Re: Exec-Program-Wait problem

2009-04-22 Thread enid

Thank you for your reply.
To make it more precise, I'm trying to execute a script that checks the
users' accounting (hours and minutes generated from the radiusreport tool), and
when a user passes his limit he is then blocked from access.
The exec module allows only this syntax: Attribute-Name =
`%{exec:/etc/freeradius/somescript}`,
(this is passed as an AV pair to the client/NAS; freeradius is running
as the freerad user, not root).

How can I make this happen with this syntax?

Thanks in advance.


Alan DeKok-2 wrote:
 
 enid wrote:
 DEFAULT Simultaneous-Use := 1
         Idle-Timeout = 600,
         Session-Timeout = 5400,
         Framed-IP-Address = 255.255.255.254,
         Framed-Compression = Van-Jacobson-TCP-IP,
         Exec-Program-Wait = /etc/freeradius/somescript,
         Fall-Through = Yes
 
  but I want the output of it to be appended to the AV pair reply that
 goes back to the client. So I have the problem that when the script is
 executed, its output isn't appended to the AV pair reply. (For example:
 Reply-Message = "Email Only Account")
 I can post my configuration files here, if you tell me which.
 
  Use the exec module instead.  It gives you a much more fine-grained
 control over the behavior of the program.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 



RE: failover and load balancing

2009-04-22 Thread Santiago Balaguer García

 Postgres does supposedly have a version in beta for full master-master
 replication, but every time we've tried to get it running it's crashed
 on us as soon as we tried to actually write any data. Postgres in
 general seemed much slower than MySQL for reading the data we needed as well.
 

I use a PostgreSQL DB for my three AAA servers and the DB is quick enough for
several requests per second.

However, I am looking for a (free) master-master DB, and the replication in
Postgres crashes. And the problem with MySQL was described before.

I welcome suggestions for a BETTER free DB.



Re: Exec-Program-Wait problem

2009-04-22 Thread Alan DeKok
enid wrote:
 to make it more precise, I'm trying to execute a script that checks the
 users accounting (hours and minutes generated from radiusreport tool). And
 when the users passes his limit he is then blocked access.

  The exec module can do that.

 The exec module allows only this syntax: Attribute-Name =
 `%{exec:/etc/freeradius/somescript}`,

  No.

  Go back and read raddb/modules/echo

  Alan DeKok.


Re: ldap filter depending on NAS

2009-04-22 Thread Matthieu Lazaro
Alan DeKok wrote:
 Matthieu Lazaro wrote:
   
 It all happens as if the if () { ... } else { ... }  is completely
 ignored
 (and thus it defaults to check if the uid exists)
 

   Yes.

   
 (ie: neither filter1 nor filter2 appears when debugging.
  But when we only put filter, it appears when debugging)

 I think I'm missing a lot of details in the configuration and I have not
 figured out how to do this with hints|huntgroups|clients files.
 Any help on why this is not working, or another simple solution, is welcome.
 

   You cannot dynamically change the module configuration.  Those are
 static.  The unlang policies can only go in the authorize,
 authenticate, etc. sections.

   Alan DeKok.

   
OK. I now understand why it was not working. However, this should
be clarified in http://freeradius.org/radiusd/man/unlang.html .

But I have good news: I have found the solution using the huntgroups
file and activating groupmembership in the LDAP module:

WIFI   NAS-IP-Address == 10.1.1.2
       Ldap-Group = WIFI_FR,
       Ldap-Group = WIFI_ALL
VPN    NAS-IP-Address == 10.1.1.3
       Ldap-Group = VPN

Flexibility comes when modifying groupmembership_attribute so that
you can use whatever you want in your LDAP.

Still I find a lot of points in FreeRADIUS that are obscure because they are
not documented enough.
For example: filtering with more than one attribute in checkval (MAC /
TUNNEL TYPE), sending orders to the NAS to change VLAN depending on the
user, etc.

Thanks for your help.







 



Re: ldap filter depending on NAS

2009-04-22 Thread Alan DeKok
Matthieu Lazaro wrote:
 OK. I have understood now why it was not working. However, this should
 be clarified in http://freeradius.org/radiusd/man/unlang.html .

  Feel free to submit suggested text.

 Still I find a lot of points in Freeradius that are obscure because it's
 not enough documented.

  Feel free to submit documentation.  Other people have, and it has been
included in the server.

 For example: filtering with more than one attribute in checkval (MAC /
 TUNNEL TYPE), sending orders to the NAS to change VLAN depending on the
 user, etc.

  Write down the policies, and then implement them in the policy language.

  Feel free to submit example policies and configurations.

  Alan DeKok.


Re: ldap filter depending on NAS

2009-04-22 Thread Matthieu Lazaro
Alan DeKok wrote:
 Matthieu Lazaro wrote:
   
 For example: filtering with more than one attribute in checkval (MAC /
 TUNNEL TYPE), sending orders to the NAS to change VLAN depending on the
 user, etc.
 

   Write down the policies, and then implement them in the policy language.

   Feel free to submit example policies and configurations.

   Alan DeKok.
   
Yet, I have not been able to:
- Tell the NAS to change the VLAN depending on LDAP account info,
- Tell the NAS to change the SSID + VLAN depending on the user's LDAP account,
- Filter MAC + MEDIUM TYPE + PORT Number depending on LDAP account info.

Also, reply messages like "call your helpdesk" don't work.

And honestly, I don't know where to start.

Matt


RE: failover and load balancing

2009-04-22 Thread Meyers, Dan
snip
 I use a PostgreSQL DB for my three AAA servers and the DB is quick
 enough for several requests per second.

Aah. We were wanting to handle 100 or so requests a second. Postgres
might well have done this, but we wanted room for expansion and our
tests with 10'000 requests at ~100 a second showed Postgres being
noticeably slower than MySQL. As long as it's good enough for your
purposes there's no reason to switch though.

 However, I am looking for a (free) master-master DB, and the
 replication in postgres crashes. And the problem in MySQL it was told
 before.
 
 I admit suggestions for a BETTER free DB.

We had a good look and were unfortunately unable to find anything for
free. If you can deal with master-slave, MySQL seems to be the best bet.
If you must have master-master, you're out of luck until Postgres gets
it working or someone else implements it. It seems that to get something
like this you'll have to end up paying Oracle or someone similar a fat
pile of money.

I could be wrong, there might be one we've missed. If so, I'd love to
know as well, as master-master replication would make our lives easier
too :)

--
Dan Meyers
Network Specialist, Lancaster University
E-Mail: d.mey...@lancaster.ac.uk



Re: ldap filter depending on NAS

2009-04-22 Thread Alan DeKok
Matthieu Lazaro wrote:
 Yet, I have not been able to:
 - Tell the NAS to change the VLAN depending on LDAP account info,
 - Tell the NAS to change the SSID + VLAN depending on user LDAP account
 - Filter MAC + MEDIUM TYPE + PORT Number depending on LDAP account info

  Perhaps part of the problem is that your requirements are vague to the
point of being unhelpful.

 Also, the reply messages like call your helpdesk doesn't work.

  Who's told you that?

 And honestly, I don't know where to start.

  Start by defining your policies in a DETAILED manner:

- when I see a packet containing User-Name foo
- look up THIS in THAT database using SOME information
- return these attributes to the NAS: (Foo = Bar, Other = whatever)

  If you don't have a clear definition of what you want to do and when
you want to do it, you will be unable to get *anything* done.

  e.g. Tell the NAS to change the VLAN depending on LDAP account info,

  WHAT ldap account info?  Figure that out.  Figure out what
information you need to query that data in LDAP.  Figure out what you
are going to do with the results.  And then find out how to assign VLANs.

  And you can't tell the NAS to change SSID's.  It's impossible.

  What does this mean?

 Filter MAC + MEDIUM TYPE + PORT Number depending on LDAP account info

   What is Filter mac?  Allow?  Disallow?  Do... what?

  Your examples are pretty close to do stuff when I see stuff.  It's a
grammatically correct English sentence, but nearly meaningless.

  Alan DeKok.



Re: failover and load balancing

2009-04-22 Thread Uwe Kastens
Hi,


Meyers, Dan wrote:
 snip
 I use a PostgreSQL DB form my three AAA server and the DB is enough
 quick for serveral request per second.
 

 I could be wrong, there might be one we've missed. If so, i'd love to
 know as well, as master-master replication would make our lives easier
 too :)


What is your need? More read than write? Maybe think about mysql-proxy
or some free cluster option.

BR

Uwe

-- 

kiste lat: 54.322684, lon: 10.13586


Re: rlm_perl behavior

2009-04-22 Thread Apostolos Pantsiopoulos

If any changes are to be made to the current
implementation to support multiple interpreters (one per thread)
would they show up in a 2.1.x release or a future one (2.2.x or something)?

Meyers, Dan wrote:

 It should be running one Perl thread per system thread.  The

server

core already manages min/max spare threads, idle threads, etc.

snip

I hope this implementation will satisfy Borislav too. Will he be
able to
instantiate different perl scripts for different needs?

So, when do I start testing :)


Just to say, we're currently using FreeRADIUS 2.1.3 with rlm_perl in a
project currently in active development, and having read this I'm
holding off upgrading to 2.1.4 as we also use the multiple perl threads
functionality of the module to process in parallel and increase throughput.
We have a specific development server/environment, and would be more
than happy to test any patches designed to fix this 2.1.4 issue on it.

--
Dan Meyers
Network Specialist, Lancaster University
E-Mail: d.mey...@lancaster.ac.uk







--
---
Apostolos Pantsiopoulos
Kinetix Tele.com R & D
email: r...@kinetix.gr
---


Re: ldap filter depending on NAS

2009-04-22 Thread tnt
 Yet, I have not been able to:
 - Tell the NAS to change the VLAN depending on LDAP account info,

Have you read your NAS documentation regarding assigning VLANs? If you know
which attributes you need to pass, you map them to LDAP attributes in
ldap.attrmap as reply items.

 - Tell the NAS to change the SSiD + VLAN depending on user LDAP account

Same as above.

 - Filter MAC + MEDIUM TYPE + PORT Number depending on LDAP account info

Mac should be in the Calling-Station-Id, medium type is unlikely to be in
the request and Port-Number is. Add them and map them to ldap attributes
in ldap.attrmap as check items.

Use of ldap.attrmap is commented on in ldap module configuration file
(raddb/modules/ldap). But that is for those who bother to read existing
documentation.

Ivan Kalik
Kalik Informatika ISP



Re: rlm_perl behavior

2009-04-22 Thread Alan DeKok
Apostolos Pantsiopoulos wrote:
 If any changes are to be made to the current
 implementation to support multiple interpreters (one per thread)
 would they show up in a 2.1.x release or a future one (2.2.x or something)?

  They will show up in the next release, whatever that is.

  i.e. next after the changes have been made.

  Alan DeKok.


Re: ldap filter depending on NAS

2009-04-22 Thread Matthieu Lazaro
Alan DeKok wrote:
   Your examples are pretty close to do stuff when I see stuff.  It's a
 grammatically correct English sentence, but nearly meaningless.

   Alan DeKok.

 -
   
OK, so I will try to make myself clear.

Here is one policy that I wish to make work.

1- a client connects to a 802.1x protected VLAN ID 10 ( per port basis
configuration on the switch)
-- this client has some of the following LDAP attributes:
  uid = bobalice
  radiusTunnelPrivateGroupID = 20
  radiusTunnelType = VLAN
  radiusMediumType = IEEE-802
  radiusCallingStationId = 00-21-42-42-87-b1
  radiusUserCategory = ADMIN
2- First I want to check the following attributes, and if not correct,
reject the user:
  radiusTunnelType = VLAN
  radiusMediumType = IEEE-802
  radiusCallingStationId = 00-21-42-42-87-b1
  radiusUserCategory = ADMIN
3- Then I want to authenticate and authorise the user if login/password
are correct
4- Then move him into the appropriate VLAN ID 20 instead of ID 10 based
on this attribute:
radiusTunnelPrivateGroupID = 20


For now, I have only been able to make the radiusCallingStationId work
using checkval.
Hoping this is much more precise and clearer, I really wish to
discover what I am missing.

Best Regards,

Matt



Re: failover and load balancing

2009-04-22 Thread John Millican
Uwe Kastens wrote:
 Hi,
 
 
 Meyers, Dan wrote:
 snip
 I use a PostgreSQL DB form my three AAA server and the DB is enough
 quick for serveral request per second.
 
 I could be wrong, there might be one we've missed. If so, i'd love to
 know as well, as master-master replication would make our lives easier
 too :)
 
 
 What is your need? More read than write? Maybe think about mysql-proxy
 or some free cluster option.
 
 BR
 
 Uwe
 
First the disclaimer:
I have not used this, only read about it!
What about pgpool-II?
Supposedly a PostgreSQL master-master replication package.

-- 
JohnM



Re: ldap filter depending on NAS

2009-04-22 Thread Alan DeKok
Matthieu Lazaro wrote:
 1- a client connects to a 802.1x protected VLAN ID 10 ( per port basis
 configuration on the switch)

  The client connects via 802.1X.  It doesn't connect on a VLAN.  VLAN
assignment comes *after* the client has been authenticated.

 -- this client has some of the following LDAP attributes:
   uid = bobalice
   radiusTunnelPrivateGroupID = 20
   radiusTunnelType = VLAN
   radiusMediumType = IEEE-802

  If you list those in raddb/ldap.attrmap, they should automatically be
returned.  But they're not in the default ldap.attrmap.

   radiusCallingStationId = 00-21-42-42-87-b1
   radiusUserCategory = ADMIN

  There is no such thing as radiusUserCategory in the default
configuration.

  Part of the issue is that you're confusing *reply* attributes with
*check* attributes.  See ldap.attrmap for more information on how LDAP
attributes are used.

 2- First I want to check the following attributes, and if not correct,
 reject the user:
   radiusTunnelType = VLAN
   radiusMediumType = IEEE-802
   radiusCallingStationId = 00-21-42-42-87-b1
   radiusUserCategory = ADMIN

  What do you mean Not correct?  Those are *LDAP* attributes.  The
RADIUS server receives *RADIUS* attributes.

  *PLEASE* ensure that you use the correct terminology.  Using the wrong
terminology is bad.  i.e. referring to RADIUS concepts by LDAP names.

  And the RADIUS request will *not* contain Tunnel-Type,
Tunnel-Medium-Type, or user category.  It *will* contain the
Calling-Station-Id.

  Maybe you missed the part of my email where I said look at the
contents of the *RADIUS* packet.  You don't seem to have done that.  I
don't give suggestions at random.  They're here for a *reason*.

 3- Then I want to authenticate and authorise the user if login/password
 are correct

  OK.

 4 - Then Move him into the appropriate VLAN ID 20 instead of  ID10 based
 on this attribute:
 radiusTunnelPrivateGroupID = 20

  If you add that as a replyItem to ldap.attrmap, it should work.

 For now, I only have been able to make work the RadiusCallingStationId
 using checkval.

  That shouldn't be necessary.  The LDAP module will treat it as a
checkItem all by itself.  See ldap.attrmap.

 Hoping this is much much more precise and clearer, I really wish to
 discover what am I missing.

  You're using the wrong terminology.  You're not following instructions.

  Alan DeKok.


Exec-Program problem

2009-04-22 Thread Nirmal
Hi,
 
I am running freeradius-server-2.1.1-7.
 
+----+----------+-------------------+----+-------------------------+
| id | username | attribute         | op | value                   |
+----+----------+-------------------+----+-------------------------+
|  1 | spark    | Exec-Program-Wait | := | /etc/raddb/getmac %u %i |
+----+----------+-------------------+----+-------------------------+

 
radiusd -XX -d /etc/raddb/
 
 
Wed Apr 22 17:05:03 2009 : Auth: Login OK: [spark] (from client localhost port 
2 cli 00:19:D1:4A:53:F8)
Wed Apr 22 17:05:03 2009 : Info: +- entering group post-auth {...}
Wed Apr 22 17:05:03 2009 : Info: [exec] expand: %u -> spark
Wed Apr 22 17:05:03 2009 : Info: [exec] expand: %i -> 00:19:D1:4A:53:F8
Wed Apr 22 17:05:03 2009 : Debug: Exec-Program output: Wed Apr 22 17:05:03 2009 
: Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error
Wed Apr 22 17:05:03 2009 : Debug: Exec-Program-Wait: plaintext: Wed Apr 22 
17:05:03 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec 
format error
Wed Apr 22 17:05:03 2009 : Debug: Exec-Program: returned: 1
Wed Apr 22 17:05:03 2009 : Info: [exec] Login incorrect (external check said so)
Wed Apr 22 17:05:03 2009 : Info: ++[exec] returns reject
Wed Apr 22 17:05:03 2009 : Info: Delaying reject of request 1 for 1 seconds

 
The file /etc/raddb/getmac contains the following, with execute permission for radiusd:

#/bin/bash
# append redirection restored here; the archive stripped the '>' characters
echo $1 --- $2 - done >> /etc/raddb/mac_entries

 
 
What could be wrong?
 
 
 
Nirmal Patel | Mumbai
 



Re: ldap filter depending on NAS

2009-04-22 Thread tnt
 Here is one policy that I wish to make work.

 1- a client connects to a 802.1x protected VLAN ID 10 ( per port basis
 configuration on the switch)
 -- this client has some of the following LDAP attributes:
   uid = bobalice
   radiusTunnelPrivateGroupID = 20
   radiusTunnelType = VLAN
   radiusMediumType = IEEE-802
   radiusCallingStationId = 00-21-42-42-87-b1
   radiusUserCategory = ADMIN
 2- First I want to check the following attributes, and if not correct,
 reject the user:
   radiusTunnelType = VLAN
   radiusMediumType = IEEE-802

Are those two attributes in the access request? If they are, map them as
check items in ldap.attrmap.

   radiusCallingStationId = 00-21-42-42-87-b1

This is already in ldap.attrmap.

   radiusUserCategory = ADMIN

Where is that supposed to come from?

 3- Then I want to authenticate and authorise the user if login/password
 are correct

Fine. Nothing to do.

 4 - Then Move him into the appropriate VLAN ID 20 instead of  ID10 based
 on this attribute:
 radiusTunnelPrivateGroupID = 20

Map that as reply item in ldap.attrmap. You will need tunnel and medium
type in the reply as well. So add them too.

Ivan Kalik
Kalik Informatika ISP



Re: Exec-Program problem

2009-04-22 Thread Alan DeKok
Nirmal wrote:
...
 Wed Apr 22 17:05:03 2009 : Debug: Exec-Program-Wait: plaintext: Wed Apr
 22 17:05:03 2009 : Error: Exec-Program: FAILED to execute
 /etc/raddb/getmac: Exec format error
...
 #/bin/bash

  You can't run that program from a shell prompt, either.  You have a
typo.  It should be:

#!/bin/bash

  Alan DeKok.
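
The two Exec-Program threads above (enid's question about getting a script's output into the reply, and Nirmal's "Exec format error") come down to the same contract between the server and the external program. Here is an added example of such a program, written for this page rather than taken from either thread or from the FreeRADIUS project: a script meant to be run by an `exec` module instance configured along the lines of raddb/modules/echo with `wait = yes` and `output_pairs = reply`. The instance name, the `program = "/etc/freeradius/somescript %{User-Name}"` invocation, and the usage table are assumptions; the exit-status meanings come from the logs in the thread (exit 1 is what produced "Login incorrect (external check said so)").

```python
#!/usr/bin/env python3
# Added example (not from the thread and not FreeRADIUS code): an external
# program for the FreeRADIUS "exec" module, run with wait = yes and
# output_pairs = reply, e.g.  program = "/etc/freeradius/somescript %{User-Name}"
# (instance name, path and argument are assumptions for this example).
#
# Contract relied on here:
#   - every "Attribute = value" line on stdout is parsed into output_pairs,
#     so Reply-Message printed here ends up in the reply to the NAS;
#   - exit status 0 accepts, exit status 1 rejects (the thread's log shows
#     "Exec-Program: returned: 1" -> "Login incorrect (external check said so)");
#   - exit status 2 is assumed to map to "fail" per rlm_exec's exit-code table
#     (verify against raddb/modules/exec for your version).
# The first line must be a real "#!" shebang: a script starting with "#/bin/bash"
# fails at execve() with "Exec format error", exactly as in Nirmal's log.
import sys

# Constructed sample of minutes already used per user, standing in for the
# numbers a reporting tool such as radiusreport would produce.
USED_MINUTES = {
    "bobalice": 620,
    "carol": 60,
}
LIMIT_MINUTES = 600


def decide(user, used_minutes, limit_minutes):
    """Return (exit_status, stdout_lines) for one Access-Request.

    exit 1 rejects the user; exit 0 accepts and every printed pair is added
    to the reply.
    """
    if used_minutes >= limit_minutes:
        # Reject, but still hand the NAS a human-readable reason.
        return 1, ['Reply-Message = "Usage limit reached"']
    remaining_seconds = (limit_minutes - used_minutes) * 60
    return 0, [
        'Reply-Message = "Hours remaining: %.1f"' % (remaining_seconds / 3600.0),
        # Cap the session so the user cannot run past the limit mid-session.
        "Session-Timeout = %d" % remaining_seconds,
    ]


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: somescript <User-Name>\n")
        return 2  # "fail" rather than "reject": a misconfiguration, not a policy decision
    user = argv[1]
    status, lines = decide(user, USED_MINUTES.get(user, 0), LIMIT_MINUTES)
    for line in lines:
        print(line)
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the decision is in `decide()` and only `main()` touches argv and stdout, the policy can be unit-tested without a running server; when wiring it in, remember that the program runs as the freerad user (as enid notes), so whatever usage data it reads must be readable by that user.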


Re: failover and load balancing

2009-04-22 Thread Fajar A. Nugraha
On Wed, Apr 22, 2009 at 2:58 PM, Santiago Balaguer García
santiago...@hotmail.com wrote:
 However, I am looking for a (free) master-master DB, and the replication in
 postgres crashes. And the problem in MySQL it was told before.

 I admit suggestions for a BETTER free DB.

MySQL can do master-master replication just fine, when configured correctly.
Then there's MySQL cluster, which requires more powerful hardware and
more complex setup, but it should be pretty ideal to hold user login
information (not so ideal for acct though).

If that's not enough, you can always combine both to have
master-master replicated MySQL cluster, but that would be overkill for
radius needs.

Regards,

Fajar



Re: failover and load balancing

2009-04-22 Thread Michael Schwartzkopff
On Wednesday, 22 April 2009 11:54:00, Meyers, Dan wrote:
 snip

  I use a PostgreSQL DB form my three AAA server and the DB is enough
  quick for serveral request per second.

 Aah. We were wanting to handle 100 or so requests a second. Postgres
 might well have done this, but we wanted room for expansion and our
 tests with 10'000 requests at ~100 a second showed Postgres being
 noticeably slower than MySQL. As long as it's good enough for your
 purposes there's no reason to switch though.

  However, I am looking for a (free) master-master DB, and the
  replication in postgres crashes. And the problem in MySQL it was told
  before.
 
  I admit suggestions for a BETTER free DB.

 We had a good look and were unfortunately unable to find anything for
 free. If you can deal with master-slave, MySQL seems to be the best bet.
 If you must have master-master, you're out of luck until Postgres gets
 it working or someone else implements it. It seems that to get something
 like this you'll have to end up paying Oracle or someone similar a fat
 pile of money.

 I could be wrong, there might be one we've missed. If so, i'd love to
 know as well, as master-master replication would make our lives easier
 too :)

 --
 Dan Meyers


Hi,

I never tried it myself, but I know the author. He is quite good, so my advice
would be cybercluster. See:
http://www.postgresql.at/english/pr_cybercluster_e.html

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: Exec-Program problem

2009-04-22 Thread Nirmal

 
Thanks man,
 
done.


Re: Exec-Program problem

2009-04-22 Thread Nirmal
changed permission of /etc/raddb/mac_entries
 
now getting wrong format error.
 
Wed Apr 22 17:21:27 2009 : Auth: Login OK: [spark] (from client localhost port 
0 cli 00:19:D1:4A:53:F8)
Wed Apr 22 17:21:27 2009 : Info: +- entering group post-auth {...}
Wed Apr 22 17:21:27 2009 : Info: [exec] expand: %u -> spark
Wed Apr 22 17:21:27 2009 : Info: [exec] expand: %i -> 00:19:D1:4A:53:F8
Wed Apr 22 17:21:27 2009 : Debug: Exec-Program output: Wed Apr 22 17:21:27 2009 
: Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec format error
Wed Apr 22 17:21:27 2009 : Debug: Exec-Program-Wait: plaintext: Wed Apr 22 
17:21:27 2009 : Error: Exec-Program: FAILED to execute /etc/raddb/getmac: Exec 
format error
Wed Apr 22 17:21:27 2009 : Debug: Exec-Program: returned: 1

 
in my previous version i was using the same format.
 
+----+----------+-------------------+----+-------------------------+
| id | username | attribute         | op | value                   |
+----+----------+-------------------+----+-------------------------+
|  1 | spark    | Exec-Program-Wait | := | /etc/raddb/getmac %u %i |
+----+----------+-------------------+----+-------------------------+

 
Where do I check the syntax for Exec-Program?



Re: ldap filter depending on NAS

2009-04-22 Thread Matthieu Lazaro

t...@kalik.net wrote:
 Here is one policy that I wish to make work.

 1- a client connects to a 802.1x protected VLAN ID 10 ( per port basis
 configuration on the switch)
 -- this client has some of the following LDAP attributes:
   uid = bobalice
   radiusTunnelPrivateGroupID = 20
   radiusTunnelType = VLAN
   radiusMediumType = IEEE-802
   radiusCallingStationId = 00-21-42-42-87-b1
   radiusUserCategory = ADMIN
 2- First I want to check the following attributes, and if not correct,
 reject the user:
   radiusTunnelType = VLAN
   radiusMediumType = IEEE-802
 

 Are those two attributes in the access request? If they are, map them as
 check items in ldap.attrmap.

   
   radiusCallingStationId = 00-21-42-42-87-b1
 

 This is already in ldap.attrmap.

   
   radiusUserCategory = ADMIN
 

 Where is that suposed to come from?

   
 3- Then I want to authenticate and authorise the user if login/password
 are correct
 

 Fine. Nothing to do.

   
 4 - Then Move him into the appropriate VLAN ID 20 instead of  ID10 based
 on this attribute:
 radiusTunnelPrivateGroupID = 20
 

 Map that as reply item in ldap.attrmap. You will need tunnel and medium
 type in the reply as well. So add them too.

 Ivan Kalik
 Kalik Informatika ISP

   
Here is the content of a packet received by radiusd:
rad_recv: Access-Request packet from host 10.1.1.2 port 1692, id=171,
length=302
Framed-MTU = 1480
NAS-IP-Address = 10.1.1.2
NAS-Identifier = Test Switch 
User-Name = bobalice
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = 20
Called-Station-Id = 00-11-f3-1d-5d-00
Calling-Station-Id = 00-14-b2-7a-87-b4
Connect-Info = CONNECT Ethernet 100Mbps Full duplex
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 1
State = 0xff747043ff76690706eed2dfa8b93b90
EAP-Message =
0x020200501980098100461603010041013d030149dce2350a464fb33bb5333ee36c942769f84056fcb49ef5371ee91f050310381600040005000a000990640062000300060013001200630100
Message-Authenticator = 0xec90edc178afb509db4131a36bfe42fe

Furthermore, to reply to Alan about the radiusUserCategory: it is given
in the radius.schema for LDAP. Is it a useless attribute then?
I'll be checking this afternoon and testing putting more info in
ldap.attrmap to see if the filters work.
I'll let you know.

Regards,

Matt

 



Re: ldap filter depending on NAS

2009-04-22 Thread Alan DeKok
Matthieu Lazaro wrote:

 Here is the content of a packet received by radiusd:

  Weird, but OK.

 Furthermore, to reply to Alan about the radiusUserCategory: it is given
 in the radius.schema for LDAP. Is it a useless attribute then?

  Yes.

 I'll be checking this afternoon and testing about putting more info in
 ldap.attrmap to see if the filters work.

  See also doc/rlm_ldap.  This *is* documented.

  Alan DeKok.
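
To make the checkItem / replyItem distinction that tnt and Alan keep pointing at concrete, here is an added example that is not FreeRADIUS code and not from anyone in the thread: a small Python model of what an ldap.attrmap line does with an LDAP entry, i.e. a checkItem becomes a value compared against the incoming request and a replyItem becomes a pair returned to the NAS. The attrmap lines are constructed for the example; the LDAP values are the ones Matthieu listed, and the request is built from the packet he posted (Calling-Station-Id 00-14-b2-7a-87-b4), so the run shows what mapping radiusCallingStationId as a checkItem does to that particular request. Exact string equality and the dropping of attribute tags such as `Tunnel-Type:0` are simplifications of the real module.

```python
# Added example (not FreeRADIUS code): a teaching model of how a FreeRADIUS 2.x
# ldap.attrmap line is applied to an LDAP entry.  checkItem lines produce
# "check items" compared against the Access-Request; replyItem lines produce
# pairs for the Access-Accept.  Simplifications (assumptions, not the real
# module): plain string equality, no attribute tags, no operators in values.

# Constructed attrmap fragment.  Columns: kind, RADIUS attribute, LDAP attribute.
ATTRMAP = """\
# kind       RADIUS attribute          LDAP attribute
checkItem    Calling-Station-Id        radiusCallingStationId
checkItem    Tunnel-Type               radiusTunnelType
checkItem    Tunnel-Medium-Type        radiusMediumType
replyItem    Tunnel-Type               radiusTunnelType
replyItem    Tunnel-Medium-Type        radiusMediumType
replyItem    Tunnel-Private-Group-Id   radiusTunnelPrivateGroupID
"""

# The entry for bobalice as described in the thread (constructed sample).
LDAP_ENTRY = {
    "uid": "bobalice",
    "radiusTunnelPrivateGroupID": "20",
    "radiusTunnelType": "VLAN",
    "radiusMediumType": "IEEE-802",
    "radiusCallingStationId": "00-21-42-42-87-b1",
}

# The relevant attributes of the Access-Request posted in the thread.
REQUEST = {
    "User-Name": "bobalice",
    "Calling-Station-Id": "00-14-b2-7a-87-b4",
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
}


def parse_attrmap(text):
    """Return a list of (kind, radius_attr, ldap_attr) from attrmap lines."""
    items = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[0] not in ("checkItem", "replyItem"):
            raise ValueError("bad ldap.attrmap line: %r" % raw)
        items.append(tuple(fields))
    return items


def build_items(attrmap, entry):
    """Split one LDAP entry into check items and reply items per the attrmap.

    An LDAP attribute that is absent from the entry contributes nothing, so an
    unset radiusTunnelType neither checks nor replies anything.
    """
    check, reply = [], []
    for kind, radius_attr, ldap_attr in attrmap:
        if ldap_attr not in entry:
            continue
        pair = (radius_attr, entry[ldap_attr])
        (check if kind == "checkItem" else reply).append(pair)
    return check, reply


def authorize(attrmap_text, entry, request):
    """Return ("reject", reason) when a check item does not match the request,
    otherwise ("ok", reply_pairs) with the pairs destined for the Access-Accept.

    A checked attribute that is missing from the request counts as a failed
    check (an assumption about the module's "==" comparison).
    """
    check, reply = build_items(parse_attrmap(attrmap_text), entry)
    for radius_attr, expected in check:
        actual = request.get(radius_attr)
        if actual != expected:
            return "reject", "%s: LDAP has %r, request has %r" % (
                radius_attr, expected, actual)
    return "ok", reply


if __name__ == "__main__":
    print(authorize(ATTRMAP, LDAP_ENTRY, REQUEST))
    fixed = dict(REQUEST, **{"Calling-Station-Id": "00-21-42-42-87-b1"})
    print(authorize(ATTRMAP, LDAP_ENTRY, fixed))
```

Run as-is, the first call rejects: the MAC in the captured packet is not the one stored under radiusCallingStationId, so with that attribute mapped as a checkItem the request never reaches the VLAN reply. The second call, with the MAC corrected, returns the three Tunnel-* pairs (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id = 20) that the switch needs to move the port to VLAN 20, which is why tnt says the tunnel and medium type must be mapped as reply items alongside the group id. The missing-attribute rule is also why tnt asks whether Tunnel-Type and Tunnel-Medium-Type are actually present in the Access-Request before mapping them as check items.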


Re: failover and load balancing

2009-04-22 Thread Uwe Kastens
Hello,

 I could be wrong, there might be one we've missed. If so, i'd love to
 know as well, as master-master replication would make our lives easier
 too :)

 What is your need? More read than write? Maybe think about mysql-proxy
 or some free cluster option.
 First the disclaimer:

 I have not used this only read about it!
 What about pgpoolII?
 supposedly a PostgreSQL master-master replication package
 

I think there might be much more read access than write access when using
a DB backend for RADIUS. If so, it might be enough to have one master to
write to and many slaves to read from. Or many masters with a kind of SQL
proxy like Sequoia or mysql-proxy. The problem with master-master for
MySQL is that you have to resync each time you drop a table, a
view, etc.

BR

uwe


-- 

kiste lat: 54.322684, lon: 10.13586


Re: failover and load balancing

2009-04-22 Thread Uwe Kastens
Michael,

 supposedly a PostgreSQL master-master replication package
 I think there might be much more read access then write access by using
 a DB backend for RADIUS. If so it might be enough to have one master to
 write and many slaves to read from. Or many master with a kind of sql
 proxy like Sequoia or mysql-proxy. The problem with master master for
 mysql is, that you have to resync each time you are dropping a table, a
 view etc.pp.

 BR

 uwe
 
 
 It depends on what you are doing. If you want to read your user database
 for authentication you are right. But if you want to write accounting you have
 a lot of writes. I have seen up to 300 writes/sec for a small national
 provider.

Ok. That is true. In that case you are talking about losing money if
the database is offline. But that is not an application issue; therefore
you will need a real database cluster. And I am not talking about Oracle
RAC :-)

I would prefer to have some fallback solution that writes data to a flat
file if the database is offline (which should be a question of minutes
or an hour) and imports it later on. Or try to find out how much
performance the sqltrace option in freeradius will cost.

BR

Uwe

-- 

kiste lat: 54.322684, lon: 10.13586


Re: ldap filter depending on NAS

2009-04-22 Thread Matthieu Lazaro
Alan DeKok wrote:
 Matthieu Lazaro wrote:

   
 Here is the content of a packet received by radiusd:
 

   Weird, but OK.

   
 Furthermore, to reply to Alan about the radiusUserCategory, it is given
 with the radius.schema for ldap. Is it a useless attribute then?
 

   Yes.

   
 I'll be checking this afternoon and testing about putting more info in
 ldap.attrmap to see if the filters work.
 

   See also doc/rlm_ldap.  This *is* documented.

   Alan DeKok.

   
When filling the ldap.attrmap, here is what I get:

Info: [ldap] WARNING: Deprecated conditional expansion :-.  See man
unlang for details
Info: [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}})
- (uid=bobalice)
Info: [ldap] expand: dc=testbed,dc=lan - dc=testbed,dc=lan
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: performing search in dc=testbed,dc=lan, with filter
(uid=bobalice)
Info: [ldap] checking if remote access for bobalice is allowed by
radiusTunnelPrivateGroupId
Info: [ldap] Added User-Password = 
in check items
Info: [ldap] No default NMAS login sequence
Info: [ldap] looking for check items in directory...
Debug: rlm_ldap: radiusTunnelPrivateGroupId - Tunnel-Private-Group-Id:0
== 34
Debug: rlm_ldap: radiusTunnelMediumType - Tunnel-Medium-Type:0 == IEEE-802
Debug: rlm_ldap: radiusTunnelType - Tunnel-Type:0 == VLAN
Debug: rlm_ldap: userPassword - User-Password ==

Debug: rlm_ldap: radiusNASIpAddress - NAS-IP-Address == 10.1.1.2
Debug: rlm_ldap: sambaNtPassword - NT-Password ==   
Debug: rlm_ldap: sambaLmPassword - LM-Password ==   
Debug: rlm_ldap: ntPassword - NT-Password ==   
Debug: rlm_ldap: lmPassword - LM-Password ==  
 Debug: rlm_ldap: radiusCallingStationId - Calling-Station-Id ==
00-15-42-7a-82-b4
Info: [ldap] looking for reply items in directory...
Info: [ldap] user bobalice authorized to use remote access
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Info: ++[ldap] returns ok

The thing is, it is just READING the ldap content and not comparing
to what the NAS is sending.
Tunnel-Private-Group-Id:0 == 34 actually I logged in using
Tunnel-Private-Group-Id:0 == 1 .

I tried to add those checks in the users file, but it didn't work.
I read the rlm_ldap manual, and it's not talking about those types of
attributes.

So I'm wondering where to tell radius: compare the ldap attributes with
what the NAS sent you, and if anything is different, reject the packet.
I guess that I'll have to wait until this is resolved before trying to have
radius put the user in the proper vlan. (doing things in the right
order???)

Regards,

Matt







Releasing 2.1.5 or 2.1.6

2009-04-22 Thread John Dennis
I'd like to package up the current release but I can't because the 
current tar files have version problems. What is currently on the 
download link is 2.1.4 but builds as 2.1.5. There have been two 
different versions of the 2.1.4 tar file. This means we can never 
release a 2.1.4 RPM because its versioning is ambiguous. IMHO the 2.1.4 
release should be considered defunct. There is a 2.1.5 trial version on 
the build server that I've lightly tested, perhaps others should as 
well. Can we move the next release forward to an official release so we 
can get a release out to supersede the current version, which to my 
thinking is 2.1.3 (because 2.1.4 is not identifiable).


P.S.: We also need to be careful, if what becomes 2.1.5 is not identical 
to what's in the 2.1.4 tar file we should go to 2.1.6 because we won't 
be able to disambiguate between a 2.1.5 built from a 2.1.4 tar file and 
the actual 2.1.5 built from a 2.1.5 tar file. This means the next 
release should probably be 2.1.6 with 2.1.4 and 2.1.5 marked as suspect 
in the changelog.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



[OT (possibly)] problem with WinXP SP3 connecting, reconnecting

2009-04-22 Thread Craig White
It's possible that this is my laptop that is causing this and not the
Wireless AP or FreeRadius but I thought I would ask because my laptop
doesn't do this on WPA-PSK on my home setup.

Using the Windows supplicant, it clearly connects using PEAP and I am given an IP
address via the LAN DHCP server.

If I try to ping LAN devices, I get dropouts, perhaps as high as 100%,
but usually get at least 1 out of four, sometimes 3 out of 4 pings
returned, and frequently the status tray indicates reconnecting. I tried
shutting off fast reconnect but it seems not to matter either way.

I presume that this is somehow a problem between my Linksys Wireless AP
and my laptop wireless (Atheros) and nothing at all to do with
FreeRadius but I'm wondering if others have experienced this issue and
might suggest something that I could try to remedy the problem.

Craig




Re: Releasing 2.1.5 or 2.1.6

2009-04-22 Thread Alan DeKok
John Dennis wrote:
 I'd like to package up the current release but I can't because the
 current tar files have version problems. What is currently on the
 download link is 2.1.4 but builds as 2.1.5. There have been two
 different versions of the 2.1.4 tar file. This means we can never
 release a 2.1.4 RPM because its versioning is ambiguous. IMHO the 2.1.4
 release should be considered defunct.

  Yes.

 P.S.: We also need to be careful, if what becomes 2.1.5 is not identical
 to what's in the 2.1.4 tar file we should go to 2.1.6 because we won't
 be able to disambiguate between a 2.1.5 built from a 2.1.4 tar file and
 the actual 2.1.5 built from a 2.1.5 tar file. This means the next
 release should probably be 2.1.6 with 2.1.4 and 2.1.5 marked as suspect
 in the changelog.

  The next release will be 2.1.6.

  Alan DeKok.


Re: ldap filter depending on NAS

2009-04-22 Thread Alan DeKok
Matthieu Lazaro wrote:
 The thing is, it is just READING the ldap content and not comparing
 to what the NAS is sending.

  Yes... because you (or the defaults) configured those LDAP attributes
in ldap.attrmap as replyItems.  This means that they are read from
LDAP, and added to the RADIUS reply.

  That's how it works.  That's how it's documented as working.

  Can you PLEASE stop expecting the server to behave like you *think* it
works, and instead believe that it behaves the way it's *documented* as
working, as the way that we are *telling* you it works?

  That confusion is the cause of the vast majority of the problems you
are running into.  If you can't get past that, then there is no point in
anyone answering your questions.

 Tunnel-Private-Group-Id:0 == 34 actually I logged in using
 Tunnel-Private-Group-Id:0 == 1 .

  Yes.  And it was explained WHY that happens.

 I tried to add those check in the users file, but it didn't work.

  Again, see the FAQ for "it doesn't work".

 I read the rlm_ldap manual, and it's not talking about those types of
 attributes

  What does that mean?  Could you be any less vague?

 So I'm wondering where to tell radius: compare the ldap attributes with
 what the NAS sent you, and if anything is different, reject the packet.

  The checkItem attributes in ldap.attrmap either match, or they don't
match.  You can then configure policies based on that match.

  You CANNOT have an attribute as both a checkItem and a replyItem.

 I guess that I'll have to wait this is resolved before trying to have
 radius putting the user in the proper vlan. (doing things in the right
 order???)

  You need to test SMALL changes from the default configuration.  You
need to test SMALL pieces of your policy.  See man radiusd for a
suggested method of creating policies.

  Right now, it looks like you've configured your entire policy, and are
then wondering why it doesn't work.  The policy is made up of a number
of tiny pieces, all of which have to work together.  Test the pieces in
isolation *before* creating your final policy.

  Alan DeKok.
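Alan's distinction between checkItems and replyItems, as an added Python model (example code, not rlm_ldap's own implementation); the attrmap lines, the LDAP entry and the request are constructed from the values quoted in this thread:

```python
"""Toy model of ldap.attrmap checkItem / replyItem handling.

Added example, not rlm_ldap's own code: a checkItem is compared against what
the NAS sent, a replyItem is copied from LDAP into the Access-Accept, and an
attribute may not be mapped as both. Whether an attribute is a check or a
reply item is decided by the attrmap, not by the LDAP data.
"""
from typing import Dict, Tuple

# Constructed attrmap fragment: Tunnel-* attributes as replyItems (the
# default), Calling-Station-Id as a checkItem.
ATTRMAP_DEFAULT = """
checkItem   Calling-Station-Id          radiusCallingStationId
replyItem   Tunnel-Type:0               radiusTunnelType
replyItem   Tunnel-Medium-Type:0        radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id:0   radiusTunnelPrivateGroupId
"""

# The same LDAP attributes mapped as checkItems, as in the original post.
ATTRMAP_CHECK_VLAN = ATTRMAP_DEFAULT.replace("replyItem", "checkItem")

# Constructed LDAP entry for user bobalice (values taken from the debug log).
LDAP_ENTRY = {
    "radiusCallingStationId": "00-15-42-7a-82-b4",
    "radiusTunnelType": "VLAN",
    "radiusTunnelMediumType": "IEEE-802",
    "radiusTunnelPrivateGroupId": "34",
}


def parse_attrmap(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (check_map, reply_map), each LDAP attribute -> RADIUS attribute.

    Raises ValueError when a RADIUS attribute appears as both a checkItem and
    a replyItem, which the module does not allow.
    """
    check: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, radius_attr, ldap_attr = line.split()
        if kind == "checkItem":
            check[ldap_attr] = radius_attr
        elif kind == "replyItem":
            reply[ldap_attr] = radius_attr
        else:
            raise ValueError(f"unknown attrmap item type {kind!r}")
    clash = set(check.values()) & set(reply.values())
    if clash:
        raise ValueError(f"mapped as both checkItem and replyItem: {sorted(clash)}")
    return check, reply


def authorize(attrmap_text: str, entry: Dict[str, str],
              request: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
    """Evaluate one user entry against one request.

    Returns (authorized, reply_attributes). Every checkItem present in the
    LDAP entry must equal the request value (a missing request attribute
    counts as a mismatch); replyItems never influence the decision.
    """
    check, reply = parse_attrmap(attrmap_text)
    for ldap_attr, radius_attr in check.items():
        if ldap_attr in entry and request.get(radius_attr) != entry[ldap_attr]:
            return False, {}
    reply_pairs = {radius_attr: entry[ldap_attr]
                   for ldap_attr, radius_attr in reply.items() if ldap_attr in entry}
    return True, reply_pairs


if __name__ == "__main__":
    # Constructed request: the supplicant arrived on VLAN 1 with a matching MAC.
    req = {"User-Name": "bobalice", "Calling-Station-Id": "00-15-42-7a-82-b4",
           "Tunnel-Private-Group-Id:0": "1"}
    print(authorize(ATTRMAP_DEFAULT, LDAP_ENTRY, req))     # accepted, VLAN 34 in reply
    print(authorize(ATTRMAP_CHECK_VLAN, LDAP_ENTRY, req))  # rejected: VLAN 1 != 34
```

With the default mapping the VLAN the NAS reports is ignored and the reply carries VLAN 34; with the Tunnel-* attributes as checkItems the same request is rejected, which is exactly the behaviour the original post saw as "just reading".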


Re: Releasing 2.1.5 or 2.1.6

2009-04-22 Thread John Dennis

Alan DeKok wrote:

John Dennis wrote:
  

I'd like to package up the current release but I can't because the
current tar files have version problems. What is currently on the
download link is 2.1.4 but builds as 2.1.5. There have been two
different versions of the 2.1.4 tar file. This means we can never
release a 2.1.4 RPM because its versioning is ambiguous. IMHO the 2.1.4
release should be considered defunct.



  Yes.

  

P.S.: We also need to be careful, if what becomes 2.1.5 is not identical
to what's in the 2.1.4 tar file we should go to 2.1.6 because we won't
be able to disambiguate between a 2.1.5 built from a 2.1.4 tar file and
the actual 2.1.5 built from a 2.1.5 tar file. This means the next
release should probably be 2.1.6 with 2.1.4 and 2.1.5 marked as suspect
in the changelog.



  The next release will be 2.1.6.
  
Do we have a target date? Do we need to get volunteers testing a trial 
2.1.6 so we can move forward?


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Releasing 2.1.5 or 2.1.6

2009-04-22 Thread Alan DeKok
John Dennis wrote:
 Do we have a target date? Do we need to get volunteers testing a trial
 2.1.6 so we can move forward?

  The target date is a week or two.

  As of now (and moving on), the page at:

http://git.freeradius.org/pre/

  Will contain the latest pre-release tar files.  These files may not
exist from time to time (as they are rebuilt), but they should be there
most of the time.

  Alan DeKok.


Re: Releasing 2.1.5 or 2.1.6

2009-04-22 Thread Borislav Dimitrov
I noticed this version mismatch too: radiusd -v returns 2.1.5 when
built from the 2.1.4 tarball.


On 22.04.2009, at 17:25, Alan DeKok wrote:


John Dennis wrote:

I'd like to package up the current release but I can't because the
current tar files have version problems. What is currently on the
download link is 2.1.4 but builds as 2.1.5. There have been two
different versions of the 2.1.4 tar file. This means we can never
release a 2.1.4 RPM because its versioning is ambiguous. IMHO the
2.1.4

release should be considered defunct.


 Yes.

P.S.: We also need to be careful, if what becomes 2.1.5 is not  
identical
to what's in the 2.1.4 tar file we should go to 2.1.6 because we  
won't
be able to disambiguate between a 2.1.5 built from a 2.1.4 tar file  
and

the actual 2.1.5 built from a 2.1.5 tar file. This means the next
release should probably be 2.1.6 with 2.1.4 and 2.1.5 marked as
suspect

in the changelog.


 The next release will be 2.1.6.

 Alan DeKok.




Re: ldap filter depending on NAS

2009-04-22 Thread Matthieu Lazaro
Alan DeKok wrote:
 Matthieu Lazaro wrote:
   
 The thing is, it is just READING the ldap content and not comparing
 to what the NAS is sending.
 

   Yes.. because you (or the defaults) configured those LDAP attributes
 in ldap.attrmap as replyItems.  This means that they are read from
 LDAP, and added to the RADIUS reply.
   
No, I have set them up as checkItems:
checkItem   Tunnel-Type:0               radiusTunnelType
checkItem   Tunnel-Medium-Type:0        radiusTunnelMediumType
checkItem   Tunnel-Private-Group-Id:0   radiusTunnelPrivateGroupId

So if they are configured somewhere by default, how can I change that?
   That's how it works.  That's how it's documented as working.

   Can you PLEASE stop expecting the server to behave like you *think* it
 works, and instead believe that it behaves the way it's *documented* as
 working, as they way that we are *telling* you it works?

   That confusion is the cause of the vast majority of the problems you
 are running into.  If you can't get past that, then there is no point in
 anyone answering your questions.

   
 Tunnel-Private-Group-Id:0 == 34 actually I logged in using
 Tunnel-Private-Group-Id:0 == 1 .
 

   Yes.  And it was explained WHY that happens.
   
Because it just read the info from the ldap, so it's not considered like
a checkItem: understood.
   
 I tried to add those check in the users file, but it didn't work.
 

   Again, see the FAQ for it doesn't work.
   
I based my configuration on man 5 users and I didn't find an
FAQ article that covers using policies with an LDAP backend.
   
 I read the rlm_ldap manual, and it's not talking about those types of
 attributes
 

   What does that mean?  Could be be any less vague?
   
The rlm_ldap manual covers the options to use with the ldap module like
server, tls binding, basic filters, etc... not how to use extended
ldap attributes based on the content of the RADIUS-LDAPv3.schema.
At least the ldap_howto.txt covers some parts about huntgroups and
users files that seem to stick more to what I want to do.

   
 So I'm wondering where to tell radius: compare the ldap attributes with
 what the NAS sent you, and if anything is different, reject the packet.
 

   The checkItem attributes in ldap.attrmap either match, or they don't
 match.  You can then configure policies based on that match.

   You CANNOT have an attribute as both a checkItem and a replyItem.

   
 I guess that I'll have to wait this is resolved before trying to have
 radius putting the user in the proper vlan. (doing things in the right
 order???)
 

   You need to test SMALL changes from the default configuration.  You
 need to test SMALL pieces of your policy.  See man radiusd for a
 suggested method of creating policies.
   
This is true, and I'm sometimes too impatient to do little by little.
   Right now, it looks like you've configured your entire policy, and are
 then wondering why it doesn't work.  The policy is made up of a number
 of tiny pieces, all of which have to work together.  Test the pieces in
 isolation *before* creating your final policy.
   
I have my basic policy depending on NAS and groups working. Now I'm
putting in small bricks to filter the requests and clients.
When I show you all the attributes, it's to tell you what I have been
using. But I have tested them one by one.
For sure I'm confused because radius is so huge and does many many things.

Regards,

Matt


Re: Releasing 2.1.5 or 2.1.6

2009-04-22 Thread A . L . M . Buxey
Hi,
 I noticed this version mismatch too: radiusd -v returns 2.1.5 when built 
 from the 2.1.4 tarball.

that's exactly what John was talking about

I'd expect the next version to be 2.1.6 with 2.1.5 marked
in changelog as a short-term interim release.

alan


performance freeradius with psql (auth only)

2009-04-22 Thread Uwe Kastens
Hi lists,

I am just measuring (maybe more guessing) some performance figures. I
started 3 radclients (1 on localhost, 2 on different remote hosts) with
12K different users and credentials. I am working with virtual hosts
under XEN.

I am just counting the logfile entries for Auth: Login
entries.
With a single radclient from a remote host it's something between 10 to
15 auth per sec. With 3 radclients it's something between 30 to 45 auth
per sec.

There is no change in those values if I increase the max database
connections. So I think it might be a problem that there are not enough
requests produced from the radclient(s), approx. 800 per minute.

Could that be?

Any other figures measured by someone?

BR

Uwe

-- 

kiste lat: 54.322684, lon: 10.13586


Re: ldap filter depending on NAS

2009-04-22 Thread tnt
 No, I have set them up  to checkItems:
 checkItem   Tunnel-Type:0   radiusTunnelType
 checkItem   Tunnel-Medium-Type:0radiusTunnelMediumType
 checkItem   Tunnel-Private-Group-Id:0   radiusTunnelPrivateGroupId


And what is the point of that? Why do you care what VLAN is in the
request? You should set up VLAN in the reply. Also, checking NAS-Port
makes very little sense. NAS-Port has a role in accounting but it's of
very little use during authentication. Mac (Calling-Station-Id) is the
only thing worth checking.

Don't bother with checking tunnel attributes - use them just in the reply.

Ivan Kalik
Kalik Informatika ISP



RE: Freeradius 2.1.5 and Solaris gmake install problem. (Solved)

2009-04-22 Thread Ville Leinonen
Hi,

I tried gmake clean and tried again. Now everything went fine.
Maybe the Moon is moving to a new position again :)

Br,

Ville


-Original Message-
From: freeradius-users-bounces+ville.leinonen=solodel@lists.freeradius.org 
on behalf of Alan DeKok
Sent: Mon 20/04/2009 14:42
To: FreeRadius users mailing list
Subject: Re: Freeradius 2.1.5 and Solaris gmake install problem.
 
Ville Leinonen wrote:
 Yes, I go make gmake before 2gmake install and it went fine.

  shrug  It works for me on the Solaris Sparc / x86 boxes I have
access to.

  Alan DeKok.

RE: failover and load balancing POSTGRESQL

2009-04-22 Thread Santiago Balaguer García

Yes, man.

We know the PostgreSQL solution does not work. ORACLE is expensive. MySQL is 
one master and several slaves.

 

Do you know another master-master database management system which is cheap?

 

   Santiago
 
 Ok. That is true. In that case you are talking about loosing money if
 the database is offline. But that is not an application issue, therefore
 you will need a real database cluster. And I am not talking about oracle
 RAC :-)
 
 I would prefer to have some fallback solution to write data to a flat
 file if the database is offline (which should be a question of minutes
 or an hour) and import it later on. Or try to find out, how much
 performance sqltrace option in freeradius will cost.
 
 BR
 
 Uwe
 
 -- 
 
 kiste lat: 54.322684, lon: 10.13586


username with several passwords. Which op value?

2009-04-22 Thread Santiago Balaguer García

Hi,

I want the 'san0001' user to have two passwords. This is in my radcheck table:

  Username | Attribute | op | value
  san0001  | Password  | ?? | santi1
  san0001  | Password  | ?? | santi2

Which op value do I have to use (=, :=, +=, ==)?

Thanks,

Santiago


Re: rlm_perl behavior

2009-04-22 Thread Borislav Dimitrov


On 22.04.2009, at 13:23, Alan DeKok wrote:


Apostolos Pantsiopoulos wrote:

If any changes are to be made to the current
implementation to support multiple interpreters (one per thread)
would they show up in a 2.1.x release or a future one (2.2.x or  
something)?


 They will show up in the next release, whatever that is.

 i.e. next after the changes have been made.


I suppose Apostolos Pantsiopoulos meant the multiple rlm_perl instances
(modules { perl inst1 { } perl inst2 { } }) capability inside each
thread, that we discussed a lot some time ago. Just to clarify...
Anyway that's really cool ;-) and I'm looking forward to seeing it
implemented. I'll do my best to help with testing.




Re: username with several passwords. Which op value?

2009-04-22 Thread Alan DeKok
Santiago Balaguer García wrote:
   I want the 'san0001' user to have two passwords.

  This is a VERY uncommon situation.

 Which op value do I have to use (=, :=, +=, ==)?

  You don't.  You will need to write a custom module to authenticate
users with multiple passwords.

  Alan DeKok.


Re: ldap filter depending on NAS

2009-04-22 Thread Alan DeKok
Matthieu Lazaro wrote:
 No, I have set them up  to checkItems:

  I agree with Ivan here:  don't do this.

 I inspired my configuration based on man 5 users and I didn't find an
 FAQ article that covers using policies with an LDAP backend.

  There is a FAQ entry for "it doesn't work".

 rlm_ldap manual covers the options to use with the ldap module like
 server , tls binding, basic filters, etc... not  how to use extended
 ldap attributes based on the content of the RADIUS-LDAPv3.schema.

  Exactly.  It describes how the LDAP module works.  It does NOT
describe how to implement complex policies that cannot be implemented
with the LDAP module.

  Alan DeKok.


Re: username with several passwords. Which op value?

2009-04-22 Thread John Dennis

Santiago Balaguer García wrote:

 Hi,
 
  I want the 'san0001' user to have two passwords.  This is in my 
radcheck table:
 
  Username |   Attribute   | op  | value

  
san0001   Password   ??  santi1
san0001   Password   ??  santi2
 
Which op value do I have to use (=, :=, +=, ==)?


Multiple valid passwords for a single user is a bad idea for a host of 
reasons. On top of that the username field should be a unique primary 
key disallowing duplicates enforced by the SQL database. I have no clue 
what it means to query a username and get multiple rows back and I 
suspect the internal code would be confused by this as well (note I have 
not looked at the code in question, but I would suspect it would do one 
of two things, use the first row returned or fail with an error if 
multiple rows). The concept of iterating over multiple rows until a 
password finally works is so dubious I would be most surprised if it 
were coded this way (and if it was I'd consider it a bug and security flaw).


The short answer is don't do this and don't expect the server to work 
this way.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: failover and load balancing POSTGRESQL

2009-04-22 Thread Uwe Kastens
Santiago,

 Yes, man.
 We know the PostgreSQL solution does not work. ORACLE is expensive.
 MySQL is one master and several slaves.

I don't think that the price of oracle is the problem. Without 3rd party
there is no way to have a real cluster solution.

  
 Do you know another master-master database management system which is cheap?
  

1) Try to use a sql proxy which cares about replication for you. For
example http://community.continuent.com/community/sequoia .

2) Try to split your database for different tasks.

3) Ask a good database consultant for a solution.


BR

Uwe

-- 

kiste lat: 54.322684, lon: 10.13586


Re: performance freeradius with psql (auth only)

2009-04-22 Thread tnt
 Hi lists,

 I am just measuring (maybe more guessing) some performance figures. I
 started 3 radclients (1 on localhost, 2 on different remote hosts) with
 12K different users and credentials. I am working with virtual hosts
 under XEN.

 I am just counting the logfile entries for Auth: Login
 entries.
 With a single radclient from a remote host it's something between 10 to
 15 auth per sec. With 3 radclients it's something between 30 to 45 auth
 per sec.

 There is no change in those values if I increase the max database
 connections. So I think it might be a problem that there are not enough
 requests produced from the radclient(s), approx. 800 per minute.

 Could that be?

Yes. Database will start coming into play with some 100 requests per
second. Single client on localhost should be able to handle that.

Ivan Kalik
Kalik Informatika ISP




RE: failover and load balancing POSTGRESQL

2009-04-22 Thread tnt

 Yes, man.

 We know the PostgreSQL solution does not work. ORACLE is expensive. MySQL
 is one master and several slaves.


You can set up MySQL as master1-slave2 == slave1-master2. That works
sort of like master-master replication.

Ivan Kalik
Kalik Informatika ISP



Re: username with several passwords. Which op value?

2009-04-22 Thread Kenneth Grady

John Dennis wrote:
 Santiago Balaguer García wrote:
  Hi,
  
   I want the 'san0001' user to have two passwords.  This is in my
 radcheck table:
  
   Username |   Attribute   | op  | value
   
 san0001   Password   ??  santi1
 san0001   Password   ??  santi2
  
 Which op value do I have to use (=, :=, +=, ==)?
:= is the proper op for Cleartext-Password or for User-Password
== works only for User-Password but warns you to change it to :=
I don't know about Password.

 Multiple valid passwords for a single user is a bad idea for a host of
 reasons. On top of that the username field should be a unique primary
 key disallowing duplicates enforced by the SQL database. I have no
 clue what it means to query a username and get multiple rows back and
 I suspect the internal code would be confused by this as well (note I
 have not looked at the code in question, but I would suspect it would
 do one of two things, use the first row returned or fail with an error
 if multiple rows). The concept of iterating over multiple rows until a
 password finally works is so dubious I would be most surprised if it
 were coded this way (and if it was I'd consider it a bug and security
 flaw).
 We just don't have enough information to make a decision. If the query
returns id,Username,Attribute, op, value sorted by id, perhaps we
could.  If the attributes were
san0001 Cleartext-Password := santi1
san0001 NAS-IP-Address == 123.123.123.123
san0001 Cleartext-Password := santi2
san0001 NAS-IP-Address == 234.234.234.234
It might make sense to have different passwords on different NAS boxes.

 The short answer is don't do this and don't expect the server to work
 this way.

 -- 
 John Dennis jden...@redhat.com

 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/
   
 



Re: username with several passwords. Which op value?

2009-04-22 Thread tnt
  We just don't have enough information to make a decision. If the query
 returns id,Username,Attribute, op, value sorted by id, perhaps we
 could.  If the attributes were
 san0001 Cleartext-Password := santi1
 san0001 NAS-IP-Address == 123.123.123.123
 san0001 Cleartext-Password := santi2
 san0001 NAS-IP-Address == 234.234.234.234
 It might make sense to have different passwords on different NAS boxes.

You can make adjustments for such a case. Extend the radcheck schema with a field
for NAS-IP-Address and change the radcheck query to include its value.

This does make sense. But a list of possible passwords for a single user ...

Ivan Kalik
Kalik Informatika ISP

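The per-NAS extension Ivan suggests, as an added Python example on an in-memory SQLite table (example code, not FreeRADIUS's own; the nas_ip_address column, the modified query and the rows are assumptions constructed from this thread):

```python
"""Per-NAS passwords with an extended radcheck table.

Added example, not FreeRADIUS code: the stock radcheck columns
(id, username, attribute, op, value) get an extra nas_ip_address column,
the check query filters on it, and the returned rows are applied with
check-item semantics (':=' sets a control value, '==' compares against the
request). Each user then has one password per NAS instead of a list of
alternative passwords.
"""
import hmac
import sqlite3
from typing import Dict, List, Optional, Tuple

SCHEMA = """
CREATE TABLE radcheck (
    id             INTEGER PRIMARY KEY,
    username       TEXT NOT NULL,
    attribute      TEXT NOT NULL,
    op             TEXT NOT NULL,
    value          TEXT NOT NULL,
    nas_ip_address TEXT              -- added column; NULL means any NAS
);
"""

# Constructed rows: the same user, a different password on each NAS.
ROWS = [
    ("san0001", "Cleartext-Password", ":=", "santi1", "123.123.123.123"),
    ("san0001", "Cleartext-Password", ":=", "santi2", "234.234.234.234"),
]

# Stock-style query by username only, and the extended one that also
# filters on the NAS that sent the request.
QUERY_BY_USER = (
    "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id"
)
QUERY_BY_USER_AND_NAS = """
SELECT attribute, op, value FROM radcheck
 WHERE username = ? AND (nas_ip_address = ? OR nas_ip_address IS NULL)
 ORDER BY id
"""


def open_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO radcheck (username, attribute, op, value, nas_ip_address)"
        " VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def fetch_check_items(db: sqlite3.Connection, username: str,
                      nas_ip: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Return (attribute, op, value) rows; filter on NAS only when nas_ip is given."""
    if nas_ip is None:
        return list(db.execute(QUERY_BY_USER, (username,)))
    return list(db.execute(QUERY_BY_USER_AND_NAS, (username, nas_ip)))


def apply_check_items(items: List[Tuple[str, str, str]],
                      request: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Apply rows in id order; ':=' overwrites, '==' must match the request.

    Returns the control attributes, or None when a comparison fails.
    """
    control: Dict[str, str] = {}
    for attribute, op, value in items:
        if op == ":=":
            control[attribute] = value      # a later row overwrites an earlier one
        elif op == "==":
            if request.get(attribute) != value:
                return None
        else:
            raise ValueError(f"operator {op!r} not modelled here")
    return control


def authenticate(db: sqlite3.Connection, request: Dict[str, str],
                 per_nas: bool = True) -> bool:
    """PAP-style check of User-Password against the selected Cleartext-Password."""
    nas_ip = request["NAS-IP-Address"] if per_nas else None
    items = fetch_check_items(db, request["User-Name"], nas_ip)
    if not items:
        return False                        # unknown user, or no row for this NAS
    control = apply_check_items(items, request)
    if control is None or "Cleartext-Password" not in control:
        return False
    return hmac.compare_digest(control["Cleartext-Password"],
                               request.get("User-Password", ""))
```

Without the NAS filter both ':=' rows are applied to every request and the last one wins, so the first password silently stops working; with the filter each NAS sees exactly one Cleartext-Password.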


Re: failover and load balancing POSTGRESQL

2009-04-22 Thread Ben Wiechman
If you require synchronous replication and your queries are conducive to it
there is MySQL Cluster. You might get some of the functionality you want
with DRBD (but write performance hits) and MySQL, which is supported
officially by MySQL, or through the use of circular replication with a pair
of masters in MySQL as Ivan mentioned. This type of configuration can also
be managed using the Multi master master (
http://code.google.com/p/mysql-master-master/) project. If you require
support Percona will provide support for that project as well.

On Wed, Apr 22, 2009 at 1:54 PM, t...@kalik.net wrote:

 
  Yes, man.
 
  We know the PostgreSQL solution does not work. ORACLE is expensive. MySQL
  is one master and several slaves.
 

 You can set up MySQL as master1-slave2 == slave1-master2. That works
 sort of like master-master replication.

 Ivan Kalik
 Kalik Informatika ISP


Re: failover and load balancing

2009-04-22 Thread Fajar A. Nugraha
On Wed, Apr 22, 2009 at 8:43 PM, Uwe Kastens ki...@kiste.org wrote:
 The problem with master master for
 mysql is, that you have to resync each time you are dropping a table, a
 view etc.pp.

No you don't.
When setup correctly, all SQL statement on one node will be executed
on the other node as well. That includes DDL like creating/dropping
table, or adding/removing users.

An exception is if you EXPLICITLY don't replicate changes to mysql
schema. In that case what you say might be true.


 It depends on what you are doing. If you want to read out you user database
 for authentication you are right. But If you want to write accouting you have
 a lot of writes. I have seen up to 300 writes/sec for a small national
 provider.

If you have enough memory then with the InnoDB engine on MySQL you can
easily serve all reads from the InnoDB buffer pool (a.k.a. memory cache).
That way only writes will be disk-bound. My db currently handles over
100k reads/s, mostly served from the buffer pool.
That way I only need to scale the disk enough to handle writes
(currently around several hundred writes/s).

 I would prefer to have some fallback solution to write data to a flat
 file if the database is offline (which should be a question of minutes
 or an hour)  and import it later on.

which is what buffered-sql does for acct.

Regards,

Fajar



how to Simultaneous-Use

2009-04-22 Thread Tseveendorj

Hello,

Following packages installed on my server.

FreeRADIUS 2.1.4
Perl 5.8.9
p5-SNMP_Session-1.12
p5-Net-Telnet-3.03
MySQL-5.0.77

I decided to use SNMP_Session and BER modules.
When I execute checkrad by hand I get the following message.

# checkrad cisco 192.168.0.60 1645 tseveen 40
SNMP Error:
Received SNMP response with error code
error status: noSuchName
index 1 (OID: 1.3.6.1.4.1.9.2.9.2.1.18.1645)
SNMPv1_Session (remote host: 192.168.0.60 [192.168.0.60].161)
   community: public
  request ID: -17216476
 PDU bufsize: 8000 bytes
 timeout: 2s
 retries: 5
 backoff: 1)
at /usr/local/sbin/checkrad line 221
checkrad: No SNMP answer from cisco.
checkrad:  not found!

I thought maybe the OID is not compatible with my router c3825. Is it?
Can you please provide more information about NAS port and Session ID?

Tseveen.


Re: how to Simultaneous-Use

2009-04-22 Thread Alan DeKok
Tseveendorj wrote:
 checkrad: No SNMP answer from cisco.
 checkrad:  not found!

  The NAS doesn't respond.

 I thought maybe OID is not compatible for my router c3825. is it ?

  Why not ask Cisco?

 Can you please provide more information about NAS port and Session ID ?

  Ask Cisco which OID you need to query, and update checkrad to use that
OID.

  Alan DeKok.


Re: how to Simultaneous-Use

2009-04-22 Thread Tseveendorj

Thank you Alan DeKok.

Sorry for bothering you. Have a nice day.

Sincerely,
Tseveen.


Alan DeKok wrote:

Tseveendorj wrote:
  

checkrad: No SNMP answer from cisco.
checkrad:  not found!



  The NAS doesn't respond.

  

I thought maybe OID is not compatible for my router c3825. is it ?



  Why not ask Cisco?

  

Can you please provide more information about NAS port and Session ID ?



  Ask Cisco which OID you need to query, and update checkrad to use that
OID.

  Alan DeKok.

  

