Re: don't wait rlm_sql response

2013-04-02 Thread Fajar A. Nugraha
On Tue, Apr 2, 2013 at 9:13 AM, Mitsuhiro Nakamura nakam...@1pacific.ddo.jp wrote:

> Alan,
>
> Thank you.
> Our database has some problem and the response is slow.
> Since the problem itself seems to take a long time to fix, we wanted to
> avoid it.



Are you using sql ONLY for accounting?

If yes, then Olivier's suggestion on using decoupled accounting might help.
In fact, in some scenarios where the db is actually fast but has a somewhat
high latency (e.g. mysql cluster), I'd highly recommend that.

However, since you say the db response is slow, you'd only be putting a
band-aid on the wound. The detail file reader may very likely end up hours
or days behind the actual accounting packet.

> If there is no way to do it, then we will try to find another way.


Fix the db. It's the right thing to do.

The usual causes are:
- too much data (e.g. tens of millions of rows from years of accounting
data in a single table)
- inefficient indices (too many indexes, which slow down writes, or no index
used, which slows down reads)
- not enough disk IOPS available (e.g. using 2 x HDD in mirror mode for a
db that requires hundreds of writes per second)
- default, untuned db

A qualified dba should be able to help you.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: don't wait rlm_sql response

2013-04-02 Thread Mitsuhiro Nakamura

Yes, we use sql only for accounting. We will try decoupled accounting then.

There are some complex problems on our DB; the team and DBA are working
on it too. Thank you for the advice.


Thank you all for your help :)

Nakamura




Re: Freeradius Expire-After How To .. ?

2013-04-02 Thread Muhammad Nuzaihan bin Kamal Luddin
Hi,

Have you tried expiration module?

sqlcounter expiration {
   count-attribute = Acct-Session-Time
   counter-name = Max-Allowed-Session
   check-name = Expiration
   sqlmod-inst = sql
   key = User-Name
   reset = never
   # %{${key}} expands the User-Name at request time; a bare ${key} would
   # only insert the literal string "User-Name" when the config is loaded.
   query = SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), \
 MIN(AcctStartTime))),0) FROM radacct WHERE \
 UserName='%{${key}}' ORDER BY AcctStartTime LIMIT 1;
}

Of course you have to put expiration (without quotes) in:

- the instantiate portion of radiusd.conf
- the accounting section of sql.conf (or the sites-available/default file in
  debian)

You may have to add Expiration in the check attributes as well.


From what I have looked at within the daloradius code, you will need to set
the time settings in Plan.

Regards,
Muhammad Nuzaihan Bin Kamal Luddin

On Mon, 2013-04-01 at 17:12 +, Russell Mike wrote:
 Hi List,
 
 
 I need to expire the prepaid card after three months of first login.
 After reading the mail archives, I was able to figure out that I need to
 use the Expire-After FR attribute with a value in seconds. I was a bit
 unclear how to bring the module into action because I am unable
 to locate the Expire-After attribute for users (through Daloradius).
 Someone please help ...
 
 
 # Default Module Came With FR v2.2
 
 
 sqlcounter expire_on_login {
 counter-name = Expire-After-Initial-Login
 check-name = Expire-After
 sqlmod-inst = sql
 key = User-Name
 reset = never
 query = SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
  FROM radacct \
  WHERE UserName='%{${key}}' \
  ORDER BY acctstarttime \
  LIMIT 1;
 }
 
 
 
 
 Thanks / Regards
 
 
 RM --


Don't log user pass to database

2013-04-02 Thread Dmitry Korzhevin

Hi,

Guys, please tell - how to prevent freeradius from logging the password to the
radpostauth mysql (MariaDB) table?


I have modified /etc/freeradius/modules section to:


Post-Auth = INSERT INTO ${postauth_table} \
  (username, reply, authdate) VALUES \
  ('%{User-Name}', \
  '%{reply:Packet-Type}', '%S');


But it seems this does not help, as I see user passwords in the database.



Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhe...@stidia.com
m: +38 093 874 5453
w: http://www.stidia.com




Re: Don't log user pass to database

2013-04-02 Thread Phil Mayers


Have you restarted the server? Are you sure you're editing the file that 
FreeRADIUS is reading? Run radiusd -X and look at the debug output to 
see what files it is really reading.



Re: Freeradius Expire-After How To .. ?

2013-04-02 Thread Russell Mike
Thanks Muhammad,

The Expiration module (attribute) already works for me if I want to expire an
account on a calendar date; it does the job just fine. I need to expire
the account after 90 days, but the count must start after the first login.
Your help is appreciated / Thanks



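The check that the default expire_on_login sqlcounter quoted above and the query suggested by Muhammad perform, simulated here as an added example (not code from the thread or from FreeRADIUS): the counter is the number of seconds since the user's earliest AcctStartTime, the request is rejected once that reaches the Expire-After check value, and otherwise the remaining seconds are returned as Session-Timeout, which is the 90-days-from-first-login behaviour Russell asks for. An in-memory sqlite3 table stands in for MySQL's radacct, so the date arithmetic, the constructed rows and the 90-day limit are assumptions of this example.

```python
"""Simulation of the Expire-After sqlcounter check (added example, not
FreeRADIUS code). sqlite3 stands in for MySQL, so TIME_TO_SEC(TIMEDIFF(NOW(),
MIN(acctstarttime))) becomes plain integer arithmetic on unix timestamps."""
import sqlite3

EXPIRE_AFTER = 90 * 24 * 3600   # Expire-After check item: 90 days, in seconds
NOW = 1364900000                # constructed "current time" for the simulation
DAY = 24 * 3600

# Constructed radacct rows: (username, acctstarttime as unix seconds).
RADACCT = [
    ("alice", NOW - 10 * DAY),   # first login 10 days ago
    ("alice", NOW - 2 * DAY),
    ("bob", NOW - 100 * DAY),    # first login 100 days ago
    ("bob", NOW - 1 * DAY),      # a recent session does not restart the clock
]

# Same shape as the thread's query: seconds since the earliest session start,
# with IFNULL so a user who has never logged in counts as 0 rather than NULL.
# The username is a bound parameter, the equivalent of '%{${key}}'.
COUNTER_QUERY = (
    "SELECT IFNULL(? - MIN(acctstarttime), 0) FROM radacct WHERE username = ?"
)


def open_db():
    """Create the in-memory radacct table and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?)", RADACCT)
    return db


def seconds_since_first_login(db, user, now=NOW):
    """The counter value rlm_sqlcounter would read back for this user."""
    (value,) = db.execute(COUNTER_QUERY, (now, user)).fetchone()
    return int(value)


def sqlcounter_check(db, user, limit=EXPIRE_AFTER, now=NOW):
    """rlm_sqlcounter semantics: once counter >= check value the request is
    rejected; otherwise the remaining seconds become the reply Session-Timeout."""
    counter = seconds_since_first_login(db, user, now)
    if counter >= limit:
        return ("reject", 0)
    return ("ok", limit - counter)


if __name__ == "__main__":
    db = open_db()
    for user in ("alice", "bob", "carol"):
        print(user, sqlcounter_check(db, user))
```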

Re: Don't log user pass to database

2013-04-02 Thread A . L . M . Buxey
Hi,


As already said, ensure that you are editing the correct file (check what is
happening/being read with 'radiusd -X' for debug mode, or freeradiusd -X on
debian/ubuntu) and ensure you have actually restarted the server (it doesn't
just use a new SQL config when you edit the file). I changed the query to
specifically state 'password' as the User-Password:

Post-Auth = INSERT INTO ${postauth_table} \
  (username, password, reply, authdate) VALUES \
  ('%{User-Name}', 'password', \
  '%{reply:Packet-Type}', '%S');

alan


Real server certificate for PEAP

2013-04-02 Thread Rudolf Henze

Hi,

I am using freeradius 2.1.10 with a self-signed certificate, with PEAP and mschapv2 and LDAP authentication.

I've copied my CA certificate to all clients to be sure that I am really using the right network and not a fake SSID.


But this is a little inconvenient. Is it possible to use a real certificate? What do I need to bear in mind for that?


Thanx in advance
Rudolf


Re: Real server certificate for PEAP

2013-04-02 Thread Alan Buxey
A self-signed is real. It's just that you are the CA...which actually gives you 
greater security and keeps your authentication under your own destiny control.

If you believe that having a RADIUS server signed by a CA that is in the OS of 
your clients is the way you want to go, then simply go and buy a cert from eg 
thawte, verisign etc.

alan


Re: Real server certificate for PEAP

2013-04-02 Thread Phil Mayers


Several things:

First, anyone can get certs from public CAs, so you should ensure that 
your client is a) validating the server cert against the specific CA and 
b) validating the cert CN. Otherwise you are vulnerable to SSID spoofing 
and credential capture. Note that some platforms (Android?) can't 
validate cert CN, so can't be made secure.


Second, your cert will need to have the right OIDs and such. If you want 
it to be hassle free deployment, it'll need to be from a CA widely 
trusted by your client base, and ideally one that's easy to identify - 
specifically easy to pick from the validate cert list. Verisign have 
been bad at this - they've got lots of certs with friendly names all 
starting VeriSign Class 3 which get truncated on narrow (mobile) 
screens. Guess the cert!


Third, note that commercial CAs have a nasty habit of rotating their 
intermediate and top-level certs far more often than you would expect. 
We're in the irritating position of having a public cert (to avoid the 
deployment nightmare of a private cert on 10k unmanaged devices) and 
Verisign have just changed their root cert, despite it having 7 more 
years to run. So, all of those clients now have to re-trust the cert.


Sigh. X.509 really is the pits... It's a shame the TLS-based EAP methods 
are the only vaguely usable ones.



disconnect packet

2013-04-02 Thread Mehdi Ravanbakhsh
Hi All

Can we use Update control in unlang? If that is possible, in which file or
table are the CoA parameters such as port and IP address set?

I read originate-coa but it is not clear how I can use CoA to
disconnect a user in unlang.

Can you explain the steps to use update coa in unlang, please.

Best regards.

Re: disconnect packet

2013-04-02 Thread Alan DeKok
Mehdi Ravanbakhsh wrote:
 Can you explain the steps to use update coa in unlang, please.

  Read raddb/sites-available/originate-coa

  Most of your questions you ask are answered in the documentation.

  If you don't care enough to read the documentation, we won't care
enough to answer your questions.

  Alan DeKok.


originate-coa virtual server for each NAS

2013-04-02 Thread Mehdi Ravanbakhsh
Hi All

Do we need a separate originate-coa in sites-enabled for each NAS?

Do we need to define coa_server = coa in clients.conf for each client?

Re: CoA proxy error

2013-04-02 Thread Alan DeKok
Mehdi Ravanbakhsh wrote:
 Hi All :
 
 I have got this error in the log after setting up COA-originate in sites-enabled:
 
 WARNING: No previous template for proxy socket.  Source IP address may
 be chosen by the OS

  Don't edit the configuration files and break the server.

  If you do edit them, ensure you know what you're doing.

  Alan DeKok.


Re: CoA proxy error

2013-04-02 Thread Mehdi Ravanbakhsh
I found that:

in radiusd.conf: proxy_requests = yes

It works now for update disconnect, but for update coa it does not work. I
do not know if I am using it correctly:


default config:

preacct {
  update coa {
    User-Name = %{User-Name}
    Acct-Session-Id = %{Acct-Session-Id}
    NAS-IP-Address = %{NAS-IP-Address}
    Session-Timeout := 5
  }
}



On Wed, Apr 3, 2013 at 12:23 AM, Mehdi Ravanbakhsh baba...@gmail.com wrote:

 Hi All:

 I have got this error in the log after setting up COA-originate in sites-enabled:

 WARNING: No previous template for proxy socket.  Source IP address may be
 chosen by the OS
  ... adding new socket proxy address * port 16288
 ERROR: Failed to insert CoA request into proxy list.


 clients.conf:

 client lar {
 ipaddr = 5.190.103.4
 secret = testing123
 require_message_authenticator = no
 nastype = other
 coa_server = lar
 }


 coa-originate:

 home_server lar {
type = coa
ipaddr = 5.190.103.4
port = 1700
secret = testing123
coa {
  irt = 2
  mrt = 16
  mrc = 5
  mrd = 30
}
 }

 home_server_pool main {
  type = fail-over
  home_server = lar
 }


 default config:

 preacct {
   update disconnect {
User-Name = %{User-Name}
Acct-Session-Id = %{Acct-Session-Id}
   NAS-IP-Address = %{NAS-IP-Address}
  }
 }


Re: Real server certificate for PEAP

2013-04-02 Thread Muhammad Nuzaihan Kamal Luddin
Hi,

You will need to purchase a Unified Communications certificate from a
CA. 

To generate the CSR, here is the guide:

http://langui.sh/2009/02/27/creating-a-subjectaltname-sanucc-csr/

Regards,
Muhammad Nuzaihan Bin Kamal Luddin
