Re: Proxy + copy accounting to passive home server

2012-04-03 Thread mimir
Hi Alan,

Do you have any advice on my configuration?

I want to send same accounting packages to multiple nodes like replication.
But, I want to log home_servers responses. You advised configuring proxy.

But, proxy mode only sends accounting packets to one node because of
failover or loadbalance structure.

Do you have any comment?

Thanks.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Proxy-copy-accounting-to-passive-home-server-tp5598491p5615008.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy + copy accounting to passive home server

2012-04-03 Thread Alan DeKok
mimir wrote:
> Do you have any advice on my configuration?

  Read the documentation?

> I want to send same accounting packages to multiple nodes like replication.
> But, I want to log home_servers responses. You advised configuring proxy.

  So I did.

> But, proxy mode only sends accounting packets to one node because of
> failover or loadbalance structure.
>
> Do you have any comment?

  Yes.

  See the documentation for how to configure proxying.

  Alan DeKok.



Re: Proxy + copy accounting to passive home server

2012-04-02 Thread mimir
Hi Alan,

I got your point. I need a reply.

I can use proxying but I also need to send same accounting to all servers at
the same time.

I tried to build virtual servers to proxy accounting packets to other
servers.

For example: I am going to send accounting packets to 20 servers.

First I create 20 virtual servers, and then point them to 20 remote servers
one by one. ( Because proxy only supports failover and loadbalance)

My configs:

/sites-available/default

preacct {
  preprocess
  update control {
    Proxy-To-Realm := TEST0   # virtual server realm
  }
}

/sites-available/default2

preacct {
  preprocess
  update control {
    Proxy-To-Realm += TEST1   # remote radius
    #Replicate-To-Realm += TEST2
    #Replicate-To-Realm += TEST3
  }
#  Session sta


But when I tried it I got segmentation fault.

rad_recv: Accounting-Request packet from host 135.243.68.36 port 55675, id=112, length=94
User-Name = test2
Acct-Status-Type = Start
Acct-Session-Id = 4680
Framed-Protocol = PPP
Acct-Delay-Time = 5
Calling-Station-Id = 905436755108
NAS-Port = 1
Framed-IP-Address = 2.2.2.17
NAS-IP-Address = 135.243.90.68
Called-Station-Id = internet1
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
[preprocess]   hints: Matched DEFAULT at 85
[preprocess] sql_xlat
[preprocess]expand: %{User-Name} - test2
[preprocess] sql_set_user escaped user -- 'test2'
[preprocess]expand: SELECT id from deneme limit 1 - SELECT id from deneme limit 1
rlm_sql (sql): Reserving sql socket id: 4
[preprocess] sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
[preprocess]expand: %{sql:SELECT id from deneme limit 1} - 5
[preprocess] sql_xlat
[preprocess]expand: %{User-Name} - test2
[preprocess] sql_set_user escaped user -- 'test2'
[preprocess]expand: SELECT id from deneme limit 1 - SELECT id from deneme limit 1
rlm_sql (sql): Reserving sql socket id: 3
[preprocess] sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
[preprocess]expand: %{sql:SELECT id from deneme limit 1} - 5
++[preprocess] returns ok
++[control] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 135.243.68.36,NAS-IP-Address = 135.243.90.68,Acct-Session-Id = 4680,User-Name = test2'
[acct_unique] Acct-Unique-Session-ID = 8106182d5455e91b.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = test2, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]expand: %{Packet-Src-IP-Address} - 135.243.68.36
[detail]expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d - /var/log/radius/radacct/135.243.68.36/detail-20120402
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/135.243.68.36/detail-20120402
[detail]expand: %t - Mon Apr  2 08:21:05 2012
++[detail] returns ok
++[unix] returns ok
[radutmp]   expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - test2
++[radutmp] returns ok
[sql]   expand: %{User-Name} - test2
[sql] sql_set_user escaped user -- 'test2'
[sql]   expand: %{Acct-Delay-Time} - 5
[sql]   expand:INSERT INTO radacct (acctsessionid,acctuniqueid, username,  realm,nasipaddress, nasportid,  nasporttype,  acctstarttime,acctstoptime,  acctsessiontime,  acctauthentic,connectinfo_st

Re: Proxy + copy accounting to passive home server

2012-04-02 Thread Alan DeKok
mimir wrote:
> But when I tried it I got segmentation fault.
...
> [eap] No pre-existing handler found
> Segmentation fault

  See doc/bugs

  Alan DeKok.


Re: Proxy + copy accounting to passive home server

2012-03-31 Thread Alan DeKok
mimir wrote:
> I wonder another thing. Is it possible to get log/error or sth else if one
> of the replicated servers  do not response?

  No.  That's the whole POINT of the replicate module: it doesn't care
if the home server responds.

  If you want a response, configure proxying.

  Alan DeKok.


Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
Hi,

I installed latest version of freeradius and verified replicate module is
existing.

I can run replication via editing proxy.conf and acct_user. ( but I can
replicate to only one server for now)
I need to copy accountings to 20 servers.

DEFAULT Proxy-To-Realm := TEST1  ( how can I add others ? )

But, I can not define multiple realms replication although it says:

#  Packets can be replicated to multiple destinations.  Just set
#  Replicate-To-Realm multiple times.  One packet will be sent for
#  each of the Replicate-To-Realm attribute in the control list.

My configs are as below:

home servers are introduced with their IPS. and created realms for each home
server.

home_server_pool test_failover1 {
        type = load-balance
        home_server = test1
}

home_server_pool test_failover2 {
        type = load-balance
        home_server = test2
}

home_server_pool test_failover3 {
        type = load-balance
        home_server = test3
}

realm TEST1 {
        acct_pool = test_failover1
}

realm TEST2 {
        acct_pool = test_failover2
}

realm TEST3 {
        acct_pool = test_failover3
}

Can you please help?

Thanks.




Re: Proxy + copy accounting to passive home server

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 4:01 PM, mimir
erdem.mimiro...@alcatel-lucent.com wrote:
> Hi,
>
> I installed latest version of freeradius and verified replicate module is
> existing.
>
> I can run replication via editing proxy.conf and acct_user. ( but I can
> replicate to only one server for now)
> I need to copy accountings to 20 servers.
>
> DEFAULT Proxy-To-Realm := TEST1  ( how can I add others ? )

Don't use users file. Instead, on accounting section, use something
like this (untested, you need to verify this first)

update control {
  Proxy-To-Realm := TEST1
  Proxy-To-Realm += TEST2
  Proxy-To-Realm += TEST3
}

See http://freeradius.org/radiusd/man/unlang.html , look for operators


> #  Packets can be replicated to multiple destinations.  Just set
> #  Replicate-To-Realm multiple times.  One packet will be sent for
> #  each of the Replicate-To-Realm attribute in the control list.

exactly.

-- 
Fajar


Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
Hi,

Sorry, I wrote wrong in my previous post, I am trying to apply
Replicate-To-Realm to send accounting messages to 20 servers from my radius
server.

I added as below in /sites-available/default

accounting {

update control {
  Replicate-To-Realm := TEST1
  Replicate-To-Realm += TEST2
  Replicate-To-Realm += TEST3
  }

.

But, debug log says..

+[exec] returns noop
++[replicate] returns noop
++[control] returns noop

I think it has no effect ?

Thanks..





Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
Hello,

I added same definition to acct_users

DEFAULT Replicate-To-Realm := TEST1, Replicate-To-Realm += TEST2, Replicate-To-Realm += TEST3

and it worked :)

I can send 3 servers same accounting messages.

I wonder another thing. Is it possible to get log/error or sth else if one
of the replicated servers  do not response? 

Thanks.



Re: Proxy + copy accounting to passive home server

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 5:40 PM, mimir
erdem.mimiro...@alcatel-lucent.com wrote:
> Hello,
>
> I added same definition to acct_users
>
> DEFAULT Replicate-To-Realm := TEST1, Replicate-To-Realm += TEST2, Replicate-To-Realm += TEST3
>
> and it worked :)

The earlier error is probably my fault then. It might need to go on
preacct section instead of accounting? It's been quite a while since I
tested it. It'd be good if you can test on preacct and report the
result :)

> I wonder another thing. Is it possible to get log/error or sth else if one
> of the replicated servers  do not response?

Nope. Replicate is send-and-forget kind-a-thing.

If you REALLY want RELIABLE proxying setup, you need to use detail
module to write to 3 different detail file, and basically configure 3
instances of sites-available/copy-acct-to-home-server. I wouldn't
recommend it unless it's ABSOLUTELY necessary.

-- 
Fajar


Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
Hi Fajar,

I also think that option. But, I can not configure it.

I set up realms same in proxy.conf. But, how can we point it to
sites-available/copy-acct-to-home-server ?

How can we configure it? I can only see explanation of config file comments.

Thanks,



Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
I forgot to add. 

preacct also worked :)

Thanks.



Re: Proxy + copy accounting to passive home server

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 7:37 PM, mimir
erdem.mimiro...@alcatel-lucent.com wrote:
> Hi Fajar,
>
> I also think that option. But, I can not configure it.
>
> I set up realms same in proxy.conf. But, how can we point it to
> sites-available/copy-acct-to-home-server ?

Basically you need to configure sites-available/default to write to
different detail files (e.g. /var/log/radius/detail1,
/var/log/radius/detail2, etc.). Then you setup several copies of
sites-available/copy-acct-to-home-server (changing files and server
names as necessary, of course), each reading a different file (note
the line filename = ${radacctdir}/detail. Change that). Then don't
forget to create links on sites-enabled :)

-- 
Fajar


Re: Proxy + copy accounting to passive home server

2012-03-28 Thread Alan DeKok
mimir wrote:
> But, I want to send same packet to both servers when proxying.

  See the replicate module in 2.1.12.

  Alan DeKok.


Re: Proxy + copy accounting to passive home server

2012-03-28 Thread mimir
Hi Alan,

Thanks for reply. How can I find a sample configuration for this?
I see that this is new module and it is discussed in internet not much.

Besides this, I can only add configuration to proxy server. I can not manage
home_servers.
Is it possible to apply my scenario via replicate module by deploying
configuration only on proxy servers. 

Mimir.



Re: Proxy + copy accounting to passive home server

2012-03-28 Thread Alan DeKok
mimir wrote:
> Thanks for reply. How can I find a sample configuration for this?

  Look in the raddb/modules directory?

  Where else are configurations stored?

> I see that this is new module and it is discussed in internet not much.
>
> Besides this, I can only add configuration to proxy server. I can not manage
> home_servers.
> Is it possible to apply my scenario via replicate module by deploying
> configuration only on proxy servers.

  Go read the replicate documentation to see how it works.

  Alan DeKok.


Re: Proxy + copy accounting to passive home server

2012-03-28 Thread Fajar A. Nugraha
On Wed, Mar 28, 2012 at 3:13 PM, Alan DeKok al...@deployingradius.com wrote:
> mimir wrote:
>> Thanks for reply. How can I find a sample configuration for this?
>
>   Look in the raddb/modules directory?


... and in case you don't find it there, chances are you're running a
fairly old version of FR. Upgrade to latest stable, and it should be
there.

-- 
Fajar


Proxy + copy accounting to passive home server

2012-03-27 Thread mimir

Hello,

I am trying to deploy proxy configuration to my radius server.

I added home_server_pool with two home_servers. I can successfully send
accounting packets (with load-balance) to other two radius servers. I also
can use attribute filtering for proxy via acct_users as below.

acct_users:
DEFAULT Called-Station-Id = internet1, Proxy-To-Realm := TEST1

But, I want to send same packet to both servers when proxying. If I proxied
the accounting packet to server A successfully, then I want to also copy to
it to the other radius server. (means that passive one for each packet while
load-balancing)

I read some forums and see that it can be done via
copy-acct-to-home-server.

But, I could not configure it. (I also could not understand where I should
edit it? on proxy ? or home_servers?

Can you please help me on this issue?

Thanks...



Re: No Reply Proxy for Accounting Requests

2005-12-17 Thread Nicolas Baradakis
David Bickle wrote:

> In some versions of RADIUS it is possible using the proxy feature
> to forward accounting requests to a home radius server or some other
> 3rd party server without having to wait for a response packet.

I'm not sure at 100%, but I don't think it's possible with FreeRADIUS.

I'd suggest to log accounting in a file with module rlm_detail, and
write a little program to send the accounting data (without waiting)
to the 3rd party application.

You may look at src/main/radrelay.c and doc/radrelay. radrelay can
replicate accounting data but wait for an answer, though.

Nicolas Baradakis

-- 
A: Yes.
Q: Are you sure?
A: Because it reverses the logical flow of conversation.
Q: Why is top posting annoying in email?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
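
One way to write the "little program" suggested above, as an added example that is not code from the thread or from FreeRADIUS: it parses rlm_detail records, builds Accounting-Request packets with the RFC 2866 Request Authenticator, and sends copies without reading replies. The attribute subset, the sample records, the secret and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4  # RADIUS code for Accounting-Request (RFC 2866)

# Subset of the standard dictionary: name -> (attribute number, data type).
ATTRS = {
    "User-Name": (1, "string"), "NAS-IP-Address": (4, "ipaddr"),
    "NAS-Port": (5, "integer"), "Called-Station-Id": (30, "string"),
    "Calling-Station-Id": (31, "string"), "Acct-Status-Type": (40, "integer"),
    "Acct-Delay-Time": (41, "integer"), "Acct-Session-Id": (44, "string"),
}
NAMED_VALUES = {"Acct-Status-Type": {"Start": 1, "Stop": 2, "Interim-Update": 3}}

# Constructed sample in rlm_detail layout (header line, tab-indented pairs).
SAMPLE_DETAIL = (
    "Mon Apr  2 08:21:05 2012\n"
    '\tUser-Name = "test2"\n'
    "\tAcct-Status-Type = Start\n"
    '\tAcct-Session-Id = "4680"\n'
    "\tNAS-IP-Address = 192.0.2.10\n"
    "\tTimestamp = 1333354865\n"
    "\n"
    "Mon Apr  2 08:25:41 2012\n"
    '\tUser-Name = "test2"\n'
    "\tAcct-Status-Type = Stop\n"
    "\n"
)


def parse_detail(text):
    """Return one list of (name, value) pairs per detail-file record."""
    records = []
    for block in text.split("\n\n"):          # blank line separates records
        pairs = [line.strip().partition(" = ")[::2]
                 for line in block.splitlines() if line[:1] in (" ", "\t")]
        if pairs:
            records.append([(n, v.strip('"')) for n, v in pairs])
    return records


def encode_attr(name, value):
    """Encode one pair as Type-Length-Value; b"" if not in ATTRS."""
    if name not in ATTRS:
        return b""                            # e.g. Timestamp in the sample
    number, kind = ATTRS[name]
    if kind == "integer":
        named = NAMED_VALUES.get(name, {})
        data = struct.pack("!I", named[value] if value in named else int(value))
    elif kind == "ipaddr":
        data = socket.inet_aton(value)
    else:
        data = value.encode("utf-8")
    if len(data) > 253:
        raise ValueError(name + " does not fit in one attribute")
    return bytes([number, len(data) + 2]) + data


def build_acct_request(ident, pairs, secret):
    """Build an Accounting-Request with its Request Authenticator filled in."""
    attrs = b"".join(encode_attr(n, v) for n, v in pairs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_acct_request(packet, secret):
    """Receiver-side check: was this request signed with our shared secret?"""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        return False
    body = packet[:length]                    # octets past Length are padding
    expected = hashlib.md5(body[:4] + bytes(16) + body[20:] + secret).digest()
    return hmac.compare_digest(expected, body[4:20])


def relay_records(text, secret, servers=()):
    """Sign each record and send one copy to every (host, port), no waiting."""
    packets = [build_acct_request(i % 256, pairs, secret)
               for i, pairs in enumerate(parse_detail(text))]
    # Identical copies mean every server must share `secret` (assumption here);
    # nothing is read back, so a server that is down goes unnoticed.
    if servers:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            for packet in packets:
                for server in servers:
                    sock.sendto(packet, server)
    return packets
```

With per-server secrets, call `build_acct_request` once per server, because the Request Authenticator depends on the secret.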


No Reply Proxy for Accounting Requests

2005-12-16 Thread David Bickle
Does anyone know how to configure a proxy for the forwarding of no reply
accounting requests? In particular I am interested in accounting start/stop
packets.

Thanks,




Re: No Reply Proxy for Accounting Requests

2005-12-16 Thread Dusty Doris

On Fri, 16 Dec 2005, David Bickle wrote:


> Does anyone know how to configure a proxy for the forwarding of no reply
> accounting requests? In particular I am interested in accounting start/stop
> packets.
>
> Thanks,


What does forwarding of no reply accounting requests mean?



Re: No Reply Proxy for Accounting Requests

2005-12-16 Thread David Bickle
In some versions of RADIUS it is possible using the proxy feature to forward
accounting requests to a home radius server or some other 3rd party server
without having to wait for a response packet. Typically this is accomplished
by configuring an attribute (ie. IgnoreAccountingResponse) in the proxy
section where the forwarding server is instructed to not wait for a reply. I
have examined the proxy.conf file and there appears to be no equivalent
functionality in FreeRadius. Is this true? Is there a work around?


On 12/16/05 9:54 AM, Dusty Doris [EMAIL PROTECTED] wrote:

> On Fri, 16 Dec 2005, David Bickle wrote:
>
>> Does anyone know how to configure a proxy for the forwarding of no reply
>> accounting requests? In particular I am interested in accounting start/stop
>> packets.
>>
>> Thanks,
>
> What does forwarding of no reply accounting requests mean?


RE: Proxy of accounting message (Ashwin Gobind)

2005-10-03 Thread Ashwin Gobind
Radiator required a valid Authenticator to be part of the Accounting
Request.  I am proxying from freeradius to radiator.  How can this be
resolved ?


Message: 1
Date: Fri, 30 Sep 2005 14:39:18 +0200
From: Ashwin Gobind [EMAIL PROTECTED]
Subject: RE: Proxy of accounting message
To: freeradius-users@lists.freeradius.org
Message-ID:

[EMAIL PROTECTED]
Content-Type: text/plain;   charset=us-ascii

Thanks nick.  However when I proxy the message, the
message-authenticator field has an INVALID TOKEN (see trace below).
Why is this


Sending Accounting-Request of id 1 to 10.113.46.170:1813
Acct-Status-Type = Start
Service-Type = Framed-User
Called-Station-Id = vlive
Framed-Protocol = GPRS-PDP-Context
Framed-Protocol = GPRS-PDP-Context
Acct-Delay-Time = 5
Calling-Station-Id = 27829800729
NAS-Identifier = GMC-GGSN0-13-2
Acct-Session-Id = 20050529
User-Name = 27829800729
User-Name = 27829800729
NAS-Port = 6000
NAS-Port-Type = Virtual
NAS-IP-Address = 10.111.14.46
Message-Authenticator INVALID-TOKEN
0x
Proxy-State = 0x30




--

Message: 2
Date: Fri, 30 Sep 2005 14:51:25 +0200
From: Bjarni Hardarson [EMAIL PROTECTED]
Subject: EAP-PEAP-MSCHAPv2: use_tunneled_reply = yes
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain;   charset=us-ascii

Hi all,

I'm using FreeRADIUS with Cisco 1200 Series Access points for dynamic VLAN
assignment.

When I set use_tunneled_reply = yes for PEAP I get an Access-Challenge with
the correct attributes but the final Access-Accept has no attributes and the
User-Name is the anonymous one from the outer tunnel. This username is then
used by the AP for accounting.
Is this by design or is my configuration wrong?

Partial debug,

  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 24
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 24
modcall: group authenticate returns ok for request 24
  PEAP: Got tunneled reply RADIUS code 2
User-Name = radtest
Tunnel-Private-Group-Id:0 = 310
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
EAP-Message = 0x03080004
Message-Authenticator = 0x
  PEAP: Processing from tunneled session code 0x818f508 2
User-Name = radtest
Tunnel-Private-Group-Id:0 = 310
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
EAP-Message = 0x03080004
Message-Authenticator = 0x
  PEAP: Tunneled authentication was successful.
  rlm_eap_peap: SUCCESS
  modcall[authenticate]: module eap returns handled for request 24
modcall: group authenticate returns handled for request 24
Sending Access-Challenge of id 8 to 127.0.0.1:33229
User-Name = radtest
Tunnel-Private-Group-Id:0 = 310
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Message-Authenticator = 0x
EAP-Message =
0x010900501900170301002079fdf7026cf88ffd8c978e4fb62290b4d4f4a1596c767f55
7ada
bdaf51b7437d17030100209a1de8e9b88b4654d03b0754d4f5a04887b57b329c94a6494e
f84d
2bf74f294c
State = 0x3c86d1f16a6312263ae7a01dbfc81a28

Re: Proxy of accounting message (Ashwin Gobind)

2005-10-03 Thread Alan DeKok
Ashwin Gobind [EMAIL PROTECTED] wrote:
> Radiator required a valid Authenticator to be part of the Accounting
> Request.

  A Message-Authenticator?  I doubt that VERY much.  Radiator works
with multiple RADIUS implementations, very few of which send
Message-Authenticator in Accounting-Request.

> I am proxying from freeradius to radiator.  How can this be
> resolved ?

  a) Patch Radiator so that it doesn't require a Message-Authenticator.

  b) Patch FreeRADIUS to create the *non-standard* Message-Authenticator
that Radiator expects.

  For (b), you will have to find out what algorithm Radiator uses to
calculate Message-Authenticator.  Since it's non-standard, you will
have to ask the Radiator people how they did it.

  Alan DEKok.



RE: Proxy of accounting message

2005-09-30 Thread Ashwin Gobind
Thanks nick.  However when I proxy the message, the
message-authenticator field has an INVALID TOKEN (see trace below).
Why is this


Sending Accounting-Request of id 1 to 10.113.46.170:1813
Acct-Status-Type = Start
Service-Type = Framed-User
Called-Station-Id = vlive
Framed-Protocol = GPRS-PDP-Context
Framed-Protocol = GPRS-PDP-Context
Acct-Delay-Time = 5
Calling-Station-Id = 27829800729
NAS-Identifier = GMC-GGSN0-13-2
Acct-Session-Id = 20050529
User-Name = 27829800729
User-Name = 27829800729
NAS-Port = 6000
NAS-Port-Type = Virtual
NAS-IP-Address = 10.111.14.46
Message-Authenticator INVALID-TOKEN
0x
Proxy-State = 0x30



Proxy of Accounting Requests

2005-09-29 Thread Ashwin Gobind
Good day. I am using freeradius 1.05
I want to proxy accounting requests originating from certain hosts to
another server, how can I do this. Also I am using Jradius to handle
accounting request. But this certain request I don't want JRadius to
handle, but freeradius just to proxy it.  Here is an example of the
request
Thanks



Acct-Session-Id = C42EA2A31F96530
Framed-Protocol = GPRS-PDP-Context
Called-Station-Id = vlive
Calling-Station-Id = 27829800529
Framed-IP-Address = 10.19.128.6
3GPP-IMSI = 65501982252
3GPP-Charging-ID = 33121584
3GPP-PDP-Type = 0
3GPP-GGSN-Address = 196.46.162.163
3GPP-IMSI-MCC-MNC = 65501
3GPP-GGSN-MCC-MNC = 65501
3GPP-NSAPI = 5
3GPP-Selection-Mode = 0
3GPP-Charging-Gateway-Address = 10.25.0.10
3GPP-GPRS-Negotiated-QoS-profile = 99-23931F9396979774FB0808
3GPP-SGSN-Address = 196.6.254.49
User-Name = 27829800529
Cisco-AVPair = connect-progress=Call Up
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Virtual
Cisco-NAS-Port = GGSN
NAS-Port = 6
Class = [Binary Data]
Service-Type = Framed-User
NAS-IP-Address = 10.31.1.122
NAS-Identifier = GMC-GGSN0-12-2
Acct-Delay-Time = 0
Client-IP-Address = 10.113.60.6
Acct-Unique-Session-Id = b30a3d4d494c8a87


Re: Proxy of Accounting Requests

2005-09-29 Thread Nicolas Baradakis
Ashwin Gobind wrote:

> I want to proxy accounting requests originating from certain hosts to
> another server, how can I do this.

You could add something like this in file acct_users:

DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1

DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2

-- 
Nicolas Baradakis



RE: Proxy of Accounting Requests

2005-09-29 Thread Jonathan De Graeve
Can you also do this in SQL?

J.

-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas
Baradakis
Sent: Thursday 29 September 2005 13:55
To: FreeRadius users mailing list
Subject: Re: Proxy of Accounting Requests

Ashwin Gobind wrote:

> I want to proxy accounting requests originating from certain hosts to
> another server, how can I do this.

You could add something like this in file acct_users:

DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1

DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2

-- 
Nicolas Baradakis



Re: Proxy and Accounting

2004-11-25 Thread Khurram Jahangir
It is working for me now so please ignore this
message. I had an entry in proxy.conf as follows which
was the problem i think and when I took it away, the
proxy server started sending accounting information to
the other radius server.

realm LOCAL {
type = radius
authhost = LOCAL
accthost = LOCAL
}

regards

khurram

--- Khurram Jahangir [EMAIL PROTECTED] wrote:

 Hello All,
 
 I am using FreeRadius-1.0.1. The client is 802.1x
 client on Windows XP with PEAP. The authenticator is
 an HP 2524 switch (10.0.1.20 in the log file).
 
 For me things are working fine with one radius server
 and AAA works pretty good and I can also check the
 simultaneous-use for a user.
 
 Now I am trying to use the same setup and introduce
 the proxy radius server (10.0.1.5 in the log file).
 The XP client sends the credentials to main radius
 server and based on the Realm (THESIS.COM in the log
 file), the request is proxied to another
 freeradius server (10.0.1.15) which does the actual
 authentication.
 Everything works fine up to this point. But then the
 problem is that the proxy radius server does not send
 any accounting information to the other radius server.
 Now it means that if there are multiple users trying
 to get connected using the same username/password,
 there is no way to restrict them until and
 Simultaneous-Use works and for this, Radius server
 should have accounting information. Note that the
 proxy server has the accounting information and I can
 see the connected user (authenticated by the 2nd
 radius server) using radwho.
 
 Probably I am making some mistake somewhere which I
 cannot figure out after trying so many times. I will
 really appreciate any pointers in this regard.
 
 The log file is attached with the email as radiuslog.
 
 I added this line in the users file
 
 DEFAULT Proxy-To-Realm := THESIS.COM
 
 Following is the proxy.conf file for the proxy server
 
 proxy server {
         synchronous = yes
         retry_delay = 5
         retry_count = 3
         dead_time = 120
         default_fallback = yes
         post_proxy_authorize = yes
 }
 
 realm LOCAL {
         type = radius
         authhost = LOCAL
         accthost = LOCAL
 }
 
 realm NULL {
         type = radius
         authhost = LOCAL
         accthost = LOCAL
         secret = testing123
 }
 
 realm THESIS.COM {
         type = radius
         authhost = 10.0.1.15:1812
         accthost = 10.0.1.15:1813
         secret = testing123
 }
 
 Best Regards
 
 Khurram


Re: Proxy and Accounting

2004-11-24 Thread Khurram Jahangir
Hi again,

If someone has some suggestions or comments about this
problem described below.

Appreciate any kind of help

Khurram

--- Khurram Jahangir [EMAIL PROTECTED] wrote:

 Hello All,
 
 I am using FreeRadius-1.0.1. The client is 802.1x
 client on Windows XP with PEAP. The authenticator is
 an HP 2524 switch (10.0.1.20 in the log file).
 
 For me things are working fine with one radius server
 and AAA works pretty good and I can also check the
 simultaneous-use for a user.
 
 Now I am trying to use the same setup and introduce
 the proxy radius server (10.0.1.5 in the log file).
 The XP client sends the credentials to main radius
 server and based on the Realm (THESIS.COM in the log
 file), the request is proxied to another
 freeradius server (10.0.1.15) which does the actual
 authentication.
 Everything works fine up to this point. But then the
 problem is that the proxy radius server does not send
 any accounting information to the other radius server.
 Now it means that if there are multiple users trying
 to get connected using the same username/password,
 there is no way to restrict them until and
 Simultaneous-Use works and for this, Radius server
 should have accounting information. Note that the
 proxy server has the accounting information and I can
 see the connected user (authenticated by the 2nd
 radius server) using radwho.
 
 Probably I am making some mistake somewhere which I
 cannot figure out after trying so many times. I will
 really appreciate any pointers in this regard.
 
 The log file is attached with the email as radiuslog.
 
 I added this line in the users file
 
 DEFAULT Proxy-To-Realm := THESIS.COM
 
 Following is the proxy.conf file for the proxy server
 
 proxy server {
         synchronous = yes
         retry_delay = 5
         retry_count = 3
         dead_time = 120
         default_fallback = yes
         post_proxy_authorize = yes
 }
 
 realm LOCAL {
         type = radius
         authhost = LOCAL
         accthost = LOCAL
 }
 
 realm NULL {
         type = radius
         authhost = LOCAL
         accthost = LOCAL
         secret = testing123
 }
 
 realm THESIS.COM {
         type = radius
         authhost = 10.0.1.15:1812
         accthost = 10.0.1.15:1813
         secret = testing123
 }
 
 Best Regards
 
 Khurram


Proxy and Accounting

2004-11-23 Thread Khurram Jahangir
Hello All,

I am using FreeRadius-1.0.1. The client is 802.1x
client on Windows XP with PEAP. The authenticator is
an HP 2524 switch (10.0.1.20 in the log file).

For me things are working fine with one radius server
and AAA works pretty good and I can also check the
simultaneous-use for a user.

Now I am trying to use the same setup and introduce
the proxy radius server (10.0.1.5 in the log file).
The XP client sends the credentials to main radius
server and based on the Realm (THESIS.COM in the log
file), the request is proxied to another
freeradius server (10.0.1.15) which does the actual
authentication.
Everything works fine up to this point. But then the
problem is that the proxy radius server does not send
any accounting information to the other radius server.
Now it means that if there are multiple users trying
to get connected using the same username/password,
there is no way to restrict them until and
Simultaneous-Use works and for this, Radius server
should have accounting information. Note that the
proxy server has the accounting information and I can
see the connected user (authenticated by the 2nd
radius server) using radwho.

Probably I am making some mistake somewhere which I
cannot figure out after trying so many times. I will
really appreciate any pointers in this regard.

The log file is attached with the email as radiuslog.

I added this line in the users file

DEFAULT Proxy-To-Realm := THESIS.COM

Following is the proxy.conf file for the proxy server

proxy server {
        synchronous = yes
        retry_delay = 5
        retry_count = 3
        dead_time = 120
        default_fallback = yes
        post_proxy_authorize = yes
}

realm LOCAL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

realm NULL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        secret = testing123
}

realm THESIS.COM {
        type = radius
        authhost = 10.0.1.15:1812
        accthost = 10.0.1.15:1813
        secret = testing123
}

Best Regards

Khurram



 


radiuslog
Description: radiuslog


Re: Cisco SIP Proxy Server accounting to Freeradius

2004-02-08 Thread Alan DeKok
Lasse Kim Christiansen [EMAIL PROTECTED] wrote:
 I'm in the process of setting up a cisco sip proxy server CSPS. It
 can only do accounting to a Radius and therefore I installed
 Freeradius 0.9.3 on the redhat 7.3 running the CSPS Server. My
 problem is that the accounting is rejected as follows:
 
 eceived Accounting-Request packet from 127.0.0.1 with invalid signature! 
 (Shared secret is incorrect.)
 
 And I cannot seem to find out why that is?

  Your shared secret is incorrect.  Fix it.  Nothing else will solve
the problem.

  Alan DeKok.




Cisco SIP Proxy Server accounting to Freeradius

2004-02-06 Thread Lasse Kim Christiansen
Hi All,

I'm in the process of setting up a cisco sip proxy server CSPS. It can only do
accounting to a Radius and therefore I installed Freeradius 0.9.3 on the redhat
7.3 running the CSPS Server. My problem is that the accounting is rejected as
follows:

eceived Accounting-Request packet from 127.0.0.1 with invalid signature! 
(Shared secret is incorrect.)

And I cannot seem to find out why that is?

This is what I've been doing: 

Since I'm only doing accounting I just configured the /etc/raddb/clients.conf
file and included the following

client 127.0.0.1 {
  secret = testing123
  shortname = voip1
  nastype = other
}

Starting radiusd manually using 

[EMAIL PROTECTED] root]# radiusd -xxyz -l stdout
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server