(RADIATOR) Re: Radiator: Performance issue
Hello Jaafar -

Given the sizes of your /etc/passwd and /etc/shadow files, I am not surprised that Radiator is taking so long to start up. You should really be using an SQL database for such large user populations.

regards

Hugh

On Tuesday, September 3, 2002, at 02:14 PM, Jaafar Bin Sarim wrote:

> Hello Hugh
>
> I'm running 5 instances of radiusd operating in one server with 256M RAM
> and a 200MHz UltraSPARC 1 CPU.
>
> Each of the 5 instances takes this much time to start, as shown below:
>
> #/var/run 539$ time rad-roamin start
>
> real 0m53.145s
> user 0m44.750s
> sys  0m1.800s
>
> The sizes of /etc/passwd and /etc/shadow in the server are as follows:
> -rw-r--r-- 1 root staff 21215436 Sep 3 11:37 /etc/passwd
> -r         1 root staff 10251013 Sep 3 11:37 /etc/shadow
>
> We're running Radiator version 3.1.
>
> We're updating our /etc/passwd and /etc/shadow every hour and the 5
> radius instances seem to be caching every hour as well.
> This results in unavailability of the 5 radius instances.
>
> Are there any tips to improve performance or avoid any recaching
> overlaps?
>
> Thank you.
>
> Best Regards
> Jaafar Sarim
> SingNet

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) ipass Config Question
Hello Tunde -

Your Handler is not being used because the username string does not look like "user@myipass", which is what you have specified. I will need to see a trace 4 debug to see what form the iPass requests look like.

And if you are not reliably receiving the Framed-IP-Address attribute in the accounting requests, using the Class attribute as a backup is a good idea.

regards

Hugh

On Tuesday, September 3, 2002, at 04:09 AM, Ayotunde Itayemi wrote:
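As an added illustration (not code from the thread or from Radiator), the Client-clause RewriteUsername rule from the posted config rendered in Python, applied to a few constructed usernames to show which of them end up in the "@myipass" realm that the iPass Handler keys on. The regex is translated from the Perl in the config; the realm-after-last-'@' split is an assumption about how the Handler's Realm match is evaluated.

```python
import re

# Client-clause rewrite from the posted config, translated from Perl
# s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/ to Python re syntax.
CLIENT_REWRITE = (re.compile(r"^IPASS/([^@]+)@([^@]+)$"), r"IPASS/\1#\2@myipass")

# Assumed realm the iPass Handler selects on ("user@myipass" in Hugh's reply).
IPASS_REALM = "myipass"


def rewrite_username(name: str) -> str:
    """Apply the Client RewriteUsername rule; names that do not match pass through unchanged."""
    pattern, replacement = CLIENT_REWRITE
    return pattern.sub(replacement, name)


def realm_of(name: str) -> str:
    """Realm is the text after the last '@' (assumed default realm split); '' if there is none."""
    return name.rsplit("@", 1)[1] if "@" in name else ""


def selects_ipass_handler(name_as_received: str) -> bool:
    """True if, after the Client rewrite, the request would reach a Handler keyed on Realm=myipass."""
    return realm_of(rewrite_username(name_as_received)) == IPASS_REALM


def classify(names):
    """Map each received username to (rewritten name, which handler it would select)."""
    out = {}
    for n in names:
        rewritten = rewrite_username(n)
        handler = "ipass" if realm_of(rewritten) == IPASS_REALM else "local"
        out[n] = (rewritten, handler)
    return out


if __name__ == "__main__":
    # Constructed sample usernames: only the first has the IPASS/user@realm shape the rewrite expects.
    for received, (rewritten, handler) in classify(
        ["IPASS/alice@roamer.example", "IPASS/alice", "bob@roamer.example", "IPASS/a@b@c"]
    ).items():
        print(f"{received:28} -> {rewritten:40} handler={handler}")
```

A username that arrives without the exact IPASS/user@realm shape is left untouched by the rewrite and therefore never acquires the myipass realm, which is the situation Hugh's reply describes.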
(RADIATOR) ipass Config Question
Hi All, Hi Hugh,

My config is as below. In the past when "we" discussed the state column of the RADONLINE database not being reset appropriately, resulting in the IP-address pool being exhausted, you told me to add the following lines to my config:

DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t where YIADDR='%0' or YIADDR='%{Class}'

to the AddressAllocator SQL clause, and the following line to the AuthBy DYNADDRESS clause:

AddToReply Class = %{Reply:Framed-IP-Address}

Okay, I removed them later when things seemed to have "stabilised" but I am thinking of reintroducing them again - please let me have your views based on the config file below.

MAIN PROBLEMS.

I installed iPass NetServer 3.9 as stated in the instructions and also configured Radiator (below) based on the iPass instructions for configuring Radiator. The problem is that somehow, Radiator is still using the handler for my client rather than the special handler for iPass - which should cause it to proxy the request to the local iPass NetServer running on the same system. Please note that the IP address I have Radiator running on is e.d.f.211. I have also disabled the apache client I had running before because I guess there would be a conflict between apache authentication and iPass NetServer since they both use localhost (127.0.0.1) in the client definitions for them?

Regards,
Tunde I.
    # --- RADAR -
    Username radar
    Password
    # Programs for Simultaneous-Use
    SnmpgetProg /usr/bin/snmpget
    # SNMP access to radiator
    ROCommunity mysnmpRADsecret
    Port 162
    Managers 127.0.0.1, 192.168.10.8
    # Online users
    Identifier SDB1
    DBSource dbi:Oracle:radius00
    DBUsername radius
    DBAuth radius
    # DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t \
    # where YIADDR='%0' or YIADDR='%{Class}'
    # ===
    Identifier mySQLallocator
    DBSource dbi:Oracle:radius00
    DBUsername radiusgold
    DBAuth radiusgold
    # DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t \
    # where YIADDR='%0' or YIADDR='%{Class}'
    DefaultLeasePeriod 172800
    # LeaseReclaimInterval 86400
    # POOL ALLOCATION RULES
    Subnetmask 255.255.255.255
    Range a.b.e.31 a.b.e.60
    Range a.b.e.62 a.b.e.91
    Subnetmask 255.255.255.255
    Range a.b.c.52 a.b.c.100
    Range a.b.c.110 a.b.c.139
    Range a.b.c.150 a.b.c.200
    Range a.b.c.225 a.b.c.250
    # === CLIENTs =
    Secret
    DupInterval 0
    SNMPCommunity public
    Identifier viruse2
    IdenticalClients a.b.c.4 a.b.c.5 a.b.c.6 \
        172.31.1.6 172.31.1.4 172.31.1.8 192.168.10.5
    RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/
    # pattonRAS
    Secret
    DupInterval 0
    NasType Patton
    SNMPCommunity patt123mon
    Identifier viruse1
    IdenticalClients a.b.c.61 a.b.c.92
    RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/
    # ipass client for VNAS (incoming roamers)
    Secret
    Identifier ipassclient
    IdenticalClients d.e.f.212
    RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/
    #
    # web server on this box
    # Secret apache!:123
    # DupInterval 0
    # Identifier apache
    #
    # === AUTH BYs =
    Identifier SQLStaffauth
    NoDefault
    DBSource dbi:Oracle:radius00
    DBUsername radius
    DBAuth radius
    AuthSelect select PASSWORD, CHECKATTR from STAFF \
        where USERNAME = '%n' and STATUS = 'Enabled'
    Identifier SQLClientauth
    NoDefault
    DBSource dbi:Oracle:radius00
    DBUsername radius
    DBAuth radius
    AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
        from SUBSCRIBERS where USERNAME = '%n' \
        and STATUS = 'Enabled'
    AutoMPPEKeys
    Identifier myIPADDRESSauth
    Allocator mySQLallocator
    # AddToReply Class = %{Reply:Framed-IP-Address}
    # PoolHint %{Reply:PoolHint}
    PoolHint %{Client:Identifier}
    MapAttribute yiaddr, Framed-IP-Address
    MapAttribute subnetmask, Framed-IP-Netmask
    StripFromReply PoolHint
    # policy = 4 (40bit), 2 (128bit), 6 (any)
    AddToReply MS-MPPE-Encryption-Policy = 1, MS-MPPE-Encryption-Types = 6
    AddToReply MS-MPPE-Send-Key, MS-MPPE-Recv-Key
    Identifier pattonIPADDRESSauth
    Allocator mySQLallocator
    PoolHint %{Client:Identifier}
    # PoolHint %{Reply:PoolHint}
    MapAttribute yiaddr, Framed-IP-Address
    MapAttribute subnetmask, Framed-IP-Netmask
    StripFromReply PoolHint
    #
    # proxy radius for IPASS
    Identifier ipassNetserver
    Host d.e.f.211
    Secret
    AuthPort 11812
    AcctPort 11813
    #=== HANDLERs
    AcctLogFileName %L/ipass/detail
    RewriteUsername s/^IPASS\/([^#]+)\#([^@]
(RADIATOR) *GhostSessions Prob
-- Forwarded Message --
Subject: BOUNCE [EMAIL PROTECTED]: Non-member submission from ["Christian Rautscher" <[EMAIL PROTECTED]>]
Date: Mon, 2 Sep 2002 01:29:12 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Subject: *GhostSessions Prob
To: Hugh Irvine <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
From: "Christian Rautscher" <[EMAIL PROTECTED]>
Date: Mon, 2 Sep 2002 13:27:17 +0200

Hello Hugh, hi everybody,

I'd like to ask if someone could help me with the quite "famous" problem of the "ghost sessions" in the Radiator DB.

For example: AccessServer works fine. Connecting clients will be registered in the Radonline DB of Radiator with their SessionStart entry. Now let's assume that at a certain point, due to a networking failure or another reason, Radiator and AccessServer aren't able to communicate with each other anymore. Now we assume that clients A and B are disconnecting themselves right at this moment.

PROBLEM: the NAS doesn't send a Stop-Session entry to Radiator, so for Radiator that client is still online. Now let's assume that the communication problem between Radiator and the NAS has been solved, and client A would like to re-enter. But it isn't able to, because with the configuration of Radiator the client exceeds its allowed simultaneous permission of 1.

I've already tried with the Nas-Type attribute but somehow it won't work as it should. As I noticed that this kind of problem appeared quite often in this mailing list, I hope that someone may be able to help me.
Thank you in advance,

Christian

---
--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS etc on Unix, Windows, MacOS etc.
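As an added illustration of the failure mode Christian describes (not code from the thread or from Radiator), a small model of the simultaneous-use check with a ghost-session purge: before rejecting a login, every recorded session is re-verified against the NAS through a callback, and entries the NAS does not confirm are deleted. The callback stands in for the NAS query that Radiator's NasType setting is meant to perform; the RADONLINE column names and the in-memory sqlite table are assumptions.

```python
import sqlite3
import time
from typing import Callable

# Constructed stand-in for Radiator's RADONLINE session table (column names assumed).
SCHEMA = """CREATE TABLE RADONLINE (
    USERNAME TEXT, NASIDENTIFIER TEXT, NASPORT INTEGER,
    ACCTSESSIONID TEXT, TIME_STAMP INTEGER)"""

# Callback (nas_identifier, nas_port, session_id) -> True if the NAS confirms the
# session is still up; False if not. Stands in for the NasType SNMP/finger check.
NasProbe = Callable[[str, int, str], bool]


def new_session_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def record_start(db, user, nas, port, sid, ts=None):
    """Accounting-Start: remember the session."""
    db.execute("INSERT INTO RADONLINE VALUES (?,?,?,?,?)",
               (user, nas, port, sid, ts if ts is not None else int(time.time())))


def record_stop(db, nas, port, sid):
    """Accounting-Stop (or ghost purge): forget the session."""
    db.execute("DELETE FROM RADONLINE WHERE NASIDENTIFIER=? AND NASPORT=? AND ACCTSESSIONID=?",
               (nas, port, sid))


def simultaneous_use_ok(db, user, limit, probe: NasProbe, max_age=None, now=None) -> bool:
    """Allow the login unless `user` has >= limit sessions that the NAS still confirms.

    Entries the NAS does not confirm are ghosts (a lost Accounting-Stop) and are
    deleted; entries older than max_age seconds are treated as stale as well.
    """
    rows = db.execute("SELECT NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP "
                      "FROM RADONLINE WHERE USERNAME=?", (user,)).fetchall()
    if len(rows) < limit:
        return True  # cheap path: under the limit, no need to ask the NAS
    now = now if now is not None else int(time.time())
    live = 0
    for nas, port, sid, ts in rows:
        stale = max_age is not None and now - ts > max_age
        if stale or not probe(nas, port, sid):
            record_stop(db, nas, port, sid)  # drop the ghost entry
        else:
            live += 1
    return live < limit
```

With a limit of 1, the login is only refused when the NAS actually confirms an existing session; a ghost left behind by a lost Stop is removed on the spot instead of locking the user out.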
Re: (RADIATOR) Version 3.3 install
Hi Charly -

I will let Mike reply to your suggestion.

regards

Hugh

On Monday, September 2, 2002, at 05:57 PM, Karl Gaissmaier wrote:
Re: (RADIATOR) Port Mapping
If you use Linux you can set a port redirect with iptables using something like this:

    # match the destination port the NAS sends to; REDIRECT takes --to-ports
    iptables -t nat -A PREROUTING -p udp --dport 1645 -j REDIRECT --to-ports 1812
    # accounting arriving on 1646 needs the same rule with --to-ports 1813

This will add a rule to the PREROUTING chain in the NAT table to redirect any UDP traffic on port 1645 to port 1812. This way you can avoid running two instances of Radiator.

Again, if you run NT this will be of little help to you :)

Regards,
Rickard

- Original Message -
From: "jai" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, August 31, 2002 6:17 AM
Subject: (RADIATOR) Port Mapping

> Hi,
>
> Is it possible to redirect the port on the same machine?
>
> I have a NAS where I can't change the port, which is working on 1645 & 1646,
> so I need to do redirection from 1812 & 1813.
>
> Thanx
>
> Jai
Re: (RADIATOR) Version 3.3 install
Hi Hugh,

Hugh Irvine wrote:
>
> Hello Charly -
>
> What I usually do is skip the "make install" step altogether, and just
> leave the various versions in separate directories.
>

and in the meantime I do it with the following startup script (tweaking the -I flag on perl startup and dealing with PREFIX=... and a symbolic link "current" pointing to the actual version):

> #!/bin/sh
> #
> # kg 08/02
> #
> PERL=/radiator/perl/bin/perl
> RADIUS_LIB=/radiator/current/lib/site_perl
> RADIUSD=/radiator/current/bin/radiusd
> CONFIG=/radiator/etc/radiator-config
> PIDFILE=/radiator/etc/pidfile
> #
> case "$1" in
> 'start')
>     if [ -f $RADIUSD -a -f $CONFIG ]; then
>         echo "radius (radiator) service starting."
>         $PERL -I$RADIUS_LIB $RADIUSD -config_file $CONFIG
>     else
>         echo "$RADIUSD or $CONFIG missing. STOPPED!"
>     fi
>     ;;
> 'stop')
>     if [ -f $PIDFILE ]; then
>         echo "Stopping the radius (radiator) service."
>         kill -15 `cat $PIDFILE`
>     fi
>     ;;
> 'restart')
>     if [ -f $PIDFILE ]; then
>         echo "Restarting the radius (radiator) service."
>         kill -1 `cat $PIDFILE`
>     fi
>     ;;
> *)
>     echo "Usage: /etc/init.d/radiator { start | stop | restart }"
>     ;;
> esac
> exit 0

I also have a discrete perl installation only for radius, because I need some modules/versions specific for radius and I will not pay attention when I upgrade the main perl installation for our workstations.

Anyway, Hugh and Mike, there is more than one way to solve this problem with concurrent versions, but I think at least one solution should be described in the manual or at least in the FAQ.

Best regards
Charly

--
Karl Gaissmaier Computing Center, University of Ulm, Germany
Email: [EMAIL PROTECTED] Network Administration
Tel.: ++49 731 50-22499
Re: (RADIATOR) Apache authentication problem
This could be really useful! Can Radius authentication be done through IIS as well?

Regards,
Brian.