how to output that attribute value as raw data?

2011-06-06 Thread ichiro tanaka

Hi.

I was using freeradius-2.1.10 as a RADIUS home server.

I want to output attribute values to the log file as raw data.
For example, NOT %{Acct-Terminate-Cause} - User-Request BUT %{Acct-Terminate-Cause} - 1.

Then, I edited dictionary.rfc2866 like this.
---edited
#VALUE Acct-Terminate-Cause User-Request 1
-

The output became %{Acct-Terminate-Cause} - 1, which is the output I hoped for.
However, the default setting has become illegal.
---illegal thing
if(Acct-Terminate-Cause == User-Request){
 sql
}
-

Please tell me the right way to configure this.

Thanks for your help.

ichiro tanaka
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to output that attribute value as raw data?

2011-06-06 Thread Alan DeKok
ichiro tanaka wrote:
 I was using freeradus-2.1.10 as radius home server.
 
 I want to output log file that attribute value as raw data.
 For example, NOT %{Acct-Terminate-Cause} - User-Request BUT
 %{Acct-Terminate-Cause} - 1.

  This is documented.

$ man unlang

  See

%{Attribute-Name#}

  Alan DeKok.

Re: Slow Mysql Queries

2011-06-06 Thread Alan Buxey
Hi,

 Are all the slow query entries potentially a problem, I mean should

yes. any slow queries are potentially a problem. in your
case I believe that you have that many rows in your DB table - and because
there is no index, all entries have to be scanned - as the previous post says,
you need a DBA or to quickly pick up some skills. it's quite easy to use 'EXPLAIN'
with your SELECT query to find out what is happening...and even easier to
add just one index that will fix the main bottleneck.

a common issue is running a DB that has no index on your main query target
specifier (a default DB won't have ANY indexes on it for columns you have
created).

alan


RE: Problem with rml_sqlcounter with GigaByte datavolume

2011-06-06 Thread Hanno Schupp
Thank you for this reply.

I thought the limitation might come from the wrap-around at 4.3 GB due to
the limitations of a 32-bit system, with 2147483648 being the highest signed
and 4294967296 being the highest unsigned number. 1705032704 is then exactly
the difference to 6GB after the system wrapped at 4.29GB. I requote the
log:

 

Sat Jun  4 23:10:21 2011 : Debug: rlm_sqlcounter: Rejected user lapzel14,
check_item=1705032704, counter=2147513300

 

Exactly the 1705032704 one would expect based on highest 32bit unsigned
integer.

 

Now here is my problem: why does it wrap at 32 bit if the system is an x64
server? That does not make a lot of sense to me.

 

Also, the FAQ contains instructions on how to deal with gigawords in terms
of the SQL statements that handle the calculation of the counter value. And
as this is implemented, the counter value is not the problem here - it is
the check_item value that, as I understand it, is based on my configuration,
taken straight out of the radcheck table.

 

I am sorry, but this sounds like a limitation/bug of the standard system,
that could be overcome. After all, if it can be resolved with custom perl
code as I understand you suggest, why should the standard system not be able
to handle data limits larger than 4.29GB out of the box? 

Or am I missing something?

 

Alan, can you enlighten us on this issue?

 

Regards

 

Hanno

 

 

From: YvesDM [mailto:ydm...@gmail.com] 
Sent: Monday, 6 June 2011 5:42 a.m.
To: FreeRadius users mailing list
Subject: Re: Problem with rml_sqlcounter with GigaByte datavolume

 

 

On Sun, Jun 5, 2011 at 1:22 AM, Hanno Schupp hanno.sch...@gmail.com wrote:

 

Dear All,

 

Can I ask for some pointers please. In my FreeRADIUS Version 2.1.8, for host
x86_64-pc-linux-gnu (Ubuntu LTS 10.04) installation I have followed the
Gigabyte instructions in the FreeRADIUS wiki's FAQ
http://wiki.freeradius.org/FAQ#Why+do+Acct-Input-Octets+and+Acct-Output-Octets+wrap+at+4+GB%3F.
The usage is calculated correctly, but the check_item
value is not what I expect to see (1.7 GB as opposed to the 6GB set in
radcheck). I understand how the system determines the counter value and it
is correctly calculated, but where does the check_item value of 1.7GB come
from? I have no idea, to be truthful.

 


Sqlcounter also wraps at 4GB in its reply.
Your 6GB is actually 5722.045 MB, which then wraps at 4GB, so 1.7GB is left and this
is replied ;-)
As far as I know there's no integrated solution to this unless you change
the source code.
Most people solve this by using rlm_perl if I'm not mistaken. Make your
perl calculate and reply gigawords + remaining bytes when values are > 4GB.
PS: Make sure your coova-chilli is 1.0.13 or newer, else it won't understand
gigawords replies.

Kind regards,
Y. 
 

 


Re: Freeradius not releasing IPs from pool

2011-06-06 Thread Angel L. Mateo

On 03/06/11 10:33, George Chelidze wrote:

On 06/01/2011 04:02 PM, Angel L. Mateo wrote:

Hello,

I have a problem with my pools in freeradius. The problem is that it is
not releasing IPs from the pools. At least, not all of them, so after a
while my users can't connect because the pool is full.


Several quick questions:

1. Are you sure your pool is large enough? Average duration of a
session/Number of new sessions per second should be taken in account.


Yes. This server is an update of an existing one with the same
configuration; the only differences are the freeradius version (from 1.1.7 to
2.1.8) and that I'm now using virtual servers.



2. Are you sure you don't miss any accounting messages?


I think not.


3. Which attributes do you use to construct a pool key? Make sure all
attributes exist in Accounting messages.

The defaults; I'm not using the key option of the pool. I think the
defaults are %{NAS-IP-Address} %{NAS-Port}. NAS-IP-Address is always
the same (our VPN server) and NAS-Port changes between users. Is that correct?


--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337


Re: Can't get checkrad to be called

2011-06-06 Thread Dan Brisson

George,

Thanks for the reply.  I will double-check my configuration.  The one
thing I noticed: even though checkrad is working, I can't find any clue
in any log or debug output.  I set it to log to checkrad.log, but that
only works when I manually run /usr/sbin/checkrad.  Is there another
place that I'm not aware of?


Thanks!
-dan

On 6/6/2011 1:14 AM, George Chelidze wrote:

On 06/04/2011 06:28 AM, Dan Brisson wrote:

Just finished setting up the latest Freeradius - 2.1.10. Checkrad is
working. I've replicated the settings from 2.1.7 so I have to think
something has changed from 2.1.7 to 2.1.10.


hm.. I would compare both setups to eliminate any typos in 2.1.7 
configuration. As far as it works with 2.1.10 you can build it on 
CentOS from source. Glad to hear you figured it out.


Best Regards,

George Chelidze


Setting Cached-Session-Policy

2011-06-06 Thread Gerald Vogt
Hi!

I am trying to get fast session resumption with VLAN assignments to
work. I have tried the suggestion in this message:
http://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00381.html

However, it seems to me as if the post-auth section is too late to set
the Cached-Session-Policy. I have added the following to the beginning
of the post-auth section in the default site:

post-auth {
    if ( reply:Cached-Session-Policy ) {
        if ( reply:Cached-Session-Policy =~ /vlan=(.+)/ ) {
            update reply {
                Reply-Message += "Cached policy: %{reply:Cached-Session-Policy}"
                Tunnel-Private-Group-ID := "%{1}"
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
            }
        }
    }
    elsif ( reply:Tunnel-Private_group-ID ) {
        update reply {
            Cached-Session-Policy := "vlan=%{reply:Tunnel-Private-Group-ID}"
        }
    }
}

I can see in the logs that this correctly sets Cached-Session-Policy,
e.g. to vlan=10. However, during session resumption it will only add
User-Name and Stripped-User-Name.

During the initial session setup I can see that attributes are saved
into the cache:

[peap] Success
[peap] Using saved attributes from the original Access-Accept
Tunnel-Private-Group-Id:0 = 18
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
User-Name = vogt
[peap] Saving response in the cache
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++? if (reply:Cached-Session-Policy )
? Evaluating (reply:Cached-Session-Policy ) - FALSE
++? if (reply:Cached-Session-Policy ) - FALSE
++? elsif (reply:Tunnel-Private_group-ID )
? Evaluating (reply:Tunnel-Private_group-ID ) - TRUE
++? elsif (reply:Tunnel-Private_group-ID ) - TRUE
++- entering elsif (reply:Tunnel-Private_group-ID ) {...}
expand: vlan=%{reply:Tunnel-Private-Group-ID} - vlan=18
+++[reply] returns noop
++- elsif (reply:Tunnel-Private_group-ID ) returns noop

Now, if I understand the source code correctly, attributes are saved
when freeradius logs "Saving response in the cache". I think this
means that setting Cached-Session-Policy in post-auth is too late,
because at that point the caching has already happened and modifying
Cached-Session-Policy won't affect what is stored in the cache.

This is what is logged during session resumption:

[peap] Adding cached attributes to the reply:
User-Name = vogt
Stripped-User-Name = vogt
[eap] Freeing handler
++[eap] returns ok

Should setting Cached-Session-Policy in post-auth have an effect on
cached attributes or not?

Cheers,

Gerald


Re: Setting Cached-Session-Policy

2011-06-06 Thread Phil Mayers

On 06/06/2011 04:30 PM, Gerald Vogt wrote:

Hi!

I am trying to get fast session resumption with VLAN assignments to
work. I have tried the suggestion in this message:
http://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00381.html

However, it seems to me as if the post-auth section is too late to set
the Cached-Session-Policy. I have added the following to the beginning
of the post-auth section in the default site:


Are you setting it in the post-auth of the inner-tunnel?


RE: Freeradius + Alvarion 4Motion specify filter-id value inaccess-accept from value in user conf file ?

2011-06-06 Thread Hahusseau, Thomas
Hello,

I tried using only Framed-Filter-Id and Filter-Id in the users conf file and
deleting the line Filter-Id = Profile1 from my sites-enabled/default conf
file, but it doesn't work. When processing the post-authentication section it
doesn't add the attributes provided in the users conf to the access-accept. I added the
files line in the post-auth section of the default conf file (I supposed this way
it parses the users conf file when processing the post-auth section) but it
doesn't work.

Could you give me a sample of your sites-enabled/default conf file?

Here is the radiusd -X output of my server:

FreeRADIUS Version 3.0.0, for host i686-pc-linux-gnu, built on May 31 2011 at 
08:06:19
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/eap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/sql
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file 
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/sqlippool
including configuration file /usr/local/etc/raddb/sql/postgresql/ippool.conf
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory 

RE: Freeradius + Alvarion 4Motion specify filter-id value inaccess-accept from value in user conf file ?

2011-06-06 Thread David Peterson
I use Daloradius and MySQL but if memory serves it would be similar to this:


Deg     Cleartext-Password := "ge55ged"
        Service-Type = Callback-Login-User,
        Login-IP-Host = 0.0.0.0,
        Callback-Number = "9,5551212",
        Login-Service = Telnet,
        Framed-Filter-Id = "profile1"

-Original Message-
From: Hahusseau, Thomas [mailto:thomas.hahuss...@cassidian.com] 
Sent: Monday, June 06, 2011 12:39 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: RE: Freeradius + Alvarion 4Motion specify filter-id value
inaccess-accept from value in user conf file ?

Expand Ldap Attribute on Post-Auth section

2011-06-06 Thread Renan

Hello there,

I'm trying to evaluate an ldap returned attribute on the post-auth section.

At my dictionary:
ATTRIBUTE	Aa	3000	string

At my ldap.attrmap:
checkItem   AA  eduPersonAffiliation

And at my custom module:
exec aloca_vlans {
	wait = yes
	program = "/usr/local/bin/script-teste.sh %{User-Name} %{control:Aa} %{reply:Aa} %{Aa}"
	input_pairs = request
	output_pairs = reply
	packet_type = Access-Accept
	shell_escape = yes
}

When running radiusd -X, I see the data getting fetched.

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] eduPersonAffiliation - Aa == 5
  [ldap] eduPersonAffiliation - Aa == 2
  [ldap] userPassword - Password-With-Header == x
  [ldap] ntPassword - NT-Password == xx
[ldap] looking for reply items in directory...

But when the variables are expanded they return nothing:

# Executing section post-auth from file 
/etc/freeradius/sites-enabled/default

+- entering group post-auth {...}
[reply_log] expand: 
/var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d - 
/var/log/freeradius/radacct/xx/reply-detail-20110606
[reply_log] 
/var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d 
expands to /var/log/freeradius/radacct/xx/reply-detail-20110606

[reply_log] expand: %t - Mon Jun  6 15:04:10 2011
++[reply_log] returns ok
[aloca_vlans] expand: %{User-Name} - renan.manola
[aloca_vlans] expand: %{control:Aa} -
[aloca_vlans] expand: %{reply:Aa} -
[aloca_vlans] expand: %{Aa} -

I have specified the control and reply lists just as a test. If I don't
define the attribute name in the dictionary file, the log complains of
"unknown module not found".


Best regards.

--
Renan Manola
Information Technology Analyst
Nucleo de Processamento de Dados (NPD)
Universidade Federal do Espírito Santo (UFES)
Ministry of Education - Federal Public Service
E-mail: rman...@npd.ufes.br




Re: Setting Cached-Session-Policy

2011-06-06 Thread Gerald Vogt
On 06.06.11 17:46, Phil Mayers wrote:
 On 06/06/2011 04:30 PM, Gerald Vogt wrote:
 Hi!

 I am trying to get fast session resumption with VLAN assignments to
 work. I have tried the suggestion in this message:
 http://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00381.html


 However, it seems to me as if the post-auth section is too late to set
 the Cached-Session-Policy. I have added the following to the beginning
 of the post-auth section in the default site:
 
 Are you setting it in the post-auth of the inner-tunnel?

No. In the outer tunnel config.

Gerald


Re: Renaming during Machine Authentication

2011-06-06 Thread Mark Jones
I have enabled ldap in the inner-tunnel... here is the latest debug log (part 1)
 
Mark
 

FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 23 2011 at 
11:28:44
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
main {
 allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
 prefix = /usr/local
 localstatedir = /var
 logdir = /var/log/radius
 libdir = /usr/local/lib
 radacctdir = /var/log/radius/radacct
 hostname_lookups = no
 max_request_time = 30
 cleanup_delay = 5
 max_requests = 1024
 pidfile = /var/run/radiusd/radiusd.pid
 checkrad = /usr/local/sbin/checkrad
 debug_level = 0
 proxy_requests = yes
 log {
 stripped_names = no
 auth = no
 auth_badpass = no
 auth_goodpass = no
 }
 security {
 max_attributes = 200
 reject_delay = 1
 status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
 retry_delay = 5
 retry_count = 3
 default_fallback = no
 dead_time = 120
 wake_all_if_all_dead = no
 }
 home_server localhost {
 ipaddr = 127.0.0.1
 port = 1812
 type = auth
 secret = testing123
 response_window = 20
 max_outstanding = 65536
 require_message_authenticator = yes
 zombie_period = 40
 status_check = status-server
 ping_interval = 30
 check_interval = 30
 num_answers_to_alive = 3
 num_pings_to_alive = 3
 revive_interval = 120
 status_check_timeout = 4
 irt = 2
 mrt = 16
 mrc = 5
 mrd = 30
 }
 home_server_pool my_auth_failover {
 type = fail-over
 home_server = localhost
 }
 realm example.com {
 auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Loading Clients 
 

Re: Problem with rml_sqlcounter with GigaByte datavolume

2011-06-06 Thread YvesDM
On Mon, Jun 6, 2011 at 1:24 PM, Hanno Schupp hanno.sch...@gmail.com wrote:


You confuse gigawords storage in the database coming from acct updates/stop
packets of the nas with the reply from sqlcounter.
FR is capable of saving gigawords in the database when a nas is sending
them, that's not the problem.
But, the sqlcounter's code was never changed to reply gigawords to the nas.
Check the C code and you will see.

Kind regards
Y.
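A worked example of the 32-bit wrap Hanno describes and of the gigawords split YvesDM refers to, added here as an illustration; it is not code from the thread or from rlm_sqlcounter. It assumes the 6GB limit is stored in radcheck as 6000000000 bytes and that the check item is squeezed into an unsigned 32-bit RADIUS integer, which reproduces the check_item=1705032704 and counter=2147513300 figures from the quoted debug line; the function names are made up for the example.

```python
"""Added example (not from the thread or from FreeRADIUS): why a limit of
6000000000 bytes in radcheck shows up as check_item=1705032704 in the
rlm_sqlcounter debug line, and how the same byte count is carried as
Acct-*-Gigawords plus Acct-*-Octets.

Assumption: the limit is read into an unsigned 32-bit RADIUS integer, so it
wraps modulo 2**32 before the counter is compared against it."""

TWO_32 = 1 << 32  # 4294967296: one more than the largest 32-bit unsigned value


def split_gigawords(total_bytes):
    """Split a byte count into (gigawords, octets) the way a NAS reports it.

    Acct-Input-Gigawords counts how many times Acct-Input-Octets has wrapped,
    so the pair is simply the quotient and remainder by 2**32.
    """
    if total_bytes < 0:
        raise ValueError("byte count must be non-negative")
    return divmod(total_bytes, TWO_32)


def join_gigawords(gigawords, octets):
    """Rebuild the full byte count (what the FAQ's SQL does for the counter)."""
    return gigawords * TWO_32 + octets


def as_radius_integer(value):
    """Truncate to an unsigned 32-bit RADIUS integer: the wrap Hanno observed."""
    return value % TWO_32


def sqlcounter_decision(counter, limit, truncate_limit):
    """Mimic the accept/reject step of an rlm_sqlcounter-style check.

    With truncate_limit=True the limit passes through a 32-bit attribute
    first, as in the thread; with False the comparison uses the full value.
    Returns a string so both the decision and the numbers can be inspected.
    """
    check_item = as_radius_integer(limit) if truncate_limit else limit
    if counter >= check_item:
        return f"reject: counter={counter} >= check_item={check_item}"
    return f"accept: {check_item - counter} bytes left"


if __name__ == "__main__":
    limit = 6_000_000_000      # "6GB" as stored in radcheck (constructed)
    counter = 2_147_513_300    # usage from the quoted debug line
    print(split_gigawords(limit))                           # (1, 1705032704)
    print(sqlcounter_decision(counter, limit, True))        # reject, as logged
    print(sqlcounter_decision(counter, limit, False))       # accept, ~3.85 GB left
```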

Re: Wiki - Once upon a time there was documentation

2011-06-06 Thread Nonny Mouse
I can confirm that some Wiki pages are blank (waiting to be edited).  I
checked, and they don't appear to be on the to-do list for conversion.
Instead, it brings it up as a Create New Page dialog.  I'm willing to help
out with them, but need to create an account and review the
stylesheets/directives for Restructured Text/Markdown first.  Also, unlike
other mailing lists I've used, I can't seem to figure out how to use the web
interface to reply within an existing thread (I'm a new user, so I can't
respond to the original mail or digest).  We are planning to deploy
FreeRadius within the next month, so I'm doing my homework first.  I
appreciate all the resources you do have available so far.

http://wiki.freeradius.org/Mac-Auth
http://wiki.freeradius.org/%23Is+there+a+way+to+bind+FreeRADIUS+to+a+specific+IP+address%3F
http://bugs.freeradius.org/show_bug.cgi?id=207 (This is a broken link from
http://wiki.freeradius.org/FAQ, which also has some minor grammatical errors
I'd be happy to fix).
http://wiki.freeradius.org/SNMP
http://wiki.freeradius.org/MIB
http://wiki.freeradius.org/Framed-IP-Netmask
http://wiki.freeradius.org/%23Why+do+Acct-Input-Octets+and+Acct-Output-Octets+wrap+at+4+GB%3F

Re: how to output that attribute value as raw data?

2011-06-06 Thread ichiro tanaka

thanks a lot Alan.

OH, I see. thanks!

I've tried that; it became %{Acct-Status-Type#} - 1.
But %{Packet-Type#} - .  (%{Packet-Type} - Access-Accept)

Packet-Type's type is INTEGER.
Are FreeRADIUS internal attributes off the subject?

Thanks for your help.

ichiro tanaka



Re: Unable to authenticate locally when remote proxy server is unavailable

2011-06-06 Thread Jyoti Chatterjee
Hello Alan,

Thank you for your prompt response. If you don't mind I have a few
follow up questions mentioned below. I would appreciate if you could
answer them.

Thanks again for your help.
Regards,

Jyoti.

On Mon, 2011-06-06 at 07:26 +0200, Alan DeKok wrote:
> jch2...@verizon.net wrote:
> > The questions I want to ask are as follows:
> >
> > 1. Is this the right method to perform this operation or there could be
> > a simpler way to do this,
> > i.e. authenticate the request using backup cache or database when remote
> > Radius server is down?
>
>   If you can authenticate the request with a DB, then the remote RADIUS
> server is not needed.  Get rid of it.
>
>   If you can't get a local DB, then when the remote RADIUS server is
> down, users cannot authenticate.
>

Actually, the requirement states that the remote proxy server should
authenticate all associate requests when it is up. Only when the remote
proxy server is down can the authentication be done locally
with the information cached from a previous successful request.

I might be able to perform local authentication for an EAP-PEAP request
coming from the client using self-signed certificates. Do you agree?

> > 2. Is there a way to know (by ping or other methods) if the remote
> > radius server is down so
> > that I can perform the local authentication right away when the 802.1x
> > request is received
> > instead of proxying the request a few times and then determining that
> > the remote proxy Radius server
> > is not alive or not available?
>
>   See raddb/proxy.conf.  Look for status-server.

Is there a specific configuration that you are talking about? I was
never able to capture status-server packets using a tool like
ethereal.

 
>   In short, the only way to see if it's up is to send it RADIUS packets.
>
> > 3. If somehow  I determine that the remote Radius server is unavailable
> > and I get a 802.1x request
> > (EAP-PEAP) can I verify the authenticity of the request using the local
> > cache and send an
> > Access-Accept somehow tricking the NAS to open the port?
>
>   No.
>
> > 4. Is it possible to reduce the time for e.g. Waking up in 119.8 seconds?
>
>   No.  For one, you haven't explained why that time is a problem.  For
> two, those timers are determined by the server's configuration.  If you
> want that time to change, change the configuration.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




RE: Slow Mysql Queries

2011-06-06 Thread OzSpots - Carl Sawers
Thanks for the advice everyone!
I have removed the scripts which caused the VERY slow queries and have now
had the slow query log on for a few days. It is still showing loads of
entries, but http access performance is not noticeably slow (on occasion
there is a small delay). The slow queries appear to be mostly coming
from radacct and radcheck when a wireless user is trying to
authenticate...

Phpadmin states that there have been 30 queries in only 25 hours,
which is 3 per second. (There are 4 databases, including an analytics
database, which will be included in this.) 20% of the queries are
from the 'change db' query.

4300 of the slow queries in the slow query log are from ONE WIRELESS
CLIENT trying to authenticate, yet radius.log only shows around 75
authentication attempts...the lines read like this:
--
# Time: 110605 13:43:15
# User@Host: freeradius[freeradius] @ localhost []
# Query_time: 0  Lock_time: 0  Rows_sent: 1  Rows_examined: 37
SELECT radacct.UserName AS UserName
, radcheck.Value AS Value

FROM radacct 

left outer join radlookupnas 
ON radlookupnas.user =  radacct.UserName
AND radlookupnas.macauth = '0'
AND radacct.CallingStationId = '60-33-4B-20-1F-5F'

left outer join radcheck 
ON radcheck.username = radacct.username 
AND radcheck.attribute='User-Password' 
WHERE radcheck.username = radlookupnas.user

LIMIT 1;
-

In radius.log I can see that a lot of the entries are double-ups, the
same authentication request repeated a few times over 2 or 3 seconds:

--
Tue Jun  7 09:31:34 2011 : Auth: Login incorrect:
[60-33-4B-20-1F-5F/password] (from client localhost port 3 cli
60-33-4B-20-1F-5F)
Tue Jun  7 09:31:35 2011 : Auth: Login incorrect:
[60-33-4B-20-1F-5F/password] (from client localhost port 3 cli
60-33-4B-20-1F-5F)
Tue Jun  7 09:31:35 2011 : Auth: Login incorrect:
[60-33-4B-20-1F-5F/password] (from client localhost port 3 cli
60-33-4B-20-1F-5F)
--

AND the occasional error like this:
---
Error: Discarding duplicate request from client localhost:58813 - ID: 19
due to unfinished request 14831
Error: WARNING: Unresponsive child (id 2954177424) for request 14832 (in
component accounting module rlm_sql)
Error: Discarding duplicate request from client localhost:33869 - ID:
151 due to unfinished request 14832
---

PHPmyadmin runtime info states that Select_full_join is 49 and that
if this value is not 0, you should carefully check the indexes of your
tables.

If the radius MySQL tables need to be indexed, which ones? radacct has
3500 records and is 1.1mb, radcheck has 9000 and is .5mb and aradacct
has 27000 and is 8mb. Are either of these that big?


I output this mysqlreport and tried to find where issues are but it's
not obvious to me:

---
MySQL 5.0.51a-3ubuntu5-  uptime 0 23:40:19  Tue Jun  7 11:23:18 2011

__ Key _
Buffer used     4.71M of  32.00M  %Used:  14.71
  Current       5.02M            %Usage:  15.70
Write hit      23.31%
Read hit       99.74%

__ Questions ___
Total         276.17k     3.2/s
  QC Hits     135.76k     1.6/s  %Total:  49.16
  Com_         49.73k     0.6/s           18.01
  COM_QUIT     46.82k     0.5/s           16.95
  DMS          44.44k     0.5/s           16.09
  -Unknown        588     0.0/s            0.21
Slow (4)        7.44k     0.1/s            2.69  %DMS:  16.74  Log:  ON
DMS            44.44k     0.5/s           16.09
  UPDATE       19.94k     0.2/s            7.22         44.87
  SELECT       19.70k     0.2/s            7.13         44.33
  DELETE        2.13k     0.0/s            0.77          4.79
  INSERT        1.69k     0.0/s            0.61          3.80
  REPLACE         987     0.0/s            0.36          2.22
Com_           49.73k     0.6/s           18.01
  change_db    46.71k     0.5/s           16.91
  show_status   1.14k     0.0/s            0.41
  set_option      729     0.0/s            0.26

__ SELECT and Sort _
Scan            6.48k     0.1/s  %SELECT:  32.91
Range           1.17k     0.0/s             5.92
Full join          47     0.0/s             0.24
Range check         0       0/s             0.00
Full rng join       0       0/s             0.00
Sort scan         737     0.0/s
Sort range        888     0.0/s
Sort mrg pass      10     0.0/s

__ Query Cache _
Memory usage  800.98k of  16.00M  %Used:   4.89
Block Fragmnt  14.25%
Hits          135.76k     1.6/s
Inserts        18.76k     0.2/s
Insrt:Prune    18.76k:1   0.2/s
Hit:Insert       7.24:1

__ Table Locks _
Waited             73     0.0/s  %Total:   0.13
Immediate

Re: Slow Mysql Queries

2011-06-06 Thread Fajar A. Nugraha
On Tue, Jun 7, 2011 at 10:54 AM, OzSpots - Carl Sawers
c...@ozspots.com.au wrote:

> SELECT radacct.UserName AS UserName
> , radcheck.Value AS Value
>
> FROM radacct
>
> left outer join radlookupnas
> ON radlookupnas.user =  radacct.UserName
> AND radlookupnas.macauth = '0'
> AND radacct.CallingStationId = '60-33-4B-20-1F-5F'
>
> left outer join radcheck
> ON radcheck.username = radacct.username
> AND radcheck.attribute='User-Password'
> WHERE radcheck.username = radlookupnas.user
>
> LIMIT 1;

(sigh)

This is obviously a custom query. Who wrote that?
You're joining three tables (radcheck, radacct, radlookupnas). While
possible, it means that as radacct gets bigger the query will be
slower.

Does the person who wrote that understand the consequences? If yes,
did that person set up the necessary measures to keep performance
acceptable (e.g. using indexes)? If not, get a DBA, have them fix it.

> -
>
> In radius.log I can see that a lot of the entries are double-ups, the
> same authentication request repeated a few times over 2 or 3 seconds:
>
> AND the occasional error like this:

No need to repeat this info over and over and over again. As
previously noted, this is a side effect of the DB being slow. It won't go
away if you don't fix the DB.

> PHPmyadmin runtime info states that Select_full_join is 49 and that
> if this value is not 0, you should carefully check the indexes of your
> tables.

Good suggestion. Did you do it?


> If the radius Mysql tables need to be indexed which ones?

That's why I repeatedly say get a dba. A dba will know what to do.

If you insist on doing it yourself anyway, here's a hint:
http://dev.mysql.com/doc/refman/5.1/en/using-explain.html
Use that on whatever slow query you have to get an idea of why it's so slow.

> radacct has
> 3500 records and is 1.1mb, radcheck has 9000 and is .5mb and aradacct
> has 27000 and is 8mb. Are either of these that big?

It's very small. I have systems with radacct as big as several million
entries per month, with tens of GB data. And it works just fine. We
have a certified MySQL DBA helping design the database structure and
queries.

> I output this mysqlreport and tried to find where issues are but it's

Here's another hint: don't expect phpmyadmin or mysqlreport to
magically show you which option to change in order to get a performance
boost.

So in summary:
- use EXPLAIN
- fix non-optimum indexes
- fix server settings (hint: convert your tables to innodb, use
reasonable innodb_buffer_pool_size)
- if you have no idea what I'm talking about, get a dba

-- 
Fajar

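As an added example (not from the thread or from the FreeRADIUS project), here is how the EXPLAIN and indexing advice above applies to the query Carl posted. Table and column names are taken from that query; radlookupnas is Carl's own table, so the index chosen for it is an assumption based on the columns the query touches.

```sql
-- Added example, not from the thread: check and index the custom lookup
-- query quoted above. radlookupnas is the poster's own table, so the index
-- on it is a guess at what the join needs (assumption).

-- Step 1: ask MySQL for the execution plan. Any row with type = ALL and
-- key = NULL is a full table scan, which is why the query gets slower as
-- radacct grows.
EXPLAIN
SELECT radacct.UserName AS UserName, radcheck.Value AS Value
FROM radacct
LEFT OUTER JOIN radlookupnas
       ON radlookupnas.user = radacct.UserName
      AND radlookupnas.macauth = '0'
      AND radacct.CallingStationId = '60-33-4B-20-1F-5F'
LEFT OUTER JOIN radcheck
       ON radcheck.username = radacct.username
      AND radcheck.attribute = 'User-Password'
WHERE radcheck.username = radlookupnas.user
LIMIT 1;

-- Step 2: indexes on the columns the joins and filters use, so each lookup
-- becomes an index seek instead of a scan. Check SHOW INDEX FROM <table>
-- first and skip any that already exist.
CREATE INDEX idx_radacct_callingstationid  ON radacct (CallingStationId);
CREATE INDEX idx_radlookupnas_user_macauth ON radlookupnas (user, macauth);
CREATE INDEX idx_radcheck_username_attr    ON radcheck (username, attribute);

-- Step 3 (optional): the WHERE clause discards every row in which the
-- outer joins produced NULLs, so the query is really an inner join and the
-- MAC-address filter belongs in WHERE. This form returns the same rows and
-- gives the optimizer a simpler plan to work with.
SELECT radacct.UserName AS UserName, radcheck.Value AS Value
FROM radacct
JOIN radlookupnas
       ON radlookupnas.user = radacct.UserName
      AND radlookupnas.macauth = '0'
JOIN radcheck
       ON radcheck.username = radacct.UserName
      AND radcheck.attribute = 'User-Password'
WHERE radacct.CallingStationId = '60-33-4B-20-1F-5F'
LIMIT 1;
```

Re-run the EXPLAIN after creating the indexes; the rows for each table should now show a key name instead of NULL and a much smaller rows estimate.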


Re: Unable to authenticate locally when remote proxy server is unavailable

2011-06-06 Thread Alan DeKok
Jyoti Chatterjee wrote:
> Actually, the requirement states that if the remote proxy server should
> authenticate all associate requests when it is up. When the remote
> proxy server is down only then the authentication can be done locally
> with the information cached from a previous successful request.

  EAP doesn't work that way.  Your requirement is impossible to implement.


> I might be able to perform local authentication for an EAP-PEAP request
> coming from the client using self-signed certificates. Do you agree?

  No.

> Is there a specific configuration that you are talking about? I was
> never able to capture status-server packets using a tool like
> ethereal.

  Did I say to use ethereal?  No.  I said to read proxy.conf.  Did you
do that?  No.

  Why?  If you're not interested in getting help on this list, don't ask
questions here.

  Alan DeKok.