Re: Configure Errors with OpenSSL NetSNMP
Hi!

On Tue, Dec 16, 2003 at 12:35:43AM -0600, MkLinux Admin @ Oceanbay wrote:
> This may have been covered before, but I cannot seem to find it when searching the archives. I am new to FreeRadius, but not new to Linux. I tried configuring FreeRadius, when checking for checking for asn1.h,snmp.h,snmp_impl.h... it would not find the NetSNMP installation.

freeradius works with ucd-snmp not with net-snmp. Till now nobody submitted patches for the new version. Feel free to do so.

> On to OpenSSL, OpenSSL was compiled and installed in /usr/local/ssl and it cannot be found by the configure script. I added the usual LDFLAGS, etc to get it to find it, but there was more mess. In the end I just bypassed the checks altogether and told it it was okay to go ahead and include that.

The usual way would be to use the configure script's options to tell it where the openssl installation resides. Try ./configure --help to see what options are available.

> Then I checked the confdefs.h file, it is 100% empty, something is getting stomped on here. no included ssl headers. when I change that to add in the ssl headers like below. I get the next bad result.

Probably you hosed up configure by editing it by hand... try to do your changes in configure.in and run autoconf after this.

> FreeRadius is the only one which does not seem to get a hold of OpenSSL easy. I dunno what is going on, but I had to hand edit the configure script to get it all to work. Maybe this is all worth a good looking over. As for all of my code I write I use my own home-made configure scripts so I dunno how to fit it all up with autoconf.

It seems to me that the main problem is you messing the configure script up. Please try to stick with it and follow its rules, and the compilation should work.

Oliver.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
is this a complete auth-request packet?
This is pulled straight out of the output from radiusd -sfxxyz -l stdout

I'm using FreeRadius 0.9.3, a Buffalo AirStation Pro, and EAP-TLS authentication. MySQL is used to store the user/pass/etc. attributes. The client is a WinXP box set up for PEAP/MS-CHAP ... I'm not sure if the client is misconfigured, if I'm not getting all the information from the NAS, or if the server is misconfigured. Any help is appreciated.

--- packet info ---
rad_recv: Access-Request packet from host 66.219.41.196:1090, id=56, length=138
    User-Name = fakeAcctOne
    NAS-Identifier = AirStation Pro
    NAS-IP-Address = 172.16.2.10
    NAS-Port = 1
    NAS-Port-Type = Wireless-802.11
    Called-Station-Id = 00022d75ad58
    Calling-Station-Id = 00022d18efec
    Framed-MTU = 1400
    EAP-Message = 0x020100100166616b65416363744f6e65
    Message-Authenticator = 0x8c70a27688a11578a008cd41eaa8a98a
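Added example (not part of the original post or of FreeRADIUS): a Python decoder for the EAP-Message value in the packet above, following the RFC 3748 header layout and checking the Length field against the octets actually present. It shows that this Access-Request carries an EAP-Response/Identity for fakeAcctOne, which is the opening step of an EAP exchange; the function names `parse_eap` and `describe` are chosen for this example, and for TLS-based types only the L/M/S flag bits are decoded.

```python
"""Decode the EAP packet carried in a RADIUS EAP-Message attribute (RFC 3748 header)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAP-V2",
}
TLS_BASED = {13, 21, 25}  # type-data begins with a flags octet (L, M, S bits)


def parse_eap(hex_value):
    """Parse one EAP packet given as the hex string radiusd prints (with or without 0x)."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)  # raises ValueError on odd length or non-hex input
    if len(raw) < 4:
        raise ValueError("shorter than the 4-octet EAP header")

    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    # A Length larger than the data means the packet is truncated or fragmented
    # across attributes that were not all supplied.
    if length < 4 or length > len(raw):
        raise ValueError(f"Length field says {length}, attribute holds {len(raw)} octets")

    pkt = {"code": EAP_CODES[code], "id": ident, "length": length,
           "trailing_octets": len(raw) - length}
    body = raw[4:length]

    if code in (3, 4):  # Success / Failure carry no Type and no data
        if body:
            raise ValueError("Success/Failure must be exactly 4 octets")
        return pkt

    if not body:
        raise ValueError("Request/Response without a Type octet")
    eap_type, data = body[0], body[1:]
    pkt["type"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")

    if eap_type == 1:
        pkt["identity"] = data.decode("utf-8", errors="replace")
    elif eap_type in TLS_BASED and data:
        flags = data[0]
        pkt["tls_flags"] = {
            "length_included": bool(flags & 0x80),
            "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20),
        }
        pkt["tls_octets"] = len(data) - 1  # octets after the flags octet
    else:
        pkt["type_data"] = data.hex()
    return pkt


def describe(pkt):
    """One-line summary of a parsed packet, for reading next to radiusd debug output."""
    head = f"EAP-{pkt['code']}"
    if "type" in pkt:
        head += f"/{pkt['type']}"
    parts = [head, f"id={pkt['id']}", f"length={pkt['length']}"]
    if "identity" in pkt:
        parts.append(f"identity={pkt['identity']!r}")
    if "tls_flags" in pkt:
        set_flags = [name for name, on in pkt["tls_flags"].items() if on]
        parts.append("flags=" + (",".join(set_flags) or "none"))
        parts.append(f"tls_octets={pkt['tls_octets']}")
    if "type_data" in pkt:
        parts.append(f"type_data={pkt['type_data']}")
    if pkt["trailing_octets"]:
        parts.append(f"trailing_octets={pkt['trailing_octets']}")
    return " ".join(parts)


if __name__ == "__main__":
    # Value taken from the Access-Request in the post above.
    print(describe(parse_eap("0x020100100166616b65416363744f6e65")))
    # Constructed sample: same header, payload cut short, to show the length check.
    try:
        parse_eap("0x0201001001666b")
    except ValueError as err:
        print("rejected:", err)
```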
Re: Configure Errors with OpenSSL NetSNMP
On Tuesday, December 16, 2003, at 08:11 AM, Oliver Graf wrote:
> Hi!
>
> On Tue, Dec 16, 2003 at 12:35:43AM -0600, MkLinux Admin @ Oceanbay wrote:
>> This may have been covered before, but I cannot seem to find it when searching the archives. I am new to FreeRadius, but not new to Linux. I tried configuring FreeRadius, when checking for checking for asn1.h,snmp.h,snmp_impl.h... it would not find the NetSNMP installation.
>
> freeradius works with ucd-snmp not with net-snmp. Till now nobody submitted patches for the new version. Feel free to do so.

The problem is that some file names are equal between openssl and netsnmp. Not sure of openssl, but net-snmp installs now in something like /usr/local/include/net-snmp and then one is better off using the '-I/usr/local/include/' with the '#include net-snmp/foo.h'

>> On to OpenSSL, OpenSSL was compiled and installed in /usr/local/ssl and it cannot be found by the configure script. I added the usual LDFLAGS, etc to get it to find it, but there was more mess. In the end I just bypassed the checks altogether and told it it was okay to go ahead and include that.
>
> The usual way would be to use the configure script's options to tell it where the openssl installation resides. Try ./configure --help to see what options are available.

Not sure, but it would be nice if the openssl would do the same as net-snmp in this case.

Harrie
Re: PEAP problem - HELP PLEASE
Hi Alan!

Thanks for your help. I did what you told me, but it seems that it wasn't the only error I made... I put in the users file:

ourson User-Password = testtest

and my user on the XP supplicant is also the same, but authentication is still impossible! I really don't understand because the same error message appears even if I change the users file like I showed you before.

I am asking myself about which options must be put on the MS-CHAP module (on radiusd.conf)? I didn't change any options on the MS-CHAP module ( use_mppe, require_encryption, require_strong with a # before), but is it necessary?? (I tried quickly to put these options = yes, but I had same results)

If you have any idea about what is wrong with my configuration, please tell me!

here is my log with the beginning of freeradius when it's launched:

+ LD_LIBRARY_PATH=/usr/local/ssl-end/lib
+ LD_PRELOAD=/usr/local/ssl-end/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/sbin/radiusd -X -y -z
Starting - reading configuration files ...
reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = /usr/local main: localstatedir = /usr/local/var main: logdir = /usr/local/var/log/radius main: libdir = /usr/local/lib main: radacctdir = /usr/local/var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = /usr/local/var/log/radius/radius.log main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = /usr/local/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/sbin/checkrad main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients Using deprecated clients file. Support for this will go away soon. read_config_files: reading realms Using deprecated realms file. Support for this will go away soon. 
radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: passwd = (null) mschap: authtype = MS-CHAP Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = peap eap: timer_expire = 60 eap: ignore_unknown_eap_types = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = (null) tls: pem_file_type = yes tls: private_key_file = /sauv-certif/cert/new/serveur6.pem tls: certificate_file = /sauv-certif/cert/new/serveur6.pem tls: CA_file = /sauv-certif/cert/new/root.pem tls: private_key_password = saucisson tls: dh_file = /sauv-certif/cert/new/dh tls: random_file = /sauv-certif/cert/new/random tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no rlm_eap: Loaded and initialized type tls peap: default_eap_type = mschapv2 peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no rlm_eap: Loaded and initialized type peap rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /usr/local/etc/raddb/huntgroups preprocess: hints = /usr/local/etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d detail: detailperm = 384 detail: dirperm = 493 detail: locking = no 
Module: Instantiated detail (auth_log) Module: Loaded realm realm: format = suffix realm: delimiter = @ Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = /usr/local/etc/raddb/users files: acctusersfile = /usr/local/etc/raddb/acct_users files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users files: compat = no [/usr/local/etc/raddb/users]:156 WARNING! Changing
Re: How to start/stop/restart FR
See in Freeradius sources the file: free-radiusd-home-sources/etc/rc.radiusd-redhat

I use this script with little changes. Place the script in /etc/init.d and use chkconfig.

Thanks,

Ripunjay Bararia wrote:
> hi just had this silly question what is the preferred/normal way to start/stop/restart FR running on a RedHat box with or without init.d scripts
>
> Ripunjay Bararia

--
Jean-Paul Chapalain - GICM - Resp. Reseaux et Infrastructure
32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D
Re: Problem EAP TLS
> Could you send some detail on your configuration?

You quoted about 550 lines to just add one sentence? Ahh, would it be nice for readers if writers would adopt a sensible quoting style :-)

--
Try Linux 2.6 from BitKeeper for PXA2x0 CPUs at http://www.mn-logistik.de/unsupported/linux-2.6/
Prompt user for callback number
How can I force freeradius server to prompt the user for its callback number? I cannot use %i variable because I need to make out two phone numbers (1st call-in 2nd callback)

Thx for reply.

-mri
Prompt user for callback number - TXT
How can I force freeradius server to prompt the user for its callback number? I cannot use %i variable because I need to make out two phone numbers (1st call-in 2nd callback)

Thx for reply. Sorry for previous nonTXT format =]

-mri
[PATCH] proper .cvsignore files
The following patch adds proper .cvsignore patch to freeradius. -- MN-Logistik GmbH http://www.mn-logistik.de Holger Schurig Dieselstr. 18 61191 Rosbach v.d.Höhe Tel: (+49) 6003 9141 0 Fax: (+49) 6003 9141 49 # # Patch managed by http://www.mn-logistik.de/unsupported/pxa250/patcher # --- /dev/null +++ radiusd/.cvsignore @@ -0,0 +1,2 @@ +config.cache +libtool --- /dev/null +++ radiusd/libltdl/.cvsignore @@ -0,0 +1,3 @@ +libtool +stamp-h +stamp-h1 --- /dev/null +++ radiusd/raddb/.cvsignore @@ -0,0 +1,2 @@ +dictionary +radiusd.conf --- /dev/null +++ radiusd/scripts/.cvsignore @@ -0,0 +1,6 @@ +check-radiusd-config +cryptpasswd +radiusd.cron.daily +radiusd.cron.monthly +radwatch +rc.radiusd --- /dev/null +++ radiusd/src/include/.cvsignore @@ -0,0 +1,4 @@ +autoconf.h +build-radpaths-h +radpaths.h +stamp-h --- /dev/null +++ radiusd/src/main/.cvsignore @@ -0,0 +1,8 @@ +checkrad.pl +radclient +radiusd +radlast +radrelay +radtest +radwho +radzap --- /dev/null +++ radiusd/src/modules/.cvsignore @@ -0,0 +1 @@ +lib --- /dev/null +++ radiusd/src/modules/rlm_dbm/.cvsignore @@ -0,0 +1,2 @@ +rlm_dbm_cat +rlm_dbm_parser --- /dev/null +++ radiusd/src/modules/rlm_eap/.cvsignore @@ -0,0 +1 @@ +config.cache --- /dev/null +++ radiusd/src/modules/rlm_ippool/.cvsignore @@ -0,0 +1 @@ +rlm_ippool_tool --- /dev/null +++ radiusd/src/modules/rlm_mschap/.cvsignore @@ -0,0 +1 @@ +smbencrypt --- /dev/null +++ radiusd/src/modules/rlm_sql/drivers/.cvsignore @@ -0,0 +1 @@ +lib
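Review bot: the top-level radiusd/.cvsignore hunk lists only config.cache and libtool, but a configure run that writes config.cache also writes config.log and config.status, so those will still be reported as unknown files; add them there, and likewise in radiusd/src/modules/rlm_eap/.cvsignore, whose config.cache entry suggests that directory runs its own configure. Separately, radiusd/raddb/.cvsignore ignores dictionary and radiusd.conf: please state in the commit message that both are generated at build time, since once they are ignored a locally edited radiusd.conf no longer shows up when checking the tree for stray files.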
Windows sending Hostname
I use Windows XP with PEAP for authentication. The problem is that in the uid at the Radius Server is always the following string: HOSTNAME\\USERNAME

So our LDAP lookup is not working (requires only the username). Is there a possibility to extract only the username?

Thanks
Berndt

TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316 Fax: +43(1)33126/154
E-Mail: [EMAIL PROTECTED]
Re: PEAP problem - HELP PLEASE
[EMAIL PROTECTED] wrote:
> Hi Alan!
>
> Thanks for your help. I did what you told me, but it seems that it wasn't the only error I made... I put in the users file:
>
> ourson User-Password = testtest

i think i see two potential issues here ... one is noted in the logging:

    [/usr/local/etc/raddb/users]:156 WARNING! Changing 'User-Password =' to 'User-Password =='
    for comparing RADIUS attribute in check item list for user ourson

the operator that's needed is ==, not just = ... but radius sorta fixed that in the request, as the logs note.

the other potential issue: the space before the password begins. assuming that the password gets encrypted into the EAP-Message ( something i'm thinking happens ... but i'm not sure of ), that space is getting added to the encrypted string and will never match.

> and my user on the XP supplicant is also the same, but authentication is still impossible! I really don't understand because the same error message appears even if I change the users file like I showed you before.
>
> I am asking myself about which options must be put on the MS-CHAP module (on radiusd.conf)? I didn't change any options on the MS-CHAP module ( use_mppe, require_encryption, require_strong with a # before), but is it necessary?? (I tried quickly to put these options = yes, but I had same results)
>
> If you have any idea about what is wrong with my configuration, please tell me!
>
> here is my log with the beginning of freeradius when it's launched:
>
> + LD_LIBRARY_PATH=/usr/local/ssl-end/lib
> + LD_PRELOAD=/usr/local/ssl-end/lib/libcrypto.so
> + export LD_LIBRARY_PATH LD_PRELOAD
> + /usr/local/sbin/radiusd -X -y -z
> Starting - reading configuration files ...
reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = /usr/local main: localstatedir = /usr/local/var main: logdir = /usr/local/var/log/radius main: libdir = /usr/local/lib main: radacctdir = /usr/local/var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = /usr/local/var/log/radius/radius.log main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = /usr/local/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/sbin/checkrad main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients Using deprecated clients file. Support for this will go away soon. read_config_files: reading realms Using deprecated realms file. Support for this will go away soon. 
radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: passwd = (null) mschap: authtype = MS-CHAP Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = peap eap: timer_expire = 60 eap: ignore_unknown_eap_types = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = (null) tls: pem_file_type = yes tls: private_key_file = /sauv-certif/cert/new/serveur6.pem tls: certificate_file = /sauv-certif/cert/new/serveur6.pem tls: CA_file = /sauv-certif/cert/new/root.pem tls: private_key_password = saucisson tls: dh_file = /sauv-certif/cert/new/dh tls: random_file = /sauv-certif/cert/new/random tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no rlm_eap: Loaded and initialized type tls peap: default_eap_type = mschapv2 peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no rlm_eap: Loaded and initialized type peap rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /usr/local/etc/raddb/huntgroups preprocess: hints = /usr/local/etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no
Re: Windows sending Hostname
do you have this part of the config enabled?

    preprocess {
        # Windows NT machines often authenticate themselves as
        # NT_DOMAIN\username
        #
        # If this is set to 'yes', then the NT_DOMAIN portion
        # of the user-name is silently discarded.
        with_ntdomain_hack = yes
    }

Sevcik Berndt wrote:
> I use Windows XP with PEAP for authentication. The problem is that in the uid at the Radius Server is always the following string: HOSTNAME\\USERNAME
>
> So our LDAP lookup is not working (requires only the username). Is there a possibility to extract only the username?
>
> Thanks
> Berndt
>
> TGM - Die Schule der Technik
> IT-Service
> A-1200 Wien, Wexstr. 19-23
> Tel. +43(1)33126/316 Fax: +43(1)33126/154
> E-Mail: [EMAIL PROTECTED]
Really need Help
Hi everybody,

I am having a problem with acct_users, I did a shell script but when the user logs on, the radius prints that exec-program is running but it didn't make any action. I really do know how to set it up.

Thanks

Regards,
Lucas Oliveira
Web Manager
Prompt Tecnologia
www.prompt-tecnologia.com.br
Getting no results with LDAP
Thanks for the tip with the NT Domain hack, Brian.

Another problem is the LDAP query itself. I get no result for my username. But the user exists, and when I use the ldapsearch command with the same filter I also get a result. I use the latest CVS version of Freeradius and openLDAP version 2.1.22-1

rlm_ldap: - authorize
rlm_ldap: performing user authorization for sevcikb
radius_xlat: '(uid=sevcikb)'
radius_xlat: 'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter (uid=sevcikb)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0

Here's my config:

ldap {
    server = localhost
    identity = cn=admin,dc=tgm,dc=ac,dc=at
    password = xxx
    basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    # base_filter = (objectclass=radiusprofile)
    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    # The StartTLS operation is supposed to be used with normal
    # ldap connections instead of using ldaps (port 689) connections
    start_tls = no
    # tls_cacertfile= /path/to/cacert.pem
    # tls_cacertdir = /path/to/ca/dir/
    # tls_certfile = /path/to/radius.crt
    # tls_keyfile = /path/to/radius.key
    # tls_randfile = /path/to/rnd
    # tls_require_cert = demand
    # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
    # profile_attribute = radiusProfileDn
    # access_attr = dialupAccess
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    #
    # NOTICE: The password_header directive is NOT case insensitive
    #
    # password_header = {clear}
    #
    # The server can usually figure this out on its own, and pull
    # the correct User-Password or NT-Password from the database.
    #
    # Note that NT-Passwords MUST be stored as a 32-digit hex
    # string, and MUST start off with 0x, such as:
    #
    # 0x000102030405060708090a0b0c0d0e0f
    #
    # Without the leading 0x, NT-Passwords will not work.
    # This goes for NT-Passwords stored in SQL, too.
    # password_attribute = ntPassword
    # groupname_attribute = cn
    # groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
    # groupmembership_attribute = radiusGroupName
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # do_xlat = yes
    # access_attr_used_for_allow = yes
}

Thanks for help
Berndt
WLAN/NT-Domain Authentication
Hi all,

we have a freeRadius Server (0.9.3) authenticating WLAN-Users. It works fine with the local users file, but we want it to authenticate the users against our NT-Domain. I have learned that rlm_smb should be used to achieve this, so I re-configured freeRadius with experimental modules. This block was added to radiusd.conf:

    smb {
        server = srv1.domain.com
        backup = srv2.domain.com
        domain = domain.com
    }

But when I try to authenticate a user, I get:

    auth: Failed to validate the user.

without any mentioning of the smb module in the above output about the request.

Any help would be appreciated!

With kind regards,
Kajetan Matla
Freeradius Ip address assignation
Is there a way for freeradius to be the one assigning the dynamic ip addresses, instead of the access server assigning them? I am trying to create different groups, with different dynamic ranges of ip addresses, for a project, and I cannot do that on the ascend max. Only the pool assignation is used to be specified using different PRI's or phone number.

Anybody knows if there's a way of the radius be in charge of assigning the pool of ips for each group?
Re: WLAN/NT-Domain Authentication
WLAN authentication is handled by the EAP module. Sounds like, for what you're wanting to do, you need to look at the PEAP setup.

--Mike

On Tue, 2003-12-16 at 08:22, Kai Matla wrote:
> Hi all,
>
> we have a freeRadius Server (0.9.3) authenticating WLAN-Users. It works fine with the local users file, but we want it to authenticate the users against our NT-Domain. I have learned that rlm_smb should be used to achieve this, so I re-configured freeRadius with experimental modules. This block was added to radiusd.conf:
>
>     smb {
>         server = srv1.domain.com
>         backup = srv2.domain.com
>         domain = domain.com
>     }
>
> But when I try to authenticate a user, I get:
>
>     auth: Failed to validate the user.
>
> without any mentioning of the smb module in the above output about the request.
>
> Any help would be appreciated!
>
> With kind regards,
> Kajetan Matla

--
--Mike
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: Freeradius Ip address assignation
At 08:29 AM 12/16/2003, Alex Rodriguez wrote:
> Is there a way for freeradius to be the one assigning the dynamic ip addresses, instead of the access server assigning them? I am trying to create different groups, with different dynamic ranges of ip addresses, for a project, and I cannot do that on the ascend max. Only the pool assignation is used to be specified using different PRI's or phone number.

You can actually. If you put the ip's in different pools on the MAX, you can tell it which pool to pull a dynamic IP from via the Vendor-Specific attribute Ascend-Assign-IP-Pool ( from dictionary.ascend ). See the MAX documentation for how to do this.

> Anybody knows if there's a way of the radius be in charge of assigning the pool of ips for each group?

the rlm_ippool module can allow FreeRADIUS to assign IP's from a pool that it manages.

-Chris

--
Chris Parker, Director, Engineering
StarNet Inc.
(847) 963-0116
http://www.starnetwx.net
WX *is* Wireless!
Wholesale Internet Services - http://www.megapop.net
Re: Getting no results with LDAP
The problem is solved! Sorry for the posting

Thanks
Berndt

On Tue, 2003-12-16 at 15:09, Sevcik Berndt wrote:
> Thanks for the tip with the NT Domain hack, Brian.
>
> Another problem is the LDAP query itself. I get no result for my username. But the user exists, and when I use the ldapsearch command with the same filter I also get a result. I use the latest CVS version of Freeradius and openLDAP version 2.1.22-1
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for sevcikb
> radius_xlat: '(uid=sevcikb)'
> radius_xlat: 'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter (uid=sevcikb)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> ldap_release_conn: Release Id: 0
>
> Here's my config:
>
> ldap {
>     server = localhost
>     identity = cn=admin,dc=tgm,dc=ac,dc=at
>     password = xxx
>     basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
>     filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>     # base_filter = (objectclass=radiusprofile)
>     # set this to 'yes' to use TLS encrypted connections
>     # to the LDAP database by using the StartTLS extended
>     # operation.
>     # The StartTLS operation is supposed to be used with normal
>     # ldap connections instead of using ldaps (port 689) connections
>     start_tls = no
>     # tls_cacertfile= /path/to/cacert.pem
>     # tls_cacertdir = /path/to/ca/dir/
>     # tls_certfile = /path/to/radius.crt
>     # tls_keyfile = /path/to/radius.key
>     # tls_randfile = /path/to/rnd
>     # tls_require_cert = demand
>     # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
>     # profile_attribute = radiusProfileDn
>     # access_attr = dialupAccess
>     # Mapping of RADIUS dictionary attributes to LDAP
>     # directory attributes.
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 5
>     #
>     # NOTICE: The password_header directive is NOT case insensitive
>     #
>     # password_header = {clear}
>     #
>     # The server can usually figure this out on its own, and pull
>     # the correct User-Password or NT-Password from the database.
>     #
>     # Note that NT-Passwords MUST be stored as a 32-digit hex
>     # string, and MUST start off with 0x, such as:
>     #
>     # 0x000102030405060708090a0b0c0d0e0f
>     #
>     # Without the leading 0x, NT-Passwords will not work.
>     # This goes for NT-Passwords stored in SQL, too.
>     # password_attribute = ntPassword
>     # groupname_attribute = cn
>     # groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
>     # groupmembership_attribute = radiusGroupName
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>     # compare_check_items = yes
>     # do_xlat = yes
>     # access_attr_used_for_allow = yes
> }
>
> Thanks for help
> Berndt

--
This message was created with the kind support of a free-range penguin kept in species-appropriate outdoor conditions. It is guaranteed free of Microsoft viruses.

TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316 Fax: +43(1)33126/154
E-Mail: [EMAIL PROTECTED]
Re: Getting no results with LDAP
On Tue, 16 Dec 2003, Sevcik Berndt wrote:
> Thanks for the tip with the NT Domain hack, Brian.
>
> Another problem is the LDAP query itself. I get no result for my username. But the user exists, and when I use the ldapsearch command with the same filter I also get a result. I use the latest CVS version of Freeradius and openLDAP version 2.1.22-1
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for sevcikb
> radius_xlat: '(uid=sevcikb)'
> radius_xlat: 'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter (uid=sevcikb)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> ldap_release_conn: Release Id: 0

Check your ldap server ACIs
Check your ldap server logs
freeradius normally just uses the openldap libs (which are used by ldapsearch) so there should be some kind of difference between the queries ran by each one.

> Here's my config:
>
> ldap {
>     server = localhost
>     identity = cn=admin,dc=tgm,dc=ac,dc=at
>     password = xxx
>     basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
>     filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>     # base_filter = (objectclass=radiusprofile)
>     # set this to 'yes' to use TLS encrypted connections
>     # to the LDAP database by using the StartTLS extended
>     # operation.
>     # The StartTLS operation is supposed to be used with normal
>     # ldap connections instead of using ldaps (port 689) connections
>     start_tls = no
>     # tls_cacertfile= /path/to/cacert.pem
>     # tls_cacertdir = /path/to/ca/dir/
>     # tls_certfile = /path/to/radius.crt
>     # tls_keyfile = /path/to/radius.key
>     # tls_randfile = /path/to/rnd
>     # tls_require_cert = demand
>     # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
>     # profile_attribute = radiusProfileDn
>     # access_attr = dialupAccess
>     # Mapping of RADIUS dictionary attributes to LDAP
>     # directory attributes.
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 5
>     #
>     # NOTICE: The password_header directive is NOT case insensitive
>     #
>     # password_header = {clear}
>     #
>     # The server can usually figure this out on its own, and pull
>     # the correct User-Password or NT-Password from the database.
>     #
>     # Note that NT-Passwords MUST be stored as a 32-digit hex
>     # string, and MUST start off with 0x, such as:
>     #
>     # 0x000102030405060708090a0b0c0d0e0f
>     #
>     # Without the leading 0x, NT-Passwords will not work.
>     # This goes for NT-Passwords stored in SQL, too.
>     # password_attribute = ntPassword
>     # groupname_attribute = cn
>     # groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
>     # groupmembership_attribute = radiusGroupName
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>     # compare_check_items = yes
>     # do_xlat = yes
>     # access_attr_used_for_allow = yes
> }
>
> Thanks for help
> Berndt

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Repeating authentication all the time
The authentication now works and I see an Access Accept packet at the end. But the interesting thing is that the authentication goes on a few seconds later and the same process is repeated. The Windows XP PC never gets really authenticated. The Access Point shows that the authentication was successful (RoamAbout R2).

Has someone had the same experience?

Thanks
Berndt

Initializing the thread pool...
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=136, length=116
    Message-Authenticator = 0x649854dbce2d7bf0fcee43598bb647e6
    User-Name = berndt.sevcik
    NAS-IP-Address = 10.3.4.2
Sending Access-Challenge of id 145 to 10.3.4.2:1043
    EAP-Message = 0x01cc004a1900170301003ffbb7b7b2a9fc6b9e6cba07729cdb312818ca43307b7ec2a2ab3669b1d5b66f3a3df95d0b0adc9ef933a6b97961eb47099d149ffcc38d3f4ca2b16510ad77be
    Message-Authenticator = 0x
    State = 0x4cb24f3bbf150ffaf70f1305ee419e12
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=146, length=145
    Message-Authenticator = 0x2c0ff11621c9b0033f34fb6ea44546e7
    User-Name = berndt.sevcik
    State = 0x4cb24f3bbf150ffaf70f1305ee419e12
    NAS-IP-Address = 10.3.4.2
    NAS-Port = 2
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = 00-04-23-77-4b-a3
    Framed-MTU = 1000
    EAP-Message = 0x02cc001d1900170301001259680ad935701f4d4333b259e3773f36bf28
rlm_ldap: - authorize
rlm_ldap: performing user authorization for berndt.sevcik
ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 0x97BA4F3659E30573DB838CA8692897BC op=21
rlm_ldap: Adding lmPassword as LM-Password, value B1EE20160x1D73468FA91E548719C3AC6E op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user berndt.sevcik authorized to use remote access
ldap_release_conn: Release Id: 0
PEAP: Got tunneled EAP-Message
    EAP-Message = 0x02cc00061a03
PEAP: Sending tunneled request
    EAP-Message = 0x02cc00061a03
    Freeradius-Proxied-To = 127.0.0.1
    User-Name = berndt.sevcik
    State = 0x1ea57825164814a89aa097aba563
rlm_ldap: - authorize
rlm_ldap: performing user authorization for berndt.sevcik
ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 0x97BA4F3659E30573DB838CA8692897BC op=21
rlm_ldap: Adding lmPassword as LM-Password, value B1EE20160x1D73468FA91E548719C3AC6E op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user berndt.sevcik authorized to use remote access
ldap_release_conn: Release Id: 0
PEAP: Got tunneled reply RADIUS code 2
    EAP-Message = 0x03cc0004
    Message-Authenticator = 0x
    User-Name = berndt.sevcik
Sending Access-Accept of id 146 to 10.3.4.2:1043
    MS-MPPE-Recv-Key = 0x82040f0dd02ebaa84b2558e7067ce3f505fee4528a582a61c71762d4493c83e3
    MS-MPPE-Send-Key = 0xaa9976081be52cdc089a854b705837c58c0e218b0f58a52f82585c06711400dd
    EAP-Message = 0x03cc0004
    Message-Authenticator = 0x
    User-Name = berndt.sevcik
Sending Access-Challenge of id 145 to 10.3.4.2:1043
    EAP-Message = 0x01cc004a1900170301003ffbb7b7b2a9fc6b9e6cba07729cdb312818ca43307b7ec2a2ab3669b1d5b66f3a3df95d0b0adc9ef933a6b97961eb47099d149ffcc38d3f4ca2b16510ad77be
    Message-Authenticator = 0x
    State = 0x4cb24f3bbf150ffaf70f1305ee419e12
rad_recv: Access-Request packet from host 10.3.4.2:1043, id=146, length=145
    Message-Authenticator = 0x2c0ff11621c9b0033f34fb6ea44546e7
    User-Name = berndt.sevcik
    State = 0x4cb24f3bbf150ffaf70f1305ee419e12
    NAS-IP-Address = 10.3.4.2
    NAS-Port = 2
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = 00-04-23-77-4b-a3
    Framed-MTU = 1000
    EAP-Message = 0x02cc001d1900170301001259680ad935701f4d4333b259e3773f36bf28
rlm_ldap: - authorize
rlm_ldap: performing user authorization for berndt.sevcik
ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 0x97BA4F3659E30573DB838CA8692897BC op=21
rlm_ldap: Adding lmPassword as LM-Password, value B1EE20160x1D73468FA91E548719C3AC6E op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user berndt.sevcik authorized to use remote access
ldap_release_conn: Release Id: 0
PEAP: Got tunneled EAP-Message
    EAP-Message = 0x02cc00061a03
PEAP: Sending tunneled request
    EAP-Message = 0x02cc00061a03
    Freeradius-Proxied-To = 127.0.0.1
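An added example, not part of the original post: a small decoder for the EAP-Message values in the debug output above, so each step of the PEAP exchange can be read off by EAP code, type and MS-CHAP-V2 opcode. The function names and the LOG_SAMPLES list are assumptions made for this illustration; the hex values are copied from the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAP-V2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure",
                    7: "Change-Password"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
               23: "ApplicationData"}

# EAP-Message values copied from the debug output above, in log order.
LOG_SAMPLES = [
    ("NAS -> server (outer)",
     "0x02cc001d1900170301001259680ad935701f4d4333b259e3773f36bf28"),
    ("inside PEAP tunnel", "0x02cc00061a03"),
    ("in Access-Accept", "0x03cc0004"),
]


def parse_tls_records(data):
    """Walk TLS record headers (type, version, length) without decrypting."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        records.append({"content": TLS_CONTENT.get(ctype, ctype),
                        "version": (major, minor), "length": rlen})
        pos += 5 + rlen
    return records


def parse_eap(value):
    """Decode one EAP-Message attribute value as printed in the debug log."""
    text = value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident,
           "length": length, "type": None}
    body = raw[4:length]
    if code in (1, 2) and body:            # only Request/Response carry a Type
        etype, data = body[0], body[1:]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype in (13, 25) and data:     # TLS-based methods: flags, then records
            flags, tls = data[0], data[1:]
            pkt["more_fragments"] = bool(flags & 0x40)
            if flags & 0x80:               # L bit: 4-byte total TLS length first
                tls = tls[4:]
            pkt["tls_records"] = parse_tls_records(tls)
        elif etype == 26 and data:         # EAP-MSCHAPv2: first byte is the opcode
            pkt["mschapv2_opcode"] = MSCHAPV2_OPCODES.get(data[0], data[0])
    return pkt


def describe(value):
    """One-line summary of an EAP-Message value."""
    p = parse_eap(value)
    parts = ["%s id=%d len=%d" % (p["code"], p["id"], p["length"])]
    if p["type"] is not None:
        parts.append("type=%s" % p["type"])
    if "mschapv2_opcode" in p:
        parts.append("opcode=%s" % p["mschapv2_opcode"])
    for rec in p.get("tls_records", []):
        parts.append("tls=%s/%d bytes" % (rec["content"], rec["length"]))
    return " ".join(parts)


if __name__ == "__main__":
    for where, value in LOG_SAMPLES:
        print("%-22s %s" % (where, describe(value)))
```

Decoded this way, the last tunneled packet in the log is an MS-CHAP-V2 Success response and the Access-Accept carries EAP Success for the same identifier.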
Re: Getting no results with LDAP
The problem was the following line

password = xxx

The correct syntax is:

password = xxx

I copied this line from an earlier version of freeradius (about 0.9) and I think there it worked. But I also updated the openldap server, so it is hard to say which part changed.

Berndt

On Tue, 2003-12-16 at 16:23, Kostas Kalevras wrote:

> On Tue, 16 Dec 2003, Sevcik Berndt wrote:
>
> > Thanks for the tip with the NT Domain hack, Brian.
> >
> > Another problem is the LDAP query itself. I get no result for my username. But the user exists, and when I use the ldapsearch command with the same filter I also get a result.
> >
> > I use the latest CVS version of Freeradius and openLDAP version 2.1.22-1
> >
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for sevcikb
> > radius_xlat: '(uid=sevcikb)'
> > radius_xlat: 'ou=People,ou=admin,dc=tgm.dc=ac,dc=at'
> > ldap_get_conn: Got Id: 0
> > rlm_ldap: performing search in ou=People,ou=admin,dc=tgm.dc=ac,dc=at, with filter (uid=sevcikb)
> > rlm_ldap: object not found or got ambiguous search result
> > rlm_ldap: search failed
> > ldap_release_conn: Release Id: 0
>
> Check your ldap server ACIs
> Check your ldap server logs
>
> freeradius normally just uses the openldap libs (which are used by ldapsearch) so there should be some kind of difference between the queries run by each one.
>
> > Here's my config:
> >
> > ldap {
> >     server = localhost
> >     identity = cn=admin,dc=tgm,dc=ac,dc=at
> >     password = xxx
> >     basedn = ou=People,ou=admin,dc=tgm.dc=ac,dc=at
> >     filter = (uid=%{Stripped-User-Name:-%{User-Name}})
> >     # base_filter = (objectclass=radiusprofile)
> >     # set this to 'yes' to use TLS encrypted connections
> >     # to the LDAP database by using the StartTLS extended
> >     # operation.
> >     # The StartTLS operation is supposed to be used with normal
> >     # ldap connections instead of using ldaps (port 689) connections
> >     start_tls = no
> >     # tls_cacertfile= /path/to/cacert.pem
> >     # tls_cacertdir = /path/to/ca/dir/
> >     # tls_certfile = /path/to/radius.crt
> >     # tls_keyfile = /path/to/radius.key
> >     # tls_randfile = /path/to/rnd
> >     # tls_require_cert = demand
> >     # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
> >     # profile_attribute = radiusProfileDn
> >     # access_attr = dialupAccess
> >     # Mapping of RADIUS dictionary attributes to LDAP
> >     # directory attributes.
> >     dictionary_mapping = ${raddbdir}/ldap.attrmap
> >     ldap_connections_number = 5
> >     #
> >     # NOTICE: The password_header directive is NOT case insensitive
> >     #
> >     # password_header = {clear}
> >     #
> >     # The server can usually figure this out on its own, and pull
> >     # the correct User-Password or NT-Password from the database.
> >     #
> >     # Note that NT-Passwords MUST be stored as a 32-digit hex
> >     # string, and MUST start off with 0x, such as:
> >     #
> >     # 0x000102030405060708090a0b0c0d0e0f
> >     #
> >     # Without the leading 0x, NT-Passwords will not work.
> >     # This goes for NT-Passwords stored in SQL, too.
> >     #
> >     password_attribute = ntPassword
> >     # groupname_attribute = cn
> >     # groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
> >     # groupmembership_attribute = radiusGroupName
> >     timeout = 4
> >     timelimit = 3
> >     net_timeout = 1
> >     # compare_check_items = yes
> >     # do_xlat = yes
> >     # access_attr_used_for_allow = yes
> > }
> >
> > Thanks for help
> > Berndt
>
> --
> Kostas Kalevras
> Network Operations Center
> [EMAIL PROTECTED]
> National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf

--
This message was created with the kind support of a free-range penguin kept in species-appropriate conditions. It is guaranteed free of Microsoft viruses.

TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316
Fax: +43(1)33126/154
E-Mail: [EMAIL PROTECTED]
Re: Prompt user for callback number - TXT
On Tue, 16 Dec 2003 at 11:19 (+0100), Rther Milan wrote:

> How can I force freeradius server to prompt the user for its
> callback number?

When a user dials in you want them to be prompted for their username, password and callback number? You can't. FreeRADIUS does not talk to the user. The NAS talks to the user and sends authentication packets to the FreeRADIUS server.

> I cannot use %i variable because i need make out two phone number
> (1st call-in 2nd callback)

FreeRADIUS (like all RADIUS servers) can only work with the information that is provided to it.

Michael

--
Michael J. Hartwick, VE3SLQ [EMAIL PROTECTED]
Hartwick Communications Consulting (519) 396-7719
Kincardine, ON, CA http://www.hartwick.com
Re: Can't get Login-Time to work
Hi all ...

Just a question about Login-Time ... I was trying to get this working using mysql instead of files. If I put the Login-Time attribute in the radcheck table (user by user), it works OK. I tried to put it for some group, in radgroupcheck, but it doesn't work, I always get Access-Accept.

I would be thankful for any ideas ...

Regards,
Kevork.

----- Original Message -----
From: Jonathan Ruano [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 18, 2003 12:29 PM
Subject: RE: Can't get Login-Time to work

I think Login-Time is a check parameter, so you should include it on the first line:

user1 Auth-Type := System, Login-Time := Wk0745-1715
    Framed-IP-Address = 255.255.255.254,
    Framed-MTU = 1500,
    [..]

For the meaning of the operators (=, ==, :=, etc.) take a look at rlm_sql doc file.

Jon
Re: Repeating authentication all the time
Just a guess:

Is there any firewall software/hardware that may not be allowing the acknowledgement to be returned to the NAS?

Sevcik Berndt wrote:

> The authentication now works and I see an Access Accept packet at the end. But the interesting thing is that the authentication goes on a few seconds later and the same process is repeated. The Windows XP PC never gets really authenticated. The Access Point shows that the authentication was successful (RoamAbout R2).
>
> Has someone had the same experience?
>
> Thanks
> Berndt
Re: Cisco VPN3000 with freeradius
Alan DeKok [EMAIL PROTECTED] wrote:

> From: Alan DeKok [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco VPN3000 with freeradius
> Date: Mon, 15 Dec 2003 14:39:46 -0500
> Reply-To: [EMAIL PROTECTED]
>
> Spetzler, Arne (DZ-SH) [EMAIL PROTECTED] wrote:
>
> > I am successfully authenticating Certificate users against freeradius = 0.9.0 (from suse 9.0). BUT: only the 'first' time. That means: wait a 'long' time (av. 15 min) authenticate successful
>
> This has nothing to do with FreeRADIUS. If the client/NAS doesn't contact the server, there's nothing that FreeRADIUS can do to speed up the process.
>
> > The CISCO Access Control Server ACS did not show this behavior.
>
> I would suggest seeing what attributes are sent back from the Cisco server, and make FreeRADIUS send back the same attributes. Whatever the problem is, that is the only fix.
>
> Alan DeKok.

Hi, Alan,

no, this is _not_ the only fix ;)

I have found the problem now: the VPN3000 Concentrator has a timing problem: if the answer from the radius server is _fast_ ( 200ms) _and_ a lot of debugging is enabled - then the vpn3000 may lose the udp packet which contains the answer.

The FREERADIUS _is_ fast - in our environment the answers came after 30-180 ms. So packets get lost.

Because the CISCO ACS is not so fast ( 300ms) this did not happen with ACS.

regards,
Arne Spetzler
Re: Repeating authentication all the time
They are connected via the same network (also the same switch). The funny thing is that the Access Point says that the Client is authenticated.

Berndt

On Tue, 2003-12-16 at 17:34, Guy Fraser wrote:

> Just a guess:
>
> Is there any firewall software/hardware that may not be allowing the acknowledgement to be returned to the NAS?
>
> Sevcik Berndt wrote:
>
> > The authentication now works and I see an Access Accept packet at the end. But the interesting thing is that the authentication goes on a few seconds later and the same process is repeated. The Windows XP PC never gets really authenticated. The Access Point shows that the authentication was successful (RoamAbout R2).
> >
> > Has someone had the same experience?
> >
> > Thanks
> > Berndt

--
This message was created with the kind support of a free-range penguin kept in species-appropriate conditions. It is guaranteed free of Microsoft viruses.

TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316
Fax: +43(1)33126/154
E-Mail: [EMAIL PROTECTED]
Re: Freeradius Ip address assignation
On Tue, Dec 16, 2003 at 09:17:56AM -0600, Chris Parker wrote:

> At 08:29 AM 12/16/2003, Alex Rodriguez wrote:
>
> > There is a way for freeradius to be the one assigning the dynamic ip addresses, instead of the access server assigning them? I am trying to create different groups, with different dynamic ranges of ip addresses, for a project, and i cannot do that on the ascend max. Only the pool assignation is used to be specified using different PRI's or phone number.
>
> You can actually. If you put the ip's in different pools on the MAX, you can tell it which pool to pull a dynamic IP from via the Vendor-Specific attribute Ascend-Assign-IP-Pool ( from dictionary.ascend ). See the MAX documentation for how to do this.

And I would urge you to use this solution, cause you get no benefit from letting freeradius manage the IPs. You can assign the pools to your MAXes via freeradius and you can tell the MAX which pool to choose per user. This will save you from asking the MAX for valid sessions and losing IPs cause your radius missed a closed session...

The only real benefit of managing pools on radius side would be in a pure dynamic routed environment (OSPF in this case -- watch your TAOS version!), where the MAX can set the routes dynamically for each assigned ip, and the pools need not be on a per device base. So you could use a few huge pools distributed over a lot of MAXes without 'losing' lots of net and broadcast addresses...

Oliver.
Re: Cisco VPN3000 with freeradius
On Tue, Dec 16, 2003 at 05:56:40PM +0100, Spetzler, Arne (DZ-SH) wrote:

> if the answer from the radius server is _fast_ ( 200ms) _and_ a lot of debugging is enabled - then the vpn3000 may lose the udp packet which contains the answer.
>
> The FREERADIUS _is_ fast - in our environment the answers came after 30-180 ms. So packets get lost.
>
> Because the CISCO ACS is not so fast ( 300ms) this did not happen with ACS.

Huh, cool :)

So what about an answer-delay option for sluggy NASes? ;)

Oliver.
Re: Cisco VPN3000 with freeradius
Oliver Graf [EMAIL PROTECTED] wrote:

> So what about an answer-delay option for sluggy NASes? ;)

Yuck.

Alan DeKok.
RE: Freeradius Ip address assignation
I've been trying to get this to work. What must I enable and where to get freeradius to manage the IP pools. I have the setup mentioned with an OSPF setup using ASCEND products that can do dynamic routing. It keeps trying to look for it in my SQL db.

Any help?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Graf
Sent: Tuesday, December 16, 2003 12:22 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius Ip address assignation

On Tue, Dec 16, 2003 at 09:17:56AM -0600, Chris Parker wrote:

> At 08:29 AM 12/16/2003, Alex Rodriguez wrote:
>
> > There is a way for freeradius to be the one assigning the dynamic ip addresses, instead of the access server assigning them? I am trying to create different groups, with different dynamic ranges of ip addresses, for a project, and i cannot do that on the ascend max. Only the pool assignation is used to be specified using different PRI's or phone number.
>
> You can actually. If you put the ip's in different pools on the MAX, you can tell it which pool to pull a dynamic IP from via the Vendor-Specific attribute Ascend-Assign-IP-Pool ( from dictionary.ascend ). See the MAX documentation for how to do this.

And I would urge you to use this solution, cause you get no benefit from letting freeradius manage the IPs. You can assign the pools to your MAXes via freeradius and you can tell the MAX which pool to choose per user. This will save you from asking the MAX for valid sessions and losing IPs cause your radius missed a closed session...

The only real benefit of managing pools on radius side would be in a pure dynamic routed environment (OSPF in this case -- watch your TAOS version!), where the MAX can set the routes dynamically for each assigned ip, and the pools need not be on a per device base. So you could use a few huge pools distributed over a lot of MAXes without 'losing' lots of net and broadcast addresses...

Oliver.
Re: Freeradius Ip address assignation
On Tue, Dec 16, 2003 at 12:46:18PM -0600, Anson Rinesmith wrote:

> I've been trying to get this to work. What must I enable and where to get freeradius to manage the IP pools. I have the setup mentioned with an OSPF setup using ASCEND products that can do dynamic routing. It keeps trying to look for it in my SQL db.

I would opt to configure some pools and go... an example is in the standard radiusd.conf. Each pool should have its own db file I would say. But I don't think it does something in sql, it uses gdbm db files.

Sorry, I can't be of more help, cause I never used this. From the one look I took at it a minute ago, I would ask myself the question: how does the radiusd sense a disconnect? A quick look in the sources shows that it does this by looking at the stop records. Be sure it sees all (here is the place where you certainly will lose some IPs over time). And there seems to be a tool called rlm_ippool_tool to clean up those stuck entries. Perhaps with a script that checks those sessions via snmp...

Oliver (still feeling good using nas-side pools).
freeradius mysql simultaneous-use question URGENT
Hi,

I am new to freeradius. I need some help in using simultaneous-use for detecting double logins using mysql only.

Here is my current set up:

select * from radgroupcheck

+----+-----------+------------------+----+-------+
| id | GroupName | Attribute        | op | Value |
+----+-----------+------------------+----+-------+
|  2 | static    | Auth-Type        | == | Local |
+----+-----------+------------------+----+-------+
|  4 | static    | Simultaneous-Use | := | 1     |
+----+-----------+------------------+----+-------+

select * from usergroup

+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
| 33 | PW006    | static    |
+----+----------+-----------+

select * from radcheck

+----+----------+-----------+----+-------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+-------+
| 18 | PW006    | Password  | == | abcd  |
+----+----------+-----------+----+-------+

In my radius.conf I have a set up like this:

session {
    sql
}

In sql.conf, the "Simultaneous Use Checking Queries" are uncommented.

I am using NTRadPing to test for simultaneous-use and am failing to do so! I am doing an accounting start using NTRadPing for the same user with a different NAS-IP-Address (additional RADIUS attribute) and a different port NAS-Port (additional RADIUS attribute). Though simultaneous-use is set up, the user is not stopped for double login at all. It creates two entries in the radacct table, and when I run accounting stop it updates the relevant radacct records with the AcctStopTime.

Can anyone tell me where I am going wrong? This is urgent and I am clueless as to what else needs to be done.

The sqltrace.log does not show that the uncommented statements in sql.conf are executed. How do I make sure that they get executed? Also please let me know if this is a correct procedure for testing the same.

Thanks in advance,
Soujanya
Re: freeradius mysql simultaneous-use question URGENT
Soujanya Rao [EMAIL PROTECTED] wrote:

> Can anyone tell me where I am going wrong? This is urgent and I am clueless as to what else needs to be done.

Ensure that 'sql' is listed in the 'accounting' section.

Run: radiusd -X

Alan DeKok.
Re: Freeradius Ip address assignation
On Tue, 16 Dec 2003, Oliver Graf wrote:

> On Tue, Dec 16, 2003 at 12:46:18PM -0600, Anson Rinesmith wrote:
>
> > I've been trying to get this to work. What must I enable and where to get freeradius to manage the IP pools. I have the setup mentioned with an OSPF setup using ASCEND products that can do dynamic routing. It keeps trying to look for it in my SQL db.
>
> I would opt to configure some pools and go... an example is in the standard radiusd.conf. Each pool should have its own db file I would say. But I don't think it does something in sql, it uses gdbm db files.
>
> Sorry, I can't be of more help, cause I never used this. From the one look I took at it a minute ago, I would ask myself the question: how does the radiusd sense a disconnect? A quick look in the sources shows that it does this by looking at the stop records. Be sure it sees all (here is the place where you certainly will lose some IPs over time). And there seems to be a tool called rlm_ippool_tool to clean up those stuck entries. Perhaps with a script that checks those sessions via snmp...

rlm_ippool will also clear an entry if an access-request comes in on an assigned nas/port combination. So as long as accounting works ok and the ip pool is not full rlm_ippool should be able to find a free entry.

> Oliver (still feeling good using nas-side pools).

Me too. There's very little reason in using server side pools.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
RE: Freeradius Ip address assignation
I have added an

ippool main_pool {
    range-start = 192.168.31.1
    range-stop = 192.168.31.254
    netmask = 255.255.255.0
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
    override = yes
}

in radiusd.conf

What steps am I missing?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Graf
Sent: Tuesday, December 16, 2003 3:06 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius Ip address assignation

On Tue, Dec 16, 2003 at 12:46:18PM -0600, Anson Rinesmith wrote:

> I've been trying to get this to work. What must I enable and where to get freeradius to manage the IP pools. I have the setup mentioned with an OSPF setup using ASCEND products that can do dynamic routing. It keeps trying to look for it in my SQL db.

I would opt to configure some pools and go... an example is in the standard radiusd.conf. Each pool should have its own db file I would say. But I don't think it does something in sql, it uses gdbm db files.

Sorry, I can't be of more help, cause I never used this. From the one look I took at it a minute ago, I would ask myself the question: how does the radiusd sense a disconnect? A quick look in the sources shows that it does this by looking at the stop records. Be sure it sees all (here is the place where you certainly will lose some IPs over time). And there seems to be a tool called rlm_ippool_tool to clean up those stuck entries. Perhaps with a script that checks those sessions via snmp...

Oliver (still feeling good using nas-side pools).
Re: Custom SQL Query
Thanks for the reply.

But in the sql.conf there are only authorise and accounting queries. Can I add my query to the end of those queries? Then how?

What I would like to do is, after I receive an accounting query, do some calculation and update some tables on 2 different databases.

Kevin Bonner [EMAIL PROTECTED] wrote:

> On Monday 15 December 2003 18:03, Amgaabaatar Purevjal wrote:
>
> > Hello
> >
> > I need to put some custom query after I receive accounting packet. Where I should look into it? rlm_sql.c is that correct file? Or I could add into accounting query?
> >
> > Thanks
>
> sql.conf (by default) is where you should specify any query. There are defaults in there which can be modified so that they work with your local table structure.
>
> Kevin Bonner
Help needed.
Hello All,

I am a new user to this mailing list. I am using a Radius server to see how it authenticates. I am running freeradius on a Linux machine and it is connected to an AP600 (Access Point) through which users are connected. Users are running on Windows 2000 Professional.

Following is the configuration I have done:

file - clients.conf:

# 192.168.100.7 is the IP address of my Access Point (wireless) (AP600)
# which supports RADIUS.
192.168.100.7/24 {
    secret = abcde
    shortname = AP-600LAB
}

file - users:

# TECH4 is the name of the wireless client (machine name) which is
# running on Windows.
TECH4 Auth-Type := EAP, User-Password == password
    Reply-Message = Hello, %u

I think the problem is with the 'user' part. I don't know which 'Auth-Type' I have to use. Please help me with my settings. Please let me know what modifications I have to make to get it working.

FYI: The 'radtest' is working fine.

--
Best Regards,
Shashi.
RE: There are no DB handles to use! skipped 0, tried to connect 0
hi, thanks for the great feedback, now all tables are InnoDB everything was working fine, till I upgraded to the latest CVS src of 16-Dec-2003, and ran ground just to check now the radius keeps on dying on me.. have not been able to check it out but some of the interesting thing that I found in radiusd.log Wed Dec 17 01:29:50 2003 : Error: Dropping conflicting packet from client X:52730 - ID: 234 due to unfinished request 76121 above message repeating about 40-50 times and then the radiusd died now I have downgraded to 0.9.3 and trying to find out if the problem still exists no changes were done in any configuration files Ripunjay -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kostas Kalevras Sent: Tuesday, December 16, 2003 1:53 AM To: [EMAIL PROTECTED] Subject: RE: There are no DB handles to use! skipped 0, tried to connect 0 On Tue, 16 Dec 2003, Ripunjay Bararia wrote: thanks Alan, for the comment, My SQL server and FR are running on the same box, will separating them be a good idea, I need to do AAA for about 1500 concurrent users what kind of a machine would I need for FR and how much load will it put on the MySQL server so that I can scale both of the machines accordingly currently both are running on P-IV 2.6 Intel 856 based board 512MB DDR 266Mhz 9.1GB X 2 SCSI disks The hardware is more than adequate. And there's no need to separate them. Read doc/tuning_guide and especially the section on the sql module. In general for mysql EXPLAIN SELECT is your friend. Run all the SELECT queries (and also transform all the UPDATE queries to corresponding SELECT queries) through an EXPLAIN SELECT statement to see how many candidate rows are there. 
Example outputs:

    mysql> explain select * from radacct where acctstoptime is null;
    +---------+------+---------------+--------------+---------+-------+------+-------------+
    | table   | type | possible_keys | key          | key_len | ref   | rows | Extra       |
    +---------+------+---------------+--------------+---------+-------+------+-------------+
    | radacct | ref  | AcctStopTime  | AcctStopTime |       8 | const |  315 | Using where |
    +---------+------+---------------+--------------+---------+-------+------+-------------+
    1 row in set (0.02 sec)

    mysql> explain select * from radacct where acctstoptime = '2003-12-15 21:00:00';
    +---------+------+---------------+--------------+---------+-------+------+-------------+
    | table   | type | possible_keys | key          | key_len | ref   | rows | Extra       |
    +---------+------+---------------+--------------+---------+-------+------+-------------+
    | radacct | ref  | AcctStopTime  | AcctStopTime |       8 | const |    1 | Using where |
    +---------+------+---------------+--------------+---------+-------+------+-------------+

The rows and possible_keys columns are important. If you see that the candidate rows are more than a few, or that an index is never used (for example:

    mysql> explain select * from radacct where acctterminatecause = 'User-Request';
    +---------+------+---------------+------+---------+------+--------+-------------+
    | table   | type | possible_keys | key  | key_len | ref  | rows   | Extra       |
    +---------+------+---------------+------+---------+------+--------+-------------+
    | radacct | ALL  | NULL          | NULL |    NULL | NULL | 971518 | Using where |
    +---------+------+---------------+------+---------+------+--------+-------------+
    1 row in set (0.00 sec)

) then you should either rearrange your queries to use a proper index (like using the acctuniqueid column in the accounting_stop query) or add a corresponding index. If you are using MySQL 3.X maybe you should think of moving to 4.X and to the InnoDB tables (instead of MyISAM which have global instead of per row locking).

Hope the above was helpful.

thanks
Ripunjay Bararia

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Monday, December 15, 2003 10:19 PM
To: [EMAIL PROTECTED]
Subject: Re: There are no DB handles to use! skipped 0, tried to connect 0

Ripunjay Bararia [EMAIL PROTECTED] wrote:

    --- radius.log begin ---
    Mon Dec 15 12:30:23 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0

Find out why your SQL database is slow.

Alan DeKok.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
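
The EXPLAIN workflow described in the reply above, written out as an added example that is not part of the original thread or of FreeRADIUS itself. The acctsessionid, username and nasipaddress columns and the shape of the accounting_stop query are assumptions based on the stock FreeRADIUS MySQL schema; all values are constructed.

```sql
-- Added example, not from the thread. acctsessionid, username and nasipaddress
-- are assumed from the stock FreeRADIUS MySQL schema; all values are constructed.

-- 1. See which indexes radacct already has before changing anything.
SHOW INDEX FROM radacct;

-- 2. Rewrite the UPDATE as a SELECT with the same WHERE clause so it can be
--    run through EXPLAIN. Assumed accounting_stop query:
--      UPDATE radacct
--         SET acctstoptime = '2003-12-15 21:00:00',
--             acctterminatecause = 'User-Request'
--       WHERE acctsessionid = '0000A1B2'
--         AND username      = 'sampleuser'
--         AND nasipaddress  = '192.0.2.10';
EXPLAIN SELECT * FROM radacct
 WHERE acctsessionid = '0000A1B2'
   AND username      = 'sampleuser'
   AND nasipaddress  = '192.0.2.10';

-- 3. The same session located through acctuniqueid, the rearrangement
--    suggested in the post. Compare the type, key and rows columns with step 2.
EXPLAIN SELECT * FROM radacct
 WHERE acctuniqueid = '5f2c9a1be07d44c3';

-- 4. If step 3 reports type ALL and key NULL, the column has no index: add one.
CREATE INDEX acctuniqueid ON radacct (acctuniqueid);

-- 5. The full-scan case from the post: index the filtered column, then
--    re-run the same EXPLAIN to confirm the index appears in possible_keys.
CREATE INDEX acctterminatecause ON radacct (acctterminatecause);
EXPLAIN SELECT * FROM radacct
 WHERE acctterminatecause = 'User-Request';
-- A column with only a handful of distinct values may still be scanned in
-- full when one value matches most rows; the rows column shows whether the
-- index actually narrows the candidates.
```

On the MySQL versions discussed here, CREATE INDEX rebuilds the table and blocks writes while it runs, so on a radacct table of this size it belongs in a quiet window.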