Re: Pre release of 2.1.12

2011-09-05 Thread Stefan Winter
Hi,

 it's now running on our most busy server. Both -X and
 background-multithreaded do their usual job. I do not see any problems
 so far.

 That said, I was at that point with 2.1.11 as well, and it caught fire
 after 48+ hours only. So, there might still be surprises. I'll keep it
 running under surveillance for the rest of the week. By next Monday,
 I'll speak up again and let you know if my setup (still) works fine.

Keeps on running like Forrest Gump.

Stefan


 Greetings,

 Stefan Winter

 Am 29.08.2011 16:13, schrieb Alan DeKok:
   I've put some pre releases of 2.1.12 on the web site:

 http://git.freeradius.org/pre/

   Please let me know if there are any problems.  If not, this can become
 2.1.12.

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html





-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





Re: Pre release of 2.1.12

2011-09-05 Thread Bjørn Mork
Been running a week now, and the prerelease still looks good here as
well.


Bjørn


Re: Pre release of 2.1.12

2011-09-05 Thread Alan Buxey
Hi,

  munin has been added to the radiusd group which is defined in the 
  control virtual server - and this used to work all okay
  with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have
  borked the access to radiusd.sock for other groups.
 
   I've committed a fix to the v2.1.x branch of git which should address
 this.

hmm, latest GIT version checked out and compiled...still seems to
do the same:


Mon Sep  5 13:39:33 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101


radiusd: FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Sep  5 2011 at 13:32:28


alan


Re: Pre release of 2.1.12

2011-09-05 Thread Arran Cudbard-Bell

On 5 Sep 2011, at 14:42, Alan Buxey wrote:

 Hi,
 
 munin has been added to the radiusd group which is defined in the 
 control virtual server - and this used to work all okay
 with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have
 borked the access to radiusd.sock for other groups.
 
  I've committed a fix to the v2.1.x branch of git which should address
 this.
 
 hmm, latest GIT version checked out and compiled...still seems to
 do the same:
 

Checked the freeradius.org repo and the github repo and there's been no 
relevant commits...

*poke* Alan D, git push...

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Pre release of 2.1.12

2011-09-05 Thread Alan Buxey
Hi,

  hmm, latest GIT version checked out and compiled...still seems to
  do the same:
  
 
 Checked the freeradius.org repo and the github repo and there's been no 
 relevant commits...
 
 *poke* Alan D, git push...

:-) must've gone to a private repo! :-)


PS thanks to this thread I've tweaked some of my settings too - and I love that
RANDOM idea. I'm wondering if there's any mileage in doing the same thing for
Session-Time auth replies? For when a drove of people fire up their
laptops/phones etc. at start of lecture hours or when labs get booted up at
same time with WoL?

alan


Re: Pre release of 2.1.12

2011-09-05 Thread Arran Cudbard-Bell

On 5 Sep 2011, at 15:06, Alan Buxey wrote:

 Hi,
 
 hmm, latest GIT version checked out and compiled...still seems to
 do the same:
 
 
 Checked the freeradius.org repo and the github repo and there's been no 
 relevant commits...
 
 *poke* Alan D, git push...
 
 :-) must've gone to a private repo! :-)

... and now a public repo, if you'd care to pull and try again.

 
 
 PS thanks to this thread I've tweaked some of my settings too - and I love that
 RANDOM idea. I'm wondering if there's any mileage in doing the same thing for
 Session-Time auth replies? For when a drove of people fire up their
 laptops/phones etc. at start of lecture hours or when labs get booted up at
 same time with WoL?
 

WoL stuff certainly. Also when you get a Switch/AP reboot and a bunch of 
devices come online at the same time, so you don't hammer the server with a 
bunch of simultaneous re-auths.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Pre release of 2.1.12

2011-09-05 Thread Alan Buxey
Hi,

  
  :-) must've gone to a private repo! :-)
 
 ... and now a public repo, if you'd care to pull and try again.

hmm, command.c and auth.c appear to have been updated but
still see no joy with 'radmin' as munin user (who is in radiusd group)

Mon Sep  5 15:55:04 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101

radiusd: FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Sep  5 2011 at 15:53:18


alan


Re: Pre release of 2.1.12

2011-09-05 Thread Alan Buxey
hi,

probably want to change this line in radmin.c too

printf("Copyright (C) 2008 The FreeRADIUS server project and contributors.\n");



maybe change that string to a global that can be pulled in from 
an include? - this could then be used in other places where old
copyright statements lurk


alan


Re: Pre release of 2.1.12

2011-09-05 Thread Alan DeKok
Alan Buxey wrote:
 maybe change that string to a global that can be pulled in from 
 an include? - this could then be used in other places where old
 copyright statements lurk

  Maybe.  It's not a high priority.

  Alan DeKok.


Re: Pre release of 2.1.12

2011-09-05 Thread Alan DeKok
Alan Buxey wrote:
 hmm, command.c and auth.c appears to have been updated but
 still see no joy with 'radmin' as munin user (who is in radiusd group)
 
 Mon Sep  5 15:55:04 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101

  My guess is that the get peer id function is returning only *one*
group.  Munin is first part of the munin group, but secondly part of
the radmin group.  So... the sockets asks which group is connecting,
and gets told munin.

  I'm not sure there's a clean solution to that.

  Alan DeKok.


Re: Pre release of 2.1.12

2011-09-05 Thread Alan Buxey
Hi,

   My guess is that the get peer id function is returning only *one*
 group.  Munin is first part of the munin group, but secondly part of
 the radmin group.  So... the sockets asks which group is connecting,
 and gets told munin.
 
   I'm not sure there's a clean solution to that.

hmm, it used to work - i guess the fix to fix the brokenness also broke
this setup.

alan


Re: Pre release of 2.1.12

2011-09-05 Thread Jim Madden
FWIW, found this in ./freeradius-server-2.1.12/src/main/auth.c

502c502
 #ifdef WITH_POXT_PROXY_AUTHORIZE
---
 #ifdef WITH_POST_PROXY_AUTHORIZE
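
Review bot: at line 502 of src/main/auth.c the guard name was misspelled as WITH_POXT_PROXY_AUTHORIZE, and an #ifdef on a macro that nothing defines compiles its block out without any warning, so the code under it was silently missing from the build. Alongside the rename to WITH_POST_PROXY_AUTHORIZE, a grep of the tree for WITH_ names that are tested but never defined would catch any other guard with the same problem.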



On Aug 29, 2011, at 7:13 AM, Alan DeKok wrote:

  I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
  Please let me know if there are any problems.  If not, this can become
 2.1.12.
 
  Alan DeKok.


Re: Pre release of 2.1.12

2011-09-05 Thread Alan DeKok
Jim Madden wrote:
 FWIW, found this in ./freeradius-server-2.1.12/src/main/auth.c

  Whoops.  Fixed that, thanks.

  Alan DeKok.


Re: Pre release of 2.1.12

2011-09-05 Thread Alan DeKok
Alan Buxey wrote:
 hmm, it used to work - i guess the fix to fix the brokenness also broke
 this setup.

  I think the change is related to checking the peer ID on the new
connection, rather than the old one.  See commit
f0e7064e58f712853c429dcb27e53861f1a9cde1

  Alan DeKok.


Re: Pre release of 2.1.12

2011-09-05 Thread Bjørn Mork
Alan DeKok al...@deployingradius.com writes:
 Alan Buxey wrote:
 hmm, command.c and auth.c appears to have been updated but
 still see no joy with 'radmin' as munin user (who is in radiusd group)
 
 Mon Sep  5 15:55:04 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101

   My guess is that the get peer id function is returning only *one*
 group.  Munin is first part of the munin group, but secondly part of
 the radmin group.  So... the sockets asks which group is connecting,
 and gets told munin.

I assume that's because the function uses the sockopt

   SO_PEERCRED
          Return the credentials of the foreign process connected to
          this socket.  This is only possible for connected AF_UNIX
          stream sockets and AF_UNIX stream and datagram socket
          pairs created using socketpair(2); see unix(7).  The
          returned credentials are those that were in effect at the
          time of the call to connect(2) or socketpair(2).  Argument
          is a ucred structure.  This socket option is read-only.


So how about just running 'sg radiusd radmin'?  Would that work?  And be
an acceptable workaround?


Bjørn
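
The single-gid behaviour discussed above, as an added example (not FreeRADIUS code and not from any poster): SO_PEERCRED reports only the peer's effective gid, so a group-membership check has to look up the groups of the peer's uid separately. The function names and the locally declared struct peer_cred are hypothetical; Linux is assumed.

```c
#define _DEFAULT_SOURCE              /* for getgrouplist() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Same layout as Linux struct ucred (unix(7)); declared locally so the
 * example builds without _GNU_SOURCE. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Credentials the kernel recorded at connect(2)/socketpair(2) time.
 * Exactly one gid comes back: the peer's effective gid. */
static int get_peer_cred(int fd, struct peer_cred *pc)
{
    socklen_t len = sizeof(*pc);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, pc, &len) < 0) return -1;
    return len == sizeof(*pc) ? 0 : -1;
}

static int gid_in_list(const gid_t *list, int n, gid_t wanted)
{
    for (int i = 0; i < n; i++)
        if (list[i] == wanted) return 1;
    return 0;
}

/* Hypothetical check: accept if `allowed` is the peer's effective gid, or if
 * the account database lists it among the groups of the peer's uid. */
static int peer_in_group(int fd, gid_t allowed)
{
    struct peer_cred pc;
    gid_t groups[256];
    int n = 256;
    if (get_peer_cred(fd, &pc) < 0) return 0;
    if (pc.gid == allowed) return 1;       /* the single-gid comparison */
    struct passwd *pw = getpwuid(pc.uid);
    if (!pw) return 0;                     /* unknown uid: refuse */
    if (getgrouplist(pw->pw_name, pc.gid, groups, &n) < 0)
        return 0;                          /* more than 256 groups: refuse */
    return gid_in_list(groups, n, allowed);
}

int main(void)
{
    int sv[2];
    struct peer_cred pc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || get_peer_cred(sv[0], &pc) < 0)
        return 1;
    printf("peer pid=%d uid=%u gid=%u allowed-for-own-gid=%d\n", (int)pc.pid,
           (unsigned)pc.uid, (unsigned)pc.gid, peer_in_group(sv[0], pc.gid));
    return 0;
}
```

Membership looked up this way reflects the account database rather than the credentials the connecting process actually holds, which is the trade-off against the strict comparison. Running 'sg radiusd radmin', as suggested above, instead makes radiusd the effective gid that SO_PEERCRED reports.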



Re: Pre release of 2.1.12

2011-09-04 Thread Alan DeKok
Alexander Clouter wrote:
 Would be handy to change Acct-Interim-Interval to something like:
 
 update reply {
   Acct-Interim-Interval := 3000 + %{rand:1200}
 }
 

  Cute.  Added.

  Alan DeKok.


Re: Pre release of 2.1.12

2011-09-04 Thread Alan DeKok
Alan Buxey wrote:
 however, i have noticed a bug/change of behaviour which doesn't
 seem right.

 Fri Sep  2 17:15:04 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101
 Fri Sep  2 17:15:16 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101
 Fri Sep  2 17:15:29 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101

 GID 101 is munin.

  OK.

 munin has been added to the radiusd group which is defined in the 
 control virtual server - and this used to work all okay
 with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have
 borked the access to radiusd.sock for other groups.

  I've committed a fix to the v2.1.x branch of git which should address
this.

  Alan DeKok.


Re: Pre release of 2.1.12

2011-09-02 Thread Alexander Clouter
Alexander Clouter a...@digriz.org.uk wrote:

 I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
 Priming up my end for a burn in...
 
24 hours later, still churning happily.  Running 2.1.12 (bfe2c025).

Cheers

-- 
Alexander Clouter
.sigmonster says: The only constant is change.



Re: Pre release of 2.1.12

2011-09-02 Thread ironrake
It is running on one of my production servers. So far no problems, but it has
only run for a few hours.


Re: Pre release of 2.1.12

2011-09-02 Thread Alan Buxey
Hi,

okay, 7k auths through so far and all fine so far for auths.

however, i have noticed a bug/change of behaviour which doesn't
seem right.



Fri Sep  2 17:15:04 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101
Fri Sep  2 17:15:16 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101
Fri Sep  2 17:15:29 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101


GID 101 is munin.

munin has been added to the radiusd group which is defined in the 
control virtual server - and this used to work all okay
with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have
borked the access to radiusd.sock for other groups.


alan


Re: Pre release of 2.1.12

2011-09-02 Thread James J J Hooper

On 29/08/2011 15:13, Alan DeKok wrote:

   I've put some pre releases of 2.1.12 on the web site:

http://git.freeradius.org/pre/

   Please let me know if there are any problems.  If not, this can become
2.1.12.


All seems good so far.

-James

radmin show version
FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Aug 30 2011 at 01:08:47

radmin show uptime
Up since Thu Sep  1 04:02:20 2011
radmin stats client auth
requests        419006
responses       432061
accepts         56219
rejects         4154
challenges      371688
dup             44
invalid         0
malformed       0
bad_signature   0
dropped         65
unknown_types   0
radmin stats client acct
requests        93500
responses       93499
dup             0
invalid         0
malformed       0
bad_signature   0
dropped         0
unknown_types   0




Re: Pre release of 2.1.12

2011-09-02 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
 Please let me know if there are any problems.  If not, this can become 
 2.1.12.
 
Something handy to add if it is not too late.

We suffered a power failure today which caused our 802.1X/MAC-auth 
clients to surge their accounting traffic.  All due to the following in 
post-auth:

# defaults
update reply {
  [snipped]

  Acct-Interim-Interval := 3600
}


Would be handy to change Acct-Interim-Interval to something like:

update reply {
  Acct-Interim-Interval := 3000 + %{rand:1200}
}


This would give me Acct-Interim-Interval set to 1hr+-10mins.

As it is set now, I just got 1MB of journal recorded to file accounting 
data landing on my systems :)

Cheers

-- 
Alexander Clouter
.sigmonster says: The chief cause of problems is solutions.
-- Eric Sevareid



Re: Pre release of 2.1.12

2011-09-02 Thread Arran Cudbard-Bell
 
 
 Would be handy to change Acct-Interim-Interval to something like:
 
 update reply {
   Acct-Interim-Interval := 3000 + %{rand:1200}
 }
 
 
 This would give me Acct-Interim-Interval set to 1hr+-10mins.
 
 As it is set now, I just got 1MB of journal recorded to file accounting 
 data landing on my systems :)

Are you suggesting adding a rand xlat? I guess it'd be useful to add some fuzz 
to interim update intervals.  But there are many other options for fuzz other 
than rand. For example...

if(%{%{NAS-IP-Address}:-%{Packet-Src-Ip-Address}} =~ /([0-9]{1,3})[.]([0-9]{1,3})$/){
  update control {
    Tmp-Integer-0 = %{expr:((%{1}*1000)+%{2})%%2000}
  }
}

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Pre release of 2.1.12

2011-09-02 Thread Bruce Nunn
40,000 authentications in about 6 and a half hours. I use eap, eap-peap, ldap,
mschap, files, sql (mysql), proxy, and postauth mostly. No problems. The files
and sql modules are where I have my wildest modifications, but that is not
much compared to what some people on this list are doing. I use the eap cache
and configure the eap/mschap with send_error = yes. No problems seen. My
first impression is that the server is doing a cleaner job of managing child
processes. My platform is CentOS 5.6 with standard packages except Samba and
FreeRADIUS.



Re: Pre release of 2.1.12

2011-09-01 Thread Stefan Winter
Hi,

it's now running on our most busy server. Both -X and
background-multithreaded do their usual job. I do not see any problems
so far.

That said, I was at that point with 2.1.11 as well, and it caught fire
after 48+ hours only. So, there might still be surprises. I'll keep it
running under surveillance for the rest of the week. By next Monday,
I'll speak up again and let you know if my setup (still) works fine.

Greetings,

Stefan Winter

Am 29.08.2011 16:13, schrieb Alan DeKok:
   I've put some pre releases of 2.1.12 on the web site:

 http://git.freeradius.org/pre/

   Please let me know if there are any problems.  If not, this can become
 2.1.12.

   Alan DeKok.


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





Re: Pre release of 2.1.12

2011-09-01 Thread Alexander Clouter
Alan DeKok al...@deployingradius.com wrote:

 I've put some pre releases of 2.1.12 on the web site:
 
 http://git.freeradius.org/pre/
 
Priming up my end for a burn in...

Cheers

-- 
Alexander Clouter
.sigmonster says: And on the seventh day, He exited from append mode.



Re: Pre release of 2.1.12

2011-09-01 Thread Alan Buxey
Hi,

 it's now running on our most busy server. Both -X and
 background-multithreaded do their usual job. I do not see any problems
 so far.

it's on one of our production servers and on a couple of other
systems.

alan