Re: UDPFROMTO and Proxy Problem

2004-10-21 Thread Raimund Sacherer
Hi Nicolas, Thomas!

Here is a more detailed description of our scenario: 


                 +--------------+
  +---+          | NAS/Roaming  |   (NAS/Roaming Partner may not be
  | 1 |          | RadiusServer |   part of our Network and can have their
  +---+          +--------------+   own Public/Private IP Networks)
                        |
                        |
                        |
                 +--------------+
                 | Our          |
    +------------| FireWall/    |
    |            | IPSEC        |
    |            | Tunnel       |
    |            | Endpoint     |
    |            +--------------+
    |                   |
    |    +---+          |
    |    | 2 |     +----+----+
    |    +---+     |         |
    |    Clients which   Clients with
    |    comes from      direct
    |    IPSec Tunnels   Internet Access
    |              |         |
    |              |         |
    |           eth0:1      eth0
    |         10.0.0.10  62.62.62.62
    |              |         |
    |         +--------------+
    |         | Our          |-eth1---[internal AdminLan]
    |         | RadiusServer |
    |         +--------------+
    |              |         |
    |   +---+   eth0:1      eth0
    |   | 3 |  10.0.0.10  62.62.62.62
    |   +---+      |         |
    +--------------+---------+


1. Packet comes from NAS or from a Roaming Partner, either from internet
or via IPSEC Tunnel, which terminates on Our Firewall.

2. The Firewall routes the Packet to our Radius Server.

3. The radius server auth/acct local realms and proxies all other realms
to the appropriate foreign radius proxy/server back via Our Firewall.
If the packet has to go to a partner which needs an IPSEC Tunnel it is
proxied over eth0:1, otherwise over eth0.

That's the point of our problem.

In our case the default gateway points to the public ip_address of the
internal interface of Our Firewall. For a Proxy Packet the
Packet->src_ipaddr is empty. As the sendmsg function has no src_ipaddr
it uses the default gateway as src_ipaddr for this packet. Therefore the
IPSEC tunnel on Our Firewall discards the proxy packet because they
expect the packet from 10.0.0.10 (LeftSide/RightSide IPSEC). Even if the
IPSEC tunnel would allow our packets, the foreign radius server would
silently discard the packet as it uses the wrong src_ipaddr.

In your scenario you are directly connected to the networks where your
proxyserver resides so you don't need to use a default gateway to reach
your servers.

My previously posted patch adds configuration items for the proxy.conf
config file where you can define the ip_addr which should be used for
each Realm.

I would be glad if someone can confirm this as a problem and my patch as
the right solution ;-)

For our 2nd problem I stated previously in this thread (that the above
scenario is NOT working if eth0:1 is a physical interface) we will
rebuild our test scenario to post better debugging information.

best regards

Raimund Sacherer


On Wed, 2004-10-20 at 16:34 +0200, Thomas MARCHESSEAU wrote:
 Hi Raimund,
 
 Nicolas and I did some tests on proxy forwarding; we use this model:
 
                    CLIENT 172.16.69.1
                           |
                        vlan 69
                           |
                    172.16.69.3 (virtual ip handled by keepalived)
                           |
                    172.16.69.2 (eth2)
                           |
                +----------------------+
                | PROXY with udpfromto |
                | and bind_addr *      |
                | ldflag = round_robin |
                +----------------------+
                   |               |
                 eth0            eth3
             192.168.7.241   10.17.1.243
                   |               |
                   |               |
           +-vlan7-+               +-vlan1017--+
           |                                   |
           |                                   |
   +---------------+                   +---------------+
   | Radius Srv    |                   | Radius Srv    |
   | 192.168.7.243 |                   | 10.17.10.242  |
   +---------------+                   +---------------+
 
 
 We hope that it matches your goal.
 
 1/
 rad_recv: Access
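
The source-address behaviour discussed in the message above, as an added example (it is not part of any message in this thread and is not FreeRADIUS or udpfromto code). It uses the Linux IP_PKTINFO socket option to learn which local address a datagram was sent to and to pin the source address of an outgoing datagram; the same send routine covers a proxy packet sent from a configured per-realm address. The function names are hypothetical, and 127.0.0.2 is a constructed stand-in for the server's second address so the demo runs on loopback.

```c
#define _GNU_SOURCE             /* exposes struct in_pktinfo on glibc */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/uio.h>
#include <unistd.h>

/* Receive a datagram and report which local address it was addressed to. */
static ssize_t recv_fromto(int fd, void *buf, size_t len,
                           struct sockaddr_in *from, struct in_addr *to)
{
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg = { .msg_name = from, .msg_namelen = sizeof(*from),
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    ssize_t n = recvmsg(fd, &msg, 0);
    to->s_addr = htonl(INADDR_ANY);
    if (n < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof(pi));
            *to = pi.ipi_addr;          /* destination from the IP header */
        }
    return n;
}

/* Send a datagram from an explicit local address. With src == INADDR_ANY the
 * routing table picks the source, which is what the thread ran into. */
static ssize_t send_fromto(int fd, const void *buf, size_t len,
                           struct in_addr src, const struct sockaddr_in *dst)
{
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg = { .msg_name = (void *)dst, .msg_namelen = sizeof(*dst),
                          .msg_iov = &iov, .msg_iovlen = 1 };
    if (src.s_addr != htonl(INADDR_ANY)) {
        struct in_pktinfo pi = { .ipi_spec_dst = src };  /* source to use */
        struct cmsghdr *c;
        memset(cbuf, 0, sizeof(cbuf));
        msg.msg_control = cbuf;
        msg.msg_controllen = sizeof(cbuf);
        c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = IPPROTO_IP;
        c->cmsg_type = IP_PKTINFO;
        c->cmsg_len = CMSG_LEN(sizeof(pi));
        memcpy(CMSG_DATA(c), &pi, sizeof(pi));
    }
    return sendmsg(fd, &msg, 0);
}

/* Loopback demo, constructed addresses: a server bound to 0.0.0.0 is queried
 * on service_ip by a client at 127.0.0.1. Returns 1 if the reply arrives from
 * service_ip, 0 if it arrives from another address, -1 on error. */
int reply_source_matches(const char *service_ip, int pin_source)
{
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0);
    int on = 1, result = -1;
    struct timeval tv = { .tv_sec = 2 };
    struct sockaddr_in sa = { .sin_family = AF_INET }, ca = sa, peer, rsrc;
    socklen_t slen = sizeof(sa), rlen = sizeof(rsrc);
    struct in_addr to, any = { .s_addr = htonl(INADDR_ANY) };
    char buf[32];
    ca.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (srv < 0 || cli < 0 ||
        setsockopt(srv, IPPROTO_IP, IP_PKTINFO, &on, sizeof(on)) < 0 ||
        setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0 ||
        setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0 ||
        bind(srv, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        bind(cli, (struct sockaddr *)&ca, sizeof(ca)) < 0 ||
        getsockname(srv, (struct sockaddr *)&sa, &slen) < 0 ||
        inet_pton(AF_INET, service_ip, &sa.sin_addr) != 1)
        goto out;
    /* request to service_ip, reply with or without a pinned source */
    if (sendto(cli, "req", 3, 0, (struct sockaddr *)&sa, sizeof(sa)) == 3 &&
        recv_fromto(srv, buf, sizeof(buf), &peer, &to) == 3 &&
        send_fromto(srv, "rep", 3, pin_source ? to : any, &peer) == 3 &&
        recvfrom(cli, buf, sizeof(buf), 0, (struct sockaddr *)&rsrc, &rlen) == 3)
        result = (rsrc.sin_addr.s_addr == sa.sin_addr.s_addr);
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return result;
}

int main(void)
{
    printf("source left to routing: match=%d\n", reply_source_matches("127.0.0.2", 0));
    printf("source pinned:          match=%d\n", reply_source_matches("127.0.0.2", 1));
    return 0;
}
```

With the source left to the routing table the reply comes back from 127.0.0.1 and a client that checks the responder's address would drop it; with the source pinned it comes back from the address that was queried.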

Re: UDPFROMTO and Proxy Problem

2004-10-12 Thread Raimund Sacherer
Here is our Scenario which is working now:

Some Partners depend on an IPSec tunnel.


              +--------------+
              | Our          |
              | RadiusServer |
              +--------------+
                |         |
             eth0:1      eth0
           10.0.0.10  62.62.62.62
                |         |
                |         |
                |         |
                |         |
 +-IPSec Tunnel-+         +-Internet--+
 |                                    |
 |                                    |
+------------------+   +------------------+
| Other Radius Srv |   | Other Radius Srv |
| from RoamPartner |   | from RoamPartner |
+------------------+   +------------------+



If eth0:1 is another physical device (e.g. eth1) then it is NOT working.
Netstat -uan displays that the radius server is listening on all
(interfaces/ip-addresses) on port 1814. 

Sending a request package to our Roaming Partner is working (from the
correct IP also), but the response from the Roaming Partner is not
recognized by our Radius Server, but tcpdump shows that the Roaming
Partner sends a response (either Access Reject or Access Accept) and
that it's incoming on our interface (eth1).

If I move the IP from eth1 to eth0:1 as an alias, all is working again.

Strange is, if I locally connect with netcat to eth1 udp port 1814, our
Radius Server IS answering.

I do not really know where the problem exists, it works with IP aliases,
but I would feel much more secure if we can find a working solution for
eth1 also.

Here is an example from our configuration:

--- SNIP radiusd.conf---
#bind_address = *
#bind_address = 10.0.0.10

listen {
    ipaddr = 10.0.0.10
    type = auth
}

listen {
    ipaddr = 10.0.0.10
    type = acct
}

listen {
    ipaddr = 62.62.62.62
    type = auth
}

listen {
    ipaddr = 62.62.62.62
    type = acct
}
--- SNIP ---

--- SNIP proxy.conf---
proxy server {
    synchronous = no
    retry_delay = 10
    retry_count = 6
    dead_time = 0
    default_fallback = no
    post_proxy_authorize = no
    proxyip = 62.62.62.62
}

realm veryFrightenedRoamingPartner {
    type     = radius
    authhost = 172.172.172.172:1812
    accthost = 172.172.172.172:1813
    proxyip  = 10.10.10.10
    secret   = SECRET
}
--- SNIP ---


On Tue, 2004-10-12 at 16:47 +0200, Raimund Sacherer wrote:
 Hi,
 
 I compiled freeradius (1.0.1) with the UDPFROMTO configure option and I
 applied the patch from Nicolas
 (http://www.mail-archive.com/[EMAIL PROTECTED]/msg09417.html)
 and now receiving/sending local auth/acct packets with more than one IP
 address works as expected.
 
 There were two problems with proxying. First, I listen on 2 IP
 addresses; if those were on different interfaces (eth0/eth1) it is not
 working. The problem is, the packet is sent to the roaming partner, but
 the response is not recognized by freeradius (where a local test with
 netcat is recognized), but I can see it clearly with tcpdump.
 
 It works well if these 2 IP addresses are on the same interface (with
 ip-alias).
 
 The second problem with proxying is that it used the interface which was
 defined to send data to the standard gateway as the src IP address for
 sending proxy packets.
 
 That was a problem for our scenario, as we have roaming partners which
 are listening for our packets on the first IP and others on the other;
 therefore I patched freeradius to accept in the realm configuration
 another parameter which tells the proxy_send method which src IP it
 should use to send the data. This is working and solved this second
 problem. I have the patch attached and would be happy if it made its
 way into the source.
 
 Technical Detail about the Patch:
 1. Add Proxy IP Address to CONF_PARSER proxy_config[], MAIN_CONFIG_T and
 into the REALM struct.
 
 2. In generate_realms check if there is a proxy_ip set for this realm or
 a global (mainconfig.proxy_ipaddr) one. If so, apply it.
 
 3. In proxy_send check if in the REALM is an IP address set, if so, set
 it in request->proxy->src_ipaddr so we have a src IP.
 
 
 --- snip ---
 
 --- freeradius-1.0.0-pre2/src/include/radiusd.h   2004-10-04
 10:27:37.0 +0200
 +++ /tmp/freeradius-1.0.0-pre2-ewave/src/include/radiusd.h2004-10-12
 12:45:24.353286104 +0200
 @@ -124,6 +124,7 @@
   charserver[64];
   characct_server[64];
   uint32_tipaddr; /* authentication */
 + uint32_tproxy_ipaddr;   /* proxy via interface, rsacherer */
   uint32_tacct_ipaddr;
   u_char  secret[32];
   time_t  last_reply; /* last time we saw a packet */
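
Review bot: the comment on the added proxy_ipaddr field ("proxy via interface, rsacherer") does not say what the value is. The fields around it, ipaddr and acct_ipaddr, hold addresses of the realm's servers, while this one holds a local source address, so the comment should say that, give the byte order it is stored in, and say which value means "not set". The author tag belongs in the change log rather than in the struct.
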
 @@ -194,6 +195,7 @@
   int

Re: received response to request we did not send

2004-10-12 Thread Raimund Sacherer
I sent another mail to the user list today which (hopefully) explains my
problem a little better!

regards ;-)



On Mon, 2004-10-11 at 14:45 +0200, Nicolas Baradakis wrote:
 Raimund Sacherer wrote:
 
 [...]
 
  But THERE is somewhere a problem I could not figure out until now:
 
  If the 62.4 and the 10.4 are on different interfaces
  (eth0=62.4/eth1=10.4) the packet is sent to the roaming partner and the
  roaming partner answers (I verified it with tcpdump) BUT the radius
  server did not seem to receive this packet.
 
 I'm not sure I understand the whole explanation. Please specify who is
 the radius client, who is the proxy and who is the server. (an ascii
 schema can help, too)
 
  I tried from localhost to connect with netcat to the proxy port 1814 and
  the server received something (as I typed nonsense, it puts malformed
  packet in the logfile, but it was receiving something).
 
  Netstat displayed the 62.4 and 10.4 listening on 1812 and 1813 and *
  (0.0.0.0) listening on 1814.
 
 In radiusd.conf, are you using the directive bind_address
 or listen ?
 
  Currently our implementation works very well and I also could create a
  heartbeat interface now, as it is possible to listen on more
  IP addresses, but it is not a clean solution; I want to fix this proxy
  behavior in the right way and put my patches into radius itself soon, as
  it seems without these outstanding fixes the UDPFROMTO patch is not
  complete!
 
 Is this the final setup you want to implement ?
 
                                    proxy1 eth0
                               +--- 62.4.e.f
 client 1       vip 1          |
 62.4.a.b ----- 62.4.c.d ------|    proxy1 eth1
                               |  +--- 10.4.g.h
                               |  |
                               |  |   proxy2 eth0
                               +--|--- 62.4.m.n
 client 2       vip 2             |
 10.4.i.j ----- 10.4.k.l ---------|   proxy2 eth1
                                  +--- 10.4.o.p
 
 




Re: received response to request we did not send (was: freeradius1.0.0 pre2)

2004-10-07 Thread Raimund Sacherer
Hello Nicolas, and all others too!

I tried this patch and it worked partially.
I have to note we are currently using the 1.0.0 pre2 release.

I think I need to describe our scenario.

We used to bind our roamingpartners with an ipsectunnel which terminates
on private ip's (let's call them 10.4). 

Now we want our new roamingpartners to use public ip addresses (62.4)
without tunnels, but to leave the old roamingpartners enough time (and
we know some would not change it) to change we want the server to listen
to both ip addresses, the 10.4 and the 62.4.

With the UDPFROMTO option and the patch from Nicolas this works great
for local auth/acct, but it does not work for roaming.

If the server wants to roam, the src IP address field in the packet
field was empty, so I presumed the kernel chose the IP to send from and
it seemed so, as it took the IP which was used to send to the default
gateway.

I patched the freeradius server so I can add in the proxy.conf file for
every realm a proxyiface option which defines the IP address which
should be used for proxying. If the src address in the packet is empty,
I take the IP from the proxy.conf and it seemed to work.

But THERE is somewhere a problem I could not figure out until now:

If the 62.4 and the 10.4 are on different interfaces
(eth0=62.4/eth1=10.4) the packet is sent to the roaming partner and the
roaming partner answers (I verified it with tcpdump) BUT the radius
server did not seem to receive this packet.

I tried from localhost to connect with netcat to the proxy port 1814 and
the server received something (as I typed nonsense, it puts malformed
packet in the logfile, but it was receiving something).

Netstat displayed the 62.4 and 10.4 listening on 1812 and 1813 and *
(0.0.0.0) listening on 1814.

After that I tried to make 10.4 an alias on the eth0 interface (eth0:1)
and since that time it worked perfectly!

Right now I talked with our network guy and he told me that it could be
that listening on * (as for proxying is done) differs between listening
on all IP addresses and listening on all devices, so that there are some
interface-binding problems, but I do not know.

Currently our implementation works very well and I also could create a
heartbeat interface now, as it is possible to listen on more
IP addresses, but it is not a clean solution; I want to fix this proxy
behavior in the right way and put my patches into radius itself soon, as
it seems without these outstanding fixes the UDPFROMTO patch is not
complete!

Best regards and hope of much helping heads ;-)

Raimund Sacherer



On Wednesday, 15.09.2004, at 16:48 +0200, Nicolas Baradakis wrote:
 Raimund Sacherer wrote:
 
  we want the server to listen on 2 interfaces, but there is a problem: if
  I tell it to bind to * (any device) it seems to NOT send the package out
  to the client on the same interface it got in; in fact, it seems it's
  randomly choosing on which interface it sends the package out.
  
  so, the client sends to X.X.X.X but the reply comes from X.X.X.Y and
  the client does not accept the package ...
  
  is this a bug or am I missing something?
 
 I ran into a similar problem a long time ago. A patch was submitted on
 the development list[1], but it's not enabled by default. You have to
 build the server with:
 $ ./configure --with-udpfromto
 
 [1] http://lists.cistron.nl/archives/freeradius-devel/2003/09/frm00034.html
 
 It solved the problem of received response to request we did not send
 for me with Freeradius 0.9.x
 
 However I recently tested 1.0.0 version and found out that a line of
 the patch was not included in the source tree. And it looks like I
 found a volunteer to test the following patch :-)
 
 Index: src/main/mainconfig.c
 ===
 RCS file: /source/radiusd/src/main/mainconfig.c,v
 retrieving revision 1.39
 diff -u -r1.39 mainconfig.c
 --- src/main/mainconfig.c 10 Jun 2004 18:23:10 -  1.39
 +++ src/main/mainconfig.c 15 Sep 2004 13:38:01 -
 @@ -49,6 +49,9 @@
  #include grp.h
  #include pwd.h
  
 +#ifdef WITH_UDPFROMTO
 +#include udpfromto.h
 +#endif
  
  #ifdef HAVE_SYSLOG_H
  #include syslog.h
 @@ -935,7 +938,13 @@
   if (this-fd  0) {
   return -1;
   }
 - 
 +
 +#ifdef WITH_UDPFROMTO
 + if (udpfromto_init(this-fd) != 0) {
 + radlog(L_ERR|L_CONS, ERROR: udpfromto init failed.);
 + }
 +#endif
 +
   sa = (struct sockaddr_in *) salocal;
   memset ((char *) sa, '\0', sizeof(salocal));
   sa-sin_family = AF_INET;
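
Review bot: in the second hunk a failing udpfromto_init() is only logged, and the function then carries on to set up and bind the socket. A listener created that way would answer from whatever source address the routing table picks, which is the symptom this change is meant to remove, so the failure should be fatal at this point, as the descriptor check just above it is: close the descriptor and return -1. The log line would also be more useful with the listener's address and the errno text in it.
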
 
 




Re: received response to request we did not send (was: freeradius 1.0.0 pre2)

2004-09-16 Thread Raimund Sacherer
Yes my Friend! ;-) I am your volunteer ;-)

asapest I will set up this patch in our test lab and create the package;
if in our test environment all goes well I will deploy this on our
servers and we could send this patch to the development mailing list :-)

On Wednesday, 15.09.2004, at 16:48 +0200, Nicolas Baradakis wrote:
 Raimund Sacherer wrote:
 
  we want the server to listen on 2 interfaces, but there is a problem: if
  I tell it to bind to * (any device) it seems to NOT send the package out
  to the client on the same interface it got in; in fact, it seems it's
  randomly choosing on which interface it sends the package out.
  
  so, the client sends to X.X.X.X but the reply comes from X.X.X.Y and
  the client does not accept the package ...
  
  is this a bug or am I missing something?
 
 I ran into a similar problem a long time ago. A patch was submitted on
 the development list[1], but it's not enabled by default. You have to
 build the server with:
 $ ./configure --with-udpfromto
 
 [1] http://lists.cistron.nl/archives/freeradius-devel/2003/09/frm00034.html
 
 It solved the problem of received response to request we did not send
 for me with Freeradius 0.9.x
 
 However I recently tested 1.0.0 version and found out that a line of
 the patch was not included in the source tree. And it looks like I
 found a volunteer to test the following patch :-)
 
 Index: src/main/mainconfig.c
 ===
 RCS file: /source/radiusd/src/main/mainconfig.c,v
 retrieving revision 1.39
 diff -u -r1.39 mainconfig.c
 --- src/main/mainconfig.c 10 Jun 2004 18:23:10 -  1.39
 +++ src/main/mainconfig.c 15 Sep 2004 13:38:01 -
 @@ -49,6 +49,9 @@
  #include grp.h
  #include pwd.h
  
 +#ifdef WITH_UDPFROMTO
 +#include udpfromto.h
 +#endif
  
  #ifdef HAVE_SYSLOG_H
  #include syslog.h
 @@ -935,7 +938,13 @@
   if (this-fd  0) {
   return -1;
   }
 - 
 +
 +#ifdef WITH_UDPFROMTO
 + if (udpfromto_init(this-fd) != 0) {
 + radlog(L_ERR|L_CONS, ERROR: udpfromto init failed.);
 + }
 +#endif
 +
   sa = (struct sockaddr_in *) salocal;
   memset ((char *) sa, '\0', sizeof(salocal));
   sa-sin_family = AF_INET;
 
 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius 1.0.0 pre2

2004-09-15 Thread Raimund Sacherer
Hello!

we are using the freeradius server 1.0.0 pre2.

we want the server to listen on 2 interfaces, but there is a problem: if
I tell it to bind to * (any device) it seems to NOT send the package out
to the client on the same interface it got in; in fact, it seems it's
randomly choosing on which interface it sends the package out.

so, the client sends to X.X.X.X but the reply comes from X.X.X.Y and
the client does not accept the package ...

is this a bug or am I missing something?

thx and regards

Ray



Re: freeradius 1.0.0 pre2

2004-09-15 Thread Raimund Sacherer
for further information:

we need the radius server to listen on more interfaces because we have
some hardware which can work only with ONE radius entry (annoyingly, one
of these clients is a cisco machine *sigh*) and for these machines we want
to supply a fail-over interface which is maintained and triggered via
heartbeat so it switches over to the other server on failure.

with this scenario we can manage clients which work correctly with more
than one radius server and also the others in a safe manner.

regards

raimund

On Wednesday, 15.09.2004, at 09:37 +0200, Raimund Sacherer wrote:
 Hello!
 
 we are using the freeradius server 1.0.0 pre2.
 
 we want the server to listen on 2 interfaces, but there is a problem: if
 I tell it to bind to * (any device) it seems to NOT send the package out
 to the client on the same interface it got in; in fact, it seems it's
 randomly choosing on which interface it sends the package out.
 
 so, the client sends to X.X.X.X but the reply comes from X.X.X.Y and
 the client does not accept the package ...
 
 is this a bug or am I missing something?
 
 thx and regards
 
 Ray
 


Re: Is Release 1.0.0 available?

2004-07-26 Thread Raimund Sacherer
just curious ..., what's a toddler? ;-)

congratulations from me too :)

regards

On Mon, 2004-07-26 at 14:15 +0100, Graeme Hinchliffe wrote:
 On Thu, 2004-07-22 at 22:25, Alan DeKok wrote:
  David [EMAIL PROTECTED] wrote:
   I saw on the list last week that 1.0.0 was just about ready and I have
   seen some other posts referring to 1.0.0 , is 1.0.0 ready for download yet?
  
No.  I was going to release it last Friday, but my wife released
  Baby 1.0 first.  That took priority, oddly enough.
  
Give me a few days to sleep...
 
 congratulations!, welcome to the world of parenting and sleepless nights
 of stress :)
 
 enjoy your few days of sleep (if you get them) you may not be getting
 any more for a while :)
 
 Congratulations...
 
 (I have both baby 2.0 and Toddler 1.0 at home :) )
 



Re: +++ only 1 radius +++

2004-07-12 Thread Raimund Sacherer
make a ps axH, you should notice that there ARE more threads, they are
only represented under the same process ID.

maybe the thread handling is backported to the 2.4.20 kernel, but I think
this is strange as I had 2.4.2x kernels with additional threads... maybe
your kernel has different patches; nonetheless, if you do not see your 5
threads with ps axH you have another problem.

regards

On Mon, 12.07.2004, at 15:17, Rogerio Albandes wrote:
 Hello.
 
 box with 1 thread:
 Linux mail2 2.4.20-20.9 #1 Mon Aug 18 11:37:49 EDT 2003 i686 athlon i386
 GNU/Linux
 
 box with 5 threads:
 Linux proxy-radius 2.4.18-3 #1 Thu Apr 18 07:31:07 EDT 2002 i586 unknown
 
 Another with 5 threads:
 Linux mysql1-pet.pipegrep.com.br 2.6.5-1.358 #1 Sat May 8 09:00:01 EDT 2004
 i586 i586 i386 GNU/Linux
 
 
 But, with 1 thread work well 
 
 TIA
 
 
 
 - Original Message -
 From: Raimund Sacherer [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, July 12, 2004 9:49 AM
 Subject: Re: +++ only 1 radius +++
 
 
 that seems quite ok,
 
 if you check I believe you will find out that on one computer you are
 using a kernel 2.4 and on the other a kernel 2.6.
 
 The new kernel 2.6 has a changed thread handling, so that threads are
 shown with the process ID of the main process, as you can see with:
 
 ps axH
 
 For reasons I do not know ps afxH is not working (f in combination with
 H).
 
 best regards
 
 
 On Mon, 12.07.2004, at 14:28, Rogerio Albandes wrote:
  Hello,
 
  Excuse for my bad english.
 
  Mysql radius start with only 1 process:
 
  30464 ?S  0:00 /usr/local/sbin/radiusd -y
 
  In another machine its OK:
 
  2164 ?S  0:01 /usr/local/sbin/radiusd -y
   2167 ?S  0:00  \_ /usr/local/sbin/radiusd -y
   2168 ?S  0:02  \_ /usr/local/sbin/radiusd -y
   2169 ?S  0:02  \_ /usr/local/sbin/radiusd -y
   2170 ?S  0:02  \_ /usr/local/sbin/radiusd -y
   2171 ?S  0:02  \_ /usr/local/sbin/radiusd -y
   2172 ?S  0:02  \_ /usr/local/sbin/radiusd -y
 
 
  radius.conf : start_servers = 5
 
  TIA
 
 
  - Original Message -
  From: Mihai Barbulescu [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Monday, July 12, 2004 10:31 AM
  Subject: cisco(as5350)+radius
 
 
 Hello,
  
  I have a CISCO AS 5350 and I want it to write in a radius+msql.
   aaa authentication login userauthen local
   aaa accounting exec default start-stop group radius
   aaa accounting connection h323 start-stop group radius
   aaa session-id common
   gw-accounting aaa
acct-template callhistory-detail
  
   radius-server host  XXX auth-port 1813 acct-port 1812
   radius-server key 7 XXX
   radius-server vsa send accounting
   radius-server vsa send authentication
  
  I've configured freeradius to write in MYSQL.
  In mysql I have the following tables on radius database (on which I use
  them for a MAXTNT and they work fine)
   radacct
   radreply
   radcheck
   radgroupcheck
   usergroup
  
  I receive accounting packets from cisco on my radius server but I don't
  know how to configure radius to put them in another table from radius
  database.
  So please someone help me
  Thx.
  
   --
   Barbulescu Mihai
   Network Engineer
   RoEduNet Bucharest NOC
  
  
  
  
 
 
 
 --
 Raimund Sacherer
 IT Development
 
 e W) a) v) e
 eWave Telekommunikation GmbH
 A-1210 Wien, Ignaz-Köck-Straße 1
 Tel: +43 1 278 36 50-45
 Fax: +43 1 278 36 50-33
 
 www.eWave.at
 
 
 
 
 
 
-- 
Raimund Sacherer
IT Development

e W) a) v) e 
eWave Telekommunikation GmbH
A-1210 Wien, Ignaz-Köck-Straße 1
Tel: +43 1 278 36 50-45
Fax: +43 1 278 36 50-33

www.eWave.at




Re: +++ only 1 radius +++

2004-07-12 Thread Raimund Sacherer
Ok, here is an excerpt from my process table.

Version of proc: procps version 3.2.1
Debian Sarge


[EMAIL PROTECTED]:~$ ps afx  
--SNIP--
  758 ?Ss 0:00 /bin/sh /usr/bin/svscanboot
  760 ?S  0:09  \_ svscan /var/lib/svscan
  761 ?S  0:00  |   \_ supervise freeradius
14795 ?S  0:00  |   |   \_ /usr/sbin/freeradius -fyz
-lstderr
  763 ?S  0:00  |   \_ supervise log
  764 ?S  0:00  |   \_ multilog t s16777215 ./main


[EMAIL PROTECTED]:~$ ps axH
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14795 ?S  0:00 /usr/sbin/freeradius -fyz -lstderr
14876 pts/29   R+ 0:00 ps axH

best regards

Raimund

On Mon, 12.07.2004, at 17:13, Rogerio Albandes wrote:
 [EMAIL PROTECTED] pipegrep.com.br]# ps axH
 ps: error: Unsupported option (BSD syntax)
 
 [EMAIL PROTECTED] pipegrep.com.br]# ps aux | grep radius
 root 30464  0.0  0.0 15616   44 ?S09:25   0:00
 /usr/local/sbin/radiusd -y
 
 
 
 
 make a ps axH, you should notice that there ARE more threads, they are
 only represented under the same process ID.
 
 maybe the thread handling is backported to the 2.4.20 kernel, but I think
 this is strange as I had 2.4.2x kernels with additional threads... maybe
 your kernel has different patches; nonetheless, if you do not see your 5
 threads with ps axH you have another problem.
 
 regards
 
 On Mon, 12.07.2004, at 15:17, Rogerio Albandes wrote:
  Hello.
 
  box with 1 thread:
  Linux mail2 2.4.20-20.9 #1 Mon Aug 18 11:37:49 EDT 2003 i686 athlon i386
  GNU/Linux
 
  box with 5 threads:
  Linux proxy-radius 2.4.18-3 #1 Thu Apr 18 07:31:07 EDT 2002 i586 unknown
 
  Another with 5 threads:
  Linux mysql1-pet.pipegrep.com.br 2.6.5-1.358 #1 Sat May 8 09:00:01 EDT
 2004
  i586 i586 i386 GNU/Linux
 
 
  But, with 1 thread work well 
 
  TIA
 
 
 
  - Original Message -
  From: Raimund Sacherer [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Monday, July 12, 2004 9:49 AM
  Subject: Re: +++ only 1 radius +++
 
 
  that seems quite ok,
 
  if you check I believe you will find out that on one computer you are
  using a kernel 2.4 and on the other a kernel 2.6.
 
  The new kernel 2.6 has a changed thread handling, so that threads are
  shown with the process ID of the main process, as you can see with:
 
  ps axH
 
  For reasons I do not know ps afxH is not working (f in combination with
  H).
 
  best regards
 
 
  On Mon, 12.07.2004, at 14:28, Rogerio Albandes wrote:
   Hello,
  
   Excuse for my bad english.
  
   Mysql radius start with only 1 process:
  
   30464 ?S  0:00 /usr/local/sbin/radiusd -y
  
   In another machine its OK:
  
   2164 ?S  0:01 /usr/local/sbin/radiusd -y
2167 ?S  0:00  \_ /usr/local/sbin/radiusd -y
2168 ?S  0:02  \_ /usr/local/sbin/radiusd -y
2169 ?S  0:02  \_ /usr/local/sbin/radiusd -y
2170 ?S  0:02  \_ /usr/local/sbin/radiusd -y
2171 ?S  0:02  \_ /usr/local/sbin/radiusd -y
2172 ?S  0:02  \_ /usr/local/sbin/radiusd -y
  
  
   radius.conf : start_servers = 5
  
   TIA
  
  
   - Original Message -
   From: Mihai Barbulescu [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Monday, July 12, 2004 10:31 AM
   Subject: cisco(as5350)+radius
  
  
  Hello,
   
   I have a CISCO AS 5350 and I want it to write in a radius+msql.
aaa authentication login userauthen local
aaa accounting exec default start-stop group radius
aaa accounting connection h323 start-stop group radius
aaa session-id common
gw-accounting aaa
 acct-template callhistory-detail
   
radius-server host  XXX auth-port 1813 acct-port 1812
radius-server key 7 XXX
radius-server vsa send accounting
radius-server vsa send authentication
   
   I've configured freeradius to write in MYSQL.
   In mysql I have the following tables on radius database (on which I use
   them for a MAXTNT and they work fine)
radacct
radreply
radcheck
radgroupcheck
usergroup

Re: Compiling Freeradius-1.0.0-pre3

2004-07-01 Thread Raimund Sacherer
':
 sql_mysql.c:346: `mysql_sock' undeclared (first use in this function)
 sql_mysql.c:349: warning: implicit declaration of function `mysql_close'
 sql_mysql.c: In function `sql_affected_rows':
 sql_mysql.c:395: `mysql_sock' undeclared (first use in this function)
 sql_mysql.c:397: warning: implicit declaration of function
 `mysql_affected_rows'
 gmake[10]: *** [sql_mysql.o] Error 1
 gmake[10]: Leaving directory
 `/root/freeradius-1.0.0-pre3/src/modules/rlm_sql/drivers/rlm_sql_mysql'
 gmake[9]: *** [common] Error 1
 gmake[9]: Leaving directory
 `/root/freeradius-1.0.0-pre3/src/modules/rlm_sql/drivers'
 gmake[8]: *** [static] Error 2
 gmake[8]: Leaving directory
 `/root/freeradius-1.0.0-pre3/src/modules/rlm_sql/drivers'
 gmake[7]: *** [common] Error 1
 gmake[7]: Leaving directory
 `/root/freeradius-1.0.0-pre3/src/modules/rlm_sql'
 gmake[6]: *** [static] Error 2
 gmake[6]: Leaving directory
 `/root/freeradius-1.0.0-pre3/src/modules/rlm_sql'
 gmake[5]: *** [common] Error 1
 gmake[5]: Leaving directory `/root/freeradius-1.0.0-pre3/src/modules'
 gmake[4]: *** [all] Error 2
 gmake[4]: Leaving directory `/root/freeradius-1.0.0-pre3/src/modules'
 gmake[3]: *** [common] Error 1
 gmake[3]: Leaving directory `/root/freeradius-1.0.0-pre3/src'
 gmake[2]: *** [all] Error 2
 gmake[2]: Leaving directory `/root/freeradius-1.0.0-pre3/src'
 gmake[1]: *** [common] Error 1
 gmake[1]: Leaving directory `/root/freeradius-1.0.0-pre3'
 make: *** [all] Error 2
 
 
 
 
 
 
-- 
Raimund Sacherer
IT Development

e W) a) v) e 
eWave Telekommunikation GmbH
A-1210 Wien, Ignaz-Köck-Straße 1
Tel: +43 1 278 36 50-45
Fax: +43 1 278 36 50-33

www.eWave.at




Discard a Package if REALM does not match a realm in proxy.conf

2004-07-01 Thread Raimund Sacherer
Hello!

Is it possible to tell the radius server to not process a packet further
if the realm does not match a realm defined in the proxy.conf file?

We have a database system which creates realms on demand in a realm
table if a new realm occurs, so we do not have to define the realm
twice, first in the proxy.conf, second in the database itself. I assumed
a package with a realm not defined in proxy.conf would be silently
discarded, but now I know it is not true, and if someone had a typo in
the realm or something else our realms table grows; that's naturally not
what we want.

I could not find any information about aborting a request based on its
realm, so ... maybe someone knows a solution or can point me to the
right place for documentation.

Best regards
Raimund


-- 
Raimund Sacherer
IT Development

e W) a) v) e 
eWave Telekommunikation GmbH
A-1210 Wien, Ignaz-Köck-Straße 1
Tel: +43 1 278 36 50-45
Fax: +43 1 278 36 50-33

www.eWave.at

