Re: How to configure redundant radius?
Christ Schlacta wrote:
> I have about 8 users, with on average 2.2 systems per, for a total of
> about 20 clients, but I'm setting up redundancy because I've got
> basically two systems, both of which have fairly low uptime by
> enterprise standards, and downtime is met with much headache and
> griping.

Maybe you should concentrate on fixing those systems rather than trying to add complexity.

> Is there no other way to coerce these single-ip devices to
> work with a pair or more of radius servers, or no other way to configure
> reliable failover?

Magic.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to configure redundant radius?
hi,

you can build oracle solaris cluster (two servers are in cluster with same IP) or you can use brodhop device to use one IP for two different servers.

anatolii

30 December 2011, 23:02, from Christ Schlacta:
> I've got a number of devices all of which only have the option for one
> radius IP address (not hostname!) to be configured. How can I configure
> this type of device for failover (and optionally balance)? is there
> some PROPER way to do this? or am I limited to only being able to have
> one fr server configured for these particular devices?
Re: How to configure redundant radius?
I have about 8 users, with on average 2.2 systems per, for a total of about 20 clients, but I'm setting up redundancy because I've got basically two systems, both of which have fairly low uptime by enterprise standards, and downtime is met with much headache and griping.

Is there no other way to coerce these single-ip devices to work with a pair or more of radius servers, or no other way to configure reliable failover?

On 12/30/2011 11:37, Alan DeKok wrote:
> Christ Schlacta wrote:
>> I've got a number of devices all of which only have the option for one
>> radius IP address (not hostname!) to be configured. How can I configure
>> this type of device for failover (and optionally balance)? is there
>> some PROPER way to do this? or am I limited to only being able to have
>> one fr server configured for these particular devices?
>
> If the devices only allow one IP for the RADIUS server, you can only have one RADIUS server. You need to make sure the server is running.
>
> See various HA systems for redundancy. But if you have less than 10K users, it's probably not worth it. Just monitor the system to be sure it doesn't go down.
>
> Alan DeKok.
Re: How to configure redundant radius?
Christ Schlacta wrote:
> I've got a number of devices all of which only have the option for one
> radius IP address (not hostname!) to be configured. How can I configure
> this type of device for failover (and optionally balance)? is there
> some PROPER way to do this? or am I limited to only being able to have
> one fr server configured for these particular devices?

If the devices only allow one IP for the RADIUS server, you can only have one RADIUS server. You need to make sure the server is running.

See various HA systems for redundancy. But if you have less than 10K users, it's probably not worth it. Just monitor the system to be sure it doesn't go down.

Alan DeKok.
Re: Proxy Radius - Deny user based on username preproxy
Nathan M wrote:
> I operate a proxy radius server which proxies requests downstream. A
> few particular usernames are repeating far more frequently than they
> should and I have no way to eliminate this upstream. I do need to
> authenticate the users though and not deny them. The goal would be to
> authenticate them at the proxy level so it does not send the request
> downstream at all.
>
> Ideally an entry something to the tune of:
>
>     userx Cleartext-Password := "xxx"
>             Session-Timeout = 604800,
>             Idle-Timeout = 604800,
>             Acct-Interim-Interval = 4084,
>             Fall-Through = No

That should work.

> I've reviewed and done dozens of attempts using the preproxy_users,
> and users file (by trying with files above and below the suffix line
> in authorize{}); however, none of my attempts have been successful.

See the FAQ for "it doesn't work".

> The lines match when viewing debug; however, by entering anything
> other than Auth-Type := Reject within the users file, the
> authentication proceeds on its merry way to the proxy process
> downstream.
>
> Any advice on a config which will accomplish this?

Read the debug output. It will tell you why it's being proxied.

Alan DeKok.
Proxy Radius - Deny user based on username preproxy
To any freeradius guru,

I operate a proxy radius server which proxies requests downstream. A few particular usernames are repeating far more frequently than they should and I have no way to eliminate this upstream. I do need to authenticate the users though and not deny them. The goal would be to authenticate them at the proxy level so it does not send the request downstream at all.

Ideally an entry something to the tune of:

    userx Cleartext-Password := "xxx"
            Session-Timeout = 604800,
            Idle-Timeout = 604800,
            Acct-Interim-Interval = 4084,
            Fall-Through = No

I've reviewed and done dozens of attempts using the preproxy_users, and users file (by trying with files above and below the suffix line in authorize{}); however, none of my attempts have been successful. The lines match when viewing debug; however, by entering anything other than Auth-Type := Reject within the users file, the authentication proceeds on its merry way to the proxy process downstream.

Any advice on a config which will accomplish this?

Thanks,
N
How to configure redundant radius?
I've got a number of devices all of which only have the option for one radius IP address (not hostname!) to be configured. How can I configure this type of device for failover (and optionally balance)? is there some PROPER way to do this? or am I limited to only being able to have one fr server configured for these particular devices?
Re: Rlm_ippool provides invalid IP
On Fri, Dec 30, 2011 at 11:16 PM, Arlindo F. Neto wrote:
> On some
> systems, these addresses do not work. Looking for a way to make
> the freeradius does not provide addresses in .0 or .255.

rlm_sqlippool might suit you better. Every ip address is a table row, so you can easily exclude whatever ip you don't want by simply not having a row with that ip address.

--
Fajar
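The suggestion above, that with rlm_sqlippool an address you never want handed out simply gets no row, can be turned into a small pool-population script. The following is an added example for this thread, not FreeRADIUS code or anything the posters wrote. It enumerates a range like the poster's pool1 (the page masks the first two octets as xxx.xxx, so the 192.168.36.1 to 192.168.39.152 range below is constructed), drops every host whose last octet is 0 or 255, and renders one INSERT per remaining address. The table and column names radippool(pool_name, framedipaddress) follow the stock sqlippool schema and should be checked against your own schema file.

```python
# Added example, not FreeRADIUS code: enumerate a pool range while skipping
# host addresses whose last octet is 0 or 255, and render them as rows for
# an rlm_sqlippool table (one row per assignable address, so an address with
# no row is never handed out).
#
# Assumptions: the range 192.168.36.1-192.168.39.152 is constructed to match
# the shape of the poster's pool (the page masks the first two octets);
# the table/column names radippool(pool_name, framedipaddress) follow the
# stock sqlippool schema and should be checked against your own schema file.
import ipaddress
from typing import Iterable, List, Tuple


def pool_addresses(range_start: str, range_stop: str,
                   skip_last_octet: Tuple[int, ...] = (0, 255)) -> List[str]:
    """Return every IPv4 address from range_start to range_stop inclusive,
    omitting those whose last octet is in skip_last_octet.

    Inside a range larger than a /24 the .0 and .255 hosts are valid
    addresses; they are skipped only because some client devices refuse
    them, which is the situation described in the thread."""
    start = ipaddress.IPv4Address(range_start)
    stop = ipaddress.IPv4Address(range_stop)
    if stop < start:
        raise ValueError("range-stop must not precede range-start")
    kept = []
    for n in range(int(start), int(stop) + 1):
        if (n & 0xFF) in skip_last_octet:
            continue
        kept.append(str(ipaddress.IPv4Address(n)))
    return kept


def sqlippool_inserts(pool_name: str, addresses: Iterable[str]) -> List[str]:
    """Render one INSERT statement per address for the radippool table.

    pool_name is an operator-chosen label from the server config, not
    request data; the quote check keeps the generated SQL well-formed."""
    if "'" in pool_name:
        raise ValueError("pool_name must not contain a quote character")
    return [
        "INSERT INTO radippool (pool_name, framedipaddress) "
        f"VALUES ('{pool_name}', '{addr}');"
        for addr in addresses
    ]


if __name__ == "__main__":
    # constructed range mirroring the poster's pool1 (xxx.xxx.36.1-xxx.xxx.39.152)
    addrs = pool_addresses("192.168.36.1", "192.168.39.152")
    print(f"{len(addrs)} assignable addresses; first {addrs[0]}, last {addrs[-1]}")
    for stmt in sqlippool_inserts("pool1", addrs[:3]):
        print(stmt)
```

For the constructed range this yields 914 rows: the 920 addresses between the endpoints minus the six ending in .0 or .255 (36.255, 37.0, 37.255, 38.0, 38.255, 39.0). Feeding the statements to the pool's database is the only step left; the server then never sees those six addresses as candidates.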
RE: Error Reading Certificate file
That got it, thanks. I had changed the permission on the files but not the certs directory.

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-----Original Message-----
From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org [mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, December 30, 2011 10:22 AM
To: FreeRadius users mailing list
Subject: Re: Error Reading Certificate file

McSparin, Joe wrote:
> Get this error when running radiusd -X. I checked my passwords in
> eap.cnf, ca.cnf, server.cnf and client.cnf
>
> rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
> rlm_eap_tls: Error reading certificate file
> /usr/local/etc/raddb/certs/server.pem'

Well... check the permissions. You're likely running the server as "radiusd", and the files are readable only by "root".

Alan DeKok.

--
This email message and any attachments are for the sole use of the intended recipient(s) and contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.
Re: Rlm_ippool provides invalid IP
Arlindo F. Neto wrote:
> I agree with you, it should not be a problem, but it is! On some
> systems, these addresses do not work. Looking for a way to make
> the freeradius does not provide addresses in .0 or .255.

Modify the source code to rlm_ippool.

Alan DeKok.
Re: Error Reading Certificate file
McSparin, Joe wrote:
> Get this error when running radiusd -X. I checked my passwords in
> eap.cnf, ca.cnf, server.cnf and client.cnf
>
> rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
> rlm_eap_tls: Error reading certificate file
> /usr/local/etc/raddb/certs/server.pem'

Well... check the permissions. You're likely running the server as "radiusd", and the files are readable only by "root".

Alan DeKok.
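The fix reported earlier in this thread (the files had been made readable, but not the certs directory) is a common trap: the kernel checks the search (x) bit of every directory on the path before it ever looks at the file's read bit, so a world-readable server.pem inside a 0700 certs directory still fails with "Permission denied" for the service user. The script below is an added example for this thread, not FreeRADIUS code or anything the posters wrote. It walks the path the way the kernel does for a given uid and group list and reports the first component that refuses access. It assumes plain POSIX mode bits only (no ACLs, capabilities or root override), and its demo builds a throwaway directory tree so it runs without a real raddb.

```python
# Added example, not FreeRADIUS code: explain why a service account cannot
# open a file such as raddb/certs/server.pem by checking, directory by
# directory, the POSIX mode bits the kernel consults. A world-readable file
# inside a certs directory with no search (x) bit for the service user still
# fails with "Permission denied", which is what the thread ran into.
#
# Assumptions: plain mode bits only (no ACLs, capabilities or root override);
# the uid/gid list is supplied by the caller; the demo builds a throwaway
# directory tree so it runs without a real raddb.
import os
import stat
import tempfile
from typing import Dict, List, Sequence


def _class_allows(st: os.stat_result, uid: int, gids: Sequence[int], need: str) -> bool:
    """Test bit `need` ('r' or 'x') in the owner/group/other class that
    uid/gids fall into, mirroring the kernel's permission-class selection."""
    if st.st_uid == uid:
        bits = {"r": stat.S_IRUSR, "x": stat.S_IXUSR}
    elif st.st_gid in gids:
        bits = {"r": stat.S_IRGRP, "x": stat.S_IXGRP}
    else:
        bits = {"r": stat.S_IROTH, "x": stat.S_IXOTH}
    return bool(st.st_mode & bits[need])


def explain_read_access(path: str, uid: int, gids: Sequence[int]) -> List[str]:
    """Return the reasons uid/gids cannot read `path`; an empty list means
    every ancestor directory is searchable and the file itself is readable."""
    path = os.path.abspath(path)
    ancestors = []
    d = os.path.dirname(path)
    while True:
        ancestors.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    problems = []
    for d in reversed(ancestors):  # root first, closest directory last
        try:
            st = os.stat(d)
        except FileNotFoundError:
            return problems + [f"{d}: does not exist"]
        if not _class_allows(st, uid, gids, "x"):
            problems.append(f"{d}: directory not searchable (no x bit) for uid {uid}")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return problems + [f"{path}: does not exist"]
    if not _class_allows(st, uid, gids, "r"):
        problems.append(f"{path}: file not readable (no r bit) for uid {uid}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Reproduce the thread's situation in a temp tree: server.pem is 0644
    but its certs directory is 0700, so the owner can read it and a
    different (service) uid cannot. Returns the findings for both."""
    root = tempfile.mkdtemp(prefix="raddb-demo-")
    certs = os.path.join(root, "certs")
    os.mkdir(certs)
    pem = os.path.join(certs, "server.pem")
    with open(pem, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
    os.chmod(pem, 0o644)
    os.chmod(certs, 0o700)
    me = os.getuid()
    service_uid = 65534 if me != 65534 else 65533  # any uid that is not the owner
    return {
        "owner": explain_read_access(pem, me, [os.getgid()]),
        "service": explain_read_access(pem, service_uid, []),
    }


if __name__ == "__main__":
    for who, findings in demo().items():
        print(who, "->", findings or ["ok"])
```

To use it against a real installation, call explain_read_access with the certificate path and the uid and group ids the server actually runs as (the "user" and "group" settings in radiusd.conf), and fix the first directory it names; the output distinguishes a non-searchable directory from an unreadable file, which is exactly the distinction the thread stumbled over.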
Re: Rlm_ippool provides invalid IP
Hi Alan,

Thanks for your help. I agree with you, it should not be a problem, but it is! On some systems, these addresses do not work. Looking for a way to make the freeradius does not provide addresses in .0 or .255.

Regards,

2011/12/30 Alan DeKok
> Arlindo F. Neto wrote:
>> When I use a range of addresses greater than one network /24,
>> the ippool provides IP to the client with zero end (eg 192.168.10.0).
>
> Yes.
>
>> Is there any configuration to be done to solve this problem?
>
> No.
>
> It's not a problem. 192.168.10.0 is a valid IP address.
>
> It's true that many systems *assume* that .0 is invalid. Those
> systems are broken.
>
> Similarly, .255 is a valid IP address.
>
> Alan DeKok.
Error Reading Certificate file
Get this error when running radiusd -X. I checked my passwords in eap.cnf, ca.cnf, server.cnf and client.cnf

    rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
    rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server.pem
    rlm_eap: Failed to initialize type tls
    /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
    /usr/local/etc/raddb/sites-enabled/default[314]: Failed to load module "eap".
    /usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section.

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org
Re: Rlm_ippool provides invalid IP
Arlindo F. Neto wrote:
> When I use a range of addresses greater than one network /24,
> the ippool provides IP to the client with zero end (eg 192.168.10.0).

Yes.

> Is there any configuration to be done to solve this problem?

No.

It's not a problem. 192.168.10.0 is a valid IP address.

It's true that many systems *assume* that .0 is invalid. Those systems are broken.

Similarly, .255 is a valid IP address.

Alan DeKok.
Rlm_ippool provides invalid IP
Hi,

When I use a range of addresses greater than one network /24, the ippool provides IP to the client with zero end (eg 192.168.10.0).

The IP Pool configuration on radiusd.conf:

    ippool pool1 {
        range-start = xxx.xxx.36.1
        range-stop = xxx.xxx.39.152
        netmask = 255.255.255.255
        cache-size = 922
        session-db = ${raddbdir}/ippool/db.pool1
        ip-index = ${raddbdir}/ippool/db.pool1index
        override = no
        maximum-timeout = 30
    }

With this configuration, freeradius frequently hands out invalid IP addresses, for example:

    xxx.xxx.37.0
    xxx.xxx.38.0
    xxx.xxx.39.0

Is there any configuration to be done to solve this problem?

Regards,
Re: jradius onfail FAIL and REJECT
Christian Springer wrote:
> Hello,
>
> in the jRadius config there are the options FAIL and REJECT for the onfail
> parameter. Can someone explain the difference?

These are module return codes as defined in "man unlang".

Alan DeKok.
jradius onfail FAIL and REJECT
Hello,

in the jRadius config there are the options FAIL and REJECT for the onfail parameter. Can someone explain the difference? Behaviour seems identical in wireshark traces, sending an Access-Reject in both cases.

Thanks
Christian