Re: Possible to add a NAS in any MySQL table?

2009-12-08 Thread Patric
Peter Carlstedt wrote: Hello everyone, I've been searching the net for answers but haven't been able to find any information about how to add a NAS in the MySQL tables instead of using the clients.conf file. It is possible to use one of the tables that comes with Freeradius? If it is possibl

Possible to add a NAS in any MySQL table?

2009-12-08 Thread Peter Carlstedt
Hello everyone, I've been searching the net for answers but haven't been able to find any information about how to add a NAS in the MySQL tables instead of using the clients.conf file. It is possible to use one of the tables that comes with Freeradius? If it is possible, is there any "HOW t

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan DeKok
Josip Rodin wrote: > Which reminds me - the other day I had a situation where a NAS was rebooted > and ~300 users immediately tried to reconnect and authenticated over a > FreeRADIUS 2.0.4 server, which in turn tried to authenticate them over its > two home_servers set up as fail-over, but neither

Re: default linelog Accounting-Request handling broken?

2009-12-08 Thread Alan DeKok
Alan Buxey wrote: > it'd be nice if SNMPTRAPs > could be generated too natively but thats a different issue. On the roadmap. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: default linelog Accounting-Request handling broken?

2009-12-08 Thread Josip Rodin
On Tue, Dec 08, 2009 at 11:02:30PM +0100, Alan DeKok wrote: > Logging *state changes* is OK. e.g. "this packet caused the proxy to > decide that the home server is down". That happens for *one* packet, > when the home server changes state. > > The messages you've asked to make "log file" wou

Re: default linelog Accounting-Request handling broken?

2009-12-08 Thread Alan Buxey
Hi, > The messages you've asked to make "log file" would result in > per-packet errors, not general state change errors. That's why I'm > reluctant to make those changes. exactly. chuck me EVERYTHING in debug mode. i'll take the hit..i NEED the info... but in general use - status change only.

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan Buxey
Hi, > 1 Error: Received Access-Accept packet from client home_server_ip_5 > port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) > Dropping packet without response. well, theres a problem with shared secret there that needs to be ironed out > Can any conclusions be d

Re: default linelog Accounting-Request handling broken?

2009-12-08 Thread Alan DeKok
Josip Rodin wrote: > But the proxy state logging is not a priori per-packet, it's based on status > check events. Only if each packet changes the proxy status (?!), then you'll > get as many status check logs as there are packets. Ah... that's the misunderstanding. The messages which should b

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Josip Rodin
On Tue, Dec 08, 2009 at 03:43:14PM +0100, Alan DeKok wrote: > Garber, Neal wrote: > >> This limit is around 8K packets in 2.1.x, and will be 64K packets in > >> 2.2.x. So if you're getting 500 packets/s for a home server, 16s after > >> it goes down, all 8k "slots" will be used. > > In 2.1.x, t

Re: default linelog Accounting-Request handling broken?

2009-12-08 Thread Josip Rodin
On Tue, Dec 08, 2009 at 11:32:36AM +, Alan Buxey wrote: > Hi, > > > Again, my point was that people who are prepared to immediately intervene in > > a dead radiusd are most commonly are prepared to immediately intervene in a > > faulty configuration file. > > revisiting the early messages in

Re: Problem with EAP TLS authentication in Freeradius

2009-12-08 Thread tnt
> Actually I copied the file from /usr/share/doc/freeradius/examples/certs > folder > But I didn't change any in MAKE file From which version? 2.1.7 or 2.1.8? 2.1.8 has the new Makefile which signs client certificates with ca certificate. > Is there any other way to debug it??? That's openSSL stu

Re: Problem with EAP TLS authentication in Freeradius

2009-12-08 Thread tnt
> Where I could get the "makefile" v.2.1.8-pre > Probably it also solves the problem that I have. PS. I would take the whole certs directory. Ivan Kalik

Re: Problem with EAP TLS authentication in Freeradius

2009-12-08 Thread tnt
> Where I could get the "makefile" v.2.1.8-pre > Probably it also solves the problem that I have. Get the whole thing and take what you want: http://git.freeradius.org/pre/ Ivan Kalik

Re: Cisco-AVPair Accounting

2009-12-08 Thread Bryan Campbell
Courtesy of Michael Bowe . . . Since Calling-Station-Id does not exist in the accounting spill from the Cisco, concatenating the client-mac-address works just great. In the instance that we are not using a Cisco then the Calling-Station-Id is populated and client-mac-address does not exist. S

Re: Cisco-AVPair Accounting

2009-12-08 Thread Bryan Campbell
O.K. What is the best way to accomplish the following . . . For a specific NAS-IP-Address=10.10.10.10 Accounting packet includes the following . . . %{Calling-Station-Id}(does not exist) %{client-mac-address}=.. Need to write the value for .

