Re: Cannot control attribute ordering via rlm_perl
claude.brown wrote:
> Our new module was designed to replace rlm_sql and meet these goals:
> - Be roughly equivalent to rlm_files in terms of speed
> - Utilise all the features of rlm_files - avoid re-inventing that wheel
> - Allow high rate of user-by-user updates; i.e. avoid config re-write as per rlm_fastfile?

The fastusers module is deprecated, because the files module is just as fast. The files module also can be HUP'd, so it can be reloaded on the fly. Just use:

    radmin -e hup files

and it will reload *only* the files module. I've tested it at loading 100K+ users/s off of disk.

> - Simple for stability: no shared in-memory state (avoid locking and races)

The server core takes care of that when the files module is reloaded.

> - Simple for stability: avoid complex on-disk structures like databases with dubious libraries
> - Simple for stability: easy mechanism to re-write entire config (say daily) to iron out errors

Daily config reloads are easy.

> - Simple for stability: re-use as much of freeRADIUS as possible; avoid writing lots of new code
>
> We achieved all these goals and can now bring all our customers back onto our service in about five minutes. The price is a lot of i-nodes - we end up with one file per user in a dir tree.

5 minutes for what, exactly?

Say you have a format similar to the users file, with one user per file. Loading 100K users will mean 100K file reads, and that can take a long time. So, do that in a cron job. Have it collect the individual user files into one large file. That might take 5 minutes, but who cares? It's once a day. Then, point the files module at the collected file. It shouldn't take longer than a second or two to reload it.

> With rlm_sql it would take an hour or two only then with careful (and human driven) rate management.

I'm not sure what that means. An hour or two to load SQL? What is it doing?

> The main issues driving this delay were:
> - rlm_sql calls during EAP negotiation instead of just at the end of EAP

That can be fixed without a new module.

> - Performance issues on our MySQL backend that we didn't have budget to resolve
> - Thread lock-ups inside MySQL library yet no MySQL server queries were active

I've seen lots of people running MySQL with 300K+ users, and no problems. The system needs to be designed carefully, but it *does* work.

> If this module is of interest to the community we are happy to contribute it.

I'd first want to know how many users you have. And why it's taking so long to get a system up and running. It sounds like something is seriously wrong.

What does it mean to bring customers into service in 5 minutes? With SQL, you should be able to keep the RADIUS server at 100% uptime. Then, re-write individual user entries via another administration process. Rewriting one user entry should take ~10ms at MOST with any SQL server. And when the server starts up, it just connects to SQL. It doesn't need to read all of the users from SQL. So there's no reason for any downtime, and having 10 users in SQL is just as fast as having 10M users in SQL.

It really sounds like your *architecture* is wrong. Find that and fix it. Writing a new module should *not* be necessary.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
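The cron-job approach Alan describes (collect the per-user files into one users file, then HUP only the files module) as an added shell example. This is not FreeRADIUS project code or anything posted in the thread; it assumes each per-user file already holds a plain users-file entry, that radmin is set up with a control socket, and the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: build one rlm_files "users" file from a tree of per-user files,
# install it atomically, then HUP only the files module. Not FreeRADIUS project code;
# the per-user file format is assumed to be plain users-file entries (assumption).
set -eu

# Count entries: in the users file an entry starts in column 0 (the name line),
# while reply items are indented and comments start with '#'.
count_entries() {
    grep -c '^[^[:space:]#]' "$1" || true
}

# collect_users SRC_DIR DEST
collect_users() {
    src_dir=$1
    dest=$2
    tmp="$dest.tmp.$$"

    # Stable order so successive daily builds diff cleanly.
    find "$src_dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        cat "$f"
        printf '\n'    # blank line terminates each entry, even if the file lacks a trailing newline
    done > "$tmp"

    # A broken export must not replace a working users file: an empty file would
    # reject every user (or, with a DEFAULT fall-through, accept ones it should not).
    if [ "$(count_entries "$tmp")" -eq 0 ]; then
        echo "refusing to install empty users file built from $src_dir" >&2
        rm -f "$tmp"
        return 1
    fi

    # rename(2) is atomic: radiusd either sees the old file or the complete new one.
    mv -f "$tmp" "$dest"
}

# Reload only the files module via the control socket (radmin must be configured; assumption).
reload_files_module() {
    if command -v radmin >/dev/null 2>&1; then
        radmin -e 'hup files'
    else
        echo "radmin not found; reload skipped" >&2
    fi
}

# Cron usage (paths are placeholders):
#   collect_users /var/lib/radius/users.d /usr/local/etc/raddb/users && reload_files_module
```

The temp-file-plus-rename step matters more than it looks: writing straight into the live users file would let a HUP (or a restart) read a half-written file, and the zero-entry guard keeps an empty export from taking every user offline at once.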
Re: Cannot control attribute ordering via rlm_perl
Alan DeKok al...@deployingradius.com writes:
> claude.brown wrote:
>> - Performance issues on our MySQL backend that we didn't have budget to resolve
>> - Thread lock-ups inside MySQL library yet no MySQL server queries were active
>
> I've seen lots of people running MySQL with 300K+ users, and no problems. The system needs to be designed carefully, but it *does* work.

You don't even need to be that careful. Just run a read-only mysql slave instance locally on the radius server and all mysql-related performance problems will vanish.

If you do mysql accounting: use buffered-sql aka decoupled-accounting. It won't fix the performance issues on your accounting mysql-server, but it will decouple the radius server from any such problems.

Bjørn
[no subject]
Is there a way to add the removal of delimiters such as - or : to the rewrite_calling_station_id section.

Thanks,
Joe

-- 
This email message and any attachments are for the sole use of the intended recipient(s) and contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.
Re:
On 16 Jan 2012, at 15:22, McSparin, Joe wrote:
> Is there a way to add the removal of delimiters such as - or : to the rewrite_calling_station_id section.

Course. Just change

    update request {
        Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
    }

to

    update request {
        Called-Station-Id := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
    }

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
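What the rewrite_calling_station_id policy is doing, shown as an added shell example rather than unlang: take the station ID in whatever delimiter style the NAS sends, and reduce it to twelve lowercase hex digits so a MAC lookup keys on one canonical form. This is not code from the thread or from the FreeRADIUS project; the accepted input styles are an assumption, and anything that is not a MAC is rejected rather than passed through to a lookup.

```shell
#!/bin/sh
# Added example: canonicalise a Calling-Station-Id into 12 lowercase hex digits with no
# delimiter, mirroring rewrite_calling_station_id. Shell stand-in, not project code.
set -eu

# normalize_mac RAW  ->  prints "aabbccddeeff", or returns 1 if RAW is not a MAC address
normalize_mac() {
    # Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and aabbccddeeff (assumption).
    m=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    case $m in
        '' | *[!0-9a-f]*) return 1 ;;   # empty, or non-hex left after stripping delimiters
    esac
    [ "${#m}" -eq 12 ] || return 1      # exactly six octets; 5 or 7 groups are not a MAC
    printf '%s\n' "$m"
}

# to_colon_form CANON -> "aa:bb:cc:dd:ee:ff", handy when comparing against NAS logs
to_colon_form() {
    printf '%s\n' "$1" | sed 's/../&:/g; s/:$//'
}

# usage: normalize_mac "$CALLING_STATION_ID" || echo "not a MAC, do not look it up" >&2
```

Rejecting non-MAC input is the part the unlang policy gets for free from its regex match: a value that never matches is left alone and simply does not hit the MAC table, which is the behaviour to preserve when you change the output format.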
merging two systems
I have two systems that both use freeradius out of MySQL. I would like to consolidate onto a single system, but maintain the database separation to ensure there are no username collisions and ease in auditing/reporting, etc. System A already has a database of freeradius_A and system B has a database of freeradius_B. What is the preferred method to configure freeradius to authenticate two sets of users out of two databases? Should I look at running multiple instances of freeRADIUS or can I utilize both databases with one instance?

--Blake
RE: merging two systems
Blake Hudson [bl...@ispn.net] writes:
> What is the preferred method to configure freeradius to authenticate two sets of users out of two databases? Should I look at running multiple instances of freeRADIUS or can I utilize both databases with one instance?

This should be doable by defining multiple named sql instances, then, based on the criteria you use to separate sessions for the two services, invoke one or the other of them by name appropriately. Basically look for every place in the configs where the sql module is called, either as a directive, or inside a string xlat, and you would have to multiplex each of those statements to use the appropriate name (instead of sql) in the appropriate case.

Also, multiple instances of FreeRADIUS are not hard to do, and can sometimes be preferable if you would like to add a bit more partitioning from a security perspective, but each will require its own port and/or IP address so your NAS flexibility may play a part in that decision.
RE:
perfect thanks.

From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org [mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Monday, January 16, 2012 8:39 AM
To: FreeRadius users mailing list
Subject: Re:
Re: merging two systems
Brian Julin wrote the following on 1/16/2012 9:01 AM:
> Blake Hudson [bl...@ispn.net] writes:
>> What is the preferred method to configure freeradius to authenticate two sets of users out of two databases? Should I look at running multiple instances of freeRADIUS or can I utilize both databases with one instance?
>
> This should be doable by defining multiple named sql instances, then, based on the criteria you use to separate sessions for the two services, invoke one or the other of them by name appropriately. Basically look for every place in the configs where the sql module is called, either as a directive, or inside a string xlat, and you would have to multiplex each of those statements to use the appropriate name (instead of sql) in the appropriate case.

Thanks for the response, I've created a couple named sql instances, but I'm not sure how to configure one nas to use one instance and the other nas to use the other instance. It seems pretty straight forward to use one instance for auth and another for accounting, but I did not see an example or documentation on how to associate a sql instance to a nas. If you could point me in the right direction I'd appreciate it.

--Blake
Re: merging two systems
On 16/01/12 16:55, Blake Hudson wrote:
> It seems pretty straight forward to use one instance for auth and another for accounting, but I did not see an example or documentation on how to associate a sql instance to a nas. If you could point me in the right direction I'd appreciate it.

Simply match any attribute you want in the request, and then call the relevant modules:

    authorize {
        ...
        if (Client-IP-Address == 192.0.2.1) {
            sql1
        }
        elsif (Client-IP-Address == 192.0.2.2) {
            sql2
        }
        ...
    }

You probably want to match on Huntgroup, Client-Shortname or some other more useful field than source IP.
Re: merging two systems
Phil Mayers wrote the following on 1/16/2012 11:18 AM:
> On 16/01/12 16:55, Blake Hudson wrote:
>> It seems pretty straight forward to use one instance for auth and another for accounting, but I did not see an example or documentation on how to associate a sql instance to a nas. If you could point me in the right direction I'd appreciate it.
>
> Simply match any attribute you want in the request, and then call the relevant modules:
>
>     authorize {
>         ...
>         if (Client-IP-Address == 192.0.2.1) {
>             sql1
>         }
>         elsif (Client-IP-Address == 192.0.2.2) {
>             sql2
>         }
>         ...
>     }
>
> You probably want to match on Huntgroup, Client-Shortname or some other more useful field than source IP.

Thanks. That's awesome. I didn't realize that I could create decision points in the config like that. Hunt groups combined with a couple if statements should provide a great mechanism for what I want to implement. Thanks for the direction.

--Blake
Re: compiling freeradius 2.1.12 in Debian squeeze
Hi,

On Sat, Jan 14, 2012 at 06:56:32PM +, Rui Ribeiro wrote:
> One of the problems is freeradius is expecting ltdl 3.x, and squeeze has 7; the other is that the file changelog is no more in the right format. (though the last one is easily fixed)

Hit this the other day - make sure you don't have old ltdl (especially -dev) packages hanging around. If you've upgraded from lenny to squeeze, then you probably have. Purge the old ones, install the new -dev.

On Sun, Jan 15, 2012 at 09:15:38AM +0700, Fajar A. Nugraha wrote:
> On Sun, Jan 15, 2012 at 8:16 AM, Rui Ribeiro ruyrybe...@gmail.com wrote:
>> Indeed just found configure make works fine; been the whole time trying to build a deb package. fakeroot dpkg-buildpackage -b -uc doesn't work.
>
> I usually just use dpkg-buildpackage -b. Mostly with Ubuntu's debian directory, but I'm pretty sure last time I tried 2.1.12 with its included debian directory it also works fine. Latest v2.1.x from git however won't work since some patches need to be changed.

I tend to use

    dpkg-buildpackage -us -uc -rfakeroot

In latest git, you need to do

    rm debian/patches/rlm_sql.libs.diff
    sed -i -e '/rlm_sql/d' debian/patches/series

before it will build (may not be the actual fix, but gets it to build; I'm not using rlm_sql).

Matthew

-- 
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Only Out-of-tunnel
Hi,

I've found some users and their MAC addresses with OK status (I mean Access-Accept) for which there are only out-of-tunnel logs. I wonder why this could happen... Please could you help me? This is my config, thanks in advance!

FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on Oct 21 2008 at 15:14:37
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/files.backup
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/status
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default.backup
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel-peap
group = radiusd
user = radiusd
including dictionary file /usr/local/etc/raddb/dictionary
main {
	prefix = /usr/local
	localstatedir = /usr/local/var
	logdir = /usr/local/var/log/radius
	libdir = /usr/local/lib
	radacctdir = /usr/local/var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = /usr/local/var/run/radiusd/radiusd.pid
	checkrad = /usr/local/sbin/checkrad
	debug_level = 0
	proxy_requests = no
	log {
		stripped_names = yes
		auth = yes
		auth_badpass = no
		auth_goodpass = no
	}
	security {
		max_attributes = 200
		reject_delay = 1
		status_server = yes
	}
}
client localhost {
	ipaddr = 127.0.0.1
impossible to be authenticated
Hello

Please, I use radius with a captive portal, but I can't authenticate. I have this message:

pepperspot[2939]: redir.c: 1397: Radius request timed out

What does this mean?
Re: impossible to be authenticated
ousmane sanogo wrote:
> Hello
>
> Please, I use radius with a captive portal, but I can't authenticate. I have this message:
>
> pepperspot[2939]: redir.c: 1397: Radius request timed out
>
> What does this mean?

What part of that message is unclear? Do you know what network timeouts are?

Have you tried running FreeRADIUS in debugging mode, as suggested in the FAQ, README, man page, and daily on this list?

Alan DeKok.
Re: Only Out-of-tunnel
Where's the log for when this happens? As MAC auth wouldn't go through the EAP tunnel it would suggest that some entry in e.g. the users file is coming into play...

alan
Re: impossible to be authenticated
Hi,

> Please, I use radius with a captive portal, but I can't authenticate. I have this message:
>
> pepperspot[2939]: redir.c: 1397: Radius request timed out

umm, what does your radiusd -X (i.e. the FreeRADIUS server) show? anything? suggests the daemon isn't live or the system is firewalled/ACLd

alan
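The checks behind both replies above (is radiusd actually listening, and is the portal's address a known client, since FreeRADIUS silently drops packets from any source without a client {} block, which the NAS reports as a timeout) as an added shell example. This is not code from the thread or from the FreeRADIUS project; the raddb path, the port and the clients.conf layout it parses (ipaddr = x, exact match or a 0.0.0.0/0 catch-all) are assumptions.

```shell
#!/bin/sh
# Added example: first-line triage for "Radius request timed out" from a NAS or captive portal.
# Not FreeRADIUS project code. Assumes the stock layout (raddb under /usr/local/etc/raddb,
# auth on UDP 1812); both are assumptions and are parameters below.
set -eu

# client_is_known CLIENTS_CONF NAS_IP
# The server never answers a packet from an IP with no client {} block, so the NAS only
# sees a timeout. Returns 0 if an ipaddr line matches exactly or is the 0.0.0.0/0 catch-all.
client_is_known() {
    conf=$1
    ip=$2
    awk -v ip="$ip" '
        { sub(/#.*/, "") }                                  # drop trailing comments
        /^[[:space:]]*ipaddr[[:space:]]*=/ {
            v = $0
            sub(/^[[:space:]]*ipaddr[[:space:]]*=[[:space:]]*/, "", v)
            sub(/[[:space:]]*$/, "", v)
            if (v == ip || v == "0.0.0.0/0") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$conf"
}

# radius_port_listening [PORT]: is anything bound to the UDP auth port? (Linux ss/netstat)
radius_port_listening() {
    port=${1:-1812}
    if command -v ss >/dev/null 2>&1; then
        ss -lnu | grep -q "[:.]$port "
    elif command -v netstat >/dev/null 2>&1; then
        netstat -lnu | grep -q "[:.]$port "
    else
        echo "neither ss nor netstat found; check the listener by hand" >&2
        return 2
    fi
}

# triage NAS_IP [RADDB]
triage() {
    nas_ip=$1
    raddb=${2:-/usr/local/etc/raddb}
    rc=0
    if radius_port_listening 1812; then
        echo "radiusd is listening on UDP 1812"
    else
        echo "nothing listening on UDP 1812: is radiusd running? start it with radiusd -X" >&2
        rc=1
    fi
    if client_is_known "$raddb/clients.conf" "$nas_ip"; then
        echo "$nas_ip has a client {} entry in $raddb/clients.conf"
    else
        echo "$nas_ip is not in $raddb/clients.conf: its packets are dropped silently" >&2
        rc=1
    fi
    echo "if both pass, look at host firewall / ACLs between $nas_ip and this host, and at radiusd -X"
    return $rc
}

# usage: sh triage.sh 192.0.2.10 [/path/to/raddb]
if [ $# -ge 1 ]; then
    triage "$@"
fi
```

The clients.conf check is the one people skip: a shared secret that is wrong produces a log line in radiusd -X, but an unknown source address produces only "Ignoring request ... from unknown client" on the server and nothing but a timeout on the portal.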