Re: The story of PAP, CHAP and the blank password

2011-03-16 Thread Kenneth Marshall
On Wed, Mar 16, 2011 at 06:19:08PM +0530, pradyumna dash wrote:
 Hi,
 
 Need a doc/pointer on FreeRadius+OpenLDAP+Mobile-OTP configuration, I
 would be implementing this in a SuSE server.
 
 Can any one help me how to do it?
 
 Regards,
 Neo

I thought there was a link to a how-to for this on the mobile-otp
website. I am getting ready to do it here as well with Redhat.

Cheers,
Ken
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Secondary LDAP server

2011-03-09 Thread Kenneth Marshall
On Tue, Mar 08, 2011 at 05:16:35PM -0600, Gary Gatten wrote:
 I'm pretty sure this is discussed, examples, etc in the doc: online and in FR 
 conf files. Sorry I don't have exact location handy, but I'm sure its there.
 
 From: McNutt, Justin M. [mailto:mcnu...@missouri.edu]
 Sent: Tuesday, March 08, 2011 05:02 PM
 To: freeradius-users@lists.freeradius.org 
 freeradius-users@lists.freeradius.org
 Subject: Secondary LDAP server
 
 One of my virtual servers uses LDAP auth.  However, it isn't clear to me if 
 modules/ldap can be configured with a secondary LDAP server, should the 
 primary fail to respond.  The group that provides the LDAP server can't set 
 up multiple servers behind a load balancer due to cert issues, so I'm looking 
 for a way to add a failover LDAP server to the RADIUS configuration.
 
 What's the easiest/best/recommended way to do something like this?  Can 
 modules/ldap be configured this way, or should I create a modules/ldap2 (or 
 similar) and call it somehow?
 
 Suggestions welcome.
 
 Thanks!
 
 Justin McNutt
 Network Systems Analyst - Ninja
 DNPS, Mizzou Telecom
 (573) 882-5183
 


Look at redundant, load-balance and redundant-load-balance in
man unlang. It goes over how to set this up and yes you will
need to set up an ldap2.

Cheers,
Ken

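What Ken points to, spelled out as an added example that is not from the list posts. Hostnames, bind DN, credential and certificate paths are assumptions; the syntax is that of the FreeRADIUS 2.1.x modules/ldap file.

```unlang
# raddb/modules/ldap: the primary, with the timeouts that make failover possible
ldap {
        server   = "ldap1.example.org"                       # assumed
        identity = "cn=radius,ou=services,dc=example,dc=org" # assumed
        password = "radius-bind-secret"                      # assumed
        basedn   = "ou=people,dc=example,dc=org"             # assumed
        filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        # Without these a dead server is a hang, not a failure, and
        # "redundant" never gets as far as trying ldap2.
        timeout     = 4
        timelimit   = 3
        net_timeout = 1

        tls {
                start_tls    = yes
                cacertfile   = /etc/raddb/certs/ldap-ca.pem   # assumed path
                require_cert = "demand"   # verify the server certificate
        }
}

# raddb/modules/ldap2: a second instance of the same module for the standby.
# "ldap2" is the instance name used from unlang below.
ldap ldap2 {
        server   = "ldap2.example.org"                       # assumed
        identity = "cn=radius,ou=services,dc=example,dc=org"
        password = "radius-bind-secret"
        basedn   = "ou=people,dc=example,dc=org"
        filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        timeout     = 4
        timelimit   = 3
        net_timeout = 1
        tls {
                start_tls    = yes
                cacertfile   = /etc/raddb/certs/ldap-ca.pem
                require_cert = "demand"   # just as strict on the standby
        }
}

# raddb/sites-enabled/<the virtual server that uses LDAP>
authorize {
        # ... preprocess, suffix, eap etc. as before ...

        # ldap2 is consulted only when ldap returns "fail".
        redundant {
                ldap
                ldap2
        }
}

authenticate {
        # Only needed if users are authenticated by binding as them.
        Auth-Type LDAP {
                redundant {
                        ldap
                        ldap2
                }
        }
}
```

Two things decide whether the failover actually happens. `redundant` only moves on to the next module when the previous one returns `fail`, which rlm_ldap does for a connection or search error; `notfound` (no such user) and, in `authenticate`, a bind that fails because the password is wrong are returned as-is, so an unknown user or a bad password is never retried against the standby. And the failure has to arrive quickly: without `timeout`, `timelimit` and `net_timeout` a dead server stalls the request until the NAS gives up, and `ldap2` is never reached. Keep `require_cert = "demand"` and the CA file on both instances; the certificate problem that ruled out the load balancer is not a reason to relax verification on the second server.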

Re: linelog and rlm_eap

2011-03-08 Thread Kenneth Marshall
On Tue, Mar 08, 2011 at 04:44:53PM +0100, Kolbjørn Barmen wrote:
 
 Is it possible to use the linelog to provide a debug light for rlm_eap
 and submodules? What I'm looking for is some way to tell why an
 authentication has failed for a given login attempt, without resorting to
 full debugging. If it is possible, example configuration is most welcome.
 
 Thanks!
 
 -- 
 Kolbjørn Barmen
 UNINETT Driftsenter


You can use raddebug to enable debugging for just the problem
user. That is usually much easier than trying to instrument the
radius process piecemeal.

Cheers,
Ken

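The control socket that raddebug needs, as an added example that is not from the list posts (FreeRADIUS 2.1.x; the uid/gid are assumptions):

```unlang
# raddb/sites-enabled/control-socket
listen {
        type   = control
        socket = ${run_dir}/${name}.sock

        # Only processes running as this user/group may connect to the socket.
        uid = radius    # assumed
        gid = radius    # assumed

        # raddebug installs a debug condition through the socket, so it needs
        # write access; "ro" is enough for radmin's read-only status commands.
        mode = rw
}
```

With that listener loaded, `raddebug -u alice -t 60` prints the full debug trace, but only for requests whose User-Name is alice, for 60 seconds; `-c` accepts an unlang condition instead, e.g. `raddebug -c '(Calling-Station-Id == "00-11-22-33-44-55")'` for one device. The trace includes whatever the request carried, User-Password for PAP included, so limiting it to the one user under investigation keeps everyone else's credentials out of the terminal and its scrollback. Because the socket is `rw`, the uid/gid restriction is what stops any local account from attaching the same debugger to the production server.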

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Kenneth Marshall
On Fri, Feb 18, 2011 at 02:16:25PM +, Dean, Barry wrote:
 I have been asked to do just this and I am working on the solution now.
 
 We wanted to use multiple pools of VLANs/Subnets and assign Staff to one 
 pool and Students# to the other. Then to select a VLAN within the pool, use 
 a hashing function and select a VLAN.
 
 One concern I have is when is post-auth called? Would it get called for 
 interim authentication requests? Because I don't want to be changing the VLAN 
 mid sessions, which could potentially happen with a non-deterministic hash!
 
 In my tests I have been creating a hash from the 'State' attribute which 
 seems reasonably random and gives me a good even share across the VLANs in my 
 pools, but would be completely non-deterministic. (My tests are not real 
 world so this could prove untrue).
 
 A hash on User-Name may be more deterministic, but may not give me the 
 balance I need.
 
 Students and Staff have different format usernames so I am sure this would 
 result in un-balanced sharing across the VLAN pools. And we have un-even 
 numbers of students on different courses and their usernames start the same.
 
 I am using a perl module called within post-auth that does some LDAP lookups 
 as well to find the type of the user.
 
 Nothing is set in stone yet and I am still experimenting, I feel sure 
 whatever method I use will end up being a I wouldn't start from here 
 solution in 12 months time!
 
 # Staff in our world means Staff + Research Postgrads and Students are 
 Students + Taught Postgrads...

You will always have fluctuations in the number of users per VLAN
with any method of assignment, unless you keep track of VLAN/user and
compensate. This will incur the I/O overhead of tracking this information
although using some type of memory store like memcached would make this
a lighter weight operation. In actual usage, there is very little need
to have such an accurate leveling of usage. The count of users per VLAN
does not reflect their actual load on the network. 10 users streaming
video would use more bandwidth than 100+ users reading their Email or
editing a document. You could also have every member of one group login
at the same time and fully populate one VLAN. This is more likely if you
group by role or class. The upshot is that you only need to be good-enough
and not perfect to get the benefit of leveling, and using a hash(User-Name)
is the simplest way to achieve that. In my code, we used a crc32 as the
hash function and it was fine. (We tested it against our population of 
User-Names.) The md5 would be even better at randomizing, but it is a
much more CPU intensive function. Using a dynamic group assignment is
going to be more complicated, more bug ridden, and will not be any better
than the straight-forward hash(User-Name) method. I do think that the
amount of work for dynamic VLAN assignment adjustment is being discounted
by its advocates.

Cheers,
Ken
 
 On 17 Feb 2011, at 23:52, Kenneth Marshall wrote:
 
  On Thu, Feb 17, 2011 at 02:26:14PM -0800, Brett Littrell wrote:
 I agree breaking the network up into separate VLANs then routing 
  between them would help with broadcasting but I do not agree that hashing 
  values and then using those hashing values as randomizing agents to 
  distribute vlans.  There has to be a more elegant way to do this, I 
  believe there is.
  
First off by randomizing what network a host is going to be on is going 
  to be extremely confusing when you try and troubleshoot other issues, for 
  instance a virus outbreak, now you have to figure out who is on what 
  subnet and who is sending what etc.. I can think of a lot of other issues 
  that would cause headaches, suffice to say it is not a good idea.
  
 The better way to do this is to break people up by some logical means, 
  such as Accounting, testing, personnel etc.  Then create groups and assign 
  group ids based on the users in those groups.  This gives the benefit of 
  segmenting and securing like minded traffic as well, maybe accounting can 
  only talk to accounting, personnel can only talk to these servers, or 
  those servers etc.  Of course you would have to route to other subnets if 
  you want them to talk but now you have control to say only this group of 
  people can talk to that group of people and not just open it up for 
  everyone.  
  
 Even if you assign users by Group1, Group2, Group3 and you have a virus 
  outbreak now you can at least look at it and say right away all Group1 
  subnet is crazy and have a list of all the stations/users in that group.
  
 Anyway, that is my 2 cents on the whole deal.
  
  
  Brett Littrell
  Network Manager
  MUSD
  CISSP, CCSP, CCVP, MCNE
  
  I agree with you that random VLAN selection is not a good idea and it
  wreaks havoc with most clients too. However, the problem we ran into was
  balancing the usage of all of the VLANS to get both good performance and
  minimize infrastructure costs

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Kenneth Marshall
On Fri, Feb 18, 2011 at 02:36:55PM +, Phil Mayers wrote:
 On 18/02/11 14:29, schilling wrote:
 Could you share your configuration and perl script? So I can learn from 
 it?
 I am thinking of use ldap status to decide the pool, then hashing mac
 address of the client to get different VLAN.

 It seems like a lot of people are suddenly wanting to do this.

 Can any of you explain why, and why now? Just curious. It seems odd that so 
 many people want to do it, all at the same time.

 Did an article appear online or in a magazine or something ;o)

If you need to spread a userbase across network hardware efficiently,
you need to do something like this. With the increased importance of
security on a network, this sort of process is needed and simply
reflects a growing attention to security overall and the prevalence
of 802.1x.

Cheers,
Ken


Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Kenneth Marshall
On Fri, Feb 18, 2011 at 03:00:48PM +, Phil Mayers wrote:
 On 18/02/11 14:52, schilling wrote:
 I can explain my environment.

 This is getting OT for the list, and will be my last post.

 We are migrating from traditional captive portal to new 802.1x
 WPA2-Enterprise, from fat AP to controller based wireless
 architecture,  Wireless mobility comes into play too.  At the same
 time, how to maintain the traditional source-based IP ACL/Firewall? We
 already implemented MPLS VPN based network virtualization, so we want
 to utilize both MPLS VPN and newer wireless architecture.  That's why.

 I'm not suggesting that you shouldn't do *any* VLAN assignment. We do VLAN 
 assignment on wireless, and in fact each VLAN is inside an MPLS VPN, so 
 we're doing something similar to you.

 I'm only suggesting that hashing or any other load balancing scheme to 
 keep ~N clients in each of X VLANs might be either unnecessary or possibly 
 even harmful.


Of course balancing does not matter if each of your VLANs can support
your entire complement of users. We are not that lucky and need to
spread the assignments out.

Cheers,
Ken


 Another thing is big VLAN broadcast scalability. So we want to chop
 off users in different VLANs at first by hash, later will try to
 implement group based VLAN assignment.

 But why? Many (most?) controller-based wireless systems don't suffer from 
 broadcast scalability problems. For example, our Cisco WiSMs simply don't 
 forward broadcasts. They proxy ARP requests and handle the DHCP internally, 
 so there's no need for clients to send broadcasts.




Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Kenneth Marshall
On Fri, Feb 18, 2011 at 03:02:49PM +, Dean, Barry wrote:
 
 On 18 Feb 2011, at 14:26, Phil Mayers wrote:
 
  On 18/02/11 14:16, Dean, Barry wrote:
  I have been asked to do just this and I am working on the solution
  now.
  
  We wanted to use multiple pools of VLANs/Subnets and assign Staff
  to one pool and Students# to the other. Then to select a VLAN
  within the pool, use a hashing function and select a VLAN.
  
  One concern I have is when is post-auth called? Would it get called
  for interim authentication requests? Because I don't want to be
  changing the VLAN mid sessions, which could potentially happen with a
  non-deterministic hash!
  
  There is no such thing as an interim authentication request.
  
  Post-auth is called after every auth.
  
  I suspect you are referring to feature(s) on the switch(es) you use 
  where it will re-auth the client after X minutes. That's just another, 
  separate authentication as far as FreeRadius is concerned
 
   Yep, I was referring to the entries I see in my logs for 
 Interim-Update, which is of course an Accounting record, and I had always 
 assumed this went with an Auth as well, but have never looked in detail to 
 see! So I am most likely talking rubbish!
 
  
  In my tests I have been creating a hash from the 'State' attribute
  
  That's a very bad idea. It will change mid-session and cause you huge 
  problems.
  
 
   I will not be using this then :-)
 
  We do pervasive VLAN assignment on a large scale here, and my advice is 
  the same as others in the thread - don't use a hash value. Just map a 
  user or group to a vlan.
  
  If you need to balance the numbers of users on a vlan (why?) then you 
  should log the vlan assignments to SQL and run a post-processing script 
  that changes the assignment to keep the load balanced.
  
  Personally we just run big subnets to reduce the waste of IP space and 
  configuration overhead.
  
 
 I don't design the wireless network here, I just make the RADIUS work as best 
 I can. It has been decided to have smaller private IP ranges each associated 
 with a VLAN and balance the routing of these across two routers. Then I was 
 asked if I can distribute the users across these VLANS evenly.
 

This was the initial request from our network group as well.

 I am beginning to think a round robin allocation might just do!
 

That is what they asked for, but the key is to provide a persistent
VLAN allocation for the length of the client's connection to the network.
You can either cache the current VLAN assignment from a pure round-robin
allocation which requires managing the information, expiring it as needed
and other sorts of maintenance activities. In the end, using the hash of
a static client parameter such as User-Name or MAC address gives you an
even distribution without the maintenance headaches.

Cheers,
Ken

 However, the goal posts could move again yet! Latest news is that we will 
 have 1 pool of VLANs, so time to tear up the existing code and take a fresh 
 look! I currently have no idea how big these subnets will be either.
 


 --
 Barry Dean
 Principal Programmer/Analyst
 Networks Group
 Computing Services Department
 Tel: 0151 795 9540
 Skype: barryvdean
 


 
 
 ---
 Nice boy, but about as sharp as a sack of wet mice.
-- Foghorn Leghorn
 



Re: Hash username or mac address to assign user to different vlan

2011-02-17 Thread Kenneth Marshall
On Thu, Feb 17, 2011 at 02:06:18PM -0500, schilling wrote:
 Hi All,
 
 I get dynamic VLAN assignment working in post-auth section with
 help/hints from a lot of list members. Now I want to do one more
 steps. I would like to hash the username or mac-address to distribute
 users to different VLANs. The idea is to use freeradius to spread the
 load on different smaller subnets to reduce the broadcast in bigger
 VLANs.
 
 For example I want to do the following
  if ( "%{User-Name}" !~ /@/ ) {
      if ( "%{User-Name}" % 2 == 0 ) {
          update reply {
              Service-Type = Framed-User
              Tunnel-Type = VLAN
              Tunnel-Medium-Type = IEEE-802
              Tunnel-Private-Group-Id = "facstaff0"
          }
      }
      elsif ( "%{User-Name}" % 2 == 1 ) {
          update reply {
              Service-Type = Framed-User
              Tunnel-Type = VLAN
              Tunnel-Medium-Type = IEEE-802
              Tunnel-Private-Group-Id = "facstaff1"
          }
      }
  }
 
 Will I be able to do this in the post-auth with unlang?
 
 Thanks,
 
 Schilling
 

I did not see how that could be done with just unlang and
we implemented it with a perl function that calculated a 32-bit
checksum of the User-Name and used that with the modulo function
to assign to the appropriate VLAN. Here is the authorize function
that we are using:

# Function to handle authorize
sub authorize {
    # For debugging purposes only
    #   log_request_attributes;

    # Here's where your authorization code comes
    # You can call another function from here:
    #   test_call;
    #
    # Calculate the 32-bit checksum of the User-Name to use for
    # assigning the VLAN number.
    my $chksum_username = unpack("%32C*", $RAD_REQUEST{'User-Name'});

    # Pick the pool from Connect-Info, then the VLAN within the pool
    # from the checksum; the result is one of <pool>01 .. <pool>08.
    if ($RAD_REPLY{'Connect-Info'} =~ /visitor/i) {
        $RAD_REPLY{'Tunnel-Private-Group-Id'} = "visitor0" . ($chksum_username % 8 + 1);
    } elsif ($RAD_REPLY{'Connect-Info'} =~ /staff/i) {
        $RAD_REPLY{'Tunnel-Private-Group-Id'} = "staff0" . ($chksum_username % 8 + 1);
    } elsif ($RAD_REPLY{'Connect-Info'} =~ /student/i) {
        $RAD_REPLY{'Tunnel-Private-Group-Id'} = "student0" . ($chksum_username % 8 + 1);
    }

    return RLM_MODULE_UPDATED;
}


Regards,
Ken

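Ken's recommendation, the deterministic hash of a static client parameter from the 2011-02-18 reply above and the checksum-and-modulo authorize function in this message, as an added example written for this page rather than taken from the thread. It assumes FreeRADIUS 2.x rlm_perl called from post-auth, a `Pool-Name` check item set from the directory lookup (an assumption; it would need a local dictionary entry), and pool names and sizes chosen for illustration. It differs from the posted function in two ways a practitioner would want: the identity is canonicalised before hashing, and the bucket comes from MD5 rather than Perl's `%32C*` unpack template, which is a 32-bit sum of the byte values rather than a CRC and so puts every permutation of the same characters in the same VLAN.

```perl
# Added example (not the poster's code): deterministic, pool-scoped VLAN selection
# for rlm_perl on FreeRADIUS 2.x.  Pool names and sizes, the Pool-Name check item
# and the VLAN naming scheme are assumptions for illustration only.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);   # populated by rlm_perl per request

use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

# VLANs available in each pool (assumed).
my %POOL_SIZE = (staff => 8, student => 8, visitor => 4);

# Same person, same key: lower-case and drop DOMAIN\ and @realm decorations,
# otherwise "Bob", "bob@realm" and "CAMPUS\bob" land in three different VLANs.
sub canonical_identity {
    my ($name) = @_;
    return undef unless defined $name;
    $name = lc $name;
    $name =~ s/\s+//g;
    $name =~ s/^.*\\//;        # DOMAIN\user -> user
    $name =~ s/\@.*$//;        # user@realm -> user
    return length($name) ? $name : undef;
}

# Same device, same key: 00-11-22-33-44-55, 0011.2233.4455 and 00:11:22:33:44:55
# all become 001122334455, so a roaming client keeps its VLAN across NAS vendors.
sub canonical_mac {
    my ($mac) = @_;
    return undef unless defined $mac;
    (my $hex = lc $mac) =~ s/[^0-9a-f]//g;
    return $hex =~ /^[0-9a-f]{12}$/ ? $hex : undef;
}

# Bucket 0..n-1 from the top 32 bits of MD5.  Any well-mixing hash will do; the
# point is that it is deterministic and not fooled by structured input such as
# sequential IDs, which is where a plain byte sum of the name falls down.
sub vlan_index {
    my ($key, $n) = @_;
    return hex(substr(md5_hex($key), 0, 8)) % $n;
}

# ("student", "s0001234") -> e.g. "student03"
sub vlan_name {
    my ($pool, $key) = @_;
    my $n = $POOL_SIZE{$pool} or return undef;
    return sprintf('%s%02d', $pool, vlan_index($key, $n) + 1);
}

# Pre-deployment check: per-VLAN counts for a list of keys, so the spread can be
# inspected against the real user population before anything goes live.
sub spread {
    my ($n, @keys) = @_;
    my @count = (0) x $n;
    $count[ vlan_index($_, $n) ]++ for @keys;
    return @count;
}

# rlm_perl entry point (func_post_auth = post_auth in modules/perl).
sub post_auth {
    # The pool is the access decision and must come from the directory lookup
    # (here the assumed Pool-Name check item), never from anything the client
    # sent: a user can pick a User-Name that hashes anywhere, but not the pool.
    my $pool = defined $RAD_CHECK{'Pool-Name'} ? lc $RAD_CHECK{'Pool-Name'} : 'visitor';

    my $key = canonical_identity($RAD_REQUEST{'Stripped-User-Name'})
           || canonical_identity($RAD_REQUEST{'User-Name'})
           || canonical_mac($RAD_REQUEST{'Calling-Station-Id'});
    return RLM_MODULE_NOOP unless defined $key;

    my $vlan = vlan_name($pool, $key) or return RLM_MODULE_NOOP;
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;
    return RLM_MODULE_UPDATED;
}

# Run directly ("perl vlan_hash.pl") to see the spread over a constructed population
# of 20000 sequential student IDs, the structured-username case discussed above.
if (!caller) {
    my @ids = map { sprintf('s%07d', $_) } 1 .. 20000;
    my @c   = spread($POOL_SIZE{student}, @ids);
    my ($min, $max) = (sort { $a <=> $b } @c)[0, -1];
    printf "per-VLAN counts: %s (min %d, max %d)\n", join(' ', @c), $min, $max;
}

1;
```

Run it directly to print the spread for the constructed population, and load it with `func_post_auth = post_auth` in modules/perl to use it. For PEAP or TTLS the outer User-Name is normally the anonymous identity, so call it from the inner-tunnel virtual server's post-auth with `use_tunneled_reply = yes` in eap.conf; otherwise the hash is of `anonymous@realm` rather than of the user, and every anonymous client lands in the same VLAN.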

Re: Hash username or mac address to assign user to different vlan

2011-02-17 Thread Kenneth Marshall
On Thu, Feb 17, 2011 at 02:26:14PM -0800, Brett Littrell wrote:
 I agree breaking the network up into separate VLANs then routing between 
 them would help with broadcasting but I do not agree that hashing values and 
 then using those hashing values as randomizing agents to distribute vlans. 
  There has to be a more elegant way to do this, I believe there is.
  
First off by randomizing what network a host is going to be on is going to 
 be extremely confusing when you try and troubleshoot other issues, for 
 instance a virus outbreak, now you have to figure out who is on what subnet 
 and who is sending what etc.. I can think of a lot of other issues that would 
 cause headaches, suffice to say it is not a good idea.
  
 The better way to do this is to break people up by some logical means, 
 such as Accounting, testing, personnel etc.  Then create groups and assign 
 group ids based on the users in those groups.  This gives the benefit of 
 segmenting and securing like minded traffic as well, maybe accounting can 
 only talk to accounting, personnel can only talk to these servers, or those 
 servers etc.  Of course you would have to route to other subnets if you want 
 them to talk but now you have control to say only this group of people can 
 talk to that group of people and not just open it up for everyone.  
  
 Even if you assign users by Group1, Group2, Group3 and you have a virus 
 outbreak now you can at least look at it and say right away all Group1 subnet 
 is crazy and have a list of all the stations/users in that group.
  
 Anyway, that is my 2 cents on the whole deal.
  
  
 Brett Littrell
 Network Manager
 MUSD
 CISSP, CCSP, CCVP, MCNE

I agree with you that random VLAN selection is not a good idea and it
wreaks havoc with most clients too. However, the problem we ran into was
balancing the usage of all of the VLANS to get both good performance and
minimize infrastructure costs. This can be done by assigning to groups
and then placing in the VLAN according to that group, but then you have
the problem of balancing the assignment to the named groups. In the end,
we used the hash function because it would deterministically assign a
user to a VLAN and balanced the hardware usage reasonably well. We used
the simple crc32, but a better hash function would distribute them even
better if all were connected simultaneously, but a crc32 was easy and
the size of the groups was within 10%. Calculating the group members
is easy, but they already have that information from VLAN/IP address of
the machine. It is also easy to have the network gear return who is
attached and what VLAN they are in. 

My 1.5 cents. :)

Ken
  
  On Thursday, February 17, 2011 at 11:26 AM, in message 
  fc9038-7cg@chipmunk.wormnet.eu, Alexander Clouter 
  a...@digriz.org.uk wrote:
 
 schilling schilling2...@gmail.com wrote:
  
  I get dynamic VLAN assignment working in post-auth section with 
  help/hints from a lot of list members. Now I want to do one more 
  steps. I would like to hash the username or mac-address to distribute 
  users to different VLANs. The idea is to use freeradius to spread the 
  load on different smaller subnets to reduce the broadcast in bigger 
  VLANs.
 
 You are however not reducing the broadcast domain, you might be 
 segregating the noise though.  If you have large L2 broadcast domains, 
 splitting people up into different VLAN's is not going to in effect 
 solve the problem.
 
 For background noise, you can actually reduce chatter by asking Windows 
 clients to disable NetBEUI via DHCP and configure switches/wifi to not 
 forward client-client traffic where appropriate.  For wireless networks 
 you can also kill a lot of multicast traffic (5353/udp is a good example 
 I would say).
 
 Another possible work around is that VLAN 'facstaff' at site A is not 
 the same broadcast domain at site B.
 
 Better still, L3 is the way to go.  We have and it solves a lot of 
 problems, although there is upfront migration pains.
 
  For example I want to do the following
   if ( "%{User-Name}" !~ /@/ ) {
       if ( "%{User-Name}" % 2 == 0 ) {
           update reply {
               Service-Type = Framed-User
               Tunnel-Type = VLAN
               Tunnel-Medium-Type = IEEE-802
               Tunnel-Private-Group-Id = "facstaff0"
           }
       }
       elsif ( "%{User-Name}" % 2 == 1 ) {
           update reply {
               Service-Type = Framed-User
               Tunnel-Type = VLAN
               Tunnel-Medium-Type = IEEE-802
               Tunnel-Private-Group-Id = "facstaff1"
           }
       }
   }
  
  Will I be able to do this in the post-auth with unlang?
 
 You probably would get better mileage calling on 'md5' xlat, I think 
 the following sort of thing will work:
 
 authorise {
   update reply {
 Service-Type := Framed-User
 Tunnel-Type := VLAN
 Tunnel-Medium-Type := 

Re: Crypt Passwords in SQL

2010-11-18 Thread Kenneth Marshall
On Wed, Nov 17, 2010 at 05:00:19PM -0500, William wrote:
 On Wednesday, November 17, 2010 04:24:32 pm Kenneth Marshall wrote:
  On Wed, Nov 17, 2010 at 04:15:47PM -0500, William wrote:
   Greetings,
   
 First, Thanks Alan DeKok.  That was exactly what I needed for
   
   NAS_Showt_Name.
   
 Second, I just discovered a new issue.  Not sure if this is a radius or
 a
   
   MySQL issue.
   
   When I crypt a password (MySQL CRYPT command) the password matches
   anything and everything that matches the first 8 characters of the
   password.
   
   Is this a limitation of Radius crypt or is it a Mysql crypt ?  I need 16+
   character password that match.
   
   Wm
  
  Crypt has an 8 character limit in its specification. Some screwy
  systems play tricks like using the first 7 chars + the last char
  of a string longer than 8 chars (MacOS) instead of just the first
  8, but it is still eight chars. You will need to use another
  encoding system for more characters.
  
 
 What attribute would I use instead of Crypt-Password ?  I tried MD5-Password 
 and a couple of others, but I can find no documentation on anything other 
 than 
 User-Password, Crypt-Password, ClearText-Password, and CHAP-Password.  
 
 Wm
 
Crypt-Password just holds the encrypted password. It is up to you
to properly encrypt the password and use it. You just cannot use
the MySQL crypt() function since it has an 8-char password limit.

Ken


Re: Crypt Passwords in SQL

2010-11-17 Thread Kenneth Marshall
On Wed, Nov 17, 2010 at 04:15:47PM -0500, William wrote:
 Greetings,
   First, Thanks Alan DeKok.  That was exactly what I needed for 
 NAS_Showt_Name.
 
   Second, I just discovered a new issue.  Not sure if this is a radius or a 
 MySQL issue.
 
 When I crypt a password (MySQL CRYPT command) the password matches anything 
 and everything that matches the first 8 characters of the password.  
 
 Is this a limitation of Radius crypt or is it a Mysql crypt ?  I need 16+ 
 character password that match.  
 
 Wm

Crypt has an 8 character limit in its specification. Some screwy
systems play tricks like using the first 7 chars + the last char
of a string longer than 8 chars (MacOS) instead of just the first
8, but it is still eight chars. You will need to use another
encoding system for more characters.

Cheers,
Ken

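Ken's point in both replies above (crypt truncates at 8 characters, so hash the password some other way and store the result in Crypt-Password), carried through as an added example that is not from the list posts. It generates the hash outside the database with a SHA-512 crypt (`$6$`) salt, reproduces the truncation William saw with a classic DES salt, and verifies the way rlm_pap does. It assumes a libc whose crypt(3) supports `$6$` (glibc and libxcrypt do); since rlm_pap hands the stored string back to crypt(3) as the salt, whatever the server's libc accepts will verify.

```perl
#!/usr/bin/perl
# Added example (not from the original posts): a Crypt-Password value that is
# checked in full, plus a demonstration of the 8-character DES truncation.
use strict;
use warnings;

# Random salt drawn from the crypt(3) alphabet; 16 characters is what SHA-crypt uses.
sub make_salt {
    my ($len) = @_;
    my @alphabet = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    open(my $rnd, '<', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    read($rnd, my $bytes, $len) == $len or die "short read from /dev/urandom";
    close $rnd;
    return join '', map { $alphabet[$_ % 64] } unpack('C*', $bytes);
}

# Value for radcheck: attribute "Crypt-Password", op ":=", value = this string.
sub hash_password {
    my ($password) = @_;
    my $hash = crypt($password, '$6$' . make_salt(16) . '$');
    die "this libc does not support SHA-512 crypt\n"
        unless defined $hash && $hash =~ /^\$6\$/;
    return $hash;
}

# The check rlm_pap performs for Crypt-Password: re-crypt with the stored hash
# as the salt and compare the result with what is stored.
sub password_matches {
    my ($password, $stored) = @_;
    my $h = crypt($password, $stored);
    return defined $h && $h eq $stored;
}

# Reproduce the symptom: with a two-character DES salt, crypt(3) keeps only the
# first 8 characters, so a 16-character password and a different one sharing its
# first 8 characters verify as equal.
sub des_truncates {
    my $des = crypt('correcthorsebatt', 'ab');
    return 'DES crypt not available on this libc'
        unless defined $des && length($des) == 13;
    return password_matches('correcthorseXXXX', $des)
        ? 'yes, only the first 8 characters are checked'
        : 'no';
}

if (!caller) {
    my $stored = hash_password('correcthorsebatt');
    print "store in radcheck.value (attribute Crypt-Password): $stored\n";
    printf "SHA-512 crypt: correct password %s, same first 8 chars %s\n",
        password_matches('correcthorsebatt', $stored) ? 'accepted' : 'rejected',
        password_matches('correcthorseXXXX', $stored) ? 'accepted' : 'rejected';
    print "DES crypt truncates: ", des_truncates(), "\n";
}
```

The printed hash goes into the table as `INSERT INTO radcheck (username, attribute, op, value) VALUES ('wm', 'Crypt-Password', ':=', '<hash>');`. One caveat for the thread's wider topic: Crypt-Password can only verify PAP, where the client sends the password itself; CHAP and MS-CHAPv2 need the server to hold Cleartext-Password or NT-Password, and no crypt-style hash can serve those.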

Re: Connecting the dots.

2010-09-15 Thread Kenneth Marshall
Many times this is caused by a software update to the system.
To figure out where the problem lies, you will need to follow
the very well documented procedure for debugging freeradius
if you do not have logs of what was updated on the system so
you can rollback the update(s).

Cheers,
Ken

On Wed, Sep 15, 2010 at 08:25:10PM +0100, Lance Haig wrote:
 Hi,
 
 We have implemented a freeradius server on ubuntu 10.04 connecting to AD on 
 windows 2003 to allow our users to auth against for wireless access.
 
 This morning it all broke. And we don't know why.
 
 So I started looking to build a new server to fault find.
 
 I am trying to find some documentation to help me.
 
 Looking through the wiki and Alan's website I found some documentation but it 
 does not quite match the files and config I find In the freeradius directory.
 
 I am not sure how best to continue, can someone tell me how these two 
 document sites match up?
 
 Thanks in advance
 
 Lance
 
 
 
 --
 Lance Haig
 Virtualisation Engineer
 
 Forward
 Floor 1, Centro 3
 19 Mandela Street
 London NW1 0DU
 
 T: 020 7121 1199
 F: 020 7121 1196
 M: 07786167805
 
 W: www.forward.co.uk
 
 
 This message contains confidential information and is intended only for
 the individual named. If you are not the named addressee you should not
 disseminate, distribute or copy this e-mail. Please notify Forward
 immediately by e-mail if you have received this e-mail by mistake and
 delete this e-mail from your system. E-mail transmission cannot be
 guaranteed to be secure or error-free as information could be
 intercepted, corrupted, lost, destroyed, arrive late or incomplete, or
 contain viruses. Forward does not accept liability for any errors
 or omissions in the contents of this message, which arise as a result of
 e-mail transmission. Opinions expressed in this email are those of
 Lance Haig, and do not necessarily reflect those of Forward.
 
 If verification is required please request a hard-copy version.
 
 Forward Internet Group, a company incorporated in England with
 registered company number 05199774.
 Registered address: 1 Conduit Street, London W1S 2XA, United Kingdom;
 VAT Number: 844386209.
 
 



Re: Freeradius capable of url-redirect

2010-09-08 Thread Kenneth Marshall
On Wed, Sep 08, 2010 at 10:25:41AM -0400, Nathan McDavit-Van Fleet wrote:
 Cisco has a feature to redirect users to a splash page after
 802.1x/WPA2-personal authentication. We are interested in this feature so we
 can notify users of our EAP-TTLS service that we are migrating to
 PEAP-MSCHAPv2.
  
 I have included the url for the configuration description (of Cisco ACS).
 But essentially there is a av-pair and url-redirect attribute which need to
 be configured on Cisco ACS (and some other wireless configs) in order to
 enable that option.  I am not talking about a captive portal. We want to
 display a info page for the users of a specific protocol. The document below
 describes that it happens after authentication and network access.
  
 http://www.cisco.com/en/US/products/ps6366/products_configuration_example091
 86a0080956185.shtml
  
 Is this handled somehow is Freeradius?

Per the included link:

You can specify the redirect page on the Remote Authentication Dial-In
User Service (RADIUS) server. The RADIUS server should be configured to
return the Cisco av-pair url-redirect RADIUS attribute to the Wireless
LAN Controller upon successful 802.1x authentication.

This is normal radius server functionality and is supported by
freeradius.

Cheers,
Ken

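One way to return that av-pair, as an added example that is not from the list posts. The URL is an assumption, and whether `EAP-Type` is still present in the request at this point for your server version should be confirmed in `radiusd -X` output before relying on it.

```unlang
# raddb/sites-enabled/default, FreeRADIUS 2.x
post-auth {
        # ... exec, sql etc. as before ...

        # Only clients that authenticated with the method being retired get
        # the notice; PEAP users are left alone.
        if (EAP-Type == TTLS) {
                update reply {
                        # The controller sends the client here once it is on the
                        # network.  "+=" adds the pair without disturbing any other
                        # Cisco-AVPair already in the reply.
                        Cisco-AVPair += "url-redirect=https://wifi.example.org/move-to-peap"
                }
        }
}
```

Keep the target on a host you run, over HTTPS: every matching user is sent there by the network itself immediately after joining, so it is a page they will trust without looking, and the controller will not check it for you.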

Re: Help

2010-07-13 Thread Kenneth Marshall
On Tue, Jul 13, 2010 at 11:58:53PM +0500, Jawad Khawaja wrote:
 Hi,
 
 I am using CentOS with Radius 1.1.3. it automatically stops working.
 and i do restart its services to restore its original state.. As if we do
 restart system's services 2 or three times, system starts working it has
 a very strange to us...
 
 what should i share to trouble shoot.
 
 Any suggestion will be appreciated. ...
 
 Regards
 James

I would recommend an upgrade to the latest release of freeradius.
They have fixed a large number of bugs and enhanced it in ways
that are not available in the 1.x release. We had similar hang
problems in the 1.x release and set up a nanny script to restart
it when it occurred. The 2.x release has not had this problem,
aside from having a much more manageable configuration.

Cheers,
Ken


Re: Radius freeze

2010-05-04 Thread Kenneth Marshall
On Tue, May 04, 2010 at 04:56:46PM +0200, Tokie wrote:
 Hi everyone,
 I'm using FreeRADIUS Version 1.1.7 with Mysql.
 I use for Hotspot system.
 
 All works fine, but after around one day without activity, the radius
 server don't answer.
 Therefore, if I restart (/etc/init.d/freeradius restart), all works ok!!
 
 I monitor with the command ps and just restart result:
 # ps ax | grep freeradius
 26118 ?        Ssl    0:00 /usr/sbin/freeradius
 
 Immediately after the connection of a hotspot's user:
 # ps ax | grep freeradius
 26118 ?        Ssl    0:00 /usr/sbin/freeradius
 26158 ?        Z      0:00 [freeradius] <defunct>
 
 What does this mean: [freeradius] <defunct>?
 
 If hotspot's user disconnect, nothing changes!!
 
 Could you help me??


Restarting the server is the appropriate measure to use to address
this problem. The better solution would be to upgrade to version 2.1.8
which fixes so many bugs...

Cheers,
Ken


Re: ..DBI.so: undefined symbol: PL_tainting at.. while perl script compilation

2009-06-19 Thread Kenneth Marshall
This looks like a problem with the packages and not
freeradius. Maybe log this problem with them?

Cheers,
Ken

On Fri, Jun 19, 2009 at 03:41:00PM +0200, Tomasz Kolaj wrote:
 Hello,
 
 After system upgrade perl script used to authenticate clients by postgres fail
 while radiusd is loading:
 
 (log also at http://pastebin.com/m46849dbe)
 
 
 
 
 baza raddb # radiusd -f
 Can't load '/usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux/auto/DBI/DBI.so'
 for module DBI:
 /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux/auto/DBI/DBI.so: undefined
 symbol: PL_tainting at /usr/lib64/perl5/5.8.8/x86_64-linux/DynaLoader.pm line
 230.
  at /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux/DBI.pm line 263
 BEGIN failed--compilation aborted at
 /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux/DBI.pm line 263.
 Compilation failed in require at /etc/raddb/example.pl line 6.
 BEGIN failed--compilation aborted at /etc/raddb/example.pl line 6.
 
 baza raddb # head -n 6 example.pl
 #!/usr/bin/perl
 
 
 use strict;
 #use Pg;
 use DBI;
 
 
 
 modules/perl file contains:
 perl {
 module = /etc/raddb/example.pl
 func_authenticate = authenticate
 func_authorize = authorize
 
 max_clones = 32
 start_clones = 32
 min_spare_clones = 0
 max_spare_clones = 32
 cleanup_delay = 5
 max_request_per_clone = 0
 }
 
 
 Reproducible: Always
 
 Steps to Reproduce:
 1.Upgrade system (perl, postgres, freeradius), do perl-upgrade all
 2.Configure freeradius to use example.pl as authenticate system
 3.run radiusd
 
 Actual Results:  
 Can't load '/usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux/auto/DBI/DBI.so'
 for module DBI:
 /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux/auto/DBI/DBI.so: undefined
 symbol: PL_tainting at /usr/lib64/perl5/5.8.8/x86_64-linux/DynaLoader.pm line
 230.
  at /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux/DBI.pm line 263
 BEGIN failed--compilation aborted at
 /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux/DBI.pm line 263.
 Compilation failed in require at /etc/raddb/example.pl line 6.
 BEGIN failed--compilation aborted at /etc/raddb/example.pl line 6.
 
 
 Regards,
 -- 
 Tomasz Kolaj
 ABP Computer


Re: FR Using MAC Authentication

2009-05-08 Thread Kenneth Marshall
On Fri, May 08, 2009 at 11:35:20AM -0400, Steve Wu wrote:
 Hi - 
 
 I have just started tinkering with Freeradius, I built an Ubuntu 8.10 server 
 box and installed FR -- sudo apt-get install freeradius*. It installed in a 
 breeze and tested fine. I have setup a HP420 AP for testing, it's chattering 
 with the FR box fine (I think). 
 
 I want my wireless clients to do MAC authentication via the FR box. I have 
 setup my users file to auth two of my test laptops: 
 
 000E35-84610A Auth-Type := Local, User-Password == esradius 
 00215C-08B25D Auth-Type := Local, User-Password == esradius 
 
 When either tries to connect up, in the FR debug I see: 
 
 rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53 
 User-Name = 00215c-08b25d 
 User-Password = 00215c-08b25d 
 Processing the authorize section of radiusd.conf 
 
 The authentication eventually fails: 
 
 rlm_pap: WARNING! No known good password found for the user. Authentication 
 may fail because of this. 
 
 Why is the User-Password the MAC address and not what is specified in the 
 users file? I have only tweaked the users and clients.conf files. 
 

That is what MAC authentication is, if the MAC is in the list it can
connect.

Cheers,
Ken

 Just simple MAC authentication, that's all I want at this point. 
 
 Thanks in advance! 
 
 - Steve 
 
 
 



Re: Help with initial setup Sita--Ext. Radius--Int.Radius--AD

2009-04-16 Thread Kenneth Marshall
On Thu, Apr 16, 2009 at 09:41:21AM -0400, Podlazov, Lev wrote:
 Good morning ,
 
 Our organization is trying to set Wireless Users authentication via AD
 with Radius in between.  The reason for Ext. and Int. Radius based on
 our security group recommendations. 
 I've installed freeradius-1.1.3 from RedHat . It's up on both Ext and
 Int boxes. I was able to run radtest and radclient locally on both
 machines but when I am trying to run them from Ext to Int I am getting
 these errors
 radclient: no response from server for ID 174 . 
 I've set access for all users in /etc/raddb/users and defined clients in
 /etc/raddb/clients.conf  according to documentation. 
 I am totally new to Radius and this point I am lost what to try next.
 Any help greatly appreciated
 
 Thanks 
 
 Lev Podlazov 
 IMF 
 202-623-4054

Wow, I would really recommend using the latest 2.x release or if you
absolutely have to use 1.x use version 1.1.7. The 2.x is much easier
to use.

Cheers,
Ken


Re: Production servers num_sql_socks

2009-03-06 Thread Kenneth Marshall
On Thu, Mar 05, 2009 at 09:19:19AM -0600, Ben Wiechman wrote:
 We set num_sql_socks to 25. We had them set to 10 but ran into issues when
 massive numbers of subscribers were attempting to enter the network at once
 - for example when we would power cycle a base station with 400 subscribers
 on it for maintenance. 
 
 Ben Wiechman
 
 
 
  
 
 From: freeradius-users-bounces+ben=wisper-wireless@lists.freeradius.org
 [mailto:freeradius-users-bounces+ben=wisper-wireless@lists.freeradius.org] On Behalf Of Stelio Gouveia
 Sent: Thursday, March 05, 2009 8:55 AM
 To: freeradius-users@lists.freeradius.org
 Subject: Production servers num_sql_socks
 
  
 
 I've read a few posts about increasing this value when "There are no DB
 handles to use" occurs. Not sure if it's a good idea.
 
 Granted your DB is fast enough to query quickly.
 Upping this value on a slow DB will severely degrade performance.
 
 What's sort of values are you guys using for production servers?
 
 -- 
 Regards
 Stelio Gouveia

The value depends on three inter-dependent factors:

1. the time to answer a query by your DB backend
2. how many queries can be handled reasonably by your backend
3. your request rate

Typically, there is a sweet spot, performance-wise for this
setting. If your backends are not available when needed, you
will have people unable to connect. If you increase the number
above which your backend DB can safely handle, you will have
a total service outage in a high load situation. A load test
with your setup is the best option. Good luck.

Cheers,
Ken


Re: FreeRADIUS + MSCHAPv2 + Vista

2009-01-23 Thread Kenneth Marshall
On Fri, Jan 23, 2009 at 08:55:32AM +0100, Alan DeKok wrote:
 Tim Gustafson wrote:
  I am running FreeRADIUS on FreeBSD 7.1 for my Cisco wireless APs to 
  authenticate against.  The clients are using MSCHAPv2 and XP and Mac OSX 
  (as well as several wireless devices like iPhones and so on) are able to 
  authenticate against the WAPs just fine, but Vista is failing.  In my log I 
  have:
  
  Auth: Login OK: [test] (from client ucsc-60-40 port 0 via TLS tunnel)
  Auth: Login incorrect: [test/via Auth-Type = EAP] (from client foo port 
  519 cli ..)
 
   Don't look at radius.log to debug problems.  Run in debugging mode.
 
  I Googled for Vista/FreeRADIUS/MSCHAPv2 and found some kerfuffle about 
  there being problems with FreeRADIUS 1.1.3, but I'm running 2.0.5 so I'm 
  assuming that my server is not affected by the 1.1.3 problem.  The 
  kerfuffle seemed to be related to a TLS problem, and based on the log 
  entries above, it seems to me that the TLS tunnel is working fine, but the 
  encapsulated packet is not.
 
   Don't guess.  Run in debugging mode and be sure.
 
  Incidentally, we also tried on a Windows 7 Beta machine, which experienced 
  the exact same symptoms as the Vista machine.
  
  Also, this set-up was working in December and then stopped working 
  somewhere along the way.  I'm wondering if perhaps Microsoft release some 
  sort of fix since then that actually broke something.
 
   They have been known to do that.  They make gratuitous changes to the
 clients to ensure that they break compatibility with *all* non-MS RADIUS
 servers.  They've done this multiple times.
 
  And, just to be complete about it, if we point the WAP to an Active 
  Directory RADIUS server the set-up works as-is.
 
   Of course!  Microsoft is compatible with themselves.
 
  Any ideas what might be going on?
 
   Post the full debugging output.
 
   Alan DeKok.
 
For what it is worth, we are running Freeradius 2.1.3 using Cisco
wireless APs with PEAP/MSCHAPv2 and TTLS/PAP and are not having any
problems. I will say, that the full debug output is very useful in
determining any problems and how to resolve them.

Cheers,
Ken


Re: switch/case in radiusd.conf (was: ldap backend and Realm)

2008-11-18 Thread Kenneth Marshall
man unlang

Ken

On Tue, Nov 18, 2008 at 01:51:11PM +0100, Edgar Fuß wrote:
 switch %{Realm} {
case domain1 {
 I'm admittedly feeling totally stupid, but is this syntax documented 
 anywhere?




Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-18 Thread Kenneth Marshall
See:

http://deployingradius.com/documents/protocols/oracles.html

Ken

On Tue, Nov 18, 2008 at 01:29:48PM -0800, Tim Gustafson wrote:
 Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports is 
 more up-to-date than the CentOS Yum repositories apparently).
 
 However, upon reading the documentation in modules/ldap, I see this:
 
 #  However, LDAP can be used for authentication ONLY when the
 #  Access-Request packet contains a clear-text User-Password
 #  attribute.  LDAP authentication will NOT work for any other
 #  authentication method.
 #
 #  This means that LDAP servers don't understand EAP.  If you
 #  force Auth-Type = LDAP, and then send the server a
 #  request containing EAP authentication, then authentication
 #  WILL NOT WORK.
 
 So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I 
 missing something again?
 
 Tim Gustafson
 SOE Webmaster
 UC Santa Cruz
 [EMAIL PROTECTED]
 831-459-5354
 


Re: How to link radiusd statically?

2008-08-05 Thread Kenneth Marshall
On Tue, Aug 05, 2008 at 04:40:05PM +0200, Alan DeKok wrote:
 [EMAIL PROTECTED] wrote:
  I would like to build radiusd with all necessary libraries statically linked
  in. I have tried the following command
  
  ./configure --enable-shared=no --enable-static=yes
 
   That should work *if* you have static libraries available.
 
  During linking phase, there are a bunch of problems; 1. libperl.a is not
  found (that has been fixed by downloading Perl 5.8.8 and building it
  locally); 2. many undefined functions, mainly in libkrb5.a
 
   Exactly.  Your OS has not supplied static libraries.  I suggest
 removing the modules you don't need, as that may help.  i.e. If you
 don't need kerberos, just rm -rf src/modules/rlm_krb5.
 
  Is this a way to go? Has anyone successfully built freeradius 2.0.5 with
  static linkage?
 
   A number of times.  Usually with various amounts of fighting the OS.
 
   I have no idea why vendors don't supply static libraries.  It's not
 like disk space is expensive these days.
 
   Alan DeKok.

One big benefit of dynamic libraries is the ability to update a single
library and not need to recompile all the dependent software again. Also,
for completely valid reasons static libraries that use similar software
sub-components (zlib for example) will cause the statically linked application
to segfault if the version differs. Using the dynamic libraries also allows
the system to share common libraries amongst all running programs and make
more efficient use of machine resources. In the worst cases, a static executable
can cause a machine to swap/page where a dynamic version has no problems with
the same resources. I think for a combination of these and other reasons, many
vendors prefer dynamic libraries. Good luck with your static build, as Alan
states it may take some trial-and-error to get it to work. Our approach here
has been to localize all of the dependent dynamic libraries within the
software application directory. This simplifies the build/update process
by compartmentalizing the software from the normal system libraries and
makes it less susceptible to failure following an OS update.

My two cents,
Ken


Re: high performance FR installation and unfinished requests

2008-06-17 Thread Kenneth Marshall
Your response time must always be fast enough. If the DB lags
at any time you will have the timeout problem. Typically, this
can occur during checkpoints or other heavy I/O periods. What
is the response time under load?

Ken

On Tue, Jun 17, 2008 at 03:08:39PM +0200, Michael Schwartzkopff wrote:
 On Tuesday, 17 June 2008 at 15:00, Ivan Kalik wrote:
  200 requests per second is not much for freeradius but it's a lot for
  the database. It's highly likely that the database can't cope.
 
 We check this. DB response 3ms and the DB has 1000 threads. So no problem 
 here.
 
 -- 
 Dr. Michael Schwartzkopff
 MultiNET Services GmbH
 Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
 Tel: +49 - 89 - 45 69 11 0
 Fax: +49 - 89 - 45 69 11 21
 mob: +49 - 174 - 343 28 75
 
 mail: [EMAIL PROTECTED]
 web: www.multinet.de
 
 Registered office: 85630 Grasbrunn
 Commercial register: Amtsgericht München HRB 114375
 Managing directors: Günter Jurgeneit, Hubert Martens
 
 ---
 
 PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
 Skype: misch42
 
 


Re: freeradius and active directory

2007-12-20 Thread Kenneth Marshall
On Thu, Dec 20, 2007 at 09:44:25PM +0100, Rutger Beyen wrote:
 Hello,
 I'm very glad I found a list like this. I hope some of you can help me with
 this problem.
  
 I want to set up a project with 802.1X, so users accessing my cisco switch
 first have to log on. I found out that I could use freeradius for this. But
 what I want to do is verify if the credentials entered by the user (on a
 WinXP) are correct, by checking with the Active Directory on a
 Win2003Server. Using  Ntlm_auth from the samba server is not an option. I
 want to access the AD with the ldap protocol for compatibility reasons.
 Next, I want to place the logged on user is a specific VLAN. So I have to
 retrieve the user's vlan from the AD. Is there any way to configure
 freeradius to do so? I would like to base the vlan on the OU of the person
 in the AD.
 Can you please provide me with the necessary steps to accomplish this?
  
  
 Thank you very much,
 Rutger

Rutger,

I think that if you do not use ntlm_auth, you will need a 3rd party
supplicant for the Windows boxes. You probably will need to use ntlm_auth
and also bind to AD using the LDAP protocol to lookup the OU/VLAN.

Ken


Re: 802.1x kerberos

2007-10-11 Thread Kenneth Marshall
On Thu, Oct 11, 2007 at 11:28:36AM -0400, Lisa Besko wrote:
 Thanks for the help so far.  Part of the problem is we have probably tried 
 so many things that we probably messed something up along the way and don't 
 remember what it is.

 I think I have all the right stuff in the config files.  I'll do a little 
 cut and paste here and maybe you will spot something I missed.

 radius.conf (and all the eap parts are uncommented as well):

 modules {
 ..
  krb5 {
 # keytab containing the key used by rlm_krb5
 keytab = /usr/local/raddb/nmserv.keytab

 # principal that is used by rlm_krb5
 #service_principal = host/[EMAIL PROTECTED]
 }
 .

 pap {
 auto_header = yes
 }
 
 }

 authenticate {
 Auth-Type PAP {
 pap
 }

 Auth-Type kerberos {
krb5
 }
 }

I think this should be Kerberos and not kerberos.

Ken


 ---
 eap.conf:
  eap {
  default_eap_type = ttls
   md5 {
 }

 tls {
  private_key_password = whatever
  private_key_file = ${raddbdir}/certs/cert-srv.pem
  certificate_file = ${raddbdir}/certs/cert-srv.pem
  CA_file = ${raddbdir}/certs/demoCA/cacert.pem
  dh_file = ${raddbdir}/certs/dh
  random_file = ${raddbdir}/certs/random
 }

 ttls {

 default_eap_type = md5
 copy_request_to_tunnel = yes
 use_tunneled_reply = yes
 }
 }



 users:
 DEFAULT Freeradius-Proxied-To == 127.0.0.1
  Fall-Through = Yes

 DEFAULT Auth-Type := Kerberos
 Fall-Through = 1


 Debug out put at the moment:

 rlm_realm: Looking up realm msu.edu for User-Name = [EMAIL PROTECTED]
 rlm_realm: Found realm MSU.EDU
 rlm_realm: Adding Stripped-User-Name = testuser
 rlm_realm: Proxying request from user testuser to realm MSU.EDU
 rlm_realm: Adding Realm = MSU.EDU
 rlm_realm: Authentication realm is LOCAL.
   modcall[authorize]: module suffix returns noop for request 4
   rlm_eap: EAP packet type response id 1 length 18
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 4
 users: Matched entry DEFAULT at line 10
   modcall[authorize]: module files returns ok for request 4
 rlm_pap: WARNING! No known good password found for the user. 
 Authentication may fail because of this.
   modcall[authorize]: module pap returns noop for request 4
 modcall: leaving group authorize (returns updated) for request 4
   rad_check_password:  Found Auth-Type Kerberos
 auth: type Kerberos
   Processing the authenticate section of radiusd.conf
 modcall: entering group kerberos for request 4
 rlm_krb5: Attribute User-Password is required for authentication.
   modcall[authenticate]: module krb5 returns invalid for request 4
 modcall: leaving group kerberos (returns invalid) for request 4
 auth: Failed to validate the user.


 [EMAIL PROTECTED] wrote:

 No. You don't need to use the users file for the userid/password. You 
 simply need to ensure that the krb5 module is in the Authorize
 section and that you have PAP enabled... and that you are using EAP-TTLS
 with PAP inner method.
 So your FR config needs at least the following configs...
 radiusd.conf
 in the authorize section
 krb5 {
 }
 in the authenticate section (radiusd.conf for 1.1.x, sites-enabled/default 
 for 2.x)
 Auth-Type krb5 {
 krb5
 }
 you MAY configure krb5 in radiusd; we haven't found this actually
 necessary(!)
 #   krb5 {
 #   keytab = /path/to/keytab
 #   service_principal = name_of_principle
 #   }
 Finally, if you are facing issues and you don't help by supplying a log 
 file, then please ensure that your RADIUS request isn't being b0rked
 by something in the users file eg
 DEFAULT Auth-Type = System
 you can at least change this to
 DEFAULT Auth-Type = krb5
 just for checking(!!)
 alan

 -- 
 Lisa Besko



Authorize after checking an LDAP attribute value

2007-07-27 Thread Kenneth Marshall
Dear Freeradius users:

I am trying to set up my authentication to allow only users
with a particular value of a particular LDAP attribute to login.
I am using freeradius 1.1.7 and I have the authentication
going against Kerberos but I do not know how to have the
radius server check the value of the attribute before allow
access. If they are not in the group, it should send back the
reject packet. Does anyone know how to perform a check item
check against a particular LDAP attribute? Here is how I can
set an attribute to the value and it works correctly:

DEFAULT Auth-Type = Kerberos, NAS-IP-Address == 1.2.3.4, NAS-Port == 10
Connect-Info = %{ldap:ldap:///dc=test,dc=com?testValue?sub?uid=%u};

Any suggestions would be appreciated.

Regards,
Ken Marshall


Re: SQLIPPool performance issue

2007-07-26 Thread Kenneth Marshall
Roy,

The obvious really bad ones I have noted below.

Ken

On Thu, Jul 26, 2007 at 12:57:15PM -0500, Roy Walker wrote:
 Here is the config lines:
 
 max_connections = 100
 shared_buffers = 400MB

Could be as much as 25% of RAM or 2GB.

 temp_buffers = 32MB
 work_mem = 1MB

Running EXPLAIN ANALYZE for the logged queries will let you
know if this value is too small. In particular, it is used to
evaluate whether or not a hash/merge join can be used. You
may need to raise it depending on what your query analysis
shows.

 maintenance_work_mem = 128MB

Bump this up to 256MB or 512MB or more. Otherwise maintenance
actions can become disk I/O bound.

 max_fsm_pages = 204800

This needs to be large enough to handle the size of your DB.

 
 Didn't change any of these as for my testing I don't have autovacuum
 enabled.

You definitely need to enable autovacuum. Poor plans due to poor
statistics can hamstring your performance.

 #vacuum_cost_delay = 0  # 0-1000 milliseconds
 #vacuum_cost_page_hit = 1   # 0-1 credits
 #vacuum_cost_page_miss = 10 # 0-1 credits
 #vacuum_cost_page_dirty = 20# 0-1 credits
 #vacuum_cost_limit = 200# 0-1 credits
 

You may need the bgwriter to smooth out checkpoint I/O. Check
to see if you are getting checkpoint errors in your logs.

 #bgwriter_delay = 200ms # 10-1ms between rounds
 #bgwriter_lru_percent = 1.0 # 0-100% of LRU buffers
 scanned/round
 #bgwriter_lru_maxpages = 5  # 0-1000 buffers max
 written/round
 #bgwriter_all_percent = 0.333   # 0-100% of all buffers
 scanned/round
 #bgwriter_all_maxpages = 5  # 0-1000 buffers max
 written/round
 
 #wal_buffers = 64kB

Bump this to 256kB.

 
 #commit_delay = 0   # range 0-10, in
 microseconds
 #commit_siblings = 5# range 1-1000
 
 checkpoint_segments = 32# in logfile segments, min 1,
 16MB each
 #checkpoint_timeout = 5min  # range 30s-1h
 
 #random_page_cost = 4.0
 
 autovacuum = off# enable autovacuum subprocess?

Should be on.

 # 'on' requires
 stats_start_collector
 # and stats_row_level to also be
 on

On, and stats_row_level should be on too.

 #autovacuum_naptime = 1min  # time between autovacuum runs
 #autovacuum_vacuum_threshold = 500  # min # of tuple updates before
 # vacuum
 #autovacuum_analyze_threshold = 250 # min # of tuple updates before
 # analyze
 #autovacuum_vacuum_scale_factor = 0.2   # fraction of rel size before
 # vacuum
 #autovacuum_analyze_scale_factor = 0.1  # fraction of rel size before
 # analyze
 #autovacuum_freeze_max_age = 2  # maximum XID age before forced
 vacuum
 # (change requires restart)
 #autovacuum_vacuum_cost_delay = -1  # default vacuum cost delay for
 # autovacuum, -1 means use
 # vacuum_cost_delay
 #autovacuum_vacuum_cost_limit = -1  # default vacuum cost limit for
 # autovacuum, -1 means use
 # vacuum_cost_limit
 
 -Original Message-
 From:
 [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 s.org] On Behalf Of Peter Nixon
 Sent: Thursday, July 26, 2007 9:53 AM
 To: FreeRadius users mailing list
 Subject: Re: SQLIPPool performance issue
 
 On Thu 26 Jul 2007, Kenneth Marshall wrote:
  Roy,
 
  It sounds like you may need to adjust the DB parameters. The defaults,
  even in 8.2, are still fairly conservative. Would you post your
 current
  settings for things like:
 
  max_connections
  shared_buffers
  work_mem
  maintenance_work_mem
  max_fsm_pages
  vacuum_cost_*
  bgwriter_*
  wal_buffers
  commit_delay
  commit_siblings
  checkpoint_segments
  checkpoint_timeout
  random_page_cost
  effective_cache_size
  autovacuum
  autovacuum_*
 
  Basically, anything you have changed from the default configuration
  file. Proper choices for these parameters can make a huge difference
  in baseline performance.
 
 Yep. My guess is, on that box, if he is running a default Postgresql
 config 
 he should get 10-100 times greater performance after tuning it correctly
 for 
 the ram and cpu setup..
 
 Cheers
 
 -- 
 
 Peter Nixon
 http://peternixon.net/
 
 


Re: SQLIPPool performance issue

2007-07-26 Thread Kenneth Marshall
Roy,

It sounds like you may need to adjust the DB parameters. The defaults,
even in 8.2, are still fairly conservative. Would you post your current
settings for things like:

max_connections
shared_buffers
work_mem
maintenance_work_mem
max_fsm_pages
vacuum_cost_*
bgwriter_*
wal_buffers
commit_delay
commit_siblings
checkpoint_segments
checkpoint_timeout
random_page_cost
effective_cache_size
autovacuum
autovacuum_*
 
Basically, anything you have changed from the default configuration
file. Proper choices for these parameters can make a huge difference
in baseline performance.

Ken

On Wed, Jul 25, 2007 at 11:27:53PM -0500, Roy Walker wrote:
 Ok, changing the indexes definitely made some difference.  The database load 
 still went off the charts, but the radius logs were much better with regard 
 to DB connect errors.  This still seems horribly slow.
  
 I can take it down to 2 simultaneous connections on the radclient test and 
 will still get some IP Allocation FAILED (although way less than I was) 
 messages in the radius logs.  With only 2 simultaneous connections the DB 
 load hovers around 1 so that seems fine.
  
 Here is the command I am using to test: /radclient -p 2 -d 
 /usr/src/freeradius-server-snapshot-20070725/share -f /tmp/radclient-test 
 1.1.1.10 auth testing123
 Where the radclient-test file has 5000 client requests separated by the 
 necessary blank lines.
  
 I guess I will spend some time tomorrow and enable postgres query logging.  I 
 already have an idea of what I am going to find, there is just an insane 
 number of queries running per auth request and the subsequent IP allocation...
  
 Peter: If you can share any query changes you have, I would be most 
 appreciative.
  
 Roy
 
  
 
 
 From: [EMAIL PROTECTED] on behalf of Peter Nixon
 Sent: Wed 7/25/2007 6:30 PM
 To: FreeRadius users mailing list
 Subject: Re: SQLIPPool performance issue
 
 
 
 Hi Roy
 
 The default indexes are:
 
 CREATE INDEX radippool_poolname_ipaadr ON radippool USING btree (pool_name,
 framedipaddress);
 CREATE INDEX radippool_poolname_expire ON radippool USING btree (pool_name,
 expiry_time);
 CREATE INDEX radippool_nasipaddr_poolkey ON radippool USING btree
 (nasipaddress, pool_key);
 CREATE INDEX radippool_nasipaddr_calling ON radippool USING btree
 (nasipaddress, callingstationid);
 
 After reading though them, I think they need some work... (My production
 queries are a little different and so are my indexes)
 
 I think a better index set would be:
 
 CREATE INDEX radippool_poolname_expire ON radippool USING btree (pool_name,
 expiry_time);
 CREATE INDEX radippool_framedipaddress ON radippool USING btree
 (framedipaddress);
 CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool USING btree
 (nasipaddress, pool_key, framedipaddress);
 
 Therefore, please run the following on your postgresql database, and report
 back to me what difference it makes:
 
 DROP INDEX radippool_poolname_ipaadr;
 DROP INDEX radippool_nasipaddr_poolkey;
 DROP INDEX radippool_nasipaddr_calling;
 CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool USING btree
 (nasipaddress, pool_key, framedipaddress);
 CREATE INDEX radippool_framedipaddress ON radippool USING btree
 (framedipaddress);
 
 Cheers
 
 Peter
 
 On Thu 26 Jul 2007, Roy Walker wrote:
  Using freeradius-server-snapshot-20070705.
 
  I have setup a test scenario where radclient is sending 500 simultaneous
  requests to the radius server.  This drives the load on the radius and
  postgres database to pretty much max.  The Postgres database is an 8
  Core (4 dual cpu) Sun Opteron with 8g of ram and 3 x 15k SAS drives on
  an LSI Megaraid controller.  So the database box is a decent machine.
 
  Here is the indexes on the postgres database:
  radius=# \di
 List of relations
   Schema |Name | Type  | Owner  | Table
  +-+---++---
   public | badusers_incidentdate_idx   | index | dialup | badusers
   public | badusers_pkey   | index | dialup | badusers
   public | badusers_username_idx   | index | dialup | badusers
   public | mtotacct_acctdate_idx   | index | dialup | mtotacct
   public | mtotacct_nasipaddress_idx   | index | dialup | mtotacct
   public | mtotacct_pkey   | index | dialup | mtotacct
   public | mtotacct_username_idx   | index | dialup | mtotacct
   public | mtotacct_userondate_idx | index | dialup | mtotacct
   public | nas_nasname | index | dialup | nas
   public | nas_pkey| index | dialup | nas
   public | radacct_active_user_idx | index | dialup | radacct
   public | radacct_pkey| index | dialup | radacct
   public | radacct_start_user_idx  | index | dialup | radacct
   public | radcheck_pkey   | index | dialup | radcheck
   public | radcheck_username   | index | dialup | radcheck
   

Re: SQLIPPool performance issue

2007-07-25 Thread Kenneth Marshall
Mr. Walker,

It sounds as if you need to tune your postgresql installation.
By the way, postgresql 8.2.4 will out perform 8.1.9. You should
probably turn on query logging and see what the queries are and
if they can be optimized. Maybe you are missing an index or two,
although you may just have too little I/O capacity. Good luck.

Ken

On Wed, Jul 25, 2007 at 01:19:04PM -0500, Roy Walker wrote:
 I am having a problem with the SQLIPPOOL performance.  This is migration
 of an existing radius server using flat user files (old server is
 running radius 1.1.0).
 
  
 
 Running freeradius-server-snapshot-20070705 on a P4 2.8GHZ machine
 
 Database is Postgres 8.1.9 running on a monstrous Sun Opteron machine.
 
  
 
 When radius starts taking requests (it's  a lot of requests, about
 500/sec), the load on the radius server spikes to 100 and it eventually
 stops taking requests completely.  The database is never above 0.05
 load.
 
  
 
 I see messages like these in the radius logs:
 
 Wed Jul 25 10:29:15 2007 : Info: IP Allocation FAILED from general_pool
 (did slogic.t-mobile.com cli 14696841693 port 0 user 14696841693)
 
 Wed Jul 25 10:29:15 2007 : Info: IP Allocation FAILED from general_pool
 (did slogic.t-mobile.com cli 19723023688 port 0 user 19723023688)
 
 Wed Jul 25 10:29:15 2007 : Info: IP Allocation FAILED from general_pool
 (did slogic.t-mobile.com cli 14696845996 port 0 user 14696845996)
 
 Wed Jul 25 10:29:15 2007 : Info: IP Allocation FAILED from general_pool
 (did slogic.t-mobile.com cli 14696846177 port 0 user 14696846177)
 
 Wed Jul 25 10:29:15 2007 : Info: IP Allocation FAILED from general_pool
 (did slogic.t-mobile.com cli 14696825390 port 0 user 14696825390)
 
 Wed Jul 25 10:29:15 2007 : Info: IP Allocation FAILED from general_pool
 (did slogic.t-mobile.com cli 14694415538 port 0 user 14694415538)
 
 Wed Jul 25 10:29:15 2007 : Info: IP Allocation FAILED from general_pool
 (did slogic.t-mobile.com cli 14696883664 port 0 user 14696883664)
 
 Wed Jul 25 10:29:15 2007 : Info: IP Allocation FAILED from general_pool
 (did slogic.t-mobile.com cli 12149915071 port 0 user 12149915071)
 
 Wed Jul 25 10:29:15 2007 : Info: IP Allocation FAILED from general_pool
 (did slogic.t-mobile.com cli 19728908614 port 0 user 19728908614)
 
 Wed Jul 25 10:29:15 2007 : Info: IP Allocation FAILED from general_pool
 (did slogic.t-mobile.com cli 19723023948 port 0 user 19723023948)
 
 Wed Jul 25 10:29:15 2007 : Error: Discarding duplicate request from
 client nas01 port 1812 - ID: 102 due to unfinished request 3988
 
 Wed Jul 25 10:29:15 2007 : Error: Discarding duplicate request from
 client nas01 port 1812 - ID: 62 due to unfinished request 3987
 
 Wed Jul 25 10:29:15 2007 : Error: Discarding duplicate request from
 client nas01 port 1812 - ID: 116 due to unfinished request 3989
 
 Wed Jul 25 10:29:15 2007 : Error: Discarding duplicate request from
 client nas01 port 1812 - ID: 121 due to unfinished request 3990
 
 Wed Jul 25 10:29:15 2007 : Error: Discarding duplicate request from
 client nas01 port 1812 - ID: 26 due to unfinished request 3991
 
 Wed Jul 25 10:29:15 2007 : Info: rlm_sql (sql): There are no DB handles
 to use! skipped 0, tried to connect 0
 
 Wed Jul 25 10:29:15 2007 : Info: rlm_sql (sql): There are no DB handles
 to use! skipped 0, tried to connect 0
 
 Wed Jul 25 10:29:15 2007 : Info: rlm_sql (sql): There are no DB handles
 to use! skipped 0, tried to connect 0
 
 Wed Jul 25 10:29:15 2007 : Info: rlm_sql (sql): There are no DB handles
 to use! skipped 0, tried to connect 0
 
 Wed Jul 25 10:29:15 2007 : Info: rlm_sql (sql): There are no DB handles
 to use! skipped 0, tried to connect 0
 
 Wed Jul 25 10:29:15 2007 : Info: rlm_sql (sql): There are no DB handles
 to use! skipped 0, tried to connect 0
 
 Wed Jul 25 10:29:15 2007 : Info: rlm_sql (sql): There are no DB handles
 to use! skipped 0, tried to connect 0
 
 Wed Jul 25 10:29:15 2007 : Info: rlm_sql (sql): There are no DB handles
 to use! skipped 0, tried to connect 0
 
 Wed Jul 25 10:29:15 2007 : Info: rlm_sql (sql): There are no DB handles
 to use! skipped 0, tried to connect 0
 
 Wed Jul 25 10:29:15 2007 : Info: rlm_sql (sql): There are no DB handles
 to use! skipped 0, tried to connect 0
 
 Wed Jul 25 10:29:15 2007 : Error: Discarding duplicate request from
 client nas01 port 1812 - ID: 105 due to unfinished request 3992
 
 Wed Jul 25 10:29:15 2007 : Error: Discarding duplicate request from
 client nas01 port 1812 - ID: 74 due to unfinished request 3993
 
 Wed Jul 25 10:29:15 2007 : Error: Discarding duplicate request from
 client nas01 port 1812 - ID: 29 due to unfinished request 3994
 
 Wed Jul 25 10:29:15 2007 : Info: rlm_sql (sql): There are no DB handles
 to use! skipped 0, tried to connect 0
 
 Wed Jul 25 10:29:15 2007 : Auth: Login OK: [12146063348] (from client
 nas01 port 0 cli 12146063348)
 
  
 
 I have tried playing with the numbers of threads (I used the current
 radius servers setting to start) and the results are the same.
 
  
 

redundancy/failover support for LDAP xlat

2007-03-07 Thread Kenneth Marshall
Dear FreeRADIUS users,

I am working on setting up LDAP failover for my radius servers.
I currently have two instances defined in the modules section:

ldap ldap1 {...}
ldap ldap2 {...}

and have a redundant section in authorize:

redundant {
  ldap1
  ldap2
}

This is correctly making the connection to the ldap server.
However, in the users file I am using the ldap_xlat process
to send the appropriate Class definition back to the network
gear:

DEFAULT Auth-Type = Kerberos, NAS-IP-Address == x.y.z.g
	Class = OU=%{ldap:ldap:///dc=rice,dc=edu?Class?sub?uid=%u};

The problem is that this does not work unless I define a specific
instance for the xlat process. This does not allow it to failover to
the working server. Does anyone have any ideas about how to implement
such functionality?

Ken Marshall



Re: Hibernating: Major impact on authentication!

2007-02-06 Thread Kenneth Marshall
On Tue, Feb 06, 2007 at 09:14:47AM +, Phil Mayers wrote:
 Kenneth Marshall wrote:
  Mr. Franco,
  
  I have not looked at the DB connection code, but is there a connection
  timer on the DB connection? That is, does the connection get dropped
 
 No
 
  If the latter, the problem could be that the long running connections
  are not allowing the indexes and table spaces to be maintained properly.
  This could cause bloat and performance problems over time. After a
 
 At least on Postgres, this is NOT correct.
 
 Open *transactions* block such activity. However the base rlm_sql 
 doesn't use transactions because they're un-needed, and the 
 rlm_sql_ippool module executes very short running transactions indeed.
 
 I believe the OP is running Postgres, but if anyone finds themselves 
 running a database where maintaining long-running connections blocks 
 maintenance jobs, I would recommend un-installing it immediately.

True. It is not freeradius' job to manage the DB. Are there any other
databases on the server that could have a long running transaction and
are preventing the clean-up of the ippool DB?

Ken



Re: Hibernating: Major impact on authentication!

2007-02-05 Thread Kenneth Marshall
Mr. Franco,

I have not looked at the DB connection code, but is there a connection
timer on the DB connection? That is, does the connection get dropped
and restarted occasionally, or does it persist until the connection dies?
If the latter, the problem could be that the long running connections
are not allowing the indexes and table spaces to be maintained properly.
This could cause bloat and performance problems over time. After a
restart it would clear up since now the vacuum DB maintenance process
can clear the outstanding blocks. A restart of each connection handle
every few thousand or so queries by the radius server would solve that
problem. Just an idea.

Ken

On Mon, Feb 05, 2007 at 06:30:57PM -0200, Guilherme Franco wrote:
 Hello,
 
 Considering that all things indicate that there might be a problem with the
 DB, I did some tweaks in PostgreSQL and took off the cron.hourly job.
 
 Gonna watch out for problems then, thanks!
 
 -
 
 Hi,
 
 Freeradius 1.1.4 is randomly losing connection to both databases and it's
 causing total loss in the authentication process:
 
 Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to
 connect 0
 Info: rlm_sql (sql_postgresql): There are no DB handles to use! skipped 0,
 tried to connect 0
 Info: The maximum number of threads (32) are active, cannot spawn new thread
 to handle request
 
 Running either in multi or single threaded mode, those messages appeared
 47.099,00 times since Jan 27! Freeradius is configured with 32 max_servers
 and 32 connections to each DB. There's no starving since no accounting is
 being used and the server has to handle just 3 auths per second.
 
 Every time this happens, no one can authenticate and doing a restart in
 Freeradius solves the problem. To circumvent the problem, I've added a
 cron.hourly job so each hour a service radiusd restart is issued.
 
 As this is random, it's hard to debug, but at the same time freeradius loses
 the connection, several other applications can successfully connect/
 maintain previously established connections to the databases. I've enabled all
 sorts of debug in the databases trying to better understand why freeradius
 is doing this, but there was no luck.
 
 I've installed the latest CVS and the same problem appeared, please help!



Re: Change RAD_REPLY item in rlm_perl, not add a new pair

2006-06-22 Thread Kenneth Marshall
On Thu, Jun 22, 2006 at 09:58:54AM +0300, Boian Jordanov wrote:
 Maybe passing a HASH ref for hash which contains the Operator key and the vp 
 item too will be a good idea. For example
 
 $hash{'Tunnel-Id'} = 'visitor';
 $hash{'Operator'} = ':=';
 $RAD_REPLY{'Tunnel-Id'} = \%hash;
 
 This way we will not change existing behavior. 
 
I like this. One key feature missing in rlm_perl was the ability
to substitute values in attribute pairs, not just add a new one.

Ken


Re: Change RAD_REPLY item in rlm_perl, not add a new pair

2006-06-20 Thread Kenneth Marshall
On Tue, Jun 20, 2006 at 11:23:13AM +0300, Boian Jordanov wrote:
 On Tuesday 20 June 2006 02:17, Kenneth Marshall wrote:
  Dear Freeradius Users:
 
  I am trying to use rlm_perl to append a number to one
  member of the reply packet using rlm_perl and the %RAD_REPLY
  hash. I am running freeradius-1.1.1. Here is the code that
  I am using, a modified example.pl:
 
 Edit rlm_perl.c and change T_OP_EQ to T_OP_SET in function get_hv_content
 
 recompile and install 
 
Thank you for that information. I am testing this now.

Ken Marshall


Re: Change RAD_REPLY item in rlm_perl, not add a new pair

2006-06-20 Thread Kenneth Marshall
On Tue, Jun 20, 2006 at 11:05:04AM +0200, Bjørn Mork wrote:
 Kenneth Marshall [EMAIL PROTECTED] writes:
 
  I am trying to use rlm_perl to append a number to one
  member of the reply packet using rlm_perl and the %RAD_REPLY
  hash. I am running freeradius-1.1.1.
 
 I don't think you can do that with rlm_perl.  The inability to specify
 operator is limiting.
 
 rlm_perl will choose T_OP_ADD if the hash value is an array reference.
 Otherwise it defaults to T_OP_EQ when creating the lists of vps out of
 the %RAD_REPLY and %RAD_CHECK hashes.  There is no way to specify  
 T_OP_SET, which is the functionality you need.
 
 I would really love to improve this, but I can't think of any nice way
 to do it.  If one were to add operators to the perl hashes, how could
 that be done?  Adding an additional set of hashes, mapping attribute
 names to operators?  Adding magic operator strings to either key or
 value of the current hashes?
 
 I'm afraid that none of these will be backwards compatible with
 existing perl scripts using rlm_perl.
 
 Another possibility would be to let rlm_perl assume T_OP_SET for
 modified attributes (unless they are array references).  This makes
 sense to me (and to you it seems, since that's what you expected :-).
 But I don't know of an efficient way to implement this.  You'd
 probably have to walk through the lists, comparing the values of all
 attributes.  Unless you tie the hashes to some class implementing the
 necessary logic in its STORE function?  That might be a possibility...
 
I agree with you. It makes more sense to modify attributes that are
changed instead of appending a new pair which will be discarded in most
cases. Is there an easy way to tie a modified flag to each attribute
that could be changed to indicate a modification? Or use something
like a composite key attribute+operator, with a missing operator
defaulting to current behavior. This would allow people to use :=
when needed and old code should still work correctly.

Ken
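Bjørn's idea of tying the hashes to a class whose STORE notices changes, and Ken's wish to keep old scripts working, as an added example. This is not rlm_perl's own code: the TrackedReply class, its preload and is_dirty helpers, and the sample attribute values are my own assumptions. reply_pairs() turns the hash into (attribute, operator, value) triples using the mapping the thread describes: an array reference becomes one "+=" pair per element (T_OP_ADD), an attribute the script wrote becomes ":=" (T_OP_SET), and anything untouched keeps today's "=" (T_OP_EQ). A plain, untied hash falls through to "=" for everything, which is the existing behaviour.

```perl
#!/usr/bin/perl
# Added example, not rlm_perl code: a tied hash that remembers which reply
# attributes the script wrote, so the caller can choose the operator.
use strict;
use warnings;

package TrackedReply;

# $self->{data} holds the attributes, $self->{dirty} records every key that
# was written (or deleted) through the tied interface.
sub TIEHASH  { my ($class) = @_; return bless { data => {}, dirty => {} }, $class; }
sub FETCH    { my ($s, $k) = @_; return $s->{data}{$k}; }
sub STORE    { my ($s, $k, $v) = @_; $s->{data}{$k} = $v; $s->{dirty}{$k} = 1; return $v; }
sub EXISTS   { my ($s, $k) = @_; return exists $s->{data}{$k}; }
sub DELETE   { my ($s, $k) = @_; $s->{dirty}{$k} = 1; return delete $s->{data}{$k}; }
sub CLEAR    { my ($s) = @_; $s->{dirty}{$_} = 1 for keys %{ $s->{data} }; %{ $s->{data} } = (); }
sub FIRSTKEY { my ($s) = @_; my $reset = keys %{ $s->{data} }; return each %{ $s->{data} }; }
sub NEXTKEY  { my ($s) = @_; return each %{ $s->{data} }; }
sub SCALAR   { my ($s) = @_; return scalar %{ $s->{data} }; }

# Assumed helper: load what earlier modules put in the reply without
# marking those attributes as modified.
sub preload  { my ($s, %attrs) = @_; $s->{data}{$_} = $attrs{$_} for keys %attrs; }
# Assumed helper: was this attribute written by the script?
sub is_dirty { my ($s, $k) = @_; return exists $s->{dirty}{$k}; }

package main;

# Build (attribute, operator, value) triples from a reply hash.
sub reply_pairs {
    my ($hashref) = @_;
    my $tracker = tied %$hashref;          # undef for a plain, untied hash
    my @pairs;
    for my $attr (sort keys %$hashref) {
        my $val = $hashref->{$attr};
        if (ref $val eq 'ARRAY') {         # array ref: one "+=" pair per element
            push @pairs, [ $attr, '+=', $_ ] for @$val;
        } elsif ($tracker && $tracker->is_dirty($attr)) {
            push @pairs, [ $attr, ':=', $val ];   # modified: replace the pair
        } else {
            push @pairs, [ $attr, '=', $val ];    # untouched: current default
        }
    }
    return @pairs;
}

my %RAD_REPLY;
my $obj = tie %RAD_REPLY, 'TrackedReply';
# Constructed sample reply standing in for what earlier modules returned
$obj->preload('Tunnel-Private-Group-Id' => 'visitor', 'Tunnel-Type' => 'VLAN');

# The kind of edit Ken's script makes: ".=" does a FETCH then a STORE, so
# the attribute is marked dirty and will be emitted with ":=".
my $count_visitor = 5;
$RAD_REPLY{'Tunnel-Private-Group-Id'} .= $count_visitor % 4;
$RAD_REPLY{'Reply-Message'} = [ 'welcome', 'have fun' ];

printf "%s %s \"%s\"\n", @$_ for reply_pairs(\%RAD_REPLY);
```

Because the tracking lives in STORE, a script that only reads attributes, or one run against an untied hash, produces exactly the pairs rlm_perl builds today; only attributes the script actually assigns change operator.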


Change RAD_REPLY item in rlm_perl, not add a new pair

2006-06-19 Thread Kenneth Marshall
Dear Freeradius Users:

I am trying to use rlm_perl to append a number to one
member of the reply packet using rlm_perl and the %RAD_REPLY
hash. I am running freeradius-1.1.1. Here is the code that
I am using, a modified example.pl:

use strict;
# use ...
# This is very important! Without this the script will not get the filled
# hashes from main.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use vars qw($count_visitor $count_staff $count_student @rad_array);
use Data::Dumper;

# This is the hash which holds the original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to the NAS.
#my %RAD_REPLY;
# Round-robin counters, one per user class; they live only as long as the
# interpreter does, not across restarts.
my ($count_visitor, $count_staff, $count_student) = (0, 0, 0);
# This is for check items
#my %RAD_CHECK;

...

# Function to handle authorize
sub authorize {
    # For debugging purposes only
    log_request_attributes();

    # Here's where your authorization code comes
    # You can call another function from here:
    test_call();
    # Append a digit to the VLAN name chosen earlier so successive users of a
    # class are spread over visitor0..3, staff0..2 and student0..1
    if ($RAD_REPLY{'Tunnel-Private-Group-Id'} =~ /visitor/i) {
        $RAD_REPLY{'Tunnel-Private-Group-Id'} .= $count_visitor % 4;
        $count_visitor += 1;
    } elsif ($RAD_REPLY{'Tunnel-Private-Group-Id'} =~ /staff/i) {
        $RAD_REPLY{'Tunnel-Private-Group-Id'} .= $count_staff % 3;
        $count_staff += 1;
    } elsif ($RAD_REPLY{'Tunnel-Private-Group-Id'} =~ /student/i) {
        $RAD_REPLY{'Tunnel-Private-Group-Id'} .= $count_student % 2;
        $count_student += 1;
    }

    return RLM_MODULE_UPDATED;
}

...

Here is the debug output from radiusd:

/usr/site/freeradius/sbin/radiusd -Xxx
Mon Jun 19 18:09:07 2006 : Info: Starting - reading configuration files ...
Mon Jun 19 18:09:07 2006 : Debug: reread_config:  reading radiusd.conf
Mon Jun 19 18:09:07 2006 : Debug: Config:   including file: 
/usr/site/freeradius-1.1.1/etc/raddb/proxy.conf
Mon Jun 19 18:09:07 2006 : Debug: Config:   including file: 
/usr/site/freeradius-1.1.1/etc/raddb/clients.conf
Mon Jun 19 18:09:07 2006 : Debug: Config:   including file: 
/usr/site/freeradius-1.1.1/etc/raddb/snmp.conf
Mon Jun 19 18:09:07 2006 : Debug: Config:   including file: 
/usr/site/freeradius-1.1.1/etc/raddb/eap.conf
Mon Jun 19 18:09:07 2006 : Debug: Config:   including file: 
/usr/site/freeradius-1.1.1/etc/raddb/sql.conf
Mon Jun 19 18:09:07 2006 : Debug:  main: prefix = /usr/site/freeradius-1.1.1
Mon Jun 19 18:09:07 2006 : Debug:  main: localstatedir = 
/usr/site/freeradius-1.1.1/var
Mon Jun 19 18:09:07 2006 : Debug:  main: logdir = 
/usr/site/freeradius-1.1.1/var/log/radius
Mon Jun 19 18:09:07 2006 : Debug:  main: libdir = 
/usr/site/freeradius-1.1.1/lib
Mon Jun 19 18:09:07 2006 : Debug:  main: radacctdir = 
/usr/site/freeradius-1.1.1/var/log/radius/radacct
Mon Jun 19 18:09:07 2006 : Debug:  main: hostname_lookups = no
Mon Jun 19 18:09:07 2006 : Debug:  main: snmp = no
Mon Jun 19 18:09:07 2006 : Debug:  main: max_request_time = 30
Mon Jun 19 18:09:07 2006 : Debug:  main: cleanup_delay = 5
Mon Jun 19 18:09:07 2006 : Debug:  main: max_requests = 1024
Mon Jun 19 18:09:07 2006 : Debug:  main: delete_blocked_requests = 0
Mon Jun 19 18:09:07 2006 : Debug:  main: port = 0
Mon Jun 19 18:09:07 2006 : Debug:  main: allow_core_dumps = no
Mon Jun 19 18:09:07 2006 : Debug:  main: log_stripped_names = no
Mon Jun 19 18:09:07 2006 : Debug:  main: log_file = 
/usr/site/freeradius-1.1.1/var/log/radius/radius.log
Mon Jun 19 18:09:07 2006 : Debug:  main: log_auth = no
Mon Jun 19 18:09:07 2006 : Debug:  main: log_auth_badpass = no
Mon Jun 19 18:09:07 2006 : Debug:  main: log_auth_goodpass = no
Mon Jun 19 18:09:07 2006 : Debug:  main: pidfile = 
/usr/site/freeradius-1.1.1/var/run/radiusd/radiusd.pid
Mon Jun 19 18:09:07 2006 : Debug:  main: user = (null)
Mon Jun 19 18:09:07 2006 : Debug:  main: group = (null)
Mon Jun 19 18:09:07 2006 : Debug:  main: usercollide = no
Mon Jun 19 18:09:07 2006 : Debug:  main: lower_user = no
Mon Jun 19 18:09:07 2006 : Debug:  main: lower_pass = no
Mon Jun 19 18:09:07 2006 : Debug:  main: nospace_user = no
Mon Jun 19 18:09:07 2006 : Debug:  main: nospace_pass = no
Mon Jun 19 18:09:07 2006 : Debug:  main: checkrad = 
/usr/site/freeradius-1.1.1/sbin/checkrad
Mon Jun 19 18:09:07 2006 : Debug:  main: proxy_requests = yes
Mon Jun 19 18:09:07 2006 : Debug:  proxy: retry_delay = 5
Mon Jun 19 18:09:07 2006 : Debug:  proxy: retry_count = 3
Mon Jun 19 18:09:07 2006 : Debug:  proxy: synchronous = no
Mon Jun 19 18:09:07 2006 : Debug:  proxy: default_fallback = yes
Mon Jun 19 18:09:07 2006 : Debug:  proxy: dead_time = 120
Mon Jun 19 18:09:07 2006 : Debug:  proxy: post_proxy_authorize = no
Mon Jun 19 18:09:07 2006 : Debug:  proxy: wake_all_if_all_dead = no
Mon Jun 19 18:09:07 2006 : Debug:  security: max_attributes = 200
Mon Jun 19 18:09:07 2006 : Debug:  security: reject_delay = 1
Mon Jun 19 18:09:07 2006 : Debug:  security: status_server = no
Mon Jun 19 18:09:07 2006 : Debug:  main: debug_level = 0
Mon Jun 19 18:09:07 2006 

How to make a persistent counter?

2006-06-05 Thread Kenneth Marshall
Dear FreeRADIUS users:

I am trying to implement some load balancing for our
wireless network. Each user needs to be placed in a different
VLAN to distribute the use of each one. If I had a persistent
counter that I could access, I could use the rlm_expr module
to take the modulus of the counter and use that to generate the
next candidate VLAN. Does anyone have any idea about how that
could be accomplished?

Ken
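One way to get the persistent counter Ken asks for, as an added example that is not part of the thread: the counter is kept in a small state file, taken under an exclusive lock for each increment so that every radiusd thread or process sees the same sequence, and the VLAN is the counter modulo the size of the class's VLAN list, which is the rlm_expr arithmetic Ken describes. The state directory, the file names, the VLAN pools and the pick_vlan/next_count names are my own assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a file-backed counter that
# survives radiusd restarts and is shared by all workers on the host.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock :seek);

# Atomically read, increment and write back the counter stored in $path.
# Returns the value before the increment (0 on first use or on a corrupt file).
sub next_count {
    my ($path) = @_;
    # 0600: the state file belongs to the radiusd user only
    sysopen(my $fh, $path, O_RDWR | O_CREAT, 0600) or die "open $path: $!";
    flock($fh, LOCK_EX) or die "lock $path: $!";      # serialise concurrent callers
    my $raw = <$fh>;
    my $n = (defined $raw && $raw =~ /^(\d+)$/) ? $1 : 0;
    seek($fh, 0, SEEK_SET) or die "seek $path: $!";
    truncate($fh, 0)       or die "truncate $path: $!";
    print {$fh} $n + 1, "\n";
    close($fh) or die "close $path: $!";              # flushes and releases the lock
    return $n;
}

# Constructed sample VLAN pools, one per user class
my %vlans = (
    visitor => [ 'visitor0', 'visitor1', 'visitor2', 'visitor3' ],
    staff   => [ 'staff0', 'staff1', 'staff2' ],
    student => [ 'student0', 'student1' ],
);

# Round-robin choice: counter modulo the number of VLANs in the class's pool.
sub pick_vlan {
    my ($class, $state_dir) = @_;
    my $pool = $vlans{$class} or die "unknown class $class";
    my $n = next_count("$state_dir/$class.counter");
    return $pool->[ $n % @$pool ];
}

my $dir = "/tmp/vlan-counter-demo";   # assumption: a directory writable by this user
mkdir $dir unless -d $dir;
print pick_vlan('visitor', $dir), "\n" for 1 .. 5;
```

The lock is what makes the counter safe under a threaded radiusd; the in-interpreter counters in the rlm_perl script above are cheaper but reset on every restart. Keep the state directory on local disk, since flock semantics on network file systems vary, and give it the same restrictive permissions as the rest of raddb so nobody else can steer which VLAN the next user lands in.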