aland | 1 Oct 01:33 2009

GIT Log for 2009-09-30 23:33 GMT

commit 4baebf8202d7db372a9ad2ce5026ec6c986f0de7
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Wed Sep 30 09:54:25 2009 +0200

    Allow old-style dictionary formats, too
 src/lib/dict.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html

aland | 2 Oct 01:33 2009

GIT Log for 2009-10-01 23:33 GMT

commit 751e9a39b2221a2623001a4611021a8e01cf4375
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Thu Oct 1 15:07:51 2009 +0200

    Increase max_sessions

Files changed:
 raddb/eap.conf |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

======================================================================
commit 382b6c2223ba1a233ca9f4d248beb888a0123f3e
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Thu Oct 1 15:06:59 2009 +0200

    Print more descriptive error message for too many EAP sessions

Files changed:
 src/modules/rlm_eap/mem.c |   17 ++++++++++++++---
 1 files changed, 14 insertions(+), 3 deletions(-)

======================================================================
commit e237107e1dca922dab291c5b011468ee24b768c2
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Thu Oct 1 11:15:55 2009 +0200

    event.c frees the listener, so we don't need to

Files changed:
 src/modules/frs_control/frs_control.c |    2 --

aland | 6 Oct 01:33 2009

GIT Log for 2009-10-05 23:33 GMT

commit 64700e41098a874581d683c8606c94f9ad23079d
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Mon Oct 5 17:32:39 2009 +0200

    Check for undefined types, too

Files changed:
 src/lib/radius.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

======================================================================
commit ecf751a2a662d8749f45fa77f8b023b37b01056c
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Mon Oct 5 17:12:33 2009 +0200

    Set broadcast && reuseaddr before binding to socket

Files changed:
 src/main/listen.c               |   59 +++++++++++++++++++++++++++++++++++++++
 src/modules/frs_dhcp/frs_dhcp.c |   15 ----------
 2 files changed, 59 insertions(+), 15 deletions(-)

======================================================================
commit f6e2dba8a7e4dd31d36d5b8ee434d21600e3f99f
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Sun Oct 4 18:12:12 2009 +0200

    Simplify the code

Files changed:

aland | 7 Oct 01:33 2009

GIT Log for 2009-10-06 23:33 GMT

commit f2273694594b65174b30680bef077485c9372f92
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Tue Oct 6 11:28:36 2009 +0200

    Forgot to include this...

Files changed:
 src/include/smodule.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

======================================================================
commit 9261f3e0026323b2c397af13d02fbc5780908143
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Tue Oct 6 10:21:45 2009 +0200

    Ensure that there is a cleanup event for proxied packets

    If there was no reply, clean up, reject, etc. the request.

    This doesn't matter so much for normal clients, as they will retransmit
    and cause the old request to be deleted from the request hash.
    But detail requests have random ports (for other reasons), so
    they won't be cleaned up by new packets.  Therefore, we need to clean
    them up...

Files changed:
 src/main/event.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

======================================================================

Jakob Hirsch | 7 Oct 14:32 2009

--with-system-libtldl broken on stable

Hi,

easy fix:

diff --git a/configure.in b/configure.in
index 770068d..c7d41e6 100644
--- a/configure.in
+++ b/configure.in
 <at>  <at>  -75,7 +75,7  <at>  <at>  fi
 AC_ARG_WITH(system-libtldl,
 [  --with-system-libtldl   Use the libtltdl installed in your system
(default=use our own)],
 [
-LIBLTDL="-ltdl"
+LIBLTDL="-lltdl"
 INCLTDL=
 LTDL_SUBDIRS=
 ],
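
Review bot: The help string on the context line still reads "libtltdl" and the option is spelled `--with-system-libtldl`; neither matches the library name libltdl that the corrected `-lltdl` links against. Fix the help text in the same patch, and consider accepting a correctly spelled `--with-system-libltdl` while keeping the old spelling so existing build scripts do not break. This branch also clears INCLTDL and never checks that the system library is usable, so a missing libltdl only shows up at link time; an AC_CHECK_LIB test for ltdl in this branch would make configure fail early instead.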

I'm not an expert in these things, so please excuse my dumb asking:
Why does freeradius want to use its own libtool and libltdl? Are the
ones out there that broken or is there any other reason?
And are there disadvantages of using the ones included in FR? Debian
seems to prefer the system's...

Regards,
Jakob

Alexander Clouter | 7 Oct 18:29 2009

EAP proxing with client-balance

Hi,

Being part of the 'eduroam' clan we have a lot of EAP traffic proxying 
about the place, even more so being part of the 'University Triangle' in 
London so those pesky students and staff mooch wherever they can.

My setup is generally:
----
home_server_pool eduroam {
        #type           = fail-over           <-- works
        #type           = client-balance      <-- grumbles
        #type           = client-port-balance <-- grumbles
        type            = keyed-balance       <-- grumbles

        home_server     = jrs.0
        home_server     = jrs.1
        home_server     = jrs.2
}
----

The proxy topology in eduroam (in case you do not know) is:
  [us x 2] ---------- [ .ja.net proxies x 3 ] ---------- [them x 2]

<ramble>
I used 'keyed-balance' as 'client-balance'/'client-port-balance' load 
balance terribly when your NAS's use the same source port and most of 
our traffic comes from the same IP (the single infernal WLC 4400 we 
have).

This however is not important, as I only started to use 'keyed-balance' 

Alan Buxey | 7 Oct 20:23 2009

Re: EAP proxing with client-balance

Hi,

> I used 'keyed-balance' as 'client-balance'/'client-port-balance' load 
> balance terribly when your NAS's use the same source port and most of 
> our traffic comes from the same IP (the single infernal WLC 4400 we 
> have).

yep - especially when a certain vendor is always using the same port :-(

> moved to 'fail-over' and everything started working.  Alas I cannot 
> leave it on 'fail-over' otherwise Alan Buxey gets grumbly.

;-) a name check will always get my attention... okay..not quite 'grumbly'
but if everyone used such a method then we'd have to look at loads from
each end site and email them about what order they should do their 
National Proxies in... at least with some reasonable client balance
the architecture might get used fairly and evenly. heck...maybe someday
Status-Server will find its way a little more fully into the system
and then if NRPS get busy they can just dynamically tell clients
that they aren't well and bother another box :-)

> 'currently_outstanding' or 'fr_rand()' when there is EAP traffic; I 
> decided to add the clause !HOME_POOL_LOAD_BALANCE; things now work.

ouch. that should already be inherent within the EAP balance?

> What do you think of the following patch, I think there is sound 
> reasoning behind it, however of course I am just a network monkey?

doesn't this patch just make the 'balance' system become exactly

Alexander Clouter | 7 Oct 22:20 2009

Re: EAP proxing with client-balance

Alan Buxey <A.L.M.Buxey <at> lboro.ac.uk> wrote:
> 
>> 'currently_outstanding' or 'fr_rand()' when there is EAP traffic; I 
>> decided to add the clause !HOME_POOL_LOAD_BALANCE; things now work.
> 
> ouch. that should already be inherent within the EAP balance?
> 
Looking at the code, it's the sort of thing I would have overlooked

>> What do you think of the following patch, I think there is sound 
>> reasoning behind it, however of course I am just a network monkey?
> 
> doesn't this patch just make the 'balance' system become exactly
> the same as the fail-over system? ie, find a live one and stick with it
> for all times...
> 
Look in the top half of that function (honkingly large switch(){} 
statement), you will see the hashing algorithm (the 'start'ing hint) 
depends on what load balancing algorithm you want.

As an off-topic note, for FreeRADIUS 'eduroam' users we might want to 
start touting the following to be dropped into 'authorize{}':
----
if (Realm == "DEFAULT") {
  # workaround crappy load-balancing, thanks to Cisco's static src port
  update control {
    Load-Balance-Key := "%{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-ID}"
  }

  handled

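The balancing behaviour discussed in this thread, as an added example (not part of any post and not FreeRADIUS code): when every request arrives from one source IP and port, hashing the client address puts all sessions on one home server, while hashing a per-session key shaped like the Load-Balance-Key above spreads sessions and still keeps each EAP conversation on a single server. The FNV-1a hash, the 192.0.2.10 address, port 32768 and the user and station values are assumptions constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#define NUM_HOME_SERVERS 3   /* jrs.0, jrs.1, jrs.2 in the pool from the thread */

/* FNV-1a: a stand-in hash picked for this example, not FreeRADIUS's own. */
static uint32_t fnv1a(const char *s)
{
    uint32_t h = 2166136261u;
    while (*s) {
        h ^= (unsigned char)*s++;
        h *= 16777619u;
    }
    return h;
}

/* Map a balancing key to a home server index: same key, same server. */
int pick_home_server(const char *key)
{
    return (int)(fnv1a(key) % NUM_HOME_SERVERS);
}

/* Key for constructed session i. per_session == 0: one controller's source IP
 * and fixed port. per_session == 1: NAS IP, NAS port, user, calling station. */
void make_key(char *buf, size_t len, int i, int per_session)
{
    if (per_session)
        snprintf(buf, len, "192.0.2.10 %d user%d@example.org 02-00-00-00-00-%02X",
                 i % 8, i, (unsigned)i);
    else
        snprintf(buf, len, "192.0.2.10:32768");  /* same for every session */
}

/* Distinct home servers hit by `sessions` constructed sessions. */
int servers_used(int sessions, int per_session)
{
    int seen[NUM_HOME_SERVERS] = {0}, used = 0;
    char key[128];
    for (int i = 0; i < sessions; i++) {
        make_key(key, sizeof key, i, per_session);
        if (!seen[pick_home_server(key)]++) used++;
    }
    return used;
}

int main(void)
{
    printf("client IP/port key: %d server(s)\n", servers_used(64, 0));
    printf("per-session key:    %d server(s)\n", servers_used(64, 1));
    return 0;
}
```

Because the index depends only on the key, every packet of one EAP conversation reaches the same home server as long as the key attributes stay constant for that conversation.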
John Morrissey | 8 Oct 18:52 2009

PATCH: allow detail listeners to write to other files

I noticed[1] that detail listeners refuse to write detail entries to files,
even if the destination filename is different from the source filename.

The attached patch fixes that. It also centralizes the listen_detail_t
definition, removing the 'stub' definition in src/main/event.c.

john

[1] https://lists.freeradius.org/pipermail/freeradius-users/2009-October/msg00182.html

--

-- 
John Morrissey          _o            /\         ----  __o
jwm <at> horde.net        _-< \_          /  \       ----  <  \,
www.horde.net/    __(_)/_(_)________/    \_______(_) /_(_)__

Alan DeKok | 9 Oct 22:30 2009

Re: EAP proxing with client-balance

Alexander Clouter wrote:
> <ramble>
> I used 'keyed-balance' as 'client-balance'/'client-port-balance' load 
> balance terribly when your NAS's use the same source port and most of 
> our traffic comes from the same IP (the single infernal WLC 4400 we 
> have).

  They're meant to be used with more than one client.

> Looking closer at the detail logs I saw that mid-EAP conversation the 
> packets started to get proxied to different national proxies which 
> resulted (expectedly) with an Access-Reject; also explaining why my 
> counterparts never saw an inner authentication.

  Ah.  If they're going through different proxies, but making it back to
the *same* home server, that will be an issue.

> Looks like MS IAS does not really care where the proxied packets come 
> from, it only keys on Proxy-State (I'm guessing here); FreeRADIUS being 
> a lot more picky...which is just what I like :)  With this in mind I 
> moved to 'fail-over' and everything started working.  Alas I cannot 
> leave it on 'fail-over' otherwise Alan Buxey gets grumbly.

  I won't speak ill of another Alan.

> The conclusion, we should not be paying any attention to 
> 'currently_outstanding' or 'fr_rand()' when there is EAP traffic; I 
> decided to add the clause !HOME_POOL_LOAD_BALANCE; things now work.
> 
> What do you think of the following patch, I think there is sound 