Wimax AAA Session ID
Hi, Is there a way to generate WiMAX-AAA-Session-Id inside freeRADIUS? Thanks, Victor - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SQL Huntgroup only work with user check, not group check
On Thu, Sep 03, 2009 at 07:36:31AM -0300, Carlos Eduardo Tavares Terra wrote:
> On Thu, Sep 3, 2009 at 6:30 AM, George Koulyabinju...@vinf.ru wrote:
>
> I wrote the rules for huntgroup here because the rules in groupcheck didn't work. If I take this out, just keeping the groupcheck, 'jack' will connect from any hardware. The groupcheck is ignoring the huntgroups.

You must use huntgroups for consolidation of Your hardware by identical properties. For example, You can create huntgroup for wireless hardware and huntgroup for access-servers. Groups, sql-groups (radusergroup/radgroupcheck/radgroupreply) are intended for consolidation of users.

In Your 'sql-rules' You wrote: User has 'wireless' sql-group membership. But user has this membership when he'll be connected from the hardware (member of 'wireless' huntgroup). See FreeRADIUS documentation, file rlm_sql.

Re: Pre-release of 2.1.7
Arran Cudbard-Bell wrote:
> Here's the full output for those lines:

OK... so it's using the *system* libltdl. Ugh.

How about this:

- edit the top-level Make.inc
- make it look like this:

    LIBLTDL = -lltdl
    INCLTDL =
    LTDL_SUBDIRS=

Do a make clean, and rm -rf ./libltdl

Then make. I suspect that will work, if you have libltdl-dev installed for the header files.

If it does, then the problem is likely in libtool. It has this *magic* property where it will happily build things using the local libltdl include files... and then *link* to the system libltdl, EVEN THOUGH the link line points directly to the local libltdl. Ugh.

Alan DeKok.

Re: Wimax AAA Session ID
> Is there a way to generate WiMAX-AAA-Session-Id inside freeRADIUS?

Generate - yes. But that's a bit of a pointless exercise. How would you track the session if id is not provided by NAS?

Ivan Kalik
Kalik Informatika ISP

Re: Pre-release of 2.1.7
On Thu, Sep 03, 2009 at 12:02:08PM -0400, Matt Garretson wrote:
> Builds okay on Fedora 7 and Fedora 10:

Also builds ok on CentOS 5.3 with the new RHEL/Fedora spec file for FreeRADIUS2 (modified to bump the version and add cui module)

--
szymon roczniak
si...@dischaos.com

Re: Freeradius possible memory leak
On Thu, Sep 03, 2009 at 03:02:23PM +0200, Alan DeKok wrote:
> You should add -m to the radiusd command line, so that it will try to clean up as much memory as possible before exiting.

Output with -m and some more debugging information:

    34,944 bytes in 112 blocks are definitely lost in loss record 38 of 44
       at 0x4C20809: malloc (vg_replace_malloc.c:149)
       by 0x4E38DCE: pairalloc (in /usr/lib64/freeradius/libfreeradius-radius-2.1.6.so)
       by 0x4E39160: pairmake (in /usr/lib64/freeradius/libfreeradius-radius-2.1.6.so)
       by 0x6A393E1: sql_userparse (in /usr/lib64/freeradius/rlm_sql-2.1.6.so)
       by 0x6A395D4: sql_getvpdata (in /usr/lib64/freeradius/rlm_sql-2.1.6.so)
       by 0x6A37741: (within /usr/lib64/freeradius/rlm_sql-2.1.6.so)
       by 0x419B2B: modcall (modcall.c:286)
       by 0x417040: indexed_modcall (modules.c:631)
       by 0x40853A: rad_authenticate (auth.c:554)
       by 0x423D87: radius_handle_request (event.c:3646)
       by 0x41C7C7: request_handler_thread (threads.c:492)
       by 0x5478366: start_thread (in /lib64/libpthread-2.5.so)

    LEAK SUMMARY:
       definitely lost: 34,944 bytes in 112 blocks.
       possibly lost: 3,040 bytes in 10 blocks.
       still reachable: 3,752,939 bytes in 21,575 blocks.
       suppressed: 0 bytes in 0 blocks.

I think the problem is somewhere in our configuration for the sql module as it only affects one particular radius setup we have and not others (all running 2.1.6).

In fact one of our servers has two different sql modules called depending on realm. It shows high memory usage when radius uses one of them (the one tested with the above valgrind output) and it doesn't when the other module is used. I'm trying to find out what exactly makes the difference in memory usage between these modules.

> $ valgrind --tool=massif /usr/sbin/radiusd -fm
>
> That will print out where it *allocates* memory. This helps to catch cases where the memory isn't leaked, but also isn't being free'd.

Output is available here: http://dischaos.com/radius/massif.out

--
szymon roczniak
si...@dischaos.com

Deployment
Sir,

I am trying to move to the production server after due tests. I installed version 2.1.6 on CentOS 5.2. Funnily I am getting Segmentation fault error when my hints file is to be loaded. The debug message is:

    server {
     modules {
     Module: Checking authenticate {...} for more modules to load
     Module: Checking authorize {...} for more modules to load
     Module: Linked to module rlm_preprocess
     Module: Instantiating preprocess
      preprocess {
        huntgroups = /etc/raddb/huntgroups
        hints = /etc/raddb/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
      }
    Segmentation fault

My Hints file gives error when this is inserted:

    DEFAULT User-Name =~ '^([...@]+)(@zmobile.com)?$', NAS-IP-Address == 10.76.100.69
            User-Name := %{1}

Kindly assist.

Cheers,
Chris.

Re: ippool or sqlippool support for EAP/TLS or TTLS on Wimax
WiMAX can also work in DHCP proxy mode: acquire IP address from ip pool in RADIUS and convert to DHCP message format for the R6 interface.

IP address assignment has nothing to do with the EAP method (EAP-TLS) you are using.

I make the ip pool assignment work using sqlippool. What is your particular concern regarding ip pool assignment using sqlippool?

Thanks,
Jay

On Fri, Sep 4, 2009 at 1:51 AM, Alan DeKok al...@deployingradius.com wrote:
> Victor Tangendjaja wrote:
>> I read from a post back in 2007 that freeRADIUS ippool or sqlippool does not support assigning IP via EAP/TLS. I was wondering if this is still the case?
>
> Yes. Because when 802.1X is used, IP address assignment is done via DHCP.
>
>> Alan mentioned that there would be options that might be part of 2.0 release. Is there any solution for this with the current release?
>
> No.
>
> Alan DeKok.

Re: Freeradius possible memory leak
Szymon Roczniak wrote:
> Output with -m and some more debugging information:

OK, that helps...

> 34,944 bytes in 112 blocks are definitely lost in loss record 38 of 44
>    at 0x4C20809: malloc (vg_replace_malloc.c:149)
>    by 0x4E38DCE: pairalloc (in /usr/lib64/freeradius/libfreeradius-radius-2.1.6.so)
>    by 0x4E39160: pairmake (in /usr/lib64/freeradius/libfreeradius-radius-2.1.6.so)
>    by 0x6A393E1: sql_userparse (in /usr/lib64/freeradius/rlm_sql-2.1.6.so)
>    by 0x6A395D4: sql_getvpdata (in /usr/lib64/freeradius/rlm_sql-2.1.6.so)
>    by 0x6A37741: (within /usr/lib64/freeradius/rlm_sql-2.1.6.so)

Ugh. That line doesn't help. It would be nice to know WHICH function had the problem.

Can you re-build the rlm_sql module with debugging symbols? (-g, and DELETE any -O2 flags you find). That way, it will print out line numbers like the following:

>    by 0x419B2B: modcall (modcall.c:286)
>    by 0x417040: indexed_modcall (modules.c:631)

Here we know exactly which line is being used...

> I think the problem is somewhere in our configuration for the sql module as it only affects one particular radius setup we have and not others (all running 2.1.6).

What are the attributes in the DB for the one that leaks memory?

> In fact one of our servers has two different sql modules called depending on realm. It shows high memory usage when radius uses one of them (the one tested with the above valgrind output) and it doesn't when the other module is used.

So... the content of the DB is what matters here.

Alan DeKok.

1 question
hi list,...

i have set 2 numbers Called-Station-Id in my work and one of them is pay for my users as normal when their calling through Telephony Enterprise, and the other one is pay revert and that users not pay the phone else my Work it is as feature... but in both case i set Max-Monthly-Session with 200 hrs and when theirs hit into 200 obviously can't connect .. that's ok..

i want to need to for the free phone can hit and stop to 200 hrs and with the other phone number (they pay) can connect and i can up their hours to 400hr.

more specify in short history

my work have 2 phone numbers to can connect

    number-free-for-users-not-pay
    number-to-users-pay

both case by max-monthly-session - 200hrs

i want by some if condition if exist into radius.conf to make this

    number-free-for-users-not-pay - 200hrs
    number-to-users-pay - 400 hrs

it's possible that?

by the way i'm using freeradius 1.1.3 i know to have to upgrade by that want to make it soon... really need solve my trouble as priority

Thanks for any suggest

Regards
Tony

RE: How to proxy accounting requests to multiple destinations
Yes, this has also been my assumption and I've tried this but I've failed in making both instances proxy the packet.

So what does the debug log say?

There must be something I'm not getting because I don't see how I can have two realms with one pool and home_server each in proxy.conf and match the accounting packet against both realms?

I think you're missing something simple. The suggestion was to use two detail files. It looks like you're not doing that.

1) write incoming packets to 2 detail files
2) configure TWO versions of copy-acct-to-home-server
3) profit

I did already do step 1 and 2 - but was missing 3

Currently I'm testing with this line in acct_users:

    DEFAULT Proxy-To-Realm := myrealm

You need to do that *differently* for *each* virtual server. Delete the files entry from the preaccounting section of each virtual server, and replace it with:

    update control {
        Proxy-To-Realm := foo
    }

You can then change the destination realm in each virtual server.

Yes! This was exactly what I was missing...kachiiing..!!!

--
Dánial

Re: 1 question
> i have set 2 numbers Called-Station-Id in my work and one of them is pay for my users as normal when their calling through Telephony Enterprise, and the other one is pay revert and that users not pay the phone else my Work it is as feature... but in both case i set Max-Monthly-Session with 200 hrs and when theirs hit into 200 obviously can't connect .. that's ok..
>
> i want to need to for the free phone can hit and stop to 200 hrs and with the other phone number (they pay) can connect and i can up their hours to 400hr.
>
> more specify in short history
>
> my work have 2 phone numbers to can connect
>
>     number-free-for-users-not-pay
>     number-to-users-pay
>
> both case by max-monthly-session - 200hrs
>
> i want by some if condition if exist into radius.conf to make this
>
>     number-free-for-users-not-pay - 200hrs
>     number-to-users-pay - 400 hrs
>
> it's possible that?
>
> by the way i'm using freeradius 1.1.3 i know to have to upgrade by that want to make it soon... really need solve my trouble as priority

Yes. Upgrade. Use two sqlcounters and modify query to include Called-Station-Id.

Ivan Kalik
Kalik Informatika ISP

Re: Deployment
tech.subscripti...@shepherdhill.biz wrote:
> I am trying to move to the production server after due tests. I installed version 2.1.6 on CentOS 5.2. Funnily I am getting Segmentation fault error when my hints file is to be loaded. The debug message is:
> ...
> Segmentation fault

Please see doc/bugs

> My Hints file gives error when this is inserted:
>
>     DEFAULT User-Name =~ '^([...@]+)(@zmobile.com)?$', NAS-IP-Address == 10.76.100.69
>             User-Name := %{1}

It's not a problem on any system I have access to.

Alan DeKok.

FreeRADIUS proxy - Is Proxy-State (AVP 33) mandatory in the Acct Response?
Dear FreeRADIUS Users,

I have one FreeRADIUS server proxying accounting RADIUS to two different hosts. One of the remote hosts is receiving the requests and answering the responses, but processing the details file very slowly (keeps being marked as dead all the time).

I realized that this host doesn't respond to the accounting request with the Proxy-State (AVP 33). I checked the RFC2865 and it seems that it is mandatory the remote server responds the accounting response with the Proxy-State (AVP 33).

My questions are:

1) Is FreeRADIUS really correlating the accounting requests/response correctly for this remote host that doesn't add the AVP 33 in the response for a proxied request?

2) What is the expected behavior of the FreeRADIUS and effects in the described situation (proxied requests being responded with no Proxy-State attribute).

Appreciate any help and Thanks in advance!

Cristina Miyata

Re: FreeRADIUS proxy - Is Proxy-State (AVP 33) mandatory in the Acct Response?
Cristina Miyata wrote:
> I realized that this host doesn't respond to the accounting request with the Proxy-State (AVP 33). I checked the RFC2865 and it seems that it is mandatory the remote server responds the accounting response with the Proxy-State (AVP 33).

While the attribute is mandatory, FreeRADIUS doesn't use it for anything.

> My questions are:
> 1) Is FreeRADIUS really correlating the accounting requests/response correctly for this remote host that doesn't add the AVP 33 in the response for a proxied request?

Yes.

> 2) What is the expected behavior of the FreeRADIUS and effects in the described situation (proxied requests being responded with no Proxy-State attribute).

It will work.

FreeRADIUS will work if it

(a) proxies a request containing Proxy-State
(b) receives a valid response (src/dst ip/port, etc.) with no Proxy-State.

In your case, the home server is being marked dead because it isn't responding. Nothing else will cause it to be marked dead.

Alan DeKok.

sql.authorize
Is it possible to call sql.authorize on a group of SQL modules? This is needed to reduce number of calls to SQL in EAP-TLS transaction.

There was a recommendation to call sql.authorize in post-auth section instead of authorize section, this is fine, but we need the same behavior for SQL groups that handle failover.

Do you have any recommendation how to achieve that?

    post-auth {
        sql1.authorize
    }

    group redundant_sql {
        sql1 {
            fail = 1
            handled = 3
            notfound = return
            ok = return
            reject = return
        }
        sql2 {
            fail = 1
            handled = 3
            notfound = return
            ok = return
            reject = return
        }
        # if we reach here then all databases are unreachable
        # do not respond to NAS so that NAS marks RADIUS server
        # as unavailable and retry another RADIUS server
        update control {
            Response-Packet-Type = 'Do-Not-Respond'
        }
        handled
    }

Re: sql.authorize
Hi,

authorise functions should be called in authorize section...only final things should be called in the post-authorize section..what is the sql stuff doing?

alan

Re: sql.authorize
How else can I save on number of SQL calls when doing EAPTLS?

In my case there are 4 (authorize_check_query, group_membership_query, authorize_group_check_query, authorize_group_reply_query) * 11 (number of challenge/responses) = 44 calls to SQL for every EAPTLS authentication.

I need to call sql.authorize only in the end when EAPTLS finishes. There are a lot of challenge/response messages and there is no need to call SQL each time for every challenge.

I found this thread http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg52560.html and it was very helpful, however I need to have a redundant group of SQL servers and be able to call sqlgroup.authorize in post-auth section.

Thanks!

Alan Buxey wrote:
> Hi,
>
> authorise functions should be called in authorize section...only final things should be called in the post-authorize section..what is the sql stuff doing?
>
> alan

[RE]FreeRADIUS proxy - Is Proxy-State (AVP 33) mandatory in the Acct Response?
Thanks Alan for your answers! I still have more questions:

1) If FreeRADIUS doesn't use Proxy-State for anything, how does it match the requests with responses? Using only the Packet Identifier (AVP 92)?

2) Since the Packet Identifier has only 1 byte (0-254), it can only handle 255 requests (received by NAS and sent to remote hosts via Proxy) at a time? Or only handle 255 requests per NAS or remote host?

Thanks for your attention!

Cristina Miyata

> Cristina Miyata wrote:
>> I realized that this host doesn't respond to the accounting request with the Proxy-State (AVP 33). I checked the RFC2865 and it seems that it is mandatory the remote server responds the accounting response with the Proxy-State (AVP 33).
>
> While the attribute is mandatory, FreeRADIUS doesn't use it for anything.
>
>> My questions are:
>> 1) Is FreeRADIUS really correlating the accounting requests/response correctly for this remote host that doesn't add the AVP 33 in the response for a proxied request?
>
> Yes.
>
>> 2) What is the expected behavior of the FreeRADIUS and effects in the described situation (proxied requests being responded with no Proxy-State attribute).
>
> It will work.
>
> FreeRADIUS will work if it
>
> (a) proxies a request containing Proxy-State
> (b) receives a valid response (src/dst ip/port, etc.) with no Proxy-State.
>
> In your case, the home server is being marked dead because it isn't responding. Nothing else will cause it to be marked dead.
>
> Alan DeKok.

-[ Received Mail Content ]--
Subject : FreeRADIUS proxy - Is Proxy-State (AVP 33) mandatory in the Acct Response?
Date : Fri, 04 Sep 2009 13:38:38 -0400 (EDT)
From : Cristina Miyata cmiy...@lycos.com
To : freeradius-users@lists.freeradius.org

> Dear FreeRADIUS Users,
>
> I have one FreeRADIUS server proxying accounting RADIUS to two different hosts. One of the remote hosts is receiving the requests and answering the responses, but processing the details file very slowly (keeps being marked as dead all the time).
>
> I realized that this host doesn't respond to the accounting request with the Proxy-State (AVP 33). I checked the RFC2865 and it seems that it is mandatory the remote server responds the accounting response with the Proxy-State (AVP 33).
>
> My questions are:
>
> 1) Is FreeRADIUS really correlating the accounting requests/response correctly for this remote host that doesn't add the AVP 33 in the response for a proxied request?
>
> 2) What is the expected behavior of the FreeRADIUS and effects in the described situation (proxied requests being responded with no Proxy-State attribute).
>
> Appreciate any help and Thanks in advance!
>
> Cristina Miyata

Re: Pre-release of 2.1.7
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> ...
>> gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/
>> .libs/modules.o: In function `setup_modules':
>> /usr/local/src/freeradius-server-2.1.7/src/main/modules.c:1259: undefined reference to `lt__PROGRAM__LTX_preloaded_symbols'
>
> Did I mention I hate libltdl?
>
> Which version of libltdl is the compile line using? It's cut off, so I can't see it.
>
> My recent investigations lead me to believe that this error occurs when the *compile* uses the local libltdl, and the *link* stage uses the installed system libltdl.
>
> Alan DeKok.

The last time I had a problem with libltdl, I had to execute a make manually in the source tree libltdl directory. After that everything worked, including rebuilds.

Re: [RE]FreeRADIUS proxy - Is Proxy-State (AVP 33) mandatory in the Acct Response?
Cristina Miyata wrote:
> 1) If FreeRADIUS doesn't use Proxy-State for anything, how does it match the requests with responses? Using only the Packet Identifier (AVP 92)?

Very well, thank you. :)

But really... packet src/dst ip/port, plus RADIUS code Id. Proxy-State isn't needed.

> 2) Since the Packet Identifier has only 1 byte (0-254), it can only handle 255 requests (received by NAS and sent to remote hosts via Proxy) at a time? Or only handle 255 requests per NAS or remote host?

No. It opens multiple source ports.

Alan DeKok.
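
The matching described in the reply above, as an added example that is not part of the thread and is not FreeRADIUS code: a proxy-side tracker that keys outstanding Accounting-Requests on source port, home server address and Id, and takes another source port once all 256 Ids are in use. The `ProxyTracker` and `home_server_reply` names, the port numbers, the secret and the addresses are constructed, the local IP is left out of the key for brevity, and the Response Authenticator check (RFC 2866) goes beyond what the reply spells out.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5   # RADIUS codes from RFC 2866


class ProxyTracker:
    """Outstanding proxied requests, keyed by source port, home server and Id."""

    def __init__(self, secret):
        self.secret = secret
        self.ports = []          # source ports "opened" so far (constructed numbers)
        self.outstanding = {}    # (local_port, home_ip, home_port, id) -> request authenticator

    def _allocate(self, home_ip, home_port):
        # The Id field is one octet, so each source port carries at most 256
        # outstanding requests per home server; past that, use another port.
        for port in self.ports:
            for ident in range(256):
                if (port, home_ip, home_port, ident) not in self.outstanding:
                    return port, ident
        port = 40000 + len(self.ports)   # stand-in for binding a new UDP socket
        self.ports.append(port)
        return port, 0

    def send(self, home_ip, home_port, attrs):
        """Build an Accounting-Request; returns (source port, packet bytes)."""
        port, ident = self._allocate(home_ip, home_port)
        header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
        auth = hashlib.md5(header + bytes(16) + attrs + self.secret).digest()
        self.outstanding[(port, home_ip, home_port, ident)] = auth
        return port, header + auth + attrs

    def receive(self, local_port, src_ip, src_port, packet):
        """Return True only for a valid reply to a request still outstanding."""
        if len(packet) < 20:
            return False
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCT_RESPONSE or not 20 <= length <= len(packet):
            return False
        packet = packet[:length]
        key = (local_port, src_ip, src_port, ident)
        request_auth = self.outstanding.get(key)
        if request_auth is None:
            return False             # wrong source, wrong port, or unknown/replayed Id
        expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + self.secret).digest()
        if not hmac.compare_digest(expected, packet[4:20]):
            return False             # not produced by a holder of the shared secret
        del self.outstanding[key]
        return True


def home_server_reply(request, secret, attrs=b""):
    """Constructed home server: answers without echoing Proxy-State."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def demo():
    secret = b"constructed-secret"
    tracker = ProxyTracker(secret)
    proxy_state = bytes([33, 6]) + b"\x00\x00\x00\x01"   # attribute 33, constructed value
    port, request = tracker.send("192.0.2.10", 1813, proxy_state)
    reply = home_server_reply(request, secret)            # no Proxy-State in the reply
    return tracker.receive(port, "192.0.2.10", 1813, reply)


if __name__ == "__main__":
    print("reply without Proxy-State accepted:", demo())
```

A reply that arrives from a different address or port, or that was built with a different secret, finds no match and is dropped, which is why a missing Proxy-State alone does not break correlation.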