Re: [freeradius+mysql]pap method

2011-08-02 Thread Arran Cudbard-Bell
Um yes, it's 'encrypted' using the shared secret between the NAS and the 
RADIUS server... this is described in RFC 2865.

On 2 Aug 2011, at 07:31, gary wrote:

 Hi All
 I configured the NAS client to use the PAP method for user authentication.
 But in the packet analysis with Wireshark it appears Encrypted.
 Is this normal, or is there an incorrect configuration on the NAS or FreeRADIUS server?
  
 111.JPG
  
  
 Best Regards
 Gary
  
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


RE: segmentation fault freeradius 2.1.7 using rlm_sql

2011-08-02 Thread Amir Tal
Upgraded freeradius to 2.1.11 (built from source)

This time it brought the whole machine down:

radiusd[8644]: segfault at 00c8 rip 2aad51190cfb rsp 
504b8770 error 4
radiusd[16348]: segfault at 00c8 rip 2afffa168cfb rsp 
46c00170 error 4
radiusd[22540]: segfault at 04b8 rip 2b10e5147850 rsp 
4707c2c8 error 4
radiusd[30297]: segfault at 00c8 rip 2b848c84bcfb rsp 
54924750 error 4
audispd invoked oom-killer: gfp_mask=0x201d2, order=0, oomkilladj=0

Call Trace:
 [800c961b] out_of_memory+0x8e/0x2f3
 [8002e3fc] __wake_up+0x38/0x4f
 [8000f625] __alloc_pages+0x27f/0x308
 [8001300a] __do_page_cache_readahead+0x96/0x179
 [80013945] filemap_nopage+0x14c/0x360
 [80008964] __handle_mm_fault+0x1fb/0x1039
 [8006720b] do_page_fault+0x4cb/0x874
 [8005dde9] error_exit+0x0/0x84

Mem-info:
Node 0 DMA per-cpu:
cpu 0 hot: high 0, batch 1 used:0
cpu 0 cold: high 0, batch 1 used:0
cpu 1 hot: high 0, batch 1 used:0
cpu 1 cold: high 0, batch 1 used:0
Node 0 DMA32 per-cpu:
cpu 0 hot: high 186, batch 31 used:18
cpu 0 cold: high 62, batch 15 used:45
cpu 1 hot: high 186, batch 31 used:31
cpu 1 cold: high 62, batch 15 used:61
Node 0 Normal per-cpu:
cpu 0 hot: high 186, batch 31 used:61
cpu 0 cold: high 62, batch 15 used:49
cpu 1 hot: high 186, batch 31 used:24
cpu 1 cold: high 62, batch 15 used:52
Node 0 HighMem per-cpu: empty
Free pages:   22180kB (0kB HighMem)
Active:535129 inactive:455633 dirty:0 writeback:0 unstable:0 free:5545 
slab:3369 mapped-file:1085 mapped-anon:990241 pagetables:5050
Node 0 DMA free:10116kB min:16kB low:20kB high:24kB active:0kB inactive:0kB 
present:9748kB pages_scanned:0 all_unreclaimable? yes
lowmem_reserve[]: 0 3000 4010 4010
Node 0 DMA32 free:10052kB min:6052kB low:7564kB high:9076kB active:1623644kB 
inactive:1405408kB present:3072160kB pages_scanned:19313612 all_unreclaimable? 
yes
lowmem_reserve[]: 0 0 1010 1010
Node 0 Normal free:2012kB min:2036kB low:2544kB high:3052kB active:508040kB 
inactive:425828kB present:1034240kB pages_scanned:2193259 all_unreclaimable? yes
lowmem_reserve[]: 0 0 0 0
Node 0 HighMem free:0kB min:128kB low:128kB high:128kB active:0kB inactive:0kB 
present:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 5*4kB 2*8kB 4*16kB 3*32kB 5*64kB 3*128kB 0*256kB 0*512kB 1*1024kB 
0*2048kB 2*4096kB = 10116kB
Node 0 DMA32: 13*4kB 4*8kB 1*16kB 13*32kB 1*64kB 0*128kB 1*256kB 0*512kB 
1*1024kB 0*2048kB 2*4096kB = 10052kB
Node 0 Normal: 17*4kB 19*8kB 0*16kB 0*32kB 0*64kB 0*128kB 1*256kB 1*512kB 
1*1024kB 0*2048kB 0*4096kB = 2012kB
Node 0 HighMem: empty
1662 pagecache pages
Swap cache: add 1095074, delete 1094514, find 2338993/2348642, race 0+1
Free swap  = 0kB
Total swap = 4096564kB
Free swap:0kB
1310720 pages of RAM
299836 reserved pages
8240 pages shared
560 pages swap cached
Out of memory: Killed process 18723, UID 95, (radiusd).



-Original Message-
From: freeradius-users-bounces+amir=ccc.co...@lists.freeradius.org 
[mailto:freeradius-users-bounces+amir=ccc.co...@lists.freeradius.org] On Behalf 
Of Alan DeKok
Sent: Wednesday, July 27, 2011 4:33 PM
To: FreeRadius users mailing list
Subject: Re: segmentation fault freeradius 2.1.7 using rlm_sql

Amir Tal wrote:
 For some unknown reason radiusd keeps getting segmentation faults, every few 
 days and even after several hours of work.

  Upgrade.

  Alan DeKok.


Re: segmentation fault freeradius 2.1.7 using rlm_sql

2011-08-02 Thread Arran Cudbard-Bell

On 2 Aug 2011, at 09:27, Amir Tal wrote:

 Upgraded freeradius to 2.1.11 (built from source)

Don't use 2.1.11, it segfaults; check out the head of the 2.1.X branch in git.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



Re: [freeradius+mysql]pap method

2011-08-02 Thread gary
Hi All
Thanks very much for your reply.

Best Regards
Gary
 
  - Original Message - 
  From: Arran Cudbard-Bell 
  To: FreeRadius users mailing list 
  Sent: Tuesday, August 02, 2011 2:54 PM
  Subject: Re: [freeradius+mysql]pap method


  Um yes, it's 'encrypted' using the shared secret between the NAS and the 
RADIUS server... this is described in RFC 2865.


  On 2 Aug 2011, at 07:31, gary wrote:


Hi All
I configured the NAS client to use the PAP method for user authentication.
But in the packet analysis with Wireshark it appears Encrypted.
Is this normal, or is there an incorrect configuration on the NAS or FreeRADIUS server?

111.JPG


Best Regards
Gary
 


  Arran Cudbard-Bell
  a.cudba...@freeradius.org


  RADIUS - Half the complexity of Diameter




--



Re: segmentation fault freeradius 2.1.7 using rlm_sql

2011-08-02 Thread Fajar A. Nugraha
On Tue, Aug 2, 2011 at 2:27 PM, Amir Tal a...@ccc.co.il wrote:
 Upgraded freeradius to 2.1.11 (built from source)

 This time it brought the whole machine down:

Notice how I DIDN'T suggest upgrading to 2.1.11, but to v2.1.x of git
branch? There's a reason for that, and you just found out the hard
way.

-- 
Fajar


Re: [PATCH] Adding new attributes to the ERX dictionary

2011-08-02 Thread Arran Cudbard-Bell
Hi Bjørn,

Could you please resubmit this via GitHub.

http://wiki.freeradius.org/GitHub

Many Thanks,
Arran

On 1 Aug 2011, at 11:16, Bjørn Mork wrote:

 This should make it compatible with JUNOSe version 12.1.1
 and JUNOS version 11.2.
 
 Signed-off-by: Bjørn Mork bj...@mork.no
 ---
 share/dictionary.erx |8 
 1 files changed, 8 insertions(+), 0 deletions(-)
 
 diff --git a/share/dictionary.erx b/share/dictionary.erx
 index 93584d2..7b84f0c 100644
 --- a/share/dictionary.erx
 +++ b/share/dictionary.erx
 @@ -11,6 +11,7 @@
 # This dictionary applies to access services on Juniper JUNOS (M/MX)
 # based platforms as well as JUNOSe, although some of the attributes
 # have been given new names on JUNOS:
 +#
 http://www.juniper.net/techpubs/software/junos/junos112/radius-dictionary/unisphereDictionary_for_JUNOS_v11-2.dct
 # 
 http://www.juniper.net/techpubs/en_US/junos10.3/topics/reference/general/aaa-subscriber-access-radius-vsa.html
 #
 # In this file, we keep the ERX prefix and the JUNOSe attribute names
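Review bot: the new comment line cites only the JUNOS 11.2 dictionary, while the commit message claims compatibility with JUNOSe 12.1.1 as well; add the JUNOSe 12.1.1 reference too (or state which of the two sources each new attribute was taken from) so that the numbers and data types added below can be checked against the vendor document later.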
 @@ -168,6 +169,7 @@ ATTRIBUTE ERX-MLD-No-Tracking-V1-Grps 105 
 integer
 ATTRIBUTE ERX-IPv6-Ingress-Policy-Name106 string
 ATTRIBUTE ERX-IPv6-Egress-Policy-Name 107 string
 ATTRIBUTE ERX-CoS-Shaping-Pmt-Type108 string
 +ATTRIBUTEERX-DHCP-Guided-Relay-Server109 ipaddr
 
 ATTRIBUTE ERX-Acc-Loop-Cir-Id 110 string
 ATTRIBUTE ERX-Acc-Aggr-Cir-Id-Bin 111 octets
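Review bot: ERX-DHCP-Guided-Relay-Server 109 is typed ipaddr, and the number correctly fills the gap between 108 and 110, but the data type is the one thing that cannot be verified from this file; please confirm against the vendor dictionary linked in the header comment that 109 is an IPv4 address rather than a string or octets value, because a wrong type here makes the server silently misparse every packet carrying the VSA instead of failing loudly.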
 @@ -201,7 +203,9 @@ ATTRIBUTE ERX-Max-Clients-Per-Interface   143 
 integer
 ATTRIBUTE ERX-PPP-Monitor-Ingress-Only144 integer
 
 ATTRIBUTE ERX-CoS-Scheduler-Pmt-Type  146 string
 +ATTRIBUTEERX-Backup-Address-Pool 147 string
 
 +ATTRIBUTEERX-ICR-Partition-Id150 string
 ATTRIBUTE ERX-IPv6-Acct-Input-Octets  151 integer
 ATTRIBUTE ERX-IPv6-Acct-Output-Octets 152 integer
 ATTRIBUTE ERX-IPv6-Acct-Input-Packets 153 integer
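Review bot: the two additions leave 148 and 149 undefined between ERX-Backup-Address-Pool 147 and ERX-ICR-Partition-Id 150; if those numbers are reserved or deprecated in the vendor dictionary, a one-line comment saying so would stop the next contributor from reusing them, and if they are defined they belong in this same change.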
 @@ -209,6 +213,10 @@ ATTRIBUTEERX-IPv6-Acct-Output-Packets
 154 integer
 ATTRIBUTE ERX-IPv6-Acct-Input-Gigawords   155 integer
 ATTRIBUTE ERX-IPv6-Acct-Output-Gigawords  156 integer
 ATTRIBUTE ERX-IPv6-NdRa-Pool-Name 157 string
 +ATTRIBUTEERX-PppoE-Padn  158 string
 +ATTRIBUTEERX-Dhcp-Option-82  159 octets
 +ATTRIBUTEERX-Vlan-Map-Id 160 integer
 +ATTRIBUTEERX-IPv6-Delegated-Pool-Name161 string
 
 
 #
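Review bot: the capitalisation of the new names is inconsistent with the rest of the file and with this patch's own earlier hunk: ERX-Dhcp-Option-82 and ERX-PppoE-Padn versus ERX-DHCP-Guided-Relay-Server and the ERX-IPv6-* entries. Attribute names are matched case-insensitively, but unlang policies and SQL rows written elsewhere will carry whichever spelling ships here, so please use the existing ERX-DHCP- / ERX-IPv6- style (ERX-DHCP-Option-82, ERX-PPPoE-Padn) before this is merged.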
 -- 
 1.7.2.5
 

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




RE: segmentation fault freeradius 2.1.7 using rlm_sql

2011-08-02 Thread Amir Tal
This is a production server,
What is the latest stable version to use?

Amir.


-Original Message-
From: freeradius-users-bounces+amir=ccc.co...@lists.freeradius.org 
[mailto:freeradius-users-bounces+amir=ccc.co...@lists.freeradius.org] On Behalf 
Of Fajar A. Nugraha
Sent: Tuesday, August 02, 2011 11:02 AM
To: FreeRadius users mailing list
Subject: Re: segmentation fault freeradius 2.1.7 using rlm_sql

On Tue, Aug 2, 2011 at 2:27 PM, Amir Tal a...@ccc.co.il wrote:
 Upgraded freeradius to 2.1.11 (built from source)

 This time it brought the whole machine down:

Notice how I DIDN'T suggest upgrading to 2.1.11, but to v2.1.x of git branch? 
There's a reason for that, and you just found out the hard way.

--
Fajar


Re: segmentation fault freeradius 2.1.7 using rlm_sql

2011-08-02 Thread Arran Cudbard-Bell

On 2 Aug 2011, at 12:07, Amir Tal wrote:

 This is a production server,
 What is the latest stable version to use?

2.1.x head, it'll soon be tagged as 2.1.12. All the dangerous stuff goes on in 
the master branch, the 2.1.X branch is relatively stable.

-Arran

 
 Amir.
 
 
 -Original Message-
 From: freeradius-users-bounces+amir=ccc.co...@lists.freeradius.org 
 [mailto:freeradius-users-bounces+amir=ccc.co...@lists.freeradius.org] On 
 Behalf Of Fajar A. Nugraha
 Sent: Tuesday, August 02, 2011 11:02 AM
 To: FreeRadius users mailing list
 Subject: Re: segmentation fault freeradius 2.1.7 using rlm_sql
 
 On Tue, Aug 2, 2011 at 2:27 PM, Amir Tal a...@ccc.co.il wrote:
 Upgraded freeradius to 2.1.11 (built from source)
 
 This time it brought the whole machine down:
 
 Notice how I DIDN'T suggest upgrading to 2.1.11, but to v2.1.x of git branch? 
 There's a reason for that, and you just found out the hard way.
 
 --
 Fajar
 

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: [PATCH] Adding new attributes to the ERX dictionary

2011-08-02 Thread Bjørn Mork
Arran Cudbard-Bell a.cudba...@freeradius.org writes:

 Hi Bjørn,

 Could you please resubmit this via GitHub.

 http://wiki.freeradius.org/GitHub

Done.  Thanks for the excellent instructions.  

One question I didn't find the answer to though: Should I rebase patches
like this for all active branches (currently master and v2.1.x?) and
send a pull request for each of them?  Or should I just send one pull
request based on the master branch and assume that you will
automatically merge all relevant patches into v2.1.x as well?



Bjørn


Forwarding Accounting Packets

2011-08-02 Thread Tonna, Andrew, VF-MT
Hi

 

I am trying to set up the RADIUS server so that it forwards all
accounting packets to a remote RADIUS server without having to wait for a
reply.

I set it up using the copy-acct-to-home-server, proxy.conf and detail
files in the modules directory.

I've got one problem however: whenever the remote RADIUS server becomes
unavailable and then comes back up, my RADIUS server stops forwarding and
never marks it as alive again.

At this point the remote server is marked as zombie, and remains marked
as zombie indefinitely, even when it becomes reachable.

I am using FreeRADIUS 2.1.7 with the following parameters for the home
server in the proxy.conf file:

   response_window = 8
   zombie_period = 40
   revive_interval = 120
   status_check = none

With these parameters my understanding is that if the local RADIUS server
doesn't receive an accounting response from the remote server within 8
seconds it will mark it as a zombie; after a further 40 seconds it
should mark it as dead; then after 120 seconds it should mark it alive
again. However, I never see it being marked as alive again.

Is there something I'm doing wrong? Or an alternate option?

 

Thanks and regards,

 

Andrew

 

 

-
Vodafone
-

This email is intended only for the use of individuals to whom it is addressed, 
as it may contain confidential or privileged information. If you are not a 
named addressee, intended recipient, or the person responsible for delivering 
the message to the named addressee, be advised that you have received this 
email in error and that you should not disseminate, distribute, print, copy 
this mail or otherwise divulge its contents. In such instances, please notify 
Vodafone Malta Limited on telephone number +356 9247 and delete this email 
from your system. Since this transmission was affected via email, Vodafone 
Malta Limited cannot guarantee that it is secure or error-free as information 
could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or 
contain viruses. Vodafone Malta Limited does not accept liability for any 
errors or omissions in the contents of this message which arise as a result of 
email transmission.

Save the environment for our children - Print e-mail only when necessary.
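The alive / zombie / dead cycle Andrew describes is driven by the three timers he lists. The following added example (not FreeRADIUS code, and not from the thread) is a simplified model of that state machine with `status_check = none`, using his values, so the expected transition times can be read off and compared with what the server actually logs. The class, method and request-id names are invented for the illustration; the real server also keeps proxying to a zombie at lower preference, which this model ignores.

```python
"""Simplified model of a proxy.conf home_server's liveness timers
(response_window, zombie_period, revive_interval) with status_check = none.

Added example, not FreeRADIUS source: times are seconds from the first
unanswered request; HomeServer, send/receive/tick and the request ids are
constructed for the illustration.
"""


class HomeServer:
    ALIVE, ZOMBIE, DEAD = "alive", "zombie", "dead"

    def __init__(self, response_window, zombie_period, revive_interval):
        self.response_window = response_window
        self.zombie_period = zombie_period
        self.revive_interval = revive_interval
        self.state = self.ALIVE
        self.state_since = 0
        self.awaiting = {}        # request id -> time it was sent
        self.transitions = []     # (time, old state, new state), what you'd want logged

    def _set(self, state, now):
        if state != self.state:
            self.transitions.append((now, self.state, state))
            self.state, self.state_since = state, now

    def send(self, req_id, now):
        """Proxy a request; a dead server gets nothing until it is revived."""
        if self.state == self.DEAD:
            return False
        self.awaiting[req_id] = now
        return True

    def receive(self, req_id, now):
        """Any reply to an outstanding request brings a zombie back to alive."""
        if self.awaiting.pop(req_id, None) is not None:
            self._set(self.ALIVE, now)

    def tick(self, now):
        """Advance the clock: response_window -> zombie, zombie_period -> dead,
        revive_interval -> alive again (no status checks are sent)."""
        if self.state == self.ALIVE:
            if any(now - t >= self.response_window for t in self.awaiting.values()):
                self._set(self.ZOMBIE, now)
        elif self.state == self.ZOMBIE:
            if now - self.state_since >= self.zombie_period:
                self._set(self.DEAD, now)
                self.awaiting.clear()
        elif self.state == self.DEAD:
            if now - self.state_since >= self.revive_interval:
                self._set(self.ALIVE, now)
        return self.state


def expected_timeline(response_window=8, zombie_period=40, revive_interval=120):
    """One request at t=0 is never answered: when does each transition happen?"""
    hs = HomeServer(response_window, zombie_period, revive_interval)
    hs.send(1, 0)
    for t in range(0, 200):
        hs.tick(t)
    return hs.transitions


def reply_during_zombie(response_window=8, zombie_period=40, revive_interval=120):
    """Same, but the remote answers at t=20, inside the zombie window."""
    hs = HomeServer(response_window, zombie_period, revive_interval)
    hs.send(1, 0)
    for t in range(0, 20):
        hs.tick(t)
    hs.receive(1, 20)
    for t in range(20, 200):
        hs.tick(t)
    return hs.transitions


if __name__ == "__main__":
    for when, old, new in expected_timeline():
        print(f"t={when:>3}s  {old} -> {new}")
```

With Andrew's numbers the model goes zombie at 8 s, dead at 48 s and alive again at 168 s; a reply that arrives while the server is still a zombie revives it immediately, but once it is dead only `revive_interval` can. If the real server logs a zombie transition and then nothing further, the dead and revive steps are what to look for in the debug output.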

Re: [PATCH] Adding new attributes to the ERX dictionary

2011-08-02 Thread Alan DeKok
Bjørn Mork wrote:
 One question I didn't find the answer to though: Should I rebase patches
 like this for all active branches (currently master and v2.1.x?) and
 send a pull request for each of them?  Or should I just send one pull
 request based on the master branch and assume that you will
 automatically merge all relevant patches into v2.1.x as well?

  Merging the changes is easy.  Just do it for one branch.

  Alan DeKok.

Re: Forwarding Accounting Packets

2011-08-02 Thread Alan DeKok
Tonna, Andrew, VF-MT wrote:
 I am trying to set up the radius server so that it forwards all
 accounting packet to a remote radius server without having to wait for
 reply.

  Use version 2.1.11 (or git v2.1.x branch), and see src/modules/replicate

  Alan DeKok.


RE: Forwarding Accounting Packets

2011-08-02 Thread Tonna, Andrew, VF-MT
Thanks.

Andrew

-Original Message-
From:
freeradius-users-bounces+andrew.tonna=vodafone@lists.freeradius.org
[mailto:freeradius-users-bounces+andrew.tonna=vodafone.com@lists.freerad
ius.org] On Behalf Of Alan DeKok
Sent: Tuesday, August 02, 2011 1:53 PM
To: FreeRadius users mailing list
Subject: Re: Forwarding Accounting Packets

Tonna, Andrew, VF-MT wrote:
 I am trying to set up the radius server so that it forwards all
 accounting packet to a remote radius server without having to wait for
 reply.

  Use version 2.1.11 (or git v2.1.x branch), and see
src/modules/replicate

  Alan DeKok.


coova-chilli + freeradius + kerberos

2011-08-02 Thread Massimiliano Tommasi
Hi All,
is it possible to send the password from coova-chilli (for example) in
CHAP or MSCHAPv2 format to authenticate the clients on Kerberos through
FreeRADIUS?

Is it possible to do it without plain-text password?

Let me know, please.

Max


Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Palmer J.D.F.
Hi,

Further to my last foray onto the list regarding SoH, I'm looking to
commit the returned SoH info to the radius database using FreeRADIUS'
sql connection.

I could be well off target here, but please humour me, so far I have...

Created a table 'radsoh', and declared this inside sql.conf. 
Added a query (soh_query) to dialup.conf; at present this simply
inserts User-Name into the table.
Declared soh_query in rlm_sql/conf.h
Declared soh_query in the 'module_config' section of rlm_sql.c
Declared a function, rlm_sql_soh, which is essentially a copy of
rlm_sql_postauth into rlm_sql.c.
Added rlm_sql_soh to the export section of rlm_sql.c.

It compiles and runs, but here is where I run out of ideas.

Presuming I'm on the right track, what else is required to enable the
query, and how would I make the call to execute the query? 
Ideally the call should be made from within the SoH virtual server defined
in raddb/sites-enabled.

Thanks,
Jezz.


Jezz Palmer
Information Services and Systems
Swansea University
Singleton Park
Swansea
SA2 8PP









Re: coova-chilli + freeradius + kerberos

2011-08-02 Thread Alan DeKok
Massimiliano Tommasi wrote:
 Hi All,
 is it possible to send the password from coova-chilli (for example) in
 CHAP or MSCHAPv2 format to authenticate the clients on Kerberos through
 FreeRADIUS?
 
 Is it possible to do it without plain-text password?

  No.

  Alan DeKok.


Re: Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Alan DeKok
Palmer J.D.F. wrote:
 Further to my last foray onto the list regarding SoH, I'm looking to
 commit the returned SoH info to the radius database using FreeRADIUS'
 sql connection.

  It's just attributes.

 I could be well off target here, but please humour me, so far I have...
 
 Created a table 'radsoh', and declared this inside sql.conf. 

  OK...

 Added a query (soh_query) to dialup.conf; at present this simply
 inserts User-Name into the table.

  Uh... that won't work.

 Declared soh_query in rlm_sql/conf.h
 Declared soh_query in the 'module_config' section of rlm_sql.c
 Declared a function, rlm_sql_soh, which is essentially a copy of
 rlm_sql_postauth into rlm_sql.c.
 Added rlm_sql_soh to the export section of rlm_sql.c.

 And all of that is unnecessary.

 It compiles and runs, but here is where I run out of ideas.
 
 Presuming I'm on the right track, what else is required to enable the
 query, and how would I make the call to execute the query? 
 Ideally the call should be made from within the SoH virtual server defined
 in raddb/sites-enabled.

  Read raddb/sites-available/soh.  The server runs an authorize
section.  This is *exactly* like the normal authorize section for a
RADIUS packet.  Just configure the authorize queries, and go.

  No source code mods are needed.

  Alan DeKok.


Re: Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Arran Cudbard-Bell

On 2 Aug 2011, at 15:07, Alan DeKok wrote:

 Palmer J.D.F. wrote:
 Further to my last foray onto the list regarding SoH, I'm looking to
 commit the returned SoH info to the radius database using FreeRADIUS'
 sql connection.
 
  It's just attributes.

just use sql xlat...

update request {
	# the sql xlat runs the INSERT; its (empty) result lands in a scratch attribute
	Tmp-String-1 := "%{sql:INSERT INTO ...}"
}


Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



RE: Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Palmer J.D.F.
  Palmer J.D.F. wrote:
   Further to my last foray onto the list regarding SoH, I'm looking to
   commit the returned SoH info to the radius database using FreeRADIUS'
   sql connection.
 
   It's just attributes.
 
 just use sql xlat...
 
 update request {
   Tmp-String-1 := %{sql:INSERT INTO ...}
 }
 

Didn't think xlat could do inserts and updates?

Cheers,
Jezz.



Re: segmentation fault freeradius 2.1.7 using rlm_sql

2011-08-02 Thread John Dennis

Upgraded freeradius to 2.1.11 (built from source)



Don't use 2.1.11, it segfaults; check out the head of the 2.1.X branch in git.



Notice how I DIDN'T suggest upgrading to 2.1.11, but to v2.1.x of git
branch? There's a reason for that, and you just found out the hard
way.



Houston, we have a problem ;-)

This is not the first time a FreeRADIUS release was not ready for 
production when it was released. Those of us who package upstream 
projects for distribution worry a lot about stability and robustness. 
I've said this before so forgive me, but I'm going to reiterate it 
again. Please don't get mad at the messenger, I have only the best 
intentions with these observations.


FreeRADIUS has some problems which other projects have avoided.

* FreeRADIUS has no notion of a stable release. Many projects maintain 
both a stable production version and a current version (which is not the 
same as the tip, rather it's tagged in source code control, tested and 
released just like any other release, it's just got a few more features 
than the rock solid stable release). The rock solid stable release has 
been field proven, should have the absolute confidence of system 
administrators and be viable for multiple years (in other words you can 
install it and be confident once it's put in production you're good to 
go for several years). Occasionally a stable release needs a bug or 
security fix. When that occurs the stable release is surgically modified 
to fix exactly that one issue, and its minor version number is bumped. 
System administrators are never told to upgrade to a significant new 
version because of the bug/security issue, instead they reinstall a 
patched version of stable.


* FreeRADIUS has way too much churn for a critical system service. Think 
about other system services, how often do you see kerberos, bind, 
iptables, pam, MySQL, etc. going through significant revisions? Are the 
administrators of those services constantly being told to upgrade the 
service because of the bug/feature du jour?


* The QE component of FreeRADIUS has proven to be inadequate. I know 
Alan runs a set of tests and he calls for testing prior to a new 
release. But we've seen the amount of testing which actually occurs is 
inadequate because releases have gone out with significant problems and 
those releases have gotten pushed into production. I think part of the 
problem is the frequent release schedule (measured in months) and the 
lack of a coordinated beta testing program. Releases should not occur 
until after they've successfully navigated a beta program.


I humbly would suggest the following:

* Create and maintain a stable version.

* Organize a rigorous beta test program.

* Slow down the release schedule, avoid the temptation to cut a new 
release because of minor new features. If production servers can't run 
successfully without a feature that's an indication the prior release 
was too hasty. Critical bug fixes should occur in the release branch and 
the release branch re-released. The release interval for a system 
service like FreeRADIUS should be measured in years, not months or weeks.


Comments? Thoughts? Do you agree/disagree?

John

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Arran Cudbard-Bell

On 2 Aug 2011, at 15:44, Palmer J.D.F. wrote:

 Palmer J.D.F. wrote:
 Further to my last foray onto the list regarding SoH, I'm looking to
 commit the returned SoH info to the radius database using FreeRADIUS'
 sql connection.
 
 It's just attributes.
 
 just use sql xlat...
 
 update request {
  Tmp-String-1 := %{sql:INSERT INTO ...}
 }
 
 
 Didn't think xlat could do inserts and updates?

I wrote the patch to add the functionality and it's been in the server code for 
about the past three years :)

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




RE: Implementing SQL Insert/logging for SoH.

2011-08-02 Thread Palmer J.D.F.
  Didn't think xlat could do inserts and updates?
 
 I wrote the patch to add the functionality and it's been in the server
 code for about the past three years :)

Good stuff. :)

The source of rlm_sql.c still states only ...
*  sql xlat function. Right now only SELECTs are supported.

We'd already tried - Tmp-String-5  := %{sql:INSERT into radsoh
(sid,data) VALUES (NULL,'ss');} - but it wasn't encapsulated in an
'update request {.. ..}' statement so failed, schoolboy error.  
I did some digging on the interweb which said INSERTs were not possible, then
read the above comment in the 2.1.11 source, so gave up on xlat then.

All sorted now though.

Thanks,
Jezz.

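Putting Arran's sql-xlat advice and Jezz's finding together (the INSERT only worked once it sat inside an `update` block), here is an added example of a soh virtual server authorize section that records the SoH result. It is not Arran's snippet and not the config shipped with FreeRADIUS: the `radsoh` columns are assumed (Jezz's table layout is not shown in the thread), and the `SoH-MS-*` attribute names are the ones in the 2.1.x `share/dictionary.freeradius.internal`, which you should confirm with `grep SoH share/dictionary.freeradius.internal` before copying.

```unlang
# Added example, not the project's shipped raddb/sites-available/soh.
# Table radsoh and its columns (username, machine, health) are assumed.
server soh {
	authorize {
		# The xlat must be double-quoted and must sit inside an update
		# block; the INSERT returns nothing, so park it in a scratch
		# attribute that nothing else reads.
		# Attribute values nested inside the sql xlat go through rlm_sql's
		# escape function before being spliced into the statement, so the
		# client-supplied SoH strings do not break out of the quotes.
		update request {
			Tmp-String-1 := "%{sql:INSERT INTO radsoh (username, machine, health) VALUES ('%{User-Name}', '%{SoH-MS-Machine-Name}', '%{SoH-MS-Windows-Health-Status}')}"
		}
	}
}
```

Because the write happens through the same `sql` module instance as the rest of the server, give that database account only the privileges it needs (INSERT on `radsoh`, SELECT on the authorization tables) rather than reusing an account that can also alter `radcheck`.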


max users in radius

2011-08-02 Thread ANGEL RICO GUZMAN
Hello all!

I'm a beginner on RADIUS.
I will install RADIUS on two systems: Windows and Linux (each one in a
separate network and different environment).

my question: How many concurrent users can be authenticated on RADIUS?
Where can I see the RADIUS restrictions?
Is there an academic version of RADIUS? (I work at a university.)

Thanks in advance.

Regards.

Re: max users in radius

2011-08-02 Thread Alan Buxey
Hi,

my question : How many concurrent users can be authenticated on radius?
where can I see the radius restrictions ?

concurrent users or authentications per second?  once a user authenticates
then they are online for as long as their session before a reauth (unless
session-timeout is varies, or CoA used etc).

Is there a academic version of radius? ( I work in an University )

errr? this is FreeRADIUS  ;-)

alan

Re: segmentation fault freeradius 2.1.7 using rlm_sql

2011-08-02 Thread Alan DeKok
John Dennis wrote:
 FreeRADIUS has some problems which other projects have avoided.

  Sure.  The reasons are pretty straightforward.  The contribution from
the community is small.  The people who contribute get few rewards, and
lots of arrows.  The people who complain don't contribute.

  It's really that simple.  All of the rest you posted below is
engineering process.  It's all nice.  But it requires someone to do the
work.  And I don't see anyone volunteering.  The few times I've asked,
everyone says they're busy.

 * FreeRADIUS has no notion of a stable release. Many projects maintain
 both a stable production version and a current version (which is not the
 same as the tip, rather it's tagged in source code control, tested and
 released just like any other release, it's just got a few more features
 than the rock solid stable release). The rock solid stable release has
 been field proven, should have the absolute confidence of system
 administrators and be viable for multiple years (in other words you can
 install it and be confident once it's put in production you're good to
 go for several years). Occasionally a stable release needs a bug or
 security fix. When that occurs the stable release is surgically modified
 to fix exactly that one issue, and its minor version number is bumped.
 System administrators are never told to upgrade to a significant new
 version because of the bug/security issue, instead they reinstall a
 patched version of stable.

  Great.  That's done with 1.1.x.  Who's going to do it for 2.x?

 * FreeRADIUS has way too much churn for a critical system service. Think
 about other system services, how often do you see kerberos, bind,
 iptables, pam, MySQL, etc. going through significant revisions? Are the
 administrators of those services constantly being told to upgrade the
 service because of the bug/feature du jour?

  Git is useful here.  The difference between 2.1.10 and 2.1.11 is 4K
LoC added, ~1K deleted, out of more than 80K.  That's less than 5%.  And
a lot of that is adding extern C headers to files.

 * The QE component of FreeRADIUS has proven to be inadequate. I know
 Alan runs a set of tests and he calls for testing prior to a new
 release. But we've seen the amount of testing which actually occurs is
 inadequate because releases have gone out with significant problems and
 those releases have gotten pushed into production. I think part of the
 problem is the frequent release schedule (measured in months) and the
 lack of a coordinated beta testing program. Releases should not occur
 until after they've successfully navigated a beta program.

  Great.  Help.

 I humbly would suggest the following:
 
 * Create and maintain a stable version.

  Perhaps.  I plan on releasing 3.0 within a few months.  The 2.1.x
branch can then be re-labeled 2.2.0.  It can be marked stable, if
someone is willing to put work into maintaining it.

  And we're already doing this for 1.1.x.  It works, it's shipped in
many legacy packages.  It hasn't changed in years.

 * Organize a rigorous beta test program.

  crickets

  Right.  Lots of volunteers there.

 * Slow down the release schedule, avoid the temptation to cut a new
 release because of minor new features. If production servers can't run
 successfully without a feature that's an indication the prior release
 was too hasty. Critical bug fixes should occur in the release branch and
 the release branch re-released. The release interval for a system
 service like FreeRADIUS should be measured in years, not months or weeks.

  Absolutely not.  There are a TON of changes being made to RADIUS.
It's simply not feasible to have release intervals of years.

  And let me remind you: we DO have a stable release with a release
interval of years.  What happens?  People don't even use the most recent
version of that (1.1.8).  Instead, they use an older version (1.1.3),
because that's the only thing that THEIR OS VENDOR SUPPORTS.

  Hint?

  Then they ask for help here.  It's ridiculous.

  I'll bet RH is making more money off of FreeRADIUS than I am.  So if
you want a stable release, contribute.  Otherwise, I'm tired of the
complaints.

  You've sent me email off-list complaining that YOUR CUSTOMERS are
upset about the quality of the FR documentation.  Fine.  When I asked if
you were willing to pay for better documentation, you didn't respond.

  And again here, you've posted a long message detailing work that
*other people* are supposed to do.  There is a conspicuous failure to
volunteer for ANY of the things on your list.  So... thanks for the
contribution.  Doing what you want (for free) is not really high on my
list of priorities.

  I'll do what I can to make FR better.  But that's only because I want
to, and I'm spending *my* hard-earned money to do so.

  i.e. I'm putting MY money where my mouth is.  I invite others to do
the same.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: max users in radius

2011-08-02 Thread ANGEL RICO GUZMAN
 Hello Alan.

 Thank you for your support.
 At this moment I don't think authentications per second matter.

 So, I suppose that there isn't a limit on concurrent users... right?

 Regards.

On Tue, Aug 2, 2011 at 3:10 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 my question: How many concurrent users can be authenticated on
 radius?
 where can I see the radius restrictions ?

 concurrent users or authentications per second?  once a user authenticates
 then they are online for as long as their session before a reauth (unless
 session-timeout varies, or CoA is used, etc).

 Is there an academic version of radius? ( I work in a University )

 errr? this is FreeRADIUS  ;-)

 alan
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: max users in radius

2011-08-02 Thread Fajar A. Nugraha
On Wed, Aug 3, 2011 at 4:37 AM, ANGEL RICO GUZMAN angel.r...@upaep.mx wrote:

  Hello Alan.

  Thank you for your support.
  At this moment I don't think authentications per second matter.

  So, I suppose that there isn't a limit on concurrent users... right?

Short version: yes.

Long version: depends.

Some setups use interim-update, where the NAS sends accounting
packets to radius at a specified time interval for every connected
user. Each accounting packet usually equals one disk write (either
to the detail file or to the database). While freeradius itself doesn't
enforce a hard limit, your disk will most likely be the limiting factor,
since it has limited IOPS. So if you use a short interim update interval
(e.g. 5 minutes), log accounting packets to a database, and have slow
disks, you'll probably see a practical limit on the number of concurrent
users before the radius server becomes unbearably slow.
Again, the limit is not in freeradius.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rml_perl is not adding attributes to Access-accept

2011-08-02 Thread Igor Xpinha
I'm new to FreeRADIUS and was initially exploring simple things, such
as add attributes to an Access-Accept message.

My problem is that the perl script is not being able to access (ie
print) values from RAD_REQUEST nor add pairs to RAD_REPLY.

The following script:

*** start of example.pl script ***
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
#
#  Copyright 2002  The FreeRADIUS server project
#  Copyright 2002  Boian Jordanov bjorda...@orbitel.bg
#

#
# Example code for use with rlm_perl
#
# You can use every module that comes with your perl distribution!
#
# If you are using DBI and do some queries to DB, please be sure to
# use the CLONE function to initialize the DBI connection to DB.
#

use strict;
# use ...
# This is very important! Without this the script will not get the filled
# hashes from main.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
#use Data::Dumper;

# This is the hash which holds the original request from radius
my %RAD_REQUEST;
# In this hash you add values that will be returned to the NAS.
my %RAD_REPLY;
# This is for check items
my %RAD_CHECK;

#
# This is the remapping of return values
#
use constant RLM_MODULE_REJECT   => 0; # /* immediately reject the request */
use constant RLM_MODULE_FAIL     => 1; # /* module failed, don't reply */
use constant RLM_MODULE_OK       => 2; # /* the module is OK, continue */
use constant RLM_MODULE_HANDLED  => 3; # /* the module handled the request, so stop. */
use constant RLM_MODULE_INVALID  => 4; # /* the module considers the request invalid. */
use constant RLM_MODULE_USERLOCK => 5; # /* reject the request (user is locked out) */
use constant RLM_MODULE_NOTFOUND => 6; # /* user not found */
use constant RLM_MODULE_NOOP     => 7; # /* module succeeded without doing anything */
use constant RLM_MODULE_UPDATED  => 8; # /* OK (pairs modified) */
use constant RLM_MODULE_NUMCODES => 9; # /* How many return codes there are */

# Function to handle authorize
sub authorize {
    # For debugging purposes only
    &log_request_attributes;

    # Here's where your authorization code comes
    # You can call another function from here:
    &test_call;

    return RLM_MODULE_OK;
}

# Function to handle authenticate
sub authenticate {
    # For debugging purposes only
    &log_request_attributes;

    print "* testing auth\n";
    print $RAD_REQUEST{'User-Name'};
    print "\n **\n";

    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # Accept user and set some attribute
        $RAD_REPLY{'h323-credit-amount'} = "100";
        return RLM_MODULE_OK;
    }
}

# Function to handle preacct
sub preacct {
    # For debugging purposes only
    &log_request_attributes;

    return RLM_MODULE_OK;
}

# Function to handle accounting
sub accounting {
    print "* accounting\n";
    # For debugging purposes only
    &log_request_attributes;

    # You can call another subroutine from here
    &test_call;

    return RLM_MODULE_OK;
}

sub accounting_start {
    print "* accounting_start\n";
    return RLM_MODULE_OK;
}

sub accounting_stop {
    print "* accounting_stop\n";
    return RLM_MODULE_OK;
}

# Function to handle checksimul
sub checksimul {
    # For debugging purposes only
    &log_request_attributes;

    return RLM_MODULE_OK;
}

# Function to handle pre_proxy
sub pre_proxy {
    # For debugging purposes only
    &log_request_attributes;

    return RLM_MODULE_OK;
}

# Function to handle post_proxy
sub post_proxy {
    # For debugging purposes only
    &log_request_attributes;

    return RLM_MODULE_OK;
}

# Function to handle post_auth
sub post_auth {
    # For debugging purposes only
    &log_request_attributes;

    return RLM_MODULE_OK;
}

# Function to handle xlat
sub xlat {
# For 

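The posted script declares `my %RAD_REQUEST`, `my %RAD_REPLY` and `my %RAD_CHECK` at file scope after `use vars`; those lexicals hide the package globals that rlm_perl actually fills, which produces exactly the symptom described (an empty request, and reply pairs that never reach the server). The following added example, which is not from the original post or the FreeRADIUS tree, shows the working form and the shadowed form side by side under a constructed stand-in for the server; `run_as_server` and its sample request are assumptions.

```perl
# Added example (not from the original post or the FreeRADIUS tree):
# how rlm_perl shares the request with the script, and why a lexical
# "my %RAD_REQUEST" makes the script see an empty request.
use strict;
use warnings;

# rlm_perl fills %main::RAD_REQUEST before calling the sub and reads
# %main::RAD_REPLY back afterwards; "use vars" declares those package
# globals so "use strict" accepts them by their short names.
use vars qw(%RAD_REQUEST %RAD_REPLY);

use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_UPDATED => 8;

# Correct form: reads and writes the package globals.
sub authorize_ok {
    my $user = $RAD_REQUEST{'User-Name'} // '';
    return RLM_MODULE_REJECT if $user =~ /^baduser/i;
    $RAD_REPLY{'Reply-Message'}      = "Welcome $user";
    $RAD_REPLY{'h323-credit-amount'} = "100";
    return RLM_MODULE_UPDATED;
}

# Broken form: a "my" of the same name (file scope in the posted script,
# sub scope here) is a fresh, empty lexical that hides the package global,
# so the request looks empty and the reply pairs never reach the server.
sub authorize_shadowed {
    my %RAD_REQUEST;
    my %RAD_REPLY;
    my $user = $RAD_REQUEST{'User-Name'} // '';
    $RAD_REPLY{'Reply-Message'} = "Welcome $user";
    return RLM_MODULE_UPDATED;
}

# Constructed stand-in for the server side (assumption, not rlm_perl's
# code): load an Access-Request into the package global, call the handler,
# and report the return code and reply pairs the server would see.
sub run_as_server {
    my ($handler) = @_;
    %main::RAD_REQUEST = ('User-Name' => 'alice', 'NAS-IP-Address' => '192.0.2.1');
    %main::RAD_REPLY   = ();
    my $rc    = $handler->();
    my $pairs = join(', ', map { "$_=$main::RAD_REPLY{$_}" } sort keys %main::RAD_REPLY);
    return "rc=$rc reply=" . ($pairs || '(no pairs)');
}

print "authorize_ok:       ", run_as_server(\&authorize_ok), "\n";
print "authorize_shadowed: ", run_as_server(\&authorize_shadowed), "\n";
```

Running it shows the shadowed handler returning its code normally while the server sees no reply pairs, which is why the return value alone does not reveal the problem.
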
Packet of Disconnect PHP

2011-08-02 Thread mark fennema
Hello, I'm working on getting a hotspot set up, and I need the ability
to have a user log themselves out, so that they can connect on another
computer. I have it set up so that the user can enter their
information and have it log them out, but it doesn't disconnect them
from the router, so they can continue using the internet until they
disconnect from the wireless, so I need to send a packet of
disconnect. Is there a way to do this in php?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Returning attributes based on group membership using NTLM_AUTH

2011-08-02 Thread Moe, John
I'm trying to set up switch logons for IT staff.  Some will get operator
(limited, read-only) access, some get manager (full) access.  I've got two
Active Directory groups that control which access they get.

I've got the ntlm_auth section working with two different instances, one for
each, using the --require-membership-of switch to ntlm_auth.

 modules/ntlm_auth 

exec ntlm_auth.swcmgr {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password} --require-membership-of=MYDOMAIN\\SWITCH-MANAGERS"
}

exec ntlm_auth.swcoper {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password} --require-membership-of=MYDOMAIN\\SWITCH-OPERATORS"
}

 End of file 

I've also got the following in my users file:

 users 

DEFAULT Auth-Type = ntlm_auth.swcmgr, Service-Type == 7, NAS-Port-Type == 5
        Service-Type := 6,
#       Fall-Through = Yes

#DEFAULT Auth-Type = ntlm_auth.swcoper, Service-Type == 7, NAS-Port-Type == 5
#       Service-Type := 7

 End of file 

And in sites-enabled/default, I've listed these two in the authenticate
section.

With the config above, it'll let managers in with manager access, but not
operators.  If I comment out the first DEFAULT line in the users file, and
uncomment the second, it'll let operators in with operator access, but not
managers.  But if I uncomment both, operators get denied access on the
first DEFAULT line, and processing stops.  If I uncomment the
Fall-Through line, it appears to only fall through on success of the first
DEFAULT section, not on failure.

What's the best way to accomplish what I want?  I think I'd need to use
unlang somehow, but the sites-enabled/default says unlang should go in
post-auth, and I think I need it in the authenticate section?  Or should I
be looking to do it in the modules/ntlm_auth file?  Is this too complicated
for unlang, should I be looking at perl or python?  Or am I overcomplicating
things?  Any pointers would be appreciated.


John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4000

*
NOTICE - This message from Hatch is intended only for the use of the individual 
or entity to which it is addressed and may contain information which is 
privileged, confidential or proprietary. 
Internet communications cannot be guaranteed to be secure or error-free as 
information could be intercepted, corrupted, lost, arrive late or contain 
viruses. By communicating with us via e-mail, you accept such risks.  When 
addressed to our clients, any information, drawings, opinions or advice 
(collectively, information) contained in this e-mail is subject to the terms 
and conditions expressed in the governing agreements.  Where no such agreement 
exists, the recipient shall neither rely upon nor disclose to others, such 
information without our written consent.  Unless otherwise agreed, we do not 
assume any liability with respect to the accuracy or completeness of the 
information set out in this e-mail.  If you have received this message in 
error, please notify us immediately by return e-mail and destroy and delete the 
message from your computer.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Returning attributes based on group membership using NTLM_AUTH

2011-08-02 Thread Moe, John
Sorry to reply to my own post, but I think I've found the answer; can
someone let me know if I'm on the right track?

I believe that I should be using ntlm_auth to *only* validate the *password*
in the authenticate section.  And then I'll need to configure the LDAP
module and use Ldap-Group as an additional item to match against in the
users file to return the appropriate Service-Type attribute?

John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4000

 -Original Message-
 From: freeradius-users-bounces+jmoe=hatch.com...@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+jmoe=hatch.com...@lists.freeradius.org] On Behalf Of Moe, John
 Sent: Wednesday, 3 August 2011 9:33 AM
 To: freeradius-users@lists.freeradius.org
 Subject: Returning attributes based on group membership using NTLM_AUTH
 
 I'm trying to set up switch logons for IT staff.  Some will get
 operator
 (limited, read-only) access, some get manager (full) access.  I've got
 two
 Active Directory groups that control which access they get.
 
 I've got the ntlm_auth section working with two different instances,
 one for
 each, using the --require-membership-of switch to ntlm_auth.
 
  modules/ntlm_auth 
 
 exec ntlm_auth.swcmgr {
     wait = yes
     program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password} --require-membership-of=MYDOMAIN\\SWITCH-MANAGERS"
 }
 
 exec ntlm_auth.swcoper {
     wait = yes
     program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password} --require-membership-of=MYDOMAIN\\SWITCH-OPERATORS"
 }
 
  End of file 
 
 I've also got the following in my users file:
 
  users 
 
 DEFAULT Auth-Type = ntlm_auth.swcmgr, Service-Type == 7, NAS-Port-Type == 5
         Service-Type := 6,
 #       Fall-Through = Yes
 
 #DEFAULT Auth-Type = ntlm_auth.swcoper, Service-Type == 7, NAS-Port-Type == 5
 #       Service-Type := 7
 
  End of file 
 
 And in sites-enabled/default, I've listed these two in the authenticate
 section.
 
 With the config above, it'll let managers in with manager access, but
 not operators.  If I comment out the first DEFAULT line in the users file,
 and uncomment the second, it'll let operators in with operator access, but
 not managers.  But if I uncomment both, operators get denied access on
 the first DEFAULT line, and processing stops.  If I uncomment the
 Fall-Through line, it appears to only fall through on success of the
 first DEFAULT section, not on failure.
 
 What's the best way to accomplish what I want?  I think I'd need to use
 unlang somehow, but the sites-enabled/default says unlang should go in
 post-auth, and I think I need it in the authenticate section?  Or
 should I
 be looking to do it in the modules/ntlm_auth file?  Is this too
 complicated
 for unlang, should I be looking at perl or python?  Or am I
 overcomplicating
 things?  Any pointers would be appreciated.
 
 
 John H. Moe
 Network Support - Hatch IT
 HATCH
 Tel: +61 (7) 3166 
 Direct: +61 (7) 3166 7684
 Fax: +61 (7) 3368 3754
 Mobile: +61 438 772 425
 61 Petrie Terrace, Brisbane, Queensland Australia 4000


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html