hi, your ldap connection pool is borked. you have horrible values. start with the default (in fact, if you have no problem with long lived connections then disable the auto pool stuff and just have eg 8 connections. alan On Wed, 12 Feb 2020 at 10:59, Сергей Черевко via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi!
I have Unifi wifi — freeradius — ldap
In LDAP i have SSHA password for users.
This config on github help me to setup normal auth with SSHA passwords (instead plaintext) https://github.com/hacor/unifi-freeradius-ldap
i use ttls + pap
All ok, but i have some troubles with timeout (or something else)
After a few hours wifi on clients (ios,android,pc) stops working. And users must manually reconnect to the wifi network
When we use plaintext password and auth PEAP — all it’s ok. Clients do not stops working
Logs
Info: rlm_ldap (ldap): Closing connection (11428): Hit idle_timeout, was idle for 61 seconds Info: rlm_ldap (ldap): Closing connection (11433): Hit idle_timeout, was idle for 61 seconds Info: Need 6 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11440), 1 of 28 pending slots used Info: Need 5 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11441), 1 of 27 pending slots used Info: Need 4 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11442), 1 of 26 pending slots used Info: Need 3 more connections to reach 10 spares Info: rlm_ldap (ldap): Opening additional connection (11443), 1 of 25 pending slots used
Info: rlm_ldap (ldap): Closing connection (11440): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11438): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11426): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11439): Hit idle_timeout, was idle for 116 seconds Info: rlm_ldap (ldap): Closing connection (11445): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11442): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11429): Hit idle_timeout, was idle for 105 seconds Info: rlm_ldap (ldap): Closing connection (11443): Hit idle_timeout, was idle for 105 seconds
An here is my config freeradius
EAP
eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { auth_type = PAP } tls-config tls-common { private_key_password = XXX private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem ca_file = ${cadir}/ca.pem dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 # hours } verify { } ocsp { enable = no override_cert_url = yes url = " http://127.0.0.1/ocsp/ " } }
tls { tls = tls-common } ttls { tls = tls-common default_eap_type = gtc copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } }
DEFAULT
server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } authorize { filter_username preprocess digest suffix eap { ok = return #updated = return } files -sql ldap expiration logintime pap if (User-Password) { update control { Auth-Type := ldap } } } authenticate { Auth-Type PAP { #pap ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest #Auth-Type LDAP { ldap #} eap } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: }
if (LDAP-Group == "vpn") { vpn_l2tp_pool } elsif (LDAP-Group == "vpn-ext") { vpn_l2tp_ext_pool } elsif (LDAP-Group == "vpn-1c") { ok } else { reject } -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } } pre-proxy { } post-proxy { eap } }
INNER TUNNEL
server inner-tunnel { listen { ipaddr = * port = 18120 type = auth } authorize { filter_username suffix update control { &Proxy-To-Realm := LOCAL } eap { ok = return } -sql ldap expiration logintime pap if (User-Password) { update control { Auth-Type := ldap } } } authenticate { Auth-Type PAP { #pap ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap # Auth-Type LDAP { ldap # } eap } session { radutmp } post-auth { -sql if (LDAP-Group == "wifi") { noop } else { reject } if (0) { update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } update { &outer.session-state: += &reply: } } Post-Auth-Type REJECT { -sql attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } } pre-proxy { } post-proxy { eap } }
LDAP
ldap { server = 'localhost' identity = 'cn=admin,dc=fusioncore,dc=local' password = fusioncore base_dn = 'ou=people,dc=fusioncore,dc=local' sasl { } update { control:Password-With-Header += 'userPassword' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user { base_dn = "${..base_dn}" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" sasl { } } group { base_dn = "ou=groups,dc=fusioncore,dc=local" filter = '(objectClass=GroupOfNames)' name_attribute = cn membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" membership_attribute = 'memberUid' } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { start_tls = no } ldap_connections_number = 5 pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } }
----------------------------------------------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html