Config for proxying based on auth-protocol

2011-05-09 Thread Nitin Bhardwaj

Hello,

I want to configure FreeRADIUS to do the following two things:

(1) Handle tunnel for PEAP authentication requested by any supplicant(s),
    and do mschapv2 auth with another RADIUS server (irrespective of the
    realm in the user-name).

(2) Transparently proxy all other non-PEAP requests to another RADIUS
    server (like LEAP, EAP-FAST, etc.), again irrespective of the realm in
    the user-name.

My config for (1) is already working (eap.conf below) and FreeRADIUS is
properly doing ms-chapv2 auth with another RADIUS server. However, I tried
many changes in config, but could not configure it to do (2). FreeRADIUS
itself tries to handle LEAP and EAP-FAST requests.

Please guide me in configuring FreeRADIUS for (2) above.


My eap.conf:
eap {
    default_eap_type = mschapv2
    timer_expire = 60
    # Do not reject EAP types this module does not handle
    ignore_unknown_eap_types = yes
    cisco_accounting_username_bug = no
    max_sessions = 2048

    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${certdir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            lifetime = 24
            max_entries = 255
        }
    }

    peap {
        default_eap_type = mschapv2
        # Copy outer-request attributes into the tunneled request
        copy_request_to_tunnel = yes
        # Return the inner reply's attributes in the outer reply
        use_tunneled_reply = yes
        # Proxy the inner request as plain MS-CHAPv2, not EAP-MSCHAPv2
        proxy_tunneled_request_as_eap = no
        virtual_server = "proxy-inner-tunnel"
    }

    leap {
    }

    mschapv2 {
    }
}

--
Nitin Bhardwaj

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-09 Thread Gary Gatten
I may be misunderstanding you, but FR still auths against a centralized AD 
(ntlm_auth).

I will look into this further though, because it obviously won't honor any 
DVLAN assignments we have in AD if it's not asking for / expecting them.

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Alan Buxey
Sent: Monday, May 09, 2011 5:11 PM
To: FreeRadius users mailing list
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7

Hi,

>I should note, it appears the Aruba gear is terminating the PEAP - FR only
>sees an MSCHAP request.

I would change that behaviour with a quick reconfig - it's possible because we
have sites in the UK using Aruba kit with 'eduroam' - and 'eduroam' would break
if the remote client was presented with the local site's RADIUS server or EAP
termination.

alan

"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."





Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-09 Thread Alan Buxey
Hi,

>I should note, it appears the Aruba gear is terminating the PEAP – FR only
>sees an MSCHAP request.

I would change that behaviour with a quick reconfig - it's possible because we
have sites in the UK using Aruba kit with 'eduroam' - and 'eduroam' would break
if the remote client was presented with the local site's RADIUS server or EAP
termination.

alan

PEAP/MSCHAPv2 failing with Windows 7

2011-05-09 Thread Gary Gatten
Hello,

We use Aruba Wireless gear.  We're using 802.1x PEAP, MSCHAPv2, use windows 
credentials.  Everything is working great with this setup until we started 
testing / trying Windows 7 clients.  They fail with:

Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1

[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.


The same exact username / password works great on XP.  What's really weird is
this:

In the PEAP properties, EAP-MSCHAP v2, if you DISABLE "automatically use my
windows logon name and password" and instead enter the credentials manually it
works.

It appears to me this is some sort of bug in the Windows 7 PEAP/EAP code that
grabs the credentials from "windows" that was previously entered and passes
them to the EAP/PEAP process.  Somewhere along the way they're getting mashed
or something?

I should note, it appears the Aruba gear is terminating the PEAP - FR only sees 
an MSCHAP request.

Anyone else having a similar issue?

TIA

G










Re: Error: User-Name is not the same as MS-CHAP name

2011-05-09 Thread Alan DeKok
Robert Mc Cready wrote:
> I do not rewrite the User-name attribute I rewrite only the
> Stripped-User-Name attribute with these:

  No.  Go READ the debug log you posted.  The "inner-tunnel" virtual
server gets:

Sending tunneled request
EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202 ...
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "CAD08862\\ldapuser"

  You then RE-WRITE the User-Name.

  Don't do that.

  As you were told, re-writing the User-Name for EAP is wrong.  Don't do it.

> The User-Name attribute is untouched.

  You can believe what you *think* happens.  Or you can believe the
debug output of the server.

  Alan DeKok.
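
Where the "MS-CHAP Name" in this thread's error comes from, as an added example (not code from this thread or from FreeRADIUS): it is the Name field at the end of the EAP-MSCHAPv2 Response carried in EAP-Message, chosen by the supplicant and compared with the RADIUS User-Name. The packet is constructed with zeroed crypto fields, and `compare_names` is a simplified, hypothetical model of the check.

```python
import struct

EAP_RESPONSE = 2          # EAP Code: Response
EAP_TYPE_MSCHAPV2 = 26    # 0x1a, the fifth byte of the EAP-Message quoted above
OP_RESPONSE = 2           # MS-CHAPv2 OpCode: Response
VALUE_SIZE = 49           # peer challenge 16 + reserved 8 + NT-Response 24 + flags 1


def build_response(ident, name):
    """Constructed EAP-MSCHAPv2 Response with zeroed crypto fields (sample input)."""
    ms_len = 5 + VALUE_SIZE + len(name)   # OpCode, ID, MS-Length (2), Value-Size
    body = struct.pack("!BBHB", OP_RESPONSE, ident, ms_len, VALUE_SIZE)
    body += bytes(VALUE_SIZE) + name
    header = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(body), EAP_TYPE_MSCHAPV2)
    return header + body


def mschap_name(eap):
    """Return the Name field the supplicant put in an EAP-MSCHAPv2 Response.

    `eap` is the whole EAP packet: a caller must first concatenate every
    EAP-Message attribute of the RADIUS packet, in order.
    """
    if len(eap) < 10 + VALUE_SIZE:
        raise ValueError("too short for an EAP-MSCHAPv2 Response")
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    opcode, _ms_id, ms_len, value_size = struct.unpack("!BBHB", eap[5:10])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2 or opcode != OP_RESPONSE:
        raise ValueError("not an EAP-MSCHAPv2 Response")
    # Every length field must agree with the bytes actually received.
    if length != len(eap) or ms_len != length - 5 or value_size != VALUE_SIZE:
        raise ValueError("inconsistent length fields")
    return eap[10 + VALUE_SIZE:].decode("utf-8", errors="replace")


def compare_names(user_name, eap):
    """Classify the RADIUS User-Name against the name inside the EAP payload."""
    inner = mschap_name(eap)
    if user_name == inner:
        return "match"
    # The name is an input to the MS-CHAPv2 challenge hash (RFC 2759), so the
    # two sides must agree on it. Here only the outer name carries a prefix.
    if "\\" in user_name and user_name.split("\\", 1)[1] == inner:
        return "prefix-only-in-User-Name"
    return "mismatch"


if __name__ == "__main__":
    pkt = build_response(8, b"ldapuser")
    print(mschap_name(pkt), compare_names("CAD08862\\ldapuser", pkt))
```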


Re: acct segfault in git v2.1.x

2011-05-09 Thread Alan DeKok
James J J Hooper wrote:
> It now seems to create a *directory* with the name that should be the
> detail *file*...

  I've pushed a fix.  The change missed one line..

  Alan DeKok.


RE: Error: User-Name is not the same as MS-CHAP name

2011-05-09 Thread Robert Mc Cready
I do not rewrite the User-name attribute I rewrite only the
Stripped-User-Name attribute with these:

attr_rewrite copy.user-name {
    attribute = Stripped-User-Name
    new_attribute = yes
    searchfor = ""
    searchin = packet
    replacewith = "%{User-Name}"
}

attr_rewrite remove-domain-name {
    attribute = Stripped-User-Name
    searchfor = "(\.nw2\.test\.local)"
    searchin = packet
    new_attribute = no
    replacewith = ""
}

attr_rewrite add-dollar-sign {
    attribute = Stripped-User-Name
    searchfor = "^(host/.*)"
    searchin = packet
    new_attribute = no
    replacewith = "%{1}$"
}

attr_rewrite strip-realm-name {
    attribute = Stripped-User-Name
    new_attribute = no
    searchin = packet
    searchfor = "^(.*[\\/]+)"
    replacewith = ""
    max_matches = 1
}


This is where I use Stripped-User-Name:

freeradius:/etc/raddb # grep -ir Stripped-User-Name * | grep -v \#
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/ldap:   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"


The User-Name attribute is untouched.

[mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP
Name (ldapuser) from EAP-MSCHAPv2

As I mentioned before, the host name (CAD08862) is not a domain name; it's a
computer account name.


I tried with_ntdomain_hack, no luck.

freeradius:/etc/raddb # grep -ir with_ntdomain_hack * | grep -v \#
modules/preprocess: with_ntdomain_hack = no
modules/mschap: with_ntdomain_hack = yes


Windows XP debug:  http://www.cspi.qc.ca/sinfrmc/windowsxp.htm

Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm




On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
> The "MS-CHAP-Use-NTLM-Auth := no"  did the job but I still have one
> problem with Windows XP clients, I get a " [mschap] ERROR: User-Name
> (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
> EAP-MSCHAPv2". Users log on locally, the host name is not a domain name.
> Windows 7 clients work fine because they send only the username. I do
> some rewrites so I can get the username for the LDAP authentication and
> the computers name for computer account authentication (I'm not familiar
> with unlang yet). We use FR 2.1.10.
>
> Any idea how to fix this ?
>

You CANNOT rewrite the User-Name attribute, or you will have this problem.

If you want to manipulate the username, you must do so in a separate 
attribute, like so:

  if (User-Name =~ /^(.+)\\(.+)/) {
    update request {
      Stripped-User-Name := "%{2}"
    }
  }

An easier alternative is to not mangle the username at all, and instead 
update any string expansions to use:

  %{mschap:User-Name}

...including your LDAP filters. This will "just work"

 

__ Information from ESET NOD32 Antivirus, virus signature database
version 6106 (20110509) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
  

 




Re: acct segfault in git v2.1.x

2011-05-09 Thread James J J Hooper

On 09/05/2011 12:22, Alan DeKok wrote:
> Alexander Clouter wrote:
>> Updating to git's v2.1.x to go on a post-Easter bughunt and found the
>> following accounting packet[1] seems to segfault freeradius:
> ...
>> #1  0x403075d8 in fnmatch () from /lib/libc.so.6
>> #2  0x409da598 in do_detail (instance=0x114e50, request=0x43443240,
>> packet=0x43446dd8, compat=) at rlm_detail.c:301
>
>   Hmm... calling fnmatch() when the packet was *not* read from the
> detail file is a bad idea.  Oops.
>
>   On closer inspection, much of the logic in rlm_detail is broken.
>
>> If you need the FreeRADIUS -X malarkey, then do ask, it is just trickier
>> to get on a production box... :)
>
>   Nah.  I think the Feynman method is fine.
>
> 1) look at problem
> 2) think hard
> 3) write down solution
>
>   Give me a bit and I'll push a change to "git".

It now seems to create a *directory* with the name that should be the
detail *file*...


custard radius # find ./ -type d
./
./radacct
./radacct/eduroamalien-soh-bsql
./radacct/vpi-soh-bsql
./radacct/eduroamlocal-soh-bsql
./radacct/nomadicvpn-bsql
./radacct/uobgear
./radacct/eduroamlocal-inner
./radacct/eduroamlocal-bsql
./radacct/vpi
./radacct/eduroamalien-inner
./radacct/eduroamlocal
./radacct/vpi-inner
./radacct/eduroamalien
./radacct/nomadicvpn
custard radius # killall -9 radiusd ; /usr/local/sbin/radiusd
custard radius # tail -n 0 -f radius*.log

==> radiusd-eduroamlocal.log <==
Mon May  9 17:50:25 2011 : Error: [detail-bsql] rlm_detail: Couldn't open 
file /var/log/radius/radacct/eduroamlocal-bsql/detail-bsql.log: Is a directory
Mon May  9 17:50:25 2011 : Error: [detail-bsql] rlm_detail: Couldn't open 
file /var/log/radius/radacct/eduroamlocal-bsql/detail-bsql.log: Is a directory



ls -la also shows that radiusd has indeed created a directory with what 
should have been the file name.


module config:
custard radius # cat /usr/local/etc/serviceraddb/modules/detail-bsql | grep '[[:print:]]' | grep -v '#'

detail detail-bsql {
    detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}-bsql/detail-bsql.log
    detailperm = 0600
    header = "%t"
}


-James



Re: Simultaneous logins

2011-05-09 Thread qbik
I got it working by changing the query to count if the MAC requesting access
is different than the one that got access granted. Another question I had
was if a user is allowed access only for let's say 5 hours a day, if he is
connected just for 1 hour and decides to connect 3 hours later, I think the
counter will have counted 4 hours, is there a way to make the counter just
pick up where it left off?

Thanks

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Simultaneous-logins-tp4380660p4381821.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: acct segfault in git v2.1.x

2011-05-09 Thread Alexander Clouter
Alan Buxey  wrote:
> 
>>   NAS Port Attribute (5), length: 6, Value: 0
> 
> NAS-Port 0 
> 
> are you serious?  ;-)
>
Hey, *you* are the proxying it ;P
 
>>   Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown 
>> (14823)
>> Vendor Attribute: 2, Length: 4, Value: 
> 
> ..that's an interesting one.
> 
>>   Unknown Attribute (103), length: 6, Value:
> 
> as is that. unpopulated/corrupt attributes.
>
Just unprintable, check the pcap file linked to in the original email 
for  and giggles.
 
> what are you doing with this accounting packet when it arrives? 'detail' 
> module? SQL ?
> 
Journalled accounting, it's picked up by decoupled account virtual 
server.

Cheers

-- 
Alexander Clouter
.sigmonster says: Generic Fortune.



RE: Nexus Configurations

2011-05-09 Thread Darren Shaw
Hello,

Is the user you are testing with configured on the switch? No, this is my 
username that is allowed to access the switches. It authenticates me with AD 
and makes sure I belong to a certain group within AD.

If so, as what type of user?  Admin user.

Have you tried a username which is not configured on the switch? Yes mine, and 
my colleagues, all work on 6500, 2960, 2950 3524, etc etc.


Rgds
Darren Shaw
The Network Team
Computing Services
University of Huddersfield
Queensgate
Huddersfield
HD1 3DH

TEL: 01484 471317
MOBILE: 07792 773807


-Original Message-
From: freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org] On 
Behalf Of David Mitchell
Sent: 06 May 2011 15:34
To: FreeRadius users mailing list
Subject: Re: Nexus Configurations


On May 6, 2011, at 2:50 AM, Darren Shaw wrote:

> Good morning David,
>
> To answer your questions
>
> We do have a local username; all our switches have, 500 of them.

Is the user you are testing with configured on the switch? If so, as what type
of user? Have you tried a username which is not configured on the switch?

>
> I have traced the request and response between the FreeRadius server and the 
> N5K, the server returns a service-type (6) AVP of Shell user (6) which 
> according to the Free Radius documentation at 
> http://freeradius.org/rfc/attributes.html is an Administrative user.

Is the Cisco-AVPair also in that response packet? Also, I put the syntax for
adding those attributes into the 'users' file. It's probably possible to get
them crammed in via the 'default' configuration but it's not necessarily the
right place. It may also be the case that you need to make sure you are *not*
sending the Cisco-AVPair 'shell:priv-lvl=15'. I know that I needed to put my
IOS and NX-OS devices into different huntgroups so that I could assign
different AVPairs. I tried just sending both values to both types of devices
and did not get the desired effect.

-David Mitchell

>
> The syntax that I have placed into the following file
>
> Cisco-AVPair += "shell:roles=network-admin",
>>   Service-Type := Administrative-User,
>
> I have also tried
>
>  Hint == "XX", Auth-Type := Accept
>Reply-Message = "ACCEPT: Authorizing enable access",
>Cisco-AVPair = "shell:roles*\"network-admin\"",
>Cisco-AVPair += "shell:priv-lvl=15",
>Service-Type = Administrative-User,
>Fall-Through = No
>
> Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
>>> Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
>>> Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
>>> Cisco-AVPair = "shell:roles*\"network-admin\""
>
> The configuration I have on the 5K
>
> radius-server host  key 7 "XX" authentication accounting
> aaa group server radius FreeRadius
>server x
>use-vrf management
> aaa authentication login default group FreeRadius
> source address x
>
> It looks as though the 5K is not interpreting the attribute correctly, or I 
> am not editing the correct file. Whatever syntax I use I get the same 
> results, I get authenticated but the nexus places me as an operator.
>
> The file I am editing is  /usr/local/etc/raddb/sites-available/default
>
> Rgds
> Darren Shaw
> The Network Team
> Computing Services
> University of Huddersfield
> Queensgate
> Huddersfield
> HD1 3DH
>
> TEL: 01484 471317
> MOBILE: 07792 773807
>
>
> -Original Message-
> From: freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org 
> [mailto:freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org] On 
> Behalf Of David Mitchell
> Sent: 05 May 2011 15:35
> To: FreeRadius users mailing list
> Subject: Re: Nexus Configurations
>
>
> On May 5, 2011, at 4:47 AM, Darren Shaw wrote:
>
>> Hello David,
>>
>> Thanks for the syntax. Sadly this still does not work. The free radius 
>> server will authenticate me as a user but the 5K wants me as an operator and 
>> not admin.
>>
>> If you have the 5K working, could I be cheeky and ask if you could mail me 
>> the radius config on your 5K
>
> There isn't anything in the radius config that enables this as far as I can
> tell. Do you have a local account on the 5K? That might override the info
> from the RADIUS server. Run the command 'show user-account' after logging in.
> For me, it indicates that the account was created via remote authentication.
> I assume you have run the radius server in debug mode to verify that the
> attributes are actually in the access accept packets sent back to the switch?
>
>
> -David Mitchell
>
>>
>> thanks
>>
>> Rgds
>> Darren Shaw
>> The Network Team
>> Computing Services
>> University of Huddersfield
>> Queensgate
>> Huddersfield
>> HD1 3DH
>>
>> TEL: 01484 471317
>> MOBILE: 07792 773807
>>
>> -Original Message-
>> From: freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org 
>> [mailto:freeradius-users-bounces+d.shaw=hud

Re: acct segfault in git v2.1.x

2011-05-09 Thread Alan DeKok
Alexander Clouter wrote:
> Updating to git's v2.1.x to go on a post-Easter bughunt and found the 
> following accounting packet[1] seems to segfault freeradius:
...
> #1  0x403075d8 in fnmatch () from /lib/libc.so.6
> #2  0x409da598 in do_detail (instance=0x114e50, request=0x43443240, 
> packet=0x43446dd8, compat=) at rlm_detail.c:301

  Hmm... calling fnmatch() when the packet was *not* read from the
detail file is a bad idea.  Oops.

  On closer inspection, much of the logic in rlm_detail is broken.

> If you need the FreeRADIUS -X malarkey, then do ask, it is just trickier
> to get on a production box... :)

  Nah.  I think the Feynman method is fine.

1) look at problem
2) think hard
3) write down solution

  Give me a bit and I'll push a change to "git".

  Alan DeKok.


Re: acct segfault in git v2.1.x

2011-05-09 Thread Alan Buxey
Hi,

>   NAS Port Attribute (5), length: 6, Value: 0

NAS-Port 0 


are you serious?  ;-)


>   Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown 
> (14823)
> Vendor Attribute: 2, Length: 4, Value: 

..that's an interesting one.

>   Unknown Attribute (103), length: 6, Value:

as is that. unpopulated/corrupt attributes.

what are you doing with this accounting packet when it arrives? 'detail' 
module? SQL ?

alan


acct segfault in git v2.1.x

2011-05-09 Thread Alexander Clouter
Updating to git's v2.1.x to go on a post-Easter bughunt and found the 
following accounting packet[1] seems to segfault freeradius:

tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:30:34.398885 IP6 (hlim 51, next-header UDP (17) payload length: 258) 2001:630:1:128::185.42390 > 2001:630:1b:6003:90c0:802a:d873:c284.1813: [bad udp cksum 51b1!] RADIUS, length: 250
Accounting Request (4), id: 0x1b, Authenticator: 44b81fb81af404cb48816ad0c2afc497
  NAS IP Address Attribute (4), length: 6, Value: 128.86.129.105
  Accounting Status Attribute (40), length: 6, Value: Stop
  Username Attribute (1), length: 19, Value: 223...@soas.ac.uk
  NAS Port Attribute (5), length: 6, Value: 0
  NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
  Accounting Session ID Attribute (44), length: 27, Value: 223313@s7CC5376FE7E3-C189
  Accounting Input Octets Attribute (42), length: 6, Value: 42426
  Accounting Output Octets Attribute (43), length: 6, Value: 351596
  Accounting Input Packets Attribute (47), length: 6, Value: 301
  Accounting Output Packets Attribute (48), length: 6, Value: 379
  Accounting Termination Cause Attribute (49), length: 6, Value: Idle Timeout
  Framed IP Address Attribute (8), length: 6, Value: 128.86.184.37
  Calling Station Attribute (31), length: 14, Value: 7CC5376FE7E3
  Called Station Attribute (30), length: 14, Value: 000B860E5100
  Accounting Session Time Attribute (46), length: 6, Value: 06:40 min
  Accounting Delay Attribute (41), length: 6, Value: 00 secs
  Vendor Specific Attribute (26), length: 15, Value: Vendor: Unknown (14823)
    Vendor Attribute: 5, Length: 7, Value: eduroam
  Vendor Specific Attribute (26), length: 11, Value: Vendor: Unknown (14823)
    Vendor Attribute: 6, Length: 3, Value: N/A
  Vendor Specific Attribute (26), length: 20, Value: Vendor: Unknown (14823)
    Vendor Attribute: 1, Length: 12, Value: pre-employee
  Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown (14823)
    Vendor Attribute: 2, Length: 4, Value: 
  Unknown Attribute (103), length: 6, Value:
  Proxy State Attribute (33), length: 20, Value: OSC-Extended-Id=27


The gdb backtrace is:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x42b7b470 (LWP 9963)]
0x402dc2bc in strnlen () from /lib/libc.so.6
(gdb) where
#0  0x402dc2bc in strnlen () from /lib/libc.so.6
#1  0x403075d8 in fnmatch () from /lib/libc.so.6
#2  0x409da598 in do_detail (instance=0x114e50, request=0x43443240, packet=0x43446dd8, compat=) at rlm_detail.c:301
#3  0x00022110 in call_modsingle (component=3, c=, request=0x43443240) at modcall.c:297
#4  modcall (component=3, c=, request=0x43443240) at modcall.c:670
#5  0x0001ec94 in indexed_modcall (comp=3, idx=0, request=0x43443240) at modules.c:737
#6  0xeefc in rad_accounting (request=0x43443240) at acct.c:93
#7  0x0002f16c in radius_handle_request (request=0x43443240, fun=0xee60 ) at event.c:3780
#8  0x00026a4c in request_handler_thread (arg=) at threads.c:525
#9  0x400818cc in start_thread () from /lib/libpthread.so.0
#10 0x40330bdc in clone () from /lib/libc.so.6
#11 0x40330bdc in clone () from /lib/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)


If you need the FreeRADIUS -X malarkey, then do ask, it is just trickier
to get on a production box... :)

Cheers

[1] http://stuff.digriz.org.uk/freeradius-acct-segfault.pcap

-- 
Alexander Clouter
.sigmonster says: Preserve the old, but know the new.
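
The attributes that tcpdump prints with an empty value above are not missing; as a reply in this thread puts it, they are "just unprintable". An added example (not code from the original posts or from FreeRADIUS) that walks RADIUS attribute TLVs with strict length checks and renders binary values as hex; the sample bytes are constructed, and the type/length/value layout inside the Vendor-Specific attribute is assumed, as tcpdump assumes it.

```python
import struct


class MalformedAttribute(ValueError):
    pass


def walk_tlvs(buf, what):
    """Yield (type, value) for each TLV in buf, checking lengths before slicing."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise MalformedAttribute(f"{what}: truncated header at offset {off}")
        a_type, a_len = buf[off], buf[off + 1]
        # The length octet counts the 2-byte header, so a value below 2 is
        # invalid and would otherwise stall the loop.
        if a_len < 2 or off + a_len > len(buf):
            raise MalformedAttribute(f"{what} {a_type}: bad length {a_len}")
        yield a_type, buf[off + 2: off + a_len]
        off += a_len


def parse_attributes(buf):
    """Return [(type, vendor, vendor_type, value)] for a RADIUS attribute list."""
    out = []
    for a_type, value in walk_tlvs(buf, "attribute"):
        if a_type != 26:                       # not Vendor-Specific
            out.append((a_type, None, None, value))
            continue
        if len(value) < 4:
            raise MalformedAttribute("Vendor-Specific: missing vendor id")
        vendor = struct.unpack("!I", value[:4])[0]
        for v_type, v_value in walk_tlvs(value[4:], f"vendor {vendor} attribute"):
            out.append((26, vendor, v_type, v_value))
    return out


def render(value):
    """Printable ASCII as text, anything else as hex (never as an empty string)."""
    if value and all(0x20 <= b < 0x7F for b in value):
        return value.decode("ascii")
    return "0x" + value.hex()


def tlv(a_type, value):
    return bytes([a_type, len(value) + 2]) + value


def vsa(vendor, v_type, value):
    return tlv(26, struct.pack("!I", vendor) + tlv(v_type, value))


# Constructed sample modelled on the dump: same types and lengths, made-up values.
SAMPLE = (
    tlv(5, struct.pack("!I", 0))                 # NAS-Port 0
    + vsa(14823, 5, b"eduroam")                  # outer length 15, inner 7
    + vsa(14823, 2, struct.pack("!I", 184))      # outer length 12, 4 binary bytes
    + tlv(103, struct.pack("!I", 1))             # length 6, 4 binary bytes
)


def describe(buf):
    """One line per attribute, e.g. '26/14823:5 = eduroam'."""
    return [
        f"{t}" + (f"/{vendor}:{vt}" if vendor is not None else "") + f" = {render(v)}"
        for t, vendor, vt, v in parse_attributes(buf)
    ]


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
```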



Re: Radius Database

2011-05-09 Thread SC@
Thank you

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Radius-Database-tp4375341p4381272.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Simultaneous logins

2011-05-09 Thread Franz
The query is ok for my purpose, when I execute it it returns 1 when a
session is active and 0 when no session is available. However when I
uncomment the simul query, all logins are terminated by User-Error after 10
seconds and not Session-Timeout after x time as it's supposed to be, if I
commented the simul query, all work ok again. Do I need a specific
configuration in authorize section?

On Mon, May 9, 2011 at 2:49 AM, Fajar A. Nugraha  wrote:

> On Mon, May 9, 2011 at 12:46 PM, Franz  wrote:
> > What I meant on the second part is that i am using localhost on
> > clients.conf,
>
> Please don't top-post.
>
> > so now when i am just checking session with sql
> > simul_count_query, and as soon as the request is received by server it
> says
> > the user is already logged in, even is is not logged in:
> > checkrad: No NAS type, or type "other" not checking
>
> if you only store session on sql, you don't need checkrad. You can
> just comment-out radutmp from session section.
>
> > rlm_sql (sql): Released sql socket id: 1
> > ++[sql] returns ok
> > expand: good -> good
> > Multiple logins (max 1) [MPP attempt]: [C8P7G6/C8P7G6] (from client
> > localhost port 7 cli 192.168.0.7) good
> > Using Post-Auth-Type Reject
> > # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> > +- entering group REJECT {...}
>
> You can try executing the query manually and see if the query is doing
> the right thing.
> Also, the query is customizable, so if you know that all acct entries
> from localhost are dummy entries you can just modify the query to
> exclude them.
>
> --
> Fajar
>