Re: rlm_ippool - not releasing ip addresses
Kostas Kalevras wrote:

I have some scripts here which will process an IP pool file (using rlm_ippool_tool) against radwho or a radacct table, which I used to clean out rlm_ippool's data every so often. The problem is that any non-FreeRADIUS modification of the database needs to be done while FreeRADIUS is stopped. I'd love to improve rlm_ippool_tool, but if I ever work on it again, it'll be to SQLise rlm_ippool instead (as I believe someone has done and posted a patch to the list), as part of my heartfelt desire to turn FreeRADIUS into some kind of unusual SQL database frontend. ^_^

Hmm, rlm_ippool can be a good candidate for sqlizing. Though it will need to use the rlm_sql functions (like radsqlrelay does). sql xlat is good for queries, but in the case of rlm_ippool inserts/updates are also required, which are difficult to implement through xlat.

db is efficient, just need some perl around it. Personally, I don't want to install an SQL server just in order to play with ippool. Keep it simple and easy.

-- Dominique LALOT, Ingénieur Système Réseau (systems and network engineer), CISCAM Pole Réseau, Université de la Méditerranée, http://annuaire.univ-mrs.fr/showuser.php?uid=lalot

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
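Added sketch, not code from the thread or from FreeRADIUS, of what an SQL-backed pool of the kind discussed above would need. MySQL syntax; the table, its columns and the sample addresses are all my own choices. It shows Kostas' point concretely: allocation is an UPDATE that must claim a row atomically, which a read-only xlat query cannot express, while the read-back and release are ordinary statements.

```sql
-- Added example: an SQL IP pool (table and column names are assumptions).
CREATE TABLE ippool (
  pool_name   VARCHAR(32) NOT NULL,
  ip_address  VARCHAR(15) NOT NULL,
  nas_ip      VARCHAR(15) NOT NULL DEFAULT '',
  nas_port    INT         NOT NULL DEFAULT 0,
  pool_key    VARCHAR(64) NOT NULL DEFAULT '',   -- e.g. the Acct-Unique-Session-Id hash
  expiry_time DATETIME    NOT NULL DEFAULT '1970-01-01 00:00:00',
  PRIMARY KEY (pool_name, ip_address),
  KEY pool_key (pool_key),
  KEY expiry   (pool_name, expiry_time)
);

-- Seed a pool (constructed addresses).
INSERT INTO ippool (pool_name, ip_address) VALUES
  ('dialup', '10.0.3.1'), ('dialup', '10.0.3.2'), ('dialup', '10.0.3.3');

-- Allocate on Access-Request: claim one free address in a single statement.
-- The UPDATE is the lock, so two servers cannot claim the same row, and the
-- ORDER BY hands out the longest-idle address first so a reconnecting client
-- rarely gets one that was released a second ago.
UPDATE ippool
   SET nas_ip = '10.0.1.20', nas_port = 3, pool_key = 'b4d1f0e9c2a37a15',
       expiry_time = NOW() + INTERVAL 1 HOUR
 WHERE pool_name = 'dialup' AND expiry_time < NOW()
 ORDER BY expiry_time
 LIMIT 1;

-- Read back what was just claimed; this half is the part an xlat can do.
SELECT ip_address FROM ippool
 WHERE pool_name = 'dialup' AND pool_key = 'b4d1f0e9c2a37a15';

-- Interim-Update: extend the lease.
UPDATE ippool SET expiry_time = NOW() + INTERVAL 1 HOUR
 WHERE pool_key = 'b4d1f0e9c2a37a15';

-- Accounting-Stop: release. Setting the expiry to now makes the row
-- eligible for the next allocation; a lost Stop costs one address for one
-- lease period instead of needing the manual cleanup the scripts above do.
UPDATE ippool
   SET pool_key = '', nas_ip = '', nas_port = 0, expiry_time = NOW()
 WHERE pool_key = 'b4d1f0e9c2a37a15';
```

The lease length (one hour here) is an assumption; in practice it should be a little longer than the NAS interim-update interval so that a live session keeps renewing its own address.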
Re: how many records in radacct
Thank you all for the hints. It was really stupid not to create an index on acctuniqueid. And 'explain' is my best friend ad finem seculorum (to the end of time).

-- Alexander

Kostas Kalevras wrote:

On Mon, 22 Nov 2004, Alexander Serkin wrote:

Hello, how many records in the radacct table do you manage to keep, guys? I see that radius stops working properly after about 15 accounting records in an Oracle (9.2.0.4) database or ~3 in PostgreSQL 7.4.6. After that amount accounting records are not written into the table and FR (v1.0.1) complains about no DB handles to use. I see this with Oracle and Postgres. The symptoms are the same on two different Solaris 8 machines - a Netra 1120 with 2x440MHz processors and a SunFire V240 with 2x1GHz processors. All recommendations about tuning are met - noatime on partitions with the DB, no detail accounting, indexes on the accounting table. I've been fighting with that for a couple of months with no understanding of what else could be wrong. Our DBA did some tuning on the Oracle table and configuration - with no visible results. PostgreSQL is not tuned - just 'configure, make, make install, initdb, createdb radius, etc'.

I've got more than 1,000,000 rows in my radacct table (MySQL+InnoDB). The numbers you are reporting are really small, your database should be able to handle them just fine. One guess would be that your Session-Ids are not that random, so the corresponding update queries have too many candidate rows (explain select is your friend to find out bottlenecks like that). Try using Acct-Unique-Id if that is the case. Do an Explain select on the queries run by the freeradius server (mainly the accounting_stop query and the simul_count query if you've enabled it) and you should quickly find the problem. I need to add a few notes on an alternative high performance accounting structure for freeradius in the tuning guide one of these days...

-- Kostas Kalevras, Network Operations Center, [EMAIL PROTECTED], National Technical University of Athens, Greece, Work Phone: +30 210 7721861, 'Go back to the shadow' Gandalf
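Added example, not from the thread, of the two checks Kostas and Alexander settle on: the missing index and an EXPLAIN of the Stop update's predicate. It assumes the column names of the stock FreeRADIUS 1.0 MySQL radacct table and a Stop update shaped like the default accounting_stop query in sql.conf; the session identifiers, user name and NAS address are constructed sample values.

```sql
-- Added example: index and EXPLAIN on the radacct table (MySQL syntax;
-- column names assumed from the FreeRADIUS 1.0 schema, values constructed).

-- 1. The index Alexander was missing. Without it every Accounting-Stop
--    is a full table scan, and the scan holds the SQL socket until it ends,
--    which is how "no DB handles" shows up once the table grows.
CREATE INDEX acctuniqueid ON radacct (AcctUniqueId);

-- 2. The default stop/interim updates match on these three columns, so an
--    index covering all three keeps the candidate set small even when the
--    NAS reuses Session-Ids.
CREATE INDEX acctsession ON radacct (AcctSessionId, UserName, NASIPAddress);

-- 3. Check the plan before trusting it. MySQL of this era explains only
--    SELECT statements, so re-express the UPDATE's WHERE clause as a SELECT;
--    the access path is the same.
EXPLAIN SELECT RadAcctId
  FROM radacct
 WHERE AcctSessionId = '4E81AF2C'          -- constructed
   AND UserName      = 'gollum'
   AND NASIPAddress  = '10.0.1.20';
-- Healthy: type=ref, key=acctsession, rows in the single digits.
-- Broken:  type=ALL, rows roughly equal to the table size.

-- 4. The statement the server actually issues on a Stop (shape only):
UPDATE radacct
   SET AcctStopTime = NOW(), AcctSessionTime = 3600,
       AcctInputOctets = 123456, AcctOutputOctets = 654321,
       AcctTerminateCause = 'User-Request'
 WHERE AcctSessionId = '4E81AF2C'
   AND UserName      = 'gollum'
   AND NASIPAddress  = '10.0.1.20';

-- 5. Kostas' Acct-Unique-Id suggestion: when Session-Ids are not random,
--    key the update on the hash rlm_acct_unique puts in
--    Acct-Unique-Session-Id instead, which is unique per (user, session,
--    NAS, port) and hits exactly one row through the index from step 1.
UPDATE radacct
   SET AcctStopTime = NOW(), AcctSessionTime = 3600
 WHERE AcctUniqueId = 'b4d1f0e9c2a37a15';   -- constructed
```

Run the EXPLAIN again after switching the update to AcctUniqueId; the rows estimate should drop to 1, and the simul_count query (which filters on UserName) benefits from the UserName index the stock schema already carries.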
Re: Unicode
--On Monday, November 22, 2004 16:59:31 -0500 Alan DeKok [EMAIL PROTECTED] wrote:

Josh Howlett [EMAIL PROTECTED] wrote:

Just out of curiosity, what do FreeRADIUS users from places that have non-ASCII characters do about non-Unicode support? Enforce usernames/passwords with ASCII-only characters?

It would never do anything that crazy. :) As of 1.0, it will seamlessly print, parse, and use any non-ASCII character in any string attribute. The only invalid character is '\000'.

Does this apply to the modules as well, or is Unicode support module dependent? I'm only really interested in rlm_sql (mysql). If there are FreeRADIUS users reading this from places that use Unicode usernames/passwords I would appreciate your advice!

many thanks, josh.

-- Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K. 'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Re: clients.conf storage in ldap
I can try to port it into rlm_ldap.c, but I need some help on freeradius and in the C language. First question: must I patch rlm_ldap or another module (the module reading clients.conf)? Also, I don't know the freeradius architecture very well (one month ago).

thanks, eric german

--- Kostas Kalevras [EMAIL PROTECTED] wrote:

On Mon, 22 Nov 2004, eric german wrote:

hi, I'm playing with freeradius and openldap. I'll manage all my radius system on ldap. I made a perl script which reads radiusd.conf and rewrites the clients.conf file on the fly. For this I added a new objectclass RadiusClient on my openldap. Do you know if somebody works in the same direction? I don't post my script on the list but I can send it on demand. thanks, eric german

Adding ldap based radius clients in rlm_ldap would be nice. It will be added at some point.

-- Kostas Kalevras, Network Operations Center, [EMAIL PROTECTED], National Technical University of Athens, Greece, Work Phone: +30 210 7721861, 'Go back to the shadow' Gandalf
Re: clients.conf storage in ldap
On Tue, 23 Nov 2004, eric german wrote:

I can try to port it into rlm_ldap.c, but I need some help on freeradius and in the C language. First question: must I patch rlm_ldap or another module (the module reading clients.conf)? Also, I don't know the freeradius architecture very well (one month ago). thanks, eric german

Take a look at the radius client support in rlm_sql.c and use that as a starting point. Make client reading configurable obviously. Or you can wait for a while. It's on my TODO list and it should be added by the end of the year.

--- Kostas Kalevras [EMAIL PROTECTED] wrote:

On Mon, 22 Nov 2004, eric german wrote:

hi, I'm playing with freeradius and openldap. I'll manage all my radius system on ldap. I made a perl script which reads radiusd.conf and rewrites the clients.conf file on the fly. For this I added a new objectclass RadiusClient on my openldap. Do you know if somebody works in the same direction? I don't post my script on the list but I can send it on demand. thanks, eric german

Adding ldap based radius clients in rlm_ldap would be nice. It will be added at some point.

-- Kostas Kalevras, Network Operations Center, [EMAIL PROTECTED], National Technical University of Athens, Greece, Work Phone: +30 210 7721861, 'Go back to the shadow' Gandalf
Re: how many records in radacct
On Tue, 23 Nov 2004, Alexander Serkin wrote:

Kostas Kalevras wrote:

On Tue, 23 Nov 2004, jesk wrote: ...

10,000,000 rows can be a lot depending on your candidate rows for each query and your available memory for caching. A more scalable structure (which I'll start using on my installation) is this: Create a memory mapped table (HEAP type in MySQL) storing only live sessions. That means that on accounting stop we do a delete instead of an update. That way double login detection works with the least overhead while accounting is also fast. For full accounting we also use a detail file and radsqlrelay (that's the reason I wrote it) to insert accounting directly into the radacct table. Since radius does not need to perform queries on the radacct table and radsqlrelay can cope with sql server delays/downtime, we don't really mind that much how big our accounting table gets and we can also perform maintenance work on it without affecting the radius service. My 0.02E

Well, how do you deal with stop records lost for some reason? There should be some tool to remove these stale records from the active table.

-- Alexander

dialupadmin/bin/clean_radacct :-)

-- Kostas Kalevras, Network Operations Center, [EMAIL PROTECTED], National Technical University of Athens, Greece, Work Phone: +30 210 7721861, 'Go back to the shadow' Gandalf
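Added example, not from the thread or from FreeRADIUS, of the live-session table Kostas describes and of the stale-row problem Alexander raises. MySQL syntax; the table name, its columns and the sample values are my own choices, and the 20-minute staleness window is an assumption that should be tuned to the NAS interim-update interval.

```sql
-- Added example: an in-memory table holding only live sessions
-- (names are assumptions, sample values constructed).
CREATE TABLE radacct_live (
  AcctUniqueId    VARCHAR(32) NOT NULL,      -- Acct-Unique-Session-Id hash
  AcctSessionId   VARCHAR(32) NOT NULL,
  UserName        VARCHAR(64) NOT NULL,
  NASIPAddress    VARCHAR(15) NOT NULL,
  NASPortId       INT         NOT NULL,
  FramedIPAddress VARCHAR(15) NOT NULL DEFAULT '',
  AcctStartTime   DATETIME    NOT NULL,
  LastUpdate      DATETIME    NOT NULL,      -- refreshed by every packet
  PRIMARY KEY (AcctUniqueId),
  KEY UserName (UserName),
  KEY LastUpdate (LastUpdate)
) ENGINE=MEMORY;                             -- TYPE=HEAP on MySQL 4.0

-- Accounting-Start: one row per live session.
INSERT INTO radacct_live VALUES
  ('b4d1f0e9c2a37a15', '4E81AF2C', 'gollum', '10.0.1.20', 3,
   '10.0.2.17', NOW(), NOW());

-- Interim-Update: only the timestamp moves; the octet counters go to the
-- detail file and reach radacct through radsqlrelay, not through here.
UPDATE radacct_live SET LastUpdate = NOW()
 WHERE AcctUniqueId = 'b4d1f0e9c2a37a15';

-- Accounting-Stop: delete instead of update, so the table never grows
-- beyond the number of concurrent sessions.
DELETE FROM radacct_live WHERE AcctUniqueId = 'b4d1f0e9c2a37a15';

-- simul_count equivalent: cheap, because every row is a live session.
SELECT COUNT(*) FROM radacct_live WHERE UserName = 'gollum';

-- simul_verify equivalent: the data checkrad needs to ask the NAS whether
-- each session is really still up.
SELECT NASIPAddress, NASPortId, FramedIPAddress, AcctSessionId
  FROM radacct_live WHERE UserName = 'gollum';

-- Alexander's case: a Stop that never arrived leaves a row behind. Any row
-- not refreshed for a couple of interim intervals is stale and can be
-- dropped (or checked with checkrad first). 20 minutes is an assumption.
DELETE FROM radacct_live
 WHERE LastUpdate < NOW() - INTERVAL 20 MINUTE;
```

The last statement is what a cron job in the spirit of dialupadmin/bin/clean_radacct would run; keying it on LastUpdate rather than AcctStartTime is what lets long sessions survive as long as the NAS keeps sending interim updates.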
radacct table empty
Hello folks, I'm making a test with freeradius authenticating against a DB in MySQL. I have activated logs for the authentications and it creates a directory for each NAS in my network under /usr/local/var/log/radius/radacct/<IP of the NAS>/logs; in this directory I have a lot of logs, but nothing in the DB. I would like to have these logs in the radacct MySQL table. But I did not find anything regarding how to do this kind of configuration!! I have searched in radiusd.conf and sql.conf. Please, if someone could give me some tip I will be very grateful. Thanks, André Zenun
checking NAS-Port-Type on freeradius
I want to check which port the client is using to get connected. I am using freeradius, and testing with radclient. My test is:

cat <<EOF | radclient -x localhost auth testing123
User-Name = gollum
User-Password = smeagol
NAS-IP-Address = localhost
NAS-Port-Type = 5
NAS-Port = 0
EOF

and I want the server to verify if the user gollum can access through a virtual NAS-Port (NAS-Port-Type=5), for example. In radiusd.conf, I put these lines:

checkval {
    # The attribute to look for in the request
    item-name = NAS-Port-Type
    # The attribute to look for in check items. Can be multi valued
    check-name = NAS-Port-Type
    # The data type. Can be
    # string,integer,ipaddr,date,abinary,octets
    #data-type = string
    data-type = integer
    # If set to yes and we dont find the item-name attribute in the
    # request then we send back a reject
    # DEFAULT is no
    #notfound-reject = no
    notfound-reject = yes
}

and in the radcheck table this line:

mysql> select * from radcheck;
+----+----------+---------------+----+---------+
| id | UserName | Attribute     | op | Value   |
+----+----------+---------------+----+---------+
|  7 | gollum   | NAS-Port-Type | == | PIAFS   |
|  4 | gollum   | User-Password | == | smeagol |
+----+----------+---------------+----+---------+

So, I mean if gollum is trying to access through a virtual port, it must be denied. But it receives an accept response. How do I make it work? thank you very much for any help!!

Luiz Gustavo
Proxy and Accounting
Hello All, I am using FreeRadius-1.0.1. The client is an 802.1x client on Windows XP with PEAP. The authenticator is an HP 2524 switch (10.0.1.20 in the log file). For me things are working fine with one radius server: AAA works pretty well and I can also check Simultaneous-Use for a user. Now I am trying to use the same setup and introduce the proxy radius server (10.0.1.5 in the log file). The XP client sends the credentials to the main radius server and, based on the Realm (THESIS.COM in the log file), the request is proxied to another freeradius server (10.0.1.15) which does the actual authentication. Everything works fine up to this point. But then the problem is that the proxy radius server does not send any accounting information to the other radius server. Now it means that if there are multiple users trying to get connected using the same username/password, there is no way to restrict them unless Simultaneous-Use works, and for this the RADIUS server should have accounting information. Note that the proxy server has the accounting information and I can see the connected user (authenticated by the 2nd radius server) using radwho. Probably I am making some mistake somewhere which I cannot figure out after trying so many times. I will really appreciate any pointers in this regard. The log file is attached to the email as radiuslog.

I added this line in the users file:

DEFAULT Proxy-To-Realm := THESIS.COM

Following is the proxy.conf file for the proxy server:

proxy server {
    synchronous = yes
    retry_delay = 5
    retry_count = 3
    dead_time = 120
    default_fallback = yes
    post_proxy_authorize = yes
}

realm LOCAL {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}

realm NULL {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
    secret = testing123
}

realm THESIS.COM {
    type = radius
    authhost = 10.0.1.15:1812
    accthost = 10.0.1.15:1813
    secret = testing123
}

Best Regards, Khurram
peap - ldap - eDirectory
Hello to all. 2 weeks ago I downloaded Fedora Core 3, with the intention of implementing 802.1x security for our wireless system. I'm not sure how to find the version of freeradius I have, only that it is stock in the latest release of Fedora Core 3. The radiusd.conf file has this if it helps: radiusd.conf.in,v 1.188 2004/05/13. I am using 3com 7250 WAPs, Freeradius (of course), Novell's LDAP server running in Netware 6.5 (clear text enabled), Win2K SP4 and WinXP supplicants. My goal is 802.1x PEAP, connecting to the Novell LDAP server for the user database. I can successfully connect to LDAP. I can authenticate with PEAP so long as the username is in the users file. Maybe what I am expecting of the software is incorrect, I am new to Radius. I was expecting the LDAP backend to supply mschapv2 with the username and password, so I wouldn't have to run a separate database of users. If it doesn't, please disregard the rest of this email... if it is supposed to, the error I am getting is listed below. I have been beating my head against the wall trying to make this work for the last 2 weeks at 8 hrs a day, and am ready to admit I cannot make it work without a separate user database. Any ideas, help, or corrections of my idea of how the software is supposed to work would be greatly appreciated.

HERE'S STARTUP

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and
acct_user WARNING!'s after upgrade to 1.0.1
Hi, I recently upgraded to freeradius 1.0.1 from 1.0. On start up I'm getting the error:

files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
[/usr/local/etc/raddb/acct_users]:18 WARNING! Check item "Exec-Program" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items
[/usr/local/etc/raddb/acct_users]:23 WARNING! Check item "Exec-Program" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items
Module: Instantiated files (files)
Module: Loaded detail

I'm pretty sure I was not getting that warning with 1.0 (though I would not swear to this). I was calling some scripts in my acct_users file, but this no longer works in 1.0.1. My acct_users file looks like this:

DEFAULT Acct-Status-Type == Start
        Exec-Program = /usr/local/bin/rp

DEFAULT Acct-Status-Type == Stop
        Exec-Program = /usr/local/bin/rs

Is this a bug, or did I miss some feature change between 1.0 and 1.0.1? Regards, -Emil
Re: acct_user WARNING!'s after upgrade to 1.0.1
Jev [EMAIL PROTECTED] wrote:

[/usr/local/etc/raddb/acct_users]:18 WARNING! Check item "Exec-Program" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items

You probably didn't update the dictionaries. For now, you can ignore the error.

Alan DeKok.
Re: peap - ldap - eDirectory
Daniel Hesse [EMAIL PROTECTED] wrote:

Hello to all. 2 weeks ago I downloaded Fedora Core 3, with the intention of implementing 802.1x security for our wireless system. I'm not sure how to find the version of freeradius I have

$ radiusd -v

Maybe what I am expecting of the software is incorrect, I am new to Radius. I was expecting the LDAP backend to supply mschapv2 with the username and password,

I'm not sure what you mean by that. LDAP stores usernames and passwords. FreeRADIUS does authentication. If FreeRADIUS can get passwords from LDAP, it can do the authentication for itself.

rlm_ldap: performing search in o=StormLake, with filter (uid=dhesse)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...

You need to configure a clear-text password in the LDAP database for the user.

modcall: entering group Auth-Type for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for dhesse with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

Exactly. The server has no known good password with which to perform authentication. And LDAP doesn't do MS-CHAPv2, so you can't ask it to do that.

Alan DeKok.
radgroupcheck and sql module return value
Hi, I am trying to proxy to a remote server if the user is not found in the local database. To do this I added a DEFAULT Proxy-To-Realm in the users file and a failover entry to radiusd.conf:

authorize {
    group {
        sql {
            notfound = 1
            ok = return
        }
        files
    }
}

The problem I am seeing is that the sql module returns ok even when the user is not found in the database. Essentially this messes up my configurable_failover setup. Looking at the log (included at the end) it looks like radcheck returns notfound but radgroupcheck returns ok, which in turn results in the sql module returning ok. In my postgresql.conf I have COMMENTED out all the relevant lines for RADGROUPCHECK and RADGROUPREPLY. If I uncomment the queries and add dummy queries, that is, queries that will always result in the row not being found, then _everything_ is OK (the sql module returns notfound for non-existent users as expected and the request is proxied to the remote host). How do I make the above configuration work while having empty queries for radgroupcheck (I have no use for it)?

Thanks! Vinod.

--
rad_recv: Access-Request packet from host 127.0.0.1:1094, id=204, length=56
        User-Name = vino
        User-Password = root123
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
modcall: entering group group for request 0
radius_xlat:  'vino'
rlm_sql (sql): sql_set_user escaped user --> 'vino'
radius_xlat:  'SELECT pkey, uid, attribute, password, op_req FROM radius_check WHERE uid = 'vino' ORDER BY pkey'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: SELECT pkey, uid, attribute, password, op_req FROM radius_check WHERE uid = 'vino' ORDER BY pkey
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): User vino not found in radcheck
radius_xlat:  ''
radius_xlat:  ''
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok for request 0
modcall: group group returns ok for request 0
Re: acct_user WARNING!'s after upgrade to 1.0.1
Alan DeKok wrote:

Jev [EMAIL PROTECTED] wrote:

[/usr/local/etc/raddb/acct_users]:18 WARNING! Check item "Exec-Program" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items

You probably didn't update the dictionaries.

I'm sure I have updated my dictionaries; would they have changed between 1.0 and 1.0.1 anyway?

For now, you can ignore the error.

I'm not worried about the error, but my scripts are not getting called on acct start/stop, which unfortunately I can not just ignore! :)

Alan DeKok.
rlm_exec for acc
Hi all, I understand Exec-Program is being deprecated in users, but what about acct_users? Can I call scripts for acct Start/Stops using the rlm_exec module? I played around with this, but I wasn't able to get any results, nor do I have any docs/examples for this... Any help greatly appreciated... -Jev