Changing proxy server for a specific user

2013-07-11 Thread Angel L. Mateo

Hello,

	I have defined a DEFAULT realm proxying requests to a remote radius 
server (for eduroam).


	Now I want to create another virtual server using this DEFAULT realm, 
but proxying requests to another radius server.


	Is there any way to do this? Maybe modifying some attribute in the 
request with an entry in the user's file?


--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radwho: No configuration information in radutmp section of radiusd.conf

2012-11-19 Thread Angel L. Mateo

On 19/11/12 09:15, Fajar A. Nugraha wrote:

On Mon, Nov 19, 2012 at 2:28 PM, Angel L. Mateo ama...@um.es wrote:

accounting {
  detail
  unix
  #radutmp



Well, that won't help.

You're trying to use radwho, but aren't logging accounting
information.  That means radwho will NEVER show you anything.


	I'm not sure about this. I have tried the configuration with the radutmp
line commented and uncommented. But the fact is that radwho is logging
information, because radutmp is updated and if I use radwho -F file then I
can see it is not empty.


That's odd. The only thing writing the utmp file should be the accounting
section. Did you perhaps forget to restart the server after making the
change?

Anyway, from a quick glance at radwho, the relevant change is probably
https://github.com/FreeRADIUS/freeradius-server/commit/41960ed2 . If
you know how to reverse a patch and build from source, you can try
reverting the patch (direct patch link:
https://github.com/FreeRADIUS/freeradius-server/commit/41960ed2.diff)
and see if it helps. I'm assuming you have a non-empty utmp file
already? If it works, then you found a bug and pinpointed the source. If
it doesn't, then it's something else.

	Same configuration, with freeradius 2.2.0 but using radwho from 2.1.8,
works. Instead of reverting the patch, I have copied the radwho command
from the previous folders, and it works without any problem.


	So it seems that the problem is that now the -F option is mandatory
instead of optional.


	If this were the only problem, it wouldn't be a problem, but I'm
having the same problem with radzap:


/usr/bin/radzap -P 131833856 -u user -N ip localhost secret
radwho: No configuration information in radutmp section of radiusd.conf!

	This same configuration with previous versions of radius works without 
any problem.




Personalizing ldap filters from users file

2012-11-19 Thread Angel L. Mateo

Hello,

	I have freeradius (2.2.0) using ldap as backend for user information. 
This radius server is used by different applications to authenticate and 
authorize users. I want now to use different ldap filters for different 
applications.


	In LDAP I'm using the SCHAC schema and schacUserStatus is a multivalue
attribute (in URN format) indicating services that the user has enabled
or disabled, in this way:


dn: uid=user,basedn
uid: user
schacUserStatus: urn prefix:dovecot:enabled
schacUserStatus: urn prefix:eduroam:enabled
schacUserStatus: urn prefix:vpn:disabled
...

What I want is to define the ldap filter as:

ldap  {
  ...
  filter = (&(mail=%{User-Name})(schacUserStatus=urn prefix:%{X-Atica-Service}:enabled))
  ...
}

	where X-Atica-Service is a private attribute (of type string) I have
defined in the dictionary, and this attribute is defined in the users file
for each one with something like:


DEFAULT X-Actica-Service = 'vpn', Auth-Type = LDAP, Realm == um.es
User-Name := `%{User-Name}`,
Fall-Through = No

But this does not work.

	As I have a virtual server for each service radius is authenticating, I
don't mind defining this attribute in the virtual server configuration. What
I want to avoid is defining different ldap modules that differ only in the
filter.


Any idea?



Re: Personalizing ldap filters from users file

2012-11-19 Thread Angel L. Mateo

On 19/11/12 11:17, Phil Mayers wrote:

On 11/19/2012 09:48 AM, Angel L. Mateo wrote:


ldap  {
   ...
   filter = (&(mail=%{User-Name})(schacUserStatus=urn prefix:%{X-Atica-Service}:enabled))
   ...
}




DEFAULT X-Actica-Service = 'vpn', Auth-Type = LDAP, Realm == um.es
 User-Name := `%{User-Name}`,
 Fall-Through = No

 But this does not work.


It's important to understand how the users file works. The line you've
written above says:

set X-Actica-Service to vpn in the control items if it's not
already set (= operator)

set Auth-Type to LDAP in the control items if it's not already set
(= operator)

*if* Realm == um.es

and then

set User-Name to %{User-Name} on the reply items *always* (:=
operator)

set Fall-Through to No in the reply items if it's not already set
(= operator)

So, any variable you set on that first line goes in the control items,
so must be referred to there.

Either modify your LDAP filter to reference:

   ...%{control:X-Actica-Service}...

...or better yet, convert the logic to an unlang stanza which is more
flexible and more explicit / less magic, hence easier to understand,
*and* lets you set variables in any list. Like so:

authorize {
   ...
   if (Realm == um.es) {
 update request {
   X-Actica-Service = ...
 }
   }
   else {
 ...
   }

   ldap
}


Thank you, this way it works.


Also: I note you are setting Auth-Type. This is almost always wrong,
and almost certainly so in your case. Correct config of the LDAP module
should mean you don't need to set Auth-Type, and it's usually harmful to
do so. If it's not causing you a problem it's probably because you're
using the = rather than := operator.

	It works for me. Maybe it's because I don't use ldap in authorize, but 
just in:


authenticate {
Auth-Type LDAP {
ldap
}
}

	I don't know the real cause of this (I have inherited this
configuration from an old config that I didn't write).


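How the users file entry above is interpreted, as an added example that is not part of the thread: a small Python model (assumption: simplified semantics covering only the `==`, `=` and `:=` operators used in that entry) that parses the entry, applies it to a request, and expands the page's LDAP filter once with `%{X-Actica-Service}` and once with `%{control:X-Actica-Service}`.

```python
"""Toy model of how a FreeRADIUS 2.x 'users' file entry is applied, following
Phil Mayers' explanation above. Added example, not FreeRADIUS code: the
parser and list semantics are a deliberate simplification (assumption) that
covers only the operators in the entry on this page (==, =, :=)."""
import re

# The entry from the original post (X-Actica-Service spelled as in that entry).
ENTRY = """\
DEFAULT X-Actica-Service = 'vpn', Auth-Type = LDAP, Realm == um.es
        User-Name := `%{User-Name}`,
        Fall-Through = No
"""

# attribute, operator, value; values may be quoted with ', " or backticks.
ITEM_RE = re.compile(
    r"\s*([\w-]+)\s*(==|:=|=)\s*(`[^`]*`|'[^']*'|\"[^\"]*\"|[^,]+)\s*,?")
# %{Attr} or %{list:Attr}; a bare name searches the request list only.
XLAT_RE = re.compile(r"%\{(?:(request|control|reply):)?([\w-]+)\}")


def parse_items(text):
    items = []
    for m in ITEM_RE.finditer(text):
        attr, op, value = m.group(1), m.group(2), m.group(3).strip()
        if len(value) >= 2 and value[0] in "'\"`" and value[-1] == value[0]:
            value = value[1:-1]
        items.append((attr, op, value))
    return items


def parse_entry(text):
    """First line: entry name plus check items; following lines: reply items."""
    lines = text.strip().splitlines()
    name, _, rest = lines[0].partition(" ")
    check = parse_items(rest)
    reply = parse_items(" ".join(line.strip() for line in lines[1:]))
    return name, check, reply


def xlat(template, lists):
    return XLAT_RE.sub(
        lambda m: lists[m.group(1) or "request"].get(m.group(2), ""), template)


def assign(target, attr, op, value):
    # '=' adds the attribute only if it is absent; ':=' always sets it.
    if op == ":=" or attr not in target:
        target[attr] = value


def apply_entry(check, reply, request, control=None):
    """Return the request/control/reply lists after the entry is applied, or
    None when a '==' comparison fails. Assignments on the first line go to
    the control list, never to the request, which is why %{X-Actica-Service}
    stays empty while %{control:X-Actica-Service} resolves."""
    lists = {"request": dict(request), "control": dict(control or {}), "reply": {}}
    for attr, op, value in check:
        if op == "==":
            if lists["request"].get(attr) != value:
                return None
        else:
            assign(lists["control"], attr, op, value)
    for attr, op, value in reply:
        assign(lists["reply"], attr, op, xlat(value, lists))
    return lists


def ldap_filters(request):
    """The two ways of writing the page's filter, expanded for one request."""
    _, check, reply = parse_entry(ENTRY)
    lists = apply_entry(check, reply, request)
    if lists is None:
        return None
    bare = "(&(mail=%{User-Name})(schacUserStatus=urn prefix:%{X-Actica-Service}:enabled))"
    ctrl = "(&(mail=%{User-Name})(schacUserStatus=urn prefix:%{control:X-Actica-Service}:enabled))"
    return xlat(bare, lists), xlat(ctrl, lists)


if __name__ == "__main__":
    for line in ldap_filters({"User-Name": "amateo@um.es", "Realm": "um.es"}):
        print(line)
```

The first filter comes out with an empty service (`urn prefix::enabled`), the second with `vpn`, which is the difference Phil describes.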


Re: radwho: No configuration information in radutmp section of radiusd.conf

2012-11-18 Thread Angel L. Mateo

On 16/11/12 17:03, Alan DeKok wrote:

Angel L. Mateo wrote:

Hello,

 I have a problem with radwho since I upgraded from 2.1.10 to 2.2.0.
The same configuration (I'm trying now the default configuration
installed from ubuntu packages) works with version 2.1.10 and not with
2.2.0. The error I get is:

radwho: No configuration information in radutmp section of radiusd.conf


   You need to have a modules section, with radutmp listed in it.


In my modules section I have

modules {
  ...
  $INCLUDE ${confdir}/modules/
  ..
}

and I have a file ${confdir}/modules/radutmp with content:

radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = yes
}



 My config (for default virtual server) is:


   Which doesn't really help.

   What's in the modules directory?


accounting {
 detail
 unix
 #radutmp


   Well, that won't help.

   You're trying to use radwho, but aren't logging accounting
information.  That means radwho will NEVER show you anything.

	I'm not sure about this. I have tried the configuration with the radutmp line
commented and uncommented. But the fact is that radwho is logging
information, because radutmp is updated and if I use radwho -F file
then I can see it is not empty.




radwho: No configuration information in radutmp section of radiusd.conf

2012-11-16 Thread Angel L. Mateo

Hello,

	I have a problem with radwho since I upgraded from 2.1.10 to 2.2.0. The
same configuration (I'm trying now the default configuration installed
from ubuntu packages) works with version 2.1.10 and not with 2.2.0. The
error I get is:


radwho: No configuration information in radutmp section of radiusd.conf

My config (for default virtual server) is:

authorize {
preprocess
chap
mschap
suffix
eap {
ok = return
}
unix
files
expiration
logintime
pap
}

authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}

preacct {
preprocess
suffix
files
}

accounting {
detail
unix
#radutmp
attr_filter.accounting_response
}


#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
radutmp

#
#  See Simultaneous Use Checking Queries in sql.conf
#   sql
}

post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}

pre-proxy {
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {
eap
}

I have tried it enabling and disabling radutmp in the accounting section.

	As I have already said, this same configuration works with 2.1.8 
(default ubuntu package) but not with 2.2.0.


Any idea?



Re: radzap: Nothing to send

2011-11-23 Thread Angel L. Mateo

On 16/11/11 16:54, xgiova wrote:

I'm having the same problem on my Centos server.
Can you explain how you solved it?

	The problem was related to virtual servers. The virtual server
assigned to the client running radzap was incorrect.





Re: radzap: Nothing to send

2011-09-23 Thread Angel L. Mateo

Hello,

	I have solved my problem. The problem was really related to virtual
servers.




radzap: Nothing to send

2011-09-20 Thread Angel L. Mateo

Hello,

	I have a script using radzap to zap clients. This script worked with
freeradius 1.1.7, but since I updated to 2.1.10 it doesn't work.


The command I run is:

root@vulpes21:~/scripts/radius# radzap -P 9937 -u user -N 10.57.112.8 
localhost secret

radclient: Nothing to send.

The output for this user in radwho -R is:

User-Name = user
Acct-Session-Id = 2CC6
NAS-IP-Address = 10.57.112.8
NAS-Port = 9938
Service-type = Login-User
Framed-IP-Address =
Acct-Session-Time = 92
Calling-Station-Id = 9084.0d64.2d83

Any idea?

	One difference between my 1.1.7 config and the new one is that now I'm
using virtual servers. Could that be the reason?




Re: Freeradius and LDAP keepalive

2011-09-08 Thread Angel L. Mateo
	Thank you. I have tried those options, but they don't work for me.
The problem is that they configure freeradius to send TCP keepalive
messages over the connection, but these packets are just TCP packets;
they don't contain any ldap command, so the openldap idle_timeout is still
applied.




Freeradius and LDAP keepalive

2011-09-07 Thread Angel L. Mateo

Hello,

	I have freeradius 2.1.10 running on an ubuntu (10.04) server. My users
are in an ldap directory.


	The problem I have is that the openldap server has an idle timeout (if
a connection stays idle for longer than this time, openldap closes
the connection). So I want to know if there is some way to configure a
keepalive on the ldap connection of freeradius.


	I have found in
http://freeradius.1045715.n5.nabble.com/rlm-ldap-amp-TCP-KeepAlive-td2795077.html
that there seems to be code to do this. I have compared this code with the
code from version 2.1.10 and it is there, but I think I have to configure
something, because connections are closed and I have logs like:


Sep  7 12:12:51 vulpes22 freeradius[21497]: RADIUS Requested access: 
myuser@mydomain (0)
Sep  7 12:12:51 vulpes22 freeradius[21497]:   [ldap-email] ldap_search() 
failed: LDAP connection lost.
Sep  7 12:12:51 vulpes22 freeradius[21497]:   [ldap-email] Attempting 
reconnect
Sep  7 12:12:51 vulpes22 freeradius[21497]: Login OK: 
[myuser@mydomain] (from client XXX port 1)


	freeradius is working (it reconnects with the ldap without any 
problem), but I want to avoid this error.


Is there any way to configure this keepalive?



Re: Freeradius and LDAP keepalive

2011-09-07 Thread Angel L. Mateo

On 07/09/11 13:02, Alan DeKok wrote:

Angel L. Mateo wrote:

 I have a freeradius 2.1.10 running in a ubuntu (10.04) server. My
users are in a ldap directory.

 The problem I have is that openldap server has an idle timeout (if
there is more than this time with an idle connection, openldap closes
the connection). So I want to know if there is some way to configure a
keepalive on the ldap connection of freeradius.

...

 Is there any way to configure this keepalive?


   In 2.1.12, the keepalive configuration is documented in raddb/modules/ldap

	I didn't find any 2.1.12 freeradius version (the latest version at 
freeradius web is 2.1.11). In 2.1.11 (and 2.1.10) the options I have 
found that could be related are:


* ldap_connections_number: number of active ldap connections (although I
have this value configured as 15, I can only see one active connection
with netstat)

* timeout: Timeout to finish a query
* timelimit: Timeout that the ldap server has to finish the query
* net_timeout: Seconds to wait for a response from the server

	As far as I understand, none of these values is for a keepalive. Is 
there any other parameter?





Re: Freeradius not releasing IPs from pool

2011-06-07 Thread Angel L. Mateo

Hello,

	I have found the problem... I have my freeradius servers being
monitored by a system. This monitoring user was assigned to a pool, but
it didn't send any accounting stop record, so IPs were never released. I
have configured this user not to be assigned to any pool and the
system now works perfectly.




Re: Freeradius not releasing IPs from pool

2011-06-06 Thread Angel L. Mateo

On 03/06/11 10:33, George Chelidze wrote:

On 06/01/2011 04:02 PM, Angel L. Mateo wrote:

Hello,

I have a problem with my pools in freeradius. The problem is that it is
not releasing IPs from the pools. At least, not all of them, so after a
while my users can't connect because the pool is full.


Several quick questions:

1. Are you sure your pool is large enough? Average duration of a
session/Number of new sessions per second should be taken in account.


	Yes. This server is an update from an existing one with the same 
configuration, the only difference is freeradius versions (from 1.1.7 to 
2.1.8) and that now I'm using virtual servers.



2. Are you sure you don't miss any accounting messages?


I think not.


3. Which attributes do you use to construct a pool key? Make sure all
attributes exist in Accounting messages.

	The defaults, I'm not using the key option of the pool. I think the
defaults are %{NAS-IP-Address} %{NAS-Port}. NAS-IP-Address is always
the same (our VPN server) and NAS-Port changes between users. Is that correct?




Freeradius not releasing IPs from pool

2011-06-01 Thread Angel L. Mateo

Hello,

	I have a problem with my pools in freeradius. The problem is that it
is not releasing IPs from the pools. At least, not all of them, so after
a while my users can't connect because the pool is full.


	I check that it is not releasing IPs because I get (I have replaced 
usernames with ):


root@vulpes21:/usr/share/doc/freeradius# radwho | grep 155.54.194
 X   PPP   999 Wed 10:28 155.54.213.20   155.54.194.128
 X   PPP   999 Wed 10:36 155.54.213.20   155.54.194.51
 X   PPP   999 Wed 10:42 155.54.213.20   155.54.194.8
 X   PPP   999 Wed 12:33 155.54.213.20   155.54.194.115
 X   PPP   999 Wed 12:37 155.54.213.20   155.54.194.101
 X   PPP   999 Wed 12:40 155.54.213.20   155.54.194.62
 X   PPP   999 Wed 13:06 155.54.213.20   155.54.194.92
 X   PPP   999 Wed 13:11 155.54.213.20   155.54.194.48
 X   PPP   999 Wed 13:24 155.54.213.20   155.54.194.78
 X   PPP   999 Wed 13:27 155.54.213.20   155.54.194.112
 X   PPP   999 Wed 13:28 155.54.213.20   155.54.194.59
 X   PPP   999 Wed 13:29 155.54.213.20   155.54.194.134

but rlm_ippool_tool shows a lot of IP addresses in use:

root@vulpes21:/etc/freeradius# rlm_ippool_tool -a pool_vpn.ippool 
pool_vpn.ipindex  | wc -l

122

In my configuration I have:

authorize {
vpn_log
vpn_syslog
suffix
files_vpn
pap
}

authenticate {
Auth-Type PAP {
pap
}
Auth-Type LDAP {
ldap-email
}
}

preacct {
suffix
files_vpn
}

accounting {
vpn_log
unix
pool_vpn
pool_vpn_alu
pool_vpn_ryt
radutmp
vpn_acc_syslog
sql_log_um
}

session { }

post-auth {
pool_vpn
pool_vpn_alu
pool_vpn_ryt
vpn_log
vpn_syslog
}

pre-proxy { }

post-proxy { }

Any idea?

Ah... I'm running 2.1.8 from ubuntu 10.04.

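The leak mechanism this thread ends up diagnosing (a user that is handed a pool address in post-auth but never sends an Accounting Stop), as an added Python model that is not part of the thread or of rlm_ippool: the pool key is the thread's default `NAS-IP-Address` plus `NAS-Port`, the packets are constructed, and the `no_pool_users` exclusion is an assumed stand-in for the fix the poster applied.

```python
"""Toy model of the IP-pool behaviour described in the thread above: a lease
is taken in post-auth under the pool key (NAS-IP-Address, NAS-Port) and only
released by an Accounting Stop for the same key. Added example, not rlm_ippool
code; the packets are constructed and 'no_pool_users' is an assumption that
mirrors the poster's fix of keeping the monitoring user out of the pool."""

POOL = ["155.54.194.%d" % i for i in range(1, 4)]   # constructed 3-address pool
NAS = "155.54.213.20"                                # the VPN server from the thread


def pool_key(pkt):
    return (pkt["NAS-IP-Address"], pkt["NAS-Port"])


class Pool:
    def __init__(self, addresses, no_pool_users=()):
        self.free = list(addresses)
        self.leases = {}                 # key -> (address, user)
        self.no_pool_users = set(no_pool_users)
        self.rejected_full = 0           # post-auth calls that found no free address

    def post_auth(self, pkt):
        """Allocate an address unless the user is excluded from pools."""
        if pkt["User-Name"] in self.no_pool_users:
            return None
        key = pool_key(pkt)
        if key in self.leases:           # same NAS port re-authenticating: reuse
            return self.leases[key][0]
        if not self.free:
            self.rejected_full += 1
            return None
        addr = self.free.pop(0)
        self.leases[key] = (addr, pkt["User-Name"])
        return addr

    def accounting(self, pkt):
        """Only an Acct-Status-Type Stop releases the lease held under the key."""
        if pkt["Acct-Status-Type"] == "Stop":
            lease = self.leases.pop(pool_key(pkt), None)
            if lease:
                self.free.append(lease[0])

    def leases_by_user(self):
        """Who is holding addresses right now: the view rlm_ippool_tool lacks."""
        out = {}
        for addr, user in self.leases.values():
            out.setdefault(user, []).append(addr)
        return out


def vpn_session(user, port):
    """A normal client: authenticate, then Start and Stop accounting."""
    base = {"User-Name": user, "NAS-IP-Address": NAS, "NAS-Port": port}
    return [{**base, "kind": "auth"},
            {**base, "kind": "acct", "Acct-Status-Type": "Start"},
            {**base, "kind": "acct", "Acct-Status-Type": "Stop"}]


def monitor_probe(port):
    """The monitoring system only authenticates; it never sends accounting."""
    return [{"User-Name": "monitor", "NAS-IP-Address": NAS,
             "NAS-Port": port, "kind": "auth"}]


def run(pool, packets):
    for pkt in packets:
        if pkt["kind"] == "auth":
            pool.post_auth(pkt)
        else:
            pool.accounting(pkt)
    return pool


def simulate(no_pool_users=()):
    """Constructed traffic: three probes on fresh ports between two user sessions."""
    traffic = vpn_session("alice", 1001)
    for port in (2001, 2002, 2003):
        traffic += monitor_probe(port)
    traffic += vpn_session("bob", 1002)
    return run(Pool(POOL, no_pool_users), traffic)


if __name__ == "__main__":
    print(simulate().leases_by_user(), simulate().rejected_full)
    print(simulate(no_pool_users=("monitor",)).leases_by_user())
```

Without the exclusion every probe on a new NAS port pins another address until the pool is exhausted and bob is refused; with it the pool stays clean.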


Re: Login access-request results to syslog

2011-05-24 Thread Angel L. Mateo

On 23/05/11 14:30, Alan DeKok wrote:

Angel L. Mateo wrote:
...

 reference = %{%{Packet-Type}:-format}


   Which is *always* the request packet.  Use %{reply:Packet-Type} for
the reply.

   You'll have to find a way to switch the reference based on request or
reply.  Maybe configure two versions of the linelog module.

	OK. With %{reply:Packet-Type} I could log the result (Access-Accept or 
Access-Reject) of the request query.


Thank you.



Login access-request results to syslog

2011-05-23 Thread Angel L. Mateo

Hello,

	I'm trying to configure my freeradius server (version 2.1.8 running on
an ubuntu 10.04 server) to log access request results to syslog. My
configuration is:


authorize {
...
sistemas_syslog
...
}

accounting {
...
sistemas_syslog
...
}

post-auth {
...
sistemas_syslog
Post-Auth-Type REJECT {
...
sistemas_syslog
}
Post-Auth-Type ACCEPT {
...
sistemas_syslog
}
}

And I also have:

linelog sistemas_syslog {
filename = syslog
format = This is a Application log message for %{User-Name} 
(%{Packet-Type})

reference = %{%{Packet-Type}:-format}

Access-Request = Application Requested access: %{User-Name}
Access-Reject = Application Rejected access: %{User-Name}
Access-Challenge = Application Sent challenge: %{User-Name}
Access-Accept = Application Accepted access: %{User-Name}
}

But all logs I have are:

May 23 12:44:33 vulpes21 freeradius: Application Requested access: 

May 23 12:44:33 vulpes21 freeradius: Application Requested access: 



(yes, it is sent twice). In debug mode I get:

rad_recv: Access-Request packet from host 155.54.67.15 port 52081, id=1, 
length=71

Calling-Station-Id = Xx
User-Name = 
User-Password = X
Service-Type = Login-User
server sistemas {
+- entering group authorize {...}
[sistemas_log] 	expand: 
/var/log/freeradius/radacct/%{Client-IP-Address}/sistemas_log-%Y%m%d - 
/var/log/freeradius/radacct/155.54.67.15/sistemas_log-20110523
[sistemas_log] 
/var/log/freeradius/radacct/%{Client-IP-Address}/sistemas_log-%Y%m%d 
expands to /var/log/freeradius/radacct/155.54.67.15/sistemas_log-20110523

[sistemas_log]  expand: %t - Mon May 23 12:44:33 2011
++[sistemas_log] returns ok
[sistemas_syslog]   expand: %{Packet-Type} - Access-Request
[sistemas_syslog]   expand: %{%{Packet-Type}:-format} - Access-Request
[sistemas_syslog] 	expand: Application Requested access: %{User-Name} - 
Application Requested access: 

++[sistemas_syslog] returns ok
[suffix] Looking up realm um.es for User-Name = 
[suffix] Found realm um.es
[suffix] Adding Stripped-User-Name = amateo
[suffix] Adding Realm = um.es
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files_sistemas] users: Matched entry DEFAULT at line 15
[files_sistemas]expand: %{User-Name} - 
++[files_sistemas] returns ok
[pap] WARNING! No known good password found for the user. 
Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap-email] login attempt by amateo with password XX

The rest of LDAP debug messages

++[ldap-email] returns ok
Login OK: [] (from client monitor port 0 cli PORTALREDES)
+- entering group post-auth {...}
[sistemas_log] 	expand: 
/var/log/freeradius/radacct/%{Client-IP-Address}/sistemas_log-%Y%m%d - 
/var/log/freeradius/radacct/155.54.67.15/sistemas_log-20110523
[sistemas_log] 
/var/log/freeradius/radacct/%{Client-IP-Address}/sistemas_log-%Y%m%d 
expands to /var/log/freeradius/radacct/155.54.67.15/sistemas_log-20110523

[sistemas_log]  expand: %t - Mon May 23 12:44:33 2011
++[sistemas_log] returns ok
[sistemas_syslog]   expand: %{Packet-Type} - Access-Request
[sistemas_syslog]   expand: %{%{Packet-Type}:-format} - Access-Request
[sistemas_syslog] 	expand: Application Requested access: %{User-Name} - 
Application Requested access: 

++[sistemas_syslog] returns ok
} # server sistemas
Sending Access-Accept of id 1 to 155.54.67.15 port 52081
User-Name = 
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.

	All I want is to log in syslog if the access-request is accepted or 
rejected for any reason.


Any help?

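Why the linelog configuration above logs "Requested access" twice and never "Accepted"/"Rejected", and what Alan's `%{reply:Packet-Type}` changes, as an added Python model that is not part of the thread or of rlm_linelog: the format table is the page's `sistemas_syslog` module, the expansion rules are an assumed simplification covering only `%{Attr}`, `%{list:Attr}` and `%{X:-default}`, and the three scenarios are the points where the page's virtual server calls the module.

```python
"""Toy model of how rlm_linelog picks its format string, following Alan DeKok's
answer above. Added example, not FreeRADIUS code; the expansion rules are a
simplification (assumption) that covers the idioms on this page:
%{Attr}, %{list:Attr} and %{X:-default}."""
import re

# Constructed copy of the page's 'sistemas_syslog' formats.
FORMATS = {
    "format":           "Application log message for %{User-Name} (%{Packet-Type})",
    "Access-Request":   "Application Requested access: %{User-Name}",
    "Access-Reject":    "Application Rejected access: %{User-Name}",
    "Access-Challenge": "Application Sent challenge: %{User-Name}",
    "Access-Accept":    "Application Accepted access: %{User-Name}",
}
REF_REQUEST = "%{%{Packet-Type}:-format}"        # the page's original reference
REF_REPLY = "%{%{reply:Packet-Type}:-format}"    # Alan's suggestion for post-auth

# Constructed mini dictionary: the names the expander treats as attributes.
DICTIONARY = {"User-Name", "Packet-Type", "Realm"}

INNER = re.compile(r"%\{([^{}]*)\}")   # innermost %{...} (no nested braces)


def lookup(lists, ref):
    """Resolve 'Attr' or 'list:Attr'; a bare name searches the request list only."""
    listname, sep, attr = ref.partition(":")
    if not sep:
        listname, attr = "request", ref
    return lists.get(listname, {}).get(attr, "")


def expand(template, lists):
    """Expand %{...} innermost-first. %{X:-D}: if X names an attribute, use its
    value, or D when it is empty; if X is not an attribute (e.g. 'Access-Accept'
    produced by an inner expansion) it is kept as literal text; an empty X
    yields D. Toy assumption: attribute values contain no '%{'."""
    while True:
        m = INNER.search(template)
        if m is None:
            return template
        name, sep, default = m.group(1).partition(":-")
        attr = name.partition(":")[2] or name      # strip any list prefix
        if attr in DICTIONARY:
            value = lookup(lists, name) or (default if sep else "")
        elif sep:
            value = name or default
        else:
            value = ""
        template = template[:m.start()] + value + template[m.end():]


def linelog(reference, lists):
    """Return (format name used, expanded log line), as the module's debug shows."""
    key = expand(reference, lists)
    fmt_name = key if key in FORMATS else "format"
    return fmt_name, expand(FORMATS[fmt_name], lists)


def scenarios(reference):
    """Run one reference through the three places the page calls sistemas_syslog."""
    request = {"User-Name": "amateo@um.es", "Packet-Type": "Access-Request"}
    return {
        "authorize": linelog(reference, {"request": request, "reply": {}}),
        "post-auth ACCEPT": linelog(reference, {"request": request,
                                                "reply": {"Packet-Type": "Access-Accept"}}),
        "post-auth REJECT": linelog(reference, {"request": request,
                                                "reply": {"Packet-Type": "Access-Reject"}}),
    }


if __name__ == "__main__":
    for ref in (REF_REQUEST, REF_REPLY):
        print(ref)
        for where, (fmt, line) in scenarios(ref).items():
            print("  %-16s %-15s %s" % (where, fmt, line))
```

With the request reference all three calls land on the Access-Request line, which is the doubled syslog message on the page; with the reply reference, authorize falls back to the generic `format` line (no reply yet), and post-auth logs Accepted or Rejected, which is why Alan suggests two linelog instances.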


Re: R: freeradius and IP pools

2008-12-14 Thread Angel L. Mateo
If both users are the same, it is better to configure just one user and
make checks stripping the realm.


Problem with CPU load

2008-12-03 Thread Angel L. Mateo
Hello,

We have a debian server (debian 4.0 etch) running freeradius 1.1.7. We
have compiled it from the debian source package, but including eap_tls and
eap_ttls support. Our user repository is an LDAP server (openldap
2.3.30) running on another host. This radius server is a Xen virtual
machine with 512MB of RAM.

The problem we have is that sometimes it loads the CPU too much. An
uptime on the host reports loads over 100 points and 99% CPU
utilization. These loads last less than a minute, but during this
minute, you can't authorize anybody.

Any idea of what could be happening?


LDAP + groups problem

2007-03-23 Thread Angel L. Mateo
Hello,

We are using freeradius with an ldap backend for my users. We have a few
services authenticating against the radius server that need to filter
some groups of users.

For users we have a posix schema: our users have the posixAccount schema
with their main group in the gidNumber attribute. Something like this:

dn: uid=myuser,ou=Users,dc=domain.com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: CourierMailAccount
uid: myuser
uidNumber: 123456
gidNumber: 1001
loginShell: /bin/bash
mail: [EMAIL PROTECTED]
...

For the group entry we have:

dn: cn=groupA,ou=Groups,dc=domain.com
cn: groupA
gidNumber: 1001
objectClass: posixGroup
objectClass: top


For user's secondary groups we have:

dn: cn=groupB,ou=Groups,dc=domain.com
cn: groupB
gidNumber: 1002
objectClass: posixGroup
objectClass: top
memberUid: myuser

so, this user belongs to groupA (main group) and groupB (secondary
group). This is similar to /etc/passwd and /etc/group files.

What I want is for the users file entry below to reject access to user
myuser:

DEFAULT Ldap-Group == groupB, Auth-Type := Reject
Reply-Message = groupB users are not allowed to login

I have tried various configurations but I haven't found the right one. I
have tried configuring it as:

groupname_attribute = gidNumber
groupmembership_filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
groupmembership_attribute = uid

but with this configuration I can filter just by the main group (myuser
is still allowed).

The configuration:

groupname_attribute = cn
groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
groupmembership_attribute = memberUid

seems to look just in secondary groups.

Is there any way to configure it taking into account both main and secondary
groups with this structure?

Thanks in advance


Re: Freeradius is logging the passwords

2007-02-22 Thread Angel L. Mateo
On Thu, 22-02-2007 at 11:51 +, [EMAIL PROTECTED] wrote:
 Hi,
  On Wed, 21-02-2007 at 13:32 +0100, Alan DeKok wrote:
  
 In 1.1.4, yes.  See radiusd.conf, look at the detail section.
   
  But I have 1.1.3 :-(. Is there any way without needing to upgrade?
 
 you can use the 'suppress' feature for each of the detail logs. this feature
 was introduced in 1.1.2
 
 eg
 
  suppress {
      User-Password
  }
 
 in your detail stanzas
 
Great! It works. Thank you very much


Re: Freeradius is logging the passwords

2007-02-21 Thread Angel L. Mateo
On Wed, 21-02-2007 at 13:32 +0100, Alan DeKok wrote:

   In 1.1.4, yes.  See radiusd.conf, look at the detail section.
 
But I have 1.1.3 :-(. Is there any way without needing to upgrade?


Re: radwho is not working

2007-02-19 Thread Angel L. Mateo
On Fri, 16-02-2007 at 13:16 +, [EMAIL PROTECTED] wrote:
 Hi,
 
  I have changed from freeradius 1.1.2 to freeradius 1.1.3 and now it
  works with the same configuration. I don't know the reason, but now it
  works.
 
 ..but 1.1.4 is the current release ;-)
 
Yes, I know it, but 1.1.3 is the version provided in debian etch.


Re: radwho is not working

2007-02-16 Thread Angel L. Mateo
On Tue, 13-02-2007 at 12:14 +0100, Angel L. Mateo wrote:
 Hello,
 
   More info about my problem... In the radius.log file I have a lot of
 entries of the form:
 
 Tue Feb 13 12:12:13 2007 : Error: rlm_radutmp: Logout for NAS ap port
 1627, but no Login record
 Tue Feb 13 12:12:35 2007 : Error: rlm_radutmp: Logout for NAS ap port
 3100, but no Login record
 Tue Feb 13 12:12:46 2007 : Error: rlm_radutmp: Logout for NAS ap port
 8726, but no Login record
 
Hello,

Another mystery of computers...

I have changed from freeradius 1.1.2 to freeradius 1.1.3 and now it
works with the same configuration. I don't know the reason, but now it
works.


Re: radwho is not working

2007-02-13 Thread Angel L. Mateo
Hello,

More info about my problem... In the radius.log file I have a lot of
entries of the form:

Tue Feb 13 12:12:13 2007 : Error: rlm_radutmp: Logout for NAS ap port
1627, but no Login record
Tue Feb 13 12:12:35 2007 : Error: rlm_radutmp: Logout for NAS ap port
3100, but no Login record
Tue Feb 13 12:12:46 2007 : Error: rlm_radutmp: Logout for NAS ap port
8726, but no Login record


Re: radwho is not working

2007-02-05 Thread Angel L. Mateo
On Sat, 06-01-2007 at 00:02 -0500, Alan DeKok wrote:
 Angel L. Mateo wrote:
 
  But, if this was the problem, why freeradius updates the file? (I have
  checked that the file is modified every time freeradius makes an
  authentication)
 
   Does debugging mode show radutmp returns noop?  If so, nothing new
 was written.
 
Hello,

I continue with this problem. radwho doesn't display any connection,
although I am sure I have a lot. I have checked that debug doesn't
display any radutmp returns noop and I haven't got any line like this.

I have also checked that RASes are sending the accounting info. As far
as I can see I think it is, because we have a lot of Acct-Status-Type =
Start (and Stop) entries in my detail files.

For example, this is the debug of an accounting packet I am receiving:

rad_recv: Accounting-Request packet from host 155.54.213.20:1440,
id=235, length=135
User-Name = [EMAIL PROTECTED]
NAS-Port = 28167
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 155.54.194.77
Class = rpvum
Calling-Station-Id = 147.84.74.78
Acct-Status-Type = Start
Acct-Session-Id = FA904B8A
Tunnel-Client-Endpoint:0 = 147.84.74.78
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = 155.54.213.20
NAS-Port-Type = Virtual
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 2
  modcall[preacct]: module preprocess returns noop for request 2
rlm_acct_unique: Hashing 'NAS-Port = 28167,Client-IP-Address =
155.54.213.20,NAS-IP-Address = 155.54.213.20,Acct-Session-Id =
FA904B8A,User-Name = [EMAIL PROTECTED]'
rlm_acct_unique: Acct-Unique-Session-ID = 62eeb2626cd2e4c0.
  modcall[preacct]: module acct_unique returns ok for request 2
rlm_realm: Looking up realm um.es for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm um.es
rlm_realm: Adding Stripped-User-Name = rociogon
rlm_realm: Proxying request from user rociogon to realm um.es
rlm_realm: Adding Realm = um.es
rlm_realm: Accounting realm is LOCAL.
  modcall[preacct]: module suffix returns noop for request 2
  modcall[preacct]: module files returns noop for request 2
modcall: leaving group preacct (returns ok) for request 2
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 2
radius_xlat:
'/var/log/freeradius/radacct/155.54.213.20/detail-20070205'
rlm_detail: 
/var/log/freeradius/radacct/%{Huntgroup-Name:-%{Client-IP-Address}}/detail-%Y%m%d
 expands to /var/log/freeradius/radacct/155.54.213.20/detail-20070205
  modcall[accounting]: module detail returns ok for request 2
  modcall[accounting]: module unix returns ok for request 2
radius_xlat:  '/var/log/freeradius/radutmp'
radius_xlat:  '[EMAIL PROTECTED]'
  modcall[accounting]: module radutmp returns ok for request 2
rlm_ippool: This is not an Accounting-Stop. Return NOOP.
  modcall[accounting]: module pool_vpn returns noop for request 2
rlm_ippool: This is not an Accounting-Stop. Return NOOP.
  modcall[accounting]: module pool_vpn_alu returns noop for request 2
rlm_ippool: This is not an Accounting-Stop. Return NOOP.
  modcall[accounting]: module pool_ono returns noop for request 2
rlm_ippool: This is not an Accounting-Stop. Return NOOP.
  modcall[accounting]: module pool_ono_alu returns noop for request 2
rlm_sql_log (sql_log): Processing sql_log_accounting
radius_xlat:  'INSERT INTO radacct (AcctSessionId, UserName, ??
RealUserName, ?? NASIPAddress, FramedIPAddress, AcctStartTime,
AcctStopTime, ?? AcctSessionTime, AcctTerminateCause) VALUES ??
('FA904B8A', '[EMAIL PROTECTED]', ?? 'rpvum', '155.54.213.20', ??
'155.54.194.77', '2007-02-05 10:40:41', '0', '0', '');'
radius_xlat:  '/var/log/freeradius/radacct/sql-relay'
  modcall[accounting]: module sql_log returns ok for request 2
modcall: leaving group accounting (returns ok) for request 2
Sending Accounting-Response of id 235 to 155.54.213.20 port 1440
Finished request 2

I think it is recording the entry because I can see it in the detail
file and I can see a line modcall[accounting]: module radutmp returns
ok for request 2 in this debug log.

But radwho still displays nothing.

My configuration is:

...
modules {
...
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
...
detail {
detailfile =
${radacctdir}/%{Huntgroup-Name:-%{Client-IP-Address}}/detail-%Y%m%d
detailperm = 0600
}
detail auth_log {
detailfile =
${radacctdir}/%{Huntgroup-Name:-%{Client-IP-Address}}/auth-detail-%Y%m%d
 detailperm = 0600
}

...

radutmp {
filename = ${logdir}/radutmp
username = %{User-Name
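As an added example (not code from the list posts or from FreeRADIUS), here is a small Python tool that reads the detail-file layout shown on this page and pairs Start and Stop records by NAS-IP-Address and Acct-Session-Id. Stops with no matching Start are the situation rlm_radutmp reports as "Logout for NAS ... but no Login record" in the thread above, and Starts without a Stop are the sessions radwho should be listing, so the same script serves both threads. The records embedded in it are constructed sample data; Alive/Interim-Update handling is an addition beyond what the threads show.

```python
"""Pair Start/Stop accounting records from a FreeRADIUS detail file.

Added example, not code from the list posts or from FreeRADIUS.  It parses
the detail-file layout shown on this page (a timestamp line, indented
"Attribute = value" lines, a blank line between records) and matches
records by NAS-IP-Address plus Acct-Session-Id.  A Stop with no earlier
Start is the condition rlm_radutmp logs as "Logout for NAS ... but no
Login record"; a Start with no Stop is a session radwho should list.
All records below are constructed sample data.
"""

# Constructed sample: one complete session, one Stop without a Start
# (port 3100) and one session still open (port 8726).
SAMPLE_DETAIL = """\
Tue Feb 13 12:10:00 2007
\tUser-Name = "alice@um.es"
\tNAS-IP-Address = 155.54.213.20
\tNAS-Port = 1627
\tAcct-Status-Type = Start
\tAcct-Session-Id = "AAAA0001"

Tue Feb 13 12:12:13 2007
\tUser-Name = "alice@um.es"
\tNAS-IP-Address = 155.54.213.20
\tNAS-Port = 1627
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "AAAA0001"
\tAcct-Session-Time = 133

Tue Feb 13 12:12:35 2007
\tUser-Name = "bob@um.es"
\tNAS-IP-Address = 155.54.213.20
\tNAS-Port = 3100
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "BBBB0002"

Tue Feb 13 12:15:00 2007
\tUser-Name = "carol@um.es"
\tNAS-IP-Address = 155.54.213.20
\tNAS-Port = 8726
\tAcct-Status-Type = Start
\tAcct-Session-Id = "CCCC0003"
"""


def parse_detail(text):
    """Return a list of records; each is a dict of attribute -> value plus
    the record's timestamp line under the key "_time"."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():            # blank line terminates a record
            if current:
                records.append(current)
                current = None
            continue
        if not line[0].isspace():       # unindented line: timestamp header
            if current:
                records.append(current)
            current = {"_time": line.strip()}
            continue
        if current is None:             # attribute line without a header
            continue
        attr, sep, value = line.strip().partition(" = ")
        if sep:
            current[attr] = value.strip().strip('"')
    if current:
        records.append(current)
    return records


def correlate(records):
    """Walk records in file order.  Returns (open_sessions, orphan_stops)."""
    open_sessions, orphan_stops = {}, []
    for rec in records:
        key = (rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"))
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            open_sessions[key] = rec
        elif status in ("Alive", "Interim-Update"):
            # an update for a session whose Start was never seen (file
            # rotated, server restarted) still proves the session is live
            open_sessions.setdefault(key, rec)
        elif status == "Stop":
            if open_sessions.pop(key, None) is None:
                orphan_stops.append(rec)
    return list(open_sessions.values()), orphan_stops


def report(text):
    """Human-readable summary, one line per finding."""
    open_sessions, orphan_stops = correlate(parse_detail(text))
    lines = ["Logout for NAS %s port %s, but no Login record"
             % (r.get("NAS-IP-Address"), r.get("NAS-Port")) for r in orphan_stops]
    lines += ["%s still logged in on NAS %s port %s since %s"
              % (r.get("User-Name"), r.get("NAS-IP-Address"),
                 r.get("NAS-Port"), r["_time"]) for r in open_sessions]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DETAIL):
        print(line)
```

Running it over a real detail file (`report(open(path).read())`) gives an independent view of what the radutmp file should contain: if the script reports open sessions but radwho shows nothing, the problem is in radutmp/radwho rather than in the accounting packets the NAS sends.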

Re: How to send some clients to the same detail file

2007-01-17 Thread Angel L. Mateo
On Tue, 07-11-2006 at 18:29 -0500, Alan DeKok wrote:
 Angel L. Mateo [EMAIL PROTECTED] wrote:
  But now I want to send all the logs for requests from a group of
  clients (defined as a huntgroup) to the same files, and the request for
  all other clients as now (classified with the IP address of the client).
  Is there any way to redefine this files for a set of clients?
 
   Yes.  Define an attribute, and set it per-client.  Then use that
 attribute in the expansion of the detailfile.
 

Hello,

After a lot of time, I have taken up this issue again. I want a group
of radius clients (defined in the same huntgroup) to log their requests
(detail and auth-detail files) in the same file. So I have redefined my
log files as:

detail {
  detailfile =
${radacctdir}/%{Huntgroup-Name:-%{Client-IP-Address}}/detail-%Y%m%d
  detailperm = 0600
}

detail auth_log {
  detailfile =
${radacctdir}/%{Huntgroup-Name:-%{Client-IP-Address}}/auth-detail-%Y%m%d
  detailperm = 0600
}

So if I have a client defined in a huntgroup, it logs to the
huntgroup's log files and if not, it logs to a directory identified by its
client IP address.

My problem is that this is working fine for the auth-detail file, but
detail file is still logging individually, without using the
Huntgroup-Name variable.

Any idea?



Re: radwho is not working

2007-01-05 Thread Angel L. Mateo
On Thu, 04-01-2007 at 05:16 -0800, Alan DeKok wrote:
 Angel L. Mateo wrote:
  The problem I have is that although radumtp and radwmtp are updated
  every time time radius authenticate an user, radwho shows an empty list,
  but radlast shows information. For example, at this moment:
 
   Run the server in debugging mode.  The radutmp file needs certain
 information to create an entry, and if that information isn't in the
 accounting packet, it can't create an entry.
 
   Debugging mode WILL show you this.
 
But, if this was the problem, why does freeradius update the file? (I have
checked that the file is modified every time freeradius makes an
authentication)



radwho is not working

2007-01-04 Thread Angel L. Mateo
anonymou 1648:ap  Thu Jan  4 12:05   still logged in   
anonymou 1211:ap  Thu Jan  4 12:03   still logged in   
anonymou 1647:ap  Thu Jan  4 12:02 - 12:05  (00:03)
anonymou 764:ap   Thu Jan  4 12:02 - 12:05  (00:03)
skarmeta 837:ap   Thu Jan  4 12:01 - 12:05  (00:03)
anonymou 938:ap   Thu Jan  4 12:00 - 12:02  (00:01)
anonymou 1646:ap  Thu Jan  4 11:59 - 12:02  (00:03)
anonymou 763:ap   Thu Jan  4 11:58 - 12:00  (00:01)
skarmeta 809:ap   Thu Jan  4 11:57 - 12:01  (00:03)
anonymou 1645:ap  Thu Jan  4 11:57 - 11:59  (00:02)
anonymou 937:ap   Thu Jan  4 11:56 - 11:58  (00:01)
anonymou 613:ap   Thu Jan  4 11:55 - 12:00  (00:04)
anonymou 1644:ap  Thu Jan  4 11:55 - 11:57  (00:02)
anonymou 762:ap   Thu Jan  4 11:54 - 11:56  (00:01)
skarmeta 835:ap   Thu Jan  4 11:53 - 11:57  (00:03)
anonymou 1643:ap  Thu Jan  4 11:53 - 11:55  (00:02)
anonymou 1642:ap  Thu Jan  4 11:51 - 11:53  (00:01)
anonymou 936:ap   Thu Jan  4 11:50 - 11:54  (00:03)
anonymou 2668:ap  Thu Jan  4 11:50   still logged in   
skarmeta 808:ap   Thu Jan  4 11:49 - 11:53  (00:03)
anonymou 1641:ap  Thu Jan  4 11:49 - 11:51  (00:02)
anonymou 761:ap   Thu Jan  4 11:48 - 11:50  (00:01)
...

as you can see, radlast shows that there are users logged in to the
system, but

vulpes2:/etc/freeradius# radwho
Login  Name  What  TTY  When  From  Location

any idea?

 


How to send some clients to the same detail file

2006-11-03 Thread Angel L. Mateo
Hello,

I have a running server with this configuration:

detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}

detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
detailperm = 0600
}

I have activated the detail file in the accounting section and the
auth_log in the authorize section, and they are working fine.

But now I want to send all the logs for requests from a group of
clients (defined as a huntgroup) to the same files, and the requests for
all other clients as now (classified by the IP address of the client).
Is there any way to redefine these files for a set of clients?

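Added example, not FreeRADIUS code: a Python model of the `%{Attribute:-default}` expansion used in the detailfile setting of these two threads and, later on this page, in the ldap filter `(uid=%{Stripped-User-Name:-%{User-Name}})`. It shows the rule behind the symptom described above: when the request carries no Huntgroup-Name at the moment the detail module expands its path, the default branch is taken and the file lands under the Client-IP-Address directory, exactly as in the debug output earlier on the page. The `radacctdir` value and all attribute values are constructed for the example.

```python
"""Model of FreeRADIUS %{Attribute:-default} string expansion.

Added example, not FreeRADIUS code.  It implements the subset of the
server's expansion used in the settings on this page: ${var} configuration
variables, %{Attribute}, %{Attribute:-default} (the default may itself be
an expansion, as in %{Huntgroup-Name:-%{Client-IP-Address}}), and the
%Y %m %d %H %M %S date codes.  Everything else is copied literally.
The config value and request attributes used below are constructed.
"""
from datetime import datetime


def _matching_brace(s, open_idx):
    """Index of the '}' closing the '{' at open_idx, honouring nesting."""
    depth = 0
    for j in range(open_idx, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced braces in %r" % s)


def _split_default(body):
    """Split 'Name:-default' at the first ':-' that is not inside braces."""
    depth = 0
    for j in range(len(body) - 1):
        if body[j] == "{":
            depth += 1
        elif body[j] == "}":
            depth -= 1
        elif depth == 0 and body[j:j + 2] == ":-":
            return body[:j], body[j + 2:]
    return body, None


def xlat(template, attrs, config=None, now=None):
    """Expand template using request attributes and config variables."""
    config = config or {}
    now = now or datetime.now()
    out, i = [], 0
    while i < len(template):
        c = template[i]
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if c == "$" and nxt == "{":
            end = _matching_brace(template, i + 1)
            out.append(str(config.get(template[i + 2:end], "")))
            i = end + 1
        elif c == "%" and nxt == "{":
            end = _matching_brace(template, i + 1)
            name, default = _split_default(template[i + 2:end])
            value = attrs.get(name)
            if value not in (None, ""):
                out.append(str(value))
            elif default is not None:
                # the default is a template too, so nested %{...} works
                out.append(xlat(default, attrs, config, now))
            i = end + 1
        elif c == "%" and nxt and nxt in "YmdHMS":
            out.append(now.strftime("%" + nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


# The detailfile setting from this thread and the ldap filter used later on
# the page; the radacctdir value and the timestamp are constructed.
DETAILFILE = "${radacctdir}/%{Huntgroup-Name:-%{Client-IP-Address}}/detail-%Y%m%d"
LDAP_FILTER = "(uid=%{Stripped-User-Name:-%{User-Name}})"
CONFIG = {"radacctdir": "/var/log/freeradius/radacct"}
EXAMPLE_WHEN = datetime(2007, 2, 5, 10, 40, 41)


def detail_path(attrs, when):
    """Where a request with these attributes would be logged."""
    return xlat(DETAILFILE, attrs, CONFIG, when)


if __name__ == "__main__":
    print(detail_path({"Client-IP-Address": "155.54.213.20"}, EXAMPLE_WHEN))
    print(detail_path({"Client-IP-Address": "155.54.213.20",
                       "Huntgroup-Name": "wifi-aps"}, EXAMPLE_WHEN))
    print(xlat(LDAP_FILTER, {"User-Name": "user@um.es"}))
```

The useful check when debugging a path like this is to run the server in debug mode and look for the `radius_xlat:` line the detail module prints: if it shows the client address instead of the huntgroup name, the attribute was simply not in the request when the expansion ran.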


RE: EAP and accounting

2006-10-30 Thread Angel L. Mateo
On Fri, 20-10-2006 at 09:24 -0400, King, Michael wrote:
 Yes.  It's possible.
 
 Look in eap.conf  In each EAP section (TTLS and PEAP) this code snippet exists
 
 #  The reply attributes sent to the NAS are
 #  usually based on the name of the user
 #  'outside' of the tunnel (usually
 #  'anonymous').  If you want to send the
 #  reply attributes based on the user name
 #  inside of the tunnel, then set this
 #  configuration entry to 'yes', and the reply
 #  to the NAS will be taken from the reply to
 #  the tunneled request.
 #
 # allowed values: {no, yes}
 use_tunneled_reply = no 
 
Hello,

I have this attribute set to yes. With this, the reply my freeradius
server sends to the client is based on the user inside the EAP tunnel,
but the accounting logs are still registered with username anonymous
instead of the username inside the tunneled request.



EAP and accounting

2006-10-20 Thread Angel L. Mateo
Hello,

I am developing my freeradius server (version 1.1.2) to use it in a WPA
wireless environment with EAP authentication.

Until this moment (without EAP) the accounting information collected by
freeradius is in the form:

- detail-MMDD:

Fri Oct 20 11:07:59 2006
User-Name = username@realm
NAS-Port = 2161
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = X.X.X.X
Class = 0x69636172756d
Calling-Station-Id = 172.18.201.166
Acct-Status-Type = Start
Acct-Session-Id = 15D003FA
Tunnel-Client-Endpoint:0 = 172.18.201.166
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = nas IP address
NAS-Port-Type = Virtual
Proxy-State = 0x323034
Client-IP-Address = client ip address
Acct-Unique-Session-Id = e43a1da655ba3ef3
Stripped-User-Name = username
Realm = realm
Timestamp = 1161335279

- auth-detail-MMDD:

Packet-Type = Access-Request
Fri Oct 20 11:10:14 2006
User-Name = username@realm
User-Password = 190482
NAS-Identifier = nas id
NAS-IP-Address = nas ip
Proxy-State = 0x323433
Client-IP-Address = client ip

But with EAP the files have the same form, but the username is always
anonymous, because the real authentication is made through the tunnel
connection.

I want to know if there is any way to configure radius to log the real
username instead of anonymous in the log files.

Thanks.




RE: Source IP address for proxy requests

2006-09-27 Thread Angel L. Mateo
On Tue, 26-09-2006 at 10:00 +0200, Sebastien Cantos wrote:
 I've you seen my post or are you just ignoring it ? :)
 
I've seen your post. I already know I could reconfigure routes.



Re: Source IP address for proxy requests

2006-09-26 Thread Angel L. Mateo
On Mon, 25-09-2006 at 22:54 +0300, Peter Nixon wrote:

 
 I had this problem previously with FreeRADIUS where radius had to reply from 
 the inside interface of a multihomed server else the packets would not match 
 the IPSec tunnel ACLs bound to the external interface (A common config) I 
 solved it by telling freeradius to only bind to one IP. Does this config no 
 longer work??
 
It continues working, but the problem is with connections originated
from the radius server, not the answer. Specifically, the problem is
with proxy requests sent by the radius server.



Source IP address for proxy requests

2006-09-25 Thread Angel L. Mateo
Hello,

I have a cluster of two servers running freeradius (the cluster is
monitored by heartbeat). Each of the two members of the cluster has its
own IP address (192.168.1.2 and 192.168.1.3) and one of them (the active
member) has the IP address on which it runs freeradius (192.168.1.1), so
freeradius only listens on this address, not on the one owned by the server.

Freeradius is working fine with this configuration, except for the proxy
module. The problem I have is that proxy requests are originated with
the IP address of the member, not the IP of the cluster. And I haven't
found any configuration option to configure this. Is there any way to do
it?



Re: Source IP address for proxy requests

2006-09-25 Thread Angel L. Mateo
On Mon, 25-09-2006 at 14:46 +0200, Nicolas Baradakis wrote:
 Angel L. Mateo wrote:
 
  Freeradius is working fine with this configuration, except the proxy
  module. The problema I have is that proxy requests are originated with
  the IP address of the member, not the IP of the cluster. And I haven't
  found any configuration option to configure this. Is there any way to do
  it?
 
 Why is this a problem?
 
This is a problem for the following reasons:

* I have to configure my firewall to accept radius connections to
different addresses, not just the clustered IP.

* The radius that receives the request has to define two different
clients (to accept my request) and also my clustered radius (to send
requests to me).

I know it can be solved with configuration but I think this is not an
elegant solution to the problem. If I have configured freeradius to
listen on just one interface of the server, why does it have to use another
different interface?

 I note RADIUS packets are using UDP, which means they're connectionless.
 I think you don't want a machine from the cluster send a proxy request,
 and a different machine get the proxy reply. This wouldn't work.
 
This is an impossible situation, because I have an active/standby
configuration of the cluster. Just one node is running the IP and the
server. The other node is just a backup one (in a normal environment).



Different ldap authentications

2006-09-08 Thread Angel L. Mateo
Hello,

We are using freeradius as our radius server and we use it for
authentication and authorization in different applications. Our users
backend is a ldap directory, so in radiusd.conf we've got:

server = ldap.domain.com
identity = cn=radiususer,dc=domain,dc=com
password = radiuspw
basedn = ou=People,dc=domain,dc=com
filter = (uid=%{Stripped-User-Name:-%{User-Name}})

Now, we need to configure our radius server so it could use another
different ldap configuration for some of its clients. I know I could
discriminate clients, but I haven't found how to make it use another
different ldap configuration, if it is possible.



A cluster of freeradius servers

2005-08-26 Thread Angel L. Mateo
Hi,

I want to deploy the following configuration: I have a proxy radius server
(freeradius) which redirects its requests to another freeradius server. I
have another freeradius server with the same configuration as this last
one. What I want is to configure the proxy radius to proxy requests to
one of these servers. If this fails, then it should ask the other one.
Is this possible with freeradius? How do I do it?



Re: Error: Dropping conflicting packet due to unfinished request

2005-05-18 Thread Angel L. Mateo
On Tue, 17-05-2005 at 10:19 -0400, Dustin Doris wrote:

 Perhaps your ldap server might be running a little slow.  Are you using
 openldap?  If so, what version?  Also, do you have the attributes you are
 searching with indexed?  Finally, if you are using a BDB backend, what
 does your DB_CONFIG file show?
 
Yes, I have OpenLDAP, version 2.2.13, and I have all the attributes
radius uses indexed. It may be a problem with my ldap server, but it ran
without any problem for the last 3 months. Problems appeared a week ago.

Trying to solve the problem yesterday I increased the max_request_time,
timeout and timelimit options. Since then, there isn't any problem (it's
the first time in last week that radius is running more than 12 hours
without problems)

Another problem I have when the problem appears is that databases are
corrupted. When the problem crashes the radius daemon, I not only have to
restart it, but I also have to delete the db.ippool and db.ipindex
files. If I restart it without deleting these files, radius runs with
problems and dies after a little while.



Error: Dropping conflicting packet due to unfinished request

2005-05-17 Thread Angel L. Mateo
Hello,

I run the freeradius server (1.0.2) with ldap support on a debian sarge
server. In the last few days I'm having the error message Error: Dropping
conflicting packet due to unfinished request a lot of times and the
server dies too frequently.

I've seen in previous threads
(http://lists.freeradius.org/archives/freeradius-users/2005/04/frm00119.html
and
http://lists.freeradius.org/archives/freeradius-users/2005/05/msg7.html)
that this message is related to a bug in external commands, but I don't use
any external command, I just use an ldap server as the users' database.

Any idea?



Re: different pools for different realms

2005-04-11 Thread Angel L. Mateo
On Fri, 08-04-2005 at 20:03 +0300, Kostas Kalevras wrote:

 
 DEFAULT   Realm == myrealm, NAS-IP-Address == 10.10.10.1, Auth-Type = 
 LDAP, 
 Pool-Name := my_pool
 
Thank you. I didn't know I could use the Realm attribute in the check line.
Is there any list of attribute names I can use there? Because this
attribute isn't in http://www.freeradius.org/rfc/attributes.html



different pools for different realms

2005-04-08 Thread Angel L. Mateo
Hello,

I am a newbie with freeradius (and with all radius servers), so maybe
this is a silly question; I am sorry if it is.

I have 1.0.2 running in a debian sarge box.

I am configuring a new radius server to substitute two different radius
servers already working. We want to substitute those two servers with a new one.
So we have to unify both configurations.

Those servers offer IP addresses from different pools to their users.
So with the new one we have to authenticate users (with different
realms) and map them to different IP pools.

By now, I have an entry in the users file like this:

DEFAULT Auth-Type = LDAP, Pool-Name := my_pool, NAS-IP-Address == 10.10.10.1
        User-Name := `%{User-Name}`,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        X-Ascend-Client-Primary-DNS = 10.10.10.10,
        X-Ascend-Client-Secondary-DNS = 10.10.10.11,
        Fall-Through = No

(I authenticate through a LDAP server)

Is there any way to force that entry to have a particular realm? That
is, something like this:

DEFAULT Auth-Type = LDAP, Realm == @myrealm, Pool-Name := my_pool, NAS-IP-Address == 10.10.10.1
        ...
        ...

Or there is any other way to do what I want?

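As an added example (not the FreeRADIUS rlm_files implementation), here is a Python model of how a users-file entry like the ones in this thread is matched: on the first line, items written with `==` are check items compared against the request, while `:=` and `=` set control items such as Auth-Type and Pool-Name; the indented lines are reply items, and Fall-Through decides whether later entries are still tried. It uses the Realm check item from Kostas Kalevras's answer quoted above so that two DEFAULT entries for the same NAS select different pools. The users-file text, realm names, addresses and the simplification that entry names are compared against User-Name only are all constructed for the example.

```python
"""Model of how a users-file entry is matched against a request.

Added example, not the FreeRADIUS rlm_files implementation.  It covers the
subset of users-file semantics discussed in this thread: on an entry's
first line, items written with '==' are check items compared against the
request, while ':=' (override) and '=' (set if absent) add control items
such as Auth-Type or Pool-Name; the indented lines are reply items, and
'Fall-Through = Yes' lets later entries be tried as well.  Entry names
other than DEFAULT are compared with User-Name only (a simplification).
The users-file text, realm names and addresses are constructed.
"""
import re

# attribute, operator, value; value may be quoted or run up to the next comma
PAIR_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,]+?)\s*(?:,|$)')

SAMPLE_USERS = """\
# users of "myrealm" arriving through NAS 10.10.10.1 get my_pool (constructed)
DEFAULT\tRealm == "myrealm", NAS-IP-Address == 10.10.10.1, Auth-Type := LDAP, Pool-Name := my_pool
\tService-Type = Framed-User,
\tFramed-Protocol = PPP,
\tX-Ascend-Client-Primary-DNS = 10.10.10.10,
\tX-Ascend-Client-Secondary-DNS = 10.10.10.11,
\tFall-Through = No

# users of "otherrealm" on the same NAS get a different pool
DEFAULT\tRealm == "otherrealm", NAS-IP-Address == 10.10.10.1, Auth-Type := LDAP, Pool-Name := other_pool
\tService-Type = Framed-User,
\tFramed-Protocol = PPP,
\tFall-Through = No

# anything else on that NAS is rejected
DEFAULT\tNAS-IP-Address == 10.10.10.1, Auth-Type := Reject
"""


def _pairs(text):
    return [(m.group(1), m.group(2), m.group(3).strip('"'))
            for m in PAIR_RE.finditer(text)]


def parse_users(text):
    """Return entries as dicts with 'name', 'check' and 'reply' lists."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                     # indented: reply items
            if not entries:
                raise ValueError("reply items before any entry: %r" % raw)
            entries[-1]["reply"].extend(_pairs(raw.strip()))
        else:                                    # entry name + check items
            parts = raw.split(None, 1)
            check = _pairs(parts[1]) if len(parts) > 1 else []
            entries.append({"name": parts[0], "check": check, "reply": []})
    return entries


def authorize(entries, request):
    """Return (control, reply) built from the matching entries, in order."""
    control, reply = {}, {}
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
            continue
        # every '==' check item must match the request, else skip the entry
        if any(op == "==" and request.get(attr) != value
               for attr, op, value in entry["check"]):
            continue
        for attr, op, value in entry["check"]:
            if op == ":=":
                control[attr] = value
            elif op == "=":
                control.setdefault(attr, value)
        fall_through = False
        for attr, op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == ":=" or attr not in reply:
                reply[attr] = value
        if not fall_through:
            break
    return control, reply


if __name__ == "__main__":
    entries = parse_users(SAMPLE_USERS)
    for req in ({"User-Name": "alice@myrealm", "Realm": "myrealm", "NAS-IP-Address": "10.10.10.1"},
                {"User-Name": "bob@otherrealm", "Realm": "otherrealm", "NAS-IP-Address": "10.10.10.1"},
                {"User-Name": "eve", "NAS-IP-Address": "10.10.10.1"}):
        print(req["User-Name"], authorize(entries, req))
```

For the Realm check item to see anything, the realm module (the `suffix` instance) has to run before `files` in the authorize section, because it is rlm_realm that adds the Realm attribute to the request; the debug output earlier on this page shows it doing exactly that (`rlm_realm: Adding Realm = um.es`). The catch-all Reject entry at the end is there so that a user from an unknown realm does not silently fall through to a pool they should not get.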