I wonder if it's possible to do ldap lookups when handling accounting (start)
packets? This would likely mean adding an ldap entry to the accounting{}
section of the radiusd.conf file.
At the moment I am calling an external script from the acct-users file using:
DEFAULT
With modern
operating systems we have various server task scheduling options available to
use.
We can either use
OSes modified to provide soft real-time such as versions of Linux. We can also
ask the task schedulers to give certain processes either higher priority or to
give
Of Peter Nixon
Sent: 20 September 2006 12:22
To: FreeRadius users mailing list
Subject: Re: realtime for freeradius
On Wed 20 Sep 2006 14:09, Tariq Rashid wrote:
With modern operating systems we have various server task scheduling
options available to use.
We can either use OSes modified to provide
Tariq Rashid [EMAIL PROTECTED] wrote:
I would like however for the script to be called only when an LDAP attribute
has a certain values. Is this possible? The user's LDAP profile has already
been searched for the user's password in the initial auth request, and
possibly in the acct
Hi,
I am using the acct_users file to trigger an external script when an accounting
start has been received:
DEFAULT Acct-Status-Type == Start
Exec-Program = /etc/freeradius/scripts/acct_start.py %{User-Name}
I would like however for the script to be called only when an LDAP
One of our systems uses a fairly basic freeradius system (based on freeradius
1.0.2). A simple LDAP database is used to check that a password matches the
supplied username.
What is the recommended way to achieve the following:
* upon receipt of accounting start check LDAP to see if an
hi,
under high load, we are familiar with the usual problem of dropped accounting
packets. this leads to retries and timeouts and possibly marked dead, either
by the NAS or intermediate radius proxies.
this problem is particularly pronounced when a proxy used to send traffic to
multiple
doing a configure
./configure --prefix=/opt/freeradius-snapshot-20051110
--with-openssl-includes=/usr/sfw/include/openssl
--with-openssl-libraries=/usr/sfw/lib
using the 20051110 snapshot - i still don't get a compile. having said that
this is much better than 1.0.2 and 1.0.5
any ideas?
Of Joe
Maimon
Sent: 01 November 2005 12:53
To: FreeRadius users mailing list
Subject: Re: appending to a proxy reply attribute
Tariq Rashid wrote:
hi - i would like to achieve the following:
* inspect the reply packet from a proxy target radius
* if the reply contains Framed
hi - i'm having trouble compiling freeradius-1.0.5 for solaris express x86 (nv
b23).
i can make progress with the configure options ...
--with-openssl-includes=/usr/sfw/include/openssl
--with-openssl-libraries=/usr/sfw/lib
then i have to disable the sql module (remove from
hi - we're having the freeradius 1.0.2 daemon dying occasionally for mysterious
reasons - we're still investigating the cause.
however - when it dies the radiusd.pid file is not removed. this causes
problems for most restart-wrappers ...
running in the foreground in an infinite loop is also
Baradakis
Sent: 21 October 2005 14:28
To: FreeRadius users mailing list
Subject: Re: recommended restart-wrapper for freeradius
Tariq Rashid wrote:
hi - we're having the freeradius 1.0.2 daemon dying occasionally for
mysterious reasons - we're still investigating the cause.
You should
i'm running a freeradius 1.0.2 as a proxy, with a very simple configuration -
no ldap, no sql, only a users file, and some attribute filters for pre- and
post- proxying.
strangely i'm finding that about once a day at random times the server is not
running, but the PID is left - thus
this by ensuring that the newly alloced conf section
is linked to the real top-level main conf section. in its absence, the
parent being passed to conf_read() seems always to be null ...
tariq
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tariq
Rashid
Sent: 22
the clients.conf to be xlat'ed?
tariq
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Nicolas Baradakis
Sent: 13 September 2005 18:08
To: FreeRadius users mailing list
Subject: Re: custom variable in config files
Tariq Rashid wrote:
but this doesn't
trying and report back anything that works.
tariq
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan
DeKok
Sent: 15 September 2005 17:18
To: FreeRadius users mailing list
Subject: Re: custom variable in config files
Tariq Rashid [EMAIL PROTECTED] wrote
thanks - that works - i can confirm that for the list
tariq
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Nicolas Baradakis
Sent: 13 September 2005 18:08
To: FreeRadius users mailing list
Subject: Re: custom variable in config files
Tariq Rashid
hi - is it possible for me to declare a variable in one included config file,
which is then visible in all the config files?
in order to keep the config file as simple as possible, i want to take out the
site/server dependent portion into a variable. so at each different site/server
i would
and diagnostics
[EMAIL PROTECTED]:easynet_site} User-Password ==
test1.proxyradius.%{config:easynet_site}
Reply-Message = hello from the proxyradius layer
%{config:easynet_site}
any ideas? i'm using version 1.0.2 on debian 3.1
tariq rashid
-Original Message
i would like to filter off interim accounting packets from specific domains
to a different proxy target - as follows...
