performance report?

2008-08-20 Thread Kevin J
Does anybody know the performance on Sun T-1000?
Just noticed that radius cannot reach more than 20% CPU time when we ran a 
heavy traffic with nas simulations.  We have tested some other programs and 
could reach even more than 90% so just curious anybody experienced the similar 
result.


  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: performance report?

2008-08-20 Thread Kevin J
Well, Radius protocol is not just machine-to-machine issue.  I think you don't 
understand how request protocol can be simulated by hammering with our tool.  
We have tested various protocols by this tool.

Per our test results, radius can reach the limit of requests by hammering 
easily but CPU was still low. We have various statistics on all these.  My 
point is that radius was not able to use full cpu resource until reaching max 
number of handful requests.

Your point with more clients does not make sense because we already reached max 
requests hammering by our tool and that was same regardless of adding more 
clients under multi-threaded environment.


- Original Message 
From: Anders Holm [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, August 20, 2008 12:52:20 PM
Subject: Re: performance report?

I still do ...

I’ve had 10 multi core boxes hammering one server, still not enough .. You need 
more clients .. ;) RADIUS as such requires very little from the server side in 
terms of CPU. All it really does is compare x with y and then respond yes or 
no, once you strip down all the various variants of auth protocols. That’s not 
a high requirement. I’m confident if you use a SSL enabled protocol, your CPU 
on the server is spending more time per request doing the necessary SSL stuff 
than RADIUS related work ..

A pint of unspecified beverage says you’ll need more client CPU .. I’ll agree 
with the pint ..

//anders


On 20/08/2008 20:45, Kevin J [EMAIL PROTECTED] wrote:


Well, that's why I am saying we used the nas simulation tool.  We can hammer a 
lot of traffic with this multi-threaded tool and also we tried at least three 
client boxes so don't assume our traffic was not enough.

- Original Message 
From: Anders Holm [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, August 20, 2008 12:25:19 PM
Subject: Re: performance report?

It is not likely you're actually putting too much strain 
on the server side. You’ll need quite a lot of machines hammering the RADIUS 
server before it’ll break into a sweat. The client side would have higher CPU 
utilization than the server side, per request.

Comparing one program to another is not exactly comparing apples with apples. 
It’s more like comparing a duck with a fork lift. One flies, the other just 
doesn’t (or rather, when it does, you don’t want to be there to see it) ...

//anders

On 20/08/2008 20:18, Kevin J [EMAIL PROTECTED] wrote:


Does anybody know the performance on Sun T-1000?
Just noticed that radius cannot reach more than 20% CPU time when we ran a 
heavy traffic with nas simulations.  We have tested some other programs and 
could reach even more than 90% so just curious anybody experienced the similar 
result.



 


Two Daemons on One Box?

2008-06-05 Thread Kevin J
Folks,

I need to run two different configurations on one box.  I guess the only way is 
to run two daemons on different ports.
Any advice or concern?  I also want to hear if there are known issues, bugs, or 
performance matters when more than one daemon runs on the same box.

Thanks,
Kevin




regular expression

2008-04-16 Thread Kevin J
Is there a way that I can use for a regular expression to validate the username 
attribute?

Something like 
User-Name =~ [0-9a-zA-Z.#_] 

I think . or # does not work.




  

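An added example, not part of the original post: with regex search semantics the bare bracket expression above matches any value that contains at least one allowed character, so an allowlist check needs anchors and a quantifier. The sketch uses grep -E (POSIX ERE, where . and # are literal inside a bracket expression); the function names, the 64-character bound and the sample usernames are assumptions, and how the expression has to be quoted inside a FreeRADIUS configuration file is outside this sketch.

```shell
#!/bin/sh
# Added example: allowlist check for a User-Name value using POSIX ERE.
# All usernames below are constructed test values.

# The expression from the post: one bracket expression, no anchors.
LOOSE='[0-9a-zA-Z.#_]'
# Anchored form: every character must be in the set. The 1..64 length
# bound is an assumption, not a FreeRADIUS limit.
STRICT='^[0-9a-zA-Z.#_]{1,64}$'

NL='
'

# matches PATTERN VALUE: exit status 0 when VALUE matches PATTERN.
matches() {
    # grep works line by line, so a value with an embedded newline could
    # pass on one clean line; refuse it outright.
    case "$2" in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$2" | LC_ALL=C grep -Eq -- "$1"
}

# verdict PATTERN VALUE: prints "accept" or "reject".
verdict() {
    if matches "$1" "$2"; then echo accept; else echo reject; fi
}

# Side-by-side result of the unanchored and the anchored expression.
for u in 'alice' 'a.b#c_1' 'bob smith!' 'joe@example.com' ''; do
    printf '%-18s loose=%-7s strict=%s\n' "[$u]" \
        "$(verdict "$LOOSE" "$u")" "$(verdict "$STRICT" "$u")"
done
```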

rlm_ldap.c

2008-02-04 Thread Kevin J
In ldap.c:2660, there is a condition check to see if vals_idx is zero:

2660    if (!vals_idx){
2661        pairdelete(pairs, newpair->attribute);
2662    }
2663    pairadd(pairlist, newpair);


This code makes Radius not append any reply attribute if the number of 
attributes is greater than 1.  Any thoughts on why we need this here?

   

iCHAP?

2008-01-25 Thread Kevin J
Does anybody know about iCHAP?

Kevin,


   

how to use both 1645 and 1812?

2008-01-16 Thread Kevin J
Is there a way to open two ports (1645 and 1812) for auth at the same time?
We want to find a way to open 1645, 1812, 1646, and 1813 for auth and acct in 
parallel.

Thanks,
Kevin

   

healthcheck?

2007-08-16 Thread Kevin J
We want to reject slb health checks immediately.  What is the best way to do 
that?   Tried to add healthcheck Auth := Reject but it still goes through all 
authorization/authentication modules.  Is there any way that we can immediately 
reject it so we can make it lighter?

Thanks in advance.
Kevin
   

Re: Statistics tool?

2007-06-13 Thread Kevin J
If you meant that I have to restart radius whenever I need the statistics, I 
will not do that.  Is there a way that we can rotate radius.log then?


Dennis Skinner [EMAIL PROTECTED] wrote: Kevin J wrote:
 I am wondering if there is a tool or way to check the statistics in real
 time.
 I need something that can tell me how many users got accepted and
 rejected so far  since Radius started.

Rotate the log whenever you restart radius then:

grep -c OK radius.log
grep -c Failed radius.log

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
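An added example, not part of the original thread: the two grep counts above taken in one awk pass over the live file, plus a per-client breakdown of rejected logins, with no restart needed. The log lines are constructed and assume auth lines of the form "Auth: Login OK: [user] (from client NAME port N)" and "Auth: Login incorrect: [user] (from client NAME port N)"; the function names are hypothetical and the patterns must be adjusted to what your radius.log actually contains.

```shell
#!/bin/sh
# Added example: tally accepted and rejected logins from a radius.log-style
# file. Sample lines are constructed; the line format is an assumption.

sample_log() {
cat <<'EOF'
Tue Jun 12 10:00:01 2007 : Info: Ready to process requests.
Tue Jun 12 10:00:05 2007 : Auth: Login OK: [alice] (from client nas1 port 12)
Tue Jun 12 10:00:07 2007 : Auth: Login incorrect: [bob] (from client nas2 port 3)
Tue Jun 12 10:00:09 2007 : Auth: Login incorrect: [bob] (from client nas2 port 3)
Tue Jun 12 10:00:15 2007 : Auth: Login OK: [carol] (from client nas1 port 14)
Tue Jun 12 10:00:20 2007 : Auth: Login incorrect: [Login OK] (from client nas3 port 1)
Tue Jun 12 10:00:22 2007 : Auth: Login incorrect: [dave] (from client nas2 port 5)
EOF
}

# radius_auth_stats MODE FILE
#   MODE=summary   prints "accepted=N rejected=M"
#   MODE=byclient  prints "COUNT CLIENT" for rejected logins, highest first
radius_auth_stats() {
    awk -v mode="$1" '
    {
        # The username is chosen by the remote side, so classify only on
        # the text before the first "[" and ignore what is in the brackets.
        p = index($0, "[")
        head = p ? substr($0, 1, p - 1) : $0
        if (head ~ / : Auth: Login OK/) { ok++; next }
        if (head !~ / : Auth: Login incorrect/) next
        bad++
        # The client name is appended after the username, so strip
        # everything up to the last "(from client ".
        c = $0
        if (sub(/.*\(from client /, "", c)) {
            sub(/ port .*/, "", c)
            n[c]++
        }
    }
    END {
        if (mode == "summary")
            printf "accepted=%d rejected=%d\n", ok, bad
        else
            for (c in n) print n[c], c
    }' "$2" | sort -k1,1nr -k2,2
}

log=$(mktemp)
sample_log > "$log"
# A plain substring count also counts the username that contains "OK".
echo "grep -c OK: $(grep -c OK "$log")"
radius_auth_stats summary "$log"
radius_auth_stats byclient "$log"
rm -f "$log"
```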

Statistics tool?

2007-06-12 Thread Kevin J
I am wondering if there is a tool or way to check the statistics in real time.
I need something that can tell me how many users got accepted and rejected so 
far  since Radius started.


   

MAC Authentication

2007-05-14 Thread Kevin J
Does anybody know if FreeRadius supports the MAC Authentication?
If so, how?

Thanks in advance,
Kevin

   

Sig HUP?

2007-05-08 Thread Kevin J
I saw some email threads about HUP.
Can we use kill -HUP pid in the latest version or is it still not stable?

Thanks,
Kevin

  

performance on changing clients.conf and huntgroup

2007-04-05 Thread Kevin J
Alan,

I noticed that the more IPs I add to clients.conf and huntgroups, the steeper 
the performance decline FreeRadius gets.  Guessing the linked-list.  Have we 
considered other data structures like hashing or btree?

-Kevin 




 


RFC 4590 Compliant?

2007-03-27 Thread Kevin J
Hi, 

I just noticed an email thread 
http://arcknowledge.com/gmane.comp.freeradius.devel/2006-11/msg00040.html


Any update on it?
Can we say FreeRadius is RFC 4590 compliant?

Kevin


 
  



 


race condition?

2006-10-26 Thread Kevin J
I am running freeradius 1.0.5 version. I know this is old.

ldap is used in authorization and pap is usually used in authentication. We 
made a client tool which can send 1000 packets per second (from data file) to 
freeradius. What we noticed that in multi-thread, there was a race condition 
which makes some ldapsearch failures. We are positive in that there is no 
problem in our ldap because we already tested our ldaps with a similar tool and 
verified that our ldap can support much more load.

Do you have any idea what part of things that I need to check or was there any 
update in ldap with this kind of issue?

Kevin

Re: rlm_ldap configuration error

2004-12-17 Thread kevin J
I don't know the reason but it still has a problem.  I double checked 
all links but couldn't find any lber link in sys.
I am not sure if there is any version dependency in rlm_ldap.

Kevin
L.C. (Laurentiu C. Badea) wrote:
Looks like it's loading a newer libldap with an older liblber.
Make sure you do not have liblber.so/liblber.a somewhere else on the 
system where the linker could pick it up instead of the one you compiled.
--
L.C. (Laurentiu C. Badea)

I compiled the latest version of openssl and berkeleydb, and
compiled openldap and installed it to openldap-tmp.
When I do the following for freeradius compilation:
./configure --enable-shared=no --prefix=`pwd`/../freeradius
--with-openssl-includes=`pwd`/../openssl-0.9.7e/include
--with-openssl-libraries=`pwd`/../openssl-0.9.7e
--with-rlm-ldap-include-dir=`pwd`/../openldap-tmp/includes
--with-rlm-ldap-lib-dir=`pwd`/../openldap-tmp/lib
--with-snmp=no
But, libldap was not recognized as the following:
checking for gcc option to accept ANSI C... none needed
checking for inet_aton in -lresolv... yes
checking for lber.h... yes
checking for ldap.h... yes
checking for sasl_encode in -lsasl... no
checking for DH_new in -lcrypto... yes
checking for SSL_new in -lssl... yes
checking for ber_init in -llber... yes
checking for ldap_init in -lldap... no
configure: WARNING: silently not building rlm_ldap.
configure: WARNING: FAILURE: rlm_ldap requires: libldap.
Do you know what is wrong? I put rlm_ldap/config.log below.
-kevin

rlm_ldap configuration error

2004-12-14 Thread kevin J
Somebody tried to help me out but I am still having this problem.
Does anybody have a solution or suggestion?

Thanks,
Kihoon

I compiled the latest version of openssl and berkeleydb, and
compiled openldap and installed it to openldap-tmp.

When I do the following for freeradius compilation:

./configure --enable-shared=no --prefix=`pwd`/../freeradius
--with-openssl-includes=`pwd`/../openssl-0.9.7e/include
--with-openssl-libraries=`pwd`/../openssl-0.9.7e
--with-rlm-ldap-include-dir=`pwd`/../openldap-tmp/includes
--with-rlm-ldap-lib-dir=`pwd`/../openldap-tmp/lib
--with-snmp=no

But, libldap was not recognized as the following:

checking for gcc option to accept ANSI C... none needed
checking for inet_aton in -lresolv... yes
checking for lber.h... yes
checking for ldap.h... yes
checking for sasl_encode in -lsasl... no
checking for DH_new in -lcrypto... yes
checking for SSL_new in -lssl... yes
checking for ber_init in -llber... yes
checking for ldap_init in -lldap... no
configure: WARNING: silently not building rlm_ldap.
configure: WARNING: FAILURE: rlm_ldap requires: libldap.

Do you know what is wrong? I put rlm_ldap/config.log below.

-kevin


rlm_ldap configuration error

2004-12-08 Thread kevin J
Hi

I compiled the latest version of openssl and berkeleydb, and
compiled openldap and installed it to openldap-tmp.

When I do the following for freeradius compilation:

./configure --enable-shared=no --prefix=`pwd`/../freeradius
--with-openssl-includes=`pwd`/../openssl-0.9.7e/include
--with-openssl-libraries=`pwd`/../openssl-0.9.7e
--with-rlm-ldap-include-dir=`pwd`/../openldap-tmp/includes
--with-rlm-ldap-lib-dir=`pwd`/../openldap-tmp/lib
--with-snmp=no

But, libldap was not recognized as the following:

checking for gcc option to accept ANSI C... none needed
checking for inet_aton in -lresolv... yes
checking for lber.h... yes
checking for ldap.h... yes
checking for sasl_encode in -lsasl... no
checking for DH_new in -lcrypto... yes
checking for SSL_new in -lssl... yes
checking for ber_init in -llber... yes
checking for ldap_init in -lldap... no
configure: WARNING: silently not building rlm_ldap.
configure: WARNING: FAILURE: rlm_ldap requires: libldap.

Do you know what is wrong? I put rlm_ldap/config.log below.

-kevin


MS-CHAP2-Response is incorrect

2004-10-21 Thread kevin J
Hi all,

I tried to use MSCHAP v2 in freeradius 1.0.0 but got
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
I guess this can happen only when response is not matched with
calculated.
But MSCHAP v2 worked with freeradius 0.9.3 version and the same NAS.
Take a look at the log below and let me know your thought.

Thanks
Kevin

rad_recv: Access-Request packet from host 1.2.3.4:1645, id=1, length=189
Framed-Protocol = PPP
User-Name = [EMAIL PROTECTED]
MS-CHAP-Challenge = 0xc1cf72bd0daa9cd9bc695811264ae8c6
MS-CHAP2-Response =
0x010080914194e9ca506a41b2dfd66c76af4df9ac2d5de4e08ae2f85dca84f2f47b5877eea11177308811
NAS-Port-Type = Virtual
Cisco-NAS-Port = Uniq-Sess-ID735
NAS-Port = 735
Service-Type = Framed-User
NAS-IP-Address = 1.2.3.3
Proxy-State = 0xdeadbeef0001
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module attr_filter returns noop for request 0
rlm_realm: Looking up realm test.com for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm test.com
modcall[authorize]: module suffix returns noop for request 0
users: Matched [EMAIL PROTECTED] at 102
modcall[authorize]: module files returns ok for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
modcall[authorize]: module mschap returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type MS-CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 1.2.3.4:1645
MS-CHAP-Error = \001E=691 R=1
Proxy-State = 0xdeadbeef0001
Waking up in 4 seconds...




Re: MS-CHAP2-Response is incorrect

2004-10-21 Thread kevin J




Have we found the solution?
If so, can I get it?

Kevin.

Alan DeKok wrote:

  kevin J [EMAIL PROTECTED] wrote:
  
  
I tried to use MSCHAP v2 in freeradius 1.0.0 but got
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
I guess this can happen only when "response" is not matched with
"calculated".
But MSCHAP v2 worked with freeradius 0.9.3 version and the same NAS.

  
  
  If you're running Solaris, this is a bug in 1.0.x.  We hope to have
it fixed in 1.0.2.

  Alan DeKok.


  






Re: CHAP works but not PAP

2004-09-03 Thread kevin J
Hi Muenz,
I think your DEFAULT profile has a wrong link.
Why don't you try to set DEFAULT with Auth-Type = PAP and check how it 
works for both CHAP and PAP?

Kevin
Muenz, Michael wrote:
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type System
auth: type System
 

 Please read the FAQ.  CHAP doesn't work with system passwords.
   

I use MySQL stored users and passwords for authentication.
CHAP works .. PAP not 

 

 modcall[authenticate]: module unix returns notfound for request 0
 

 What is unclear about that message?
   

Because I only use MySQL ...
- Michael


benchmark

2004-08-26 Thread kevin J
Do we have any report about load testing or benchmark testing?
Kevin


Re: how to exclude default attributes from a reject packet

2004-08-25 Thread kevin J
I am resending this because I still don't know how to configure two 
different DEFAULT lists for accept and reject.  When I add 
DEFAULT  Auth-Type ==  Reject on the top of DEFAULT lists, it just fails 
everything.

Kevin
Kevin J wrote:
Alan DeKok wrote:
kevin J [EMAIL PROTECTED] wrote:
 

I just found that all reject packets include DEFAULT attributes as 
well.
If I don't want to include these DEFAULT attributes from a reject 
packet,
what do I need to do?  I tried the following but I don't think this 
is correct.
  

 It's a little difficult to remove attributes from a packet.
 Perhaps what the server should do is to maintain *two* lists of
attributes, one for an Access-Accept, and another for Access-Reject.
Alternately, it could wipe out all of the attributes in the reply,
as soon as it sees a reject.
 

Could you explain how to make two different lists for accept and reject?
Thanks for your help.
Kevin
 The problem is that the users file isn't really designed to do
that kind of thing.  To do it properly, we'll probably need a new
configuration file, with a more complicated language.
 Alan DeKok.
 





Re: how to exclude default attributes from a reject packet

2004-08-25 Thread kevin J
Thanks Alan and Thor,
Thor, can you show me your auth.pl?
Kevin
Thor Spruyt wrote:
kevin J wrote:
 

I am resending this because I still don't know how to configure two
different DEFAULT lists for accept and reject.  When I add
DEFAULT  Auth-Type ==  Reject on the top of DEFAULT lists, it just fails
everything.
   

I have radius server that gets the user's password from a postgresql
database.
If it's a valid user, then an external script is executed which can either
accept or reject the user with whatever attributes.
If it's not a valid user, then a reject is sent with a specific
Reply-Message.
I only configured this in the users file:
DEFAULT Auth-Type := Reject
   Reply-Message = Invalid Account,
   Fall-Through = Yes
DEFAULT Auth-Type := Local
   Exec-Program-Wait = /opt/radius1/bin/auth.pl
 




complexed conf failover?

2004-08-25 Thread kevin J
Hi
If I want to do something like
1) ldapsearch for a-table
   1-1) if the user exists in a-table, do pap or chap
2) if any of above fails, ldapsearch for b-table
   2-1) if the user exists in b-table, do chap or pap
3) if  any of above fails, ldapsearch for c-table
   3-1) if the user exists in c-table, do chap or pap
Is this possible?   I think  if 1-1) fails it cannot reach 2)
if 2-1) fails it cannot reach 3).   Am I wrong?
If this is possible, how should I configure this in radiusd.conf?
Thanks,
Kevin


Re: how to exclude default attributes from a reject packet

2004-08-24 Thread kevin J
Alan DeKok wrote:
kevin J [EMAIL PROTECTED] wrote:
 

I just found that all reject packets include DEFAULT attributes as well.
If I don't want to include these DEFAULT attributes from a reject packet,
what do I need to do?  I tried the following but I don't think this is 
correct.
   

 It's a little difficult to remove attributes from a packet.
 Perhaps what the server should do is to maintain *two* lists of
attributes, one for an Access-Accept, and another for Access-Reject.
Alternately, it could wipe out all of the attributes in the reply,
as soon as it sees a reject.
 

Could you explain how to make two different lists for accept and reject?
Also, how can I wipe out all of the attributes from the reply for reject?
Thanks for your help.
Kevin
 The problem is that the users file isn't really designed to do
that kind of thing.  To do it properly, we'll probably need a new
configuration file, with a more complicated language.
 Alan DeKok.
 




Re: PAP not working with ldap

2004-08-19 Thread kevin J
Is it true?  So, PAP and some other module can't work with ldap-authorize???
What about persistent connection in my question below?  Is it that 
radius binds ldap per authentication?

Kevin,
Alexandre Durand wrote:
It's possible that I have the same problem, because I can't get PEAP MS-CHAP
working with an LDAP base. Error with NTPassword or LmPAssword. But the password
in LDAP is stored in clear.
To this day, I haven't found the solution!!
- Original Message - 
From: kevin J [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 19, 2004 4:08 AM
Subject: Re: CHAP not working with ldap

 

Alan DeKok wrote:
   

kevin J [EMAIL PROTECTED] wrote:
 

I found the line 1441 of rlm_ldap.c returns RLM_MODULE_INVALID if the
password is not pap:
   

...
What you're missing is that's the *authentication* function.  The
LDAP database doesn't know how to do CHAP, it only knows how to do
PAP.  So the rlm_ldap module can send ONLY a PAP password to an LDAP
database.
 

Thanks Alan.  CHAP is working with ldap now.
I have two more questions though.
1) I found that PAP is not working with ldap.  RADIUS just tried ldap
authentication.  I don't know why.  Is there anything that I have to do
for PAP?
2) It looks that the ldap connection is not persistent, which means a re-bind
to ldap per authentication.  Is this true or am I missing something?
Thanks,
Kevin


Re: PAP not working with ldap

2004-08-19 Thread kevin J
Alan DeKok wrote:
kevin J [EMAIL PROTECTED] wrote:
 

Is it true?  So, PAP and some other module can't work with ldap-authorize???
   

 No.
 

CHAP worked but PAP did not work.
What configuration should I check?  RADIUS did not bring PAP but tried 
LDAP for authentication.

Kevin


Re: PAP not working with ldap

2004-08-19 Thread kevin J
kevin J wrote:
Alan DeKok wrote:
kevin J [EMAIL PROTECTED] wrote:
 

Is it true?  So, PAP and some other module can't work with 
ldap-authorize???
  

 No.
 

CHAP worked but PAP did not work.
What configuration should I check?  RADIUS did not bring PAP but tried 
LDAP for authentication.

Kevin
I am still having this problem.  Anybody who had worked for PAP with LDAP?
Kevin


Re: PAP not working with ldap

2004-08-19 Thread kevin J
Thanks Alastair,
But, I just want to do ldap-authorize and pap-authenticate.  So, I 
uncommented only ldap in authorize
and uncommented only pap in authenticate.  I am using clear-txt so I put 
{clear} in module def. 
It looks like that pap is not found for auth-type.
   :
 rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
 ERROR: Unknown value specified for Auth-Type.  Cannot perform 
requested action.
auth: Failed to validate the user.

I guess this is authorize issue and chap or eap can work because they 
have authorize function.  I guess radius does not run a module in 
authenticate if  it is not identified in authorize.  Give me an advice 
if I am wrong.

Thanks,
Kevin
Alastair Grant wrote:
Kevin,
I have it working.  Well I use EAP-TTLS to create a secure tunnel between
RADIUS and my supplicant first but then I send the data from supplicant to
Radius via PAP and do LDAP authentication.  In this case it is alfa-ariss on
Windows 2000.  I am at home and won't be back at the office until monday but
I'll do my best to explain my set up.
   RADIUS:
 my default_eap_type in the eap module is TTLS
 in my authorize section I have preprocess, eap and ldap uncommented.
Everything else is commented out.
 in my authenticate section I have the LDAP block and eap uncommented.
Everything else is commented out even the PAP stuff.
  Supplicant
 I use an anonymous outer identity
 My inner authentication method is PAP.
   Basically this allows the client to send a clear text password to the
server (even though it is encrypted in the tunnel) and the server can then
use this clear text password to do an LDAP bind for authentication.
   This might not seem very clear but I am doing it all from memory.  If
this is at all what you are trying to do, send me an email monday and I'll
send you some documentation I have on the actual setup.  Good luck.
-Al
- Original Message - 
From: kevin J [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 19, 2004 5:50 PM
Subject: Re: PAP not working with ldap

 

kevin J wrote:
   

Alan DeKok wrote:
 

kevin J [EMAIL PROTECTED] wrote:
   

Is it true?  So, PAP and some other module can't work with
ldap-authorize???
 

No.
   

CHAP worked but PAP did not work.
What configuration should I check?  RADIUS did not bring PAP but tried
LDAP for authentication.
Kevin
 

I am still having this problem.  Anybody who had worked for PAP with LDAP?
Kevin


how to exclude default attributes from a reject packet

2004-08-19 Thread kevin J
Hi,
I just found that all reject packets include DEFAULT attributes as well.
If I don't want to include these DEFAULT attributes from a reject packet,
what do I need to do?  I tried the following but I don't think this is 
correct.

DEFAULT  Post-Auth-Type == REJECT
   Fall-Through = No   

Kevin


Re: CHAP not working with ldap

2004-08-18 Thread kevin J
kevin J wrote:
Our ldap has USER-CTPASSWORD for clear-text.  I properly modified 
ldap.attrmap and dictionary.  I put password_header = {clear} in 
ldap of module (radiusd.conf) but I got

rlm_ldap: Attribute: User-Password is required for authentication.  
Cannot use CHAP-Password

Anybody know how to do CHAP with a password which is extracted from ldap?
Kevin 
I found the line 1441 of rlm_ldap.c returns RLM_MODULE_INVALID if the 
password is not pap:

   if (request->password->attribute != PW_PASSWORD) {
       radlog(L_AUTH, "rlm_ldap: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".",
              request->password->name);
       return RLM_MODULE_INVALID;
   }

Should I change the line if I want to make ldap working with CHAP?
Another question is if I want to use a persistent connection to ldap 
then what should I do?
It looks that radius binds ldap per authentication.

Thanks,
Kevin


Re: CHAP not working with ldap

2004-08-18 Thread kevin J

Alan DeKok wrote:
kevin J [EMAIL PROTECTED] wrote:
 

I found the line 1441 of rlm_ldap.c returns RLM_MODULE_INVALID if the 
password is not pap:
   

...
 What you're missing is that's the *authentication* function.  The
LDAP database doesn't know how to do CHAP, it only knows how to do
PAP.  So the rlm_ldap module can send ONLY a PAP password to an LDAP
database.
Thanks Alan.  CHAP is working with ldap now.
I have two more questions though.
1) I found that PAP is not working with ldap.  RADIUS just tried ldap 
authentication.  I don't know why.  Is there anything that I have to do 
for PAP?
2) It looks that the ldap connection is not persistent, which means a re-bind 
to ldap per authentication.  Is this true or am I missing something?

Thanks,
Kevin
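
Added example (not code from FreeRADIUS or from anyone in this thread): why, as Alan says above, only a PAP password can be handed to an LDAP database. With PAP the server recovers the cleartext from User-Password (RFC 2865 section 5.2) and can use it in a bind; with CHAP it only receives an MD5 digest (section 5.3) and has to recompute it from a cleartext password read out of the directory. The secret, authenticator and password are constructed values.

```python
import hashlib
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side, RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding; the result is the user's cleartext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP-Password = ident + MD5(ident + password + challenge)."""
    head = bytes([ident])
    return head + hashlib.md5(head + password + challenge).digest()

def chap_verify(attr: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    """CHAP never sends the cleartext a bind needs; recompute from the stored copy."""
    if len(attr) != 17:
        return False
    expected = chap_password(attr[0], stored_cleartext, challenge)
    return hmac.compare_digest(attr, expected)

# Constructed sample values, not taken from the thread.
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))     # Request Authenticator, doubles as CHAP challenge
DIRECTORY_CLEARTEXT = b"s3cret-pw"   # stands in for the clear-text attribute read from LDAP

def demo():
    hidden = pap_hide(DIRECTORY_CLEARTEXT, SECRET, AUTHENTICATOR)
    recovered = pap_recover(hidden, SECRET, AUTHENTICATOR)   # usable for an LDAP bind
    attr = chap_password(7, DIRECTORY_CLEARTEXT, AUTHENTICATOR)
    return (recovered,
            chap_verify(attr, AUTHENTICATOR, DIRECTORY_CLEARTEXT),
            chap_verify(attr, AUTHENTICATOR, b"wrong-guess"))
```
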


CHAP not working with ldap

2004-08-17 Thread kevin J
Our ldap has USER-CTPASSWORD for clear-text.  I properly modified 
ldap.attrmap and dictionary.  I put password_header = {clear} in ldap 
of module (radiusd.conf) but I got

rlm_ldap: Attribute: User-Password is required for authentication.  
Cannot use CHAP-Password

Anybody know how to do CHAP with a password which is extracted from ldap?
Kevin


Re: How to send reply for some client ip groups

2004-08-16 Thread kevin J
Alan,
I could not find those cases in the users file.
What I want is to configure and send different reply packets based on 
nas type (ie, USR, ASCEND, PM...).  I also want to configure some 
filters based on the clients' ip.  You know client ip is different from 
nas ip if we do proxy, right?  So, I think I cannot use huntgroup for 
this.  You think those are in the examples in the users file?

Kevin
Alan DeKok wrote:
kevin J [EMAIL PROTECTED] wrote:
 

I want to send some reply attributes based on client's ip and its nas type.
For example, I want to add some filters to the reply packet which will 
be sent to usr nas.  
I also want to add some special attributes to the reply packet for 
level3's ip-addresses .
How can I configure it?
   

 Read the users file, and follow the examples there.
 Alan DeKok.