Re: FreeRadius with Eduroam - Accounting
On 5 Oct 2011, at 02:20, Mike Diggins wrote:

> I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an
> Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are constantly
> failing over the Accounting Servers, due to lack of response from the Home
> Servers, or so says the log. However, I believe the issue is that some remote
> institutions' Radius Servers are ignoring the Accounting packets, and timing
> out my end, making it believe the Home Servers have failed to respond.
> FreeRadius responds by marking the Home server dead. It then sends a
> status-server query, to which it gets a reply, and enables the Dead Home
> server. I believe that's the sequence of events anyway. I captured some of
> that in debug mode:
>
>     Rejecting request 288 due to lack of any response from home server x.x.x.x port 1813
>     Finished request 288.
>     Cleaning up request 288 ID 205 with timestamp +1161
>     PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it is dead).
>     Sending Status-Server of id 55 to x.x.x.x port 1813
>             Message-Authenticator := 0x
>             NAS-Identifier := "Status Check. Are you alive?"
>     Waking up in 3.9 seconds.
>     rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, length=806
>
> I don't have any control over Accounting Packets being accepted, or not, by
> other Eduroam members. Some do, some don't I imagine. Is there a
> configuration for FreeRadius that handles this situation cleanly? Seems to me
> that FR should check the Home server first, before marking it dead (at least).

No, I've talked about this with Alan. The proposed solution is an enhancement to the detail writer/reader functionality where the server automagically spawns new reader instances to listen on per-domain detail files.

For now I'd recommend using rlm_replicate; this allows you to send an entirely new request to the home server, whilst sending an Accounting-Response to the NAS. FR does not track the new request and so won't be able to retransmit. Just use something like:

preacct {
    if (Realm && Realm != 'local') {
        update control {
            Proxy-To-Realm := 'local'
            Replicate-To-Realm = 'eduroam'
        }
    }
}

accounting {
    replicate
}

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius with Eduroam - Accounting
I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are constantly failing over the Accounting Servers, due to lack of response from the Home Servers, or so says the log. However, I believe the issue is that some remote institutions' Radius Servers are ignoring the Accounting packets, and timing out my end, making it believe the Home Servers have failed to respond. FreeRadius responds by marking the Home server dead. It then sends a status-server query, to which it gets a reply, and enables the Dead Home server. I believe that's the sequence of events anyway. I captured some of that in debug mode:

    Rejecting request 288 due to lack of any response from home server x.x.x.x port 1813
    Finished request 288.
    Cleaning up request 288 ID 205 with timestamp +1161
    PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it is dead).
    Sending Status-Server of id 55 to x.x.x.x port 1813
            Message-Authenticator := 0x
            NAS-Identifier := "Status Check. Are you alive?"
    Waking up in 3.9 seconds.
    rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, length=806

I don't have any control over Accounting Packets being accepted, or not, by other Eduroam members. Some do, some don't I imagine. Is there a configuration for FreeRadius that handles this situation cleanly? Seems to me that FR should check the Home server first, before marking it dead (at least).

-Mike
Re: Version 2.1.12 has been released
FYI: I have built 2.1.12 RPM packages for Fedora 14, Fedora 15 & Fedora 16. They have been pushed into the updates-testing channel (not updates). They will move into stable in two weeks, or if they achieve the necessary "karma" before then. You can add a "karma vote" by visiting the updates page for freeradius.

https://admin.fedoraproject.org/updates/search/freeradius

Note: at the time of this mail only F16 has actually made it out into the channel; the others are waiting in the queue, but I expect they will appear within a few hours (you can check by viewing the updates page).

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: MySQL and FreeRADIUS environment
tonimanel wrote:
> Is it possible to make the data replica with the TCP protocol with FreeRADIUS? Do
> you prefer FreeRADIUS replica or mysql replica? What is the best solution to
> make the replica?

The best solution is to use RADIUS replication. FreeRADIUS knows how to do conflict resolution in the database. MySQL does not.

See "raddb/radrelay.conf", and the detail file readers for examples. Also, raddb/sites-available/copy-acct-to-home-server

Alan DeKok.
Re: MySQL and FreeRADIUS environment
Hi again,

I have a doubt: what happens if in my company we want to have two servers, both with the freeradius service and the mysql service, and these two servers could be active with the mysql data replicated? We would like to have two servers as actives with the ability to be both functional. I think that is more difficult than the other solution but this is best.

Is it possible to make the data replica with the TCP protocol with FreeRADIUS? Do you prefer FreeRADIUS replica or mysql replica? What is the best solution to make the replica?

Thank you very much!!! I hope your answers!!

--
View this message in context: http://freeradius.1045715.n5.nabble.com/MySQL-and-FreeRADIUS-environment-tp4845985p4868964.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: rlm_sql_mysql UTF-8 encoding
> however as it gets to the rlm_sql_mysql module it shows
>
>     # [sql] expand: %{User-Name} -> g.?up.wór
>     # [sql] sql_set_user escaped user --> 'g.?up.wór'
>
> It does seem that the UserName string is iterated byte by byte and not in a UTF-8
> aware way.
>
> hence it shows:
>
>     # [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'g=C5=82up.w=C3=B3r' ORDER BY id
>     # rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'g=C5=82up.w=C3=B3r' ORDER BY id
>     # [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'g=C5=82up.w=C3=B3r' ORDER BY priority
>     # rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'g=C5=82up.w=C3=B3r' ORDER BY priority
>
> the username is encoded as
>     g=C5=82up.w=C3=B3r
> both UTF-8 encoded characters (=C5=82, =C3=B3) were treated as separate
> characters (=C5, =82, =C3, =B3).
>
> I found sth about the problem I am facing:
> http://freeradius.1045715.n5.nabble.com/rlm-sql-and-UTF8-encoded-strings-td2794683.html

The problem is the safe chars check is not UTF8 capable, so it's looking at each byte of the User-Name string, comparing it to the list of safe chars, finding it doesn't match and mime encoding it.

Patches welcome.

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: Version 2.1.12 has been released
Jakob Hirsch wrote:
> Alan DeKok, 2011-09-30 16:33:
>
>> * Added support for PCRE from Phil Mayers
>
> Sorry for not stepping up before, but it seems to me that this only went
> into the master, not in the 2.1.x branch.

Oh well. Maybe the next rev.

Alan DeKok.
rlm_sql_mysql UTF-8 encoding
I am trying to set up FR with Mysql as backend. FR is 2.1.10.

The username that is sent to the FR contains UTF-8 encoded characters. From debugging:

    rad_recv: Access-Request packet from host 127.0.0.1 port 59305, id=76, length=62
            User-Name = "głup.wór"
            User-Password = "12345678"
            NAS-IP-Address = 192.168.1.56
            NAS-Port = 10

The username is properly shown (at least in my console). This is hex from the tcpdump packet capture: 67;C582;75;70;2E,77,C3B3,72 - it seems to be properly UTF-8 encoded.

however as it gets to the rlm_sql_mysql module it shows

    # [sql] expand: %{User-Name} -> g.?up.wór
    # [sql] sql_set_user escaped user --> 'g.?up.wór'

It does seem that the UserName string is iterated byte by byte and not in a UTF-8 aware way.

hence it shows:

    # [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'g=C5=82up.w=C3=B3r' ORDER BY id
    # rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'g=C5=82up.w=C3=B3r' ORDER BY id
    # [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'g=C5=82up.w=C3=B3r' ORDER BY priority
    # rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'g=C5=82up.w=C3=B3r' ORDER BY priority

the username is encoded as

    g=C5=82up.w=C3=B3r

both UTF-8 encoded characters (=C5=82, =C3=B3) were treated as separate characters (=C5, =82, =C3, =B3).

I found sth about the problem I am facing:
http://freeradius.1045715.n5.nabble.com/rlm-sql-and-UTF8-encoded-strings-td2794683.html
but there is no solution.

Am I doing sth wrong, is sth misconfigured? Any ideas?

regards,
tomek.

Below is the full debug output from FR

    root@ubuntu:~# /usr/sbin/freeradius -X
    FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Dec 9 2010 at 17:54:26
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/proxy.conf
    including configuration file /etc/freeradius/clients.conf
    including files in directory /etc/freeradius/modules/
    including configuration file /etc/freeradius/modules/smsotp
    including configuration file /etc/freeradius/modules/unix
    including configuration file /etc/freeradius/modules/ntlm_auth
    including configuration file /etc/freeradius/modules/inner-eap
    including configuration file /etc/freeradius/modules/expr
    including configuration file /etc/freeradius/modules/counter
    including configuration file /etc/freeradius/modules/radutmp
    including configuration file /etc/freeradius/modules/attr_rewrite
    including configuration file /etc/freeradius/modules/checkval
    including configuration file /etc/freeradius/modules/perl
    including configuration file /etc/freeradius/modules/mschap
    including configuration file /etc/freeradius/modules/files
    including configuration file /etc/freeradius/modules/ldap
    including configuration file /etc/freeradius/modules/otp
    including configuration file /etc/freeradius/modules/detail
    including configuration file /etc/freeradius/modules/realm
    including configuration file /etc/freeradius/modules/detail.example.com
    including configuration file /etc/freeradius/modules/pap
    including configuration file /etc/freeradius/modules/passwd
    including configuration file /etc/freeradius/modules/policy
    including configuration file /etc/freeradius/modules/always
    including configuration file /etc/freeradius/modules/mac2vlan
    including configuration file /etc/freeradius/modules/expiration
    including configuration file /etc/freeradius/modules/wimax
    including configuration file /etc/freeradius/modules/logintime
    including configuration file /etc/freeradius/modules/acct_unique
    including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
    including configuration file /etc/freeradius/modules/sql_log
    including configuration file /etc/freeradius/modules/opendirectory
    including configuration file /etc/freeradius/modules/preprocess
    including configuration file /etc/freeradius/modules/pam
    including configuration file /etc/freeradius/modules/chap
    including configuration file /etc/freeradius/modules/dynamic_clients
    including configuration file /etc/freeradius/modules/exec
    including configuration file /etc/freeradius/modules/sradutmp
    including configuration file /etc/freeradius/modules/linelog
    including configuration file /etc/freeradius/modules/detail.l
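The two exchanges above describe the same mechanism from two sides: tomek's debug output shows 'głup.wór' reaching the SQL query as 'g=C5=82up.w=C3=B3r', and Arran's reply explains that the safe-characters check walks the User-Name byte by byte and MIME-encodes any byte that is not on the safe list. The Python below is an added model of that behaviour, not FreeRADIUS code: it reproduces the byte-oriented escape beside a per-code-point variant that keeps multibyte letters intact while still encoding quote and backslash. The safe-character list is an assumption modelled on the rlm_sql default, the query template is the one from the debug output, and the sample usernames are constructed.

```python
# Added example, not FreeRADIUS code: models the byte-wise "safe characters"
# escape that produces 'g=C5=82up.w=C3=B3r', next to a per-code-point variant.

# Assumed safe list, modelled loosely on rlm_sql's default safe-characters
# string; the real list is configured in sql.conf and is not on the page.
SAFE_CHARS = set(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "@.-_: /"
)

# Query template taken from the debug output in the post.
RADCHECK_QUERY = (
    "SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = '{user}' ORDER BY id"
)


def escape_bytewise(user_name: str) -> str:
    """Byte-oriented escape: every byte not in SAFE_CHARS becomes =XX.
    Each byte of a multibyte UTF-8 sequence is encoded on its own, which is
    exactly what turns the letter 'ł' (bytes C5 82) into '=C5=82'."""
    out = []
    for b in user_name.encode("utf-8"):
        if b < 0x80 and chr(b) in SAFE_CHARS:
            out.append(chr(b))
        else:
            out.append("=%02X" % b)
    return "".join(out)


def escape_utf8_aware(user_name: str) -> str:
    """Code-point-oriented escape: non-ASCII code points are kept verbatim,
    unsafe ASCII (quote, backslash, NUL, ...) is still =XX-encoded.

    Keeping non-ASCII verbatim is only safe because UTF-8 never places a
    byte below 0x80 inside a multibyte sequence, so a quote or backslash
    cannot hide inside a letter. The database connection and column must
    also be UTF-8, otherwise the bytes are reinterpreted on the SQL side."""
    out = []
    for ch in user_name:
        if ord(ch) >= 0x80 or ch in SAFE_CHARS:
            out.append(ch)
        else:
            out.extend("=%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def radcheck_query(user_name: str, escaper=escape_bytewise) -> str:
    """Expand the radcheck query the way %{SQL-User-Name} is expanded
    after the safe-characters escape has run."""
    return RADCHECK_QUERY.format(user=escaper(user_name))


if __name__ == "__main__":
    for name in ("głup.wór", "o'connor", "bob"):   # constructed samples
        print("bytewise  :", radcheck_query(name, escape_bytewise))
        print("utf8-aware:", radcheck_query(name, escape_utf8_aware))
```

Both escapers leave a SQL-significant quote encoded, so the UTF-8-aware variant does not weaken the injection defence the safe-character list provides; what it changes is only that a valid multibyte letter is no longer split into two escaped bytes, so a lookup for 'głup.wór' finds the row stored under that name.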
Re: Version 2.1.12 has been released
Alan DeKok, 2011-09-30 16:33:
> * Added support for PCRE from Phil Mayers

Sorry for not stepping up before, but it seems to me that this only went into the master, not in the 2.1.x branch.
Re: Multiple NAS freeradius
Thanks very much for the fastest and most effective answer.

2011/10/4 Arran Cudbard-Bell
>
> On 4 Oct 2011, at 13:32, Alejandro Gandara wrote:
>
> > Hi list,
> >
> > I'm using freeradius 2.1.10 with ldap and I have a doubt.
> >
> > I'm testing radius with two NAS, the first one an openvpn service and the
> > other one a Procurve switch.
> >
> > My question is the following:
> >
> > Can I configure the openvpn nas to read some attribute from the ldap (as
> > framedipaddress) and at the same time configure the switch procurve to read the
> > attribute pool-name from the radius?
> > How can I tell freeradius which attribute to read for each nas?
> >
> > For example:
> >
> > User1 connects through openvpn so it will get the ip provided from the
> > framedipaddress attribute.
> > User 1 disconnects openvpn.
> > User 1 connects with a wired connection so it will get the IP provided by
> > ippool after reading the poolname attribute from ldap.
>
> Sure...
>
> sites-available/default
>
> authorize {
>     if (Client-shortname == 'openvpn') {
>         update reply {
>             Framed-IP-Address := "%{ldap:my ldap query}"
>         }
>     }
>     else {
>         update reply {
>             My-Other-Attribute := "%{ldap:my ldap query}"
>         }
>     }
> }
>
> clients.conf
>
> client {
>     shortname = openvpn
> }
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: Multiple NAS freeradius
On 4 Oct 2011, at 13:32, Alejandro Gandara wrote:

> Hi list,
>
> I'm using freeradius 2.1.10 with ldap and I have a doubt.
>
> I'm testing radius with two NAS, the first one an openvpn service and the other
> one a Procurve switch.
>
> My question is the following:
>
> Can I configure the openvpn nas to read some attribute from the ldap (as
> framedipaddress) and at the same time configure the switch procurve to read the
> attribute pool-name from the radius?
> How can I tell freeradius which attribute to read for each nas?
>
> For example:
>
> User1 connects through openvpn so it will get the ip provided from the
> framedipaddress attribute.
> User 1 disconnects openvpn.
> User 1 connects with a wired connection so it will get the IP provided by
> ippool after reading the poolname attribute from ldap.

Sure...

sites-available/default

authorize {
    if (Client-shortname == 'openvpn') {
        update reply {
            Framed-IP-Address := "%{ldap:my ldap query}"
        }
    }
    else {
        update reply {
            My-Other-Attribute := "%{ldap:my ldap query}"
        }
    }
}

clients.conf

client {
    shortname = openvpn
}

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Multiple NAS freeradius
Hi list,

I'm using freeradius 2.1.10 with ldap and I have a doubt.

I'm testing radius with two NAS, the first one an openvpn service and the other one a Procurve switch.

My question is the following:

Can I configure the openvpn nas to read some attribute from the ldap (as framedipaddress) and at the same time configure the switch procurve to read the attribute pool-name from the radius? How can I tell freeradius which attribute to read for each nas?

For example:

User1 connects through openvpn so it will get the ip provided from the framedipaddress attribute.
User 1 disconnects openvpn.
User 1 connects with a wired connection so it will get the IP provided by ippool after reading the poolname attribute from ldap.

Thanks very much for your time and patience.

Regards,
Alejandro Gándara Álvarez
Re: Parsing the multiple attributes with same name
> For parsing the Cisco-Account-Info, I have written some unlang expressions but
> I don't know if it's the best way for freeradius performance. This makes a loop
> for every Cisco-Account-Info attribute. Are there any other ways that you can
> suggest?

Yes, using the foreach construct in version 3 :)

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Parsing the multiple attributes with same name
Hi,

Cisco ISG uses the same attribute with different values for multiple purposes. The value format defines the usage! Like: the Cisco-Account-Info attribute with a value beginning with V represents the accounting cookie, and a value beginning with S defines the session identifier.

For parsing the Cisco-Account-Info, I have written some unlang expressions but I don't know if it's the best way for freeradius performance. This makes a loop for every Cisco-Account-Info attribute. Are there any other ways that you can suggest?

if ("%{request:Cisco-Account-Info[*]}" =~ /(^|\n)(S([^\n]*))/) {
    update request {
        Cisco-Account-Info-Subscriber-Identifier := "%{3}"
    }
}

if ("%{request:Cisco-Account-Info[*]}" =~ /(^|\n)(V([^\n]*))/) {
    update request {
        Cisco-Account-Info-Accounting-Cookie := "%{3}"
    }
}

if ("%{request:Cisco-Service-Info[*]}" =~ /(^|\n)(N([^\n]*))/) {
    update request {
        Cisco-Service-Info-Service-Name := "%{3}"
    }
}

-
Deniz AYDIN
Senior Network Engineer
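To make concrete what the three unlang blocks above compute, and what the foreach construct Arran points at would replace them with, here is an added Python model; it is not FreeRADIUS or Cisco code. It joins all values of a multi-valued attribute with newlines, exactly as "%{request:Attr[*]}" expands, applies the post's regular expression to pick "%{3}" of the first match, and then does the same extraction in a single pass over the value list. The request contents are constructed sample values, not taken from a real ISG.

```python
import re

# Constructed sample request: several Cisco-Account-Info values carrying
# different prefixes (S = session identifier, V = accounting cookie, as the
# post describes) plus Cisco-Service-Info values (N = service name).
SAMPLE_REQUEST = {
    "Cisco-Account-Info": ["S10.0.0.1:1234", "Vcookie-abc123", "Ssecond-id"],
    "Cisco-Service-Info": ["Ninternet-basic", "Iother"],
}


def expand_all(request, attr):
    """Model of "%{request:Attr[*]}": every value of the attribute joined by newlines."""
    return "\n".join(request.get(attr, []))


def unlang_style_extract(request, attr, prefix):
    """The post's approach: match /(^|\n)(P([^\n]*))/ against the joined string
    and return %{3} (the text after the prefix) of the FIRST match, or None.
    The (^|\n) anchor means the prefix only counts at the start of a value."""
    pattern = r"(^|\n)(" + re.escape(prefix) + r"([^\n]*))"
    m = re.search(pattern, expand_all(request, attr))
    return m.group(3) if m else None


def foreach_style_extract(request, attr):
    """Single pass over the values, as a foreach over Attr[*] would do:
    map each leading letter to the remainder of the first value carrying it."""
    found = {}
    for value in request.get(attr, []):
        if value and value[0] not in found:
            found[value[0]] = value[1:]
    return found


def derive_attributes(request):
    """Produce the three derived attributes the post's unlang blocks set,
    using one pass per source attribute instead of one regex per prefix."""
    account = foreach_style_extract(request, "Cisco-Account-Info")
    service = foreach_style_extract(request, "Cisco-Service-Info")
    derived = {}
    if "S" in account:
        derived["Cisco-Account-Info-Subscriber-Identifier"] = account["S"]
    if "V" in account:
        derived["Cisco-Account-Info-Accounting-Cookie"] = account["V"]
    if "N" in service:
        derived["Cisco-Service-Info-Service-Name"] = service["N"]
    return derived


if __name__ == "__main__":
    for prefix in "SVX":
        print(prefix, "->", unlang_style_extract(SAMPLE_REQUEST, "Cisco-Account-Info", prefix))
    print(derive_attributes(SAMPLE_REQUEST))
```

Both approaches agree on the result (the first value with each prefix wins, later duplicates such as the second S value are ignored); the difference is cost. The regex version re-joins and re-scans the whole value list once per prefix, while the single pass reads each value once, which is what the foreach construct buys you.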
Re: SQL IP Pool Not Accepting Redundant SQL
> You can't, 'redundant_sql' is not an sql-instance. You need to create two
> instances of sqlippool, then wrap them in a redundant block...

If you're using FR >= 2.1.11 or 3.*, overload the sqlippool module in policy.conf:

policy {
    sqlippool {
        redundant {
            sqlippool1
            sqlippool2
        }
    }
}

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: SQL IP Pool Not Accepting Redundant SQL
On 4 Oct 2011, at 12:08, Det Det wrote:

> Hi,
>
> How to make sqlippool accept redundant SQL as below?
>
> sqlippool {
>     sql-instance-name = "redundant_sql"
>     ippool_table = "radippool"
>     ...
> }
>
> radiusd.conf
> ...
> redundant redundant_sql {
>     sql1
>     sql2
> }
> ...
>
> if I use sql-instance-name = "sql1" or sql-instance-name = "sql2", it works.
> But then, I'd like to do redundancy.
>
> sql-instance-name = "sql1 sql2" or sql-instance-name = "sql1, sql2" also does
> not work.

You can't, 'redundant_sql' is not an sql-instance. You need to create two instances of sqlippool, then wrap them in a redundant block...

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
SQL IP Pool Not Accepting Redundant SQL
Hi,

How to make sqlippool accept redundant SQL as below?

sqlippool {
    sql-instance-name = "redundant_sql"
    ippool_table = "radippool"
    ...
}

radiusd.conf
...
redundant redundant_sql {
    sql1
    sql2
}
...

if I use sql-instance-name = "sql1" or sql-instance-name = "sql2", it works. But then, I'd like to do redundancy.

sql-instance-name = "sql1 sql2" or sql-instance-name = "sql1, sql2" also does not work.

Thanks!
Det
Re: Using DB instead of radutmp for simultaneous-use tracking
On Tue, Oct 4, 2011 at 4:47 PM, Det Det wrote:
> Hi,
> Thanks a lot! Got it working! I'd like to extend the simul-check to a group
> simul value. That is, a group has a simul limit, then if the limit is reached a
> user belonging to that group should be denied login. Any idea how to
> implement this?

That's tricky. The easiest thing I can think of is to add a check using unlang in authorize (use "%{sql:" expansion to get the data), and if it exceeds the limit set Auth-Type := Reject

--
Fajar
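Fajar's suggestion, an authorize-time check that counts the group's open sessions with a "%{sql:...}" expansion and sets Auth-Type := Reject when the limit is reached, is modelled below as an added Python example; it is not FreeRADIUS code. It uses an in-memory SQLite database with constructed radacct and radusergroup rows (the column names follow the stock FreeRADIUS SQL schema; the per-group limits table and the COUNT query are assumptions), and the decision function returns what the unlang block would do rather than sending a packet.

```python
import sqlite3

# Assumed per-group simultaneous-use limits; in a real deployment these would
# live in a table or in the group's check items, not in a constant.
GROUP_LIMITS = {"students": 2, "staff": 5}

# Counts the group's sessions that have no Accounting-Stop yet. This is the
# query that would sit inside "%{sql:...}" in the authorize section.
GROUP_ACTIVE_SESSIONS_SQL = """
    SELECT COUNT(*) FROM radacct a
    JOIN radusergroup g ON g.username = a.username
    WHERE g.groupname = ? AND a.acctstoptime IS NULL
"""


def build_db():
    """Constructed sample data: two students online, one student who has
    already logged off, and one staff member online."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
        CREATE TABLE radacct (
            radacctid INTEGER PRIMARY KEY,
            username TEXT, acctstarttime TEXT, acctstoptime TEXT
        );
    """)
    db.executemany("INSERT INTO radusergroup VALUES (?, ?, ?)", [
        ("alice", "students", 1), ("bob", "students", 1),
        ("carol", "students", 1), ("dave", "staff", 1),
    ])
    db.executemany(
        "INSERT INTO radacct (username, acctstarttime, acctstoptime) VALUES (?, ?, ?)", [
            ("alice", "2011-10-04 10:00:00", None),
            ("bob", "2011-10-04 10:05:00", None),
            ("carol", "2011-10-04 09:00:00", "2011-10-04 09:30:00"),  # closed
            ("dave", "2011-10-04 08:00:00", None),
        ])
    return db


def group_of(db, username):
    """Highest-priority group for the user, as the radusergroup lookup gives it."""
    row = db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? "
        "ORDER BY priority LIMIT 1", (username,)).fetchone()
    return row[0] if row else None


def active_sessions_in_group(db, groupname):
    return db.execute(GROUP_ACTIVE_SESSIONS_SQL, (groupname,)).fetchone()[0]


def authorize(db, username):
    """Decision the unlang check would make: ('Reject', reason) when the
    group is at its limit, otherwise ('ok', None) so normal auth continues."""
    group = group_of(db, username)
    if group is None or group not in GROUP_LIMITS:
        return ("ok", None)
    active = active_sessions_in_group(db, group)
    limit = GROUP_LIMITS[group]
    if active >= limit:
        return ("Reject", "group %s has %d active sessions, limit %d" % (group, active, limit))
    return ("ok", None)


if __name__ == "__main__":
    db = build_db()
    for user in ("carol", "dave", "nobody"):
        print(user, "->", authorize(db, user))
```

Two caveats a practitioner would want before relying on this. The count is only as good as the accounting data: a missed Accounting-Stop leaves a session open in radacct and will block the whole group until it is cleaned up, which is the reason the earlier reply mentions simul_verify_query. And the check is not atomic with session start, so two logins racing through authorize can both see one free slot; treat the limit as a policy control, not a hard guarantee.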
Re: Using DB instead of radutmp for simultaneous-use tracking
Hi,

Thanks a lot! Got it working! I'd like to extend the simul-check to a group simul value. That is, a group has a simul limit, then if the limit is reached a user belonging to that group should be denied login. Any idea how to implement this?

Thanks!
Det

From: Fajar A. Nugraha
To: Det Det ; FreeRadius users mailing list
Sent: Friday, September 30, 2011 3:11 PM
Subject: Re: Using DB instead of radutmp for simultaneous-use tracking

On Fri, Sep 30, 2011 at 1:50 PM, Det Det wrote:
> Hi there,
> In the accounting section, radutmp is used for tracking simultaneous-use. Is
> there a way to use the DB::radacct table instead to check for simultaneous-use?

Sure. Comment-out radutmp and uncomment sql from the "session" and "accounting" sections.

See also sql/*/dialup.conf, look for "simul_count_query". I usually enable simul_count_query and comment-out simul_verify_query.

--
Fajar
Re: How to specify python modules used by rlm_python?
Hi,

> I'm trying to use rlm_python to integrate with my own authentication
> backend, but there's so little documentation about rlm_python. I even cannot
> find how to specify the path to the python module.

radiusd.py living in PYTHONPATH - export PYTHONPATH=$location

alan