clients.conf storage in ldap
Hi,
I'm playing with freeradius and openldap. I'll manage all my radius system on ldap. I made a perl script which reads radiusd.conf and rewrites on the fly the clients.conf file. For this I added a new objectclass RadiusClient on my openldap. Do you know if somebody works in the same direction? I don't post my script on list but I can send it on demand.
Thanks,
eric german
Re: extendedKeyUsage = 1.3.6.1.5.5.7.3.1
Hello Bilal.
On Friday 19 November 2004 09:02, Bilal Shahid wrote:
> I am using FreeRADIUS to authenticate the XSupplicant using EAP-TLS. The certificates are being generated using the script CA.all. For the Server certificate, the TLS Web Server OID used is 1.3.6.1.5.5.7.3.1.
> Now what the FreeRADIUS Server is actually sending out to the Client (XSupplicant) (as seen from the Access Challenge packet dump while running the FreeRADIUS Server in the debug mode) is the following byte sequence:
> 0x08 2b 06 01 05 05 07 03 01
> as opposed to
> 0x01 03 06 01 05 05 07 03 01
Have you checked the certificate for errors? I've been using this EKU without problems with freeradius. AFAIK freeradius is not processing the certificates, but the openssl code is.
In openssl.cnf you need:
    #
    [ eku ]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1
And when you sign a certificate request (I use openssl directly):
    openssl ca -extensions eku ...
Check the certificate with:
    # openssl x509 -in krkotnik.arnes.si_cert.pem -noout -text
    [...]
    X509v3 extensions:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
    [...]
--
Kind regards,
Rok Pape.
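The two byte sequences compared in the question can be checked against the DER rules for OBJECT IDENTIFIER values: the first two arcs are packed into one octet (40 * 1 + 3 = 0x2b) and the value is preceded by a length octet. The following is an added example, not part of the original posts and not FreeRADIUS or OpenSSL code; the function names are illustrative, and reading the leading 0x08 of the quoted dump as the DER length octet is an assumption about where the dump starts.

```python
"""DER OBJECT IDENTIFIER encoding, applied to the EKU OID discussed above.

Added example: function names are illustrative, not an OpenSSL or FreeRADIUS API.
"""


def _base128(value: int) -> bytes:
    """One sub-identifier: big-endian base-128, high bit set on all but the last octet."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(out))


def encode_oid_content(dotted: str) -> bytes:
    """Content octets only (no tag, no length) for a dotted-decimal OID."""
    arcs = [int(part) for part in dotted.split(".")]
    if len(arcs) < 2 or any(a < 0 for a in arcs):
        raise ValueError("an OID needs at least two non-negative arcs")
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid first/second arc combination")
    # The first two arcs share one sub-identifier: 40 * first + second.
    return b"".join(_base128(a) for a in [40 * arcs[0] + arcs[1]] + arcs[2:])


def encode_oid(dotted: str) -> bytes:
    """Full TLV: tag 0x06, short-form length, content."""
    content = encode_oid_content(dotted)
    if len(content) > 127:
        raise ValueError("long-form lengths are not handled in this example")
    return bytes([0x06, len(content)]) + content


def decode_oid_content(content: bytes) -> str:
    """Inverse of encode_oid_content; rejects truncated or non-minimal input."""
    subids, value, fresh = [], 0, True
    for octet in content:
        if fresh and octet == 0x80:
            raise ValueError("non-minimal sub-identifier (leading 0x80)")
        value = (value << 7) | (octet & 0x7F)
        fresh = False
        if not octet & 0x80:          # last octet of this sub-identifier
            subids.append(value)
            value, fresh = 0, True
    if not subids or not fresh:
        raise ValueError("empty or truncated OID content")
    first = subids[0]
    if first < 40:
        head = [0, first]
    elif first < 80:
        head = [1, first - 40]
    else:
        head = [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])


def decode_length_prefixed(dump: bytes) -> str:
    """Decode a dump that starts at the length octet (assumed layout of the quoted bytes)."""
    if not dump or dump[0] != len(dump) - 1:
        raise ValueError("length octet does not match the number of content octets")
    return decode_oid_content(dump[1:])


if __name__ == "__main__":
    # Byte sequence quoted in the message as seen on the wire.
    wire = bytes.fromhex("08 2b 06 01 05 05 07 03 01".replace(" ", ""))
    print("wire bytes decode to:", decode_length_prefixed(wire))
    print("expected TLV        :", encode_oid("1.3.6.1.5.5.7.3.1").hex(" "))
    # The sequence the poster expected is not a valid length-prefixed OID.
    try:
        decode_length_prefixed(bytes.fromhex("010306010505070301"))
    except ValueError as exc:
        print("expected-by-poster bytes rejected:", exc)
```
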
Bandwidth management Cisco
Thx for your answer, it is very nice. But I don't know how to activate the virtual template feature on freeradius. By default it is activated on Cisco Secure ACS. Could you tell me?
Sincerely
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrea Gabellini
Sent: Friday, 19 November 2004 10:23
To: [EMAIL PROTECTED]
Subject: Re: Bandwidth management Cisco
At 15.15 17/11/2004, you wrote:
> Hi, I would like to set up a max bandwidth over my cisco 1200AP (ios v12). My question is: what attribute should I use in radius to set the max download and upload for the client?
First you MUST use the virtual template feature of Cisco. After that you can send via radius the ios commands like rate-limit. As Reply Item I use:
    Attribute: Cisco-AVPair
    Value: lcp:interface-config=rate-limit input 200 200 200 conform-action transmit exceed-action drop\nrate-limit output 200 200 200 conform-action transmit exceed-action drop
> thx
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
> Sent: Wednesday, 17 November 2004 15:17
> To: [EMAIL PROTECTED]
> Subject: Re: problem with freeradius - ldap - peap
> Pål Hjelmeseth Myklebust [EMAIL PROTECTED] wrote:
> > [EMAIL PROTECTED] log]# /usr/sbin/radiusd -x -A
> Please run the server as /usr/sbin/radiusd -X. You will get MUCH more debugging information, which will help you solve your problem.
> Alan DeKok.
---
A user friendly computer first requires a friendly user.
---
Ing. Andrea Gabellini
Email: [EMAIL PROTECTED]
Tel: 0549 886111 (Italy)
Tel. +378 0549 886111 (International)
Intelcom San Marino S.p.A.
Strada degli Angariari, 3
47891 Rovereta
Republic of San Marino
http://www.omniway.sm
http://www.intelcom.sm
Re: Realmbased Relaying
On Thu, 18 Nov 2004 16:12:51 +0200 (EET) Kostas Kalevras [EMAIL PROTECTED] wrote:
> On Wed, 17 Nov 2004, jesk wrote:
> > Hello again, I have a question about relaying accounting data. We have a customer who wants to have all related accounting data of his realm. Is there a way to relay the accounting data of his realm to his radius server? I thought about creating a separate detail logfile and then setting up a separate radrelay which works on the file and relays the data to him. Are there other kinds of solution to solve this scenario? If not, how can I create a separate logfile with only his realm related data in it?
> radrelay is the solution. As for a detail file, either use Acct-Type like:
Just curious, what's wrong with using the proxy feature in the server? That way you can still do local processing (or nothing) while the customer gets the accounting data almost uninterrupted. And you don't have to rely on a second application, or that your server writes accounting correctly. The setup is simpler too.
--
best regards
Nils Rønhovde
Telenor Networks
Re: Compile problem of last CVS version on FreeBSD 4.x
Current CVS version also cannot be built on FreeBSD. Is there any way to fix the problem?
Friday, November 19, 2004, 5:41:56 PM, [EMAIL PROTECTED] wrote:
> Tried on two FreeBSD 4.x box
> #gmake
> gmake[1]: Entering directory `/root/src/radiusd'
> Making all in libltdl...
> gmake[2]: Entering directory `/root/src/radiusd/libltdl'
> gmake[2]: *** No rule to make target `all'. Stop.
> gmake[2]: Leaving directory `/root/src/radiusd/libltdl'
> gmake[1]: *** [common] Error 1
> gmake[1]: Leaving directory `/root/src/radiusd'
> gmake: *** [all] Error 2
> #uname -a
> FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Mon Nov 10 15:58:43 MSK 2003
> configure:8639: checking if libtool supports shared libraries
> configure:8641: result: yes
> configure:8644: checking whether to build shared libraries
> configure:8702: result: yes
> configure:8705: checking whether to build static libraries
> configure:8709: result: yes
> configure:8801: creating libtool
> configure:9348: checking for ld used by g++
> configure:9415: result: /usr/libexec/elf/ld
> configure:9424: checking if the linker (/usr/libexec/elf/ld) is GNU ld
> configure:9439: result: yes
> configure:9490: checking whether the g++ linker (/usr/libexec/elf/ld) supports shared libraries
> configure:10316: result: yes
> I didn't find in config.log lines related to libltdl.
> This version can be built successfully if copy libltdl dir from release.
--
Andrei Koulik.
Unicode
Does FreeRADIUS support Unicode?
best regards, josh.
--
Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Re: Bandwidth management Cisco
On Mon, 22 Nov 2004, EROS wrote:
> Thx for your answer, it is very nice. But I don't know how to activate the virtual template feature on freeradius. By default it is activated on Cisco Secure ACS.
The virtual template is something you configure on the cisco, not freeradius.
> Could you tell me?
> Sincerely
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrea Gabellini
> Sent: Friday, 19 November 2004 10:23
> To: [EMAIL PROTECTED]
> Subject: Re: Bandwidth management Cisco
> At 15.15 17/11/2004, you wrote:
> > Hi, I would like to set up a max bandwidth over my cisco 1200AP (ios v12). My question is: what attribute should I use in radius to set the max download and upload for the client?
> First you MUST use the virtual template feature of Cisco. After that you can send via radius the ios commands like rate-limit. As Reply Item I use:
>     Attribute: Cisco-AVPair
>     Value: lcp:interface-config=rate-limit input 200 200 200 conform-action transmit exceed-action drop\nrate-limit output 200 200 200 conform-action transmit exceed-action drop
> > thx
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
> > Sent: Wednesday, 17 November 2004 15:17
> > To: [EMAIL PROTECTED]
> > Subject: Re: problem with freeradius - ldap - peap
> > Pål Hjelmeseth Myklebust [EMAIL PROTECTED] wrote:
> > > [EMAIL PROTECTED] log]# /usr/sbin/radiusd -x -A
> > Please run the server as /usr/sbin/radiusd -X. You will get MUCH more debugging information, which will help you solve your problem.
> > Alan DeKok.
> ---
> A user friendly computer first requires a friendly user.
> ---
> Ing. Andrea Gabellini
> Email: [EMAIL PROTECTED]
> Tel: 0549 886111 (Italy)
> Tel. +378 0549 886111 (International)
> Intelcom San Marino S.p.A.
> Strada degli Angariari, 3
> 47891 Rovereta
> Republic of San Marino
> http://www.omniway.sm
> http://www.intelcom.sm
--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: clients.conf storage in ldap
On Mon, 22 Nov 2004, eric german wrote:
> Hi,
> I'm playing with freeradius and openldap. I'll manage all my radius system on ldap. I made a perl script which reads radiusd.conf and rewrites on the fly the clients.conf file. For this I added a new objectclass RadiusClient on my openldap. Do you know if somebody works in the same direction? I don't post my script on list but I can send it on demand.
> Thanks,
> eric german
Adding ldap based radius clients in rlm_ldap would be nice. It will be added at some point.
--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
hyperthreading on freebsd for freeradius threads
I know this is a controversial topic but I don't have a definitive answer.
It would seem that using hyperthreading enabled CPUs, one would get slightly better performance from threaded applications such as FreeRadius. The underlying operating systems are freebsd 4.7+ and 5.3 (there was no support for HTT before 4.7).
However, there are those that recommend that HTT is not enabled as it reduces either/both stability and performance.
Can anyone shed light / experience on this matter? My own expts have shown that performance seems to degrade when enabling the OS scheduler to use the second logical CPU (ie suppressing the second cpu halting sysctl).
tariq
Re: Freeradius + MySQL + MD5 passwords
On Fri, 19 Nov 2004, Hamilton Vera wrote:
> Hi masters. I am looking for a tutorial/how-to to set up a radius server using freeradius and Mysql and MD5 passwords. Actually I have a Livingston Portmaster 3 authenticating users on my linux server. The authentication is based on MD5 passwords stored in /etc/shadow, for example $1$u5C6uZb/$FXr/.g1NXTZYh19Zj158y1 (using the SALT feature). I have to migrate these users to a new machine running freeradius, using the same good old school md5 passwords and mysql. Unfortunately my freeradius is only working with plain text authentication mode, I am googling for answers but all results point me to this list. I know that the subject is not new, but I am working on it for days without success, so sorry about the post.
> Which are the basic parameters in radiusd.conf to authenticate in Mysql with md5 passwords? Do I have to do any modification in the database?
You'll have to use the PAP module for authentication. I think you will need to configure it to use crypt encryption and make sure crypt does a salted-MD5 encryption.
> I'd appreciate any help. Thanks in advance and sorry about the poor English.
--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
freeradius oracle crash
I built freeradius-1.0.1 with rlm_sql_oracle (Oracle 10g). After some time the radius daemon crashed (segfault). Backtrace of the core file produced this output:
    #0 0x40154c97 in mallopt () from /lib/libc.so.6
    #1 0x40153ef3 in malloc () from /lib/libc.so.6
    #2 0x40b4dc1a in sltstidinit () from /opt/oracle/lib/libclntsh.so.10.1
    #3 0x40b7e6a3 in ltstidi () from /opt/oracle/lib/libclntsh.so.10.1
    #4 0x403c4260 in kpuiInitMutex () from /opt/oracle/lib/libclntsh.so.10.1
    #5 0x403cb6d3 in kpuinit0 () from /opt/oracle/lib/libclntsh.so.10.1
    #6 0x403cb001 in kpuenvcr () from /opt/oracle/lib/libclntsh.so.10.1
    #7 0x4043610a in OCIEnvCreate () from /opt/oracle/lib/libclntsh.so.10.1
    #8 0x4023be64 in sql_init_socket (sqlsocket=0x8551280, config=0x81521a0) at sql_oracle.c:132
    #9 0x402375dc in connect_single_socket (sqlsocket=0x8551280, inst=0x8151b40) at sql.c:70
How to fix it?
P.S. If freeradius runs without threads (-s), all is OK.
--
TARANTUL
Re: rlm_ippool - not releasing ip addresses
On Sun, 21 Nov 2004, Paul Hampson wrote:
> On Sat, Nov 20, 2004 at 10:51:32AM +1030, Mike O'Connor wrote:
> > Thanks for your comments, I used your suggestion as a basis and have found that the accounting stop records do not always have the same port id. This means it does not match correctly and does not release the port. I do not see any way of fixing this from the nas end, so I plan to write some software which checks if a port has been released (using the Alive and Stop records) and then sends an Acct Stop record with the correct port details.
> In most cases this won't be a problem, as a new ippool call with a port number rlm_ipaddr thinks is still in use should free the IP address up, so it can later be reallocated.
Yap
> It's a problem if you have more ports than IP addresses. ^_^ (As I do here. _) I tried using radkill, but that was more trouble than worth, as the radutmp file was getting boned for entirely different reasons.
If you have more ports than IPs and your accounting does not work right then there's not really anything you can do to make things work.
> I have some scripts here which will process an ip pool file (using rlm_ippool_tool) against radwho or a radacct table, which I used to clean out rlm_ippool's data every so often. The problem is that any non-FreeRADIUS modification of the database needs to be done while FreeRADIUS is stopped.
> I'd love to improve rlm_ippool_tool, but if I ever work on it again, it'll be to SQLise rlm_ippool instead, (as I believe someone has done and posted a patch to the list), as part of my heartfelt desire to turn FreeRADIUS into some kind of unusual SQL database frontend. ^_^
Hmm, rlm_ippool can be a good candidate for sqlizing. Though it will need to use the rlm_sql functions (like radsqlrelay does). sql xlat is good for queries but in the case of rlm_ippool inserts/updates are also required which are difficult to implement through xlat.
> --
> Paul TBBle Hampson, on an alternate email client.
--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: COMPILATION ERROR
Janakan,
Thanks a lot! It worked! I just deleted rlm_x99_token before configuration and everything was OK. What is more, it didn't complain about mysql as it used to do before.
Best Regards,
Eva Kolega
NOC - TEI of ATHENS
Janakan Rajendran wrote:
> Eva,
> I had the same problem a couple of days before and got it fixed. Disable rlm_x99_token when using the configure command. It would help to get rid of this error.
> Regards,
> Janakan Rajendran
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eva Kolega
> Sent: Friday, November 19, 2004 7:22 AM
> To: [EMAIL PROTECTED]
> Subject: COMPILATION ERROR
> I used to have an error in compilation with mysql components, so I thought of changing machine (SUN Fire 280R) and begin from scratch. So I installed mysql 2.0.21 and openssl as recommended by Sun. And then I had the following error in bold upon compilation. However, this file is there! I have seen this error in a newsgroup in early October but I did not see any answer provided. But of course freeradius runs on Sol 9! So, has anybody come across this error?
> Thanks a lot,
> Eva
> COMPILATION LOG
> make[6]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/modules/rlm_unix'
> Making static dynamic in rlm_x99_token...
> make[6]: Entering directory `/usr/local/src/freeradius-1.0.1/src/modules/rlm_x99_token'
> gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../../include -DX99_MODULE_NAME=\"rlm_x99_token\" -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
> In file included from x99_rlm.c:54:
> x99.h:26:42: openssl/des.h: No such file or directory
> In file included from x99_rlm.c:54:
> x99.h:146: error: parse error before "des_cblock"
> x99.h:146: warning: no semicolon at end of struct or union
> x99.h:147: warning: type defaults to `int' in declaration of `x99_user_info_t'
> x99.h:147: warning: data definition has no type or storage class
> x99.h:152: error: parse error before "des_cblock"
> x99.h:152: warning: function declaration isn't a prototype
> x99.h:153: error: parse error before "des_cblock"
> x99.h:153: warning: function declaration isn't a prototype
> x99.h:165: error: parse error before "des_cblock"
> x99.h:165: warning: function declaration isn't a prototype
> x99.h:166: warning: type defaults to `int' in declaration of `des_cblock'
> x99.h:166: error: parse error before "keyblock"
> x99.h:167: warning: function declaration isn't a prototype
> x99.h:170: error: parse error before "x99_user_info_t"
> x99.h:170: warning: function declaration isn't a prototype
> x99.h:180: error: parse error before "des_cblock"
> x99.h:180: warning: function declaration isn't a prototype
> x99.h:182: warning: type defaults to `int' in declaration of `des_cblock'
> x99.h:182: error: parse error before "keyblock"
> x99.h:182: warning: function declaration isn't a prototype
> x99_rlm.c: In function `x99_token_authorize':
> x99_rlm.c:294: error: parse error before "user_info"
> x99_rlm.c:331: error: `user_info' undeclared (first use in this function)
> x99_rlm.c:331: error: (Each undeclared identifier is reported only once
> x99_rlm.c:331: error: for each function it appears in.)
> x99_rlm.c: In function `x99_token_authenticate':
> x99_rlm.c:460: error: parse error before "user_info"
> x99_rlm.c:492: error: `user_info' undeclared (first use in this function)
> x99_rlm.c:550: warning: deprecated use of label at end of compound statement
> make[6]: *** [x99_rlm.o] Error 1
> make[6]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/modules/rlm_x99_token'
> make[5]: *** [common] Error 1
> make[5]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/modules'
> make[4]: *** [all] Error 2
> make[4]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/modules'
> make[3]: *** [common] Error 1
> make[3]: Leaving directory `/usr/local/src/freeradius-1.0.1/src'
> make[2]: *** [all] Error 2
> make[2]: Leaving directory `/usr/local/src/freeradius-1.0.1/src'
> make[1]: *** [common] Error 1
> make[1]: Leaving directory `/usr/local/src/freeradius-1.0.1'
> make: *** [all] Error 2
Freeradius accounting problem
Hi all,
I want to get user online time from detail files and calc money spent by user. So my question: Must I read the acct detail file written by the radius server? Or are there some existing methods?
Thank you.
Regards
Yyc
---
And the vision that was planted in my brain. Still remains with the sound of silence.
how many records in radacct
Hello,
how many records in radacct table do you manage to keep, guys?
I see that radius stops working properly after about 15 accounting records in Oracle (9.2.0.4) database or ~3 in PostgreSQL 7.4.6. After that amount accounting records are not written into table and FR (v1.0.1) claims about no DB handles to use. I see this with Oracle and Postgres. The symptoms are the same on two different Solaris8 machines - Netra1120 with 2x440MHz processors and SunFire V240 with 2x1GHz processors.
All recommendations about tuning are met - noatime on partitions with DB, no detail accounting, indexes on the accounting table. I'm fighting with that for a couple of months with no understanding what else could be wrong. Our DBA did some tunings on Oracle table and configuration - with no visible results. PostgreSQL is not tuned - just 'configure,make,make install, initdb, createdb radius,etc'.
--
Alexander
Re: how many records in radacct
Alexander Serkin wrote:
> I see that radius stops working properly after about 15 accounting records in Oracle (9.2.0.4) database or ~3 in PostgreSQL 7.4.6. After that amount accounting records are not written into table and FR (v1.0.1) claims about no DB handles to use. I see this with Oracle and Postgres. The symptoms are the same on two different Solaris8 machines - Netra1120 with 2x440MHz processors and SunFire V240 with 2x1GHz processors.
> All recommendations about tuning are met - noatime on partitions with DB, no detail accounting, indexes on the accounting table. I'm fighting with that for a couple of months with no understanding what else could be wrong. Our DBA did some tunings on Oracle table and configuration - with no visible results. PostgreSQL is not tuned - just 'configure,make,make install, initdb, createdb radius,etc'.
Maybe try setting the maximum requests per server configuration item of freeradius to something like 1 and see if the problem disappears.
--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65
RE: how many records in radacct
I have 1,736,884 in my current MySQL table.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Alexander Serkin
Sent: Monday, November 22, 2004 1:11 PM
To: [EMAIL PROTECTED]
Subject: how many records in radacct
> Hello,
> how many records in radacct table do you manage to keep, guys?
> I see that radius stops working properly after about 15 accounting records in Oracle (9.2.0.4) database or ~3 in PostgreSQL 7.4.6. After that amount accounting records are not written into table and FR (v1.0.1) claims about no DB handles to use. I see this with Oracle and Postgres. The symptoms are the same on two different Solaris8 machines - Netra1120 with 2x440MHz processors and SunFire V240 with 2x1GHz processors.
> All recommendations about tuning are met - noatime on partitions with DB, no detail accounting, indexes on the accounting table. I'm fighting with that for a couple of months with no understanding what else could be wrong. Our DBA did some tunings on Oracle table and configuration - with no visible results. PostgreSQL is not tuned - just 'configure,make,make install, initdb, createdb radius,etc'.
> --
> Alexander
Re: acct_users - Exec-Program not working
Hi Thor,
thank you very much for the reply, I will try to be more specific. I have freeradius 1.01 working on RedHat 9. It is working accepting users, creating detail files from few Cisco NAS boxes and START and STOP records are inserted into MySQL database. What I would like to do is to update the above records with Alive records. So I was thinking (right?) that if I will add in acct_users definition of Alive record everything will work but it is not. Can you help?
regards
Marek
Re: Compile problem of last CVS version on FreeBSD 4.x
[EMAIL PROTECTED] wrote:
> Current CVS version also cannot be built on FreeBSD. Is there any way to fix the problem?
See the list archives. It's a known problem.
Alan DeKok.
Re: Unicode
Josh Howlett [EMAIL PROTECTED] wrote:
> Does FreeRADIUS support Unicode?
Not really. But sending binary data which just happens to be unicode may work.
Alan Dekok.
Re: hyperthreading on freebsd for freeradius threads
Tariq Rashid [EMAIL PROTECTED] wrote:
> it would seem that using hyperthreading enabled CPUs, one would get slightly better performance from threaded applications such as FreeRadius.
Maybe. It all depends.
> however, there are those that recommend that HTT is not enabled as it reduces either/both stability and performance.
That could be true, too.
> my own expts have shown that performance seems to degrade when enabling the OS scheduler to use the second logical CPU (ie suppressing the second cpu halting sysctl).
Getting hyperthreading correct is hard. It may not be completely supported on FreeBSD.
Alan Dekok.
Re: rlm_ippool - not releasing ip addresses
Hi Paul
Thanks for your email. I sat down this weekend and wrote the same type of tool. I find all the ip addresses which have been left active, read out of the radacct database a closed record for each ip address. Then use radclient to send a radacct stop record for each ip address but change the nas port to the one reported by rlm_ippool_tool.
You mention that the problem only happens if there are not enough ips for the total ports. If I have understood you correctly, I have to disagree. For this site we have 25 ports and 30 ip's.
Thanks
Mike
Paul Hampson wrote:
> On Sat, Nov 20, 2004 at 10:51:32AM +1030, Mike O'Connor wrote:
> > Thanks for your comments, I used your suggestion as a basis and have found that the accounting stop records do not always have the same port id. This means it does not match correctly and does not release the port. I do not see any way of fixing this from the nas end, so I plan to write some software which checks if a port has been released (using the Alive and Stop records) and then sends an Acct Stop record with the correct port details.
> In most cases this won't be a problem, as a new ippool call with a port number rlm_ipaddr thinks is still in use should free the IP address up, so it can later be reallocated.
> It's a problem if you have more ports than IP addresses. ^_^ (As I do here. _) I tried using radkill, but that was more trouble than worth, as the radutmp file was getting boned for entirely different reasons.
> I have some scripts here which will process an ip pool file (using rlm_ippool_tool) against radwho or a radacct table, which I used to clean out rlm_ippool's data every so often. The problem is that any non-FreeRADIUS modification of the database needs to be done while FreeRADIUS is stopped.
> I'd love to improve rlm_ippool_tool, but if I ever work on it again, it'll be to SQLise rlm_ippool instead, (as I believe someone has done and posted a patch to the list), as part of my heartfelt desire to turn FreeRADIUS into some kind of unusual SQL database frontend. ^_^
Re: Unicode
Alan DeKok wrote:
> Josh Howlett [EMAIL PROTECTED] wrote:
> > Does FreeRADIUS support Unicode?
> Not really. But sending binary data which just happens to be unicode may work.
Just out of curiosity, what do FreeRADIUS users from places that have non-ASCII characters do about non-Unicode support? Enforce usernames/passwords with ASCII-only characters?
josh.
Re: Unicode
Josh Howlett [EMAIL PROTECTED] wrote:
> Just out of curiosity, what do FreeRADIUS users from places that have non-ASCII characters do about non-Unicode support? Enforce usernames/passwords with ASCII-only characters?
It would never do anything that crazy. :) As of 1.0, it will seamlessly print, parse, and use any non-ASCII character in any string attribute. The only invalid character is '\000'
Alan DeKok.
How to setup redundancy against password failure not just users (authorize/authenticate)?
Hi,
I need to set up failover with unix and ldap systems. In a failover document from freeradius, it seems easy to set up failover for the authorize section but there is no way to specify failover for the authenticate section. Once an authorize type is selected it seems that only single authentication can be done. We have a requirement where if the password fails against one database, we would like to check against the other. Is there any configuration that I can set up to achieve this? If not, can somebody provide me some pointers to modify the freeradius source code?
I would really appreciate any advice/suggestion in this regard.
Thank You!
Laxman Gajbhe
Re: how many records in radacct
On Mon, Nov 22, 2004 at 10:10:53PM +0300, Alexander Serkin wrote:

> Hello,
> how many records in radacct table do you manage to keep, guys?

About 1.3M without any problem.

> I see that radius stops working properly after about 15 accounting records in Oracle (9.2.0.4) database or ~3 in PostgreSQL 7.4.6. After that amount accounting records are not written into table and FR (v1.0.1) claims about no DB handles to use. I see this with Oracle and Postgres. The symptoms are the same on two different Solaris8 machines - Netra1120 with 2x440MHz processors and SunFire V240 with 2x1GHz processors. All recommendations about tuning are met - noatime on partitions with DB, no detail accounting, indexes on the accounting table. I'm fighting with that for a couple of months with no understanding what else could be wrong. Our DBA did some tunings on Oracle table and configuration - with no visible results. PostgreSQL is not tuned - just 'configure,make,make install, initdb, createdb radius,etc'.

Can't say anything about Oracle, but here are several pieces of advice on PG.

First, you should ANALYZE, or better VACUUM ANALYZE, the RadAcct table at least every time it grows 1.5-2 times. We do VACUUM ANALYZE nightly. If your radius server receives and processes Accounting-Updates you will probably need it even more often. See the PostgreSQL documentation on database maintenance: http://www.postgresql.org/docs/7.4/static/maintenance.html#ROUTINE-VACUUMING

Second, did you modify the standard schema and/or postgresql.conf to fit your needs? If so, try to determine which queries are slowest and try to understand why, e.g. there's no appropriate index or something. The default ones should work OK.

Third, make sure you have no deadlocks.

    ps auxww | grep postgres | grep waiting

Several words for Peter Nixon about the default PostgreSQL schema/queries...

1. now() returns timestamp with time zone, so there's no need to cast it once more. This applies to AcctStartTime::timestamp with time zone too.
2. accounting_onoff_query should not have the AcctSessionTime IS NULL condition in the where clause, otherwise those records which were updated by Accounting-Update will not be closed. Active sessions just have AcctStopTime IS NULL.
3. I don't understand why there's a DATE_SUB function at all :) One can simply say CURRENT_DATE - some_integer * '1minute'::interval. Is it simpler to call date_sub(CURRENT_DATE, some_integer, 'minute')?

--
Fduch M. Pravking
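What point 2 of the message above describes, as an added example that is not part of the original post or of the FreeRADIUS schema: SQLite from the Python standard library stands in for PostgreSQL, and the reduced radacct column set, the sample rows and the helper name close_on_reboot are constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (AcctSessionId, NASIPAddress, AcctStartTime,
# AcctSessionTime, AcctStopTime). Reduced column set, assumed for the example.
ROWS = [
    ("s1", "192.0.2.1", "2004-11-22 09:00:00", None, None),  # Start only
    ("s2", "192.0.2.1", "2004-11-22 09:05:00", 600, None),   # Start + Accounting-Update
    ("s3", "192.0.2.1", "2004-11-22 08:00:00", 1200, "2004-11-22 08:20:00"),  # stopped
    ("s4", "192.0.2.9", "2004-11-22 09:10:00", 300, None),   # different NAS
]

# The two "session is still open" conditions being compared.
WITH_SESSIONTIME_CHECK = "AcctSessionTime IS NULL AND AcctStopTime IS NULL"
STOPTIME_ONLY = "AcctStopTime IS NULL"


def close_on_reboot(where_open, nas_ip, reboot_time):
    """Run an on/off style UPDATE for one NAS; return ids still open in the table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (AcctSessionId TEXT, NASIPAddress TEXT, "
        "AcctStartTime TEXT, AcctSessionTime INTEGER, AcctStopTime TEXT)"
    )
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", ROWS)
    # Close every session the condition considers open on the rebooted NAS.
    db.execute(
        "UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = "
        "CAST(strftime('%s', ?) - strftime('%s', AcctStartTime) AS INTEGER) "
        f"WHERE {where_open} AND NASIPAddress = ? AND AcctStartTime <= ?",
        (reboot_time, reboot_time, nas_ip, reboot_time),
    )
    still_open = db.execute(
        "SELECT AcctSessionId FROM radacct "
        "WHERE AcctStopTime IS NULL ORDER BY AcctSessionId"
    ).fetchall()
    db.close()
    return [row[0] for row in still_open]


if __name__ == "__main__":
    reboot = "2004-11-22 09:30:00"
    # s2 stays open forever with the extra condition; s4 belongs to another NAS.
    print(close_on_reboot(WITH_SESSIONTIME_CHECK, "192.0.2.1", reboot))
    print(close_on_reboot(STOPTIME_ONLY, "192.0.2.1", reboot))
```

A session left open this way keeps counting as active in anything that reads radacct for open sessions, so the stale row is worth checking for after a NAS reboot.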
Re: How to setup redundancy against password failure not just users (authorize/authenticate)?
On Mon, 22 Nov 2004, Laxman Gajbhe wrote:

> Hi,
> I need to set up failover with unix and ldap systems. In a failover document from freeradius, it seems easy to set up failover for the authorize section but there is no way to specify failover for the authenticate section. Once an authorize type is selected it seems that only a single authentication can be done. We have a requirement where, if the password fails against one database, we would like to check against the other. Is there any configuration that I can set up to achieve this? If not, can somebody provide me some pointers to modify the freeradius source code? I would really appreciate any advice/suggestion in this regard.

I think this should work:

    authenticate {
        Auth-Type Something {    # the auth-type you've configured
            redundant {
                ldap
                unix
            }
        }
    }

> Thank You!
> Laxman Gajbhe

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
RE: how many records in radacct
> On Mon, Nov 22, 2004 at 10:10:53PM +0300, Alexander Serkin wrote:
>> Hello, how many records in radacct table do you manage to keep, guys?
> About 1.3M without any problem.

Here, exactly 4,657,586, and growing, running on FreeBSD 4.8, two 2.4 GHz, 1024 MB RAM. I haven't done any tuning; FreeRADIUS compiled from source and MySQL 3.23 from ports.

Miguel
Unknown attribute Acct-Unique-Session-Id
Hi all,

I'm getting the error:

    Unknown attribute Acct-Unique-Session-Id

when receiving radius accounting packets. If I understand correctly, the Acct-Unique-Session-Id is created by radius internally from the parameters specified for the acct_unique module. I changed the key value for acct_unique so that it is composed only of values that exist in my radius acct messages, but I still get this error. I also have acct_unique in my preacct module:

    preacct {
        preprocess
        acct_unique
        .
        .
    }

Can someone give me a pointer as to what I'm missing here?

    # radiusd -v
    radiusd: FreeRADIUS Version 1.0.1, for host , built on Nov 20 2004 at 10:49:52

Thanks,
-Jev
Re: No Auth password from XP.
At 01:38 PM 11/21/2004, Sven Juergensen wrote:

> hi john,
> how does your entry in the 'users' file look like? i had a similar issue with peap. after i removed the 'auth-type := local' (not sure if this is the proper syntax) from the according user it worked.

Mine looked just like that. I'll try it. Thanks

> maybe this helps.
> sven
>
> John Mulkerin wrote:
>> I've already read the FAQ, mailing lists and all configs. Built Freeradius on RH9. Enabled EAPTLS. Copied root.der and cert-clt.p12 to my Windows XP client machine. On the XP client, enabled 802.1x authentication with PEAP. Authentication Method is EAP-MSCHAP v2. I get a Windows Userid log in screen. I'm using the testuser/Secret149 combo. However, the password doesn't seem to be sent. What am I doing wrong? AP is an ExtremeNetworks Altitude 300. Here is snippet from log:
Re: Unknown attribute Acct-Unique-Session-Id
I added Acct-Unique-Session-Id to my dictionary file, not sure why I didn't do this in the first place. What confuses me is that it was a straightforward install, and I don't understand why that attribute was not in the standard dictionary file from the get-go... Anyway, working now!

-Jev

Jev wrote:

> Hi all,
> I'm getting the error:
>
>     Unknown attribute Acct-Unique-Session-Id
>
> when receiving radius accounting packets. If I understand correctly, the Acct-Unique-Session-Id is created by radius internally from the parameters specified for the acct_unique module. I changed the key value for acct_unique so that it is composed only of values that exist in my radius acct messages, but I still get this error. I also have acct_unique in my preacct module:
>
>     preacct {
>         preprocess
>         acct_unique
>         .
>         .
>     }
>
> Can someone give me a pointer as to what I'm missing here?
>
>     # radiusd -v
>     radiusd: FreeRADIUS Version 1.0.1, for host , built on Nov 20 2004 at 10:49:52
>
> Thanks,
> -Jev