Re: NAS list update without restarting radius server.
Yes, you can specify a network, not just single IP address.

Ivan Kalik
Kalik Informatika ISP

On 12/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:

>Hi Ivan,
>
>  Thanks for the reply. I think it's starting to sink in. :)
>I have to test out how we'll do a bit of it, but I think I get the
>gist of it. I don't see how any of the netmask, require_message_authenticator
>or virtual_server fit into it... But since I wasn't using it anyway, I
>won't push my luck. ;) (Unless for netmask you're saying the nasname
>could be 192.168.3.0/24)
>
>  Thanks, Tuc
>>
>> nasname on your AP goes into NAS-Identifier field in access request.
>> It's not the same as nasname in nas table which takes NAS IP or FQDN.
>> You can put it in shortname field. "Secret per NAS" = "Secret per NAS
>> IP address".
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:
>>
>> >Hi,
>> >
>> >If I choose DNS name, and I don't fully qualify it,
>> >does it follow the standard BIND rules of using the "domain"
>> >setting, or going down the "search" path?
>> >
>> >Reason I'm trying to avoid the IP or the FQDN is that
>> >I was hoping to use the nasname along with the secret in
>> >the UAM program I'm using for a "Secret per NAS" situation.
>> >The hotspots are already using just a nasname currently (Which
>> >is just something like SBC-1427). (Then again, getting the
>> >client to put all the NAS into DNS is going to be a tough
>> >sell too)
>> >
>> >Thanks, Tuc
>> >>
>> >> IP address (or DNS name) goes into nasname field.
>> >>
>> >> Ivan Kalik
>> >> Kalik Informatika ISP
>> >>
>> >>
>> >> On 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:
>> >>
>> >> >Hi,
>> >> >
>> >> >  I had actually kept this email in my queue to implement
>> >> >someday. Today is someday. But I have a question.
>> >> >
>> >> >  The config file contains IP addresses, which the nas.sql
>> >> >doesn't. How do I sync up the format of the clients.conf with
>> >> >the nas.sql?
>> >> >
>> >> >client nas_shortname {
>> >> >  ipaddr = ??
>> >> >  (or)
>> >> >  ipv6addr =
>> >> >  netmask =
>> >> >  secret = nas_secret
>> >> >  require_message_authenticator =
>> >> >  shortname = nas_shortname
>> >> >  nastype = nas_type
>> >> >  virtual_server =
>> >> >}
>> >> >
>> >> >  Thanks, Tuc
>> >> >>
>> >> >> Hi,
>> >> >>
>> >> >> in sql.conf it says:
>> >> >>
>> >> >> Set readclients to 'yes' to read radius clients from the database
>> >> >> ('nas' table)
>> >> >> Clients will ONLY be read on server startup. For performance
>> >> >> and security reasons, finding clients via SQL queries CANNOT
>> >> >> be done "live" while the server is running.
>> >> >>
>> >> >> Best,
>> >> >> Walter
>> >> >>
>> >> >>
>> >> >> On 22.01.2008 at 19:30, Pawel Cieplinski wrote:
>> >> >>
>> >> >> > Hi there
>> >> >> >
>> >> >> > Everything works fine so far, but after adding a new NAS to DB,
>> >> >> > radius server need restart to read this data, I am trying to
>> >> >> > manipulate nas list without restarting freeradius, but due to lack
>> >> >> > of documentation could you help me with that please.
>> >> >> >
>> >> >> > Pawel Cieplinski

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: SPAM(6.5) Re: NAS list update without restarting radius server.
Hello,

- Anyone can point me in the right direction if I am getting this error, from the client:

"CTRL-EVENT-EAP-FAILURE EAP authentication failed"

- And on the freeradius console I have this:

	Called-Station-Id = "00-20-a6-64-c3-b1:MVG-Personal"
	Calling-Station-Id = "00-0f-cb-f9-3b-f9;MVG-Personal"
	NAS-Identifier = "MVG-1"
	State = 0x73e4f46973e6f0393091c54faaf880fd
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020200060315
	Message-Authenticator = 0x330b306447495e1a49cd5c7cfe5c1c6d
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "easy", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry easy at line 90
expand: Hello, %{User-Name} -> Hello, easy
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/ttls
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
	Reply-Message = "Hello, easy"
	EAP-Message = 0x010300061520
	Message-Authenticator = 0x
	State = 0x73e4f46972e7e1393091c54faaf880fd
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 153 with timestamp +279
Cleaning up request 1 ID 154 with timestamp +279
Ready to process requests.

- And the client doesn't get an IP address, guessing it has something to do with EAP authentication "No EAP Start".

Thanks very much for help!

Best regards,
Johan Nyman
Re: NAS list update without restarting radius server.
Hi Ivan,

  Thanks for the reply. I think it's starting to sink in. :)
I have to test out how we'll do a bit of it, but I think I get the
gist of it. I don't see how any of the netmask, require_message_authenticator
or virtual_server fit into it... But since I wasn't using it anyway, I
won't push my luck. ;) (Unless for netmask you're saying the nasname
could be 192.168.3.0/24)

  Thanks, Tuc
>
> nasname on your AP goes into NAS-Identifier field in access request.
> It's not the same as nasname in nas table which takes NAS IP or FQDN.
> You can put it in shortname field. "Secret per NAS" = "Secret per NAS
> IP address".
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:
>
> >Hi,
> >
> >  If I choose DNS name, and I don't fully qualify it,
> >does it follow the standard BIND rules of using the "domain"
> >setting, or going down the "search" path?
> >
> >  Reason I'm trying to avoid the IP or the FQDN is that
> >I was hoping to use the nasname along with the secret in
> >the UAM program I'm using for a "Secret per NAS" situation.
> >The hotspots are already using just a nasname currently (Which
> >is just something like SBC-1427). (Then again, getting the
> >client to put all the NAS into DNS is going to be a tough
> >sell too)
> >
> >  Thanks, Tuc
> >>
> >> IP address (or DNS name) goes into nasname field.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >>
> >> On 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:
> >>
> >> >Hi,
> >> >
> >> >  I had actually kept this email in my queue to implement
> >> >someday. Today is someday. But I have a question.
> >> >
> >> >  The config file contains IP addresses, which the nas.sql
> >> >doesn't. How do I sync up the format of the clients.conf with
> >> >the nas.sql?
> >> >
> >> >client nas_shortname {
> >> >  ipaddr = ??
> >> >  (or)
> >> >  ipv6addr =
> >> >  netmask =
> >> >  secret = nas_secret
> >> >  require_message_authenticator =
> >> >  shortname = nas_shortname
> >> >  nastype = nas_type
> >> >  virtual_server =
> >> >}
> >> >
> >> >  Thanks, Tuc
> >> >>
> >> >> Hi,
> >> >>
> >> >> in sql.conf it says:
> >> >>
> >> >> Set readclients to 'yes' to read radius clients from the database
> >> >> ('nas' table)
> >> >> Clients will ONLY be read on server startup. For performance
> >> >> and security reasons, finding clients via SQL queries CANNOT
> >> >> be done "live" while the server is running.
> >> >>
> >> >> Best,
> >> >> Walter
> >> >>
> >> >>
> >> >> On 22.01.2008 at 19:30, Pawel Cieplinski wrote:
> >> >>
> >> >> > Hi there
> >> >> >
> >> >> > Everything works fine so far, but after adding a new NAS to DB,
> >> >> > radius server need restart to read this data, I am trying to
> >> >> > manipulate nas list without restarting freeradius, but due to lack
> >> >> > of documentation could you help me with that please.
> >> >> >
> >> >> > Pawel Cieplinski
Re: NAS list update without restarting radius server.
nasname on your AP goes into NAS-Identifier field in access request.
It's not the same as nasname in nas table which takes NAS IP or FQDN.
You can put it in shortname field. "Secret per NAS" = "Secret per NAS
IP address".

Ivan Kalik
Kalik Informatika ISP

On 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:

>Hi,
>
>  If I choose DNS name, and I don't fully qualify it,
>does it follow the standard BIND rules of using the "domain"
>setting, or going down the "search" path?
>
>  Reason I'm trying to avoid the IP or the FQDN is that
>I was hoping to use the nasname along with the secret in
>the UAM program I'm using for a "Secret per NAS" situation.
>The hotspots are already using just a nasname currently (Which
>is just something like SBC-1427). (Then again, getting the
>client to put all the NAS into DNS is going to be a tough
>sell too)
>
>  Thanks, Tuc
>>
>> IP address (or DNS name) goes into nasname field.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:
>>
>> >Hi,
>> >
>> >I had actually kept this email in my queue to implement
>> >someday. Today is someday. But I have a question.
>> >
>> >The config file contains IP addresses, which the nas.sql
>> >doesn't. How do I sync up the format of the clients.conf with
>> >the nas.sql?
>> >
>> >client nas_shortname {
>> >  ipaddr = ??
>> >  (or)
>> >  ipv6addr =
>> >  netmask =
>> >  secret = nas_secret
>> >  require_message_authenticator =
>> >  shortname = nas_shortname
>> >  nastype = nas_type
>> >  virtual_server =
>> >}
>> >
>> >Thanks, Tuc
>> >>
>> >> Hi,
>> >>
>> >> in sql.conf it says:
>> >>
>> >> Set readclients to 'yes' to read radius clients from the database
>> >> ('nas' table)
>> >> Clients will ONLY be read on server startup. For performance
>> >> and security reasons, finding clients via SQL queries CANNOT
>> >> be done "live" while the server is running.
>> >>
>> >> Best,
>> >> Walter
>> >>
>> >>
>> >> On 22.01.2008 at 19:30, Pawel Cieplinski wrote:
>> >>
>> >> > Hi there
>> >> >
>> >> > Everything works fine so far, but after adding a new NAS to DB,
>> >> > radius server need restart to read this data, I am trying to
>> >> > manipulate nas list without restarting freeradius, but due to lack
>> >> > of documentation could you help me with that please.
>> >> >
>> >> > Pawel Cieplinski
Re: NAS list update without restarting radius server.
Tuc at T-B-O-H.NET wrote:
> If I choose DNS name, and I don't fully qualify it,
> does it follow the standard BIND rules of using the "domain"
> setting, or going down the "search" path?

It follows the normal process to look up domain names.

Alan DeKok.
Re: NAS list update without restarting radius server.
Hi,

  If I choose DNS name, and I don't fully qualify it,
does it follow the standard BIND rules of using the "domain"
setting, or going down the "search" path?

  Reason I'm trying to avoid the IP or the FQDN is that
I was hoping to use the nasname along with the secret in
the UAM program I'm using for a "Secret per NAS" situation.
The hotspots are already using just a nasname currently (Which
is just something like SBC-1427). (Then again, getting the
client to put all the NAS into DNS is going to be a tough
sell too)

  Thanks, Tuc
>
> IP address (or DNS name) goes into nasname field.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:
>
> >Hi,
> >
> >  I had actually kept this email in my queue to implement
> >someday. Today is someday. But I have a question.
> >
> >  The config file contains IP addresses, which the nas.sql
> >doesn't. How do I sync up the format of the clients.conf with
> >the nas.sql?
> >
> >client nas_shortname {
> >  ipaddr = ??
> >  (or)
> >  ipv6addr =
> >  netmask =
> >  secret = nas_secret
> >  require_message_authenticator =
> >  shortname = nas_shortname
> >  nastype = nas_type
> >  virtual_server =
> >}
> >
> >  Thanks, Tuc
> >>
> >> Hi,
> >>
> >> in sql.conf it says:
> >>
> >> Set readclients to 'yes' to read radius clients from the database
> >> ('nas' table)
> >> Clients will ONLY be read on server startup. For performance
> >> and security reasons, finding clients via SQL queries CANNOT
> >> be done "live" while the server is running.
> >>
> >> Best,
> >> Walter
> >>
> >>
> >> On 22.01.2008 at 19:30, Pawel Cieplinski wrote:
> >>
> >> > Hi there
> >> >
> >> > Everything works fine so far, but after adding a new NAS to DB,
> >> > radius server need restart to read this data, I am trying to
> >> > manipulate nas list without restarting freeradius, but due to lack
> >> > of documentation could you help me with that please.
> >> >
> >> > Pawel Cieplinski
Re: NAS list update without restarting radius server.
IP address (or DNS name) goes into nasname field.

Ivan Kalik
Kalik Informatika ISP

On 11/4/2008, "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]> wrote:

>Hi,
>
>  I had actually kept this email in my queue to implement
>someday. Today is someday. But I have a question.
>
>  The config file contains IP addresses, which the nas.sql
>doesn't. How do I sync up the format of the clients.conf with
>the nas.sql?
>
>client nas_shortname {
>  ipaddr = ??
>  (or)
>  ipv6addr =
>  netmask =
>  secret = nas_secret
>  require_message_authenticator =
>  shortname = nas_shortname
>  nastype = nas_type
>  virtual_server =
>}
>
>  Thanks, Tuc
>>
>> Hi,
>>
>> in sql.conf it says:
>>
>> Set readclients to 'yes' to read radius clients from the database
>> ('nas' table)
>> Clients will ONLY be read on server startup. For performance
>> and security reasons, finding clients via SQL queries CANNOT
>> be done "live" while the server is running.
>>
>> Best,
>> Walter
>>
>>
>> On 22.01.2008 at 19:30, Pawel Cieplinski wrote:
>>
>> > Hi there
>> >
>> > Everything works fine so far, but after adding a new NAS to DB,
>> > radius server need restart to read this data, I am trying to
>> > manipulate nas list without restarting freeradius, but due to lack
>> > of documentation could you help me with that please.
>> >
>> > Pawel Cieplinski
Re: NAS list update without restarting radius server.
Hi,

  I had actually kept this email in my queue to implement
someday. Today is someday. But I have a question.

  The config file contains IP addresses, which the nas.sql
doesn't. How do I sync up the format of the clients.conf with
the nas.sql?

client nas_shortname {
  ipaddr = ??
  (or)
  ipv6addr =
  netmask =
  secret = nas_secret
  require_message_authenticator =
  shortname = nas_shortname
  nastype = nas_type
  virtual_server =
}

  Thanks, Tuc
>
> Hi,
>
> in sql.conf it says:
>
> Set readclients to 'yes' to read radius clients from the database
> ('nas' table)
> Clients will ONLY be read on server startup. For performance
> and security reasons, finding clients via SQL queries CANNOT
> be done "live" while the server is running.
>
> Best,
> Walter
>
>
> On 22.01.2008 at 19:30, Pawel Cieplinski wrote:
>
> > Hi there
> >
> > Everything works fine so far, but after adding a new NAS to DB,
> > radius server need restart to read this data, I am trying to
> > manipulate nas list without restarting freeradius, but due to lack
> > of documentation could you help me with that please.
> >
> > Pawel Cieplinski
Re: NAS list update without restarting radius server.
Arran Cudbard-Bell wrote:
>> If the list update takes longer than 1/10 of a second, something is
>> very wrong.
>
> Ours often takes ~20 seconds for 600 NAS.

Ouch. 600 SQL queries really take that long?

i.e. if the SELECT for NASes from SQL takes less than 20s on the
command-line, then something else is doing wrong inside of the server.

Alan DeKok.
Re: NAS list update without restarting radius server.
Hey Alan,

On Jan 23, 2008 9:47 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:

> liran tal wrote:
> > Maybe freeradius can read the nas list from sql at startup to some
> > linked list and this list will be updated every given interval with a query
> > to the database.
>
> It's more complicated than that. The NASes need to be deleted, too.
> And this has to be done without affecting normal server operation.
>
> As always, patches are welcome.
>

Well, every given interval a query will run on the database server to get the
list of nases and it will build a new linked list based on that and delete
the other nodes and free the pointers of those.

I guess that coming up with a method to check against each nas if it's
there or not, and to remove or add it based on a check is do-able
but would probably face some efficiency issues where-as I think it
would be proper to create a new linked list with whatever nases that
query returns and free the previous linked list from memory.

I haven't had a look at the relevant code but it seems quite basic
to implement unless I'm over-seeing some critical aspects :-)

I'll be glad to take a look if you can refer me to the current piece
of code where freeradius handles the nas lists read from the database
and stores them.

Regards,
Liran Tal.
RE: NAS list update without restarting radius server.
I won't be adding NASes, but users will do, so I am thinking 0-10 a day.

Linking to a dynamic list using interval it's not a good solution, because I
will need to wait for list update after adding NAS.

Other solution I am thinking is to run two instances of server and restart
them in round robin and use iptables to redirect packets to actual working
server.

Goal is to serve radius to third party as a service, so users will add their
own nases, modified them etc, at this stage I cannot really say how many
times a day I will need a restart, but I am wondering also about
following solution:

Run two servers:

Primary and Secondary, primary will be restarted once a day, and secondary
every time NAS list will be changed. After adding a NAS primary will not
respond (unknown NAS) so NAS will ask secondary instead) also request from
other nases will not be lost because primary is not restarted on NAS list
change.

What do you think ?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Marinko Tarlac
Sent: 23 January 2008 10:05
To: FreeRadius users mailing list
Subject: Re: NAS list update without restarting radius server.

Well how many times per day do you add nases?

On Jan 23, 2008 10:20 AM, liran tal <[EMAIL PROTECTED]> wrote:

Hey Alan,

On Jan 23, 2008 9:47 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:

liran tal wrote:
> Maybe freeradius can read the nas list from sql at startup to some
> linked list and this list will be updated every given interval with a query
> to the database.

It's more complicated than that. The NASes need to be deleted, too.
And this has to be done without affecting normal server operation.

As always, patches are welcome.

Well, every given interval a query will run on the database server to get the
list of nases and it will build a new linked list based on that and delete
the other nodes and free the pointers of those.

I guess that coming up with a method to check against each nas if it's
there or not, and to remove or add it based on a check is do-able
but would probably face some efficiency issues where-as I think it
would be proper to create a new linked list with whatever nases that
query returns and free the previous linked list from memory.

I haven't had a look at the relevant code but it seems quite basic
to implement unless I'm over-seeing some critical aspects :-)

I'll be glad to take a look if you can refer me to the current piece
of code where freeradius handles the nas lists read from the database
and stores them.

Regards,
Liran Tal.
Re: NAS list update without restarting radius server.
Alan DeKok wrote:
> Pawel Cieplinski wrote:
>> I won't be adding NASes, but users will do, so I am thinking 0-10 a day.
>>
>> Linking to a dynamic list using interval it's not a good solution, because I
>> will need to wait for list update after adding NAS.
>
> If the list update takes longer than 1/10 of a second, something is
> very wrong.

Ours often takes ~20 seconds for 600 NAS.

>> Other solution I am thinking is to run two instances of server and restart
>> them in round robin and use iptables to redirect packets to actual working
>> server.
>
> Yuck. That's a lot more complicated.
>
>> Goal is to serve radius to third party as a service, so users will add their
>> own nases, modified them etc, at this stage I cannot really say how many
>> times a day I will need a restart, but I am wondering also about
>> following solution:
>
> For all that work, why not just fix the server so that it can be
> safely HUP'd?
>
> Honestly, I'm wondering why people will put huge efforts into building
> and maintaining multiple machines rather than doing tiny bits of coding.
> If the functionality is *that* important, it should be important enough
> to add to the server core.
>
> Alan DeKok.
Re: NAS list update without restarting radius server.
Hi,

> well the previous info regarding this only being read at startup was
> specific to data in SQL, so I suppose a kill -HUP should work.
> But I haven't tested it :P, maybe someone else on the list can tell us,
> otherwise give it a go by manually updating the clients.conf and
> try a kill -HUP,

according to latest sources (2.0.1) users file is HUP safe, SQL is not
(SQL logging is) - as Alan says - need it? code it.

alan
Re: NAS list update without restarting radius server.
Andy Smith wrote:
> well the previous info regarding this only being read at startup was
> specific to data in SQL, so I suppose a kill -HUP should work.

Clients are not reloaded on HUP. Only modules, and even then, only
some modules. Look at the log file after a HUP to see which modules were
re-loaded.

Alan DeKok.
Re: NAS list update without restarting radius server.
Hi,

well the previous info regarding this only being read at startup was
specific to data in SQL, so I suppose a kill -HUP should work.
But I haven't tested it :P, maybe someone else on the list can tell us,
otherwise give it a go by manually updating the clients.conf and
try a kill -HUP,

cheers Andy.

----- Original Message -----
From: "Pawel Cieplinski" <[EMAIL PROTECTED]>
To: "'A.smith'" <[EMAIL PROTECTED]>
Sent: Wednesday, January 23, 2008 2:02 PM
Subject: RE: NAS list update without restarting radius server.

Hey Pawel,
why not have a script read the contents of the NAS table and update
the freeradius clients.conf text file with the data, then configure
freeradius to use the clients.conf file rather than MySQL for the
secrets data? You could have it run every minute or so???
cheers Andy.

Ok Andy but is radiusd not reading clients.conf on start ? Like data from SQL ?

Pawel
Re: NAS list update without restarting radius server.
Exactly my point Alan :)

Regards,
Liran Tal.

On Jan 23, 2008 2:04 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:

> Pawel Cieplinski wrote:
> > I won't be adding NASes, but users will do, so I am thinking 0-10 a day.
> >
> > Linking to a dynamic list using interval it's not a good solution, because I
> > will need to wait for list update after adding NAS.
>
> If the list update takes longer than 1/10 of a second, something is
> very wrong.
>
> > Other solution I am thinking is to run two instances of server and restart
> > them in round robin and use iptables to redirect packets to actual working
> > server.
>
> Yuck. That's a lot more complicated.
>
> > Goal is to serve radius to third party as a service, so users will add their
> > own nases, modified them etc, at this stage I cannot really say how many
> > times a day I will need a restart, but I am wondering also about
> > following solution:
>
> For all that work, why not just fix the server so that it can be
> safely HUP'd?
>
> Honestly, I'm wondering why people will put huge efforts into building
> and maintaining multiple machines rather than doing tiny bits of coding.
> If the functionality is *that* important, it should be important enough
> to add to the server core.
>
> Alan DeKok.
Re: NAS list update without restarting radius server.
Pawel Cieplinski wrote:
> I won't be adding NASes, but users will do, so I am thinking 0-10 a day.
>
> Linking to a dynamic list using interval it's not a good solution, because I
> will need to wait for list update after adding NAS.

If the list update takes longer than 1/10 of a second, something is
very wrong.

> Other solution I am thinking is to run two instances of server and restart
> them in round robin and use iptables to redirect packets to actual working
> server.

Yuck. That's a lot more complicated.

> Goal is to serve radius to third party as a service, so users will add their
> own nases, modified them etc, at this stage I cannot really say how many
> times a day I will need a restart, but I am wondering also about
> following solution:

For all that work, why not just fix the server so that it can be
safely HUP'd?

Honestly, I'm wondering why people will put huge efforts into building
and maintaining multiple machines rather than doing tiny bits of coding.
If the functionality is *that* important, it should be important enough
to add to the server core.

Alan DeKok.
RE: NAS list update without restarting radius server.
Hi Liran

I think, that will have to be a solution, I have got also an idea to run two
instances of server on one machine on different ports and redirect ports
using iptables, for example:

Radius A listening on ports 1820-1821
Radius B listening on ports 1822-1823
Variable server_on;

Start script is to run both servers and tell ip tables to redirect ports
1812-1813 to 1820-1821. Variable server_on is set to A;

And "reboot server script" is checking server_on value:

If server_on == A then
{
    reboot server B;
    tell iptables to forward request to server B;
    server_on = B;
}
else
{
    reboot server A;
    tell iptables to forward request to server A;
    server_on = A;
}

Theoretically non working server is idle and not taking resources.

The only thing I don't know yet is switching while request is operating eg:
user send auth_request... Get response, and we switched servers before
accounting.

It's just an idea, maybe it will be useful to someone

Pawel Cieplinski

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of liran tal
Sent: 23 January 2008 12:07
To: FreeRadius users mailing list
Subject: Re: NAS list update without restarting radius server.

I think that having 2 servers running in master/slave and constantly
exchanging the roles between them is highly a compromise for reading once
in a while a cached nas list and updating it every now and then.

The interval to update the nas list can be user defined and will solely
depend on your system being able to support it. Of course I wouldn't
recommend doing it every second but a reasonable time is in place I think.

Also I'm thinking that like most services in the world changes take effect
only after a limited time which you can enforce in a policy. For example,
you tell your users or whomever operates the nas list that changes to the
nas are affected only after 3 hours and set that time as the interval for
freeradius to re-build the list. Very much like that is what happens with
DNS record updates for example (although for somewhat different reasons)
which you have to wait at least a couple of hours if not the full 72 hours
for the dns records to update on servers/routers across the globe.

Regards,
Liran Tal.

On Jan 23, 2008 12:08 PM, Pawel Cieplinski <[EMAIL PROTECTED] > wrote:

I won't be adding NASes, but users will do, so I am thinking 0-10 a day.

Linking to a dynamic list using interval it's not a good solution, because I
will need to wait for list update after adding NAS.

Other solution I am thinking is to run two instances of server and restart
them in round robin and use iptables to redirect packets to actual working
server.

Goal is to serve radius to third party as a service, so users will add their
own nases, modified them etc, at this stage I cannot really say how many
times a day I will need a restart, but I am wondering also about
following solution:

Run two servers:

Primary and Secondary, primary will be restarted once a day, and secondary
every time NAS list will be changed. After adding a NAS primary will not
respond (unknown NAS) so NAS will ask secondary instead) also request from
other nases will not be lost because primary is not restarted on NAS list
change.

What do you think ?

From: freeradius-users-bounces+pawel= [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED] > g] On Behalf Of Marinko Tarlac
Sent: 23 January 2008 10:05
To: FreeRadius users mailing list
Subject: Re: NAS list update without restarting radius server.

Well how many times per day do you add nases?

On Jan 23, 2008 10:20 AM, liran tal <[EMAIL PROTECTED] > wrote:

Hey Alan,
Re: NAS list update without restarting radius server.
Hey Pawel,

why not have a script read the contents of the NAS table and update
the freeradius clients.conf text file with the data, then configure
freeradius to use the clients.conf file rather than MySQL for the
secrets data? You could have it run every minute or so???

cheers Andy.
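
Added example, not part of the original thread and not FreeRADIUS code: one way to write the script Andy suggests, which also covers Tuc's question about mapping nas rows onto clients.conf fields (a nasname such as 192.168.3.0/24 becomes ipaddr plus netmask). Since users add their own NASes, every row is validated before it is written so a crafted shortname or secret cannot inject extra configuration. The column names, the validation patterns, the refusal of DNS names and the in-memory sqlite3 table with constructed rows are assumptions of this example.

```python
import ipaddress
import os
import re
import sqlite3
import tempfile

# Assumed validation policy (not FreeRADIUS rules): strict character sets so a
# value from the database can never close a stanza or start a new directive.
SHORTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,31}")
NASTYPE_RE = re.compile(r"[a-z0-9_]{1,30}")
SECRET_RE = re.compile(r"[A-Za-z0-9!#&*+,./:;=?@^_~-]{1,128}")


def render_client(row):
    """Render one (nasname, shortname, type, secret) row; ValueError if invalid."""
    nasname, shortname, nastype, secret = row
    # fullmatch, not match: "$" would accept a trailing newline.
    if not SHORTNAME_RE.fullmatch(shortname or ""):
        raise ValueError("bad shortname")
    if not NASTYPE_RE.fullmatch(nastype or ""):
        raise ValueError("bad nastype")
    if not SECRET_RE.fullmatch(secret or ""):
        raise ValueError("bad secret")
    # Literal addresses or networks only: DNS names are refused so the client
    # list does not depend on resolver search paths (assumption of this example).
    net = ipaddress.ip_network(str(nasname or ""), strict=True)
    key = "ipaddr" if net.version == 4 else "ipv6addr"
    lines = ["client %s {" % shortname, "\t%s = %s" % (key, net.network_address)]
    if net.prefixlen != net.max_prefixlen:
        lines.append("\tnetmask = %d" % net.prefixlen)
    lines += ['\tsecret = "%s"' % secret,
              "\tshortname = %s" % shortname,
              "\tnastype = %s" % nastype,
              "}"]
    return "\n".join(lines) + "\n"


def render_clients(rows):
    """Return (config_text, rejected); rejected is a list of (nasname, reason)."""
    stanzas, rejected, seen = [], [], set()
    for row in rows:
        try:
            stanza = render_client(row)
            if row[1] in seen:
                raise ValueError("duplicate shortname")
        except ValueError as exc:
            rejected.append((row[0], str(exc)))
            continue
        seen.add(row[1])
        stanzas.append(stanza)
    return "".join(stanzas), rejected


def write_if_changed(path, text):
    """Atomically replace path with text (mode 0600); return True if it changed."""
    try:
        with open(path, encoding="utf-8") as fh:
            if fh.read() == text:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(tmp, 0o600)      # the file holds shared secrets
        os.replace(tmp, path)     # readers never see a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return True


def load_sample_rows():
    """Constructed sample data in an in-memory table shaped like the nas table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nas (nasname TEXT, shortname TEXT, type TEXT, secret TEXT)")
    db.executemany("INSERT INTO nas VALUES (?, ?, ?, ?)", [
        ("192.168.3.0/24", "SBC-1427", "other", "s3cret-A"),
        ("2001:db8::10", "SBC-1428", "other", "s3cret-B"),
        ("hotspot7", "SBC-1429", "other", "s3cret-C"),   # unqualified DNS name
        ("10.0.0.9", "SBC-1430", "other", 'x"\n}\n'),    # would break out of the stanza
    ])
    rows = db.execute(
        "SELECT nasname, shortname, type, secret FROM nas ORDER BY shortname").fetchall()
    db.close()
    return rows


if __name__ == "__main__":
    text, rejected = render_clients(load_sample_rows())
    print(text)
    for nasname, reason in rejected:
        print("rejected %r: %s" % (nasname, reason))
```

As Alan DeKok points out elsewhere in the thread, clients are not reloaded on HUP, so a True result from write_if_changed only tells the caller that a restart is needed before the new list takes effect.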
Re: NAS list update without restarting radius server.
I think that having 2 servers running in master/slave and constantly exchanging the roles between them is highly a compromise for reading once in a while a cached nas list and updating it every now and then.

The interval to update the nas list can be user defined and will solely depend on your system being able to support it. Of course I wouldn't recommend doing it every second but a reasonable time is in place I think.

Also I'm thinking that like most services in the world changes take effect only after a limited time which you can enforce in a policy. For example, you tell your users or whomever operates the nas list that changes to the nas are affected only after 3 hours and set that time as the interval for freeradius to re-build the list. Very much like that is what happens with DNS record updates for example (although for somewhat different reasons) which you have to wait at least a couple of hours if not the full 72 hours for the dns records to update on servers/routers across the globe.

Regards,
Liran Tal.

On Jan 23, 2008 12:08 PM, Pawel Cieplinski <[EMAIL PROTECTED]> wrote:
> I won't be adding NASes, but users will do, so I am thinking 0-10 a day.
>
> Linking to a dynamic list using interval is not a good solution, because I will need to wait for list update after adding NAS.
>
> Other solution I am thinking is to run two instances of server and restart them in round robin and use iptables to redirect packets to actual working server.
>
> Goal is to serve radius to third party as a service, so users will add their own nases, modified them etc, at this stage I cannot really say how many times a day I will need a restart, but I am wondering also about following solution:
>
> Run two servers:
>
> Primary and Secondary, primary will be restarted once a day, and secondary every time NAS list will be changed. After adding a NAS primary will not respond (unknown NAS) so NAS will ask secondary instead) also request from other nases will not be lost because primary is not restarted on NAS list change.
>
> What do you think ?
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Marinko Tarlac
> Sent: 23 January 2008 10:05
> To: FreeRadius users mailing list
> Subject: Re: NAS list update without restarting radius server.
>
> Well how many times per day do you add nases?
>
> On Jan 23, 2008 10:20 AM, liran tal <[EMAIL PROTECTED]> wrote:
>
> Hey Alan,
>
> On Jan 23, 2008 9:47 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
>
> liran tal wrote:
>> Maybe freeradius can read the nas list from sql at startup to some linked list and this list will be updated every given interval with a query to the database.
>
> It's more complicated than that. The NASes need to be deleted, too. And this has to be done without affecting normal server operation.
>
> As always, patches are welcome.
>
> Well, every given interval a query will run on the database server to get the list of nases and it will build a new linked list based on that and delete the other nodes and free the pointers of those.
>
> I guess that coming up with a method to check against each nas if it's there or not, and to remove or add it based on a check is do-able but would probably face some efficiency issues where-as I think it would be proper to create a new linked list with whatever nases that query returns and free the previous linked list from memory.
>
> I haven't had a look at the relevant code but it seems quite basic to implement unless I'm over-seeing some critical aspects :-)
>
> I'll be glad to take a look if you can refer me to the current piece of code where freeradius handles the nas lists read from the database and stores them.
>
> Regards,
> Liran Tal.
Re: NAS list update without restarting radius server.
Well how many times per day do you add nases?

On Jan 23, 2008 10:20 AM, liran tal <[EMAIL PROTECTED]> wrote:
> Hey Alan,
>
> On Jan 23, 2008 9:47 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > liran tal wrote:
> > > Maybe freeradius can read the nas list from sql at startup to some linked list and this list will be updated every given interval with a query to the database.
> >
> > It's more complicated than that. The NASes need to be deleted, too. And this has to be done without affecting normal server operation.
> >
> > As always, patches are welcome.
>
> Well, every given interval a query will run on the database server to get the list of nases and it will build a new linked list based on that and delete the other nodes and free the pointers of those.
>
> I guess that coming up with a method to check against each nas if it's there or not, and to remove or add it based on a check is do-able but would probably face some efficiency issues where-as I think it would be proper to create a new linked list with whatever nases that query returns and free the previous linked list from memory.
>
> I haven't had a look at the relevant code but it seems quite basic to implement unless I'm over-seeing some critical aspects :-)
>
> I'll be glad to take a look if you can refer me to the current piece of code where freeradius handles the nas lists read from the database and stores them.
>
> Regards,
> Liran Tal.
Re: NAS list update without restarting radius server.
liran tal wrote:
> Maybe freeradius can read the nas list from sql at startup to some linked list and this list will be updated every given interval with a query to the database.

It's more complicated than that. The NASes need to be deleted, too. And this has to be done without affecting normal server operation.

As always, patches are welcome.

Alan DeKok.
Re: NAS list update without restarting radius server.
Maybe freeradius can read the nas list from sql at startup to some linked list and this list will be updated every given interval with a query to the database.

Sounds reasonable.

Regards,
Liran Tal.

On Jan 23, 2008 12:51 AM, Marinko Tarlac <[EMAIL PROTECTED]> wrote:
> Cron can help but how will you know that NAS is added and you can lose some updates while your radius server was down.
>
> Better idea is to make script and call it after every insert
>
> PHP can do this...
>
> Pawel Cieplinski wrote:
> > Hi
> >
> > Ok walter that is clear to me.
> >
> > How would you solve that problem? Let's say I need NAS working just after it's added to SQL.
> >
> > Restarting freeradius daemon using cron ?
> >
> > Or
> >
> > Use script which add NAS to SQL and restarting freeradius ?
> >
> > Regards
> > Pawel Cieplinski
> >
> > -----Original Message-----
> > From: freeradius-users-bounces+pawel=[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Walter Krivanek, VividVisions
> > Sent: 22 January 2008 18:46
> > To: FreeRadius users mailing list
> > Subject: Re: NAS list update without restarting radius server.
> >
> > Hi,
> >
> > in sql.conf it says:
> >
> > Set readclients to 'yes' to read radius clients from the database ('nas' table)
> > Clients will ONLY be read on server startup. For performance and security reasons, finding clients via SQL queries CANNOT be done "live" while the server is running.
> >
> > Best,
> > Walter
> >
> > On 22.01.2008 at 19:30, Pawel Cieplinski wrote:
> >> Hi there
> >>
> >> Everything works fine so far, but after adding a new NAS to DB, radius server needs a restart to read this data, I am trying to manipulate nas list without restarting freeradius, but due to lack of documentation could you help me with that please.
> >>
> >> Pawel Cieplinski
Re: NAS list update without restarting radius server.
Pawel Cieplinski wrote:
> Everything works fine so far, but after adding a new NAS to DB, radius server needs a restart to read this data, I am trying to manipulate nas list without restarting freeradius, but due to lack of documentation could you help me with that please.

As always, patches are welcome.

Alan DeKok.
Re: NAS list update without restarting radius server.
Hi,

in sql.conf it says:

    Set readclients to 'yes' to read radius clients from the database ('nas' table)
    Clients will ONLY be read on server startup. For performance and security reasons, finding clients via SQL queries CANNOT be done "live" while the server is running.

Best,
Walter

On 22.01.2008 at 19:30, Pawel Cieplinski wrote:
> Hi there
>
> Everything works fine so far, but after adding a new NAS to DB, radius server needs a restart to read this data, I am trying to manipulate nas list without restarting freeradius, but due to lack of documentation could you help me with that please.
>
> Pawel Cieplinski
Re: NAS list update without restarting radius server.
Cron can help but how will you know that NAS is added and you can lose some updates while your radius server was down.

Better idea is to make script and call it after every insert

PHP can do this...

Pawel Cieplinski wrote:
> Hi
>
> Ok walter that is clear to me.
>
> How would you solve that problem? Let's say I need NAS working just after it's added to SQL.
>
> Restarting freeradius daemon using cron ?
>
> Or
>
> Use script which add NAS to SQL and restarting freeradius ?
>
> Regards
> Pawel Cieplinski
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Walter Krivanek, VividVisions
> Sent: 22 January 2008 18:46
> To: FreeRadius users mailing list
> Subject: Re: NAS list update without restarting radius server.
>
> Hi,
>
> in sql.conf it says:
>
> Set readclients to 'yes' to read radius clients from the database ('nas' table)
> Clients will ONLY be read on server startup. For performance and security reasons, finding clients via SQL queries CANNOT be done "live" while the server is running.
>
> Best,
> Walter
>
> On 22.01.2008 at 19:30, Pawel Cieplinski wrote:
> > Hi there
> >
> > Everything works fine so far, but after adding a new NAS to DB, radius server needs a restart to read this data, I am trying to manipulate nas list without restarting freeradius, but due to lack of documentation could you help me with that please.
> >
> > Pawel Cieplinski
RE: NAS list update without restarting radius server.
Hi

Ok walter that is clear to me.

How would you solve that problem? Let's say I need NAS working just after it's added to SQL.

Restarting freeradius daemon using cron ?

Or

Use script which add NAS to SQL and restarting freeradius ?

Regards
Pawel Cieplinski

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Walter Krivanek, VividVisions
Sent: 22 January 2008 18:46
To: FreeRadius users mailing list
Subject: Re: NAS list update without restarting radius server.

Hi,

in sql.conf it says:

    Set readclients to 'yes' to read radius clients from the database ('nas' table)
    Clients will ONLY be read on server startup. For performance and security reasons, finding clients via SQL queries CANNOT be done "live" while the server is running.

Best,
Walter

On 22.01.2008 at 19:30, Pawel Cieplinski wrote:
> Hi there
>
> Everything works fine so far, but after adding a new NAS to DB, radius server needs a restart to read this data, I am trying to manipulate nas list without restarting freeradius, but due to lack of documentation could you help me with that please.
>
> Pawel Cieplinski