RE: Loadbalancing and failover using different servers

2011-01-14 Thread Jason Hodges
> Let's suppose that there is also an attacker
> (a disgruntled employee maybe?), who knows about this bug and decides to
> attack my FreeRadius servers, so he starts sending these
> specially crafted packets to each server and since the two servers have
> the same bug, both of them would die upon receiving these packets.

I suggest using a network-based firewall or even a kernel-based firewall
to limit what IP addresses are allowed to talk to your radius server.
While it's not 100% perfect, it should at least limit your exposure to
hosts you know about and hopefully trust.

Managing two platforms is very tough especially given the flexibility
FreeRadius gives you.  Not all platforms will offer this.  You'd be
begging to put yourself in a situation where both platforms can't
perform the same tasks the same way. (in my opinion)



Regards,
Jason P Hodges
Senior Network and Systems Architect




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
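
The restriction suggested in the message above, as an added example that is not part of the original post: a rule generator that admits only listed RADIUS clients to 1812/udp and 1813/udp. It assumes a Linux host using iptables and the INPUT chain; the client addresses are constructed documentation addresses.

```shell
#!/bin/sh
# Added example: print iptables rules that let only known RADIUS clients
# reach the authentication (1812/udp) and accounting (1813/udp) ports.
RADIUS_PORTS="1812,1813"

# is_ipv4 ADDR -> 0 if ADDR is dotted-quad IPv4, optionally with a /prefix.
is_ipv4() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# radius_rules CLIENT... -> one ACCEPT per client, then a final DROP.
# Nothing is printed if any address is malformed or the list is empty, so a
# typo cannot yield a rule set that locks out every NAS or leaves a gap.
radius_rules() {
    [ $# -gt 0 ] || { echo "radius_rules: no clients given" >&2; return 1; }
    for c in "$@"; do
        is_ipv4 "$c" || { echo "radius_rules: bad address: $c" >&2; return 1; }
    done
    for c in "$@"; do
        echo "iptables -A INPUT -p udp -s $c -m multiport --dports $RADIUS_PORTS -j ACCEPT"
    done
    # Order matters: this DROP must come after every ACCEPT above.
    echo "iptables -A INPUT -p udp -m multiport --dports $RADIUS_PORTS -j DROP"
}

# Constructed client list (documentation ranges); prints the rules for review.
radius_rules 192.0.2.10 192.0.2.11 198.51.100.0/28
```

The output is meant to be reviewed before it is applied; rules already present earlier in the INPUT chain still take precedence over the appended ones.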


RE: Lost package after use FreeRadius

2010-11-19 Thread Jason Hodges
Hi Robin,

Have FreeRadius mirror the Access-Accept (plus reply-attributes) of your
Mikrotik radius server.  You should be able to do a tcpdump (or snoop if
it's on Solaris) to see the authentication messaging.  Perhaps your
Mikrotik radius server is setting some network-level parameters in the
access-accept.  If it is, you'll want FreeRadius to have the same
behavior.

As long as the access-accept and reply-attributes are the same, it
should not matter which radius server you are using.

> Actually, only about 5-10% users have this problem.

From your description of the packet loss, I can't fathom how any radius
server could have that impact/result.

> If it's access-accept attributes issue, why will not all users lose
> package or not visit website?

If all your users are configured the same, then they should have the
same experience.  I'd lean towards network troubleshooting for the
problem you describe.




Regards,
Jason P Hodges



-Original Message-
From: freeradius-users-bounces+jhodges=pocket@lists.freeradius.org [mailto:freeradius-users-bounces+jhodges=pocket@lists.freeradius.org] On Behalf Of Robin
Sent: Friday, November 19, 2010 11:19 AM
To: 'FreeRadius users mailing list'
Subject: RE: Lost package after use FreeRadius


Dear Alan,

Actually, only about 5-10% users have this problem. If it's access-accept
attributes issue, why will not all users lose package or not visit website?
Where can I find any documents about this?

Thanks.

Robin





RE: Domain in Username

2010-11-10 Thread Jason Hodges
You could try this method ...

Don't 'strip' the realm and store complete usernames in your users file
(or database).

So your username would be j...@business or b...@communication.



Regards,
Jason


-Original Message-
From: freeradius-users-bounces+jhodges=pocket@lists.freeradius.org [mailto:freeradius-users-bounces+jhodges=pocket@lists.freeradius.org] On Behalf Of zouzou
Sent: Wednesday, November 10, 2010 3:21 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Domain in Username



> Define a communication realm, and don't define a business realm.

But I have other users in the business department, for example Jhon, and I
want freeradius to accept if he uses j...@business. However, I don't want
freeradius to accept if he uses j...@communication. The problem is that
these departments exist 
In the proxy.conf file, I had defined all departments as realm.
Thank you again.



Re: Proxying/Rewriting Accounting Packets

2007-03-21 Thread Jason Hodges
Thank you for the response.

I did cover that base as well.  I should have pasted
the script into the original email.  Here is the
script that I tested with (where xxx are numbers):

#!/bin/sh
# Print 0xx when no argument is given, 1xx otherwise.
if [ "$1" = "" ]; then
   #Example 0xx
   echo 0xx
else
   echo 1xx
fi

Even if no variable was passed to the script, it
outputs something.  I also used other system commands
(exec:/bin/echo testing ... exec:/bin/cat some file)
just in case.  It seems as long as I was using exec, I
got that same error.  If I just substituted with a
static value, it worked fine.

Your time is appreciated.  Thanks again for the
response.

Regards,
Jason


--- Alan DeKok [EMAIL PROTECTED] wrote:

> Jason Hodges wrote:
> ...
> > Here are the debug results:
> > radius_xlat:  '0210xxx'
> > radius_xlat: Running registered xlat function of module exec for string '/usr/local/freeradius/bin/mdn_lookup.sh'
> > rlm_exec (exec): Executing /usr/local/freeradius/bin/mdn_lookup.sh
> > rlm_exec (exec): result 0
> > radius_xlat:  ''
> > rlm_attr_rewrite: xlat on replace string failed.
> >
> > Thoughts?  What have I missed?
>
>   The script you write didn't output anything.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Proxying/Rewriting Accounting Packets

2007-03-20 Thread Jason Hodges
Greetings.  First I'd like to thank everyone who works
on this project.  Freeradius is amazing.

For our issue, I have browsed the online
documentation, faq, and mailing lists.

We have a need to alter the accounting records that we
proxy to another company.  The attribute that we need
to rewrite is the Calling-Station-Id.

Basically what we need to do is have Freeradius do a
database query (via a script) to lookup the new
number that it should use in place of the original
value for Calling-Station-Id.

Here is what I have tried:

In radiusd.conf:
##Added by Jason
attr_rewrite mintomdn {
        searchin = packet
        attribute = Calling-Station-Id
        searchfor = %i
        #replacewith = %{exec:/usr/local/freeradius/bin/mdn_lookup.sh %{Calling-Station-Id}}
        replacewith = %{exec:/usr/local/freeradius/bin/mdn_lookup.sh %i}

        #This works
        #replacewith = %{callingstationid}jasontest

        ignore_case = no
        new_attribute = no
        max_matches = 1
        append = no
}
##End Added by Jason

...
and in the pre_proxy stage:

pre-proxy {
#Added by Jason
mintomdn
#End Added by Jason
pre_proxy_log
}

Here are the debug results:
radius_xlat:  '0210xxx'
radius_xlat: Running registered xlat function of module exec for string '/usr/local/freeradius/bin/mdn_lookup.sh'
rlm_exec (exec): Executing /usr/local/freeradius/bin/mdn_lookup.sh
rlm_exec (exec): result 0
radius_xlat:  ''
rlm_attr_rewrite: xlat on replace string failed.

Thoughts?  What have I missed?

Any assistance on this would be greatly appreciated. 
Thanks in advance for your time.

Regards,
Jason



 

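
A lookup helper in the shape of the mdn_lookup.sh described in this thread, as an added example that is not the poster's script and does not diagnose the error shown above. It treats the Calling-Station-Id argument as untrusted packet data and always prints one line; the mapping table is constructed sample data standing in for the database query, and the 15-digit limit is an assumption.

```shell
#!/bin/sh
# Added example: replacement-number lookup driven by a value taken from a
# RADIUS packet. Constructed "original replacement" pairs; a real deployment
# would query its database here instead.
MDN_TABLE='0210000001 5551000001
0210000002 5551000002'

# mdn_lookup VALUE -> prints the replacement for VALUE on stdout.
# VALUE is attacker-influenced, so accept digits only and never hand it to
# eval, a generated command line or an unquoted expansion.
mdn_lookup() {
    min=$1
    case $min in
        ''|*[!0-9]*)
            echo "mdn_lookup: rejected argument" >&2
            return 1 ;;
    esac
    # Assumed upper bound: E.164 numbers have at most 15 digits.
    [ "${#min}" -le 15 ] || { echo "mdn_lookup: argument too long" >&2; return 1; }

    # String comparison on purpose: a numeric compare would treat
    # 0210000001 and 210000001 as the same key.
    mdn=$(printf '%s\n' "$MDN_TABLE" | while read -r key val; do
        if [ "$key" = "$min" ]; then
            printf '%s' "$val"
            break
        fi
    done)

    # Always print exactly one line: the mapped value, or the input unchanged
    # when no mapping exists, so the caller never receives an empty string.
    printf '%s\n' "${mdn:-$min}"
}

# When run as a script: mdn_lookup.sh <Calling-Station-Id>
if [ $# -gt 0 ]; then
    mdn_lookup "$1"
fi
```

Running the script by hand with a sample value and with no argument shows what the server would receive on stdout in each case, and the non-zero exit status marks rejected input.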