Re: don't wait rlm_sql response
On Tue, Apr 2, 2013 at 9:13 AM, Mitsuhiro Nakamura nakam...@1pacific.ddo.jp wrote:
> Alan, thank you. Our database has some problems and the response is slow. Since the problem itself seems to take a long time to fix, we wanted to avoid it.

Are you using sql ONLY for accounting? If yes, then Olivier's suggestion of using decoupled accounting might help. In fact, in some scenarios where the db is actually fast but has somewhat high latency (e.g. mysql cluster), I'd highly recommend that. However, since you say the db response is slow, you'd only be putting a band-aid on the wound. The detail file reader may very likely end up hours or days behind the actual accounting packets.

> If there is no way to do it, then we will try to find another way.

Fix the db. It's the right thing to do. The usual causes are:
- too much data (e.g. tens of millions of rows from years of accounting data in a single table)
- inefficient indices (too many indexes, which slows down writes, or no index used, which slows down reads)
- not enough disk IOPS available (e.g. using 2 x HDD in mirror mode for a db that needs hundreds of writes per second)
- default, untuned db

A qualified dba should be able to help you.

--
Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: don't wait rlm_sql response
Yes, we use sql only for accounting. We will try decoupled accounting then. There are some complex problems on our DB; the team and DBA are working on it too. Thank you for the advice. Thank you all for your help :)

Nakamura
Re: Freeradius Expire-After How To .. ?
Hi,

Have you tried the expiration module?

sqlcounter expiration {
        count-attribute = Acct-Session-Time
        counter-name = Max-Allowed-Session
        check-name = Expiration
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), \
                 MIN(AcctStartTime))),0) FROM radacct WHERE \
                 UserName='%{${key}}' ORDER BY AcctStartTime LIMIT 1;"
}

Of course you have to put expiration (without quotes) in:
- the instantiate portion of radiusd.conf
- the accounting section of sql.conf (or the sites-available/default file in debian)

You may have to add Expiration in the check attributes as well. From what I have seen in the daloradius code, you will need to set the time settings in Plan.

Regards,
Muhammad Nuzaihan Bin Kamal Luddin

On Mon, 2013-04-01 at 17:12, Russell Mike wrote:
> Hi List,
>
> I need to expire the prepaid card three months after first login. After reading the mail archives, I was able to figure out that I need to use the Expire-After FR attribute with a value in seconds. I was a bit unclear on how to bring the module into action, because I am unable to locate the Expire-After attribute for users (through Daloradius). Someone please help ...
>
> # Default module that came with FR v2.2
> sqlcounter expire_on_login {
>         counter-name = Expire-After-Initial-Login
>         check-name = Expire-After
>         sqlmod-inst = sql
>         key = User-Name
>         reset = never
>         query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
>                  FROM radacct \
>                  WHERE UserName='%{${key}}' \
>                  ORDER BY acctstarttime \
>                  LIMIT 1;"
> }
>
> Thanks / Regards
> RM
Don't log user pass to database
Hi Guys,

Please tell me how to prevent freeradius from logging the password to the radpostauth mysql (MariaDB) table. I have modified the /etc/freeradius/modules section to:

Post-Auth = INSERT INTO ${postauth_table} \
        (username, reply, authdate) VALUES \
        ('%{User-Name}', \
        '%{reply:Packet-Type}', '%S');

But it seems this does not help, as I still see user passwords in the database.

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg
e: dmitry.korzhe...@stidia.com
m: +38 093 874 5453
w: http://www.stidia.com
Re: Don't log user pass to database
Have you restarted the server? Are you sure you're editing the file that FreeRADIUS is reading? Run radiusd -X and look at the debug output to see what files it is really reading.
Re: Freeradius Expire-After How To .. ?
Thanks Muhammed,

The Expiration module (attribute) already works for me if I want to expire an account on a calendar date; it does the job just fine. I need to expire the account after 90 days, but the count must start after the first login.

Your help is appreciated / Thanks
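As an added example (not code from the list posts or from FreeRADIUS), the following Python models what the sqlcounter above does with its query result: the seconds since the user's earliest AcctStartTime become the counter, which is compared against the Expire-After check value (90 days here), and a user who has never logged in counts as 0, like the IFNULL(...,0) in Muhammad's query. The radacct rows, the fixed NOW value and SQLite standing in for MySQL are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed radacct sample with only the columns the sqlcounter query uses.
# alice first logged in 91 days before NOW, bob about 32 days before.
SAMPLE_RADACCT = [
    ("alice", "2013-01-01 10:00:00"),
    ("alice", "2013-03-20 08:00:00"),
    ("bob",   "2013-03-01 12:00:00"),
]
NOW = datetime(2013, 4, 2, 10, 0, 0)                    # fixed NOW() for a repeatable run
EXPIRE_AFTER = int(timedelta(days=90).total_seconds())  # Expire-After check value, seconds


def open_radacct():
    """In-memory stand-in for the radacct table (assumption: SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?)", SAMPLE_RADACCT)
    return conn


def seconds_since_first_login(conn, username, now=NOW):
    """Counter value: seconds elapsed since the user's earliest AcctStartTime.

    Mirrors IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))), 0) from the
    post above; SQLite has no TIMEDIFF, so the subtraction is done in Python.
    No accounting rows (never logged in) yields 0, exactly like the IFNULL.
    """
    row = conn.execute(
        "SELECT MIN(AcctStartTime) FROM radacct WHERE UserName = ?",
        (username,)).fetchone()
    if row is None or row[0] is None:
        return 0
    first = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
    return int((now - first).total_seconds())


def expire_after_decision(counter, limit=EXPIRE_AFTER):
    """sqlcounter semantics with reset = never: once the counter reaches the
    check value the request is rejected; otherwise it is accepted and the
    remaining seconds are what the module would offer as Session-Timeout."""
    if counter >= limit:
        return ("reject", 0)
    return ("accept", limit - counter)
```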
Re: Don't log user pass to database
As already said, ensure that you are editing the correct file (check what is happening/read with 'radiusd -X' for debug mode, or 'freeradius -X' on debian/ubuntu) and ensure you have actually restarted the server (it doesn't just use a new SQL config when you edit the file).

I changed the query to specifically state 'password' as the User-Password:

Post-Auth = INSERT INTO ${postauth_table} \
        (username, password, reply, authdate) VALUES \
        ('%{User-Name}', 'password', \
        '%{reply:Packet-Type}', '%S');

alan
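An added example (not from the thread or from FreeRADIUS itself) of the checks a practitioner would run around this problem: flag a postauth query template that still expands a password attribute, audit radpostauth for rows written after the config change that still carry a non-empty pass column (which, as the replies say, means the running server never loaded the edit), and blank the credentials the old query already recorded. The table rows, the change timestamp, the default-query text (quoted from memory of the 2.x sql/mysql/dialup.conf) and SQLite standing in for MariaDB are assumptions.

```python
import re
import sqlite3

# Postauth template the 2.x sql module ships (assumed, from memory of
# sql/mysql/dialup.conf) beside a hardened variant that drops the pass column.
DEFAULT_POSTAUTH_QUERY = (
    "INSERT INTO ${postauth_table} (username, pass, reply, authdate) VALUES "
    "('%{User-Name}', '%{User-Password:-%{Chap-Password}}', "
    "'%{reply:Packet-Type}', '%S')"
)
HARDENED_POSTAUTH_QUERY = (
    "INSERT INTO ${postauth_table} (username, reply, authdate) VALUES "
    "('%{User-Name}', '%{reply:Packet-Type}', '%S')"
)

# Constructed radpostauth rows in the 2.x layout (username, pass, reply, authdate).
# The first two were written by the default query, the third by the hardened
# query after the (assumed) config change and restart at 11:10.
SAMPLE_RADPOSTAUTH = [
    ("alice", "s3cret",  "Access-Accept", "2013-04-02 11:09:00"),
    ("bob",   "hunter2", "Access-Reject", "2013-04-02 11:09:05"),
    ("carol", "",        "Access-Accept", "2013-04-02 11:12:00"),
]
CONFIG_CHANGED_AT = "2013-04-02 11:10:00"

PASSWORD_XLAT = re.compile(r"%\{(?:User|CHAP|Chap)-Password")


def query_logs_password(template):
    """True if the postauth query template still expands a password attribute."""
    return PASSWORD_XLAT.search(template) is not None


def open_radpostauth():
    """In-memory stand-in for the radpostauth table (assumption: SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radpostauth (id INTEGER PRIMARY KEY, "
                 "username TEXT, pass TEXT, reply TEXT, authdate TEXT)")
    conn.executemany("INSERT INTO radpostauth (username, pass, reply, authdate) "
                     "VALUES (?, ?, ?, ?)", SAMPLE_RADPOSTAUTH)
    return conn


def rows_with_password(conn, since=CONFIG_CHANGED_AT):
    """Rows written at or after `since` that still carry a credential. A non-zero
    count after the change means the running server never picked up the edit."""
    return conn.execute("SELECT COUNT(*) FROM radpostauth WHERE authdate >= ? "
                        "AND pass <> ''", (since,)).fetchone()[0]


def scrub_passwords(conn):
    """Blank credentials the old query already stored; returns rows changed."""
    cur = conn.execute("UPDATE radpostauth SET pass = '' WHERE pass <> ''")
    conn.commit()
    return cur.rowcount
```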
Real server certificate for PEAP
Hi,

I am using freeradius 2.1.10 with a self-signed certificate, PEAP with mschapv2 and LDAP authentication. I've copied my CA certificate to all clients to be sure that I am really using the right network and not a fake SSID. But this is a little inconvenient. Is it possible to use a real certificate? What do I need to bear in mind for that?

Thanks in advance
Rudolf
Re: Real server certificate for PEAP
A self-signed cert is real. It's just that you are the CA... which actually gives you greater security and keeps your authentication under your own control. If you believe that having a RADIUS server signed by a CA that is in the OS of your clients is the way you want to go, then simply go and buy a cert from e.g. thawte, verisign etc.

alan
Re: Real server certificate for PEAP
Several things:

First, anyone can get certs from public CAs, so you should ensure that your client is a) validating the server cert against the specific CA and b) validating the cert CN. Otherwise you are vulnerable to SSID spoofing and credential capture. Note that some platforms (Android?) can't validate the cert CN, so can't be made secure.

Second, your cert will need to have the right OIDs and such. If you want a hassle-free deployment, it'll need to be from a CA widely trusted by your client base, and ideally one that's easy to identify - specifically, easy to pick from the validate-cert list. Verisign have been bad at this - they've got lots of certs with friendly names all starting "VeriSign Class 3", which get truncated on narrow (mobile) screens. Guess the cert!

Third, note that commercial CAs have a nasty habit of rotating their intermediate and top-level certs far more often than you would expect. We're in the irritating position of having a public cert (to avoid the deployment nightmare of a private cert on 10k unmanaged devices) and Verisign have just changed their root cert, despite it having 7 more years to run. So all of those clients now have to re-trust the cert. Sigh.

X.509 really is the pits... It's a shame the TLS-based EAP methods are the only vaguely usable ones.
disconnect packet
Hi All,

Can we use "update control" in unlang? If that is possible, in which file or table are the CoA parameters such as port and IP address set? I read originate-coa, but it is not clear to me how I can use CoA to disconnect a user in unlang. Can you explain the steps to use "update coa" in unlang, please?

Best regards.
Re: disconnect packet
Mehdi Ravanbakhsh wrote:
> Can you explain the steps to use update coa in unlang, please?

Read raddb/sites-available/originate-coa

Most of the questions you ask are answered in the documentation. If you don't care enough to read the documentation, we won't care enough to answer your questions.

Alan DeKok.
originate-coa virtual server for each NAS
Hi All,

Do we need a separate originate-coa in sites-enabled for each NAS? Do we need to define coa_server = coa in clients.conf for each client?
Re: CoA proxy error
Mehdi Ravanbakhsh wrote:
> Hi All,
> I get this error in the log after setting up originate-coa in sites-enabled:
> WARNING: No previous template for proxy socket. Source IP address may be chosen by the OS

Don't edit the configuration files and break the server. If you do edit them, ensure you know what you're doing.

Alan DeKok.
Re: CoA proxy error
I found that, in radiusd.conf:

        proxy_requests = yes

It works now for update disconnect, but for update coa it does not work. I do not know if I am using it correctly:

default config:

preacct {
        update coa {
                User-Name = %{User-Name}
                Acct-Session-Id = %{Acct-Session-Id}
                NAS-IP-Address = %{NAS-IP-Address}
                Session-Timeout := 5
        }
}

On Wed, Apr 3, 2013 at 12:23 AM, Mehdi Ravanbakhsh baba...@gmail.com wrote:
> Hi All,
> I get this error in the log after setting up originate-coa in sites-enabled:
>
> WARNING: No previous template for proxy socket. Source IP address may be chosen by the OS
> ... adding new socket proxy address * port 16288
> ERROR: Failed to insert CoA request into proxy list.
>
> clients.conf:
>
> client lar {
>         ipaddr = 5.190.103.4
>         secret = testing123
>         require_message_authenticator = no
>         nastype = other
>         coa_server = lar
> }
>
> originate-coa:
>
> home_server lar {
>         type = coa
>         ipaddr = 5.190.103.4
>         port = 1700
>         secret = testing123
>         coa {
>                 irt = 2
>                 mrt = 16
>                 mrc = 5
>                 mrd = 30
>         }
> }
>
> home_server_pool main {
>         type = fail-over
>         home_server = lar
> }
>
> default config:
>
> preacct {
>         update disconnect {
>                 User-Name = %{User-Name}
>                 Acct-Session-Id = %{Acct-Session-Id}
>                 NAS-IP-Address = %{NAS-IP-Address}
>         }
> }
Re: Real server certificate for PEAP
Hi,

You will need to purchase a Unified Communications certificate from a CA. To generate the CSR, here is the guide: http://langui.sh/2009/02/27/creating-a-subjectaltname-sanucc-csr/

Regards,
Muhammad Nuzaihan Bin Kamal Luddin