Re: Linksys WIFI Authentication using freeradius?

2011-12-14 Thread michel

Fajar A. Nugraha l...@fajar.net wrote:

> On Fri, Dec 9, 2011 at 11:36 PM, Michel Bulgado mic...@casa.co.cu wrote:
>
>> In conclusion what we discussed, my Linksys router when accounting packets
>> sent after authenticating my user, but not shown or at least are suppressed
>> by TTLS. is not so?
>>
>> So should I change the mechanism to use!
>
> Like Alan said, some NAS simply won't work for what you're trying to
> achieve, because it doesn't send accounting packets. Fix the NAS.
>
> There is another alternative. Instead of using 802.1x, you could use a
> captive portal. chillispot (and derivatives) is widely used and can send
> accounting packets just fine. It's more complex to set up (e.g.
> requires you set up a web server, and have a server or wireless AP
> which can function as captive portal), but it should work with any
> wireless access point that either:
> - is captive-portal-capable (e.g. anything that can be flashed with
>   dd-wrt standard or higher), OR
> - can bridge wireless to wired network, effectively making wireless
>   clients to be in the same ethernet broadcast domain as wired clients.
>   You'd still need a captive portal, but in this setup the captive
>   portal can be another AP or a server.
>
> --
> Fajar



Fajar

My Wlan is a WRT-110, so DD-WRT is not supported on this model.

I wondered if I could at least implement Simultaneous-Use so that I  
can limit the user to connect once, but I think it is not possible,


it would at least check the table radacct is where you store the
Accounting and returning to the above not possible.


This router is commercial, maybe for its commercial nature, the  
firmware you have installed, do not send those packets.


Regards

Michel
--
Webmail, e-mail service
Casa de las Americas - La Habana, Cuba.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
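
The check suggested in this thread (run the server in debug mode, connect and disconnect a client, and see whether any accounting packets arrive) can be run over a saved `radiusd -X` log. This is an added example, not code from the thread or from FreeRADIUS; the sample log is constructed, uses documentation addresses, and follows the `rad_recv:` / `Sending` line format of the debug output quoted further down this page.

```python
import re
from collections import defaultdict

# Line formats as printed by FreeRADIUS 2.x in debug mode (see the quoted output
# elsewhere in this thread). Only the packet type and peer address are needed.
RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+")
SEND = re.compile(r"^Sending (\S+) of id \d+ to (\S+) port \d+")
STATUS = re.compile(r"^\s*Acct-Status-Type = (\S+)")

# Constructed sample: 192.0.2.10 authenticates but never sends accounting,
# 192.0.2.20 authenticates and sends Start/Stop records.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 32771, id=125, length=121
Sending Access-Challenge of id 125 to 192.0.2.10 port 32771
rad_recv: Access-Request packet from host 192.0.2.10 port 32771, id=126, length=240
Sending Access-Accept of id 126 to 192.0.2.10 port 32771
rad_recv: Access-Request packet from host 192.0.2.20 port 17979, id=7, length=98
Sending Access-Accept of id 7 to 192.0.2.20 port 17979
rad_recv: Accounting-Request packet from host 192.0.2.20 port 17979, id=8, length=170
\tAcct-Status-Type = Start
Sending Accounting-Response of id 8 to 192.0.2.20 port 17979
rad_recv: Accounting-Request packet from host 192.0.2.20 port 17979, id=9, length=170
\tAcct-Status-Type = Stop
Sending Accounting-Response of id 9 to 192.0.2.20 port 17979
"""


def summarize(debug_text):
    """Count packet types per peer address, plus Acct-Status-Type values received."""
    stats = defaultdict(lambda: defaultdict(int))
    acct_peer = None  # peer whose Accounting-Request attributes are being listed
    for line in debug_text.splitlines():
        m = RECV.match(line)
        if m:
            ptype, host = m.groups()
            stats[host][ptype] += 1
            acct_peer = host if ptype == "Accounting-Request" else None
            continue
        m = SEND.match(line)
        if m:
            ptype, host = m.groups()
            stats[host][ptype] += 1
            acct_peer = None
            continue
        m = STATUS.match(line)
        if m and acct_peer:
            stats[acct_peer]["Acct-" + m.group(1)] += 1
    return {host: dict(counts) for host, counts in stats.items()}


def silent_nas(stats):
    """Peers that were sent an Access-Accept but never sent an Accounting-Request."""
    return sorted(
        host for host, counts in stats.items()
        if counts.get("Access-Accept", 0) > 0
        and counts.get("Accounting-Request", 0) == 0
    )


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for host, counts in sorted(result.items()):
        print(host, counts)
    print("authenticated but no accounting seen:", silent_nas(result))
```

A peer listed by `silent_nas` is one for which the radacct table will stay empty, so anything that depends on accounting for that NAS (Simultaneous-Use, session reports) has no data to work from.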


Re: Linksys WIFI Authentication using freeradius?

2011-12-09 Thread Michel Bulgado

On 12/08/2011 10:06 PM, Fajar A. Nugraha wrote:

> On Fri, Dec 9, 2011 at 9:39 AM, mic...@casa.co.cu wrote:
>
>> Michel Bulgado mic...@casa.co.cu wrote:
>>
>>> On 12/08/2011 04:26 PM, Fajar A. Nugraha wrote:
>>>
>>>> On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado mic...@casa.co.cu wrote:
>>>>
>>>>> After the user to authenticate and connect to wireless, I noticed that the
>>>>> table RadAcct was empty, probing the inner-tunnel file found this:
>>>>>
>>>>> There are no accounting Requests inside of EAP-TTLS or PEAP tunnels.
>>>>>
>>>>> What other variants, I can choose to run the accounting?
>>>>
>>>> sites-available/default
>>>>
>>>> look for sql in accounting section.
>>>
>>> This is my accounting section in /etc/raddb/sites-available/default
>>>
>>> accounting {
>>>     detail
>>>     sql
>>> }
>>>
>>> And don't work
>>>
>>> Michel
>>
>> Hello again
>>
>> As confirmed in my previous email, I have a problem, I have configured
>> freeradius supports tunneled TLS or TTLS best known for, my users can
>> connect using a username and password, but after connecting, not performing
>> the accounting in mysql, I was reviewing seconds
>
> Let's go back to the basics.
>
> Does your NAS send accounting packets? (hint: run FR in debug mode,
> then get a client to connect and disconnect)
> Some NAS (last time I tried with dd-wrt) it can authenticate using
> EAP, but it can't send accounting packet.



Hi Fajar

I run radiusd in debug mode :

This is the output of the request:


rad_recv: Access-Request packet from host 192.168.25.15 port 32771, 
id=125, length=121

User-Name = michel
NAS-IP-Address = 192.168.30.1
NAS-Port = 0
Called-Station-Id = 00-1E-E5-F4-7B-21
Calling-Station-Id = 00-1F-E1-2B-28-57
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000b016d696368656c
Message-Authenticator = 0x72d68fa1027b67d016dd173b01c92dcf
+- entering group authorize {...}
++[preprocess] returns ok
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} - michel
[sql] sql_set_user escaped user -- 'michel'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op   
FROM radcheck   WHERE username = '%{SQL-User-Name}'   
ORDER BY id - SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = 'michel'   ORDER BY id

[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op   
FROM radreply   WHERE username = '%{SQL-User-Name}'   
ORDER BY id - SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = 'michel'   ORDER BY id
[sql] expand: SELECT groupname   FROM radusergroup   
WHERE username = '%{SQL-User-Name}'   ORDER BY priority - 
SELECT groupname   FROM radusergroup   WHERE username = 
'michel'   ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,   Value, 
op   FROM radgroupcheck   WHERE groupname = 
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname, 
attribute,   Value, op   FROM radgroupcheck   
WHERE groupname = 'Computacion'   ORDER BY id

[sql] User found in group Computacion
[sql] expand: SELECT id, groupname, attribute,   value, 
op   FROM radgroupreply   WHERE groupname = 
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname, 
attribute,   value, op   FROM radgroupreply   
WHERE groupname = 'Computacion'   ORDER BY id

rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-1F-E1-2B-28-57
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-1F-E1-2B-28-57
++[checkval] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 125 to 192.168.25.15 port 32771
Framed-Compression := Van-Jacobson-TCP-IP
Framed-Protocol := PPP
Service-Type := Framed-User
Acct-Interim-Interval = 60
EAP-Message = 0x010200061520
Message-Authenticator = 0x
State = 0xa86f76f4a86d635fb1337e0b98514b2f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.25.15 port 32771, 
id=126, length=240

User-Name = michel
NAS-IP-Address = 192.168.30.1
NAS-Port = 0
Called-Station-Id = 00-1E-E5-F4-7B-21
Calling-Station-Id = 00-1F-E1-2B-28-57
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 
0x02020070158000661603010061015d03014ee2247053e29359e617993c10c473b4005b225795041ba292b2e85d81f47f553600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100

State

Re: Linksys WIFI Authentication using freeradius?

2011-12-09 Thread Michel Bulgado

On 12/09/2011 10:49 AM, Alan DeKok wrote:

> Michel Bulgado wrote:
>
>> So, i don't see accounting packet, could be suppressed by the TTLS or
>
>   Absolutely not.
>
>> Linksys Router don't send that packet in stream?
>
>   Yes.
>
>   Alan DeKok.


Alan

Excuse me everyone on the list for insisting so much with this issue, 
I'm interested in solving this problem.


In conclusion what we discussed, my Linksys router when accounting 
packets sent after authenticating my user, but not shown or at least are 
suppressed by TTLS. is not so?


So should I change the mechanism to use!

Can you recommend any, that the process simple client-side that does not 
involve installation of certificates in the client side.


As simple as the user only have to put user and password to connect


Regards

Michel


Re: Linksys WIFI Authentication using freeradius?

2011-12-08 Thread Michel Bulgado

 On 12/07/2011 08:37 AM, Michel Bulgado wrote:

> On Wednesday 07 December 2011 01:26:08 Fajar A. Nugraha wrote:
>
>> On Wed, Dec 7, 2011 at 1:15 PM, mic...@casa.co.cu wrote:
>>
>>> google search and it turns out all the variations I have encountered are
>>> implementing freeradius with PEAP TLS and mysql which should generate
>>> certificates and then configure the client and in turn install these
>>> certificates to the exchange between the server and client.
>>>
>>> I was wondering, there is some other simpler way that does not imply that
>>> this set up or install certificates on the client side?
>>
>> PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC, etc.
>>
>> On these setup there's only one certificate: the server. Depending on
>> your OS/supplicant, the client can be set up to ignore the certificate
>> validation, or to have a pop up asking whether they trust the server
>> certificate.
>>
>> Note that the CLIENT choose which authentication method to use. Setup
>> on NAS (i.e. access point) side is the same.
>>
>>> Well, I have several clients with different operating systems: Windows,
>>> Linux, Apple.
>>>
>>> Something as simple as putting the username and password.
>>
>> Once you get past certificate trust issue, it's a matter of putting
>> username and password.
>
> Hi Fajar
>
> Thanks for reply me.
>
> If PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC works with one
> certificate on the side of the server, of the three methods what
> you recommend me to use in the server?
>
> Did you have a manual, doc, i can use to setting up the
> authentication with freeradius with PEAP-TTLS or PEAP-MSCHAPv2
> or PEAP-GTC and mysql?
>
> Michel



At last!

Finally after much struggle, I configure freeradius with mysql to 
authenticate wireless users.


EAP-TTLS

But another problem arises for me:

After the user to authenticate and connect to wireless, I noticed that 
the table RadAcct was empty, probing the inner-tunnel file found this:


There are no accounting Requests inside of EAP-TTLS or PEAP tunnels.

What other variants, I can choose to run the accounting?

Ideas?



Re: Linksys WIFI Authentication using freeradius?

2011-12-08 Thread Michel Bulgado

On 12/08/2011 04:26 PM, Fajar A. Nugraha wrote:

> On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado mic...@casa.co.cu wrote:
>
>> After the user to authenticate and connect to wireless, I noticed that the
>> table RadAcct was empty, probing the inner-tunnel file found this:
>>
>> There are no accounting Requests inside of EAP-TTLS or PEAP tunnels.
>>
>> What other variants, I can choose to run the accounting?
>
> sites-available/default
>
> look for sql in accounting section.

This is my accounting section in /etc/raddb/sites-available/default

accounting {
    detail
    sql
}

And don't work

Michel


Re: Linksys WIFI Authentication using freeradius?

2011-12-08 Thread michel

Michel Bulgado mic...@casa.co.cu wrote:

> On 12/08/2011 04:26 PM, Fajar A. Nugraha wrote:
>
>> On Fri, Dec 9, 2011 at 4:11 AM, Michel Bulgado mic...@casa.co.cu wrote:
>>
>>> After the user to authenticate and connect to wireless, I noticed that the
>>> table RadAcct was empty, probing the inner-tunnel file found this:
>>>
>>> There are no accounting Requests inside of EAP-TTLS or PEAP tunnels.
>>>
>>> What other variants, I can choose to run the accounting?
>>
>> sites-available/default
>>
>> look for sql in accounting section.
>
> This is my accounting section in /etc/raddb/sites-available/default
>
> accounting {
>     detail
>     sql
> }
>
> And don't work
>
> Michel




Hello again

As confirmed in my previous email, I have a problem, I have configured  
freeradius supports tunneled TLS or TTLS best known for, my users can  
connect using a username and password, but after connecting, not  
performing the accounting in mysql, I was reviewing seconds


There are no accounting Requests inside of EAP-TTLS or PEAP tunnels.

And in turn asked me take this opportunity to ask Alan for who knows  
more about the subject:


1 - You know how to get them to perform the accounting either through  
a script?


In case there is no solution with TTLS:

2 - Which of these authentication mechanisms PEAP-TTLS,  
PEAP-MSCHAPv2, PEAP-GTC, accounting works and in turn not necessarily  
need to install client-side certificates?


regards

Michel



Re: Linksys WIFI Authentication using freeradius?

2011-12-07 Thread Michel Bulgado
On Wednesday 07 December 2011 01:26:08 Fajar A. Nugraha wrote:

> On Wed, Dec 7, 2011 at 1:15 PM, mic...@casa.co.cu wrote:
>
>> google search and it turns out all the variations I have encountered are
>> implementing freeradius with PEAP TLS and mysql which should generate
>> certificates and then configure the client and in turn install these
>> certificates to the exchange between the server and client.
>>
>> I was wondering, there is some other simpler way that does not imply that
>> this set up or install certificates on the client side?
>
> PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC, etc.
>
> On these setup there's only one certificate: the server. Depending on
> your OS/supplicant, the client can be set up to ignore the certificate
> validation, or to have a pop up asking whether they trust the server
> certificate.
>
> Note that the CLIENT choose which authentication method to use. Setup
> on NAS (i.e. access point) side is the same.
>
>> Well, I have several clients with different operating systems: Windows,
>> Linux, Apple.
>>
>> Something as simple as putting the username and password.
>
> Once you get past certificate trust issue, it's a matter of putting
> username and password.

Hi Fajar

Thanks for reply me.

If PEAP-TTLS, PEAP-MSCHAPv2, PEAP-GTC works with one 
certificate on the side of the server, of the three methods  what 
you recomend me to use in the server?

Did you have a manual, doc, i can use to setting up the 
authentication with freeradius with PEAP-TTLS or PEAP-MSCHAPv2 
or  PEAP-GTC and mysql?

Michel



Linksys WIFI Authentication using freeradius?

2011-12-06 Thread michel

hello

I have a Linksys WRT-110 router which supports various security  
mechanisms: WPA  WPA2 Personal, WPA Enterprise and Radius  
authentication.


Today WPA2 Personal use where all my clients use the same key or  
password to connect.


I want to change this so that each user can connect with username and  
password in a personal way, I was thinking my router to authenticate  
against a radius server.


google search and it turns out all the variations I have encountered  
are implementing freeradius with PEAP TLS and mysql which should  
generate certificates and then configure the client and in turn  
install these certificates to the exchange between the server and  
client.


I was wondering, there is some other simpler way that does not imply  
that this set up or install certificates on the client side?


Well, I have several clients with different operating systems:  
Windows, Linux, Apple.


Something as simple as putting the username and password.

It OpenWrt I saw as another variant to follow and the router does not  
appear in the list of supported devices.


Ideas?

Michel


Re: WiFI

2011-08-01 Thread Michel Bulgado

Alan Buxey wrote:

> Hi,
>
>> With them, users connect to my network using WIFI using a password exchange.
>>
>> I would like to change this pattern, I wondered if configuration is
>> possible to perform Authentication, Authorization and Accounting with
>> Freeradius and if I can provide any documentation that details the way
>> as it can get.
>
> just configure those linksys wifi routers with the IP address
> of your RADIUS server and configure WPA and/or WPA2 enterprise mode
> (if they support it - and i'm sure those ones do).
>
> the users would then connect to the Enterprise EAP SSID and the AAA
> would be done on your RADIUS server.
>
> alan


Hello

For several days writing directed to the list, asking if it was possible 
with my Linksys access points perform authentication, authorization and 
accounting with freeradius, as a database using mysql.


Reviewing the wiki site freeradius, I found this documentation: 
http://wiki.freeradius.org/WPA-HOWTO


WPA + EAP TLS

You need to install and create certificates for Windows clients, say 
that I have also ubuntu users and users with Macs.


As would the case of these operating systems?

There is a variant that does not include the exchange of certificates, a 
lower level or more simple exchange between the client, the access point 
and server freeradius?


Thanks
Michel


WiFI

2011-07-13 Thread michel

Hello

I have three Linksys Wireless Routers:

WRT160N
WRT110
WRT360 - Now I'm not sure of the model

With them, users connect to my network using WIFI using a password exchange.

I would like to change this pattern, I wondered if configuration is  
possible to perform Authentication, Authorization and Accounting with  
Freeradius and if I can provide any documentation that details the way  
as it can get.


Thanks

Michel


Segmentation Fault

2010-11-08 Thread Michel Musslin

Hello,

I actually try to cross compile freeradius 2.0.9 for powerpc. Everything 
looks good during compilation, but we get Segmentation Fault on our 
host when executing radiusd -X.


Our setup is :
 - EGLIBC 2.9
 - GCC 4.3.2
 - Linux 2.6.31

Could you please help me to find a way to solve this problem.

Here you can find strace and gdb log.

Michel M.

strace log :

sendto(4, \0\0\0\24\0\26\3\1L\321-\374\0\0\0\0\0\0\0\0, 20, 0, 
{sa_family=AF_NETLINK, pid=0, groups=}, 12) = 20
recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=}, 
msg_iov(1)=[{\0\0\\0\24\0\2L\321-\374\0\0\7$\2\10\200\376\0\0\0\1\0\10\0\1\177\0\0\1..., 
4096}], msg_controllen=0, msg_flags=0}, 0) = 288
recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=}, 
msg_iov(1)=[{\0\...@\0\24\0\2l\321-\374\0\0\7$\n\200\200\376\0\0\0\1\0\24\0\1\0\0\0\0..., 
4096}], msg_controllen=0, msg_flags=0}, 0) = 128
recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=}, 
msg_iov(1)=[{\0\0\0\24\0\3\0\2L\321-\374\0\0\7$\0\0\0\0\0\0\0\1\0\24\0\1\0\0\0\0..., 
4096}], msg_controllen=0, msg_flags=0}, 0) = 20

close(4)= 0
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 64), ...}) = 0
ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0x48001000

open(/usr/local/lib/rlm_exec.la, O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0755, st_size=814, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0x48002000

read(4, # rlm_exec.la - a libtool librar..., 4096) = 814
read(4, , 4096)   = 0
close(4)= 0
munmap(0x48002000, 4096)= 0
open(/usr/local/lib/libpthread.la, O_RDONLY) = -1 ENOENT (No such file 
or directory)
open(/lib/libpthread.la, O_RDONLY)= -1 ENOENT (No such file or 
directory)
open(/usr/lib/libpthread.la, O_RDONLY) = -1 ENOENT (No such file or 
directory)
access(/usr/local/lib/libpthread.so, R_OK) = -1 ENOENT (No such file 
or directory)
access(/lib/libpthread.so, R_OK)  = -1 ENOENT (No such file or 
directory)

access(/usr/lib/libpthread.so, R_OK)  = 0
futex(0x1016e378, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open(/usr/lib/libpthread.so, O_RDONLY) = 4
read(4, /* GNU ld script\n   Use the shar..., 512) = 219
close(4)= 0
open(/usr/local/lib/libresolv.la, O_RDONLY) = -1 ENOENT (No such file 
or directory)
open(/lib/libresolv.la, O_RDONLY) = -1 ENOENT (No such file or 
directory)
open(/usr/lib/libresolv.la, O_RDONLY) = -1 ENOENT (No such file or 
directory)
access(/usr/local/lib/libresolv.so, R_OK) = -1 ENOENT (No such file or 
directory)
access(/lib/libresolv.so, R_OK)   = -1 ENOENT (No such file or 
directory)

access(/usr/lib/libresolv.so, R_OK)   = 0
open(/usr/lib/libresolv.so, O_RDONLY) = 4
read(4, 
\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\0.X\0\0\0004..., 
512) = 512

fstat64(4, {st_mode=S_IFREG|0755, st_size=92607, ...}) = 0
mmap(0x6ffcb000, 150532, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 
4, 0) = 0x6ffcb000

mprotect(0x6ffdd000, 61440, PROT_NONE)  = 0
mmap(0x6ffec000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x11000) = 0x6ffec000
mmap(0x6ffee000, 7172, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x6ffee000

close(4)= 0
open(/etc/ld.so.cache, O_RDONLY)  = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=4841, ...}) = 0
mmap(NULL, 4841, PROT_READ, MAP_PRIVATE, 4, 0) = 0x48002000
close(4)= 0
open(/lib/libc.so.6, O_RDONLY)= 4
read(4, 
\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\1\356T\0\0\0004..., 
512) = 512

fstat64(4, {st_mode=S_IFREG|0755, st_size=1733649, ...}) = 0
mmap(0x6fe4f000, 1487896, PROT_READ|PROT_EXEC, 
MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x6fe4f000

mprotect(0x6ffa4000, 61440, PROT_NONE)  = 0
mmap(0x6ffb3000, 20480, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x154000) = 0x6ffb3000
mmap(0x6ffb8000, 9240, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x6ffb8000

close(4)= 0
open(/lib/ld.so.1, O_RDONLY)  = 4
read(4, 
\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\1_x\0\0\0004..., 
512) = 512

fstat64(4, {st_mode=S_IFREG|0755, st_size=143055, ...}) = 0
mmap(0x6fe1, 192148, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 
4, 0) = 0x6fe1

mprotect(0x6fe2e000, 61440, PROT_NONE)  = 0
mmap(0x6fe3d000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x1d000) = 0x6fe3d000

close(4)= 0
mprotect(0x6fe3d000, 4096, PROT_READ)   = 0
mprotect(0x6ffb3000, 8192, PROT_READ)   = 0
mprotect(0x6ffec000, 4096, PROT_READ)   = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

gdb

Re: Problems with the mailing list?????

2010-11-08 Thread Michel Bulgado

James J J Hooper wrote:

> On 07/11/2010 10:32, mic...@casa.co.cu wrote:
>
>> Hello
>>
>> Gentlemen, there are problems on the list and everyone is on vacation or
>> just moved to see activity on the list?
>>
>> I repeat my previous message, only this time I'm more brief
>
> The silence was your answer:
>
> You would like FreeRADIUS to return an Idle-Timeout of 900 seconds,
> you configured it to do that, and you showed us it was doing that in
> the Access-Accept packet. Therefore there is no problem with FreeRADIUS.
>
> If your NAS doesn't respect the Idle-Timeout attribute, that is a
> problem with your NAS - Refer to its documentation to find out:
> a) If it supports the Idle-Timeout attribute at all (If so it might
> have a bug - contact the NAS manufacturer).
>
> or
> b) If it supports a different method to do the same thing.
>
> Regards,
>   James


Hi

It was indeed a problem of the operator that was used in the database, 
which will note when reviewing the documentation, which I should have 
done before writing to the list. newbie stuff ...


My apologies if I headed to the list incorrectly, but I unsubscribed 
from the list months ago and at that time I received many messages a day.
After re-subscribe in the last few days I have noticed arriving as
decreased traffic message to the list, for this reason, in a first
attempt to not get any answer from the list, went back to write.


Tim, James, Alan

Thanks for answering my message.

Michel


Problems with the mailing list?????

2010-11-07 Thread michel

Hello

Gentlemen, there are problems on the list and everyone is on vacation  
or just moved to see activity on the list?


I repeat my previous message, only this time I'm more brief


I created a group in mysql and I've assigned certain attributes, one  
of them and is giving me problems is Idle-Timeout, which has a value  
of 900 seconds and the user is disconnected before time indicated.


Because I want the user to be disconnected if after spending 10 ~ 15  
minutes does not show any activity. not before that time.



mysql> SELECT * FROM `radgroupreply` ;
+----+------------+--------------------+----+---------------------+
| id | groupname  | attribute          | op | value               |
+----+------------+--------------------+----+---------------------+
|  1 | Desarrollo | Service-Type       | =  | Framed-User         |
|  2 | Desarrollo | Framed-Protocol    | =  | PPP                 |
|  3 | Desarrollo | Framed-MTU         | =  | 1500                |
|  4 | Desarrollo | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
|  5 | Desarrollo | Framed-IP-Netmask  | =  | 255.255.255.0       |
|  6 | Desarrollo | Idle-Timeout       | := | 900                 |
+----+------------+--------------------+----+---------------------+


here you can see the user disconnected prematurely


rad_recv: Accounting-Request packet from host 172.19.19.10 port 17979,  
id=197, length=170

NAS-IP-Address = 172.19.19.10
NAS-Identifier = Access Server
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.71.53.214
User-Name = carlos
NAS-Port = 447
NAS-Port-Type = Async
Called-Station-Id = 60110
Calling-Station-Id = 78382547
Acct-Status-Type = Stop
Acct-Session-Id = 013425
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
Acct-Input-Octets = 47429
Acct-Output-Octets = 4377
Acct-Input-Packets = 66
Acct-Output-Packets = 57
Acct-Session-Time = 95
Acct-Terminate-Cause = Idle-Timeout

Could be problems with the operator that I am implementing

Thanks


Idle-Timeout problem

2010-11-04 Thread michel

Hi

I currently work with freeradius version 2.1.7, my users are in mysql.

mysql> SELECT * FROM `radusergroup`;
+----------+------------+----------+
| username | groupname  | priority |
+----------+------------+----------+
| joseph   | Desarrollo |        1 |
| carlos   | Desarrollo |        1 |
| miguel   | Admins     |        1 |
+----------+------------+----------+

My problem is that users are being disconnected before the time indicated by
parameter Idle-Timeout.

mysql> SELECT * FROM `radgroupreply` ;
+----+------------+--------------------+----+---------------------+
| id | groupname  | attribute          | op | value               |
+----+------------+--------------------+----+---------------------+
|  1 | Desarrollo | Service-Type       | =  | Framed-User         |
|  2 | Desarrollo | Framed-Protocol    | =  | PPP                 |
|  3 | Desarrollo | Framed-MTU         | =  | 1500                |
|  4 | Desarrollo | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
|  5 | Desarrollo | Framed-IP-Netmask  | =  | 255.255.255.0       |
|  6 | Desarrollo | Idle-Timeout       | := | 900                 |
|  7 | Admins     | Service-Type       | =  | Framed-User         |
|  8 | Admins     | Framed-Protocol    | =  | PPP                 |
|  9 | Admins     | Framed-MTU         | =  | 1500                |
| 10 | Admins     | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
| 11 | Admins     | Framed-IP-Netmask  | =  | 255.255.255.0       |
| 12 | Admins     | Idle-Timeout       | := | 0                   |
+----+------------+--------------------+----+---------------------+

As you can see here he is sending the access server parameters defined  
above in the database.


Sending Access-Accept of id 246 to 172.19.19.50 port 17979
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Framed-IP-Netmask = 255.255.255.0
Idle-Timeout := 900


And here you can see the user disconnected prematurely


rad_recv: Accounting-Request packet from host 172.19.19.10 port 17979,  
id=197, length=170

NAS-IP-Address = 172.19.19.10
NAS-Identifier = Access Server
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.71.53.214
User-Name = carlos
NAS-Port = 447
NAS-Port-Type = Async
Called-Station-Id = 60110
Calling-Station-Id = 78382547
Acct-Status-Type = Stop
Acct-Session-Id = 013425
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
Acct-Input-Octets = 47429
Acct-Output-Octets = 4377
Acct-Input-Packets = 66
Acct-Output-Packets = 57
Acct-Session-Time = 95
Acct-Terminate-Cause = Idle-Timeout

Thanks

Michel


Re: Calling-Station-Id

2010-01-07 Thread Michel Bulgado

Bjørn Mork wrote:

> Michel Bulgado mic...@casa.co.cu writes:
>
>> Try this way, remember the operator.
>>
>> |312|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>> |298|t...@internet.quimefa.cu|MD5-Password   | := | password
>> |313|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>
> Please read the manual.  In this case, that's users(5):
>
>    Attribute += Value
>        Always matches as a check item, and adds the current attribute with
>        value to the list of configuration items.
>        As a reply item, it has an identical meaning, but the attribute is
>        added to the reply items.
>
> This means that the 3 lines
>
>  |312|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>  |298|t...@internet.quimefa.cu|MD5-Password   | := | password
>  |313|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>
> are identical to the single line
>
>  |298|t...@internet.quimefa.cu|MD5-Password   | := | password
>
> and the user will be accepted regardless of Calling-Station-Id.
>
>> [suffix] Looking up realm internet.quimefa.cu for User-Name =
>> t...@internet.quimefa.cu
>> [suffix] No such realm internet.quimefa.cu
>
> This is normal, and no problem.  You may define a realm using LOCAL
> authentication to avoid it, but it won't change anything except remove
> the debug message.
>
>> [sql] User t...@internet.quimefa.cu not found
>> ++[sql] returns notfound
>
> The sql module returns notfound if the check items don't match.  This is
> expected in this case as I explained:  Two different equality tests on a
> single attribute will never match.
>
>> But in the end because it connects the user's which is declared in the file
>> users. apparently
>> you have stated that locate the user in the database and also in this
>> file, you must define where you will store your users and then put the
>> phone number.
>
> The debug output showed that the user matched a DEFAULT entry in users.
> That's a perfectly normal configuration.
>
> In fact, there is no problem defining the same user in both users and
> sql (and possibly other modules as well).  The control and reply lists
> of the matching entries just add up, and the final result is then
> evaluated.
>
> But I agree that for simplicity it's probably best to define the
> specific user entries in one place.  And that's what Osmany has done.
> The DEFAULT entry is probably just adding something generic, which is
> common for all users.
>
> Bjørn



Thanks for the class, as we say in our country: Every day you learn 
something new.


There are no problems is to define a user, in fact he did on both sides, 
in the file users and database sql. I would do it in one place, so 
you do not go crazy when you add a user or update any information of it, 
for example the phone number where you will be connected.


Although the problem persists, the user can connect from any other phone 
number and may not be a problem of operator, but this by specifying the 
number in a single place, and not in the sql file users.


Assuming this well held on both sides and again I'm wrong, maybe in the 
section authorize I miss you to use the module checkval.


Even so if you could post your configuration, would be useful.

Don't you think?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
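
The operator behaviour Bjørn describes in the message above can be reproduced with a small model of check-item matching. This is an added illustration, not FreeRADIUS code and not from any poster: it models only whether a user entry matches during authorization (password verification is a separate step), the phone numbers and password value are constructed, and `=~` is the regular-expression operator that users(5) documents alongside `==` and `+=`.

```python
import re

# Operators that, per users(5), always match as check items: they set or add
# configuration items and compare nothing against the request.
ALWAYS_MATCH = {":=", "+=", "="}


def item_matches(op, value, request_value):
    """Evaluate one check item against the request's value for that attribute."""
    if op in ALWAYS_MATCH:
        return True
    if request_value is None:      # attribute absent: comparisons cannot match
        return False
    if op == "==":
        return request_value == value
    if op == "!=":
        return request_value != value
    if op == "=~":
        return re.search(value, request_value) is not None
    raise ValueError("operator not modelled: " + op)


def entry_matches(check_items, request):
    """A user entry is found only if every one of its check items matches."""
    return all(item_matches(op, value, request.get(attr))
               for attr, op, value in check_items)


def allowed_callers(check_items, callers):
    """Which Calling-Station-Id values would let the entry match."""
    return [c for c in callers
            if entry_matches(check_items,
                             {"User-Name": "test", "Calling-Station-Id": c})]


# Constructed radcheck-style rows: (attribute, op, value).
PW = ("MD5-Password", ":=", "constructed-placeholder")
ONE_EQ = [("Calling-Station-Id", "==", "70000001"), PW]
TWO_EQ = [("Calling-Station-Id", "==", "70000001"),
          ("Calling-Station-Id", "==", "70000002"), PW]
TWO_ADD = [("Calling-Station-Id", "+=", "70000001"),
           ("Calling-Station-Id", "+=", "70000002"), PW]
REGEX = [("Calling-Station-Id", "=~", "^(70000001|70000002)$"), PW]

CALLERS = ["70000001", "70000002", "79999999"]

if __name__ == "__main__":
    for name, rows in [("one ==", ONE_EQ), ("two ==", TWO_EQ),
                       ("two +=", TWO_ADD), ("one =~", REGEX)]:
        print(name.ljust(8), allowed_callers(rows, CALLERS))
```

Two `==` rows lock the account out entirely, two `+=` rows remove the restriction entirely, and the single anchored `=~` row is the only variant here that admits exactly the two intended numbers.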

Re: Calling-Station-Id

2010-01-06 Thread Michel Bulgado

osm...@oc.quimefa.cu wrote:

On Tue, 05 Jan 2010 20:05:07 -0500, mic...@casa.co.cu wrote:
  

Osmany osm...@oc.quimefa.cu escribió:



Hi,

I have Freeradius configured using a mysql backend. I want users to be
able to connect only if their Calling-Station-Id is the same as the
attribute I specify in the radcheck table in mysql. For example:

|312|t...@domain.com|Calling-Station-Id | == | phonenumber
|298|t...@domain.com|MD5-Password   | := | password

supposedly, I want to allow user test to only connect from this
phonenumber, but when I really test the account I find that user test
can connect from any phone number. So I really don't know what to do, I
already tried to use different combinations of operators. Can anyone
help me?

in the radreply table I have this:

|111|t...@domain.com|Auth-Type|:=|Accept|

thanks in advance.


-
  
Try using the += operator and the phone number; if the number of the user is  
8724466, put 7 at the beginning, for example: 78724466.


You can put radius in debug mode to check why access is rejected.



I tried with the above configuration by putting the number 7 in front of
the phone number and indeed the user test can only connect with that phone
number. I guess that the NAS forwards the phone number including area code.
Since that is working, now I want to add another phone number (another
Calling-Station-Id) to the user test, so that the user can connect from
only one phone number or the other. I tried using the += operator and the
user can connect from any phone number. So my configuration works only if
the user has only one Calling-Station-Id attribute, but I wanted to work
with two Calling-Station-Id attributes also.

Hello Osmany

If you would like this test user to connect from another phone number, 
simply add another entry in the same table, just as you did before.


Obviously, your NAS forwards to freeradius the phone number from which it 
is trying to connect.


He told me that the user can connect from any phone number?

Could you post your radius configuration?

The AAA section

Greetings

Michel


Re: Calling-Station-Id

2010-01-06 Thread Michel Bulgado

Osmany wrote:



I tried with the above configuration by putting the number 7 in front of
the phone number and indeed the user test can only connect with that phone
number. I guess that the NAS forwards the phone number including area code.
Since that is working, now I want to add another phone number (another
Calling-Station-Id) to the user test, so that the user can connect from
only one phone number or the other. I tried using the += operator and the
user can connect from any phone number. So my configuration works only if
the user has only one Calling-Station-Id attribute, but I wanted to work
with two Calling-Station-Id attributes also.
  

Hello Osmany

If you would like this test user to connect from another phone number, 
simply add another entry in the same table, just as you did before.





Add another entry with the Calling-Station-Id attribute? Let's see if I
understand. After I add the other entry in the table it would look like
this:

|312|t...@domain.com|Calling-Station-Id | == | phonenumber
|298|t...@domain.com|MD5-Password   | := | password
|313|t...@domain.com|Calling-Station-Id | += | phonenumber

Let me just clarify that I tried this before and when I try to connect with this user, 
freeradius does not let me. When I run freeradius in debug mode I find this in the logs:



rad_recv: Access-Request packet from host 192.168.25.50 port 17968, id=104, 
length=148
User-Name = t...@internet.quimefa.cu
User-Password = test
NAS-IP-Address = 192.168.25.50
NAS-Port = 452
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = 60110
Calling-Station-Id = 72061490
NAS-Identifier = Aguila
NAS-Port-Type = Async
Connect-Info = 48000/31200 V90/V42bis/LAPM
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm internet.quimefa.cu for User-Name = 
t...@internet.quimefa.cu
[suffix] No such realm internet.quimefa.cu
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
expand: %{User-Name} - t...@internet.quimefa.cu
[sql] sql_set_user escaped user -- 't...@internet.quimefa.cu'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op   FROM radcheck  
 WHERE username = '%{SQL-User-Name}'   ORDER BY id - SELECT 
id, username, attribute, value, op   FROM radcheck   WHERE 
username = 't...@internet.quimefa.cu'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT groupname   
FROM radusergroup   WHERE username = 't...@internet.quimefa.cu'
   ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User t...@internet.quimefa.cu not found
++[sql] returns notfound

  

Try this way, remember the operator.

|312|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
|298|t...@internet.quimefa.cu|MD5-Password   | := | password
|313|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490


However check that you return the error debugging.


[suffix] Looking up realm internet.quimefa.cu for User-Name = 
t...@internet.quimefa.cu
[suffix] No such realm internet.quimefa.cu


[sql] User t...@internet.quimefa.cu not found
++[sql] returns notfound


For this reason, it is the user and should not assume that you connect it.

But in the end because it connects the user's which is declared in the file 
users. apparently
you have stated that locate the user in the database and also in this
file, you must define where you will store your users and then put the
phone number.

Once again check the AAA section, where you define how it will look freeradius 
user.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
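
The operator behaviour at issue in this thread, as an added Python model that is not part of the original posts and is not FreeRADIUS code. It assumes the 2.x check-item rules, where `:=` and `+=` rows assign a value and are never compared with the request, and every comparison row must pass; the function names and the caller number 70000000 are constructed for illustration.

```python
import re

# Operators that set a server-side config item. They are never compared with
# the request, so a radcheck row using one of them always "matches".
ASSIGNMENT_OPS = {":=", "+="}

# Operators that compare the row's value with the attribute in the request.
COMPARISON_OPS = {
    "==": lambda got, want: got == want,
    "!=": lambda got, want: got != want,
    "=~": lambda got, want: re.search(want, got) is not None,
    "!~": lambda got, want: re.search(want, got) is None,
}


def check_items_match(request, check_items):
    """Return True when every comparison row accepts the request.

    request     -- dict of attributes taken from the Access-Request
    check_items -- list of (attribute, op, value) rows for one user,
                   in the order the radcheck query returns them
    """
    for attribute, op, value in check_items:
        if op in ASSIGNMENT_OPS:
            continue  # an assignment, not a test
        if op not in COMPARISON_OPS:
            raise ValueError(f"operator {op!r} is not modelled here")
        got = request.get(attribute)
        if got is None:
            return False  # attribute absent from the request: no match
        if not COMPARISON_OPS[op](got, value):
            return False  # comparison rows are ANDed together
    return True


def allowed_callers(check_items, callers):
    """Return the caller numbers that the rows would let through."""
    return [
        number
        for number in callers
        if check_items_match({"Calling-Station-Id": number}, check_items)
    ]


# Constructed sample data. 72061490 and 78724466 are the numbers quoted in the
# thread; 70000000 stands for any other line.
CALLERS = ["72061490", "78724466", "70000000"]
PASSWORD_ROW = ("MD5-Password", ":=", "password")

POLICIES = {
    # One comparison row: only that number gets in.
    "single ==": [("Calling-Station-Id", "==", "72061490"), PASSWORD_ROW],
    # '+=' assigns instead of comparing: every number gets in.
    "single +=": [("Calling-Station-Id", "+=", "72061490"), PASSWORD_ROW],
    # Two '==' rows must both hold for one request value: nobody gets in.
    "two == rows": [
        ("Calling-Station-Id", "==", "72061490"),
        ("Calling-Station-Id", "==", "78724466"),
        PASSWORD_ROW,
    ],
    # The '+=' row is skipped, so the second number is not admitted.
    "== then +=": [
        ("Calling-Station-Id", "==", "72061490"),
        ("Calling-Station-Id", "+=", "78724466"),
        PASSWORD_ROW,
    ],
    # One regular-expression row expresses "either number".
    "one =~ row": [
        ("Calling-Station-Id", "=~", "^(72061490|78724466)$"),
        PASSWORD_ROW,
    ],
}

if __name__ == "__main__":
    for name, rows in POLICIES.items():
        print(f"{name:12} -> {allowed_callers(rows, CALLERS)}")
```

In this model only the single `=~` row admits both listed numbers and nothing else, which is the "one phone number or the other" rule asked for in the thread.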


Re: Calling-Station-Id

2010-01-05 Thread michel

Osmany osm...@oc.quimefa.cu wrote:


Hi,

I have Freeradius configured using a mysql backend. I want users to be
able to connect only if their Calling-Station-Id is the same as the
attribute I specify in the radcheck table in mysql. For example:

|312|t...@internet.quimefa.cu|Calling-Station-Id | == | phonenumber
|298|t...@internet.quimefa.cu|MD5-Password   | := | password

supposedly, I want to allow user test to only connect from this
phonenumber, but when I really test the account I find that user test
can connect from any phone number. So I really don't know what to do, I
already tried to use different combinations of operators. Can anyone
help me?

in the radreply table I have this:

|111|t...@internet.quimefa.cu|Auth-Type|:=|Accept|

thanks in advance.


-


Try using the += operator and the phone number; if the number of the user is  
8724466, put 7 at the beginning, for example: 78724466.


You can put radius in debug mode to check why access is rejected.

Greetings

Michel
--
Webmail, electronic mail service
Casa de las Americas - La Habana, Cuba.




Re: Clean script session in raddact

2009-11-04 Thread Michel Bulgado
On Wed, 2009-11-04 at 10:40 +, Ivan Kalik wrote:
  Need to know if there's a script that allows users to clean their
  session has been connected by a long period in the table raddact.
 
 DELETE FROM radacct WHERE AcctStartTime whatever
 
 Why would you allow users to do anything with their accounting records?
 
 Ivan Kalik
 Kalik Informatika ISP

Hello Ivan 

I solved the problem, thanks, but now another problem has presented itself:
I want to add another server as secondary freeradius if the first fails
or becomes available to any problems. 

Both servers are running well, but I would keep the same records in both
databases, for when a user is authenticated on my primary server will
add the same record in both database. and the same goes for when
authenticating against the secondary server. 

But what happens when the first server is not available on the network and
such records cannot be stored in the database? 

Is there a way to replicate them when it becomes available, or is this
entry lost? 

Is there any way to do this?

Thanks 
Michel



Clean script session in raddact

2009-11-03 Thread michel


Hi list

Need to know if there's a script that allows users to clean their  
session has been connected by a long period in the table raddact.



Thanks

Michel




Store session on mysql

2009-10-02 Thread michel

Hello

I currently work with the version 2.1.6 without any problem, session  
of my users are stored in the file radutmp.


I would store them at the same time in mysql, is this possible?

Is there any page where this is documented?

I want to make a script for my squid server then checks against mysql  
search if the user is connected, compare against a file if it exists  
in that list, take the IP address that you assign and freeradius in  
the squid allows internet access.


Suggestions?

Greetings
Michel
--
Webmail, electronic mail service
Casa de las Americas - La Habana, Cuba.




Re: Store session on mysql

2009-10-02 Thread Michel Bulgado
On Thu, 2009-10-01 at 13:22 +0100, Ivan Kalik wrote:
  I currently work with the version 2.1.6 without any problem, session
  of my users are stored in the file radutmp.
 
  I would store them at the same time in mysql, is this possible?
 
 Yes. Configure sql.conf and uncomment sql entries in radiusd.conf and
 accounting section of virtual server you are using (probably default).
 
  Is there any page where this is documented?
 
 Try SQL HOWTO on the wiki.
 
  I want to make a script for my squid server then checks against mysql
  search if the user is connected, compare against a file if it exists
  in that list, take the IP address that you assign and freeradius in
  the squid allows internet access.
 
  Suggestions?
 
 Use (ready-made) captive portal instead.
 
 Ivan Kalik
 Kalik Informatika ISP
 


Hello Ivan 

I set the parameters sql.conf database mysql In this case, I am
currently doing the accounting on it. 

In radiusd.conf I uncommented $INCLUDE sql.conf 

and the accounting section in my virtual server is: 

- radutmp and sql 

only need to add in the section session? 

In which table stores the session when the user connects? 

to set my script to check my squid server from which the user is
connected and take the IP address that I assign my nas? 

the stored user name and IP address assigned by the NAS in the database?




Store session on mysql

2009-10-01 Thread michel


Hello

I currently work with the version 2.1.6 without any problem, session  
of my users are stored in the file radutmp.


I would store them at the same time in mysql, is this possible?

Is there any page where this is documented?

I want to make a script for my squid server then checks against mysql  
search if the user is connected, compare against a file if it exists  
in that list, take the IP address that you assign and freeradius in  
the squid allows internet access.


Suggestions?

Greetings
Michel
--
Webmail, electronic mail service
Casa de las Americas - La Habana, Cuba.




two ldap servers in my config

2009-08-18 Thread michel

Hello

Using freeradius 2.1.6, my users are authenticated against the Active  
Directory. I have a primary and a secondary controller on the network.


I wonder if I could specify two ldap servers in the configuration,  
so that when one does not respond for technical reasons the queries are then  
made to my second controller.


This is my authenticate section:

authenticate {
    Auth-Type LDAP {
        ldap
    }
}


Thanks

Michel

--
Webmail, electronic mail service
Casa de las Americas - La Habana, Cuba.



Re: Migrate users file to mysql?

2009-06-14 Thread michel

Hi Ivan

The only difference between a NAS1 and NAS2 is because the first NAS1  
have installed a module that allows digital modems set the user's  
account to a phone number, while the NAS2 has a module with analog  
modems that do not allow this.


Equally be used both for serving Dialin.

I removed the setting Auth-Type from the beginning.

Now, if you look though the difference for this user when you connect  
both NAS, they assigned different IP that are not in the same block.  
besides that one checks the telephone number from which you are  
connected, the other by the type of technology.


My question is how could accommodate all on one line, I mean to avoid  
having to repeat the same user twice with different parameters?


I think the state is more flexible configuration of my users in the  
users file for this type of scheme, I can not even see it in a mysql  
database. could show if possible, an example would be like mysql?


--
Webmail, electronic mail service
Casa de las Americas - La Habana, Cuba.




Migrate users file to mysql?

2009-06-13 Thread michel

Hello


As you will see I'm still a beginner in freeradius

I recently upgraded my version of freeradius to the latest version, V2.1.6;
my users, or rather their parameters, are declared in the users file.
They authenticate against an LDAP.

I have several two NAS, NAS1 a module with an analog modems and NAS2  
digital modems to connect where Dialin using the service.


My question is:

1 - How can I migrate my users from the users file into mysql?

2 - I have users connecting to both Access Servers, but when they  
connect to NAS1, my radius server
assigns different parameters than when they connect to NAS2, which gets other  
parameters or conditions, Framed-IP-Address

etc...

Currently I have declared the same user with different parameters and  
conditions.


NAS1= 192.168.25.20

NAS2= 192.168.25.30


frank  Auth-Type := LDAP, NAS-IP-Address == 192.168.25.20, Calling-Station-Id == 76415044, Simultaneous-Use := 1
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.28.110,
        Framed-IP-Netmask = 255.255.255.0,
        Idle-Timeout = 0

frank  Auth-Type := LDAP, NAS-IP-Address == 192.168.25.30, Simultaneous-Use := 1
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.29.110,
        Framed-IP-Netmask = 255.255.255.0,
        Idle-Timeout = 0



As would be declared to migrate to mysql?

I have to repeat them twice as I have done here?

Thank you


--
Webmail, electronic mail service
Casa de las Americas - La Habana, Cuba.




Re: Lower case - Solved

2009-06-10 Thread Michel Bulgado
On Tue, 2009-06-09 at 16:09 -0700, Chris wrote:
 On Jun 9, 2009, at 3:52 PM, Ivan Kalik wrote:
 
  I migrated my freeradius version 1.1.3-1.4.el5 that came with CentOS
  5.3  to version 2.1.6-2.
 
  I am looking for an option that I had in my previous configuration and
  does not find it on this new, maybe it is removed. the fact is that many
  of my users sometimes tend to write the username with the first letter
  in upper or minuscule.
 
  That works just for pap requests. Use lc perl function to rewrite
  username/pass in perl module.
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
 
 Here's what I'm using:
 
 perl_tolower.pm:
 
 
 use strict;
 use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
 #
 # This is the remapping of return values
 #
 use constant RLM_MODULE_REJECT   => 0;  # immediately reject the request
 use constant RLM_MODULE_FAIL     => 1;  # module failed, don't reply
 use constant RLM_MODULE_OK       => 2;  # the module is OK, continue
 use constant RLM_MODULE_HANDLED  => 3;  # the module handled the request, so stop
 use constant RLM_MODULE_INVALID  => 4;  # the module considers the request invalid
 use constant RLM_MODULE_USERLOCK => 5;  # reject the request (user is locked out)
 use constant RLM_MODULE_NOTFOUND => 6;  # user not found
 use constant RLM_MODULE_NOOP     => 7;  # module succeeded without doing anything
 use constant RLM_MODULE_UPDATED  => 8;  # OK (pairs modified)
 use constant RLM_MODULE_NUMCODES => 9;  # how many return codes there are
 
 sub authorize {
   $RAD_REQUEST{'User-Name'} = lc($RAD_REQUEST{'User-Name'});
   return RLM_MODULE_OK;
 }
 
 sub preacct {
   $RAD_REQUEST{'User-Name'} = lc($RAD_REQUEST{'User-Name'});
   return RLM_MODULE_OK;
 }
 
 sub xlat {
   return RLM_MODULE_OK;
 }
 
 radiusd.conf:
 
 modules {
  perl {
  module = /usr/local/etc/raddb/perl/perl_tolower.pm
  }
 ...
 }
 
 Enable perl modules in authorize and preacct.  I think order matters  
 here, so you probably want them near the top...
 
 sites-enabled/default:
 
 authorize {
   perl
 }
 
 preacct {
   perl
 }


Thanks Chris 

I solved the problem with users who write their login in uppercase and
lower case

Michel





Lower case

2009-06-09 Thread Michel Bulgado

Hello everyone 

I migrated my freeradius version 1.1.3-1.4.el5 that came with CentOS
5.3  to version 2.1.6-2. 

I am looking for an option that I had in my previous configuration and
do not find in this new one; maybe it was removed. The fact is that many
of my users sometimes tend to write the username with the first letter
in upper or minuscule. 

If someone could guide me on how I can fix this.

lower_user = after
lower_pass = no


Thanks

Michel



Authentication

2009-06-05 Thread michel


Hi, I am a newcomer to freeradius. The version I use is 1.1.3 release  
1.4.el5, which comes in the centos repository. My users are in the  
windows directory, and I would like to authenticate users as follows:  
mic...@casa.co.cu.


Excuse my English, it is very poor; I appreciate any help.

Thanks

Michel

--
Webmail, electronic mail service
Casa de las Americas - La Habana, Cuba.



Simple authentication by users file.

2009-03-26 Thread Michel GAUDET
Hello Everybody !

Sorry for my english : the french people are known to be bad in other languages
than french !

To make my (new) experience with freeRADIUS I try to authenticate with simple
User-name and password in the users file.
Sorry for the long post but I want to give all that is necessary to understand.

My conf is following (some big extract) :

modules {
    pap {
        auto_header = no
    }
    chap {
        authtype = CHAP
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    pam {
        pam_auth = radiusd
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always noop {
        rcode = noop
    }
    always handled {
        rcode = handled
    }
    always updated {
        rcode = updated
    }
    always notfound {
        rcode = notfound
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
}
server ensmp {
    authorize {
        files
    }
    authenticate {
        # I don't know what is mandatory here
    }
}

Client.conf file :

client 1.2.3.4 {
secret  = 
shortname = Linux
nastype   = other
}

users file  :

myself  Auth-Type := Accept,User-Password == YY


And I try to access with a radius client (radexample) :

Linux# radexample
login: myself
Password:
myself RADIUS Authentication failure (RC=2)

My server is launched in debug mode ( /usr/sbin/freeradius -Xxx) without errors

at the moment of my try :

Thu Mar 26 18:13:01 2009 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 1.2.3.4 port 48655, id=88, length=65
User-Name = myself
User-Password = YY
Service-Type = Authenticate-Only
NAS-Port = 0
NAS-IP-Address = 10.3.5.136
Thu Mar 26 18:13:18 2009 : Debug: auth: No authenticate method (Auth-Type)
configuration found for the request: Rejectig the user
Thu Mar 26 18:13:18 2009 : Debug: auth: Failed to validate the user.
Thu Mar 26 18:13:18 2009 : Auth: Login incorrect: [mgaudet/ifqj1cf5] (from
client turing port 0)
Thu Mar 26 18:13:18 2009 : Debug: Delaying reject of request 0 for 1 seconds
Thu Mar 26 18:13:18 2009 : Debug: Going to the next request
Thu Mar 26 18:13:18 2009 : Debug: Waking up in 0.9 seconds.
Thu Mar 26 18:13:19 2009 : Debug: Sending delayed reject for request 0
Sending Access-Reject of id 88 to 10.3.5.136 port 48655
Thu Mar 26 18:13:19 2009 : Debug: Waking up in 4.9 seconds.
Thu Mar 26 18:13:24 2009 : Debug: Cleaning up request 0 ID 88 with timestamp +17


The request has been received and acknowledged but rejected because of the missing
Auth-Type.

I don't understand WHAT AND WHERE to put Auth-Type elsewhere in my conf.

Some ideas ?

Thanks in advance.

Regards.

Michel.


-- 
Michel GAUDET
Centre de Calcul et des Systèmes d'Information
Ecole Nationale Supérieure des Mines de Paris
60-62, Boulevard Saint Michel
75272 PARIS cedex 06 FRANCE
Tel  : 01.40.51.92.03  Fax : 01.40.51.93 01
mail : michel.gau...@mines-paristech.fr


Re: rlm_perl and RLM_MODULE_REJECT

2008-01-26 Thread Jean-Michel Caricand
On Friday 25 January 2008 17:01, Alan DeKok wrote:
 Jean-Michel Caricand wrote:
  Well. I made a lot of tests without success. I'm not yet able to REJECT a 
  request in a post_proxy function, but that works fine in a authorize 
  function. 
  
  Does someone have ideas ?
 
   In 2.0, it looks like this isn't dealt with in src/main/event.c around
 line 1075.  It's probably useful to add...
 
   Alan DeKok.
 

Hi,

I use freeradius-1.1.3 (Debian Etch package). I applied this patch to radiusd.c 
to solve my problem. That works. My question: does my patch seem good or not?

*** freeradius-1.1.3/src/main/radiusd.c Tue May 16 18:26:07 2006
--- /root/FREERADIUS/freeradius-1.1.3/src/main/radiusd.cSat Jan 26 
11:04:06 2008
***
*** 1585,1590 
--- 1585,1595 
int rcode;
rcode = proxy_receive(request);
switch (rcode) {
+   case RLM_MODULE_REJECT:
+   DEBUG2(Request %d rejected in proxy_receive., 
request-number);
+   request_reject(request);
+   goto finished_request;
+   break;
  default:  /* Don't Do Anything */
break;
  case RLM_MODULE_FAIL:
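
Review bot: the `break;` after `goto finished_request;` in the added `case RLM_MODULE_REJECT:` arm can never execute and should be dropped. As pasted, the `DEBUG2(...)` call has no quotes around its format string and reads `request-number` rather than `request->number`, and the `---` header line is wrapped, so the patch will not apply or compile from this mail; sending it as an attachment avoids that. A short comment on the new arm saying that a reject returned by `proxy_receive()` now leads to `request_reject()` would also help, since the neighbouring `default:` arm is documented only as `/* Don't Do Anything */`.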

Cheers.



rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Jean-Michel Caricand
Hi,

I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function 
(post_proxy) I return RLM_MODULE_REJECT I can see this in log :

  modcall[post-proxy]: module perl1 returns reject for request 1

... but my request is still accepted : Access-Accept not Access-Reject !

How to do that ?

Thank.

-- 
Jean-Michel Caricand
Tel: 03.81.66.20.63
E-mail: [EMAIL PROTECTED]

Systems team
Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray - 25030 BESANÇON CEDEX



Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Jean-Michel Caricand
 doesn't make sense to use RLM_MODULE_REJECT in post_proxy. May be you
 need pre_proxy ?

  From radius.conf file

 #
 #  When the server decides to proxy a request to a home server,
 #  the proxied request is first passed through the pre-proxy
 #  stage.  This stage can re-write the request, or decide to
 #  cancel the proxy.
 #
 #  Only a few modules currently have this method.
 #


 Best Regards,
 Boian Jordanov
 SNE
 Orbitel - Next Generation Telecom
 tel. +359 2 4004 723
 tel. +359 2 4004 002




 On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:

 I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function
 (post_proxy) I return RLM_MODULE_REJECT I can see this in log :



But I must check some attributes defined by my home server. I can't check
them in pre_proxy because they are not set. No ?

I want to reject the access if, for example, the Framed-IP-Address is not in
a valid range.

Thank.



Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Jean-Michel Caricand
On Friday 25 January 2008 12:55, Boian Jordanov wrote:
 Try with RLM_MODULE_FAIL in post_proxy


 Best Regards,
 Boian Jordanov
 SNE
 Orbitel - Next Generation Telecom
 tel. +359 2 4004 723
 tel. +359 2 4004 002

 On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote:
  doesn't make sense to use RLM_MODULE_REJECT in post_proxy. May be you
  need pre_proxy ?
 
   From radius.conf file
 
  #
  #  When the server decides to proxy a request to a home server,
  #  the proxied request is first passed through the pre-proxy
  #  stage.  This stage can re-write the request, or decide to
  #  cancel the proxy.
  #
  #  Only a few modules currently have this method.
  #
 
 
  Best Regards,
  Boian Jordanov
  SNE
  Orbitel - Next Generation Telecom
  tel. +359 2 4004 723
  tel. +359 2 4004 002
 
  On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:
  I have a question on rlm_perl and RLM_MODULE_REJECT. If in a
  function
  (post_proxy) I return RLM_MODULE_REJECT I can see this in log :
 
 
  But I must check some attributes defined by my home server. I can't
  check
  them in pre_proxy because they are not set. No ?
 
  I want to reject the access if by example the Framed-IP-Address is
  not in
  a valid range.
 
  Thank.
 


With RLM_MODULE_FAIL, I get these messages:

modcall[post-proxy]: module perl1 returns fail for request 0
modcall: leaving group post-proxy (returns fail) for request 0
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:42610, id=123, length=71
Discarding duplicate request from client localhost:42610 - ID: 123 due to 
unfinished request 0
--- Walking the entire request list ---
Waking up in 28 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:42610, id=123, length=71
Discarding duplicate request from client localhost:42610 - ID: 123 due to 
unfinished request 0
--- Walking the entire request list ---
Waking up in 25 seconds...


-- 
Jean-Michel Caricand
Tel: 03.81.66.20.63
E-mail: [EMAIL PROTECTED]

Systems team
Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray - 25030 BESANÇON CEDEX



Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Jean-Michel Caricand
On Friday 25 January 2008 12:55, Boian Jordanov wrote:
 Try with RLM_MODULE_FAIL in post_proxy


 Best Regards,
 Boian Jordanov
 SNE
 Orbitel - Next Generation Telecom
 tel. +359 2 4004 723
 tel. +359 2 4004 002

 On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote:
  doesn't make sense to use RLM_MODULE_REJECT in post_proxy. May be you
  need pre_proxy ?
 
   From radius.conf file
 
  #
  #  When the server decides to proxy a request to a home server,
  #  the proxied request is first passed through the pre-proxy
  #  stage.  This stage can re-write the request, or decide to
  #  cancel the proxy.
  #
  #  Only a few modules currently have this method.
  #
 
 
  Best Regards,
  Boian Jordanov
  SNE
  Orbitel - Next Generation Telecom
  tel. +359 2 4004 723
  tel. +359 2 4004 002
 
  On Jan 25, 2008, at 11:52 AM, Jean-Michel Caricand wrote:
  I have a question on rlm_perl and RLM_MODULE_REJECT. If in a
  function
  (post_proxy) I return RLM_MODULE_REJECT I can see this in log :
 
 
  But I must check some attributes defined by my home server. I can't
  check
  them in pre_proxy because they are not set. No ?
 
  I want to reject the access if by example the Framed-IP-Address is
  not in
  a valid range.
 
  Thank.
 


Well. I made a lot of tests without success. I'm not yet able to REJECT a 
request in a post_proxy function, but that works fine in an authorize 
function. 

Does someone have ideas ?

 

-- 
Jean-Michel Caricand
Tel: 03.81.66.20.63
E-mail: [EMAIL PROTECTED]

Systems team
Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray - 25030 BESANÇON CEDEX



Ascend-Send-Secret problem

2006-08-21 Thread Jean-Michel Foucher

Hello,

I'm new to freeradius and I tried to install it so that I could use 
cdrtool, openser and freeradius together to make a Call Data Recorder.


Unfortunately, I haven't been able to make it work even once because of 
this error:


ERROR: Ascend-Send-Secret attribute in request: Cannot decrypt it.


Here's an output example with freeradius -xxyz -l stdout :


rad_recv: Accounting-Request packet from host 127.0.0.1:42631, id=142, length=428
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
Acct-Status-Type = Failed
Service-Type = IAPP-Register
Attr-102 = 0x01e6
Error-Cause = 1
User-Name = [EMAIL PROTECTED]
Calling-Station-Id = sip:[EMAIL PROTECTED]
Called-Station-Id = sip:[EMAIL PROTECTED]
Attr-107 = 0x7369703a6a616d403139322e3136382e37302e37303a35303630
Acct-Session-Id = [EMAIL PROTECTED]
Attr-104 = 0x3832393436343731393436323038303033
Attr-105 = 0x3832393436313631333537333735373638
Attr-103 = 0x31
X-Ascend-Third-Prompt = n/a
ERROR: Ascend-Send-Secret attribute in request: Cannot decrypt it.
Server rejecting request 0.
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Accounting-Request packet from host 127.0.0.1:42631, id=142, length=428
Discarding duplicate request from client localhost:42631 - ID: 142


Best regards,

--
Jean-Michel Foucher
OpenWengo, the free and multiplatform VoIP client
http://dev.openwengo.com/




Freeradius and Hardware Tokens

2005-10-26 Thread michel APPLAINCOURT

Hi all,

I am currently looking for a replacement solution for centralized 
authentication for one customer.

They want openness and standards.

Freeradius seems a very good solution, but they also want a solution 
that permits use of hardware tokens.


I saw that FreeRadius supports X9.9, so I have a simple question:

Which are the hardware tokens that can be used surely with FreeRadius 
(fully supported)?


I saw that cryptocards are fully supported, but references are often 
dated of 2002.

Today, are cryptocards still usable?
If yes what is possible and what is not. For example how can we manage 
tokens, is there an open source tool?

How can we reset a blocked token (too many pin errors)?
Do we need an initializer? But then do we also need a cryptocard server? And 
if yes, how many licenses do we need and what is the advantage of using 
freeradius with it?



Are there other tokens than cryptocards fully or well supported?

I am actually blocked by these questions and can't find any answers, 
even in the mailing list.


Thanks for a quick response, as I have to give an answer to my customer in
2 days (sic).


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Michel  APPLAINCOURT | E-mail : [EMAIL PROTECTED]
   Managing Director  | Phone  : +32 65 321573 ext 6001
 IT-OPTICS s.a| Fax: +32 65 321574

  [The boy that you love is the man that you fear]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=





sql.conf (update query)

2005-08-09 Thread Michel Bélanger

Hi,
I am trying to add an additional query to the update query in sql.conf. Is
it possible to do this?


Here is what I have tested:

accounting_update_query = UPDATE ${acct_table1} \
SET FramedIPAddress = '%{Framed-IP-Address}', \
AcctSessionTime = '%{Acct-Session-Time}', \
AcctInputOctets = '%{Acct-Input-Octets}', \
AcctOutputOctets = '%{Acct-Output-Octets}' \
WHERE AcctSessionId = '%{Acct-Session-Id}' \
AND UserName = '%{SQL-User-Name}' \
AND NASIPAddress= '%{NAS-IP-Address}'; INSERT into radtempo (AcctInputOctets, AcctOutputOctets, AcctSessionId) values('%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Acct-Session-Id}')

rlm_sql_mysql: MYSQL check_error: 1064 received
rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an 
error in your SQL syntax; check the manual that corresponds to your 
MySQL server version for the right syntax to use near '; INSERT into 
radtempo (AcctInputOctets, AcctOutputOctets, AcctSessionId) values' at 
line 1

--


Michel Bélanger




AcctOutputOctets AcctIntputOctets limit

2005-08-05 Thread Michel Bélanger

Hi,

I installed a freeradius for PPPoE users and I have problems with
AcctOutputOctets and AcctInputOctets, which are limited to 2 GB. Several of
my users download 75 GB and more per month. Is this limit normal?
Do all ISPs have this problem? How can I bypass this limit?


-Michel






re:Re: huntgroups/groups with sql

2005-08-03 Thread Michel Jansens
Thanks,

Michel Jansens 
 
Michel Jansens [EMAIL PROTECTED] wrote:
 Tried to add 'Fall-Through = Yes' to all 'radgroupcheck' entries, but it
 didn't work.

  It works in the CVS head, and will be in 1.1.x and following versions.

  Alan DeKok.


huntgroups/groups with sql

2005-07-28 Thread Michel Jansens
Hi,

I want to use FR to control the access to different resources (radius clients).
I've put my users in 'radcheck', defined groups in 'radgroupcheck' according to
Client-IP-Address and put the users in their groups in 'usergroup'.
Some users are in more than one group, but they can only access the first
matching group defined in 'radgroupcheck'.
Tried to add 'Fall-Through = Yes' to all 'radgroupcheck' entries, but it
didn't work.

Now I've found a workaround:

I added a column  'groupIPaddr' varchar(15)  in 'radgroupcheck'. I put there 
the Client-IP-Address 

and changed the query in sql.conf to:

authorize_group_check_query = SELECT  
${groupcheck_table}.id,${groupcheck_table}.GroupName,
${groupcheck_table}.Attribute,${groupcheck_table}.Value,
${groupcheck_table}.op  
  FROM ${groupcheck_table},${usergroup_table} 
  WHERE ${groupcheck_table}.groupIPaddr ='%{Client-IP-Address}' AND  
${usergroup_table}.Username = '%{SQL-User-Name}' AND 
${usergroup_table}.GroupName = ${groupcheck_table}.GroupName 
  ORDER BY ${groupcheck_table}.id

Now my users have access to all their authorized NASes, whatever the order in
which the groups are defined.

Was there an easier/more standard way of doing this?


Michel
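
The workaround query from the post above, run against a small in-memory database, as an added example that is not part of the original post. The table and column names follow the post; the rows, user names and NAS addresses are constructed, and bound parameters stand in for the server's `%{Client-IP-Address}` and `%{SQL-User-Name}` expansions.

```python
import sqlite3

# Group-check query from the post, with the added groupIPaddr filter.
WORKAROUND_QUERY = """
SELECT g.id, g.GroupName, g.Attribute, g.Value, g.op
  FROM radgroupcheck g, usergroup u
 WHERE g.groupIPaddr = :client_ip
   AND u.UserName = :user
   AND u.GroupName = g.GroupName
 ORDER BY g.id
"""

# The same query without the groupIPaddr filter, for comparison.
UNFILTERED_QUERY = """
SELECT g.id, g.GroupName, g.Attribute, g.Value, g.op
  FROM radgroupcheck g, usergroup u
 WHERE u.UserName = :user
   AND u.GroupName = g.GroupName
 ORDER BY g.id
"""


def build_db():
    """Create the two tables and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radgroupcheck (
            id INTEGER PRIMARY KEY,
            GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT,
            groupIPaddr VARCHAR(15)      -- column added in the post
        );
        CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
    """)
    conn.executemany(
        "INSERT INTO radgroupcheck "
        "(GroupName, Attribute, op, Value, groupIPaddr) VALUES (?,?,?,?,?)",
        [
            # One group per NAS; addresses are documentation-range samples.
            ("vpn", "Client-IP-Address", "==", "192.0.2.10", "192.0.2.10"),
            ("wifi", "Client-IP-Address", "==", "192.0.2.20", "192.0.2.20"),
        ],
    )
    conn.executemany(
        "INSERT INTO usergroup VALUES (?, ?)",
        [("alice", "vpn"), ("alice", "wifi"), ("bob", "wifi")],
    )
    return conn


def groups_unfiltered(conn, user):
    """Groups whose check rows come back, in id order, without the filter."""
    rows = conn.execute(UNFILTERED_QUERY, {"user": user}).fetchall()
    return [row[1] for row in rows]


def groups_for_nas(conn, user, client_ip):
    """Groups whose check rows come back for one user on one NAS."""
    params = {"user": user, "client_ip": client_ip}
    rows = conn.execute(WORKAROUND_QUERY, params).fetchall()
    return [row[1] for row in rows]


if __name__ == "__main__":
    db = build_db()
    # Without the filter the first group by id always leads the result.
    print("alice, unfiltered:", groups_unfiltered(db, "alice"))
    # With the filter only the group bound to the requesting NAS is returned.
    print("alice via 192.0.2.20:", groups_for_nas(db, "alice", "192.0.2.20"))
    # A user with no group on that NAS gets no check rows at all.
    print("bob via 192.0.2.10:", groups_for_nas(db, "bob", "192.0.2.10"))
```

With the filter, group order no longer matters, and a user who belongs to no group bound to the requesting NAS gets an empty result rather than another NAS's group.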
 



Logging question

2005-07-15 Thread Michel Bélanger




I have recently installed Freeradius 1.0.4 on
FreeBSD 5.4 and I have a question about the logging method. I need to
log ALL the output in MySQL, but freeradius seems to log only some
items. Is it possible to log all the details?

PS: Sorry for my bad English.

-Michel

Example of the details which I need to log:

User-Name = "x"
Acct-Status-Type = Alive
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port-Id = "1469"
NAS-Port-Type = Async
Called-Station-Id = "0.18135:18.135#184550775#CCT
05MGAJ100301-647BLCA-000#speed:nrt-VBR:8000,8000,1#pppoe 00:0/"
Calling-Station-Id = "atm 9"
Acct-Status-Type = 0
Acct-Authentic = RADIUS
Acct-Session-Id = "0001B09E"
Framed-Protocol = PPP
Tunnel-Server-Endpoint:0 = "xx.xx.xx.xx"
Tunnel-Type:0 = L2TP
Framed-IP-Address = xx.xx.xx.xx
Acct-Input-Octets = 11654536
Acct-Output-Octets = 8767555
Acct-Input-Packets = 30
Acct-Output-Packets = 99184
Acct-Session-Time = 367068
Acct-Delay-Time = 0
Service-Type = Framed-User
Client-IP-Address = xx.xx.xx.xx
Acct-Unique-Session-Id = "6ee4bbf067e6b27a"





Re: Redundant mysql authorize not working

2005-02-11 Thread Michel van Dop
Okay, for me this is a 99% solution.
I now use the value 1.

Thanks again, I am very happy now...

Michel

   It isn't a solution but an ugly hack :)
 
 On Thu, 2005-02-10 at 20:44 +0100, Michel van Dop wrote:
  Hi,
  
  This is the solution for slow redundant mysql authorize:
  
  echo 0 > /proc/sys/net/ipv4/tcp_syn_retries
  (default value is 5)
  
  Thanks to Tiago
  
  Micheld
  
  - Original Message - 
  From: Michel van Dop [EMAIL PROTECTED]
  To: freeradius-users@lists.freeradius.org
  Sent: Thursday, February 10, 2005 3:30 PM
  Subject: Re: Redundant mysql authorize not working
  
  
   Hi Gilbert,
  
   I am not sure but i think also this is a bug im mysql driver!
   Same problems here! But i have a little solution i hope this
   is working on your situation.
   We have two location and every location have a own radius server and own
   mysql db.
   We also use mysql replication. So there is a master en slave situation.
  
   On location one we have master db and radius.
   On radiusd.conf we have
   authorize
   redundant {
  sql1 #(masterdb on localdb)
  sql2 #(slave db on location 2)
   }
  
  
   accounting {
   sql1 #(location 1 master)
  
  
   On location 2:
   radiusd.conf we have:
   authorize
   redundant {
  sql2 #(slave db localdb)
  sql1 #(masterdb db on location 2)
   }
  
   accounting {
   sql1 #(location 1 master)
  
   So radius server on more than one location check to login in the local db
   (accounting).
   So the users can login every time local.
   On the client NAS we use chillipot so there we can configure a first 
   radius and second.
   So first is local same subnet and when down he go to the second radius i
   can connection to location 2.
  
   So i think this is save (for me) !?
   I testit and i can reboot one of the radius servers and every users can  
   login in the down time.
  
   The best solution is when redundant is fast working. But i have spent so
   much time in it.
   This is for my a working solution.
   Sorry for my english!
  
   Michel
  
   Nobody can help me or can say this is a bug?
   max_request_time make no different..
  
   Gilbert
  
what happens...
   
The connection to the second mysql database it takes three minutes!
   
It look likes a bug i search on google and see same problems but no
solutions!
   
I set max_request_time to 5 seconds, so it's faster for testing:
   
Gilbert
   
 Gilbert Otingen [EMAIL PROTECTED] wrote:
redundant {
  sql1
  sql2
  }
 
  And i can see the successful connect in the log  and everything 
  works as
  expected... but until i shutdown the first database.

   Then... what happens?

  Any ideas on what the problem is?

   Without a description of the problem, I have no idea.

   Alan DeKok.

   Kind regards,
  
   M. v Dop
   www.westwireless.nl
  

Kind regards,

M. v Dop
www.westwireless.nl



Re: Redundant mysql authorize not working

2005-02-10 Thread Michel van Dop
Hi Gilbert,

I am not sure, but I also think this is a bug in the mysql driver!
Same problems here! But I have a little solution; I hope this
works in your situation.
We have two locations and every location has its own radius server and own mysql
db.
We also use mysql replication. So there is a master and slave situation.

On location one we have the master db and radius.
In radiusd.conf we have
authorize {
    redundant {
        sql1 #(masterdb on localdb)
        sql2 #(slave db on location 2)
    }
}

accounting {
    sql1 #(location 1 master)
}

On location 2:
In radiusd.conf we have:
authorize {
    redundant {
        sql2 #(slave db localdb)
        sql1 #(masterdb db on location 2)
    }
}

accounting {
    sql1 #(location 1 master)
}

So the radius servers at more than one location check the login in the local db
(accounting).
So the users can always log in locally.
On the client NAS we use chillispot, so there we can configure a first radius and
a second.
So the first is local (same subnet), and when it is down it goes to the second
radius, with a connection to location 2.

So I think this is safe (for me)!?
I tested it and I can reboot one of the radius servers and every user can log in
during the downtime.

The best solution would be for redundant to work fast. But I have spent so much
time on it.
For me this is a working solution.
Sorry for my English!

Michel

 Nobody can help me or can say this is a bug?
 max_request_time make no different..
 
 Gilbert
 
  what happens... 
  
  The connection to the second mysql database it takes three minutes!
  
  It look likes a bug i search on google and see same problems but no
  solutions! 
  
  I set max_request_time to 5 seconds, so it's faster for testing:
  
  Gilbert
  
   Gilbert Otingen [EMAIL PROTECTED] wrote:
  redundant {
sql1
sql2
}

And i can see the successful connect in the log  and everything works as
expected... but until i shutdown the first database. 
   
 Then... what happens?
   
Any ideas on what the problem is?
   
 Without a description of the problem, I have no idea.
   
 Alan DeKok.
   
Kind regards,

M. v Dop
www.westwireless.nl



Re: Redundant mysql authorize not working

2005-02-10 Thread Michel van Dop
Hi,
This is the solution for slow redundant mysql authorize:
echo 0 > /proc/sys/net/ipv4/tcp_syn_retries
(default value is 5)
Thanks to Tiago
Micheld
- Original Message - 
From: Michel van Dop [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Thursday, February 10, 2005 3:30 PM
Subject: Re: Redundant mysql authorize not working


Hi Gilbert,
I am not sure but i think also this is a bug im mysql driver!
Same problems here! But i have a little solution i hope this
is working on your situation.
We have two location and every location have a own radius server and own 
mysql db.
We also use mysql replication. So there is a master en slave situation.

On location one we have master db and radius.
On radiusd.conf we have
authorize
redundant {
   sql1 #(masterdb on localdb)
   sql2 #(slave db on location 2)
}
accounting {
sql1 #(location 1 master)
On location 2:
radiusd.conf we have:
authorize
redundant {
   sql2 #(slave db localdb)
   sql1 #(masterdb db on location 2)
}
accounting {
sql1 #(location 1 master)
So radius server on more than one location check to login in the local db 
(accounting).
So the users can login every time local.
On the client NAS we use chillipot so there we can configure a first 
radius and second.
So first is local same subnet and when down he go to the second radius i 
can connection to location 2.

So i think this is save (for me) !?
I testit and i can reboot one of the radius servers and every users can 
login in the down time.

The best solution is when redundant is fast working. But i have spent so 
much time in it.
This is for my a working solution.
Sorry for my english!

Michel
Nobody can help me or can say this is a bug?
max_request_time make no different..
Gilbert
 what happens...

 The connection to the second mysql database it takes three minutes!

 It look likes a bug i search on google and see same problems but no
 solutions!

 I set max_request_time to 5 seconds, so it's faster for testing:

 Gilbert

  Gilbert Otingen [EMAIL PROTECTED] wrote:
 redundant {
   sql1
   sql2
   }
  
   And i can see the successful connect in the log  and everything 
   works as
   expected... but until i shutdown the first database.
 
Then... what happens?
 
   Any ideas on what the problem is?
 
Without a description of the problem, I have no idea.
 
Alan DeKok.
 
Kind regards,
M. v Dop
www.westwireless.nl
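
Why a connect to the stopped database host took about three minutes and what the tcp_syn_retries values mentioned in this thread (5, 1 and 0) change, as an added example that is not part of the original posts. It assumes the retransmission behaviour of Linux kernels of that period, which the thread does not state: a 3 second initial SYN timeout that doubles after each retransmission, capped at 120 seconds.

```python
# Assumptions of this example (not taken from the thread): initial SYN
# retransmission timeout of 3 s, doubled after every retransmission and
# capped at 120 s, as on Linux kernels of that period.
INITIAL_RTO = 3.0
MAX_RTO = 120.0


def syn_schedule(syn_retries, initial_rto=INITIAL_RTO):
    """Model a connect() to a host that never answers.

    Returns (send_times, give_up_time): the seconds at which the first SYN
    and each retransmission leave, and the second at which connect() fails.
    """
    send_times = [0.0]
    rto = initial_rto
    now = 0.0
    for _ in range(syn_retries):
        now += rto                   # timer expires, retransmit the SYN
        send_times.append(now)
        rto = min(rto * 2, MAX_RTO)  # exponential backoff
    return send_times, now + rto     # last timer expiry ends the attempt


def max_retries_within(deadline, initial_rto=INITIAL_RTO, limit=10):
    """Largest tcp_syn_retries whose give-up time fits the deadline, or None."""
    best = None
    for retries in range(limit + 1):
        if syn_schedule(retries, initial_rto)[1] <= deadline:
            best = retries
    return best


if __name__ == "__main__":
    for retries in (5, 1, 0):        # default, and the two values used above
        sends, give_up = syn_schedule(retries)
        print(f"tcp_syn_retries={retries}: SYNs at {sends}, fails at {give_up:.0f}s")
    # The 4 second failover target asked for elsewhere in this archive.
    print("retries that fit in 4s:", max_retries_within(4.0))
```

The sysctl is host-wide, so the shorter give-up time applies to every outbound TCP connection the RADIUS host makes, not only to the MySQL client.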


Re: Fail_over mysql again!

2005-02-02 Thread Michel van Dop
Hi,
I found an 85% solution for my problem.
Set in sql1 (masterdb) connect_failure_retry_delay = 1800
So if the master db is down it uses the slave:
authorize {
    redundant {
        sql1
        sql2
    }
}
It goes slowly (180 seconds down) from sql1 to sql2 and retries the connection
to sql1 after 1800 seconds.
So 1800 seconds up on the slave db and 180 seconds down, and again up and
a little down, and over again.
When the master db (sql1) is up, it does not go to sql2.

I think there is a bug in the rlm_sql_mysql driver: you need to set a timeout
for when there is no response. The timeout is now too long!!
It is 180 seconds now; for me 4 seconds would be good! And then my solution is perfect!

My client NAS (chillispot) has a first radius and a second. If the first is down
then it goes to the second. So this is a sort of proxy.
I think that radrelay is the same?!

Thank you, I hope there is a solution for the timeout in the rlm_sql_mysql driver?
Michel


- Original Message - 
From: Dustin Doris [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, February 02, 2005 4:41 PM
Subject: Re: Fail_over mysql again!


On Tue, 1 Feb 2005, Michel van Dop wrote:
When i only connect freeradius to the slave db it works great! Same on only
master db!
I think there is a radiusd.conf problem i find on google more configs
old/and very old but not a working solution.
The fail-over document on the own radius directory is very old from 2000.

Okay thank you for the radrelay tip. Is there i example or document for
this?
And when i use radrelay is there a option to set only master db to write
sessions on finisch sessions?
Or radrelay working only for account reading?
Check out doc/radrelay, it will show you how to use it.  You will set it
up to send to a certain server, so in your case you just point it at your
master accounting server.  The replication setup between your master and
slave sql database will take care of replicating the data to the slave.
- Original Message -
From: Dustin Doris [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, February 01, 2005 4:08 PM
Subject: Re: Fail_over mysql again!

 Hello,

 I have problems on FC1 freeradius 0.9.3 on failover and mysql db's. I use
 two mysql db's replication. One master db and slave db.
 So when master is down freeradius server go on on the second slave db
 whit accounting.

 So i think there is a bug in version 0.9.3 or sql/driver/module.

 Now i install two machines FC2 whit:
 freeradius-1.0.1-0.FC2 and freeradius-mysql-1.0.1-0.FC2
 But same problems on fail_over on sql1 and sql2. Sql1 is down and second
 db, sql2 is up.
 Start slow and user request hi give every 240 second a good replay.
 When i start the first db everithing works!!! ?

 So can some one send me good sample or tips how to use fail_over mysql
 on 2 db's.  It's only for accounting so users get a replay when masterdb
 is down.

 Michel


 How does it perform when you have it only talking to the slave server?
 For example, if you just take out the redundancy and setup to only use the
 slave/failover server for sql?  Is it fast then or do you see a similar
 slow startup and query issues?

 Another option, is what I do, is use radrelay to send the accounting
 packets to the sql database.  That way the radius server just logs to a
 detail file, which is quick, and the accounting packet is done.  Then
 radrelay constantly tries to send those accounting packets over to our sql
 server for storage.  With that you can afford some downtime on the sql
 server, because as soon as it comes back up, radrelay will send over all
 the missed packets.  When everything is up, the accounting packets are
 pretty close to real-time in the sql server.  I guess it depends how close
 to real-time you need in the sql database.

 BTW.  I'm not saying to stop trying to make failover work, just offering
 another option to it, if you can't get it to work.

 -Dusty





Fail_over mysql again!

2005-02-01 Thread Michel van Dop
Hello,

I have problems on FC1 with freeradius 0.9.3 on failover and mysql dbs. I use two
mysql dbs with replication: one master db and one slave db.
So when the master is down, the freeradius server carries on on the second slave db with
accounting.

So I think there is a bug in version 0.9.3 or sql/driver/module.

Now I have installed two FC2 machines with:
freeradius-1.0.1-0.FC2 and freeradius-mysql-1.0.1-0.FC2
But I have the same problems with fail_over on sql1 and sql2. Sql1 is down and the second db,
sql2, is up.
It starts slowly and on a user request it gives a good reply every 240 seconds.
When I start the first db everything works!!! ?

So can someone send me a good sample or tips on how to use fail_over mysql on 2
dbs?
It's only for accounting, so users get a reply when the masterdb is down.

Michel



Re: Fail_over mysql again!

2005-02-01 Thread Michel van Dop
When I connect freeradius only to the slave db it works great! Same with only the
master db!
I think there is a radiusd.conf problem. I found more configs on Google,
old and very old, but not a working solution.
The fail-over document in radius's own directory is very old, from 2000.

Okay, thank you for the radrelay tip. Is there an example or document for
this?
And when I use radrelay, is there an option to set only the master db to write
sessions on finished sessions?
Or does radrelay work only for account reading?

Thanks for the help!
Michel

- Original Message - 
From: Dustin Doris [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, February 01, 2005 4:08 PM
Subject: Re: Fail_over mysql again!



Hello,
I have problems on FC1 freeradius 0.9.3 on failover and mysql db's. I use 
two mysql db's replication. One master db and slave db.
So when master is down freeradius server go on on the second slave db 
whit accounting.

So i think there is a bug in version 0.9.3 or sql/driver/module.
Now i install two machines FC2 whit:
freeradius-1.0.1-0.FC2 and freeradius-mysql-1.0.1-0.FC2
But same problems on fail_over on sql1 and sql2. Sql1 is down and second 
db, sql2 is up.
Start slow and user request hi give every 240 second a good replay.
When i start the first db everithing works!!! ?

So can some one send me good sample or tips how to use fail_over mysql
on 2 db's.  It's only for accounting so users get a replay when masterdb
is down.
Michel
How does it perform when you have it only talking to the slave server?
For example, if you just take out the redundancy and setup to only use the
slave/failover server for sql?  Is it fast then or do you see a similar
slow startup and query issues?
Another option, is what I do, is use radrelay to send the accounting
packets to the sql database.  That way the radius server just logs to a
detail file, which is quick, and the accounting packet is done.  Then
radrelay constantly tries to send those accounting packets over to our sql
server for storage.  With that you can afford some downtime on the sql
server, because as soon as it comes back up, radrelay will send over all
the missed packets.  When everything is up, the accounting packets are
pretty close to real-time in the sql server.  I guess it depends how close
to real-time you need in the sql database.
BTW.  I'm not saying to stop trying to make failover work, just offering
another option to it, if you can't get it to work.
-Dusty



sql failover

2005-01-30 Thread Michel van Dop





Hi,

Sorry for my bad English!
I have tried everything to get it working with failover mysql dbs.
Something I am not seeing. I know there is a bug in the accounting redundant.
I hope someone can look at my configs and debugging log in this message and can
tell me the problem so I can use the freeradius servers; this is the last step!
I am using Fedora Core 1 and freeradius-0.9.3-1.1, freeradius-mysql-0.9.3-1.1
(standard Fedora rpm).
I have 2 servers with the same versions and I have the same problems. With a
one-db radius config it works; I tested both mysql servers.

My config files are here; I cannot send them in this e-mail (too big for
the list):
http://www.italo.nu/radiusd.txt
http://www.italo.nu/sql1.txt
http://www.italo.nu/sql2.txt


I searched on Google and found these pages, and tried them:
http://lists.cistron.nl/pipermail/freeradius-users/2004-September/036618.html
http://lists.cistron.nl/pipermail/freeradius-users/2002-January/004131.html
http://www.freeradius.org/radiusd/doc/configurable_failover

** mysql1 is down now and starting radiusd -X **
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql1.conf
Config: including file: /etc/raddb/sql2.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded SQL
sql: driver = "rlm_sql_mysql"
sql: server = "192.168.160.10"
sql: port = ""
sql: login = "linksys_wrt"
sql: password = "password"
sql: radius_db = "db"
sql: acct_table = "radacct"
sql: acct_table2 = "radacct"
sql: authcheck_table = "users"
sql: authreply_table = "radreply"
sql: groupcheck_table = "radgroupcheck"
sql: groupreply_table = "radgroupreply"
sql: usergroup_table = "users"
sql: nas_table = "nas"
sql: dict_table = "dictionary"
sql: sqltrace = no
sql: sqltracefile = "/var/log/radius/sqltrace.sql"
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = "%{User-Name}"
sql: default_user_profile = ""
sql: query_on_not_found = no
sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM users WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,users WHERE users.Username = '%{SQL-User-Name}' AND users.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,users WHERE users.Username = '%{SQL-User-Name}' AND users.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
sql: accounting_onoff_query = 

Re: sql failover

2005-01-30 Thread Michel van Dop
Hi,
I use replication but this is one way. So I want the replication (slave) db
to be the backup/second db in freeradius. (Master db - slave db)
I use mysql server 3.23.58 on Fedora Core 1. And the new mysql 4.x doesn't
do two-way replication (don't master - slave).
Only the better sql servers have this two-way replication option.
MySQL-max db clustering: I don't know how this works? I will have to search on
mysql.com; thank you for the tip.

Michel
- Original Message - 
From: Lewis Bergman [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Sunday, January 30, 2005 4:15 PM
Subject: Re: sql failover


Michel van Dop said:
Hi,
Sorry for my bad english!
I have tryed everything to have it working with failover mysql db's.
Somthing i not seeing. I now there is a bug in the accounting redundant. I
hope someone can look at my configs and
debuging log in this messages and can tell me the problem so i can use the
freeradius servers, this is the last step!
I am using fedora Core 1 and freeradius-0.9.3-1.1,
freeradius-mysql-0.9.3-1.1 (standard rpm fedora).
I have 2 servers same versions and i have the same problems. On one db
radius config it works i test both mysql servers.

This probably isn't the answer you want but here goes.
If you are looking for redundant mysql accounting or auth why not use
MySQL-max db clustering and compile freeradius from source against that.
The setup is pretty well documented and works very well. freeradius works
with it very well.
--
Lewis Bergman
Texas Communications
4309 Maple ST.
Abilene, TX 79602
325-695-6962 ext 115


Re: Have anyone a good example failover mysql config?

2005-01-30 Thread Michel van Dop
For authorize and accounting I am using this now:
group {
    sql1 {
        fail     = return
        notfound = return
        noop     = 2
        ok       = return
        updated  = 3
        reject   = return
        userlock = 4
        invalid  = 5
        handled  = 6
    }
    sql2 {
        fail     = return
        notfound = return
        noop     = 2
        ok       = return
        updated  = 3
        reject   = return
        userlock = 4
        invalid  = 5
        handled  = 6
    }
}
Same problem!? It starts slowly, taking 240 seconds to get started, and after
starting, radiusd -X gives this on a request:

### radtest test test localhost 1812 secretkey ###
Re-sending Access-Request of id 226 to 127.0.0.1:1812
   User-Name = test
   User-Password = \016\211\031\273\032\001T\203t8\375\305\357_qG
   NAS-IP-Address = radius02
   NAS-Port = 1812
radclient: no response from server
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32776, id=218, length=57
   User-Name = test
   User-Password = test
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 1812
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = theus, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
modcall: entering group group for request 0
radius_xlat:  'test'
rlm_sql (sql1): sql_set_user escaped user -- 'test'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM users WHERE Username = 'test' ORDER BY id'
rlm_sql (sql1): Ignoring unconnected handle 4..
rlm_sql (sql1): Ignoring unconnected handle 3..
rlm_sql (sql1): Ignoring unconnected handle 2..
rlm_sql (sql1): Ignoring unconnected handle 1..
rlm_sql (sql1): Ignoring unconnected handle 0..
rlm_sql (sql1): There are no DB handles to use! skipped 5, tried to connect 0
 modcall[authorize]: module sql1 returns fail for request 0
modcall: group group returns fail for request 0
modcall: group authorize returns fail for request 0
There was no response configured: rejecting request 0
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 218 to 127.0.0.1:32776
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 218 with timestamp 41fd47af
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:32776, id=222, length=57
   User-Name = test
   User-Password = test
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 1812
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: No '@' in User-Name = theus, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 1
modcall: entering group group for request 1
radius_xlat:  'theus'
rlm_sql (sql1): sql_set_user escaped user -- 'test'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM users WHERE 
Username = 'theus' ORDER BY id'
rlm_sql (sql1): Trying to (re)connect unconnected handle 4..
rlm_sql (sql1): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4


- Original Message - 
From: Nicolas Baradakis [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Sunday, January 30, 2005 5:58 PM
Subject: Re: Have anyone a good example failover mysql config?


Michel van Dop wrote:
accounting {
   redundant {
   sql1 {
   ok = return
   }
   sql2
   }
}
But same problems??? Can anyone send a working failover config?
Read again the workaround provided in the bug report: you shouldn't
use redundant stanza. (use group instead)
Nicolas Baradakis
--
A: Yes.
Q: Are you sure?
A: Because it reverses the logical flow of conversation.
Q: Why is top posting annoying in email?

Have anyone a good example failover mysql config?

2005-01-28 Thread Michel van Dop
Hello Freeradius users,

Does anyone have a good example of a failover mysql config (radiusd.conf)?
I want to use SQL1, if it's down, try SQL2.
I read the configurable_failover document but it doesn't work, or I am not 
understanding it. 
Now if one of my mysql servers goes down, the radius server works slowly and fails many 
times to log in. 
Please help me...



 




Kind regards,

M. v Dop
www.westwireless.nl



Re: Have anyone a good example failover mysql config?

2005-01-28 Thread Michel van Dop
When I shut down mysql (sql1) it gets slow on starting (240 seconds) and after 
20 times I get a response.
Both mysql servers are working! I tested it on a single db radius config.

I do this in radiusd.conf:
$INCLUDE  ${confdir}/sql1.conf  # sql sql1 { server 1 options }
$INCLUDE  ${confdir}/sql2.conf  # sql sql2 { server 2 options }
authorize {
   redundant {
      sql1
      sql2
      notfound = return
   }
}
accounting {
   redundant {
      sql1
      sql2
   }
}
See the time on radius.log
Fri Jan 28 17:21:10 2005 : Info: rlm_sql (sql1): Driver rlm_sql_mysql 
(module rlm_sql_mysql) loaded and linked
Fri Jan 28 17:21:10 2005 : Info: rlm_sql (sql1): Attempting to connect to 
[EMAIL PROTECTED]:/db
Fri Jan 28 17:21:10 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #0
Fri Jan 28 17:24:19 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
MySQL server [EMAIL PROTECTED]:db
Fri Jan 28 17:24:19 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect 
to MySQL server on '192.168.160.10' (110)'
Fri Jan 28 17:24:19 2005 : Error: rlm_sql (sql1): Failed to connect DB 
handle #0
Fri Jan 28 17:24:19 2005 : Info: rlm_sql (sql2): Driver rlm_sql_mysql 
(module rlm_sql_mysql) loaded and linked
Fri Jan 28 17:24:19 2005 : Info: rlm_sql (sql2): Attempting to connect to 
[EMAIL PROTECTED]:/westwireless

- Original Message - 
From: Dustin Doris [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Friday, January 28, 2005 4:32 PM
Subject: Re: Have anyone a good example failover mysql config?



Hello Freeradius users,
Does anyone have a good example of a failover mysql config (radiusd.conf)?
I want to use SQL1, if it's down, try SQL2.
I read the configurable_failover document but it doesn't work, or I am not 
understanding it.
Now if one of my mysql servers goes down, the radius server works slowly and fails 
many times to log in.
Please help me...

Read doc/configurable_failover, it will show you how.
I'm doing it with ldap, but it should be pretty much the same.  First,
make sure you have two sql configurations.  So, in sql.conf, change this
sql {
to this
sql sql1 {
then at the end of the file, start a new one and name it something else,
like this
sql sql2 {
copy all the stuff from sql1 here and modify to point to the other server
} #don't forget to close it with this
Then in radiusd.conf use the configurable_failover options.
Here is how I do it with ldap
authorize {
 stuff...
 redundant {
   ldap1
   ldap2
   notfound = return
 }
}
I imagine you would just change that to something like
 redundant {
   sql1
   sql2
 }

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
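
The stall visible in the radius.log excerpts of this thread can be measured mechanically. The following is an added example, not part of any post and not FreeRADIUS code: it pairs each "Starting connect" line with the matching "Failed to connect DB handle" or "Connected new DB handle" line and reports how long the server was blocked. The function names are hypothetical, and the sample lines are the ones posted above with the e-mail line wrapping undone.

```python
import re
from datetime import datetime

TS_FORMAT = "%a %b %d %H:%M:%S %Y"
LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : \w+: (.*)$")
INSTANCE = re.compile(r"rlm_sql \((\w+)\): ")
START = re.compile(r"rlm_sql_mysql: Starting connect to MySQL server for #(\d+)")
ERRNO = re.compile(r"rlm_sql_mysql: Mysql error '.*\((\d+)\)'")
FAILED = re.compile(r"rlm_sql \((\w+)\): Failed to connect DB handle #(\d+)")
# Assumption: this message appears in radius.log with the same wording as in
# the debug output shown elsewhere on this page.
CONNECTED = re.compile(r"rlm_sql \((\w+)\): Connected new DB handle, #(\d+)")

# radius.log lines from the post above, unwrapped (addresses are redacted
# as "[EMAIL PROTECTED]" in the archive itself).
SAMPLE_LOG = """\
Fri Jan 28 17:21:10 2005 : Info: rlm_sql (sql1): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Fri Jan 28 17:21:10 2005 : Info: rlm_sql (sql1): Attempting to connect to [EMAIL PROTECTED]:/db
Fri Jan 28 17:21:10 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Fri Jan 28 17:24:19 2005 : Error: rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]:db
Fri Jan 28 17:24:19 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect to MySQL server on '192.168.160.10' (110)'
Fri Jan 28 17:24:19 2005 : Error: rlm_sql (sql1): Failed to connect DB handle #0
Fri Jan 28 17:24:19 2005 : Info: rlm_sql (sql2): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Fri Jan 28 17:24:19 2005 : Info: rlm_sql (sql2): Attempting to connect to [EMAIL PROTECTED]:/westwireless
"""


def connect_attempts(log_text):
    """Return one record per completed connect attempt found in the log."""
    instance = None      # last rlm_sql instance named in the log
    pending = {}         # (instance, handle) -> time the connect started
    last_errno = None    # errno from the most recent "Mysql error" line
    attempts = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        when = datetime.strptime(line.group(1), TS_FORMAT)
        msg = line.group(2)

        named = INSTANCE.match(msg)
        if named:
            instance = named.group(1)

        started = START.match(msg)
        if started:
            # The start line does not name the instance, so it is attributed
            # to the instance that logged most recently.
            pending[(instance, int(started.group(1)))] = when
            continue

        err = ERRNO.match(msg)
        if err:
            last_errno = int(err.group(1))
            continue

        failed = FAILED.match(msg)
        done = failed or CONNECTED.match(msg)
        if done:
            key = (done.group(1), int(done.group(2)))
            began = pending.pop(key, None)
            if began is not None:
                attempts.append({
                    "instance": key[0],
                    "handle": key[1],
                    "outcome": "failed" if failed else "connected",
                    "seconds": int((when - began).total_seconds()),
                    # On Linux, errno 110 is ETIMEDOUT.
                    "errno": last_errno if failed else None,
                })
            last_errno = None
    return attempts


def stalled_connects(log_text, threshold_seconds=30):
    """Connect attempts that blocked for at least threshold_seconds."""
    return [a for a in connect_attempts(log_text)
            if a["seconds"] >= threshold_seconds]


if __name__ == "__main__":
    for a in stalled_connects(SAMPLE_LOG):
        print("{instance} handle #{handle}: {outcome} after {seconds}s "
              "(errno {errno})".format(**a))
```

A start line whose completion is not in the excerpt, or a failure whose start was logged before the excerpt begins, is skipped rather than guessed at.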


Re: Have anyone a good example failover mysql config?

2005-01-28 Thread Michel van Dop
Strange! But thank you for linking me to the bug!
I read a solution in the bug report, and I changed this:
   $INCLUDE  ${confdir}/sql1.conf
   $INCLUDE  ${confdir}/sql2.conf
authorize {
   redundant {
   sql1 {
   ok = return
   }
   sql2
   }
}
accounting {
   redundant {
   sql1 {
   ok = return
   }
   sql2
   }
}
But same problems??? Can anyone send a working failover config?
Fri Jan 28 20:11:13 2005 : Info: rlm_sql (sql1): Driver rlm_sql_mysql 
(module rlm_sql_mysql) loaded and linked
Fri Jan 28 20:11:13 2005 : Info: rlm_sql (sql1): Attempting to connect to 
[EMAIL PROTECTED]:/db
Fri Jan 28 20:11:13 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #0
Fri Jan 28 20:14:22 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
MySQL server [EMAIL PROTECTED]:db
Fri Jan 28 20:14:22 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect 
to MySQL server on '192.168.160.10' (110)'
Fri Jan 28 20:14:22 2005 : Error: rlm_sql (sql1): Failed to connect DB 
handle #0
Fri Jan 28 20:14:22 2005 : Info: rlm_sql (sql2): Driver rlm_sql_mysql 
(module rlm_sql_mysql) loaded and linked
Fri Jan 28 20:14:22 2005 : Info: rlm_sql (sql2): Attempting to connect to 
[EMAIL PROTECTED]:/db
Fri Jan 28 20:14:22 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #0
Fri Jan 28 20:14:22 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #1
Fri Jan 28 20:14:22 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #2
Fri Jan 28 20:14:22 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #3
Fri Jan 28 20:14:22 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #4
Fri Jan 28 20:14:22 2005 : Info: Listening on IP address *, ports 1812/udp 
and 1813/udp.
Fri Jan 28 20:14:22 2005 : Info: Ready to process requests.

- Original Message - 
From: Nicolas Baradakis [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Friday, January 28, 2005 6:37 PM
Subject: Re: Have anyone a good example failover mysql config?


Michel van Dop wrote:
When I shut down mysql (sql1) it gets slow on starting (240 seconds) and
after 20 times I get a response.
Both mysql servers are working! I tested it on a single db radius config.
[...]
accounting {
   redundant {
   sql1
   sql2
 }
}
redundant stanza doesn't work in the accounting section.
It's a known bug, see http://bugs.freeradius.org/show_bug.cgi?id=173
--
Nicolas Baradakis


Slow second db on freeradius

2005-01-27 Thread Michel van Dop
 (sql1): Failed to connect DB handle #2
Thu Jan 27 10:55:55 2005 : Info: rlm_sql (sql1): There are no DB handles to 
use! skipped 1, tried to connect 1
Thu Jan 27 10:55:55 2005 : Auth: Login OK: [user/password] (from client 
nas3.domain.nl port 1812)

In my radiusd.conf
$INCLUDE  ${confdir}/sql1.conf
$INCLUDE  ${confdir}/sql2.conf

accounting {
group {
sql1 {
  fail  = 1
  notfound = return
  noop  = 2
  ok  = return
  updated = 3
  reject = return
  userlock = 4
  invalid = 5
  handled = 6
}
sql2 {
  fail  = 1
  notfound = return
  noop  = 2
  ok  = return
  updated = 3
  reject = return
  userlock = 4
  invalid = 5
  handled = 6
}
  }
}


authorize {
group {
sql1 {
  fail  = 1
  notfound = return
  noop  = 2
  ok  = return
  updated = 3
  reject = return
  userlock = 4
  invalid = 5
  handled = 6
}
sql2 {
  fail  = 1
  notfound = return
  noop  = 2
  ok  = return
  updated = 3
  reject = return
  userlock = 4
  invalid = 5
  handled = 6
}
  }
}


In sql1.conf and sql2.conf I also tried this:
connect_failure_retry_delay = 5 #60

Can anyone help me with this problem to make it faster?

Thanks Michel




Re: Slow second db on freeradius

2005-01-27 Thread Michel van Dop
I already use the outside IP address in my second config, /etc/raddb/sql2.conf. 
Only when testing with radtest do I use localhost. But on my radius client I use the 
outside IP address.

Thank you Mandy



  Well, I had a similar problem when starting freeradius, it took a loong 
 time, and everybody accused a slow db.
  But I found out a bit later that the problem was in configuring the host of 
 the database as localhost and not 127.0.0.1. When I used the numeric IP it 
 started immediately. Maybe it's the same problem.
 
 
 
 
 
 Home, no matter how far...
 http://www.home.ro
 
Kind regards,

M. v Dop
www.westwireless.nl



Re: Slow second db on freeradius

2005-01-27 Thread Michel van Dop
:59 2005 : Error: WARNING: Unresponsive child (id 3178441648) 
 for request 30
 Thu Jan 27 10:54:59 2005 : Info: rlm_sql (sql1): Trying to (re)connect 
 unconnected handle 4..
 Thu Jan 27 10:54:59 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
 server for #4
 Thu Jan 27 10:55:04 2005 : Info: rlm_sql (sql1): Trying to (re)connect 
 unconnected handle 1..
 Thu Jan 27 10:55:04 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
 server for #1
 Thu Jan 27 10:55:07 2005 : Error: Discarding new request from client 
 nas3.domain.nl:32770 - ID: 139 due to live request 33
 Thu Jan 27 10:55:10 2005 : Error: Discarding new request from client 
 nas3.domain.nl:32770 - ID: 139 due to live request 33
 Thu Jan 27 10:55:13 2005 : Info: rlm_sql (sql1): Trying to (re)connect 
 unconnected handle 0..
 Thu Jan 27 10:55:13 2005 : Info: rlm_sql_mysql: Starting connect to MySQL 
 server for #0
 Thu Jan 27 10:55:16 2005 : Error: Discarding new request from client 
 nas3.domain.nl:32770 - ID: 144 due to live request 36
 Thu Jan 27 10:55:18 2005 : Info: rlm_sql (sql1): There are no DB handles to 
 use! skipped 0, tried to connect 0
 Thu Jan 27 10:55:18 2005 : Auth: Login OK: [user/password] (from client 
 nas3.domain.nl port 1812)
 Thu Jan 27 10:55:22 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
 MySQL server [EMAIL PROTECTED]:db
 Thu Jan 27 10:55:22 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect 
 to MySQL server on '192.168.160.10' (110)'
 Thu Jan 27 10:55:22 2005 : Error: rlm_sql (sql1): Failed to connect DB handle 
 #3
 Thu Jan 27 10:55:22 2005 : Info: rlm_sql (sql1): There are no DB handles to 
 use! skipped 1, tried to connect 1
 Thu Jan 27 10:55:22 2005 : Auth: Login OK: [user/password] (from client 
 nas3.domain.nl port 1812)
 Thu Jan 27 10:55:55 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
 MySQL server [EMAIL PROTECTED]:db
 Thu Jan 27 10:55:55 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect 
 to MySQL server on '192.168.160.10' (110)'
 Thu Jan 27 10:55:55 2005 : Error: rlm_sql (sql1): Failed to connect DB handle 
 #2
 Thu Jan 27 10:55:55 2005 : Info: rlm_sql (sql1): There are no DB handles to 
 use! skipped 1, tried to connect 1
 Thu Jan 27 10:55:55 2005 : Auth: Login OK: [user/password] (from client 
 nas3.domain.nl port 1812)
 
 In my radiusd.conf
 $INCLUDE  ${confdir}/sql1.conf
 $INCLUDE  ${confdir}/sql2.conf
 
 accounting {
 group {
 sql1 {
   fail  = 1
   notfound = return
   noop  = 2
   ok  = return
   updated = 3
   reject = return
   userlock = 4
   invalid = 5
   handled = 6
 }
 sql2 {
   fail  = 1
   notfound = return
   noop  = 2
   ok  = return
   updated = 3
   reject = return
   userlock = 4
   invalid = 5
   handled = 6
 }
   }
 }
 
 
 authorize {
 group {
 sql1 {
   fail  = 1
   notfound = return
   noop  = 2
   ok  = return
   updated = 3
   reject = return
   userlock = 4
   invalid = 5
   handled = 6
 }
 sql2 {
   fail  = 1
   notfound = return
   noop  = 2
   ok  = return
   updated = 3
   reject = return
   userlock = 4
   invalid = 5
   handled = 6
 }
   }
 }
 
 
 In sql1.conf and sql2.conf I also tried this:
 connect_failure_retry_delay = 5 #60
 
 Can anyone help me with this problem to make it faster?
 
 Thanks Michel
 
 
Kind regards,

M. v Dop
www.westwireless.nl



Re: Slow second db on freeradius

2005-01-27 Thread Michel van Dop
 27 10:55:18 2005 : Auth: Login OK: [user/password] (from client 
  nas3.domain.nl port 1812)
  Thu Jan 27 10:55:22 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
  MySQL server [EMAIL PROTECTED]:db
  Thu Jan 27 10:55:22 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect 
  to MySQL server on '192.168.160.10' (110)'
  Thu Jan 27 10:55:22 2005 : Error: rlm_sql (sql1): Failed to connect DB 
  handle #3
  Thu Jan 27 10:55:22 2005 : Info: rlm_sql (sql1): There are no DB handles to 
  use! skipped 1, tried to connect 1
  Thu Jan 27 10:55:22 2005 : Auth: Login OK: [user/password] (from client 
  nas3.domain.nl port 1812)
  Thu Jan 27 10:55:55 2005 : Error: rlm_sql_mysql: Couldn't connect socket to 
  MySQL server [EMAIL PROTECTED]:db
  Thu Jan 27 10:55:55 2005 : Error: rlm_sql_mysql: Mysql error 'Can't connect 
  to MySQL server on '192.168.160.10' (110)'
  Thu Jan 27 10:55:55 2005 : Error: rlm_sql (sql1): Failed to connect DB 
  handle #2
  Thu Jan 27 10:55:55 2005 : Info: rlm_sql (sql1): There are no DB handles to 
  use! skipped 1, tried to connect 1
  Thu Jan 27 10:55:55 2005 : Auth: Login OK: [user/password] (from client 
  nas3.domain.nl port 1812)
  
  In my radiusd.conf
  $INCLUDE  ${confdir}/sql1.conf
  $INCLUDE  ${confdir}/sql2.conf
  
  accounting {
  group {
  sql1 {
fail  = 1
notfound = return
noop  = 2
ok  = return
updated = 3
reject = return
userlock = 4
invalid = 5
handled = 6
  }
  sql2 {
fail  = 1
notfound = return
noop  = 2
ok  = return
updated = 3
reject = return
userlock = 4
invalid = 5
handled = 6
  }
}
  }
  
  
  authorize {
  group {
  sql1 {
fail  = 1
notfound = return
noop  = 2
ok  = return
updated = 3
reject = return
userlock = 4
invalid = 5
handled = 6
  }
  sql2 {
fail  = 1
notfound = return
noop  = 2
ok  = return
updated = 3
reject = return
userlock = 4
invalid = 5
handled = 6
  }
}
  }
  
  
  In sql1.conf and sql2.conf I also tried this:
  connect_failure_retry_delay = 5 #60
  
  Can anyone help me with this problem to make it faster?
  
  Thanks Michel
  
  
 Kind regards,
 
 M. v Dop
 www.westwireless.nl
 
Kind regards,

M. v Dop
www.westwireless.nl



Re: Slow second db on freeradius

2005-01-27 Thread Michel van Dop
I have already made the sub-domains in my named server.
I changed the domain names in the log I sent to this mailing list.
I think this is not a DNS problem but I am not an expert. When I change 
sql1.conf to sql2.conf it works.
So the second db is working and I use the same nas radius client. So I also have 
privs on the mysql db.

It looks like a loop: try the first db and after 240 seconds go connect to the 
second for 40? seconds and go to the first db (240 seconds).
Over and over.


- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Thursday, January 27, 2005 6:46 PM
Subject: Re: Slow second db on freeradius


Manda Costin [EMAIL PROTECTED] wrote:
But I found out a bit later that the problem was in configuring the
host of the database as localhost and not 127.0.0.1. When I used the
numeric IP it started immediately. Maybe it's the same problem.
 If you don't set up DNS, then the process of mapping names to IP's
will take a very long time.
 FreeRADIUS has no control over DNS.  FreeRADIUS *depends* on DNS to
work properly.
 Alan DeKok.


Re: Slow second db on freeradius

2005-01-27 Thread Michel van Dop
I see the problem: when both mysql servers are started I can switch the sql1 and 
sql2 files and it works.
When I stop one db, the first or the second, Freeradius gets slow.

I checked the mysql connections again: I changed radiusd.conf so the server 
works on one db, and both mysql servers work well.
So the mysql connections work well. But my fail_over config in radiusd.conf is 
not working, I think.

In my radiusd.conf:
   $INCLUDE  ${confdir}/sql1.conf
   $INCLUDE  ${confdir}/sql2.conf
   always handled {
 rcode = handled
   }
accounting {
group {
   sql1 {
 fail  = 1
 notfound = return
 noop  = 2
 ok  = return
 updated = 3
 reject = return
 userlock = 4
 invalid = 5
 handled = 6
   }
   sql2 {
 fail  = 1
 notfound = return
 noop  = 2
 ok  = return
 updated = 3
 reject = return
 userlock = 4
 invalid = 5
 handled = 6
   }
 }
}
authorize {
group {
   sql1 {
 fail  = 1
 notfound = return
 noop  = 2
 ok  = return
 updated = 3
 reject = return
 userlock = 4
 invalid = 5
 handled = 6
   }
   sql2 {
 fail  = 1
 notfound = return
 noop  = 2
 ok  = return
 updated = 3
 reject = return
 userlock = 4
 invalid = 5
 handled = 6
   }
 }
}

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Thursday, January 27, 2005 8:04 PM
Subject: Re: Slow second db on freeradius


Michel van Dop [EMAIL PROTECTED] wrote:
I think this is not a DNS problem but I am not an expert. When I change
sql1.conf to sql2.conf it works.
 Then the problem is in the SQL databases, not in FreeRADIUS.
 Alan DeKok.


Re: SQL db failover

2005-01-15 Thread Michel van Dop
Okay, I understand that (I hope so):
Now I do this in radiusd.conf:
modules {
# same place where this $INCLUDE  ${confdir}/sql.conf
$INCLUDE  ${confdir}/sql1.conf
$INCLUDE  ${confdir}/sql2.conf
# inserted this; I read this in the doc configurable_failover
always handled {
 rcode = handled
   }
# I copied sql.conf to sql1.conf and sql2.conf and edited these files,
# and edited the beginning of sql1.conf to sql sql1{ and in sql2.conf I edited it to sql sql2{

accounting {
# i place this in accounting and remove sql
 redundant {
   sql1   # try module sql1
   sql2   # if that's down, try module sql2
handled   # otherwise drop the request as
 }
I get this error cat /var/log/radius/radius.log
Sat Jan 15 13:35:19 2005 : Error: ERROR: Cannot find a configuration entry 
for module sql.


- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Saturday, January 15, 2005 1:26 AM
Subject: Re: SQL db failover


Michel van Dop [EMAIL PROTECTED] wrote:
So I leave the default config in radiusd.conf, including the file sql.conf,
and put this in my radiusd.conf:
$INCLUDE  ${confdir}/sql.conf
  modules {
 Once again, the include for sql.conf MUST BE INSIDE of the modules
section.  It's there in the default config.  Why do you expect it to
work when you move it outside?
sql sql1 {
  driver = rlm_sql_mysql
  server=myfirstserver.example
  # Insert the rest of config of sql.conf in here
 Why?  Just copy sql.conf to sql1.conf and sql2.conf.  Edit
THOSE files to start off with sql sql1 { and sql sql2 { instead of
just sql {.  Then, $INCLUDE both of the files in radiusd.conf, in
the SAME PLACE that the normal sql.conf file is included.
 Alan DeKok.


Re: SQL db failover

2005-01-15 Thread Michel van Dop
 = UPDATE radacct SET AcctStopTime = '%S', 
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = 
'%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', 
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = 
'%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE 
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND 
NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime = 0
sql: accounting_stop_query_alt = INSERT into radacct (RadAcctId, 
AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, 
NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, 
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, 
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, 
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', 
'%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', 
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', 
DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) 
SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', 
'%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', 
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', 
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', 
'%{Acct-Delay-Time}')
sql: group_membership_query = SELECT GroupName FROM users WHERE 
UserName='%{SQL-User-Name}'
sql: connect_failure_retry_delay = 60
sql: simul_count_query = 
sql: simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, 
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol 
FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
rlm_sql (sql2): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and 
linked
rlm_sql (sql2): Attempting to connect to [EMAIL PROTECTED]:/westwireless
rlm_sql (sql2): starting 0
rlm_sql (sql2): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql2): Connected new DB handle, #0
rlm_sql (sql2): starting 1
rlm_sql (sql2): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql2): Connected new DB handle, #1
rlm_sql (sql2): starting 2
rlm_sql (sql2): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql2): Connected new DB handle, #2
rlm_sql (sql2): starting 3
rlm_sql (sql2): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql2): Connected new DB handle, #3
rlm_sql (sql2): starting 4
rlm_sql (sql2): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql2): Connected new DB handle, #4
Module: Instantiated sql (sql2)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = /var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
ERROR: Cannot find a configuration entry for module sql.

Can anyone help me?
Thanks Michel 



Re: SQL db failover

2005-01-15 Thread Michel van Dop
Okay good, I replace any reference to the sql module and fix it.
But how do I replace this? In group or sql1, sql2 or ?
What's the name of sql1 and sql2?
Thank you,
Michel
- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Saturday, January 15, 2005 5:58 PM
Subject: Re: SQL db failover


Michel van Dop [EMAIL PROTECTED] wrote:
Okay, I understand that (I hope so):
Now I do this in radiusd.conf:
 Yup, that should work.
I get this error cat /var/log/radius/radius.log
Sat Jan 15 13:35:19 2005 : Error: ERROR: Cannot find a configuration 
entry
for module sql.
 Some part of radiusd.conf has a reference to an sql module.  Find
that, fix it, and it should work.
 Alan DeKok.


Re: SQL db failover

2005-01-15 Thread Michel van Dop
It works!! Yes
Thanks Alan!!
I replaced every reference to sql with this:
group {
   sql1 {
      fail     = 1
      notfound = return
      noop     = 2
      ok       = return
      updated  = 3
      reject   = return
      userlock = 4
      invalid  = 5
      handled  = 6
   }
   sql2 {
      fail     = 1
      notfound = return
      noop     = 2
      ok       = return
      updated  = 3
      reject   = return
      userlock = 4
      invalid  = 5
      handled  = 6
   }
}

- Original Message - 
From: Michel van Dop [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Saturday, January 15, 2005 8:11 PM
Subject: Re: SQL db failover


Okay good, I replace any reference to the sql module and fix it.
But how do I replace this? In group or sql1, sql2 or ?
What's the name of sql1 and sql2?
Thank you,
Michel
- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Saturday, January 15, 2005 5:58 PM
Subject: Re: SQL db failover


Michel van Dop [EMAIL PROTECTED] wrote:
Okay, I understand that (I hope so):
Now I do this in radiusd.conf:
 Yup, that should work.
I get this error cat /var/log/radius/radius.log
Sat Jan 15 13:35:19 2005 : Error: ERROR: Cannot find a configuration 
entry
for module sql.
 Some part of radiusd.conf has a reference to an sql module.  Find
that, fix it, and it should work.
 Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
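
How the group posted in this thread is evaluated, as an added example that is not part of any post and not FreeRADIUS code. It is a simplified model of the behaviour described in doc/configurable_failover, under the assumption that `return` stops the group with that code and that a number is a priority where the highest priority seen wins; `run_group` and the scenario labels are hypothetical names.

```python
RETURN = "return"

# Action table copied from the sql1 and sql2 entries of the posted group.
POSTED_ACTIONS = {
    "fail": 1,
    "notfound": RETURN,
    "noop": 2,
    "ok": RETURN,
    "updated": 3,
    "reject": RETURN,
    "userlock": 4,
    "invalid": 5,
    "handled": 6,
}

# The group from the post: sql1 first, then sql2, same actions for both.
FAILOVER_GROUP = [("sql1", POSTED_ACTIONS), ("sql2", POSTED_ACTIONS)]


def run_group(modules, outcomes):
    """Evaluate a group under the simplified model.

    modules  -- ordered list of (module name, action table)
    outcomes -- module name -> return code that module would produce
    Returns (group return code, list of modules that were called).
    """
    result, priority, called = None, 0, []
    for name, actions in modules:
        rcode = outcomes[name]
        called.append(name)
        action = actions[rcode]
        if action == RETURN:
            # Stop here: later modules in the group are never consulted.
            return rcode, called
        if action >= priority:
            # Remember the code with the highest priority seen so far.
            result, priority = rcode, action
    return result, called


def scenarios():
    """Outcomes an operator would want to check before relying on failover."""
    cases = {
        # Primary database answers: secondary is not touched.
        "sql1 up": {"sql1": "ok", "sql2": "ok"},
        # Primary unreachable: 'fail = 1' lets the group fall through.
        "sql1 down": {"sql1": "fail", "sql2": "ok"},
        # Both unreachable: the group fails, which matches the debug log on
        # this page where a failing authorize group ends in a reject.
        "both down": {"sql1": "fail", "sql2": "fail"},
        # User missing in sql1: 'notfound = return' means sql2 is never asked,
        # so the two databases must hold the same users.
        "user only in sql2": {"sql1": "notfound", "sql2": "ok"},
        # Primary down, secondary does nothing: noop (2) outranks fail (1),
        # so the group result hides the failed primary.
        "sql1 down, sql2 noop": {"sql1": "fail", "sql2": "noop"},
    }
    return {label: run_group(FAILOVER_GROUP, outcomes)
            for label, outcomes in cases.items()}


if __name__ == "__main__":
    for label, (rcode, called) in scenarios().items():
        print("%-22s -> %-8s called: %s" % (label, rcode, ", ".join(called)))
```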


SQL db failover

2005-01-14 Thread Michel van Dop
Hi,

The mirroring between the two mysql dbs (3.23.58-4) works with the replication
mechanism of mysql, and I have two sql.conf files to
describe the way to connect to each db and the right config in radiusd.conf.
I use freeradius-0.9.3-1.1 and freeradius-mysql-0.9.3-1.1. I know this is old
but this is the last step! 

I have this in the radiusd.conf:

$INCLUDE  ${confdir}/sql.conf
$INCLUDE  ${confdir}/sql2.conf

modules {
sql sql {
  }
sql sql2 {
  }
always handled {
  rcode = handled
}
  }

Fri Jan 14 15:23:35 2005 : Error: rlm_sql (sql): mysql is NOT an SQL driver!
Fri Jan 14 15:23:35 2005 : Error: radiusd.conf[480]: sql: Module instantiation 
failed. 

I read the configurable_failover doc. But I don't understand it. 
I'm guessing I'm doing something wrong. Any help would be great!


Thanks Michel



Re: SQL db failover

2005-01-14 Thread Michel van Dop
Thank you Alan,
Sorry but this is new for me. Freeradius is now running but on one db.
Now the last step freeradius SQL db failover!
So I leave the default config in radiusd.conf, including the file sql.conf,
and put this in my radiusd.conf:
$INCLUDE  ${confdir}/sql.conf
 modules {
   sql sql1 {
 driver = rlm_sql_mysql
 server=myfirstserver.example
 # Insert the rest of config of sql.conf in here
 # include this? - STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY 
id
 # etc.
   }
   sql sql2 {
 driver = rlm_sql_mysql
 server=mysecondserver.example
 # Insert the rest of config of sql2.conf  in here
 # include this? - STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY 
id
 # etc.
   }
   always handled {
 rcode = handled
   }
 }

accounting {
 redundant {
   sql1   # try module sql1
   sql2   # if that's down, try module sql2
handled   # otherwise drop the request as
   # it's been handled by the always
   # module (see doc/rlm_always)
 }
 }
That's it? Thank you for supporting me.
Michel
- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Friday, January 14, 2005 3:56 PM
Subject: Re: SQL db failover


Michel van Dop [EMAIL PROTECTED] wrote:
I use freeradius-0.9.3-1.1 and freeradius-mysql-0.9.3-1.1. I know this is 
old
but this is the last step!
 I would suggest upgrading.  See http://www.freeradius.org/security.html
I have this in the radiusd.conf
$INCLUDE  ${confdir}/sql.conf
$INCLUDE  ${confdir}/sql2.conf
 The default configuration includes sql.conf from *inside* of the
modules section.  Why have you taken them out?
modules {
sql sql {
  }
sql sql2 {
  }
 And you've just defined two SQL modules with ZERO configuration.
 Let me guess: you put those two entries there because after you
removed $INCLUDE ...sql.conf from the modules section, the server
complained about no such module sql.  Now that you've added empty
SQL configuration, the server doesn't give that error, but gives
another one.
 The solution is to follow the default configuration of the server.
Don't move things around if you don't know why they're in a particular
location.  And if the server complains after you've moved things
around anyways, odds are that you did the wrong thing.
 Alan DeKok.


Re: dialup_admin - blank right frames

2005-01-13 Thread Michel van Dop
I had the same problems.
This is my solution:
[EMAIL PROTECTED] dialup]# pwd
/var/www/html/dialup
[EMAIL PROTECTED] dialup]# ln -s /usr/local/dialup_admin/htdocs htdocs
[EMAIL PROTECTED] dialup]# ls -l
total 0
lrwxrwxrwx  1 root root 30 Jan 13 21:15 htdocs -> /usr/local/dialup_admin/htdocs
[EMAIL PROTECTED] dialup]#

And everything worked!! Yes!!
Michel
- Original Message - 
From: Lewis Bergman [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Monday, January 10, 2005 10:01 PM
Subject: dialup_admin - blank right frames


Freeradius 1.0.1
Mysql-max-4.1.8
Apache 2.0.46
PHP 4.2.3 (from rpm)
register globals On
Magic Quotes Off
Most of the right frames come back empty. Technically, they come back with 
some html but no information. No php errors are reported.

To try and find out what is going on I inserted some print statements into 
the user_stats.php3 file. All the statements print until I get to the line 
that has $start = da_sql_escape_string($start);. After that nothing 
prints. Normally I would expect some kind of php error if execution 
stopped but I don't get anything.

I compiled freeradius against 4.1.8-max libs, and headers with the 
standard ./configure  make  make install stuff.

I saw a post from March 2003 about blank right frames likely being a 
directory problem. I have followed the directions and linked the 
dialup_admin/htdocs dir to another dir in my web server's space so I don't 
think that is it.

Any ideas on where to look from here?
--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
325-691-3301
800-299-6962


Re: dialup_admin - blank right frames

2005-01-11 Thread Michel van Dop
Hi Lewis,
I have the same problem (blank right screen).
Phpmyadmin works well on this server (httpd)?!
If you start the httpd service, do you also get this error?
[EMAIL PROTECTED] root]# service httpd restart
Stopping httpd:[  OK  ]
Starting httpd: httpd: Could not determine the server's fully qualified 
domain name, using 127.0.0.1 for ServerName
  [  OK  ]

I don't know whether this is a problem. I have two radius servers on Fedora; one 
server works well and I see the right page.
But on the one server I got the same problems. I tried copying the config to the 
problem httpd server, but same problems.
I think I forgot something, an rpm?

Any ideas?
Michel

- Original Message - 
From: Lewis Bergman [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Monday, January 10, 2005 10:01 PM
Subject: dialup_admin - blank right frames


Freeradius 1.0.1
Mysql-max-4.1.8
Apache 2.0.46
PHP 4.2.3 (from rpm)
register globals On
Magic Quotes Off
Most of the right frames come back empty. Technically, they come back with 
some html but no information. No php errors are reported.

To try and find out what is going on I inserted some print statements into 
the user_stats.php3 file. All the statements print until I get to the line 
that has $start = da_sql_escape_string($start);. After that nothing 
prints. Normally I would expect some kind of php error if execution 
stopped but I don't get anything.

I compiled freeradius against 4.1.8-max libs, and headers with the 
standard ./configure  make  make install stuff.

I saw a post from March 2003 about blank right frames likely being a 
directory problem. I have followed the directions and linked the 
dialup_admin/htdocs dir to another dir in my web server's space so I don't 
think that is it.

Any ideas on where to look from here?
--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
325-691-3301
800-299-6962


Re: dialup_admin - blank right frames

2005-01-11 Thread Michel van Dop



Hi,

Thank you for the fast response, but I added this to my httpd.conf:

AddType application/x-tar .tgz
AddType application/x-httpd-php .php
AddType application/x-httpd-php .php3

And restarted httpd: same blank right screen!

Michel



  - Original Message -
  From: [EMAIL PROTECTED]
  To: freeradius-users@lists.freeradius.org
  Sent: Tuesday, January 11, 2005 5:54 PM
  Subject: Re: dialup_admin - blank right frames

  Hi
  Add to your httpd.conf in the modules after the word in italics (AddType) the following:

  # AddType allows you to add to or override the MIME configuration
  # file mime.types for specific file types.
  #
  AddType application/x-tar .tgz
  AddType application/x-httpd-php .php
  AddType application/x-httpd-php .php3

  and restart your apache then it will display correctly.
  I hope this helps.

  Quoting Michel van Dop [EMAIL PROTECTED]:

  Hi Lewis,

  I have the same problem (blank right screen).
  Phpmyadmin works well on this server (httpd)?!
  If you start the httpd service, do you also get this error?

  [EMAIL PROTECTED] root]# service httpd restart
  Stopping httpd: [ OK ]
  Starting httpd: httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
  [ OK ]

  I don't know whether this is a problem. I have two radius servers on Fedora; one server works well and I see the right page.
  But on the one server I got the same problems. I tried copying the config to the problem httpd server, but same problems.
  I think I forgot something, an rpm?

  Any ideas?

  Michel

  - Original Message -
  From: "Lewis Bergman" [EMAIL PROTECTED]
  To: freeradius-users@lists.freeradius.org
  Sent: Monday, January 10, 2005 10:01 PM
  Subject: dialup_admin - blank right frames

  Freeradius 1.0.1
  Mysql-max-4.1.8
  Apache 2.0.46
  PHP 4.2.3 (from rpm)
  register globals On
  Magic Quotes Off

  Most of the right frames come back empty. Technically, they come back with some html but no information. No php errors are reported.

  To try and find out what is going on I inserted some print statements into the user_stats.php3 file. All the statements print until I get to the line that has "$start = da_sql_escape_string($start);". After that nothing prints. Normally I would expect some kind of php error if execution stopped but I don't get anything.

  I compiled freeradius against 4.1.8-max libs, and headers with the standard ./configure  make  make install stuff.

  I saw a post from March 2003 about blank right frames likely being a directory problem. I have followed the directions and linked the dialup_admin/htdocs dir to another dir in my web server's space so I don't think that is it.

  Any ideas on where to look from here?
  --
  Lewis Bergman
  Texas Communications
  4309 Maple St.
  Abilene, TX 79602-8044
  325-691-3301
  800-299-6962

  ARUNA MUHYIDDIN,
  MONARCH COMMUNICATIONS LIMITED,
  2, AGORO ODIYAN STREET,
  OFF SAKA TINUBU,
  VICTORIA ISLAND,
  LAGOS,
  NIGERIA.
  234-8023717175
  http://www.monarchng.com/


Re: dialup_admin - blank right frames

2005-01-11 Thread Michel van Dop
Hi Kostas,
I have installed php-mysql!
But PhpMyAdmin works...
But I will check this out! Can you tell me how to check whether this is enabled?
I have webmin (simple web interface).
I have now installed php-ldap and mod_auth_mysql but same blank page.
Thanks,
Michel

- Original Message - 
From: Kostas Kalevras [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, January 11, 2005 6:46 PM
Subject: Re: dialup_admin - blank right frames


On Tue, 11 Jan 2005, Michel van Dop wrote:
Hi,
Thank you for the fast response, but I added this to my httpd.conf:
AddType  application/x-tar .tgz
AddType  application/x-httpd-php .php
AddType  application/x-httpd-php .php3
And restarted httpd: same blank right screen!

Check that the mysql support in php is actually enabled. That's the most 
common reason for this kind of behaviour.

Michel
 - Original Message -
 From: [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Sent: Tuesday, January 11, 2005 5:54 PM
 Subject: Re: dialup_admin - blank right frames
 Hi
 Add to your httpd.conf in the modules after the word in italics (AddType) the following:

 # AddType allows you to add to or override the MIME configuration
 # file mime.types for specific file types.
 #
 AddType application/x-tar .tgz
 AddType application/x-httpd-php .php
 AddType application/x-httpd-php .php3
 and restart your apache then it will display correctly.
 I hope this helps.
 Quoting Michel van Dop [EMAIL PROTECTED]:
  Hi Lewis,
 
  I have the same problem (blank right screen).
  Phpmyadmin works well on this server (httpd)?!
  If you start the httpd service, do you also get this error?
 
  [EMAIL PROTECTED] root]# service httpd restart
  Stopping httpd: [ OK ]
  Starting httpd: httpd: Could not determine the server's fully qualified
  domain name, using 127.0.0.1 for ServerName
  [ OK ]
 
  I don't know whether this is a problem. I have two radius servers on Fedora; one
  server works well and I see the right page.
  But on the one server I got the same problems. I tried copying the config to the
  problem httpd server, but same problems.
  I think I forgot something, an rpm?
 
  Any ideas?
 
  Michel
 
 
 
 
  - Original Message -
  From: Lewis Bergman [EMAIL PROTECTED]
  To: freeradius-users@lists.freeradius.org
  Sent: Monday, January 10, 2005 10:01 PM
  Subject: dialup_admin - blank right frames
 
 
  Freeradius 1.0.1
  Mysql-max-4.1.8
  Apache 2.0.46
  PHP 4.2.3 (from rpm)
  register globals On
  Magic Quotes Off
 
  Most of the right frames come back empty. Technically, they come
  back with some html but no information. No php errors are reported.
 
  To try and find out what is going on I inserted some print
  statements into the user_stats.php3 file. All the statements print
  until I get to the line that has $start =
  da_sql_escape_string($start);. After that nothing prints. Normally
  I would expect some kind of php error if execution stopped but I
  don't get anything.
 
  I compiled freeradius against 4.1.8-max libs, and headers with the
  standard ./configure  make  make install stuff.
 
  I saw a post from March 2003 about blank right frames likely being a
  directory problem. I have followed the directions and linked the
  dialup_admin/htdocs dir to another dir in my web server's space so I
  don't think that is it.
 
  Any ideas on where to look from here?
  -- Lewis Bergman
  Texas Communications
  4309 Maple St.
  Abilene, TX 79602-8044
  325-691-3301
  800-299-6962
 


 ARUNA MUHYIDDIN,
 MONARCH COMMUNICATIONS LIMITED,
 2, AGORO ODIYAN STREET,
 OFF SAKA TINUBU,
 VICTORIA ISLAND,
 LAGOS,
 NIGERIA.
 234-8023717175
 http://www.monarchng.com/
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: Freeradius on two Mysql servers?

2005-01-09 Thread Michel van Dop



Thank you for the reply, Diane.
Yes, I use sql1.conf for the local host mysql db and sql2.conf for the mysql server on the same subnet.

Alan, I use Fedora 1 and on this system this is the last freeradius server version. Is this version 0.9.3-1.1 not stable?

Michel


  - Original Message -
  From: Paul-Hus Diane
  To: 'freeradius-users@lists.freeradius.org'
  Sent: Sunday, January 09, 2005 6:34 PM
  Subject: RE: Freeradius on two Mysql servers?

  Just a thought

  If you copy your sql2.conf over from the first server, did you change the IP address in the sql2.conf on the second server?
  sql1.conf refers to localhost so it is OK on both servers.

   # Connect info
   server = "xxx.xxx.xxx.xxx"
   login = "radius"
   password = "xx"

  diane
  
  -Original Message-
  From: Michel van Dop [mailto:[EMAIL PROTECTED]
  Sent: Sunday, January 09, 2005 10:34 AM
  To: freeradius-users@lists.freeradius.org
  Subject: Freeradius on two Mysql servers?

  Hello,
  I want to run TWO MySQL (3.23.58-4) servers and have FreeRadius (0.9.3-1.1) fall over between them. I do something like this: duplicate your sql.conf and edit the second copy to reflect connecting to your backup server; then name the files something like sql1.conf and sql2.conf; in radiusd.conf change and duplicate the include line for sql.conf to include sql1.conf and sql2.conf instead; in the 'authorize' section of radiusd.conf change the 'sql' entry to a 'group' one, like this:

  $INCLUDE ${confdir}/sql1.conf
  $INCLUDE ${confdir}/sql2.conf

  # sql
  group {
    sql1 {
      fail = 1
      notfound = return
      noop = 2
      ok = return
      updated = 3
      reject = return
      userlock = 4
      invalid = 5
      handled = 6
    }
    sql2 {
      fail = 1
      notfound = return
      noop = 2
      ok = return
      updated = 3
      reject = return
      userlock = 4
      invalid = 5
      handled = 6
    }
  }

  Jan 9 13:29:37 radius02 radiusd: Sun Jan 9 13:29:37 2005 : Info: Starting - reading configuration files ...
  [Failed]

  Can anyone tell me how to get this running? On one db it is working fine. The second db is the same db version and table.
  Thanks, Michel
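
The group block above relies on per-module return-code actions: `return` stops the group at once, while a number is a priority and the highest-priority code seen becomes the group's result. The following is an added example, not part of the original message or of FreeRADIUS itself, that models this in Python with the action table from the message; the module stand-ins and function names are hypothetical, and the priority rule is the one described in FreeRADIUS's configurable fail-over documentation.

```python
# Added illustration: a simplified model of how a fail-over group walks its
# modules. Not FreeRADIUS source code; all names here are hypothetical.

RETURN = "return"  # action: stop processing the group and return this code

# Per-module action table, copied from the sql1 / sql2 blocks in the message.
ACTIONS = {
    "fail": 1, "notfound": RETURN, "noop": 2, "ok": RETURN, "updated": 3,
    "reject": RETURN, "userlock": 4, "invalid": 5, "handled": 6,
}


def make_sql_module(reachable, users):
    """Stand-in for one sql instance (constructed behaviour): 'fail' when the
    database is unreachable, 'ok' for a known user, 'notfound' otherwise."""
    def authorize(username):
        if not reachable:
            return "fail"
        return "ok" if username in users else "notfound"
    return authorize


def run_group(modules, username):
    """Run modules in order and return (result_code, trace)."""
    best_code, best_priority = None, 0
    trace = []
    for name, module, actions in modules:
        code = module(username)
        trace.append((name, code))
        action = actions[code]
        if action == RETURN:
            # 'return' ends the group immediately with this code.
            return code, trace
        if action >= best_priority:
            # A numeric action is a priority; keep the highest one seen.
            best_code, best_priority = code, action
    return best_code, trace


def build_group(sql1_up, sql2_up, users=("alice",)):
    """Two instances over the same (replicated) user data, constructed here."""
    return [
        ("sql1", make_sql_module(sql1_up, users), ACTIONS),
        ("sql2", make_sql_module(sql2_up, users), ACTIONS),
    ]


if __name__ == "__main__":
    cases = [(True, True, "alice"), (False, True, "alice"),
             (False, False, "alice"), (True, True, "mallory")]
    for up1, up2, user in cases:
        print(up1, up2, user, run_group(build_group(up1, up2), user))
```

With both databases unreachable the group result is `fail`, never `ok`, and an unknown user on a reachable sql1 gets `notfound` without sql2 being consulted, which is only safe when both databases hold the same user data.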


Re: Accounting proxying

2005-01-08 Thread Michel van Dop
Hi,
I am using chillispot software on more than 5 wrt54gs and we use freeradius.
We have 2 freeradius servers on 2 mysql; we use replication so there is
a master db and a slave db. We want to use one freeradius server (using the master 
db); only when that freeradius (master db) is offline do we want to use the second 
radius server on the slave db.
Is there a simple solution to set a proxy on the freeradius (master db) and, 
when that freeradius is down, to go to the second freeradius (slave db)?
Is there a simple url or doc to do this? Or is this solution crazy, and 
is there a better solution for my problem?

Thank you,
Michel
- Original Message - 
From: Kostas Kalevras [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Saturday, January 08, 2005 7:32 PM
Subject: Re: Accounting proxying


On Fri, 7 Jan 2005, Nicolas Baradakis wrote:
Now we have both radrelay and radsqlrelay, there is more than one way
to proxy accounting requests. I'd like to discuss this topic on the
list, and see in a concrete case which one is more suitable.

Let's take the following case: all the accounting go in a single
database. (this base may be replicated later but it's outside of the
current topic) We want the requests to be buffered in detail files if
the database is momently slow, or maybe down / unreachable.

There's another reason to keep detail files, the reason radsqlrelay was 
created in the first place. The fact that you don't want your radius 
service to be affected by operations performed on the database (record 
removal, large queries like statistics calculation, etc).

I see at least three possible designs with radrelay/radsqlrelay...
1. The proxy stores all the accounting requests in a single local
file, then radrelay forwards it to a server which does accounting
only.
[ASCII diagram: the proxy sends auth to the realm servers and writes acct to a detail file; radrelay reads the detail file and forwards to the acct server, which feeds the database.]
This design adds an extra failure point in the accounting process.
2. The proxy sorts the accounting requests by realms and writes a
detail file per realm. Then we start one radsqlrelay instance per
realm (with the appropriate sql module) to feed the database.
[ASCII diagram: the proxy sends auth to the realm servers and writes acct to one detail file per realm; radsqlrelay instances read the detail files and feed the database.]

Rather clean design. Although i don't quite understand why you need 
separate detail/radsqlrelay per realm. Why can't you do it all with one 
detail file/radsqlrelay process?

3. The proxy forwards everything to the real server. However, the
realm server stores the request in a detail file and answers quickly
to the proxy. A radsqlrelay instance (this time on the realm server)
feeds the database...
[ASCII diagram, cut off in the archive; surviving labels: realm server, detail]

How to change personal fields dialup_admin?

2004-12-16 Thread Michel van Dop
Hello,

I want to change the Personal Information page fields in dialup_admin.
I know I can change the user-info table name in admin.conf.
But how can I change the table fields? I can change the user_info.php3.
But I think there is a better solution for this, but I don't know how?

Thank you,

Michel



Re: Ttotacct is empty in mysql db, how to?

2004-12-10 Thread Michel van Dop
Thank you..

I read the manual and my config in admin.conf sql_command: /usr/bin/mysql
was wrong.

My dialup_admin works, I see online status! Great!!
But when I try to run tot_stats I get an error 1045. My user in
admin.conf is good
and has a password!?

[EMAIL PROTECTED] bin]# ./tot_stats
DELETE FROM totacct WHERE AcctDate = '2004-12-09 00:00:00';
INSERT INTO totacct (UserName,AcctDate,ConnNum,ConnTotDuration,

ConnMaxDuration,ConnMinDuration,InputOctets,OutputOctets,NASIPAddress)
SELECT UserName,'2004-12-09',COUNT(*),SUM(AcctSessionTime),
MAX(AcctSessionTime),MIN(AcctSessionTime),SUM(AcctInputOctets),
SUM(AcctOutputOctets),NASIPAddress FROM radacct
WHERE AcctStopTime = '2004-12-09 00:00:00' AND
AcctStopTime  '2004-12-10 00:00:00' GROUP BY UserName,NASIPAddress;
ERROR 1045: Access denied for user: '[EMAIL PROTECTED]' (Using password: NO)

- Original Message - 
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 09, 2004 11:45 PM
Subject: Re: Ttotacct is empty in mysql db, how to?


 On Thu, 9 Dec 2004, Michel van Dop wrote:

  Hello,
 
  I am using freeradius-mysql-0.9.3-1.1 on Fedora 1, I connect to a mysql server
  3.58.x db. It works okay with mysql on username and groupname.
  My totacct is empty in the mysql db. Can anyone tell me how to configure this, or can
  anyone send me a good link with information about this.

 totacct is populated by the dialupadmin/bin/tot_stats script. Configure it
 properly, run it and things should work. The dialupadmin/doc/HOWTO should
 contain more information.

 
  Thank you to read my problem,
 
  Michel
 
 
 

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 210 7721861
 'Go back to the shadow' Gandalf



Ttotacct is empty in mysql db, how to?

2004-12-09 Thread Michel van Dop



Hello,

I am using freeradius-mysql-0.9.3-1.1 on Fedora 1, I connect to a mysql server 3.58.x db. It works okay with mysql on username and groupname.
My totacct is empty in the mysql db. Can anyone tell me how to configure this, or can anyone send me a good link with information about this.

Thank you to read my problem,

Michel




freeradius-1.0.0 pre2 execution segfault

2004-06-21 Thread Michel EAR








Hello!

My configuration:

Openssl v 0.9.7d installed with the option shared in /usr/local/ssl
Openssl v 0.9.7d installed with the option shared in /usr/local/openssl-certgen
openssl-SNAP20040613 installed with the option shared in /usr/local/openssl
./config and install OK!

I've added the path /usr/local/openssl/lib to the ld.so.conf.

Freeradius v 1.0.0 pre2 installed in /etc/raddb/
./configure and installation OK!

When radiusd is launched, I get a Segmentation fault. Apparently, the eap module with type tls is loaded but not instantiated.

With default_eap_type in eap.conf set to md5 instead of tls and the tls module commented, it works fine!

Any ideas?



Thanks








freeradius 1.0.0 pre1 segmentation fault with tls

2004-06-18 Thread Michel EAR








Hello!

I've been trying to make freeradius work with EAP-TLS but I have a 
segmentation fault. 
I'm using:
- freeradius 1.0.0 pre1
- openssl-SNAP20040613

When radiusd is launched with the script radiusd.sh, here is what I get:

Module: Loaded eap 
eap: default_eap_type = tls 
eap: timer_expire = 60 
eap: ignore_unknown_eap_types = yes 
eap: cisco_accounting_username_bug = no 
Segmentation fault 

I'd be very grateful if anyone could help me.

Thanks








RE : freeradius 1.0.0 pre1 segmentation fault with tls

2004-06-18 Thread Michel EAR
I've checked the logfile and here's what I get :
Info: Using deprecated naslist file. Support for this will go away soon.
Info: rlm_exec: Wait=yes but no output defined. Did you mean
output=none?

I don't think there's anything wrong in that, but maybe a bad
link to the openssl libraries during compilation or execution. 

I've used http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, is it
the one you're referring to? 

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
Sathish Challa
Sent: Friday, June 18, 2004 13:41
To: [EMAIL PROTECTED]
Subject: RE: freeradius 1.0.0 pre1 segmentation fault with tls

Do it as per How-To guide and after that install pre2 it works.
Of course it worked for me.

Thank you,
Sathish Challa.
GRIC Software India Pvt. Ltd., www.GoRemote.com
Mobile: +91-98451-90676
Office [Direct]: +91-80 513 80 882
 
Server Group's Mission:
“Innovative, open and scalable solutions pioneered proactively with a
methodical approach and engineering agility to deliver quality solutions
to the Customers and prudent responses to Product Management and other
decision making bodies”
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frédéric EVRARD
Sent: Friday, June 18, 2004 4:47 PM
To: [EMAIL PROTECTED]
Subject: Re: freeradius 1.0.0 pre1 segmentation fault with tls

 Hello !

 I've been trying to make freeradius work with EAP-TLS but I have a
 segmentation fault.
 I'm using:
 - freeradius 1.0.0 pre1
 - openssl-SNAP20040613

 When radiusd is launched with the script radiusd.sh, here is what I
 get:

 Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
 Segmentation fault

 I'd be very grateful if anyone could help me.

Look in the configure log to see if all is ok with the link to the openssl lib



 Thanks


