RE: Loadbalancing and failover using different servers
Let's suppose that there is also an attacker (a disgruntled employee maybe?), who knows about this bug and decides to attack my FreeRadius servers, so he starts sending these specially crafted packets to each server and since the two servers have the same bug, both of them would die upon receiving these packets.

I suggest using a network-based firewall or even a kernel-based firewall to limit what IP addresses are allowed to talk to your radius server. While it's not 100% perfect, it should at least limit your exposure to hosts you know about and hopefully trust.

Managing two platforms is very tough especially given the flexibility FreeRadius gives you. Not all platforms will offer this. You'd be begging to put yourself in a situation where both platforms can't perform the same tasks the same way. (in my opinion)

Regards,
Jason P Hodges
Senior Network and Systems Architect

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
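A host-firewall allowlist of the kind suggested in the reply above, as an added example that is not part of the original message. It assumes iptables, the standard RADIUS ports 1812/udp (authentication) and 1813/udp (accounting), and a constructed client list; the function names are hypothetical, and the script only prints the rules for review.

```shell
#!/bin/sh
# Constructed sample data: the NAS/proxy addresses that may reach this server.
RADIUS_CLIENTS="192.0.2.10 192.0.2.11 198.51.100.0/24"

# Return 0 if $1 is an IPv4 address with an optional /prefix length.
valid_client() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac
    addr=${1%/*}
    prefix=${1#"$addr"}
    if [ -n "$prefix" ]; then
        bits=${prefix#/}
        case "$bits" in ''|*[!0-9]*|???*) return 1 ;; esac
        [ "$bits" -le 32 ] || return 1
    fi
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*|*/*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print iptables commands for review: accept RADIUS authentication (1812/udp)
# and accounting (1813/udp) from the listed clients only, then drop the rest.
radius_rules() (
    set -f                  # no filename globbing on list entries
    for client in $1; do
        if valid_client "$client"; then
            echo "iptables -A INPUT -s $client -p udp -m multiport --dports 1812,1813 -j ACCEPT"
        else
            echo "skipping invalid client entry: $client" >&2
        fi
    done
    echo "iptables -A INPUT -p udp -m multiport --dports 1812,1813 -j DROP"
)

radius_rules "$RADIUS_CLIENTS"
```

Malformed entries are reported on stderr and skipped, so a typo in the client list never turns into an over-broad ACCEPT rule.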
RE: Lost package after use FreeRadius
Hi Robin,

Have FreeRadius mirror the Access-Accept (plus reply-attributes) of your Mikrotik radius server. You should be able to do a tcpdump (or snoop if it's on Solaris) to see the authentication messaging. Perhaps your Mikrotik radius server is setting some network-level parameters in the access-accept. If it is, you'll want FreeRadius to have the same behavior. As long as the access-accept and reply-attributes are the same, it should not matter which radius server you are using.

Actually, only about 5-10% users have this problem.

From your description of the packet loss, I can't fathom how any radius server could have that impact/result.

If it's access-accept attributes issue, why will not all users lose package or not visit website?

If all your users are configured the same, then they should have the same experience. I'd lean towards network troubleshooting for the problem you describe.

Regards,
Jason P Hodges

-Original Message-
From: freeradius-users-bounces+jhodges=pocket@lists.freeradius.org [mailto:freeradius-users-bounces+jhodges=pocket@lists.freeradius.org ] On Behalf Of Robin
Sent: Friday, November 19, 2010 11:19 AM
To: 'FreeRadius users mailing list'
Subject: RE: Lost package after use FreeRadius

Dear Alan,

Actually, only about 5-10% users have this problem. If it's access-accept attributes issue, why will not all users lose package or not visit website? Where can I find any documents about this?

Thanks.
Robin
RE: Domain in Username
You could try this method ... Don't 'strip' the realm and store complete usernames in your users file (or database). So your username would be j...@business or b...@communication.

Regards,
Jason

-Original Message-
From: freeradius-users-bounces+jhodges=pocket@lists.freeradius.org [mailto:freeradius-users-bounces+jhodges=pocket@lists.freeradius.org ] On Behalf Of zouzou
Sent: Wednesday, November 10, 2010 3:21 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Domain in Username

Define a communication realm, and don't define a business realm.

But I have other users in the business department, for example Jhon, and I want freeradius to accept if he uses j...@business. However, I don't want freeradius to accept if he uses j...@communication. The problem is that these departments exist In the proxy.conf file, I had defined all departments as realm.

Thank you again.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Domain-in-Username-tp3259377p3259448.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Proxying/Rewriting Accounting Packets
Thank you for the response. I did cover that base as well. I should have pasted the script into the original email. Here is the script that I tested with (where xxx are numbers):

    #!/bin/sh
    # Print one value when no argument is passed, another otherwise
    if [ "$1" = "" ]; then
        #Example 0xx
        echo 0xx
    else
        echo 1xx
    fi

Even if no variable was passed to the script, it outputs something. I also used other system commands (exec:/bin/echo testing ... exec:/bin/cat some file) just in case. It seems as long as I was using exec, I got that same error. If I just substituted with a static value, it worked fine.

Your time is appreciated. Thanks again for the response.

Regards,
Jason

--- Alan DeKok [EMAIL PROTECTED] wrote:

Jason Hodges wrote:
...
Here are the debug results:

    radius_xlat: '0210xxx'
    radius_xlat: Running registered xlat function of module exec for string '/usr/local/freeradius/bin/mdn_lookup.sh'
    rlm_exec (exec): Executing /usr/local/freeradius/bin/mdn_lookup.sh
    rlm_exec (exec): result 0
    radius_xlat: ''
    rlm_attr_rewrite: xlat on replace string failed.

Thoughts? What have I missed?

The script you wrote didn't output anything.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Proxying/Rewriting Accounting Packets
Greetings.

First I'd like to thank everyone who works on this project. Freeradius is amazing.

For our issue, I have browsed the online documentation, FAQ, and mailing lists. We have a need to alter the accounting records that we proxy to another company. The attribute that we need to rewrite is the Calling-Station-Id. Basically what we need to do is have Freeradius do a database query (via a script) to look up the new number that it should use in place of the original value for Calling-Station-Id.

Here is what I have tried:

In radiusd.conf:

    ##Added by Jason
    attr_rewrite mintomdn {
        searchin = packet
        attribute = Calling-Station-Id
        searchfor = %i
        #replacewith = %{exec:/usr/local/freeradius/bin/mdn_lookup.sh %{Calling-Station-Id}}
        replacewith = %{exec:/usr/local/freeradius/bin/mdn_lookup.sh %i}
        #This works
        #replacewith = %{callingstationid}jasontest
        ignore_case = no
        new_attribute = no
        max_matches = 1
        append = no
    }
    ##End Added by Jason

... and in the pre_proxy stage:

    pre-proxy {
        #Added by Jason
        mintomdn
        #End Added by Jason
        pre_proxy_log
    }

Here are the debug results:

    radius_xlat: '0210xxx'
    radius_xlat: Running registered xlat function of module exec for string '/usr/local/freeradius/bin/mdn_lookup.sh'
    rlm_exec (exec): Executing /usr/local/freeradius/bin/mdn_lookup.sh
    rlm_exec (exec): result 0
    radius_xlat: ''
    rlm_attr_rewrite: xlat on replace string failed.

Thoughts? What have I missed? Any assistance on this would be greatly appreciated. Thanks in advance for your time.

Regards,
Jason
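A sketch of a lookup script for the exec rewrite discussed in this thread, as an added example that is not the poster's mdn_lookup.sh. The Calling-Station-Id it receives comes from the network, so it is checked before use, and every path prints exactly one non-empty line so the expansion is never ''. The mapping table, the digits-only rule, the 15-digit limit and the "unknown" fallback are assumptions; a real deployment would query its own database.

```shell
#!/bin/sh
# Constructed sample mapping (original number -> replacement number).
# Stands in for the database query; the values are made up.
MDN_TABLE="0210000001 5550100001
0210000002 5550100002"

# Hypothetical value emitted when the input is missing or malformed.
FALLBACK="unknown"

# Print the replacement Calling-Station-Id for $1 on a single line.
mdn_lookup() {
    min=$1
    # Reject anything that is not a bounded string of digits before it
    # gets near a query or another command.
    case "$min" in
        ''|*[!0-9]*) echo "$FALLBACK"; return 0 ;;
    esac
    if [ "${#min}" -gt 15 ]; then
        echo "$FALLBACK"
        return 0
    fi
    # Compare keys as strings so leading zeros stay significant
    # (a numeric comparison would treat 0210000001 and 210000001 as equal).
    while read -r key val; do
        if [ "$key" = "$min" ]; then
            echo "$val"
            return 0
        fi
    done <<EOF
$MDN_TABLE
EOF
    # No mapping found: keep the original value rather than print nothing.
    echo "$min"
}

mdn_lookup "$1"
```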