After signal HUP freeRADIUS Segmentation fault
freeRADIUS version is 1.1.6. I saw the same question on the mailing list (freeRADIUS 0.8). Has this problem been fixed? Thanks.

Nothing to do. Sleeping until we see a request.
Reloading configuration files.
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/ldap.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 45
main: cleanup_delay = 5
main: max_requests = 256
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = no
main: debug_level = 0
read_config_files: reading dictionary
Mon Aug 13 06:55:25 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Mon Aug 13 06:55:25 2007 : Error: radiusd.conf[84] Auth-Type MS-CHAP already configured - skipping
Mon Aug 13 06:55:25 2007 : Info: rlm_eap_tls: Loading the certificate file as a chain
Mon Aug 13 06:55:25 2007 : Info: radiusd.conf Auth-Type eap already configured - skipping
Mon Aug 13 06:55:25 2007 : Info: Ready to process requests.
Segmentation fault

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Trying to work out 24hour access cards
Hi!

Thanks for the swift reply. So if I run the script at every login, all it should do is have it check if there are no previous logins for that particular username, and if that's the case it should add a record containing: (username) Expiration = 86400 to... RadReply? Or is it a different table? And in this situation I'd be using Max-All-Session, right?

Regards,
Evert

[EMAIL PROTECTED] wrote:
> Not really. They will be able to open an account at noon and use 12 hours; then a few minutes before noon of the next day connect again and use another 12 hours mostly past your 24 hour deadline.
>
> You want to add the Expiration attribute to the user profile at the time of the first login. You can use exec or perl script to do this at the time of every login (you need to run it every time but add attribute only if it is the first for that user). Or, simpler, run an outside program once a day setting it for new starters. Put also Max-All-Session=86400 at the time of the account opening (you don't need that if you are running a script at every login).
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 10/8/2007, Evert Meulie [EMAIL PROTECTED] wrote:
>> Hi all!
>>
>> I have a system here that's based on freeradius-1.0.2-r5 (Gentoo distro) and we're having some problem with 24hour access cards. With these I mean logins that will give a user access for a period of max. 24 hours from first login. Should be able to be over a period of 2 days. For example
>> first login: 3pm day 1
>> 2nd login: 1pm day 2
>> should be allowed
>>
>> I've been looking at http://wiki.freeradius.org/Rlm_sqlcounter and see that
>> Max-Daily-Session=86400 will NOT do the trick, since this will allow 24 hours of access PER day
>> Max-All-Session=86400 will not work either, since this will allow a total of 24 hours of login time over an undefined period.
>>
>> How do I get the correct config for my situation? Do I set BOTH Max-Daily-Session Max-All-Session to 86400 in my case to get the correct result?
>>
>> Regards,
>> Evert
Re: Patch for SQL and SQLIPPool performance
On Fri 10 Aug 2007, Roy Walker wrote:
> This patch has 2 things. Rewritten SQL queries for Postgres on the SQLIPPool. This actually makes using the SQLIPPool possible with a lot of clients (for Postgres at least, the FOR UPDATE was unnecessary since it is already in a transaction block, and actually dangerous as you could leave have dead lock scenarios).

Hmm.. I need to go through the query flow to double check this but you may be correct.

> Query times dropped from 250+ ms to under 1 ms. For my needs I had removed CallingStationId from the query and index since it is always the same as username, but I left it in for the patch, is there really a situation where those 2 are different?

Yep. UserName is supplied by the user. CallingStationId in my deployments is the user's GSM number supplied by the GSM operator. Depending on the network type you have this will change of course. It could also be the user's MAC address for example.

> There is now a configurable cache option for the 5 read-heavy tables involved in an auth request. You can of course as the config file says, just leave it at 0 to disable the caching.

ok. Interesting.

> Some warnings for those that are trying to use SQLIPPool. Even after optimizing the query, the performance still will not allow more than about 10 or 20 simultaneous requests. The biggest problem I see is that one connection is not used to finish one client request all the way through. Ie the client requests and is auth'd against the check and reply tables, then the SQLIPPool call is made, but all the DB connections are in use, so your client gets a reject because the SQLIPPool call is not able to complete. One potential fix is to setup another SQL DB for just the IPPool and so you ensure that any connection that is handled can get an IP.

I am fairly sure I have already recommended that to you and many others on the list. DO use a separate DB instance for sqlippool! I run with a total of 150 DB sockets assigned to FreeRADIUS (Auth (50), Acct(50) and SQLIPPool(50))

> One thought is to make an IPPool module that calls to a DHCP server (or a pool of DHCP servers). Regardless, the IP allocation has to be able to scale to 500 or so simultaneous IP requests.

These modules exist for other RADIUS servers. Personally I think it's a really messy way of doing things, and doesn't allow you to virtualise overlapping IP pools, but if you wish to write a FreeRADIUS module to do it we would be happy to have it as a 4th IP Pool module ;-)

Cheers
--
Peter Nixon
http://peternixon.net/
Re: EAP-Handshakes: every reply runs the full authorize-section
I forgot: thanks for the info

- Original Message -
From: Arran Cudbard-Bell [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, June 11, 2007 10:16 AM
Subject: Re: EAP-Handshakes: every reply runs the full authorize-section

> Rainer Brinkmann wrote:
>> FreeRADIUS Version 1.1.0:
>>
>> Hello, we run EAP-TTLS and what we get in Debug-Mode is, that every received EAP-Packet within the TLS-Tunnel-establish runs the complete authorize-section and slows down the overall time to create a TTLS-Tunnel. Reason is, that the User-Name e.g. NTB-BRINK-610, which is the EAP-Identity, comes with every received EAP-Packet and is always checked against the full authorize-section. Is it possible to skip these redundant checks in the following EAP-responses that build a specific EAP-Session? (the EAP-Idents can't be resolved in our LDAP, cause that machinenames are always unknown to us. What we have to check are the inner-Tunnel - credentials)
>>
>> kind regards
>> Rainer Brinkmann
>> Network-Management
>> University-Clinicum Hamburg / Germany
>
> Yep, this issue is reduced in 2.0 pre1, the eap module will return handled (so will skip the rest of the authorise and authenticate sections) when it doesn't need to authenticate the user, or acquire attributes for authorisation/authentication. 2.0pre1 brings the number of full autz/auth runs down to around 3-4 per EAP authentication.
>
> --
> Arran Cudbard-Bell ([EMAIL PROTECTED])
> Authentication, Authorisation and Accounting Officer
> Infrastructure Services | ENG1 E1-1-08
> University Of Sussex, Brighton
> EXT:01273 873900 | INT: 3900
strip domain
Dear, I have done proxying of the users based on the domain and the PSTN no. using an SQL query on the radcheck table, but I need to strip the username before proxying it. Please advise.
Error running FreeRadius 1.1.7
Hi everyone

I get this error when trying to run FreeRadius 1.1.7 for the first time, does this sound familiar?:

/usr/local/etc/raddb/hints[37]: Parse error (check) for entry DEFAULT: Unknown value Yes for attribute Strip-User-Name

regards
George
EAP-TLS Certificates
I am using free radius 1.1.6 for EAP-TLS. I think all the example certificates are old. Is there a place from where I can download some sample certificates (both for free radius and for client) which can be used for communication?
Re: EAP-TLS Certificates
Hi,

> I am using free radius 1.1.6 for EAP-TLS. I think all the example certificates are old. Is there a place from where i can download some sample certificates (both for free radius and for client) which can be used for communication.

get 1.1.7. ensure you copy your config to somewhere safe and then install 1.1.7 - it will auto generate the EAP-TLS stuff so you can get working with it.

alan
Problem on WPA-EAP with Linux
Hi,

I'm having trouble to authenticate my linux workstations with wpa_supplicant to Freeradius (1.1). The Windows Stations are working fine, but linux is making trouble. The AP is a Linksys WLAN Accesspoint, as said WPA Radius works, because all Windows Notebooks can login. I'm doing a WPA over EAP. And my Error is:

Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request

After switching on my debug I see this:

rlm_eap: NAK asked for bad type 0
rlm_eap: Failed in EAP select

Which is most certainly the reason why the auth fails. But I'm far away from knowing the solution. Can you help please?

Below the complete Log of the conversation:

rad_recv: Access-Request packet from host 10.48.244.28:3073, id=1, length=131
    User-Name = scit-acer
    NAS-IP-Address = 10.48.244.28
    Called-Station-Id = 0016b64f44cc
    Calling-Station-Id = 0016cfab64e4
    NAS-Identifier = 0016b64f44cc
    NAS-Port = 43
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0201000e01736369742d61636572
    Message-Authenticator = 0x8b86db463306f78257b8e03600912a5b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_eap: EAP packet type response id 1 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
users: Matched entry scit-acer at line 14
modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 1 to 10.48.244.28 port 3073
    EAP-Message = 0x010200060d20
    Message-Authenticator = 0x
    State = 0xb2f2a1559ef1683126762202eeec3974
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.244.28:3073, id=1, length=141
    User-Name = scit-acer
    NAS-IP-Address = 10.48.244.28
    Called-Station-Id = 0016b64f44cc
    Calling-Station-Id = 0016cfab64e4
    NAS-Identifier = 0016b64f44cc
    NAS-Port = 43
    Framed-MTU = 1400
    State = 0xb2f2a1559ef1683126762202eeec3974
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020200060300
    Message-Authenticator = 0x9a1a879ecba47ab01f2f3410625ceabc
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 1
users: Matched entry scit-acer at line 14
modcall[authorize]: module files returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: NAK asked for bad type 0
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 1
modcall: leaving group authenticate (returns invalid) for request 1
auth: Failed to validate the user.
Login incorrect: [scit-acer] (from client khb-buehring port 43 cli 0016cfab64e4)
Delaying request 1 for 1 seconds
Finished request 1

TIA
Alex
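Added example (not part of the original post and not FreeRADIUS code): a small Python decoder for the three EAP-Message values in the debug output above, following the RFC 3748 packet layout. The function names are hypothetical, and it assumes each EAP-Message value holds one complete EAP packet. It shows the supplicant answering the server's EAP-TLS Start with a Nak whose only desired type is 0, which RFC 3748 defines as "no viable alternative".

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method types from RFC 3748 and the IANA registry (subset).
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP",
             26: "MSCHAPv2"}
# Flag bits in the first type-data octet of an EAP-TLS packet (RFC 5216).
TLS_FLAGS = {0x80: "Length-Included", 0x40: "More-Fragments", 0x20: "Start"}

# The three EAP-Message values from the debug output in the post above,
# in the order they appear (request 0, its challenge, request 1).
SAMPLE_LOG = """\
EAP-Message = 0x0201000e01736369742d61636572
EAP-Message = 0x010200060d20
EAP-Message = 0x020200060300
"""


def type_name(eap_type):
    return EAP_TYPES.get(eap_type, "Unknown(%d)" % eap_type)


def parse_eap(hex_value):
    """Decode one EAP packet given as a radiusd-style hex string."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(raw))
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # The Length field covers the whole packet and must fit the data we have.
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
           "id": ident, "length": length}
    if code not in (1, 2):
        return pkt  # Success and Failure carry no Type field
    if length < 5:
        raise ValueError("Request/Response without a Type octet")
    eap_type, data = raw[4], raw[5:length]
    pkt["type_num"] = eap_type
    pkt["type"] = type_name(eap_type)
    if eap_type == 1:
        pkt["identity"] = data.decode("utf-8", "replace")
    elif eap_type == 3:
        # Legacy Nak: one octet per desired method, 0 = no alternative.
        pkt["nak_desired"] = list(data)
    elif eap_type == 13 and data:
        pkt["tls_flags"] = [n for bit, n in TLS_FLAGS.items() if data[0] & bit]
    return pkt


def extract_eap_messages(log_text):
    """Parse every EAP-Message attribute found in radiusd debug output."""
    values = re.findall(r"EAP-Message = (0x[0-9a-fA-F]+)", log_text)
    return [parse_eap(v) for v in values]


def diagnose(packets):
    """Pair each Nak response with the method request it refuses."""
    findings = []
    offered = None
    for pkt in packets:
        if pkt["code"] == "Request" and pkt.get("type_num", 0) >= 4:
            offered = pkt  # server proposed an authentication method
        elif pkt["code"] == "Response" and pkt.get("type") == "Nak" and offered:
            if pkt["id"] != offered["id"]:
                continue  # Nak does not answer the request we saw
            wanted = [type_name(t) for t in pkt["nak_desired"] if t != 0]
            if wanted:
                msg = "peer refused %s and asked for %s" % (
                    offered["type"], ", ".join(wanted))
            else:
                msg = "peer refused %s and named no alternative method" % (
                    offered["type"])
            findings.append("id %d: %s" % (pkt["id"], msg))
    return findings


if __name__ == "__main__":
    for packet in extract_eap_messages(SAMPLE_LOG):
        print(packet)
    for finding in diagnose(extract_eap_messages(SAMPLE_LOG)):
        print(finding)
```
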
Re: error on start freeradius + jradius
Hi Kevin

This is the output i get

Any ideas?

regards
George

[EMAIL PROTECTED]:/# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/jradius.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
*** glibc detected *** /usr/local/sbin/radiusd: double free or corruption (fasttop): 0x80101ef0 ***
=== Backtrace: =
/lib/tls/i686/cmov/libc.so.6[0xb7d787cd]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7d7be30]
/usr/local/lib/libltdl.so.3[0xb7e597cb]
/usr/local/lib/libltdl.so.3(lt_dlopenext+0xbe)[0xb7e5a15e]
/usr/local/sbin/radiusd(find_module_instance+0x358)[0x8000daa8]
/usr/local/sbin/radiusd(setup_modules+0x1e8)[0x8000df48]
/usr/local/sbin/radiusd(main+0x46c)[0x8001173c]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7d26ebc]
/usr/local/sbin/radiusd[0x80004fb1]
Re: Problem on WPA-EAP with Linux
Hi,

sorry for the repost, I simply wanted to add that I'm doing an EAP-TLS conversation and have all certs installed.

TIA
Alex
Re: Error running FreeRadius 1.1.7
George Beitis wrote:
> Hi everyone
>
> I get this error when trying to run FreeRadius 1.1.7 for the first time, does this sound familiar?:
>
> /usr/local/etc/raddb/hints[37]: Parse error (check) for entry DEFAULT: Unknown value Yes for attribute Strip-User-Name

It means you installed 1.1.7 on a system that previously had another RADIUS server installed. Ensure that FreeRADIUS is using the dictionaries that come with it, not any other dictionaries.

Alan DeKok.
Re: EAP-TLS Certificates
[EMAIL PROTECTED] wrote:
> get 1.1.7. ensure you copy your config to somewhere safe and then install 1.1.7 - it will auto generate the EAP-TLS stuff so you can get working with it.

That's CVS head, not 1.1.7. I think we can release 2.0-pre2 this week.

Alan DeKok.
Re: Error running FreeRadius 1.1.7
George Beitis wrote:
> Thanks for the reply Alan, i was running version 1.1.1 before. I deleted the raddb directory, what else should i delete before making a clean install?

That should have worked. Read the debug output to see which dictionary files it's loading. Make sure you've installed the ones from 1.1.7, and that the server is using them.

Alan DeKok.
Re: Problem on WPA-EAP with Linux
Alexandros Gougousoudis wrote:
> After switching on my debug I see this:
> rlm_eap: NAK asked for bad type 0
> rlm_eap: Failed in EAP select

The supplicant is misconfigured, or broken.

> Which is most certainly the reason why the auth fails. But I'm far away from knowing the solution. Can you help please?

Ask on the xsupplicant list. There's nothing you can do to the RADIUS server that will make the supplicant behave properly.

Alan DeKok.
Re: Error running FreeRadius 1.1.7
Thanks for the reply Alan, i was running version 1.1.1 before. I deleted the raddb directory, what else should i delete before making a clean install?

regards
George

Alan DeKok wrote:
> George Beitis wrote:
>> Hi everyone
>>
>> I get this error when trying to run FreeRadius 1.1.7 for the first time, does this sound familiar?:
>>
>> /usr/local/etc/raddb/hints[37]: Parse error (check) for entry DEFAULT: Unknown value Yes for attribute Strip-User-Name
>
> It means you installed 1.1.7 on a system that previously had another RADIUS server installed. Ensure that FreeRADIUS is using the dictionaries that come with it, not any other dictionaries.
>
> Alan DeKok.
Re: Error running FreeRadius 1.1.7
Hi,

> Thanks for the reply Alan, i was running version 1.1.1 before. I deleted the raddb directory, what else should i delete before making a clean install?

possibly all the rlm_* files in your lib directory - wherever that is for your installation, to stop shared library problems.

alan
Re: EAP-TLS Certificates
Hi,

> That's CVS head, not 1.1.7. I think we can release 2.0-pre2 this week.

comments on CVS:

the listen directive is not active by default in the radiusd.conf , I thought this would have been made the de facto way for 2.0

naslist, realms and clients are still present - obsolete in 1.1.x surely GONE in 2.0

there is no commented out, ready to run experimental.conf line - as we have for snmp.conf etc

alan
OR Problem in authorize_check_query
Hello, I have a problem in this SQL statement (in mssql.conf):

authorize_check_query = "SELECT id,UserName,Attribute,Value,op,right FROM ${authcheck_table} WHERE ((Username = '%{SQL-User-Name}') AND (right = 1) AND (CallingID = '%{Calling-Station-Id}')) OR ('%{Called-Station-Id}' IN (SELECT TelNr FROM Emergencynbrs)) ORDER BY id"

If I'm using the OR statement in my authorize_check_query, I cannot authenticate the user! I have also tried with OR (1=1) but no way. Without the OR part of the SQL statement it works correctly.

Any help is appreciated.
RE: Problem on WPA-EAP with Linux
Are you sure you have properly configured the Windows client??

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alexandros Gougousoudis
Sent: Monday, August 13, 2007 4:03 PM
To: FreeRadius users mailing list
Subject: Re: Problem on WPA-EAP with Linux

> Hi,
>
> sorry for the repost, I simply wanted to add that I'm doing an EAP-TLS conversation and have all certs installed.
>
> TIA
> Alex
Re: Error running FreeRadius 1.1.7
Hi Alan,

i removed all the dictionary files as you recommended and any other freeradius related file on the system, i even made a package using the freeradius build guide and installed and uninstalled it. The problems i have remain the same. This is what i get for my output. The only dictionaries on my system are under usr/share/freeradius

regards
George

/usr/sbin/freeradius -x
Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
/etc/freeradius/hints[37]: Parse error (check) for entry DEFAULT: Unknown value Yes for attribute Strip-User-Name
rlm_preprocess: Error reading /etc/freeradius/hints
radiusd.conf[1021]: preprocess: Module instantiation failed.
radiusd.conf[1802] Unknown module preprocess.
radiusd.conf[1792] Failed to parse authorize section.

Alan DeKok wrote:
> George Beitis wrote:
>> Thanks for the reply Alan, i was running version 1.1.1 before. I deleted the raddb directory, what else should i delete before making a clean install?
>
> That should have worked. Read the debug output to see which dictionary files it's loading. Make sure you've installed the ones from 1.1.7, and that the server is using them.
>
> Alan DeKok.
Re: Error running FreeRadius 1.1.7
I noticed someone else had the same problem on the 11th of June. It was also suggested to him to use the dictionaries that came with freeradius, but there has been no response of any sort since then on that subject. It would be good if the person who asked the original question found a solution and could post it

regards
George

George Beitis wrote:
> Hi Alan,
>
> i removed all the dictionary files as you recommended and any other freeradius related file on the system, i even made a package using the freeradius build guide and installed and uninstalled it. The problems i have remain the same. This is what i get for my output. The only dictionaries on my system are under usr/share/freeradius
>
> regards
> George
>
> /usr/sbin/freeradius -x
> Starting - reading configuration files ...
> Using deprecated naslist file. Support for this will go away soon.
> Module: Loaded exec
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> Module: Instantiated unix (unix)
> Module: Loaded eap
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> rlm_eap: Loaded and initialized type gtc
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> /etc/freeradius/hints[37]: Parse error (check) for entry DEFAULT: Unknown value Yes for attribute Strip-User-Name
> rlm_preprocess: Error reading /etc/freeradius/hints
> radiusd.conf[1021]: preprocess: Module instantiation failed.
> radiusd.conf[1802] Unknown module preprocess.
> radiusd.conf[1792] Failed to parse authorize section.
>
> Alan DeKok wrote:
>> George Beitis wrote:
>>> Thanks for the reply Alan, i was running version 1.1.1 before. I deleted the raddb directory, what else should i delete before making a clean install?
>>
>> That should have worked. Read the debug output to see which dictionary files it's loading. Make sure you've installed the ones from 1.1.7, and that the server is using them.
>>
>> Alan DeKok.
Re: Error running FreeRadius 1.1.7
George Beitis wrote:
> Hi Alan, i removed all the dictionary files as you recommended and any other freeradius related file on the system, i even made a package using the freeradius build guide and installed and uninstalled it. The problems i have remain the same. This is what i get for my output. The only dictionaries on my system are under usr/share/freeradius

Hmm... on further investigation, there are some minor issues with the dictionaries. If you've deleted (or commented out) the dictionary.compat file, then you'll get this error. A normal install with un-touched dictionaries won't get it.

Alan DeKok.
Re: EAP-TLS Certificates
[EMAIL PROTECTED] wrote:
> the listen directive is not active by default in the radiusd.conf , I thought this would have been made the de facto way for 2.0

? bind_address and port are no longer globally defined in radiusd.conf. There is instead a top-level listen directive.

> naslist, realms and clients are still present - obsolete in 1.1.x surely GONE in 2.0

? naslist clients were deleted from CVS in 2005. naspasswd realms are still there, along with man pages. I've deleted those. checkrad is a hack. It's unmaintained, and nearly unmaintainable. We should replace it with something better.

> there is no commented out, ready to run experimental.conf line - as we have for snmp.conf etc

The experimental.conf stuff is supposed to be made active a module at a time, rather than pulling everything in.

Alan DeKok.
Re: EAP-TLS Certificates
hi,

thanks - sorry i got confused over 2 of my repositories earlier today (i'm keeping TNC patch uptodate with FR releases)

alan
Re: EAP-TLS Certificates
On Mon 13 Aug 2007, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
>> the listen directive is not active by default in the radiusd.conf , I thought this would have been made the de facto way for 2.0
>
> ? bind_address and port are no longer globally defined in radiusd.conf. There is instead a top-level listen directive.
>
>> naslist, realms and clients are still present - obsolete in 1.1.x surely GONE in 2.0
>
> ? naslist clients were deleted from CVS in 2005. naspasswd realms are still there, along with man pages. I've deleted those. checkrad is a hack. It's unmaintained, and nearly unmaintainable. We should replace it with something better.
>
>> there is no commented out, ready to run experimental.conf line - as we have for snmp.conf etc
>
> The experimental.conf stuff is supposed to be made active a module at a time, rather than pulling everything in.

I think for 2.0 we should make an etc/raddb/experimental/xxx.conf setup with a main file somewhere which includes each one, but where each include line is commented out by default..

Cheers
--
Peter Nixon
http://peternixon.net/
Configuration issue - unknown client
This is my first stab at Freeradius. I have the server installed on Sabayon Linux, and the radtest script runs fine. I've done basically no configuration to it, because I'm not sure what to configure.

I'm writing a client on another system (it's VMS if that's germane). I format send a request packet to the server system, and get (running radiusd -X):

rad_recv: Access-Request packet from host 192.168.0.11:1812, id=67, length=47
Ignoring request from unknown client 192.168.0.11:1812

I'm sure I don't have the server configured properly. So, what am I missing? Thanks!

--
+------------------------+--------------------------------------+
| Dan O'Reilly           | There are 10 types of people in this |
| Principal Engineer     | world: those who understand binary   |
| Process Software       | and those who don't.                 |
| http://www.process.com |                                      |
+------------------------+--------------------------------------+
radius client in on Server, Freeradius on another Server
Hi, I have a radius client installed on my server, and freeradius and mysql installed on another server. How can I connect them? What configs do I need to change?

ram
Re: Configuration issue - unknown client
On 8/13/07, Dan O'Reilly [EMAIL PROTECTED] wrote:
> This is my first stab at Freeradius. I have the server installed on Sabayon Linux, and the radtest script runs fine. I've done basically no configuration to it, because I'm not sure what to configure. I'm writing a client on another system (it's VMS if that's germane). I format and send a request packet to the server system, and get (running radiusd -X):
>
> rad_recv: Access-Request packet from host 192.168.0.11:1812, id=67, length=47
> Ignoring request from unknown client 192.168.0.11:1812

You need to add new clients to clients.conf. FreeRADIUS will only talk to clients in this file.

-- Nicholas Hall [EMAIL PROTECTED] 262.208.6271
Re: radius client in on Server, Freeradius on another Server
On 8/13/07, ram [EMAIL PROTECTED] wrote:
> Hi, I have a radius client installed on my server, and freeradius and mysql installed on another server. How can I connect them? What configs do I need to change?
>
> ram

You will need to add the client in clients.conf on the server.

-- Nicholas Hall [EMAIL PROTECTED] 262.208.6271
Re: Configuration issue - unknown client
Same issue. Here's my /etc/raddb/clients.conf:

client 192.168.0.11 secret foobar

At 04:15 PM 8/13/2007, Nicholas Hall wrote:
> On 8/13/07, Dan O'Reilly [EMAIL PROTECTED] wrote:
> > This is my first stab at Freeradius. I have the server installed on Sabayon Linux, and the radtest script runs fine. I've done basically no configuration to it, because I'm not sure what to configure. I'm writing a client on another system (it's VMS if that's germane). I format and send a request packet to the server system, and get (running radiusd -X):
> >
> > rad_recv: Access-Request packet from host 192.168.0.11:1812, id=67, length=47
> > Ignoring request from unknown client 192.168.0.11:1812
>
> You need to add new clients to clients.conf. FreeRADIUS will only talk to clients in this file.

-- Dan O'Reilly
Re: radius client in on Server, Freeradius on another Server
> You will need to add the client in clients.conf on the server

I am using radiusclient-ng on the client side to connect to the radius server. Is there anything required to configure on the radiusclient-ng side? I am using mysql, so do I need to add it in the database or in clients.conf (hardcode)?

ram
Re: Configuration issue - unknown client
On 8/13/07, Dan O'Reilly [EMAIL PROTECTED] wrote:
> Same issue. Here's my /etc/raddb/clients.conf:
>
> client 192.168.0.11 secret foobar

Shouldn't that be:

client 192.168.0.11 {
    secret = foobar
}

-- Nicholas Hall [EMAIL PROTECTED] 262.208.6271
Re: Configuration issue - unknown client
I had it that way and it didn't work either.

At 04:27 PM 8/13/2007, Nicholas Hall wrote:
> On 8/13/07, Dan O'Reilly [EMAIL PROTECTED] wrote:
> > Same issue. Here's my /etc/raddb/clients.conf:
> >
> > client 192.168.0.11 secret foobar
>
> Shouldn't that be:
>
> client 192.168.0.11 {
>     secret = foobar
> }

-- Dan O'Reilly
Re: Configuration issue - unknown client
On 8/13/07, Dan O'Reilly [EMAIL PROTECTED] wrote:
> I had it that way and it didn't work either.
>
> At 04:27 PM 8/13/2007, Nicholas Hall wrote:
> > On 8/13/07, Dan O'Reilly [EMAIL PROTECTED] wrote:
> > > Same issue. Here's my /etc/raddb/clients.conf:
> > >
> > > client 192.168.0.11 secret foobar
> >
> > Shouldn't that be:
> >
> > client 192.168.0.11 {
> >     secret = foobar
> > }

Dan, please follow the examples in clients.conf and then post your complete radius debug output (radiusd -X)

-- Nicholas Hall [EMAIL PROTECTED] 262.208.6271
Re: Configuration issue - unknown client
My /etc/raddb/clients.conf: client 192.168.0.11 { secret = foobar } Here's the output from radiusd -X: danolaptop freeradius-1.1.7 # /usr/local/sbin/radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = /usr/local main: localstatedir = /usr/local/var main: logdir = /usr/local/var/log/radius main: libdir = /usr/local/lib main: radacctdir = /usr/local/var/log/radius/radacct main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /usr/local/var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /usr/local/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/sbin/checkrad main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. 
read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = (null) exec: input_pairs = request exec: output_pairs = (null) exec: packet_type = (null) rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = crypt pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = (null) mschap: ntlm_auth = (null) Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = (null) unix: shadow = (null) unix: group = (null) unix: radwtmp = /usr/local/var/log/radius/radwtmp unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = md5 eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = Password: gtc: auth_type = PAP rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = /usr/local/etc/raddb/huntgroups preprocess: hints = /usr/local/etc/raddb/hints preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = suffix realm: delimiter = @ realm: ignore_default = no realm: 
ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = /usr/local/etc/raddb/users files: acctusersfile = /usr/local/etc/raddb/acct_users files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users files: compat = no Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = /usr/local/var/log/radius/radutmp radutmp: username = %{User-Name} radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813
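The debug output above lists the files radiusd included from /usr/local/etc/raddb, while the poster quotes /etc/raddb/clients.conf. The following is an added example, not code from the thread or from the FreeRADIUS project: it checks the two things raised in this thread, which clients.conf the server loaded and whether the client entry uses the braced form. The function names and the sample strings (built from lines quoted in the thread) are constructed for illustration.

```python
import re

# Constructed sample: lines quoted in the thread's radiusd -X output,
# restored to one log entry per line.
DEBUG_OUTPUT = """\
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Listening on authentication *:1812
rad_recv: Access-Request packet from host 192.168.0.11:1812, id=67, length=47
Ignoring request from unknown client 192.168.0.11:1812
"""

# The two clients.conf variants posted in the thread.
BRACELESS = "client 192.168.0.11 secret foobar\n"
BRACED = "client 192.168.0.11 {\n    secret = foobar\n}\n"

INCLUDE_RE = re.compile(r"^Config: including file: (\S+)", re.M)
UNKNOWN_RE = re.compile(r"^Ignoring request from unknown client ([\d.]+):\d+", re.M)
CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{([^}]*)\}", re.M)
SECRET_RE = re.compile(r"^\s*secret\s*=\s*(\S+)", re.M)


def included_files(debug_text):
    """Paths the server reports including while reading its configuration."""
    return INCLUDE_RE.findall(debug_text)


def unknown_clients(debug_text):
    """Source addresses the server dropped as unknown clients (IPv4 only)."""
    return sorted(set(UNKNOWN_RE.findall(debug_text)))


def parse_clients(conf_text):
    """Map client name -> True if its `client NAME { ... }` block sets a secret."""
    text = re.sub(r"#.*", "", conf_text)  # drop comments before matching blocks
    return {name: bool(SECRET_RE.search(body))
            for name, body in CLIENT_RE.findall(text)}


def diagnose(debug_text, edited_path, edited_conf):
    """Compare what the admin edited with what the debug output shows."""
    findings = []
    loaded = [p for p in included_files(debug_text) if p.endswith("/clients.conf")]
    if loaded and edited_path not in loaded:
        findings.append(f"server loaded {loaded[0]}, not {edited_path}")
    clients = parse_clients(edited_conf)
    for ip in unknown_clients(debug_text):
        if ip not in clients:
            findings.append(f"no 'client {ip} {{ ... }}' block in {edited_path}")
        elif not clients[ip]:
            findings.append(f"client {ip} has no secret")
    return findings


if __name__ == "__main__":
    for line in diagnose(DEBUG_OUTPUT, "/etc/raddb/clients.conf", BRACELESS):
        print(line)
```
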
Radius is running away with the CPU
I have been using freeradius for several years but in the last few months have seen a problem with the cpu usage. TOP almost always shows radius with 100% CPU; much of the time it is at 300%. The load average runs up to 32 at times as well. This corresponds with the max_servers. I am using a mysql database on the same box and it looks to be behaving and queries to it are fast. The box is dual 2.8 xeon with 2 GB ram. Anyone have an idea what would cause this?

David

top - 14:33:51 up 82 days, 3:50, 1 user, load average: 2.83, 4.85, 4.30
Tasks: 100 total, 2 running, 98 sleeping, 0 stopped, 0 zombie
Cpu(s): 10.3% us, 64.9% sy, 0.0% ni, 24.6% id, 0.2% wa, 0.0% hi, 0.0% si
Mem: 1034396k total, 859184k used, 175212k free, 32808k buffers
Swap: 2032212k total, 47388k used, 1984824k free, 712524k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
12550 radiusd 16 0 96576 5312 816 S 300 0.5 22064:15 radiusd
Re: Radius is running away with the CPU
I am attempting to build a setup which authenticates users from 3 realms in one MySQL database. Some of my users, actually a large proportion of them, are currently not using their realm to authenticate. I am about to merge the dial pools so I won't be able to use huntgroups or hints to figure out which realm they are coming from. I am trying to use the new unlang option to avoid writing an rlm_perl type script. FreeRADIUS-snapshot-20070813 I don't know if any of this is legal. I'm using one sql module. I just call it once for each realm after changing the %{User-Name} to append that realm. It just looked like it might work so I tried it. The debug output makes it look like I am very close. I haven't been able to figure out exactly what is wrong with it, yet. The failure happens in rlm_pap when the user does not specify a realm. I don't see the cause of the failure in the debug output. I'm probably not interpreting the output correctly. Here are the diffs to the default config coming from the snapshot. --- radiusd.conf-orig Mon Aug 13 20:42:25 2007 +++ radiusd.confMon Aug 13 21:15:41 2007 @@ -210,7 +210,7 @@ # Allowed values are: # integer port number (1812) # 0 means use /etc/services for the proper port - port = 0 + port = 1645 # Type of packets to listen for. # Allowed values are: @@ -252,7 +252,7 @@ listen { ipaddr = * # ipv6addr = :: - port = 0 + port = 1646 type = acct # interface = eth0 # clients = per_socket_clients @@ -1051,7 +1051,7 @@ # # If you're not running a Cisco or Quintum NAS, you don't # need this hack. - with_cisco_vsa_hack = no + with_cisco_vsa_hack = yes } # Livingston-style 'users' file 
@@ -1214,33 +1214,33 @@ # # See rlm_sql_log(5) manpage. # -# sql_log { -# path = ${radacctdir}/sql-relay -# acct_table = radacct -# postauth_table = radpostauth -# -# Start = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ -# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ -# AcctSessionTime, AcctTerminateCause) VALUES \ -# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ -# '%{Framed-IP-Address}', '%S', '0', '0', ''); -# Stop = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ -# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ -# AcctSessionTime, AcctTerminateCause) VALUES \ -# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ -# '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \ -# '%{Acct-Terminate-Cause}'); -# Alive = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ -# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ -# AcctSessionTime, AcctTerminateCause) VALUES \ -# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ -# '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}',''); -# -# Post-Auth = INSERT INTO ${postauth_table} \ -# (user, pass, reply, date) VALUES\ -# ('%{User-Name}', '%{User-Password:-Chap-Password}', \ -# '%{reply:Packet-Type}', '%S'); -# } + sql_log { + path = ${radacctdir}/sql-relay + acct_table = radacct + postauth_table = radpostauth + + Start = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ +NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ +AcctSessionTime, AcctTerminateCause) VALUES \ +('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ +'%{Framed-IP-Address}', '%S', '0', '0', ''); + Stop = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ +NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ +AcctSessionTime, AcctTerminateCause) VALUES \ +('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ +'%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \ +'%{Acct-Terminate-Cause}'); + 
Alive = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ +NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ +AcctSessionTime, AcctTerminateCause) VALUES \ +('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ +'%{Framed-IP-Address
EAP-TLS certificate based authentication in linux
Hi, I have certificate based EAP_TLS authentication working with Windows XP clients. Does the same setup work for Linux also? For XP clients I am using p12 and root.der certificates.

Regards
Anoop
Re: Radius is running away with the CPU
Grr, I took out the In-Reply-To, but I forgot to change the Subject. I am so sorry, and embarrassed.

-- Scott Lambert KC5MLE Unix SysAdmin [EMAIL PROTECTED]
Authenticate users from 3 realms in one MySQL database
I am attempting to build a setup which authenticates users from 3 realms in one MySQL database. Some of my users, actually a large proportion of them, are currently not using their realm to authenticate. I am about to merge the dial pools so I won't be able to use huntgroups or hints to figure out which realm they are coming from. I am trying to use the new unlang option to avoid writing an rlm_perl type script. FreeRADIUS-snapshot-20070813 I don't know if any of this is legal. I'm using one sql module. I just call it once for each realm after changing the %{User-Name} to append that realm. It just looked like it might work so I tried it. The debug output makes it look like I am very close. I haven't been able to figure out exactly what is wrong with it, yet. The failure happens in rlm_pap when the user does not specify a realm. I don't see the cause of the failure in the debug output. I'm probably not interpreting the output correctly. Here are the diffs to the default config coming from the snapshot. --- radiusd.conf-orig Mon Aug 13 20:42:25 2007 +++ radiusd.confMon Aug 13 21:15:41 2007 @@ -210,7 +210,7 @@ # Allowed values are: # integer port number (1812) # 0 means use /etc/services for the proper port - port = 0 + port = 1645 # Type of packets to listen for. # Allowed values are: @@ -252,7 +252,7 @@ listen { ipaddr = * # ipv6addr = :: - port = 0 + port = 1646 type = acct # interface = eth0 # clients = per_socket_clients @@ -1051,7 +1051,7 @@ # # If you're not running a Cisco or Quintum NAS, you don't # need this hack. - with_cisco_vsa_hack = no + with_cisco_vsa_hack = yes } # Livingston-style 'users' file 
@@ -1214,33 +1214,33 @@ # # See rlm_sql_log(5) manpage. # -# sql_log { -# path = ${radacctdir}/sql-relay -# acct_table = radacct -# postauth_table = radpostauth -# -# Start = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ -# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ -# AcctSessionTime, AcctTerminateCause) VALUES \ -# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ -# '%{Framed-IP-Address}', '%S', '0', '0', ''); -# Stop = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ -# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ -# AcctSessionTime, AcctTerminateCause) VALUES \ -# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ -# '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \ -# '%{Acct-Terminate-Cause}'); -# Alive = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ -# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ -# AcctSessionTime, AcctTerminateCause) VALUES \ -# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ -# '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}',''); -# -# Post-Auth = INSERT INTO ${postauth_table} \ -# (user, pass, reply, date) VALUES\ -# ('%{User-Name}', '%{User-Password:-Chap-Password}', \ -# '%{reply:Packet-Type}', '%S'); -# } + sql_log { + path = ${radacctdir}/sql-relay + acct_table = radacct + postauth_table = radpostauth + + Start = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ +NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ +AcctSessionTime, AcctTerminateCause) VALUES \ +('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ +'%{Framed-IP-Address}', '%S', '0', '0', ''); + Stop = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ +NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ +AcctSessionTime, AcctTerminateCause) VALUES \ +('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ +'%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \ +'%{Acct-Terminate-Cause}'); + 
Alive = INSERT INTO ${acct_table} (AcctSessionId, UserName, \ +NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ +AcctSessionTime, AcctTerminateCause) VALUES \ +('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ +'%{Framed-IP-Address
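Review bot: The hard-coded port = 1645 in the @@ -210,7 hunk, and the matching port = 1646 on the type = acct listener in @@ -252,7, needs a comment saying why the legacy ports are used; the context comment kept above it still gives 1812 as the example and says 0 takes the port from /etc/services. Every NAS in the merged dial pools has to send to 1645/1646 for this to work, so state that next to the value.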
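Review bot: with_cisco_vsa_hack = yes in the @@ -1051,7 hunk is at odds with the comment kept directly above it unless a Cisco or Quintum NAS is actually in the pools. Add a line naming the NAS that needs the hack, or leave the value at no.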
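Review bot: The Post-Auth query in the @@ -1214,33 hunk stores '%{User-Password:-Chap-Password}' in the pass column, so enabling sql_log as-is would record user passwords in ${postauth_table} by way of the ${radacctdir}/sql-relay file. The added side is cut off before that query, so check whether it was uncommented along with Start, Stop and Alive; if it was, drop the pass column or the whole Post-Auth query, and restrict permissions on the sql-relay file.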