Re: Problem with authentication with rlm_perl

2008-03-15 Thread Phil Mayers

++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop


You've removed the PAP module from the sites-available/default 
"authorize" stanza, so this happens:


auth: No authenticate method (Auth-Type) configuration found for the 


Put the "pap" module back where it was.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
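
The failure described in the reply above can be spotted mechanically in `radiusd -X` debug output. The following Python is an added example, not part of the original thread or of FreeRADIUS itself; the `diagnose` function is hypothetical and the sample lines are constructed, modelled on the debug lines quoted above.

```python
import re

# "++[module] returns rcode" lines, as printed per module in debug mode.
MODULE_LINE = re.compile(r"^\s*\++\[(?P<name>[^\]]+)\]\s+returns\s+(?P<rcode>\w+)")
# Prefix of the error quoted in the reply (the rest of the line is cut off there).
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"

# Constructed sample: the preprocess and perl lines are assumptions; the last
# four lines follow the ones quoted in the thread.
SAMPLE_DEBUG = """\
++[preprocess] returns ok
++[perl] returns ok
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
"""


def diagnose(debug_text, expected=("pap",)):
    """Summarise one request's authorize phase from debug output.

    Returns the modules that ran (with return codes), whether the server
    reported that no Auth-Type was set, and which expected modules never
    appeared before that point.
    """
    modules = []
    missing_auth_type = False
    for line in debug_text.splitlines():
        if NO_AUTH_TYPE in line:
            missing_auth_type = True
            break  # later module lines belong to reject handling
        match = MODULE_LINE.match(line)
        if match:
            modules.append((match.group("name"), match.group("rcode")))
    ran = {name for name, _ in modules}
    absent = [name for name in expected if name not in ran]
    return {
        "modules": modules,
        "missing_auth_type": missing_auth_type,
        "absent": absent,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_DEBUG)
    if result["missing_auth_type"] and result["absent"]:
        print("No Auth-Type set; not seen in authorize:", ", ".join(result["absent"]))
```
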


Problem with authentication with rlm_perl

2008-03-15 Thread johnson elangbam
Hi,
I am using FreeRADIUS 2.0. I want to try to authenticate with the perl
module. I've done all the necessary configuration in the sites-enabled/default
directory and in radiusd.conf, and it reads my perl script when running my
radius. Unfortunately, my radius server rejects all the time, no matter that
I've put the return value rlm_module_ok in my perl script. Please tell me
whether there are any other things I have to do to authenticate the username
from the perl module.

Here is the output after running the radius server in debugging mode

FreeRADIUS Version 2.0.2, for host i686-pc-linux-gnu, built on Feb 25 2008
at 09:51:36
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_perl
 Module: Instantiating perl
  perl {
module = "/usr/local/etc/raddb/example.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
  }
  perl {
max_clones = 32
start_clones = 32
min_spare_clones = 0
max_spare_clones = 32
cleanup_delay = 5
max_request_per_clone = 0
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
wit

Re: FreeRADIUS MIB

2008-03-15 Thread Alan DeKok
Lemaster, Rob wrote:
> I've reviewed the SNMP MIB and I can't find traps for the following events:
> 
> * Proxy Failure
> * Database Connection Broken
> * Restart/HUP
> 
> Are these traps available?

  No.  You can catch proxy failures via other methods (see previous
message).

  For the others, it's possible, but not currently implemented.  As
always, patches are welcome.

  Alan DeKok.


Re: Advanced Queuing?

2008-03-15 Thread Alan DeKok
Lemaster, Rob wrote:
> Does FreeRADIUS have any advanced queuing abilities? If we restart a BRAS, it 
> will try to authenticate between 30,000 and 60,000 users all at once. This can 
> crash our RADIUS server. Does FreeRADIUS have any advanced queuing 
> functionality that will enable it to handle this sudden surge of traffic, or 
> should we plan to upgrade our hardware? 

  "Advanced" queuing?  That's just simple queues...

  The server can queue up to 64k requests, and then pull requests out of
the queue for processing.  This queue size can be increased, but it's
generally not a good idea, because there are usually other factors that
mean a large queue won't help.  i.e. see below.

> If advanced queuing functionality is available, can you point me to some 
> documentation on this feature?

  There's no documentation, because it "just works".  I fail to
understand why some software has a configuration that says "please don't
die under heavy load".

  See also:

http://freeradius.org/features/scalability.html

  As a side note, do some performance tests on your system.  If the
maximum authentication rate is 100 requests/s (say because of a
database), then it will take 600 seconds to authenticate 60,000 users.
At that point, you might look into running multiple machines.

  Alan DeKok.


FreeRADIUS MIB

2008-03-15 Thread Lemaster, Rob
I've reviewed the SNMP MIB and I can't find traps for the following events:

*   Proxy Failure
*   Database Connection Broken
*   Restart/HUP

Are these traps available?
Thanks!



Re: Dead Proxy Detection?

2008-03-15 Thread Alan DeKok
Lemaster, Rob wrote:
> Can FreeRADIUS detect and remove dead proxies from the round-robin rotation 
> and then add them back after it detects that the proxy is alive again? 

  Yes.  See raddb/proxy.conf

> Can FreeRADIUS automatically set all subscribers to "authenticate all" if all 
> proxies are unavailable, and then authenticate normally automatically after 
> the proxies come back online?

  Yes.  See raddb/sites-available/default.  Look for Post-Proxy "fail".
 You can have actions triggered when no home server is available.

  Alan DeKok.


Advanced Queuing?

2008-03-15 Thread Lemaster, Rob
Does FreeRADIUS have any advanced queuing abilities? If we restart a BRAS, it 
will try to authenticate between 30,000 and 60,000 users all at once. This can 
crash our RADIUS server. Does FreeRADIUS have any advanced queuing 
functionality that will enable it to handle this sudden surge of traffic, or 
should we plan to upgrade our hardware? 
 
If advanced queuing functionality is available, can you point me to some 
documentation on this feature?
 
Thanks!



Dead Proxy Detection?

2008-03-15 Thread Lemaster, Rob
Can FreeRADIUS detect and remove dead proxies from the round-robin rotation and 
then add them back after it detects that the proxy is alive again? 
 
Can FreeRADIUS automatically set all subscribers to "authenticate all" if all 
proxies are unavailable, and then authenticate normally automatically after the 
proxies come back online?
 
If these settings are available, can you reply with a link for more information?
 
Thanks!



Re: 2.0.2 Radius stop work with Error...

2008-03-15 Thread Alan DeKok
banga wrote:
> After detail debug I have found that sometimes Radius tries to insert more
> than 50 Updates/sec.

  That shouldn't be a problem.  I've successfully tested it with 5000
requests per second.

> [EMAIL PROTECTED]:# grep ": Acct-U" failure.log | wc -l
> 59
> [EMAIL PROTECTED]:#
> 
> So it is really high load.

  I'm not sure I agree.

> I use next settings:
...
> Wed Mar 12 05:45:14 2008 : Debug:   max_requests_per_server = 8192

  Set this to zero.

> Maybe I'm wrong with "thread settings" or it's better to decrease the number of
> SQL sock.

  If you decrease the number of SQL sockets, the problem will get worse.

> In any case Radius should not die anyway. Isn't it?

  Isn't that what I said?

> My system :
> Kernel 2.6.22, 2G RAM, Xeon 2.00 GHz. 
> Are those parameters enough to process 50-100 SQL updates/sec?

  It should be fine.

  Alan DeKok.