lifetime of dynamic clients

steve at comitcon.be steve at comitcon.be
Wed Oct 2 22:51:00 CEST 2013


Replied in between
> steve at comitcon.be wrote:
>> first of all thank you for replying although I must sense quite some
>> hostility in your replies. On the other hand, I have read previous emails
>> coming from your end and this appears to be the way you respond.
>
>   Perhaps you could read the *content* of my messages, instead of
> inventing some emotional projection.
>

Half of what you actually stated is reading the manual.

>> Secondly I have read the documentation, but RTFM still appears to be the
>> common way of responding (even after using Linux for over 15 years).
>
>   So you read the documentation saying that clients are defined by IP
> addresses, and then asked whether or not clients are defined by NAS or
> by user.
>

That is a) not the question b) I was trying to clear confusion on clients.



>   Did you (a) NOT read the documentation, or (b) read it and not
> understand it, or (c) read it, understand it, and ask a misleading
> question?
>

Correct, I might have asked a misleading question, considering I added
commands I send, how it is configured and your first response is 'not
recommended'

>> Thirdly, the case below is a true real life situation, which does not
>> occur only for me, but also for others. Even though the module is not
>> officially supported (maybe for the reason there are) it is in today's
>> world. You can decide, be a Bernstein (like qmail) or adapt to a real
>> life situation. (Btw, if this was such uncommon, how come I find as many
>> questions on it as there are. If YFI is actually supporting this, there
>> must be a need. Even if it is not meant like that.)
>
>   People do all kinds of crazy things.  That doesn't mean those things
> are a good idea.  It's fairly conceited for you, a non-expert, to
> lecture me about RADIUS.
>

It is fairly clear that the experts claim they have the knowledge, but
are guarding it. But considering I am using Linux since '95 I am quite
used to it by now. Unfortunately, it is remarks and concealed 'RTFM's that
keep people from using OSS.
Whether or not YFI is doing stuff with is crazy, it is what is needed in
the current day and age. You can decide it is crazy, but I prefer a
working crazy solution, next to a non-solution.

I am secondly not lecturing you on how to use Radius, but you are "expert"
are neither teaching me, by referring me to files I have read multiple
times. Trust me, I do not jump into something without considering, testing
and playing. Actually before working and trying this on a test system, I
spent multiple days just installing, reading etc...


>> Fourthly, the issue I have has nothing to do with the whole running of
>> rlm_raw or any alike. Authentication works fine and as expected.
>
>   I'm not really clear on the issue you're having, because your
> statements are contradictory.
>

For the record
The IP address of a client is added using dynamic. I have set the lifetime
to 60 (and the file states seconds), but it is not removed after 1 minute
or even more. show client list in radmin also keeps showing it.

Therefore I was actually looking at finding the contents of the cache.

>   Am I allowed to get frustrated at that?

So you admit you are frustrated? With all best respect, I love people
being helpful, willing to test and try out. But if the immediate response
is "not recommended", well don't bother responding because people might
have proper reasons for using it this way. The question was also asked to
this mailing list and not only you. There might be others who are using
this in a similar fashion.
>
>> And yes I have read the statements on caching, what is used and even the
>> disclaimer that only the src ip is supported. So don't become patronising
>> that I didn't.
>
>   Learn how to deal with people telling you you're wrong.  It's a skill
> many adults have.
>

Learn to adjust to the needs of the real world. This is not a student pet
thing here. I am merely walking the boundaries of what the system is
doing. You know, I could make the system check in using perl/php and
update the IP address as I am using SQL as a backend. Same deal. But no, I
don't see a purpose on a security level on doing it with rlm_raw / dynamic
clients etc...


>> I also scrobbled Google for quite some time and I have read
>> the debug more than you can think. But guess what? If the only output
>> after authentication is
>> adding client xxx.xxx.xxx.xxx with shared secret
>>
>> it does not state
>> a) lifetime
>> b) anything else useful.
>
>   It shows the IP of the client.  It does NOT say "adding client keyed
> by Called-Station-Id"
>
>   See?  The debug output says what it means, and means what it says.
> Because you're unwilling to take it at face value, you think it's useless.
>

You know, I just needed to find out if the lifetime 60 will work because I
don't see it. The changelog of FR actually states at a certain revision it
was defaulted to 1 hour in case of lacking. Maybe there is a minimum?


>   That says more about you than anything else.
>
>> Now I am running radmin show client list and see the IP appear. I am now
>> testing when it disappears.
>>
>> Please refrain from responding if it will only be a load of 'you did not
>> do this or that', while you have no clue on what I read or already have
>> done.
>
>   You have no business making that demand.  See the last paragraph of
> this message for my response.
>
What is the point in responding when you refer to something I have said.
And see the last paragraph in my message...

>   You asked a question and you got told an answer.  When you made
> mistakes, they were pointed out.  We CANNOT help you if your questions
> are unclear, or if your statements are contradictory.  You have NO
> BUSINESS getting offended when people try to help you.
>
>> If the response is coming to the basic question
>> "how can I check the lifetime of a dynamic client" feel free.
>>
>> Elsewise, let's keep this clean for people willing to find the proper
>> solution.
>
>   Read the documentation.  Follow instructions.  Don't argue with the
> experts.  It's not hard.
>
*hail to god?*

An expert who refuses to set up a system (might not even be in real life,
but a matter as experimenting?) Sorry, from an expert I expect at least the
full reasons (or links) to the security issues which are claimed. Secondly
an expert would give me the response to the simple question. Of course,
within this world you are the expert. Honestly, respect for that.
>
>   If you fail to follow instructions, or if you keep arguing about the
> instructions, or if you keep complaining when I answer your questions,
> you will be unsubscribed and permanently banned from this list.  Such
> behavior is anti-social, rude, and will NOT be tolerated.
>

You know, you are truly the entitlement of the Linux guru. The one who
knows. But pay attention if you go one step beyond. But no problem, I'll
try YFI as they are willing to try that.  For the anti-social? An email
starts with a header, most people end with kind regards too. And I have
scrobbled a lot of your email. They refer to a documentation which is
unclear, in text files and not in a book form. No offence, when I started
using Linux (15+ years), there were flame wars, RTFM's etc... I thought the
community became much more. Sad to see this is the evolution. So play god.

And for the record, you did not answer the question. You told me "it
should not be done" and I should read the documents. Next to giving me an
amusing evening, it did not help me, nor even pointed me to the proper
direction. And with all due respect. Radmin showed me the clients are
removed, just the time is unclear and it sure is not 60 seconds. So we
might focus on the lifetime which is not removing the client in the 60
seconds (or would the documentation be wrong and is it minutes?)

You really believe I care for this? If you can't make an argument because
you need to point out that you believe it's rude and you have rights??? Be
a god, if you are bigger than this, you might actually respond with
something useful.

If Linus followed the directions, we would not have Linux. You move
boundaries. Are you doing that by stating the obvious?

Well guess I won't know the response as I will probably be not on this list
any longer. But do yourself a favor... Read this again in 6 months and ask
yourself how many people moved to another solution because this is not
supported. This is telling people they are too stupid to read and basically
"I won't support this".

I even did an strace. Did you know if the sql queries don't work properly
in dynamic_clients, FR crashes?
I used this because FR is the only free, OSS solution which seemed good
for my purpose. And yes, it is clear that you won't help me, nor are able
to as you never used rlm_raw (or are not willing to try it).

Now this you can call rude. I was being polite in the previous mails.



>   Alan DeKok.