Exec-Program-Wait w/ FreeRADIUS 2.1.3
I'm having trouble getting FreeRADIUS to run programs called by Exec-Program-Wait in the newest version of FreeRADIUS (version 2.1.3). I'm using a custom C script that used to work with all versions of FreeRADIUS prior to version 2. I have an entry like this in the users file which is matching my access-requests:

    DEFAULT Suffix == "@test.net", Auth-Type := Accept
        Exec-Program-Wait = "/usr/local/sbin/checkradacct %{Stripped-User-Name} %{Password}",
        Ascend-Data-Filter += "ip in forward tcp est",
        Ascend-Data-Filter += "ip in forward dstip 10.0.0.0/24 tcp",
        Ascend-Data-Filter += "ip in drop tcp dstport = 25",
        Ascend-Data-Filter += "ip in forward",
        Fall-Through = No

Here is my debugging output when I attempt to authenticate (doesn't appear to execute my program):

    Listening on authentication address * port 1812
    Listening on accounting address * port 1813
    Listening on proxy address * port 1814
    Ready to process requests.
    rad_recv: Access-Request packet from host 10.1.1.1 port 49411, id=74, length=76
        User-Name = jmil...@test.net
        User-Password = blah
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
        Framed-Protocol = PPP
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radacct/10.1.1.1/auth-detail-20090317
    [auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.1/auth-detail-20090317
    [auth_log] expand: %t - Tue Mar 17 13:58:23 2009
    ++[auth_log] returns ok
    [suffix] Looking up realm test.net for User-Name = jmil...@test.net
    [suffix] Found realm test.net
    [suffix] Adding Stripped-User-Name = jmillay
    [suffix] Adding Realm = test.net
    [suffix] Authentication realm is LOCAL.
    ++[suffix] returns ok
    [files] users: Matched entry DEFAULT at line 26
    [files] expand: /usr/local/sbin/checkradacct %{Stripped-User-Name} %{Password} - /usr/local/sbin/checkradacct jmillay blah
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] Found existing Auth-Type, not changing it.
    ++[pap] returns noop
    Found Auth-Type = Accept
    Auth-Type = Accept, accepting the user
    Login OK: [jmil...@test.net] (from client 10.1.1.1 port 0)
    Sending Access-Accept of id 74 to 10.1.1.1 port 49411
        Ascend-Data-Filter += ip in forward tcp est
        Ascend-Data-Filter += ip in forward dstip 10.0.0.0/24 tcp
        Ascend-Data-Filter += ip in drop tcp dstport = 25
        Ascend-Data-Filter += ip in forward 0
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 74 with timestamp +21

Any suggestions? I read in the docs that Exec-Program and Exec-Program-Wait are deprecated but I haven't found any clear documentation on how to configure rlm_exec to duplicate what I am trying to do.

Thanks in advance,
Jeremiah

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Exec-Program-Wait w/ FreeRADIUS 2.1.3
Replying to myself... I missed uncommenting exec from the post-auth section of default site. Everything is working now. Sorry for wasting your valuable mailbox space.

Jeremiah
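The misconfiguration resolved in the reply above, as an added check that is not part of the original thread: it reports Exec-Program attributes in a users file that will never run because `exec` is not enabled in the `post-auth` section. The sample site and users text are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of a FreeRADIUS 2.x virtual server file (not from the post):
# "exec" is still commented out in post-auth, as in the misconfiguration above.
SAMPLE_SITE = """
authorize {
    preprocess
    suffix
    files
}
post-auth {
    #  exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
"""

# Constructed users-file entry modelled on the one in the post.
SAMPLE_USERS = '''
DEFAULT Suffix == "@test.net", Auth-Type := Accept
    Exec-Program-Wait = "/usr/local/sbin/checkradacct %{Stripped-User-Name}",
    Fall-Through = No
'''

def section_modules(config, section):
    """Return module names listed directly inside a top-level section."""
    modules, stack = [], []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, so "# exec" is ignored
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())   # entering a (possibly nested) section
        elif line == "}" and stack:
            stack.pop()
        elif stack == [section]:              # only entries at the section's top level
            modules.append(line)
    return modules

def exec_attrs_without_module(site_config, users_text):
    """List Exec-Program* reply attributes in the users file that will not be
    executed because "exec" is not enabled in post-auth."""
    used = sorted(set(re.findall(r"^\s*(Exec-Program(?:-Wait)?)\s*[:+]?=", users_text, re.M)))
    if "exec" in section_modules(site_config, "post-auth"):
        return []
    return used
```

An empty result means every Exec-Program attribute found has the `exec` module available to run it in `post-auth`.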
Freeradius performance settings or bug?
Hi, I'm seeing some odd behavior running freeradius-1.1.7 in a freebsd 6.3 environment. I see a lot of these in the radius log:

    Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from client arc3.wnskvtao.sover.net:1645 - ID: 208 due to unfinished request 1267
    Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from client arc3.wnskvtao.sover.net:1645 - ID: 209 due to unfinished request 1268

as well as the cputime constantly increasing the longer I leave radiusd running:

    last pid: 34247; load averages: 0.29, 0.32, 0.39 up 4+22:29:48 09:27:05
    30 processes: 2 running, 28 sleeping
    CPU states: 2.6% user, 0.0% nice, 10.5% system, 0.0% interrupt, 86.8% idle
    Mem: 17M Active, 447M Inact, 173M Wired, 20K Cache, 112M Buf, 2618M Free
    Swap: 4096M Total, 4096M Free

      PID USERNAME PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
    34011 root      20    0  9852K  6904K kserel 2   8:09  1.61% radiusd
    34011 root      96    0  9852K  6904K select 0   8:09  0.00% radiusd
    34011 root      20    0  9852K  6904K kserel 2   8:09  0.00% radiusd
    34011 root      20    0  9852K  6904K kserel 2   8:09  0.00% radiusd
    34011 root      20    0  9852K  6904K ksesig 0   8:09  0.00% radiusd
    34011 root      98    0  9852K  6904K CPU0   0   8:09  0.00% radiusd

Looking at older messages posted to the list, I see Alan suggests that the duplicate requests are related to radiusd not replying quickly enough due to either having hostname lookups enabled or due to sql backend slowness. I'm not using sql in my configuration and do not have hostname lookups enabled. Are there any settings I could tweak in radiusd.conf to help? Maybe there is a bug I am not aware of relating to running freeradius under freebsd (I know there are some SMP related issues).

Here are some configuration snippets that may be relevant:

    cleanup_delay = 2
    max_requests = 10240
    hostname_lookups = no
    thread pool {
        start_servers = 20
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
    }

Any help or suggestions would be greatly appreciated.

Jeremiah
Re: Freeradius performance settings or bug?
Phil Mayers wrote:
> Jeremiah Millay wrote:
>> Hi, I'm seeing some odd behavior running freeradius-1.1.7 in a freebsd 6.3 environment. I see a lot of these in the radius log:
>>
>>     Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from client arc3.wnskvtao.sover.net:1645 - ID: 208 due to unfinished request 1267
>>     Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from client arc3.wnskvtao.sover.net:1645 - ID: 209 due to unfinished request 1268
>>
>> as well as the cputime constantly increasing the longer I leave radiusd running:
>
> Well yes; the process runs, and accumulates CPU time.

Sorry, that was dumb of me.

> What OS is this?

FreeBSD 6.3-p2 (I applied a patch to p1 which fixed a bug in libthread which seemed to help out cpu utilization significantly). Still seeing these duplicate request errors however.

>> Looking at older messages posted to the list, I see Alan suggests that the duplicate requests are related to radiusd not replying quickly enough due to either having hostname lookups enabled or due to sql backend slowness. I'm not using sql in my configuration and do not have hostname lookups enabled.
>
> Are you using wtmp i.e. radlast. Don't. It's slow.

Here are some more snippets related to wtmp (from what I can tell):

    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }
    accounting {
        detail
        unix
        radutmp
    }
    session {
        radutmp
    }

I'm guessing it won't harm anything to remove the radwtmp line from the unix configuration. Correct? I suppose it's also ok to remove unix and radutmp from the accounting section?

Thanks so much for your suggestions. I think you are on to something! Let me know if you want me to send you the whole config... (I'll need to clean it up first).

Jeremiah

>> Here are some configuration snippets that may be relevant:
>>
>>     cleanup_delay = 2
>>     max_requests = 10240
>>     hostname_lookups = no
>>     thread pool {
>>         start_servers = 20
>>         max_servers = 32
>>         min_spare_servers = 3
>>         max_spare_servers = 10
>>         max_requests_per_server = 0
>>     }
>
> That looks OK as a first cut. What's the full config?
mod_auth_radius question
I have a question regarding mod_auth_radius which doesn't seem to be addressed by the included documentation or anything I have found with a google search. When configuring the module in the apache configuration (I'm using the latest 1.3 branch) is it possible to specify more than one radius server so that it will fail over in the event that the first is down? Something like this:

    <IfModule mod_auth_radius.c>
    #
    # AddRadiusAuth server[:port] shared-secret [ timeout [ : retries ]]
    #
    AddRadiusAuth server1.example.com:1645 secret 5:3
    AddRadiusAuth server2.example.com:1645 secret 5:3
    AddRadiusCookieValid 60
    </IfModule>

It seems as though this doesn't work or it wants to use only the last one specified. Am I missing something? Anybody have experience trying to use this module in a similar setup? It would be great to be able to get this working with both of my radius servers.

Thanks in advance!
Jeremiah