Re: Proxy + copy accounting to passive home server
Hi Alan,

Do you have any advice on my configuration? I want to send same accounting packages to multiple nodes like replication. But, I want to log home_servers responses. You advised configuring proxy. But, proxy mode only sends accounting packets to one node because of failover or loadbalance structure. Do you have any comment?

Thanks.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Proxy-copy-accounting-to-passive-home-server-tp5598491p5615008.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Proxy + copy accounting to passive home server
mimir wrote:
> Do you have any advice on my configuration?

Read the documentation?

> I want to send same accounting packages to multiple nodes like replication. But, I want to log home_servers responses. You advised configuring proxy.

So I did.

> But, proxy mode only sends accounting packets to one node because of failover or loadbalance structure. Do you have any comment?

Yes. See the documentation for how to configure proxying.

Alan DeKok.
Re: Proxy + copy accounting to passive home server
Hi Alan,

I got your point. I need a reply. I can use proxying but I also need to send same accounting to all servers at the same time. I tried to build virtual servers to proxy accounting packets to other servers.

For example: I am going to send accounting packets to 20 servers. First I create 20 virtual servers, and then point them to 20 remote servers one by one. ( Because proxy only supports failover and loadbalance)

My configs:

/sites-available/default

    preacct {
        preprocess
        update control {
            Proxy-To-Realm := TEST0    # virtual server realm
        }
    }

/sites-available/default2

    preacct {
        preprocess
        update control {
            Proxy-To-Realm += TEST1    # remote radius
            #Replicate-To-Realm += TEST2
            #Replicate-To-Realm += TEST3
        }
        # Session sta

But when I tried it I got segmentation fault.

    rad_recv: Accounting-Request packet from host 135.243.68.36 port 55675, id=112, length=94
        User-Name = test2
        Acct-Status-Type = Start
        Acct-Session-Id = 4680
        Framed-Protocol = PPP
        Acct-Delay-Time = 5
        Calling-Station-Id = 905436755108
        NAS-Port = 1
        Framed-IP-Address = 2.2.2.17
        NAS-IP-Address = 135.243.90.68
        Called-Station-Id = internet1
    # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group preacct {...}
    [preprocess] hints: Matched DEFAULT at 85
    [preprocess] sql_xlat
    [preprocess]expand: %{User-Name} - test2
    [preprocess] sql_set_user escaped user -- 'test2'
    [preprocess]expand: SELECT id from deneme limit 1 - SELECT id from deneme limit 1
    rlm_sql (sql): Reserving sql socket id: 4
    [preprocess] sql_xlat finished
    rlm_sql (sql): Released sql socket id: 4
    [preprocess]expand: %{sql:SELECT id from deneme limit 1} - 5
    [preprocess] sql_xlat
    [preprocess]expand: %{User-Name} - test2
    [preprocess] sql_set_user escaped user -- 'test2'
    [preprocess]expand: SELECT id from deneme limit 1 - SELECT id from deneme limit 1
    rlm_sql (sql): Reserving sql socket id: 3
    [preprocess] sql_xlat finished
    rlm_sql (sql): Released sql socket id: 3
    [preprocess]expand: %{sql:SELECT id from deneme limit 1} - 5
    ++[preprocess] returns ok
    ++[control] returns ok
    [acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 135.243.68.36,NAS-IP-Address = 135.243.90.68,Acct-Session-Id = 4680,User-Name = test2'
    [acct_unique] Acct-Unique-Session-ID = 8106182d5455e91b.
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = test2, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail]expand: %{Packet-Src-IP-Address} - 135.243.68.36
    [detail]expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d - /var/log/radius/radacct/135.243.68.36/detail-20120402
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/135.243.68.36/detail-20120402
    [detail]expand: %t - Mon Apr 2 08:21:05 2012
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp] expand: /var/log/radius/radutmp - /var/log/radius/radutmp
    [radutmp] expand: %{User-Name} - test2
    ++[radutmp] returns ok
    [sql] expand: %{User-Name} - test2
    [sql] sql_set_user escaped user -- 'test2'
    [sql] expand: %{Acct-Delay-Time} - 5
    [sql] expand:INSERT INTO radacct (acctsessionid ,acctuniqueid, username, realm,nasipaddress, nasportid, nasporttype, acctstarttime,acctstoptime, acctsessiontime, acctauthentic,connectinfo_st
Re: Proxy + copy accounting to passive home server
mimir wrote:
> But when I tried it I got segmentation fault.
> ...
> [eap] No pre-existing handler found
> Segmentation fault

See doc/bugs

Alan DeKok.
Re: Proxy + copy accounting to passive home server
mimir wrote:
> I wonder another thing. Is it possible to get log/error or sth else if one of the replicated servers do not response?

No. That's the whole POINT of the replicate module: it doesn't care if the home server responds.

If you want a response, configure proxying.

Alan DeKok.
Re: Proxy + copy accounting to passive home server
Hi,

I installed latest version of freeradius and verified replicate module is existing. I can run replication via editing proxy.conf and acct_user. ( but I can replicate to only one server for now) I need to copy accountings to 20 servers.

    DEFAULT Proxy-To-Realm := TEST1    ( how can I add others ? )

But, I can not define multiple realms replication although it says:

    # Packets can be replicated to multiple destinations. Just set
    # Replicate-To-Realm multiple times. One packet will be sent for
    # each of the Replicate-To-Realm attribute in the control list.

My configs are as below: home servers are introduced with their IPS. and created realms for each home server.

    home_server_pool test_failover1 {
        type = load-balance
        home_server = test1
    }

    home_server_pool test_failover2 {
        type = load-balance
        home_server = test2
    }

    home_server_pool test_failover3 {
        type = load-balance
        home_server = test3
    }

    realm TEST1 {
        acct_pool = test_failover1
    }

    realm TEST2 {
        acct_pool = test_failover2
    }

    realm TEST3 {
        acct_pool = test_failover3
    }

Can you please help?

Thanks.
Re: Proxy + copy accounting to passive home server
On Fri, Mar 30, 2012 at 4:01 PM, mimir erdem.mimiro...@alcatel-lucent.com wrote:
> Hi, I installed latest version of freeradius and verified replicate module is existing. I can run replication via editing proxy.conf and acct_user. ( but I can replicate to only one server for now) I need to copy accountings to 20 servers.
>
>     DEFAULT Proxy-To-Realm := TEST1    ( how can I add others ? )

Don't use users file. Instead, on accounting section, use something like this (untested, you need to verify this first)

    update control {
        Proxy-To-Realm := TEST1
        Proxy-To-Realm += TEST2
        Proxy-To-Realm += TEST3
    }

See http://freeradius.org/radiusd/man/unlang.html , look for operators

> # Packets can be replicated to multiple destinations. Just set
> # Replicate-To-Realm multiple times. One packet will be sent for
> # each of the Replicate-To-Realm attribute in the control list.

exactly.

--
Fajar
Re: Proxy + copy accounting to passive home server
Hi,

Sorry, I wrote wrong in my previous post, I am trying to apply Replicate-To-Realm to send accounting messages to 20 servers from my radius server. I added as below in /sites-available/default

    accounting {
        update control {
            Replicate-To-Realm := TEST1
            Replicate-To-Realm += TEST2
            Replicate-To-Realm += TEST3
        }
        .

But, debug log says..

    +[exec] returns noop
    ++[replicate] returns noop
    ++[control] returns noop

I think it has no effect ?

Thanks..
Re: Proxy + copy accounting to passive home server
Hello,

I added same definition to acct_users

    DEFAULT Replicate-To-Realm := TEST1,Replicate-To-Realm += TEST2,Replicate-To-Realm += TEST3

and it worked :) I can send 3 servers same accounting messages.

I wonder another thing. Is it possible to get log/error or sth else if one of the replicated servers do not response?

Thanks.
Re: Proxy + copy accounting to passive home server
On Fri, Mar 30, 2012 at 5:40 PM, mimir erdem.mimiro...@alcatel-lucent.com wrote:
> Hello, I added same definition to acct_users
>
>     DEFAULT Replicate-To-Realm := TEST1,Replicate-To-Realm += TEST2,Replicate-To-Realm += TEST3
>
> and it worked :)

The earlier error is probably my fault then. It might need to go on preacct section instead of accounting? It's been quite a while since I tested it. It'd be good if you can test on preacct and report the result :)

> I wonder another thing. Is it possible to get log/error or sth else if one of the replicated servers do not response?

Nope. Replicate is send-and-forget kind-a-thing.

If you REALLY want RELIABLE proxying setup, you need to use detail module to write to 3 different detail file, and basically configure 3 instances of sites-available/copy-acct-to-home-server. I wouldn't recommend it unless it's ABSOLUTELY necessary.

--
Fajar
Re: Proxy + copy accounting to passive home server
Hi Fajar,

I also think that option. But, I can not configure it. I set up realms same in proxy.conf. But, how can we point it to sites-available/copy-acct-to-home-server ? How can we configure it? I can only see explanation of config file comments.

Thanks,
Re: Proxy + copy accounting to passive home server
I forgot to add. preacct also worked :) Thanks.
Re: Proxy + copy accounting to passive home server
On Fri, Mar 30, 2012 at 7:37 PM, mimir erdem.mimiro...@alcatel-lucent.com wrote:
> Hi Fajar, I also think that option. But, I can not configure it. I set up realms same in proxy.conf. But, how can we point it to sites-available/copy-acct-to-home-server ?

Basically you need to configure sites-available/default to write to different detail files (e.g. /var/log/radius/detail1, /var/log/radius/detail2, etc.). Then you setup several copies of sites-available/copy-acct-to-home-server (changing files and server names as necessary, of course), each reading a different file (note the line filename = ${radacctdir}/detail. Change that). Then don't forget to create links on sites-enabled :)

--
Fajar
Re: Proxy + copy accounting to passive home server
mimir wrote:
> But, I want to send same packet to both servers when proxying.

See the replicate module in 2.1.12.

Alan DeKok.
Re: Proxy + copy accounting to passive home server
Hi Alan,

Thanks for reply. How can I find a sample configuration for this? I see that this is new module and it is discussed in internet not much.

Besides this, I can only add configuration to proxy server. I can not manage home_servers. Is it possible to apply my scenario via replicate module by deploying configuration only on proxy servers.

Mimir.
Re: Proxy + copy accounting to passive home server
mimir wrote:
> Thanks for reply. How can I find a sample configuration for this?

Look in the raddb/modules directory? Where else are configurations stored?

> I see that this is new module and it is discussed in internet not much. Besides this, I can only add configuration to proxy server. I can not manage home_servers. Is it possible to apply my scenario via replicate module by deploying configuration only on proxy servers.

Go read the replicate documentation to see how it works.

Alan DeKok.
Re: Proxy + copy accounting to passive home server
On Wed, Mar 28, 2012 at 3:13 PM, Alan DeKok al...@deployingradius.com wrote:
> mimir wrote:
>> Thanks for reply. How can I find a sample configuration for this?
>
> Look in the raddb/modules directory?

... and in case you don't find it there, chances are you're running a fairly old version of FR. Upgrade to latest stable, and it should be there.

--
Fajar
Proxy + copy accounting to passive home server
Hello,

I am trying to deploy proxy configuration to my radius server. I added home_server_pool with two home_servers. I can successfully send accounting packets (with load-balance) to other two radius servers. I also can use attribute filtering for proxy via acct_users as below.

acct_users:

    DEFAULT Called-Station-Id = internet1, Proxy-To-Realm := TEST1

But, I want to send same packet to both servers when proxying. If I proxied the accounting packet to server A successfully, then I want to also copy it to the other radius server. (means that passive one for each packet while load-balancing)

I read some forums and see that it can be done via copy-acct-to-home-server. But, I could not configure it. (I also could not understand where I should edit it? on proxy ? or home_servers?)

Can you please help me on this issue?

Thanks...
Re: No Reply Proxy for Accounting Requests
David Bickle wrote:
> In some versions of RADIUS it is possible using the proxy feature to forward accounting requests to a home radius server or some other 3rd party server without having to wait for a response packet.

I'm not sure at 100%, but I don't think it's possible with FreeRADIUS.

I'd suggest to log accounting in a file with module rlm_detail, and write a little program to send the accounting data (without waiting) to the 3rd party application. You may look at src/main/radrelay.c and doc/radrelay. radrelay can replicate accounting data but wait for an answer, though.

--
Nicolas Baradakis
No Reply Proxy for Accounting Requests
Does anyone know how to configure a proxy for the forwarding of no reply accounting requests? In particular I am interested in accounting start/stop packets. Thanks,
Re: No Reply Proxy for Accounting Requests
On Fri, 16 Dec 2005, David Bickle wrote:
> Does anyone know how to configure a proxy for the forwarding of no reply accounting requests? In particular I am interested in accounting start/stop packets. Thanks,

What does forwarding of no reply accounting requests mean?
Re: No Reply Proxy for Accounting Requests
In some versions of RADIUS it is possible using the proxy feature to forward accounting requests to a home radius server or some other 3rd party server without having to wait for a response packet. Typically this is accomplished by configuring an attribute (ie. IgnoreAccountingResponse) in the proxy section where the forwarding server is instructed to not wait for a reply.

I have examined the proxy.conf file and there appears to be no equivalent functionality in FreeRadius. Is this true? Is there a work around?

On 12/16/05 9:54 AM, Dusty Doris [EMAIL PROTECTED] wrote:
> On Fri, 16 Dec 2005, David Bickle wrote:
>> Does anyone know how to configure a proxy for the forwarding of no reply accounting requests? In particular I am interested in accounting start/stop packets. Thanks,
>
> What does forwarding of no reply accounting requests mean?
RE: Proxy of accounting message (Ashwin Gobind)
Radiator required a valid Authenticator to be part of the Accounting Request. I am proxying from freeradius to radiator. How can this be resolved ?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 30 September 2005 06:12 PM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 5, Issue 103

> Message: 1
> Date: Fri, 30 Sep 2005 14:39:18 +0200
> From: Ashwin Gobind [EMAIL PROTECTED]
> Subject: RE: Proxy of accounting message
>
> Thanks nick. However when I proxy the message, the message-authenticator field has an INVALID TOKEN (see trace below). Why is this
>
> Sending Accounting-Request of id 1 to 10.113.46.170:1813
>     Acct-Status-Type = Start
>     Service-Type = Framed-User
>     Called-Station-Id = vlive
>     Framed-Protocol = GPRS-PDP-Context
>     Framed-Protocol = GPRS-PDP-Context
>     Acct-Delay-Time = 5
>     Calling-Station-Id = 27829800729
>     NAS-Identifier = GMC-GGSN0-13-2
>     Acct-Session-Id = 20050529
>     User-Name = 27829800729
>     User-Name = 27829800729
>     NAS-Port = 6000
>     NAS-Port-Type = Virtual
>     NAS-IP-Address = 10.111.14.46
>     Message-Authenticator INVALID-TOKEN 0x
>     Proxy-State = 0x30
>
> This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.net/legal/email.aspx
>
> Message: 2
> Date: Fri, 30 Sep 2005 14:51:25 +0200
> From: Bjarni Hardarson [EMAIL PROTECTED]
> Subject: EAP-PEAP-MSCHAPv2: use_tunneled_reply = yes
>
> Hi all, I'm using FreeRADIUS with Cisco 1200 Series Access points for dynamic VLAN assignment. When I set use_tunneled_reply = yes for PEAP I get an Access-Challenge with the correct attributes but the final Access-Accept has no attributes and the User-Name is the anonymous one from the outer tunnel. This username is then used by the AP for accounting. Is this by design or is my configuration wrong?
>
> Partial debug,
>
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 24
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> rlm_eap: Freeing handler
> modcall[authenticate]: module eap returns ok for request 24
> modcall: group authenticate returns ok for request 24
> PEAP: Got tunneled reply RADIUS code 2
>     User-Name = radtest
>     Tunnel-Private-Group-Id:0 = 310
>     Tunnel-Medium-Type:0 = IEEE-802
>     Tunnel-Type:0 = VLAN
>     EAP-Message = 0x03080004
>     Message-Authenticator = 0x
> PEAP: Processing from tunneled session code 0x818f508 2
>     User-Name = radtest
>     Tunnel-Private-Group-Id:0 = 310
>     Tunnel-Medium-Type:0 = IEEE-802
>     Tunnel-Type:0 = VLAN
>     EAP-Message = 0x03080004
>     Message-Authenticator = 0x
> PEAP: Tunneled authentication was successful.
> rlm_eap_peap: SUCCESS
> modcall[authenticate]: module eap returns handled for request 24
> modcall: group authenticate returns handled for request 24
> Sending Access-Challenge of id 8 to 127.0.0.1:33229
>     User-Name = radtest
>     Tunnel-Private-Group-Id:0 = 310
>     Tunnel-Medium-Type:0 = IEEE-802
>     Tunnel-Type:0 = VLAN
>     Message-Authenticator = 0x
>     EAP-Message = 0x010900501900170301002079fdf7026cf88ffd8c978e4fb62290b4d4f4a1596c767f557adabdaf51b7437d17030100209a1de8e9b88b4654d03b0754d4f5a04887b57b329c94a6494ef84d2bf74f294c
>     State = 0x3c86d1f16a6312263ae7a01dbfc81a28
Re: Proxy of accounting message (Ashwin Gobind)
Ashwin Gobind [EMAIL PROTECTED] wrote:
> Radiator required a valid Authenticator to be part of the Accounting Request.

A Message-Authenticator? I doubt that VERY much. Radiator works with multiple RADIUS implementations, very few of which send Message-Authenticator in Accounting-Request.

> I am proxying from freeradius to radiator. How can this be resolved ?

a) Patch Radiator so that it doesn't require a Message-Authenticator.

b) Patch FreeRADIUS to create the *non-standard* Message-Authenticator that Radiator expects.

For (b), you will have to find out what algorithm Radiator uses to calculate Message-Authenticator. Since it's non-standard, you will have to ask the Radiator people how they did it.

Alan DeKok.
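
The integrity check that RFC 2866 does define for accounting is the 16-octet Authenticator field in the packet header, which is distinct from the Message-Authenticator attribute discussed in this exchange. The following is an added example, not code from the thread, FreeRADIUS or Radiator: it computes and verifies that field for an Accounting-Request and its Accounting-Response, and shows why a proxy has to re-sign a packet for the home server. The function names, secrets and attribute values are constructed for illustration.

```python
"""RFC 2866 Accounting-Request / Accounting-Response authenticators."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44  # attribute types
ZERO_AUTH = b"\x00" * 16


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(pkt_id: int, attrs: bytes, secret: bytes) -> bytes:
    """Authenticator = MD5(Code + Id + Length + 16 zero octets + attrs + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, pkt_id, 20 + len(attrs))
    auth = hashlib.md5(header + ZERO_AUTH + attrs + secret).digest()
    return header + auth + attrs


def build_response(request: bytes, secret: bytes) -> bytes:
    """Authenticator = MD5(Code + Id + Length + request authenticator + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def split_packet(packet: bytes, want_code: int):
    """Return (header, authenticator, attributes), or None if malformed."""
    if len(packet) < 20:
        return None
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != want_code or not 20 <= length <= len(packet):
        return None
    return packet[:4], packet[4:20], packet[20:length]


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Check an Accounting-Request against the secret shared with its sender."""
    parts = split_packet(packet, ACCOUNTING_REQUEST)
    if parts is None:
        return False
    header, auth, attrs = parts
    expected = hashlib.md5(header + ZERO_AUTH + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Check an Accounting-Response against the request it answers."""
    parts = split_packet(response, ACCOUNTING_RESPONSE)
    if parts is None or response[1] != request[1]:
        return False
    header, auth, attrs = parts
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def reproxy(packet: bytes, nas_secret: bytes, new_id: int, home_secret: bytes) -> bytes:
    """Proxy step: accept only a packet valid under the NAS secret, then
    re-sign the same attributes with the proxy<->home-server secret.
    (A real proxy also appends Proxy-State; omitted here.)"""
    if not verify_request(packet, nas_secret):
        raise ValueError("bad Request Authenticator from NAS")
    _, _, attrs = split_packet(packet, ACCOUNTING_REQUEST)
    return build_request(new_id, attrs, home_secret)


# Constructed sample data, not taken from a real deployment.
NAS_SECRET = b"nas-secret-constructed"
HOME_SECRET = b"home-secret-constructed"
SAMPLE_ATTRS = (attr(USER_NAME, b"test2")
                + attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))  # 1 = Start
                + attr(ACCT_SESSION_ID, b"4680"))


def demo() -> dict:
    from_nas = build_request(112, SAMPLE_ATTRS, NAS_SECRET)
    forwarded = reproxy(from_nas, NAS_SECRET, 1, HOME_SECRET)
    tampered = forwarded[:-1] + b"1"  # last octet of Acct-Session-Id changed
    reply = build_response(forwarded, HOME_SECRET)
    return {
        "nas_packet_valid_at_proxy": verify_request(from_nas, NAS_SECRET),
        "nas_packet_valid_at_home": verify_request(from_nas, HOME_SECRET),
        "forwarded_valid_at_home": verify_request(forwarded, HOME_SECRET),
        "tampered_valid_at_home": verify_request(tampered, HOME_SECRET),
        "reply_valid_at_proxy": verify_response(reply, forwarded, HOME_SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A packet forwarded unchanged from the NAS fails at the home server because the two hops use different shared secrets, which is the first thing to rule out when a home server rejects proxied accounting.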
RE: Proxy of accounting message
Thanks nick. However when I proxy the message, the message-authenticator field has an INVALID TOKEN (see trace below). Why is this

    Sending Accounting-Request of id 1 to 10.113.46.170:1813
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Called-Station-Id = vlive
        Framed-Protocol = GPRS-PDP-Context
        Framed-Protocol = GPRS-PDP-Context
        Acct-Delay-Time = 5
        Calling-Station-Id = 27829800729
        NAS-Identifier = GMC-GGSN0-13-2
        Acct-Session-Id = 20050529
        User-Name = 27829800729
        User-Name = 27829800729
        NAS-Port = 6000
        NAS-Port-Type = Virtual
        NAS-IP-Address = 10.111.14.46
        Message-Authenticator INVALID-TOKEN 0x
        Proxy-State = 0x30
Proxy of Accounting Requests
Good day.

I am using freeradius 1.05 I want to proxy accounting requests originating from certain hosts to another server, how can I do this. Also I am using Jradius to handle accounting request. But this certain request I don't want JRadius to handle, but freeradius just to proxy it. Here is an example of the request

Thanks

    Acct-Session-Id = C42EA2A31F96530
    Framed-Protocol = GPRS-PDP-Context
    Called-Station-Id = vlive
    Calling-Station-Id = 27829800529
    Framed-IP-Address = 10.19.128.6
    3GPP-IMSI = 65501982252
    3GPP-Charging-ID = 33121584
    3GPP-PDP-Type = 0
    3GPP-GGSN-Address = 196.46.162.163
    3GPP-IMSI-MCC-MNC = 65501
    3GPP-GGSN-MCC-MNC = 65501
    3GPP-NSAPI = 5
    3GPP-Selection-Mode = 0
    3GPP-Charging-Gateway-Address = 10.25.0.10
    3GPP-GPRS-Negotiated-QoS-profile = 99-23931F9396979774FB0808
    3GPP-SGSN-Address = 196.6.254.49
    User-Name = 27829800529
    Cisco-AVPair = connect-progress=Call Up
    Acct-Authentic = RADIUS
    Acct-Status-Type = Start
    NAS-Port-Type = Virtual
    Cisco-NAS-Port = GGSN
    NAS-Port = 6
    Class = [Binary Data]
    Service-Type = Framed-User
    NAS-IP-Address = 10.31.1.122
    NAS-Identifier = GMC-GGSN0-12-2
    Acct-Delay-Time = 0
    Client-IP-Address = 10.113.60.6
    Acct-Unique-Session-Id = b30a3d4d494c8a87
Re: Proxy of Accounting Requests
Ashwin Gobind wrote:
> I want to proxy accounting requests originating from certain hosts to another server, how can I do this.

You could add something like this in file acct_users:

    DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1

    DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2

--
Nicolas Baradakis
RE: Proxy of Accounting Requests
Can you also do this in SQL?

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]
-
Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite
-

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Baradakis
Sent: Thursday 29 September 2005 13:55
To: FreeRadius users mailing list
Subject: Re: Proxy of Accounting Requests

> Ashwin Gobind wrote:
>> I want to proxy accounting requests originating from certain hosts to another server, how can I do this.
>
> You could add something like this in file acct_users:
>
>     DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1
>
>     DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2
>
> --
> Nicolas Baradakis
Re: Proxy and Accounting
It is working for me now so please ignore this message. I had an entry in proxy.conf as follows which was the problem I think and when I took it away, the proxy server started sending accounting information to the other radius server.

    realm LOCAL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }

regards
khurram
Re: Proxy and Accounting
Hi again,

If someone has some suggestions or comments about this problem described below. Appreciate any kind of help

Khurram
Proxy and Accounting
Hello All,

I am using FreeRadius-1.0.1. The client is 802.1x client on Windows XP with PEAP. The authenticator is an HP 2524 switch (10.0.1.20 in the log file). For me things are working fine with one radius server and AAA works pretty good and I can also check the simultaneous-use for a user.

Now I am trying to use the same setup and introduce the proxy radius server (10.0.1.5 in the log file). The XP client sends the credentials to main radius server and based on the Realm (THESIS.COM in the log file), the request is proxied to another freeradius server (10.0.1.15) which does the actual authentication. Everything works fine up to this point.

But then the problem is that the proxy radius server does not send any accounting information to the other radius server. Now it means that if there are multiple users trying to get connected using the same username/password, there is no way to restrict them until and Simultaneous-Use works and for this, Radius server should have accounting information. Note that the proxy server has the accounting information and I can see the connected user (authenticated by the 2nd radius server) using radwho.

Probably I am making some mistake somewhere which I cannot figure out after trying so many times. I will really appreciate any pointers in this regard. The log file is attached with the email as radiuslog.

I added this line in the users file

    DEFAULT Proxy-To-Realm := THESIS.COM

Following is the proxy.conf file for the proxy server

    proxy server {
        synchronous = yes
        retry_delay = 5
        retry_count = 3
        dead_time = 120
        default_fallback = yes
        post_proxy_authorize = yes
    }

    realm LOCAL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }

    realm NULL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        secret = testing123
    }

    realm THESIS.COM {
        type = radius
        authhost = 10.0.1.15:1812
        accthost = 10.0.1.15:1813
        secret = testing123
    }

Best Regards
Khurram
Re: Cisco SIP Proxy Server accounting to Freeradius
Lasse Kim Christiansen [EMAIL PROTECTED] wrote:
> I'm in the process of setting up a cisco sip proxy server CSPS. It can only do accounting to a Radius and therefore I installed Freeradius 0.9.3 on the redhat 7.3 running the CSPS Server. My problem is that the accounting is rejected as follows:
>
> eceived Accounting-Request packet from 127.0.0.1 with invalid signature! (Shared secret is incorrect.)
>
> And I cannot seem to find out why that is?

Your shared secret is incorrect. Fix it. Nothing else will solve the problem.

Alan DeKok.
Cisco SIP Proxy Server accounting to Freeradius
Hi All,

I'm in the process of setting up a cisco sip proxy server CSPS. It can only do accounting to a Radius and therefore I installed Freeradius 0.9.3 on the redhat 7.3 running the CSPS Server.

My problem is that the accounting is rejected as follows:

    eceived Accounting-Request packet from 127.0.0.1 with invalid signature! (Shared secret is incorrect.)

And I cannot seem to find out why that is?

This is what I've been doing:

Since I'm only doing accounting I just configured the /etc/raddb/clients.conf file and included the following

    client 127.0.0.1 {
        secret = testing123
        shortname = voip1
        nastype = other
    }

Starting radiusd manually using

    [EMAIL PROTECTED] root]# radiusd -xxyz -l stdout
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
    main: prefix = /usr/local
    main: localstatedir = /usr/local/var
    main: logdir = /usr/local/var/log/radius
    main: libdir = /usr/local/lib
    main: radacctdir = /usr/local/var/log/radius/radacct
    main: hostname_lookups = no
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 0
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = /usr/local/var/log/radius/radius.log
    main: log_auth = no
    main: log_auth_badpass = no
    main: log_auth_goodpass = no
    main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
    main: user = (null)
    main: group = (null)
    main: usercollide = no
    main: lower_user = no
    main: lower_pass = no
    main: nospace_user = no
    main: nospace_pass = no
    main: checkrad = /usr/local/sbin/checkrad
    main: proxy_requests = yes
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = yes
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    Using deprecated clients file. Support for this will go away soon.
    read_config_files: reading realms
    Using deprecated realms file. Support for this will go away soon.
    radiusd: entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    pap: encryption_scheme = crypt
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    mschap: use_mppe = yes
    mschap: require_encryption = no
    mschap: require_strong = no
    mschap: passwd = (null)
    mschap: authtype = MS-CHAP
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    unix: cache = no
    unix: passwd = (null)
    unix: shadow = (null)
    unix: group = (null)
    unix: radwtmp = /usr/local/var/log/radius/radwtmp
    unix: usegroup = no
    unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
    eap: default_eap_type = md5
    eap: timer_expire = 60
    rlm_eap: Loaded and initialized the type md5
    rlm_eap: Loaded and initialized the type leap
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
    preprocess: hints = /usr/local/etc/raddb/hints
    preprocess: with_ascend_hack = no
    preprocess: ascend_channels_per_line = 23
    preprocess: with_ntdomain_hack = no
    preprocess: with_specialix_jetstream_hack = no
    preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    realm: format = suffix
    realm: delimiter = @
    Module: Instantiated realm (suffix)
    Module: Loaded files
    files: usersfile = /usr/local/etc/raddb/users
    files: acctusersfile = /usr/local/etc/raddb/acct_users
    files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
    files: compat = no
    Module: Instantiated files (files)
    Module: Loaded Acct-Unique-Session-Id
    acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded detail
    detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
    detail: detailperm = 384
    detail: dirperm = 493
    detail: locking = no
    Module: Instantiated detail (detail)
    Module: Loaded radutmp
    radutmp: filename = /usr/local/var/log/radius/radutmp
    radutmp: username = %{User-Name}
    radutmp: case_sensitive = yes
    radutmp: check_with_nas = yes
    radutmp: perm = 384
    radutmp: callerid = yes
    Module: Instantiated radutmp (radutmp)
    Initializing the thread pool...
    thread: start_servers = 5
    thread: max_servers = 32
    thread: min_spare_servers = 3
    thread: max_spare_servers = 10
    thread: max_requests_per_server