Re: Freeradius - MySQL Update problem
Hi musoket,

    rad_recv: Accounting-Request packet from host n.a.s.1:1646, id=239, length=531
        Acct-Session-Id = 0024F8FF
        Calling-Station-Id = 442098765432
        Called-Station-Id = 0002561234567
        h323-setup-time = h323-setup-time=16:53:14.471 GMT+3 Mon Aug 6 2007
        h323-gw-id = h323-gw-id=Rotelkom_Gateway.www.nas.co.ug
        h323-conf-id = h323-conf-id=B4550CDC FAA011D6 887DF94C E05F1EEE
        h323-call-origin = h323-call-origin=answer
        h323-call-type = h323-call-type=VoIP
        Cisco-AVPair = h323-incoming-conf-id=B4550CDC FAA011D6 887DF94C E05F1EEE
        Cisco-AVPair = subscriber=Unknown
        Cisco-AVPair = session-protocol=cisco
        Cisco-AVPair = gw-rxd-cdn=ton:0,npi:1,#:0002561234567
        User-Name = rem.ote.add.ress
        Cisco-AVPair = connect-progress=Call Up
        Acct-Authentic = 0
        Acct-Status-Type = Start
        Service-Type = Login-User
        NAS-IP-Address = n.a.s.1
        Acct-Delay-Time = 10

At the beginning of this thread you said that you saw in logs h323-remote-address, but not in the sql database. From this snapshot, I don't see an entry with

    h323-remote-address = h323-remote-address=x.y.z.t

If you get the remote-address as User-Name, you can store that field in db.

Regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Need help in double logins in radacct
Thursday, August 9, 2007, 10:38:27 AM, you wrote:

> could help me distinguish why it has double record in mysql. But when in radius logs, it has one request only.
>
> | RadAcctId | AcctSessionId | UserName |
> | 517069    | 3C001FC0      | foo      |
> | 517071    | 3C001FC0      | foo      |
> | 517075    | 3C001FC0      | foo      |

Hi Nelson,

RadAcctId is an autoincrement field, so it will be different for sure. There is no reason to have those dups unless the INSERT query is run multiple times.

1) Are you sure that you have only one request coming to fr? If no, the duplicates can be generated by the radius client if it doesn't get a reply quick enough. Decreasing database response time and increasing radius timeout on client can help.

2) AcctStopTime is different? If no, check 1) again :D If yes, maybe the radius client sends a weak AcctSessionId (you can create one using the acct_unique)

Best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113
Re[2]: Freeradius - MySQL Update problem
For Cisco, please be sure that you have in your config

    radius-server vsa send accounting
    gw-accounting aaa

(or gw-accounting h323 aaa for an older IOS)

Best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113

Monday, August 6, 2007, 6:58:06 PM, Ivan Kalik wrote:

> PS. BTW there is no h323-remote-address attribute in those requests.
Re[2]: Freeradius - MySQL Update problem
Hi musoket,

>> You should use the %{h323-remote-address} variable
> That is in fact the variable that I am using in my insert and update

Don't forget that you have (at least) 2 call legs for each call. With as5350, I guess you will have one voip call leg and one PSTN call leg. The PSTN call leg won't have any h323-remote-address, because it's not VoIP. The AS will notify the radius for each call leg, so you should have two STOPs for each call.

I don't see anything wrong with your insert query. It should work. Be sure to have in the dictionary the ATTRIBUTE h323-remote-address for vendor cisco (but if your logs contain h323-remote-address, then you probably have that).

Best regards,
Claudiu Filip
sorry, I ran out of business cards
Re[2]: Freeradius as a proxy to Windows IAS - reserved characters in shared secret?
Hi clive,

Wednesday, August 1, 2007, 11:10:41 AM, you wrote:

> 2) If I use a secret key (similar to the one set on the IAS server) containing characters such as $\[ then the key is rejected and

Character Escape from Alcatraz, a classic movie with Clint Eastwood..

Be careful with character escaping and bash cli (always use single quotes to pass to radtest what you want). Also avoid ${foo} as a secret

    client 127.0.0.1 { secret = \044{prefix} }
    radtest gigi kent 127.0.0.1 1 '/radiusd' = OK!! ($prefix = /radiusd)

    client 127.0.0.1 { secret = \\testing123 }
    radtest gigi kent 127.0.0.1 1 '\testing123' = OK
    radtest gigi kent 127.0.0.1 1 \testing123 = OK (because bash does not expand \t)
    radtest gigi kent 127.0.0.1 1 \\testing123 = OK (because bash expands \\t to \t)
    radtest gigi kent 127.0.0.1 1 '\\testing123' = NOT ok

    client 127.0.0.1 { secret = $\[ }
    radtest gigi kent 127.0.0.1 1 '$[' = OK

    client 127.0.0.1 { secret = $\\[ }
    radtest gigi kent 127.0.0.1 1 '$\[' = OK

Have fun!

Best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113
Re: billing freeradius
Hi zahra,

Wednesday, August 1, 2007, 1:02:58 PM, you wrote:

> I want to use freeraidus in billing.

Be more specific. If you are thinking of freeraiders Billing Land Rover show, some of us spent time looking at NAS-car. Someone on this list is using freeradius for the birds billing and freeradius is the best solution to keep track of your black woodpeckers, even if each woodpecker strikes its bill against the tree 8k-12k times a day. I currently run freeraidus for billing chocolates and icecreams to my children. My dad runs freeraidus to charge me for beers and car expenses.

> what module do this ?

Most of them, but you will probably use the _accounting_ of 1 or 2 of them. I guess your next question will be how could I do accounting?

> how could I do this?

Oh, here is the next question. We (the guy with the birds and me) will HELP you, not TEACH you. Please read the docs first.

> Is there any document for using freeradius for billing?

How did you subscribe here? My advice is:

= post a reply with what are you trying to bill (please be explicit about the equipments and technologies involved)
= after you get a yes, you can do that with freeradius, start reading the docs.
= create a config and see if you have a working version
= if something is not working, search the archives of this list. probably 90% of your questions would be answered 90 times before by the 9 guys most active on the list since '99.

Regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113
Re: Freeradius + postgresql for cisco voip
Hi nix,

Wednesday, August 1, 2007, 2:56:13 PM, you wrote:

> inserted in the database. Now the problem here is how to retrieve the data from the database. Is there any pre-made front end of this kind of things? I need to calculate daily/weekly/monthly voip CDR.

Daily run at 12:01 can be something like

    #!/bin/bash
    # yesterday's date in the format used for the timestamp comparison
    DAY=`date -d yesterday +%Y/%m/%d`
    # run the summary query and mail the result
    psql -d voipdb -c "SELECT count,sum... WHERE h323connecttime > '$DAY 00:00'" | mail -s "Daily traffic for $DAY" [EMAIL PROTECTED]

Replace h323connecttime with h323disconnecttime or h323setuptime for the info you need or the db index used.

For weekly use

    date -d 'last week' '+%Y/%m/%d 00:00'

and for monthly use

    date -d 'last month' '+%Y/%m/%d 00:00'

If you need to summarize by destinations (let's say first 3 digits), you can change the SELECT into something like

    SELECT substr(CalledStationId, 0, 3), count(*) ... GROUP BY substr(CalledStationId, 0, 3);

This is not the complex and powerful front end you were looking for, but maybe it gives you an idea to make yourself exactly what you need.

> One more thing can I insert my syslog cisco CDR to above database?

Yes, you can do that. Pay attention to duplicates. It will be better to create a unique index based on h323-conf-id, called-station-id and a timestamp. Check for relevant info between syslog entries and db.

Good luck,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113
Re: Freeradius - MySQL Update problem
Hi musoket,

Wednesday, August 1, 2007, 3:17:15 PM, you wrote:

> I am having trouble populating the MySQL database with a certain attribute h323-remote-address. A tail of the radius logs shows me that this attribute is being received by radius. It however does not

How does your INSERT look like? AFAIK, in logs you get something like

    h323-remote-address = h323-remote-address=re.mo.te.ip

You should use the %{h323-remote-address} variable

Regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113
Re: Adding a NAS via SQL
Hi Santiago,

Tuesday, July 31, 2007, 11:21:36 AM, you wrote:

> I have one question to this, you supposed that RADIUS and DataBase services are in the same machine, what happens if these services are in several or there are replicate servers?

Most probably you will have the radius and the database on separate machines. If you have replication or if you have many updates (a farm of dyndns radius clients) or if you don't want to HUP the server too often, you will have to create a simple program to just NOTIFY another application responsible with HUPing the freeradius.

Example from a fantasy world:

== database trigger ==

    CREATE OR REPLACE FUNCTION restart_radiusd() RETURNS TRIGGER AS $rr_rad$
      use IO::Socket;
      my($sock, $SERVER_IP, $SERVER_PORT);
      $SERVER_IP = '1.2.3.4';
      $SERVER_PORT = 1818;
      # fire-and-forget UDP notice to the freeradius machine
      $sock = IO::Socket::INET->new(Proto => 'udp', PeerPort => $SERVER_PORT, PeerAddr => $SERVER_IP);
      $sock->send("please restart");
      return;
    $rr_rad$ LANGUAGE plperlu;

===

This trigger will send an udp packet to 1.2.3.4:1818 with the text "please restart". On the 1.2.3.4 end, we'll have a little gipsy opening the door every min_restart_interval seconds to check for stickies.. He's very sensitive and we must be polite to him.

== freeradius machine ==

    #!/usr/bin/perl
    use IO::Socket;
    my ($server, $request, $server_port, $min_restart_interval, $need_to_restart, $msg_max_length, $message);
    $min_restart_interval = 300; #seconds
    $server_port = 1818;
    $need_to_restart = 0;
    $msg_max_length = 1024;
    $server = IO::Socket::INET->new(LocalPort => $server_port, Proto => "udp")
      or die "Couldn't bind udp server on port $server_port : $@\n";
    # every $min_restart_interval seconds: HUP radiusd once if a notice arrived
    $SIG{ALRM} = sub {
      if ($need_to_restart == 1) {
        system("/usr/bin/sudo /usr/bin/killall -HUP radiusd");
        $need_to_restart = 0;
      }
      alarm $min_restart_interval;
    };
    alarm $min_restart_interval;
    # any datagram containing "please" marks a restart as pending
    while (1) {
      $request = $server->recv($message, $msg_max_length);
      $need_to_restart = 1 if ($message =~ /please/);
    }

===

In the real world, you also have many other ways, like using ssh, RPC - rsh...

If you are paranoid about opening a port, I guess you can also make freeradius to shoot itself in the leg by using rlm_exec and %{Client-IP-Address}.

Best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113

My advice is to create a database trigger on INSERTs, UPDATEs, DELETEs. For example, my postgresql trigger written in plperlu:

    CREATE OR REPLACE FUNCTION restart_radiusd() RETURNS TRIGGER AS $rr_rad$
      system("/usr/bin/sudo /usr/bin/killall -HUP radiusd");
      return;
    $rr_rad$ LANGUAGE plperlu;

    DROP TRIGGER IF EXISTS need_to_restart_radiusd ON nas_table;
    CREATE TRIGGER need_to_restart_radiusd AFTER INSERT OR UPDATE OR DELETE ON nas_table
      FOR EACH STATEMENT EXECUTE PROCEDURE restart_radiusd();
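The UDP listener in the message above sets its restart flag for any datagram containing "please", from any sender that can reach port 1818. As an added example (not code from the original post, and in Python rather than the post's Perl), the code below keeps the at-most-one-HUP-per-interval idea but only counts notices that carry a fresh HMAC; the shared key, the `timestamp:mac` message layout and the names `make_notice`, `verify_notice`, `ReloadGate` and `serve` are assumptions made for the example.

```python
import hashlib
import hmac
import socket
import time

MAX_SKEW = 30                # seconds a notice stays valid (assumed value)
MIN_RESTART_INTERVAL = 300   # same 300 s as the listener in the post
LABEL = b"please restart:"   # text bound into the MAC


def make_notice(key: bytes, now: float) -> bytes:
    """Sender side (database host): b'<unix-ts>:<hex hmac-sha256>'."""
    ts = str(int(now)).encode()
    mac = hmac.new(key, LABEL + ts, hashlib.sha256).hexdigest()
    return ts + b":" + mac.encode()


def verify_notice(key: bytes, datagram: bytes, now: float) -> bool:
    """Accept only a well-formed, fresh notice with a valid MAC."""
    ts, sep, mac = datagram.partition(b":")
    if not sep or not ts.isdigit() or len(ts) > 12:
        return False
    if abs(now - int(ts)) > MAX_SKEW:      # stale or replayed later
        return False
    expected = hmac.new(key, LABEL + ts, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac)


class ReloadGate:
    """Coalesce any number of notices into one reload per interval."""

    def __init__(self, interval=MIN_RESTART_INTERVAL):
        self.interval = interval
        self.pending = False
        self.last_reload = None

    def notice(self):
        self.pending = True

    def due(self, now) -> bool:
        if not self.pending:
            return False
        if self.last_reload is not None and now - self.last_reload < self.interval:
            return False                   # keep it pending until the interval ends
        self.pending = False
        self.last_reload = now
        return True


def serve(key: bytes, reload_cb, host="0.0.0.0", port=1818):
    """Listener loop; reload_cb would run the post's sudo killall -HUP radiusd."""
    gate = ReloadGate()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(1.0)
    while True:
        try:
            data, _peer = sock.recvfrom(1024)
            if verify_notice(key, data, time.time()):
                gate.notice()
        except socket.timeout:
            pass
        if gate.due(time.time()):
            reload_cb()
```

A notice replayed inside the 30-second window only sets a flag that is already subject to the interval, so it cannot raise the reload rate.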
Re[2]: Adding a NAS via SQL
Hi Paul,

Saturday, July 28, 2007, 6:08:23 PM, you wrote:

> I however just tried hitting radiusd with a SIGHUP and it really didn't like it Output attached, I just got a segfault when I hit it with the next radius request.

Currently, I'm able to run a SIGHUPed freeradius 20070420 snapshot, with postgresql backend. If you search through the archives, I've sent a rude email to the list back in March 2007 (containing 3 questions in one message).. I'm sorry for that email, but I'll be very happy (even now) to get an advice about the workarounds. The server seems to run ok so far, without any problems but I didn't put too much stress on it.

My solution to let the freeradius handle a SIGHUP was:

1) I solved this problem by commenting out the "we do other magic" in mainconfig.c lines 1059-1064. This will disable debug level change on the fly facility, it's not that important anyway

2)
clients.c - if (clients) return clients; + if (clients) clients_free(clients); mainconfig.c -clients_free(old_clients); +if ((void *)old_clients != (void *)clients) + clients_free(old_clients);
solved the problem. Do I still need the clients_free(old_clients)?

Is there a way to automatically activate a new NAS device that I add to the SQL database?

cron ;-)

My advice is to create a database trigger on INSERTs, UPDATEs, DELETEs. For example, my postgresql trigger written in plperlu:

    CREATE OR REPLACE FUNCTION restart_radiusd() RETURNS TRIGGER AS $rr_rad$
      system("/usr/bin/sudo /usr/bin/killall -HUP radiusd");
      return;
    $rr_rad$ LANGUAGE plperlu;

    DROP TRIGGER IF EXISTS need_to_restart_radiusd ON nas_table;
    CREATE TRIGGER need_to_restart_radiusd AFTER INSERT OR UPDATE OR DELETE ON nas_table
      FOR EACH STATEMENT EXECUTE PROCEDURE restart_radiusd();

/etc/sudoers:

    postgresqluser ALL=(radiususer) NOPASSWD: /usr/bin/killall -HUP radiusd

This way, you will restart freeradius only when needed.

You said that your backend is mysql, you will probably be able to come up with the mysql version, but your main issue is not that. SIGHUP must work.

Best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113
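Review bot: in the clients.c hunk, `if (clients) clients_free(clients);` frees the list but leaves `clients` holding the freed address, so any code that reads it before the parse assigns a fresh list touches freed memory. Set the pointer to NULL immediately after the free, and state in a comment who owns the old list at that point, because mainconfig.c still keeps its own copy of the same pointer in old_clients.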
[OT] Out of Office AutoReply: Re[2]: Adding a NAS via SQL
[Out of Topic AutoReply]

ATMEL is still in vacation! ARM rulz :)

Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113

This is a forwarded message
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Monday, July 30, 2007, 7:11:02 PM
Subject: Out of Office AutoReply: Re[2]: Adding a NAS via SQL

===8==Original message text===
thank you for your mail, but I am out of the office up to and including 19.08.2007. for urgent inquiries please contact [EMAIL PROTECTED]

i'm out of office until 19.08.2007 in urgent cases please send your email to [EMAIL PROTECTED]

Ulrich Hofacker
IT2
===8===End of original message text===
Re: Second level authentication.
Hi ashish,

First of all, WHY you will need such a setup?

Afaik, cisco will send a request to radius for user '$enable15$' whenever someone tries to "enable".

Run freeradius in debug mode (radiusd -X) and then login as one of your users. Type "enable" and the cisco will send a request to the radiusd. From the debugging session, save that request.

Logout, login on cisco as another username. Type "enable" and the same password. From the debugging radius session, save the new request.

If you see any relevant differences between the two requests, you may be able to make freeradius do what you want. If the requests are the same, you realize there is no way to figure out the user behind each request.

Best regards,
Claudiu Filip
@:[EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113

Thursday, July 19, 2007, 7:51:30 PM, you wrote:

> I don't want the user to go directly in priv mode. through priv level = 15 we directly get into priv level right. what i am looking for is first the user get into user level and then with another password in level 2. (not with enable password)..it should be through RADIUS server.
>
> Ashish
Re: NAS restart without proper client logout on radius (mysql)
Hi Nataniel,

If you have a NASty which doesn't send accounting-off when rebooting, I guess you have three options:

1) use checkrad script to test if the user is indeed logged in. The NASty should have a way to check for connected users or sessions by using snmp/telnet/etc. If you have many auth requests and many NAStys, it will consume a lot of CPU on both sides.
   Result: no angry customers, but high cpu usage and no billing

2) run every N minutes a script to get the list of connected users for every NASty. compare that list with the db entries and delete lost sessions from db.
   Result: low cpu usage, better billing (if your customers pay by time usage, you can still charge now() - N minutes - acct_start), but 'already logged in' will last N minutes (at most)

3) use petitiononline.com service to management with a subject "Network.Access.Server.TY must be replaced with Network.Access.Upgraded.Good.Hardware.TY".
   Result: no problems at all. using good hardware is always the best option.

You can implement all three options AT THE SAME TIME to minimize the impact.

Best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113

Monday, July 16, 2007, 7:37:08 PM, you wrote:

> Hello all, I have a question: when a nas restart without sending client logout to the freeradius server the clients stay connected in radacct table (AcctStopTime=0). What can I do to solve this kind of problem? What could happen is that when a nas reboot my clients keep logged and when the nas start again they will get "You are already logged in" (simultaneous-use).
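Option 2 from the message above, as an added example that is not part of the original post: a periodic reconciliation pass over radacct. It closes lost sessions with a stop time of the previous poll (rather than deleting the row) so the `now() - N minutes - acct_start` charge survives, and it skips sessions newer than the previous poll so a login that raced the NAS query is not cut off. The miniature table, the sample rows, the `NAS-Reboot` cause text and the function names are assumptions; fetching the live list from the NAS (snmp/telnet) is left to the caller.

```python
import sqlite3

# Constructed miniature of radacct; times are Unix seconds for brevity and
# an open session has AcctStopTime = 0, as in the question.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId INTEGER PRIMARY KEY AUTOINCREMENT,
    AcctSessionId TEXT, UserName TEXT, NASIPAddress TEXT,
    AcctStartTime INTEGER, AcctStopTime INTEGER DEFAULT 0,
    AcctSessionTime INTEGER DEFAULT 0, AcctTerminateCause TEXT DEFAULT ''
)"""


def close_lost_sessions(db, nas_ip, live_ids, now, poll_interval):
    """Close open rows for nas_ip whose session the NAS no longer reports.

    live_ids is the set of Acct-Session-Id values the NAS lists right now.
    Returns the session ids that were closed.
    """
    last_poll = now - poll_interval
    rows = db.execute(
        "SELECT RadAcctId, AcctSessionId, AcctStartTime FROM radacct "
        "WHERE NASIPAddress = ? AND AcctStopTime = 0", (nas_ip,)).fetchall()
    closed = []
    for rad_id, sess_id, start in rows:
        if sess_id in live_ids:
            continue            # still connected
        if start > last_poll:
            continue            # too new to judge; the next pass decides
        # The session was last known alive at the previous poll: bill to then.
        db.execute(
            "UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ?, "
            "AcctTerminateCause = 'NAS-Reboot' WHERE RadAcctId = ?",
            (last_poll, last_poll - start, rad_id))
        closed.append(sess_id)
    db.commit()
    return closed


def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    now, interval = 10_000, 300
    db.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, AcctStartTime)"
        " VALUES (?, ?, ?, ?)",
        [("3C001FC0", "foo", "192.0.2.10", 4_000),   # lost in the reboot
         ("3C001FC1", "bar", "192.0.2.10", 6_000),   # still on the NAS
         ("3C001FC2", "baz", "192.0.2.10", 9_900),   # newer than the last poll
         ("3C001FC3", "qux", "192.0.2.20", 4_000)])  # other NAS, untouched
    closed = close_lost_sessions(db, "192.0.2.10", {"3C001FC1"}, now, interval)
    billed = db.execute("SELECT AcctSessionTime FROM radacct "
                        "WHERE AcctSessionId = '3C001FC0'").fetchone()[0]
    still_open = db.execute(
        "SELECT count(*) FROM radacct WHERE AcctStopTime = 0").fetchone()[0]
    return closed, billed, still_open


if __name__ == "__main__":
    print(demo())
```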
Re: Using two tables (postgreSql) to validate users
Hi Daniel,

It is very easy to use as many tables you need. You can have in config:

    authorize_check_query = "SELECT * FROM pl_AUTHORIZE_CHECK('%{SQL-User-Name}', '%{User-Password}', '%{Client-IP-Address}')"

pl_AUTHORIZE_CHECK will be a stored procedure on the postgresql backend. For example, I used something like this:

    CREATE TYPE radius_check_pairs AS (id integer, username text, attrname text, attrval text, attrop text);

    CREATE OR REPLACE FUNCTION pl_AUTHORIZE_CHECK (text, text, text)
    RETURNS SETOF radius_check_pairs AS $$
      my ($user, $pass, $nasip) = @_;
      # Bind the values instead of pasting them into the SQL text, so a quote
      # in the user name or password cannot change the query.
      my $plan = spi_prepare('SELECT status FROM accounts WHERE username = $1 AND password = $2', 'text', 'text');
      my $rv = spi_exec_prepared($plan, { limit => 1 }, $user, $pass);
      spi_freeplan($plan);
      my $status = $rv->{rows}[0]{status};
      my $reply = [];
      if ($rv->{processed} < 1) {
        # note: this writes the submitted password to the server log
        elog(NOTICE, "AUTHCHECK: User $user / $pass NOT FOUND");
        return [ { id => 0, username => $_[0], attrname => 'Auth-Type', attrval => 'Reject', attrop => ':=' } ];
      }
      if ($status != '1') {
        elog(NOTICE, "AUTHCHECK: User $user not active");
        push @$reply, { id => 0, username => $_[0], attrname => 'Auth-Type', attrval => 'Reject', attrop => ':=' };
        push @$reply, { id => 1, username => $_[0], attrname => 'Reply-Message', attrval => 'Acccount suspended!', attrop => ':=' };
        return($reply);
      }
      elog(NOTICE, "AUTHCHECK: User $user - login ok");
      return [ { id => 0, username => $_[0], attrname => 'Auth-Type', attrval => 'Accept', attrop => ':=' } ];
    $$ LANGUAGE plperl;

The advantages of this scenario.. You can have anything you want in this procedure, including cpan modules : and you can still run the radius server on your favorite pentium II with load average 0.

Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113

> Hi again... I have a doubt: Is it possible to use two tables to check the users? I need to do something like this... Freeradius checks if the user is valid on the table 1, if it returns true the user is validated, but if the return is false, freeradius checks the table 2, trying to validate the user once again.
Re: Problem with logging detail-log to syslog
Hi Mark,

Wednesday, May 23, 2007, 2:47:10 PM, you wrote:

> logdir = syslog
> [...]
> rlm_detail: Failed to create directory syslog/radacct: No such file or directory

LOGDIR means... log dir :

regards,
Claudiu Filip
Re: Problem connecting to a router via RADIUS Server authentication
Hi prajakta,

Be sure you have in clients.conf something like:

    client 192.168.6.15 {
        secret = working789
        shortname = mylinksys
        nastype = other
    }

Restart radiusd if you changed something here. Then http://192.168.6.15 to configure your linksys and in the radius section set the radius password/shared secret to working789

Use your own password instead of working789

Regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113
Re[2]: Problem with logging detail-log to syslog
Hi Mark,

it seems that you forgot a line with

    radacctdir = ${logdir}/radacct

if you have no line with radacctdir, then add one with the correct path.

best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100 F:+40344880113
Re: MAC Authentication
Kevin J> Does anybody know if FreeRadius supports the MAC Authentication?
Kevin J> If so, how?

Freeradius supports ANY kind of authentication, just be sure you can get the required information from the client. Run radiusd -sfX and if your NAS sends the MAC address in the request, you can use that as a check-item.

Have a look at share/doc/freeradius/aaa.txt and http://wiki.freeradius.org/index.php/FAQ#What.27s_with_the_commas_in_the_raddb.2Fusers_file.3F for some guidelines.

Cheers,
Claudiu Filip
Re: dyndns.org domain in Clients.conf
Hello black,

Friday, May 04, 2007, 12:18:00 PM, you wrote:

black devils> Hi,
black devils> I have created one hotspot with a openwrt router and chillispot. I use a
black devils> remote server radius (freeradius) for authenticate users of hotspot.

Move your clients.conf to SQL database. You can use the dyndns settings of the openwrt router to send the IP address to your own server (choose custom on your dyndns configuration). On your server, have a script to parse the info, update the database with the new IP address and (this is the hardest thing :) restart FR to learn the IP.

Cheers,
Claudiu FILIP
Globtel Internet
@: [EMAIL PROTECTED]
Http://www.globtel.ro
Problems with freeradius 1.1.5 (2.0.0) 20070322 with postgresql (SIGHUP = segmentation fault)
Hello freeradius-users,

I'm running Freeradius 20070322 snapshot with postgresql backend. (I tried older versions too) I have 3 questions for you, all related to $subject.

Everything is working fine (the radius is getting the nas clients from the database, doing db auth/acct, etc.) until we send a -HUP to the radiusd..

First one:
8x--------8x--------

    $ /radius/sbin/radiusd -fsX
    $ killall -HUP radiusd
    rlm_sql (sql): Closing sqlsocket 4
    rlm_sql (sql): Closing sqlsocket 3
    rlm_sql (sql): Closing sqlsocket 2
    rlm_sql (sql): Closing sqlsocket 1
    rlm_sql (sql): Closing sqlsocket 0
    read_config_files: reading realms
    Thu Mar 22 16:21:23 2007 : Info: rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
    Thu Mar 22 16:21:23 2007 : Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:5432/dbradius
    Segmentation fault

No core file.. I solved this problem by commenting out the "we do other magic" in mainconfig.c lines 1059-1064. This will disable debug level change on the fly facility, it's not that important anyway
8x--------8x--------

Second:
8x--------8x--------

    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: query affected rows = 3 , fields = 5
    rlm_sql (sql): Read entry nasname=1.2.3.4,shortname=nume,secret=secret
    rlm_sql (sql): Adding client 1.2.3.4 (nume) to clients list
    Segmentation fault (core dumped)

    #0 rbtree_insert (tree=0x7d4c4c55, Data=0x80025808) at rbtree.c:246
    246 Current = tree->Root;
    (gdb) bt
    #0 rbtree_insert (tree=0x7d4c4c55, Data=0x80025808) at rbtree.c:246
    #1 0x8000685d in client_add (clients=0x800fbb18, client=0x80025808) at client.c:231
    #2 0xb7db29ca in rlm_sql_instantiate (conf=0x8012efc8, instance=0x7d4c4c55) at rlm_sql.c:347
    #3 0x8000f77c in find_module_instance (modules=0x8012e5e0, instname=0x80130100 "sql") at modules.c:322
    #4 0x80010243 in setup_modules (reload=1) at modules.c:917
    #5 0x8000ed65 in read_mainconfig (reload=1) at mainconfig.c:1162
    #6 0x80012dc0 in main (argc=2, argv=0xbfdb1a34) at radiusd.c:560

I add

    DEBUG2("OLD: %p",(void *)old_clients);
    DEBUG2("NEW: %p",(void *)clients);

right before

    mainconfig.clients = clients;
    clients_free(old_clients);

in mainparse.c

Start radiusd -fsX

    OLD: (nil)
    NEW: 0x800fbb18

killall -HUP radiusd:

    OLD: 0x800fbb18
    NEW: 0x800fbb18
    rlm_sql (sql): Adding client 1.2.3.4 (nume) to clients list
    Segmentation fault (core dumped)

So, we free the same location.. I guess the problem is in the clients_parse_section which doesn't return a new address space.

clients.c - if (clients) return clients; + if (clients) clients_free(clients); mainconfig.c -clients_free(old_clients); +if ((void *)old_clients != (void *)clients) + clients_free(old_clients);
solved the problem. Do I still need the clients_free(old_clients)?
8x--------8x--------

Three:
8x--------8x--------
Is there any other way to make the radius re-reread its clients from database, without an expensive HUP (and not so easy to send when you add entries to db)?
8x--------8x--------

Thanks for scrolling this down..

Best wishes,
Claudiu FILIP
[EMAIL PROTECTED]
Phone : +40344880100
http://www.globtel.ro
Fax: +40344880113
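Review bot: in the mainconfig.c hunk, the guard `old_clients != clients` compares against a pointer that the clients.c change has already passed to clients_free(), if that is the same list (the OLD/NEW debug output shows both at 0x800fbb18 before the change). When the new list lands at a different address the guard passes and `clients_free(old_clients)` frees that memory a second time; when the allocator reuses the address the call is skipped only by coincidence. Give the old list exactly one owner: either leave it alone in clients.c and free it here after the swap, or free it there and drop this call.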