Re: [GENERAL] freeradius postgresql sql query glitch

2009-12-08 Thread Alan DeKok
Josip Rodin wrote: > Alan, please apply the patch: Applied, thanks. Alan DeKok.

jradius performance

2009-12-08 Thread wlanmac
Hello, The question of performance of jradius has been raised a couple times. I thought I'd share some recent findings and improvements. Attached are some radperf results of various setups and a brief discussion is below. The tests are after changes we have made, which we will be integrating int

Re: EAP-TTLS auth

2009-12-08 Thread Fernando Calvelo Vazquez
1.- Sorry for the HTML mail mess. 2.- Now I have signed the client certificate by using the "Makefile" v.2.1.8-pre (just to be sure that I generate correctly the certificates). So, client certificate: - subject=/C=FR/ST=Isere/O=ESRF/CN=swatzy01.esrf.fr/emailaddress=u...@example.com - issuer=/

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan DeKok
Bjørn Mork wrote: > Yes, I got one of those: > > Tue Dec 8 08:49:22 2009 : Proxy: Marking home server 192.168.8.216 port 1812 > as dead. > Tue Dec 8 08:49:22 2009 : Error: Failed creating new proxy socket: server is > too busy and home servers appear to be down OK. That indicates that all

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan DeKok
Garber, Neal wrote: >> This limit is around 8K packets in 2.1.x, and will be 64K packets in >> 2.2.x. So if you're getting 500 packets/s for a home server, 16s after >> it goes down, all 8k "slots" will be used. > > I'm not sure if this is feasible and/or easy to implement, but I thought I'd > a

Re: Problem with EAP TLS authentication in Freeradius

2009-12-08 Thread senthil kumar
Actually I copied the file from /usr/share/doc/freeradius/examples/certs folder But I didn't change any in MAKE file Is there any other way to debug it??? On Tue, Dec 8, 2009 at 3:40 AM, wrote: > > Below is the complete Log.. > > Please let me know how to solve/debug it.. > > > >

RE: Pre-release of Version 2.1.8

2009-12-08 Thread Garber, Neal
> This limit is around 8K packets in 2.1.x, and will be 64K packets in > 2.2.x. So if you're getting 500 packets/s for a home server, 16s after > it goes down, all 8k "slots" will be used. I'm not sure if this is feasible and/or easy to implement, but I thought I'd ask.. As a suggestion, can th

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Bjørn Mork
Alan DeKok writes: > Bjørn Mork wrote: >> Yes, now it continues to answer both authentication and accounting >> requests, but it still stops proxying after a while (where "a while" >> might be something like 20+ hours and 1+ million auth requests - I have >> no indication that these values are fix

Re: Problem with EAP TLS authentication in Freeradius

2009-12-08 Thread Alan DeKok
Fernando Calvelo Vazquez wrote: > Where I could get the "makefile" v.2.1.8-pre > Probably it also solves the problem that I have. http://git.freeradius.org/pre/ Alan DeKok.

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan DeKok
Bjørn Mork wrote: > My problem is that this affects *all* proxied realms, including those > with perfect radius servers. I know, because one of those realms is our > own, running FreeRADIUS on another set of servers. > > You'll notice that all the "No outstanding request was found " messages > we

Re: Changing the format of a date attribute

2009-12-08 Thread Patric
Alan DeKok wrote: Patric wrote: Is there any way for me to get my FreeRADIUS-Acct-Session-Start-Time attribute value into that date format? http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function_from-unixtime You sir are a genius :) It didn't even occur to me to do it in t

RE: Logins against AD failing in *most* cases. Can see why, but don't*understand* why.

2009-12-08 Thread Casartello, Thomas
Just had this same problem myself. Oddly enough with Fedora, the samba-common package is all that will be installed as a dependency and it does not include the regular samba services. I could start winbind and even do ntlm_auth requests, but I was essentially having this same issue where it would j

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan Buxey
Hi, > My problem is that this affects *all* proxied realms, including those > with perfect radius servers. I know, because one of those realms is our > own, running FreeRADIUS on another set of servers. oh - thats a perfect system for doing the status server queries on. it would be good to show

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Bjørn Mork
Alan DeKok writes: > Garber, Neal wrote: >> When it fails, is it always at night? If so, could it be related to network >> load - perhaps backups that are running? You could try capturing the output >> from a continuous ping to see if you start getting timeouts or really long >> response time

lose 2 WARNING messages when compiling

2009-12-08 Thread Alan Buxey
hi, 2 trivial (maybe too trivial? side-effects?) patches to stop the two extraneous WARNING messages during compilation on FreeRADIUS --- freeradius-server/Make.inc.in 2009-12-08 13:16:28.0 + +++ freeradius-server-new/Make.inc.in 2009-12-08 12:46:20.0 + @@ -22,6 +2

