FreeRADIUS - no service!
Hi to all! We have an issue with a FreeRADIUS server (FreeRADIUS server and Oracle Database). Sometimes it fails and stops processing the AAA requests (only a complete server reboot helps)! Here is the log output during the time of a failed situation:

[r...@aaa0 ~]# tailf /usr/local/var/log/radius/radius.log
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: 'rlm_sql_oracle: no connection to db'
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: '(null)'
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Failed to connect DB handle #7
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): reconnect failed, database down?
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Couldn't insert SQL accounting START record - rlm_sql_oracle: no connection to db
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-1: unique constraint (RADIUS.ACCT_IDX1) violated
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: 'rlm_sql_oracle: no connection to db'
[r...@aaa0 ~]#
[r...@aaa0 ~]# /etc/init.d/rc.radiusd restart
Starting FreeRADIUS:Mon Dec 13 20:09:51 2010 : Info: Starting - reading configuration files ...
radiusd
[r...@aaa0 ~]# tailf /usr/local/var/log/radius/radius.log
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: '(null)'
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Failed to connect DB handle #7
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): reconnect failed, database down?
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Couldn't insert SQL accounting START record - rlm_sql_oracle: no connection to db
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-1: unique constraint (RADIUS.ACCT_IDX1) violated
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: 'rlm_sql_oracle: no connection to db'
Mon Dec 13 20:09:51 2010 : Info: Using deprecated naslist file. Support for this will go away soon.
Mon Dec 13 20:09:51 2010 : Error: There appears to be another RADIUS server running on the authentication port 1812
[r...@aaa0 ~]# reboot

Please advise what can be the reason for such negative behaviour of the RADIUS server? Why does it lose the connection to the db? How can we troubleshoot the issue further?

Alexander

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FreeRADIUS - no service!
Sorry, no idea about Oracle, but:

> Mon Dec 13 20:09:51 2010 : Error: There appears to be another RADIUS server running on the authentication port 1812

Seems the radius process is still running, so it does not stop properly. Maybe the former radiusd process was hung. Do an xxradius stop, look via ps -eaf | grep -ie radius whether it still appears, and if so kill it by hand. Restart radius. Hope it helps a bit.

-----Original Message-----
From: freeradius-users-bounces+escriba=cells...@lists.freeradius.org [mailto:freeradius-users-bounces+escriba=cells...@lists.freeradius.org] On Behalf Of Александр Чурсин
Sent: Wednesday, 15 December 2010 9:06
To: freeradius-users@lists.freeradius.org
Subject: FreeRADIUS - no service!

> Hi to all! We have an issue with a FreeRADIUS server (FreeRADIUS server and Oracle Database). Sometimes it fails and stops processing the AAA requests (only a complete server reboot helps)! Here is the log output during the time of a failed situation:
>
> [r...@aaa0 ~]# tailf /usr/local/var/log/radius/radius.log
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: 'rlm_sql_oracle: no connection to db'
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: '(null)'
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Failed to connect DB handle #7
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): reconnect failed, database down?
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Couldn't insert SQL accounting START record - rlm_sql_oracle: no connection to db
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-1: unique constraint (RADIUS.ACCT_IDX1) violated
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: 'rlm_sql_oracle: no connection to db'
> [r...@aaa0 ~]#
> [r...@aaa0 ~]# /etc/init.d/rc.radiusd restart
> Starting FreeRADIUS:Mon Dec 13 20:09:51 2010 : Info: Starting - reading configuration files ...
> radiusd
> [r...@aaa0 ~]# tailf /usr/local/var/log/radius/radius.log
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: '(null)'
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Failed to connect DB handle #7
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): reconnect failed, database down?
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Couldn't insert SQL accounting START record - rlm_sql_oracle: no connection to db
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-1: unique constraint (RADIUS.ACCT_IDX1) violated
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: 'rlm_sql_oracle: no connection to db'
> Mon Dec 13 20:09:51 2010 : Info: Using deprecated naslist file. Support for this will go away soon.
> Mon Dec 13 20:09:51 2010 : Error: There appears to be another RADIUS server running on the authentication port 1812
> [r...@aaa0 ~]# reboot
>
> Please advise what can be the reason for such negative behaviour of the RADIUS server? Why does it lose the connection to the db? How can we troubleshoot the issue further?
>
> Alexander
Re: FreeRADIUS - no service!
2010/12/15 Александр Чурсин achursi...@gmail.com:
> Hi to all! We have an issue with a FreeRADIUS server (FreeRADIUS server and Oracle Database). Sometimes it fails and stops processing the AAA requests (only a complete server reboot helps)! Here is the log output during the time of a failed situation:
>
> [r...@aaa0 ~]# tailf /usr/local/var/log/radius/radius.log
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: 'rlm_sql_oracle: no connection to db'
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: '(null)'
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Failed to connect DB handle #7
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): reconnect failed, database down?
>
> Please advise what can be the reason for such negative behaviour of the RADIUS server? Why does it lose the connection to the db? How can we troubleshoot the issue further?

The logs should speak for themselves. To fix this one you need to coordinate with the network/DBA guys. Sometimes it's simply because Oracle is dead or too busy to respond to anything. Other times it can be firewall issues.

> Mon Dec 13 20:09:51 2010 : Error: There appears to be another RADIUS server running on the authentication port 1812

Like Ramon mentioned, you probably need to do a kill -9 manually.

--
Fajar
RE: FreeRADIUS - no service!
Thanks for the replies! We'll try to kill the process manually, but it is still unclear what the core reason of the service failure is.

> The logs should speak for themselves. To fix this one you need to coordinate with the network/DBA guys. Sometimes it's simply because Oracle is dead or too busy to respond to anything. Other times it can be firewall issues.

There were no network changes before and during the RADIUS outage (no firewall). The DBA guys say that Oracle is OK, and no significant issues were placed on record according to the Oracle logs.

Alexander
Re: FreeRADIUS - no service!
2010/12/15 Александр Чурсин achursi...@gmail.com:
>> The logs should speak for themselves. To fix this one you need to coordinate with the network/DBA guys. Sometimes it's simply because Oracle is dead or too busy to respond to anything. Other times it can be firewall issues.
>
> There were no network changes before and during the RADIUS outage (no firewall). The DBA guys say that Oracle is OK, and no significant issues were placed on record according to the Oracle logs.

Then do a simple test. When radius says it can't reconnect, connect manually from the radius server with sqlplus (or whatever you're familiar with) using the same user/password that you use for radius.

--
Fajar
Re: FreeRADIUS - no service!
Hi,

> We have an issue with a FreeRADIUS server (FreeRADIUS server and Oracle Database). Sometimes it fails and stops processing the AAA requests (only a complete server reboot helps)! Here is the log output during the time of a failed situation:

from the log

1) no connection to the DB. that's very concise
2) you are trying to send a dodgy accounting packet to the DB. don't.
3) you are sending a packet with the same details - constraint violation.
4) finally, you are trying to run radius when it's already running still. kill -9 radiusd then run the server.

why is it dying? probably numerous reasons. what version are you running?

I'd advise you do 2 things: firstly, have some extra terminal windows open and in one, run a tcpdump of your DB connection, and in the other, run radiusd -X (ie run in full debug mode as is written in all docs when you have a problem)

you might also want to put a wrapper around the accounting part so that packets with zero session length etc (do you use Cisco gear by any chance? ;-) ) don't find their way into STOP packets...which is why I asked what version you are running.. in 2.1.x, something like this will do it in the accounting {} section of your server, instead of just calling SQL, wrapper it:

    if (Acct-Session-Time != 0) {
        sql
    }
    else {
        ok
    }

alan
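The four failure classes Alan lists above can be picked out of radius.log mechanically. The script below is an added example written for this thread, not FreeRADIUS code: it parses the 1.x/2.x log line shape, maps each message to one of the four classes (database unreachable, zero-length Stop packet, duplicate accounting key, stale radiusd still holding the authentication port) and emits one piece of advice per class seen. The category names and advice strings are the example's own; the sample lines are the ones quoted earlier in the thread.

```python
"""Classify FreeRADIUS radius.log lines into the failure classes discussed in this
thread. Added example (not FreeRADIUS code); the sample lines are copied from the
log quoted earlier in the thread, the category names and advice are this example's own."""
import re
from collections import Counter
from datetime import datetime

# radius.log line shape in 1.x/2.x, e.g.
# "Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): reconnect failed, database down?"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<level>\w+): (?P<msg>.*)$"
)

# First matching rule wins, so the specific patterns come before the generic DB one.
RULES = [
    ("port_in_use", re.compile(r"another RADIUS server running on .*port (?P<port>\d+)")),
    ("duplicate_key", re.compile(r"unique constraint \((?P<index>[\w.]+)\) violated")),
    ("zero_session_stop", re.compile(r"stop packet with zero session length")),
    ("db_down", re.compile(r"no connection to db|Oracle logon failed|"
                           r"Failed to connect DB handle|reconnect failed")),
]

ADVICE = {
    "port_in_use": "a previous radiusd still holds port {port}: stop it (ps/kill) before restarting",
    "db_down": "rlm_sql cannot reach the database: test the same user/password with sqlplus from this host",
    "duplicate_key": "insert hit an existing key on {index}: the NAS resent a packet with the same session details",
    "zero_session_stop": "Stop packets with Acct-Session-Time = 0 reached SQL: guard the sql call in accounting {{}}",
}


def classify(msg):
    """Map one log message to (category, captured details)."""
    for category, rx in RULES:
        hit = rx.search(msg)
        if hit:
            return category, hit.groupdict()
    return "other", {}


def parse_line(line):
    """Parse one radius.log line; return None for text that is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    category, detail = classify(m.group("msg"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "level": m.group("level"),
        "msg": m.group("msg"),
        "category": category,
        "detail": detail,
    }


def summarize(lines):
    """Count lines per category and return one advice string per category seen."""
    counts = Counter()
    details = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["category"]] += 1
        details.setdefault(rec["category"], rec["detail"])
    findings = [ADVICE[c].format(**details[c]) for c in ADVICE if c in counts]
    return counts, findings


# Constructed sample: the lines quoted in the thread, in the order they appeared.
SAMPLE_LOG = """\
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: 'rlm_sql_oracle: no connection to db'
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: '(null)'
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Failed to connect DB handle #7
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): reconnect failed, database down?
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Couldn't insert SQL accounting START record - rlm_sql_oracle: no connection to db
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-1: unique constraint (RADIUS.ACCT_IDX1) violated
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: 'rlm_sql_oracle: no connection to db'
Mon Dec 13 20:09:51 2010 : Info: Using deprecated naslist file. Support for this will go away soon.
Mon Dec 13 20:09:51 2010 : Error: There appears to be another RADIUS server running on the authentication port 1812
"""

if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_LOG.splitlines())
    for category, n in counts.most_common():
        print(f"{n:3d}  {category}")
    for finding in findings:
        print("->", finding)
```

Run against a live file with `summarize(open("/usr/local/var/log/radius/radius.log"))`; the rule order matters, because the ORA-1 line also mentions rlm_sql_oracle and would otherwise be swallowed by the generic database pattern.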
Re: Freeradius/Oracle compilation
It works here, is indeed smarter and lighter. Hope it's ok. --- /tmp/configure.in.orig 2010-12-14 23:24:40.019101002 -1000 +++ /tmp/configure.in 2010-12-14 23:18:25.875101003 -1000 @@ -86,32 +86,37 @@ if test x$oracle_lib_dir != x ; then ORACLE_LIBDIR_SWITCH=-L${oracle_lib_dir} fi - LIBS=$old_LIBS $ORACLE_LIBDIR_SWITCH -lclntsh -lnnz10 - AC_TRY_LINK([#include oci.h - - static OCIEnv *p_env; - static OCIError *p_err; - static OCISvcCtx*p_svc; - static OCIStmt *p_sql; - static OCIDefine*p_dfn= (OCIDefine *) 0; - static OCIBind *p_bnd= (OCIBind *) 0; - ], - [ - int p_bvi; - charp_sli[20]; - int rc; - charerrbuf[100]; - int errcode; - - rc = OCIInitialize((ub4) OCI_DEFAULT, (dvoid *)0, /* Initialize OCI */ - (dvoid * (*)(dvoid *, size_t)) 0, - (dvoid * (*)(dvoid *, dvoid *, size_t))0, - (void (*)(dvoid *, dvoid *)) 0 ); - - ], - ORACLE_LIBS=$ORACLE_LIBDIR_SWITCH -lclntsh -lnnz10, - ORACLE_LIBS= - ) + for oracle_version in 10 11 9 ; do + LIBS=$old_LIBS $ORACLE_LIBDIR_SWITCH -lclntsh -lnnz${oracle_version} + AC_TRY_LINK([#include oci.h + + static OCIEnv *p_env; + static OCIError *p_err; + static OCISvcCtx*p_svc; + static OCIStmt *p_sql; + static OCIDefine*p_dfn= (OCIDefine *) 0; + static OCIBind *p_bnd= (OCIBind *) 0; + ], + [ + int p_bvi; + charp_sli[20]; + int rc; + charerrbuf[100]; + int errcode; + + rc = OCIInitialize((ub4) OCI_DEFAULT, (dvoid *)0, /* Initialize OCI */ + (dvoid * (*)(dvoid *, size_t)) 0, + (dvoid * (*)(dvoid *, dvoid *, size_t))0, + (void (*)(dvoid *, dvoid *)) 0 ); + + ], + ORACLE_LIBS=$ORACLE_LIBDIR_SWITCH -lclntsh -lnnz${oracle_version}, + ORACLE_LIBS= + ) + if test x$ORACLE_LIBS != x; then + break + fi + done LIBS=$old_LIBS CFLAGS=$old_CFLAGS 
@@ -129,7 +134,7 @@ if test x$ORACLE_LIBS = x; then AC_MSG_WARN([oracle libraries not found. Use --with-oracle-lib-dir=path.]) - fail=$fail libclntsh libnnz10 + fail=$fail libclntsh libnnz${oracle_version} else sql_oracle_ldflags=${sql_oracle_ldflags} $ORACLE_LIBS AC_MSG_RESULT(yes) Message original Date: Wed, 15 Dec 2010 07:54:38 +0100 From: freeradius-users-bounces+alexandre.chapellon=mana...@lists.freeradius.org (on behalf of Alan DeKok al...@deployingradius.com) Subject: Re: Freeradius/Oracle compilation To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Alexandre Chapellon wrote: Hello I didn't have even a comment about this. Is there something stupid in the proposed patch? I've been busy. Off of the top of my head: - requiring a new option to configure isn't friendly. - the whole *point* of configure is to have the computer just figure it out - leave the old code there, it works for many people - add *new* code, which is run only if the old code doesn't find the libraries - don't force the user to choose an oracle version. - you can write a
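Review bot: the candidate list in the first hunk (`for oracle_version in 10 11 9`) is hard-coded and tried in a non-monotonic order, so a host with both libnnz10 and libnnz11 installed links against libnnz10 even though an 11g client is present; order it newest-first (`11 10 9`) or derive the list from the `libnnz*` files actually present under `$oracle_lib_dir`, and, as the quoted reply asks, keep the existing single-library check as the first attempt and only enter the loop when it fails.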
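Review bot: in the second hunk the warning branch appends `libnnz${oracle_version}` to `$fail`, but when the loop finishes without a `break` that variable holds the last value tried, so the "oracle libraries not found" message names only libnnz9 and hides that libnnz10 and libnnz11 were also tried; either spell out the whole candidate set in the message (e.g. `fail=$fail libclntsh libnnz10/libnnz11/libnnz9`) or save the list in its own variable before the loop and report that.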
Re: FreeRADIUS - no service!
Hi,

>> There were no network changes before and during the RADIUS outage (no firewall). The DBA guys say that Oracle is OK, and no significant issues were placed on record according to the Oracle logs.
>
> Then do a simple test. When radius says it can't reconnect, connect manually from the radius server with sqlplus (or whatever you're familiar with) using the same user/password that you use for radius.

..and first rule of networking - never believe what another team says about their server - especially DBA people ;-)

alan
query
Hi,

I have downloaded the free radius server and successfully installed it on a linux machine. Can you please tell me whether this implementation supports the US-ASCII to UTF-8 conversion, as you are saying this is compliant to RFC 2865?

thanks and regards,
karnik jain
Proxying CoA
Hello,

I'm trying to figure out how to proxy CoA packets. I have read through a similar thread on this list ( http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-July/msg00335.html ), but somehow I cannot get it to work.

My setup is the following. In my proxy.conf:

    home_server nas_coa {
        type = coa
        ipaddr = 10.0.0.2
        port = 3799
        coa {
            irt = 2
            mrt = 16
            mrc = 5
            mrd = 30
        }
        secret = testing123
    }

    home_server_pool to_coa_nas {
        home_server = nas_coa
    }

I have updated the sites-enabled/coa to look as below:

    listen {
        type = coa
        ipaddr = *
        port = 3799
        server = coa
    }

    server coa {
        recv-coa {
            update control {
                Home-Server-Pool := to_coa_nas
            }
        }
        send-coa {
            # Sample module.
            ok
        }
    }

When I'm sending a Disconnect packet, I get the following:

    Wed Dec 15 12:06:41 2010 : Info: Ready to process requests.
    rad_recv: Disconnect-Request packet from host 127.0.0.1 port 56343, id=51, length=50
        Framed-IP-Address = 91.83.148.2
        Acct-Session-Id = D94F82E3300682B3
        NAS-IP-Address = 10.0.0.2
    Wed Dec 15 12:06:43 2010 : Info: server coa {
    Wed Dec 15 12:06:43 2010 : Info: # Executing section recv-coa from file /Users/tripy/Devel/test-servers/freeradius-2.1.10/etc/raddb.proxy/sites-enabled/coa
    Wed Dec 15 12:06:43 2010 : Info: +- entering group recv-coa {...}
    Wed Dec 15 12:06:43 2010 : Info: ++[control] returns noop
    Wed Dec 15 12:06:43 2010 : Info: # Executing section send-coa from file /Users/tripy/Devel/test-servers/freeradius-2.1.10/etc/raddb.proxy/sites-enabled/coa
    Wed Dec 15 12:06:43 2010 : Info: +- entering group send-coa {...}
    Wed Dec 15 12:06:43 2010 : Info: ++[ok] returns ok
    Wed Dec 15 12:06:43 2010 : Info: } # server coa
    Sending Disconnect-ACK of id 51 to 127.0.0.1 port 56343

Clearly I am missing something obvious, but I cannot find what it is. Any idea?

Thanks,
tripy
Re: FreeRADIUS - no service!
Alan, please clarify some things:

1)
> in the accounting {} section of your server, instead of just calling SQL, wrapper it:
> if (Acct-Session-Time != 0) { sql } else { ok }

Where can I put this wrapper, in sql.conf or in some source file, and after that must the server be recompiled?

2)
> tcpdump of your DB connection, and in the other, run radiusd -X

So I need to run two terminal windows with these commands running in them during the problem? Tcpdump... you mean tcpdump traffic with a source of RADIUS and a destination of the Oracle DB?

3)
> you are sending a packet with the same details - constraint violation.

What do you mean?

Sorry for the newbie questions. Thanks in advance!

p.s. Yes, you are right, the RADIUS client is a Cisco PDSN.
Re: FreeRADIUS - no service!
Hi,

> Alan, please clarify some things:
>
> 1)
>> in the accounting {} section of your server, instead of just calling SQL, wrapper it:
>> if (Acct-Session-Time != 0) { sql } else { ok }
>
> Where can I put this wrapper, in sql.conf or in some source file, and after that must the server be recompiled?

read what I wrote again - pay particular attention to the bit straight after the 1) part

place it in the accounting {} section where SQL is called in your virtual server

> 2)
>> tcpdump of your DB connection, and in the other, run radiusd -X
>
> So I need to run two terminal windows with these commands running in them during the problem? Tcpdump... you mean tcpdump traffic with a source of RADIUS and a destination of the Oracle DB?

yes and yes

> 3)
>> you are sending a packet with the same details - constraint violation.
>
> What do you mean?

databases, particularly relational ones, have unique keys in each index entry so that they can be linked/searched/operated on. if you try inserting a new entry with the same key as an existing entry, then it's doomed to failure.

> p.s. Yes, you are right, the RADIUS client is a Cisco PDSN.

yes, we have cisco kit and it spews out such packets too

alan
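Alan's two points, the `if (Acct-Session-Time != 0) { sql } else { ok }` wrapper and the unique-key collision, can be seen together in a small simulation. The script below is an added example, not FreeRADIUS or rlm_sql code: it models the accounting section with an in-memory SQLite table whose unique index on (Acct-Session-Id, NAS-IP-Address) is a constructed stand-in for the site's Oracle ACCT_IDX1, drops zero-length Stop packets before they reach the database, and catches the duplicate-key error instead of letting it fail the request. The session ids and timestamps in the packets are made up; the user name and NAS address are the ones from the log.

```python
"""Simulate the accounting-section logic from the thread: a Stop packet with
Acct-Session-Time = 0 is answered 'ok' without touching SQL (the unlang wrapper
if (Acct-Session-Time != 0) { sql } else { ok }), and a second insert with an
existing key is caught rather than failing the request. Added example; the
in-memory SQLite table and its unique index are a constructed stand-in for the
site's Oracle accounting table and ACCT_IDX1 index, not FreeRADIUS code."""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    acctsessionid   TEXT NOT NULL,
    nasipaddress    TEXT NOT NULL,
    username        TEXT,
    acctstarttime   TEXT,
    acctstoptime    TEXT,
    acctsessiontime INTEGER
);
CREATE UNIQUE INDEX acct_idx1 ON radacct (acctsessionid, nasipaddress);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def handle_accounting(conn, pkt):
    """Return 'dropped', 'inserted', 'duplicate', 'updated' or 'unknown' for one packet."""
    status = pkt.get("Acct-Status-Type")
    key = (pkt["Acct-Session-Id"], pkt["NAS-IP-Address"])
    session_time = int(pkt.get("Acct-Session-Time", 0))

    # The wrapper's else-branch: zero-length Stop packets never reach the database.
    if status == "Stop" and session_time == 0:
        return "dropped"

    if status == "Start":
        try:
            with conn:
                conn.execute(
                    "INSERT INTO radacct (acctsessionid, nasipaddress, username, acctstarttime)"
                    " VALUES (?, ?, ?, ?)",
                    key + (pkt.get("User-Name"), pkt.get("Event-Timestamp")),
                )
        except sqlite3.IntegrityError:
            # Same Acct-Session-Id from the same NAS is already stored: the NAS resent
            # the Start, which is what the ORA-1 on ACCT_IDX1 in the log reported.
            return "duplicate"
        return "inserted"

    if status == "Stop":
        with conn:
            cur = conn.execute(
                "UPDATE radacct SET acctstoptime = ?, acctsessiontime = ?"
                " WHERE acctsessionid = ? AND nasipaddress = ? AND acctstoptime IS NULL",
                (pkt.get("Event-Timestamp"), session_time) + key,
            )
        return "updated" if cur.rowcount == 1 else "unknown"

    return "unknown"


def run(packets):
    """Feed a sequence of accounting packets through handle_accounting() on a fresh table."""
    conn = open_db()
    return [handle_accounting(conn, p) for p in packets]


# Constructed packets: user and NAS from the thread, session ids and times made up.
NAS = "10.115.66.5"
PACKETS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "SESS0001", "NAS-IP-Address": NAS,
     "User-Name": "mobile", "Event-Timestamp": "2010-12-13 19:20:00"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "SESS0001", "NAS-IP-Address": NAS,
     "User-Name": "mobile", "Event-Timestamp": "2010-12-13 19:20:00"},   # NAS retransmit
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "SESS0001", "NAS-IP-Address": NAS,
     "User-Name": "mobile", "Acct-Session-Time": 0},                     # dodgy Stop
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "SESS0001", "NAS-IP-Address": NAS,
     "User-Name": "mobile", "Acct-Session-Time": 312, "Event-Timestamp": "2010-12-13 19:25:12"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "SESS0002", "NAS-IP-Address": NAS,
     "User-Name": "mobile", "Acct-Session-Time": 5},                     # never started
]

if __name__ == "__main__":
    for pkt, result in zip(PACKETS, run(PACKETS)):
        print(pkt["Acct-Status-Type"], pkt["Acct-Session-Id"],
              "t=%s" % pkt.get("Acct-Session-Time", "-"), "->", result)
```

The fourth packet shows why the wrapper is the right place for the guard: once the zero-length Stop is answered `ok` in unlang, the real Stop that follows still closes the row normally.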
Re: query
karnik jain wrote:
> Hi, I have downloaded the free radius server and successfully installed it on a linux machine. Can you please tell me whether this implementation supports the US-ASCII to UTF-8 conversion

They are compatible. No conversion is required.

> as you are saying this is compliant to RFC 2865 ?

Yes.

Alan DeKok
RE: FreeRADIUS - no service!
Ok, thanks for the explanation. The RADIUS version is 1.1.0

In the accounting section of the radiusd.conf we have:

    accounting {
        #detail
        #acct_unique
        #
        # Vladikavkaz OSE
        Acct-Type OSE {
            acct_unique
            group {
                sqlacct {
                    fail = 1
                    # ok = return
                }
                OSE {
                    fail = 1
                    ok = return
                }
            }
            # sql_log
        }
        # and so on analogous to these constructions with as a delimiter ...
    }

So, no sql mentioned... I'm sorry, but it's unclear to me where to put the wrapper.

Alexander
Re: query
Hello Sir,

Thank you so much for spending your valuable time on the reply.

As per my understanding of RFC 2865, it is clearly written in section 5.0 of RFC 2865 that "text 1-253 octets containing UTF-8 encoded 10646 [7] characters. Text of length zero (0) MUST NOT be sent; omit the entire attribute instead."

So, it has to be converted into UTF-8 as per RFC 3629 - UTF-8, a transformation format of ISO 10646 at the time of sending the ACCESS REQUEST packet to the RADIUS server by the NAS, and likewise it has to be decoded by the NAS when it is received from the server in the ACCESS ACCEPT packet. If they were compatible with each other, what would be the need of including the above statement in RFC 2865 so clearly?

Sir, I am totally confused by your statement that "there is no need of conversion as it is compatible". I have searched a lot regarding this and I am not able to find any such thing as said by you. I was also able to find one open source library named iconv which can do this encoding and decoding task.

Can you please tell me where I can find the information regarding US-ASCII / UTF-8 compatibility as per your reply, or any RFC number if it is known to you?

Looking forward to your positive reply at your earliest,

- Karnik Jain

On Wed, Dec 15, 2010 at 7:52 PM, Alan DeKok al...@deployingradius.com wrote:
> karnik jain wrote:
>> Hi, I have downloaded the free radius server and successfully installed it on a linux machine. Can you please tell me whether this implementation supports the US-ASCII to UTF-8 conversion
>
> They are compatible. No conversion is required.
>
>> as you are saying this is compliant to RFC 2865 ?
>
> Yes.
>
> Alan DeKok
Re: query
Hello,

Thank you so much for spending your valuable time on the reply.

As per my understanding of RFC 2865, it is clearly written in section 5.0 of RFC 2865 that "text 1-253 octets containing UTF-8 encoded 10646 [7] characters. Text of length zero (0) MUST NOT be sent; omit the entire attribute instead."

So, it has to be converted into UTF-8 as per RFC 3629 - UTF-8, a transformation format of ISO 10646 at the time of sending the ACCESS REQUEST packet to the RADIUS server by the NAS, and likewise it has to be decoded by the NAS when it is received from the server in the ACCESS ACCEPT packet. If they were compatible with each other, what would be the need of including the above statement in RFC 2865 so clearly? Correct me if my understanding is wrong.

Sir, I am totally confused by your statement that "there is no need of conversion as it is compatible". I have searched a lot regarding this and I am not able to find any such thing as said by you. I was also able to find one open source library named iconv which can do this encoding and decoding task.

Can you please tell me where I can find the information regarding US-ASCII / UTF-8 compatibility as per your reply, or any RFC number if it is known to you?

Looking forward to your positive reply at your earliest,

- Karnik Jain

On Wed, Dec 15, 2010 at 7:52 PM, Alan DeKok al...@deployingradius.com wrote:
> karnik jain wrote:
>> Hi, I have downloaded the free radius server and successfully installed it on a linux machine. Can you please tell me whether this implementation supports the US-ASCII to UTF-8 conversion
>
> They are compatible. No conversion is required.
>
>> as you are saying this is compliant to RFC 2865 ?
>
> Yes.
>
> Alan DeKok
Re: query
On 12/15/2010 10:00 AM, karnik jain wrote:
> Hello Sir,
>
> Thank you so much for spending your valuable time on the reply.
>
> As per my understanding of RFC 2865, it is clearly written in section 5.0 of RFC 2865 that "text 1-253 octets containing UTF-8 encoded 10646 [7] characters. Text of length zero (0) MUST NOT be sent; omit the entire attribute instead."
>
> So, it has to be converted into UTF-8 as per RFC 3629 - UTF-8, a transformation format of ISO 10646 at the time of sending the ACCESS REQUEST packet to the RADIUS server by the NAS, and likewise it has to be decoded by the NAS when it is received from the server in the ACCESS ACCEPT packet. If they were compatible with each other, what would be the need of including the above statement in RFC 2865 so clearly?
>
> Sir, I am totally confused by your statement that "there is no need of conversion as it is compatible". I have searched a lot regarding this and I am not able to find any such thing as said by you. I was also able to find one open source library named iconv which can do this encoding and decoding task.
>
> Can you please tell me where I can find the information regarding US-ASCII / UTF-8 compatibility as per your reply, or any RFC number if it is known to you?

ASCII is a proper subset of UTF-8. No conversion is necessary, ASCII is UTF-8 by definition. If you read the relevant RFC's you would know this, it's not hard to find this information thus it's left as an exercise to the reader :-)

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: query
karnik jain wrote:
> As per my understanding of RFC 2865, it is clearly written in section 5.0 of RFC 2865 that "text 1-253 octets containing UTF-8 encoded 10646 [7] characters. Text of length zero (0) MUST NOT be sent; omit the entire attribute instead."
>
> So, it has to be converted into UTF-8

No. 7 bit US-ASCII is a subset of UTF-8.

> If they were compatible with each other, what would be the need of including the above statement in RFC 2865 so clearly? Correct me if my understanding is wrong.

The statement is required for international text. i.e. non US-ASCII.

> Can you please tell me where I can find the information regarding US-ASCII / UTF-8 compatibility as per your reply, or any RFC number if it is known to you?

Read the UTF-8 RFC. This is all documented elsewhere, and is not part of FreeRADIUS.

Alan DeKok.
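The two replies above (7-bit US-ASCII is a subset of UTF-8; the UTF-8 wording in RFC 2865 section 5 exists for non-ASCII text) can be checked directly against the wire format. The snippet below is an added example, not FreeRADIUS code: it builds and parses a RADIUS "text" attribute as Type/Length/Value octets, enforces the 1-253 octet and non-empty rules from section 5, and shows that an ASCII user name produces exactly the octets a 7-bit sender would have put on the wire, while a Cyrillic one is where UTF-8 encoding actually does something. Attribute type 1 is User-Name per RFC 2865 section 5.1; the sample names are constructed.

```python
"""Build and check a RADIUS 'text' attribute as RFC 2865 section 5 describes it:
1-253 octets of UTF-8, zero-length values never sent. Added example, not
FreeRADIUS code. Shows that US-ASCII input is already valid UTF-8 (nothing to
convert), while non-ASCII text is what the UTF-8 wording in the RFC is for."""

USER_NAME = 1          # RFC 2865 section 5.1: attribute type of User-Name
MAX_TEXT_OCTETS = 253  # RFC 2865 section 5: text values are 1-253 octets


def encode_text_attribute(attr_type, text):
    """Return the Type/Length/Value octets of a 'text' attribute."""
    value = text.encode("utf-8")
    if not 1 <= len(value) <= MAX_TEXT_OCTETS:
        # Zero-length text MUST NOT be sent, and the Length octet caps the value.
        raise ValueError(f"text attribute must be 1-{MAX_TEXT_OCTETS} octets, got {len(value)}")
    # Length covers the Type and Length octets as well as the value.
    return bytes([attr_type, len(value) + 2]) + value


def decode_text_attribute(raw):
    """Parse a TLV back into (type, text); reject bad lengths and non-UTF-8 octets."""
    if len(raw) < 3 or raw[1] != len(raw):
        raise ValueError("attribute Length does not match the octets received")
    # Default 'strict' decoding raises UnicodeDecodeError on malformed sequences,
    # which is a subclass of ValueError.
    return raw[0], raw[2:].decode("utf-8")


def needs_conversion(text):
    """True only when the UTF-8 octets differ from what a 7-bit ASCII sender would emit."""
    try:
        return text.encode("ascii") != text.encode("utf-8")
    except UnicodeEncodeError:
        # Not representable in ASCII at all: the NAS has to produce UTF-8 here.
        return True


def is_rejected(fn, *args):
    """True when fn(*args) raises ValueError (used to show the section 5 checks fire)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names: the ASCII one from the log, a Cyrillic one for contrast.
    for name in ("mobile", "Чурсин"):
        tlv = encode_text_attribute(USER_NAME, name)
        print(f"{name!r}: {len(name)} chars -> {tlv[1] - 2} octets, "
              f"conversion needed: {needs_conversion(name)}, wire: {tlv.hex()}")
    print("empty value rejected:", is_rejected(encode_text_attribute, USER_NAME, ""))
    print("bad UTF-8 rejected:", is_rejected(decode_text_attribute, b"\x01\x04\xff\xfe"))
```

`needs_conversion("mobile")` is False because the ASCII and UTF-8 encodings are the same six octets; the Cyrillic name occupies twelve octets for six characters, which is also why the 253-octet limit is counted in octets rather than characters.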
Re: wifi ip allocation
Thank you Alexandre for your analysis and more precision on your thread! It is very helpful and appreciated!!
mysql huntgroups Access-Reject
Greetings from Texas.

I'm setting up freeradius to authenticate/authorize network engineers to log into cisco and juniper devices. Some devices we share with other organizations. I need to be able to allow some engineers access to some devices and not others. I'm running on redhat with Mysql as the backend. I'll be writing a web front end to manage our radius server(s) once I get a working configuration for our situation.

I have freeradius 2.1.7. That's the rpm for redhat 5.4.

I have radcheck and radreply working (username and password checking). I have radusergroup, radgroupcheck, radgroupreply working if I populate the huntgroups flat file with appropriate information. I can set shell:privs on ciscos for a specific user based on group membership via radgroupreply.

As I understand it, if I move huntgroups out of the flat file (preprocess) and into mysql, I lose the ability to send an Access-Reject based on huntgroups. Is that correct?

Thanks,
Gene Titus
The Office of Telecommunication Services
The University of Texas at Austin
Re: FreeRADIUS - no service!
1.1.0 ? And this is your ONLY problem? At least upgrade to 1.1.8 - but if you want my help you'll need to be running the current release 2.1.x train

Alan

----- Reply message -----
From: Александр Чурсин achursi...@gmail.com
Date: Wed, Dec 15, 2010 14:29
Subject: FreeRADIUS - no service!
To: freeradius-users@lists.freeradius.org

> Ok, thanks for the explanation. The RADIUS version is 1.1.0
>
> In the accounting section of the radiusd.conf we have:
>
>     accounting {
>         #detail
>         #acct_unique
>         #
>         # Vladikavkaz OSE
>         Acct-Type OSE {
>             acct_unique
>             group {
>                 sqlacct {
>                     fail = 1
>                     # ok = return
>                 }
>                 OSE {
>                     fail = 1
>                     ok = return
>                 }
>             }
>             # sql_log
>         }
>         # and so on analogous to these constructions with as a delimiter ...
>     }
>
> So, no sql mentioned... I'm sorry, but it's unclear to me where to put the wrapper.
>
> Alexander
RE: FreeRADIUS - no service!
To be fair, the fact that he is able to get along running such an ancient release of FreeRADIUS is a testament to the quality of the software...however it is dangerous to run antiquated versions of well known software, the security implications are horrendous.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Wednesday, December 15, 2010 11:37 AM
To: achursi...@gmail.com; freeradius-users@lists.freeradius.org
Subject: Re: FreeRADIUS - no service!

> 1.1.0 ? And this is your ONLY problem? At least upgrade to 1.1.8 - but if you want my help you'll need to be running the current release 2.1.x train
>
> Alan
>
> ----- Reply message -----
> From: Александр Чурсин achursi...@gmail.com
> Date: Wed, Dec 15, 2010 14:29
> Subject: FreeRADIUS - no service!
> To: freeradius-users@lists.freeradius.org
>
>> Ok, thanks for the explanation. The RADIUS version is 1.1.0
>>
>> In the accounting section of the radiusd.conf we have:
>>
>>     accounting {
>>         #detail
>>         #acct_unique
>>         #
>>         # Vladikavkaz OSE
>>         Acct-Type OSE {
>>             acct_unique
>>             group {
>>                 sqlacct {
>>                     fail = 1
>>                     # ok = return
>>                 }
>>                 OSE {
>>                     fail = 1
>>                     ok = return
>>                 }
>>             }
>>             # sql_log
>>         }
>>         # and so on analogous to these constructions with as a delimiter ...
>>     }
>>
>> So, no sql mentioned... I'm sorry, but it's unclear to me where to put the wrapper.
>>
>> Alexander
RE: Reals Based Upon Port
So I am still a bit confused by this (I'm just now getting back to this issue). So I have the following setup:

- Radiusd Server
  -- 2 home_servers listening on 1812 and 1813
  -- 2 home_servers listening on 1815 and 1816

In my proxy.conf I have the following:

    proxy server {
        default_fallback = no
    }

    home_server server01 {
        type = auth+acct
        ipaddr = server01
        port = 1812,1813
        secret = s3cret
        require_message_authenticator = no
        response_window = 20
        zombie_period = 10
        status_check = request
        username = t...@test.com
        password = s3cret
        check_interval = 5
        num_answers_to_alive = 3
    }

    home_server server02 {
        type = auth+acct
        ipaddr = server02
        port = 1812,1813
        secret = s3cret
        require_message_authenticator = no
        response_window = 20
        zombie_period = 10
        status_check = request
        username = t...@test.com
        password = s3cret
        check_interval = 5
        num_answers_to_alive = 3
    }

    home_server_pool server-balance {
        type = load-balance
        home_server = server01
        home_server = server02
    }

    realm DEFAULT {
        pool = server-balance
        nostrip
    }

I'm pretty clear on how I would add a new home_server_pool called, say, alt-server-balance with the other two home_servers defined which listen on 1815,1816. The part I am confused about is how to define the new realm: since I'm using DEFAULT to send all traffic to server-balance, how do I define a new realm which will accept traffic on 1815,1816 and send it to alt-server-balance? I hope that makes sense.

Thanks,
Brian Carpio

-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org [mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, August 18, 2010 7:09 PM
To: FreeRadius users mailing list
Subject: Re: Reals Based Upon Port

Brian Carpio wrote:
> Currently I am using freeradius2-2.1.8-2 to load balance radius traffic between two hosts, I have a single realm DEFAULT setup which proxies the radius traffic between the two servers and that works great, however now I have an unusual need to proxy auth/acct radius traffic to non standard ports and I'm unsure how (or even if it's even possible) to setup a new realm which is based on destination port for instance.

Read raddb/proxy.conf. Look for port. This is documented.

> - NOTE: Traffic coming into freeradius on 1815/1816 will be sent to this Alt realm...

Set up a virtual server to handle requests sent to those ports. See raddb/sites-available/README

> I am just wondering if this is possible. Or if I would need to setup another instance of freeradius with its own configuration to do this alternative ports setup.

No.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
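One way to do what Alan describes, as an added example that is not part of the thread or of the shipped configuration: a second virtual server bound to the alternate ports forces every request it receives into a separate realm, and only that realm points at the alternate pool. The -alt home server names, the pool name alt-server-balance, the realm name alt and the virtual server name alt-ports are assumptions. With type = auth+acct, the 2.x proxy code uses port for authentication and port + 1 for accounting, so a single port = 1815 covers 1815/1816.

```conf
# Added example for FreeRADIUS 2.1.x; names ending in -alt, the pool
# "alt-server-balance", the realm "alt" and the server "alt-ports" are
# assumptions.

# --- proxy.conf additions ---------------------------------------------
home_server server01-alt {
    type = auth+acct
    ipaddr = server01
    port = 1815             # auth on 1815, acct on 1816 (port + 1)
    secret = s3cret
    response_window = 20
    zombie_period = 10
    # status_check and friends as in the existing server01 entry
}

home_server server02-alt {
    type = auth+acct
    ipaddr = server02
    port = 1815
    secret = s3cret
    response_window = 20
    zombie_period = 10
}

home_server_pool alt-server-balance {
    type = load-balance
    home_server = server01-alt
    home_server = server02-alt
}

# Nothing in a User-Name will ever match this realm; it is reached only
# through Proxy-To-Realm below, so the DEFAULT realm keeps working for
# everything that arrives on 1812/1813.
realm alt {
    pool = alt-server-balance
    nostrip
}

# --- sites-enabled/alt-ports (new file, symlinked like the others) ----
# Each virtual server has its own sections, so requests that arrive on
# these sockets never pass through the authorize/preacct logic of
# sites-enabled/default and are never sent to server-balance.
server alt-ports {
    listen {
        type = auth
        ipaddr = *
        port = 1815
    }
    listen {
        type = acct
        ipaddr = *
        port = 1816
    }

    authorize {
        update control {
            Proxy-To-Realm := "alt"
        }
    }

    preacct {
        update control {
            Proxy-To-Realm := "alt"
        }
    }

    # No authenticate or accounting section is needed: once
    # Proxy-To-Realm is set, the request is proxied after
    # authorize (auth) or preacct (acct).
}
```

The NAS-side shared secret for the new sockets still comes from clients.conf, which is global, so the clients allowed to talk to 1815/1816 are the same ones allowed on 1812/1813 unless a clients block is placed inside the virtual server.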
RE: FreeRADIUS - no service!
Honestly, and as you have already understood, the system is an inheritance from the previous system administrator. Now we are trying to fix some current issues on it... OK, I see the best way is an upgrade to a later version. But what about the Oracle database? How can we make an upgrade while preserving the current DB and settings? What version do you recommend, guys? Alexander - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP/EAP-GTC proxy?
OK, upgraded to 2.1.10 as suggested. Thanks. However, I have a different issue now -- it seems that the passcode is not being proxied over to the home server. I only see a username, NAS IP address and proxy state being proxied in the Access-Request packet, but no User-Password. I also get a segmentation fault after the authentication is rejected. Thanks for the help. Here's the debug output:

    [r...@mackeral-dev raddb]# /usr/sbin/radiusd -X
    FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Dec 15 2010 at 09:27:40
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/raddb/radiusd.conf
    including configuration file /etc/raddb/proxy.conf
    including configuration file /etc/raddb/clients.conf
    including files in directory /etc/raddb/modules/
    including configuration file /etc/raddb/modules/digest
    including configuration file /etc/raddb/modules/ippool
    including configuration file /etc/raddb/modules/echo
    including configuration file /etc/raddb/modules/detail.example.com
    including configuration file /etc/raddb/modules/passwd
    including configuration file /etc/raddb/modules/pap
    including configuration file /etc/raddb/modules/exec
    including configuration file /etc/raddb/modules/logintime
    including configuration file /etc/raddb/modules/mac2ip
    including configuration file /etc/raddb/modules/counter
    including configuration file /etc/raddb/modules/always
    including configuration file /etc/raddb/modules/mac2vlan
    including configuration file /etc/raddb/modules/attr_filter
    including configuration file /etc/raddb/modules/pam
    including configuration file /etc/raddb/modules/attr_rewrite
    including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
    including configuration file /etc/raddb/modules/cui
    including configuration file /etc/raddb/modules/sql_log
    including configuration file /etc/raddb/modules/inner-eap
    including configuration file /etc/raddb/modules/dynamic_clients
    including configuration file /etc/raddb/modules/sradutmp
    including configuration file /etc/raddb/modules/mschap
    including configuration file /etc/raddb/modules/perl
    including configuration file /etc/raddb/modules/expr
    including configuration file /etc/raddb/modules/files
    including configuration file /etc/raddb/modules/chap
    including configuration file /etc/raddb/modules/radutmp
    including configuration file /etc/raddb/modules/etc_group
    including configuration file /etc/raddb/modules/realm
    including configuration file /etc/raddb/modules/smsotp
    including configuration file /etc/raddb/modules/ntlm_auth
    including configuration file /etc/raddb/modules/preprocess
    including configuration file /etc/raddb/modules/expiration
    including configuration file /etc/raddb/modules/checkval
    including configuration file /etc/raddb/modules/detail.log
    including configuration file /etc/raddb/modules/linelog
    including configuration file /etc/raddb/modules/smbpasswd
    including configuration file /etc/raddb/modules/unix
    including configuration file /etc/raddb/modules/detail
    including configuration file /etc/raddb/modules/wimax
    including configuration file /etc/raddb/modules/otp
    including configuration file /etc/raddb/modules/acct_unique
    including configuration file /etc/raddb/modules/policy
    including configuration file /etc/raddb/modules/opendirectory
    including configuration file /etc/raddb/eap.conf
    including configuration file /etc/raddb/policy.conf
    including files in directory /etc/raddb/sites-enabled/
    including configuration file /etc/raddb/sites-enabled/control-socket
    including configuration file /etc/raddb/sites-enabled/default
    including configuration file /etc/raddb/sites-enabled/inner-tunnel
    including configuration file /etc/raddb/sites-enabled/proxy-inner-tunnel
    main {
        user = radiusd
        group = radiusd
        allow_core_dumps = no
    }
    including dictionary file /etc/raddb/dictionary
    main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/radius
        libdir = /usr/lib64/freeradius
        radacctdir = /var/log/radius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = /var/run/radiusd/radiusd.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
        log {
            stripped_names = no
            auth = no
            auth_badpass = no
            auth_goodpass = no
        }
        security {
            max_attributes = 200
            reject_delay = 1
            status_server = yes
        }
    }
    radiusd: Loading Realms and Home Servers
    proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
    }
    home_server meddle {
        ipaddr =
Password oddity
Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate to our back end LDAP server (eDirectory) w/o problem. However, when we enabled Radius authentication on two separate Wireless access points (Linksys WRT54 and DLink WBR 1310), they both fail authentication because the password they pass (or how FreeRadius interprets the password) changes one letter of the password. For example, we set up a radtest user with a password of radtest. FreeRadius server in debug shows the request come in but passes a password value of aadtest. So, as a test we changed the password to aadtest for the radtest user. The password then came across as badtest. So, we thought we'd change the password to cadtest to see what would happen. Now the password was sent/received as aadtest again. Using NTRadPing utility, we see the request come in, get processed and then login... Running FreeRadius 1.1.0 as this is the version that Novell supports. Please don't yell at me on this. Their documentation is based on this version and not the latest version... Has anyone seen this behavior before and if so, know how to fix it? TIA!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3307174.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Password oddity
Someone will for SURE yell at you for using something that old. Or, they'll just ignore you. That is a weird a$$ problem for sure! Why can't you upgrade? At LEAST to the latest 1.x version?

-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of discgolfer72
Sent: Wednesday, December 15, 2010 5:36 PM
To: freeradius-users@lists.freeradius.org
Subject: Password oddity

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Password oddity
I guess that would be my next step. Anyone else out there seen this particular issue? -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3307212.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Password oddity
Where do you play disc golf?

-Original Message-
From: freeradius-users-bounces+jtabasz=cisco@lists.freeradius.org [mailto:freeradius-users-bounces+jtabasz=cisco@lists.freeradius.org] On Behalf Of discgolfer72
Sent: Wednesday, December 15, 2010 3:36 PM
To: freeradius-users@lists.freeradius.org
Subject: Password oddity

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Password oddity
Mainly Tennessee. You?

Sent via DROID on Verizon Wireless

-Original message-
From: John Tabasz (jtabasz) jtab...@cisco.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thu, Dec 16, 2010 00:12:43 GMT+00:00
Subject: RE: Password oddity

> Where do you play disc golf?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Password oddity
Nice. I have switched to basketball for the time being, but DeLaveaga is my home course in Santa Cruz CA. Love it.

From: freeradius-users-bounces+jtabasz=cisco@lists.freeradius.org [mailto:freeradius-users-bounces+jtabasz=cisco@lists.freeradius.org] On Behalf Of Ben Lewis
Sent: Wednesday, December 15, 2010 4:19 PM
To: FreeRadius users mailing list
Subject: RE: Password oddity

> Mainly Tennessee. You?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
multiple usergroups failing; freeradius 2.1.10 + Cisco-AVPairs
Hi,

During a rebuild of our Radius servers from an old freeradius 1.x install to 2.1.10, we've lost the ability to push multiple usergroups to our Cisco LNS:

MySQL:

    radcheck:
    id      UserName    Attribute  op  Value
    9791    t...@realm  Password   :=  {clear}somepass

    radgroupreply:
    id      GroupName    Attribute     op  Value
    161     VRF-TEST     Cisco-AVPair  +=  ip:vrf-id=TEST
    162     VRF-TEST     Cisco-AVPair  +=  ip:ip-unnumbered=loopback25
    2211    QOS-PROFILE  Cisco-AVPair  +=  ip:sub-qos-policy-out=TEST-QOS-PROFILE

    radreply:
    id      UserName    Attribute          op  Value
    124561  t...@realm  Framed-IP-Netmask  =   255.255.255.255
    124571  t...@realm  Framed-IP-Address  =   1.1.1.1

    usergroup:
    UserName    GroupName    priority
    t...@realm  VRF-TEST     1
    t...@realm  QOS-PROFILE  2

Debugging Radius on the Cisco shows (amongst other things):

    RADIUS:  Vendor, Cisco       [26]  21
    RADIUS:   Cisco AVpair       [1]   15  ip:vrf-id=TEST
    RADIUS:  Vendor, Cisco       [26]  35
    RADIUS:   Cisco AVpair       [1]   29  ip:ip-unnumbered=loopback25

If you set QOS-PROFILE to priority 0, for example, it will then only pick up the QOS-PROFILE usergroup, not both. Setting both usergroups to the same priority yields the same result: only applying the first, never both.

To rule out the Cisco, I've performed a tcpdump on the Radius server itself; I can only see freeradius sending one usergroup in the Access-Accept response.

This is also a fresh freeradius install via FreeBSD ports; no configuration was carried over from the previous install except for the MySQL DB credentials.

Thoughts?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: multiple usergroups failing; freeradius 2.1.10 + Cisco-AVPairs
SQL log attached:

    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 't...@realm' ORDER BY id
    rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 't...@realm' ORDER BY id
    rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 't...@realm' ORDER BY priority
    rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VRF-TEST' ORDER BY id
    rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'VRF-TEST' ORDER BY id
    rlm_sql (sql): Released sql socket id: 4

If I run the 3rd query manually, it does pick up the VRF-TEST and QOS-PROFILE usergroups; however, looking at the above groupcheck/groupreply query, it is only running it for the first instance. Bug perhaps in rlm_sql_mysql?

-Michael

On Thu, 16 Dec 2010 11:33:46 +1100, mich...@jarrett.id.au wrote:
> Hi, During a rebuild of our Radius servers from an old freeradius 1.x install to 2.1.10, we've lost the ability to push multiple usergroups to our Cisco LNS: [...]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
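The query trace above is what the 2.x sql module does by design: it walks the usergroup rows in priority order, applies the first group whose radgroupcheck items match, and then stops unless that group's reply items contain Fall-Through = Yes; the next group's radgroupcheck/radgroupreply queries are never issued. The fix is in the data, not in rlm_sql_mysql. As an added example (not from the post), the rows to add and a query to verify the order in which the server will now see the groups; 'user@realm' stands in for the post's partly redacted username, and the table and column names are the ones shown in the post's own trace.

```sql
-- Added example, not from the post. FreeRADIUS 2.x stops processing a
-- user's groups after the first one it applies unless that group's reply
-- items include Fall-Through = Yes. Every group except the last in
-- priority order needs it; putting it on the last one as well is harmless.
-- 'user@realm' is a placeholder for the post's username.
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('VRF-TEST', 'Fall-Through', '=', 'Yes');

-- Verify what the server will walk, in the order it walks it:
-- usergroup is read ORDER BY priority, each group's reply ORDER BY id.
-- Expected: priority 1 rows for VRF-TEST (two Cisco-AVPair rows and the
-- new Fall-Through row), then the priority 2 row for QOS-PROFILE.
SELECT ug.priority, ug.groupname, gr.id, gr.attribute, gr.op, gr.value
FROM   usergroup     ug
JOIN   radgroupreply gr ON gr.groupname = ug.groupname
WHERE  ug.username = 'user@realm'
ORDER  BY ug.priority, gr.id;
```

After the INSERT, a radiusd -X run should show the radgroupcheck and radgroupreply queries for QOS-PROFILE following the ones for VRF-TEST, and the Access-Accept should carry all three Cisco-AVPair values. The "priority 0" observation in the post is the same rule seen from the other side: QOS-PROFILE becomes the first group, is applied, and processing stops there.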