Question regarding retrying of requests in detail-combined file

2009-10-15 Thread Patric

Hi all  :)

FreeRADIUS 2.1.7
CentOS 5.2

I am not too sure where to start here so I will describe the symptoms 
first:


I have 2 freeradius servers that both receive accounting requests, and 
proxy these requests to each other, as well as log these requests to a 
detail file.
I have noticed now that while server A is processing the detail-combined 
file and proxying the requests to server B, server B will fail to get a 
lock on its detail file, and the request will fail. When this happens it 
is not passing anything back to server A, and server A does not seem to 
be timing out the request, so it stops processing the detail-combined 
file and just sits there.


A bit more in depth, server B is still running FR 1.1.6. I am in the 
process of updating to 2.1.7 but am being delayed due to outdated OS, so 
am moving this lot to a new server. The lock fail is occurring when 
server B tries to get a lock on the detail-combined file, so it is very 
likely that I have had the proxying setup incorrectly here all along, 
but since it is 1.1.6 I do not expect help here...


What I would like to try figure out is how to get server A (2.1.7) to 
time out a proxy request and retry it...


Any pointers to sections/docs would be great as always,

Thanks a mill!
Patric

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Question regarding retrying of requests in detail-combined file

2009-10-15 Thread Tim Sylvester
Add this line to the home server configuration of Server A (running 2.1.7):

no_response_fail = yes

Tim



Re: Question regarding retrying of requests in detail-combined file

2009-10-15 Thread Patric

Tim Sylvester wrote:

> Add this line to the home server configuration of Server A (running 2.1.7):
>
> no_response_fail = yes


Hi Tim,

That worked perfectly! Thank you :)

Rejecting request 191 (proxy Id 218) due to lack of any response from 
home server xxx.xxx.xxx.xxx port 1813

No response configured for request 191.  Will retry in 30 seconds
Finished request 191.
Cleaning up request 191 ID 56389 with timestamp +140
PROXY: Marking home server xxx.xxx.xxx.xxx port 1813 as zombie (it looks 
like it is dead).

Sending Status-Server of id 46 to xxx.xxx.xxx.xxx port 1813
   Message-Authenticator := 0x
   NAS-Identifier := "Status Check. Are you alive?"
Waking up in 0.8 seconds.
Waking up in 3.9 seconds.
rad_recv: Access-Accept packet from host xxx.xxx.xxx.xxx port 1813, 
id=46, length=49



And 30 seconds later the request is retried and succeeds :)
Is there any way for me to decrease the retry delay? In my specific case 
I know why it's failing, so retrying sooner should not be a problem.


Also, since both servers are mine, I have set up my virtual server with 
the following parameters. Any suggestions or tweaks would be appreciated :)


home_server copy-acct-to-server-b {
   type = acct
   ipaddr = xxx.xxx.xxx.xxx
   port = 1813
   secret = my_secret
   response_window = 10
   zombie_period = 20
   #revive_interval = 120 (read in the docs that use of this is not recommended?)

   status_check = status-server
   check_interval = 10
   num_answers_to_alive = 1
   no_response_fail = yes
}

Thanks again!
Patric


Re: Problems with bootstrapping certificates

2009-10-15 Thread Petr Uzel
On Wed, Oct 14, 2009 at 07:07:59PM +0100, Alan Buxey wrote:
> Hi,

Hello Alan,
thanks for the response.

> 
> > I have a question regarding bootstrapping default certificates using
> > bootstrap script in raddb/certs directory.
> 
> Ideally once you've used the bootstrap you would remove the script that
> makes them from the eap.conf and then that's done.
> 
> even better, you don't use the bootstrap script at all and instead install
> a proper CA, server.crt file etc 
> 
> the bootstrap is really only there to get a test server up and running
> quickly - you wouldn't want a snakeoil and very low timescale certificate
> to be used in production :-)

I completely agree with you. However, there is still an issue that
bootstrap script does IMHO something different than what is described
in the README.


To be more specific: I work on packaging freeradius server RPM. The
README explicitly states that "This bootstrap script SHOULD be run on
installation of any pre-built binary package for your OS." I
understand that it should be run automatically in the %post section,
like in the suse spec file included in the tarball. This leads to two
problems:
- if the user runs bootstrap script manually after installation, the
  certificates get corrupted
- if the user performs upgrade of the package, the certificates get
  corrupted - this is worse than the first problem, since the user
  might already have his 'production' certificates installed.

So I suggest either to
1) do not recommend running the bootstrap script automatically and
force the user to run it manually
or
2) fix the bootstrap script and/or Makefile to do nothing if
the required files already exist.



-- 
Best regards / s pozdravem

Petr Uzel, openSUSE Boosters Team
-
SUSE LINUX, s.r.o.  e-mail: pu...@suse.cz
Lihovarská 1060/12  http://www.suse.cz
190 00 Prague 9, CR 



Small suggestion for FreeRadius debug output

2009-10-15 Thread Patric

Hi again,

Alan I have a very small suggestion, if I may - what about adding a 
timestamp to the debug output?
I am not familiar with C, so don't know how difficult it would be to 
implement though...


I have been going through debug output for the last couple of days now 
attempting to resolve various configuration problems, and while not 
essential, it would be nice to see how much time has elapsed between a 
request and response for example...


Something like this:

[2009-10-15 10:00:00] Sending Accounting-Response of id 0 to 
xxx.xxx.xxx.xxx port 59807

 Proxy-State = 0x323138
[2009-10-15 10:00:00] Finished request 701.
[2009-10-15 10:00:01] Cleaning up request 701 ID 0 with timestamp +1286
[2009-10-15 10:00:01] Going to the next request
[2009-10-15 10:00:02] Waking up in 0.3 seconds.

Just a thought :)

Thanks for everything!
Patric


Default Proxy and Domain

2009-10-15 Thread Andreas M.
Hello,
i have a working setup but following question:
In my proxy.conf I have one entry with our company NT domain (for WLAN auth):

realm ZB {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        strip
}

Why does it not work if I configure the same with "realm DEFAULT"? Does the
DEFAULT realm not match all realms, known or unknown?

regards,
Andreas M.

-- 
g,
Andreas M.


Re: Small suggestion for FreeRadius debug output

2009-10-15 Thread Alan Buxey
Hi,

> I have been going through debug output for the last couple of days now  
> attempting to resolve various configuration problems, and while not  
> essential, it would be nice to see how much time has elapsed between a  
> request and response for example...

add a small 'x'  ie radiusd -Xx

(this was mentioned on this list a couple of days back)

alan


Re: Small suggestion for FreeRadius debug output

2009-10-15 Thread Patric

Alan Buxey wrote:

> add a small 'x'  ie radiusd -Xx
>
> (this was mentioned on this list a couple of days back)

Arg, I'm a dumbass... Sorry I must have missed it :)

Thanks!
Patric


Re: Default Proxy and Domain

2009-10-15 Thread Alan Buxey
Hi,

> i have a working setup but following question:
> In my proxy.conf i have one entry with our company nt domain (for wlan auth)
>
> realm ZB {
>         type = radius
>         authhost = LOCAL
>         accthost = LOCAL
>         strip
> }
>
> Why does it not work, if i configure the same with "realm DEFAULT", does the
> DEFAULT realm not match all realms, known or unknown  ?

which version of FreeRADIUS, and are you using e.g. the preprocess call in the
config?

if you run in full debug mode, you will see the realm being handled and, more
importantly, SEE how/why it is being handled.

I moved away from 'DEFAULT' some time back - and instead use unlang to check
the realm information: if the realm is blank or one of my own, i set the
proxy-to-realm control stuff, and if it's not one of mine, i set the
proxy-to-realm stuff accordingly too. that way the policy is defined and i know
how things are going to be dealt with.

alan


Postgres

2009-10-15 Thread Sparkes, David
Hi,

I would like to get Freeradius working with a PostgreSQL database: are
there any handy HOWTOs or Tutorials that explain how to do this?

I am running Red Hat EL5.

Relevant Packages:
freeradius2.x86_64             2.1.7-2.el5        installed
freeradius2-libs.x86_64        2.1.7-2.el5        installed
freeradius2-postgresql.x86_64  2.1.7-2.el5        installed
freeradius2-python.x86_64      2.1.7-2.el5        installed
freeradius2-utils.x86_64       2.1.7-2.el5        installed
postgresql.x86_64              8.1.11-1.el5_1.1   installed
postgresql-libs.i386           8.1.11-1.el5_1.1   installed
postgresql-libs.x86_64         8.1.11-1.el5_1.1   installed
postgresql-server.x86_64       8.1.11-1.el5_1.1   installed

Regards,

Dave




Re: EAP session matching the State variable

2009-10-15 Thread Alan DeKok
marco perugini wrote:
> hi list, i use freeradius [v 2.1.1] in wimax context and from yesterday
> this message is driving me crazy: "EAP session matching the State variable".

  That's "NO eap session matching..."

> here's the use-case: i do auth and connection all right but if/when i lost my
> connection and i try to reconnect that message shows me up in radius' debug;

  Then your supplicant and/or access point is broken.  If the supplicant
loses association with the AP, then EAP *must* be re-started from
scratch.  Re-using State attributes from previous EAP sessions will
cause authentication to fail on *every* single RADIUS server that exists.

> in about 20 min i succeed in reconnecting. i thought radius was stateless..

  No.  EAP requires state.  The AP maintains state for EAP sessions.

> do you know if there is some config changes to do to avoid this trouble?

  Fix the AP so that it doesn't re-use old State attributes.

  Alan DeKok.


Re: Postgres

2009-10-15 Thread Vegard Svanberg
* Sparkes, David  [2009-10-15 11:21]:

> I would like to get Freeradius working with a PostgreSQL database: are
> there any handy HOWTOs or Tutorials that explain how to do this?

It's pretty easy, just study the docs and sample configs.

Just a warning: You might run into the same problem as me, so test it
thoroughly before putting it in production. I'm running Freeradius
(latest version) against a PostgreSQL database, and it crashes every
other day or so when running normally (as a daemon). It doesn't crash in
debug mode (-X), so I have to let it run like that for a while more,
until I have the time to debug it. Can't risk a sudden stop for the time
being.

-- 
Vegard Svanberg  [*tak...@irc (EFnet)]



Re: Postgres

2009-10-15 Thread Alan Buxey
Hi,

> I would like to get Freeradius working with a PostgreSQL database: are
> there any handy HOWTOs or Tutorials that explain how to do this?

some stuff here:

http://wiki.freeradius.org/Rlm_sql


basically, FreeRADIUS comes with the required SQL schema for RADIUS and
NAS access with SQL (postgres, mysql, oracle or mssql).  you will need to
apply this schema to your SQL - after creating a suitable user and database
for it. then you need to configure the relevant $raddb/sql/* stuff and
add the required bit to $raddb/sql.conf   once you have configured
the SQL, you can then add it as a call in the main server(s) - either 'sql'
or with whatever name you called the SQL instance (if you have multiple
SQL configs).

basically,

configure sql.conf
configure sql/postgresql/*

edit sites-enabled/* (as appropriate) to call the SQL stuff in
authen/author/acct/etc

check debug logs thoroughly to see why/what and how things work/don't work

alan


RE: Postgres

2009-10-15 Thread Sparkes, David
Sorry, I should clarify.  I have spent some time looking through the
docs including, http://wiki.freeradius.org/SQL_HOWTO, but that is the
wrong version of FreeRadius (1.1.7) and doesn't work.

I was looking for something a bit more up-to-date.

Cheers,

Dave




Re: Postgres

2009-10-15 Thread Alan Buxey
Hi,

> Sorry, I should clarify.  I have spent some time looking through the
> docs including, http://wiki.freeradius.org/SQL_HOWTO, but that is the
> wrong version of FreeRadius (1.1.7) and doesn't work.

had a quick look through - seems to be reasonably fine - which bit didn't work?

what's your issue - e.g. radiusd -X

alan


To proxy, or not to proxy, that is the question ...

2009-10-15 Thread Dean, Barry
I currently run two virtual servers, one for our local secure wireless  
and one for eduroam customers.

The local one receives RADIUS packets from Bradford Campus Manager,  
which is responsible for Network Access Control and stamps Auth-OK  
replies with the VLAN for the user.

What I want to do is combine these wireless services, so that we just  
have eduroam.

The functionality we will need, will be:

The requests will come to the eduroam server address.

if (no domain specified) then
who are ya?
fi

if (domain is non-local) then
proxy to user's home site.
fi

if (domain is local AND authenticating from a local NAS) then
authenticate locally by proxy to Bradford Campus Manager
(Campus Manager will receive the stripped u...@realm as user and  
proxy to the local server address)
else
authenticate and return ACK/NACK to remote server in usual way for  
one of our users visiting remote site
fi

The part I am not sure how to do is the last part, a conditional proxy  
based on source NAS. I assume I need to dip into unlang, but can I put  
that into the proxy.conf file?

realm local.site.ac.uk {
   if( NAS-IP-Address ~= /192.168.*/ ) then # match my likely clients...
  set-up A
   else
  set-up B
   fi
}

Or whatever (I don't speak unlang, yet!), or have I got to determine  
the source of the request somewhere else and use unlang to re-write  
the realm to some special sentinel value that would be caught in  
proxy.conf like:

realm local.site.ac.uk {
do the normal thing
}

realm special.local.site.ac.uk {
do the clever NAC proxy stuff
}

As usual, thanks for your time and hope someone can steer me in the  
right direction before my head explodes.

(Yes I did read the docs, didn't help in this case!)

--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department

---
Nice boy, but about as sharp as a sack of wet mice.
-- Foghorn Leghorn


RE: Postgres

2009-10-15 Thread Sparkes, David
Hi again,

Radius works fine.  I've been using it for a few weeks with no hitches.

I was working through the example to set up PostGres; I just was thrown
when I tried to set up the database ("Setting up the RADIUS database"
section), as I reached these lines:

cd /usr/share/doc/packages/freeradius/doc/examples/
psql -U radius radius < postgresql.sql

Of which I couldn't find the equivalent.  The closest I could find was
/usr/share/doc/freeradius-2.1.7/examples/postgresql_update_radacct_group
_trigger.sql, which caused all kinds of scary error messages, which put
me off.

It occurs to me in the cold light of day that maybe this section
probably just creates the example tables, and the above example file is
completely inappropriate, but, at the time, I was in black box mysticism
mode.  I wrote the SQL to create similar tables to those shown, but
stopped, because I thought that the basic database part was importing
something more clever into the database.  I've probably overthought it
and can just get on with the configuration, then.

Thanks,

Dave

  








Re: To proxy, or not to proxy, that is the question ...

2009-10-15 Thread Bob Franklin

On Thu, 15 Oct 2009, Dean, Barry wrote:

> if (domain is local AND authenticating from a local NAS) then
> authenticate locally by proxy to Bradford Campus Manager
> (Campus Manager will receive the stripped u...@realm as user and
> proxy to the local server address)
> else
> authenticate and return ACK/NACK to remote server in usual way for
> one of our users visiting remote site
> fi
>
> The part I am not sure how to do is the last part, a conditional proxy
> based on source NAS. I assume I need to dip into unlang, but can I put
> that into the proxy.conf file?

We're doing this by using a syntax in the client shortname ('client ... { 
shortname = ... }' in clients.conf).  We declare our RADIUS clients with 
names such as:


  @

So all our things are someth...@net.cam.ac.uk; things from internal 
colleges or departments are someth...@college.cam.ac.uk or whatever.  The 
things from JANET Roaming are j...@ja.net.


Then, we can do things like:

if ("%{Client-Shortname}" =~ /\.cam\.ac\.uk$/) {
# do something special when NAS in Cambridge
}

Using literal matching or regexps, we've found we can do all sorts of 
things here.


  - Bob


--
 Bob Franklin   +44 1223 748479
 Network Division, University of Cambridge Computing Service


Re: Postgres

2009-10-15 Thread Alan DeKok
Sparkes, David wrote:
> I was working through the example to set up PostGres; I just was thrown
> when I tried to set up the database ("Setting up the RADIUS database"
> section), as I reached these lines:
> 
> cd /usr/share/doc/packages/freeradius/doc/examples/
> psql -U radius radius < postgresql.sql

  See raddb/sql/postgresql/.  Everything for postgres is there.

  Alan DeKok.


Re: Problems with bootstrapping certificates

2009-10-15 Thread Alan DeKok
Petr Uzel wrote:
> To be more specific: I work on packaging freeradius server RPM. The
> README explicitly states that "This bootstrap script SHOULD be run on
> installation of any pre-built binary package for your OS." I
> understand that it should be run automatically in the %post section,
> like in the suse spec file included in the tarball. This leads to two
> problems:
> - if the user runs bootstrap script manually after installation, the
>   certificates get corrupted

  Yes.  Re-generating the certs causes them to be regenerated.

> - if the user performs upgrade of the package, the certificates get
>   corrupted - this is worse than the first problem, since the user
>   might already have his 'production' certificates installed.

  So don't regenerate them...

> So I suggest either to
> 1) do not recommend running the bootstrap script automatically and
> force the user to run it manually
> or
> 2) fix the bootstrap script and/or Makefile to do nothing if
> the required files already exist.

  That's already in the "makefile".  I suggest a patch to the bootstrap
script.

  Alan DeKok.


Proxy based on Multiple Realms

2009-10-15 Thread Bob Brandt
What I want to do is proxy requests based on being in multiple realms.  For
example:
Realm1/username.Realm2

Where Realm1 is "host" AND Realm2 is "some.fqdn", then proxy to
xxx.xxx.xxx.xxx

Specifically what I am doing is trying to use FreeRadius to proxy for AD
Domains.  I want to enable host based authentication (i.e. host/
workstation.domain.name ) but for multiple domains.  I believe proxying is
the only way to accomplish this.

All I can find are references/warnings to making sure that I DON'T do this
by mistake.  Problem is I believe this is what I must do.

Is this even possible with FreeRadius?

Thanks
Bob
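The decision tree Barry sketched in "To proxy, or not to proxy", Bob Franklin's client-shortname convention from his reply, and the host/workstation.domain.name names Bob Brandt asks about above can all be expressed as one small policy function. The Python below is an added example for illustration only; it is not unlang, not FreeRADIUS's realm module, and not code from any of the posters. `split_user_name`, `route_request`, the `LOCAL_REALMS` set and the `.site.ac.uk` client-shortname suffix are assumed placeholders, and deriving a realm from the domain part of a host/ name is one possible reading of Bob Brandt's question, not a documented FreeRADIUS behaviour.

```python
import re

# Assumed placeholders: the realm this site answers for, and the domain suffix that
# local RADIUS clients carry in their shortname ("<name>@<domain>" convention).
LOCAL_REALMS = {"local.site.ac.uk"}
LOCAL_NAS_RE = re.compile(r"\.site\.ac\.uk$", re.IGNORECASE)


def split_user_name(user_name):
    """Return (user, realm) for the User-Name shapes mentioned in the thread.

    user@realm        -> suffix realm
    DOMAIN\\user       -> NT-style prefix realm
    host/ws.dom.name  -> machine account; realm taken from the host's domain part
                         (an assumption for this example, not FreeRADIUS behaviour)
    anything else     -> no realm
    Realms are lower-cased so that set membership is case-insensitive.
    """
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, (realm.lower() or None)
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
        return user, (realm.lower() or None)
    if "/" in user_name:
        _, host = user_name.split("/", 1)
        if "." in host:
            return user_name, host.split(".", 1)[1].lower()
        return user_name, None
    return user_name, None


def route_request(user_name, client_shortname,
                  local_realms=LOCAL_REALMS, local_nas_re=LOCAL_NAS_RE):
    """Map a request to one of the four outcomes in Barry's pseudocode."""
    _, realm = split_user_name(user_name)
    if realm is None:
        return "no-realm"          # "who are ya?": nothing to route on
    if realm not in local_realms:
        return "proxy-home-site"   # foreign realm: hand to the user's home site
    if local_nas_re.search(client_shortname or ""):
        return "proxy-nac"         # our user on our own NAS: via the NAC box
    return "auth-local"            # our user roaming elsewhere: answer directly


if __name__ == "__main__":
    # Constructed sample requests: (User-Name, Client-Shortname)
    samples = [
        ("alice@local.site.ac.uk", "wlc1@net.site.ac.uk"),
        ("alice@local.site.ac.uk", "roaming@ja.net"),
        ("bob@other.ac.uk", "wlc1@net.site.ac.uk"),
        ("carol", "wlc1@net.site.ac.uk"),
        ("host/ws1.local.site.ac.uk", "wlc1@net.site.ac.uk"),
    ]
    for name, nas in samples:
        print("%-28s %-22s -> %s" % (name, nas, route_request(name, nas)))
```

The point of splitting the name first and only then consulting the client shortname is that the NAS check never runs for foreign realms, so a roaming user's request is forwarded untouched; in a real deployment each outcome would map to setting Proxy-To-Realm or falling through to local authentication.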

Re: Question regarding retrying of requests in detail-combined file

2009-10-15 Thread Alan DeKok
Patric wrote:
> And 30 seconds later the request is retried and succeeds :)
> Is there any way for me to decrease the retry delay? 

  See the "retry_interval" configuration in the detail listener.

  Alan DeKok.


Re: Question regarding retrying of requests in detail-combined file

2009-10-15 Thread Patric

Alan DeKok wrote:

> Patric wrote:
>> And 30 seconds later the request is retried and succeeds :)
>> Is there any way for me to decrease the retry delay?
>
>   See the "retry_interval" configuration in the detail listener.

Hi Alan,

Would I be correct in my understanding that I add that here:

sites-enabled/copy-acct-to-home-server:
-

server copy-acct-to-home-server {
        listen {
                type = detail
                filename = ${radacctdir}/detail-combined
                load_factor = 10
                retry_interval = 10   <-
        }
}


Thank you :)
Patric


Re: Postgres

2009-10-15 Thread John Dennis

On 10/15/2009 07:01 AM, Alan DeKok wrote:

> Sparkes, David wrote:
>> I was working through the example to set up PostGres; I just was thrown
>> when I tried to set up the database ("Setting up the RADIUS database"
>> section), as I reached these lines:
>>
>> cd /usr/share/doc/packages/freeradius/doc/examples/
>> psql -U radius radius < postgresql.sql
>
>   See raddb/sql/postgresql/.  Everything for postgres is there.

Just for clarity, using the Red Hat packages (since the OP did state this 
is RHEL) that would be /etc/raddb/sql/postgresql and requires the 
freeradius-postgresql subpackage to be installed.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: wpa/wpa2 on logs

2009-10-15 Thread Arran Cudbard-Bell
On 14/10/2009 14:38, Alan Buxey wrote:
> Hi,
> 
>> Hmm, just thought, some vendors may include the information in the RADIUS 
>> packet as VSAs (Vendor Specific Attributes).
>>
>> Might be worth running the server in debugging mode (radiusd -X) and see 
>> what your wireless controllers are actually sending in Access-Request packets.
>>
>> So although you won't get the info in the EAP Tunnel, you may find it's 
>> available in the RADIUS Access-request packets.
> 
> I thought the same thing - so had a quick look at our incoming RADIUS 
> Access-Requests etc... and nothing useful buried there - but there again, I 
> haven't looked at the other end yet to see if there are other options or VSAs 
> that can be used - we can currently get such info from the wireless control 
> system - so that information is being passed from the LWAPP/CAPWAP systems to 
> the controller - and a suitable SNMP to the WCS from the RADIUS server would 
> allow you to tie the two together (best done out of band!) ..
> this is probably a useful step for any site wondering whether to drop WPA/TKIP
> support for example (for security - move to WPA2/AES) - you'd need to see how
> many non-AES clients you had before the change..
> 

Slightly off topic:

I've seen discussions about this on the Educause list, and it appears
quite a few of our American counterparts have already dropped TKIP...

The problem with trying to do something intelligent like you suggested is that 
although many clients can be made to support WPA2/AES, they don't currently.

For example the Intel 2200B/G Mini-PCI card used in many older laptops doesn't 
have WPA2 support in its older 2006 drivers. But a quick run of the Intel driver 
package and they'll happily connect to any WPA2-Enterprise network.

Also WPA2 support only made it into Windows XP SP3 (or SP2 with KB917021); 
there are many unpatched clients out there who'll connect to your network and 
select WPA/TKIP even though the hardware is capable of better.

Until you actually make the switch over, you won't know how many clients really 
can't support WPA2.

-

We bit the bullet and turned off TKIP support on all wireless networks at the 
beginning of September. So far we've had no real complaints.

Arran
-- 
Arran Cudbard-Bell ,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Several LDAP searches

2009-10-15 Thread Francisco Javier Valdera Garcia

Hello,

I am configuring a freeradius server (version 2.1.7). I need two listen 
sections, both to authenticate users using the same LDAP server. The 
thing is that I need to do different searches with different filters, 
depending on which listen section is asked. What is the best way to 
configure this, if there is one? I have read the documentation, the wiki 
and the configuration files and I couldn't figure it out.


Thanks in advance.


3GPP string Attributes, containing encapsulated information...

2009-10-15 Thread Stefan A.
Hi there,

Is there a way to get Information out of the
3GPP-GPRS-Negotiated-QoS-profile?

The Attribute is defined in the dictionary as:
ATTRIBUTE   3GPP-GPRS-Negotiated-QoS-profile5   string

The Value of a String might be: 99-0B811F739687877401

To get the encapsulated "Traffic Class", I will need the leftmost 3 bits of
the first '7' of the string.
It would be 7 --> 0111  -->  011  -->  3

Is there a function available, to do this?




Following the complete Attribute:

AVP: l=33 v=3GPP(10415) t=3GPP-GPRS-Negotiated-QoS-profile(5): UMTS GTP QoS Profile
    Length: 25
    UMTS GTP QoS Profile
        Version: 99
        Hyphen separator: -
        00.. .... = Spare: 0
        ..00 1... = QoS delay: Delay class 1 (1)
        .... .011 = QoS reliability: Unack GTP/LLC, Ack RLC, Protected data (3)
        1000 .... = QoS peak: Up to 128 000 oct/s (8)
        .... 0... = Spare: 0
        .... .001 = QoS precedence: High priority (1)
        000. .... = Spare: 0
        ...1 1111 = QoS mean: Best effort (31)
        011. .... = Traffic class: Interactive class (3)
        ...1 0... = Delivery order: Without delivery order ('no') (2)
        .... .011 = Delivery of erroneous SDU: Erroneous SDUs are not delivered ('no') (3)
        Maximum SDU size: 1500 octets
        Maximum bit rate for uplink: 1024 kbps
        Maximum bit rate for downlink: 1024 kbps
        0111 .... = Residual BER: 1/100 000 = 1x10^-5 (7)
        .... 0100 = SDU Error ratio: 1/10 000 = 1x10^-4 (4)
        0000 00.. = Transfer delay: Subscribed Transfer Delay (in MS to network direction) (0)
        .... ..01 = Traffic handling priority: Priority level 1 (1)
        Guaranteed bit rate for uplink: Subscribed guaranteed bit rate for uplink (in MS to network direction) (0)
        Guaranteed bit rate for downlink: Subscribed guaranteed bit rate for downlink (in MS to network direction) (0)

Thank You.

Stefan

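The extraction Stefan asks about can be done offline with a small parser. The Python below is an added example, not code from the post and not part of FreeRADIUS; it decodes the hex part of the quoted 3GPP-GPRS-Negotiated-QoS-profile value using the bit layout shown in the dissection above (the 3GPP TS 24.008 QoS information element with its type and length octets stripped, as carried in the RADIUS attribute). The names `parse_qos_profile`, `traffic_class_of` and `decode_max_bitrate` are mine; the sample string is the one quoted in the post, and the bit-rate step table is the one from TS 24.008.

```python
import re

# Sample value taken from the attribute quoted in the post above (a constructed
# test input for this example, not a live capture).
SAMPLE_QOS_PROFILE = "99-0B811F739687877401"

# Traffic class codes (three leftmost bits of the fourth data octet).
TRAFFIC_CLASS_NAMES = {
    0: "subscribed",
    1: "conversational",
    2: "streaming",
    3: "interactive",
    4: "background",
}


def decode_max_bitrate(value):
    """Decode a (maximum or guaranteed) bit rate octet to kbps.

    0 means 'subscribed', 255 means 0 kbps; 1..63 is linear in 1 kbps steps,
    64..127 in 8 kbps steps from 64 kbps, 128..254 in 64 kbps steps from 576 kbps.
    """
    if value == 0:
        return None
    if value == 0xFF:
        return 0
    if value <= 63:
        return value
    if value <= 127:
        return 64 + (value - 64) * 8
    return 576 + (value - 128) * 64


def parse_qos_profile(text):
    """Parse a "<release>-<hex octets>" QoS profile string into named fields.

    Only the octets that are actually present are decoded: the first four are
    mandatory, the release-99 extension octets after them are optional.
    """
    m = re.fullmatch(r"\s*([0-9A-Fa-f]{2})-([0-9A-Fa-f]+)\s*", text)
    if m is None:
        raise ValueError("not a <release>-<hex> QoS profile string: %r" % text)
    hex_part = m.group(2)
    if len(hex_part) % 2:
        raise ValueError("odd number of hex digits in %r" % text)
    octets = bytes.fromhex(hex_part)
    if len(octets) < 4:
        raise ValueError("QoS profile too short: %d octets" % len(octets))

    o1, o2, o3, o4 = octets[:4]
    fields = {
        "release": m.group(1),
        "delay_class": (o1 >> 3) & 0x07,          # data octet 1, bits 6-4
        "reliability_class": o1 & 0x07,           # data octet 1, bits 3-1
        "peak_throughput": o2 >> 4,               # data octet 2, bits 8-5
        "precedence_class": o2 & 0x07,            # data octet 2, bits 3-1
        "mean_throughput": o3 & 0x1F,             # data octet 3, bits 5-1
        "traffic_class": o4 >> 5,                 # data octet 4, bits 8-6: the '7' -> 011
        "delivery_order": (o4 >> 3) & 0x03,       # data octet 4, bits 5-4
        "delivery_of_erroneous_sdu": o4 & 0x07,   # data octet 4, bits 3-1
    }
    fields["traffic_class_name"] = TRAFFIC_CLASS_NAMES.get(fields["traffic_class"], "reserved")

    if len(octets) >= 5:
        sdu = octets[4]
        # 1..150 encodes the maximum SDU size in steps of 10 octets; other codes are special
        fields["max_sdu_size"] = sdu * 10 if 1 <= sdu <= 150 else None
    if len(octets) >= 6:
        fields["max_bitrate_uplink_kbps"] = decode_max_bitrate(octets[5])
    if len(octets) >= 7:
        fields["max_bitrate_downlink_kbps"] = decode_max_bitrate(octets[6])
    if len(octets) >= 8:
        fields["residual_ber"] = octets[7] >> 4
        fields["sdu_error_ratio"] = octets[7] & 0x0F
    if len(octets) >= 9:
        fields["transfer_delay"] = octets[8] >> 2
        fields["traffic_handling_priority"] = octets[8] & 0x03
    if len(octets) >= 10:
        fields["guaranteed_bitrate_uplink_kbps"] = decode_max_bitrate(octets[9])
    if len(octets) >= 11:
        fields["guaranteed_bitrate_downlink_kbps"] = decode_max_bitrate(octets[10])
    return fields


def traffic_class_of(text):
    """Just the traffic class code, which is what the post asks for."""
    return parse_qos_profile(text)["traffic_class"]


if __name__ == "__main__":
    for name, value in sorted(parse_qos_profile(SAMPLE_QOS_PROFILE).items()):
        print("%-34s %s" % (name, value))
```

Run over the 3GPP-GPRS-Negotiated-QoS-profile values in a detail file, this yields the traffic class the post asks for (3, interactive) together with the other fields of the dissection, and the step-table decoding reproduces the 1024 kbps shown above for the 0x87 bit-rate octets. Checking the length before reading each extension octet matters because the quoted string carries nine data octets while the dissector shows guaranteed-bit-rate fields as well, so a fixed-length parser would either crash or read garbage.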


RE: Postgres

2009-10-15 Thread Sparkes, David
Hi again,

Ok... well I have created the tables using
/etc/raddb/sql/postgresql/schema.sql and populated the tables manually.

However no postgresql.conf file exists in either
/etc/raddb/sql/postgresql or /etc/raddb/postgresql.  Have I missed a
package that would include this or should I just create it from scratch?
Looking at the examples that I've found, it seems to be a fairly
straightforward file to understand, if large.  If I'd known that the
table name and SQL queries were defined in postgresql.conf, I wouldn't
have bothered to recreate the tables according to the schema. ;)

For the record, all of the configuration files are in
/etc/raddb/postgresql in this install.

Regards,

Dave


-Original Message-
From:
freeradius-users-bounces+david.sparkes=keymile@lists.freeradius.org
[mailto:freeradius-users-bounces+david.sparkes=keymile@lists.freerad
ius.org] On Behalf Of John Dennis
Sent: Thursday, October 15, 2009 2:35 PM
To: FreeRadius users mailing list
Subject: Re: Postgres

On 10/15/2009 07:01 AM, Alan DeKok wrote:
> Sparkes, David wrote:
>> I was working through the example to set up PostGres; I just was
thrown
>> when I tried to set up the database ("Setting up the RADIUS database"
>> section), as I reached these lines:
>>
>> cd /usr/share/doc/packages/freeradius/doc/examples/
>> psql -U radius radius<  postgresql.sql
>
>See raddb/sql/postgresql/.  Everything for postgres is there.

Just for clarity, using the Red Hat packages (since the OP did state this
is RHEL) that would be /etc/raddb/sql/postgresql and requires the
freeradius-postgresql subpackage to be installed.

-- 
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


acct_users WARNING in 2.1.7

2009-10-15 Thread Craig Campbell
I've upgraded from 2.1.6 to 2.1.7 and the following error is now appearing in 
my debug output.

[/usr/local/etc/raddb/acct_users]:36 WARNING! Check item "Tmp-String-0" 
found in reply item list for user "DEFAULT".This attribute MUST go on the 
first line with the other check items

acct_users contains the following (line 36 is the line beginning with DEFAULT):

#CEC    Exec-Program = "%{exec:/usr/local/sbin/acctstop.sh}",
DEFAULT Acct-Status-Type == Stop
        Tmp-String-0 = "%{exec:/usr/local/sbin/acctstop.sh}",
        Fall-Through = no


What have I done wrong?  It seems to be OK, and is doing what I desire,
but I want the config to be CLEAN.
All I really want is to run a script when an accounting STOP record is
received.  Am I doing it wrong?

Thanks,
-craig



Craig Campbell
craig.campb...@ccraft.ca
CampbellCraft Consulting Inc
2 Kenny Court
Whitby, Ontario
Canada
L1R 2L8
905 922-2789


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Postgres

2009-10-15 Thread John Dennis

On 10/15/2009 09:17 AM, Sparkes, David wrote:
> Hi again,
>
> Ok... well I have created the tables using
> /etc/raddb/sql/postgresql/schema.sql and populated the tables manually.
>
> However no postgresql.conf file exists in either
> /etc/raddb/sql/postgresql or /etc/raddb/postgresql.  Have I missed a
> package that would include this or should I just create it from scratch?

There isn't a postgresql.conf file. You edit /etc/raddb/sql.conf and set
the database to postgresql.

> For the record, all of the configuration files are in
> /etc/raddb/postgresql in this install.

Not if you're using our packages.

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy based on Multiple Realms

2009-10-15 Thread Alan Buxey
Hi,
> What I want to do is proxy requests based on being in multiple realms.  For
> example:
> Realm1/username.Realm2

so long as the second part will always be username.realm2 (and you don't get
into user.name.realm2) then you can use 2.1.x with unlang to configure what
you need. You need to use a decent regex pattern to match

$1/[string].$2 (in fact, you can simply ignore $1 as it will always
be host/ if dealing with the type of traffic I expect)...and then you can simply
set the proxy-to-realm to be equal to the $2 value.

however, this is not a trivial 'it'll just work' and the realm details
might not be the site's real NAI realm (as it might be an internal AD realm
that has no basis on a real world name, for example).

PS in eduroam we only allow the authentication of users via RFC NAI values -
this stops this nasty machine authentication mess (which most RADIUS servers
will not be able to handle) - I guess this is a demonstration of FR
power/flexibility rather than common use :-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: To proxy, or not to proxy, that is the question ...

2009-10-15 Thread Alan Buxey
Hi,

> if (domain is local AND authenticating from a local NAS) then
>   authenticate locally by proxy to Bradford Campus Manager
>   (Campus Manager will receive the stripped u...@realm as user and  
> proxy to the local server address)
> else
>   authenticate and return ACK/NACK to remote server in usual way for  
> one of our users visiting remote site
> fi
> 
> The part I am not sure how to do is the last part, a conditional proxy  
> based on source NAS. I assume I need to dip into unlang, but can I put  
> that into the proxy.conf file?

with 2.x ?   just ensure that clients are defined correctly - either by
doing as the other post said, or create a new virtual server (copy your
current one and rename it eg 'eduroam') and then define the proxies as being
handled by that server ie

internal stuff -> [RADIUS server  {default/inner}] -> return attributes etc

external stuff -> [RADIUS server  {eduroam/inner}] -> no return attributes etc

look at the virtual_server definition in the clients.conf - that says, basically,
for any request from that client, slap it through that virtual server.

this means you can actually have a very stripped down virtual server... no need
for anything weird...anything coming from the proxies will be solely for you
(because the proxy has done the realm work already and decided on a suitable
target) and you don't need to deal with setting VLANs etc. the only thing you
may want in place is an authorise section to deal with people who cannot
remotely authenticate - eg they've broken AUP or are infected with a
virus/reported as bad etc

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: acct_users WARNING in 2.1.7

2009-10-15 Thread Ivan Kalik
> I've upgraded from 2.1.6 to 2.1.7 and the following error is now appearing
> in my debug output.
>
> [/usr/local/etc/raddb/acct_users]:36 WARNING! Check item "Tmp-String-0"
>  found in reply item list for user "DEFAULT".This attribute MUST
> go on the first line with the other check items
>
> acct_users contains the following, (Line 36 is the line beginning with
> DEFAULT)
>
> #CECExec-Program = "%{exec:/usr/local/sbin/acctstop.sh}",
> DEFAULT Acct-Status-Type == Stop
> Tmp-String-0 = "%{exec:/usr/local/sbin/acctstop.sh}",
> Fall-Through = no
>
>
> What have I done wrong?  It seems to be ok, and be doing what I
> desire.  but I want the config to be CLEAN.
> All I really want is to run a script when an accounting STOP record is
> received.  Am I doing it wrong?

You can't use Tmp-String-0 as a reply item. Use Exec-Program-Wait.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PAP / ntlm_auth fails unless "DEFAULT Auth-Type = ntlm_auth" in users.

2009-10-15 Thread Gary Gatten
I've been jacking around trying to fix this for several hours - but no
go.  I've RTFM several times, and read several docs such as:
http://wiki.freeradius.org/Combining_authentication_of_AD_accounts_%28ntlm_auth%29_with_accounts_stored_elsewhere

When I say "fix" - it's always been "broken" - it's never worked without
the DEFAULT entry in users.  Most all my accounts are in AD so the
DEFAULT works for me, but I'm using this issue as a learning
opportunity, but instead it's just a frustration opportunity.

I'll post all my confs (2.1.6) and -X output if needed, but just looking
for some hints to help determine why when the process fails through to
PAP, it won't use ntlm_auth - it will only use "files"

Thanks!

Gary

"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: To proxy, or not to proxy, that is the question ...

2009-10-15 Thread Dean, Barry
Thanks for this, and thanks to Bob Franklin too. I have something
working now by selecting on client name and re-writing the User-Name
to append "bcm", then proxying that alone to the NAC servers. This
leaves all the config I had before for my existing domains alone.

I might try the other virtual server approach as well as that is quite  
neat.

All I need now is for the blasted NAC server to recognise me as a  
client and actually do something instead of ignoring me!

Thanks again.

(I now speak some unlang!)

--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
<>

---
Nice boy, but about as sharp as a sack of wet mice.
-- Foghorn Leghorn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Postgres

2009-10-15 Thread Sparkes, David
Hi again,

Thanks for the help.  It is running correctly.

Regards,

Dave


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAP / ntlm_auth fails unless "DEFAULT Auth-Type = ntlm_auth" in users.

2009-10-15 Thread Ivan Kalik
> I've been jacking around trying to fix this for several hours - but no
> go.  I've RTFM several times, and read several docs such as:
> http://wiki.freeradius.org/Combining_authentication_of_AD_accounts_%28nt
> lm_auth%29_with_accounts_stored_elsewhere
>
>
>
> When I say "fix" - it's always been "broken" - it's never worked without
> the DEFAULT entry in users.  Most all my accounts are in AD so the
> DEFAULT works for me, but I'm using this issue as a learning
> opportunity, but instead it's just a frustration opportunity.
>
>
>
> I'll post all my confs (2.1.6) and -X output if needed, but just looking
> for some hints to help determine why when the process fails through to
> PAP, it won't use ntlm_auth - it will only use "files"

Post the debug.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: PAP / ntlm_auth fails unless "DEFAULT Auth-Type = ntlm_auth" in users.

2009-10-15 Thread Gary Gatten
Working, uses DEFAULT Auth-Type = ntlm_auth in users file:

rad_recv: Access-Request packet from host 10.1.x.y port 1645, id=217,
length=85
User-Name = "myname"
User-Password = "myt0p$3cr...@$$w0rd"
NAS-Port = 1
NAS-Port-Id = "tty1"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.x.y"
NAS-IP-Address = 10.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "myname", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{User-Name} -> --username=myname
[ntlm_auth] expand: --password=%{Password} ->
--password=myt0p$3cr...@$$w0rd
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [myname] (from client Ci$coSwitch port 1 cli 192.168.x.y)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 217 to 10.x.y.z port 1645
Finished request 28.
Going to the next request
Waking up in 4.9 seconds.




NOT WORKING:

rad_recv: Access-Request packet from host 10.x.y.z port 1645, id=218,
length=85
User-Name = "myname"
User-Password = "myt0p$3cr...@$$w0rd"
NAS-Port = 1
NAS-Port-Id = "tty1"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.x.y"
NAS-IP-Address = 10.x.y.z
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "myname", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "myt0p$3cr...@$$w0rd"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
### I have local unix account with a pw different than my AD password
###
### If I use local PW it auths me correctly ###
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [myname] (from
client Ci$coSwitch port 1 cli 192.168.x.y)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> myname
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 38 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 38
Sending Access-Reject of id 218 to 10.x.y.z port 1645
Waking up in 4.9 seconds.
Cleaning up request 38 ID 218 with timestamp +3237
Ready to process requests.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Good number of Max Connections to run freeradius

2009-10-15 Thread Alisson
What is a good number of max_connections on Mysql to run FreeRadius?

i'm using

max_connections=500

-- 
Att.
Alisson F. Gonçalves
Sistemas de Informação - UFGD
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Good number of Max Connections to run freeradius

2009-10-15 Thread Alan Buxey
Hi,
> What is a good number of max_connections on Mysql to run FreeRadius?
> 
> i'm using
> 
> max_connections=500



500?  wowser. I use 10.

I noted problems if the value was over 15 and my SQL queries are very small
and short... I use the offline accounting (buffered-sql) to do the nasty long
update/insert stuff.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Good number of Max Connections to run freeradius

2009-10-15 Thread Alisson
I'm using 500,

and I have an error 'discarding packet'

and I don't know how to fix it

-- 
Att.
Alisson F. Gonçalves
Sistemas de Informação - UFGD
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

dialup_admin query problem

2009-10-15 Thread Whorled Services
I am using dialup_admin 1.80 from within the current freeradius 2.1.7
release.  freeradius is working fine, and some dialup_admin menu
selections are working correctly.  One that isn't is User Statistics.

I have configured dialup admin to not use the 'totacct' table by setting
"general_stats_use_totacct: no" in admin.conf
When I select User Statistics, dialup_admin is still running a query for
fields in the totacct table:

091015 10:08:21 22 Connect freerad...@localhost on
 22 Init DB radius
 22 Query   EXPLAIN SELECT * FROM nas
 22 Query   SELECT * FROM nas
 22 Init DB radius
 22 Query   EXPLAIN SELECT  * FROM radacct
WHERE acctdate >= '2009-10-08' AND acctdate <= '2009-10-15'
ORDER BY connnum desc
 22 Query   SELECT  * FROM radacct
WHERE acctdate >= '2009-10-08' AND acctdate <= '2009-10-15'
ORDER BY connnum desc

The table name 'radacct' is correct.  The query for field 'acctdate' is
incorrect, that field is in 'totacct' & not present in 'radacct'.

I  know one solution is to set "general_stats_use_totacct: yes" & run
the tot_stats scripts daily, but that it is not working with the
'radacct' table makes me concerned that I may have a configuration issue
that could lead to further problems.
Is there some other configuration option needed to make this work properly?

TIA

Linux version 2.6.27.27 (r...@darkstar) (gcc version 4.2.4) #1 SMP Wed
Jul 22 07:27:34 AKDT 2009
apache 2.2.13
php 5.2.10
zend 3.3.9
mysql 5.0.67
FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Dec  5
2008 at 10:35:21
dialup_admin 1.80








-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius + OpenLdap + WindowsXP(Wifi)

2009-10-15 Thread Ivan Kalik
>
> Previous round trip ..
>
> User-Name = "kleberl"
> NAS-IP-Address = 192.168.155.123
> NAS-Port-Type = Wireless-802.11
> State = 0x3cce0b1706ad36054f63eeb5f99e1a66
>
> EAP-Message =
> 0x029500591900170301004e6b2cc736e1b009a8b6f35c85b0f9ea9b4543a3be11f7586ffe81fb98b3eb4f61d9112c6a9a28be20ab9de173401926f7b9ee653f80ce1549b8790c6efff5a57e3d4226d46c6a6cdedcc247557cde
> Message-Authenticator = 0x1270811c8796ab07c98678904e5d93c8
...
> Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: looking for check items in
> directory...
> Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: looking for reply items in
> directory...
> Tue Oct 13 12:00:45 2009 : Debug: rlm_ldap: user kleberl authorized to use
> remote access
...
> Tue Oct 13 12:00:45 2009 : Debug:   rlm_mschap: No User-Password
> configured.  Cannot create LM-Password.
> Tue Oct 13 12:00:45 2009 : Debug:   rlm_mschap: No User-Password
> configured.  Cannot create NT-Password.
> Tue Oct 13 12:00:45 2009 : Debug:   rlm_mschap: Told to do MS-CHAPv2 for
> kleberl with NT-Password
> Tue Oct 13 12:00:45 2009 : Debug:   rlm_mschap: FAILED: No NT/LM-Password.
>  Cannot perform authentication.
> Tue Oct 13 12:00:45 2009 : Debug:   rlm_mschap: FAILED: MS-CHAP2-Response
> is incorrect

Where is your password? Ldap didn't pass it back.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Several LDAP searches

2009-10-15 Thread Ivan Kalik
> I am configuring a freeradius server (version 2.1.7). I need two listen
> sections, both to authenticate users using the same LDAP server. The
> thing is that I need to do different searches with different filters,
> depending on which listen section is asked. What is the best way to
> configure this, if there is one? I have read the documentation, the wiki
> and the configuration files and I couldn't figure it out.

Configure two ldap instances and use them in the virtual servers that the
listen sections point to.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


No NAS-Port seen warning

2009-10-15 Thread Robert White
Hey,
I keep getting a warning message in my Radius setup...

 WARNING: Attribute NAS-Port was not found in request, unique ID MAY be
inconsistent

This is true enough.  But I am sending a slightly different attribute:
'Quintum-NAS-Port'.  Do I have control over this 'NAS-Port' prefix?  Or can I
make rlm_acct_unique look for Quintum-NAS-Port instead of just NAS-Port?

Any help appreciated.

Thanks,

Rob
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Check_item still wraps at 4gb

2009-10-15 Thread Marcel Grandemange
Good Day.

Hoping I can get some help.

I have been trying for years now to simply cap users based on data
transferred above 4GB.

It has only been now that I discovered where the problem lies.

I can log data over 4GB no issue, the NAS sends gigawords to radius and they get
inserted into the db no probs.

However, my data counter fails to authenticate customers properly if any
accounts are set to above 4GB.

And I found why.

It seems that the "check_item" still wraps at 4GB!

How can I solve this?

Regards

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re : Re: Re : Re: Freeradius2 configuration challenges ( Binding IP address & failure of radtest

2009-10-15 Thread adaigle
Hi Everyone
I think I am getting ahead but now I got the following error:

[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.


I was just trying to set up PAP (testuser) on the radius.

Would you know what the error could be ?

Thx

- Original Message -
From: adai...@vl.videotron.ca
Date: Wednesday, 14 October 2009, 21:16
Subject: Re : Re: Re : Re: Freeradius2 configuration challenges ( Binding IP 
address &failure of  radtest
To: FreeRadius users mailing list 

> Thanks John for your patience !
> I appreciate your explanation and will double check everything 
>  
> Al
> 
> - Original Message -
> From: John Dennis 
> Date: Wednesday, 14 October 2009, 16:19
> Subject: Re: Re : Re: Freeradius2 configuration challenges ( 
> Binding IP address & failure of radtest
> To: FreeRadius users mailing list  us...@lists.freeradius.org>
> > On 10/14/2009 03:45 PM, adai...@vl.videotron.ca wrote:
> > > Thanks John for the quick reply on my questions,
> > >
> > > I already checked on Red_Hat_FAQ and I have not seen any
> > > answers to my challenges !
> > 
> > Did you read the section "How do I start and stop the FreeRADIUS service?"
> > 
> > Because it's obvious you've got two radius servers running. You can't
> > have the radius server running as a daemon *and* run another copy in the
> > foreground with -X. If you want to run a copy in the foreground you
> > *must* stop any existing copies from running first. The only way you can
> > have another copy running is if you enabled the service for boot start
> > up with chkconfig or manually started it with /usr/sbin/service or your
> > manually executed /usr/sbin/radiusd.
> > 
> > -- 
> > John Dennis 
> > 
> > Looking to carve out IT costs?
> > www.redhat.com/carveoutcosts/
> > -
> > List info/subscribe/unsubscribe? See 
> > http://www.freeradius.org/list/users.html
> > -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: No NAS-Port seen warning

2009-10-15 Thread Patric

Robert White wrote:
> Hey,
>
> Or can I make rlm_acct_unique look for Quintum-NAS-Port instead of
> just NAS-Port?

Yup, just update modules/acct_unique

HTH
Patric
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html