Re: echo module creating zombies

2013-02-20 Thread Craig Campbell

Try changing wait to "yes".

Zombies are processes that have ended, but for which the parent has not 
"waited" to acknowledge the death of the child.

Their 'slot' in the process table has not been freed for re-use.

-Original Message- 
From: steff...@gmx.de

Sent: Wednesday, February 20, 2013 9:54 AM
To: freeradius-users@lists.freeradius.org
Subject: echo module creating zombies

Hello list,

I have a problem regarding the echo module which on my system creates zombie 
processes. I am using the following settings for echo:


wait = no
program = "/bin/true" (just for testing purposes)
packet_type = Access-Accept

After echo execs the program in question there is an undead child process 
left behind:


13467 ?        Ssl    0:00 /usr/local/freeradius/sbin/radiusd
14258 ?        Z      0:00  \_ [true] 

This is pretty much everything strace has to say:

14258 execve("/bin/true", ["/bin/true", "asdf"], [/* 6 vars */]) = 0
14258 brk(0)= 0x85c6000
14258 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0xb7787000
14258 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or 
directory)

14258 open("/etc/ld.so.cache", O_RDONLY) = 3
14258 fstat64(3, {st_mode=S_IFREG|0644, st_size=67227, ...}) = 0
14258 mmap2(NULL, 67227, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7776000
14258 close(3)  = 0
14258 open("/lib/i686/libc.so.6", O_RDONLY) = 3
14258 read(3, 
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0h\1\0004\0\0\0\320\366\24\0\0\0\0\0004\0 
\0\n\0(\0D\0C\0\6\0\0\0004\0\0\0004\0\0\0004\0\0\0@\1\0\0@\1\0\0\5\0\0\0\4\0\0\0\3\0\0\0`z\23\0`z\23\0`z\23\0\23\0\0\0\23\0\0\0\4\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\272\24\0P\272\24\0\5\0\0\0\0\20\0\0\1\0\0\0\344\301\24\0\344\301\24\0\344\301\24\0\230'\0\0lT\0\0\6\0\0\0\0\20\0\0\2\0\0\0|\335\24\0|\335\24\0|\335\24\0\360\0\0\0\360\0\0\0\6\0\0\0\4\0\0\0\4\0\0\0t\1\0\0t\1\0\0t\1\0\0 
\0\0\0 
\0\0\0\4\0\0\0\4\0\0\0\7\0\0\0\344\301\24\0\344\301\24\0\344\301\24\0\10\0\0\0@\0\0\0\4\0\0\0\4\0\0\0P\345tdtz\23\0tz\23\0tz\23\0\314+\0\0\314+\0\0\4\0\0\0\4\0\0\0Q\345td\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\4\0\0\0R\345td\344\301\24\0\344\301\24\0\344\301\24\0\34\36\0\0\34\36\0\0\4\0\0\0\1\0\0\0\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\6\0\0\0\t\0\0\0\363\3\0\0\t\0\0\0\0\2\0\0\16\0\0\0\2400\20D\200 
\2\1\214\3\346\220AE\210\0\204\0\10\0A\200\0@\300\200\0\f\2\f\0!
\0010\0\10@\"\10\246\4\210H6l\240\0260\0&\204\200\216\4\10B$\2\f\246\244\32\6c\310\0\302 
\1\300\0R\0!\201\10\4\n  \250\24\0\24(`\0\0P\240\312DB", 512) = 512

14258 fstat64(3, {st_mode=S_IFREG|0755, st_size=1376624, ...}) = 0
14258 mmap2(NULL, 1381968, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 
3, 0) = 0xb7624000
14258 mmap2(0xb777, 12288, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14c) = 0xb777
14258 mmap2(0xb7773000, 9808, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7773000

14258 close(3)  = 0
14258 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0xb7623000
14258 set_thread_area({entry_number:-1 -> 6, base_addr:0xb76236c0, 
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, 
seg_not_present:0, useable:1}) = 0

14258 mprotect(0xb777, 8192, PROT_READ) = 0
14258 mprotect(0x804f000, 4096, PROT_READ) = 0
14258 mprotect(0xb77a3000, 4096, PROT_READ) = 0
14258 munmap(0xb7776000, 67227) = 0
14258 brk(0)= 0x85c6000
14258 brk(0x85e7000)= 0x85e7000
14258 close(1)  = 0
14258 close(2)  = 0
14258 exit_group(0) = ?

Any ideas why the zombies occur ?

Thanks
Stephan
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html








Craig Campbell
craig.campb...@ccraft.ca
CampbellCraft Consulting Inc.
2 Kenny Court
Whitby, Ontario
Canada
L1R 2L8
905 922-2789
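
The zombie state described in the reply above can be reproduced directly. This added example (not code from the thread or from FreeRADIUS) starts children that run `true`, shows that their process-table entries persist after they exit until the parent waits, and that a non-blocking wait frees them; the function names are illustrative and `/proc` is assumed to be a Linux procfs.

```python
import os
import shutil


def proc_state(pid):
    """One-letter state from /proc/<pid>/stat ('Z' = zombie); None if unreadable."""
    try:
        with open(f"/proc/{pid}/stat") as fh:
            stat = fh.read()
    except OSError:
        return None
    # The command name is in parentheses and may contain spaces, so split
    # on the last ')' and take the field that follows it.
    return stat.rsplit(")", 1)[1].split()[0]


def entry_exists(pid):
    """True while the kernel still holds a process-table entry for pid."""
    try:
        os.kill(pid, 0)  # signal 0 only checks existence, nothing is delivered
    except ProcessLookupError:
        return False
    return True


def spawn_true():
    """Fork and exec `true`, the same test program used in the original post."""
    program = shutil.which("true") or "/bin/true"
    pid = os.fork()
    if pid == 0:
        try:
            os.execv(program, [program])
        finally:
            os._exit(127)  # only reached if exec failed
    return pid


def reap_finished(pids):
    """Non-blocking reap: collect every listed child that has already exited."""
    reaped = {}
    for pid in pids:
        done, status = os.waitpid(pid, os.WNOHANG)
        if done == pid:
            reaped[pid] = os.WEXITSTATUS(status)
    return reaped


def zombie_demo(children=3):
    pids = [spawn_true() for _ in range(children)]
    # Block until each child has exited, but leave it un-reaped (WNOWAIT).
    # This is the situation of a parent that started a program and never
    # waited for it.
    for pid in pids:
        os.waitid(os.P_PID, pid, os.WEXITED | os.WNOWAIT)
    before = [(entry_exists(pid), proc_state(pid)) for pid in pids]
    reaped = reap_finished(pids)  # the "wait" that acknowledges each death
    after = [entry_exists(pid) for pid in pids]
    return before, reaped, after


if __name__ == "__main__":
    before, reaped, after = zombie_demo()
    print("before wait:", before)
    print("exit codes: ", reaped)
    print("after wait: ", after)
```
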





Re: $75.00 USD Bounty

2011-03-21 Thread Craig Campbell
Again, perl is not my specialty, but spawn a background watchdog process that 
sleeps 40 seconds then kills the parent if it is still alive.
Similarly, have the parent kill the child (watchdog) just before it exits if 
it completes its task.

-the other craig
  - Original Message - 
  From: Craig Smith 
  To: freeradius-users@lists.freeradius.org 
  Sent: Monday, March 21, 2011 4:51 PM
  Subject: Re: $75.00 USD Bounty


  Hi again,


  Okay, I have everything running, but I have one more question.


  Is there a way to adjust the timeout of the scripts being exec?


  I get the following error. I'm looking to make the timeout around 40 seconds.






  Error: Child PID 16599 is taking too much time: forcing failure and killing 
child.


  Thanks,


  Craig


  On Mon, Mar 21, 2011 at 12:27 PM, Craig Smith  wrote:

Alan,


I am also finding the documentation semi helpful. So I put:


exec {
program = "/path/to/program/exec-program-wait" <-- I know I need to change 
this
wait = yes
input_pairs = request
output_pairs = reply
}


In /etc/freeradius/modules/exec.


Now how do I make my authentication request use exec?


Thanks,


Craig






  __ Information from ESET Smart Security, version of virus signature 
database 5972 (20110321) __

  The message was checked by ESET Smart Security.

  http://www.eset.com





Re: $75.00 USD Bounty

2011-03-21 Thread Craig Campbell

Send it to Alan - he wrote the thing!  :)

The rest of us are just hacks!

:)
-the other craig
- Original Message - 
From: "Leander S." 

To: "FreeRadius users mailing list" 
Sent: Monday, March 21, 2011 2:05 PM
Subject: Re: $75.00 USD Bounty



Now who got the 75 Bucks?

 ;)


Re: $75.00 USD Bounty

2011-03-21 Thread Craig Campbell
re:  "Why do you say it's deprecated?"

From the source code, ..scripts/exec-program-wait 
  #  Before version 2.0 of FreeRADIUS, the script could be run from the
  #  deprecated attributes 'Exec-Program' and 'Exec-Program-Wait'.
  #  However, these attributes are no longer supported and you have to
  #  use the module 'rlm_exec' instead.
  #
  #  An entry for the module 'rlm_exec' must be added to the file
  #  'radiusd.conf' with the path of the script.
hence my attempts during my last upgrade to migrate to the new and improved 
method that will be used going forward.

re: "If you can be more specific about what you're trying to do"

My specific requirement is to port the logic of multiple entries in the users 
file to the new method.
The existing entries are like,

DEFAULT Auth-Type := Accept

Exec-Program-Wait = "/usr/local/sbin/auth -X -U -- %{User-Name} 
%{User-Password} %{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing} 
%{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing} 
%{Vendor-Specific}" ,

Fall-Through = no


I'd like to migrate to the 'new and improved' method before I hit an upgrade 
where it becomes non optional.  I am not the original (also craig) poster who 
has a similar but more immediate requirement using a perl script.

Thanks,
-the other craig

- Original Message - 
From: "Phil Mayers" 
To: 
Sent: Monday, March 21, 2011 12:51 PM
Subject: Re: $75.00 USD Bounty


> On 21/03/11 15:04, Craig Campbell wrote:
>> Alan,
>> I've read the documents indicated repeatedly. (And again just now.)
>>
>> I have not yet been able to port the 'deprecated' method of
>>
>> EXEC-PROGRAM-WAIT="/usr/local/bin/auth -A parameter"
> 
> Why do you say it's deprecated?
> 
>>
>> to the new method.
>>
>> I guess I'm missing how to bind the program using the new method to the
>> entries in the users file.
> 
> You don't. Calling a script in a "users" file entry by using the magic 
> "Exec-Program-Wait" is different from defining an exec "module" and 
> calling that in the "authorize" section.
> 
> They work differently and serve different needs.
> 
> If you can be more specific about what you're trying to do and show why 
> it isn't working, people might be able to offer specific advice - but 
> it's better to start a different thread, specific to your question.

Re: $75.00 USD Bounty

2011-03-21 Thread Craig Campbell

Alan,
   re:"Do you have a *specific* question about the documentation?  I'm 
unwilling to re-post it here, as that is not helpful."


Perhaps we  (the craigs) are thinking about it from the wrong (old) angle?
What I am missing is how to connect the entries in the users file to the 
specific auth program I wish to use via the 'new and improved' method?
Simple fictional example, assume I have two (2) auth programs (auth1 and 
auth2), and two NAS devices (NAS1 and NAS2).  In users I can use default 
entries and specify the source NAS in an entry like,


   Default NAS-IP-Address=="192.168.1.1", Auth-Type:=Accept,

   <- What goes here to replace the deprecated 
Exec-Program-Wait for auth1 construct?

   Fall-Through = No

   Default NAS-IP-Address=="192.168.1.2", Auth-Type:=Accept,

   <- What goes here to replace the deprecated 
Exec-Program-Wait for auth2 construct?

   Fall-Through = No

I suspect this is a case of you knowing the system so well that you are 
making a trivial logic leap we are failing to see.


Thanks,
-craig(II)

- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, March 21, 2011 12:34 PM
Subject: Re: $75.00 USD Bounty



Craig Smith wrote:

I am also finding the documentation semi helpful. So I put:


 In 2.1.x, you can *still* use Exec-Program-Wait.  So no change is
necessary.


exec {
program = "/path/to/program/exec-program-wait" <-- I know I need to
change this


 Change it to the path of the program you want to run.  This should be
Unix 101.


wait = yes
input_pairs = request
output_pairs = reply
}

In /etc/freeradius/modules/exec.

Now how do I make my authentication request use exec?


 You read the documentation in raddb/modules/exec.

 Do you have a *specific* question about the documentation?  I'm
unwilling to re-post it here, as that is not helpful.

 Alan DeKok.


Re: $75.00 USD Bounty

2011-03-21 Thread Craig Campbell
Craig,
I THINK you may want to name the exec module specifically...  from memory I 
THINK the syntax may be something like..

exec my_personal_auth_program {
program = "/path/to/program/exec-program-wait" <-- I know I need to change this
wait = yes
input_pairs = request
output_pairs = reply
}

Then I suspect you need to add a call to my_personal_auth_program to the 
sites-enabled/default file in either the authenticate or authorize section.

DISCLAIMER:  This is I think where all my attempts failed, hence I am still 
using the deprecated method.

Good luck and let me know if you solve this!

Cheers,
-the other craig 
  - Original Message - 
  From: Craig Smith 
  To: freeradius-users@lists.freeradius.org 
  Sent: Monday, March 21, 2011 12:27 PM
  Subject: Re: $75.00 USD Bounty


  Alan,


  I am also finding the documentation semi helpful. So I put:


  exec {
  program = "/path/to/program/exec-program-wait" <-- I know I need to change 
this
  wait = yes
  input_pairs = request
  output_pairs = reply
  }


  In /etc/freeradius/modules/exec.


  Now how do I make my authentication request use exec?


  Thanks,


  Craig



Re: $75.00 USD Bounty

2011-03-21 Thread Craig Campbell

Alan,
   I've read the documents indicated repeatedly.  (And again just now.)

I have not yet been able to port the 'deprecated' method of

   EXEC-PROGRAM-WAIT="/usr/local/bin/auth -A parameter"

to the new method.

I guess I'm missing how to bind the program using the new method to the 
entries in the users file.
This is not urgent, since I am still successfully using the old (and at this 
point more straight forward) method.


I understand how to add the CAPABILITY to use the program to the modules, 
but how to connect it to the users file escapes me.


This is NOT urgent for me, but if you get a moment to clarify, I'd 
appreciate it.  I'd like to leave the deprecated methods behind.


Thanks,
-craig (a different one than the original poster)

- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, March 21, 2011 9:46 AM
Subject: Re: $75.00 USD Bounty



Craig Smith wrote:

I will pay $75.00 USD (via PayPal) to the first person who can send me
the documentation and working configuration files for external
authentication using a PHP script.


 Read scripts/exec-program-wait

 This is documented.

 Alan DeKok.


Re: $75.00 USD Bounty

2011-03-21 Thread Craig Campbell
Hi Craig,
 Craig here too...

I am not very knacky with PERL, but I can tell you what you need to know.

1. In the users file you will need a line like,
  DEFAULT Auth-Type := Accept

  Exec-Program-Wait = "/usr/local/sbin/auth -X -U -- %{User-Name} 
%{User-Password} %{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing} 
%{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing} 
%{Vendor-Specific}" ,

  Fall-Through = no

  Where /usr/local/sbin/auth is your perl authorization script.
  You may either pass the authentication request parameters via command line as 
in the example above, or they may be collected from environmental variables.  
Note the '-' characters are replaced with '_' characters in the environmental 
variable names.  The -X and -U are specific to MY auth program.  The '--' 
denotes an end to command line switches.  The Parameter substitution for some 
variables ensures the word "Missing" in the event a value pair variable is not 
defined. (Again just for the needs of my script.)

  Beware:  There is a line length limit - much longer than this and you should 
use the environmental variable option to collect the parameters.  The example 
above EVOLVED from ancient radius software.  I'd likely drop the command line 
parameters entirely if I was writing it fresh today.

2. The auth script MUST return a return code == 0 (zero) for success.  Non zero 
and authentication is denied.

3. stdout from the auth script should be any value pairs you wish returned to 
the NAS.  (From memory) these value pairs need to be comma ',' separated.  
Returning an INVALID value pair for the NAS results in NO value pairs being 
returned and the stdout becomes a log message as I recall - very misleading.  I 
suggest you test by adding 1 value pair at a time to the successful logins.

There's my 5 minute memory dump.  

Hope it helps,
-craig

- Original Message - 
  From: Craig Smith 
  To: freeradius-users@lists.freeradius.org 
  Sent: Monday, March 21, 2011 8:14 AM
  Subject: $75.00 USD Bounty


  Good Morning! 


  I will pay $75.00 USD (via PayPal) to the first person who can send me the 
documentation and working configuration files for external authentication using 
a PHP script. 


  Thanks,


  Craig



Re: same username different password on different NAS

2011-03-16 Thread Craig Campbell
Sounds like a configuration (a job for :> ) "realms".
Each location would be a different realm, so the seemingly overlapping
username "manager" would in fact be a unique "manager@realm-X".

Thoughts?
-craig

On Wednesday, March 16, 2011, Richard Thornton  wrote:
> I am just learning about freeradius now, and would like to see if I can use 
> it to manage access and logging for users at a few hundred locations.  Each 
> remote office has between 1 and 50 users, and at first glance freeradius will 
> do the job, but I just noticed a problem with overlapping usernames.  I am 
> not sure if I need to use virtual servers, or if there is a better / easier 
> way.
>
> The problem is that each location may have a user with the same login name as 
> a different location.  For a simple example, each site could have a login of 
> "manager", but the manager username at each site would probably pair up with 
> a different password.
>
> Without using virtual servers, is there a way to link the username "manager" 
> to the NAS name or IP of the location?  I'm picturing
>  something like the radcheck table containing an additional field for NAS 
> such that freeradius would key off the combined of NAS address and username 
> fields, rather than just the username field.
>
> I am not opposed to using virtual servers if that is a better idea, but I'm 
> worried about the overhead of several hundred of them...  Any ideas or 
> pointers to docs would be appreciated.
>
> -Richard
>
>
>
>
>



Re: How to get fractions of seconds?

2011-02-09 Thread Craig Campbell
It sounds like the original request "I need to add the time spend for a 
particular Flow to a Logfile" wants to track the 'login time' in milliseconds.  
I suppose one could track the time from receiving the original request to 
sending the authentication - or receiving the accounting packet after 
authentication..  but I seriously doubt the added granularity would have any 
real meaning.  (References gettimeofday(2) for the seriously nerdy)

Sounds like you'd need to write your own additions to FreeRadius and submit 
them as an enhancement.  (I doubt the result would be worth the effort.)

Cheers,
-craig


  - Original Message - 
  From: Ramon J. Castillo 
  To: FreeRadius users mailing list 
  Sent: Wednesday, February 09, 2011 8:40 AM
  Subject: Re: How to get fractions of seconds?


  I see it useful too,  when specifying for example "response_window" that 
instead of be 1 "One second" could be 1200 as in "twelve hundred milliseconds".
   I have found some devices that time out in 3 seconds , in these cases you 
still want to retry at least once . Of course here the network delay is kept 
under  300 milliseconds  end to end.



--
  From: Alan DeKok 
  To: FreeRadius users mailing list 
  Sent: Wed, February 9, 2011 11:38:11 AM
  Subject: Re: How to get fractions of seconds?

  Stefan A. wrote:
  > Best would be to have something like '%l', but in a resolution of
  > milliseconds.

This is impossible.

The dates and elapsed times in RADIUS have a resolution down to one
  second, but no more.

It's possible to "fake" adding milliseconds, but they will bear little
  relation to the actual session times.  Network delays, processing
  delays, etc. will all affect the results.

Alan DeKok.

Re: Exec Module FreeRADIUS Version 2.1.8

2011-01-31 Thread Craig Campbell

Hi Hollman,

   I too have failed to grasp the nuances of the 'new' exec mechanisms.  In 
the end I admitted defeat, and stuck to the 'old way' - which I fear may 
become deprecated at some point.  In any case, here is what I have done and 
have working at this point.


1. Restore all the config files to their state before your exec 
modifications.


2. In the /raddb/users file, add an entry similar to the following..

   DEFAULT Auth-Type := Accept
   Exec-Program-Wait = "/usr/local/sbin/auth -L -X -U  --  
%{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} 
%{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} 
%{%{NAS-Port-Type}:-Missing} %{Vendor-Specific}" ,

   Fall-Through = no

3. My program (auth) required some command line parameters (for legacy 
reasons).   Radius dictionary name/value pairs are (should be) stored in the 
environment.  Environment variables are radius dictionary names converted to 
upper case only and all '-' changed to '_' characters.


4. The auth program in my case is responsible for returning (on stdout) all 
the reply Name/Value pairs.  These need to be comma separated.  Beware 
 characters and magically appearing commas.  My code has the following 
comment/warning ,


 "/* Need comma separated for freeradisu 2.1.8 */
  /* EXCEPT for first value pair - freeradius adds it's own comma there for 
some reason..."


A trailing comma seems to be harmless at this point.  I THINK multiple comma 
MAY also be harmless at this point.


If your reply value pairs are constant, you should be able to add them on 
the last line before the "Fall-Through = no" entry.
Your auth program should return 0 for successful authentication, I return 
255 for deny of login.  (Perhaps any non 0 would work.  Cannot recall.)



I would LOVE to understand the NEW and more correct way of achieving the 
same result.


If you figure it out, please let me know how to do it.

Good Luck,
-craig

- Original Message - 
From: "hollman.diaz" 

To: 
Sent: Sunday, January 30, 2011 8:50 PM
Subject: Exec Module FreeRADIUS Version 2.1.8




Hi everybody

I'm trying to change the Auth-Type attribute with an external application.
I'm using FreeRADIUS Version 2.1.8 and Ubuntu 10.04

What files should I modify?
I have tried with:

/etc/freeradius/radiusd.conf:
...
instantiate {
#
#  Allows the execution of external scripts.
#  The entire command line (and output) must fit into 253 bytes.
#
#  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec ven{
wait = yes
   program = "/etc/disconnect/php return.php
%{Calling-Station-Id}"
input_pairs = request
   output_pairs = reply
   shell_escape = yes
}

/etc/freeradius/sites-enabled/default
post-auth {
...
exec ven{
wait = yes
   program = "/etc/disconnect/php return.php
%{Calling-Station-Id}"
input_pairs = request
   output_pairs = reply
   shell_escape = yes
}

/etc/freeradius/modules/exec
...
#  See also "echo" for more sample configuration.
#
exec ven{
wait = yes
   program = "/etc/disconnect/php return.php
%{Calling-Station-Id}"
input_pairs = request
   output_pairs = reply
   shell_escape = yes
}

And /etc/freeradius/users:
...
DEFAULT Auth-Type := '%{exec:/etc/disconnect/php return.php
%{Calling-Station-Id}}'
 Fall-Through = No

External application is /etc/disconnect/return.php and it returns Accept or
Reject values.

I have read several forums but I do not understand the procedure. I would
appreciate a step by step procedure :)


Running freeradius -X, I get (with no modifications in
/etc/freeradius/users):
...
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
/etc/freeradius/sites-enabled/default[464]: Failed to find module "exec".
/etc/freeradius/sites-enabled/default[435]: Errors parsing post-auth
section.

Line 464 is
exec ven{

and line 435 is
post-auth {

Thanks in advance,

Hollman Diaz
--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Exec-Module-FreeRADIUS-Version-2-1-8-tp3363953p3363953.html

Sent from the FreeRadius - User mailing list archive at Nabble.com.
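
The contract described in Craig Campbell's replies in the "$75.00 USD Bounty" thread and in the reply above (request attributes in the environment with names upper-cased and '-' turned into '_', exit code 0 to accept and non-zero to deny, reply pairs comma separated on stdout), as an added example that is not code from the thread or from FreeRADIUS. It reads the request from the environment rather than from the command line; the account table, the allow-list of reply attributes and the stripping of surrounding double quotes are assumptions made for illustration.

```python
#!/usr/bin/env python3
import hmac
import os
import re
import sys

# Constructed sample data: reply attributes this script is allowed to emit.
# The posts report that one pair the server cannot parse causes every pair to
# be dropped, so names are checked before anything is printed.
ALLOWED_REPLY = {"Service-Type", "Framed-Protocol", "Idle-Timeout", "Session-Timeout"}

# Constructed demo accounts: password plus the reply pairs for that user.
USERS = {
    "alice": ("correct-horse", [("Service-Type", "Framed-User"), ("Idle-Timeout", 1800)]),
}

SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:-]+")


def env_name(attribute):
    """'Calling-Station-Id' -> 'CALLING_STATION_ID', the mapping the posts describe."""
    return attribute.upper().replace("-", "_")


def request_value(env, attribute, default="Missing"):
    """Fetch one request attribute; absent attributes yield the default."""
    value = env.get(env_name(attribute), default)
    # Assumption: string values may arrive wrapped in one pair of double quotes.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def format_reply(pairs):
    """Join pairs as 'Name=value, Name=value'; refuse anything off the allow-list."""
    parts = []
    for name, value in pairs:
        text = str(value)
        if name not in ALLOWED_REPLY or not SAFE_VALUE.fullmatch(text):
            raise ValueError(f"refusing to emit reply pair {name!r}")
        parts.append(f"{name}={text}")
    return ", ".join(parts)


def authenticate(env):
    """Return (exit_code, stdout_text): 0 accepts, non-zero denies."""
    user = request_value(env, "User-Name", "")
    password = request_value(env, "User-Password", "")
    stored_password, reply = USERS.get(user, ("", []))
    known = user in USERS
    # Constant-time comparison, performed for unknown users as well.
    same = hmac.compare_digest(password.encode(), stored_password.encode())
    if not (known and same):
        return 1, ""
    try:
        return 0, format_reply(reply)
    except ValueError:
        return 1, ""  # deny rather than accept with a malformed reply


def main():
    code, output = authenticate(os.environ)
    if output:
        print(output)
    return code


if __name__ == "__main__":
    sys.exit(main())
```
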


ETA for 2.1.11?

2011-01-20 Thread Craig Campbell
Just wondering when 2.1.11 might be released?

I am seeing an issue in 2.1.10 very similar to "FR 2.1.9 Frequent SegFault, 
didn't happen with FR 2.1.8" 
(http://freeradius.1045715.n5.nabble.com/FR-2-1-9-Frequent-SegFault-didn-t-happen-with-FR-2-1-8-td2787291.html).

I am hoping that the cause might have already been addressed and vanish in 
2.1.11.

Thanks for all the hard work on freeradius.

-craig




Re: Output from Exec-Program-Wait in users file

2010-11-12 Thread Craig Campbell
I think I found the issue.  One of the value pairs being returned used a name 
not defined in the dictionary file.  The new name is similar leading me to 
suspect the old name was deprecated and eventually replaced with a more clear 
name.

Thanks all!
-craig
  - Original Message - 
  From: Craig Campbell 
  To: FreeRadius users mailing list 
  Sent: Friday, November 12, 2010 6:24 AM
  Subject: Output from Exec-Program-Wait in users file


  Hi,
  am migrating from an ancient radius install to FreeRADIUS Version 2.1.8
  The system uses a custom authentication binary which we access from the users 
file via,


DEFAULT NAS-IP-Address == "192.168.1.100", Auth-Type := Accept, 
Simultaneous-Use := 1
Exec-Program-Wait = "/usr/local/sbin/auth -X -U -u 5882626 -- 
%{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} 
%{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} 
%{%{NAS-Port-Type}:-Missing} %{Vendor-Specific}" ,
Fall-Through = no

  On the old version, the output from the EXEC was sent back in the Accept 
packet..

  Now it looks like the stdout from the Exec-Program-Wait is not being sent 
back but either dropped or misplaced.

++[sql] returns ok
+- entering group post-auth {...}
Exec-Program output: Framed-Compression=Van-Jacobsen-TCP-IP 
Framed-Routing=None Framed-MTU=1500 Framed-IP-Netmask=255.255.255.0 
Framed-Protocol=PPP Service-Type=Framed-User Idle-Timeout=1800 
Session-Timeout=86400 ERX-Virtual-Router=SOMEROUTER 
ERX-Ingress-Policy-Name=COMFORT_UP ERX-Egress-Policy-Name=COMFORT_DOWN
Exec-Program-Wait: plaintext: Framed-Compression=Van-Jacobsen-TCP-IP 
Framed-Routing=None Framed-MTU=1500 Framed-IP-Netmask=255.255.255.0 
Framed-Protocol=PPP Service-Type=Framed-User Idle-Timeout=1800 
Session-Timeout=86400 ERX-Virtual-Router=SOMEROUTER 
ERX-Ingress-Policy-Name=COMFORT_UP ERX-Egress-Policy-Name=COMFORT_DOWN
Exec-Program: returned: 0
++[exec] returns noop
Sending Access-Accept of id 248 to 192.168.1.100 port 5
Finished request 0.
  Is there a way to direct the output from the Exec-Program into the Accept 
packet?  

  As far as we can tell, we are sending back an empty Accept packet.  The 
values are calculated by the auth binary, so hard coding them would be very 
difficult.

  It's after 1am here, so I hope this won't seem obvious in the morning.

  Any hints would be greatly appreciated.

  Thanks so much,
  -craig



------
  Craig Campbell 
  craig.campb...@ccraft.ca 
  CampbellCraft Consulting Inc
  2 Kenny Court 
  Whitby, Ontario 
  Canada 
  L1R 2L8 
  905 922-2789 

   




Output from Exec-Program-Wait in users file

2010-11-12 Thread Craig Campbell
Hi,
am migrating from an ancient radius install to FreeRADIUS Version 2.1.8
The system uses a custom authentication binary which we access from the users 
file via,


  DEFAULT NAS-IP-Address == "192.168.1.100", Auth-Type := Accept, 
Simultaneous-Use := 1
  Exec-Program-Wait = "/usr/local/sbin/auth -X -U -u 5882626 -- 
%{User-Name} %{User-Password} %{%{Called-Station-Id}:-Missing} 
%{%{NAS-IP-Address}:-Missing} %{%{Calling-Station-Id}:-Missing} 
%{%{NAS-Port-Type}:-Missing} %{Vendor-Specific}" ,
  Fall-Through = no

On the old version, the output from the EXEC was sent back in the Accept 
packet..

Now it looks like the stdout from the Exec-Program-Wait is not being sent back 
but either dropped or misplaced.

  ++[sql] returns ok
  +- entering group post-auth {...}
  Exec-Program output: Framed-Compression=Van-Jacobsen-TCP-IP 
Framed-Routing=None Framed-MTU=1500 Framed-IP-Netmask=255.255.255.0 
Framed-Protocol=PPP Service-Type=Framed-User Idle-Timeout=1800 
Session-Timeout=86400 ERX-Virtual-Router=SOMEROUTER 
ERX-Ingress-Policy-Name=COMFORT_UP ERX-Egress-Policy-Name=COMFORT_DOWN
  Exec-Program-Wait: plaintext: Framed-Compression=Van-Jacobsen-TCP-IP 
Framed-Routing=None Framed-MTU=1500 Framed-IP-Netmask=255.255.255.0 
Framed-Protocol=PPP Service-Type=Framed-User Idle-Timeout=1800 
Session-Timeout=86400 ERX-Virtual-Router=SOMEROUTER 
ERX-Ingress-Policy-Name=COMFORT_UP ERX-Egress-Policy-Name=COMFORT_DOWN
  Exec-Program: returned: 0
  ++[exec] returns noop
  Sending Access-Accept of id 248 to 192.168.1.100 port 5
  Finished request 0.
Is there a way to direct the output from the Exec-Program into the Accept 
packet?  

As far as we can tell, we are sending back an empty Accept packet.  The values 
are calculated by the auth binary, so hard coding them would be very difficult.

It's after 1am here, so I hope this won't seem obvious in the morning.

Any hints would be greatly appreciated.

Thanks so much,
-craig



--------
Craig Campbell 
craig.campb...@ccraft.ca 
CampbellCraft Consulting Inc
2 Kenny Court 
Whitby, Ontario 
Canada 
L1R 2L8 
905 922-2789 

 




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Fw: How can I test result of redundant-load-balance

2010-04-30 Thread Craig Campbell
Freeradius 2.1.8
I am trying to replace the functionality (from sites/enabled/default) of, 

  ldap_server_1 {
      notfound = return
  }

with a redundant set of servers.  I cannot have 

  redundant-load-balance {
      ldap_server_1 {
          notfound = return
      }
      ldap_server_2 {
          notfound = return
      }
  }

Does anyone know any way to (functionally) do this?




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Correction: LDAP without a User-Password (2.1.8)

2010-04-29 Thread Craig Campbell
successful
  [ldap] performing search in ou=People,o=SOMECOMPANY  ,o=somecompanynetwork, 
with filter (&(uid=SomeUser) (ntlRadiusStatus=Active) (inetUserStatus=Active) )
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
  [ldap] userPassword -> Password = "{SHA}rEtSjRgLo/JjdB2mc+QZbBYDxNU="
  [ldap] ntlradiusglobalprofileref -> Profile = 
"cn=prepaid,ou=Profiles,ou=Radius,ou=IP Services, o=SOMECOMPANY, 
o=somecompanynetwork"
WARNING: No "known good" password was found in LDAP.  Are you sure that the 
user is configured correctly?
[ldap] user SomeUser authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> SomeUser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 163 to 127.0.0.1 port 59607
Waking up in 4.9 seconds.
Cleaning up request 0 ID 163 with timestamp +8
Ready to process requests.



Craig Campbell 
craig.campb...@ccraft.ca 
CampbellCraft Consulting Inc
2 Kenny Court 
Whitby, Ontario 
Canada 
L1R 2L8 
905 922-2789 

 




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

LDAP without a User-Password (2.1.8)

2010-04-29 Thread Craig Campbell
adiusStatus=Active) (inetUserStatus=Active) )
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
  [ldap] userPassword -> Password = "{SHA}rEtSjRgLo/JjdB2mc+QZbBYDxNU="
  [ldap] ntlradiusglobalprofileref -> Profile = 
"cn=prepaid,ou=Profiles,ou=Radius,ou=IP Services, o=SOMECOMPANY, 
o=somecompanynetwork"
WARNING: No "known good" password was found in LDAP.  Are you sure that the 
user is configured correctly?
[ldap] user SomeUser authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> SomeUser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 163 to 127.0.0.1 port 59607
Waking up in 4.9 seconds.
Cleaning up request 0 ID 163 with timestamp +8
Ready to process requests.



Craig Campbell 
craig.campb...@ccraft.ca 
CampbellCraft Consulting Inc
2 Kenny Court 
Whitby, Ontario 
Canada 
L1R 2L8 
905 922-2789 

 




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Run user defined scripts on client connect and disconnect

2010-02-08 Thread Craig Campbell
If I am understanding your needs, this script does NOT perform user 
authentication.


In that case, I THINK you want to trigger based upon accounting records 
being sent to radius.


To do this, you need to use the ../etc/raddb/acct_users file.

Here is an example that we have been using for a session ending...

DEFAULT Acct-Status-Type == Stop
   Exec-Program-Wait = "%{exec:/usr/local/sbin/acctstop.sh}",
   Fall-Through = no

From memory, I believe the counterpart to this is the "Acct-Status-Type == 
Start" (verify that).

Ensure your script provides a return code of 0.  I THINK they matter...

Good Luck!
-craig

- Original Message - 
From: "Josh Willmarth" 

To: "FreeRadius users mailing list" 
Sent: Sunday, February 07, 2010 2:44 AM
Subject: Re: Run user defined scripts on client connect and disconnect


Hello,

I looked at the included modules and read a lot of documentation, but
I seem to be missing the general concept. Could someone please give me
a detailed run down of which files to edit (and what to edit) in order
to execute a shell script during accounting and post-auth? This would
be greatly appreciated.

Thank you,
Josh Willmarth

On Thu, Feb 4, 2010 at 11:34 PM, Alan DeKok  
wrote:

Josh Willmarth wrote:

I have a radius server setup with version 2.1.8. Is there a way that I
can have custom scripts run each time a user successfully connects to
and disconnects from my radius server? If so, what environment
variables can be passed to these scripts? Sorry if I missed this in
the documentation, but I was unable to find the exact answer I am
looking for.


See raddb/modules/exec

Alan DeKok.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
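
A sketch of what a hook such as /usr/local/sbin/acctstop.sh from the message above could look like. It is an added illustration, not code from any post in this thread. It assumes the exec module exports request attributes as upper-cased environment variables (User-Name becomes USER_NAME) and that string values may arrive wrapped in double quotes; the log path and function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical accounting-stop hook (illustrative; not from the thread).
# Assumption: the exec module exports request attributes as environment
# variables, upper-cased with '-' replaced by '_' (User-Name -> USER_NAME),
# and string values may arrive wrapped in double quotes.
# Every value comes from the NAS or the user, so it is handled as untrusted
# data: never eval'd and never used to build a command line.

ACCT_LOG="${ACCT_LOG:-/var/log/radius/acctstop.log}"   # hypothetical path

# strip_quotes VALUE: remove one pair of surrounding double quotes, if present.
strip_quotes() {
    v=$1
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s' "$v"
}

# sanitize VALUE: replace every byte outside a small allow-list with '?', so a
# hostile User-Name cannot inject newlines, spaces or extra key=value fields
# into the log line.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9@._:/-' '?'
}

# is_uint VALUE: succeed only for a non-empty string of decimal digits.
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# format_stop_record: print one log line built from the environment.
# Returns 1 (and prints nothing) when the record is not an accounting Stop.
format_stop_record() {
    stype=$(strip_quotes "${ACCT_STATUS_TYPE:-}")
    [ "$stype" = "Stop" ] || return 1
    user=$(sanitize "$(strip_quotes "${USER_NAME:-}")")
    sess=$(sanitize "$(strip_quotes "${ACCT_SESSION_ID:-}")")
    secs=$(strip_quotes "${ACCT_SESSION_TIME:-}")
    is_uint "$secs" || secs=invalid
    printf 'stop user=%s session=%s seconds=%s\n' "$user" "$sess" "$secs"
}

# main: append the record to the log. Always returns 0, following the advice
# in the thread that the script should provide a return code of 0.
main() {
    if line=$(format_stop_record); then
        { printf '%s\n' "$line" >> "$ACCT_LOG"; } 2>/dev/null || true
    fi
    return 0
}

# Run only when installed under its own name, so the functions can also be
# sourced and exercised separately.
case ${0##*/} in
    acctstop.sh) main ;;
esac
```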


Re: Radiusd process exited without notice

2010-01-06 Thread Craig Campbell

Has anyone checked for

Acct-Terminate-Cause = User-Error

with the packets in question?

We are seeing some of the "Info: [sql] stop packet with zero session 
length." messages logged (but only so far during 1 specific minute of the 
day) and

they ALL have "Acct-Terminate-Cause = User-Error".

There is one other packet with Acct-Session-Time = 0 AND 
Acct-Terminate-Cause = User-Request that does NOT generate the warning.


Our current belief is that this is NOT radius related.
The troublesome packets do not appear to be causing any harm. (despite the 
subject, radiusd is NOT exiting and remains healthy and happy (Yeah 
2.1.8!! )


I'm just thinking you guys might be chasing a non (radius) issue.

Cheers,
-craig
- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Wednesday, January 06, 2010 5:17 AM
Subject: Re: Radiusd process exited without notice



Bjørn Mork wrote:

Alan DeKok  writes:

  The Acct-Session-Time should be at least 1 second.


Why?  I can't find any such requirements in RFC 2866.


 The RFC's miss a *lot*.  It is permissible for a multi-homed NAS to
send an accounting "start" from one IP, "update" from another IP, and
"stop" from a third IP.  While this is insane, there is equipment that
behaves this way.


 If the session
lasts less than .5 seconds then an Acct-Session-Time of 0 makes perfect
sense.  IMHO.


 Hmm... I still don't like it.


I can agree that the near simultaneous start and stop requests indicates
some error, but as suggested by Dinh Pham Cong it may be a user
disconnecting immediately after the session is established.  That
happens.


 Yes.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html 






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radiusd process exited without notice

2010-01-05 Thread Craig Campbell
I think these may be valid (more or less) messages containing a 
Acct-Session-Time = 0



I have no reason to think radiusd is to blame.  I'll keep you posted if I 
learn more.


Thanks,
-craig


- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Tuesday, January 05, 2010 10:13 AM
Subject: Re: Radiusd process exited without notice



Craig Campbell wrote:

I'm running 2.1.8 and while I have some of those messages in my logs
(~70), the radiusd process seems totally fine.


 Hmm... that shouldn't be happening.  But without a test case, it's
hard to track down.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radiusd process exited without notice

2010-01-05 Thread Craig Campbell
I'm running 2.1.8 and while I have some of those messages in my logs (~70), 
the radiusd process seems totally fine.


Cheers,
-craig

- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, December 21, 2009 3:23 AM
Subject: Re: Radiusd process exited without notice



Dinh Pham Cong wrote:

Hi all,

I noticed that my radiusd process exited silently this morning without
any notice before I must start it manually at Mon Dec 21 10:42:23 2009
as you can see in the below log messages. Besides, no crash is recorded
in /var/log/messages.


 Try using 2.1.8 when it comes out.  It looks like an issue that was
previously reported, and fixed.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


2.1.8 proxy zombie/dead/alive loops

2010-01-04 Thread Craig Campbell
as zombie (it looks like it is dead).
  Mon Jan  4 11:52:44 2010 : Info: [sql] stop packet with zero session length. 
[user 'test_user_please_reject_me', nas '192.168.1.226']
  Mon Jan  4 11:52:47 2010 : Error: No response to status check 5969 for home 
server 192.168.1.225 port 1813
  Mon Jan  4 11:53:13 2010 : Info: [sql] stop packet with zero session length. 
[user 'test_user_please_reject_me', nas '192.168.1.226']
  Mon Jan  4 11:53:16 2010 : Error: No response to status check 6007 for home 
server 192.168.1.225 port 1813
  Mon Jan  4 11:53:43 2010 : Proxy: Marking home server 192.168.1.225 port 1813 
as dead.
  Mon Jan  4 11:53:46 2010 : Info: [sql] stop packet with zero session length. 
[user 'test_user_please_reject_me', nas '192.168.1.226']

  on radius-a, for status_check=request I added to acct_user,

  test_user_please_reject_me  Auth-Type := Reject
  Reply-Message = "Status check only",
  Fall-Through = No


I suspect I SHOULD be using status_check=status-server.
Which then leads to why my server keeps getting marked as zombie/dead/alive

It seems like the accounting stop packet being sent is not generating a 
reply...?

Below is the only packet being sent... again and again

  Mon Jan  4 11:53:45 2010
  Acct-Status-Type = Stop
  User-Name = "not_real...@somerealm"
  Event-Timestamp = "Dec 31 2009 15:41:36 DST"
  Acct-Delay-Time = 331887
  NAS-Identifier = "ERX-2"
  Acct-Session-Id = "0378168264"
  NAS-IP-Address = 192.168.1.101
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Framed-Compression = None
  ERX-Pppoe-Description = "pppoe 00:1d:68:ec:ee:64"
  Framed-IP-Address = 66.247.201.49
  Framed-IP-Netmask = 255.255.255.255
  ERX-Ingress-Policy-Name = "SOMEREALM_UP"
  ERX-Egress-Policy-Name = "SOMEREALM_DOWN"
  Calling-Station-Id = "ERX-0800283"
  Acct-Input-Gigawords = 0
  Acct-Input-Octets = 96
  Acct-Output-Gigawords = 0
  Acct-Output-Octets = 60
  ERX-Input-Gigapkts = 0
  Acct-Input-Packets = 0
  ERX-Output-Gigapkts = 0
  Acct-Output-Packets = 0
  NAS-Port-Type = Ethernet
  NAS-Port = 2147483931
  NAS-Port-Id = "GigabitEthernet 8/0.283:283"
  Acct-Authentic = RADIUS
  Acct-Session-Time = 0
  Acct-Terminate-Cause = User-Request
  Proxy-State = 0x3534313734
  Acct-Unique-Session-Id = "038113f04620fe75"
  Timestamp = 1262620425
  Request-Authenticator = Verified

I'm not certain what additional info would be helpful at this point.

Thanks,
-craig



Craig Campbell 
craig.campb...@ccraft.ca 
CampbellCraft Consulting Inc
2 Kenny Court 
Whitby, Ontario 
Canada 
L1R 2L8 
905 922-2789 

 




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Unexpected "Exiting normally" 2.1.8?

2009-11-26 Thread Craig Campbell

Ok, here is (I think) the debug you wanted.

-craig

[r...@radius-a ~]# gdb radiusd
GNU gdb Fedora (6.8-27.el5)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 


This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
(gdb) break fr_event_loop
Function "fr_event_loop" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (fr_event_loop) pending.
(gdb) run -f
Starting program: /usr/local/sbin/radiusd -f
[Thread debugging using libthread_db enabled]
[New Thread 0x2b5c60c5ee10 (LWP 23494)]
[New Thread 0x4253c940 (LWP 23502)]
[New Thread 0x42f3d940 (LWP 23503)]
[New Thread 0x4393e940 (LWP 23504)]
[New Thread 0x4433f940 (LWP 23505)]
[New Thread 0x44d40940 (LWP 23506)]

Breakpoint 1, fr_event_loop (el=0x1d94e7f0) at event.c:321
321 el->exit = 0;
(gdb) watch el->exit
Hardware watchpoint 2: el->exit
(gdb) del 1
(gdb) cont
Continuing.

Watchpoint 2 deleted because the program has left the block in
which its expression is valid.
[Switching to Thread 0x4433f940 (LWP 23505)]
0x003acf499845 in fork () from /lib64/libc.so.6
(gdb) bt
#0  0x003acf499845 in fork () from /lib64/libc.so.6
#1  0x0041104c in radius_exec_program (cmd=0x1d988a60 
"/usr/local/sbin/acctstop.sh", request=0x1d9732f0, exec_wait=0,
   user_msg=0x0, msg_len=254, input_pairs=0x1d985fe0, output_pairs=0x0, 
shell_escape=1) at exec.c:274
#2  0x2b5c60e6cf58 in exec_xlat (instance=0x1d8e90b0, 
request=0x1d9732f0, fmt=0x1d988a60 "/usr/local/sbin/acctstop.sh",
   out=0x4433df60 "", outlen=254, func=0x42bd95 ) at 
rlm_exec.c:138
#3  0x0042bbd0 in decode_attribute (from=0x4433def0, to=0x4433dee8, 
freespace=254, open_p=0x4433de7c, request=0x1d9732f0,

   func=0x42bd95 ) at xlat.c:911
#4  0x0042c0a1 in radius_xlat (out=0x4433df60 "", outlen=254, 
fmt=0x1d988818 "%{exec:/usr/local/sbin/acctstop.sh}",

   request=0x1d9732f0, func=0x42bd95 ) at xlat.c:1086
#5  0x00429613 in pairxlatmove (req=0x1d9732f0, to=0x1d9734a8, 
from=0x4433e238) at valuepair.c:587
#6  0x2b5c632b993f in file_common (inst=0x1d90bb20, request=0x1d9732f0, 
filename=0x2b5c632b9e8e "acct_users", ht=0x1d90bdb0,

   request_pairs=0x1d985fe0, reply_pairs=0x1d9734a8) at rlm_files.c:472
#7  0x2b5c632b9a66 in file_preacct (instance=0x1d90bb20, 
request=0x1d9732f0) at rlm_files.c:525
#8  0x00420443 in call_modsingle (component=2, sp=0x1d94c8d0, 
request=0x1d9732f0) at modcall.c:297
#9  0x0042126b in modcall (component=2, c=0x1d94bcf0, 
request=0x1d9732f0) at modcall.c:669
#10 0x0041ea4f in indexed_modcall (comp=2, idx=0, 
request=0x1d9732f0) at modules.c:691
#11 0x0041fdb6 in module_preacct (request=0x1d9732f0) at 
modules.c:1470

#12 0x0040813c in rad_accounting (request=0x1d9732f0) at acct.c:57
#13 0x004356b5 in radius_handle_request (request=0x1d9732f0, 
fun=0x408108 ) at event.c:4086
#14 0x00426bd6 in request_handler_thread (arg=0x1d966a50) at 
threads.c:492

#15 0x003ad0006367 in start_thread () from /lib64/libpthread.so.0
#16 0x003acf4d30ad in clone () from /lib64/libc.so.6
(gdb) thread apply all bt full

Thread 6 (Thread 0x44d40940 (LWP 23506)):
#0  0x003acf4dee6e in __lll_lock_wait_private () from /lib64/libc.so.6
No symbol table info available.
#1  0x003acf476668 in _L_lock_12629 () from /lib64/libc.so.6
No symbol table info available.
#2  0x003acf47477f in malloc_atfork () from /lib64/libc.so.6
No symbol table info available.
#3  0x2b5c60823dab in pairalloc (da=0x1d8d4df8) at valuepair.c:72
   name_len = 0
   vp = (VALUE_PAIR *) 0x44d3df90
#4  0x2b5c60826302 in pairmake (attribute=0x2b5c640d42df 
"Acct-Unique-Session-Id", value=0x44d3e280 "2d5f2bbb0937b3b9",

   operator=0) at valuepair.c:1462
   da = (DICT_ATTR *) 0x1d8d4df8
   vp = (VALUE_PAIR *) 0x0
   tc = 0x0
   ts = 0x0
   tag = 0 '\0'
   found_tag = 0
   buffer = "\200âÓD\000\000\000\000pâÓD", '\0' 
   attrname = 0x2b5c640d42df "Acct-Unique-Session-Id"
#5  0x2b5c640d40ad in add_unique_id (instance=0x1d94aec0, 
request=0x1d972e90) at rlm_acct_unique.c:241
   buffer = "2d5f2bbb0937b3b9\0009365,Client-IP-Address = 
192.168.1.101,NAS-IP-Address = 192.168.1.101,Acct-Session-Id = 
\"0360078311\",User-Name = \"jpodu...@comfort\"", '\0' , 
"\030\a\aa\\+\000\000\000\000\000\000\000\000\000\000øE\230\035\000\000\000\000x\210\224\035\000\000\000\000\001\000\000\000ì\003\000\000\000\000"...

   md5_buf = "-_+»\t7³¹ÓôÏ\001bà>!"
   vp = (VALUE_PAIR *) 0x1d9845c0
   p = 0x44d3e315 ""
   length = 30
   left = 3947
   inst = (rlm_acct_unique_t *) 0x1d94aec0
   cur = (rlm_acct_unique_list_t *) 0x0
#6  0x00420443 in call_modsi

Re: Unexpected "Exiting normally" 2.1.8?

2009-11-26 Thread Craig Campbell

With the info you need (I hope)...

[r...@radius-a ~]# gdb radiusd
GNU gdb Fedora (6.8-27.el5)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 


This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
(gdb) break event_loop_exit
Function "event_loop_exit" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (event_loop_exit) pending.
(gdb) break radius_signal_self
Breakpoint 2 at 0x434d9f: file event.c, line 3733.
(gdb) cond 1 (flag == 2)
(gdb) run -f
Starting program: /usr/local/sbin/radiusd -f
Error in re-setting breakpoint 1: Function "event_loop_exit" not defined.
[Thread debugging using libthread_db enabled]
[New Thread 0x2b9e812b4e10 (LWP 5870)]
[New Thread 0x4106d940 (LWP 5878)]
[New Thread 0x41a6e940 (LWP 5879)]
[New Thread 0x4246f940 (LWP 5880)]
[New Thread 0x42e70940 (LWP 5881)]
[New Thread 0x43871940 (LWP 5882)]
Detaching after fork from child process 5884.



Detaching after fork from child process 7376.
[New Thread 0x44272940 (LWP 7379)]
[New Thread 0x44c73940 (LWP 7380)]
[New Thread 0x45674940 (LWP 7381)]
Detaching after fork from child process 7382.



Detaching after fork from child process 9604.
[Switching to Thread 0x45674940 (LWP 7381)]

Breakpoint 2, radius_signal_self (flag=8) at event.c:3733
3733rcode = read(self_pipe[0], buffer, sizeof(buffer));
(gdb) bt
#0  radius_signal_self (flag=8) at event.c:3733
#1  0x0043d12f in detail_send (listener=0x11534860, 
request=0x2c00f650) at detail.c:119
#2  0x00432902 in request_post_handler (request=0x2c00f650) at 
event.c:2523
#3  0x00435741 in radius_handle_request (request=0x2c00f650, 
fun=0x408108 ) at event.c:4092
#4  0x00426bd6 in request_handler_thread (arg=0x2c001420) at 
threads.c:492

#5  0x003ad0006367 in start_thread () from /lib64/libpthread.so.0
#6  0x003acf4d30ad in clone () from /lib64/libc.so.6
(gdb) thread apply all bt full

Thread 9 (Thread 0x45674940 (LWP 7381)):
#0  radius_signal_self (flag=8) at event.c:3733
   rcode = 0
   buffer = "@#1  0x0043d12f in detail_send (listener=0x11534860, 
request=0x2c00f650) at detail.c:119

   rtt = 0
   now = {tv_sec = 290127440, tv_usec = 0}
   data = (listen_detail_t *) 0x115348f0
#2  0x00432902 in request_post_handler (request=0x2c00f650) at 
event.c:2523

   child_state = 6
   when = {tv_sec = 8589934594, tv_usec = 46912518551120}
   vp = (VALUE_PAIR *) 0x0
#3  0x00435741 in radius_handle_request (request=0x2c00f650, 
fun=0x408108 ) at event.c:4092

No locals.
#4  0x00426bd6 in request_handler_thread (arg=0x2c001420) at 
threads.c:492

   fun = (RAD_REQUEST_FUNP) 0x408108 
   self = (THREAD_HANDLE *) 0x2c001420
#5  0x003ad0006367 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#6  0x003acf4d30ad in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 8 (Thread 0x44c73940 (LWP 7380)):
#0  0x003ad000c6b1 in sem_wait () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x00426abb in request_handler_thread (arg=0x2c002580) at 
threads.c:453

   fun = (RAD_REQUEST_FUNP) 0x408108 
   self = (THREAD_HANDLE *) 0x2c002580
#2  0x003ad0006367 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#3  0x003acf4d30ad in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 7 (Thread 0x44272940 (LWP 7379)):
#0  0x003ad000c6b1 in sem_wait () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x00426abb in request_handler_thread (arg=0x2c001140) at 
threads.c:453

   fun = (RAD_REQUEST_FUNP) 0x408108 
   self = (THREAD_HANDLE *) 0x2c001140
#2  0x003ad0006367 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#3  0x003acf4d30ad in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 6 (Thread 0x43871940 (LWP 5882)):
#0  0x003ad000c6b1 in sem_wait () from /lib64/libpthread.so.0
No symbol table info available.
---Type  to continue, or q  to quit--- 
#1  0x00426abb in request_handler_thread (arg=0x11533bd0) at 
threads.c:453

   fun = (RAD_REQUEST_FUNP) 0x408108 
   self = (THREAD_HANDLE *) 0x11533bd0
#2  0x003ad0006367 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#3  0x003acf4d30ad in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 5 (Thread 0x42e70940 (LWP 5881)):
#0  0x003ad000c6b1 in sem_wait () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x00426abb in request_handler_thread (arg=0x11533a50) at 
threads

Re: Unexpected "Exiting normally" 2.1.8?

2009-11-26 Thread Craig Campbell

Here are the results from the latest gdb,

[[r...@radius-a ~]# gdb radiusd
GNU gdb Fedora (6.8-27.el5)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 


This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
(gdb) break event_loop_exit
Function "event_loop_exit" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (event_loop_exit) pending.
(gdb) break radius_signal_self
Breakpoint 2 at 0x434d9f: file event.c, line 3733.
(gdb) cond 1 (flag == 2)
(gdb) run -f
Starting program: /usr/local/sbin/radiusd -f
Error in re-setting breakpoint 1: Function "event_loop_exit" not defined.
[Thread debugging using libthread_db enabled]
[New Thread 0x2b8a5990de10 (LWP 543)]
[New Thread 0x41850940 (LWP 551)]
[New Thread 0x42400940 (LWP 552)]
[New Thread 0x42e01940 (LWP 553)]
[New Thread 0x43802940 (LWP 554)]
[New Thread 0x44203940 (LWP 555)]
Detaching after fork from child process 556.
Detaching after fork from child process 557.
Detaching after fork from child process 616.



Detaching after fork from child process 5364.
Detaching after fork from child process 5394.
[Switching to Thread 0x45605940 (LWP 4185)]

Breakpoint 2, radius_signal_self (flag=8) at event.c:3733
3733rcode = read(self_pipe[0], buffer, sizeof(buffer));
(gdb)

Thanks,
-craig

- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Thursday, November 26, 2009 1:45 AM
Subject: Re: Unexpected "Exiting normally" 2.1.8?



Bjørn Mork wrote:

I am now seeing this very same problem, and strongly suspect it to be
related to dead proxy home servers.  I was able to provoke the "Exiting
normally" on a server with *no* traffic at all, by doing a couple of
requests for a realm with dead home servers and then waiting:

 Wed Nov 25 18:03:56 2009 : Error: PROXY: Marking home server 88.a.b.158 
port 1812 as zombie (it looks like it is dead).
 Wed Nov 25 18:04:35 2009 : Error: PROXY: Marking home server 84.c.d.222 
port 1812 as zombie (it looks like it is dead).

 Wed Nov 25 19:38:13 2009 : Info: Exiting normally.

No requests at all were sent to this server between the two last log
lines.


 Hmm... the "exiting normally" means that it received a signal to exit
(internal or external).  Otherwise, it just keeps running.

 Try using gdb, and:

(gdb) break event_loop_exit
(gdb) break radius_signal_self
(gdb) cond 1 (flag == 2)

(gdb) run

 And then when it stops:

(gdb) thread apply all bt full

 That *should* catch the stack trace where it exits.


I was planning to use the 2.1.7 release, but hit the recursive mutex
problem.


 Ugh.  Some systems don't support recursive mutexes, and even better,
don't complain when you try to use them!


 Now, adding the two facts, I'm starting to wonder whether the
"Exiting normally" bug might be related to the fix for the recursive
mutexes?  They are both related to dead home servers.  Makes me
suspicious...


 Quite possibly, yes.  But the fact that it exits a minute and a half
after the last packet is odd.


And I'm wondering what my other options are wrt the mutex problem.  I am
pretty much stuck with RHEL on these servers (not my choice).  Is this a
glibc 2.5 problem?  Should I demand an upgrade to a more modern OS?


 Let's wait for the back trace.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html 






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Unexpected "Exiting normally" 2.1.8?

2009-11-25 Thread Craig Campbell

Ok,
   can anyone identify a certain "GOOD" build to use for the git bisect? 
(Say where 2.1.7 was released?)


I looked through the logs and have arbitrarily selected,
134f314c57d67b56bab93db4089c25e956ad6cf2] Lots of notes prior to 2.1.7

I do not know how to force git to build that revision so I could actually 
verify it is good.


Thanks,
-craig
- Original Message - 
From: "Craig Campbell" 

To: "FreeRadius users mailing list" 
Sent: Tuesday, November 24, 2009 7:28 AM
Subject: Re: Unexpected "Exiting normally" 2.1.8?



Thanks for the correction.

I have rebuilt and am re-running my test.  I just hope I didn't somehow 
taint the bisect work and provide misleading information to Alan.


I should know some time today if I need to redo the bisection.
For my previous work I had done,

$git bisect start
$git bisect bad
$git bisect good 321c0ae58641f709d115526bb564cbd8c4dab71d    <- I do not have full confidence in this


Followed by loops of,
$./conf
$CFLAGS='-O0 -g' ./configure
$make clean
$find . -name "*.o"    <- sometimes I found lingering .o files - not certain why.  I would delete any I discovered at this point
$make
$git bisect skip|bad|good    <- depending on if build failed, binary crashed or other error (skip), had error (bad), or succeeded (good)
$git pull    <- I THINK this may be unnecessary..  but not certain.  Docs I found on git were not entirely clear


If I need to re-bisect, could you perhaps spoon feed me the commands to 
ensure I'm doing it correctly?  Specifically, how can I acquire and verify 
I have my first "good" build?  And then the incantation to perform 
iterative bisections until I run out.


I truly hope I haven't provided misleading info.

Thanks,
-craig
- Original Message - 
From: "Alexander Clouter" 

To: 
Sent: Monday, November 23, 2009 8:13 AM
Subject: Re: Unexpected "Exiting normally" 2.1.8?



Hi,

Craig Campbell  wrote:


   I re-acquired the source, but there seems to be a (minor I think) error.


   $git clone git://git.freeradius.org/freeradius-server.git
   $cd freeradius-server
   $git fetch origin stable:stable
   $git pull   <- should be 'git checkout stable'
   $make clean
   $CFLAGS='-O0 -g' ./configure
   $make


Otherwise if I am reading that right you are trying to compile off the
unstable branch.

Cheers

--
Alexander Clouter
.sigmonster says: BOFH excuse #169:
 broadcast packets on wrong frequency

-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
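
The good/bad/skip loop discussed in this thread can be handed to `git bisect run`, after first checking out and testing each endpoint with `git checkout <revision>`. The script below is an added example, not code from the thread or from the FreeRADIUS project; it runs against a constructed throwaway repository, and the marker files `build.ok` and `exits_early` are hypothetical stand-ins for the real build and the real test.

```shell
#!/bin/sh
# Added example: automating the good/bad/skip loop with `git bisect run`.
# Everything here is constructed: a throwaway repository stands in for
# freeradius-server, and marker files stand in for the real build and test.
set -eu

# Build a 12-commit history tagged c1..c12. Commits 5 and 6 "fail to build"
# (no build.ok); the regression marker exits_early first appears in commit 9.
make_demo_repo() {
    repo=$(mktemp -d)
    (
        cd "$repo"
        git init -q
        git config user.email demo@example.invalid
        git config user.name demo
        git config commit.gpgsign false
        n=1
        while [ "$n" -le 12 ]; do
            echo "$n" > version
            if [ "$n" -eq 5 ] || [ "$n" -eq 6 ]; then rm -f build.ok; else : > build.ok; fi
            if [ "$n" -ge 9 ]; then : > exits_early; fi
            git add -A
            git commit -q -m "commit $n"
            git tag "c$n"
            n=$((n + 1))
        done
    ) >/dev/null
    echo "$repo"
}

# Write the per-revision verdict script and print its path. It lives outside
# the repository so that checking out other revisions cannot change it.
write_step_script() {
    step=$(mktemp)
    cat > "$step" <<'EOF'
# Verdict for the checked-out revision, in `git bisect run` exit-code terms.
# A real script would run ./configure && make here instead of testing a file.
[ -f build.ok ] || exit 125      # cannot build: skip, do not call it bad
# A real script would start the server and watch for the unexpected exit.
[ ! -f exits_early ] || exit 1   # regression present: bad
exit 0                           # built and behaved: good
EOF
    echo "$step"
}

# Usage: find_first_bad REPO GOOD BAD STEP
# Prints the subject line of the first bad commit.
find_first_bad() {
    (
        cd "$1"
        # Check out and test each endpoint before trusting it.
        git checkout -q "$2"
        sh "$4" || { echo "$2 does not test good" >&2; exit 2; }
        git checkout -q "$3"
        rc=0; sh "$4" || rc=$?
        if [ "$rc" -eq 0 ] || [ "$rc" -eq 125 ]; then
            echo "$3 does not test bad" >&2; exit 2
        fi
        # Bad revision first, then the good one; git checks out the midpoint.
        git bisect start "$3" "$2" >/dev/null
        git bisect run sh "$4" >/dev/null || {
            git bisect reset >/dev/null 2>&1
            echo "bisect could not isolate a single commit" >&2; exit 3
        }
        git log -1 --format=%s refs/bisect/bad
        git bisect reset >/dev/null 2>&1
    )
}

repo=$(make_demo_repo)
step=$(write_step_script)
echo "first bad commit: $(find_first_bad "$repo" c1 c12 "$step")"
```

Exit status 125 is what keeps a revision that cannot be built from being recorded as bad; if every remaining candidate is skipped, `git bisect run` stops without naming a single commit.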


Re: Unexpected "Exiting normally" 2.1.8?

2009-11-24 Thread Craig Campbell

Thanks for the correction.

I have rebuilt and am re-running my test.  I just hope I didn't somehow 
taint the bisect work and provide misleading information to Alan.


I should know some time today if I need to redo the bisection.
For my previous work I had done,

$git bisect start
$git bisect bad
$git bisect good 321c0ae58641f709d115526bb564cbd8c4dab71d   <- I do not have full confidence in this

Followed by loops of,
$./conf
$CFLAGS='-O0 -g' ./configure
$make clean
$find . -name "*.o"   <- sometimes I found lingering .o files - not certain why.  I would delete any I discovered at this point
$make
$git bisect skip|bad|good   <- depending on if build failed, binary crashed or other error (skip), had error (bad), or succeeded (good)
$git pull   <- I THINK this may be unnecessary..  but not certain.  Docs I found on git were not entirely clear


If I need to re-bisect, could you perhaps spoon feed me the commands to 
ensure I'm doing it correctly?  Specifically, how can I acquire and verify I 
have my first "good" build?  And then the incantation to perform iterative 
bisections until I run out.


I truly hope I haven't provided misleading info.

Thanks,
-craig
- Original Message - 
From: "Alexander Clouter" 

To: 
Sent: Monday, November 23, 2009 8:13 AM
Subject: Re: Unexpected "Exiting normally" 2.1.8?



Hi,

Craig Campbell  wrote:


   I re-acquired the source, but there seems to be a (minor I think) error.


   $git clone git://git.freeradius.org/freeradius-server.git
   $cd freeradius-server
   $git fetch origin stable:stable
   $git pull   <- should be 'git checkout stable'
   $make clean
   $CFLAGS='-O0 -g' ./configure
   $make


Otherwise if I am reading that right you are trying to compile off the
unstable branch.

Cheers

--
Alexander Clouter
.sigmonster says: BOFH excuse #169:
 broadcast packets on wrong frequency



Re: Unexpected "Exiting normally" 2.1.8?

2009-11-23 Thread Craig Campbell

Hmm...  it seems the error remains...  (See below)

I will try another 'fresh build' tomorrow just in case I did something 
wrong.


Thanks,
-craig

Detaching after fork from child process 659.
Detaching after fork from child process 689.

Program received signal SIGTERM, Terminated.
0x003acf4306a7 in kill () from /lib64/libc.so.6
(gdb)
(gdb)
(gdb) bt full
#0  0x003acf4306a7 in kill () from /lib64/libc.so.6
No symbol table info available.
#1  0x00424172 in main (argc=2, argv=0x7fff6246da68) at radiusd.c:419
   rcode = 0
   argval = -1
   spawn_flag = 1
   dont_fork = 1
   flag = 0
   act = {__sigaction_handler = {sa_handler = 0x424349 , sa_sigaction = 0x424349 }, sa_mask = {__val = {0 }}, sa_flags = 0, sa_restorer = 0}
(gdb) where
#0  0x003acf4306a7 in kill () from /lib64/libc.so.6
#1  0x00424172 in main (argc=2, argv=0x7fff6246da68) at radiusd.c:419

(gdb)



- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, November 23, 2009 7:06 AM
Subject: Re: Unexpected "Exiting normally" 2.1.8?



Craig Campbell wrote:

Thanks Alan,
I re-acquired the source, but there seems to be a (minor I think) error.


  $git clone git://git.freeradius.org/freeradius-server.git
  $cd freeradius-server
  $git fetch origin stable:stable
  $git pull


 No.  See http://git.freeradius.org for the exact commands.

$ git checkout stable

 Alan DeKok.


Re: Unexpected "Exiting normally" 2.1.8?

2009-11-23 Thread Craig Campbell
Thanks Alan,
I re-acquired the source, but there seems to be a (minor I think) error.

$git clone git://git.freeradius.org/freeradius-server.git
$cd freeradius-server
$git fetch origin stable:stable
$git pull
$make clean
$CFLAGS='-O0 -g' ./configure 
$make

  Making all in frs_acct...
  gmake[6]: Entering directory 
`/home/craig/src/freeradius/freeradius-server/src/modules/frs_acct'
  /bin/sh /home/craig/src/freeradius/freeradius-server/libtool --mode=compile 
gcc  -O0 -g -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g 
-Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings 
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef 
-I/home/craig/src/freeradius/freeradius-server/src 
-I/home/craig/src/freeradius/freeradius-server/libltdl  -c frs_acct.c
  libtool: compile:  gcc -O0 -g -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall 
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef 
-I/home/craig/src/freeradius/freeradius-server/src 
-I/home/craig/src/freeradius/freeradius-server/libltdl -c frs_acct.c  -fPIC 
-DPIC -o .libs/frs_acct.o
  In file included from 
/home/craig/src/freeradius/freeradius-server/src/freeradius-devel/radiusd.h:107,
   from frs_acct.c:29:
  
/home/craig/src/freeradius/freeradius-server/src/freeradius-devel/smodule.h:144:
 error: expected specifier-qualifier-list before 'RADCLIENT'
  gmake[6]: *** [frs_acct.lo] Error 1
  gmake[6]: Leaving directory 
`/home/craig/src/freeradius/freeradius-server/src/modules/frs_acct'
  gmake[5]: *** [common] Error 2
As soon as I can build a version, I'll test again to ensure we got the bug we 
were seeking.

Thanks,
-craig


- Original Message - 
From: "Alan DeKok" 
To: "FreeRadius users mailing list" 
Sent: Sunday, November 22, 2009 3:14 AM
Subject: Re: Unexpected "Exiting normally" 2.1.8?


> Craig Campbell wrote:
>> Once you have another version (reverted), I can test again...
>> 
>> I am really unfamiliar with git, so I may need a hint as to getting  the
>> correct version for testing.
> 
>  I've reverted the problem commit.  It doesn't fix the PostgreSQL
> issue, and it causes other problems.
> 
>  The fix is now in the "stable" branch.
> 
>  Alan DeKok.

Re: Unexpected "Exiting normally" 2.1.8?

2009-11-18 Thread Craig Campbell

Once you have another version (reverted), I can test again...

I am really unfamiliar with git, so I may need a hint as to getting  the 
correct version for testing.


Thanks,
-craig
- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Wednesday, November 18, 2009 12:31 PM
Subject: Re: Unexpected "Exiting normally" 2.1.8?



Craig Campbell wrote:

Ok,
   I hope this is helpful.  Below please find the git bisect log.
There were a number of iterations with make errors which I then
skipped.  I suspect the errors were OS specific and were clearly fixed
in later iterations.

-bash-3.2$ git bisect log
git bisect start
# bad: [9dbc8974fdd2300a70293eda9c62bce20a3c9165] errormsg may be NULL


 Huh...  Since that commit doesn't help the reported bug, it's likely
best to just revert it.  Oh well.

 Alan DeKok.


Re: Unexpected "Exiting normally" 2.1.8?

2009-11-18 Thread Craig Campbell
d] Check for undefined types, too
git bisect skip 64700e41098a874581d683c8606c94f9ad23079d
# skip: [f4dd3a6e803219b61f3ec1d1b7f3767ee54e8eec] Free tcp structure, too
git bisect skip f4dd3a6e803219b61f3ec1d1b7f3767ee54e8eec
# skip: [382b6c2223ba1a233ca9f4d248beb888a0123f3e] Print more descriptive error message for too many EAP sessions
git bisect skip 382b6c2223ba1a233ca9f4d248beb888a0123f3e
# skip: [5aa01c58d91063b5bbbf5aef941137d7cf638bbe] Changed stop packet msg to debug rather than error
git bisect skip 5aa01c58d91063b5bbbf5aef941137d7cf638bbe
# skip: [e69be18535bd8b9a2cfb50a9df7cb44e3129ab4c] Added more debugging messages
git bisect skip e69be18535bd8b9a2cfb50a9df7cb44e3129ab4c
# skip: [817e64f14df0e5816d87784f995e8fc4a240e048] Initialize proto for old-style realms
git bisect skip 817e64f14df0e5816d87784f995e8fc4a240e048
# skip: [d711a368ebf0e057e54596d22584ca2ce37e209c] Make client/port/key-balance more like fail-over
git bisect skip d711a368ebf0e057e54596d22584ca2ce37e209c
# skip: [ff89e4cac7f2a9256c7d360b1d53a1eb69a28f40] More plumbing to get to home servers via TCP
git bisect skip ff89e4cac7f2a9256c7d360b1d53a1eb69a28f40
# skip: [fe4bf0a8d6d7e168e0c6729115df1315abbe5e20] Fix typo
git bisect skip fe4bf0a8d6d7e168e0c6729115df1315abbe5e20
# skip: [732917380982c0aa5ff862ffa2d901fbe52dac36] Allow radclient to send/receive RADIUS over TCP
git bisect skip 732917380982c0aa5ff862ffa2d901fbe52dac36
# skip: [a4202aeb848174ed430fd29573e3dd2db78ae2a1] fix debian/rules to honour CFLAGS
git bisect skip a4202aeb848174ed430fd29573e3dd2db78ae2a1
# skip: [6a6d2b450fd7ddff65e9f73bbe96ba3f5f914f08] Check src_port, not dst_port
git bisect skip 6a6d2b450fd7ddff65e9f73bbe96ba3f5f914f08
# skip: [30adbf8230730a7503f5e3654df90c5c2a38a8ed] Call detach only if function exists
git bisect skip 30adbf8230730a7503f5e3654df90c5c2a38a8ed
# skip: [8fa1a08726aad4f379c7bcc6df608f8d79594a34] Removed recursive mutexes.
git bisect skip 8fa1a08726aad4f379c7bcc6df608f8d79594a34
# skip: [ce2a48e678fd80199b886aeda654ed2f94340c19] Allow clients to use TCP
git bisect skip ce2a48e678fd80199b886aeda654ed2f94340c19
-bash-3.2$
- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, November 16, 2009 11:02 AM
Subject: Re: Unexpected "Exiting normally" 2.1.8?



Craig Campbell wrote:

Still running tests with bisect.

successful runs take some time to identify (a day).

Please let me know if the bug is identified, otherwise I'll keep
plugging away.


 Thanks.  Once we know the commit, the fix should hopefully be easy.

 Alan DeKok.


Re: Unexpected "Exiting normally" 2.1.8?

2009-11-16 Thread Craig Campbell

Still running tests with bisect.

successful runs take some time to identify (a day).

Please let me know if the bug is identified, otherwise I'll keep plugging 
away.


Thanks,
-craig

- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Friday, November 06, 2009 5:04 PM
Subject: Re: Unexpected "Exiting normally" 2.1.8?



Craig Campbell wrote:

I was able to get some bisect runs (I think).  However, I am
encountering a different error in these.

If radiusd is run in multithreaded mode, it hangs shortly after
beginning. This particular error has already been fixed (later).


 Use a system that supports recursive mutexes.


Do you know if the Signal/Exit error depends upon multi threading?  i.e
will it happen if run with the -s option?


 It depends on multithreading.

 Alan DeKok.


Re: Proxy to multiple servers in FR 2.1.7

2009-11-12 Thread Craig Campbell
Re:  "Do I need a second site-enable/copy-acct-to-home-server1 file that 
reads from a different detail file?"


As far as I can tell (and have done) - Yes, you do.

Cheers,
-craig

- Original Message - 
From: "Patric" 

To: "FreeRadius users mailing list" 
Sent: Thursday, November 12, 2009 9:50 AM
Subject: Proxy to multiple servers in FR 2.1.7



Hi again all :)

I am attempting to proxy all accounting packets to 2 servers.
In my proxy.conf I am using a default realm.

realm DEFAULT {
    acct_pool   = my_acct_failover
    nostrip
}

I create a home_server entry for each server, and add them to the 
home_server_pool for that realm:


home_server copy-acct-to-home-server {
}

home_server copy-acct-to-home-server2 {
}

home_server_pool my_acct_failover {
    home_server = copy-acct-to-home-server
    home_server = copy-acct-to-home-server2
}

If I have site-enable/copy-acct-to-home-server it then appears to work in 
a fail-over method, where it will send to the first server until it is not 
reachable, then it sends to the second server.


Is there a way I can configure this to send to both at once? Do I need a 
second site-enable/copy-acct-to-home-server1 file that reads from a 
different detail file?


I am using the default realm so I don't know how to set up a second 
home_server_pool either...


Any help is much appreciated, I'm going in circles :)
Many thanks
Patric


Re: Unexpected "Exiting normally" 2.1.8?

2009-11-04 Thread Craig Campbell

Hi Alexander.

 Thanks for the update - I was concluding I'd have to wait for the release 
of 2.1.8 to pursue this.  I am currently in a situation where I can help 
debug 2.1.8, since the 'new' systems aren't yet in production.


Looking at your debug output (and I am in no way an expert at that) it seems 
as though the process received a signal?
I am running a 'custom' module (event.c as I recall) from Alan that resolves 
an issue with hung children (very exciting!), and I followed Alan's 
instructions to get to this point.  I would really like to try to 'give 
back' if I can and assist in identifying the cause of the program exiting 
(assuming it is a new and as of yet unidentified bug).


Would copying the steps you have below on my two redhat systems be a good 
way to proceed?


Let me know,
-craig
- Original Message - 
From: "Alexander Clouter" 

To: 
Sent: Wednesday, November 04, 2009 11:43 AM
Subject: Re: Unexpected "Exiting normally" 2.1.8?



Craig Campbell  wrote:


I'm running an unreleased '"development?" version of freeradius (2.1.8?).


"me too", I get exactly what you are getting.  If you are always
fiddling with FreeRADIUS I recommend you always run it in gdb as then
you can get things fixed easily.

I usually build FreeRADIUS (under Debian stable) with:

git clone http://git.freeradius.org/freeradius-server.git
cd freeradius-server
git checkout release_2_1_7
git checkout -b soas

git cherry-pick c7a9d2aa1b3fa91591ce95f19aa5ba42c102f4f7
git cherry-pick fbdc02ad699b9bc4d410daaa54f76df7141d2f64
git cherry-pick fa0e98d1056e22fa413078dbd8c3fe0d85532826
git cherry-pick 92ab5fef40320d1dbc3fe59db82cb20a3ec69249
git cherry-pick 4ca219b1f1ab68fc8434072e51a8e4b95cf37c16
git cherry-pick 52880d0020b7b900ae8383b142b08e4e11cde639
git cherry-pick 137e3759b2ffc0c4f99064dadbd7461d3e86ae2a
git cherry-pick 9491d6eb7b963532855ccc8a63a523a2a1e3af2b
git cherry-pick 4baebf8202d7db372a9ad2ce5026ec6c986f0de7
git cherry-pick 382b6c2223ba1a233ca9f4d248beb888a0123f3e
git cherry-pick 751e9a39b2221a2623001a4611021a8e01cf4375
git cherry-pick 1013e94b66064f24170e394e63ba4f093c141d74
git cherry-pick 1628ef2387d9f7a89b3c2ff8945f49777eb135f1
git cherry-pick 83c2cd412b1208e67381372baa73c779cd2848f6
git cherry-pick f6e2dba8a7e4dd31d36d5b8ee434d21600e3f99f
git cherry-pick 64700e41098a874581d683c8606c94f9ad23079d
git cherry-pick e69be18535bd8b9a2cfb50a9df7cb44e3129ab4c
git cherry-pick 9261f3e0026323b2c397af13d02fbc5780908143

DEB_BUILD_OPTIONS='debug nostrip noopt' CFLAGS='-DIE_LIBTOOL_DIE' debuild -us -b




It's when I add (I am pretty sure it's in the first 8 or so
patches) the following I get the same problem with FreeRADIUS:

git cherry-pick 12ead56dffca9b3ecddc8a7860a1ef5b5361b374
git cherry-pick d711a368ebf0e057e54596d22584ca2ce37e209c
git cherry-pick 057c7ac764a4639f715edcbde7dc22491b79be62
git cherry-pick a4202aeb848174ed430fd29573e3dd2db78ae2a1
git cherry-pick a92700b3fb88239ccb0db9f5ece68dd430937df3
git cherry-pick b1e815d0b4bec01f9721d4b92786960b2218f149
git cherry-pick 30adbf8230730a7503f5e3654df90c5c2a38a8ed
git cherry-pick f2d96581f98990d24991c99a681d018a3df85e92
git cherry-pick 5aa01c58d91063b5bbbf5aef941137d7cf638bbe
git cherry-pick 9b70af0c517daad7d374f4cc948488429d3a9cc0
git cherry-pick 98b22609015439b16cc62cf45e4472a14377da2a
git cherry-pick 092f0ea30cdfc2d669afe47061fafb9407269641
git cherry-pick b853a84e6c4ccd5d9e2c4ad9da2c421a234e887f
git cherry-pick d9dd62aae7baa5346f19236cead4414c03546d45
git cherry-pick 1700127c8a7150f57056495a2980fd132dafdb92
git cherry-pick 9dbc8974fdd2300a70293eda9c62bce20a3c9165


I guess at this point I am going to be told to be a good boy and run off
and use git bisect? :)

Looking through the patches normally I cannot see what could have caused
the graceful exit...which is exactly what I am getting:

garibaldi:/usr/src# gdb freeradius
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show
copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) run -f
Starting program: /usr/sbin/freeradius -f
[Thread debugging using libthread_db enabled]
[New Thread 0x7f9ba2eeaae0 (LWP 14420)]
[New Thread 0x41313950 (LWP 14423)]
[New Thread 0x4271a950 (LWP 14424)]
[New Thread 0x42f1b950 (LWP 14425)]
[New Thread 0x4371c950 (LWP 14426)]
[New Thread 0x43f1d950 (LWP 14427)]

Program received signal SIGTERM, Terminated.
[Switching to Thread 0x7f9ba2eeaae0 (LWP 14420)]
0x7f9ba171e1c7 in kill () from /lib/libc.so.6
(gdb) bt full
#0  0x7f9ba171e1c7 in kill () from /lib/libc.so.6
No symbol table info available.
#1  0x004228d9 i

Unexpected "Exiting normally" 2.1.8?

2009-10-27 Thread Craig Campbell
I'm running an unreleased '"development?" version of freeradius (2.1.8?).

So far it is working well, but it is terminating for reasons I cannot determine.

The log contains the following,

Mon Oct 26 15:48:57 2009 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Mon Oct 26 15:48:57 2009 : Info: rlm_sql (sql): Attempting to connect to radi...@localhost:/radius
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Mon Oct 26 15:48:57 2009 : Info: Loaded virtual server inner-tunnel
Mon Oct 26 15:48:57 2009 : Info: Loaded virtual server copy-acct-to-home-server
Mon Oct 26 15:48:57 2009 : Info: Loaded virtual server copy-acct-to-radius-c
Mon Oct 26 15:48:57 2009 : Info: Loaded virtual server 
Mon Oct 26 15:48:57 2009 : Info: Ready to process requests.
Mon Oct 26 17:57:33 2009 : Error: PROXY: Marking home server 192.168.1.226 port 1813 as zombie (it looks like it is dead).
Mon Oct 26 17:58:13 2009 : Info: PROXY: Marking home server 192.168.1.226 port 1813 as dead.
Mon Oct 26 20:05:36 2009 : Info: Exiting normally.

The zombie messages are suspicious, since neither host is experiencing any 
significant load. (The zombie server is also 2.1.8.  There is a 2.1.7 server as 
well NOT being zombied..)
The exit message is much later, but no hint as to WHY it is exiting normally.

Any hints would be greatly appreciated.

Thanks,
-craig


----
Craig Campbell 
craig.campb...@ccraft.ca 
CampbellCraft Consulting Inc
2 Kenny Court 
Whitby, Ontario 
Canada 
L1R 2L8 
905 922-2789 

 




Re: cannot upgrade 2.1.6 to 2.1.7

2009-10-23 Thread Craig Campbell
You still haven't mentioned (as far as I can see) what your system IS?

It could be you need to add some semi-optional package to it?

As far back as I can check, this file should be in /usr/include (Redhat AS3 
Update 4, Fedora 7) so it looks like your OS might have something missing.

The name of the call you want to remove is "wait_for_child_to_die" 

Can you imagine its removal resulting in a "happy ending" for your system?  
If the name is accurate, eventually you could fill up your process table.

Good luck,
-craig
  - Original Message - 
  From: kachin Agarwal 
  To: freeradius-users@lists.freeradius.org 
  Sent: Friday, October 23, 2009 1:19 AM
  Subject: cannot upgrade 2.1.6 to 2.1.7


Hi,


If I don't have pthread.h in my system, then how did the 2.1.6 build 
work? But if I remove the line 
callback=wait_for_child_to_die;
there is no error.
Can I remove this line and build, or is there any other solution to fix 
it?

Thanx & Regards,
kachin
   



Re: cannot upgrade 2.1.6 to 2.1.7

2009-10-22 Thread Craig Campbell
What type of system are you on?

Did you run ./configure first?  Make clean?

I built 2.1.7 and had no similar issues. (Redhat AS5 Update 3)
  - Original Message - 
  From: kachin Agarwal 
  To: freeradius-users@lists.freeradius.org 
  Sent: Thursday, October 22, 2009 7:30 AM
  Subject: cannot upgrade 2.1.6 to 2.1.7


Hi, 
I am trying to upgrade my radius server from 2.1.6 to 2.1.7,
but whenever I try to make the build I am getting the following error

xlat.c:548: warning: passing argument 3 of 'xlat_register' discards 
qualifiers from pointer target type
xlat.c:557: warning: passing argument 3 of 'xlat_register' discards 
qualifiers from pointer target type
xlat.c:569: warning: passing argument 3 of 'xlat_register' discards 
qualifiers from pointer target type
xlat.c:577: warning: passing argument 3 of 'xlat_register' discards 
qualifiers from pointer target type
xlat.c:582: warning: passing argument 3 of 'xlat_register' discards 
qualifiers from pointer target type
event.c: In function 'wait_a_bit':
event.c:1166: warning: implicit declaration of function 'pthread_equal'
event.c:1177: error: 'wait_for_child_to_die' undeclared (first use in 
this function)
event.c:1177: error: (Each undeclared identifier is reported only once
event.c:1177: error: for each function it appears in.)
event.c: In function 'radius_event_init':
event.c:3441: warning: unused variable 'attr'
make[5]: *** [event.lo] Error 1
make[4]: *** [common] Error 2
make[3]: *** [all] Error 2
make[2]: *** [common] Error 2
make[1]: *** [all] Error 2
make: *** [*/*/*/*/*/*/freeradius-server-2.1.7/src/main/radiusd] Error 2


Please help me. Where should I declare it?

Thanx & Regards,
Kachin
   



Re: over 30 radiusd processes - more information

2009-10-18 Thread Craig Campbell

I think you may be 'jumping the gun' a wee bit.

The system currently has over 13,000 active sessions.

There were some odd accounting packets, but the vast majority were valid. 
These could be configuration errors or hack attempts (investigating).


Questions:

1) Could bad accounting packets cause the radiusd process to EXIT?
2) Could bad accounting packets result in hung child processes (as seen in 
the gdb output after the radius log file)?


Thanks,
-craig

- Original Message - 
From: "Ivan Kalik" 

To: "FreeRadius users mailing list" 
Sent: Sunday, October 18, 2009 10:56 AM
Subject: Re: over 30 radiusd processes - more information



I've continued to try and investigate the root cause of this, and the last
run behaved slightly differently - the parent process seems to have
terminated, and there are more messages in the radius log.

There were four (4) hung processes left over.

I have attached the radius.log file below, as well as gdb sessions for the
hung processes showing the results of the gdb 'bt' and 'list' commands.

It looks like Alan's initial idea that the hung processes are a result of
running the acctstop.sh process is correct.  I've tried looking at the code
to see if anything 'leapt out' at me, but the logic is quite clever, and
dissecting it from the middle is quite a challenge.

I am hoping that the gdb output might prove helpful to someone already
familiar with the logic flow.

It seems I can reproduce this issue within 24 hours, so if there is any
other information I could gather, please let me know.

Thanks,
-craig

radiusd.log

Fri Oct 16 11:15:56 2009 : Info: Exiting normally.
Fri Oct 16 11:16:22 2009 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Fri Oct 16 11:16:22 2009 : Info: rlm_sql (sql): Attempting to connect to radi...@localhost:/radius
Fri Oct 16 11:16:22 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Fri Oct 16 11:16:22 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
Fri Oct 16 11:16:22 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
Fri Oct 16 11:16:22 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
Fri Oct 16 11:16:22 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Fri Oct 16 11:16:22 2009 : Info: Loaded virtual server inner-tunnel
Fri Oct 16 11:16:22 2009 : Info: Loaded virtual server copy-acct-to-home-server
Fri Oct 16 11:16:22 2009 : Info: Loaded virtual server copy-acct-to-radius-c
Fri Oct 16 11:16:22 2009 : Info: Loaded virtual server 
Fri Oct 16 11:16:22 2009 : Info: Ready to process requests.
Fri Oct 16 17:29:12 2009 : Error: [sql] stop packet with zero session length. [user 'use...@realm4tl', nas '192.168.1.101']
Sat Oct 17 02:00:18 2009 : Error: [sql] stop packet with zero session length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:18 2009 : Error: [sql] stop packet with zero session length. [user 'use...@realm1', nas '192.168.1.101']

etc.

/*
* If stop but zero session length AND no previous
* session found, drop it as in invalid packet
* This is to fix CISCO's aaa from filling our
* table with bogus crap
*/

Your NAS is broken. Fix it so it sends proper accounting packets.

Ivan Kalik
Kalik Informatika ISP



Re: over 30 radiusd processes - more information

2009-10-18 Thread Craig Campbell
I've continued to try an investigate the root cause of this, and the last 
run behaved slightly differently - the parent process seems to have 
terminated, and there are more messages in the radius log.


There were four (4) hung processes left over.

I have attached the radius.log file below, as well as gdb sessions for the 
hung processes showing the results of the gdb 'bt' and 'list' commands.


It looks like Alan's initial idea that the hung processes are a result of 
running the acctstop.sh process is correct.  I've tried looking at the code 
to see if anything 'leapt out' at me, but the logic is quite clever, and 
dissecting it from the middle is quite a challenge.


I am hoping that the gdb output might prove helpful to someone already 
familiar with the logic flow.


It seems I can reproduce this issue within 24 hours, so if there is any 
other information I could gather, please let me know.


Thanks,
-craig

radiusd.log

Fri Oct 16 11:15:56 2009 : Info: Exiting normally.
Fri Oct 16 11:16:22 2009 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module 
rlm_sql_mysql) loaded and linked
Fri Oct 16 11:16:22 2009 : Info: rlm_sql (sql): Attempting to connect to 
radi...@localhost:/radius
Fri Oct 16 11:16:22 2009 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #0
Fri Oct 16 11:16:22 2009 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #1
Fri Oct 16 11:16:22 2009 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #2
Fri Oct 16 11:16:22 2009 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #3
Fri Oct 16 11:16:22 2009 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #4

Fri Oct 16 11:16:22 2009 : Info: Loaded virtual server inner-tunnel
Fri Oct 16 11:16:22 2009 : Info: Loaded virtual server 
copy-acct-to-home-server

Fri Oct 16 11:16:22 2009 : Info: Loaded virtual server copy-acct-to-radius-c
Fri Oct 16 11:16:22 2009 : Info: Loaded virtual server 
Fri Oct 16 11:16:22 2009 : Info: Ready to process requests.
Fri Oct 16 17:29:12 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm4tl', nas '192.168.1.101']
Sat Oct 17 02:00:18 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:18 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:18 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm3', nas '192.168.1.101']
Sat Oct 17 02:00:20 2009 : Error: [sql] stop packet with zero session 
length. [user 'us...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:20 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:20 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:20 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:20 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:20 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:21 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:21 2009 : Error: [sql] stop packet with zero session 
length. [user 'us...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:21 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm3', nas '192.168.1.101']
Sat Oct 17 02:00:21 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:21 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm4', nas '192.168.1.101']
Sat Oct 17 02:00:21 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:21 2009 : Error: [sql] stop packet with zero session 
length. [user 'us...@realm3', nas '192.168.1.101']
Sat Oct 17 02:00:21 2009 : Error: [sql] stop packet with zero session 
length. [user 'username', nas '192.168.1.101']
Sat Oct 17 02:00:21 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm2', nas '192.168.1.101']
Sat Oct 17 02:00:22 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:22 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:22 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:22 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm3', nas '192.168.1.101']
Sat Oct 17 02:00:22 2009 : Error: [sql] stop packet with zero session 
length. [user 'use...@realm1', nas '192.168.1.101']
Sat Oct 17 02:00:22 2009 : Error: [sql] stop packet with 

Re: How to disable threads in 2.1.7

2009-10-16 Thread Craig Campbell

From the man page for radiusd, the -s option specifies,

"Some systems have issues with threading, however, so  running
 in  "single server" mode may help to address those issues."

I cannot help but wonder if in fact others have been seeing this, and just 
opted for -s and less efficiency.


At this point all the (troubled) server receives are accounting packets.  It 
then relays these packets to two (2) other radius servers, and processes 
them according to acct_users, which in turn runs a script for Stop packets.


Thus far, only running an external script has been identified (thanks Alan) 
as creating child processes of radiusd.


I really would LOVE for this to be a configuration error on my part, but so 
far I cannot locate one.


Thanks,
-craig
- Original Message - 
From: "Phil Mayers" 

To: "FreeRadius users mailing list" 
Sent: Friday, October 16, 2009 8:52 AM
Subject: Re: How to disable threads in 2.1.7



Craig Campbell wrote:
I was hoping to build a version that could fork children, but not spawn 
threads.


Not possible.

You could run lots of copies with a single thread bound to different UDP 
ports, and load-balance them somehow.


I cannot explain why apparently no one else is seeing the issue I am 
chasing.  As far as I can tell, my configuration is quite basic.


The fact that it's not happening for anyone else would tend to indicate 
it's specific to your system. We fork processes on accounting in some of 
our virtual servers, and this doesn't happen.



Re: How to disable threads in 2.1.7

2009-10-16 Thread Craig Campbell
I was hoping to build a version that could fork children, but not spawn 
threads.


There are known 'challenges' in using the fork command in multi threaded 
environments.  (As opposed to a process that forks children for different 
processing branches.)  A couple of years ago I had an extremely challenging 
time modifying an existing threaded application to additionally fork off 
children to perform certain other tasks.


The issue I am seeing of stranded/hung children looks similar (that is not 
to say I have caught the culprit...  just suspicion at this point).
The issue seems to happen only sometimes during bursts of increased load. 
(Same as my previous experience.)


If I were to GUESS, at this point I'd look for interrupts that result in 
children when mutex locks are in place and unintentionally inherited by the 
child process.  (My solution was to acquire ALL locks before a fork, then 
have the child and parent clear them all after - see man pthread_atfork 
section: RATIONALE if you have access to a Linux system.)


I cannot explain why apparently no one else is seeing the issue I am 
chasing.  As far as I can tell, my configuration is quite basic.


I am now trying a run with the -s option but, if successful, it won't tell 
us much about why.


Thanks for all the assistance,
-craig


- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Friday, October 16, 2009 8:15 AM
Subject: Re: How to disable threads in 2.1.7



Craig Campbell wrote:

So I cannot have multi processes without having threads as well?


 What does that mean?

 Alan DeKok.
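
The inherited-lock problem and the pthread_atfork approach described in the message above, as an added example (not part of the original thread and not FreeRADIUS code). The names log_lock, worker and fork_while_worker_holds_lock are hypothetical; the child uses trylock rather than lock so the demonstration ends instead of hanging in a futex wait.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <pthread.h>
#include <semaphore.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical lock standing in for any mutex shared by a server's threads. */
static pthread_mutex_t log_lock = PTHREAD_MUTEX_INITIALIZER;
static sem_t lock_held;          /* posted once the worker owns log_lock */

/* Worker thread: takes the lock, announces it, holds it for 100 ms. */
static void *worker(void *unused)
{
    struct timespec hold = { 0, 100 * 1000 * 1000 };
    (void)unused;
    pthread_mutex_lock(&log_lock);
    sem_post(&lock_held);
    nanosleep(&hold, NULL);
    pthread_mutex_unlock(&log_lock);
    return NULL;
}

/* prepare handler: runs in the forking thread before fork(), so no other
 * thread can own log_lock at the instant the address space is copied. */
static void before_fork(void) { pthread_mutex_lock(&log_lock); }

/* parent and child handlers: both sides release the lock after fork(). */
static void after_fork(void) { pthread_mutex_unlock(&log_lock); }

/* Register the handlers; they stay registered for the process lifetime. */
int install_atfork_handlers(void)
{
    return pthread_atfork(before_fork, after_fork, after_fork);
}

/*
 * Fork while another thread holds log_lock, then have the child try to
 * take the lock. Returns the child's exit status:
 *   0 = child got the lock, 1 = child inherited a locked mutex with no
 *   owner thread left to release it (a real lock() would block forever),
 *   -1 = setup failure.
 */
int fork_while_worker_holds_lock(void)
{
    pthread_t tid;
    pid_t pid;
    int status = 0;

    if (sem_init(&lock_held, 0, 0) != 0)
        return -1;
    if (pthread_create(&tid, NULL, worker, NULL) != 0) {
        sem_destroy(&lock_held);
        return -1;
    }
    while (sem_wait(&lock_held) == -1 && errno == EINTR)
        ;                        /* wait until the worker owns the lock */

    pid = fork();                /* atfork handlers, if installed, run here */
    if (pid == 0) {
        /* Only the forking thread exists in the child. */
        int rc = pthread_mutex_trylock(&log_lock);
        if (rc == 0)
            pthread_mutex_unlock(&log_lock);
        _exit(rc == 0 ? 0 : (rc == EBUSY ? 1 : 2));
    }

    pthread_join(tid, NULL);
    sem_destroy(&lock_held);
    if (pid < 0)
        return -1;
    /* Reap the child so it does not linger as a zombie. */
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("without handlers: child status %d\n",
           fork_while_worker_holds_lock());
    if (install_atfork_handlers() != 0)
        return 1;
    printf("with handlers:    child status %d\n",
           fork_while_worker_holds_lock());
    return 0;
}
```

Build with `cc -pthread`. The first call reports status 1 because the child's copy of the mutex is locked by a thread that does not exist in the child; the second reports 0.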


Re: How to disable threads in 2.1.7

2009-10-16 Thread Craig Campbell

So I cannot have multi processes without having threads as well?


- Original Message - 
From: "Ivan Kalik" 

To: "FreeRadius users mailing list" 
Sent: Friday, October 16, 2009 7:57 AM
Subject: Re: How to disable threads in 2.1.7



I am trying to build a version of 2.1.7 without threads (trying to debug
an abandoned child process issue) on a redhat AS5 Linux system.


You don't build it without threads, you start it without threads. See man
radiusd.

Ivan Kalik
Kalik Informatika ISP



How to disable threads in 2.1.7

2009-10-16 Thread Craig Campbell
I am trying to build a version of 2.1.7 without threads (trying to debug an 
abandoned child process issue) on a redhat AS5 Linux system.

Every configure option I try seems to be ignored.

In config.log I find entries like,

Using built-in specs.
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man 
--infodir=/usr/share/info --enable-shared --enable-threads=posix 
--enable-checking=release --with-system-zlib --enable-__cxa_atexit 
--disable-libunwind-exceptions --enable-libgcj-multifile 
--enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk 
--disable-dssi --enable-plugin 
--with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre --with-cpu=generic 
--host=x86_64-redhat-linux
Thread model: posix

I have tried the following options for configure, all with no apparent luck,

./configure --with-threads=no
 ./configure --disable-threads
 ./configure --enable-threads=NO
 ./configure --enable-threads=no --with-threads=no --disable-threads 
--disable-thread --with-thread=no
 ./configure --disable-threads --disable-thread
 ./configure --disable-pthreads --disable-thread
 ./configure --disable-pthreads --disable-thread

Has anyone determined how to disable threads?

Thanks,
-craig



Craig Campbell 
craig.campb...@ccraft.ca 
CampbellCraft Consulting Inc
2 Kenny Court 
Whitby, Ontario 
Canada 
L1R 2L8 
905 922-2789 

 




acct_users WARNING in 2.1.7

2009-10-15 Thread Craig Campbell
I've upgraded from 2.1.6 to 2.1.7 and the following error is now appearing in 
my debug output.

[/usr/local/etc/raddb/acct_users]:36 WARNING! Check item "Tmp-String-0" 
found in reply item list for user "DEFAULT".This attribute MUST go on the 
first line with the other check items

acct_users contains the following, (Line 36 is the line beginning with DEFAULT)

#CECExec-Program = "%{exec:/usr/local/sbin/acctstop.sh}",
DEFAULT Acct-Status-Type == Stop
Tmp-String-0 = "%{exec:/usr/local/sbin/acctstop.sh}",
Fall-Through = no


What have I done wrong?  It seems to be ok, and be doing what I desire.  
but I want the config to be CLEAN.
All I really want is to run a script when an accounting STOP record is 
received.  Am I doing it wrong?

Thanks,
-craig


----
Craig Campbell 
craig.campb...@ccraft.ca 
CampbellCraft Consulting Inc
2 Kenny Court 
Whitby, Ontario 
Canada 
L1R 2L8 
905 922-2789 

 




Re: over 30 radiusd processes

2009-10-14 Thread Craig Campbell

Nothing in the log except the normal startup.

This server is only receiving accounting records currently.

While the ps command doesn't show the time of these extra processes (over 24 
hours old), in a previous event, I determined they seemed to coincide with a 
significant increase in radius traffic (from ~100/min to over 1000/min)  I 
believe the NAS forces all users to log off (and they automatically log back 
in) in the middle of the night, and I suspect this is related.


Also, the system provided is a Virtual Machine, which normally seems to have 
plenty of resources available.  The mysql database is local to the same 
system, and is only used to keep accounting records of currently logged in 
users (radutmp replacement - a cron job flushed out completed records to 
prevent database growth).


Alan suggested this might be related to shell scripts being run - as happens 
when acct STOP records are received.


I'm trying to come up with a strategy to narrow down what might be 
happening.


Under what circumstances does radiusd fork?  Also, I THOUGHT I'd heard 
somewhere that threads and fork did NOT interact well.


I am also considering upgrading to 2.1.7 (but I just finished configuring 
2.1.6 :(  2.1.7 wasn't released when I started this..)


Thoughts?

Thanks (everyone),
-craig


- Original Message - 
From: "Marinko Tarlac" 

To: "FreeRadius users mailing list" 
Sent: Wednesday, October 14, 2009 7:12 AM
Subject: Re: over 30 radiusd processes



I had the same problem when one of our databases was terribly slow...

Is there anything in radius.log ?

Alan DeKok wrote:

Craig Campbell wrote:


Freeradius 2.1.6

Running on Redhat AS5 Update 3
with mysql-devel rpms added to enable mysql support.

Compiled with no options specified. (./configure ; make clean ; make ;
make install)



  I don't know.. all I know is it cleans up processes when I run them,
and no one else seems to be running into this.

  Alan DeKok.


Re: over 30 radiusd processes

2009-10-13 Thread Craig Campbell

Freeradius 2.1.6

Running on Redhat AS5 Update 3
with mysql-devel rpms added to enable mysql support.

Compiled with no options specified. (./configure ; make clean ; make ; make 
install)


Thanks,
-craig
- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Tuesday, October 13, 2009 1:55 AM
Subject: Re: over 30 radiusd processes



Craig Campbell wrote:

Up to 65 processes now

Any ideas how to stop this from happening?


 Which version are you running?

 Alan DeKok.


Re: over 30 radiusd processes

2009-10-12 Thread Craig Campbell

Up to 65 processes now

Any ideas how to stop this from happening?

Anyone?

Thanks,
-craig
- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Saturday, October 10, 2009 1:21 AM
Subject: Re: over 30 radiusd processes



Craig Campbell wrote:

Yes, two(2) binaries and one (1) shell script are called via exec as
follows from the file,


Could you NOT CC me on messages to the list?  I subscribe, and I read
the messages.

 And fix your mailer.  I saw a *large* number of duplicates.


   - user (an authentication binary program - Exec-Program-Wait
= "/usr/local/sbin/auth -- %{User-Name} %{User-Password}
%{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing}
%{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing}
%{Vendor-Specific}" ,)

   -acct_user (shell script - Exec-Program =
"%{exec:/usr/local/sbin/acctstop.sh}", )
and
   -attr_rewrite module (a hex translation binary -  replacewith =
"%{exec:/usr/local/sbin/hexconvert -lX %{User-Name} }")

Is this bad?
Is there a better alternative?


Thanks so much!
-craig



- Original Message - From: "Alan DeKok" 

To: "FreeRadius users mailing list" 


Sent: Friday, October 09, 2009 4:17 PM
Subject: Re: over 30 radiusd processes



Craig Campbell wrote:

radius-a seems to be getting the bulk of the radius records.  Normally,
it has a single process.
Last night it spawned a bunch of children that seem to be loitering...


 Are you forking shell scripts via "exec"?


radius-b and radius-c don't have more than a single radiusd process.

Any idea what is going on?  Why all the children?  Do I need to be
concerned?  Is this normal?


 It's not normal.  They're likely zombies that need to go away.  The
server normally cleans up any zombie children, but...

 Alan DeKok.


Using SQL instead of radutmp - WAS Re: Problems with radutmp

2009-10-12 Thread Craig Campbell
Ok,
here is what I did (more or less) to use the sql option of freeradius 2.1.6 
instead of the radutmp functionality.
This is a 'work in progress', so it is possible I have errors not yet 
discovered...

I used mysql, since it was already available on my Redhat Linux platform.

If you compiled freeradius, then make certain you had the mysql-devel rpms 
installed.  If they were not, you will need to install them, then rebuild 
freeradius from scratch (save your config files).  The 'configure' script looks 
for these, and if they are missing, critical modules will not be available for 
sql access. (configure ; make clean ; make ; make install)

1) You need to create the initial radius database as per instructions found 
here http://wiki.freeradius.org/SQL_HOWTO

2) Files to modify...
  a.. -/usr/local/etc/raddb/radius.config
  Uncomment the line,

   $INCLUDE sql.conf

  b.. -/usr/local/etc/raddb/sql.conf
  Modify the login and password lines to match your database's values (from SQL 
setup)
   

  c.. - /usr/local/etc/raddb/sites-available/default
  Uncomment sql in the accounting section to store accounting records in the 
database
  Uncomment sql in the session section to have sql check for Simultaneous-Use


  d.. - /usr/local/etc/raddb/sites-available/inner-tunnel
  Comment out radutmp in session section
  Uncomment sql in session section


  e.. /usr/local/etc/raddb/sql/mysql/admin.sql
  Modify userid and password for radius database to match local parameters.

  f.. /usr/local/etc/raddb/sql/mysql/dialup.conf
  Uncomment the line beginning with "simul_count_query ="


3)  Since I was ONLY interested in current logins, and NOT the accounting 
records, I added a cron job to DELETE completed sessions from the database.  
This should prevent (I hope) database growth.

From root's crontab,


  */5 * * * *  /usr/bin/mysql -u radius -pSecretPassword  radius -e "delete 
from radacct where acctstoptime is not NULL ;"



4) A simple command to 'mimic' the radwho functionality ( I used an alias)
  alias radwho='/usr/bin/mysql -u radius -pSecretPassword  radius -e "select 
username, acctsessionid, nasportid, nasporttype, acctstarttime from radacct 
where acctstoptime is NULL ;"'

I hope I haven't overlooked anything.

Good Luck! 
-craig

- Original Message - 
From: "Gerardo Contreras" 
To: "Craig Campbell" 
Sent: Friday, October 09, 2009 6:21 PM
Subject: Re: Problems with radutmp


> 
> Hi.
> 
> I think I have a very similar scenario to yours.
> 
> I have this NAS server which sends the same NAS port to the radius 
> server every time, so the radutmp always have the last connected user 
> only. I've tried to hack the radutmp module without any success. Main 
> thing I want to do is to use the simultaneous-use feature.
> 
> It'll be great if you can share that hacks with me.
> 
> Cheers
> 
> Craig Campbell wrote:
>> Hi, I actually needed to REMOVE most of the hacks.  It works fairly 
>> well (so far - still testing).
>>
>> Did you just want the radutmp functionality?  If so, I can try to send 
>> you what I did to make it work.. I'm in the Eastern time zone (Toronto 
>> Canada) and just got home.
>>
>> How urgent is your need?
>>
>> Cheers,
>> -craig
>>
>> - Original Message - From: "Gerardo Contreras" 
>> 
>> To: 
>> Sent: Friday, October 09, 2009 4:28 PM
>> Subject: Re: Problems with radutmp
>>
>>
>>>
>>> Hi, Craig.
>>>
>>> Found your post where you were asking about this same thing.
>>>
>>> Do you solve it using SQL? If so, did you have to hack still the 
>>> freeradius code, or was more on the SQL side?
>>>
>>> Do you have available the hacks you did to make radutmp working with 
>>> this setup?
>>>
>>> Greetings,
>>>
>>>
>>> Craig Campbell wrote:
>>>> What is the NAS-Port value?  I don't THINK radutmp can handle 
>>>> multiple sessions sharing a port.
>>>>
>>>> -craig
>>>> - Original Message - From: "Gerardo Contreras" 
>>>> 
>>>> To: 
>>>> Sent: Friday, October 09, 2009 1:00 PM
>>>> Subject: Problems with radutmp
>>>>
>>>>
>>>>> Hi.
>>>>>
>>>>> I'm having some problems with radutmp.
>>>>>
>>>>> I'm using an Aruba Mobility Controller which has radauth and 
>>>>> radacct configured to this freeradius server. In fact, I've tried 
>>>>> with freeradius both on centOS and ubuntu with same results.

Re: over 30 radiusd processes

2009-10-09 Thread Craig Campbell
Yes, two(2) binaries and one (1) shell script are called via exec as follows 
from the file,


   - user (an authentication binary program - Exec-Program-Wait = 
"/usr/local/sbin/auth -- %{User-Name} %{User-Password} 
%{%{Called-Station-Id}:-Missing} %{%{NAS-IP-Address}:-Missing} 
%{%{Calling-Station-Id}:-Missing} %{%{NAS-Port-Type}:-Missing} 
%{Vendor-Specific}" ,)


   -acct_user (shell script - Exec-Program = 
"%{exec:/usr/local/sbin/acctstop.sh}", )

and
   -attr_rewrite module (a hex translation binary -  replacewith = 
"%{exec:/usr/local/sbin/hexconvert -lX %{User-Name} }")


Is this bad?
Is there a better alternative?


Thanks so much!
-craig



- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Friday, October 09, 2009 4:17 PM
Subject: Re: over 30 radiusd processes



Craig Campbell wrote:

radius-a seems to be getting the bulk of the radius records.  Normally,
it has a single process.
Last night it spawned a bunch of children that seem to be loitering...


 Are you forking shell scripts via "exec"?


radius-b and radius-c don't have more than a single radiusd process.

Any idea what is going on?  Why all the children?  Do I need to be
concerned?  Is this normal?


 It's not normal.  They're likely zombies that need to go away.  The
server normally cleans up any zombie children, but...

 Alan DeKok.


Re: errors There are no DB handles to use and Discarding conflicting packet from client

2009-10-09 Thread Craig Campbell
Also check out http://wiki.freeradius.org/SQL_HOWTO
  - Original Message - 
  From: Alisson 
  To: FreeRadius users mailing list 
  Sent: Friday, October 09, 2009 2:53 PM
  Subject: Re: errors There are no DB handles to use and Discarding conflicting 
packet from client


  somebody have this same problem?


  2009/10/9 Roberto Greiner 

http://forums.mysql.com/

Alisson wrote:

  ok.. but what I need to do on my DB?

  Repair? Create another DB? alter some variable?


  2009/10/9 Alan DeKok <al...@deployingradius.com>


 Alisson wrote:
 > Hi, I have a dedicated server with freeradius 2.05
 >
 > i'm getting 2 errors
 >
 > Error: Discarding conflicting packet from client net port 25000
 - ID: 100
 > due to recent request 7343.
 >
 > There are no DB handles to use! skipped 0, tried to connect 0

  Your database is broken.  Fix it.

 > I'm searching on the forums and a lot of people has this problem..

  They all have broken databases.

 > I change sql_num_socks = 30
 > I increase the max_connections=500
 > I increase everything that what was possible
 >
 > but the problem still happens
 >
 > I see on the forums in a lot of web sites and nobody has the solution

  Really?  This question has been asked and answered probably hundreds
 of times on this list.  The answer is always the same:

  Fix the database.

  The database is either down, or it is not responding to queries.  No
 amount of forum-shopping or poking at FreeRADIUS will fix the DB.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




  -- 
  Att.
  Alisson F. Gonçalves
  Sistemas de Informação - UFGD

  


  -
  List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



-- 
 -
  Marcos Roberto Greiner

 Os otimistas acham que estamos no melhor dos mundos
  Os pessimistas tem medo de que isto seja verdade
James Branch Cabell
 -


-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




  -- 
  Att.
  Alisson F. Gonçalves
  Sistemas de Informação - UFGD



--



Re: errors There are no DB handles to use and Discarding conflicting packet from client

2009-10-09 Thread Craig Campbell
Did you set up the database?

If not, check out /usr/local/etc/raddb/sql/mysql/admin.sql  (assuming you are 
intending to use mysql.)

Good luck,
-craig
  - Original Message - 
  From: Alisson 
  To: FreeRadius users mailing list 
  Sent: Friday, October 09, 2009 2:53 PM
  Subject: Re: errors There are no DB handles to use and Discarding conflicting 
packet from client


  somebody have this same problem?


  2009/10/9 Roberto Greiner 

http://forums.mysql.com/

Alisson wrote:

  ok.. but what I need to do on my DB?

  Repair? Create another DB? alter some variable?


  2009/10/9 Alan DeKok <al...@deployingradius.com>


 Alisson wrote:
 > Hi, I have a dedicated server with freeradius 2.05
 >
 > i'm getting 2 errors
 >
 > Error: Discarding conflicting packet from client net port 25000
 - ID: 100
 > due to recent request 7343.
 >
 > There are no DB handles to use! skipped 0, tried to connect 0

  Your database is broken.  Fix it.

 > I'm searching on the forums and a lot of people has this problem..

  They all have broken databases.

 > I change sql_num_socks = 30
 > I increase the max_connections=500
 > I increase everything that what was possible
 >
 > but the problem still happens
 >
 > I see on the forums in a lot of web sites and nobody has the solution

  Really?  This question has been asked and answered probably hundreds
 of times on this list.  The answer is always the same:

  Fix the database.

  The database is either down, or it is not responding to queries.  No
 amount of forum-shopping or poking at FreeRADIUS will fix the DB.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




  -- 
  Att.
  Alisson F. Gonçalves
  Sistemas de Informação - UFGD

  


  -
  List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



-- 
 -
  Marcos Roberto Greiner

 Os otimistas acham que estamos no melhor dos mundos
  Os pessimistas tem medo de que isto seja verdade
James Branch Cabell
 -


-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




  -- 
  Att.
  Alisson F. Gonçalves
  Sistemas de Informação - UFGD



--



Re: Problems with radutmp

2009-10-09 Thread Craig Campbell
What is the NAS-Port value?  I don't THINK radutmp can handle multiple 
sessions sharing a port.


-craig
- Original Message - 
From: "Gerardo Contreras" 

To: 
Sent: Friday, October 09, 2009 1:00 PM
Subject: Problems with radutmp



Hi.

I'm having some problems with radutmp.

I'm using an Aruba Mobility Controller which has radauth and radacct 
configured to this freeradius server. In fact, I've tried with freeradius 
both on centOS and ubuntu with same results.


When a user logs in, a corresponding entry is added to radutmp, and 
indeed, nobody can log in with this user account (if I activate 
Simultaneous-use). But if another user logs in, the entry for the 
previous user gets deleted from radutmp, and a new one is added for this 
new user. Then, a user with the account from the first user can log in 
indeed. In other words, only the last logged in user gets to the radutmp 
file.


On both boxes, using freeradius 2.1.0.

Any idea?

--
Gerardo Contreras
NetX
http://netx.com.mx/
T: +52 (614) 2010101 x 121
M: +52 (614) 2479727
Toll-free: 01800 GO2NETX



Re: over 30 radiusd processes

2009-10-08 Thread Craig Campbell
Update:

strace  suggests all the child processes are doing the same thing,

[r...@radius-a raddb]# strace -p 30893
Process 30893 attached - interrupt to quit
futex(0x3acf752554, FUTEX_WAIT_PRIVATE, 2, NULL 

Hope this helps,
-craig
  - Original Message - 
  From: Craig Campbell 
  To: FreeRadius users mailing list 
  Sent: Thursday, October 08, 2009 12:07 PM
  Subject: over 30 radiusd processes


  I am running 2.1.6 on Redhat Linux (Red Hat Enterprise Linux Server release 
5.3 (Tikanga)).

  This server relays all records to an identical server radius-b and radius-c
  Similarly radius-b relays its records back to radius-a (except those from 
radius-a)
  radius-c is just for testing.

  All relaying appears to be working correctly.

  These servers are currently receiving accounting records only.

  radius-a seems to be getting the bulk of the radius records.  Normally, it 
has a single process.
  Last night it spawned a bunch of children that seem to be loitering...  

  radius-b and radius-c don't have more than a single radiusd process.

  Any idea what is going on?  Why all the children?  Do I need to be concerned? 
 Is this normal?

  From the detail log, it seems that the message rate increased to about 
2000-2400/minute at that time for about 3 minutes, then dropped to <1000/min.
[r...@radius-a radius]# ps -aef | grep radiusd
radiusd   5426 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
radiusd   5738 21400  0 03:29 ?        00:00:00 /usr/local/sbin/radiusd
radiusd   8239 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
radiusd   8240 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
radiusd   8241 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
radiusd   8242 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
radiusd   8243 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
radiusd   8244 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
radiusd   9029 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
radiusd   9104 21400  0 03:29 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  14154 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  14426 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  15039 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  15040 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  16082 21400  0 03:36 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  17295 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
root     19242 20229  0 11:42 pts/0    00:00:00 grep radiusd
radiusd  19974 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  20670 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  20673 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  20674 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  20675 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  20679 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  20680 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  21207 21400  0 03:31 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  21208 21400  0 03:31 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  21209 21400  0 03:31 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  21300 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  21301 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  21400     1  0 Oct07 ?        00:02:40 /usr/local/sbin/radiusd
radiusd  26543 21400  0 03:34 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  26683 21400  0 03:31 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  28411 21400  0 03:34 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  29065 21400  0 03:31 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  30648 21400  0 03:34 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  30649 21400  0 03:34 ?        00:00:00 /usr/local/sbin/radiusd
radiusd  30893 21400  0 03:31 ?        00:00:00 /usr/local/sbin/radiusd

  Thanks,
  -craig






over 30 radiusd processes

2009-10-08 Thread Craig Campbell
I am running 2.1.6 on Redhat Linux (Red Hat Enterprise Linux Server release 
5.3 (Tikanga)).

This server relays all records to an identical server radius-b and radius-c
Similarly radius-b relays its records back to radius-a (except those from 
radius-a)
radius-c is just for testing.

All relaying appears to be working correctly.

These servers are currently receiving accounting records only.

radius-a seems to be getting the bulk of the radius records.  Normally, it has 
a single process.
Last night it spawned a bunch of children that seem to be loitering...  

radius-b and radius-c don't have more than a single radiusd process.

Any idea what is going on?  Why all the children?  Do I need to be concerned?  
Is this normal?

From the detail log, it seems that the message rate increased to about 
2000-2400/minute at that time for about 3 minutes, then dropped to <1000/min.
  [r...@radius-a radius]# ps -aef | grep radiusd
  radiusd   5426 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd   5738 21400  0 03:29 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd   8239 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd   8240 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd   8241 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd   8242 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd   8243 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd   8244 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd   9029 21400  0 03:32 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd   9104 21400  0 03:29 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  14154 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  14426 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  15039 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  15040 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  16082 21400  0 03:36 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  17295 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  root     19242 20229  0 11:42 pts/0    00:00:00 grep radiusd
  radiusd  19974 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  20670 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  20673 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  20674 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  20675 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  20679 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  20680 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  21207 21400  0 03:31 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  21208 21400  0 03:31 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  21209 21400  0 03:31 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  21300 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  21301 21400  0 03:33 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  21400     1  0 Oct07 ?        00:02:40 /usr/local/sbin/radiusd
  radiusd  26543 21400  0 03:34 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  26683 21400  0 03:31 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  28411 21400  0 03:34 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  29065 21400  0 03:31 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  30648 21400  0 03:34 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  30649 21400  0 03:34 ?        00:00:00 /usr/local/sbin/radiusd
  radiusd  30893 21400  0 03:31 ?        00:00:00 /usr/local/sbin/radiusd

Thanks,
-craig






Switching from radutmp to sql

2009-09-30 Thread Craig Campbell
Due to multiple issues using radutmp, on the advice of this list, I am 
converting to mysql to track users and enable Simultaneous-Use controls.


1) radutmp (code) assumed only 1 user per port (our device allows several 
users per NAS port).  So, (by default) radutmp only showed the LAST user 
assigned to a specific NAS port, which required a bit of a workaround/hack. 
I would like to 'lose the hack' if possible.  Does the sql module also 
assume only 1 user per NAS port?


2) Is there a command similar to radwho that acts upon the sql database?

Thanks,
-craig 





Juniper Acct-Session-Id is too large

2009-09-11 Thread Craig Campbell
I am hoping someone has encountered this before and might have suggestions 
how to work around.


The access device in use is from a company called Juniper.
I am using freeradius 2.1.6 (can upgrade to 2.1.7 if there is any 
advantage).


Their Acct-Session-Id numbers are too large for the radutmp field. 
Acct-Session-Id=315138101 becomes Acct-Session-Id = "15138101" (the code 
automatically chops off the excess on the right apparently)


This becomes a problem when trying to use the Simultaneous-Use 
functionality.  Once a duplicate is suspected, and radcheck determines it is 
no longer active, it appears an accounting Stop is generated internally, with the 
(truncated) session id extracted from radutmp.  ([sanenasport]   expand: 
%{Acct-Session-Id} -> 15138101).  I assume this stop is intended to 
eventually remove the 'stale' entry from radutmp?  (There is a custom 
acctstop script that appears to hang - so I am not certain.)


Has anyone come up with an eloquent solution for Acct-Session-Ids that are 
too large for radutmp?


Has anyone come up with an alternate way of achieving the same result?

Thanks,
-craig 
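
Added example (not FreeRADIUS code and not from the posts): a small model of a live-session table showing why the two radutmp symptoms reported in these threads, one record per NAS port and Acct-Session-Id 315138101 stored as "15138101", both make a Simultaneous-Use count come out too low. The 8-character field width is inferred from that one truncation; the second session id, the user names and the port number are constructed.

```python
"""Added illustration, not FreeRADIUS code: the key used for a live-session
table decides whether Simultaneous-Use can count sessions correctly."""

SID_FIELD_WIDTH = 8  # assumption: inferred from 315138101 stored as "15138101"


def truncated_sid(session_id, width=SID_FIELD_WIDTH):
    """Fixed-width storage that keeps the rightmost `width` characters."""
    return session_id[-width:]


# Three candidate keys for one accounting record (a dict).
def key_by_port(rec):
    return (rec["nas"], rec["port"])


def key_by_truncated_sid(rec):
    return (rec["nas"], truncated_sid(rec["sid"]))


def key_by_full_sid(rec):
    return (rec["nas"], rec["sid"])


class SessionTable:
    """Live sessions indexed by key(record); a key collision overwrites."""

    def __init__(self, key):
        self.key = key
        self.live = {}

    def start(self, rec):
        k = self.key(rec)
        evicted = self.live.get(k)
        self.live[k] = rec
        return evicted  # the record that was silently replaced, or None

    def stop(self, rec):
        return self.live.pop(self.key(rec), None)

    def count(self, user):
        return sum(1 for r in self.live.values() if r["user"] == user)


# Constructed Start records. 315138101 is the Acct-Session-Id quoted in the
# post; 415138101, the user names and the port number are made up.
NAS = "192.168.1.101"
STARTS = [
    {"user": "fred", "nas": NAS, "port": 7, "sid": "315138101"},
    {"user": "wilma", "nas": NAS, "port": 7, "sid": "415138101"},
]


def replay(key):
    """Feed both Starts into a table; return (evicted users, fred's count)."""
    table = SessionTable(key)
    evicted = [old["user"] for old in map(table.start, STARTS) if old]
    return evicted, table.count("fred")


def stop_matches_original(session_id):
    """Would a Stop rebuilt from the stored field carry the NAS's own id?"""
    return truncated_sid(session_id) == session_id


if __name__ == "__main__":
    for key in (key_by_port, key_by_truncated_sid, key_by_full_sid):
        evicted, fred_sessions = replay(key)
        print(f"{key.__name__:22} evicted={evicted} fred_sessions={fred_sessions}")
    print("Stop for 315138101 matches:", stop_matches_original("315138101"))
```

With either colliding key, fred is still online but his count is 0, so a limit of 1 would admit a second login; only the full-width session id keeps both records.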





Re: Checkrad / Simultaneous-Use clarification please

2009-09-10 Thread Craig Campbell

From: "Alan DeKok" 

"If you want to check the stripped user name... then use it."


How can I control this?  I am assuming you are referring to proxy.conf realm 
configuration?


"Why you ask?"

The 'powers that be' have declared that the same userid may log in via 
multiple realms (access technologies) up to a certain connection limit.
So u...@realm1 and u...@realm2 count as 2 connections for user.  In their 
original form, radius would view them as two distinct userids.


I need the form 'u...@realm' for authentication right after the 
simultaneous-use check.


How, specifically, can I get the Simultaneous-Use function to use the 
Stripped-User-Name (proxy.conf)? and yet use the original User-Name for the 
remainder of the processing?  (I have seen references to variables in some 
cases having a form of %{prefix:User-Name} but am unclear of how/where that 
can/should be used.)


I have searched the internet, the docs available, and some of the source 
code in attempting to understand freeradius, only posting questions when I 
am truly puzzled.  Indications of "how" to do (or NOT do) something are most 
appreciated.  This is a significant upgrade effort, and I'm ok with 
re-designing how things are achieved, if I can determine WHAT the 'best way' 
should be.  I have NO control over the rules that apply to users and 
accounts in the real world.  (I especially love when they CONTRADICT! - 
Marketing...)


Thanks,
-craig

- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Thursday, September 10, 2009 4:16 AM
Subject: Re: Checkrad / Simultaneous-Use clarification please



Craig Campbell wrote:

We currently have users that log in both with and without realms.


 Well... then you have to manage that.


In radutmp we log the stripped username (i.e. no realm component).


 Why?


Since the radutmp data has no realm  part for the username, how do I get
the Simultaneous-Use code to check the username without the realm
component? Currently the realm portion is carried through until the
accounting processing (for radutmp).


 I don't understand.  You give radutmp a stripped user name, but you
don't give the session checking a stripped user name?

 If you want to check the stripped user name... then use it.


If I understand correctly, f...@comfort will pass Simultaneous-Use
because radutmp is logging these as just "fred".


 Yes.  Because you told it to treat them as different users.

 If you want the simultaneous checking to check the stripped user name,
then strip the user name...

 Alan DeKok.



Checkrad / Simultaneous-Use clarification please

2009-09-09 Thread Craig Campbell

I am investigating using the Simultaneous-Use feature with freeradius 2.1.6.

We currently have users that log in both with and without realms.

In radutmp we log the stripped username (i.e. no realm component).

Since the radutmp data has no realm  part for the username, how do I get the 
Simultaneous-Use code to check the username without the realm component? 
Currently the realm portion is carried through until the accounting 
processing (for radutmp).


For example,

# radwho -r | grep pebenopi
fred,fred,PPP,S315138101,Wed 11:28,192.168.1.101,201.229.41.119
fred,fred,PPP,S315305457,Wed 20:53,192.168.1.101,66.247.201.44
fred,fred,PPP,S317335857,Wed 10:40,192.168.1.101,201.229.26.67


From users


f...@comfort Auth-Type := Accept, Simultaneous-Use := 1
   Exec-Program-Wait = "/custome_auth_binary" ,
   Fall-Through = no

If I understand correctly, f...@comfort will pass Simultaneous-Use because 
radutmp is logging these as just "fred".


Thanks,
-craig 
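
Added example (not FreeRADIUS code): the mismatch discussed in this thread, replayed against the `radwho -r` rows from the post. Accounting stores the stripped name while the session check looks up the name with its realm, so the check sees zero sessions; checking a separate stripped attribute fixes the count and leaves User-Name intact for authentication. The realm names and function names are constructed.

```python
"""Added illustration, not FreeRADIUS code: a session-limit check only works
when it looks up the same form of the user name that accounting stored."""
from collections import Counter

# Rows as printed by `radwho -r` in the post; only the first field is used.
RADWHO_ROWS = """\
fred,fred,PPP,S315138101,Wed 11:28,192.168.1.101,201.229.41.119
fred,fred,PPP,S315305457,Wed 20:53,192.168.1.101,66.247.201.44
fred,fred,PPP,S317335857,Wed 10:40,192.168.1.101,201.229.26.67
"""


def live_sessions(rows):
    """Count live sessions per stored login name."""
    return Counter(line.split(",", 1)[0] for line in rows.splitlines() if line)


def with_stripped_name(request):
    """Copy the request and add Stripped-User-Name; User-Name is not modified."""
    out = dict(request)
    out["Stripped-User-Name"] = request["User-Name"].split("@", 1)[0]
    return out


def authorize(request, limit, sessions, check_attr):
    """Return (allowed, sessions_seen, name_passed_on_to_authentication)."""
    seen = sessions[request[check_attr]]  # Counter yields 0 for unknown names
    return seen < limit, seen, request["User-Name"]


# Constructed logins for the same person arriving through two realms.
LOGINS = [{"User-Name": "fred@dsl.example"}, {"User-Name": "fred@wifi.example"}]


def run(limit, strip):
    """Check every constructed login against the rows above."""
    sessions = live_sessions(RADWHO_ROWS)
    results = []
    for req in LOGINS:
        if strip:
            results.append(authorize(with_stripped_name(req), limit, sessions,
                                     "Stripped-User-Name"))
        else:
            results.append(authorize(req, limit, sessions, "User-Name"))
    return results


if __name__ == "__main__":
    print("check on User-Name:         ", run(limit=1, strip=False))
    print("check on Stripped-User-Name:", run(limit=1, strip=True))
```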





Re: How to proxy accounting requests to multiple destinations

2009-09-03 Thread Craig Campbell
I suspect you'll need to treat it like two unique servers, and create two 
(2) copy-acct-to-home-server instances (or double up the entries in the 
one).
Unless I'm mistaken, you'll also need two detail files for the relaying of 
the information.



- Original Message - 
From: "Dánial Olsen" 

To: "FreeRadius users mailing list" 
Sent: Thursday, September 03, 2009 6:12 PM
Subject: RE: How to proxy accounting requests to multiple destinations


Hi again,

This subject is misleading and should rather read: How to proxy an 
accounting request to the same destination twice


I've now also tried with robust-proxy-accounting but it only sends to one of 
the home_servers.


Any advice or pointers in the right direction will be greatly appreciated!

--
Dánial


-Original Message-
From: freeradius-users-bounces+dol=ft...@lists.freeradius.org 
[mailto:freeradius-users-bounces+dol=ft...@lists.freeradius.org] On Behalf 
Of Dánial Olsen

Sent: Thursday, September 03, 2009 3:34 PM
To: freeradius-users@lists.freeradius.org
Subject: How to proxy accounting requests to multiple destinations

Hi,

I'm running FreeRADIUS 2.1.6 on FreeBSD 7.2 and I need to proxy incoming 
radius accounting requests to two different ports at the same destination 
ip. I'm quite inexperienced with freeradius and I'm not sure I've understood 
completely what I need to do.


I've set up realms, home_servers and home_server_pools in proxy.conf.
I've also made two instances of copy-acct-to-home-server in /sites-enabled 
and an extra detail file in a separate directory, which one 
copy-acct-to-home-server reads.


With the configurations I've made accounting requests are being proxied to 
one port of the destination ip, and the debug output reports for the second 
instance:


[suffix] Request already proxied.  Ignoring.

Am I correct in the assumption that I need to rewrite the accounting packet 
so it will be allowed to proxy again? How can I achieve this? Or is there 
another way to do things?


I'm also puzzled by how I can send to two different home_servers when the 
packet will of course only match one realm?


--
Dánial





Re: Simple Accounting 'radrelay' functionality - Version 2.1.6

2009-09-01 Thread Craig Campbell

Thanks for your help.

I have downloaded the pre 2.1.7 version and taken a look at the
radrelay.conf file as well as trying to find the specific info for Virtual
Servers you reference below.  (Not certain I found what you wanted me to on
that one.)

I had gathered that the new version of freeradius used the existing detail
files as source for the relay options, so it was no longer necessary to
create a duplicate detail_relay file.  Is this incorrect?


From the context of your message, does the relay source need to be a
specific hard coded name?  (i.e. the detail_relay file I thought I no longer
needed?)

Given the relative simplicity of what I need to do, do you know how the
current developers/designers envisioned this being achieved?  I want to keep
everything as 'standard' as possible.

Old way (as I understand it):
   1) Create a duplicate detail_relay file for each server you need to
send duplicate accounting records to.
   2) Run a radrelay process to scan (and truncate) the detail_relay
file as it is written to and read fully.

New way is?:
   a) radiusd process relays records from existing detail files to
other radius accounting (home) servers?  (No detail_relay file required?)

Thanks,
-craig

- Original Message - 
From: "Ivan Kalik" 

To: "Craig Campbell" 
Sent: Monday, August 31, 2009 5:12 PM
Subject: Re: Simple Accounting 'radrelay' functionality - Version 2.1.6



OK. This expands:


[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands
to /var/log/radius/radacct/192.168.1.101/detail-20090831


But filename in detail reader:


Polling for detail file
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
Waking up in 0.8 seconds.
Polling for detail file


... doesn't. This is documented. Read the comments in virtual server
configuration.

Ivan Kalik
Kalik Informatika ISP




Re: Simple Accounting 'radrelay' functionality - Version 2.1.6

2009-08-31 Thread Craig Campbell
Here is some more of the log file - I didn't realize what to look for.. (I 
did a string search for "proxy" below this point - nothing..  same for 
"192.168.1.126" and "radius-b" strings.)


Thanks,
-craig

Listening on proxy address * port 1814
Waking up in 0.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.1.101 port 50125, 
id=180, length=241

   Acct-Status-Type = Start
   User-Name = "na...@comfort"
   Event-Timestamp = "Aug 31 2009 15:33:05 AST"
   Acct-Delay-Time = 0
   NAS-Identifier = "ERX-2"
   Acct-Session-Id = "0314486542"
   NAS-IP-Address = 192.168.1.101
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = None
   ERX-Pppoe-Description = "pppoe 00:90:d0:63:df:6d"
   Framed-IP-Address = 199.2.117.119
   Framed-IP-Netmask = 255.255.255.255
   ERX-Ingress-Policy-Name = "COMFORT_UP"
   ERX-Egress-Policy-Name = "COMFORT_DOWN"
   Calling-Station-Id = "ERX-0900261"
   NAS-Port-Type = Ethernet
   NAS-Port = 2415919365
   NAS-Port-Id = "GigabitEthernet 9/0.261:261"
   Acct-Authentic = RADIUS
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 2415919365,Client-IP-Address = 
192.168.1.101,NAS-IP-Address = 192.168.1.101,Acct-Session-Id = 
"0314486542",User-Name = "na...@comfort"'

[acct_unique] Acct-Unique-Session-ID = "a805b61e88cd3fe2".
++[acct_unique] returns ok
[sanenasport]   expand: ^.* -> ^.*
[sanenasport]   expand: %{Acct-Session-Id} -> 0314486542
sanenasport: Changed value for attribute NAS-Port from '?' to '0314486542'
sanenasport: Could not find value pair for attribute NAS-Port
++[sanenasport] returns ok
[hexconvert]expand: ^...@ftth.aw$ -> ^...@ftth.aw$
hexconvert: Does not match: User-Name = na...@comfort
++[hexconvert] returns ok
[suffix] Looking up realm "comfort" for User-Name = "na...@comfort"
[suffix] No such realm "comfort"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> 
/var/log/radius/radacct/192.168.1.101/detail-20090831
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
to /var/log/radius/radacct/192.168.1.101/detail-20090831

[detail]expand: %t -> Mon Aug 31 15:32:59 2009
++[detail] returns ok
++[unix] returns ok
[nameonly]  expand: @.*$ -> @.*$
nameonly: Changed value for attribute User-Name from 'na...@comfort' to 
'nana1'

++[nameonly] returns ok
[radutmp]   expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} -> nana1
++[radutmp] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} -> nana1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 180 to 192.168.1.101 port 50125
Finished request 0.
Cleaning up request 0 ID 180 with timestamp +1
Going to the next request
Waking up in 0.4 seconds.
Polling for detail file 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d

Waking up in 1.1 seconds.
Polling for detail file 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d

Waking up in 0.8 seconds.
Polling for detail file 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d

Waking up in 1.2 seconds.
rad_recv: Accounting-Request packet from host 192.168.1.101 port 50125, 
id=181, length=250

   Acct-Status-Type = Start
   User-Name = "jmartine...@comfort"
   Event-Timestamp = "Aug 31 2009 15:33:07 AST"
   Acct-Delay-Time = 0
   NAS-Identifier = "ERX-2"
   Acct-Session-Id = "0314486551"
   NAS-IP-Address = 192.168.1.101
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = None
   ERX-Pppoe-Description = "pppoe 00:08:5c:89:2c:20"
   Framed-IP-Address = 199.2.118.252
   Framed-IP-Netmask = 255.255.255.255
   ERX-Ingress-Policy-Name = "COMFORT_UP"
   ERX-Egress-Policy-Name = "COMFORT_DOWN"
   Calling-Station-Id = "ERX-01317600067"
   Connect-Info = "speed:UBR"
   NAS-Port-Type = xDSL
   NAS-Port = 330301507
   NAS-Port-Id = "atm 1/3.3300:176.67"
   Acct-Authentic = RADIUS
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 330301507,Client-IP-Address = 
192.168.1.101,NAS-IP-Address = 192.168.1.101,Acct-Session-Id = 
"0314486551",User-Name = "jmartine...@comfort"'

[acct_unique] Acct-Unique-Session-ID = "21e39488e0f55f2c".
++[acct_unique] returns ok
[sanenasport]   expand: ^.* -> ^.*
[sanenasport]   expand: %{Acct-Session-Id} -> 0314486551
sanenasport: Changed value for attribute NAS-Port from '?°' to '0314486551'
sanenasport: Could not find value pair for attribute NAS-Port
++[sanenasport] returns ok
[hexconvert]expand: ^...@ftth.aw$ -> ^...@ftth.aw$
hexconvert: Does not match: User-Name = jmartine...@comfort
++[hexconvert] returns ok
[suffix] L

Simple Accounting 'radrelay' functionality - Version 2.1.6

2009-08-31 Thread Craig Campbell

Hi.

FreeRadius 2.1.6 running in Redhat Linux AS5.3

We are upgrading from ancient radius servers to current, and discovered the
radrelay program no longer exists.

Despite my best efforts, I have failed to configure relaying correctly.  I
think I am including below the required changes.  I hope someone that has
done this successfully can easily see where I went wrong.  (Thanks in
advance!)

We have two (2) radius servers (Redhat Linux AS5), radius-a and radius-b and
wish to replicate
accounting info between them.

(Previously radius-1 ran radrelay to radius-2 and radius-2 ran radrelay to
radius-1 -- just to be clear)

For my testing, I am attempting to get radius-a to replicate to radius-b
(Get things working in 1 direction first.)

I have created a symbolic link in /usr/local/etc/raddb/sites-enabled/ to
/usr/local/etc/raddb/sites-available/copy-acct-to-home-server

I have ADDED the following  to (and REMOVED NOTHING FROM) the
proxy.conf file,

home_server radius-b {
   type = acct
   ipaddr = 192.168.1.226
   port = 1813
   secret = booboo
   require_message_authenticator = no
   response_window = 20
   zombie_period = 40
   revive_interval = 120
   status_check = status-server
   check_interval = 30
   num_answers_to_alive = 3
   coa {
       # Initial retransmit interval: 1..5
       irt = 2
       # Maximum Retransmit Timeout: 1..30 (0 == no maximum)
       mrt = 16
       # Maximum Retransmit Count: 1..20 (0 == retransmit forever)
       mrc = 5
       # Maximum Retransmit Duration: 5..60
       mrd = 30
   }
}

home_server_pool my_acct_relay {
   type = fail-over
   home_server = radius-b
}

realm relay_realm {
   acct_pool = my_acct_relay
}

~~~
I have modified the file
/usr/local/etc/raddb/sites-enabled/copy-to-home-server as follows,

server copy-acct-to-home-server {
   listen {
       type = detail
#CECfilename = ${radacctdir}/detail
       filename = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
       load_factor = 10
   }

   preacct {
#CEC Added this from web searches...
       update control {
           Proxy-To-Realm := relay_realm
       }
       preprocess
       suffix
       files
   }

~~~

Accounting packets are being sent from 192.168.1.101 to radius-a and are
logged.
No IP traffic has been detected from radius-a to radius-b.
The detail file I expect is being updated.
No log files of the form,
${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
and ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
have been created, although I thought they should have been.

The startup log has no obvious errors I can see,

FreeRADIUS Version 2.1.6, for host x86_64-unknown-linux-gnu, built on Aug 28
2009 at 09:39:34
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/mo