RE: version error rlm_exec module

2011-04-01 Thread Raheel Itrat


Hi,

Well there are hundreds of files with 1.1.7, especially in /usr/local/lib, I
tried to use something like rm *1.1.7.*
and there are things like radtest depending on the previous version files
which are no more there since I removed them :S

> Date: Fri, 1 Apr 2011 07:30:07 +0200
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: version error rlm_exec module
>
> Raheel Itrat wrote:
> > I am getting this error while I installed a 2.1.0 version. How do I
> > delete the older version of freeradius? Kindly let me know the exact
> > command to remove all files of older version.
>
> rm
>
> Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: access challenge on empty password

2011-04-01 Thread izotov
I did not configure so (it must be a default). Where is that configuration
entry?

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/access-challenge-on-empty-password-tp4273381p4274862.html


Re: access challenge on empty password

2011-04-01 Thread Alan DeKok
izotov wrote:
> I did not configure so (it must be a default). Where is that configuration
> entry?

  Have you tried running the server in debugging mode as suggested in
the FAQ, README, INSTALL, man page, and daily on this list?

  Alan DeKok.


Re: Freeradius mysql acct copy

2011-04-01 Thread Alexander Kosykh
Is it right that my freeradius goes down after home server was down?

Regards,
Alexander.

2011/3/31 Fajar A. Nugraha l...@fajar.net

> On Thu, Mar 31, 2011 at 2:45 PM, Alexander Kosykh avkos...@gmail.com
> wrote:
>
> > Hi.
> >
> > I need to copy acct packets to my billing server and save acct in
> > standard freeradius radacct table in mysql. I'm saving acct in radacct table
> > now, but can't duplicate them to other (billing) radius server. I've tried
> > to use copy-acct-to-home-server but no success. As I understand, virtual
> > server from copy-acct-to-home-server use a detail files to read acct
> > information from default server. Is there a way to not use detail file and use
> > mysql?
>
> See
> http://freeradius.1045715.n5.nabble.com/Sending-accounting-packets-to-more-than-one-server-td3408816.html
>
> --
> Fajar

Re: sqlcounter returning Gigawords?

2011-04-01 Thread Alan DeKok
YvesDM wrote:
> We're about to upgrade our radius which is still running 1.1.7
> We use monthly datalimits so we patched the sqlcounter in order to
> make it reply max 4GB of left quota (to avoid wrapping), even if the
> user still has 10GB quota left.
> Of course this results in a logged out user when he reaches a session of 4GB.
>
> As general datatraffic increases we would like to avoid this in our
> new radius setup.
> In the newest version, is there a way to reply gigawords from sqlcounter?
> If not, is there another solution to this?

  The latest version has rlm_expr, which is 64-bit clean.  You can use
it to split the counters into 32-bit pieces.

  Alan DeKok.


Re: access challenge on empty password

2011-04-01 Thread izotov

Alan DeKok-2 wrote:
>
>   Have you tried running the server in debugging mode as suggested in
> the FAQ, README, INSTALL, man page, and daily on this list?
>

Yes, I always do so. But this time it did not help me to find the answer.


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/access-challenge-on-empty-password-tp4273381p4274962.html


Re: access challenge on empty password

2011-04-01 Thread Fajar A. Nugraha
On Fri, Apr 1, 2011 at 3:43 PM, izotov karoly.arnhof...@gmail.com wrote:
>
> Alan DeKok-2 wrote:
> >
> >   Have you tried running the server in debugging mode as suggested in
> > the FAQ, README, INSTALL, man page, and daily on this list?
>
> Yes, I always do so. But this time it did not help me to find the answer.

I think what Alan means is, if you have a problem, post the output of
debug mode (radiusd -X) so others can help you troubleshoot the issue
by reading and interpreting what's in the output.

Simply saying "I always do so" but not providing the log is like
saying "I have a problem, I don't know how to solve it, and I don't
want to give any details about it either. Can you help me?"

-- 
Fajar



Re: freeradius 2.1.10 WARNING: Internal sanity check failed

2011-04-01 Thread joanroldan
Hi,

I have followed your advice and I went back to the default config. I have
read the:

http://deployingradius.com/documents/configuration/certificates.html

And I have followed it step by step. Testing first the PAP auth with an
entry in users.conf and it worked fine. Next I add the Wireless LAN
Controller in clients.conf and change the default eap_type with peap.

I get the next warning:

Debug: WARNING:
!!
Debug: WARNING: !! EAP session for state 0xc729a88ac72ab1dd did not finish!
Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Debug: WARNING:
!!

Testing with a WinXP and Win7 client, so I do not think it's a Supplicant
issue.

The supplicant config is PEAP with MSCHAPv2, and no certificate validation.

I have had a look at the certs/README file, and I have studied the ./bootstrap
script. I make sure xpextensions are applied. I also launch

rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

Before modifying the server.cnf and ca.cnf and launch bootstrap script
again.

I always get the same warning, I do not understand why. On
http://deployingradius.com it says it just worked, but not in my environment.

I attach the output:

Thu Mar 31 13:14:25 2011 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.118.249.20 port 32768, id=51,
length=173
User-Name = bob
Calling-Station-Id = 00-1B-77-8E-1E-A4
Called-Station-Id = 00-1E-4A-90-5F-30:eduroam
NAS-Port = 29
NAS-IP-Address = 10.118.249.20
NAS-Identifier = WLC_2_SCC_LAB
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 911
EAP-Message = 0x0202000801626f62
Message-Authenticator = 0xfabf4ce8269ee315494653e616f244ce
Thu Mar 31 13:14:26 2011 : Info: # Executing section authorize from file
/etc/raddb/sites-enabled/default
Thu Mar 31 13:14:26 2011 : Info: +- entering group authorize {...}
Thu Mar 31 13:14:26 2011 : Info: ++[preprocess] returns ok
Thu Mar 31 13:14:26 2011 : Info: ++[chap] returns noop
Thu Mar 31 13:14:26 2011 : Info: ++[mschap] returns noop
Thu Mar 31 13:14:26 2011 : Info: ++[digest] returns noop
Thu Mar 31 13:14:26 2011 : Info: [suffix] No '@' in User-Name = bob,
looking up realm NULL
Thu Mar 31 13:14:26 2011 : Info: [suffix] No such realm NULL
Thu Mar 31 13:14:26 2011 : Info: ++[suffix] returns noop
Thu Mar 31 13:14:26 2011 : Info: [eap] EAP packet type response id 2 length
8
Thu Mar 31 13:14:26 2011 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Thu Mar 31 13:14:26 2011 : Info: ++[eap] returns updated
Thu Mar 31 13:14:26 2011 : Info: [files] users: Matched entry bob at line 1
Thu Mar 31 13:14:26 2011 : Info: ++[files] returns ok
Thu Mar 31 13:14:26 2011 : Info: ++[expiration] returns noop
Thu Mar 31 13:14:26 2011 : Info: ++[logintime] returns noop
Thu Mar 31 13:14:26 2011 : Info: [pap] WARNING: Auth-Type already set.  Not
setting to PAP
Thu Mar 31 13:14:26 2011 : Info: ++[pap] returns noop
Thu Mar 31 13:14:26 2011 : Info: Found Auth-Type = EAP
Thu Mar 31 13:14:26 2011 : Info: # Executing group from file
/etc/raddb/sites-enabled/default
Thu Mar 31 13:14:26 2011 : Info: +- entering group authenticate {...}
Thu Mar 31 13:14:26 2011 : Info: [eap] EAP Identity
Thu Mar 31 13:14:26 2011 : Info: [eap] processing type tls
Thu Mar 31 13:14:26 2011 : Info: [tls] Initiate
Thu Mar 31 13:14:26 2011 : Info: [tls] Start returned 1
Thu Mar 31 13:14:26 2011 : Info: ++[eap] returns handled
Sending Access-Challenge of id 51 to 10.118.249.20 port 32768
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0xc729a88ac72ab1dd3e4f8d4fc2851f1c
Thu Mar 31 13:14:26 2011 : Info: Finished request 9.
Thu Mar 31 13:14:26 2011 : Debug: Going to the next request
Thu Mar 31 13:14:26 2011 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.118.249.20 port 32768, id=51,
length=173
Thu Mar 31 13:14:28 2011 : Info: Sending duplicate reply to client WiSM port
32768 - ID: 51
Sending Access-Challenge of id 51 to 10.118.249.20 port 32768
Thu Mar 31 13:14:28 2011 : Debug: Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 10.118.249.20 port 32768, id=51,
length=173
Thu Mar 31 13:14:30 2011 : Info: Sending duplicate reply to client WiSM port
32768 - ID: 51
Sending Access-Challenge of id 51 to 10.118.249.20 port 32768
Thu Mar 31 13:14:30 2011 : Debug: Waking up in 0.9 seconds.
Thu Mar 31 13:14:31 2011 : Info: Cleaning up request 9 ID 51 with timestamp
+60
Thu Mar 31 13:14:31 2011 : Debug: WARNING:
!!
Thu Mar 31 13:14:31 2011 : Debug: WARNING: !! EAP 

Re: version error rlm_exec module

2011-04-01 Thread Marinko Tarlac

I didn't have any problems with those files...

If you installed FR from distro repo try to remove it with yum, apt-get,

For ./configure, make, make install you can simply remove raddb dir...
This works for me because I tried every combination for upgrade and downgrade

On 4/1/2011 8:22 AM, Raheel Itrat wrote:
> Hi,
>
> Well there are hundreds of files with 1.1.7, especially in
> /usr/local/lib, I tried to use something like rm *1.1.7.*
> and there are things like radtest depending on the previous version
> files which are no more there since I removed them :S
>
> > Date: Fri, 1 Apr 2011 07:30:07 +0200
> > From: al...@deployingradius.com
> > To: freeradius-users@lists.freeradius.org
> > Subject: Re: version error rlm_exec module
> >
> > Raheel Itrat wrote:
> > > I am getting this error while I installed a 2.1.0 version. How do I
> > > delete the older version of freeradius? Kindly let me know the exact
> > > command to remove all files of older version.
> >
> > rm
> >
> > Alan DeKok.


Question about authentication

2011-04-01 Thread matteo

Hello list,
suppose I want to authenticate a device capable of using PEAP with 
EAP-MS-CHAP v2 or EAP-GTC and TTLS with EAP-MS-CHAP v2 or MS-CHAPv2 and 
I have user password stored in LDAP (linux) with the crypt scheme and 
freeradius server 2.1.9.
Is there any mechanism to successfully authenticate the client? For
example getting user password from ldap, and comparing with the one in
the request packet (previously encrypted)?

Thanks in advance.
Matteo


Re: Strip off the domain part from the User-Name

2011-04-01 Thread Thomas Wunder
On Wednesday 30 March 2011 15:52:31 Phil Mayers wrote:
> First, there's no need to email me directly; I read the list.
I totally agree with you I just missed to exchange the recipient address (and
after noticing that I also sent it to the list)... sorry!
> You *only* set:
>   with_ntdomain_hack = yes
> ...in modules/mschap.
> DO NOT set it anywhere else - this basically does exactly the same thing
> you were doing earlier (rewriting the *real* username) and causes EAP to
> break.
Sorry but that didn't help either.  I did -- like you suggested -- set
'with_ntdomain_hack' back to 'no' everywhere except for modules/mschap but I
still get that '[...] not the same as [...]' error message.

[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] ERROR: User-Name (winmac\tom1) is not the same as MS-CHAP Name (tom1) from EAP-MSCHAPv2
++[mschap] returns reject

Again a full log is appended. My modules/mschap currently looks like this (I
suppose that the above problems might arise from it):
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
}

Regards
 Tom


Re: access challenge on empty password

2011-04-01 Thread izotov
http://freeradius.1045715.n5.nabble.com/file/n4275090/radius.log radius.log 
Fajar A. Nugraha-2 wrote:
>
> if you have a problem, post the output of
> debug mode (radiusd -X)
>

I am sorry. I try to get the rhythm. Log is attached.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/access-challenge-on-empty-password-tp4273381p4275090.html


Re: Question about authentication

2011-04-01 Thread Alan DeKok
matteo wrote:
> Hello list,
> suppose I want to authenticate a device capable of using PEAP with
> EAP-MS-CHAP v2 or EAP-GTC and TTLS with EAP-MS-CHAP v2 or MS-CHAPv2 and
> I have user password stored in LDAP (linux) with the crypt scheme and
> freeradius server 2.1.9.
> Is there any mechanism to successfully authenticate the client?

  No.  It's impossible.

http://deployingradius.com/documents/protocols/compatibility.html

  Alan DeKok.


Re: Installing to pfsense

2011-04-01 Thread Brian Candler
On Wed, Mar 30, 2011 at 06:37:59PM -0400, Franz wrote:
> /usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module
> sql
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[131]: Failed to load
> module sql.
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[47]: Errors parsing
> authorize section.
> and when I check all files are in here:
> /usr/local/lib/freeradius-2.1.10
>  rlm_sql_mysql-2.1.10.la
>  rlm_sql_mysql.so
>  rlm_sql_mysql.la
>  rlm_sql_mysql.a
>  rlm_sql_mysql-2.1.10.so
> under radiusd.conf the shared lib points to:
> libdir = /usr/local/lib/freeradius-2.1.10
> Any clue as to why it does not see the files?

I note that the error above is for failing to load sql (i.e. rlm_sql), but
your listing above shows only rlm_sql_mysql. You need both.

Anyway, what do these commands show?
  ldd /usr/local/lib/rlm_sql.so
  ldd /usr/local/lib/rlm_sql_mysql.so

Possibly you are missing some library which rlm_sql_mysql in turn depends on
(such as the correct version of libmysqlclient)

Regards,

Brian.


Re: same username different password on different NAS

2011-04-01 Thread Brian Candler
On Wed, Mar 16, 2011 at 01:16:22PM -0700, Richard Thornton wrote:
> Without using virtual servers, is there a way to link the username
> manager to the NAS name or IP of the location?

Yep. I suggest you first map the NAS-IP-Address to a Huntgroup-Name (see the
'preprocess' module and 'huntgroups' file for one way of doing this). This
allows you to control the NAS-IP-Address mappings separately.

Then use a combination of (Huntgroup-Name, User-Name) when looking up the
user in whatever database you're using. For example, if it's SQL you can use
a query like:

authorize_check_query = SELECT id, username, attribute, value, op \
  FROM ${authcheck_table} \
  WHERE username = '%{SQL-User-Name}' \
  AND huntgroup = '%{Huntgroup-Name}' \
  ORDER BY id

HTH,

Brian.
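
A small model of the lookup described in the message above, added here as an example (it is not Brian's or FreeRADIUS's code): a dictionary stands in for the huntgroups file, an in-memory SQLite table stands in for ${authcheck_table} with an added huntgroup column, and all addresses, group names and passwords are constructed.

```python
import hmac
import sqlite3

# Stand-in for raddb/huntgroups, whose entries look like:
#   site-a    NAS-IP-Address == 10.0.1.1
# Addresses and group names are constructed for this example.
HUNTGROUPS = {"10.0.1.1": "site-a", "10.0.2.1": "site-b"}

SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY,
    huntgroup TEXT NOT NULL,   -- extra column the modified query relies on
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
);
CREATE INDEX radcheck_hg_user ON radcheck (huntgroup, username);
"""

# Constructed rows: the same username carries a different password per huntgroup.
ROWS = [
    ("site-a", "manager", "Cleartext-Password", ":=", "alpha-secret"),
    ("site-b", "manager", "Cleartext-Password", ":=", "bravo-secret"),
]


def open_db():
    """Build the in-memory table that models the check-item table."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO radcheck (huntgroup, username, attribute, op, value) "
        "VALUES (?, ?, ?, ?, ?)",
        ROWS,
    )
    return db


def authorize_check(db, nas_ip, username):
    """Same shape as the authorize_check_query in the post, with bound parameters.

    Returns rows of (id, username, attribute, value, op). A NAS with no
    huntgroup mapping yields no rows, so the lookup fails closed.
    """
    huntgroup = HUNTGROUPS.get(nas_ip)
    if huntgroup is None:
        return []
    cur = db.execute(
        "SELECT id, username, attribute, value, op FROM radcheck "
        "WHERE username = ? AND huntgroup = ? ORDER BY id",
        (username, huntgroup),
    )
    return cur.fetchall()


def pap_accept(db, nas_ip, username, password):
    """Model of a PAP check against the per-huntgroup Cleartext-Password."""
    for _id, _user, attribute, value, _op in authorize_check(db, nas_ip, username):
        if attribute == "Cleartext-Password":
            return hmac.compare_digest(value.encode(), password.encode())
    return False


if __name__ == "__main__":
    db = open_db()
    for nas, pw in [("10.0.1.1", "alpha-secret"), ("10.0.1.1", "bravo-secret"),
                    ("10.0.2.1", "bravo-secret"), ("192.0.2.9", "alpha-secret")]:
        print(nas, pw, pap_accept(db, nas, "manager", pw))
```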


Re: sqlcounter returning Gigawords?

2011-04-01 Thread YvesDM
On Fri, Apr 1, 2011 at 10:40 AM, Alan DeKok al...@deployingradius.com wrote:
>
>   The latest version has rlm_expr, which is 64-bit clean.  You can use
> it to split the counters into 32-bit pieces.
>
>   Alan DeKok.

Tnx Alan, will check it out.



Re: Strip off the domain part from the User-Name

2011-04-01 Thread Phil Mayers

On 01/04/11 11:08, Thomas Wunder wrote:
> On Wednesday 30 March 2011 15:52:31 Phil Mayers wrote:
> > First, there's no need to email me directly; I read the list.
>
> I totally agree with you I just missed to exchange the recipient address (and
> after noticing that I also sent it to the list)... sorry!
>
> > You *only* set:
> >    with_ntdomain_hack = yes
> > ...in modules/mschap.
> > DO NOT set it anywhere else - this basically does exactly the same thing
> > you were doing earlier (rewriting the *real* username) and causes EAP to
> > break.
>
> Sorry but that didn't help either.  I did -- like you suggested -- set
> 'with_ntdomain_hack' back to 'no' everywhere except for modules/mschap but I
> still get that '[...] not the same as [...]' error message.
>
> [mschapv2] # Executing group from file
> /etc/freeradius/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] Found NT-Password
> [mschap] ERROR: User-Name (winmac\tom1) is not the same as MS-CHAP Name (tom1)
> from EAP-MSCHAPv2

Eh? I've never seen that before.

> ++[mschap] returns reject
>
> Again a full log is appended. My modules/mschap currently looks like this (I
> suppose that the above problems might arise from it):

Don't see the logfile...


Re: multiple authentication methods

2011-04-01 Thread Alan DeKok
Nick Kalen wrote:
> looking at the docs, it looks like it's not possible to try to
> authenticate against a local LDAP server and in case it fails send it
> to another radius server?

  That won't work.

  Maybe in 3.0.

  Alan DeKok.


Dial up error and freeraius is down

2011-04-01 Thread Robin
Hi Friends,

I met a problem with FreeRADIUS2.1.9 (Mysql+centos, about 500 pppoe users) as
below:

In general, I found some users couldn't dial to radius and log information
as below

-  Fri Apr  1 19:22:09 2011 : Error: Discarding duplicate request
from client mpth12 port 40039 - ID: 129 due to unfinished request 10524

-  Fri Apr  1 19:22:10 2011 : Error: Discarding conflicting packet
from client mpth12 port 40039 - ID: 129 due to recent request 10524.

I have two guesses:

-  Brand width is insufficient from pppoe server to radius server;

-  Server running radius of capability is insufficient.

Could you help me?

Thank you very much.

Robin



RE: Dial up error and freeraius is down

2011-04-01 Thread Mark Holmes
Hi,

> -  Brand width is insufficient from pppoe server to radius server;
>
> -  Server running radius of capability is insufficient.

You don't say what bandwidth etc you are on or what spec the server is, but
unless it's pretty low end I'd be surprised if that was the issue if you only
have 500 users.

Cheers,

Mark




-----Original Message-----
From: 
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org]
 On Behalf Of Robin
Sent: 01 April 2011 15:52
To: freeradius-users@lists.freeradius.org
Subject: Dial up error and freeraius is down

Hi Friends,



I met a problem with FreeRADIUS2.1.9 (Mysql+centos, about 500 pppoe users)as 
below:



In general, I found some users couldn't dial to radius and log information as 
below

-  Fri Apr  1 19:22:09 2011 : Error: Discarding duplicate request from 
client mpth12 port 40039 - ID: 129 due to unfinished request 10524

-  Fri Apr  1 19:22:10 2011 : Error: Discarding conflicting packet from 
client mpth12 port 40039 - ID: 129 due to recent request 10524.

-

I have two guesses:

-  Brand width is insufficient from pppoe server to radius server;

-  Server running radius of capability is insufficient.



Could you help me?



Thank you very much.



Robin




Nuffield College is a Registered Charity No. 1137506. Registered Office: 
Nuffield College, New Road, Oxford, OX1 1NF



Re: Strip off the domain part from the User-Name

2011-04-01 Thread Thomas Wunder
Hi,
call it crude or whatever you want ;-) but that was my last resort:
After fiddling with the code of rlm_mschap I found that all I need to do is to 
comment out line 1201 of rlm_mschap.c (where it says 'return 
RLM_MODULE_REJECT;')
Maybe it has something to do with the conditions (which look a bit complicated) 
that are checked in the if-statement that surrounds that return clause, maybe 
I've misconfigured something or maybe it's actually a bug... I don't know.

I virtually did every possible combination of 'yes' and 'no' settings for 
'with_ntdomain_hack' in all of the four locations where you can set this option 
and none worked out. I'd really appreciate a non-local solution, i.e. something 
better than my nasty 'comment-out-everything-evil' hack and I would do it if I 
knew a little more about the internals of all that. Hopefully somebody finds 
some time to do it...

Please let me know when there's an official solution.

Thanks anyway!
Regards
 Tom

On Friday 01 April 2011 14:43:40 you wrote:
> On Friday 01 April 2011 14:37:34 Phil Mayers wrote:
> > Don't see the logfile...
> sorry my bad...


RE: MLPPP Acct-Session-Id

2011-04-01 Thread Jay Kuhne (jkuhne)
Forgot to mention, also attempted with Acct-Multi-Session-Id, which was in the 
accounting record but same result.

-----Original Message-----
From: freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org 
[mailto:freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org] On 
Behalf Of Jay Kuhne (jkuhne)
Sent: Thursday, March 31, 2011 5:26 PM
To: FreeRadius users mailing list
Subject: RE: MLPPP Acct-Session-Id

Hi Alan,

Thanks again for your reply, I just wanted to follow-up with you.

On the ASR1K BRAS we see the same Message-Authenticator when performing COA via 
PPP so that is not the issue here

After enabling more debug and performing COA when the multilink bundle is 
established, we get 

Mar 28 14:32:07.078 EST: RADIUS:   4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E  [ No valid Session]
Mar 28 14:32:07.078 EST: RADIUS:  Dynamic-Author-Error[101] 6   Unsupported Service   [405]

So far the bundle appears to be reflected in cli output as having the same type 
of UID, AAA_id and Sesison_Id as a PPP session but obviously that does not 
work.  So we need to work with our Cisco development to understand how to 
identify the bundle.
The qos policies are attached to the bundles and not the underlying PPP 
sessions so we truly need to address the bundle with COA.

Just wanted to let you know where I'm at.

Thanks,
Jay

-----Original Message-----
From: freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org 
[mailto:freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org] On 
Behalf Of Jay Kuhne (jkuhne)
Sent: Tuesday, March 29, 2011 10:56 AM
To: FreeRadius users mailing list
Subject: RE: MLPPP Acct-Session-Id

Okay thanks.  I'll do some investigating and let you know.
It may be a little bit but I will reply with my findings.
Jay

-----Original Message-----
From: freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org
[mailto:freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Tuesday, March 29, 2011 10:20 AM
To: FreeRadius users mailing list
Subject: Re: MLPPP Acct-Session-Id

Jay Kuhne (jkuhne) wrote:
> Do you know of a syntax on Radclient for defining the
> Message-Authenticator attribute?

  It's just like any other attribute...

Message-Authenticator =

> I'll see if I can find it in the accounting record, get it working and
> then follow-up as to why it's not as per RFC.

  The NAS vendors don't bother following (or even reading) the RFCs.

  Alan DeKok.



Re: Strip off the domain part from the User-Name

2011-04-01 Thread Phil Mayers

On 01/04/11 13:43, Thomas Wunder wrote:
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] Found NT-Password
> [mschap] ERROR: User-Name (winmac\tom1) is not the same as MS-CHAP Name (tom1)
> from EAP-MSCHAPv2


What client are you using?

It's sending:

EAP-Identity username=winmac\tom

...then a 2nd packet:

EAP-MSCHAP username=tom


RE: Dial up error and freeraius is down

2011-04-01 Thread Robin
Actually, I think I have enough bandwidth to handle 500 users request.

But I can't understand what reason due to the problem and report these info
in log.

Thanks.

Robin

-----Original Message-----
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org]
On Behalf Of Mark Holmes
Sent: Friday, April 01, 2011 11:23 PM
To: FreeRadius users mailing list
Subject: RE: Dial up error and freeraius is down

Hi,

-  Brand width is insufficient from pppoe server to radius server;
-  Server running radius of capability is insufficient.

You don't say what bandwith etc you are on or what spec the server is, but
unless it's pretty low end I'd be surprised if that was the issue if you
only have 500 users.

Cheers,

Mark




-----Original Message-----
From:
freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac.uk@lists.freerad
ius.org] On Behalf Of Robin
Sent: 01 April 2011 15:52
To: freeradius-users@lists.freeradius.org
Subject: Dial up error and freeraius is down

Hi Friends,



I met a problem with FreeRADIUS2.1.9 (Mysql+centos, about 500 pppoe users)as
below:



In general, I found some users couldn't dial to radius and log information
as below

-  Fri Apr  1 19:22:09 2011 : Error: Discarding duplicate request
from client mpth12 port 40039 - ID: 129 due to unfinished request 10524

-  Fri Apr  1 19:22:10 2011 : Error: Discarding conflicting packet
from client mpth12 port 40039 - ID: 129 due to recent request 10524.

-

I have two guesses:

-  Brand width is insufficient from pppoe server to radius server;

-  Server running radius of capability is insufficient.



Could you help me?



Thank you very much.



Robin






Re: Dial up error and freeraius is down

2011-04-01 Thread Alan Buxey
Hi,

> -  Fri Apr  1 19:22:09 2011 : Error: Discarding duplicate request
> from client mpth12 port 40039 - ID: 129 due to unfinished request 10524
>
> -  Fri Apr  1 19:22:10 2011 : Error: Discarding conflicting packet
> from client mpth12 port 40039 - ID: 129 due to recent request 10524.

almost always because your backend didn't answer in time.

alan


Oracle reconnection for free radius

2011-04-01 Thread Jaikanth Krishnaswamy
Hi,
I have set up free radius freeradius-server-2.1.10 with an oracle back end as
suggested in the documentation.
Is there a setting for Oracle connectivity retries from the free-radius S/W,
i.e.
if Oracle Server is down does freeradius retry connection after a
configurable amount of time? If so which config file is this in?
Please advise.
Thanks
JK

RE: Dial up error and freeraius is down

2011-04-01 Thread Robin
Hi,

If I can understand it, my freeradius for some reason has slowed due to
response behind time?

Thanks.

Robin

-----Original Message-----
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org]
On Behalf Of Alan Buxey
Sent: Saturday, April 02, 2011 1:58 AM
To: FreeRadius users mailing list
Subject: Re: Dial up error and freeraius is down

Hi,

 -  Fri Apr  1 19:22:09 2011 : Error: Discarding duplicate request
 from client mpth12 port 40039 - ID: 129 due to unfinished request 10524
 
 -  Fri Apr  1 19:22:10 2011 : Error: Discarding conflicting packet
 from client mpth12 port 40039 - ID: 129 due to recent request 10524.

almost always because your backend didnt answer in time.

alan


Re: Dial up error and freeraius is down

2011-04-01 Thread Fajar A. Nugraha
On Sat, Apr 2, 2011 at 9:20 AM, Robin freerad...@itpm.net wrote:
> Hi,
>
> If I can understand it, my freeradius for some reason has slowed due to
> response behind time?

I don't understand what you mean by "my freeradius for some reason has
slowed due to response behind time", but like Alan said, the cause of
that log is usually because your backend (mysql?) didn't return a timely
response, which causes the NAS to re-send the request. When FR received
the duplicate request, it discards the request since it detects it's
still processing the old one.

Things you might want to check:
- is there a bottleneck in your MySQL? Sometimes a reporting query
locks the tables so other queries (like select/insert from FR) can't
be processed.
- how big is your radacct table? When unmaintained, it can have
millions of records, and some FR feature (like sqlcounter, or
simultaneous use checking) reads entries in radacct
- how efficient is your sql schema? Having lots of indexes can speed
up certain select queries, but it can kill write
(insert/update/delete) performance.

In other words, get a DBA, check your MySQL setup.

-- 
Fajar
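
The discard messages discussed in this thread can be grouped per client and request number to show which requests the backend left hanging, how many retransmissions each one drew, and when they cluster. The following is an added example (not from any poster or from FreeRADIUS); every sample line except the two quoted from Robin's log is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the two message forms quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Error: "
    r"Discarding (?P<kind>duplicate request|conflicting packet) "
    r"from client (?P<client>\S+) port (?P<port>\d+) - ID: (?P<id>\d+) "
    r"due to (?:unfinished|recent) request (?P<req>\d+)\.?$"
)

# Lines 2 and 3 are from the post; the rest are constructed for the example.
SAMPLE_LOG = """\
Fri Apr  1 19:22:05 2011 : Info: Ready to process requests.
Fri Apr  1 19:22:09 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 129 due to unfinished request 10524
Fri Apr  1 19:22:10 2011 : Error: Discarding conflicting packet from client mpth12 port 40039 - ID: 129 due to recent request 10524.
Fri Apr  1 19:22:12 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 130 due to unfinished request 10531
Fri Apr  1 19:22:15 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 130 due to unfinished request 10531
Fri Apr  1 19:22:18 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 130 due to unfinished request 10531
Fri Apr  1 19:23:40 2011 : Error: Discarding duplicate request from client nas-b port 1645 - ID: 7 due to unfinished request 10602
"""


def parse_discards(text):
    """Return one dict per discard line; unrelated log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Collapse the padded day-of-month ("Apr  1") before parsing.
        stamp = " ".join(m.group("ts").split())
        events.append({
            "time": datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"),
            "kind": m.group("kind"),
            "client": m.group("client"),
            "packet_id": int(m.group("id")),
            "request": int(m.group("req")),
        })
    return events


def stalled_requests(events):
    """Group discards by (client, request), most-retransmitted first.

    'stalled_for' is the span between the first and last discard, a lower
    bound in seconds on how long the original request stayed unanswered.
    """
    grouped = defaultdict(list)
    for ev in events:
        grouped[(ev["client"], ev["request"])].append(ev)
    report = []
    for (client, request), evs in grouped.items():
        times = sorted(e["time"] for e in evs)
        report.append({
            "client": client,
            "request": request,
            "discards": len(evs),
            "stalled_for": int((times[-1] - times[0]).total_seconds()),
            "conflict": any(e["kind"] == "conflicting packet" for e in evs),
        })
    report.sort(key=lambda r: (-r["discards"], r["client"], r["request"]))
    return report


def per_minute(events):
    """Discards per minute, for lining up against slow-query or lock logs."""
    return dict(Counter(ev["time"].strftime("%Y-%m-%d %H:%M") for ev in events))


if __name__ == "__main__":
    evs = parse_discards(SAMPLE_LOG)
    for row in stalled_requests(evs):
        print(row)
    print(per_minute(evs))
```

Comparing the per-minute buckets with the database's slow-query log or reporting schedule is one way to test the backend explanation given in the replies.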


RE: Dial up error and freeraius is down

2011-04-01 Thread Robin
Hi,

Thanks for your suggestion.

I will clean records from radacct and check my reporting system if it affects
freeradius operations.

Robin


-----Original Message-----
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org]
On Behalf Of Fajar A. Nugraha
Sent: Saturday, April 02, 2011 10:41 AM
To: FreeRadius users mailing list
Subject: Re: Dial up error and freeraius is down

On Sat, Apr 2, 2011 at 9:20 AM, Robin freerad...@itpm.net wrote:
 Hi,

 If I can understand it, my freeradius for some reason has slowed due 
 to response behind time?

I don't understand what you mean by my freeradius for some reason has
slowed due to response behind time, but like Alan said, the cause of that
log is usually because your backend (mysql?) didn't return timely response
which cause the NAS to re-send the request. When FR received the duplicate
request, it discards the request since it detects it's still processing the
old one.

Things you might want to check:
- is there a bottleneck in your MySQL? Sometimes a reporting query locks the
tables so other queries (like select/insert from FR) can't be processed.
- how big is your radacct table? When unmaintained, it can have millions of
records, and some FR feature (like sqlcounter, or simultaneous use checking)
reads entries in radacct
- how efficient is your sql schema? Having lots of indexes can speed up
certain select queries, but it can kill write
(insert/update/delete) performance.

In other words, get a DBA, check your MySQL setup.

--
Fajar