Re: Re[2]: High Availability
Hello,

Sorry for the delay in responding. Currently in the system I have two MySQL servers configured as master-master. I do not know the FreeRADIUS world at all, so I cannot tell you whether the configuration is load-balancing or just high-availability. The software we have developed connects to one IP (the RADIUS server) and cannot specify more. That is why I asked whether one can mount a balancer on that IP and balance between the other FreeRADIUS servers (detecting failures), but then the balancer itself would have to be configured in HA. Or have two servers, with one as a slave (HA).

As I do not know the FreeRADIUS world, and I have searched but not found information, I wanted to understand a little more how FreeRADIUS works: I did not know whether FreeRADIUS stores flags or similar state in memory, in which case the slave would not have these states, etc. After reading what you indicate to me, it is a little clearer: using two servers with two IPs might work. I thought it would be more complicated because state would be kept in memory or the like. The database part (MySQL) I have resolved; the problem was with FreeRADIUS.

I found this:
http://wiki.freeradius.org/Fail-over
http://wiki.freeradius.org/Load-balancing

I will try what you have told me. Thank you very much.

Regards
Anto

2012/3/3 hashim zayed hashim.za...@gmail.com:
> If you are using MySQL to store accounting and auth data, the best solution is to have MySQL Cluster, which is a highly available shared-nothing DB (no need for any kind of shared storage) with high performance (1 billion transactions, as claimed by Oracle for the new version 7.2.4). By the way, there is a white paper on using FreeRADIUS with MySQL Cluster; you can find it on the MySQL website.
>
> On 2012 3 2 23:32, "McNutt, Justin M." mcnu...@missouri.edu wrote:
>> Be careful with load balancers too. Some NAS don't work well through a load balancer (Trapeze wireless controllers).
>>
>> --J
>>
>> From: Толик Шавловский tolik_shavlov...@mail.ru
>> Reply-To: Толик Шавловский tolik_shavlov...@mail.ru, FreeRadius users mailing list freeradius-users@lists.freeradius.org
>> Date: Thu, 1 Mar 2012 17:52:29 +0400
>> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
>> Subject: Re[2]: High Availability
>>
>>> Hi, if your NAS does not support 2 RADIUS servers you can use a load balancer (e.g. Fortinet).
>>>
>>> 1 March 2012, 15:37, from Phil Mayers p.may...@imperial.ac.uk:
>>>> On 01/03/12 10:16, Anto wrote:
>>>>> Hello
>>>>>
>>>>> In the coming days I will set up a FreeRADIUS server for access control and accounting. I've been looking for information on FreeRADIUS and high availability, since my idea is to have two servers so that in case one fails, we continue to operate with the other, but I have barely found any information. So I turn to the list, in case someone with experience in this scenario can advise me. I do not know if it is feasible to have one server as master and one as slave, so that when the main one falls, the other brings up the interface. Or if there is some kind of RADIUS balancer that uses both servers, etc.
>>>>
>>>> This is a very vague question. You're going to get a lot of either too-vague or too-specific answers. A few things you need to specify:
>>>>
>>>> 1. When you say "high availability", what are you hoping to achieve?
>>>> 2. How long an unscheduled outage can you tolerate? 1 second or 60?
>>>> 3. Do your RADIUS servers talk to external data sources (SQL, LDAP)?
>>>> 4. Do you care about load-balancing, or just high-availability?
>>>>
>>>> I'll make a few comments:
>>>>
>>>> Most NASes support 2 (or more) RADIUS servers, and will fail over when they detect an outage. For resilience, you just need to build two RADIUS servers on different IPs, and specify these in your NAS. You don't need a load-balancer or other complications, and they will just make things less reliable.
>>>>
>>>> Making redundant RADIUS servers is easy; you just build two machines, and run FreeRADIUS on each with the same config. The hard bit is replicating any data sources between them (LDAP, SQL) and handling writes such as accounting packets into SQL, SQL session counters, and so on.
>>>>
>>>> You need to be more specific about what you're doing and what you want to achieve.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius Logrotate settings for FreeBSD
Hi,

We are using FreeRADIUS Version 2.1.12 in FreeBSD v9. Our logrotate settings are like below:

    /var/log/freeradius/radius.log {
        daily
        rotate 8
        create
        missingok
        compress
        postrotate
            kill -HUP `cat /var/run/freeradius/freeradius.pid`
        endscript
    }

After rotation, the radius.log file remains 0 length. What are the correct settings for the postrotate section for FreeRADIUS?

Thanks in advance.

--
Selçuk YAZAR
Re: FreeRadius Logrotate settings for FreeBSD
On Thu, Mar 8, 2012 at 6:04 PM, Selcuk Yazar selcuk.ya...@gmail.com wrote:
> Hi,
>
> We are using FreeRADIUS Version 2.1.12 in FreeBSD v9. Our logrotate settings are like below:
>
>     /var/log/freeradius/radius.log {
>         daily
>         rotate 8
>         create
>         missingok
>         compress
>         postrotate
>             kill -HUP `cat /var/run/freeradius/freeradius.pid`
>         endscript
>     }
>
> After rotation, the radius.log file remains 0 length. What are the correct settings for the postrotate section for FreeRADIUS?

Is the PID file correct? Try restarting FR, and send kill -HUP manually. What does the log file say? Does it say anything about HUP and reopening the log file? Or does it say something like "unable to read configuration file"?

--
Fajar
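Fajar's checks (is the PID file right, does a manual HUP work) are exactly what the one-liner in the quoted postrotate section skips: an empty or stale pidfile turns `kill -HUP `cat pidfile`` into a signal with no target or to the wrong process, and nothing afterwards confirms that the daemon actually reopened the new file. The script below is an added example, not code from this thread or from the FreeRADIUS project. It reads and validates the pidfile, probes that the PID is live before sending SIGHUP, and polls whether the re-created log file receives writes afterwards, which is the symptom reported (a file that stays at 0 bytes). The pidfile path, the log path and the demo that signals the script's own process are constructed for the example.

```python
import os
import signal
import tempfile
import threading
import time


def parse_pid(text: str) -> int:
    """Turn pidfile contents into a PID. Empty or non-numeric contents are an
    error here; in the one-liner kill -HUP `cat pidfile` they silently become
    a kill with no target."""
    text = text.strip()
    if not text.isdigit():
        raise ValueError(f"pidfile does not contain a PID: {text!r}")
    return int(text)


def read_pidfile(path: str) -> int:
    with open(path, encoding="ascii") as fh:
        return parse_pid(fh.read())


def process_alive(pid: int) -> bool:
    """Signal 0 only checks that the PID exists; nothing is delivered."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but is owned by another user
    return True


def reopen_logs(pidfile: str) -> int:
    """The postrotate step with its preconditions made explicit: a readable,
    numeric pidfile naming a live process. Returns the PID that was signalled."""
    pid = read_pidfile(pidfile)
    if not process_alive(pid):
        raise RuntimeError(f"stale pidfile {pidfile}: no process with PID {pid}")
    os.kill(pid, signal.SIGHUP)
    return pid


def log_written_after(logfile: str, since: float, timeout: float = 5.0) -> bool:
    """True once the re-created log has data written after `since`; a file
    that stays at 0 bytes is the symptom of a daemon that never reopened it."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            st = os.stat(logfile)
            if st.st_size > 0 and st.st_mtime >= since:
                return True
        except FileNotFoundError:
            pass
        time.sleep(0.1)
    return False


def demo_on_self() -> dict:
    """Run the checks against this process: a constructed pidfile holding our
    own PID, and a SIGHUP handler so the signal is observed rather than fatal."""
    received = []
    # handlers can only be installed from the main thread; elsewhere skip the signal
    can_trap = threading.current_thread() is threading.main_thread()
    previous = signal.signal(signal.SIGHUP, lambda *_: received.append(True)) if can_trap else None
    try:
        with tempfile.TemporaryDirectory() as tmp:
            pidfile = os.path.join(tmp, "radiusd.pid")  # constructed path
            with open(pidfile, "w", encoding="ascii") as fh:
                fh.write(f"{os.getpid()}\n")
            pid = reopen_logs(pidfile) if can_trap else read_pidfile(pidfile)
        time.sleep(0.05)  # give the pending handler a chance to run
    finally:
        if can_trap:
            signal.signal(signal.SIGHUP, previous)
    return {"pid": pid, "alive": process_alive(pid),
            "hup_delivered": bool(received) if can_trap else None}


if __name__ == "__main__":
    print(demo_on_self())
```

Used as a postrotate script, `reopen_logs` would be called with the real pidfile, followed by `log_written_after` on the rotated-in log; a `False` from the latter points at the daemon (wrong pidfile, or a HUP that did not reopen) rather than at logrotate.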
freeradius + ntlm_auth, broken?
Hello,

I am trying to set up AD as the FreeRADIUS authentication oracle. My system:

    ohv:/etc/raddb/modules # radiusd -v
    radiusd: FreeRADIUS Version 2.1.12, for host x86_64-suse-linux-gnu, built on Oct 19 2011 at 13:55

I followed these guidelines: http://deployingradius.com/documents/configuration/active_directory.html, and everything went great (user logons OK, all the tests described in the howto went OK) until the last part, "MS-CHAP + ntlm_auth". OK, what happens when I try to authenticate via MS-CHAP:

    ohv:/etc/samba # radtest -t mschap freeradius.test passwordschmassword localhost 0 testing123
    Sending Access-Request of id 11 to 127.0.0.1 port 1812
            User-Name = "freeradius.test"
            NAS-IP-Address = 10.128.160.4
            NAS-Port = 0
            Message-Authenticator = 0x
            MS-CHAP-Challenge = 0x7c68b9721c3a0b46
            MS-CHAP-Response = 0x000113e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=11, length=38
            MS-CHAP-Error = "\000E=691 R=1"

Let's see the FreeRADIUS log:

    Thu Mar 8 13:42:03 2012 : Info: Found Auth-Type = MSCHAP
    Thu Mar 8 13:42:03 2012 : Info: # Executing group from file /etc/raddb/sites-enabled/default
    Thu Mar 8 13:42:03 2012 : Info: +- entering group MS-CHAP {...}
    Thu Mar 8 13:42:03 2012 : Info: [mschap] Told to do MS-CHAPv1 with NT-Password
    Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=freeradius.test
    Thu Mar 8 13:42:03 2012 : Info: [mschap] No NT-Domain was found in the User-Name.
    Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: %{mschap:NT-Domain} ->
    Thu Mar 8 13:42:03 2012 : Info: [mschap] ... expanding second conditional
    Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: --domain=%{%{mschap:NT-Domain}:-LOCAL} -> --domain=LOCAL
    Thu Mar 8 13:42:03 2012 : Info: [mschap] mschap1: 7c
    Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=7c68b9721c3a0b46
    Thu Mar 8 13:42:03 2012 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
    Thu Mar 8 13:42:03 2012 : Debug: Exec-Program output: Reading winbind reply failed! (0xc001)
    Thu Mar 8 13:42:03 2012 : Debug: Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001)
    Thu Mar 8 13:42:03 2012 : Debug: Exec-Program: returned: 1
    Thu Mar 8 13:42:03 2012 : Info: [mschap] External script failed.
    Thu Mar 8 13:42:03 2012 : Info: [mschap] MS-CHAP-Response is incorrect.
    Thu Mar 8 13:42:03 2012 : Info: ++[mschap] returns reject

OK, let's strace this, find the actual command line sent to freeradius, and try it out on the command line (edited to follow correct syntax!). The command line looks like this:

    /usr/bin/ntlm_auth --request-nt-key, --username=freeradius.test, --domain=LOCAL, --challenge=0x7c68b9721c3a0b46, --nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
    Logon failure (0xc06d)

Wait, what? Let's re-check:

    ntlm_auth --request-nt-key --domain=local --username=freeradius.test --password=passwordschmassword
    NT_STATUS_OK: Success (0x0)

It seems that the values for challenge and response are getting filled in incorrectly. I also tried turning the with_ntdomain_hack parameter on and off, but to no avail. Is FreeRADIUS at all responsible for filling in those parameters, or how can I fix this behaviour?

Andres Septer
Systems Administrator
Navirec Software OÜ
Tallinn, Estonia
http://navirec.com
RE: FreeRadius Logrotate settings for FreeBSD
Hi,

You probably need to HUP your log daemon as well.

cheers,
tamas

From: freeradius-users-bounces+tamas.becz=ericsson@lists.freeradius.org [mailto:freeradius-users-bounces+tamas.becz=ericsson@lists.freeradius.org] On Behalf Of Selcuk Yazar
Sent: Thursday, March 08, 2012 12:04 PM
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius Logrotate settings for FreeBSD

> Hi,
>
> We are using FreeRADIUS Version 2.1.12 in FreeBSD v9. Our logrotate settings are like below:
>
>     /var/log/freeradius/radius.log {
>         daily
>         rotate 8
>         create
>         missingok
>         compress
>         postrotate
>             kill -HUP `cat /var/run/freeradius/freeradius.pid`
>         endscript
>     }
>
> After rotation, the radius.log file remains 0 length. What are the correct settings for the postrotate section for FreeRADIUS?
>
> Thanks in advance.
>
> --
> Selçuk YAZAR
Re: freeradius + ntlm_auth, broken?
On 08/03/12 11:56, Andres Septer wrote:
> --nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
> Thu Mar 8 13:42:03 2012 : Debug: Exec-Program output: Reading winbind reply failed! (0xc001)

Weird. It looks a bit like ntlm_auth failed completely here. Check for permissions, SELinux settings, and so on. Check the winbind log files, and perhaps try using "strace -f -p freerad.pid -o log" to watch process execution.
rlm_perl, aaa, dialup admin
Hi...

I have a lot of problems configuring FreeRADIUS. First, I have a web service and a Perl client to obtain users and passwords from an external database. I used rlm_perl with a Perl script in the authentication function and it works... but I need to implement dialup admin (or daloradius) for accounting... but I read that dialup admin works with a MySQL database, so... what do I need to use for dialup admin to work? And which archives do I need to edit (users, radiusd.conf, etc.) to authenticate with rlm_perl and authorize and account with MySQL?

--
Fabricio A. Flores G.
Graduate in Systems Engineering
MSN: fabri_flor...@hotmail.com
Google: fabriflor...@gmail.com
Twitter: fabricioflores
Skype: fabriciofloresgallardo
Personal blog: http://fabricioflores.wordpress.com/
Tracing access request chain
I'm trying to trace an access attempt that occurred today so that I can categorically say to a user "you were successfully connected to our network", or not, whatever the case may be. However, I'm struggling to create a chain of events by going through the logs.

I can see by grepping the logs in the radacct folder that the user sent the Access-Request. The results are in both the auth-detail and the pre-proxy-detail logs. From there I can see in my internal RADIUS servers that the access was accepted, but I cannot find any reference to the user, or any of the incoming conversation, in the outgoing logs like post-proxy or reply. I was hoping I'd see a reference to the username and Access-Accept or similar.

Can someone please help me out by letting me know if there is one common string that will help me trace one request, incoming and outgoing?

Cheers,
Andi

From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here: http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx
RE: freeradius + ntlm_auth, broken?
> Check the winbind log files,

Did that already. Nothing interesting there, only lines like:

    [2012/03/08 14:32:17.115991, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
      [25675]: request location of privileged pipe
    [2012/03/08 14:32:17.117136, 6] winbindd/winbindd.c:840(winbind_client_request_read)
      closing socket 26, client exited

> and perhaps try using strace -f -p freerad.pid -o log to watch process execution.

I already did that to get the command line. When I run that line manually I get "login failed". I am trying to figure out how to capture the actual ntlm_auth output from within the freerad process.

Also, where does freerad get the values for the parameters

    MS-CHAP-Challenge = 0xd50bd065d4215da9
    MS-CHAP-Response = 0x00011e7c77d05691cb2822a6670bf0b458e251c4ef170a2c2fff

? Those seem to be wrong. When I use them manually from the command line I get "login failed".

A.
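The question of where the --challenge and --nt-response values come from is answered by the [mschap] expansions in the first post's log: they are hex dumps of the 8-byte MS-CHAP-Challenge and of the NT-Response field of the MS-CHAP-Response attribute. The script below is an added example, not code from this thread, from FreeRADIUS or from Samba. It parses the 50-byte MS-CHAPv1 response layout from RFC 2548, splits DOMAIN\user the way the "No NT-Domain was found" message implies, rebuilds the argument list in the shape the log's expansions show, and flags hex arguments that are not plain hex of the right length (the manually typed command in the first post carried a 0x prefix on --challenge that the expansion did not). The 50-byte sample attribute is constructed: its challenge and NT-Response are the values from the first post, while the LM-Response field is zero-filled by assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MSChapV1Response:
    """Fields of the 50-byte MS-CHAP-Response attribute (RFC 2548, 2.1.3)."""
    ident: int
    flags: int
    lm_response: bytes  # 24 bytes
    nt_response: bytes  # 24 bytes

    @property
    def uses_nt_response(self) -> bool:
        # Flags bit 0 set: the NT-Response field is the one to verify (RFC 2433)
        return bool(self.flags & 0x01)


def parse_mschap_response(raw: bytes) -> MSChapV1Response:
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP-Response must be 50 bytes, got {len(raw)}")
    return MSChapV1Response(raw[0], raw[1], raw[2:26], raw[26:50])


def split_nt_domain(user_name: str) -> Tuple[Optional[str], str]:
    """DOMAIN\\user -> (DOMAIN, user). A bare name yields no NT-Domain, which
    is what the log's "No NT-Domain was found in the User-Name" reports."""
    domain, sep, user = user_name.partition("\\")
    return (domain, user) if sep else (None, user_name)


def ntlm_auth_args(user_name: str, challenge: bytes, resp: MSChapV1Response,
                   default_domain: str = "LOCAL") -> List[str]:
    """Argument list in the shape the [mschap] expansions print: bare lowercase
    hex with no 0x prefix, and the domain falling back to LOCAL."""
    if len(challenge) != 8:
        raise ValueError("MS-CHAPv1 challenge is 8 bytes")
    if not resp.uses_nt_response:
        raise ValueError("Flags bit 0 clear: no NT-Response for ntlm_auth")
    domain, user = split_nt_domain(user_name)
    return [
        "--request-nt-key",
        f"--username={user}",
        f"--domain={domain or default_domain}",
        f"--challenge={challenge.hex()}",
        f"--nt-response={resp.nt_response.hex()}",
    ]


def hex_argument_problems(args: List[str]) -> List[str]:
    """Report --challenge/--nt-response values that are not plain hex of the
    expected length (a 0x prefix, odd length, stray characters)."""
    expected = {"--challenge": 8, "--nt-response": 24}
    problems = []
    for arg in args:
        name, sep, value = arg.partition("=")
        if not sep or name not in expected:
            continue
        try:
            decoded = bytes.fromhex(value)
        except ValueError:
            problems.append(f"{name}: not plain hex: {value!r}")
            continue
        if len(decoded) != expected[name]:
            problems.append(f"{name}: {len(decoded)} bytes, expected {expected[name]}")
    return problems


# Values from the first post: the 8-byte challenge and the 24-byte NT-Response
# shown by the [mschap] expansions. The full 50-byte attribute is constructed
# here; its LM-Response field is zero-filled by assumption.
CHALLENGE = bytes.fromhex("7c68b9721c3a0b46")
NT_RESPONSE = bytes.fromhex("13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a")
SAMPLE_ATTRIBUTE = bytes([0x00, 0x01]) + bytes(24) + NT_RESPONSE


if __name__ == "__main__":
    resp = parse_mschap_response(SAMPLE_ATTRIBUTE)
    print(resp.ident, resp.flags, resp.uses_nt_response)
    print(" ".join(ntlm_auth_args("freeradius.test", CHALLENGE, resp)))
    print(hex_argument_problems(["--challenge=0x7c68b9721c3a0b46"]))
```

Running `hex_argument_problems` over a command line reconstructed from strace is a quick way to tell a transcription slip from a genuinely wrong value before blaming the module or winbind.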
Re: How do I stop reading of detail file after a certain threshold is reached
Thanks Alan and Fajar,

How do I ensure the buffered-sql file gets included by the server? Do I need an additional default virtual server configuration to enable buffered-sql? Where are the SQL queries picked up from if there is no buffered-sql?

Also, how does the dialup admin interface pick up server/SQL information if I wish to incorporate that in the product?

Thanks in advance,
vivek
RE: proxy server goes deaf after Client has closed connection (RadSec to home server)
Alan DeKok [al...@deployingradius.com] wrote:
Sent: Wednesday, March 07, 2012 3:52 AM
To: FreeRadius users mailing list
Subject: Re: proxy server goes deaf after Client has closed connection (RadSec to home server)

> Brian Julin wrote:
>> (at this point the server does not see any additional requests sent to it, so we kill it to see if it is hanging out anywhere interesting... really should do this several times more to verify... maybe try a kill -9 next time...)
>
> It's hanging because it's trying to lock the proxy mutex twice. That's a no-no. I'll push a fix later today.

This keeps the server listening, but there are some lingering issues:

    10:40:31 : Info: (18) Proxying request to home server XXX.XXX.XXX.XXX port 2083
    10:40:31 : Debug: Proxy is writing 123 bytes to SSL
    10:40:31 : Debug: Thread 1 waiting to be assigned a request
    10:40:31 : Debug: Proxy SSL socket has data to read
    10:40:31 : Debug: Client has closed connection
    10:40:31 : Info: ... closing socket proxy (YYY.YYY.YYY.YYY, 39314) -> home_server (XXX.XXX.XXX.XXX, 2083)
    10:40:31 : Debug: Waking up in 0.3 seconds.
    10:40:31 : Debug: Waking up in 0.4 seconds.
    10:40:31 : Debug: Waking up in 29.1 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 51126, id=247, length=147
    10:40:34 : Debug: Opening new proxy (YYY.YYY.YYY.YYY, 0) -> home_server (XXX.XXX.XXX.XXX, 2083)
    10:40:34 : Debug: Trying SSL to port 2083
    10:40:34 : Debug: Requiring Server certificate
    10:40:34 : Debug: Listening on proxy (YYY.YYY.YYY.YYY, 41712) -> home_server (XXX.XXX.XXX.XXX, 2083)
    10:40:34 : Debug: No Post-Proxy-Type Fail: ignoring
    10:40:34 : Debug: Waking up in 26.8 seconds.

(... resends from the client don't work... This may or may not be time-window related...)

    rad_recv: Access-Request packet from host 127.0.0.1 port 51126, id=247, length=147
    10:40:40 : Proxy: (18) Failed to insert entry into proxy list.
    10:40:40 : Proxy: (18) Failed to insert initial packet into the proxy list.
    10:40:40 : Debug: No Post-Proxy-Type Fail: ignoring
    10:40:40 : Debug: Waking up in 20.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 51126, id=247, length=147
    10:40:52 : Proxy: (18) Failed to insert entry into proxy list.
    10:40:52 : Proxy: (18) Failed to insert initial packet into the proxy list.
    10:40:52 : Debug: No Post-Proxy-Type Fail: ignoring
    10:40:52 : Debug: Waking up in 8.9 seconds.
    10:41:01 : Debug: Waking up in 4.9 seconds.
    10:41:06 : Info: (18) Cleaning up request packet ID 247 with timestamp +4879
    10:41:06 : Info: Ready to process requests.

(...this next set of requests succeeds...)

    rad_recv: Access-Request packet from host 127.0.0.1 port 51126, id=251, length=147
    10:48:06 : Debug: Waking up in 0.3 seconds.
    10:48:06 : Debug: Thread 4 got semaphore
    10:48:06 : Debug: Thread 4 handling request 19, (10 handled so far)
    (...)
    10:48:06 : Info: (27) Finished request 27.
    10:48:06 : Debug: Thread 2 waiting to be assigned a request
    10:48:06 : Debug: Waking up in 0.1 seconds.
    10:48:07 : Debug: Waking up in 4.1 seconds.
    10:48:11 : Info: (19) Cleaning up request packet ID 251 with timestamp +5334
    10:48:11 : Info: (20) Cleaning up request packet ID 177 with timestamp +5334
    10:48:11 : Info: (21) Cleaning up request packet ID 59 with timestamp +5334
    10:48:11 : Info: (22) Cleaning up request packet ID 56 with timestamp +5334
    10:48:11 : Debug: Waking up in 0.1 seconds.
    10:48:11 : Info: (24) Cleaning up request packet ID 183 with timestamp +5334
    10:48:11 : Info: (25) Cleaning up request packet ID 243 with timestamp +5334
    10:48:11 : Info: (26) Cleaning up request packet ID 134 with timestamp +5334
    10:48:11 : Info: (27) Cleaning up request packet ID 128 with timestamp +5334
    10:48:11 : Info: Ready to process requests.

(...however, this can now happen on subsequent requests, or sometimes out of the blue. It doesn't always...)

    10:56:37 : Debug: Proxy SSL socket has data to read
    10:56:37 : Debug: Client has closed connection
    10:56:37 : Info: ... closing socket proxy (YYY.YYY.YYY.YYY, 41712) -> home_server (XXX.XXX.XXX.XXX, 2083)
    10:56:37 : Error: Fatal error removing socket: (unknown error)
    [Thread 0x74f94700 (LWP 24568) exited]
    [Thread 0x75995700 (LWP 24567) exited]
    [Thread 0x76d97700 (LWP 24565) exited]
    [Thread 0x76396700 (LWP 24566) exited]

(...That one above was from out of the blue. This one I put a breakpoint in and it happened while processing a request..)

    Breakpoint 1, event_new_fd (this=0x805790) at process.c:3715
    3715            radlog(L_ERR, "Fatal error removing socket: %s",
    (gdb) bt
    #0  event_new_fd (this=0x805790) at process.c:3715
    #1  0x0043c718 in proxy_tls_recv (listener=0x805790) at tls_listen.c:499
    #2  0x00430a9a in event_socket_handler (xel=<value optimized out>, fd=<value optimized out>, ctx=0x805790) at process.c:3327
    #3  0x77deddfb in fr_event_loop (el=0x7d0c20) at event.c:415
    #4
Re: How do I stop reading of detail file after a certain threshold is reached
Hi,

> How do I ensure the buffered-sql file gets included by the server? Do I need an additional default Virtual Server configuration to enable the buffered-sql?

You ensure there's a link to it from sites-enabled into sites-available.

> Where are the SQL queries picked up from if there is no buffered sql?

Your current default/inner-tunnel etc. virtual servers.

> Also, how does dialup admin interface pick up server/sql information if I wish to incorporate that in the product?

Configuration file.

alan
Re: Tracing access request chain
Hi,

> I can see by grepping the logs in the radacct folder that the user sent the access-request. The results are in both the auth-detail and the pre-proxy-detail logs. From there I can see in my internal radius servers that the access was accepted, but I cannot find any reference to the user, or the any of the incoming conversation in the outgoing logs like post-proxy, or reply. I was hoping I'd see a reference to the username and Access-Accept or similar.

You're not doing any accounting? The accounting packets would have the User-Name, IP address, MAC address etc. in them; the presence of these shows that the client is online and doing things.

The reply-detail log should have the User-Name alongside the Access-Accept. For basic success/fail, the basic "auth = yes" in the log {} section of radiusd.conf will show the 'Login OK' and 'Invalid user' messages for each User-Name.

alan
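Alan's answer amounts to: correlate by User-Name across the detail files and the reply log. The script below is an added example, not code from this thread or from the FreeRADIUS project. It parses files in the rlm_detail layout (a timestamp header, tab-indented "Attribute = value" lines, a blank line closing each record), pulls every record naming a given user from the auth-detail, pre-proxy-detail and reply-detail logs into one time-ordered chain, and summarises whether an Access-Accept or Access-Reject was logged for that user. The sample records are constructed; that each record carries a Packet-Type attribute is an assumption, and the verdict logic is the example's own.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample detail-file contents in the rlm_detail layout. Not taken
# from the thread; the Packet-Type attribute on every record is an assumption.
AUTH_DETAIL = """\
Thu Mar  8 09:15:02 2012
\tPacket-Type = Access-Request
\tUser-Name = "alice"
\tNAS-IP-Address = 10.0.0.5
\tCalling-Station-Id = "00-11-22-33-44-55"

Thu Mar  8 09:20:40 2012
\tPacket-Type = Access-Request
\tUser-Name = "bob"
\tNAS-IP-Address = 10.0.0.5

"""
PRE_PROXY_DETAIL = """\
Thu Mar  8 09:15:02 2012
\tPacket-Type = Access-Request
\tUser-Name = "alice"
\tProxy-To-Realm = "internal"

"""
REPLY_DETAIL = """\
Thu Mar  8 09:15:03 2012
\tPacket-Type = Access-Accept
\tUser-Name = "alice"

Thu Mar  8 09:20:41 2012
\tPacket-Type = Access-Reject
\tUser-Name = "bob"

"""

Record = Tuple[datetime, Dict[str, str]]
Event = Tuple[datetime, str, str]  # (time, log name, Packet-Type)


def parse_detail(text: str) -> List[Record]:
    """Split a detail file into (timestamp, attributes) records."""
    records: List[Record] = []
    current = None
    for line in text.splitlines():
        if not line.strip():                 # blank line closes a record
            if current is not None:
                records.append(current)
                current = None
            continue
        if not line[0].isspace():            # unindented line is the header
            stamp = datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Y")
            current = (stamp, {})
            continue
        if current is None:
            raise ValueError(f"attribute line before any header: {line!r}")
        name, sep, value = line.strip().partition(" = ")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        current[1][name] = value.strip().strip('"')
    if current is not None:
        records.append(current)
    return records


def trace_user(user: str, logs: Dict[str, List[Record]]) -> List[Event]:
    """Every record naming `user`, across all logs, in time order."""
    events: List[Event] = []
    for log_name, records in logs.items():
        for stamp, attrs in records:
            if attrs.get("User-Name") == user:
                events.append((stamp, log_name, attrs.get("Packet-Type", "unknown")))
    events.sort()
    return events


def verdict(events: List[Event]) -> str:
    kinds = {packet_type for _, _, packet_type in events}
    if "Access-Accept" in kinds:
        return "accepted"
    if "Access-Reject" in kinds:
        return "rejected"
    if "Access-Request" in kinds:
        return "request seen, no reply logged"
    return "not seen"


def sample_logs() -> Dict[str, List[Record]]:
    return {
        "auth-detail": parse_detail(AUTH_DETAIL),
        "pre-proxy-detail": parse_detail(PRE_PROXY_DETAIL),
        "reply-detail": parse_detail(REPLY_DETAIL),
    }


if __name__ == "__main__":
    logs = sample_logs()
    for user in ("alice", "bob", "carol"):
        events = trace_user(user, logs)
        print(f"{user}: {verdict(events)}")
        for stamp, log_name, packet_type in events:
            print(f"  {stamp:%Y-%m-%d %H:%M:%S}  {log_name:<18} {packet_type}")
```

Against real files, replace the constants with the contents of the detail files under the radacct directory; a user whose chain ends at "request seen, no reply logged" is the case in the original question, where the outgoing side needs the reply log (or "auth = yes") enabled to close the chain.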
Re: freeradius + ntlm_auth, broken?
Hi,

>> Check the winbind log files,
>
> Did that already. Nothing interesting there, only lines like:
>
>     [2012/03/08 14:32:17.115991, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>       [25675]: request location of privileged pipe
>     [2012/03/08 14:32:17.117136, 6] winbindd/winbindd.c:840(winbind_client_request_read)
>       closing socket 26, client exited
>
>> and perhaps try using strace -f -p freerad.pid -o log to watch process execution.
>
> I already did that to get the command line. When I run that line manually I get "login failed". I am trying to figure out how to capture the actual ntlm_auth output from within the freerad process.
>
> Also, where does freerad get the values for the parameters
>
>     MS-CHAP-Challenge = 0xd50bd065d4215da9
>     MS-CHAP-Response = 0x00011e7c77d05691cb2822a6670bf0b458e251c4ef170a2c2fff
>
> ? Those seem to be wrong. When I use them manually from the command line I get "login failed".

Which version of Samba are you running? Versions 3.2 - 3.5 have b0rked return things - fixed in the latest 3.6 - on the command line things work okay, but when a program is using the return values they are wrong (or something to that effect; can't recall all the details), but the recommendation is 3.0.x (RHEL5 classic) or 3.6 (new distro). The mailing list logs are filled with previous discussion.

alan