Freeradius-Users Digest, Vol 85, Issue 14 - Use case Radclient

ulrich ramassamy ramassamy.ulrich at gmail.com
Mon May 7 11:10:57 CEST 2012


Hello everybody,

I have one problem with an option of the radclient tool:

I have created a little script
(I have one file named "file1", and in this file I have 3 columns: IP,
MSISDN, Acct-Session-Id):

IP MSISDN Acct-Session-Id
1.1.1.1 3368894XXXX 500A02B2382F3D8E
2.2.2.2 3368739XXXX 500A02B5383F27D9

###### BEGIN ######

old_IFS=$IFS
IFS=$'\n'

# Skip the header row of file1; every remaining line is "IP MSISDN Acct-Session-Id".
# gawk turns each line into the two attribute lines radclient reads from stdin,
# and a separate radclient process is started for every line.
for i in $(tail -n +2 file1)
do echo "$i" | gawk '{print "Acct-Session-Id="$3"\n""NAS-IP-Address="$1}' |
radclient -p 100 -r 2 -x 3.3.3.3:3799 disconnect secret
done

IFS=$old_IFS

###### END ######

But in this script the parameter -p is not used!!!!

root at ulrich-Pod1:/etc/freeradius# old_IFS=$IFS
root at ulrich-Pod1:/etc/freeradius# IFS=$'\n'
root at ulrich-Pod1:/etc/freeradius#
root at ulrich-Pod1:/etc/freeradius# for i in `cat file1`
> do echo $i | gawk '{print "Acct-Session-Id="$3"\n""NAS-IP-Address="$1}' |
radclient -p 100 -r 2 -x 3.3.3.3:3799 disconnect ''secret''
> done
Sending Disconnect-Request of id 127 to 3.3.3.3 port 3799
Acct-Session-Id = "500A02B2382F3D8E"
NAS-IP-Address = 1.1.1.1
Sending Disconnect-Request of id 127 to 3.3.3.3 port 3799
Acct-Session-Id = "500A02B2382F3D8E"
NAS-IP-Address = 1.1.1.1
Sending Disconnect-Request of id 127 to 3.3.3.3 port 3799
Acct-Session-Id = "500A02B2382F3D8E"
NAS-IP-Address = 1.1.1.1
radclient: no response from server for ID 127 socket 3
Sending Disconnect-Request of id 206 to 3.3.3.3 port 3799
Acct-Session-Id = "500A02B5383F27D9"
NAS-IP-Address = 2.2.2.2
Sending Disconnect-Request of id 206 to 3.3.3.3 port 3799
Acct-Session-Id = "500A02B5383F27D9"
NAS-IP-Address = 2.2.2.2
Sending Disconnect-Request of id 206 to 3.3.3.3 port 3799
Acct-Session-Id = "500A02B5383F27D9"
NAS-IP-Address = 2.2.2.2
radclient: no response from server for ID 206 socket 3
root at ulrich-Pod1:/etc/freeradius#
root at ulrich-Pod1:/etc/freeradius# IFS=$old_IFS

The "radclient: no response from server" problem is normal, because it's
just a test and the "disconnect server" is not configured!!
But the problem is that I specify in the script that we can send up to 100
requests in parallel, but I see that the script sends only one request at a
time, and if there is no answer two other requests are sent.

In the man page of radclient I have this:
-p num_requests_in_parallel
Send num_requests_in_parallel, without waiting for a response for each one.
By default, radclient sends the first request it has read, waits for the
response, and once the response is received, sends the second request in
its list. This option allows you to send many requests simultaneously.
Once num_requests_in_parallel are sent, radclient waits for all of the
responses to arrive (or for the requests to time out), before sending any
more packets.
This option permits you to discover the maximum load accepted by a RADIUS
server.

I think it's the same problem with option -n!

It's a Bug!!!!!!!????

Best Regards

Ulrich




2012/5/7 <freeradius-users-request at lists.freeradius.org>

> Send Freeradius-Users mailing list submissions to
>        freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>        freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
>        freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>   1. radclient (ulrich ramassamy)
>   2. Re: multiple ldap servers::solved:: (jeff donovan)
>   3. Sync ldap-group with sql profiles (Mohsen Saeedi)
>   4. NAS Client (Shawky Skaff)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 6 May 2012 19:46:06 +0200
> From: ulrich ramassamy <ramassamy.ulrich at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: radclient
> Message-ID:
>        <CAKYkJTp9Fi6kZAwSptUBZZXCq3To1B6jSrkTWvw5SRP=ZW_STw at mail.gmail.com
> >
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
>
> I am writing you because I need your help on using the tool "radclient".
> I need to send Packet Of Disconnect (POD). I have one file (for example
> name "file1") and in this file, I have 3 columns (IP, MSISDN,
> Acct-Session-Id):
>
> IP MSISDN Acct-Session-Id
> 1.1.1.1 3368894XXXX 500A02B2382F3D8E
> 2.2.2.2 3368739XXXX 500A02B5383F27D9
>
> I read on this site: "http://wiki.freeradius.org/Disconnect-Messages" and
> the proposed solution tells us to insert in a file "packet.txt" the
> attributes that we wish send. In this method we have to create one file for
> one POD. :(
>
> Now I want to use the file "file1" by selecting the attributes to send POD
> one to one in one command (linux command) like this:
>
> Sending Disconnect-Request of id 214 to 1.1.1.1 port 3799
> Framed-IP-Address=1.1.1.1
> Acct-Session-ID=500A02B2382F3D8E
> rad_recv: Disconnect-ACK packet from host 1.1.1.1 port 3799, id= 214,
> length=20
>
> Sending Disconnect-Request of id 215 to 2.2.2.2 port 3799
>  Framed-IP-Address=2.2.2.2
> Acct-Session-ID=500A02B5383F27D9
> rad_recv: Disconnect-ACK packet from host 2.2.2.2 port 3799, id=215,
> length=20
>
> I need to know if it's possible to do this (I think by using a loop
> "for"!!!)? Can you please help me?
>
> Thanks for your help.
>
> Best regards,
>
> Ulrich RAMASSAMY
> Tél: +33671783501
>
> PS: Sorry for my english^^
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120506/5e1d7917/attachment-0001.html
> >
>
> ------------------------------
>
> Message: 2
> Date: Sun, 6 May 2012 15:31:27 -0400
> From: jeff donovan <jdonovan at beth.k12.pa.us>
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Subject: Re: multiple ldap servers::solved::
> Message-ID: <8EE81169-4AEF-41D0-9384-2E4BE9AF09B2 at beth.k12.pa.us>
> Content-Type: text/plain; charset="us-ascii"
>
>
> On May 5, 2012, at 5:09 AM, Alan DeKok wrote:
>
> > jeff donovan wrote:
> >> I made two changes, and it worked... not sure if it's the best syntax,
> >> but it's the first time I got both systems to call back.
> >>
> >> authorize {
> >>
> >>      ldap1
> >>      if (notfound) {
> >>              ldap2
> >>      }
> >
> >  This is OK.
> >
> >>      if (reject) {
> >>              ldap2
> >>      }
> >
> >  This doesn't do anything.  If ldap1 rejects the user (which it won't
> > in the "authorize" section), then it will *immediately* return reject.
> > i.e. the "if reject" line won't be reached.
>
> You are correct. An authorize section would not return reject. I removed
> it and things work fine.
>
> >
> >
> >> authenticate {
> >>
> >>      Auth-Type LDAP {
> >>              ldap1{
> >>              reject = 1
> >>              ok = return
> >>              }
> >>              ldap2 {
> >>              reject = 1
> >>              ok = return
> >>              }
> >>      }
> >
> >  This is wrong, too.  You've forced "Auth-Type := LDAP" somewhere in
> > your config.
>
> The config I'm using is stock Ubuntu, which has a few default includes.
> radiusd.conf specifies:
>        $INCLUDE ${confdir}/modules/
> i have a file in modules called ldap. Located in this file are two ldap
> servers entries.
> #
> ldap ldap1 {
>
>        server = "ldap1.example.com"
>        basedn = "cn=users,dc=ldap1,dc=example.com"
>        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>        ldap_connections_number = 5
>        timeout = 4
>        timelimit = 3
>        net_timeout = 1
>        tls {
>                start_tls = no
>                }
>        dictionary_mapping = ${confdir}/ldap.attrmap
>        #
>        edir_account_policy_check = no
>        #ldap_debug = 0x0028
> }
> ldap ldap2 {
>
>        server = "ldap2.example.com"
>        basedn = "cn=users,dc=ldap2,dc=example.com"
>        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>        ldap_connections_number = 5
>        timeout = 4
>        timelimit = 3
>        net_timeout = 1
>        tls {
>                start_tls = no
>                }
>        dictionary_mapping = ${confdir}/ldap.attrmap
>        #
>        edir_account_policy_check = no
>        #ldap_debug = 0x0028
> }
> }
> >  You could instead use "set_auth_type" in the modules/ldap
> > configuration.  It's recommended to *not* use it, but it's fine here.
> >
> >  Then, just do:
> >
> > authenticate {
> >       ...
> >       ldap1
> >       ldap2
> >       ...
> > }
>
> --- oof okay.
>
> authenticate {
>
>        Auth-Type PAP {
>                pap
>        }
>
>        Auth-Type CHAP {
>                chap
>        }
>
>        Auth-Type MS-CHAP {
>                mschap
>        }
>
>        digest
> #       pam
>        unix
>        ldap1
>        ldap2
>        eap
> }
>
> Yes, totally works!
> My bad, I thought I had to set the Auth-Type, similar to some of the other
> configs.
>
>
> >
> >  If the "ldap1" module finds the user, it sets Auth-Type = "ldap1".
> > And the same for ldap2.
> >
> >  This means that there are fewer queries to ldap1 in the "authenticate"
> > phase.  That's nice.
> I'm into that. Thanks for the help. Hopefully my stumbles will aid someone
> in the future.
> -j
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 2497 bytes
> Desc: not available
> URL: <
> http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120506/2a9b0ef3/attachment-0001.bin
> >
>
> ------------------------------
>
> Message: 3
> Date: Mon, 07 May 2012 01:10:16 +0430
> From: Mohsen Saeedi <mohsen.saeedi at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Sync ldap-group with sql profiles
> Message-ID: <4FA6E1B0.2040902 at gmail.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Hi
>
> I read more and more about my problem, but I didn't find any useful answer.
>
> I have freeradius-2.1.10 and I configured it with Active Directory. I
> know about OpenLDAP and the radius profile, and good attributes exist
> under OpenLDAP for radius purposes.
>
> Now I'm able to find ldap-group with the rlm_file module and with a correct
> ldap module configuration. But I want to move our configuration from
> users to sql. I set everything up in sql, such as the nas configuration or
> the profile definitions. I defined some profiles with the needed attributes,
> such as attributes suitable for a hotspot (coovachilli for example). But I'm
> not able to query ldap-group when I'm using rlm_sql and not rlm_file.
>
> How can I configure radius to run the ldap-group query against AD in order
> to map an AD group to an sql profile?
>
> I know about unlang too. Is it possible to write some unlang to map
> ldap-group to an sql profile?
>
> It's urgent for me. Please explain everything you know.
>
> I'm waiting for your answer man.
>
> Thanks
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 7 May 2012 07:08:15 +0000
> From: Shawky Skaff <shawkys at ivox.com.au>
> To: "freeradius-users at lists.freeradius.org"
>        <freeradius-users at lists.freeradius.org>
> Subject: NAS Client
> Message-ID:
>        <2CA9C14D22D840499F775B7E7FD8C7452B7BEEE6 at ivox3.ivox.local>
> Content-Type: text/plain; charset="us-ascii"
>
> I've set up a NAS client, that being a cisco7301, and have entered this into
> clients.conf. When I run radiusd -X and do the following: radtest eftel-test
> test123 27.34.225.253 1812 testing123, it fails; I don't get anything
> appearing on my debug radiusd -X screen.
>
>
>
> If I change the clients.conf back to the localhost client and do radtest
> eftel-test test123 27.34.225.33 1812 testing123, I get the below.
> 27.34.225.33 is the IP of my radius box. I'm pretty sure I'm doing
> something wrong or missing something, but would appreciate your help in
> telling me what I need to do.
>
>
>
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on proxy address * port 1814
> Ready to process requests.
> Ignoring request to authentication address * port 1812 from unknown client 27.34.225.33 port 60242
> Ready to process requests.
> Ignoring request to authentication address * port 1812 from unknown client 27.34.225.33 port 60242
> Ready to process requests.
> Ignoring request to authentication address * port 1812 from unknown client 27.34.225.33 port 60242
> Ready to process requests.
>
>
>
> The NAS table has the following entry
>
>
>
> mysql> select * from nas;
> +----+-----------+-----------+-------+-------+-------------+-----------+-------------+
> | id | nasname   | shortname | type  | ports | secret      | community | description |
> +----+-----------+-----------+-------+-------+-------------+-----------+-------------+
> |  2 | cisco7301 | C7301     | cisco |  1812 | ivox-radius | IVOX-RO   |             |
> +----+-----------+-----------+-------+-------+-------------+-----------+-------------+
> 1 row in set (0.00 sec)
>
>
>
>
>
> My iptables firewall is disabled.
>
>
>
> [root at radius raddb]# netstat -antup | grep rad
> tcp        0      0 27.34.225.33:54306          27.34.225.33:3306           ESTABLISHED 4605/radiusd
> tcp        0      0 27.34.225.33:54307          27.34.225.33:3306           ESTABLISHED 4605/radiusd
> tcp        0      0 27.34.225.33:54310          27.34.225.33:3306           ESTABLISHED 4605/radiusd
> tcp        0      0 27.34.225.33:54308          27.34.225.33:3306           ESTABLISHED 4605/radiusd
> tcp        0      0 27.34.225.33:54309          27.34.225.33:3306           ESTABLISHED 4605/radiusd
> udp        0      0 0.0.0.0:1812                0.0.0.0:*                               4605/radiusd
> udp        0      0 0.0.0.0:1813                0.0.0.0:*                               4605/radiusd
> udp        0      0 0.0.0.0:1814                0.0.0.0:*                               4605/radiusd
>
>
> Kind Regards,
>
> Shawky Skaf
> ____________________________
>
>
>
> iVox Communications
> www.ivox.com.au<http://www.ivox.com.au/>
>
> P: +61 2 8252 0205
> F: +61 2 8252 0202
>
>
>
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120507/c15cc4d1/attachment.html
> >
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: image001.gif
> Type: image/gif
> Size: 3160 bytes
> Desc: image001.gif
> URL: <
> http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120507/c15cc4d1/attachment.gif
> >
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> End of Freeradius-Users Digest, Vol 85, Issue 14
> ************************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120507/b097f091/attachment-0001.html>
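The loop in the message above starts a new radclient process for every line of file1, so each process holds a single request and -p has nothing to send in parallel: -p only spreads the requests that one invocation has read. The script below is an added example (not the poster's script and not FreeRADIUS code) that builds all Disconnect-Requests from file1 as blank-line-separated packets and hands them to a single radclient run; the header row, the server address 3.3.3.3:3799 and the secret are taken from the post and treated as placeholders.

```shell
#!/bin/sh
# Added example (not the poster's script): build ONE radclient input from file1
# so that "-p" applies across all Disconnect-Requests in a single invocation.
# radclient reads several packets from its input when they are separated by a
# blank line; a separate radclient per line can never send anything in
# parallel because each process only ever holds one request.
# Assumptions: file1 has a header row and three whitespace-separated columns
# (IP, MSISDN, Acct-Session-Id); server and secret below are placeholders.

# Emit one attribute block per data row, skipping the header and short lines.
build_pod_packets() {
    awk 'NR > 1 && NF >= 3 {
        printf "Acct-Session-Id=%s\nNAS-IP-Address=%s\n\n", $3, $1
    }' "$1"
}

# Number of Disconnect-Requests the input would produce.
count_pod_packets() {
    build_pod_packets "$1" | grep -c '^Acct-Session-Id='
}

# Feed every packet to ONE radclient; -p 100 can now send up to 100 at a time.
# -r 2 and -x are kept from the post. Nothing is sent unless this is called.
send_pods() {
    _file=$1
    _server=${2:-3.3.3.3:3799}   # placeholder disconnect server from the post
    _secret=${3:-secret}         # placeholder shared secret
    build_pod_packets "$_file" | radclient -p 100 -r 2 -x "$_server" disconnect "$_secret"
}

# Constructed sample input with the same columns as the post's file1.
sample_file1=$(mktemp)
cat > "$sample_file1" <<'EOF'
IP MSISDN Acct-Session-Id
1.1.1.1 3368894XXXX 500A02B2382F3D8E
2.2.2.2 3368739XXXX 500A02B5383F27D9
EOF

# Show exactly what the single radclient process would receive on stdin.
build_pod_packets "$sample_file1"
```

Calling `send_pods file1` with a reachable disconnect server performs the actual sends; the header row is dropped, so no `NAS-IP-Address=IP` packet is ever produced.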


More information about the Freeradius-Users mailing list