Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Arran Cudbard-Bell

On 5 Oct 2011, at 02:20, Mike Diggins wrote:

 
 I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an 
 Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are constantly 
 failing over the Accounting Servers, due to lack of response from the Home 
 Servers, or so says the log. However, I believe the issue is that some remote 
 institutions Radius Servers are ignoring the Accounting packets, and timing 
 out my end, making it believe the Home Servers have failed to respond. 
 FreeRadius responds by marking the Home server dead. It then sends a 
 status-server query, to which is gets a reply, and enables the Dead Home 
 server. I believe that's the sequence of events anyway. I captured some of 
 that in debug mode:
 
 Rejecting request 288 due to lack of any response from home server x.x.x.x 
 port 1813
 
 Finished request 288.
 
 Cleaning up request 288 ID 205 with timestamp +1161
 
 PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it is 
 dead).
 
 Sending Status-Server of id 55 to x.x.x.x port 1813
 	Message-Authenticator := 0x
 	NAS-Identifier := "Status Check. Are you alive?"
 Waking up in 3.9 seconds.
 
 rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, length=806
 
 I don't have any control over Accounting Packets being accepted, or not, by 
 other Eduroam members. Some do, some don't I imagine. Is there a 
 configuration for FreeRadius that handles this situation cleanly? Seems to me 
 that FR should check the Home server first, before marking it dead (at least).


No, I've talked about this with Alan. The proposed solution is an enhancement to 
the detail writer/reader functionality where the server automagically spawns 
new reader instances to listen on per-domain detail files.

For now I'd recommend using rlm_replicate. This allows you to send an entirely 
new request to the home server, whilst sending an Accounting-Response to the 
NAS. FR does not track the new request and so won't be able to retransmit.

Just use something like:

preacct {
	# For non-local realms: handle the packet locally (the NAS gets its
	# Accounting-Response straight away) and send a fire-and-forget copy
	# to the eduroam realm.
	if (Realm && Realm != 'local') {
		update control {
			Proxy-To-Realm := 'local'
			Replicate-To-Realm = 'eduroam'
		}
	}
}

accounting {
	# Sends the copy; the server does not track it, so no retransmits.
	replicate
}

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Alan Buxey
Hi,

 I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an 
 Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are 
 constantly failing over the Accounting Servers, due to lack of response 
 from the Home Servers, or so says the log. However, I believe the issue is 
 that some remote institutions Radius Servers are ignoring the Accounting 
 packets, and timing out my end, making it believe the Home Servers have 
 failed to respond. FreeRadius responds by marking the Home server dead. It 
 then sends a status-server query, to which is gets a reply, and enables 
 the Dead Home server. I believe that's the sequence of events anyway. I 
 captured some of that in debug mode:

the flow you captured is right - it tries, it doesn't get a response, it probes
with status-server and marks the server up again. that's fine...and the way it should
work.

regarding eduroam and proxying of accounting. yes. it's a continual problem
and one that I would like to see sorted...there's a large number of people
who don't believe in the proxying of accounting (they don't believe in the
accounting stuff really...) - I, however, like the accounting.

the issue is that YOU know your NAS kit - and all the weird things that
it can do - sending 0 session time and only using port 29 is the Cisco 'thing'..
what you aren't ready for is the slew of junk from other sites' NAS when they do
accounting ..and be prepared for a whole lot of junk.  (my current favourite is
when 100% essential RADIUS attributes for accounting have been stripped out by an
over keen admin with the attribute filter on their RADIUS server. double fun!)

I would suggest you take the accounting out of the 'live' stream and move to
using one of the 'supplied with freeRADIUS' accounting virtual servers -
decoupled-accounting, robust-proxy-accounting or copy-acct-to-home-server

read those VS files and see which one appeals to you the most and which will
suit your needs

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
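The Status-Server exchange Alan describes, as an added example that is not part of the original thread or of FreeRADIUS itself: a Python script that builds the probe the proxy sends (code 12, ID 55 and the "Status Check. Are you alive?" NAS-Identifier as in the log above), protects it with a Message-Authenticator, and checks the home server's reply against the Request Authenticator before treating the server as alive. The shared secret, the reply and its attacker-forged twin are constructed for the demonstration; reply code 2 mirrors the log, whereas an accounting port per RFC 5997 should answer with code 5, so both are accepted.

```python
"""Status-Server probe and reply checking, as in the debug output above.

Added example, not FreeRADIUS code. Builds the Status-Server (code 12) packet,
protects it with a Message-Authenticator (HMAC-MD5 keyed with the shared
secret, RFC 2869/5997), and verifies the reply's Response Authenticator so a
spoofed "I'm alive" cannot revive a zombie home server. The shared secret and
the reply contents are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12
ACCESS_ACCEPT = 2          # what the log above shows coming back from port 1813
ACCOUNTING_RESPONSE = 5    # what RFC 5997 says an accounting port should send
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type, value):
    # RADIUS attribute TLV: Type(1), Length(1, includes the 2-byte header), Value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_status_server(ident, secret, request_auth=None):
    """Status-Server with a random Request Authenticator and a Message-Authenticator
    computed over the whole packet with the authenticator value zeroed."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_NAS_IDENTIFIER, b"Status Check. Are you alive?")
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute


def check_message_authenticator(packet, secret):
    """Home-server side: reject probes whose Message-Authenticator is missing or wrong,
    otherwise anyone who can spoof a source address can send unauthenticated probes."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False


def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """The home server's answer to the probe, bound to the request's authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_reply(reply, request, secret):
    """Proxy side: the reply counts only if it matches the outstanding request's ID
    and its Response Authenticator validates under the shared secret."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    if code not in (ACCESS_ACCEPT, ACCOUNTING_RESPONSE):
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])


def probe_exchange(secret, attacker_secret):
    """One round trip: the genuine reply verifies, a forgery under the wrong secret does not."""
    request = build_status_server(55, secret)
    genuine = build_reply(ACCESS_ACCEPT, 55, b"", request[4:20], secret)
    forged = build_reply(ACCESS_ACCEPT, 55, b"", request[4:20], attacker_secret)
    return verify_reply(genuine, request, secret), verify_reply(forged, request, secret)


if __name__ == "__main__":
    print(probe_exchange(b"testing123", b"guess"))
```

Because the reply is bound to the random Request Authenticator and the shared secret, a spoofed reply from someone who knows only the home server's address, or a replay of an earlier reply under a different ID, cannot revive a zombie home server; the home server, for its part, should drop probes that carry no valid Message-Authenticator.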


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Phil Mayers

On 10/05/2011 07:16 AM, Arran Cudbard-Bell wrote:



No i've talked about this with Alan. The proposed solution is an
enhancement to the detail writer/reader functionality where the
server automagically spawns new reader instances to listen on per
domain detail files.


I guess that's ok, in that it stops an unresponsive realm blocking other 
realms, but wouldn't another solution be to add a config item to the 
detail reader to drop packets which are X seconds old?


That would help with another case - where a realm is accepting some 
accounting packets but not others (e.g. they've got a SQL config that is 
barfing on upper-case usernames...).


Or, modify the detail reader to write a done marker byte into records 
which it has processed.


p1 = ftell
read packet
send packet
if ok:
  p2 = ftell
  seek(p1)
  write('OK')
  seek(p2)
else:
  sleep && retry


Anyway - something else the OP can do today (aside from rlm_replicate) 
is to follow the robust-proxy-accounting example, but instead of 
queueing failed packets, just ok them or write to a detail file.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Alan DeKok
Phil Mayers wrote:
 I guess that's ok, in that it stops an unresponsive realm blocking other
 realms, but wouldn't another solution be to add a config item to the
 detail reader to drop packets which are X seconds old?

  if (Acct-Delay-Time > 3600) {
    ok
  } else {
    ... do proxy ...
  }

 Or, modify the detail reader to write a done marker byte into records
 which it has processed.

  That's a bit harder.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Phil Mayers

On 10/05/2011 09:26 AM, Alan DeKok wrote:

Phil Mayers wrote:

I guess that's ok, in that it stops an unresponsive realm blocking other
realms, but wouldn't another solution be to add a config item to the
detail reader to drop packets which areX seconds old?


   if (Acct-Delay-Time > 3600) {
     ok
   } else {
     ... do proxy ...
   }



Ah ha! Clever. I had forgotten the detail reader created/updated that 
attribute. Yay FreeRADIUS!






Or, modify the detail reader to write a done marker byte into records
which it has processed.


   That's a bit harder.


Tell me about it... we've got a home-grown system for logging DHCP 
requests via pcap (because ISC dhcpd can't do decent logging) and, along 
with a whole bunch of other crap, the process has to write to a logfile 
in chunks, with the ability to do this (mark one row as written)


It was amazingly unreliable... I eventually resorted to writing them to 
an sqlite database as a spool, on the grounds that marking them 
done/ignored was easier that way.


One of these days I'll get the time to investigate FR DHCP...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Arran Cudbard-Bell

On 5 Oct 2011, at 10:40, Phil Mayers wrote:

 On 10/05/2011 09:26 AM, Alan DeKok wrote:
 Phil Mayers wrote:
 I guess that's ok, in that it stops an unresponsive realm blocking other
 realms, but wouldn't another solution be to add a config item to the
 detail reader to drop packets which areX seconds old?
 
   if (Acct-Delay-Time > 3600) {
     ok
   } else {
     ... do proxy ...
   }
 
 
 Ah ha! Clever. I had forgotten the detail reader created/updated that 
 attribute. Yay FreeRADIUS!

It's a bad way of doing it. At least with replicate every accounting packet has 
a chance... Using Acct-Delay-Time you'll end up dumping anywhere between 1-15 
seconds accounting data for all realms if one realm is unreachable.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL and FreeRADIUS environment

2011-10-05 Thread tonimanel
Hi again,

How can I do freeradius replication with radrelay? Do you know any tutorial
or howto?

I have a basic freeradius service installed and function!!!

Thanks!

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/MySQL-and-FreeRADIUS-environment-tp4845985p4872147.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 It's a bad way of doing it. At least with replicate every accounting packet 
 has a chance... Using Acct-Delay-Time you'll end up dumping anywhere between 
 1-15 seconds accounting data for all realms if one realm is unreachable.

  shrug

if (Packet-Transmit-Counter > 5) {
	ok
} else {
	... proxy ...
}

  If the home server doesn't get it after 5 tries, throw it away.

  In 2.1.10 & later, IIRC.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL and FreeRADIUS environment

2011-10-05 Thread tonimanel
My FreeRADIUS version is 2.1.10 on Debian. Do you suggest I update? Or is it a valid
version to work with and implement freeradius replication with radrelay?

Thanks,

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/MySQL-and-FreeRADIUS-environment-tp4845985p4872269.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Phil Mayers

On 05/10/11 09:56, Arran Cudbard-Bell wrote:


On 5 Oct 2011, at 10:40, Phil Mayers wrote:


On 10/05/2011 09:26 AM, Alan DeKok wrote:

Phil Mayers wrote:

I guess that's ok, in that it stops an unresponsive realm
blocking other realms, but wouldn't another solution be to add
a config item to the detail reader to drop packets which areX
seconds old?


if (Acct-Delay-Time > 3600) { ok } else { ... do proxy ... }



Ah ha! Clever. I had forgotten the detail reader created/updated
that attribute. Yay FreeRADIUS!


It's a bad way of doing it. At least with replicate every accounting
packet has a chance... Using Acct-Delay-Time you'll end up dumping
anywhere between 1-15 seconds accounting data for all realms if one
realm is unreachable.


Whereas with rlm_replicate, you risk dropping arbitrary accounting 
packets because there is no retry. There is no ideal solution, because 
radius accounting was never designed for the kind of loosely-coupled 
federation that is Eduroam.


For me, since most Eduroam sites don't care about receiving federated 
accounting, my primary concern is for my server to carry on functioning, 
and that means the detail file should not grow without bound. I don't 
really care how that happens - as long as it does.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
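One way to implement what this sub-thread converges on (per-realm queues so that a dead realm stalls only its own records, plus the Acct-Delay-Time > 3600 and Packet-Transmit-Counter > 5 give-up rules), as an added example in Python that is not part of the thread or of FreeRADIUS: it parses the text format rlm_detail writes and drives a stand-in send() in place of a real proxy. The spool contents, realms, clock values and the 'alpha.example'/'beta.example' home servers are constructed for the demonstration.

```python
"""Detail-spool drainer with per-realm queues and give-up rules (added example, not FreeRADIUS code).
Parses the text format rlm_detail writes, queues records per realm, and drops a record once
Acct-Delay-Time exceeds 3600 s or it has been transmitted 5 times, as discussed in the thread."""
import re

# Constructed sample spool (rlm_detail format: ctime header, tab-indented attributes,
# a Timestamp line added by the writer, blank line after each record).
SAMPLE_DETAIL = """\
Wed Oct  5 02:20:00 2011
\tAcct-Session-Id = "0001"
\tUser-Name = "alice@alpha.example"
\tTimestamp = 1317781200

Wed Oct  5 02:21:00 2011
\tAcct-Session-Id = "0002"
\tUser-Name = "bob@beta.example"
\tAcct-Delay-Time = 5
\tTimestamp = 1317781260

Wed Oct  5 02:25:00 2011
\tAcct-Session-Id = "0003"
\tUser-Name = "carol@beta.example"
\tTimestamp = 1317781500

"""
ATTR_RE = re.compile(r"^\t([\w-]+) = (.*)$")

def parse_detail(text):
    """One {'header': ..., 'attrs': {...}} per record; quoted values are unquoted."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                records.append(current)
            current = None
            continue
        match = ATTR_RE.match(line)
        if match and current is not None:
            name, value = match.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current["attrs"][name] = value
        elif current is None and not line.startswith("\t"):
            current = {"header": line, "attrs": {}}
        else:
            raise ValueError(f"malformed detail line: {line!r}")
    if current is not None:
        records.append(current)
    return records

def realm_of(record):
    """Realm is what follows the last '@' in User-Name; no '@' means local."""
    user = record["attrs"].get("User-Name", "")
    return user.rsplit("@", 1)[1].lower() if "@" in user else "local"

def current_delay(record, now):
    """What the detail reader does on re-read: original Acct-Delay-Time plus time in the spool."""
    attrs = record["attrs"]
    return int(attrs.get("Acct-Delay-Time", 0)) + (now - int(attrs["Timestamp"]))

def give_up_reason(record, now, sent_so_far, max_age=3600, max_tries=5):
    """None means keep trying; otherwise why the record is acknowledged and discarded."""
    if current_delay(record, now) > max_age:
        return "stale"      # Acct-Delay-Time > 3600
    if sent_so_far >= max_tries:
        return "retries"    # Packet-Transmit-Counter > 5
    return None

def drain(records, now, send, attempts, max_age=3600, max_tries=5):
    """One pass over the spool. send(realm, attrs) -> bool stands in for proxying to the
    realm's home server; attempts maps Acct-Session-Id to transmissions so far (updated
    in place). Returns (forwarded, dropped, still_queued) keyed by Acct-Session-Id."""
    queues = {}
    for rec in records:
        queues.setdefault(realm_of(rec), []).append(rec)
    forwarded, dropped, queued = [], {}, []
    for realm, queue in queues.items():
        for i, rec in enumerate(queue):
            sid = rec["attrs"].get("Acct-Session-Id", "?")
            reason = give_up_reason(rec, now, attempts.get(sid, 0), max_age, max_tries)
            if reason:
                dropped[sid] = reason   # the NAS was answered long ago; stop retrying
                continue
            outgoing = dict(rec["attrs"], **{"Acct-Delay-Time": str(current_delay(rec, now))})
            attempts[sid] = attempts.get(sid, 0) + 1
            if send(realm, outgoing):
                forwarded.append(sid)
            else:
                # Unreachable realm: keep its order, but only its own queue stalls.
                queued.extend(r["attrs"].get("Acct-Session-Id", "?") for r in queue[i:])
                break
    return forwarded, dropped, queued

if __name__ == "__main__":
    # alpha.example answers, beta.example is down; first pass at 02:30, second at 03:30.
    recs, tries = parse_detail(SAMPLE_DETAIL), {}
    print(drain(recs, 1317781800, lambda realm, attrs: realm == "alpha.example", tries))
    print(drain(recs[1:], 1317785400, lambda realm, attrs: realm == "alpha.example", tries))
```

Run as is, the first pass forwards alice's record and leaves both beta.example records queued without touching the alpha.example queue; the second pass an hour later drops them as stale. The attempts dict plays the role of Packet-Transmit-Counter; keeping it outside the file, rather than rewriting records in place as the done-marker idea would, is what lets the spool stay append-only.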


Mac access mixed ldap access same NAS

2011-10-05 Thread Alejandro Gandara
Hi list,

does someone know if it's possible to mix MAC auth with ldap AUTH in the same
NAS.

I mean, I have multiple connections to one NAS but a few users will access
through mac address, and others will access through ldap auth + passwords.

Nowadays I've configured ldap access but I don't know how to configure
freeradius to allow a few users (16-20) to connect through mac auth.

As always thank you very much for your time and patience.

Regards,

Alejandro Gándara
Junior System Administrator
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL and FreeRADIUS environment

2011-10-05 Thread Fajar A. Nugraha
On Wed, Oct 5, 2011 at 4:57 PM, tonimanel
antoniofernan...@fabergames.com wrote:
 Hi again,

 How can I do freeradius replication with radrelay? Do you know any tutorial
 or howto?

Have you READ the suggested documentation? For example, Alan said
Also, raddb/sites-available/copy-acct-to-home-server

I also wrote earlier regarding FR-managed replication: In this setup
the user data needs to be synced manually though.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL and FreeRADIUS environment

2011-10-05 Thread tonimanel
I'm going to read this example file. I don't know if I will understand it but
I will try it.

Thanks,

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/MySQL-and-FreeRADIUS-environment-tp4845985p4872336.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


MySQL and FreeRADIUS environment

2011-10-05 Thread tonimanel
I have read the example file. I have some doubts. 

Do I get with this example file? I don't have a radrelay.conf example (or is
this it?) ... I have read on the Internet that in radiusd.conf I should define
a detail block like detail detail-name {some information} to get
two binary files with my main server data (then the other server should
use them to replicate data), is it true? And then I should create the radrelay.conf
file (because it does not exist in /etc/freeradius) with what information? I think
with the listen block of the copy-acct-to-home-server file, is it true?

Then, when I have got the radrelay.conf file with the listen block information from
the copy-acct-to-home-server file, where should I define the second server?
I think that in some place I should define the second server to make the
replica...

Can you help me? Can you tell me about that?

Thank you.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/MySQL-and-FreeRADIUS-environment-tp4845985p4872393.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL and FreeRADIUS environment

2011-10-05 Thread Alan DeKok
tonimanel wrote:
 I have read the example file. I have some doubts. 
 
 Do I get with this example file? I don't have a radrelay.conf example (or is
 this it?) 

  Yes, you do.  See the raddb/ directory.

 ... I have read on the Internet that in radiusd.conf I should define
 a detail block like detail detail-name {some information} to get
 two binary files with my main server data (then the other server should
 use them to replicate data), is it true?

  You could try reading the examples that come with the server.  The
examples you were told to read.

  Why search the internet when you have the answers in front of you?

 And then I should create radrelay.conf
 file (because not exists in /etc/freeradius) with what information? I think
 that with listen block of copy-acct-to-home-server file, it is true?

  The server comes with a sample radrelay.conf.  See the tar file on
the web site.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL and FreeRADIUS environment

2011-10-05 Thread tonimanel
I have read the sites-available/example file that contains an example of
how to define a client and a server. I should define a client and a
server on both machines (serverA's client is server B AND serverB's client
is server A). Do you understand me? 

Thanks again.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/MySQL-and-FreeRADIUS-environment-tp4845985p4872439.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL and FreeRADIUS environment

2011-10-05 Thread Alan DeKok
tonimanel wrote:
 I have read the sites-available/example file that contains an example of
 how to define a client and a server.

  i.e. you didn't do what you were told to do.

  I should define a client and a
 server on both machines (serverA's client is server B AND serverB's client
 is server A). Do you understand me? 

  I have no idea.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Mike Diggins



On Wed, 5 Oct 2011, Arran Cudbard-Bell wrote:



On 5 Oct 2011, at 02:20, Mike Diggins wrote:



I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an 
Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are constantly 
failing over the Accounting Servers, due to lack of response from the Home 
Servers, or so says the log. However, I believe the issue is that some remote 
institutions Radius Servers are ignoring the Accounting packets, and timing out 
my end, making it believe the Home Servers have failed to respond. FreeRadius 
responds by marking the Home server dead. It then sends a status-server query, 
to which is gets a reply, and enables the Dead Home server. I believe that's 
the sequence of events anyway. I captured some of that in debug mode:

Rejecting request 288 due to lack of any response from home server x.x.x.x port 
1813

Finished request 288.

Cleaning up request 288 ID 205 with timestamp +1161

PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it is 
dead).

Sending Status-Server of id 55 to x.x.x.x port 1813
	Message-Authenticator := 0x
	NAS-Identifier := "Status Check. Are you alive?"
Waking up in 3.9 seconds.

rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, length=806

I don't have any control over Accounting Packets being accepted, or not, by 
other Eduroam members. Some do, some don't I imagine. Is there a configuration 
for FreeRadius that handles this situation cleanly? Seems to me that FR should 
check the Home server first, before marking it dead (at least).



No i've talked about this with Alan. The proposed solution is an enhancement to 
the detail writer/reader functionality where the server automagically spawns 
new reader instances to listen on per domain detail files.

For now i'd recommend using rlm_replicate, this allows you to send an entirely 
new request to the homeserver, whilst sending an Accounting-Response to the 
NAS. FR does not track the new request and so won't be able to retransmit.

Just use something like:

preacct {
	if (Realm && Realm != 'local') {
		update control {
			Proxy-To-Realm := 'local'
			Replicate-To-Realm = 'eduroam'
		}
	}
}

accounting {
	replicate
}


Thanks for your suggestion. Do I drop this into my existing 
..sites-available/default file? Does this add to what's there already, or 
do I replace what's there with this (and does the order matter)? Sorry, I 
have a very basic configuration and haven't had to delve into this.


-Mike

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Arran Cudbard-Bell

On 5 Oct 2011, at 12:50, Phil Mayers wrote:

 On 05/10/11 09:56, Arran Cudbard-Bell wrote:
 
 On 5 Oct 2011, at 10:40, Phil Mayers wrote:
 
 On 10/05/2011 09:26 AM, Alan DeKok wrote:
 Phil Mayers wrote:
 I guess that's ok, in that it stops an unresponsive realm
 blocking other realms, but wouldn't another solution be to add
 a config item to the detail reader to drop packets which areX
 seconds old?
 
 if (Acct-Delay-Time > 3600) { ok } else { ... do proxy ... }
 
 
 Ah ha! Clever. I had forgotten the detail reader created/updated
 that attribute. Yay FreeRADIUS!
 
 It's a bad way of doing it. At least with replicate every accounting
 packet has a chance... Using Acct-Delay-Time you'll end up dumping
 anywhere between 1-15 seconds accounting data for all realms if one
 realm is unreachable.
 
 Whereas with rlm_replicate, you risk dropping arbitrary accounting packets 
 because there is no retry.
 There is no ideal solution, because radius accounting was never designed for 
 the kind of loosely-coupled federation that is Eduroam.
 For me, since most Eduroam sites don't care about receiving federated 
 accounting, my primary concern is for my server to carry on functioning, and 
 that means the detail file should not grow without bound. I don't really care 
 how that happens - as long as it does.


True. Both solutions suck in their own unique ways.

Roll on RADSEC.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Arran Cudbard-Bell
 
 Thanks for your suggestion. Do I drop this into my existing 
 ..sites-available/default file? Does this add to what's there already, or do 
 I replace what's there with this (and does the order matter)? Sorry, I have a 
 very basic configuration and haven't had to delve into this.

Add it to sites-available/default in the existing sections (put replicate in 
the accounting {} section, put the other stuff in the preacct section).

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Reply-Message in freeradius

2011-10-05 Thread Dagia Dorjsuren
Hello,

How to add Reply-Message in freeradius? anyone advise me pls.

For example : I would like to send a "Your username or password is wrong" message 
to NAS if the someone to access to my freeradius via wrong password from that 
NAS

Thanks,
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[no subject]

2011-10-05 Thread Alex rsm

Hi,

I just installed freeradius 2.1.12 on ubuntu server from src file and got the 
following error:

# radiusd -X
radiusd: error while loading shared libraries: libfreeradius-radius-2.1.12.so: 
cannot open shared object file: No such file or directory

Thanks,
ASM
  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reply-Message in freeradius

2011-10-05 Thread Arran Cudbard-Bell

On 5 Oct 2011, at 16:23, Dagia Dorjsuren wrote:

 Hello,
 
   How to add Reply-Message in freeradius? anyone advise me pls.
 
 For example : I would like to send a "Your username or password is wrong" 
 message to NAS if the someone to access to my freeradius via wrong password 
 from that NAS
 
raddb/sites-available/default

post-auth {
	Post-Auth-Type REJECT {
		update reply {
			Reply-Message = "Your password is wrong, prepare to be eaten by flying monkeys."
		}
	}
}

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reply-Message in freeradius

2011-10-05 Thread Fajar A. Nugraha
On Wed, Oct 5, 2011 at 9:23 PM, Dagia Dorjsuren dagmi...@yahoo.com wrote:
 Hello,

   How to add Reply-Message in freeradius? anyone advise me pls.

post-auth {
	...
	update reply {
		Reply-Message = "Your message here\r\n"
	}
	...
}


 For example : I would like to send Your username or password is wrong
 message to NAS if the someone to access to my freeradius via wrong password
 from that NAS

That's tricky. Checking for reject is easy enough (see example in the
default post-auth section).  Checking WHY the rejection happens (e.g.
account expired, wrong password) is not easy.

One workaround is to add your reply-message only when there is no
previous message (which is what = does. See man unlang).

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re:

2011-10-05 Thread Fajar A. Nugraha
On Wed, Oct 5, 2011 at 9:32 PM, Alex rsm alex-...@hotmail.com wrote:
 Hi,

 I just installed freeradius 2.1.12 on ubuntu server from src file and got
 the following error:

 # radiusd -X
 radiusd: error while loading shared libraries:
 libfreeradius-radius-2.1.12.so: cannot open shared object file: No such file
 or directory

run ldconfig.

... or if you prefer using a prebuilt package, see
https://launchpad.net/~freeradius/+archive/stable

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: (No subject)

2011-10-05 Thread Alan Buxey
ldconfig -v ??

alan
--
Message may be brief as it has been sent from my mobile

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Trying to configure Cisco WLC 5500 for radius auth

2011-10-05 Thread Jefferson Davis
Hi all, 

Trying to configure our cisco WLC's to play nice with freeradius... Looking for 
some pointers to get the two of them talking. Will have windows, linux, and 
personal devices like smartphones connecting, though I suspect the bulk will be 
smartphones. I would rather not hand out the PSK to users as I know this will 
get loose. 

I have set up a WLAN for this but it does not seem to be talking to freeradius. 
Will the traffic be coming from the WLC or the designated WLAN for the SSID? 

Would very much appreciate any pointers. I've got it working as far as 
authenticating my switches and routers. Saved us probably $10k plus. 

-- 



Jefferson K Davis 
Technology and Information Systems Manager 
Standard School District 
1200 North Chester Ave 
Bakersfield, CA 93308 
661.392.2110 ext 120 (office) 
661.392.0681 (fax) 
http://district.standard.k12.ca.us 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Alan Buxey
Roll on RADSEC.

Ha ha ha cough splutter coffee everywhere now. Thanks for the laugh the 
uptake of IPv6 and DNSSEC looks absolutely ravenous and rapid compared to that 
of DNSSEC.

I've had a couple of sites ask about it and go no further (they are running 
RADIUS servers that can do RADSEC without being prerelease/beta) is this the 
configuration required (minimal) or the prescribed eduroam method of coming on 
board? I don't know.
Maybe its the giant hole in stats caused when the proxies no longer see end 
site traffic...and the onus on sites to provide stats...

either way even with RADSEC , when a site is down or non responsive you'll 
still have a backup of accounting data for them

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Trying to configure Cisco WLC 5500 for radius auth

2011-10-05 Thread Phil Mayers

On 05/10/11 15:49, Jefferson Davis wrote:

Hi all,

Trying to configure our cisco WLC's to play nice with freeradius...
Looking for some pointers to get the two of them talking. Will have
windows, linux, and personal devices like smartphones connecting, though
I suspect the bulk will be smartphones. I would rather not hand out the
PSK to users as I know this will get loose.

I have set up a WLAN for this but it does not seem to be talking to
freeradius. Will the traffic be coming from the WLC or the designated
WLAN for the SSID?


This is not a FreeRADIUS question - you should ask on a Cisco list; and 
your question is way too vague.


What does play nice with FreeRADIUS mean?

Are you trying to setup a WPA-Enterprise (username/password 
authenticated) WLAN? Or an open WLAN with web auth? Or an open wlan with 
MAC-based auth?


You need to read the documentation for your WLC.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Rewriting wimax calling-station-id with perl

2011-10-05 Thread James T Mugauri
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radius dhcp

2011-10-05 Thread Alexandre Chapellon

Hello,

I have a setup where the user initiates a DHCP request to the NAS. The NAS 
then tries to authenticate the user using regular radius requests 
(basically Access-Request with username=macaddr). If authenticated the 
NAS relays the dhcp request to a dhcp server.

That works. I want to know if there is any *standardized* way to specify 
to the NAS the DHCP server to relay the DHCP request to, using attributes 
in the radius Access-Accept?
I have found the dhcp dictionary (talking about gateway DHCP to RADIUS) but 
am not sure it is intended to do that.

If not, does anybody know if it's possible with redback xxxSE BRAS?

Regards.
--
http://www.horoa.net

Alexandre Chapellon

Open source systems and network engineering.
Follow me on twitter: @alxgomz http://www.twitter.com/alxgomz

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius dhcp

2011-10-05 Thread Alan DeKok
Alexandre Chapellon wrote:
 That works. I want to know if there is any *standardized* way to specify
 to the NAS the DHCP server to relay the DHCP request to, using attributes
 in the radius Access-Accept?

  No.

 I have found the dhcp dictionary (talking about gateway DHCP to RADIUS) but
 am not sure it is intended to do that.
 
 If not, does anybody know if it's possible with redback xxxSE BRAS?

  See dictionary.redback.  Other than that... nope.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Rewriting wimax calling-station-id with perl

2011-10-05 Thread Johan Meiring

On 2011/10/05 08:15 PM, James T Mugauri wrote:

Hi,

As you are undoubtedly aware, the ubuntu/debian package of freeradius comes
without the wimax module (despite having the wimax module) installed. My own
attempts to compile/install/build deb package for ubuntu always die with the
infamous undefined reference to `lt_preloaded_symbols' that apparently has
even Alan opting to forsake libtool.




Which version of debian do you need packages for?

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Before acting on this email or opening any attachments
you should read Cape PC Service's email disclaimer at:

http://www.pcservices.co.za/disclaimer.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: password in EAP request

2011-10-05 Thread Tim Sylvester
In example.pl perl script $RAD_REQUEST{'User-Name'} returns the username of
the EAP request message. How can I get the password of the
EAP request? $RAD_REQUEST{'User-Password'} won't return the password.

[Tim] You can't. RADIUS Access-Request packets that use EAP do not send
the password to the RADIUS server. The only attributes you can access are
the ones sent in the RADIUS request, which are listed below in the debug
output.

 

rad_recv: Access-Request packet from host 24.26.79.31 port 50168, id=207, length=185
	User-Name = "test"
	NAS-IP-Address = 10.0.0.31
	NAS-Identifier = "belair"
	NAS-Port = 0
	Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x"
	Calling-Station-Id = "00-26-4A-FC-EB-B2"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020100060319
	State = 0xce81437fce8047c9464d6ff62d386d00
	Message-Authenticator = 0x5feafac09a6cce51d36958efc628f397



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: password in EAP request

2011-10-05 Thread Alan Buxey
Hi,

In example.pl perl script $RAD_REQUEST{'User-Name'} returns the username
of the EAP request message. How can I get the password of the
EAP request? $RAD_REQUEST{'User-Password'} won't return the password.

it certainly won't for PEAPv0/MSCHAPv2 which is what your request looks
like - hint, it's a challenge response mechanism, the password is never disclosed

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reply-Message in freeradius

2011-10-05 Thread gary
Hi 
One more question.
How about if user name is wrong? eg: send reply message user name not found


Best Regards
Gary
 
  - Original Message - 
  From: Arran Cudbard-Bell 
  To: Dagia Dorjsuren ; FreeRadius users mailing list 
  Sent: Wednesday, October 05, 2011 10:34 PM
  Subject: Re: Reply-Message in freeradius




  On 5 Oct 2011, at 16:23, Dagia Dorjsuren wrote:


    Hello,

      How to add Reply-Message in freeradius? anyone advise me pls.

    For example : I would like to send a "Your username or password is wrong" message to 
    NAS if the someone to access to my freeradius via wrong password from that 
    NAS

  raddb/sites-available/default


  post-auth {
  	Post-Auth-Type REJECT {
  		update reply {
  			Reply-Message = "Your password is wrong, prepare to be eaten by flying monkeys."
  		}
  	}
  }


  Arran Cudbard-Bell
  a.cudba...@freeradius.org

  Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




--


  -
  List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html