Re: reply messages in access-reject

2009-03-06 Thread Hegedus Gabor

Hegedus Gabor wrote:

Hi, I have a question.

How can I send attributes (for example Reply-Message, CVPN3000, ...) in an
Access-Reject packet?
I tried to put my exec into the post-auth section Post-Auth-Type
REJECT {}, but in this section radius doesn't send the attributes in the
reject packet.

Radius sends them only if I run the exec program in the files module:

DEFAULT NAS-Port-Type == "Virtual", Autz-Type = "LDAP"
   exec-program-wait ="/usr/local/etc/raddb/scripts/vpn.php"

debug:

Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
++? if (NAS-Port-Type=="Virtual")
? Evaluating (NAS-Port-Type=="Virtual") -> TRUE
++? if (NAS-Port-Type=="Virtual") -> TRUE
++- entering if (NAS-Port-Type=="Virtual") {...}
[script-bad]expand: %{User-Name} -> test
[sctipt-bad]expand: %{User-Password} -> test
Exec-Program output: CVPN3000-IPSec-Banner2 = 'sorry',
Exec-Program-Wait: value-pairs: CVPN3000-IPSec-Banner2 = 'sorry',
Exec-Program: returned: 0
+++[script-bad] returns ok
++- if (NAS-Port-Type=="Virtual") returns ok
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 79 to 192.168.1.1 port 1147
Waking up in 4.9 seconds.
Cleaning up request 7 ID 79 with timestamp +388
Ready to process requests.


What is wrong?
What is the solution?


thank you!
br
Gabor


-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

Any idea?


Re: No MySQL queries with freeradius 2.x from Lenny

2009-03-06 Thread Denny Schierz
hi,

sorry for my late answer: in short:

On Thursday, 05.03.2009, 10:05 +0100, t...@kalik.net wrote:

> Queries are in raddb/sql/mysql/dialup.conf. Have you made changes to that
> file?

no, I had commented it out myself ... bad idea. Undoing it was the
trick. :-)

My long answer follows later, especially "Password" and "Plain-Password"
in DB

cu denny



Re: failed to receive Accounting Response

2009-03-06 Thread tnt
>but cisco log about accounting evrytime send message like this
>
>Mar  6 08:57:48 192.168.255.10 210: 000207: Mar  6 08:57:48 MSK:
>   %RADIUS-3-NOACCOUNTINGRESPONS
>Stop for session 0074 failed to receive Accounting Response.
>

You are wondering about accounting on your radius server - but you have
posted the log from your NAS. How about the debug from the radius server?

Ivan Kalik
Kalik Informatika ISP



Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
Hi,
I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) 
so please have patience.
I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to 
authenticate against Active Directory using ntlm-auth.
All working OK.
Now I'm trying to return different reply attributes depending on Active 
Directory group membership and restrict which groups can authenticate. Ldap 
lookups against the active directory root fail with operation error. 
Reconfiguring Active Directory is not a viable option so I have to specify an 
OU= in the query. I have configured two instances of the ldap module for 
authorisation, one to query the staff ou and the other to query the student ou. 
Both work OK for valid queries but if the user does not exist in the ou the 
server still authenticates the username/password and grants access if valid. 
Relevant debug output:

rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with 
filter (sAMAccountName=stafftest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap_student" returns notfound for request 8
modcall: leaving group student (returns notfound) for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list

...

 rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 104 to 10.127.240.217 port 1645
 
Relevant bits of radiusd.conf:

ldap ldap_student{
server = "server.hud.ac.uk"
identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"
password = secret
port = 636
basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk"
filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
start_tls = no

   access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
 groupname_attribute = cn
 groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
}



instantiate {
exec
expr
ldap_staff
ldap_student
}

authorize {
preprocess
mschap
suffix
eap
Autz-Type staff{
ldap_staff
}
Autz-Type student{
ldap_student
}
files
}

authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}

I want to reject the user if they are not in the relevant ou. I must be missing 
something obvious. Can anyone help please?

Thanks in advance,
Leighton

 



Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Nicolas Goutte


On 06.03.2009 at 12:20, Leighton Man wrote:



ldap ldap_student{
server = "server.hud.ac.uk"
identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"
password = secret

Try using := instead of = or ==. You have to assign the password, not
compare to it. Also, perhaps you should use Cleartext-Password if the
password is in clear here.






Nicolas Goutte




Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread tnt
>I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) 
>so please have patience.
>I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to 
>authenticate against Active Directory using ntlm-auth.
>All working OK.
>Now I'm trying to return different reply attributes depending on Active 
>Directory group membership and restrict which groups can authenticate. Ldap 
>lookups against the active directory root fail with operation error. 
>Reconfiguring Active Directory is not a viable option so I have to specify an 
>OU= in the query. I have configured two instances of the ldap module for 
>authorisation, one to query the staff ou and the other to query the student 
>ou. Both work OK for valid queries but if the user does not exist in the ou 
>the server still authenticates the username/password and grants access if 
>valid.

You need to upgrade to 2.x and use unlang. See man unlang on freeradius
site. You need something like:

if Ldap-Group == staff { do something }
elsif Ldap-Group == student { do something else}
else update control { to reject }

Ivan Kalik
Kalik Informatika ISP

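Written out as a complete authorize section, as an added example rather than code from Ivan's post: it follows his sketch for FreeRADIUS 2.x and assumes a single ldap module instance named "ldap" (so rlm_ldap exposes the Ldap-Group comparison under that name), AD groups named "staff" and "student", and placeholder Filter-Id values. With PEAP/MS-CHAPv2 the group checks belong in the inner-tunnel virtual server, where the tunnelled User-Name is visible.

```unlang
# Added example, not from the list post. Assumptions: one ldap instance
# named "ldap", group names "staff" and "student", placeholder Filter-Ids.
authorize {
    preprocess
    mschap
    suffix
    eap

    # Looks the user up and sets Ldap-UserDn, which the
    # groupmembership_filter references.
    ldap

    if (Ldap-Group == "staff") {
        update reply {
            Reply-Message := "Welcome, staff"
            Filter-Id := "staff-acl"
        }
    }
    elsif (Ldap-Group == "student") {
        update reply {
            Reply-Message := "Welcome, student"
            Filter-Id := "student-acl"
        }
    }
    else {
        # In neither group: reject even though ntlm_auth would
        # accept the password on its own.
        update control {
            Auth-Type := Reject
        }
    }

    files
}
```

Reply attributes added before the reject are dropped by attr_filter.access_reject in the default post-auth REJECT section, which is the intended behaviour for rejected users.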


Re: Freeradius with CoA

2009-03-06 Thread M K
Thank you for your answers. I've solved my problem, but now I have another
one. Does anybody know whether the freeradius server can receive CoA requests
(using port 3799 or 1700) according to RFC 3576? And how can I configure it if
it does?

2009/3/4 Evgeniy Kozhuhovskiy 

> M K wrote:
>
>> Hello all!
>>
>> I have freeradius 2.1.3 installed on my FreeBSD 7.1 OS. And i have cisco
>> 7201 with ISG module. When i try to send CoA (Change of authorization)
>> account-logon request like this
>>
>> /bin/echo
>> "User-Name='cisco',User-Password='cisco',cisco-avpair='subscriber:command=account-logon',Cisco-Account-Info='S172.16.xx.xx'"
>> | /usr/local/bin/radclient -x 172.16.yy.yy coa secret
>>
>
>
> http://www.cisco.com/en/US/docs/ios/12_2sb/isg/coa/guide/isgcaapb.html#wp1009738
> The following example is a typical Service Active profile:
> Service = Framed
>  Cisco: Account-Info = "S12.1.1.2
>  Cisco: Service-Info = "Ncoa_service"
>  Cisco: Command-Code = "0bservice_coa"
> where 0b is symbol with 0xb code.
> i.e.
>#define IP "192.168.10.50"
>int c = 0xb;
>printf("Cisco-Command-Code = '%cP1024x512_SERVICE'\n",c);
>printf("Cisco-Account-Info = S%s\n", IP);
>
>
> --
> With best regards, Evgeniy Kozhuhovskiy
> Leader, Services team
> Minsk State Phone Network, RUE Beltelecom.

Re: Freeradius with CoA

2009-03-06 Thread Alan DeKok
M K wrote:
> Thank you for your answers. I've solved my problem, but now i have
> another one. Does anybody know, can freeradius server recieve CoA
> requests (using port 3799 or 1700) according to the rfc 3576? And how
> can i configure it if it does?

  It does not receive CoA requests.  If it did, this would be documented
in radiusd.conf.

  Maybe in a few months.

  Alan DeKok.



Re: Variables' content as a reply

2009-03-06 Thread Augusto G. Andreollo
> Where does the cookbook say that you should put that in ldap.attrmap?
> Where are those radius attributes defined? Some additional dictionary?
This part is not from the cookbook, it's something we intend to use
internally here at the university. The setup is based on the eduroam
guide, though, except for these attributes and the need to return the
inner User-Name on the outside of the tunnel.

> >
> 
> Why don't you map those in ldap.attrmap.
That had actually never occurred to me. I thought ldap.attrmap was used
to create the variables and populate them with values, but it never
occurred to me to use it just for attribution. That has worked flawlessly,
thank you.

Just so it's posted on the list, my solution in this case is as follows:
on ldap.attrmap:
[...]
replyItem University-LDAP-organizationUnit ou
replyItem University-LDAP-departmentNumber departmentNumber
replyItem University-LDAP-affiliation  eduPersonPrimaryAffiliation
[...]

> >
> >on the inner-tunnel configuration file:
> >> post-auth {
> >> update outer.reply {
> >> User-Name := %{reply:User-Name}
> >> University-LDAP-departmentNumber := 
> >> %{rLDAPdepartmentNumber}
> >> }
> 
> That should be:
> 
>  User-Name := '%{reply:User-Name}'
>  University-LDAP-departmentNumber :=
> '%{rLDAPdepartmentNumber}'

Now, this is still not working:

having it as User-Name := '%{reply:User-Name}' still gives me an
Access-Accept with text instead of variable value.
Also, using double quotes yields the exact same result.


> Sending Access-Accept of id 127 to xx.xx.xx.xx port 32785
> User-Name = "%{reply:User-Name}"
> University-LDAP-organizationUnit = "cc"
> University-LDAP-affiliation = "staff"
> University-LDAP-departmentNumber = "20.5.2.4.0.0.0"
> MS-MPPE-Recv-Key = 
> 0xecf20a153c749b7fa673b83360456fc9d5eb3080eaacdce7034dc6a69fe3ec3a
> MS-MPPE-Send-Key = 
> 0x19632e43f61546fc38a26e0e71ef134ecd45dae99873af6040606bc2772bbd75
> EAP-Message = 0x03190004
> Message-Authenticator = 0x
> Finished request 6.

My need is to return the inner username (from within the TTLS tunnel) to
the outside of the Access-Accept response. Is there any other, simpler
way of doing this that I'm not aware of?

Thanks again for the help

> 
> Ivan Kalik
> Kalik Informatika ISP

Guto



Re: proxy acct records best practices

2009-03-06 Thread TR Missner
Sorry I wasn't more clear. I am not using 1.x, but most of the documentation
refers to how things were done in 1.x and because of this means nothing to
me.
I am not using syslog.
Accounting packets are being written to disk using the detail function.
Then I am shipping them off to the other radius by setting the listen object
on the detail file.
Even with load_factor set to 100 the speed at which the detail is read is
very slow.
There are some notes in the copy-acct-to-home-server example that talk about
automatic throttling of the reads depending on the backend. This is what led
me to question latency.

Is there any way to speed up the reading and shipping of acct records to
another FR instance?

Thanks again.

TR

On Fri, Mar 6, 2009 at 2:39 AM, Alan DeKok wrote:

> TR Missner wrote:
> > I am a new user of freeradius ( no experience with the 1.x version at all
> ).
>
>   Don't use 1.x.  Use the latest version.
>
> > I am in the process of setting up radius for accounting of voip records.
> > Due to the nature of my system blocking must be avoided at all costs.
> > With this in mind I have configure FR to write accounting records
> > locally to a file then I have the records proxied to a remote freeradius
> > instance where the  records are written to a database.
> > My question revolves around best practices and speed.
> > Reading and shipping the records off box is very slow ( somewhere around
> > 5 - 10 records per second ).
>
>   You've configured the server to use syslog.  Don't.  Syslog on some
> systems is limited to 5-10 log entries per second.  This is because it
> syncs the logs to disk after each line of text.
>
> > I believe this may be caused by the latency between the proxy and the
> > master which is around 150ms.
>
>   No.
>
> > Of course I could just insert the records in the DB across the WAN but
> > am not sure whether this would be any faster.
> > I'm convinced latency is the issue because even when I turn off the
> > databasing of records on the master and only write to flat files the
> > speed remains in the same range.
>
>   syslog.
>
>  Alan DeKok.

RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
 
Many thanks for this. I'm using 1.1.7 because it's available as a pre-built 
package on solaris for both sparc and x86 architectures. The idea is to get 
freeradius configured and working as fast as possible so it can be demo'd to 
management (I'm trying to retire Cisco ACS). Then to test it on x86 standard 
build which is being developed in parallel. Then, if all works, upgrade to 
latest version.
Version 2.1.3 won't compile on my solaris box and the problem looks, to me, 
non-trivial. (dict.c:83: error: `PW_TYPE_STRING' undeclared here (not in a 
function))

Is there any way to do what I want without upgrading?

Regards,

Leighton
 



Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Alan DeKok
Leighton Man wrote:
> Many thanks for this. I'm using 1.1.7 because it's available as a pre-built 
> package on solaris for both sparc and x86 architectures. The idea is to get 
> freeradius configured and working as fast as possible so it can be demo'd to 
> management (I'm trying to retire Cisco ACS). Then to test it on x86 standard 
> build which is being developed in parallel. Then, if all works, upgrade to 
> latest version.
> Version 2.1.3 won't compile on my solaris box and the problem looks, to me, 
> non-trivial. (dict.c:83: error: `PW_TYPE_STRING' undeclared here (not in a 
> function))

  Huh?  It compiles on 3-4 different Solaris boxes that I have access to.

  Did you run "make" from the TOP directory, or by cd'ing to src/lib?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man

Tried "gmake" from the top directory and "gcc -g -O2 -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS 
-I/export/home/cmsxljm/freeradius-server-2.1.3/src -c dict.c  -fPIC -DPIC -o 
.libs/dict.o" (copy and paste from the gmake output) from the src/libs 
directory. Same error both times.

Leighton
 



Re: Variables' content as a reply

2009-03-06 Thread tnt
>Now, this is still not working:
>
>having it as User-Name := '%{reply:User-Name}' still gives me an
>Access-Accept with text instead of variable value.
>Also, using double quotes yields the exact same result.
>
>
>> Sending Access-Accept of id 127 to xx.xx.xx.xx port 32785
>> User-Name = "%{reply:User-Name}"
>> University-LDAP-organizationUnit = "cc"
>> University-LDAP-affiliation = "staff"
>> University-LDAP-departmentNumber = "20.5.2.4.0.0.0"
>> MS-MPPE-Recv-Key = 
>> 0xecf20a153c749b7fa673b83360456fc9d5eb3080eaacdce7034dc6a69fe3ec3a
>> MS-MPPE-Send-Key = 
>> 0x19632e43f61546fc38a26e0e71ef134ecd45dae99873af6040606bc2772bbd75
>> EAP-Message = 0x03190004
>> Message-Authenticator = 0x

Sorry, it's "%{reply:User-Name}". From man unlang about strings:

"Double-quoted strings are expanded by inserting the value of any
variables (see VARIABLES, below) before being evaluated. If the result
is a number it is evaluated in a numerical context.

..

Single-quoted strings are evaluated as-is. Their values are not expanded
as with double-quoted strings above, and they are not interpreted as
attribute references."

Ivan Kalik
Kalik Informatika ISP



RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread tnt
>
>Is there any way to do what I want without upgrading?
>

You can try users file:

DEFAULT   Ldap-Group == staff
 some reply

DEFAULT   Ldap-Group == student
 some other reply

DEFAULT   Auth-Type := Reject

That should be at the end of the users file (i.e. anything below this will
never match) and you need to fall through if there are other users file
entries. These can't have Fall-Through.

Ivan Kalik
Kalik Informatika ISP



Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Alan DeKok
Leighton Man wrote:
> Tried "gmake" from the top directory and "gcc -g -O2 -D_REENTRANT 
> -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS 
> -I/export/home/cmsxljm/freeradius-server-2.1.3/src -c dict.c  -fPIC -DPIC -o 
> .libs/dict.o" (copy and paste from the gmake output) from the src/libs 
> directory. Same error both times.

  Hmm... would it be possible to have to give *more* output? i.e. start
from a fresh directory:

$ tar -zxf freeradius-server-2.1.3.tar.gz
$ cd freeradius-server 2.1.3
$ ./configure
$ gmake

  And show the errors (not the dozens of lines saying "building foo", or
the last dozen lines saying "error"), but the real informative errors
about building dict.c, and what errors were encountered building dict.c.

  The only way I can see that error happening is if the source and/or
build process is broken.

  Alan DeKok.


RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man

From the beginning:

rm -rf freeradius-server-2.1.3
tar xvf freeradius-server-2.1.3.tar (it's already been unzipped with "gzip -d")
cd freeradius-server-2.1.3
./configure | grep configure

...Lots of output including:
configure: WARNING: pcap library not found, silently disabling the RADIUS 
sniffer.
config.status: WARNING:  ./Make.inc.in seems to ignore the --datarootdir setting
config.status: WARNING:  ./src/include/build-radpaths-h.in seems to ignore the 
--datarootdir setting
configure: WARNING: silently not building rlm_counter. 
configure: WARNING: FAILURE: rlm_counter requires:  libgdbm.
configure: WARNING: EVP_sha256 not found, may have issues wirh WiMAX 
certificates
configure: WARNING: the TNCS libraryconfigure: WARNING: silently not building 
rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires:  libgdbm. isn't found!
configure: WARNING: silently not building rlm_perl.
configure: WARNING: FAILURE: rlm_perl requires:  EXTERN.h perl.h libperl.so.
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires:  -lTNCS.
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires:  libeap-ikev2 
EAPIKEv2/connector.h.
configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.h.configure: WARNING: 
silently not building rlm_python.
configure: WARNING: FAILURE: rlm_python requires:  Python.h libpython2.3.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: oracle headers not found.  Use 
--with-oracle-home-dir=.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

Then:

gmake

Got the error about undefined symbol SUN_LEN
Edited src/include/radiusd.h

Gmake

...and it all compiles OK.
Not sure what I did wrong the first time but many thanks for your help.

Leighton
 



Re: proxy acct records best practices

2009-03-06 Thread Alan DeKok
TR Missner wrote:
> Accounting packets are being written to disk using the detail function.
> Then I am shipping them off to the other radius by setting the listen
> object on the detail file.

  That should be fine.

> Even with load_factor set to 100 the speed at which the detail is read
> is very slow.
> There are some notes in the copy-acct-to-home-server example that talk
> about automatic throttling of the reads depending on the backend. This
> is what led me to question latency.

  It might be a latency issue.

> Is there any way to speed up the reading and shipping of acct records to
> another FR instance?

  Find out what the delay is, and fix it.

  I think we can add time statistics to a future version of the server:
 e.g. Where is it spending time?  Which module?  How fast does a home
server respond?

  That kind of information can be used to debug this sort of issue.

  Alan DeKok.


Re: Production servers num_sql_socks

2009-03-06 Thread Kenneth Marshall
On Thu, Mar 05, 2009 at 09:19:19AM -0600, Ben Wiechman wrote:
> We set num_sql_socks to 25. We had them set to 10 but ran into issues when
> massive numbers of subscribers were attempting to enter the network at once
> - for example when we would power cycle a base station with 400 subscribers
> on it for maintenance. 
> 
> Ben Wiechman
> 
> Stelio Gouveia wrote (Thursday, March 05, 2009 8:55 AM):
> 
> I've read a few posts about increasing this value when " There are no DB
> handles to use" occur. Not sure if it's a good idea.
> 
> Granted your DB is fast enough to query quickly.
> Upping this value on a slow DB will severely degrade performance.
> 
> What's sort of values are you guys using for production servers?
> 
> -- 
> Regards
> Stelio Gouveia

The value depends on three inter-dependent factors:

1. the time to answer a query by your DB backend
2. how many queries can be handled reasonably by your backend
3. your request rate

Typically, there is a sweet spot, performance-wise for this
setting. If your backends are not available when needed, you
will have people unable to connect. If you increase the number
above which your backend DB can safely handle, you will have
a total service outage in a high load situation. A load test
with your setup is the best option. Good luck.

Cheers,
Ken


Re: failed to receive Accounting Response

2009-03-06 Thread Николай Г. Петров

Of course I also debugged the information from the radius server:

netstat -an -p udp:
udp4 0 0 *.1814 *.*
udp4 0 0 *.1813 *.*
udp4 0 0 *.1812 *.*

radiusd.conf:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.1.3
pidfile = ${run_dir}/${name}.pid
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
syslog_facility = daemon
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
#$INCLUDE sql/postgresql/counter.conf
#$INCLUDE sqlippool.conf
# $INCLUDE otp.conf
}
instantiate {
exec
expr
expiration
logintime
#redundant redundant_sql {
# sql1
# sql2
#}
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/default
$INCLUDE sites-enabled/inner-tunnel
$INCLUDE sites-available/status

Here is what happens when freeradius users log in to the cisco:

rad_recv: Access-Request packet from host 192.168.255.10 port 1812, 
id=160, length=78

NAS-IP-Address = 192.168.255.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "userA"
Calling-Station-Id = "192.168.255.116"
User-Password = "passwA"
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[unix] returns notfound
[files] users: Matched entry userA at line 9
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "passwA"
[pap] Using clear text password "passwA"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [userA/passwA] (from client csp port 1 cli 192.168.255.116)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 160 to 192.168.255.10 port 1812
Service-Type = Administrative-User
Cisco-AVPair = "shell:priv-lvl=15"
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813, 
id=161, length=94

NAS-IP-Address = 192.168.255.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "userA"
Calling-Station-Id = "192.168.255.116"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
Acct-Session-Id = "008D"
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 
192.168.255.10,NAS-IP-Address = 192.168.255.10,Acct-Session-Id = 
"008D",User-Name = "userA"'

[acct_unique] Acct-Unique-Session-ID = "e2a4910d828919b0".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> 
/var/log/radacct/192.168.255.10/detail-20090306
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radacct/192.168.255.10/detail-20090306

[detail] expand: %t -> Fri Mar 6 11:43:15 2009
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
++[unix] returns fail
Finished request 5.
Cleaning up request 5 ID 161 with timestamp +65
Going to the next request
Waking up in 4.9 seconds.


When I type any command on the cisco shell:

  - in debug mode on freeradius: NOTHING
  - cisco generates only one message like this:
"%RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 
008D failed to receive Accounting Response"



When the user logs off from the cisco:

rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813, 
id=174, length=106

NAS-IP-Address = 192.168.255.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "userA"
Calling-Station-Id = "192.168.255.116"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = NAS-

Re: failed to receive Accounting Response

2009-03-06 Thread tnt
>++[detail] returns ok
>rlm_counter: We only run on Accounting-Stop packets.
>++[daily] returns noop
>++[unix] returns fail
>Finished request 5.

unix module is failing. If you are not using it comment it out from the
accounting section.

Ivan Kalik
Kalik Informatika ISP



Re: failed to receive Accounting Response

2009-03-06 Thread Николай Г. Петров
OK, I commented out the whole unix section in site-enable/default, but the result is the 
same!


In the picture below I turned on debug on the cisco for accounting, so the 
cisco works correctly, but the radius server does not receive the Accounting-Request? Why?


001534: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): Port='tty2' 
list='' service=EXEC

001535: Mar  6 22:38:57: AAA/AUTHOR/EXEC: tty2 (3942780195) user='userA'
001536: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): send AV 
service=shell

001537: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): send AV cmd*
001538: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): found list 
"default"
001539: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): 
Method=radius (radius)
001540: Mar  6 22:38:57: AAA/AUTHOR (3942780195): Post authorization 
status = PASS_ADD

001541: Mar  6 22:38:57: AAA/AUTHOR/EXEC: Processing AV service=shell
001542: Mar  6 22:38:57: AAA/AUTHOR/EXEC: Processing AV cmd*
001543: Mar  6 22:38:57: AAA/AUTHOR/EXEC: Processing AV priv-lvl=1
001544: Mar  7 01:39:17 MSK: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting 
message Start for session 00FB failed to receive Accounting Response.

001545: Mar  6 22:39:34: AAA/ACCT/CMD: User userA, Port tty2, Priv 1:
"ping 192.168.101.147 "
001546: Mar  6 22:39:34: AAA/ACCT/CMD: Found list "default"
001547: Mar  6 22:39:34: AAA/ACCT: user userA, acct type 3 (2924816630): 
Method=radius (radius)



RE: Reject problems w/ v 2.1.3

2009-03-06 Thread Chhaya, Harshal
Alan DeKok wrote:
>>  "00093701a89d" Cleartext-Password == "66e3c1cd773f487d"
>
>   Use:
> "00093701a89d" Cleartext-Password := "66e3c1cd773f487d"

Holy cow! That was it!! And to think that I spent days
looking at config files and log files before I thought 
of posting to this list.

Thank you Alan for your awesome help.

Regards,
- Harshal

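Following on from the `==` / `:=` fix in this thread, here is an added example (not from the thread or from the FreeRADIUS project) that lints a `users` file for password check items written with `==`; the attribute set and the sample file content are my own assumptions and constructions.

```python
"""Lint a FreeRADIUS 2.x 'users' file for password check items written with
'==' (compare against the request) instead of ':=' (set as a control item).
Added example, not FreeRADIUS code; the sample file content is constructed."""
import re

# Password attributes live in the control list and never arrive in an
# Access-Request, so "Attr == value" on the check line can never match and the
# entry silently falls through to a reject. ":=" sets the control item instead.
# (Assumed set of attribute names for this example.)
PASSWORD_ITEMS = {"Cleartext-Password", "Crypt-Password", "NT-Password",
                  "LM-Password", "MD5-Password", "SHA-Password"}

# First line of an entry: a (possibly quoted) name or DEFAULT, then check items.
HEAD_RE = re.compile(r'^("[^"]*"|\S+)\s+')
# One check item: Attribute <op> value; alternation keeps '==' ahead of '='.
ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*(:=|==|!=|=~|!~|\+=|<=|>=|=)\s*("[^"]*"|[^,\s]+)')


def lint_users_file(text):
    """Return (line_no, attribute, corrected_line) for every password check
    item that uses '==' where ':=' is required."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        # Reply items sit on indented continuation lines; only check lines
        # start in column 0.
        if not line or line[0].isspace():
            continue
        head = HEAD_RE.match(line)
        if not head:
            continue
        for m in ITEM_RE.finditer(line, head.end()):
            attr, op = m.group(1), m.group(2)
            if attr in PASSWORD_ITEMS and op == "==":
                fixed = line[:m.start(2)] + ":=" + line[m.end(2):]
                findings.append((no, attr, fixed))
    return findings


# Constructed sample users file: the first entry carries the bug from the thread.
USERS_SAMPLE = '''# sample (constructed)
"00093701a89d" Cleartext-Password == "66e3c1cd773f487d"
\tService-Type = Framed-User
userA Cleartext-Password := "passwA"
\tService-Type = Administrative-User,
\tCisco-AVPair = "shell:priv-lvl=15"
DEFAULT NAS-Port-Type == "Virtual", Auth-Type := Reject
'''

if __name__ == "__main__":
    for no, attr, fixed in lint_users_file(USERS_SAMPLE):
        print(f"line {no}: {attr} uses '==' (never matches); use: {fixed}")
```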


Re: failed to receive Accounting Response

2009-03-06 Thread tnt
>OK, I commented out the whole unix section in site-enable/default, but the result is the
>same!
>
>In the picture below I turned on debug on the cisco for accounting, so the
>cisco works correctly, but the radius server does not receive the Accounting-Request? Why?
>
>001534: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): Port='tty2'
>list='' service=EXEC
>001535: Mar  6 22:38:57: AAA/AUTHOR/EXEC: tty2 (3942780195) user='userA'
>001536: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): send AV
>service=shell
>001537: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): send AV cmd*
>001538: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): found list
>"default"
>001539: Mar  6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195):
>Method=radius (radius)
>001540: Mar  6 22:38:57: AAA/AUTHOR (3942780195): Post authorization
>status = PASS_ADD
>001541: Mar  6 22:38:57: AAA/AUTHOR/EXEC: Processing AV service=shell
>001542: Mar  6 22:38:57: AAA/AUTHOR/EXEC: Processing AV cmd*
>001543: Mar  6 22:38:57: AAA/AUTHOR/EXEC: Processing AV priv-lvl=1
>001544: Mar  7 01:39:17 MSK: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting
>message Start for session 00FB failed to receive Accounting Response.
>001545: Mar  6 22:39:34: AAA/ACCT/CMD: User userA, Port tty2, Priv 1:
> "ping 192.168.101.147 "
>001546: Mar  6 22:39:34: AAA/ACCT/CMD: Found list "default"
>001547: Mar  6 22:39:34: AAA/ACCT: user userA, acct type 3 (2924816630):
>Method=radius (radius)
>-

Stop posting cisco debugs. Post the one from radius. In the last log the radius
server received the accounting request but failed to process it. Let's
see what is going on now.

Ivan Kalik
Kalik Informatika ISP



stop old open session and start new..

2009-03-06 Thread Alexandre J. Correa - Onda Internet

Hello,

How can I solve this problem:

sometimes, some users' connections stay "locked" on radius.. and with 
Simultaneous-Use = 1 the result is ...


Fri Mar  6 20:29:11 2009 : Auth: Multiple logins (max 1) [MPP attempt]: 
[alines] (from client Orbit port 256018 cli xxx)
Fri Mar  6 20:29:11 2009 : Auth: Multiple logins (max 1) [MPP attempt]: 
[alines] (from client Orbit port 256018 cli xxx)
Fri Mar  6 20:29:12 2009 : Auth: Multiple logins (max 1) [MPP attempt]: 
[cacildof] (from client Orbit port 256019 cli )
Fri Mar  6 20:29:12 2009 : Auth: Multiple logins (max 1) [MPP attempt]: 
[cacildof] (from client Orbit port 256019 cli )
Fri Mar  6 20:29:17 2009 : Auth: Multiple logins (max 1) [MPP attempt]: 
[arnaldo] (from client Orbit port 256021 cli xxx)
Fri Mar  6 20:29:17 2009 : Auth: Multiple logins (max 1) [MPP attempt]: 
[arnaldo] (from client Orbit port 256021 cli )
Fri Mar  6 20:29:17 2009 : Auth: Multiple logins (max 1) [MPP attempt]: 
[vanessam] (from client Orbit port 256020 cli xxx)



how to disconnect the previous session and create a new one? 


--
Sds.

Alexandre Jeronimo Correa

Onda Internet
www.onda.net.br

Linux User ID #142329

UNOTEL S/A - http://www.unotel.com.br



Re: failed to receive Accounting Response

2009-03-06 Thread Николай Г. Петров
If you mean what happens when I type some command on the cisco shell, I already 
showed you the cisco console (much more); if you mean the radius server, 
then I must disappoint you: there is silence, nothing to do!


If you consider all the debug information on radius important, here it is when the user 
logs in, runs some command and logs off:


rad_recv: Access-Request packet from host 192.168.255.10 port 1812, 
id=91, length=77

   NAS-IP-Address = 192.168.255.10
   NAS-Port = 1
   NAS-Port-Type = Virtual
   User-Name = "userA"
   Calling-Station-Id = "192.168.255.116"
   User-Password = "passwA"
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry userA at line 7
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "passwA"
[pap] Using clear text password "passwA"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [userA/passwA] (from client csp port 1 cli 192.168.255.116)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 91 to 192.168.255.10 port 1812
   Service-Type = NAS-Prompt-User
   Cisco-AVPair = "shell:priv-lvl=1"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813, 
id=92, length=93

   NAS-IP-Address = 192.168.255.10
   NAS-Port = 1
   NAS-Port-Type = Virtual
   User-Name = "userA"
   Calling-Station-Id = "192.168.255.116"
   Acct-Status-Type = Start
   Acct-Authentic = RADIUS
   Service-Type = NAS-Prompt-User
   Acct-Session-Id = "0108"
   Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 
192.168.255.10,NAS-IP-Address = 192.168.255.10,Acct-Session-Id = 
"0108",User-Name = "userA"'

[acct_unique] Acct-Unique-Session-ID = "37c9ff46441cf46b".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand: 
/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> 
/var/log/radacct/192.168.255.10/detail-20090307
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radacct/192.168.255.10/detail-20090307

[detail]expand: %t -> Sat Mar  7 02:26:33 2009
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
[radutmp]   expand: /var/log/radutmp -> /var/log/radutmp
[radutmp]   expand: %{User-Name} -> userA
++[radutmp] returns ok
[sradutmp]  expand: /var/log/sradutmp -> /var/log/sradutmp
[sradutmp]  expand: %{User-Name} -> userA
++[sradutmp] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} -> userA
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 92 to 192.168.255.10 port 1813
Finished request 1.
Cleaning up request 1 ID 92 with timestamp +20
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 91 with timestamp +20
Ready to process requests.
rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813, 
id=93, length=105

   NAS-IP-Address = 192.168.255.10
   NAS-Port = 1
   NAS-Port-Type = Virtual
   User-Name = "userA"
   Calling-Station-Id = "192.168.255.116"
   Acct-Status-Type = Stop
   Acct-Authentic = RADIUS
   Service-Type = NAS-Prompt-User
   Acct-Session-Id = "0108"
   Acct-Terminate-Cause = User-Request
   Acct-Session-Time = 14
   Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 
192.168.255.10,NAS-IP-Address = 192.168.255.10,Acct-Session-Id = 
"0108",User-Name = "userA"'

[acct_unique] Acct-Unique-Session-ID = "37c9ff46441cf46b".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand: 
/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> 
/var/log/radacct/192.168.255.10/detail-20090307
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radacct/192.168.255.10/detail-20090307

[detail]expand: %t -> Sat Mar  7 02:26:47 2009
++[detail] returns ok
rlm_counter: Packet Unique ID = '37c9ff46441cf46b'
rlm_counter: This Service-Type is not allowed. Returning NOOP.
++[daily] returns noop
[radutmp]   expand: /var/log/radutmp -> /var/log/radutmp
[radutmp]   expand: %{User-Name} -> userA
++[radutmp] returns ok
[sradutmp]  ex

Re: failed to receive Accounting Response

2009-03-06 Thread tnt
>If you mean what happens when I type some command on the cisco shell, I already
>showed you the cisco console (much more); if you mean the radius server,
>then I must disappoint you: there is silence, nothing to do!
>
>If you consider all the debug information on radius important, here it is when the user
>logs in, runs some command and logs off:
>

Yes, the radius debug is important. It shows that the radius server is sending
an Accounting-Response now:

>rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813,
>id=92, length=93
>NAS-IP-Address = 192.168.255.10
>NAS-Port = 1
>NAS-Port-Type = Virtual
>User-Name = "userA"
>Calling-Station-Id = "192.168.255.116"
>Acct-Status-Type = Start
>Acct-Authentic = RADIUS
>Service-Type = NAS-Prompt-User
>Acct-Session-Id = "0108"
>Acct-Delay-Time = 0
..
>Sending Accounting-Response of id 92 to 192.168.255.10 port 1813
>Finished request 1.
..
>rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813,
>id=93, length=105
>NAS-IP-Address = 192.168.255.10
>NAS-Port = 1
>NAS-Port-Type = Virtual
>User-Name = "userA"
>Calling-Station-Id = "192.168.255.116"
>Acct-Status-Type = Stop
>Acct-Authentic = RADIUS
>Service-Type = NAS-Prompt-User
>Acct-Session-Id = "0108"
>Acct-Terminate-Cause = User-Request
>Acct-Session-Time = 14
>Acct-Delay-Time = 0
..
>Sending Accounting-Response of id 93 to 192.168.255.10 port 1813
>Finished request 2.

Time to check firewall and routing and find out why it is not getting
back to the NAS.

Ivan Kalik
Kalik Informatika ISP

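The two diagnoses in this thread (a module returning fail in the accounting section, versus a reply that is sent but never reaches the NAS) can be told apart from the radius debug alone. The following is an added example, not code from the thread or from FreeRADIUS, that scans radiusd -X output for requests that finished without a "Sending ... of id N" line; the set of fatal return codes and the sample debug text are constructed.

```python
"""List requests in 'radiusd -X' output that were finished without a reply
being sent, with the modules that returned fail/reject. Added example, not
FreeRADIUS code; the sample debug text is constructed from this thread's format."""
import re

RECV_RE = re.compile(r'^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)')
MOD_RE = re.compile(r'^\++\[([^\]]+)\] returns (\w+)')
SEND_RE = re.compile(r'^Sending (\S+) of id (\d+) to (\S+) port \d+')
# Return codes that abort the section; the server then drops the request
# without replying (for accounting, 'fail' is the usual culprit). Assumed set.
FATAL_RCS = {"fail", "reject", "invalid", "userlock"}


def find_unanswered(debug_text):
    """Return one dict per request for which no 'Sending ... of id N' was seen."""
    by_id, order, current = {}, [], None
    for line in debug_text.splitlines():
        m = RECV_RE.match(line)
        if m:  # new request; -X output is sequential, so it becomes current
            current = {"type": m.group(1), "client": m.group(2), "id": int(m.group(3)),
                       "responded": False, "failed_modules": []}
            by_id[current["id"]] = current
            order.append(current)
            continue
        m = MOD_RE.match(line)
        if m and current is not None:
            if m.group(2) in FATAL_RCS:
                current["failed_modules"].append(m.group(1))
            continue
        m = SEND_RE.match(line)
        if m:  # replies (including delayed rejects) are matched by packet id
            rec = by_id.get(int(m.group(2)))
            if rec is not None:
                rec["responded"] = True
    return [r for r in order if not r["responded"]]


# Constructed excerpt: the first Start is dropped after unix fails, the second is answered.
SAMPLE_DEBUG = """\
rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813, id=161, length=94
++[detail] returns ok
++[daily] returns noop
++[unix] returns fail
Finished request 5.
rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813, id=92, length=93
++[detail] returns ok
++[radutmp] returns ok
Sending Accounting-Response of id 92 to 192.168.255.10 port 1813
Finished request 1.
"""

if __name__ == "__main__":
    for r in find_unanswered(SAMPLE_DEBUG):
        print(f"{r['type']} id={r['id']} from {r['client']}: no reply; "
              f"failing modules: {', '.join(r['failed_modules']) or 'none'}")
```

If the list is empty but the NAS still logs NOACCOUNTINGRESPONSE, the reply left the server and the problem is on the path back to the NAS, as the last answer says.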


radius proxy scenario

2009-03-06 Thread piston

Hi

I need some opinions.

Condition:

1. I have a local realm (suffix), xyz.com. I'm using freeradius 2.1.3+mysql.

2. My own users' usernames in the mysql radcheck table are stored in usern...@xyz.com 
format.

3. A person wants me to proxy his prefix ABC/his-customer-usern...@myrealm to 
his radius server, i.e.: ABC/his-customer-usern...@xyz.com

4. The proxy has to strip both prefix and suffix, which means when an 
ABC/his-customer-usern...@xyz.com auth request comes in, I have to forward only 
his-customer-username to his radius.

I know I can use hints to strip his prefix, but I'm stuck at the proxy config. I 
can't proxy xyz.com to his radius, otherwise my own users' usernames will also be 
proxied to his radius server.

How can I proxy his-customer-username without messing up my own users' usernames?

It sounds a bit stupid, but I'm still keen to find out whether it is possible to 
achieve the objective or not.

Thanks a lot!!

Piston


