Re: rlm_ippool vs rlm_sqlippool
On 2013-04-30 14:17, stefan.pae...@diamond.ac.uk wrote:
> Here's an entry from the archives where Alan (sort-of) suggests using rlm_sqlippool to fix the same problem you're having:
> http://lists.cistron.nl/pipermail/freeradius-users/2009-July/039544.html
> SQL does appear to have better performance/
> With Regards
> Stefan

Thank you Stefan for your quick response.

Best Regards,
--
George Chelidze
Software Developer
Magticom Ltd.
5, A. Politkovskaya St. 0186 Tbilisi, Georgia
Office: +995 322171376
Mobile: +995 599117900

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_ippool vs rlm_sqlippool
On 2013-04-30 16:30, Alan DeKok wrote:
> George Chelidze wrote:
>> We use rlm_ippool for pool management. Each pool is configured with 16K addresses. About 10K are used in the peak time (per pool).
>
> The DBM files underlying IP pools really aren't that scalable.
>
>> I believe we have almost reached our IO capacity, because heavy IO operations like gzipping a 300M file cause freeradius to throw errors like:
>> Error: Discarding duplicate request from client C port 65038 - ID: 109 due to unfinished request 34797335
>> Error: Discarding duplicate request from client C port 65035 - ID: 98 due to unfinished request 34797336
>
> Yeah. Starving FreeRADIUS isn't a good idea.
>
>> Will it make any sense to switch to rlm_sqlippool? Will it be less IO sensitive?
>
> You should be using SQL. It will still be IO sensitive, but maybe less so. The short answer is that you shouldn't overload critical systems while they're running.
>
> Perhaps a simpler solution is to move FreeRADIUS + DB into a dedicated machine. And don't do ANYTHING ELSE on it. Use syslog to get all logs off of the machine. So there are really no cron jobs, user logins, etc. That is by far and away the safest way of running a RADIUS server.
>
> Alan DeKok.

Thank you Alan, I will switch to rlm_sqlippool and will try to avoid any extra IO load.

Best Regards,
--
George Chelidze
rlm_ippool vs rlm_sqlippool
Greetings,

We use rlm_ippool for pool management. Each pool is configured with 16K addresses. About 10K are used in the peak time (per pool). I believe we have almost reached our IO capacity, because heavy IO operations like gzipping a 300M file cause freeradius to throw errors like:

Error: Discarding duplicate request from client C port 65038 - ID: 109 due to unfinished request 34797335
Error: Discarding duplicate request from client C port 65035 - ID: 98 due to unfinished request 34797336

and a bit later:

Error: WARNING: Unresponsive child for request 34797366, in component post-auth module ippool-A
Error: WARNING: Unresponsive child for request 34797382, in component post-auth module ippool-A

Will it make any sense to switch to rlm_sqlippool? Will it be less IO sensitive? I know it's worth a try, however any additional information would be helpful.

Thank you in advance,
--
George Chelidze
Re: Session-Timeout
On 2013-04-27 02:46, David Peterson wrote:
> Sorry about that, they say it's 16 bit.

I have seen this once with a HUAWEI NAS. The max value for a 16-bit unsigned integer is 65535. It's about 18 hours.

BR,
--
George Chelidze
Re: MAC Address Auth
On 2013-04-08 15:18, Mulindwa wrote:
> Hi good pple, have been reading on how to enforce the attribute of Mac-Addr and i have not seen it anywhere.

You don't read carefully what "good pple" reply to you. Ironically, the reply to your question is attached to your question. As Matthias already pointed out:

1. Put *Mac-Addr* to your dictionary (or make sure it's already there).
2. Remove it from your reply list and put it into the check list.

> *From:* Matthias Nagel
> *To:* freeradius-users@lists.freeradius.org
> *Sent:* Thursday, April 4, 2013 5:41 PM
> *Subject:* Re: MAC Address Auth
>
> Hello,
> add the correct check item to your user database. In the case below (User-Name = user2000@ut3) you should have the check item
> Attr-2352-145 == "5c-7d-5e-3f-d0-f7"
> for this specific user in your user database. Then you repeat this for every user/mac-address pair you want.
> Best regards, Matthias

--
George Chelidze
Re: rlm_detail alternatives?
On 2013-03-28 17:41, Konstantin Chekushin wrote:
> Hi! Does freeradius have some rlm_detail alternatives? We need wont to save information about packets to the syslog, but rlm_details doesn't have this possibility, as I understand. Thanks!

Konstantin,

Depends on what kind of information you would like to send to the syslog. As Alan already noted, you can use rlm_linelog, however keep in mind, that syslog packet size is limited to 1024 bytes, which means that in some cases your messages will be truncated.

BR,
--
George Chelidze
Software Developer
Magticom Ltd.
Re: Opposite of Expiraton attribute?
On 06/17/2011 09:23 AM, Matthew George wrote:
> Is there an attribute that is the opposite of expiration? I'm trying to setup accounts to have a specific login time range. For example;
> Start-Time >= 5 June 2011 00:00:00
> Expiration == 5 June 2011 02:00:00
> I've been hunting googling for hours but I've been unable to find an attribute that would let me specify a "start-time" or a "valid-after" attribute. Any suggestions?

check modules/logintime

BR,
George Chelidze
Re: Can't get checkrad to be called
On 06/04/2011 06:28 AM, Dan Brisson wrote:
> Just finished setting up the latest Freeradius - 2.1.10. Checkrad is working. I've replicated the settings from 2.1.7 so I have to think something has changed from 2.1.7 to 2.1.10.

hm.. I would compare both setups to eliminate any typos in 2.1.7 configuration. As far as it works with 2.1.10 you can build it on CentOS from source. Glad to hear you figured it out.

Best Regards,
George Chelidze
Re: Slow Mysql Queries
On 06/06/2011 05:05 AM, OzSpots - Carl Sawers wrote:
> Thanks Guys,
> The slow query log has a lot of entries in it. It's not obvious which are causing the most issues but I have found a script that was always slowish so have removed it. The line read
> # Query_time: 5 Lock_time: 0 Rows_sent: 3 Rows_examined: 17286222
> No idea where it thinks there are that many rows...
> A script which outputs all the active users from radcheck shows this in the slow query log
> # Query_time: 0 Lock_time: 0 Rows_sent: 84 Rows_examined: 32992
> Are all the slow query entries potentially a problem, I mean should there be any entries in there at all? While the scripts have changed slightly this DB worked fine on the last server - could it have been corrupted from the sql txt file import perhaps? (via phpadmin)
> Regards Carl

Hello Carl,

try: "CHECK TABLE " to check whether it's corrupted */ Drop output from "SHOW CREATE TABLE " and a sample script which takes a long time to execute here.

Best Regards,
George Chelidze
Re: Can't get checkrad to be called
On 06/03/2011 02:35 PM, Dan Brisson wrote:
> It really seems like this line in the radutmp "modules" file is not being executed:
> check_with_nas = yes
> But from radiusd -X, it does seem to be:

It's a configuration option not a command to be executed

> check_with_nas = yes

So, it's there

Can you post authorize/accounting sections from your configuration?

Best Regards,
George Chelidze
Re: Freeradius not releasing IPs from pool
On 06/01/2011 04:02 PM, Angel L. Mateo wrote:
> Hello, I have a problem with my pools in freeradius. The problem is that it is not releasing IPs from the pools. At least, not all of them, so after a while my users can't connect because the pool is full.

Several quick questions:

1. Are you sure your pool is large enough? Average duration of a session/Number of new sessions per second should be taken into account.
2. Are you sure you don't miss any accounting messages?
3. Which attributes do you use to construct a pool key? Make sure all attributes exist in Accounting messages.

Best Regards,
George Chelidze
Re: Can't get checkrad to be called
On 06/03/2011 03:59 AM, Dan Brisson wrote:
> # simul_verify_query = "SELECT radacctid, acctsessionid, username, \
> #     nasipaddress, nasportid, framedipaddress, \
> #     callingstationid, framedprotocol \
> #     FROM ${acct_table1} \
> #     WHERE username = '%{SQL-User-Name}' \
> #     AND acctstoptime IS NULL"

as your verify_query is commented out, it will never check it with nas, just compare result of count_query with configured max value (1 in your case), so uncomment it.

> sites-enabled/default:
> # Session database, used for checking Simultaneous-Use. Either the radutmp
> # or rlm_sql module can handle this.
> # The rlm_sql module is *much* faster
> session {
>     radutmp
>     #
>     # See "Simultaneous Use Checking Queries" in sql.conf
>     sql
> }

Do you really need both?

> modules/perl:
> func_checksimul = checksimul

I would enable checkrad statement in radiusd.conf as it seems to be used with radutmp/sql modules for simul checks.

Best Regards,
George Chelidze
Re: Free radius installation
On 01/25/2010 02:37 PM, José Campos wrote:
> Ok, that's a good observation, but this is a fresh new installation... I did not change anything prior the installation of (yum install freeradius*).

I think the default is

listen {
    ...
    ipaddr = *
    ...
}

which means to listen for every ipv4 interface. you can also find the following comments in your configuration:

# OR, you can use an IPv6 address, but not both
# at the same time

so, your radius server is _not_ listening for ipv6 interfaces.

> Should I change something before testing it? Why is radtest doing queries to ::1 (ipv6 address).

cat /etc/hosts

I think you have something like this:

::1 localhost ip6-localhost ip6-loopback

either map 127.0.0.1 to localhost, or use

radtest test test 127.0.0.1 0 testing123

George
Re: Free radius installation
> Scanning localhost (127.0.0.1) [1000 ports]
> Completed UDP Scan at 09:36, 1.21s elapsed (1000 total ports)
> Host localhost (127.0.0.1) is up (0.090s latency).
> Interesting ports on localhost (127.0.0.1):
> Not shown: 996 closed ports
> PORT     STATE         SERVICE
> 111/udp  open|filtered rpcbind
> 1812/udp open|filtered radius
> 1813/udp open|filtered radacct
> 5353/udp open|filtered zeroconf
> ...
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on proxy address * port 1814
> Ready to process requests.
> ...
> [r...@localhost ~]# radtest test test localhost 0 testing123
> Sending Access-Request of id 42 to ::1 port 1812
>     User-Name = "test"
>     User-Password = "test"
>     NAS-IP-Address = 127.0.0.1
>     NAS-Port = 0

you are nmapping 127.0.0.1 which is ipv4 interface to check whether radiusd is listening (why not try netstat -lnp instead?), while sending radtest queries to ::1 which is ipv6. are you sure your radiusd is listening for ::1 as well?

my 2 cents.

George
Re: Free radius installation
On 01/25/2010 01:18 PM, Alan Buxey wrote:
> Hi,
>>> not really - did you read what I wrote? How can you do a state check on what is a stateless protocol?
>> I think you can still do state checks for UDP:
> there are ways and means - sure - but in the first throes of getting some test traffic to the daemon, surely the easiest thing is to just allow UDP port 1812 and 1813 traffic and THEN start learning what firewall flags work with the traffic.

I just stated that it's possible, I didn't mean it should be configured like this while debugging something.

George
Re: How to charge based on accounting correctly
Hello Alan,

> Why not just update the users credit when the session is closed?

Good question. The short answer is to charge as soon as possible.

> Store the last "session length" for a session. If the current packet has a smaller session length, ignore the packet. Otherwise, look at the difference between the stored session length, and the session length in the current packet. Use that time for billing, rather than the time you received the packet.

That's the way it's implemented right now. Thanks

>> 2. Is it a correct behavior of a NAS to store accounting information on its internal disk if it can't get acknowledgment for accounting request/s and resend it later?
> Yes.

How much time can it keep the data? I don't think it's a good idea to resend the data after several hours.

Best Regards,
George
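The rule quoted in the message above (keep the largest session length seen per session, ignore any packet reporting a smaller one, bill the difference) written out as an added example; it is not code from the thread or from FreeRADIUS. The session key (NAS-IP-Address plus Acct-Session-Id), the class and function names, and the sample packets are assumptions constructed for illustration.

```python
"""Charge RADIUS accounting by Acct-Session-Time deltas, tolerating late resends."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SessionState:
    charged: int = 0        # highest Acct-Session-Time (seconds) already billed
    stopped: bool = False   # a Stop packet has been seen for this session


@dataclass
class Biller:
    # Assumed session key: (NAS-IP-Address, Acct-Session-Id).
    sessions: Dict[Tuple[str, str], SessionState] = field(default_factory=dict)

    def handle(self, pkt: dict) -> int:
        """Return the number of seconds to charge for this packet (0 if none)."""
        key = (pkt["NAS-IP-Address"], pkt["Acct-Session-Id"])
        state = self.sessions.setdefault(key, SessionState())
        status = pkt["Acct-Status-Type"]

        # Start carries no Acct-Session-Time; it only creates the state.
        if status not in ("Interim-Update", "Stop"):
            return 0
        try:
            reported = int(pkt["Acct-Session-Time"])
        except (KeyError, ValueError):
            return 0  # malformed packet: never bill on data we cannot parse

        if status == "Stop":
            state.stopped = True

        # A packet that does not advance the counter is a duplicate or a
        # resend that arrived out of order; its time was already charged.
        if reported <= state.charged:
            return 0

        delta = reported - state.charged
        state.charged = reported
        return delta


def replay(packets: List[dict]) -> List[int]:
    """Feed packets in arrival order and return the charge made for each."""
    biller = Biller()
    return [biller.handle(p) for p in packets]


def make_packet(status: str, seconds: Optional[int] = None) -> dict:
    """Build a constructed sample packet for one fixed session."""
    pkt = {
        "NAS-IP-Address": "192.0.2.10",   # constructed (documentation range)
        "Acct-Session-Id": "sess-0001",   # constructed
        "Acct-Status-Type": status,
    }
    if seconds is not None:
        pkt["Acct-Session-Time"] = str(seconds)
    return pkt


# Constructed arrival order: the 1800 s interim is delayed and is resent by
# the NAS only after the 2700 s interim has already been processed.
SAMPLE = [
    make_packet("Start"),
    make_packet("Interim-Update", 900),
    make_packet("Interim-Update", 2700),   # covers the missing 1800 s update
    make_packet("Interim-Update", 1800),   # late resend: ignored
    make_packet("Stop", 3000),
    make_packet("Interim-Update", 900),    # duplicate after Stop: ignored
]

if __name__ == "__main__":
    charges = replay(SAMPLE)
    print(charges, "total:", sum(charges))
```

The total charged always equals the largest Acct-Session-Time received, regardless of the order in which resent packets arrive.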
Re: Free radius installation
Hello Alan,

> not really - did you read what I wrote? How can you do a state check on what is a stateless protocol?

I think you can still do state checks for UDP:
http://www.sns.ias.edu/~jns/wp/2006/01/12/iptables-connection-tracking-udp/

Best Regards,
George
How to charge based on accounting correctly
Hello,

We have a system which sends radius accounting messages to our radius. Based on this accounting we charge subscribers. Interim accounting is enabled so for a normal session we get one Start, zero or more Interim-Update and one Stop packets. Every accounting packet except Start contains Acct-Session-Time which is "how many seconds the user has received service for" according to rfc2866. That means that it's always incrementing during a session.

To charge a session in chunks we calculate a difference between the recent value and the previous one. In our case we get Interim-Update records every 15 minutes, so this difference between 2 sequential Interim-Update records is 900 secs +/- 2-3 secs. What happens when for some reason one Interim-Update record is lost? In such case we get diff - 1800 secs and everything is fine.

However recently we discovered that a system which is sending accounting records will resend unconfirmed packets after some time (I do not mean Retransmit-Interval/Retransmit-Count feature which exists on most if not all NAS-es). The latter means that in some cases we can get an Interim-Update packet with Acct-Session-Timeout = 1800, calculate a difference against a Start record (that is 1800 secs) and charge it, later get Interim-Update with Acct-Session-Timeout = 900.

So my questions can be stated like this:

1. Is it better to charge the whole difference between current and previous Session-Timeout values and later ignore any previous packets which arrive out of order, or it's better to charge last 15 minutes (I get Interim-Update records every 15 minutes as already stated above) and do not care about missing parts (if any) of a session?

2. Is it a correct behavior of a NAS to store accounting information on its internal disk if it can't get acknowledgment for accounting request/s and resend it later?

Best Regards,
George Chelidze
Re: howto pstack running freeradius process
On Fri, 2009-07-24 at 09:15 -0400, John Dennis wrote:
> On 07/24/2009 04:27 AM, George Chelidze wrote:
> > On Fri, 2009-07-24 at 08:08 +0200, Alan DeKok wrote:
> >> George Chelidze wrote:
> >>> I didn't say it's an issue with freeradius.
> >>
> >> If it's not a FreeRADIUS issue, then the question doesn't belong on
> >> the list.
> >
> > I have just realized that this question should have been posted to
> > freeradius-devel list. Sorry for mistake.
> >
> >> You're asking us to support (for free) a module you wrote, and/or an
> >> OS that someone else wrote.
> >>
> >> Why?
> >
> > What kind of answer you would like to get? I am afraid I missed
> > something while building freeradius the way I did so I asked what I
> > asked. If I knew that I have built freeradius with enough parameters to
> > get the stack trace and I can't get it because I have some other OS
> > related problem I would never asked this question on this list. I still
> > do not know it, so if someone can give me a hint, I'll be thankful.
>
> I have to agree with Alan, this is not a FreeRADIUS issue. It is clearly
> an OS and software development environment issue. You haven't even
> stated what OS and architecture it is and your description of the
> error is vague at best.

No, It's not a FreeRADIUS issue, it's an issue with my custom module. Let me say it again - I posted to the wrong list, sorry.

> The man page for ptrace states it has architecture
> specific limitations. You built a local copy using your own toolchain
> and installed it in a non-standard location, the ball is in your
> court.

My original question was about pstack not ptrace. If you mean pstack and "__pthread_threads_debug" stuff, I checked it before posting to this list.

> Here is a hint which is appropriate for Linux. I assume the process is
> aborting

No, it's not, however your hints are useful. Thank you.

Best Regards,
George
Re: howto pstack running freeradius process
On Fri, 2009-07-24 at 08:08 +0200, Alan DeKok wrote:
> George Chelidze wrote:
> > I didn't say it's an issue with freeradius.
>
> If it's not a FreeRADIUS issue, then the question doesn't belong on
> the list.

I have just realized that this question should have been posted to freeradius-devel list. Sorry for mistake.

> You're asking us to support (for free) a module you wrote, and/or an
> OS that someone else wrote.
>
> Why?

What kind of answer you would like to get? I am afraid I missed something while building freeradius the way I did so I asked what I asked. If I knew that I have built freeradius with enough parameters to get the stack trace and I can't get it because I have some other OS related problem I would never asked this question on this list. I still do not know it, so if someone can give me a hint, I'll be thankful.

Best Regards,
George
Re: howto pstack running freeradius process
On Thu, 2009-07-23 at 22:27 -0700, Doug Hardie wrote:
> On 23 July 2009, at 22:09, George Chelidze wrote:
>
> > On Thu, 2009-07-23 at 16:10 +0200, Alan DeKok wrote:
> >> George Chelidze wrote:
> >>> Hello,
> >>>
> >>> I am investigating one issue with freeradius 2.1.6 custom module and
> >>> would like to get a stack trace of running process.
> >>
> >> This is a local OS issue. It has nothing to do with FreeRADIUS.
> >
> > Hello Alan,
> >
> > I didn't say it's an issue with freeradius. I said it's an issue with a
> > custom module and I am trying to find the reason that's why I asked
> > about stack trace.
>
> The approach I use to debug a module is to compile it with gdb (helps
> to also compile freeradius with gdb). Then run it under gdb with -X.
> You can then set breakpoints or other gdb trace commands and then feed
> it the input that causes the problem.

Hello Doug,

Thanks for reply. Unfortunately when I start freeradiusd with -X problem is gone, it only exists when I start it in background, so I'd like to attach to the running daemon and get the stack trace if possible.

Best Regards,
George
Re: howto pstack running freeradius process
On Thu, 2009-07-23 at 16:10 +0200, Alan DeKok wrote:
> George Chelidze wrote:
> > Hello,
> >
> > I am investigating one issue with freeradius 2.1.6 custom module and
> > would like to get a stack trace of running process.
>
> This is a local OS issue. It has nothing to do with FreeRADIUS.

Hello Alan,

I didn't say it's an issue with freeradius. I said it's an issue with a custom module and I am trying to find the reason that's why I asked about stack trace.

Best Regards,
George
howto pstack running freeradius process
Hello,

I am investigating one issue with freeradius 2.1.6 custom module and would like to get a stack trace of running process. pstack fails with the following error:

23246: /usr/local/freeradius-2.1.6/sbin/radiusd
'': opening object file: No such file or directory
Could not open object file.

The following commands were used to build the freeradius server:

./configure --prefix=/usr/local/freeradius-2.1.6 --enable-developer
make
make install

Please point me to the right direction.

Thanks in advance,
George Chelidze
radiusd -f flag - how it affects custom freeradius module
Hello,

Recently I have developed a custom module for freeradius 2.1.6 following http://wiki.freeradius.org/Modules2 document. The purpose of this module is to translate authorization requests to Tibco Rendezvous messages (Commercial software - Message Bus), send them to some external application, get the reply back and accept or reject based on this reply. I use client libraries to communicate with tibco rendezvous daemon (rvd) through some IPC mechanism (I think it's tcp sockets).

The problem is that when I start freeradius with -f flag client application can send and receive data without any problem. When I start freeradius without any arguments, it can send data but can't receive it, while sniffing the network indicates that response is actually delivered back from rvd. So what's so specific with -f? How can fork()/setsid() break something?

Below is a piece of problematic code:

    rv_status = tibrvTransport_SendRequest(transport, tibrv_msg, &tibrv_msg_reply, request_timeout * 1.0 / 1000);
    if (rv_status != TIBRV_OK && rv_status != TIBRV_TIMEOUT) {
        radlog(L_ERR, "rlm_custom_auth: tibrvTransport_SendRequest() failed. Error = \"%s\"", tibrvStatus_GetText(rv_status));
        tibrvMsg_destroy(tibrv_msg);
        return RLM_MODULE_REJECT;
    }
    if (rv_status == TIBRV_TIMEOUT) {
        radlog(L_ERR, "rlm_custom_auth: tibrvTransport_SendRequest() timed out");
        tibrvMsg_destroy(tibrv_msg);
        return RLM_MODULE_REJECT;
    }

so, every time I start freeradius without -f I get:

rlm_custom_auth: tibrvTransport_SendRequest() timed out

I understand that this problem is very specific to tibco rendezvous which isn't the open source. It will be great if you can share your ideas about the issue.

Thanks in advance,
George Chelidze
Re: Freeradius 2.1.1 - locked processes
Alan DeKok wrote:
> It doesn't. That's likely a side-effect of function call trampolines, or something similar.

can you explain this in more details in a couple of words, thinking about this problem for 4-5 days:)
Re: Freeradius 2.1.1 - locked processes
Alan DeKok wrote:
> Alan DeKok wrote:
>> Honestly, I wouldn't try to debug it. No one else is reporting similar issues in FreeRADIUS, and debugging RHEL will be an exercise in frustration.
>
> Or, just replace the call to localtime_r with something else. The time strings won't be correct, but the function won't lock the server.
>
> Alan DeKok.

The weird thing with this problem is that localtime_r() calls fr_hash_table_finddata() as you mentioned. I have removed strftime()/localtime_r() calls from print.c and it seems to be fixed. Thanks for suggestion.

Best Regards,
George Chelidze
Freeradius 2.1.1 - locked processes
Hello,

I have recently installed freeradius 2.1.1 on our old RHEL (Red Hat Enterprise Linux ES release 4 (Nahant Update 2), libc-2.3.4) server which already runs multiple radiator instances. The last time I started freeradius was Friday. Since then there are 66 freeradius processes, among them 65 are locked:

# strace -p 7833
Process 7833 attached - interrupt to quit
futex(0x263ecc, FUTEX_WAIT, 2, NULL

I have googled the issue and investigated the gdb backtrace, however the only idea I have right now is to upgrade a system to more recent one (I know, running outdated system is stupid idea, however why we still run it is a long story). As it's not an easy task, I'd like to be sure that the reason is old libraries or stuff like that. I have attached a gdb backtrace, ldd output, freeradius configuration. I am ready to debug a system further and provide more information, if this isn't enough. Any help is appreciated.

Thanks in advance
George Chelidze

# /usr/local/freeradius/etc/raddb/sites-enabled/default
preacct {
    fillrealm
    acct_unique
}
accounting {
    sql
    billing
    detail
}

# /usr/local/freeradius/etc/raddb/modules/acct_unique
acct_unique {
    key = "Calling-Station-Id, Acct-Session-Id, 3GPP2-Correlation-Id"
}

# /usr/local/freeradius/etc/raddb/modules/detail
detail {
    detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
    detailperm = 0600
}

# /usr/local/freeradius/etc/raddb/modules/exec
exec billing {
    wait = no
    program = "/usr/local/freeradius/scripts/billing.pl"
    input_pairs = request
}

# /usr/local/freeradius/etc/raddb/modules/realm
realm fillrealm {
    format = suffix
    delimiter = "@"
}

# /usr/local/freeradius/etc/raddb/radiusd.conf
...
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE sql.conf
}
$INCLUDE sites-enabled/

# /usr/local/freeradius/scripts/billing.pl
#!/usr/bin/perl
use strict;
use POSIX ':sys_wait_h';
require '/usr/local/freeradius/scripts/inc/common.pm';
require '/usr/local/freeradius/scripts/inc/mysql.pm';
require '/usr/local/freeradius/scripts/inc/tibrv.pm';

my $pid = fork();
unless (defined $pid) {
    common::log("Error: top level fork() failed: $!");
    exit(1);
}
# exit in parent, become child of init
exit(0) if ($pid);

# 2nd level fork in child
$pid = fork();
unless (defined $pid) {
    common::log("Error: 2nd level fork() failed: $!");
    exit(1);
}
if ($pid > 0) {
    # wait for child exit code
    waitpid($pid, 0);
    exit(0);
}
# do the main job in 2nd level child
...

#0 0x0087a7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1 0x002103ce in __lll_mutex_lock_wait () from /lib/tls/libc.so.6
#2 0x001b89c9 in _L_mutex_lock_1945 () from /lib/tls/libc.so.6
#3 0xb75f4c32 in ?? ()
#4 0xb75f4718 in ?? ()
#5 0x009017e9 in fr_hash_table_finddata (ht=0xfffc, data=0x261ff4) at hash.c:491
#6 0x001b69dd in localtime_r () from /lib/tls/libc.so.6
#7 0x00904647 in vp_prints_value (out=0xb75f4c30 "", outlen=1008, vp=0x2103ce, delimitst=1) at print.c:267
#8 0x08053a28 in radius_exec_program (cmd=0x8dcae28 "/usr/local/freeradius/scripts/billing.pl", request=0xb4c00768, exec_wait=0, user_msg=0x0, msg_len=0, input_pairs=0xb4a03220, output_pairs=0x0, shell_escape=1) at exec.c:330
#9 0x003dae26 in exec_dispatch (instance=0x8dcae00, request=0xb4c00768) at rlm_exec.c:315
#10 0x0805bb8c in modcall (component=3, c=0xfffc, request=0xb4c00768) at modcall.c:285
#11 0x0805a91b in indexed_modcall (comp=3, idx=0, request=0xb4c00768) at modules.c:541
#12 0x0805b6b0 in module_accounting (acct_type=0, request=0xb4c00768) at modules.c:1221
#13 0x0804dda7 in rad_accounting (request=0xb4c00768) at acct.c:93
#14 0x08065f1f in radius_handle_request (request=0xb4c00768, fun=0x804dd0c ) at event.c:3027
#15 0x0805fc3a in request_handler_thread (arg=0x8dd9060) at threads.c:490
#16 0x00a01341 in start_thread () from /lib/tls/libpthread.so.0
#17 0x002036fe in clone () from /lib/tls/libc.so.6

# ldd /usr/local/freeradius/sbin/radiusd
libfreeradius-radius-2.1.1.so => /usr/local/freeradius/lib/libfreeradius-radius-2.1.1.so (0x00ae6000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00845000)
libresolv.so.2 => /lib/libresolv.so.2 (0x00709000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x009fc000)
libreadline.so.4 => /usr/lib/libreadline.so.4 (0x00111000)
libtermcap.so.2 => /lib/libtermcap.so.2 (0x009ea000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00c19000)
libltdl.so.3 => /usr/lib/libltdl.so.3 (0x00a1)
libdl.so.2 => /lib/libdl.so.2 (0x009bf000)
libssl.so.4 => /lib/libssl.so.4 (0x005d2000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x0
Re: Debian + Exec-Program = Zombie process
Alan DeKok wrote:
> George Chelidze <[EMAIL PROTECTED]> wrote:
>> Zombies add up even when I recompile without --without-threads option.
>
> That sounds like a serious problem. Looking at the source, I don't see why, though.
>
>> If I understood things correctly, if I compile radius without threads support reap_children() won't be called and zombies will add up?
>
> No. See radiusd.c, look for waitpid(). That code reaps the zombies when there are no threads.

I have checked the source, waitpid() is really there but I don't understand why zombies add up when 1.0.1 is compiled without threads. I found a solution (compiled 1.0.1 with --with-threads option) and it works for me, but I'd like to help freeradius team (if I can) to find the reason why it's broken (at least in my environment) in newer versions. Can I make some tests to narrow down the problem, or some other actions.

Best Regards,
George
Re: Debian + Exec-Program = Zombie process
Rashad Rustamoff wrote:
>> as soon as I send accounting stop packet to radius, test.pl executes and becomes a zombie. (I tried bash script, c program with the same result.)
>>
>> 3890 ?Ss 0:00 /usr/local/freeradius/sbin/radiusd
>> 3893 ?Z 0:00 \_ [test.pl]
>>
>> As far as I know, this should have been fixed in 1.0.3 and I doubt it's debian specific, as I know 0.93 works on another RH 7.3 without a problem (In fact zombie is listed there as well but disappears after several seconds). Any ideas/suggestions?
>
> Did you try version 1.0.1 indeed? I had this problem several months ago with versions 1.0.4 and 1.0.5, but in case of 1.0.1 it works. As I know version 1.0.1 hasn't this problem. My server configuration is similar with yours: Debian 3.1 (Sarge)

Rashad,

Seems 1.0.1 really works when compiled with --with-threads=yes (default). However it doesn't with --with-threads=no flag. 1.0.5 doesn't in both cases, neither does 1.1.0. At least I found a working version - 1.0.1 which is not broken. Thanks.

Best Regards to all who helped to eliminate this problem and whole freeradius team.

George
Re: Debian + Exec-Program = Zombie process
Bjørn Mork wrote:
> George Chelidze <[EMAIL PROTECTED]> writes:
>> as soon as I send accounting stop packet to radius, test.pl executes and becomes a zombie. (I tried bash script, c program with the same result.)
>>
>> 3890 ?Ss 0:00 /usr/local/freeradius/sbin/radiusd
>> 3893 ?Z 0:00 \_ [test.pl]
>>
>> As far as I know, this should have been fixed in 1.0.3 and I doubt it's debian specific, as I know 0.93 works on another RH 7.3 without a problem (In fact zombie is listed there as well but disappears after several seconds). Any ideas/suggestions?
>
> Is it replaced by a new zombie the next time you send an accounting packet, or do the zombies add up?

Zombies add up even when I recompile without --without-threads option.

> The way I read rad_fork(), it will call reap_children() every time it is called. But there's not necessarily anything calling reap_children() inbetween. This means that zombies will only live forever on servers without traffic. You should probably read the comment in front of reap_children() in src/main/threads.c. I believe it explains why this design was chosen.

If I understood things correctly, if I compile radius without threads support reap_children() won't be called and zombies will add up? I am not against compiling it with threads support, but unfortunately I get something like this:

18439 ?Ss 0:00 /usr/local/freeradius/sbin/radiusd
18440 ?S 0:00 \_ /usr/local/freeradius/sbin/radiusd
18441 ?S 0:00 \_ /usr/local/freeradius/sbin/radiusd
18460 ?Z 0:00 | \_ [test.pl]
18492 ?Z 0:00 | \_ [test.pl]
18442 ?S 0:00 \_ /usr/local/freeradius/sbin/radiusd
18480 ?Z 0:00 | \_ [test.pl]
18443 ?S 0:00 \_ /usr/local/freeradius/sbin/radiusd
18483 ?Z 0:00 | \_ [test.pl]
18444 ?S 0:00 \_ /usr/local/freeradius/sbin/radiusd
18486 ?Z 0:00 | \_ [test.pl]
18445 ?S 0:00 \_ /usr/local/freeradius/sbin/radiusd
18489 ?Z 0:00 \_ [test.pl]

> Bjørn

Thanks a lot for your reply
Debian + Exec-Program = Zombie process
Hello,

I am using Debian GNU/Linux 3.1, libc6 2.3.2.ds1-22. I have compiled freeradius 0.93, 1.0.1, 1.0.5, 1.1.0 in turn with the following options:

    ./configure --prefix=/usr/local/freeradius --without-threads

compilation/installation went fine, radius started up fine.

/usr/local/freeradius/etc/raddb/acct_users content:

    DEFAULT Acct-Status-Type == Stop
            Exec-Program = "/usr/local/bin/test.pl"

/usr/local/bin/test.pl content:

    #--
    #!/usr/bin/perl
    exit(0);
    #--

as soon as I send accounting stop packet to radius, test.pl executes and becomes a zombie. (I tried bash script, c program with the same result.)

    3890 ?  Ss  0:00 /usr/local/freeradius/sbin/radiusd
    3893 ?  Z   0:00  \_ [test.pl]

As far as I know, this should have been fixed in 1.0.3 and I doubt it's debian specific, as I know 0.93 works on another RH 7.3 without a problem (In fact zombie is listed there as well but disappears after several seconds). Any ideas/suggestions?

Thanks in advance,
George
Re: Exec-Program-Wait multiple reply items
Dusty Doris wrote:
>> Hello, I have recently migrated to freeradius (latest stable on debian sarge - 1.0.2-4) and faced with the following problem: I use Exec-Program-Wait attribute as a reply item in users file. It returns 3 attributes: NAS-Identifier, Framed-IP-Address and Framed-Route. These attributes are printed on stdout with trailing "\n". However they are not returned to the NAS as are not comma separated. Is there any known workaround for this problem? Thanks in advance.
>
> There was a thread about this in the end of December. I believe you have to return the attributes comma separated, like in the users file. Instead of something like
>
>     printf "Some-Attribute = Somevalue\nAnother-Attribute = Anothervalue\n"
>
> It should be
>
>     printf "Some-Attribute = Somevalue, Another-Attribute = Anothervalue\n"
>
> If that doesn't work, please show your debug (radius -X).

Thanks to all who replied to my question. I knew I forgot something, now I know - search the archives :-) Always suggested others to do so and it happened with me. The solution seems to be replacing \n -s by commas as advised here and in the archives, but there is a piece of code in exec.c which replaces \n-s with commas. I thought it handles situations where multiple items are returned delimited by \n-s, but I was wrong. Perhaps I have to learn the code further.

Best Regards,
George
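The comma-separated output format advised in this thread, as an added Python example that is not code from the thread or from FreeRADIUS. The function names, the sample values and the rule of double-quoting only values that contain spaces (as the Framed-Route lines elsewhere on this page do) are assumptions; values that would change how the line is parsed are refused rather than escaped.

```python
import re

# Attribute names as they appear in the users file: letters, digits, hyphens.
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
# Values made only of these characters are written bare (assumption).
SAFE_BARE = re.compile(r"^[A-Za-z0-9._:/-]+$")


def format_reply_pairs(pairs):
    """Render (attribute, value) pairs as ONE comma-separated line.

    A value holding a control character, a double quote or a backslash is
    rejected: it could end the current item and start a new attribute.
    """
    items = []
    for name, value in pairs:
        if not ATTR_NAME.match(name):
            raise ValueError("bad attribute name: %r" % (name,))
        value = str(value)
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError("control character in value of %s" % name)
        if '"' in value or "\\" in value:
            raise ValueError("quote or backslash in value of %s" % name)
        if SAFE_BARE.match(value):
            items.append("%s = %s" % (name, value))
        else:
            items.append('%s = "%s"' % (name, value))
    return ", ".join(items) + "\n"


def newline_to_comma(output):
    """Convert one-attribute-per-line script output to the comma form."""
    lines = [line.strip() for line in output.splitlines()]
    return ", ".join(line for line in lines if line) + "\n"


# Constructed sample: the three attributes named in the original question.
SAMPLE = [
    ("NAS-Identifier", "nas1"),
    ("Framed-IP-Address", "192.0.2.5"),
    ("Framed-Route", "192.0.2.0/24 192.0.2.1 1"),
]

if __name__ == "__main__":
    # An Exec-Program-Wait script would write this single line to stdout.
    print(format_reply_pairs(SAMPLE), end="")
```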
Re: pppoe-server and Framed-Route
Hello Alan,

Alan DeKok wrote:
> George Chelidze <[EMAIL PROTECTED]> wrote:
>> I'd like to add a route to my ppp server box so I add Framed-Route to reply items. All attributes are passed back to pppd as it creates /var/run/radattr.pppX which contains all attributes but route is not added to the system. I understand it's not radius question but it's at least related and maybe someone has seen this before and solved it.
>
> It's a problem with PPPoE.

Yes it is. I posted this question in hope that someone here has already seen it and solved the problem

> Alan DeKok.

Thanks,
-- 
George Chelidze
Re: pppoe-server and Framed-Route
Hello Ken, Ken A wrote: We've added framed routes with freeradius like so: Framed-IP-Address = x.x.x.1, Framed-Route += "x.x.x.2/32 x.x.x.1 1", Framed-Route += "x.x.x.2/32 x.x.x.1 2", Framed-Route += "x.x.x.2/32 x.x.x.1 3", or Framed-IP-Address = x.x.x.1, Framed-Route = "x.x.x.x/30 x.x.x.1 1" This is using pppoe, but with redback as terminal server for dsl, so it's a bit different than what you are doing. I am adding them exactly the same way. Thanks for your input anyway Ken Alan DeKok wrote: George Chelidze <[EMAIL PROTECTED]> wrote: I'd like to add a route to my ppp server box so I add Framed-Route to reply items. All attributes are passed back to pppd as it creates /var/run/radattr.pppX which contains all attributes but route is not added to the system. I understand it's not radius question but it's at least related and maybe someone has seen this before and solved it. It's a problem with PPPoE. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
pppoe-server and Framed-Route
Hello, Debian Woody, ppp-2.4.2, rp-pppoe-3.5, radius server. I'd like to add a route to my ppp server box so I add Framed-Route to reply items. All attributes are passed back to pppd as it creates /var/run/radattr.pppX which contains all attributes but route is not added to the system. I understand it's not radius question but it's at least related and maybe someone has seen this before and solved it. Thanks in advance. -- George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Telnet access via Radius
Hello,

Costas Christonis wrote:
> Hi to all, i'm trying to set the telnet access to my users through radius and ldap server. What i did until now is that everyone that has the attribute "Service-type" with the value "exec-user" can telnet to my cisco switches and routers in privilege level 5. I insert the attribute "Ciscoavpair" with the value "exec:priv-lvl=0" or with the value "exec:privilege-level=0" but nothing happens, everyone can telnet to my switches and logon privilege level 5.

It's called Cisco-AVPair not CiscoAVPair.

> Can anyone help me? Best regards

Best Regards,
-- 
George Chelidze
Re: Radius backup
Hello, Kostas Kalevras wrote: On Wed, 10 Nov 2004, George Chelidze wrote: Hello, I have read a lot of docs around, searched among many different archives on the net but still feel I have not correct solution to my problem: Very common setup: I have a cisco router which required radius for authentication and accounting. MySQL is used as backend database. Everything is configured and is working just fine. The task is to configure secondary radius server which will act as backup server if primary server fails. I have found out that I can configure secondary server the same way I did with primary, set up mysql replication to make sure secondary server has the same data that primary has. I also should add secondary radius details to router and whe primary fails, router will fall back to secondary server. But the failures can be of different types: 1. primary server crashed and won't come back without human's help. This is the best case from my point of view, because secondary server contains all data it requires for operation. 2. primary server can't be reached because of network problems which may be solved after a while. If primary server comes back, router will switch back to it and here is a problem: primary server contains different data from secondary server so it can't contain operations properly before data is synced again. Bidirectional replication is not a solution because for example accounting updates or inserts records into accounting table according to already inserted rows, so order matters. I know I am not the first and not the last who faced with this problem and I would like to hear from people who solved such problems. Any suggestions are welcome. The solution is to configure radrelay on both servers. See doc/radrelay. That way you can have exactly the same accounting information on both servers and also avoid the troubles of setting up and maintaining sql replication. Thank you very much for your quick reply. Seems it's what I am looking for. 
Best Regards, -- George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius backup
Hello, I have read a lot of docs around, searched among many different archives on the net but still feel I have not correct solution to my problem: Very common setup: I have a cisco router which required radius for authentication and accounting. MySQL is used as backend database. Everything is configured and is working just fine. The task is to configure secondary radius server which will act as backup server if primary server fails. I have found out that I can configure secondary server the same way I did with primary, set up mysql replication to make sure secondary server has the same data that primary has. I also should add secondary radius details to router and whe primary fails, router will fall back to secondary server. But the failures can be of different types: 1. primary server crashed and won't come back without human's help. This is the best case from my point of view, because secondary server contains all data it requires for operation. 2. primary server can't be reached because of network problems which may be solved after a while. If primary server comes back, router will switch back to it and here is a problem: primary server contains different data from secondary server so it can't contain operations properly before data is synced again. Bidirectional replication is not a solution because for example accounting updates or inserts records into accounting table according to already inserted rows, so order matters. I know I am not the first and not the last who faced with this problem and I would like to hear from people who solved such problems. Any suggestions are welcome. Best Regards, -- George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Regarding ip pools
You can return VSA with poolname. It depends on your NAS vendor. For example we use: USR-Framed_IP_Address_Pool_Name = "poolname" for our HiperArc. Hope this helps. Best Regards, athif abdul aziz wrote: Hi , Can anyone please give me idea as to how i can configure freeradius to assign addressess to dial-in users from an ip-pool ? Regards Athif -- George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: stupid question
Hello, First, you should place Auth-Type := Accept in your radcheck not radreply Second, please show us your configuration files. Best Regards, Brian Ammons wrote: I am a radius rookie. I have FreeRadius 1.0.0 installed on Slack 9.1 and have the mySql compatibility working as well. I ran the script that was included with the source code to create the mySql tables. My problem is not with getting the server running - it's that I can't make it deny access when I want, or accept when I want. I'm using NTRadPing for testing. For example...there's only one username defined (bammons) in the table "usergroup", and that user is a member of groupname "administrators". In the table "radcheck", I setup "username" = "bammons", "Attribute" = "Password", "op" = "==" and "Value" = "wtfover". So at that point I've setup a user and a password for that user, right? After it validates, it's supposed to look @ the table "radreply" for what to do, right? In "radreply", I define "username" = "bammons", "Attribute" = "Auth-Type", "op" = "==" and "Value" = "Accept". You may know that that does NOT result in the "Access-Accept" message I expected to see, but I can't figure out why. I'm running radiusd in full debug mode (radiusd -xxyz -l stdout) and I see the following: modcall: entering group authenticate for request 34 modcall [authenticate]: module "unix" returns notfound for request 34 modcall: group authenticate returns notfound for request 34 auth: Failed to validate the user. OK, so I see that it wants to find an entry for the group "administrators" in the "radgroupcheck" table. So I add that - "groupname" = "administrators", "attribute" = Auth-Type, "op" = "==" and "Value" = "Local" (I picked "local" because it's listed as an "Auth-Type" value in the Hassell Radius book) and then that works, I get "Access-Accept" back from the server. WHY is that required? WHAT can I do about the error message that appears, "Warning: Found 2 auth-types on request for user 'bammons'"? 
I've tried putting "Service-Type" in place of "Auth-Type" in "radgroupcheck" but that doesn't work...what am I missing here? Back to the working config...I change the Auth-Type in "radreply" to "Reject", but I still get an "Access - Accept" reply - this is (I suspect) because any Auth-Type entries found in "radgroupcheck" take precedence over any others...except that just doesn't seem right, what am I missing? I guess ultimately despite trying to read everything I could find, I just don't get how the RADIUS system steps through the different tables. Thanks for your gentle replies. Brian Ammons - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with nostrip
Hello Alan,

Alan DeKok wrote:
> George Chelidze <[EMAIL PROTECTED]> wrote:
>>> Please read "sql.conf", and look for "sql_user_name"
>>
>>     sql_user_name = "%{User-Name}"
>>
>> but As I understand User-Name should be equal Stripped-User-Name, seems I am wrong...
>
> No. They are different attributes.

I know they are different, and I think you mean to use

    sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"

instead of

    sql_user_name = "%{User-Name}"

The only thing I don't understand in this case is the following comments from proxy.conf

    # A standard realm entry. A request from "[EMAIL PROTECTED]" will be
    # sent to radius.company.com as "user", unless the 'nostrip'
    # configuration item is specified. If the 'nostrip' configuration
    # item is specified, then the request will be proxied as
    # "[EMAIL PROTECTED]"

doesn't that mean that User-Name which is "[EMAIL PROTECTED]" before proxying will become "test" in proxy request?

> Go back and read the REST of "sql.conf", and KEEP LOOKING for "sql_user_name". There are instructions in the comments which tell you how to solve your problem.
>
> Alan DeKok.

Best Regards,
-- 
George Chelidze
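How the two sql_user_name settings quoted in this message resolve once the realm module has run, as an added Python example that is not FreeRADIUS code. The helper names are hypothetical, the user name test@localhost is constructed from the 'test' and 'localhost' values given in the thread, and the model assumes that stripping leaves User-Name unchanged and only adds Stripped-User-Name, and that an empty or missing attribute falls through to the text after ":-".

```python
def apply_realm(user_name, known_realms, nostrip=False, delimiter="@"):
    """Model of a suffix realm match: returns the request attributes."""
    attrs = {"User-Name": user_name}
    user, sep, realm = user_name.rpartition(delimiter)
    if sep and realm in known_realms:
        attrs["Realm"] = realm
        if not nostrip:
            # User-Name itself is left as the client sent it.
            attrs["Stripped-User-Name"] = user
    return attrs


def _matching_brace(text, start):
    """Index of the '}' closing a '%{' whose body begins at start."""
    depth = 1
    for pos in range(start, len(text)):
        if text[pos] == "{":
            depth += 1
        elif text[pos] == "}":
            depth -= 1
            if depth == 0:
                return pos
    raise ValueError("unterminated %{ in template")


def expand(template, attrs):
    """Expand %{Name} and %{Name:-fallback}; the fallback may nest."""
    out = []
    pos = 0
    while pos < len(template):
        if template.startswith("%{", pos):
            end = _matching_brace(template, pos + 2)
            name, sep, fallback = template[pos + 2:end].partition(":-")
            value = attrs.get(name)
            if value:
                out.append(value)
            elif sep:
                out.append(expand(fallback, attrs))
            pos = end + 1
        else:
            out.append(template[pos])
            pos += 1
    return "".join(out)


# The two settings discussed in the thread.
PLAIN = "%{User-Name}"
FALLBACK = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"

if __name__ == "__main__":
    request = apply_realm("test@localhost", {"localhost"})
    print("plain    ->", expand(PLAIN, request))
    print("fallback ->", expand(FALLBACK, request))
```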
Re: Problem with nostrip
Alan DeKok wrote: George Chelidze <[EMAIL PROTECTED]> wrote: as I haven't specified nostrip directive I thought radius would query database with User-Name = 'test' but it uses User-Name = '[EMAIL PROTECTED]'. I looked at debug output and I found that 'test' is assigned to Stripped-User-Name, 'localhost' is assigned to Realm but sql module still uses [EMAIL PROTECTED] as User-Name. Please read "sql.conf", and look for "sql_user_name" sql_user_name = "%{User-Name}" but As I understatnd User-Name should be equal Stripped-User-Name, seems I am wrong... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Best Regards, -- George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with nostrip
Hello,

I use freeradius 0.9.3 from fedora core 2 distro. I'd like to use mysql tables to store users information. I test my configuration against User-Name = "[EMAIL PROTECTED]"

proxy.conf listing:

    realm localhost {
        type = radius
        authhost = LOCAL
    }

as I haven't specified nostrip directive I thought radius would query database with User-Name = 'test' but it uses User-Name = '[EMAIL PROTECTED]'. I looked at debug output and I found that 'test' is assigned to Stripped-User-Name, 'localhost' is assigned to Realm but sql module still uses [EMAIL PROTECTED] as User-Name. I tried to add files section like this:

    files {
        preproxy_usersfile = ${confgir}/preproxy_users
    }

and place "files" between "REALM" and "sql" in authorize section but the result is the same. radiusd.conf is listed below (I have removed not needed lines to make it shorter). What can be done to correct this problem?

    proxy_requests = yes
    $INCLUDE ${confdir}/proxy.conf

    modules {
        realm REALM {
            format = suffix
            delimiter = "@"
        }
        detail acct_detail {
            detailfile = ${radacctdir}/%{Client-IP-Address}/acct-detail-%Y%m%d
            detailperm = 0600
        }
        detail auth_detail {
            detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
            detailperm = 0600
        }
        acct_unique {
            key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
        }
        $INCLUDE ${confdir}/sql.conf
    }

    authorize {
        REALM
        sql
        auth_detail
    }

    accounting {
        acct_unique
        sql
        acct_detail
    }

Thanks in advance.

Best Regards,
-- 
George Chelidze
Re: Executing External Program
Hello,

If my understanding is correct, your authorize section should look similar to this:

    authorize {
        ...
        test
        ...
    }

Have you done this?

Best Regards,

[EMAIL PROTECTED] wrote:
> Hi am trying to execute a program before authentication so I could deny access if it is on a callingstationnumber ban list on mysql.. But Script is not being Executing.. what seems the problem?
>
> radiusd.conf
>
>     exec test{
>         wait = yes
>         program = "/usr/local/bin/php -f /scriptest/test.php"
>         input_pairs = request
>         output_pairs = reply
>         packet_type = Access-Request
>     }
>
> Test.php
>
>     <?php
>     //log to txt
>     function logtotxt($somecontent) {
>         $filename = 'log.txt';
>         $handle = fopen($filename, 'a');
>         fwrite($handle, $somecontent);
>         fclose($handle);
>     }
>     logtotxt("Script Was Excecuted");
>     // Make a test
>     if (!empty($clientcallingstation) && !empty($calledstationid)) {
>         logtotxt("$clientcallingstation:$calledstationid");
>         $retval = 0;
>     } else {
>         // otherwise reject
>         $retval = 1;
>     }
>     exit ($retval);
>     ?>

-- 
George Chelidze
Re: Acct-Unique-Session-Id and exec
Thanks, I'll try to dig in this way. Best Regards Thor Spruyt wrote: Might be caused by acct packets for the same sessions coming from different IP addresses, which causes Client-IP-Address to have a different value. - Original Message - From: "George Chelidze" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, July 26, 2004 1:37 PM Subject: Acct-Unique-Session-Id and exec Hello, I am running freeradius 0.9.3. I need to run an external program after stop record arrives. I pass %{Acct-Unique-Session-Id}, %{User-Name} and %{Calling-Station-Id} to this external program. according to this username and callingnumber it does some calculations and should update radacct table for this acctuniquesessionid. The problem is that often my external program receives uniquesessionid which is not found in radacct. As noted in config, exec is called after sql so it should be there but... Is there any obvious reason for this? Now I decided to use Acct-Session-Id instead and since then I have no problems. Any suggestions? my config: ... modules { realm RealM { format = suffix delimiter = "@" } preprocess { with_cisco_vsa_hack = yes } files { usersfile = ${confdir}/users } exec setprice { wait = no program = "/usr/local/radius/share/epw %{Acct-Status-Type} %{User-Name} %{Acct-Session-Id} %{Calling-Station-Id}" input_pairs = request } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id" } $INCLUDE ${confdir}/sql.conf } ... preacct { preprocess } accounting { acct_unique sql setprice detail } Best Regards, -- George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- George Chelidze - List info/subscribe/unsubscribe? 
See http://www.freeradius.org/list/users.html
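Thor Spruyt's explanation above, worked through as an added Python example that is not FreeRADIUS code: the same session reported from two source addresses produces two different unique IDs, so the Stop lookup misses the row written for the Start. The hashing scheme (first 8 bytes of an MD5 over the "Attr = value" pairs, in key order) is an assumed model of the acct_unique module, and the packets and function names are constructed for illustration; only the key string comes from the posted config.

```python
import hashlib

# Key list copied from the acct_unique section in the posted config.
KEY = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"


def key_names(key=KEY):
    """Split the configured key string into attribute names."""
    return [name.strip() for name in key.split(",") if name.strip()]


def unique_session_id(packet, key=KEY):
    """Assumed model: hash the key attributes present in the packet."""
    parts = ["%s = %s" % (n, packet[n]) for n in key_names(key) if n in packet]
    digest = hashlib.md5(",".join(parts).encode("utf-8")).hexdigest()
    return digest[:16]  # 8 bytes, hex encoded


def unstable_attributes(first, second, key=KEY):
    """Key attributes whose values differ between two packets of one session."""
    return [n for n in key_names(key) if first.get(n) != second.get(n)]


def key_without(names, key=KEY):
    """The key string with the given attribute names removed."""
    return ", ".join(n for n in key_names(key) if n not in names)


# Constructed packets: one session, but the Stop arrives from a different
# source address of the same NAS, so Client-IP-Address differs.
START = {
    "User-Name": "alice",
    "Acct-Session-Id": "0000A1B2",
    "NAS-IP-Address": "192.0.2.1",
    "Client-IP-Address": "192.0.2.10",
    "NAS-Port-Id": "7",
}
STOP = dict(START, **{"Client-IP-Address": "192.0.2.11"})

if __name__ == "__main__":
    print("start id :", unique_session_id(START))
    print("stop id  :", unique_session_id(STOP))
    varying = unstable_attributes(START, STOP)
    print("differs  :", varying)
    reduced = key_without(varying)
    print("reduced key gives equal ids:",
          unique_session_id(START, reduced) == unique_session_id(STOP, reduced))
```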
Acct-Unique-Session-Id and exec
Hello,

I am running freeradius 0.9.3. I need to run an external program after stop record arrives. I pass %{Acct-Unique-Session-Id}, %{User-Name} and %{Calling-Station-Id} to this external program. according to this username and callingnumber it does some calculations and should update radacct table for this acctuniquesessionid. The problem is that often my external program receives uniquesessionid which is not found in radacct. As noted in config, exec is called after sql so it should be there but... Is there any obvious reason for this? Now I decided to use Acct-Session-Id instead and since then I have no problems. Any suggestions?

my config:

    ...
    modules {
        realm RealM {
            format = suffix
            delimiter = "@"
        }
        preprocess {
            with_cisco_vsa_hack = yes
        }
        files {
            usersfile = ${confdir}/users
        }
        exec setprice {
            wait = no
            program = "/usr/local/radius/share/epw %{Acct-Status-Type} %{User-Name} %{Acct-Session-Id} %{Calling-Station-Id}"
            input_pairs = request
        }
        detail {
            detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
            detailperm = 0600
        }
        detail auth_log {
            detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
            detailperm = 0600
        }
        acct_unique {
            key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
        }
        $INCLUDE ${confdir}/sql.conf
    }
    ...
    preacct {
        preprocess
    }
    accounting {
        acct_unique
        sql
        setprice
        detail
    }

Best Regards,
-- 
George Chelidze
Re: executing external program after accounting_stop_query
Hello, Paul Hampson wrote: On Mon, Jun 21, 2004 at 03:15:29PM +0500, George Chelidze wrote: Hello, I need to add one column to radacct table and set it according to values inserted into table on stop packet receipt. The external program is coded in C. What if I place acct_users after sql in accounting section? Will it work? The example of possible accounting section from radiusd.conf is listed below: accounting { sql acct_users } section from acct_users DEFAULT Acct-Status-Type == Stop Exec-Program = "/path/program arguments" Sure I can test it myself but would be great to hear your input. If it won't work, is there any other way? You might be better off using rlm_exec (if you're using a recent enough FreeRADIUS version) and testing for 'Stop' or otherwise in that script, rather than using Exec-Program, which is somewhat deprecated, and known to have threading issues (on some platforms...) Paul thanks for your quick response. I use freeradius 0.9.3. it's recent enough isn't it? I wonder if the schema I described will work or not. If it will, it will prove my understanding is correct. I'll read some docs for rlm_exec. Thanks Best Regards, -- George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
executing external program after accounting_stop_query
Hello,

I need to add one column to radacct table and set it according to values inserted into table on stop packet receipt. The external program is coded in C. What if I place acct_users after sql in accounting section? Will it work? The example of possible accounting section from radiusd.conf is listed below:

    accounting {
        sql
        acct_users
    }

section from acct_users

    DEFAULT Acct-Status-Type == Stop
            Exec-Program = "/path/program arguments"

Sure I can test it myself but would be great to hear your input. If it won't work, is there any other way?

Thanks in advance and best Regards,
-- 
George Chelidze