Re: Freeradius Clustering
On Tuesday, 16 October 2007 04:32, Fred Zinsli wrote:
> Hello everyone
>
> Sorry if this has been covered, but I have googled without finding.
>
> I am looking to replace our current servers and am looking to
> reconfigure the network.
>
> I am wanting to know if Freeradius can be clustered, and if so can
> someone point me to some documentation on the subject.
>
> I am also wanting to know how to calculate the new specs for the new
> servers.
>
> Many thanks in advance.
>
> Regards
>
> Fred

Hi,

high availability clustering is possible with Linux-HA (heartbeat). It can cluster everything that starts with an init script.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: [EMAIL PROTECTED]
web: www.multinet.de

Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius Clustering
Hello everyone

Sorry if this has been covered, but I have googled without finding.

I am looking to replace our current servers and am looking to reconfigure the network.

I am wanting to know if Freeradius can be clustered, and if so can someone point me to some documentation on the subject.

I am also wanting to know how to calculate the new specs for the new servers.

Many thanks in advance.

Regards

Fred
Reply: freeradius password expiry
Question:

1. I just want to check the freeradius attribute ("Expiration") by radius request, not change the database directly. In this case, can I get the value of "Expiration" in advance?

2. How to change the value of "Expiration"? Just give me some keywords. (I put this attribute into the database manually the first time.)

Thank you very much. Looking forward to your feedback.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] on behalf of [EMAIL PROTECTED]
Sent: Monday, October 15, 2007 8:00 PM
To: FreeRadius users mailing list
Subject: Re: freeradius password expiry

1. Yes. Your sign-on program can check for that attribute in the database. If it's expired, then prompt for a password change (and not send an access request to the radius server).

2. The same way you put it in there in the first place.

Ivan Kalik
Kalik Informatika ISP

On 15/10/2007, "yangcuilin" <[EMAIL PROTECTED]> writes:

>My requirement:
>
>1. At the FreeRADIUS (java) client side, judge in advance whether the
>current user's password is expired. If the user's password is expired,
>prompt the user to change the password.
>
>My question: FreeRADIUS has an attribute "Expiration" to judge whether
>the password is expired, but can I get the value of "Expiration" in advance?
>
>2. The user can send a request (which is the FreeRADIUS attribute
>"Expiration") to the FreeRADIUS Server.
>
>My question: How do I change the value of the FreeRADIUS attribute
>"Expiration"?
>
>Two questions. Thanks in advance.
Re: FATAL: Thread create failed: Cannot allocate memory
On Fri, 2007-10-12 at 14:55 +0200, Alan DeKok wrote:
> Phil Mayers wrote:
> > We had one of our MAC-auth radius server instances hang up with this
> > error at about 0200 this morning.
>
> Ouch.
>
> > That server receives pretty heavy load, and it's bursty, so we see this
> > a couple of times a day:
> >
> > The maximum number of threads (32) are active, cannot spawn new thread
> > to handle request
>
> That shouldn't be a problem. The request will just get queued.

Indeed. It does not seem to cause problems.

> > ...but it does not cause problems. An inability to create a new thread
> > is an entirely different matter though; it implies
> running, the server tried to create a new one, and the OS couldn't
> > allocate a thread.
> >
> > Any ideas how to resolve this? Version is FreeRadius 1.1.6 (only reason
> > we haven't upgraded is change control, it's due shortly)
>
> Set all of the thread information to the same numbers:
>
> start_servers = 32
> max_servers = 32
> min_spare_servers = 0
> max_spare_servers = 32
>
> That way threads won't be created, but they also won't be deleted. I
> suspect it's the deletion of threads that is causing the problem. i.e.
> delete/create/delete/create/.../panic !

We just had a repeat of this on the *other* server. Given the relative loads, uptimes of the processes, and burst nature of the load, I am wondering if there is some limit on the total number of thread creates over the lifetime of a process (e.g. 2^16, 2^24). Since the load is bursty, I suspect with the default settings the pool would have been resizing frequently.

(For info, OS is Linux 2.6.9, RHEL4 kernel -22.0.1ELsmp, glibc 2.3.4 RPM release 2.16)

Anyway, I've implemented this suggestion and we'll see how things go. It seems likely fixing the thread pool size would be trouble-free.
Re: Using freeradius and 802.1x for dynamic VLAN
> As you see, this is the configuration from my switch.
> In the users file I have the following configuration.
> +
> carlos User-Password == "carlos"
>         Service-Type = Framed-User,
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 2
>
> saul User-Password == "saul"
>         Service-Type = Framed-User,
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-ID = 4
> +
>
> Now the problem is that: The PC client (Windows XP) is connected to
> port 17, which is included in vlan 4. When I enter the user
> carlos and his password carlos it shouldn't authenticate because that
> user is assigned to vlan 2. But the problem is that the user is
> authenticated and has access to vlan 4.
>
> My conclusion is that:
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-Id = 2
> don't work.

Your conclusion is most likely wrong. It sounds like you don't have dynamic VLANs. Tunnel attributes will then get ignored and only username & password will be relevant. So the client will connect. Tunnel attributes are sent in the reply to the switch. If the switch doesn't support dynamic VLAN assignment ...

Ivan Kalik
Kalik Informatika ISP
Re: Using freeradius and 802.1x for dynamic VLAN
Hi,

> carlos User-Password == "carlos"
>         Service-Type = Framed-User,
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 2
>
> saul User-Password == "saul"
>         Service-Type = Framed-User,
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-ID = 4
>
> +
>
> Now the problem is that: The PC client (Windows XP) is connected to
> port 17, which is included in vlan 4. When I enter the user
> carlos and his password carlos it shouldn't authenticate because that
> user is assigned to vlan 2. But the problem is that the user is
> authenticated and has access to vlan 4.
>
> My conclusion is that:
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-Id = 2
> don't work.

err, no. not at all.

with the config that you have posted what you are saying is 'if the user is Carlos and the password is correct then set the vlan to be 2'

you certainly aren't checking that the VLAN is 2 - and if it isn't then fail the authentication.

i can understand what you are trying to do...but to do THAT sort of thing you will need to use checking attributes, not setting attributes.

you should find that the port which carlos is attached to is being put onto VLAN 2 if the config is correct.

alan
Re: Using freeradius and 802.1x for dynamic VLAN
Hi,

carlos Auth-Type = EAP, User-Password == "carlos"

I removed the part indicated:

carlos User-Password == "carlos"

The problem continues. I did the following: in my switch I formed three vlans, 2, 3 and 4. After that I assigned IPs to the vlans and ports too.

This is all the configuration from the switch:

===
console# show running-config
interface ethernet g1
exit
vlan database
vlan 2-4
exit
interface range ethernet g(2-8)
switchport access vlan 2
exit
interface range ethernet g(9-14)
switchport access vlan 3
exit
interface range ethernet g(15-20)
switchport access vlan 4
exit
dot1x system-auth-control
interface range ethernet g(2-8,10-14,16-20)
dot1x port-control auto
exit
interface range ethernet g(2-8,10-14,16-20)
dot1x re-authentication
exit
interface vlan 2
ip address 192.168.2.2 255.255.255.0
exit
interface vlan 3
ip address 192.168.3.3 255.255.255.0
exit
interface vlan 4
ip address 10.20.10.251 255.255.255.0
exit
ip default-gateway 10.20.10.1
radius-server host 10.20.10.13 auth-port 1645 timeout 3
radius-server host 10.20.10.251 auth-port 1645 timeout 3 retransmit 3 key mi secreto
radius-server host 192.168.2.2 auth-port 1645 timeout 3 retransmit 3 key mis ecreto
radius-server host 192.168.3.3 auth-port 1645 timeout 3 retransmit 3 key mis ecreto
radius-server key misecreto
aaa authentication dot1x default radius
username admin password 7d8c9c8b116cdfe3fb091f4c1ac684de level 15 encrypted

Vlan  Name  Ports               Type       Authorization
----  ----  ------------------  ---------  -------------
1     1     g(1,21-24),ch(1-8)  other      Required
2     2     g(1-8)              permanent  Required
3     3     g(1,9-14)           permanent  Required
4     4     g(15-20)            permanent  Required

console# show ip interface

Gateway IP Address  Activity status  Type
------------------  ---------------  ------
10.20.10.1          Active           static

IP Address       I/F     Type
---------------  ------  ------
10.20.10.251/24  vlan 4  Static
192.168.2.2/24   vlan 2  Static
192.168.3.3/24   vlan 3  Static
===

As you see, this is the configuration from my switch. In the users file I have the following configuration.

+
carlos User-Password == "carlos"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2

saul User-Password == "saul"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 4
+

Now the problem is that: The PC client (Windows XP) is connected to port 17, which is included in vlan 4. When I enter the user carlos and his password carlos it shouldn't authenticate because that user is assigned to vlan 2. But the problem is that the user is authenticated and has access to vlan 4.

My conclusion is that:
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 2
don't work. I probably need to configure something.
Re: 802.1x & kerberos
Alan DeKok wrote:
> > DEFAULT Auth-Type := Kerberos
> >         Fall-Through = 1
>
> An earlier message in this thread said "Auth-Type = Kerberos". What you
> have above is different.

And herein lies the problem. I just went back and tested this. I had been working with Walt Reynolds on the issue and we had shared some files, and after that things started working with a Mac client but not with my Win XP client (one of the Xsupplicants we had installed had hosed the system so I couldn't tell when things had gotten better).

According to the man 5 users page:

Auth-Type = Kerberos

is allowed for a server configuration variable such as Auth-Type, whereas

Auth-Type := Kerberos

(note the colon before the equal sign) is a check item and replaces in the configuration items any attribute of the same name.

Having the colon there or not there made a very big difference in how it behaved.

I really appreciate everyone that took the time to help figure this out. We actually had it working before I saw Alan's message but it's nice to know exactly what that tiny piece did.

Thanks,
LB
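Both the dynamic-VLAN thread above and this Auth-Type exchange come down to how FreeRADIUS reads a `users` entry: the first line carries the user name plus check items (compared against the request, or, for server attributes such as Auth-Type, set as configuration items, where `=` only sets the attribute if nothing has set it yet and `:=` always replaces it), while the indented continuation lines are reply items that are copied into the Access-Accept and never checked against anything. The model below is an added example, not code from either thread and not FreeRADIUS code. It models only the `==`, `:=` and `=` operators (Fall-Through and the other operators are left out), treats the request as a plain attribute dictionary, and the entry that checks NAS-Port is a constructed illustration of a check item; the thread does not say which attribute the switch actually sends.

```python
"""Toy evaluator for FreeRADIUS-style 'users' file entries.

Added example: not the threads' own config nor FreeRADIUS code.  It models
just enough of the users(5) semantics for the two threads above:
  * first line of an entry  -> user name plus CHECK items
  * indented lines          -> REPLY items, copied into the Access-Accept
  * ':=' on a check item    -> always matches, replaces any existing value
  * '='  on a check item    -> sets a server attribute only if not already set
  * '==' on a check item    -> must equal the request attribute, else no match
"""
import re

# attribute, operator, value (quoted or bare); trailing comma optional
ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def _items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM.findall(text)]


def parse_users(text):
    """Split a users-file text into entries {name, check, reply}."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                 # continuation line: reply items
            if current is not None:
                current["reply"].extend(_items(line))
        else:                                # new entry: name + check items
            parts = line.split(None, 1)
            current = {"name": parts[0],
                       "check": _items(parts[1] if len(parts) > 1 else ""),
                       "reply": []}
            entries.append(current)
    return entries


def authorize(entries, request, config=None):
    """Return (config, reply) for the first matching entry, else None (reject).

    `config` holds server attributes (e.g. Auth-Type) that an earlier module
    may already have set; `request` is a dict of RADIUS request attributes.
    """
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
            continue
        cfg = dict(config or {})
        matched = True
        for attr, op, value in entry["check"]:
            if op == "==":
                if request.get(attr) != value:
                    matched = False
                    break
            elif op == ":=":
                cfg[attr] = value             # always matches; replaces
            elif op == "=":
                cfg.setdefault(attr, value)   # only if not already present
        if matched:
            # reply items are SET, never checked: the switch gets VLAN 2
            # no matter which port the request came from
            reply = {attr: value for attr, _op, value in entry["reply"]}
            return cfg, reply
    return None


# The two entries posted in the dynamic-VLAN thread.
USERS = """\
carlos  User-Password == "carlos"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2

saul    User-Password == "saul"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 4
"""

# Constructed variant (not from the thread): the port is a CHECK item, so a
# request from any other port does not match and falls through to a reject.
STRICT_USERS = """\
carlos  User-Password == "carlos", NAS-Port == 3
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2
"""

# The two spellings from the Kerberos thread, as DEFAULT entries.
KRB_SET_IF_UNSET = 'DEFAULT Auth-Type = Kerberos\n'
KRB_REPLACE = 'DEFAULT Auth-Type := Kerberos\n'

if __name__ == "__main__":
    req = {"User-Name": "carlos", "User-Password": "carlos", "NAS-Port": "17"}
    print(authorize(parse_users(USERS), req))         # matches; reply carries VLAN 2
    print(authorize(parse_users(STRICT_USERS), req))  # None: NAS-Port check fails
    already = {"Auth-Type": "EAP"}                    # as if another module set it
    print(authorize(parse_users(KRB_SET_IF_UNSET), {"User-Name": "lb"}, already)[0])
    print(authorize(parse_users(KRB_REPLACE), {"User-Name": "lb"}, already)[0])
```

Running it shows the two points the replies make: with the posted entries carlos matches from port 17 and the Access-Accept simply carries Tunnel-Private-Group-Id 2 for the switch to act on, whereas only a check item on the first line can turn a wrong port into a reject; and with an Auth-Type already set, `=` leaves it alone while `:=` overrides it.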
Re: userfile username:password
Joe Mom wrote:
> I'm using Freeradius 1.1.6 on gentoo, I remember there being a way to
> drop in a user list in the format of "username:password" exported from
> another server, but can't for the life of me, remember what or how to
> do it.

rlm_passwd. There's a "man" page, too.

Alan DeKok.
userfile username:password
Sorry, it's been a while since I've set up a freeradius server.

I'm using Freeradius 1.1.6 on gentoo, I remember there being a way to drop in a user list in the format of "username:password" exported from another server, but can't for the life of me, remember what or how to do it.

I've scoured the google and what not, but without a name of a module or method I'm just spinning my tires at this point.

Any help at all will be greatly appreciated.

--
Regards
Joe
Re: how to
Manel Berencia Trull wrote:
> I use radius cistron
> And I need to move to freeradius with mysql (radius cistron does not support ippool)
>
> How to put this in mysql

Read the "rlm_sql" text document included in the FreeRADIUS source tree. It may be under /usr/share/doc/freeradius*/ (depending on your distro)

--
Martin Gadbois
Sr. SW Designer
Colubris Networks Inc.
"Please answer by yes or no. Uncooperative user waste precious CPU time" -- The Andromeda Strain, M. Crichton, 1969
Re: freeradius password expiry
1. Yes. Your sign-on program can check for that attribute in the database. If it's expired, then prompt for a password change (and not send an access request to the radius server).

2. The same way you put it in there in the first place.

Ivan Kalik
Kalik Informatika ISP

On 15/10/2007, "yangcuilin" <[EMAIL PROTECTED]> writes:

>My requirement:
>
>1. At the FreeRADIUS (java) client side, judge in advance whether the
>current user's password is expired. If the user's password is expired,
>prompt the user to change the password.
>
>My question: FreeRADIUS has an attribute "Expiration" to judge whether
>the password is expired, but can I get the value of "Expiration" in advance?
>
>2. The user can send a request (which is the FreeRADIUS attribute
>"Expiration") to the FreeRADIUS Server.
>
>My question: How do I change the value of the FreeRADIUS attribute
>"Expiration"?
>
>Two questions. Thanks in advance.
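Ivan's answer (here and in the same exchange as quoted in the reply earlier on this page) is that the sign-on program can read the Expiration attribute from the database itself, prompt for a password change when it has passed instead of sending an Access-Request, and change the value the same way it was inserted. The Python below is an added example of that client-side check; it is not code from the thread or from FreeRADIUS. It assumes rows shaped like the radcheck table (username, attribute, op, value) and that the Expiration value is written in the "DD Mon YYYY" or "Mon DD YYYY" form, optionally followed by "HH:MM"; that format is an assumption, so DATE_FORMATS should be adjusted to whatever the deployment actually stores. The rows and the reference time are constructed.

```python
"""Client-side check of the FreeRADIUS 'Expiration' check item.

Added example (not code from the thread or from FreeRADIUS): before a
sign-on program sends an Access-Request it looks up the user's Expiration
row in the same table FreeRADIUS reads, decides whether the account has
expired, and changes the row the same way it was put in.  Assumptions:
rows mirror the radcheck columns (username, attribute, op, value) and the
date is written 'DD Mon YYYY' or 'Mon DD YYYY', optionally with 'HH:MM'.
"""
from datetime import datetime, timedelta

RADCHECK = [  # constructed sample rows, not real accounts
    ("alice", "User-Password", "==", "alice-pw"),
    ("alice", "Expiration",    ":=", "23 Sep 2004"),
    ("bob",   "User-Password", "==", "bob-pw"),
    ("bob",   "Expiration",    ":=", "Sep 23 2099 18:30"),
    ("dave",  "User-Password", "==", "dave-pw"),
    ("dave",  "Expiration",    ":=", "20 Oct 2007"),
    ("carol", "User-Password", "==", "carol-pw"),   # no Expiration row at all
]

# Constructed reference time (the thread's date), so results are reproducible.
NOW = datetime(2007, 10, 15, 12, 0)

# Assumed spellings of the stored value; adjust to what the deployment writes.
DATE_FORMATS = ("%d %b %Y %H:%M", "%b %d %Y %H:%M", "%d %b %Y", "%b %d %Y")


def parse_expiration(value):
    """Parse an Expiration value; raise ValueError if no known format fits."""
    value = " ".join(value.split())
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised Expiration value: %r" % value)


def expiration_for(rows, username):
    """Return the user's Expiration as a datetime, or None if no row exists."""
    for user, attribute, _op, value in rows:
        if user == username and attribute == "Expiration":
            return parse_expiration(value)
    return None


def check_expiration(rows, username, now, warn_days=7):
    """Classify the account: ('none'|'expired'|'expiring'|'ok', days_left)."""
    expires = expiration_for(rows, username)
    if expires is None:
        return "none", None            # nothing to check; send the request
    left = expires - now
    if left <= timedelta(0):
        return "expired", 0            # prompt for a password change first
    if left.days < warn_days:
        return "expiring", left.days   # still valid; warn the user
    return "ok", left.days


def set_expiration(rows, username, new_value):
    """Change (or add) the Expiration row, as an UPDATE/INSERT on the table would.

    The value is validated first so a malformed date never reaches the table.
    """
    parse_expiration(new_value)
    for i, (user, attribute, op, _value) in enumerate(rows):
        if user == username and attribute == "Expiration":
            rows[i] = (user, attribute, op, new_value)
            return rows
    rows.append((username, "Expiration", ":=", new_value))
    return rows


if __name__ == "__main__":
    for name in ("alice", "bob", "dave", "carol"):
        print(name, check_expiration(RADCHECK, name, NOW))
    rows = list(RADCHECK)
    set_expiration(rows, "alice", "23 Sep 2099")
    print("alice after update", check_expiration(rows, "alice", NOW))
```

The status decides what the sign-on program does before any RADIUS traffic: `expired` means prompt for a password change and skip the Access-Request, `expiring` means send it but warn, `ok` and `none` mean send it as usual. Note that `none` is not the same as `ok`: a user with no Expiration row has no expiry enforced at all, which is worth reporting separately when auditing the table.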
Re: rlm_realm doesn't strip the username
One more time the radius looping log, but in zipped form (hope this time it will arrive).

-tomasz

On 10/14/07, Tomasz Zieleniewski <[EMAIL PROTECTED]> wrote:
>
> I forgot to attach the file.
>
> On 10/14/07, Tomasz Zieleniewski <[EMAIL PROTECTED]> wrote:
> >
> > I moved from database configuration to clients.conf file for pre-2.0.02 and
> > there is a strange situation because radius falls into the loop.
> > Detailed log from this in the attached file.
> > I used radtest for testing.
> >
> > Cheers
> > tomasz
> >
> > On 10/13/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > >
> > > I can't see anything wrong. Try to replace the localhost entry in home
> > > server with an IP address of the real interface. It might be that there
> > > is a problem when home server and client have the same IP address.
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
> > >
> > > On 13/10/2007, "Tomasz Zieleniewski" <[EMAIL PROTECTED]> writes:
> > >
> > > >Alan and what about this previous error:
> > > >Ignoring request to authentication address * 1812 from unknown client
> > > >127.0.0.1 port 37391.
> > > >I am using the database with the same configuration for 2.0.0-pre0 and
> > > >pre2 and in case of pre0 it works without any problem.
> > > >
> > > >Tomasz
> > > >
> > > >On 10/13/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > > >>
> > > >> Tomasz Zieleniewski wrote:
> > > >> > I forgot about the attachment:)
> > > >>
> > > >> In which the server never receives a request.
> > > >>
> > > >> That part of the code was re-written recently, and may have issues in
> > > >> CVS head. I'll take a look.
> > > >>
> > > >> Alan DeKok.

radiusdX_loop.tar.gz
Description: GNU Zip compressed data