how to output that attribute value as raw data?
Hi. I was using freeradius-2.1.10 as radius home server. I want the log file to output the attribute value as raw data. For example, NOT

    %{Acct-Terminate-Cause} -> User-Request

BUT

    %{Acct-Terminate-Cause} -> 1

Then I edited dictionary.rfc2866 like this:

---edited
#VALUE  Acct-Terminate-Cause  User-Request  1
---

The output became %{Acct-Terminate-Cause} -> 1, which is the output I hoped for. However, the default setting has become illegal:

---illegal thing
if (Acct-Terminate-Cause == User-Request) {
    sql
}
---

Please teach me the way to set this up. Thanks for your help.

ichiro tanaka

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to output that attribute value as raw data?
ichiro tanaka wrote:
> I was using freeradius-2.1.10 as radius home server. I want to output log file
> that attribute value as raw data. For example, NOT
> %{Acct-Terminate-Cause} -> User-Request BUT %{Acct-Terminate-Cause} -> 1.

This is documented.

$ man unlang

See %{Attribute-Name#}

Alan DeKok.
Re: Slow Mysql Queries
Hi,

> Are all the slow query entries potentially a problem, I mean should

yes. any slow queries are potentially a problem. in your case I believe that you have that many rows in your DB table - and because there is no index, all entries have to be seen - as the previous post says, you need a DBA or to quickly pick up some skills. it's quite easy to use 'EXPLAIN' with your SELECT query to find out what is happening...and even easier to add just one index that will fix the main bottleneck. a common issue is running a DB that has no index on your main query target specifier (a default DB won't have ANY indexes on it for columns you have created).

alan
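The EXPLAIN-then-index workflow the reply describes, as an added example that is not from the thread or from the FreeRADIUS project. It uses SQLite so it runs offline against a constructed, cut-down radacct table (the MySQL schema FreeRADIUS ships has more columns, and MySQL's EXPLAIN reports a full scan as "type: ALL" where SQLite's EXPLAIN QUERY PLAN reports "SCAN"). The usage query is a simplified stand-in for the per-user sum a sqlcounter-style query runs; the table name radacct and the index name radacct_username are assumptions for the example.

```python
"""Added example: what the query planner reports for a per-user accounting
query on an unindexed table, and what one index on the lookup column changes.
Data is constructed; SQLite is used so the example runs offline."""
import sqlite3

# Simplified stand-in for a sqlcounter-style usage query: one user, one period.
USAGE_QUERY = ("SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0) "
               "FROM radacct WHERE username = ? AND acctstarttime > ?")


def build_db(rows=5000):
    """Constructed sample data: 5000 sessions spread over 500 users, no index."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY,
        username TEXT NOT NULL,
        acctstarttime TEXT,
        acctstoptime TEXT,
        acctinputoctets INTEGER,
        acctoutputoctets INTEGER)""")
    con.executemany(
        "INSERT INTO radacct (username, acctstarttime, acctstoptime, "
        "acctinputoctets, acctoutputoctets) VALUES (?, ?, ?, ?, ?)",
        [(f"user{i % 500}", "2011-06-06 00:00:00",
          None if i % 7 else "2011-06-06 01:00:00", i * 10, i * 20)
         for i in range(rows)])
    con.commit()
    return con


def query_plan(con, sql, params):
    """Return the planner's description of how it will execute sql.
    The 'detail' column is the last one in every SQLite version."""
    rows = con.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return " | ".join(str(r[-1]) for r in rows)


def is_full_scan(plan):
    """SQLite says SCAN (MySQL: type ALL) when every row must be read."""
    return "SCAN" in plan and "USING INDEX" not in plan


def uses_index(plan):
    return "USING INDEX" in plan


def add_username_index(con):
    """The single index that turns the per-user lookup from a scan into a seek."""
    con.execute("CREATE INDEX IF NOT EXISTS radacct_username ON radacct (username)")
    con.commit()


def usage(con, username, since):
    """Octets used by one user since a given time; same answer with or without index."""
    return con.execute(USAGE_QUERY, (username, since)).fetchone()[0]


if __name__ == "__main__":
    con = build_db()
    print("before:", query_plan(con, USAGE_QUERY, ("user7", "2011-01-01")))
    add_username_index(con)
    print("after: ", query_plan(con, USAGE_QUERY, ("user7", "2011-01-01")))
    print("usage for user7:", usage(con, "user7", "2011-01-01"))
```

The result set is identical before and after the index; only the plan changes, which is the point of checking EXPLAIN before touching the schema. On MySQL the same check is EXPLAIN followed by the sqlcounter query, and the index goes on the column the WHERE clause filters on (username here).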
RE: Problem with rml_sqlcounter with GigaByte datavolume
Thank you for this reply. I thought the limitation might come from the wrapping around 4.3 GB due to the limitations of a 32-bit system, with 2147483648 being the highest signed and 4294967296 being the highest unsigned number. 1705032704 is then exactly the difference to 6GB, after the system wrapped at 4.29GB. I requote the log:

Sat Jun 4 23:10:21 2011 : Debug: rlm_sqlcounter: Rejected user lapzel14, check_item=1705032704, counter=2147513300

Exactly the 1705032704 one would expect based on the highest 32-bit unsigned integer. Now here is my problem: Why does it wrap at 32 bit, if the system is an x64 server? Does not make a lot of sense to me. Also, the FAQ contains instructions on how to deal with gigawords in terms of the SQL statements that handle the calculation of the counter value. And as this is implemented, the counter value is not the problem here - it is the check_item value that, as I understand, is based on my configuration, taken straight out of the radcheck table. I am sorry, but this sounds like a limitation/bug of the standard system that could be overcome. After all, if it can be resolved with custom perl code as I understand you suggest, why should the standard system not be able to handle data limits larger than 4.29GB out of the box? Or am I missing something? Alan, can you enlighten us on this issue?

Regards
Hanno

From: YvesDM [mailto:ydm...@gmail.com]
Sent: Monday, 6 June 2011 5:42 a.m.
To: FreeRadius users mailing list
Subject: Re: Problem with rml_sqlcounter with GigaByte datavolume

On Sun, Jun 5, 2011 at 1:22 AM, Hanno Schupp hanno.sch...@gmail.com wrote:
> Dear All, can I ask for some pointers please. in my FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu (Ubuntu LTS 10.04) installation I have followed the Gigabyte instructions on the FreeRADIUS wiki's FAQ http://wiki.freeradius.org/FAQ#Why+do+Acct-Input-Octets+and+Acct-Output-Octets+wrap+at+4+GB%3F.
> The Usage is calculated correctly, but the check_item value is not what I expect to see (1.7 GB as opposed to 6GB set in radcheck). I understand how the system determines the counter value and it is correctly calculated, but where does the check_item value of 1.7GB come from?

I have no idea to be truthful. Sqlcounter also wraps at 4GB in its reply. Your 6GB is actually 5722.045 MB, then wraps at 4GB so 1,7GB left and this is replied ;-)
As far as I know there's no integrated solution to this unless you change the source code. Most people solve this by using rlm_perl if I'm not mistaken. Make your perl calculate and reply gigawords + remaining bytes when values are > 4GB.

Ps Make sure your coova-chilli is equal or > 1.0.13, else it won't understand gigawords replies

Kind regards,
Y.
Re: Freeradius not releasing IPs from pool
On 03/06/11 10:33, George Chelidze wrote:
> On 06/01/2011 04:02 PM, Angel L. Mateo wrote:
>> Hello, I have a problem with my pools in freeradius. The problem is that it is not releasing IPs from the pools. At least, not all of them, so after a while my users can't connect because the pool is full.
>
> Several quick questions:
>
> 1. Are you sure your pool is large enough? Average duration of a session/Number of new sessions per second should be taken into account.

Yes. This server is an update from an existing one with the same configuration; the only difference is the freeradius version (from 1.1.7 to 2.1.8) and that now I'm using virtual servers.

> 2. Are you sure you don't miss any accounting messages?

I think not.

> 3. Which attributes do you use to construct a pool key? Make sure all attributes exist in Accounting messages.

The defaults, I'm not using the key option of the pool. I think the defaults are %{NAS-IP-Address} %{NAS-Port}. NAS-IP-Address is always the same (our VPN server) and NAS-Port changes between users. Is that correct?

--
Angel L. Mateo Martínez
Telematics Section
Area of Applied Information and Communication Technologies (ATICA)
http://www.um.es/atica
Tel: 868887590 Fax: 86337
Re: Can't get checkrad to be called
George,

Thanks for the reply. I will double-check my configuration. The one thing I noticed, even though checkrad is working, is that I can't find any clue in any log or debug output. I set it to log to checkrad.log, but that only works when I manually run /usr/sbin/checkrad. Is there another place that I'm not aware of?

Thanks!
-dan

On 6/6/2011 1:14 AM, George Chelidze wrote:
> On 06/04/2011 06:28 AM, Dan Brisson wrote:
>> Just finished setting up the latest Freeradius - 2.1.10. Checkrad is working. I've replicated the settings from 2.1.7 so I have to think something has changed from 2.1.7 to 2.1.10.
>
> hm.. I would compare both setups to eliminate any typos in the 2.1.7 configuration. As far as it works with 2.1.10 you can build it on CentOS from source. Glad to hear you figured it out.
>
> Best Regards,
> George Chelidze
Setting Cached-Session-Policy
Hi!

I am trying to get fast session resumption with VLAN assignments to work. I have tried the suggestion in this message:

http://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00381.html

However, it seems to me as if the post-auth section is too late to set the Cached-Session-Policy. I have added the following to the beginning of the post-auth section in the default site:

post-auth {
    if ( reply:Cached-Session-Policy ) {
        if ( reply:Cached-Session-Policy =~ /vlan=(.+)/ ) {
            update reply {
                Reply-Message += "Cached policy: %{reply:Cached-Session-Policy}"
                Tunnel-Private-Group-ID := %{1}
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
            }
        }
    }
    elsif ( reply:Tunnel-Private_group-ID ) {
        update reply {
            Cached-Session-Policy := "vlan=%{reply:Tunnel-Private-Group-ID}"
        }
    }

I can see in the logs that this correctly sets Cached-Session-Policy, e.g. to vlan=10. However, during session resumption it will only add User-Name and Stripped-User-Name. During the initial session setup I can see that attributes are saved into the cache:

[peap] Success
[peap] Using saved attributes from the original Access-Accept
        Tunnel-Private-Group-Id:0 = 18
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        User-Name = vogt
[peap] Saving response in the cache
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++? if (reply:Cached-Session-Policy )
? Evaluating (reply:Cached-Session-Policy ) -> FALSE
++? if (reply:Cached-Session-Policy ) -> FALSE
++? elsif (reply:Tunnel-Private_group-ID )
? Evaluating (reply:Tunnel-Private_group-ID ) -> TRUE
++? elsif (reply:Tunnel-Private_group-ID ) -> TRUE
++- entering elsif (reply:Tunnel-Private_group-ID ) {...}
        expand: vlan=%{reply:Tunnel-Private-Group-ID} -> vlan=18
+++[reply] returns noop
++- elsif (reply:Tunnel-Private_group-ID ) returns noop

Now, if I understand the source code correctly, attributes are saved when freeradius logs "Saving response in the cache". I think this means that setting Cached-Session-Policy in post-auth is too late, because at that point the caching has already happened and modifying Cached-Session-Policy won't affect what is stored in the cache. This is what is logged during session resumption:

[peap] Adding cached attributes to the reply:
        User-Name = vogt
        Stripped-User-Name = vogt
[eap] Freeing handler
++[eap] returns ok

Should setting Cached-Session-Policy in post-auth have an effect on cached attributes or not?

Cheers,
Gerald
Re: Setting Cached-Session-Policy
On 06/06/2011 04:30 PM, Gerald Vogt wrote:
> Hi! I am trying to get fast session resumption with VLAN assignments to work. I have tried the suggestion in this message: http://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00381.html However, it seems to me as if the post-auth section is too late to set the Cached-Session-Policy. I have added the following to the beginning of the post-auth section in the default site:

Are you setting it in the post-auth of the inner-tunnel?
RE: Freeradius + Alvarion 4Motion specify filter-id value inaccess-accept from value in user conf file ?
Hello,

I tried using only Framed-Filter-Id and Filter-Id in the users conf file and deleting the line Filter-Id = Profile1 from my sites-enabled/default conf file but it doesn't work. When processing the post-authentication section it doesn't add attributes provided in users conf to the access-accept. I added the files line in the post-auth section of the default conf file (I supposed this way it parses the users conf file when processing the post-auth section) but it doesn't work. Could you give me a sample of your sites-enabled/default conf file?

Here is the radiusd -X output of my server:

FreeRADIUS Version 3.0.0, for host i686-pc-linux-gnu, built on May 31 2011 at 08:06:19 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/soh including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/redis including configuration file
/usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/replicate including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/eap including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/sql including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/digest including configuration file 
/usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/rediswho including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/sqlippool including configuration file /usr/local/etc/raddb/sql/postgresql/ippool.conf including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/policy.conf including files in directory
RE: Freeradius + Alvarion 4Motion specify filter-id value inaccess-accept from value in user conf file ?
I use Daloradius and MySQL but if memory serves it would be similar to this:

Deg     Cleartext-Password := "ge55ged"
        Service-Type = Callback-Login-User,
        Login-IP-Host = 0.0.0.0,
        Callback-Number = "9,5551212",
        Login-Service = Telnet,
        Framed-Filter-Id = "profile1"

-----Original Message-----
From: Hahusseau, Thomas [mailto:thomas.hahuss...@cassidian.com]
Sent: Monday, June 06, 2011 12:39 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: RE: Freeradius + Alvarion 4Motion specify filter-id value inaccess-accept from value in user conf file ?

> Hello, I tried using only Framed-Filter-Id and Filter-Id in the users conf file and deleting the line Filter-Id = Profile1 from my sites-enabled/default conf file but it doesn't work. When processing the post-authentication section it doesn't add attributes provided in users conf to the access-accept. I added the files line in the post-auth section of the default conf file (I supposed this way it parses the users conf file when processing the post-auth section) but it doesn't work. Could you give me a sample of your sites-enabled/default conf file?
Expand Ldap Attribute on Post-Auth section
Hello there,

I'm trying to evaluate an ldap returned attribute on the post-auth section.

At my dictionary:

ATTRIBUTE   Aa   3000   string

At my ldap.attrmap:

checkItem   AA   eduPersonAffiliation

And at my custom module:

exec aloca_vlans {
    wait = yes
    program = "/usr/local/bin/script-teste.sh %{User-Name} %{control:Aa} %{reply:Aa} %{Aa}"
    input_pairs = request
    output_pairs = reply
    packet_type = Access-Accept
    shell_escape = yes
}

When running radiusd -X, I see the data getting fetched.

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] eduPersonAffiliation -> Aa == 5
[ldap] eduPersonAffiliation -> Aa == 2
[ldap] userPassword -> Password-With-Header == x
[ldap] ntPassword -> NT-Password == xx
[ldap] looking for reply items in directory...

But when the variables are expanded it returns nothing:

# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
[reply_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/xx/reply-detail-20110606
[reply_log] /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/xx/reply-detail-20110606
[reply_log] expand: %t -> Mon Jun 6 15:04:10 2011
++[reply_log] returns ok
[aloca_vlans] expand: %{User-Name} -> renan.manola
[aloca_vlans] expand: %{control:Aa} ->
[aloca_vlans] expand: %{reply:Aa} ->
[aloca_vlans] expand: %{Aa} ->

I have specified the control and reply lists just as a test. If I don't specify the variable name at the dictionary file, the log complains of unknown module not found.

Best regards.

--
Renan Manola
Information Technology Analyst
Nucleo de Processamento de Dados (NPD)
Universidade Federal do Espírito Santo (UFES)
Ministério da Educação - Serviço Público Federal
E-mail: rman...@npd.ufes.br
Re: Setting Cached-Session-Policy
On 06.06.11 17:46, Phil Mayers wrote:
> On 06/06/2011 04:30 PM, Gerald Vogt wrote:
>> Hi! I am trying to get fast session resumption with VLAN assignments to work. I have tried the suggestion in this message: http://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00381.html However, it seems to me as if the post-auth section is too late to set the Cached-Session-Policy. I have added the following to the beginning of the post-auth section in the default site:
>
> Are you setting it in the post-auth of the inner-tunnel?

No. In the outer tunnel config.

Gerald
Re: Renaming during Machine Authentication
I have enabled ldap in the inner-tunnel...here is the latest debug log (part 1)

Mark

FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 23 2011 at 11:28:44 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/ldap including
configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/control-socket main { allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = /usr/local localstatedir = /var logdir = /var/log/radius libdir = /usr/local/lib radacctdir = /var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = /var/run/radiusd/radiusd.pid checkrad = 
/usr/local/sbin/checkrad debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: Loading Realms and Home Servers proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = auth secret = testing123 response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = status-server ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: Loading Clients
Re: Problem with rml_sqlcounter with GigaByte datavolume
On Mon, Jun 6, 2011 at 1:24 PM, Hanno Schupp hanno.sch...@gmail.com wrote:
> Thank you for this reply. I thought the limitation might come from the wrapping around 4.3 GB due to the limitations of a 32-bit system, with 2147483648 being the highest signed and 4294967296 being the highest unsigned number. 1705032704 is then exactly the difference to 6GB, after the system wrapped at 4.29GB. I requote the log:
>
> Sat Jun 4 23:10:21 2011 : Debug: rlm_sqlcounter: Rejected user lapzel14, check_item=1705032704, counter=2147513300
>
> Exactly the 1705032704 one would expect based on the highest 32-bit unsigned integer. Now here is my problem: Why does it wrap at 32 bit, if the system is an x64 server? Does not make a lot of sense to me. Also, the FAQ contains instructions on how to deal with gigawords in terms of the SQL statements that handle the calculation of the counter value. And as this is implemented, the counter value is not the problem here - it is the check_item value that, as I understand, is based on my configuration, taken straight out of the radcheck table. I am sorry, but this sounds like a limitation/bug of the standard system that could be overcome. After all, if it can be resolved with custom perl code as I understand you suggest, why should the standard system not be able to handle data limits larger than 4.29GB out of the box? Or am I missing something? Alan, can you enlighten us on this issue?
>
> Regards
> Hanno

You confuse gigawords storage in the database coming from acct updates/stop packets of the nas with the reply from sqlcounter. FR is capable of saving gigawords in the database when a nas is sending them, that's not the problem. But, the sqlcounter's code was never changed to reply gigawords to the nas. Check the C code and you will see.

Kind regards
Y.
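The arithmetic behind the rejection discussed in this thread (Hanno's debug line and Y.'s explanation), as an added example that is not FreeRADIUS code. RADIUS carries octet counts in 32-bit attributes and uses the separate Gigawords attributes (RFC 2869) for the number of 2^32 wraps; a limit that is held in a single 32-bit field wraps the same way. The block splits and joins gigawords, reproduces the 6 GB check item wrapping to 1705032704, and models the comparison as reject-when-usage-reaches-limit; the function names, the 6,000,000,000-byte limit (which the thread's numbers imply: 6e9 minus 2^32 is exactly 1705032704) and the debug-line parser are assumptions for the example.

```python
"""Added example: 32-bit octet counters, gigawords, and the wrapped limit in
an rlm_sqlcounter debug line. Not FreeRADIUS code; numbers taken from the
thread's debug output, the 6e9 limit is inferred from them."""
import re

TWO32 = 1 << 32  # a RADIUS integer attribute holds 0 .. 2^32-1


def split_gigawords(total_octets):
    """Total bytes -> (gigawords, octets), the pair of attributes a NAS sends."""
    return divmod(total_octets, TWO32)


def join_gigawords(gigawords, octets):
    """Inverse of split_gigawords: what the FAQ's SQL does when it builds the counter."""
    return gigawords * TWO32 + octets


def wrap32(value):
    """What a larger number becomes when forced into one 32-bit attribute."""
    return value % TWO32


def sqlcounter_decision(limit_total, used_total, limit_is_32bit=True):
    """Model of the check: reject when usage has reached the limit.
    With a 32-bit check item the limit silently wraps before the comparison,
    which is the failure mode in the thread. Returns (decision, limit used)."""
    limit = wrap32(limit_total) if limit_is_32bit else limit_total
    return ("reject" if used_total >= limit else "accept", limit)


def parse_sqlcounter_debug(line):
    """Pull check_item and counter out of an 'rlm_sqlcounter: Rejected user' line.
    Returns (check_item, counter) or None if the line does not match."""
    m = re.search(r"check_item=(\d+), counter=(\d+)", line)
    return (int(m.group(1)), int(m.group(2))) if m else None


# The debug line quoted in the thread.
DEBUG_LINE = ("Sat Jun 4 23:10:21 2011 : Debug: rlm_sqlcounter: Rejected user "
              "lapzel14, check_item=1705032704, counter=2147513300")

LIMIT_6GB = 6_000_000_000  # inferred: 6e9 - 2^32 == 1705032704, the logged check_item


if __name__ == "__main__":
    check_item, counter = parse_sqlcounter_debug(DEBUG_LINE)
    print("logged check_item:", check_item, "== wrap32(6e9):", wrap32(LIMIT_6GB))
    print("6e9 bytes as (gigawords, octets):", split_gigawords(LIMIT_6GB))
    print("32-bit limit :", sqlcounter_decision(LIMIT_6GB, counter))
    print("64-bit limit :", sqlcounter_decision(LIMIT_6GB, counter, limit_is_32bit=False))
```

With the limit held in 32 bits the user is rejected after about 2.1 GB even though the counter side handles gigawords correctly, which matches Y.'s point that the storage and the reply are two separate problems.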
Re: Wiki - Once upon a time there was documentation
I can confirm that some Wiki pages are blank (waiting to be edited). I checked, and they don't appear to be on the to-do list for conversion. Instead, it brings it up as a Create New Page dialog. I'm willing to help out with them, but need to create an account and review the stylesheets/directives for Restructured Text/Markdown first. Also, unlike other mailing lists I've used, I can't seem to figure out how to use the web interface to reply within an existing thread (I'm a new user, so I can't respond to the original mail or digest). We are planning to deploy FreeRadius within the next month, so I'm doing my homework first. I appreciate all the resources you do have available so far. http://wiki.freeradius.org/Mac-Auth http://wiki.freeradius.org/%23Is+there+a+way+to+bind+FreeRADIUS+to+a+specific+IP+address%3F http://bugs.freeradius.org/show_bug.cgi?id=207 (This is a broken link from http://wiki.freeradius.org/FAQ, which also has some minor grammatical errors I'd be happy to fix). http://wiki.freeradius.org/SNMP http://wiki.freeradius.org/MIB http://wiki.freeradius.org/Framed-IP-Netmask http://wiki.freeradius.org/%23Why+do+Acct-Input-Octets+and+Acct-Output-Octets+wrap+at+4+GB%3F
Re: how to output that attribute value as raw data?
thanks a lot Alan. OH, I see. thanks!

I've tried that; it became %{Acct-Status-Type#} -> 1. But, %{Packet-Type#} -> . (%{Packet-Type} -> Access-Accept) Packet-Type's type is INTEGER. Are freeradius internal attributes off the subject?

Thanks for your help.
ichiro tanaka

> This is documented.
>
> $ man unlang
>
> See %{Attribute-Name#}
>
> Alan DeKok.
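The two approaches in this thread side by side, as an added example that is neither the poster's nor FreeRADIUS code: a small parser for the ATTRIBUTE/VALUE line format of the raddb dictionary files, used to show why commenting out a VALUE line makes a named comparison like if (Acct-Terminate-Cause == User-Request) unresolvable, while the %{Attribute-Name#} form gives the raw integer without touching the dictionary. The dictionary excerpt is constructed (attribute numbers as in RFC 2866); the class and function names are assumptions for the example, and the internal Packet-Type attribute asked about in the last reply is not modelled.

```python
"""Added example: parse ATTRIBUTE/VALUE lines in the raddb dictionary format
and model %{Attr}, %{Attr#} and 'if (Attr == Name)' against them.
Not FreeRADIUS code; the dictionary text below is a constructed excerpt."""
import re

DICTIONARY_TEXT = """\
# constructed excerpt in the dictionary.rfc2866 format
ATTRIBUTE   Acct-Status-Type        40  integer
ATTRIBUTE   Acct-Terminate-Cause    49  integer
VALUE   Acct-Status-Type        Start           1
VALUE   Acct-Status-Type        Stop            2
VALUE   Acct-Terminate-Cause    User-Request    1
VALUE   Acct-Terminate-Cause    Lost-Carrier    2
"""


class Dictionary:
    def __init__(self):
        self.attributes = {}   # attribute name -> (number, type)
        self.values = {}       # attribute name -> {value name: integer}

    @classmethod
    def parse(cls, text):
        d = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # '#' starts a comment, as in raddb
            if not line:
                continue
            fields = line.split()
            if fields[0] == "ATTRIBUTE" and len(fields) >= 4:
                d.attributes[fields[1]] = (int(fields[2]), fields[3])
            elif fields[0] == "VALUE" and len(fields) >= 4:
                # VALUE <attribute> <value name> <integer>
                d.values.setdefault(fields[1], {})[fields[2]] = int(fields[3])
        return d

    def expand(self, attr, number, raw=False):
        """Model of %{Attr} (name when a VALUE exists) and %{Attr#} (raw=True)."""
        if not raw:
            for name, value in self.values.get(attr, {}).items():
                if value == number:
                    return name
        return str(number)

    def compare(self, attr, number, rhs):
        """Model of 'if (Attr == rhs)'. True/False, or None when rhs is a name
        the dictionary cannot resolve (the 'illegal' case in the thread)."""
        names = self.values.get(attr, {})
        if rhs in names:
            return number == names[rhs]
        if rhs.isdigit():
            return number == int(rhs)
        return None


def comment_out_value(text, attr, name):
    """Reproduce the poster's edit: put '#' in front of one VALUE line."""
    pattern = re.compile(r"^(VALUE\s+%s\s+%s\s)" % (re.escape(attr), re.escape(name)), re.M)
    return pattern.sub(r"#\1", text)


def demo():
    stock = Dictionary.parse(DICTIONARY_TEXT)
    edited = Dictionary.parse(
        comment_out_value(DICTIONARY_TEXT, "Acct-Terminate-Cause", "User-Request"))
    return {
        "stock_named":    stock.expand("Acct-Terminate-Cause", 1),             # User-Request
        "stock_raw":      stock.expand("Acct-Terminate-Cause", 1, raw=True),   # 1, via %{...#}
        "stock_compare":  stock.compare("Acct-Terminate-Cause", 1, "User-Request"),
        "edited_named":   edited.expand("Acct-Terminate-Cause", 1),            # 1, name is gone
        "edited_compare": edited.compare("Acct-Terminate-Cause", 1, "User-Request"),  # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15s} {value!r}")
```

The stock dictionary gives both the name for logging and a working named comparison; the edited one gives the raw number in the log only by making the name unknown everywhere, including the policy that tests it. The %{Attr#} expansion changes the log line alone, which is why the man page answer is the right fix.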
Re: Unable to authenticate locally when remote proxy server is unavailable
Hello Alan, Thank you for your prompt response. If you don't mind I have a few follow up questions mentioned below. I would appreciate it if you could answer them. Thanks again for your help. Regards, Jyoti.

On Mon, 2011-06-06 at 07:26 +0200, Alan DeKok wrote: jch2...@verizon.net wrote: The questions I want to ask are as follows: 1. Is this the right method to perform this operation or there could be a simpler way to do this, i.e. authenticate the request using backup cache or database when remote Radius server is down? If you can authenticate the request with a DB, then the remote RADIUS server is not needed. Get rid of it. If you can't get a local DB, then when the remote RADIUS server is down, users cannot authenticate.

Actually, the requirement states that the remote proxy server should authenticate all associate requests when it is up. When the remote proxy server is down only then the authentication can be done locally with the information cached from a previous successful request. I might be able to perform local authentication for an EAP-PEAP request coming from the client using self-signed certificates. Do you agree?

2. Is there a way to know (by ping or other methods) if the remote radius server is down so that I can perform the local authentication right away when the 802.1x request is received instead of proxying the request a few times and then determining that the remote proxy Radius server is not alive or not available? See raddb/proxy.conf. Look for status-server.

Is there a specific configuration that you are talking about? I was never able to capture status-server packets using a tool like ethereal.

In short, the only way to see if it's up is to send it RADIUS packets. 3. If somehow I determine that the remote Radius server is unavailable and I get a 802.1x request (EAP-PEAP) can I verify the authenticity of the request using the local cache and send an Access-Accept somehow tricking the NAS to open the port? No. 4. Is it possible to reduce the time for e.g. Waking up in 119.8 seconds? No. For one, you haven't explained why that time is a problem. For two, those timers are determined by the server's configuration. If you want that time to change, change the configuration. Alan DeKok.
RE: Slow Mysql Queries
Thanks for the advice everyone! I have removed scripts which caused the VERY slow queries and have now had the slow query log on for a few days. It is still showing loads of entries but http access performance is not noticeably slow (on occasion there is a small delay). The slow queries appear to be mostly coming from radacct and radcheck when a wireless user is trying to authenticate... phpMyAdmin states that there have been 30 queries in only 25 hours which is 3 per second. (there are 4 databases including an analytics database also which will be included in this) 20% of the queries are from the 'change db' query. 4300 of the slow queries in the slow query log are from ONE WIRELESS CLIENT trying to authenticate, yet radius.log only shows around 75 authentication attempts... the lines read like this:

--
# Time: 110605 13:43:15
# User@Host: freeradius[freeradius] @ localhost []
# Query_time: 0  Lock_time: 0  Rows_sent: 1  Rows_examined: 37
SELECT radacct.UserName AS UserName, radcheck.Value AS Value
FROM radacct
LEFT OUTER JOIN radlookupnas ON radlookupnas.user = radacct.UserName AND radlookupnas.macauth = '0' AND radacct.CallingStationId = '60-33-4B-20-1F-5F'
LEFT OUTER JOIN radcheck ON radcheck.username = radacct.username AND radcheck.attribute = 'User-Password'
WHERE radcheck.username = radlookupnas.user
LIMIT 1;
--

In radius.log I can see that a lot of the entries are double ups, the same authentication request repeated a few times over 2 or 3 seconds:

--
Tue Jun 7 09:31:34 2011 : Auth: Login incorrect: [60-33-4B-20-1F-5F/password] (from client localhost port 3 cli 60-33-4B-20-1F-5F)
Tue Jun 7 09:31:35 2011 : Auth: Login incorrect: [60-33-4B-20-1F-5F/password] (from client localhost port 3 cli 60-33-4B-20-1F-5F)
Tue Jun 7 09:31:35 2011 : Auth: Login incorrect: [60-33-4B-20-1F-5F/password] (from client localhost port 3 cli 60-33-4B-20-1F-5F)
--

AND the occasional Error like this:

---
Error: Discarding duplicate request from client localhost:58813 - ID: 19 due to unfinished request 14831
Error: WARNING: Unresponsive child (id 2954177424) for request 14832 (in component accounting module rlm_sql)
Error: Discarding duplicate request from client localhost:33869 - ID: 151 due to unfinished request 14832
---

phpMyAdmin runtime info states that Select_full_join is 49 and that if this value is not 0, you should carefully check the indexes of your tables. If the radius Mysql tables need to be indexed which ones? radacct has 3500 records and is 1.1mb, radcheck has 9000 and is .5mb and aradacct has 27000 and is 8mb. Are either of these that big? I output this mysqlreport and tried to find where issues are but it's not obvious to me:

---
MySQL 5.0.51a-3ubuntu5   uptime 0 23:40:19   Tue Jun 7 11:23:18 2011

__ Key _________________________________________________________________
Buffer used     4.71M of  32.00M  %Used:  14.71
  Current       5.02M            %Usage:  15.70
Write hit      23.31%
Read hit       99.74%

__ Questions ___________________________________________________________
Total         276.17k     3.2/s
  QC Hits     135.76k     1.6/s  %Total:  49.16
  Com_         49.73k     0.6/s           18.01
  COM_QUIT     46.82k     0.5/s           16.95
  DMS          44.44k     0.5/s           16.09
  -Unknown        588     0.0/s            0.21
Slow (4)        7.44k     0.1/s            2.69  %DMS:  16.74  Log:  ON
DMS            44.44k     0.5/s           16.09
  UPDATE       19.94k     0.2/s            7.22          44.87
  SELECT       19.70k     0.2/s            7.13          44.33
  DELETE        2.13k     0.0/s            0.77           4.79
  INSERT        1.69k     0.0/s            0.61           3.80
  REPLACE         987     0.0/s            0.36           2.22
Com_           49.73k     0.6/s           18.01
  change_db    46.71k     0.5/s           16.91
  show_status   1.14k     0.0/s            0.41
  set_option      729     0.0/s            0.26

__ SELECT and Sort _____________________________________________________
Scan            6.48k     0.1/s %SELECT:  32.91
Range           1.17k     0.0/s            5.92
Full join          47     0.0/s            0.24
Range check         0       0/s            0.00
Full rng join       0       0/s            0.00
Sort scan         737     0.0/s
Sort range        888     0.0/s
Sort mrg pass      10     0.0/s

__ Query Cache _________________________________________________________
Memory usage  800.98k of  16.00M  %Used:   4.89
Block Fragmnt  14.25%
Hits          135.76k     1.6/s
Inserts        18.76k     0.2/s
Insrt:Prune   18.76k:1    0.2/s
Hit:Insert     7.24:1

__ Table Locks _________________________________________________________
Waited             73     0.0/s  %Total:   0.13
Immediate
Re: Slow Mysql Queries
On Tue, Jun 7, 2011 at 10:54 AM, OzSpots - Carl Sawers c...@ozspots.com.au wrote: SELECT radacct.UserName AS UserName , radcheck.Value AS Value FROM radacct left outer join radlookupnas ON radlookupnas.user = radacct.UserName AND radlookupnas.macauth = '0' AND radacct.CallingStationId = '60-33-4B-20-1F-5F' left outer join radcheck ON radcheck.username = radacct.username AND radcheck.attribute='User-Password' WHERE radcheck.username = radlookupnas.user LIMIT 1;

(sigh) This is obviously a custom query. Who wrote that? You're joining three tables (radcheck, radacct, radlookupnas). While possible, it means that as radacct gets bigger the query will be slower. Does the person who wrote that understand the consequences? If yes, did that person set up the necessary measures to keep performance acceptable (e.g. using indexes)? If not, get a dba, have them fix it.

In radius.log I can see that a lot of the entries are double ups, the same authentication request repeated a few times over 2 or 3 seconds: AND the occasional Error like this:

No need to repeat this info over and over and over again. As previously noted, this is a side effect of the db being slow. It won't go away if you don't fix the db.

phpMyAdmin runtime info states that Select_full_join is 49 and that if this value is not 0, you should carefully check the indexes of your tables.

Good suggestion. Did you do it?

If the radius Mysql tables need to be indexed which ones?

That's why I repeatedly say get a dba. A dba will know what to do. If you insist on doing it yourself anyway, here's a hint: http://dev.mysql.com/doc/refman/5.1/en/using-explain.html Use that on whatever slow query you have to get an idea of why it's so slow.

radacct has 3500 records and is 1.1mb, radcheck has 9000 and is .5mb and aradacct has 27000 and is 8mb. Are either of these that big?

It's very small. I have systems with radacct as big as several million entries per month, with tens of GB data. And it works just fine.

We have a certified MySQL DBA helping design the database structure and queries. I output this mysqlreport and tried to find where issues are but it's

Here's another hint: don't expect phpmyadmin or mysqlreport to magically show you which option to change in order to get a performance boost. So in summary: - use EXPLAIN - fix non-optimum indexes - fix server settings (hint: convert your tables to innodb, use reasonable innodb_buffer_pool_size) - if you have no idea what I'm talking about, get a dba -- Fajar
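The following is an added example, not code posted in this thread and not part of FreeRADIUS. It runs the EXPLAIN-then-index loop Fajar describes against an in-memory SQLite copy of the three tables in Carl's query, using SQLite's EXPLAIN QUERY PLAN where a MySQL deployment would use EXPLAIN SELECT ... and ALTER TABLE ... ADD INDEX. The table and column names come from the posted query; the column layout of radlookupnas, the choice of indexes, and every row of data are assumptions constructed here so the script runs offline.

```python
"""EXPLAIN-driven index tuning for the posted three-table lookup, using SQLite as a
stand-in for MySQL.  Added example, not from the thread or from FreeRADIUS.

Assumptions: radlookupnas has (user, macauth); the index set below is what a DBA
might pick from the join/filter columns; all rows are constructed sample data.
"""
import sqlite3

# The custom query from the thread, with the MAC address moved into a bind parameter.
QUERY = """
SELECT radacct.UserName AS UserName, radcheck.Value AS Value
FROM radacct
LEFT OUTER JOIN radlookupnas
       ON radlookupnas.user = radacct.UserName
      AND radlookupnas.macauth = '0'
      AND radacct.CallingStationId = ?
LEFT OUTER JOIN radcheck
       ON radcheck.username = radacct.UserName
      AND radcheck.attribute = 'User-Password'
WHERE radcheck.username = radlookupnas.user
LIMIT 1
"""

# Assumed index set: one index per table, covering the columns the query joins or
# filters on.  (The stock FreeRADIUS MySQL schema already indexes radacct.username
# and radcheck.username; radlookupnas is site-specific.)
INDEXES = [
    "CREATE INDEX idx_radacct_csid ON radacct (CallingStationId, UserName)",
    "CREATE INDEX idx_lookupnas_user ON radlookupnas (user, macauth)",
    "CREATE INDEX idx_radcheck_user_attr ON radcheck (username, attribute)",
]


def build_db(rows=0x2000):
    """Create the three tables and fill them with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    # SQLite would otherwise build a throwaway index for the join on its own;
    # turn that off so the plan only reflects indexes we declare, as MySQL would.
    db.execute("PRAGMA automatic_index = OFF")
    db.executescript("""
        CREATE TABLE radacct (UserName TEXT, CallingStationId TEXT, AcctSessionId TEXT);
        CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE radlookupnas (user TEXT, macauth TEXT);
    """)
    users = ["user%04d" % i for i in range(rows)]
    # One MAC per user; i = 0x1F5F yields the 60-33-4B-20-1F-5F seen in the thread.
    macs = ["60-33-4B-20-%02X-%02X" % (i >> 8, i & 0xFF) for i in range(rows)]
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)",
                   [(u, m, "sess%d" % i) for i, (u, m) in enumerate(zip(users, macs))])
    db.executemany("INSERT INTO radcheck VALUES (?, 'User-Password', ':=', ?)",
                   [(u, "pw%d" % i) for i, u in enumerate(users)])
    db.executemany("INSERT INTO radlookupnas VALUES (?, '0')", [(u,) for u in users])
    db.commit()
    return db


def query_plan(db, mac="60-33-4B-20-1F-5F"):
    """Return the plan's detail lines for QUERY, the SQLite analogue of EXPLAIN."""
    return [row[-1] for row in db.execute("EXPLAIN QUERY PLAN " + QUERY, (mac,))]


def uses_index(plan):
    """True if any step of the plan is an index lookup rather than a full table scan."""
    return any("INDEX" in line for line in plan)


def tune(db):
    """Capture the plan, add the indexes, refresh statistics, capture the plan again."""
    before = query_plan(db)
    for stmt in INDEXES:
        db.execute(stmt)
    db.execute("ANALYZE")
    after = query_plan(db)
    return before, after


if __name__ == "__main__":
    db = build_db()
    before, after = tune(db)
    print("plan before indexes:", *before, sep="\n  ")
    print("plan after indexes:", *after, sep="\n  ")
    print(db.execute(QUERY, ("60-33-4B-20-1F-5F",)).fetchone())
```

Before the indexes every step of the plan is a full scan of a table, which is the pattern behind a non-zero Select_full_join and behind the Rows_examined count growing with radacct. After them the plan searches by index, and the query now does the same work whether radacct holds a few thousand rows or a few million. On MySQL the same check is EXPLAIN in front of the SELECT; a "type: ALL" row with no "key" is the scan to remove.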
Re: Unable to authenticate locally when remote proxy server is unavailable
Jyoti Chatterjee wrote: Actually, the requirement states that the remote proxy server should authenticate all associate requests when it is up. When the remote proxy server is down only then the authentication can be done locally with the information cached from a previous successful request.

EAP doesn't work that way. Your requirement is impossible to implement.

I might be able to perform local authentication for an EAP-PEAP request coming from the client using self-signed certificates. Do you agree?

No.

Is there a specific configuration that you are talking about? I was never able to capture status-server packets using a tool like ethereal.

Did I say to use ethereal? No. I said to read proxy.conf. Did you do that? No. Why? If you're not interested in getting help on this list, don't ask questions here. Alan DeKok.