# interim/status/alive accounting records are actually sent to the
processing domain
DEFAULT User-Name =~ @.*\.abc\.co\.uk$, Acct-Status-Type == Alive,
hi - is it possible for freeradius to match the domains/realms for proxying
purposes only (ie not rewrite the User-Name):
in the users file:
# following is used to map subdomains of *.easynet.co.uk
# to be proxied according to the realm easynet.co.uk
DEFAULT User-Name
hi, i'm planning a significant migration from a different radius server
(Radiator, perl based).
one advantage of that server is that it is very easy to code custom hooks to
apply business logic to post-(ldap)-search and post-auth points of the
radius sequence. the disadvantage is the
interpreter loaded into
RAM should run fine ... but I suspect something inefficient is happening with
Radiator.
tariq rashid
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan
DeKok
Sent: 23 August 2005 16:54
To: FreeRadius users mailing list
Subject: Re
hi -
i wonder what people's thoughts are on a radius cache that sits in front of
a set of real radius servers and responds quickly with a set of cached reply
attributes from a previous query? this may even be worthwhile even if the
caching only applies to rejected queries - so that bad requests
is it possible to specify IP ranges in the clients.conf? or multiple IPs for
each client{} section?
for example:
client 1.2.3.0/23 {
secret = shared_secret
shortname = abc.def.ghi.jkl
nastype = other
}
or
client 1.2.3.1 {
secret = shared_secret
shortname
I am finding that auth requests are proxied, as expected, but not
accounting.
This appears to affect domain names which are proxied according to wildcard
entries in the users file as follows:
# following is used to map subdomains of *.abc.co.uk
# to be proxied according to the
just to confirm for the archives - this works well.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan
DeKok
Sent: 05 August 2005 16:14
To: FreeRadius users mailing list
Subject: Re: auth proxied, not acct using users file setting
Proxy-To-Realm
Tariq
PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Nicolas Baradakis
Sent: 03 August 2005 15:47
To: FreeRadius users mailing list
Subject: Re: accounting - response from freeradius, and forward
Tariq Rashid wrote:
we'd like freeradius to reply to accounting requests (start, stop,
interim
, and forward
Tariq Rashid [EMAIL PROTECTED] wrote:
i'll have another look to see if it is possible using mechanisms within
the
radiusd.conf (perhaps calling 2 modules, one to reply, one to forward).
There could be a replicate module, which would send packets to
multiple destinations. I'd prefer
hi - is it possible for freeradius to do the following?
we'd like freeradius to reply to accounting requests (start, stop, interim)
with acknowledgements, but also to forward the accounting request to a
backend radius server but to ignore the response from this proxy behaviour.
this means that
Tariq Rashid [EMAIL PROTECTED] wrote:
since the state must be maintained in the freeradius proxy - is it
possible
to add it to the logs so that troubleshooting is easier? currently i have
to
match the timestamps.
Which log are you talking about?
Alan DeKok.
---
those
hi - i'm logging the pre-proxy and post-proxy logs. this works fine.
the proxy-logs show the user-name (and password attribute) and that is fine.
however the post-proxy logs don't contain the user-name because the reply
from the backend radius server doesn't necessarily send the username as an
I thought you said that the backend server sent the attribute? How
do you comment it out?
i prevent the backend server from sending this particular Tunnel-Password
attribute.
t
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
when a backend radius server sends back the following tunnel attributes, the
freeradius 1.0.2 fails the request with tunnel password is too long for the
attribute (discovered by radiusd -X).
Tunnel-Server-Endpoint = 1:82.111.96.178
Tunnel-Type = 1:L2TP
Tunnel-Medium-Type
for the following profile .. the tunnel type is sent as value 1 not 3...
