Re: [ANN] Version 3.0.0-rc0

2013-07-12 Thread Doug Hardie

On 11 July 2013, at 15:24, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 On 11 Jul 2013, at 22:39, Doug Hardie bc...@lafn.org wrote:
 
 
 On 11 July 2013, at 06:09, Fajar A. Nugraha l...@fajar.net wrote:
 
 On Thu, Jul 11, 2013 at 7:28 PM, Arran Cudbard-Bell 
 a.cudba...@freeradius.org wrote:
 We are now in feature freeze for 3.0. The configuration format and 
 behaviour for 3.0 will be stable between now and the final release.
 
 If you are planning on deploying 3.0 and have an existing 2.x.x 
 configuration you were planning to migrate when the 3.0 is released, now 
 would be a good time to try that, and to report any issues or problematic 
 behaviour changes you notice.
 
 I was not able to find a list of the changes between 2 and 3.
 
 https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/ChangeLog
 
 Or
 
 https://lists.freeradius.org/pipermail/freeradius-devel/2012-September/006985.html
 https://lists.freeradius.org/pipermail/freeradius-users/2013-June/066846.html
 
 I have possibly read somewhere that user modules which can be compiled 
 separately from the base system in version 2, now must be compiled within 
 version 3.  I wanted to check on this.
 
 Bundled modules no longer have their own standalone make files if that's what 
 you're referring to. But you're fine building your own modules outside of 
 FreeRADIUS.

Yes I build outside of FreeRadius so thanks for the information and the pointer 
to the complete list. 

 
 If you want to use the FreeRADIUS build framework, i.e. boilermake, then 
 there's no support for specifying arbitrary paths to modules, so yes it'd 
 have to be located within src/modules/.
 
 -Arran
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 



Re: [ANN] Version 3.0.0-rc0

2013-07-11 Thread Doug Hardie

On 11 July 2013, at 06:09, Fajar A. Nugraha l...@fajar.net wrote:

 On Thu, Jul 11, 2013 at 7:28 PM, Arran Cudbard-Bell 
 a.cudba...@freeradius.org wrote:
 We are now in feature freeze for 3.0. The configuration format and behaviour 
 for 3.0 will be stable between now and the final release.
 
 If you are planning on deploying 3.0 and have an existing 2.x.x configuration 
 you were planning to migrate when the 3.0 is released, now would be a good 
 time to try that, and to report any issues or problematic behaviour changes 
 you notice.

I was not able to find a list of the changes between 2 and 3.  I have possibly 
read somewhere that user modules which can be compiled separately from the base 
system in version 2, now must be compiled within version 3.  I wanted to check 
on this.


Re: Wiki Links

2012-09-03 Thread Doug Hardie

On 2 September 2012, at 23:32, Alan DeKok wrote:

 Doug Hardie wrote:
 I was going to fix the modules pages, but my account no longer works.  Id 
 used to be wa6vvv.
 
  Those accounts were deleted about a year ago.  The Wiki moved to a new
 machine, and was upgraded substantially.
 
  You'll need to use github or openid.
 
  Alan DeKok.

I must have missed the announcements on that ;-)

Since I have no familiarity with either and would only be using it to maintain 
FreeRADIUS documentation, is there a preferred approach, or one that would be 
more appropriate?




Re: Wiki Links

2012-09-02 Thread Doug Hardie
I was going to fix the modules pages, but my account no longer works.  Id used 
to be wa6vvv.


On 2 September 2012, at 15:05, Arran Cudbard-Bell wrote:

 Hi All,
 
 The gollum maintainers found a serious security issue, and informed us that 
 we should upgrade the wikis ASAP.
 
 I've now done the upgrade work, but one of the features added (hierarchical 
 pages) has broken all the links across the site.
 
 I've fixed all the links on the home page, but there are many more. 
 
 If you wouldn't mind helping out on the pages that get most traffic, it'd be 
 very much appreciated.
 
 Many thanks,
 Arran


Re: Problem with crypt passwords matching

2012-08-15 Thread Doug Hardie

On 15 August 2012, at 14:23, Fajar A. Nugraha wrote:

 On Thu, Aug 16, 2012 at 3:40 AM, Robert Haskins
 robert.hask...@gmail.com wrote:
 I get a reject, even though the
 crypt'd passwords match!
 
 That's not how crypt works. You don't compare the crypted password.
 
 
 [pap] login attempt with password krt444
 
 that is what the user sends
 
 [pap] Using CRYPT password *3u.3LS/VKTOVc
 
 that is what FR reads from whatever backend which stores user
 information (in your case, should be the unix module)
 
 The crypt'd password (*3u.3LS/VKTOVc) is exactly what is in the
 /etc/shadow file.
 
 because that's where FR reads it from, of course it's the same.
 
 So I am confident the shared secret is correct.
 
 Shared secret has nothing to do with your problem.
 
 What am I doing wrong?
 
 Simple. Is krt444 the correct password? FR says it's not.
 

I don't know for sure about your system, but most Unix based systems will not 
generate a * in the encrypted password.  Normally that is used to indicate a 
locked or disabled account.  From the FreeBSD man pages:

 A password of `*' indicates that password authentication is disabled for
 that account (logins through other forms of authentication, e.g., using
 ssh(1) keys, will still work).  The field only contains encrypted pass-
 words, and `*' can never be the result of encrypting a password.


You might want to try reentering that password or check your man pages.


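The man-page point quoted in the message above, that `*` can never be the result of encrypting a password, as an added C example (not code from the thread or from FreeRADIUS). It classifies a shadow password field and shows that the value logged in the thread has the shape of a 13-character DES hash behind a leading `*`; it goes slightly beyond the thread by also recognising `!` and the `$id$` modular format. The function names are hypothetical and every sample string except the logged value is constructed.

```c
#include <stdio.h>
#include <string.h>

enum pw_field_kind {
    PW_EMPTY,     /* nothing stored */
    PW_LOCKED,    /* starts with a character crypt() never emits */
    PW_DES,       /* 13 characters from the traditional crypt alphabet */
    PW_MODULAR,   /* $id$salt$hash modular crypt format */
    PW_UNKNOWN    /* none of the above */
};

/* Traditional crypt() output: 2 salt + 11 hash characters from this set. */
static const char CRYPT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

static int in_crypt_alphabet(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        /* strchr() would match the terminator, so rule it out first */
        if (s[i] == '\0' || strchr(CRYPT_ALPHABET, s[i]) == NULL)
            return 0;
    }
    return 1;
}

enum pw_field_kind classify_pw_field(const char *field)
{
    size_t len = strlen(field);

    if (len == 0)
        return PW_EMPTY;
    /* '*' and '!' are outside the alphabet: no password can hash to this. */
    if (field[0] == '*' || field[0] == '!')
        return PW_LOCKED;
    if (field[0] == '$') {
        const char *second = strchr(field + 1, '$');
        if (second != NULL && second > field + 1 && second[1] != '\0')
            return PW_MODULAR;
        return PW_UNKNOWN;
    }
    if (len == 13 && in_crypt_alphabet(field, 13))
        return PW_DES;
    return PW_UNKNOWN;
}

/* Skip single-character lock markers to see what, if anything, is behind them. */
const char *strip_lock_prefix(const char *field)
{
    while (*field == '*' || *field == '!')
        field++;
    return field;
}

static const char *kind_name(enum pw_field_kind k)
{
    switch (k) {
    case PW_EMPTY:   return "empty";
    case PW_LOCKED:  return "locked/disabled";
    case PW_DES:     return "DES crypt hash";
    case PW_MODULAR: return "modular crypt hash";
    default:         return "unknown";
    }
}

int main(void)
{
    /* First entry is the field from the thread; the rest are constructed. */
    const char *samples[] = { "*3u.3LS/VKTOVc", "*", "", "$6$saltsalt$abcdef", "abc" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *rest = strip_lock_prefix(samples[i]);
        printf("%-20s -> %-18s (behind marker: %s)\n", samples[i],
               kind_name(classify_pw_field(samples[i])),
               kind_name(classify_pw_field(rest)));
    }
    return 0;
}
```

A field classified as locked should be treated as "no password will ever match", whatever the user types, which is a different failure from a wrong password.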


Re: Cant Start Radius Server MAC OSX (snow leopard)

2011-08-14 Thread Doug Hardie
The root user in OS-X is not easily accessible.  It's there, just like in 
FreeBSD, but you can't login or su to it normally.  You can activate the root 
password (there are instructions on the web) then you can su to it and start 
things.  However, the most common approach is to use sudo.  The first user 
account created is an admin user that does have more privileges than any 
other user, but it does not have root privileges.


On 14 August 2011, at 20:11, Sallee, Stephen (Jake) wrote:

 Hmmm … are you sure you are root?  I am not a MAC guy, but I do know that 
 MACs are based off Linux (technically FreeBSD with some Steve Jobs magic on 
 top, but who REALLY makes that distinction any more : ).  That being the case 
 root SHOULD have access to everything, so if as root you are being denied 
 access to a file then either the file has become locked somehow (but Linux is 
 not supposed to care about that) or you are not REALLY root.  Your user may 
 be root but it could be missing some privileges that another system user has. 
  I have been using Fedora, Ubuntu, CentOS, etc for several years and have 
 NEVER had a file deny root access.  Root is the holy smack down you lay on a 
 file when you want to fiddle with it no-matter-what, file permissions be 
 d@mn3d!
  
 Then again, as I said, I am not a MAC guy so Apple could have done something 
 special.  Perhaps another MAC user here can say…
  
 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 900 College St.
 Belton, Texas
 76513
 Fone: 254-295-4658
 Phax: 254-295-4221
  
 From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
 [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] 
 On Behalf Of Elizabeth Fife
 Sent: Sunday, August 14, 2011 7:02 PM
 To: freeradius-users@lists.freeradius.org
 Subject: RE: Cant Start Radius Server MAC OSX (snow leopard)
  
 Hi Jack
 I am root user
  
 Server Radius Logs Say
  
 Sun Aug 14 16:59:56 2011 : Info: rlm_sql (sql): Driver rlm_sql_sqlite (module 
 rlm_sql_sqlite) loaded and linked
 Sun Aug 14 16:59:56 2011 : Info: rlm_sql (sql): Attempting to connect to 
 radius@localhost:/radius
 Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: Opening sqlite database 
 /private/etc/raddb/sqlite_radius_client_database for #0
 Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: sqlite3_open() = 0 
 Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: Opening sqlite database 
 /private/etc/raddb/sqlite_radius_client_database for #1
 Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: sqlite3_open() = 0 
 Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: Opening sqlite database 
 /private/etc/raddb/sqlite_radius_client_database for #2
 Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: sqlite3_open() = 0 
 Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: Opening sqlite database 
 /private/etc/raddb/sqlite_radius_client_database for #3
 Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: sqlite3_open() = 0 
 Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: Opening sqlite database 
 /private/etc/raddb/sqlite_radius_client_database for #4
 Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: sqlite3_open() = 0 
 Sun Aug 14 16:59:56 2011 : Error: /private/etc/raddb/users[215]: Parse error 
 (check) for entry Service-Type: Invalid octet string NAS-Prompt-User for 
 attribute name 
 Sun Aug 14 16:59:56 2011 : Error: Errors reading /private/etc/raddb/users
 Sun Aug 14 16:59:56 2011 : Error: /private/etc/raddb/modules/files[7]: 
 Instantiation failed for module files
 Sun Aug 14 16:59:56 2011 : Error: 
 /private/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module 
 files.
 Sun Aug 14 16:59:56 2011 : Error: 
 /private/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize 
 section. 
 Sun Aug 14 16:59:56 2011 : Error: Errors initializing modules
  
  
 radiusd -x says
  
 server10:~ admin$ radiusd -X
 FreeRADIUS Version 2.1.3, for host i386-apple-darwin10.0, built on Apr 11 
 2011 at 17:19:07
 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
 PARTICULAR PURPOSE. 
 You may redistribute copies of FreeRADIUS under the terms of the 
 GNU General Public License v2. 
 Starting - reading configuration files ...
 including configuration file /private/etc/raddb/radiusd.conf
 Unable to open file /private/etc/raddb/radiusd.conf: Permission denied
 Errors reading /private/etc/raddb/radiusd.conf
  
 Does that help?
  
  
  
  
  To: freeradius-users@lists.freeradius.org
 
  Subject: RE: Cant Start Radius Server MAC OSX (snow leopard)
  Date: Sun, 14 Aug 2011 22:56:13 +
  
  As what user are you attempting to start FreeRADIUS? Most times FR is run 
  as a daemon, so any user that tries to run FR should have permissions to 
  look at FR's files, most time this is root or some other super user. What 
  does radiusd -X say?
  
  Jake Sallee
  Godfather of Bandwidth
  System 

Re: debug only for rlm_xxx (rlm_perl)

2010-03-17 Thread Doug Hardie
: warning: value computed is not used
 rlm_perl.c:568: warning: value computed is not used
 rlm_perl.c: In function 'pairadd_sv':
 rlm_perl.c:592: error: 'sb' undeclared (first use in this function)
 rlm_perl.c:592: error: (Each undeclared identifier is reported only once
 rlm_perl.c:592: error: for each function it appears in.)
 rlm_perl.c: In function 'rlmperl_call':
 rlm_perl.c:729: warning: value computed is not used
 
 
 On Thu, 11 Mar 2010 11:35:24 -0800, Doug Hardie bc...@lafn.org wrote:
 On 11 March 2010, at 03:43, bi...@antworte.me bi...@antworte.me
 wrote:
 
 
 Hello list,
 
 is there an option in radiusd.conf how to enable debug logging only for
 several rlm_modules,
 e.g. I have rlm_perl and I only want debug messages for this.
 
 Thanks for your reply in advance.
 
 
 It can be done via some modifications to the module source.  Here is the
 approach I use in my modules:
 
 At the top of each function:
 
  int rdebug;
 
  rdebug = !stat("/var/log/radacct/radius_debug", &sb);
 
 
 Then after each DEBUG entry add:
 
  if (rdebug) radlog (L_AUTH, "%s", auth_msg);
 
 Note the L_AUTH is the level, the auth_msg is the message in the DEBUG
 statement.  You can also add our own debugging that way that goes beyond
 that provided in the original module.
 
 To turn on this debugging just touch the filename listed in the stat
 command above.  Debugging for that module will start.  Disable it by
 deleting that file.  You can change the file name to anything convenient
 for you.


Re: debug only for rlm_xxx (rlm_perl)

2010-03-11 Thread Doug Hardie

On 11 March 2010, at 03:43, bi...@antworte.me bi...@antworte.me wrote:

 
 Hello list,
 
 is there an option in radiusd.conf how to enable debug logging only for
 several rlm_modules,
 e.g. I have rlm_perl and I only want debug messages for this.
 
 Thanks for your reply in advance.


It can be done via some modifications to the module source.  Here is the 
approach I use in my modules:

At the top of each function:

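struct stat sb;   /* filled in by stat() below; needs #include <sys/stat.h> */
int rdebug;

/* stat() returns 0 when the flag file exists, so rdebug is 1 while it is present */
rdebug = !stat("/var/log/radacct/radius_debug", &sb);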


Then after each DEBUG entry add:

if (rdebug) radlog (L_AUTH, "%s", auth_msg);

Note the L_AUTH is the level, the auth_msg is the message in the DEBUG 
statement.  You can also add our own debugging that way that goes beyond that 
provided in the original module.

To turn on this debugging just touch the filename listed in the stat command 
above.  Debugging for that module will start.  Disable it by deleting that 
file.  You can change the file name to anything convenient for you.
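The flag-file switch described in the message above, as an added C example (not code from the post or from FreeRADIUS). It is a stricter variant: it uses lstat() instead of stat() and only honours a regular file owned by root or the daemon's user and not writable by group or others, so that another local account cannot turn on logging of authentication messages. The function names, the `/tmp` demo paths and the stderr logger standing in for radlog() are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Return 1 only when `path` is a flag file that a trusted account created:
 * a regular file (not a symlink), owned by root or by the daemon's own
 * user, and not writable by group or others. Anything else means "off".
 */
int debug_flag_enabled(const char *path)
{
    struct stat sb;

    if (lstat(path, &sb) != 0)
        return 0;                       /* no flag file: debugging off */
    if (!S_ISREG(sb.st_mode))
        return 0;                       /* symlink, directory, FIFO ... */
    if (sb.st_uid != 0 && sb.st_uid != geteuid())
        return 0;                       /* dropped there by another user */
    if (sb.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                       /* others could edit or replace it */
    return 1;
}

/*
 * Hypothetical stand-in for the server's logging call, so the example
 * builds without FreeRADIUS headers. Returns 1 if the line was emitted.
 */
int module_debug(const char *flag_path, const char *msg)
{
    if (!debug_flag_enabled(flag_path))
        return 0;
    fprintf(stderr, "rlm_xxx debug: %s\n", msg);
    return 1;
}

/* Demo: make a temporary flag file with `mode`, test it, remove it. */
int check_temp_flag(mode_t mode)
{
    char path[] = "/tmp/radius_debug_demo.XXXXXX";
    int fd = mkstemp(path);
    int result;

    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    result = module_debug(path, "flag accepted");
    unlink(path);
    return result;
}

/* Demo: a symlink pointing at a valid flag file must not enable debugging. */
int check_symlinked_flag(void)
{
    char target[] = "/tmp/radius_debug_demo.XXXXXX";
    char link_path[64];
    int fd = mkstemp(target);
    int result;

    if (fd < 0)
        return -1;
    close(fd);
    snprintf(link_path, sizeof(link_path), "%s.lnk", target);
    if (symlink(target, link_path) != 0) {
        unlink(target);
        return -1;
    }
    result = debug_flag_enabled(link_path);
    unlink(link_path);
    unlink(target);
    return result;
}

int main(void)
{
    printf("owner-only file (0600):  %d\n", check_temp_flag(0600));
    printf("world-writable (0666):   %d\n", check_temp_flag(0666));
    printf("symlink to a flag file:  %d\n", check_symlinked_flag());
    printf("missing file:            %d\n",
           debug_flag_enabled("/tmp/radius_debug_demo.absent"));
    return 0;
}
```

The directory holding the flag file needs the same care: if other accounts can write to it, they can create or remove the file regardless of these checks on the file itself.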


Re: Wiki

2010-03-03 Thread Doug Hardie
Works now.  Update to instantiate description is now there.  Thanks.


On 3 March 2010, at 07:19, Peter Nixon wrote:

 On Sun 28 Feb 2010, Doug Hardie wrote:
 A week ago I tried to update the wiki to correct an interpretation error
 that was pointed out by one of the freeradius users.  I can log into the
 wiki fine, but even though the save says the update was saved, it is not.
 I then posted the necessary change here and nothing has happened.  Has
 the wiki become road kill? -
 
 The wiki has not become road kill.. I have just been busy and not paying 
 attention to the mailing list :-)
 
 I did several test changes, and couldn't see any problems, but I have 
 upgraded to the latest mediawiki anyway.
 
 Let me know if you still have issues.
 
 Cheers
 
 -- 
 
 Peter Nixon
 http://peternixon.net/


Wiki

2010-02-28 Thread Doug Hardie
A week ago I tried to update the wiki to correct an interpretation error that 
was pointed out by one of the freeradius users.  I can log into the wiki fine, 
but even though the save says the update was saved, it is not.  I then posted 
the necessary change here and nothing has happened.  Has the wiki become road 
kill?


Re: Wiki

2010-02-28 Thread Doug Hardie

On 28 February 2010, at 16:02, Cudbard-Bell, Arran wrote:

 Do you get a blank page when you try and submit changes? I keep getting that, 
 hitting refresh seems to push them through.

Yes I get a blank page, but several refreshes still does not make a change.  


 
 From: freeradius-users-bounces+arran.cudbard-bell=hp@lists.freeradius.org 
 [freeradius-users-bounces+arran.cudbard-bell=hp@lists.freeradius.org] On 
 Behalf Of Alan DeKok [al...@deployingradius.com]
 Sent: Sunday, February 28, 2010 12:58 PM
 To: FreeRadius users mailing list
 Subject: Re: Wiki
 
 Doug Hardie wrote:
 A week ago I tried to update the wiki to correct an interpretation error 
 that was pointed out by one of the freeradius users.  I can log into the 
 wiki fine, but even though the save says the update was saved, it is not.  I 
 then posted the necessary change here and nothing has happened.  Has the 
 wiki become road kill?
 
  I hope not.  I'll take a look.
 
  We may need to move it to another system.
 
  Alan DeKok.


Re: modules instantiation

2010-02-22 Thread Doug Hardie

I tried to correct the wiki's description but was not able to do so.  I can log 
in fine and it says I can edit the file.  However, after making the changes 
save just gives a blank screen and the changes never appear in the text.

In the modules2 file change:

The xxx_instantiate module is called each time a new instance is started. 
Generally this module is used to establish the data for the instance that needs 
to be retained during the life of the instance. For example, reading the 
configuration variables. cf_section_parse(conf, data, module_config) is used to 
do this function.


to:

The xxx_instantiate module is called each time a new instance is started during 
the initial configuration process.  Generally this module is used to establish 
the data for the instance that needs to be retained during the life of the 
instance.  For example, reading the configuration variables.  
cf_section_parse(conf, data, module_config) is used to do this function.  Note 
that the instantiate module is not called each time a new instantiation of the 
module is started during run time.  The data established during the instantiate 
module is available to all instantiations during run time.   If you need to 
store data that is associated with a particular *request*, and is valid only 
for the lifetime of a request, see request_data_add(), and request_data_get().


Re: modules instantiation

2010-02-19 Thread Doug Hardie

On 19 February 2010, at 15:24, Latha Krishnamurthi wrote:
 
 I am using the free radius 2.1.3. I have a module rlm_xxx and have 
 initialized it as thread safe. I have configured the start_servers as 3. The 
 issue I am having is as follows.
  
 I see that a new instance is getting created when the first one is busy 
 handling a request. (I do this this by adding a sleep in the module and 
 printing the threadid) I am expecting the xxx_instantiate function to get 
 called each time a new instance is created (reading in the documentation). 
 This does not happen. I am actually connecting to a server in the instantiate 
 function and storing the socket id in the *instance, so that I can use it 
 later in the authenticate etc.
  
 But it seems that the socket id is the same for all the instances. *instance 
 seems to be shared by all the instances ??
  
 Am I missing something/configuration, your help is greatly appreciated.

I believe this is an issue of terminology.  Instantiation in this case refers 
to the configuration process prior to the start of the server accepting Radius 
requests.  It does not refer to instantiation of new threads.  I am not aware 
of any hook you can use for instantiation of new threads.  In one of the older 
version rlm_example files is the following comment:

 *  If the module needs to temporarily modify it's instantiation
 *  data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
 *  The server will then take care of ensuring that the module
 *  is single-threaded.





Re: modules instantiation

2010-02-19 Thread Doug Hardie

On 19 February 2010, at 17:35, Latha Krishnamurthi wrote:

 Thank you very much for your prompt reply. I was referring to this 
 documentation.
  
 http://wiki.freeradius.org/Modules2
 The xxx_instantiate module is called each time a new instance is started. 
 Generally this module is used to establish the data for the instance that 
 needs to be retained during the life of the instance. For example, 
 reading the configuration variables. cf_section_parse(conf, data, 
 module_config) is used to do this function.
  
 Setup struct rlm_xxx_t to hold data that needs to be accessed by all 
 instances of the rlm. This data is not necessarily the same for each 
 instance. There is a separate copy for each instance. For example, this 
 is the place to store configuration variables that will be provided in 
 FreeRADIUS.conf.

Well, it sure seemed clear when I wrote it, but now I tend to agree that it's a 
bit misleading.  Those words were lifted from the original version 1 document 
and perhaps something changed with version 2, but I don't recall any such 
changes.  In any case, it does need a revision.  

  
 It is described like I can have the module specific data in the instance and 
 use it in the life time of the instance.
  
 So if I need to use a unique socket connection for each thread, I have no 
 place to store the instance specific data ? I need to have a global pool and 
 lock it with mutex ?? (looks like rlm_ldap does something similar ?)

Alan responded with something I was not aware of.  I suspect that's the way you 
need to go.

  
 Thanks in advance
 LK
  
 --- On Fri, 2/19/10, Doug Hardie bc...@lafn.org wrote:
 
 From: Doug Hardie bc...@lafn.org
 Subject: Re: modules instantiation
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Date: Friday, February 19, 2010, 3:49 PM
 
 
 On 19 February 2010, at 15:24, Latha Krishnamurthi wrote:
  
  I am using the free radius 2.1.3. I have a module rlm_xxx and have 
  initialized it as thread safe. I have configured the start_servers as 3. 
  The issue I am having is as follows.
   
  I see that a new instance is getting created when the first one is busy 
  handling a request. (I do this this by adding a sleep in the module and 
  printing the threadid) I am expecting the xxx_instantiate function to get 
  called each time a new instance is created (reading in the documentation). 
  This does not happen. I am actually connecting to a server in the 
  instantiate function and storing the socket id in the *instance, so that I 
  can use it later in the authenticate etc.
   
  But it seems that the socket id is the same for all the instances. 
  *instance seems to be shared by all the instances ??
   
  Am I missing something/configuration, your help is greatly appreciated.
 
 I believe this is an issue of terminology.  Instantiation in this case refers 
 to the configuration process prior to the start of the server accepting 
 Radius requests.  It does not refer to instantiation of new threads.  I am 
 not aware of any hook you can use for instantiation of new threads.  In one of 
 the older version rlm_example files is the following comment:
 
 *  If the module needs to temporarily modify it's instantiation
 *  data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
 *  The server will then take care of ensuring that the module
 *  is single-threaded.
 
 
 
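The approach raised in the question above (a shared pool of connections locked with a mutex, because the instance data is built once and shared by all threads), as an added C example; it is not code from the thread, from rlm_ldap or from FreeRADIUS. The type and function names are hypothetical, the socket numbers are constructed, and nothing here calls the FreeRADIUS module API.

```c
#include <pthread.h>
#include <sched.h>
#include <stdio.h>

#define POOL_SIZE 3
#define THREADS 4
#define REQUESTS_PER_THREAD 10000

typedef struct conn {
    int sockfd;    /* placeholder for a connected socket */
    int in_use;    /* guarded by rlm_xxx_t.lock */
    long served;   /* touched only by the thread that holds the connection */
} conn_t;

/* Hypothetical instance data: filled once at configuration time, then
 * shared by every thread that runs the module. */
typedef struct rlm_xxx_t {
    pthread_mutex_t lock;
    conn_t pool[POOL_SIZE];
} rlm_xxx_t;

/* What the instantiate step would do: open every connection up front. */
int pool_init(rlm_xxx_t *inst)
{
    if (pthread_mutex_init(&inst->lock, NULL) != 0)
        return -1;
    for (int i = 0; i < POOL_SIZE; i++) {
        inst->pool[i].sockfd = 100 + i;   /* constructed value, no real connect() */
        inst->pool[i].in_use = 0;
        inst->pool[i].served = 0;
    }
    return 0;
}

/* Borrow a free connection, or return NULL when all of them are busy. */
conn_t *pool_acquire(rlm_xxx_t *inst)
{
    conn_t *found = NULL;

    pthread_mutex_lock(&inst->lock);
    for (int i = 0; i < POOL_SIZE && found == NULL; i++) {
        if (!inst->pool[i].in_use) {
            inst->pool[i].in_use = 1;
            found = &inst->pool[i];
        }
    }
    pthread_mutex_unlock(&inst->lock);
    return found;
}

void pool_release(rlm_xxx_t *inst, conn_t *c)
{
    pthread_mutex_lock(&inst->lock);
    c->in_use = 0;
    pthread_mutex_unlock(&inst->lock);
}

/* One request-handling thread: borrow, use, return. */
static void *worker(void *arg)
{
    rlm_xxx_t *inst = arg;

    for (int i = 0; i < REQUESTS_PER_THREAD; i++) {
        conn_t *c;
        while ((c = pool_acquire(inst)) == NULL)
            sched_yield();      /* pool exhausted: wait for a release */
        c->served++;            /* no lock needed: this thread owns c */
        pool_release(inst, c);
    }
    return NULL;
}

/* Run THREADS workers on one shared instance; return requests served. */
long run_pool_demo(void)
{
    rlm_xxx_t inst;
    pthread_t tid[THREADS];
    int started = 0;
    long total = 0;

    if (pool_init(&inst) != 0)
        return -1;
    while (started < THREADS &&
           pthread_create(&tid[started], NULL, worker, &inst) == 0)
        started++;
    for (int i = 0; i < started; i++)
        pthread_join(tid[i], NULL);
    for (int i = 0; i < POOL_SIZE; i++)
        total += inst.pool[i].served;
    pthread_mutex_destroy(&inst.lock);
    return started == THREADS ? total : -1;
}

int main(void)
{
    printf("requests served: %ld of %d\n", run_pool_demo(), THREADS * REQUESTS_PER_THREAD);
    return 0;
}
```

Because each connection is owned by exactly one thread between acquire and release, the unlocked `served++` loses no updates; a single socket stored directly in the shared instance would not have that property.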


Re: custom module not found

2009-09-18 Thread Doug Hardie


On 18 September 2009, at 13:32, James Devine wrote:


I have a custom module that I am having problems getting loaded.  It
works fine on a freebsd machine, I just built 2.1.6 on an ubuntu
machine, which appears to put the modules in /usr/local/lib, so I
built the custom module and added it to /usr/local/lib and it cannot
find it:

Fri Sep 18 14:15:30 2009 : Error:
/usr/local/etc/raddb/modules/gwis[11]: Failed to link to module
'rlm_gwis': file not found

rlm_gwis-2.1.6.so and rlm_gwis.so exist in /usr/local/lib and I have
set libdir = /usr/local/lib/ in radiusd.conf, any idea how to find out
where it is trying to find that file?


I believe radiusd -X will tell you the prefix it's looking for.  If  
not, then run ktrace on that.



Re: invoke userdefine module

2009-08-24 Thread Doug Hardie

See http://wiki.freeradius.org/Modules2


On 23 August 2009, at 23:45, shivashankar wrote:



hi,

i installed freeradius2.1.6

i added one user define module ..

but i need to invoke this module..to test username and password.

could u plz let me know how to invoke that userdefine module

regardi's
shiva shankar



Re: freeradius2.1.6 module errors

2009-08-11 Thread Doug Hardie


On 11 August 2009, at 06:54, ramesh p wrote:


Am doing it correctly? Please suggest?


Obviously not since FreeRADIUS is telling you it doesn't understand  
the Acct-Type of Ignore.  I suspect the reason you are not getting a good answer  
is that I (for one) do not understand what you are trying to  
accomplish.  You use the term ignore which implies to me that you want  
FreeRADIUS to drop any non Stop packets and not respond at all.  That  
means that the NAS will continue to retry every one of those packets  
for some predetermined number of times wasting bandwidth.  I would  
recommend providing some details on what you want to accomplish and  
someone may be able to show you how to do that.




Thanks,
Rams.

  4. freeradius2.1.6 module errors (ramesh p)


--

Message: 4
Date: Tue, 11 Aug 2009 12:50:30 +0530
From: ramesh p rock786...@gmail.com
Subject: freeradius2.1.6 module errors
To: FreeRadius users mailing list
   freeradius-users@lists.freeradius.org
Message-ID:
   6b6aa6710908110020r50a6d15aked46497f07cda...@mail.gmail.com
Content-Type: text/plain; charset=iso-8859-1

Hi All,

I have placed a small module IGNORE to ignore packets other than Stop
type.

modified acct_users file as:

DEFAULT Acct-Status-Type == Tunnel-Stop, Acct-Type := IGNORE
DEFAULT Acct-Status-Type == Tunnel-Start, Acct-Type := IGNORE
DEFAULT Acct-Status-Type == Start, Acct-Type := IGNORE
DEFAULT Acct-Status-Type == Failed, Acct-Type := IGNORE
#DEFAULT Acct-Status-Type == Checkpoint, Acct-Type := IGNORE
DEFAULT Acct-Status-Type == Accounting-On, Acct-Type := IGNORE
DEFAULT Acct-Status-Type == Accounting-Off, Acct-Type := IGNORE
DEFAULT Acct-Status-Type == Tunnel-Reject, Acct-Type := IGNORE
DEFAULT Acct-Status-Type == Tunnel-Link-Start, Acct-Type := IGNORE
DEFAULT Acct-Status-Type == Tunnel-Link-Stop, Acct-Type := IGNORE
DEFAULT Acct-Status-Type == Tunnel-Link-Reject, Acct-Type := IGNORE


and added the following in accounting section of main configuration file :


Acct-Type IGNORE {

   ok

   }

The above configuration was working in 1.1.6 version. However getting
following error in 2.1.6 version.
Module: Instantiating files
 files {
   usersfile = /usr/local/fnmt/freeradius2//etc/raddb/users
   acctusersfile = /usr/local/fnmt/freeradius2//etc/raddb/acct_users
   preproxy_usersfile = /usr/local/fnmt/freeradius2//etc/raddb/preproxy_users
   compat = no
 }
/usr/local/fnmt/freeradius2//etc/raddb/acct_users[25]: Parse error (check) for entry DEFAULT: Unknown value IGNORE for attribute Acct-Type
Errors reading /usr/local/fnmt/freeradius2//etc/raddb/acct_users
/usr/local/fnmt/freeradius2//etc/raddb/modules/files[7]: Instantiation failed for module files

please help.

Thanks,
Rams.
Please help


End of Freeradius-Users Digest, Vol 52, Issue 54




Re: howto pstack running freeradius process

2009-07-24 Thread Doug Hardie


On 23 July 2009, at 22:53, George Chelidze wrote:


On Thu, 2009-07-23 at 22:27 -0700, Doug Hardie wrote:

On 23 July 2009, at 22:09, George Chelidze wrote:



On Thu, 2009-07-23 at 16:10 +0200, Alan DeKok wrote:

George Chelidze wrote:

Hello,

I am investigating one issue with freeradius 2.1.6 custom module and
would like to get a stack trace of running process.


This is a local OS issue.  It has nothing to do with FreeRADIUS.


Hello Alan,

I didn't say it's an issue with freeradius. I said it's an issue
with a
custom module and I am trying to find the reason that's why I asked
about stack trace.


The approach I use to debug a module is to compile it with gdb  (helps
to also compile freeradius with gdb).  Then run it under gdb with -X.
You can then set breakpoints or other gdb trace commands and then feed
it the input that causes the problem.


Hello Doug,

Thanks for reply. Unfortunately when I start freeradiusd with -X problem
is gone, it only exists when I start it in background, so I'd like to
attach to the running daemon and get the stack trace if possible.


That sounds like a threading issue.  Have you tried running it  
restricted to only one thread?  There is a parameter in the  
initialization data (RLM_TYPE_THREAD_UNSAFE) that will prevent it from  
being multi-threaded.  If that doesn't fail, you should have a better  
handle on the cause.



Re: howto pstack running freeradius process

2009-07-23 Thread Doug Hardie


On 23 July 2009, at 22:09, George Chelidze wrote:



On Thu, 2009-07-23 at 16:10 +0200, Alan DeKok wrote:

George Chelidze wrote:

Hello,

I am investigating one issue with freeradius 2.1.6 custom module and
would like to get a stack trace of running process.


 This is a local OS issue.  It has nothing to do with FreeRADIUS.


Hello Alan,

I didn't say it's an issue with freeradius. I said it's an issue with a
custom module and I am trying to find the reason that's why I asked
about stack trace.


The approach I use to debug a module is to compile it with gdb  (helps  
to also compile freeradius with gdb).  Then run it under gdb with -X.   
You can then set breakpoints or other gdb trace commands and then feed  
it the input that causes the problem.



Re: how to add new modules(like java) to freeradius

2009-07-19 Thread Doug Hardie

http://wiki.freeradius.org/Modules2


On 19 July 2009, at 22:25, shivashankar wrote:



hi all,


how to add new modules(like java) to freeradius2.1.6 with simple java module
..


plz help me out.
thax for advace




Re: 1.x to 2.x Upgrade Howto available?

2009-06-22 Thread Doug Hardie


On 22 June 2009, at 10:41, John Kane wrote:

Is there a 'howto' on upgrade from Freeradius 1.x to 2.x, one that lists
what configs were moved where, etc. that would allow a person to do the
upgrade as smoothly and quickly as possible (I can't seem to find one).


One place that really helped me with that is raddb/sites-available/README.
 


Re: rlm_exec wiki

2009-06-15 Thread Doug Hardie


On 15 June 2009, at 14:41, a.l.m.bu...@lboro.ac.uk wrote:


Hi,

(grin), but of course, if I want to write for the wiki, I'm going to have
to install the latest release, to be sure what I write is valid for the
most current context. Fortunately I have a test box for stuff like this.

:)


..but to mirror what you've been saying - why not support 1.x fully
on the wiki - there's plenty of 1.x installs out there and 1.x users
who are forced into such a situation - eg because their enforced
distro/repository policy means no building from source

it would be much better if there was a full delineation between
1.x and 2.x docs - the web is full of older resources that don't
say what version their tweaks and info is good for.


That's actually a good idea.  For example, during the initial
introduction period for 2.x, there was nothing in the wiki about  
writing your own modules for 2.x.  The existing page was only for  
1.x.  It didn't know about the existence of 2.x because it didn't  
exist when the page was written.  As a result, anyone who was trying  
to use 2.x in the early days and wanted to write their own modules  
would have failed horribly.  The 1.x instructions were not at all  
appropriate for 2.x.  Since I only use FreeRadius for authenticating a  
small number of dial-in users, I didn't need to convert at all.  1.x  
would have been just fine for me probably longer than I will have
dial-in users.  I only did the conversion to be able to rewrite the module
page for 2.x.  Now both of them are there.  However, by having 2  
editions of each page, the top page would become enormous and  
difficult to handle.  Making separate sections for each version would  
make it a lot easier for people during these transitions.  There seems  
to be no end to Alan's imagination for new features.  I expect a  
version 3.x in the near future.



Re: PAP password

2009-05-13 Thread Doug Hardie


On 13 May 2009, at 02:10, Ivan Kalik wrote:



On 12 May 2009, at 13:29, Doug Hardie wrote:


V 2.1.5.  I am having a problem with PAP not using the proper user
id.  If the user id is just a plain user_id then it works properly.
However, I have some realms setup that have prefixes and suffixes,
e.g., DUB+user_id@lafn.  PAP is trying to find the user_id
DUB+user_id@lafn rather than the stripped user id user_id and hence
it doesn't find a password for the user.  Everything works just fine
if I add Auth-Type := Accept to the users file, but that's not a great
way to run a railroad.  Obviously I missed something.

hints has:

DEFAULT Prefix == DUB+, Suffix == @lafn, Strip-User-Name = Yes
Hint = SlipStream


What have I missed?


I seem to have reached a dead end with this.  Version 1.x would strip
both the prefix and the suffix in Stripped-User-Name and then use that
to find the password.  Version 2.x will strip one or the other, but
not both.


Use this to strip prefix. Use realms module to strip suffix. suffix is
listed in default configuration. Just add your suffixes as local realms to
proxy.conf.


I'll have to give that a try.  I am a bit concerned because I need  
hints to generate different hints based on the presence of the  
suffix.  What I ended up tonight with is the following in hints:


DEFAULT User-Name =~ DUN[+]([...@]+)@*
  User-Name := %{1},
  Hint = NationalSS1

DEFAULT User-Name =~ dun[+]([...@]+)@*
  User-Name := %{1},
  Hint = NationalSS2


and so on.  This works but might be a bit kludgy.  At least we are  
authenticating again.  Thanks for the help.




Re: PAP password

2009-05-13 Thread Doug Hardie


On 13 May 2009, at 11:07, a.l.m.bu...@lboro.ac.uk wrote:


Hi,


DEFAULT User-Name =~ DUN[+]([...@]+)@*
 User-Name := %{1},
 Hint = NationalSS1

DEFAULT User-Name =~ dun[+]([...@]+)@*
 User-Name := %{1},
 Hint = NationalSS2


and so on.  This works but might be a bit kludgy.  At least we are
authenticating again.  Thanks for the help.


welcome to the wild world of regex.

suggest DUN\+([...@]+)@*


Tried that.  user name becomes +user id.  Had to put the brackets  
around the + to make it work.  Found that hint in man re_format.



PAP password

2009-05-12 Thread Doug Hardie
V 2.1.5.  I am having a problem with PAP not using the proper user
id.  If the user id is just a plain user_id then it works properly.
However, I have some realms setup that have prefixes and suffixes,
e.g., DUB+user_id@lafn.  PAP is trying to find the user_id
DUB+user_id@lafn rather than the stripped user id user_id and hence
it doesn't find a password for the user.  Everything works just fine
if I add Auth-Type := Accept to the users file, but that's not a great
way to run a railroad.  Obviously I missed something.


hints has:

DEFAULT Prefix == DUB+, Suffix == @lafn, Strip-User-Name = Yes
Hint = SlipStream


What have I missed?


Re: PAP password

2009-05-12 Thread Doug Hardie


On 12 May 2009, at 13:29, Doug Hardie wrote:

V 2.1.5.  I am having a problem with PAP not using the proper user
id.  If the user id is just a plain user_id then it works properly.
However, I have some realms setup that have prefixes and suffixes,
e.g., DUB+user_id@lafn.  PAP is trying to find the user_id
DUB+user_id@lafn rather than the stripped user id user_id and hence
it doesn't find a password for the user.  Everything works just fine
if I add Auth-Type := Accept to the users file, but that's not a great
way to run a railroad.  Obviously I missed something.


hints has:

DEFAULT Prefix == DUB+, Suffix == @lafn, Strip-User-Name = Yes
   Hint = SlipStream


What have I missed?


I seem to have reached a dead end with this.  Version 1.x would strip  
both the prefix and the suffix in Stripped-User-Name and then use that  
to find the password.  Version 2.x will strip one or the other, but  
not both.  From what I can see in presufcmp there appears to be no  
easy way to get it to strip both.  I have tried a number of kludges in  
hints to try and get that done.  None seem to work.  I am having to  
run a production server with Auth-Type := Accept to keep things up and  
running, but this is not really acceptable.


One kludge that appears might work is in paircmp.c at line 142 add:

for (len = 0; len < strlen(rest); len++)
    if (rest[len] == '@') rest[len] = '\0';

I believe that would work since when both a prefix and suffix are  
present the prefix is removed and the suffix remains.  All my suffixes  
have a @.



Re: PAP password

2009-05-12 Thread Doug Hardie


On 12 May 2009, at 20:28, Doug Hardie wrote:



On 12 May 2009, at 13:29, Doug Hardie wrote:

V 2.1.5.  I am having a problem with PAP not using the proper user
id.  If the user id is just a plain user_id then it works properly.
However, I have some realms setup that have prefixes and suffixes,
e.g., DUB+user_id@lafn.  PAP is trying to find the user_id
DUB+user_id@lafn rather than the stripped user id user_id and hence
it doesn't find a password for the user.  Everything works just fine
if I add Auth-Type := Accept to the users file, but that's not a great
way to run a railroad.  Obviously I missed something.


hints has:

DEFAULT Prefix == DUB+, Suffix == @lafn, Strip-User-Name = Yes
  Hint = SlipStream


What have I missed?


I seem to have reached a dead end with this.  Version 1.x would  
strip both the prefix and the suffix in Stripped-User-Name and then  
use that to find the password.  Version 2.x will strip one or the  
other, but not both.  From what I can see in presufcmp there appears  
to be no easy way to get it to strip both.  I have tried a number of  
kludges in hints to try and get that done.  None seem to work.  I am  
having to run a production server with Auth-Type := Accept to keep  
things up and running, but this is not really acceptable.


One kludge that appears might work is in paircmp.c at line 142 add:

for (len = 0; len < strlen(rest); len++)
    if (rest[len] == '@') rest[len] = '\0';

I believe that would work since when both a prefix and suffix are  
present the prefix is removed and the suffix remains.  All my  
suffixes have a @.


The above method works for Stripped-User-Name but authentication still
has DUB+user_id.  There is a most interesting worked example in the  
wiki that I adapted:


DEFAULT User-Name =~ DUB+([...@]+)@*
User-Name := %{1},
Hint = SlipStream

This almost works.  The authentication is done using  +user_id so  
the basic problem has a solution but the regex needs some help.  I  
don't need to retain the suffix or prefix but there are several  
different prefixes so I need to check for each separately.  I don't  
have a lot of experience with regex so it should be simple, but  
haven't found it yet.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
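
The `+user_id` result reported in the message above, and the `\+` versus `[+]` behaviour from the 13 May follow-up, reproduced with POSIX extended regular expressions (the syntax `man re_format` documents). This is an added example, not code from the thread or from FreeRADIUS; it assumes the character class the archive shows as `[...@]` was `[^@]`, and `capture_group1` and the sample names are hypothetical.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/*
 * Match a POSIX extended regex against a User-Name and copy capture
 * group 1 (the text %{1} would expand to) into out.
 * Returns 0 when the pattern matches and group 1 took part, -1 otherwise.
 */
static int capture_group1(const char *pattern, const char *user_name,
                          char *out, size_t out_len)
{
    regex_t re;
    regmatch_t m[2];
    int rc = -1;

    if (out_len == 0)
        return -1;
    out[0] = '\0';
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    if (regexec(&re, user_name, 2, m, 0) == 0 && m[1].rm_so >= 0) {
        size_t n = (size_t)(m[1].rm_eo - m[1].rm_so);
        if (n < out_len) {
            memcpy(out, user_name + m[1].rm_so, n);
            out[n] = '\0';
            rc = 0;
        }
    }
    regfree(&re);
    return rc;
}

int main(void)
{
    /* Constructed sample inputs, modelled on the names used in the thread. */
    static const char *names[] = {
        "DUB+user_id@lafn",   /* prefix and suffix present */
        "xDUB+user_id@lafn",  /* prefix not at the start of the name */
        "user_id",            /* plain user id */
    };
    static const struct { const char *label; const char *pattern; } cases[] = {
        /* "B+" is "one or more B", so the literal '+' ends up in group 1 */
        { "bare +   ", "DUB+([^@]+)@*" },
        /* a bracket expression makes '+' literal without any backslash */
        { "bracketed", "DUB[+]([^@]+)@*" },
        /* works only if the backslash actually reaches regcomp() */
        { "escaped  ", "DUB\\+([^@]+)@*" },
        /* anchored variant: the prefix must start the name */
        { "anchored ", "^DUB[+]([^@]+)(@.*)?$" },
    };
    char buf[64];
    size_t i, j;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        for (j = 0; j < sizeof names / sizeof names[0]; j++) {
            int rc = capture_group1(cases[i].pattern, names[j], buf, sizeof buf);
            printf("%s  %-20s -> %s\n", cases[i].label, names[j],
                   rc == 0 ? buf : "(no match)");
        }
    }
    return 0;
}
```

The thread's `\+` attempt producing the same `+user id` result as the bare `+` is consistent with the backslash not reaching the regex compiler; that is an assumption, since the thread does not say why.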


Re: freeradius upgrade help

2009-04-30 Thread Doug Hardie


On 30 April 2009, at 06:21, Ivan Kalik wrote:


Appreciate if some one can please forward any docs/details about the
upgrade
from old freeradius version 1.1.6 to 2.1.4 in linux.



All the information is right there - in the configuration files. If parts
of radiusd.conf have been moved somewhere - there will be comments in
radiusd.conf explaining where. Same for sql.conf. And for user entries
that work for all protocols, examples are - in users file.

And have in mind - the less you change in the default configuration, the
greater the chance that it will work.


One document there that is not obvious is sites-available/README.   
That contains a wealth of information on the new architecture and how  
to do the conversion.  I found that the most helpful document.



Re: autostart script for FreeRADIUS

2009-03-29 Thread Doug Hardie


On Mar 29, 2009, at 18:16, Tseveendorj wrote:


Hello,

I installed FreeRADIUS 2.1.3 on FreeBSD 6.4. I want FreeRADIUS to
come up when the system is rebooting.



Did you add to /etc/rc.conf:

radiusd_enable=YES
radiusd_flags=-y

I am not sure about the flags for that version.  The -y is for version  
1.  But there may be some you need for version 2.  I haven't put it in  
production yet.




Re: autostart script for FreeRADIUS

2009-03-29 Thread Doug Hardie


On Mar 29, 2009, at 20:10, Tseveendorj wrote:


May be I got the problem why radiusd didn't come up.

I found following error in the radiusd.log

Fri Mar 27 20:09:43 2009 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Fri Mar 27 20:09:43 2009 : Info: rlm_sql (sql): Attempting to connect to r...@localhost:/billing
Fri Mar 27 20:09:43 2009 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Fri Mar 27 20:09:43 2009 : Error: rlm_sql_mysql: Couldn't connect socket to MySQL server r...@localhost:billing
Fri Mar 27 20:09:43 2009 : Error: rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)'
Fri Mar 27 20:09:43 2009 : Error: rlm_sql (sql): Failed to connect DB handle #0
Fri Mar 27 20:09:43 2009 : Info: rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
Fri Mar 27 20:09:43 2009 : Error: Failed to load clients from SQL.
Fri Mar 27 20:09:43 2009 : Error: /usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module sql
Fri Mar 27 20:09:43 2009 : Error: /usr/local/etc/raddb/sites-enabled/default[149]: Failed to find module sql.
Fri Mar 27 20:09:43 2009 : Error: /usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
Fri Mar 27 20:09:43 2009 : Error: Errors initializing modules

In my config FreeRADIUS must work with MySQL but from the log  
freeradius couldn't connect to mysql server.

I thought that is problem. isn't it ?



There lies the problem.  It would appear that MySQL is not running
when FreeRADIUS starts.  Check through the messages log to see what
the startup order is.  I suspect it's backwards.




Re: Conversion to Version 2

2009-03-09 Thread Doug Hardie
I finally got a chance to try to update the Wiki again.  It worked  
fine today.  Anyway, there are now instructions for creating modules  
for both Version 1 and Version 2. 
 


Re: Conversion to Version 2

2009-03-02 Thread Doug Hardie

I am unable to update the Wiki.  It says I am blocked by aland.


Re: Conversion to Version 2

2009-02-28 Thread Doug Hardie


On Feb 27, 2009, at 21:34, Alan DeKok wrote:


Doug Hardie wrote:

Thanks.  Those are pretty obtuse comments.  I finally figured out by
trial and error you have to create those two sections as they are not in
the file.


 No.


From raddb/sites-available/README:

  The virtual servers do NOT have to be set up with the
sites-available and sites-enabled directories.  You can still have
one radiusd.conf file, and put the server configuration there:




 The contents that *used* to be in radiusd.conf are now in
raddb/sites-available/default.

 They were removed from radiusd.conf because (a) they were getting too
big, and (b) it enabled example files per virtual server.


Actually a good idea.  It's just not obvious.  The previously mentioned
README is very helpful.  I think it's in the wrong place.  It should be
in raddb where it's easier to find.  Perhaps there should also be an
UPDATING file that points to it.  The new structure needs a road map  
because things are quite difficult to find until you really understand  
the structure.


I now have one module completely working and the other one most  
probably working.  I don't have the complete environment on the test  
machine yet so it won't do everything yet.  I hope to start updating  
the WIKI on Monday.  My initial approach is to retain the existing  
module page but identify it as Version 1 and create a new one that is  
for Version 2.  One significant change that took me quite a while to
figure out was that the request arguments are addressed differently.
You have to be careful in using the proper pointer for the data type.
However, anything with an IPv4 address, e.g. Framed-IP-Address, is
handled quite differently.  Version 1 would give you a string  
(10.0.1.1) whereas Version 2 gives you the binary version as 4  
bytes.  I haven't checked all the other data types for changes like  
that.  The other ones I use maintained the same format.




Re: Conversion to Version 2

2009-02-27 Thread Doug Hardie
I finally figured out how to compile the module.  It's actually quite
simple once you figure out the new structure.  The problem I still  
have is how to incorporate that into the new conf file.  There used to  
be authorize and accounting sections that listed the modules.  I can't  
find where that has been placed in the new structure.



Re: Conversion to Version 2

2009-02-27 Thread Doug Hardie


On Feb 27, 2009, at 16:05, t...@kalik.net wrote:


I finally figured out how to compile the module.  It's actually quite
simple once you figure out the new structure.  The problem I still
have is how to incorporate that into the new conf file.  There used to
be authorize and accounting sections that listed the modules.  I can't
find where that has been placed in the new structure.


Read the comments near the end of the radiusd.conf file (where those
sections used to be).


Thanks.  Those are pretty obtuse comments.  I finally figured out by  
trial and error you have to create those two sections as they are not  
in the file. 
 


Re: Conversion to Version 2

2009-02-26 Thread Doug Hardie


On Oct 6, 2008, at 02:22, Alan DeKok wrote:


Doug Hardie wrote:

That's not that big a deal as for the basic stuff, the code is quite
straight forward.  However, the bigger issue is for modules.  The wiki
page is still completely oriented towards version 1 as I have never
tried version 2.  What has to be changed with modules to use them with
version 2?


 A fair bit.  But much of it should be simple renaming of functions.  A
lot of librad_* names have moved to fr_*, etc.  The main module
structure has changed a little.

 But the basic functioning of the module is pretty much the same.
There are still authorize, etc. functions which take the same arguments.



I suspect that the wiki page will quickly lose its value
otherwise.


 Feel free to update the Wiki.


Is there still a way to compile the module away from the freeradius  
source structure like there was for version 1?



Re: Conversion to Version 2

2009-02-26 Thread Doug Hardie


On Feb 26, 2009, at 21:52, Alan DeKok wrote:


Doug Hardie wrote:

Is there still a way to compile the module away from the freeradius
source structure like there was for version 1?


 That was difficult to do in version 1.  It should be a lot easier now,
as all of the include files have been cleaned up and regularized.




Are there any worked examples?  I have not figured out how to get it
done yet.



Re: Conversion to Version 2

2008-10-06 Thread Doug Hardie


On Oct 6, 2008, at 01:07, [EMAIL PROTECTED] wrote:


Hi,


No question about that.  I read about all the new authentication
features and it's amazing how anyone can keep up with all that stuff.
However, if converting my modules is going to be a big deal, I don't see
any real advantage.


if 'it works for me, i can't see why I should upgrade' is your viewpoint,
then fair enough. keep with 1.x  - but don't expect support for
it on this list for much longer ; *that* is the gotcha.


That's not that big a deal as for the basic stuff, the code is quite
straight forward.  However, the bigger issue is for modules.  The wiki  
page is still completely oriented towards version 1 as I have never  
tried version 2.  What has to be changed with modules to use them with  
version 2?  I suspect that the wiki page will quickly lose its value  
otherwise.



Conversion to Version 2

2008-10-05 Thread Doug Hardie
I have been using FreeRadius 1.x for a number of years.  It has worked  
just fine.  All I am using it for is to authenticate and authorize  
dial-in users (it's about as simple as you can get).  The only unusual
item is I have a couple of fairly complex modules for authorization  
and accounting.  The question is should I bother to upgrade to 2.x.  I  
don't have a need for any of the new features it provides.  I don't  
even use most of the features in 1.x.  My largest concern is the  
modules.  I don't recall seeing anything here about what changes would  
be required for them other than I believe they have to be compiled  
with the server.  Currently the modules are compiled separately and  
placed in /usr/local/lib and everything just works.



Re: Conversion to Version 2

2008-10-05 Thread Doug Hardie


On Oct 5, 2008, at 13:27, [EMAIL PROTECTED] wrote:


Hi,

I have been using FreeRadius 1.x for a number of years.  It has worked
just fine.  All I am using it for is to authenticate and authorize
dial-in users (it's about as simple as you can get).  The only unusual
item is I have a couple of fairly complex modules for authorization and
accounting.  The question is should I bother to upgrade to 2.x.  I don't
have a need for any of the new features it provides.  I don't even use
most of the features in 1.x.  My largest concern is the modules.  I don't
recall seeing anything here about what changes would be required for them
other than I believe they have to be compiled with the server.  Currently
the modules are compiled separately and placed in /usr/local/lib and
everything just works.


in your case, reasons would be, stability,


I have never had a stability issue with FreeRadius - it just works  
without any attention from me.



speed,


Perhaps, but with about 10-20 authentication requests per hour that's
not much of an issue.



bug fixes,


Don't seem to have seen any bugs with the portions I use.



new server statistics access (SNMP and radmin tool),


I have all the stats I need (not much but with just dial-in there is  
no need for much).



easy debugging
of single users or NAS etc.


Possibly, but never had a need for that - it just works.


the new version provides all of this
for you - and more for others due to its extensibility.


No question about that.  I read about all the new authentication  
features and it's amazing how anyone can keep up with all that stuff.
However, if converting my modules is going to be a big deal, I don't  
see any real advantage.





alan


Re: rlm_exec use

2008-03-19 Thread Doug Hardie


On Mar 19, 2008, at 11:34, T Kid82 wrote:

You have put significant effort into butchering the default
configuration.  Why?

I got this from the comments in exec-program-wait (which has been
deprecated) where it explains how to use rlm_exec. It says,

An entry for the module 'rlm_exec' must be added to the file
'radiusd.conf' with the path of the script.

authorize {
...
exec
...
}

I also added

exec {
   program = /usr/local/etc/raddb/authenticate
   wait = yes
   input_pairs = request
   output_pairs = reply
}

to my radiusd.conf which is also from the comments in exec-program-wait




Why would this let all users through?

I thought that since I am always returning 3 to the server, that this
would let all users pass through.


you didn't set Auth-Type

Where do I set the Auth-Type. Can you provide a sample code snippet on
how to do this? Or perhaps a link to the doc.

If you think this isn't necessary, then you need to spend more time  
understanding how the server works.

I dont know either way. Thats why I decided to mail the list. I have
looked through quite a bit of documentation but I didnt find much on
this particular module



It's not obvious what you are really trying to accomplish.  However, I
suspect you would like to use your own special criteria for
determining if access should be permitted.  rlm_exec is a very
inefficient way to do that.  You can make it work, but it will require
extensive forks and perform rather poorly.  rlm_perl works a whole lot  
better.  However, if you are really concerned about performance, you  
should consider rolling your own module.  There is an example of how  
to do that in the wiki.  That will give you the best performance as  
you will not incur the perl overhead either.


There is a really big difference between authorization and  
authentication modules.  Creating an authorization module is probably  
all you need to do.  Authentication modules require much more than  
just including them in the list of authentication modules.  I  
understand that you also might have to modify the base radiusd code  
for them in addition to creating a module that requires some very  
special structuring.  Freeradius separates the concepts of  
authentication from authorization to relieve you of the details of  
some of the very complex authentication schemes.  Generally all you  
need to deal with is authorization.  If you use the default  
authentication setup, radiusd will figure out which method to use and  
take care of it.


If you are going to make major mods to the configuration, you will  
need to start reading the source code.  There just isn't that much  
documented beyond that.



Re: Debugging RLM modules

2008-02-02 Thread Doug Hardie


On Feb 2, 2008, at 01:14, Alan DeKok wrote:


Ali Majdzadeh wrote:

Is there any way to debug an RLM module using gdb?


 Yes.  The modules are just shared libraries.  See the gdb manual for
how to deal with shared libraries.


Some additional info may be helpful.  You can attach to a running  
radiusd with gdb and the -i option and set breakpoints for the module  
you want to debug.  However, if this is an operational server you will  
quickly get into big issues.  You really ought to get either another  
instance running or use a test server and start it with gdb -i radiusd  
-X. Then set your breakpoints and run the test.



Re: [newbie] radutmp question

2007-09-23 Thread Doug Hardie


On Sep 23, 2007, at 11:23, Cheng-Lin Yang wrote:


Hi all,
I have encountered a problem with radutmp. The information of my
environment is a vpn service and auth with freeradius 1.1.7. The
problem happened as below:

1. start up the radiusd
2. user abc connect to vpn, and I can use radwho to see abc user
3. shutdown radiusd
4. user disconnect from vpn server (radiusd not start yet)
5. start up radiusd, and radwho still shows abc is connected

Is there any way to solve this problem? any suggestion is extremely
welcomed. Thank you. :)



Delete step 3.  radiusd can only receive requests when it is running.


Re: Authorization in RADIUS, Authorization in freeradius

2007-09-02 Thread Doug Hardie


On Sep 2, 2007, at 08:52, George Beitis wrote:


 Do
you know of any products that can be used with freeradius to provide
such authorization facilities?  Using perhaps policies?


I have a number of authorization policies implemented using  
FreeRadius.  I have a module that implements those policy decisions  
based on the attributes that are sent with the request.  I believe  
the authorization decision is made after the authentication check,  
but not sure about that.  A check of the debug output would show that  
clearly.  However, either way would work for me.  Both authentication  
and authorization have to pass or the request is denied.  Generally I  
get more authorization failures than authentication failures.   
However, when a user's dialer corrupts the password, there will be a  
long string of authentication failures as they just keep trying the  
same thing over and over again.  Most of them don't bother to read  
the returned message.  After a week or so they will contact us.



Re: conflict with other services?

2007-07-20 Thread Doug Hardie

On Jul 20, 2007, at 12:55, Hugh Messenger wrote:

 If it makes any difference, I run radiusd in –X mode, because it  
 crashes when running as a service (valgrind showed Bad Things  
 happening).


While that may not be all of the issues, debug mode uses a lot of  
disk I/O.  You might be getting delays accessing mail files from  
this.  You need to figure out why it doesn't run as a service.  I  
have been using it in service mode for years with no problems.


Re: Build a custom module

2007-07-04 Thread Doug Hardie

On Jul 4, 2007, at 00:15, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 I use the makefile from the wiki, it includes -DNDEBUG.
 If I build freeradius and install on a fresh netinst Debian  
 (without freeradius),
 my module works fine. But if I build only the module and use with a  
 preinstalled
 freeradius, I get a segfault.


You may need to remove that define then.  It has to be the same way  
the base system was built.


Re: Build a custom module

2007-07-03 Thread Doug Hardie

On Jul 3, 2007, at 07:25, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Hello!

 I am developing a custom module for Debian 4.0 with preinstalled  
 FreeRADIUS 1.1.3,
 but if I build and install my module I get a segmentation fault.
 Is there a way to build a custom module, and use it with a  
 preinstalled FreeRADIUS?

You may need to include -DNDEBUG in the Makefile depending on how the  
base system was built.  Having that set wrong will definitely cause a  
seg fault.  You also need the header files from that specific version  
as later versions have made significant changes to some of the  
structures.  The method I use to build modules is shown in the Wiki.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
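
One way a module built with a different -DNDEBUG setting than the server ends up with a seg fault, shown as an added example (not FreeRADIUS code and not from the thread). It assumes a hypothetical request header whose first member exists only in debug builds; every struct, macro and function name below is made up for illustration, and the `abi_stamp` check is an added safeguard the thread does not describe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical request header (not FreeRADIUS's own definition). Imagine one
 * declaration whose first member is wrapped in "#ifndef NDEBUG ... #endif";
 * both resulting layouts are written out so one program can compare them.
 */
struct request_debug {          /* as compiled without -DNDEBUG */
    uint32_t    magic;          /* debug-only sanity marker */
    const char *username;
    int         number;
};

struct request_ndebug {         /* as compiled with -DNDEBUG */
    const char *username;
    int         number;
};

#define REQUEST_MAGIC 0xdeadbeefu   /* constructed value */

/* Fill a request the way a server built without -DNDEBUG would. */
static void server_make_request(struct request_debug *req, const char *user)
{
    memset(req, 0, sizeof *req);    /* zero the padding so the demo is deterministic */
    req->magic = REQUEST_MAGIC;
    req->username = user;
    req->number = 1;
}

/* Load the pointer-sized value at an offset inside the request, which is
 * what a compiled "req->username" does with its baked-in offset. */
static const void *load_pointer_at(const void *req, size_t offset)
{
    const void *p = NULL;
    memcpy(&p, (const unsigned char *)req + offset, sizeof p);
    return p;
}

/* Username as seen by a module built the same way as the server. */
static const void *username_matched(const struct request_debug *req)
{
    return load_pointer_at(req, offsetof(struct request_debug, username));
}

/* Username as seen by a module built with -DNDEBUG against that server:
 * it reads the magic marker (and padding) and treats it as a pointer. */
static const void *username_mismatched(const struct request_debug *req)
{
    return load_pointer_at(req, offsetof(struct request_ndebug, username));
}

/* Added safeguard: each side records its view of the layout, and the
 * module refuses to run when the two views differ. */
struct abi_stamp { size_t size; size_t username_offset; };
#define ABI_STAMP(type) { sizeof(struct type), offsetof(struct type, username) }

static int abi_compatible(struct abi_stamp server, struct abi_stamp module)
{
    return server.size == module.size &&
           server.username_offset == module.username_offset;
}

int main(void)
{
    static const char user[] = "alice";   /* constructed sample value */
    struct request_debug req;
    struct abi_stamp server = ABI_STAMP(request_debug);
    struct abi_stamp module = ABI_STAMP(request_ndebug);

    server_make_request(&req, user);
    printf("real username pointer : %p\n", (void *)user);
    printf("matched module sees   : %p\n", (void *)username_matched(&req));
    printf("mismatched module sees: %p\n", (void *)username_mismatched(&req));
    printf("layouts compatible    : %s\n",
           abi_compatible(server, module) ? "yes" : "no, refuse to load");
    return 0;
}
```

Dereferencing the value the mismatched module loads is what produces the crash; the example only compares the pointers, so it runs safely.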


Re: Wiki

2007-05-28 Thread Doug Hardie
Done


On May 28, 2007, at 03:50, Arran Cudbard-Bell wrote:


 I was hoping for that type of page go in the Examples section.
 Perhaps Cookbook might be a better name for the section.

 Ok, would you mind changing the section name?  Then I'll start adding a
 few recipes.


Re: Wiki

2007-05-27 Thread Doug Hardie

On May 27, 2007, at 02:49, Arran Cudbard-Bell wrote:

 Alan Dekok wrote:
 Doug Hardie wrote:

 I should be done with the front page.  Some of the lower pages may
 need some tweaking.  The information is all there, but perhaps it
 could use some more explanation.  I'll need to think about that more
 later.


It looks very good, thanks.

Alan DeKok.


 Added SQL xlat section to SQL.

 Propose addition of Cookbook section ?

 I know you have the formal how to pages, but might be good to have an
 informal page describing how to get real world services running.

 FreeRadius and HP Procurve switch configuration.
 FreeRadius and HP Procurve wireless access points.
 FreeRadius and Janet Roaming Service / UKerna.

 There must be a wealth of knowledge out there about weird and wonderful
 NASes and services..

I was hoping for that type of page go in the Examples section.   
Perhaps Cookbook might be a better name for the section.



Re: FreeRadius crash

2007-05-25 Thread Doug Hardie

On May 25, 2007, at 01:24, Alan Dekok wrote:

 Doug Hardie wrote:
 I am completely unable to replicate this situation on my test
 system.  I can run thousands of requests via multiple radclients
 without any problems.  I can drive the test system to overload and
 other than responses slow down a bit, it just works properly.

 #0  0x2830a6e8 in ?? () from /usr/local/lib/rlm_lafn.so
 #1  0x2830b9c0 in lafn_authorize (instance=0x0, request=0x0) at
 rlm_lafn.c:543

   Umm... if you're using modules you wrote yourself, my guess would be
 that the problem lies in those modules.  You probably have accessed a
 pointer after it's freed, which corrupts memory.

   The standard server as shipped in 1.1.6 does *not* have this problem.

Nope.  All memory that is used is local.  Nothing is retained.  Only  
the authorize module is used.  Nothing is dynamically allocated in  
the module.


Re: FreeRadius crash

2007-05-25 Thread Doug Hardie

On May 25, 2007, at 01:24, Alan Dekok wrote:

 Doug Hardie wrote:
 I am completely unable to replicate this situation on my test
 system.  I can run thousands of requests via multiple radclients
 without any problems.  I can drive the test system to overload and
 other than responses slow down a bit, it just works properly.

 #0  0x2830a6e8 in ?? () from /usr/local/lib/rlm_lafn.so
 #1  0x2830b9c0 in lafn_authorize (instance=0x0, request=0x0) at
 rlm_lafn.c:543

   Umm... if you're using modules you wrote yourself, my guess would be
 that the problem lies in those modules.  You probably have accessed a
 pointer after it's freed, which corrupts memory.

   The standard server as shipped in 1.1.6 does *not* have this problem.

Should have pointed out that this module ran for over a year with  
1.1.2 and FreeBSD 5.3 without any problems.  Never once had a core dump.


Re: FreeRadius crash

2007-05-25 Thread Doug Hardie
I think I may have found the cause of my crashes.  One of the proxy  
servers or NASs is occasionally sending me an incorrectly formatted  
authentication request.  I have not been able to capture the entire  
packet yet but I did manage to log part of the last one just as the  
crash occurred and the part that was successfully flushed out of the  
buffers before the seg fault is definitely corrupt.  Because my  
secondary server only handles requests when the primary is down, I  
can set it to capture all the packets.  However, I am going to have  
to wait till I can upgrade its OS.  It's also our news server and
upgrading that is always a large pain.


Wiki

2007-05-24 Thread Doug Hardie
On Sun 20 May 2007, Doug Hardie wrote:
  I am having problems finding the way to get from the main Wiki page
  to the configuration information.  The pages are there.  When I
  search for something they are found.  I just can't figure out how you
  are supposed to link to them from the main page.  For example the
  modules page does eventually link back to the main page, but I can't
  figure out how to go from the main page to it.

It's all a bit ad hoc at present. As it's a wiki, you are welcome to assist
with indexing of the information :-)


Who do I need to contact on this?  The main page (at least) is locked
to prevent updates.


Re: FreeRadius crash

2007-05-22 Thread Doug Hardie

On May 8, 2007, at 00:49, Alan DeKok wrote:

 Doug Hardie wrote:
 FreeRadius 1.1.2 on FreeBSD 6.1 using libpthread.

   Upgrade to 1.1.6.  It has a lot of fixes that may help.

   It looks like it's crashing when starting a new child thread.  That
 may be a pthread issue in the underlying libraries.

The saga continues.  Digging around through the core dumps I noticed
that often one of my modules was active in another thread and always
at a fprintf statement.  I wondered if perhaps FreeBSD's fprintf
statement was not always thread safe so I removed all of them.  Not
the problem.  Now it's dying on a simple assignment statement.
However, that's obvious when you see the arguments to the authorize
function:  Both zeros.  I didn't think that was supposed to happen.
None of the included modules check for that condition.  Is this what's
causing my problem or is it the result of the thread that is not able
to get started properly?  I suspect the latter since the prior
stack is corrupt.  I am tempted to put a check for that right at the
beginning of the authorize function and just return if it happens.
Good idea?

I am completely unable to replicate this situation on my test  
system.  I can run thousands of requests via multiple radclients  
without any problems.  I can drive the test system to overload and  
other than responses slow down a bit, it just works properly.

#0  0x2830a6e8 in ?? () from /usr/local/lib/rlm_lafn.so
#1  0x2830b9c0 in lafn_authorize (instance=0x0, request=0x0) at rlm_lafn.c:543
Previous frame inner to this frame (corrupt stack?)



Re: Wiki

2007-05-21 Thread Doug Hardie

On May 21, 2007, at 00:23, Alan Dekok wrote:

 Doug Hardie wrote:
 I would be glad to.  Is there a plan?  Is there a listing of the
 various pages?  I couldn't find either.

   There's no plan.  There's no listing of various pages, unfortunately.

Well, then I can't botch it up too bad.  I expect to get started  
later this afternoon.


   I suggest looking at:

 http://wiki.freeradius.org/Special:Deadendpages

 http://wiki.freeradius.org/Special:Lonelypages

 http://wiki.freeradius.org/Special:Newpages

   The last one lets you list 500 recently created pages.  That's a good
 start to a definitive list.


Wiki

2007-05-20 Thread Doug Hardie
I am having problems finding the way to get from the main Wiki page  
to the configuration information.  The pages are there.  When I  
search for something they are found.  I just can't figure out how you  
are supposed to link to them from the main page.  For example the  
modules page does eventually link back to the main page, but I can't  
figure out how to go from the main page to it.


Re: Wiki

2007-05-20 Thread Doug Hardie

On May 20, 2007, at 16:56, Peter Nixon wrote:

 On Sun 20 May 2007, Doug Hardie wrote:
 I am having problems finding the way to get from the main Wiki page
 to the configuration information.  The pages are there.  When I
 search for something they are found.  I just can't figure out how you
 are supposed to link to them from the main page.  For example the
 modules page does eventually link back to the main page, but I can't
 figure out how to go from the main page to it.

 It's all a bit ad hoc at present. As it's a wiki, you are welcome to assist
 with indexing of the information :-)

I would be glad to.  Is there a plan?  Is there a listing of the  
various pages?  I couldn't find either.


Re: FreeRadius crash

2007-05-19 Thread Doug Hardie

On May 8, 2007, at 00:49, Alan DeKok wrote:

 Doug Hardie wrote:
 FreeRadius 1.1.2 on FreeBSD 6.1 using libpthread.

   Upgrade to 1.1.6.  It has a lot of fixes that may help.

   It looks like it's crashing when starting a new child thread.  That
 may be a pthread issue in the underlying libraries.

Upgraded to the latest of everything.  Same problem except that it  
only took about an hour before the first crash.
Any ideas how to figure out what is going on?  Or at least to find  
the request that is in process when the crash occurs?


Re: FreeRadius crash

2007-05-19 Thread Doug Hardie

On May 19, 2007, at 16:34, David Wood wrote:

 Hi Doug and everyone,

 In message [EMAIL PROTECTED], Doug Hardie [EMAIL PROTECTED] writes

 On May 8, 2007, at 00:49, Alan DeKok wrote:

 Doug Hardie wrote:
 FreeRadius 1.1.2 on FreeBSD 6.1 using libpthread.

   Upgrade to 1.1.6.  It has a lot of fixes that may help.

   It looks like it's crashing when starting a new child thread.  That
 may be a pthread issue in the underlying libraries.

 Upgraded to the latest of everything.

 Including the OS? FreeBSD is up to 6.2-RELEASE(-p4) now. FWIW, I didn't
 find going from 6.1 to 6.2 that painful - though there's always the risk
 of something going wrong.

 Same problem except that it
 only took about an hour before the first crash.
 Any ideas how to figure out what is going on?  Or at least to find
 the request that is in process when the crash occurs?

 Can I ask - especially as I'm the maintainer of the FreeBSD FreeRADIUS
 port - are you using the port or not? I've put in a lot of effort to
 tidy up the port over the last few versions, and I believe it is now a
 good quality and easily maintainable port, despite it missing one or two
 features I'd like to add when I get the time.

 Most notably, I've done away with unnecessary or irrelevant patches (in
 fact, the only patch that remains is to do with FreeBSD 4.x and will
 probably be ripped out soon).


 As an aside, I hope to create a 2.0.0-pre1 port soon - though I've been
 away and very busy, and there's still a ports freeze in place with the
 ongoing work to switch FreeBSD to XOrg 7.2. I don't know whether testing
 with 2.0.0-pre1 is of interest to you, but I intend to try running
 2.0.0-pre1 on my site as soon as possible for testing purposes.


 Hopefully someone can give you some debugging advice, and we can figure
 out whether this is a FreeRADIUS or FreeBSD problem. I doubt that the
 port itself is to blame, as apart from the aforementioned source patch
 (which just adds a single #include line to one file), and some
 patching to the build system to change the install location of raddb,
 the port simply wraps the contents of the tarball from the FreeRADIUS
 project.

I am using the port as of about a week ago.

One thing I just noticed.  The following is in radiusd.conf:

thread pool {
 start_servers = 5
 max_servers = 32
 min_spare_servers = 3
 max_spare_servers = 10
 max_requests_per_server = 0
}

However, ps -H shows only 3 active threads.  I would have expected
more.  But perhaps it's idle right now.  I think 8 threads is the most
I have ever seen.  The last crash was trying to start the 8th
thread.  Perhaps upping min_spare_servers above 8 would help.



Re: FreeRadius crash

2007-05-19 Thread Doug Hardie

On May 19, 2007, at 17:27, Doug Hardie wrote:


 One thing I just noticed.  The following is in radiusd.conf:

 thread pool {
  start_servers = 5
  max_servers = 32
  min_spare_servers = 3
  max_spare_servers = 10
  max_requests_per_server = 0
 }

 However, ps -H shows only 3 active threads.  I would have expected
 more.  But perhaps it's idle right now.  I think 8 threads is the most
 I have ever seen.  The last crash was trying to start the 8th
 thread.  Perhaps upping min_spare_servers above 8 would help.

Nope.  Just tried the following:

thread pool {
 start_servers = 5
 max_servers = 32
 min_spare_servers = 10
 max_spare_servers = 20
 max_requests_per_server = 0
}

and the number of threads after several hours is still 3.


Re: FreeRadius crash

2007-05-11 Thread Doug Hardie

On May 8, 2007, at 00:49, Alan DeKok wrote:

 Doug Hardie wrote:
 FreeRadius 1.1.2 on FreeBSD 6.1 using libpthread.

   Upgrade to 1.1.6.  It has a lot of fixes that may help.

   It looks like it's crashing when starting a new child thread.  That
 may be a pthread issue in the underlying libraries.

Well, both the primary and backup machines crashed again today at the
same time.  It's not the FreeRadius changes that will fix it.  I will
be upgrading the OS in a few days.  There appear to be some changes
to pthread library.  Will watch to see what happens after that.



Re: FreeRadius crash

2007-05-08 Thread Doug Hardie

On May 8, 2007, at 00:49, Alan DeKok wrote:

 Doug Hardie wrote:
 FreeRadius 1.1.2 on FreeBSD 6.1 using libpthread.

   Upgrade to 1.1.6.  It has a lot of fixes that may help.

   It looks like it's crashing when starting a new child thread.  That
 may be a pthread issue in the underlying libraries.

I upgraded the secondary server to 1.1.6.  We will see what happens  
the next time the primary crashes.  It will probably be about another  
week before then as they crashed early yesterday.  I expect though  
that the problem is in libpthread.


FreeRadius crash

2007-05-07 Thread Doug Hardie
I am encountering an infrequent problem where FreeRadius crashes  
about once a week on a fairly busy server.  I have a primary and  
secondary authentication server and just a primary accounting  
server.  Both the primary and secondary crash at the same time (well  
the secondary is about 30 seconds behind the primary).  Thus I know  
that it is an authentication request causing the problem.  However,  
using the authentication requests that occurred just prior to the  
crash I am unable to replicate the problem.  I have core dumps and  
have tried to find useful information on the cause but have not found  
anything.  The trace always shows:

(gdb) where
#0  0x280a94ab in pthread_testcancel () from /usr/lib/libpthread.so.2
#1  0x280a1e3c in pthread_mutexattr_init () from /usr/lib/libpthread.so.2
#2  0x2808b450 in ?? ()

FreeRadius 1.1.2 on FreeBSD 6.1 using libpthread.  I have tried using  
libthr but that crashed instantly on receipt of any request so I  
suspect that was not intended to work.  I am beginning to suspect  
that the problem may lie in libpthread.  Is there anything that can  
be retrieved from the core files that might help?  There are always  
several threads active at the time of the crash.


Re: Failed to link to module rlm_name : file not found

2007-03-26 Thread Doug Hardie

On Mar 26, 2007, at 19:35, lishuai zhao wrote:

 Hi, everyone:
 I added a new module named rlm_name to FreeRADIUS and produced
 makefile as rlm_example, also I add rlm_name to src/modules/stable.

 When I do ./configure; make; make install, all the process are successful.

 If I do not use module rlm_name, the radius server can run normally.
 But when I add rlm_name in the modules {} of radiusd.conf and run
 ./radiusd -X,
 it says
 Failed to link to module rlm_name : file not found.

 All the .la .lo and .a files generated can be found in /usr/local/lib.
 I have been searching mailing list for a long time, but every
 method is useless to me.

 Any one can help me?
 Thank you very much!

See the Wiki for a complete example on how to build a module.  You
can build it within FreeRADIUS, but there are a number of things you
have to do to make that work.  It's much easier to build it by itself
and then just add it into modules and it will be loaded and used.


Re: FreeRADIUS user Survey

2006-10-05 Thread Doug Hardie


On Oct 5, 2006, at 14:12, King, Michael wrote:


Still a 404

-Original Message-
From: [EMAIL PROTECTED]
[mailto:freeradius-users-bounces 
[EMAIL PROTECTED]

On Behalf Of Alan DeKok
Sent: Thursday, October 05, 2006 3:59 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS user Survey

Guilherme Franco [EMAIL PROTECTED] wrote:

Survey Not Found


  Whoops... the make active link didn't work.  I poked it again.

  Alan DeKok.


I just got it.  Worked fine this time.


Multiple prefixes and suffixes in hints

2006-09-09 Thread Doug Hardie
I don't see anything in the docs, but is it possible to have hints  
entries that distinguish between:


userid
xx+userid
[EMAIL PROTECTED]
[EMAIL PROTECTED]

Such that  a different hint is given for each of the above forms.

The first 3 are easy.  The last one is the issue.  I am guessing that  
an entry along the form of:


DEFAULT  Prefix == xx, Suffix== @yyy, Strip-User-name = Yes
Hint = 4th-form

would be used.


Proxy IP Address

2006-09-02 Thread Doug Hardie
I have a situation where all my authentication requests are proxied  
to me.  I have 4 different groups of users that require unique local  
policies and have been using a fairly complicated parsing of the
Called ID phone number and a couple other fields to figure out which  
group a request is in.  However, I just found out that each of the 4  
groups is being proxied through different proxy servers.  It would be  
real easy to distinguish the group from the IP address that the proxy  
request is being sent from.  However, I have not been able to find a  
variable that contains that information.  Have I missed it?


Re: Proxy IP Address

2006-09-02 Thread Doug Hardie


On Sep 2, 2006, at 11:44, Alan DeKok wrote:


Doug Hardie [EMAIL PROTECTED] wrote:

It would be
real easy to distinguish the group from the IP address that the proxy
request is being sent from.  However, I have not been able to find a
variable that contains that information.  Have I missed it?


  The proxies look like normal NASes to the server.  You can use
Client-IP-Address.


Thanks.




Re: Access to wiki?

2006-08-07 Thread Doug Hardie


On Aug 7, 2006, at 14:20, Peter Nixon wrote:


On Fri 04 Aug 2006 18:35, John Horne wrote:

Hello,

Is there a problem with the freeradius wiki
(http://wiki.freeradius.org)? I am trying to sort out a problem and came
across a reference to the wiki page. However my browser just sits there
when trying to access the page. I can resolve the DNS name and ping it;
just not access it.


As far as I can tell the server is working fine. Are you still having
problems?


Working fine for me now.  I had that problem also earlier, but it  
works fine now.


Re: Regarding adding a module

2006-08-05 Thread Doug Hardie


On Aug 5, 2006, at 01:24, Ravi S M wrote:


Hi



I wanted to add our own module for free radius code on Solaris box.
So please throw some light on this.


There used to be a fairly thorough writeup on that on the freeradius  
wiki - http://wiki.freeradius.org/.  However, I can't seem to access  
it right now. 
 


Re: Version 1.1.1 stops responding

2006-04-09 Thread Doug Hardie


On Apr 9, 2006, at 17:46, Alan DeKok wrote:


Duane Cox [EMAIL PROTECTED] wrote:

I have 2 servers with identical hardware/software configs.
Both servers hang at the same time.

stopping/starting the daemon doesn't resolve the issue, rebooting the box
does.


  That's fairly bad.  I'm not sure how something in the application
layer could cause that.  Maybe an OS issue?  But then why would *both*
boxes hang at the *same* time?

I was assuming it had something to do with the sql module because that is
where it paused (see: sql hangs, was (conflicts/duplicates need))


  Maybe a wider network issue?

  I'm just guessing here...


Check the times very closely.  They may be 10 seconds apart.  I had a  
problem with a module that was crashing.  The first request took out  
the primary server and then when it didn't respond, 10 seconds later  
it tried the backup and crashed it also.


Re: Creating a New Module

2006-03-28 Thread Doug Hardie


On Mar 28, 2006, at 10:55, Michael Nguyen wrote:


Hey guys,

I'm looking at this nifty FreeRadius package and I'd like to  
quickly write a simple XML-RPC module for FreeRadius.  I'm looking  
at the other modules and I'm wondering which one you guys would  
recommend that I mimic.  I just want the simplest, most  
straightforward module that I could use to just plug in the XML-RPC  
calls.


Any suggestions or perhaps dev documentation that you could point  
me to?


There is info you will need on the wiki:   http://www.freeradius.org/list/users.html




Re: opening sockets in modules

2006-03-28 Thread Doug Hardie


On Mar 28, 2006, at 22:08, radhika putty wrote:


Hi..

Are we allowed to open sockets inside a module and communicate with  
other programs. If not then how else can we communicate with other  
network programs..


I can't see why not.  I have one module that I tested that used pipes  
to move the actual updating of a sql database outside the radius  
server.  It worked just fine.  The performance improvement wasn't  
enough to justify doing that on a production server though.


Re: dynamic module installation

2006-03-23 Thread Doug Hardie


On Mar 22, 2006, at 10:15, Alan DeKok wrote:


jasonatx0001 [EMAIL PROTECTED] wrote:

Is it possible to dynamically install a new module ? i.e.
configure/make/install radius then compile a new module separately and move
its .so to the lib directory ?


  Yes.  That's the intent behind the design.


Is there an example on how to construct the makefile for that?  I
know how to do it if you put the module into the freeradius
structure, but can it be built outside that structure?


Re: dynamic module installation

2006-03-23 Thread Doug Hardie


On Mar 23, 2006, at 08:07, jasonatx0001 wrote:



yes it can. I simply built my module with gcc as a dynamic library. Just be
sure to use the same compiler flags that were used to build the freeradius
server - for example I was experiencing problems until I added the NDEBUG
flag. After I built my module I just put the .so in the libs directory and
added modified my config files.


Not having a lot of success with this.  I used that info and built
the module.  This is a module that works fine when built directly
into freeradius.  Copied it to libs and tried to use it.  With the  
NDEBUG flag I get a core dump.  My module does use the DEBUG  
command.  So I removed that.  No more core dumps, but a connect to a  
unix socket fails miserably.  The socket is there and works.   
Restoring the original module works fine too.  Perhaps something is  
still wrong in the way I am making the module.  Here is the makefile:


VERS = 1.0.5

CFLAGS  =  -I/usr/include -I/usr/local/msql3/include \
	-I/usr/ports/net/freeradius/work/freeradius-$(VERS)/src/include


LIBS=  -lc -L/usr/local/msql3/lib -lmsql

ALL:	rlm_msql.o rlm_msql

rlm_msql.o:	rlm_msql.c
	cc -g -fPIC -c $(CFLAGS) rlm_msql.c

rlm_msql:	rlm_msql.o
	cc -g -shared -soname,rlm_msql-$(VERS).so $(LIBS) \
		-o rlm_msql-$(VERS).so rlm_msql.o

install:	rlm_msql
	install rlm_msql-$(VERS).so /usr/local/lib
	ln -s /usr/local/lib/rlm_msql-$(VERS).so /usr/local/lib/rlm_msql.so






Re: problems with freeradius 1.0.5

2005-12-15 Thread Doug Hardie


On Dec 15, 2005, at 05:42, Riccardo Veraldi wrote:

Hello, I upgraded from freeradius 1.0.2 to 1.0.5 and nothing works anymore

I have this error:

radiusd.conf[1682] Unknown Auth-Type Pam in authenticate section.

commenting out pam then I got this
radiusd.conf[1682] Unknown Auth-Type System in authenticate section.

and so if I comment out unix in the radiusd.conf file I get this error:


rlm_eap_gtc: Unknown Auth-Type PAP
rlm_eap: Failed to initialize type gtc

anyone has some hints ??


Run the server with -X and check for error messages.


Re: Signal 10

2005-12-10 Thread Doug Hardie


On Dec 9, 2005, at 00:00, Doug Hardie wrote:

Well, it finally happened again.  This is the packet with the same  
timestamp as the signal 10 message.  There is no response to it.  I  
haven't decoded it completely yet, but it appears that the user id  
is corrupt.  I wonder if something in that field is causing the  
problem.  I was able to identify the user from the phone number and  
that user did successfully connect about 6 times earlier today so I  
don't think it's a configuration issue but most likely a line issue
(dial-in) causing corruption of the user-id.  The NAS is Ascend and  
I would have thought it would catch that and not forward junk at us.


Found the problem.  There are several NULLs in that user id.  My  
reading of the RFCs led me to believe there could not be NULLs in  
that field.  Hence I never allowed for that in one of my rlm's.   
Don't understand the signal 10 though.  Normally that kind of problem  
generates a signal 11. 
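
Added example (not part of the original messages, and not the poster's module): the cause found here, NUL bytes inside a User-Name that a module did not allow for, and the malformed request suspected in the 2007 crash thread above, both come from trusting lengths and string conventions in an untrusted packet. The sketch below walks the attributes of a constructed RADIUS packet with bounds checks and refuses a User-Name that contains NULs; extract_user_name, demo_case and the status codes are hypothetical names.

```c
/* Added example, not code from this thread. Names are hypothetical and the
 * packets are constructed test data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN 20    /* code(1) id(1) length(2) authenticator(16) */
#define RADIUS_MAX_LEN 4096  /* largest packet RFC 2865 allows */
#define ATTR_USER_NAME 1

enum { UN_OK = 0, UN_MALFORMED = -1, UN_MISSING = -2, UN_HAS_NUL = -3,
       UN_TOO_LONG = -4 };

/* Copy the User-Name value into out as a C string, or fail closed. */
int extract_user_name(const uint8_t *pkt, size_t pkt_len,
                      char *out, size_t out_size)
{
    const uint8_t *name = NULL;
    size_t name_len = 0, declared, off;

    /* The same guard belongs at the top of any module entry point. */
    if (pkt == NULL || out == NULL || out_size == 0)
        return UN_MALFORMED;
    out[0] = '\0';
    if (pkt_len < RADIUS_HDR_LEN)
        return UN_MALFORMED;

    /* The header's length field must fit inside what was received. */
    declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > RADIUS_MAX_LEN ||
        declared > pkt_len)
        return UN_MALFORMED;

    /* Walk type/length/value attributes; every length byte is untrusted. */
    for (off = RADIUS_HDR_LEN; off < declared; ) {
        size_t alen;
        if (declared - off < 2)
            return UN_MALFORMED;          /* no room for type + length */
        alen = pkt[off + 1];
        if (alen < 2 || alen > declared - off)
            return UN_MALFORMED;          /* runs past the packet end */
        if (pkt[off] == ATTR_USER_NAME && name == NULL) {
            name = pkt + off + 2;
            name_len = alen - 2;
        }
        off += alen;
    }
    if (name == NULL)
        return UN_MISSING;
    if (name_len == 0)
        return UN_MALFORMED;              /* RFC 2865: User-Name length >= 3 */
    /* The value is length-delimited, so a NUL can sit inside it. Code that
     * later uses strlen()/strcpy() would see a shorter name than the wire. */
    if (memchr(name, 0, name_len) != NULL)
        return UN_HAS_NUL;
    if (name_len >= out_size)
        return UN_TOO_LONG;
    memcpy(out, name, name_len);
    out[name_len] = '\0';
    return UN_OK;
}

/* Build a constructed Access-Request carrying one User-Name attribute.
 * pad_attr_len inflates the attribute's length byte to simulate corruption. */
int demo_case(const void *name, size_t name_len, unsigned pad_attr_len,
              char *out, size_t out_size)
{
    uint8_t pkt[RADIUS_HDR_LEN + 2 + 64] = {0};
    size_t total = RADIUS_HDR_LEN + 2 + name_len;

    if (name == NULL || name_len > 64 || pad_attr_len > 64)
        return UN_MALFORMED;
    pkt[0] = 1;                           /* Access-Request */
    pkt[1] = 1;                           /* identifier (constructed) */
    pkt[2] = (uint8_t)(total >> 8);
    pkt[3] = (uint8_t)(total & 0xff);
    pkt[RADIUS_HDR_LEN] = ATTR_USER_NAME;
    pkt[RADIUS_HDR_LEN + 1] = (uint8_t)(2 + name_len + pad_attr_len);
    memcpy(pkt + RADIUS_HDR_LEN + 2, name, name_len);
    return extract_user_name(pkt, total, out, out_size);
}

int main(void)
{
    char out[32];
    int rc;

    rc = demo_case("visitor", 7, 0, out, sizeof out);
    printf("clean name      -> %d \"%s\"\n", rc, out);
    rc = demo_case("vis\0tor", 7, 0, out, sizeof out);
    printf("embedded NUL    -> %d (strlen would see %zu of 7 bytes)\n",
           rc, strlen("vis\0tor"));
    rc = demo_case("visitor", 7, 8, out, sizeof out);
    printf("bad attr length -> %d\n", rc);
    return 0;
}
```

A module that gets anything other than UN_OK can log the request and return a failure code instead of touching the value.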
 


Re: Signal 10

2005-12-09 Thread Doug Hardie


On Dec 5, 2005, at 14:31, Alan DeKok wrote:


Doug Hardie [EMAIL PROTECTED] wrote:

I have a primary and backup freeradius server running on different
machines.  For the last couple days they have both been receiving a
signal 10 at almost the same time.


  Signal 10 is SIGBUS: Bus error.  It's usually indicative of bad memory.



I suspect it's a request from somewhere.  I am going to enable
tcpdump on the secondary server but am at a loss to figure out how
to get a core dump.  I don't see any place in the code where signal
10 is redirected.  Any other ideas on how to diagnose this problem?
Thanks.


  Use tcpdump to see what packet is causing the problem.

  If you're running a version prior to 1.0.5, then upgrade.  See
http://www.freeradius.org/security.html for more information.



Well, it finally happened again.  This is the packet with the same  
timestamp as the signal 10 message.  There is no response to it.  I  
haven't decoded it completely yet, but it appears that the user id is  
corrupt.  I wonder if something in that field is causing the  
problem.  I was able to identify the user from the phone number and  
that user did successfully connect about 6 times earlier today so I  
don't think it's a configuration issue but most likely a line issue
(dial-in) causing corruption of the user-id.  The NAS is Ascend and I  
would have thought it would catch that and not forward junk at us.



23:24:24.340733 IP o1-laxradius1.o1.com.3787  zook.radius: RADIUS, Access Request (1), id: 0xad length: 443



Signal 10

2005-12-05 Thread Doug Hardie
I have a primary and backup freeradius server running on different  
machines.  For the last couple days they have both been receiving a  
signal 10 at almost the same time.  The secondary server gets the  
signal exactly 10 seconds after the primary.  The time between the  
signals varies from a few hours to a week or so.  I can't seem to  
find anything else that is going on at that time.


The secondary system is basically idle.  It only handles a test check  
every 10 minutes.  So far none of the signals have occurred within 2  
minutes of one of those test checks.  The primary server is quite  
busy.  Nothing unusual shows in the radius.log,   Messages shows the  
signal 10 but no core dump and none is actually generated.  I have  
some internal debugging in my rlms and I enabled that but nothing  
shows there either.  I suspect it's a request from somewhere.  I am
going to enable tcpdump on the secondary server but am at a loss to  
figure out how to get a core dump.  I don't see any place in the code  
where signal 10 is redirected.  Any other ideas on how to diagnose  
this problem?  Thanks.


Re: Authentication Responses during error conditions

2005-07-28 Thread Doug Hardie
I am a bit confused now.  I understood that if a module returns  
RLM_MODULE_FAIL that radiusd would not return an authorization  
reject.  However, it appears that it still does.


rad_recv: Access-Request packet from host 127.0.0.1:53579, id=193, length=71

User-Name = visitor
User-Password = asdfjkle
Called-Station-Id = 8053342021
Calling-Station-Id = 3232546586
rad_lowerpair:  User-Name now 'visitor'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  hints: Matched DEFAULT at 59
  modcall[authorize]: module preprocess returns ok for request 0
users: Matched entry visitor at line 51
  modcall[authorize]: module files returns ok for request 0
rlm_lafn: Found USER_NAME
rlm_lafn: Found NAS
rlm_lafn: Found Calling ID
rlm_lafn: Found Called ID
rlm_lafn: Found Hint
get_time returns 60
Unable to connect to 0: Can't connect to MSQL server on 0
  modcall[authorize]: module lafn returns fail for request 0
modcall: group authorize returns fail for request 0
There was no response configured: rejecting request 0
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 193 to 127.0.0.1:53579
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 193 with timestamp 42e96be9
Nothing to do.  Sleeping until we see a request.


zool# ./visitor
Received response ID 193, code 3, length = 20


From radiusd.conf:

#  Authorization. First preprocess (hints and huntgroups files),
authorize {
	preprocess
	files
	lafn
}




Re: Authentication Responses during error conditions

2005-07-28 Thread Doug Hardie


On Jul 28, 2005, at 17:09, Alan DeKok wrote:


  RADIUS servers are supposed to return Access-Reject's for
Access-Accepts, rather than just dropping the packets.


  If the server *requires* a back-end DB, and that DB is down, then
arguably the server can pretend it's down, too.



I am trying to get the Ascend NASs to switch to the secondary radius  
server when the primary has a failure condition.  I know that no  
response will cause that, but haven't been able to find any way to  
make the switch occur when the primary is not working properly.  Is
there a particular value to send back that would cause the switch?




Exec-Program-Wait vs rlm_exec vs rlm_your own

2005-06-30 Thread Doug Hardie

I transitioned from Cistron radius some time ago.  There the only
option was Exec-Program-Wait.  I had developed one that suited our
needs.  It transitioned quite well to freeradius.  However, there are
notes in various places that Exec-Program-Wait will sometime go away.
The indicated replacement is rlm_exec.  I tried to convert my
programs over to that and never could quite get everything to work.
There were always issues that have been discussed here at length.
There were some patches that might have helped my situation, but I
didn't want to have to keep remembering to patch new versions etc.

Recently I took a more detailed look at rlm_example and decided to
give that approach a try.  It's actually quite easy to convert an
Exec-Program-Wait into a rlm_.  Some of the steps are not obvious and
the really difficult part is figuring out what you need to do to get
configure to work properly.  The real advantage of this, however, is
that there is no forking overhead.  It runs a lot more efficiently
and can do more than what the Exec-Program-Waits can do.  Hence, I
would suggest that rather than push the rlm_exec as the replacement
for Exec-Program-Wait, that creating your own rlm_ would be a
better approach.

There are no real instructions for creating your own rlm that I could
find.  However, the experience is still fresh and if you are
interested I could put together a first draft of instructions on
creating a rlm.


Re: rlm_exec

2005-06-21 Thread Doug Hardie

I have 2 exec-prog-wait modules that I am converting to rlms.  The
process fork time is very significant for both because of the various
startup things that have to be done.  By making them rlm's that is
done infrequently.  One of them is for authorization and the other
for accounting.  I have already created the accounting rlm and it
seems to work fine.  The question I have is should I add the
authorization code to that rlm or create a separate rlm?  There is
virtually no commonality between them.  Both are fairly complex so
intermingling them in the same source file will make it fairly
difficult to read/maintain.  Are there any performance differences to
having 2 rlm's vs one?


Re: freeradius 1.0.4

2005-06-15 Thread Doug Hardie


On Jun 15, 2005, at 21:09, Andrew Thompson wrote:

> On Thu, Jun 16, 2005 at 01:51:04PM +1000, Paul Hampson wrote:
>> On Thu, Jun 16, 2005 at 03:29:05PM +1200, Andrew Thompson wrote:
>>> Hi,
>>>
>>> I maintain the FreeRADIUS port for FreeBSD and am holding off upgrading
>>> from 1.0.2 due to the imminent release of 1.0.4 (06 June).
>>>
>>> There doesn't seem to be any discussion on the mailing lists, is 1.0.4
>>> due soon or should I upgrade to 1.0.3 in the interim?
>>
>> Sorry about the delay. I'm just about to go prep and tag it, so a
>> release in the next few hours, I hope.
>
> Excellent, I will stay posted.

As a user of that particular port, a big thank you to both of you.

-- Doug


Hanging radiusd

2005-06-08 Thread Doug Hardie

I am encountering a problem on 1 of my radius servers (not any of the
others).  Every so often it hangs and quits responding to requests.
FreeBSD 5.3.  ps shows a status of TLs which means it's waiting for a
lock.  There is no way to kill the process and ktrace shows
absolutely nothing over many requests that timeout.  The only way to
restart it is a reboot.  I do know that one of the memory boards is
likely to be defective.  I suspect that this is the cause of the
problem.  FreeBSD reports less memory on that board than is marked on
the board itself.  I don't recall the exact numbers but it's not a
multiple of 2.  I won't be on site till Friday so won't be able to
put in new memory till then.  Does my assumption appear valid?


Re: No detail logs # 2

2005-05-29 Thread Doug Hardie


On May 29, 2005, at 21:50, Radius wrote:

> Everything was working fine until we switched back haul providers.
> We changed all the IP addresses that we could find under the raddb/etc
> directory.
>
> I'm sure I missed a setting or something. We changed providers as well
> as our IP addresses 4 days ago. Ever since we did, no detail logs are being
> created by FreeRadius 9.3. Everyone can get logged in and realms are working
> fine, just no detail log. Any ideas?

Presuming you don't want to bring it down to run in debug mode which
would answer that question, run ktrace/strace/truss or whichever
equivalent you have on the running radiusd for a few minutes.
Then look through the output for the open of the logfile.  It should
show the relevant error code.


Re: restrict login based on nas

2005-05-16 Thread Doug Hardie

On May 16, 2005, at 13:34, Bartosz Jozwiak wrote:

> Hello,
> Is it possible to restrict users to login only to
> specific nas client?
> So if they use different nas their login should be rejected.

I do that using an EXEC-PROG-WAIT module.  A rlm_exec module will
apparently also do that but I haven't had time to convert.  There is
a macro for the NAS IP address and I just include that in the
argument list to the module.  There is a doc on variables that has
all of the info on that.



Re: freeradius conf.

2005-03-02 Thread Doug Hardie
  rad_check_password:  Found Auth-Type System
rlm_unix: [pradeep]: invalid password

You are configured for Unix password validation and the password you
gave is not the one the system has for that user id.

On Mar 2, 2005, at 23:10, Pradeep Nevatia wrote:

> Dear, I haven't solved my problem, please help me out..
> pradeep..
>
> Dear
> Recently I have installed freeradius (freeradius-0.9.3-1.i386.rpm), I have
> some problem in password auth.
> I have created new user:pradeep with pass:123456
>
> When I tried to test the auth. enabling Debug mode,
> using command  radtest pradeep 123456 localhost:1812 0 testing123
> it generates the following message:
>
> rad_recv: Access-Request packet from host 127.0.0.1:32783, id=176, length=59
> User-Name = pradeep
> User-Password = 123456
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 0
> modcall: entering group authorize for request 1
>   modcall[authorize]: module preprocess returns ok for request 1
>   modcall[authorize]: module chap returns noop for request 1
>   modcall[authorize]: module eap returns noop for request 1
> rlm_realm: No '@' in User-Name = pradeep, looking up realm NULL
> rlm_realm: No such realm NULL
>   modcall[authorize]: module suffix returns noop for request 1
> users: Matched DEFAULT at 152
>   modcall[authorize]: module files returns ok for request 1
>   modcall[authorize]: module mschap returns noop for request 1
> modcall: group authorize returns ok for request 1
>   rad_check_password:  Found Auth-Type System
> auth: type System
> modcall: entering group authenticate for request 1
> rlm_unix: [pradeep]: invalid password
>   modcall[authenticate]: module unix returns reject for request 1
> modcall: group authenticate returns reject for request 1
> auth: Failed to validate the user.
> Delaying request 1 for 1 seconds
> Finished request 1
> ==
> Please help me where I have made a mistake in conf.
> Regards
> Pradeep..




Re: Source code

2004-12-01 Thread Doug Hardie

On Dec 1, 2004, at 10:17, Alan DeKok wrote:

> Panagiotis Mavros [EMAIL PROTECTED] wrote:
>> we are proposing a lightweight WLAN roaming architecture. This means that we
>> implement a roaming architecture for a small community. The scenario is
>> Client--AP--foreign server --Home server and so on...
>> All this is done using EAP-MD5 authentication (only this authentication
>> scheme) and mysql for keeping user profiles.
>
>   Read raddb/eap.conf.  EAP-MD5 is not recommended for new
> installations.  It's not secure.
>
>> The idea is to minimize the length of packets in order to provide faster
>> roaming.
>
>   Huh?  No wonder you're confused.
>
>   The length of the packets makes ZERO difference for roaming.
>
>   Read that again.  ZERO.  What you are trying to do is useless.

There was a hint in one of his earlier postings:  He lives in an
alternate universe (academic institution) where things like the laws of
physics and thermodynamics do not apply.  Reality is entirely
established by the professor's dreams.  The fact that the professor has
his head up his ... is not relevant.  This guy needs to come up with
something that looks like it implements the professor's dream.  It only
has to appear to do such as our reality doesn't appear in that
universe.  I believe the best solution was previously posted - a module
or script which checks the lengths and then rejects the request if they
are not the right size.  Easy to develop and can be demonstrated using
a series of radcheck commands.



Re: rlm_exec questions

2004-08-27 Thread Doug Hardie

On Aug 27, 2004, at 09:05, Kostas Zorbadelos wrote:

> The module returns fail but no access-reject is sent back and radtest
> keeps retransmitting.
> What am I missing?

Alan responded to me on a similar issue some time ago with the response
to use configurable failover.  There is a very good document on that in
the docs directory.  I came up with the following approach based on
that.  However, it has never been tested and no one responded to my
posting of it.  I didn't want to do any more disruptive testing on a
production machine so I reverted to an Exec-Program-Wait module which
does it all very simply.

modules {
    ...
    exec l_auth {
        wait = yes
        program = /etc/raddb/local %{HINT} R
        input_pairs = request
        output_pairs = reply
    }
    always reject {
        rcode = reject
    }
    ...
}
post-auth {
    redundant {
        l_auth {
            fail = 1
        }
        reject
    }
}

It also seems like I might be able to use the following in post-auth:

post-auth {
    l_auth {
        fail = reject
    }
}



Unusual pstack entry

2004-08-17 Thread Doug Hardie

pstack on radiusd (0.93) FreeBSD 4.6 shows what appears to be all
threads idle except for this one:

- thread 4 -
 0x2820dcd8 _thread_kern_sched (0, 74756f, 73736553, 2820e652, 28254da4, 28252e24) + 4c
 0x2820e6ab _thread_kern_sched_state_unlock (3, 8163f9c, 2824d100, fd, 28254da4, 80c1d54) + 67
 0x28212d8c pthread_cond_wait (817a128, 817a124, bfac8b3c, 281d0b20, 3bfc, eff) + 180
 0x281d0b6d sem_wait (80c1d54, bfac8bb0, bfac8b6c, 805ca79, bfac8bb0, aeff) + 69
 0x805cb03 rad_waitpid (aeff, bfac8bac, 0, 0, bfacb414, bfacbe3c) + 9b
 0x8056f89 radius_exec_program (817a0e0, 8173a00, 1, bfacbe3c, ff, 816a400) + 66d
 0x8057f53 rad_authenticate (8173a00, 816a400, 8173a1c, 281d0b90, 8163cd0, 8163cc0) + 89f
 0x8052c04 rad_respond (8173a00, 80576b4, 0, 0, 28254da4, bfabc000) + 198
 0x805c21c _init (8163cc0, 0, 0, 0, 0, 0) + bb88
 0x281d24a3 _thread_start () + 37

That thread has said the same thing for over an hour.  It appears to be
waiting for an Exec-Program-Wait module with pid of aeff to return.
That pid is in the range where current processes were about an hour ago
so it seems to match.  However, that process is long gone.  Somehow the
signal was not caught.  Am I interpreting this correctly?  Every couple
days radiusd just quits or hangs using all the processor.  When it
hangs there are hundreds of threads.  I haven't checked them carefully
yet since this is a production system and having radiusd down causes
all kinds of complaints.  I suspect that somehow this problem is
growing slowly until eventually radiusd (or thread system) just can't
handle the number of threads anymore.  Anyway that's a guess until I can
capture the real thread state when it hangs.



Re: rlm_exec

2004-08-15 Thread Doug Hardie

On Aug 15, 2004, at 15:43, Alan DeKok wrote:

> Doug Hardie [EMAIL PROTECTED] wrote:
>> I still need some help.  I have searched through the archives, google,
>> documentation and source code.  I need the program I am calling to be
>> able to return pairs to the NAS when the authentication request is
>> granted and I need to have it not authenticate in some cases.  In the
>> EXEC-PROGRAM-WAIT a non-zero return will cause it not to return a
>> successful authentication.
>
>   Which is what it's designed to do.

Then how do you replace a deprecated EXEC-PROGRAM-WAIT call with
something that calls an external program that can return pairs or cause
authentication failure with the regular authentication failure logging
messages?

>> All I get is a note in radius.log that the external script failed.
>> The normal user logging does not take place.
>
>   What normal user logging?

There is no logging of the user id/password for the failed
authentication attempt, only a logged message that the exec module
failed.

>> The rlm_exec module only seems to treat the return code in that way.
>
>   What way?

Generate an exec module failed message.

>   Alan DeKok.




Re: Exec-Program-Wait attributes not included in Access-Accept

2004-07-26 Thread Doug Hardie

On Jul 26, 2004, at 06:58, Thor Spruyt wrote:

> Hi,
> I have freeradius 0.9.3 running with Postgresql database backend.
> The only thing the radius checks is the password and then executes an
> external script if authentication is ok.
> The section in the users file is:
>
> DEFAULT Auth-Type = Local
>         Exec-Program-Wait = /opt/radius1/bin/auth.pl
>
> Everything runs fine, except the attributes output by the script (attr =
> value separated by newlines) are not added to the reply as you can see in
> this debugging output:
>
> auth: type Local
> auth: user supplied User-Password matches local User-Password
> radius_xlat:  '/opt/radius1/bin/auth.pl'
> Exec-Program: /opt/radius1/bin/auth.pl
> Exec-Program output: Acct-Interim-Interval = 600 Idle-Timeout = 3600 Session-Timeout = 171454526
> Exec-Program-Wait: plaintext: Acct-Interim-Interval = 600 Idle-Timeout = 3600 Session-Timeout = 171454526
> Exec-Program: returned: 0
> Login OK: [thor] (from client x port 0 cli 00:30:00:04:A5:22)
> Sending Access-Accept of id 112 to 192.168.250.105:32780
> Finished request 0
> Going to the next request
>
> Any idea what might be wrong?

I have an Exec-Program-Wait and I don't use returns.  Here is an
example of the script output that works:

Session-Timeout = 3600, Framed-IP-Address = 66.81.99.99

There are no returns anywhere in the string.  I tried various
combinations of things using debug mode to find one that works.

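An external check of the kind described in this post and in the earlier "restrict login based on nas" reply, written here as an added example (not code from the posts or from FreeRADIUS): it takes the user name and NAS IP address as arguments, refuses with a non-zero exit, and prints its reply pairs on one comma-separated line. The allow-list, the function names and the `nas-check` file name are assumptions; the reply values reuse ones quoted in the posts.

```shell
#!/bin/sh
# Added example: external authorization check for an Exec-Program-Wait
# style hook. Names and data below are constructed for illustration.

# Constructed allow-list of "user nas-ip" pairs (documentation addresses).
ALLOWED_NAS='
alice 192.0.2.10
alice 192.0.2.11
bob 192.0.2.10
'

# Reply pairs on ONE line, comma separated, no newlines in the string
# (the output shape the post above reports as working).
REPLY_PAIRS='Session-Timeout = 3600, Idle-Timeout = 900'

# The user name comes from the RADIUS request, so it is untrusted input:
# accept only a conservative character set (an assumption of this example).
valid_user() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Dotted-quad check: exactly four decimal octets, each 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (
        # Split on dots inside a subshell so the caller's IFS is untouched.
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Returns 0 and prints the reply pairs only for a listed user/NAS pair.
# Every other outcome, including missing arguments, returns 1 (fail closed).
nas_check() {
    user=${1:-} nas=${2:-}
    valid_user "$user" && valid_ipv4 "$nas" || return 1
    # -F: fixed string, -x: whole line, so "192.0.2.1" cannot match
    # an entry for "192.0.2.10" and no regex characters are interpreted.
    printf '%s\n' "$ALLOWED_NAS" | grep -Fqx -- "$user $nas" || return 1
    printf '%s\n' "$REPLY_PAIRS"
}

# Act as a program only when installed under the hypothetical name
# "nas-check"; otherwise the file just defines the functions.
case ${0##*/} in
    nas-check) nas_check "${1:-}" "${2:-}"; exit $? ;;
esac
```

Because the arguments are expanded from request attributes, the script never passes them to `eval` or uses them as a pattern; they are validated first and compared as fixed strings.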


Re: radius log

2004-06-15 Thread Doug Hardie

Those are all authentication request logging entries (the log and the
config file).  You will never see a disconnect in the authentication
log entries.  There is no authentication request when a user
disconnects.  You have to look at the accounting log entries.

On Jun 15, 2004, at 21:07, apellido jr., wilfredo p. wrote:

The radius.log file is only written to when an authentication request
is processed.  User's only authenticate when the connection is
established.  Accounting requests are sent to the radius server when
the connection is established and when it terminates.

Ok, this is the tail of radius.log

Sun Jun 13 23:36:40 2004 : Auth: Login OK: [apellido] (from client portmaster.mactan.ph port 0)
Sun Jun 13 23:38:05 2004 : Auth: Login incorrect: [gunday/molendijk] (from client portmaster.mactan.ph port 13)
Sun Jun 13 23:38:40 2004 : Auth: Login OK: [gunday] (from client portmaster.mactan.ph port 13)
Sun Jun 13 23:38:47 2004 : Auth: Login incorrect: [lmharm/literock] (from client portmaster.mactan.ph port 27)
Sun Jun 13 23:40:19 2004 : Auth: Login OK: [apellido] (from client portmaster.mactan.ph port 1)
Sun Jun 13 23:41:00 2004 : Auth: Login OK: [gunday] (from client portmaster.mactan.ph port 13)
Sun Jun 13 23:42:17 2004 : Auth: Login OK: [mim] (from client portmaster.mactan.ph port 27)

I don't see any message that shows that the user is disconnected. I'm the one
who uses the account apellido and when I tried to disconnect, it doesn't
appear in radius.log that I've disconnected. Although I configured
freeradius (radius.conf) just like this.

log_file = ${logdir}/radius.log
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes

thanks in advance...

Those are handled differently depending on your radius server configuration.

On Jun 15, 2004, at 17:57, apellido jr., wilfredo p. wrote:

Sorry if I'm wrong for what I'm trying to say. What I mean is, I don't see any
message in radius.log that the user is disconnected.

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 15, 2004 9:28 PM
Subject: Re: radius log

apellido jr., wilfredo p. [EMAIL PROTECTED] wrote:
Hello, I configured freeradius (rlm_pap + rlm_mysql + rlm_sqlcounter)
successfully and it authenticates perfectly but I don't see any stop
message in radius.log.

  Accounting packets aren't logged to radius.log.

  Alan DeKok.

-- Doug

-- Doug


Re: FreeRADIUS sending Access-Reject if no response to proxied Access-Request

2004-04-26 Thread Doug Hardie

On Apr 26, 2004, at 14:19, Alan DeKok wrote:

> [EMAIL PROTECTED] wrote:
>> This behavior is causing a lot of spurious access-reject
>> packets in our configuration, with RADIUS servers
>> behind a load-balancer.
>
>   Why?  What's so problematic about the Access-Rejects?

Because the NAS will not switch over to the alternate radius server
which is probably working properly.





Re: exec-program-wait - scripts are not executing

2004-04-13 Thread Doug Hardie

Are you sure you are looking in the right directory?  Since you didn't
specify the full path, it uses whatever it has as a working path at
that point.  It may not be one that is obvious.  Try specifying the
complete path.  Also run it by hand to be sure the permissions are
correct.

On Apr 13, 2004, at 20:53, mel wrote:

> A simple test script:
>
> echo hello > rad.txt
>
> acct_users:
>
> testuser Password == test123
>    Exec-Program = sh /home/radius/test.sh
>
> It does not produce the rad.txt. test.sh has
> the correct permission and it is executable.
> Leaving out the sh to just /home/radius/test.sh
> also gives no result.
>
> radiusd in debug mode:
>
> Wed Apr 14 11:42:47 2004 : Debug: radius_xlat:  'sh /home/radius/test.sh'
> Wed Apr 14 11:42:47 2004 : Debug: Exec-Program: sh /home/radius/test.sh
>
> Any ideas as to why the script does not produce the
> output (i.e. the file rad.txt)?
>
> Regards,
>
> --mel

-- Doug



Re: Choosing Free Radius (beta?)

2004-03-01 Thread Doug Hardie

On Mar 1, 2004, at 20:05, Matt Bailey wrote:

> I am currently trying to choose a radius server to evaluate for use. It appears
> that free radius is going to replace cistron since cistron development has
> slowed to maintenance.
>
> Is the current Free Radius server a viable solution?
>
> When will a 'non-beta' version be available?
>
> Is anyone using Free Radius in production environment successfully?
>
> Thanks for any information, I am having a difficult time finding good comparisons
> of GPL radius servers.

I recently switched from Cistron to version 0.9.3.  It has worked very
well, but the configuration is quite a bit different from Cistron.
There are many more options and ways to set things up than Cistron ever
had.  I found that the documentation was easy to follow once you
understand it.  Help is available here which I found necessary.



Error Returns

2004-02-12 Thread Doug Hardie

I encountered an unusual situation today with freeradius 0.9.3.  For
some unknown reason all 32 threads locked up.  radius.log shows lots of
entries like:

Thu Feb 12 12:53:40 2004 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request

What is surprising is that it appears the server returned authorization
failed responses to the NASs as they never attempted to use my backup
server and all the users received an invalid user id or password
message.  Is this the way the server is supposed to work in this
situation?



User name logging in radutmp and radwtmp

2004-02-04 Thread Doug Hardie
Is there a way to configure such that prefixes and suffixes are 
stripped from user names when they are logged in the radutmp and 
radwtmp files?



Prefix and Suffix

2004-02-02 Thread Doug Hardie

I am trying to setup a users file using prefix and suffix and can't
seem to get it to recognize them.  Authentication requests without a
prefix or suffix are handled properly.  However, when I use them it
just ignores those entries in the users file and goes to the last
DEFAULT entry.  Excerpt from the users file:

DEFAULT Prefix == DUB+, Strip-User-Name = Yes, Auth-Type := System
        Exec-Program-Wait = /etc/raddb/local %u %n S %{Called-Station-Id},
        Idle-Timeout = 900

DEFAULT Suffix == @lafn, Strip-User-Name = Yes, Auth-Type := System
        Exec-Program-Wait = /etc/raddb/local %u %n E %{Called-Station-Id},
        Idle-Timeout = 900

DEFAULT Auth-Type := System
        Exec-Program-Wait = /etc/raddb/local %u %n R %{Called-Station-Id},
        Idle-Timeout = 900

The debug output when using the suffix:

rad_lowerpair:  User-Name now '[EMAIL PROTECTED]'
rad_rmspace_pair:  User-Name now '[EMAIL PROTECTED]'
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
users: Matched DEFAULT at 66
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0

Line 66 is the last DEFAULT statement.  I have made the hints file
completely empty.  Prefix and Suffix only appear in the users file.  I
have tried commenting out anything dealing with prefix or suffix in the
radiusd.conf file which didn't seem to change anything.
