Re: DEFAULT realm proxy fail over
Bertalan Voros wrote:
> There is a freeradius server that is proxying every mschapv2 request to
> a homeserver using the DEFAULT realm.
>
> The same server is also handling EAP requests and then proxying the
> inner request through the DEFAULT realm.
>
> Is it possible to set up fail-over using two home servers in this scenario?

Yes. You configure fail-over as documented in proxy.conf.

Do you have a *specific* question about it?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
DEFAULT realm proxy fail over
Hello All,

I would like to get help with the following.

There is a freeradius server that is proxying every mschapv2 request to a homeserver using the DEFAULT realm.

The same server is also handling EAP requests and then proxying the inner request through the DEFAULT realm.

Is it possible to set up fail-over using two home servers in this scenario?

Thank you and best regards,
Bertalan Voros
Re: FreeRadius AAA running in fail over mode
On 15 Oct 2012, at 10:16, Shiv. Nath wrote:
> Dear Community of FreeRadius Greetings,
>
> i am not new to open source Linux / Unix system but new to FreeRadius.
> Has anyone got FreeRadius AAA running in fail over mode (replication)?

If you mean replicating packets to multiple realms and failing over between servers within those realms? Then no.

If you mean forwarding packets to a realm and failing over between multiple servers within that realm? Then yes.

> Is it possible to download an .ovf template from somewhere, already configured
> up and running FreeRadius?

Maybe, but I don't know of one.

-Arran
Re: FreeRadius AAA running in fail over mode
> Dear Community of FreeRadius Greetings,
>
> i am not new to open source Linux / Unix system but new to FreeRadius.
> Has anyone got FreeRadius AAA running in fail over mode (replication)?

Yes.

> Is it possible to download an .ovf template from somewhere, already configured
> up and running FreeRadius?

Install freeradius. Nearly everything works out of the box.

--
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
FreeRadius AAA running in fail over mode
Dear Community of FreeRadius Greetings,

I am not new to open source Linux / Unix system but new to FreeRadius. Has anyone got FreeRadius AAA running in fail over mode (replication)?

Is it possible to download an .ovf template from somewhere, already configured up and running FreeRadius?

Thanks / Regards
Shiv. Nath
Re: MySQL Fail Over Error When 1 DB is Down
Thanks so much! I understand it now. And thanks for the suggestions and additional inputs.

BRegards,
Det

Sent from my iPad

On Aug 29, 2011, at 10:56 PM, Rich Graves wrote:

>> When I shutdown one of the DB, it generates an error. How do I tell
>> freeradius to ignore that and proceed if it can connect to at least one
>> of the DB? /etc/freeradius/sql2.conf[22]: Instantiation failed for
>> module "sql2"
>
> Both databases must be up at the time of radiusd startup. This seems
> reasonable; if you have no redundancy, wouldn't you want to know?
>
> Either one may go down while radiusd is running.
>
> It looks like you could force a radiusd startup to "succeed" if one database
> fails to instantiate, but then it would never retry the connection, and you
> would be solely dependent on the database(s) that were available at startup.
>
> Bottom line, don't start your radius server unless both databases are up.
> On many Linux platforms, you could add an appropriate wrapper script at
> /etc/sysconfig/radiusd to block startup, or perhaps to move a configuration
> specific to the situation into place.
>
> I think you're better off doing redundancy a layer up, though, like
>
>        _->radius1 ->db1
>   NAS<_     X      |
>        ->radius2 ->db2
>
> i.e., if db1 is down, go ahead and allow radius1 to return failure to the NAS,
> which will then fail over to radius2.
Re: MySQL Fail Over Error When 1 DB is Down
Hi,

Sorry, I honestly don't mean it that way. I just want to clarify some of those thoughts/concepts.

I understand now what you mean by this.
> Fail-over is for when something goes wrong while the server is running.

Thanks,
Det

Sent from my iPad

On Aug 29, 2011, at 9:34 PM, Alan DeKok wrote:

> Det Det wrote:
>> Really?
>
> If you think I'm lying, why ask questions?
>
>> What is the failover feature for?
>
> Read the docs. It's explained.
>
>> I can specify multiple DBs but
>> if FreeRADIUS cannot connect to at least one of the DBs it will have an
>> error and will not be able to start. There is no way to get around this?
>
> And again... what did my message say? Did you read it?
>
>> That is, use first DB if first DB is up. If second DB is down and first
>> DB is up, don't bother, continue to operate, and vice versa, so long as
>> it still has a DB to use. I saw this link but I can't get it to work. It
>> is using the rlm_always module.
>>
>> http://wiki.freeradius.org/Fail-over
>
> Fail-over is for when something goes wrong while the server is running.
>
> Alan DeKok.
Re: MySQL Fail Over Error When 1 DB is Down
> When I shutdown one of the DB, it generates an error. How do I tell
> freeradius to ignore that and proceed if it can connect to at least one
> of the DB? /etc/freeradius/sql2.conf[22]: Instantiation failed for
> module "sql2"

Both databases must be up at the time of radiusd startup. This seems reasonable; if you have no redundancy, wouldn't you want to know?

Either one may go down while radiusd is running.

It looks like you could force a radiusd startup to "succeed" if one database fails to instantiate, but then it would never retry the connection, and you would be solely dependent on the database(s) that were available at startup.

Bottom line, don't start your radius server unless both databases are up. On many Linux platforms, you could add an appropriate wrapper script at /etc/sysconfig/radiusd to block startup, or perhaps to move a configuration specific to the situation into place.

I think you're better off doing redundancy a layer up, though, like

       _->radius1 ->db1
  NAS<_     X      |
       ->radius2 ->db2

i.e., if db1 is down, go ahead and allow radius1 to return failure to the NAS, which will then fail over to radius2.
Re: MySQL Fail Over Error When 1 DB is Down
Det Det wrote:
> Really?

If you think I'm lying, why ask questions?

> What is the failover feature for?

Read the docs. It's explained.

> I can specify multiple DBs but
> if FreeRADIUS cannot connect to at least one of the DBs it will have an
> error and will not be able to start. There is no way to get around this?

And again... what did my message say? Did you read it?

> That is, use first DB if first DB is up. If second DB is down and first
> DB is up, don't bother, continue to operate, and vice versa, so long as
> it still has a DB to use. I saw this link but I can't get it to work. It
> is using the rlm_always module.
>
> http://wiki.freeradius.org/Fail-over

Fail-over is for when something goes wrong while the server is running.

Alan DeKok.
Re: MySQL Fail Over Error When 1 DB is Down
Really? What is the failover feature for? I can specify multiple DBs, but if FreeRADIUS cannot connect to at least one of the DBs it will have an error and will not be able to start. There is no way to get around this?

That is, use first DB if first DB is up. If second DB is down and first DB is up, don't bother, continue to operate, and vice versa, so long as it still has a DB to use. I saw this link but I can't get it to work. It is using the rlm_always module.

http://wiki.freeradius.org/Fail-over

thanks,
det

From: Alan DeKok
To: Det Det ; FreeRadius users mailing list
Sent: Monday, August 29, 2011 6:21 PM
Subject: Re: MySQL Fail Over Error When 1 DB is Down

Det Det wrote:
> When I shutdown one of the DB, it generates an error. How do I tell
> freeradius to ignore that and proceed if it can connect to at least one
> of the DB?

You don't. The only way to change this is via source code patches.

Alan DeKok.
Re: MySQL Fail Over Error When 1 DB is Down
Det Det wrote:
> When I shutdown one of the DB, it generates an error. How do I tell
> freeradius to ignore that and proceed if it can connect to at least one
> of the DB?

You don't. The only way to change this is via source code patches.

Alan DeKok.
MySQL Fail Over Error When 1 DB is Down
When I shutdown one of the DB, it generates an error. How do I tell freeradius to ignore that and proceed if it can connect to at least one of the DB?

/etc/freeradius/sql2.conf[22]: Instantiation failed for module "sql2"
/etc/freeradius/radiusd.conf[75]: Failed to find module "sql2".
/etc/freeradius/radiusd.conf[75]: Failed to parse "sql2" entry.
/etc/freeradius/sites-enabled/default[1]: Errors parsing authorize section.

From: Det Det
To: FreeRadius mailing list
Sent: Monday, August 29, 2011 2:05 PM
Subject: MySQL Fail Over Error When 1 DB is Down

Hi there,

I can't get FreeRADIUS to ignore the error and continue processing when 1 DB is down, even when it can connect to the other DB. Below is my config.

# radiusd.conf
instantiate {
    ...
    redundant redundant_sql {
        sql1
        sql2
        handled
    }
}

modules {
    ...
    $INCLUDE sql1.conf
    $INCLUDE sql2.conf
}

# sql1.conf
sql sql1 {
    database = "mysql"
    ...
}

# sql2.conf
sql sql2 {
    ...
    database = "mysql"
}

# sites-enabled/default
authorize {
    redundant_sql
}

accounting {
    redundant_sql
}

session {
    redundant_sql
}

post-auth {
    redundant_sql
    Post-Auth-Type REJECT {
        redundant_sql
        attr_filter.access_reject
    }
}

bregards,
det
MySQL Fail Over Error When 1 DB is Down
Hi there,

I can't get FreeRADIUS to ignore the error and continue processing when 1 DB is down, even when it can connect to the other DB. Below is my config.

# radiusd.conf
instantiate {
    ...
    redundant redundant_sql {
        sql1
        sql2
        handled
    }
}

modules {
    ...
    $INCLUDE sql1.conf
    $INCLUDE sql2.conf
}

# sql1.conf
sql sql1 {
    database = "mysql"
    ...
}

# sql2.conf
sql sql2 {
    ...
    database = "mysql"
}

# sites-enabled/default
authorize {
    redundant_sql
}

accounting {
    redundant_sql
}

session {
    redundant_sql
}

post-auth {
    redundant_sql
    Post-Auth-Type REJECT {
        redundant_sql
        attr_filter.access_reject
    }
}

bregards,
det
Re: FR 2.1.10, fail-over not working
魏景鹏 wrote:
> I've configured two home_server for a pool with type=fail-over; when the
> 1st one does not start, FR didn't send the request to the 2nd one.

FreeRADIUS doesn't check if a home server "starts". RADIUS doesn't work that way.

The fail-over code works. Fail-over occurs when a home server is down for an extended period of time, and when the proxy keeps trying to send packets to the home server.

If you're not seeing failover, it's likely because you're only sending a few testing packets. Send more packets.

Alan DeKok.
Re: FR 2.1.10, fail-over not working
Hi Alan & all,

I found that when radiusd is started with -X, the config item type = fail-over in proxy.conf does not take effect. Can anyone confirm that?

B.R.
Wei JingPeng

Wei JingPeng wrote:
> Hi Alan & all,
>
> I've configured two home_server for a pool with type=fail-over; when the
> 1st one does not start, FR didn't send the request to the 2nd one.
>
> Works fine when configured with type=load-balance.
>
> following is my proxy.conf section:
>
> home_server svr1st {
>     type = auth+acct
>     ipaddr = 192.168.0.2
>     port = 11812
>     secret = testing123
>     response_window = 5
>     zombie_period = 120
>     revive_interval = 120
> }
>
> home_server svr2nd {
>     type = auth+acct
>     ipaddr = 192.168.0.3
>     port = 11812
>     secret = testing123
>     response_window = 5
>     zombie_period = 120
>     revive_interval = 120
> }
>
> home_server_pool authpool {
>     type = fail-over
>     home_server = svr1st
>     home_server = svr2nd
> }
>
> Any Ideas?
>
> B.R.
> Wei JingPeng
FR 2.1.10, fail-over not working
Hi Alan & all,

I've configured two home_server for a pool with type=fail-over; when the 1st one does not start, FR didn't send the request to the 2nd one.

Works fine when configured with type=load-balance.

following is my proxy.conf section:

home_server svr1st {
    type = auth+acct
    ipaddr = 192.168.0.2
    port = 11812
    secret = testing123
    response_window = 5
    zombie_period = 120
    revive_interval = 120
}

home_server svr2nd {
    type = auth+acct
    ipaddr = 192.168.0.3
    port = 11812
    secret = testing123
    response_window = 5
    zombie_period = 120
    revive_interval = 120
}

home_server_pool authpool {
    type = fail-over
    home_server = svr1st
    home_server = svr2nd
}

Any Ideas?

B.R.
Wei JingPeng
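As an added example (not from any post in these threads, and not the project's own sample config), here is how the pool above can be wired to the DEFAULT realm asked about earlier on this page, with active status checks so that dead-server detection does not depend on how many user packets happen to be proxied. The addresses, ports and secret are taken from the post above; the `status_check`, `check_interval` and `num_answers_to_alive` values are my own choices, and the `realm DEFAULT` block is assumed to be what the earlier thread needs.

```conf
# proxy.conf (added example): two home servers, a fail-over pool and the
# DEFAULT realm that catches every request not matched by another realm,
# including the inner EAP request when the inner-tunnel server runs "suffix".

home_server svr1st {
    type = auth+acct
    ipaddr = 192.168.0.2
    port = 11812
    # "testing123" is the stock example value from the post; each
    # proxy/home-server pair needs its own secret in a real deployment.
    secret = testing123
    response_window = 5
    zombie_period = 120
    revive_interval = 120

    # Probe the home server with Status-Server packets while it is a
    # "zombie" (no answers within response_window). Without this, the
    # proxy only learns the server is dead by failing user requests for
    # zombie_period seconds, which is why a handful of test packets never
    # trigger fail-over. The home server must answer Status-Server.
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

home_server svr2nd {
    type = auth+acct
    ipaddr = 192.168.0.3
    port = 11812
    secret = testing123
    response_window = 5
    zombie_period = 120
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

# fail-over: always use the first home server that is alive, in order.
home_server_pool authpool {
    type = fail-over
    home_server = svr1st
    home_server = svr2nd
}

# Same pool for authentication and accounting, as both servers are auth+acct.
realm DEFAULT {
    auth_pool = authpool
    acct_pool = authpool
}
```

When svr1st is marked dead, requests go to svr2nd; after revive_interval seconds svr1st is tried again, and with status checks enabled it is marked alive only once num_answers_to_alive probes have been answered.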
Re: Question about configurable module fail-over
Ana Gallardo wrote:
> I want to return an error code if my freeradius can't contact the
> backend.
>
> Here is my authorize section:
>
> authorize {
> . . .
>   switch "%{Realm}" {
> ...
>   }
>
>   if (fail) {

That won't work, unfortunately. The return codes of *modules* can be over-written. The return code of a "switch" statement cannot be.

This issue is largely due to the fact that the configuration files have had functionality piled on top of old code. We want to be backwards compatible, so breaking existing systems isn't an option. But this limits the capabilities of the new functions.

In short: re-write the rules so that you don't use "switch".

Alan DeKok.
Question about configurable module fail-over
Hello,

I have Freeradius 2.1.8. I want to return an error code if my freeradius can't contact the backend.

Here is my authorize section:

authorize {
    . . .
    switch "%{Realm}" {
        case 'temp.unex.es' {
            sql {
                fail = 1
            }
            if (!fail && ("%D" < "%{control:Expiration-Init}")) {
                update reply {
                    Codigo-Reject := Cuenta-Inactiva
                }
                reject
            }
        }
        case 'unex.es' {
            ldap {
                fail = 1
            }
        }
        case {
            update reply {
                Codigo-Reject := Error-Dominio
            }
            reject
        }
    }
    if (fail) {
        update reply {
            Codigo-Reject := Imposible-Contactar-Backend
        }
        reject
    }
    expiration {
        userlock = 1
    }
    if (userlock) {
        update reply {
            Codigo-Reject := Cuenta-Expirada
        }
    }
    pap
}

My problem is when Freeradius can't contact ldap. Here is my debug info:

rad_recv: Access-Request packet from host X.X.X.X port 48454, id=116, length=56
        User-Name = "usua...@unex.es"
        User-Password = "1631"
server rinuex {
. . .
++- entering switch %{Realm} {...}
+++- entering case unex.es {...}
[ldap] performing user authorization for usuario
[ldap]  expand: %{Stripped-User-Name} -> usuario
[ldap]  expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=usuario)
[ldap]  expand: ou=saser,dc=unex,dc=es -> ou=saser,dc=unex,dc=es
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to X.X.X.X, authentication 0
[ldap] bind as cn=...
[ldap] waiting for bind result ...
[ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
[ldap] (re)connection attempt failed
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
[ldap] returns fail
+++- case unex.es returns fail
++- switch %{Realm} returns fail
} # server rinuex
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[reply] returns noop
++? if ("%{reply:Codigo-Reject}")
        expand: %{reply:Codigo-Reject} -> Credenciales-Erroneas
? Evaluating ("%{reply:Codigo-Reject}") -> TRUE
++? if ("%{reply:Codigo-Reject}") -> TRUE
++- entering if ("%{reply:Codigo-Reject}") {...}
+++- if ("%{reply:Codigo-Reject}") returns noop
++- group REJECT returns noop
[sql]   expand: %{Stripped-User-Name} -> usuario
[sql]   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> usuario
[sql] sql_set_user escaped user --> 'usuario'
[sql]   expand: INSERT INTO radpostauth (username, mac, client, reply, authdate,codreject) VALUES ( '%{User-Name}', LOWER('%{Calling-Station-Id}'), '%C', '%{reply:Packet-Type}', NOW(), '%{reply:Codigo-Reject}') -> INSERT INTO radpostauth (username, mac, client, reply, authdate,codreject) VALUES ( 'usua...@unex.es', LOWER(''), 'CAU2', 'Access-Reject', NOW(), 'Credenciales-Erroneas')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, mac, client, reply, authdate,codreject) VALUES ( 'usuario @unex.es', LOWER(''), 'CAU2', 'Access-Reject', NOW(), 'Credenciales-Erroneas')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.access_reject]     expand: %{User-Name} -> usua...@unex.es
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 116 to X.X.X.X port 48454
        Codigo-Reject = Credenciales-Erroneas

I need help.

Thank you and sorry for my English.

--
Ana Gallardo Gómez
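As an added example (not code from Ana's configuration or from Alan's reply), one way to restructure the authorize section along the lines of the reply above: the switch is replaced by if/elsif on the realm, and the `if (fail)` check moves to directly after each backend module, where it tests that module's own return code rather than the switch's. `Codigo-Reject` and its values are the custom dictionary attribute from the post; the `fail = 1` override keeps the module's fail result from terminating the section before the check runs.

```conf
# authorize section (added example, FreeRADIUS 2.1.x unlang, no "switch").
authorize {
    . . .
    if ("%{Realm}" == "temp.unex.es") {
        sql {
            fail = 1
        }
        # Evaluated immediately after the module, so this is sql's own
        # return code: the backend could not be reached.
        if (fail) {
            update reply {
                Codigo-Reject := Imposible-Contactar-Backend
            }
            reject
        }
        # Only reached when sql succeeded, so the "!fail" guard is not needed.
        if ("%D" < "%{control:Expiration-Init}") {
            update reply {
                Codigo-Reject := Cuenta-Inactiva
            }
            reject
        }
    }
    elsif ("%{Realm}" == "unex.es") {
        ldap {
            fail = 1
        }
        # Same pattern for the LDAP backend (the case shown in the debug output).
        if (fail) {
            update reply {
                Codigo-Reject := Imposible-Contactar-Backend
            }
            reject
        }
    }
    else {
        # Unknown realm.
        update reply {
            Codigo-Reject := Error-Dominio
        }
        reject
    }

    expiration {
        userlock = 1
    }
    if (userlock) {
        update reply {
            Codigo-Reject := Cuenta-Expirada
        }
    }
    pap
}
```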
Re: radius and fail over
Fabien COMBERNOUS wrote:
> In the freeradius wiki a page gives information about failover [1]. It
> explains how to set up two sql modules pointing to two dbms. But in this
> setup, the radius server is a single point of failure. How to set up two
> radius servers speaking with two dbms ?

Configure the failover twice.

Alan DeKok.
radius and fail over
Hi there,

In the freeradius wiki a page gives information about failover [1]. It explains how to set up two sql modules pointing to two dbms. But in this setup, the radius server is a single point of failure. How to set up two radius servers speaking with two dbms ?

Thank you for your help.

[1] http://wiki.freeradius.org/Fail-over

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com <http://www.kezia.com/>
*Tel: +33 (0) 467 992 986*
Kezia Group
Re: freeradius2 Proxy fail-over issues
Ivan Kalik wrote:
>> As I at first assumed...So, this is a bug after all. If I put ipaddr =
>> localhost in a home_server definition I get the failed authentication I
>> described in my first note. You can see in proxy.conf configuration lines
>> I included, where ipaddr is set to localhost for all four home_server
>> definitions.
>>
>> As soon as I changed the ipaddr parameter in all four home_server
>> definitions, and reset the server, I was able to properly authenticate.
>> Nothing else was changed.
>
> Are you sure your name resolution isn't broken so localhost doesn't resolve
> to 127.0.0.1 but to something else, which then causes authentication to fail?
> I can substitute localhost for 127.0.0.1 in proxy.conf in 2.1.6 with no
> effect to authentication.
>
> Ivan Kalik
> Kalik Informatika ISP

I just spent the last hour or so attempting to repeat and debug the problem I observed in the free radius client. Then when I couldn't make it fail I switched the 127.0.0.1 IP address for localhost in the proxy.conf file of the server, and it worked as well.

So, as you suggested, I must have had a misconfigured system when I attempted to test this before. Thanks for the help and sorry for the false alarm...

BTW, I am using version 2.1.6.

Thanks for all your hard work.

Emmett
Re: freeradius2 Proxy fail-over issues
Emmett Culley wrote:
> As soon as I changed the ipaddr parameter in all four home_server
> definitions, and reset the server, I was able to properly authenticate.
> Nothing else was changed.

You may also try using the 2.1.7-pre code:

http://git.freeradius.org/pre/

It contains a fix where the server would still send packets when "status_check = none".

Alan DeKok.
Re: freeradius2 Proxy fail-over issues
> As I at first assumed...So, this is a bug after all. If I put ipaddr =
> localhost in a home_server definition I get the failed authentication I
> described in my first note. You can see in proxy.conf configuration lines
> I included, where ipaddr is set to localhost for all four home_server
> definitions.
>
> As soon as I changed the ipaddr parameter in all four home_server
> definitions, and reset the server, I was able to properly authenticate.
> Nothing else was changed.

Are you sure your name resolution isn't broken so localhost doesn't resolve to 127.0.0.1 but to something else, which then causes authentication to fail? I can substitute localhost for 127.0.0.1 in proxy.conf in 2.1.6 with no effect to authentication.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius2 Proxy fail-over issues
Alan DeKok wrote:
> Emmett Culley wrote:
>>> It's not a bug. Hostname lookups are disabled by default in radiusd.conf.
>>> Along with explanation why enabling it is a bad idea.
>> ...
>> Ah, it didn't occur to me that host name look ups off would prevent the
>> server from looking up hosts defined in the configuration files. Well,
>> now I know.
>
> No... if you give it a hostname in the config files, it always looks it up
> to find the IP.
>
> That configuration controls whether or not it *prints* hostnames. i.e. If
> it sees an IP address in a RADIUS packet, the default is to print it as an
> IP address. If you turn hostname lookups on, it will try to look up that IP
> to find a host name.
>
> Alan DeKok.

As I at first assumed...So, this is a bug after all. If I put ipaddr = localhost in a home_server definition I get the failed authentication I described in my first note. You can see in proxy.conf configuration lines I included, where ipaddr is set to localhost for all four home_server definitions.

As soon as I changed the ipaddr parameter in all four home_server definitions, and reset the server, I was able to properly authenticate. Nothing else was changed.

I'll write a bug report on the freeradius.org site.

BTW, I found a similar issue in the radius client library. Using a host name in the configuration file causes a crash. I need to report that as well. I've run it in a debugger and can tell you where it fails.

Emmett
Re: freeradius2 Proxy fail-over issues
Emmett Culley wrote:
>> It's not a bug. Hostname lookups are disabled by default in radiusd.conf.
>> Along with explanation why enabling it is a bad idea.
> ...
> Ah, it didn't occur to me that host name look ups off would prevent the
> server from looking up hosts defined in the configuration files. Well,
> now I know.

No... if you give it a hostname in the config files, it always looks it up to find the IP.

That configuration controls whether or not it *prints* hostnames. i.e. If it sees an IP address in a RADIUS packet, the default is to print it as an IP address. If you turn hostname lookups on, it will try to look up that IP to find a host name.

Alan DeKok.
Re: freeradius2 Proxy fail-over issues
Ivan Kalik wrote:
>> I was using ipaddr = domain_name in the home_server definitions. I
>> remembered a problem I had with the freeradius client library wherein if I
>> used a domain name, like localhost, instead of a "real" IP address to
>> describe the server I needed to connect with, I'd get a failure.
>>
>> Using the same proxy.conf file I sent in my first note and changing the
>> ipaddr variable to 127.0.0.1 instead of localhost for each home server
>> allowed me to successfully connect to the primary radius server. I won't
>> have a secondary server set up until next week, at which time I'll test if
>> the fail over to the secondary server works. As I fully expect it to.
>>
>> I assume it is a bug to be required to use an IP address instead of a
>> domain name, so can you please point me to where I can file a bug report
>> on this?
>
> It's not a bug. Hostname lookups are disabled by default in radiusd.conf.
> Along with explanation why enabling it is a bad idea.
>
> Ivan Kalik
> Kalik Informatika ISP

Ah, it didn't occur to me that host name look ups off would prevent the server from looking up hosts defined in the configuration files. Well, now I know.

Thanks Ivan!

Emmett
Re: freeradius2 Proxy fail-over issues
> I was using ipaddr = domain_name in the home_server definitions. I
> remembered a problem I had with the freeradius client library wherein if I
> used a domain name, like localhost, instead of a "real" IP address to
> describe the server I needed to connect with, I'd get a failure.
>
> Using the same proxy.conf file I sent in my first note and changing the
> ipaddr variable to 127.0.0.1 instead of localhost for each home server
> allowed me to successfully connect to the primary radius server. I won't
> have a secondary server set up until next week, at which time I'll test if
> the fail over to the secondary server works. As I fully expect it to.
>
> I assume it is a bug to be required to use an IP address instead of a
> domain name, so can you please point me to where I can file a bug report
> on this?

It's not a bug. Hostname lookups are disabled by default in radiusd.conf. Along with explanation why enabling it is a bad idea.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius2 Proxy fail-over issues
Alan DeKok wrote:
> Emmett Culley wrote:
>> However, as soon as I attempt to define a set of main and backup servers,
>> then use the auth_pool and acct_pool variables I get the following error:
>>
>> "Ignoring spoofed proxy reply. Signature is invalid"
>
> That's pretty definitive. It means that the shared secret is wrong.
>
>> Of course, the main reason I upgraded at all was to be able to define a
>> pool of servers. I've searched Google and cannot find any references to
>> this issue. Here are the proxy.conf lines that matter:
>
> Which doesn't show the primary && secondary server configuration that
> causes the problem.
>
> My guess is that you've configured the *same* shared secret for both home
> servers. Then, the home servers have been configured with *different*
> shared secrets for the proxy.
>
> Use "radclient" from the proxy to send packets to the home servers. It
> will need to use the same shared secret that the proxy *should* have. If
> you can get radclient working, the same shared secret will work with the
> proxy.
>
> Alan DeKok.

Thanks Alan...

I finally found the time to work on this issue, and so finally figured it out.

I was using ipaddr = domain_name in the home_server definitions. I remembered a problem I had with the freeradius client library wherein if I used a domain name, like localhost, instead of a "real" IP address to describe the server I needed to connect with, I'd get a failure.

Using the same proxy.conf file I sent in my first note and changing the ipaddr variable to 127.0.0.1 instead of localhost for each home server allowed me to successfully connect to the primary radius server. I won't have a secondary server set up until next week, at which time I'll test if the fail over to the secondary server works. As I fully expect it to.

I assume it is a bug to be required to use an IP address instead of a domain name, so can you please point me to where I can file a bug report on this?

Emmett
RE: [freeradius] fail-over ldap + reply-item missing
Hum, now all works perfectly. My reply-items are present now, I will try now to understand why it works.

Thanks to Ivan Kalik for his help and all the freeradius project.

ldap.attrmap:

[...]
checkItem       Cleartext-Password      userPassword

users:

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
        Fall-Through = yes

DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
        Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
        Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
        Fall-Through = yes

radiusd.conf:

instantiate {
        [...]
        ldaplabobe2
        ldaplabobe1
}

/site-available/default:

redundant {
        ldaplabobe2
        ldaplabobe1
}

in section authorize and authenticate
RE: [freeradius] fail-over ldap + reply-item missing
(following my last mail)

I read in my log:

No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

So in the users file I replace

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
        Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
        Fall-Through = yes

By

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr", Auth-Type := LDAP
        Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
        Fall-Through = yes

And I start radiusd -X and I have :

/usr/local/etc/raddb/users[247]: Parse error (check) for entry DEFAULT: Unknown value LDAP for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users
/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module "files"
/usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
 }
}
Errors initializing modules

But in raddb/site-available/default, in section authenticate I have Auth-Type LDAP :

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                redundant {
                        ldaplabobe2
                        ldaplabobe1
                }
        }
        eap
}
RE: [freeradius] fail-over ldap + reply-item missing
Thanks for your response. I read http://freeradius.org/radiusd/doc/rlm_ldap, focusing on the section GROUP SUPPORT.

So I have two ldap module instances in raddb/modules/ldap:

    ldap ldaplabobe2 {
            [...]
    }

    ldap ldaplabobe1 {
            [...]
    }

I added the ldap modules to the instantiate{} block in radiusd.conf:

    instantiate {
            exec
            expr
            expiration
            logintime
            ldaplabobe2
            ldaplabobe1
    }

I use this form in my raddb/users:

    DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
            Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
            Fall-Through = yes

    DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
            Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
            Fall-Through = yes

    DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
            Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
            Fall-Through = yes

    DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
            Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
            Fall-Through = yes

instead of

    DEFAULT Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
            Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
            Fall-Through = yes

    DEFAULT Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
            Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
            Fall-Through = yes

Then I still use redundant in the authorize and authenticate sections in raddb/sites-available/default (I tested without it also).

And now I have Access-Reject for all. Some reply items are in the users file, others are in my openldap (I use radiusgroupname with ou=profiles,dc=netplus,dc=fr + the radiusprofile attribute ...)

So I am progressing, I think, but it doesn't work for now.

Sorry if I need some help. I am beginning with openldap, I read a lot of documentation on freeradius, openldap, PAM (my head will explode) and all is new for me, so maybe I have already read the solution to my problem but don't remember :s

Thanks for your help.

Regards,
François

    rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=253, length=80
            NAS-IP-Address = 192.168.0.50
            NAS-Port = 1
            NAS-Port-Type = Virtual
            User-Name = "fmehault"
            Calling-Station-Id = "192.168.0.80"
            User-Password = "toto"
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/192.168.0.50/auth-detail-20090609
    [auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.50/auth-detail-20090609
    [auth_log] expand: %t -> Tue Jun 9 16:27:02 2009
    ++[auth_log] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = "fmehault", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    rlm_ldap: Entering ldap_groupcmp()
    [files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
    [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    [files] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 10.96.18.10:389, authentication 0
    rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.10:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(uid=fmehault)(radiusHuntgroupName=swLabo))
    rlm_ldap: ldap_release_conn: Release Id: 0
    [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=administrateur)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr
    rlm_ldap: object not found
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap:
Re: [freeradius] fail-over ldap + reply-item missing
> I try to do a fail-over with two ldap on my freeradius. I read this
> article http://wiki.freeradius.org/Fail-over, I instantiated two openldap
> modules and I use the keyword redundant in my
> /raddb/site-available/default in authorize and authenticate section.
>
>     redundant {
>             Primary-ldap
>             Secondary-ldap
>     }
>
> I also enabled reply_log.
> When the two ldap are launched, it works.
>
> reply log :
>
>     Tue Jun 9 11:45:53 2009
>             Packet-Type = Access-Accept
>             Reply-Message = "Utilisateur: fmehault, group: Administrateur"
>             Cisco-AVPair = "shell:priv-lvl=15"
>             Service-Type = NAS-Prompt-User
>
> But if I stop the Secondary-ldap, I have just :
>
> reply log :
>
>     Tue Jun 9 11:49:19 2009
>             Packet-Type = Access-Accept
>
> I can see in my log that radiusd tries to contact Secondary-ldap at first.
> Why ? Then it tests 3 times, rather than testing Primary-ldap, why ?

Read rlm_ldap documentation about group support. You are not using instances in groups.

Ivan Kalik
Kalik Informatika ISP
[freeradius] fail-over ldap + reply-item missing
Hi all,

I try to do a fail-over with two ldap on my freeradius. I read this article http://wiki.freeradius.org/Fail-over, I instantiated two openldap modules and I use the keyword redundant in my /raddb/site-available/default in the authorize and authenticate sections.

    redundant {
            Primary-ldap
            Secondary-ldap
    }

I also enabled reply_log. When the two ldap are launched, it works.

reply log :

    Tue Jun 9 11:45:53 2009
            Packet-Type = Access-Accept
            Reply-Message = "Utilisateur: fmehault, group: Administrateur"
            Cisco-AVPair = "shell:priv-lvl=15"
            Service-Type = NAS-Prompt-User

But if I stop the Secondary-ldap, I have just :

reply log :

    Tue Jun 9 11:49:19 2009
            Packet-Type = Access-Accept

I can see in my log that radiusd tries to contact Secondary-ldap at first. Why ? Then it tests 3 times, rather than testing Primary-ldap, why ?

I will be pleased to give you more information about my problem to help you fix it.

    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    rlm_ldap: Entering ldap_groupcmp()
    [files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
    [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    [files] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 10.96.18.4:389, authentication 0
    rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.4:389
    rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server
    rlm_ldap: (re)connection attempt failed
    rlm_ldap::ldap_groupcmp: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    [...]
    rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server
    [...]
    rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server

Summary:

    Primary-ldap started    Secondary-ldap started    It works
    Primary-ldap stopped    Secondary-ldap started    It works
    Primary-ldap started    Secondary-ldap stopped    Access-Accept without reply-item ...

If someone can explain to me what my problem is.

Regards,
François
Re: Fail-over. Send the request directly to Server2
> My scenario is:
>
>                                    --> Radius Server 1
>     Radius Client --> Radius Proxy ---
>                                    --> Radius Server 2
>
> Radius Proxy sends the request to the first live home server in the list
> (fail-over method).
>
> Can RadiusProxy send the request directly towards Server2, if Server1 is
> down?

Yes. Read instructions in proxy.conf.

Ivan Kalik
Kalik Informatika ISP
Fail-over. Send the request directly to Server2
Hi guys,

My scenario is:

                                   --> Radius Server 1
    Radius Client --> Radius Proxy ---
                                   --> Radius Server 2

Radius Proxy sends the request to the first live home server in the list (fail-over method).

Radius Proxy sends the request towards Server1. Server 1 is down. Now the Radius Proxy rejects the Request.

    Radius Client      Radius Proxy      Radius Server1
       | Request -->  | Request -->     |
       |              |                 |
       | <-- Reject   |                 |

Can RadiusProxy send the request directly towards Server2, if Server1 is down?

    Radius Client      Radius Proxy      Radius Server1
       | Request -->  | Request -->     |
       |              | (Server1 is down, Radius Proxy sends packet towards Server2)
       |              |                  Radius Server2
       |              | Request -->     |
       |              | <-- Accept      |

Thanks in advance
Marco
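As an added example for the scenario above (not from the original thread), a FreeRADIUS 2.x proxy.conf fragment that marks a silent home server "zombie", probes it with Status-Server, and lets a fail-over pool send new requests to the next live server. Addresses, secrets and the realm name are placeholders.

```conf
# Added example, not from the original post: fail-over between two
# home servers for FreeRADIUS 2.x proxy.conf. 192.0.2.x addresses,
# CHANGE-ME secrets and the realm "example.org" are placeholders.

home_server server1 {
	type = auth
	ipaddr = 192.0.2.11                 # placeholder: Radius Server 1
	port = 1812

	# Must be the secret server1 has configured for *this proxy* in its
	# clients.conf; a mismatch shows up as "Ignoring spoofed proxy reply".
	secret = CHANGE-ME-server1

	# Seconds to wait for a reply to a proxied request before giving up on it.
	response_window = 10

	# No reply to anything for this long -> server is marked "zombie" and
	# new requests stop being sent to it.
	zombie_period = 30

	# Probe a zombie with Status-Server packets so it can be declared
	# dead, or alive again after num_answers_to_alive consecutive replies.
	status_check = status-server
	check_interval = 30
	num_answers_to_alive = 3

	# Only consulted when status_check = none: a dead server is simply
	# assumed alive again after this many seconds.
	revive_interval = 300
}

home_server server2 {
	type = auth
	ipaddr = 192.0.2.12                 # placeholder: Radius Server 2
	port = 1812
	secret = CHANGE-ME-server2          # server2 may use a different secret
	response_window = 10
	zombie_period = 30
	status_check = status-server
	check_interval = 30
	num_answers_to_alive = 3
	revive_interval = 300
}

# fail-over: every request goes to the first server in the list that is
# not zombie/dead, so server2 is used only while server1 is unavailable.
home_server_pool proxy_auth_pool {
	type = fail-over
	home_server = server1
	home_server = server2
}

realm example.org {
	auth_pool = proxy_auth_pool
}
```

Requests already in flight when server1 goes silent still wait out response_window before the server is declared zombie, so the very first failure is not instantaneous. The home servers must accept Status-Server from the proxy's address for the probes to work; otherwise use status_check = request with a dedicated test username and password.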
Re: freeradius2 Proxy fail-over issues
Emmett Culley wrote:
> However, as soon as I attempt to define a set of main and backup
> servers, then use the auth_pool and acct_pool variables I get the
> following error:
>
> "Ignoring spoofed proxy reply. Signature is invalid"

That's pretty definitive. It means that the shared secret is wrong.

> Of course, the main reason I upgraded at all was to be able to define a
> pool of servers. I've searched Google and cannot find any references to
> this issue. Here are the proxy.conf lines that matter:

Which doesn't show the primary && secondary server configuration that causes the problem.

My guess is that you've configured the *same* shared secret for both home servers. Then, the home servers have been configured with *different* shared secrets for the proxy.

Use "radclient" from the proxy to send packets to the home servers. It will need to use the same shared secret that the proxy *should* have. If you can get radclient working, the same shared secret will work with the proxy.

Alan DeKok.
freeradius2 Proxy fail-over issues
I just upgraded one of our CentOS 5 systems from FreeRadius 1.x to FreeRadius 2.1.6. It was all working before the upgrade and I have it working on the new version. That is, by using the deprecated authhost and accthost variables in the realm definition I can successfully authenticate and process accounting with the new version.

However, as soon as I attempt to define a set of main and backup servers, then use the auth_pool and acct_pool variables I get the following error:

    "Ignoring spoofed proxy reply. Signature is invalid"

Here is a status query that results in the error, like any other query:

    Sending Access-Request of id 136 to x.x.x.x port 1812
            User-Name := ""
            User-Password := ""
            Service-Type := Authenticate-Only
            Message-Authenticator := 0x
            NAS-Identifier := "Status Check. Are you alive?"
    Waking up in 3.9 seconds.
    rad_recv: Access-Reject packet from host x.x.x.x port 1812, id=136, length=64
    Ignoring spoofed proxy reply. Signature is invalid

Of course, the main reason I upgraded at all was to be able to define a pool of servers. I've searched Google and cannot find any references to this issue.

Here are the proxy.conf lines that matter:

    home_server my_rlm_auth {
            ipaddr = x.x.x.x
            port = 1812
            type = "auth"
            secret = "bignewsecret"
            response_window = 30
            max_outstanding = 65536
            zombie_period = 40
            status_check = "none"
            ping_check = "none"
            #ping_interval = 30
            #check_interval = 30
            #num_answers_to_alive = 3
            #num_pings_to_alive = 3
            revive_interval = 300
            status_check_timeout = 4
    }

    home_server my_rlm_acct {
            ipaddr = x.x.x.x
            port = 1813
            type = "acct"
            secret = "bignewsecret"
            response_window = 30
            max_outstanding = 65536
            zombie_period = 40
            status_check = "none"
            ping_check = "none"
            #ping_interval = 30
            #check_interval = 30
            #num_answers_to_alive = 3
            #num_pings_to_alive = 3
            revive_interval = 300
            status_check_timeout = 4
    }

    server_pool my_rlm_auth_pool {
            type = fail-over
            home_server = my_rlm_auth
            #home_server = Primary_my_rlm_auth
            #home_server = Secondary_my_rlm_auth
    }

    server_pool my_rlm_acct_pool {
            type = fail-over
            home_server = my_rlm_acct
            #home_server = Primary_my_rlm_acct
            #home_server = Secondary_my_rlm_acct
    }

    realm my_rlm {
            nostrip
            auth_pool = my_rlm_auth_pool
            acct_pool = my_rlm_acct_pool
            # authhost = x.x.x.x:1812
            # accthost = x.x.x.x:1813
            # secret = "bignewsecret"
            type = radius
    }

Any ideas or pointers?

Regards,
Emmett
Re: mysql fail over
Peter Ellens wrote:
> Would it be possible to implement time outs on the calls to the mysql
> libraries?

The MySQL reference API suggests that this is possible:

http://dev.mysql.com/doc/refman/5.1/en/mysql-options.html

Alan DeKok.
RE: mysql fail over
Hi Alan

Would it be possible to implement time outs on the calls to the mysql libraries?

Thanks

-----Original Message-----
From: freeradius-users-bounces+peter=bccnz@lists.freeradius.org [mailto:freeradius-users-bounces+peter=bccnz@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, 11 December 2008 8:32 a.m.
To: FreeRadius users mailing list
Subject: Re: mysql fail over

Peter Ellens wrote:
> If I stop the first sql server service, freeradius starts to use the
> second sql server, as expected.
>
> But if I stop the entire first server (ie poweroff) freeradius still
> continues to try and use sql1, hanging...

FreeRADIUS is at the mercy of the MySQL client libraries. It asks them to connect, and if they never return... there's little that the server can do.

> Any ideas how to get it working correctly?

I presume that there's some magic MySQL client setting, saying "don't screw up this badly", but I don't know what it is.

> We would really like to be able to use a read/write master and read only
> slave, but it looks to me that the sqlippool needs to be writeable to
> mark the IP address as used and avoid duplicate IP allocation.

Yes.

Alan DeKok.
Re: mysql fail over
Peter Ellens wrote:
> If I stop the first sql server service, freeradius starts to use the
> second sql server, as expected.
>
> But if I stop the entire first server (ie poweroff) freeradius still
> continues to try and use sql1, hanging...

FreeRADIUS is at the mercy of the MySQL client libraries. It asks them to connect, and if they never return... there's little that the server can do.

> Any ideas how to get it working correctly?

I presume that there's some magic MySQL client setting, saying "don't screw up this badly", but I don't know what it is.

> We would really like to be able to use a read/write master and read only
> slave, but it looks to me that the sqlippool needs to be writeable to
> mark the IP address as used and avoid duplicate IP allocation.

Yes.

Alan DeKok.
mysql fail over
Hi Everyone

I've been trying to set up MySQL fail over with freeradius. I've followed http://wiki.freeradius.org/SQL_HOWTO#Additional_Snippets

But I get weird results.

If I stop the first sql server service, freeradius starts to use the second sql server, as expected.

But if I stop the entire first server (ie poweroff) freeradius still continues to try and use sql1, hanging...

I have tried this with real servers and with virtual servers, both react the same: if you take down the first sql service it will start to use the second, but if you power off or suspend the first sql server, radius hangs trying to get to the server.

I have tried freeradius 2.1.0, 2.1.1 and 2.1.3, on redhat enterprise 4 compiled from source.

Restarting freeradius, it will notice the first sql server is down and use the second sql server.

Can anyone confirm this behaviour? Any ideas how to get it working correctly?

Secondly, I have been looking into sqlippool and MySQL fail over. We would really like to be able to use a read/write master and read only slave, but it looks to me that the sqlippool needs to be writeable to mark the IP address as used and avoid duplicate IP allocation. Can someone confirm this?

Thanks
Peter
Re: Configuration trouble with fail-over
Guillaume Rousse wrote:
> What's wrong with just looking recursively for the name under which the
> module has been instantiated in the authorization section, without
> interpreting fail-over behaviour at all ?

Because it may be listed under multiple Auth-Type sections. This is something that people do, and is valid.

>> The problem is a common one in computer science: write a program that
>> "understands" what another program is doing. This problem is generally
>> known to be impossible.
> Here the communication occurs between the main program, and one of its
> module, the relationship is a bit tighter.

The problem is interpreting the meaning of the configuration in an "authenticate" section, including sections, sub-sections, "unlang", and redundant sections. Then, automatically making the server do the "right thing" in the authorize section, based on its interpretation of the "authenticate" section.

This is hard.

Alan DeKok.
Re: Configuration trouble with fail-over
Alan DeKok wrote:
> Guillaume Rousse wrote:
>> It is not documented in the rlm_ldap file shipped in top-level directory
>> (at least for release 2.0.0). The fact that there is a huge redundancy
>> between this file and comments in default configuration files doesn't
>> help maintaining a reference documentation.
>
> The configuration files are up-to-date. Other documentation files may
> not be.
>
> As always, we welcome patches to help fix code or documentation.

Here is a trivial one.

>>> ... if you have suggestions for how to make
>>> that determination, I'm interested.
>> No, especially as I got no clue about freeradius internals.
>
> There's no need to understand the internals. All you need to do is
> understand the configuration, and to come up with some simple logic for
> the "right" thing to do.

What's wrong with just looking recursively for the name under which the module has been instantiated in the authorization section, without interpreting fail-over behaviour at all ?

> The problem is a common one in computer science: write a program that
> "understands" what another program is doing. This problem is generally
> known to be impossible.

Here the communication occurs between the main program, and one of its modules; the relationship is a bit tighter.

--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62

diff -Naur freeradius-server-2.0.3/doc/rlm_ldap freeradius-server-2.0.3-drop-redundant-documentation/doc/rlm_ldap
--- freeradius-server-2.0.3/doc/rlm_ldap2008-02-14 08:03:42.0 +0100
+++ freeradius-server-2.0.3-drop-redundant-documentation/doc/rlm_ldap 2008-04-30 11:23:20.0 +0200
@@ -26,236 +26,7 @@ 3. CONFIGURATION -Add following subsection to the modules{} section of radiusd.conf to control -the rlm_ldap module: - - modules { ... - - ldap { - -# server: LDAP server hostname/ip address -# -# Optionaly could contain space separated list of host[:port], but -# redundancy/resiliency is better acheived configuring multiple rlm_ldap -# module instances and invocing them in redundand/failover -# configuration in authorize/authenticate sections -# -# You can also pass an ldap url like ldap://localhost -# That way you can also specify alternative ldap schemas like -# ldaps:// or ldapi:// -# The port directive will be ignored in that case -# -# default: settings for your system, as set in etc/openldap/ldap.conf -# - server = localhost - -# port: LDAP server port -# -# If LDAP server port is set to 636 (ldaps), SSL connection is enforced. -# This feature is useful for LDAP servers which support SSL, but don't -# do TLS negotiation (like Novell eDirectory). -# -# default: 389 (ldap) -# - port = 636 - -# net_timeout: # of seconds to wait for response of the server (network -# failures) default: 10 -# - net_timeout = 1 - -# timeout: # seconds to wait for LDAP query to finish default: 20 -# - timeout = 2 - -# timelimit: # of seconds server has to process the query (server-side -# time limit) default: 20 -# - timelimit = 5 - -# ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation) -# default: 0x (no debugging messages) -# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) - ldap_debug = 0x0028 - -# identity: DN under which LDAP searches are done password: pasword -# which authenticate this DN default: anonymous bind, no password -# required NOTE: searches are done now over unencrypted connection! -# -# identity = "cn=admin,o=My Org,c=UA" password = mypass - - -# ldap_connections_number: The number of ldap connections that the -# module will keep open to use in requests. 
Usually it will not need to -# be larger than 5-10 connections default: 5 - - ldap_connections_number = 5 - -# basedn = -# - basedn = "o=My Org,c=UA" - -# filter: LDAP search filter, to locate user object using name supplied -# by client during Radius authentication -# -# default: filter = "(uid=%u)" - -# base_filter: The LDAP search filter used for base scope searches, like -# when searching for the default or regular profiles -# -# deafault: base_filter = "(objectclass=radiusprofile)" - - filter = "(uid=%u)" - -# start_tls: When set to "yes" the StartTLS extended operation is used to -# start TLS transport encryption. - start_tls = no - -# tls_mode: When set to "yes" OR the server port is 636 we try to connect with TLS -# Start TLS should be prefered, tls_mode is p
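Review bot: the hunk (@@ -26,236 +26,7 @@) leaves "3. CONFIGURATION" in doc/rlm_ldap as a heading with nothing underneath telling the reader where the option reference went; replace the deleted block with a one-line pointer to the commented module configuration shipped in raddb (the thread states those files are the ones kept up to date) so the doc file does not go silent on configuration. Dropping the duplicated text itself is sound: the removed lines carry typos ("Optionaly", "acheived", "invocing", "redundand", "pasword", "deafault") that would otherwise have to be fixed in two places.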
Re: Configuration trouble with fail-over
Guillaume Rousse wrote:
> It is not documented in the rlm_ldap file shipped in top-level directory
> (at least for release 2.0.0). The fact that there is a huge redundancy
> between this file and comments in default configuration files doesn't
> help maintaining a reference documentation.

The configuration files are up-to-date. Other documentation files may not be.

As always, we welcome patches to help fix code or documentation.

>> ... if you have suggestions for how to make
>> that determination, I'm interested.
> No, especially as I got no clue about freeradius internals.

There's no need to understand the internals. All you need to do is understand the configuration, and to come up with some simple logic for the "right" thing to do.

The problem is a common one in computer science: write a program that "understands" what another program is doing. This problem is generally known to be impossible.

Alan DeKok.
Re: Configuration trouble with fail-over
Alan DeKok wrote:
> Guillaume Rousse wrote:
>> It does. But clarification between what's old and what's new syntax
>> doesn't harm.
>
> The new syntax is documented, and is preferred. If you try the old
> one (undocumented and deprecated), it works. What needs clarification?

It is not documented in the rlm_ldap file shipped in top-level directory (at least for release 2.0.0). The fact that there is a huge redundancy between this file and comments in default configuration files doesn't help maintaining a reference documentation.

>> Right, but that seems to be only a syntax difference, referring to a
>> named instance of the LDAP module. One would expect the code to be more
>> robust, or at least the problem documented somewhere.
>
> It is very difficult to determine what is *supposed* to happen inside
> of an authentication section. If you have suggestions for how to make
> that determination, I'm interested.

No, especially as I got no clue about freeradius internals.

> And the problem is documented: the debug log prints out a warning
> message, as you saw.
>
>> If I understand correctly, there is no way to help the rlm_module
>> understand I'm using it for authentication, as I use a complex syntax, so
>> I have to set it up explicitly, right ?
>
> Yes.
>
>> In this case, I think this
>> deserves some explanation in the rlm_ldap documentation, such as:
>> "Warning, if the LDAP module is not directly referenced to in
>> authentication section, such as a failover configuration using named
>> aliases, this setting will be disabled".
>
> The same problem applies to other modules, so it needs to be
> documented in one place.

Indeed.

--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
Re: Configuration trouble with fail-over
Guillaume Rousse wrote:
> It does. But clarification between what's old and what's new syntax
> doesn't harm.

The new syntax is documented, and is preferred. If you try the old one (undocumented and deprecated), it works. What needs clarification?

> Right, but that seems to be only a syntax difference, referring to a
> named instance of the LDAP module. One would expect the code to be more
> robust, or at least the problem documented somewhere.

It is very difficult to determine what is *supposed* to happen inside of an authentication section. If you have suggestions for how to make that determination, I'm interested.

And the problem is documented: the debug log prints out a warning message, as you saw.

> If I understand correctly, there is no way to help the rlm_module
> understand I'm using it for authentication, as I use a complex syntax, so
> I have to set it up explicitly, right ?

Yes.

> In this case, I think this
> deserves some explanation in the rlm_ldap documentation, such as:
> "Warning, if the LDAP module is not directly referenced to in
> authentication section, such as a failover configuration using named
> aliases, this setting will be disabled".

The same problem applies to other modules, so it needs to be documented in one place.

Alan DeKok.
Re: Configuration trouble with fail-over
Alan DeKok wrote:
>> I think this ought to be documented in rlm_ldap documentation (as well
>> as minor other changes, such as the new tls subsection).
>
> The new tls sub-section isn't required. The old-style configuration
> *should* work.

It does. But clarification between what's old and what's new syntax doesn't harm.

>> I also tried to clean up my configuration a little bit. I think I found
>> a bug in the handling of set_auth_type directive. From what I
>> understood, this directive governs the setting of the Auth-Type
>> attribute to 'LDAP' during the authorisation phase. However, whatever
>> its value, it's automatically disabled when launching radius at startup:
>>
>> Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type,
>> as we're not listed in the "authenticate" section.
>
> Yes... the LDAP module is now aware that you may have *multiple*
> copies of the LDAP module running.

I guess you mean 'not aware'

>> Here is my authenticate section, using two ldap modules in fail-over:
>> authenticate {
>>         Auth-Type LDAP {
>>                 redundant {
>>                         ldap1
>>                         ldap2
>
> ldap1 != "LDAP".

Right, but that seems to be only a syntax difference, referring to a named instance of the LDAP module. One would expect the code to be more robust, or at least the problem documented somewhere.

[..]

>> Which one should I believe ?
>
> All of them. There are generalizations, which are usually true. In
> addition, there are specific corner cases where the generalizations
> aren't true.

I need the second solution (ldap as an authentication server), so I need to have Auth-Type set. If I understand correctly, there is no way to help the rlm_module understand I'm using it for authentication, as I use a complex syntax, so I have to set it up explicitly, right ?

In this case, I think this deserves some explanation in the rlm_ldap documentation, such as: "Warning, if the LDAP module is not directly referenced to in authentication section, such as a failover configuration using named aliases, this setting will be disabled".

--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
Re: Configuration trouble with fail-over
Guillaume Rousse wrote:
> I've recently upgraded my freeradius servers from 1.1.7 to 2.0.0,

2.0.3 has been out for a while...

> and
> I've been hit badly by the change in the handling of LDAP-UserDn
> attribute, as detailed in
> http://www.nabble.com/Re%3A-LDAP-Groups-and-EAP-p14886209.html

This was fixed in CVS head, in what will be 2.0.4.

> I think this ought to be documented in rlm_ldap documentation (as well
> as minor other changes, such as the new tls subsection).

The new tls sub-section isn't required. The old-style configuration *should* work.

> I also tried to clean up my configuration a little bit. I think I found
> a bug in the handling of set_auth_type directive. From what I
> understood, this directive governs the setting of the Auth-Type
> attribute to 'LDAP' during the authorisation phase. However, whatever
> its value, it's automatically disabled when launching radius at startup:
>
> Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type,
> as we're not listed in the "authenticate" section.

Yes... the LDAP module is now aware that you may have *multiple* copies of the LDAP module running.

> Here is my authenticate section, using two ldap modules in fail-over:
> authenticate {
>         Auth-Type LDAP {
>                 redundant {
>                         ldap1
>                         ldap2

ldap1 != "LDAP".

>                         handled
>                 }
>         }
> }
>
> If I drop failover, everything works as expected. Should I report this as
> a bug ?

No.

> So far, the only workaround I found is to force the Auth-Type attribute
> in the user file:

Yes. The old behavior was wrong.

> But I can't make up my mind if it is a good solution or not. According to
> the comment in default configuration file: "In general, you SHOULD NOT
> set the Auth-Type attribute".

In general. In some cases, it works. In this case, the knowledge that you want to do LDAP authentication is buried inside of a "redundant" section.

> According to Alan's answer in
> http://www.nabble.com/Re%3A-Force-Auth-Type-p15069162.html
> "The LDAP module setting Auth-Type to LDAP is a bit of a hack."

Yes. If you use the LDAP server as a *database*, then there's no need to set Auth-Type. FreeRADIUS just figures it out.

The only reason to use Auth-Type = LDAP is when you're using LDAP as an *authentication* server, not as a database.

> Which one should I believe ?

All of them. There are generalizations, which are usually true. In addition, there are specific corner cases where the generalizations aren't true.

Alan DeKok.
Configuration trouble with fail-over
Hello list.

I've recently upgraded my freeradius servers from 1.1.7 to 2.0.0, and I've been hit badly by the change in the handling of LDAP-UserDn attribute, as detailed in http://www.nabble.com/Re%3A-LDAP-Groups-and-EAP-p14886209.html

I think this ought to be documented in rlm_ldap documentation (as well as minor other changes, such as the new tls subsection).

I also tried to clean up my configuration a little bit. I think I found a bug in the handling of set_auth_type directive. From what I understood, this directive governs the setting of the Auth-Type attribute to 'LDAP' during the authorisation phase. However, whatever its value, it's automatically disabled when launching radius at startup:

    Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.

Here is my authenticate section, using two ldap modules in fail-over:

    authenticate {
            Auth-Type LDAP {
                    redundant {
                            ldap1
                            ldap2
                            handled
                    }
            }
    }

If I drop failover, everything works as expected. Should I report this as a bug ?

So far, the only workaround I found is to force the Auth-Type attribute in the user file:

    DEFAULT ldap1-LDAP-Group == admins, Auth-Type := LDAP, Huntgroup-Name == AdminNet
            Service-Type = Login,
            Cisco-AVPair = "shell:priv-lvl=15"

    DEFAULT ldap2-LDAP-Group == admins, Auth-Type := LDAP, Huntgroup-Name == AdminNet
            Service-Type = Login,
            Cisco-AVPair = "shell:priv-lvl=15"

But I can't make up my mind if it is a good solution or not. According to the comment in the default configuration file: "In general, you SHOULD NOT set the Auth-Type attribute". According to Alan's answer in http://www.nabble.com/Re%3A-Force-Auth-Type-p15069162.html "The LDAP module setting Auth-Type to LDAP is a bit of a hack."

Which one should I believe ?

--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
Re: FR2: combining round-robin and fail-over home server pools
John Horne wrote:
> I am in the process of configuring FreeRADIUS 2.0.1. For some realms we
> proxy the authentication request to three other servers (svr-1, svr-2,
> svr-3). However, what we wanted was to, in effect, round-robin two of
> the servers (svr1 and svr-2), and then only use the third server (svr-3)
> if the other two were not available.

That can't really be done in the current config.

> Note that 'local_IAS' is actually a home_server_pool name, and not an
> actual home server. I was then going to configure FR to use
> 'local_proxies' for the relevant realms. However, starting FR gives an
> error:
>
>     /usr/local/etc/raddb/proxy.conf[87]: Unknown home_server "local_IAS".

Yes. The "home_server" is not a "home_server_pool".

> Anyone have any ideas how to mix round-robin servers with fail-over?

Edit the source code.

Alan DeKok.
FR2: combining round-robin and fail-over home server pools
Hello,

I am in the process of configuring FreeRADIUS 2.0.1. For some realms we proxy the authentication request to three other servers (svr-1, svr-2, svr-3). However, what we wanted was to, in effect, round-robin two of the servers (svr1 and svr-2), and then only use the third server (svr-3) if the other two were not available.

I have configured the proxy.conf 'home_server_pool's as:

home_server_pool local_IAS {
        type = client-port-balance
        home_server = svr-1
        home_server = svr-2
}

home_server_pool local_proxies {
        type = fail-over
        home_server = local_IAS
        home_server = svr-3
}

Note that 'local_IAS' is actually a home_server_pool name, and not an actual home server. I was then going to configure FR to use 'local_proxies' for the relevant realms. However, starting FR gives an error:

/usr/local/etc/raddb/proxy.conf[87]: Unknown home_server "local_IAS".

Anyone any ideas how to mix round-robin servers with fail-over?

Thanks,

John.

--
John Horne, University of Plymouth, UK   Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                Fax: +44 (0)1752 233839
Re: Fail-Over to sql-lost file
I already found the documentation, thank you very much.

Wilmar

On 11/30/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Wilmar Campos wrote:
> > Can you please give me an example how to use it?
>
>   It has documentation, and comments in its configuration, I believe.
> Do you have specific questions?
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog

--
Wilmar Campos
Re: Fail-Over to sql-lost file
Wilmar Campos wrote:
> Can you please give me an example how to use it?

  It has documentation, and comments in its configuration, I believe.
Do you have specific questions?

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Re: Fail-Over to sql-lost file
Can you please give me an example how to use it?

Thanks,
Wilmar

On 11/30/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Wilmar Campos wrote:
> > Hello,
> > I just moved from OpenRadius to Freeradius and I couldn't find any
> > place to tell the accounting module to write the sql insert command
> > into a file if the MySQL server is not available.
>
>   rlm_sql_log.  It's another module, rather than being part of rlm_sql,
> but it should work.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog

--
Wilmar Campos
Re: Fail-Over to sql-lost file
Wilmar Campos wrote:
> Hello,
> I just moved from OpenRadius to Freeradius and I couldn't find any
> place to tell the accounting module to write the sql insert command
> into a file if the MySQL server is not available.

  rlm_sql_log.  It's another module, rather than being part of rlm_sql,
but it should work.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Fail-Over to sql-lost file
Hello,

I just moved from OpenRadius to Freeradius and I couldn't find any place to tell the accounting module to write the sql insert command into a file if the MySQL server is not available.

I found a way to do it with the detail file, but not with a file to keep all the INSERT queries for later insertion.

I am running freeradius 1.1.2 on Slackware 10.1, kernel 2.6.

Thanks for your support.

Wilmar Campos
RE : Fail over mysql backend
I've tried to let the sql {} but it said rlm_sql_sql is not a valid sql driver, or something like that.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Monday, 20 September 2004 21:11
To: [EMAIL PROTECTED]
Subject: Re: RE : Fail over mysql backend

"EROS" <[EMAIL PROTECTED]> wrote:
> If you need redundancy, your sql1 and sql2 .conf must be :
> You should remove the sql { }
>
> This is what I've had to do to make this work

  I *really* don't recommend doing that.  If it works, it's an accident,
and the server is NOT intended to work that way.

  Please follow the directions in "doc/configurable_failover", and NOT
the above instructions.

  Alan DeKok.
Re: RE : Fail over mysql backend
"EROS" <[EMAIL PROTECTED]> wrote: > If you need redondant your sql1 and sql2 .conf must be : ... > You should remove the sql { } > > Tis is what i've must done to make this working I *really* don't recommend doing that. If it works, it's an accident, and the server is NOT intended to work that way. Please follow the directions in "doc/configurable_failover", and NOT the above instructions. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Fail over mysql backend
A standard sql.conf is :

Sql {
...
...
...
}

If you need redundancy, your sql1 and sql2 .conf must be :

...
...
...

You should remove the sql { }

This is what I've had to do to make this work

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Monday, 20 September 2004 16:23
To: [EMAIL PROTECTED]
Subject: Re: Fail over mysql backend

"Cris Boisvert" <[EMAIL PROTECTED]> wrote:
> In the radiusd.conf
> In the authorize section I have
> redundant{
>         sql
>         sql2
> }

  Ok...

> Mon Sep 20 08:37:16 2004 : Error: radiusd.conf[14] Failed linking to
> rlm_sql2 structure in radiusd.conf: /usr/lib/rlm_sql2.so: undefined
> symbol: rlm_sql2

  Please read doc/configurable_failover.  It contains examples of doing
this.

  Alan DeKok.
Re: Fail over mysql backend
"Cris Boisvert" <[EMAIL PROTECTED]> wrote: > In the radiusd.conf > In the authorize section I have > redundant{ > sql > sql2 > } Ok... > Mon Sep 20 08:37:16 2004 : Error: radiusd.conf[14] Failed linking to > rlm_sql2 structure in radiusd.conf: /usr/lib/rlm_sql2.so: undefined symbol: > rlm_sql2 Please read doc/configurable_failover. It contains examples of doing this. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fail over mysql backend
I'm trying to set up Freeradius with 2 sql servers for a failover.

In the radiusd.conf
In the authorize section I have

redundant{
        sql
        sql2
}

When I start it I get

Mon Sep 20 08:37:16 2004 : Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/database
Mon Sep 20 08:37:16 2004 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Mon Sep 20 08:37:16 2004 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
Mon Sep 20 08:37:16 2004 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
Mon Sep 20 08:37:16 2004 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
Mon Sep 20 08:37:16 2004 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Mon Sep 20 08:37:16 2004 : Error: radiusd.conf[14] Failed linking to rlm_sql2 structure in radiusd.conf: /usr/lib/rlm_sql2.so: undefined symbol: rlm_sql2

It can link to the first database, although when it tries to connect to the second it has problems. Looking for another instance of rlm_sql.so

Thanx
Cris

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.755 / Virus Database: 505 - Release Date: 9/8/2004
Re: module timeout when using configurable fail-over
ROY <[EMAIL PROTECTED]> wrote:
> Ok. If this should be added, where should it be done? I might try, but,
> you must be right.. it's hard to do.

  Everywhere, in all of the modules.  It's *very* hard.

  Alan DeKok.
Re: module timeout when using configurable fail-over
On Mon, 2004-08-16 at 23:06, Alan DeKok wrote:
> ROY <[EMAIL PROTECTED]> wrote:
> > is there a way to force a module to fail within specific period by
> > setting a timeout param? say, if the module doesn't send a return value
> > in X seconds, fail code will be in effect?
>
>   No.  That should be added, but it will be hard to do.

Ok. If this should be added, where should it be done? I might try, but,
you must be right.. it's hard to do.

> > the current setup seems to work if the ff are true:
> > 1. db server is down
> > 2. no more sockets could be setup between radius and db
>
>   But it won't work if the DB connection locks up.

I'd have to check that out. Haven't seen such an occurrence yet. See, I'm
testing 3 servers as an accounting system for several NASes which receive
rapid voice call attempts from a dialer.

>   Alan DeKok.

many thanks,
Roy
Re: module timeout when using configurable fail-over
ROY <[EMAIL PROTECTED]> wrote:
> is there a way to force a module to fail within specific period by
> setting a timeout param? say, if the module doesn't send a return value
> in X seconds, fail code will be in effect?

  No.  That should be added, but it will be hard to do.

> the current setup seems to work if the ff are true:
> 1. db server is down
> 2. no more sockets could be setup between radius and db

  But it won't work if the DB connection locks up.

  Alan DeKok.
module timeout when using configurable fail-over
hi list,

i'm trying to do configurable fail-over on the accounting section using sql:

modules {
        sql cdr1 {
                server = x.x.x.x
                radiusdb = cdr
                blah blah
        }
        sql cdr2 {
                server = y.y.y.y
                radiusdb = cdr
                blah blah
        }
}

accounting {
        group {
                cdr1 {
                        fail = 1
                        ok = return
                }
                cdr2 {
                        fail = 1
                        ok = return
                }
        }
}

parallel table schema are in effect on two db servers.

is there a way to force a module to fail within specific period by setting a timeout param? say, if the module doesn't send a return value in X seconds, fail code will be in effect? the goal is to send the request to the next module (cdr2).

the current setup seems to work if the ff are true:
1. db server is down
2. no more sockets could be setup between radius and db

any comments?

tia,
roy
Re: fail-over configuration
Thanks for your reply, Alan.

You showed the following process.

> > 1.Checking users file
> > If the User-Name is not found, go to "Checking SQL(Mysql) DataBase."
> > Check the Calling-Station-Id.
> > if the Calling-Station-Id is correct, continue to "authenticate"
> > if the Calling-Station-Id is incorrect,reject the user.
>
> > 2.Checking SQL(Mysql) DataBase.
> > If the User-Name is not found, reject the user.
> >
> > Check the Calling-Station-Id.
> > if the Calling-Station-Id is correct, continue to "authenticate"
> > if the Calling-Station-Id is incorrect,reject the user.
>
> In "authenticate", check the User-password. If correct, the user is
> authenticated.
>
> > if the User-Password is incorrect,reject the user

Then, I have a question. What does "the User-Name is not found" mean?
I thought it meant that the User-Name value in the request is not found in the users file.
But freeradius does not operate like that. It looks like the following.

case 1 (this case is OK (found!))
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and User-Password(value) in Users file equals User-Password(value) in Access-Request.
  and Calling-Station-Id(value) in Users file equals Calling-Station-Id(value) in Access-Request.

case 2 (this case is not found)
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and User-Password(value) in Users file does not equal User-Password(value) in Access-Request.
  and Calling-Station-Id(value) in Users file equals Calling-Station-Id(value) in Access-Request.

case 3 (this case is not found)
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and User-Password(value) in Users file equals User-Password(value) in Access-Request.
  and Calling-Station-Id(value) in Users file does not equal Calling-Station-Id(value) in Access-Request.

case 4 (this case is not found)
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and User-Password(value) in Users file does not equal User-Password(value) in Access-Request.
  and Calling-Station-Id(value) in Users file does not equal Calling-Station-Id(value) in Access-Request.

Does "The User-Name is not found" mean that not all the radius attributes that should be compared are matched, not only that the User-Name value does not match?
If that is right, does checking the User-Password in authenticate always succeed?

--
Access-Request:
        User-Name = "testusr"
        User-Password = "usrpass00"
        NAS-Port = 1
        NAS-IP-Address = 192.168.100.20
        Framed-Protocol = PPP
        Service-Type = Framed-User
        NAS-Port-Type = ISDN
        Calling-Station-Id = "0123456789"

--
Users file:
testusr Auth-Type := Local, User-Password == "usrpass", Calling-Station-Id =="0123456789"
        User-Service = Framed-User ,
        Framed-Protocol = PPP ,
        Framed-IP-Address = 10.0.0.1 ,
        Framed-IP-Netmask = 255.255.255.255 ,
        Ascend-Idle-Limit = 600 ,
        Ascend-Data-Filter = "ip in forward dstip 10.0.1.0/24" ,
        Ascend-Data-Filter += "ip in forward dstip 172.16.1.0/24" ,
        Ascend-Data-Filter += "ip in drop dstip 0.0.0.0" ,
        Ascend-Data-Filter += "ip out forward"

sorry for my poor english
regards

--
baffy200y <[EMAIL PROTECTED]>

__
Do You Yahoo!?
http://bb.yahoo.co.jp/
Re: Fail-Over
On Mon, 31 May 2004, Alan DeKok wrote:

> "Juan" <[EMAIL PROTECTED]> wrote:
> > I have read configurable_failover three times but I can not do
> > that freeradius failover with ippool. I have two pools that I want
> > to use for all my users. I need freeradius to start assigning
> > IPs from the second Pool when the first is full. I do not know what
> > I must read to do it.
>
>   It looks like it's a problem with the IP pool module...

Try using the latest version of the ippool module (revision 1.31). That one
should work.

>
>   Alan DeKok.
>

--
Kostas Kalevras             Network Operations Center
[EMAIL PROTECTED]           National Technical University of Athens, Greece
Work Phone:                 +30 210 7721861
'Go back to the shadow'     Gandalf
AW: Fail-Over
g!"; exit -1; fi

        # stop localserver
        rad_stop

        # save pool-state
        mv $POOL.pool $POOL.pool.back
        mv $POOL.index $POOL.index.back

        # test config
        if ! reload_server;then
                rad_stop
                mv $POOL.pool.back $POOL.pool
                mv $POOL.index.back $POOL.index
        else
                rad_stop
                files="$POOL.pool $POOL.index"
                if ! scp $files $REMOTE:$POOL_DIR > /dev/null; then
                        echo -e $rc_failed; echo "-- error when copying $files!";
                fi
                sync_files $DB_DIR $REMOTE
        fi
        rad_start
        if ! ssh $REMOTE "PATH=$PATH":/sbin";/usr/sbin/radcontrol start"; then
                echo -e $rc_failed; echo "-- Fehler bei der Remoteausführung!"; exit -1;
        fi
        rad_status
}

function rad_syncpools {
        # stop remoteserver
        if ! ssh $REMOTE "PATH=$PATH":/sbin";/usr/sbin/radcontrol stop"; then
                echo -e $rc_failed; echo "-- Fehler bei der Remoteausführung!"; exit -1;
        fi
        rad_stop
        echo "sync ippools from $POOL_DIR to $REMOTE"
        sync_files $POOL_DIR $REMOTE
        rad_start
        if ! ssh $REMOTE "PATH=$PATH":/sbin";/usr/sbin/radcontrol start"; then
                echo -e $rc_failed; echo "-- Fehler bei der Remoteausführung!"; exit -1;
        fi
}

function rad_help {
cat<<"EOF"
usage: radcontrol

options are:
  help         - give short description of the program
  stop         - stop local server
  start        - start local server
  reload []    - reload both servers with updated config files
                 use [] argument if ippool definition changed !!
                 if is given, it is interpreted as ippool name name prefix.
                 *** pool DB is removed on both servers ***
  local_reload - reload only local server with updated config files
                 *** do not use if existing ippool definition changed !!
  syncpools    - stop/start servers and synchronise ippools
                 this is needed if stale ip-adresses at backup
                 or if master is to restart after crash
  status       - show status of all processes on both machines
  iptrans      - transfer ipaddresses from stuck transferfiles
                 only transfer addresses from files not older than minutes
                 - delete older files
EOF
}

function usage {
cat<<"EOF"
usage: radcontrol

options are:
  help         - give short description of the program
  stop         - stop local server
  start        - start local server
  reload []    - reload both servers - optional remove ippool
  local_reload - reload local server
  syncpools    - stop/start servers and synchronise ippools
  status       - show status of all processes on both machines
  iptrans      - transfer stuck ipaddresses
EOF
}

##
if ! lock $RADCONTROL_SEM;then
        echo -e "another instance running... $rc_failed"
        exit;
fi

if [[ $# == 0 ]];then usage;exit;fi

if [[ $1 == status ]];then
        rad_$1
elif [[ $1 == stop ]];then
        rad_$1
elif [[ $1 == start ]];then
        rad_$1
elif [[ $1 == local_reload ]];then
        rad_$1
elif [[ $1 == reload ]] && [[ $# == 1 ]] ;then
        rad_$1
elif [[ $1 == reload ]] && [[ $# == 2 ]] ;then
        rad_clearpool $2
elif [[ $1 == syncpools ]];then
        rad_$1
elif [[ $1 == help ]];then
        rad_$1
elif [[ $1 == iptrans ]] && [[ $# == 2 ]] ;then
        rad_$1 $2
else
        usage 1>&2
fi

The crux with this system is that - because of race conditions - under rare
circumstances some ip addresses could get lost. But I think without
modifications to the freeradius server, there is no chance to change that.

regards
arne

PS.: Feel free to tell me about any bug in these scripts :) I would also
appreciate any enhancements :)

> Message: 1
> Date: Thu, 27 May 2004 18:28:14 +0200
> To: [EMAIL PROTECTED]
> From: "Juan" <[EMAIL PROTECTED]>
> Subject: Fail-Over
> Reply-To: [EMAIL PROTECTED]
>
> Hello,
>
> I have read configurable_failover three times but I can not do that
> freeradius failover with ippool. I have two pools that I want to use for
> all my users. I need freeradius to start assigning IPs from the second
> Pool when the first is full. I do not know what I must read to do it.
>
> Can somebody help me?
>
> Thank you.
Re: Fail-Over
"Juan" <[EMAIL PROTECTED]> wrote: > i have read configurable_failover for three times but i can not do > that freeradius failover with ippool. I have two pools that i want > to use then for all my users. I need that freradius start to asign > IPs from the second Pool whe the first is full. I do not known what > i must read to do it. It looks like it's a problem with the IP pool module... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: fail-over configuration
baffy200y <[EMAIL PROTECTED]> wrote:
> 1.Checking users file
> If the User-Name is found,check the User-Password.

  The server can't do that.  The "authorize" section doesn't do any
authentication.

  I would re-write your request as:

> 1.Checking users file
> If the User-Name is not found, go to "Checking SQL(Mysql) DataBase."
> Check the Calling-Station-Id.
> if the Calling-Station-Id is correct, continue to "authenticate"
> if the Calling-Station-Id is incorrect,reject the user.

> 2.Checking SQL(Mysql) DataBase.
> If the User-Name is not found, reject the user.
>
> Check the Calling-Station-Id.
> if the Calling-Station-Id is correct, continue to "authenticate"
> if the Calling-Station-Id is incorrect,reject the user.

  In "authenticate", check the User-password.  If correct, the user is
authenticated.

> if the User-Password is incorrect,reject the user

  The server can do this.  See doc/configurable_failover for how to
configure the "authorize" section to do "check files, if not found,
check sql".

  Alan DeKok.
fail-over configuration
Hi, all.

I want to set up freeradius which uses the users file and an sql database for
user authentication.

But I can not set it up well.
Can I set up freeradius as follows?


1.Checking users file
   If the User-Name is found, check the User-Password.
     if the User-Password is correct, check the Calling-Station-Id.
       if the Calling-Station-Id is correct, the user is authenticated.
       if the Calling-Station-Id is incorrect, reject the user.
     if the User-Password is incorrect, reject the user
   If the User-Name is not found, go to "Checking SQL(Mysql) DataBase."

2.Checking SQL(Mysql) DataBase.
   If the User-Name is found, check the User-Password.
     if the User-Password is correct, check the Calling-Station-Id.
       if the Calling-Station-Id is correct, the user is authenticated.
       if the Calling-Station-Id is incorrect, reject the user.
     if the User-Password is incorrect, reject the user
   If the User-Name is not found, reject the user.

My image process figure
--
           Start
             |
        +----------+
        |  users   | user found
        |  file    +-------------------+
        +----------+                   |
             | user not found          |
             |                         |
        +----------+                   |
        |   sql    | user found        |
        | (MySql)  +-------------------+
        +----------+                   |
             | user not found    +-----------+
             |                   | Password  | false
           reject                |  check    +-------- reject
                                 +-----------+
                                       | ok
                                 +-------------+
                                 |  Calling-   | false
                                 | Station-Id  +------ reject
                                 |   check     |
                                 +-------------+
                                       | ok
                                user authenticated

figure 1
--

my authorize section in radiusd.conf is below
--
authorize {
        preprocess
        group {
                files {
                        ok = return
                }
                sql {
                        ok = return
                }
        }
}

my users file
--
test    Auth-Type := Local, User-Password == "test", Calling-Station-Id=="00"
        User-Service = Framed-User ,
        Framed-Protocol = PPP ,
        Framed-IP-Address = 10.0.0.1 ,
        Framed-IP-Netmask = 255.255.255.255


Result I tested.
--
    |User-Name|User-Password|Calling-Station-Id|
 ---+---------+-------------+------------------+
 (1)|    ○    |      ×      |        -         |
 ---+---------+-------------+------------------+
 (2)|    ○    |      ○      |        ×         |
 ---+---------+-------------+------------------+
 ○:correct  ×:incorrect

Case (1)
   files(rlm_files) returns notfound but reject.
   and sql db has been checked.
   and group returns notfound but reject.

case (2)
   files(rlm_files) returns notfound but reject.
   and sql db has been checked.
   and group returns notfound but reject.


sorry for my poor english
regards

--
baffy200y <[EMAIL PROTECTED]>

__
Do You Yahoo!?
http://bb.yahoo.co.jp/
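The questions in this thread (what rlm_files means by "not found" when a users-file entry has extra check items, and how the group { ... ok = return } sections here and in ROY's accounting configuration fall through from one module to the next) come down to two rules. The following is an added Python model of those rules, not FreeRADIUS code and not anything the posters wrote: the users entries, the "sql" rows (a stand-in for rlm_sql's radcheck lookup, assumed to use the same check-item semantics) and the requests are constructed sample input, and the default action tables are an assumption transcribed from memory of doc/configurable_failover; only the overrides given in the posted configs matter for the cases it checks.

```python
import re

# Added illustration, not FreeRADIUS code: a model of (a) how rlm_files decides
# that a users-file entry "matches" and (b) how a configurable-failover "group"
# folds the return codes of its modules. Default action tables are transcribed
# from doc/configurable_failover as remembered (ASSUMPTION). All request,
# users-file and "sql" data below is constructed sample input.

# One users-file item: 'Attr OP value' (value may be quoted).
# ASSUMPTION: values never contain commas, which holds for the posted entries.
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|\+=|=)\s*"?([^",]*?)"?\s*$')


def parse_items(text):
    """'A == "x", B := y' -> [('A', '==', 'x'), ('B', ':=', 'y')]"""
    return [ITEM.match(part).groups() for part in text.split(",") if part.strip()]


def parse_users(text):
    """users-file syntax: an unindented line is 'name check-items'; the
    indented lines that follow hold that entry's reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            entries[-1]["reply"] += parse_items(line)
        else:
            parts = line.split(None, 1)
            check = parse_items(parts[1]) if len(parts) > 1 else []
            entries.append({"name": parts[0], "check": check, "reply": []})
    return entries


def match_entry(entry, request):
    """rlm_files matching: the entry is 'found' only if the name matches AND
    every '==' check item equals the request attribute. ':=' items are not
    compared; they are copied to the config list (that is how Auth-Type :=
    Local reaches the server). One failing check item means notfound, not
    reject, which is what the posted cases 2, 3 and 4 show."""
    if entry["name"] not in ("DEFAULT", request.get("User-Name")):
        return None
    config = {}
    for attr, op, value in entry["check"]:
        if op == "==" and request.get(attr) != value:
            return None
        if op == ":=":
            config[attr] = value
    return config


def files_module(entries):
    """Module callable returning (code, config, reply). Also used, with
    constructed rows, as a stand-in for rlm_sql's radcheck lookup (ASSUMPTION:
    same check-item semantics)."""
    def module(request):
        for entry in entries:
            config = match_entry(entry, request)
            if config is not None:
                return "ok", config, list(entry["reply"])
        return "notfound", {}, []
    return module


# Default action per return code: "return" ends the group with that code,
# an integer is a priority (doc/configurable_failover, ASSUMPTION as noted).
AUTHORIZE = {"reject": "return", "fail": "return", "ok": 3, "handled": "return",
             "invalid": "return", "userlock": "return", "notfound": 1,
             "noop": 2, "updated": 4}
ACCOUNTING = dict(AUTHORIZE, ok=2, noop=1, updated=3)


def run_group(modules, request, defaults):
    """modcall 'group': a 'return' action ends the group with the module's
    code; with a numeric action the running result is replaced whenever the
    new priority is >= the current one."""
    result, priority, config, reply = "noop", -1, {}, []
    for module, overrides in modules:
        code, cfg, rep = module(request)
        config.update(cfg)
        reply += rep
        action = {**defaults, **overrides}[code]
        if action == "return":
            return code, config, reply
        if action >= priority:
            result, priority = code, action
    return result, config, reply


def authorize(request, users, sql_rows):
    """baffy200y's section: group { files { ok = return } sql { ok = return } }.
    Afterwards the server rejects a request for which authorize produced no
    Auth-Type, which is the 'notfound but reject' the post observed."""
    group = [(files_module(users), {"ok": "return"}),
             (files_module(sql_rows), {"ok": "return"})]
    code, config, _reply = run_group(group, request, AUTHORIZE)
    if code in ("reject", "fail", "invalid", "userlock") or "Auth-Type" not in config:
        return "reject", code
    return "authenticate as " + config["Auth-Type"], code


def accounting(db_up):
    """ROY's section: two sql instances, each with fail = 1 and ok = return,
    so a failing cdr1 falls through to cdr2 instead of ending the group."""
    def cdr(name):
        return lambda request: ("ok" if db_up[name] else "fail", {}, [])
    group = [(cdr("cdr1"), {"fail": 1, "ok": "return"}),
             (cdr("cdr2"), {"fail": 1, "ok": "return"})]
    return run_group(group, {}, ACCOUNTING)[0]


USERS = parse_users('''\
testusr Auth-Type := Local, User-Password == "usrpass", Calling-Station-Id =="0123456789"
        User-Service = Framed-User ,
        Framed-Protocol = PPP ,
        Framed-IP-Address = 10.0.0.1
''')
SQL_ROWS = parse_users('''\
sqluser Auth-Type := Local, User-Password == "sqlpass"
        Framed-IP-Address = 10.0.0.2
''')  # constructed stand-in for radcheck/radreply rows


def make_request(name, password, cli="0123456789"):
    return {"User-Name": name, "User-Password": password, "Calling-Station-Id": cli}


if __name__ == "__main__":
    for req in (make_request("testusr", "usrpass"), make_request("testusr", "wrong"),
                make_request("testusr", "usrpass", cli="99"), make_request("sqluser", "sqlpass"),
                make_request("testusr", "usrpass00")):  # the post's own request: password differs
        print(req, "->", authorize(req, USERS, SQL_ROWS))
    for up in ({"cdr1": True, "cdr2": True}, {"cdr1": False, "cdr2": True}, {"cdr1": False, "cdr2": False}):
        print(up, "->", accounting(up))
```

Running it shows the posted Access-Request (User-Password "usrpass00" against a users entry requiring "usrpass") ending as notfound and then reject, exactly as the thread describes, while a request that satisfies every check item stops at files with ok = return; for the accounting group, fail = 1 lets a dead cdr1 hand the packet to cdr2 and only both instances failing yields fail.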
Fail-Over
Hello,

I have read configurable_failover three times but I can not do that freeradius failover with ippool. I have two pools that I want to use for all my users. I need freeradius to start assigning IPs from the second Pool when the first is full. I do not know what I must read to do it.

Can somebody help me?

Thank you.
configure fail over -- docs please
Hi,

Can someone respond to this issue? It's very critical for my project. Please let me know if you (list users) need any additional information on this.

Thanks,
Vasudevan.S
configure fail over -- docs please
Hi,

Please find the output in the primary server log. I don't understand why it tries to check with the system users when it has to try with the secondary server.

rad_recv: Access-Request packet from host 192.168.112.77:58298, id=2, length=90
        Calling-Station-Id = "31"
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "dummy"
        NAS-Identifier = "vasus.india.adventnet.com"
Thu Apr 8 12:34:28 2004 : Debug: modcall: entering group authorize for request 0
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Thu Apr 8 12:34:28 2004 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Thu Apr 8 12:34:28 2004 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Thu Apr 8 12:34:28 2004 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Thu Apr 8 12:34:28 2004 : Debug: rlm_realm: Looking up realm "adventnet.com" for User-Name = "[EMAIL PROTECTED]"
Thu Apr 8 12:34:28 2004 : Debug: rlm_realm: Found realm "DEFAULT"
Thu Apr 8 12:34:28 2004 : Debug: rlm_realm: Adding Stripped-User-Name = "dummy"
Thu Apr 8 12:34:28 2004 : Debug: rlm_realm: Proxying request from user dummy to realm DEFAULT
Thu Apr 8 12:34:28 2004 : Debug: rlm_realm: Adding Realm = "DEFAULT"
Thu Apr 8 12:34:28 2004 : Debug: rlm_realm: Authentication realm is LOCAL.
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Thu Apr 8 12:34:28 2004 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Thu Apr 8 12:34:28 2004 : Debug: users: Matched DEFAULT at 155
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Thu Apr 8 12:34:28 2004 : Debug: modcall[authorize]: module "files" returns ok for request 0
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Thu Apr 8 12:34:28 2004 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Thu Apr 8 12:34:28 2004 : Debug: modcall: group authorize returns ok for request 0
Thu Apr 8 12:34:28 2004 : Debug: rad_check_password: Found Auth-Type System
Thu Apr 8 12:34:28 2004 : Debug: auth: type "System"
Thu Apr 8 12:34:28 2004 : Debug: modcall: entering group authenticate for request 0
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authenticate]: calling unix (rlm_unix) for request 0
Thu Apr 8 12:34:28 2004 : Debug: modsingle[authenticate]: returned from unix (rlm_unix) for request 0
Thu Apr 8 12:34:28 2004 : Debug: modcall[authenticate]: module "unix" returns notfound for request 0
Thu Apr 8 12:34:28 2004 : Debug: modcall: group authenticate returns notfound for request 0
Thu Apr 8 12:34:28 2004 : Debug: auth: Failed to validate the user.
Thu Apr 8 12:34:28 2004 : Auth: Login incorrect: [dummy] (from client vasus.adventnet.com port 0 cli 31)
Thu Apr 8 12:34:28 2004 : Debug: Delaying request 0 for 1 seconds

Thanks,
Vasudevan.S
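The debug output in the post above already records every decision the request went through: rlm_realm matched DEFAULT, then printed "Authentication realm is LOCAL", after which the authorize group continued on this server, Auth-Type System was chosen, rlm_unix returned notfound and the login was rejected. The following is an added Python reader for that kind of radiusd -X transcript, not FreeRADIUS code and not from the poster; it pulls those decision points out of the log so the "why did it not go to the secondary server?" question can be answered from the log itself. The sample is a constructed excerpt modelled on the posted lines; the full User-Name was redacted in the post, so the value "dummy@adventnet.com" is an assumption built from the user part and realm the log does show.

```python
import re

# Added illustration, not FreeRADIUS code: extract the decision points from
# radiusd -X debug output (realm lookup, whether the request was marked for
# proxying, per-module return codes, Auth-Type, final result).
# SAMPLE_LOG is a constructed excerpt modelled on the posted log; the full
# User-Name was redacted there, so "dummy@adventnet.com" is an ASSUMPTION.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.112.77:58298, id=2, length=90
Thu Apr 8 12:34:28 2004 : Debug: modcall: entering group authorize for request 0
Thu Apr 8 12:34:28 2004 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Thu Apr 8 12:34:28 2004 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Thu Apr 8 12:34:28 2004 : Debug: rlm_realm: Looking up realm "adventnet.com" for User-Name = "dummy@adventnet.com"
Thu Apr 8 12:34:28 2004 : Debug: rlm_realm: Found realm "DEFAULT"
Thu Apr 8 12:34:28 2004 : Debug: rlm_realm: Proxying request from user dummy to realm DEFAULT
Thu Apr 8 12:34:28 2004 : Debug: rlm_realm: Authentication realm is LOCAL.
Thu Apr 8 12:34:28 2004 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Thu Apr 8 12:34:28 2004 : Debug: modcall[authorize]: module "files" returns ok for request 0
Thu Apr 8 12:34:28 2004 : Debug: rad_check_password: Found Auth-Type System
Thu Apr 8 12:34:28 2004 : Debug: modcall[authenticate]: module "unix" returns notfound for request 0
Thu Apr 8 12:34:28 2004 : Debug: auth: Failed to validate the user.
Thu Apr 8 12:34:28 2004 : Auth: Login incorrect: [dummy] (from client vasus.adventnet.com port 0 cli 31)
"""

REALM_FOUND = re.compile(r'rlm_realm: Found realm "([^"]+)"')
REALM_PROXY = re.compile(r'rlm_realm: Proxying request from user \S+ to realm (\S+)')
REALM_LOCAL = re.compile(r'rlm_realm: Authentication realm is LOCAL')
MODULE_RC = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
AUTH_TYPE = re.compile(r'rad_check_password: Found Auth-Type (\S+)')
LOGIN = re.compile(r': Auth: Login (OK|incorrect):')


def summarise(log):
    """Walk the debug output in order and record each decision point."""
    s = {"realm": None, "proxied": False, "modules": [], "auth_type": None, "result": None}
    for line in log.splitlines():
        if m := REALM_FOUND.search(line):
            s["realm"] = m.group(1)
        elif REALM_PROXY.search(line):
            s["proxied"] = True
        elif REALM_LOCAL.search(line):
            # The realm's authhost is LOCAL: the request stays on this server,
            # so the earlier "Proxying request" line did not lead to a handoff.
            s["proxied"] = False
        elif m := MODULE_RC.search(line):
            s["modules"].append((m.group(1), m.group(2), m.group(3)))
        elif m := AUTH_TYPE.search(line):
            s["auth_type"] = m.group(1)
        elif m := LOGIN.search(line):
            s["result"] = "accept" if m.group(1) == "OK" else "reject"
    return s


def explain(s):
    """Turn the summary into the short answer an operator wants."""
    lines = []
    if s["realm"] and not s["proxied"]:
        lines.append(f'realm {s["realm"]} matched but is LOCAL: handled here, not forwarded')
    elif s["realm"]:
        lines.append(f'realm {s["realm"]} matched: request marked for proxying')
    else:
        lines.append("no realm matched")
    for section, module, rc in s["modules"]:
        if section == "authenticate":
            lines.append(f'authenticate (Auth-Type {s["auth_type"]}): {module} returned {rc}')
    lines.append(f'result: {s["result"]}')
    return lines


if __name__ == "__main__":
    print("\n".join(explain(summarise(SAMPLE_LOG))))
```

On the posted transcript the summary says the realm matched but stayed LOCAL, so the packet was never handed to the home server named in proxy.conf, and the local Auth-Type System path (rlm_unix) produced the rejection.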
configure fail over -- docs please
Hi,

Can anyone help me in configuring the proxy servers for fail over?
Please find the proxy configuration I have done in the primary and secondary radius servers.

Primary Server (proxy.conf)

realm DEFAULT{
        type = radius
        authhost = wifi-test3.adventnet.com:1812
        accthost = wifi-test3.adventnet.com:1813
        secret = xydsudysdiu
        ldflag = fail_over
}

Secondary server (proxy.conf)

realm DEFAULT{
        type = radius
        authhost = vasus.adventnet.com:1812
        accthost = vasus.adventnet.com:1813
        secret = xydsudysdiu
        ldflag = fail_over
}

Both are linux systems. I have added a user in the secondary server and am trying to authenticate the user. But the primary server never sends the request to the secondary server; it tries to authenticate in the primary server itself and rejects the authentication request.

EndClient --> Primary server --> Secondary server (user info in the secondary server)

Can anyone shed some light on this? I hope most of the users in the list have worked with a multiple radius server configuration.

Thanks a lot to one and all for the support.

Regards,
Vasudevan.S
configure fail over -- docs please
Dear All,

Is there any document on configuring failover using a free radius installation in distributed setups (different networks)? If there is one, please point me to the doc.

Thanks,
Vasudevan.S