david at wood2.org.uk
Mon Aug 4 10:09:10 CEST 2008
In message <001501c8f58c$f3bd38b0$c2d3000a at surfer>, Maxim Sirenko
<freeradius at mail.rv.ua> writes
>Could you answer the question on the basis of your experience?
>Since what version of freeradius were you successful in using
>rlm_sqlippool with postgresql and what little fixes you had to do to
>make it work?
>I have the 1.1.7_3 port on FreeBSD 6.2 and I'm unsuccessful in forcing it to
>assign an IP from the sql pool rather than from the NAS configuration pool.
>In the docs we are encouraged to use 2.0.x to have this feature working.
>I cannot upgrade to 2.0.x now because my radius is under 24*7 load and
>I don't have a spare server to test it.
FreeBSD 6.2 is End of Life - there is no support from the FreeBSD
security team, and the ports tree no longer supports 6.2. You are
recommended to upgrade to FreeBSD 6.3-RELEASE (plus security patches) or
FreeBSD 7.0-RELEASE (plus security patches). 6.3 will be the easier
upgrade, as you won't have to rebuild all your ports.
Obviously you should back up your server before doing this.
The actual downtime for a 6.3 upgrade should be minimal. It may be worth
going via the c(v)sup, make buildworld, make buildkernel, make
installkernel, (downtime starts) reboot in single user mode, make
installworld, mergemaster, make delete-old, reboot in multi user route
(downtime ends) - but if you're going to do that, make sure you read the
instructions in the FreeBSD handbook and in /usr/src/UPDATING first.
Once you've done that, create yourself a jail as a RADIUS configuration
sandbox. This will need a spare IPv4 address on your network, and will
give you somewhere to install a completely separate FreeRADIUS for
Probably the easiest way to do this is ezjail - the sysutils/ezjail
port. This is where having done a make buildworld, and hence a populated
/usr/obj, helps - you can use ezjail_update -i to build your basejail.
Get yourself an up to date ports tree in the jail - portsnap fetch
extract should do the job.
Build the net/freeradius2 port, which is FreeRADIUS 2.0.5. There's
several enhancements in the net/freeradius2 port that I haven't
backported to the net/freeradius port - and the 2.x server is much
better than the 1.x one.
Configure FreeRADIUS 2.0.5 to your requirements, testing each change.
(To that end, I'm intending to create an eapol_test port when I have the
time - though your system doesn't sound like it would need it).
It's then a case of deploying the net/freeradius2 based setup on your
live server when you're ready. It may be worth continuing to run
FreeRADIUS in an ezjail if the restriction of a single IPv4 address
isn't an issue - it makes it so much easier to switch testing and live
configurations around, or to switch FreeRADIUS to a different FreeBSD
host machine by moving the jail.
Of course, jails are valuable to help secure your servers as well -
they're one of the nicest features of FreeBSD in my opinion.
Hopefully the single IPv4 address per jail restriction will be solved by
the time that FreeBSD 8 is released - full network virtualisation for
jails has been mooted, but I'm not sure whether anyone is actively
working on it.
david at wood2.org.uk
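The c(v)sup / buildworld / installkernel / installworld route from the reply above, written up as a resumable sh script (an added example, not part of the original message or of FreeBSD): stage `pre` does everything that needs no downtime, stage `post` is run from single-user mode after the first reboot, and a state file stops the stages being run out of order. The supfile path, cvsup host and kernel config name are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original message: the source-upgrade route
# split at the downtime boundary, with a state file so the second stage cannot
# run before the first. Supfile path, cvsup host and kernel config name are
# assumptions (overridable from the environment). Run as root.
set -e
SUPFILE=${SUPFILE:-/usr/share/examples/cvsup/standard-supfile}  # assumed
CVSUP_HOST=${CVSUP_HOST:-cvsup.uk.FreeBSD.org}                  # assumed
KERNCONF=${KERNCONF:-GENERIC}                                   # assumed
STATE=${STATE:-/var/db/upgrade-stage}
# The stage that must follow the given one ("done" after post).
next_stage() {
    case "$1" in
        pre)  echo post ;;
        post) echo done ;;
    esac
}
# True only if the requested stage is the one the state file says is next.
check_order() {
    have=$(cat "$STATE" 2>/dev/null || echo none)
    case "$1" in
        pre)  [ "$have" = none ] ;;
        post) [ "$have" = pre ] ;;
    esac
}

stage_pre() {   # no downtime yet: the server keeps serving RADIUS throughout
    echo "read /usr/src/UPDATING and back up the server before continuing" >&2
    grep -q 'tag=RELENG_6_3' "$SUPFILE" || echo "warning: supfile tag is not RELENG_6_3" >&2
    csup -L 2 -h "$CVSUP_HOST" "$SUPFILE"
    cd /usr/src
    make buildworld
    make buildkernel KERNCONF="$KERNCONF"
    make installkernel KERNCONF="$KERNCONF"
    echo pre > "$STATE"
    echo "now reboot into single-user mode (downtime starts) and run: $0 post"
}
stage_post() {  # run from single-user mode, on the newly installed kernel
    cd /usr/src
    make installworld
    mergemaster -i
    make delete-old
    echo post > "$STATE"
    echo "now reboot into multi-user mode (downtime ends)"
}
case "${1:-}" in
    pre|post) check_order "$1" || { echo "stage $1 out of order" >&2; exit 1; }
              "stage_$1" ;;
    "")       ;;   # no stage given: only define the functions
    *)        echo "usage: $0 pre|post" >&2; exit 2 ;;
esac
```

Running `./upgrade.sh post` on a box whose state file still says nothing or "post" is refused, which is the check you want when the second half is being typed into a single-user console at 3am.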