Re: Gigawords

2007-09-14 Thread Guilherme Franco
Hello Mr. Mayers,

I don't think so, because I've copied the very same syntax that can be found in
oraclesql.conf of FR 1.1.7.

Thank you.

Guilherme Franco

On 9/14/07, Phil Mayers [EMAIL PROTECTED] wrote:

 On Fri, 2007-09-14 at 00:05 -0300, Guilherme Franco wrote:
  Hello,
 
  I'm using rlm_sql_log in freeradius 1.1.4.
 
  In order to correctly work with acct-input/ output gigawords, I've
  replaced '%{Acct-Input-Octets}' with '%{%{Acct-Input-Gigawords}:-0}'
  << 32 | '%{%{Acct-Input-Octets}:-0}' in the rlm_sql_log conf, but this
  results in invalid queries like:
 
  update radacct set... ...acctiputoctets = 0 << 32 | 98...

 Is that not because you put an invalid query template in?

 You need () around the (val << N) bit.

 You also almost certainly want to do:

 (giga << 32) + words

 ...rather than using bitwise | operator


 

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Gigawords

2007-09-14 Thread Guilherme Franco
Hi Mr. DeKok,

Ok, I've just asked it because of:
http://wiki.freeradius.org/index.php/FAQ#Why_do_Acct-Input-Octets_and_Acct-Output-Octets_wrap_at_4_GB.3F
(which
says that it should work in older versions)

Also, the rlm_sql_log module version is the same in 1.1.7 as in 1.1.4 (v
1.3.2.2 2005/12/12).

Thank you.

Guilherme Franco

On 9/14/07, Alan DeKok [EMAIL PROTECTED] wrote:

 Guilherme Franco wrote:
  Hello,
 
  I'm using rlm_sql_log in freeradius 1.1.4.
 
  In order to correctly work with acct-input/ output gigawords,

 Upgrade to 1.1.7.

 Alan DeKok.

Gigawords

2007-09-13 Thread Guilherme Franco
Hello,

I'm using rlm_sql_log in freeradius 1.1.4.

In order to correctly work with acct-input/ output gigawords, I've replaced
'%{Acct-Input-Octets}' with '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}' in the rlm_sql_log conf, but this results in
invalid queries like:

update radacct set... ...acctiputoctets = 0 << 32 | 98...

Looks like the rlm_sql_log module was not compiled to parse that syntax.

What can I do, please (besides create a procedure on the DB to treat that)?

Thank you very much.

Guilherme Franco

Re: Big VSA + Proxy problem

2007-06-13 Thread Guilherme Franco
Hello,

It's the same server with the very same config for both users in
radcheck and radreply, except that in proxy.conf, only the proxy.com
realm is set to be proxied to 192.168.1.2.

When the user [EMAIL PROTECTED] (no proxy) logs in, the VSA
ERX-Service-Bundle is sent to the B-RAS, while it's not when the user
[EMAIL PROTECTED] (proxy) gets authenticated.

Thank you.

On 6/13/07, Alan Dekok [EMAIL PROTECTED] wrote:
 Guilherme Franco wrote:
  Hi,
 
  Sorry for bothering you guys.
 
  I would like to humbly ask if there's any ideas on this?

  There's a lot there, and it's not clear what's going on.

  Look at the differences between the two configurations.

  Alan DeKok.
 --
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Big VSA + Proxy problem

2007-06-12 Thread Guilherme Franco
Hi,

Sorry for bothering you guys.

I would like to humbly ask if there's any ideas on this?

Thanks.

On 6/11/07, Guilherme Franco wrote:
 Hello Mr. Alan,

 Thank you for answering.

 Below, you will find a working local authentication, user
 [EMAIL PROTECTED] (without proxy), where the VSA ERX-Service-Bundle is
 found in radreply (although the debug doesn't say that) and sent back
 to the B-RAS:


Re: Big VSA + Proxy problem

2007-06-11 Thread Guilherme Franco
Hello Mr. Alan,

Thank you for answering.

Below, you will find a working local authentication, user
[EMAIL PROTECTED] (without proxy), where the VSA ERX-Service-Bundle is
found in radreply (although the debug doesn't say that) and sent back
to the B-RAS:

rad_recv: Access-Request packet from host 192.168.1.1:5, id=29, length=238
Mon Jun 11 11:18:18 2007 : Debug: --- Walking the entire request list ---
Mon Jun 11 11:18:18 2007 : Debug: Waking up in 31 seconds...
Mon Jun 11 11:18:18 2007 : Debug: Thread 2 got semaphore
Mon Jun 11 11:18:18 2007 : Debug: Thread 2 handling request 1, (1
handled so far)
User-Password = testing
User-Name = [EMAIL PROTECTED]
Acct-Session-Id = erx atm 3/2.42:100.132:0002097381
Service-Type = Framed-User
Framed-Protocol = PPP
ERX-Pppoe-Description = pppoe 12:34:56:78:9a:bc
Calling-Station-Id = #BRAS-03#this is a description#100#132
Connect-Info = speed:UBR:12000
NAS-Port-Type = xDSL
NAS-Port = 845414532
NAS-Port-Id = atm 3/2.42:100.132
NAS-IP-Address = 192.168.1.1
NAS-Identifier = BRAS-03
Mon Jun 11 11:18:18 2007 : Debug:   Processing the authorize section
of radiusd.conf
Mon Jun 11 11:18:18 2007 : Debug: modcall: entering group authorize
for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modsingle[authorize]: returned
from preprocess (rlm_preprocess) for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modcall[authorize]: module
preprocess returns ok for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modsingle[authorize]: calling
auth_log (rlm_detail) for request 1
Mon Jun 11 11:18:18 2007 : Debug: radius_xlat:
'/usr/local/var/log/radius/radacct/192.168.1.1/auth-detail-20070611'
Mon Jun 11 11:18:18 2007 : Debug: rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/192.168.1.1/auth-detail-20070611
Mon Jun 11 11:18:18 2007 : Debug:   modsingle[authorize]: returned
from auth_log (rlm_detail) for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modcall[authorize]: module
auth_log returns ok for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modsingle[authorize]: returned
from chap (rlm_chap) for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modcall[authorize]: module chap
returns noop for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modsingle[authorize]: calling
suffix (rlm_realm) for request 1
Mon Jun 11 11:18:18 2007 : Debug: rlm_realm: Looking up realm
local.com for User-Name = [EMAIL PROTECTED]
Mon Jun 11 11:18:18 2007 : Debug: rlm_realm: No such realm local.com
Mon Jun 11 11:18:18 2007 : Debug:   modsingle[authorize]: returned
from suffix (rlm_realm) for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modcall[authorize]: module
suffix returns noop for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modsingle[authorize]: calling
files (rlm_files) for request 1
Mon Jun 11 11:18:18 2007 : Debug: users: Matched entry DEFAULT at line 171
Mon Jun 11 11:18:18 2007 : Debug: users: Matched entry DEFAULT at line 183
Mon Jun 11 11:18:18 2007 : Debug:   modsingle[authorize]: returned
from files (rlm_files) for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modcall[authorize]: module files
returns ok for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modsingle[authorize]: calling sql
(rlm_sql) for request 1
Mon Jun 11 11:18:18 2007 : Debug: radius_xlat:  '[EMAIL PROTECTED]'
Mon Jun 11 11:18:18 2007 : Debug: rlm_sql (sql): sql_set_user escaped
user -- '[EMAIL PROTECTED]'
Mon Jun 11 11:18:18 2007 : Debug: radius_xlat:  'SELECT
id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id'
Mon Jun 11 11:18:18 2007 : Debug: rlm_sql (sql): Reserving sql socket id: 30
Mon Jun 11 11:18:18 2007 : Debug: radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username =
'[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id'
Mon Jun 11 11:18:18 2007 : Debug: radius_xlat:  'SELECT
id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id'
Mon Jun 11 11:18:18 2007 : Debug: radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username =
'[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id'
Mon Jun 11 11:18:18 2007 : Debug: rlm_sql (sql): Released sql socket id: 30
Mon Jun 11 11:18:18 2007 : Debug:   modsingle[authorize]: returned
from sql (rlm_sql) for request 1
Mon Jun 11 11:18:18 2007 : Debug:   modcall[authorize]: module sql
returns ok for 

Big VSA + Proxy problem

2007-06-07 Thread Guilherme Franco
Hello,

Running Freeradius 1.1.4 on RHEL with an Oracle backend.

I'm at a Carrier and every @bar.com request is configured to be
proxied but I have a problem where a VSA (in radreply table) is not
even sent to bar.com.

In my database:

select * from radcheck;
ID  USERNAME           ATTRIBUTE           OP  VALUE
--  -----------------  ------------------  --  ---------------
1   [EMAIL PROTECTED]  User-Password       :=  temp123

select * from radreply;
ID  USERNAME           ATTRIBUTE           OP  VALUE
--  -----------------  ------------------  --  ---------------
1   [EMAIL PROTECTED]  ERX-Service-Bundle  :=  test1
2   [EMAIL PROTECTED]  Framed-IP-Address   :=  192.168.254.199

Disabling the proxying for this realm works correctly (freeradius
auths the user locally and sends the VSA to the router).

With proxy configured, the user gets authenticated by bar.com but the
VSA is not sent to bar.com (no traces of it in pre_proxy logs nor in
radiusd -X debugs).

I've already added ERX-Service-Bundle =* ANY in both attrs and
attrs.pre-proxy and enabled the filters in radiusd.conf, but still no
luck.

Question: if that issue gets fixed and the VSA goes to bar.com, is
there any way for bar.com to return that same VSA untouched (considering
that bar.com doesn't know a thing about that VSA, i.e. it doesn't have
any VSA info in its database)? In fact, I don't need to send that VSA
to bar.com, I just need to send it directly to my router (just like in
the unproxied realm) but the proxy feature doesn't allow that.

Please consider that I can't simply add ERX-Service-Bundle := test1
in attrs (like I do with DNS VSAs) because the value of that VSA is
chained with the user in radreply and each user has its own different
value (test2, test5, etc.).

I'm very worried. Can anyone please shed some light on this?

Thank you very much!


Re: 1.1.6 with rlm_sqlippool: ip=[] len=0

2007-05-12 Thread Guilherme Franco
Mr. Alan and Mr. Peter,

Sorry for the lack of information.

I'll give more details about the problem on Monday.

Thank you very much.

On 5/12/07, Peter Nixon [EMAIL PROTECTED] wrote:
 On Sat 12 May 2007, Guilherme Franco wrote:
  Ok,
 
  But a lot of times, in the process of server restart (every hour in
  cron.hourly), freeradius hangs and Error: There appears to be another
  RADIUS server running on the authentication port 1812 messages
  appear.
 
  I have to manually kill -9 radiusd and start it again. Version 1.1.6
  hangs more in this matter than 1.1.4 does.
 
  Also, I've tried to update to the latest CVS
  (freeradius-server-snapshot-20070511.tar.bz2) just to check it out
  (because Mr. Nixon said earlier that the postgresql driver was
  fixed in CVS), but a Floating point Exception occurred.

 OK. Well, please give us more information about this problem (Back trace etc)
 so that we can try to fix it.


 --

 Peter Nixon
 http://www.peternixon.net/
 PGP Key: http://www.peternixon.net/public.asc


Re: 1.1.6 with rlm_sqlippool: ip=[] len=0

2007-05-11 Thread Guilherme Franco
Ok,

But a lot of times, in the process of server restart (every hour in
cron.hourly), freeradius hangs and Error: There appears to be another
RADIUS server running on the authentication port 1812 messages
appear.

I have to manually kill -9 radiusd and start it again. Version 1.1.6
hangs more in this matter than 1.1.4 does.

Also, I've tried to update to the latest CVS
(freeradius-server-snapshot-20070511.tar.bz2) just to check it out
(because Mr. Nixon said earlier that the postgresql driver was
fixed in CVS), but a Floating point Exception occurred.

That's it. Thanks.


On 5/10/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Guilherme Franco wrote:
  On my earlier posts (months ago, with 1.1.4), it has been told that the
  latest CVS would solve the problem. I thought that 1.1.6 would include
  the fix from the CVS head.
 
  1.1.6 Changelog:
  *Fixed bug in PostgreSQL module that caused server crash.

 The error you posted is not a server crash.

  I thought that this would correct the behaviour as well, because the
  server did crash sometimes (I've sent some valgrind outputs to you in
  previous posts).

 Perhaps there are two unrelated bugs.  One got fixed.  I have no idea
 what the other bug is.

  Using the latest CVS will fix the problem?

 No.

 Alan DeKok.
 --
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog


Re: 1.1.6 with rlm_sqlippool: ip=[] len=0

2007-05-10 Thread Guilherme Franco

Hello Mr. DeKok,

On my earlier posts (months ago, with 1.1.4), it has been told that the
latest CVS would solve the problem. I thought that 1.1.6 would include the
fix from the CVS head.

1.1.6 Changelog:
*Fixed bug in PostgreSQL module that caused server crash.

I thought that this would correct the behaviour as well, because the server
did crash sometimes (I've sent some valgrind outputs to you in previous
posts).

Using the latest CVS will fix the problem?

Thank you very much.


On 5/10/07, Alan DeKok [EMAIL PROTECTED] wrote:


Guilherme Franco wrote:
 This was happening with 1.1.4 and I thought that 1.1.6 would correct
 this.

 Wasn't 1.1.6 supposed to work this out?

Which part of the ChangeLog said that?

Alan DeKok.
--
http://deployingradius.com   - The web site of the book
http://deployingradius.com/blog/ - The blog

Re: 1.1.6 with rlm_sqlippool: ip=[] len=0

2007-05-09 Thread Guilherme Franco


Hello,

Using Freeradius 1.1.6 on latest RHEL AS4 x64 with rlm_sqlippool, using
PostgreSQL 8.2.1.

After some hours operating, freeradius starts to log lots of Info:
rlm_sqlippool: ip=[] len=0. Running the allocate-find query directly
under psql shows no problem.

Issuing service radiusd restart solves the problem. I did a
cron.hourly job with this then.

This was happening with 1.1.4 and I thought that 1.1.6 would correct this.

Wasn't 1.1.6 supposed to work this out?

Thanks.


Re: 1.1.4 stops responding to requests

2007-02-13 Thread Guilherme Franco

Hello,

Same with me, but acct is necessary.

The solution was radsqlrelay.

Regards,

Guilherme

On 2/13/07, Stefan Winter [EMAIL PROTECTED] wrote:


Hi,

 1.1.4 will run for a few hours and then either stop responding to
 requests or die.   There is no seg fault warning in any log file.  If I
 restart radius, it then begins answering again.  Since it is a
 production environment in which 300-500 users are connected at any given
 time, we were unable to simply turn on debugging and look for problems.
 Once we realized the problem we had to quickly revert to 1.0.5 for now
 and make our relatively few Vista users for a little longer.

Interesting... I've been seeing exactly this happening on our own system. In
our case, I could track it down to the fact that it stopped responding
shortly after accounting packets came in. Turning off accounting (already on
NAS level) deterministically solved the problem for me, so I suspect the
problem to be somewhere near there.
I never followed this trace, because accounting is optional at our site (free
wireless) and it was our prod environment, I didn't want to mess around
without a good reason. So accounting is just off at the moment.

 I am going to try running it in debug mode over a weekend in a
 particular subset of the school's wireless network where not many users
 would be affected by a crash and see if I can collect any more
 information.  I will do it on a system that never had any earlier
 version of freeradius installed on it, just to be safe.  In the
 meantime, any advice would be appreciated.

Is it an option to not do accounting? Or maybe queue the acct in files rather
than a proper backend (for me, the issue happened in combination with mysql).
I never tried if the hangs occur also when logging to a file.

Greetings,

Stefan Winter

--
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg



Update: Major impact on authentication!

2007-02-12 Thread Guilherme Franco

Hello,

Even with radsqlrelay working, sqlippool loses dbhandles with postgresql.

Because of this, the cron.hourly job is still necessary...


--

Date: Feb 8, 2007 10:40 AM
Subject: VALGRIND: Major impact on authentication!
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Hello Mr. Alan,

Thank you for your concern!

Just another message I've seen under /var/log/messages:

kernel: radiusd[1672]: segfault at 0110 rip
002a97de2c1e rsp 007fbfffe340 error 4

Gonna implement radrelay now, then! (I was holding back because I've
seen somewhere in this mail list that it breaks simultaneous-use).

Thanks a lot!

Re: Update: Major impact on authentication!

2007-02-12 Thread Guilherme Franco

Sorry, Mr. Nixon,

Freeradius 1.1.4 on latest RHEL AS4 x64 with rlm_sqlippool, using PostgreSQL
8.2.1 and Oracle10gR2 backends (postgresql and oracle are installed on
another machine).

radiusd.conf: max_servers = 32
postgresql.conf: num_sql_socks = 32
oraclesql.conf  : num_sql_socks = 32

Oracle  : radcheck, radacct and radpostauth;
PGSQL: radippool.

Aside from the other problems valgrind has shown (which radsqlrelay
circumvented), after some hours, freeradius starts to log lots of Info:
rlm_sqlippool: ip=[] len=0. Running the allocate-find query directly under
psql shows no problem.

Issuing service radiusd restart solves the problem. I did a
cron.hourly job with this then.

PostgreSQL has only one table radippool with just 28000 entries there.

As you've told that this version of rlm_sqlippool is based upon a PostgreSQL
Bug, I'm considering to update to the latest CVS head and try it with
postgresql 8.2.3 and/or Oracle 10gr2.

Thank you!


---


On 2/12/07, Peter Nixon [EMAIL PROTECTED] wrote:
Guilherme

Can you please recap on your current configuration and version of FR?

Regards

Peter


On Mon 12 Feb 2007 19:10, Guilherme Franco wrote:

Hello,

Even with radsqlrelay working, sqlippool loses dbhandles with postgresql.

Because of this, the cron.hourly job is still necessary...


--

Date: Feb 8, 2007 10:40 AM
Subject: VALGRIND: Major impact on authentication!
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Hello Mr. Alan,

Thank you for your concern!

Just another message I've seen under /var/log/messages:

kernel: radiusd[1672]: segfault at 0110 rip
002a97de2c1e rsp 007fbfffe340 error 4

Gonna implement radrelay now, then! (I was holding back because I've
seen somewhere in this mail list that it breaks simultaneous-use).

Thanks a lot!


--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

Re: VALGRIND: Major impact on authentication!

2007-02-08 Thread Guilherme Franco
Hello,

Thank you for the consulting offer Mr. Peter but, as you told, there
seems to be some bugs in the rlm_sql oracle driver.

As everything was good before and now it's breaking, the most probable
cause is the increase in the number of auth users, which brings lots
of acct (0 users in September 2006 and now with 4000 online users
pumping radacct). The oracle tables are well indexed so the response
time is low. What comes to my mind is that the driver is having
trouble to work with high acct throughput under peak time, starving
all the 32 threads.

I've considered radrelay/sqllog before, but wouldn't that break the
Simultaneous-Use functionality?

Thank you!


VALGRIND: Major impact on authentication!

2007-02-08 Thread Guilherme Franco
Hello Mr. Alan,

Thank you for your concern!

Just another message I've seen under /var/log/messages:

kernel: radiusd[1672]: segfault at 0110 rip
002a97de2c1e rsp 007fbfffe340 error 4

Gonna implement radrelay now, then! (I was holding back because I've
seen somewhere in this mail list that it breaks simultaneous-use).

Thanks a lot!


Re: Again: Major impact on authentication!

2007-02-07 Thread Guilherme Franco

Hello,

Of course, I can test sqlippool with Oracle. I just need to do it after
midnight because the earlier problems with Freeradius were so dramatic
that I've received orders to remove freeradius and install some commercial
software. Also, those tests would need to be synthetic ones, since the
default allocate-find does not get nor fix the static IP's for me and the
current users would lose their static IPs.

With the cron.hourly job to do a service radiusd restart, the environment
flows smooth. Removing the job and letting radiusd working for a few hours
creeps everything. Considering this, how come those problems could be
related to slow DB, if by simply reloading freeradius things start to work
good?

Now, even with the cron.hourly job, radiusd hanged sometimes, needing a kill
-9 to free it.

Some valgrind messages related to the oracle backend in radiusd
initialization:

==11562== Conditional jump or move depends on uninitialised value(s)
==11562==at 0x615F6B2: ztvo5ke (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5EEC3DC: kpu8lgn (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5EEA628: kpuauthxa (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5EEA031: kpuauth (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5E179A0: kpulon (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5F45A3F: OCILogon (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5A6B131: sql_init_socket (sql_oracle.c:158)
==11562==by 0x59667B1: connect_single_socket (sql.c:70)
==11562==by 0x5966907: sql_init_socketpool (sql.c:131)
==11562==by 0x5964EC5: rlm_sql_instantiate (rlm_sql.c:695)
==11562==by 0x40C31A: find_module_instance (in /usr/local/sbin/radiusd)
==11562==by 0x40DA4C: (within /usr/local/sbin/radiusd)
==11562== Syscall param write(buf) points to uninitialised byte(s)
==11562==at 0x397270B012: __write_nocancel (in /lib64/tls/libpthread-
2.3.4.so)
==11562==by 0x61FF1A9: snttwrite (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x61FBEBE: nttwr (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x6132971: nsntwrn (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x6138B41: nspsend (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x611A93C: nsdofls (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x611600E: nsdo (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x611543A: nsdosend (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x6151207: nioqrc (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x62BEB4E: ttcdrv (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x6159AD7: nioqwa (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5F80BA6: upirtrc (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==  Address 0x4F0AFE7 is 47 bytes inside a block of size 2,070
alloc'd
==11562==at 0x490631D: calloc (vg_replace_malloc.c:279)
==11562==by 0x61C52C1: nsbGet (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x61C50F8: nsballoc (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x615566C: niotns (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x61D63AA: nigcall (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x615A399: osncon (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5E168EF: kpuadef (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5F814E7: upiini (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5F5E619: upiah0 (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5E162EF: kpuatch (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5E17873: kpulon (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5F45A3F: OCILogon (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562== Use of uninitialised value of size 8
==11562==at 0x61F5CFA: ztceaencbk (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x61F0193: ztcebn (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x61EE024: ztcen (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x61EDE14: ztceenc (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x615F72E: ztvo5ke (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5EEC3DC: kpu8lgn (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5EEA628: kpuauthxa (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5EEA031: kpuauth (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5E179A0: kpulon (in
/usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==by 0x5F45A3F: OCILogon (in

VALGRIND: Major impact on authentication!

2007-02-07 Thread Guilherme Franco
Hi,

I did run valgrind radiusd -xxx at Wed Feb 7 19:15:08 2007 and at
Wed Feb 7 20:59:04 2007 radiusd DIED.

Afterwards, service radius restart would not work and lots of
Error: Internal error processing module entry, Error:
rlm_sql_oracle: fetch failed in sql_fetch_row: ORA-24338: statement
handle not executed, and Error: rlm_sql (sql): failed after
re-connect appeared.

I've just disabled accounting in the NAS and then service radiusd
start worked.

Last messages (I have the entire log, 70MB, if you want):

Wed Feb 7 20:59:04 2007 : Debug: radius_xlat: 'UPDATE radacct SET
AcctStopTime = TO_DATE('2007-02-07 20:56:41','-mm-dd hh24:mi:ss'),
AcctSessionTime = '0', AcctInputOctets = '0', AcctOutputOctets = '0',
AcctTerminateCause = 'User-Request', AcctStopDelay = '21',
ConnectInfo_stop = '' WHERE AcctSessionId = 'erx GigabitEthernet
11/0.109:2109:0021188786' AND UserName = '[EMAIL PROTECTED]' AND
NASIPAddress = '10.10.1.2' AND AcctStopTime IS NULL'

Wed Feb 7 20:59:04 2007 : Debug: rlm_sql (sql): Reserving sql socket id: 19

- End of Call Stack Trace -

==30772==

==30772== Invalid write of size 1

==30772== at 0x5E82AD0: kpuhhrsp (in

Again: Major impact on authentication!

2007-02-06 Thread Guilherme Franco
Hello,

Thanks to everyone!

I'm using Oracle just for radcheck/radacct and PostgreSQL for radippool only.

No, Mr. Peter, no one is using dial-up admin nor anything alike when
the problem occurs, just pure auth (without acct).

I've disabled the cron.hourly job and the problem appeared again after
some hours. A simple radiusd restart solves the problem. As this
causes impact, I can't afford to do this all the time just to debug,
but I think I'm gonna run a script to capture all the radiusd -xxx
messages, so when the behaviour starts, I can see what's happening.

Also, it's important to note that this server is the proxy radius and
those error messages appear:

Error: Discarding duplicate request from client ERX-1:5 - ID: 115
due to unfinished request 32

Info: The maximum number of threads (32) are active, cannot spawn new
thread to handle request

Error: WARNING: Unresponsive child (id 1315006816) for request 105


With acct:

Error: rlm_sql (sql) in sql_accounting: stop packet with zero session
length. [user '[EMAIL PROTECTED]', nas '10.10.2.1']

Error: Internal error processing module entry


Thank you.



On 2/6/07, Peter Nixon [EMAIL PROTECTED] wrote:
 On Mon 05 Feb 2007 13:05, [EMAIL PROTECTED] wrote:
  Hi,
 
   Freeradius 1.1.4 is randomly losing connection to both databases and
   it's causing total loss in the authentication process:
 
  from a historical perspective you may find that it wasn't the 1.1.4 upgrade
  that has broken things - your database may have finally become too big and
  unwieldy. this has certainly been the case in many such cases.  I would
  check how long your database queries/inserts are taking. perhaps
  vacuum/optimise the tables, move/drop older entries, create better KEYs
  for the purposes you need.

 The _random_ problems don't coincide with a user running a usage report from
 a web interface by any chance do they??

 Regards
 --

 Peter Nixon
 http://www.peternixon.net/
 PGP Key: http://www.peternixon.net/public.asc



Re: Again: Major impact on authentication!

2007-02-06 Thread Guilherme Franco
Thanks Mr. DeKok,

I've already downloaded valgrind, just need to setup everything in a
time where the user won't suffer from the downtime.

Mr. Marshall, the only transaction is in rlm_sqlippool.

Thanks.

On 2/6/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Guilherme Franco wrote:
  Also, it's important to note that this server is the proxy radius and
  those error messages appear:
 
  Error: Discarding duplicate request from client ERX-1:5 - ID: 115
  due to unfinished request 32
 
  Info: The maximum number of threads (32) are active, cannot spawn new
  thread to handle request
 
  Error: WARNING: Unresponsive child (id 1315006816) for request 105

  All of those messages are caused by the same problem: something is
 preventing the server from working.  Find out what it is, and fix the
 problem.

  Error: Internal error processing module entry

  It might have helped if you posted that message earlier.  Internal
 errors ALWAYS indicate something bad happening.

  In this case, you're running 1.1.x, and somehow the data structures in
 the server have gotten corrupted.  That's a VERY likely reason why the
 server is broken.

  As to how to see what's going wrong, run the server under valgrind.

  Alan DeKok.
 --
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Again: Major impact on authentication!

2007-02-06 Thread Guilherme Franco
Hello Mr. Nixon!

No, the radius server and the DB server are connected in the same
switch, using gigabit UTP, resulting in 0.090ms RTT.

The proxy server is also directly connected to this switch.

I've been using CVS builds mainly because the rlm_sqlippool was under
development with constant updates done by you. The last one I've used
was freeradius-server-snapshot-20070120.tar.bz2 but the same behaviour
appeared, then I've switched to 1.1.4.

Humm Oracle support would be great! But I remember that in the
previous builds, I had to remove the BEGIN from allocate-begin in
rlm_sqlippool.c and recompile it because Oracle understands BEGIN as a
function/procedure/transaction start and the next steps taken by
rlm_sqlippool didn't fit in the correct structure (missing END; and
other statements). That way, no errors raised but sqlippool wouldn't
recognize the IP queried by the SELECT then.

Mr. Peter, also importantly, as we have both static and dynamic
ippools, two instances of sqlippool were running, namely sqlippool
DYNAMIC and sqlippool STATIC, called in this order by radiusd.

The allocate-find was not working correctly, not giving the same
static IPs to the user every time, so I've decided to remove one
sqlippool instance and I've created the following function:


CREATE OR REPLACE FUNCTION FOOBAR(user text, pool text, nas text)
RETURNS inet AS $$
declare
    ip_temp inet := null;
BEGIN
    -- Dynamic pool: take an expired lease, preferring the one this
    -- user / calling station held last.
    if pool = 'DYNAMIC' then
        select framedipaddress into ip_temp from radippool
         where expiry_time < 'now'::timestamp(0) and pool_name = pool
         ORDER BY (username <> user), (callingstationid <> nas), expiry_time
         LIMIT 1 FOR UPDATE;
        return ip_temp;
    end if;

    if pool <> 'DYNAMIC' then
        -- Static pool: return the address already bound to this user.
        select framedipaddress into ip_temp from radippool
         where username = user and pool_name = pool;

        if ip_temp is not null then
            return ip_temp;
        end if;

        -- No binding yet: lock a free, unowned address and bind it.
        if ip_temp is null then
            select framedipaddress into ip_temp from radippool
             where expiry_time < 'now'::timestamp(0) and username = ''
               and pool_name = pool
             LIMIT 1 FOR UPDATE;
            UPDATE radippool SET username = user where framedipaddress = ip_temp;
            return ip_temp;
        end if;

    END IF;

END;
$$ LANGUAGE plpgsql;

That way, allocate-find became just allocate-find = select
FOOBAR('%{User-Name}','%{check:Pool-Name}','%{Calling-Station-Id}')

No fail-over would occur anymore, the function works in less than
50ms, the static ip of the user is permanently written in the DB so I
think it became better this way, at least for me.

This setup was running fine since October 2006, until now that things
started to freak out.

Thank you!


On 2/6/07, Peter Nixon [EMAIL PROTECTED] wrote:
 On Tue 06 Feb 2007 15:27, Alan DeKok wrote:
  Guilherme Franco wrote:
   Also, it's important to note that this server is the proxy radius and
   those error messages appear:
  
   Error: Discarding duplicate request from client ERX-1:5 - ID: 115
   due to unfinished request 32
  
   Info: The maximum number of threads (32) are active, cannot spawn new
   thread to handle request
  
   Error: WARNING: Unresponsive child (id 1315006816) for request 105

 Do you by any chance have a stateful firewall between your radius server
 and database?

All of those messages are caused by the same problem: something is
  preventing the server from working.  Find out what it is, and fix the
  problem.
 
   Error: Internal error processing module entry
 
It might have helped if you posted that message earlier.  Internal
  errors ALWAYS indicate something bad happening.
 
In this case, you're running 1.1.x, and somehow the data structures in
  the server have gotten corrupted.  That's a VERY likely reason why the
  server is broken.
 
As to how to see what's going wrong, run the server under valgrind.

 There _may_ be a problem with rlm_sqlippool in 1.1.4 (it is marked as an
 unstable module in 1.1.4)
 If at all possible please consider updating to CVS head as there has been
 a lot of work on sqlippool and the postgresql driver. In-fact the latest
 version of sqlippool _should_ work on Oracle (which I remember you wanted to
 do previously) although I have not tested this functionality. (rlm_sqlippool
 in 1.1.4 relies on a bug in rlm_sql_postgresql to work, hence the reason it
 doesn't work properly with other DBs)

 Alternatively you could backport the cvs head version of sqlippool to 1.1.4
 which is something I have been considering for the 1.1.5 release but have
 yet to find the time to do (but would happily accept donations to do so :-)


 --

 Peter Nixon
 http://www.peternixon.net/
 PGP Key: http://www.peternixon.net/public.asc



Re: Again: Major impact on authentication!

2007-02-06 Thread Guilherme Franco
Mr. Peter,

On 2/6/07, Peter Nixon [EMAIL PROTECTED] wrote:
 OK. Well we have added a few more things this week. The last commit was just
 over an hour ago for:
 http://bugs.freeradius.org/show_bug.cgi?id=414


Yes, I've been watching the progress in Automatic report from sources
(radiusd) in the devel list, thanks.


 Can you please confirm whether or not Oracle supports the SQL99 syntax? If so
 I will change all the BEGINs to START TRANSACTION. If it does not I will
 do the opposite.


Oracle automatically treats every changing aspect of the tables as a
transaction so there's no START TRANSACTION command in it. Every
BEGIN needs to have an END; and a dot . after END;. Basically you
need the Transaction so you can do the FOR UPDATE command to lock that
framedipaddress temporarily. In Oracle you need no BEGIN, just do the
select ... for update and then the COMMIT; in the end.


 The patches I committed today and yesterday improved the exit codes which
 should make failover more flexible.


I don't know if the new CVS will suit for me because with the
PostgreSQL function that I've made there's no need to use 2 sqlippool
instances. Again, I don't have anything against the module fail-over,
I'm just using the function mainly because the native allocate-find
didn't fix the user's IP correctly for me (also one module is a bit
quicker).

A quick valgrind run detected some errors in rlm_sql for the oracle
connection. Gonna do a massive debugging after midnight to see if
there's something weird going on.

Thank you and everyone for the prompt answers!


Major impact on authentication!

2007-02-05 Thread Guilherme Franco

Hi,

Freeradius 1.1.4 is randomly losing connection to both databases and it's
causing total loss in the authentication process:

Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to
connect 0
Info: rlm_sql (sql_postgresql): There are no DB handles to use! skipped 0,
tried to connect 0
Info: The maximum number of threads (32) are active, cannot spawn new thread
to handle request

Running either in multi or single threaded mode, those messages appeared
47.099,00 times since Jan 27! Freeradius is configured with 32 max_servers
and 32 connections to each DB. There's no starving since no accounting is
being used and the server has to handle just 3 auths per second.

Every time this happens, no one can authenticate and doing a restart in
Freeradius solves the problem. To circumvent the problem, I've added a
cron.hourly job so each hour a service radiusd restart is issued.

As this is random, it's hard to debug, but at the same time freeradius loses
the connection, several other applications can successfully connect/
maintain previous established connections to the databases. I've enabled all
sorts of debug in the databases trying to better understand why freeradius
is doing this, but there was no luck.

I've installed the latest CVS and the same problem appeared, please help!

Re: Major impact on authentication!

2007-02-05 Thread Guilherme Franco

Hello,

Thank you all for your prompt answers!

The database takes between 15ms and 40ms to answer to freeradius and has
only 40.000 entries there, so it isn't big.

PostgreSQL is updated to its latest version and vacuum runs every night.

The queries are from sqlippool.conf, so...

Thanks!

Hibernating: Major impact on authentication!

2007-02-05 Thread Guilherme Franco

Hello,

Considering that all things indicate that there might be a problem with the
DB, I did some tweaks in PostgreSQL and took off the cron.hourly job.

Gonna watch out for problems then, thanks!


Re: Major impact on authentication!

2007-02-05 Thread Guilherme Franco

I'm testing PostgreSQL performance with various tools.

Thanks!


On 2/5/07, Dennis Skinner [EMAIL PROTECTED] wrote:


Alan DeKok wrote:
 As this is random, it's hard to debug, but at the same time freeradius
 loses the connection, several other applications can successfully
 connect/ maintain previous established connections to the databases.

   FreeRADIUS is NOT losing its connection to the DB.  If you think
 that's happening, you will try to fix a problem that doesn't exist, and
 will NOT solve the real problem.

 I've enabled all sorts of debug in the databases trying to better
 understand why freeradius is doing this, but there was no luck.

   Find out why the database isn't responding to FreeRADIUS.

I had similar issues at one time with MySQL and FreeRADIUS.  There is an
app out there for MySQL called Mytop which is basically like the unix
top command, but looks at MySQL processes.  This makes it very easy to
watch and see what processes are taking too long and holding up the rest.

I'm not sure if there is a similar app out there for postgresql, but
it'd be worth a look.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com

Log notfound users

2007-01-27 Thread Guilherme Franco

Hello,

In authorize section I have the following:

sql {
   notfound = reject
}

In post-auth:

Post-Auth-Type REJECT {
   sql
   attr_filter.access_reject
   }

Both work correctly but I would like to log notfound users into
radpostauth table as well, just like in post-auth.

How may I do this, please?

Thank you.


SEVERE! radiusd 2.0 and 1.1.4 dying! Segmentation fault

2007-01-27 Thread Guilherme Franco

Hi,

Freeradius 2.0 alpha was working correctly since November 1st.

Then, this month, suddenly the server started to die, complaining of
Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried
to connect 0.

The server runs threaded with max_servers = 32 and num_sql_socks = 32
(there are 5 reqs per seconds, no more than that).

Ok so I've tried to run it single threaded (-X), but then, it's slow
and it misses some access requests, due to processing the accounting.

I've uninstalled it and installed 1.1.4, but the same occurs!

Restarting radiusd when it fails gives another 15 minutes before it dies again.

Also, disabling accounting helps prolong the server lifetime.

Any clue on that? Thanks.

Sat Jan 27 19:13:16 2007 : Debug:   modsingle[accounting]: returned
from detail (rlm_detail) for request 108
Sat Jan 27 19:13:16 2007 : Debug:   modcall[accounting]: module
detail returns ok for request 108
Sat Jan 27 19:13:16 2007 : Debug:   modsingle[accounting]: calling
ippool (rlm_sqlippool) for request 108
Sat Jan 27 19:13:16 2007 : Debug: rlm_sql (sql_postgresql): Reserving
sql socket id: 11
Sat Jan 27 19:13:16 2007 : Debug: radius_xlat:  'BEGIN'
** Internal heap ERROR 17177 addr=(nil) *


**
HEAP DUMP heap name=Alloc statemen  desc=0x77e2b8
extent sz=0x1040 alt=32767 het=32767 rec=0 flg=2 opc=3
parent=0x77adb0 owner=(nil) nex=(nil) xsz=0x1040
EXTENT 0 addr=0x788818
 Chunk000788828 sz= 3752free 
 Chunk0007896d0 sz=  312freeable assoc with mark
prv=(nil) nxt=(nil)
 Chunk000789808 sz=   80freeable assoc with mark
prv=(nil) nxt=(nil)
EXTENT 1 addr=0x77d3e8
 Chunk00077d3f8 sz= 2448perm  perm alo=32
Total heap size= 6592
FREE LISTS:
Bucket 0 size=160
Bucket 1 size=288
Bucket 2 size=544
Bucket 3 size=1056
Bucket 4 size=2080
 Chunk000788828 sz= 3752free 
Bucket 5 size=4128
Bucket 6 size=16416
Bucket 7 size=32800
Total free space   = 3752
UNPINNED RECREATABLE CHUNKS (lru first):
PERMANENT CHUNKS:
 Chunk00077d3f8 sz= 2448perm  perm alo=32
Permanent space= 2448
**
Hla: 255

ORA-21500: internal error code, arguments: [17177], [0x0], [],
[], [], [], [], []
Errors in file :
ORA-21500: internal error code, arguments: [17177], [0x0], [],
[], [], [], [], []


- Call Stack Trace -
calling  call entryargument values in hex
location type point(? means dubious value)
   
Cannot seek to string table section header in /proc/11022/exe.
Cannot seek to string table section header in /proc/11022/exe.
9688CDEF CALL 9660C588 0 ? 0 ? 774EC8 ? 0 ? 1 ? 0 ?
96DA64D8 CALLr 0 ? 0 ? 655680 ? 0 ?
  4FA13060 ? 0 ?
96DA6CD4 CALL 965ED0E8 Sat Jan 27 19:13:16
2007 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op
FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
0 ? 0 ? FF ? 0 ? 0 ? 0 ?
96DA6898 CALL 96605AC8 4FA13090 ? 0 ? 655680 ? 0 ?
  FF ? 0 ?
96D75B7F CALL 965FF0C8 0 ? 0 ? 0 ? 0 ? 788ED0 ? 0 ?
96D9135D CALL 96D757AA 0 ? 0 ? 0 ? 0 ? 0 ? 0 ?
966CA4FA CALL 96607898 0 ? 0 ? 0 ? 0 ? 0 ? 0 ?
966DF8CE CALL 966070F8 77DDA8 ? 0 ? 781BF0 ? 0 ?
  4FA15E50 ? 0 ?
966DF582 CALL 965F7D68 0 ? 0 ? B0D0A8C0 ? 3E ?
  B0D0AE20 ? 3E ?
966DBF1E CALL 965FEC88 0 ? 0 ? 0 ? 0 ? 0 ? 0 ?
9678A292 CALL 9660F088 0 ? 0 ? 4FA161D0 ? 0 ?
  772E10 ?Sat Jan 27
19:13:16 2007 : Debug: radius_xlat:  'SELECT
id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id'
0 ?
962BB4F6 CALL 962BAD60 4FA160C0 ? 0 ? 6536A4 ? 0 ?
  4FA162E2 ? 0 ?
0077C450 CALLs


Re: SEVERE! radiusd 2.0 and 1.1.4 dying! Segmentation fault

2007-01-27 Thread Guilherme Franco

Thanks Mr. Mayers,

The database is Oracle on a powerful machine which only does acct/ auth.
All the relevant auth/ accounting queries are indexed to speed things
up.

There's a PostgreSQL database to take care of the sqlippool module.

The strange thing is that even when the accounting is off (with low
load then) the error appears randomly.

Also, if the proxy realm dies the problem occurs too.

That segfault was captured by running radiusd -xxx, which pinpoints
to an Oracle OCI error in this case (with acct on).

I can't give you a gdb because the server is running fine now, but who
knows when it may happen...

That setup was running fine for almost 3 months. All indicates a
resource starving problem, but the load is low :(

Thank you very much.


Log notfound users

2007-01-24 Thread Guilherme Franco

Hello,

In authorize section I have the following:

sql {
   notfound = reject
}

In post-auth:

Post-Auth-Type REJECT {
   sql
   attr_filter.access_reject
   }

Both work correctly but I would like to log notfound users into radpostauth
table as well, just like in post-auth.

How may I do this, please?

Thank you.

Re: RADIUS will no longer start!

2007-01-24 Thread Guilherme Franco

Michelle,

Seems like someone took off your NASes either from your naslist or
clients.conf files, in your raddb dir.

In those files you need at least an entry like this (for clients.conf):

client 10.10.10.1 {
   secret  = secret123
}

Where 10.10.10.1 would be your NAS address and secret123 your secret.

By your debug, it seems that you're using the naslist file. As naslist
is deprecated, please use the clients.conf instead.

Hope this helps.

Guilherme


On 1/24/07, Michelle Gates [EMAIL PROTECTED] wrote:



All,

Our RADIUS server has been up and running fine for 127 days now. Suddenly
today it no longer runs. I tried to put it into debug mode and got the
following output:



[EMAIL PROTECTED] ~]# /opt/freeradius/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /opt/freeradius/etc/raddb/proxy.conf
Config:   including file: /opt/freeradius/etc/raddb/trs_proxy.conf
Config:   including file: /opt/freeradius/etc/raddb/clients.conf
Config:   including file: /opt/freeradius/etc/raddb/trs_clients.conf
Config:   including file: /opt/freeradius/etc/raddb/snmp.conf
Config:   including file: /opt/freeradius/etc/raddb/sqlcounter.conf
Config:   including file: /opt/freeradius/etc/raddb/eap.conf
Config:   including file: /opt/freeradius/etc/raddb/sql.conf
main: prefix = /opt/freeradius
main: localstatedir = /opt/freeradius/var
main: logdir = /opt/freeradius/var/log/radius
main: libdir = /opt/freeradius/lib
main: radacctdir = /opt/freeradius/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /opt/freeradius/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = /opt/freeradius/var/run/radiusd/radiusd.pid
main: user = trustive
main: group = trustive
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /opt/freeradius/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
/opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name

-

Can anyone shed any light on this? Unfortunately for me, one of our
developers was working on our production server but *claims* not to have
changed anything of any consequence...

I'm really unsure of where this is coming from! Has anyone seen this error
before or could anyone at least point me in the right direction?

Best regards,

-michelle.



Re: !!! Assertion failed in listen.c, line 621 !!!

2006-12-13 Thread Guilherme Franco

So, that was it!

It works now, thanks.

Back to the threads again :)

On 12/12/06, Guilherme Franco [EMAIL PROTECTED] wrote:


Thanks a lot!

I'm gonna test it right now!


On 12/12/06, Alan DeKok [EMAIL PROTECTED] wrote:

 Peter Nixon wrote:

  Running CVS HEAD in single threaded mode works around the problem for
 the time
  being...

 Ugh. After staring at the code a little more, the bug is in threads.c,
 where it was passing 'request-proxysecret' rather than 'request' to the
 'listener-send' function.

 It should be fixed now.

 Alan DeKok.
 --
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog

Re: !!! Assertion failed in listen.c, line 621 !!!

2006-12-12 Thread Guilherme Franco

Yes, I'm using it single-threaded, since September.

I don't want to go back to 1.1.3 since it gave me problems.

Thanks.

On 12/12/06, Peter Nixon [EMAIL PROTECTED] wrote:


On Tue 12 Dec 2006 03:08, Guilherme Franco wrote:
 No way man!

 :)

 I've done a CVS clean install now (EVERYTHING old deleted before
 install and rebooted machine) but the same error occurs!

 It's just like the log from the previous post (below).

 radiusd dies after Sending Access-Request to the proxy, every single
 time.

 I'm not using any old conf, configured it from scratch.

 Please help!

Running CVS HEAD in single threaded mode works around the problem for the
time
being...

This is on the TODO list to fix before the 2.0 release :-)

http://wiki.freeradius.org/Development_Roadmap#Version_2.0

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: !!! Assertion failed in listen.c, line 621 !!!

2006-12-12 Thread Guilherme Franco

Thanks a lot!

I'm gonna test it right now!


On 12/12/06, Alan DeKok [EMAIL PROTECTED] wrote:


Peter Nixon wrote:

 Running CVS HEAD in single threaded mode works around the problem for
the time
 being...

Ugh. After staring at the code a little more, the bug is in threads.c,
where it was passing 'request-proxysecret' rather than 'request' to the
'listener-send' function.

It should be fixed now.

Alan DeKok.
--
http://deployingradius.com   - The web site of the book
http://deployingradius.com/blog/ - The blog

Assertion failed in listen.c, line 621

2006-12-11 Thread Guilherme Franco

Hello,

I did a set follow-fork-mode child in gdb now but then, there's no
assertion failed!

The radiusd child process keeps running now but no one can authenticate:

[EMAIL PROTECTED] tmp]# cat /usr/local/var/log/radius/radius.log
Sat Dec  9 15:47:02 2006 : Info: FreeRADIUS Version 2.0.0-pre0, for
host x86_64-unknown-linux-gnu, built on Dec  3 2006 at 21:00:48
Sat Dec  9 15:47:02 2006 : Info: Starting - reading configuration files ...
Sat Dec  9 15:47:03 2006 : Info: rlm_sql (sql): Driver rlm_sql_oracle
(module rlm_sql_oracle) loaded and linked
Sat Dec  9 15:47:03 2006 : Info: rlm_sql (sql): Attempting to connect
to [EMAIL PROTECTED]:/(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.10.10.1
)(PORT=1521))(CONNECT_DATA=(SID=DB_R)))
Sat Dec  9 15:47:03 2006 : Info: rlm_sql (sql_postgresql): Driver
rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Sat Dec  9 15:47:03 2006 : Info: rlm_sql (sql_postgresql): Attempting
to connect to [EMAIL PROTECTED]:/DB_R
Sat Dec  9 15:47:04 2006 : Info: Ready to process requests.
Sat Dec  9 15:47:52 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec  9 15:47:58 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec  9 15:48:04 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec  9 15:48:16 2006 : Error: TIMEOUT for request 0 in module
server core, component server core
Sat Dec  9 15:48:23 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec  9 15:48:29 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec  9 15:48:35 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec  9 15:48:40 2006 : Error: TIMEOUT for request 1 in module
server core, component server core
Sat Dec  9 15:48:46 2006 : Error: TIMEOUT for request 2 in module
server core, component server core
Sat Dec  9 15:48:47 2006 : Error: TIMEOUT for request 3 in module
server core, component server core
Sat Dec  9 15:49:19 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 59 due to unfinished request 22

So:

Running radiusd alone, without gdb, generates Assertion failed in
listen.c, line 621;

Running radiusd inside gdb generates no error, but does not work
(as shown in the logs);

Running radiusd -X alone or inside gdb works without any problems.

What might it be?

ps. Regarding the previous post, the Assertion failed occurs only
when the first packet is received.

Thank you!



On 12/6/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco wrote:
 I'm not HUPing the server in any way, never.

 Ok..

 GDB output:

 Starting program: /usr/local/sbin/radiusd
 [Thread debugging using libthread_db enabled]
 [New Thread 182896328384 (LWP 31483)]
 Detaching after fork from child process 31486.

 Program exited normally.

 sigh  You've just printed out the GDB information from the server
process that starts the daemon... which exits normally.

 Please send the gdb information from the core file.  i.e. the program
that is failing.

 Wed Dec  6 20:33:09 2006 : Info: Ready to process requests.
 Wed Dec  6 20:33:09 2006 : Error: Assertion failed in listen.c, line 621

 Immediately?  Without ever receiving packets?  That's very weird...

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog
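
The radius.log excerpt in the message above pairs "Discarding duplicate request" lines with "TIMEOUT" lines for the same request number. The following added example (not part of the original posts and not FreeRADIUS code) rejoins the mail-wrapped log lines and correlates the two events per request; the function and field names are assumptions made for this illustration.

```python
import re

# Excerpt of radius.log copied from the post above, keeping the mail client's
# line wrapping (continuation lines carry no timestamp).
SAMPLE_LOG = """\
Sat Dec  9 15:47:04 2006 : Info: Ready to process requests.
Sat Dec  9 15:47:52 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec  9 15:47:58 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec  9 15:48:04 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec  9 15:48:16 2006 : Error: TIMEOUT for request 0 in module
server core, component server core
Sat Dec  9 15:48:23 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec  9 15:48:29 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec  9 15:48:35 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec  9 15:48:40 2006 : Error: TIMEOUT for request 1 in module
server core, component server core
Sat Dec  9 15:48:46 2006 : Error: TIMEOUT for request 2 in module
server core, component server core
Sat Dec  9 15:48:47 2006 : Error: TIMEOUT for request 3 in module
server core, component server core
Sat Dec  9 15:49:19 2006 : Error: Discarding duplicate request from
client NAS-1 port 5 - ID: 59 due to unfinished request 22
"""

# Names below are illustrative, not FreeRADIUS identifiers.
RECORD_START = re.compile(
    r"^\w{3} \w{3} [ \d]\d (\d\d:\d\d:\d\d) \d{4} : (\w+): (.*)$")
DUPLICATE = re.compile(
    r"Discarding duplicate request from client (\S+) port (\d+) - ID: (\d+) "
    r"due to unfinished request (\d+)")
TIMEOUT = re.compile(r"TIMEOUT for request (\d+) in module (.+), component (.+)$")


def unwrap(text):
    """Rejoin wrapped lines: a record starts at a timestamp, the rest continue it."""
    records = []
    for line in text.splitlines():
        match = RECORD_START.match(line)
        if match:
            records.append(list(match.groups()))
        elif records and line.strip():
            records[-1][2] += " " + line.strip()
    return [tuple(record) for record in records]


def _new_entry():
    return {"client": None, "packet_id": None, "discarded_retransmits": 0,
            "timed_out_at": None, "module": None}


def summarize(text):
    """Map each server request number to its retransmit and timeout history."""
    requests = {}
    for time, _level, message in unwrap(text):
        dup = DUPLICATE.search(message)
        if dup:
            client, _port, packet_id, number = dup.groups()
            entry = requests.setdefault(int(number), _new_entry())
            entry["client"] = client
            entry["packet_id"] = int(packet_id)
            entry["discarded_retransmits"] += 1
            continue
        timeout = TIMEOUT.search(message)
        if timeout:
            entry = requests.setdefault(int(timeout.group(1)), _new_entry())
            entry["timed_out_at"] = time
            entry["module"] = timeout.group(2)
    return requests


def stuck_requests(requests):
    """Requests whose NAS retransmits were dropped and which then timed out."""
    return sorted(number for number, entry in requests.items()
                  if entry["discarded_retransmits"] and entry["timed_out_at"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for number in sorted(summary):
        print(number, summary[number])
    print("stuck:", stuck_requests(summary))
```
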

Re: Assertion failed in listen.c, line 621

2006-12-11 Thread Guilherme Franco

Mr. Alan.

Sorry for bothering you.

If I run radiusd and setup the NAS to not send any requests to this radius
server, radiusd stays up all day in Info: Ready to process requests..

In the moment that I setup the NAS to send request to the radius server and
the first request goes to it, radiusd dies.

Maybe sometimes radiusd is not even taking a chance to log that someone
tried to auth and just dies.

But of all the logs that I have, just ONE shows the following:

Wed Dec  7 09:15:04 2006 : Info: Ready to process requests.
Wed Dec  7 09:15:04 2006 : Auth: Invalid user: [EMAIL PROTECTED] (from client
NAS-4 port 2952792216)
Wed Dec  7 09:15:04 2006 : Error: Assertion failed in listen.c, line 621

All the others are just like:

Wed Dec  6 11:02:46 2006 : Info: Ready to process requests.
Wed Dec  6 11:02:46 2006 : Error: Assertion failed in listen.c, line 621

Besides that, I've installed the latest CVS above the old one, not a clean
install.

That might be the problem, what do you think?

Thank you.



On 12/11/06, Alan DeKok [EMAIL PROTECTED] wrote:


Guilherme Franco wrote:
 Hello,

 I did a set follow-fork-mode child in gdb now but then, there's no
 assertion failed!

And the server doesn't process any requests, either.

 ps. Regarding the previous post, the Assertion failed occurs only
 when the first packet is received.

   That's not what the debug log showed.  The log you posted showed
NOTHING being received, and the server dying.  I find that very hard to
believe.

Please post a debug log showing that the server dies AFTER receiving a
packet, and AFTER deciding that the packet has to be proxied.

You posted:

  Wed Dec  6 20:33:09 2006 : Info: Ready to process requests.
  Wed Dec  6 20:33:09 2006 : Error: Assertion failed in listen.c, line
621

i.e. NOT packet received, AND it dies.  That's pretty much impossible.

It looks to me like you're still running the old version of the
server, without the fix for that problem.

Alan DeKok.
--
http://deployingradius.com   - The web site of the book
http://deployingradius.com/blog/ - The blog

Re: Assertion failed in listen.c, line 621

2006-12-11 Thread Guilherme Franco

Ok,

The log is below, thank you.

Gonna delete and clean install it, I just thought that ./configure,
make, make install would overwrite everything except the confs.

radiusd -xxx
Mon Dec 11 19:47:58 2006 : Info: Ready to process requests.
Mon Dec 11 19:47:58 2006 : Debug: Nothing to do.  Sleeping until we
see a request.
Mon Dec 11 19:47:58 2006 : Debug: Thread 1 waiting to be assigned a request
Mon Dec 11 19:47:58 2006 : Debug: Thread 2 waiting to be assigned a request
Mon Dec 11 19:47:58 2006 : Debug: Thread 5 waiting to be assigned a request
Mon Dec 11 19:47:58 2006 : Debug: Thread 3 waiting to be assigned a request
Mon Dec 11 19:47:58 2006 : Debug: Thread 4 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.10.2.11 port 5,
id=206, length=234
Mon Dec 11 19:48:17 2006 : Debug: --- Walking the entire request list ---
Mon Dec 11 19:48:17 2006 : Debug: Thread 1 got semaphore
Mon Dec 11 19:48:17 2006 : Debug: Threads: total/active/spare threads = 5/0/5
Mon Dec 11 19:48:17 2006 : Debug: Thread 1 handling request 0, (1
handled so far)
Mon Dec 11 19:48:17 2006 : Debug: Waking up in 1 seconds...
   User-Password = bogus123
   User-Name = [EMAIL PROTECTED]
   Acct-Session-Id = nas GigabitEthernet 11/0.165:2165:0028716608
   Service-Type = Framed-User
   Framed-Protocol = PPP
   ERX-Pppoe-Description = pppoe 00:0b:23:fd:1d:8c
   Calling-Station-Id = NAS-01#2165
   NAS-Port-Type = Ethernet
   NAS-Port = 2952792181
   NAS-Port-Id = GigabitEthernet 11/0.165:2165
   NAS-IP-Address = 10.10.2.11
   NAS-Identifier = NAS-01
Mon Dec 11 19:48:17 2006 : Debug:   Processing the authorize section
of radiusd.conf
Mon Dec 11 19:48:17 2006 : Debug: modcall:  entering group authorize
for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from preprocess (rlm_preprocess) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module
preprocess returns ok for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling
auth_log (rlm_detail) for request 0
Mon Dec 11 19:48:17 2006 : Debug: radius_xlat:
'/usr/local/var/log/radius/radacct/10.10.2.11/auth-detail-20061211'
Mon Dec 11 19:48:17 2006 : Debug: rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/10.10.2.11/auth-detail-20061211
Mon Dec 11 19:48:17 2006 : Debug: radius_xlat:  'Mon Dec 11 19:48:17 2006'
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from auth_log (rlm_detail) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module
auth_log returns ok for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from chap (rlm_chap) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module chap
returns noop for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling
mschap (rlm_mschap) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from mschap (rlm_mschap) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module
mschap returns noop for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling unix
(rlm_unix) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from unix (rlm_unix) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module unix
returns notfound for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling
suffix (rlm_realm) for request 0
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Looking up realm
foo.com for User-Name = [EMAIL PROTECTED]
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Found realm foo.com
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Adding
Stripped-User-Name = bogus
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Proxying request from
user bogus to realm foo.com
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Adding Realm = foo.com
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Preparing to proxy
authentication request to realm foo.com
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from suffix (rlm_realm) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module
suffix returns updated for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling
files (rlm_files) for request 0
Mon Dec 11 19:48:17 2006 : Debug: users: Matched entry DEFAULT at line 173
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from files (rlm_files) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module files
returns ok for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling sql
(rlm_sql) for 

!!! Assertion failed in listen.c, line 621 !!!

2006-12-11 Thread Guilherme Franco

No way man!

:)

I've done a CVS clean install now (EVERYTHING old deleted before
install and rebooted machine) but the same error occurs!

It's just like the log from the previous post (below).

radiusd dies after Sending Access-Request to the proxy, every single time.

I'm not using any old conf, configured it from scratch.

Please help!

Thanks.


On 12/11/06, Guilherme Franco [EMAIL PROTECTED] wrote:

Ok,

The log is below, thank you.

Gonna delete and clean install it, I just thought that ./configure,
make, make install would overwrite everything except the confs.

radiusd -xxx
Mon Dec 11 19:47:58 2006 : Info: Ready to process requests.
Mon Dec 11 19:47:58 2006 : Debug: Nothing to do.  Sleeping until we
see a request.
Mon Dec 11 19:47:58 2006 : Debug: Thread 1 waiting to be assigned a request
Mon Dec 11 19:47:58 2006 : Debug: Thread 2 waiting to be assigned a request
Mon Dec 11 19:47:58 2006 : Debug: Thread 5 waiting to be assigned a request
Mon Dec 11 19:47:58 2006 : Debug: Thread 3 waiting to be assigned a request
Mon Dec 11 19:47:58 2006 : Debug: Thread 4 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.10.2.11 port 5,
id=206, length=234
Mon Dec 11 19:48:17 2006 : Debug: --- Walking the entire request list ---
Mon Dec 11 19:48:17 2006 : Debug: Thread 1 got semaphore
Mon Dec 11 19:48:17 2006 : Debug: Threads: total/active/spare threads = 5/0/5
Mon Dec 11 19:48:17 2006 : Debug: Thread 1 handling request 0, (1
handled so far)
Mon Dec 11 19:48:17 2006 : Debug: Waking up in 1 seconds...
   User-Password = bogus123
   User-Name = [EMAIL PROTECTED]
   Acct-Session-Id = nas GigabitEthernet 11/0.165:2165:0028716608
   Service-Type = Framed-User
   Framed-Protocol = PPP
   ERX-Pppoe-Description = pppoe 00:0b:23:fd:1d:8c
   Calling-Station-Id = NAS-01#2165
   NAS-Port-Type = Ethernet
   NAS-Port = 2952792181
   NAS-Port-Id = GigabitEthernet 11/0.165:2165
   NAS-IP-Address = 10.10.2.11
   NAS-Identifier = NAS-01
Mon Dec 11 19:48:17 2006 : Debug:   Processing the authorize section
of radiusd.conf
Mon Dec 11 19:48:17 2006 : Debug: modcall:  entering group authorize
for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from preprocess (rlm_preprocess) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module
preprocess returns ok for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling
auth_log (rlm_detail) for request 0
Mon Dec 11 19:48:17 2006 : Debug: radius_xlat:
'/usr/local/var/log/radius/radacct/10.10.2.11/auth-detail-20061211'
Mon Dec 11 19:48:17 2006 : Debug: rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/10.10.2.11/auth-detail-20061211
Mon Dec 11 19:48:17 2006 : Debug: radius_xlat:  'Mon Dec 11 19:48:17 2006'
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from auth_log (rlm_detail) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module
auth_log returns ok for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from chap (rlm_chap) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module chap
returns noop for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling
mschap (rlm_mschap) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from mschap (rlm_mschap) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module
mschap returns noop for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling unix
(rlm_unix) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from unix (rlm_unix) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module unix
returns notfound for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: calling
suffix (rlm_realm) for request 0
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Looking up realm
foo.com for User-Name = [EMAIL PROTECTED]
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Found realm foo.com
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Adding
Stripped-User-Name = bogus
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Proxying request from
user bogus to realm foo.com
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Adding Realm = foo.com
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Preparing to proxy
authentication request to realm foo.com
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize]: returned
from suffix (rlm_realm) for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modcall[authorize]: module
suffix returns updated for request 0
Mon Dec 11 19:48:17 2006 : Debug:   modsingle[authorize

Re: !!! Assertion failed in listen.c, line 621 !!!

2006-12-11 Thread Guilherme Franco

I have to thank you very much for all your effort!

This is a very weird problem, but I remember that Peter Nixon kinda
had the same problem. I saw that in the devel forum:
http://lists.freeradius.org/mailman/htdig/freeradius-devel/2006-September/010273.html

Also, from Tuyan:
http://lists.freeradius.org/mailman/htdig/freeradius-devel/2006-September/010357.html

And a similar one from Chaigneau, but with 1.1.3, without crashes:
http://lists.freeradius.org/mailman/htdig/freeradius-devel/2006-November/010478.html

If there is anything that I can do to help, please let me know.

Thanks again!


On 12/11/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco wrote:

 I've done a CVS clean install now (EVERYTHING old deleted before
 install and rebooted machine) but the same error occurs!

 OK... it's just that I have a difficult time reproducing the problem,
so it's kind of hard to figure out what's going wrong.

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog




Re: Assertion failed in listen.c, line 621

2006-12-06 Thread Guilherme Franco

Hi,

I'm not HUPing the server in any way, never.

GDB output:

Starting program: /usr/local/sbin/radiusd
[Thread debugging using libthread_db enabled]
[New Thread 182896328384 (LWP 31483)]
Detaching after fork from child process 31486.

Program exited normally.
(gdb) info threads
No registers.
(gdb) thread apply all bt full
(gdb) Quit

--

[EMAIL PROTECTED] ~]# /usr/local/var/log/radius/radius.log:

Wed Dec  6 20:33:08 2006 : Info: FreeRADIUS Version 2.0.0-pre0, for
host x86_64-unknown-linux-gnu, built on Dec  3 2006 at 21:00:48
Wed Dec  6 20:33:08 2006 : Info: Starting - reading configuration files ...
Wed Dec  6 20:33:08 2006 : Info: rlm_sql (sql): Driver rlm_sql_oracle
(module rlm_sql_oracle) loaded and linked
Wed Dec  6 20:33:08 2006 : Info: rlm_sql (sql): Attempting to connect
to [EMAIL PROTECTED]:/(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(
HOST=10.10.10.2)(PORT=1521))(CONNECT_DATA=(SID=DB_R)))
Wed Dec  6 20:33:09 2006 : Info: rlm_sql (sql_postgresql): Driver
rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Wed Dec  6 20:33:09 2006 : Info: rlm_sql (sql_postgresql): Attempting
to connect to [EMAIL PROTECTED]:/DB_R
Wed Dec  6 20:33:09 2006 : Info: Ready to process requests.
Wed Dec  6 20:33:09 2006 : Error: Assertion failed in listen.c, line 621

Thank you.


Assertion failed in listen.c, line 621

2006-12-05 Thread Guilherme Franco

Hello,

Freeradius-snapshot-20061203 crashes, when running just radiusd with
proxy (radiusd -X doesn't crash):

It logs the following Error: Assertion failed in listen.c, line 621,
which is rad_assert(request->proxy_listener == listener);

Thanks.


(CVS) Error: Assertion failed in listen.c, line 621

2006-12-03 Thread Guilherme Franco

Hello,

I'm having problems again, when running radiusd (radiusd -X doesn't crash):

Before, in freeradius-snapshot-20061002 it was Error: Assertion failed
in listen.c, line 620, which was:
rad_assert(request->proxy_listener == listener);

Now, in freeradius-snapshot-20061203 it gives me Error: Assertion
failed in listen.c, line 621, which also is:
rad_assert(request->proxy_listener == listener);

That error was reported by Mr. Peter Nixon in September and by me in
October, but Mr. Alan DeKok said that it was already corrected.

Please note that freeradius-snapshot-20061203 was installed as an
update on top of freeradius-snapshot-20061002, not a clean install.

Any concerns on this?

Thanks.


CVS error

2006-12-02 Thread Guilherme Franco

Hello,

I'm trying to do a CVS login and got this error:

cvs -d :pserver:[EMAIL PROTECTED]:/source login

Logging in to :pserver:[EMAIL PROTECTED]:2401:/source

CVS password: ***

cvs [login aborted]: connect to cvs.freeradius.org:2401 failed: A
connection attempt failed because the connected party did not properly
respond after a period of time, or established connection failed
because connected host has failed to respond.


CVS problem

2006-10-31 Thread Guilherme Franco

Hello,

I'm trying to do a cvs checkout but it won't let me:

cvs -d :pserver:[EMAIL PROTECTED]:/source login

Logging in to :pserver:[EMAIL PROTECTED]:2401/source
CVS password: anoncvs

cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd

It just hangs in the checkout part...

Any problems with the server?

Thanks.


PROBLEM - Proxy + SQLIPPOOL + Framed-IP-Address

2006-10-31 Thread Guilherme Franco

Hi,

Doing proxy, freeradius always ignores the static Framed-IP-Address set
in radreply table and sets the random SQLIPPOOL instead.

Without proxy, SQLIPPOOL won't assign an IP from the pool and grabs
the Framed-IP-Address correctly.

I guess it's because the Framed-IP-Address = 255.255.255.254 contained
in the Access-Accept packet from the proxy home server.

Played with attrs but no luck.

Please help!

Thanks!


'{%SQL-User-Name}' does not work for SQLIPPOOL

2006-10-31 Thread Guilherme Franco

Hello,

'{%SQL-User-Name}' does not work for SQLIPPOOL, it always appears blank.

What should I use in order to get the username?

Thank you.


SOLVED '{%SQL-User-Name}' does not work for SQLIPPOOL

2006-10-31 Thread Guilherme Franco

Nevermind, I used %{User-Name} and it works.



Hello,

'{%SQL-User-Name}' does not work for SQLIPPOOL, it always appears blank.

What should I use in order to get the username?

Thank you.


Re: SQLIPPOOL problem

2006-10-28 Thread Guilherme Franco

Thanks Peter, that will do.

But I came into another problem, regarding this.

I've created entries in radreply such as [EMAIL PROTECTED]
Framed-IP-Address = 1.1.1.2.

When the user authenticates, freeradius finds the data from radreply,
but sqlippool still assigns a random IP.

What can it be, please?


Thank you very much.


On 10/28/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Fri 27 Oct 2006 01:50, Guilherme Franco wrote:
 Hi,

 This is very important, please.

 In ippool module I can use two or more pools just by setting

 ippool POOL1{...}
 ippool POOL2{...}

 In SQLIPPOOL, I know that I can create as many pools as I want but I
 need to treat that pools differently, say, POOL1 assigns static IPs
 and POOL2 dynamic ones, or POOL1 is in databaseX and POOL2 in
 databaseY.

 So I did this sqlippool.conf:

 sqlippool POOL1{...}
 sqlippool POOL2{...}

 And then in radiusd.conf

 post-auth{
 POOL1
 POOL2
 }

 But the user that has Pool-Name := POOL2 in radcheck receives the IP
 (because POOL2 exists in the database), but it's not treated by the
 POOL2 instance created in sqlippool.conf (radiusd -X shows that both
 module POOL1 and POOL2 are instantiated), it's being treated by the
 POOL1 instance.

 So, how can I tell that for users that belong to POOL2 use the POOL2
 module, instead of POOL1 and vice-versa?

With sqlippool the name of the module has no relation to the Pool-Name
attribute. The easiest way to do what you want is simply make the 2nd module
use a different database table and don't put the same Pool-Name in both
tables.

Cheers

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




--
Guilherme de Oliveira Franco
Damovo - Brasil


SQLIPPOOL problem

2006-10-26 Thread Guilherme Franco

Hi,

This is very important, please.

In ippool module I can use two or more pools just by setting

ippool POOL1{...}
ippool POOL2{...}

In SQLIPPOOL, I know that I can create as many pools as I want but I
need to treat that pools differently, say, POOL1 assigns static IPs
and POOL2 dynamic ones, or POOL1 is in databaseX and POOL2 in
databaseY.

So I did this sqlippool.conf:

sqlippool POOL1{...}
sqlippool POOL2{...}

And then in radiusd.conf

post-auth{
POOL1
POOL2
}

But the user that has Pool-Name := POOL2 in radcheck receives the IP
(because POOL2 exists in the database), but it's not treated by the
POOL2 instance created in sqlippool.conf (radiusd -X shows that both
module POOL1 and POOL2 are instantiated), it's being treated by the
POOL1 instance.

So, how can I tell that for users that belong to POOL2 use the POOL2
module, instead of POOL1 and vice-versa?

Thank you.


Error: Assertion failed in listen.c, line 620

2006-10-25 Thread Guilherme Franco

Hello,

Whenever I run radiusd alone, without the -X this error occurs in
the first authentication request:

Error: Assertion failed in listen.c, line 620

This line indicates the proxy part.

Running CVS radiusd -X generates no error at all.

Any clues?

Thanks.


Re: Error: Assertion failed in listen.c, line 620

2006-10-25 Thread Guilherme Franco

Oh sorry, it's not the latest one because there's only cistron in the CVS page.

I can't download freeradius cvs then.

Please check the page: ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/

Thanks.

On 10/25/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco [EMAIL PROTECTED] wrote:
 Whenever I run radiusd alone, without the -X this error occurs in
 the first authentication request:

 Error: Assertion failed in listen.c, line 620

 Is this a recent version of CVS?  I thought I had fixed that weeks ago...

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog


Re: Error: Assertion failed in listen.c, line 620

2006-10-25 Thread Guilherme Franco

Yes, indeed, thanks. I just wanted to notify about the dead link as
well as the browse cvs tree:
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/

By now, I'll use plain cvs to download it.

Thank you.

On 10/25/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco [EMAIL PROTECTED] wrote:
 Oh sorry, it's not the latest one because there's only cistron in the CVS page.

 I can't download freeradius cvs then.

 You can use CVS to check out the latest version.

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog


Important question about module instantiation

2006-10-25 Thread Guilherme Franco

Hello,

In sqlippool.conf I've instantiated:

sqlippool DYNAMIC{
...
allocate-find = SELECT framedipaddress FROM ${ippool_table} \
 WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \
 ORDER BY RANDOM() \
 LIMIT 1 \
 FOR UPDATE
...
}

sqlippool STATIC{
...
allocate-find = SELECT framedipaddress FROM ${ippool_table} \
 WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \
 ORDER BY (username <> '%{SQL-User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time \
 LIMIT 1 \
 FOR UPDATE
...
}

So, the first one allocates dynamic IP addresses to the user and the
second assigns static ones.

Then in radiusd.conf:

post-auth {
DYNAMIC
STATIC
...
}

The problem is: when someone who has Pool-Name := STATIC in radcheck
logs in, the sqlippool module used for assigning IP to that user is
DYNAMIC because it was called before STATIC in radiusd.conf.

As a result the user gets a dynamic IP. That's a problem.

What can I do to solve this, please?

Thank you.


cvs issue

2006-10-24 Thread Guilherme Franco

Hello,
I'm only seeing cistron on the cvs:

FTP directory /pub/radius/CVS-snapshots/ at
ftp.freeradius.org
Up to higher level directory
10/23/2006 09:10    201,051 radiusd-cistron-1.6-snapshot-20061023.tar.gz



Re: sqlippool + MySQL

2006-10-17 Thread Guilherme Franco

Hi Peter,

Regarding this post, the problem with Oracle and sqlippool still exists.

I've altered the postgresql inet to varchar and it works. But in
oracle, with varchar it does not work (the query returns exactly the
same result in oracle's sqlplus as in postgresql, but freeradius keeps
saying sqlippool_query1: row[0] returned NULL
rlm_sqlippool: ip=[] len=0
radius_xlat:  'COMMIT'
rlm_sqlippool: IP number could not be allocated.
).

So this proves that it's not an issue with the queries (at least for oracle).

Cheers.

On 10/17/06, Peter Nixon [EMAIL PROTECTED] wrote:

Hi Jan and Roberto

We ARE doing serious work on sqlippool but it is all with Postgresql. As Jan
says someone with a little MySQL knowledge shouldn't have problems making
those queries work with MySQL. Once you have them working please send them to
me so I can include them in cvs.

Cheers

Peter


On Tue 17 Oct 2006 00:58, Jan Mulders wrote:
 Someone needs to do some serious work on sqlippool. I'd do so, but
 currently I have no need for SQL-assigned IPs, as I only have one
 RADIUS server - and if it fails over, the least thing I have to worry
 about is current IP assignments.

 I recommend finding someone who is adept at *SQL and buy them a pizza.
 Then ask them to 'translate' those queries for you.

 Jan

 On 16/10/06, Roberto Gonzalez Azevedo [EMAIL PROTECTED] wrote:
 
  Does somebody know how to configure sqlippool with MySQL ?
  The sqlippool.conf example is for pgsql. And for MySQL ?
 
  Here is my sqlippool.conf, corrected for MySQL:
  
 
  sqlippool sqlippool {
 
   #
   # SQL connection information
   #
   sql-instance-name = sql
 
   # lease_duration. fix for lost acc-stop packets
   lease-duration = 3600
 
   # Attribute which should be considered unique per NAS
   pool-key = %{Acct-Session-Id}
   pool-name = mypool
 
   # pool-key = %{Calling-Station-Id}
 
 
   #
   # This series of queries allocates an IP address
   #
   allocate-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE pool_key = '${pool-key}'
 
   # note the ORDER BY clause of next query, it'll try to allocate IPs
   # like Cisco internal pools do - it _tries_ to allocate the same IP-address
   # which user had last session...
   allocate-find = SELECT FramedIPAddress FROM radippool \
WHERE pool_name = '%{reply:Pool-Name}' AND expiry_time < NOW() \
ORDER BY pool_name, (UserName <> '%{User-Name}'), (CallingStationId <> '%{Calling-Station-Id}'), expiry_time \
LIMIT 1 \
FOR UPDATE
 
   allocate-update = UPDATE radippool \
SET NASIPAddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
CallingStationId = '%{Calling-Station-Id}', UserName = '%{User-Name}', \
expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
WHERE FramedIPAddress = '%{Framed-IP-Address}'
 
 
 
   #
   # This series of queries frees an IP number when an accounting
   # START record arrives
   #
   start-update = UPDATE radippool \
SET expiry_time = NOW() + INTERVAL %J SECOND \
WHERE NASIPAddress = '%n' AND pool_key = '${pool-key}' AND pool_name = '%P'
 
   #
   # This series of queries frees an IP number when an accounting
   # STOP record arrives
   #
   stop-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE NASIPAddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}' AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}'
 
 
 
 
   #
   # This series of queries frees an IP number when an accounting
   # ALIVE record arrives
   #
   alive-update = UPDATE radippool \
SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
WHERE NASIPAddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}'
 
 
   #
   # This series of queries frees the IP numbers allocate to a
   # NAS when an accounting ON record arrives
   #
   on-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}'
 
   #
   # This series of queries frees the IP numbers allocate to a
   # NAS when an accounting OFF record arrives
   #
   off-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}'
 
 
  }
  
 
  Here is the radiusd -X:
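
The lease cycle that the quoted sqlippool.conf describes (allocate-clear, allocate-find, allocate-update, stop-clear), as an added example that is not part of the original posts or of FreeRADIUS. Assumptions: SQLite stands in for MySQL, integer seconds replace NOW(), BEGIN IMMEDIATE replaces FOR UPDATE, the comparisons in allocate-find are taken to be `<` and `<>`, and all addresses and names are constructed.

```python
import sqlite3

LEASE_DURATION = 3600  # lease-duration from the quoted config
POOL = "mypool"        # pool-name from the quoted config


def make_pool(addresses):
    """Create an in-memory radippool in which every address starts free."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.execute(
        "CREATE TABLE radippool ("
        " pool_name TEXT, FramedIPAddress TEXT PRIMARY KEY,"
        " NASIPAddress TEXT DEFAULT '', pool_key TEXT DEFAULT '0',"
        " CallingStationId TEXT DEFAULT '', UserName TEXT DEFAULT '',"
        " expiry_time INTEGER)")
    # Staggered expiry values (0, 1, 2, ...) keep the ORDER BY deterministic.
    db.executemany(
        "INSERT INTO radippool (pool_name, FramedIPAddress, expiry_time)"
        " VALUES (?, ?, ?)",
        [(POOL, addr, i) for i, addr in enumerate(addresses)])
    return db


def allocate(db, now, user, csid, nas, pool_key):
    """Run allocate-clear, allocate-find and allocate-update in one transaction.

    Returns the leased address, or None when no row has an expired lease.
    """
    db.execute("BEGIN IMMEDIATE")  # stand-in for the row lock taken by FOR UPDATE
    try:
        # allocate-clear: drop any lease still held under this pool key.
        db.execute(
            "UPDATE radippool SET NASIPAddress = '', pool_key = '0',"
            " CallingStationId = '', expiry_time = ? WHERE pool_key = ?",
            (now - 1, pool_key))
        # allocate-find: expired leases only; rows last used by this user sort
        # first because (UserName <> ?) evaluates to 0 for them.
        row = db.execute(
            "SELECT FramedIPAddress FROM radippool"
            " WHERE pool_name = ? AND expiry_time < ?"
            " ORDER BY pool_name, (UserName <> ?), (CallingStationId <> ?),"
            " expiry_time LIMIT 1",
            (POOL, now, user, csid)).fetchone()
        if row is not None:
            # allocate-update: record the owner and push the expiry forward.
            db.execute(
                "UPDATE radippool SET NASIPAddress = ?, pool_key = ?,"
                " CallingStationId = ?, UserName = ?, expiry_time = ?"
                " WHERE FramedIPAddress = ?",
                (nas, pool_key, csid, user, now + LEASE_DURATION, row[0]))
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise
    return row[0] if row else None


def release(db, now, user, csid, nas, pool_key, ip):
    """stop-clear: expire the lease on an accounting Stop. Returns rows changed."""
    cur = db.execute(
        "UPDATE radippool SET NASIPAddress = '', pool_key = '0',"
        " CallingStationId = '', expiry_time = ?"
        " WHERE NASIPAddress = ? AND pool_key = ? AND UserName = ?"
        " AND CallingStationId = ? AND FramedIPAddress = ?",
        (now - 1, nas, pool_key, user, csid, ip))
    return cur.rowcount
```

Because stop-clear leaves UserName in place, a returning user sorts ahead of older free rows, and a session whose Stop packet was lost becomes allocatable again only once lease-duration has passed.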

block users on-the-fly

2006-10-16 Thread Guilherme Franco

Hi,

Does anyone already have a program to block freeradius on-the-fly?

ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO,
the user would no longer authenticate the next time he/ she logs in.
OK, this works, but, if the user is already logged in, even if I set
PAID = NO, the user would not be rejected (for obvious reasons). This
is important because the grand number of Router mode ADSL users, that
never logs out. I'm building a program to verify every x minutes the
database and if PAID = NO, return a flag to freeradius and then reject
the user.

Is there any other means to do that?

Thanks.


Re: block users on-the-fly

2006-10-16 Thread Guilherme Franco

Thanks, I didn't know about the POD (it wasn't on the wiki when I've
read it before)

On 10/16/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Mon 16 Oct 2006 16:25, Guilherme Franco wrote:
 Hi,

 Does anyone already have a program to block freeradius on-the-fly?

 ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO,
 the user would no longer authenticate the next time he/ she logs in.
 OK, this works, but, if the user is already logged in, even if I set
 PAID = NO, the user would not be rejected (for obvious reasons). This
 is important because the grand number of Router mode ADSL users, that
 never logs out. I'm building a program to verify every x minutes the
 database and if PAID = NO, return a flag to freeradius and then reject
 the user.

That's the wrong way to do it. Simply disconnect the user on your NAS at the
same time as setting PAID = NO. The way you do this depends on your NAS but
PoD comes to mind:

http://wiki.freeradius.org/POD

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




--
Guilherme de Oliveira Franco
Damovo - Brasil
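
The Packet of Disconnect that the quoted reply points to, as an added example that is not part of the original thread or of FreeRADIUS: it builds an RFC 5176 Disconnect-Request and verifies the NAS reply's authenticator before trusting an ACK. The shared secret, user name and session id are constructed sample values, and `build_reply` only simulates the NAS side so the block runs offline.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 5176).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ACCT_SESSION_ID = 1, 44
SECRET = b"constructed-shared-secret"  # constructed sample value


def encode_attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _signed(code, identifier, auth_input, attrs, secret):
    """Return header + MD5(header + auth_input + attrs + secret) + attrs."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + auth_input + attrs + secret).digest()
    return header + digest + attrs


def build_disconnect_request(identifier, secret, user_name, acct_session_id):
    """Build the packet a billing job would send to the NAS (UDP 3799 by default)."""
    attrs = (encode_attr(USER_NAME, user_name.encode())
             + encode_attr(ACCT_SESSION_ID, acct_session_id.encode()))
    # The Request Authenticator is computed over 16 zero octets.
    return _signed(DISCONNECT_REQUEST, identifier, bytes(16), attrs, secret)


def request_is_authentic(packet, secret):
    """NAS-side check: reject requests not signed with the shared secret."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_reply(request, code, secret, attrs=b""):
    """Simulated NAS reply: the authenticator covers the request's authenticator."""
    return _signed(code, request[1], request[4:20], attrs, secret)


def check_reply(request, reply, secret):
    """Return 'ACK' or 'NAK' for an authentic reply, raise ValueError otherwise."""
    if len(reply) < 20:
        raise ValueError("reply shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("length field does not match packet size")
    if identifier != request[1]:
        raise ValueError("reply identifier does not match the request")
    expected = hashlib.md5(
        reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    if code == DISCONNECT_ACK:
        return "ACK"
    if code == DISCONNECT_NAK:
        return "NAK"
    raise ValueError("unexpected reply code %d" % code)
```

Only an authenticated ACK shows that the NAS dropped the session; a NAK or a timeout means the user is still online even though PAID = NO is already set.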


Re: block users on-the-fly

2006-10-16 Thread Guilherme Franco

Thanks Owen

On 10/16/06, Owen DeLong [EMAIL PROTECTED] wrote:


On Oct 16, 2006, at 6:25 AM, Guilherme Franco wrote:

 Hi,

 Does anyone already have a program to block freeradius on-the-fly?

 ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO,
 the user would no longer authenticate the next time he/ she logs in.
 OK, this works, but, if the user is already logged in, even if I set
 PAID = NO, the user would not be rejected (for obvious reasons). This
 is important because the grand number of Router mode ADSL users, that
 never logs out. I'm building a program to verify every x minutes the
 database and if PAID = NO, return a flag to freeradius and then reject
 the user.

 Is there any other means to do that?

 Thanks.

The radius protocol only supports processing of authentication requests.
Unless you can get your hardware to send a periodic re-auth request,
there's no way to have them processed by radius again no matter what
you do to the database.  Radius has no push capability.

Your options are:
   +   Get your hardware to re-auth periodically.
   +   Use another process to boot users (forcing a reauth) when you
   change the database.

Owen









--
Guilherme de Oliveira Franco
Damovo - Brasil


Re: RHEL4 and Oracle Instant Client

2006-10-10 Thread Guilherme Franco

Hi,

You have to download it from oracle and then set all the needed paths,
like LD_LIBRARY_PATH and ORA_HOME, pointing to the place where you
decompressed oraclient. After that you need to recompile the
rlm_oracle module under freeradiusxxx/src/modules/.

Cheers

On 10/10/06, Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:

Has anyone gotten the source RPM's from RHEL4 to build with the oracle
module using the Oracle instant client? It keeps giving me the following
error no matter what I try:

checking for oci.h... yes
checking for oracle_init in -loracleclient... no
configure: warning: oracle libraries not found.  Use
--with-oracle-lib-dir=path.
configure: warning: sql submodule 'oracle' disabled

Thanks,

Brian Dourty
System Administrator - Team Lead
IAT Services
University of Missouri - Columbia
573-882-1035





--
Guilherme de Oliveira Franco
Damovo - Brasil


Re: FreeRADIUS user Survey

2006-10-05 Thread Guilherme Franco

Hello,

Survey Not Found
 Sorry but this survey is no longer available. Please contact us if
you require any further information.

For more information on GroupSurveys, you can visit our site at
http://www.group-surveys.com


On 10/5/06, Alan DeKok [EMAIL PROTECTED] wrote:

 In order to better understand the needs of people using FreeRADIUS,
I've set up a survey with 12 questions.  The goal is to understand
who's using FreeRADIUS, how they're using it, and what the users' needs
are.  The page is:

   http://gs-survey.com/s.asp?s=1651

 Please take a few minutes to fill out the survey, and I'll be
posting a summary of the responses here.

 I expect to have a few more surveys after this one, to be able to
target future development.  Thanks for your efforts in supporting FreeRADIUS.

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog


Re: FreeRADIUS user Survey

2006-10-05 Thread Guilherme Franco

Hello,

The problem persists:

http://gs-survey.com/s.asp?s=1651

Survey Not Found
 Sorry but this survey is no longer available. Please contact us if
you require any further information.

For more information on GroupSurveys, you can visit our site at
http://www.group-surveys.com


On 10/5/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco [EMAIL PROTECTED] wrote:
 Survey Not Found

 Whoops... the make active link didn't work.  I poked it again.

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog




--
Guilherme de Oliveira Franco
Damovo - Brasil


UPDATED: dumb humble question about sqlippool

2006-10-03 Thread Guilherme Franco

Hello,

I've installed Postgres with exactly the same configuration as
Oracle's and Postgres works.

The only point of failure using Oracle should be in radippool
Framedipaddress which is VARCHAR in Oracle but is INET in Postgres.

Could be a parsing error in rlm_sqlippool.c

That's because xlat outputs:
-
'SELECT framedipaddress FROM (select framedipaddress from radippool
WHERE pool_name = 'SPW' ORDER BY dbms_random.value) where rownum = 1'
sqlippool_query1: row[0] returned NULL
rlm_sqlippool: ip=[] len=0
radius_xlat:  'COMMIT'
rlm_sqlippool: IP number could not be allocated.
-

The same query on sqlplus is ok:
SQL SELECT framedipaddress FROM (select framedipaddress from
radippool WHERE pool_name = 'SPW' ORDER BY dbms_random.value) where
rownum = 1;

FRAMEDIPADDRESS
--
192.168.1.3

Now, considering that Postgres works like a breeze, how can I setup
just sqlippool.conf to look in postgres, but the regular user and
password queries to look in oracle?

I've created a sql.conf containing oracle's confs (sql{..}) and
sql2.conf containing postgres confs (sql2{...}).

If I specify sql-instance-name = sql2 in sqlippool.conf it does not work.

I appreciate any help on this issue. Thanks!


On 9/29/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Fri 29 Sep 2006 15:23, Guilherme Franco wrote:
 Thanks for all the answers Mr. Peter!

 To clarify some things:
  NONE of the ippool modules let you set the pool name. You HAVE to set
  Pool-Name = whatever as a check
  item

 The radcheck table already have Pool-Name := whatever as a
 attribute, op, value for all users, but that's ok because I can set it
 manually in sqlippool.conf and the select DOES run in the correct
 table then (xlat outputs correctly then and I did a network sniff that
 shows the query is ok).

If you set it in sqlippool.conf it is ignored by the module. It will
make no difference to the operation at all.

  Other issue is related to multiple pools, one with dynamic IP's and
  other with fixed ones (actually it's not possible to do that with only
  just one sqlippool.conf file without modifying rlm_sqlippool.c).
 
  IT IS!!
  Run two copies of the module!

 Sorry, i meant that I think that it is not possible without loading 2
 or more modules (just with one module and one sqlippool.conf) dumb
 question, sorry.

OK. We specifically designed the module so you can run more than one
instance of it (like most other radius modules) and the different instances
may have different queries, tables and sql connections (Completely different
database types if you wish)

  Another thing lies in proxy - if the proxy returns IP 255.255.255.254
  for me, sqlippool does not overrides it and do nothing (it doesn't
  have the override = yes option like ippool).
 
 This can be added. Although why would you return an IP like that when you
  don't need to? Just return the Pool-Name and let the module do its job.

 I didn't think about it, thanks.

You are welcome :-)

In fact we have added today the capability to detect an ip address of
255.255.255.254 but this makes no sense except for when you are acting as a
proxy and wish to add an ip address from a pool to an accept packet coming
from a home server. Just use Pool-Name for all local users.

 Besides that I had to remove the BEGIN statement of allocate-begin
 (and all other begins)  because oracle does not need it, and if you
 need to specify begin, then it needs to be in a different way (through
 the sniff, I saw that the begin was stated, then 4 space chars and
 then a / which is the same as doing BEGIN;/ in sqlplus,
 generating ORA end-of-file errors) Don't know from where that /
 came from though. To solve this, I had to change BEGIN in
 allocate-begin for commit (a normal oracle operation before any
 query).

Please send me a copy (privately if you wish) of your existing sqlippool.conf
and working source code (or patch) so that we can integrate it into the
existing code.

 About the postgresql installation, I was thinking in installing it. I
 will do that just to see its behaviour, thanks.

OK. I assumed that you had done this long ago. Please do it as a test.

 THANKS A LOT AGAIN!

Cheers

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: UPDATED: dumb humble question about sqlippool

2006-10-03 Thread Guilherme Franco

Mr. Peter,

Thanks, I was using sql_instance2{...} instead of sql sql_instance2{...}

:)

Everything is working nice now with this hybrid oracle/postgresql
except when I'm proxying and sqlippool won't set an IP because of
255.255.255.254 answer from the proxy server.

As we talked earlier, there's no override = yes for this so I need to
put Pool-Name := FOO in radreply, but even with the reply, it
doesn't work. What I'm doing is convince the proxy ISP to change its
conf so it doesn't send me 255.255.255.254 for now.

I have to thank you again for all your help! Now it's my turn to
contribute, as soon as I have the time to look for, I hope to patch
rlm_sqlippool.c and CVS it along with oracle.sqlippool.conf and
radippool schema for oracle.

Greetings

On 10/3/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Tue 03 Oct 2006 19:29, Guilherme Franco wrote:
 Hello,

 I've installed Postgres with exactly the same configuration as
 Oracle's and Postgres works.

Good.

 The only point of failure using Oracle should be in radippool
 Framedipaddress which is VARCHAR in Oracle but is INET in Postgres.

 Could be a parsing error in rlm_sqlippool.c

Hmm. It could be. Patches to fix it are welcome :-)

 That's because xlat outputs:
 -
 'SELECT framedipaddress FROM (select framedipaddress from radippool
 WHERE pool_name = 'SPW' ORDER BY dbms_random.value) where rownum = 1'
 sqlippool_query1: row[0] returned NULL
 rlm_sqlippool: ip=[] len=0
 radius_xlat:  'COMMIT'
 rlm_sqlippool: IP number could not be allocated.
 -

 The same query on sqlplus is ok:
 SQL SELECT framedipaddress FROM (select framedipaddress from
 radippool WHERE pool_name = 'SPW' ORDER BY dbms_random.value) where
 rownum = 1;

 FRAMEDIPADDRESS
 --
 192.168.1.3

 Now, considering that Postgres works like a breeze, how can I setup
 just sqlippool.conf to look in postgres, but the regular user and
 password queries to look in oracle?

 I've created a sql.conf containing oracle's confs (sql{..}) and
 sql2.conf containing postgres confs (sql2{...}).

 If I specify sql-instance-name = sql2 in sqlippool.conf it does not
 work.

http://wiki.freeradius.org/Rlm_sql#Instances

Just give your instances different names as the documentation says.

 I appreciate any help on this issue. Thanks!

Cheers

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




Re: UPDATED: dumb humble question about sqlippool

2006-10-03 Thread Guilherme Franco

Nevermind the proxy issue, I've managed to circumvent it using attrs file

Thanks

On 10/3/06, Guilherme Franco [EMAIL PROTECTED] wrote:

Mr. Peter,

Thanks, I was using sql_instance2{...} instead of sql sql_instance2{...}

:)

Everything is working nice now with this hybrid oracle/postgresql
except when I'm proxying and sqlippool won't set an IP because of
255.255.255.254 answer from the proxy server.

As we talked earlier, there's no override = yes for this so I need to
put Pool-Name := FOO in radreply, but even with the reply, it
doesn't work. What I'm doing is convince the proxy ISP to change its
conf so it doesn't send me 255.255.255.254 for now.

I have to thank you again for all your help! Now it's my turn to
contribute, as soon as I have the time to look for, I hope to patch
rlm_sqlippool.c and CVS it along with oracle.sqlippool.conf and
radippool schema for oracle.

Greetings

On 10/3/06, Peter Nixon [EMAIL PROTECTED] wrote:
 On Tue 03 Oct 2006 19:29, Guilherme Franco wrote:
  Hello,
 
  I've installed Postgres with exactly the same configuration as
  Oracle's and Postgres works.

 Good.

  The only point of failure using Oracle should be in radippool
  Framedipaddress which is VARCHAR in Oracle but is INET in Postgres.
 
  Could be a parsing error in rlm_sqlippool.c

 Hmm. It could be. Patches to fix it are welcome :-)

  That's because xlat outputs:
  -
  'SELECT framedipaddress FROM (select framedipaddress from radippool
  WHERE pool_name = 'SPW' ORDER BY dbms_random.value) where rownum = 1'
  sqlippool_query1: row[0] returned NULL
  rlm_sqlippool: ip=[] len=0
  radius_xlat:  'COMMIT'
  rlm_sqlippool: IP number could not be allocated.
  -
 
  The same query on sqlplus is ok:
  SQL SELECT framedipaddress FROM (select framedipaddress from
  radippool WHERE pool_name = 'SPW' ORDER BY dbms_random.value) where
  rownum = 1;
 
  FRAMEDIPADDRESS
  --
  192.168.1.3
 
  Now, considering that Postgres works like a breeze, how can I setup
  just sqlippool.conf to look in postgres, but the regular user and
  password queries to look in oracle?
 
  I've created a sql.conf containing oracle's confs (sql{..}) and
  sql2.conf containing postgres confs (sql2{...}).
 
  If I specify sql-instance-name = sql2 in sqlippool.conf it does not
  work.

 http://wiki.freeradius.org/Rlm_sql#Instances

 Just give your instances different names as the documentation says.

  I appreciate any help on this issue. Thanks!

 Cheers

 --

 Peter Nixon
 http://www.peternixon.net/
 PGP Key: http://www.peternixon.net/public.asc




Re: dumb humble question about sqlippool

2006-09-29 Thread Guilherme Franco

Thanks for all the answers Mr. Peter!

To clarify some things:


NONE of the ippool modules let you set the pool name. You HAVE to set
Pool-Name = whatever as a check item


The radcheck table already have Pool-Name := whatever as a
attribute, op, value for all users, but that's ok because I can set it
manually in sqlippool.conf and the select DOES run in the correct
table then (xlat outputs correctly then and I did a network sniff that
shows the query is ok).


Other issue is related to multiple pools, one with dynamic IP's and
other with fixed ones (actually it's not possible to do that with only
just one sqlippool.conf file without modifying rlm_sqlippool.c).



IT IS!!
Run two copies of the module!


Sorry, i meant that I think that it is not possible without loading 2
or more modules (just with one module and one sqlippool.conf) dumb
question, sorry.


Another thing lies in proxy - if the proxy returns IP 255.255.255.254
for me, sqlippool does not overrides it and do nothing (it doesn't
have the override = yes option like ippool).



This can be added. Although why would you return an IP like that when you don't
need to? Just return the Pool-Name and let the module do its job.


I didn't think about it, thanks.

Besides that I had to remove the BEGIN statement of allocate-begin
(and all other begins)  because oracle does not need it, and if you
need to specify begin, then it needs to be in a different way (through
the sniff, I saw that the begin was stated, then 4 space chars and
then a / which is the same as doing BEGIN;/ in sqlplus,
generating ORA end-of-file errors) Don't know from where that /
came from though. To solve this, I had to change BEGIN in
allocate-begin for commit (a normal oracle operation before any
query).

About the postgresql installation, I was thinking in installing it. I
will do that just to see its behaviour, thanks.

THANKS A LOT AGAIN!

On 9/29/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Fri 29 Sep 2006 01:02, Guilherme Franco wrote:
 Thank you very much for your kindness.

 I'm sorry, again, for posting too much questions about this.

 It's correct that I'm trying to put this in production as this is the
 only module that does not work for me.

 I'm happy with dialup_admin, AAA and everything else in Oracle!

 The only missing thing is sqlippool :(

 I know that it is an experimental module and I also have limited time
 to work on this module as it's not for me, it's for another company.

 In the mean time, I'm using regular ippool db in a NFS with just 1
 radius active per time (to prevent lockups). That was the only way
 I've managed to do ippools with 2 servers (is there any
 alternatives?).

 As you see I can't abandon oracle, nor install postgre as it would
 break up some dependencies with other oracle databases that we have.

 I'm being such a pain for you guys because the sqlippool module is
 almost working! If I saw that it wouldn't work at all, I would never
 took the time to work in it as I'm taking now :)

 I appreciate your concerns and as I'm out of time to deliver the
 solution to the client, I think I can't try sqlippool anymore.

 That's a shame because I'm almost there!

 Now that I've managed to change somethings it's doing all the selects
 without any errors (that return ie: ip 1.1.1.1 in sqlplus) but it's
 stating sqlippool_query1: row[0] returned NULL in radiusd -X ( how can
 it be null if the select was successful? ). It's the only [EMAIL PROTECTED] 
thing
 that is preventing the user to get an IP!! That kind of things just
 take time to debug...

 Besides that, if I don't set pool_name = name_of_the_pool in
 sqlippool.conf, allocate-find tries to select from ippool (which does
 not exists) instead of the one I've set in radippool table.

I would double check this behaviour. It should not select at all if there is
no pool-name.

NONE of the ippool modules let you set the pool name. You HAVE to set
Pool-Name = whatever as a check item



 Other issue is related to multiple pools, one with dynamic IP's and
 other with fixed ones (actually it's not possible to do that with only
 just one sqlippool.conf file without modifying rlm_sqlippool.c).

IT IS!!

Run two copies of the module!

 Another thing lies in proxy - if the proxy returns IP 255.255.255.254
 for me, sqlippool does not overrides it and do nothing (it doesn't
 have the override = yes option like ippool).

This can be added. Although why would you return an IP like that when you don't
need to? Just return the Pool-Name and let the module do its job.

 So, to close this out, I would REALLY LIKE to make this work and help
 you guys  as well, but because of lack of time, the only way would do
 this as an enhancement to the already deployed solution for the
 client, thanks.

Do you have sqlippool working with Postgresql?? it seems to me that you do not
quite understand how

Re: dumb humble question about sqlippool

2006-09-28 Thread Guilherme Franco

Thank you very much for your kindness.

I'm sorry, again, for posting too much questions about this.

It's correct that I'm trying to put this in production as this is the
only module that does not work for me.

I'm happy with dialup_admin, AAA and everything else in Oracle!

The only missing thing is sqlippool :(

I know that it is an experimental module and I also have limited time
to work on this module as it's not for me, it's for another company.

In the mean time, I'm using regular ippool db in a NFS with just 1
radius active per time (to prevent lockups). That was the only way
I've managed to do ippools with 2 servers (is there any
alternatives?).

As you see I can't abandon oracle, nor install postgre as it would
break up some dependencies with other oracle databases that we have.

I'm being such a pain for you guys because the sqlippool module is
almost working! If I saw that it wouldn't work at all, I would never
took the time to work in it as I'm taking now :)

I appreciate your concerns and as I'm out of time to deliver the
solution to the client, I think I can't try sqlippool anymore.

That's a shame because I'm almost there!

Now that I've managed to change somethings it's doing all the selects
without any errors (that return ie: ip 1.1.1.1 in sqlplus) but it's
stating sqlippool_query1: row[0] returned NULL in radiusd -X ( how can
it be null if the select was successful? ). It's the only [EMAIL PROTECTED] 
thing
that is preventing the user to get an IP!! That kind of things just
take time to debug...

Besides that, if I don't set pool_name = name_of_the_pool in
sqlippool.conf, allocate-find tries to select from ippool (which does
not exists) instead of the one I've set in radippool table.

Other issue is related to multiple pools, one with dynamic IP's and
other with fixed ones (actually it's not possible to do that with only
just one sqlippool.conf file without modifying rlm_sqlippool.c).

Another thing lies in proxy - if the proxy returns IP 255.255.255.254
for me, sqlippool does not overrides it and do nothing (it doesn't
have the override = yes option like ippool).

So, to close this out, I would REALLY LIKE to make this work and help
you guys  as well, but because of lack of time, the only way would do
this as an enhancement to the already deployed solution for the
client, thanks.

Thank you again!

On 9/28/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Wed 27 Sep 2006 16:41, Guilherme Franco wrote:
 Hi,

 I know you guys must be angry with all the questions I'm posting here.

 In Devel-List, I found this: Is it usefull to community? (SQLIPPOOL
 and NASCATS) by Roman M. Bibikov on Thu, 16 Oct 2003 17:36:26 +1100.

 He says that created a successful ip pool in Oracle (exactly what I'm
 trying to do) and also that developed stored functions and procedures
 handling in rlm_oracle (sql_runfunction() and sql_runprocedure())

 I didn't find out those functions and I'm wondering if it's because
 of this that I can't make sqlippool work in oracle...

Hi Guilherme

We are not angry. We are however busy, and have limited time.

Any posts you see about sqlippool prior to August 2006 do not directly relate
to the sqlippool module that is in FreeRADIUS 1.1.3 (Although it may share
some code.. There have been several different modules available on the net
called sqlippool prior to the one that is now available as part of
FreeRADIUS)

The code in CVS head has been modified even further (as you know). sqlippool is
an EXPERIMENTAL module which is why it is not enabled by default. It is
currently tested ONLY on Postgresql. There are currently no _known_
production deployments of (our) sqlippool on Oracle although we are happy
that you are testing it and appreciate your feedback.

Currently you are writing many emails to the list with CRITICAL/URGENT etc
in the subject in relation to sqlippool and you are clearly trying to deploy
it for production use. I have very clearly told you previously these issues
and you KNOW that it is an experimental module!!

We are trying to help you as much as we can, but we expect you to also be
prepared to do testing and possibly some development yourself, otherwise
please don't use EXPERIMENTAL modules, especially not in production!

If you wish to have my company (Suntel Communications) develop, test and
support this module for/on an Oracle version of your choice then we would be
happy to do so for a fee (which we can discuss offlist without bothering
everyone else) otherwise you will have to make do with the (free) support we
are providing to you and everyone else via this mailing list in our spare
time.

Alternatively there is a list of other companies/people who would also be
happy to provide you support at http://www.freeradius.org/business/

Regards

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Accounting issues in Oracle solved

2006-09-27 Thread Guilherme Franco

Hello,

I had to modify oracle-dialup.conf to make accounting on/off to work.

In AcctSessionTime, the original query would generate expected
NUMBER, got INTERVAL error.

Here is the original:

accounting_onoff_query = UPDATE ${acct_table1} SET
AcctStopTime=TO_DATE('%S','yyyy-mm-dd hh24:mi:ss'),
AcctSessionTime=((TO_DATE('%S','yyyy-mm-dd hh24:mi:ss') -
AcctStartTime)*86400), AcctTerminateCause='%{Acct-Terminate-Cause}',
AcctStopDelay = %{Acct-Delay-Time:-0} WHERE AcctSessionTime=0 AND
AcctStopTime IS NULL AND NASIPAddress = '%{NAS-IP-Address}' AND
AcctStartTime = TO_DATE('%S','yyyy-mm-dd hh24:mi:ss')


So I modified it to:

accounting_onoff_query = UPDATE ${acct_table1} SET
AcctStopTime=TO_DATE('%S','yyyy-mm-dd hh24:mi:ss'),
AcctSessionTime=(to_number(TO_DATE('%S','yyyy-mm-dd hh24:mi:ss') -
cast(AcctStartTime as date))*86400),
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay =
%{Acct-Delay-Time:-0} WHERE AcctSessionTime=0 AND AcctStopTime IS NULL
AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStartTime =
TO_DATE('%S','yyyy-mm-dd hh24:mi:ss')

And it works great now.


dumb humble question about sqlippool

2006-09-27 Thread Guilherme Franco

Hi,

I know you guys must be angry with all the questions I'm posting here.

In Devel-List, I found this: Is it usefull to community? (SQLIPPOOL
and NASCATS) by Roman M. Bibikov on Thu, 16 Oct 2003 17:36:26 +1100.

He says that created a successful ip pool in Oracle (exactly what I'm
trying to do) and also that developed stored functions and procedures
handling in rlm_oracle (sql_runfunction() and sql_runprocedure())

I didn't find out those functions and I'm wondering if it's because
of this that I can't make sqlippool work in oracle...

Thanks in advance


Re: ULTRA IMPORTANT! Proxy - Assertion failed in listen.c, line 558 error

2006-09-27 Thread Guilherme Franco

Thank you very much!

On 9/27/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco [EMAIL PROTECTED] wrote:
   Sending duplicate proxied request to home server foo.com port 1645 - ID: 
16
   Assertion failed in listen.c, line 558

  This is now fixed in CVS.  You'll have to do a cvs update and
re-build to get the fix.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: ULTRA IMPORTANT! Proxy - Assertion failed in listen.c, line 558 error

2006-09-27 Thread Guilherme Franco

By the way, http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/ does not work:

Internal Server Error
The server encountered an internal error or misconfiguration and was
unable to complete your request.

Please contact the server administrator, [EMAIL PROTECTED] and
inform them of the time the error occurred, and anything you might
have done that may have caused the error.

More information about this error may be available in the server error log.

Microsoft-IIS/5.0 Server at us.freeradius.org Port 80

On 9/27/06, Guilherme Franco [EMAIL PROTECTED] wrote:

Thank you very much!

On 9/27/06, Alan DeKok [EMAIL PROTECTED] wrote:
 Guilherme Franco [EMAIL PROTECTED] wrote:
Sending duplicate proxied request to home server foo.com port 1645 - 
ID: 16
Assertion failed in listen.c, line 558

   This is now fixed in CVS.  You'll have to do a cvs update and
 re-build to get the fix.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


CRITICAL! NFS/ SQLIPPOOL :~(

2006-09-27 Thread Guilherme Franco

Hello,

I'm in a situation where I have 2 freeradius servers, working
perfectly with rlm_sql_oracle (the entire AAA is done in Oracle,
except the ippool).

It's not possible to have the same pool configured the same way in the
2 servers, and also It's totally out of question to configure range1
for radius1 and range2 for radius2. I can't create the pool in the
BRAS because of a limitation of itself.

So, another option would be NFS with db files for the ippool module
(which does not work also because of file locks).

The only option that I see is to use SQLIPPOOL, which is not working
for me in Oracle.

I've modified sqlippool.conf to suit Oracle's needs and even removed
the 'BEGIN' section from rlm_sqlippool.c and recompiled it (because
oracle does not need BEGIN and it was causing me more problems).

Even then, I'm still not able to use sqlippool!

If sqlippool in Oracle does not work, the only option left would be
to install Postgres on the same machine as Oracle (horrible!).

This is the output (without BEGIN):
--
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  ''
sqlippool_command: xlat failed.
UPDATE radippool   SET nasipaddress = '', pool_key = 0,
callingstationid = '',   expiry_time = current_timestamp - interval
'1' second(1)   WHERE pool_key = '845414557'
SELECT framedipaddress FROM radippool   WHERE pool_name = 'POOL' AND
expiry_time  current_timestamp AND ROWNUM = 1   ORDER BY (select
username from radippool where username  ''), (select
callingstationid from radippool where callingstationid 
'#BRAS-01#this is a description#100#157'), expiry_time   FOR UPDATE
sqlippool_query1: SQL query did not succeed
rlm_sqlippool: ip=[] len=0
radius_xlat:  'COMMIT'
COMMIT
rlm_sqlippool: IP number could not be allocated.
rlm_sql (sql): Released sql socket id: 2
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'test_user'
rlm_sql (sql): sql_set_user escaped user -- 'test_user'
--

The first sqlippool_command: xlat failed. is because I removed the
begin in rlm_sqlippool.c...

This is the output (with BEGIN):
--
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'BEGIN'
BEGIN
rlm_sql_oracle: execute query failed in sql_query: ORA-06550: line 1,
column 5: PLS-00103: Encountered the symbol end-of-file when
expecting one of the following: begin case declare exit for goto
if loop mod null pragmaraise return select update while with an
identifiera double-quoted delimited-identifier a bind
variable close current delete fetch lock insert open rollback
savepoint set sql execute commit forall merge pipe
rlm_sql_oracle: OCI_SERVER_NORMAL
sqlippool_command: database query error
UPDATE radippool   SET nasipaddress = '', pool_key = 0,
callingstationid = '',   expiry_time = current_timestamp - interval
'1' second(1)   WHERE pool_key = '845414558'
SELECT framedipaddress FROM radippool   WHERE pool_name = 'POOL' AND
expiry_time  current_timestamp AND ROWNUM = 1   ORDER BY (select
username from radippool where username  ''), (select
callingstationid from radippool where callingstationid 
'#BRAS-01#this is a description#100#158'), expiry_time   FOR UPDATE
sqlippool_query1: SQL query did not succeed
rlm_sqlippool: ip=[] len=0
radius_xlat:  'COMMIT'
COMMIT
rlm_sqlippool: IP number could not be allocated.
rlm_sql (sql): Released sql socket id: 2
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'test_user'
rlm_sql (sql): sql_set_user escaped user -- 'test_user'
--

Can anybody help me, please?


Re: Apologies for Mr. Peter Nixon and updated sqlippool debug

2006-09-26 Thread Guilherme Franco

Hello,

But how can my first query work if the pool-key was not saved anywhere
in the database?

When I do the same query without the where pool_key = something, it works:

UPDATE radippool   SET nasipaddress = '', pool_key =
0,callingstationid = '',   expiry_time = current_timestamp - interval
'1' second(1);

4 rows updated.

SQL select * from radippool;

   ID POOL_NAME  NASIPADDRESS
-- -- --
   1   FOO
NAS_PORT
--
EXPIRY_TIME
26-SEP-06 09.27.54 AM
---
USERNAME

FRAMEDIPADDRESS
192.168.1.1
POOL_KEYCALLINGSTATIONID
--
0


Sorry, in the second query I pasted an old query earlier for you. The
second query works, it is:

SQL SELECT framedipaddress FROM radippool   WHERE pool_name = 'FOO'
AND expiry_time  current_timestamp AND ROWNUM = 1   ORDER BY (select
username from radippool where username  ''), (select
callingstationid from radippool where callingstationid 
''),expiry_time   FOR UPDATE;

FRAMEDIPADDRESS
--
192.168.1.1

Thanks.

On 9/26/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Tue 26 Sep 2006 14:45, Guilherme Franco wrote:
 Hi,

 This is what happens:

 SQL UPDATE radippool   SET nasipaddress = '', pool_key =
 0,callingstationid = '',   expiry_time = current_timestamp - interval
 '1' second(1)   WHERE pool_key = '2398432';

 0 rows updated.

 SQL SELECT framedipaddress FROM radippool   WHERE pool_name = 'FOO'
 AND expiry_time  current_timestamp AND ROWNUM = 1   ORDER BY (select
 username from radippool where username  ''), (select
 callingstationid from radippool where callingstationid 
 ''),expiry_time   FOR UPDATE;

 no rows selected

So there you go. You found the problem.. Why doesn't it find any rows?

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




debug for sqlippool

2006-09-22 Thread Guilherme Franco

Hello!

I've created a new sqlippool.conf customized for Oracle.

The queries in there return no errors, but I get this:

modcall:  entering group post-auth for request 0
Value Of the Pool-Name is [FOO] and its [3] Chars
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'BEGIN'
BEGIN
rlm_sql_oracle: execute query failed in sql_query: ORA-06550: line 1,
column 5: PLS-00103: Encountered the symbol end-of-file when
expecting one of the following: begin case declare exit for goto
if loop mod null pragmaraise return select update while with an
identifiera double-quoted delimited-identifier a bind
variable close current delete fetch lock insert open rollback
savepoint set sql execute commit forall merge pipe
rlm_sql_oracle: OCI_SERVER_NORMAL
sqlippool_command: database query error
radius_xlat:  'UPDATE radippool   SET nasipaddress = '', pool_key = 0,
callingstationid = '',   expiry_time = current_timestamp - interval
'1' second(1)   WHERE pool_key = '845414518''
UPDATE radippool   SET nasipaddress = '', pool_key = 0,
callingstationid = '',   expiry_time = current_timestamp - interval
'1' second(1)   WHERE pool_key = '845414518'
radius_xlat:  'SELECT framedipaddress FROM radippool   WHERE pool_name
= 'SPW' AND expiry_time  current_timestamp AND ROWNUM = 1   ORDER BY
(select username from radippool where username  ''), (select
callingstationid from radippool where callingstationid 
'#BRAS-01#this is a description#100#118'), expiry_time   FOR UPDATE'
SELECT framedipaddress FROM radippool   WHERE pool_name = 'SPW' AND
expiry_time  current_timestamp AND ROWNUM = 1   ORDER BY (select
username from radippool where username  ''), (select
callingstationid from radippool where callingstationid 
'#BRAS-01#this is a description#100#118'), expiry_time   FOR UPDATE


So, radiusd -X just stops there (it does not quit), without any more
messages (resulting in a time out for the BRAS).

I know that the only place a BEGIN instance exists is in rlm_sqlippool.c.

Even with sql_trace = yes, I can't see from where this error
(ORA-06550: line 1, column 5: ) is coming from. As a result I don't
know what is in line 1, column 5 to fix it.

Any tips?

After all this help you guys deserve to drink some beer here in Brazil :)

Thanks a lot!


Re: sqlippool not working

2006-09-20 Thread Guilherme Franco

Hello,

Unfortunately, even with  freeradius-snapshot-20060920.tar.gz and
using the ./configure --with-modules=rlm_sqlippool option, the
module did not install.

I needed, again, to compile it manually from
freeradius-snapshot-20060920/src/modules/rlm_sqlippool/

And then, the same problem persists:

Module: Loaded SQL IP Pool
 sqlippool: sql-instance-name = sql
 sqlippool: lease-duration = 86400
 sqlippool: pool-name = 
 sqlippool: allocate-begin = BEGIN
 sqlippool: allocate-clear = 
 sqlippool: allocate-find = 
 sqlippool: allocate-update = 
 sqlippool: allocate-commit = COMMIT
 sqlippool: allocate-rollback = ROLLBACK
 sqlippool: start-begin = BEGIN
 sqlippool: start-update = 
 sqlippool: start-commit = COMMIT
 sqlippool: start-rollback = ROLLBACK
 sqlippool: alive-begin = BEGIN
 sqlippool: alive-update = 
 sqlippool: alive-commit = COMMIT
 sqlippool: alive-rollback = ROLLBACK
 sqlippool: stop-begin = BEGIN
 sqlippool: stop-clear = 
 sqlippool: stop-commit = COMMIT
 sqlippool: stop-rollback = ROLLBACK
 sqlippool: on-begin = BEGIN
 sqlippool: on-clear = 
 sqlippool: on-commit = COMMIT
 sqlippool: on-rollback = ROLLBACK
 sqlippool: off-begin = BEGIN
 sqlippool: off-clear = 
 sqlippool: off-commit = COMMIT
 sqlippool: off-rollback = ROLLBACK
rlm_sqlippool: the 'allocate-clear' statement must be set.

The following is in my radiusd.conf:

 $INCLUDE  ${confdir}/sqlippool.conf

   sqlippool foo {

   range-start = 192.168.1.1
   range-stop = 192.168.3.254

   netmask = 255.255.255.0
   cache-size = 800
   override = no
   maximum-timeout = 0
   }



I didn't modify my sqlippool.conf, so it's the same as
sqlipool.conf,v 1.3 2006/09/13 12:49:37 pnixon Exp $

What can it be?

Also, what values should I populate in radippool table?

PS. Some things left:
IN configure.in (rlm_sql_oracle)
checking for oci.h... configure: WARNING: PETER 1.

IN oracle-dialup.conf
# Optional Query - pnixon
   #accounting_stop_query =

Another issue: with oracle instant_client_10_2, rlm_sql_oracle would
not find its libs, even when the required paths are configured. The
only way that I managed to install it was copying the whole oracle
folder to the freeradius server. I know that's simply a matter of
changing the 10.1.0.3 version and something to the new one in
configure.in of rlm_sql_oracle, but I was in a rush:

# Look for Oracle10g Instant Client installed from RPM
   if test x$ORACLE_INCLUDE = x; then
   old_CFLAGS=$CFLAGS

   AC_MSG_WARN([PETER 1.])
   FR_LOCATE_DIR(oracle_include_dir,oci.h)
   for try in /usr/include/oracle/10.1.0.3/

THANK YOU!


On 9/20/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Wed 20 Sep 2006 05:49, Guilherme Franco wrote:
 I need to thank you again and congratulate you guys for such a great
 support.

You're welcome. Thanks for helping us make FreeRADIUS better :-)

 Question: Even with freeradius-snapshot-20060920.tar.gz I will need to
 use ./configure --with-modules=rlm_sqlippool?

Yes. This is because the module is still considered experimental and is
therefore not enabled by default.

 If all works well, I assume that in radcheck table, the users need to
 have Pool-Name := test_pool right?

Yes. You need to tell FreeRADIUS which pool (if any) to use for that user.
With sqlippool there is effectively no limit on the number of pools you may
have configured (Only limit is disk space on your SQL server and IP space on
your network)

Cheers

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




ULTRA IMPORTANT! Proxy - Assertion failed in listen.c, line 558 error

2006-09-20 Thread Guilherme Franco

HI,

Please, this is a very important problem that is affecting thousands
of customers of mine:

I have 2 realms to send proxy requests to (foo.com and bar.net)

If the proxy server foo.com goes down (for whatever reason) this happens:

rad_recv: Access-Request packet from host 192.168.1.1 port 1385,
id=21, length=60
   User-Name = [EMAIL PROTECTED]
   User-Password = password
 Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 20
   rlm_realm: Looking up realm foo.com for User-Name = [EMAIL PROTECTED]
   rlm_realm: Found realm foo.com
   rlm_realm: Proxying request from user user to realm foo.com
   rlm_realm: Adding Realm = foo.com
   rlm_realm: Preparing to proxy authentication request to realm foo.com
 rlm_eap: No EAP-Message, not doing EAP
modcall: group authorize returns noop for request 20
Sending Access-Request of id 16 to foo.com port 1645
   User-Name = [EMAIL PROTECTED]
   User-Password = password
   NAS-IP-Address = 192.168.1.1
   Proxy-State = 0x3231
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.1 port 1385,
id=21, length=60
Sending duplicate proxied request to home server foo.com port 1645 - ID: 16
Assertion failed in listen.c, line 558
Aborted

Then my radiusd dies and I need to bring it up again.

This is incredibly critical because if domain foo.com dies, my
freeradius server dies too, and in consequence, I can't proxy requests
to bar.net (which have more than 21.000,00 users!)

Thanks!


Re: ULTRA IMPORTANT! Proxy - Assertion failed in listen.c, line 558 error

2006-09-20 Thread Guilherme Franco

Sorry Mr. Alan, for not answering the HUP question before.

No, I'm not HUP'ing the server.

The server is a minimal RHEL AS 4 r3 installation, only with gcc added.

Nothing installed except freeradius-snapshot-20060920.

Is there any other way to generate core dumps without reinstalling
freeradius with ./configure --enable-developer?

If not, it will take only a couple of minutes to get it recompiled again.

Thank you!


On 9/20/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco [EMAIL PROTECTED] wrote:
 If the proxy server foo.com goes down (for whatever reason) this happens:
...
 Sending duplicate proxied request to home server foo.com port 1645 - ID: 16
 Assertion failed in listen.c, line 558

  Are you sure you're not HUP'ing the server?  I asked that before,
and you didn't respond.

  The current CVS code has an issue where it doesn't deal well with
HUPs.  I've been planning on addressing it for a while, but maybe now
is the time to look at it.

  And can you get a core file?  That may help.  See doc/bugs.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: sqlippool not working

2006-09-20 Thread Guilherme Franco

Thanks, that's ok now.

I removed the block as you said and now it shows the queries. I had
added that block earlier because I've seen this configuration in
another post as a working sqlippool configuration...

Now, if netmask does not exist, nor range-start - range-stop, how can
I specify that in radippool?

Please remember that I'm using Oracle and it does not have inet like
postgres, so I've created the tables like this:

CREATE TABLE radippool (
   id                   INT PRIMARY KEY,
   pool_name            VARCHAR(30) NOT NULL,
   framedipaddress      VARCHAR(30) NOT NULL,
   nasipaddress         VARCHAR(30) NOT NULL,
   nas_port             INT NOT NULL,
   calling_station_id   VARCHAR(30) NOT NULL,
   expiry_time          timestamp(0) NOT NULL,
   username             VARCHAR(100)
);

CREATE INDEX radippool_poolname_ipaadr ON radippool (pool_name, framedipaddress);
CREATE INDEX radippool_poolname_expire ON radippool (pool_name, expiry_time);
-- The table's column is nasipaddress, so the indexes must name it that way.
CREATE INDEX radippool_nasipaddr_port ON radippool (nasipaddress, nas_port);
CREATE INDEX radippool_nasipaddr_calling ON radippool (nasipaddress, calling_station_id);

CREATE SEQUENCE radippool_seq START WITH 1 INCREMENT BY 1;

-- Fill id from the sequence when an INSERT leaves it 0 or NULL.
CREATE OR REPLACE TRIGGER radippool_serialnumber
BEFORE INSERT OR UPDATE OF id ON radippool
FOR EACH ROW
BEGIN
    if ( :new.id = 0 or :new.id is null ) then
        SELECT radippool_seq.nextval into :new.id from dual;
    end if;
END;
/


How can I use this, please?

Sorry for bothering about everything, but every time I have a question,
I first search through the entire freeradius maillist, man pages, docs
as well as thoroughly in google. The problem is that usually I don't
find much information about those things, so I come back here to ask.

Thanks a lot!


On 9/20/06, Tuyan Ozipek [EMAIL PROTECTED] wrote:

On Wed, 2006-09-20 at 14:14 -0300, Guilherme Franco wrote:
 Hello,

 Unfortunately, even with  freeradius-snapshot-20060920.tar.gz and
 using the ./configure --with-modules=rlm_sqlippool option, the
 module did not install.

 I needed again, to compile it manuallyThe following is in my radiusd.conf:



$INCLUDE  ${confdir}/sqlippool.conf

get rid of this block, since there is no need for
range,netmask,cache-size,override,timeout...
in sqlippool..
---
sqlippool foo {

range-start = 192.168.1.1
range-stop = 192.168.3.254

netmask = 255.255.255.0
cache-size = 800
override = no
maximum-timeout = 0
   }


you are missing the first pool's trace in the messages and
all you're seeing is the misconfiguration on the second sqlippool
instance..
just keep the $INCLUDE directive, and remove the rest..
there is already an ippool configured in the sqlippool.conf file..


Cheers

Tuyan


 freeradius-snapshot-20060920/src/modules/rlm_sqlippool/

 And then, the same problem persists:

 Module: Loaded SQL IP Pool
   sqlippool: sql-instance-name = sql
   sqlippool: lease-duration = 86400
   sqlippool: pool-name = 
   sqlippool: allocate-begin = BEGIN
   sqlippool: allocate-clear = 
   sqlippool: allocate-find = 
   sqlippool: allocate-update = 
   sqlippool: allocate-commit = COMMIT
   sqlippool: allocate-rollback = ROLLBACK
   sqlippool: start-begin = BEGIN
   sqlippool: start-update = 
   sqlippool: start-commit = COMMIT
   sqlippool: start-rollback = ROLLBACK
   sqlippool: alive-begin = BEGIN
   sqlippool: alive-update = 
   sqlippool: alive-commit = COMMIT
   sqlippool: alive-rollback = ROLLBACK
   sqlippool: stop-begin = BEGIN
   sqlippool: stop-clear = 
   sqlippool: stop-commit = COMMIT
   sqlippool: stop-rollback = ROLLBACK
   sqlippool: on-begin = BEGIN
   sqlippool: on-clear = 
   sqlippool: on-commit = COMMIT
   sqlippool: on-rollback = ROLLBACK
   sqlippool: off-begin = BEGIN
   sqlippool: off-clear = 
   sqlippool: off-commit = COMMIT
   sqlippool: off-rollback = ROLLBACK
 rlm_sqlippool: the 'allocate-clear' statement must be set.

 The following is in my radiusd.conf:

   $INCLUDE  ${confdir}/sqlippool.conf

 sqlippool foo {

 range-start = 192.168.1.1
 range-stop = 192.168.3.254

 netmask = 255.255.255.0
 cache-size = 800
 override = no
 maximum-timeout = 0
 }

 

 I didn't modified my sqlippool.conf, so it's the same as
 sqlipool.conf,v 1.3 2006/09/13 12:49:37 pnixon Exp $

 What can it be?

 Also, what values should I populate in radippool table?

 PS. Some things left:
 IN configure.in (rlm_sql_oracle)
 checking for oci.h... configure: WARNING: PETER 1.

 IN oracle-dialup.conf
 # Optional Query - pnixon
 #accounting_stop_query =

 Another issue: with oracle instant_client_10_2, rlm_sql_oracle would

Re: ULTRA IMPORTANT! Proxy - Assertion failed in listen.c, line 558 error

2006-09-20 Thread Guilherme Franco

Hello,

Because I need the sqlippool.

I was using 1.1.2 and when 1.1.3 was released, I was in a rush to
deliver a working environment to the client. 1.1.3 broke some things
for me. Because of that I started to use CVS nightly builds.

Until now, no other problem has appeared besides the listen.c one.

Thanks.


On 9/20/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi,

 Nothing installed except freeradius-snapshot-20060920.

critical service for thousands of users and you're using
a developmental snapshot version?  What about using
a standard release, eg 1.1.3 ?

alan


Re: sqlippool not working

2006-09-20 Thread Guilherme Franco

Thanks,

I used that broken config because it was stated in freeradius user
list as Sucsessfully installed rlm_sqlippool from Alfred H. Dahl in
Tue, 8 Feb 2005 20:58:34 +0100.

I did read the docs.

I only didn't know how could I specify 192.168.1.1/28, if I do not
have inet, but that's ok.

Thanks everybody, I'm going to test all until it works now!

Case closed, thanks.

On 9/20/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Wed 20 Sep 2006 23:32, Guilherme Franco wrote:
 Thanks, that's ok now.

 I removed the block as you said and now it shows the queries. I had
 added those block earlier because I've seen this configuration from
 another post as a working sqlippool configuration...

OK. Well, if you had just used the existing config files instead of adding
your own broken config it would have worked all along :-)

 Now, if netmask does not exist, nor range-start - range-stop, how can
 I specify that in radippool?

You do not! As doc/rlm_sqlippool states:

The initialization of the radippool table is left to the user instead of
being handled inside the module. This allows pool management to be done
from any sql capable programming language and pools can be created,
resized, deleted at run time without radiusd needing to be restarted.

The only required fields are, pool_name and ip_address. A pool consists
of one or more rows in the table with the same pool_name and a different
ip_address. The is no restriction on which ip addresses/ranges may be in
the same pool, and addresses do not need to be concurrent.



The fact that you are asking this means that you did NOT read the docs :-)

 Please remember that I'm using Oracle and it does not have inet like
 postgres, so I've created the tables like this:

You are going to have to work out the oracle specifics yourself but the
structure you have looks ok to me. The INET type is not necessary, although
it IS more efficient.

Cheers

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
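
The doc/rlm_sqlippool excerpt quoted in the reply above leaves populating radippool to the user, one row per address. The following is an added example, not code from this thread or from FreeRADIUS, that expands a CIDR block or a range-start/range-stop pair into INSERT statements for the Oracle table posted earlier in the thread; the helper names, the "-" placeholder for unassigned NOT NULL columns and seeding nas_port with 0 are assumptions.

```python
import ipaddress
from typing import Iterable, List, Optional

# Columns come from the CREATE TABLE radippool posted in this thread; "id" is
# omitted so the radippool_serialnumber trigger fills it from radippool_seq.
COLUMNS = ("pool_name", "framedipaddress", "nasipaddress", "nas_port",
           "calling_station_id", "expiry_time")
# Assumption: "-" marks an unassigned lease. Oracle stores '' in a VARCHAR
# column as NULL, which the NOT NULL columns of that table would reject.
UNASSIGNED = "-"
# Expression taken from the thread's UPDATE statement: an expiry in the past.
EXPIRED = "current_timestamp - interval '1' second(1)"


def expand(spec: str, prefixlen: Optional[int] = None) -> List[ipaddress.IPv4Address]:
    """Expand 'a.b.c.d/nn' or 'first-last' into individual IPv4 addresses.

    prefixlen (e.g. 24 for netmask 255.255.255.0) drops the network and
    broadcast address of every subnet of that size that the result crosses.
    """
    spec = spec.strip()
    if "-" in spec:
        first_s, last_s = (part.strip() for part in spec.split("-", 1))
        first = ipaddress.IPv4Address(first_s)
        last = ipaddress.IPv4Address(last_s)
        if first > last:
            raise ValueError(f"range start {first} is above range stop {last}")
        addrs = [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]
    else:
        # strict=False accepts '192.168.1.1/28' and uses the enclosing network.
        net = ipaddress.IPv4Network(spec, strict=False)
        # /31 and /32 have no separate network/broadcast address: keep them all.
        addrs = list(net.hosts()) if net.prefixlen < 31 else list(net)
    if prefixlen is not None:
        if not 0 <= prefixlen <= 30:
            raise ValueError("prefixlen must be between 0 and 30")
        host_mask = (1 << (32 - prefixlen)) - 1
        addrs = [a for a in addrs if (int(a) & host_mask) not in (0, host_mask)]
    return addrs


def quote(value: str) -> str:
    """Render a string as an Oracle literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def seed_statements(pool_name: str, specs: Iterable[str],
                    prefixlen: Optional[int] = None) -> List[str]:
    """Return one INSERT per distinct address, in ascending address order."""
    if not 0 < len(pool_name) <= 30:
        raise ValueError("pool_name must fit the VARCHAR(30) column")
    seen = set()
    for spec in specs:
        seen.update(expand(spec, prefixlen))  # overlapping specs are merged
    statements = []
    for addr in sorted(seen):
        values = (quote(pool_name), quote(str(addr)), quote(UNASSIGNED), "0",
                  quote(UNASSIGNED), EXPIRED)
        statements.append(
            f"INSERT INTO radippool ({', '.join(COLUMNS)}) "
            f"VALUES ({', '.join(values)});")
    return statements


if __name__ == "__main__":
    # Constructed input: the range and netmask from the radiusd.conf block
    # that the thread says to remove, moved into the table instead.
    rows = seed_statements("FOO", ["192.168.1.1-192.168.3.254"], prefixlen=24)
    print(f"-- {len(rows)} addresses")
    print("\n".join(rows[:3]))
    print("COMMIT;")
```

Rows are seeded with an expiry one second in the past, the same value the thread's UPDATE writes when it clears a lease. Users are then pointed at the pool through Pool-Name, as confirmed earlier in the thread.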




Oracle conf Attached: sqlippool not working

2006-09-19 Thread Guilherme Franco

Hi Mr. Peter,

Like you told me before, you did some cleanups in the sqlippool.conf.

Well, I've tried to install todays freeradius CVS, and it installed
without the sqlippool module, don't know why.

So, I've compiled it manually from
freeradius-snapshot-20060918/src/modules/rlm_sqlippool/

OK, but when I run radiusd -X, I got this in the end, regardless of my
configuration in sqlippool.conf and radiusd.conf:

Module: Loaded SQL IP Pool
 sqlippool: sql-instance-name = sql
 sqlippool: lease-duration = 86400
 sqlippool: pool-name = 
 sqlippool: allocate-begin = BEGIN
 sqlippool: allocate-clear = 
 sqlippool: allocate-find = 
 sqlippool: allocate-update = 
 sqlippool: allocate-commit = COMMIT
 sqlippool: allocate-rollback = ROLLBACK
 sqlippool: start-begin = BEGIN
 sqlippool: start-update = 
 sqlippool: start-commit = COMMIT
 sqlippool: start-rollback = ROLLBACK
 sqlippool: alive-begin = BEGIN
 sqlippool: alive-update = 
 sqlippool: alive-commit = COMMIT
 sqlippool: alive-rollback = ROLLBACK
 sqlippool: stop-begin = BEGIN
 sqlippool: stop-clear = 
 sqlippool: stop-commit = COMMIT
 sqlippool: stop-rollback = ROLLBACK
 sqlippool: on-begin = BEGIN
 sqlippool: on-clear = 
 sqlippool: on-commit = COMMIT
 sqlippool: on-rollback = ROLLBACK
 sqlippool: off-begin = BEGIN
 sqlippool: off-clear = 
 sqlippool: off-commit = COMMIT
 sqlippool: off-rollback = ROLLBACK
rlm_sqlippool: the 'allocate-clear' statement must be set.

My radiusd.conf

sqlippool testpool {
   $INCLUDE ${confdir}/sqlippool.conf

   sql-server == x.x.x.x
   sql-login == foo
   sql-password == foo
   sql-db == foo

   range-start == 1.1.1.1
   range-stop == 1.1.1.100
   netmask == 255.255.255.0
   lease-duration == 86400
   }

My DB:
CREATE TABLE radippool (
   id                   INT PRIMARY KEY,
   pool_name            VARCHAR(30) NOT NULL,
   framedipaddress      VARCHAR(30) NOT NULL,
   nasipaddress         VARCHAR(30) NOT NULL,
   nas_port             INT NOT NULL,
   calling_station_id   VARCHAR(30) NOT NULL,
   expiry_time          timestamp(0) NOT NULL,
   username             VARCHAR(100)
);
with all the sequences, indexes and triggers included

It's not even trying to access the Oracle server.

What can it be?

Thanks!


ERROR! Proxy listen.c error

2006-09-19 Thread Guilherme Franco

Indeed, but it's happening, and now, even with ADSL modem, as you can
see in the radiusd -X output below:

This occurs if user mistypes password or if the realm server is down:

rad_recv: Access-Request packet from host 192.168.1.1 port 1385,
id=21, length=60
   User-Name = [EMAIL PROTECTED]
   User-Password = password
 Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 20
   rlm_realm: Looking up realm realm.com for User-Name = [EMAIL PROTECTED]
   rlm_realm: Found realm realm.com
   rlm_realm: Proxying request from user user to realm realm.com
   rlm_realm: Adding Realm = realm.com
   rlm_realm: Preparing to proxy authentication request to realm realm.com
 rlm_eap: No EAP-Message, not doing EAP
modcall: group authorize returns noop for request 20
Sending Access-Request of id 16 to 192.168.1.2 port 1645
   User-Name = [EMAIL PROTECTED]
   User-Password = password
   NAS-IP-Address = 192.168.1.1
   Proxy-State = 0x3231
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.1 port 1385,
id=21, length=60
Sending duplicate proxied request to home server 192.168.1.2 port 1645 - ID: 16
Assertion failed in listen.c, line 558
Aborted


Thanks.

Guilherme Franco guilhermefranco at gmail.com wrote:

I was worried about this, but when I tested with the user
authenticating from an ADSL modem, there are no problems.

So, might be just another of ERX's crazy behaviors.


 Still... it shouldn't kill the server.

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog


Matter of Life and Death - SQL and Proxy

2006-09-19 Thread Guilherme Franco

Hello,

I work in a Carrier and have an important question regarding SQL query check:

I need to check a value in authorize_check_query (oracle-dialup.conf)
to see if the user has paid for his ADSL service. If he has paid for the
service, the request would be proxied to the ISP radius to
authenticate the user; otherwise, the access needs to be rejected. So,
the query would be checked like that:

authorize_check_query = SELECT id,UserName,Attribute,Value,op,PAID
FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' AND PAID =
'YES' ORDER BY id

The problem is, If PAID != YES, the user is not found by the SELECT
(correctly) but the request is still proxied to the ISP (normal proxy
behaviour).

What can I do to reject the request and not proxy it?

Please help!

Thank you.


Re: sqlippool not working

2006-09-19 Thread Guilherme Franco

Gentlemen,

Thank you very much for lending me your time.

I'm downloading freeradius-snapshot-20060919.tar.gz right now.

Yes, my allocate-clear is configured exactly as Tuyan's and that's why
I stated before that regardless of my configuration in sqlippool.conf
and radiusd.conf the trace is always empty.

For example, if in sqlippool.conf I set sql-instance-name = foobar,
the output of radiusd -X is always:

Module: Loaded SQL IP Pool
sqlippool: sql-instance-name = sql

That's OK, I'm using the regular ippool in radiusd.conf for now and it
works great when in table radcheck the values of the username are
Pool-Name := test_pool.

I'm going to compile the latest build and see if it works.

P.S: Tuyan, do you run sqlippool in production using ORACLE? Because
I'm using Oracle 10g r2 64-bit and it does not work for now.

Thank you very much!






On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote:

It turns out that sqlippool.conf was in the Makefile for 1.1.x but not for CVS
head. It didn't affect us because we use an rpm.

Guilherme can you please test a new cvs checkout?

Also, because sqlippool is still experimental you need to explicitly enable it
with

./configure --with-modules=rlm_sqlippool

Cheers

Peter

On Tue 19 Sep 2006 17:44, Tuyan Ozipek wrote:
 Hi Peter,

 When i installed (compiled from source) the
 freeradius-snapshot-20060918 tarball, the only missing thing was
 the sqlippool.conf file (which i copied from some other test
 environment). Since sqlippool module is not(yeah, we run it on
 production happily for sometime..) considered stable yet, we do not
 build it by default.(Lets check sqlippool.conf file installation in the
 makefiles tho.)

 I am running it now on my development machine with no problems.

 The only thing possible is there is some type of typo in the config file
 that Guilherme Franco is using.

 Also, trace shows that there is no allocate-clear statement set for
 sqlippool to use.


 Here is the allocate-clear statement that I used for my test..

  allocate-clear = UPDATE radippool \
   SET nasipaddress = '', pool_key = 0, callingstationid = '', \
   expiry_time = 'now'::timestamp(0) - '1 second'::interval \
   WHERE pool_key = '${pool-key}'



 Regards

 On Tue, 2006-09-19 at 00:27 +0300, Peter Nixon wrote:
  --  Forwarded Message  --
 
  Subject: sqlippool not working
  Date: Mon 18 Sep 2006 23:40
  From: Guilherme Franco [EMAIL PROTECTED]
  To: FreeRadius users mailing list
  freeradius-users@lists.freeradius.org
 
  Hi Peter,
 
  Like you told me before, you did some cleanups in the sqlippool.conf.
 
  Well, I've tried to install today's freeradius CVS, and it installed
  without the sqlippool module, don't know why.
 
  So, I've compiled it manually from
  freeradius-snapshot-20060918/src/modules/rlm_sqlippool/
 
  OK, but when I run radiusd -X, I got this in the end, regardless of my
  configuration in sqlippool.conf and radiusd.conf:
 
  Module: Loaded SQL IP Pool
sqlippool: sql-instance-name = sql
sqlippool: lease-duration = 86400
sqlippool: pool-name = 
sqlippool: allocate-begin = BEGIN
sqlippool: allocate-clear = 
sqlippool: allocate-find = 
sqlippool: allocate-update = 
sqlippool: allocate-commit = COMMIT
sqlippool: allocate-rollback = ROLLBACK
sqlippool: start-begin = BEGIN
sqlippool: start-update = 
sqlippool: start-commit = COMMIT
sqlippool: start-rollback = ROLLBACK
sqlippool: alive-begin = BEGIN
sqlippool: alive-update = 
sqlippool: alive-commit = COMMIT
sqlippool: alive-rollback = ROLLBACK
sqlippool: stop-begin = BEGIN
sqlippool: stop-clear = 
sqlippool: stop-commit = COMMIT
sqlippool: stop-rollback = ROLLBACK
sqlippool: on-begin = BEGIN
sqlippool: on-clear = 
sqlippool: on-commit = COMMIT
sqlippool: on-rollback = ROLLBACK
sqlippool: off-begin = BEGIN
sqlippool: off-clear = 
sqlippool: off-commit = COMMIT
sqlippool: off-rollback = ROLLBACK
  rlm_sqlippool: the 'allocate-clear' statement must be set.
 
  It's not even trying to access the Oracle server.
 
  What can it be?
 
  Thanks!
 
  ---

--
Peter Nixon mailto:[EMAIL PROTECTED] Chief Technologist
Suntel Communications http://www.suntel.com.tr
TR tel:+902123369299   US tel:+13103177825   UK tel:+448700685002
VoIP sip:[EMAIL PROTECTED]  IM jabber:[EMAIL PROTECTED]

Absolutum obsoletum. (If it works, it's out of date.) -- Stafford Beer
--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc





Re: sqlippool not working

2006-09-19 Thread Guilherme Franco

Thank you.

That's the problem, I have 2 RADIUS servers working concurrently. If I
set one ippool in server1, server2 needs another ippool with another
range, and that's a grand problem.

This is why I need sqlippool.

I'm going to test freeradius-snapshot-20060920.tar.gz and see if it works.

Is there any other way to succeed with 2 radius servers (other than
creating the pool in the BRAS)? I'm kinda stuck here with this.

Thank you very much.

On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote:

Hi Guilherme

A couple of things.

I just updated the cvs so freeradius-snapshot-20060919.tar.gz is not current
enough. You need to get freeradius-snapshot-20060920.tar.gz once it is rolled
later tonight, or get the latest code from the repository using cvs

Secondly, Tuyan works together with me. All of our production deployments of
sqlippool are currently on Postgresql although we do plan on deploying on
Oracle for some customers in future (After we have finished code development
on sqlippool)

Thirdly if you have only one RADIUS server and only one ippool then using
rlm_ippool is probably the way to go. If you have more than one RADIUS server
then you definitely need a centralised database (which sqlippool allows). If
you have many ippools then sqlippool also allows you to modify them on the
fly without a service restart.

Cheers

Peter

On Tue 19 Sep 2006 21:58, you wrote:
 Gentlemen,

 Thank you very much for lending me your time.

 I'm downloading freeradius-snapshot-20060919.tar.gz right now.

 Yes, my allocate-clear is configured exactly as Tuyan's and that's why
 I stated before that regardless of my configuration in sqlippool.conf
 and radiusd.conf the trace is always empty.

 For example, if in sqlippool.conf I set sql-instance-name = foobar,
 the output of radiusd -X is always:

 Module: Loaded SQL IP Pool
 sqlippool: sql-instance-name = sql

 That's OK, I'm using the regular ippool in radiusd.conf for now and it
 works great when in table radcheck the values of the username are
 Pool-Name := test_pool.

 I'm going to compile the latest build and see if it works.

 P.S: Tuyan, do you run sqlippool in production using ORACLE? Because
 I'm using Oracle 10g r2 64-bit and it does not work for now.

 Thank you very much!

 On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote:
  It turns out that sqlippool.conf was in the Makefile for 1.1.x but not
  for CVS head. It didn't affect us because we use an rpm.
 
  Guilherme can you please test a new cvs checkout?
 
  Also, because sqlippool is still experimental you need to explicitly
  enable it with
 
  ./configure --with-modules=rlm_sqlippool
 
  Cheers
 
  Peter
 
  On Tue 19 Sep 2006 17:44, Tuyan Ozipek wrote:
   Hi Peter,
  
   When I installed (compiled from source) the
   freeradius-snapshot-20060918 tarball, the only missing thing was
   the sqlippool.conf file (which I copied from some other test
   environment). Since sqlippool module is not (yeah, we run it on
   production happily for some time..) considered stable yet, we do not
   build it by default. (Let's check sqlippool.conf file installation in the
   makefiles tho.)
  
   I am running it now on my development machine with no problems.
  
   The only thing possible is there is some type of typo in the config
   file that Guilherme Franco is using.
  
   Also, trace shows that there is no allocate-clear statement set for
   sqlippool to use.
  
  
   Here is the allocate-clear statement that I used for my test..
  
allocate-clear = UPDATE radippool \
 SET nasipaddress = '', pool_key = 0, callingstationid = '', \
 expiry_time = 'now'::timestamp(0) - '1 second'::interval \
 WHERE pool_key = '${pool-key}'
  
  
  
   Regards
  
   On Tue, 2006-09-19 at 00:27 +0300, Peter Nixon wrote:
--  Forwarded Message  --
   
Subject: sqlippool not working
Date: Mon 18 Sep 2006 23:40
From: Guilherme Franco [EMAIL PROTECTED]
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
   
Hi Peter,
   
Like you told me before, you did some cleanups in the sqlippool.conf.
   
Well, I've tried to install today's freeradius CVS, and it installed
without the sqlippool module, don't know why.
   
So, I've compiled it manually from
freeradius-snapshot-20060918/src/modules/rlm_sqlippool/
   
OK, but when I run radiusd -X, I got this in the end, regardless of
my configuration in sqlippool.conf and radiusd.conf:
   
Module: Loaded SQL IP Pool
  sqlippool: sql-instance-name = sql
  sqlippool: lease-duration = 86400
  sqlippool: pool-name = 
  sqlippool: allocate-begin = BEGIN
  sqlippool: allocate-clear = 
  sqlippool: allocate-find = 
  sqlippool: allocate-update = 
  sqlippool: allocate-commit = COMMIT
  sqlippool: allocate-rollback = ROLLBACK
  sqlippool: start-begin = BEGIN
  sqlippool: start-update = 
  sqlippool: start-commit = COMMIT
  sqlippool: start-rollback

Re: Matter of Life and Death - SQL and Proxy

2006-09-19 Thread Guilherme Franco

Thank you very much, I will test it out.

In the meantime I figured out to use radgroupcheck with values
Auth-Type=Reject and some users associated to that usergroup.

Thanks again!


06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco [EMAIL PROTECTED] wrote:
 The problem is, If PAID != YES, the user is not found by the SELECT
 (correctly) but the request is still proxied to the ISP (normal proxy
 behaviour).

 What can I do to reject the request and not proxy it?

  Configure an SQL module instance *just* for this query.  See
doc/configurable_failover for an example sql sql1   Let's call
this module is_paid.  See doc/configurable_failover again for what
to do on module return codes.

  Then in the authorize section, do:
...
  is_paid {
  notfound = reject
  }
...


  This will make the user be rejected if they are not paid up.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: sqlippool not working

2006-09-19 Thread Guilherme Franco

Yes, that's true.

Unfortunately, the IT area developed a software that creates users in
a GUI and then those users go to Oracle. The application would also
create and manage ip-pools. (just like a Dialup-up admin).

Because of that, I desperately need sqlippool in oracle. Can't be done
in the BRAS manually then.

Thanks.

On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote:

If you can (ie. If you control the NAS equipment) then I recommend you create
your dynamic pools there and only assign static ips from radius as a NAS will
ALWAYS be better at knowing who is connected to it than RADIUS will.

In the case where you do not control the NAS equipment, then radius based
IPPools come to the rescue.

Cheers

Peter

On Tue 19 Sep 2006 22:55, you wrote:
 Thank you.

 That's the problem, I have 2 RADIUS servers working concurrently. If I
 set one ippool in server1, server2 needs another ippool with another
 range, and that's a grand problem.

 This is why I need sqlippool.

 I'm going to test freeradius-snapshot-20060920.tar.gz and see if it works.

 Is there any other way to succeed with 2 radius servers (other than
 creating the pool in the BRAS)? I'm kinda stuck here with this.

 Thank you very much.

 On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote:
  Hi Guilherme
 
  A couple of things.
 
  I just updated the cvs so freeradius-snapshot-20060919.tar.gz is not
  current enough. You need to get freeradius-snapshot-20060920.tar.gz once
  it is rolled later tonight, or get the latest code from the repository
  using cvs
 
  Secondly, Tuyan works together with me. All of our production deployments
  of sqlippool are currently on Postgresql although we do plan on deploying
  on Oracle for some customers in future (After we have finished code
  development on sqlippool)
 
  Thirdly if you have only one RADIUS server and only one ippool then using
  rlm_ippool is probably the way to go. If you have more than one RADIUS
  server then you definitely need a centralised database (which sqlippool
  allows). If you have many ippools then sqlippool also allows you to
  modify them on the fly without a service restart.
 
  Cheers
 
  Peter
 
  On Tue 19 Sep 2006 21:58, you wrote:
   Gentlemen,
  
   Thank you very much for lending me your time.
  
   I'm downloading freeradius-snapshot-20060919.tar.gz right now.
  
   Yes, my allocate-clear is configured exactly as Tuyan's and that's why
   I stated before that regardless of my configuration in sqlippool.conf
   and radiusd.conf the trace is always empty.
  
   For example, if in sqlippool.conf I set sql-instance-name = foobar,
   the output of radiusd -X is always:
  
   Module: Loaded SQL IP Pool
   sqlippool: sql-instance-name = sql
  
   That's OK, I'm using the regular ippool in radiusd.conf for now and it
   works great when in table radcheck the values of the username are
   Pool-Name := test_pool.
  
   I'm going to compile the latest build and see if it works.
  
   P.S: Tuyan, do you run sqlippool in production using ORACLE? Because
   I'm using Oracle 10g r2 64-bit and it does not work for now.
  
   Thank you very much!
  
   On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote:
It turns out that sqlippool.conf was in the Makefile for 1.1.x but
not for CVS head. It didn't affect us because we use an rpm.
   
Guilherme can you please test a new cvs checkout?
   
Also, because sqlippool is still experimental you need to explicitly
enable it with
   
./configure --with-modules=rlm_sqlippool
   
Cheers
   
Peter
   
On Tue 19 Sep 2006 17:44, Tuyan Ozipek wrote:
 Hi Peter,

 When I installed (compiled from source) the
 freeradius-snapshot-20060918 tarball, the only missing thing was
 the sqlippool.conf file (which I copied from some other test
 environment). Since sqlippool module is not (yeah, we run it on
 production happily for some time..) considered stable yet, we do not
 build it by default. (Let's check sqlippool.conf file installation in
 the makefiles tho.)

 I am running it now on my development machine with no problems.

 The only thing possible is there is some type of typo in the config
 file that Guilherme Franco is using.

 Also, trace shows that there is no allocate-clear statement set for
 sqlippool to use.


 Here is the allocate-clear statement that I used for my test..

  allocate-clear = UPDATE radippool \
   SET nasipaddress = '', pool_key = 0, callingstationid = '', \
   expiry_time = 'now'::timestamp(0) - '1 second'::interval \
   WHERE pool_key = '${pool-key}'



 Regards

 On Tue, 2006-09-19 at 00:27 +0300, Peter Nixon wrote:
  --  Forwarded Message  --
 
  Subject: sqlippool not working
  Date: Mon 18 Sep 2006 23:40
  From: Guilherme Franco [EMAIL PROTECTED]
  To: FreeRadius users mailing list
  freeradius-users@lists.freeradius.org
 
  Hi

Re: sqlippool not working

2006-09-19 Thread Guilherme Franco

I need to thank you again and congratulate you guys for such a great support.

Question: Even with freeradius-snapshot-20060920.tar.gz I will need to
use ./configure --with-modules=rlm_sqlippool?

If all works well, I assume that in radcheck table, the users need to
have Pool-Name := test_pool right?

Thanks a lot.

On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Wed 20 Sep 2006 01:51, Tuyan Ozipek wrote:
 Hi everybody,
 Sorry for not being able to cc to radius-users list.
 I will be on the list as soon as possible.

  Gentlemen,
 
  Thank you very much for lending me your time.

 That's ok. Thank you for testing the software...

  I'm downloading freeradius-snapshot-20060919.tar.gz right now.
 
  Yes, my allocate-clear is configured exactly as Tuyan's and that's why
  I stated before that regardless of my configuration in sqlippool.conf
  and radiusd.conf the trace is always empty.
 
  For example, if in sqlippool.conf I set sql-instance-name = foobar,
  the output of radiusd -X is always:
 
  Module: Loaded SQL IP Pool
  sqlippool: sql-instance-name = sql

 There should be something wrong with your sqlippool.conf file, are you
 sure you are including the right one from the main radius configuration
 file? All the variables that we see in your trace, are the default
 ones. Basically we are putting them in case there is no value set for
 that variable..
 For example: If there is no sql-instance-name set in your
 sqlippool.conf file, we set it as sql internally.

 Please double check your include paths for the sqlippool.conf file.
 Is there any sqlippool { } directives hanging around in your
 radiusd.conf? Maybe a clean install with ./configure --prefix=/xxx/xxx
 can help you to find the config problem as well..

My guess is that his problem is caused by the way he built sqlippool:

 Well, I've tried to install today's freeradius CVS, and it installed
 without the sqlippool module, don't know why.
 So, I've compiled it manually from
 freeradius-snapshot-20060918/src/modules/rlm_sqlippool/

If he does a clean install from tonight's cvs I think everything will work as
expected.

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
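
The check discussed in this message (does the `radiusd -X` trace show the values from your sqlippool.conf, or only the built-in defaults?) can be automated. The following is an added example, not code from the thread or from FreeRADIUS: the function names, the quoting style in the sample config and the `sqlippool { }` wrapper are assumptions, and both samples are constructed from the statement and trace quoted in the thread.

```python
import re

# Constructed sample: the section the administrator believes is in effect.
# The allocate-clear statement is the one posted in the thread.
SAMPLE_CONF = r"""
sqlippool {
    sql-instance-name = "foobar"
    lease-duration = 86400
    allocate-clear = "UPDATE radippool \
      SET nasipaddress = '', pool_key = 0, callingstationid = '', \
      expiry_time = 'now'::timestamp(0) - '1 second'::interval \
      WHERE pool_key = '${pool-key}'"
}
"""

# Constructed excerpt of the debug trace quoted in the thread.
SAMPLE_DEBUG = """
Module: Loaded SQL IP Pool
 sqlippool: sql-instance-name = sql
 sqlippool: lease-duration = 86400
 sqlippool: pool-name =
 sqlippool: allocate-begin = BEGIN
 sqlippool: allocate-clear =
 sqlippool: allocate-commit = COMMIT
rlm_sqlippool: the 'allocate-clear' statement must be set.
"""

KV = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")


def _norm(value):
    """Drop surrounding double quotes and collapse runs of whitespace."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return " ".join(value.split())


def parse_conf(text, section="sqlippool"):
    """Return {key: value} for one module section of a config file."""
    # Backslash-newline continues a statement on the next line.
    joined = re.sub(r"\\\r?\n[ \t]*", " ", text)
    values, inside = {}, False
    for line in joined.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if re.match(rf"^{re.escape(section)}\s*\{{$", stripped):
            inside = True
        elif stripped == "}":
            inside = False
        elif inside:
            m = KV.match(stripped)
            if m:
                values[m.group(1)] = _norm(m.group(2))
    return values


def parse_debug(text, module="sqlippool"):
    """Return {key: value} from the 'sqlippool: key = value' debug lines."""
    pat = re.compile(
        rf"^\s*{re.escape(module)}:\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")
    return {m.group(1): _norm(m.group(2))
            for m in map(pat.match, text.splitlines()) if m}


def find_drift(conf, loaded):
    """List (key, configured, loaded) for every value the server did not load."""
    drift = []
    for key, want in conf.items():
        got = loaded.get(key)
        if got is None:
            drift.append((key, want, "<not reported>"))
        elif got != want:
            drift.append((key, want, got))
    return drift


if __name__ == "__main__":
    for key, want, got in find_drift(parse_conf(SAMPLE_CONF),
                                     parse_debug(SAMPLE_DEBUG)):
        print(f"{key}: configured {want!r}, server loaded {got!r}")
```

If every configured key shows up as drift, the server is not reading that file at all, which points at the include path or the build rather than at the statements themselves.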





Re: ERROR! Proxy listen.c error

2006-09-18 Thread Guilherme Franco

Hello, Mr. DeKok,

I've figured out that this problem only appears if I do a test aaa
ppp user password from Juniper's ERX (and only if proxying is used).

I was worried about this, but when I tested with the user
authenticating from an ADSL modem, there are no problems.

So, might be just another of ERX's crazy behaviors.

Thanks!

On 9/18/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco [EMAIL PROTECTED] wrote:
 Using Proxy, when user mistypes the password, radiusd -X crashes with
 Assertion failed in listen.c, line 558

  I don't see that here...  Are you HUP'ing the server?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Fwd: VSA does not work when using PROXY

2006-09-18 Thread Guilherme Franco

Hello,

I've just managed to make it work using := instead of == in attrs file.

:)


-- Forwarded message --
From: Guilherme Franco [EMAIL PROTECTED]
Date: Sep 15, 2006 3:51 PM
Subject: VSA does not work when using PROXY
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org


Hello,

Please Help!

Using latest CVS - Proxy-Radius does not pass the VSA, as below (in users):

DEFAULT Pool-Name := test
  X-Ascend-Client-Primary-DNS = x.x.x.x,
  X-Ascend-Client-Assign-DNS = 1,
  ERX-Virtual-Router-Name = default,
  Framed-Routing == None,
  Framed-Protocol = PPP,
  Service-Type = Framed-User

note: those VSAs work correctly when I try with local users (no proxy):

In attrs file:

realm
  Service-Type == Framed-User,
  Framed-Protocol == PPP,
  X-Ascend-Client-Primary-DNS == x.x.x.x,
  X-Ascend-Client-Assign-DNS == 1,
  ERX-Virtual-Router-Name == default,
  Idle-Timeout = 600,
  Session-Timeout = 28800

Output:

rad_recv: Access-Request packet from host x.x.x.x port 5, id=55, length=251
   User-Password = xxx
   User-Name = [EMAIL PROTECTED]
   Acct-Session-Id = erx atm 3/2.42:100.221:0009437817
   Service-Type = Framed-User
   Framed-Protocol = PPP
   ERX-Pppoe-Description = pppoe 12:34:56:78:9a:bc
   Calling-Station-Id = #BRAS-01#this is a description#100#221
   Connect-Info = speed:UBR:12000
   NAS-Port-Type = xDSL
   NAS-Port = 845414621
   NAS-Port-Id = atm 3/2.42:100.221
   NAS-IP-Address = x.x.x.x
   NAS-Identifier = BRAS-01
 Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 0
   rlm_realm: Looking up realm realm for User-Name = xxx
   rlm_realm: Found realm realm
   rlm_realm: Adding Stripped-User-Name = xxx
   rlm_realm: Proxying request from user xxx to realm realm
   rlm_realm: Adding Realm = realm
   rlm_realm: Preparing to proxy authentication request to realm realm
 rlm_eap: No EAP-Message, not doing EAP
   users: Matched entry DEFAULT at line 194
modcall: group authorize returns noop for request 0
Sending Access-Request of id 155 to x.x.x.x port 1645
   User-Password = xxx
   User-Name = xxx
   Acct-Session-Id = erx atm 3/2.42:100.221:0009437817
   Service-Type = Framed-User
   Framed-Protocol = PPP
   ERX-Pppoe-Description = pppoe 12:34:56:78:9a:bc
   Calling-Station-Id = #BRAS-01#this is a description#100#221
   Connect-Info = speed:UBR:12000
   NAS-Port-Type = xDSL
   NAS-Port = 845414621
   NAS-Port-Id = atm 3/2.42:100.221
   NAS-IP-Address = x.x.x.x
   NAS-Identifier = BRAS-01
   Proxy-State = 0x3535
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Accept packet from host x.x.x.x port 1645, id=155, length=60
   Framed-IP-Address = 255.255.255.254
   Framed-IP-Netmask = 255.255.255.255
   Framed-MTU = 576
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   Proxy-State = 0x3535
 Processing the post-proxy section of radiusd.conf
modcall:  entering group post-proxy for request 0
attr_filter: Matched entry realm at line 52
modcall: group post-proxy returns noop for request 0
authorize: Skipping authorize in post-proxy stage
 rad_check_password:  Found Auth-Type
 rad_check_password: Auth-Type = Accept, accepting the user
 Processing the post-auth section of radiusd.conf
modcall:  entering group post-auth for request 0
radius_xlat:  'x.x.x.x 845414621'
rlm_ippool: MD5 on 'key' directive maps to: 6e4d4f13b0396f83e15609738a3bc036
rlm_ippool: Searching for an entry for key: '6e4d4f13b0396f83e15609738a3bc036'
rlm_ippool: Allocating ip to key: '6e4d4f13b0396f83e15609738a3bc036'
rlm_ippool: num: 1
rlm_ippool: Allocated ip x.x.x.x to client key: 6e4d4f13b0396f83e15609738a3bc036
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 55 to x.x.x.x port 5
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address = x.x.x.x
   Framed-IP-Netmask = 255.255.255.255
Finished request 0
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 55 with timestamp 450b0ba9
Nothing to do.  Sleeping until we see a request.

As you can see, the VSA was not included in the Access-Accept response.

Please HELP!


THANKS!
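
Why switching the attrs entries from == to := changes the result can be seen in a small model of the post-proxy attribute filter. This is an added example, not FreeRADIUS code: it models only the ==, =* and := operators, it assumes a reply attribute is kept only when every filter rule for that attribute matches, the function names are hypothetical, and the DNS address is a constructed documentation value. The reply is the home server's Access-Accept from the trace above.

```python
import re

RULE_RE = re.compile(r"^([\w-]+)\s*(:=|==|=\*)\s*(.*)$")

# Home server reply, copied from the Access-Accept in the trace.
REPLY = [
    ("Framed-IP-Address", "255.255.255.254"),
    ("Framed-IP-Netmask", "255.255.255.255"),
    ("Framed-MTU", "576"),
    ("Service-Type", "Framed-User"),
    ("Framed-Protocol", "PPP"),
    ("Framed-Compression", "Van-Jacobson-TCP-IP"),
    ("Proxy-State", "0x3535"),
]

# Filter entries as first posted: every rule only *compares*.
RULES_EQ = """
  Service-Type == Framed-User,
  Framed-Protocol == PPP,
  X-Ascend-Client-Primary-DNS == 192.0.2.53,
  X-Ascend-Client-Assign-DNS == 1,
  ERX-Virtual-Router-Name == default
"""

# Same entries with the vendor attributes switched to := (set).
RULES_SET = """
  Service-Type == Framed-User,
  Framed-Protocol == PPP,
  X-Ascend-Client-Primary-DNS := 192.0.2.53,
  X-Ascend-Client-Assign-DNS := 1,
  ERX-Virtual-Router-Name := default
"""


def parse_rules(text):
    """Parse 'Attribute op value' lines into (attr, op, value) tuples."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.strip().rstrip(",").strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {raw!r}")
        rules.append(m.groups())
    return rules


def filter_reply(rules, reply):
    """Apply the filter to a proxied reply and return what survives."""
    out = []
    for attr, value in reply:
        # Comparison rules act as an allowlist on what the home server sent.
        checks = [(op, want) for name, op, want in rules
                  if name == attr and op != ":="]
        if checks and all(op == "=*" or want == value for op, want in checks):
            out.append((attr, value))
    for name, op, want in rules:
        # A := rule always places its value in the output, replacing any copy.
        if op == ":=":
            out = [(a, v) for a, v in out if a != name]
            out.append((name, want))
    return out


if __name__ == "__main__":
    for label, text in (("==", RULES_EQ), (":=", RULES_SET)):
        print(label, filter_reply(parse_rules(text), REPLY))
```

With == the home server never sent the vendor attributes, so there is nothing to compare and nothing is passed on; in both variants the home server's Framed-IP-Address and other unlisted attributes are stripped.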


sqlippool not working

2006-09-18 Thread Guilherme Franco

Hi Peter,

Like you told me before, you did some cleanups in the sqlippool.conf.

Well, I've tried to install today's freeradius CVS, and it installed
without the sqlippool module, don't know why.

So, I've compiled it manually from
freeradius-snapshot-20060918/src/modules/rlm_sqlippool/

OK, but when I run radiusd -X, I got this in the end, regardless of my
configuration in sqlippool.conf and radiusd.conf:

Module: Loaded SQL IP Pool
 sqlippool: sql-instance-name = sql
 sqlippool: lease-duration = 86400
 sqlippool: pool-name = 
 sqlippool: allocate-begin = BEGIN
 sqlippool: allocate-clear = 
 sqlippool: allocate-find = 
 sqlippool: allocate-update = 
 sqlippool: allocate-commit = COMMIT
 sqlippool: allocate-rollback = ROLLBACK
 sqlippool: start-begin = BEGIN
 sqlippool: start-update = 
 sqlippool: start-commit = COMMIT
 sqlippool: start-rollback = ROLLBACK
 sqlippool: alive-begin = BEGIN
 sqlippool: alive-update = 
 sqlippool: alive-commit = COMMIT
 sqlippool: alive-rollback = ROLLBACK
 sqlippool: stop-begin = BEGIN
 sqlippool: stop-clear = 
 sqlippool: stop-commit = COMMIT
 sqlippool: stop-rollback = ROLLBACK
 sqlippool: on-begin = BEGIN
 sqlippool: on-clear = 
 sqlippool: on-commit = COMMIT
 sqlippool: on-rollback = ROLLBACK
 sqlippool: off-begin = BEGIN
 sqlippool: off-clear = 
 sqlippool: off-commit = COMMIT
 sqlippool: off-rollback = ROLLBACK
rlm_sqlippool: the 'allocate-clear' statement must be set.

It's not even trying to access the Oracle server.

What can it be?

Thanks!


URGENT! User does not get VSA attribute If override = yes and in radiusd.conf and using PROXY

2006-09-15 Thread Guilherme Franco

Hi,

I need to set override = yes in radiusd.conf in order for the user to get an IP.

This way because it's a proxy request.
i.e: [EMAIL PROTECTED] - proxy to realm - realm authorize user -
myradius sets the IP

The IP assignment does not work with override = no, because the proxy
radius tends to set the IP 255.255.255.254.

Ok, if override = yes, the users get the correct ip from the pool,
but not the VSA, as below:

DEFAULT Pool-Name := test
  X-Ascend-Client-Primary-DNS = x.x.x.x,
  X-Ascend-Client-Secondary-DNS = x.x.x.x,
  X-Ascend-Client-Assign-DNS = 1,
  ERX-Virtual-Router-Name = default,
  Framed-Routing == None,
  Framed-Protocol = PPP,
  Service-Type = Framed-User

note: those VSAs work correctly when I specify local users like this
(not proxy):

testuser  Auth-Type := local, User-Password == foo, Pool-Name := test
   X-Ascend-Client-Primary-DNS = x.x.x.x,
   X-Ascend-Client-Secondary-DNS = x.x.x.x,
   X-Ascend-Client-Assign-DNS = 1,
   ERX-Virtual-Router-Name = default,
   Fall-Through = Yes


Please HELP!

THANKS!


ERROR! Proxy listen.c error

2006-09-15 Thread Guilherme Franco

Hello,

Using Proxy, when user mistypes the password, radiusd -X crashes with
Assertion failed in listen.c, line 558

Line 558 = rad_assert(request->listener == listener);

Thanks.


VSA does not work when using PROXY

2006-09-15 Thread Guilherme Franco

Hello,

Please Help!

Using latest CVS - Proxy-Radius does not pass the VSA, as below (in users):

DEFAULT Pool-Name := test
  X-Ascend-Client-Primary-DNS = x.x.x.x,
  X-Ascend-Client-Assign-DNS = 1,
  ERX-Virtual-Router-Name = default,
  Framed-Routing == None,
  Framed-Protocol = PPP,
  Service-Type = Framed-User

note: those VSAs work correctly when I try with local users (no proxy):

In attrs file:

realm
  Service-Type == Framed-User,
  Framed-Protocol == PPP,
  X-Ascend-Client-Primary-DNS == x.x.x.x,
  X-Ascend-Client-Assign-DNS == 1,
  ERX-Virtual-Router-Name == default,
  Idle-Timeout = 600,
  Session-Timeout = 28800

Output:

rad_recv: Access-Request packet from host x.x.x.x port 5, id=55, length=251
   User-Password = xxx
   User-Name = [EMAIL PROTECTED]
   Acct-Session-Id = erx atm 3/2.42:100.221:0009437817
   Service-Type = Framed-User
   Framed-Protocol = PPP
   ERX-Pppoe-Description = pppoe 12:34:56:78:9a:bc
   Calling-Station-Id = #BRAS-01#this is a description#100#221
   Connect-Info = speed:UBR:12000
   NAS-Port-Type = xDSL
   NAS-Port = 845414621
   NAS-Port-Id = atm 3/2.42:100.221
   NAS-IP-Address = x.x.x.x
   NAS-Identifier = BRAS-01
 Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 0
   rlm_realm: Looking up realm realm for User-Name = xxx
   rlm_realm: Found realm realm
   rlm_realm: Adding Stripped-User-Name = xxx
   rlm_realm: Proxying request from user xxx to realm realm
   rlm_realm: Adding Realm = realm
   rlm_realm: Preparing to proxy authentication request to realm realm
 rlm_eap: No EAP-Message, not doing EAP
   users: Matched entry DEFAULT at line 194
modcall: group authorize returns noop for request 0
Sending Access-Request of id 155 to x.x.x.x port 1645
   User-Password = xxx
   User-Name = xxx
   Acct-Session-Id = erx atm 3/2.42:100.221:0009437817
   Service-Type = Framed-User
   Framed-Protocol = PPP
   ERX-Pppoe-Description = pppoe 12:34:56:78:9a:bc
   Calling-Station-Id = #BRAS-01#this is a description#100#221
   Connect-Info = speed:UBR:12000
   NAS-Port-Type = xDSL
   NAS-Port = 845414621
   NAS-Port-Id = atm 3/2.42:100.221
   NAS-IP-Address = x.x.x.x
   NAS-Identifier = BRAS-01
   Proxy-State = 0x3535
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Accept packet from host x.x.x.x port 1645, id=155, length=60
   Framed-IP-Address = 255.255.255.254
   Framed-IP-Netmask = 255.255.255.255
   Framed-MTU = 576
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   Proxy-State = 0x3535
 Processing the post-proxy section of radiusd.conf
modcall:  entering group post-proxy for request 0
attr_filter: Matched entry realm at line 52
modcall: group post-proxy returns noop for request 0
authorize: Skipping authorize in post-proxy stage
 rad_check_password:  Found Auth-Type
 rad_check_password: Auth-Type = Accept, accepting the user
 Processing the post-auth section of radiusd.conf
modcall:  entering group post-auth for request 0
radius_xlat:  'x.x.x.x 845414621'
rlm_ippool: MD5 on 'key' directive maps to: 6e4d4f13b0396f83e15609738a3bc036
rlm_ippool: Searching for an entry for key: '6e4d4f13b0396f83e15609738a3bc036'
rlm_ippool: Allocating ip to key: '6e4d4f13b0396f83e15609738a3bc036'
rlm_ippool: num: 1
rlm_ippool: Allocated ip x.x.x.x to client key: 6e4d4f13b0396f83e15609738a3bc036
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 55 to x.x.x.x port 5
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address = x.x.x.x
   Framed-IP-Netmask = 255.255.255.255
Finished request 0
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 55 with timestamp 450b0ba9
Nothing to do.  Sleeping until we see a request.

As you can see, the VSA was not included in the Access-Accept response.

Please HELP!


THANKS!


Re: radippool table for Oracle

2006-09-13 Thread Guilherme Franco

Thank you!

I'm downloading it right now.

Thanks again!


On 9/13/06, Peter Nixon [EMAIL PROTECTED] wrote:

Hi

Please update to the latest sqlippool.conf in cvs as I have just committed a
lot of cleanups to it.

Cheers

Peter

On Tue 12 Sep 2006 23:56, Guilherme Franco wrote:
 Mr. Peter,

 Thanks, yes, that's correct.

 But what I need is this behaviour even if the user disconnects and
 even if I run out of IPs in the pool. Basically, John logs in for the
 first time and randomly catches ip 1.1.1.130. When John logs out and
 comes back next week, he should be able to get 1.1.1.130 again, so
 that IP can't be reused.

 Is there any form to do that?

 Sorry, maybe I've described the problem in a wrong way earlier.

 Thank you very much for the answers, I hope to contribute later to
 freeradius posting my oracle schema.

 On 9/12/06, Peter Nixon [EMAIL PROTECTED] wrote:
  On Tue 12 Sep 2006 22:44, Guilherme Franco wrote:
   Thanks Mr. Nixon,
  
   I thought that someone might have already created such a schema.
  
   But that's not a problem.
  
   I'll be playing with the errors and as I get a working schema I'll post
   back.
  
   Just another doubt: Is there any way to create a pool of addresses and
   when someone receives one ip  from this pool, this ip stays assigned
   to that user forever (lease forever, just like a static IP)? I need
   this so that I assign an IP only based in the group (which has some
   pools assigned to it), no need to manually create Framed-IP-Address =
   x.x.x.x for that user.
 
  That is basically what the default sqlippool config does unless you run
  out of IPs in the pool, in which case it will start to hand reusing IPs
  that are currently not connected.
 
  --
 
  Peter Nixon
  http://www.peternixon.net/
  PGP Key: http://www.peternixon.net/public.asc
 
 

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




Re: radippool table for Oracle

2006-09-12 Thread Guilherme Franco

Mr. Peter,

Thanks, yes, that's correct.

But what I need is this behaviour even if the user disconnects and
even if I run out of IPs in the pool. Basically, John logs in for the
first time and randomly catches ip 1.1.1.130. When John logs out and
comes back next week, he should be able to get 1.1.1.130 again, so
that IP can't be reused.

Is there any form to do that?

Sorry, maybe I've described the problem in a wrong way earlier.

Thank you very much for the answers, I hope to contribute later to
freeradius posting my oracle schema.


On 9/12/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Tue 12 Sep 2006 22:44, Guilherme Franco wrote:
 Thanks Mr. Nixon,

 I thought that someone might have already created such a schema.

 But that's not a problem.

 I'll be playing with the errors and as I get a working schema I'll post
 back.

 Just another doubt: Is there any way to create a pool of addresses and
 when someone receives one ip  from this pool, this ip stays assigned
 to that user forever (lease forever, just like a static IP)? I need
 this so that I assign an IP only based in the group (which has some
 pools assigned to it), no need to manually create Framed-IP-Address =
 x.x.x.x for that user.

That is basically what the default sqlippool config does unless you run out of
IPs in the pool, in which case it will start reusing IPs that are
currently not connected.

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




Re: URGENT! Dialupadmin Could not connect to SQL database

2006-09-01 Thread Guilherme Franco

Thanks,

I've already managed to make it work using oracle instant client and custom tnsnames.ora. I was using the entire oracle enterprise install before and it didn't work! Crazy, but it's working now.

Thanks.

On 9/1/06, Edoardo Causarano [EMAIL PROTECTED] wrote:

 Make sure you pass the checklist on http://ora-12154.ora-code.com/

 Personally I've seen oracle clients that suddenly refuse to work because it decides that it wants ip-name mappings. Usually a trip to the dns or /etc/hosts solves the prob

 e

 On 31/ago/06, at 16:38GMT+02:00, Guilherme Franco wrote:

  Mr. Peter,

  I did a test right now with the command line php, for example php test.php and it works!

  test.php is a program I've created to retrieve some tables from the oracle server. (tcpdump in oracle server shows traffic correctly this way)

  But when I try to open test.php from the apache web page, it states Parse error: syntax error, unexpected '' in /www/htdocs/test.php on line 10 (then, tcpdump in oracle server shows nothing)

  I think that the same problem is blocking dialupadmin from connecting with oracle.

  What might it be?

  Thanks.

  On 8/31/06, Guilherme Franco [EMAIL PROTECTED] wrote:

   Hello,

   Yes, I configured it with the option --with-oci8, and phpinfo() shows oci8 support as enabled.

   This machine (dialupadmin server) is standalone (oracle in other server and radius in other).

   I'm trying to use sqlplus from the dialupadmin server but it gives me either ORA-12546 TNS permission denied or ORA-12514 TNS listener does not currently know of service requested in connect descriptor.

   I've researched a lot about these problems but found nothing.

   note: (I've read somewhere that oci does not work well with modules, just with static php links)

   Please help.

   Thank you very much.

   On 8/31/06, Peter Nixon [EMAIL PROTECTED] wrote:

    On Thu 31 Aug 2006 16:17, Guilherme Franco wrote:

     URGENT!

     Hi,

     I'm getting this error *Could not connect to SQL database.* in dialupadmin. (using OCI8 with ORACLE)

     Radiusd connects to Oracle without any problems, dialupadmin doesn't.

    Does your PHP module have Oracle support?

    --
    Peter Nixon
    http://www.peternixon.net/
    PGP Key: http://www.peternixon.net/public.asc


URGENT! Dialupadmin Could not connect to SQL database

2006-08-31 Thread Guilherme Franco

URGENT!

Hi,

I'm getting this error Could not connect to SQL database. in dialupadmin. (using OCI8 with ORACLE)

Radiusd connects to Oracle without any problems, dialupadmin doesn't.

Please help.

Thank you.

Re: URGENT! Dialupadmin Could not connect to SQL database

2006-08-31 Thread Guilherme Franco

Hello,

Yes, I configured it with the option --with-oci8, and phpinfo() shows oci8 support as enabled.

This machine (dialupadmin server) is standalone (oracle in other server and radius in other).

I'm trying to use sqlplus from the dialupadmin server but it gives me either ORA-12546 TNS permission denied or ORA-12514 TNS listener does not currently know of service requested in connect descriptor.

I've researched a lot about these problems but found nothing.

note: (I've read somewhere that oci does not work well with modules, just with static php links)

Please help.

Thank you very much.

On 8/31/06, Peter Nixon [EMAIL PROTECTED] wrote:

 On Thu 31 Aug 2006 16:17, Guilherme Franco wrote:

  URGENT!

  Hi,

  I'm getting this error *Could not connect to SQL database.* in dialupadmin. (using OCI8 with ORACLE)

  Radiusd connects to Oracle without any problems, dialupadmin doesn't.

 Does your PHP module have Oracle support?

 --
 Peter Nixon
 http://www.peternixon.net/
 PGP Key: http://www.peternixon.net/public.asc


Re: URGENT! Dialupadmin Could not connect to SQL database

2006-08-31 Thread Guilherme Franco

Mr. Peter,

I did a test right now with the command line php, for example php test.php and it works!

test.php is a program I've created to retrieve some tables from the oracle server. (tcpdump in oracle server shows traffic correctly this way)

But when I try to open test.php from the apache web page, it states Parse error: syntax error, unexpected '' in /www/htdocs/test.php on line 10 (then, tcpdump in oracle server shows nothing)

I think that the same problem is blocking dialupadmin from connecting with oracle.

What might it be?

Thanks.

On 8/31/06, Guilherme Franco [EMAIL PROTECTED] wrote:

 Hello,

 Yes, I configured it with the option --with-oci8, and phpinfo() shows oci8 support as enabled.

 This machine (dialupadmin server) is standalone (oracle in other server and radius in other).

 I'm trying to use sqlplus from the dialupadmin server but it gives me either ORA-12546 TNS permission denied or ORA-12514 TNS listener does not currently know of service requested in connect descriptor.

 I've researched a lot about these problems but found nothing.

 note: (I've read somewhere that oci does not work well with modules, just with static php links)

 Please help.

 Thank you very much.

 On 8/31/06, Peter Nixon [EMAIL PROTECTED] wrote:

  On Thu 31 Aug 2006 16:17, Guilherme Franco wrote:

   URGENT!

   Hi,

   I'm getting this error *Could not connect to SQL database.* in dialupadmin. (using OCI8 with ORACLE)

   Radiusd connects to Oracle without any problems, dialupadmin doesn't.

  Does your PHP module have Oracle support?

  --
  Peter Nixon
  http://www.peternixon.net/
  PGP Key: http://www.peternixon.net/public.asc


