Re: Cannot control attribute ordering via rlm_perl

2012-01-16 Thread Alan DeKok
claude.brown wrote:
 Our new module was designed to replace rlm_sql and meet these goals:
 - Be roughly equivalent to rlm_files in terms of speed
 - Utilise all the features of rlm_files - avoid re-inventing that wheel
 - Allow high rate of user-by-user updates; i.e. avoid config re-write as per
 rlm_fastfile

  The fastusers module is deprecated, because the files module is
just as fast.  The files module also can be HUP'd, so it can be
reloaded on the fly.

  Just use: radmin -e hup files

  and it will reload *only* the files module.  I've tested it at
loading 100K+ users/s off of disk.

 - Simple for stability: no shared in-memory state (avoid locking and races)

  The server core takes care of that when the files module is reloaded.

 - Simple for stability: avoid complex on-disk structures like databases with
 dubious libraries
 - Simple for stability: easy mechanism to re-write entire config (say daily)
 to iron out errors

  Daily config reloads are easy.

 - Simple for stability: re-use as much of freeRADIUS as possible; avoid
 writing lots of new code
 
 We achieved all these goals and can now bring all our customers back
 onto our service in about five minutes. The price is a lot of i-nodes - we
 end up with one file per user in a dir tree.

  5 minutes for what, exactly?

  Say you have a format similar to the users file, with one user per
file.  Loading 100K users will mean 100K file reads, and that can take a
long time.  So, do that in a cron job.  Have it collect the individual
user files into one large file.  That might take 5 minutes, but who
cares?  It's once a day.

  Then, point the files module at the collected file.  It shouldn't
take longer than a second or two to reload it.

 With rlm_sql it would take an hour or two, and then only with careful (and
 human-driven) rate management.

  I'm not sure what that means.  An hour or two to load SQL?  What is it
doing?

 The main issues driving this delay were:
 - rlm_sql calls during EAP negotiation instead of just at the end of EAP

  That can be fixed without a new module.

 - Performance issues on our MySQL backend that we didn't have budget to
 resolve
 - Thread lock-ups inside MySQL library yet no MySQL server queries were
 active

  I've seen lots of people running MySQL with 300K+ users, and no
problems.  The system needs to be designed carefully, but it *does* work.

 If this module is of interest to the community we are happy to contribute
 it.

  I'd first want to know how many users you have.  And why it's taking
so long to get a system up and running.  It sounds like something is
seriously wrong.

  What does it mean to bring customers into service in 5 minutes?
With SQL, you should be able to keep the RADIUS server at 100% uptime.
Then, re-write individual user entries via another administration
process.  Rewriting one user entry should take ~10ms at MOST with any
SQL server.  And when the server starts up, it just connects to SQL.  It
doesn't need to read all of the users from SQL.

  So there's no reason for any downtime, and having 10 users in SQL is
just as fast as having 10M users in SQL.

  It really sounds like your *architecture* is wrong.  Find that and fix
it.  Writing a new module should *not* be necessary.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cannot control attribute ordering via rlm_perl

2012-01-16 Thread Bjørn Mork
Alan DeKok al...@deployingradius.com writes:
 claude.brown wrote:

 - Performance issues on our MySQL backend that we didn't have budget to
 resolve
 - Thread lock-ups inside MySQL library yet no MySQL server queries were
 active

   I've seen lots of people running MySQL with 300K+ users, and no
 problems.  The system needs to be designed carefully, but it *does* work.

You don't even need to be that careful.  Just run a read-only mysql
slave instance locally on the radius server and all mysql-related
performance problems will vanish.

If you do mysql accounting: use buffered-sql aka decoupled-accounting.
It won't fix the performance issues on your accounting mysql-server, but
it will decouple the radius server from any such problems.




Bjørn



[no subject]

2012-01-16 Thread McSparin, Joe
Is there a way to add the removal of delimiters such as - or : to
the rewrite_calling_station_id section?

Thanks,
Joe




-- 
This email message and any attachments are for the sole use of the intended 
recipient(s) and contain confidential and/or privileged information. Any 
unauthorized review, use, disclosure or distribution is prohibited. If you are 
not the intended recipient, please contact the sender by reply email and 
destroy all copies of the original message and any attachments.




Re:

2012-01-16 Thread Arran Cudbard-Bell

On 16 Jan 2012, at 15:22, McSparin, Joe wrote:

 Is there a way to add the removal of delimiters such as - or : to the
 rewrite_calling_station_id section?
 
Course.

Just change

update request {
	Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
}

to

update request {
	Calling-Station-Id := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
}

-Arran
 Thanks, 
 Joe

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
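For context, here is an added example (written for this digest, not taken from the thread or from the stock policy.conf) of what a complete rewrite_calling_station_id policy can look like once the delimiters are dropped; the regex accepts a MAC written with "-", ":" or "." separators, or none at all, and the update writes the canonical form. Whatever canonical form you pick, the Calling-Station-Id values stored in the users file or SQL must use the same one, or the check item will never match.

```unlang
# policy.conf (assumed location): normalise Calling-Station-Id before lookup.
# Added example approximating the stock policy, with delimiters removed.
rewrite_calling_station_id {
	# Six hex octets, each pair optionally separated by "-", ":" or ".".
	# "aabb.ccdd.eeff" (Cisco style) matches too, as the separator is optional.
	if (request:Calling-Station-Id =~ /^([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})$/i) {
		update request {
			# Canonical form used for all lookups: lowercase, no delimiters.
			Calling-Station-Id := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
		}
	}
	else {
		# Not a MAC address (or malformed): leave the attribute untouched
		# so the rest of the policy decides what to do with it.
		noop
	}
}
```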



merging two systems

2012-01-16 Thread Blake Hudson
I have two systems that both use freeradius out of MySQL. I would like 
to consolidate onto a single system, but maintain the database 
separation to ensure there are no username collisions and ease in 
auditing/reporting, etc. System A already has a database of freeradius_A 
and system B has a database of freeradius_B.


What is the preferred method to configure freeradius to authenticate two 
sets of users out of two databases? Should I look at running multiple 
instances of freeRADIUS or can I utilize both databases with one instance?


--Blake


RE: merging two systems

2012-01-16 Thread Brian Julin

Blake Hudson [bl...@ispn.net] writes:
 What is the preferred method to configure freeradius to authenticate two
 sets of users out of two databases? Should I look at running multiple
 instances of freeRADIUS or can I utilize both databases with one instance?

This should be doable by defining multiple named sql instances, then, based on 
the criteria you use to separate sessions for the two services, invoke one or
the other of them by name appropriately.  Basically look for every place in
the configs where the sql module is called, either as a directive, or inside a 
string xlat, and you would have to multiplex each of those statements to
use the appropriate name (instead of sql) in the appropriate case.

Also, multiple instances of FreeRADIUS are not hard to do, and can sometimes
be preferable if you would like to add a bit more partitioning from a security
perspective, but each will require its own port and/or IP address so your
NAS flexibility may play a part in that decision.



RE:

2012-01-16 Thread McSparin, Joe
perfect thanks.
 



From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Monday, January 16, 2012 8:39 AM
To: FreeRadius users mailing list
Subject: Re:



On 16 Jan 2012, at 15:22, McSparin, Joe wrote:


Is there a way to add the removal of delimiters such as - or
: to the rewrite_calling_station_id section?

Course.

Just change 

update request {
	Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
}

to

update request {
	Calling-Station-Id := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
}

-Arran





Re: merging two systems

2012-01-16 Thread Blake Hudson



Brian Julin wrote the following on 1/16/2012 9:01 AM:

Blake Hudson [bl...@ispn.net] writes:

What is the preferred method to configure freeradius to authenticate two
sets of users out of two databases? Should I look at running multiple
instances of freeRADIUS or can I utilize both databases with one instance?

This should be doable by defining multiple named sql instances, then, based on
the criteria you use to separate sessions for the two services, invoke one or
the other of them by name appropriately.  Basically look for every place in
the configs where the sql module is called, either as a directive, or inside a
string xlat, and you would have to multiplex each of those statements to
use the appropriate name (instead of sql) in the appropriate case.



Thanks for the response, I've created a couple named sql instances, but 
I'm not sure how to configure one nas to use one instance and the other 
nas to use the other instance.


It seems pretty straightforward to use one instance for auth and 
another for accounting, but I did not see an example or documentation on 
how to associate a sql instance to a nas. If you could point me in the 
right direction I'd appreciate it.


--Blake




Re: merging two systems

2012-01-16 Thread Phil Mayers

On 16/01/12 16:55, Blake Hudson wrote:


It seems pretty straight forward to use one instance for auth and
another for accounting, but I did not see an example or documentation on
how to associate a sql instance to a nas. If you could point me in the
right direction I'd appreciate it.


Simply match any attribute you want in the request, and then call the 
relevant modules:


authorize {
 ...
 if (Client-IP-Address == 192.0.2.1) {
   sql1
 }
 elsif (Client-IP-Address == 192.0.2.2) {
   sql2
 }
 ...
}


You probably want to match on Huntgroup, Client-Shortname or some other 
more useful field than source IP.
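Putting Brian's and Phil's suggestions together, here is an added configuration example (not from the thread or the FreeRADIUS distribution) that defines two named sql instances and dispatches on Client-Shortname in both authorize and accounting. The database names freeradius_A and freeradius_B come from Blake's post; the client addresses, shortnames, logins and secrets are placeholders.

```unlang
# sql.conf: two named rlm_sql instances, one per database.
# Both load the stock MySQL queries; only radius_db differs.
sql sql_A {
	database  = "mysql"
	driver    = "rlm_sql_${database}"
	server    = "localhost"
	login     = "radius"
	# placeholder credential
	password  = "CHANGE-ME"
	radius_db = "freeradius_A"
	$INCLUDE sql/${database}/dialup.conf
}
sql sql_B {
	database  = "mysql"
	driver    = "rlm_sql_${database}"
	server    = "localhost"
	login     = "radius"
	# placeholder credential
	password  = "CHANGE-ME"
	radius_db = "freeradius_B"
	$INCLUDE sql/${database}/dialup.conf
}

# clients.conf: the shortname is what the policy below keys on.
# Addresses and shared secrets are placeholders.
client nas_a {
	ipaddr    = 192.0.2.1
	secret    = CHANGE-ME-A
	shortname = nas_a
}
client nas_b {
	ipaddr    = 192.0.2.2
	secret    = CHANGE-ME-B
	shortname = nas_b
}

# sites-enabled/default: repeat the same dispatch wherever the stock
# config would call "sql", so each NAS only ever touches its own database.
authorize {
	preprocess
	if (Client-Shortname == "nas_a") {
		sql_A
	}
	elsif (Client-Shortname == "nas_b") {
		sql_B
	}
	else {
		# A client with no mapping gets no user lookup at all: fail closed.
		reject
	}
	pap
}
accounting {
	if (Client-Shortname == "nas_a") {
		sql_A
	}
	elsif (Client-Shortname == "nas_b") {
		sql_B
	}
}
```

The authenticate section is unchanged from the stock configuration; only the places that name the sql module need the dispatch.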



Re: merging two systems

2012-01-16 Thread Blake Hudson



Phil Mayers wrote the following on 1/16/2012 11:18 AM:

On 16/01/12 16:55, Blake Hudson wrote:


It seems pretty straight forward to use one instance for auth and
another for accounting, but I did not see an example or documentation on
how to associate a sql instance to a nas. If you could point me in the
right direction I'd appreciate it.


Simply match any attribute you want in the request, and then call the 
relevant modules:


authorize {
 ...
 if (Client-IP-Address == 192.0.2.1) {
   sql1
 }
 elsif (Client-IP-Address == 192.0.2.2) {
   sql2
 }
 ...
}


You probably want to match on Huntgroup, Client-Shortname or some 
other more useful field than source IP.




Thanks. That's awesome. I didn't realize that I could create decision 
points in the config like that. Hunt groups combined with a couple if 
statements should provide a great mechanism for what I want to 
implement. Thanks for the direction.


--Blake


Re: compiling freeradius 2.1.12 in Debian squeeze

2012-01-16 Thread Matthew Newton
Hi,

On Sat, Jan 14, 2012 at 06:56:32PM +, Rui Ribeiro wrote:
 One of the problems is freeradius is expecting ltdl 3.x, and
 squeeze has 7; the other is that the file changelog is no more
 in the right format. (though the last one is easily fixed)

Hit this the other day - make sure you don't have old ltdl
(especially -dev) packages hanging around. If you've upgraded from
lenny to squeeze, then you probably have. Purge the old ones &&
install new -dev.


On Sun, Jan 15, 2012 at 09:15:38AM +0700, Fajar A. Nugraha wrote:
 On Sun, Jan 15, 2012 at 8:16 AM, Rui Ribeiro ruyrybe...@gmail.com wrote:
  Indeed just found configure && make works fine; I've been trying
  the whole time to build a deb package.
  fakeroot dpkg-buildpackage -b -uc doesn't work.
 
 I usually just use dpkg-buildpackage -b. Mostly with Ubuntu's debian
 directory, but I'm pretty sure last time I tried 2.1.12 with its
 included debian directory it also works fine. Latest v2.1.x from git
 however won't work since some patches need to be changed.

I tend to use dpkg-buildpackage -us -uc -rfakeroot

In latest git, you need to do

 rm debian/patches/rlm_sql.libs.diff
 sed -i -e '/rlm_sql/d' debian/patches/series

before it will build (may not be the actual fix, but gets it to
build && I'm not using rlm_sql).

Matthew



-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Only Out-of-tunnel

2012-01-16 Thread Sergio Belkin
Hi,

I've found a user and its MAC address with OK status (I mean
Access-Accept) for which the only logs are about out-of-tunnel. I wonder
why this could happen...

Please could you help me?

This is my config, thanks in advance!


impossible to be authenticated

2012-01-16 Thread ousmane sanogo
Hello

Please, I use radius with a captive portal, but I can't authenticate.
I have this message:

pepperspot[2939]: redir.c: 1397: Radius request timed out

what does this mean?


Re: impossible to be authenticated

2012-01-16 Thread Alan DeKok
ousmane sanogo wrote:
 Hello
 
 Please, I use radius with a captive portal, but I can't authenticate.
 I have this message:
 
 pepperspot[2939]: redir.c: 1397: Radius request timed out
 
 what does this mean?

  What part of that message is unclear?

  Do you know what network timeouts are?

  Have you tried running FreeRADIUS in debugging mode, as suggested in
the FAQ, README, man page, and daily on this list?

  Alan DeKok.


Re: Only Out-of-tunnel

2012-01-16 Thread Alan Buxey
Where's the log for when this happens?  As MAC auth wouldn't go through EAP 
tunnel it would suggest that some entry in eg users file is coming into play...

alan



Re: impossible to be authenticated

2012-01-16 Thread Alan Buxey
Hi,

Please, I use radius with a captive portal, but I can't authenticate.
I have this message:
 
pepperspot[2939]: redir.c: 1397: Radius request timed out

Umm, what does your radiusd -X (i.e. the FreeRADIUS server) show?
Anything? I'd suggest the daemon isn't live or the system is firewalled/ACLd.

alan