Hello everybody,<br><br>I have one problem with an option of the radclient tool:<br><br>I have created a little script:<br>(I have one file named "file1") and in this file, I have 3 columns (IP, MSISDN, Acct-Session-Id):<br>
<br> IP MSISDN Acct-Session-Id<br> 1.1.1.1 3368894XXXX 500A02B2382F3D8E<br> 2.2.2.2 3368739XXXX 500A02B5383F27D9 <br><br>###### BEGIN ######<br><br>old_IFS=$IFS<br>IFS=$'\n'<br><br>for i in `cat file1`<br> do echo $i | gawk '{print "Acct-Session-Id="$3"\n""NAS-IP-Address="$1}' | radclient -p 100 -x 3.3.3.3:3799 disconnect ''secret''<br>
done<br><br>IFS=$old_IFS<br><br> ###### END ###### <br><br>But in this script the parameter -p is not used!!!!<br><br> root@ulrich-Pod1:/etc/freeradius# old_IFS=$IFS<br>root@ulrich-Pod1:/etc/freeradius# IFS=$'\n'<br>
root@ulrich-Pod1:/etc/freeradius# <br>root@ulrich-Pod1:/etc/freeradius# for i in `cat file1`<br> > do echo $i | gawk '{print "Acct-Session-Id="$3"\n""NAS-IP-Address="$1}' | radclient -p 100 -x 3.3.3.3:3799 disconnect ''secret''<br>
> done<br>Sending Disconnect-Request of id 127 to 3.3.3.3 port 3799<br> Acct-Session-Id = "500A02B2382F3D8E"<br> NAS-IP-Address = 1.1.1.1<br>Sending Disconnect-Request of id 127 to 3.3.3.3 port 3799<br> Acct-Session-Id = "500A02B2382F3D8E"<br>
NAS-IP-Address = 1.1.1.1<br>Sending Disconnect-Request of id 127 to 3.3.3.3 port 3799<br> Acct-Session-Id = "500A02B2382F3D8E"<br> NAS-IP-Address = 1.1.1.1<br>radclient: no response from server for ID 127 socket 3<br>
Sending Disconnect-Request of id 206 to 3.3.3.3 port 3799<br> Acct-Session-Id = "500A02B5383F27D9"<br> NAS-IP-Address = 2.2.2.2<br>Sending Disconnect-Request of id 206 to 3.3.3.3 port 3799<br> Acct-Session-Id = "500A02B5383F27D9"<br>
NAS-IP-Address = 2.2.2.2<br>Sending Disconnect-Request of id 206 to 3.3.3.3 port 3799<br> Acct-Session-Id = "500A02B5383F27D9"<br> NAS-IP-Address = 2.2.2.2<br>radclient: no response from server for ID 206 socket 3<br>
root@ulrich-Pod1:/etc/freeradius# <br>root@ulrich-Pod1:/etc/freeradius# IFS=$old_IFS<br><br>The "radclient: no response from server" problem is normal because it's just a test and the "disconnect server" is not configured!!<br>
But the problem is that I specify in the script that we can send up to 100 requests in parallel, but I see that the script sends only one request at a time, and if there is no answer two other requests are sent<br><br>In the man page of radclient I have this:<br>
-p num_requests_in_parallel<br> Send num_requests_in_parallel, without waiting for a response for each one. By default, radclient sends the first request it has read, waits for the response, and once the response is received, sends the second request in its list. This option allows you to send many requests at simultaneously. Once num_requests_in_parallel are sent, radclient waits for all of the responses to arrive (or for the requests to time out), before sending any more packets. <br>
This option permits you to discover the maximum load accepted by a RADIUS server.<br><br>I think it's the same problem with option -n!<br><br>It's a Bug!!!!!!!????<br><br>Best Regards<br><br><div>Ulrich<br></div>
<div><br></div><div><br></div><br><div class="gmail_quote">2012/5/7 <span dir="ltr"><<a href="mailto:freeradius-users-request@lists.freeradius.org" target="_blank">freeradius-users-request@lists.freeradius.org</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Today's Topics:<br>
<br>
1. radclient (ulrich ramassamy)<br>
2. Re: multiple ldap servers::solved:: (jeff donovan)<br>
3. Sync ldap-group with sql profiles (Mohsen Saeedi)<br>
4. NAS Client (Shawky Skaff)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Sun, 6 May 2012 19:46:06 +0200<br>
From: ulrich ramassamy <<a href="mailto:ramassamy.ulrich@gmail.com">ramassamy.ulrich@gmail.com</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: radclient<br>
Message-ID:<br>
<CAKYkJTp9Fi6kZAwSptUBZZXCq3To1B6jSrkTWvw5SRP=<a href="mailto:ZW_STw@mail.gmail.com">ZW_STw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Hello,<br>
<br>
I am writing you because I need your help on using the tool "radclient".<br>
I need to send Packet Of Disconnect (POD). I have one file (for example<br>
name "file1") and in this file, I have 3 columns (IP, MSISDN,<br>
Acct-Session-Id):<br>
<br>
IP MSISDN Acct-Session-Id<br>
1.1.1.1 3368894XXXX 500A02B2382F3D8E<br>
2.2.2.2 3368739XXXX 500A02B5383F27D9<br>
<br>
I read on this site: "<a href="http://wiki.freeradius.org/Disconnect-Messages" target="_blank">http://wiki.freeradius.org/Disconnect-Messages</a>" and<br>
the proposed solution tells us to insert in a file "packet.txt" the<br>
attributes that we wish send. In this method we have to create one file for<br>
one POD. :(<br>
<br>
Now I want to use the file "file1" by selecting the attributes to send POD<br>
one to one in one command (linux command) like this :<br>
<br>
Sending Disconnect-Request of id 214 to 1.1.1.1 port 3799<br>
Framed-IP-Address=1.1.1.1<br>
Acct-Session-ID=500A02B2382F3D8E<br>
rad_recv: Disconnect-ACK packet from host 1.1.1.1 port 3799, id= 214,<br>
length=20<br>
<br>
Sending Disconnect-Request of id 215 to 2.2.2.2 port 3799<br>
Framed-IP-Address=2.2.2.2<br>
Acct-Session-ID=500A02B5383F27D9<br>
rad_recv: Disconnect-ACK packet from host 2.2.2.2 port 3799, id=215,<br>
length=20<br>
<br>
I need to know if It's possible to do this (I think by using a loop<br>
"for"!!!)? Can you please help me?<br>
<br>
Thanks for your help.<br>
<br>
Best regards,<br>
<br>
Ulrich RAMASSAMY<br>
Tél: <a href="tel:%2B33671783501" value="+33671783501">+33671783501</a><br>
<br>
PS: Sorry for my english^^<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Sun, 6 May 2012 15:31:27 -0400<br>
From: jeff donovan <<a href="mailto:jdonovan@beth.k12.pa.us">jdonovan@beth.k12.pa.us</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: multiple ldap servers::solved::<br>
Message-ID: <<a href="mailto:8EE81169-4AEF-41D0-9384-2E4BE9AF09B2@beth.k12.pa.us">8EE81169-4AEF-41D0-9384-2E4BE9AF09B2@beth.k12.pa.us</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
<br>
On May 5, 2012, at 5:09 AM, Alan DeKok wrote:<br>
<br>
> jeff donovan wrote:<br>
>> I made two changes. and it worked.,.. not sure if it the best syntax, but it's the first time I got both systems to call back.<br>
>><br>
>> authorize {<br>
>><br>
>> ldap1<br>
>> if (notfound) {<br>
>> ldap2<br>
>> }<br>
><br>
> This is OK.<br>
><br>
>> if (reject) {<br>
>> ldap2<br>
>> }<br>
><br>
> This doesn't do anything. If ldap1 rejects the user (which it won't<br>
> in the "authorize" section), then it will *immediately* return reject.<br>
> i.e. the "if reject" line won't be reached.<br>
<br>
you are correct. An authorize section would not return reject. i removed it and things work fine.<br>
<br>
><br>
><br>
>> authenticate {<br>
>><br>
>> Auth-Type LDAP {<br>
>> ldap1{<br>
>> reject = 1<br>
>> ok = return<br>
>> }<br>
>> ldap2 {<br>
>> reject = 1<br>
>> ok = return<br>
>> }<br>
>> }<br>
><br>
> This is wrong, too. You've forced "Auth-Type := LDAP" somewhere in<br>
> your config.<br>
<br>
the config Im using is stock ubuntu,..which has a few default includes. radiusd.conf specifies;<br>
$INCLUDE ${confdir}/modules/<br>
i have a file in modules called ldap. Located in this file are two ldap servers entries.<br>
#<br>
ldap ldap1 {<br>
<br>
server = "ldap1.example.com"<br>
basedn = "cn=users,dc=ldap1,dc=example.com"<br>
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"<br>
ldap_connections_number = 5<br>
timeout = 4<br>
timelimit = 3<br>
net_timeout = 1<br>
tls {<br>
start_tls = no<br>
}<br>
dictionary_mapping = ${confdir}/ldap.attrmap<br>
#<br>
edir_account_policy_check = no<br>
#ldap_debug = 0x0028<br>
}<br>
ldap ldap2 {<br>
<br>
server = "ldap2.example.com"<br>
basedn = "cn=users,dc=ldap2,dc=example.com"<br>
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"<br>
ldap_connections_number = 5<br>
timeout = 4<br>
timelimit = 3<br>
net_timeout = 1<br>
tls {<br>
start_tls = no<br>
}<br>
dictionary_mapping = ${confdir}/ldap.attrmap<br>
#<br>
edir_account_policy_check = no<br>
#ldap_debug = 0x0028<br>
}<br>
}<br>
> You could instead use "set_auth_type" in the modules/ldap<br>
> configuration. It's recommended to *not* use it, but it's fine here.<br>
><br>
> Then, just do:<br>
><br>
> authenticate {<br>
> ...<br>
> ldap1<br>
> ldap2<br>
> ...<br>
> }<br>
<br>
--- oof okay.<br>
<br>
authenticate {<br>
<br>
Auth-Type PAP {<br>
pap<br>
}<br>
<br>
Auth-Type CHAP {<br>
chap<br>
}<br>
<br>
Auth-Type MS-CHAP {<br>
mschap<br>
}<br>
<br>
digest<br>
# pam<br>
unix<br>
ldap1<br>
ldap2<br>
eap<br>
}<br>
<br>
Yes Totally works.!<br>
my bad i thought I had to set the AUTH type. similar to some of the other configs.<br>
<br>
<br>
><br>
> If the "ldap1" module finds the user, it sets Auth-Type = "ldap1".<br>
> And the same for ldap2.<br>
><br>
> This means that there are fewer queries to ldap1 in the "authenticate"<br>
> phase. That's nice.<br>
im into that. thanks for the help. hopefully my stumbles will aid someone in the future.<br>
-j<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Mon, 07 May 2012 01:10:16 +0430<br>
From: Mohsen Saeedi <<a href="mailto:mohsen.saeedi@gmail.com">mohsen.saeedi@gmail.com</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: Sync ldap-group with sql profiles<br>
Message-ID: <<a href="mailto:4FA6E1B0.2040902@gmail.com">4FA6E1B0.2040902@gmail.com</a>><br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
Hi<br>
<br>
I read more and more about my problem. but i didn't find any useful answer.<br>
<br>
I have freeradius-2.1.10 and i configured it with Active Directory. I<br>
know about openldap and radius profile and good attributes is exist<br>
under openldap for radius purpose.<br>
<br>
Now i'm able to find ldap-group with rlm_file module and with correct<br>
ldap module configuration. but i want to move our configuration from<br>
users to sql. i set everything on sql. such as nas configuration or<br>
profile definition. i defined some profile with needed attribute such as<br>
attribute is suitable for hotspot(coovachilli for example). but i'm not<br>
able to query ldap-group when i'm using rlm_sql and not rlm_file.<br>
<br>
how can i configure radius to get ldap-group query from AD to map AD<br>
group to sql profile?<br>
<br>
I know about unlang too. is it possible to write some unlang query for<br>
map ldap-group to sql profile?<br>
<br>
It's urgent for me. please explain everything you know.<br>
<br>
I'm waiting for your answer man.<br>
<br>
Thanks<br>
<br>
<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Mon, 7 May 2012 07:08:15 +0000<br>
From: Shawky Skaff <<a href="mailto:shawkys@ivox.com.au">shawkys@ivox.com.au</a>><br>
To: "<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>"<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: NAS Client<br>
Message-ID:<br>
<2CA9C14D22D840499F775B7E7FD8C7452B7BEEE6@ivox3.ivox.local><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
I've setup a NAS client that being a cisco7301 and have entered this into clients.conf. When I run radiusd -X and do the following radtest eftel-test test123 27.34.225.253 1812 testing123, it fails, I don't get anything appearing on my debug radiusd -X screen.<br>
<br>
<br>
<br>
If I change the clients.conf back to the localhost client and do radtest eftel-test test123 27.34.225.33 1812 testing123 I get the below. 27.34.225.33 is the IP of my radius box. I'm pretty sure I'm doing something wrong or missing something, but would appreciate your help in telling me what I need to do<br>
<br>
<br>
<br>
Listening on authentication address * port 1812<br>
Listening on accounting address * port 1813<br>
Listening on command file /var/run/radiusd/radiusd.sock<br>
Listening on proxy address * port 1814<br>
Ready to process requests.<br>
<br>
Ignoring request to authentication address * port 1812 from unknown client 27.34.225.33 port 60242<br>
Ready to process requests.<br>
<br>
Ignoring request to authentication address * port 1812 from unknown client 27.34.225.33 port 60242<br>
Ready to process requests.<br>
<br>
Ignoring request to authentication address * port 1812 from unknown client 27.34.225.33 port 60242<br>
Ready to process requests.<br>
<br>
<br>
<br>
The NAS table has the following entry<br>
<br>
<br>
<br>
mysql> select * from nas;<br>
+----+-----------+-----------+-------+-------+-------------+-----------+-------------+<br>
| id | nasname | shortname | type | ports | secret | community | description |<br>
+----+-----------+-----------+-------+-------+-------------+-----------+-------------+<br>
| 2 | cisco7301 | C7301 | cisco | 1812 | ivox-radius | IVOX-RO | |<br>
+----+-----------+-----------+-------+-------+-------------+-----------+-------------+<br>
1 row in set (0.00 sec)<br>
<br>
<br>
<br>
<br>
<br>
My iptables firewall is disabled.<br>
<br>
<br>
<br>
[root@radius raddb]# netstat -antup | grep rad<br>
tcp 0 0 27.34.225.33:54306 27.34.225.33:3306 ESTABLISHED 4605/radiusd<br>
tcp 0 0 27.34.225.33:54307 27.34.225.33:3306 ESTABLISHED 4605/radiusd<br>
tcp 0 0 27.34.225.33:54310 27.34.225.33:3306 ESTABLISHED 4605/radiusd<br>
tcp 0 0 27.34.225.33:54308 27.34.225.33:3306 ESTABLISHED 4605/radiusd<br>
tcp 0 0 27.34.225.33:54309 27.34.225.33:3306 ESTABLISHED 4605/radiusd<br>
udp 0 0 0.0.0.0:1812 0.0.0.0:* 4605/radiusd<br>
udp 0 0 0.0.0.0:1813 0.0.0.0:* 4605/radiusd<br>
udp 0 0 0.0.0.0:1814 0.0.0.0:* 4605/radiusd<br>
<br>
<br>
Kind Regards,<br>
<br>
Shawky Skaf<br>
____________________________<br>
iVox Communications<br>
<a href="http://www.ivox.com.au" target="_blank">www.ivox.com.au</a><<a href="http://www.ivox.com.au/" target="_blank">http://www.ivox.com.au/</a>><br>
<br>
P: <a href="tel:%2B61%202%208252%200205" value="+61282520205">+61 2 8252 0205</a><br>
F: <a href="tel:%2B61%202%208252%200202" value="+61282520202">+61 2 8252 0202</a><br>
------------------------------<br>
<br>
End of Freeradius-Users Digest, Vol 85, Issue 14<br>
************************************************<br>
</blockquote></div><br>
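Added example, not part of the original thread: the loop in the post starts a separate radclient process for every row of file1, so each process reads exactly one packet and -p has no batch to work on. The sketch below turns file1 into a single blank-line-separated packet stream and hands it to one radclient process, which also covers the earlier question about sending all Disconnect-Requests from file1 in one command. The function names, the row validation and reading the secret with -S are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): one radclient run for all rows of file1.

# Constructed sample in the layout of "file1" from the post; the last row
# carries an injected attribute to exercise the validation below.
sample_file1() {
    cat <<'EOF'
IP MSISDN Acct-Session-Id
1.1.1.1 3368894XXXX 500A02B2382F3D8E
2.2.2.2 3368739XXXX 500A02B5383F27D9
4.4.4.4 3368000XXXX 500A,User-Name=x
EOF
}

# build_pod_packets FILE
# Emit one attribute list per row, separated by blank lines, so that a single
# radclient process reads every row as a separate packet.
build_pod_packets() {
    awk '
        NR == 1 && $1 == "IP" { next }                       # header row
        NF == 0 { next }                                     # empty line
        # Assumption: IPv4 NAS addresses and hex session IDs, as in the post.
        NF != 3 || $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
            $3 !~ /^[0-9A-Fa-f]+$/ { bad++; next }
        {
            if (sent++) print ""
            print "Acct-Session-Id=" $3
            print "NAS-IP-Address=" $1
        }
        END { if (bad) print bad " malformed row(s) skipped" > "/dev/stderr" }
    ' "$1"
}

# send_pods FILE SERVER[:PORT] SECRET_FILE [PARALLEL]
# All packets arrive on the stdin of one radclient process, so -p applies to
# the whole batch. -S reads the shared secret from a file instead of argv.
send_pods() {
    build_pod_packets "$1" | radclient -x -p "${4:-100}" -S "$3" "$2" disconnect
}

# With arguments: send. Without: dry run that prints the packet stream
# generated from the constructed sample.
if [ "$#" -ge 3 ]; then
    send_pods "$@"
else
    tmp=$(mktemp) && sample_file1 > "$tmp" && build_pod_packets "$tmp"
    rm -f "$tmp"
fi
```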