(RADIATOR) Re: Radiator: Performance issue

2002-09-02 Thread Hugh Irvine


Hello Jaafar -

Given the sizes of your /etc/passwd and /etc/shadow files, I am not 
surprised that Radiator is taking so long to start up. You should really 
be using an SQL database for such large user populations.

regards

Hugh


On Tuesday, September 3, 2002, at 02:14 PM, Jaafar Bin Sarim wrote:

> Hello Hugh
>
> I'm running 5 instances of radiusd operating in one server 256M RAM
> and CPU 200MHz Ultra sparc1.
>
> Each of the 5 instances takes this much time to start as shown below:
>
> #/var/run 539$ time rad-roamin start
>
> real    0m53.145s
> user    0m44.750s
> sys     0m1.800s
>
> The sizes of /etc/passwd and /etc/shadow in the server are as follows:
> -rw-r--r--   1 root staff 21215436 Sep  3 11:37 /etc/passwd
> -r   1 root staff 10251013 Sep  3 11:37 /etc/shadow
>
> We're running on Radiator version 3.1
>
> We're updating our /etc/passwd and /etc/shadow every hour and the 5
> radius instances seem to be caching every hour as well.
> This results in unavailability of the 5 radius instances.
>
> Are there any tips to improve performance or avoid any recaching
> overlaps?
>
> Thank you.
>
>
> Best Regards
> Jaafar Sarim
> SingNet
>
>
>
>

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) ipass Config Question

2002-09-02 Thread Hugh Irvine
 Hello Tunde -

Your Handler is not being used because the username string does not look like "user@myipass" which is what you have specified. I will need to see a trace 4 debug to see what form the iPass requests look like.

And if you are not reliably receiving the Framed-IP-Address attribute in the accounting requests, using the Class attribute as a backup is a good idea.

regards

Hugh



On Tuesday, September 3, 2002, at 04:09 AM, Ayotunde Itayemi wrote:

 
Hi All, Hi hugh,
 
My config is as below. In the past when "we" discussed the state column of the RADONLINE
database not being reset appropriately resulting in IP-address pool being exhausted, you told me to
add the following lines to my config:
DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t  where YIADDR='%0' or YIADDR='%{Class}'
to the AddressAllocator SQL clause and the following line to the AuthBy DYNADDRESS clause:
AddToReply Class = %{Reply:Framed-IP-Address}
Okay, I removed them later when things seemed to have "stabilised" but I am thinking of reintroducing them again
- please let me have your views based on the config file below.
MAIN PROBLEMS.
I installed ipass NetServer 3.9 as stated in the instructions and also configured radiator (below) based on ipass
instruction for configuring radiator.
The problem is that somehow, radiator is still using the handler for my client rather than the special handler for ipass
- which should cause it to proxy the request to the local ipass NetServer running on the same system.
Please note that the IP address I have radiator running on is e.d.f.211 .
 
I have also disabled the apache client I had running before because I guess there would be a conflict between apache
authentication and ipass NetServer since they both use localhost (127.0.0.1) in the client definitions for them?
 
Regards,
Tunde I.
 
 
# --- RADAR -

 Username radar
 Password 

# Programs for Simultaneous-Use
SnmpgetProg  /usr/bin/snmpget
# SNMP access to radiator

 ROCommunity mysnmpRADsecret
 Port  162
 Managers 127.0.0.1, 192.168.10.8

# Online users

 Identifier SDB1
 DBSource dbi:Oracle:radius00
 DBUsername  radius
 DBAuth   radius
#    DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t \
#    where YIADDR='%0' or YIADDR='%{Class}'

# ===

    Identifier mySQLallocator
    DBSource    dbi:Oracle:radius00
    DBUsername  radiusgold
    DBAuth  radiusgold
# DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t \
#  where YIADDR='%0' or YIADDR='%{Class}'
 
    DefaultLeasePeriod   172800
#    LeaseReclaimInterval 86400
 
# POOL ALLOCATION RULES
    
    Subnetmask  255.255.255.255
    Range   a.b.e.31 a.b.e.60
  Range   a.b.e.62 a.b.e.91
    
    
    Subnetmask  255.255.255.255
    Range   a.b.c.52 a.b.c.100
  Range a.b.c.110 a.b.c.139
  Range a.b.c.150 a.b.c.200
  Range   a.b.c.225 a.b.c.250 
   

 
# === CLIENTs   =

    Secret 
    DupInterval 0
    SNMPCommunity public
    Identifier viruse2
 IdenticalClients a.b.c.4 a.b.c.5 a.b.c.6 \
  172.31.1.6 172.31.1.4 172.31.1.8 192.168.10.5
 RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/


# pattonRAS
    Secret 
    DupInterval 0
 NasType Patton
 SNMPCommunity patt123mon
    Identifier viruse1
 IdenticalClients a.b.c.61 a.b.c.92
 RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/


# ipass client for VNAS (incoming roamers)
 Secret 
 Identifier ipassclient
 IdenticalClients d.e.f.212
 RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/

#
# web server on this box
# Secret apache!:123
# DupInterval 0
# Identifier apache
#
# === AUTH BYs =

    Identifier SQLStaffauth
    NoDefault
    DBSource    dbi:Oracle:radius00
    DBUsername  radius
    DBAuth  radius
    AuthSelect select PASSWORD, CHECKATTR from STAFF \
    where USERNAME = '%n' and STATUS = 'Enabled'


 Identifier SQLClientauth
 NoDefault
 DBSource dbi:Oracle:radius00
 DBUsername radius
 DBAuth  radius
 AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
  from SUBSCRIBERS where USERNAME = '%n' \
  and STATUS = 'Enabled'
 AutoMPPEKeys


 Identifier myIPADDRESSauth
 Allocator mySQLallocator
# AddToReply Class = %{Reply:Framed-IP-Address}
# PoolHint %{Reply:PoolHint}
 PoolHint %{Client:Identifier}
 MapAttribute   yiaddr, Framed-IP-Address
 MapAttribute   subnetmask, Framed-IP-Netmask
 StripFromReply PoolHint
# policy = 4 (40bit), 2 (128bit), 6 (any)
 AddToReply MS-MPPE-Encryption-Policy = 1, MS-MPPE-Encryption-Types = 6
 AddToReply MS-MPPE-Send-Key, MS-MPPE-Recv-Key


    Identifier pattonIPADDRESSauth
    Allocator mySQLallocator
 PoolHint %{Client:Identifier}
#    PoolHint %{Reply:PoolHint
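Added example, not Radiator code and not part of either post: a shell reproduction of what the RewriteUsername rule in the Client clauses above does to a few constructed usernames, and which Handler would then be selected. It assumes, as Hugh's reply does, that the iPass Handler matches usernames ending in @myipass and that everything else falls through to the default Handler; the sample usernames are made up.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from Radiator).
# Shows why a request whose User-Name does not arrive as IPASS/user@realm
# never reaches the iPass Handler: the rewrite only fires on that shape.

# The Client clause's RewriteUsername, expressed as an ERE for sed.
# IPASS/user@realm  ->  IPASS/user#realm@myipass ; anything else unchanged.
rewrite_username() {
    printf '%s\n' "$1" | sed -E 's/^IPASS\/([^@]+)@([^@]+)$/IPASS\/\1#\2@myipass/'
}

# Which Handler the rewritten name would select.  Assumption: the iPass
# Handler is keyed on the @myipass realm, everything else is the default.
select_handler() {
    case "$(rewrite_username "$1")" in
        *@myipass) echo ipass ;;
        *)         echo default ;;
    esac
}

# Constructed sample usernames: an iPass roamer, a plain local user, and a
# realm-qualified user that lacks the IPASS/ prefix (never rewritten).
for u in 'IPASS/roamer@partner.net' 'localuser' 'roamer@partner.net'; do
    printf '%-28s -> %-38s handler=%s\n' "$u" "$(rewrite_username "$u")" "$(select_handler "$u")"
done
```

Running the script prints one line per sample; only the first sample is rewritten and lands on the iPass Handler, which is the check to make against a trace 4 debug of the real requests.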

(RADIATOR) ipass Config Question

2002-09-02 Thread Ayotunde Itayemi



 
Hi All, Hi hugh,

My config is as below. In the past when "we" discussed the state column of the RADONLINE
database not being reset appropriately resulting in IP-address pool being exhausted, you told me to
add the following lines to my config:

DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t  where YIADDR='%0' or YIADDR='%{Class}'

to the AddressAllocator SQL clause and the following line to the AuthBy DYNADDRESS clause:

AddToReply Class = %{Reply:Framed-IP-Address}

Okay, I removed them later when things seemed to have "stabilised" but I am thinking of reintroducing them again
- please let me have your views based on the config file below.

MAIN PROBLEMS.

I installed ipass NetServer 3.9 as stated in the instructions and also configured radiator (below) based on ipass
instruction for configuring radiator.
The problem is that somehow, radiator is still using the handler for my client rather than the special handler for ipass
- which should cause it to proxy the request to the local ipass NetServer running on the same system.
Please note that the IP address I have radiator running on is e.d.f.211 .

I have also disabled the apache client I had running before because I guess there would be a conflict between apache
authentication and ipass NetServer since they both use localhost (127.0.0.1) in the client definitions for them?

Regards,
Tunde I.

 
# --- RADAR -
 Username radar
 Password 

# Programs for Simultaneous-Use
SnmpgetProg  /usr/bin/snmpget
# SNMP access to radiator
 ROCommunity mysnmpRADsecret
 Port  162
 Managers 127.0.0.1, 192.168.10.8

# Online users
 Identifier SDB1
 DBSource dbi:Oracle:radius00
 DBUsername  radius
 DBAuth   radius
#    DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t \
#    where YIADDR='%0' or YIADDR='%{Class}'

# ===
    Identifier mySQLallocator
    DBSource    dbi:Oracle:radius00
    DBUsername  radiusgold
    DBAuth  radiusgold
# DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t \
#  where YIADDR='%0' or YIADDR='%{Class}'

    DefaultLeasePeriod   172800
#    LeaseReclaimInterval 86400

# POOL ALLOCATION RULES
    Subnetmask  255.255.255.255
    Range   a.b.e.31 a.b.e.60
    Range   a.b.e.62 a.b.e.91

    Subnetmask  255.255.255.255
    Range   a.b.c.52 a.b.c.100
    Range   a.b.c.110 a.b.c.139
    Range   a.b.c.150 a.b.c.200
    Range   a.b.c.225 a.b.c.250

# === CLIENTs   =
    Secret 
    DupInterval 0
    SNMPCommunity public
    Identifier viruse2
    IdenticalClients a.b.c.4 a.b.c.5 a.b.c.6 \
        172.31.1.6 172.31.1.4 172.31.1.8 192.168.10.5
    RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/

# pattonRAS
    Secret 
    DupInterval 0
    NasType Patton
    SNMPCommunity patt123mon
    Identifier viruse1
    IdenticalClients a.b.c.61 a.b.c.92
    RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/

# ipass client for VNAS (incoming roamers)
    Secret 
    Identifier ipassclient
    IdenticalClients d.e.f.212
    RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/

#
# web server on this box
# Secret apache!:123
# DupInterval 0
# Identifier apache
#
# === AUTH BYs =
    Identifier SQLStaffauth
    NoDefault
    DBSource    dbi:Oracle:radius00
    DBUsername  radius
    DBAuth  radius
    AuthSelect select PASSWORD, CHECKATTR from STAFF \
        where USERNAME = '%n' and STATUS = 'Enabled'

    Identifier SQLClientauth
    NoDefault
    DBSource dbi:Oracle:radius00
    DBUsername radius
    DBAuth  radius
    AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
        from SUBSCRIBERS where USERNAME = '%n' \
        and STATUS = 'Enabled'
    AutoMPPEKeys

    Identifier myIPADDRESSauth
    Allocator mySQLallocator
# AddToReply Class = %{Reply:Framed-IP-Address}
# PoolHint %{Reply:PoolHint}
    PoolHint %{Client:Identifier}
    MapAttribute   yiaddr, Framed-IP-Address
    MapAttribute   subnetmask, Framed-IP-Netmask
    StripFromReply PoolHint
# policy = 4 (40bit), 2 (128bit), 6 (any)
    AddToReply MS-MPPE-Encryption-Policy = 1, MS-MPPE-Encryption-Types = 6
    AddToReply MS-MPPE-Send-Key, MS-MPPE-Recv-Key

    Identifier pattonIPADDRESSauth
    Allocator mySQLallocator
    PoolHint %{Client:Identifier}
#    PoolHint %{Reply:PoolHint}
    MapAttribute   yiaddr, Framed-IP-Address
    MapAttribute   subnetmask, Framed-IP-Netmask
    StripFromReply PoolHint

#
# proxy radius for IPASS
    Identifier  ipassNetserver
    Host    d.e.f.211
    Secret  
    AuthPort    11812
    AcctPort    11813

#=== HANDLERs
    AcctLogFileName  %L/ipass/detail
    RewriteUsername  s/^IPASS\/([^#]+)\#([^@]

(RADIATOR) *GhostSessions Prob

2002-09-02 Thread Mike McCauley



--  Forwarded Message  --

Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from 
["Christian Rautscher" <[EMAIL PROTECTED]>]
Date: Mon, 2 Sep 2002 01:29:12 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

>From [EMAIL PROTECTED] Mon Sep  2 01:29:11 2002
Received: from mail.raiffeisen.it (mail.raiffeisen.net [195.254.224.24])
by server1.open.com.au (8.11.0/8.11.0) with ESMTP id g826TBC24233;
Mon, 2 Sep 2002 01:29:11 -0500
Sensitivity:
Subject: *GhostSessions Prob
To: Hugh Irvine <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
X-Mailer: Lotus Notes Release 5.0.10  March 22, 2002
Message-ID:
 <[EMAIL PROTECTED]>
 From: "Christian Rautscher" <[EMAIL PROTECTED]>
Date: Mon, 2 Sep 2002 13:27:17 +0200
X-MIMETrack: Serialize by Router on RIS3/RAIFF(Release 5.0.10 |March 22,
 2002) at 02.09.2002 13:27:29
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii


Hello Hugh, hi everybody,

I'd like to ask if someone could help me with the quite "famous"
problem of the "ghost-sessions" in the Radiator DB.

E.g.

AccessServer works fine. Connecting clients will be registered in
the Radonline DB of Radiator with their SessionStart entry. Now let's
assume that at a certain point, due to a networking failure or another reason,
Radiator and AccessServer aren't able to communicate with each other anymore.

Now we assume that Client A and B are disconnecting themselves right at
this moment.
PROBLEM: the NAS doesn't send a Stop-Session entry to Radiator, so for
Radiator that client is still online.

Now let's assume that the communication problem between Radiator and the NAS
has been solved, and client A would like to re-enter. But isn't able, because of
the configuration of Radiator the client exceeds its allowed simultaneous
permission of 1.

I've already tried with the NAS-Type attribute but somehow it won't work
as it should.

As I noticed that this kind of problem appeared quite often in this
mailing list, I hope that someone may be able to help me.

Thank you in advance,
Christian

---

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS etc on Unix, Windows, MacOS etc.




Re: (RADIATOR) Version 3.3 install

2002-09-02 Thread Hugh Irvine


Hi Charly -

I will let Mike reply to your suggestion.

regards

Hugh


On Monday, September 2, 2002, at 05:57 PM, Karl Gaissmaier wrote:

> Hi Hugh,
>
> Hugh Irvine schrieb:
>>
>> Hello Charly -
>>
>> What I usually do is skip the "make install" step altogether, and just
>> leave the various versions in separate directories.
>>
>
> and I do it in the meanwhile with the following startup script:
> (tweaking the -I flag on perl startup and dealing with PREFIX=...
> and a symbolic link "current" pointing to actual version)
>
>> #!/bin/sh
>> #
>> # kg 08/02
>> #
>> PERL=/radiator/perl/bin/perl
>> RADIUS_LIB=/radiator/current/lib/site_perl
>> RADIUSD=/radiator/current/bin/radiusd
>> CONFIG=/radiator/etc/radiator-config
>> PIDFILE=/radiator/etc/pidfile
>> #
>> case "$1" in
>> 'start')
>> if [ -f $RADIUSD -a -f $CONFIG ]; then
>> echo "radius (radiator) service starting."
>> $PERL -I$RADIUS_LIB $RADIUSD -config_file $CONFIG
>> else
>> echo "$RADIUSD or $CONFIG missing. STOPPED!"
>> fi
>> ;;
>> 'stop')
>> if [ -f $PIDFILE ]; then
>> echo "Stopping the radius (radiator) service."
>> kill -15 `cat $PIDFILE`
>> fi
>> ;;
>> 'restart')
>> if [ -f $PIDFILE ]; then
>> echo "Restarting the radius (radiator) service."
>> kill -1 `cat $PIDFILE`
>> fi
>> ;;
>> *)
>> echo "Usage: /etc/init.d/radiator { start | stop | restart }"
>> ;;
>> esac
>> exit 0
>
>
> I have also a discrete perl installation only for radius, because
> I need some modules/versions specific for radius and I will not
> pay attention when I upgrade the main perl installation for our
> workstations.
>
> Anyway, Hugh and Mike, there are more than one way to solve this
> problem with concurrent versions, but I think at least one
> solution should be described in the manual or at least in FAQ.
>
> Best regards
>   Charly
>
>
> --
> Karl Gaissmaier  Computing Center,University of Ulm,Germany
> Email:[EMAIL PROTECTED]  Network Administration
> Tel.: ++49 731 50-22499
>
>




Re: (RADIATOR) Port Mapping

2002-09-02 Thread Rickard Gunnarsson

If you use Linux you can set a port redirect with iptables using something
like this

iptables -A PREROUTING -t nat -s 0.0.0.0/0 -p udp --dport 1645 -j REDIRECT --to-ports 1812

This will add a rule to the PREROUTING chain in the NAT table to redirect
any UDP traffic on port 1645 to port 1812. This way you can avoid running
two instances of Radiator. Again, if you run NT this will be of little help
to you :)

Regards,

Rickard


- Original Message -
From: "jai" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, August 31, 2002 6:17 AM
Subject: (RADIATOR) Port Mapping


> Hi,
>
> Is it possible to redirect the port on same machine  ??
>
> I have NAS, where i can't change the port which is working on 1645 & 1646,
> so i need to do redirection from 1812 & 1813
>
>
> Thanx
>
> Jai
>
>
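Added example, not from Rickard's or Jai's post: a small POSIX sh script that builds the NAT redirect for both legacy RADIUS ports (1645 to 1812 for authentication, 1646 to 1813 for accounting), so a NAS fixed on 1645/1646 can reach a single Radiator instance listening on the standard ports. It assumes Linux iptables with the nat table available and root privileges when actually applying; the REDIRECT target's port option is --to-ports, and the match is on the destination port because the NAS sends to 1645, not from it.

```shell
#!/bin/sh
# Added example (not from the mailing-list post).  Redirect legacy RADIUS
# ports to the standard ones on the same host with iptables, idempotently.
# Usage: sh radius-redirect.sh apply      (as root; applies both rules)
#        DRY_RUN=1 sh radius-redirect.sh apply   (only prints the commands)

# One PREROUTING REDIRECT rule: UDP datagrams arriving for port $1 are
# delivered to the local port $2 instead.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -p udp --dport %s -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# Both RADIUS services: authentication 1645->1812, accounting 1646->1813.
radius_redirect_rules() {
    redirect_rule 1645 1812
    redirect_rule 1646 1813
}

# Apply each rule once.  iptables -C exits 0 when an identical rule already
# exists, so re-running this after a reboot script or by hand never stacks
# duplicate rules in the chain.
apply_radius_redirects() {
    radius_redirect_rules | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf '%s\n' "$cmd"
        else
            chk=$(printf '%s\n' "$cmd" | sed 's/ -A PREROUTING / -C PREROUTING /')
            $chk 2>/dev/null || $cmd
        fi
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_radius_redirects
fi
```

After applying, `iptables -t nat -L PREROUTING -n` should list the two REDIRECT rules, and a trace 4 debug in Radiator will show the requests arriving on 1812/1813 from the NAS's real source address, since REDIRECT rewrites only the destination port.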




Re: (RADIATOR) Version 3.3 install

2002-09-02 Thread Karl Gaissmaier

Hi Hugh,

Hugh Irvine schrieb:
> 
> Hello Charly -
> 
> What I usually do is skip the "make install" step altogether, and just
> leave the various versions in separate directories.
> 

and I do it in the meanwhile with the following startup script:
(tweaking the -I flag on perl startup and dealing with PREFIX=...
and a symbolic link "current" pointing to actual version)

> #!/bin/sh
> #
> # kg 08/02
> #
> PERL=/radiator/perl/bin/perl
> RADIUS_LIB=/radiator/current/lib/site_perl
> RADIUSD=/radiator/current/bin/radiusd
> CONFIG=/radiator/etc/radiator-config
> PIDFILE=/radiator/etc/pidfile
> #
> case "$1" in
> 'start')
> if [ -f $RADIUSD -a -f $CONFIG ]; then
> echo "radius (radiator) service starting."
> $PERL -I$RADIUS_LIB $RADIUSD -config_file $CONFIG
> else
> echo "$RADIUSD or $CONFIG missing. STOPPED!"
> fi
> ;;
> 'stop')
> if [ -f $PIDFILE ]; then
> echo "Stopping the radius (radiator) service."
> kill -15 `cat $PIDFILE`
> fi
> ;;
> 'restart')
> if [ -f $PIDFILE ]; then
> echo "Restarting the radius (radiator) service."
> kill -1 `cat $PIDFILE`
> fi
> ;;
> *)
> echo "Usage: /etc/init.d/radiator { start | stop | restart }"
> ;;
> esac
> exit 0


I have also a discrete perl installation only for radius, because
I need some modules/versions specific for radius and I will not
pay attention when I upgrade the main perl installation for our
workstations.

Anyway, Hugh and Mike, there are more than one way to solve this
problem with concurrent versions, but I think at least one
solution should be described in the manual or at least in FAQ.

Best regards
Charly


-- 
Karl Gaissmaier  Computing Center,University of Ulm,Germany
Email:[EMAIL PROTECTED]  Network Administration
Tel.: ++49 731 50-22499



Re: (RADIATOR) Apache authentication problem

2002-09-02 Thread Brian Morris

This could be really useful!

Can Radius authentication be done through IIS as well?

Regards,  Brian.


