Re: Transform reject to accept response with specific attributes

2012-09-07 Thread Kostas Zorbadelos
Arran Cudbard-Bell a.cudba...@freeradius.org writes:

 On 6 Sep 2012, at 15:10, Kostas Zorbadelos kzo...@otenet.gr wrote:

 
 Greetings to all,
 
 I would like to achieve the following functionality: in case a user's
 AUTHENTICATION fails, the user should not be rejected but be given an
 accept response with specific attributes.
 The reason behind this is to provide a captive portal functionality for
 users having wrong credentials in their CPEs. 
 Could you provide a few hints for how the config would look? I am
 thinking of something in terms of unlang and utilizing virtual servers,
 but I am not sure how it would look.

 authenticate {
   Auth-Type pap {
   pap {
   reject = 1
   }
   if (reject) {
   ok
   # Add extra attributes here...
   }
   }
 }


Thank you very much, this seems to work.

 -Arran

Kostas

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
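A version of Arran's skeleton with the "extra attributes" filled in, as an added example that is not from the original thread; the Filter-Id value, the timeout and the Reply-Message text are assumptions and must match whatever policy the NAS uses to place a session in the walled garden:

```unlang
authenticate {
    Auth-Type pap {
        pap {
            # A failed password check returns "reject" with priority 1,
            # so processing continues instead of leaving the section.
            reject = 1
        }
        if (reject) {
            # Wrong credentials: accept anyway, but only into the
            # captive-portal policy. Attribute values are assumed and
            # must match the walled-garden policy configured on the NAS.
            update reply {
                Filter-Id := "captive-portal"
                Session-Timeout := 600
                Reply-Message := "Password rejected, redirected to the portal"
            }
            ok
        }
    }
}
```

Without a NAS policy keyed on Filter-Id (or an equivalent vendor attribute) the accept grants normal access, so verify the walled-garden mapping with a deliberately wrong password before enabling this in production.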


Transform reject to accept response with specific attributes

2012-09-06 Thread Kostas Zorbadelos

Greetings to all,

I would like to achieve the following functionality: in case a user's
AUTHENTICATION fails, the user should not be rejected but be given an
accept response with specific attributes.
The reason behind this is to provide a captive portal functionality for
users having wrong credentials in their CPEs. 
Could you provide a few hints for how the config would look? I am
thinking of something in terms of unlang and utilizing virtual servers,
but I am not sure how it would look.

Regards,

Kostas

-- 
Kostas Zorbadelos   
twitter: @kzorbadelos   http://gr.linkedin.com/in/kzorba

()  www.asciiribbon.org - against HTML e-mail & proprietary attachments
/\  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Trivial patch for rlm_acctlog in 2.0.5

2008-08-14 Thread Kostas Zorbadelos
On Wednesday 13 August 2008 12:24:44 Alan DeKok wrote:
 Kostas Zorbadelos wrote:
  As we are preparing for migration to 2.X version in some of our
  production systems, I took a closer look at the sources and found the
  rlm_acctlog module that allows for the logging of various types of
  accounting messages in the radius logs. Moreover I saw that syslog
  support in 2.X is vastly improved over 1.X series.

   See also rlm_linelog in the current source (git.freeradius.org), and
 raddb/modules/linelog.  It is a fully configurable module that logs one
 line of text to a file, based on dynamically expanded keys.


I will take a look at it. Seems like a nice generalization of rlm_acctlog -:)

  My minor request is, could you include the following patch in later
  releases (so as to not maintain it internally)?

   Done.


Thanks

   Alan DeKok.

Kostas Zorbadelos

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Trivial patch for rlm_acctlog in 2.0.5

2008-08-12 Thread Kostas Zorbadelos
Hello to everyone.

As we are preparing for migration to 2.X version in some of our production 
systems, I took a closer look at the sources and found the rlm_acctlog module 
that allows for the logging of various types of accounting messages in the 
radius logs. Moreover I saw that syslog support in 2.X is vastly improved 
over 1.X series.

My minor request is, could you include the following patch in later releases 
(so as to not maintain it internally)?

--- rlm_acctlog.c.orig  2007-11-12 00:11:51.0 +0200
+++ rlm_acctlog.c   2008-08-08 13:54:34.0 +0300
@@ -79,7 +79,7 @@
rlm_acctlog_t *inst;
VALUE_PAIR *pair;

-   charlogstr[MAX_STRING_LEN];
+   charlogstr[1024];
int acctstatustype = 0;
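Review bot: the hunk replaces the named size MAX_STRING_LEN with the magic number 1024 in the declaration of logstr; give it a name (for example a #define such as ACCTLOG_MAX_LINE near the top of rlm_acctlog.c) so the intent stated in the cover text, room for the 1024-character limit of older syslog implementations, survives in the code. Also check the call that fills logstr: if it is bounded with MAX_STRING_LEN rather than sizeof(logstr), enlarging the array changes nothing, and if it is bounded with a literal the buffer and the bound drift apart.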

The idea is to have a bigger buffer than 253 characters for logging. Some old 
syslog implementations can have a 1024 character limit I think, so I guess 
that would be enough :)

Thanks and keep up the good work.

Kostas Zorbadelos

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxying doesn't work!

2007-07-11 Thread Kostas Zorbadelos
On Wed, Jul 11, 2007 at 09:22:32AM +0200, Federico Giannici wrote:
 We have a working FreeRADIUS 1.1.4 that has been running for many months.
 Now we have to proxy the requests for a realm (gtenet.it) to a given 
 RADIUS server, but our server seems to ignore the proxy configuration!
 
 I have set proxy_requests = yes and included the proxy.conf file 
 (I'm sure of these, looked at the debug output).
 
 Here is our proxy.conf file:
 
 proxy server {
   synchronous = no
   retry_delay = 5
   retry_count = 3
   dead_time = 120
   default_fallback = yes
   post_proxy_authorize = no
 }
 realm gtenet.it {
   type = radius
   authhost = 195.103.212.53:1645
   accthost = 195.103.212.53:1646
   secret = X
 }
 
 When a request for [EMAIL PROTECTED] is received, it goes through the 
 authorization and then, instead of being proxied, it goes through 
 authentication and obviously fails!
 

You need to uncomment the suffix module in the authorize section. 

 Here is the output of the server in debug mode:
 
 Jul 10 18:55:29 aragorn radiusd[23262]: Going to the next request
 Jul 10 18:55:29 aragorn radiusd[23262]: Waking up in 6 seconds...
 Jul 10 18:55:29 aragorn radiusd[23262]: rad_lowerpair:  User-Name now '[EMAIL PROTECTED]'
 Jul 10 18:55:29 aragorn radiusd[23262]: rad_lowerpair:  User-Password now ''
 Jul 10 18:55:29 aragorn radiusd[23262]: rad_rmspace_pair:  User-Name now '[EMAIL PROTECTED]'
 Jul 10 18:55:29 aragorn radiusd[23262]: rad_rmspace_pair:  User-Password now ''
 Jul 10 18:55:29 aragorn radiusd[23262]:   Processing the authorize section of radiusd.conf
 Jul 10 18:55:29 aragorn radiusd[23262]: modcall: entering group authorize for request 72
 Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module preprocess returns ok for request 72
 Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module nm returns noop for request 72
^

I don't know this module. Have you named an instance of a known module
this way?

 Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module chap returns noop for request 72
 Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module mschap returns noop for request 72
 Jul 10 18:55:29 aragorn radiusd[23262]: rlm_pap: WARNING! No known good password found for the user.  Authentication may fail because of this.
 Jul 10 18:55:29 aragorn radiusd[23262]:   modcall[authorize]: module pap returns noop for request 72
 Jul 10 18:55:29 aragorn radiusd[23262]: modcall: leaving group authorize (returns ok) for request 72
 Jul 10 18:55:29 aragorn radiusd[23262]: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
 Jul 10 18:55:29 aragorn radiusd[23262]: auth: Failed to validate the user.
 
 Any hints of what could be the problem?
 
 
 Thanks.
 
 -- 
 Federico Giannici
 [EMAIL PROTECTED]
 http://www.neomedia.it
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 2.0.0-pre1 compile problem on ubuntu

2007-05-25 Thread Kostas Zorbadelos
On Fri, May 25, 2007 at 02:27:48PM +0200, Alan Dekok wrote:
 Norbert Wegener wrote:
  on an ubuntu 6.06 configure does not show an error with  2.0.0-pre1.
 ...
  /home/norbert/Desktop/freeradius-server-2.0.0-pre1/src/lib/.libs/libradius.so
   
  -L/usr/local/lib /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a 
  -L/usr/lib/perl/5.8/CORE -lperl -ldl -lm -lc -lcrypt -lnsl -lresolv 
  -lpthread  -Wl,-E -Wl,-soname -Wl,rlm_perl-2.0.0-pre1.so -o 
  .libs/rlm_perl-2.0.0-pre1.so
  /usr/bin/ld: cannot find -lperl
 
   I see it, too.  I think it's because Dynloader is a static library, so
 libtool is looking for libperl.a, not libperl.so.
 

This is because libperl.so exists in the libperl-dev package. This is
standard Debian practice.

   But I really don't know.  Did I mention I hate libtool?
 
   Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius proxy code questions and proposed patch

2007-04-30 Thread Kostas Zorbadelos
Hello to everyone.

In a previous thread 
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg33354.html 
I had described a strange behavior in our large proxy setup. After
running the server in debug mode (radiusd -xxx) in our production
systems we found out what was causing our problems. The problem was
that the home server in our proxy setup was marked dead quite often
during the day and with a dead_time of 30 secs every request that came
within these 30 secs was rejected.

Our proxy conf initially looked like the following:

proxy server {
        synchronous = yes
        retry_delay = 0
        retry_count = 0
        dead_time = 30
        default_fallback = yes
        post_proxy_authorize = no
}

###
#
#  Configuration for the proxy realms.
#
...

We first changed the dead_time to 0 so as to avoid marking the home
server dead in synchronous mode.
Additionally, we implemented the following patch (against version 1.1.6):

--- ./src/main/files.c.orig 2007-04-23 15:14:14.569932000 +0300
+++ ./src/main/files.c  2007-04-23 15:22:30.995686000 +0300
@@ -489,6 +489,15 @@
if (cl-last_reply  (( now - 
mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count ))) {
continue;
}
+   /*
+* If we are running in synchronous proxy mode, there's 
no point marking the target
+* server(s) dead, since this should be done by the 
radius client
+*/
+   if (mainconfig.proxy_synchronous) {
+   radlog(L_PROXY, authentication server %s:%d 
for realm %s seems unresponsive.,
+   cl-server, port, cl-realm);
+   continue;
+   }

cl-active = FALSE;
cl-wakeup = now + mainconfig.proxy_dead_time;
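Review bot: the radlog() call in the new block sits inside the list walk and `continue`s before `cl->active = FALSE` is reached, so nothing changes the state that made the preceding `cl->last_reply` check true; the same "seems unresponsive" line will be written on every subsequent pass for as long as the home server stays silent, which at this site's request rate is a log flood. Log once on the transition (remember per server when it was last reported) or rate-limit the message.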
@@ -498,6 +507,15 @@
if (cl-last_reply  (( now - 
mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count ))) {
continue;
}
+   /*
+* If we are running in synchronous proxy mode, there's 
no point marking the target
+* server(s) dead, since this should be done by the 
radius client
+*/
+   if (mainconfig.proxy_synchronous) {
+   radlog(L_PROXY, accounting server %s:%d for 
realm %s seems unresponsive.,
+   cl-acct_server, port, cl-realm);
+   continue;
+   }

cl-acct_active = FALSE;
cl-acct_wakeup = now + mainconfig.proxy_dead_time;
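Review bot: this block duplicates the authentication-server block of the previous hunk with only the log text and `cl->acct_server` changed; pull the synchronous-mode check and the radlog() into one small static helper taking the server address and a label, so that a later fix to one path (for example rate-limiting the repeated message) cannot miss the other.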


The purpose of this patch is to not have the freeradius server mark
the home server dead when working in synchronous mode. We believe that
in synchronous operation it is a good idea to leave the job of marking
the server dead to the NAS client.

All the above actions solved our initial problems. However, after a
while we noticed again clients being rejected when they shouldn't. 

The following code in request_list.c caught my attention:

/*
 *  Refresh a request, by using proxy_retry_delay, cleanup_delay,
 *  max_request_time, etc.
 *
 *  When walking over the request list, all of the per-request
 *  magic is done here.
 */
static int refresh_request(REQUEST *request, void *data)
{
...
(around line 1264 version 1.1.6)

        } else if (request->proxy && !request->proxy_reply) {
                /*
                 *  The request is NOT finished, but there is an
                 *  outstanding proxy request, with no matching
                 *  proxy reply.
                 *
                 *  Wake up when it's time to re-send
                 *  the proxy request.
                 *
                 *  But in synchronous proxy, we don't retry but we update
                 *  the next retry time as NAS has not resent the request
                 *  in the given retry window.
                 */
                if (mainconfig.proxy_synchronous) {
                        /*
                         *  If the retry_delay * count has passed,
                         *  then mark the realm dead.
                         */
                        if (info->now > (request->timestamp +
                            (mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count))) {
                                rad_assert(request->child_pid == NO_SUCH_CHILD_PID);
                                request_reject(request);

                                realm_disable(request->proxy->dst_ipaddr,
                                              request->proxy->dst_port);
                                request->finished = TRUE;
  

Re: Freeradius proxy code questions and proposed patch

2007-04-30 Thread Kostas Zorbadelos
On Mon, Apr 30, 2007 at 05:41:06PM +0200, Alan DeKok wrote:
 Kostas Zorbadelos wrote:

  I had described a strange behavior in our large proxy setup. After
  running the server in debug mode (radiusd -xxx) in our production
  systems we found out what was causing our problems. The problem was
  that the home server in our proxy setup was marked dead quite often
  during the day and with a dead_time of 30 secs every request that came
  within these 30 secs was rejected.
 
   Yes.  In 1.x, the proxy code does this.  It's fixed in 2.0, which
 should be released real soon now.
 
  +   /*
  +* If we are running in synchronous proxy mode, 
  there's no point marking the target
  +* server(s) dead, since this should be done by the 
  radius client
 
   Uh, no.  The RADIUS client doesn't know about the home servers.  It
 only knows about the server it's sending packets to.
 

Precisely. But when we work in 'synchronous' mode we want the NAS to
be in charge of the retransmission policy, not our proxy server. If the
home server does not reply for any reason, we want the client (NAS) to
notice it and retransmit. Eventually, the client will mark our proxy
server dead, not because it is its fault, but because the home server
is not responding.

  The purpose of this patch is to not have the freeradius server mark
  the home server dead when working in synchronous mode. We believe that
  in synchronous operation it is a good idea to leave the job of marking
  the server dead to the NAS client.
 
   Which server?  All your patch does is make sure that the NAS marks the
 proxying server as dead.
 

Eventually, yes this is what the NAS will do. All that is due to the
synchronous mode in proxy operation.

 ...
  It seems that on some strange occasions the code enters the above
  path. A decision is made in case the current time is older than
  mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count. If this
  is the case, the request is rejected and the code tries to disable the
  realm. However in the proxy.conf configuration file it is mentioned:
 
   All of that code is *gone* in 2.0.  The new code is so much better
 that it's really quite hard to describe how much better it is.
 
  Please let me know your thoughts on these matters (also on the patch
  we provide)
 
   Take a look at the current CVS snapshot.  It should be pretty robust
 with some recent bug fixes, and it will solve *all* of your proxying
 problems.
 
   And I do mean ALL of the problems.
 

I have read in the list about the major clean up version 2.0 of the
server will be. While reading the code of versions 1.x I could see
that there is great room for improvement. I will take a look in the
2.0 sources and I look forward to testing it when it becomes
available. 

Thanks a lot Alan.

Kostas

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Autotools related problems in freeradius 1.1.6

2007-04-24 Thread Kostas Zorbadelos
On Mon, Apr 23, 2007 at 04:39:22PM +0200, Alan DeKok wrote:
 Kostas Zorbadelos wrote:
  If I do 
  
  ./configure --prefix=/opt/freeradius
  
  the build scripts presume that --enable-developer is true.
 
   That may be an issue only in 1.1.6.  You should be able to change it
 by doing --disable-developer.
 

This is exactly what I did. The reason I mention it is because I think
the default should be sane in future releases of freeradius (that is
developer options switched off by default).

  This has
  the effect that -DNDEBUG is not defined in CFLAGS during compilation,
  among other things, so the rad_assert() function can abort freeradius
  operation in production environments.
 
   Which is not necessarily a bad thing.  Yes, it's bad for your RADIUS
 server to go down.  It's arguably worse for the RADIUS server to keep
 running, and doing... something... after it notices that internal sanity
 checks have failed.
 

I disagree with you on this one Alan. I discovered all these issues I
mention the hard way, after our radius server stopped running at
random times (after a failure in rad_assert() in request_list.c around
the section 

... 
static int refresh_request(REQUEST *request, void *data)
...

/*
 *  If the request is marked as a delayed reject, AND it's
 *  time to send the reject, then do so now.
 */
if (request->finished &&
    ((request->options & RAD_REQUEST_OPTION_DELAYED_REJECT) != 0)) {
        rad_assert(request->child_pid == NO_SUCH_CHILD_PID);
...)


In production environments the server should be able to at least
report the errors it encounters and continue operations. Service
availability is the most important.

In our case, after I recompiled freeradius with the -DNDEBUG option set,
we noticed no further noticeable problems in our radius service.


  I believe that by default, --enable-developer should be false unless
  explicitly set during configure. 
  Let me know if you need anything else to trace the issue.
 
   It's just a couple of lines of shell scripting in configure.in.


As far as I can tell, the following minor patch should take care of the
issue of having developer flags switched off by default:

--- configure.in.orig   Tue Apr 24 12:02:13 2007
+++ configure.inTue Apr 24 12:02:40 2007
@@ -278,11 +278,11 @@
 AC_ARG_ENABLE(developer,
 [  --enable-developer   Enables features of interest to 
developers.],
 [ case $enableval in
-no)
-   developer=no
+yes)
+   developer=yes
;;
 *)
-   developer=yes
+   developer=no
   esac ]
 )
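Review bot: swapping the case arms only changes how an explicit --enable-developer / --disable-developer is interpreted; when neither flag is given, the action-if-given argument of AC_ARG_ENABLE is never run, so developer keeps whatever value it had before this macro, and the hunk does not show that being set. To make developer=no the real default, either add an action-if-not-given argument after the case ([developer=no]) or initialize developer=no before the AC_ARG_ENABLE call; otherwise the default can still be developer=yes, which is the behaviour this thread is trying to remove.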


  Moreover, in a Solaris 9 environment
  --enable-developer or --disable-developer seem to be ignored and
  someone should define CFLAGS explicitly in the configure command to
  define the NDEBUG macro.
  
 
I didn't manage to understand, however, why in a Solaris environment
--disable-developer seems to be ignored. Even if I set
--disable-developer in configure, the -DNDEBUG macro is not passed in
the compilation options.
Find attached (a gzipped) BUILD log in my environment.

Thanks,

Kostas Zorbadelos



   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


BUILD.solaris-disable-developer.log.gz
Description: Binary data
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Autotools related problems in freeradius 1.1.6

2007-04-24 Thread Kostas Zorbadelos
On Tue, Apr 24, 2007 at 01:12:26PM +0200, Alan DeKok wrote:
 Kostas Zorbadelos wrote:
  I disagree with you on this one Alan. I discovered all these issues I
  mention the hard way, after our radius server stopped running in
  random times (after a failure in rad_assert() in request_list.c around
  the section 
 ...
  In production environments the server should be able to at least
  report the errors it encounters and continue operations. Service
  availability is the most important.
 
   My point was that it should continue doing *what*?  The assertions are
 there to catch catastrophic failures in the code.  If the assertion
 trips, it's doing so because the error is non-recoverable.
 
   If you disable the assertions, the server may look like it's still
 running.  But there's no guarantee that it will do anything useful.  It
 may crash randomly later, for reasons that are difficult to track down.
  The only *safe* thing to do is to revert to a known working state.
 i.e. restart from scratch.


In the code snippet I sent, from what I can tell, nothing catastrophic
happens. The code checks to see if it is time to send a delayed reject
back to the client and asserts that there is no child thread that
works on that request. Anyway, if the developer flags are switched off
rad_assert() does nothing. This is the way it is defined:

#ifdef NDEBUG
#define rad_assert(expr) ((void) (0))
#else
#define rad_assert(expr) \
((void) ((expr) ? 0 : \
rad_assert_fail (__FILE__, __LINE__)))
#endif

So if someone compiles freeradius without developer flags he actually
de-activates all assertions :)

 
  As far as I can tell, the following minor patch should take care of the
  issue of having developer flags switched off be default:
 
   OK, thanks.
 

There is the Solaris issue however. I will try to track it down and
send a patch for this too if I can.


Kostas Zorbadelos

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Autotools related problems in freeradius 1.1.6

2007-04-23 Thread Kostas Zorbadelos
Greetings to all in the list.

I'd like to report an issue in the build scripts of freeradius. I
tried to build version 1.1.6 but the problem exists in earlier
versions too. 

If I do 

./configure --prefix=/opt/freeradius

the build scripts presume that --enable-developer is true. This has
the effect that -DNDEBUG is not defined in CFLAGS during compilation,
among other things, so the rad_assert() function can abort freeradius
operation in production environments.

I believe that by default, --enable-developer should be false unless
explicitly set during configure. Moreover, in a Solaris 9 environment
--enable-developer or --disable-developer seem to be ignored and
someone should define CFLAGS explicitly in the configure command to
define the NDEBUG macro.

Let me know if you need anything else to trace the issue.
Thanks,

Kostas Zorbadelos 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Some problem

2007-03-06 Thread Kostas Zorbadelos
On Tue, Mar 06, 2007 at 10:51:25AM +0800, zhangxianshi wrote:

If you ever need to build the freeradius perl module you should
install the packages 

libperl-dev libperlversion

Debian policy is to use libfoo-dev package to contain the libfoo.so
symbolic link. This is what is missing in your case (libperl.so)

Regards,

Kostas Zorbadelos

 Dear All,
 
 I use a Linux system called Ubuntu. Yesterday I tried to compile 
 freeradius 1.1.4. When I began to make, something went wrong.
 
 This is the error log:

 Making all in rlm_passwd...
 make[6]: Entering directory 
 `/home/stone/freeradius-1.1.4/src/modules/rlm_passwd'
 make[6]: Leaving directory 
 `/home/stone/freeradius-1.1.4/src/modules/rlm_passwd'
 Making all in rlm_perl...
 make[6]: Entering directory 
 `/home/stone/freeradius-1.1.4/src/modules/rlm_perl'
 /home/stone/freeradius-1.1.4/libtool --mode=link gcc -release 1.1.4 \
 -module -export-dynamic   -o rlm_perl.la \
 -rpath /usr/local/lib rlm_perl.lo rlm_perl.c 
 /home/stone/freeradius-1.1.4/src/lib/libradius.la \
 `perl -MExtUtils::Embed -e ldopts` -lnsl -lresolv  -lpthread 
 
 *** Warning: Linking the shared library rlm_perl.la against the
 *** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not 
 portable!
 gcc -shared  .libs/rlm_perl.o  -Wl,--rpath 
 -Wl,/home/stone/freeradius-1.1.4/src/lib/.libs -Wl,--rpath -Wl,/usr/local/lib 
 /home/stone/freeradius-1.1.4/src/lib/.libs/libradius.so -L/usr/local/lib 
 /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE 
 -lperl -ldl -lm -lc -lcrypt -lnsl -lresolv -lpthread  -Wl,-E -Wl,-soname 
 -Wl,rlm_perl-1.1.4.so -o .libs/rlm_perl-1.1.4.so
 /usr/bin/ld: cannot find -lperl
 collect2: ld returned 1 exit status
 make[6]: *** [rlm_perl.la] Error 1
 make[6]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules/rlm_perl'
 make[5]: *** [common] Error 2
 make[5]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules'
 make[4]: *** [all] Error 2
 make[4]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules'
 make[3]: *** [common] Error 2
 make[3]: Leaving directory `/home/stone/freeradius-1.1.4/src'
 make[2]: *** [all] Error 2
 make[2]: Leaving directory `/home/stone/freeradius-1.1.4/src'
 make[1]: *** [common] Error 2
 make[1]: Leaving directory `/home/stone/freeradius-1.1.4'
 make: *** [all] Error 2
 
 
 How can I solve it?
 
 Regards Zhang
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Strange problems in large proxy setup

2007-02-24 Thread Kostas Zorbadelos
On Fri, Feb 23, 2007 at 10:23:50AM -0500, Dennis Skinner wrote:
 Kostas Zorbadelos wrote:
  radiusd -X confirms that the configuration is correct, however I have
  this problem behaviour in large scale. My initial suspicions go to the
  proxying code to be honest, but I need to take a good look to grasp
  it.  

Hi Dennis,
 
 I would try running the production radius in debugging mode and send the
 output to a file that you can review for anomalies.  If it is happening
 often enough and you don't want to run the primary radius in debug mode,
 you could do it on the secondary and force a failover for a short time
 and try to catch it.
 

By 'debugging mode' I guess you are referring to radiusd -xxx or
something is that correct? Could this affect the authentication
service for our customers? 

I was thinking 
something in the lines of changing the freeradius config to log the
packets going to the home server and their replies (detail_log module
in pre_proxy and post_proxy stages).

Has anyone else noticed this behaviour in a large load proxy setup?

 -- 
 Dennis Skinner
 Systems Administrator
 BlueFrog Internet
 http://www.bluefrog.com

-- 
  Kostas Zorbadelos
  Systems Designer/Developer, Otenet SA 
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Strange problems in large proxy setup

2007-02-23 Thread Kostas Zorbadelos
My greetings to the list.

We have deployed a large setup using freeradius 1.1.3 in a proxy
configuration in front of FUNK radius. During the day we have about
150.000 concurrent DSL users online. Our setup takes the
access-request from the NAS, checks whether the user has any other
active sessions and if he is allowed to have a session the request is
proxied to the FUNK server that performs the actual authentication. So
the setup is a classical proxy setup. This policy decision of whether
the user is allowed to have a session is taken by a module we have
developed for this purpose (we call it rlm_concurrency). We use the
ldap module to find the maximum allowed sessions for a user.
Our setup involves no accounting, just authentication/authorization.

 -------      --------------      --------
 | NAS |  --> | Freeradius |  --> | FUNK |
 -------      --------------      --------


This is the actual config we have in our freeradius server:

authorize {
preprocess
# The following config instructs freeradius to stop processing
# requests if it matches the user in the local users file
files {
   ok = return
}

ldap
concurrency
suffix

}

Here is a debugging output from freeradius with this config:

== Debugging output (radiusd -X) == 

Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 62.103.1.111:1645, id=4, length=127
Framed-Protocol = PPP
User-Name = foouser
User-Password = XX
Calling-Station-Id = X
NAS-Port-Type = Async
Connect-Info = 33600/31200 V34+/V42bis/LAPM
NAS-Port = 4115
NAS-Port-Id = Async2/2
Service-Type = Framed-User
NAS-IP-Address = 62.103.1.111
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module preprocess returns ok for request 9
  modcall[authorize]: module files returns notfound for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for foouser
radius_xlat:  '(&(uid=foouser)(radiusAccountStatus=activated))'
radius_xlat:  '...'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=..., with filter (&(uid=foouser)(radiusAccountStatus=activated))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusMaxLogins as Simultaneous-Use, value 1  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user foouser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 9
rlm_concurrency: Found NAS-IP-Address: 62.103.1.111
rlm_concurrency: User: foouser, Max-Sessions found: 1
rlm_concurrency: Accepted User foouser. Active sessions: 0, Maximum allowed sessions: 1
  modcall[authorize]: module concurrency returns ok for request 9
rlm_realm: No '@' in User-Name = foouser, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Proxying request from user foouser to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy authentication request to realm NULL
  modcall[authorize]: module suffix returns updated for request 9
modcall: leaving group authorize (returns updated) for request 9
Sending Access-Request of id 9 to  port 1645
Framed-Protocol = PPP
User-Name = foouser
User-Password = XX
Calling-Station-Id = XX
NAS-Port-Type = Async
Connect-Info = 33600/31200 V34+/V42bis/LAPM
NAS-Port = 4115
NAS-Port-Id = Async2/2
Service-Type = Framed-User
NAS-IP-Address = 62.103.1.111
Proxy-State = 0x34
--- Walking the entire request list ---
Waking up in 0 seconds...
...
Waking up in 0 seconds...
rad_recv: Access-Accept packet from host , id=9, length=107
Proxy-State = 0x34
Class = 
0x5342522d434c20444e3d22646570616b222041543d22323030222055533d2053493d223630373737383736302200
Filter-Id = USER-FILTER-OUT.out
Framed-Protocol = PPP
Service-Type = Framed-User
 authorize: Skipping authorize in post-proxy stage
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [foouser] (from client KARP3845 port 4115 cli 2237021227)
Sending Access-Accept of id 4 to 62.103.1.111 port 1645
Class = 
0x5342522d434c20444e3d22646570616b222041543d22323030222055533d2053493d223630373737383736302200
Filter-Id = USER-FILTER-OUT.out
Framed-Protocol = PPP
Service-Type = Framed-User

== End Debugging output (radiusd -X) == 


We have noticed no problems with our module and also no problems
whatsoever in a low traffic testing environment. However we have observed
the following strange behaviour in our production setup with its high

Re: Strange problems in large proxy setup

2007-02-23 Thread Kostas Zorbadelos
On Fri, Feb 23, 2007 at 02:49:57PM +, [EMAIL PROTECTED] wrote:
 Hi,
 
  active sessions and if he is allowed to have a session the request is
  proxied to the FUNK server that performs the actual authentication. So
  the setup is a classical proxy setup. This policy decision of whether
   
 
 whoah. steady on there. this is not a classical proxy setup. in a classical
 proxy setup ALL autentication is handled by a 3rd party. in this case you
 are doing an LDAP authorization on the FreeRADIUS box. 

OK you have a point there, my wording is incorrect. Yes, we do make an
authorization decision in the freeradius box. 

 the fact that this
 works on testing but not in high-volume production points a marked finger
 towards this LDAP process. 
 

The 'ldap process' you refer to is actually rlm_ldap and a tiny
module of ours. However, we have never
observed any issues with them, no error messages or any other logging
messages. I believe I have a valid and quite simple (for my purposes
of course) configuration. I make the authorization decision and if all
OK, I proxy the request, otherwise I reject the request without
proxying it. 

radiusd -X confirms that the configuration is correct, however I have
this problem behaviour in large scale. My initial suspicions go to the
proxying code to be honest, but I need to take a good look to grasp
it.  

 alan

Kostas
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Questions about proxy radius on multihomed host

2006-12-04 Thread Kostas Zorbadelos
On Sun, Dec 03, 2006 at 09:15:54PM -0800, Alan DeKok wrote:
 Kostas Zorbadelos wrote:
  on a multihomed Solaris host when radius packets are proxied what is
  their source IP? Is it IP1 or it could also be IP2?
 
   Uh... that's up to the OS.  

That's what I also thought. This would have to do with the TCP/IP
implementation in the kernel...

 There are patches pending against CVS head
 that should fix this.


In a portable way?

  I took a look at the sources where I see that in proxy.c a rad_send()
  is used to actually send the packet. rad_send() uses sendto() unless
  WITH_UDPFROMTO is defined in which case sendfromto() is used. In my
  case, WITH_UDPFROMTO is undefined.
 
   That only matters for packets being received by the server, not
 packets it's sending.


I am referring to proxy_send in proxy.c

/*
 *  Relay the request to a remote server.
 *  Returns:
 *
 *  RLM_MODULE_FAIL: we don't reply, caller returns without replying
 *  RLM_MODULE_NOOP: caller falls through to normal processing
 *  RLM_MODULE_HANDLED  : we reply, caller returns without replying
 */
int proxy_send(REQUEST *request)

From what I can see it has to do with the packets relayed by the
server to the remote home server in proxy mode. 

  Can I assume that outgoing packets use as source address the one
  listed in the listen directive? 
 
   If that's the only IP used, yes.  Otherwise, it's up to the OS to
 determine the best source IP for an outgoing packet.
 

Thanks Alan.

-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Questions about proxy radius on multihomed host

2006-12-01 Thread Kostas Zorbadelos
Hello to everyone.

I have a question regarding freeradius proxying. My setup is
freeradius 1.1.3 on Solaris 9. I have a very simple proxy
configuration. The setup is a bit 'weird' in the sense that I have a
freeradius server on the machine that acts as a proxy to another
radius server running on the same machine (different IP).

So the setup is described as 

Solaris 9 Host
--
| IP1   IP2  |   
|  Freeradius---Proxy---  Other Radius |
||
--

The Solaris host contains 2 IPs, freeradius is configured with the
listen directive to accept authentication requests on IP1, while the
other server is listening on IP2.

In the other radius, I have configured as client the IP1 but I notice
several failures. My question is:

on a multihomed Solaris host when radius packets are proxied what is
their source IP? Is it IP1 or it could also be IP2?

I took a look at the sources where I see that in proxy.c a rad_send()
is used to actually send the packet. rad_send() uses sendto() unless
WITH_UDPFROMTO is defined in which case sendfromto() is used. In my
case, WITH_UDPFROMTO is undefined.

sendfromto() is defined in freeradius sources with comments that it
works on Linux and FreeBSD 5.x. I have not seen any configuration
option that sets the source address of outgoing packets, in case of
multihomed hosts. There is only the following comment in radiusd.conf: 

#  bind_address:  Make the server listen on a particular IP address, and
#  send replies out from that address.  This directive is most useful
#  for machines with multiple IP addresses on one interface.
#
#  It can either contain *, or an IP address, or a fully qualified
#  Internet domain name.  The default is *
#
#  As of 1.0, you can also use the listen directive.  See below for
#  more information.
#

Can I assume that outgoing packets use as source address the one
listed in the listen directive? 

Thanks in advance,

Kostas

-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.
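Alan's reply in the thread above leaves source-address selection to the OS unless the server binds its socket to one address, which is exactly what the home server's client table needs to match. The following is an added example in plain BSD sockets, not FreeRADIUS code: it contrasts an unbound UDP socket, which reports 0.0.0.0 (the kernel chooses the source per packet), with a socket bound to a chosen local address; the function names, the loopback addresses and the placeholder payload are constructed for the example.

```c
/* Added example (not FreeRADIUS code): pinning the source address of an
 * outgoing RADIUS proxy socket on a multihomed host. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a UDP socket whose datagrams leave with src_ip as their source.
 * Port 0 lets the kernel choose an ephemeral port, so only the address is
 * pinned. Returns the descriptor, or -1 on a bad address or bind failure. */
int open_pinned_udp_socket(const char *src_ip)
{
    struct sockaddr_in local;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;

    memset(&local, 0, sizeof(local));
    local.sin_family = AF_INET;
    local.sin_port = 0;
    if (inet_pton(AF_INET, src_ip, &local.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Copy the local address the kernel currently associates with fd into buf.
 * An unbound socket yields "0.0.0.0": the source is decided per packet by
 * the routing table, which is the multihomed-host problem in the thread. */
int local_source_address(int fd, char *buf, size_t buflen)
{
    struct sockaddr_in local;
    socklen_t len = sizeof(local);
    if (getsockname(fd, (struct sockaddr *)&local, &len) < 0) return -1;
    if (!inet_ntop(AF_INET, &local.sin_addr, buf, buflen)) return -1;
    return 0;
}

/* Send one datagram to a home server from the (pinned) socket. The home
 * server looks the sender up by the source address this socket carries. */
ssize_t send_from_socket(int fd, const char *dst_ip, unsigned short port,
                         const void *pkt, size_t len)
{
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = htons(port);
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1) return -1;
    return sendto(fd, pkt, len, 0, (struct sockaddr *)&dst, sizeof(dst));
}

int main(void)
{
    char addr[INET_ADDRSTRLEN];
    int any = socket(AF_INET, SOCK_DGRAM, 0);          /* unbound: OS picks */
    int pinned = open_pinned_udp_socket("127.0.0.1");  /* bound: we pick */
    unsigned char payload[20] = { 0 };  /* constructed placeholder, not a RADIUS packet */

    if (any >= 0 && local_source_address(any, addr, sizeof addr) == 0)
        printf("unbound socket reports source %s\n", addr);  /* 0.0.0.0 */
    if (pinned >= 0 && local_source_address(pinned, addr, sizeof addr) == 0)
        printf("pinned socket reports source %s\n", addr);   /* 127.0.0.1 */

    /* Loopback destination; nothing needs to be listening for the send to succeed. */
    if (pinned >= 0)
        send_from_socket(pinned, "127.0.0.1", 1812, payload, sizeof payload);

    if (any >= 0) close(any);
    if (pinned >= 0) close(pinned);
    return 0;
}
```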



Re: FreeRADIUS user Survey

2006-10-06 Thread Kostas Zorbadelos
On Thu, Oct 05, 2006 at 02:39:18PM -0400, Alan DeKok wrote:
   In order to better understand the needs of people using FreeRADIUS,
 I've set up a survey with 12 questions.  The goal is to understand
 who's using FreeRADIUS, how they're using it, and what the users needs
 are.  The page is:
 
   http://gs-survey.com/s.asp?s=1651
 
   Please take a few minutes to fill out the survey, and I'll be
 posting a summary of the responses here.
 
   I expect to have a few more surveys after this one, to be able to
 target future development.  Thanks for your efforts in supporting FreeRADIUS.
 
   Alan DeKok.

In the first question (How large is your organization?)
the range 101 - 1000 is missing...

In the question (How many RADIUS client machines do you have?)
is the last range 101? 


-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Re: LDAP related questions

2006-07-02 Thread Kostas Zorbadelos
On Sat, Jul 01, 2006 at 12:04:24PM -0400, Alan DeKok wrote:
 Kostas Zorbadelos [EMAIL PROTECTED] wrote:
  I saw the cvs version and indeed it contains the code you
  describe. This is a very useful feature. The feature is not contained
  in the latest stable (1.1.2) version. Will it be in the next?
 
   Probably in 2.0, which we hope to release before the next millennium.


OK, till then, I guess if we need the functionality, we patch the
stable version... -:)

 
   Alan DeKok.

-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Re: LDAP related questions

2006-06-30 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 04:21:14PM +0300, Kostas Kalevras wrote:
 On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
 
 On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
 On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
 
 I have a few suspicions where the problem might be.
 Is there a way to define the operator in the radius check attributes
 of ldap (without using the generic radiusCheckItem attribute)?
 
 radiusSessionTimeout: += value
 
 
 I meant in ldap.attrmap.
 When I define for example
 
 checkItem   Group-Name  radiusProfile
 
 what is the operator implied ( op=21 in the debugging output)?
 Can this be changed?
 
 In the cvs version at least an extra field is supported in ldap.attrmap 
 which sets the operator to be used. Don't know if it's supported in the 
 stable versions.


Thanks Kostas, 
I saw the cvs version and indeed it contains the code you
describe. This is a very useful feature. The feature is not contained
in the latest stable (1.1.2) version. Will it be in the next?

 
 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf
 

-- 
  Kostas 
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Re: Freeradius advocacy needed for convincing corporate management

2006-06-29 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 02:01:24PM -0400, Alan DeKok wrote:
 Kostas Zorbadelos [EMAIL PROTECTED] wrote:
  - Any large installations that use freeradius effectively today
 (commercial environments preferred). This would give us arguments in
favour of freeradius scalability and reliability
 
   Most commercial installations won't publicly say they're using it.
 
   I know of multiple national ISP's with millions of users who've
 replaced commercial servers with FreeRADIUS.  But they don't want me
 to mention their names, sorry.
 
   An alternative is to see who's subscribed to this list.  Past posts
 include people from DHL, among other large companies.
 
   Alan DeKok.

Thanks very much for all the information.
I hope the effort (of convincing) turns out OK. 


-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



LDAP related questions

2006-06-28 Thread Kostas Zorbadelos
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=company,dc=gr, with filter 
(&(uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusProfile as Group, value PSTN_STATIC  op=21
rlm_ldap: Adding radiusMaxLogins as Simultaneous-Use, value 1  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding Framed-IP-Address as Framed-IP-Address, value 62.103.176.39  
op=11
rlm_ldap: user kzorba authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 167 to 127.0.0.1 port 41392
Reply-Message = Unauthorized access.
Nothing to do.  Sleeping until we see a request.


My questions are:

- Does this approach have a meaning?
- Why the Group attribute returned through LDAP does not match the
  correct entry in users file? 
- Are there any alternative ideas to achieve the setup I want (users +
  profiles stored in LDAP with the form of the user entry as I
  described)

Thanks in advance for any answers. 

Kostas

-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Re: LDAP related questions

2006-06-28 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:

I have a few suspicions where the problem might be.
Is there a way to define the operator in the radius check attributes
of ldap (without using the generic radiusCheckItem attribute)?



-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Re: LDAP related questions

2006-06-28 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 02:11:00PM +0300, Kostas Kalevras wrote:
 On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
 
 Hello to everyone.
 
 I have a question regarding a configuration I am trying to achieve. I
 have users stored in an ldap database. An example user entry looks
 like this:
 
 dn: uid=kzorba,ou=people,dc=company,dc=gr
 cn: ZORBADELOS KONSTANTINOS
 uid: kzorba
 clearTextPwd: mypassword
 radiusProfile: PSTN_STATIC
 radiusAccountStatus: activated
 radiusMaxLogins: 1
 radiusExpDate: 2030/12/31 00:00:00
 Framed-IP-Address: 62.103.176.39
 objectClass: account
 objectClass: MyRadiusAccount
 objectClass: top
 
 The attribute radiusProfile groups the users. For each group we have a
 corresponding profile
 
 Why not put the full profile DN in radiusProfile? Then you can use the 
 profile_attribute mechanism


That would be perfect, however we already have the users database and
we use a different Radius software. Our data are in the form I
described. Any modifications would require migration and this is what
I am trying to avoid. 


-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Freeradius advocacy needed for convincing corporate management

2006-06-28 Thread Kostas Zorbadelos
My greetings to the list.
The company I work for is one of the largest ISPs in Greece. We are
evaluating the possibility to move away from our current radius
software (FUNK Radius now Juniper) in favour of freeradius.

We as technical people understand all the benefits of the move (and it
would also give us opportunity to contribute to the project). However
management would like to hear stuff like

- Any large installations that use freeradius effectively today
  (commercial environments preferred). This would give us arguments in
  favour of freeradius scalability and reliability
- Possibility to have commercial support 

Anyone who can contribute arguments or facts is more than welcome. 

Kostas

-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Re: LDAP related questions

2006-06-28 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
 On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
 
 I have a few suspicions where the problem might be.
 Is there a way to define the operator in the radius check attributes
 of ldap (without using the generic radiusCheckItem attribute)?
 
 radiusSessionTimeout: += value


I meant in ldap.attrmap.
When I define for example 

checkItem   Group-Name  radiusProfile

what is the operator implied ( op=21 in the debugging output)?
Can this be changed?


-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Re: Error building version 1.1.1

2006-03-22 Thread Kostas Zorbadelos
On Thu, Mar 23, 2006 at 08:19:19AM +0100, Stefan Winter wrote:
 Hi,
 
The makefile in src/lib creates the lib directory before it installs
  anything in it.  I have no idea why building an RPM would result in
  things happening in the reverse order.


Indeed the installation fails (I used --prefix in configure) and I
compiled from sources without trying to make a package of any sort. By 
searching I found the following patch:


Index: Makefile
===
RCS file: /source/radiusd/src/lib/Makefile,v
retrieving revision 1.28
diff -u -r1.28 Makefile
--- Makefile 22 Jan 2006 21:46:35 - 1.28
+++ Makefile 6 Mar 2006 17:51:34 -
-48,6 +48,6
rm -rf .libs

install: all
- $(LIBTOOL) --mode=install $(INSTALL) -c $(TARGET).la
$(R)$(libdir)
+ $(LIBTOOL) --mode=install $(INSTALL) -c $(TARGET).la
$(R)$(libdir)/$(TARGET).la
rm -f $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la;
ln -s $(TARGET).la $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la
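Review bot: as pasted, this hunk will not apply with patch: the header `-48,6 +48,6` has lost its `@@` delimiters, and both libtool lines have been wrapped so that `$(R)$(libdir)` and `$(R)$(libdir)/$(TARGET).la` sit on lines of their own without a `-`/`+` prefix; re-send the diff unwrapped or as an attachment. On the change itself, the new destination `$(R)$(libdir)/$(TARGET).la` still relies on `$(R)$(libdir)` existing, and nothing in the visible `install:` recipe creates it; unless the top-level Makefile does so, an `$(INSTALL) -d $(R)$(libdir)` step before the libtool line would make this target self-sufficient.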

This solved the issue.
 
 It doesn't only happen when building an RPM. I installed from the tarball and 
 the same thing happened. It worked when I manually created lib/ after the 
 first failed attempt und tried it a second time (SuSE 8.2).
 Nicolas Baradakis sent me a patched Makefile, I will try that soon and report 
 back if it fixes the issue.
 
 Greetings,
 
 Stefan Winter
 
 -- 
 Stefan WINTER
 
 Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
 la Recherche
 Ingenieur Forschung & Entwicklung
 
 6, rue Richard Coudenhove-Kalergi
 L-1359 Luxembourg
 E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
 http://www.restena.lu                Fax:      +352 422473
 
 

-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.



Re: Error: rlm_sql: unknown attribute Cisco-VSA

2005-03-01 Thread Kostas Zorbadelos
On Tue, Mar 01, 2005 at 02:35:09AM -0800, Abdul Lateef wrote:
 Hi Guys,
 
 Here is one small problem.
 
 I am using mySQL for the cisco NAS authentication i
 add the following in radreply table:
 
 id  UserName  Attribute  op  Value
 11  12345     Cisco-VSA  =   h323-credit-time=10
 

There is no attribute named Cisco-VSA in the freeradius
dictionaries. Try using 
Cisco-AVPair += h323-credit-time=10

 But It is working and the log is :
 
 Tue Mar  1 08:49:13 2005 : Error: rlm_sql: unknown
 attribute Cisco-VSA
 Tue Mar  1 08:49:13 2005 : Error: rlm_sql (sql): Error
 getting data from database
 
 
 It will be very thankful if anyone can treat it.
 
 Thank YOu
 
 
   
 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: How can I unsubscribe

2005-02-18 Thread Kostas Zorbadelos
On Fri, Feb 18, 2005 at 10:55:57AM +0800, Zhao Yu,SCNB RD NNA(BJ) wrote:
 How can I unsubscribe?

http://lists.freeradius.org/mailman/listinfo/freeradius-users

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: Version 1.0.2 has been released.

2005-02-18 Thread Kostas Zorbadelos
On Thu, Feb 17, 2005 at 03:16:30PM +0200, Kostas Kalevras wrote:
 
 The patch was just committed in CVS. Could you check it out and make sure 
 everything works as expected?
 
 
 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf
 

Kostas, I performed a diff between my patched sql_oracle.c file and the
same file as seen in the freeradius CVS tree and there are no
differences. Since this patch runs without problems in our production
environment, everything seems to be OK. So we are expecting to see the
patch included in the next release.

Thanks again for everything.


-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: Version 1.0.2 has been released.

2005-02-17 Thread Kostas Zorbadelos
On Wed, Feb 16, 2005 at 02:55:12PM -0500, Alan DeKok wrote:
 FreeRADIUS 1.0.2 ; $Date: 2005/02/13 01:03:20 $, urgency=medium
   * Novell eDirectory support.  Patch from Novell.
   * localweb & Trapeze dictionary updates.
   * EAP-SIM fixes.
   * Make Strip-User-Name = No work.
   * Don't declare zero-length arrays in rlm_passwd
   * Bug fix to make udpfromto code work
   * radrelay shouldn't dump core if it can't read a VP from the
 detail file.
   * Only initialize the random pool once.
   * In rlm_sql, don't escape characters twice.
   * Fix MD4 calculation on big-endian machines.
   * In rlm_ldap, only claim Auth-Type if a plain text password is present
   * Treat Quintium VSAs like Cisco VSAs
   * Locking fixes in threading code
   * rlm_krb5 includes /usr/include/et for Fedora Core
   * Fix post-auth REJECT stanza processing for rejections from external
 processes or home RADIUS servers
   * Fix building on gcc-4.0 by not trying to access static auth_port from
 other files.
   * Fix building SNMP support on Solaris 9, which needs -lkstat
 
 
   Alan DeKok.
 
 

Dear Alan,
unfortunately, as I can see, the patch discussed in 
http://bugs.freeradius.org/show_bug.cgi?id=128
was not applied in this release. Is this an omission, or the plan is
to be applied later?

Thanks and keep up the good work!


-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: Version 1.0.2 has been released.

2005-02-17 Thread Kostas Zorbadelos
On Thu, Feb 17, 2005 at 03:16:30PM +0200, Kostas Kalevras wrote:
 
 The patch was just committed in CVS. Could you check it out and make sure 
 everything works as expected?
 
 
 
 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf


Kostas, I cannot find a web cvs interface in the freeradius site. I
will wait till tomorrow and I will download the latest snapshot. The
patch as seen in 

http://bugs.freeradius.org/show_bug.cgi?id=128

is already applied in our production environment and runs without
problems for a few months.

Thanks a lot

Kostas

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: Problem with Auth-Type

2004-11-16 Thread Kostas Zorbadelos
On Tue, Nov 16, 2004 at 08:02:42AM +, carlos akitani wrote:
 Hi, I've got the same problem but no solution.
 I've added the Auth-Type:=Local in the users file but the same answer:
 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
 and even (username/password) not valid (but I've declared them in the clients.conf).
 How to do?

First of all; please NO HTML MAIL!
You should really read documentation first before trying to achieve
what you want. Clients.conf is not used to store usernames and
passwords of the users. The users file is meant to do that. Read the
comments in the users file and also the aaa.txt in the doc directory
to get an idea of how the radius server works.

Kostas

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: Problem with Auth-Type

2004-11-15 Thread Kostas Zorbadelos
On Wed, Nov 10, 2004 at 11:23:52AM -0300, German P. Santillan - DESETech wrote:

You won't find that in radiusd.conf. You need to add 
 Auth-Type := Local
to the users file. Man users to see anything else.


 My system requires Local Auth-Type Method, but this method has not been defined in 
 my radiusd.conf, and when I run radiusd with -X param, this appears
 
 auth: No authenticate method (Auth-Type) configuration found for the request: 
 Rejecting the user
 
 Thanks
 
 Germán P. Santillán
 Administrador de Redes
 DESETech Argentina
 http://www.desetech.com.ar
 
 
 
 
 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: Authenticating more than username/password

2004-11-15 Thread Kostas Zorbadelos
On Fri, Nov 12, 2004 at 11:28:09AM -0800, David Young wrote:
 Hi, I was wondering if there's a way to make freeradius authenticate a client 
 based on more than username and password?  for example, I want to limit a 
 user to dial in only from a certain designated number (ANI) to prevent fraud. 
  My user lookup is done through postgresql.  Is there a way to do additional 
 checks before replying to the NAS with an Accept or Reject response?  Maybe 
 something that will do:


Yes, use additional check items. 
Look at the comments in the users file and also in its man page for
more info. 
 
 if (username and password and ANI) all match then
 Accept
 else 
 reject
 
 
 Thanks a lot,
 David

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: Oracle cursor leak

2004-11-11 Thread Kostas Zorbadelos
On Thu, Nov 11, 2004 at 02:23:36PM +0300, Alexander Serkin wrote:

OK here is the patched file. You can verify it if you diff it with the
original file.

Kostas  
 
 Kostas Zorbadelos wrote:
 ...
 
 I resubmit the patch as a text file (output of 
 diff sql_oracle.c.before_patch sql_oracle.c > freeradius_oracle_patch)
 because from the web page I had
 problems applying it and I was forced to apply it partly by hand
 editing of the code...  
 
 
 the same problem. I cannot apply patch taken from the web:
 
 patching file src/modules/rlm_sql/drivers/rlm_sql_oracle/sql_oracle.c
 patch:  malformed patch at line 60: @@ -311,9 +328,11 @@
 
 
 -- 
 Sincerely Yours,
 Alexander Serkin,
 Skylink, Moscow
 
 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.

/*
 * sql_oracle.c	Oracle (OCI) routines for rlm_sql
 *
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Copyright 2000  The FreeRADIUS server project
 * Copyright 2000  David Kerry [EMAIL PROTECTED]
 */

#include <stdio.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <stdlib.h>
#include <string.h>

#include	"radiusd.h"

#include <oci.h>
#include "rlm_sql.h"

typedef struct rlm_sql_oracle_sock {
	OCIEnv		*env;
	OCIError	*errHandle;
	OCISvcCtx	*conn;
	OCIStmt		*queryHandle;
	sb2		*indicators;
	char		**results;
	int		id;
	int		in_use;
	struct timeval	tv;
} rlm_sql_oracle_sock;

#define	MAX_DATASTR_LEN	64


/*
 *
 *	Function: sql_error
 *
 *	Purpose: database specific error. Returns error associated with
 *   connection
 *
 */
static char *sql_error(SQLSOCK *sqlsocket, SQL_CONFIG *config) {

	static char	msgbuf[512];
	sb4		errcode = 0;
	rlm_sql_oracle_sock *oracle_sock = sqlsocket->conn;

	if (!oracle_sock) return "rlm_sql_oracle: no connection to db";

	memset((void *) msgbuf, (int)'\0', sizeof(msgbuf));

	OCIErrorGet((dvoid *) oracle_sock->errHandle, (ub4) 1, (text *) NULL,
		&errcode, msgbuf, (ub4) sizeof(msgbuf), (ub4) OCI_HTYPE_ERROR);
	if (errcode) {
		return msgbuf;
	}
	else {
		return NULL;
	}
}

/*
 *
 *	Function: sql_check_error
 *
 *	Purpose: check the error to see if the server is down
 *
 */
static int sql_check_error(SQLSOCK *sqlsocket, SQL_CONFIG *config) {

	if (strstr(sql_error(sqlsocket, config), "ORA-03113") ||
			strstr(sql_error(sqlsocket, config), "ORA-03114")) {
		radlog(L_ERR,"rlm_sql_oracle: OCI_SERVER_NOT_CONNECTED");
		return SQL_DOWN;
	}
	else {
		radlog(L_ERR,"rlm_sql_oracle: OCI_SERVER_NORMAL");
		return -1;
	}
}

/*
 *
 *	Function: sql_close
 *
 *	Purpose: database specific close. Closes an open database
 *   connection and cleans up any open handles.
 *
 */
static int sql_close(SQLSOCK *sqlsocket, SQL_CONFIG *config) {

	rlm_sql_oracle_sock *oracle_sock = sqlsocket->conn;

	if (oracle_sock->conn) {
		OCILogoff (oracle_sock->conn, oracle_sock->errHandle);
	}

	if (oracle_sock->queryHandle) {
		OCIHandleFree((dvoid *)oracle_sock->queryHandle, (ub4) OCI_HTYPE_STMT);
	}
	if (oracle_sock->errHandle) {
		OCIHandleFree((dvoid *)oracle_sock->errHandle, (ub4) OCI_HTYPE_ERROR);
	}
	if (oracle_sock->env) {
		OCIHandleFree((dvoid *)oracle_sock->env, (ub4) OCI_HTYPE_ENV);
	}

	oracle_sock->conn = NULL;
	free(oracle_sock);
	sqlsocket->conn = NULL;

	return 0;
}


/*
 *
 *	Function: sql_init_socket
 *
 *	Purpose: Establish connection to the db
 *
 */
static int sql_init_socket(SQLSOCK *sqlsocket, SQL_CONFIG *config) {

	rlm_sql_oracle_sock *oracle_sock;

	if (!sqlsocket->conn) {
		sqlsocket->conn = (rlm_sql_oracle_sock *)rad_malloc(sizeof(rlm_sql_oracle_sock

Re: Oracle cursor leak

2004-11-04 Thread Kostas Zorbadelos
On Wed, Nov 03, 2004 at 07:27:18PM +0100, Roberto Re wrote:
 hi,
 
 I have applied the patch yesterday only, but the problem still exists.
 The cursors are allocated and they continuously increase up to the maximum
 limit imposed by Oracle to the db.
 
 I have analysed some of the queries allocating the cursors: there are some
 query to RADGROUPCHECK and RADGROUPREPLY tables, which are _*empty*_.
 Could it be those ones raising the problem?
 
 As we are not using those 2 tables , would it be possible to modify the
 cfg of Freeradius, so that it does no longer use them?
 
 I will also try to insert some dummy-values in the two RADGROUP...
 
 Thanks and regards
 Roberto


I am not using RADGROUPCHECK and RADGROUPREPLY either so I have
commented out all the relevant lines for them (including the queries)
in oraclesql.conf. I haven't noticed any problem with cursor
allocating in oracle 8i. Our DBA told me that there are database
parameters you can tune that could help (look at cursor_sharing and
instead of the value EXACT use FORCE (for 8i) or SIMILAR (for 9i)). 

Kostas
 
 
 
  On Thu, Oct 14, 2004 at 11:13:40AM +0200, Roberto Re wrote:
 
 
  Kostas Zorbadelos wrote:
 
  On Wed, Oct 13, 2004 at 06:25:25PM +0200, Roberto Re wrote:
  
  First of all thanks for your attention, Alan
  
  My problem however seems to be more like this:
  http://lists.cistron.nl/pipermail/freeradius-devel/2002-December/004052.html
  
  I had already checked the working code, which includes that patch and
  it
  is exactly the following one:
  
  http://www.freeradius.org/cvs-log/radiusd/src/modules/rlm_sql/drivers/rlm_sql_oracle/sql_oracle.c
  
   The code in this url does not include the patch Alan is referring
  to. Of course the patch in
  http://bugs.freeradius.org/show_bug.cgi?id=128 addresses the
  freeradius crash in case of Oracle errors in sql queries. This happens
  with the Oracle 8i client libraries. I was told that Oracle 9 client
  libs do not cause the freeradius crash (not tested my self).
 
  In my experience with Oracle 9 client (on a Linux RedHat Enterprise) the
  freeRADIUS dont crash, it dont realease cursors on the oracle side.
 
  Roberto
 
 
  OK, if the crashes do not happen on successive Oracle errors, try the
  patch and let us know if it also solves your problem.
 
 
 
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 
 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Exec-Program-Wait question and rlm_exec

2004-10-26 Thread Kostas Zorbadelos
Hello to everyone.
First of all I have a question for Exec-Program-Wait. I need to run an
external C program that expects in its environment a proper
LD_LIBRARY_PATH to run. I followed the obvious solution of using a
wrapper bash shell script, that sets the environment and calls the C
program via exec. Can I avoid this? That is, can I have the radius
server pass the proper environment directly to the program? I read the
variables.txt and I do not see this possibility. 

The second thing I want to bring up again is the rlm_exec module. Back
in September (thread rlm_exec vs Exec-Program-Wait attribute)
summarized in
http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00161.html,  
a set of changes to rlm_exec were proposed to also handle the case of
having attributes in access-reject.
Are these changes going to be accepted finally and if so in which
version? I am trying 1.0.1 now with the exec-program-wait because of
rlm_exec restrictions.

Thanks in advance.

Kostas


-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec-Program-Wait question and rlm_exec

2004-10-26 Thread Kostas Zorbadelos
On Tue, Oct 26, 2004 at 10:20:48AM -0400, Alan DeKok wrote:
 Kostas Zorbadelos [EMAIL PROTECTED] wrote:
  First of all I have a question for Exec-Program-Wait. I need to run an
  external C program that expects in its environment a proper
  LD_LIBRARY_PATH to run. I followed the obvious solution of using a
  wrapper bash shell script, that sets the environment and calls the C
  program via exec. Can I avoid this?
 
   No.
 
   I'd suggest adding a patch to rlm_exec, so that it can take a
 configuration directive for LD_LIBRARY_PATH, and maybe others.
 
  The second thing I want to bring up again is the rlm_exec module. Back
  in September (thread rlm_exec vs Exec-Program-Wait attribute)
  summarized in
  http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00161.html,  
  a set of changes to rlm_exec were proposed to also handle the case of
  having attributes in access-reject.
  Are these changes going to be accepted finally and if so in which
  version?
 
   Probably, but I haven't had time to look over them yet.  If
 sufficient people use the patch and like it, it can be added.
 
   Alan DeKok.
 

Actually the conversation in that thread ended by mentioning the ideas
rlm_exec should follow. I didn't see any patch that implemented
them. If there is such a patch please direct me to it and I
will test it.

Kostas

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Oracle cursor leak

2004-10-14 Thread Kostas Zorbadelos
On Wed, Oct 13, 2004 at 06:25:25PM +0200, Roberto Re wrote:
 First of all thanks for your attention, Alan
 
 My problem however seems to be more like this:
 http://lists.cistron.nl/pipermail/freeradius-devel/2002-December/004052.html
 
 I had already checked the working code, which includes that patch and it
 is exactly the following one:
 
 http://www.freeradius.org/cvs-log/radiusd/src/modules/rlm_sql/drivers/rlm_sql_oracle/sql_oracle.c


The code in this url does not include the patch Alan is referring
to. Of course the patch in
http://bugs.freeradius.org/show_bug.cgi?id=128 addresses the
freeradius crash in case of Oracle errors in sql queries. This happens
with the Oracle 8i client libraries. I was told that Oracle 9 client
libs do not cause the freeradius crash (not tested myself). Anyway
the proposed patch is said to better handle the Oracle connections.
I tested the patch myself and it works OK. Crashes no longer occur and
freeradius handles Oracle connections better.

However the patch is not included in freeradius 1.0.1. Any plans of
including it in a later version?

I resubmit the patch as a text file (output of 
diff sql_oracle.c.before_patch sql_oracle.c > freeradius_oracle_patch)
because from the web page I had
problems applying it and I was forced to apply it partly by hand
editing of the code...  

Kostas
 
 Function: sql_free_result , does this function realease memory but not 
 any cursors on the oracle side?
 
 Thanks
 Roberto
 
 
 
 
 
 Alan DeKok wrote:
 
 Roberto Re [EMAIL PROTECTED] wrote:
 
 I've installed a FreeRADIUS version 1.0.0 on a Linux Red Hat Enterprise 
 with Oracle Client 9.1, it never close any cursors it opened, leading to 
 all sorts of interesting problems when the max-open-cursor limits
 were hit.
 
 How can I fix this problem ?
 
 
  http://bugs.freeradius.org/show_bug.cgi?id=128
 
   The patch there may help.  If it does, please say so on the list.
 
   Alan DeKok.
 
 - 
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 
 
 
 
 - 
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.

75a76,94
 /*
  *
  *Function: sql_check_error
  *
  *Purpose: check the error to see if the server is down
  *
  */
 static int sql_check_error(SQLSOCK *sqlsocket, SQL_CONFIG *config) {
 
   if (strstr(sql_error(sqlsocket, config), ORA-03113) ||
   strstr(sql_error(sqlsocket, config), ORA-03114)) {
   radlog(L_ERR,rlm_sql_oracle: OCI_SERVER_NOT_CONNECTED);
   return SQL_DOWN;
   }
   else {
   radlog(L_ERR,rlm_sql_oracle: OCI_SERVER_NORMAL);
   return -1;
   }
 }
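Review bot: sql_check_error calls sql_error(sqlsocket, config) twice and treats only the substrings ORA-03113 and ORA-03114 as a lost connection; any other error that also leaves the session unusable returns -1, so the caller keeps using a dead handle instead of re-opening it. Store the error text once in a local (`const char *err = sql_error(sqlsocket, config);`) and test both substrings against it, and reconsider the else branch, which logs the fixed string `rlm_sql_oracle: OCI_SERVER_NORMAL` at L_ERR for every ordinary query error without saying what failed.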
247c266
   (ub4) OCI_DEFAULT);
---
   (ub4) OCI_COMMIT_ON_SUCCESS);
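Review bot: OCI_COMMIT_ON_SUCCESS makes OCIStmtExecute commit each statement implicitly, which is what lets the explicit OCITransCommit be dropped in the following hunks; that dependency deserves a comment next to `(ub4) OCI_COMMIT_ON_SUCCESS);`, since without it a reader will look for where accounting inserts are committed, and a commit that fails is now only visible as a generic "execute query failed" error.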
249,252c268,269
   if ((x != OCI_NO_DATA)  (x != OCI_SUCCESS)) {
   radlog(L_ERR,rlm_sql_oracle: execute query failed in sql_query: %s,
   sql_error(sqlsocket, config));
   return SQL_DOWN;
---
   if (x == OCI_SUCCESS) {
   return 0;
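Review bot: the replaced test `if ((x != OCI_NO_DATA) && (x != OCI_SUCCESS))` accepted OCI_NO_DATA as success, but the new `if (x == OCI_SUCCESS) { return 0;` accepts exactly OCI_SUCCESS, so OCI_NO_DATA and OCI_SUCCESS_WITH_INFO now fall past the OCI_ERROR test into the trailing `else { return -1;` and are reported as failures without a log line. If that is intended, state it in the description; otherwise add OCI_SUCCESS_WITH_INFO to the success branch.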
255,257c272,273
   x = OCITransCommit(oracle_sock-conn, oracle_sock-errHandle, (ub4) 0);
   if (x != OCI_SUCCESS) {
   radlog(L_ERR,rlm_sql_oracle: commit failed in sql_query: %s,
---
   if (x == OCI_ERROR) {
   radlog(L_ERR,rlm_sql_oracle: execute query failed in sql_query: %s,
259c275,278
   return SQL_DOWN;
---
   return sql_check_error(sqlsocket, config);
   }
   else {
   return -1;
261,262d279
 
   return 0;
314,316c331,335
   else if (x != OCI_SUCCESS) {
   radlog(L_ERR,rlm_sql_oracle: query failed in sql_select_query: 
%s,sql_error(sqlsocket, config));
   return SQL_DOWN;
---
 
   if (x != OCI_SUCCESS) {
   radlog(L_ERR,rlm_sql_oracle: query failed in sql_select_query: %s,
   sql_error(sqlsocket, config));
   return sql_check_error(sqlsocket, config);
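Review bot: changing `else if (x != OCI_SUCCESS)` to a bare `if (x != OCI_SUCCESS)` means the branch that precedes it at line 331 of the patched file is no longer exclusive with this test; unless that branch returns, a result it already handled will also be logged as "query failed in sql_select_query" and passed to sql_check_error. Please confirm the preceding branch returns, or keep the else.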
495,496c514,517
   if (x == OCI_NO_DATA) {
   return -1;
---
   
   if (x == OCI_SUCCESS) {
   sqlsocket-row = oracle_sock-results;
   return 0;
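Review bot: in sql_fetch_row the explicit `if (x == OCI_NO_DATA) { return -1;` is gone and end-of-data is now the trailing `else { return -1;` after the OCI_ERROR test, while `sqlsocket->row = oracle_sock->results;` moves into the OCI_SUCCESS branch; the return value for no-data is unchanged, but a fetch that returns OCI_SUCCESS_WITH_INFO is now treated as end of data and its row is never assigned. Either include OCI_SUCCESS_WITH_INFO in the success branch or log the unexpected status in the else branch so the silent drop is visible.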
498,499c519,520
   else if (x != OCI_SUCCESS) {
   /* XXX Check if x suggests we should return SQL_DOWN */
---
   
   if (x == OCI_ERROR) {
502c523
   return SQL_DOWN;
---
   return sql_check_error(sqlsocket, config);
503a525,527
   else {
   return -1;
 }
505,506d528
   sqlsocket-row = oracle_sock-results

Re: Oracle cursor leak

2004-10-14 Thread Kostas Zorbadelos
On Thu, Oct 14, 2004 at 11:13:40AM +0200, Roberto Re wrote:
 
 
 
 In my experience with Oracle 9 client (on a Linux RedHat Enterprise) 
 freeRADIUS doesn't crash, but it doesn't release cursors on the oracle side.
 
 Roberto


OK, if the crashes do not happen on successive Oracle errors, try the
patch and let us know if it also solves your problem.
 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxying Radius server

2004-09-08 Thread Kostas Zorbadelos
On Wed, Sep 08, 2004 at 02:43:34AM -0700, Cool Man wrote:

So, use the 'nostrip' option in the realm configuration.

 Hi , 
  
 I am using freeradius 1.0.0 for proxying purpose. 
  
 I have seen a small problem with my proxy test. I have a radius server acting as 
 proxy which forwards the packets to another radius server. Further, I have also 
 enabled proxying on second radius server. 
  
  
 Client --> (Proxy radius server) --> (Radius Server).
  
 Now my problem is when I enter the user name like [EMAIL PROTECTED] the proxy radius 
 server strips off the realm while forwarding the packets to the actual radius server. 
  
 I see this problem because if the actual radius server needs to decide whether it 
 should forward the user credential to another server then the realm information is 
 not there. 
  
 This is similar to hop-by-hop forwarding of the request to radius servers until it 
 finds the desired one.
  
 Could anyone explain this and explain why freeradius strips off the realm from 
 the username while forwarding the request to another server.
  
 Thanks 
 Raza.
 
   
 -
 Do you Yahoo!?
 New and Improved Yahoo! Mail - 100MB free storage!
-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec-Program doesn't execute the program

2004-09-06 Thread Kostas Zorbadelos
On Mon, Sep 06, 2004 at 02:27:29PM +0300, Edgars wrote:
 Hello,
 
 in some way this attribute does not execute my PHP program. I have a 
 database insert query in this file to test all this. If I execute the *.php 
 program from the command line, everything is OK - a new field is added in 
 the DB. I've put this attribute with path in the radcheck table. 
 
 Where could be the problem? Can't tell anything from the debugging mode..
 
 Edgars
 
 - 
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 

Is your script executable from the user who owns radiusd?
A chmod 755 would be appropriate then.


-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec-Program doesn't execute the program

2004-09-06 Thread Kostas Zorbadelos
On Mon, Sep 06, 2004 at 03:12:47PM +0300, Edgars wrote:
 with permissions there are no problems, i tried also your chmod options. 
 The same:/
 Maybe something else?
 
 Edgars


Perhaps you should create an executable wrapper shell script
containing the call to your php script like

StartPhp.sh

#!/bin/sh

php -f the/path/to/php/script

 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec-Program doesn't execute the program

2004-09-06 Thread Kostas Zorbadelos
On Mon, Sep 06, 2004 at 04:00:43PM +0300, Edgars wrote:
What is the debugging output of radiusd -X?

 nope, the same.
 
 Edgars
 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_exec vs Exec-Program-Wait attribute

2004-09-06 Thread Kostas Zorbadelos
On Sat, Sep 04, 2004 at 07:56:29PM +0200, Thor Spruyt wrote:
 Paul Hampson wrote:
  New behaviour: (Replaces behaviour identical to 0 above)
  If the program returns 1 through RLM_MODULE_NUMCODES, return the
  appropriate code and attributes as expected.
  1  RLM_MODULE_REJECT,   /* immediately reject the request */
  2  RLM_MODULE_FAIL,     /* module failed, don't reply */
  3  RLM_MODULE_OK,       /* the module is OK, continue */
  4  RLM_MODULE_HANDLED,  /* the module handled the request, so stop. */
  5  RLM_MODULE_INVALID,  /* the module considers the request invalid. */
  6  RLM_MODULE_USERLOCK, /* reject the request (user is locked out) */
  7  RLM_MODULE_NOTFOUND, /* user not found */
  8  RLM_MODULE_NOOP,     /* module succeeded without doing anything */
  9  RLM_MODULE_UPDATED,  /* OK (pairs modified) */
 
 Looks ok.
 
  If it returns > RLM_MODULE_NUMCODES, return RLM_MODULE_OK. (as for 0)
 
 Maybe it's better to return RLM_MODULE_FAIL in this case.

  This then leads the question, what return code do we want for when the
  child process terminates abnormally? (!WIFEXITED or rad_waitpid
  returns something other than the child's pid)... If we leave it as it
  is, it's RLM_MODULE_REJECT with the below patch... Would
  RLM_MODULE_FAIL be better? (Changes return 1 at src/main/exec.c:390
  to return 2... This
 
 I guess RLM_MODULE_FAIL would be better here.
 
 -- 
 Regards,
 
 Thor Spruyt

I also agree with Thor's input.

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec-Program doesn't execute the program

2004-09-06 Thread Kostas Zorbadelos
On Mon, Sep 06, 2004 at 04:25:48PM +0300, Edgars wrote:
 got it to work:)i was putting this attribute in the radcheck table not 
 radreply.

Ok, so you were using an sql db backend...

 But now another problem is rising up - the only reason why i 
 want to use this attribute is that i wanted to add a Session-Timeout 
 attribute to radreply table and that this timeout  should be given to 
 the user in the current authentication try. But the php script is only 
 adding the timeout but it will be given to user only at the next login. 
 How to workaround this? Should i use rlm_sql instead of exec-program 
 attribute?
 
 Edgars
 

So you don't need to store it in radreply table. Your external script
will enrich the attributes returned to the client by adding the
Session-Timeout. 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_exec vs Exec-Program-Wait attribute

2004-09-03 Thread Kostas Zorbadelos
On Thu, Sep 02, 2004 at 02:52:13PM -0400, Alan DeKok wrote:

Dear Alan,
though this setup you propose will work, I agree with Thor's opinion
on the matter. I believe that it would be a good idea to allow
rlm_exec module return reject messages with attributes in them as
Exec-Program-Wait does. In this case, we can have the good things of
Exec-Program-Wait, plus the extras of rlm_exec. 
For now, I think
that for my needs I will use Exec-Program-Wait as I find it a more
elegant setup (of course I do not expect it to go away in a future
version right?). 
Please let us know your thoughts on the matter.

Thanks 

Kostas

 Kostas Zorbadelos [EMAIL PROTECTED] wrote:
 Autz-Type CLID{
  callerid {
   fail=reject
  }
  }
  
  In this case when the external script returns a non zero exit code or
  fails I get an Access-Reject. However I cannot put any attributes
  inside this reject packet. 
 
   So do the following:
 
Autz-Type CLID {
   callerid {
ok = return
notfound = return
... = return
fail = 1
   }
   another_files
}
 
 
   Make the another_files module a copy of rlm_files, and point it
 to different users files.  It will then be run ONLY when the
 external script returns fail, and you can add reply attributes to
 the reject packet there.
 
   Alan DeKok.
 
 
 
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius 1.0.0 Solaris compile issues [Partially SOLVED]

2004-09-03 Thread Kostas Zorbadelos
On Thu, Aug 26, 2004 at 05:19:06PM +0300, Kostas Zorbadelos wrote:

Hello to everyone.
I had sent 2 compile issues of freeradius-1.0.0 on Solaris 2.8, gcc
2.95.3

 I can see that ltdl.h is not in the include path passed to gcc but in
 ./libltdl/ltdl.h. The problem is solved if we use the
 --with-ltdl-include in the configure line 


This one was my problem. I had used 
$./configure --prefix=~/freeradius-1.0.0/BUILD

in configure. The problem does not exist if I use a full path in
--prefix and not the '~' shortcut of bash.

However, the error regarding rlm_x99_token exists.
 
 
 Making static dynamic in rlm_x99_token...
 make[6]: Entering directory 
 `/space/radius/freeradius-1.0.0/src/modules/rlm_x99_token'
 gcc  -fcse-skip-blocks -fexpensive-optimizations -finline-functions 
 -fomit-frame-pointer -O3 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 
 -Wall -D_GNU_SOURCE -DNDEBUG  -I../../include -DX99_MODULE_NAME=\"rlm_x99_token\"  
 -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
 In file included from x99_rlm.c:54:
 x99.h:26: openssl/des.h: No such file or directory
 
 I do not have openssl in the system. Shouldn't autoconf diagnose this
 and disable rlm_x99_token as it did in several eap modules?
 I solved it using  --without-rlm_x99_token in the configure line.
 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Oracle bug report

2004-09-03 Thread Kostas Zorbadelos
OK, it seems bugs.freeradius.org is experiencing problems.
I submit the bug here with the corresponding debugging outputs. When
the problems are restored, I will submit it in bugs also...

Short Description:
Freeradius crashes upon oracle errors in accounting queries

Way to reproduce:
Run radiusd -X and from a shell

for ((i=0;$i<30; i=$i+1)); do radclient -d ~/freeradius/BUILD/etc/raddb/ -f testacct 
localhost acct testing123; sleep 2; done

testacct file:
User-Name = kzorbatest
Acct-Session-Id = 123456789009876543211234567890ABCDEFGHI
NAS-IP-Address = 62.103.3.155
Acct-Status-Type = Start

(a very big Acct-Session-Id will cause an oracle error (ORA-01401: inserted
value too large for column))


Environment:
Solaris 8, gcc 2.95.3, Oracle 8.1.7

Attached are the outputs of 
gdb executable core with the bt and also output of truss

Kostas
 
-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.

[EMAIL PROTECTED]:~-gdb /space/radius/freeradius/BUILD/sbin/radiusd ./core 
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as sparc-sun-solaris2.8...(no debugging symbols found)...
Core was generated by `radiusd -X'.
Program terminated with signal 10, Bus error.

Re: Oracle bug report

2004-09-03 Thread Kostas Zorbadelos
On Fri, Sep 03, 2004 at 08:54:42AM -0500, Dave Weis wrote:
 
 On Fri, 3 Sep 2004, Kostas Zorbadelos wrote:
 OK, it seems bugs.freeradius.org is experiencing problems.
 I submit the bug here with the corresponding debugging outputs. When
 the problems are restored, I will submit it in bugs also...
 Short Description:
 Freeradius crashes upon oracle errors in accounting queries
 Way to reproduce:
 Run radiusd -X and from a shell
 for ((i=0;$i<30; i=$i+1)); do radclient -d ~/freeradius/BUILD/etc/raddb/ 
 -f testacct localhost acct testing123; sleep 2; done
 testacct file:
 User-Name = kzorbatest
 Acct-Session-Id = 123456789009876543211234567890ABCDEFGHI
 NAS-IP-Address = 62.103.3.155
 Acct-Status-Type = Start
 (very big Acct-Session-Id will cause oracle error (ORA-01401: inserted
 value too large for column)
 
 That is because the session ID column is declared as a 32 character 
 varchar. You are putting 39 characters into it. If the spec defines a 
 maximum length of 32 characters, then you have too long of a session ID, 
 or the column isn't large enough.
 
 dave


Yes, I know. I caused the oracle error on purpose to cause the crash.

Kostas
 
 -- 
 Dave Weis
 [EMAIL PROTECTED]
 http://www.internetsolver.com/
 
 
 - 
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius 1.0.0 crashes on oracle errors

2004-09-02 Thread Kostas Zorbadelos
On Thu, Sep 02, 2004 at 01:24:19PM +0800, ElHassan, Omar wrote:
 
 I have been experiencing the exact same problem - a crash with repeated
 start packets. I have the same environment (O.S., gcc and freeradius).
 I have found that as a test, a slight modification to sql_oracle.c to not
 return SQL_DOWN but -1 in sql_query as follows:
 x = OCIStmtExecute(oracle_sock->conn,
 oracle_sock->queryHandle,
 oracle_sock->errHandle,
 (ub4) 1,
 (ub4) 0,
 (OCISnapshot *) NULL,
 (OCISnapshot *) NULL,
 (ub4) OCI_DEFAULT);
 
 if ((x != OCI_NO_DATA) && (x != OCI_SUCCESS)) {
 radlog(L_ERR,"rlm_sql_oracle: execute query failed in sql_query: %s",
 sql_error(sqlsocket, config));
 /*return SQL_DOWN;*/
 return -1;
 }
 Will remove this crash. A -1 here means that the connection is not re-opened
 after each error. I hope this helps us in finding the problem.
 
 Regards,
 OeH

Very good Omar,
but what happens when all connections die in this way and are not
re-opened? Freeradius will remain running but with no connections to
the Oracle database. In conversations regarding this issue several
months ago, I was told that it is an error that has to do with the
re-open of the connections and you confirm that.
Anyway, I will submit a gdb traceback in bugs.freeradius.org. I only
hope that I will have time to do it today.
There is too much expertise here, to let the bug get away...

Thanks

Kostas  


-- 
  Kostas Zorbadelos
  Currently at: Otenet IT Department 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_exec vs Exec-Program-Wait attribute

2004-09-02 Thread Kostas Zorbadelos
In a previous thread I described my scenario:

My scenario is simple. When I receive an authentication request for a
user, I want to run an external program and if everything goes OK,
return access-accept with some attributes, otherwise I want to return
access-reject with other attributes.

This scenario is accomplished easily using the Exec-Program-Wait
attribute in users file. 

When I try to accomplish the same thing with rlm_exec, as Doug Hardie
and Alan suggested, I use configurable failover:

radiusd.conf:
 
exec callerid {
wait=yes
program=/space/radius/callerid.sh
input_pairs = request
output_pairs = reply
packet_type = Access-Request
}

in users I have

CLIDACTIVATE	Auth-Type := Local, User-Password == "AAA", Autz-Type := CLID

and in the authorize section of radiusd.conf

   Autz-Type CLID{
callerid {
 fail=reject
}
}

In this case when the external script returns a non zero exit code or
fails I get an Access-Reject. However I cannot put any attributes
inside this reject packet. If my script outputs pairs and exits with a
non zero status, the pairs are not kept in the reject packet sent back
to the client. So my questions are:

- is it possible to have attributes in reject packets in rlm_exec
  setups (something I can do with Exec-Program-Wait)?
- is Exec-Program-Wait deprecated and probably removed in future
  versions? If so, how can I accomplish my scenario?

I need to make a decision for an imminent project.

Thanks in advance

Kostas
 




Re: help with rlm_sql_oracle

2004-08-31 Thread Kostas Zorbadelos
On Tue, Aug 31, 2004 at 09:42:42AM +0300, Ivan wrote:

It should be possible to compile freeradius oracle support with the
oracle client installed only. I also had various problems with 9.2
oracle client (on my debian system) so I installed oracle client 8.1.7
rel3. If you set the ORACLE_HOME environment variable in the configure
of freeradius, it should detect and build the oracle module without
problems.
 

 Dear FreeRadius.org community,
 We've got a problem during installation of FreeRadius server 1.0.0 for
 use with the Oracle database on FreeBSD. The next sample of the config.log file 
 illustrates our problem:
 
 orabsd# ./configure
 .
 configuring in ./drivers/rlm_sql_oracle
 running /bin/sh ./configure  --enable-ltdl-install --enable-ltdl-install 
 --cache-file=../../../../.././config.cache
 --srcdir=.
 loading cache ../../../../.././config.cache
 checking for gcc... (cached) gcc
 checking whether the C compiler (gcc -g -O2 -pthread -D_THREAD_SAFE 
 -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -DNDEBUG )
 works... yes
 checking whether the C compiler (gcc -g -O2 -pthread -D_THREAD_SAFE 
 -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -DNDEBUG ) is a
 cross-compiler... no
 checking whether we are using GNU C... (cached) yes
 checking whether gcc accepts -g... (cached) yes
 checking how to run the C preprocessor... (cached) gcc -E
 checking for oci.h... no
 configure: warning: oracle headers not found.  Use --with-oracle-home-dir=path.
 configure: warning: sql submodule 'oracle' disabled
 updating cache ../../../../.././config.cache
 creating ./config.status
 creating Makefile
 .
 As you see, we can't compile the rlm_sql_oracle driver.
 We were trying to install the FreeRadius server on a PC with Oracle client for 
 FreeBSD 4.10-5.2.1 (we tried different
 releases of FreeBSD).
 We tried to do the following steps:
 1.
 ./configure --with-oracle-home-dir=<path to the oracle client directory>
 ./configure --disable-shared --with-oracle-home-dir=<path to the oracle client 
 directory>
 2.
 ./configure --with-oracle-lib-dir=<path to the oracle client lib directory, to the 
 /rdbms/demo directory>
 ./configure --disable-shared --with-oracle-lib-dir=<path to the oracle client lib 
 directory, to the /rdbms/demo directory>
 3.
 we also tried to compile the rlm_sql_oracle driver alone in the installation
 directory of the oracle client, but with no result.
 Is it possible to install the FreeRadius server with oracle support on a PC just 
 with oracle client installed (without
 basic installation of the Oracle database. we use a separate database
 server with Oracle 9.2i)? If yes, then which directory must contain the
 oracle client lib files? If it's not possible, then will it be
 possible to connect to the oracle database located on a remote PC?
 
 Hope to hear from you soon
 with best regards,
 Ivan and Valery
   mailto:[EMAIL PROTECTED]
 
 
 





Re: freeradius 1.0.0 crashes on oracle errors

2004-08-31 Thread Kostas Zorbadelos
On Tue, Aug 31, 2004 at 12:35:18PM +0400, Alexander Serkin wrote:
 Hello.
 I see a lot of 1401 errors in radiusd.log. But they do not lead to core
 dumps.
 Radiusd performs correctly.
 These errors come when users supply incorrect usernames that are longer
 than the username column size.
 We work on SPARC Solaris 2.8, gcc 3.3, Oracle 9.2.0.5, freeradius-1.0.0..


Hmmm. I have a different compiler version and older Oracle version
(8.1.7). Have you tried to cause the 1401 error continuously and not
sporadically? You can do that with radclient.

Anyway I will submit a bug report with the gdb output. 
 
  Kostas Zorbadelos [EMAIL PROTECTED] wrote:
   My environment is Solaris 2.8, gcc 2.95.3, Oracle 8.1.7.
   Freeradius crashes (and core dumps) after an sql query causes an error
   with an Oracle backend database.
 
Yuck.
 
   First of all in oraclesql.conf there is a typo in
   accounting_start_query_alt query:
 
Fixed, thanks.
 
   Secondly, I caused the crash by sending an accounting start packet
   with very large acct-session-id, that caused an ORA-01401(: inserted
   value too large for column) error.
 
Ok.  The server *should* be robust in the face of such errors.
 
   Should I submit a bug report in bugs.freeradius.org?
 
Please.
 
   For anything else you might need to trace the error, please let me
   know.
 
A gdb 'bt', so we can see where/when the error occurred.
 
If you have access to a Linux box, you can try running it under
  valgrind, which should give you more information about the invalid
  memory accesses.
 
Alan DeKok.
 
 
 
 
 
 





rlm_exec questions

2004-08-27 Thread Kostas Zorbadelos
Hello to everyone.
My scenario is simple. When I receive an authentication request for a
user, I want to run an external program and if everything goes OK,
return access-accept with some attributes, otherwise I want to return
access-reject with other attributes.

I have done the following configuration in radiusd.conf:

exec callerid {
        wait = yes
        program = "/space/radius/callerid.sh"
        input_pairs = request
        output_pairs = reply
        packet_type = Access-Request
}

in users I have

CLIDACTIVATE    Auth-Type := Local, Autz-Type := CLID

and in the authorize section of radiusd.conf

Autz-Type CLID {
        callerid
}

In case my script terminates normally, I get the attribute value pairs
appended to an access-accept message as I want. However, if I make an
exit 1 at the end of the script, I do not get an access-reject with
the output attribute-value pairs appended. 
I make the test with radtest

 radtest -d . CLIDACTIVATE 1760 localhost 123 testing123

and from radiusd -X I get 

rad_recv: Access-Request packet from host 127.0.0.1:64711, id=42, length=64
User-Name = CLIDACTIVATE
User-Password = 1760
NAS-IP-Address = 255.255.255.255
NAS-Port = 123
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
rlm_realm: No '/' in User-Name = CLIDACTIVATE, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module realmslash returns noop for request 2
rlm_realm: No '@' in User-Name = CLIDACTIVATE, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 2
users: Matched CLIDACTIVATE at 74
  modcall[authorize]: module files returns ok for request 2
modcall: group authorize returns ok for request 2
  Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 2
radius_xlat:  '/space/radius/callerid.sh'
Exec-Program: /space/radius/callerid.sh
Exec-Program output: h323-return-code = 2 
Exec-Program-Wait: value-pairs: h323-return-code = 2
Exec-Program: returned: 1
rlm_exec (callerid): External script failed
  modcall[authorize]: module callerid returns fail for request 2
modcall: group Autz-Type returns fail for request 2
Finished request 2
Going to the next request

The module returns fail but no access-reject is sent back and radtest
keeps retransmitting.
What am I missing?

Thanks for any help.

Kostas



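Both rlm_exec posts above ("rlm_exec questions" and "rlm_exec vs Exec-Program-Wait") depend on the same contract between radiusd and the external script; the following is an added example of a script that honours it, not the callerid.sh from the thread. It assumes the documented rlm_exec behaviour (request attributes exported as environment variables, "Attribute = value" lines on stdout taken as reply pairs) and uses a constructed allow-list of calling numbers and made-up h323-return-code values.

```shell
#!/bin/sh
# Added example, not the callerid.sh from the thread: a script that follows
# the rlm_exec contract the "exec callerid { wait = yes ... }" block relies on.
#
# With input_pairs = request, rlm_exec exports the request attributes to the
# child's environment, upper-cased and with '-' replaced by '_'
# (Calling-Station-Id -> CALLING_STATION_ID, User-Name -> USER_NAME).
# Each "Attribute = value" line written to stdout is parsed as a pair and,
# with output_pairs = reply, added to the reply. Exit status 0 means ok;
# any other status makes the module return fail (and, as the debug output
# in the thread shows, the pairs printed on that path are dropped).

# Constructed sample allow-list of calling numbers, one per line. A real
# deployment would read it from a file; the numbers here are made up.
ALLOWED_CLIDS='2101234567
2109876543'

# callerid_check: decide on the request found in the environment.
# Prints the reply pairs and returns 0 (accept) or 1 (reject).
callerid_check() {
    clid=${CALLING_STATION_ID:-}

    # The value comes straight from the RADIUS packet, i.e. from whoever
    # sent it, so it is untrusted input: never hand it to eval, never use
    # it unquoted, and never let it reach grep as a pattern. Only a
    # non-empty string of digits is accepted as a calling number.
    case $clid in
        ''|*[!0-9]*)
            printf 'h323-return-code = 2\n'
            printf 'Reply-Message = "Missing or malformed calling number"\n'
            return 1
            ;;
    esac

    # -F: fixed string, not a regex; -x: whole line; --: end of options.
    if printf '%s\n' "$ALLOWED_CLIDS" | grep -Fxq -- "$clid"; then
        printf 'h323-return-code = 0\n'
        return 0
    fi

    printf 'h323-return-code = 2\n'
    printf 'Reply-Message = "Calling number not allowed"\n'
    return 1
}

# Act on a live request only when radiusd executes this file under its own
# name; when sourced or run under another name, only define the function.
case $0 in
    */callerid.sh|callerid.sh)
        callerid_check
        exit $?
        ;;
esac
```

Installed as /space/radius/callerid.sh it slots into the exec block shown above; the reply pairs are only delivered on the exit-0 path, which is exactly the limitation the two posts describe.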


Re: freeradius 1.0.0 Solaris compile issues

2004-08-26 Thread Kostas Zorbadelos
On Thu, Aug 26, 2004 at 11:15:57AM -0400, Alan DeKok wrote:
 Kostas Zorbadelos [EMAIL PROTECTED] wrote:
  gcc  -fcse-skip-blocks -fexpensive-optimizations -finline-functions 
  -fomit-frame-pointer -O3 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 
  -Wall -D_GNU_SOURCE -DNDEBUG  -I../../include  -I./libeap -c rlm_eap.c -o rlm_eap.o
  In file included from rlm_eap.c:26:
  rlm_eap.h:26: ltdl.h: No such file or directory
 
   You probably did:
 
 $ ./configure --disable-ltdl-install


I did that, but only as a second attempt. In the beginning I just did 
 $ ./configure --prefix=/my/path

 
  I can see that ltdl.h is not in the include path passed to gcc but in
  ./libltdl/ltdl.h. The problem is solved if we use the
  --with-ltdl-include in the configure line 
 
   I don't see why that would be necessary, if you didn't pass any
 other options to configure.
 

So by passing the --prefix option, I couldn't avoid passing 
--with-ltdl-include too?
 
  Making static dynamic in rlm_x99_token...
  make[6]: Entering directory 
  `/space/radius/freeradius-1.0.0/src/modules/rlm_x99_token'
  gcc  -fcse-skip-blocks -fexpensive-optimizations -finline-functions 
  -fomit-frame-pointer -O3 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 
  -Wall -D_GNU_SOURCE -DNDEBUG  -I../../include -DX99_MODULE_NAME=\"rlm_x99_token\"  
  -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
  In file included from x99_rlm.c:54:
  x99.h:26: openssl/des.h: No such file or directory
 
   Hmm... if you don't have openssl, it shouldn't try to use it.
 
   What's the output of ./configure?
 

Output of ./configure is attached in the file.


Kostas

   Alan DeKok.
 
 
 


[EMAIL PROTECTED]:~/freeradius-1.0.0-./configure
loading cache ./config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc -fcse-skip-blocks -fexpensive-optimizations 
-finline-functions -fomit-frame-pointer -O3 -s) works... yes
checking whether the C compiler (gcc -fcse-skip-blocks -fexpensive-optimizations 
-finline-functions -fomit-frame-pointer -O3 -s) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking whether gcc needs -traditional... (cached) no
checking whether we are using SUNPro C... (cached) no
checking for ranlib... (cached) ranlib
checking for AIX... no
checking for gmake... (cached) no
checking for make... (cached) /usr/local/bin/make
checking for lt_dlinit in -lltdl... (cached) yes
checking for Cygwin environment... (cached) no
checking for mingw32 environment... (cached) no
checking host system type... sparc-sun-solaris2.8
checking build system type... sparc-sun-solaris2.8
checking for ld used by GCC... (cached) /usr/ccs/bin/ld
checking if the linker (/usr/ccs/bin/ld) is GNU ld... (cached) no
checking for /usr/ccs/bin/ld option to reload object files... (cached) -r
checking for BSD-compatible nm... (cached) /usr/ccs/bin/nm -p
checking whether ln -s works... (cached) yes
checking how to recognise dependant libraries... (cached) pass_all
checking for object suffix... (cached) o
checking for executable suffix... (cached) no
checking command to parse /usr/ccs/bin/nm -p output... (cached) ok
checking for dlfcn.h... (cached) yes
checking for ranlib... (cached) ranlib
checking for strip... (cached) strip
checking for objdir... .libs
checking for gcc option to produce PIC... (cached)   -fPIC
checking if gcc PIC flag   -fPIC works... (cached) yes
checking if gcc static flag -static works... (cached) yes
checking if gcc supports -c -o file.o... (cached) yes
checking if gcc supports -c -o file.lo... (cached) yes
checking if gcc supports -fno-rtti -fno-exceptions... yes
checking whether the linker (/usr/ccs/bin/ld) supports shared libraries... 
*** Warning: Releases of GCC earlier than version 3.0 cannot reliably
*** create self contained shared libraries on Solaris systems, without
*** introducing a dependency on libgcc.a.  Therefore, libtool is disabling
*** -no-undefined support, which will at least allow you to build shared
*** libraries.  However, you may find that when you link such libraries
*** into an application without using GCC, you have to manually add
*** `gcc --print-libgcc-file-name` to the link command.  We urge you to
*** upgrade to a newer version of GCC.  Another option is to rebuild your
*** current GCC to use the GNU linker from GNU binutils 2.9.1 or newer.

yes
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... no
checking dynamic linker characteristics... solaris2.8 ld.so
checking if libtool supports

Re: raddb/users, having OR conditions

2004-08-25 Thread Kostas Zorbadelos
On Mon, Aug 23, 2004 at 10:15:00PM +0200, Adam KOSA wrote:

I had asked the same question months ago and I was told that it is not
possible...


 Hi List
 
 I'm sorry if this is a basic question here.  I just set up freeradius,
 using it to authenticate to network devices (instead local auth).  I got
 it up almost fine.  In my raddb/users file, i have the following:
 
 test    Auth-Type := Local, User-Password == "test", Simultaneous-Use := 10, Calling-Station-Id == "10.19.5.1"
         Service-Type = Login,
         cisco-avpair = "shell:priv-lvl=15"
 
 I understand that in the first line i can set up conditions, separated
 by commas which all have to be true to permit login.  How can i set up
 an OR condition?  I'm thinking about letting more IP-s in via radius,
 not only allowing login from ip 10.19.5.1.
 
 Currently i duplicated the test user and the second entry has another
 IP - this way i can login from both IP-s.  But i don't like that i had
 to duplicate the password, and every setting.  But being new to
 freeradius i know no more ways.
 
 I'd be grateful if one could describe a solution.
 
 Thanks
 Adam
 
 
 
 





Re: Modify packet proxied to a specific realm [Solved in 2 ways]

2004-06-16 Thread Kostas Zorbadelos
At Tue, 15 Jun 2004 11:55:00 -0400,
Alan DeKok wrote:
 
   Please don't CC me on messages.  I already read the list, and I
 don't need to see the same message twice.

Sorry Alan (replied to all by accident)

  I wanted for every username of the form [EMAIL PROTECTED] to add 3 wispr
  attributes (Location-Id, LocationName and LogoffUrl) to the access request
  packets and 2 attributes (Location-Id, Location-Name) to the
  accounting packets before they get proxied to the home radius.  
 
   In preproxy_users, you should be able to do:
 
 #---
 DEFAULT   User-Name =~ "@testrealm$", Packet-Type == Access-Request
           Wispr-Location-Id = "foo",
           Wispr-LocationName = "bar",
           ...

After adding the files module in the pre-proxy section, it worked like a charm.
Wonderful and elegant configuration (much better than the one I came
up with). Since the attr_rewrite module and
the preproxy_users file are said to be 'experimental', which one would you
recommend for use in a production environment? Is any of this going to
go away in 1.0.0 or the future?

Thanks for everything.
 




Re: Modify packet proxied to a specific realm

2004-06-15 Thread Kostas Zorbadelos
At Mon, 14 Jun 2004 14:09:45 -0400,
Alan DeKok wrote:
 
 Kostas Zorbadelos [EMAIL PROTECTED] wrote:
  I would like to know if and how it is possible to modify an accounting
  and an authentication request
  packet that is going to be proxied to a specific realm. 
 
   Yes.  Use the preproxy section.
 
   Alan DeKok.
 
Thanks Alan, I thought I would. But which module should I use? And how
can I add the attribute(s) I want for a specific realm only?
I think I will focus on the attr_rewrite module but unfortunately it
is not very clear how I can achieve what I want from the sample
configuration in radiusd.conf.

Any other ideas are welcome.






Re: Modify packet proxied to a specific realm [Solved with a few questions]

2004-06-15 Thread Kostas Zorbadelos
At Mon, 14 Jun 2004 14:09:45 -0400,
Alan DeKok wrote:
 
 Kostas Zorbadelos [EMAIL PROTECTED] wrote:
  I would like to know if and how it is possible to modify an accounting
  and an authentication request
  packet that is going to be proxied to a specific realm. 
 
   Yes.  Use the preproxy section.
 
   Alan DeKok.
 
Hello again. Now that I have a working configuration that solves my
problem, I post it to the list for archiving purposes and also a few
clarifications.
I am using version 0.9.3 but I plan to test everything with 1.0.0 pre2
also.

Description of the problem
--------------------------

I wanted for every username of the form [EMAIL PROTECTED] to add 3 wispr
attributes (Location-Id, LocationName and LogoffUrl) to the access request
packets and 2 attributes (Location-Id, Location-Name) to the
accounting packets before they get proxied to the home radius.  

I used the attr_rewrite module with the following config in
radiusd.conf:
attr_rewrite addLocationId {
        attribute = WISPr-Location-ID
        # may be packet, reply, or config
        searchin = packet
        searchfor = "[+ ]"
        replacewith = "isocc=gr,cc=30,ac=21,network=otenet"
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        ## If set to yes then the replace string will be appended to the
        ## original string
        append = yes
}
attr_rewrite addLocationName {
        attribute = WISPr-Location-Name
        # may be packet, reply, or config
        searchin = packet
        searchfor = ""
        replacewith = "OTENET,hotspot"
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        ## If set to yes then the replace string will be appended to the
        ## original string
        append = yes
}
attr_rewrite addLogoffUrl {
        attribute = WISPr-Logoff-URL
        # may be packet, reply, or config
        searchin = packet
        searchfor = ""
        replacewith = "https://192.168.3.3:8443/accountLogoff/home?confirmed=true"
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        ## If set to yes then the replace string will be appended to the
        ## original string
        append = yes
}

1) The pre-proxy section
------------------------

The pre-proxy section in radiusd.conf wasn't what I wanted because the
modifications would happen before the proxy of every packet and not
just packets destined to the specific realm testrealm. After the test
however I noticed that the packets were not modified at all (is this a
bug that is fixed in 1.0.0?)

My configuration

pre-proxy {
        addLocationId
        addLocationName
        addLogoffUrl
}

and the relevant part of the debugging output

rad_recv: Access-Request packet from host 212.205.85.239:4422, id=214, length=103
Acct-Session-Id = 01C3
User-Name = [EMAIL PROTECTED]
User-Password = usera
NAS-IP-Address = 212.205.178.115
NAS-Port = 0
NAS-Port-Type = Virtual
Proxy-State = 0x6f70656e65745f776c616e
modcall: entering group authorize for request 0
...
rlm_realm: Preparing to proxy authentication request to realm testrealm
...
modcall: entering group pre-proxy for request 0
radius_xlat:  'isocc=gr,cc=30,ac=21,network=otenet'
rlm_attr_rewrite: Added attribute WISPr-Location-ID with value 
'isocc=gr,cc=30,ac=21,network=otenet'
  modcall[pre-proxy]: module addLocationId returns ok for request 0
radius_xlat:  'OTENET,hotspot'
rlm_attr_rewrite: Added attribute WISPr-Location-Name with value 'OTENET,hotspot'
  modcall[pre-proxy]: module addLocationName returns ok for request 0
radius_xlat:  'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
rlm_attr_rewrite: Added attribute WISPr-Logoff-URL with value 
'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
  modcall[pre-proxy]: module addLogoffUrl returns ok for request 0
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 1 to 212.205.178.120:1812
User-Name = usera
Acct-Session-Id = 01C3
User-Password = usera
NAS-IP-Address = 212.205.178.115
NAS-Port = 0
NAS-Port-Type = Virtual
Proxy-State = 0x6f70656e65745f776c616e
Proxy-State = 0x323134
...

As you can see the packet was not modified. The same thing happened
for accounting packets also.

2) The solution with autz-type and acct-type
--------------------------------------------

Here is the relevant parts from the working config:

authorize {
        preprocess
        chap

        realmslash
        suffix
        #
        #  Read the 'users' file
        files

        Autz-Type WLANRoaming {
                addLocationId
                addLocationName
Modify packet proxied to a specific realm

2004-06-14 Thread Kostas Zorbadelos

Hello to everyone.
I would like to know if and how it is possible to modify an accounting
and an authentication request
packet that is going to be proxied to a specific realm. 
What I want is to add a specific attribute with a specific value to
every accounting and authentication request packet that is going to be
proxied at realm X before it gets proxied.

I would appreciate any suggestions.
Thanks in advance

Kostas 






Re: Alan is the King!

2004-05-24 Thread Kostas Zorbadelos
At Fri, 21 May 2004 11:03:45 -0300,
RH List Account wrote:
 

This is indeed very interesting. I'll keep it in mind...
(Open source + support = convincing managers to switch!)

 Folks,
 
 I just wanted to publicly thank Alan DeKok for his invaluable assistance
 last week. We had a problem that we were kicking ourselves over and just
 couldn't get.  After a search online, we found www.cladju.org.
 
 I don't think it's well enough publicised here, but Alan does do RADIUS
 consulting, and can make your FreeRADIUS problems go away very very quickly.
 
 If you have a problem, and have found Alan's tireless answering of questions
 on this list to be useful, consider contacting him directly.  
 
 He quickly found our problem, and we have now been able to turn on a new
 service, easily justifying his very modest fee.
 
 Open source is great, but people gotta eat.  Alan, hats off to you.  
 
 
 
 Robert Hof
 Internet Architect
 Transact Bermuda
 
 




Re: User with 2 profiles but different simultaneous-use in each

2004-04-07 Thread Kostas Zorbadelos
At Tue, 6 Apr 2004 12:14:59 +0300 (EEST),
Kostas Kalevras wrote:
 
Dear Kostas
first of all thanks for your answer.
I don't have this module compiled in the binary versions I compiled. I
saw its source code however inside src/modules. Is it an experimental
module that needs to be 'activated' in the configure step?
What is its function exactly? (I know that you are the most relevant
person to ask and I didn't see any documentation for it apart from the
source code)
Using this module can I achieve the locking scenario I want? That is,
when the user is logged in on an ISDN line (has Simultaneous-Use=2)
can I reject him if he tries to log in as ADSL at the same time?

Looking forward to your answer to also learn the role of your module.  

Kostas
   
 On Mon, 5 Apr 2004, Kostas Zorbadelos wrote:
 
 
 
  Hello to everyone.
  I have the following problem where I work. We have a user, let's say
  kzorba that is an ADSL user and has a specific profile (check and
  reply attributes). We want to limit the Simultaneous-Use of
  the user for this service to 1. We also want for the same user to be
  able to use an ISDN 128 backup connection in case his ADSL line has a
  problem. In this case our user has a different profile and
  Simultaneous-Use 2 (in order to be able to login twice for the 2 isdn
  channels). So the question is: how can I lock the user in a way that
  when he uses his ADSL connection, not to be able to connect with ISDN
  at all (that's easy since Simultaneous-Use is 1 in this case and won't
  be allowed to login for anything else) and the opposite (when in as an
  ISDN not to be able to use the ADSL).
  Any suggestions are highly appreciated.
 
 Since you keep different profiles for each connection (ADSL or ISDN) then you
 can add a check item for the NAS-Port-Type (Virtual or ISDN) in each one and use
 rlm_checkval to only allow the corresponding port-type for each profile.
 
 
  Thanks in advance
 
  Kostas
 
  PS: By the way we have our user database in LDAP but I think that's
  irrelevant.
 
 
 
 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf
 



Re: User with 2 profiles but different simultaneous-use in each

2004-04-07 Thread Kostas Zorbadelos
At Wed, 7 Apr 2004 01:36:11 +0400,
Alexander M. Pravking wrote:
 
Alexander thank you very much.
You understood exactly the locking scenario I want to achieve.
Your first post seemed wonderful, too bad it doesn't work. I will
look into rlm_perl if there is no other way.

Thanks again.

Kostas
 
 I'm sorry for misleading you, you can't configure it this way.
 
 On Tue, Apr 06, 2004 at 09:46:33AM +0400, Alexander M. Pravking wrote:
  On Mon, Apr 05, 2004 at 08:16:24PM +0300, Kostas Zorbadelos wrote:
   Hello to everyone.
   I have the following problem where I work. We have a user, let's say
   kzorba that is an ADSL user and has a specific profile (check and
   reply attributes). We want to limit the Simultaneous-Use of
   the user for this service to 1. We also want for the same user to be
   able to use an ISDN 128 backup connection in case his ADSL line has a
   problem. In this case our user has a different profile and
   Simultaneous-Use 2 (in order to be able to login twice for the 2 isdn
   channels). So the question is: how can I lock the user in a way that
   when he uses his ADSL connection, not to be able to connect with ISDN
   at all (that's easy since Simultaneous-Use is 1 in this case and won't
   be allowed to login for anything else) and the opposite (when in as an
   ISDN not to be able to use the ADSL). 
   Any suggestions are highly appreciated.
  
  You could do it in authorize {} section instead of session {}.
  Say you have defined 2 attrs (e.g. of type integer): ADSL-Up and ISDN-Up.
  Assuming you have accounting in SQL, you could do:
  
  ADSL-Up := `%{sql:SELECT count(*) FROM radacct WHERE UserName = '%u' AND 
  NASPortType = 'Ethernet' AND AcctStopTime IS NULL}`
  ISDN-Up := `%{sql:SELECT count(*) FROM radacct WHERE UserName = '%u' AND 
  NASPortType = 'ISDN' AND AcctStopTime IS NULL}`
  
  (Note the backquotes; the behaviour can change soon.)
 
 That's fine. But... These attributes should go into config items,
 so you cannot use users file to check them, since attributes being
 checked are always taken from the request:
 
  Then put 2 entries in users file:
  DEFAULT NAS-Port-Type == ISDN, ADSL-Up > 0, Auth-Type := Reject
          Reply-Message := "You have your ADSL up, ISDN connections disabled"
  
  DEFAULT NAS-Port-Type == Ethernet, ISDN-Up > 0, Auth-Type := Reject
          Reply-Message := "To use ADSL, first stop your backup ISDN connections"
 
 Instead, you can use rlm_perl (I'd recommend post-auth section, but then you
 should patch rlm_perl a little ;-):
 
 sub authorize {
     # Check items computed by the sql xlat above; '>' restored here, the
     # comparison operator had been lost in the archived copy.
     if ($RAD_REQUEST{'NAS-Port-Type'} eq 'ISDN'
         and $RAD_CHECK{'ADSL-Up'} > 0) {
 
         $RAD_REPLY{'Reply-Message'} =
             "You have your ADSL up, ISDN connections disabled";
         return RLM_MODULE_REJECT;
     }
 
     if ($RAD_REQUEST{'NAS-Port-Type'} eq 'Ethernet'
         and $RAD_CHECK{'ISDN-Up'} > 0) {
 
         $RAD_REPLY{'Reply-Message'} =
             "To use ADSL again, first stop your backup ISDN connections";
         return RLM_MODULE_REJECT;
     }
     return RLM_MODULE_NOOP;
 }
 
 -- 
 Fduch M. Pravking
 



[Resend]: Error in sql module causes freeradius to stop functioning

2004-04-07 Thread Kostas Zorbadelos


Hi to everyone.
I sent this a week ago. Has this been answered before or is it not
clear somehow? I searched the archives and found nothing. If I can
help giving more information please let me know. I would really like
to know about this behaviour.

Thanks in advance.



Error in sql module causes freeradius to stop functioning

2004-04-01 Thread Kostas Zorbadelos


Hello to everyone.
Yesterday I installed freeradius-0.9.3 on a Solaris 2.7 production
environment. I use the sql module and Oracle as my database to store
accounting. I first try to store the accounting data in the database
and afterwards I write them to files with the detail module. The
problem is that sometimes I get data that fail to be inserted in my
database (wrong size, stupid error), so I see the following in
radius.log:


...
Thu Apr  1 15:55:13 2004 : Error: rlm_sql_oracle: execute query failed
in sql_query: ORA-01401: inserted value too large for column 
Thu Apr  1 15:55:13 2004 : Auth: Login OK: [EMAIL PROTECTED] (from
client fworks port 352 cli 2221038953) 
Thu Apr  1 15:55:14 2004 : Error: rlm_sql_oracle: execute query failed
in sql_query: ORA-01401: inserted value too large for column 
Thu Apr  1 15:55:14 2004 : Error: rlm_sql (sql1): failed after re-connect
Thu Apr  1 15:55:14 2004 : Error: rlm_sql: Couldn't insert SQL
accounting STOP record - ORA-01401: inserted value too large for column
Thu Apr  1 15:55:18 2004 : Error: rlm_sql_oracle: execute query failed
in sql_query: ORA-01401: inserted value too large for column
Thu Apr  1 15:55:18 2004 : Error: rlm_sql_oracle: execute query failed
in sql_query: ORA-01401: inserted value too large for column
Thu Apr  1 15:55:18 2004 : Error: rlm_sql (sql1): failed after re-connect
Thu Apr  1 15:55:18 2004 : Error: rlm_sql: Couldn't insert SQL
accounting STOP record - ORA-01401: inserted value too large for column
Thu Apr  1 15:55:21 2004 : Auth: Login OK: [EMAIL PROTECTED] (from
client fworks port 0 cli 2104131605) 
...


The error is very clear and I found the problem data. As I can
understand, when a query fails, the sql module will try to execute the
alternative query (if it exists) and if this also fails it reconnects
to the db and tries one more time. Is this correct?
Anyway, the radius server keeps servicing other requests and after a
few such failures, the whole server stops functioning!
Is this correct behaviour? Shouldn't the server keep working, servicing
other requests? Is there some sort of threshold of errors after which
the server stops functioning? Should we consider that a bug? (At first
sight it seems this way.)



My configuration regarding accounting follows below.

#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
        preprocess

        #
        #  Look for IPASS-style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
        #
        #  Accounting requests are generally proxied to the same
        #  home server as authentication requests.
#       realmslash
        suffix

        #
        #  Read the 'acct_users' file
        files
}

#
#  Accounting.  Log the accounting data.
#
accounting {
        #
        #  Ensure that we have a semi-unique identifier for every
        #  request, and many NAS boxes are broken.
        acct_unique

        #
        #  Create a 'detail'ed log of the packets.
        #  Note that accounting requests which are proxied
        #  are also logged in the detail file.
#       detail
#       daily

#       unix            # wtmp file

        #
        #  For Simultaneous-Use tracking.
        #
        #  Due to packet losses in the network, the data here
        #  may be incorrect.  There's little we can do about it.
#       radutmp
#       sradutmp

        #  Return an address to the IP Pool when we see a stop record.
#       main_pool
        # see acct_users file
        Acct-Type SQL1 {
                sql1
                detail
        }
}

The acct_users file:


DEFAULT Acct-Type := SQL1


Thank you in advance.

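As an added illustration (not code from the thread or from FreeRADIUS): a small Python scan over radius.log lines in the format quoted above. It counts the ORA-* codes and the accounting records the sql module could not store, and flags a burst of "failed after re-connect" errors from one sql instance, so the condition that preceded the hang can be alarmed on before the server stops answering. The sample log lines are constructed; user and client names are placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the radius.log format quoted above (user and client
# names are placeholders; FreeRADIUS writes each message on a single line).
SAMPLE_LOG = """\
Thu Apr  1 15:55:13 2004 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-01401: inserted value too large for column
Thu Apr  1 15:55:13 2004 : Auth: Login OK: [user@example.net] (from client fworks port 352 cli 2221038953)
Thu Apr  1 15:55:14 2004 : Error: rlm_sql (sql1): failed after re-connect
Thu Apr  1 15:55:14 2004 : Error: rlm_sql: Couldn't insert SQL accounting STOP record - ORA-01401: inserted value too large for column
Thu Apr  1 15:55:18 2004 : Error: rlm_sql (sql1): failed after re-connect
Thu Apr  1 15:55:18 2004 : Error: rlm_sql: Couldn't insert SQL accounting STOP record - ORA-01401: inserted value too large for column
Thu Apr  1 15:55:21 2004 : Auth: Login OK: [user@example.net] (from client fworks port 0 cli 2104131605)
"""

LINE_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : (\w+): (.*)$")
RECONNECT_RE = re.compile(r"rlm_sql \((\w+)\): failed after re-connect")
LOST_RE = re.compile(r"Couldn't insert SQL accounting (\w+) record")
ORA_RE = re.compile(r"\bORA-\d{5}\b")

def parse_line(line):
    """Split one radius.log line into (timestamp, level, message), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2), m.group(3)

def sql_failure_summary(log_text, window=timedelta(seconds=30), threshold=2):
    """Count Oracle error codes and accounting records the sql module dropped;
    set `alert` when one sql instance logs >= threshold 'failed after
    re-connect' events within `window` (the run-up to the hang in the post)."""
    ora_codes, lost_records, reconnects = Counter(), Counter(), Counter()
    recent, alert = {}, False  # instance -> reconnect-failure times in window
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None or parsed[1] != "Error":
            continue
        ts, _, msg = parsed
        ora_codes.update(ORA_RE.findall(msg))
        lost_records.update(LOST_RE.findall(msg))
        m = RECONNECT_RE.search(msg)
        if m:
            inst = m.group(1)
            reconnects[inst] += 1
            recent[inst] = [t for t in recent.get(inst, []) if ts - t <= window] + [ts]
            alert = alert or len(recent[inst]) >= threshold
    return {"ora": dict(ora_codes), "lost": dict(lost_records),
            "reconnect_failures": dict(reconnects), "alert": alert}
```

Each dropped STOP record is an accounting gap (a session with no recorded end), which is worth tracking on its own even when the server keeps running.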


HUP signal does not always work in Solaris

2004-04-01 Thread Kostas Zorbadelos

Hello.
On Solaris 2.7 I compiled the latest freeradius release (0.9.3) with
gcc 2.95.3. I use it in a production environment with the sql module
and an Oracle database.
When I change a configuration file and send the HUP signal to the
server, sometimes the server is killed. I also notice that on the
occasions when HUP works, the connections to the database are closed
and then re-opened. Does this have to do with the db or is it a
freeradius problem?
For any information I can provide to trace the problem, please let me
know.

Thanks in advance.

Kostas
