Mysql - radusergroup

2013-02-12 Thread Neven
Hi,

I'm using Freeradius 2, fedora16, mysql 5. 500 000 different users in
table.

I have a user in table radcheck (username and pass), I add that user in
radusergroup, then I add usergroup in radgroupcheck and add attributes for
that group. That works well as far as I know.

Question:
Can I add a user in one group without adding that user in radusergroup
table? Is there some attribute that I can add in radcheck that will add a
user in one user group?

id  Username  Attribute                 OP  Value
1   User1     Cleartext-password        :=  123456
2   User1     Attribute for user group  ==  Group that I can add attributes in radgroupcheck table


Could this be done?


Thank you.

Neven
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Load Balancing Issue

2013-02-12 Thread A . L . M . Buxey
Hi,

I am using Freeradius 2.2.0 on redhat 5. My goal was to increase the speed
of user authentication. To achieve this I configured Load Balancing (with
realms). I have a proxy Freeradius server, that is just proxying requests
to 2 other freeradius servers.

you only asked this question less than 2 hours ago.

okay, you need to see why the proxy is causing a x3 factor in slowdown? run
the servers in full debug mode with timestamps and check to see where your
delay is... don't throw 10 million requests at it though, just a dozen should
be enough in the first instance to see where the hit is. I'd assume that you
haven't made any configuration changes or tweaked any configs... in which case
your proxy box is probably not ready to be dealing with that many in transit
requests (whereas the authentication servers can handle multiple requests per
thread) - so, some basic tweaking will probably do something

..though I think you've already found that you don't need to load-balance ;-)

alan


Understanding the IP Pool module

2013-02-12 Thread Бен Томпсон
Hello Everyone

I am hoping to use rlm_ippool and I would like to understand a bit
about how it works. Firstly I want to understand the format of the
database.

I can see from the output of rlm_ippool_tool that there are five columns :-

Key | IP Address | Active  | CLI | Num

It is obvious what the first two are, and I am not sure about the last
three, but I guess that active means that this address is in use.

Could anyone explain to me what the columns cli and num are used for?

I noticed that this module is called from the post-auth and accounting
sections, and in the accounting section of sites-available/default
there is the following comment :-

#  Return an address to the IP Pool when we see a stop record.

Does this mean that the ippool module sets active to 0 when it sees
an accounting Stop from the same Key?

Also, I noticed that this module can be used for DHCP which obviously
does not have an accounting section. Does this mean that IP addresses
can never be deallocated from the pool?

Thanks in advance for any help.

Ben


DHCP reply don't go out

2013-02-12 Thread Michele Pinassi
Hi all,

I've just installed a FreeRadius server 2.2.0 with DHCP support because
I need a DHCP server that uses MySQL as a backend.

My network topology is:

eth0  inet addr:193.205.4.xxx [PUBLIC]
eth1  inet addr:172.20.1.2 [PRIVATE]

All DHCP requests and replies should come from eth1. Here is the freeradius -X
dump:

FreeRADIUS Version 2.2.0, for host i486-pc-linux-gnu, built on Sep 20
2012 at 13:37:59
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/smsotp
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/ldap
including configuration file /etc/freeradius/mods-enabled/counter
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/otp
including configuration file /etc/freeradius/mods-enabled/inner-eap
including configuration file /etc/freeradius/mods-enabled/acct_unique
including configuration file /etc/freeradius/mods-enabled/wimax
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/etc_group
including configuration file /etc/freeradius/mods-enabled/redis
including configuration file /etc/freeradius/mods-enabled/cui
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/cache
including configuration file /etc/freeradius/mods-enabled/mac2ip
including configuration file /etc/freeradius/mods-enabled/dhcp_sqlippool
including configuration file /etc/freeradius/sql/mysql/ippool-dhcp.conf
including configuration file /etc/freeradius/mods-enabled/policy
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/smbpasswd
including configuration file /etc/freeradius/mods-enabled/ippool
including configuration file /etc/freeradius/mods-enabled/rediswho
including configuration file /etc/freeradius/mods-enabled/pam
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/detail.example.com
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/mac2vlan
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/checkval
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/krb5
including configuration file /etc/freeradius/mods-enabled/sql_log
including configuration file /etc/freeradius/mods-enabled/attr_rewrite
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/perl
including configuration file /etc/freeradius/mods-enabled/radrelay
including configuration file /etc/freeradius/mods-enabled/sqlcounter_expire_on_login
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/opendirectory
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sqlippool.conf
including configuration file /etc/freeradius/sql/mysql/ippool.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/dhcp
including configuration file /etc/freeradius/sites-enabled/default
main {
user = root

Re: Load Balancing Issue

2013-02-12 Thread Muhammad Nadeem
thanks alan
Actually I am using load balancing for rapid authentication of users. Let's
suppose I have one proxy server that is proxying incoming requests to these
five servers. Theoretically the speed of authentication should be fast. But
in my case it is too slow.
I have changed 'max_requests' in radiusd.config. And also removed
unnecessary processing on radius server (that is proxying requests). Now
tell me what else can I do?? :(

Though I am a newbie in RADIUS, I think Proxy server is the
bottleneck???


On Tue, Feb 12, 2013 at 1:44 PM, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 I am using Freeradius 2.2.0 on redhat 5. My goal was to increase the
 speed
 of user authentication. To achieve this I configured Load Balancing
 (with
 realms). I have a proxy Freeradius server, that is just proxying
 requests
 to 2 other freeradius servers.

 you only asked this question less than 2 hours ago.

 okay, you need to see why the proxy is causing a x3 factor in slowdown?
 run the servers in full debug mode with timestamps and check to see where
 your delay is... don't throw 10 million requests at it though, just a dozen
 should be enough in the first instance to see where the hit is. I'd assume
 that you haven't made any configuration changes or tweaked any configs... in
 which case your proxy box is probably not ready to be dealing with that many
 in transit requests (whereas the authentication servers can handle multiple
 requests per thread) - so, some basic tweaking will probably do something

 ..though I think you've already found that you don't need to load-balance
 ;-)

 alan




-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University

Re: Load Balancing Issue

2013-02-12 Thread Russell Mike
You are talking about many different things at the same time.

You want to increase the response time of auth. Is your database indexed?
Thanks

On Tuesday, February 12, 2013, Muhammad Nadeem wrote:

 thanks alan
 Actually I am using load balancing for rapid authentication of users. Let's
 suppose I have one proxy server that is proxying incoming requests to these
 five servers. Theoretically the speed of authentication should be fast. But
 in my case it is too slow.
 I have changed 'max_requests' in radiusd.config. And also removed
 unnecessary processing on radius server (that is proxying requests). Now
 tell me what else can I do?? :(

 Though I am a newbie in RADIUS, I think Proxy server is the
 bottleneck???


 On Tue, Feb 12, 2013 at 1:44 PM, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 I am using Freeradius 2.2.0 on redhat 5. My goal was to increase the
 speed
 of user authentication. To achieve this I configured Load Balancing
 (with
 realms). I have a proxy Freeradius server, that is just proxying
 requests
 to 2 other freeradius servers.

 you only asked this question less than 2 hours ago.

 okay, you need to see why the proxy is causing a x3 factor in slowdown?
 run the servers in full debug mode with timestamps and check to see where
 your delay is... don't throw 10 million requests at it though, just a dozen
 should be enough in the first instance to see where the hit is. I'd assume
 that you haven't made any configuration changes or tweaked any configs... in
 which case your proxy box is probably not ready to be dealing with that many
 in transit requests (whereas the authentication servers can handle multiple
 requests per thread) - so, some basic tweaking will probably do something

 ..though I think you've already found that you don't need to load-balance
 ;-)

 alan




 --
 Best Regards
 Muhammad Nadeem
 Muhammad Ali Jinnah University


Re: DHCP reply don't go out

2013-02-12 Thread Russell Mike
Is there any layer 3 device between client and dhcp server? Then you need
a DHCP relay agent; if that is not the case, check the firewall.
Thanks

On Tuesday, February 12, 2013, Michele Pinassi wrote:

 Hi all,

 I've just installed a FreeRadius server 2.2.0 with DHCP support because
 I need a DHCP server that uses MySQL as a backend.

 My network topology is:

 eth0  inet addr:193.205.4.xxx [PUBLIC]
 eth1  inet addr:172.20.1.2 [PRIVATE]

 All DHCP requests and replies should come from eth1. Here is the freeradius -X
 dump:


Re: DHCP reply don't go out

2013-02-12 Thread Michele Pinassi
Thanks Russell for your prompt reply but I think that's not a network
issue. I'm trying FreeRadius as an alternative for ISC DHCPD server that
runs on the same server (and the same clients) perfectly.

Any other hint?

Michele


On 12/02/2013 12:33, Russell Mike wrote:
 Is there any layer 3 device between client and dhcp server? Then you
 need a DHCP relay agent; if that is not the case, check the firewall.
 Thanks
 

-- 
Michele Pinassi
University Telephony Manager
Network, Systems and IT Security Service - Università degli Studi
di Siena
tel: 0577.(23)2169 - fax: 0577.(23)2053

To find a quick solution to your technical problems,
consult the University FAQ, http://www.faq.unisi.it




Load Balancing

2013-02-12 Thread Muhammad Nadeem
Hi,
I am new to freeradius. I want to implement load balancing on freeradius
servers (not on backend database).
I want that if a bulk of requests are received, these requests should be
distributed evenly among multiple freeradius servers.
Can anyone please tell me how I could achieve this goal?
Thanks in advance

Re: Load Balancing

2013-02-12 Thread A . L . M . Buxey
hi,

I want that if a bulk of requests are received, these requests should be
distributed evenly among multiple freeradius servers.

in proxy.conf, ensure that you have a suitable load-balance type defined for the
target servers - be aware that some types do not operate with EAP...as the whole
conversation needs to go to the same backend server.

I would recommend reading more of the FreeRADIUS documentation

alan


Re: Load Balancing

2013-02-12 Thread Alan DeKok
Muhammad Nadeem wrote:
 Hi,
 I am new to freeradius. I want to implement load balancing on freeradius
 servers (not on backend database).
 I want that if a bulk of requests are received, these requests should be
 distributed evenly among multiple freeradius servers.
 Can anyone please tell me how I could achieve this goal?

  The documentation is clear.  Load-balancing is simple to configure.
It's documented in proxy.conf.

  My guess is your test is wrong.  You're probably sending packets in
*series*.  The latency added by a proxy slows down series, so that it
takes longer.

  If you send packets in parallel, you would see a higher latency for
each packet, but the ability to process more packets per second.

  You've admitted to not knowing much about RADIUS.  If the test doesn't
do what you expect, the obvious conclusion is to blame the test, not
FreeRADIUS.

  Alan DeKok.
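
Added example, not from the thread or from the FreeRADIUS project: a small asyncio model of the series-versus-parallel point made in the reply above. The service times, worker count and round-robin choice of home server are constructed assumptions, not FreeRADIUS behaviour or measurements.

```python
import asyncio
import time

# All numbers below are constructed for the illustration, not measurements.
HOME_SERVICE_S = 0.02    # time one home server spends on one request
PROXY_HOP_S = 0.01       # extra latency the proxy hop adds to every request
WORKERS_PER_HOME = 4     # requests one home server can work on at once


class HomeServer:
    """Stand-in for a RADIUS home server with a fixed worker pool."""

    def __init__(self):
        self.handled = 0
        self._workers = asyncio.Semaphore(WORKERS_PER_HOME)

    async def handle(self):
        async with self._workers:          # queue here when all workers are busy
            await asyncio.sleep(HOME_SERVICE_S)
            self.handled += 1


class Proxy:
    """Stand-in for the proxy: adds a hop, then picks a home server round-robin."""

    def __init__(self, pool):
        self.pool = pool
        self._next = 0

    async def handle(self):
        home = self.pool[self._next % len(self.pool)]
        self._next += 1
        await asyncio.sleep(PROXY_HOP_S)
        await home.handle()


async def _drive(target, total, in_flight):
    """Send `total` requests, never more than `in_flight` outstanding."""
    gate = asyncio.Semaphore(in_flight)
    latencies = []

    async def one_request():
        async with gate:
            sent = time.perf_counter()
            await target.handle()
            latencies.append(time.perf_counter() - sent)

    started = time.perf_counter()
    await asyncio.gather(*(one_request() for _ in range(total)))
    elapsed = time.perf_counter() - started
    return {"req_per_s": total / elapsed,
            "mean_latency_s": sum(latencies) / total}


def run_scenario(via_proxy, in_flight, total=20):
    """Run one test shape and report throughput, latency and per-server load."""

    async def scenario():
        pool = [HomeServer(), HomeServer()]
        target = Proxy(pool) if via_proxy else pool[0]
        result = await _drive(target, total, in_flight)
        result["per_home"] = [home.handled for home in pool]
        return result

    return asyncio.run(scenario())


if __name__ == "__main__":
    shapes = [
        ("series, direct", False, 1),
        ("series, via proxy", True, 1),
        ("parallel, via proxy", True, 20),
    ]
    for label, via_proxy, in_flight in shapes:
        r = run_scenario(via_proxy, in_flight)
        print(f"{label:20s} {r['req_per_s']:7.1f} req/s  "
              f"mean latency {r['mean_latency_s'] * 1000:5.1f} ms  "
              f"per home {r['per_home']}")
```

A client that waits for each reply before sending the next packet pays the proxy hop on every request, so the proxied run is slower than going direct; only with many requests outstanding do both home servers stay busy.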


Re: Understanding the IP Pool module

2013-02-12 Thread Alan DeKok
Бен Томпсон wrote:
 I am hoping to use rlm_ippool and I would like to understand a bit
 about how it works. Firstly I want to understand the format of the
 database.

  The best approach is to look at the documentation, followed by the code.

 Could anyone explain to me what the columns cli and num are used for?

  I haven't looked at it myself.  All I know is that it works.

 Does this mean that the ippool module sets active to 0 when it sees
 an accounting Stop from the same Key?

  No idea.  Look at the code.

 Also, I noticed that this module can be used for DHCP which obviously
 does not have an accounting section. Does this mean that IP addresses
 can never be deallocated from the pool?

  No.  The addresses should have a lifetime.

  Alan DeKok.

Re: Load Balancing

2013-02-12 Thread Muhammad Nadeem
Thanks Alan,
I have configured a proxy server using documentation of 'proxy.conf', which
is proxying requests to 2 home_servers. Yes you are right, maybe the tool
which I am using (Radius NT client) is sending requests in series. I tried to
use Rad Client to send requests in parallel, but I didn't succeed. Could
you please help me out to send parallel requests to proxy server???
Bundle of thanks in advance :)



On Tue, Feb 12, 2013 at 7:19 PM, Alan DeKok al...@deployingradius.com wrote:

 Muhammad Nadeem wrote:
  Hi,
  I am new to freeradius. I want to implement load balancing on freeradius
  servers (not on backend database).
  I want that if a bulk of requests are received, these requests should be
  distributed evenly among multiple freeradius servers.
  Can anyone please tell me how I could achieve this goal?

   The documentation is clear.  Load-balancing is simple to configure.
 It's documented in proxy.conf.

   My guess is your test is wrong.  You're probably sending packets in
 *series*.  The latency added by a proxy slows down series, so that it
 takes longer.

   If you send packets in parallel, you would see a higher latency for
 each packet, but the ability to process more packets per second.

   You've admitted to not knowing much about RADIUS.  If the test doesn't
 do what you expect, the obvious conclusion is to blame the test, not
 FreeRADIUS.

   Alan DeKok.




-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University

Re: DHCP reply don't go out

2013-02-12 Thread Michele Pinassi
Maybe I've found something that can help us to solve the problem.

Here's FreeRadius DHCP reply (from dhcpdump):

---

  TIME: 2013-02-12 15:13:10.426
    IP: 172.20.1.2 (0:c:29:eb:3e:86)  172.20.1.20 (0:4:13:71:11:65)
    OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 44d8b628
  SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 172.20.1.20
SIADDR: 172.20.1.2
GIADDR: 0.0.0.0
CHADDR: 00:04:13:71:11:65:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
OPTION:   1 (  4) Subnet mask               255.255.255.0
OPTION:   3 (  4) Routers                   172.20.1.1
OPTION:   4 (  4) Time server               172.20.1.2
OPTION:   6 (  4) DNS server                172.20.1.2
OPTION:  12 ( 13) Host name                 voip.unisi.it
OPTION:  15 ( 13) Domainname                voip.unisi.it
OPTION:  42 (  4) NTP servers               172.20.1.2
OPTION:  51 (  4) IP address leasetime      7200 (2h)
OPTION:  54 (  4) Server identifier         172.20.1.2
OPTION:  66 ( 17) TFTP server name          tftp://172.20.1.2
---

and this is the ISC DHCP Server reply (that i use in production on the
same machine):

 ---

  TIME: 2013-02-12 15:19:42.168
    IP: 172.20.1.2 (0:c:29:eb:3e:86)  172.20.1.20 (cc:ef:48:5e:8f:e4)
    OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 5ace8683
  SECS: 0
 FLAGS: 0
CIADDR: 172.20.1.20
YIADDR: 172.20.1.20
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: cc:ef:48:5e:8f:e4:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
OPTION:  54 (  4) Server identifier         172.20.1.2
OPTION:  51 (  4) IP address leasetime      7200 (2h)
OPTION:   1 (  4) Subnet mask               255.255.255.0
OPTION:   3 (  4) Routers                   172.20.1.1
OPTION:  42 (  4) NTP servers               172.20.1.2
OPTION:   6 (  4) DNS server                172.20.1.2
OPTION:  15 ( 13) Domainname                voip.unisi.it
OPTION:  58 (  4) T1                        3600 (60m)
OPTION:  59 (  4) T2                        6300 (1h45m)
OPTION:  66 ( 17) TFTP server name          tftp://172.20.1.2
OPTION:   2 (  4) Time offset               7200 (2h)
---

I'm pointing at CIADDR and SIADDR.

Maybe something is wrong in my policy.conf?

[...]

    #  Assign compatibility data to request for sqlippool
    dhcp_sqlippool.post-auth {
        #  Do some minor hacks to the request so that it looks
        #  like a RADIUS request to the SQL IP Pool module.
        update control {
            Pool-Name = main_pool
        }

        update request {
            User-Name = "DHCP-%{DHCP-Client-Hardware-Address}"
            Calling-Station-Id = "%{DHCP-Client-Hardware-Address}"
            NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-127.0.0.1}"
            Acct-Status-Type = Start
        }

        #  Call the actual module
        #
        #  Uncomment this in order to really call it!
        dhcp_sqlippool
        # fail

        #  Convert Framed-IP-Address to DHCP, but only if we
        #  actually allocated an address.
        if (ok) {
            update reply {
                DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}"
            }
        }
    }
}

Thanks, Michele


On 12/02/2013 12:33, Russell Mike wrote:
 Is there any layer 3 device between client and dhcp server? Then you
 need a DHCP relay agent; if that is not the case, check the firewall.
 Thanks
 
 On Tuesday, February 12, 2013, Michele Pinassi wrote:
 
 Hi all,
 
 I've just installed a FreeRadius server 2.2.0 with DHCP support because
 I need a DHCP server that uses MySQL as a backend.
 
 My network topology is:
 
 eth0  inet addr:193.205.4.xxx [PUBLIC]
 eth1  inet addr:172.20.1.2 [PRIVATE]
 
 All DHCP requests and replies should come from eth1. Here is the freeradius -X
 dump:
 

Re: DHCP reply don't go out

2013-02-12 Thread Alan DeKok
Michele Pinassi wrote:
 Hi all,
 
 I've just installed a FreeRadius server 2.2.0 with DHCP support because
 I need a DHCP server that uses MySQL as a backend.
...
 Sending DHCP-Offer of id 022e173c from 255.255.255.255:67 to 172.20.1.20:68
 Finished request 0.

  That looks weird.  An empty offer packet?  There should be *something*
in it.

  I suggest starting with the example configuration in
sites-available/dhcp.  It won't do SQL, but it will return example
DHCP responses.

  If that works, then the code is OK.  The next step is to update the
configuration to send the correct options in DHCP packets.

  Alan DeKok.


Re: Load Balancing

2013-02-12 Thread Alan DeKok
Muhammad Nadeem wrote:
 Thanks Alan,
 I have configured a proxy server using documentation of 'proxy.conf',
 which is proxying requests to 2 home_servers. Yes you are right, maybe
 the tool which I am using (Radius NT client) is sending requests in series.

  Then the test doesn't mean anything.

 I tried to use Rad Client to send requests in parallel, but I didn't
 succeed. Could you please help me out to send parallel requests to proxy
 server???

  There aren't many good tools available.  I did have a tool on the
corporate web site (radperf), but that's been taken down for various
reasons.

  You can always use commercial traffic generators.

  Alan DeKok.


Re: Load Balancing Issue

2013-02-12 Thread John Dennis

On 02/12/2013 06:12 AM, Muhammad Nadeem wrote:

thanks alan
Actually I am using load balancing for rapid authentication of users.
Let's suppose I have one proxy server that is proxying incoming requests
to these five servers. Theoretically the speed of authentication should
be fast. But in my case it is too slow.
I have changed 'max_requests' in radiusd.config. And also removed
unnecessary processing on radius server (that is proxying requests). Now
tell me what else can I do?? :(


For starters try reading Alan's response he so graciously provided to you.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: DHCP reply don't go out

2013-02-12 Thread Alan DeKok
Michele Pinassi wrote:
 Maybe I've found something that can help us to solve the problem.
 
 Here's FreeRadius DHCP reply (from dhcpdump):
...
 I'm pointing at CIADDR and SIADDR.
 
 Maybe something is wrong in my policy.conf?

  I don't think so.  It's weird that the fields are reversed.

  I've pushed some changes to the v2.x.x branch on github.  It should
print out more information about the DHCP packet it's sending.  If you
could try that, it would be a big help.

  Alan DeKok.
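
Added example, not from the thread or from FreeRADIUS: a small Python parser that diffs the two dhcpdump replies posted earlier in this thread, so the CIADDR/SIADDR difference and the differing option sets can be read off mechanically. The dump text is re-typed from the thread with whitespace normalised and per-capture lines left out, the function names are illustrative, and the result also records that the two replies went to different clients (different CHADDR).

```python
import re

# Re-typed from the FreeRADIUS reply in the thread (whitespace normalised).
FREERADIUS_REPLY = """\
    OP: 2 (BOOTPREPLY)
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 172.20.1.20
SIADDR: 172.20.1.2
GIADDR: 0.0.0.0
CHADDR: 00:04:13:71:11:65:00:00:00:00:00:00:00:00:00:00
OPTION:  53 (  1) DHCP message type 5 (DHCPACK)
OPTION:   1 (  4) Subnet mask 255.255.255.0
OPTION:   3 (  4) Routers 172.20.1.1
OPTION:   4 (  4) Time server 172.20.1.2
OPTION:   6 (  4) DNS server 172.20.1.2
OPTION:  12 ( 13) Host name voip.unisi.it
OPTION:  15 ( 13) Domainname voip.unisi.it
OPTION:  42 (  4) NTP servers 172.20.1.2
OPTION:  51 (  4) IP address leasetime 7200 (2h)
OPTION:  54 (  4) Server identifier 172.20.1.2
OPTION:  66 ( 17) TFTP server name tftp://172.20.1.2
"""

# Re-typed from the ISC DHCP server reply in the thread (whitespace normalised).
ISC_REPLY = """\
    OP: 2 (BOOTPREPLY)
 FLAGS: 0
CIADDR: 172.20.1.20
YIADDR: 172.20.1.20
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: cc:ef:48:5e:8f:e4:00:00:00:00:00:00:00:00:00:00
OPTION:  53 (  1) DHCP message type 5 (DHCPACK)
OPTION:  54 (  4) Server identifier 172.20.1.2
OPTION:  51 (  4) IP address leasetime 7200 (2h)
OPTION:   1 (  4) Subnet mask 255.255.255.0
OPTION:   3 (  4) Routers 172.20.1.1
OPTION:  42 (  4) NTP servers 172.20.1.2
OPTION:   6 (  4) DNS server 172.20.1.2
OPTION:  15 ( 13) Domainname voip.unisi.it
OPTION:  58 (  4) T1 3600 (60m)
OPTION:  59 (  4) T2 6300 (1h45m)
OPTION:  66 ( 17) TFTP server name tftp://172.20.1.2
OPTION:   2 (  4) Time offset 7200 (2h)
"""

FIELD_RE = re.compile(r"^\s*([A-Z]+):\s*(.*?)\s*$")
OPTION_RE = re.compile(r"^(\d+)\s*\(\s*(\d+)\)\s*(.*)$")
# BOOTP header fields worth comparing; XID and TIME always differ per capture.
HEADER_FIELDS = ("OP", "FLAGS", "CIADDR", "YIADDR", "SIADDR", "GIADDR")


def parse_reply(text):
    """Return (header fields, {option code: (length, text)}) for one dump."""
    fields, options = {}, {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue                      # separators such as '---'
        name, value = match.groups()
        if name == "OPTION":
            opt = OPTION_RE.match(value)
            if opt:
                options[int(opt.group(1))] = (int(opt.group(2)), opt.group(3))
        else:
            fields[name] = value
    return fields, options


def compare_replies(text_a, text_b):
    """Diff two dumps: header fields, option codes on one side only, changed values."""
    fields_a, opts_a = parse_reply(text_a)
    fields_b, opts_b = parse_reply(text_b)
    shared = sorted(set(opts_a) & set(opts_b))
    return {
        # Different CHADDR means the replies answered different clients.
        "same_client": fields_a.get("CHADDR") == fields_b.get("CHADDR"),
        "header": {name: (fields_a.get(name), fields_b.get(name))
                   for name in HEADER_FIELDS
                   if fields_a.get(name) != fields_b.get(name)},
        "only_a": sorted(set(opts_a) - set(opts_b)),
        "only_b": sorted(set(opts_b) - set(opts_a)),
        "changed": {code: (opts_a[code], opts_b[code])
                    for code in shared if opts_a[code] != opts_b[code]},
    }


if __name__ == "__main__":
    for key, value in compare_replies(FREERADIUS_REPLY, ISC_REPLY).items():
        print(f"{key}: {value}")
```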


RE: Load Balancing

2013-02-12 Thread adrian.p.smith

  There aren't many good tools available.  I did have a tool on the corporate 
 web site (radperf), but that's been taken down for various reasons.

  You can always use commercial traffic generators.

We're a Java group and we use Jmeter with a home-written sampler that uses 
TinyRadius client.





RE: Dialup Admin

2013-02-12 Thread Shawky Skaff
Hi Guys,

Could I please get a response to this?

From: freeradius-users-bounces+shawkys=ivox.com...@lists.freeradius.org 
[mailto:freeradius-users-bounces+shawkys=ivox.com...@lists.freeradius.org] On 
Behalf Of Shawky Skaff
Sent: Tuesday, 29 January 2013 12:45 PM
To: freeradius-users@lists.freeradius.org
Subject: Dialup Admin


In dialup admin if I select accounting and run an accounting query, I can see 
accounting data listed in the tables, uptime, downloads, uploads, etc, however 
if I edit the user, the connection status has no information and the open 
session shows no sessions.



Doesn't the data for all locations come from the same place? Is there anything 
that I need to do?


Re: pam.d ssh radius

2013-02-12 Thread Matt Zagrabelny
On Tue, Feb 12, 2013 at 3:50 PM, T W gqma...@yahoo.com wrote:

 All,

 I got this working at the end of last year, but now I'm having trouble.
 I'm setting up SSH access using RADIUS auth on a Ubuntu 12.10 system.  I'm
 using the latest version of libpam-radius-auth  (1.3.17-0ubuntu4) and have
 followed the readme along with many other explanations and cannot get it
 working. I'm getting the same error even when I try on different VMs
 running different versions of Ubuntu.  The error PAM (sshd) illegal module
 type: auth makes it sound like it does not support the auth method. Anyone
 else run into this?

Haven't run into what you've described, but we do use the RADIUS
client PAM module as you've noted. Our /etc/pam.d/sshd looks like:

# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth   required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth   required pam_env.so envfile=/etc/default/locale

auth   sufficient   pam_radius_auth.so

# Standard Un*x authentication.
#@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account  required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session  optional pam_motd.so  motd=/run/motd.dynamic noupdate
session  optional pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session  optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session  required pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password


Hope that helps.

-mz
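
An added example, not part of the original post or of the Linux-PAM project: a small Python linter for a pam.d service file like the one above. It reports any line whose first field is not exactly auth, account, password or session, which is the condition Linux-PAM logs as "illegal module type". The sample file and the name lint_pam are constructed for illustration, and the parser assumes fields are separated by ASCII spaces and tabs only.

```python
import re

TYPES = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
# Assumption: only ASCII space/tab separate fields, so a pasted no-break space
# (U+00A0) stays glued to the token instead of being treated as whitespace.
FIELDS = re.compile(r"^([^ \t]+)[ \t]+(\[[^\]]*\]|[^ \t]+)(?:[ \t]+([^ \t].*))?$")

def lint_pam(text):
    """Return (line_number, problem) pairs for the text of a pam.d service file."""
    problems = []
    for num, raw in enumerate(text.split("\n"), start=1):
        line = raw.split("#", 1)[0].strip(" \t\r")
        if not line or line.startswith("@include"):
            continue  # blank line, comment, or Debian-style @include directive
        m = FIELDS.match(line)
        if m is None:
            problems.append((num, f"expected 'type control module': {line!r}"))
            continue
        mtype, control, module = m.groups()
        bare = mtype[1:] if mtype.startswith("-") else mtype  # '-' prefix is legal
        if bare.lower() not in TYPES:
            # repr() exposes invisible characters that make a token look valid
            problems.append((num, f"illegal module type: {mtype!r}"))
        elif not control.startswith("[") and control.lower() not in CONTROLS:
            problems.append((num, f"unknown control flag: {control!r}"))
        elif module is None:
            problems.append((num, "module path missing"))
    return problems

# Constructed sample, modelled on an /etc/pam.d/sshd file (not a real system's file).
SAMPLE = "\n".join([
    "# constructed sample",
    "auth       required     pam_env.so # [1]",
    "\u00a0auth  sufficient   pam_radius_auth.so",     # invisible no-break space
    "accountrequired pam_nologin.so",                  # fused columns
    "sshd auth required pam_unix.so",                  # pam.conf-style service field
    "-session   optional     pam_motd.so noupdate",
    "auth       [success=1 default=ignore] pam_unix.so",
    "session    requierd     pam_limits.so",           # misspelled control flag
    "@include common-account",
])

if __name__ == "__main__":
    for num, problem in lint_pam(SAMPLE):
        print(f"line {num}: {problem}")
```
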


Re: pam.d ssh radius

2013-02-12 Thread Alan DeKok
T W wrote:
 I got this working at the end of last year, but now I'm having trouble.
  I'm setting up SSH access using RADIUS auth on an Ubuntu 12.10 system.
  I'm using the latest version of libpam-radius-auth  (1.3.17-0ubuntu4)
 and have followed the readme along with many other explanations and
 cannot get it working. I'm getting the same error even when I try on
 different VMs running different versions of Ubuntu.  The error PAM
 (sshd) illegal module type: auth makes it sound like it does not
 support the auth method. Anyone else run into this?

  No idea.  I'd suggest asking the PAM people.

  Alan DeKok.


Re: Load Balancing

2013-02-12 Thread Muhammad Nadeem
Thanks, Alan.
But searching around on the web, I came to know that radclient can also be
used for load testing. But when I use it with -p (to send requests in
parallel), it only sends one packet. Here is the command output:
[root@billing ~]# echo User-Name=001AAD3F8165,
NAS-IP-Address=10.192.100.4|radclient  -p 100 192.168.0.102 auth
testing123 -x
Sending Access-Request of id 120 to 192.168.0.102 port 1812
User-Name = 001AAD3F8165
NAS-IP-Address = 10.192.100.4
rad_recv: Access-Accept packet from host 192.168.0.102 port 1812,
id=120, length=143
Qos-Policing-Profile-Name = 128K_UL
Qos-Metering-Profile-Name = 512K_DL
Context-Name = Postpaid-VR
DHCP-Max-Leases = 1
Forward-Policy = in:nonpayment_redirect_post
HTTP-Redirect-Profile-Name = nonpayment_redirect


Why doesn't -p send requests in parallel?


On Tue, Feb 12, 2013 at 7:45 PM, Alan DeKok al...@deployingradius.com wrote:

 Muhammad Nadeem wrote:
  Thanks, Alan.
  I have configured a proxy server using the documentation in 'proxy.conf',
  which is proxying requests to 2 home_servers. Yes, you are right, maybe
  the tool which I am using (Radius NT client) is sending requests in series.

   Then the test doesn't mean anything.

  I tried to use Rad Client to send requests in parallel, but I didn't
  succeed. Could you please help me send parallel requests to the proxy
  server?

   There aren't many good tools available.  I did have a tool on the
 corporate web site (radperf), but that's been taken down for various
 reasons.

   You can always use commercial traffic generators.

   Alan DeKok.




-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University

Re: Understanding the IP Pool module

2013-02-12 Thread Бен Томпсон
Thanks Alan

2013/2/12 Alan DeKok al...@deployingradius.com:
 Бен Томпсон wrote:
 I am hoping to use rlm_ippool and I would like to understand a bit
 about how it works. Firstly I want to understand the format of the
 database.

   The best approach is to look at the documentation, followed by the code.

I have had a look at the code and have been able to work out a few
things. I will write my findings here, both for my own reference and
for others who might ask the same questions in the future.

Regarding the active flag: as I understand it so far, this is
basically supposed to indicate whether a session (e.g. PPP) is
currently up and using this address. The theory being that the flag is
set to 1 when the IP is dished out during RADIUS post-auth, and it is
set to 0 when the accounting stop is received.

I also figured out that the cli flag is the Calling-Station-Id and this
is used as an identifier in Multilink PPP sessions. It would appear
that in the old days of bundling together connections with dial-up
modems (to get more bandwidth) it was necessary to issue the same
address in multiple authentication requests.

One thing I still don't understand though is how best to use ippool
for DHCP. I don't understand where and how I should call the module
during a DHCP transaction. For example I can call it during
DHCP-Discover, but it seems that if I call it again during
DHCP-Request I might get a different address even when the key is the
same. I will continue to study the code to see why this happens and
if I figure it out I will report back with my findings.

If anyone else knows the answers, I would be grateful to hear from them.