Re: Problem with EAP TLS authentication in Freeradius

2009-12-08 Thread Fernando Calvelo Vazquez
Where I could get the "makefile" v.2.1.8-pre Probably it also solves the problem that I have. regards, Fernando. t...@kalik.net wrote: Below is the complete Log.. Please let me know how to solve/debug it.. [tls] Done initial handshake [tls] <<< TLS 1.0 Alert [length 0002],

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan DeKok
Garber, Neal wrote: > When it fails, is it always at night? If so, could it be related to network > load - perhaps backups that are running? You could try capturing the output > from a continuous ping to see if you start getting timeouts or really long > response times between FR and one of th

RE: Pre-release of Version 2.1.8

2009-12-08 Thread Garber, Neal
> At approximately 08:40 something happens, and a lot of servers are > flagged as dead or zombie. > This could of course have been caused by network problems, but there was > no such problem at this time. Proxying goes over the same interface as When it fails, is it always at night? If so, cou

Re: Changing the format of a date attribute

2009-12-08 Thread Alan DeKok
Patric wrote: > Is there any way for me to get my FreeRADIUS-Acct-Session-Start-Time > attribute value into that date format? http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function_from-unixtime Alan DeKok.

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Alan DeKok
Bjørn Mork wrote: > Yes, now it continues to answer both authentication and accounting > requests, but it still stops proxying after a while (where "a while" > might be something like 20+ hours and 1+ million auth requests - I have > no indication that these values are fixed). Look for the mes

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Bjørn Mork
Josip Rodin writes: > On Tue, Dec 08, 2009 at 10:10:11AM +0100, Bjørn Mork wrote: >> The symptoms are that all home servers are marked dead/zombie. Typical >> obfuscated home_server list in this state: >> >> server(bjorn) ~ 71$ radmin -e "show home_server list" >> 192.168.8.120 1812auth

Re: default linelog Accounting-Request handling broken?

2009-12-08 Thread Alan Buxey
Hi, > Again, my point was that people who are prepared to immediately intervene in > a dead radiusd are most commonly are prepared to immediately intervene in a > faulty configuration file. revisiting the early messages in this thread clearly indicate a desire for much more verbose logging of pro

Re: default linelog Accounting-Request handling broken?

2009-12-08 Thread Josip Rodin
On Tue, Dec 08, 2009 at 09:59:32AM +, Alan Buxey wrote: > Hi, > > > So you fit the bill anyway - if you're prepared for a completely dead > > FreeRADIUS, you're prepared for the situation such as a logging issue. > > not at all. dead radiusd not an issue compared to several gigabytes > of sud

Re: default linelog Accounting-Request handling broken?

2009-12-08 Thread Alan Buxey
Hi, > So you fit the bill anyway - if you're prepared for a completely dead > FreeRADIUS, you're prepared for the situation such as a logging issue. not at all. dead radiusd not an issue compared to several gigabytes of sudden unexpected log behaviour due to an issue at remote proxy, for example.

Changing the format of a date attribute

2009-12-08 Thread Patric
Hi everyone, Firstly, thanks Alan for your help with my acct_start_time problem, that was exactly what I was after. The only problem that remains for me is getting the value into a different format so I can store it in my database table. So I have the following setup currently: share/dictio

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Josip Rodin
On Tue, Dec 08, 2009 at 10:10:11AM +0100, Bjørn Mork wrote: > The symptoms are that all home servers are marked dead/zombie. Typical > obfuscated home_server list in this state: > > server(bjorn) ~ 71$ radmin -e "show home_server list" > 192.168.8.120 1812authalive 0 > 192.168.8.246

Re: Pre-release of Version 2.1.8

2009-12-08 Thread Bjørn Mork
Alan DeKok writes: > Bjørn Mork wrote: >> Bjørn Mork writes: >>> The server had been running for 45 hours when this happened. I haven't >>> got the faintest idea where to start looking for the bug. >> >> I have to correct myself after looking over the logs: The server >> stopped answering auth

Re: Almost there... Radiusclient not sending password with MSChapv2

2009-12-08 Thread Wim De Hul
On Mon, Dec 07, 2009 at 11:31:44PM -, t...@kalik.net wrote: > > I almost have a working Radius setup... > > It's working. > > > My XP tells me that the username/password is invalid (Error 961). I > > suspect the password attribute to be empty.. > > There is no password attribute in mschap. Pr

Re: clear-terxt password vs user-password

2009-12-08 Thread Alan DeKok
rosect...@yahoo.com wrote: > In user account setup, you can use either Cleartext-Password or > User-Password. What is the difference? Thanks. Cleartext-Password is what *you* say is the "known good" password. User-Password is whatever nonsense the user typed into a password prompt. Alan De