FreeRADIUS - no service!

2010-12-15 Thread Александр Чурсин
Hi to all!

We have an issue with a FreeRADIUS server (FreeRADIUS server and
Oracle Database).  Sometimes it fails and stops processing the AAA
requests (only a complete server reboot helps)!
Here is the log output during the time of a failed situation:

[r...@aaa0 ~]# tailf /usr/local/var/log/radius/radius.log
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed:
'rlm_sql_oracle: no connection to db'
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting:
stop packet with zero session length. [user 'mobile', nas
'10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting:
stop packet with zero session length. [user 'mobile', nas
'10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: '(null)'
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Failed to connect
DB handle #7
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): reconnect failed,
database down?
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Couldn't insert
SQL accounting START record - rlm_sql_oracle: no connection to db
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting:
stop packet with zero session length. [user 'mobile', nas
'10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: execute query failed
in sql_query: ORA-1: unique constraint (RADIUS.ACCT_IDX1) violated
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed:
'rlm_sql_oracle: no connection to db'


[r...@aaa0 ~]#
[r...@aaa0 ~]# /etc/init.d/rc.radiusd restart
Starting FreeRADIUS:Mon Dec 13 20:09:51 2010 : Info: Starting -
reading configuration files ...
radiusd
[r...@aaa0 ~]# tailf /usr/local/var/log/radius/radius.log
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting:
stop packet with zero session length. [user 'mobile', nas
'10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: '(null)'
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Failed to connect
DB handle #7
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): reconnect failed,
database down?
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Couldn't insert
SQL accounting START record - rlm_sql_oracle: no connection to db
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting:
stop packet with zero session length. [user 'mobile', nas
'10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: execute query failed
in sql_query: ORA-1: unique constraint (RADIUS.ACCT_IDX1) violated
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed:
'rlm_sql_oracle: no connection to db'
Mon Dec 13 20:09:51 2010 : Info: Using deprecated naslist file.
Support for this will go away soon.
Mon Dec 13 20:09:51 2010 : Error: There appears to be another RADIUS
server running on the authentication port 1812

[r...@aaa0 ~]# reboot


Please advise what the reason for such behaviour of the RADIUS server
could be. Why does it lose its connection to the DB? How can we
troubleshoot the issue further?

Alexander
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
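The log excerpt above mixes four different failures (Oracle connection loss, zero-length Stop packets, a unique-index violation, and a stale radiusd still bound to port 1812), and the thread replies below untangle them one by one. As an added example (not part of the original post or of FreeRADIUS), here is a small Python triage script that parses radius.log lines in the format shown and groups them into those categories; the sample lines are the ones from the post, with the wrapped lines joined back together, and the category names and hints are this example's own:

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the radius.log excerpt from the post above, with the
# wrapped lines joined back together so each entry is one line.
SAMPLE_LOG = """\
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: 'rlm_sql_oracle: no connection to db'
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct) in sql_accounting: stop packet with zero session length. [user 'mobile', nas '10.115.66.5']
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed: '(null)'
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Failed to connect DB handle #7
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): reconnect failed, database down?
Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Couldn't insert SQL accounting START record - rlm_sql_oracle: no connection to db
Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-1: unique constraint (RADIUS.ACCT_IDX1) violated
Mon Dec 13 20:09:51 2010 : Info: Using deprecated naslist file.
Mon Dec 13 20:09:51 2010 : Error: There appears to be another RADIUS server running on the authentication port 1812
"""

# "Mon Dec 13 19:25:12 2010 : Error: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$"
)

# Most specific pattern first; the first rule that matches wins.
RULES = [
    ("port_in_use", re.compile(r"another RADIUS server running on .*port (\d+)")),
    ("constraint_violation", re.compile(r"unique constraint \(([\w.]+)\) violated")),
    ("zero_session_stop", re.compile(r"stop packet with zero session length.*nas '([\d.]+)'")),
    ("db_down", re.compile(r"no connection to db|Oracle logon failed|Failed to connect DB handle|reconnect failed")),
]

# Hints are this example's own wording of the advice given later in the thread.
HINTS = {
    "port_in_use": "a previous radiusd is still bound to the port: stop or kill it before restarting",
    "db_down": "rlm_sql lost its Oracle connection: test from the RADIUS host with the radius credentials",
    "zero_session_stop": "NAS sends Stop packets with zero session time: filter them before the sql module",
    "constraint_violation": "duplicate accounting rows hit the unique index: retransmits, dedup before insert",
}


def classify(msg):
    """Return (category, detail); detail is the captured group of the rule, if any."""
    for category, rx in RULES:
        m = rx.search(msg)
        if m:
            return category, (m.group(1) if m.groups() else None)
    return "other", None


def triage(text):
    """Parse a radius.log excerpt and summarise what went wrong and when."""
    counts = Counter()
    details = {}
    first = last = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation of a wrapped line, or not a log entry
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
        category, detail = classify(m.group("msg"))
        counts[category] += 1
        if detail:
            details.setdefault(category, set()).add(detail)
    hints = [HINTS[c] for c, _ in RULES if counts[c]]
    return {"counts": counts, "details": details, "first": first, "last": last, "hints": hints}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for category, n in report["counts"].most_common():
        print(f"{n:3d}  {category:22s} {sorted(report['details'].get(category, []))}")
    print("window:", report["first"], "->", report["last"])
    for hint in report["hints"]:
        print("hint:", hint)
```

Run it against a real radius.log (after joining wrapped lines) to see which problem dominates; on the sample the DB-connection errors are the majority, and the port-in-use error appears only after the restart attempt, which is the clue that the old process never exited.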


RE: FreeRADIUS - no service!

2010-12-15 Thread Ramon Escriba


Sorry, no idea about Oracle, but:

> Mon Dec 13 20:09:51 2010 : Error: There appears to be another RADIUS server
> running on the authentication port 1812

It seems the radius process is still running, so it does not stop properly.
Maybe the former radiusd process hung.
Do an xxradius stop and look via ps -eaf | grep -ie radius; if it still
appears, kill it by hand.

Restart radius.

Hope it helps a bit.
 



Re: FreeRADIUS - no service!

2010-12-15 Thread Fajar A. Nugraha
2010/12/15 Александр Чурсин achursi...@gmail.com:
> Hi to all!
>
> We have an issue with a FreeRADIUS server (FreeRADIUS server and
> Oracle Database).  Sometimes it fails and stops to process the AAA
> requests (only complete server reboot helps)!
> Here is the log output during the time of a failed situation:
>
> [r...@aaa0 ~]# tailf /usr/local/var/log/radius/radius.log
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed:
> 'rlm_sql_oracle: no connection to db'
>
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql_oracle: Oracle logon failed:
> '(null)'
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): Failed to connect
> DB handle #7
> Mon Dec 13 19:25:12 2010 : Error: rlm_sql (sqlacct): reconnect failed,
> database down?
>
> Please, advise what can be the reason of such negative behaviour of
> the RADIUS server? Why does it lose connection to a db? How can we
> troubleshoot the issue further?

The logs should speak for themselves. To fix this one you need to
coordinate with the network/DBA guys. Sometimes it's simply because Oracle
is dead or too busy to respond to anything. Other times it can be
firewall issues.

> Mon Dec 13 20:09:51 2010 : Error: There appears to be another RADIUS
> server running on the authentication port 1812

Like Ramon mentioned, you probably need to do a kill -9 manually.

-- 
Fajar


RE: FreeRADIUS - no service!

2010-12-15 Thread Александр Чурсин
Thanks for the replies!
We'll try to kill the process manually, but it is still unclear what
the core reason for the service failure is.

> The logs should speak for itself. To fix this one you need to
> coordinate with network/dba guys. Sometimes it's simply because oracle
> is dead or too busy to respond to anything. Other times it can be
> firewall issues.

There were no network changes before and during the RADIUS outage (no
firewall). The DBA guys say that Oracle is OK, and no significant
issues were recorded in the Oracle logs.


Alexander


Re: FreeRADIUS - no service!

2010-12-15 Thread Fajar A. Nugraha
2010/12/15 Александр Чурсин achursi...@gmail.com:
>> The logs should speak for itself. To fix this one you need to
>> coordinate with network/dba guys. Sometimes it's simply because oracle
>> is dead or too busy to respond to anything. Other times it can be
>> firewall issues.
>
> There were no network changes before and during the RADIUS outage (no
> firewall). Dba guys say that the Oracle is Ok, and no significant
> issues were placed on record according to oracle logs.

Then do a simple test. When radius says it can't reconnect, connect
manually from the radius server with sqlplus (or whatever you're
familiar with) using the same user/password that you use for radius.

-- 
Fajar


Re: FreeRADIUS - no service!

2010-12-15 Thread Alan Buxey
Hi,

> We have an issue with a FreeRADIUS server (FreeRADIUS server and
> Oracle Database).  Sometimes it fails and stops to process the AAA
> requests (only complete server reboot helps)!
> Here is the log output during the time of a failed situation:

from the log

1) no connection to the DB. that's very concise

2) you are trying to send a dodgy accounting packet to the DB. don't.

3) you are sending a packet with the same details - constraint violation.

4) finally, you are trying to run radius when it's already running still.

kill -9 radiusd

then run the server.

why is it dying?  probably numerous reasons.  what version are you running?

I'd advise you do 2 things, firstly, have some extra terminal windows open
and in one, run a tcpdump of your DB connection, and in the other, run radiusd -X

(ie run in full debug mode as is written in all docs when you have a problem)

you might also want to put a wrapper around the accounting part so that packets
with zero session length etc (do you use Cisco gear by any chance? ;-) ) don't
find their way into STOP packets...which is why I asked what version you are
running..
in 2.1.x, something like this will do it

in the accounting {} section of your server, instead of just calling SQL,
wrap it:

    if (Acct-Session-Time != 0) {
        sql
    }
    else {
        ok
    }

alan



Re: Freeradius/Oracle compilation

2010-12-15 Thread alexandre.chapellon
It works here, is indeed smarter and lighter.
Hope it's ok.

--- /tmp/configure.in.orig  2010-12-14 23:24:40.019101002 -1000
+++ /tmp/configure.in   2010-12-14 23:18:25.875101003 -1000
@@ -86,32 +86,37 @@
if test x$oracle_lib_dir != x ; then
ORACLE_LIBDIR_SWITCH=-L${oracle_lib_dir} 
fi
-   LIBS=$old_LIBS $ORACLE_LIBDIR_SWITCH -lclntsh -lnnz10
-   AC_TRY_LINK([#include oci.h
-   
-   static OCIEnv   *p_env;
-   static OCIError *p_err;
-   static OCISvcCtx*p_svc;
-   static OCIStmt  *p_sql;
-   static OCIDefine*p_dfn= (OCIDefine 
*) 0;
-   static OCIBind  *p_bnd= (OCIBind *) 
0;
-   ],
-   [
- int p_bvi;
- charp_sli[20];
- int rc;
- charerrbuf[100];
- int errcode;
-   
- rc = OCIInitialize((ub4) OCI_DEFAULT, (dvoid 
*)0,  /* Initialize OCI */
- (dvoid * (*)(dvoid *, size_t)) 0,
- (dvoid * (*)(dvoid *, dvoid *, 
size_t))0,
- (void (*)(dvoid *, dvoid *)) 0 );
-
-   ],
-   ORACLE_LIBS=$ORACLE_LIBDIR_SWITCH -lclntsh -lnnz10,
-   ORACLE_LIBS=
-   )
+   for oracle_version in 10 11 9 ; do
+   LIBS=$old_LIBS $ORACLE_LIBDIR_SWITCH -lclntsh 
-lnnz${oracle_version}
+   AC_TRY_LINK([#include oci.h
+   
+   static OCIEnv   *p_env;
+   static OCIError *p_err;
+   static OCISvcCtx*p_svc;
+   static OCIStmt  *p_sql;
+   static OCIDefine*p_dfn= 
(OCIDefine *) 0;
+   static OCIBind  *p_bnd= 
(OCIBind *) 0;
+   ],
+   [
+ int p_bvi;
+ charp_sli[20];
+ int rc;
+ charerrbuf[100];
+ int errcode;
+   
+ rc = OCIInitialize((ub4) OCI_DEFAULT, 
(dvoid *)0,  /* Initialize OCI */
+ (dvoid * (*)(dvoid *, 
size_t)) 0,
+ (dvoid * (*)(dvoid *, 
dvoid *, size_t))0,
+ (void (*)(dvoid *, 
dvoid *)) 0 );
+
+   ],
+   ORACLE_LIBS=$ORACLE_LIBDIR_SWITCH -lclntsh 
-lnnz${oracle_version},
+   ORACLE_LIBS=
+   )
+   if test x$ORACLE_LIBS != x; then
+   break
+   fi
+   done
 
LIBS=$old_LIBS
CFLAGS=$old_CFLAGS
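Review bot: after the `for oracle_version in 10 11 9 ; do ... done` loop exits without a successful link, `oracle_version` is left at the last element tried (9), so anything that reads it afterwards (the failure message in the next hunk does) describes only one of the three attempts; either keep the candidate list in its own variable for reporting or reset `oracle_version` after `done`. A short comment above the loop saying why the order is 10, then 11, then 9 would also help, since a reader will expect numeric order. The loop body is otherwise the old AC_TRY_LINK block with `-lnnz10` replaced by `-lnnz${oracle_version}` plus a `break` on a non-empty `ORACLE_LIBS`, which keeps the old behaviour for the first iteration as the quoted reply below asked for.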
@@ -129,7 +134,7 @@
 
if test x$ORACLE_LIBS = x; then
AC_MSG_WARN([oracle libraries not found.  Use 
--with-oracle-lib-dir=path.])
-   fail=$fail libclntsh libnnz10
+   fail=$fail libclntsh libnnz${oracle_version}
else
sql_oracle_ldflags=${sql_oracle_ldflags} $ORACLE_LIBS
AC_MSG_RESULT(yes)
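Review bot: the warning path `fail=$fail libclntsh libnnz${oracle_version}` now names whichever version the loop in the previous hunk tried last (9 with the current list), which will send a user with Oracle 10 or 11 looking for the wrong library; report the full set tried (for example `libnnz10/libnnz11/libnnz9`) or a fixed `libnnz` string instead of the loop variable.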

 Message original
Date: Wed, 15 Dec 2010 07:54:38 +0100
From: 
freeradius-users-bounces+alexandre.chapellon=mana...@lists.freeradius.org (on 
behalf of Alan DeKok al...@deployingradius.com)
Subject: Re: Freeradius/Oracle compilation  
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Alexandre Chapellon wrote:
 Hello I didn't have even a comment about this.
 Is there something stupid in the proposed patch?

  I've been busy.  Off of the top of my head:

- requiring a new option to configure isn't friendly.

- the whole *point* of configure is to have the computer just figure it
out

- leave the old code there, it works for many people

- add *new* code, which is run only if the old code doesn't find
  the libraries

- don't force the user to choose an oracle version.

- you can write a 

Re: FreeRADIUS - no service!

2010-12-15 Thread Alan Buxey
Hi,

>> There were no network changes before and during the RADIUS outage (no
>> firewall). Dba guys say that the Oracle is Ok, and no significant
>> issues were placed on record according to oracle logs.
>
> Then do a simple test. When radius says can't reconnect, connect
> manually from the radius server with sqlplus (or whatever you're
> familiar with) using the same user/password that you use for radius.

...and the first rule of networking - never believe what another team says
about their server - especially DBA people  ;-)

alan


query

2010-12-15 Thread karnik jain
Hi,

I have downloaded the free radius server and successfully installed it on a linux
machine.
Can you please tell me whether this implementation supports
US-ASCII to UTF-8 conversion,
as you say it is compliant with RFC 2865?

thanks and regards,
karnik jain

Proxying CoA

2010-12-15 Thread Zsolt Tripolszky
Hello,

I'm trying to figure out how to proxy CoA packets. I have read through a
similar thread on this list (
http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-July/msg00335.html
),
but somehow I cannot get it to work.

My setup is the following:

In my proxy.conf:

home_server nas_coa {
    type = coa
    ipaddr = 10.0.0.2
    port = 3799
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
    secret = testing123
}
home_server_pool to_coa_nas {
    home_server = nas_coa
}

I have updated the sites-enabled/coa to look as below:

listen {
    type = coa
    ipaddr = *
    port = 3799
    server = coa
}

server coa {
    recv-coa {
        update control {
            Home-Server-Pool := to_coa_nas
        }
    }
    send-coa {
        #  Sample module.
        ok
    }
}

When I'm sending a Disconnect packet, I get the following:

Wed Dec 15 12:06:41 2010 : Info: Ready to process requests.
rad_recv: Disconnect-Request packet from host 127.0.0.1 port 56343, id=51,
length=50
Framed-IP-Address = 91.83.148.2
Acct-Session-Id = D94F82E3300682B3
NAS-IP-Address = 10.0.0.2
Wed Dec 15 12:06:43 2010 : Info: server coa {
Wed Dec 15 12:06:43 2010 : Info: # Executing section recv-coa from file
/Users/tripy/Devel/test-servers/freeradius-2.1.10/etc/raddb.proxy/sites-enabled/coa
Wed Dec 15 12:06:43 2010 : Info: +- entering group recv-coa {...}
Wed Dec 15 12:06:43 2010 : Info: ++[control] returns noop
Wed Dec 15 12:06:43 2010 : Info: # Executing section send-coa from file
/Users/tripy/Devel/test-servers/freeradius-2.1.10/etc/raddb.proxy/sites-enabled/coa
Wed Dec 15 12:06:43 2010 : Info: +- entering group send-coa {...}
Wed Dec 15 12:06:43 2010 : Info: ++[ok] returns ok
Wed Dec 15 12:06:43 2010 : Info: } # server coa
Sending Disconnect-ACK of id 51 to 127.0.0.1 port 56343


Clearly I am missing something obvious, but I cannot find what it is.
Any idea?

Thanks,
tripy

Re: FreeRADIUS - no service!

2010-12-15 Thread Александр Чурсин
Alan, please, clarify some things:

1) in the accounting {} section of your server, instead of just calling SQL,
wrapper it:

    if (Acct-Session-Time != 0) {
        sql
    }
    else {
        ok
    }

Where can I put this wrapper, in sql.conf or in some source file, and
after that must the server be recompiled?

2) tcpdump of your DB connection, and in the other, run radiusd -X

So I need to run two terminal windows with these commands running
during the problem? Tcpdump... you mean tcpdump traffic with a source
of RADIUS and a destination of the Oracle DB?


3) you are sending a packet with same details - constraint violation.
What do you mean?

Sorry for newbie questions.

Thanks in advance!


p.s. Yes, you are right, the RADIUS client is Cisco PDSN.


Re: FreeRADIUS - no service!

2010-12-15 Thread Alan Buxey
Hi,
> Alan, please, clarify some things:
>
> 1) in the accounting {} section of your server, instead of just calling SQL,
> wrapper it:
>
>    if (Acct-Session-Time != 0) {
>        sql
>    }
>    else {
>        ok
>    }
>
> Where can I put this wrapper, sql.conf or in some source file and
> after that the server must be recompiled ?

read what I wrote again - pay particular attention to the bit straight
after the 1) part: place it in the accounting {} section where SQL is called
in your virtual server

> 2)  tcpdump of your DB connection, and in the other, run radiusd -X
>
> So I need to run two terminal windows with these command running on it
> during the problem? Tcpdump... you mean tcpdump traffic with a source
> of RADIUS and a destination of Oracle DB ?

yes and yes

> 3)  you are sending a packet with same details - constraint violation.
> What do you mean?

databases, particularly relational ones, have unique keys in each index entry
so that they can be linked/searched/operated on. if you try inserting a new
entry with the same key as an existing entry, then it's doomed to failure.

> p.s. Yes, you are right RADIUS client is Cisco PDSN.

yes, we have cisco kit and it spews out such packets too

alan
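Alan's two accounting points, the unlang wrapper that sends zero-length Stop packets to `ok` instead of `sql` (his point 2, quoted above) and the unique-key violation on the accounting table (his point 3), can be put together in one pre-insert gate. The following Python is an added illustration, not the thread's unlang and not FreeRADIUS code: it decides per packet whether the sql module would be called, and it keys the zero-length check on `Acct-Status-Type = Stop` so that Start packets, which usually carry no Acct-Session-Time at all, are not dropped. The sample packets are constructed, the key attributes are a simplified assumption (acct_unique in FreeRADIUS is configurable), and the in-memory set stands in for the unique index named ACCT_IDX1 in the log, whose real columns the thread does not give:

```python
import hashlib

# Constructed sample accounting packets (attribute -> value) imitating a NAS:
# a Start, a retransmitted copy of it, a zero-length Stop for a session that
# never came up, a normal Stop, and a retransmitted copy of that Stop.
SAMPLE_PACKETS = [
    {"Acct-Status-Type": "Start", "User-Name": "mobile", "Acct-Session-Id": "00000123",
     "NAS-IP-Address": "10.115.66.5"},
    {"Acct-Status-Type": "Start", "User-Name": "mobile", "Acct-Session-Id": "00000123",
     "NAS-IP-Address": "10.115.66.5"},
    {"Acct-Status-Type": "Stop", "User-Name": "mobile", "Acct-Session-Id": "00000124",
     "NAS-IP-Address": "10.115.66.5", "Acct-Session-Time": "0"},
    {"Acct-Status-Type": "Stop", "User-Name": "mobile", "Acct-Session-Id": "00000123",
     "NAS-IP-Address": "10.115.66.5", "Acct-Session-Time": "3600"},
    {"Acct-Status-Type": "Stop", "User-Name": "mobile", "Acct-Session-Id": "00000123",
     "NAS-IP-Address": "10.115.66.5", "Acct-Session-Time": "3600"},
]

# Assumed key attributes; the real acct_unique module is configurable and may use more.
KEY_ATTRS = ("User-Name", "Acct-Session-Id", "NAS-IP-Address")


def unique_session_key(pkt):
    """Derive a stable session key from the packet, in the spirit of acct_unique."""
    material = ",".join(f"{attr}={pkt.get(attr, '')}" for attr in KEY_ATTRS)
    return hashlib.md5(material.encode()).hexdigest()


class AccountingGate:
    """Per packet, decide whether sql should run ('sql') or the packet should just be
    acknowledged ('ok'), mirroring the if/else wrapper from the thread."""

    def __init__(self):
        # Stand-in for the unique index on the accounting table (assumed to be
        # unique over (session key, status type); the real ACCT_IDX1 columns are unknown).
        self.written = set()

    def decide(self, pkt):
        status = pkt.get("Acct-Status-Type")
        # Point 2: a Stop that claims a zero-length session gets no row; acknowledge it.
        if status == "Stop" and int(pkt.get("Acct-Session-Time", "0")) == 0:
            return "ok", "zero-length stop discarded"
        # Point 3: the same session/status again would violate the unique index,
        # so acknowledge the retransmit instead of letting the INSERT fail.
        row = (unique_session_key(pkt), status)
        if row in self.written:
            return "ok", "duplicate of an already written row"
        self.written.add(row)
        return "sql", "insert accounting row"


def run(packets):
    """Apply one gate to a packet sequence and return the (action, reason) list."""
    gate = AccountingGate()
    return [gate.decide(pkt) for pkt in packets]


if __name__ == "__main__":
    for pkt, (action, why) in zip(SAMPLE_PACKETS, run(SAMPLE_PACKETS)):
        print(f"{pkt['Acct-Status-Type']:5s} {pkt['Acct-Session-Id']} -> {action:3s} ({why})")
```

The point of keying on Stop is the one caveat a practitioner should take from Alan's wrapper: in unlang, a Start packet without Acct-Session-Time does not satisfy `Acct-Session-Time != 0` either, so a wrapper that only checks the attribute needs a status check alongside it if Start records are to be kept.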


Re: query

2010-12-15 Thread Alan DeKok
karnik jain wrote:
> Hi,
>
> I have downloaded the free radius server and successfully installed on
> linux machine..
> Can you please tell me that does your this implimentation supports the
> US-ASCII to UTF-8 conversion

  They are compatible.  No conversion is required.

> as you are saying this is compliant to RFC 2865 ?

  Yes.

  Alan DeKok


RE: FreeRADIUS - no service!

2010-12-15 Thread Александр Чурсин
Ok, thanks for the explanation.
The RADIUS version is 1.1.0

In the accounting section of the radiusd.conf we have:

accounting {
    #detail
    #acct_unique

    #
    # Vladikavkaz   OSE

    Acct-Type OSE {
        acct_unique
        group {
            sqlacct {
                fail = 1
                #   ok = return
            }
            OSE {
                fail = 1
                ok = return
            }
        }
        #   sql_log
    }

    #

and so on, analogous to these constructions, with  as a delimiter ...


So, no sql mentioned... I'm sorry, but it's unclear to me where to
put the wrapper.

Alexander


Re: query

2010-12-15 Thread karnik jain
Hello Sir,

Thank you so much for spending your valuable time on the reply.

As per my understanding of RFC 2865, it is clearly written in section 5.0 of RFC 2865 that

"text  1-253 octets containing UTF-8 encoded 10646 [7] characters.
Text of length zero (0) MUST NOT be sent; omit the entire attribute
instead."

So, it has to be converted into UTF-8 as per RFC 3629 - UTF-8, a
transformation format of ISO 10646, at the time of sending the
ACCESS REQUEST packet to the RADIUS server by the NAS, and likewise it has to be
decoded by the NAS when it is received from the server
in the ACCESS ACCEPT packet.

If they were compatible with each other, then what is the need to
include the above statement in RFC 2865 so clearly?

Sir,

I am totally confused by your statement that "there is no need of
conversion as it is compatible".

I have searched a lot regarding this and I am not able to find
any such thing as said by you.

I was also able to find one open source library named iconv which
can do this encoding and decoding task.

Can you please tell me
from where I can find the information regarding US-ASCII and UTF-8
compatibility as per your reply, or any RFC number if it is known to
you?

Looking forward to your positive reply at your earliest,

- Karnik Jain


On Wed, Dec 15, 2010 at 7:52 PM, Alan DeKok al...@deployingradius.com wrote:

> karnik jain wrote:
>> Hi,
>>
>> I have downloaded the free radius server and successfully installed on
>> linux machine..
>> Can you please tell me that does your this implimentation supports the
>> US-ASCII to UTF-8 conversion
>
>  They are compatible.  No conversion is required.
>
>> as you are saying this is compliant to RFC 2865 ?
>
>  Yes.
>
>  Alan DeKok


Re: query

2010-12-15 Thread karnik jain
Hello,

Thank you so much for spending your valuable time on the reply.

As per my understanding of RFC 2865, it is clearly written in section 5.0 of RFC 2865 that,
"text  1-253 octets containing UTF-8 encoded 10646 [7] characters. Text
of length zero (0) MUST NOT be sent; omit the entire attribute instead."

So, it has to be converted into UTF-8 as per RFC 3629 - UTF-8, a
transformation format of ISO 10646, at the time of sending the ACCESS REQUEST
packet to the RADIUS server by the NAS, and likewise it has to be decoded by the NAS when it
is received from the server in the ACCESS ACCEPT packet.

If they were compatible with each other, then what is the need to include the
above statement in RFC 2865 so clearly?
Correct me if my understanding is wrong.


Sir,
I am totally confused by your statement that "there is no need of
conversion as it is compatible".
I have searched a lot regarding this and I am not able to find any
such thing as said by you.
I was also able to find one open source library named iconv which can do
this encoding and decoding task.

Can you please tell me
from where I can find the information regarding US-ASCII and UTF-8
compatibility as per your reply, or any RFC number if it is known to you?

Looking forward to your positive reply at your earliest,
- Karnik Jain
On Wed, Dec 15, 2010 at 7:52 PM, Alan DeKok al...@deployingradius.com wrote:

> karnik jain wrote:
>> Hi,
>>
>> I have downloaded the free radius server and successfully installed on
>> linux machine..
>> Can you please tell me that does your this implimentation supports the
>> US-ASCII to UTF-8 conversion
>
>  They are compatible.  No conversion is required.
>
>> as you are saying this is compliant to RFC 2865 ?
>
>  Yes.
>
>  Alan DeKok


Re: query

2010-12-15 Thread John Dennis

On 12/15/2010 10:00 AM, karnik jain wrote:
> Hello Sir,
>
> Thank you so much for spending valuable time of yours for the reply.
>
> As per my understanding of RFC 2865,
>
> It is clearly written in section 5.0 of RFC 2865 that
>
> "text   1-253 octets containing UTF-8 encoded 10646 [7] characters.  Text of
> length zero (0) MUST NOT be sent; omit the entire attribute instead."
>
> So, It has to be converted into UTF-8 as per RFC 3629 - UTF-8, a
> transformation format of ISO 10646 at the time of sending
> ACCESS REQUEST packet to RADIUS server by NAS and same it has to be decoded
> by NAS when it is being received from server in ACCESS ACCEPT packet.
>
> If it would be compatible to each other than What is the need of including
> above statement in RFC-2865 clearly?
>
> Sir,
>
> I am totally confused by your statement that "there is no need of conversion
> as it is compatible".
>
> I have searched a lot regarding this thing and I am not able to find any such
> thing as said by you.
>
> I am also able to find one open source library named iconv which can does
> this encoding and decoding task.
>
> Can you please tell me that?
>
> From where I can find the information regarding US-ASCII and UTF-8
> compatibleness as per your reply or any RFC number if it is known to you?

ASCII is a proper subset of UTF-8. No conversion is necessary, ASCII is
UTF-8 by definition. If you read the relevant RFCs you would know this,
it's not hard to find this information thus it's left as an exercise to
the reader :-)


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Re: query

2010-12-15 Thread Alan DeKok
karnik jain wrote:
>> As per my understanding of RFC 2865,
>>
>> It is clearly written in section 5.0 of RFC 2865 that,
>> "text  1-253 octets containing UTF-8 encoded 10646 [7] characters.
>> Text of length zero (0) MUST NOT be sent; omit the entire attribute
>> instead."
>>
> So, It has to be converted into UTF-8

  No.  7 bit US-ASCII is a subset of UTF-8.

> If it would be compatible to each other than What is the need of
> including above statement in RFC-2865 clearly,
> correct me If my understanding is wrong?

  The statement is required for international text.  i.e. non US-ASCII.

> Can you please tell me that,
> From where I can find the information regarding US-ASCII and UTF-8
> compatibleness as per your reply or any RFC number if it is known to you?

  Read the UTF-8 RFC.  This is all documented elsewhere, and is not part
of FreeRADIUS.

  Alan DeKok.
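The point made in the replies above (7-bit US-ASCII is a subset of UTF-8, so an ASCII value is already a valid RFC 2865 "text" value and needs no conversion, while international text must be UTF-8) is easy to check in code. The following Python is an added example, not code from the thread or from FreeRADIUS: it encodes a string as the octets of an RFC 2865 text value, enforces the two limits the RFC states (no zero-length text, at most 253 octets), builds the Type/Length/Value form of a User-Name attribute (type 1, length counting the two header octets), and shows that the ASCII case produces byte-identical output with or without a UTF-8 step. The sample names are constructed; the limit is on octets, not characters, which matters for non-ASCII text:

```python
# Constructed sample values for an RFC 2865 "text" attribute such as User-Name.
ASCII_NAME = "mobile"
INTL_NAME = "Jürgen"

MAX_TEXT_OCTETS = 253  # RFC 2865 section 5: text is 1-253 octets
USER_NAME = 1          # attribute type number of User-Name (RFC 2865 section 5.1)


def encode_text(value):
    """Encode a string as the octets of an RFC 2865 'text' value.

    Raises ValueError in the two cases the RFC forbids: zero-length text
    (the attribute must be omitted instead) and more than 253 octets."""
    octets = value.encode("utf-8")
    if not octets:
        raise ValueError("text of length zero MUST NOT be sent; omit the attribute")
    if len(octets) > MAX_TEXT_OCTETS:
        raise ValueError(f"text is {len(octets)} octets, maximum is {MAX_TEXT_OCTETS}")
    return octets


def decode_text(octets):
    """Decode received octets strictly as UTF-8; None if they are not valid UTF-8
    (e.g. a Latin-1 byte sent by a NAS that ignored the RFC)."""
    try:
        return octets.decode("utf-8")
    except UnicodeDecodeError:
        return None


def needs_conversion(value):
    """True only if the text contains a non-ASCII character, i.e. only then does the
    UTF-8 encoding differ from the raw 7-bit bytes."""
    return any(ord(ch) > 0x7F for ch in value)


def build_attribute(attr_type, value):
    """Type/Length/Value encoding of one text attribute; Length includes the
    two header octets, so a 6-octet value gives Length 8."""
    octets = encode_text(value)
    return bytes([attr_type, 2 + len(octets)]) + octets


if __name__ == "__main__":
    for name in (ASCII_NAME, INTL_NAME):
        tlv = build_attribute(USER_NAME, name)
        print(f"{name!r}: conversion needed={needs_conversion(name)} "
              f"octets={len(encode_text(name))} attribute={tlv.hex()}")
    print("latin-1 byte decodes as UTF-8:", decode_text(b"J\xfcrgen"))
```

For an ASCII name the UTF-8 octets are exactly the ASCII octets, which is the "no conversion required" answer; for "Jürgen" the ü becomes two octets, so the attribute is one octet longer than the character count suggests, and a single Latin-1 0xFC byte on the wire fails strict decoding.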


Re: wifi ip allocation

2010-12-15 Thread pauvre

Thank you Alexandre for your analysis and more precision on your thread!

It is very helpful and appreciated!!

-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/wifi-ip-allocation-tp3286614p3306442.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


mysql huntgroups Access-Reject

2010-12-15 Thread GeneTitus

Greetings from Texas.

I'm setting up freeradius to authenticate/authorize network engineers to log
into cisco and juniper devices. Some devices we share with other
organizations. I need to be able to allow some engineers access to some
devices and not others. I'm running on redhat with Mysql as the backend.
I will be writing a web front end to manage our radius server(s) once I
get a working configuration for our situation.

I have freeradius 2.1.7. That's the rpm for redhat 5.4.

I have radcheck and radreply working. (username and password checking)

I have radusergroup, radgroupcheck, radgroupreply working if I populate the
huntgroups flat file with appropriate information.

I can set shell:privs on ciscos for a specific user based on group
membership via radgroupreply.

As I understand it, if I move huntgroups out of the flat file (preprocess)
and into mysql, I lose the ability to send an Access-Reject based on
huntgroups.

Is that correct?


Thanks,
Gene Titus
The Office of Telecommunication Services
The University of Texas at Austin
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/mysql-huntgroups-Access-Reject-tp3306623p3306623.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: FreeRADIUS - no service!

2010-12-15 Thread Alan Buxey
1.1.0 ? And this is your ONLY problem?


At least upgrade to 1.1.8 - but if you want my help you'll need to be running 
the current release 2.1.x train


Alan


RE: FreeRADIUS - no service!

2010-12-15 Thread Sallee, Stephen (Jake)
To be fair, the fact that he is able to get along running such an ancient
release of FreeRADIUS is a testament to the quality of the software... however
it is dangerous to run antiquated versions of well-known software; the security
implications are horrendous.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



RE: Reals Based Upon Port

2010-12-15 Thread Brian Carpio
So I am still a bit confused by this (I'm just now getting back to this issue). 

So I have the following setup:

- Radiusd Server
-- 2 home_servers listening on 1812 and 1813
-- 2 home_servers listening on 1815 and 1816

In my proxy.conf I have the following:

proxy server {
    default_fallback = no
}
home_server server01 {
    type = auth+acct
    ipaddr = server01
    port = 1812,1813
    secret = s3cret
    require_message_authenticator = no
    response_window = 20
    zombie_period = 10
    status_check = request
    username = t...@test.com
    password = s3cret
    check_interval = 5
    num_answers_to_alive = 3
}
home_server server02 {
    type = auth+acct
    ipaddr = server02
    port = 1812,1813
    secret = s3cret
    require_message_authenticator = no
    response_window = 20
    zombie_period = 10
    status_check = request
    username = t...@test.com
    password = s3cret
    check_interval = 5
    num_answers_to_alive = 3
}
home_server_pool server-balance {
    type = load-balance
    home_server = server01
    home_server = server02
}
realm DEFAULT {
    pool = server-balance
    nostrip
}


I'm pretty clear on how I would add a new home_server_pool called, say, 
alt-server-balance with the other two home_servers defined which listen on 
1815,1816. The part I am confused about is how to define the new realm: since 
I'm using DEFAULT to send all traffic to server-balance, how do I define a new 
realm which will accept traffic on 1815,1816 and send it to alt-server-balance? 

I hope that makes sense.

Thanks,
Brian Carpio

-Original Message-
From: freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org 
[mailto:freeradius-users-bounces+bcarpio=broadhop@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Wednesday, August 18, 2010 7:09 PM
To: FreeRadius users mailing list
Subject: Re: Reals Based Upon Port

Brian Carpio wrote:
 Currently I am using freeradius2-2.1.8-2 to load balance radius traffic 
 between two hosts, I have a single realm DEFAULT setup which proxies the 
 radius traffic between the two servers and that works great, however now I 
 have an unusual need to proxy auth/acct radius traffic to non standard ports 
 and I'm unsure how (or even it's even possible) to setup a new realm which is 
 based on destination port for instance.

  Read raddb/proxy.conf.  Look for port.  This is documented.

 - NOTE: Traffic coming into freeradius on 1815/1816 will be sent to this Alt 
 realm... 

  Set up a virtual server to handle requests sent to those ports.  See 
raddb/sites-available/README

 I am just wondering if this is possible. Or if I would need to setup another 
 instance of freeradius with its own configuration to do this alternative 
 ports setup. 

  No.

  Alan DeKok.
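As an added illustration of Alan DeKok's suggestion above (a virtual server for the extra ports), and not configuration from Brian's setup or a file shipped with FreeRADIUS: the fragment below uses FreeRADIUS 2.1.x syntax and assumes two further home servers named alt01 and alt02, a pool alt-server-balance and a realm named alt (all hypothetical names). The virtual server binds only the non-standard ports, and its authorize and preacct sections set Proxy-To-Realm in the control list, so requests arriving on those ports are proxied to the alternate pool while everything on 1812/1813 keeps going through the DEFAULT realm.

```conf
# Added example, not Brian's configuration nor a file shipped with FreeRADIUS.
# Assumes FreeRADIUS 2.1.x syntax; alt01/alt02 are hypothetical hostnames and
# CHANGE_ME values are placeholders.

# --- proxy.conf additions ---------------------------------------------------
home_server alt01 {
    type = auth+acct
    ipaddr = alt01
    # Authentication on 1815. With type = auth+acct, 2.x sends accounting to
    # port + 1 (1816); confirm against the comments in your raddb/proxy.conf.
    port = 1815
    secret = s3cret
    require_message_authenticator = no
    response_window = 20
    zombie_period = 10
    status_check = request
    username = CHANGE_ME
    password = CHANGE_ME
    check_interval = 5
    num_answers_to_alive = 3
}
home_server alt02 {
    type = auth+acct
    ipaddr = alt02
    port = 1815
    secret = s3cret
    require_message_authenticator = no
    response_window = 20
    zombie_period = 10
    status_check = request
    username = CHANGE_ME
    password = CHANGE_ME
    check_interval = 5
    num_answers_to_alive = 3
}
home_server_pool alt-server-balance {
    type = load-balance
    home_server = alt01
    home_server = alt02
}
realm alt {
    pool = alt-server-balance
    nostrip
}

# --- sites-available/alt-ports (symlink it into sites-enabled/) -------------
# Only packets that arrive on these two ports run through this virtual server,
# so the DEFAULT realm in the "default" site keeps handling 1812/1813 as before.
server alt-ports {
    listen {
        type = auth
        ipaddr = *
        port = 1815
    }
    listen {
        type = acct
        ipaddr = *
        port = 1816
    }
    authorize {
        # The realm is chosen by arrival port, not by a User-Name suffix, so the
        # realm module is not needed here: just name the realm to proxy to.
        update control {
            Proxy-To-Realm := "alt"
        }
    }
    preacct {
        update control {
            Proxy-To-Realm := "alt"
        }
    }
}
```

Run radiusd -X after enabling the site and send a test request to port 1815: the debug output should show the request entering "server alt-ports" and being proxied to the alt pool, while a request to 1812 still shows the default site and server-balance.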


RE: FreeRADIUS - no service!

2010-12-15 Thread Александр Чурсин
Honestly, as you have already understood, the system is an
inheritance from the previous system administrator. Now we try to fix
some current issues on it...

Ok, I see the best way is an upgrade to a later version. But what
about the Oracle database? How can we upgrade while preserving the
current DB and settings? What version do you recommend, guys?


Alexander


Re: PEAP/EAP-GTC proxy?

2010-12-15 Thread mgmitch

OK, upgraded to 2.1.10 as suggested. Thanks.  However, I have a different
issue now -- seems that the passcode is not being proxied over to the home
server.  I only see a username, nas IP address and proxy state being proxied
in the access-request packet but no user-password.  Also get a segmentation
fault after the authentication is rejected.

Thanks for the help




Here's the debug output:

[r...@mackeral-dev raddb]# /usr/sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Dec 15
2010 at 09:27:40
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/proxy-inner-tunnel
main {
user = radiusd
group = radiusd
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib64/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server meddle {
ipaddr = 

Password oddity

2010-12-15 Thread discgolfer72

Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate
to our back end LDAP server (eDirectory) w/o problem. However, when we
enabled Radius authentication on two separate Wireless access points
(Linksys WRT54 and DLink WBR 1310), they both fail authentication because
the password they pass (or how FreeRadius interprets the password) changes
one letter of the password.

For example, we set up a radtest user with a password of radtest. FreeRadius
server in debug shows the request come in but passes a password value of
aadtest. So, as a test we changed the password to aadtest for the radtest
user. The password then came across as badtest. So, we thought we'd change
the password to cadtest to see what would happen. Now the password was
sent/received as aadtest again.

Using NTRadPing utility, we see the request come in, get processed and then
login...

Running FreeRadius 1.1.0 as this is the version that Novell supports. 
Please don't yell at me on this.  Their documentation is based on this
version and not the latest version...

Has anyone seen this behavior before and if so, know how to fix it?

TIA!! 
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3307174.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


RE: Password oddity

2010-12-15 Thread Gary Gatten
Someone will for SURE yell at you for using something that old.  Or, they'll 
just ignore you.

That is a weird a$$ problem for sure!  Why can't you upgrade?  At LEAST to the 
latest 1.x version?

-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of discgolfer72
Sent: Wednesday, December 15, 2010 5:36 PM
To: freeradius-users@lists.freeradius.org
Subject: Password oddity


Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate
to our back end LDAP server (eDirectory) w/o problem. However, when we
enabled Radius authentication on two separate Wireless access points
(Linksys WRT54 and DLink WBR 1310), they both fail authentication because
the password they pass (or how FreeRadius interprets the password) changes
one letter of the password.

For example, we set up a radtest user with a password of radtest. FreeRadius
server in debug shows the request come in but passes a password value of
aadtest. So, as a test we changed the password to aadtest for the radtest
user. The password then came across as badtest. So, we thought we'd change
the password to cadtest to see what would happen. Now the password was
sent/received as aadtest again.

Using NTRadPing utility, we see the request come in, get processed and then
login...

Running FreeRadius 1.1.0 as this is the version that Novell supports. 
Please don't yell at me on this.  Their documentation is based on this
version and not the latest version...

Has anyone seen this behavior before and if so, know how to fix it?

TIA!! 


RE: Password oddity

2010-12-15 Thread discgolfer72

I guess that would be my next step.  Anyone else out there seen this
particular issue?
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3307212.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


RE: Password oddity

2010-12-15 Thread John Tabasz (jtabasz)
Where do you play disc golf?

-Original Message-
From: freeradius-users-bounces+jtabasz=cisco@lists.freeradius.org
[mailto:freeradius-users-bounces+jtabasz=cisco@lists.freeradius.org]
On Behalf Of discgolfer72
Sent: Wednesday, December 15, 2010 3:36 PM
To: freeradius-users@lists.freeradius.org
Subject: Password oddity


Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate
to our back end LDAP server (eDirectory) w/o problem. However, when we
enabled Radius authentication on two separate Wireless access points
(Linksys WRT54 and DLink WBR 1310), they both fail authentication because
the password they pass (or how FreeRadius interprets the password) changes
one letter of the password.

For example, we set up a radtest user with a password of radtest. FreeRadius
server in debug shows the request come in but passes a password value of
aadtest. So, as a test we changed the password to aadtest for the radtest
user. The password then came across as badtest. So, we thought we'd change
the password to cadtest to see what would happen. Now the password was
sent/received as aadtest again.

Using NTRadPing utility, we see the request come in, get processed and then
login...

Running FreeRadius 1.1.0 as this is the version that Novell supports. 
Please don't yell at me on this.  Their documentation is based on this
version and not the latest version...

Has anyone seen this behavior before and if so, know how to fix it?

TIA!! 


RE: Password oddity

2010-12-15 Thread Ben Lewis

Mainly Tennessee.  You?

Sent via DROID on Verizon Wireless

-Original message-
From: John Tabasz (jtabasz) jtab...@cisco.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thu, Dec 16, 2010 00:12:43 GMT+00:00
Subject: RE: Password oddity

Where do you play disc golf?

-Original Message-
From: freeradius-users-bounces+jtabasz=cisco@lists.freeradius.org
[mailto:freeradius-users-bounces+jtabasz=cisco@lists.freeradius.org]
On Behalf Of discgolfer72
Sent: Wednesday, December 15, 2010 3:36 PM
To: freeradius-users@lists.freeradius.org
Subject: Password oddity


Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate
to our back end LDAP server (eDirectory) w/o problem. However, when we
enabled Radius authentication on two separate Wireless access points
(Linksys WRT54 and DLink WBR 1310), they both fail authentication because
the password they pass (or how FreeRadius interprets the password) changes
one letter of the password.

For example, we set up a radtest user with a password of radtest. FreeRadius
server in debug shows the request come in but passes a password value of
aadtest. So, as a test we changed the password to aadtest for the radtest
user. The password then came across as badtest. So, we thought we'd change
the password to cadtest to see what would happen. Now the password was
sent/received as aadtest again.

Using NTRadPing utility, we see the request come in, get processed and then
login...

Running FreeRadius 1.1.0 as this is the version that Novell supports. 
Please don't yell at me on this.  Their documentation is based on this
version and not the latest version...

Has anyone seen this behavior before and if so, know how to fix it?

TIA!! 

RE: Password oddity

2010-12-15 Thread John Tabasz (jtabasz)
Nice. I have switched to basketball for the time being but DeLaveaga is my home 
course in Santa Cruz CA. Love it.

 

From: freeradius-users-bounces+jtabasz=cisco@lists.freeradius.org 
[mailto:freeradius-users-bounces+jtabasz=cisco@lists.freeradius.org] On 
Behalf Of Ben Lewis
Sent: Wednesday, December 15, 2010 4:19 PM
To: FreeRadius users mailing list
Subject: RE: Password oddity

 

Mainly Tennessee.  You?

Sent via DROID on Verizon Wireless



-Original message-

From: John Tabasz (jtabasz) jtab...@cisco.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thu, Dec 16, 2010 00:12:43 GMT+00:00
Subject: RE: Password oddity

Where do you play disc golf?

-Original Message-
From: freeradius-users-bounces+jtabasz=cisco@lists.freeradius.org
[mailto:freeradius-users-bounces+jtabasz=cisco@lists.freeradius.org]
On Behalf Of discgolfer72
Sent: Wednesday, December 15, 2010 3:36 PM
To: freeradius-users@lists.freeradius.org
Subject: Password oddity


Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate
to our back end LDAP server (eDirectory) w/o problem. However, when we
enabled Radius authentication on two separate Wireless access points
(Linksys WRT54 and DLink WBR 1310), they both fail authentication because
the password they pass (or how FreeRadius interprets the password) changes
one letter of the password.

For example, we set up a radtest user with a password of radtest. FreeRadius
server in debug shows the request come in but passes a password value of
aadtest. So, as a test we changed the password to aadtest for the radtest
user. The password then came across as badtest. So, we thought we'd change
the password to cadtest to see what would happen. Now the password was
sent/received as aadtest again.

Using NTRadPing utility, we see the request come in, get processed and then
login...

Running FreeRadius 1.1.0 as this is the version that Novell supports. 
Please don't yell at me on this. Their documentation is based on this
version and not the latest version...

Has anyone seen this behavior before and if so, know how to fix it?

TIA!! 

multiple usergroups failing; freeradius 2.1.10 + Cisco-AVPairs

2010-12-15 Thread michael
Hi,
 During a rebuild of our Radius servers from an old freeradius 1.x install to 
2.1.10, we've lost the ability to push multiple usergroups to our Cisco LNS:
MySQL:
radcheck:
id      UserName    Attribute   op   Value
9791    t...@realm  Password    :=   {clear}somepass

radgroupreply:
id      GroupName    Attribute     op   Value
161     VRF-TEST     Cisco-AVPair  +=   ip:vrf-id=TEST
162     VRF-TEST     Cisco-AVPair  +=   ip:ip-unnumbered=loopback25
2211    QOS-PROFILE  Cisco-AVPair  +=   ip:sub-qos-policy-out=TEST-QOS-PROFILE

radreply:
id      UserName    Attribute          op   Value
124561  t...@realm  Framed-IP-Netmask  =    255.255.255.255
124571  t...@realm  Framed-IP-Address  =    1.1.1.1

usergroup:
UserName    GroupName    priority
t...@realm  VRF-TEST     1
t...@realm  QOS-PROFILE  2

debugging Radius on the Cisco shows (amongst other things):
RADIUS:  Vendor, Cisco   [26]  21
RADIUS:   Cisco AVpair   [1]   15  ip:vrf-id=TEST
RADIUS:  Vendor, Cisco   [26]  35
RADIUS:   Cisco AVpair   [1]   29  ip:ip-unnumbered=loopback25

If you set QOS-PROFILE to priority 0, for example, it will then only pick up the 
QOS-PROFILE usergroup, not both. Setting both usergroups to the same priority 
yields the same results; only applying the first, never both.

To rule out the Cisco I've performed a tcpdump on Radius itself; I can only see 
freeradius sending one usergroup in the Access-Accept response.
This is also a fresh freeradius install via FreeBSD ports; no configuration was 
carried over from the previous install except for the MySQL DB credentials.

Thoughts?



Re: multiple usergroups failing; freeradius 2.1.10 + Cisco-AVPairs

2010-12-15 Thread michael
SQL log attached:
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = 't...@realm'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = 't...@realm'   ORDER BY id
rlm_sql_mysql: query:  SELECT groupname   FROM usergroup   
WHERE username = 't...@realm'   ORDER BY priority
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value, op 
  FROM radgroupcheck   WHERE groupname = 'VRF-TEST'   ORDER 
BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   value, op 
  FROM radgroupreply   WHERE groupname = 'VRF-TEST'   ORDER 
BY id
rlm_sql (sql): Released sql socket id: 4

If I run the 3rd query manually, it does pick up the VRF-TEST and QOS-PROFILE 
usergroups; however, looking at the above groupcheck/groupreply queries, it is 
only running them for the first instance. Bug, perhaps, in rlm_sql_mysql?
-Michael

On Thu, 16 Dec 2010 11:33:46 +1100, mich...@jarrett.id.au wrote:
 Hi,
  During a rebuild of our Radius servers from an old freeradius 1.x install
 to 2.1.10, we've lost the ability to push multiple usergroups to our Cisco LNS:
 MySQL:
 radcheck:
 id      UserName    Attribute   op   Value
 9791    t...@realm  Password    :=   {clear}somepass
 
 radgroupreply:
 id      GroupName    Attribute     op   Value
 161     VRF-TEST     Cisco-AVPair  +=   ip:vrf-id=TEST
 162     VRF-TEST     Cisco-AVPair  +=   ip:ip-unnumbered=loopback25
 2211    QOS-PROFILE  Cisco-AVPair  +=   ip:sub-qos-policy-out=TEST-QOS-PROFILE
 
 radreply:
 id      UserName    Attribute          op   Value
 124561  t...@realm  Framed-IP-Netmask  =    255.255.255.255
 124571  t...@realm  Framed-IP-Address  =    1.1.1.1
 
 usergroup:
 UserName    GroupName    priority
 t...@realm  VRF-TEST     1
 t...@realm  QOS-PROFILE  2
 
 debugging Radius on the Cisco shows (amongst other things):
 RADIUS:  Vendor, Cisco   [26]  21
 RADIUS:   Cisco AVpair   [1]   15  ip:vrf-id=TEST
 RADIUS:  Vendor, Cisco   [26]  35
 RADIUS:   Cisco AVpair   [1]   29  ip:ip-unnumbered=loopback25
 
 If you set QOS-PROFILE to priority 0, for example, it will then only pick
 up the QOS-PROFILE usergroup, not both. Setting both usergroups to the same
 priority yields the same results; only applying the first, never both.
 
 To rule out the Cisco I've performed a tcpdump on Radius itself; I can
 only see freeradius sending one usergroup in the Access-Accept response.
 This is also a fresh freeradius install via FreeBSD ports; no
 configuration was carried over from the previous install except for the MySQL
 DB credentials.
 
 Thoughts?
 
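An added example, not from Michael's posts or from the FreeRADIUS sources, that matches the behaviour visible in the SQL log above: rlm_sql in 2.x walks a user's groups in priority order and stops after the first group whose check items match (an empty radgroupcheck matches) unless that group's reply items include Fall-Through = Yes, which is why radgroupcheck/radgroupreply are only ever queried for VRF-TEST. The statements below rebuild the two tables involved with constructed rows mirroring the thread (the username is a placeholder, and the table and column names are those of the stock FreeRADIUS MySQL schema that the logged queries use), add the Fall-Through row to the first group, and finish with an audit query that lists every group that is not a user's last group by priority and lacks Fall-Through.

```sql
-- Added example (not from the thread or the FreeRADIUS project).
-- Table and column names follow the stock FreeRADIUS MySQL schema used by the
-- logged queries; the rows are constructed and 'someuser@realm' is a placeholder.
CREATE TABLE radgroupreply (
    id        INT          NOT NULL PRIMARY KEY,
    groupname VARCHAR(64)  NOT NULL,
    attribute VARCHAR(64)  NOT NULL,
    op        CHAR(2)      NOT NULL,
    value     VARCHAR(253) NOT NULL
);
CREATE TABLE usergroup (
    username  VARCHAR(64)  NOT NULL,
    groupname VARCHAR(64)  NOT NULL,
    priority  INT          NOT NULL
);

-- The two groups as in the thread; += lets the Cisco-AVPairs accumulate.
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES
    (161,  'VRF-TEST',    'Cisco-AVPair', '+=', 'ip:vrf-id=TEST'),
    (162,  'VRF-TEST',    'Cisco-AVPair', '+=', 'ip:ip-unnumbered=loopback25'),
    (2211, 'QOS-PROFILE', 'Cisco-AVPair', '+=', 'ip:sub-qos-policy-out=TEST-QOS-PROFILE');
INSERT INTO usergroup (username, groupname, priority) VALUES
    ('someuser@realm', 'VRF-TEST',    1),
    ('someuser@realm', 'QOS-PROFILE', 2);

-- The fix: rlm_sql stops after the first matching group unless that group's
-- reply items contain Fall-Through = Yes. Adding it to VRF-TEST (priority 1)
-- makes rlm_sql continue to QOS-PROFILE (priority 2), so both sets of
-- Cisco-AVPairs end up in the Access-Accept.
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES
    (163, 'VRF-TEST', 'Fall-Through', '=', 'Yes');

-- Audit: a group that is followed by another group for the same user (by a
-- higher priority, or by an equal priority, where the order is undefined) and
-- has no Fall-Through silently cuts off everything after it. This returns no
-- rows once every such group carries the attribute.
SELECT ug.username, ug.groupname, ug.priority
FROM   usergroup ug
WHERE  EXISTS (SELECT 1 FROM usergroup later
               WHERE later.username = ug.username
                 AND (later.priority > ug.priority
                      OR (later.priority = ug.priority
                          AND later.groupname <> ug.groupname)))
  AND  NOT EXISTS (SELECT 1 FROM radgroupreply r
                   WHERE r.groupname = ug.groupname
                     AND r.attribute = 'Fall-Through'
                     AND r.value     = 'Yes')
ORDER BY ug.username, ug.priority;
```

Before the Fall-Through insert the audit returns the VRF-TEST row for the user; after it the result is empty. In radiusd -X output the change shows up as a second pair of radgroupcheck/radgroupreply queries, this time for 'QOS-PROFILE', immediately after the ones for 'VRF-TEST'.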