RE: FW: Radacct table not working properly

2012-03-27 Thread Javier Ruiz Escalante
Hello,

My server has installed Chillispot and Freeradius, everything is working
properly and now I want to use Freeradius without Chillispot. As soon as I
uninstall chillispot the radacct table stops working. Can anybody tell me why?


Thanks

Regards


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FW: Radacct table not working properly

2012-03-27 Thread Alan DeKok
Javier Ruiz Escalante wrote:
> My server has installed Chillispot and Freeradius, everything is working
> properly and now I want to use Freeradius without Chillispot. As soon as I
> uninstall chillispot the radacct table stops working. Can anybody tell me why?

  If you don't send it RADIUS packets, it doesn't do anything.

  Alan DeKok.


Re: update reply problem

2012-03-27 Thread Ana Gallardo Gómez
Hello and thank you for your response.

>   Is this only in Post-Auth-Type Reject?


Yes because if I add this in authorize to test:

   ldap
   perl
   update reply {
       Codigo-Reject = Error-Dominio
   }

>   What does radiusd -Xxx say ?


the debug info with -Xxx is:

Tue Mar 27 09:36:22 2012 : Info: # Executing section post-auth from file
/etc/freeradius/sites-enabled/eduroam-inner-tunnel
Tue Mar 27 09:36:22 2012 : Info: +- entering group post-auth {...}
Tue Mar 27 09:36:22 2012 : Info: [sql] expand: %{Stripped-User-Name} -
02747632
Tue Mar 27 09:36:22 2012 : Info: [sql] expand:
%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} - 02747632
Tue Mar 27 09:36:22 2012 : Info: [sql] sql_set_user escaped user --
'02747632'
Tue Mar 27 09:36:22 2012 : Info: [sql] expand: INSERT INTO
radpostauth   (username, mac, client, reply,
authdate,codreject,radauth)   VALUES
(   LOWER('%{User-Name}'),
LOWER('%i'),   '%C',
'%{reply:Packet-Type}', NOW(),
'%{reply:Codigo-Reject}','radius') - INSERT INTO
radpostauth   (username, mac, client, reply,
authdate,codreject,radauth)   VALUES
(   LOWER('02747632'),
LOWER('66:77:99:B1:A0:2F'),   'PA',
'Access-Accept', NOW(),   'Error-Dominio','radius')
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql) in sql_postauth: query is
INSERT INTO radpostauth   (username, mac, client,
reply, authdate,codreject,radauth)   VALUES
(   LOWER('02747632'),
LOWER('66:77:99:B1:A0:2F'),   'PA',
'Access-Accept', NOW(),   'Error-Dominio','radius')
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected
handle 1..
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected
handle 0..
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected
handle 4..
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected
handle 3..
Tue Mar 27 09:36:22 2012 : Debug: rlm_sql (sql): Ignoring unconnected
handle 2..
Tue Mar 27 09:36:22 2012 : Info: ++[sql] returns fail
Tue Mar 27 09:36:22 2012 : Info: ++? if (fail)
Tue Mar 27 09:36:22 2012 : Info: ? Evaluating (fail) - TRUE
Tue Mar 27 09:36:22 2012 : Info: ++? if (fail) - TRUE
Tue Mar 27 09:36:22 2012 : Info: ++- entering if (fail) {...}
Tue Mar 27 09:36:22 2012 : Info: +++[reply] returns fail
Tue Mar 27 09:36:22 2012 : Info: [reply_log] expand:
/var/log/freeradius/radacct/%Y/%m/%d/%{Client-IP-Address}-reply-detail-%Y%m%d
- /var/log/freeradius/radacct/2012/03/27/10.253.40.43-reply-detail-20120327
Tue Mar 27 09:36:22 2012 : Info: [reply_log]
/var/log/freeradius/radacct/%Y/%m/%d/%{Client-IP-Address}-reply-detail-%Y%m%d
expands to
/var/log/freeradius/radacct/2012/03/27/10.253.40.43-reply-detail-20120327
Tue Mar 27 09:36:22 2012 : Info: [reply_log] expand: %t - Tue Mar 27
09:36:22 2012
Tue Mar 27 09:36:22 2012 : Info: +++[reply_log] returns ok
Tue Mar 27 09:36:22 2012 : Info: +++[reject] returns reject
Tue Mar 27 09:36:22 2012 : Info: ++- if (fail) returns reject
} # server eduroam-inner-tunnel
Tue Mar 27 09:36:22 2012 : Info: [ttls] Got tunneled reply code 3
Relaciones = 03
Nombre-Completo = MARCOS
*Codigo-Reject = Error-Dominio*
Tue Mar 27 09:36:22 2012 : Info: [ttls] Got tunneled Access-Reject
Tue Mar 27 09:36:22 2012 : Info: [eapeduroam] Handler failed in EAP/ttls
Tue Mar 27 09:36:22 2012 : Info: [eapeduroam] Failed in EAP select
Tue Mar 27 09:36:22 2012 : Info: ++[eapeduroam] returns invalid
Tue Mar 27 09:36:22 2012 : Info: Failed to authenticate the user.
Tue Mar 27 09:36:22 2012 : Info: } # server eduroam
Tue Mar 27 09:36:22 2012 : Info: Using Post-Auth-Type Reject
Tue Mar 27 09:36:22 2012 : Info: # Executing group from file
/etc/freeradius/sites-enabled/eduroam
Tue Mar 27 09:36:22 2012 : Info: +- entering group REJECT {...}
Tue Mar 27 09:36:22 2012 : Info: ++[reply] returns noop
Tue Mar 27 09:36:22 2012 : Info: [sql] expand: %{Stripped-User-Name} -
02747632
Tue Mar 27 09:36:22 2012 : Info: [sql] expand:
%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} - 02747632
Tue Mar 27 09:36:22 2012 : Info: [sql] sql_set_user escaped user --
'02747632'
Tue Mar 27 09:36:22 2012 : Info: [sql] expand: INSERT INTO
radpostauth   (username, mac, client, reply,
authdate,codreject,radauth)   VALUES
(   LOWER('%{User-Name}'),
LOWER('%i'),   '%C',
'%{reply:Packet-Type}', NOW(),
'%{reply:Codigo-Reject}','radius') - INSERT INTO
radpostauth   (username, mac, client, reply,
authdate,codreject,radauth)   VALUES
(   LOWER('02747632'),
LOWER('66:77:99:B1:A0:2F'),   'PA',
'Access-Reject', NOW(),   'Credenciales-Erroneas

RE: FW: Radacct table not working properly

2012-03-27 Thread Javier Ruiz Escalante
Hello,

I send radius packets, (as long as I know...) I have a hotspot from Mikrotik
and I have Radius configured, my client logs on and the information sent by
MKT goes to a file but not to radacct table.

Thanks

Regards
-Original Message-
From: freeradius-users-bounces+fruiz002=hotmail@lists.freeradius.org
[mailto:freeradius-users-bounces+fruiz002=hotmail@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: martes, 27 de marzo de 2012 9:58
To: FreeRadius users mailing list
Subject: Re: FW: Radacct table not working properly

Javier Ruiz Escalante wrote:
> My server has installed Chillispot and Freeradius, everything is
> working properly and now I want to use Freeradius without Chillispot.
> As soon as I uninstall chillispot the radacct table stops working. Can
> anybody tell me why?

  If you don't send it RADIUS packets, it doesn't do anything.

  Alan DeKok.


Re: FW: Radacct table not working properly

2012-03-27 Thread Alan DeKok
Javier Ruiz Escalante wrote:
> I send radius packets, (as long as I know...) I have a hotspot from Mikrotik
> and I have Radius configured, my client logs on and the information sent by
> MKT goes to a file but not to radacct table.

  First, figure out exactly what's going on.  "Information" is
meaningless.  Do you mean RADIUS accounting packets?  And "goes to a
file" is also meaningless.  Which file?  Why?

  And, AS ALWAYS, run the server in debugging mode to see what's going
on.  It's really not that hard.

  Alan DeKok.


RE: FW: Radacct table not working properly

2012-03-27 Thread Javier Ruiz Escalante
Hello,

It's solved, It was from Mikrotik, the option Accounting has to be marked.

Thanks Alan!!

-Original Message-
From: freeradius-users-bounces+fruiz002=hotmail@lists.freeradius.org
[mailto:freeradius-users-bounces+fruiz002=hotmail@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: martes, 27 de marzo de 2012 10:53
To: FreeRadius users mailing list
Subject: Re: FW: Radacct table not working properly

Javier Ruiz Escalante wrote:
> I send radius packets, (as long as I know...) I have a hotspot from
> Mikrotik and I have Radius configured, my client logs on and the
> information sent by MKT goes to a file but not to radacct table.

  First, figure out exactly what's going on.  "Information" is meaningless.
Do you mean RADIUS accounting packets?  And "goes to a file" is also
meaningless.  Which file?  Why?

  And, AS ALWAYS, run the server in debugging mode to see what's going on.
It's really not that hard.

  Alan DeKok.


Re: FW: Radacct table not working properly

2012-03-27 Thread Alan DeKok
Javier Ruiz Escalante wrote:
> Look, I should have accounting information about the client (for example all
> the attributes I need for disconnection) in the radacct table, right?

  So... rather than following instructions, you asked another question.

> Which
> ones? The one I paste below at least, that at the moment are going to a file in
> /var/log/freeradius/radacct

  Ok... that's a step ahead.  You know which files it's logging to.
What else is going on?

  Alan DeKok.


Dynamic-Clients

2012-03-27 Thread dulan
hi,

i configured a radius server using freeradius 2.1.8. then i change some sql
queries as my requirements. it works properly.
then i need to add clients dynamically without clients.conf. i use
/raddb/sites-available/dynamic-clients
configured dynamic-clients as follows. but it is not working.

please help me to configure it.

debug.txt: http://freeradius.1045715.n5.nabble.com/file/n5597709/debug.txt
dynamic-clients: http://freeradius.1045715.n5.nabble.com/file/n5597709/dynamic-clients

nas table:-

nasname = 10.10.10.161
shortname = 
type = other
ports = 1812
secret = testing123
community = 
description = RADIUS Client

Thanking you..



Re: Dynamic-Clients

2012-03-27 Thread Fajar A. Nugraha
On Tue, Mar 27, 2012 at 7:40 PM, dulan achint...@gmail.com wrote:
> hi,
>
> i configured a radius server using freeradius 2.1.8.

I recommend upgrade to 2.1.12 if possible.

> then i change some sql
> queries as my requirements. it works properly.
> then i need to add clients dynamically without clients.conf. i use
> /raddb/sites-available/dynamic-clients
> configured dynamic-clients as follows. but it is not working.
>
> please help me to configure it.
>
> http://freeradius.1045715.n5.nabble.com/file/n5597709/debug.txt debug.txt

It's better if you paste it directly in the mail body instead of attachment.

Anyway, did you read the debug log?


} # server dynamic_client_server
- Cannot add client 10.10.10.161: Required attribute
freeradius-Client-Secret is missing.


which part of that log is not clear?

The dynamic clients virtual server has all queries that FR would
execute. Try executing those queries manually, replacing
%{Packet-Src-IP-Address} with 10.10.10.161.

-- 
Fajar


Re: Dynamic-Clients

2012-03-27 Thread Alan Buxey
Hi,

> http://freeradius.1045715.n5.nabble.com/file/n5597709/debug.txt debug.txt

...the answer is written right there in the debug log: 

Cannot add client 10.10.10.161: Required attribute freeradius-Client-Secret 
is missing

have you populated your nas table with the secret ?

alan


Re: load balancing and if statements

2012-03-27 Thread Scott McLane Gardner
This is the answer. Also, this is much easier than what I was trying to
do. Thank you for the pointer, Alan.

-Scott


On 3/26/12 5:17 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> hi,
>
> a quick glance at your question and i'd say you'd be better off using
> simple entries in the users file - simple check items (use huntgroups
> for your NAS addresses) with LDAP groups.
>
> match the good stuff, set reply
>
> match the bad stuff, set reject.
>
> alan


RE: load balancing and if statements

2012-03-27 Thread Brian Julin

Scott McLane Gardner wrote:
> Sent: Tuesday, March 27, 2012 9:34 AM
> To: FreeRadius users mailing list
> Subject: Re: load balancing and if statements
>
> This is the answer. Also, this is much easier than what I was
> trying to do. Thank you for the pointer, Alan.
>
> -Scott

I'd be surprised if using Ldap-Group in the user's file
resulted in load balancing of the group membership
queries to the LDAP servers.  Does it? 



Re: load balancing and if statements

2012-03-27 Thread Alan DeKok
Brian Julin wrote:
> I'd be surprised if using Ldap-Group in the user's file
> resulted in load balancing of the group membership
> queries to the LDAP servers.  Does it?

  It doesn't.

  Alan DeKok.


Re: load balancing and if statements

2012-03-27 Thread Scott McLane Gardner

> I'd be surprised if using Ldap-Group in the user's file
> resulted in load balancing of the group membership
> queries to the LDAP servers.  Does it?

It does, actually. Or at least it appears to. The first time it used ldap2
and the second time it used ldap1.



Re: load balancing and if statements

2012-03-27 Thread Scott McLane Gardner

> Brian Julin wrote:
>> I'd be surprised if using Ldap-Group in the user's file
>> resulted in load balancing of the group membership
>> queries to the LDAP servers.  Does it?
>
>   It doesn't.
>
>   Alan DeKok.

So, now I'm confused again. If this doesn't load balance, then how should
I really be going about this?



RE: load balancing and if statements

2012-03-27 Thread Brian Julin
 

Scott McLane Gardner
>> I'd be surprised if using Ldap-Group in the user's file resulted in
>> load balancing of the group membership queries to the LDAP servers.
>> Does it?
>
> It does, actually. Or at least it appears to. The first time
> it used ldap2 and the second time it used ldap1.

Probably you are seeing the auth checks load balance while the group
membership checks are not.


Re: load balancing and if statements

2012-03-27 Thread Phil Mayers

On 27/03/12 15:07, Scott McLane Gardner wrote:


>> I'd be surprised if using Ldap-Group in the user's file
>> resulted in load balancing of the group membership
>> queries to the LDAP servers.  Does it?
>
> It does, actually. Or at least it appears to. The first time it used ldap2
> and the second time it used ldap1.


Are you sure about that? It shouldn't work that way.


Re: load balancing and if statements

2012-03-27 Thread Scott McLane Gardner

> I cannot answer your question about if statements, but this
> much is clear: the Ldap-Group check attribute will query
> the ldap module that was instantiated last.  If you want
> to query a specific module, you have to use modulename-Ldap-Group.
>
> Similarly for ldap xlats, you have to use the module name.
>
> (A sensible wishlist item might be to have load-balance sections
> in the instantiate section register the same hooks as their
> submodules, then you'd be able to name the load-balance and
> use lbr-modulename-Ldap-Group.  But that sounds mildly
> hairy to implement.)

Does this mean that what I want to do is not possible?

-Scott



RE: load balancing and if statements

2012-03-27 Thread Brian Julin
 

Scott McLane Gardner
>> (A sensible wishlist item might be to have load-balance sections in the
>> instantiate section register the same hooks as their submodules, then
>> you'd be able to name the load-balance and use
>> lbr-modulename-Ldap-Group.  But that sounds mildly hairy to implement.)
>
> Does this mean that what I want to do is not possible?

I don't know, but I'll probably look into it over the next week
or two, because I never looked too hard at the LDAP config
I inherited, and didn't realize it was not load-balancing those
requests myself, and in fact isn't even redundant, so I'll be
looking to fix that (thanks for pointing it out BTW.)

I would think you might be able to get at least fail-over
redundancy working using the XLAT %{%{thing1}:-%{thing2}} syntax,
but I'm unsure right now as to how the interaction between the
Ldap-Group check attribute and the XLAT mechanism works.





Re: load balancing and if statements

2012-03-27 Thread Alan DeKok
Scott McLane Gardner wrote:
> So, now I'm confused again. If this doesn't load balance, then how should
> I really be going about this?

  It's hard.

  Alan DeKok.


Re: newbiie

2012-03-27 Thread Khapare Joshi
hi Alan,

I now fixed that dictionary issue. I followed the guide lines from here
http://wiki.freeradius.org/PopTop to see if pptp and radius works. I am
getting this error :
/var/log/message
Mar 27 15:11:54 test45 pptpd[2121]: CTRL: Starting call (launching pppd,
opening GRE)
Mar 27 15:11:54 test45 pppd[2123]: Plugin radius.so loaded.
Mar 27 15:11:54 test45 pppd[2123]: RADIUS plugin initialized.
Mar 27 15:11:54 test45 pppd[2123]: Plugin radattr.so loaded.
Mar 27 15:11:54 test45 pppd[2123]: RADATTR plugin initialized.
Mar 27 15:11:54 test45 pppd[2123]: Plugin /usr/lib64/pptpd/pptpd-logwtmp.so
loaded.
Mar 27 15:11:54 test45 pppd[2123]: pppd 2.4.5 started by root, uid 0
Mar 27 15:11:54 test45 pppd[2123]: Using interface ppp0
Mar 27 15:11:54 test45 pppd[2123]: Connect: ppp0 -- /dev/pts/1
Mar 27 15:11:57 test45 pptpd[2121]: CTRL: Ignored a SET LINK INFO packet
with real ACCMs!
Mar 27 15:11:58 test45 pppd[2123]: Peer testuser failed CHAP authentication
Mar 27 15:11:58 test45 pppd[2123]: Connection terminated.
Mar 27 15:11:58 test45 pppd[2123]: Exit.
Mar 27 15:11:58 test45 pptpd[2121]: GRE: read(fd=6,buffer=611860,len=8196)
from PTY failed: status = -1 error = Input/output error, usually caused by
unexpected termination of pppd, check option syntax and pppd logs
Mar 27 15:11:58 test45 pptpd[2121]: CTRL: PTY read or GRE write failed
(pty,gre)=(6,7)

And in /var/log/radius/radius.log -- i get nothing

Tue Mar 27 13:29:13 2012 : Info: Loaded virtual server default
Tue Mar 27 13:29:13 2012 : Info: Ready to process requests.
Tue Mar 27 14:23:53 2012 : Info: Exiting normally.
Tue Mar 27 14:23:53 2012 : Info: Loaded virtual server inner-tunnel
Tue Mar 27 14:23:53 2012 : Info: Loaded virtual server default
Tue Mar 27 14:23:53 2012 : Info: Ready to process requests.
Tue Mar 27 14:58:03 2012 : Info: Exiting normally.
Tue Mar 27 15:03:26 2012 : Info: Loaded virtual server inner-tunnel
Tue Mar 27 15:03:26 2012 : Info: Loaded virtual server default
Tue Mar 27 15:03:26 2012 : Info: Ready to process requests.

I must be doing something wrong.






On Mon, Mar 26, 2012 at 1:56 PM, Alan DeKok al...@deployingradius.com wrote:

> Khapare Joshi wrote:
>> I am now progressing - i think. but got stuck. I enabled the ldap
>> plugin. radiusd -X display all the correct info. but when try to connect
>> vpn from windows client. here is the error i get. Maybe you guys have
>> some tips on it.
> ...
>> Mar 26 10:58:17 blade201 pppd[21163]: rc_read_dictionary: unknown vendor
>> on line 22 of dictionary /etc/radiusclient-ng/dictionary.microsoft
>> Mar 26 10:58:17 blade201 pppd[21163]: RADIUS: Can't read dictionary file
>> /etc/radiusclient-ng/dictionary
>
>   What is unclear about that message?
>
>   It looks like you edited the dictionary file, and broke it.  Don't do
> that.
>
>> it seems i need some lines in my dictionary.microsoft file for pppd. How
>> do i add this ? all I am trying to do here is pppd to delegate ip pool
>> for client and radius to authentication for user via ldap. where I am
>> missing thing ?
>
>   You don't edit the dictionaries.  All of the configuration is done in
> FreeRADIUS.
>
>   Alan DeKok.

Re: load balancing and if statements

2012-03-27 Thread Scott McLane Gardner
So, is the documentation at
http://wiki.freeradius.org/Load-balancing#Interaction+with+%22if%22+and+%22else%22
incorrect, or is it only correct for the very latest version?

-Scott



Re: load balancing and if statements

2012-03-27 Thread Alan Buxey
Hi,

> Does this mean that what I want to do is not possible?

my advice was so you werent doing all that LDAP-Group , NAS-IP-Address
stuff in unlang...

regarding the load-balance, you should be okay just keeping
that bit similar to how you had it ...heck, you might even try

redundant-load-balance {
    ldap1
    ldap2
}


man unlang


alan


Re: newbiie

2012-03-27 Thread Alan Buxey
Hi,

> Tue Mar 27 14:23:53 2012 : Info: Ready to process requests.
> Tue Mar 27 14:58:03 2012 : Info: Exiting normally.
> Tue Mar 27 15:03:26 2012 : Info: Loaded virtual server inner-tunnel
> Tue Mar 27 15:03:26 2012 : Info: Loaded virtual server default
> Tue Mar 27 15:03:26 2012 : Info: Ready to process requests.

a few usual guesses. such as the client cant talk to the server,
local firewall issues etc...or you just dont have fail/success
logging turned on.

at this point you follow the docs and run 'radiusd -X' rather
than a background daemon process...and then see what you see.

alan


Re: newbiie

2012-03-27 Thread Alan DeKok
Khapare Joshi wrote:
> hi Alan,
>
> I now fixed that dictionary issue. I followed the guide lines from here
> http://wiki.freeradius.org/PopTop to see if pptp and radius works. I am
> getting this error :

  How about asking the PPTP people how their software works?

> Mar 27 15:11:58 test45 pppd[2123]: Peer testuser failed CHAP authentication

  That message shouldn't be hard to understand.

> And in /var/log/radius/radius.log -- i get nothing

  How about running the server in debugging mode, as suggested in the
FAQ, README, INSTALL, and daily on this list?

> I must be doing something wrong.

  Well... the RADIUS server isn't receiving packets.  This isn't a
RADIUS problem.  It's an IP routing problem.

  Alan DeKok.


Re: load balancing and if statements

2012-03-27 Thread Alan DeKok
Scott McLane Gardner wrote:
> So, is the documentation at
> http://wiki.freeradius.org/Load-balancing#Interaction+with+%22if%22+and+%22else%22
> incorrect, or is it only correct for the very latest version?

  It's correct.  You're missing the point.

  That documentation is for calling MODULES.  The configuration files
have lists of MODULES, which are managed in sections.  Sections can be
if/else/etc.

  LDAP-Group is an ATTRIBUTE.  Reading the MODULE documentation to figure
out how an ATTRIBUTE works is WRONG.

  Alan DeKok.


Re: newbiie

2012-03-27 Thread Phil Mayers

On 27/03/12 16:17, Khapare Joshi wrote:


> And in /var/log/radius/radius.log -- i get nothing
>
> Tue Mar 27 13:29:13 2012 : Info: Loaded virtual server default
> Tue Mar 27 13:29:13 2012 : Info: Ready to process requests.
> Tue Mar 27 14:23:53 2012 : Info: Exiting normally.
> Tue Mar 27 14:23:53 2012 : Info: Loaded virtual server inner-tunnel
> Tue Mar 27 14:23:53 2012 : Info: Loaded virtual server default
> Tue Mar 27 14:23:53 2012 : Info: Ready to process requests.
> Tue Mar 27 14:58:03 2012 : Info: Exiting normally.
> Tue Mar 27 15:03:26 2012 : Info: Loaded virtual server inner-tunnel
> Tue Mar 27 15:03:26 2012 : Info: Loaded virtual server default
> Tue Mar 27 15:03:26 2012 : Info: Ready to process requests.
>
> I must be doing something wrong.


No radius packets are arriving at FreeRADIUS.

Check your config. Check the IP addresses. Check any firewalls. Use 
tcpdump/wireshark/radsniff at both ends.


This is not a FreeRADIUS problem, it's a basic unix troubleshooting problem.


Proxy + copy accounting to passive home server

2012-03-27 Thread mimir

Hello,

I am trying to deploy proxy configuration to my radius server.

I added home_server_pool with two home_servers. I can successfully send
accounting packets (with load-balance) to other two radius servers. I also
can use attribute filtering for proxy via acct_users as below.

acct_users:
DEFAULT Called-Station-Id = internet1, Proxy-To-Realm := TEST1

But, I want to send same packet to both servers when proxying. If I proxied
the accounting packet to server A successfully, then I want to also copy
it to the other radius server. (means that passive one for each packet while
load-balancing)

I read some forums and see that it can be done via
copy-acct-to-home-server.

But, I could not configure it. (I also could not understand where I should
edit it? on proxy ? or home_servers?)

Can you please help me on this issue?

Thanks...



Re: load balancing and if statements

2012-03-27 Thread Alan Buxey
Hi,

> So, is the documentation at
> http://wiki.freeradius.org/Load-balancing#Interaction+with+%22if%22+and+%22else%22
> incorrect, or is it only correct for the very latest version?

its correct you want to load balance the requests to the LDAP servers, yes?

so whats the load balancing of the LDAP-Group attribute bit that you are stuck
on?  isnt that group and the NAS check..valid no matter which LDAP server
was talked to?  If so, then use either users file (basic, simple) or policy
(slightly more complex) to allow access from those NAS addresses when that
group is present.

one is a source of info, one is a variable from that source.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: load balancing and if statements

2012-03-27 Thread Brian De Wolf
On Mon, 26 Mar 2012 11:46:22 -0700
Scott McLane Gardner sgar...@uark.edu wrote:

> If I can't use if statements in a load balance block, can anyone
> suggest another way to go about accomplishing what I want to do here?

After reading this thread and realizing it affects my implementation
(though with mysql), I started poking at this to work out a solution.

The real problem with trying to build this in unlang is that there
doesn't seem to be a way to differentiate between a failed Sql-Group
check and a negative result.  Instead, I have to cheese it out with
an XLAT no-op to see if the SQL server is responding.  If I'm missing
something useful here, please let me know.  I'd love some feedback from
the gurus.  Anyway, the config bits:

policy {
    # ...
    mysql-1-disabled {
        # no-op query: anything other than "test" means mysql-1 did not answer
        if ("%{mysql-1:SELECT 'test'}" != "test") {
            fail
        }
        if (mysql-1-Sql-Group == "disabled") {
            reject
        }
        else {
            ok
        }
    }
    mysql-2-disabled {
        # same probe and group check against mysql-2
        if ("%{mysql-2:SELECT 'test'}" != "test") {
            fail
        }
        if (mysql-2-Sql-Group == "disabled") {
            reject
        }
        else {
            ok
        }
    }
}

instantiate {
    # ...
    redundant-load-balance sql-disabled {
        mysql-1-disabled
        mysql-2-disabled
    }
}


Once this is in, sql-disabled can be placed in an authorize{} block.


I really wish there was a better way to do this...
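
The fail-versus-negative-result problem described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: a small Python model of a redundant-load-balance section wrapping the per-server policy, with and without the no-op probe. The SqlBackend class, the user names and the rule that a group check against an unreachable server looks like "not a member" are assumptions drawn from the poster's description.

```python
import random


class SqlBackend:
    """Stand-in for one SQL module instance (mysql-1 / mysql-2 in the post)."""

    def __init__(self, name, disabled_users, up=True):
        self.name = name
        self.disabled_users = set(disabled_users)
        self.up = up

    def probe(self):
        # Models the no-op xlat SELECT 'test': empty string if unreachable.
        return "test" if self.up else ""

    def in_disabled_group(self, user):
        # Assumption from the post: a failed group lookup cannot be told
        # apart from a negative one, so a dead server answers "not a member".
        return self.up and user in self.disabled_users


def policy_with_probe(backend, user):
    """The posted policy: probe first, so a dead server yields 'fail'."""
    if backend.probe() != "test":
        return "fail"
    return "reject" if backend.in_disabled_group(user) else "ok"


def policy_without_probe(backend, user):
    """Group check only: a dead server silently yields 'ok' (fails open)."""
    return "reject" if backend.in_disabled_group(user) else "ok"


def redundant_load_balance(policy, backends, user, rng):
    """Simplified model: start at a random member, move to the next one only
    on 'fail', stop on any other return code."""
    start = rng.randrange(len(backends))
    for offset in range(len(backends)):
        rcode = policy(backends[(start + offset) % len(backends)], user)
        if rcode != "fail":
            return rcode
    return "fail"


def outcomes(policy, backends, user, trials=200, seed=1):
    """Set of return codes seen over many requests (seeded, repeatable)."""
    rng = random.Random(seed)
    return {redundant_load_balance(policy, backends, user, rng)
            for _ in range(trials)}


def demo():
    # Constructed scenario: "alice" is in the disabled group, mysql-1 is down.
    backends = [SqlBackend("mysql-1", {"alice"}, up=False),
                SqlBackend("mysql-2", {"alice"}, up=True)]
    return {
        "with_probe": outcomes(policy_with_probe, backends, "alice"),
        "without_probe": outcomes(policy_without_probe, backends, "alice"),
    }


if __name__ == "__main__":
    for name, seen in demo().items():
        print(name, sorted(seen))
```

Without the probe, the disabled user is let through whenever the dead server happens to be picked first; with it, the section falls over to the live server and the reject is consistent.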