adding accounting attribute

2008-01-21 Thread Alexander Serkin

Hi, FreeRadius Users.
Could somebody tell me if it's possible to add some accounting attribute
depending on user's SQL group membership?
For example - for all members of SQL group 'somegroupname' add:
User-Category = '1'
to every accounting packet.
Which module should I read about more carefully?

Thank you in advance,
--
Alexander
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Version 2.0 is a lot closer to reality...

2007-04-04 Thread Alexander Serkin
Alan, thinking about upcoming upgrade from 1.1.5 to 2.0 I tried 2.0 with
my configuration from 1.1.5.
There seems to be some difference which I hope you can explain.
proxy.conf configuration is

realm NULL {
 type = radius
 authhost = LOCAL
 accthost = LOCAL
}

and we have a user who has simple radcheck entry in sql:

mobile  Auth-Type:=accept

in 1.1.5 radiusd performs authorize and authorize group checks in sql:

rlm_sql (sqlauth): sql_set_user escaped user -- 'mobile'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'mobile' ORDER BY id'
rlm_sql (sqlauth): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 
  FROM radgroupcheck,usergroup WHERE (usergroup.Username = 'mobile' or 
usergroup.CLID = '25009740996') AND usergroup.GroupName = 
radgroupcheck.GroupName ORDER BY usergroup.PRIORITY,radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'mobile' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 
  FROM radgroupreply,usergroup WHERE (usergroup.Username = 'mobile' OR 
usergroup.CLID = '25009740996') AND usergroup.GroupName = 
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sqlauth): Released sql socket id: 4
   modcall[authorize]: module sqlauth returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
   rad_check_password:  Found Auth-Type Accept
   rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [mobile] (from client localhost port 0 cli 25009740996)

but in 2.0 we lack the group checks:

rlm_sql (sqlauth): sql_set_user escaped user -- 'mobile'
rlm_sql (sqlauth): Reserving sql socket id: 4
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'mobile' ORDER BY id'
rlm_sql (sqlauth): User found in radcheck table
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'mobile' ORDER BY id'
rlm_sql (sqlauth): Released sql socket id: 4
   modcall[authorize]: module sqlauth returns ok for request 0
modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type Accept
   rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [mobile] (from client localhost port 0 cli 25009700040996)

what could be the possible reason(s) of that?

Alan DeKok wrote:
   I've just committed massive changes to the server core.  The diff is
 about 3k lines, and doesn't include deleted or added files.
 
   The good news is that it looks to be nearly 100% backwards compatible
 with the configurations currently allowed by the CVS head.  That is,
 I've written it to be backwards compatible, and validated it via tests,
 but I won't claim it's perfect until people test it.
...


-- 
Sincerely Yours,
Alexander


Re: Version 2.0 is a lot closer to reality...

2007-04-04 Thread Alexander Serkin
Arran Cudbard-Bell wrote:
 In 2.0 we lack the group checks:
 
 I thought group checks were slightly broken since 1.1.3 anyway if 
 not can someone please close the bug report :)
 
 At least in 1.1.5 it doesn't fall through properly if a user belongs to 
 multiple groups and the check items in the first group  partially match..
 

Hm. I did not notice that. Walked through 1.1.3,4,5 transparently
without problems for users living in 2 or more groups. Though I slightly
modified group authorization queries and usergroup table (added CLID
field).

-- 
Sincerely Yours,
Alexander


2.0.0-pre0 Out of memory in event.c

2007-04-12 Thread Alexander Serkin
Hi.
Some problems with
FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Apr 
12 2007 at 12:58:32
taken from cvs today:

rad_recv: Access-Request packet from host 127.0.0.1 port 46565, id=8, 
length=95
 User-Name = carta.skylink.msk.ru
 User-Password = cisco
 Calling-Station-Id = 250099013297573
 Framed-Protocol = PPP
 Service-Type = Framed-User
 NAS-IP-Address = 212.119.97.85
   Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
 rlm_realm: No '@' in User-Name = carta.skylink.msk.ru, looking up 
realm NULL
 rlm_realm: Found realm NULL
 rlm_realm: Adding Stripped-User-Name = carta.skylink.msk.ru
 rlm_realm: Proxying request from user carta.skylink.msk.ru to realm 
NULL
 rlm_realm: Adding Realm = NULL
 rlm_realm: Authentication realm is LOCAL.
   modcall[authorize]: module suffix returns noop for request 0
 users: Matched entry DEFAULT at line 106
   modcall[authorize]: module files returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
radius_xlat:  'carta.skylink.msk.ru'
rlm_sql (sqlauth): sql_set_user escaped user -- 'carta.skylink.msk.ru'
rlm_sql (sqlauth): Reserving sql socket id: 3
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'carta.skylink.msk.ru' ORDER BY id'
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'carta.skylink.msk.ru' ORDER BY id
radius_xlat:  'SELECT GroupName FROM usergroup WHERE 
UserName='carta.skylink.msk.ru' OR CLID='250099013297573' order by priority'
SELECT GroupName FROM usergroup WHERE UserName='carta.skylink.msk.ru' OR 
CLID='250099013297573' order by priority
rlm_sql (sqlauth): Released sql socket id: 3
rlm_sql (sqlauth): User carta.skylink.msk.ru not found
   modcall[authorize]: module sqlauth returns notfound for request 0
modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): 
[carta.skylink.msk.ru/cisco] (from client localhost port 0 cli 
250099013297573)
auth: Failed to validate the user.
Login incorrect: [carta.skylink.msk.ru/cisco] (from client localhost 
port 0 cli 250099013297573)
]event.c:1277] Out of memory

Program exited with code 01.
(gdb)

no core unfortunately.

-- 
Sincerely Yours,
Alexander


sql auth problems with 2.0.0-pre

2007-04-12 Thread Alexander Serkin
Gurus,
maybe I'm pulling some common mistake with my configuration being
tested against cvs snapshot, but no idea which one.
I've an sql profile telling:

some.dotted.user Cleartext-Password = cisco
 NAS-IP-Address =~ xxx.xxx.97.(85|86)

authentication request:

 User-Name = some.dotted.user
 User-Password = cisco
 Calling-Station-Id = 000
 Framed-Protocol = PPP
 Service-Type = Framed-User
 NAS-IP-Address = xxx.xxx.97.85

gives the access-reject for unknown (for me) reason:

rlm_sql (sqlauth): sql_set_user escaped user -- 'some.dotted.user'
rlm_sql (sqlauth): Reserving sql socket id: 3
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'some.dotted.user' ORDER BY id'
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'some.dotted.user' ORDER BY id
...
rlm_sql (sqlauth): Released sql socket id: 3
   modcall[authorize]: module sqlauth returns ok for request 0
modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): 
[some.dotted.user/cisco] (from client localhost port 0 cli 00)
auth: Failed to validate the user.

I've checked the authorization sql query shown in debug - it properly 
returns the profile configured

-- 
Sincerely Yours,
Alexander


Re: sql auth problems with 2.0.0-pre

2007-04-12 Thread Alexander Serkin
Arran Cudbard-Bell wrote:
 Alexander Serkin wrote:
 Gurus,
 may be i'm pulling some common mistake with my configuration being 
 tested against cvs snapshot, but no idea which one.
 I've an sql profile telling:

 some.dotted.user Cleartext-Password = cisco
   NAS-IP-Address =~ xxx.xxx.97.(85|86)

 
 Hmm I don't know how Cleartext-Password is mapped, always thought it was 
 a legacy attribute.
 
 Try User-Password ? Also it's == not = for check items .
 

Doesn't matter, Arran. Tried User-Password and '==' with the same 
result: module sqlauth returns ok but then:

   rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user


-- 
Sincerely Yours,
Alexander


Re: sql auth problems with 2.0.0-pre

2007-04-12 Thread Alexander Serkin
Milan Holub wrote:
 Hi Alexander,
 
 On Thu, Apr 12, 2007 at 02:52:49PM +0400, Alexander Serkin wrote:
 Doesn't matter, Arran. Tried User-Password and '==' with the same 
 result: module sqlauth returns ok but then:

rad_check_password:  Found Auth-Type Local
 auth: type Local
 auth: No password configured for the user
 
 == post your radiusd.conf; you probably explicitly overrides the result of 
 sqlauth by
 setting the Auth-Type to Local somewhere in your config...
 

Yes, I did. In users file:
 users: Matched entry DEFAULT at line 106:

DEFAULT Huntgroup-Name == MSK, Realm == NULL, Auth-Type := Local

Changed the line to
DEFAULT Huntgroup-Name == MSK, Realm == NULL

and added pap to the end of authorize section.

Now with different negative result:

   modcall[authorize]: module sqlauth returns ok for request 0
rlm_pap: WARNING! No known good password found for the user. 
Authentication may fail because of this.
   modcall[authorize]: module pap returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user
auth: Failed to validate the user.


-- 
Sincerely Yours,
Alexander


Re: sql auth problems with 2.0.0-pre

2007-04-12 Thread Alexander Serkin
Alexander Serkin wrote:
 Gurus,
 may be i'm pulling some common mistake with my configuration being 
 tested against cvs snapshot, but no idea which one.
 I've an sql profile telling:
 
 some.dotted.user Cleartext-Password = cisco
NAS-IP-Address =~ xxx.xxx.97.(85|86)
 

The problem is that regular expression check of
  NAS-IP-Address =~ xxx.xxx.97.(85|86)
does not work.

When I delete this check from sql it works, when I change the check to
  NAS-IP-Address == xxx.xxx.97.85
it works too.

What has changed since 1.1.5?
The construction
NAS-IP-Address =~ xxx.xxx.97.(85|86)
did work for me there.

In radiusd.conf we have:
regular_expressions = yes
extended_expressions = yes

-- 
Sincerely Yours,
Alexander


Re: sql auth problems with 2.0.0-pre

2007-04-12 Thread Alexander Serkin
Alan DeKok wrote:
 Alexander Serkin wrote:
 The problem is that regular expression check of
   NAS-IP-Address =~ xxx.xxx.97.(85|86)
 does not work.
 
   In the CVS head?

Yes, I played with CVS head today.
Checked a huge amount of regexp variants - none worked.

-- 
Sincerely Yours,
Alexander


Re: sql auth problems with 2.0.0-pre

2007-04-28 Thread Alexander Serkin
Hi,
got cvs tree today.
The read_groups configuration check is not included in rlm_sql.c for 
some reason.
Adding:

 {"read_groups", PW_TYPE_BOOLEAN,
  offsetof(SQL_CONFIG,read_groups), NULL, "yes"},

into
static const CONF_PARSER module_config[] = {
..
} helped a lot.

Now my config from 1.1.6 is almost working. Thanks a lot.

-- 
Sincerely Yours,
Alexander


rlm_sql.c in 2.0.0-pre2

2007-06-18 Thread Alexander Serkin
Hi,
Is the read_groups configuration parameter reading strings
intentionally removed from rlm_sql.c? Why?

Let me suggest a patch:

*** rlm_sql.c.orig   2007-05-15 14:10:35.0 +0400
--- rlm_sql.c   2007-06-18 19:46:59.0 +0400
***
*** 57,62 
--- 57,64 
  offsetof(SQL_CONFIG,tracefile), NULL, SQLTRACEFILE},
 {readclients, PW_TYPE_BOOLEAN,
  offsetof(SQL_CONFIG,do_clients), NULL, no},
+ {read_groups, PW_TYPE_BOOLEAN,
+  offsetof(SQL_CONFIG,read_groups), NULL, yes},
 {deletestalesessions, PW_TYPE_BOOLEAN,
  offsetof(SQL_CONFIG,deletestalesessions), NULL, yes},
 {num_sql_socks, PW_TYPE_INTEGER,
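
Review bot: The added read_groups entry carries a default of yes, so every instance that does not set the key will run the group queries; that default should be stated where the keys of this table are documented for operators, next to readclients and deletestalesessions, together with the fact that "read_groups = no" restricts authorization to the per-user checks. The entry also introduces a key spelled with an underscore directly between two keys written as one word (readclients, deletestalesessions); it is worth confirming that read_groups, not readgroups, is the spelling existing configurations are expected to use before this goes in.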


read_groups is checked on line 959 of rlm_sql.c, but it's not set 
anywhere before.

thanks,
-- 
Alexander


Re: rlm_sql.c in 2.0.0-pre2

2007-06-20 Thread Alexander Serkin
Arran Cudbard-Bell wrote:
 Alan DeKok wrote:
   I don't think it was ever added.  I'm not sure the functionality is
 even tested.

   i.e. Does it work?

   Alan DeKok.
 
 Read Groups in SQL ? Yes, very very well tested. It's horribly broken in 
 1.*.* though, or at least it was for me.
 
 Unfortunately whoever modified rlm_sql in cvs head chose a very 
 inefficient querying system.
 
 First you query to pull out group membership, second you query to get 
 each groups check items, then to get each groups reply items ... It just 
 doesn't scale when a users a member of lots of groups.
 
 Previously you pulled out all the records for all the groups a user was 
 a member of in two queries, one for check items and one for reply items..

Yes. It worked for me this way until at least 1.1.6.
You are right, Alan - read_groups configuration checks were not in 1.1.x
either, but they worked somehow.
Starting from 2.0.0-pre only user checks are performed by default.
The only way to make groups be checked was the supposed patch.
Or adding Fall-Through=yes for all user profiles in radcheck table,
which is not good.

-- 
Sincerely Yours,
Alexander


Re: rlm_ippool and NAS-Port missing in access-request

2004-06-17 Thread Alexander Serkin

Kostas Kalevras wrote:
On Thu, 17 Jun 2004, Pate Mark-marpate1 wrote:

rlm_ippool needs the nas-port-id to work. In the future the search key will be
configurable. For now you could configure your NAS to also send the
accounting-session-id in the access-request:
radius-server attribute 44 include-in-access-req
http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide09186a0080087b1d.html
and use attr_rewrite to copy the accounting-session-id attribute to a
nas-port-id attribute in the access request.

Thank you, Kostas. That's what I was looking for.
Can you give an example of attr_rewrite block to copy attributes?
The explanations in radiusd.conf are not quite clear for me :)
--
SY,
Alexander


Re: rlm_ippool and NAS-Port missing in access-request

2004-06-17 Thread Alexander Serkin

Alexander Serkin wrote:

...
Thank you, Kostas. that's what i was looking for.
Can you give an example of attr_rewrite block to copy attributes?
The explanations in radiusd.conf are not quite clear for me :)
My acct-session-id comes with value D47761550033DDC3 for example.
I've also copied CLID (15 digits) into NAS-Port attribute because it's missing
in request.
But the results are somewhat unpredictable. Four requests with different CLID and
acct-session-id show that allocated addresses are identical for the 1st and 4th
requests:
Sending Access-Request of id 148 to 127.0.0.1:1812
User-Name = [EMAIL PROTECTED]
User-Password = internet
Calling-Station-Id = 25009702749
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = xxx.xxx.xxx.85
Acct-Session-Id = D47761550033DDBF
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=148, length=44
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = xxx.xxx.122.69
Framed-IP-Netmask = 255.255.255.255
Sending Access-Request of id 149 to 127.0.0.1:1812
User-Name = [EMAIL PROTECTED]
User-Password = internet
Calling-Station-Id = 25009722752
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = xxx.xxx.xxx.86
Acct-Session-Id = D47761550033DDC3
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=149, length=44
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = xxx.xxx.125.176
Framed-IP-Netmask = 255.255.255.255
Sending Access-Request of id 150 to 127.0.0.1:1812
User-Name = [EMAIL PROTECTED]
User-Password = internet
Calling-Station-Id = 25009722751
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = xxx.xxx.xxx.85
Acct-Session-Id = D47761550033DDC2
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=150, length=44
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = xxx.xxx.124.55
Framed-IP-Netmask = 255.255.255.255
Sending Access-Request of id 151 to 127.0.0.1:1812
User-Name = [EMAIL PROTECTED]
User-Password = internet
Calling-Station-Id = 25009702750
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = xxx.xxx.xxx.86
Acct-Session-Id = D47761550033DDC0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=151, length=44
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = xxx.xxx.122.69
Framed-IP-Netmask = 255.255.255.255

--
SY,
Alexander


accounting_update_query_alt ?

2004-06-30 Thread Alexander Serkin
Hello.
I wonder if there are any plans to add the accounting_update_query_alt to the sql
configuration with INSERT?
If not, I'll try myself.

It is possible that the accounting update packet comes and AAA server did not
see start record for it. The session is not registered in this case.

--
Sincerely Yours,
Alexander


NULL file in logdir

2004-07-01 Thread Alexander Serkin
What does the file named NULL in logdir mean?
It's created by radiusd after start and is filled continuously by
my users' names, NAS addresses and framed-ip-addresses divided by ':'.
Radius (0.9.3) is built with mysql support (authacct).
Found nothing in docs and mail archive.
--
Alexander


Re: NULL file in logdir

2004-07-01 Thread Alexander Serkin
Oops. Sorry, this is the wtmp file when its name is not defined in config.
Alexander Serkin wrote:
What does the file named NULL in logdir mean?
It's created by radiusd after start and is filled continuously by
my users' names, NAS addresses and framed-ip-addresses divided by ':'.
Radius (0.9.3) is built with mysql support (authacct).
Found nothing in docs and mail archive.
--
Alexander


event-timestamp 3gpp2 attribute 41

2004-07-02 Thread Alexander Serkin
Event-Timestamp occasionally is defined as date while in RFC 2869 it is integer:
...
   Value
  The Value field is four octets encoding an unsigned integer with
  the number of seconds since January 1, 1970 00:00 UTC.
...
3GPP2 Attribute 41 is called 3GPP2-R-P-Session-ID. Silently disappeared in 
P.S0001-B (http://www.3gpp2.org/Public_html/specs/P.S0001-B_v1.0.pdf), but was 
defined in P.S0001-A-1 (http://www.3gpp2.org/Public_html/specs/P.S0001-A-1.pdf).

--
Sincerely Yours,
Alexander Serkin,
Moscow Cellular Communications
ph. +7(095)7952089
fa. +7(095)7952084


Re: freeradius 1.0.0 crashes on oracle errors

2004-08-31 Thread Alexander Serkin
Hello.
I see a lot of 1401 errors in radiusd.log. But they do not lead to core
dumps.
Radiusd performs correctly.
These errors come when users supply incorrect usernames that are longer
than the username column size.
We work on SPARC Solaris 2.8, gcc 3.3, Oracle 9.2.0.5, freeradius-1.0.0.

 Kostas Zorbadelos [EMAIL PROTECTED] wrote:
  My environment is Solaris 2.8, gcc 2.95.3, Oracle 8.1.7.
  Freeradius crashes (and core dumps) after an sql query causes an error
  with an Oracle backend database.

   Yuck.

  First of all in oraclesql.conf there is a typo in
  accounting_start_query_alt query:

   Fixed, thanks.

  Secondly, I caused the crash by sending an accounting start packet
  with very large acct-session-id, that caused an ORA-01401(: inserted
  value too large for column) error.

   Ok.  The server *should* be robust in the face of such errors.

  Should I submit a bug report in bugs.freeradius.org?

   Please.

  For anything else you might need to trace the error, please let me
  know.

   A gdb 'bt', so we can see where/when the error occurred.

   If you have access to a Linux box, you can try running it under
 valgrind, which should give you more information about the invalid
 memory accesses.

   Alan DeKok.




Re: rlm_ippool and NAS-Port missing in access-request

2004-09-09 Thread Alexander Serkin
I can live without it. Already.
--
Alexander
Alan DeKok wrote:
[EMAIL PROTECTED] wrote:
Well, this exactly what I'd like to do: to build a one and to get it
working... But I need some help from developers. So who wants cooperate ?
Any help/hints are welcome

http://lists.cistron.nl/pipermail/freeradius-users/2004-June/032911.html
  Alan DeKok.


sql group checks

2004-10-15 Thread Alexander Serkin
Hi.
Could anybody explain to me what exactly FR does with group checks working with SQL
(Oracle in my case)?
I see group_membership_query in sql.conf, but I do not see that FR uses it in debug:

rad_recv: Access-Request packet from host 127.0.0.1:50893, id=174, length=78
User-Name = [EMAIL PROTECTED]
User-Password = blahblah
Calling-Station-Id = 25009702749
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 212.119.97.86
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 29
  modcall[authorize]: module preprocess returns ok for request 29
  modcall[authorize]: module chap returns noop for request 29
rlm_realm: Looking up realm c for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm c
rlm_realm: Proxying request from user a to realm c
rlm_realm: Adding Realm = c
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 29
users: Matched DEFAULT at 73
  modcall[authorize]: module files returns ok for request 29
WARNING: Attempt to use unknown xlat function, or non-existent attribute in 
string %{DEFAULT}
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
 FROM radgroupcheck,usergroup WHERE (usergroup.Username = '[EMAIL PROTECTED]' or 
usergroup.CLID = '25009702749') AND usergroup.GroupName = 
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE (usergroup.Username = '[EMAIL PROTECTED]' OR 
usergroup.CLID = '25009702749') AND usergroup.GroupName = 
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [EMAIL PROTECTED]
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns notfound for request 29
  modcall[authorize]: module mschap returns noop for request 29
modcall: group authorize returns ok for request 29
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user

Second - what exactly will FR do if authorize_group_check_query returns several
groups' membership for the user (I've slightly modified query and usergroup
table to check CLID also):

SQL> SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
radgroupcheck.Value, radgroupcheck.op  FROM radgroupcheck, usergroup WHERE
(usergroup.Username = '[EMAIL PROTECTED]' or usergroup.CLID = '25009702749') AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;

ID  GROUPNAME   ATTRIBUTE       VALUE          OP
10  carta       Realm           c              ==
11  carta       NAS-IP-Address  212.119.117.1  ==
19  blackholed  Auth-Type       Reject         :=

In my case user is accepted though he is a member of blackholed group with
Auth-Type - Reject.

--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow
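
An added example, not part of the original post and not FreeRADIUS code: a Python/sqlite3 audit that applies the same UserName-or-CLID membership condition as the query above and flags requests that match both a group carrying Auth-Type := Reject and other groups, the situation described in the post. Table and column names follow the quoted queries; the rows, user names, CLIDs and function names are constructed for the example.

```python
import sqlite3

# Schema mirrors the table and column names used in the quoted queries.
SCHEMA = """
CREATE TABLE usergroup (UserName TEXT, CLID TEXT, GroupName TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT,
                            Attribute TEXT, Value TEXT, op TEXT);
"""

# Constructed sample rows (not data from the post).
USERGROUP_ROWS = [
    ("alice@c", None, "carta", 1),
    (None, "25000000001", "blackholed", 2),  # membership keyed on CLID only
    ("bob@c", None, "carta", 1),
]
RADGROUPCHECK_ROWS = [
    (10, "carta", "Realm", "c", "=="),
    (11, "carta", "NAS-IP-Address", "192.0.2.1", "=="),
    (19, "blackholed", "Auth-Type", "Reject", ":="),
]


def build_sample_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO usergroup VALUES (?, ?, ?, ?)", USERGROUP_ROWS)
    conn.executemany("INSERT INTO radgroupcheck VALUES (?, ?, ?, ?, ?)",
                     RADGROUPCHECK_ROWS)
    return conn


def groups_for_request(conn, username, clid):
    """Groups a request falls into, matched on UserName OR CLID, by priority."""
    rows = conn.execute(
        "SELECT GroupName FROM usergroup "
        "WHERE UserName = ? OR CLID = ? "
        "GROUP BY GroupName ORDER BY MIN(priority), GroupName",
        (username, clid),  # bound parameters, no string interpolation
    ).fetchall()
    return [r[0] for r in rows]


def reject_groups(conn, groups):
    """Subset of groups whose check items set Auth-Type to Reject."""
    found = []
    for group in groups:
        hit = conn.execute(
            "SELECT 1 FROM radgroupcheck WHERE GroupName = ? "
            "AND Attribute = 'Auth-Type' AND Value = 'Reject' LIMIT 1",
            (group,),
        ).fetchone()
        if hit:
            found.append(group)
    return found


def audit_request(conn, username, clid):
    """Report the groups a request matches and whether a Reject group coexists
    with other groups, so the outcome depends on how check items are merged."""
    groups = groups_for_request(conn, username, clid)
    rejecting = reject_groups(conn, groups)
    others = [g for g in groups if g not in rejecting]
    return {
        "groups": groups,
        "reject_groups": rejecting,
        "other_groups": others,
        "needs_review": bool(rejecting) and bool(others),
    }


if __name__ == "__main__":
    db = build_sample_db()
    for user, clid in [("alice@c", "25000000001"), ("bob@c", "25000000002")]:
        print(user, clid, audit_request(db, user, clid))
```

A request flagged with needs_review is one to replay against the server in debug mode to confirm that the reject actually takes effect.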


Re: sql group checks

2004-10-15 Thread Alexander Serkin

Kostas Kalevras wrote:
On Fri, 15 Oct 2004, Alexander Serkin wrote:

Hi.
could anybody explain me what exactly FR does with group checks working with SQL
(Oracle in my case) ?
I see group_membership_query in sql.conf, but i do not see that FR uses it in debug:

group_membership_query is used for Sql-Group attribute checking.
Thanks. It's clean now.
One more question - what is PRIORITY column in patched usergroup table for?
Is it used somehow by code?
I mean if my user appears in two groups and one group has Auth-Type:=Accept and 
another has Auth-Type:=Reject will the PRIORITY help radius to make decision 
what to do?



Second - what exactly will FR do if authorize_group_check_query returns several
groups' membership for the user (i've slightly modified query and usergroup
table to check CLID also):
SQL SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
radgroupcheck.Value, radgroupcheck.op  FROM radgroupcheck, usergroup WHERE
(usergroup.Username = '[EMAIL PROTECTED]' or usergroup.CLID = '25009702749') AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;
ID  GROUPNAME   ATTRIBUTE       VALUE          OP
10  carta       Realm           c              ==
11  carta       NAS-IP-Address  212.119.117.1  ==
19  blackholed  Auth-Type       Reject         :=
In my case user is accepted though he is a member of blackholed group with
Auth-Type - Reject.
--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow,
ph. +7(095)7952089
fa. +7(095)7952084


replication with radrelay: Failed to aquire filelock

2004-09-30 Thread Alexander Serkin
Hello again.
While replicating accounting info to secondary server with radrelay I see the
following message in radius.log:

Thu Sep 30 10:48:51 2004 : Error: rlm_detail: Failed to aquire filelock for
/opt/fr/radacct/detail, giving up

Does it mean that I'm losing some accounting records when radrelay and radiusd
processes are bumped with each other on detail file lock?

Is it possible to avoid this if so?
--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow


Re: replication with radrelay: Failed to aquire filelock

2004-09-30 Thread Alexander Serkin

Kostas Kalevras wrote:
On Thu, 30 Sep 2004, Alexander Serkin wrote:

Hello again.
While replicating accounting info to secondary server with radrelay i see the
following message in radius.log:
Thu Sep 30 10:48:51 2004 : Error: rlm_detail: Failed to aquire filelock for
/opt/fr/radacct/detail, giving up
Does it mean that i'm losing some accounting records when radrelay and radiusd
processes are bumped with each other on detail file lock?

Only if you see these messages all the time. If the detail module fails to
acquire the file lock it will return failure and the whole accounting process
will fail. As a result the Access-Server *should* resend the corresponding
accounting request which will probably get stored successfully the second time.

The message appears approximately once a minute (~1000 simultaneous logins).
The amount of simultaneous logins grows with about 100 per month.
So in 10 months we'll come to 2000 of them. And the message will be more frequent.
And I've no idea when I should begin to worry about that :-).

--
Sincerely Yours,
Alexander


radrelay segmentation fault

2004-10-29 Thread Alexander Serkin
hi.
When running radrelay on 162Mb accounting file it dies with segmentation fault.
There is quite enough disk space on the working partition:
/dev/dsk/c1t0d0s7 13842586 9457567 4246594 70% /export/home
freeradius is of version 1.0.1.
gdb output is below:
# gdb /opt/fr/bin/radrelay
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as sparc-sun-solaris2.8...
(gdb) set args -x -a . -n localhost 10.01
(gdb) run
Starting program: /opt/fr/bin/radrelay -x -a . -n localhost 10.01
[New LWP 1]
[New LWP 2]
[New LWP 3]
[New LWP 4]
[New LWP 5]
Program received signal SIGSEGV, Segmentation fault.
0x00013698 in read_one (fp=0x3a418, r_req=0x39d44) at radrelay.c:287
287 if (userparse(buf, vp)  0 
(gdb) bt
#0  0x00013698 in read_one (fp=0x3a418, r_req=0x39d44) at radrelay.c:287
#1  0x00013e40 in loop (r_args=0xffbef658) at radrelay.c:605
#2  0x00014b08 in main (argc=-4262312, argv=0x13470) at radrelay.c:1003
The machine is
SunOS abs-test 5.8 Generic_108528-29 sun4u sparc SUNW,Sun-Fire-V240
The same result is on
SunOS mcc-aaa2 5.8 Generic_108528-27 sun4u sparc SUNW,Ultra-60
What can be wrong?
--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow,
ph. +7(095)7952089
fa. +7(095)7952084


problem building from CVS

2004-11-01 Thread Alexander Serkin
Hi.
While trying to build the last CVS snapshot on sunos 5.8 I got some error:
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall 
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef -I../include 
-DHOSTINFO=\sparc-sun-solaris2.8\ -DRADIUSD_VERSION=\1.1.0-pre0\ -o radrelay 
radrelay.o mainconfig.o util.o nas.o client.o log.o conffile.o files.o xlat.o 
-shared  -L/install/src/frCVS/radiusd/src/lib ../lib/.libs/libradius.a -lnsl 
-lresolv -lsocket -lposix4 -lpthread -lcrypto 
/install/src/frCVS/radiusd/src/lib/.libs/libradius.a -lcrypt
Text relocation remains referenced
against symbol  offset  in file
unknown   0x1744  radrelay.o
...
..very-very long listing..
...
lockf   0x304   ../lib/.libs/libradius.a(misc.o)
ld: fatal: relocations remain against allocatable but non-writable sections
collect2: ld returned 1 exit status
make[4]: *** [radrelay] Error 1
make[4]: Leaving directory `/install/src/frCVS/radiusd/src/main'
make[3]: *** [common] Error 1
make[3]: Leaving directory `/install/src/frCVS/radiusd/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/install/src/frCVS/radiusd/src'
make[1]: *** [common] Error 1
make[1]: Leaving directory `/install/src/frCVS/radiusd'
make: *** [all] Error 2

SunOS abs-test 5.8 Generic_108528-29 sun4u sparc SUNW,Sun-Fire-V240
SMClibtool  libtool
(sparc) 1.5
What is it?
--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow


Re: Radrelay segfault with 1.1.0-Pre0 and Mandrake 10 (2.4 Kernel)

2004-11-02 Thread Alexander Serkin
Exactly the same problem on sunOS-5.8.
Alan said the fix for some kind of radrelay segfault will be in v1.0.2.
The snapshot is of 1.1.0pre0, but no fixes for radrelay.
Such alternative to Proxy-to-Realm removed in 1.0.0 is not good, yeah?
We'll try to be patient and wait for some time...
Daniel W. Halverson wrote:
I'm having a strange problem trying to get radrelay to start up on a new 
Mandrake 10 box.  As soon as it starts, I get a Segfault. (SIGSEGV) 
Looking with strace and gdb, it doesn't seem to ever get even to the 
first line of the program.  Has anyone else seen this problem?  I'm at a 
loss for an answer.

 Thanks for any help.
  Dan
--
Alexander


Re: Cisco-AVPair Help (help!!) Part 1

2004-11-05 Thread Alexander Serkin
 mschapv2
Module: Instantiated eap (eap) 
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.100.255.17:1813,
id=229, length=194
	Acct-Status-Type = Start
	NAS-Port = 0
	NAS-IP-Address = 10.100.255.17
	Login-IP-Host = 10.100.248.2
	Login-TCP-Port = 5962
	Acct-Session-Id = 0x002339ee
	User-Name = 
	Cisco-AVPair = ip:source-ip=10.100.248.2
	Cisco-AVPair = ip:source-port=4385
	Cisco-AVPair = ip:destination-ip=10.100.255.2
	Cisco-AVPair = ip:destination-port=5962
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 3
  modcall[preacct]: module preprocess returns noop for request 3
rlm_acct_unique: Hashing 'NAS-Port = 0,Client-IP-Address =
10.100.255.17,NAS-IP-Address = 10.100.255.17,Acct-Session-Id =
0x002339ee,User-Name = '
rlm_acct_unique: Acct-Unique-Session-ID = 80142e378dd3cad0.
  modcall[preacct]: module acct_unique returns ok for request 3
modcall: group preacct returns ok for request 3
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 3
radius_xlat:  '/var/log/radius/radacct/10.100.255.17/detail-20041104'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.100.255.17/detail-20041104
  modcall[accounting]: module detail returns ok for request 3
  modcall[accounting]: module unix returns ok for request 3
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  ''
  modcall[accounting]: module radutmp returns ok for request 3
radius_xlat:  ''
radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay, AcctStopDelay, TunnelClientEndpoint,
SourceIPAddress, DestinationIPAddress) values('0x002339ee',
'80142e378dd3cad0', '', '', '10.100.255.17', '0', '', '2004-11-04
13:01:16', '0', '0', '', '', '', '0', '0', '', '', '', '', '', '', '',
'0', '', 'ip:source-ip=3D10.100.248.2', 'ip:source-ip=3D10.100.248.2')'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
  modcall[accounting]: module sql returns ok for request 3
modcall: group accounting returns ok for request 3
Sending Accounting-Response of id 229 to 10.100.255.17:1813
Finished request 3
Going to the next request
--- Walking the entire request list ---
Cleaning up request 3 ID 229 with timestamp 418a7c7c
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 58 with timestamp 418a7c77
Nothing to do.  Sleeping until we see a request.

--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow,
ph. +7(095)7952089
fa. +7(095)7952084


Re: Cisco-AVPair Help (help!!) Part 1

2004-11-05 Thread Alexander Serkin

Alexander Serkin wrote:
BTW - does mysql permit : in column names ?
oops. stupid question. ignore it.


Re: Oracle cursor leak

2004-11-11 Thread Alexander Serkin

Kostas Zorbadelos wrote:
...
I resubmit the patch as a text file (output of 
diff sql_oracle.c.before_patch sql_oracle.c  freeradius_oracle_patch)
because from the web page I had
problems applying it and I was forced to apply it partly by hand
editing of the code...  

the same problem. I cannot apply patch taken from the web:
patching file src/modules/rlm_sql/drivers/rlm_sql_oracle/sql_oracle.c
patch:  malformed patch at line 60: @@ -311,9 +328,11 @@
--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow


max_servers num_sql_socks

2004-11-11 Thread Alexander Serkin
Could anybody shed a light onto max_servers and num_sql_socks selection 
criteria ? (Oracle 9.2.0.4 is used).
How many of them should one set up in order to optimize processor/memory usage?

I had max_servers=32 and num_sql_socks=18 till today. A lot of There are no DB 
handles to use! messages appeared in the log.

Now they are set to max_servers=80 and num_sql_socks=60. There are fewer messages 
about DB handles now but the message Unresponsive child (id nnn) for request 
 is often repeated in the logfile. And processors (two 440MHz SPARC on 
Netra 1120) are utilized at 100%.

We have about 1200 maximum active sessions with accounting update period of 10 
minutes.

--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow


Re: max_servers num_sql_socks

2004-11-11 Thread Alexander Serkin

Alan DeKok wrote:
...

  A 386 should be able to handle that.  Find out why your DB is so
slow, and fix it.
The problem comes up after about 15 records are created in the acct table.
The table is indexed. I've attached accounting schema & sql.conf. Maybe some DBAs 
are here in the list? Any advice will be appreciated.

  Alan DeKok.
--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow
/*
 * Function to convert unix timestamp into local date format
*/
CREATE OR REPLACE
FUNCTION from_unixtime (unix_time IN NUMBER)
RETURN DATE IS
BEGIN
return FROM_TZ(CAST(TO_DATE('1970-01-01 00:00:00','YYYY-MM-DD HH24:MI:SS')+unix_time/86400 AS TIMESTAMP), 'GMT') AT TIME ZONE 'Europe/Moscow';
END;
/

DROP TABLE acct;
CREATE TABLE acct (
 RADACCTID              NUMBER  NOT NULL,
 ACCTSESSIONID          VARCHAR2(32),
 CALLINGSTATIONID       VARCHAR2(15),
 FRAMEDIPADDRESS        VARCHAR2(15),
 CDMACORRELATIONID      VARCHAR2(10),
 CDMAHAAGENT            VARCHAR2(15),
 USERNAME               VARCHAR2(128),
 CDMAPCFIPADDRESS       VARCHAR2(15),
 CDMABSMSCADDR          VARCHAR2(32),
 CDMAUSERID             NUMBER(12),
 CDMAIPTECH             NUMBER(12),
 CDMACOMPTUNIND         NUMBER(12),
 CDMARELEASEIND         NUMBER(12),
 ACCTINPUTOCTETS        NUMBER(12),
 ACCTOUTPUTOCTETS       NUMBER(12),
 ACCTINPUTPACKETS       NUMBER(12),
 ACCTOUTPUTPACKETS      NUMBER(12),
 CDMABADFRAMECOUNT      NUMBER(12),
 CDMAACTIVETIME         NUMBER(12),
 CDMANUMACTIVE          NUMBER(12),
 CDMARECEIVEDHDLCOCTETS NUMBER(12),
 CDMAIPQOS              NUMBER(12),
 CDMAAIRPRIORITY        NUMBER(12),
 CDMARPSESSIONID        NUMBER(21),
 ACCTAUTHENTIC          VARCHAR2(32),
 ACCTSESSIONTIME        NUMBER(12),
 ACCTTERMINATECAUSE     VARCHAR2(32),
 NASPORTTYPE            VARCHAR2(32),
 NASPORT                NUMBER(12),
 SERVICETYPE            VARCHAR2(32),
 NASIPADDRESS           VARCHAR2(15),
 NASIDENTIFIER          VARCHAR2(32),
 ACCTUNIQUEID           VARCHAR2(17),
 REALM                  VARCHAR2(64),
 TUNNELSERVERENDPOINT   VARCHAR2(15),
 TUNNELCLIENTENDPOINT   VARCHAR2(15),
 TUNNELASSIGNMENTID     VARCHAR2(32),
 TUNNELTYPE             VARCHAR2(15),
 ACCTTUNNELCONNECTION   VARCHAR2(32),
 TUNNELCLIENTAUTHID     VARCHAR2(32),
 TUNNELSERVERAUTHID     VARCHAR2(32),
 ACCTSTARTTIME          NUMBER(21),
 ACCTUPDATETIME         NUMBER(21),
 ACCTSTOPTIME           NUMBER(21),
 FRAMEDPROTOCOL         VARCHAR2(32),
 ACCTSTARTDELAY         NUMBER(12),
 ACCTSTOPDELAY          NUMBER(12))
  PCTFREE     10
  PCTUSED     90
  INITRANS    1
  MAXTRANS    255
  TABLESPACE  radius
  STORAGE   (
    INITIAL     12K
    NEXT        5K
    PCTINCREASE 0
    MINEXTENTS  1
    MAXEXTENTS  2147483645
  )
/
-- Creating Primary Key for ACCT
ALTER TABLE acct
ADD PRIMARY KEY (radacctid)
USING INDEX
  PCTFREE     10
  INITRANS    2
  MAXTRANS    255
  TABLESPACE  radius
  STORAGE   (
    INITIAL     8192K
    NEXT        2048K
    MINEXTENTS  1
    MAXEXTENTS  2147483645
  )
/
DROP INDEX acct_idx1;
CREATE UNIQUE INDEX acct_idx1 ON 
acct(ACCTSESSIONID,CALLINGSTATIONID,FRAMEDIPADDRESS,CDMACORRELATIONID,NASIPADDRESS,ACCTUNIQUEID,ACCTSTARTTIME,ACCTUPDATETIME,ACCTSTOPTIME)
  PCTFREE     10
  INITRANS    2
  MAXTRANS    255
  TABLESPACE  radius
  STORAGE   (
    INITIAL     81920K
    NEXT        8192K
    MINEXTENTS  1
    MAXEXTENTS  2147483645
  );

DROP SEQUENCE acct_seq;
CREATE SEQUENCE acct_seq  START WITH 1 INCREMENT BY 1;

CREATE OR REPLACE TRIGGER ACCT_SERIALNUMBER
BEFORE INSERT ON acct
FOR EACH ROW
BEGIN
 SELECT acct_seq.nextval into :new.radacctid from dual;
END;
/

COMMIT;
#
#  Configuration for the SQL module, when using MySQL.
#
#  The database schema is available at:
#
#   src/radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
#
#  If you are using PostgreSQL, please use 'postgresql.conf', instead.
#  If you are using Oracle, please use 'oracle.conf', instead.
#  If you are using MS-SQL, please use 'mssql.conf', instead.
#
#   $Id: sql.conf,v 1.26.4.1 2003/08/26 12:26:57 phampson Exp $
#
sql {

# Database type
# Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
# rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
# driver = rlm_sql_mysql
driver = rlm_sql_oracle

# Connect info for Oracle
server = localhost
login = radius
password = password

# Database table configuration for Mysql
# radius_db = radius

# Database table configuration for Oracle
radius_db = 
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=CDMA)))

# If you want both stop and start

how many records in radacct

2004-11-22 Thread Alexander Serkin
Hello,
how many records in radacct table do you manage to keep, guys?
I see that radius stops working properly after about 15 accounting 
records in Oracle (9.2.0.4) database or ~3 in PostgreSQL 7.4.6.
After that amount accounting records are not written into table and FR 
(v1.0.1) claims about no DB handles to use.
I see this with Oracle and Postgres. The symptoms are the same on two 
different Solaris8 machines - Netra1120 with 2x440MHz processors and 
SunFire V240 with 2x1GHz processors.
All recommendations about tuning are met - noatime on partitions with 
DB, no detail accounting, indexes on the accounting table.
I'm fighting with that for a couple of months with no understanding 
what else could be wrong.
Our DBA did some tunings on Oracle table and configuration - with no 
visible results.
PostgreSQL is not tuned - just 'configure,make,make install, initdb, 
createdb radius,etc'.

--
Alexander 




Re: how many records in radacct

2004-11-23 Thread Alexander Serkin
Thank you all for the hints.
Really stupid was it not to create index on acctuniqueid.
And 'explain' is my best friend ad finem seculorum.
--
Alexander
Kostas Kalevras wrote:
On Mon, 22 Nov 2004, Alexander Serkin wrote:
Hello,
how many records in radacct table do you manage to keep, guys?
I see that radius stops working properly after about 15 accounting
records in Oracle (9.2.0.4) database or ~3 in PostgreSQL 7.4.6.
After that amount accounting records are not written into table and FR
(v1.0.1) claims about no DB handles to use.
I see this with Oracle and Postgres. The symptoms are the same on two
different Solaris8 machines - Netra1120 with 2x440MHz processors and
SunFire V240 with 2x1GHz processors.
All recommendations about tuning are met - noatime on partitions with
DB, no detail accounting, indexes on the accounting table.
I'm fighting with that for a couple of months with no understanding
what else could be wrong.
Our DBA did some tunings on Oracle table and configuration - with no
visible results.
PostgreSQL is not tuned - just 'configure,make,make install, initdb,
createdb radius,etc'.

I 've got more than 1,000,000 rows in my radacct table (MySQL+InnoDB). 
The numbers you are reporting are really small, your database should be 
able to handle them just fine. One guess would be that your Session-Ids 
are not that random so the corresponding update queries have too many 
candidate rows (explain select is your friend to find out bottlenecks 
like that). Try using Acct-Unique-Id if that is the case. Do an Explain 
select on the queries run by the freeradius server (mainly the 
accounting_stop query and the simul_count query if you 've enabled it) 
and you should quickly find the problem.

I need to add a few notes on an alternative high performance accounting 
structure for freeradius in the tuning guide one of these days...

--
Alexander

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf


Re: Index on MCC/MNC

2004-12-07 Thread Alexander Serkin
Phil Reilly wrote:
Hi there,
 

Does anybody know how to configure free radius to return attributes 
based on the 3GPP-SGSN-MCC-MNC parameter.
this param is not defined in any dictionary file.
If you know its format, then add it to the dictionary and enjoy.
Is it described anywhere?
 

Thanks
 

Phil
--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow


Re: Index on MCC/MNC

2004-12-07 Thread Alexander Serkin
What's the problem with check?
Something like
3GPP-SGSN-MCC-MNC == blahblah
or
3GPP-SGSN-MCC-MNC =~ ^startswith
or
3GPP-SGSN-MCC-MNC =~ endswith$
should work if this a string attribute.
It depends on what you want.
--
als
Phil Reilly wrote:
Hi I have defined it in the 3GPP dictionary file attribute 18, but I am
unsure on how to configure the check on this parameter
Phil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Alexander Serkin
Sent: 07 December 2004 14:55
To: [EMAIL PROTECTED]
Subject: Re: Index on MCC/MNC
Phil Reilly wrote:
Hi there,

Does anybody know how to configure free radius to return attributes 
based on the 3GPP-SGSN-MCC-MNC parameter.

this param is not defined in any dictionary file.
If you know its format, then add it to the dictionary and enjoy.
Is it described anywhere?


Thanks

Phil



Re: Configuration sample CDMA-EVDO

2008-12-12 Thread Alexander Serkin

Hi, Aldo.
There's nothing special for freeradius providing AAA services for cdma 
ev-do.
We're running CDMA (1xRTT, 1xEV-DO rev0/revA) network with ~25k peak 
online users on two servers running FR.

Drop me a message if you're interested in details.

--
Alexander

Aldo wrote:
Hello, could please somebody provide a configuration sample of a CDMA 
network which provides EVDO using RADIUS?


Thanks





Access request with no User-Name

2005-02-01 Thread Alexander Serkin
Hi.
I need a solution to deal with access requests not containing User-Name 
attribute. The request is as below:

3GPP2-Correlation-Id = 768E
Calling-Station-Id = 25009769921
Framed-Protocol = PPP
User-Password = secret
Service-Type = Framed
NAS-IP-Address = a.b.c.d
Acct-Session-Id = D477603FF28E
Nas-Identifier = some.host.name
I need to build a username from CLID + some realm before authentication.
I.e. if no username - add attribute
User-Name = [EMAIL PROTECTED]
to the request and authenticate it then.
Please point me out to the appropriate module if it's possible.
--
Alexander


radius behavior when DB is down

2005-04-11 Thread Alexander Serkin
hi.
Can anybody explain to me the scenario of rlm_sql_... module actions while DB is 
inaccessible?
I mean what happens with daemon when
1) it starts and encounters that its sql store is down.
2) the db goes down while radius daemon is running.
Does it make an attempt to reconnect or it dies too?
Is the scenario the same for oracle and mysql?

--
SY,
Alexander


Re: radius behavior when DB is down

2005-04-12 Thread Alexander Serkin

Alan DeKok wrote:
Alexander Serkin [EMAIL PROTECTED] wrote:
Can anybody explain to me the scenario of rlm_sql_... module actions while DB is 
inaccessible?
I mean what happens with daemon when
1) it starts and encounters that its sql store is down.

  Have you tried checking this yourself?  It's not hard.
If i have, i wouldn't ask this. Sometimes the question has a reason to be 
asked.
I do not have an available test environment right now.

2) the db goes down while radius daemon is running.

  Similarly, this isn't hard to do in a test environment.

Does it make an attempt to reconnect or it dies too?

  It tries to reconnect.

Is the scenario the same for oracle and mysql?

  Yes.
  Alan DeKok.
--
SY,
Alexander


strange behavior with two sql instances

2005-05-03 Thread Alexander Serkin
Hello all.
I've some strange radius behavior using two sql databases.
I built two databases - one on the radius server itself for auth and another on 
separate db server for accounting. Split the sql.conf into sqlauth and 
sqlacct parts. And made changes in radiusd.conf:

$INCLUDE  ${confdir}/sqlauth.conf
$INCLUDE  ${confdir}/sqlacct.conf
and
sqlauth.conf:
sql sqlauth {
driver = rlm_sql_oracle
server = localhost
login = radusr
password = password
radius_db = 
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=DBSID)))
acct_table1 = acct
acct_table2 = acct
authcheck_table = radcheck
authreply_table = radreply
groupcheck_table = radgroupcheck
groupreply_table = radgroupreply
usergroup_table = usergroup
...
}

and
sqlacct.conf:
sql sqlacct {
driver = rlm_sql_oracle
server = some.host.tld
login = radusr
password = password
radius_db = 
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=some.host.tld)(PORT=1521))(CONNECT_DATA=(SID=DBSID)))
acct_table1 = acct
acct_table2 = acct
authcheck_table = radcheck
authreply_table = radreply
groupcheck_table = radgroupcheck
groupreply_table = radgroupreply
usergroup_table = usergroup
...
}

when the connection between radius server and accounting db server is present - 
everything is good.
But when i emulate connection down (filtering sql traffic to accounting db 
server from radius) the radius daemon stops doing authentication too until it's 
restarted.
When radiusd is restarted it works with authentication requests well even when 
accounting server remains inaccessible.

The debug is attached.
--
SY,
Alexander


no-connection-fr-debug.txt.gz
Description: Unix tar archive


Re: Event-Timestamp attribute

2005-05-18 Thread Alexander Serkin
Ok. RFC says exactly that
The Value field is four octets encoding an unsigned integer with
  the number of seconds since January 1, 1970 00:00 UTC.
I did not think radiusd rewrites unix timestamp into date.
Just because previous radius i was using used to put the timestamp into 
accounting as an integer.

Moreover i did not notice this helpful trick in variables.txt:
 %S   request timestamp
in SQL format
Does it mean that %S takes the timestamp from the Event-Timestamp field of the 
accounting packet?

--
SY,
Alexander
Alan DeKok wrote:
Alexander [EMAIL PROTECTED] wrote:
This RFC says the attribute to be unsigned integer. Why is it date in 
dictionary.rfc2869?

  Because it's a date.  See RFC 2866 for a definition of the time
type.  It's the same as date, and is stored as a 32-bit integer.

If we name the file with rfc number, then why didn't we follow it ?
It's not difficult to change the attribute every time i upgrade, but ...

  Why the heck are you changing the attribute?  It's a date.  It gets
printed and parsed like a date.  What goes into the RADIUS packet is a
32-bit integer, because that's how dates are represented in the
protocol.
  Do you really want to see and type in all dates in your system as
32-bit integers?  That's how they're represented internally in Unix.
  I'm at a complete loss for why you would want to change the type of
the attribute.  What do you hope to gain by it?
  Alan DeKok.


Re: Event-Timestamp attribute

2005-05-19 Thread Alexander Serkin

Alexander Serkin wrote:


  Edit oraclesql.conf to use the query you want.  That's why the
queries are configurable.

Sure i will. I've seen them occasionally :-)
The question was to guys who may have done the trick already. Because in Oracle
You can parse the string May 18 2005 12:08:18 +0400 easily, but i've 
no idea what to do with timezone specified as MSD or something else.
And finally i can modify the timezone presentation by Solaris zone info compiler 
so that it would be +0400, but radiusd modifies it into =2B0400, and that 
confuses oracle completely:

radius_xlat:  'INSERT into radacct (RadAcctId, AcctSessionId, CallingStationId, 
FramedIPAddress, CDMACorrelationId, CDMAHAAgent, UserName, CDMAPCFIPAddress, 
CDMABSMSCAddr, CDMAUserId, CDMAIPTech, CDMACompTunInd, CDMABadFrameCount, 
CDMAReceivedHDLCOctets, CDMAIPQoS, CDMAAirPriority, CDMARPSessionID, 
AcctAuthentic, NASPortType, NASPort, ServiceType, NASIPAddress, NASIdentifier, 
AcctUniqueId, Realm, TunnelServerEndpoint, TunnelClientEndpoint, 
TunnelAssignmentId, TunnelType, AcctTunnelConnection, TunnelClientAuthId, 
TunnelServerAuthId, AcctStartTime, FramedProtocol, AcctStartDelay) values ('', 
'1117', '25009700440', '212.119.123.233', '0003A62F', '0.0.0.0', 
'mobile', '212.119.99.40', '0001', '0', '1', '0', '0', '1140', '0', 
'13', '1', 'RADIUS', 'Virtual', '58503', 'Framed-User', '212.119.97.85', 
'pdsn1.cell.ru', '0995358346e1d81e', 'NULL', '', '', '', '', '', '', '', 
TO_TIMESTAMP_TZ('Oct  7 2004 12:50:00 =2B0400','Mon dd  hh24:mi:ss tzhtzm'), 
'', '')'
rlm_sql (sqlacct): Reserving sql socket id: 4
rlm_sql_oracle: execute query failed in sql_query: ORA-01858: a non-numeric 
character was found where a numeric was expected
rlm_sql (sqlacct): Attempting to connect rlm_sql_oracle #4
rlm_sql (sqlacct): Connected new DB handle, #4
rlm_sql_oracle: execute query failed in sql_query: ORA-01858: a non-numeric 
character was found where a numeric was expected
rlm_sql (sqlacct): failed after re-connect




  Alan DeKok.

--
Sincerely Yours,
Alexander
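
The `=2B0400` in the query above and the `=3D` in the Cisco-AVPair accounting log earlier on this page are both consistent with an `=XX` hex escape applied to attribute values before they are expanded into the SQL text, which is what keeps quote characters in NAS-supplied attributes out of the statement. The following is an added example, not FreeRADIUS source and not part of the original posts; the function names and the safe-character set are assumptions chosen to match the log output quoted on this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed safe set: matches the logs on this page, where space, ':' and '-'
 * pass through unchanged while '+' and '=' are rewritten as =2B and =3D. */
static const char SAFE_CHARS[] =
    "@abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789.-_: /";

static const char HEX_DIGITS[] = "0123456789ABCDEF";

/* Escape `in` into `out`: every byte outside SAFE_CHARS becomes =XX.
 * Returns the escaped length, or -1 if `out` is too small. */
int sql_escape(char *out, size_t outlen, const char *in)
{
    size_t n = 0;

    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (strchr(SAFE_CHARS, c)) {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)c;
        } else {
            if (n + 3 >= outlen) return -1;
            out[n++] = '=';
            out[n++] = HEX_DIGITS[c >> 4];
            out[n++] = HEX_DIGITS[c & 0x0F];
        }
    }
    out[n] = '\0';
    return (int)n;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Reverse the escape, e.g. when post-processing stored values.
 * Because '=' itself is always escaped (=3D), decoding is unambiguous.
 * Returns the decoded length, or -1 on malformed input or small buffer. */
int sql_unescape(char *out, size_t outlen, const char *in)
{
    size_t n = 0;

    if (outlen == 0) return -1;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '=') {
            int hi = hexval((unsigned char)in[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[1]);
            if (lo < 0) return -1;          /* truncated or non-hex escape */
            c = (hi << 4) | lo;
            if (c == 0) return -1;          /* refuse embedded NUL */
            in += 2;
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample values; the first two mirror the logs on this page. */
    const char *samples[] = {
        "Oct  7 2004 12:50:00 +0400",   /* timestamp with numeric zone      */
        "ip:source-ip=10.100.248.2",    /* Cisco-AVPair value               */
        "bob' --",                      /* value carrying a quote character */
    };
    char esc[128], dec[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (sql_escape(esc, sizeof esc, samples[i]) < 0) return 1;
        if (sql_unescape(dec, sizeof dec, esc) < 0) return 1;
        printf("%-28s -> %-30s -> %s\n", samples[i], esc, dec);
    }
    return 0;
}
```

With this escape in place, the format mask `tzhtzm` is handed `=2B0400` rather than `+0400`, which matches the ORA-01858 failure shown in the log.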


Re: Event-Timestamp attribute

2005-05-20 Thread Alexander Serkin

Alan DeKok wrote:
Alexander Serkin [EMAIL PROTECTED] wrote:
 No.  It takes the time that the packet was received.  The
Event-Timestamp attribute MAY be a lie.
oops. When and why? Have not seen a lie from cisco NASes yet.

  Set the time wrong on the Cisco box, then look at Event-Timestamp.
Set time wrong on radius host, then look at %S. Nonsense.

...
  Stop complaining that the server is broken, fix your configuration,
and go away.
One more nonsense. Nobody said the server is broken.
I just needed some hints. You've directed me in a proper way.
Thank you. Have some beer and calm down.
--
als


Re: Release date for 1.1.0/CVS?

2005-08-19 Thread Alexander Serkin

Alan DeKok wrote:

Wesley Spadola [EMAIL PROTECTED] wrote:

Is there any news of a approximate release date for the 1.1.0 line of 
FreeRADIUS?



  When it's ready.  Hopefully in the next month or so.


will there be a feature of configurable key for rlm_ippool database search?





Which bugs are currently showstoppers for this line to be released as 
stable?



  The EAP linking issues.  Other than that, the rest of the work is
cleanups.

  I think it will be released as 2.0, because there are just so many
things fixed, and so many new features added.

  Alan DeKok.




--
Sincerely Yours,
Alexander Serkin,
Skylink, Moscow


dictionary.3gpp2 note

2006-01-18 Thread Alexander Serkin

hi,

According to 
http://www.3gpp2.org/Public_html/specs/P.S0001-B_v2.0_041004.pdf (page 
65) the attribute 41 (3GPP2-R-P-Session-Id) in dictionary.3gpp2 should 
be integer, not string.

And i'd remove the comment '#' on it in the file.

Thanks,
--
als


regular expressions parsing changed in 1.1.2 ?

2006-05-30 Thread Alexander Serkin

Hi,
I recently built 1.1.2 and it claims about regular expression in huntgroups:

/opt/fr/etc/raddb/huntgroups[87]: Parse error (check) for entry UNKNOWN:
Illegal regular expression in attribute: Calling-Station-Id: ?, *, +, or
{ } not preceded by valid regular expression

The string contains:
Calling-Station-Id =~ *

Do i need something like that now:
Calling-Station-Id =~ /*/
???

--
Sincerely Yours,
Alexander



mysql 5.0.22 with fr 1.1.2

2006-06-01 Thread Alexander Serkin
while trying to compile the fr 1.1.2 with mysql 5.0.22 i got the 
following with rlm_sql_mysql configure:



checking for mysql_config... yes
checking for mysql_init in -lmysqlclient (using mysql_config)... no
checking for mysql_init in -lmysqlclient... no
configure: warning: mysql libraries not found. Use 
--with-mysql-lib-dir=path.

checking for mysql.h (using mysql_config)... no
checking for mysql/mysql.h... yes
configure: warning: sql submodule 'mysql' disabled

mysql libraries are in /opt/mysql/lib/mysql. The machine is under 
Solaris 8 x86.


crle output says:
[EMAIL PROTECTED]:/usr/local/src/freeradius-1.1.2~# crle

Configuration file [3]: /var/ld/ld.config
  Default Library Path (ELF): 
/usr/lib:/usr/local/lib:/opt/mysql/lib/mysql:/usr/local/ssl/lib

  Trusted Directories (ELF):/usr/lib/secure  (system default)

And /usr/local/mysql is a symbolic link to /opt/mysql.

Everything seems to be in place, but configure does not see mysql.
What could be the reason?

--
Sincerely Yours,
Alexander


Re: mysql 5.0.22 with fr 1.1.2

2006-06-01 Thread Alexander Serkin

Oh, sorry for flood, found the solution in the archives.
http://lists.freeradius.org/mailman/htdig/freeradius-users/2003-April/017789.html

[EMAIL PROTECTED] wrote:

Hi,

while trying to compile the fr 1.1.2 with mysql 5.0.22 i got the 
following with rlm_sql_mysql configure:



you did do

./configure --with-mysql-lib-dir=/opt/mysql/lib/mysql

as per the output bleatings, yes?

alan



--
Sincerely Yours,
Alexander


using CLID

2004-06-10 Thread Alexander Serkin
Hello, freeradius-users.
Is there some way to use CLID (Calling-Station-Id attribute) to determine which 
server to proxy access-request to?
Do not ask why not using realms. We do use realms too.
But the only way to validate that the user comes from our network is to check 
his CLID. Because everybody can set any realm in his login credentials. CLID, 
also known as IMSI in CDMA packet data, is in the form of 15 digits 
XXX. A few starting digits (say first six ones) identify our 
network. If this first digits are different from ours, that means the access 
request should be sent to another operator's AAA server.

--
Sincerely Yours,
Alexander Serkin,
Moscow Cellular Communications
ph. +7(095)7952089
fa. +7(095)7952084


Re: using CLID

2004-06-11 Thread Alexander Serkin
thank you, Alan.
Another question is - can i check through several DEFAULT items?
I mean, if the first DEFAULT matched:
DEFAULT NAS-IP-Address == a.b.c.d,Calling-Station-Id =~ ^123456,
Group-Name := mygroup
Fall-Through = Yes
i want to check next DEFAULT:
DEFAULT Group-Name == mygroup, Realm == some.realm.ru
Auth-Type := Local
Framed-Protocol = PPP,
Service-Type = Framed,
Fall-Through = Yes
And if it matched too - authorize user:
[EMAIL PROTECTED]  User-Password == abcd
Framed-IP-Address = 1.2.3.4

In my configuration after the first default matches, user is authorized, but his 
group attributes (placed in second DEFAULT instance) are ignored.

Alan DeKok wrote:
Alexander Serkin [EMAIL PROTECTED] wrote:
Is there some way to use CLID (Calling-Station-Id attribute) to
determine which server to proxy access-request to?

  You can proxy on any criteria you want.  Just set the Proxy-To-Realm
attribute.  That's what rlm_realm does.
  Alan DeKok.
--
Sincerely Yours,
Alexander Serkin,
Moscow Cellular Communications
ph. +7(095)7952089
fa. +7(095)7952084


copying accounting

2004-06-15 Thread Alexander Serkin
Is it possible to keep accounting for several realms locally along with sending 
it to third party AAA server?
I.e. i need to write accounting for customers visiting us from another network, 
but also send it to their home AAA server.

--
SY,
Alexander Serkin,
Moscow Cellular Communications
ph. +7(095)7952089
fa. +7(095)7952084


Re: copying accounting

2004-06-15 Thread Alexander Serkin
Replicate-To-Realm seems to do what i want.
Copying accounting matching the check item in acct_users
to the realm specified while storing this accounting locally.
Am i right?
Alexander Serkin wrote:
Is it possible to keep accounting for several realms locally along with 
sending it to third party AAA server?
I.e. i need to write accounting for customers visiting us from another 
network, but also send it to their home AAA server.


--
Sincerely Yours,
Alexander Serkin,
Moscow Cellular Communications
ph. +7(095)7952089
fa. +7(095)7952084


Re: copying accounting

2004-06-15 Thread Alexander Serkin
radrelay seems to do more than i need.
Actually the task is to copy accounting for specific CLID of roaming users to 
their home AAA server.
radrelay works directly with detail file which contains not only roaming CLIDs.

Alan DeKok wrote:
Alexander Serkin [EMAIL PROTECTED] wrote:
Replicate-To-Realm seems to do what i want.
Copying accounting matching the check item in acct_users
to the realm specified while storing this accounting locally.
Am i right?

  That attribute is not supported.  Use radrelay.
  Alan DeKok.
--
Sincerely Yours,
Alexander Serkin,
Moscow Cellular Communications
ph. +7(095)7952089
fa. +7(095)7952084


Re: copying accounting

2004-06-16 Thread Alexander Serkin
Ok. I can use radrelay. But. I do not understand the reason why the 
replicate-to-realm is being removed from server.
There are two operators now which we have roaming agreements with.
But what will we do if their amount grows to 10, 20?
We'll have to start up to 20 instances of radrelay.
And monitor their states. Not good, is it?

Alan DeKok wrote:
Alexander Serkin [EMAIL PROTECTED] wrote:
radrelay seems to do more than i need.

  So?  Replicate-To-Realm won't work.  If it does, you're using an
older version of the server, and that feature will STOP working when
you upgrade.
  Don't use Replicate-To-Realm.

Actually the task is to copy accounting for specific CLID of roaming
users to their home AAA server.
radrelay works directly with detail file which contains not only
roaming CLIDs.

  So... configure the server to have a variant of the detail module
which is used only to log the roaming users.
  Alan DeKok.
--
SY,
Alexander


rlm_ippool and NAS-Port missing in access-request

2004-06-17 Thread Alexander Serkin
hello again.
The problem is that Cisco PDSN (NAS for 3G CDMA networks) does not send any 
NAS-Port attributes in its Access-Request:

RADIUS(0022F081): Send to unknown id 21797/240 212.119.96.62:1812, 
Access-Request, len 131
RADIUS:  authenticator C4 5F D4 5B EB C5 68 69 - 16 78 96 A7 5B A7 69 C3
RADIUS:  Vendor, 3GPP2   [26]  16
RADIUS:   cdma-correlation-id[44]  10  0011F792
RADIUS:  Calling-Station-Id  [31]  17  25009702749
RADIUS:  Framed-Protocol [7]   6   PPP   [1]
RADIUS:  User-Name   [1]   8   mobile
RADIUS:  CHAP-Password   [3]   19  *
RADIUS:  Service-Type[6]   6   Framed[2]
RADIUS:  NAS-IP-Address  [4]   6   a.b.c.d
RADIUS:  Acct-Session-Id [44]  18  D477615500339643
RADIUS:  Nas-Identifier  [32]  15  pdsn.foo.bar

but rlm_ippool requires at least NAS-Port to work.
Is there any workaround for this problem?
--
SY,
Alexander


Re: rlm_ippool and NAS-Port missing in access-request

2004-06-17 Thread Alexander Serkin
There is a command.
Something like radius-server attribute nas-port, but it does not work
for now. The IOS Release is the last for this kind of hardware.
And i'll definitely open a case with Cisco regarding this problem.
But this is not a subject for the freeradius-users.
I wonder if i could fix the problem using some friendly freeradius features ;-)
Pate Mark-marpate1 wrote:
...
Hi Alexander,
Speak to Cisco. There should be a command to allow these attributes to be present in 
the Access Request.
The next problem may be that the NAS-Port-ID value is a constant (check with Cisco) - 
I know this is for a related Cisco product on the 2.5G side.
HTH,
Mark
--
SY,
Alexander


Re: rlm_ippool and NAS-Port missing in access-request

2004-06-17 Thread Alexander Serkin
Pate Mark-marpate1 wrote:
I used only NAS-Port and NAS-IP-Address with radclient and it seems enough to 
allocate an IP from the pool:

Sending Access-Request of id 69 to 127.0.0.1:1812
        User-Name = [EMAIL PROTECTED]
        User-Password = xx
        Calling-Station-Id = 25009702749
        Framed-Protocol = PPP
        Service-Type = Framed-User
        NAS-IP-Address = 212.119.97.86
        NAS-Port = 55
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=69, length=44
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 212.119.124.33
        Framed-IP-Netmask = 255.255.255.255


What if you send another access-request with the same nas-port value - you
get the same IP address? Cisco seem to have a problem with the way that they
oops. Second request gives another address, but third request gives the same as 
it was in the first. Not good.

use nas-port on the GGSN and possibly the PDSN. You need to check with Cisco
that the nas-port value is changed for each subscriber.
nas-port is different, but it is missed in access-request as long as nas-port-id.
I've only nas-port and only in accounting request. Too bad.

Mark
--
SY,
Alexander


FR-1.1.2 dies with error

2006-08-03 Thread Alexander Serkin

Hi all.
We have some trouble with fr-1.1.2, Oracle-9.2.0.6, Solaris 9.
The process dies periodically with the error:

Thu Aug  3 14:27:43 2006 : Error: Assertion failed in request_list.c, 
line 1012


FR is built with the following configuration:
./configure \
--with-ltdl-lib=libltdl \
--with-ltdl-include=libltdl \
--enable-ltdl-install=yes \
--with-threads \
--without-openssl \
--enable-developer \
--prefix=/opt/fr

It did not dump core, though i enabled it in radiusd.conf and said 
ulimit -c unlimited.


any suggestions?

--
Sincerely Yours,
Alexander


Re: FR-1.1.2 dies with error

2006-08-04 Thread Alexander Serkin

Alan DeKok wrote:

  It's probably because your DB is slow.  See the logs for messages
about unresponsive child.  The code path to the assertion is taken
only when the request has been marked done, but there is still a
child thread blocked, and working on it.

  Either fix the DB, or delete the assertion.  But if you delete the
assertion, odds are that something else will go wrong elsewhere.


Do you mean just comment out line 1012 in request_list.c ?

I think i'll try this first because speeding up DB is not a trivial task 
by now.


Thanks for the hints,
--
Sincerely Yours,
Alexander


Re: FR-1.1.2 dies with error

2006-08-06 Thread Alexander Serkin

Laker Netman wrote:

How large a DB is this?  And what type of link is
there between FR and the DB?


It's about 36 million records since april 2005.



Unless there are, literally, (tens of) thousands of
records and/or a *slow* link (think dial-up) and/or
ancient hardware there should be some reasonable ways
to speed up the DB response.  Archiving of records and
indexing are two that come to mind first.  More
complicated, but effective, would be clustering or
optimization, even review of the DB version
(deprecated?).


I was partially wrong with the environment description. The 
authentication DB is very small (less than 1 records in all the 
tables). It is local on Sun Netra 1120 (2x440MHz) and Oracle 9.2.0.6. It 
serves about 2 to 5 radius requests per second.

And the accounting DB is located on remote server (HP DL380 3GHz,
Red Hat Enterprise with Oracle 10.2.0.1), connected to AAA server via 
100BaseT link (loaded by 1-5%). The accounting process takes up to 25 
requests per second. I suppose this is what bites the radius process 
periodically.




Alan is correct, you are fixing (hiding) a symptom,
and I can say from personal experience it *will* bite
you in the butt at some point :)  The worst part of
it, too, will be that the new issue may not be clearly
linkable back to the FR problem you have currently and
you may not remember this piece of the puzzle.


You are definitely right. We'll consider archiving. Indexing is already 
done on all the columns taking part in where clauses.

Commenting rad_assert is just a temporary solution.
Just for me to spend weekend with my friends and some beer.
And not to be awaken in the night by damned SMS from dead AAA process :-)

Thanks,
--
Alexander


Re: FR-1.1.2 dies with error

2006-08-14 Thread Alexander Serkin

Hi all,

Alan DeKok wrote:

Alexander Serkin [EMAIL PROTECTED] wrote:

Do you mean just comment out line 1012 in request_list.c ?


  Yes.

I think i'll try this first because speeding up DB is not a trivial task 
by now.


  But it's the real source of the problem...



I'm still trying to investigate the problem with one of my AAA servers.
Is it possible to tell on which request assertion fails?
I mean authentication or accounting.
We have two servers and use load-balancing between them configured on NASes.
But assertion fails periodically with only one of the servers mostly on 
line 1012 of request_list.c, but sometimes on line 1039 of the same file.



--
Sincerely Yours,
Alexander


Re: FR-1.1.2 dies with error

2006-08-15 Thread Alexander Serkin

Alan DeKok wrote:

Alexander Serkin [EMAIL PROTECTED] wrote:

I'm still trying to investigate the problem with one of my AAA servers.


  It's a problem with the DB, not with the server.



I understand this, Alan. My experiments with hiding assertion strings in 
request_list.c came into failure.
And i feel that Oracle is not good production server for radius 
accounting. Or the DB structure is not optimal for our application.
Does anybody in the list use the FROracle for the systems serving about 
4500 simultaneous connections? It's really not much, but...

Will the accounting table partitioning help?

--
Sincerely Yours,
Alexander


Re: FR-1.1.2 dies with error

2006-08-16 Thread Alexander Serkin

Alan DeKok wrote:

Alexander Serkin [EMAIL PROTECTED] wrote:
And i feel that Oracle is not good production server for radius 
accounting. Or the DB structure is not optimal for our application.


  I know of Oracle installations with 400k users.  And the default
schema works with installations of millions of users.


do you mean 400k active simultaneous connections? And do they use 
accounting updates (Interim-Update records)?




Does anybody in the list use the FROracle for the systems serving about 
4500 simultaneous connections? It's really not much, but...

Will the accounting table partitioning help?


  How big are your tables?  Do you have gigabytes of historical data
in them?


The table is about 37 million records since april 2005.

--
Sincerely Yours,
Alexander


Re: FR-1.1.2 dies with error

2006-08-16 Thread Alexander Serkin

Nicolas Baradakis wrote:

Alexander Serkin wrote:

And i feel that Oracle is not good production server for radius 
accounting. Or the DB structure is not optimal for our application.
Does anybody in the list use the FROracle for the systems serving about 
4500 simultaneous connections? It's really not much, but...

Will the accounting table partitioning help?


Maybe you could use radsqlrelay for accounting data, so FreeRADIUS
doesn't interact with the database anymore. See the manpages for
rlm_sql_log(5) and radsqlrelay(8) for more details.



didn't think about this yet. Is it possible to run radsqlrelay similar 
to radrelay - when it feeds the sql log to db while the log is being 
written by radiusd?


--
Sincerely Yours,
Alexander


Oracle is not supported by radsqlrelay?

2006-08-16 Thread Alexander Serkin

Alexander Serkin wrote:

Nicolas Baradakis wrote:


Maybe you could use radsqlrelay for accounting data, so FreeRADIUS
doesn't interact with the database anymore. See the manpages for
rlm_sql_log(5) and radsqlrelay(8) for more details.



didn't think about this yet. Is it possible to run radsqlrelay similar 
to radrelay - when it feeds the sql log to db while the log is being 
written by radiusd?


Oracle is not supported by radsqlrelay?

# radsqlrelay -b CDMA -d oracle -h host -P 1521 -p pass -u user -x ./tst-sql
error: SQL driver not supported yet: oracle

This is very strange because i remember that i used it once after some 
maintenance operations with our oracle DB. May be with freeradius-1.1.1.

Something changed?

--
Sincerely Yours,
Alexander


Re: Oracle is not supported by radsqlrelay?

2006-08-16 Thread Alexander Serkin

Nicolas Baradakis wrote:

radsqlrelay was added in version 1.1.0 and since then it was never
changed. (you can check the CVS log if you want)



Yes. i was wrong. In my case i've just fed sqllog to sqlplus utility.
Finally radsqlrelay works for me with oracle too after patching 2 
strings as you said.
At least this gives us a chance to free up the production db temporary 
for optimization.


Thanks for the hint, Nicolas.

--
Sincerely Yours,
Alexander


Re: FR-1.1.2 dies with error

2006-08-16 Thread Alexander Serkin

Alan DeKok wrote:

Alexander Serkin [EMAIL PROTECTED] wrote:

  I know of Oracle installations with 400k users.  And the default
schema works with installations of millions of users.
do you mean 400k active simultaneous connections? And do they use 
accounting updates (Interim-Update records)?


  There are no simultaneous connections in RADIUS.


Oh, sorry. I didn't mean simultaneous connections. I meant the amount of 
online users. We have up to ~4500 online connections for ~170k subscribers.




  I mean 400k users, many of whom are online at the same time, and
sending accounting updates.


The table is about 37 million records since april 2005.


  Is it indexed?


yes it is indexed by all columns which take part in where clauses of 
the select and update queries.




  And why do you have a years worth of data available to your RADIUS
server?  It's completely unnecessary.

  You may need a years worth of data available for your billing
software, and long-term records, but those things don't need one
second response time.  Change your tables so that you have current
data (i.e. last month or so) available to FreeRADIUS, and leave the
year-old data in another table that the server doesn't use.


We will. This is subject to discuss with our DBAs.
Thanks for your comments, Alan.

--
Sincerely Yours,
Alexander


Re: Oracle is not supported by radsqlrelay?

2006-08-16 Thread Alexander Serkin

Nicolas Baradakis wrote:

Alexander Serkin wrote:


Finally radsqlrelay works for me with oracle too after patching 2
strings as you said.


Please create a patch with diff -u radsqlrelay.orig radsqlrelay
and post it to the list. I'll add it in version 1.1.3.



Here it is:

--- radsqlrelay.orig2006-08-16 15:40:58.220277000 +0400
+++ radsqlrelay 2006-08-16 17:53:20.151452000 +0400
@@ -156,6 +156,8 @@
 $data_source = DBI:mysql:database=$args{b};host=$args{h};
 } elsif (lc($args{d}) eq 'pg') {
 $data_source = DBI:Pg:dbname=$args{b};host=$args{h};
+} elsif (lc($args{d}) eq 'oracle') {
+$data_source = DBI:Oracle:$args{b};
 } else {
 print STDERR error: SQL driver not supported yet: $args{d}\n;
 exit 1;
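
Review bot: the new oracle branch builds $data_source from $args{b} alone, so -h is silently ignored for this driver, while the mysql and pg branches just above both use host=$args{h}. Either say in the usage text that for oracle the -b value must be a TNS alias resolvable through tnsnames.ora, or build the DSN as host=$args{h};sid=$args{b} when -h is given, so that the same command line behaves consistently across drivers.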

with -b db.domain.tld i give the database description stored in 
$TNS_ADMIN/tnsnames.ora:


db.domain.tld =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db.domain.tld)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = DB SID)
    )
  )

--
Sincerely Yours,
Alexander


rlm_perl link error

2006-09-18 Thread Alexander Serkin

Hi,
i'm getting the following error while building rlm_perl module:

make[6]: Entering directory 
`/opt/fr/src/freeradius-1.1.3/src/modules/rlm_perl'

/opt/fr/src/freeradius-1.1.3/libtool --mode=link gcc -release 1.1.3 \
-module -export-dynamic   -o rlm_perl.la \
-rpath /opt/fr/lib rlm_perl.lo rlm_perl.c 
/opt/fr/src/freeradius-1.1.3/src/lib/libradius.la \
`perl -MExtUtils::Embed -e ldopts` -lnsl -lresolv -lsocket -lposix4 
-lpthread


*** Warning: Linking the shared library rlm_perl.la against the
*** static library 
/usr/local/lib/perl5/5.8.6/sun4-solaris/auto/DynaLoader/DynaLoader.a is 
not portable!
gcc -shared -Wl,-h -Wl,rlm_perl-1.1.3.so -o .libs/rlm_perl-1.1.3.so 
.libs/rlm_perl.o  -R/opt/fr/src/freeradius-1.1.3/src/lib/.libs 
-R/opt/fr/lib /opt/fr/src/freeradius-1.1.3/src/lib/.libs/libradius.so 
-L/usr/local/lib 
/usr/local/lib/perl5/5.8.6/sun4-solaris/auto/DynaLoader/DynaLoader.a 
-L/usr/local/lib/perl5/5.8.6/sun4-solaris/CORE -lperl -ldl -lm -lc -lnsl 
-lresolv -lsocket -lposix4 -lpthread -lc

Text relocation remains referenced
against symbol  offset  in file
unknown   0x2628 
/usr/local/lib/perl5/5.8.6/sun4-solaris/CORE/libperl.a(perl.o)

...

does it mean that perl is compiled incorrectly on the machine?
It seems to be installed from SMCperl binary package for SunOS 5.8

--
Sincerely Yours,
Alexander


FR-1.1.3 on solaris10 strange things

2006-11-02 Thread Alexander Serkin

Hi.
We have strange behaviour on sparc solaris 10 server with fr-1.1.3 
installed:
without any visible reason the radiusd process goes to almost 100% CPU 
usage for 3-5 minutes. Then it comes back to normal state again (less 
than 1% CPU).
Visually the 100% CPU load does not impact the system functionality - 
there are no problems with authentication/accounting processing.
The server is not hard loaded - there are not more than 2-3 requests per 
second on it.


prstat output reports:

PID USERNAME  SIZE   RSS STATE  PRI NICE  TIME  CPU PROCESS/NLWP
757 radius 93M   10M run 400   0:56:05  99% radiusd/18

and prstat -vm :

PID USERNAME USR SYS TRP TFL DFL LCK SLP LAT VCX ICX SCL SIG PROCESS/NLWP
757 radius   4.5 1.1 0.0 0.0 0.0  93 0.2 1.6  65 315 .24   0 radiusd/18

has anybody seen this? What can be the reason?

Previously it was run on Netra-1120 with solaris 9, the subject appeared 
after moving to netra-240 Sol10:

5.10 Generic sun4u sparc SUNW,Netra-240

--
Alexander


Re: FR-1.1.3 on solaris10 strange things

2006-11-08 Thread Alexander Serkin

Alan DeKok wrote:

Alexander Serkin [EMAIL PROTECTED] wrote:
We have strange behaviour on sparc solaris 10 server with fr-1.1.3 
installed:
without any visible reason the radiusd process goes to almost 100% CPU 
usage for 3-5 minutes. Then it comes back to normal state again (less 
than 1% CPU).


  Yuck.  I don't run Solaris, so I can't comment more than that...

  It looks like a busy loop somewhere, probably in the main socket
handling code.



We'll run a second instance on another netra soon.
May be someone could give an advice how to debug the problem while the 
server will not be in production?


--
Sincerely Yours,
Alexander


Re: FR-1.1.3 on solaris10 strange things

2006-11-13 Thread Alexander Serkin

Alan DeKok wrote:

Alexander Serkin [EMAIL PROTECTED] wrote:
May be someone could give an advice how to debug the problem while the 
server will not be in production?


  Attach to it with gdb, and see what it's doing.



Got some debugs on this. The problem does not depend on solaris version 
- both 9 and 10 have the same effects.
The effect rises up when the request is proxied to other server and this 
server does not answer:


rad_recv: Access-Request packet from host 127.0.0.1:34653, id=69, length=81
User-Name = mobile
User-Password = internet
Calling-Station-Id = 999
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 212.119.97.85
rad_lowerpair:  User-Name now 'mobile'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
rlm_realm: No '@' in User-Name = mobile, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = mobile
rlm_realm: Proxying request from user mobile to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
users: Matched entry DEFAULT at line 156
  modcall[authorize]: module files returns ok for request 0
radius_xlat:  'mobile'
rlm_sql (sqlauth): sql_set_user escaped user -- 'mobile'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'mobile' ORDER BY id'

rlm_sql (sqlauth): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
 FROM radgroupcheck,usergroup WHERE (usergroup.Username = 'mobile' or 
usergroup.CLID = '999') AND usergroup.GroupName = 
radgroupcheck.GroupName ORDER BY usergroup.PRIORITY,radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'mobile' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
 FROM radgroupreply,usergroup WHERE (usergroup.Username = 'mobile' OR 
usergroup.CLID = '999') AND usergroup.GroupName = 
radgroupreply.GroupName ORDER BY radgroupreply.id'

rlm_sql (sqlauth): Released sql socket id: 4
  modcall[authorize]: module sqlauth returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
Sending Access-Request of id 0 to 212.119.96.99 port 1812
User-Name = mobile
User-Password = internet
Calling-Station-Id = 999
Framed-Protocol = PPP
Service-Type = Framed-User
NAS-IP-Address = 212.119.97.85
Proxy-State = 0x3639
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 0 seconds...

After that the strings Walking/Waking rapidly appear during dead_time 
configured in proxy.conf and at the same time the process takes about 
50% of CPU on slow netra 1120 (2x440MHz) and up to 99% on Netra-240 
(1x1GHz). After dead_time we see:


Waking up in 0 seconds...
--- Walking the entire request list ---
Rejecting request 0 due to lack of any response from home server 
localhost:34653

Server rejecting request 0.
Waking up in 0 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 69 to 127.0.0.1 port 34653
Cleaning up request 0 ID 69 with timestamp 45596c9d
Nothing to do.  Sleeping until we see a request.
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.


I do not understand why it says home server localhost while the 
request was proxied to home server 212.119.96.99?


May be i have some incorrect configuration in the proxy.conf?

proxy.conf:

Proxy server {
synchronous = no
retry_delay = 5
retry_count = 3
dead_time = 15
default_fallback = no
}
realm DUMMY {
type= radius
authhost= 212.119.96.99:1812
accthost= 212.119.96.99:1813
secret  = secret
nostrip
}



--
Sincerely Yours,
Alexander
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
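
The busy loop described in the message above can be spotted mechanically in `radiusd -X` output. The following is an added example, not part of the original thread or of FreeRADIUS: it measures the longest unbroken run of "Waking up in 0 seconds..." lines and collects the "lack of any response from home server" rejections. The function names, the threshold of 20 and the sample log (constructed from the lines quoted in the message, with a documentation IP address) are assumptions.

```python
import re

WALK = "--- Walking the entire request list ---"
WAKE_RE = re.compile(r"^Waking up in (\d+) seconds\.\.\.$")
# \s+ before the server name tolerates the line wrap seen in the posted log.
REJECT_RE = re.compile(
    r"Rejecting request (\d+) due to lack of any response "
    r"from home server\s+(\S+)"
)


def spin_report(debug_text, threshold=20):
    """Summarise zero-second wakeups in radiusd debug output.

    threshold is an assumed cut-off, not a FreeRADIUS setting: a few
    zero-second wakeups are normal, a long unbroken run is a busy loop.
    """
    longest = run = 0
    for raw in debug_text.splitlines():
        line = raw.strip()
        if not line or line == WALK:
            continue  # list walks and blank lines do not break a run
        match = WAKE_RE.match(line)
        if match and int(match.group(1)) == 0:
            run += 1
            longest = max(longest, run)
        else:
            run = 0  # any other line (packet, module call) ends the run
    rejects = [(int(req), server)
               for req, server in REJECT_RE.findall(debug_text)]
    return {
        "longest_zero_wake_run": longest,
        "spinning": longest >= threshold,
        "no_response_rejects": rejects,
    }


def build_sample(spins=50):
    """Constructed debug output modelled on the lines quoted in the thread."""
    lines = [
        "Sending Access-Request of id 0 to 192.0.2.99 port 1812",
        WALK,
        "Waking up in 1 seconds...",
    ]
    for _ in range(spins):
        lines += [WALK, "Waking up in 0 seconds..."]
    lines += [
        WALK,
        "Rejecting request 0 due to lack of any response from home server ",
        "localhost:34653",
        "",
        "Server rejecting request 0.",
        "Waking up in 0 seconds...",
        WALK,
        "Sending Access-Reject of id 69 to 127.0.0.1 port 34653",
        "Nothing to do.  Sleeping until we see a request.",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(spin_report(build_sample()))
```
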


Re: FR-1.1.3 on solaris10 strange things

2006-11-14 Thread Alexander Serkin

Alexander Serkin wrote:

Alan DeKok wrote:

Alexander Serkin [EMAIL PROTECTED] wrote:
May be someone could give an advice how to debug the problem while 
the server will not be in production?


  Attach to it with gdb, and see what it's doing.



Got some debugs on this. The problem does not depend on solaris version 
- both 9 and 10 have the same effects.
The effect rises up when the request is proxied to other server and this 
server does not answer:

...
After that the strings Walking/Waking rapidly appear during dead_time 
configured in proxy.conf and at the same time the process takes about 
50% of CPU on slow netra 1120 (2x440MHz) and up to 99% on Netra-240 
(1x1GHz). After dead_time we see:




Sorry not after dead_time. After (retry_delay*retry_count).


--
Sincerely Yours,
Alexander


Re: FR-1.1.3 on solaris10 strange things

2006-11-14 Thread Alexander Serkin

Alexander Serkin wrote:

Alexander Serkin wrote:

...
After that the strings Walking/Waking rapidly appear during dead_time 
configured in proxy.conf and at the same time the process takes about 
50% of CPU on slow netra 1120 (2x440MHz) and up to 99% on Netra-240 
(1x1GHz). After dead_time we see:




Sorry not after dead_time. After (retry_delay*retry_count).


Sorry again. After max_request_time (60s).



--
Sincerely Yours,
Alexander


Re: FR-1.1.3 on solaris10 strange things

2006-11-14 Thread Alexander Serkin

Sorry, sorry, sorry. It's all my fault.
Proxy server instead of proxy server in proxy.conf.
So it did not retry and set retry_delay to 0 and so on...

--
Sincerely Yours,
Alexander
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
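
A small lint for the mistake reported in the message above, as an added example that is not part of the original thread or of FreeRADIUS: it flags a top-level proxy.conf section whose name matches an expected header only when case is ignored, and shows that the settings inside such a section are not found under the correct name. The function names, the expected-header list (taken from the proxy.conf quoted in the thread) and the constructed sample with a documentation IP address are assumptions.

```python
import re

# Section headers as written in the proxy.conf quoted in the thread.
EXPECTED_HEADERS = {"proxy": "proxy server", "realm": "realm"}

# "name [instance ...] {" alone on a line opens a section.
HEADER_RE = re.compile(r"^([A-Za-z_][\w.-]*(?:\s+[^\s{]+)*)\s*\{\s*$")


def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            return line[:i]
    return line


def top_level_sections(text):
    """Return [(line_number, header_words, settings)] for top-level sections."""
    sections = []
    depth = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            if depth == 0:
                sections.append((lineno, header.group(1).split(), {}))
            depth += 1
        elif line == "}":
            depth = max(0, depth - 1)
        elif depth == 1 and "=" in line:
            key, value = line.split("=", 1)
            sections[-1][2][key.strip()] = value.strip()
    return sections


def lint_proxy_conf(text):
    """Return (line, header_as_written, expected_header) for case mismatches."""
    findings = []
    for lineno, words, _settings in top_level_sections(text):
        expected = EXPECTED_HEADERS.get(words[0].lower())
        if expected is None:
            continue  # a section type this check knows nothing about
        want = expected.split()
        got = words[:len(want)]
        if got != want and [w.lower() for w in got] == want:
            findings.append((lineno, " ".join(words), expected))
    return findings


def proxy_server_settings(text):
    """Settings of a correctly spelled 'proxy server' section, else {}."""
    for _lineno, words, settings in top_level_sections(text):
        if words == ["proxy", "server"]:
            return settings
    return {}


SAMPLE = """\
# constructed copy of the proxy.conf quoted in the thread
Proxy server {
    synchronous = no
    retry_delay = 5
    retry_count = 3
    dead_time = 15
    default_fallback = no
}
realm DUMMY {
    type     = radius
    authhost = 192.0.2.99:1812   # documentation address, not from the thread
    accthost = 192.0.2.99:1813
    secret   = secret
    nostrip
}
"""

if __name__ == "__main__":
    for lineno, written, expected in lint_proxy_conf(SAMPLE):
        print(f"line {lineno}: '{written}' should be '{expected}'")
    print("proxy server settings seen:", proxy_server_settings(SAMPLE))
```
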


new radrelay features

2006-11-21 Thread Alexander Serkin

Hi,
According to the docs on 2.0.0 pre-release do i understand right that
to proxy accounting requests i should set up radiusd.conf to put 
accounting into detail file and set up radrelay.conf to proxy requests 
to another servers?
What confuses me is that both radiusd.conf and radrelay.conf include the 
same files - proxy.conf and acct_users. And in many configurations 
acct_users for radiusd.conf and for radrelay.conf will be different.
Should we keep two different files say acct_users_radiusd and 
acct_users_radrelay in that case? And it seems that we should have two 
proxy.conf files also.


--
als


configuring groups in sql tables

2006-11-27 Thread Alexander Serkin

Hi,
Either i'm missing something in docs or it is impossible to do more than 
one groupcheck for the same username by sql.

I have two groups which should be authorized differently - group1:
DEFAULT Huntgroup-Name == MSK, Realm == domain.com, Auth-Type := Accept
Service-Type =  Outbound-User,
Tunnel-Type = L2TP,
Tunnel-Server-Endpoint =  xxx.yyy.97.71,
Cisco-AVpair += vpdn:l2tp-tunnel-password=secret

and group2:
DEFAULT Realm == domain.com, NAS-IP-Address == xxx.yyy.117.1
Framed-Protocol = PPP,
Service-Type = Framed,
Framed-IP-Netmask = 255.255.255.255,
cisco-avpair = lcp:interface-config=peer default ip address
pool VRFNAM\nppp ipcp dns aaa.bbb.1.253 aaa.bbb.1.253\nppp ipcp wins
aaa.bbb.1.253\n

What i can do:
insert into RADGROUPCHECK values('','group2','Realm','==','domain.com');
insert into RADGROUPCHECK
values('','group2','NAS-IP-Address','==','xxx.yyy.117.1');
insert into RADGROUPREPLY values('','group2','Framed-Protocol','=','PPP');
insert into RADGROUPREPLY values('','group2','Service-Type','=','Framed');
insert into RADGROUPREPLY
values('','group2','Framed-IP-Netmask','=','255.255.255.255');
insert into RADGROUPREPLY
values('','group2','cisco-avpair','=','lcp:interface-config=peer default
ip address pool group1\nppp ipcp dns aaa.bbb.1.253 aaa.bbb.1.253\nppp
ipcp wins aaa.bbb.1.253\n');

and

insert into USERGROUP values('','[EMAIL PROTECTED]','','group2','5');

Then i can remove group2 description from users file and it works.
But when i do the same with group1 - both groups 1 and 2 stop working.
The difference is that both radgroupcheck and radgroupreply sql queries 
now return two attribute sets for group 1 and 2 simultaneously.
I thought that radiusd should follow check items and select the proper 
group according to attributes present in the request, but sqlauth module 
returns notfound. So the users file and sql tables are not processed in 
the same manner. What am i missing?


--
Sincerely Yours,
Alexander



configuring groups in sql tables

2006-12-14 Thread Alexander Serkin

Sorry, may be my question was not spelled well.
Actually i need to move multiple default entries from users file into 
sql table. Is it possible to create multiple DEFAULT instances in sql 
tables instead of placing them in users file like this:


DEFAULT Huntgroup-Name == MSK, Realm == domain1.com, Auth-Type := Accept
Service-Type =  Outbound-User,
Tunnel-Type = L2TP,
Tunnel-Server-Endpoint =  1.1.1.1,
Cisco-AVpair += vpdn:l2tp-tunnel-password=secret1

DEFAULT Huntgroup-Name == MSK, Realm == domain2.com, Auth-Type := Accept
Service-Type =  Outbound-User,
Tunnel-Type = L2TP,
Tunnel-Server-Endpoint =  2.2.2.2,
Cisco-AVpair += vpdn:l2tp-tunnel-password=secret2

and so on ?


Alexander Serkin wrote:

Hi,
Either i'm missing something in docs or it is impossible to do more than 
one groupcheck for the same username by sql.

I have two groups which should be authorized differently - group1:
DEFAULT Huntgroup-Name == MSK, Realm == domain.com, Auth-Type := Accept
Service-Type =  Outbound-User,
Tunnel-Type = L2TP,
Tunnel-Server-Endpoint =  xxx.yyy.97.71,
Cisco-AVpair += vpdn:l2tp-tunnel-password=secret

and group2:
DEFAULT Realm == domain.com, NAS-IP-Address == xxx.yyy.117.1
Framed-Protocol = PPP,
Service-Type = Framed,
Framed-IP-Netmask = 255.255.255.255,
cisco-avpair = lcp:interface-config=peer default ip address
pool VRFNAM\nppp ipcp dns aaa.bbb.1.253 aaa.bbb.1.253\nppp ipcp wins
aaa.bbb.1.253\n

What i can do:
insert into RADGROUPCHECK values('','group2','Realm','==','domain.com');
insert into RADGROUPCHECK
values('','group2','NAS-IP-Address','==','xxx.yyy.117.1');
insert into RADGROUPREPLY values('','group2','Framed-Protocol','=','PPP');
insert into RADGROUPREPLY values('','group2','Service-Type','=','Framed');
insert into RADGROUPREPLY
values('','group2','Framed-IP-Netmask','=','255.255.255.255');
insert into RADGROUPREPLY
values('','group2','cisco-avpair','=','lcp:interface-config=peer default
ip address pool group1\nppp ipcp dns aaa.bbb.1.253 aaa.bbb.1.253\nppp
ipcp wins aaa.bbb.1.253\n');

and

insert into USERGROUP values('','[EMAIL PROTECTED]','','group2','5');

Then i can remove group2 description from users file and it works.
But when i do the same with group1 - both groups 1 and 2 stop working.
The difference is that both radgroupcheck and radgroupreply sql queries 
now return two attribute sets for group 1 and 2 simultaneously.
I thought that radiusd should follow check items and select the proper 
group according to attributes present in the request, but sqlauth module 
returns notfound. So the users file and sql tables are not processed in 
the same manner. What am i missing?





--
Sincerely Yours,
Alexander Serkin,
Moscow Cellular Communications,
ph. +7(495)7952089
fa. +7(495)7952084
skype: aserkin


Re: configuring groups in sql tables

2006-12-14 Thread Alexander Serkin

Michael Schwartzkopff wrote:


Perhaps you like to use the SQL-Group test like

TestNAS1    NAS-IP-Address == xxx.xxx.xxx.xxx
SQL-Group == dialup,
SQL-Group == adsl

in the proxy config.



Sorry, Michael.
Did not understand this quite well. My multiple DEFAULT entries do not 
depend on NAS. They are mostly defined by Realm - on every specific 
realm we should accept the request and give different tunnel attributes.
So do we need to determine the group by RealmHuntgroup-Name and insert 
the reply attributes into radgroupreply?

That does not fit in my mind, sorry. I need an example :-)


--
als


dictionary.3gpp2 suggested patch

2007-01-11 Thread Alexander Serkin

Hi, freeradius-users.
I'd suggest a small patch for dictionary.3gpp2. The corrections include 
some attributes described in latest 3gpp2 specifications, which 
are used in our environment.
It corrects 3GPP2-R-P-Session-ID to be integer, and sets several 
attributes according to their description in 
http://www.3gpp2.org/Public_html/specs/X.S0011-005-C_v3.0_061030.pdf :

3GPP2-Always-On
3GPP2-MEID
and
http://www.3gpp2.org/Public_html/specs/A.S0008-B_v1.0_061019.pdf (Annex E):
3GPP2-HRPD-Access-Authentication
3GPP2-HRPD-AT-Hardware-Id

The patch itself is:

--- dictionary.3gpp2.orig   2005-12-01 01:17:18.0 +0300
+++ dictionary.3gpp22007-01-11 09:39:51.900975000 +0300
@@ -57,12 +57,12 @@
 ATTRIBUTE  3GPP2-IP-QoS36  integer
 # 37-38 ?
 ATTRIBUTE  3GPP2-Airlink-Priority  39  integer
-ATTRIBUTE  3GPP2-Airlink-Record-Type   40  integer # ?
-#ATTRIBUTE 3GPP2-R-P-Session-ID41  string
-ATTRIBUTE  3GPP2-Airlink-Sequence-Number   42  integer # ?
+ATTRIBUTE  3GPP2-Airlink-Record-Type   40  integer
+ATTRIBUTE  3GPP2-R-P-Session-ID41  integer
+ATTRIBUTE  3GPP2-Airlink-Sequence-Number   42  integer
 ATTRIBUTE  3GPP2-Received-HDLC-Octets  43  integer
 ATTRIBUTE  3GPP2-Correlation-Id44  string
-ATTRIBUTE  3GPP2-Module-Orig-Term-Indicator45  octets # ?
+ATTRIBUTE  3GPP2-Module-Orig-Term-Indicator45  octets
 ATTRIBUTE  3GPP2-Inbound-Mobile-IP-Sig-Octets  46  integer
 ATTRIBUTE  3GPP2-Outbound-Mobile-IP-Sig-Octets 47  integer
 ATTRIBUTE  3GPP2-Session-Continue  48  integer
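Review bot: the line enabling 3GPP2-R-P-Session-ID (41) changes the type from the commented-out string to integer, and the "# ?" markers on 40, 42 and 45 are dropped, but nothing in the file records which document settles these. Suggest a comment above attribute 41 naming the specification and section that defines it as an integer, and the same for the three attributes whose question marks are removed, so the change can be verified later.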
@@ -80,7 +80,10 @@
 # The next set of attributes contain sub-types
 ATTRIBUTE  3GPP2-Remote-IP-Address 59  octets

-# 60 - 69 are marked reserved
+ATTRIBUTE  3GPP2-HRPD-Access-Authentication60  integer
+ATTRIBUTE  3GPP2-HRPD-AT-Hardware-Id   61  octets
+
+# 62 - 69 are marked reserved

 ATTRIBUTE  3GPP2-Remote-IPv6-Address   70  octets
 ATTRIBUTE  3GPP2-Remote-Address-Table-Index71  octets
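Review bot: the new lines for 60 and 61 land directly under the existing comment "# The next set of attributes contain sub-types", yet 3GPP2-HRPD-Access-Authentication is typed integer, so that comment now mislabels it. Suggest setting the pair apart with its own comment line, for example one naming A.S0008-B Annex E, which the message gives as the source, ahead of the "# 62 - 69 are marked reserved" line.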
@@ -91,10 +94,7 @@
 # the following don't contain subtypes
 ATTRIBUTE  3GPP2-DNS-Update-Required   75  integer

-# Is this 76 or 78?  Check...
-#ATTRIBUTE 3GPP2-Always-On 76  integer
-# 77 ?
-#ATTRIBUTE 3GPP2-Always-On 78  integer
+ATTRIBUTE  3GPP2-Always-On 78  integer
 ATTRIBUTE  3GPP2-Foreign-Agent-Address 79  ipaddr
 ATTRIBUTE  3GPP2-Last-User-Activity-Time   80  integer
 ATTRIBUTE  3GPP2-MN-AAA-Removal-Indication 81  integer
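Review bot: removing the "# Is this 76 or 78?" block settles 3GPP2-Always-On on 78 but leaves 76 and 77 without any annotation, whereas the file marks other gaps explicitly (the "# 37-38 ?" line in the first hunk). Suggest keeping a one-line comment for 76-77 and noting next to 78 that it follows X.S0011-005-C, as stated in the message, so the resolved question is documented instead of silently deleted.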
@@ -123,5 +123,6 @@
 # The next set of attributes contain sub-types
 ATTRIBUTE  3GPP2-Remote-IPv6-Octet-Count   97  octets
 ATTRIBUTE  3GPP2-PrePaid-Tariff-Switching  98  octets
+ATTRIBUTE  3GPP2-MEID  116 string

 END-VENDOR 3GPP2
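Review bot: 3GPP2-MEID (116, string) is appended straight after 97 and 98 under "# The next set of attributes contain sub-types", so it reads as part of the sub-typed octets block and the jump from 98 to 116 is unexplained. Suggest a short comment before it giving the source specification and stating that 99-115 are not defined in this file, in line with how the file annotates other ranges.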


--
Sincerely Yours,
Alexander


Re: Freeradius on Sun Fire platforms

2007-01-11 Thread Alexander Serkin

[EMAIL PROTECTED] wrote:
Could anyone advise whether Freeradius can be run on the below SUN 
Hardware/Software platform list.


Many thanks in advance for the support you can provide, your help is 
much appreciated.



Sun Fire V210    UltraSPARC IIIi / Solaris 10 Java ES
Sun Fire V240    UltraSPARC IIIi / Solaris 10 Java ES


we successfully run FR on V240 platform, Sol10 since the beginning of 
November 2006


--
Sincerely Yours,
Alexander


Re: Cisco-AVpair rate-limit attributes

2007-01-19 Thread Alexander Serkin

satish patel wrote:

Dear all

  I have Cisco VPDN with freeradius ( 1.1.4 ) on Suse 10.2 
my users connect through the XP client using a VPN connection and using 
Internet Services but now the thing is that I want to restrict user base 
bandwidth, meaning I want to set bandwidth 64kbps for user1 and 128 kbps 
for user2, so is it possible through the Cisco-Avpair attributes. I have 
found lots of documents regarding cisco-AVpair attributes, then I tested it 
on my network but I don't know if it will work or not


You have to identify the Virtual-Access interface of this user when he 
is online and look at this command output:


sh interface Virtual-Access X rate-limit



--
Sincerely Yours,
Alexander


Re: Cisco-AVpair rate-limit attributes

2007-01-19 Thread Alexander Serkin

satish patel wrote:

Thanks  dear

   now my cisco-AVPair is working with the users file but 
tell me, does it work with mysql tables?  but I have noticed when I set 


why not?

64000 then my bandwidth meter gives me 500 kbps u r passing is it any 
issue regarding rate-limit ???


I'm not aware of any rate-limit issues. It may depend on platform and 
IOS version.
You should accurately check which attributes you're giving by the radius 
running it in debug mode (radiusd -X) or say debug radius on cisco box 
to check the request/accept attributes. If your cisco is in production 
don't forget to set debug condition on username tested in order to limit 
debug output to the session being tested.


--
Sincerely Yours,
Alexander


Re: Message in radius.log

2007-02-01 Thread Alexander Serkin
Jean Frontin wrote:
 Hello,
 
 Here are two lines of the radius.log.
 Everything in tables looks like okay. Where must I search, I don't 
 understand the first line below. So, why is the second line good ?

Perhaps your username is in users file and is not in database?

 
 What does cli mean at the end of the second line?

calling-station-id


-- 
Sincerely Yours,
Alexander