Re: Gigawords
Hello Mr. Mayers,

I don't think so, cause I've copied the very same syntax that can be found in oraclesql.conf of FR 1.1.7.

Thank you.
Guilherme Franco

On 9/14/07, Phil Mayers [EMAIL PROTECTED] wrote:
> On Fri, 2007-09-14 at 00:05 -0300, Guilherme Franco wrote:
> > Hello,
> > I'm using rlm_sql_log in freeradius 1.1.4. In order to correctly work with acct-input/output gigawords, I've replaced '%{Acct-Input-Octets}' with '%{%{Acct-Input-Gigawords}:-0}' 32 | '%{%{Acct-Input-Octets}:-0}' in the rlm_sql_log conf, but this results in invalid queries like: update radacct set... ...acctiputoctets = 0 32 | 98...
>
> Is that not because you put an invalid query template in? You need () around the (val N) bit. You also almost certainly want to do: (giga 32) + words ...rather than using bitwise | operator

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
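The counter arithmetic discussed in this thread, as an added example that is not part of the original messages: RFC 2869 defines Acct-Input-Gigawords as the number of times the 32-bit Acct-Input-Octets counter has wrapped, so the total is gigawords times 2^32 plus octets, and the grouping of that expression decides what the database stores. The sketch assumes the operator missing from the archived template is a 32-bit left shift, uses SQLite (Python's sqlite3) as a stand-in database rather than Oracle, and all function names and sample values are constructed.

```python
import sqlite3

WRAP = 1 << 32  # Acct-*-Octets is a 32-bit counter; Gigawords counts its wraps

# Candidate SQL expressions for the radacct column, with bound parameters
# standing in for the expanded %{...:-0} values (parameter names are hypothetical).
EXPRESSIONS = {
    "shift_parenthesised": "(:giga << 32) + :octets",
    "multiply":            ":giga * 4294967296 + :octets",
    "shift_bare_plus":     ":giga << 32 + :octets",  # parsed as giga << (32 + octets)
}


def total_octets(attrs, direction="Input"):
    """Combine Gigawords and Octets from one accounting packet into a 64-bit total.

    A missing attribute counts as 0, which is what the ':-0' default in the
    template quoted in this thread expresses.
    """
    giga = int(attrs.get(f"Acct-{direction}-Gigawords", 0))
    octets = int(attrs.get(f"Acct-{direction}-Octets", 0))
    for name, value in (("Gigawords", giga), ("Octets", octets)):
        if not 0 <= value < WRAP:
            raise ValueError(f"Acct-{direction}-{name} out of 32-bit range: {value}")
    return giga * WRAP + octets


def evaluate(expression, giga, octets):
    """Let the database evaluate one expression, as it would inside the UPDATE."""
    con = sqlite3.connect(":memory:")
    try:
        row = con.execute(f"SELECT {expression}",
                          {"giga": giga, "octets": octets}).fetchone()
        return row[0]
    finally:
        con.close()


def store_stop_records(packets):
    """Write constructed Stop packets into a minimal radacct table and read them back."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE radacct "
                "(acctsessionid TEXT PRIMARY KEY, acctinputoctets INTEGER)")
    for p in packets:
        con.execute(
            "INSERT INTO radacct VALUES (:sid, (:giga << 32) + :octets)",
            {"sid": p["Acct-Session-Id"],
             "giga": int(p.get("Acct-Input-Gigawords", 0)),
             "octets": int(p.get("Acct-Input-Octets", 0))},
        )
    stored = dict(con.execute("SELECT acctsessionid, acctinputoctets FROM radacct"))
    con.close()
    return stored


# Constructed sample packets: one short session, one whose counter wrapped twice.
SAMPLE_PACKETS = [
    {"Acct-Session-Id": "s1", "Acct-Input-Octets": "98"},
    {"Acct-Session-Id": "s2", "Acct-Input-Gigawords": "2", "Acct-Input-Octets": "1500"},
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["Acct-Session-Id"], total_octets(p))
    for label, expr in EXPRESSIONS.items():
        print(label, evaluate(expr, 2, 1500))
    print(store_stop_records(SAMPLE_PACKETS))
```

In SQLite the addition binds tighter than the shift, so the unparenthesised form with `+` silently stores a wrong byte count instead of raising an error; operator support and precedence differ between databases, so the parenthesised or multiplication form is the portable one to test against the real backend.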
Re: Gigawords
Hi Mr. DeKok,

Ok, I've just asked it because of: http://wiki.freeradius.org/index.php/FAQ#Why_do_Acct-Input-Octets_and_Acct-Output-Octets_wrap_at_4_GB.3F (which says that it should work in older versions)

Also, the rlm_sql_log module version is the same in 1.1.7 as in 1.1.4 (v 1.3.2.2 2005/12/12).

Thank you.
Guilherme Franco

On 9/14/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Guilherme Franco wrote:
> > Hello,
> > I'm using rlm_sql_log in freeradius 1.1.4. In order to correctly work with acct-input/output gigawords,
>
> Upgrade to 1.1.7.
>
> Alan DeKok.
Gigawords
Hello,

I'm using rlm_sql_log in freeradius 1.1.4. In order to correctly work with acct-input/output gigawords, I've replaced '%{Acct-Input-Octets}' with '%{%{Acct-Input-Gigawords}:-0}' 32 | '%{%{Acct-Input-Octets}:-0}' in the rlm_sql_log conf, but this results in invalid queries like:

update radacct set... ...acctiputoctets = 0 32 | 98...

Looks like the rlm_sql_log module was not compiled to parse that syntax. What can I do, please (besides create a procedure on the DB to treat that)?

Thank you very much.
Guilherme Franco
Re: Big VSA + Proxy problem
Hello,

It's the same server with the very same config for both users in radcheck and radreply, except that in proxy.conf, only the proxy.com realm is set to be proxied to 192.168.1.2. When the user [EMAIL PROTECTED] (no proxy) logs in, the VSA ERX-Service-Bundle is sent to the B-RAS, while it's not when the user [EMAIL PROTECTED] (proxy) gets authenticated.

Thank you.

On 6/13/07, Alan Dekok [EMAIL PROTECTED] wrote:
> Guilherme Franco wrote:
> > Hi, Sorry for bothering you guys. I would like to humbly ask if there's any ideas on this?
>
> There's a lot there, and it's not clear what's going on. Look at the differences between the two configurations.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Big VSA + Proxy problem
Hi,

Sorry for bothering you guys. I would like to humbly ask if there's any ideas on this?

Thanks.
Re: Big VSA + Proxy problem
Hello Mr. Alan,

Thank you for answering. Below, you will find a working local authentication, user [EMAIL PROTECTED] (without proxy), where the VSA ERX-Service-Bundle is found in radreply (although the debug doesn't say that) and sent back to the B-RAS:

rad_recv: Access-Request packet from host 192.168.1.1:5, id=29, length=238
Mon Jun 11 11:18:18 2007 : Debug: --- Walking the entire request list ---
Mon Jun 11 11:18:18 2007 : Debug: Waking up in 31 seconds...
Mon Jun 11 11:18:18 2007 : Debug: Thread 2 got semaphore
Mon Jun 11 11:18:18 2007 : Debug: Thread 2 handling request 1, (1 handled so far)
        User-Password = testing
        User-Name = [EMAIL PROTECTED]
        Acct-Session-Id = erx atm 3/2.42:100.132:0002097381
        Service-Type = Framed-User
        Framed-Protocol = PPP
        ERX-Pppoe-Description = pppoe 12:34:56:78:9a:bc
        Calling-Station-Id = #BRAS-03#this is a description#100#132
        Connect-Info = speed:UBR:12000
        NAS-Port-Type = xDSL
        NAS-Port = 845414532
        NAS-Port-Id = atm 3/2.42:100.132
        NAS-IP-Address = 192.168.1.1
        NAS-Identifier = BRAS-03
Mon Jun 11 11:18:18 2007 : Debug: Processing the authorize section of radiusd.conf
Mon Jun 11 11:18:18 2007 : Debug: modcall: entering group authorize for request 1
Mon Jun 11 11:18:18 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Mon Jun 11 11:18:18 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Mon Jun 11 11:18:18 2007 : Debug: modcall[authorize]: module preprocess returns ok for request 1
Mon Jun 11 11:18:18 2007 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 1
Mon Jun 11 11:18:18 2007 : Debug: radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.1/auth-detail-20070611'
Mon Jun 11 11:18:18 2007 : Debug: rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.1/auth-detail-20070611
Mon Jun 11 11:18:18 2007 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 1
Mon Jun 11 11:18:18 2007 : Debug: modcall[authorize]: module auth_log returns ok for request 1
Mon Jun 11 11:18:18 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1
Mon Jun 11 11:18:18 2007 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1
Mon Jun 11 11:18:18 2007 : Debug: modcall[authorize]: module chap returns noop for request 1
Mon Jun 11 11:18:18 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1
Mon Jun 11 11:18:18 2007 : Debug: rlm_realm: Looking up realm local.com for User-Name = [EMAIL PROTECTED]
Mon Jun 11 11:18:18 2007 : Debug: rlm_realm: No such realm local.com
Mon Jun 11 11:18:18 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Mon Jun 11 11:18:18 2007 : Debug: modcall[authorize]: module suffix returns noop for request 1
Mon Jun 11 11:18:18 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 1
Mon Jun 11 11:18:18 2007 : Debug: users: Matched entry DEFAULT at line 171
Mon Jun 11 11:18:18 2007 : Debug: users: Matched entry DEFAULT at line 183
Mon Jun 11 11:18:18 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 1
Mon Jun 11 11:18:18 2007 : Debug: modcall[authorize]: module files returns ok for request 1
Mon Jun 11 11:18:18 2007 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 1
Mon Jun 11 11:18:18 2007 : Debug: radius_xlat: '[EMAIL PROTECTED]'
Mon Jun 11 11:18:18 2007 : Debug: rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
Mon Jun 11 11:18:18 2007 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
Mon Jun 11 11:18:18 2007 : Debug: rlm_sql (sql): Reserving sql socket id: 30
Mon Jun 11 11:18:18 2007 : Debug: radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Mon Jun 11 11:18:18 2007 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
Mon Jun 11 11:18:18 2007 : Debug: radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Mon Jun 11 11:18:18 2007 : Debug: rlm_sql (sql): Released sql socket id: 30
Mon Jun 11 11:18:18 2007 : Debug: modsingle[authorize]: returned from sql (rlm_sql) for request 1
Mon Jun 11 11:18:18 2007 : Debug: modcall[authorize]: module sql returns ok for
Big VSA + Proxy problem
Hello,

Running Freeradius 1.1.4 on RHEL with an Oracle backend. I'm at a Carrier and every @bar.com request is configured to be proxied, but I have a problem where a VSA (in radreply table) is not even sent to bar.com.

In my database:

select * from radcheck;

ID  USERNAME           ATTRIBUTE      OP  VALUE
1   [EMAIL PROTECTED]  User-Password  :=  temp123

select * from radreply;

ID  USERNAME           ATTRIBUTE           OP  VALUE
1   [EMAIL PROTECTED]  ERX-Service-Bundle  :=  test1
2   [EMAIL PROTECTED]  Framed-IP-Address   :=  192.168.254.199

Disabling the proxying for this realm works correctly (freeradius auths the user locally and sends the VSA to the router). With proxy configured, the user gets authenticated by bar.com but the VSA is not sent to bar.com (no traces of it in pre_proxy logs nor in radiusd -X debugs).

I've already added ERX-Service-Bundle =* ANY in both attrs and attrs.pre-proxy and enabled the filters in radiusd.conf, but still no luck.

Question: if that issue gets fixed and the VSA goes to bar.com, is there any way for bar.com to return that same VSA untouched (considering that bar.com doesn't know a thing about that VSA, i.e. it doesn't have any VSA info in its database)?

In fact, I don't need to send that VSA to bar.com, I just need to send it directly to my router (just like in the unproxied realm), but the proxy feature doesn't allow that.

Please consider that I can't simply add ERX-Service-Bundle := test1 in attrs (like I do with DNS VSAs) because the value of that VSA is chained with the user in radreply and each user has its own different value (test2, test5, etc.).

I'm very worried. Can anyone please shed some light on this?

Thank you very much!
Re: 1.1.6 with rlm_sqlippool: ip=[] len=0
Mr. Alan and Mr. Peter,

Sorry for the lack of information. I'll give more details about the problem on Monday.

Thank you very much.

On 5/12/07, Peter Nixon [EMAIL PROTECTED] wrote:
> On Sat 12 May 2007, Guilherme Franco wrote:
> > Ok,
> > But a lot of times, on the process of server restart (every hour on cron.hourly), freeradius hangs and Error: There appears to be another RADIUS server running on the authentication port 1812 messages appear. I have to manually kill -9 radiusd and start it again. Version 1.1.6 hangs more in this matter than 1.1.4 does.
> > Also, I've tried to update to the latest CVS (freeradius-server-snapshot-20070511.tar.bz2) just to check out (because Mr. Nixon has told earlier that the postgresql driver was fixed in CVS), but Floating point Exception occurred.
>
> OK. Well, please give us more information about this problem (Back trace etc) so that we can try to fix it.
>
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
Re: 1.1.6 with rlm_sqlippool: ip=[] len=0
Ok,

But a lot of times, on the process of server restart (every hour on cron.hourly), freeradius hangs and Error: There appears to be another RADIUS server running on the authentication port 1812 messages appear. I have to manually kill -9 radiusd and start it again. Version 1.1.6 hangs more in this matter than 1.1.4 does.

Also, I've tried to update to the latest CVS (freeradius-server-snapshot-20070511.tar.bz2) just to check out (because Mr. Nixon has told earlier that the postgresql driver was fixed in CVS), but Floating point Exception occurred.

That's it. Thanks.

On 5/10/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Guilherme Franco wrote:
> > On my earlier posts (months ago, with 1.1.4), it has been told that the latest CVS would solve the problem. I thought that 1.1.6 would include the fix from the CVS head. 1.1.6 Changelog: *Fixed bug in PostgreSQL module that caused server crash.
>
> The error you posted is not a server crash.
>
> > I thought that this would correct the behaviour as well, because the server did crash sometimes (I've sent some valgrind outputs to you in previous posts).
>
> Perhaps there are two unrelated bugs. One got fixed. I have no idea what the other bug is.
>
> > Using the latest CVS will fix the problem?
>
> No.
>
> Alan DeKok.
Re: 1.1.6 with rlm_sqlippool: ip=[] len=0
Hello Mr. DeKok,

On my earlier posts (months ago, with 1.1.4), it has been told that the latest CVS would solve the problem. I thought that 1.1.6 would include the fix from the CVS head.

1.1.6 Changelog: *Fixed bug in PostgreSQL module that caused server crash.

I thought that this would correct the behaviour as well, because the server did crash sometimes (I've sent some valgrind outputs to you in previous posts).

Using the latest CVS will fix the problem?

Thank you very much.

On 5/10/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Guilherme Franco wrote:
> > This was happening with 1.1.4 and I thought that 1.1.6 would correct this. Wasn't 1.1.6 supposed to work this out?
>
> Which part of the ChangeLog said that?
>
> Alan DeKok.
Re: 1.1.6 with rlm_sqlippool: ip=[] len=0
Hello,

Using Freeradius 1.1.6 on latest RHEL AS4 x64 with rlm_sqlippool, using PostgreSQL 8.2.1.

After some hours operating, freeradius starts to log lots of Info: rlm_sqlippool: ip=[] len=0. Running the allocate-find query directly under psql shows no problem. Issuing service radiusd restart solves the problem. I did a cron.hourly job with this then.

This was happening with 1.1.4 and I thought that 1.1.6 would correct this. Wasn't 1.1.6 supposed to work this out?

Thanks.
Re: 1.1.4 stops responding to requests
Hello,

Same with me, but acct is necessary. The solution was radsqlrelay.

Regards,
Guilherme

On 2/13/07, Stefan Winter [EMAIL PROTECTED] wrote:
> Hi,
>
> > 1.1.4 will run for a few hours and then either stop responding to requests or die. There is no seg fault warning in any log file. If I restart radius, it then begins answering again. Since it is a production environment in which 300-500 users are connected at any given time, we were unable to simply turn on debugging and look for problems. Once we realized the problem we had to quickly revert to 1.0.5 for now and make our relatively few Vista users for a little longer.
>
> Interesting... I've been seeing exactly this happening on our own system. In our case, I could track it down to the fact that it stopped responding shortly after accounting packets came in. Turning off accounting (already on NAS level) deterministically solved the problem for me, so I suspect the problem to be somewhere near there. I never followed this trace, because accounting is optional at our site (free wireless) and it was our prod environment, I didn't want to mess around without a good reason. So accounting is just off at the moment.
>
> > I am going to try running it in debug mode over a weekend in a particular subset of the school's wireless network where not many users would be affected by a crash and see if I can collect any more information. I will do it on a system that never had any earlier version of freeradius installed on it, just to be safe. In the meantime, any advice would be appreciated.
>
> Is it an option to not do accounting? Or maybe queue the acct in files rather than a proper backend (for me, the issue happened in combination with mysql). I never tried if the hangs occur also when logging to a file.
>
> Greetings,
> Stefan Winter
> --
> Stefan WINTER
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
Update: Major impact on authentication!
Hello,

Even with radsqlrelay working, sqlippool loses dbhandles with postgresql. Because of this, the cron.hourly job is still necessary...

--
Date: Feb 8, 2007 10:40 AM
Subject: VALGRIND: Major impact on authentication!
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Hello Mr. Alan,

Thank you for your concern! Just another message I've seen under /var/log/messages:

kernel: radiusd[1672]: segfault at 0110 rip 002a97de2c1e rsp 007fbfffe340 error 4

Gonna implement radrelay now, then! (I was holding back because I've seen somewhere in this mail list that it breaks simultaneous-use).

Thanks a lot!
Re: Update: Major impact on authentication!
Sorry, Mr. Nixon,

Freeradius 1.1.4 on latest RHEL AS4 x64 with rlm_sqlippool, using PostgreSQL 8.2.1 and Oracle10gR2 backends (postgresql and oracle are installed on another machine).

radiusd.conf: max_servers = 32
postgresql.conf: num_sql_socks = 32
oraclesql.conf : num_sql_socks = 32

Oracle : radcheck, radacct and radpostauth; PGSQL: radippool.

Aside the other problems valgrind has shown (which radsqlrelay circumvented), after some hours, freeradius starts to log lots of Info: rlm_sqlippool: ip=[] len=0. Running the allocate-find query directly under psql shows no problem. Issuing service radiusd restart solves the problem. I did a cron.hourly job with this then.

PostgreSQL has only one table radippool with just 28000 entries there.

As you've told that this version of rlm_sqlippool is based upon a PostgreSQL Bug, I'm considering to update to the latest CVS head and try it with postgresql 8.2.3 and/or Oracle 10gr2.

Thank you!

On 2/12/07, Peter Nixon [EMAIL PROTECTED] wrote:
> Guilherme
>
> Can you please recap on your current configuration and version of FR?
>
> Regards
> Peter
>
> On Mon 12 Feb 2007 19:10, Guilherme Franco wrote:
> > Hello,
> > Even with radsqlrelay working, sqlippool loses dbhandles with postgresql. Because of this, the cron.hourly job is still necessary...
> >
> > --
> > Date: Feb 8, 2007 10:40 AM
> > Subject: VALGRIND: Major impact on authentication!
> > To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> >
> > Hello Mr. Alan,
> > Thank you for your concern! Just another message I've seen under /var/log/messages:
> > kernel: radiusd[1672]: segfault at 0110 rip 002a97de2c1e rsp 007fbfffe340 error 4
> > Gonna implement radrelay now, then! (I was holding back because I've seen somewhere in this mail list that it breaks simultaneous-use).
> > Thanks a lot!
>
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
Re: VALGRIND: Major impact on authentication!
Hello,

Thank you for the consulting offer Mr. Peter but, as you told, there seems to be some bugs in the rlm_sql oracle driver.

As everything was good before and now it's breaking, the most probable cause is the increase in the number of auth users, which brings lots of acct (0 users in September 2006 and now with 4000 online users pumping radacct). The oracle tables are well indexed so the response time is low.

What comes to my mind is that the driver is having trouble to work with high acct throughput under peak time, starving all the 32 threads.

I've considered radrelay/sqllog before, but wouldn't that break the Simultaneous-Use functionality?

Thank you!
VALGRIND: Major impact on authentication!
Hello Mr. Alan,

Thank you for your concern! Just another message I've seen under /var/log/messages:

kernel: radiusd[1672]: segfault at 0110 rip 002a97de2c1e rsp 007fbfffe340 error 4

Gonna implement radrelay now, then! (I was holding back because I've seen somewhere in this mail list that it breaks simultaneous-use).

Thanks a lot!
Re: Again: Major impact on authentication!
Hello,

Of course, I can test sqlippool with Oracle. I just need to do it after midnight because the earlier problems with Freeradius were so dramatic that I've received orders to remove freeradius and install some commercial software. Also, those tests would need to be synthetic ones, since the default allocate-find does not get nor fix the static IP's for me and the current users would lose their static IPs.

With the cron.hourly job to do a service radiusd restart, the environment flows smooth. Removing the job and letting radiusd working for a few hours creeps everything. Considering this, how come those problems could be related to slow DB, if by simply reloading freeradius things start to work good?

Now, even with the cron.hourly job, radiusd hanged sometimes, needing a kill -9 to free it.

Some valgrind messages related to the oracle backend in radiusd initialization:

==11562== Conditional jump or move depends on uninitialised value(s)
==11562==    at 0x615F6B2: ztvo5ke (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5EEC3DC: kpu8lgn (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5EEA628: kpuauthxa (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5EEA031: kpuauth (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5E179A0: kpulon (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5F45A3F: OCILogon (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5A6B131: sql_init_socket (sql_oracle.c:158)
==11562==    by 0x59667B1: connect_single_socket (sql.c:70)
==11562==    by 0x5966907: sql_init_socketpool (sql.c:131)
==11562==    by 0x5964EC5: rlm_sql_instantiate (rlm_sql.c:695)
==11562==    by 0x40C31A: find_module_instance (in /usr/local/sbin/radiusd)
==11562==    by 0x40DA4C: (within /usr/local/sbin/radiusd)
==11562== Syscall param write(buf) points to uninitialised byte(s)
==11562==    at 0x397270B012: __write_nocancel (in /lib64/tls/libpthread-2.3.4.so)
==11562==    by 0x61FF1A9: snttwrite (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x61FBEBE: nttwr (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x6132971: nsntwrn (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x6138B41: nspsend (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x611A93C: nsdofls (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x611600E: nsdo (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x611543A: nsdosend (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x6151207: nioqrc (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x62BEB4E: ttcdrv (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x6159AD7: nioqwa (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5F80BA6: upirtrc (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562== Address 0x4F0AFE7 is 47 bytes inside a block of size 2,070 alloc'd
==11562==    at 0x490631D: calloc (vg_replace_malloc.c:279)
==11562==    by 0x61C52C1: nsbGet (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x61C50F8: nsballoc (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x615566C: niotns (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x61D63AA: nigcall (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x615A399: osncon (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5E168EF: kpuadef (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5F814E7: upiini (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5F5E619: upiah0 (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5E162EF: kpuatch (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5E17873: kpulon (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5F45A3F: OCILogon (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562== Use of uninitialised value of size 8
==11562==    at 0x61F5CFA: ztceaencbk (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x61F0193: ztcebn (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x61EE024: ztcen (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x61EDE14: ztceenc (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x615F72E: ztvo5ke (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5EEC3DC: kpu8lgn (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5EEA628: kpuauthxa (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5EEA031: kpuauth (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5E179A0: kpulon (in /usr/local/instantclient_10_2/libclntsh.so.10.1)
==11562==    by 0x5F45A3F: OCILogon (in
VALGRIND: Major impact on authentication!
Hi,

I did run valgrind radiusd -xxx at Wed Feb 7 19:15:08 2007 and at Wed Feb 7 20:59:04 2007 radiusd DIED.

Afterwards, service radius restart would not work and lots of Error: Internal error processing module entry, Error: rlm_sql_oracle: fetch failed in sql_fetch_row: ORA-24338: statement handle not executed, and Error: rlm_sql (sql): failed after re-connect appeared.

I've just disabled accounting in the NAS and then service radiusd start worked.

Last messages (I have the entire log, 70MB, if you want):

Wed Feb 7 20:59:04 2007 : Debug: radius_xlat: 'UPDATE radacct SET AcctStopTime = TO_DATE('2007-02-07 20:56:41','-mm-dd hh24:mi:ss'), AcctSessionTime = '0', AcctInputOctets = '0', AcctOutputOctets = '0', AcctTerminateCause = 'User-Request', AcctStopDelay = '21', ConnectInfo_stop = '' WHERE AcctSessionId = 'erx GigabitEthernet 11/0.109:2109:0021188786' AND UserName = '[EMAIL PROTECTED]' AND NASIPAddress = '10.10.1.2' AND AcctStopTime IS NULL'
Wed Feb 7 20:59:04 2007 : Debug: rlm_sql (sql): Reserving sql socket id: 19
==30772==
==30772== Invalid write of size 1
==30772==    at 0x5E82AD0: kpuhhrsp (in
Again: Major impact on authentication!
Hello, Thanks to everyone! I'm using Oracle just for radcheck/radacct and PostgreSQL for radippool only. No, Mr. Peter, no one is using dial-up admin nor anything alike when the problem occurs, just pure auth (without acct). I've disabled the cron.hourly job and the problem appeared again after some hours. A simple radiusd restart solves the problem. As this causes impact, I can't afford to do this all the time just to debug, but I think I gonna run a script to capture all the radiusd -xxx messages, so when the behaviour starts, I can see what's happening. Also, it's important to note that this server is the proxy radius and those error messages appear:

Error: Discarding duplicate request from client ERX-1:5 - ID: 115 due to unfinished request 32
Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Error: WARNING: Unresponsive child (id 1315006816) for request 105

With acct:

Error: rlm_sql (sql) in sql_accounting: stop packet with zero session length. [user '[EMAIL PROTECTED]', nas '10.10.2.1']
Error: Internal error processing module entry

Thank you.

On 2/6/07, Peter Nixon [EMAIL PROTECTED] wrote:

On Mon 05 Feb 2007 13:05, [EMAIL PROTECTED] wrote:

Hi, Freeradius 1.1.4 is randomly losing connection to both databases and it's causing total loss in the authentication process:

from a historical perspective you may find that it wasn't the 1.1.4 upgrade that has broken things - your database may have finally become too big and unwieldy. this has certainly been the case in many such cases. I would check how long your database queries/inserts are taking. perhaps vacuum/optimise the tables, move/drop older entries, create better KEYs for the purposes you need.

The _random_ problems don't coincide with a user running a usage report from a web interface by any chance do they??

Regards
--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Re: Again: Major impact on authentication!
Thanks Mr. DeKok, I've already downloaded valgrind, just need to setup everything in a time where the user won't suffer from the downtime. Mr. Marshall, the only transaction is in rlm_sqlippool. Thanks.

On 2/6/07, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco wrote:

Also, it's important to note that this server is the proxy radius and those error messages appear:

Error: Discarding duplicate request from client ERX-1:5 - ID: 115 due to unfinished request 32
Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Error: WARNING: Unresponsive child (id 1315006816) for request 105

All of those messages are caused by the same problem: something is preventing the server from working. Find out what it is, and fix the problem.

Error: Internal error processing module entry

It might have helped if you posted that message earlier. Internal errors ALWAYS indicate something bad happening. In this case, you're running 1.1.x, and somehow the data structures in the server have gotten corrupted. That's a VERY likely reason why the server is broken. As to how to see what's going wrong, run the server under valgrind.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Again: Major impact on authentication!
Hello Mr. Nixon! No, the radius server and the DB server are connected in the same switch, using gigabit UTP, resulting in 0.090ms RTT. The proxy server is also directly connected to this switch. I've been using CVS builds mainly because the rlm_sqlippool was under development with constant updates done by you. The last one I've used was freeradius-server-snapshot-20070120.tar.bz2 but the same behaviour appeared, then I've switched to 1.1.4.

Humm Oracle support would be great! But I remember that in the previous builds, I had to remove the BEGIN from allocate-begin in rlm_sqlippool.c and recompile it because Oracle understands BEGIN as a function/procedure/transaction start and the next steps taken by rlm_sqlippool didn't fit in the correct structure (missing END; and other statements). That way, no errors raised but sqlippool wouldn't recognize the IP queried by the SELECT then.

Mr. Peter, also importantly, as we have both static and dynamic ippools, two instances of sqlippool were running, namely sqlippool DYNAMIC and sqlippool STATIC, called in this order by radiusd. The allocate-find was not working correctly, not giving the same static IPs to the user every time, so I've decided to remove one sqlippool instance and I've created the following function:

    CREATE OR REPLACE FUNCTION FOOBAR(user text, pool text, nas text) RETURNS inet AS $$
    declare
        ip_temp inet := null;
    BEGIN
        -- Dynamic pool: take an expired lease, preferring one this user/NAS held before.
        if pool = 'DYNAMIC' then
            select framedipaddress into ip_temp from radippool
                where expiry_time < 'now'::timestamp(0) and pool_name = pool
                ORDER BY (username <> user), (callingstationid <> nas), expiry_time
                LIMIT 1 FOR UPDATE;
            return ip_temp;
        end if;
        -- Any other pool: return the address already bound to this user, if there is one.
        if pool <> 'DYNAMIC' then
            select framedipaddress into ip_temp from radippool
                where username = user and pool_name = pool;
            if ip_temp is not null then
                return ip_temp;
            end if;
            -- No binding yet: claim a free expired address and bind it to the user.
            if ip_temp is null then
                select framedipaddress into ip_temp from radippool
                    where expiry_time < 'now'::timestamp(0) and username = '' and pool_name = pool
                    LIMIT 1 FOR UPDATE;
                UPDATE radippool SET username = user where framedipaddress = ip_temp;
                return ip_temp;
            end if;
        END IF;
    END;
    $$ LANGUAGE plpgsql;

That way, allocate-find became just

    allocate-find = select FOOBAR('%{User-Name}','%{check:Pool-Name}','%{Calling-Station-Id}')

No fail-over would occur anymore, the function works in less than 50ms, the static ip of the user is permanently written in the DB so I think it became better this way, at least for me. This setup was running fine since October 2006, until now that things started to freak out. Thank you!

On 2/6/07, Peter Nixon [EMAIL PROTECTED] wrote:

On Tue 06 Feb 2007 15:27, Alan DeKok wrote:

Guilherme Franco wrote:

Also, it's important to note that this server is the proxy radius and those error messages appear:

Error: Discarding duplicate request from client ERX-1:5 - ID: 115 due to unfinished request 32
Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Error: WARNING: Unresponsive child (id 1315006816) for request 105

Do you by any chance have a stateful firewall between your radius server and database?

All of those messages are caused by the same problem: something is preventing the server from working. Find out what it is, and fix the problem.

Error: Internal error processing module entry

It might have helped if you posted that message earlier. Internal errors ALWAYS indicate something bad happening. In this case, you're running 1.1.x, and somehow the data structures in the server have gotten corrupted. That's a VERY likely reason why the server is broken. As to how to see what's going wrong, run the server under valgrind.

There _may_ be a problem with rlm_sqlippool in 1.1.4 (it is marked as an unstable module in 1.1.4). If at all possible please consider updating to CVS head as there has been a lot of work on sqlippool and the postgresql driver. In fact the latest version of sqlippool _should_ work on Oracle (which I remember you wanted to do previously) although I have not tested this functionality. (rlm_sqlippool in 1.1.4 relies on a bug in rlm_sql_postgresql to work, hence the reason it doesn't work properly with other DBs)

Alternatively you could backport the cvs head version of sqlippool to 1.1.4 which is something I have been considering for the 1.1.5 release but have yet to find the time to do (but would happily accept donations to do so :-)

--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Re: Again: Major impact on authentication!
Mr. Peter,

On 2/6/07, Peter Nixon [EMAIL PROTECTED] wrote:

OK. Well we have added a few more things this week. The last commit was just over an hour ago for: http://bugs.freeradius.org/show_bug.cgi?id=414

Yes, I've been watching the progress in Automatic report from sources (radiusd) in the devel list, thanks.

Can you please confirm whether or not Oracle supports the SQL99 syntax? If so I will change all the BEGINs to START TRANSACTION. If it does not I will do the opposite.

Oracle automatically treats every changing aspect of the tables as a transaction so there's no START TRANSACTION command in it. Every BEGIN needs to have an END; and a dot . after END;. Basically you need the Transaction so you can do the FOR UPDATE command to lock that framedipaddress temporally. In Oracle thou need no BEGIN, just do the select ... for update and then the COMMIT; in the end.

The patches I committed today and yesterday improved the exit codes which should make failover more flexible.

I don't know if the new CVS will suit for me because with the PostgreSQL function that I've made there's no need to use 2 sqlippool instances. Again, I don't have anything against the module fail-over, I'm just using the function mainly because the native allocate-find didn't fix the users IP correctly for me (also one module is a bit quicker). A quick valgrind run detected some errors in rlm_sql for the oracle connection. Gonna do a massive debugging after midnight to see if there's something weird going on. Thank you and everyone for the prompt answers!
Major impact on authentication!
Hi, Freeradius 1.1.4 is randomly losing connection to both databases and it's causing total loss in the authentication process:

Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Info: rlm_sql (sql_postgresql): There are no DB handles to use! skipped 0, tried to connect 0
Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request

Running either in multi or single threaded mode, those messages appeared 47.099,00 times since Jan 27! Freeradius is configured with 32 max_servers and 32 connections to each DB. There's no starving since no accounting is being used and the server has to handle just 3 auths per second. Every time this happens, no one can authenticate and doing a restart in Freeradius solves the problem. To circumvent the problem, I've added a cron.hourly job so each hour a service radiusd restart is issued.

As this is random, it's hard to debug, but at the same time freeradius loses the connection, several other applications can successfully connect/maintain previous established connections to the databases. I've enabled all sorts of debug in the databases trying to better understand why freeradius is doing this, but there was no luck. I've installed the latest CVS and the same problem appeared, please help!
Re: Major impact on authentication!
Hello, Thank you all for your prompt answers! The database takes between 15ms and 40ms to answer to freeradius and has only 40.000 entries there, so it isn't big. PostgreSQL is updated to its latest version and vacuum runs every night. The queries are from sqlippool.conf, so... Thanks!
Hibernating: Major impact on authentication!
Hello, Considering that all things indicate that there might be a problem with the DB, I did some tweaks in PostgreSQL and took off the cron.hourly job. Gonna watch out for problems then, thanks!

-

Hi, Freeradius 1.1.4 is randomly losing connection to both databases and it's causing total loss in the authentication process:

Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Info: rlm_sql (sql_postgresql): There are no DB handles to use! skipped 0, tried to connect 0
Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request

Running either in multi or single threaded mode, those messages appeared 47.099,00 times since Jan 27! Freeradius is configured with 32 max_servers and 32 connections to each DB. There's no starving since no accounting is being used and the server has to handle just 3 auths per second. Every time this happens, no one can authenticate and doing a restart in Freeradius solves the problem. To circumvent the problem, I've added a cron.hourly job so each hour a service radiusd restart is issued.

As this is random, it's hard to debug, but at the same time freeradius loses the connection, several other applications can successfully connect/maintain previous established connections to the databases. I've enabled all sorts of debug in the databases trying to better understand why freeradius is doing this, but there was no luck. I've installed the latest CVS and the same problem appeared, please help!
Re: Major impact on authentication!
I'm testing PostgreSQL performance with various tools. Thanks!

On 2/5/07, Dennis Skinner [EMAIL PROTECTED] wrote:

Alan DeKok wrote:

As this is random, it's hard to debug, but at the same time freeradius loses the connection, several other applications can successfully connect/maintain previous established connections to the databases.

FreeRADIUS is NOT losing its connection to the DB. If you think that's happening, you will try to fix a problem that doesn't exist, and will NOT solve the real problem.

I've enabled all sorts of debug in the databases trying to better understand why freeradius is doing this, but there was no luck.

Find out why the database isn't responding to FreeRADIUS.

I had similar issues at one time with MySQL and FreeRADIUS. There is an app out there for MySQL called Mytop which is basically like the unix top command, but looks at MySQL processes. This makes it very easy to watch and see what processes are taking too long and holding up the rest. I'm not sure if there is a similar app out there for postgresql, but it'd be worth a look.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Log notfound users
Hello, In authorize section I have the following:

    sql {
        notfound = reject
    }

In post-auth:

    Post-Auth-Type REJECT {
        sql
        attr_filter.access_reject
    }

Both work correctly but I would like to log notfound users into radpostauth table as well, just like in post-auth. How may I do this, please? Thank you.
SEVERE! radiusd 2.0 and 1.1.4 dying! Segmentation fault
Hi, Freeradius 2.0 alpha was working correctly since November 1st. Then, this month, suddenly the server started to die, complaining of Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0. The server runs threaded with max_servers = 32 and num_sql_socks = 32 (there are 5 reqs per second, no more than that). Ok so I've tried to run it single threaded (-X), but then, it's slow and it misses some access requests, due to processing the accounting. I've uninstalled it and installed 1.1.4, but the same occurs! Restarting radiusd when it fails gives another 15 minutes before it dies again. Also, disabling accounting helps prolong the server lifetime. Any clue on that? Thanks.

Sat Jan 27 19:13:16 2007 : Debug: modsingle[accounting]: returned from detail (rlm_detail) for request 108
Sat Jan 27 19:13:16 2007 : Debug: modcall[accounting]: module detail returns ok for request 108
Sat Jan 27 19:13:16 2007 : Debug: modsingle[accounting]: calling ippool (rlm_sqlippool) for request 108
Sat Jan 27 19:13:16 2007 : Debug: rlm_sql (sql_postgresql): Reserving sql socket id: 11
Sat Jan 27 19:13:16 2007 : Debug: radius_xlat: 'BEGIN'
** Internal heap ERROR 17177 addr=(nil) *
ORA-21500: internal error code, arguments: [17177], [0x0], [], [], [], [], [], []
Errors in file :
ORA-21500: internal error code, arguments: [17177], [0x0], [], [], [], [], [], []
- Call Stack Trace -
Cannot seek to string table section header in /proc/11022/exe.
Cannot seek to string table section header in /proc/11022/exe.
Sat Jan 27 19:13:16 2007 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
Sat Jan 27 19:13:16 2007 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
Re: SEVERE! radiusd 2.0 and 1.1.4 dying! Segmentation fault
Thanks Mr. Mayers, The database is Oracle on a powerful machine which only does acct/auth. All the relevant auth/accounting queries are indexed to speed things up. There's a PostgreSQL database to take care of the sqlippool module. The strange thing is that even when the accounting is off (with low load then) the error appears randomly. Also, if the proxy realm dies the problem occurs too. That segfault was captured by running radiusd -xxx, which pinpoints to an Oracle OCI error in this case (with acct on). I can't give you a gdb because the server is running fine now, but who knows when it may happen... That setup was running fine for almost 3 months. All indicates a resource starving problem, but the load is low :( Thank you very much.
Re: RADIUS will no longer start!
Michelle, Seems like someone took off your NASes either from your naslist or clients.conf files, in your raddb dir. In those files you need at least an entry like this (for clients.conf):

    client 10.10.10.1 {
        secret = secret123
    }

Where 10.10.10.1 would be your NAS address and secret123 your secret. By your debug, it seems that you're using the naslist file. As naslist is deprecated, please use the clients.conf instead. Hope this helps. Guilherme

On 1/24/07, Michelle Gates [EMAIL PROTECTED] wrote:

All, Our RADIUS server has been up and running fine for 127 days now. Suddenly today it no longer runs. I tried to put it into debug mode and got the following output:

[EMAIL PROTECTED] ~]# /opt/freeradius/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /opt/freeradius/etc/raddb/proxy.conf
Config: including file: /opt/freeradius/etc/raddb/trs_proxy.conf
Config: including file: /opt/freeradius/etc/raddb/clients.conf
Config: including file: /opt/freeradius/etc/raddb/trs_clients.conf
Config: including file: /opt/freeradius/etc/raddb/snmp.conf
Config: including file: /opt/freeradius/etc/raddb/sqlcounter.conf
Config: including file: /opt/freeradius/etc/raddb/eap.conf
Config: including file: /opt/freeradius/etc/raddb/sql.conf
main: prefix = /opt/freeradius
main: localstatedir = /opt/freeradius/var
main: logdir = /opt/freeradius/var/log/radius
main: libdir = /opt/freeradius/lib
main: radacctdir = /opt/freeradius/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /opt/freeradius/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = /opt/freeradius/var/run/radiusd/radiusd.pid
main: user = trustive
main: group = trustive
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /opt/freeradius/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
/opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name -

Can anyone shed any light on this? Unfortunately for me, one of our developers was working on our production server but *claims* not to have changed anything of any consequence... I'm really unsure of where this is coming from! Has anyone seen this error before or could anyone at least point me in the right direction?

Best regards, -michelle.
Re: !!! Assertion failed in listen.c, line 621 !!!
So, that was it! It works now, thanks. Back to the threads again :)

On 12/12/06, Guilherme Franco [EMAIL PROTECTED] wrote:

Thanks a lot! I gonna test it right now!

On 12/12/06, Alan DeKok [EMAIL PROTECTED] wrote:

Peter Nixon wrote:

Running CVS HEAD in single threaded mode works around the problem for the time being...

Ugh. After staring at the code a little more, the bug is in threads.c, where it was passing 'request-proxysecret' rather than 'request' to the 'listener-send' function. It should be fixed now.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: !!! Assertion failed in listen.c, line 621 !!!
Yes, I'm using it single-threaded, since September. I don't want to go back to 1.1.3 since it gave me problems. Thanks.

On 12/12/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Tue 12 Dec 2006 03:08, Guilherme Franco wrote:

No way man! :) I've done a CVS clean install now (EVERYTHING old deleted before install and rebooted machine) but the same error occurs! It's just like the log from the previous post (below). radiusd dies after Sending Access-Request to the proxy, every single time. I'm not using any old conf, configured it from scratch. Please help!

Running CVS HEAD in single threaded mode works around the problem for the time being... This is on the TODO list to fix before the 2.0 release :-) http://wiki.freeradius.org/Development_Roadmap#Version_2.0

--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Re: !!! Assertion failed in listen.c, line 621 !!!
Thanks a lot! I gonna test it right now!

On 12/12/06, Alan DeKok [EMAIL PROTECTED] wrote:

Peter Nixon wrote:

Running CVS HEAD in single threaded mode works around the problem for the time being...

Ugh. After staring at the code a little more, the bug is in threads.c, where it was passing 'request-proxysecret' rather than 'request' to the 'listener-send' function. It should be fixed now.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Assertion failed in listen.c, line 621
Hello, I did a set follow-fork-mode child in gdb now but then, there's no assertion failed! The radiusd child process keeps running now but no one can authenticate:

[EMAIL PROTECTED] tmp]# cat /usr/local/var/log/radius/radius.log
Sat Dec 9 15:47:02 2006 : Info: FreeRADIUS Version 2.0.0-pre0, for host x86_64-unknown-linux-gnu, built on Dec 3 2006 at 21:00:48
Sat Dec 9 15:47:02 2006 : Info: Starting - reading configuration files ...
Sat Dec 9 15:47:03 2006 : Info: rlm_sql (sql): Driver rlm_sql_oracle (module rlm_sql_oracle) loaded and linked
Sat Dec 9 15:47:03 2006 : Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.10.10.1 )(PORT=1521))(CONNECT_DATA=(SID=DB_R)))
Sat Dec 9 15:47:03 2006 : Info: rlm_sql (sql_postgresql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Sat Dec 9 15:47:03 2006 : Info: rlm_sql (sql_postgresql): Attempting to connect to [EMAIL PROTECTED]:/DB_R
Sat Dec 9 15:47:04 2006 : Info: Ready to process requests.
Sat Dec 9 15:47:52 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec 9 15:47:58 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec 9 15:48:04 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec 9 15:48:16 2006 : Error: TIMEOUT for request 0 in module server core, component server core
Sat Dec 9 15:48:23 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec 9 15:48:29 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec 9 15:48:35 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec 9 15:48:40 2006 : Error: TIMEOUT for request 1 in module server core, component server core
Sat Dec 9 15:48:46 2006 : Error: TIMEOUT for request 2 in module server core, component server core
Sat Dec 9 15:48:47 2006 : Error: TIMEOUT for request 3 in module server core, component server core
Sat Dec 9 15:49:19 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 59 due to unfinished request 22

So:

- Running radiusd alone, without gdb, generates Assertion failed in listen.c, line 621;
- Running radiusd inside gdb generates no error, but does not work (as shown in the logs);
- Running radiusd -X alone or inside gdb works without any problems.

What might it be?

ps. Regarding the previous post, the Assertion failed occurs only when the first packet is received.

Thank you!

On 12/6/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco wrote:

I'm not HUPing the server in any way, never.

Ok..

GDB output:

Starting program: /usr/local/sbin/radiusd
[Thread debugging using libthread_db enabled]
[New Thread 182896328384 (LWP 31483)]
Detaching after fork from child process 31486.
Program exited normally.

sigh You've just printed out the GDB information from the server process that starts the daemon... which exits normally. Please send the gdb information from the core file. i.e. the program that is failing.

Wed Dec 6 20:33:09 2006 : Info: Ready to process requests.
Wed Dec 6 20:33:09 2006 : Error: Assertion failed in listen.c, line 621

Immediately? Without ever receiving packets? That's very weird...

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
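The symptoms quoted across this thread can be pulled out of radius.log and tied back to the request that stalled. The following is an added example, not code from any poster or from FreeRADIUS; the sample lines are constructed from the log formats quoted above, and the function and category names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, written in the radius.log line format quoted in this thread.
SAMPLE_LOG = """\
Sat Dec 9 15:47:04 2006 : Info: Ready to process requests.
Sat Dec 9 15:47:52 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec 9 15:47:58 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec 9 15:48:04 2006 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Sat Dec 9 15:48:05 2006 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Sat Dec 9 15:48:16 2006 : Error: TIMEOUT for request 0 in module server core, component server core
Sat Dec 9 15:48:23 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec 9 15:48:47 2006 : Error: TIMEOUT for request 3 in module server core, component server core
"""

# "<ctime timestamp> : <Level>: <message>"
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : (\w+): (.*)$")

# One pattern per message quoted in the thread; category names are this example's own.
SYMPTOMS = {
    "db_handles_exhausted": re.compile(
        r"rlm_sql \((?P<inst>[^)]+)\): There are no DB handles to use!"),
    "thread_pool_exhausted": re.compile(
        r"The maximum number of threads \((?P<max>\d+)\) are active"),
    "unresponsive_child": re.compile(
        r"Unresponsive child \(id \d+\) for request (?P<req>\d+)"),
    "duplicate_discarded": re.compile(
        r"Discarding duplicate request from client (?P<client>\S+).*? - ID: "
        r"(?P<id>\d+) due to unfinished request (?P<req>\d+)"),
    "request_timeout": re.compile(
        r"TIMEOUT for request (?P<req>\d+) in module (?P<module>.+?), component"),
    "internal_error": re.compile(r"Internal error processing module entry"),
    "assertion_failed": re.compile(r"Assertion failed in (?P<file>\S+), line (?P<line>\d+)"),
}


def parse(log_text):
    """Yield (timestamp, symptom, fields) for every recognised log line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # packet attribute dumps, heap dumps, wrapped lines
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        for name, pattern in SYMPTOMS.items():
            hit = pattern.search(m.group(3))
            if hit:
                yield ts, name, hit.groupdict()
                break


def summarize(log_text):
    """Count each symptom and record when it first appeared."""
    seen = {}
    for ts, name, _fields in parse(log_text):
        entry = seen.setdefault(name, {"count": 0, "first_seen": ts})
        entry["count"] += 1
    return seen


def stalled_requests(log_text):
    """Group evidence by the server's internal request number.

    Request numbers restart at 0 when radiusd restarts, so feed this one
    server run at a time.
    """
    stalls = {}
    for ts, name, fields in parse(log_text):
        if "req" not in fields:
            continue
        stall = stalls.setdefault(int(fields["req"]), {
            "first_seen": ts, "dropped_retransmits": 0,
            "packet_ids": set(), "timed_out_at": None})
        if name == "duplicate_discarded":
            stall["dropped_retransmits"] += 1
            stall["packet_ids"].add(int(fields["id"]))
        elif name == "request_timeout" and stall["timed_out_at"] is None:
            stall["timed_out_at"] = ts
    return stalls


def server_blocked(log_text):
    """True when a pool is exhausted AND individual requests are stuck."""
    seen = summarize(log_text)
    starved = "db_handles_exhausted" in seen or "thread_pool_exhausted" in seen
    stuck = any(k in seen for k in
                ("duplicate_discarded", "request_timeout", "unresponsive_child"))
    return starved and stuck


if __name__ == "__main__":
    for req, stall in sorted(stalled_requests(SAMPLE_LOG).items()):
        print(req, stall["dropped_retransmits"], stall["timed_out_at"])
    print("blocked:", server_blocked(SAMPLE_LOG))
```

The gap between a request's first dropped retransmit and its TIMEOUT line shows how long a worker was held, which is the number to compare against database response times.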
Re: Assertion failed in listen.c, line 621
Mr. Alan. Sorry for bothering you. If I run radiusd and setup the NAS to not send any requests to this radius server, radiusd stays up all day in Info: Ready to process requests.. In the moment that I setup the NAS to send request to the radius server and the first request goes to it, radiusd dies. Maybe sometimes radiusd is not even taking a chance to log that someone tried to auth and just dies. But of all the logs that I have, just ONE shows the following:

Wed Dec 7 09:15:04 2006 : Info: Ready to process requests.
Wed Dec 7 09:15:04 2006 : Auth: Invalid user: [EMAIL PROTECTED] (from client NAS-4 port 2952792216)
Wed Dec 7 09:15:04 2006 : Error: Assertion failed in listen.c, line 621

All the other are just like:

Wed Dec 6 11:02:46 2006 : Info: Ready to process requests.
Wed Dec 6 11:02:46 2006 : Error: Assertion failed in listen.c, line 621

Besides that, I've installed the latest CVS above the old one, not a clean install. That might be the problem, what do you think? Thank you.

On 12/11/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco wrote:

Hello, I did a set follow-fork-mode child in gdb now but then, there's no assertion failed!

And the server doesn't process any requests, either.

ps. Regarding the previous post, the Assertion failed occurs only when the first packet is received.

That's not what the debug log showed. The log you posted showed NOTHING being received, and the server dying. I find that very hard to believe. Please post a debug log showing that the server dies AFTER receiving a packet, and AFTER deciding that the packet has to be proxied. You posted:

Wed Dec 6 20:33:09 2006 : Info: Ready to process requests.
Wed Dec 6 20:33:09 2006 : Error: Assertion failed in listen.c, line 621

i.e. NOT packet received, AND it dies. That's pretty much impossible. It looks to me like you're still running the old version of the server, without the fix for that problem.

Alan DeKok.
-- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Re: Assertion failed in listen.c, line 621
Ok, The log is below, thank you. Gonna delete and clean install it, I just thought that ./configure, make, make install would overwrite everything except the confs.

radiusd -xxx

Mon Dec 11 19:47:58 2006 : Info: Ready to process requests.
Mon Dec 11 19:47:58 2006 : Debug: Nothing to do. Sleeping until we see a request.
Mon Dec 11 19:47:58 2006 : Debug: Thread 1 waiting to be assigned a request
Mon Dec 11 19:47:58 2006 : Debug: Thread 2 waiting to be assigned a request
Mon Dec 11 19:47:58 2006 : Debug: Thread 5 waiting to be assigned a request
Mon Dec 11 19:47:58 2006 : Debug: Thread 3 waiting to be assigned a request
Mon Dec 11 19:47:58 2006 : Debug: Thread 4 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.10.2.11 port 5, id=206, length=234
Mon Dec 11 19:48:17 2006 : Debug: --- Walking the entire request list ---
Mon Dec 11 19:48:17 2006 : Debug: Thread 1 got semaphore
Mon Dec 11 19:48:17 2006 : Debug: Threads: total/active/spare threads = 5/0/5
Mon Dec 11 19:48:17 2006 : Debug: Thread 1 handling request 0, (1 handled so far)
Mon Dec 11 19:48:17 2006 : Debug: Waking up in 1 seconds...
    User-Password = bogus123
    User-Name = [EMAIL PROTECTED]
    Acct-Session-Id = nas GigabitEthernet 11/0.165:2165:0028716608
    Service-Type = Framed-User
    Framed-Protocol = PPP
    ERX-Pppoe-Description = pppoe 00:0b:23:fd:1d:8c
    Calling-Station-Id = NAS-01#2165
    NAS-Port-Type = Ethernet
    NAS-Port = 2952792181
    NAS-Port-Id = GigabitEthernet 11/0.165:2165
    NAS-IP-Address = 10.10.2.11
    NAS-Identifier = NAS-01
Mon Dec 11 19:48:17 2006 : Debug: Processing the authorize section of radiusd.conf
Mon Dec 11 19:48:17 2006 : Debug: modcall: entering group authorize for request 0
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Mon Dec 11 19:48:17 2006 : Debug: modcall[authorize]: module preprocess returns ok for request 0
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 0
Mon Dec 11 19:48:17 2006 : Debug: radius_xlat: '/usr/local/var/log/radius/radacct/10.10.2.11/auth-detail-20061211'
Mon Dec 11 19:48:17 2006 : Debug: rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.2.11/auth-detail-20061211
Mon Dec 11 19:48:17 2006 : Debug: radius_xlat: 'Mon Dec 11 19:48:17 2006'
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 0
Mon Dec 11 19:48:17 2006 : Debug: modcall[authorize]: module auth_log returns ok for request 0
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Mon Dec 11 19:48:17 2006 : Debug: modcall[authorize]: module chap returns noop for request 0
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Mon Dec 11 19:48:17 2006 : Debug: modcall[authorize]: module mschap returns noop for request 0
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: calling unix (rlm_unix) for request 0
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: returned from unix (rlm_unix) for request 0
Mon Dec 11 19:48:17 2006 : Debug: modcall[authorize]: module unix returns notfound for request 0
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Looking up realm foo.com for User-Name = [EMAIL PROTECTED]
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Found realm foo.com
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Adding Stripped-User-Name = bogus
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Proxying request from user bogus to realm foo.com
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Adding Realm = foo.com
Mon Dec 11 19:48:17 2006 : Debug: rlm_realm: Preparing to proxy authentication request to realm foo.com
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Mon Dec 11 19:48:17 2006 : Debug: modcall[authorize]: module suffix returns updated for request 0
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Mon Dec 11 19:48:17 2006 : Debug: users: Matched entry DEFAULT at line 173
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Mon Dec 11 19:48:17 2006 : Debug: modcall[authorize]: module files returns ok for request 0
Mon Dec 11 19:48:17 2006 : Debug: modsingle[authorize]: calling sql (rlm_sql) for
!!! Assertion failed in listen.c, line 621 !!!
No way man! :) I've done a CVS clean install now (EVERYTHING old deleted before install and rebooted machine) but the same error occurs! It's just like the log from the previous post (below). radiusd dies after Sending Access-Request to the proxy, every single time. I'm not using any old conf, configured it from scratch. Please help!

Thanks.

On 12/11/06, Guilherme Franco [EMAIL PROTECTED] wrote:

Ok, The log is below, thank you. Gonna delete and clean install it, I just thought that ./configure, make, make install would overwrite everything except the confs.
Re: !!! Assertion failed in listen.c, line 621 !!!
I have to thank you very much for all your effort! This is a very weird problem, but I remember that Peter Nixon kinda had the same problem. I saw that in the devel forum:
http://lists.freeradius.org/mailman/htdig/freeradius-devel/2006-September/010273.html

Also, from Tuyan:
http://lists.freeradius.org/mailman/htdig/freeradius-devel/2006-September/010357.html

And a similar one from Chaigneau, but with 1.1.3, without crashes:
http://lists.freeradius.org/mailman/htdig/freeradius-devel/2006-November/010478.html

If there is anything that I can do to help, please let me know.

Thanks again!

On 12/11/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco wrote:

I've done a CVS clean install now (EVERYTHING old deleted before install and rebooted machine) but the same error occurs!

OK... it's just that I have a difficult time reproducing the problem, so it's kind of hard to figure out what's going wrong.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Assertion failed in listen.c, line 621
Hello, I did a set follow-fork-mode child in gdb now but then, there's no assertion failed! The radiusd child process keeps running now but no one can authenticate:

[EMAIL PROTECTED] tmp]# cat /usr/local/var/log/radius/radius.log
Sat Dec 9 15:47:02 2006 : Info: FreeRADIUS Version 2.0.0-pre0, for host x86_64-unknown-linux-gnu, built on Dec 3 2006 at 21:00:48
Sat Dec 9 15:47:02 2006 : Info: Starting - reading configuration files ...
Sat Dec 9 15:47:03 2006 : Info: rlm_sql (sql): Driver rlm_sql_oracle (module rlm_sql_oracle) loaded and linked
Sat Dec 9 15:47:03 2006 : Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.10.10.1)(PORT=1521))(CONNECT_DATA=(SID=DB_R)))
Sat Dec 9 15:47:03 2006 : Info: rlm_sql (sql_postgresql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Sat Dec 9 15:47:03 2006 : Info: rlm_sql (sql_postgresql): Attempting to connect to [EMAIL PROTECTED]:/DB_R
Sat Dec 9 15:47:04 2006 : Info: Ready to process requests.
Sat Dec 9 15:47:52 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec 9 15:47:58 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec 9 15:48:04 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 57 due to unfinished request 0
Sat Dec 9 15:48:16 2006 : Error: TIMEOUT for request 0 in module server core, component server core
Sat Dec 9 15:48:23 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec 9 15:48:29 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec 9 15:48:35 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 58 due to unfinished request 3
Sat Dec 9 15:48:40 2006 : Error: TIMEOUT for request 1 in module server core, component server core
Sat Dec 9 15:48:46 2006 : Error: TIMEOUT for request 2 in module server core, component server core
Sat Dec 9 15:48:47 2006 : Error: TIMEOUT for request 3 in module server core, component server core
Sat Dec 9 15:49:19 2006 : Error: Discarding duplicate request from client NAS-1 port 5 - ID: 59 due to unfinished request 22

So:
Running radiusd alone, without gdb, generates Assertion failed in listen.c, line 621;
Running radiusd inside gdb generates no error, but does not work (as shown in the logs);
Running radiusd -X alone or inside gdb works without any problems.

What might it be?

ps. Regarding the previous post, the Assertion failed occurs only when the first packet is received.

Thank you!

On 12/6/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco wrote:

I'm not HUPing the server in any way, never.

Ok..

GDB output:
Starting program: /usr/local/sbin/radiusd
[Thread debugging using libthread_db enabled]
[New Thread 182896328384 (LWP 31483)]
Detaching after fork from child process 31486.
Program exited normally.

sigh You've just printed out the GDB information from the server process that starts the daemon... which exits normally. Please send the gdb information from the core file. i.e. the program that is failing.

Wed Dec 6 20:33:09 2006 : Info: Ready to process requests.
Wed Dec 6 20:33:09 2006 : Error: Assertion failed in listen.c, line 621

Immediately? Without ever receiving packets? That's very weird...

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Assertion failed in listen.c, line 621
Hi, I'm not HUPing the server in any way, never.

GDB output:
Starting program: /usr/local/sbin/radiusd
[Thread debugging using libthread_db enabled]
[New Thread 182896328384 (LWP 31483)]
Detaching after fork from child process 31486.
Program exited normally.
(gdb) info threads
No registers.
(gdb) thread apply all bt full
(gdb) Quit

--

[EMAIL PROTECTED] ~]# /usr/local/var/log/radius/radius.log:
Wed Dec 6 20:33:08 2006 : Info: FreeRADIUS Version 2.0.0-pre0, for host x86_64-unknown-linux-gnu, built on Dec 3 2006 at 21:00:48
Wed Dec 6 20:33:08 2006 : Info: Starting - reading configuration files ...
Wed Dec 6 20:33:08 2006 : Info: rlm_sql (sql): Driver rlm_sql_oracle (module rlm_sql_oracle) loaded and linked
Wed Dec 6 20:33:08 2006 : Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.10.10.2)(PORT=1521))(CONNECT_DATA=(SID=DB_R)))
Wed Dec 6 20:33:09 2006 : Info: rlm_sql (sql_postgresql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Wed Dec 6 20:33:09 2006 : Info: rlm_sql (sql_postgresql): Attempting to connect to [EMAIL PROTECTED]:/DB_R
Wed Dec 6 20:33:09 2006 : Info: Ready to process requests.
Wed Dec 6 20:33:09 2006 : Error: Assertion failed in listen.c, line 621

Thank you.
Assertion failed in listen.c, line 621
Hello, Freeradius-snapshot-20061203 crashes when running just radiusd with proxy (radiusd -X doesn't crash). It logs the following:

Error: Assertion failed in listen.c, line 621

which is:

rad_assert(request->proxy_listener == listener);

Thanks.
(CVS) Error: Assertion failed in listen.c, line 621
Hello, I'm having problems again when running radiusd (radiusd -X doesn't crash).

Before, in freeradius-snapshot-20061002, it was "Error: Assertion failed in listen.c, line 620", which was:

rad_assert(request->proxy_listener == listener);

Now, in freeradius-snapshot-20061203, it gives me "Error: Assertion failed in listen.c, line 621", which also is:

rad_assert(request->proxy_listener == listener);

That error was reported by Mr. Peter Nixon in September and by me in October, but Mr. Alan DeKok said that it was already corrected. Please note that freeradius-snapshot-20061203 was installed as an update on top of freeradius-snapshot-20061002, not a clean install. Any concerns on this?

Thanks.
CVS error
Hello, I'm trying to do a CVS login and got this error:

cvs -d :pserver:[EMAIL PROTECTED]:/source login
Logging in to :pserver:[EMAIL PROTECTED]:2401:/source
CVS password: ***
cvs [login aborted]: connect to cvs.freeradius.org:2401 failed: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
CVS problem
Hello, I'm trying to do a cvs checkout but it won't let me:

cvs -d :pserver:[EMAIL PROTECTED]:/source login
Logging in to :pserver:[EMAIL PROTECTED]:2401/source
CVS password: anoncvs
cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd

It just hangs in the checkout part... Any problems with the server?

Thanks.
PROBLEM - Proxy + SQLIPPOOL + Framed-IP-Address
Hi, Doing proxy, freeradius always ignores the static Framed-IP-Address set in the radreply table and sets the random SQLIPPOOL one instead. Without proxy, SQLIPPOOL won't assign an IP from the pool and grabs the Framed-IP-Address correctly. I guess it's because of the Framed-IP-Address = 255.255.255.254 contained in the Access-Accept packet from the proxy home server. Played with attrs but no luck. Please help!

Thanks!
'{%SQL-User-Name}' does not work for SQLIPPOOL
Hello, '{%SQL-User-Name}' does not work for SQLIPPOOL, it always appears blank. What should I use in order to get the username?

Thank you.
SOLVED '{%SQL-User-Name}' does not work for SQLIPPOOL
Nevermind, I used %{User-Name} and it works.

Hello, '{%SQL-User-Name}' does not work for SQLIPPOOL, it always appears blank. What should I use in order to get the username?

Thank you.
Re: SQLIPPOOL problem
Thanks Peter, that will do. But I came into another problem, regarding this. I've created entries in radreply such as [EMAIL PROTECTED] Framed-IP-Address = 1.1.1.2. When the user authenticates, freeradius finds the data from radreply, but sqlippool still assigns a random IP. What can it be, please?

Thank you very much.

On 10/28/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Fri 27 Oct 2006 01:50, Guilherme Franco wrote:

Hi, This is very important, please. In the ippool module I can use two or more pools just by setting

ippool POOL1{...}
ippool POOL2{...}

In SQLIPPOOL, I know that I can create as many pools as I want but I need to treat those pools differently, say, POOL1 assigns static IPs and POOL2 dynamic ones, or POOL1 is in databaseX and POOL2 in databaseY. So I did this sqlippool.conf:

sqlippool POOL1{...}
sqlippool POOL2{...}

And then in radiusd.conf:

post-auth{
    POOL1
    POOL2
}

But the user that has Pool-Name := POOL2 in radcheck receives the IP (because POOL2 exists in the database), but it's not treated by the POOL2 instance created in sqlippool.conf (radiusd -X shows that both module POOL1 and POOL2 are instantiated), it's being treated by the POOL1 instance. So, how can I tell that for users that belong to POOL2 use the POOL2 module, instead of POOL1 and vice-versa?

With sqlippool the name of the module has no relation to the Pool-Name attribute. The easiest way to do what you want is simply make the 2nd module use a different database table and don't put the same Pool-Name in both tables.

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

--
Guilherme de Oliveira Franco
Damovo - Brasil
SQLIPPOOL problem
Hi, This is very important, please. In the ippool module I can use two or more pools just by setting

ippool POOL1{...}
ippool POOL2{...}

In SQLIPPOOL, I know that I can create as many pools as I want but I need to treat those pools differently, say, POOL1 assigns static IPs and POOL2 dynamic ones, or POOL1 is in databaseX and POOL2 in databaseY. So I did this sqlippool.conf:

sqlippool POOL1{...}
sqlippool POOL2{...}

And then in radiusd.conf:

post-auth{
    POOL1
    POOL2
}

But the user that has Pool-Name := POOL2 in radcheck receives the IP (because POOL2 exists in the database), but it's not treated by the POOL2 instance created in sqlippool.conf (radiusd -X shows that both module POOL1 and POOL2 are instantiated), it's being treated by the POOL1 instance. So, how can I tell that for users that belong to POOL2 use the POOL2 module, instead of POOL1 and vice-versa?

Thank you.
Error: Assertion failed in listen.c, line 620
Hello, Whenever I run radiusd alone, without the -X, this error occurs in the first authentication request:

Error: Assertion failed in listen.c, line 620

This line indicates the proxy part. Running CVS radiusd -X generates no error at all. Any clues?

Thanks.
Re: Error: Assertion failed in listen.c, line 620
Oh sorry, it's not the latest one because there's only cistron in the CVS page. I can't download freeradius cvs then. Please check the page: ftp://ftp.freeradius.org/pub/radius/CVS-snapshots/

Thanks.

On 10/25/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco [EMAIL PROTECTED] wrote:

Whenever I run radiusd alone, without the -X this error occurs in the first authentication request: Error: Assertion failed in listen.c, line 620

Is this a recent version of CVS? I thought I had fixed that weeks ago...

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Error: Assertion failed in listen.c, line 620
Yes, indeed, thanks. I just wanted to notify about the dead link as well as the browse cvs tree: http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/

By now, I'll use plain cvs to download it.

Thank you.

On 10/25/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco [EMAIL PROTECTED] wrote:

Oh sorry, it's not the latest one because there's only cistron in the CVS page. I can't download freeradius cvs then.

You can use CVS to check out the latest version.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Important question about module instantiation
Hello, In sqlippool.conf I've instantiated:

sqlippool DYNAMIC{
    ...
    allocate-find = SELECT framedipaddress FROM ${ippool_table} \
        WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \
        ORDER BY RANDOM() \
        LIMIT 1 \
        FOR UPDATE
    ...
}

sqlippool STATIC{
    ...
    allocate-find = SELECT framedipaddress FROM ${ippool_table} \
        WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \
        ORDER BY (username <> '%{SQL-User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time \
        LIMIT 1 \
        FOR UPDATE
    ...
}

So, the first one allocates dynamic IP addresses to the user and the second assigns static ones. Then in radiusd.conf:

post-auth {
    DYNAMIC
    STATIC
    ...
}

The problem is: when someone who has Pool-Name := STATIC in radcheck logs in, the sqlippool module used for assigning an IP to that user is DYNAMIC, because it was called earlier than STATIC in radiusd.conf. As a result the user gets a dynamic IP. That's a problem. What can I do to solve this, please?

Thank you.
cvs issue
Hello, I'm only seeing cistron on the cvs:

FTP directory /pub/radius/CVS-snapshots/ at ftp.freeradius.org
Up to higher level directory
10/23/2006 09:10201,051 radiusd-cistron-1.6-snapshot-20061023.tar.gz
Re: sqlippool + MySQL
Hi Peter, Regarding this post, the problem with Oracle and sqlippool still exists. I've altered the postgresql inet to varchar and it works. But in oracle, with varchar it does not work (the query returns exactly the same result in oracle's sqlplus as in postgresql, but freeradius keeps saying:

sqlippool_query1: row[0] returned NULL
rlm_sqlippool: ip=[] len=0
radius_xlat: 'COMMIT'
rlm_sqlippool: IP number could not be allocated.

). So this proves that it's not an issue with the queries (at least for oracle).

Cheers.

On 10/17/06, Peter Nixon [EMAIL PROTECTED] wrote:

Hi Jan and Roberto

We ARE doing serious work on sqlippool but it is all with Postgresql. As Jan says someone with a little MySQL knowledge shouldn't have problems making those queries work with MySQL. Once you have them working please send them to me so I can include them in cvs.

Cheers
Peter

On Tue 17 Oct 2006 00:58, Jan Mulders wrote:

Someone needs to do some serious work on sqlippool. I'd do so, but currently I have no need for SQL-assigned IPs, as I only have one RADIUS server - and if it fails over, the least thing I have to worry about is current IP assignments. I recommend finding someone who is adept at *SQL and buy them a pizza. Then ask them to 'translate' those queries for you.

Jan

On 16/10/06, Roberto Gonzalez Azevedo [EMAIL PROTECTED] wrote:

Does somebody know how to configure sqlippool with MySQL? The sqlippool.conf example is for pgsql. And for MySQL? Here is my sqlippool.conf, corrected for MySQL:

sqlippool sqlippool {
    #
    # SQL connection information
    #
    sql-instance-name = sql

    # lease_duration. fix for lost acc-stop packets
    lease-duration = 3600

    # Attribute which should be considered unique per NAS
    pool-key = %{Acct-Session-Id}
    pool-name = mypool
    # pool-key = %{Calling-Station-Id}

    #
    # This series of queries allocates an IP address
    #
    allocate-clear = UPDATE radippool \
        SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
        expiry_time = NOW() - INTERVAL 1 SECOND \
        WHERE pool_key = '${pool-key}'

    # note the ORDER BY clause of next query, it'll try to allocate IPs
    # like Cisco internal pools do - it _trys_ to allocate the same IP-address
    # which user had last session...
    allocate-find = SELECT FramedIPAddress FROM radippool \
        WHERE pool_name = '%{reply:Pool-Name}' AND expiry_time < NOW() \
        ORDER BY pool_name, (UserName <> '%{User-Name}'), (CallingStationId <> '%{Calling-Station-Id}'), expiry_time \
        LIMIT 1 \
        FOR UPDATE

    allocate-update = UPDATE radippool \
        SET NASIPAddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
        CallingStationId = '%{Calling-Station-Id}', UserName = '%{User-Name}', \
        expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
        WHERE FramedIPAddress = '%{Framed-IP-Address}'

    #
    # This series of queries frees an IP number when an accounting
    # START record arrives
    #
    start-update = UPDATE radippool \
        SET expiry_time = NOW() + INTERVAL %J SECOND \
        WHERE NASIPAddress = '%n' AND pool_key = '${pool-key}' AND pool_name = '%P'

    #
    # This series of queries frees an IP number when an accounting
    # STOP record arrives
    #
    stop-clear = UPDATE radippool \
        SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
        expiry_time = NOW() - INTERVAL 1 SECOND \
        WHERE NASIPAddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}' AND UserName = '%{User-Name}' \
        AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}'

    #
    # This series of queries frees an IP number when an accounting
    # ALIVE record arrives
    #
    alive-update = UPDATE radippool \
        SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
        WHERE NASIPAddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' AND UserName = '%{User-Name}' \
        AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}'

    #
    # This series of queries frees the IP numbers allocate to a
    # NAS when an accounting ON record arrives
    #
    on-clear = UPDATE radippool \
        SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
        expiry_time = NOW() - INTERVAL 1 SECOND \
        WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \
        AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}'

    #
    # This series of queries frees the IP numbers allocate to a
    # NAS when an accounting OFF record arrives
    #
    off-clear = UPDATE radippool \
        SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
        expiry_time = NOW() - INTERVAL 1 SECOND \
        WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \
        AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress = '%{Framed-IP-Address}'
}

Here is the radiusd -X:
block users on-the-fly
Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/she logs in. OK, this works, but, if the user is already logged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because of the grand number of Router mode ADSL users, that never log out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Is there any other means to do that?

Thanks.
Re: block users on-the-fly
Thanks, I didn't know about the POD (it wasn't on the wiki when I read it before).

On 10/16/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Mon 16 Oct 2006 16:25, Guilherme Franco wrote:

Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/she logs in. OK, this works, but, if the user is already logged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because of the grand number of Router mode ADSL users, that never log out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user.

That's the wrong way to do it. Simply disconnect the user on your NAS at the same time as setting PAID = NO. The way you do this depends on your NAS but PoD comes to mind: http://wiki.freeradius.org/POD

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

--
Guilherme de Oliveira Franco
Damovo - Brasil
Re: block users on-the-fly
Thanks Owen

On 10/16/06, Owen DeLong [EMAIL PROTECTED] wrote:

On Oct 16, 2006, at 6:25 AM, Guilherme Franco wrote:

Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/she logs in. OK, this works, but, if the user is already logged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because of the grand number of Router mode ADSL users, that never log out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Is there any other means to do that? Thanks.

The radius protocol only supports processing of authentication requests. Unless you can get your hardware to send a periodic re-auth request, there's no way to have them processed by radius again no matter what you do to the database. Radius has no push capability. Your options are:

+ Get your hardware to re-auth periodically.
+ Use another process to boot users (forcing a reauth) when you change the database.

Owen

--
Guilherme de Oliveira Franco
Damovo - Brasil
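The disconnect approach recommended in this thread (PoD), as an added example that is not code from any of the posters or from FreeRADIUS: building a Disconnect-Request and validating the NAS's reply as laid out in RFC 5176. The function names, the shared secret and the simulated NAS reply are assumptions made for illustration; the session values echo the debug log posted earlier on this page.

```python
import hashlib
import hmac
import ipaddress
import struct

# Packet codes from RFC 5176 (Dynamic Authorization Extensions to RADIUS).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute types from RFC 2865 / RFC 2866.
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attr(attr_type, value):
    """Encode one attribute as type, length, value (length covers all three)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_disconnect_request(identifier, secret, user_name, session_id, nas_ip):
    """Build a Disconnect-Request that identifies one session on the NAS."""
    attrs = (
        encode_attr(USER_NAME, user_name.encode())
        + encode_attr(ACCT_SESSION_ID, session_id.encode())
        + encode_attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    )
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, HEADER_LEN + len(attrs))
    # Request Authenticator = MD5(code + id + length + 16 zero octets + attrs + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attrs(packet):
    """Return [(type, value), ...], rejecting malformed attribute lengths."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def check_reply(reply, request, secret):
    """Validate the NAS's answer; return True for ACK, False for NAK."""
    if len(reply) < HEADER_LEN:
        raise ValueError("reply shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("length field does not match datagram size")
    if identifier != request[1]:
        raise ValueError("identifier does not match the request")
    # Response Authenticator =
    #   MD5(code + id + length + request authenticator + attrs + secret)
    expected = hashlib.md5(
        reply[:4] + request[4:HEADER_LEN] + reply[HEADER_LEN:] + secret
    ).digest()
    if not hmac.compare_digest(expected, reply[4:HEADER_LEN]):
        raise ValueError("bad response authenticator (wrong secret or forged reply)")
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        raise ValueError("unexpected packet code %d" % code)
    parse_attrs(reply)  # raises if the attribute area is malformed
    return code == DISCONNECT_ACK


def simulated_nas_reply(request, secret, code=DISCONNECT_ACK):
    """Constructed stand-in for the NAS so the example runs offline."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN)
    return header + hashlib.md5(header + request[4:HEADER_LEN] + secret).digest()


def disconnect_unpaid_user():
    # Constructed sample values: the session data echoes the thread's debug
    # log, the shared secret is a placeholder.
    secret = b"example-shared-secret"
    request = build_disconnect_request(
        7, secret, "bogus", "nas GigabitEthernet 11/0.165:2165:0028716608", "10.10.2.11"
    )
    # A real sender would transmit `request` over UDP to the NAS's dynamic
    # authorization port (3799 in RFC 5176) and read the reply from the socket.
    return request, check_reply(simulated_nas_reply(request, secret), request, secret)


if __name__ == "__main__":
    req, acked = disconnect_unpaid_user()
    print(len(req), "octet Disconnect-Request, acknowledged:", acked)
```

The NAS must list the sender as a dynamic authorization client with the same shared secret, and a reply that fails the authenticator check should be treated as no reply at all.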
Re: RHEL4 and Oracle Instant Client
Hi,

You have to download it from oracle and then set all the needed paths, like LD_LIBRARY_PATH and ORA_HOME, pointing to the place where you decompressed oraclient. After that you need to recompile the rlm_oracle module under freeradiusxxx/src/modules/.

Cheers

On 10/10/06, Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
> Has anyone gotten the source RPM's from RHEL4 to build with the oracle module using the Oracle instant client? It keeps giving me the following error no matter what I try:
>
> checking for oci.h... yes
> checking for oracle_init in -loracleclient... no
> configure: warning: oracle libraries not found. Use --with-oracle-lib-dir=path.
> configure: warning: sql submodule 'oracle' disabled
>
> Thanks,
> Brian Dourty
> System Administrator - Team Lead
> IAT Services
> University of Missouri - Columbia
> 573-882-1035

--
Guilherme de Oliveira Franco
Damovo - Brasil
Re: FreeRADIUS user Survey
Hello,

Survey Not Found
Sorry but this survey is no longer available. Please contact us if you require any further information. For more information on GroupSurveys, you can visit our site at http://www.group-surveys.com

On 10/5/06, Alan DeKok [EMAIL PROTECTED] wrote:
> In order to better understand the needs of people using FreeRADIUS, I've set up a survey with 12 questions. The goal is to understand who's using FreeRADIUS, how they're using it, and what the users needs are.
>
> The page is: http://gs-survey.com/s.asp?s=1651
>
> Please take a few minutes to fill out the survey, and I'll be posting a summary of the responses here. I expect to have a few more surveys after this one, to be able to target future development.
>
> Thanks for your efforts in supporting FreeRADIUS.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: FreeRADIUS user Survey
Hello,

The problem persists: http://gs-survey.com/s.asp?s=1651

Survey Not Found
Sorry but this survey is no longer available. Please contact us if you require any further information. For more information on GroupSurveys, you can visit our site at http://www.group-surveys.com

On 10/5/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Guilherme Franco [EMAIL PROTECTED] wrote:
> > Survey Not Found
>
> Whoops... the make active link didn't work. I poked it again.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

--
Guilherme de Oliveira Franco
Damovo - Brasil
UPDATED: dumb humble question about sqlippool
Hello, I've installed Postgres with exactly the same configuration as Oracle's and Postgres works. The only point of failure using Oracle should be in radippool Framedipaddress which is VARCHAR in Oracle but is INET in Postgres. Could be a parsing error in rlm_sqlippool.c That's because xlat outputs: - 'SELECT framedipaddress FROM (select framedipaddress from radippool WHERE pool_name = 'SPW' ORDER BY dbms_random.value) where rownum = 1' sqlippool_query1: row[0] returned NULL rlm_sqlippool: ip=[] len=0 radius_xlat: 'COMMIT' rlm_sqlippool: IP number could not be allocated. - The same query on sqlplus is ok: SQL SELECT framedipaddress FROM (select framedipaddress from radippool WHERE pool_name = 'SPW' ORDER BY dbms_random.value) where rownum = 1; FRAMEDIPADDRESS -- 192.168.1.3 Now, considering that Postgres works like a breeze, how can I setup just sqlippool.conf to look in postgres, but the regular user and password queries to look in oracle? I've created a sql.conf containing oracle's confs (sql{..}) and sql2.conf containing postgres confs (sql2{...}). If I specify sql-instance-name = sql2 in sqlippool.conf it does not works. I appreciate any help on this issue. Thanks! On 9/29/06, Peter Nixon [EMAIL PROTECTED] wrote: On Fri 29 Sep 2006 15:23, Guilherme Franco wrote: Thanks for all the answers Mr. Peter! To clarify some things: NONE of the ippool modules let you set the pool name. You HAVE to set Pool-Name = whatever as a check item The radcheck table already have Pool-Name := whatever as a attribute, op, value for all users, but that's ok because I can set it manually in sqlippool.conf and the select DOES run in the correct table then (xlat outputs correctly then and I did a network sniff that shows the query is ok). If you set it in sqlippool.conf it is ignored by the module It will make no difference to the operation at all. 
Other issue is related to multiple pools, one with dynamic IP's and other with fixed ones (actually it's not possible to do that with only just one sqlippool.conf file without modifying rlm_sqlippool.c). IT IS!! Run two copies of the module! Sorry, i meant that I think that it is not possible without loading 2 or more modules (just with one module and one sqlippool.conf) dumb question, sorry. OK. We we specifically designed the module so you can run more than one instance of it (like most other radius modules) and the different instances may have different queries, tables and sql connections (Completely different database types if you wish) Another thing lies in proxy - if the proxy returns IP 255.255.255.254 for me, sqlippool does not overrides it and do nothing (it doesn't have the override = yes option like ippool). This can be added. Although why would you return an IP like that when you dont need to? Just return the Pool-Name and let the module do its job. I didn't think about it, thanks. You are welcome :-) Infact we have added today the capability to detect an ip address of 255.255.255.254 but this makes no sense except for when you are acting as a proxy and wish to add an ip address from a pool to an accept packet comming from a home server. Just use Pool-Name for all local users. Besides that I had to remove the BEGIN statement of allocate-begin (and all other begins) because oracle does not need it, and if you need to specify begin, then it needs to be in a different way (through the sniff, I saw that the begin was stated, then 4 space chars and then a / which is the same as doing BEGIN;/ in sqlplus, generating ORA end-of-file errors) Don't know from where that / came from thought. To solve this, I had to change BEGIN in allocate-begin for commit (a normal oracle operation before any query). Please send me a copy (privately if you wish) of your existing sqlippool.conf and working source code (or patch) so that we can integrate it into the existing code. 
About the postgresql installation, I was thinking in installing it. I will do that just to see it's behaviour, thanks. OK. I assumed that you had done this long ago. Please do it as a test. THANKS A LOT AGAIN! Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Re: UPDATED: dumb humble question about sqlippool
Mr. Peter, Thanks, I was using sql_instance2{...} instead of sql sql_instance2{...} :) Everything is working nice now with this hybrid oracle/postgresql except when I'm proxying and sqlippool won't set an IP because of 255.255.255.254 answer from the proxy server. As we talked earlier, there's no override = yes for this so I need to put Pool-Name := FOO in radreply, but even with the reply, it doesn't work. What I'm doing is convince the proxy ISP to change it's conf so it don't send me 255.255.255.254 for now. I have to thank you again for all your help! Now it's my turn to contribute, as soon as I have the time to look for, I hope to patch rlm_sqlippool.c and CVS it along with oracle.sqlippool.conf and radippool schema for oracle. Greetings On 10/3/06, Peter Nixon [EMAIL PROTECTED] wrote: On Tue 03 Oct 2006 19:29, Guilherme Franco wrote: Hello, I've installed Postgres with exactly the same configuration as Oracle's and Postgres works. Good. The only point of failure using Oracle should be in radippool Framedipaddress which is VARCHAR in Oracle but is INET in Postgres. Could be a parsing error in rlm_sqlippool.c Hmm. It could be. Patches to fix it are welcome :-) That's because xlat outputs: - 'SELECT framedipaddress FROM (select framedipaddress from radippool WHERE pool_name = 'SPW' ORDER BY dbms_random.value) where rownum = 1' sqlippool_query1: row[0] returned NULL rlm_sqlippool: ip=[] len=0 radius_xlat: 'COMMIT' rlm_sqlippool: IP number could not be allocated. - The same query on sqlplus is ok: SQL SELECT framedipaddress FROM (select framedipaddress from radippool WHERE pool_name = 'SPW' ORDER BY dbms_random.value) where rownum = 1; FRAMEDIPADDRESS -- 192.168.1.3 Now, considering that Postgres works like a breeze, how can I setup just sqlippool.conf to look in postgres, but the regular user and password queries to look in oracle? I've created a sql.conf containing oracle's confs (sql{..}) and sql2.conf containing postgres confs (sql2{...}). 
If I specify sql-instance-name = sql2 in sqlippool.conf it does not works. http://wiki.freeradius.org/Rlm_sql#Instances Just give your instances different names as the documentation says. I appreciate any help on this issue. Thanks! Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Re: UPDATED: dumb humble question about sqlippool
Nevermind the proxy issue, I've managed to circumvent it using attrs file Thanks On 10/3/06, Guilherme Franco [EMAIL PROTECTED] wrote: Mr. Peter, Thanks, I was using sql_instance2{...} instead of sql sql_instance2{...} :) Everything is working nice now with this hybrid oracle/postgresql except when I'm proxying and sqlippool won't set an IP because of 255.255.255.254 answer from the proxy server. As we talked earlier, there's no override = yes for this so I need to put Pool-Name := FOO in radreply, but even with the reply, it doesn't work. What I'm doing is convince the proxy ISP to change it's conf so it don't send me 255.255.255.254 for now. I have to thank you again for all your help! Now it's my turn to contribute, as soon as I have the time to look for, I hope to patch rlm_sqlippool.c and CVS it along with oracle.sqlippool.conf and radippool schema for oracle. Greetings On 10/3/06, Peter Nixon [EMAIL PROTECTED] wrote: On Tue 03 Oct 2006 19:29, Guilherme Franco wrote: Hello, I've installed Postgres with exactly the same configuration as Oracle's and Postgres works. Good. The only point of failure using Oracle should be in radippool Framedipaddress which is VARCHAR in Oracle but is INET in Postgres. Could be a parsing error in rlm_sqlippool.c Hmm. It could be. Patches to fix it are welcome :-) That's because xlat outputs: - 'SELECT framedipaddress FROM (select framedipaddress from radippool WHERE pool_name = 'SPW' ORDER BY dbms_random.value) where rownum = 1' sqlippool_query1: row[0] returned NULL rlm_sqlippool: ip=[] len=0 radius_xlat: 'COMMIT' rlm_sqlippool: IP number could not be allocated. 
- The same query on sqlplus is ok: SQL SELECT framedipaddress FROM (select framedipaddress from radippool WHERE pool_name = 'SPW' ORDER BY dbms_random.value) where rownum = 1; FRAMEDIPADDRESS -- 192.168.1.3 Now, considering that Postgres works like a breeze, how can I setup just sqlippool.conf to look in postgres, but the regular user and password queries to look in oracle? I've created a sql.conf containing oracle's confs (sql{..}) and sql2.conf containing postgres confs (sql2{...}). If I specify sql-instance-name = sql2 in sqlippool.conf it does not works. http://wiki.freeradius.org/Rlm_sql#Instances Just give your instances different names as the documentation says. I appreciate any help on this issue. Thanks! Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Re: dumb humble question about sqlippool
Thanks for all the answers Mr. Peter! To clarify some things: NONE of the ippool modules let you set the pool name. You HAVE to set Pool-Name = whatever as a check item The radcheck table already have Pool-Name := whatever as a attribute, op, value for all users, but that's ok because I can set it manually in sqlippool.conf and the select DOES run in the correct table then (xlat outputs correctly then and I did a network sniff that shows the query is ok). Other issue is related to multiple pools, one with dynamic IP's and other with fixed ones (actually it's not possible to do that with only just one sqlippool.conf file without modifying rlm_sqlippool.c). IT IS!! Run two copies of the module! Sorry, i meant that I think that it is not possible without loading 2 or more modules (just with one module and one sqlippool.conf) dumb question, sorry. Another thing lies in proxy - if the proxy returns IP 255.255.255.254 for me, sqlippool does not overrides it and do nothing (it doesn't have the override = yes option like ippool). This can be added. Although why would you return an IP like that when you dont need to? Just return the Pool-Name and let the module do its job. I didn't think about it, thanks. Besides that I had to remove the BEGIN statement of allocate-begin (and all other begins) because oracle does not need it, and if you need to specify begin, then it needs to be in a different way (through the sniff, I saw that the begin was stated, then 4 space chars and then a / which is the same as doing BEGIN;/ in sqlplus, generating ORA end-of-file errors) Don't know from where that / came from thought. To solve this, I had to change BEGIN in allocate-begin for commit (a normal oracle operation before any query). About the postgresql installation, I was thinking in installing it. I will do that just to see it's behaviour, thanks. THANKS A LOT AGAIN! 
On 9/29/06, Peter Nixon [EMAIL PROTECTED] wrote: On Fri 29 Sep 2006 01:02, Guilherme Franco wrote: Thank you very much for your kindness. I'm sorry, again, for posting too much questions about this. It's correct that I'm trying to put this in production as this is the only module that does not worked for me. I'm happy with dialup_admin, AAA and everything else in Oracle! The only missing thing is sqlippool :( I know that it is an experimental module and I also have limited time to work on this module as it's not for me, it's for another company. In the mean time, I'm using regular ippool db in a NFS with just 1 radius active per time (to prevent lockups). That was the only way I've managed to do ippools with 2 servers (is there any alternatives?). As you see I can't abandon oracle, nor install postgre as it would break up some dependencies with other oracle databases that we have. I'm being such a pain for you guys because the sqlippool module is almost working! If I saw that it wouldn't work at all, I would never took the time to work in it as I'm taking now :) I appreciate your concerns and as I'm out of time to deliver the solution to the client, I think I can't try sqlippool anymore. That's a shame because I'm almost there! Now that I've managed to change somethings it's doing all the selects without any errors (that return ie: ip 1.1.1.1 in sqlplus) but it's stating sqlippool_query1: row[0] returned NULL in radiusd -X ( how can it be null if the select was successful? ). It's the only [EMAIL PROTECTED] thing that is preventing the user to get an IP!! That kind of things just take time to debug... Besides that, if I don't set pool_name = name_of_the_pool in sqlippool.conf, allocate-find tries to select from ippool (wich does not exists) instead of the one I've set in radippool table. I would double check this behaviour. It should not select at all if there is no pool-name. NONE of the ippool modules let you set the pool name. 
You HAVE to set Pool-Name = whatever as a check item Other issue is related to multiple pools, one with dynamic IP's and other with fixed ones (actually it's not possible to do that with only just one sqlippool.conf file without modifying rlm_sqlippool.c). IT IS!! Run two copies of the module! Another thing lies in proxy - if the proxy returns IP 255.255.255.254 for me, sqlippool does not overrides it and do nothing (it doesn't have the override = yes option like ippool). This can be added. Although why would you return an IP like that when you dont need to? Just return the Pool-Name and let the module do its job. So, to close this out, I would REALLY LIKE to make this work and help you guys as well, but because of lack of time, the only way would do this as an enhancement to the already deployed solution for the client, thanks. Do you have sqlippool working with Postgresql?? it seems to me that you do not quite understand how
Re: dumb humble question about sqlippool
Thank you very much for your kindness. I'm sorry, again, for posting too much questions about this. It's correct that I'm trying to put this in production as this is the only module that does not worked for me. I'm happy with dialup_admin, AAA and everything else in Oracle! The only missing thing is sqlippool :( I know that it is an experimental module and I also have limited time to work on this module as it's not for me, it's for another company. In the mean time, I'm using regular ippool db in a NFS with just 1 radius active per time (to prevent lockups). That was the only way I've managed to do ippools with 2 servers (is there any alternatives?). As you see I can't abandon oracle, nor install postgre as it would break up some dependencies with other oracle databases that we have. I'm being such a pain for you guys because the sqlippool module is almost working! If I saw that it wouldn't work at all, I would never took the time to work in it as I'm taking now :) I appreciate your concerns and as I'm out of time to deliver the solution to the client, I think I can't try sqlippool anymore. That's a shame because I'm almost there! Now that I've managed to change somethings it's doing all the selects without any errors (that return ie: ip 1.1.1.1 in sqlplus) but it's stating sqlippool_query1: row[0] returned NULL in radiusd -X ( how can it be null if the select was successful? ). It's the only [EMAIL PROTECTED] thing that is preventing the user to get an IP!! That kind of things just take time to debug... Besides that, if I don't set pool_name = name_of_the_pool in sqlippool.conf, allocate-find tries to select from ippool (wich does not exists) instead of the one I've set in radippool table. Other issue is related to multiple pools, one with dynamic IP's and other with fixed ones (actually it's not possible to do that with only just one sqlippool.conf file without modifying rlm_sqlippool.c). 
Another thing lies in proxy - if the proxy returns IP 255.255.255.254 for me, sqlippool does not overrides it and do nothing (it doesn't have the override = yes option like ippool). So, to close this out, I would REALLY LIKE to make this work and help you guys as well, but because of lack of time, the only way would do this as an enhancement to the already deployed solution for the client, thanks. Thank you again! On 9/28/06, Peter Nixon [EMAIL PROTECTED] wrote: On Wed 27 Sep 2006 16:41, Guilherme Franco wrote: Hi, I know you guys must be angry with all the questions I'm posting here. In Devel-List, I found this: Is it usefull to community? (SQLIPPOOL and NASCATS) by Roman M. Bibikov on Thu, 16 Oct 2003 17:36:26 +1100. He says that created a sucessfull ip pool in Oracle (exactly what I'm trying to do) and also that developed stored functions and procedures handling in rlm_oracle (sql_runfunction() and sql_runprocedure()) I didn't found out those functions and I'm wondering if it's because of this that I can't make sqlippool work in oracle... Hi Guilherme We are not angry. We are however busy, and have limited time. Any posts you see about sqlippool prior to August 2006 do not directly relate to the sqlippool module that is in FreeRADIUS 1.1.3 (Although it may share some code.. There have been several different modules available on the net called sqlippool prior to the one that is now available as part of FreeRADIUS) The code in CVS head has been modified even futher (as you know). sqlippool is an EXPERIMENTAL module which is why it is not enabled by default. It is currently tested ONLY on Postgresql. There are currently no _known_ production deployments of (our) sqlippool on Oracle although we are happy that you are testing it and appreciate your feedback. Currently you are writing many emails to the list with CRITICAL/URGENT etc in the subject in relation to sqlippool and you are clearly trying to deploy it for production use. 
I have very clearly told you previously these issues and you KNOW that it is an experimental module!! We are trying to help you as much as we can, but we expect you to also be prepared to do testing and possibly some development yourself, otherwise please dont use EXPERIMENTAL modules, especially not in production! If you wish to have my company (Suntel Communications) develop, test and support this module for/on an Oracle version of your choice then we would be happy to do so for a fee (which we can discuss offlist without bothering everyone else) otherwise you will have to make do with the (free) support we are providing to you and everyone else via this mailing list in our spare time. Alternatively there is a list of other companies/people who would also be happy to provide you support at http://www.freeradius.org/business/ Regards -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http
Accounting issues in Oracle solved
Hello,

I had to modify oracle-dialup.conf to make accounting on/off work. In AcctSessionTime, the original query would generate an "expected NUMBER, got INTERVAL" error.

Here is the original:

    accounting_onoff_query = UPDATE ${acct_table1} SET AcctStopTime=TO_DATE('%S','-mm-dd hh24:mi:ss'), AcctSessionTime=((TO_DATE('%S','-mm-dd hh24:mi:ss') - AcctStartTime)*86400), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = %{Acct-Delay-Time:-0} WHERE AcctSessionTime=0 AND AcctStopTime IS NULL AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStartTime = TO_DATE('%S','-mm-dd hh24:mi:ss')

So I modified it to:

    accounting_onoff_query = UPDATE ${acct_table1} SET AcctStopTime=TO_DATE('%S','-mm-dd hh24:mi:ss'), AcctSessionTime=(to_number(TO_DATE('%S','-mm-dd hh24:mi:ss') - cast(AcctStartTime as date))*86400), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = %{Acct-Delay-Time:-0} WHERE AcctSessionTime=0 AND AcctStopTime IS NULL AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStartTime = TO_DATE('%S','-mm-dd hh24:mi:ss')

And it works great now.
dumb humble question about sqlippool
Hi,

I know you guys must be angry with all the questions I'm posting here.

In Devel-List, I found this: "Is it usefull to community? (SQLIPPOOL and NASCATS)" by Roman M. Bibikov on Thu, 16 Oct 2003 17:36:26 +1100.

He says that he created a successful ip pool in Oracle (exactly what I'm trying to do) and also that he developed stored functions and procedures handling in rlm_oracle (sql_runfunction() and sql_runprocedure()).

I didn't find those functions and I'm wondering if it's because of this that I can't make sqlippool work in oracle...

Thanks in advance
Re: ULTRA IMPORTANT! Proxy - Assertion failed in listen.c, line 558 error
Thank you very much!

On 9/27/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Guilherme Franco [EMAIL PROTECTED] wrote:
> > Sending duplicate proxied request to home server foo.com port 1645 - ID: 16
> > Assertion failed in listen.c, line 558
>
> This is now fixed in CVS. You'll have to do a cvs update and re-build to get the fix.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: ULTRA IMPORTANT! Proxy - Assertion failed in listen.c, line 558 error
By the way, http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/ does not work:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, [EMAIL PROTECTED] and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.
Microsoft-IIS/5.0 Server at us.freeradius.org Port 80

On 9/27/06, Guilherme Franco [EMAIL PROTECTED] wrote:
> Thank you very much!
>
> On 9/27/06, Alan DeKok [EMAIL PROTECTED] wrote:
> > Guilherme Franco [EMAIL PROTECTED] wrote:
> > > Sending duplicate proxied request to home server foo.com port 1645 - ID: 16
> > > Assertion failed in listen.c, line 558
> >
> > This is now fixed in CVS. You'll have to do a cvs update and re-build to get the fix.
> >
> > Alan DeKok.
> > --
> > http://deployingradius.com - The web site of the book
> > http://deployingradius.com/blog/ - The blog
CRITICAL! NFS/ SQLIPPOOL :~(
Hello,

I'm in a situation where I have 2 freeradius servers, working perfectly with rlm_sql_oracle (the entire AAA is done in Oracle, except the ippool).

It's not possible to have the same pool configured the same way in the 2 servers, and also it's totally out of the question to configure range1 for radius1 and range2 for radius2. I can't create the pool in the BRAS because of a limitation of itself. So, another option would be NFS with db files for the ippool module (which does not work also because of file locks).

The only option that I see is to use SQLIPPOOL, which is not working for me in Oracle. I've modified sqlippool.conf to suit Oracle's needs and even removed the 'BEGIN' section from rlm_sqlippool.c and recompiled it (because oracle does not need BEGIN and it was causing me more problems). Even then, I'm still not able to use sqlippool!

If sqlippool in oracle does not work, the only option left would be to install postgre in the same machine as oracle (horrible!).

This is the output (without BEGIN):

--
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat: ''
sqlippool_command: xlat failed.
UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', expiry_time = current_timestamp - interval '1' second(1) WHERE pool_key = '845414557'
SELECT framedipaddress FROM radippool WHERE pool_name = 'POOL' AND expiry_time current_timestamp AND ROWNUM = 1 ORDER BY (select username from radippool where username ''), (select callingstationid from radippool where callingstationid '#BRAS-01#this is a description#100#157'), expiry_time FOR UPDATE
sqlippool_query1: SQL query did not succeed
rlm_sqlippool: ip=[] len=0
radius_xlat: 'COMMIT'
COMMIT
rlm_sqlippool: IP number could not be allocated.
rlm_sql (sql): Released sql socket id: 2
rlm_sql (sql): Processing sql_postauth
radius_xlat: 'test_user'
rlm_sql (sql): sql_set_user escaped user -- 'test_user'
--

The first "sqlippool_command: xlat failed." is because I removed the begin in rlm_sqlippool.c...

This is the output (with BEGIN):

--
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat: 'BEGIN'
BEGIN
rlm_sql_oracle: execute query failed in sql_query: ORA-06550: line 1, column 5: PLS-00103: Encountered the symbol end-of-file when expecting one of the following: begin case declare exit for goto if loop mod null pragmaraise return select update while with an identifiera double-quoted delimited-identifier a bind variable close current delete fetch lock insert open rollback savepoint set sql execute commit forall merge pipe
rlm_sql_oracle: OCI_SERVER_NORMAL
sqlippool_command: database query error
UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', expiry_time = current_timestamp - interval '1' second(1) WHERE pool_key = '845414558'
SELECT framedipaddress FROM radippool WHERE pool_name = 'POOL' AND expiry_time current_timestamp AND ROWNUM = 1 ORDER BY (select username from radippool where username ''), (select callingstationid from radippool where callingstationid '#BRAS-01#this is a description#100#158'), expiry_time FOR UPDATE
sqlippool_query1: SQL query did not succeed
rlm_sqlippool: ip=[] len=0
radius_xlat: 'COMMIT'
COMMIT
rlm_sqlippool: IP number could not be allocated.
rlm_sql (sql): Released sql socket id: 2
rlm_sql (sql): Processing sql_postauth
radius_xlat: 'test_user'
rlm_sql (sql): sql_set_user escaped user -- 'test_user'
--

Can anybody help me, please?
Re: Apologies for Mr. Peter Nixon and updated sqlippool debug
Hello,

But how can my first query work if the pool-key was not saved anywhere in the database? When I do the same query without the where pool_key = something, it works:

UPDATE radippool SET nasipaddress = '', pool_key = 0,callingstationid = '', expiry_time = current_timestamp - interval '1' second(1);

4 rows updated.

SQL select * from radippool;

ID POOL_NAME NASIPADDRESS
-- -- --
1 FOO
NAS_PORT
--
EXPIRY_TIME
26-SEP-06 09.27.54 AM
---
USERNAME FRAMEDIPADDRESS
192.168.1.1
POOL_KEYCALLINGSTATIONID
--
0

Sorry, in the second query I pasted an old query earlier for you. The second query works, it is:

SQL SELECT framedipaddress FROM radippool WHERE pool_name = 'FOO' AND expiry_time current_timestamp AND ROWNUM = 1 ORDER BY (select username from radippool where username ''), (select callingstationid from radippool where callingstationid ''),expiry_time FOR UPDATE;

FRAMEDIPADDRESS
--
192.168.1.1

Thanks.

On 9/26/06, Peter Nixon [EMAIL PROTECTED] wrote:
> On Tue 26 Sep 2006 14:45, Guilherme Franco wrote:
> > Hi,
> > This is what happens:
> >
> > SQL UPDATE radippool SET nasipaddress = '', pool_key = 0,callingstationid = '', expiry_time = current_timestamp - interval '1' second(1) WHERE pool_key = '2398432';
> >
> > 0 rows updated.
> >
> > SQL SELECT framedipaddress FROM radippool WHERE pool_name = 'FOO' AND expiry_time current_timestamp AND ROWNUM = 1 ORDER BY (select username from radippool where username ''), (select callingstationid from radippool where callingstationid ''),expiry_time FOR UPDATE;
> >
> > no rows selected
>
> So there you go. You found the problem.. Why doesn't it find any rows?
>
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
debug for sqlippool
Hello! I've created a new sqlippool.conf customized for Oracle. The queries in there returns no error but I get this: modcall: entering group post-auth for request 0 Value Of the Pool-Name is [FOO] and its [3] Chars rlm_sql (sql): Reserving sql socket id: 2 radius_xlat: 'BEGIN' BEGIN rlm_sql_oracle: execute query failed in sql_query: ORA-06550: line 1, column 5: PLS-00103: Encountered the symbol end-of-file when expecting one of the following: begin case declare exit for goto if loop mod null pragmaraise return select update while with an identifiera double-quoted delimited-identifier a bind variable close current delete fetch lock insert open rollback savepoint set sql execute commit forall merge pipe rlm_sql_oracle: OCI_SERVER_NORMAL sqlippool_command: database query error radius_xlat: 'UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', expiry_time = current_timestamp - interval '1' second(1) WHERE pool_key = '845414518'' UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', expiry_time = current_timestamp - interval '1' second(1) WHERE pool_key = '845414518' radius_xlat: 'SELECT framedipaddress FROM radippool WHERE pool_name = 'SPW' AND expiry_time current_timestamp AND ROWNUM = 1 ORDER BY (select username from radippool where username ''), (select callingstationid from radippool where callingstationid '#BRAS-01#this is a description#100#118'), expiry_time FOR UPDATE' SELECT framedipaddress FROM radippool WHERE pool_name = 'SPW' AND expiry_time current_timestamp AND ROWNUM = 1 ORDER BY (select username from radippool where username ''), (select callingstationid from radippool where callingstationid '#BRAS-01#this is a description#100#118'), expiry_time FOR UPDATE So, radiusd -X just stops there (it does not quit), without any more messages (resulting in a time out for the BRAS). I know that the only place a BEGIN instance exists is in rlm_sqlippool.c. 
Even with sql_trace = yes, I can't see where this error (ORA-06550: line 1, column 5: ) is coming from. As a result I don't know what is in line 1, column 5 to fix it.

Any tips? After all this help you guys deserve to drink some beer here in Brazil :)

Thanks a lot!
Re: sqlippool not working
Hello, Unfortunately, even with freeradius-snapshot-20060920.tar.gz and using the ./configure --with-modules=rlm_sqlippool option, the module did not install. I needed again, to compile it manually from freeradius-snapshot-20060920/src/modules/rlm_sqlippool/ And then, the same problem persists: Module: Loaded SQL IP Pool sqlippool: sql-instance-name = sql sqlippool: lease-duration = 86400 sqlippool: pool-name = sqlippool: allocate-begin = BEGIN sqlippool: allocate-clear = sqlippool: allocate-find = sqlippool: allocate-update = sqlippool: allocate-commit = COMMIT sqlippool: allocate-rollback = ROLLBACK sqlippool: start-begin = BEGIN sqlippool: start-update = sqlippool: start-commit = COMMIT sqlippool: start-rollback = ROLLBACK sqlippool: alive-begin = BEGIN sqlippool: alive-update = sqlippool: alive-commit = COMMIT sqlippool: alive-rollback = ROLLBACK sqlippool: stop-begin = BEGIN sqlippool: stop-clear = sqlippool: stop-commit = COMMIT sqlippool: stop-rollback = ROLLBACK sqlippool: on-begin = BEGIN sqlippool: on-clear = sqlippool: on-commit = COMMIT sqlippool: on-rollback = ROLLBACK sqlippool: off-begin = BEGIN sqlippool: off-clear = sqlippool: off-commit = COMMIT sqlippool: off-rollback = ROLLBACK rlm_sqlippool: the 'allocate-clear' statement must be set. The following is in my radiusd.conf: $INCLUDE ${confdir}/sqlippool.conf sqlippool foo { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 override = no maximum-timeout = 0 } I didn't modified my sqlippool.conf, so it's the same as sqlipool.conf,v 1.3 2006/09/13 12:49:37 pnixon Exp $ What can it be? Also, what values should I populate in radippool table? PS. Some things left: IN configure.in (rlm_sql_oracle) checking for oci.h... configure: WARNING: PETER 1. IN oracle-dialup.conf # Optional Query - pnixon #accounting_stop_query =3D Another issue: with oracle instant_client_10_2, rlm_sql_oracle would not find it's libs, even when the required paths are configured. 
The only way that I managed to install it was copying the whole oracle folder to the freeradius server. I know that simply a matter of changing the 10.1.0.3 version and something to the new one in configure.in of rlm_sql_oracle, but I was in a rush: # Look for Oracle10g Instant Client installed from RPM if test x$ORACLE_INCLUDE = x; then old_CFLAGS=$CFLAGS AC_MSG_WARN([PETER 1.]) FR_LOCATE_DIR(oracle_include_dir,oci.h) for try in /usr/include/oracle/10.1.0.3/ THANK YOU! On 9/20/06, Peter Nixon [EMAIL PROTECTED] wrote: On Wed 20 Sep 2006 05:49, Guilherme Franco wrote: I need to thank you again and congratulate you guys for such a great support. You're welcome. Thanks for helping us make FreeRADIUS better :-) Question: Even with freeradius-snapshot-20060920.tar.gz I will need to use ./configure --with-modules=rlm_sqlippool? Yes. This is because the module is sill considered experimental and is therefore not enabled by default. If all works well, I assume that in radcheck table, the users need to have Pool-Name := test_pool right? Yes. You need to tell FreeRADIUS which pool (if any) to use for that user. With sqlippool there is effectively no limit on the number of pools you may have configured (Only limit is disk space on your SQL server and IP space on your network) Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ULTRA IMPORTANT! Proxy - Assertion failed in listen.c, line 558 error
Hi,

Please, this is a very important problem that is affecting thousands of customers of mine:

I have 2 realms for sending proxy requests (foo.com and bar.net). If the proxy server foo.com goes down (for whatever reason) this happens:

rad_recv: Access-Request packet from host 192.168.1.1 port 1385, id=21, length=60
    User-Name = [EMAIL PROTECTED]
    User-Password = password
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 20
rlm_realm: Looking up realm foo.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm foo.com
rlm_realm: Proxying request from user user to realm foo.com
rlm_realm: Adding Realm = foo.com
rlm_realm: Preparing to proxy authentication request to realm foo.com
rlm_eap: No EAP-Message, not doing EAP
modcall: group authorize returns noop for request 20
Sending Access-Request of id 16 to foo.com port 1645
    User-Name = [EMAIL PROTECTED]
    User-Password = password
    NAS-IP-Address = 192.168.1.1
    Proxy-State = 0x3231
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.1 port 1385, id=21, length=60
Sending duplicate proxied request to home server foo.com port 1645 - ID: 16
Assertion failed in listen.c, line 558
Aborted

Then my radiusd dies and I need to bring it up again.

This is incredibly critical because if domain foo.com dies, my freeradius server dies too, and in consequence, I can't proxy requests to bar.net (which has more than 21.000,00 users!)

Thanks!
Re: ULTRA IMPORTANT! Proxy - Assertion failed in listen.c, line 558 error
Sorry Mr. Alan, for not answering the HUP question before. No, I'm not HUP'ing the server.

The server is a minimal RHEL AS 4 r3 installation, only with gcc added. Nothing installed except freeradius-snapshot-20060920.

Is there any other way to generate core dumps without reinstalling freeradius with ./configure --enable-developer? If not, it will take only a couple of minutes to get it recompiled again.

Thank you!

On 9/20/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco [EMAIL PROTECTED] wrote:

If the proxy server foo.com goes down (for whatever reason) this happens:
...
Sending duplicate proxied request to home server foo.com port 1645 - ID: 16
Assertion failed in listen.c, line 558

Are you sure you're not HUP'ing the server? I asked that before, and you didn't respond. The current CVS code has an issue where it doesn't deal well with HUPs. I've been planning on addressing it for a while, but maybe now is the time to look at it.

And can you get a core file? That may help. See doc/bugs.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: sqlippool not working
Thanks, that's ok now. I removed the block as you said and now it shows the queries. I had added those block earlier because I've seen this configuration from another post as a working sqlippool configuration... Now, if netmask does not exist, nor range-start - range-stop, how can I specify that in radippool? Please remember that I'm using Oracle and it does not have inet like postgres, so I've created the tables like this: CREATE TABLE radippool ( id INT PRIMARY KEY, pool_nameVARCHAR(30) NOT NULL, framedipaddress VARCHAR(30) NOT NULL, nasipaddress VARCHAR(30) NOT NULL, nas_port INT NOT NULL, calling_station_id VARCHAR(30) NOT NULL, expiry_time timestamp(0) NOT NULL, username VARCHAR(100) ); CREATE INDEX radippool_poolname_ipaadr ON radippool (pool_name, framedipaddress); CREATE INDEX radippool_poolname_expire ON radippool (pool_name, expiry_time); CREATE INDEX radippool_nasipaddr_port ON radippool (nas_ip_address, nas_port); CREATE INDEX radippool_nasipaddr_calling ON radippool (nas_ip_address, calling_station_id); CREATE SEQUENCE radippool_seq START WITH 1 INCREMENT BY 1; CREATE OR REPLACE TRIGGER radippool_serialnumber BEFORE INSERT OR UPDATE OF id ON radippool FOR EACH ROW BEGIN if ( :new.id = 0 or :new.id is null ) then SELECT radippool_seq.nextval into :new.id from dual; end if; END; / How can I use this, please? Sorry for bothering about everything, but everytime I have a question, I first search through the entire freeradius maillist, man pages, docs as well as thoroughly in google. The problem is that usually I don't find much information about those things, so I come back here to ask. Thanks a lot! On 9/20/06, Tuyan Ozipek [EMAIL PROTECTED] wrote: On Wed, 2006-09-20 at 14:14 -0300, Guilherme Franco wrote: Hello, Unfortunately, even with freeradius-snapshot-20060920.tar.gz and using the ./configure --with-modules=rlm_sqlippool option, the module did not install. 
I needed again, to compile it manuallyThe following is in my radiusd.conf: $INCLUDE ${confdir}/sqlippool.conf get rid of this block, since there is no need for range,netmask,cache-size,override,timeout... in sqlipoool.. --- sqlippool foo { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 override = no maximum-timeout = 0 } you are missing the first pools trace in the messages and all youre seeing is the misconfiguration on the second sqlippool instance.. just keep the $INCLUDE directive, and remove the rest.. there is already an ippool configured in the sqlippool.conf file.. Cheers Tuyan freeradius-snapshot-20060920/src/modules/rlm_sqlippool/ And then, the same problem persists: Module: Loaded SQL IP Pool sqlippool: sql-instance-name = sql sqlippool: lease-duration = 86400 sqlippool: pool-name = sqlippool: allocate-begin = BEGIN sqlippool: allocate-clear = sqlippool: allocate-find = sqlippool: allocate-update = sqlippool: allocate-commit = COMMIT sqlippool: allocate-rollback = ROLLBACK sqlippool: start-begin = BEGIN sqlippool: start-update = sqlippool: start-commit = COMMIT sqlippool: start-rollback = ROLLBACK sqlippool: alive-begin = BEGIN sqlippool: alive-update = sqlippool: alive-commit = COMMIT sqlippool: alive-rollback = ROLLBACK sqlippool: stop-begin = BEGIN sqlippool: stop-clear = sqlippool: stop-commit = COMMIT sqlippool: stop-rollback = ROLLBACK sqlippool: on-begin = BEGIN sqlippool: on-clear = sqlippool: on-commit = COMMIT sqlippool: on-rollback = ROLLBACK sqlippool: off-begin = BEGIN sqlippool: off-clear = sqlippool: off-commit = COMMIT sqlippool: off-rollback = ROLLBACK rlm_sqlippool: the 'allocate-clear' statement must be set. 
The following is in my radiusd.conf: $INCLUDE ${confdir}/sqlippool.conf sqlippool foo { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 override = no maximum-timeout = 0 } I didn't modified my sqlippool.conf, so it's the same as sqlipool.conf,v 1.3 2006/09/13 12:49:37 pnixon Exp $ What can it be? Also, what values should I populate in radippool table? PS. Some things left: IN configure.in (rlm_sql_oracle) checking for oci.h... configure: WARNING: PETER 1. IN oracle-dialup.conf # Optional Query - pnixon #accounting_stop_query =3D Another issue: with oracle instant_client_10_2, rlm_sql_oracle would
Re: ULTRA IMPORTANT! Proxy - Assertion failed in listen.c, line 558 error
Hello,

Because I need the sqlippool. I was using 1.1.2 and when 1.1.3 was released, I was in a rush to deliver a working environment to the client. 1.1.3 broke some things for me. Because of that I started to use CVS nightly builds. Until now, no other problem has appeared besides the listen.c one.

Thanks.

On 9/20/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi,

Nothing installed except freeradius-snapshot-20060920.

critical service for thousands of users and you're using a developmental snapshot version? What about using a standard release, eg 1.1.3 ?

alan
Re: sqlippool not working
Thanks, I used that broken config because it was stated in freeradius user list as Sucsessfully installed rlm_sqlippool from Alfred H. Dahl in Tue, 8 Feb 2005 20:58:34 +0100. I did read the docs. I only didn't know how could I specify 192.168.1.1/28, if I do not have inet, but that's ok. Thanks everybody, I'm going to test all until it works now! Case closed, thanks. On 9/20/06, Peter Nixon [EMAIL PROTECTED] wrote: On Wed 20 Sep 2006 23:32, Guilherme Franco wrote: Thanks, that's ok now. I removed the block as you said and now it shows the queries. I had added those block earlier because I've seen this configuration from another post as a working sqlippool configuration... OK. Well, if you had just used the existing config files instead of adding your own broken config it would have worked all along :-) Now, if netmask does not exist, nor range-start - range-stop, how can I specify that in radippool? You do not! As doc/rlm_sqlippool states: The initialization of the radippool table is left to the user instead of being handled inside the module. This allows pool management to be done from any sql capable programming language and pools can be created, resized, deleted at run time without radiusd needing to be restarted. The only required fields are, pool_name and ip_address. A pool consists of one or more rows in the table with the same pool_name and a different ip_address. The is no restriction on which ip addresses/ranges may be in the same pool, and addresses do not need to be concurrent. The fact that you are asking this means that you did NOT read the docs :-) Please remember that I'm using Oracle and it does not have inet like postgres, so I've created the tables like this: You are going to have to work out the oracle specifics yourself but the structure you have looks ok to me. The INET type is not necessary, although it IS more efficient. 
Cheers

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
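The allocation sequence discussed in these sqlippool threads (populate the pool as one row per address, then clear, find and update inside one transaction), as an added example that is not part of the original posts and is not FreeRADIUS code. SQLite stands in for Oracle, column names follow the queries quoted in the thread, and the `allocate-update` statement, the function names, the integer timestamps and the sample rows are assumptions. It shows that `allocate-clear` matching 0 rows is the normal result for a pool key that holds no lease yet.

```python
import sqlite3

# Constructed sample pool: rows share a pool_name, one row per address,
# and the addresses do not have to be contiguous.
POOL_ROWS = [("FOO", "192.168.1.1"), ("FOO", "192.168.1.2"), ("FOO", "10.9.0.7")]


def make_pool(rows=POOL_ROWS):
    """Create an in-memory radippool table and load the pool rows."""
    # isolation_level=None: autocommit, so BEGIN/COMMIT are issued explicitly,
    # the way the module's *-begin / *-commit statements are.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute(
        """CREATE TABLE radippool (
               id               INTEGER PRIMARY KEY,
               pool_name        TEXT NOT NULL,
               framedipaddress  TEXT NOT NULL,
               nasipaddress     TEXT NOT NULL DEFAULT '',
               pool_key         TEXT NOT NULL DEFAULT '0',
               callingstationid TEXT NOT NULL DEFAULT '',
               expiry_time      INTEGER NOT NULL DEFAULT 0,
               username         TEXT DEFAULT '')"""
    )
    db.executemany(
        "INSERT INTO radippool (pool_name, framedipaddress) VALUES (?, ?)", rows
    )
    return db


def allocate(db, pool_name, pool_key, nas_ip, calling_station, username,
             now, lease=86400):
    """Run clear -> find -> update; return (address or None, rows_cleared)."""
    # BEGIN IMMEDIATE takes the write lock up front, standing in for the
    # row lock that SELECT ... FOR UPDATE takes on Oracle or PostgreSQL.
    db.execute("BEGIN IMMEDIATE")
    try:
        # allocate-clear: expire whatever this pool_key still holds.
        # On a first allocation there is nothing to release: 0 rows.
        cleared = db.execute(
            "UPDATE radippool SET nasipaddress = '', pool_key = '0', "
            "callingstationid = '', expiry_time = ? WHERE pool_key = ?",
            (now - 1, pool_key),
        ).rowcount

        # allocate-find: the longest-expired address in the requested pool.
        row = db.execute(
            "SELECT id, framedipaddress FROM radippool "
            "WHERE pool_name = ? AND expiry_time < ? "
            "ORDER BY expiry_time, id LIMIT 1",
            (pool_name, now),
        ).fetchone()
        if row is None:
            db.execute("COMMIT")  # pool exhausted; this example keeps the clear
            return None, cleared

        # allocate-update (assumed statement): record the new lease holder.
        db.execute(
            "UPDATE radippool SET nasipaddress = ?, pool_key = ?, "
            "callingstationid = ?, username = ?, expiry_time = ? WHERE id = ?",
            (nas_ip, pool_key, calling_station, username, now + lease, row[0]),
        )
        db.execute("COMMIT")
        return row[1], cleared
    except Exception:
        db.execute("ROLLBACK")
        raise


if __name__ == "__main__":
    pool = make_pool()
    # Constructed pool keys; timestamps are plain integers for readability.
    print(allocate(pool, "FOO", "key-a", "192.0.2.1", "cs-a", "alice", now=1000))
    print(allocate(pool, "FOO", "key-a", "192.0.2.1", "cs-a", "alice", now=1002))
```

Because the find step filters on `pool_name` and on an expiry time in the past, a pool whose rows were never inserted, or whose rows all carry a future `expiry_time`, returns no address even though every statement executes without error.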
Oracle conf Attached: sqlippool not working
Hi Mr. Peter, Like you told me before, you did some cleanups in the sqlippool.conf. Well, I've tried to install todays freeradius CVS, and it installed without the sqlippool module, don't know why. So, I've compiled it manually from freeradius-snapshot-20060918/src/modules/rlm_sqlippool/ OK, but when I run radiusd -X, I got this in the end, regardless of my configuration in sqlippool.conf and radiusd.conf: Module: Loaded SQL IP Pool sqlippool: sql-instance-name = sql sqlippool: lease-duration = 86400 sqlippool: pool-name = sqlippool: allocate-begin = BEGIN sqlippool: allocate-clear = sqlippool: allocate-find = sqlippool: allocate-update = sqlippool: allocate-commit = COMMIT sqlippool: allocate-rollback = ROLLBACK sqlippool: start-begin = BEGIN sqlippool: start-update = sqlippool: start-commit = COMMIT sqlippool: start-rollback = ROLLBACK sqlippool: alive-begin = BEGIN sqlippool: alive-update = sqlippool: alive-commit = COMMIT sqlippool: alive-rollback = ROLLBACK sqlippool: stop-begin = BEGIN sqlippool: stop-clear = sqlippool: stop-commit = COMMIT sqlippool: stop-rollback = ROLLBACK sqlippool: on-begin = BEGIN sqlippool: on-clear = sqlippool: on-commit = COMMIT sqlippool: on-rollback = ROLLBACK sqlippool: off-begin = BEGIN sqlippool: off-clear = sqlippool: off-commit = COMMIT sqlippool: off-rollback = ROLLBACK rlm_sqlippool: the 'allocate-clear' statement must be set. 
My radiusd.conf:

sqlippool testpool {
    $INCLUDE ${confdir}/sqlippool.conf
    sql-server == x.x.x.x
    sql-login == foo
    sql-password == foo
    sql-db == foo
    range-start == 1.1.1.1
    range-stop == 1.1.1.100
    netmask == 255.255.255.0
    lease-duration == 86400
}

My DB:

CREATE TABLE radippool (
    id INT PRIMARY KEY,
    pool_name VARCHAR(30) NOT NULL,
    framedipaddress VARCHAR(30) NOT NULL,
    nasipaddress VARCHAR(30) NOT NULL,
    nas_port INT NOT NULL,
    calling_station_id VARCHAR(30) NOT NULL,
    expiry_time timestamp(0) NOT NULL,
    username VARCHAR(100)
);

with all the sequences, indexes and triggers included.

It's not even trying to access the Oracle server. What can it be?

Thanks!
ERROR! Proxy listen.c error
Indeed, but it's happening, and now, even with ADSL modem, as you can see in the radiusd -X output below:

This occurs if user mistypes password or if the realm server is down:

rad_recv: Access-Request packet from host 192.168.1.1 port 1385, id=21, length=60
    User-Name = [EMAIL PROTECTED]
    User-Password = password
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 20
rlm_realm: Looking up realm realm.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm realm.com
rlm_realm: Proxying request from user user to realm realm.com
rlm_realm: Adding Realm = realm.com
rlm_realm: Preparing to proxy authentication request to realm realm.com
rlm_eap: No EAP-Message, not doing EAP
modcall: group authorize returns noop for request 20
Sending Access-Request of id 16 to 192.168.1.2 port 1645
    User-Name = [EMAIL PROTECTED]
    User-Password = password
    NAS-IP-Address = 192.168.1.1
    Proxy-State = 0x3231
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.1 port 1385, id=21, length=60
Sending duplicate proxied request to home server 192.168.1.2 port 1645 - ID: 16
Assertion failed in listen.c, line 558
Aborted

Thanks.

Guilherme Franco guilhermefranco at gmail.com wrote:

I was worried about this, but when I tested with the user authenticating from an ADSL modem, there are no problems. So, might be just another of ERX's crazy behaviors.

Still... it shouldn't kill the server.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Matter of Life and Death - SQL and Proxy
Hello,

I work in a Carrier and have an important question regarding SQL query check:

I need to check a value in authorize_check_query (oracle-dialup.conf) to see if the user has paid his ADSL service. If he did pay the service, the request would be proxied to the ISP radius to authenticate the user, otherwise, the access needs to be rejected.

So, the query would be checked like that:

authorize_check_query = SELECT id,UserName,Attribute,Value,op,PAID FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' AND PAID = 'YES' ORDER BY id

The problem is, if PAID != YES, the user is not found by the SELECT (correctly) but the request is still proxied to the ISP (normal proxy behaviour).

What can I do to reject the request and not proxy it? Please help!

Thank you.
Re: sqlippool not working
Gentlemen, Thank you very much for lending me your time. I'm downloading freeradius-snapshot-20060919.tar.gz right now. Yes, my allocate-clear is configured exactly as Tuyan's and that's why I stated before that regardless of my configuration in sqlippool.conf and radiusd.conf the trace is always empty. For example, if in sqlippool.conf I set sql-instance-name = foobar, the output of radiusd -X is always: Module: Loaded SQL IP Pool sqlippool: sql-instance-name = sql That's OK, I'm using the regular ippool in radiusd.conf for now and it works great when in table radcheck the values of the username are Pool-Name := test_pool. I'm going to compile the latest build and see if it works. P.S: Tuyan, do you run sqlippool in production using ORACLE? Because I'm using Oracle 10g r2 64-bit and it does not work for now. Thank you very much! On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote: It turns out that sqlippool.conf was in the Makefile for 1.1.x but not for CVS head. It didnt affect us because we use an rpm. Guilherme can you please test a new cvs checkout? Also, because sqlippool is still experimental you need to explicitly enable it with ./configure --with-modules=rlm_sqlippool Cheers Peter On Tue 19 Sep 2006 17:44, Tuyan Ozipek wrote: Hi Peter, When i installed (compiled from source) the freeradius-snapshot-20060918 tarball, the only missing thing was the sqlippool.conf file (which i copied from some other test environment). Since sqlippool module is not(yeah, we run it on production happily for sometime..) considered stable yet, we do not build it by default.(Lets check sqlippool.conf file installation in the makefiles tho.) I am running it now on my development machine with no problems. The only thing possible is there is some type of typo in the config file that Guilherme Franco is using. also, trace shows that there is no allocate-clear statement set for sqlippool to use. here is the allocate-clear statement that i used for my test.. 
allocate-clear = UPDATE radippool \ SET nasipaddress = '', pool_key = 0, callingstationid = '', \ expiry_time = 'now'::timestamp(0) - '1 second'::interval \ WHERE pool_key = '${pool-key}' Regards On Tue, 2006-09-19 at 00:27 +0300, Peter Nixon wrote: -- Forwarded Message -- Subject: sqlippool not working Date: Mon 18 Sep 2006 23:40 From: Guilherme Franco [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Hi Peter, Like you told me before, you did some cleanups in the sqlippool.conf. Well, I've tried to install todays freeradius CVS, and it installed without the sqlippool module, don't know why. So, I've compiled it manually from freeradius-snapshot-20060918/src/modules/rlm_sqlippool/ OK, but when I run radiusd -X, I got this in the end, regardless of my configuration in sqlippool.conf and radiusd.conf: Module: Loaded SQL IP Pool sqlippool: sql-instance-name = sql sqlippool: lease-duration = 86400 sqlippool: pool-name = sqlippool: allocate-begin = BEGIN sqlippool: allocate-clear = sqlippool: allocate-find = sqlippool: allocate-update = sqlippool: allocate-commit = COMMIT sqlippool: allocate-rollback = ROLLBACK sqlippool: start-begin = BEGIN sqlippool: start-update = sqlippool: start-commit = COMMIT sqlippool: start-rollback = ROLLBACK sqlippool: alive-begin = BEGIN sqlippool: alive-update = sqlippool: alive-commit = COMMIT sqlippool: alive-rollback = ROLLBACK sqlippool: stop-begin = BEGIN sqlippool: stop-clear = sqlippool: stop-commit = COMMIT sqlippool: stop-rollback = ROLLBACK sqlippool: on-begin = BEGIN sqlippool: on-clear = sqlippool: on-commit = COMMIT sqlippool: on-rollback = ROLLBACK sqlippool: off-begin = BEGIN sqlippool: off-clear = sqlippool: off-commit = COMMIT sqlippool: off-rollback = ROLLBACK rlm_sqlippool: the 'allocate-clear' statement must be set. It's not even trying to access the Oracle server. What can it be? Thanks! 
--- -- Peter Nixon mailto:[EMAIL PROTECTED] Chief Technologist Suntel Communicationshttp://www.suntel.com.tr TR tel:+902123369299 US tel:+13103177825 UK tel:+448700685002 VoIP sip:[EMAIL PROTECTED] IM jabber:[EMAIL PROTECTED] Absolutum obsoletum. (If it works, it's out of date.) -- Stafford Beer -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: sqlippool not working
Thank you. That's the problem, I have 2 RADIUS servers working concurrently. If I set one ippool in server1, server2 needs another ippool with another range, and that's a grand problem. This is why I need sqlippool. I'm going to test freeradius-snapshot-20060920.tar.gz and see if it works. Is there any other way to success with 2 radius servers (other than creating the pool in the BRAS)? I'm kinda stuck here with this. Thank you very much. On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote: Hi Guilherme A couple of things. I just updated the cvs so freeradius-snapshot-20060919.tar.gz is not current enough. You need to get freeradius-snapshot-20060920.tar.gz once it is rolled latter tonight, or get the latest code from the repository using cvs Secondly, Tuyan works together with me. All of our production deployments of sqlippool are currently on Postgresql although we do plan on deploying on Oracle for some customers in future (After we have finished code development on sqlippool) Thirdly if you have only one RADIUS server and only one ippool then using rlm_ippool is probably the way to go. If you have more than one RADIUS server then you definately need a centralised database (which sqlippool allows). If you have many ippools then sqlippool also allows you to modify them on the fly without a service restart. Cheers Peter On Tue 19 Sep 2006 21:58, you wrote: Gentlemen, Thank you very much for lending me your time. I'm downloading freeradius-snapshot-20060919.tar.gz right now. Yes, my allocate-clear is configured exactly as Tuyan's and that's why I stated before that regardless of my configuration in sqlippool.conf and radiusd.conf the trace is always empty. 
For example, if in sqlippool.conf I set sql-instance-name = foobar, the output of radiusd -X is always: Module: Loaded SQL IP Pool sqlippool: sql-instance-name = sql That's OK, I'm using the regular ippool in radiusd.conf for now and it works great when in table radcheck the values of the username are Pool-Name := test_pool. I'm going to compile the latest build and see if it works. P.S: Tuyan, do you run sqlippool in production using ORACLE? Because I'm using Oracle 10g r2 64-bit and it does not work for now. Thank you very much! On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote: It turns out that sqlippool.conf was in the Makefile for 1.1.x but not for CVS head. It didnt affect us because we use an rpm. Guilherme can you please test a new cvs checkout? Also, because sqlippool is still experimental you need to explicitly enable it with ./configure --with-modules=rlm_sqlippool Cheers Peter On Tue 19 Sep 2006 17:44, Tuyan Ozipek wrote: Hi Peter, When i installed (compiled from source) the freeradius-snapshot-20060918 tarball, the only missing thing was the sqlippool.conf file (which i copied from some other test environment). Since sqlippool module is not(yeah, we run it on production happily for sometime..) considered stable yet, we do not build it by default.(Lets check sqlippool.conf file installation in the makefiles tho.) I am running it now on my development machine with no problems. The only thing possible is there is some type of typo in the config file that Guilherme Franco is using. also, trace shows that there is no allocate-clear statement set for sqlippool to use. here is the allocate-clear statement that i used for my test.. 
allocate-clear = UPDATE radippool \ SET nasipaddress = '', pool_key = 0, callingstationid = '', \ expiry_time = 'now'::timestamp(0) - '1 second'::interval \ WHERE pool_key = '${pool-key}' Regards On Tue, 2006-09-19 at 00:27 +0300, Peter Nixon wrote: -- Forwarded Message -- Subject: sqlippool not working Date: Mon 18 Sep 2006 23:40 From: Guilherme Franco [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Hi Peter, Like you told me before, you did some cleanups in the sqlippool.conf. Well, I've tried to install todays freeradius CVS, and it installed without the sqlippool module, don't know why. So, I've compiled it manually from freeradius-snapshot-20060918/src/modules/rlm_sqlippool/ OK, but when I run radiusd -X, I got this in the end, regardless of my configuration in sqlippool.conf and radiusd.conf: Module: Loaded SQL IP Pool sqlippool: sql-instance-name = sql sqlippool: lease-duration = 86400 sqlippool: pool-name = sqlippool: allocate-begin = BEGIN sqlippool: allocate-clear = sqlippool: allocate-find = sqlippool: allocate-update = sqlippool: allocate-commit = COMMIT sqlippool: allocate-rollback = ROLLBACK sqlippool: start-begin = BEGIN sqlippool: start-update = sqlippool: start-commit = COMMIT sqlippool: start-rollback
Re: Matter of Life and Death - SQL and Proxy
Thank you very much, I will test it out. In the meantime I figured out to use radgroupcheck with values Auth-Type=Reject and some users associated to that usergroup.

Thanks again!

06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco [EMAIL PROTECTED] wrote:

The problem is, If PAID != YES, the user is not found by the SELECT (correctly) but the request is still proxied to the ISP (normal proxy behaviour). What can I do to reject the request and not proxy it?

Configure an SQL module instance *just* for this query. See doc/configurable_failover for an example sql sql1

Let's call this module is_paid. See doc/configurable_failover again for what to do on module return codes.

Then in the authorize section, do:

...
is_paid {
    notfound = reject
}
...

This will make the user be rejected if they are not paid up.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: sqlippool not working
Yes, that's true. Unfortunately, the IT area developed software that creates users in a GUI, and then those users go to Oracle. The application would also create and manage ip-pools (just like a Dialup admin). Because of that, I desperately need sqlippool in Oracle. Can't be done in the BRAS manually then.

Thanks.

On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote:

If you can (i.e. if you control the NAS equipment) then I recommend you create your dynamic pools there and only assign static IPs from RADIUS, as a NAS will ALWAYS be better at knowing who is connected to it than RADIUS will. In the case where you do not control the NAS equipment, then RADIUS-based IP pools come to the rescue.

Cheers
Peter

On Tue 19 Sep 2006 22:55, you wrote:

Thank you. That's the problem, I have 2 RADIUS servers working concurrently. If I set one ippool in server1, server2 needs another ippool with another range, and that's a grand problem. This is why I need sqlippool. I'm going to test freeradius-snapshot-20060920.tar.gz and see if it works. Is there any other way to succeed with 2 radius servers (other than creating the pool in the BRAS)? I'm kinda stuck here with this.

Thank you very much.

On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote:

Hi Guilherme

A couple of things. I just updated the cvs so freeradius-snapshot-20060919.tar.gz is not current enough. You need to get freeradius-snapshot-20060920.tar.gz once it is rolled later tonight, or get the latest code from the repository using cvs.

Secondly, Tuyan works together with me. All of our production deployments of sqlippool are currently on Postgresql although we do plan on deploying on Oracle for some customers in future (after we have finished code development on sqlippool).

Thirdly, if you have only one RADIUS server and only one ippool then using rlm_ippool is probably the way to go. If you have more than one RADIUS server then you definitely need a centralised database (which sqlippool allows). If you have many ippools then sqlippool also allows you to modify them on the fly without a service restart.

Cheers
Peter

On Tue 19 Sep 2006 21:58, you wrote:

Gentlemen,

Thank you very much for lending me your time. I'm downloading freeradius-snapshot-20060919.tar.gz right now. Yes, my allocate-clear is configured exactly as Tuyan's and that's why I stated before that regardless of my configuration in sqlippool.conf and radiusd.conf the trace is always empty. For example, if in sqlippool.conf I set sql-instance-name = foobar, the output of radiusd -X is always:

    Module: Loaded SQL IP Pool
    sqlippool: sql-instance-name = sql

That's OK, I'm using the regular ippool in radiusd.conf for now and it works great when in table radcheck the values of the username are Pool-Name := test_pool. I'm going to compile the latest build and see if it works.

P.S: Tuyan, do you run sqlippool in production using ORACLE? Because I'm using Oracle 10g r2 64-bit and it does not work for now.

Thank you very much!

On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote:

It turns out that sqlippool.conf was in the Makefile for 1.1.x but not for CVS head. It didn't affect us because we use an rpm. Guilherme, can you please test a new cvs checkout? Also, because sqlippool is still experimental you need to explicitly enable it with

    ./configure --with-modules=rlm_sqlippool

Cheers
Peter

On Tue 19 Sep 2006 17:44, Tuyan Ozipek wrote:

Hi Peter,

When I installed (compiled from source) the freeradius-snapshot-20060918 tarball, the only missing thing was the sqlippool.conf file (which I copied from some other test environment). Since the sqlippool module is not (yeah, we run it on production happily for some time..) considered stable yet, we do not build it by default. (Let's check sqlippool.conf file installation in the makefiles tho.) I am running it now on my development machine with no problems. The only thing possible is there is some type of typo in the config file that Guilherme Franco is using. Also, the trace shows that there is no allocate-clear statement set for sqlippool to use. Here is the allocate-clear statement that I used for my test:

    allocate-clear = UPDATE radippool \
        SET nasipaddress = '', pool_key = 0, callingstationid = '', \
        expiry_time = 'now'::timestamp(0) - '1 second'::interval \
        WHERE pool_key = '${pool-key}'

Regards

On Tue, 2006-09-19 at 00:27 +0300, Peter Nixon wrote:

-- Forwarded Message --
Subject: sqlippool not working
Date: Mon 18 Sep 2006 23:40
From: Guilherme Franco [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Hi
Re: sqlippool not working
I need to thank you again and congratulate you guys for such great support.

Question: Even with freeradius-snapshot-20060920.tar.gz I will need to use ./configure --with-modules=rlm_sqlippool? If all works well, I assume that in radcheck table, the users need to have Pool-Name := test_pool right?

Thanks a lot.

On 9/19/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Wed 20 Sep 2006 01:51, Tuyan Ozipek wrote:

Hi everybody,

Sorry for not being able to cc to radius-users list. I will be on the list as soon as possible.

Gentlemen, Thank you very much for lending me your time.

That's ok. Thank you for testing the software...

I'm downloading freeradius-snapshot-20060919.tar.gz right now. Yes, my allocate-clear is configured exactly as Tuyan's and that's why I stated before that regardless of my configuration in sqlippool.conf and radiusd.conf the trace is always empty. For example, if in sqlippool.conf I set sql-instance-name = foobar, the output of radiusd -X is always:

    Module: Loaded SQL IP Pool
    sqlippool: sql-instance-name = sql

There should be something wrong with your sqlippool.conf file, are you sure you are including the right one from the main radius configuration file? All the variables that we see in your trace are the default ones. Basically we are putting them in case there is no value set for that variable. For example: if there is no sql-instance-name set in your sqlippool.conf file, we set it as sql internally. Please double check your include paths for the sqlippool.conf file. Are there any sqlippool { } directives hanging around in your radiusd.conf? Maybe a clean install with ./configure --prefix=/xxx/xxx can help you to find the config problem as well.

My guess is that his problem is caused by the way he built sqlippool:

Well, I've tried to install today's freeradius CVS, and it installed without the sqlippool module, don't know why. So, I've compiled it manually from freeradius-snapshot-20060918/src/modules/rlm_sqlippool/

If he does a clean install from tonight's cvs I think everything will work as expected.

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: ERROR! Proxy listen.c error
Hello, Mr. DeKok,

I've figured out that this problem only appears if I do a test aaa ppp user password from Juniper's ERX (and only if proxying is used). I was worried about this, but when I tested with the user authenticating from an ADSL modem, there are no problems. So, might be just another of ERX's crazy behaviors.

Thanks!

On 9/18/06, Alan DeKok [EMAIL PROTECTED] wrote:

Guilherme Franco [EMAIL PROTECTED] wrote:

Using Proxy, when user mistypes the password, radiusd -X crashes with Assertion failed in listen.c, line 558

I don't see that here... Are you HUP'ing the server?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Fwd: VSA does not work when using PROXY
Hello,

I've just managed to make it work using := instead of == in attrs file. :)

-- Forwarded message --
From: Guilherme Franco [EMAIL PROTECTED]
Date: Sep 15, 2006 3:51 PM
Subject: VSA does not work when using PROXY
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Hello,

Please Help! Using latest CVS - Proxy-Radius does not pass the VSA, as below (in users):

    DEFAULT Pool-Name := test
            X-Ascend-Client-Primary-DNS = x.x.x.x,
            X-Ascend-Client-Assign-DNS = 1,
            ERX-Virtual-Router-Name = default,
            Framed-Routing == None,
            Framed-Protocol = PPP,
            Service-Type = Framed-User

note: those VSAs work correctly when I try with local users (no proxy):

In attrs file:

    realm
            Service-Type == Framed-User,
            Framed-Protocol == PPP,
            X-Ascend-Client-Primary-DNS == x.x.x.x,
            X-Ascend-Client-Assign-DNS == 1,
            ERX-Virtual-Router-Name == default,
            Idle-Timeout = 600,
            Session-Timeout = 28800

Output:

    rad_recv: Access-Request packet from host x.x.x.x port 5, id=55, length=251
        User-Password = xxx
        User-Name = [EMAIL PROTECTED]
        Acct-Session-Id = erx atm 3/2.42:100.221:0009437817
        Service-Type = Framed-User
        Framed-Protocol = PPP
        ERX-Pppoe-Description = pppoe 12:34:56:78:9a:bc
        Calling-Station-Id = #BRAS-01#this is a description#100#221
        Connect-Info = speed:UBR:12000
        NAS-Port-Type = xDSL
        NAS-Port = 845414621
        NAS-Port-Id = atm 3/2.42:100.221
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = BRAS-01
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    rlm_realm: Looking up realm realm for User-Name = xxx
    rlm_realm: Found realm realm
    rlm_realm: Adding Stripped-User-Name = xxx
    rlm_realm: Proxying request from user xxx to realm realm
    rlm_realm: Adding Realm = realm
    rlm_realm: Preparing to proxy authentication request to realm realm
    rlm_eap: No EAP-Message, not doing EAP
    users: Matched entry DEFAULT at line 194
    modcall: group authorize returns noop for request 0
    Sending Access-Request of id 155 to x.x.x.x port 1645
        User-Password = xxx
        User-Name = xxx
        Acct-Session-Id = erx atm 3/2.42:100.221:0009437817
        Service-Type = Framed-User
        Framed-Protocol = PPP
        ERX-Pppoe-Description = pppoe 12:34:56:78:9a:bc
        Calling-Station-Id = #BRAS-01#this is a description#100#221
        Connect-Info = speed:UBR:12000
        NAS-Port-Type = xDSL
        NAS-Port = 845414621
        NAS-Port-Id = atm 3/2.42:100.221
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = BRAS-01
        Proxy-State = 0x3535
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    rad_recv: Access-Accept packet from host x.x.x.x port 1645, id=155, length=60
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Framed-MTU = 576
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Proxy-State = 0x3535
    Processing the post-proxy section of radiusd.conf
    modcall: entering group post-proxy for request 0
    attr_filter: Matched entry realm at line 52
    modcall: group post-proxy returns noop for request 0
    authorize: Skipping authorize in post-proxy stage
    rad_check_password: Found Auth-Type
    rad_check_password: Auth-Type = Accept, accepting the user
    Processing the post-auth section of radiusd.conf
    modcall: entering group post-auth for request 0
    radius_xlat: 'x.x.x.x 845414621'
    rlm_ippool: MD5 on 'key' directive maps to: 6e4d4f13b0396f83e15609738a3bc036
    rlm_ippool: Searching for an entry for key: '6e4d4f13b0396f83e15609738a3bc036'
    rlm_ippool: Allocating ip to key: '6e4d4f13b0396f83e15609738a3bc036'
    rlm_ippool: num: 1
    rlm_ippool: Allocated ip x.x.x.x to client key: 6e4d4f13b0396f83e15609738a3bc036
    modcall: group post-auth returns ok for request 0
    Sending Access-Accept of id 55 to x.x.x.x port 5
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = x.x.x.x
        Framed-IP-Netmask = 255.255.255.255
    Finished request 0
    Going to the next request
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 55 with timestamp 450b0ba9
    Nothing to do. Sleeping until we see a request.

As you can see, the VSA was not included in the Access-Accept response.

Please HELP! THANKS!
sqlippool not working
Hi Peter,

Like you told me before, you did some cleanups in the sqlippool.conf. Well, I've tried to install today's freeradius CVS, and it installed without the sqlippool module, don't know why. So, I've compiled it manually from freeradius-snapshot-20060918/src/modules/rlm_sqlippool/

OK, but when I run radiusd -X, I got this in the end, regardless of my configuration in sqlippool.conf and radiusd.conf:

    Module: Loaded SQL IP Pool
    sqlippool: sql-instance-name = sql
    sqlippool: lease-duration = 86400
    sqlippool: pool-name =
    sqlippool: allocate-begin = BEGIN
    sqlippool: allocate-clear =
    sqlippool: allocate-find =
    sqlippool: allocate-update =
    sqlippool: allocate-commit = COMMIT
    sqlippool: allocate-rollback = ROLLBACK
    sqlippool: start-begin = BEGIN
    sqlippool: start-update =
    sqlippool: start-commit = COMMIT
    sqlippool: start-rollback = ROLLBACK
    sqlippool: alive-begin = BEGIN
    sqlippool: alive-update =
    sqlippool: alive-commit = COMMIT
    sqlippool: alive-rollback = ROLLBACK
    sqlippool: stop-begin = BEGIN
    sqlippool: stop-clear =
    sqlippool: stop-commit = COMMIT
    sqlippool: stop-rollback = ROLLBACK
    sqlippool: on-begin = BEGIN
    sqlippool: on-clear =
    sqlippool: on-commit = COMMIT
    sqlippool: on-rollback = ROLLBACK
    sqlippool: off-begin = BEGIN
    sqlippool: off-clear =
    sqlippool: off-commit = COMMIT
    sqlippool: off-rollback = ROLLBACK
    rlm_sqlippool: the 'allocate-clear' statement must be set.

It's not even trying to access the Oracle server. What can it be?

Thanks!
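The diagnosis made elsewhere in this thread (a radiusd -X dump that shows only built-in defaults means the settings in sqlippool.conf were never loaded) can be checked mechanically. The Python below is an added example, not code from the thread or from FreeRADIUS; the sample dump is abbreviated from the message above, and the CONFIGURED values, including the placeholder SQL, are constructed.

```python
import re

# Tokens that end a directive's value once the dump is squashed onto one line.
_STOP = r"(?:rlm_sqlippool:|sqlippool:|Module:)"
_DIRECTIVE = re.compile(
    r"(?<![\w-])sqlippool:\s*([\w-]+)\s*=\s*(.*?)(?=\s*" + _STOP + r"|\s*$)"
)
_MUST_SET = re.compile(r"rlm_sqlippool: the '([\w-]+)' statement must be set")

# Abbreviated from the radiusd -X output quoted in the message above.
SAMPLE_DEBUG = """\
Module: Loaded SQL IP Pool
 sqlippool: sql-instance-name = sql
 sqlippool: lease-duration = 86400
 sqlippool: pool-name =
 sqlippool: allocate-begin = BEGIN
 sqlippool: allocate-clear =
 sqlippool: allocate-commit = COMMIT
rlm_sqlippool: the 'allocate-clear' statement must be set.
"""

# Constructed: what the administrator believes sqlippool.conf contains.
CONFIGURED = {
    "sql-instance-name": "foobar",
    "lease-duration": "86400",
    "allocate-clear": "UPDATE radippool SET pool_key = 0 "
                      "WHERE pool_key = 'PLACEHOLDER'",
}


def squash(text):
    """Collapse all whitespace runs so wrapped and flattened dumps look alike."""
    return " ".join(text.split())


def parse_dump(debug_text):
    """Return {directive: value} for every 'sqlippool: name = value' entry.

    Works on the normal multi-line output and on a dump that a mail archive
    has flattened onto one line, because values end at the next stop token.
    """
    return {name: value.strip()
            for name, value in _DIRECTIVE.findall(squash(debug_text))}


def unloaded_settings(configured, debug_text):
    """Directives whose configured value is not what the server reported.

    Returns {name: (configured_value, reported_value_or_None)}. Any entry
    here means the file being edited is not the one the module parsed.
    """
    loaded = parse_dump(debug_text)
    diffs = {}
    for name, wanted in configured.items():
        got = loaded.get(name)
        if got is None or squash(wanted) != got:
            diffs[name] = (squash(wanted), got)
    return diffs


def missing_statements(debug_text):
    """Statement names the module itself refused to start without."""
    return _MUST_SET.findall(squash(debug_text))


if __name__ == "__main__":
    for name, (wanted, got) in unloaded_settings(CONFIGURED, SAMPLE_DEBUG).items():
        print(f"{name}: configured {wanted!r}, server loaded {got!r}")
    print("refused to start without:", missing_statements(SAMPLE_DEBUG))
```

A mismatch on a trivial setting such as sql-instance-name is the useful signal here: it shows the include path or build is wrong before any SQL statement is examined.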
URGENT! User does not get VSA attribute If override = yes and in radiusd.conf and using PROXY
Hi,

I need to set override = yes in radiusd.conf in order for the user to get an IP. This way because it's a proxy request, i.e.:

    [EMAIL PROTECTED] - proxy to realm - realm authorize user - myradius sets the IP

The IP assignment does not work with override = no, because the proxy radius tends to set the IP 255.255.255.254.

OK, if override = yes, the users get the correct IP from the pool, but not the VSA, as below:

    DEFAULT Pool-Name := test
            X-Ascend-Client-Primary-DNS = x.x.x.x,
            X-Ascend-Client-Secondary-DNS = x.x.x.x,
            X-Ascend-Client-Assign-DNS = 1,
            ERX-Virtual-Router-Name = default,
            Framed-Routing == None,
            Framed-Protocol = PPP,
            Service-Type = Framed-User

note: those VSAs work correctly when I specify local users like this (not proxy):

    testuser Auth-Type := local, User-Password == foo, Pool-Name := test
            X-Ascend-Client-Primary-DNS = x.x.x.x,
            X-Ascend-Client-Secondary-DNS = x.x.x.x,
            X-Ascend-Client-Assign-DNS = 1,
            ERX-Virtual-Router-Name = default,
            Fall-Through = Yes

Please HELP! THANKS!
ERROR! Proxy listen.c error
Hello,

Using Proxy, when user mistypes the password, radiusd -X crashes with

    Assertion failed in listen.c, line 558

Line 558 = rad_assert(request->listener == listener);

Thanks.
VSA does not work when using PROXY
Hello,

Please Help! Using latest CVS - Proxy-Radius does not pass the VSA, as below (in users):

    DEFAULT Pool-Name := test
            X-Ascend-Client-Primary-DNS = x.x.x.x,
            X-Ascend-Client-Assign-DNS = 1,
            ERX-Virtual-Router-Name = default,
            Framed-Routing == None,
            Framed-Protocol = PPP,
            Service-Type = Framed-User

note: those VSAs work correctly when I try with local users (no proxy):

In attrs file:

    realm
            Service-Type == Framed-User,
            Framed-Protocol == PPP,
            X-Ascend-Client-Primary-DNS == x.x.x.x,
            X-Ascend-Client-Assign-DNS == 1,
            ERX-Virtual-Router-Name == default,
            Idle-Timeout = 600,
            Session-Timeout = 28800

Output:

    rad_recv: Access-Request packet from host x.x.x.x port 5, id=55, length=251
        User-Password = xxx
        User-Name = [EMAIL PROTECTED]
        Acct-Session-Id = erx atm 3/2.42:100.221:0009437817
        Service-Type = Framed-User
        Framed-Protocol = PPP
        ERX-Pppoe-Description = pppoe 12:34:56:78:9a:bc
        Calling-Station-Id = #BRAS-01#this is a description#100#221
        Connect-Info = speed:UBR:12000
        NAS-Port-Type = xDSL
        NAS-Port = 845414621
        NAS-Port-Id = atm 3/2.42:100.221
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = BRAS-01
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    rlm_realm: Looking up realm realm for User-Name = xxx
    rlm_realm: Found realm realm
    rlm_realm: Adding Stripped-User-Name = xxx
    rlm_realm: Proxying request from user xxx to realm realm
    rlm_realm: Adding Realm = realm
    rlm_realm: Preparing to proxy authentication request to realm realm
    rlm_eap: No EAP-Message, not doing EAP
    users: Matched entry DEFAULT at line 194
    modcall: group authorize returns noop for request 0
    Sending Access-Request of id 155 to x.x.x.x port 1645
        User-Password = xxx
        User-Name = xxx
        Acct-Session-Id = erx atm 3/2.42:100.221:0009437817
        Service-Type = Framed-User
        Framed-Protocol = PPP
        ERX-Pppoe-Description = pppoe 12:34:56:78:9a:bc
        Calling-Station-Id = #BRAS-01#this is a description#100#221
        Connect-Info = speed:UBR:12000
        NAS-Port-Type = xDSL
        NAS-Port = 845414621
        NAS-Port-Id = atm 3/2.42:100.221
        NAS-IP-Address = x.x.x.x
        NAS-Identifier = BRAS-01
        Proxy-State = 0x3535
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    rad_recv: Access-Accept packet from host x.x.x.x port 1645, id=155, length=60
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Framed-MTU = 576
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Proxy-State = 0x3535
    Processing the post-proxy section of radiusd.conf
    modcall: entering group post-proxy for request 0
    attr_filter: Matched entry realm at line 52
    modcall: group post-proxy returns noop for request 0
    authorize: Skipping authorize in post-proxy stage
    rad_check_password: Found Auth-Type
    rad_check_password: Auth-Type = Accept, accepting the user
    Processing the post-auth section of radiusd.conf
    modcall: entering group post-auth for request 0
    radius_xlat: 'x.x.x.x 845414621'
    rlm_ippool: MD5 on 'key' directive maps to: 6e4d4f13b0396f83e15609738a3bc036
    rlm_ippool: Searching for an entry for key: '6e4d4f13b0396f83e15609738a3bc036'
    rlm_ippool: Allocating ip to key: '6e4d4f13b0396f83e15609738a3bc036'
    rlm_ippool: num: 1
    rlm_ippool: Allocated ip x.x.x.x to client key: 6e4d4f13b0396f83e15609738a3bc036
    modcall: group post-auth returns ok for request 0
    Sending Access-Accept of id 55 to x.x.x.x port 5
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = x.x.x.x
        Framed-IP-Netmask = 255.255.255.255
    Finished request 0
    Going to the next request
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 55 with timestamp 450b0ba9
    Nothing to do. Sleeping until we see a request.

As you can see, the VSA was not included in the Access-Accept response.

Please HELP! THANKS!
Re: radippool table for Oracle
Thank you! I'm downloading it right now.

Thanks again!

On 9/13/06, Peter Nixon [EMAIL PROTECTED] wrote:

Hi

Please update to the latest sqlippool.conf in cvs as I have just committed a lot of cleanups to it.

Cheers
Peter

On Tue 12 Sep 2006 23:56, Guilherme Franco wrote:

Mr. Peter,

Thanks, yes, that's correct. But what I need is this behaviour even if the user disconnects and even if I run out of IPs in the pool. Basically, John logs in for the first time and randomly catches ip 1.1.1.130. When John logs out and comes back next week, he should be able to get 1.1.1.130 again, so that IP can't be reused. Is there any form to do that? Sorry, maybe I've described the problem in a wrong way earlier.

Thank you very much for the answers, I hope to contribute later to freeradius posting my oracle schema.

On 9/12/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Tue 12 Sep 2006 22:44, Guilherme Franco wrote:

Thanks Mr. Nixon, I thought that someone might have already created such a schema. But that's not a problem. I'll be playing with the errors and as I get a working schema I'll post back.

Just another doubt: Is there any way to create a pool of addresses and when someone receives one ip from this pool, this ip stays assigned to that user forever (lease forever, just like a static IP)? I need this so that I assign an IP only based in the group (which has some pools assigned to it), no need to manually create Frammed-Ip-Address = x.x.x.x for that user.

That is basically what the default sqlippool config does unless you run out of IPs in the pool, in which case it will start to hand reusing IPs that are currently not connected.

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: radippool table for Oracle
Mr. Peter,

Thanks, yes, that's correct. But what I need is this behaviour even if the user disconnects and even if I run out of IPs in the pool. Basically, John logs in for the first time and randomly catches ip 1.1.1.130. When John logs out and comes back next week, he should be able to get 1.1.1.130 again, so that IP can't be reused. Is there any form to do that? Sorry, maybe I've described the problem in a wrong way earlier.

Thank you very much for the answers, I hope to contribute later to freeradius posting my oracle schema.

On 9/12/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Tue 12 Sep 2006 22:44, Guilherme Franco wrote:

Thanks Mr. Nixon, I thought that someone might have already created such a schema. But that's not a problem. I'll be playing with the errors and as I get a working schema I'll post back.

Just another doubt: Is there any way to create a pool of addresses and when someone receives one ip from this pool, this ip stays assigned to that user forever (lease forever, just like a static IP)? I need this so that I assign an IP only based in the group (which has some pools assigned to it), no need to manually create Frammed-Ip-Address = x.x.x.x for that user.

That is basically what the default sqlippool config does unless you run out of IPs in the pool, in which case it will start to hand reusing IPs that are currently not connected.

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: URGENT! Dialupadmin Could not connect to SQL database
Thanks, I've already managed to make it work using oracle instant client and custom tnsnames.ora. I was using the entire oracle enterprise install before and it didn't work! Crazy, but it's working now.

Thanks.

On 9/1/06, Edoardo Causarano [EMAIL PROTECTED] wrote:

Make sure you pass the checklist on http://ora-12154.ora-code.com/

Personally I've seen oracle clients that suddenly refuse to work because it decides that it wants ip-name mappings. Usually a trip to the dns or /etc/hosts solves the prob

e

On 31/ago/06, at 16:38GMT+02:00, Guilherme Franco wrote:

Mr. Peter,

I did a test right now with the command line php, for example php test.php and it works! test.php is a program I've created to retrieve some tables from the oracle server. (tcpdump in oracle server shows traffic correctly this way)

But when I try to open test.php from the apache web page, it states

    Parse error: syntax error, unexpected '' in /www/htdocs/test.php on line 10

(then, tcpdump in oracle server shows nothing)

I think that the same problem is blocking dialupadmin from connecting with oracle. What might it be?

Thanks.

On 8/31/06, Guilherme Franco [EMAIL PROTECTED] wrote:

Hello,

Yes, I configured it with the option --with-oci8, and phpinfo() shows oci8 support as enabled. This machine (dialupadmin server) is standalone (oracle in other server and radius in other). I'm trying to use sqlplus from the dialupadmin server but it gives me either ORA-12546 TNS permission denied or ORA-12514 TNS listener does not currently know of service requested in connect descriptor. I've researched a lot about these problems but found nothing.

note: (I've read somewhere that oci does not work well with modules, just with static php links)

Please help. Thank you very much.

On 8/31/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Thu 31 Aug 2006 16:17, Guilherme Franco wrote:

URGENT!

Hi,

I'm getting this error Could not connect to SQL database. in dialupadmin. (using OCI8 with ORACLE)

Radiusd connects to Oracle without any problems, dialupadmin doesn't.

Does your PHP module have Oracle support?

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
URGENT! Dialupadmin Could not connect to SQL database
URGENT!

Hi,

I'm getting this error Could not connect to SQL database. in dialupadmin. (using OCI8 with ORACLE)

Radiusd connects to Oracle without any problems, dialupadmin doesn't.

Please help. Thank you.
Re: URGENT! Dialupadmin Could not connect to SQL database
Hello,

Yes, I configured it with the option --with-oci8, and phpinfo() shows oci8 support as enabled. This machine (dialupadmin server) is standalone (oracle in other server and radius in other). I'm trying to use sqlplus from the dialupadmin server but it gives me either ORA-12546 TNS permission denied or ORA-12514 TNS listener does not currently know of service requested in connect descriptor. I've researched a lot about these problems but found nothing.

note: (I've read somewhere that oci does not work well with modules, just with static php links)

Please help. Thank you very much.

On 8/31/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Thu 31 Aug 2006 16:17, Guilherme Franco wrote:

URGENT!

Hi,

I'm getting this error Could not connect to SQL database. in dialupadmin. (using OCI8 with ORACLE)

Radiusd connects to Oracle without any problems, dialupadmin doesn't.

Does your PHP module have Oracle support?

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: URGENT! Dialupadmin Could not connect to SQL database
Mr. Peter,

I did a test right now with the command line php, for example php test.php and it works! test.php is a program I've created to retrieve some tables from the oracle server. (tcpdump in oracle server shows traffic correctly this way)

But when I try to open test.php from the apache web page, it states

    Parse error: syntax error, unexpected '' in /www/htdocs/test.php on line 10

(then, tcpdump in oracle server shows nothing)

I think that the same problem is blocking dialupadmin from connecting with oracle. What might it be?

Thanks.

On 8/31/06, Guilherme Franco [EMAIL PROTECTED] wrote:

Hello,

Yes, I configured it with the option --with-oci8, and phpinfo() shows oci8 support as enabled. This machine (dialupadmin server) is standalone (oracle in other server and radius in other). I'm trying to use sqlplus from the dialupadmin server but it gives me either ORA-12546 TNS permission denied or ORA-12514 TNS listener does not currently know of service requested in connect descriptor. I've researched a lot about these problems but found nothing.

note: (I've read somewhere that oci does not work well with modules, just with static php links)

Please help. Thank you very much.

On 8/31/06, Peter Nixon [EMAIL PROTECTED] wrote:

On Thu 31 Aug 2006 16:17, Guilherme Franco wrote:

URGENT!

Hi,

I'm getting this error Could not connect to SQL database. in dialupadmin. (using OCI8 with ORACLE)

Radiusd connects to Oracle without any problems, dialupadmin doesn't.

Does your PHP module have Oracle support?

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc