Re: Two Ldaps Authentication
Message: 6
Date: Fri, 16 Jun 2006 09:44:29 -0700 (PDT)
From: fvt3 <[EMAIL PROTECTED]>
Subject: Re: Two Ldaps Authentication
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=iso-8859-1

Alan,

This is what I have in my radius.conf

Autz-Type LDAP1 {
        ldap_ldap1 {
                invalid = return
        }
        ldap_ldap2
}

Auth-Type LDAP1 {
        redundant {
                ldap_ldap1 {
                }
                ldap_ldap2
        }
}

users file

DEFAULT Auth-Type = LDAP1
        Fall-Through = No,
        Reply-Message = "ldap login"

I'm forcing radius to look up the user in ldap1 (ldap) and ldap2 (Active Directory). The same user name can reside on both db backends. With this setup, radius only works if the user name does not exist on both dbs. If user John is on both dbs, it would only authenticate off LDAP1 and not LDAP2. Here is my log

correct...this is the way you have it configured. as long as ONE ldap server answers the request (whether it be an authentication allowed or rejected) it still answered. so it won't fail over to the next ldap server...

--- Alan DeKok

--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: limit upload and download speed for each user
Message: 3
Date: Fri, 19 May 2006 11:48:25 +0300
From: "Mordor Networks" <[EMAIL PROTECTED]>
Subject: Re: limit upload and download speed for each user
To: "FreeRadius users mailing list"
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

On 5/17/06, Terry J Fike Jr <[EMAIL PROTECTED]> wrote:
> > does anyone know how to limit upload/download speed for each user in
> > the "user" file?
>
> Rate_Limit_Rate = 137,
> Rate_Limit_Burst = 15000,
> Police_Rate = 137,
> Police_Burst = 15000,
>
> Rate_Limit approx. = download
> Police_Rate approx. = upload
>
> --
> Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]

Hi, how can this be done with a mysql backend? i mean, can we add the limit rate to sql?

okay, i'm not sure how it is done with mysql, but in ldap and flatfile i've done it.

in flat file those attributes were associated with a user. here's an example:

username        Password == "password"
        Service-Type = Framed-User,
        Framed-MTU = 1500,
        Port-Limit = 1,
        Idle-Timeout = 0,
        Rate_Limit_Rate = 5000,
        Rate_Limit_Burst = 15000,
        Police_Rate = 5000,
        Police_Burst = 15000,
        Session-Timeout = 0

in ldap on my dsl tree the attributes for a user have a group defined which has the speed, and in that group it has all the attributes listed here. you can have these attributes tied directly to a user as well instead of a group, but it does change how your default lines are at the end of your users file.

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: limit upload and download speed for each user
> does anyone know how to limit upload/download speed for each user in
> the "user" file?

Rate_Limit_Rate = 137,
Rate_Limit_Burst = 15000,
Police_Rate = 137,
Police_Burst = 15000,

Rate_Limit approx. = download
Police_Rate approx. = upload

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Freeradius and 2 ldap servers.
Okay, since this isn't easy to piece together from the docs (and no one has posted this on the mailing list that i've seen, and i've gotten a few emails on this as well), here is how i got freeradius running good failover with 2 ldap servers. hopefully those who know the system better than me will let me/us (the list) know if i've done something wrong here.

in the ldap section you'll have:

ldap ldap1 {
        server =
        identity = <>
        ...
}

ldap ldap2 {
}

then in the instantiate section put

ldap1
ldap2

then in authorize you'll have:

redundant {
        ldap1
        ldap2
}

and in authenticate you'll have:

Auth-Type LDAP {
        redundant {
                ldap1
                ldap2
        }
}

that is what worked for me.

now one thing to consider/think about. it appears whichever server is listed second (in instantiate, authorize, and authenticate) will be hit first. not sure why this is...and it may not be important

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
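Alan's point in the "Two Ldaps Authentication" reply above (an answer from the first server, allowed or rejected, is final, and redundant {} only moves on when a module fails) and the failover layout in this message can both be checked with a small model of FreeRADIUS group evaluation. This is an added example, not FreeRADIUS code or anything posted in the thread; the two directories and their passwords are constructed, and the default actions it encodes are an assumption taken from the 1.x documentation rather than read from the server source.

```python
"""Model of how FreeRADIUS walks a plain module group versus a redundant {} group.

Added example, not FreeRADIUS code.  Assumption: it follows the 1.x default
actions as documented -- in a plain group, ok/updated/noop/notfound let the next
module run and reject/fail/invalid/userlock/handled end the group at once; in a
redundant {} group only "fail" (server down, timeout) moves on to the next
module and every other answer is final.  A per-module override such as
`invalid = return` replaces the default action for that code only.
"""
from typing import Callable, Dict, List, Optional, Tuple

CONTINUE_IN_PLAIN_GROUP = {"ok", "updated", "noop", "notfound"}

# (module instance name, {return code: "return" | "continue"} overrides)
Module = Tuple[str, Dict[str, str]]
# A backend stand-in: (user, password or None) -> module return code.
Backend = Callable[[str, Optional[str]], str]


def run_group(modules: List[Module], backends: Dict[str, Backend], user: str,
              password: Optional[str] = None,
              redundant: bool = False) -> Tuple[str, List[str]]:
    """Run the modules in order; return (final code, names of modules that ran)."""
    ran: List[str] = []
    result = "noop"
    for name, overrides in modules:
        code = backends[name](user, password)
        ran.append(name)
        result = code
        action = overrides.get(code)
        if action is None:
            if redundant:
                action = "continue" if code == "fail" else "return"
            else:
                action = "continue" if code in CONTINUE_IN_PLAIN_GROUP else "return"
        if action == "return":
            break
    return result, ran


def ldap_backend(entries: Dict[str, str], reachable: bool = True) -> Backend:
    """Constructed stand-in for one rlm_ldap instance over a {uid: password} table."""
    def answer(user: str, password: Optional[str]) -> str:
        if not reachable:
            return "fail"          # cannot talk to the directory at all
        if user not in entries:
            return "notfound"      # no such entry under this basedn
        if password is None:
            return "ok"            # authorize: entry found, no password check yet
        return "ok" if entries[user] == password else "reject"
    return answer


# Constructed directories: "john" exists in both, with different passwords;
# "mary" exists only in the AD-backed instance.
LDAP1 = {"john": "john-ldap1"}
LDAP2_AD = {"john": "john-ad", "mary": "mary-ad"}

# The two groups from the "Two Ldaps Authentication" message.
AUTZ_TYPE_LDAP1: List[Module] = [("ldap_ldap1", {"invalid": "return"}), ("ldap_ldap2", {})]
AUTH_TYPE_LDAP1: List[Module] = [("ldap_ldap1", {}), ("ldap_ldap2", {})]  # inside redundant {}


def evaluate(user: str, password: Optional[str] = None,
             ldap1_up: bool = True) -> Dict[str, Tuple[str, List[str]]]:
    """Run both groups for one request; report each decision and which modules ran."""
    backends = {"ldap_ldap1": ldap_backend(LDAP1, ldap1_up),
                "ldap_ldap2": ldap_backend(LDAP2_AD)}
    return {
        "autz_plain": run_group(AUTZ_TYPE_LDAP1, backends, user),
        "auth_redundant": run_group(AUTH_TYPE_LDAP1, backends, user, password,
                                    redundant=True),
    }


if __name__ == "__main__":
    # john with his AD password: LDAP1 rejects and redundant {} never asks LDAP2.
    # mary: LDAP1 says notfound, which is also a final answer for redundant {}.
    # john with LDAP1 down: only now does redundant {} move on to LDAP2.
    for args in (("john", "john-ad"), ("mary", "mary-ad"), ("john", "john-ad", False)):
        print(args, evaluate(*args))
```

The model shows why redundant {} is a server-failure mechanism, not a "try the other directory" mechanism: a user who lives only in the second backend, or whose password only matches there, is answered by the first server and never reaches the second.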
Re: radius filters for ldap searching
The only way i got this to work was separate trees in ldap for each group. and then in your default line in your users file put the tree you want it to search for the group and nas definition.

Message: 2
Date: Thu, 11 May 2006 12:52:47 +0300
From: Mircea Harapu <[EMAIL PROTECTED]>
Subject: radius filters for ldap searching
To: freeradius-users@lists.freeradius.org
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello,

I'm using freeradius 1.0.4 with openldap 2.2.24 to authenticate users on cisco switches. Every switch belongs to a specific group and for every user I'm setting the groups he can access. I also use cisco avpairs for level privilege. So far, so good! The problems occurred when I tried to make a user have different level privileges on different switches. This is the profile I'm using:

# test, radius, isp.ro
dn: uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
cn: test
userPassword:: xxx
radiusGroupName: bucuresti
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User

# bucuresti, test, radius, isp.ro
dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: bucuresti
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=15"
cn: bucuresti

# valcea, test, radius, isp.ro
dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=7"
cn: valcea

raddb/users

# Switch 192.168.50.202
# Description test
DEFAULT NAS-IP-Address == 192.168.50.202, Ldap-Group == bucuresti
        Fall-Through = no

DEFAULT Auth-Type := Reject

what I need is to filter the ldap search in the authorize section based on GroupName and I don't know how.

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
freeradius and 2 ldap servers
Okay, i'm probably being a little dense here but just wanted to check i'm understanding this correctly. if i'm running 2 ldap servers, in the users file do i need a default entry for each ldap server? for example, moving from a line like this with a single ldap server:

DEFAULT Huntgroup-Name == People, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=People,dc=mtaonline,dc=net`
        Fall-Through = no

to two lines like this:

DEFAULT Huntgroup-Name == People, Ldap_primary-Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=People,dc=mtaonline,dc=net`
        Fall-Through = no

DEFAULT Huntgroup-Name == People, Ldap_secondary-Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=People,dc=mtaonline,dc=net`
        Fall-Through = no

assuming your ldap instantiations are ldap_primary and ldap_secondary respectively.

thanks in advance

t-

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: freeradius & ldap with two trees
> Try this in your radiusd.conf:
>
> basedn = "ou=%{Huntgroup-Name},ou=radius,dc=mtaonline,dc=net"
>
> You will need to either rename your "dial" huntgroup to "people" to
> match your ldap structure or you can change the profile OU to be dial.
> Either way, this setup is working for me.
>
> Ben

this works! thanks Ben

t-

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
freeradius & ldap with two trees
Okay, i want radius to look at two trees in ldap, one tree for dial-up and one tree for dsl (so a user with a static ip in dsl gets a dynamic ip in dial-up).

my huntgroup is like this:

dial    ip1
dial    ip2
dial    ip on local box for testing
dsl     ip3
dsl     ip4
dsl     ip on local box for testing

with the ip on local box commented out on the one i'm not testing.

my users file is like so (at least, the two lines i'm testing with):

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=people,dc=mtaonline,dc=net`
        Fall-Through = no

DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl8m, User-Profile := "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN := `uid=%{User-Name},ou=dsl,dc=mtaonline,dc=net`
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the help desk."

my ldap config in the radiusd.conf is as follows:

ldap {
        server = "private ip"
        identity = "cn=Manager,dc=mtaonline,dc=net"
        password = somepassword
        basedn = "ou=people,dc=mtaonline,dc=net"
        #basedn = "dc=mtaonline,dc=net"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        start_tls = no
        tls_mode = no
        # this maps ldap attributetypes to radius attributes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10
        #password_header = {clear}
        password_attribute = userPassword
        groupname_attribute = radiusGroupName
        groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
        groupmembership_attribute = radiusGroupName
        timeout = 3
        timelimit = 5
        net_timeout = 1
        compare_check_items = no
}

if i test with a user on the tree listed in basedn, it works. if i try to test with a user in a different tree, it fails. if i try a basedn one level up (so i can try to go down both trees) both users receive an Auth-Reject "please call the help desk."

in radiusd -X the reason is that ldap is finding multiple entries for the user (in two plus trees).

i've gone through the documentation multiple times (and feel like i'm missing something). what am i doing wrong? or is there no way to do what i'm trying to do? i suppose it comes down to: is there a way to re-define the basedn in either huntgroups, or on a default line in the users file, so the search comes up with a single user.

thanks for your help

t-

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
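The multiple-entries failure described in this message, and the per-huntgroup basedn Ben suggests in the reply above, can be reproduced with a small in-memory model of the search rlm_ldap performs. This is an added example, not FreeRADIUS code or anything from the thread; the directory entries are constructed, the basedn template "ou=%{Huntgroup-Name},dc=mtaonline,dc=net" with huntgroups named after the OUs is an assumption adapted from Ben's suggestion to the people/dsl trees shown here, and the filter escaping follows RFC 4515.

```python
"""Why a basedn above two user trees produced an Auth-Reject, and how a
huntgroup-derived basedn avoids it.

Added example, not FreeRADIUS code.  It runs a subtree search over a
constructed in-memory directory and assumes the template
basedn = "ou=%{Huntgroup-Name},dc=mtaonline,dc=net" with huntgroups named
after the OUs (adapted from Ben's reply to the people/dsl trees above).  The
filter is built the way the radiusd.conf filter line does it, with RFC 4515
escaping of the user name before it is placed in the filter.
"""
import re
from typing import Dict, List

# Constructed directory: "jdoe" exists in both trees, "alice" only in people.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=jdoe,ou=people,dc=mtaonline,dc=net": {"uid": "jdoe", "radiusGroupName": "dial"},
    "uid=jdoe,ou=dsl,dc=mtaonline,dc=net": {"uid": "jdoe", "radiusGroupName": "dsl8m"},
    "uid=alice,ou=people,dc=mtaonline,dc=net": {"uid": "alice", "radiusGroupName": "dial"},
}

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter_unescape(value: str) -> str:
    """Inverse of ldap_filter_escape, as a directory server would apply it."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand(template: str, request: Dict[str, str]) -> str:
    """Expand %{Attr} references in a radiusd.conf string (simplified, no :- default)."""
    return re.sub(r"%\{([A-Za-z-]+)\}", lambda m: request.get(m.group(1), ""), template)


def build_filter(request: Dict[str, str]) -> str:
    """filter = "(uid=%{Stripped-User-Name:-%{User-Name}})", with the value escaped."""
    name = request.get("Stripped-User-Name") or request["User-Name"]
    return "(uid=%s)" % ldap_filter_escape(name)


def subtree_search(basedn: str, ldap_filter: str) -> List[str]:
    """Return the DNs at or below basedn matching a (uid=...) equality filter."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("only (uid=...) filters are modelled here")
    wanted = ldap_filter_unescape(m.group(1))
    base = basedn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and attrs["uid"] == wanted]


def authorize(request: Dict[str, str], basedn_template: str) -> str:
    """Mimic rlm_ldap authorize: exactly one entry -> its DN, otherwise reject."""
    matches = subtree_search(expand(basedn_template, request), build_filter(request))
    if len(matches) != 1:
        return "reject"   # none, or several entries: the "please call the help desk" case
    return matches[0]


PER_HUNTGROUP = "ou=%{Huntgroup-Name},dc=mtaonline,dc=net"
ONE_LEVEL_UP = "dc=mtaonline,dc=net"

if __name__ == "__main__":
    for hg in ("people", "dsl"):
        req = {"User-Name": "jdoe", "Huntgroup-Name": hg}
        print(hg, authorize(req, ONE_LEVEL_UP), authorize(req, PER_HUNTGROUP))
```

Searching from dc=mtaonline,dc=net finds jdoe twice and is rejected, while the huntgroup-derived base finds exactly the entry for the tree the NAS belongs to; a user name containing filter metacharacters is escaped and simply matches nothing.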
Freeradius and LDAP with static ips...
Okay, i have freeradius and ldap talking together quite fine. it doesn't matter if the nas is a dsl or dial-up, it works correctly (huntgroups, defaults in the users file...etc). what i am wondering is: is there a way that if i have a user with a static ip for dsl, i can not pull the static ip on the same account with dialup? i have group attributes for dsl and dialup; the static ip is associated with the user in ldap.

below is an example dsl group from ldap and my dial-up group. also, the user i'm testing with (these are in ldif format).

before moving to ldap all our dsl users were flatfiled in the users file (yea, i know how bad that is, and it is why i am pushing the move to ldap). anyways...in order to make this work we just added NAS-Identifier to the username/password line for authentication on users with static ips. this forced the system to authenticate via unix authentication for dial-up. is there a way to do this in ldap without two trees (one for dsl, one for dialup, or one for statics, one for normal users? or ??)

oh...yea...and i'll also put my defaults in from the users file. the huntgroups just list the NAS-IP-Address (for testing, 255.255.255.255 which i move to whichever group i want to work with as i'm running radtest locally on the radius server)

thanks in advance

t-

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Huntgroup-Name == dsl, Ldap-Group == dsl8m, User-Profile := "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

version: 1
# LDIF Export for: uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on April 5, 2006 2:00 pm
# Server: My LDAP Server (10.10.0.46)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1

# Entry 1: uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net
dn: uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net
radiusFramedCompression: Van-Jacobson-TCP-IP
radiusPortLimit: 1
radiusFramedMTU: 1500
objectClass: radiusprofile
radiusRateLimitRate: 0
radiusPoliceRate: 0
uid: dial
radiusPoliceBurst: 15000
radiusIdleTimeout: 900
radiusFramedProtocol: PPP
radiusSessionTimeout: 18000
radiusRateLimitBurst: 0

version: 1
# LDIF Export for: uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on April 5, 2006 2:00 pm
# Server: My LDAP Server (10.10.0.46)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1

# Entry 1: uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net
dn: uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net
radiusPortLimit: 1
radiusFramedMTU: 1500
objectClass: radiusprofile
radiusRateLimitRate: 8192
radiusPoliceRate: 8192
uid: dsl8m
radiusPoliceBurst: 15000
radiusIdleTimeout: 0
radiusSessionTimeout: 0
radiusFramedRouting: None
radiusRateLimitBurst: 15000
radiusServiceType: Framed-User

version: 1
# LDIF Export for: uid=ftptest99,ou=People,dc=mtaonline,dc=net
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on April 5, 2006 2:01 pm
# Server: My LDAP Server (10.10.0.46)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1

# Entry 1: uid=ftptest99,ou=People,dc=mtaonline,dc=net
dn: uid=ftptest99,ou=People,dc=mtaonline,dc=net
mailLocalAddress: [EMAIL PROTECTED]
sn: Tester
userPassword: {CRYPT}XuO3ko3FEXkV6
loginShell: /bin/sh
uidNumber: 2001
gidNumber: 2001
objectClass: OpenLDAPperson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: radiusprofile
objectClass: inetLocalMailRecipient
objectClass: dcObject
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: ftptest99
shadowLastChange: 13014
mailHost: mail.mtaonline.net
mailRoutingAddress: [EMAIL PROTECTED]
cn: Ftp99 Tester
homeDirectory: /export/home/ftptest99
dc: People.mtaonline.net
radiusFramedIPAddress: 192.168.200.1
radiusFramedIPNetmask: 255.255.255.0
radiusGroupName: dsl8m
radiusGroupName: dial

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Freeradius, Ldap, and static IPs for users.
Hello All,

I'm trying to figure out how to get a static ip to only show up on a DSL login, and not a Dial-up. I'm using Freeradius 1.0.1 and OpenLdap 2.1.30. The only changes in the radiusd.conf are to bind to an ip and port and turn off radutmp and radwtmp.

I have a huntgroup for the dial-up that allows me to differentiate between the dial and dsl based on the radiusGroupName without any problems. But now i need to be able to let a DSL user with a static ip log in via dial-up and pull a dynamic ip. Is this possible, and how do i do it (or for that matter, what docs might even point me in the right direction)? i'm not seeing much on this in my searches.

my huntgroups.conf is like this:

dialup  NAS-IP-Address == ip of nas device

in my users file i have this:

DEFAULT Ldap-Group == disabled, Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk."

DEFAULT Huntgroup-Name == dialup, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl128, User-Profile := "uid=dsl128,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl256, User-Profile := "uid=dsl256,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl512, User-Profile := "uid=dsl512,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl768, User-Profile := "uid=dsl768,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl4m, User-Profile := "uid=dsl4m,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl8m, User-Profile := "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."

the ldap user i'm testing this all with looks like this:

dn: uid=tfike,ou=People,dc=mtaonline,dc=net
cn: Terry
gecos: Terry,,Fike
gidNumber: 14
homeDirectory: /export/home/tfike
loginShell: /bin/csh
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
objectClass: shadowAccount
radiusFramedIPAddress: 216.152.176.25
radiusFramedIPNetmask: 255.255.255.255
radiusGroupName: dial
radiusGroupName: dsl4m
shadowLastChange: 13062
uid: tfike
uidNumber: 130
userPassword: temppass

thanks in advance.

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Freeradius install problem
when you set up the client in the clients.conf did you put all the client info inside {} ?

client ip {
        secret = nosecret
        shortname = mycomputer
}

it didn't look that way in the message, but that may have just been for ease of writing...

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: question about ippools
> It all depends on how you get the Pool-Name attribute added to the
> user's configuration attribute list. If it's added for one user when
> that user comes from a specific NAS, then only that user on that
> specific NAS will get an IP from the relevant pool.

Okay, i see in the radiusd.conf where to set the pools, but where do i define them as per NAS? (ie: pool 1.2.3.0/24 to NAS1 and 1.2.4.0/24 to NAS2) then in the user's info just add Pool-Name := right?

what is the Group == part for in the DEFAULT?? would that be for the fallthroughs?

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
question about ippools
Hello,

I'm wondering if it is possible to set up an ippool for a single user? Right now our users are flatfiled in the users file. anyone with a static has the info with their username; all the rest of the users get their ip assigned by the NAS device they are logging in through.

From what i've read of the documentation, it seems the ippool set up is for all users in all NAS devices (or did i read this wrong?) At this point i believe the pool will be for use by the user no matter what NAS device they are coming from (which i think is how it is supposed to work anyways, right?)

Thanks for your help

t-

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Re: Radrelay and coredumps...
Arg...okay, yea, it has got to be something funky with the machine i've been compiling on...

As per some advice you gave earlier, i compiled this on a different sol9 box (never had freeradius on it before), copied the detail file from the current radius server, and used the radrelay on the new box...sent just fine.

i guess it is time to build me a new radius box...

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Re: Radrelay and coredumps...
> I'm not sure what else to suggest. It really looks like the
> compiler tools on your system don't produce usable binaries.
>
> I've *never* seen this problem on Solaris, but I've always used GCC.
>
> Alan DeKok

Yea, i've used gcc to compile pretty much everything, and the weird thing is that this only breaks for the one NAS device. For everything else, radrelay works just fine. It goes through and reads all the dictionary files, and the time it opens the detail file for relaying is the point it cores. And it only does it from the PDSN *shrug*

Everything else works just fine...all my users authenticate just like normal...even from the pdsn, i get my accounting data just fine...even from the pdsn...*shrug* this just is not making any sense...

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Radrealay and coredumps...
Okay, i'm about 90% certain i've blown away everything before rebuilding. (i guess this is what i get for having four different versions on the machine in the last couple years...)

both were built with the environment variables

CC "opt/csw/gcc3/bin/gcc -m64"
PATH=/usr/bin:/sbin:/usr/sbin:/opt/oracle/products/9.2.0/bin:/usr/local/bin:/usr/local/sbin:/tools/scripts:/tools/scripts/radius:/opt/sfw/bin:/opt/sfw/sbin:/opt/csw/bin:/opt/csw/sbin:/usr/ccs/bin:/usr/openwin/bin:/usr/ucb:/etc:.
CLASSPATH=/usr/local/jdk1.4/lib/ojdbc14.jar:/usr/local/jdk1.4/lib/tools.jar:/usr/local/jdk1.4/jre/lib/rt.jar:.

the first one (without --disable-shared) also had:

ORACLE_BASE=/opt/oracle
ORACLE_HOME=/opt/oracle/products/9.2.0
ORACLE_SID=RADIUS

the second one (with --disable-shared) didn't link in a required library from oracle so i rebuilt it without the oracle info. (it was just quicker that way)

gcc version 3.3.2
make is gmake 3.80

rebuilt once with

./configure --prefix=/usr/local --with-rlm--dbm=/opt/csw/bdb4 --enable-developer
make
make install

run radrelay on the data from the pdsn, still cores with:

warning: Couldn't find general-purpose registers in core file.

blow everything away and build with

./configure --prefix=/usr/local --with-rlm-dbm=/opt/csw/bdb4 --disable-shared --enable-developer
make
make install

run radrelay on the data from the pdsn and still cores with

warning: Couldn't find general-purpose registers in core file.

(this is from inside gdb)

p.s. i took a couple days to do this to ensure the data i was getting off the pdsn would be from the "current" build without the extra modules

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Re: Radrelay and coredumps...
> Terry J Fike Jr <[EMAIL PROTECTED]> wrote:
> > I did a make distclean before ./configure each time
>
> The *installed* files may be causing problems.

even if i'm telling it a different prefix each time? (i ask because i have 1.0.2 in /usr/local and 1.0.0 in /opt) as i make new versions i just change the prefix so i can leave the old version running. 1.0.0-pre3 used to be in /usr/local but i deleted all those files before compiling 1.0.2

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Re: Radrelay and coredumps..
Okay, quick (and possibly moot) question...

could there be issues on this because of compiling it 64bit instead of 32bit? Most of my older versions were 32bit, but since getting oracle installed 64bit finally, i installed the newer ones (1.0.0 and 1.0.2) 64bit?

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Re: Radrelay and coredumps...
I did a make distclean before ./configure each time, and i ran the radrelay from inside src/main (i didn't do make install on any of these runs).

with the exception of the radiusd.conf file, i've been using pretty much the same config files since 0.8.3 (though i think i changed to the new clients.conf in 1.0.0 and copied that into 1.0.2). the radiusd.conf i edit from scratch with each new version based on the conf file from the previous version.

unfortunately, i'm doing this in a production environment, so swapping servers isn't going to be easy, but i'll see what i can do. (i have a lot of things :( tied into the same ip as radius)

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Radrelay and coredumps...
*sigh* okay, first off, shoot me...i didn't read /doc/bugs right and i hadn't recompiled with the --enable-developer

so, i did that...same output from the core (Couldn't find general-purpose registers in core file)

recompiled it a couple times...

once with just --disable-shared
still cores...

once with --enable-developer (without --disable-shared)
still cores, no change in output inside gdb

once with --enable-developer with --disable-shared
still cores, no change in output inside gdb

one thing though, while in the "make" process with --enable-developer i received lots of warnings (mostly from md4.c) but no errors. is this normal when compiling with --enable-developer?

also...any other ideas?

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Radrelay and coredumps...
Thanks Alan for all your help!

anyone know of any other good paid-for radius servers?? cause unfortunately...with this not working...i'm going to have to come up with something new :( and i really like this one...very easy to install, very user friendly (with configs and with errors) and VERY stable (pretty much takes a user fubar to break it)

you guys have done great work, i'll be sad to see it go...

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Radrelay and coredumps...
argh...i pulled the package down from sunfreeware.com and this is my output... this is on a sol 9 box, running 1.0.2 radrelay

# ./gdb ./radrelay /opt/var/log/radius/radacct/12.21.213.86/core
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.9"...
warning: Couldn't find general-purpose registers in core file.
warning: Couldn't find general-purpose registers in core file.
0x in ?? ()
(gdb) bt
#0  0x in ?? ()
(gdb) #0  0x in ?? ()
(gdb) bt
#0  0x in ?? ()
(gdb) quit

Is there something else i can do/try to dig the info you need out of this file?

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Radrelay and coredumps...
What is gdb? (and what sort of package could i find it in) we don't have it on our boxes so i'll need to find it and install it, then get you the info you need.

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Restart Radius
if you're in the unix world, in your $prefix/sbin there should be a script called rc.radiusd. call this like so:

/prefix/sbin/rc.radiusd restart

that is a quick clean way of restarting radius

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Radrelay and coredumps...
Okay, here comes a bit of an update.

just in case of compatibility issues between 1.0.0 files and the 1.0.2 radrelay app i moved everything into 1.0.2 and started fresh my detail file of all data for the individual NAS devices.

here is the command i used to run radrelay (v 1.0.2)

/usr/local/bin/radrelay -a /opt/var/log/radius/radacct/12.21.213.86 -d /usr/local/etc/raddb -r 209.4.229.75:1813 -S /path/to/secretfile detail-NAS

it still cores. here is from the top of the core file:

CORE radrelay /usr/local/bin/radrelay -a /opt/var/log/radius/radacct/12.21.213.86 -d /usr/loc
CORE SUNW,Sun-Fire-280R
CORE in/r opt/ us/r .213
CORE
CORE /freeradal/share/usr/local/share
CORE radrelay /usr/local/bin/radrelay -a /opt/var/log/radius/radacct/12.21.213.86 -d /usr/loc
CORE /freeradal/share/usr/local/share
CORE SUNW,Sun-Fire-280R
CORE
CORE SunOS david Generic_112233-11 sun4u
CORE
CORE
CORE /freeradal/share/usr/local/share
CORE ing "%s"
failed to parse IPv6 address string "%s"
unknown attribute type %d
Unknown attribute "%s"
Attr-
Vendor-
0123456789
Attribute has invalid length
-Attr-
Illegal regular expression in attribute: %s: %s
Duplicate tag %s for attribute %s
Duplicate tag %s for attribute %s
Invalid tag for attribute %s
No token read where we expected an attribute name
Expected end of line or comma
failed to get value
expecting '='
Read a comment instead of a token
$Id: token.c,v 1.17 2003/09/12 19:25:29 phampson Exp $
$Id: misc.c,v 1.41.2.2 2004/10/04 15:26:46 aland Exp $
%d.%d.%d.%d
%x:%x:%x:%x
0123456789abcdef
$Id: log.c,v 1.7 2003/09/12 19:25:29 phampson Exp $
$Id: filters.c,v 1.36 2004/02/26 19:04:20 aland Exp $

here is the end of a truss of this (starting from reading the last of the dictionary files):

open("/usr/local/share/freeradius/dictionary.xedia", O_RDONLY) = 5
fstat(5, 0x7FFFE540) = 0
fstat(5, 0x7FFFE410) = 0
ioctl(5, TCGETA, 0x7FFFE47C) Err#25 ENOTTY
read(5, " # # # # # # # # # # # #".., 8192) = 766
read(5, 0x1001290A4, 8192) = 0
lseek(5, 0, SEEK_CUR) = 766
close(5) = 0
brk(0x10023D830) = 0
brk(0x100241830) = 0
read(4, " i n t e g e r\n A T T R".., 8192) = 8192
brk(0x100241830) = 0
brk(0x100245830) = 0
brk(0x100245830) = 0
brk(0x100249830) = 0
read(4, " i r e l e s s - 1 X - E".., 8192) = 8192
brk(0x100249830) = 0
brk(0x10024D830) = 0
brk(0x10024D830) = 0
brk(0x100251830) = 0
read(4, "\n", 8192) = 1
read(4, 0x100127084, 8192) = 0
lseek(4, 0, SEEK_CUR) = 24577
close(4) = 0
read(3, 0x100125064, 8192) = 0
lseek(3, 0, SEEK_CUR) = 935
close(3) = 0
so_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, "", 1) = 3
sigaction(SIGTERM, 0x7070, 0x7230) = 0
sigprocmask(SIG_SETMASK, 0x7DD1D4C0, 0x7190) = 0
fork1() = 882
sigprocmask(SIG_SETMASK, 0x7190, 0x) = 0
lwp_schedctl(SC_STATE|SC_PREEMPT, 0, 0x7FFFEF68) = 0
mmap(0x, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x7DA0
munmap(0x7DA0, 8192) = 0
_exit(0)

I can send the whole core file and truss file if need be. I'm still a little surprised this works for all but one of my NAS devices...

Thanks for your help on this so far :)

t-

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Radrelay and coredumps...
Okay, per Alan i compiled up 1.0.2 and moved the radrelay binary. (i didn't move everything into version 1.0.2, just the 1.0.2 binary into my 1.0.0 install). Modified all the dictionary files to the way they are in 1.0.2 and it still cores, with pretty much the same output in a strings of the core.

would there be differences in the CVS that might help?

my config string was as follows:

CC=/path/to/gcc3 -m64 ./configure --prefix=/usr/local --with-rlm-dbm=/path/to/berkeley4

then a make

no errors in either configure or make...

i'm also willing to post/send the data from the core if need be.

--
Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Radrelay and coredumps...
    .10
    3GPP2-PCF-IP-Address = 172.16.200.2
    3GPP2-Compulsory-Tunnel-Indicator = 0
    3GPP2-Begin-Session = 1
    Client-IP-Address = 12.21.213.86
    Acct-Unique-Session-Id = "cee384ac39a4612c"
    Timestamp = 1108755020

    Fri Feb 18 10:31:44 2005
    Acct-Status-Type = Stop
    User-Name = "wap"
    Event-Timestamp = "Feb 18 2005 10:33:22 AKST"
    Service-Type = Framed-User
    NAS-IP-Address = 64.4.239.197
    Shasta-Attr-4 = 0x53686173746120353030303a2069534f532028746d292c207064736e2d6d74632d332e302e3128352900
    Acct-Session-Id = "0b000d74"
    3GPP2-Correlation-Id = "0b000d73"
    Calling-Station-Id = "09073559993"
    NAS-Port = 184552819
    NAS-Port-Type = Virtual
    Framed-IP-Netmask = 255.255.255.255
    3GPP2-IP-Technology = 1
    3GPP2-BSID = "07FA0001012D"
    Acct-Authentic = RADIUS
    Framed-IP-Address = 64.4.233.10
    Acct-Input-Octets = 88
    Acct-Output-Octets = 88
    Acct-Input-Packets = 2
    Acct-Output-Packets = 2
    Acct-Terminate-Cause = User-Request
    3GPP2-Release-Indicator = 3
    3GPP2-Session-Continue = 0

... and continues like that for a while ...

... some more stuff that I'm not sure if I need to add or not ...

Anyone got any ideas what I might be doing wrong here? Thanks in advance for your help.

t-
-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
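The records radrelay is choking on are plain rlm_detail output: a ctime-style header line, one tab-indented "Attribute = value" line per AVP, and a blank line closing each record. The following parser is an added example, not code from the thread or from FreeRADIUS, and the sample file it parses is constructed here from the Stop record posted above plus an invented Start record. It assumes the detail layout described in that post (values in double quotes are strings, 0x-prefixed values are octets, bare numbers are integers) and that Client-IP-Address is the NAS the packet came from, which is what the per-NAS directory name in the radrelay command reflects. A parser that refuses malformed lines rather than skipping them is the useful part when a file that is billed from, or relayed, may be half-written.

```python
import re
from datetime import datetime

# Constructed sample in the layout rlm_detail writes (assumption based on the
# record posted above).  The Stop record's values are copied from the post; the
# Start record that follows is invented so the NAS filter below has something to drop.
SAMPLE_DETAIL = (
    "Fri Feb 18 10:31:44 2005\n"
    "\tAcct-Status-Type = Stop\n"
    '\tUser-Name = "wap"\n'
    "\tNAS-IP-Address = 64.4.239.197\n"
    '\tAcct-Session-Id = "0b000d74"\n'
    "\tFramed-IP-Address = 64.4.233.10\n"
    "\tAcct-Input-Octets = 88\n"
    "\tAcct-Output-Octets = 88\n"
    "\tAcct-Terminate-Cause = User-Request\n"
    "\tShasta-Attr-4 = 0x53686173746120353030303a2069534f532028746d292c"
    "207064736e2d6d74632d332e302e3128352900\n"
    "\tClient-IP-Address = 12.21.213.86\n"
    "\tTimestamp = 1108755020\n"
    "\n"
    "Fri Feb 18 10:35:02 2005\n"
    "\tAcct-Status-Type = Start\n"
    '\tUser-Name = "wap"\n'
    "\tNAS-IP-Address = 10.0.0.9\n"
    '\tAcct-Session-Id = "0b000d75"\n'
    "\tClient-IP-Address = 10.0.0.9\n"
    "\tTimestamp = 1108755302\n"
    "\n"
)

# Attribute names as the dictionaries spell them: letters, digits, '-', '_', '.'
ATTR_RE = re.compile(r"^\t([A-Za-z0-9._-]+) = (.*)$")


def decode_value(raw):
    """Map the text rlm_detail wrote back to a Python value by its surface form."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]                 # string attribute (User-Name, Acct-Session-Id)
    if raw.startswith("0x"):
        return bytes.fromhex(raw[2:])    # octets attribute (the Shasta VSA above)
    if raw.lstrip("-").isdigit():
        return int(raw)                  # integer and date attributes
    return raw                           # IP addresses and enum names (Stop, User-Request)


def parse_detail(text):
    """Split a detail file into records: {'time': datetime, 'attrs': {name: [values]}}.

    Attributes are kept as lists because RADIUS allows an attribute to repeat.
    A malformed line raises instead of being skipped, so a corrupted file is
    noticed before its records are imported or relayed.
    """
    records, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        if current is None:
            # "Fri Feb 18 10:31:44 2005"; strptime tolerates a space-padded day
            current = {"time": datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Y"),
                       "attrs": {}}
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an attribute line: {line!r}")
        current["attrs"].setdefault(m.group(1), []).append(decode_value(m.group(2)))
    if current is not None:      # no trailing blank line: the writer was mid-record
        records.append(current)
    return records


def from_nas(records, nas_ip):
    """Records radiusd received from one NAS (Client-IP-Address is the packet source)."""
    return [r for r in records if r["attrs"].get("Client-IP-Address") == [nas_ip]]


def stop_octets(records):
    """Bytes reported by Stop records, as (input, output)."""
    total_in = total_out = 0
    for r in records:
        a = r["attrs"]
        if a.get("Acct-Status-Type") == ["Stop"]:
            total_in += a.get("Acct-Input-Octets", [0])[0]
            total_out += a.get("Acct-Output-Octets", [0])[0]
    return total_in, total_out


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    print(len(recs), "records;", len(from_nas(recs, "12.21.213.86")), "from 12.21.213.86")
    print("stop octets in/out:", stop_octets(recs))
```

Running it against a real per-NAS file (one of the files under radacct/) before a monthly clean-up is a cheap way to confirm the file ends on a record boundary before it is archived.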
Question about radrelay and file deletion/rotation
Okay, hopefully this is a pretty easy question. If I want to go through my large file (accounting packets from all NAS devices) about once a month so it doesn't grow too large, do I have to shut down both radius and radrelay, or can I just shut down radius, do my housecleaning, and start it back up? (In the radius.conf file I'm setting locking=yes for this detail file.) Thanks in advance.

t-
-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Copying accounting packets
> Never let more than 1 radrelay process the same logfile!
>
> For each radrelay, you should configure a separate rlm_detail instance,
> which logs the needed packets to a different logfile which radrelay can read
> from.
> So for your situation, you need 3 rlm_detail instances:
> - 1 to log all requests to separate logfiles based on source ip and time
> - 1 to log all requests to a single logfile
> - 1 to log requests from a particular NAS to a single logfile
> --
> Groeten, Regards, Salutations,

Okay, sounds like what I was thinking. Thanks very much!

t-
-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Copying accounting packets
Hello All,

I'm looking for information on what others have done in similar situations. What I have to do is copy the accounting packets from one particular NAS device to another radius server. I know I can use radrelay for this if I copy all the accounting packets from that NAS device into one file, but here is my dilemma. I am flat-filing all accounting packets from the different NAS devices by IP, then by date. Then once a day I copy all these into a database for accounting/billing purposes. (Yes, I realize this is a little clunky, but I lose almost no data this way, the overall system runs faster, and I have a guaranteed backup if my database takes a major nosedive for the trashcan and the normal database backups fail as well.) To add to the fun, I'm about to have to start forwarding all (from all NAS devices) accounting packets to a web content filtering system. So I suppose the question is, will there be a problem running two sets of radrelay (one on all accounting packets, and one on accounting packets from just one NAS)? Or is there a better way to do this and I'm just being blind?

-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Install Solaris9 - ver 1.0.1 and 1.0.2
Message: 2
Date: Wed, 16 Feb 2005 16:40:30 -0700 (MST)
From: Data Processing Fone Net <[EMAIL PROTECTED]>
Subject: Install Solaris9 - ver 1.0.1 and 1.0.2
To: freeradius-users@lists.freeradius.org
Reply-To: freeradius-users@lists.freeradius.org

Afternoon, I can not get the 1.0.1 or 1.0.2 versions to compile on my Solaris 9 server. I went to the FAQs and archive to research past recommendations. I have installed all the recommended packages, updated the CPAN modules, installed all new gcc, make, ld and the like. I put on the newest patches for sol9. I have tried the standard ./configure, I tried the recommended ./configure in the archives, and I am not able to get a build. I remove the freeradius dir and untar the tarball each time I attempt to get a build completed. Here is what I do get on the make and make install. configure seems to be ok. I am not the best or most knowledgeable when it comes to this, so I do expect it is a simple problem that I have missed.

End of the make process:

    make[6]: Leaving directory `/var/tmp/freeradius-1.0.2/src/modules/rlm_unix'
    Making static dynamic in rlm_x99_token...
    make[6]: Entering directory `/var/tmp/freeradius-1.0.2/src/modules/rlm_x99_token'
    gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -DX99_MODULE_NAME=\"rlm_x99_token\" -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
    In file included from x99_rlm.c:54:
    x99.h:26:42: openssl/des.h: No such file or directory
    In file included from x99_rlm.c:54:

msg truncated.

On my Sol 9 box, I removed all references to x99 in the makefile and then it compiled just fine. But then, I didn't need that stuff, so I was okay with that.

-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: Freeradius hangs after a HUP
Message: 8
Date: Wed, 19 Jan 2005 12:17:05 -0500 (EST)
From: Joe H <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Subject: Freeradius hangs after a HUP
Reply-To: freeradius-users@lists.freeradius.org

We have two seemingly identical freeradius servers; for this email let's call them radius-1 and radius-2. Both are FreeBSD 4.9 systems running freeradius 1.0.1 with an OpenLDAP 2.2.18 authentication method. Both machines run freeradius without a problem. When I send a HUP to reload the config files on radius-1, the radiusd process hangs and needs to be killed and started. If I do the same process on radius-2, it reloads fine. I have diffed all the configs and the only thing that is different in them is the listen statements in the radiusd.conf, as they should be. My question is, has anyone seen this before and if so, how was it fixed?

Troubleshooting already done: Checked configs for errors. Reinstalled freeradius.

Thanks.

We had this problem with two different versions (pre 1) to the point where we just gave up on HUP. We just force a restart each time. The 30 second reload time doesn't affect the users as far as we can see, and we ensure we get a clean load each time. BTW, we are/were running this on Sol 8 and now Sol 9.

-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: 8e6 technologies and radius
They use the Class attribute to tell their box what users are being filtered and how (which filtering ruleset). But it means that either the NAS device has to send the data to it, or I can radrelay it to the 8e6 box (which is what I'm using for testing at the moment). It also has the ability (I think) to receive data like an accounting server and then forward it to the actual accounting server. How do I modify the Access-Accept to send it to the NAS so it can add this attribute in the accounting packet? I don't remember seeing anything like that in the readmes or comments in the conf files? (Not to say I couldn't be blind and have totally missed it though.)

-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
8e6 technologies and radius
Has anyone out there used these boxes with freeradius? We are trying to set up a demo (to see if it works/if we can get it working), and what I have gotten from the 8e6 is that an attribute needs to be added to the user. The attribute is Class (value 25?) and it does show up in the base dictionary file (but as requiring an octet value, not a string, which the 8e6 box wants). This may be a stupid question (since I haven't read through the RFCs for radius), but would/could it cause some major problems if I changed the dictionary file so it expected a string instead of an octet? Right now, as far as I can see, none of our NAS devices are using the Class attribute (as it doesn't show up in any of the accounting packets from the different NAS devices), but I thought I would check with those who know more than me before I go trying to break things. Thanks in advance.

Terry
-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
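The two questions in this thread (whether flipping Class from octets to string in the dictionary can break anything, and how the value gets from the Access-Accept into the accounting packets) both come down to what Class looks like on the wire. Class is attribute type 25; RFC 2865 defines it as an opaque value the server puts in the Access-Accept and the NAS copies unchanged into every Accounting-Request for that session. The dictionary type only changes how radiusd prints and parses the value in its config and logs; "string" and "octets" produce identical bytes. The following encoder/decoder is an added example, not code from the thread or from FreeRADIUS, and the ruleset name, the attribute run it builds as a pretend Accounting-Request, and the 8e6 value format are all assumptions.

```python
import struct

CLASS = 25  # RFC 2865 section 5.25: issued in Access-Accept, echoed by the NAS in Accounting-Request


def encode_avp(attr_type, value):
    """One RADIUS attribute: type byte, length byte (header included), value."""
    if not 0 < attr_type < 256:
        raise ValueError("attribute type must be 1..255")
    if len(value) > 253:             # length is one byte and counts the 2-byte header
        raise ValueError("value too long for a single attribute")
    return struct.pack("!BB", attr_type, 2 + len(value)) + bytes(value)


def decode_avps(buf):
    """Walk a run of attributes, refusing a length that would run past the buffer."""
    avps, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad length {length} at offset {i}")
        avps.append((t, bytes(buf[i + 2:i + length])))
        i += length
    return avps


def class_as_string(text):
    """The bytes a 'string' dictionary entry and a users-file line Class = "text" produce."""
    return encode_avp(CLASS, text.encode("ascii"))


def class_as_octets(hex_text):
    """The bytes an 'octets' dictionary entry and a users-file line Class = 0x... produce."""
    if hex_text.startswith(("0x", "0X")):
        hex_text = hex_text[2:]
    return encode_avp(CLASS, bytes.fromhex(hex_text))


def class_echoed_intact(issued_avps, accounting_avps):
    """The NAS must return Class unmodified; compare the multiset of Class values."""
    want = sorted(v for t, v in decode_avps(issued_avps) if t == CLASS)
    got = sorted(v for t, v in decode_avps(accounting_avps) if t == CLASS)
    return want == got


if __name__ == "__main__":
    ruleset = "filter-ruleset-12"          # hypothetical value; the real 8e6 format is not on the page
    a = class_as_string(ruleset)
    b = class_as_octets("0x" + ruleset.encode("ascii").hex())
    print("same bytes on the wire:", a == b, a.hex())
    # constructed Accounting-Request attribute run: User-Name, the echoed Class, Acct-Status-Type
    acct = encode_avp(1, b"wap") + a + encode_avp(40, struct.pack("!I", 2))
    print("echoed intact:", class_echoed_intact(a, acct))
```

The check in class_echoed_intact is the one worth keeping around: if a NAS drops or rewrites Class, the filtering box downstream of radrelay will see sessions with no ruleset, and that is a NAS bug rather than a dictionary problem.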
Orinoco AP-2500 authentication rejects
Are you sure it is actually rejecting them (in the radius log) and not just not sending anything back to the AP-2500? That was a problem I had for a while. We have three AP-2500s up and running against freeradius 1.0.0 and working pretty well at that. Also, make sure you have the right info in the clients.conf file.

-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: difference in columns/names
The "Acct_Output_Octets_64" isn't a standard RADIUS attribute. It's a Redback attribute. (see dictionary.redback) I suggest asking Redback what it means, and why it's zero.

Alan DeKok.

Okay, will do. Thank you very much!

t-
-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
Re: difference in columns/names
Terry J Fike Jr <[EMAIL PROTECTED]> wrote:
> Okay, i'm not sure if this is the right place to ask, but since it is
> more or less radius accounting i thought i'd try here. Does anyone know
> the difference in the data in the columns inputoctets/outputoctets and
> inputoctets64/outputoctets64 and why there would always be data in the
> i/o columns, but not always in the i/o64 columns?

Are those columns in the standard FreeRADIUS SQL schema?

Alan DeKok

Umm... not sure. Much of this was originally set up by someone else and I just copied the SQL queries into the sql.conf file from our original version (0.8.3). Here is an example of one of the queries:

    accounting_update_query = "INSERT into interim_updates
        (AcctSessionId, AcctUniqueId, UserName, NASIPAddress, NASPortId,
         AcctUpdateTime, AcctSessionTime, AcctAuthentic, ConnectInfo_Update,
         AcctInputOctets, AcctInputOctets64, AcctOutputOctets, AcctOutputOctets64,
         AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress)
        values ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
         '%{NAS-IP-Address}', '%{NAS-Port-Id}',
         TO_DATE('%S', 'yyyy-mm-dd hh24:mi:ss'),
         '%{Acct-Session-Time}', '%{Acct-Authentic}', '%{Connect-Info}',
         '%{Acct-Input-Octets}', radius.hex2dec('%{Acct_Input_Octets_64}'),
         '%{Acct-Output-Octets}', radius.hex2dec('%{Acct_Output_Octets_64}'),
         '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}',
         '%{Framed-IP-Address}')"

And just in case, since this was an in-house written Java function, here is hex2dec from Oracle:

    -- PL/SQL call spec; the return type must match the Java method below
    function hex2dec (hex_in varchar2) return NUMBER
    as language java
    name 'Hex2Dec.getInt(java.lang.String) return long';

    public class Hex2Dec {
        // Accepts "0x..." (how an octets attribute expands) or bare hex.
        // Oracle passes an empty '' as NULL, so a missing attribute yields 0.
        public static long getInt(String hex) {
            if (hex != null && hex.startsWith("0x")) {
                String cleanHex = hex.substring(2, hex.length());
                return Long.parseLong(cleanHex, 16);
            } else if (hex != null) {
                return Long.parseLong(hex, 16);
            } else {
                return 0;
            }
        }
    }

-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
difference in columns/names
Okay, I'm not sure if this is the right place to ask, but since it is more or less radius accounting I thought I'd try here. Does anyone know the difference in the data in the columns inputoctets/outputoctets and inputoctets64/outputoctets64, and why there would always be data in the i/o columns, but not always in the i/o64 columns? And it doesn't appear to matter which NAS device the data is coming from. I'm using FR1.0.0 on Sol8. All the data I'm finding in google/books just deals with input/outputoctets in general. Any help/pointers is appreciated. Thanks in advance.

t-
-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]
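The thread's answer is that the 64 columns are fed by a Redback vendor attribute that only Redback gear sends, so they are empty for every other NAS; the standard way to get a 64-bit byte count from any NAS is Acct-Input-Gigawords / Acct-Output-Gigawords (RFC 2869), which carry the high 32 bits once Acct-Input-Octets / Acct-Output-Octets wrap. The code below is an added example, not code from the thread: it ports the posted hex2dec function and shows how a nightly import could reconcile the two sources instead of blindly inserting a zero. The sample records are constructed here, and the rule that the vendor counter is trusted only when its low 32 bits agree with the RFC pair is this example's choice, not anything FreeRADIUS or Redback documents.

```python
GIGAWORD = 1 << 32   # Acct-*-Gigawords (RFC 2869) hold bits 32..63 of the byte counter

# Constructed sample: attribute names as radiusd expands them in the posted query.
SAMPLE_RECORDS = [
    # the posted symptom: RFC counters present, vendor 64-bit column empty
    {"Acct-Session-Id": "0b000d74", "Acct-Input-Octets": "88", "Acct-Output-Octets": "88"},
    # a session past 4 GiB inbound: Octets wrapped, Gigawords carries the high word
    {"Acct-Session-Id": "0b000d80", "Acct-Input-Octets": "1024", "Acct-Input-Gigawords": "1",
     "Acct-Output-Octets": "512"},
    # vendor counter present and consistent with the RFC pair
    {"Acct-Session-Id": "0b000d81", "Acct-Input-Octets": "1024", "Acct-Input-Gigawords": "1",
     "Acct_Input_Octets_64": "0x0000000100000400", "Acct-Output-Octets": "0"},
    # vendor counter present but disagreeing with the RFC pair
    {"Acct-Session-Id": "0b000d82", "Acct-Input-Octets": "4096",
     "Acct_Input_Octets_64": "0x00000000000000ff", "Acct-Output-Octets": "0"},
]


def hex2dec(text):
    """Python port of the posted Oracle/Java hex2dec: '0x...' or bare hex, NULL/empty -> 0."""
    if not text:
        return 0
    if text.startswith(("0x", "0X")):
        text = text[2:]
    return int(text, 16)


def standard_octets(attrs, direction):
    """64-bit count from the RFC attributes: Gigawords * 2^32 + Octets (direction is Input/Output)."""
    octets = int(attrs.get(f"Acct-{direction}-Octets", 0))
    gigawords = int(attrs.get(f"Acct-{direction}-Gigawords", 0))
    return gigawords * GIGAWORD + octets


def reconcile_octets(attrs, direction):
    """Return (count, source) for one direction.

    The Redback counter (Acct_Input_Octets_64 / Acct_Output_Octets_64, expanded
    as a 0x string because the dictionary types it as octets) is used only when
    present, nonzero, and agreeing with the low 32 bits of the RFC pair; in every
    other case the RFC attributes win, and a disagreement is labelled rather
    than silently billed.
    """
    std = standard_octets(attrs, direction)
    vendor = hex2dec(attrs.get(f"Acct_{direction}_Octets_64"))
    if vendor == 0:
        return std, "rfc"
    if vendor & 0xFFFFFFFF != std & 0xFFFFFFFF:
        return std, "mismatch"
    return vendor, "vendor"


def billable(records):
    """{session id: (input, output, input source, output source)} for a batch of records."""
    result = {}
    for r in records:
        i, src_i = reconcile_octets(r, "Input")
        o, src_o = reconcile_octets(r, "Output")
        result[r["Acct-Session-Id"]] = (i, o, src_i, src_o)
    return result


if __name__ == "__main__":
    for session, row in billable(SAMPLE_RECORDS).items():
        print(session, row)
```

A row flagged "mismatch" is the case to look at before trusting either column; for everything that is not Redback, the RFC pair is the only 64-bit source you will get.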
AP Orinoco 2500
Okay, I know for the most part these things have been done to death, but mostly just with logging. Has anyone else had issues with the Orinoco allowing multiple sessions for a user? (i.e.: they are logged in via another NAS device and their port limit = 1, yet they are still allowed to log into the AP normally.) Thanks in advance.

t-
-- Terry J Fike Jr, System Administrator, MTA Solutions, 907-793-4100, [EMAIL PROTECTED]