Re: Bugzilla with freeradius support

2009-12-16 Thread Alan DeKok
freerad...@corwyn.net wrote:
> I see that bugzilla has added Freeradius support. Went looking for any
> type of guide, and seems obscured by freeradius using bugzilla for bug
> tracking.

  Search for "bugzilla radius".

> Can someone point me to anything that has pointers for using freeradius
> to support my bugzilla implementation?

  The first URL:

http://www.bugzilla.org/docs/tip/en/html/parameters.html

  Past that, my guess is that they send PAP requests.  So configuring
FreeRADIUS to "support bugzilla" should be as complicated as configuring
a realm, and users/passwords in that realm.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Bugzilla with freeradius support

2009-12-16 Thread freeradius




I see that bugzilla has added Freeradius support. Went looking for 
any type of guide, and seems obscured by freeradius using bugzilla 
for bug tracking.


Can someone point me to anything that has pointers for using 
freeradius to support my bugzilla implementation?


Rick


Rick Steeves
http://www.sinister.net

In reality nothing is more damaging to the adventurous spirit within 
a man than a secure future -  Alexander Supertramp




Re: unlang after chap returns reject [RESOLVED]

2009-12-16 Thread EasyHorpak.com




Arran Cudbard-Bell wrote:


chap {
	reject = 1
}



  
  
I try search about unlang and write it to accept user even though wrong
password and chap reject.
i need to set wrong password user to ip group and then redirect them to
html explain about the problem.



i try this unlang in chap


authenticate {
    #
    #  PAP authentication, when a back-end database listed
    #  in the 'authorize' section supplies a password.  The
    #  password can be clear-text, or encrypted.
    Auth-Type PAP {
        pap
    }

    #
    #  Most people want CHAP authentication
    #  A back-end database listed in the 'authorize' section
    #  MUST supply a CLEAR TEXT password.  Encrypted passwords
    #  won't work.
    Auth-Type CHAP {
        chap

        if (reject) {
            update reply {
                Framed-IP-Address = "13.0.0.0+"
                Framed-IP-Netmask = "255.255.255.0"
            }

            update control {
                Auth-Type := "Accept"
            }
        }
    }


and it 's not work...

Could any one point me how to solve this?
Or what i should change on  if (reject) {  
Or What section should it put this unlang.

Or give me some unlang scripts.


Thank you in advance.



-- 
http://www.EasyHorpak.com - Find dormitories, apartments, mansions, condos, hotels
http://www.EasyZoneCorp.net - High-quality internet management software, Hotspot and PPPoE, Anti NetCut, Mac spoof
http://www.thai-school.net - Ready-made websites for schools and alumni
EasyZone SuperLink - Exchange ten thousand links in a single click

  
  
-- 
Arran Cudbard-Bell ,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

  

Thank you Arran Cudbard-Bell.

with your short reply i try this.

authenticate {
    #
    #  PAP authentication, when a back-end database listed
    #  in the 'authorize' section supplies a password.  The
    #  password can be clear-text, or encrypted.
    Auth-Type PAP {
        pap
    }

    #
    #  Most people want CHAP authentication
    #  A back-end database listed in the 'authorize' section
    #  MUST supply a CLEAR TEXT password.  Encrypted passwords
    #  won't work.
    Auth-Type CHAP {
        chap {
            reject = 1
        }

        if (reject) {
            update reply {
                Framed-IP-Address = "13.0.0.0+"
                Framed-IP-Netmask = "255.255.255.0"
            }

            update control {
                Auth-Type := "Accept"
            }
            ok
        }
    }



it works now !! GREAT !!

bad password user can accept and get ip 13.0.0.0+
good user can accept and get ip 192.168.99.1+

and then i create iptables to redirect bad password to html to explain
what happen.


I spent many night with panda eyes to find this unlang. now it resolved.

Thank you so much Arran Cudbard-Bell . You are Great!!.


-- 
http://www.EasyHorpak.com - Find dormitories, apartments, mansions, condos, hotels
http://www.EasyZoneCorp.net - High-quality internet management software, Hotspot and PPPoE, Anti NetCut, Mac spoof
http://www.thai-school.net - Ready-made websites for schools and alumni
EasyZone SuperLink - Exchange ten thousand links in a single click

Re: Accounting question

2009-12-16 Thread Alan DeKok
David Peterson wrote:
> However the NAS is overriding the username and replying with:
...

  Buy a NAS that works.

> Any other thoughts?  

  Follow the other suggestions that would solve the problem.

  Alan DeKok.


Re: FreeRadius 2.7 virtual memory

2009-12-16 Thread Alan DeKok
Dinh Pham Cong wrote:
> Hi Alan
> 
> The version I am using is 2.1.7

  Try 2.1.8 when it comes out.  It has some fixes which should help.

  Alan DeKok.


Re: FreeRadius 2.1.7 crashes

2009-12-16 Thread Alan DeKok
Dinh Pham Cong wrote:
> Do you think that it is MySQL client library bug? How can I do now?

  It looks like a MySQL client library bug.  I'd suggest asking MySQL
about it.

  Alan DeKok.


Re: Trying to get tunneling to work

2009-12-16 Thread Alan DeKok
Mike Bernhardt wrote:
> Sorry about the delay, I haven't been able to get back to this until today.
> I'm using 2.1.7.

  OK, that issue should be fixed in 2.1.8.  We should release it this week.

  Alan DeKok.


Re: Freeradius db.ippool is FULL Error : rlm_ippool: No available ip addresses in pool.

2009-12-16 Thread Alan DeKok
Gökhan ORHON wrote:
> Help, again message here,
> 
> Note: I test Cisco Secure ACS, no problem. But freeradius not release pool 
> ips. Thank you.

  You have been very careful to *not* follow the instructions in the
FAQ.  You have been very careful to *not* pay attention to the responses
on this list.

  Why?

  Alan DeKok.


Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-16 Thread Alex M
ok fair enough =) will go dig config file...
How can I send the reason for rejection? Just add reply command somewhere
along the lines? Can I link reply message to the reply message associated
with reply in groups?
Tnx again!


On Wed, Dec 16, 2009 at 3:25 AM, Alan DeKok wrote:

> Alex M wrote:
> > Well i guess i'm back to my problem :(
> > I tried group thing and i'm  getting som strange un-constant results :(
> >
> > Can some one tell me how the logic works for groupcheck?
>
>   Why?  You were given a simple solution.  I suggest trying that.
> Trying to figure out how to get groups to do what you want is a waste of
> time when you *already* have a solution.
>
>  Alan DeKok.

RE: Trying to get tunneling to work

2009-12-16 Thread Mike Bernhardt
Sorry about the delay, I haven't been able to get back to this until today.
I'm using 2.1.7.

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: Thursday, December 10, 2009 11:03 PM
To: FreeRadius users mailing list
Subject: Re: Trying to get tunneling to work

Mike Bernhardt wrote:
> I am trying to set up freeradius to proxy requests 802.11 MSCHAPv2 to an
> IAS server. The IAS requests are authenticated by a Safeword server,
> which doesn't support 802.11. So the idea is that freeradius takes the
> request, proxies it to IAS as if it was a non-802.11 client, IAS passes
> it to the integrated Safeword server, and everything is happy.

  OK.

> ERROR: Failed to create a new socket for proxying requests. 
> ERROR: Failed inserting request into proxy hash.

  Hmm... which version are you using?  That shouldn't happen in a
released version of the code.

  Alan DeKok.




RE: Trying to get tunneling to work

2009-12-16 Thread Mike Bernhardt
-Original Message-
From: t...@kalik.net [mailto:t...@kalik.net] 
Sent: Thursday, December 10, 2009 5:05 PM
To: FreeRadius users mailing list
Subject: Re: Trying to get tunneling to work

> I am trying to set up freeradius to proxy requests 802.11 MSCHAPv2 to an
> IAS
> server. The IAS requests are authenticated by a Safeword server, which
> doesn't support 802.11. So the idea is that freeradius takes the request,
> proxies it to IAS as if it was a non-802.11 client, IAS passes it to the
> integrated Safeword server, and everything is happy.
>
>
>
> My configuration works from a 802.11 supplicant if the user exist locally
> in
> freeradius, but no proxying happens when the user doesn't exist locally.

Read comments in peap section of eap.conf. Replace LOCAL in Proxy-To-Realm
statement in inner-tunnel virtual server with the name of the realm
pointing to IAS server.

Ivan Kalik

As far as I know, this is the case. It is replaced in the users file. I did
a little cleanup on the other config files too. Here is the new output,
though the result is the same.


radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 realm safeword.eng {
authhost = 192.168.30.29:1812
accthost = 192.168.30.29:1813
secret = Testing_Testing
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
radiusd:  Loading Clients 
 client 192.168.7.139/32 {
require_message_authenticator = no
secret = "Testing_Testing"
 }
 client 127.0.0.1/32 {
require_message_authenticator = no
secret = "testing123"
 }

radiusd:  Loading Virtual Servers 
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = "auto"
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = "Password: "
auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {

Re: rlm_perl

2009-12-16 Thread Bjørn Mork
Коньков Евгений  writes:

> How to send multiple parameters with perl like next:
>> 1)  $RAD_REPLY{'mpd-table-static'}= "14=192.168.1.7 2";
>> 2)  $RAD_REPLY{'mpd-table-static'}= "15=192.168.1.7 3";


$RAD_REPLY{'mpd-table-static'} = ["14=192.168.1.7 2", "15=192.168.1.7 3"];


Bjørn



rlm_perl

2009-12-16 Thread Коньков Евгений
Hello, Freeradius-users.

How to send multiple parameters with perl like next:
> 1)  $RAD_REPLY{'mpd-table-static'}= "14=192.168.1.7 2";
> 2)  $RAD_REPLY{'mpd-table-static'}= "15=192.168.1.7 3";

now 1 is overridden with 2.

-- 
Best regards,
 Коньков  mailto:kes-...@yandex.ru


Re: FreeRadius won't start with my configs

2009-12-16 Thread Nicolas Goutte


On 16.12.2009 at 20:39, J Brandon Polley wrote:

I can't get FreeRadius to start. No other instance of FreeRadius is  
running when I try to start FreeRadius.

I'm using FreeRadius 1.1.7-21.4.47


Here is my debug info when I enter radiusd -x

Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
rlm_preprocess: Error reading /etc/raddb/huntgroups (didnt change  
anything in this file)


Do you really have a file in this path? Are the rights of the file in  
a way that the daemon can read them, as the user that is being used?


Have a nice day!

[...]





Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841




FreeRadius won't start with my configs

2009-12-16 Thread J Brandon Polley
I can't get FreeRadius to start. No other instance of FreeRadius is running 
when I try to start FreeRadius.
I'm using FreeRadius 1.1.7-21.4.47
 
 
Here is my debug info when I enter radiusd -x
 
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
rlm_preprocess: Error reading /etc/raddb/huntgroups (didnt change anything in 
this file)
radiusd.conf[1019]: preprocess: Module instantiation failed.
radiusd.conf[1800] Unknown module "preprocess".
radiusd.conf[1790] Failed to parse authorize section.
radius:~ #

Here is line 1019:
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints

# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23

# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no

# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no

# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
#   H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out.  The result is:
#
#  H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}


Here is line 1800:
preprocess

#
#  If you want to have a log of authentication requests,
#  un-comment the following line, and the 'detail auth_log'
#  section, above.
#auth_log

#attr_filter

#
#  The chap module will set 'Auth-Type := CHAP' if we are
#  handling a CHAP request and Auth-Type has not already been set
chap

#
#  If the users are logging in with an MS-CHAP-Challenge
#  attribute for authentication, the mschap module will find
#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
#  to the request, which will cause the server to then use
#  the mschap module for authentication.
mschap

#
#  If you have a Cisco SIP server authenticating against
#  FreeRADIUS, uncomment the following line, and the 'digest'
#  line in the 'authenticate' section.
#digest

#
#  Look for IPASS style 'realm/', and if not found, look for
#  '@realm', and decide whether or not to proxy, based on
#  that.
#IPASS

#
#  If you are using multiple kinds of realms, you probably
#  want to set "ignore_null = yes" for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.
#
suffix
#ntdomain

Here is line 1790:
authorize {
#
#  The preprocess module takes care of sanitizing some bizarre
#  attributes in the request, and turning them into attributes
#  which are more standard.
#
#  It takes care of processing the 'raddb/hints' and the
#  'raddb/huntgroups' files.
#
#  It also adds the %{Client-IP-Address} attribute to the request.

Re: Freeradius db.ippool is FULL Error : rlm_ippool: No available ip addresses in pool.

2009-12-16 Thread tnt
> Note: I test Cisco Secure ACS, no problem. But freeradius not release pool
> ips. Thank you.

Because it will not release IPs without notification that user is offline
(accounting stop packet). If you want limited lifespan of assigned IP
address don't use ippool - use dhcp.

Ivan Kalik



Re: Problem with EAP TLS authentication in Freeradius

2009-12-16 Thread tnt
> I have copied MAKE file from the 2.1.8 pre version.But not able to
> generate
> certificates.
> When I try to run ./bootstrap , it throws error related to MAKE.in file
>
> Please let me know the procedure to generate a certificate.

Read the README file in certs directory.

Ivan Kalik



Re: windows domain\user change to u...@domain

2009-12-16 Thread tnt
> Have already uncomment (remove the # infront of the ntdomain under
> /etc/raddb/sites-enabled/default), still not working. H1\user1 get proxy
> to
> NULL realm instead of H1 realm.

Post the debug with ntdomain enabled. Do you have NULL realm defined in
proxy.conf?

Ivan Kalik



RE: Accounting question

2009-12-16 Thread David Peterson
OK I added the reply update and see the acknowledgement go out:

Sending Access-Accept of id 8 to 172.16.4.2 port 1812
Service-Type = Framed-User
User-Name = "testtest"
Framed-Filter-Id = "Bronze"
Class = 0x7465737474657374
EAP-Message = 0x03080004
Message-Authenticator = 0x
WiMAX-IP-Technology = CMIP4
WiMAX-hHA-IP-MIP4 = 192.168.10.3
WiMAX-MSK = 
0x686ea51099d982afffe6d3555b34d6a9ae889284f3e2db6eeab05848838fd290d00925dd068d797a09eb3b4d17b5a90ad00ab5291ce7ba9a519440b480bb3943
WiMAX-MN-hHA-MIP4-Key = 0x4e96fdcb6522057bfefbe762e274dbc33640f2ff
WiMAX-MN-hHA-MIP4-SPI = 1824920104

However the NAS is overriding the username and replying with:

rad_recv: Accounting-Request packet from host 172.16.4.2 port 1813, id=31, 
length=262
Acct-Status-Type = Start
WiMAX-Beginning-Of-Session = 1
Class = 0x7465737474657374
WiMAX-IP-Technology = Reserved-0
Acct-Session-Id = 
"00-12-cf-c3-fb-8c16\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
Framed-IP-Address = 64.186.195.5
User-Name = "{am=1}2d0e1fba7e14896968495d723d41a...@test.com"
Calling-Station-Id = "00-12-cf-c3-fb-8c"
NAS-Identifier = "WC_LAB"
WiMAX-hHA-IP-MIP4 = 192.168.10.3
NAS-IP-Address = 172.16.4.2
WiMAX-BS-Id = 0x02030209
Framed-Pool = "alias"
Event-Timestamp = "Dec 16 2009 13:15:14 CST"
WiMAX-GMT-Timezone-offset = 21600
Acct-Authentic = RADIUS

Any other thoughts?  

David

From: Arran Cudbard-Bell [a.cudbard-b...@sussex.ac.uk]
Sent: Tuesday, December 15, 2009 5:32 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Accounting question

David Peterson wrote:
> Forgive my newbieness but where would I put that code?  I tried adding it to 
> the sites-available/default file under accounting but I am guessing that's 
> not right.

That'll stop any potential problems arising from the malformed Acct-Session-ID 
yes.

Regarding the username, try putting the following in postauth.

update reply {
User-Name := 'testtest'
Class := 'testtest'
}

See if either of those values are included in accounting sessions. If they are 
then there are ways to work around the User-Name in accounting packets.

-Arran
> David
>
> -Original Message-
> From: Arran Cudbard-Bell [mailto:a.cudbard-b...@sussex.ac.uk]
> Sent: Tuesday, December 15, 2009 10:56 AM
> To: David Peterson-WirelessConnections; FreeRadius users mailing list
> Subject: Re: Accounting question
>
> David Peterson wrote:
>> Here is the accounting packet information I am getting:
>> rad_recv: Accounting-Request packet from host 172.16.4.2 port 1813, id=5,
>> length=239
>> Acct-Status-Type = Start
>> WiMAX-Beginning-Of-Session = 1
>> WiMAX-IP-Technology = Reserved-0
>> Acct-Session-Id =
>> "00-12-cf-c3-fb-8c3\000\000\000\000\000\000\000\000\000\000\000\000\000\000\
>> 000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
>> Framed-IP-Address = 64.186.195.5
>> User-Name = "{am=1}33ac5579ce57217426e7434fa60e4...@test.com"
>> Calling-Station-Id = "00-12-cf-c3-fb-8c"
>> NAS-Identifier = "WC_LAB"
>> NAS-IP-Address = 172.16.4.2
>> WiMAX-BS-Id = 0x02030209
>> Framed-Pool = "alias"
>> Event-Timestamp = "Dec 15 2009 09:04:15 CST"
>> WiMAX-GMT-Timezone-offset = 21600
>> Acct-Authentic = RADIUS
>>
>> What I don't get is why the authentication works with clear text and the
>> accounting has the "hex stuff".  Is this pretty much controlled by the NAS?
>
> The "hex stuff" is the NAS appending 31 null chars to the session id.
> FreeRADIUS is converting the unprintable characters into escape codes so that 
> they're visible.
>
> The RFC recommendation is that:
>
> "The Acct-Session-Id SHOULD contain UTF-8 encoded 10646 [7] characters."
>
> Which SHOULD limit it to printable chars.
>
> Really this is something your NAS vendor should fix, as it's a bug in their 
> code.
>
> ...Though if you really want you can trim off the superfluous nulls with:
>
> if(Acct-Session-ID =~ /(.*)/){
>   update request {
>   Acct-Session-ID := "%{1}"
>   }
> }
>
>
> -Arran
>
>
>> David
>>
>> -Original Message-
>> From: Alan DeKok [mailto:al...@deployingradius.com]
>> Sent: Tuesday, December 15, 2009 9:44 AM
>> To: David Peterson-WirelessConnections; FreeRadius users mailing list
>> Subject: Re: Accounting question
>>
>> David Peterson wrote:
>>> From what I can determine, the username is encrypted even though the
>>> authentication is done in clear text during the EAP authentication.
>>   It's not "encrypted".  My guess is that you are using WiMAX.
>>
>>   As always, run the server in debug
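
A way to spot the NUL-padded Acct-Session-Id values discussed in this thread in saved debug output and recover the trimmed id, as an added example that is not from any poster in the thread. It assumes unprintable bytes are rendered as three-digit octal escapes as in the quoted log and that each attribute has been joined onto one line; the function names and the sample lines are constructed.

```python
import re

# Assumption: the debug output renders an unprintable byte as a backslash
# followed by three octal digits, as the \000 runs quoted in the thread.
_OCTAL = re.compile(r"\\([0-3][0-7]{2})")

# One attribute per line, value in double quotes (wrapped mail lines must be
# joined before scanning).
_ATTR = re.compile(r'^\s*Acct-Session-Id\s*=\s*"(.*)"\s*$')


def decode_debug_value(text):
    """Rebuild the raw attribute bytes from their debug-log rendering."""
    out = bytearray()
    pos = 0
    for m in _OCTAL.finditer(text):
        out += text[pos:m.start()].encode("utf-8")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += text[pos:].encode("utf-8")
    return bytes(out)


def inspect_session_id(text):
    """Return (trimmed_id, trailing_nuls, offsets_of_other_control_bytes)."""
    raw = decode_debug_value(text)
    trimmed = raw.rstrip(b"\x00")
    padding = len(raw) - len(trimmed)
    # Control bytes that survive trimming are not padding. Report their
    # offsets instead of dropping them so the record can be reviewed.
    odd = [i for i, b in enumerate(trimmed) if b < 0x20 or b == 0x7F]
    return trimmed.decode("utf-8", errors="replace"), padding, odd


def scan_debug_log(lines):
    """Report every Acct-Session-Id that is padded or carries control bytes."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = _ATTR.match(line)
        if not m:
            continue
        sid, padding, odd = inspect_session_id(m.group(1))
        if padding or odd:
            findings.append({
                "line": lineno,
                "id": sid,
                "trailing_nuls": padding,
                "control_offsets": odd,
            })
    return findings


# Constructed sample: the first id mirrors the shape described in the thread
# (31 trailing NULs); the other two are made up to show a clean id and an id
# with an embedded NUL that trimming alone would not fix.
NUL = "\\000"
SAMPLE_LOG = [
    "Acct-Status-Type = Start",
    'Acct-Session-Id = "00-12-cf-c3-fb-8c3' + NUL * 31 + '"',
    'Acct-Session-Id = "4b2a9f01"',
    'Acct-Session-Id = "00-12-cf' + NUL + '-c3"',
    'Calling-Station-Id = "00-12-cf-c3-fb-8c"',
]

if __name__ == "__main__":
    for finding in scan_debug_log(SAMPLE_LOG):
        print(finding)
```
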

Re: unlang after chap returns reject

2009-12-16 Thread Arran Cudbard-Bell

chap {
reject = 1
}



> 
> I try search about unlang and write it to accept user even though wrong
> password and chap reject.
> i need to set wrong password user to ip group and then redirect them to
> html explain about the problem.
> 
> 
> 
> i try this unlang in chap
> 
> 
> authenticate {
>     #
>     #  PAP authentication, when a back-end database listed
>     #  in the 'authorize' section supplies a password.  The
>     #  password can be clear-text, or encrypted.
>     Auth-Type PAP {
>         pap
>     }
>
>     #
>     #  Most people want CHAP authentication
>     #  A back-end database listed in the 'authorize' section
>     #  MUST supply a CLEAR TEXT password.  Encrypted passwords
>     #  won't work.
>     Auth-Type CHAP {
>         chap
>
>         if (reject) {
>             update reply {
>                 Framed-IP-Address = "13.0.0.0+"
>                 Framed-IP-Netmask = "255.255.255.0"
>             }
>
>             update control {
>                 Auth-Type := "Accept"
>             }
>         }
>     }
> 
> 
> and it 's not work...
> 
> Could any one point me how to solve this?
> Or what i should change on  if (reject) {  
> Or What section should it put this unlang.
> 
> Or give me some unlang scripts.
> 
> 
> Thank you in advance.
> 
> 
> 
> -- 
> http://www.EasyHorpak.com - Find dormitories, apartments, mansions, condos, hotels
> http://www.EasyZoneCorp.net - High-quality internet management software, Hotspot and PPPoE, Anti NetCut, Mac spoof
> http://www.thai-school.net - Ready-made websites for schools and alumni
> EasyZone SuperLink - Exchange ten thousand links in a single click

-- 
Arran Cudbard-Bell ,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

[SOLVED] [PARTIALLY] Request for directions: WinXP + Samba + LDAP + 802.1x

2009-12-16 Thread Fabiano Caixeta Duarte
>Well, default eap module knows about this type. Have you been playing with
>eap.conf?


I touched, yes. But I had stripped mschap conf from default vhost and
that was just wrong...

Now everything is partially working.

If client has already logged on (auth info cached by XP), he needs to
restart the network connection for it to authenticate against
freeradius.

So, I'll try to understand what do I have to do so XP machines uses
auth info during logon process to auth against freeradius.


-- 
Fabiano Caixeta Duarte
Especialista em Redes de Computadores
Linux User #195299
Ribeirão Preto - SP



Re: unlang after chap returns reject

2009-12-16 Thread EasyHorpak.com




Alan Buxey wrote:

  Hi,

  
  
i try this unlang in chap


authenticate {

  
  



you seem to have ignored the 3 lines directly above what you cut and pasted... I'll
remind you

#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.

alan

  

yes !! sure that 's why.
i ask next question . 

What section should it put this unlang?


Cause if i put on 

Post-Auth-Type REJECT {


update reply is work.

but update control it is not work.

if i put in authorize section after pap

it run before chap . so unlang can not get result of chap reject.

where should it put it?

Or unlang can not change result of chap reject !!?




-- 
http://www.EasyHorpak.com - Find dormitories, apartments, mansions, condos, hotels
http://www.EasyZoneCorp.net - High-quality internet management software, Hotspot and PPPoE, Anti NetCut, Mac spoof
http://www.thai-school.net - Ready-made websites for schools and alumni
EasyZone SuperLink - Exchange ten thousand links in a single click

FreeRadius 2.1.7 crashes

2009-12-16 Thread Dinh Pham Cong
Hi all,

I had run FreeRadius 2.1.7 in gdb and got this core dump

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x2aac59f0e940 (LWP 23452)]
0x00309a85306b in ?? () from /usr/lib64/mysql/libmysqlclient_r.so.15
(gdb) bt
#0  0x00309a85306b in ?? () from /usr/lib64/mysql/libmysqlclient_r.so.15
#1  0x00309a8533e9 in my_net_read () from
/usr/lib64/mysql/libmysqlclient_r.so.15
#2  0x00309a84cd1f in cli_safe_read () from
/usr/lib64/mysql/libmysqlclient_r.so.15
#3  0x00309a84e673 in mysql_real_connect () from
/usr/lib64/mysql/libmysqlclient_r.so.15
#4  0x2ae5ed7663fb in sql_init_socket (sqlsocket=0x4428d90,
config=0x42d81f0) at sql_mysql.c:89
#5  0x2ae5ed561e42 in connect_single_socket (sqlsocket=0x4428d90,
inst=0x42d8180) at sql.c:56
#6  0x2ae5ed562049 in rlm_sql_query (sqlsocket=0x4428d90,
inst=0x42d8180,
query=0x2aac59f0c2f0 " DELETE FROM  radacct", ' ' , "WHERE acctuniqueid =  'bffb320ed0f4f462'") at sql.c:523
#7  0x2ae5ed560987 in rlm_sql_accounting (instance=0x42d8180,
request=0x2aabb4033a20) at rlm_sql.c:1337
#8  0x00419da9 in modcall (component=3, c=,
request=0x2aabb4033a20) at modcall.c:292
#9  0x0041733d in indexed_modcall (comp=3, idx=0,
request=0x2aabb4033a20) at modules.c:691
#10 0x00407f37 in rad_accounting (request=0x2aabb4033a20) at
acct.c:93
#11 0x00423ad1 in radius_handle_request (request=0x2aabb4033a20,
fun=0x407ea0 ) at event.c:3693
#12 0x0041cc83 in request_handler_thread (arg=)
at threads.c:492
#13 0x003e10206367 in start_thread () from /lib64/libpthread.so.0
#14 0x003e0f6d2f7d in clone () from /lib64/libc.so.6

Do you think that it is MySQL client library bug? How can I do now?

Regards,

Dinh

Freeradius db.ippool is FULL Error : rlm_ippool: No available ip addresses in pool.

2009-12-16 Thread Gökhan ORHON
Help, again message here,

Note: I test Cisco Secure ACS, no problem. But freeradius not release pool ips. 
Thank you.


> Hello,
>
> I have a big problem, please HELP.
>
> I am a newbie to Radius.
>
> I am using freeradius 2.x on Suse 11.1 (Vmware ESXi 3.5).
> I use ippool (254 IPs). I have a GPRS POS machine. The POS works with no
> problem, but
>
> when the POS machine connects to the radius server and disconnects, ippool
> does not free the IP in the db.
>
> I look with
>
> rlm_ippool_tool -avc db.ippool db.ipindex
>
> and the IPs are still there. Many times the db file is full and radius does
> not give an IP to the POS. I manually remove them with
>
> the rlm_ippool_tool -r command, and then Radius gives an IP to the POS.
>
> I look at the Radius -Xx output,
>
> and I see in the log file the error: rlm_ippool: No available ip addresses in
> pool.
>
> Q1: How can I release IPs in the db.ippool file automatically? Or is there
> any disconnection timeout value?
>
> Note: I use crontab now, but is this the right way?
> Thank you.
>
> Some Information from Radius
>
> ippool main_pool {
>
> range-start = 172.20.3.1
> range-stop = 172.20.3.254
> netmask = 255.255.255.0
> cache-size = 254
> session-db = /var/lib/radiusd/db.ippool
> ip-index = /var/lib/radiusd/db.ipindex
> override = no
> maximum-timeout = 600 (Not work..)
> }




Re: Problem with EAP TLS authentication in Freeradius

2009-12-16 Thread senthil kumar
Hi

I have copied the MAKE file from the 2.1.8 pre version, but I am not able to
generate certificates.
When I try to run ./bootstrap, it throws an error related to the MAKE.in file.

Please let me know the procedure to generate a certificate.


Regards
Senthil

On Wed, Dec 9, 2009 at 1:00 AM,  wrote:

> > Actually I copied the file from /usr/share/doc/freeradius/examples/certs
> > folder
> > But I didn't change anything in the MAKE file
>
> From which version? 2.1.7 or 2.1.8? 2.1.8 has the new Makefile which signs
> client certificates with ca certificate.
>
> > Is there any other way to debug it???
>
> That's openSSL stuff. Ask them.
>
> Ivan Kalik
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
"Adversity always presents opportunity for Introspection"

Regards
Senthil

Re: unlang after chap returns reject

2009-12-16 Thread Alan Buxey
Hi,

> i try this unlang in chap
> 
> 
> authenticate {




you seem to have ignored the 3 lines directly above what you cut and pasted...
I'll remind you

#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.

alan


Re: windows domain\user change to u...@domain

2009-12-16 Thread Alan Buxey
Hi,
> in the /etc/raddb/modules/realm file,
> 
> realm ntdomain {
>     format = prefix
>     delimiter = "\\"
> }
>
> In the proxy.conf
> realm H1 {
>     type = radius
>     nostrip
>     authhost = 1.2.3.4:1812
>     accthost = 1.2.3.4:1813
>     secret = secret1
>     retry_delay = 3
>     retry_count = 1
> }
> 
> 
> There is no # in front, thus they are already uncommented. Can you advise if
> anything new needs to be done in the proxy.conf

read the other replies _carefully_ - it's not just the realm file
and the proxy.conf - you need to also edit sites-enabled/default and
find the commented out ntdomain and prefix part in the authorize section
and enable them

alan


Re: radiusd -X

2009-12-16 Thread kachin Agarwal
Hey,

I am new to this.. what does this hardware SSL accelerator card do???  where do
you get this???

Thanks & Regards,
Kachin




Re: radiusd -X

2009-12-16 Thread Paul Ryszka
Hi,

Get yourself a hardware SSL accelerator card supported by the openssl
libraries or increase cpu speed.


On Wed, 2009-12-16 at 15:38 +0530, kachin Agarwal wrote:
> Hi,
>  After a lot of investigation, I have found the reason for my low
> auth-rate.
> The auth-rate I am getting now is 3/sec, so approx. 330 ms per
> authentication.
> 
> this is a radiusd -X :
> 
> eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7 
> [peap] Done initial handshake
> [peap] (other): before/accept initialization 
> [peap] TLS_accept: before/accept initialization 
> [peap] <<< TLS 1.0 Handshake [length 005f], ClientHello  
> [peap] TLS_accept: SSLv3 read client hello A 
> [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
> [peap] TLS_accept: SSLv3 write server hello A 
> [peap] >>> TLS 1.0 Handshake [length 0278], Certificate  
> [peap] TLS_accept: SSLv3 write certificate A 
> [peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange  
> [peap] TLS_accept: SSLv3 write key exchange A 
> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
> [peap] TLS_accept: SSLv3 write server done A 
> [peap] TLS_accept: SSLv3 flush data 
> [peap] TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase 
> In SSL Accept mode  
> [peap] eaptls_process returned 13 
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> 
> 
> But in this 300 millisec, 200 ms is taken up by the above SSL
> operation. Why does this take more time? How can I reduce this time
> consumed by SSL?
> 
> Thanks & Regards,
> Kachin
> 
> 
> 




Re: radiusd -X

2009-12-16 Thread kachin Agarwal
Hi,
 After a lot of investigation, I have found the reason for my low auth-rate.
The auth-rate I am getting now is 3/sec, so approx. 330 ms per authentication.

this is a radiusd -X :

eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] (other): before/accept initialization 
[peap] TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 005f], ClientHello  
[peap] TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap] TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 0278], Certificate  
[peap] TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange  
[peap] TLS_accept: SSLv3 write key exchange A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap] TLS_accept: SSLv3 write server done A 
[peap] TLS_accept: SSLv3 flush data 
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled


But in this 300 millisec, 200 ms is taken up by the above SSL operation. Why
does this take more time? How can I reduce this time consumed by SSL?

Thanks & Regards,
Kachin




Re: Help on debugging Freeradius

2009-12-16 Thread Dinh Pham Cong
Hi,

I can view the thread information of the radiusd process by attaching gdb to
its process ID as follows

gdb -q - 19201

After that

(gdb) bt
#0  0x0037ed8cc4c2 in select () from /lib64/libc.so.6
#1  0x2aefb56dd817 in fr_event_loop (el=0x72848a0) at event.c:378
#2  0x0041a877 in main (argc=, argv=0x3ec) at
radiusd.c:398

Does it have any implication on Radius crashes that happened before?

Regards,

Dinh


On Wed, Dec 16, 2009 at 4:13 PM, Dinh Pham Cong  wrote:

> Hi all,
>
> My Freeradiusd 2.1.7 crashed a lot of times today so I decided to run
> radiusd in gdb
>
> /etc/init.d/radiusd stop
> # gdb /usr/local/sbin/radiusd
> GNU gdb Fedora (6.8-27.el5)
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <
> http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-redhat-linux-gnu"...
> (gdb) set logging file gdb-radiusd.log
> (gdb) set logging on
> Copying output to gdb-radiusd.log.
> (gdb) run
> Starting program: /usr/local/sbin/radiusd
> [Thread debugging using libthread_db enabled]
> [New Thread 0x2b34e4b7fe10 (LWP 27411)]
> [New Thread 0x41c8b940 (LWP 27414)]
> [Thread 0x41c8b940 (LWP 27414) exited]
> Detaching after fork from child process 27416.
>
> Program exited normally.
> (gdb)
> (gdb)
> (gdb)
> (gdb) info threads
> No registers.
> (gdb) thread apply all bt full
> No registers.
> (gdb) info threads
> No registers.
> (gdb) bt
> No stack.
>
> I already re-compiled FreeRadius with -enable-developer and set
> allows_core_dump = yes in the configuration file. But I don't know why I can
> not get the back trace when the segmentation fault happens
>
> Dec 16 13:10:01 MobileTV-6 kernel: radiusd[1639]: segfault at
> 00c8 rip 003daee5306b rsp 2aabfeef5180 error 4
> Dec 16 15:14:06 MobileTV-6 kernel: radiusd[5486]: segfault at
> 00c8 rip 003daee5306b rsp 2aab4b7d6180 error 4
> Dec 16 15:14:06 MobileTV-6 kernel: radiusd[11466]: segfault at
> 00c8 rip 003daee5306b rsp 2aaf2c785180 error 4
> Dec 16 15:27:16 MobileTV-6 kernel: radiusd[16567]: segfault at
> 0098 rip 003daee530f1 rsp 2aacc4820180 error 4
> Dec 16 15:27:16 MobileTV-6 kernel: radiusd[24913]: segfault at
> 00c8 rip 003daee5306b rsp 2aae33d64180 error 4
> Dec 16 15:31:42 MobileTV-6 kernel: radiusd[26558]: segfault at
> 0002 rip 003daee51b35 rsp 2aab453bb150 error 6
> Dec 16 15:31:42 MobileTV-6 kernel: radiusd[27347]: segfault at
> 0002 rip 003daee51b35 rsp 2aad3da66150 error 6
> Dec 16 15:31:42 MobileTV-6 kernel: radiusd[27322]: segfault at
> 0002 rip 003daee51b35 rsp 2aad2e04d150 error 6
> Dec 16 15:31:42 MobileTV-6 kernel: radiusd[26487]: segfault at
> 0002 rip 003daee51b35 rsp 2aab18d74150 error 6
> Dec 16 15:32:21 MobileTV-6 kernel: radiusd[30883]: segfault at
> 0002 rip 003daee51b35 rsp 2aabc3896150 error 6
> Dec 16 15:32:21 MobileTV-6 kernel: radiusd[31407]: segfault at
> 0002 rip 003daee51b35 rsp 2aad1742f150 error 6
> Dec 16 15:32:21 MobileTV-6 kernel: radiusd[31156]: segfault at
> 0002 rip 003daee51b35 rsp 2aac6e3a7150 error 6
> Dec 16 15:32:21 MobileTV-6 kernel: radiusd[31460]: segfault at
> 0002 rip 003daee51b35 rsp 2aad38665150 error 6
> Dec 16 15:35:53 MobileTV-6 kernel: radiusd[32595]: segfault at
> 00c8 rip 003daee5306b rsp 2aab7740b180 error 4
> Dec 16 15:43:55 MobileTV-6 kernel: radiusd[4822]: segfault at
> 00c8 rip 003daee5306b rsp 2aac53f7c780 error 4
> Dec 16 15:44:07 MobileTV-6 kernel: radiusd[14485]: segfault at
> 00c8 rip 003daee5306b rsp 2aaecf241180 error 4
> Dec 16 15:44:20 MobileTV-6 kernel: radiusd[15346]: segfault at
> 00c8 rip 003daee5306b rsp 2aab2ff99180 error 4
> Dec 16 15:44:33 MobileTV-6 kernel: radiusd[18676]: segfault at
> 00c8 rip 003daee5306b rsp 2aae233e5180 error 4
> Dec 16 15:57:44 MobileTV-6 kernel: radiusd[27191]: segfault at
> 00c8 rip 003daee5306b rsp 2aae381a2180 error 4
> Dec 16 15:57:56 MobileTV-6 kernel: radiusd[31469]: segfault at
> 00c8 rip 003daee5306b rsp 2aaacbef9180 error 4
>
>
> uname -a
> Linux MobileTV-6 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64
> x86_64 x86_64 GNU/Linux
>
> free -m
>  total   used   free sharedbuffers cached
> Mem: 16044   4825  11219  0158   3332
> -/+ buffers/cache:   1334  14710
> Swap: 2047  0   2047
>
> ulimit -a
> core file size  (blocks, -c) 0
> data seg size   (kbytes, -d) unlimited
> scheduling pr

Help on debugging Freeradius

2009-12-16 Thread Dinh Pham Cong
Hi all,

My Freeradiusd 2.1.7 crashed a lot of times today so I decided to run
radiusd in gdb

/etc/init.d/radiusd stop
# gdb /usr/local/sbin/radiusd
GNU gdb Fedora (6.8-27.el5)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
(gdb) set logging file gdb-radiusd.log
(gdb) set logging on
Copying output to gdb-radiusd.log.
(gdb) run
Starting program: /usr/local/sbin/radiusd
[Thread debugging using libthread_db enabled]
[New Thread 0x2b34e4b7fe10 (LWP 27411)]
[New Thread 0x41c8b940 (LWP 27414)]
[Thread 0x41c8b940 (LWP 27414) exited]
Detaching after fork from child process 27416.

Program exited normally.
(gdb)
(gdb)
(gdb)
(gdb) info threads
No registers.
(gdb) thread apply all bt full
No registers.
(gdb) info threads
No registers.
(gdb) bt
No stack.

I already re-compiled FreeRadius with -enable-developer and set
allows_core_dump = yes in the configuration file. But I don't know why I can
not get the back trace when the segmentation fault happens

Dec 16 13:10:01 MobileTV-6 kernel: radiusd[1639]: segfault at
00c8 rip 003daee5306b rsp 2aabfeef5180 error 4
Dec 16 15:14:06 MobileTV-6 kernel: radiusd[5486]: segfault at
00c8 rip 003daee5306b rsp 2aab4b7d6180 error 4
Dec 16 15:14:06 MobileTV-6 kernel: radiusd[11466]: segfault at
00c8 rip 003daee5306b rsp 2aaf2c785180 error 4
Dec 16 15:27:16 MobileTV-6 kernel: radiusd[16567]: segfault at
0098 rip 003daee530f1 rsp 2aacc4820180 error 4
Dec 16 15:27:16 MobileTV-6 kernel: radiusd[24913]: segfault at
00c8 rip 003daee5306b rsp 2aae33d64180 error 4
Dec 16 15:31:42 MobileTV-6 kernel: radiusd[26558]: segfault at
0002 rip 003daee51b35 rsp 2aab453bb150 error 6
Dec 16 15:31:42 MobileTV-6 kernel: radiusd[27347]: segfault at
0002 rip 003daee51b35 rsp 2aad3da66150 error 6
Dec 16 15:31:42 MobileTV-6 kernel: radiusd[27322]: segfault at
0002 rip 003daee51b35 rsp 2aad2e04d150 error 6
Dec 16 15:31:42 MobileTV-6 kernel: radiusd[26487]: segfault at
0002 rip 003daee51b35 rsp 2aab18d74150 error 6
Dec 16 15:32:21 MobileTV-6 kernel: radiusd[30883]: segfault at
0002 rip 003daee51b35 rsp 2aabc3896150 error 6
Dec 16 15:32:21 MobileTV-6 kernel: radiusd[31407]: segfault at
0002 rip 003daee51b35 rsp 2aad1742f150 error 6
Dec 16 15:32:21 MobileTV-6 kernel: radiusd[31156]: segfault at
0002 rip 003daee51b35 rsp 2aac6e3a7150 error 6
Dec 16 15:32:21 MobileTV-6 kernel: radiusd[31460]: segfault at
0002 rip 003daee51b35 rsp 2aad38665150 error 6
Dec 16 15:35:53 MobileTV-6 kernel: radiusd[32595]: segfault at
00c8 rip 003daee5306b rsp 2aab7740b180 error 4
Dec 16 15:43:55 MobileTV-6 kernel: radiusd[4822]: segfault at
00c8 rip 003daee5306b rsp 2aac53f7c780 error 4
Dec 16 15:44:07 MobileTV-6 kernel: radiusd[14485]: segfault at
00c8 rip 003daee5306b rsp 2aaecf241180 error 4
Dec 16 15:44:20 MobileTV-6 kernel: radiusd[15346]: segfault at
00c8 rip 003daee5306b rsp 2aab2ff99180 error 4
Dec 16 15:44:33 MobileTV-6 kernel: radiusd[18676]: segfault at
00c8 rip 003daee5306b rsp 2aae233e5180 error 4
Dec 16 15:57:44 MobileTV-6 kernel: radiusd[27191]: segfault at
00c8 rip 003daee5306b rsp 2aae381a2180 error 4
Dec 16 15:57:56 MobileTV-6 kernel: radiusd[31469]: segfault at
00c8 rip 003daee5306b rsp 2aaacbef9180 error 4


uname -a
Linux MobileTV-6 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64
x86_64 x86_64 GNU/Linux

free -m
             total       used       free     shared    buffers     cached
Mem:         16044       4825      11219          0        158       3332
-/+ buffers/cache:       1334      14710
Swap:         2047          0       2047

ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 137216
max locked memory       (kbytes, -l) 32
max memory size         (kbytes, -m) unlimited
open files                      (-n) 10
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 137216
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

Could you kindly point me in the right direction?

Thanks,

Dinh
-
List in
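
A triage helper for kernel segfault lines like the ones quoted in the post above, added here as an example (it is not part of the original thread or of FreeRADIUS). It groups crashes by faulting instruction pointer and decodes the x86 page-fault error code; the 4 KiB page size and the "near NULL" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpt of the kernel lines quoted in the post. The archive wrapped each
# record onto two lines, so the pattern allows a newline after "segfault at".
SAMPLE = """\
Dec 16 13:10:01 MobileTV-6 kernel: radiusd[1639]: segfault at
00c8 rip 003daee5306b rsp 2aabfeef5180 error 4
Dec 16 15:14:06 MobileTV-6 kernel: radiusd[5486]: segfault at
00c8 rip 003daee5306b rsp 2aab4b7d6180 error 4
Dec 16 15:27:16 MobileTV-6 kernel: radiusd[16567]: segfault at
0098 rip 003daee530f1 rsp 2aacc4820180 error 4
Dec 16 15:31:42 MobileTV-6 kernel: radiusd[26558]: segfault at
0002 rip 003daee51b35 rsp 2aab453bb150 error 6
Dec 16 15:31:42 MobileTV-6 kernel: radiusd[27347]: segfault at
0002 rip 003daee51b35 rsp 2aad3da66150 error 6
"""

SEGV = re.compile(
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at\s+(?P<addr>[0-9a-f]+)"
    r"\s+r?ip\s+(?P<ip>[0-9a-f]+)\s+r?sp\s+(?P<sp>[0-9a-f]+)"
    r"\s+error\s+(?P<err>[0-9a-f]+)")

PAGE_SIZE = 4096  # assumption: 4 KiB pages, the x86_64 default


def decode_error(code):
    """Decode the x86 page-fault error code bits that the kernel prints."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
        "instruction_fetch": bool(code & 16),
    }


def parse_segfaults(text):
    """Return one record per segfault line; all numeric fields are hex."""
    return [{
        "proc": m["proc"], "pid": int(m["pid"]),
        "addr": int(m["addr"], 16), "ip": int(m["ip"], 16),
        "err": int(m["err"], 16),
    } for m in SEGV.finditer(text)]


def triage(text):
    """Group crashes by (faulting instruction, error code), most frequent first."""
    groups = defaultdict(list)
    for rec in parse_segfaults(text):
        groups[(rec["ip"], rec["err"])].append(rec)
    report = []
    for (ip, err), recs in groups.items():
        addrs = sorted({r["addr"] for r in recs})
        report.append({
            "ip": ip, "count": len(recs), "fault_addrs": addrs,
            # Heuristic: a fault inside the first page is typically a NULL
            # pointer plus a small structure-field offset.
            "near_null": all(a < PAGE_SIZE for a in addrs),
            **decode_error(err),
        })
    return sorted(report, key=lambda g: -g["count"])


if __name__ == "__main__":
    for g in triage(SAMPLE):
        print(f"ip={g['ip']:#x} x{g['count']} {g['mode']}-mode {g['access']} "
              f"of {[hex(a) for a in g['fault_addrs']]} "
              f"({g['cause']}, near NULL: {g['near_null']})")
```

On the excerpt, every group is a user-mode access to a not-present page in the first 4 KiB, split between reads at 0xc8/0x98 and writes at 0x2.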

Re: FreeRadius 2.7 virtual memory

2009-12-16 Thread Dinh Pham Cong
Hi Alan

The version I am using is 2.1.7

Regards,

Dinh

On Wed, Dec 16, 2009 at 3:24 PM, Alan DeKok wrote:

> Dinh Pham Cong wrote:
> > Hi all,
> >
> > My Radiusd seems to take a lot of virtual memory. Here is what shows up
> > in "top" command
> >
> >  4799 mysql 15   0 2606m 697m 3616 S 50.6  4.3  31:46.85 mysqld
> > 14959 root  15   0 10.1g  46m 1456 S 11.1  0.3   1:24.67 radiusd
> >
> > Do you think that I have kind of abnormal operations here?
>
>   Yes.  Could you say which version of the server you're running?
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: Accounting question

2009-12-16 Thread Alan DeKok
David Peterson wrote:
> What I am not understanding at this point is how the authentication works 
> with the username "hashed" or using "hex stuff" but the accounting doesn't.  
> You can see on this debug that the username looks the same when its 
> authenticated as it does when it's used for accounting yet the username in 
> the database is clear text.

  Because it's using TTLS, and there is *another* name inside of the TLS
tunnel.

  This *should* be clear from the debug output.  Read it.  *All*.

  Once you have the inner User-Name, you can write both it, and the
outer "hex" stuff to a table for later correlation.  You were told this.

  Now stop trying to understand the problem.  Find the "good" User-Name,
and then write it and the "hex" version to an SQL table.  Use that table
to "fix" the accounting records.

  *Nothing* else will solve the problem.

  You're stuck on "oh my god, the user name is hex".  Get over it.
Ignore the hex nonsense, and go fix the problem.

  Alan DeKok.


Re: Managing the RADIUS database

2009-12-16 Thread Alan DeKok
Steve Bertrand wrote:
> I'm curious to know what you use to manage your RADIUS database,
> particularly the accounting tables.

  "cron", and custom Perl scripts.

> Since then, I've written (ie. been writing) an ISP mgmt/accounting
> system that relies very heavily on the RADIUS accounting information for
> billing and statistics, but only after the data has been aggregated.

  That would make about 4 admin systems, I think.  It would be good to
consolidate them.  We could then replace the un-maintained
"dialup-admin" with a newer, and maintained version.

> Because I need to make some functional changes to it, I thought I'd ask
> here if others would be interested in such a Perl module (and its
> scripts), and if so, I'll extend it with further functionality after
> updating the code with the stuff I just didn't know then  ;)

  Yes.  If it's useful, we'll add it to the main FreeRADIUS repository.

> Currently, it uses plain DBI and only supports MySQL, but I'm going to
> incorporate much from my other work whereby DBIx::Class is used (to more
> easily support multiple dbs), expand on the config file, the installer
> and the documentation.
> 
> Is using RADIUS accounting stats for billing/logging even done anymore?

  Many, many, people use it.  But a lot of people have "historical"
solutions that they are used to, so they don't develop newer solutions.

  Alan DeKok.


Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-16 Thread Alan DeKok
Alex M wrote:
> Well I guess I'm back to my problem :(
> I tried the group thing and I'm getting some strange inconsistent results :(
>
> Can some one tell me how the logic works for groupcheck?

  Why?  You were given a simple solution.  I suggest trying that.
Trying to figure out how to get groups to do what you want is a waste of
time when you *already* have a solution.

  Alan DeKok.


RE: accounting

2009-12-16 Thread Santiago Balaguer García

1. Can freeradius log accounting info in a local file, meaning not to use a sql 
database? If yes, how to enable that and where the log files will be 
(configurable?)

  You needn't use a database if you do not want to. Depending on the level of
detail you want, there is the var/log/freeradius directory where you can find
log files. You can find the exact directory in radiusd.conf.

2. I loaded freeradius 2.13.fc9.i386. "rpm -qa" shows that
freeradius-mysql-2.1.3-1.fc9.i386 is installed. However, "which mysql" shows
this command is not available. Do I need to download mysql and install it or
does this version of freeradius install mysql automatically?


You needn't. 

In the file radiusd.conf you can see the file you need.
  

Re: FreeRadius 2.7 virtual memory

2009-12-16 Thread Alan DeKok
Dinh Pham Cong wrote:
> Hi all,
> 
> My Radiusd seems to take a lot of virtual memory. Here is what shows up
> in "top" command
> 
>  4799 mysql 15   0 2606m 697m 3616 S 50.6  4.3  31:46.85 mysqld
> 14959 root  15   0 10.1g  46m 1456 S 11.1  0.3   1:24.67 radiusd
> 
> Do you think that I have kind of abnormal operations here?

  Yes.  Could you say which version of the server you're running?

  Alan DeKok.