[EMAIL PROTECTED] Password == 888, NAS-IP-Address == 1.2.3.4
Tunnel-Server-Endpoint := 1:3.4.5.6,
Tunnel-Type := 1:L2TP,
Tunnel-Medium-Type := 1:IP,
Tunnel-Password := 1:***,
i'm finding counterintuitive behaviour for the regexp in the searchfor
attr_rewrite. i have the following
attr_rewrite attr_rewrite_post-proxy {
attribute = Framed-Route
searchin = proxy_reply
searchfor = ([0-9./]+) ([0-9.]+) ([0-9]+)(.*)
in addition, the following suggests an unusual regex process...
attr_rewrite attr_rewrite_post-proxy {
attribute = Framed-Route
searchin = proxy_reply
searchfor = ([0-9.]+) ([0-9.]+) ([0-9]+)(.*)
replacewith = [%{1}] [%{2}] [%{3}]
hi - we're successfully using snmp to monitor the freeradius statistics.
however - when freeradius is restarted with HUP signal, the snmp connection
doesn't work. i'm not too familiar with snmp/smux but i'm guessing
freeradius is not reconnecting to snmpd?
to solve this we have to restart snmpd
hi - i'd like to use the radius server's IP within the configuration files.
specifically, to include it in the reply-message - i know that some
variables are defined %u, %p, %n, etc ... see doc... but none of these
contain the radius server's IP address. this needs to be not from the radius
=~ @.*\.ukonline\.co\.uk$, Proxy-To-Realm :=
ukonline.co.uk
t
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan
DeKok
Sent: 16 June 2005 17:59
To: FreeRadius users mailing list
Subject: Re: proxy wildcard realms (subdomains)
Tariq Rashid [EMAIL PROTECTED] wrote
hi - is it possible to monitor the active threads via snmp? this is
different from the pool allocated threads - most of which can be asleep /
not awaiting a response.
tariq
hi - after much searching the archives i couldn't find a good way to proxy
to subdomains of a domain:
[EMAIL PROTECTED]
for any number of subdomains under a given domain.com (including nil).
is this possible? (i don't want the username stripped)
thanks
tariq
i know the FAQ mentions the daemontools for ensuring that the freeradiusd
daemon is available in the event of an unlikely crash.
can anyone recommend another set of tools or scripts for managing the
freeradius daemon - i don't like the way the daemontools is not consistent
with the usual unix
since
you configured with --prefix=/usr/local/freeradius, everything will be under
that directory.
so
etc/raddb will be in /usr/local/freeradius/etc/raddb and so
on...
if
you're going to use --prefix - why not completely separate if from the system
/usr and do a
the included docs and examples don't use the attr_filter module with the
pre-proxy{} section in radiusd.conf.
there is a post-proxy{} and that works fine.
i have different instantiations (with different config files) for each pre-
and post-proxy. having no replies from the list i decided to
hi,
i'm interested in doing some pre-proxy processing.
pre-proxy:
* i need to restrict the attributes that are sent on to the
target/home radius server
* the documentation doesn't suggest that attr_filter can be used in
the pre-proxy{} section.
is this a
is there an issue with freeradius proxying to a home radius server which is
in fact on the same IP address that the proxy is listening on, but on a
different port.
that is the proxy and backend servers are on the same hardware listening on
the same interface.
the proxy (using a realm in
hi - is anyone aware of a hardware device which can do radius proxying,
choosing targets according to the username domains?
the advantages of a hardware device are:
1. fast reboot times
2. possibly faster packet processing
3. lower maintenance and support compared to a
thanks for the reply - multiple source ports is the obvious answer which i
didn't trust was actually specified in the RFCs. The reason for this is that
too often i have seen requests from 1645 to 1645 and not (random-high-port
to 1645) for example.
extended ID? well some radius servers will
When a radius proxy, such as an appropriately configured freeradius ,
forwards (proxies) a radius request to a target, the target sees a radius
request from the proxy .. it sees its IP address, the source port, and the
UID of the radius request.
now, when the radius target forms a
for radius proxying, does freeradius allocate a thread from its pool to each
proxied radius request? this would allow me to control proxying by setting
max allocated threads and also the pre-alloc size too.
or does it maintain a fixed-size state table? (i guess size 256 since that
is the length
just a quick question about proxying radius.
when a radius proxy forwards a request onto the target radius servers, does
the response necessarily return via the proxy server/device?
i ask this because if i want to post-process replies from a radius server
(the target of the proxying) i need to be
We're considering using a front-end radius server instance as a proxy -
which will proxy depending on the user's domain name.
The question I have is to do with concurrency.
As I understand it - if I use a single-threaded radius proxy server - it
will it have to wait for a reply from a proxied
Is this correct? If it is, it would make sense to have a threaded radius
proxy server as the forwarding proxy - perhaps with 3000 threads
configured.
It would then take 3000 delayed responses to exhaust the 3000
threads.
