Exec-Program-Wait w/ FreeRADIUS 2.1.3

2009-03-17 Thread Jeremiah Millay
I'm having trouble getting FreeRADIUS to run programs called by 
Exec-Program-Wait in the newest version of FreeRADIUS (version 2.1.3). 
I'm using a custom C script that used to work with all versions of 
FreeRADIUS prior to version 2.


I have an entry like this in the users file which is matching my 
access-requests:



DEFAULT Suffix == "@test.net", Auth-Type := Accept
   Exec-Program-Wait = "/usr/local/sbin/checkradacct %{Stripped-User-Name} %{Password}",
   Ascend-Data-Filter += "ip in forward tcp est",
   Ascend-Data-Filter += "ip in forward dstip 10.0.0.0/24 tcp",
   Ascend-Data-Filter += "ip in drop tcp dstport = 25",
   Ascend-Data-Filter += "ip in forward",
   Fall-Through = No



Here is my debugging output when I attempt to authenticate (doesn't 
appear to execute my program):



Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.1 port 49411, id=74, length=76
   User-Name = jmil...@test.net
   User-Password = blah
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
   Framed-Protocol = PPP
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.1/auth-detail-20090317
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.1/auth-detail-20090317
[auth_log]  expand: %t -> Tue Mar 17 13:58:23 2009
++[auth_log] returns ok
[suffix] Looking up realm test.net for User-Name = jmil...@test.net
[suffix] Found realm test.net
[suffix] Adding Stripped-User-Name = jmillay
[suffix] Adding Realm = test.net
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 26
[files] expand: /usr/local/sbin/checkradacct %{Stripped-User-Name} %{Password} -> /usr/local/sbin/checkradacct jmillay blah
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [jmil...@test.net] (from client 10.1.1.1 port 0)
Sending Access-Accept of id 74 to 10.1.1.1 port 49411
   Ascend-Data-Filter += ip in forward tcp est
   Ascend-Data-Filter += ip in forward dstip 10.0.0.0/24 tcp
   Ascend-Data-Filter += ip in drop tcp dstport = 25
   Ascend-Data-Filter += ip in forward 0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 74 with timestamp +21



Any suggestions? I read in the docs that Exec-Program and 
Exec-Program-Wait are deprecated but I haven't found any clear 
documentation on how to configure rlm_exec to duplicate what I am trying 
to do.

Thanks in advance,
Jeremiah

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec-Program-Wait w/ FreeRADIUS 2.1.3

2009-03-17 Thread Jeremiah Millay
Replying to myself... I missed uncommenting exec from the post-auth 
section of default site. Everything is working now. Sorry for 
wasting your valuable mailbox space.

Jeremiah


Freeradius performance settings or bug?

2008-04-22 Thread Jeremiah Millay

Hi,
I'm seeing some odd behavior running freeradius-1.1.7 in a freebsd 6.3 
environment. I see a lot of these in the radius log:


Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from client arc3.wnskvtao.sover.net:1645 - ID: 208 due to unfinished request 1267
Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from client arc3.wnskvtao.sover.net:1645 - ID: 209 due to unfinished request 1268


as well as the cputime constantly increasing the longer I leave radiusd 
running:


last pid: 34247;  load averages:  0.29,  0.32,  0.39    up 4+22:29:48  09:27:05
30 processes:  2 running, 28 sleeping
CPU states:  2.6% user,  0.0% nice, 10.5% system,  0.0% interrupt, 86.8% idle
Mem: 17M Active, 447M Inact, 173M Wired, 20K Cache, 112M Buf, 2618M Free
Swap: 4096M Total, 4096M Free

  PID USERNAME  PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
34011 root       20    0  9852K  6904K kserel 2   8:09  1.61% radiusd
34011 root       96    0  9852K  6904K select 0   8:09  0.00% radiusd
34011 root       20    0  9852K  6904K kserel 2   8:09  0.00% radiusd
34011 root       20    0  9852K  6904K kserel 2   8:09  0.00% radiusd
34011 root       20    0  9852K  6904K ksesig 0   8:09  0.00% radiusd
34011 root       98    0  9852K  6904K CPU0   0   8:09  0.00% radiusd

Looking at older messages posted to the list, I see Alan suggests that 
the duplicate requests are related to radiusd not replying quickly 
enough due to either having hostname lookups enabled or due to sql 
backend slowness. I'm not using sql in my configuration and do not have 
hostname lookups enabled.
Are there any settings I could tweak in radiusd.conf to help? Maybe 
there is a bug I am not aware of relating to running freeradius under 
freebsd (I know there are some SMP related issues).


Here are some configuration snippets that may be relevant:

cleanup_delay = 2
max_requests = 10240
hostname_lookups = no
thread pool {
   start_servers = 20
   max_servers = 32
   min_spare_servers = 3
   max_spare_servers = 10
   max_requests_per_server = 0
}

Any help or suggestions would be greatly appreciated.
Jeremiah
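
An added example, not part of the original post: a small parser for the "Discarding duplicate request" lines quoted above. It groups them by client and unfinished request number, since the time between the first and last duplicate for one request is a lower bound on how long the server was stuck on it. The sample log and client names are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the radius.log format quoted in the post;
# the client names are placeholders, not hosts from the thread.
SAMPLE_LOG = """\
Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from client nas1.example.net:1645 - ID: 208 due to unfinished request 1267
Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from client nas1.example.net:1645 - ID: 209 due to unfinished request 1268
Tue Apr 22 09:27:45 2008 : Info: Ready to process requests.
Tue Apr 22 09:28:10 2008 : Error: Discarding duplicate request from client nas2.example.net:1645 - ID: 17 due to unfinished request 1301
Tue Apr 22 09:28:12 2008 : Error: Discarding duplicate request from client nas1.example.net:1645 - ID: 208 due to unfinished request 1267
"""

DUP_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Error: "
    r"Discarding duplicate request from client (?P<client>\S+):(?P<port>\d+)"
    r" - ID: (?P<id>\d+) due to unfinished request (?P<req>\d+)$"
)

def stuck_requests(log_text):
    """Group duplicate-request errors by (client, unfinished request number).

    Returns rows sorted by how long retransmits kept arriving for a request,
    which is a lower bound on how long that request stayed unfinished.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = DUP_RE.match(line.strip())
        if m:  # unrelated log lines are skipped
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            seen[(m["client"], int(m["req"]))].append(ts)
    rows = [
        {"client": c, "request": r, "duplicates": len(t),
         "stuck_seconds": int((max(t) - min(t)).total_seconds())}
        for (c, r), t in seen.items()
    ]
    return sorted(rows, key=lambda x: (-x["stuck_seconds"], -x["duplicates"], x["request"]))

def per_client_totals(rows):
    """Total discarded duplicates per client, to spot the noisiest NAS."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["client"]] += row["duplicates"]
    return dict(totals)

if __name__ == "__main__":
    for row in stuck_requests(SAMPLE_LOG):
        print(row)
```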




Re: Freeradius performance settings or bug?

2008-04-22 Thread Jeremiah Millay

Phil Mayers wrote:
> Jeremiah Millay wrote:
>> Hi,
>> I'm seeing some odd behavior running freeradius-1.1.7 in a freebsd
>> 6.3 environment. I see a lot of these in the radius log:
>>
>> Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from client arc3.wnskvtao.sover.net:1645 - ID: 208 due to unfinished request 1267
>> Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from client arc3.wnskvtao.sover.net:1645 - ID: 209 due to unfinished request 1268
>>
>> as well as the cputime constantly increasing the longer I leave
>> radiusd running:
>
> Well yes; the process runs, and accumulates CPU time.

Sorry, that was dumb of me.

> What OS is this?

FreeBSD 6.3-p2 (I applied a patch to p1 which fixed a bug in
libthread which seemed to help out cpu utilization significantly). Still
seeing these duplicate request errors however.

>> Looking at older messages posted to the list, I see Alan suggests
>> that the duplicate requests are related to radiusd not replying
>> quickly enough due to either having hostname lookups enabled or due
>> to sql backend slowness. I'm not using sql in my configuration and do
>> not have hostname lookups enabled.
>
> Are you using wtmp i.e. radlast. Don't. It's slow.

Here are some more snippets related to wtmp (from what I can tell):

unix {
   cache = no
   cache_reload = 600
   radwtmp = ${logdir}/radwtmp
}
accounting {
   detail
   unix
   radutmp
}

session {
   radutmp
}

I'm guessing it won't harm anything to remove the radwtmp line from the
unix configuration. Correct? I suppose it's also ok to remove unix and
radutmp from the accounting section?
Thanks so much for your suggestions. I think you are on to something!
Let me know if you want me to send you the whole config... (I'll need to
clean it up first).

Jeremiah

>> Here are some configuration snippets that may be relevant:
>>
>> cleanup_delay = 2
>> max_requests = 10240
>> hostname_lookups = no
>> thread pool {
>>    start_servers = 20
>>    max_servers = 32
>>    min_spare_servers = 3
>>    max_spare_servers = 10
>>    max_requests_per_server = 0
>> }
>
> That looks OK as a first cut. What's the full config?


mod_auth_radius question

2008-02-11 Thread Jeremiah Millay
I have a question regarding mod_auth_radius which doesn't seem to be 
addressed by the included documentation or anything I have found with a 
google search.
When configuring the module in the apache configuration (I'm using the 
latest 1.3 branch) is it possible to specify more than one radius server 
so that it will fail over in the event that the first is down? Something 
like this:


<IfModule mod_auth_radius.c>
#
# AddRadiusAuth server[:port] shared-secret [ timeout [ : retries ]]
#
AddRadiusAuth server1.example.com:1645 secret 5:3
AddRadiusAuth server2.example.com:1645 secret 5:3
AddRadiusCookieValid 60
</IfModule>

It seems as though this doesn't work or it wants to use only the last 
one specified. Am I missing something? Anybody have experience trying to 
use this module in a similar setup? It would be great to be able to get 
this working with both of my radius servers.

Thanks in advance!
Jeremiah
