Re: Problem with authentication with rlm_perl
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop

You've removed the PAP module from the sites-available/default "authorize" stanza, so this happens:

auth: No authenticate method (Auth-Type) configuration found for the

Put the "pap" module back where it was.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with authentication with rlm_perl
Hi,

I am using FreeRADIUS 2.0. I want to try to authenticate with the Perl module. I've done all the necessary configuration in sites-enabled/default directory and in radiusd.conf, and it reads my Perl script when running my RADIUS server. Unfortunately, my RADIUS server rejects all the time, even though I've put the return value rlm_module_ok in my Perl script. Please tell me whether there is anything else I have to do to authenticate the username from the Perl module.

Here is the output after running the RADIUS server in debugging mode:

FreeRADIUS Version 2.0.2, for host i686-pc-linux-gnu, built on Feb 25 2008 at 09:51:36
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
  prefix = "/usr/local"
  localstatedir = "/usr/local/var"
  logdir = "/usr/local/var/log/radius"
  libdir = "/usr/local/lib"
  radacctdir = "/usr/local/var/log/radius/radacct"
  hostname_lookups = no
  max_request_time = 30
  cleanup_delay = 5
  max_requests = 1024
  allow_core_dumps = no
  pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
  checkrad = "/usr/local/sbin/checkrad"
  debug_level = 0
  proxy_requests = yes
  security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
  }
}
client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = "testing123"
  nastype = "other"
}
radiusd: Loading Realms and Home Servers
proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
}
home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = "auth"
  secret = "testing123"
  response_window = 20
  max_outstanding = 65536
  zombie_period = 40
  status_check = "status-server"
  ping_check = "none"
  ping_interval = 30
  check_interval = 30
  num_answers_to_alive = 3
  num_pings_to_alive = 3
  revive_interval = 120
  status_check_timeout = 4
}
home_server_pool my_auth_failover {
  type = fail-over
  home_server = localhost
}
realm example.com {
  auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: Instantiating modules
instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating exec
  exec {
    wait = yes
    input_pairs = "request"
    shell_escape = yes
  }
  Module: Linked to module rlm_expr
  Module: Instantiating expr
  Module: Linked to module rlm_expiration
  Module: Instantiating expiration
  expiration {
    reply-message = "Password Has Expired "
  }
  Module: Linked to module rlm_logintime
  Module: Instantiating logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan "
    minimum-timeout = 60
  }
}
radiusd: Loading Virtual Servers
server {
  modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Linked to module rlm_perl
    Module: Instantiating perl
    perl {
      module = "/usr/local/etc/raddb/example.pm"
      func_authorize = "authorize"
      func_authenticate = "authenticate"
      func_accounting = "accounting"
      func_preacct = "preacct"
      func_checksimul = "checksimul"
      func_detach = "detach"
      func_xlat = "xlat"
      func_pre_proxy = "pre_proxy"
      func_post_proxy = "post_proxy"
      func_post_auth = "post_auth"
    }
    perl {
      max_clones = 32
      start_clones = 32
      min_spare_clones = 0
      max_spare_clones = 32
      cleanup_delay = 5
      max_request_per_clone = 0
    }
    Module: Checking authorize {...} for more modules to load
    Module: Linked to module rlm_preprocess
    Module: Instantiating preprocess
    preprocess {
      huntgroups = "/usr/local/etc/raddb/huntgroups"
      hints = "/usr/local/etc/raddb/hints"
      with_ascend_hack = no
      ascend_channels_per_line = 23
      with_ntdomain_hack = no
      with_specialix_jetstream_hack = no
      with_cisco_vsa_hack = no
      wit
Re: FreeRADIUS MIB
Lemaster, Rob wrote:
> I've reviewed the SNMP MIB and I can't find traps for the following events:
>
> * Proxy Failure
> * Database Connection Broken
> * Restart/HUP
>
> Are these traps available?

No. You can catch proxy failures via other methods (see previous message). For the others, it's possible, but not currently implemented.

As always, patches are welcome.

Alan DeKok.
Re: Advanced Queuing?
Lemaster, Rob wrote:
> Does FreeRADIUS have any advanced queuing abilities? If we restart a BRAS, it
> will try to authenticate between 30,000 to 60,000 users all at once. This can
> crash our RADIUS server. Does FreeRADIUS have any advanced queuing
> functionality that will enable it to handle this sudden surge of traffic, or
> should we plan to upgrade our hardware?

"Advanced" queuing? That's just simple queues...

The server can queue up to 64k requests, and then pull requests out of the queue for processing. This queue size can be increased, but it's generally not a good idea, because there are usually other factors that mean a large queue won't help. i.e. see below.

> If advanced queuing functionality is available, can you point me to some
> documentation on this feature?

There's no documentation, because it "just works". I fail to understand why some software has a configuration that says "please don't die under heavy load".

See also: http://freeradius.org/features/scalability.html

As a side note, do some performance tests on your system. If the maximum authentication rate is 100 requests/s (say because of a database), then it will take 600 seconds to authenticate 60,000 users. At that point, you might look into running multiple machines.

Alan DeKok.
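The figures in the reply above (60,000 users, 100 requests/s, a 64k queue) can be run through a toy simulation to show one way a larger queue fails to help. This is an added example, not part of the thread and not FreeRADIUS's own request handling; the function name, the 30-second client retry interval and the absence of duplicate detection or request expiry are assumptions of the model.

```python
from collections import deque


def simulate_storm(users, rate, queue_cap, client_timeout, horizon):
    """Toy model of a login storm against a bounded FIFO queue.

    Assumptions (constructed for this example): every client that is still
    unauthenticated sends one request at the start of each `client_timeout`
    second epoch; the server answers `rate` requests/s from the head of the
    queue; a reply only counts if it is produced in the epoch the request
    was sent, otherwise the client has already given up on it.
    Returns (authenticated_users, wasted_replies) after `horizon` seconds.
    """
    per_epoch = int(rate * client_timeout)   # replies produced per epoch
    queue = deque()                          # (epoch_sent, client), oldest first
    waiting = list(range(users))             # clients not yet authenticated
    done = set()
    wasted = 0
    for epoch in range(int(horizon // client_timeout)):
        # Arrival: clients retry; anything beyond the queue cap is dropped.
        room = max(queue_cap - len(queue), 0)
        for client in waiting[:room]:
            queue.append((epoch, client))
        # Service: work through the head of the queue for one epoch.
        for _ in range(min(per_epoch, len(queue))):
            sent, client = queue.popleft()
            if sent == epoch and client not in done:
                done.add(client)
            else:
                wasted += 1                  # reply arrives after the client gave up
        waiting = [c for c in waiting if c not in done]
    return len(done), wasted


if __name__ == "__main__":
    # 64k queue: the backlog of stale requests is served first.
    print(simulate_storm(60000, 100, 65536, 30, 600))
    # Queue sized to what can be answered within one client timeout.
    print(simulate_storm(60000, 100, 3000, 30, 600))
```

In this model the deep queue spends the whole 600 seconds answering requests whose clients have already retried, while the short queue finishes all 60,000 users in the 600 seconds the reply calculates.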
FreeRADIUS MIB
I've reviewed the SNMP MIB and I can't find traps for the following events:

* Proxy Failure
* Database Connection Broken
* Restart/HUP

Are these traps available?

Thanks!
Re: Dead Proxy Detection?
Lemaster, Rob wrote:
> Can FreeRADIUS detect and remove dead proxies from the round-robin rotation
> and then add them back after it detects that the proxy is alive again?

Yes. See raddb/proxy.conf

> Can FreeRADIUS automatically set all subscribers to "authenticate all" if all
> proxies are unavailable, and then authenticate normally automatically after
> the proxies come back online?

Yes. See raddb/sites-available/default. Look for Post-Proxy "fail". You can have actions triggered when no home server is available.

Alan DeKok.
Advanced Queuing?
Does FreeRADIUS have any advanced queuing abilities? If we restart a BRAS, it will try to authenticate between 30,000 to 60,000 users all at once. This can crash our RADIUS server. Does FreeRADIUS have any advanced queuing functionality that will enable it to handle this sudden surge of traffic, or should we plan to upgrade our hardware?

If advanced queuing functionality is available, can you point me to some documentation on this feature?

Thanks!
Dead Proxy Detection?
Can FreeRADIUS detect and remove dead proxies from the round-robin rotation and then add them back after it detects that the proxy is alive again?

Can FreeRADIUS automatically set all subscribers to "authenticate all" if all proxies are unavailable, and then authenticate normally automatically after the proxies come back online?

If these settings are available, can you reply with a link for more information?

Thanks!
Re: 2.0.2 Radius stop work with Error...
banga wrote:
> After detail debug I have found that sometimes Radius tries to insert more
> than 50 Updates/sec.

That shouldn't be a problem. I've successfully tested it with 5000 requests per second.

> [EMAIL PROTECTED]:# grep ": Acct-U" failure.log | wc -l
> 59
> [EMAIL PROTECTED]:#
>
> So it really HI Load.

I'm not sure I agree.

> I use next settings:
...
> Wed Mar 12 05:45:14 2008 : Debug: max_requests_per_server = 8192

Set this to zero.

> Maybe I'm wrong with "thread settings" or it's better to decrease number of
> SQL sock.

If you decrease the number of SQL sockets, the problem will get worse.

> In any case Radius should not die anyway. Isn't it?

Isn't that what I said?

> My system :
> Kernel 2.6.22, 2G RAM, Xeon 2.00 Ghz.
> Is that parameters enough to process 50-100 SQL updates/sec ?

It should be fine.

Alan DeKok.