

My thinking from what you said is to set up the vlans/tunnels on the
access point, set up freeradius and then run a dhcp server on the old
computer.  If I want to add the dhcp server to many virtual lans do I
need to create some sort of virtual interface for each?  Or does the
router need to be aware of where to forward dhcp packets coming from
different vlans?

thank you for your help

regards
George

Phil Mayers wrote:
> On Thu, 2007-07-26 at 02:00 +0100, George Beitis wrote:
>   
>> Hey guys
>> I am a bit new to the scene and i am having a few problems with
>> configuring freeradius.  In essence what i want is that the user, once
>> verified to be assigned to a specific vlan and get an ip address from a
>> dhcp server, which will be aware of the vlans and there for assign
>> different address and subnets to each.  Does this scenario make any
>> 
>
> yes
>
>   
>> sense?  Will it be the freeradius server that will be notifying the dhcp
>> server to aquire an address for the client?  Will the dhcp server then
>> 
>
> No
>
>   
>> contact the access point to let it know what address the client has been
>> given and it in its turn give it to the client?  Or will it be that the
>> 
>
> No
>
>   
>> access point will contact the dhcp server once it has the reply from the
>> freeradius server, giving it the vlan id/number and requesting an ip
>> address and other info?
>> 
>
> No
>
> The way it works is:
>
>  1. Client does either 802.1x
>  2. Access point forwards authentication to radius server
>  3. Multiple 802.1x round-trips between client and radius server, via AP
>  4. When authentication is complete, the radius server returns an
> Access-Accept with the vlan tag
>  5. Access point reads the vlan tag, assigns it
>  6. Client brings up it's IP stack, and emits a DHCP DISCOVER
>  7. AP forwards the clients packet into the vlan at layer2
>  8. The vlan/subnet router forwards the DHCP DISCOVER to the DHCP server
>  9. DHCP server assigns an IP address based on source subnet & mac
> address
>
> There's no interaction between DHCP and Radius, no interaction between a
> layer2 access point and DHCP (possibly dhcp option-82 insertion), and no
> real interaction with a layer2 access point and any IP protocol.
>
> Basically - you just configure the AP with >1 vlan, configure a router
> for each VLAN with dhcp relay enabled, and configure the radius server
> to tell the AP the right vlan number.
>
> BEWARE: not all APs support vlan assignment.
>
>
>   
>> Is this the right or wrong way of going about this?
>>
>> regards
>> George



Re: radiusd startup problem

2007-07-26 Thread Alan DeKok
ram wrote:
> What document?  To install the server the server, you just follow the
> instructions in the INSTALL.
>
> http://www.frontios.com/freeradius.html

  Please explain why you would prefer to follow third-party instructions
that talk about a version YEARS out of date.

  Even if it *is* referenced in doc/rlm_sql, it's obvious what you did.
 You installed the server, and then BEFORE trying to see if it works,
you spent a lot of time mangling the installation.

  It's like buying a car, and then tearing it to pieces because the fat
kid down the street gave you some "cool ideas".  If the car doesn't work
after that, don't complain to the dealership.  They'll laugh at you, and
then charge you tons of money to fix it.

  Alan DeKok.


Re: SQLIPPool performance issue

2007-07-26 Thread Peter Nixon
On Thu 26 Jul 2007, Alan DeKok wrote:
> Roy Walker wrote:
> > Ok chaning the indexes definately made some difference.  The database
> > load still went off the charts, but the radius logs were much better
> > with DB errors connect errors.  This still seems horribly slow.
>
>   The problem is that RADIUS servers take less time to do things than an
> SQL server needs.  So when you hammer the RADIUS server with requests,
> the SQL server is getting 5-10x the load.
>
> > Here is the command I am using to test: /radclient -p 2 -d
> > /usr/src/freeradius-server-snapshot-20070725/share -f
> > /tmp/radclient-test 1.1.1.10 auth testing123 Where the radclient-test
> > file has 5000 client requests seperated by the necessary blank lines.
>
>   FreeRADIUS should really be a little smarter about loading the SQL
> server.  But it's a very hard problem to solve in a good way.
>
>   i.e. "if SQL server is busy, stop processing the current request, BUT
> remember to wake up later to keep processing it."
>
>   The only real solution is to get a bigger machine to handle the
> database, OR slow down on the RADIUS traffic.

Yep. There are a few things you can do to limit disastrous situations though.
* Turn off any SQL query that you don't need...
* Run Accounting and Auth queries through different sql module instances so a
flood of auth doesn't kill accounting and vice versa. SQLIPPool can be on a
3rd instance...
* Give the radippool table a dedicated disk spindle, or even a dedicated
server..
* Likewise for radacct vs all the auth tables.. Auth is read intensive, acct
is write intensive.. (You can use different types of RAID even...)
* Use radrelay for accounting if possible. Queueing is good for your health..

Given that as far as I can tell you are ONLY testing Auth performance at
present, most of these won't help you :-(

Cheers

-- 

Peter Nixon
http://peternixon.net/


Re: radiusd startup problem

2007-07-26 Thread ram

On 7/26/07, Alan DeKok <[EMAIL PROTECTED]> wrote:


ram wrote:
> rlm_acct_unique: Cannot find attribute 'NAS-IP-Address' in dictionary

Huh?

a) you didn't install the server correctly
b) you installed the server on top of a pre-existing server that was
broken




Hi

I have installed a fresh copy following the freeradius+mysql document.

I am trying to integrate with openser.

Any suggestion what documents to follow?

ram

Re: Openldap - Freeradius - auto vlan

2007-07-26 Thread Alan DeKok
Fabio Silva wrote:
> Hi all, i need to configure a system that works with openldap +
> freeradius  and that assign the vlan automatic to the users... does
> anybody has any howto to do it?

  Read your NAS documentation on what attributes it needs to assign a
VLAN.  Then, make FreeRADIUS send them.

> I read this one: http://www.freeradius.org/radiusd/doc/ldap_howto.txt
> but, the versions of the softwares is very old, and in some parts of
> the howto some options does not work.

  The server includes that document, along with doc/rlm_ldap.  The
comments in the radiusd.conf file document the configuration items, and
are up to date.

  Do you have a *specific* question?  i.e. Saying "it doesn't work"
doesn't help.  What did you do?

  Alan DeKok.


radiusd startup problem

2007-07-26 Thread ram

Hi all

I have installed freeradius-1.1.6
with mysql

when I run radiusd -X

I get the following error


rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
rlm_acct_unique: Cannot find attribute 'NAS-IP-Address' in dictionary
radiusd.conf[1159]: acct_unique: Module instantiation failed.
radiusd.conf[1753] Unknown module "acct_unique".
radiusd.conf[1747] Failed to parse preacct section.

any suggestions

ram

SQL and different accounting records by NAS

2007-07-26 Thread Nicolas Velazquez

 >Date: Thu, 26 Jul 2007 13:31:37 +0100
 >From: <[EMAIL PROTECTED]>
 >Subject: Re: SQL and different accounting records by NAS
 >To: "FreeRadius users mailing list"
 >  
 >Message-ID: <[EMAIL PROTECTED]>
 >Content-Type: text/plain; charset=ISO-8859-2
 >
 >Have a look at 2.0. It can do if/then/else in .conf files
 >so you should
 >be able to define different sql statements for different
 >cases.
 >
 >Ivan Kalik
 >Kalik Informatika ISP
 >


Thank you very much Ivan.
It's very useful to know that 2.0 could include these features.

But, also, it's very useful to know if 1.1.6 includes or not any of these.
And this is an important question.
In the past I wasted so much time reading,
searching and testing features that finally were
impossible for a certain version of software.

Another key is the stability.
2.0 is a pre-release and the service must not support outages or bugs.
Of course, we shall update to 2.0 as soon as the 
software can be reasonably stable.
But now, the only programmed update in the next future is 1.1.7.

Thanks again for such useful information

  Nicolas




Re: final rlm_perl question, hopefully...

2007-07-26 Thread FreeRadius-ML
Hi all,

  Please disregard, I've solved the thing ;-) Silly typo in the return.

Z2L

- Original Message -
From: "FreeRadius-ML" <[EMAIL PROTECTED]>
To: "freeradius-users" 
Sent: Thursday, July 26, 2007 6:41:21 PM (GMT+0200) Asia/Jerusalem
Subject: Fwd: final rlm_perl question, hopefully...




Re: Wrong behaviour of rlm_ldap module + users file

2007-07-26 Thread inverse
> >
> > users file line:
> > [EMAIL PROTECTED] Auth-Type := EAP, User-Password == "a",  Ldap-Group == 
> > "wifi"
>
> Totally wrong. You want:
>
> [EMAIL PROTECTED] Cleartext-Password := "a", Ldap-Group == "wifi"
>

Thanks, I owe you one


Bye,
Inverse.


Re: Freeradius + DHCP +vlans ???

2007-07-26 Thread Phil Mayers
On Thu, 2007-07-26 at 14:09 +0100, [EMAIL PROTECTED] wrote:
> Are you sure? Type:
> 
> ip dhcp pool whatever(pool name)
> 
> in configuration mode and you should go into dhcp pool configuration. You
> should be able to configure IP range (network), gateway
> (default-router) and DNS (dns-server) from there. I am sure dhcp is
> included in IOS.

Sure, in IOS for routers. Does the IOS on the APs do routing? I've never
tried it.





Re: Freeradius + DHCP +vlans ???

2007-07-26 Thread Phil Mayers

> My thinking from what you said is to setup the vlans/tunnels  on the
> access point, setup freeradius and then run a dhcp server on the old
> computer.  If i want to add the dhcp server to many virtual lans do i
> need to create some sort of virtual interface for each?  Or does the
> router need to be aware of where to forward dhcp packets coming from
> different vlans?

Yes. If you're running linux, you can create them manually:

vconfig set_name_type DEV_PLUS_VID_NO_PAD   # DEV_PLUS_VID would name it eth0.0010, not eth0.10
vconfig add eth0 10
ifconfig eth0.10 up
ifconfig eth0.10 10.10.0.1 netmask 255.255.255.0

...better yet, most Linux distributions have vlan-aware init scripts
e.g. on Fedora/Redhat:

echo "VLAN=yes" >>/etc/sysconfig/network
cat >>/etc/sysconfig/network-scripts/ifcfg-eth0.10 
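The same per-VLAN sub-interface setup for the DHCP host or router, as an added example that is not from Phil's post nor any distribution's init script: a small POSIX shell script that checks the 802.1Q tag first and then emits either the iproute2 commands (`ip link ... type vlan`, the current replacement for vconfig) or the matching Fedora/Red Hat ifcfg file. `eth0`, the VLAN ids 10 and 20 and the 10.x.0.1/24 addresses are constructed values.

```shell
#!/bin/sh
# Added example, not from the list post: generate Linux 802.1Q sub-interface
# setup for a DHCP host or router that must sit in several VLANs.
# "eth0", the VLAN ids and the addresses used below are constructed values.

# valid_vid VID: accept only a decimal 802.1Q tag in 1..4094 (0 and 4095 are reserved).
valid_vid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 4094 ]; then return 0; fi
    return 1
}

# vlan_link_cmds DEV VID ADDR/PREFIX: print the iproute2 commands that create
# DEV.VID, address it and bring it up. The name is given explicitly, so it is
# DEV.VID regardless of any vconfig name-type setting.
vlan_link_cmds() {
    valid_vid "$2" || { echo "vlan_link_cmds: bad VLAN id '$2'" >&2; return 1; }
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$1" "$1" "$2" "$2"
    printf 'ip addr add %s dev %s.%s\n' "$3" "$1" "$2"
    printf 'ip link set %s.%s up\n' "$1" "$2"
}

# vlan_ifcfg DEV VID IPADDR NETMASK: print the Fedora/Red Hat
# /etc/sysconfig/network-scripts/ifcfg-DEV.VID that makes the interface
# persistent (VLAN=yes in /etc/sysconfig/network is still required).
vlan_ifcfg() {
    valid_vid "$2" || { echo "vlan_ifcfg: bad VLAN id '$2'" >&2; return 1; }
    printf 'DEVICE=%s.%s\nVLAN=yes\nONBOOT=yes\nBOOTPROTO=static\nIPADDR=%s\nNETMASK=%s\n' \
        "$1" "$2" "$3" "$4"
}

# vlan_plan DEV VID=ADDR/PREFIX...: one sub-interface per VLAN; stops at the
# first bad entry so a typo does not leave the host half-configured.
vlan_plan() {
    dev=$1; shift
    for entry in "$@"; do
        vid=${entry%%=*}; addr=${entry#*=}
        [ "$vid" != "$entry" ] && [ -n "$addr" ] \
            || { echo "vlan_plan: expected VID=ADDR/PREFIX, got '$entry'" >&2; return 1; }
        vlan_link_cmds "$dev" "$vid" "$addr" || return 1
    done
}

# Demo (run: sh thisfile.sh demo): a router with two VLAN sub-interfaces.
if [ "${1:-}" = "demo" ]; then
    vlan_plan eth0 10=10.10.0.1/24 20=10.20.0.1/24
    vlan_ifcfg eth0 10 10.10.0.1 255.255.255.0
fi
```

The functions only print. Review the output, then feed it to a root shell (`vlan_plan eth0 10=10.10.0.1/24 20=10.20.0.1/24 | sh`) or write `vlan_ifcfg`'s output to `/etc/sysconfig/network-scripts/ifcfg-eth0.10`. The port on the switch or AP facing this host has to carry those VLANs tagged, and whatever serves DHCP on the sub-interfaces still needs one subnet declaration per VLAN.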

Re: Freeradius + DHCP +vlans ???

2007-07-26 Thread tnt
Are you sure? Type:

ip dhcp pool whatever(pool name)

in configuration mode and you should go into dhcp pool configuration. You
should be able to configure IP range (network), gateway
(default-router) and DNS (dns-server) from there. I am sure dhcp is
included in IOS.

Ivan Kalik
Kalik Informatika ISP


On 26/7/2007, "George Beitis" <[EMAIL PROTECTED]> writes:

>Hey Ivan
>no i dont have to use an external one, but it seems like the only choice
>as the Aironet 1200 access point does not come with one bundled it,
>which would have made my life easier, but on the other hand it wouldn't
>be extensible or simulate a real life case
>
>thanks for your reply
>regards
>George

Re: Freeradius + DHCP +vlans ???

2007-07-26 Thread George Beitis
Hey Ivan
no i dont have to use an external one, but it seems like the only choice
as the Aironet 1200 access point does not come with one bundled it,
which would have made my life easier, but on the other hand it wouldn't
be extensible or simulate a real life case

thanks for your reply
regards
George

[EMAIL PROTECTED] wrote:
> Do you have to use an external DHCP server (project requirement)? Aironet
> has one (Cisco IOS). You can define DHCP pools on the AP and pass avpair
> for the pool with your vlan configuration from Freeradius. You can also
> do away with DHCP, define ip_pools in Freeradius and pass addresses, DNS
> etc. with vlan configuration directly from radius.
>
> Ivan Kalik
> Kalik Informatika ISP



Re: SQLIPPool performance issue

2007-07-26 Thread Kenneth Marshall
Roy,

It sounds like you may need to adjust the DB parameters. The defaults,
even in 8.2, are still fairly conservative. Would you post your current
settings for things like:

max_connections
shared_buffers
work_mem
maintenance_work_mem
max_fsm_pages
vacuum_cost_*
bgwriter_*
wal_buffers
commit_delay
commit_siblings
checkpoint_segments
checkpoint_timeout
random_page_cost
effective_cache_size
autovacuum
autovacuum_*
 
Basically, anything you have changed from the default configuration
file. Proper choices for these parameters can make a huge difference
in baseline performance.

Ken

On Wed, Jul 25, 2007 at 11:27:53PM -0500, Roy Walker wrote:
> Ok changing the indexes definitely made some difference.  The database load 
> still went off the charts, but the radius logs were much better with DB 
> errors connect errors.  This still seems horribly slow.
>  
> I can take it down to 2 simultaneous connections on the radclient test and 
> will still get some IP Allocation FAILED (although way less than I was) 
> messages in the radius logs.  With only 2 simultaneous connections the DB 
> load hovers around 1 so that seems fine.
>  
> Here is the command I am using to test: /radclient -p 2 -d 
> /usr/src/freeradius-server-snapshot-20070725/share -f /tmp/radclient-test 
> 1.1.1.10 auth testing123
> Where the radclient-test file has 5000 client requests separated by the 
> necessary blank lines.
>  
> I guess I will spend some time tomorrow and enable postgres query logging.  I 
> already have an idea of what I am going to find, there is just an insane 
> number of queries running per auth request and the subsequent IP allocation...
>  
> Peter: If you can share any query changes you have, I would be most 
> appreciative.
>  
> Roy
> 
>  
> 
> 
> From: [EMAIL PROTECTED] on behalf of Peter Nixon
> Sent: Wed 7/25/2007 6:30 PM
> To: FreeRadius users mailing list
> Subject: Re: SQLIPPool performance issue
> 
> 
> 
> Hi Roy
> 
> The default indexes are:
> 
> CREATE INDEX radippool_poolname_ipaadr ON radippool USING btree (pool_name,
> framedipaddress);
> CREATE INDEX radippool_poolname_expire ON radippool USING btree (pool_name,
> expiry_time);
> CREATE INDEX radippool_nasipaddr_poolkey ON radippool USING btree
> (nasipaddress, pool_key);
> CREATE INDEX radippool_nasipaddr_calling ON radippool USING btree
> (nasipaddress, callingstationid);
> 
> After reading though them, I think they need some work... (My production
> queries are a little different and so are my indexes)
> 
> I think a better index set would be:
> 
> CREATE INDEX radippool_poolname_expire ON radippool USING btree (pool_name,
> expiry_time);
> CREATE INDEX radippool_framedipaddress ON radippool USING btree
> (framedipaddress);
> CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool USING btree
> (nasipaddress, pool_key, framedipaddress);
> 
> Therefore, please run the following on your postgresql database, and report
> back to me what difference it makes:
> 
> DROP INDEX radippool_poolname_ipaadr;
> DROP INDEX radippool_nasipaddr_poolkey;
> DROP INDEX radippool_nasipaddr_calling;
> CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool USING btree
> (nasipaddress, pool_key, framedipaddress);
> CREATE INDEX radippool_framedipaddress ON radippool USING btree
> (framedipaddress);
> 
> Cheers
> 
> Peter
> 
> On Thu 26 Jul 2007, Roy Walker wrote:
> > Using freeradius-server-snapshot-20070705.
> >
> > I have setup a test scenario where radclient is sending 500 simultaneous
> > requests to the radius server.  This drives the load on the radius and
> > postgres database to pretty much max.  The Postgres database is an 8
> > Core (4 dual cpu) Sun Opteron with 8g of ram and 3 x 15k SAS drives on
> > an LSI Megaraid controller.  So the database box is a decent machine.
> >
> > Here is the indexes on the postgres database:
> > radius=# \di
> >List of relations
> >  Schema |Name | Type  | Owner  | Table
> > +-+---++---
> >  public | badusers_incidentdate_idx   | index | dialup | badusers
> >  public | badusers_pkey   | index | dialup | badusers
> >  public | badusers_username_idx   | index | dialup | badusers
> >  public | mtotacct_acctdate_idx   | index | dialup | mtotacct
> >  public | mtotacct_nasipaddress_idx   | index | dialup | mtotacct
> >  public | mtotacct_pkey   | index | dialup | mtotacct
> >  public | mtotacct_username_idx   | index | dialup | mtotacct
> >  public | mtotacct_userondate_idx | index | dialup | mtotacct
> >  public | nas_nasname | index | dialup | nas
> >  public | nas_pkey| index | dialup | nas
> >  public | radacct_active_user_idx | index | dialup | radacct
> >  public | radacct_pkey| index | dialup | radacct
> >  public | radacct_start_user_idx  | index | dialup | radacct
> >  public | ra

Re: Freeradius + DHCP +vlans ???

2007-07-26 Thread tnt
Do you have to use an external DHCP server (project requirement)? Aironet
has one (Cisco IOS). You can define DHCP pools on the AP and pass avpair
for the pool with your vlan configuration from Freeradius. You can also
do away with DHCP, define ip_pools in Freeradius and pass addresses, DNS
etc. with vlan configuration directly from radius.

Ivan Kalik
Kalik Informatika ISP


On 26/7/2007, "George Beitis" <[EMAIL PROTECTED]> writes:

>Dear Phil
>Firstly thank you for taking the time to reply and for your
>straightforward reply to this matter.  I'm doing this as part of my MSc
>project, well this is actually part of the initial setup, not the
>project itself, and I have at my disposal a limited number of
>devices.   I borrowed a Cisco Aironet 1200 access point from my
>department, which supports vlans and I also have a Linksys router
>(wrt54gl) (which I will use as a switch) and I have an old computer with
>one ethernet card which I intend to install freeradius on and a dhcp
>server.  From there on I might add some more devices each belonging to a
>different vlan.
>
>My thinking from what you said is to setup the vlans/tunnels  on the
>access point, setup freeradius and then run a dhcp server on the old
>computer.  If i want to add the dhcp server to many virtual lans do i
>need to create some sort of virtual interface for each?  Or does the
>router need to be aware of where to forward dhcp packets coming from
>different vlans?
>
>thank you for your help
>
>regards
>George



Re: radiusd startup problem

2007-07-26 Thread ram

On 7/26/07, Alan DeKok <[EMAIL PROTECTED]> wrote:


ram wrote:
> I have installed a fresh copy with the freeradius+mysql document

What document?  To install the server, you just follow the
instructions in the INSTALL.




http://www.frontios.com/freeradius.html

ram

Re: radiusd startup problem

2007-07-26 Thread Peter Nixon
On Thu 26 Jul 2007, Peter Nixon wrote:
> On Thu 26 Jul 2007, ram wrote:
> > On 7/26/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > > ram wrote:
> > > > I have installed a fresh copy with the freeradius+mysql document
> > >
> > > What document?  To install the server, you just follow the
> > > instructions in the INSTALL.
> >
> > http://www.frontios.com/freeradius.html
>
> That document is greater than 2 years old and there are several parts of
> it that were ALWAYS wrong :-(

Oh... And we list it as a source in doc/rlm_sql

Alan we have to remove it immediately! 

-- 

Peter Nixon
http://peternixon.net/


Re: radiusd startup problem

2007-07-26 Thread Alan DeKok
ram wrote:
> I have installed a fresh copy with the freeradius+mysql document

  What document?  To install the server, you just follow the
instructions in the INSTALL.

  It appears you edited the dictionaries, and broke them.  Don't do that.

> I am trying to integrate with openser
>  
> any suggestion what documents to follow

  Follow the documentation included with the server.

  I have no idea why people prefer to follow third-party documents
instead of following the documentation included with the server.

  Alan DeKok.


RE: SQLIPPool performance issue

2007-07-26 Thread Roy Walker
Here is the config lines:

max_connections = 100
shared_buffers = 400MB
temp_buffers = 32MB
work_mem = 1MB
maintenance_work_mem = 128MB
max_fsm_pages = 204800

Didn't change any of these as for my testing I don't have autovacuum
enabled.
#vacuum_cost_delay = 0          # 0-1000 milliseconds
#vacuum_cost_page_hit = 1       # 0-1 credits
#vacuum_cost_page_miss = 10     # 0-1 credits
#vacuum_cost_page_dirty = 20    # 0-1 credits
#vacuum_cost_limit = 200        # 0-1 credits

#bgwriter_delay = 200ms         # 10-1ms between rounds
#bgwriter_lru_percent = 1.0     # 0-100% of LRU buffers scanned/round
#bgwriter_lru_maxpages = 5      # 0-1000 buffers max written/round
#bgwriter_all_percent = 0.333   # 0-100% of all buffers scanned/round
#bgwriter_all_maxpages = 5      # 0-1000 buffers max written/round

#wal_buffers = 64kB

#commit_delay = 0               # range 0-10, in microseconds
#commit_siblings = 5            # range 1-1000

checkpoint_segments = 32        # in logfile segments, min 1, 16MB each
#checkpoint_timeout = 5min      # range 30s-1h

#random_page_cost = 4.0

autovacuum = off                # enable autovacuum subprocess?
                                # 'on' requires stats_start_collector
                                # and stats_row_level to also be on
#autovacuum_naptime = 1min      # time between autovacuum runs
#autovacuum_vacuum_threshold = 500      # min # of tuple updates before vacuum
#autovacuum_analyze_threshold = 250     # min # of tuple updates before analyze
#autovacuum_vacuum_scale_factor = 0.2   # fraction of rel size before vacuum
#autovacuum_analyze_scale_factor = 0.1  # fraction of rel size before analyze
#autovacuum_freeze_max_age = 2  # maximum XID age before forced vacuum
                                # (change requires restart)
#autovacuum_vacuum_cost_delay = -1      # default vacuum cost delay for
                                        # autovacuum, -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1      # default vacuum cost limit for
                                        # autovacuum, -1 means use vacuum_cost_limit

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Nixon
Sent: Thursday, July 26, 2007 9:53 AM
To: FreeRadius users mailing list
Subject: Re: SQLIPPool performance issue

On Thu 26 Jul 2007, Kenneth Marshall wrote:
> Roy,
>
> It sounds like you may need to adjust the DB parameters. The defaults,
> even in 8.2, are still fairly conservative. Would you post your
current
> settings for things like:
>
> max_connections
> shared_buffers
> work_mem
> maintenance_work_mem
> max_fsm_pages
> vacuum_cost_*
> bgwriter_*
> wal_buffers
> commit_delay
> commit_siblings
> checkpoint_segments
> checkpoint_timeout
> random_page_cost
> effective_cache_size
> autovacuum
> autovacuum_*
>
> Basically, anything you have changed from the default configuration
> file. Proper choices for these parameters can make a huge difference
> in baseline performance.

Yep. My guess is, on that box, if he is running a default Postgresql
config he should get 10-100 times greater performance after tuning it
correctly for the ram and cpu setup..

Cheers

-- 

Peter Nixon
http://peternixon.net/


Re: final rlm_perl question, hopefully...

2007-07-26 Thread Peter Nixon
On Thu 26 Jul 2007, FreeRadius-ML wrote:
> Hi all,
>
>   Please disregard, I've solved the thing ;-) Silly typo in the return.
>
> Z2L
>
> - Original Message -
> From: "FreeRadius-ML" <[EMAIL PROTECTED]>
> To: "freeradius-users" 
> Sent: Thursday, July 26, 2007 6:41:21 PM (GMT+0200) Asia/Jerusalem
> Subject: Fwd: final rlm_perl question, hopefully...
>
> Hi All,
>
>   Ok, after reviewing all the information that was received, I've setup my
> FreeRadius as following:
>
> 1. The authorize and authenticate sections are set up to activate digest
> and perl.
> 2. My rlm_perl script utilizes the following lines in order to
> return the unencrypted user password back to FreeRadius for digest
> authentication:
>
>$RAD_CHECK{'Cleartext-Password'} = "xx";   # Remove this line for production
>$RAD_CHECK{'User-Password'} = "xx";# Remove this line for production

In any case you should not need to use both 'User-Password' 
and 'Cleartext-Password'. In newer versions of 
FreeRADIUS 'Cleartext-Password' has replaced  'User-Password'...

Cheers

-- 

Peter Nixon
http://peternixon.net/


SQL and different accounting records by NAS

2007-07-26 Thread Nicolas Velazquez


Thank you very much Ivan.
It's very useful to know that 2.0 could include these features.

But, also, it's very useful to know if 1.1.6 includes or not any of these.
And this is an important question.
In the past I wasted so much time reading, searching and testing features
that finally were impossible for a certain version of software.

Another key is the stability.
2.0 is a pre-release and the service must not support outages or bugs.
Of course, we shall update to 2.0 as soon as the software can be
reasonably stable.
But now, the only programmed update in the near future is 1.1.7.

Thanks again for such useful information

  Nicolas

 >
 >Have a look at 2.0. It can do if/than/else in .conf files
 >so you should
 >be able to define different sql statements for different
 >cases.
 >
 >Ivan Kalik
 >Kalik Informatika ISP
 >
 >
 >On 26/7/2007, "Nicolas Velazquez" uam.es> writes:
 >
 >>Hi,
 >>
 >>We are using freeradius 1.1.6, now, to provide
 >>access for our wireless network only.
 >>The accounting is very detailed and
 >>comprehensive: IP addresses, usernames,  packets, roles,
 >APs, SSIDs, etc.
 >>
 >>Now, we are starting to use the same radius to
 >>give 802.1x access to our wired network.
 >>
 >>The key is that the accounting records for a wired switch
 >are VERY different.
 >>Now, AP and SSID, are nonsense items, for example.
 >>But we need another records.
 >>
 >>Can freeradius use different accounting sql inserts
 >depending on NAS?
 >>
 >>Is there any document showing something like this?
 >>I have read many documents but I can not find a clear
 >answer.
 >>
 >>This was the main question.
 >>
 >>A related tiny question is as follows.
 >>The most comfortable configuration will be to use
 >>different accounting inserts depending on huntgroups.
 >>Then we could select sql inserts for one
 >>huntgroup (all our wired NASes) and different sql
 >>insert for another huntgroup (all our wireless NASes).
 >>The addition, remove or change of the different
 >>NASes could be made modifying only the lists contained in
 >the huntgroups file.
 >>It could be very clean and useful.
 >>But, when I read the huntgroups documentation I
 >>have  the strong suspicion I can't do this.
 >>
 >>Thank you very much in advance,
 >>
 >>Nicolas Velazquez
 >>
 >
 >




Re: Wrong behaviour of rlm_ldap module + users file

2007-07-26 Thread Phil Mayers
On Thu, 2007-07-26 at 14:56 +0200, inverse wrote:
> Hi,
> 
> this problem is simple (everything not shown here is v1.1.6
> out-of-the-box radiusd configuration):
> 
> users file line:
> [EMAIL PROTECTED] Auth-Type := EAP, User-Password == "a",  Ldap-Group == 
> "wifi"

Totally wrong. You want:

[EMAIL PROTECTED] Cleartext-Password := "a", Ldap-Group == "wifi"

Don't set auth type
Don't compare the password; set the server-side one

> 
> this is a test line, [EMAIL PROTECTED] uses EAP-MD5, but I want to
> check if he's in the Ldap-Group named 'wifi'.
> 
> radiusd.conf lines, ldap section:
> 
> filter ="(uid=%{User-Name})"
> edir_account_policy_check=no
> password_attribute = userPassword
> groupmembership_filter = 
> "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
> 
> This is where I actually suck. I think this is correct, but it won't
> work as expected because:
> 
> 
> rad_recv: Access-Request packet from host 149.132.5.108:35285, id=0, 
> length=160
> User-Name = "[EMAIL PROTECTED]"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "02-00-00-00-00-01"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 11Mbps 802.11b"
> EAP-Message =
> 0x021f0170616f6c6f2e676169617264656c6c6940756e696d69622e6974
> Message-Authenticator = 0x14b3675352d738629cc1bb21695f3122
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat:  '/var/log/radius/radacct/127.0.0.1/auth-detail-20070726'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20070726
>   modcall[authorize]: module "auth_log" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: Looking up realm "test.com" for User-Name = "[EMAIL PROTECTED]"
> rlm_realm: Found realm "test.com"
> rlm_realm: Proxying request from user john.doe to realm test.com
> rlm_realm: Adding Realm = "test.com"
> rlm_realm: Authentication realm is LOCAL.
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: EAP packet type response id 0 length 31
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=test,dc=com
> radius_xlat:  '([EMAIL PROTECTED])'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.test.com:636, authentication 0
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/crl/root.pem
> rlm_ldap: bind as cn=ldapreader,ou=servizi,dc=test,dc=com/blargh to
> ldap.test.com:636
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=test,dc=com, with filter
> ([EMAIL PROTECTED])
> rlm_ldap: ldap_release_conn: Release Id: 0
> radius_xlat:  '(&(objectClass=GroupOfNames)([EMAIL PROTECTED]))'
> 
> This is where the problem arises. I don't want to check if
> [EMAIL PROTECTED] exists.
> rlm_ldap wants to, but that's not what I told him to do. I never told
> rlm_ldap to verify if [EMAIL PROTECTED] is an LDAP user. Now he is,
> but only because I created him.

You've got the "ldap" module in "authorize". Remove it.

You will need to put it in "instantiate" so that it gets initialised,
but you don't want to check it during authorize.

> 
> 
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=test,dc=com, with filter
> (&(cn=wifi)(&(objectClass=GroupOfNames)([EMAIL PROTECTED])))
> rlm_ldap::ldap_groupcmp: User found in group wifi
> 
> and THIS is what I want rlm_ldap to do.
> I want to check this and only this, since [EMAIL PROTECTED] is a
> member of wifi and doesn't exist anywhere else in the LDAP tree. He
> isn't a user. He's just an object in group wifi.
> That's what happens in my production environment. john.doe's login
> fails because the first useless search fails.
> I know I'm doing something horribly wrong, and I can't find out what's
> my major malfunction.

Remove "ldap" from the "authorize" section and put it in the
"instantiate" section


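Phil's correction above, and Peter Nixon's remark earlier in this digest that Cleartext-Password has replaced User-Password, as an added Python check (not code from FreeRADIUS or from any poster): it parses users-file entries, flags a forced Auth-Type := and any User-Password check item, and rewrites them into the Cleartext-Password := form. The user names, passwords and the VLAN reply items (Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id, the RFC 3580 attributes an AP acts on) are constructed for illustration.

```python
# Added example (not FreeRADIUS code): parse FreeRADIUS 'users' entries and flag
# a forced Auth-Type or a User-Password item, then rewrite to Cleartext-Password.
import re
from dataclasses import dataclass, field

# users-file operators, longest first so the regex does not stop at '=' or ':'
_OPS = r':=|==|\+=|!=|>=|<=|=~|!~|=\*|!\*|>|<|='
# attribute (optionally tagged, e.g. Tunnel-Type:1), operator, quoted or bare value, optional comma
_PAIR = re.compile(r'\s*([A-Za-z0-9\-]+(?::\d+)?)\s*(' + _OPS +
                   r')\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*,?')


@dataclass
class Entry:
    name: str
    check: list = field(default_factory=list)   # [(attr, op, value), ...]
    reply: list = field(default_factory=list)


def parse_pairs(text):
    """Split 'Attr op value, Attr op value' into tuples; reject leftovers."""
    pairs, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _PAIR.match(text, pos)
        if not m:
            raise ValueError('cannot parse %r' % text[pos:])
        pairs.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    return pairs


def parse_users(text):
    """Unindented line = '<name> <check items>'; indented lines that follow it
    are reply items.  Blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':                      # continuation: reply items
            if not entries:
                raise ValueError('reply item before any entry: %r' % raw)
            entries[-1].reply.extend(parse_pairs(raw))
        else:
            parts = raw.split(None, 1)
            entries.append(Entry(parts[0], parse_pairs(parts[1] if len(parts) > 1 else '')))
    return entries


def lint(entry):
    """Problems in an entry's check items, as strings (empty list = clean)."""
    problems = []
    for attr, op, value in entry.check:
        if attr == 'Auth-Type' and op == ':=':
            problems.append('%s: forces Auth-Type %s; let the server choose the '
                            'authentication type from the request' % (entry.name, value))
        if attr == 'User-Password':
            # '==' tests the password the client sent; as a check item this is
            # also the deprecated spelling of Cleartext-Password (see the thread)
            problems.append('%s: %s %s %s; set Cleartext-Password := instead'
                            % (entry.name, attr, op, value))
    return problems


def harden(entry):
    """Apply the fix from the thread: drop the forced Auth-Type and turn a
    User-Password item into a server-side Cleartext-Password."""
    fixed = []
    for attr, op, value in entry.check:
        if attr == 'Auth-Type' and op == ':=':
            continue
        if attr == 'User-Password':
            attr, op = 'Cleartext-Password', ':='
        fixed.append((attr, op, value))
    return Entry(entry.name, fixed, list(entry.reply))


def render(entry):
    """Serialise to users-file syntax: reply items one per line, comma-continued."""
    lines = [(entry.name + ' ' + ', '.join('%s %s %s' % p for p in entry.check)).rstrip()]
    for i, pair in enumerate(entry.reply):
        sep = ',' if i < len(entry.reply) - 1 else ''
        lines.append('\t%s %s %s%s' % (pair + (sep,)))
    return '\n'.join(lines)


# Constructed sample: alice's entry has both mistakes, bob's is the corrected
# form.  The reply items are the RFC 3580 VLAN assignment the AP acts on.
SAMPLE_USERS = '''\
alice@example.org\tAuth-Type := EAP, User-Password == "a", Ldap-Group == "wifi"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = "10"

bob@example.org\tCleartext-Password := "b", Ldap-Group == "wifi"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = "20"
'''

if __name__ == '__main__':
    for e in parse_users(SAMPLE_USERS):
        for problem in lint(e):
            print('WARN', problem)
        if lint(e):
            print('suggested entry:\n' + render(harden(e)))
```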


Re: Freeradius + DHCP +vlans ???

2007-07-26 Thread Phil Mayers
On Thu, 2007-07-26 at 13:11 +0100, [EMAIL PROTECTED] wrote:
> Do you have to use an external DHCP server (project requirement)? Aironet
> has one (Cisco IOS). You can define DHCP pools on the AP and pass avpair
> for the pool with your vlan configuration from Freeradius. You can also
> do away with DHCP, define ip_pools in Freeradius and pass addresses, DNS
> etc. with vlan configuration directly from radius.

Are you certain this works? What would the config look like?