Having 3000 threads waiting up to 30 seconds for a response
now that NetBSD 2.0 has been out for a short while, I wonder if anyone has
any positive/negative experiences using it with freeradius?
particularly with regard to the underlying performance improvements of NetBSD
2.0 (arguably over freebsd 4.x). i know its threading is much improved.
tariq
i know this is a controversial topic but I don't have a definitive answer.
it would seem that using hyperthreading enabled CPUs, one would get slightly
better performance from threaded applications such as FreeRadius.
the underlying operating systems are freebsd 4.7+ and 5.3 (there was no
just curious - but are there any hardware radius clients (cisco, lucent,
redback, other) that can use radius over ipv6?
i realise it is not a common scenario. perhaps radius over ipv6 using its
mandatory ipsec encryption?
tariq
-Original Message-
From: Alan DeKok [mailto:[EMAIL
hi - we're seeing a Lucent Stinger device sending radius requests with a
password field that is less than the 16 octets as per protocol.
now, some radius servers seem not to like this - but freeradius seems to
work fine with this. i suspect that is because freeradius either ignores the
length of
throttle them - ie, if the request rate is say 80/s or less then that is
fine. if the requests come in faster, then the smoothing buffer would
store them in a queue and then release them at a rate no quicker than the
chosen rate, say 80/s.
of course, this buffering, can be done in an
i wonder if anyone has experience in this or comments ...
in a test environment, we note that rare spikes of very high request rates
seem to knock out the radius servers for a short period while they recover.
an immediate solution that comes to mind is to use traffic shaping (such as
ALTQ) to
i wonder if any of the developers or other users may shed some light on this
...
as i mentioned recently i'm benchmarking and characterising freeradius and
radiator - primarily for capacity planning, and being aware of unusual
behaviour.
i've written some code which send radius requests to a
two further observations, which may give someone a clue:
* as the rate is increased such that the interval between requests
approaches zero,
all my experiments have shown freeradius to improve its response time
such that all jumps have pretty much recovered during the later
2 benchmarking tools (code and output is readable and self-evident) attached for you
to use / comment on/ improve.
python uses pyrad module, C uses libradius from standard BSD install (a static version
exists for linux).
comments appreciated.
thread_test_linear.py
Description:
slightly off-topic, but is there a library like the standard FreeBSD (4.9) libradius
for linux? (eg debian 3 unstable/stable)
i've got benchmarking code written to test freeradius/radiator which links against
this, but i need to move this code to a faster linux box.
the lib radiusclient(-ng)
the man page should be there in the sources... just install it again. if you don't
want to do that then just load it directly into man (man man_file_name). some version
of the less/more pager can also read the man page directly.
you can download a fresh copy of the sources from the website if
initialization time of a FreeRadius server?
Thanks,
Htin
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tariq
Rashid
Sent: Tuesday, March 30, 2004 8:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: performance, stability, benchmarks
let me rephrase a little of my
to continue the thread on radius performance and stability characteristics
..
i'm trying to identify a list of items/metrics/indicators to measure. for
example:
* radius response time with constant radius query rate
* radius response time with increasing radius query rate
I wonder if there are existing benchmarks of freeradius performance compared
with other radius servers.
Or even non-comparative benchmarks.
Also, I'm having trouble finding information about what is unique to
freeradius in terms of performance. The website suggests that freeradius is
high
i've previously used radiator as it is simple to modify the check and reply
items, especially when the check and reply items depend on some quite
convoluted logic (the flowchart is not simple).
having had an initial look at freeradius and the ldap module - i am reaching
the conclusion that the
-Original Message-
From: Tariq Rashid [mailto:[EMAIL PROTECTED]
Sent: 15 March 2004 09:42
To: '[EMAIL PROTECTED]'
Subject: ldap attributes dependent on complex logic - freeradius
suitable?
i've previously used radiator as it is simple to modify the check and reply
items, especially when
: Kostas Kalevras [mailto:[EMAIL PROTECTED]
Sent: 02 March 2004 19:16
To: '[EMAIL PROTECTED]'
Subject: Re: multiple replyItems from ldap
On Tue, 2 Mar 2004, Tariq Rashid wrote:
Mapping from ldap attributes to radius attributes is fine using the
ldap.attrmap file, such as
replyItem
this
and rad_send() from lib/radius.c where it doesn't do that.
t
-Original Message-
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]
Sent: 02 March 2004 19:16
To: '[EMAIL PROTECTED]'
Subject: Re: multiple replyItems from ldap
On Tue, 2 Mar 2004, Tariq Rashid wrote:
Mapping from ldap
i've had a search through the archives and google and can't find examples of
anyone using freeradius with its list of allowed NAS clients (ip or dns
names) held in a database - which is imported at startup, or periodically,
not necessarily at every request (perhaps a refresh after a max counter).