Freeradius stops. Received HUP signal.

2012-12-06 Thread substance SUBSTANCE
Hello guys.

I've been using FreeRADIUS server for a few months now. I'm running it on Ubuntu
11.10 server. FreeRADIUS Version 2.1.10.

The problem is that I started the FreeRADIUS daemon on November 18th, and it
stopped working after one week (user authentication was not working).

Sun Nov 18 06:30:58 2012 : Info: HUP - loading modules
Sun Nov 18 06:30:58 2012 : Info:  Module: Reloaded module files
Sun Nov 18 06:30:58 2012 : Info:  Module: Reloaded module attr_filter.access_reject
Sun Nov 18 06:30:58 2012 : Info:  Module: Reloaded module attr_filter.accounting_response
Sun Nov 18 06:30:58 2012 : Info:  Module: Reloaded module pap
Sun Nov 18 06:30:58 2012 : Info:  Module: Reloaded module detail
Sun Nov 18 06:30:58 2012 : Info:  Module: Reloaded module sql_log
Sun Nov 18 06:30:58 2012 : Info:  Module: Reloaded module auth_log
Sun Nov 18 06:30:58 2012 : Info:  Module: Reloaded module suffix
Sun Nov 18 06:30:58 2012 : Info:  Module: Reloaded module radutmp
Sun Nov 18 06:30:58 2012 : Info: Loaded virtual server inner-tunnel
Sun Nov 18 06:30:58 2012 : Info: Loaded virtual server default
Sun Nov 18 19:12:12 2012 : Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
Sun Nov 18 19:12:12 2012 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
Sun Nov 18 19:12:12 2012 : Info: rlm_sql (sql): Connected new DB handle, #1
Sun Nov 18 19:12:12 2012 : Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
Sun Nov 18 19:12:12 2012 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Sun Nov 18 19:12:12 2012 : Info: rlm_sql (sql): Connected new DB handle, #0
Sun Nov 18 19:12:12 2012 : Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
Sun Nov 18 19:12:12 2012 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Sun Nov 18 19:12:12 2012 : Info: rlm_sql (sql): Connected new DB handle, #4
Sun Nov 18 19:12:12 2012 : Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
Sun Nov 18 19:12:12 2012 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
Sun Nov 18 19:12:12 2012 : Info: rlm_sql (sql): Connected new DB handle, #3
Sun Nov 18 19:13:33 2012 : Info: Loaded virtual server inner-tunnel
Sun Nov 18 19:13:33 2012 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Sun Nov 18 19:13:33 2012 : Info: rlm_sql (sql): Attempting to connect to root@localhost:/radius
Sun Nov 18 19:13:33 2012 : Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
Sun Nov 18 19:13:33 2012 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Sun Nov 18 19:13:33 2012 : Info: rlm_sql (sql): Connected new DB handle, #0
Sun Nov 18 19:13:33 2012 : Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
Sun Nov 18 19:13:33 2012 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
Sun Nov 18 19:13:33 2012 : Info: rlm_sql (sql): Connected new DB handle, #1
Sun Nov 18 19:13:33 2012 : Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
Sun Nov 18 19:13:33 2012 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
Sun Nov 18 19:13:33 2012 : Info: rlm_sql (sql): Connected new DB handle, #2
Sun Nov 18 19:13:33 2012 : Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
Sun Nov 18 19:13:33 2012 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
Sun Nov 18 19:13:33 2012 : Info: rlm_sql (sql): Connected new DB handle, #3
Sun Nov 18 19:13:33 2012 : Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
Sun Nov 18 19:13:33 2012 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Sun Nov 18 19:13:33 2012 : Info: rlm_sql (sql): Connected new DB handle, #4
Sun Nov 18 19:13:33 2012 : Info: Loaded virtual server default
Sun Nov 18 19:13:33 2012 : Info: Ready to process requests.
*Sun Nov 25 06:46:34 2012 : Info: Received HUP signal.*
Sun Nov 25 06:46:34 2012 : Info: HUP - Re-reading configuration files
Sun Nov 25 06:46:34 2012 : Info: HUP - loading modules
Sun Nov 25 06:46:34 2012 : Info:  Module: Reloaded module files
Sun Nov 25 06:46:34 2012 : Info:  Module: Reloaded module attr_filter.access_reject
Sun Nov 25 06:46:34 2012 : Info:  Module: Reloaded module attr_filter.accounting_response
Sun Nov 25 06:46:34 2012 : Info:  Module: Reloaded module pap
Sun Nov 25 06:46:34 2012 : Info:  Module: Reloaded module detail
Sun Nov 25 06:46:34 2012 : Info:  Module: Reloaded module sql_log
Sun Nov 25 06:46:34 2012 : Info:  Module: Reloaded module auth_log
Sun Nov 25 06:46:34 2012 : Info:  Module: Reloaded module suffix
Sun Nov 25 06:46:34 2012 : Info:  Module: Reloaded module radutmp
Sun Nov 25 06:46:34 2012 : Info: Loaded virtual server inner-tunnel
Sun Nov 25 06:46:34 2012 : Info: Loaded virtual server default
Sun Nov 25 18:23:51 2012 : Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
Sun Nov 25 18:23:51 2012 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
Sun Nov 25 18:23:51 2012 : Info: rlm_sql (sql): Connected new DB handle, #2
Sun Nov 25 18:23:51 2012 : Info: rlm_sql (sql): Attempting 

Re: Freeradius stops. Received HUP signal.

2012-12-06 Thread Michael Weissenbacher
substance SUBSTANCE wrote:
> Why FreeRADIUS receives that HUP signal? Can I disable it, or should I
> update FreeRADIUS software?

I had the same problem. This version of Freeradius should not be HUP'ed
it seems. I found this info by searching the archives.
Problem is that Ubuntu and Debian do that by default once a day in
/etc/logrotate.d/freeradius. You should be fine by replacing
/etc/init.d/freeradius reload with /etc/init.d/freeradius restart in
that file. Disclaimer: untested by me.
In my case I upgraded to a more recent version. But this is far more hassle.

hth,
Michael
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Eduroam FreeRadius not working so well

2012-12-06 Thread Alan Buxey
Hi,

> I have a valid current subscription and yum reports no updates for
> my freeradius install, so I'm assuming it's okay. I didn't want to
> dwell on the version though as I just upgraded from a much older
> release which didn't help with my problem.

2.1.12-4 appears to have the required TLS fix - however, not sure why 2.2.0 isn't
provided now anyway - this backporting of random things doesn't help in diagnosis

alan


Re: Eduroam FreeRadius not working so well

2012-12-06 Thread Phil Mayers

On 12/06/2012 10:16 AM, Alan Buxey wrote:
> Hi,
>
>> home_server_pool EDUROAM-FTLR {
>>  type= fail-over
>>  home_server = proxy1
>>  home_server = proxy2
>> }
>
> I would use:
>
> type = client-port-balance
>
> to balance between the 2. (that method ensures the EAP goes to one remote
> server)
>
>> realm DEFAULT {
>>  pool = EDUROAM-FTLR
>>  nostrip
>> }
>
> Hmm, this isn't best practice if that's all you have for throwing stuff
> upstream. would strongly recommend using unlang to validate that the user
> has valid realm etc and then update the request to use a realm identifier
> (eg eduroam) and use that in proxy.conf instead - thus you are only sending
> valid users upstream (and not all the random typos and junk) as the upstream
> servers will like you more for that - and won't be dropping requests and
> messing you up.

To expand on Alan's statement a bit here - it's possible that users are
associating with your eduroam SSID and sending all kinds of nonsense (I
think the best I've seen is:

spaceuser@domainnewlinespaceuser@domain/newlinerepeat 3 times

...and that the upstream RADIUS servers are not replying, which is
causing you to get these dropouts.

You probably want something like this:

authorize {
  # /i: realms are normally typed in lower case; they are upper-cased below
  if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) {
    # user has a valid-looking realm
    update request {
      Stripped-User-Name := "%{1}"
      Realm = "%{toupper:%{2}}"
    }
  }
  else {
    # malformed NAI
    update reply {
      Reply-Message := "malformed username"
    }
    reject
  }

  if (Realm == "MY.REALM") {
    ...
  }
  else {
    # anything that is well-formed but not ours goes upstream
    update control {
      Proxy-To-Realm := DEFAULT
    }
  }
}
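
The policy sketched in the message above, replayed outside the server as an added example (not code from the thread or from FreeRADIUS): the same pattern run in Python over constructed User-Name values, to show what it rejects and what it still lets through. Case-insensitive matching and the MY.REALM placeholder are assumptions.

```python
import re

# Pattern from the unlang policy above. Assumption: matched case-insensitively
# (ASCII only), since the policy upper-cases the realm afterwards.
# fullmatch() replaces the ^...$ anchors: Python's "$" would also match just
# before a trailing newline and let "user@realm\n" through.
NAI_RE = re.compile(r"([^@]*)@([-A-Z0-9]+(\.[-A-Z0-9]+)+)",
                    re.IGNORECASE | re.ASCII)

LOCAL_REALM = "MY.REALM"  # placeholder realm, as in the policy above


def route(user_name, local_realm=LOCAL_REALM):
    """Return (decision, stripped_user_name, realm) for one User-Name.

    decision is "reject" (malformed NAI), "local" (our own realm) or
    "proxy" (well-formed foreign realm, sent upstream).
    """
    m = NAI_RE.fullmatch(user_name)
    if m is None:
        return ("reject", None, None)
    stripped, realm = m.group(1), m.group(2).upper()
    if realm == local_realm:
        return ("local", stripped, realm)
    return ("proxy", stripped, realm)


# Constructed sample values, not taken from any real log.
SAMPLES = [
    "alice@example.org",             # well-formed, foreign realm
    "@example.org",                  # empty user part (anonymous outer identity)
    "carol@my.realm",                # local realm, typed in lower case
    "bob",                           # no realm at all
    "bob@localhost",                 # realm without a dot
    " user@domain\n user@domain\n",  # repeated junk of the kind described above
    "eve@example.org ",              # trailing space
    "frank@example..org",            # empty label in the realm
    "gina@example.org\n",            # trailing newline
    " dave@example.org",             # leading space: accepted, only the realm is checked
]


def summarise(samples):
    """Count the decisions so the effect on upstream traffic is visible."""
    counts = {"local": 0, "proxy": 0, "reject": 0}
    for name in samples:
        counts[route(name)[0]] += 1
    return counts


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:34} -> {route(name)}")
    print(summarise(SAMPLES))
```

The last sample shows that the pattern constrains only the realm: a user part with a leading space is still proxied, so the user part needs its own check if that matters upstream.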



Re: Freeradius stops. Received HUP signal.

2012-12-06 Thread substance SUBSTANCE
Hi Michael,

Thank you for the information.

Yes there is a row like this:

/etc/init.d/freeradius reload > /dev/null

I will comment this and replace with the new one:

/etc/init.d/freeradius restart > /dev/null

I hope that this will work.


Re: Eduroam FreeRadius not working so well

2012-12-06 Thread Alan Buxey
Hi,

> home_server_pool EDUROAM-FTLR {
>  type= fail-over
>  home_server = proxy1
>  home_server = proxy2
> }

I would use:

type = client-port-balance

to balance between the 2. (that method ensures the EAP goes to one remote
server)

> realm DEFAULT {
>  pool = EDUROAM-FTLR
>  nostrip
> }

Hmm, this isn't best practice if that's all you have for throwing stuff
upstream. would strongly recommend using unlang to validate that the user
has valid realm etc and then update the request to use a realm identifier
(eg eduroam) and use that in proxy.conf instead - thus you are only sending
valid users upstream (and not all the random typos and junk) as the upstream
servers will like you more for that - and won't be dropping requests and
messing you up.

alan


eap-mschapv2 and radius.log

2012-12-06 Thread Scott Armitage
All,

I have noticed a behaviour in the logging and I'm not sure if it is
misconfiguration on my part, misunderstanding of the expected behaviour or a
bug.  If I attempt to log in using EAP-MSCHAPv2 inside of an eap method (e.g.
PEAP/EAP-MSCHAPv2) I see "Login OK:" for the outer EAP regardless of the result
of the inner EAP, e.g.:

Thu Dec  6 11:10:55 2012 : Auth: Login OK: [scott] (from client pepsi port 0 cli 02-00-00-00-00-01 via TLS tunnel)
Thu Dec  6 11:10:55 2012 : Auth: Login OK: [scott] (from client pepsi port 0 cli 02-00-00-00-00-01 via TLS tunnel)
Thu Dec  6 11:10:56 2012 : Auth: Login OK: [anonym...@lboro.ac.uk] (from client pepsi port 0 cli 02-00-00-00-00-01)

This means if I have a user with a bad password I get the following in the log:

Thu Dec  6 11:21:37 2012 : Auth: Login OK: [scott] (from client pepsi port 0 cli 02-00-00-00-00-01 via TLS tunnel)

As the mschap module is waiting for the user to re-enter their password,
eventually it times out.  Therefore this is the only entry in the log.  Which is
somewhat confusing, as it has actually failed but the only log entry is "Login
OK".

Has anyone else noticed this behaviour?  or have I configured something wrong?

Regards

Scott Armitage


Re: eap-mschapv2 and radius.log

2012-12-06 Thread Scott Armitage


Sorry forgot to say. I notice this with both FreeRADIUS Version 2.2.0 and 3.0

Regards

Scott


Re: Freeradius stops. Received HUP signal.

2012-12-06 Thread John Dennis

On 12/06/2012 06:00 AM, substance SUBSTANCE wrote:
> But anyway,
> Why we need this logrotate.d script for freeradius at all? :


Log rotation is necessary to prevent the log files for long running 
processes from filling up the disk as well as for auditing and archive 
purposes. Log management is a fundamental aspect of system 
administration. Virtually all system daemons have log rotation of some type.


--
John Dennis jden...@redhat.com



RE: preproxy_users

2012-12-06 Thread BALSIANOK, Peter
I test it on version 2.2.0 (server side).
Alan, could you please check it, thx.

-----Original Message-----
From: freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org
[mailto:freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Wednesday, November 28, 2012 4:09 PM
To: FreeRadius users mailing list
Cc: Alan Buxey
Subject: Re: preproxy_users

BALSIANOK, Peter wrote:
> I use standard dictionary attribute 3GPP-SGSN-Address, which is
> located in ( in old and new one version of freeradius )
...
> [radiusd@tdrad1 test]$ /app/radius/freeradius-2.2.0/bin/radclient -x -t 10 -r 1 -f wapgtw/acct.req -d /app/radius/freeradius-2.2.0/etc/raddb/ggsn-acct/ localhost:2813 acct testing123
...
> [files] WARNING: Unknown module 3GPP-SGSN-Address in string expansion %

  Are you running 2.2.0 on the server side?  Older versions of the server had
issues where they didn't like a number as the first character of an attribute
expansion.

  2.2.0 fixed that.

  Alan DeKok.


ldap eDir support in master branch

2012-12-06 Thread Olivier Beytrison
Hi,

Now that I have my packages, I've started deploying FR3 for our eduroam
federation.

And I just saw that the eDir support is gone. Now my question is:
1. Is it abandoned?
2. Is it not yet ported to the new rlm_ldap code?

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: ldap eDir support in master branch

2012-12-06 Thread Phil Mayers

On 06/12/12 16:45, Olivier Beytrison wrote:
> Hi,
>
> Now that I have my packages, I've started deploying FR3 for our eduroam
> federation.
>
> And I just saw that the eDir support is gone. Now my question is:
> 1. Is it abandoned?
> 2. Is it not yet ported to the new rlm_ldap code?


No-one who has eDir for testing has stepped up to implement it.


Re: ldap eDir support in master branch

2012-12-06 Thread Olivier Beytrison
On 06.12.2012 17:45, Olivier Beytrison wrote:
> Hi,
>
> Now that I have my packages, I've started deploying FR3 for our eduroam
> federation.
>
> And I just saw that the eDir support is gone. Now my question is:
> 1. Is it abandoned?
> 2. Is it not yet ported to the new rlm_ldap code?

Never mind my question, just saw AlanD's message on the devel list.

Well, looks like I'll go nowhere whilst eDir support is not present :/

I might try to port at least the authentication against the central
password to the new module, this is all I need.

And if someone needs it, I can provide a working eDirectory server for
testing purposes.

Olivier



Re: eap-mschapv2 and radius.log

2012-12-06 Thread Scott Armitage

ignore this, I was just being dumb.  I had enabled SoH and the first OK is the 
SoH.





[no subject]

2012-12-06 Thread Jed Gainer
Hello everyone,

in

/etc/raddb/sql/mysql/counter.conf

there is

%b  unix time value of beginning of reset period

which makes things like

sqlcounter counterChilliSpotMaxTotalOctetsDaily {
    counter-name = ChilliSpot-Max-Total-Octets-Daily
    check-name = CS-Total-Octets-Daily
    counter-type = data
    reply-name = ChilliSpot-Max-Total-Octets
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = "SELECT IFNULL((SUM(AcctInputOctets + AcctOutputOctets)),0) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

possible

How would I get the value of %b for a user from, say, PHP so I can calc
and show them how much bandwidth they have left?