Re: mac authentication, log rejected device in radius.log
On 10/18/2013 11:00 AM, Alan DeKok wrote:
> Bertalan Voros wrote:
>> I have one question, I would like to log a message in radius.log when a device is rejected based on its MAC address. I would like to put a message saying that the device was unauthorised and the Calling-Station-Id into the radius.log logfile.
>
> See the radiusd.conf, the log subsection. There are limited possibilities for customizing the log messages.
>
> Alan DeKok.

I use a modified module for syslog based off exec for this type of thing (on a UNIX system):

    exec syslog-portauth {
        wait = no
        program = "/usr/bin/logger -p local3.info -t portauth switch %{NAS-IP-Address} port %{NAS-Port-Id} %{NAS-Port} - User %{sql_start2: select determineUserFromMac('%{User-Name}')} on MAC %{User-Name} assigned to %{reply:Tunnel-Private-Group-Id}"
        input_pairs = request
        packet_type = Access-Accept
        shell_escape = no
    }

Granted, you might need to execute this on an Access-Reject, but you can log anything you want with that. I even grab some values from my database (MySQL functions actually) to include in the log line.

- JohnD

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
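As an added illustration (not JohnD's module and not from the thread): the same exec-plus-logger pattern, but fired from the Post-Auth-Type REJECT section so that a device rejected on its MAC is recorded together with its Calling-Station-Id, which is what the original question asked for. The module name log-reject, the syslog facility and the tag are assumptions.

```unlang
# Added example, not JohnD's module. Logs one syslog line per Access-Reject
# so a device turned away on its MAC can be found later by NAS and port.
# Module name "log-reject", facility local3 and tag "portauth" are assumptions.

# --- raddb/modules/log-reject
exec log-reject {
	# Do not hold the reject waiting for logger; nothing is read back.
	wait = no
	# Calling-Station-Id is the client MAC, User-Name whatever the client sent.
	program = "/usr/bin/logger -p local3.warning -t portauth REJECT mac %{Calling-Station-Id} user %{User-Name} nas %{NAS-IP-Address} port %{NAS-Port-Id}"
	input_pairs = request
	# Only run when the reply being sent is an Access-Reject; for any other
	# packet type the module returns noop.
	packet_type = Access-Reject
	# Both attributes above are supplied by the client, so keep escaping on:
	# shell metacharacters in the expansions are neutralised before exec.
	shell_escape = yes
}

# --- raddb/sites-enabled/default
post-auth {
	# ... normal post-auth processing for accepted users ...

	# Rejects take this sub-section instead; log after the usual filtering.
	Post-Auth-Type REJECT {
		attr_filter.access_reject
		log-reject
	}
}
```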
Re: Case statement error
Hi,

Ah... a fix wasn't pulled over from v3.0.x to master. I've just done that now. The server now starts with such switch/case config present.

cheers!

alan
RE: Case statement error
Thanks both, that's great news. I really need to teach myself some C..

Cheers
Andy

-----Original Message-----
From: a.l.m.bu...@lboro.ac.uk
Sent: 14 October 2013 07:27
To: FreeRadius users mailing list
Subject: Re: Case statement error

> Ah... a fix wasn't pulled over from v3.0.x to master. I've just done that now. server now starts with such switch/case config present.
Re: Dynamic VLAN assignment depending on LDAP user group and MAC address
On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote:
> As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't overwritten by the authorized_macs check...

Add

    DEFAULT Auth-Type := Reject

to the bottom of your authorized_macs file.

You might as well move the MAC address check up above eap in the authorize section. There's no point going through all the eap processing if you're just going to reject afterwards based on something that could easily have been done first.

Cheers
Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Dynamic VLAN assignment depending on LDAP user group and MAC address
On Mon, Oct 14, 2013 at 10:40:19AM +0100, Matthew Newton wrote:
> On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote:
>> As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't overwritten by the authorized_macs check...
>
>     DEFAULT Auth-Type := Reject

I misread (and replied before I'd seen the other thread from your duplicate message...) - to set the VLAN for any users that *don't* match other entries, then add this at the bottom:

    DEFAULT
        Tunnel-Type:0 := VLAN,
        Tunnel-Medium-Type:0 := IEEE-802,
        Tunnel-Private-Group-Id:0 := 999

To Reject, you can do it in authorize. To set the VLAN, as Alan said, post-auth is the better place.

Use := to force the values to be set. = will not change the values if already set by the inner tunnel, etc.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Username format
Hi,

> Does FreeRADIUS give a fig about what the username is? If it were all numeric, say 123456789 I guess it is happy with that? It's just a string to FreeRADIUS?

FreeRADIUS is just a RADIUS server and hence any decisions made by it are all down to defined policies. So if you have a policy that cares about username format, case sensitivity etc... or have a backend that has such feelings and emotions then you will find out :-)

alan
Re: Case statement error
Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi again, Sorry to bang on about this, but I'm struggling still. Brand new machine, Ubuntu 13.04 server, never had freeradius installed on it. Pulled from git, - (FreeRADIUS Version 3.1.0 (git #209982d),

I didn't see the 3.1.0...

At this point, you may want to be running from the 3.0.0 release, or the v3.0.x branch. There are NO new features in master (3.1.0) over 3.0.0. Our plan for 3.1.0 is to finish the conversion to talloc, which may introduce instabilities. In contrast, 2.2.x and 3.0.x will have minimal changes.

Alan DeKok.
Re: Generating timing stats for ntlm_auth
On 10/10/13 15:03, a.l.m.bu...@lboro.ac.uk wrote:
> Samba 4 is lurvely... apparently 100% compatible with existing AD installations, although, as always, it's a bit finicky and info is a bit thin on the ground (and I've not written up a guide when I set my test environment up that uses an S4 server for EAP-MSCHAPv2). But at least it exists on RHEL/CentOS as a package. It can also BE an AD master etc. Anyway, you don't know how tempting it was to yum install samba4 on our production system ;-)
>
> I'd certainly like to see some samba3.x versus samba4 benchmarks in this sort of context

This morning I upgraded a couple of our radius servers from samba 3.6.9 to 4.0.0-rc4. It works, but it's not yet clear how much of an improvement it makes. Early indication is that it helps spread the load more evenly between domain controllers at peak times, but it is by no means the magic bullet.

Cheers,
Jonathan
Re: Terminate dsl ppp sessions daily
On 14 Oct 2013, at 15:52, Volker Lieder v.lie...@uvensys.de wrote:
> Hi list, we use freeradius for our DSL user authentication. We want to disconnect some users via radius at fixed times, e.g. 04:00 am. Which attribute and value should / can I use? Session-Timeout doesn't do the job. Calculate the time difference between now and 04:00 am and insert it into Session-Timeout?

If your NAS doesn't implement Session-Timeout then you can use CoA/DM or SNMP.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Generating timing stats for ntlm_auth
On 14/10/13 16:01, Jonathan Gazeley wrote:
> This morning I upgraded a couple of our radius servers from samba 3.6.9 to 4.0.0-rc4. It works, but it's not yet clear how much of an improvement it makes. Early indication is that it helps spread the load more evenly between domain controllers at peak times, but it is by no means the magic bullet.

I am wondering if using ntlm_auth in pipe mode, in the same way Squid does, would improve this, as it would avoid fork/exec. I might try and knock up a PoC patch.
Re: Terminate dsl ppp sessions daily
Hi,

we tried to calculate it via expr. How would you calculate it?

Regards,
Volker

On 14.10.2013 at 17:03, Arran Cudbard-Bell wrote:
> If your NAS doesn't implement Session-Timeout then you can use CoA/DM or SNMP.
Re: Terminate dsl ppp sessions daily
On 14 Oct 2013, at 16:27, Volker Lieder v.lie...@uvensys.de wrote:
> Hi, we tried to calculate it via expr. How would you calculate it?

Pretty sure the expiration module does exactly this.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: 3.0.0 return code priority / change?
On 14/10/13 16:18, Phil Mayers wrote:
> i.e. the noop from the files module is ignored. This is a change from 2.x where the most recent module return code can be checked. Have I missed the change, or is this not intentional?

Looks like this happened in the modcall.c rewrite (d0aa96709cea) and has been ported to 2.x as well, so it'll change there too?

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/modcall.c#L959
Re: 3.0.0 return code priority / change?
On 14/10/13 17:15, Phil Mayers wrote:
> Looks like this happened in the modcall.c rewrite (d0aa96709cea) and has been ported to 2.x as well, so it'll change there too?

Fix seems easy; assuming the old behaviour is what's wanted:

https://github.com/philmayers/freeradius-server/commit/51c43419
Re: configure freeradius to use UPN instead of samaccountname
Angelica Delgado wrote:
> We have our freeradius setup to authenticate with Active Directory for EAP. Currently, it uses the samaccountname but we want to use UPN instead. We get NT_STATUS_NO_SUCH_USER when testing with ntlm through command line.
>
>     ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com
>
> Can you please let us know what needs to be configured to support the UPN?

ntlm_auth is from Samba. It's not part of FreeRADIUS. Ask the Samba people how it works.

Alan DeKok.
RE: configure freeradius to use UPN instead of samaccountname
You might want to do an LDAP lookup first on your UPN to find the samAccountName, then use that with ntlm_auth.

Stefan

From: Angelica Delgado
Sent: 14 October 2013 21:51
To: FreeRadius users mailing list
Subject: configure freeradius to use UPN instead of samaccountname

> We have our freeradius setup to authenticate with Active Directory for EAP. Currently, it uses the samaccountname but we want to use UPN instead. We get NT_STATUS_NO_SUCH_USER when testing with ntlm through command line.
>
>     ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com
>
> Can you please let us know what needs to be configured to support the UPN? Thanks.
RE: Case statement error
Hi again,

Sorry to bang on about this, but I'm struggling still. Brand new machine, Ubuntu 13.04 server, never had freeradius installed on it. Pulled from git - (FreeRADIUS Version 3.1.0 (git #209982d), for host x86_64-unknown-linux-gnu, built on Oct 13 2013 at 18:42:55)

    ./configure
    make
    make install

Nothing else except putting this in the authorize section of a brand new default VS:

    switch "%{control:Tmp-String-0}" {
        case {
            update control {
                Tmp-String-0 := "new value"
            }
        }
    }

Same outcome:

    # Loading authorize {...}
    /usr/local/etc/raddb/sites-enabled/default[222]: case statements may only appear within a switch section
    /usr/local/etc/raddb/sites-enabled/default[222]: Failed to parse case subsection.
    /usr/local/etc/raddb/sites-enabled/default[220]: Errors parsing authorize section.

It just can't be an old binary, guaranteed this machine has never been near FR. Any ideas? Does anyone mind trying it?

Thanks
Andy

-----Original Message-----
From: Alan DeKok
Sent: 11 October 2013 18:59
To: FreeRadius users mailing list
Subject: Re: Case statement error

> Franks Andy (RLZ) IT Systems Engineer wrote:
>> I still get
>>     # Loading authorize {...}
>>     /usr/local/etc/raddb/sites-enabled/default[222]: case statements may only appear within a switch section
>
> You need to upgrade your binary. You're not using the latest version.
>
> Alan DeKok.
Re: Case statement error
Hi,

this error is also present with 3.1.0 when using the provided originate-coa virtual server - so it's reproducible with a minimally adjusted configuration (just drop originate-coa from sites-available to sites-enabled)

alan
Re: Case statement error
a.l.m.bu...@lboro.ac.uk wrote:
> this error is also present with 3.1.0 when using the provided originate-coa virtual server - so it's reproducible with a minimally adjusted configuration (just drop originate-coa from sites-available to sites-enabled)

Ah... a fix wasn't pulled over from v3.0.x to master. I've just done that now.

Alan DeKok.
Re: Dynamic VLAN assignment depending on LDAP user group and MAC address
Fabrizio Vecchi wrote:
> First of all, sorry if my email is very long, I am just trying not to leave any important details out. :)

That's good.

> So far, I managed to do the dynamic VLAN assignment, but cannot seem to get it to work together with the MAC checking.

The key thing to remember is that they are two independent pieces. Get them working independently. Then, put the pieces together.

> I can get an auth to be refused if the MAC is not listed in the authorized_macs file, but can't quite put the two things together. Perhaps I am a bit confused with regards to where to put the MAC check.

Put it into authorize.

> For now, I just managed to get the check to work only on the authorization phase in sites-enabled/default, but then the VLAN assignment, which is done in the internal-tunnel, seems to overwrite my changes.

That can be fixed.

> So I tried to put the MAC check in the post-auth section in the default file, but the MAC check doesn't seem to ever work.

Because the users file works differently there.

> Here are the relevant config files:

Which seem to use a reasonable approach.

> As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't overwritten by the authorized_macs check...

I think part of the problem is you're juggling a lot. You also mentioned MACs and VLANs... and then halfway through the message "Oh, there's an inner-tunnel, too."

Stop with all of your solutions. Instead, write down exactly what you have. Write down what you want to happen in plain English. Write down what should happen, and when. Then, convert it to the configuration.

Your system is using TTLS. OK... I'll ignore the question of *why* you're authenticating unknown MACs. That seems weird.

The debug log shows this:

    [ttls] Got tunneled reply code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 40

Where did that VLAN come from? Why is it there? If you don't know, that's a huge problem.

Generally, the policies should be arranged like this:

    authorize:
        allow only known kinds of authentication
        decide which authentication method to use
        grab known good passwords

    authenticate:
        run authentication methods

    post-auth:
        return attributes for a successfully authenticated user

In your case, I'd say return to a default configuration. Then, get the MAC address filtering working in post-auth. Once that's working, add VLAN assignment.

Alan DeKok.
Re: Problems with compiling freeradius on Ubuntu Linux
On 12 Oct 2013, at 17:40, Andrei Petru Mura mapand...@gmail.com wrote:
> Hello, I imported FreeRADIUS from git on Eclipse, and tried to build it, but this error occurs while building the project:
>
>     threads.h:47:2: error: #error WITH_THREADS defined, but pthreads not available
>
> Can anybody guide me how to solve this issue? Thanks.

This is an invalid state. The configure script will not define WITH_THREADS unless the pthread headers are available.

Check if HAVE_PTHREAD_H and WITH_THREADS are defined in src/include/autoheader.h. If they're both defined then Eclipse is messing with the build system; if one is defined and the other is not, then autoconf/the configure scripts are broken.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Dynamic VLAN assignment depending on LDAP user group and MAC address
Hi Alan and thanks for the reply.

On 12 October 2013 13:42, Alan DeKok al...@deployingradius.com wrote:
>> So far, I managed to do the dynamic VLAN assignment, but cannot seem to get it to work together with the MAC checking.
>
> Get them working independently. Then, put the pieces together.

I managed to get them to work independently, it's the putting together phase that I can't quite crack... :)

>> I can get an auth to be refused if the MAC is not listed in the authorized_macs file, but can't quite put the two things together. Perhaps I am a bit confused with regards to where to put the MAC check.
>
> Put it into authorize.

If I put the MAC check in the authorize section, then I can allow users to use only the devices in the authorized_macs file (unless I am missing something). I would like the users to use any device, but just have a limited access to the network if the device isn't listed in the authorized_macs file...

>> For now, I just managed to get the check to work only on the authorization phase in sites-enabled/default, but then the VLAN assignment, which is done in the internal-tunnel, seems to overwrite my changes.
>
> That can be fixed.
>
>> So I tried to put the MAC check in the post-auth section in the default file, but the MAC check doesn't seem to ever work.
>
> Because the users file works differently there.

Can you point me to some part of the docs that explain what is different, please?

>> Here are the relevant config files:
>
> Which seem to use a reasonable approach.
>
>> As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't overwritten by the authorized_macs check...
>
> I think part of the problem is you're juggling a lot. You also mentioned MACs and VLANs... and then halfway through the message "Oh, there's an inner-tunnel, too."
>
> Stop with all of your solutions. Instead, write down exactly what you have. Write down what you want to happen in plain English. Write down what should happen, and when. Then, convert it to the configuration.
>
> Your system is using TTLS. OK... I'll ignore the question of *why* you're authenticating unknown MACs. That seems weird.

What I am trying to achieve is the following:

1. Authenticate the users through LDAP
2. IF the user is using a device listed in the authorized_macs file, then assign a VLAN which depends on the user's LDAP group.
3. IF the user is using another (their own), allow them to access an isolated VLAN, which doesn't allow the device to talk to our servers.

This will allow my colleagues to connect to the Internet with their devices, but not to mess around with our servers in case there is malware installed on them. Does this make sense?

> The debug log shows this:
>
>     [ttls] Got tunneled reply code 2
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = 40
>
> Where did that VLAN come from? Why is it there? If you don't know, that's a huge problem.

SO SORRY! I pasted the sites-available/default file twice! It comes from the post-auth section in the inner-tunnel file. In inner-tunnel, I check if the user belongs to the dept_tech_corporate_it group, and if so, I update the outer request by assigning a VLAN with ID 40. This part of the config works properly, as shown by the following few lines of debug output:

    rlm_ldap::ldap_groupcmp: User found in group cn=dept_tech_corporate_it,ou=Groups,c=gb,dc=mindcandy,dc=com
    [ldap] ldap_release_conn: Release Id: 0
    ? Evaluating (LDAP-Group == cn=dept_tech_corporate_it,ou=Groups,c=gb,dc=mindcandy,dc=com) - TRUE

> Generally, the policies should be arranged like this:
>
>     authorize:
>         allow only known kinds of authentication
>         decide which authentication method to use
>         grab known good passwords
>
>     authenticate:
>         run authentication methods
>
>     post-auth:
>         return attributes for a successfully authenticated user
>
> In your case, I'd say return to a default configuration. Then, get the MAC address filtering working in post-auth. Once that's working, add VLAN assignment.

That seems to be an approach similar to the one I am trying to use. I would like to do the check of the MAC address last, so that I can associate the right VLAN to the user. But for some reason this check doesn't seem to work.

I guess at the end of the day my question boils down to the following: where should I put the MAC check, so that the user gets assigned to the right VLAN? If I put it in the authorize part of sites-enabled/default, the VLAN update request will get overwritten by the post-auth part of sites-enabled/inner-tunnel; and if I put it in the post-auth of the sites-enabled/default file (which gets executed after inner-tunnel), the authorized_macs function always returns noop.

If I could get any pointers towards a working solution, I'd be really grateful.

Thanks,
Fabrizio
Re: Dynamic VLAN assignment depending on LDAP user group and MAC address
Fabrizio Vecchi wrote:
> I guess at the end of the day my question boils down to the following: where should I put the MAC check, so that the user gets assigned to the right VLAN?

In post-auth.

> If I put it in the authorize part of sites-enabled/default, the VLAN update request will get overwritten by the post-auth part of sites-enabled/inner-tunnel;

The default configuration for the inner-tunnel does *not* set a VLAN in post-auth. So one configuration you added prevents you from using another configuration you added.

> and if I put it in the post-auth of the file sites-enabled/default file (which gets executed after inner-tunnel), the authorized_macs function always returns noop.

Delete the "set VLAN" stuff from the post-auth of the inner tunnel. As you've seen, it breaks the other configuration you're trying to use.

When you put authorized_macs into the post-auth, it runs the post-auth processing. Which doesn't read the users file... as the users file is done only in the authorize section.

You should be able to put authorized_macs.authorize in the post-auth section. That will make it process the users file, and do what you want.

Alan DeKok.
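Putting Alan's and Matthew's advice together, as an added example rather than configuration from the thread: the files instance keyed on the MAC is called through its authorize method from the outer post-auth (the only section that runs after the inner tunnel and still sees the client MAC), known devices match and stop, and a DEFAULT entry with := forces an isolated VLAN for everything else, so the group VLAN the inner tunnel placed in the outer reply survives only for listed devices. The MAC, VLAN id 999 and the Reply-Message texts are constructed, and the module definition is assumed to match the stock 2.x files instance.

```unlang
# Added example, not from the thread. Known MAC: keep the VLAN the
# inner-tunnel post-auth chose from the LDAP group (40 in the thread).
# Unknown MAC: force an isolated VLAN instead. The MAC and VLAN 999 are
# constructed values; the module block is assumed to match stock 2.x raddb.

# --- raddb/modules/files: files instance keyed on the client MAC.
files authorized_macs {
	key = "%{Calling-Station-Id}"
	usersfile = ${confdir}/authorized_macs
	compat = no
}

# --- raddb/authorized_macs: one entry per company-owned device, DEFAULT last.
# The key must match the MAC exactly as the switch sends it (separator and
# case); if the rewrite_calling_station_id policy runs in authorize, use
# the XX-XX-XX-XX-XX-XX form it produces.

# Known device: matches and stops (no Fall-Through), so the reply is left
# exactly as the inner tunnel built it, group VLAN included.
00-11-22-33-44-55
	Reply-Message = "Known device %{Calling-Station-Id}"

# Anything else: ":=" overwrites whatever Tunnel-* the inner tunnel already
# put in the outer reply; "=" would leave an existing value alone.
DEFAULT
	Tunnel-Type:0 := VLAN,
	Tunnel-Medium-Type:0 := IEEE-802,
	Tunnel-Private-Group-Id:0 := 999,
	Reply-Message = "Unknown device %{Calling-Station-Id}: isolated VLAN"

# --- raddb/sites-enabled/default, post-auth section.
post-auth {
	# Call the module's *authorize* method explicitly: post-auth processing
	# on its own never reads a users-style file, which is why a bare
	# "authorized_macs" here always returned noop.
	authorized_macs.authorize

	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
```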
Re: clone break freeradius
hi,

you must ensure you 'sign out' of the AD before you clone, as otherwise both objects are the same... and, as you have found, doing something with the clone breaks the first server. Or just don't bind to the AD before cloning.

To fix, you need to ensure that both machines have their own identity (eg /etc/hosts and $HOSTNAME all refer to a unique name per machine) and that there is nothing in the AD referencing either system. THEN net ads join each box... but this isn't a freeradius question.

alan
RE: clone break freeradius
Did you also change the MAC address for the network adapter in the VMware settings? Otherwise VMware believes (and possibly your network too) the two machines are the same. After changing the MAC address, reconfigure your network settings on the clone and reboot. Delete the trust (computer) account for the original machine from Active Directory. Then retry the net join command for both machines.

Stefan

From: trevor obba
Sent: 11 October 2013 00:38
To: freeradius-users@lists.freeradius.org
Subject: clone break freeradius

> I configured freeradius version 2.2.0 running on Ubuntu 12.04 to authenticate against active directory and it was working fine until I decided to clone (vmware) the machine. Once the machine was cloned I changed the IP address, the hostname (in /etc/hosts and /etc/hostname) and also changed the name in /etc/samba/smb.conf. Finally I tried to join the cloned machine using "net join -U administrator"; unfortunately this breaks the original freeradius machine, which no longer authenticates to active directory, and the clone machine will not join the Domain either. I think the clone machine is still referring to the original machine, which breaks the original machine; unfortunately I do not know how to fix it. How do I fix the original machine? What else do I change on the clone machine so that I can successfully join it to the domain without breaking the original machine?
RE: Case statement error
Hi again.

I'm confused now. I've recompiled, renamed all old folders under /usr/local and done a complete reinstall. I've pared it all down and simply put

    switch "%{control:Tmp-String-0}" {
        case {
            update control {
                Tmp-String-0 := "new value"
            }
        }
    }

in the default VS. I still get

    # Loading authorize {...}
    /usr/local/etc/raddb/sites-enabled/default[222]: case statements may only appear within a switch section
    /usr/local/etc/raddb/sites-enabled/default[222]: Failed to parse case subsection.
    /usr/local/etc/raddb/sites-enabled/default[220]: Errors parsing authorize section.

I'm running git #57e69c9

Sorry, but I can't see what I'm doing wrong!

Thanks
Andy

-----Original Message-----
From: Alan DeKok
Sent: 09 October 2013 15:26
To: FreeRadius users mailing list
Subject: Re: Case statement error

> Franks Andy (RLZ) IT Systems Engineer wrote:
>> Trying version #d166290 results in
>
> Which is old. The bug has already been fixed.
>
> Alan DeKok.
Re: Eaps TTLS and Plain Text
Gilbert T. Gutierrez, Jr. wrote:
> I have a Free Radius Server (2.1.10-5 packaged with CentOS 6) that is configured to handle radius authentication EAP-TTLS in a tunnel (Motorola/Cambium Canopy Product). I want to be able to authenticate plain text requests from other devices that do not support EAP. Can Free Radius handle both encrypted and unencrypted connections at the same time? If it can, can someone lead me down the correct path?

Yes. And there's nothing to do. Just configure a user with a password. *All* authentication types will work.

Alan DeKok.
Re: MSCHAPv2 use_tunneling_reply problem
So what you're saying is that even though the users are using an anonymous outer id and want anonymity, you want to release their id to the site they are at?
Re: freeradius 2.2.0 on Fedora and oracle module
Hi,

> I've installed oracle instant client from rpm packages (basic + devel) okay.

If you've done this rather than manually installing from Oracle then it's most likely that the paths are different... you will need to check where your Oracle files have been installed and use those paths instead.

alan
Re: freeradius 2.2.0 on Fedora and oracle module
On Thu, Oct 10, 2013 at 2:22 PM, Puzzel puzzel1...@gmail.com wrote:
> --with-oracle-include-dir=/usr/lib/oracle/11.2/client64
>
>     configure: WARNING: oracle headers not found. Use --with-oracle-include-dir=path.
>     configure: WARNING: silently not building rlm_sql_oracle.
>     configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
>     configure: creating ./config.status
>
> Could you help me with that?

Does oci.h exist in that directory?

--
Fajar
RE: freeradius 2.2.0 on Fedora and oracle module
Yes, you are right, the oracle include path was in a different location (/usr/include/oracle/11.2/client64, not /usr/lib...). Now I've got another problem.

    ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client64
    checking for oci.h... checking for gcc... gcc
    checking whether the C compiler works... yes
    checking for C compiler default output file name... a.out
    checking for suffix of executables...
    checking whether we are cross compiling... no
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether gcc accepts -g... yes
    checking for gcc option to accept ISO C89... none needed
    yes
    configure: WARNING: oracle libraries not found. Use --with-oracle-lib-dir=path.
    configure: WARNING: silently not building rlm_sql_oracle.
    configure: WARNING: FAILURE: rlm_sql_oracle requires: libclntsh libnnz.
    configure: creating ./config.status
    config.status: creating Makefile

In the folder I've made ln links:

    ls -la /usr/lib/oracle/11.2/client64/lib/
    razem 151112
    drwxr-xr-x. 2 root root     4096 10-10 10:14 .
    drwxr-xr-x. 4 root root     4096 10-09 14:46 ..
    lrwxrwxrwx. 1 root root       17 10-10 10:14 libclntsh -> libclntsh.so.11.1
    lrwxrwxrwx. 1 root root       17 10-09 14:46 libclntsh.so -> libclntsh.so.11.1
    -rw-r--r--. 1 root root 48797739 2009-08-15 libclntsh.so.11.1
    -rw-r--r--. 1 root root    15365 2009-08-15 libheteroxa11.so
    lrwxrwxrwx. 1 root root       11 10-10 10:09 libnnz -> libnnz11.so
    -rw-r--r--. 1 root root      787 2009-08-15 libnnz11.so
    lrwxrwxrwx. 1 root root       15 10-09 14:46 libocci.so -> libocci.so.11.1
    -rw-r--r--. 1 root root  1261302 2009-08-15 libocci.so.11.1
    -rw-r--r--. 1 root root 89382994 2009-08-15 libociei.so
    -rw-r--r--. 1 root root   165157 2009-08-15 libocijdbc11.so
    -rw-r--r--. 1 root root   997069 2009-08-15 libsqora.so.11.1
    -rw-r--r--. 1 root root  1996228 2009-08-15 ojdbc5.jar
    -rw-r--r--. 1 root root  2111220 2009-08-15 ojdbc6.jar
    -rw-r--r--. 1 root root  1656280 2009-08-15 orai18n.jar
    -rw-r--r--. 1 root root    82983 2009-08-15 orai18n-mapping.jar
    -rw-r--r--. 1 root root   298388 2009-08-15 ottclasses.zip
    -rw-r--r--. 1 root root    37807 2009-08-15 xstreams.jar

but it didn't help.

-----Original Message-----
From: a.l.m.bu...@lboro.ac.uk
Sent: Thursday, October 10, 2013 9:41 AM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.2.0 on Fedora and oracle module

> if you've done this rather than manually installing from Oracle then its most likely that the paths are different... you will need to check where your Oracle files have been installed and use those paths instead
Re: freeradius 2.2.0 on Fedora and oracle module
On 10 Oct 2013, at 09:22, Puzzel puzzel1...@gmail.com wrote:

> Yes, you are right, the oracle include path was in a different location (/usr/include/oracle/11.2/client64, not /usr/lib...). Now I've got another problem.
>
> ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client64
> checking for oci.h...
> checking for gcc... gcc
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
> checking for suffix of executables...
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> yes
> configure: WARNING: oracle libraries not found. Use --with-oracle-lib-dir=path.
> configure: WARNING: silently not building rlm_sql_oracle.
> configure: WARNING: FAILURE: rlm_sql_oracle requires: libclntsh libnnz.
> configure: creating ./config.status
> config.status: creating Makefile

Please use version 3.0.0, the configure script is much better.

http://freeradius.org/download.html

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
RE: freeradius 2.2.0 on Fedora and oracle module
Tnx Arran,

./configure went fine and then created the all.mk file. What to do next? make doesn't work. I'm sorry, I'm not very experienced in Linux.

-----Original Message-----
From: freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org On Behalf Of Arran Cudbard-Bell
Sent: Thursday, October 10, 2013 11:04 AM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.2.0 on Fedora and oracle module

On 10 Oct 2013, at 09:22, Puzzel puzzel1...@gmail.com wrote:

> Yes, you are right, the oracle include path was in a different location (/usr/include/oracle/11.2/client64, not /usr/lib...). Now I've got another problem.
>
> ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client64
> checking for oci.h...
> checking for gcc... gcc
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
> checking for suffix of executables...
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> yes
> configure: WARNING: oracle libraries not found. Use --with-oracle-lib-dir=path.
> configure: WARNING: silently not building rlm_sql_oracle.
> configure: WARNING: FAILURE: rlm_sql_oracle requires: libclntsh libnnz.
> configure: creating ./config.status
> config.status: creating Makefile

Please use version 3.0.0, the configure script is much better.

http://freeradius.org/download.html

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: well almost got FR 3.0 to compile on OS X :-)
O.k., deinstalled the package and package manager I was using, installed homebrew, installed latest openssl and talloc and ….. just compiled and installed. Simples!

Thanks for that

A

On 9 Oct 2013, at 11:54, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 9 Oct 2013, at 11:21, Alex Sharaz alex.sha...@york.ac.uk wrote:
>
>> you don't know how hard it was to wait till the official release :-)
>> A
>
> brew install talloc
> brew link talloc
> ./configure
> make
> make install
>
> ?
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: freeradius 2.2.0 on Fedora and oracle module
On 10 Oct 2013, at 10:31, Puzzel puzzel1...@gmail.com wrote:

> Tnx Arran,
>
> ./configure went fine and then created the all.mk file. What to do next? make doesn't work. I'm sorry, I'm not very experienced in Linux.

You need to do make in the top level directory, not in the module directory. all.mk is a make include, not an actual make file. It should pick up that rlm_sql_oracle has been configured (even if it's not marked as stable) and build it.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: well almost got FR 3.0 to compile on OS X :-)
On 10 Oct 2013, at 10:44, Alex Sharaz alex.sha...@york.ac.uk wrote:

> O.k., deinstalled the package and package manager I was using, installed homebrew, installed latest openssl and talloc and ….. just compiled and installed. Simples!

Hmm, wonder what rudix was doing to mess up the talloc installation.

Anyway, we have our own set of AC_CHECK_LIB and AC_CHECK_HEADERS functions which are smarter than the standard ones, and search in places like /usr/local/lib. They also add -L and -I for libs/headers in non-standard locations, so the majority of the time 3.0.0 configure/make should just work.

Were you installing your own version of SSL to get around the OpenSSL header/library mismatch? Apple messed up and bumped the library version for OpenSSL without bumping the header versions.

You can just edit the system headers to match, though that's a bit icky. Hopefully Apple will just drop OpenSSL in Mavericks and we can do a clean install without all the stupid deprecated pragmas from another package management system.

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: well almost got FR 3.0 to compile on OS X :-)
On 10 Oct 2013, at 12:02, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 10 Oct 2013, at 10:44, Alex Sharaz alex.sha...@york.ac.uk wrote:
>
>> O.k., deinstalled the package and package manager I was using, installed homebrew, installed latest openssl and talloc and ….. just compiled and installed. Simples!
>
> Hmm, wonder what rudix was doing to mess up the talloc installation.
>
> Anyway, we have our own set of AC_CHECK_LIB and AC_CHECK_HEADERS functions which are smarter than the standard ones, and search in places like /usr/local/lib. They also add -L and -I for libs/headers in non-standard locations, so the majority of the time 3.0.0 configure/make should just work.
>
> Were you installing your own version of SSL to get around the OpenSSL header/library mismatch? Apple messed up and bumped the library version for OpenSSL without bumping the header versions.

Yup. Had that problem with FR 2 as well.

> You can just edit the system headers to match, though that's a bit icky. Hopefully Apple will just drop OpenSSL in Mavericks and we can do a clean install without all the stupid deprecated pragmas from another package management system.

Probably a good idea. Anyway, can now look at radsec/IPv4 - radsec/IPv6 using FR now.

A

> Arran Cudbard-Bell
> a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: freeradius 2.2.0 on Fedora and oracle module
On 10 Oct 2013, at 12:34, Puzzel puzzel1...@gmail.com wrote:

> When I do make at top level, I'm getting this output:
>
> make
> Makefile:10: *** Missing 'Make.inc' Run './configure [options]' and retry. Stop.

- Missing - Something is not there that should be.
- 'Make.inc' - The thing that should be there but isn't.
- Run - Execute a command.
- './configure' - The command you should execute.
- '[options]' - Any additional options you want to add like --prefix or --with-shared-libs=no.
- and - There's something additional you have to do as well as running the previous command.
- retry - Repeat the previous command which generated this error message.

*sigh*

-Arran

> -----Original Message-----
> From: freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org On Behalf Of Arran Cudbard-Bell
> Sent: Thursday, October 10, 2013 12:50 PM
> To: FreeRadius users mailing list
> Subject: Re: freeradius 2.2.0 on Fedora and oracle module
>
> On 10 Oct 2013, at 10:31, Puzzel puzzel1...@gmail.com wrote:
>
>> Tnx Arran,
>>
>> ./configure went fine and then created the all.mk file. What to do next? make doesn't work. I'm sorry, I'm not very experienced in Linux.
>
> You need to do make in the top level directory, not in the module directory. all.mk is a make include, not an actual make file. It should pick up that rlm_sql_oracle has been configured (even if it's not marked as stable) and build it.
>
> -Arran
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
> FreeRADIUS Development Team

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Generating timing stats for ntlm_auth
Hi,

> Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became unblocked for request 47516341

...since the return of our students this year. I am 99% sure this is ntlm_auth being slow, and I have a strong suspicion this is related to some changes in our AD infrastructure over the summer. I've contacted our AD guys about a couple of tweaks they can do for 'legacy' authentications (as Microsoft call it) - but I'm also looking at samba4 - as it has a new option that will balance ntlm_auth against all known boxes rather than the first box it latches onto - to spread the load.

I'm also now getting suspicious about a couple of Tuesday patches that got deployed over summer...

(we're also thinking about EAP-TLS again ;-) )

alan
RE: freeradius 2.2.0 on Fedora and oracle module
I've made configure at top level

./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client64

Then I made make, but I still can't find the rlm_sql_oracle.so file. :/

-----Original Message-----
From: freeradius-users-bounces+puzzel1982=gmail@lists.freeradius.org On Behalf Of Arran Cudbard-Bell
Sent: Thursday, October 10, 2013 1:51 PM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.2.0 on Fedora and oracle module

On 10 Oct 2013, at 12:34, Puzzel puzzel1...@gmail.com wrote:

> When I do make at top level, I'm getting this output:
>
> make
> Makefile:10: *** Missing 'Make.inc' Run './configure [options]' and retry. Stop.

- Missing - Something is not there that should be.
- 'Make.inc' - The thing that should be there but isn't.
- Run - Execute a command.
- './configure' - The command you should execute.
- '[options]' - Any additional options you want to add like --prefix or --with-shared-libs=no.
- and - There's something additional you have to do as well as running the previous command.
- retry - Repeat the previous command which generated this error message.

*sigh*

-Arran

> -----Original Message-----
> From: freeradius-users-bounces+puzzel1982=gmail.com@lists.freeradius.org On Behalf Of Arran Cudbard-Bell
> Sent: Thursday, October 10, 2013 12:50 PM
> To: FreeRadius users mailing list
> Subject: Re: freeradius 2.2.0 on Fedora and oracle module
>
> On 10 Oct 2013, at 10:31, Puzzel puzzel1...@gmail.com wrote:
>
>> Tnx Arran,
>>
>> ./configure went fine and then created the all.mk file. What to do next? make doesn't work. I'm sorry, I'm not very experienced in Linux.
>
> You need to do make in the top level directory, not in the module directory. all.mk is a make include, not an actual make file. It should pick up that rlm_sql_oracle has been configured (even if it's not marked as stable) and build it.
>
> -Arran
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
> FreeRADIUS Development Team

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Generating timing stats for ntlm_auth
Phil Mayers wrote:
> In order to prove this to the AD team, I need to gather some timing stats for ntlm_auth; can anyone think of an easy way to do this within FreeRADIUS?

I had patches for this a while ago. But they won't apply to the current code.

The idea was to update the modsingle struct to have an elapsed entry/array. Then, call_modsingle() calls gettimeofday() before and after the call to the module. It takes the elapsed time, and updates the modsingle struct.

After a few more hooks, you can get at the stats via radmin.

> Any obvious/easy thing I'm missing?

Nope. Instrumentation is hard.

Alan DeKok.
Re: Generating timing stats for ntlm_auth
On 10/10/13 12:56, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became unblocked for request 47516341
>
> ...since the return of our students this year. I am 99% sure this is ntlm_auth being slow, and I have a strong suspicion this is related to some changes in our AD infrastructure over the summer. I've contacted our AD guys about a couple of tweaks they can do for 'legacy'

Any chance you can point me in the direction of these?

> authentications (as Microsoft call it) - but I'm also looking at samba4 - as it has a new option that will balance ntlm_auth against all known boxes rather than the first box it latches onto - to spread the load.

Hmm.

> I'm also now getting suspicious about a couple of Tuesday patches that got deployed over summer...

Interesting - which ones?

> (we're also thinking about EAP-TLS again ;-) )

Semi-related, but to my annoyance we're seeing rather less SSL resumption than I would expect, given that iOS and Android both do it by default.
Re: freeradius 2.2.0 on Fedora and oracle module
On 10 Oct 2013, at 13:39, Puzzel puzzel1...@gmail.com wrote:

> I've made configure at top level
>
> ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client64
>
> Then I made make, but I still can't find the rlm_sql_oracle.so file. :/

run the configure script in src/modules/rlm_sql/drivers/rlm_sql_oracle and post the output and config.log file.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: freeradius 2.2.0 on Fedora and oracle module
Puzzel wrote:
> I've made configure at top level
>
> ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client64

If the build is having issues, you should READ the output of configure. It tells you what it's building, and what it's not building. Just look for "oracle" in the output. It's not hard.

> Then I made make, but I still can't find the rlm_sql_oracle.so file. :/

Again, READ the output of make. Look for "oracle". It's not hard.

You're like someone who's sitting next to a road sign, and claiming he's lost. Well... look up. You're not lost.

Alan DeKok.
Re: freeradius 2.2.0 on Fedora and oracle module
On 10/10/2013 08:39 AM, Puzzel wrote:
> I've made configure at top level
>
> ./configure --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib --with-oracle-include-dir=/usr/include/oracle/11.2/client64
>
> Then I made make, but I still can't find the rlm_sql_oracle.so file. :/

Try reading the output of the build process, it will tell you what went wrong.

Hint: Redirection:

do_something 2>&1 | tee -a some_file

--
John
RE: Generating timing stats for ntlm_auth
> authentications (as Microsoft call it) - but I'm also looking at samba4 - as it has a new option that will balance ntlm_auth against all known boxes rather than the first box it latches onto - to spread the load.

Samba 4 is lurvely... apparently 100% compatible with existing AD installations, although, as always, it's a bit finicky and info is a bit thin on the ground (and I've not written up a guide when I set my test environment up that uses an S4 server for EAP-MSCHAPv2). But at least it exists on RHEL/CentOS as a package.

Stefan
Re: Generating timing stats for ntlm_auth
Hi,

> Any chance you can point me in the direction of these?

here's one:

http://support.microsoft.com/kb/2688798

> Semi-related, but to my annoyance we're seeing rather less SSL resumption than I would expect, given that iOS and Android both do it by default.

Cisco wireless problem? there's got to be something messing us up here as we are using the same FreeRADIUS as last year (2.2.0), seeing the same number of concurrent clients as at the end of the last academic year (around 8k) and we didn't have this number of those errors then

alan
Re: Generating timing stats for ntlm_auth
Hi,

> Samba 4 is lurvely... apparently 100% compatible with existing AD installations, although, as always, it's a bit finicky and info is a bit thin on the ground (and I've not written up a guide when I set my test environment up that uses an S4 server for EAP-MSCHAPv2). But at least it exists on RHEL/CentOS as a package.

it can also BE an AD master etc. anyway, you don't know how tempting it was to yum install samba4 on our production system ;-)

I'd certainly like to see some samba3.x versus samba4 benchmarks in this sort of context

alan
RE: Generating timing stats for ntlm_auth
> it can also BE an AD master etc. anyway, you don't know how tempting it was to yum install samba4 on our production system ;-)

Indeed. That's exactly what I'm using it for. :-)

> I'd certainly like to see some samba3.x versus samba4 benchmarks in this sort of context

Yes, versus Windows 2008 R2 or 2012 as well... just for good measure. :-)

Stefan
Re: FR3 Debugging Switches
On 09/10/13 19:09, Alan DeKok wrote:
> That is *exactly* what the server does for TCP.

...in which case my comment is entirely redundant, please disregard!
RE: Generating timing stats for ntlm_auth
Phil wrote:
> I could wrap ntlm_auth in a script that times it and logs the info, but I'm slightly wary of that - it might perturb the timings.
>
> Any obvious/easy thing I'm missing?

You might be able to run FR under gdb (or attach/resume a running FR), and set breakpoints with commands that resume after running the GDB commands. Google "gdb breakpoint commands".

Not sure how that would impact the overall timing.
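The "wrap ntlm_auth in a script that times it" idea quoted above, written out as an added example. This is not the poster's script and not FreeRADIUS or Samba code; it assumes the mschap module would be pointed at this wrapper in place of the real ntlm_auth binary, with the normal ntlm_auth arguments passed through untouched, and the log line format, log path and summary statistics are this example's own choices. It also measures time the way Alan's in-server idea does (a clock read before and after the call), just from outside the server.

```python
"""Timing wrapper for an exec'd helper such as ntlm_auth (added example).
Assumed: FreeRADIUS calls this wrapper instead of ntlm_auth and the wrapper
relays the helper's stdout, stderr and exit status so the mschap module sees
no difference. Log format and statistics are this example's own."""
import subprocess
import sys
import time
from statistics import mean


def timed_run(argv):
    """Run argv, capture its output and exit status, and measure wall-clock
    time around the child. Returns (returncode, stdout, stderr, seconds)."""
    start = time.perf_counter()
    proc = subprocess.run(argv, capture_output=True, text=True)
    elapsed = time.perf_counter() - start
    return proc.returncode, proc.stdout, proc.stderr, elapsed


def log_line(elapsed, returncode, program):
    """One record per call; elapsed in milliseconds so a later grep is easy."""
    return (f"{time.time():.3f} prog={program} rc={returncode} "
            f"elapsed_ms={elapsed * 1000:.1f}")


def summarize(lines):
    """Aggregate the elapsed_ms fields of wrapper log lines into simple stats;
    returns None when no samples are present."""
    samples = []
    for line in lines:
        for field in line.split():
            if field.startswith("elapsed_ms="):
                samples.append(float(field.split("=", 1)[1]))
    if not samples:
        return None
    samples.sort()
    p95_index = int(round(0.95 * (len(samples) - 1)))
    return {"count": len(samples), "min_ms": samples[0], "max_ms": samples[-1],
            "mean_ms": mean(samples), "p95_ms": samples[p95_index]}


def demo_child_argv(seconds):
    """Constructed stand-in for ntlm_auth: sleeps, then prints 'ok'."""
    return [sys.executable, "-c",
            f"import time; time.sleep({seconds}); print('ok')"]


if __name__ == "__main__":
    # Usage: ntlm_auth_timed.py /usr/bin/ntlm_auth <ntlm_auth arguments...>
    # Everything after the script name is handed to the real helper unchanged.
    rc, out, err, took = timed_run(sys.argv[1:])
    with open("/var/log/ntlm_auth_timing.log", "a") as log:  # assumed log path
        log.write(log_line(took, rc, sys.argv[1]) + "\n")
    sys.stdout.write(out)
    sys.stderr.write(err)
    sys.exit(rc)
```

The wrapper adds a roughly constant interpreter start-up cost to every sample, which is the perturbation Phil worries about; it does not distort the spread between fast and slow calls, so the p95 and max figures are still meaningful when compared against a baseline taken the same way. The in-server gettimeofday() approach from Alan's message avoids that overhead but needs a patched build.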
Re: Generating timing stats for ntlm_auth
On 10/10/13 17:16, Brian Julin wrote:
> You might be able to run FR under gdb (or attach/resume a running FR), and set breakpoints with commands that resume after running the GDB commands.

That's an inventive one, but I'm not *that* desperate yet!
Re: Error messages in debug on 3.0
On 10/10/13 18:32, Phil Mayers wrote:
> I've just ported our config to 3.0 and I'm seeing a few error messages; they don't seem to be critical but are concerning me. Specifically I'm seeing:

We're also getting:

Info: Invalid operator for item Sql-Group: reverting to '=='

...which is logged to radiusd.log. This seems to be spurious - all our comparisons to SQL-Group are, of course, using ==.

Other than that, it all seems OK!
Re: Error messages in debug on 3.0
On 10 Oct 2013, at 18:32, Phil Mayers p.may...@imperial.ac.uk wrote:

> I've just ported our config to 3.0 and I'm seeing a few error messages; they don't seem to be critical but are concerning me. Specifically I'm seeing:
>
> ERROR: Conditional evaluation failed due to internal sanity check.
>
> ...whenever I try to compare against absent attributes. What's the correct syntax for this now - do I need:
>
> if ((Attr) && (Attr op RHS)) {

Yes.

> ...or can I ignore the message?
>
> I'm also seeing this with:
>
> if (%{outer.request:Blah})
>
> ...if I'm not in a tunnel (in some generic logging policy); what's the right syntax for that?

possibly if (outer.request

Sorry about the errors, I think they should be more descriptive in master unless Alan changed something when he did the second pass fix up for conditions. But yes, in general a presence check is now required. It makes it easier to spot attributes which should be there but aren't.

-Arran
Re: Error messages in debug on 3.0
On 10/10/13 18:51, Arran Cudbard-Bell wrote:
> possibly if (outer.request

Hmm, no, same thing, and worse it's squashing Module-Failure-Message :o(
Re: Error messages in debug on 3.0
Phil Mayers wrote:
> I've just ported our config to 3.0 and I'm seeing a few error messages; they don't seem to be critical but are concerning me. Specifically I'm seeing:
>
> ERROR: Conditional evaluation failed due to internal sanity check.

That should be fixed. Either it can be deleted, or reworded.

> ...whenever I try to compare against absent attributes. What's the correct syntax for this now - do I need:
>
> if ((Attr) && (Attr op RHS)) {
>
> ...or can I ignore the message?

Yes.

Alan DeKok.
Re: Generating timing stats for ntlm_auth
On 10/10/13 15:01, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Any chance you can point me in the direction of these?
>
> here's one:
>
> http://support.microsoft.com/kb/2688798
>
>> Semi-related, but to my annoyance we're seeing rather less SSL resumption than I would expect, given that iOS and Android both do it by default.
>
> Cisco wireless problem? there's got to be something messing us up here as we are using the same FreeRADIUS as last year (2.2.0), seeing the same number of concurrent clients as at the end of the last academic year (around 8k) and we didn't have this number of those errors then
>
> alan

Can confirm that we at Bristol (Cisco wireless, MS AD auth backend) are also seeing load problems at peak times (every hour, at lecture change-over time when approximately one billion iPhones start roaming the campus). We're also not seeing as much session resumption as we'd expect. We're also seeing the same messages as reported in this thread.

Will be watching this thread with interest - happy to test patches etc.

Cheers,
Jonathan
Re: Error messages in debug on 3.0
On 10 Oct 2013, at 22:23, Alan DeKok al...@deployingradius.com wrote:

> Phil Mayers wrote:
>> I've just ported our config to 3.0 and I'm seeing a few error messages; they don't seem to be critical but are concerning me. Specifically I'm seeing:
>>
>> ERROR: Conditional evaluation failed due to internal sanity check.
>
> That should be fixed. Either it can be deleted, or reworded.

I've reworded it. The code in master actually tells you what was wrong, but the changes were quite extensive so it didn't get ported to v3.0.x.

I've also removed the error on accessing a request which doesn't exist, so presence checks work as expected.

The actual presence check itself is ok. In radius_evaluate_tmpl:

	case VPT_TYPE_ATTR:
	case VPT_TYPE_LIST:
		if (radius_vpt_get_vp(request, vpt) != NULL) {
			rcode = true;
		} else {
			rcode = false;
		}
		break;

Which works for if (outer.request:Attribute) and if (outer.request).

It's just one of the functions called to convert the enumerated request type to an actual REQUEST threw an error when the request didn't exist.

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: unlang - delete attribute - !*
On 9 Oct 2013, at 07:05, Hachmer, Tobias tobias.hach...@stadt-frankfurt.de wrote:

> Hello list,
>
> I want to delete one reply attribute from the reply list if the access-request is not originating from a special NAS-IP-Address. Currently I have solved this by adding this unlang code in the authorize section:
>
> if(!NAS-IP-Address == x.x.x.x) {
>     update reply {
>         Aruba-Admin-Role :=
>     }
> }
>
> The man page of unlang says:
>
> !* Delete all occurrences of the named attribute, no matter what the value.
>
> I think this is the better way than just to clear the attribute value. But how can I use this, what's the correct syntax? I have tested the following without success:
>
> Aruba-Admin-Role !*
> Aruba-Admin-Role !*
> !* Aruba-Admin-Role

update reply {
    Aruba-Admin-Role !* ANY
}

Will delete all.

update reply {
    Aruba-Admin-Role -= %{reply:Aruba-Admin-Role}
}

Will delete the first instance.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org
FreeRADIUS Development Team
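To make the difference between the two answers above concrete, here is an added toy model of how an update section acts on a reply list holding two instances of the same attribute. It is not FreeRADIUS code and not the poster's configuration; the list-of-pairs representation, the attribute values and the Tunnel-Private-Group-Id entry are constructed for the example. The `!*` and `-=` behaviour follows the message above; `:=` follows the documented "replace, or add if absent" rule and is included only for contrast.

```python
"""Toy model of unlang 'update' operators on a reply list (added example,
not FreeRADIUS code). Semantics modelled:
  :=   replace every instance of the attribute with one new value (add if absent)
  !*   delete every instance regardless of value (the RHS, e.g. ANY, is ignored)
  -=   delete the first instance whose value equals the right-hand side
All attribute names and values below are constructed sample data."""


def apply_update(pairs, attr, op, value=None):
    """Return a new list after applying one 'attr op value' line to pairs,
    a list of (name, value) tuples standing in for a reply list."""
    if op == ":=":
        kept = [p for p in pairs if p[0] != attr]
        return kept + [(attr, value)]
    if op == "!*":
        return [p for p in pairs if p[0] != attr]
    if op == "-=":
        out = list(pairs)
        for i, (name, val) in enumerate(out):
            if name == attr and val == value:
                del out[i]  # only the first matching instance goes
                break
        return out
    raise ValueError(f"operator {op!r} not modelled here")


def first_value(pairs, attr):
    """Model of the %{reply:Attr} expansion: the first instance's value."""
    for name, val in pairs:
        if name == attr:
            return val
    return None


# Constructed reply list with two instances of the attribute in question.
REPLY = [
    ("Tunnel-Private-Group-Id", "42"),
    ("Aruba-Admin-Role", "read-only"),
    ("Aruba-Admin-Role", "root"),
]


def delete_all():
    """update reply { Aruba-Admin-Role !* ANY }"""
    return apply_update(REPLY, "Aruba-Admin-Role", "!*", "ANY")


def delete_first():
    """update reply { Aruba-Admin-Role -= %{reply:Aruba-Admin-Role} }:
    the RHS expands to the first instance's value, so that one is removed
    and the second instance ("root" here) survives."""
    rhs = first_value(REPLY, "Aruba-Admin-Role")
    return apply_update(REPLY, "Aruba-Admin-Role", "-=", rhs)
```

The second result is the one worth noticing from a policy point of view: when the goal is "this NAS must never see an admin role", `-=` against the expanded first value leaves any further instance in place, which is why the `!*` form is the safer way to strip an attribute whose multiplicity is not under your control.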
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
Dear Arran C. Bell

Thanks for everything, here is the update.

1.) The All-In-MB counter works. Please note, when a user has downloaded his quota, the counter does not force a log off. Said another way, if the user is online, he remains online until he logs off himself or stops browsing. But the point to be noted is that the counter prevents him from logging in again: the user cannot log in again if he has already hit the quota threshold. Please look at the example of a reject. This user is allowed 7GB; please mind that check_item, which shows 7168, is specified in MB.

[gigawordcounter] expand: %{sql:SELECT SUM(AcctInputOctets) / (1024*1024) + SUM(AcctOutputOctets) / (1024*1024) FROM radacct WHERE UserName='quotauser'} -> 7389.1705
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user quotauser, check_item=7168, counter=7389
++[gigawordcounter] returns reject

Which basically means that initially authorization is done by SQL, then the max_all_mb checks are only done once when the user makes the logon attempt, and the checks are never done again. This is where I have failed. Since you are more into this, is there a way to perform this check on a frequent basis and send a reply to the NAS to log off the user? Then it should work.

Counter:

sqlcounter gigawordcounter {
    counter-name = Max-All-MB
    check-name = Max-All-MB
    reply-name = Max-All-MB
    reply-message = "You have reached your bandwidth limit"
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctInputOctets) / (1024*1024) + SUM(AcctOutputOctets) / (1024*1024) FROM radacct WHERE UserName='%{%k}'"
}

2.) Solution offered by you.

I tried your recommendations also; I tried to maintain the following in the local FR dictionary /etc/freeradius/dictionary and the Chilli dictionary:

ATTRIBUTE Acct-Input-Octets64    3005    integer64
ATTRIBUTE Acct-Output-Octets64   3006    integer64

Results: failed to start FR.
Reason for failing: unrecognized value specified in /etc/freeradius/dictionary
Reason for failing: unrecognized value specified in /usr/share/freeradius/dictionary.chillihotspot

Thanks / Regards
RM

On Tue, Oct 8, 2013 at 3:38 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> On 8 Oct 2013, at 15:40, Russell Mike radius@gmail.com wrote:
>
>> Dear Arran C. Bell,
>>
>> Thank you very much, I am extremely grateful for your advice and guidelines for troubleshooting also. I am currently experimenting with a different rlm_sqlcounter using the CoovaChilli dictionary All-In-MB. In result, I can store a short number in the db. This counter would reset at 2TB with the same 32bit number. I have actually tested up to 6GB. It just works!!! The next test is in progress to log out the user when 7GB is downloaded. I really appreciate your input and TIME. I will try your proposed solution as well after All-In-MB has been tested. After the successful practical of both solutions, I would like to document this topic on one page for the archives, so that it can help others. I may need your support in case I come across some challenges during the test of your solution.
>
> wiki.freeradius.org is the place to do that :)
>
>> Thanks once again !!!
>
> No problem, glad I could help.
>
> -Arran
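The reject shown in the debug output above can be reproduced offline. The following is an added example, not the poster's database, configuration or any FreeRADIUS code: it runs the SQL from the sqlcounter `query` above against a constructed radacct table in SQLite (with an explicit `1.0 *` because SQLite divides integers as integers while MySQL returns a fraction, as the `7389.1705` above shows), applies the "(Check item - counter) is less than zero" decision with the 7168 MB check item from the post, and adds a small helper for the RFC 2869 Gigawords attributes that the thread's "more than 4GB" question turns on. Usernames and byte counts are constructed.

```python
"""Re-run of the rlm_sqlcounter quota decision from the post against a
constructed radacct table (added example; not the poster's data, config or
FreeRADIUS code). Assumed: the post's SQL with an explicit 1.0 * for SQLite,
the 7168 MB check item from the post, constructed usernames and byte counts."""
import sqlite3

MB = 1024 * 1024
CHECK_ITEM_MB = 7168  # Max-All-MB check item from the post (7 GB in MB)

# Query from the post's sqlcounter; '1.0 *' forces float division in SQLite.
COUNTER_QUERY = (
    "SELECT 1.0 * SUM(AcctInputOctets) / (1024*1024)"
    " + 1.0 * SUM(AcctOutputOctets) / (1024*1024)"
    " FROM radacct WHERE UserName = ?"
)

# Constructed accounting rows: (UserName, AcctInputOctets, AcctOutputOctets).
RADACCT_ROWS = [
    ("quotauser", 3072 * MB, 1024 * MB),
    ("quotauser", 2048 * MB, 1245 * MB),   # total 7389 MB, over the 7168 MB limit
    ("lightuser", 200 * MB, 50 * MB),
]


def build_radacct():
    """In-memory SQLite stand-in for the radacct table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, "
                 "AcctInputOctets INTEGER, AcctOutputOctets INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", RADACCT_ROWS)
    return conn


def counter_mb(conn, username):
    """Value the counter query yields for one user; SUM over no rows is NULL,
    which the real module also treats as a zero counter."""
    (value,) = conn.execute(COUNTER_QUERY, (username,)).fetchone()
    return 0.0 if value is None else float(value)


def sqlcounter_check(conn, username, check_item=CHECK_ITEM_MB):
    """The decision quoted in the post: the counter is truncated to an
    integer and the user is rejected when check_item - counter < 0.
    Otherwise the remaining allowance is what reply-name would carry."""
    counter = int(counter_mb(conn, username))
    remaining = check_item - counter
    if remaining < 0:
        return {"result": "reject", "check_item": check_item, "counter": counter}
    return {"result": "ok", "check_item": check_item, "counter": counter,
            "Max-All-MB": remaining}


def combine_gigawords(octets, gigawords):
    """RFC 2869 Acct-Input/Output-Gigawords count how many times the 32-bit
    octet counter wrapped; the true total is gigawords * 2^32 + octets. If only
    the 32-bit octets value ever reaches the table, a query summing that column
    under-counts every session above 4 GB."""
    return (gigawords << 32) + octets
```

Two things the debug output alone does not show: the query totals all of the user's sessions and divides once, so rounding happens on the aggregate rather than per row, and the check is a point-in-time authorization decision, which is exactly why the poster sees an already connected user stay online after crossing the limit.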
Re: load balancing radius with F5 devices
On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz alex.sha...@york.ac.uk wrote: While we have 900 switches doing mac and 802.1x based auth, we can have 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS clients. Looking at the back end server log files, it does look as if, in general, all wireless RADIUS auths head for the same back end server. I was wondering if there's a way of having a bit more granularity in terms of how the f5 load balances incoming RADIUS requests.

Have you asked F5? At the very least, common load balancers (e.g. keepalived on linux, a frontend for ipvs) should have the option of distributing traffic to backends based on source IP. Since you say you have 3 RAS clients, it should work somewhat. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: load balancing radius with F5 devices
On Wednesday, 9 October 2013, 09:41:19, Alex Sharaz wrote: Hi, Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing it here, but I can't help thinking that the actual load balancing algorithm needs some tweaking. As far as I'm aware (the systems section supports the F5 boxes): 1). We're using round robin to spread the load over 2 back end radius servers. 2). There is some general sticky persistence so that once a RAS device starts talking to a particular back end server it continues to talk to that server for a predetermined length of time (might be an hour, not sure). This ensures that an eap dialogue will always talk to the same back end server for the duration of the stuck time. Not sure what happens when you get to the end of the time interval though. According to the F5 statistics, overall radius traffic seems to be shared evenly over the 2 back end servers. However, our most heavily loaded RAS client is our wireless network. While we have 900 switches doing mac and 802.1x based auth, we can have 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS clients. Looking at the back end server log files, it does look as if, in general, all wireless RADIUS auths head for the same back end server. I was wondering if there's a way of having a bit more granularity in terms of how the f5 load balances incoming RADIUS requests.

You would need to use application layer load balancing on the BigIPs. But I don't think that you can configure this on the BigIPs. The RADIUS protocol is stateless, so there is no criterion in the application that a load balancer could use to balance inside the application.

Greetings, -- Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München Registered office: München, Amtsgericht München: HRB 199263 Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Chairman of the supervisory board: Florian Kirstein - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: well almost got FR 3.0 to compile on OS X :-)
Hi, Just got a wee bit of trouble linking in the talloc libraries, but I'm sure it's not insurmountable.

Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff present - you should have been compiling it before the official release ;-) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: load balancing radius with F5 devices
On 09.10.2013 10:41, Alex Sharaz wrote: Hi, Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing it here, but I can't help thinking that the actual load balancing algorithm needs some tweaking.

I have f5 loadbalancers but atm I don't use them for our RADIUS traffic.

As far as I'm aware (the systems section supports the F5 boxes): 1). We're using round robin to spread the load over 2 back end radius servers. 2). There is some general sticky persistence so that once a RAS device starts talking to a particular back end server it continues to talk to that server for a predetermined length of time (might be an hour, not sure). This ensures that an eap dialogue will always talk to the same back end server for the duration of the stuck time. Not sure what happens when you get to the end of the time interval though.

Point 2 should be set up carefully. I recommend using the iApp to deploy your radius through the f5 [1] (they use Freeradius as an example).

I was wondering if there's a way of having a bit more granularity in terms of how the f5 load balances incoming RADIUS requests.

You can play with an iRule to statically assign one of your two pool members to your RAS servers. You can even decode the radius packet and base your load-balancing decision on radius attributes [2]. As you said, the most important thing is to ensure that a Client/NAS always talks to the same pool member, otherwise EAP won't work. Olivier [1] http://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf [2] https://devcentral.f5.com/articles/radius-aware-load-balancing-via-irules#.UlUfIobjx1Y -- Olivier Beytrison Network Security Engineer, HES-SO Fribourg Mail: oliv...@heliosnet.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: load balancing radius with F5 devices
On 9 Oct 2013, at 10:16, Fajar A. Nugraha l...@fajar.net wrote: On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz alex.sha...@york.ac.uk wrote: While we have 900 switches doing mac and 802.1x based auth, we can have 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS clients. Looking at the back end server log files, it does look as if, in general, all wireless RADIUS auths head for the same back end server. I was wondering if there's a way of having a bit more granularity in terms of how the f5 load balances incoming RADIUS requests. Have you asked F5? At the very least, common load balancers (e.g. keepalived on linux, a frontend for ipvs) should have the option of distributing traffic to backends based on source IP. Since you say you have 3 RAS clients, it should work somewhat.

You had a nose round the f5 site and subscribed to some of the communities. Shall we say that the response wasn't that great! A -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: load balancing radius with F5 devices
On 09.10.2013 11:25, Olivier Beytrison wrote: On 09.10.2013 10:41, Alex Sharaz wrote: I was wondering if there's a way of having a bit more granularity in terms of how the f5 load balances incoming RADIUS requests.

Another nice thing to do is persistence based on radius AVP: https://devcentral.f5.com/questions/radius-load-bnalancing-persistence So you can load balance incoming requests based on any standard AVP (User-Name, NAS-IP-Address, Calling-Station-Id). Olivier -- Olivier Beytrison Network Security Engineer, HES-SO Fribourg Mail: oliv...@heliosnet.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: load balancing radius with F5 devices
Hi, Just to give some info if I can help (this mailing list has helped me a lot!). I have F5 BigIP devices in two DCs. They each have a VirtualServer with a shared IP (not activated in the VLANs used to communicate between the 2 DCs, to avoid IP conflicts; a much simpler config for the NAS - only one IP address for the server). Everything works fine with the following config:

The Virtual Server (IP A.B.C.D is its public one for the external DC ...):

ltm virtual /Common/VS-RADIUS-AUTH {
    destination /Common/A.B.C.D:1812
    ip-protocol udp
    mask 255.255.255.255
    pool /Common/POOL-RADIUS-AUTH
    profiles {
        /Common/radiusLB { }
        /Common/udp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans { [...] }
    vlans-enabled
}

The pool used:

ltm pool /Common/POOL-RADIUS-AUTH {
    members {
        /Common/10.10.6.7:1812 { address 10.10.6.7 }
        /Common/10.20.6.3:1812 { address 10.20.6.3 }
    }
    monitor /Common/Radius-Auth
}

The monitor:

ltm monitor radius /Common/Radius-Auth {
    debug no
    defaults-from /Common/radius
    destination *:*
    interval 30
    nas-ip-address 10.16.81.11
    password Monitor
    secret **
    time-until-up 0
    timeout 31
    username radius@domain
}

Profile radiusLB is the following:

ltm profile radius radiusLB {
    clients none
    persist-avp none
}

And one other, not used but available in the default config:

ltm profile radius radiusLB-subscriber-aware {
    defaults-from radiusLB
    subscriber-aware enabled
}

If I look at the pool statistics, each server has an equivalent volume of requests (48.1k against 48.2k). You could play with Priority Group depending on the location or failover architecture of Radius if you want.

Fabien VINCENT Network Security Engineer / ASSR Level 3 Products - Product Infrastructure fabien.vinc...@coreye.fr

From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org [mailto:freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org] On Behalf Of Michael Schwartzkopff Sent: Wednesday 9 October 2013 11:17 To: FreeRadius users mailing list Subject: Re: load balancing radius with F5 devices

On Wednesday, 9 October 2013, 09:41:19, Alex Sharaz wrote: Hi, Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing it here, but I can't help thinking that the actual load balancing algorithm needs some tweaking. As far as I'm aware (the systems section supports the F5 boxes): 1). We're using round robin to spread the load over 2 back end radius servers. 2). There is some general sticky persistence so that once a RAS device starts talking to a particular back end server it continues to talk to that server for a predetermined length of time (might be an hour, not sure). This ensures that an eap dialogue will always talk to the same back end server for the duration of the stuck time. Not sure what happens when you get to the end of the time interval though. According to the F5 statistics, overall radius traffic seems to be shared evenly over the 2 back end servers. However, our most heavily loaded RAS client is our wireless network. While we have 900 switches doing mac and 802.1x based auth, we can have 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS clients. Looking at the back end server log files, it does look as if, in general, all wireless RADIUS auths head for the same back end server. I was wondering if there's a way of having a bit more granularity in terms of how the f5 load balances incoming RADIUS requests.

You would need to use application layer load balancing on the BigIPs. But I don't think that you can configure this on the BigIPs. The RADIUS protocol is stateless, so there is no criterion in the application that a load balancer could use to balance inside the application. Greetings, -- Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München Registered office: München, Amtsgericht München: HRB 199263 Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Chairman of the supervisory board: Florian Kirstein - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: well almost got FR 3.0 to compile on OS X :-)
you don't know how hard it was to wait till the official release :-) A

On 9 Oct 2013, at 10:19, a.l.m.bu...@lboro.ac.uk wrote: Hi, Just got a wee bit of trouble linking in the talloc libraries, but I'm sure it's not insurmountable. Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff present - you should have been compiling it before the official release ;-) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: load balancing radius with F5 devices
Many thanks for this Olivier, much appreciated. Rgds A

On 9 Oct 2013, at 11:07, Olivier Beytrison oliv...@heliosnet.org wrote: On 09.10.2013 11:25, Olivier Beytrison wrote: On 09.10.2013 10:41, Alex Sharaz wrote: I was wondering if there's a way of having a bit more granularity in terms of how the f5 load balances incoming RADIUS requests. Another nice thing to do is persistence based on radius AVP: https://devcentral.f5.com/questions/radius-load-bnalancing-persistence So you can load balance incoming requests based on any standard AVP (User-Name, NAS-IP-Address, Calling-Station-Id). Olivier -- Olivier Beytrison Network Security Engineer, HES-SO Fribourg Mail: oliv...@heliosnet.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: well almost got FR 3.0 to compile on OS X :-)
On 9 Oct 2013, at 10:19, a.l.m.bu...@lboro.ac.uk wrote: Hi, Just got a wee bit of trouble linking in the talloc libraries, but I'm sure it's not insurmountable. Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff present - you should have been compiling it before the official release ;-)

Ah! That explains it. When I first compiled FR 2.x.x on my Lion box I do remember being impressed with the fact that it just talked to the back end open directory without doing anything. Looking forward to setting up radsec in FR3. A

alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: well almost got FR 3.0 to compile on OS X :-)
On 9 Oct 2013, at 11:21, Alex Sharaz alex.sha...@york.ac.uk wrote: you don't know how hard it was to wait till the official release :-) A

brew install talloc
brew link talloc
./configure
make
make install

? Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius 3 and DHCP
On 10/08/2013 07:09 PM, Arran Cudbard-Bell wrote: On 8 Oct 2013, at 17:44, Phil Mayers p.may...@imperial.ac.uk wrote: On 08/10/13 17:01, Rok Kosir wrote: authentication to mysql), when I run freeradius -X, I get Segmentation Fault when it reaches the dhcp listener. See doc/bugs. and skip to section 2. :) Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team

Rebuilt manually, and with dhcp it started the server; when a dhcp request came it crashed. I did use --enable-development when configuring. All I got in the logs is:

kernel: [7949524.015421] radiusd[19648] general protection ip:7fa7082c1670 sp:7fff9dcc1a48 error:0 in libc-2.15.so[7fa70817f000+1b5000]

No other coredump available except from gdb. Generated gdb: http://pastebin.com/raw.php?i=C1NYzckb Also debug from radiusd -X: http://pastebin.com/raw.php?i=B8tRs1xh

config options were:

./configure --build x86_64-linux-gnu --config-cache --enable-developer --prefix=/usr --exec-prefix=/usr --mandir=/usr/share/man --sysconfdir=/etc --libdir=/usr/lib/freeradius --datadir=/usr/share --localstatedir=/var --with-raddbdir=/etc/freeradius --with-logdir=/var/log/freeradius --with-large-files --with-udpfromto --without-rlm_eap_tnc --without-rlm_eap_ikev2 --without-rlm_sql_oracle --without-rlm_sql_unixodbc

on Ubuntu 12.04 kernel 3.2.0-29-generic - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Usage of Session-Timeout
Volker Lieder wrote: Within the old version, we used a database config for groups with an attribute Session-Timeout and the value `%{expr:06:00}`

Which never worked. 06:00 isn't a number. You can't just invent syntax and use it.

With the new version freeradius sends an error while looking in debug mode like:

Tue Oct 1 16:15:23 2013 : Info: [sql]expand: 06:00 - 06:00
Tue Oct 1 16:15:23 2013 : Info: [sql] Not a number at :00
Tue Oct 1 16:15:23 2013 : Info: [sql]expand: %{expr:06:00} -

Can you explain why this value isn't working with the new version, or what we have to change to set the Session-Timeout so that the user gets disconnected e.g. at 06:00 am?

It didn't work in the old version, either. It just didn't complain. You should use the Expiration attribute:

bob Cleartext-Password := "hello", Expiration := "06:00"

That should work. Or, calculate the Session-Timeout manually. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
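The "calculate the Session-Timeout manually" alternative above, as an added example (not code from the post or from FreeRADIUS): Session-Timeout is an integer number of seconds, so a wall-clock cut-off such as 06:00 has to be turned into "seconds from now until the next 06:00" before it goes into the reply. The naive local-time arithmetic, the reply dict shape and the ISO-string helper are assumptions made for this illustration.

```python
from datetime import datetime, timedelta


def session_timeout_until(hhmm, now):
    """Seconds from `now` until the next occurrence of the clock time `hhmm` (e.g. "06:00").

    A plain "06:00" is not a number, which is why %{expr:06:00} fails; the value the
    NAS needs is the remaining seconds.  If the cut-off has already passed today the
    next occurrence is tomorrow.  Naive datetimes are used (assumption), so a DST
    change between now and the cut-off is not accounted for.
    """
    hour, minute = (int(part) for part in hhmm.split(":"))
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"not a clock time: {hhmm!r}")
    target = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if target <= now:
        target += timedelta(days=1)
    return int((target - now).total_seconds())


def seconds_until(hhmm, now_iso):
    """Same as above, taking the current time as an ISO 8601 string (e.g. "2013-10-01 16:15:23")."""
    return session_timeout_until(hhmm, datetime.fromisoformat(now_iso))


def reply_for(user, cutoff, now=None):
    """Reply attributes a script or query could hand back for `user` (dict shape is an assumption)."""
    now = now or datetime.now()
    return {"User-Name": user, "Session-Timeout": session_timeout_until(cutoff, now)}


if __name__ == "__main__":
    # Constructed sample: the timestamp from the debug output in the post.
    print(reply_for("bob", "06:00", datetime(2013, 10, 1, 16, 15, 23)))
```

The value changes with every request, so it has to be computed at authorization time (per request), not stored as a fixed group attribute the way the original `%{expr:06:00}` entry tried to do.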
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
Russell Mike wrote: All-In-MB counter works. Please note, when a user has downloaded his quota, the counter does not force a log off.

The counter module DOES NOT DO THAT. To see why, ask yourself what FreeRADIUS sees when the user has downloaded his quota. The answer is nothing. The user's traffic doesn't go through FreeRADIUS, because FreeRADIUS isn't a router. What FreeRADIUS *may* see is an Accounting-Request for the user, which contains the total traffic for the user. So if you want to do something when the user's traffic is over the quota, you have to do it in the accounting section. You have to update the SQL database, and then check if the user is over quota. If so, send a Disconnect-Message, or exec a program to kick the user offline.

Which basically means that initially authorization is done by SQL then max_all_mb, checks are only done once when the user makes the logon attempt and checks are never done again.

Yes. That's what you've configured. If you want more, you need to tell the server to do more.

This is where I have failed. Since you are more into this, is there a way to perform this check on a frequent basis and send a reply to the NAS to log off the user? Then it should work.

Read the debug output. You'll see the server receiving Accounting-Request packets, with the user's traffic over quota. THAT is when FreeRADIUS can do something. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius 3 and DHCP
On 9 Oct 2013, at 11:56, Rok Kosir rok.ko...@cosylab.com wrote: On 10/08/2013 07:09 PM, Arran Cudbard-Bell wrote: On 8 Oct 2013, at 17:44, Phil Mayers p.may...@imperial.ac.uk wrote: On 08/10/13 17:01, Rok Kosir wrote: authentication to mysql), when i run freeradius -X, i get Segmentation Fault when it reaches dhcp listner. See doc/bugs. and skip to section 2. :) Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team Rebuilt manually and with dhcp it started the server, when dhcp request came it crashed. I did use --enable-development when configuring All i got in logs is kernel: [7949524.015421] radiusd[19648] general protection ip:7fa7082c1670 sp:7fff9dcc1a48 error:0 in libc-2.15.so[7fa70817f000+1b5000] no other coredump available except from gdb Generated gdb http://pastebin.com/raw.php?i=C1NYzckb

Thanks for that.

git clone g...@github.com:FreeRADIUS/freeradius-server.git
cd freeradius-server
git checkout v3.0.x

Should no longer segv. Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Case statement error
Franks Andy (RLZ) IT Systems Engineer wrote: Trying version #d166290 results in Which is old. The bug has already been fixed. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
Thanks Alan D.

So if you want to do something when the users traffic is over the quota, you have to do it in the accounting section.

Could you please kindly indicate what I should do there? I tried to perform the check again when the user is online by adding a counter entry in the session section, but it did not work either.

session {
        sql
        gigawordcounter
}

You have to update the SQL database, and then check if the user is over quota. If so, send a Disconnect-Message, or exec a program to kick the user offline.

I am not very clear on how to update the mysql db and perform the check on a frequent basis. Based on the output from the counter module (ok, noop, etc.), I understand how to update the reply from unlang to log off the user.

Thanks / Regards
RM

On Wed, Oct 9, 2013 at 1:12 PM, Alan DeKok al...@deployingradius.com wrote: Russell Mike wrote: All-In-MB counter works. Please note, when a user has downloaded his quota, counter do not force log off. The counter module DOES NOT DO THAT. To see why, ask yourself what FreeRADIUS sees when the user has downloaded his quota. The answer is nothing. The user's traffic doesn't go through FreeRADIUS, because FreeRADIUS isn't a router. What FreeRADIUS *may* see is an Accounting-Request for the user, which contains the total traffic for the user. So if you want to do something when the user's traffic is over the quota, you have to do it in the accounting section. You have to update the SQL database, and then check if the user is over quota. If so, send a Disconnect-Message, or exec a program to kick the user offline. Which basically means that initially authorization is done by SQL then max_all_mb, checks are only done once when the user makes the logon attempt and checks are never done again. Yes. That's what you've configured. If you want more, you need to tell the server to do more. This is where i have failed. Since you are more in to this, is there a way to perform this check on frequent basis and send reply to NAS to logoff user? then it should work. Read the debug output. You'll see the server receiving Accounting-Request packets, with the user's traffic over quota. THAT is when FreeRADIUS can do something. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR3 Debugging Switches
Adam Bishop wrote: It appears the debugging switches don't work quite as I'd expect in FreeRADIUS 3 when RadSec is configured.

Yes. Because of OpenSSL limitations, the server MUST have multiple threads when using radsec.

# radiusd -fxx -l stdout

Works as expected (threaded debugging with no timestamps), however:

# radiusd -fXx -l stdout
snip
Wed Oct 9 14:44:18 2013 : Error: /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled for TLS sockets to function properly.
Wed Oct 9 14:44:18 2013 : Error: /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 'radiusd -fxx -l stdout' for debugging

So... what's wrong with following that documentation?

'-fXxx -l stdout' reacts in the same way,

Because the -X means -f, which is invalid for radsec.

but '-fxxx -l stdout' does run and produce timestamps,

Which is what the error message says to use. What's wrong with that?

so I think this one is just a documentation issue - I can't find anything in doc/ that says xxx is a valid combination. radiusd --help also indicates that -fXx should still be valid. Similarly, when doing a config check:

# ./sbin/radiusd -Cfxx -l stdout
snip
/opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled for TLS sockets to function properly.
/opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 'radiusd -fxx -l stdout' for debugging

The init scripts for debian (possibly RHEL too) trigger the latter one, as it runs a config check on restart (which bails out due to the error above).

The -C code should be changed to remove its setting of -f. We'll fix that for 3.0.1. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR3 Debugging Switches
Hi,

It appears the debugging switches don't work quite as I'd expect in FreeRADIUS 3 when RadSec is configured. # radiusd -fxx -l stdout

yep. if you try 'radiusd -X' it will tell you to run it like that.

# radiusd -fXx -l stdout # ./sbin/radiusd -Cfxx -l stdout

single thread methods won't work with RADSEC being present. the docs probably need a slight update with the presence of TLS. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR3 Debugging Switches
On 9 Oct 2013, at 15:22, Adam Bishop adam.bis...@ja.net wrote: It appears the debugging switches don't work quite as I'd expect in FreeRADIUS 3 when RadSec is configured. # radiusd -fxx -l stdout Works as expected (threaded debugging with no timestamps), however: # radiusd -fXx -l stdout snip Wed Oct 9 14:44:18 2013 : Error: /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled for TLS sockets to function properly. Wed Oct 9 14:44:18 2013 : Error: /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 'radiusd -fxx -l stdout' for debugging '-fXxx -l stdout' reacts in the same way, but '-fxxx -l stdout' does run and produce timestamps, so I think this one is just a documentation issue - I can't find anything doc/ that says xxx is a valid combination. radiusd --help also indicates that -fXx should still be valid. man radiusd -x Finer-grained debug mode. In this mode the server will print details of every request on it's stdout output. You can specify this option multiple times (-x -x or -xx) to get more detailed output. -X will FORCE the server into single threaded mode, -f -x != -X, and so the server will refuse to start when TCP is required. Similarly, when doing a config check: # ./sbin/radiusd -Cfxx -l stdout snip /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled for TLS sockets to function properly. /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 'radiusd -fxx -l stdout' for debugging The init scripts for debian (possibly RHEL too) trigger the latter one, as it runs a config check on restart (which bails out due to the error above). Ok that's a legitimate issue and should be fixed. Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
Russell Mike wrote: So if you want to do something when the users traffic is over the quota, you have to do it in the accounting section. Could you please kindly indicate what should i do there? i tried to perform the check again when user is online by adding counter entry in *session* section. but did not work either.

Uh... you do know that session is not the same as accounting, right? Why are you doing something wrong?

I am not very clear how to update mysql db perform the check on frequent basis. base on the output from the counter module (ok,noop,etc..), i understand how to update the reply from un-lang to log off user.

Do you understand what the server does when it receives an accounting packet? Have you tried running the server in debugging mode, and seeing what happens when it receives an accounting packet? Do that before asking more questions. Watch the server go update SQL. Now... how do you query SQL (independent of RADIUS) to see if the user's session is over quota? Then... put that query into the accounting section, via unlang. Check if the user is over quota. If so, send a disconnect message. See raddb/sites-available/originate-coa for examples of originating a disconnect message. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
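The accounting-section procedure Alan lays out above (store the counters from each Accounting-Request, sum the user's traffic, compare with the Max-All-MB limit, and only then decide to disconnect), modelled as an added Python example that is not FreeRADIUS or rlm_sqlcounter code. It also covers the thread's original "more than 4GB" problem: the 32-bit Acct-*-Octets counters wrap at 2^32 bytes and the overflow is carried in Acct-*-Gigawords (RFC 2869), so a quota check that ignores the gigawords never fires for a heavy session. The in-memory radacct table, the sample records, the session ids and the 7168 MB quota are constructed for the illustration; the standard attribute names are real.

```python
"""Per-accounting-packet quota check, modelled in plain Python (added example)."""

MB = 1024 * 1024
GIGAWORD = 1 << 32  # one Acct-*-Gigawords unit = one wrap of the 32-bit Acct-*-Octets counter


def session_octets(rec, use_gigawords=True):
    """Bytes (in + out) reported by one Interim-Update or Stop record.

    With use_gigawords=False the check behaves like a query that only reads the
    32-bit octet columns, which is the 4GB ceiling the thread is about.
    """
    total = rec.get("Acct-Input-Octets", 0) + rec.get("Acct-Output-Octets", 0)
    if use_gigawords:
        wraps = rec.get("Acct-Input-Gigawords", 0) + rec.get("Acct-Output-Gigawords", 0)
        total += wraps * GIGAWORD
    return total


def user_total_mb(radacct, user):
    """Sum over all of the user's sessions, like SUM(...) FROM radacct WHERE UserName=..."""
    return sum(radacct.get(user, {}).values()) // MB


def apply_accounting(radacct, rec, quota_mb, use_gigawords=True):
    """Process one Accounting-Request the way an accounting-section check would.

    Returns (user, action, total_mb); action is 'disconnect' when the user's total
    is over quota, else 'ok'.  Sending the Disconnect-Message itself is left to the
    caller (constructed: here it is only a decision value).
    """
    user, session = rec["User-Name"], rec["Acct-Session-Id"]
    # Accounting counters are cumulative per session, so the newest record replaces the old one.
    radacct.setdefault(user, {})[session] = session_octets(rec, use_gigawords)
    total_mb = user_total_mb(radacct, user)
    action = "disconnect" if total_mb > quota_mb else "ok"
    return user, action, total_mb


def run(records, quota_mb=7168, use_gigawords=True):
    """Replay constructed accounting records in order and collect the decisions."""
    radacct = {}
    return [apply_accounting(radacct, rec, quota_mb, use_gigawords) for rec in records]


# Constructed sample: quotauser's single session has wrapped its input counter once
# (Acct-Input-Gigawords = 1), so the real input volume is 1e9 + 2^32 bytes.
RECORDS = [
    {"User-Name": "quotauser", "Acct-Session-Id": "s1", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 1_000_000_000, "Acct-Input-Gigawords": 1,
     "Acct-Output-Octets": 2_000_000_000, "Acct-Output-Gigawords": 0},
    {"User-Name": "otheruser", "Acct-Session-Id": "s9", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 50_000_000, "Acct-Output-Octets": 120_000_000},
    {"User-Name": "quotauser", "Acct-Session-Id": "s1", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 1_000_000_000, "Acct-Input-Gigawords": 1,
     "Acct-Output-Octets": 2_500_000_000, "Acct-Output-Gigawords": 0},
]

if __name__ == "__main__":
    for user, action, total_mb in run(RECORDS):
        print(f"{user}: {total_mb} MB -> {action}")
    # Ignoring the gigawords (the 4GB problem) leaves quotauser under quota forever:
    for user, action, total_mb in run(RECORDS, use_gigawords=False):
        print(f"(no gigawords) {user}: {total_mb} MB -> {action}")
```

The decision is made on every Interim-Update, which is what makes it "frequent": the check runs as often as the NAS sends interim accounting, so the interim interval on the NAS bounds how far past the quota a user can get before the disconnect is sent.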
Re: well almost got FR 3.0 to compile on OS X :-)
o.k. different method of getting talloc onto the machine :-) I used

curl -s https://raw.github.com/rudix-mac/package-manager/master/rudix.py | sudo python - install rudix

then

rudix install talloc

:-))

On 9 Oct 2013, at 11:54, Arran Cudbard-Bell a.cudba...@freeradius.org wrote: On 9 Oct 2013, at 11:21, Alex Sharaz alex.sha...@york.ac.uk wrote: you don't know how hard it was to wait till the official release :-) A brew install talloc brew link talloc ./configure make make install ? Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR3 Debugging Switches
On 9 Oct 2013, at 15:47, Alan DeKok al...@deployingradius.com wrote: Adam Bishop wrote: It appears the debugging switches don't work quite as I'd expect in FreeRADIUS 3 when RadSec is configured. Yes. Because of OpenSSL limitations, the server MUST have multiple threads when using radsec. Isn't it required for doing any RADIUS over TCP? Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
Thanks Alan D, understood. I will use unlang in accounting. Thanks

On Wednesday, October 9, 2013, Alan DeKok wrote: Russell Mike wrote: So if you want to do something when the users traffic is over the quota, you have to do it in the accounting section. Could you please kindly indicate what should i do there? i tried to perform the check again when user is online by adding counter entry in *session* section. but did not work either. Uh... you do know that session is not the same as accounting, right? Why are you doing something wrong? I am not very clear how to update mysql db perform the check on frequent basis. base on the output from the counter module (ok,noop,etc..), i understand how to update the reply from un-lang to log off user. Do you understand what the server does when it receives an accounting packet? Have you tried running the server in debugging mode, and seeing what happens when it receives an accounting packet? Do that before asking more questions. Watch the server go update SQL. Now... how do you query SQL (independent of RADIUS) to see if the user's session is over quota? Then... put that query into the accounting section, via unlang. Check if the user is over quota. If so, send a disconnect message. See raddb/sites-available/originate-coa for examples of originating a disconnect message. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Version 3.0.0 has been released
On 10/07/2013 04:18 PM, Alan DeKok wrote: After many years of development, the FreeRADIUS team is happy to announce Version 3 of the world's most popular server. The release was delayed from June in order to track down and solve a number of last-minute issues. We'd like to thank all of the beta testers for helping with that process. The release announcement is available on the web site: http://freeradius.org/press/index.html#3.0.0 3.0 is not on the download page http://freeradius.org/download.html nor is there a download link on the above announcement page. BTW, I do know I can get it directly from ftp://ftp.freeradius.org/pub/freeradius/ but there should be links. -- John - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR3 Debugging Switches
On 09/10/13 16:36, Arran Cudbard-Bell wrote: On 9 Oct 2013, at 15:47, Alan DeKok al...@deployingradius.com wrote: Adam Bishop wrote: It appears the debugging switches don't work quite as I'd expect in FreeRADIUS 3 when RadSec is configured. Yes. Because of OpenSSL limitations, the server MUST have multiple threads when using radsec. Isn't it required for doing any RADIUS over TCP?

Perhaps architecturally, but not inherently; you could, at least in theory:

1. Receive 4-byte length
2. Sanity-check the length
3. Allocate buffer
4. Read on TCP socket non-blocking in normal select loop until you've filled the buffer
5. Parse packet from buffer, dispatch packet

SSL presents the slight (ahem) complication of having to route the read/write via a memory BIO and check for the want read / want write state (same way EAP does). So... it's almost certainly *easier* and more sanity-preserving from a development PoV to use threads ;o) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Version 3.0.0 has been released
John Dennis wrote:
> 3.0 is not on the download page http://freeradius.org/download.html nor is there a download link on the above announcement page.

The announcement says:

Version 3.0.0 (sig) has been released...

The 3.0.0 is a link. I've added a link on the download page.

Alan DeKok.
Re: FR3 Debugging Switches
Arran Cudbard-Bell wrote:
> Isn't it required for doing any RADIUS over TCP?

Nope. Only SSL. The reason is that sometimes reading from an SSL socket requires SSL writing data to the other end. So you end up with both ends waiting for something. And that knowledge is buried inside of OpenSSL.

Having threads means that each thread can wait without blocking anything else. It can probably be fixed, but it's hard.

Alan DeKok.
Re: FR3 Debugging Switches
Phil Mayers wrote:
> Perhaps architecturally, but not inherently; you could, at least in theory:
>
> 1. Receive 4-byte length
> 2. Sanity-check the length
> 3. Allocate buffer
> 4. Read on TCP socket non-blocking in normal select loop until you've filled the buffer
> 5. Parse packet from buffer, dispatch packet

That is *exactly* what the server does for TCP.

Alan DeKok.
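The five-step read loop Phil describes (and Alan confirms the server uses for plain TCP), as an added Python example that is not FreeRADIUS or either poster's code: a reassembly buffer fed with whatever a non-blocking recv() returned. The 4-byte header layout and the 20..4096 length bounds are from RFC 2865; the packets and fragment boundaries are constructed for the demo.

```python
# Added example (not FreeRADIUS code): RADIUS-over-TCP framing done as a
# pure reassembly buffer. feed() is called once per readable event in a
# select loop with the bytes a non-blocking recv() returned.
import struct

HDR_LEN = 4                  # Code(1) Identifier(1) Length(2), RFC 2865 s.3
MIN_LEN, MAX_LEN = 20, 4096  # Length covers the whole packet incl. 16-byte Authenticator


def sane_length(length):
    """Step 2: reject lengths no valid RADIUS packet can have, before a
    buffer is allocated for them (a hostile peer can send any length)."""
    return MIN_LEN <= length <= MAX_LEN


class TcpRadiusFramer:
    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk):
        """Steps 1, 3, 4, 5: buffer bytes until a whole packet is present,
        return every complete packet, keep the partial remainder."""
        self.buf += chunk
        packets = []
        while len(self.buf) >= HDR_LEN:
            (length,) = struct.unpack("!H", self.buf[2:4])
            if not sane_length(length):
                raise ValueError("bad RADIUS length %d, close connection" % length)
            if len(self.buf) < length:
                break  # partial packet: wait for the next readable event
            packets.append(bytes(self.buf[:length]))
            del self.buf[:length]
        return packets


def reassemble(fragments):
    """Run a sequence of received chunks through one framer."""
    framer, out = TcpRadiusFramer(), []
    for chunk in fragments:
        out.extend(framer.feed(chunk))
    return out


def build_packet(code, ident, attrs=b"", authenticator=bytes(16)):
    """Constructed test packets; the Authenticator is zeroed for brevity."""
    return struct.pack("!BBH", code, ident, HDR_LEN + 16 + len(attrs)) + authenticator + attrs


if __name__ == "__main__":
    # Constructed stream: Access-Request with User-Name "bob", then an
    # Accounting-Request, arriving in four arbitrary TCP fragments.
    s = build_packet(1, 7, b"\x01\x05bob") + build_packet(4, 8)
    print(len(reassemble([s[:3], s[3:13], s[13:30], s[30:]])), "packets")
```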
Re: 2.2.2 release date
Why are you so keen for 2.2.2 release? The delay is down to an issue which needs identifying and testing. People who download the HEAD of 2.2.x and test help at this point.

alan

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
On 8 Oct 2013, at 10:10, Russell Mike radius@gmail.com wrote:
> Hi List Members
>
> I have been reading archives and trying to understand for some days now, but unsuccessful. I am currently working to extend data volume control up to 10GB, which is requirement for the organization. Is anyone able to manage more than 4GB using CoovaChilli Freeradius? Since there is no one piece of information available on the net. Until now, I am unclear about the components that need to be fine tuned. I understand that FR has 32 bit integers but it is not the limitation to manage more than 4GB, if NAS supports the Gigaword attributes. It seems that my sql_counter or MySQL itself is the problem.
>
> NOTE: It is working setup up to 4GB, if I assign 6GB to a user, counter rolls up on 4GB
>
> 1.) I came across a post where guys are telling that sqlcounter module uses 32-bit integers in its source code. Should it be changed to 64-bit integers?

Yes. I've just done this in 3.0.x and master branches. Check and reply attributes will now be treated as unsigned 64bit integers. There's no downside to this and the change should be fully backwards compatible.

> 2.) CoovaChilli has built in support for gigaword attributes, which is enabled.

Ok.

> 3.) is it possible by rlm_sql or rlm_perl must be used

Well yes, rlm_sql needs to be used. The default queries will correctly convert Acct-Input-Octets and Acct-Input-Gigawords into a proper 64bit value which is stored in the database.

> 4.) Counter rolls up on 4GB.

You'll need to create a local 64bit attribute to use as the check and reply items. Something like:

    ATTRIBUTE Acct-Input-Octets64  3005 integer64
    ATTRIBUTE Acct-Output-Octets64 3006 integer64

And specify their value in bytes.

It might actually be an idea to add those to the internal dictionary to make it a bit easier.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
> It might actually be an idea to add those to the internal dictionary to make it a bit easier.

Just to clarify there are two reasons why your current config isn't working:

1. rlm_sql stores the value as a proper 64bit integer, not in the two 32bit chunks represented by Acct-Input-Gigawords and Acct-Input-Octets. When this value is pulled out into rlm_sqlcounter the value is truncated because internally it only deals with 32bit unsigned ints. I've now fixed this.

2. You're comparing gigawords to bytes, with no conversion, so even with the updated module you'll find the user is rejected way way too early.

You also invented counter-type and check-unit config pairs. The server isn't magic, just because it doesn't error out, doesn't mean it knows about those config pairs or will use values assigned to them.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
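Arran's two points (the 32-bit truncation inside rlm_sqlcounter, and the gigawords-versus-bytes unit mismatch), worked through in Python as an added example that is not FreeRADIUS code or anything from the thread's posters. The attribute names are from the thread; the unit table and the 6GB sample session are constructed here.

```python
# Added example (not FreeRADIUS code): how Acct-Input-Octets and
# Acct-Input-Gigawords combine into one 64-bit byte count, why a 32-bit
# counter "rolls up on 4GB", and why the check value must be in the same
# unit as the counter. RADIUS integer attributes are unsigned 32-bit.

UINT32 = 1 << 32


def to_bytes64(octets, gigawords):
    """Gigawords counts how many times the 32-bit octet counter wrapped,
    so the true total is gigawords * 2^32 + octets."""
    for v in (octets, gigawords):
        if not 0 <= v < UINT32:
            raise ValueError("RADIUS integer attributes are unsigned 32-bit")
    return (gigawords << 32) | octets


def truncate32(value):
    """What a module that only handles 32-bit unsigned ints keeps: the low
    32 bits. Everything above 4GiB is silently lost (the roll-over)."""
    return value & (UINT32 - 1)


def quota_to_bytes(value, unit):
    """Convert a check value to bytes. Comparing a raw gigaword count against
    a byte counter with no conversion is the mismatch that makes a user look
    over quota almost immediately."""
    scale = {"bytes": 1, "mb": 1 << 20, "gb": 1 << 30, "gigawords": 1 << 32}
    return value * scale[unit]


def over_quota(octets, gigawords, quota_bytes, counter_bits=64):
    """True when the session's traffic meets or exceeds the quota. With
    counter_bits=32 the comparison uses the truncated value."""
    used = to_bytes64(octets, gigawords)
    if counter_bits == 32:
        used = truncate32(used)
    return used >= quota_bytes


if __name__ == "__main__":
    # Constructed sample: a session that moved 6GiB (one wrap of the octet
    # counter plus 2GiB) checked against a 6GiB quota.
    octets, gigawords = 1 << 31, 1
    quota = quota_to_bytes(6, "gb")
    print("64-bit counter over quota:", over_quota(octets, gigawords, quota))
    print("32-bit counter over quota:", over_quota(octets, gigawords, quota, 32))
    # Unit mismatch: a check value of 6 meant as gigawords, used as bytes.
    print("raw 6 vs byte counter:", over_quota(octets, gigawords, 6))
```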
RE: Version 3.0.0 has been released
Congratulations! Thank you again for all of the countless hours you spend on improving the best and most flexible RADIUS server.

One question though - is there a typo in the V2 upgrade link below? When I click on it I get a 404 error..

> Upgrading instructions are available here:
> https://github.com/FreeRADIUS/freeradius-server/blob/release_branch_3.0.0/raddb/README.rst
RE: 2.2.2 release date
Alan,

We run 2.2.1. About a couple of weeks ago, radius started to have an out of memory issue. I made some configuration changes so radius would periodically clean up memory. Still, in midday when load is high, radius would quit. I do have a cron to check radiusd and restart it if it dies. I'd like to upgrade to 2.2.2 to see if the memory issue improves.

Thanks,
Yu Wang

-----Original Message-----
From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: Monday, October 07, 2013 3:59 AM
To: FreeRadius users mailing list; Wang, Yu
Subject: Re: 2.2.2 release date

Why are you so keen for 2.2.2 release? The delay is down to an issue which needs identifying and testing. People who download the HEAD of 2.2.x and test help at this point.

alan
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
Dear Arran C. Bell,

Thank you very much, I am extremely grateful for your advice and guidelines for troubleshooting also. I am currently experimenting with a different rlm_sqlcounter using CoovaChilli dictionary All-In-MB. In result, I can store a short number in db. This counter would reset at 2TB with the same 32bit number. I have actually tested up to 6GB. It just works!!! Next test is in progress to logout user when 7GB downloaded.

I really appreciated your input and TIME. I will try your proposed solution as well after All-In-MB has been tested. After the successful practical of both solutions, I would like to document this topic on one page for archives, so that it can help others. I may need your support in case I come across some challenges during the test of your solution.

Thanks once again !!!

Regards
--RM

On Tue, Oct 8, 2013 at 12:16 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>> It might actually be an idea to add those to the internal dictionary to make it a bit easier.
>
> Just to clarify there are two reasons why your current config isn't working:
>
> 1. rlm_sql stores the value as a proper 64bit integer, not in the two 32bit chunks represented by Acct-Input-Gigawords and Acct-Input-Octets. When this value is pulled out into rlm_sqlcounter the value is truncated because internally it only deals with 32bit unsigned ints. I've now fixed this.
>
> 2. You're comparing gigawords to bytes, with no conversion, so even with the updated module you'll find the user is rejected way way too early.
>
> You also invented counter-type and check-unit config pairs. The server isn't magic, just because it doesn't error out, doesn't mean it knows about those config pairs or will use values assigned to them.
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
RE: Version 3.0.0 has been released
Neal wrote:
> When I click on it I get a 404 error..
>
>> Upgrading instructions are available here:
>> https://github.com/FreeRADIUS/freeradius-server/blob/release_branch_3.0.0/raddb/README.rst

That link would have changed when the release was officially renamed from release_branch_3.0.0 to v3.0.x, so use:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/README.rst

Basically it is just a link into a web view of the git repository, so you could also just pull the source and you'd have it.
RE: Version 3.0.0 has been released
> Congratulations! Thank you again for all of the countless hours you spend on improving the best and most flexible RADIUS server.
>
> One question though - is there a typo in the V2 upgrade link below? When I click on it I get a 404 error..
>
>> Upgrading instructions are available here:
>> https://github.com/FreeRADIUS/freeradius-server/blob/release_branch_3.0.0/raddb/README.rst

That's because the branch has been renamed. The file you want is:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/README.rst

:-)

Stefan
Re: Version 3.0.0 has been released
On 8 Oct 2013, at 14:09, Garber, Neal neal.gar...@iberdrolausa.com wrote:
> Congratulations! Thank you again for all of the countless hours you spend on improving the best and most flexible RADIUS server.
>
> One question though - is there a typo in the V2 upgrade link below? When I click on it I get a 404 error..
>
>> Upgrading instructions are available here:
>> https://github.com/FreeRADIUS/freeradius-server/blob/release_branch_3.0.0/raddb/README.rst

Ok, no more renaming branches for me :(

Upgrade instructions are here:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/README.rst

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
On 8 Oct 2013, at 15:40, Russell Mike radius@gmail.com wrote:
> Dear Arran C. Bell,
>
> Thank you very much, I am extremely grateful for your advice and guidelines for troubleshooting also. I am currently experimenting with a different rlm_sqlcounter using CoovaChilli dictionary All-In-MB. In result, I can store a short number in db. This counter would reset at 2TB with the same 32bit number. I have actually tested up to 6GB. It just works!!! Next test is in progress to logout user when 7GB downloaded.
>
> I really appreciated your input and TIME. I will try your proposed solution as well after All-In-MB has been tested. After the successful practical of both solutions, I would like to document this topic on one page for archives, so that it can help others. I may need your support in case I come across some challenges during the test of your solution.

wiki.freeradius.org is the place to do that :)

> Thanks once again !!!

No problem, glad I could help.

-Arran
Re: Changing User Profile after depletion of set Volume
Dear pple,

I have looked for this and failed to get it. I have users with set volume limits and they get knocked off once they hit the limit; however, I want to have this taken to the next level, i.e. once the limit is hit, the user's profile be changed and they can only get to certain websites/URLs/IPs. How can I achieve this?

Eric M