Re: rlm_perl problems
Ivan Kalik wrote:

Why? Alan is not the only developer. Read the copyright for rlm_perl code.

I know that Boian is responsible for making our life easier :) I was asking if this patch is going to be included in next release. That is the comment I was expecting. Sorry for misunderstanding.

Igor

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_perl problems
Garber, Neal wrote:

The error is in rlm_perl and appears related to thread data management, not the O/S and not perl (I run FreeBSD and you run CentOS; we even have different versions of perl). Boian can explain the change far better than I can; but, my interpretation of the change is that the thread specific data key is now created upon perl module instantiation and stored with the instance data (so there's now a separate key for each perl instance we defined in FreeRadius). (Perhaps someone will correct me if I interpreted it incorrectly.)

When you say you're not good in C, if you mean you are unsure how to apply the patch, try this:

1. Put the .diff file in the directory with rlm_perl.c (src/modules/rlm_perl is the directory).
2. Then use the patch command to update rlm_perl.c (it creates rlm_perl.c.orig as a backup and updates rlm_perl.c):
   patch rlm_perl.c rlm_perl.diff
3. Rebuild/install FreeRadius from source
4. Test
5. Say thank you to Boian (and Ivan as he helped also)..

I know how to patch. I was just trying to find out what was the error. That's the part I was thinking of when I said not good in C :) You are right, I forgot to say thank you to all. :) Thank you Ivan, thank you Boian.

Igor
Re: rlm_perl problems
On Jul 29, 2009, at 9:32 AM, Igor Smitran wrote:

know that Boian is responsible for making our life easier :) I was asking if this patch is going to be included in next release. That is the comment i was expecting. Sorry for misunderstanding.

Sure I will pull the changes back to repository.
Re: wrt54g+freeradius+mysql
Gustavo Marcello wrote:

I was searching for this in my conf files, but I don't find it. where it should be? I'm not sure that I am forcing Auth-Type := LOCAL

Well.. then you edited the default configuration files and broke them. Likely by deleting pap from the authorize section.

I'm always amazed at the amount of effort people put into destroying the default configuration.

Alan DeKok.
Re: Problem with CA.all
Julio Villacis Guevara wrote:

Hi i am upgrade the version yet but the CA.all not generate serial.

In version 2, CA.all isn't necessary.

Alan DeKok.
Re: wrt54g+freeradius+mysql
I'm always amazed at the amount of effort people put into destroying the default configuration.

From a newbie point of view the configuration for FreeRADIUS is huge, and for the most part yes you do leave it alone - so why is this config visible? remove it/hide it/embed it.

Would it not be worth then looking at how the server is configured on a whole and moving items that shouldn't be reconfigured into separate config files, or provide a form of configuration that has a basic out of the source config, but then you create your own config file which is loaded on top of the base config and if you want to change options you then override the section you want to change.

You've been around long enough to realise people don't read, they just want to get on and do, give them 101 config files with lots of options and they are going to play, you're probably just as guilty of this yourself when confronted with new software.

Steve
Re: rlm_ldap not found
hi,

you built it without the required ldap-devel package installed - hence your server cannot do LDAP. check the output of your ./configure carefully

alan
Re: wrt54g+freeradius+mysql
Steven Carr wrote:

From a newbie point of view the configuration for FreeRADIUS is huge, and for the most part yes you do leave it alone - so why is this config visible? remove it/hide it/embed it.

Hide it where? And it can't be embedded anywhere, because the whole point of a flexible server is to have it configurable. That makes embedding pretty much impossible.

Would it not be worth then looking at how the server is configured on a whole and moving items that shouldn't be reconfigured into separate config files, or provide a form of configuration that has a basic out of the source config, but then you create your own config file which is loaded on top of the base config and if you want to change options you then override the section you want to change.

Sort of like how the FAQ says add an entry to the users file, and it will work. You don't need to edit or even *look* at the majority of the configuration files.

You've been around long enough to realise people don't read, they just want to get on and do, give them 101 config files with lots of options and they are going to play, you're probably just as guilty of this yourself when confronted with new software.

Well... I tend to read documentation, too. If the documentation says here's how to make it work, I generally follow that.

Alan DeKok.
coa functionality in server question
Hello,

Running FR 2.1.6 on freebsd7.1. I'm trying to implement CoA origination by server. Read sites-available/originate-coa and added home_server

    home_server coa1 {
        type = coa
        ipaddr = 10.1.3.5
        port = 1700
        coa {
            irt = 2
            mrt = 16
            mrc = 5
            mrd = 30
        }
    }

and coa_server to client

    client test1 {
        ipaddr = 10.1.3.5
        netmask = 32
        secret = testing321
        nastype = other
        coa_server = coa1
    }

radiusd -X says

    ...
    radiusd: Loading Clients
    client test1 {
        ipaddr = 81.200.3.4
        netmask = 32
        require_message_authenticator = no
        secret = testing321
        nastype = other
        coa_server = coa1
    }
    /usr/local/etc/raddb/clients.conf[7]: No such home_server or home_server_pool coa1

It seems that I didn't understand sites-available/originate-coa right and miss something in my conf. Could you please clarify it for me?

Anton G.K.
configure
hi i am facing following problem.plz help me freeradius 2.1.6 on solaris10

    bash-3.00# ./configure
    checking for gcc... gcc
    checking for C compiler default output file name...
    configure: error: C compiler cannot create executables
    See `config.log' for more details.
Re: configure
Do you even read the errors you post? Did you read config.log?

Most probably the compiler on your machine is broken!

shivashankar wrote:

hi i am facing following problem.plz help me freeradius 2.1.6 on solaris10

    bash-3.00# ./configure
    checking for gcc... gcc
    checking for C compiler default output file name...
    configure: error: C compiler cannot create executables
    See `config.log' for more details.
Re: coa functionality in server question
Anton G. wrote:

It seems that I didn't understand sites-available/originate-coa right and miss something in my conf. Could you please clarify it for me?

You need to link it into sites-enabled/originate-coa. The server reads only sites-enabled, not sites-available.

Alan DeKok.
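The "No such home_server" failure in this thread can be caught before the server is started. The script below is an added example, not part of the original posts: it assumes the stock raddb layout in which radiusd loads proxy.conf and every file in sites-enabled/, runs against a constructed sample tree, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find coa_server references in
# clients.conf that do not resolve to a home_server in a loaded file.
# Assumption: loaded files are proxy.conf and everything in sites-enabled/.

NAME='[A-Za-z0-9_.-]\{1,\}'

# Print the names of all "home_server <name> {" blocks in the given files.
defined_home_servers() {
    for file in "$@"; do
        [ -f "$file" ] || continue   # skips unmatched globs and dangling links
        sed -n "s/^[[:space:]]*home_server[[:space:]]\{1,\}\($NAME\)[[:space:]]*{.*/\1/p" "$file"
    done
}

# Print every value assigned to coa_server in a clients.conf file.
referenced_coa_servers() {
    sed -n "s/^[[:space:]]*coa_server[[:space:]]*=[[:space:]]*\($NAME\).*/\1/p" "$1"
}

# Report unresolved references on stdout; return 1 if any were found.
check_coa_servers() {
    raddb=$1
    rc=0
    loaded=$(defined_home_servers "$raddb/proxy.conf" "$raddb"/sites-enabled/*)
    for name in $(referenced_coa_servers "$raddb/clients.conf"); do
        if printf '%s\n' "$loaded" | grep -qxF -e "$name"; then
            continue
        fi
        rc=1
        # Is it defined in a virtual server that was never enabled?
        hint=
        for avail in "$raddb"/sites-available/*; do
            if defined_home_servers "$avail" | grep -qxF -e "$name"; then
                hint=${avail##*/}
                break
            fi
        done
        if [ -n "$hint" ]; then
            echo "$name: defined in sites-available/$hint, which is not enabled"
        else
            echo "$name: not defined anywhere"
        fi
    done
    return $rc
}

# Build a constructed raddb tree that reproduces the error from the thread.
make_sample_raddb() {
    d=$(mktemp -d)
    mkdir "$d/sites-available" "$d/sites-enabled"
    : > "$d/proxy.conf"
    cat > "$d/sites-available/originate-coa" <<'EOF'
home_server coa1 {
    type = coa
    ipaddr = 10.1.3.5
    port = 1700
}
EOF
    cat > "$d/clients.conf" <<'EOF'
client test1 {
    ipaddr = 10.1.3.5
    secret = testing321
    coa_server = coa1
}
EOF
    echo "$d"
}

# Demo: the reference fails until the virtual server is linked into sites-enabled.
demo_dir=$(make_sample_raddb)
check_coa_servers "$demo_dir" || echo "(fix: link the file into sites-enabled)"
ln -s ../sites-available/originate-coa "$demo_dir/sites-enabled/originate-coa"
check_coa_servers "$demo_dir" && echo "all coa_server references resolve"
rm -rf "$demo_dir"
```

Against a real installation, call `check_coa_servers /usr/local/etc/raddb` (or wherever raddb lives) instead of the demo section.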
Re: configure
thax for u r reply again i have to install gcc could u plz let me know i am new for this installation. i think this problem with os.

2009/7/29 Padam J Singh padam.si...@inventum.cc

Do you even read the errors you post? Did you read config.log?

Most probably the compiler on your machine is broken!

shivashankar wrote:

hi i am facing following problem.plz help me freeradius 2.1.6 on solaris10

    bash-3.00# ./configure
    checking for gcc... gcc
    checking for C compiler default output file name...
    configure: error: C compiler cannot create executables
    See `config.log' for more details.

--
regard's
shiva shankar
Re: How to report bugs in freeradius-client?
Petr Uzel wrote:

Hi list,

Where should one report bugs in freeradius-client? https://bugs.freeradius.org/bugzilla does not have a component for freeradius client.

I've added one.

Alan DeKok.
RE: rlm_perl problems
I know how to patch. I was just trying to find out what was the error.

Igor: I hope you weren't offended by my assumption - I wasn't sure, based upon your comment, and I was just trying to help. If I offended you, I apologize. By the way, out of curiosity, did the patch work for you on 2.1.7 also?
Re: white list for nas-ipaddress
Hi,

I checked the debug and the file is correct:

    Module: Instantiating files
    files {
        usersfile = /etc/freeradius/users
        acctusersfile = /etc/freeradius/acct_users
        preproxy_usersfile = /etc/freeradius/preproxy_users
        compat = no
    }

And I tried without Fall-Through = Yes and same result :-(

I'm stuck here, any help will be greatly appreciated

---
Miguel

On Tue, Jul 28, 2009 at 2:27 PM, Ivan Kalik t...@kalik.net wrote:

Hi, I want to accept all request coming from a specific nas-ip-address, I used to configure like this (in users file):

    DEFAULT NAS-IP-Address == 192.168.150.25, Auth-Type := Accept
            Fall-Through = Yes

The above settings are not working now, this is the debug of a transaction:

    rad_recv: Access-Request packet from host 192.168.150.25 port 1645, id=52, length=94
        NAS-IP-Address = 192.168.150.25
        NAS-Port = 108
        NAS-Port-Type = Async
        User-Name = 123.com.sv
        Called-Station-Id = 22660321
        Calling-Station-Id = 22264218
        User-Password = cisco
        Service-Type = Dialout-Framed-User
    ...
    ++[files] returns noop
    ...

How sure are you that the users file you are using is the one server is using? Check the debug of the server startup and see if the users file is the correct one. If the file is correct, then your syntax isn't (check that DEFAULT line for typing mistakes).

Ivan Kalik
Kalik Informatika ISP
Re: How to report bugs in freeradius-client?
On Wed, Jul 29, 2009 at 03:52:21PM +0200, Alan DeKok wrote:

Petr Uzel wrote:

Hi list,

Where should one report bugs in freeradius-client? https://bugs.freeradius.org/bugzilla does not have a component for freeradius client.

I've added one.

Thanks! The bug report is here: https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=9

--
Best regards / s pozdravem
Petr Uzel, Packages maintainer
SUSE LINUX, s.r.o. e-mail: pu...@suse.cz
Lihovarská 1060/12 http://www.suse.cz
190 00 Prague 9 Czech Republic
RE: Problem with CA.all
Hi

How generate the certificates??

Thank in advance.

Ing. Julio Villacís G.
Service Engineer
Comware S.A.
(593 4) 2690170 Ext. 4500
www.comware.com.ec
Guayaquil-Ecuador

-Original message-
From: Alan DeKok [mailto:al...@deployingradius.com]
Sent: Wednesday, July 29, 2009 2:16 AM
To: jvill...@comware.com.ec; FreeRadius users mailing list
Subject: Re: Problem with CA.all

Julio Villacis Guevara wrote:

Hi i am upgrade the version yet but the CA.all not generate serial.

In version 2, CA.all isn't necessary.

Alan DeKok.
Re: Problem with CA.all
Julio Villacis Guevara wrote:

Hi How generate the certificates??

Read the INSTALL file that comes with the server.

Alan DeKok.
[RE]Problem with proxied accounting
Thanks, Alan for the advice!

We have just upgraded to FreeRADIUS 2.1.6, but unfortunately the problem persists:

    Server1/:
    total 1008236
    -rw--- 1 root root 714751062 Jul 29 11:53 detail-20090729
    -rw--- 1 root root 316653344 Jul 29 07:29 detail.work = stuck!

We got sometimes the following message for Server2:

    Thu Jul 23 15:00:45 2009 : Proxy: No outstanding request was found for proxy reply from home server Server2 IP address port 1813 - ID 142

And several messages for Server1:

    Wed Jul 29 11:36:53 2009 : Error: Rejecting request 3993531 due to lack of any response from home server Server1 IP address port 1813
    Wed Jul 29 11:36:53 2009 : Error: PROXY: Marking home server Server1 IP address port 1813 as zombie (it looks like it is dead).
    Wed Jul 29 11:37:28 2009 : Info: Suspicious proxy state... continuing
    Wed Jul 29 11:37:30 2009 : Error: Rejecting request 3998634 due to lack of any response from home server Server1 IP address port 1813
    ...

In an attempt to force the revival of Server1, we scheduled the execution of the following command every minute:

    radmin -e set home_server state Server1 IP address 1813 alive

But still, it seems to stuck ...

I checked with tcpdump port 1813 and host Server1 IP address that even though the details.work for Server1 is freezed, FreeRADIUS is sending accounting requests to Server1 and it is receiving accounting responses.

    # tcpdump port 1813 and host Server1 IP address
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    11:39:27.667255 IP FreeRADIUS IP address.1814 Server1.radius-acct: RADIUS, Accounting Request (4), id: 0x0c length: 202
    11:39:27.675969 IP Server1.radius-acct FreeRADIUS IP address.1814: RADIUS, Accounting Response (5), id: 0x0c length: 20
    ...

I have many many questions of how FreeRADIUS proxy works. Could someone please help us understand what we doing wrong?

1) Do you think that Server1 detail.work get stuck, because FreeRADIUS detected that some of the accounting requests in the detail.work didn't have a response from Server1?

2) FreeRADIUS is still sending accounting requests and receiving responses for Server1, just because we are setting Server1 alive? When we do this, it starts processing the details.work from the beginning of the file? After sometime, FreeRADIUS proxy stops completely. Is it because FreeRADIUS had too many accounting requests without responses?

3) Server1 receives all accounting requests received by FreeRADIUS, and Server2 receives accounting requests that matches a filter. I've noticed that Server1 and Server2 accounting responses for the same accounting requests have the same Packet Identifier, and that the NAS frequently reuses this Packet Identifier. Do you think that FreeRADIUS can get lost in this situation?

Please help us!

Thanks,
Cristina Miyata

-

Cristina Miyata wrote:

We are using Freeradius 2.1.1 and we send accounting RADIUS to 2 different servers called Server1 and Server2. In order to do so, we created two proxy servers and 3 detailed accounting logs: detail (stored in the server), detail1 (processed by the proxy server that send accounting to Server1) and detail2 (processed by the proxy server that send accounting to Server2).

I'd suggest upgrading to 2.1.6. It fixes some issues when reading from detail files.

Alan DeKok.

-[ Received Mail Content ]--
Subject : Problem with proxied accounting
Date : Tue, 21 Jul 2009 21:28:58 -0400 (EDT)
From : Cristina Miyata cmiy...@lycos.com
To : freeradius-users@lists.freeradius.org

Dear FreeRADIUS Users,

We are using Freeradius 2.1.1 and we send accounting RADIUS to 2 different servers called Server1 and Server2. In order to do so, we created two proxy servers and 3 detailed accounting logs: detail (stored in the server), detail1 (processed by the proxy server that send accounting to Server1) and detail2 (processed by the proxy server that send accounting to Server2).

For a while, the proxy serves works fine. Then one of them starts logging reject request due to lack of any response from home server Server1 IP address port 1813:

    Tue Jul 21 22:03:29 2009 : Error: Rejecting request 38447540 due to lack of any response from home server Server1 IP address port 1813
    Tue Jul 21 22:03:29 2009 : Error: PROXY: Marking home server Server1 IP address port 1813 as zombie (it looks like it is dead).

The proxy server for Server2 also stops working from time to time, but doesn't log any errors in radius.log file. The details file for the proxy gets larger and larger, and it seems to be consumed very very slowly (can see accounting being sent to Server2) or not consumed (simply stops sending accounting to Server2) by the proxy server:

    total 4265476
    -rw--- 1 root root 1246037041 Jul 20 23:59 detail-20090720
    -rw
Re: configure
Maybe posting on solaris lists would be better?

shiva shankar wrote:

thax for u r reply again i have to install gcc could u plz let me know i am new for this installation. i think this problem with os.

2009/7/29 Padam J Singh padam.si...@inventum.cc

Do you even read the errors you post? Did you read config.log?

Most probably the compiler on your machine is broken!

shivashankar wrote:

hi i am facing following problem.plz help me freeradius 2.1.6 on solaris10

    bash-3.00# ./configure
    checking for gcc... gcc
    checking for C compiler default output file name...
    configure: error: C compiler cannot create executables
    See `config.log' for more details.

--
regard's
shiva shankar
Freeradius and CouchDB
Has anyone tried to run Freeradius with all the data stored in CouchDB?

CouchDB uses a HTTP interface so maybe the only thing needed is http client support in unlang?

--
damjan | дамјан
This is my jabber ID -- dam...@bagra.net.mk -- not my mail address, it's a Jabber ID --^ :)
Re: Problem with CA.all
Hi,

Hi How generate the certificates??

there is a new makefile and script to do the work.

alan
Re: Freeradius and CouchDB
Damjan wrote:

Has anyone tried to run Freeradius with all the data stored in CouchDB? CouchDB uses a HTTP interface so maybe the only thing needed is http client support in unlang?

Umm... unlang is a policy language. It is NOT a generic programming language. It will NEVER be a programming language.

If you need couchdb support, I would suggest using the Perl module, and the Perl couchDB APIs.

Alan DeKok.
RE: Problem with CA.all
Hi

please how i do?

Thank in advance

Ing. Julio Villacís G.
Service Engineer
Comware S.A.
(593 4) 2690170 Ext. 4500
www.comware.com.ec
Guayaquil-Ecuador

-Original message-
From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: Wednesday, July 29, 2009 10:32 AM
To: jvill...@comware.com.ec; FreeRadius users mailing list
CC: 'Alan DeKok'
Subject: Re: Problem with CA.all

Hi,

Hi How generate the certificates??

there is a new makefile and script to do the work.

alan
Re: [RE]Problem with proxied accounting
Cristina Miyata wrote:

We have just upgraded to FreeRADIUS 2.1.6, but unfortunately the problem persists:

    Server1/:
    total 1008236
    -rw--- 1 root root 714751062 Jul 29 11:53 detail-20090729
    -rw--- 1 root root 316653344 Jul 29 07:29 detail.work = stuck!

A 700M detail file? Wow... it should really be rather a lot smaller than that. I would suggest adding %H (at least) to the filename, which will shrink them in size by a factor of 24.

We got sometimes the following message for Server2:

    Thu Jul 23 15:00:45 2009 : Proxy: No outstanding request was found for proxy reply from home server Server2 IP address port 1813 - ID 142

And several messages for Server1:

    Wed Jul 29 11:36:53 2009 : Error: Rejecting request 3993531 due to lack of any response from home server Server1 IP address port 1813
    Wed Jul 29 11:36:53 2009 : Error: PROXY: Marking home server Server1 IP address port 1813 as zombie (it looks like it is dead).
    Wed Jul 29 11:37:28 2009 : Info: Suspicious proxy state... continuing
    Wed Jul 29 11:37:30 2009 : Error: Rejecting request 3998634 due to lack of any response from home server Server1 IP address port 1813

Your home servers are dead or dying. That's not good.

In an attempt to force the revival of Server1, we scheduled the execution of the following command every minute:

    radmin -e set home_server state Server1 IP address 1813 alive

Uh... that won't help. What happens when it's still down? This is a *very* bad idea. You should use the normal status checks to determine if a home server is alive.

But still, it seems to stuck ... I checked with tcpdump port 1813 and host Server1 IP address that even though the details.work for Server1 is freezed, FreeRADIUS is sending accounting requests to Server1 and it is receiving accounting responses.

Yes it doesn't *modify* the detail file while it's being processed. It processes the whole file, (sending packets the whole time), and then deletes the file when it's done.

If the home servers are almost down, it will *continue* to process the detail file, and it will *continue* to send packets until it's done. That's what you're seeing.

If the home servers are down, it will STOP proxying packets, and it will STOP reading the detail file... because the home servers are down.

I have many many questions of how FreeRADIUS proxy works. Could someone please help us understand what we doing wrong?

The entire functionality of proxying is documented in the configuration files.

1) Do you think that Server1 detail.work get stuck, because FreeRADIUS detected that some of the accounting requests in the detail.work didn't have a response from Server1?

That is how the process is *documented* as working. See raddb/sites-available/copy-acct-to-home-server.

2) FreeRADIUS is still sending accounting requests and receiving responses for Server1, just because we are setting Server1 alive? When we do this, it starts processing the details.work from the beginning of the file? After sometime, FreeRADIUS proxy stops completely. Is it because FreeRADIUS had too many accounting requests without responses?

I have no idea what that means.

3) Server1 receives all accounting requests received by FreeRADIUS, and Server2 receives accounting requests that matches a filter. I've noticed that Server1 and Server2 accounting responses for the same accounting requests have the same Packet Identifier, and that the NAS frequently reuses this Packet Identifier. Do you think that FreeRADIUS can get lost in this situation?

No.

Alan DeKok.
Re: configure
On 07/29/2009 11:26 AM, Padam J Singh wrote:

Maybe posting on solaris lists would be better?

Rather than posting on another list why not read some of the documentation :-) A good place to start is:

    ./configure --help

And you'll discover there is a way to tell configure what your compiler command is. I don't think there is anything in freeradius which demands the compiler be gcc, you should be able to use your native compiler. Of course if you don't have any compiler installed that would be a problem too :-)

GNU autoconf has extensive documentation. http://www.gnu.org/software/autoconf

There is also this really neat thing called google where you can find the answers to most any problem like this on your own without asking others ;-)

shiva shankar wrote:

thax for u r reply again i have to install gcc could u plz let me know i am new for this installation. i think this problem with os.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
RE: Problem with CA.all
Hi please how i do?

You go to the raddb/certs directory and read the file strangely named README. You follow those instructions.

Ivan Kalik
Kalik Informatika ISP
Decoupled accounting
Hi All,

I'm using freeradius 2.1.6 and want to move to decoupled accounting. I understand the example configs, but one question I still have is this: do I have to have preacct and accounting sections in my virtual.blah.com file (very similar to the default file) which is in the sites-enabled dir, even though I will have preacct and accounting sections in the decoupled-accounting file?

Regards,
Ranbir

--
Kanwar Ranbir Sandhu
Linux 2.6.27.25-170.2.72.fc10.x86_64 x86_64 GNU/Linux
13:16:02 up 5 days, 4:42, 5 users, load average: 1.43, 1.36, 1.26
Re: Captive portal: can I use chap or pap in conjunction with ntlm_auth?
Is there a way for me to use pap with users stored in Active Directory?

Yes. If you followed AD integration document you have already done that. Now, the best way to integrate that with accounts stored elsewhere (files, sql, ldap, etc.) is to create failover after pap in authorize section of default virtual server (instead of forcing it in users file):

    if(!Auth-Type) {
        update control {
            Auth-Type = ntlm_auth
        }
    }

Awesome. Thank you that worked like a charm!

John
Re: Decoupled accounting
No, the accounting will only work on the virtual server who has a listen section that has acct activated. If you put a new virtual server without acct listen section will not work.

2009/7/29 Kanwar Ranbir Sandhu m3fr...@thesandhufamily.ca:

Hi All,

I'm using freeradius 2.1.6 and want to move to decoupled accounting. I understand the example configs, but one question I still have is this: do I have to have preacct and accounting sections in my virtual.blah.com file (very similar to the default file) which is in the sites-enabled dir, even though I will have preacct and accounting sections in the decoupled-accounting file?

Regards,
Ranbir

--
Kanwar Ranbir Sandhu
Linux 2.6.27.25-170.2.72.fc10.x86_64 x86_64 GNU/Linux
13:16:02 up 5 days, 4:42, 5 users, load average: 1.43, 1.36, 1.26
[RE]Problem with proxied accounting
One thing that I forgot to mention is that Server1 doesn't support sending status check with status-server, so I had configure status check with request. I can't blame the Server1 to not respond to accounting requests, because I can see the accounting responses ... So I really don't know what is going on

    home_server Server11 {
        type = acct
        ipaddr = Server1 IP address
        port = 1813
        response_window = 5
        status_check = request
        username = suntech
        password = password
        secret = secret
    }
    home_server_pool Server1_POOL {
        type = fail-over
        home_server = Server11
    }
    realm Server1 {
        type= radius
        acct_pool = Server1_POOL
        secret = secret
    }

Cristina Miyata wrote:

We have just upgraded to FreeRADIUS 2.1.6, but unfortunately the problem persists:

    Server1/:
    total 1008236
    -rw--- 1 root root 714751062 Jul 29 11:53 detail-20090729
    -rw--- 1 root root 316653344 Jul 29 07:29 detail.work = stuck!

A 700M detail file? Wow... it should really be rather a lot smaller than that. I would suggest adding %H (at least) to the filename, which will shrink them in size by a factor of 24.

We got sometimes the following message for Server2:

    Thu Jul 23 15:00:45 2009 : Proxy: No outstanding request was found for proxy reply from home server Server2 IP address port 1813 - ID 142

And several messages for Server1:

    Wed Jul 29 11:36:53 2009 : Error: Rejecting request 3993531 due to lack of any response from home server Server1 IP address port 1813
    Wed Jul 29 11:36:53 2009 : Error: PROXY: Marking home server Server1 IP address port 1813 as zombie (it looks like it is dead).
    Wed Jul 29 11:37:28 2009 : Info: Suspicious proxy state... continuing
    Wed Jul 29 11:37:30 2009 : Error: Rejecting request 3998634 due to lack of any response from home server Server1 IP address port 1813

Your home servers are dead or dying. That's not good.

In an attempt to force the revival of Server1, we scheduled the execution of the following command every minute:

    radmin -e set home_server state Server1 IP address 1813 alive

Uh... that won't help. What happens when it's still down? This is a *very* bad idea. You should use the normal status checks to determine if a home server is alive.

But still, it seems to stuck ... I checked with tcpdump port 1813 and host Server1 IP address that even though the details.work for Server1 is freezed, FreeRADIUS is sending accounting requests to Server1 and it is receiving accounting responses.

Yes it doesn't *modify* the detail file while it's being processed. It processes the whole file, (sending packets the whole time), and then deletes the file when it's done.

If the home servers are almost down, it will *continue* to process the detail file, and it will *continue* to send packets until it's done. That's what you're seeing.

If the home servers are down, it will STOP proxying packets, and it will STOP reading the detail file... because the home servers are down.

I have many many questions of how FreeRADIUS proxy works. Could someone please help us understand what we doing wrong?

The entire functionality of proxying is documented in the configuration files.

1) Do you think that Server1 detail.work get stuck, because FreeRADIUS detected that some of the accounting requests in the detail.work didn't have a response from Server1?

That is how the process is *documented* as working. See raddb/sites-available/copy-acct-to-home-server.

2) FreeRADIUS is still sending accounting requests and receiving responses for Server1, just because we are setting Server1 alive? When we do this, it starts processing the details.work from the beginning of the file? After sometime, FreeRADIUS proxy stops completely. Is it because FreeRADIUS had too many accounting requests without responses?

I have no idea what that means.

3) Server1 receives all accounting requests received by FreeRADIUS, and Server2 receives accounting requests that matches a filter. I've noticed that Server1 and Server2 accounting responses for the same accounting requests have the same Packet Identifier, and that the NAS frequently reuses this Packet Identifier. Do you think that FreeRADIUS can get lost in this situation?

No.

Alan DeKok.

-[ Received Mail Content ]--
Subject : [RE]Problem with proxied accounting
Date : Wed, 29 Jul 2009 11:19:14 -0400 (EDT)
From : Cristina Miyata cmiy...@lycos.com
To : freeradius-users@lists.freeradius.org

Thanks, Alan for the advice!

We have just upgraded to FreeRADIUS 2.1.6, but unfortunately the problem persists:

    Server1/:
    total 1008236
    -rw--- 1 root root 714751062 Jul 29 11:53 detail-20090729
    -rw--- 1 root root 316653344 Jul 29 07:29 detail.work = stuck!

We got sometimes the following message
Re: Decoupled accounting
On Wed, 2009-07-29 at 21:21 +0200, Rokkhan wrote:

No, the accounting will only work on the virtual server that has a listen section that has acct activated. If you put a new virtual server without acct listen section it will not work.

My virtual server does have an acct listen section. I'm talking about the sections where you define the various other modules that preacct and accounting would use (e.g. sql, sqlippool, etc.).

Regards,
Ranbir

--
Kanwar Ranbir Sandhu
Linux 2.6.27.25-170.2.72.fc10.x86_64 x86_64 GNU/Linux
18:01:57 up 5 days, 9:28, 4 users, load average: 1.16, 1.09, 0.63
Re: Captive portal: can I use chap or pap in conjunction with ntlm_auth?
Is there a way for me to use pap with users stored in Active Directory?

Yes. If you followed AD integration document you have already done that. Now, the best way to integrate that with accounts stored elsewhere (files, sql, ldap, etc.) is to create failover after pap in authorize section of default virtual server (instead of forcing it in users file):

if(!Auth-Type) {
    update control {
        Auth-Type = ntlm_auth
    }
}

Awesome. Thank you that worked like a charm!

It should be if(!control:Auth-Type). I have added the guide for combining AD accounts with accounts stored elsewhere to freeradius wiki:

http://wiki.freeradius.org/Combining_authentication_of_AD_accounts_%28ntlm_auth%29_with_accounts_stored_elsewhere

Ivan Kalik
Kalik Informatika ISP
Re: [RE]Problem with proxied accounting
We have just upgraded to FreeRADIUS 2.1.6, but unfortunately the problem persists:

Server1/:
total 1008236
-rw--- 1 root root 714751062 Jul 29 11:53 detail-20090729
-rw--- 1 root root 316653344 Jul 29 07:29 detail.work = stuck!

We got sometimes the following message for Server2:

Thu Jul 23 15:00:45 2009 : Proxy: No outstanding request was found for proxy reply from home server Server2 IP address port 1813 - ID 142

And several messages for Server1:

Wed Jul 29 11:36:53 2009 : Error: Rejecting request 3993531 due to lack of any response from home server Server1 IP address port 1813
Wed Jul 29 11:36:53 2009 : Error: PROXY: Marking home server Server1 IP address port 1813 as zombie (it looks like it is dead).
Wed Jul 29 11:37:28 2009 : Info: Suspicious proxy state... continuing
Wed Jul 29 11:37:30 2009 : Error: Rejecting request 3998634 due to lack of any response from home server Server1 IP address port 1813
...

In an attempt to force the revival of Server1, we scheduled the execution of the following command every minute:

radmin -e set home_server state Server1 IP address 1813 alive

Ugh, don't do that.

But still, it seems to be stuck ... I checked with tcpdump port 1813 and host Server1 IP address that even though the details.work for Server1 is frozen, FreeRADIUS is sending accounting requests to Server1 and it is receiving accounting responses.

# tcpdump port 1813 and host Server1 IP address
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:39:27.667255 IP FreeRADIUS IP address.1814 Server1.radius-acct: RADIUS, Accounting Request (4), id: 0x0c length: 202
11:39:27.675969 IP Server1.radius-acct FreeRADIUS IP address.1814: RADIUS, Accounting Response (5), id: 0x0c length: 20
...

Is there a firewall blocking requests? Server1 is sending responses but they are not reaching the proxy.

Ivan Kalik
Kalik Informatika ISP
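An added example, not part of any list message and not FreeRADIUS code: a small Python script that tallies the proxy errors quoted in this thread per home server, so unanswered requests, zombie markings and unmatched replies can be told apart without reading the server log by hand. The log lines are constructed from the message formats quoted above, the 192.0.2.x addresses stand in for the redacted IPs, and the function names and triage wording are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: message formats are from the thread; 192.0.2.x replaces the redacted IPs.
SAMPLE_LOG = """\
Thu Jul 23 15:00:45 2009 : Proxy: No outstanding request was found for proxy reply from home server 192.0.2.20 port 1813 - ID 142
Wed Jul 29 11:36:53 2009 : Error: Rejecting request 3993531 due to lack of any response from home server 192.0.2.10 port 1813
Wed Jul 29 11:36:53 2009 : Error: PROXY: Marking home server 192.0.2.10 port 1813 as zombie (it looks like it is dead).
Wed Jul 29 11:37:28 2009 : Info: Suspicious proxy state... continuing
Wed Jul 29 11:37:30 2009 : Error: Rejecting request 3998634 due to lack of any response from home server 192.0.2.10 port 1813
""".splitlines()

LINE = re.compile(r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : (?P<msg>.*)$")
EVENTS = {
    "no_response": re.compile(r"Rejecting request \d+ due to lack of any response from home server (\S+) port (\d+)"),
    "zombie": re.compile(r"Marking home server (\S+) port (\d+) as zombie"),
    "unmatched_reply": re.compile(r"No outstanding request was found for proxy reply from home server (\S+) port (\d+)"),
}

def summarize(lines):
    """Count proxy failure events per (home server, port), with first/last time seen."""
    stats = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a timestamped server log line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        for kind, pattern in EVENTS.items():
            hit = pattern.search(m["msg"])
            if hit:
                blank = {**dict.fromkeys(EVENTS, 0), "first": None, "last": None}
                s = stats.setdefault((hit[1], int(hit[2])), blank)
                s[kind] += 1
                s["first"] = min(s["first"] or ts, ts)
                s["last"] = max(s["last"] or ts, ts)
    return stats

def triage(stats):
    """Heuristic (an assumption of this example): replies that match nothing vs. no replies at all."""
    verdicts = {}
    for server, s in stats.items():
        if s["unmatched_reply"]:
            verdicts[server] = "replies arrive but match no pending request: check response_window and network delay"
        elif s["no_response"] or s["zombie"]:
            verdicts[server] = "no replies seen by the proxy: check the return path with tcpdump on the proxy"
    return verdicts

if __name__ == "__main__":
    for server, verdict in triage(summarize(SAMPLE_LOG)).items():
        print(server, "->", verdict)
```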