Re: DEFAULT realm proxy fail over

2013-02-21 Thread Alan DeKok
Bertalan Voros wrote:
> There is a freeradius server that is proxying every mschapv2 request to
> a homeserver using the DEFAULT realm.
> 
> The same server is also handling EAP requests and then proxying the
> inner request through the DEFAULT realm.
> 
> Is it possible to set up fail-over using two home servers in this scenario?

  Yes.  You configure fail-over as documented in proxy.conf.

  Do you have a *specific* question about it?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


DEFAULT realm proxy fail over

2013-02-21 Thread Bertalan Voros
Hello All,

I would like to get help with the following.

There is a freeradius server that is proxying every mschapv2 request to a
homeserver using the DEFAULT realm.

The same server is also handling EAP requests and then proxying the inner
request through the DEFAULT realm.

Is it possible to set up fail-over using two home servers in this scenario?

Thank you and best regards,

Bertalan Voros

Re: FreeRadius AAA running in fail over mode

2012-10-15 Thread Arran Cudbard-Bell

On 15 Oct 2012, at 10:16, Shiv. Nath wrote:

> Dear Community of FreeRadius Greetings,
> 
> I am not new to open source Linux / Unix systems but new to FreeRadius.
> Has anyone got FreeRadius AAA running in fail over mode (replication)?

If you mean replicating packets to multiple realms and failing over between 
servers within those realms? Then no.

If you mean forwarding packets to a realm and failing over between multiple 
servers within that  realm? Then yes.


> Is it possible to download an .ovf template from somewhere, already configured
> with FreeRadius up and running?

Maybe, but I don't know of one.

-Arran



Re: FreeRadius AAA running in fail over mode

2012-10-15 Thread Michael Schwartzkopff
> Dear Community of FreeRadius Greetings,
> 
> I am not new to open source Linux / Unix systems but new to FreeRadius.
> Has anyone got FreeRadius AAA running in fail over mode (replication)?

Yes.

> Is it possible to download an .ovf template from somewhere, already configured
> with FreeRadius up and running?

Install freeradius. Nearly everything works out of the box.


-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München

Tel: (0163) 172 50 98
Fax: (089) 620 304 13



FreeRadius AAA running in fail over mode

2012-10-15 Thread Shiv. Nath
Dear Community of FreeRadius Greetings,

I am not new to open source Linux / Unix systems but new to FreeRadius.
Has anyone got FreeRadius AAA running in fail over mode (replication)? Is
it possible to download an .ovf template from somewhere, already configured
with FreeRadius up and running?

Thanks / Regards
Nath


Thanks / Shiv. Nath



Re: MySQL Fail Over Error When 1 DB is Down

2011-08-29 Thread det.explo...@yahoo.com
Thanks so much! I understand it now. And thanks for the suggestions and 
additional inputs.

Best regards,
Det

Sent from my iPad

On Aug 29, 2011, at 10:56 PM, Rich Graves wrote:

>> When I shutdown one of the DB, it generates an error. How do I tell 
>> freeradius to ignore that and proceed if it can connect to at least one 
>> of the DB? /etc/freeradius/sql2.conf[22]: Instantiation failed for 
>> module "sql2" 
> 
> Both databases must be up at the time of radiusd startup. This seems
> reasonable; if you have no redundancy, wouldn't you want to know?
> 
> Either one may go down while radiusd is running. 
> 
> It looks like you could force a radiusd startup to "succeed" if one database 
> fails to instantiate, but then it would never retry the connection, and you 
> would be solely dependent on the database(s) that were available at startup. 
> 
> Bottom line, don't start your radius server unless both databases are up.
> On many Linux platforms, you could add an appropriate wrapper script at
> /etc/sysconfig/radiusd to block startup, or perhaps to move a configuration
> specific to the situation into place.
> 
> I think you're better off doing redundancy a layer up, though, like
> 
>      _-> radius1 -> db1
> NAS <        X       |
>      `-> radius2 -> db2
> 
> i.e., if db1 is down, go ahead and allow radius1 to return failure to the NAS,
> which will then fail over to radius2.



Re: MySQL Fail Over Error When 1 DB is Down

2011-08-29 Thread det.explo...@yahoo.com
Hi,

Sorry, I honestly don't mean it that way. I just want to clarify some of those
thoughts/concepts. I understand now what you mean by this.

>  Fail-over is for when something goes wrong while the server is running.


Thanks,
Det

Sent from my iPad

On Aug 29, 2011, at 9:34 PM, Alan DeKok wrote:

> Det Det wrote:
>> Really?
> 
>If you think I'm lying, why ask questions?
> 
>> What is the failover feature for?
> 
>  Read the docs.  It's explained.
> 
>> I can specify multiple DBs but
>> if FreeRADIUS cannot connect to at least one of the DBs it will have an
>> error and will not be able to start. There is no way to get around this?
> 
>  And again... what did my message say?  Did you read it?
> 
>> That is use first DB if first DB is up. If second DB is down and first
>> DB is up, don't bother, continue to operate, and vice versa, so long as
>> it still has a DB to use. I saw this link but I can't get it to work. It
>> is using the rlm_always module.
>> 
>> http://wiki.freeradius.org/Fail-over
> 
>  Fail-over is for when something goes wrong while the server is running.
> 
>  Alan DeKok.



Re: MySQL Fail Over Error When 1 DB is Down

2011-08-29 Thread Rich Graves
> When I shutdown one of the DB, it generates an error. How do I tell 
> freeradius to ignore that and proceed if it can connect to at least one 
> of the DB? /etc/freeradius/sql2.conf[22]: Instantiation failed for 
> module "sql2" 

Both databases must be up at the time of radiusd startup. This seems
reasonable; if you have no redundancy, wouldn't you want to know?

Either one may go down while radiusd is running. 

It looks like you could force a radiusd startup to "succeed" if one database 
fails to instantiate, but then it would never retry the connection, and you 
would be solely dependent on the database(s) that were available at startup. 

Bottom line, don't start your radius server unless both databases are up.
On many Linux platforms, you could add an appropriate wrapper script at
/etc/sysconfig/radiusd to block startup, or perhaps to move a configuration
specific to the situation into place.

I think you're better off doing redundancy a layer up, though, like

     _-> radius1 -> db1
NAS <        X       |
     `-> radius2 -> db2

i.e., if db1 is down, go ahead and allow radius1 to return failure to the NAS,
which will then fail over to radius2.


Re: MySQL Fail Over Error When 1 DB is Down

2011-08-29 Thread Alan DeKok
Det Det wrote:
> Really?

If you think I'm lying, why ask questions?

> What is the failover feature for?

  Read the docs.  It's explained.

> I can specify multiple DBs but
> if FreeRADIUS cannot connect to at least one of the DBs it will have an
> error and will not be able to start. There is no way to get around this?

  And again... what did my message say?  Did you read it?

> That is use first DB if first DB is up. If second DB is down and first
> DB is up, don't bother, continue to operate, and vice versa, so long as
> it still has a DB to use. I saw this link but I can't get it to work. It
> is using the rlm_always module.
> 
> http://wiki.freeradius.org/Fail-over

  Fail-over is for when something goes wrong while the server is running.

  Alan DeKok.


Re: MySQL Fail Over Error When 1 DB is Down

2011-08-29 Thread Det Det
Really? What is the failover feature for? I can specify multiple DBs, but if 
FreeRADIUS cannot connect to at least one of the DBs it will have an error and 
will not be able to start. There is no way to get around this? That is, use the 
first DB if the first DB is up. If the second DB is down and the first DB is up, 
don't bother, continue to operate, and vice versa, so long as it still has a DB 
to use. I saw this link but I can't get it to work. It is using the rlm_always 
module.

http://wiki.freeradius.org/Fail-over

thanks,
det




From: Alan DeKok 
To: Det Det ; FreeRadius users mailing list 

Sent: Monday, August 29, 2011 6:21 PM
Subject: Re: MySQL Fail Over Error When 1 DB is Down

Det Det wrote:
> When I shutdown one of the DB, it generates an error. How do I tell
> freeradius to ignore that and proceed if it can connect to at least one
> of the DB?

  You don't.

  The only way to change this is via source code patches.

  Alan DeKok.

Re: MySQL Fail Over Error When 1 DB is Down

2011-08-29 Thread Alan DeKok
Det Det wrote:
> When I shutdown one of the DB, it generates an error. How do I tell
> freeradius to ignore that and proceed if it can connect to at least one
> of the DB?

  You don't.

  The only way to change this is via source code patches.

  Alan DeKok.


MySQL Fail Over Error When 1 DB is Down

2011-08-29 Thread Det Det
When I shut down one of the DBs, it generates an error. How do I tell freeradius 
to ignore that and proceed if it can connect to at least one of the DBs?


/etc/freeradius/sql2.conf[22]: Instantiation failed for module "sql2"
/etc/freeradius/radiusd.conf[75]: Failed to find module "sql2".
/etc/freeradius/radiusd.conf[75]: Failed to parse "sql2" entry.
/etc/freeradius/sites-enabled/default[1]: Errors parsing authorize section. 





From: Det Det 
To: FreeRadius mailing list 
Sent: Monday, August 29, 2011 2:05 PM
Subject: MySQL Fail Over Error When 1 DB is Down


Hi there,

I can't get FreeRADIUS to ignore the error and continue processing when 1 DB is 
down, even when it can connect to the other DB. Below is my config.


# radiusd.conf
instantiate {
    ...
    redundant redundant_sql {
        sql1
        sql2
        handled
    }
}
modules {
    ...
    $INCLUDE sql1.conf
    $INCLUDE sql2.conf
}

# sql1.conf
sql sql1 {
    database = "mysql"
    …
}

# sql2.conf
sql sql2 {
    ...
    database = "mysql"
}

# sites-enabled/default

authorize {
    redundant_sql
}
accounting {
    redundant_sql
}
session {
    redundant_sql
}
post-auth {
    redundant_sql
    Post-Auth-Type REJECT {
        redundant_sql
        attr_filter.access_reject
    }
}


Best regards,
det


MySQL Fail Over Error When 1 DB is Down

2011-08-28 Thread Det Det
Hi there,

I can't get FreeRADIUS to ignore the error and continue processing when 1 DB is 
down, even when it can connect to the other DB. Below is my config.


# radiusd.conf
instantiate {
    ...
    redundant redundant_sql {
        sql1
        sql2
        handled
    }
}
modules {
    ...
    $INCLUDE sql1.conf
    $INCLUDE sql2.conf
}

# sql1.conf
sql sql1 {
    database = "mysql"
    …
}

# sql2.conf
sql sql2 {
    ...
    database = "mysql"
}

# sites-enabled/default

authorize {
    redundant_sql
}
accounting {
    redundant_sql
}
session {
    redundant_sql
}
post-auth {
    redundant_sql
    Post-Auth-Type REJECT {
        redundant_sql
        attr_filter.access_reject
    }
}


Best regards,
det

Re: FR 2.1.10, fail-over not working

2011-07-26 Thread Alan DeKok
魏景鹏 wrote:
> I've configured two home_servers for a pool with type=fail-over; when the
> 1st one is not started, FR didn't send the request to the 2nd one.

  FreeRADIUS doesn't check if a home server "starts".  RADIUS doesn't
work that way.

  The fail-over code works.  Fail-over occurs when a home server is down
for an extended period of time, and when the proxy keeps trying to send
packets to the home server.

  If you're not seeing failover, it's likely because you're only sending
a few testing packets.  Send more packets.

  Alan DeKok.

Re: FR 2.1.10, fail-over not working

2011-07-26 Thread 魏景鹏
Hi Alan & all,

I found that when radiusd started with -X, the config-item of type =
fail-over in proxy.conf will not take effect.

Anyone to confirm that?

B.R.

Wei JingPeng


Wei JingPeng wrote:
> Hi Alan & all,
>
> I've configured two home_servers for a pool with type=fail-over; when the
> 1st one is not started, FR didn't send the request to the 2nd one.
>
> Works fine when configured with type=load-balance.
>
> following is my proxy.conf section:
>
> home_server svr1st {
> type = auth+acct
> ipaddr = 192.168.0.2
> port = 11812
> secret = testing123
> response_window = 5
> zombie_period = 120
> revive_interval = 120
> }
>
> home_server svr2nd {
> type = auth+acct
> ipaddr = 192.168.0.3
> port = 11812
> secret = testing123
> response_window = 5
> zombie_period = 120
> revive_interval = 120
> }
>
> home_server_pool authpool {
> type = fail-over
> home_server = svr1st
> home_server = svr2nd
> }
>
>
>
> Any Ideas?
>
> B.R.
> Wei JingPeng
>
>
>   


FR 2.1.10, fail-over not working

2011-07-26 Thread 魏景鹏
Hi Alan & all,

I've configured two home_servers for a pool with type=fail-over; when the
1st one is not started, FR didn't send the request to the 2nd one.

Works fine when configured with type=load-balance.

following is my proxy.conf section:

home_server svr1st {
    type = auth+acct
    ipaddr = 192.168.0.2
    port = 11812
    secret = testing123
    response_window = 5
    zombie_period = 120
    revive_interval = 120
}

home_server svr2nd {
    type = auth+acct
    ipaddr = 192.168.0.3
    port = 11812
    secret = testing123
    response_window = 5
    zombie_period = 120
    revive_interval = 120
}

home_server_pool authpool {
    type = fail-over
    home_server = svr1st
    home_server = svr2nd
}



Any Ideas?

B.R.
Wei JingPeng

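The fail-over pool that this thread and the DEFAULT realm thread at the top of the page are both after, as an added example (it is not Wei's, Alan's or the project's stock proxy.conf): Wei's two home servers and pool, plus the realm entry that routes unmatched realms into the pool and the status checks that let the proxy notice an outage without waiting for real user requests to time out. It uses the 2.1.x proxy.conf syntax; the addresses, port and secret are the ones posted (testing123 is the shipped test secret and must be replaced), the timer comments paraphrase proxy.conf, and the pool is assumed to be usable for both auth and acct because the home servers are auth+acct.

```conf
# proxy.conf (FreeRADIUS 2.1.x syntax).  Addresses, port and secret are the
# ones posted in this thread; everything else is an added example.

home_server svr1st {
    type = auth+acct
    ipaddr = 192.168.0.2
    port = 11812
    secret = testing123          # shipped test secret: replace it

    response_window = 5          # no reply within 5s -> the request is a miss
    zombie_period = 40           # misses for 40s -> server is "zombie", then "dead"
    revive_interval = 120        # only consulted when status_check = none

    # With status_check = none the proxy learns that a home server is down
    # only by failing real requests over and over, which is why a handful of
    # test packets looks like "fail-over not working".  Status-Server probes
    # find the outage, and the recovery, without burning user requests.
    status_check = status-server
    check_interval = 30          # probe a zombie/dead server every 30s
    num_answers_to_alive = 3     # three answered probes -> back in service
}

home_server svr2nd {
    type = auth+acct
    ipaddr = 192.168.0.3
    port = 11812
    secret = testing123
    response_window = 5
    zombie_period = 40
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

# fail-over: every request goes to the first server in the list that is
# neither zombie nor dead; load-balance would spread requests across both.
home_server_pool authpool {
    type = fail-over
    home_server = svr1st
    home_server = svr2nd
}

# DEFAULT catches every realm that has no entry of its own.  Bare user names
# (no "@realm") are looked up as realm NULL, so add "realm NULL { ... }" with
# the same pools if those must be proxied as well.  nostrip sends the full
# User-Name to the home server.
realm DEFAULT {
    auth_pool = authpool
    acct_pool = authpool
    nostrip
}
```

Realms are global, so the inner-tunnel virtual server proxies through the same pool once its suffix module has set Proxy-To-Realm; nothing extra is needed there for fail-over. To see it work, run radiusd -X, stop svr1st and keep sending requests: the debug output reports the home server being marked zombie and later dead, after which new requests go straight to svr2nd. With status_check = status-server the home servers must answer Status-Server (a FreeRADIUS home server does so when status_server = yes in the security section of its radiusd.conf); otherwise use status_check = request with a dedicated test user. If your build complains about the same pool being used for auth and acct, define two pools with the same members.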


Re: Question about configurable module fail-over

2010-06-10 Thread Alan DeKok
Ana Gallardo wrote:
> I want to return an error code if my freeradius can't contact the
> backend.
> 
> Here is my authorize section:
> 
> authorize {
>  . . .
>  switch "%{Realm}" {
...
>  }
> 
>  if (fail) {

  That won't work, unfortunately.  The return codes of *modules* can be
over-written.  The return code of a "switch" statement cannot be.

  This issue is largely due to the fact that the configuration files
have had functionality piled on top of old code.  We want to be
backwards compatible, so breaking existing systems isn't an option.  But
this limits the capabilities of the new functions.

  In short: re-write the rules so that you don't use "switch".

  Alan DeKok.
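Alan's suggestion carried through, as an added example (this is not Alan's or Ana's code): the posted authorize section rewritten with if/elsif/else in place of switch, so each backend's failure is caught right after the module whose return code was overridden, rather than after the switch whose return code cannot be. The preprocess and suffix lines stand in for the part of the section the post elides, and the Codigo-Reject values are assumed to be defined in the local dictionary exactly as in the posted configuration.

```conf
# sites-enabled/<server>, authorize section (FreeRADIUS 2.1.x unlang).
authorize {
    preprocess
    suffix                  # assumed: sets Realm from the user name, as in the elided part

    if (Realm == "temp.unex.es") {
        sql {
            fail = 1        # "fail" becomes an ordinary return code instead of ending the section
        }
        if (fail) {
            update reply {
                Codigo-Reject := Imposible-Contactar-Backend
            }
            reject          # propagates up and stops the section here
        }
        if ("%D" < "%{control:Expiration-Init}") {
            update reply {
                Codigo-Reject := Cuenta-Inactiva
            }
            reject
        }
    }
    elsif (Realm == "unex.es") {
        ldap {
            fail = 1
        }
        if (fail) {
            update reply {
                Codigo-Reject := Imposible-Contactar-Backend
            }
            reject
        }
    }
    else {
        update reply {
            Codigo-Reject := Error-Dominio
        }
        reject
    }

    expiration {
        userlock = 1
    }
    if (userlock) {
        update reply {
            Codigo-Reject := Cuenta-Expirada
        }
    }
    pap
}
```

In 2.x a module returning fail in authorize normally ends the section, which is what the posted debug output shows when the switch returns fail and the server jumps straight to Post-Auth-Type Reject. The fail = 1 override demotes it to a return code so the if (fail) that immediately follows the module runs, and the reject inside that block still stops processing. Test it with the backend unreachable and check in radiusd -X that the Access-Reject carries Codigo-Reject = Imposible-Contactar-Backend instead of Credenciales-Erroneas.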


Question about configurable module fail-over

2010-06-10 Thread Ana Gallardo
Hello,

I have Freeradius 2.1.8.

I want to return an error code if my freeradius can't contact the
backend.

Here is my authorize section:

authorize {
    . . .
    switch "%{Realm}" {
        case 'temp.unex.es' {
            sql {
                fail = 1
            }
            if (!fail && ("%D" < "%{control:Expiration-Init}")) {
                update reply {
                    Codigo-Reject := Cuenta-Inactiva
                }
                reject
            }
        }
        case 'unex.es' {
            ldap {
                fail = 1
            }
        }
        case {
            update reply {
                Codigo-Reject := Error-Dominio
            }
            reject
        }
    }

    if (fail) {
        update reply {
            Codigo-Reject := Imposible-Contactar-Backend
        }
        reject
    }

    expiration {
        userlock = 1
    }
    if (userlock) {
        update reply {
            Codigo-Reject := Cuenta-Expirada
        }
    }
    pap
}


My problem is when Freeradius can't contact ldap. Here is my debug info:

rad_recv: Access-Request packet from host X.X.X.X port 48454, id=116,
length=56
User-Name = "usua...@unex.es"
User-Password = "1631"
server rinuex {
. . .
++- entering switch %{Realm} {...}
+++- entering case unex.es {...}
[ldap] performing user authorization for usuario
[ldap] expand: %{Stripped-User-Name} -> usuario
[ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(cn=usuario)
[ldap] expand: ou=saser,dc=unex,dc=es -> ou=saser,dc=unex,dc=es
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to X.X.X.X, authentication 0
  [ldap] bind as cn=...
  [ldap] waiting for bind result ...
  [ldap] LDAP login failed: check identity, password settings in ldap
section of radiusd.conf
  [ldap] (re)connection attempt failed
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
[ldap] returns fail
+++- case unex.es returns fail
++- switch %{Realm} returns fail
} # server rinuex
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[reply] returns noop
++? if ("%{reply:Codigo-Reject}")
expand: %{reply:Codigo-Reject} -> Credenciales-Erroneas
? Evaluating ("%{reply:Codigo-Reject}") -> TRUE
++? if ("%{reply:Codigo-Reject}") -> TRUE
++- entering if ("%{reply:Codigo-Reject}") {...}
+++- if ("%{reply:Codigo-Reject}") returns noop
++- group REJECT returns noop
[sql] expand: %{Stripped-User-Name} -> usuario
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
usuario
[sql] sql_set_user escaped user --> 'usuario'
[sql] expand: INSERT INTO radpostauth
(username, mac, client, reply, authdate,codreject)
VALUES (   '%{User-Name}',
LOWER('%{Calling-Station-Id}'),
'%C',   '%{reply:Packet-Type}', NOW(),
'%{reply:Codigo-Reject}') -> INSERT INTO
radpostauth   (username, mac, client, reply,
authdate,codreject)   VALUES
(   'usua...@unex.es',   LOWER(''),
  'CAU2',   'Access-Reject', NOW(),
'Credenciales-Erroneas')
rlm_sql (sql) in sql_postauth: query is INSERT INTO
radpostauth   (username, mac, client, reply,
authdate,codreject)   VALUES
(   'usuario
@unex.es',   LOWER(''),   'CAU2',
'Access-Reject', NOW(),   'Credenciales-Erroneas')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.access_reject] expand: %{User-Name} -> usua...@unex.es
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 116 to X.X.X.X port 48454
Codigo-Reject = Credenciales-Erroneas

I need help. Thank you and sorry for my English.



-- 
Ana Gallardo Gómez


Re: radius and fail over

2010-05-05 Thread Alan DeKok
Fabien COMBERNOUS wrote:
> In the freeradius wiki a page gives information about failover [1]. It
> explains how to set up two sql modules pointing to two DBMSs. But in this
> setup, the radius server is a single point of failure. How do I set up two
> radius servers speaking with two DBMSs?

  Configure the failover twice.

  Alan DeKok.


radius and fail over

2010-05-05 Thread Fabien COMBERNOUS

Hi there,

In the freeradius wiki a page gives information about failover [1]. It 
explains how to set up two sql modules pointing to two DBMSs. But in this 
setup, the radius server is a single point of failure. How do I set up two 
radius servers speaking with two DBMSs?


Thank you for your help.


[1] http://wiki.freeradius.org/Fail-over
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com <http://www.kezia.com/>
*Tel: +33 (0) 467 992 986*
Kezia Group


Re: freeradius2 Proxy fail-over issues

2009-06-30 Thread Emmett Culley

Ivan Kalik wrote:

As I at first assumed...So, this is a bug after all.  If I put ipaddr =
localhost in a home_server definition I get the failed authentication I
described in my first note.  You can see in proxy.conf configuration lines
I included, where ipaddr is set to localhost for all four home_server
definitions.

As soon as I changed the ipaddr parameter in all four home_server
definitions, and reset the server, I was able to properly authenticate.
Nothing else was changed.


Are you sure your name resolution isn't broken so localhost doesn't
resolve to 127.0.0.1 but to something else, which then causes
authentication to fail? I can substitute localhost for 127.0.0.1 in
proxy.conf in 2.1.6 with no effect to authentication.

Ivan Kalik
Kalik Informatika ISP


I just spent the last hour or so attempting to repeat and debug the problem I 
observed in the free radius client.  Then when I couldn't make it fail I 
switched the 127.0.0.1 IP address for localhost in the proxy.conf file of the 
server, and it worked as well.

So, as you suggested, I must have had a misconfigured system when I attempted 
to test this before.

Thanks for the help and sorry for the false alarm...

BTW, I am using version 2.1.6.  Thanks for all your hard work.

Emmett


Re: freeradius2 Proxy fail-over issues

2009-06-30 Thread Alan DeKok
Emmett Culley wrote:
> As soon as I changed the ipaddr parameter in all four home_server
> definitions, and reset the server, I was able to properly authenticate. 
> Nothing else was changed.

  You may also try using the 2.1.7-pre code:  http://git.freeradius.org/pre/

  It contains a fix where the server would still send packets when
"status_check = none".

  Alan DeKok.


Re: freeradius2 Proxy fail-over issues

2009-06-30 Thread Ivan Kalik
> As I at first assumed...So, this is a bug after all.  If I put ipaddr =
> localhost in a home_server definition I get the failed authentication I
> described in my first note.  You can see in proxy.conf configuration lines
> I included, where ipaddr is set to localhost for all four home_server
> definitions.
>
> As soon as I changed the ipaddr parameter in all four home_server
> definitions, and reset the server, I was able to properly authenticate.
> Nothing else was changed.

Are you sure your name resolution isn't broken so localhost doesn't
resolve to 127.0.0.1 but to something else, which then causes
authentication to fail? I can substitute localhost for 127.0.0.1 in
proxy.conf in 2.1.6 with no effect to authentication.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius2 Proxy fail-over issues

2009-06-29 Thread Emmett Culley

Alan DeKok wrote:

Emmett Culley wrote:

It's not a bug. Hostname lookups are disabled by default in radiusd.conf.
Along with explanation why enabling it is a bad idea.

...

Ah, it didn't occur to me that host name look ups off would prevent the
server from looking up hosts defined in the configuration files.  Well,
now I know.


  No... if you give it a hostname in the config files, it always looks
it up to find the IP.  That configuration controls whether or not it
*prints* hostnames.

  i.e. If it sees an IP address in a RADIUS packet, the default is to
print it as an IP address.  If you turn hostname lookups on, it will try
to look up that IP to find a host name.

  Alan DeKok.


As I at first assumed...So, this is a bug after all.  If I put ipaddr = 
localhost in a home_server definition I get the failed authentication I 
described in my first note.  You can see in proxy.conf configuration lines I 
included, where ipaddr is set to localhost for all four home_server definitions.

As soon as I changed the ipaddr parameter in all four home_server definitions, 
and reset the server, I was able to properly authenticate.  Nothing else was 
changed.

I'll write a bug report on the freeradius.org site.

BTW,  I found a similar issue in the radius client library.  Using a host name 
in the configuration file causes a crash.  I need to report that as well.  I've 
run it in a debugger and can tell you where it fails.

Emmett 


Re: freeradius2 Proxy fail-over issues

2009-06-29 Thread Alan DeKok
Emmett Culley wrote:
>> It's not a bug. Hostname lookups are disabled by default in radiusd.conf.
>> Along with explanation why enabling it is a bad idea.
...
> Ah, it didn't occur to me that host name look ups off would prevent the
> server from looking up hosts defined in the configuration files.  Well,
> now I know.

  No... if you give it a hostname in the config files, it always looks
it up to find the IP.  That configuration controls whether or not it
*prints* hostnames.

  i.e. If it sees an IP address in a RADIUS packet, the default is to
print it as an IP address.  If you turn hostname lookups on, it will try
to look up that IP to find a host name.

  Alan DeKok.


Re: freeradius2 Proxy fail-over issues

2009-06-29 Thread Emmett Culley

Ivan Kalik wrote:

I was using ipaddr = domain_name in the home_server definitions.  I
remembered a problem I had with the freeradius client library wherein if I
used a domain name, like localhost, instead of a "real" IP address to
describe the server I needed to connect with, I'd get a failure.

Using the same proxy.conf file I sent in my first note and changing the
ipaddr variable to 127.0.0.1 instead of localhost for each home server
allowed me to successfully connect to the primary radius server.  I won't
have a secondary server set up until next week, at which time I'll test if
the fail over to the secondary server works.  As I fully expect it to.

I assume it is a bug to be required to use an IP address instead of a
domain name, so can you please point me to where I can file a bug report
on this?


It's not a bug. Hostname lookups are disabled by default in radiusd.conf.
Along with explanation why enabling it is a bad idea.

Ivan Kalik
Kalik Informatika ISP




Ah, it didn't occur to me that host name look ups off would prevent the server 
from looking up hosts defined in the configuration files.  Well, now I know.

Thanks Ivan!

Emmett 


Re: freeradius2 Proxy fail-over issues

2009-06-28 Thread Ivan Kalik
> I was using ipaddr = domain_name in the home_server definitions.  I
> remembered a problem I had with the freeradius client library wherein if I
> used a domain name, like localhost, instead of a "real" IP address to
> describe the server I needed to connect with, I'd get a failure.
>
> Using the same proxy.conf file I sent in my first note and changing the
> ipaddr variable to 127.0.0.1 instead of localhost for each home server
> allowed me to successfully connect to the primary radius server.  I won't
> have a secondary server set up until next week, at which time I'll test if
> the fail over to the secondary server works.  As I fully expect it to.
>
> I assume it is a bug to be required to use an IP address instead of a
> domain name, so can you please point me to where I can file a bug report
> on this?

It's not a bug. Hostname lookups are disabled by default in radiusd.conf.
Along with explanation why enabling it is a bad idea.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius2 Proxy fail-over issues

2009-06-28 Thread Emmett Culley

Alan DeKok wrote:

Emmett Culley wrote:

However, as soon as I attempt to define a set of main and backup
servers, then use the auth_pool and acct_pool variables I get the
following error:

"Ignoring spoofed proxy reply.  Signature is invalid"


  That's pretty definitive.  It means that the shared secret is wrong.


Of course, the main reason I upgraded at all was to be able to define a
pool of servers.  I've searched Google and cannot find any references to
this issue.  Here is the proxy.conf lines that matter:


  Which doesn't show the primary && secondary server configuration that
causes the problem.

  My guess is that you've configured the *same* shared secret for both
home servers.  Then, the home servers have been configured with
*different* shared secrets for the proxy.

  Use "radclient" from the proxy to send packets to the home servers.
It will need to use the same shared secret that the proxy *should* have.
 If you can get radclient working, the same shared secret will work with
the proxy.

  Alan DeKok.



Thanks Alan...

I finally found the time to work on this issue, and so finally figured it out.  


I was using ipaddr = domain_name in the home_server definitions.  I remembered a problem 
I had with the freeradius client library wherein if I used a domain name, like localhost, 
instead of a "real" IP address to describe the server I needed to connect with, 
I'd get a failure.

Using the same proxy.conf file I sent in my first note and changing the ipaddr 
variable to 127.0.0.1 instead of localhost for each home server allowed me to 
successfully connect to the primary radius server.  I won't have a secondary 
server set up until next week, at which time I'll test if the fail over to the 
secondary server works.  As I fully expect it to.

I assume it is a bug to be required to use an IP address instead of a domain 
name, so can you please point me to where I can file a bug report on this?

Emmett


RE: [freeradius] fail-over ldap + reply-item missing

2009-06-10 Thread François Mehault
Hum, now all works perfectly. My reply-items are present now; I will now try to 
understand why it works. Thanks to Ivan Kalik for his help and to the whole 
freeradius project.

ldap.attrmap:

[...]
checkItem   Cleartext-Password  userPassword

Users:

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := 
"cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
Fall-Through = yes

DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := 
"cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := 
"cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := 
"cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
Fall-Through = yes


radiusd.conf:

instantiate {
[...]
ldaplabobe2
ldaplabobe1
}

sites-available/default:

redundant { ldaplabobe2 ldaplabobe1 } in the authorize and authenticate sections






RE: [freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread François Mehault
(following my last mail)

I read in my log:

No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user

So in the users file I replaced

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := 
"cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
Fall-Through = yes

By

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := 
"cn=administrateur,ou=Profiles,dc=netplus,dc=fr", Auth-Type := LDAP
Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
Fall-Through = yes

And I start radiusd -X and I get:

/usr/local/etc/raddb/users[247]: Parse error (check) for entry DEFAULT: Unknown 
value LDAP for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users
/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module "files"
/usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module 
"files".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize 
section.
 }
}
Errors initializing modules

But in raddb/site-available/default, in the authenticate section I have Auth-Type 
LDAP:

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        redundant {
            ldaplabobe2
            ldaplabobe1
        }
    }
    eap
}



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: [freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread François Mehault
Thanks for your response. I read http://freeradius.org/radiusd/doc/rlm_ldap, 
focusing on the GROUP SUPPORT section.

So I have two ldap module instances in raddb/modules/ldap:

ldap ldaplabobe2 { [...] }
ldap ldaplabobe1 { [...] }

I added the ldap module in the instantiate{} block in radiusd.conf.

instantiate {
exec
expr
expiration
logintime
ldaplabobe2
ldaplabobe1
}

I use this form in my raddb/users:

DEFAULT ldaplabobe2-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
    Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
    Fall-Through = yes

DEFAULT ldaplabobe2-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
    Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
    Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
    Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
    Fall-Through = yes

DEFAULT ldaplabobe1-Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
    Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
    Fall-Through = yes

Instead of

DEFAULT Ldap-Group == administrateur, User-Profile := "cn=administrateur,ou=Profiles,dc=netplus,dc=fr"
    Reply-Message = "Utilisateur: %{User-name}, group: Administrateur",
    Fall-Through = yes

DEFAULT Ldap-Group == stagiaire, User-Profile := "cn=stagiaire,ou=Profiles,dc=netplus,dc=fr"
    Reply-Message = "Utilisateur: %{User-name}, group: Stagiaire",
    Fall-Through = yes

Then I still use redundant in the authorize and authenticate sections in 
raddb/site-available/default (I also tested without it).

And now I get Access-Reject for everyone. Some reply-items are in the users file, 
others are in my openldap (I use radiusgroupname with 
ou=profiles,dc=netplus,dc=fr + the radiusprofile attribute ...)

So I am progressing, I think, but it doesn't work for now. Sorry if I need some help; I 
am beginning with openldap, I have read lots of freeradius, openldap and PAM 
documentation (my head will explode) and all is new for me, so maybe I read the 
solution to my problem but don't remember :s

Thanks for your help.

Regards,

François

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=253, 
length=80
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "fmehault"
Calling-Station-Id = "192.168.0.80"
User-Password = "toto"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
/var/log/radacct/192.168.0.50/auth-detail-20090609
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to 
/var/log/radacct/192.168.0.50/auth-detail-20090609
[auth_log]  expand: %t -> Tue Jun  9 16:27:02 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fmehault", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
[files] expand: 
(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name}))
 -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.96.18.10:389, authentication 0
rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.10:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=netplus,dc=fr, with filter 
(&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
 -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois 
MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois
 MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=netplus,dc=fr, with filter 
(&(cn=administrateur)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois 
MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois
 MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: 

Re: [freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread Ivan Kalik
> I am trying to do a fail-over with two ldap servers on my freeradius. I read this
> article http://wiki.freeradius.org/Fail-over, I instantiated two openldap
> modules and I use the keyword redundant in my
> /raddb/site-available/default in the authorize and authenticate sections.
>
> redundant {
> Primary-ldap
> Secondary-ldap
> }
>
>  I also enabled reply_log
> When the two ldap are launched, it works.
>
> reply log :
>
> Tue Jun  9 11:45:53 2009
> Packet-Type = Access-Accept
> Reply-Message = "Utilisateur: fmehault, group: Administrateur"
> Cisco-AVPair = "shell:priv-lvl=15"
> Service-Type = NAS-Prompt-User
>
> But if i stop the Secondary-ldap, I have just :
>
> reply log :
>
> Tue Jun  9 11:49:19 2009
> Packet-Type = Access-Accept
>
> I can see in my log that radiusd tries to contact Secondary-ldap first.
> Why? Then it tests 3 times, rather than testing Primary-ldap, why?

Read rlm_ldap documentation about group support. You are not using
instances in groups.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[freeradius] fail-over ldap + reply-item missing

2009-06-09 Thread François Mehault
Hi all

I am trying to do a fail-over with two ldap servers on my freeradius. I read this article 
http://wiki.freeradius.org/Fail-over, I instantiated two openldap modules and I 
use the keyword redundant in my /raddb/site-available/default in the authorize and 
authenticate sections.

redundant {
    Primary-ldap
    Secondary-ldap
}

I also enabled reply_log.
When the two ldap servers are running, it works.

reply log:

Tue Jun  9 11:45:53 2009
Packet-Type = Access-Accept
Reply-Message = "Utilisateur: fmehault, group: Administrateur"
Cisco-AVPair = "shell:priv-lvl=15"
Service-Type = NAS-Prompt-User

But if I stop the Secondary-ldap, I get just:

reply log:

Tue Jun  9 11:49:19 2009
Packet-Type = Access-Accept

I can see in my log that radiusd tries to contact Secondary-ldap first. Why? 
Then it tests 3 times, rather than testing Primary-ldap, why?

I will be pleased to give you more information about my problem to help 
fix it.

++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
[files] expand: 
(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name}))
 -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.96.18.4:389, authentication 0
rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.4:389
rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact 
LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

[...]

rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact 
LDAP server

[...]

rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact 
LDAP server

Summary:

Primary-ldap     started
Secondary-ldap   started
It works

Primary-ldap     stopped
Secondary-ldap   started
It works

Primary-ldap     started
Secondary-ldap   stopped
Access-Accept without reply-item ...

If someone can explain to me what my problem is...

Regards,

François




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fail-over. Send the request directly to Server2

2009-05-26 Thread Ivan Kalik
> My scenario is:
>
>                                   +--> Radius Server 1
> Radius Client --> Radius Proxy ---+
>                                   +--> Radius Server 2
>
> Radius Proxy sends the request to the first live home server in the list
> (fail-over method).
>
> Can RadiusProxy send the request directly towards Server2, if Server1 is
> down?
>
>

Yes. Read instructions in proxy.conf.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Fail-over. Send the request directly to Server2

2009-05-26 Thread Marco De Magistris
Hi guys,

 

My scenario is:

                                  +--> Radius Server 1
Radius Client --> Radius Proxy ---+
                                  +--> Radius Server 2

Radius Proxy sends the request to the first live home server in the list
(fail-over method).

Radius Proxy sends the request towards Server1. Server 1 is down. Now
the Radius Proxy rejects the Request.

Radius Client          Radius Proxy          Radius Server1
      | Request -->         | Request -->         |
      | <-- Reject          |                     |

Can RadiusProxy send the request directly towards Server2, if Server1 is
down?

Radius Client          Radius Proxy          Radius Server1
      | Request -->         | Request -->         |   (Server1 is down, Radius Proxy sends
                            |                         packet towards Server2)
                            |                     Radius Server2
                            | Request -->         |
      | <-- Accept          |                     |

Thanks in advance

  Marco

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius2 Proxy fail-over issues

2009-05-25 Thread Alan DeKok
Emmett Culley wrote:
> However, as soon as I attempt to define a set of main and backup
> servers, then use the auth_pool and acct_pool variables I get the
> following error:
> 
> "Ignoring spoofed proxy reply.  Signature is invalid"

  That's pretty definitive.  It means that the shared secret is wrong.

> Of course, the main reason I upgraded at all was to be able to define a
> pool of servers.  I've searched Google and cannot find any references to
> this issue.  Here is the proxy.conf lines that matter:

  Which doesn't show the primary && secondary server configuration that
causes the problem.

  My guess is that you've configured the *same* shared secret for both
home servers.  Then, the home servers have been configured with
*different* shared secrets for the proxy.

  Use "radclient" from the proxy to send packets to the home servers.
It will need to use the same shared secret that the proxy *should* have.
 If you can get radclient working, the same shared secret will work with
the proxy.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
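The check behind the error Alan is describing, as an added example that is not part of the thread or of FreeRADIUS: it rebuilds the status-check Access-Request from Emmett's radclient output, signs a reply the way a home server does, and verifies it with the proxy.conf secret. The second home-server secret and the Reply-Message text are constructed for the scenario.

```python
"""Reply-signature check a RADIUS proxy performs on a proxied reply.

Added example, not FreeRADIUS code.  It rebuilds the status-check
Access-Request shown in the thread, signs a reply the way a home server
does (RFC 2865 section 3) and verifies it with the proxy's configured
secret.  A reply signed with a different secret fails the check, which is
the condition reported as "Ignoring spoofed proxy reply.  Signature is invalid".
"""
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, REPLY_MESSAGE = 1, 2, 6, 18
NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 32, 80
AUTHENTICATE_ONLY = 8


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Assemble Code, Identifier, Length, the 16-byte Authenticator and attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with a chained MD5."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_status_request(ident: int, secret: bytes, request_auth: bytes = b"") -> bytes:
    """The Access-Request the proxy sent as a status check (attributes from the thread).

    Message-Authenticator is HMAC-MD5 over the whole packet with that attribute
    zeroed, keyed with the shared secret (RFC 2869 section 5.14).
    """
    request_auth = request_auth or os.urandom(16)

    def attrs(mac: bytes) -> bytes:
        return (attr(USER_NAME, b"")
                + attr(USER_PASSWORD, pap_hide(b"", secret, request_auth))
                + attr(SERVICE_TYPE, struct.pack("!I", AUTHENTICATE_ONLY))
                + attr(MESSAGE_AUTHENTICATOR, mac)
                + attr(NAS_IDENTIFIER, b"Status Check. Are you alive?"))

    unsigned = packet(ACCESS_REQUEST, ident, request_auth, attrs(bytes(16)))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return packet(ACCESS_REQUEST, ident, request_auth, attrs(mac))


def home_server_reply(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """Sign a reply as the home server does: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return packet(code, ident, digest, attrs)


def verify_reply(request: bytes, reply: bytes, secret: bytes) -> bool:
    """Proxy-side check using the home_server secret from proxy.conf.

    The reply must carry the outstanding request's Identifier, a Length that
    matches the datagram, and the expected Response Authenticator; a secret
    that differs on either side fails the last test.
    """
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo() -> dict:
    """Constructed scenario: the proxy.conf secret from the thread against a
    home server that was configured with a different (constructed) secret."""
    proxy_secret, home_secret = b"bignewsecret", b"some-other-secret"
    req = build_status_request(136, proxy_secret, bytes(range(16)))
    reject = attr(REPLY_MESSAGE, b"Access denied")
    good = home_server_reply(req, ACCESS_REJECT, proxy_secret, reject)
    bad = home_server_reply(req, ACCESS_REJECT, home_secret, reject)
    return {"same_secret": verify_reply(req, good, proxy_secret),
            "different_secret": verify_reply(req, bad, proxy_secret)}


if __name__ == "__main__":
    print(demo())
```

Running the same verification with the secret the home server actually holds is the check radclient performs for you, which is why Alan suggests it as the diagnostic.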


freeradius2 Proxy fail-over issues

2009-05-25 Thread Emmett Culley

I just upgraded one of our CentOS 5 systems from FreeRadius 1.x to FreeRadius 
2.1.6.  It was all working before the upgrade and I have it working on the new 
version.  That is, by using the deprecated authhost and accthost variables in 
the realm definition I can successfully authenticate and process accounting 
with the new version.

However, as soon as I attempt to define a set of main and backup servers, then 
use the auth_pool and acct_pool variables I get the following error:

"Ignoring spoofed proxy reply.  Signature is invalid"

Here is a status query that results in the error, like any other query:

Sending Access-Request of id 136 to x.x.x.x port 1812
  User-Name := ""
  User-Password := ""
  Service-Type := Authenticate-Only
  Message-Authenticator := 0x
  NAS-Identifier := "Status Check. Are you alive?"
Waking up in 3.9 seconds.
rad_recv: Access-Reject packet from host x.x.x.x port 1812, id=136, length=64
Ignoring spoofed proxy reply.  Signature is invalid

Of course, the main reason I upgraded at all was to be able to define a pool of 
servers.  I've searched Google and cannot find any references to this issue.  
Here are the proxy.conf lines that matter:

home_server my_rlm_auth {
  ipaddr = x.x.x.x
  port = 1812
  type = "auth"
  secret = "bignewsecret"
  response_window = 30
  max_outstanding = 65536
  zombie_period = 40
  status_check = "none"
  ping_check = "none"
  #ping_interval = 30
  #check_interval = 30
  #num_answers_to_alive = 3
  #num_pings_to_alive = 3
  revive_interval = 300
  status_check_timeout = 4
}
home_server my_rlm_acct {
  ipaddr = x.x.x.x
  port = 1813
  type = "acct"
  secret = "bignewsecret"
  response_window = 30
  max_outstanding = 65536
  zombie_period = 40
  status_check = "none"
  ping_check = "none"
  #ping_interval = 30
  #check_interval = 30
  #num_answers_to_alive = 3
  #num_pings_to_alive = 3
  revive_interval = 300
  status_check_timeout = 4
}

server_pool my_rlm_auth_pool {
  type = fail-over
  home_server = my_rlm_auth
  #home_server = Primary_my_rlm_auth
  #home_server = Secondary_my_rlm_auth
}
server_pool my_rlm_acct_pool {
  type = fail-over
  home_server = my_rlm_acct
  #home_server = Primary_my_rlm_acct
  #home_server = Secondary_my_rlm_acct
}
realm my_rlm {
  nostrip
  auth_pool = my_rlm_auth_pool
  acct_pool = my_rlm_acct_pool
  #authhost = x.x.x.x:1812
  #accthost = x.x.x.x:1813
  #secret = "bignewsecret"
  type = radius
}

Any ideas or pointers?

Regards,
Emmett

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: mysql fail over

2009-01-22 Thread Alan DeKok
Peter Ellens wrote:
> Would it be possible to implement time outs on the calls to the mysql
> libraries? 

  The MySQL reference API suggests that this is possible:

http://dev.mysql.com/doc/refman/5.1/en/mysql-options.html


  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: mysql fail over

2009-01-21 Thread Peter Ellens
Hi Alan

Would it be possible to implement time outs on the calls to the mysql
libraries? 

Thanks


-Original Message-
From: freeradius-users-bounces+peter=bccnz@lists.freeradius.org
[mailto:freeradius-users-bounces+peter=bccnz@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Thursday, 11 December 2008 8:32 a.m.
To: FreeRadius users mailing list
Subject: Re: mysql fail over

Peter Ellens wrote:
> If I stop the first sql server service, freeradius starts to use the
> second sql server, as expected.
> 
> But if I stop the entire first server (ie poweroff) freeradius still
> continues to try and use sql1, hanging...

  FreeRADIUS is at the mercy of the MySQL client libraries.  It asks
them to connect, and if they never return... there's little that the
server can do.

> Any ideas how to get it working correctly?

  I presume that there's some magic MySQL client setting, saying "don't
screw up this badly", but I don't know what it is.

> We would really like to be able to use a read/write master and read only
> slave, but it looks to me that the sqlippool needs to be writeable to
> mark the IP address as used and avoid duplicate IP allocation.

  Yes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: mysql fail over

2008-12-10 Thread Alan DeKok
Peter Ellens wrote:
> If I stop the first sql server service, freeradius starts to use the
> second sql server, as expected.
> 
> But if I stop the entire first server (ie poweroff) freeradius still
> continues to try and use sql1, hanging...

  FreeRADIUS is at the mercy of the MySQL client libraries.  It asks
them to connect, and if they never return... there's little that the
server can do.

> Any ideas how to get it working correctly?

  I presume that there's some magic MySQL client setting, saying "don't
screw up this badly", but I don't know what it is.

> We would really like to be able to use a read/write master and read only
> slave, but it looks to me that the sqlippool needs to be writeable to
> mark the IP address as used and avoid duplicate IP allocation.

  Yes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


mysql fail over

2008-12-09 Thread Peter Ellens
Hi Everyone

 

I've been trying to set up MySQL fail over with freeradius.

I've followed http://wiki.freeradius.org/SQL_HOWTO#Additional_Snippets

But I get weird results.

If I stop the first sql server service, freeradius starts to use the second
sql server, as expected.

But if I stop the entire first server (ie poweroff) freeradius still
continues to try and use sql1, hanging...

I have tried this with real servers and with virtual servers; both react the
same. If you take down the first sql service it will start to use the
second, but if you power off or suspend the first sql server, radius hangs
trying to get to the server.

I have tried freeradius 2.1.0, 2.1.1 and 2.1.3, on redhat enterprise 4
compiled from source.

Restarting freeradius, it will notice the first sql server is down and use
the second sql server.

Can anyone confirm this behaviour?

Any ideas how to get it working correctly?

Secondly, I have been looking into sqlippool and MySQL fail over.

We would really like to be able to use a read/write master and read only
slave, but it looks to me that the sqlippool needs to be writeable to mark
the IP address as used and avoid duplicate IP allocation.

Can someone confirm this?

Thanks

Peter

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Configuration trouble with fail-over

2008-04-30 Thread Alan DeKok
Guillaume Rousse wrote:
> What's wrong with just looking recursively for the name under which the
> module has been instantiated in the authorization section, without
> interpreting fail-over behaviour at all ?

  Because it may be listed under multiple Auth-Type sections.  This is
something that people do, and is valid.

>>   The problem is a common one in computer science: write a program that
>> "understands" what another program is doing.  This problem is generally
>> known to be impossible.
> Here the communication occurs between the main program, and one of its
> module, the relationship is a bit tighter.

  The problem is interpreting the meaning of the configuration in an
"authenticate" section, including sections, sub-sections, "unlang", and
redundant sections.  Then, automatically making the server do the "right
thing" in the authorize section, based on its interpretation of the
"authenticate" section.

  This is hard.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuration trouble with fail-over

2008-04-30 Thread Guillaume Rousse
Alan DeKok wrote:
> Guillaume Rousse wrote:
>> It is not documented in the rlm_ldap file shipped in top-level directory
>> (at least for release 2.0.0). The fact that there is a huge redundancy
>> between this file and comments in default configuration files doesn't
>> help maintaining a reference documentation.
> 
>   The configuration files are up-to-date.  Other documentation files may
> not be.
> 
>   As always, we welcome patches to help fix code or documentation.
Here is a trivial one.

>>> ... if you have suggestions for how to make
>>> that determination, I'm interested.
>> No, especially as I got no clue about freeradius internals.
> 
>   There's no need to understand the internals.  All you need to do is
> understand the configuration, and to come up with some simple logic for
> the "right" thing to do.
What's wrong with just looking recursively for the name under which the
module has been instantiated in the authorization section, without
interpreting fail-over behaviour at all?

>   The problem is a common one in computer science: write a program that
> "understands" what another program is doing.  This problem is generally
> known to be impossible.
Here the communication occurs between the main program and one of its
modules; the relationship is a bit tighter.
-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
diff -Naur freeradius-server-2.0.3/doc/rlm_ldap 
freeradius-server-2.0.3-drop-redundant-documentation/doc/rlm_ldap
--- freeradius-server-2.0.3/doc/rlm_ldap2008-02-14 08:03:42.0 
+0100
+++ freeradius-server-2.0.3-drop-redundant-documentation/doc/rlm_ldap   
2008-04-30 11:23:20.0 +0200
@@ -26,236 +26,7 @@
 
 3. CONFIGURATION
 
-Add following subsection to the modules{} section of radiusd.conf to control
-the rlm_ldap module:
-
-  modules { ...
-   
-   ldap {
-
-#  server: LDAP server hostname/ip address
-#
-#  Optionaly could contain space separated list of host[:port], but
-#  redundancy/resiliency is better acheived configuring multiple rlm_ldap
-#  module instances and invocing them in   redundand/failover
-#  configuration in authorize/authenticate sections
-#
-#  You can also pass an ldap url like ldap://localhost
-#  That way you can also specify alternative ldap schemas like
-#  ldaps:// or ldapi://
-#  The port directive will be ignored in that case
-#  
-#  default: settings for your system, as set in etc/openldap/ldap.conf
-#
-   server   = localhost
-
-#  port: LDAP server port
-#  
-#  If LDAP server port is set to 636 (ldaps), SSL connection is enforced.
-#  This feature is useful for LDAP servers which support SSL, but don't
-#  do TLS negotiation (like Novell eDirectory).
-#  
-#  default: 389 (ldap)
-#
-   port = 636
-
-#  net_timeout: # of seconds to wait for response of the server (network
-#  failures) default: 10
-#
-   net_timeout = 1
-
-#  timeout: # seconds to wait for LDAP query to finish default: 20
-#
-   timeout = 2
-
-#  timelimit: # of seconds server has to process the query (server-side
-#  time limit) default: 20
-#
-   timelimit = 5
-
-#  ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation)
-#  default: 0x (no debugging messages)
-#  Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
-   ldap_debug = 0x0028 
-
-#  identity: DN under which LDAP searches are done password: pasword
-#  which authenticate this DN default: anonymous bind, no password
-#  required NOTE: searches are done now over unencrypted connection!
-#
-#  identity = "cn=admin,o=My Org,c=UA" password = mypass
-
-
-#  ldap_connections_number: The number of ldap connections that the
-#  module will keep open to use in requests. Usually it will not need to
-#  be larger than 5-10 connections default: 5
-
-   ldap_connections_number = 5
-
-#  basedn = 
-#
-   basedn   = "o=My Org,c=UA"
-
-#  filter: LDAP search filter, to locate user object using name supplied
-#  by client during Radius authentication
-#  
-#  default: filter   = "(uid=%u)"
-
-#  base_filter: The LDAP search filter used for base scope searches, like
-#  when searching for the default or regular profiles
-#
-#  deafault: base_filter = "(objectclass=radiusprofile)"
-
-   filter   = "(uid=%u)"
-
-#  start_tls: When set to "yes" the StartTLS extended operation is used to
-#  start TLS transport encryption.
-   start_tls = no
-
-#  tls_mode: When set to "yes" OR the server port is 636 we try to connect 
with TLS
-#  Start TLS should be prefered, tls_mode is p
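Review bot: the hunk drops the whole CONFIGURATION walk-through of doc/rlm_ldap (header -26,236 +26,7), but the seven replacement lines are not visible here and nothing in the removed text tells a reader where the directive reference now lives; since the stated rationale is that the shipped configuration files are the up-to-date copy, the retained text should say so explicitly, for example "The directives are documented in the comments of raddb/modules/ldap; that file is the reference." Also check before merging that two statements in the removed block survive somewhere: the comment above `server = localhost` is the one place explaining that resiliency is achieved by configuring multiple rlm_ldap instances and invoking them in a redundant block rather than by a space-separated server list (the exact point of this thread), and the `port` comment is the only mention that port 636 enforces an SSL connection.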

Re: Configuration trouble with fail-over

2008-04-29 Thread Alan DeKok
Guillaume Rousse wrote:
> It is not documented in the rlm_ldap file shipped in top-level directory
> (at least for release 2.0.0). The fact that there is a huge redundancy
> between this file and comments in default configuration files doesn't
> help maintaining a reference documentation.

  The configuration files are up-to-date.  Other documentation files may
not be.

  As always, we welcome patches to help fix code or documentation.

>>... if you have suggestions for how to make
>> that determination, I'm interested.
> No, especially as I got no clue about freeradius internals.

  There's no need to understand the internals.  All you need to do is
understand the configuration, and to come up with some simple logic for
the "right" thing to do.

  The problem is a common one in computer science: write a program that
"understands" what another program is doing.  This problem is generally
known to be impossible.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuration trouble with fail-over

2008-04-29 Thread Guillaume Rousse
Alan DeKok wrote:
> Guillaume Rousse wrote:
>> It does. But clarification between what's old and what's new syntax
>> doesn't harm.
> 
>   The new syntax is documented, and is preferred.  If you try the old
> one (undocumented and deprecated), it works.  What needs clarification?
It is not documented in the rlm_ldap file shipped in top-level directory
(at least for release 2.0.0). The fact that there is a huge redundancy
between this file and comments in default configuration files doesn't
help maintaining a reference documentation.

>> Right, but that seems to be only a syntax difference, referring to a
>> named instance of the LDAP module. One would expect the code to be more
>> robust, or at least the problem documented somewhere.
> 
>   It is very difficult to determine what is *supposed* to happen inside
> of an authentication section.  If you have suggestions for how to make
> that determination, I'm interested.
No, especially as I got no clue about freeradius internals.

>   And the problem is documented: the debug log prints out a warning
> message, as you saw.
> 
>> If I understand correctly, there is no way to help the rlm_module
>> understand I'm using it for authentication, as I use a complex syntax, so
>> I have to set it up explicitly, right?
> 
>   Yes.
> 
>> In this case, I think this
>> deserves some explanation in the rlm_ldap documentation, such as:
>> "Warning, if the LDAP module is not directly referenced in the
>> authentication section, such as a failover configuration using named
>> aliases, this setting will be disabled".
> 
>   The same problem applies to other modules, so it needs to be
> documented in one place.
Indeed.
-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuration trouble with fail-over

2008-04-29 Thread Alan DeKok
Guillaume Rousse wrote:
> It does. But clarification between what's old and what's new syntax
> doesn't harm.

  The new syntax is documented, and is preferred.  If you try the old
one (undocumented and deprecated), it works.  What needs clarification?

> Right, but that seems to be only a syntax difference, referring to a
> named instance of the LDAP module. One would expect the code to be more
> robust, or at least the problem documented somewhere.

  It is very difficult to determine what is *supposed* to happen inside
of an authentication section.  If you have suggestions for how to make
that determination, I'm interested.

  And the problem is documented: the debug log prints out a warning
message, as you saw.

> If I understand correctly, there is no way to help the rlm_module
> understand I'm using it for authentication, as I use a complex syntax, so
> I have to set it up explicitly, right?

  Yes.

> In this case, I think this
> deserves some explanation in the rlm_ldap documentation, such as:
> "Warning, if the LDAP module is not directly referenced in the
> authentication section, such as a failover configuration using named
> aliases, this setting will be disabled".

  The same problem applies to other modules, so it needs to be
documented in one place.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuration trouble with fail-over

2008-04-29 Thread Guillaume Rousse
Alan DeKok wrote:
>> I think this ought to be documented in rlm_ldap documentation (as well
>> as minor other changes, such as the new tls subsection).
> 
>   The new tls sub-section isn't required.  The old-style configuration
> *should* work.
It does. But clarification between what's old and what's new syntax
doesn't harm.

>> I also tried to clean up my configuration a little bit. I think I found
>> a bug in the handling of set_auth_type directive. From what I
>> understood, this directive governs the setting of the Auth-Type
>> attribute to 'LDAP' during the authorisation phase. However, whatever
>> its value, it's automatically disabled when launching radius at startup:
>>
>> Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type,
>> as we're not listed in the "authenticate" section.
> 
>   Yes... the LDAP module is now aware that you may have *multiple*
> copies of the LDAP module running.
I guess you mean 'not aware'

>> Here is my authenticate section, using two ldap modules in fail-over:
>> authenticate {
>> Auth-Type LDAP {
>> redundant {
>> ldap1
>> ldap2
> 
>   ldap1 != "LDAP".
Right, but that seems to be only a syntax difference, referring to a
named instance of the LDAP module. One would expect the code to be more
robust, or at least the problem documented somewhere.

[..]
>> Which one should I believe ?
> 
>   All of them.  There are generalizations, which are usually true.  In
> addition, there are specific corner cases where the generalizations
> aren't true.
I need the second solution (ldap as an authentication server), so I need
to have Auth-Type set.

If I understand correctly, there is no way to help the rlm_module
understand I'm using it for authentication, as I use a complex syntax, so
I have to set it up explicitly, right? In this case, I think this
deserves some explanation in the rlm_ldap documentation, such as:
"Warning, if the LDAP module is not directly referenced in the
authentication section, such as a failover configuration using named
aliases, this setting will be disabled".

-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configuration trouble with fail-over

2008-04-29 Thread Alan DeKok
Guillaume Rousse wrote:
> I've recently upgraded my freeradius servers from 1.1.7 to 2.0.0,

  2.0.3 has been out for a while...

> and
> I've been hit badly by the change in the handling of LDAP-UserDn
> attribute, as detailed in
> http://www.nabble.com/Re%3A-LDAP-Groups-and-EAP-p14886209.html

  This was fixed in CVS head, in what will be 2.0.4.

> I think this ought to be documented in rlm_ldap documentation (as well
> as minor other changes, such as the new tls subsection).

  The new tls sub-section isn't required.  The old-style configuration
*should* work.

> I also tried to clean up my configuration a little bit. I think a found
> a bug in the handling of set_auth_type directive. From what I
> understood, this directive governs the setting of the Auth-Type
> attribute to 'LDAP' during the authorisation phase. However, whatever
> its value, it's automatically disabled when launching radius at startup:
> 
> Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type,
> as we're not listed in the "authenticate" section.

  Yes... the LDAP module is now aware that you may have *multiple*
copies of the LDAP module running.

> Here is my authenticate section, using two ldap modules in fail-over:
> authenticate {
> Auth-Type LDAP {
> redundant {
> ldap1
> ldap2

  ldap1 != "LDAP".

> handled
> }
> }
> }
> 
> If I drop failover, everything works as expected. Should I report this as
> a bug ?

  No.

> So far, the only workaround I found is to force the Auth-Type attribute
> in the user file:

  Yes.  The old behavior was wrong.

> But I can't make my mind if it is a good solution or not. According to
> the comment in default configuration file: "In general, you SHOULD NOT
> set the Auth-Type attribute".

  In general.  In some cases, it works.  In this case, the knowledge
that you want to do LDAP authentication is buried inside of a
"redundant" section.

> According to Alan answer in
> http://www.nabble.com/Re%3A-Force-Auth-Type-p15069162.html
> "The LDAP module setting Auth-Type to LDAP is a bit of a hack."

  Yes.  If you use the LDAP server as a *database*, then there's no need
to set Auth-Type.  The FreeRADIUS just figures it out.

  The only reasons to use Auth-Type = LDAP is when you're using LDAP as
an *authentication* server, not as a database.

> Which one should I believe ?

  All of them.  There are generalizations, which are usually true.  In
addition, there are specific corner cases where the generalizations
aren't true.

  Alan deKok.
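A configuration that follows the reasoning in the reply above, as an added example that is not from this thread or from the FreeRADIUS project itself. It targets FreeRADIUS 2.0.x; the hostnames, bind DN, base DN, filter, certificate path and timeouts are assumptions to be replaced with your own. Because each directory is a *named* rlm_ldap instance reached only through a "redundant" block, set_auth_type can never take effect, so Auth-Type is selected explicitly in unlang, and only for users the directory actually returned and only when the NAS sent a cleartext password that a bind can verify:

```text
# raddb/modules/ldap  (FreeRADIUS 2.0.x): two named rlm_ldap instances.
# Hostnames, DNs, password and CA path below are placeholders.
ldap ldap1 {
    server = "ldap1.example.org"
    identity = "cn=radius,ou=services,dc=example,dc=org"
    password = "bind-password-here"
    basedn = "ou=people,dc=example,dc=org"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    # Keep these short: a hung directory must make this instance *fail*
    # quickly so that "redundant" moves on to ldap2.  net_timeout is the
    # TCP connect timeout; timeout/timelimit cap each LDAP operation.
    net_timeout = 1
    timeout = 4
    timelimit = 3
    ldap_connections_number = 5
    # Ignored for an instance that "authenticate" only reaches through a
    # "redundant" block (the "Over-riding set_auth_type" debug line), so
    # Auth-Type is set in "authorize" below instead.
    set_auth_type = no
    tls {
        start_tls = yes
        cacertfile = /etc/raddb/certs/ldap-ca.pem
        # Never bind (i.e. send the user's password) to an unverified server.
        require_cert = "demand"
    }
}

ldap ldap2 {
    server = "ldap2.example.org"
    identity = "cn=radius,ou=services,dc=example,dc=org"
    password = "bind-password-here"
    basedn = "ou=people,dc=example,dc=org"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    net_timeout = 1
    timeout = 4
    timelimit = 3
    ldap_connections_number = 5
    set_auth_type = no
    tls {
        start_tls = yes
        cacertfile = /etc/raddb/certs/ldap-ca.pem
        require_cert = "demand"
    }
}

# raddb/sites-enabled/default
authorize {
    preprocess
    suffix
    # Look the user up in whichever directory answers; ldap2 is tried
    # only when ldap1 returns "fail" (unreachable / timed out).
    redundant {
        ldap1
        ldap2
    }
    # rlm_ldap returns ok/updated only when it found the user.  Only then,
    # and only when a cleartext User-Password is present (PAP), select
    # bind authentication.  MS-CHAP and EAP requests keep the Auth-Type
    # their own modules set; an LDAP bind could never verify them anyway.
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
    files
}

authenticate {
    Auth-Type LDAP {
        redundant {
            ldap1
            ldap2
        }
    }
}
```

With this layout the "Over-riding set_auth_type, as we're not listed in the "authenticate" section" debug message is harmless, because the decision is made by the conditional in "authorize" rather than by the module. The conditional also avoids the problem of a blanket `Auth-Type := LDAP` in the users file, which would force bind authentication onto MS-CHAP and EAP sessions and simply reject them.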


Configuration trouble with fail-over

2008-04-29 Thread Guillaume Rousse
Hello list.

I've recently upgraded my freeradius servers from 1.1.7 to 2.0.0, and
I've been hit badly by the change in the handling of LDAP-UserDn
attribute, as detailed in
http://www.nabble.com/Re%3A-LDAP-Groups-and-EAP-p14886209.html

I think this ought to be documented in rlm_ldap documentation (as well
as minor other changes, such as the new tls subsection).

I also tried to clean up my configuration a little bit. I think I found
a bug in the handling of the set_auth_type directive. From what I
understood, this directive governs the setting of the Auth-Type
attribute to 'LDAP' during the authorisation phase. However, whatever
its value, it's automatically disabled when launching radiusd at startup:

Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type,
as we're not listed in the "authenticate" section.

Here is my authenticate section, using two ldap modules in fail-over:
authenticate {
    Auth-Type LDAP {
        redundant {
            ldap1
            ldap2
            handled
        }
    }
}

If I drop failover, everything works as expected. Should I report this as
a bug ?

So far, the only workaround I found is to force the Auth-Type attribute
in the user file:

DEFAULT ldap1-LDAP-Group == admins, Auth-Type := LDAP, Huntgroup-Name ==
AdminNet
Service-Type = Login,
Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT ldap2-LDAP-Group == admins, Auth-Type := LDAP, Huntgroup-Name ==
AdminNet
Service-Type = Login,
Cisco-AVPair = "shell:priv-lvl=15"

But I can't make up my mind whether it is a good solution or not. According to
the comment in the default configuration file: "In general, you SHOULD NOT
set the Auth-Type attribute". According to Alan's answer in
http://www.nabble.com/Re%3A-Force-Auth-Type-p15069162.html
"The LDAP module setting Auth-Type to LDAP is a bit of a hack."

Which one should I believe ?
-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


Re: FR2: combining round-robin and fail-over home server pools

2008-01-31 Thread Alan DeKok
John Horne wrote:
> I am in the process of configuring FreeRADIUS 2.0.1. For some realms we
> proxy the authentication request to three other servers (svr-1, svr-2,
> svr-3). However, what we wanted was to, in effect, round-robin two of
> the servers (svr-1 and svr-2), and then only use the third server (svr-3)
> if the other two were not available.

  That can't really be done in the current config.

> Note that 'local_IAS' is actually a home_server_pool name, and not an
> actual home server. I was then going to configure FR to use
> 'local_proxies' for the relevant realms. However, starting FR gives an
> error:
> 
>/usr/local/etc/raddb/proxy.conf[87]: Unknown home_server "local_IAS".

  Yes.  The "home_server" is not a "home_server_pool".

> Anyone any ideas how to mix round-robin servers with fail-over?

  Edit the source code.

  Alan DeKok.

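The closest the 2.0.x proxy configuration gets to the request above, as an added example rather than anything from this thread or from the FreeRADIUS project: one flat pool, since a pool member must be a home_server and pools cannot be nested. Addresses, secrets and the realm name are placeholders. The dead-server detection settings are the part that actually makes fail-over work: without them a home server is only declared dead after real user requests have timed out against it.

```text
# raddb/proxy.conf  (FreeRADIUS 2.0.x)
# Placeholder addresses and secrets; use a distinct, long random secret per
# home server, since a secret shared across servers lets a compromise of one
# forge responses for all of them.

home_server svr-1 {
    type = auth
    ipaddr = 192.0.2.11
    port = 1812
    secret = "long-random-shared-secret-for-svr-1"
    # Dead-server detection.  response_window: how long to wait for a reply
    # to a proxied request.  zombie_period: how long a silent server stays
    # "zombie" before it is marked dead.  While dead, Status-Server probes
    # every check_interval seconds decide when it is alive again
    # (num_answers_to_alive consecutive answers).  revive_interval is the
    # blind fallback used when no status check is configured.
    response_window = 20
    zombie_period = 40
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    revive_interval = 120
}

home_server svr-2 {
    type = auth
    ipaddr = 192.0.2.12
    port = 1812
    secret = "long-random-shared-secret-for-svr-2"
    response_window = 20
    zombie_period = 40
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    revive_interval = 120
}

home_server svr-3 {
    type = auth
    ipaddr = 192.0.2.13
    port = 1812
    secret = "long-random-shared-secret-for-svr-3"
    response_window = 20
    zombie_period = 40
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    revive_interval = 120
}

# Ordered fail-over: everything goes to svr-1 while it is alive, then to
# svr-2, then to svr-3.  "type = client-port-balance" (or load-balance)
# would instead spread requests over all three; no pool type does both.
home_server_pool local_proxies {
    type = fail-over
    home_server = svr-1
    home_server = svr-2
    home_server = svr-3
}

realm example.ac.uk {
    auth_pool = local_proxies
    # no acct_pool: accounting for this realm is handled locally
}
```

If a home server does not answer Status-Server packets (many non-FreeRADIUS servers do not), use `status_check = request` with a dedicated, otherwise useless `username`/`password` pair, or leave it at `none` and accept that revival is timer-based. The proxied Access-Request carries the user's credentials to whichever home server is selected, so every member of the pool must be one you would trust with them.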


FR2: combining round-robin and fail-over home server pools

2008-01-30 Thread John Horne
Hello,

I am in the process of configuring FreeRADIUS 2.0.1. For some realms we
proxy the authentication request to three other servers (svr-1, svr-2,
svr-3). However, what we wanted was to, in effect, round-robin two of
the servers (svr-1 and svr-2), and then only use the third server (svr-3)
if the other two were not available.

I have configured the proxy.conf 'home_server_pool's as:

   home_server_pool local_IAS {
   type = client-port-balance
   home_server = svr-1
   home_server = svr-2
   }

   home_server_pool local_proxies {
   type = fail-over
   home_server = local_IAS
   home_server = svr-3
   }

Note that 'local_IAS' is actually a home_server_pool name, and not an
actual home server. I was then going to configure FR to use
'local_proxies' for the relevant realms. However, starting FR gives an
error:

   /usr/local/etc/raddb/proxy.conf[87]: Unknown home_server "local_IAS".


Anyone any ideas how to mix round-robin servers with fail-over?



Thanks,

John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839


Re: Fail-Over to sql-lost file

2006-11-30 Thread Wilmar Campos

I Already found the documentation, thank you very much.

Wilmar

On 11/30/06, Alan DeKok <[EMAIL PROTECTED]> wrote:

Wilmar Campos wrote:
> Can you please give me an example how to use it?

  It has documentation, and comments in it's configuration, I believe.

  Do you have specific questions?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




--
Wilmar Campos


Re: Fail-Over to sql-lost file

2006-11-30 Thread Alan DeKok
Wilmar Campos wrote:
> Can you please give me an example how to use it?

  It has documentation, and comments in it's configuration, I believe.

  Do you have specific questions?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Fail-Over to sql-lost file

2006-11-30 Thread Wilmar Campos

Can you please give me an example how to use it?

Thanks,

WIlmar

On 11/30/06, Alan DeKok <[EMAIL PROTECTED]> wrote:

Wilmar Campos wrote:
> Hello,
> I just moved from OpenRadius to FreeRADIUS and I couldn't find any
> place to tell the accounting module to write the sql insert command
> into a file if the MySQL server is not available.

  rlm_sql_log.  It's another module, rather than being part of rlm_sql,
but it should work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




--
Wilmar Campos


Re: Fail-Over to sql-lost file

2006-11-30 Thread Alan DeKok
Wilmar Campos wrote:
> Hello,
> I just moved from OpenRadius to FreeRADIUS and I couldn't find any
> place to tell the accounting module to write the sql insert command
> into a file if the MySQL server is not available.

  rlm_sql_log.  It's another module, rather than being part of rlm_sql,
but it should work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
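One way to wire up rlm_sql_log as the fallback for rlm_sql, as an added example that is not from this thread or from the project's stock files. It assumes FreeRADIUS 1.1.x with the stock radacct schema; the queries are shortened and the database host, user and password are placeholders. The point is that rlm_sql_log is only reached when rlm_sql has returned "fail", and that the buffered file is later executed against the database with the full privileges of the replay account:

```text
# radiusd.conf  (FreeRADIUS 1.1.x)

modules {
    $INCLUDE ${confdir}/sql.conf     # the normal rlm_sql instance, "sql { ... }"

    sql_log {
        # Every statement rlm_sql_log would have run is appended here, one
        # per line.  Anyone who can write to this file gets SQL executed as
        # the replay account, so it must be owned by and readable only by
        # the radiusd user (mode 0600).
        path = ${radacctdir}/sql-relay
        acct_table = "radacct"
        sql_user_name = "%{%{User-Name}:-DEFAULT}"

        Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime, AcctTerminateCause) VALUES ('%{Acct-Session-Id}', '${sql_user_name}', '%{NAS-IP-Address}', '%{Framed-IP-Address}', '%S', '0', '0', '');"
        Stop  = "UPDATE ${acct_table} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctTerminateCause = '%{Acct-Terminate-Cause}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '${sql_user_name}' AND NASIPAddress = '%{NAS-IP-Address}';"
        Alive = "UPDATE ${acct_table} SET FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '${sql_user_name}' AND NASIPAddress = '%{NAS-IP-Address}';"
        # Deliberately no Post-Auth query: the stock example for it writes
        # the cleartext User-Password into the relay file.
    }
}

accounting {
    detail                # always keep the raw packet log as well
    redundant {
        sql               # normal path
        sql_log           # reached only when sql returns "fail" (DB unreachable)
    }
}

# Replay later, once the database is back (command-line flags of radsqlrelay
# as assumed here; check "radsqlrelay -?" on your install):
#   radsqlrelay -1 -d mysql -h db.example.net -b radius -u radius \
#       -p 'database-password-here' /var/log/radius/radacct/sql-relay
```

Two caveats a practitioner will want. First, attribute values are interpolated straight into SQL text, so the buffered statements are only as safe as the module's escaping of `%{...}` expansions; keep the replay account limited to INSERT/UPDATE on the accounting tables, never a superuser. Second, records written to the relay file while the primary is down arrive out of order with anything rlm_sql wrote once the database returned, so a Stop can be replayed after its Start was never inserted; the UPDATE then silently matches nothing, which is why the `detail` file is kept as the authoritative record.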


Fail-Over to sql-lost file

2006-11-30 Thread Wilmar Campos

Hello,
I just moved from OpenRadius to FreeRADIUS and I couldn't find any
place to tell the accounting module to write the SQL insert command
into a file if the MySQL server is not available.

I found a way to do it with the detail file, but not with a file to keep
all the INSERT queries for later insertion.

I am running freeradius 1.1.2 on Slackware 10.1, kernel 2.6.

Thanks for your support.

Wilmar Campos


RE : Fail over mysql backend

2004-09-20 Thread EROS
I've tried leaving the sql { } in, but it said rlm_sql_sql is not a valid sql
driver, or something like that.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan
DeKok
Sent: Monday 20 September 2004 21:11
To: [EMAIL PROTECTED]
Subject: Re: RE : Fail over mysql backend 


"EROS" <[EMAIL PROTECTED]> wrote:
> If you need redundancy, your sql1 and sql2 .conf must be :

> You should remove the sql { }
> 
> This is what I had to do to make this work

  I *really* don't recommend doing that.  If it works, it's an accident,
and the server is NOT intended to work that way.

  Please follow the directions in "doc/configurable_failover", and NOT
the above instructions.

  Alan DeKok.






Re: RE : Fail over mysql backend

2004-09-20 Thread Alan DeKok
"EROS" <[EMAIL PROTECTED]> wrote:
> If you need redundancy, your sql1 and sql2 .conf must be :
...
> You should remove the sql { }
> 
> This is what I had to do to make this work

  I *really* don't recommend doing that.  If it works, it's an
accident, and the server is NOT intended to work that way.

  Please follow the directions in "doc/configurable_failover", and NOT
the above instructions.

  Alan DeKok.




RE : Fail over mysql backend

2004-09-20 Thread EROS
A standard sql.conf is :

sql { 
...
...
...
}

If you need redundancy, your sql1 and sql2 .conf must be :

...
... 
...

You should remove the sql { } 

This is what I had to do to make this work


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan
DeKok
Sent: Monday 20 September 2004 16:23
To: [EMAIL PROTECTED]
Subject: Re: Fail over mysql backend 


"Cris Boisvert" <[EMAIL PROTECTED]> wrote:
> In the radiusd.conf
> In the authorize section I have
> redundant{
> sql
> sql2
> }

  Ok...

> Mon Sep 20 08:37:16 2004 : Error: radiusd.conf[14] Failed linking to 
> rlm_sql2 structure in radiusd.conf: /usr/lib/rlm_sql2.so: undefined 
> symbol: rlm_sql2

  Please read doc/configurable_failover.  It contains examples of doing
this.

  Alan DeKok.





Re: Fail over mysql backend

2004-09-20 Thread Alan DeKok
"Cris Boisvert" <[EMAIL PROTECTED]> wrote:
> In the radiusd.conf
> In the authorize section I have
> redundant{
> sql
> sql2
> }

  Ok...

> Mon Sep 20 08:37:16 2004 : Error: radiusd.conf[14] Failed linking to
> rlm_sql2 structure in radiusd.conf: /usr/lib/rlm_sql2.so: undefined symbol:
> rlm_sql2

  Please read doc/configurable_failover.  It contains examples of
doing this.

  Alan DeKok.

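The shape that doc/configurable_failover describes for this case, written out as an added example (not from this thread or from the project's stock files). It targets FreeRADIUS 1.x; hostnames and credentials are placeholders. The error in the question comes from writing `sql2 { ... }` at module level, which declares a module *named* sql2 and makes the server try to load rlm_sql2.so; a second instance of the same module is written `sql sql2 { ... }`, as the `sql cdr1 { ... }` examples elsewhere in this list archive show:

```text
# radiusd.conf  (FreeRADIUS 1.x)
modules {
    # Instance 1: the stock sql.conf, whose header is "sql {"
    $INCLUDE ${confdir}/sql.conf

    # Instance 2: a copy of sql.conf whose header is "sql sql2 {" and which
    # points at the standby database; the queries and table names in the
    # rest of the file stay identical to sql.conf.
    $INCLUDE ${confdir}/sql2.conf
}

authorize {
    preprocess
    # Try the primary; sql2 is consulted only when sql returns "fail"
    # (connection refused, or no free socket).  A "notfound" from the
    # primary is final: the user does not exist, so the standby is not asked.
    redundant {
        sql
        sql2
    }
}

accounting {
    detail
    redundant {
        sql
        sql2
    }
}

# sql2.conf: only the header and the connection settings differ from sql.conf.
sql sql2 {
    driver = "rlm_sql_mysql"
    server = "db-standby.example.net"
    login = "radius"
    password = "database-password-here"
    radius_db = "radius"
    num_sql_socks = 5
    connect_failure_retry_delay = 60
    sql_user_name = "%{User-Name}"
    # authorize_*_query, accounting_*_query and table names: exactly as in
    # the stock sql.conf, so that both instances speak the same schema.
}
```

Two things to keep in mind. The two databases must hold the same data: if sql2 is a replica, replication lag means an account disabled on the primary seconds ago can still be authorised through the standby while the primary is down. And for accounting, a record written to sql2 during an outage never reaches the primary by itself; either replicate back, or prefer buffering the statements to a file with rlm_sql_log and replaying them, as the "Fail-Over to sql-lost file" thread on this page discusses. Note also the limitation raised in the "module timeout" thread: rlm_sql only returns "fail" when the connection cannot be made, not when an established connection hangs.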



Fail over mysql backend

2004-09-20 Thread Cris Boisvert
I 'm trying to setup Freeradius with 2 sql servers for a  failover.

In the radiusd.conf
In the authorize section I have
redundant{
sql
sql2
}

When I start it I get 

Mon Sep 20 08:37:16 2004 : Info: rlm_sql (sql): Attempting to connect to
[EMAIL PROTECTED]:/database
Mon Sep 20 08:37:16 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #0
Mon Sep 20 08:37:16 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #1
Mon Sep 20 08:37:16 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #2
Mon Sep 20 08:37:16 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #3
Mon Sep 20 08:37:16 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #4
Mon Sep 20 08:37:16 2004 : Error: radiusd.conf[14] Failed linking to
rlm_sql2 structure in radiusd.conf: /usr/lib/rlm_sql2.so: undefined symbol:
rlm_sql2

It can link to the first database, but when it tries to connect to the
second it has problems, looking for another instance of rlm_sql.so.

Thanx
Cris






Re: module timeout when using configurable fail-over

2004-08-17 Thread Alan DeKok
ROY <[EMAIL PROTECTED]> wrote:
> Ok. If this should be added, where should it be done? I might try, but,
> you must be right.. it's hard to do.

  Everywhere, in all of the modules.  It's *very* hard.

  Alan DeKok.



Re: module timeout when using configurable fail-over

2004-08-16 Thread ROY
On Mon, 2004-08-16 at 23:06, Alan DeKok wrote:
> ROY <[EMAIL PROTECTED]> wrote:
> > is there a way to force a module to fail within specific period by
> > setting a timeout param? say, if the module doesn't send a return value
> > in X seconds, fail code will be in effect?
> 
>   No.  That should be added, but it will be hard to do.

Ok. If this should be added, where should it be done? I might try, but,
you must be right.. it's hard to do.

> 
> > the current setup seems to work if the ff are true:
> > 1. db server is down
> > 2. no more sockets could be setup between radius and db
> 
>   But it won't work if the DB connection locks up.

I'd have to check that out. I haven't seen such an occurrence yet.

See, I'm testing 3 servers as an accounting system for several NASes
which receive rapid voice call attempts from a dialer.

> 
>   Alan DeKok.

many thanks,

Roy




Re: module timeout when using configurable fail-over

2004-08-16 Thread Alan DeKok
ROY <[EMAIL PROTECTED]> wrote:
> is there a way to force a module to fail within specific period by
> setting a timeout param? say, if the module doesn't send a return value
> in X seconds, fail code will be in effect?

  No.  That should be added, but it will be hard to do.

> the current setup seems to work if the ff are true:
> 1. db server is down
> 2. no more sockets could be setup between radius and db

  But it won't work if the DB connection locks up.

  Alan DeKok.



module timeout when using configurable fail-over

2004-08-15 Thread ROY
hi list,

i'm trying to do configurable fail-over on the accounting section using
sql:

modules {
    sql cdr1 {
        server = x.x.x.x
        radiusdb = cdr
        blah blah
    }
    sql cdr2 {
        server = y.y.y.y
        radiusdb = cdr
        blah blah
    }
}

accounting {
    group {
        cdr1 {
            fail = 1
            ok = return
        }
        cdr2 {
            fail = 1
            ok = return
        }
    }
}

parallel table schemas are in effect on the two db servers.

is there a way to force a module to fail within a specific period by
setting a timeout param? say, if the module doesn't send a return value
in X seconds, the fail code will be in effect?

the goal is to send the request to the next module (cdr2).

the current setup seems to work if the following are true:
1. db server is down
2. no more sockets could be set up between radius and db

any comments?

tia,

roy




Re: fail-over configration

2004-06-04 Thread baffy200y
Thanks for your reply. Alan.

You showed the follow process.

> > 1.Checking users file
> >   If the User-Name is not found, go to "Checking SQL(Mysql) DataBase."
> >  Check the Calling-Station-Id.
> > if the Calling-Station-Id is correct, continue to "authenticate"
> > if the Calling-Station-Id is incorrect,reject the user.
> 
> > 2.Checking SQL(Mysql) DataBase.
> >   If the User-Name is not found, reject the user.
> > 
> >  Check the Calling-Station-Id.
> > if the Calling-Station-Id is correct, continue to "authenticate"
> > if the Calling-Station-Id is incorrect,reject the user.
> 
>   In "authenticate", check the User-password.  If correct, the user is
> authenticated.
> > if the User-Password is incorrect,reject the user

Then, I have a question.

What does "the User-Name is not found" mean?
I thought it meant the User-Name value in the request is not found in the users file.
But freeradius does not behave that way.
It looks like the following.

case 1 (this case is OK(found!))
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and
  User-Password(value) in Users file equals User-Password(value) in
  Access-Request.
  and
  Calling-Station-Id(value) in Users file equals Calling-Station-Id(value) in
  Access-Request.

case 2 (this case is not found)
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and
  User-Password(value) in Users file do not equal User-Password(value) in
  Access-Request.
  and
  Calling-Station-Id(value) in Users file equals Calling-Station-Id(value) in
  Access-Request.

case 3 (this case is not found)
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and
  User-Password(value) in Users file equals User-Password(value) in
  Access-Request.
  and
  Calling-Station-Id(value) in Users file do not equal Calling-Station-Id(value)
  in  Access-Request.

case 4 (this case is not found)
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and
  User-Password(value) in Users file do not equal User-Password(value) in
  Access-Request.
  and
  Calling-Station-Id(value) in Users file do not equal Calling-Station-Id(value)
  in  Access-Request.

Does "the User-Name is not found" mean that not all the radius attributes that
should be compared are matched, rather than only that the User-Name value does not match?
If that is right, does checking the User-Password in authenticate always succeed?

--
Access-Request:
 User-Name = "testusr"
 User-Password = "usrpass00"
 NAS-Port = 1
 NAS-IP-Address = 192.168.100.20
 Framed-Protocol = PPP
 Service-Type = Framed-User
 NAS-Port-Type = ISDN
 Calling-Station-Id = "0123456789"

--
Users file:
testusr Auth-Type := Local, User-Password == "usrpass", Calling-Station-Id 
=="0123456789"
User-Service = Framed-User ,
Framed-Protocol = PPP ,
Framed-IP-Address = 10.0.0.1 ,
Framed-IP-Netmask = 255.255.255.255 ,
Ascend-Idle-Limit = 600 ,
Ascend-Data-Filter = "ip in forward dstip 10.0.1.0/24" ,
Ascend-Data-Filter += "ip in forward dstip 172.16.1.0/24" ,
Ascend-Data-Filter += "ip in drop dstip 0.0.0.0" ,
Ascend-Data-Filter += "ip out forward"


sorry for my poor english
regards


-- 
baffy200y <[EMAIL PROTECTED]>






Re: Fail-Over

2004-06-01 Thread Kostas Kalevras
On Mon, 31 May 2004, Alan DeKok wrote:

> "Juan" <[EMAIL PROTECTED]> wrote:
> > i have read configurable_failover three times but i cannot make
> > freeradius fail over with ippool. I have two pools that i want
> > to use for all my users. I need freeradius to start assigning
> > IPs from the second pool when the first is full. I do not know what
> > i must read to do it.
>
>   It looks like it's a problem with the IP pool module...

Try using the latest version of the ippool module (revision 1.31). That one
should work.

>
>   Alan DeKok.
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



AW: Fail-Over

2004-06-01 Thread Arne.Spetzler
g!";
        exit 1;
    fi
    # stop localserver
    rad_stop
    # save pool-state
    mv $POOL.pool $POOL.pool.back
    mv $POOL.index $POOL.index.back
    # test config
    if ! reload_server; then
        rad_stop
        mv $POOL.pool.back  $POOL.pool
        mv $POOL.index.back $POOL.index
    else
        rad_stop
        files="$POOL.pool $POOL.index"
        if ! scp $files $REMOTE:$POOL_DIR > /dev/null; then
            echo -e $rc_failed;
            echo "-- error when copying $files!";
        fi
        sync_files $DB_DIR $REMOTE
    fi
    rad_start
    if ! ssh $REMOTE "PATH=$PATH:/sbin; /usr/sbin/radcontrol start"; then
        echo -e $rc_failed;
        echo "-- error during remote execution!";
        exit 1;
    fi

    rad_status
}

function rad_syncpools
{
    # stop remoteserver
    if ! ssh $REMOTE "PATH=$PATH:/sbin; /usr/sbin/radcontrol stop"; then
        echo -e $rc_failed;
        echo "-- error during remote execution!";
        exit 1;
    fi
    rad_stop
    echo "sync ippools from $POOL_DIR to $REMOTE"
    sync_files $POOL_DIR $REMOTE
    rad_start
    if ! ssh $REMOTE "PATH=$PATH:/sbin; /usr/sbin/radcontrol start"; then
        echo -e $rc_failed;
        echo "-- error during remote execution!";
        exit 1;
    fi
}



function rad_help
{
    cat<<"EOF"
usage: radcontrol
 options are:
  help         - give short description of the program
  stop         - stop local server
  start        - start local server
  reload []    - reload both servers with updated config files
                 use [] argument if ippool definition changed !!

                 if  is given, it is interpreted as ippool name
                 prefix. *** pool DB is removed on both servers ***
  local_reload - reload only local server with updated config files
                 *** do not use if existing ippool definition changed !!
  syncpools    - stop/start servers and synchronise ippools
                 this is needed if stale ip addresses at backup or
                 if master is to restart after crash
  status       - show status of all processes on both machines
  iptrans      - transfer ip addresses from stuck transfer files
                 only transfer addresses from files not older than
                  minutes - delete older files
EOF
}
function usage
{
    cat<<"EOF"
usage: radcontrol 
 options are:
  help         - give short description of the program
  stop         - stop local server
  start        - start local server
  reload []    - reload both servers - optional remove ippool 
  local_reload - reload local server
  syncpools    - stop/start servers and synchronise ippools
  status       - show status of all processes on both machines
  iptrans      - transfer stuck ip addresses
EOF
}

##

if ! lock $RADCONTROL_SEM; then
    echo -e "another instance running... $rc_failed"
    exit;
fi

if [[ $# == 0 ]]; then usage; exit; fi

if   [[ $1 == status ]]; then rad_$1
elif [[ $1 == stop ]]; then rad_$1
elif [[ $1 == start ]]; then rad_$1
elif [[ $1 == local_reload ]]; then rad_$1
elif [[ $1 == reload ]] && [[ $# == 1 ]]; then rad_$1
elif [[ $1 == reload ]] && [[ $# == 2 ]]; then rad_clearpool $2
elif [[ $1 == syncpools ]]; then rad_$1
elif [[ $1 == help ]]; then rad_$1
elif [[ $1 == iptrans ]] && [[ $# == 2 ]]; then rad_$1 $2
else 
    usage 1>&2 
fi



The crux with this system is that, because of race conditions,
under rare circumstances some IP addresses could get lost.

But I think that without modifications to the freeradius server there
is no chance to change that.

regards arne

PS.: Feel free to tell me about any bug in these scripts :)
I would also appreciate any enhancements :)


> Message: 1
> Date: Thu, 27 May 2004 18:28:14 +0200
> To: [EMAIL PROTECTED]
> From: "Juan" <[EMAIL PROTECTED]>
> Subject: Fail-Over
> Reply-To: [EMAIL PROTECTED]
> 
> Hello,
> 
> i have read configurable_failover three times but i cannot make
> freeradius fail over with ippool. I have two pools that i want to use
> for all my users. I need freeradius to start assigning IPs from the
> second pool when the first is full. I do not know what i must read
> to do it.
> 
> Can somebody help me?
> 
> Thank you.
> 



Re: Fail-Over

2004-05-31 Thread Alan DeKok
"Juan" <[EMAIL PROTECTED]> wrote:
> i have read configurable_failover three times but i cannot make
> freeradius fail over with ippool. I have two pools that i want
> to use for all my users. I need freeradius to start assigning
> IPs from the second pool when the first is full. I do not know what
> i must read to do it.

  It looks like it's a problem with the IP pool module...

  Alan DeKok.



Re: fail-over configration

2004-05-31 Thread Alan DeKok
baffy200y <[EMAIL PROTECTED]> wrote:
> 1.Checking users file
>   If the User-Name is found,check the User-Password.

  The server can't do that.  The "authorize" section doesn't do any
authentication.

  I would re-write your request as:

> 1.Checking users file
>   If the User-Name is not found, go to "Checking SQL(Mysql) DataBase."
>  Check the Calling-Station-Id.
> if the Calling-Station-Id is correct, continue to "authenticate"
> if the Calling-Station-Id is incorrect,reject the user.

> 2.Checking SQL(Mysql) DataBase.
>   If the User-Name is not found, reject the user.
> 
>  Check the Calling-Station-Id.
> if the Calling-Station-Id is correct, continue to "authenticate"
> if the Calling-Station-Id is incorrect,reject the user.

  In "authenticate", check the User-password.  If correct, the user is
authenticated.
> if the User-Password is incorrect,reject the user


  The server can do this.  See doc/configurable_failover for how to
configure the "authorize" section to do "check files, if not found,
check sql".

  Alan DeKok.




fail-over configration

2004-05-28 Thread baffy200y
Hi,all.

I want to set up freeradius which uses the users file and an sql database for
user authentication.

But I can not set it up well.
Can I set up freeradius as follows?


1.Checking users file
  If the User-Name is found, check the User-Password.
    if the User-Password is correct, check the Calling-Station-Id.
      if the Calling-Station-Id is correct, the user is authenticated.
      if the Calling-Station-Id is incorrect, reject the user.
    if the User-Password is incorrect, reject the user
  If the User-Name is not found, go to "Checking SQL(Mysql) DataBase."

2.Checking SQL(Mysql) DataBase.

  If the User-Name is found, check the User-Password.
    if the User-Password is correct, check the Calling-Station-Id.
      if the Calling-Station-Id is correct, the user is authenticated.
      if the Calling-Station-Id is incorrect, reject the user.
    if the User-Password is incorrect, reject the user
  If the User-Name is not found, reject the user.

My image process figure
--
          Start
            |
      +-----+-----+
      |   users   | user found
      |   file    +-------------------+
      +-----+-----+                   |
            | user not found          |
            |                         |
      +-----+-----+                   |
      |    sql    | user found        |
      |  (MySql)  +-------------------+
      +-----+-----+                   |
            | user not found    +-----+-----+
            |                   | Password  | false
          reject                |  check    +-------- reject
                                +-----+-----+
                                      | ok
                                      |
                                +-----+-----+
                                | Calling-  | false
                                | Station-Id+-------- reject
                                |  check    |
                                +-----+-----+
                                      | ok
                                      |
                              user authenticated

figure 1
--

my authorize section in radiusd.conf is below
--
authorize {
    preprocess
    group {
        files {
            ok = return
        }
        sql {
            ok = return
        }
    }
}

my users file
--
test    Auth-Type := Local, User-Password == "test", Calling-Station-Id == "00"
        User-Service = Framed-User ,
        Framed-Protocol = PPP ,
        Framed-IP-Address = 10.0.0.1 ,
        Framed-IP-Netmask = 255.255.255.255


Result I tested.
--
      | User-Name | User-Password | Calling-Station-Id |
------+-----------+---------------+--------------------+
  (1) |     ○     |       ×       |         -          |
------+-----------+---------------+--------------------+
  (2) |     ○     |       ○       |         ×          |
------+-----------+---------------+--------------------+
○: correct
×: incorrect

Case (1)
  files (rlm_files) returns notfound, not reject,
  and the sql db has been checked,
  and group returns notfound, not reject.

Case (2)
  files (rlm_files) returns notfound, not reject,
  and the sql db has been checked,
  and group returns notfound, not reject.





sorry for my poor english
regards

-- 
baffy200y <[EMAIL PROTECTED]>

Fail-Over

2004-05-27 Thread Juan
Hello,

i have read configurable_failover three times but i cannot make
freeradius fail over with ippool. I have two pools that i want to use
for all my users. I need freeradius to start assigning IPs from the
second pool when the first is full. I do not know what i must read
to do it.

Can somebody help me?

Thank you.







configure fail over -- docs please

2004-04-08 Thread Vasudevan.S
Hi,

Can someone respond to this issue? It's very critical for my project.

Please let me know if you (list users) need any additional information 
on this.

Thanks,
Vasudevan.S




Hi,

Please find the output in the primary server log.

I don't understand why it tries to check against the system users when it
should be trying the secondary server.
rad_recv: Access-Request packet from host 192.168.112.77:58298, id=2,
length=90
 Calling-Station-Id = "31"
 User-Name = "[EMAIL PROTECTED]"
 User-Password = "dummy"
 NAS-Identifier = "vasus.india.adventnet.com"
Thu Apr  8 12:34:28 2004 : Debug: modcall: entering group authorize for
request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module
"preprocess" returns ok for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
chap (rlm_chap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "chap"
returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
eap (rlm_eap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "eap"
returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling suffix
(rlm_realm) for request 0
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Looking up realm
"adventnet.com" for User-Name = "[EMAIL PROTECTED]"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Found realm "DEFAULT"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Adding
Stripped-User-Name = "dummy"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Proxying request from
user dummy to realm DEFAULT
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Adding Realm = "DEFAULT"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Authentication realm is
LOCAL.
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
suffix (rlm_realm) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "suffix"
returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling files
(rlm_files) for request 0
Thu Apr  8 12:34:28 2004 : Debug: users: Matched DEFAULT at 155
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
files (rlm_files) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "files"
returns ok for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "mschap"
returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug: modcall: group authorize returns ok
for request 0
Thu Apr  8 12:34:28 2004 : Debug:   rad_check_password:  Found Auth-Type
System
Thu Apr  8 12:34:28 2004 : Debug: auth: type "System"
Thu Apr  8 12:34:28 2004 : Debug: modcall: entering group authenticate
for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authenticate]: calling
unix (rlm_unix) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authenticate]: returned
from unix (rlm_unix) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authenticate]: module "unix"
returns notfound for request 0
Thu Apr  8 12:34:28 2004 : Debug: modcall: group authenticate returns
notfound for request 0
Thu Apr  8 12:34:28 2004 : Debug: auth: Failed to validate the user.
Thu Apr  8 12:34:28 2004 : Auth: Login incorrect: [dummy] (from client
vasus.adventnet.com port 0 cli 31)
Thu Apr  8 12:34:28 2004 : Debug: Delaying request 0 for 1 seconds


Thanks,
Vasudevan.S


Hi,

Can anyone help me in configuring the proxy servers for fail over.
Please find the proxy configuration I have done in the primary and
secondary radius servers.
Primary Server (proxy.conf)

realm DEFAULT{
 type = radius
 authhost = wifi-test3.adventnet.com:1812
 accthost = wifi-test3.adventnet.com:1813
 secret = xydsudysdiu
 ldflag = fail_over
 }
Secondry server (proxy.conf)

realm DEFAULT{
 type = radius
 authhost = vasus.adventnet.com:1812
 accthost = vasus.adventnet.com:1813
 secret = xydsudysdiu
 ldflag = fail_over
 }
both are linux systems. I have added user in the secondary server and
trying to authent

configure fail over -- docs please

2004-04-07 Thread Vasudevan.S
Hi,

Please find the output in the primary server log.

I don't understand why it tries to check with the system users when it 
has to try with the secondary server.

rad_recv: Access-Request packet from host 192.168.112.77:58298, id=2, length=90
	Calling-Station-Id = "31"
	User-Name = "[EMAIL PROTECTED]"
	User-Password = "dummy"
	NAS-Identifier = "vasus.india.adventnet.com"
Thu Apr  8 12:34:28 2004 : Debug: modcall: entering group authorize for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "preprocess" returns ok for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "chap" returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "eap" returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Looking up realm "adventnet.com" for User-Name = "[EMAIL PROTECTED]"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Found realm "DEFAULT"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Adding Stripped-User-Name = "dummy"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Proxying request from user dummy to realm DEFAULT
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Adding Realm = "DEFAULT"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Authentication realm is LOCAL.
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "suffix" returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 0
Thu Apr  8 12:34:28 2004 : Debug: users: Matched DEFAULT at 155
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "files" returns ok for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "mschap" returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug: modcall: group authorize returns ok for request 0
Thu Apr  8 12:34:28 2004 : Debug:   rad_check_password:  Found Auth-Type System
Thu Apr  8 12:34:28 2004 : Debug: auth: type "System"
Thu Apr  8 12:34:28 2004 : Debug: modcall: entering group authenticate for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authenticate]: calling unix (rlm_unix) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authenticate]: returned from unix (rlm_unix) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authenticate]: module "unix" returns notfound for request 0
Thu Apr  8 12:34:28 2004 : Debug: modcall: group authenticate returns notfound for request 0
Thu Apr  8 12:34:28 2004 : Debug: auth: Failed to validate the user.
Thu Apr  8 12:34:28 2004 : Auth: Login incorrect: [dummy] (from client vasus.adventnet.com port 0 cli 31)
Thu Apr  8 12:34:28 2004 : Debug: Delaying request 0 for 1 seconds



Thanks,
Vasudevan.S



configure fail over -- docs please

2004-04-07 Thread Vasudevan.S
Hi,

Can anyone help me in configuring the proxy servers for fail over. 
Please find the proxy configuration I have done in the primary and 
secondary radius servers.

Primary Server (proxy.conf)

realm DEFAULT {
    type     = radius
    authhost = wifi-test3.adventnet.com:1812
    accthost = wifi-test3.adventnet.com:1813
    secret   = xydsudysdiu
    ldflag   = fail_over
}

Secondary server (proxy.conf)

realm DEFAULT {
    type     = radius
    authhost = vasus.adventnet.com:1812
    accthost = vasus.adventnet.com:1813
    secret   = xydsudysdiu
    ldflag   = fail_over
}

Both are Linux systems. I have added the user on the secondary server and 
am trying to authenticate the user. But the primary server never sends the 
request to the secondary server; it tries to authenticate on the primary 
server itself and rejects the authentication request.

End client --> Primary server --> Secondary server (user info on the 
secondary server)



Can anyone shed some light on this? I hope most of the users on the list 
have worked with multiple RADIUS server configurations.

Thanks a lot to one and all for the support.

Regards,
Vasudevan.S






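An added example follows; it is not code from this thread or from the FreeRADIUS project. It reads the two artifacts posted above, the 1.x-style proxy.conf realm block and the radiusd debug output, and reports where the request actually went. The decisive line in the log above is "rlm_realm: Authentication realm is LOCAL.": rlm_realm matched realm DEFAULT and announced proxying, then treated the realm as local, so the request fell through to the local Auth-Type System check (rlm_unix returned notfound) and was rejected without ever being sent to the configured authhost. The sample input is constructed to mirror the thread; home1.example.net, nas.example.net and PLACEHOLDER_SECRET are placeholders, the function names are this example's own, and the reading that repeated realm blocks sharing one name form the set that ldflag = fail_over switches between in 1.x is an assumption of the example, not something the thread states.

```python
"""Added example (not from the thread or the FreeRADIUS project): parse a 1.x
proxy.conf realm block plus radiusd debug output and say whether the request
was forwarded to a home server or authenticated locally on the proxy."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# 1.x proxy.conf syntax: `realm NAME { key = value ... }`.  ASSUMPTION of this
# example: blocks sharing a name are the set `ldflag = fail_over` switches
# between, so they are returned as a list instead of being merged.
REALM_BLOCK = re.compile(r'realm\s+(\S+?)\s*\{(.*?)\}', re.S)
# radiusd -X line: "Thu Apr  8 12:34:28 2004 : Debug: <message>"
LOG_LINE = re.compile(r'^\w{3} \w{3}\s+\d+ [\d:]+ \d{4} : (\w+): (.*)$')

def parse_proxy_conf(text: str) -> List[Tuple[str, dict]]:
    """Return (realm name, settings) for every realm block, in file order."""
    realms = []
    for name, body in REALM_BLOCK.findall(text):
        settings = {}
        for raw in body.splitlines():
            line = raw.split('#', 1)[0].strip()        # drop comments and blanks
            if not line:
                continue
            if '=' in line:
                key, value = line.split('=', 1)
                settings[key.strip()] = value.strip()
            else:
                settings[line] = True                   # bare flag such as nostrip
        realms.append((name, settings))
    return realms

@dataclass
class Outcome:
    realm: Optional[str] = None        # realm that rlm_realm matched
    wanted_proxy: bool = False         # "Proxying request from user ..."
    treated_local: bool = False        # "Authentication realm is LOCAL."
    auth_type: Optional[str] = None    # Auth-Type chosen by rad_check_password
    modules: List[str] = field(default_factory=list)   # authenticate modules run
    login: Optional[str] = None        # "Login OK" or "Login incorrect"

    @property
    def proxied(self) -> bool:
        # rlm_realm announces proxying before its LOCAL check, so only the
        # absence of the LOCAL line means the packet really left the server.
        return self.wanted_proxy and not self.treated_local

def analyse_log(text: str) -> Outcome:
    """Walk the debug output and record the proxy-or-local decision."""
    out = Outcome()
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue                                    # rad_recv / attribute lines
        level, msg = m.groups()
        if (r := re.search(r'rlm_realm: Found realm "([^"]+)"', msg)):
            out.realm = r.group(1)
        elif 'rlm_realm: Proxying request from user' in msg:
            out.wanted_proxy = True
        elif 'rlm_realm: Authentication realm is LOCAL' in msg:
            out.treated_local = True
        elif (r := re.search(r'Found Auth-Type\s+(\S+)', msg)):
            out.auth_type = r.group(1)
        elif (r := re.search(r'modsingle\[authenticate\]: calling (\S+)', msg)):
            out.modules.append(r.group(1))
        elif level == 'Auth' and msg.startswith('Login'):
            out.login = msg.split(':', 1)[0]
    return out

def report(realms: List[Tuple[str, dict]], out: Outcome) -> str:
    """Plain-text verdict: where the request went and whether fail-over can work."""
    homes = [s.get('authhost', '?') for name, s in realms if name == out.realm]
    if out.proxied:
        return f'realm {out.realm}: request forwarded; home servers {homes}'
    why = 'treated as LOCAL' if out.treated_local else 'no proxy decision'
    text = (f'realm {out.realm}: NOT forwarded ({why}); authenticated locally via '
            f'Auth-Type {out.auth_type} ({", ".join(out.modules) or "none"}): {out.login}')
    if len(homes) < 2:
        text += (f'\nonly {len(homes)} home server(s) listed for realm {out.realm}: '
                 'fail-over needs at least two')
    return text

# Constructed sample input mirroring the thread (placeholder host and secret).
SAMPLE_PROXY_CONF = """\
realm DEFAULT {
    authhost = home1.example.net:1812
    secret   = PLACEHOLDER_SECRET
    ldflag   = fail_over
}
"""
SAMPLE_LOG = """\
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Found realm "DEFAULT"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Proxying request from user dummy to realm DEFAULT
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Authentication realm is LOCAL.
Thu Apr  8 12:34:28 2004 : Debug:   rad_check_password:  Found Auth-Type System
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authenticate]: calling unix (rlm_unix) for request 0
Thu Apr  8 12:34:28 2004 : Auth: Login incorrect: [dummy] (from client nas.example.net port 0 cli 31)
"""

if __name__ == '__main__':
    print(report(parse_proxy_conf(SAMPLE_PROXY_CONF), analyse_log(SAMPLE_LOG)))
```

Run it against a real radiusd -X capture together with the matching proxy.conf. A verdict of "NOT forwarded (treated as LOCAL)" means the fail-over setting never came into play for that request, so the realm definition on the server that produced the log is where to look next, not ldflag; the second line of the verdict separately flags a realm that lists only one home server, which has nothing to fail over to whatever ldflag says.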


configure fail over -- docs please

2004-04-07 Thread Vasudevan.S
Dear All,

Is there any document on configuring failover using a FreeRADIUS 
installation in distributed setups (different networks)? If there is one, 
please point me to the doc.

Thanks,
Vasudevan.S