There are no DB handles to use! skipped 0, tried to connect 0
hi,

My configuration
RedHat 9.0 Latest up2date
FR 0.9.3 non CVS, ./configure --with-experimental-modules / make / make install
MySQL Ver 12.20 Distrib 4.0.13, for pc-linux (i686)

--- radius.log begin ---
Mon Dec 15 12:30:23 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Dec 15 12:30:38 2003 : Auth: Login OK: [ashok/CHAP-Password] (from client XXX port 6649 cli 00:07:95:50:8C:52)
Mon Dec 15 12:30:39 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Dec 15 12:31:21 2003 : Auth: Login OK: [nariman/CHAP-Password] (from client XXX port 6650 cli 00:E0:4C:77:43:22)
Mon Dec 15 12:31:35 2003 : Auth: Login OK: [chheda/CHAP-Password] (from client YYY port 80 cli 00:00:E8:87:05:01)
Mon Dec 15 12:32:48 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Dec 15 12:33:39 2003 : Auth: Login OK: [imasol123/CHAP-Password] (from client XXX port 6651 cli 00:E0:4A:39:00:1F)
Mon Dec 15 12:33:43 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Dec 15 12:35:20 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Dec 15 12:35:20 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Dec 15 12:35:23 2003 : Auth: Login OK: [magice/CHAP-Password] (from client XXX port 6652 cli 00:0A:CD:03:CC:0E)
Mon Dec 15 12:35:29 2003 : Auth: Login OK: [global/CHAP-Password] (from client ZZZ port 794 cli 00:00:1C:81:DA:B5)
Mon Dec 15 12:35:29 2003 : Auth: Login OK: [sudeep/CHAP-Password] (from client YYY port 81 cli 00:08:A1:3E:A3:13)
--- radius.log end ---

at the client end the auth fails some times and a retry gets them connected

-- pstree output for mysql ---
|-mysqld_safe---mysqld---mysqld---24*[mysqld]
--- pstree output for mysql ---

# Example mysql config file for medium systems.
my.cnf = my-medium.cnf

cannot figure out why this is happening, about 100 users getting auth on this server per minute from four diff NAS servers with accounting enabled

thanks
Ripunjay Bararia

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_perl Client-IP-Address
On Mon, Dec 15, 2003 at 09:12:59AM +0800, Bruce Cook wrote:

Hmm, don't see it in the current version I'm running, I'll suck the latest CVS and have a look at that.

Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ?/RAD_REQUEST:
Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ? Calling-Station-Id = wpp212100900202
Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ? NAS-Port = 1627979978
Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ? CHAP-Password = 0x5293ce878311839de112b3bc95946d7566
Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ? Service-Type = Framed-User
Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ? NAS-Identifier = N9028384K-WPP2
Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ? Acct-Session-Id = 18afe90b
Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ? User-Name = kz032
Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ? Framed-Protocol = PPP
Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ? NAS-IP-Address = 172.31.22.192
Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ?/RAD_REPLY:
Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ?/RAD_CHECK:
Mon Dec 1 23:20:53 2003 : Info: rlm_perl: ?/RAD_CONFIG:

Bruce

You have to use preprocess module for Client-IP-Address from radiusd.conf authorize section.

--//--
# It also adds a Client-IP-Address attribute to the request.
preprocess
--//--

Boian Jordanov wrote:

On Fri, Dec 12, 2003 at 06:01:53PM +0800, Bruce Cook wrote:

Is there any way to access Client-IP-Address within a perl script under rlm_perl. I can't seem to find any direct reference to it.

$RAD_REQUEST{'Client-IP-Address'}

Bruce Cook
Re: Auth: Login incorrect:
Joe Bonow wrote:

After searching the limited archive I am unable to find info on how to have the Login Incorrect return the name of the nas that the login failed on.

The CVS version has support for a postauth_query stanza in sql.conf which allows you to insert any value you want in the SQL query : the User-Name, the User-Password and the NAS-IP-Address for example. See raddb/sql.conf and doc/Post-Auth-Type to use this feature.

--
Nicolas Baradakis
Re: Kill -HUP in debug mode eats all CPU
At Fri, 12 Dec 2003 19:24:03 +0200, ZORBADELOS KONSTANTINOS wrote:

Here is the output after adding debug_level = 2 as the last line of radiusd.conf. Sorry for the delay I was off for the weekend.

By the way I compiled freeradius on another SUN machine (much bigger) with gcc 2.95.3 and in the HUP signal it didn't eat the cpu (without connections to an sql database).

Thanks Alan.

--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
Reloading configuration files.
reread_config: reading radiusd.conf
Config: including file: /export/home/radius/freeradius-0.9.3/BUILD/etc/raddb/proxy.conf
Config: including file: /export/home/radius/freeradius-0.9.3/BUILD/etc/raddb/clients.conf
Config: including file: /export/home/radius/freeradius-0.9.3/BUILD/etc/raddb/snmp.conf
Config: including file: /export/home/radius/freeradius-0.9.3/BUILD/etc/raddb/oraclesql.conf
main: prefix = /export/home/radius/freeradius-0.9.3/BUILD
main: localstatedir = /export/home/radius/freeradius-0.9.3/BUILD/var
main: logdir = /export/home/radius/freeradius-0.9.3/BUILD/var/log/radius
main: libdir = /export/home/radius/freeradius-0.9.3/BUILD/lib
main: radacctdir = /export/home/radius/freeradius-0.9.3/BUILD/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /export/home/radius/freeradius-0.9.3/BUILD/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /export/home/radius/freeradius-0.9.3/BUILD/var/run/radiusd/radiusd.pid
main: user = radius
main: group = other
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /export/home/radius/freeradius-0.9.3/BUILD/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = yes
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 2
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
rlm_sql (sql1): Closing sqlsocket 2
rlm_sql (sql1): Closing sqlsocket 1
rlm_sql (sql1): Closing sqlsocket 0
rlm_sql (sql2): Closing sqlsocket 2
rlm_sql (sql2): Closing sqlsocket 1
rlm_sql (sql2): Closing sqlsocket 0
Bus Error (core dumped)

==
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]
Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns.
Re: Digital Cert + Username/Password against LDAP = ???
On Sun, 14 Dec 2003, Patrick Mowry wrote:

Hello,

I have a requirement for two stage authentication for wireless networks. Before the wireless Windows 2000/XP client is even allowed to reach the domain, it must authenticate to the network with Digital Certs issued from an iPlanet certificate server (EAP-TLS) and also a username/password against LDAP.

Would this be EAP-TTLS? If someone can point me to the correct keyword I'm sure I can figure it out from there.

Yes that would be EAP-TTLS. You can also set the EAP-TLS-Require-Client-Cert attribute to 1 so that the TLS code will also require a valid client certificate.

Thanks,
-Patrick

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
radius 0.9.3 / mysql 4.0.16: no logging
Good morning all,

We have a server with a really old copy of FreeRADIUS logging accounting data to mysql 3.xx. We are now in the process of upgrading to the latest stable of mysql 4 and freeradius.

We've built the system on a separate machine and it works during testing, except it doesn't log anything to mysql. We have authorisation checks using flat files, but use mysql for logging. radtest works fine, nothing in mysql.

radiusd -x shows it connects fine to the mysql server, and mysqld shows it has connected. Yet there is no sqltrace.sql file either. We have confirmed the username/password details can log in, and the table names are correct.

The accounting{} part is as default, with 'sql' right above 'unix'.

Some help would be appreciated. We are at a loss!

Thanks,
James Green
PEAP problem - HELP PLEASE
hello everybody!

I am trying to make a secure wireless access using PEAP, but I have a problem during authentication. I had successfully configured TLS module, and all work fine. But when I want to have a peap authentication, there is a problem.

In fact could someone try to look at my log, and tell me where is my problem? I would be great!

Another point is the configuration of the users file, for peap. I've read the list but nobody gave a real answer to this question.. how this file have to be configured?? I tried :

username Auth-type := EAP , User-password == xxx
or
username Auth-type := Local , User-password == xxx
or ...

I don't really know which syntax is good according to peap authentication..maybe my problem is here?

Thank you for your help!

there are my logs :

...
auth: type EAP
modcall: entering group authenticate for request 15
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
rlm_eap_peap: Identity - NOMADE\ourson
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
PEAP: Got tunneled identity of NOMADE\ourson
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Sending tunneled request
EAP-Message = 0x02810012014e4f4d4144455c6f7572736f6e
Freeradius-Proxied-To = 127.0.0.1
User-Name = NOMADE\\ourson
modcall: entering group authorize for request 15
modcall[authorize]: module preprocess returns ok for request 15
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20031215
modcall[authorize]: module auth_log returns ok for request 15
rlm_eap: EAP packet type response id 129 length 18
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 15
rlm_realm: No '@' in User-Name = NOMADE\ourson, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 15
modcall[authorize]: module files returns notfound for request 15
modcall: group authorize returns updated for request 15
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 15
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module eap returns handled for request 15
modcall: group authenticate returns handled for request 15
PEAP: Got tunneled reply RADIUS code 11
EAP-Message = 0x018200271a01820022104c50168820c00ade9de928725f57b2964e4f4d4144455c6f7572736f6e
Message-Authenticator = 0x
State = 0xc2efbd051aa877ec625ee103a4a76b76
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module eap returns handled for request 15
modcall: group authenticate returns handled for request 15
Sending Access-Challenge of id 158 to 192.168.1.2:2462
EAP-Message = 0x0182003e19001703010033d078dd9a67221656dce0acbb5519d8b9af452bb0eaf5f600fcabafd63a385dfe8b1d076837f1798de3ca6d5b2a0d7269ad9f2f
Message-Authenticator = 0x
State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
Finished request 15
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:2463, id=159, length=250
User-Name = NOMADE\\ourson
Cisco-AVPair = ssid=bebe
NAS-IP-Address = 192.168.1.2
Called-Station-Id = 00409656deff
Calling-Station-Id = 000af49c507f
NAS-Identifier = AP350-56deff
NAS-Port = 37
Framed-MTU = 1400
State = 0x55cbafd5eafc1a8c249ad219c5d26a3b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x028200581900170301004d7375a04660bd286865a528793617699cb52551682fc670d49518765d8d8c78754448d9e3eea2d3d4c05fe1367daa485f6e915eebd1fa6d301bb4996dac7906667fa1013b41e11f29e367
Message-Authenticator = 0x63157043cdd0b024b172ecaf24dfb290
modcall: entering group authorize for request 16
modcall[authorize]: module preprocess returns ok for request 16
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.2/auth-detail-20031215
modcall[authorize]: module auth_log returns ok for request 16
rlm_eap: EAP packet type response id 130 length 88
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
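
The EAP-Message hex values in the debug output above can be decoded field by field. This is an added example, not code from the original post or from FreeRADIUS: the function names are assumptions, the header layout follows RFC 3748, the MS-CHAPv2 layout follows the EAP-MSCHAPv2 draft, and the three sample values are copied from the log in the post.

```python
import struct

# Numbers from RFC 3748 and the IANA EAP registry (only those relevant to this log).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
TLS_BASED = {13, 21, 25}
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# EAP-Message values copied from the radiusd debug output in the post above.
PAGE_SAMPLES = [
    "0x02810012014e4f4d4144455c6f7572736f6e",
    "0x018200271a01820022104c50168820c00ade9de928725f57b2964e4f4d4144455c6f7572736f6e",
    "0x0182003e19001703010033d078dd9a67221656dce0acbb5519d8b9af452bb0eaf5f600fcabafd63a385dfe8b1d076837f1798de3ca6d5b2a0d7269ad9f2f",
]


def _parse_mschapv2(body):
    """Inner MS-CHAPv2 packet: OpCode, MS-CHAPv2-ID, MS-Length, then opcode data."""
    if not body:
        raise ValueError("MS-CHAPv2 packet has no opcode")
    out = {"opcode": MSCHAP_OPCODES.get(body[0], body[0])}
    if len(body) < 4:
        return out  # the peer's Success/Failure acknowledgement is the opcode only
    out["ms_id"] = body[1]
    ms_length = struct.unpack("!H", body[2:4])[0]
    if ms_length != len(body):
        raise ValueError("MS-Length %d does not match %d bytes" % (ms_length, len(body)))
    if body[0] in (1, 2):
        if len(body) < 5:
            raise ValueError("missing Value-Size")
        size = body[4]
        value = body[5:5 + size]
        if len(value) != size:
            raise ValueError("value shorter than Value-Size")
        out["challenge" if body[0] == 1 else "response"] = value.hex()
        out["name"] = body[5 + size:].decode("utf-8", "replace")
    else:
        out["message"] = body[4:].decode("utf-8", "replace")
    return out


def _parse_tls_fragment(body):
    """EAP-TLS/TTLS/PEAP payload: flags, optional 4-byte length, TLS records."""
    if not body:
        raise ValueError("missing flags byte")
    flags, data = body[0], body[1:]
    out = {"length_included": bool(flags & 0x80),
           "more_fragments": bool(flags & 0x40),
           "start": bool(flags & 0x20)}
    if flags & 0x80:
        if len(data) < 4:
            raise ValueError("missing TLS message length")
        out["tls_message_length"] = struct.unpack("!I", data[:4])[0]
        data = data[4:]
    records = []
    # Record headers line up with the data only on a first or only fragment.
    while len(data) >= 5:
        ctype, version, rlen = struct.unpack("!BHH", data[:5])
        if ctype not in TLS_CONTENT:
            break
        records.append((TLS_CONTENT[ctype], "%d.%d" % (version >> 8, version & 0xFF), rlen))
        data = data[5 + rlen:]
    out["tls_records"] = records
    return out


def parse_eap(hex_value):
    """Decode one EAP-Message value as printed in the debug log (0x-prefixed hex)."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # Long EAP packets are split over several EAP-Message attributes
        # (253 bytes each at most); join them before parsing.
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length == 4:
        return pkt  # Success and Failure carry no type field
    eap_type, body = raw[4], raw[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        pkt["identity"] = body.decode("utf-8", "replace")
    elif eap_type == 26:
        pkt.update(_parse_mschapv2(body))
    elif eap_type in TLS_BASED:
        pkt.update(_parse_tls_fragment(body))
    return pkt


if __name__ == "__main__":
    for sample in PAGE_SAMPLES:
        print(parse_eap(sample))
```

The inner identity and the MS-CHAPv2 challenge are readable only in the server's debug output, where the TLS tunnel has already been terminated. The outer Access-Challenge carries the same exchange inside a single TLS application_data record.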
Help
Hello everyone,

I am a new user of Freeradius server. I have installed freeradius (beta version) and tested radius server using 'radtest' command and found in working.

I have a windows user connected through AP600 (NAS), and it is not responding. (I ran 'radiusd' with -X option ..and found it not showing any message, when the windows-user tried to access. It's allowing user to access the NAS without asking for any password).

Please help me in configuring radius server. Thanks in advance for all the help.

--
Best Regards,
Shashi.
Re: radius 0.9.3 / mysql 4.0.16: no logging
At Mon, 15 Dec 2003 10:25:36 +, James Green wrote:

Use radiusd -X and see what happens with the requests. You should see the sql queries that the server tries to execute.

Good morning all,

We have a server with a really old copy of FreeRADIUS logging accounting data to mysql 3.xx. We are now in the process of upgrading to the latest stable of mysql 4 and freeradius.

We've built the system on a separate machine and it works during testing, except it doesn't log anything to mysql. We have authorisation checks using flat files, but use mysql for logging. radtest works fine, nothing in mysql.

radiusd -x shows it connects fine to the mysql server, and mysqld shows it has connected. Yet there is no sqltrace.sql file either. We have confirmed the username/password details can log in, and the table names are correct.

The accounting{} part is as default, with 'sql' right above 'unix'.

Some help would be appreciated. We are at a loss!

Thanks,
James Green

==
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]
Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns.
Re: radius 0.9.3 / mysql 4.0.16: no logging
ZORBADELOS KONSTANTINOS wrote:

At Mon, 15 Dec 2003 10:25:36 +, James Green wrote:

Use radiusd -X and see what happens with the requests. You should see the sql queries that the server tries to execute.

Zorbadelos,

This has been done. That is how I know it connects to the database, but doesn't perform any SQL queries. I can get it to look up the user in the database even, it just refuses to log the result in the database.

It's driving me up the wall :-(

James

Good morning all,

We have a server with a really old copy of FreeRADIUS logging accounting data to mysql 3.xx. We are now in the process of upgrading to the latest stable of mysql 4 and freeradius.

We've built the system on a separate machine and it works during testing, except it doesn't log anything to mysql. We have authorisation checks using flat files, but use mysql for logging. radtest works fine, nothing in mysql.

radiusd -x shows it connects fine to the mysql server, and mysqld shows it has connected. Yet there is no sqltrace.sql file either. We have confirmed the username/password details can log in, and the table names are correct.

The accounting{} part is as default, with 'sql' right above 'unix'.

Some help would be appreciated. We are at a loss!

Thanks,
James Green

==
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]
Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns.
Re: radius 0.9.3 / mysql 4.0.16: no logging
At Mon, 15 Dec 2003 12:57:24 +, James Green wrote:

ZORBADELOS KONSTANTINOS wrote:

You said you used radiusd -x and not radiusd -X (case is important). Please send the output you receive from radiusd -X. See the rlm_sql and radius_xlat messages. Perhaps something is wrong with the configuration of queries.

At Mon, 15 Dec 2003 10:25:36 +, James Green wrote:

Use radiusd -X and see what happens with the requests. You should see the sql queries that the server tries to execute.

Zorbadelos,

This has been done. That is how I know it connects to the database, but doesn't perform any SQL queries. I can get it to look up the user in the database even, it just refuses to log the result in the database.

It's driving me up the wall :-(

James

Good morning all,

We have a server with a really old copy of FreeRADIUS logging accounting data to mysql 3.xx. We are now in the process of upgrading to the latest stable of mysql 4 and freeradius.

We've built the system on a separate machine and it works during testing, except it doesn't log anything to mysql. We have authorisation checks using flat files, but use mysql for logging. radtest works fine, nothing in mysql.

radiusd -x shows it connects fine to the mysql server, and mysqld shows it has connected. Yet there is no sqltrace.sql file either. We have confirmed the username/password details can log in, and the table names are correct.

The accounting{} part is as default, with 'sql' right above 'unix'.

Some help would be appreciated. We are at a loss!

Thanks,
James Green

==
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]
Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns.
Re: Digital Cert + Username/Password against LDAP = ???
Patrick Mowry [EMAIL PROTECTED] wrote:

I have a requirement for two stage authentication for wireless networks. Before the wireless Windows 2000/XP client is even allowed to reach the domain, it must authenticate to the network with Digital Certs issued from an iPlanet certificate server (EAP-TLS) and also a username/password against LDAP.

Would this be EAP-TTLS?

Yes.

Alan DeKok.
Re: Upgrade questions
Nick Marino [EMAIL PROTECTED] wrote:

Can anyone point in the direction of the best way to upgrade to Freeradius version 0.9.3 from version FreeRADIUS Version 0.8-pre without losing my current configuration?

$ make install

Read the output. It warns you in big letters that it hasn't changed the configuration files.

Alan DeKok.
Re: PEAP problem - HELP PLEASE
[EMAIL PROTECTED] wrote:

In fact could someone try to look at my log, and tell me where is my problem? I would be great!

The log you posted to the list contains a description of what is wrong.

Another point is the configuration of the users file, for peap. I've read the list but nobody gave a real answer to this question.. how this file have to be configured?? I tried :

username Auth-type := EAP , User-password == xxx
or
username Auth-type := Local , User-password == xxx

You often don't need to do anything to the 'users' file. The simplest change to make (if you're not using LDAP or SQL), is to add the tunneled user name, with a password:

tunnel-user User-Password = password

That's it.

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: No LM-Password or NT-Password attribute found. Cannot perform MS-CHAP authentication.

It needs a password.

Alan DeKok.
Re: Help
Shashidhara S Bapat [EMAIL PROTECTED] wrote:

I have a windows user connected through AP600 (NAS), and it is not responding. (I ran 'radiusd' with -X option ..and found it not showing any message, when the windows-user tried to access. It's allowing user to access the NAS without asking for any password).

Then it's a problem with the NAS configuration. Nothing you do to FreeRADIUS will help.

Alan DeKok.
Re: Problem with attr_filter
This is my last message on this topic, in the naive hope that you will pay attention to what I'm saying.

Stephan von Krawczynski [EMAIL PROTECTED] wrote:

You are not wrong, you simply don't listen or don't at least try to understand the problem, again: I have a freeradius 0.8.1 and let it send vendor attributes to a freeradius 0.9.3 proxy that tries to filter _that very same_ vendor attributes and does not recognise them.

Bullshit. Total, absolute, bullshit. I explained why in my previous message. Go back and read it.

_That_ is a real issue. It is likely that 0.8.1 is different somehow regarding vendor info behaviour (maybe buggy, I don't know). My expectation was you had some knowledge about this. Do you?

Yes. I told you to go read dictionary.ascend. You obviously haven't.

To hint again: one is a VSA, one is not. The attributes are incomparable. If the names look similar to you, that's an illusion, and has nothing to do with the problem at hand. If the attribute numbers look similar, that, too, is unimportant.

.. as long as they don't belong to the _same_ dictionary, which is exactly the case here.

Sorry, you're wrong. I could explain why, but you'd just argue with me again.

Why does a packet come out different from 0.8.1 using the same dictionary as 0.9.3 ?

drum roll

Because the dictionaries have changed? And you're too damn lazy to go check? Or, you're too damn proud to follow my instructions?

See, I would have thought you READ my messages, and put 2 and 2 together:

1) go read dictionary.ascend
2) if the attribute isn't being sent as a VSA, update the dictionary so that it IS sent as a VSA.

You did READ the dictionary, to see if the attribute was a VSA, didn't you? You did try to update the dictionary, to make the attribute a VSA, didn't you?

But I doubt you have. You're only asking questions to prove me wrong, and to avoid all of my instructions as to how to fix the problem.

Something that came to my mind while debugging was: is there a (simple) way to make freeradius write a protocol of all access-packets very like the accounting packets' protocol (detail-file)? I mean besides freeradius debugging mode. That would be very handy (I really don't like tcpdump for long-term protocols).

You did read 'radiusd.conf', didn't you? That question is answered there. Obviously not...

Honestly, I don't know why it's so hard for you to read my responses, and do as I say. I do know that I'm wasting my time, and I don't see the point in discussing it any further. I've told you exactly what's wrong, and I've told you exactly how to fix it. Yet that isn't good enough for you. You still argue with me, ignore what I say, and tell me I'm wrong.

I can only conclude that you're uninterested in solving your problem. You're only interested in social gossip on the list.

Alan DeKok.
Re: Upgrade questions
--- Alan DeKok [EMAIL PROTECTED] wrote:

Nick Marino [EMAIL PROTECTED] wrote:

Can anyone point in the direction of the best way to upgrade to Freeradius version 0.9.3 from version FreeRADIUS Version 0.8-pre without losing my current configuration?

$ make install

Read the output. It warns you in big letters that it hasn't changed the configuration files.

Alan DeKok.

yeah I have done that exactly before and it did overwrite my config that is one of the reasons I am asking.
Re: radius 0.9.3 / mysql 4.0.16: no logging
ZORBADELOS KONSTANTINOS wrote:

At Mon, 15 Dec 2003 12:57:24 +, James Green wrote:

ZORBADELOS KONSTANTINOS wrote:

You said you used radiusd -x and not radiusd -X (case is important). Please send the output you receive from radiusd -X. See the rlm_sql and radius_xlat messages. Perhaps something is wrong with the configuration of queries.

Hello again.

Right, we've just had our NAS configured to the same spec that the existing (non-test) one is which logs things fine. Yet we still don't see anything in our database on the test number.

Here's the debug output - I hope someone can point the finger...

rad_recv: Access-Request packet from host 81.20.32.130:2048, id=40, length=317
Attr-172818433 = 0x202449643a2041707469732e76696e666f2020496d6167654e616d653d6665706d64202056657273696f6e3d332e362e32703220204275696c644e756d6265723d3332383420204275696c64446174653d31322f31392f3230303020204275696c6454696d653d31363a33313a333820204d616368696e653d4255494c4430332020557365723d4275696c642020546172676574426f6172643d736363202054617267657450726f636573736f723d50504336303320204272616e63683d7033363220204578702024
NAS-IP-Address = 81.20.32.130
User-Name = [EMAIL PROTECTED]
CHAP-Password = 0x017095d941e007b1ca52c6ee6137cf8d65
Called-Station-Id = 08714719098
Calling-Station-Id = 1493660030
NAS-Port = 17236748
NAS-Port-Type = Async
Framed-Protocol = PPP
Service-Type = Framed-User
modcall: entering group authorize for request 3
modcall[authorize]: module preprocess returns ok for request 3
radius_xlat: '/var/log/radiusd/radacct/81.20.32.130/auth-detail-20031215'
rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/81.20.32.130/auth-detail-20031215
modcall[authorize]: module auth_log returns ok for request 3
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 3
modcall[authorize]: module eap returns noop for request 3
rlm_realm: Looking up realm wapmob for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm wapmob
rlm_realm: Adding Stripped-User-Name = james
rlm_realm: Proxying request from user james to realm wapmob
rlm_realm: Adding Realm = wapmob
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 3
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module sql returns notfound for request 3
users: Matched DEFAULT at 152
users: Matched DEFAULT at 159
modcall[authorize]: module files returns ok for request 3
modcall[authorize]: module mschap returns noop for request 3
modcall: group authorize returns ok for request 3
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password matches local User-Password
Login OK: [james/CHAP-Password] (from client intelliplus port 17236748 cli 1493660030)
modcall: entering group post-auth for request 3
radius_xlat: '/var/log/radiusd/radacct/81.20.32.130/reply-detail-20031215'
rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radiusd/radacct/81.20.32.130/reply-detail-20031215
modcall[post-auth]: module reply_log returns ok for request 3
modcall: group post-auth returns ok for request 3
Re: strange, but minor issue with 0.9.3 and ./debian/rules
So I need to put something into debian/changelog that indicates version 0.9.3 and the debian packaging system will then correctly name the deb files ???

I am trying to learn this stuff, and am at the point I am very dangerous to my systems. :-) I try to proceed with caution in areas I know very little about.

Richard

Richard,

I have instructions on my website for building .deb freeradius packages if you'd like to take a look: http://mrtizmo.com/freeradius/

Step 7 instructs people to change the top of the changelog, which will then be used to name the .deb packages.

Nick

--
Nick Davis
Associate Systems Administrator
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946
Web Development-Web Marketing-ISP Services
Re: radius 0.9.3 / mysql 4.0.16: no logging
> modcall[authorize]: module preprocess returns ok for request 3
> radius_xlat: '/var/log/radiusd/radacct/81.20.32.130/auth-detail-20031215'
> rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/81.20.32.130/auth-detail-20031215
> modcall[authorize]: module auth_log returns ok for request 3
> [snip]
> modcall: entering group post-auth for request 3
> radius_xlat: '/var/log/radiusd/radacct/81.20.32.130/reply-detail-20031215'
> rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radiusd/radacct/81.20.32.130/reply-detail-20031215
> modcall[post-auth]: module reply_log returns ok for request 3
> [snip]
> modcall[accounting]: module sql returns ok for request 4
> radius_xlat: '/var/log/radiusd/radacct/81.20.32.130/detail-20031215'
> rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radiusd/radacct/81.20.32.130/detail-20031215
> modcall[accounting]: module detail returns ok for request 4
> modcall[accounting]: module unix returns ok for request 4
> radius_xlat: '/var/log/radiusd/radutmp'
> radius_xlat: '[EMAIL PROTECTED]'
> modcall[accounting]: module radutmp returns ok for request 4
> modcall: group accounting returns ok for request 4
>
> Please bear in mind that authentication and authorisation is done using flat files, accounting is done in a database. The latter doesn't work.

James,

All of your accounting data is being written to the details files. You must not have put sql in the accounting section of radius.conf.

Also make sure the sql queries in sql.conf are correct for the radacct table.

Take a look at my radius.conf for reference to using mysql for accounting and user/pass/groups (auth). http://mrtizmo.com/freeradius/

Hope some of this helps!

Nick
--
Nick Davis
Associate Systems Administrator
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946
Web Development-Web Marketing-ISP Services
Re: Testers Please - MySQL and PostgreSQL compatability patch
I hoped these patches would have been applied to CVS by now, but they haven't.

If anyone is interested in PostgreSQL support for freeradius, please check out the site I have set up, and send feedback if you find any problems.

I have verified my patch against the CVS as of 2003 Dec 15 10:15.

Have a nice day

Guy Fraser wrote:
> This patch has been made against the CVS tree, I have verified that it applies to the CVS as of Dec 10 16:11 2003 MDT. This is a unified patch that will patch the radiusd directory.
>
> I have solved all the compatibility issues between MySQL and PostgreSQL for Dialup Admin, as far as I can tell. I tested all the dialupadmin interfaces with PostgreSQL and MySQL. They both work and all I have to do to switch between them is change the sql driver and port in conf/admin.conf.
>
> I have done a considerable amount of work getting this code to work with PostgreSQL and ensuring that MySQL works without having to modify the SQL tables, data or any of the other config files.
>
> It is dead easy to see that the code works. I have provided a patch, some sample data for both MySQL and PostgreSQL and a demo site running with both configurations.
>
> The homepage for the site is at : http://sphinx.incentre.net/
>
> Please have a look, and get back to me with your suggestions. I would like to see this put into cvs soon. I have a fair amount of other development to do, and don't want to have too many patch levels to maintain.
>
> For the non developers watching this post, these are the steps required to test this patch :
>
>     mkdir test-dir
>     cd test-dir
>     cvs -d :pserver:[EMAIL PROTECTED]:/source login
>     (enter the password : anoncvs)
>     cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd
>     cvs -d :pserver:[EMAIL PROTECTED]:/source logout
>     patch < dialupadmin-pg-compatability.patch
>
> The radiusd directory should now be patched.
>
> I will put the patches for the dialup_admin/bin files once I get feedback.
>
> RSVP

--
Guy Fraser
Network Administrator
The Internet Centre
780-450-6787 , 1-888-450-6787

There is a fine line between genius and lunacy, fear not, walk the line with pride. Not all things will end up as you wanted, but you will certainly discover things the meek and timid will miss out on.
Re: Upgrade questions
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> yeah I have done that exactly before and it did overwrite my config that is one of the reasons I am asking.

That must have been a very old version of the server. The current version does not overwrite any files in raddb/

Alan DeKok.
Re: Support for Safeword tokens in synchronous mode
Szelepcsenyi Robert [EMAIL PROTECTED] wrote:
> I would like to replace the Safeword server with some open source software, if possible. However, we are using tokens in synchronous mode for dialup, VPN etc. Freeradius seems to support Safeword Tokens in asynchronous mode only. I would like to ask whether synchronous mode is planned sometime in the future.

Nope.

> I have not been able to find any specs concerning the synchronous mode. I also tried to extract the counter value from import0.dat (it is the last item of a record), but encrypting it using the DES key did not yield the desired password.

Without the algorithm, it's impossible to implement. And if the algorithm is patented, it's even more impossible to implement.

Alan DeKok.
Re: radius 0.9.3 / mysql 4.0.16: no logging
Nick Davis wrote:
> James,
> All of your accounting data is being written to the details files. You must not have put sql in the accounting section of radius.conf.

You mean this?:

accounting {
    #
    #  Ensure that we have a semi-unique identifier for every
    #  request, and many NAS boxes are broken.
    acct_unique

    sql

    #
    #  Create a 'detail'ed log of the packets.
    #  Note that accounting requests which are proxied
    #  are also logged in the detail file.
    detail
#   daily

    unix        # wtmp file

    #
    #  For Simultaneous-Use tracking.
    #
    #  Due to packet losses in the network, the data here
    #  may be incorrect. There's little we can do about it.
    radutmp
#   sradutmp

    #  Return an address to the IP Pool when we see a stop record.
#   main_pool
}

Been there for some time.

> Also make sure the sql queries in sql.conf are correct for the radacct table.

I've not touched them. The only thing I did was make it use radacct_table1/table2, for which I searched and replaced.

mysql.err shows nothing, and I've logged into the mysql server using the radius user account and successfully inserted some data.

I find it suspicious that although I see SQL queries to SELECT data in the authorisation and authentication phase, I see no SQL being performed for accounting data.

> Take a look at my radius.conf for reference to using mysql for accounting and user/pass/groups (auth). http://mrtizmo.com/freeradius/

Thanks for this, can't see much in there that's different to mine!

James

> Hope some of this helps!
> Nick
Denying Access by NAS-Port-Type
Is it possible to deny an Access-Request by the NASPortType? The current issue at hand is as follows:

Our RADIUS servers handle the authentication for standard 56K dial-up, 64K ISDN, and 128K ISDN. The current problem is that if somebody purchases a dial-up account (which is restricted to Simultaneous-Use 1), they can obtain a 64K ISDN connection, without paying the additional fee for the service.

So, since dial-up gets reported as NASPortType Async and ISDN is reported as ISDN, I was wondering if populating 'radgroupcheck' for the DialUp group with 'NASPortType' Async would disallow somebody from making a 64K ISDN connection when their 'radgroup' group is set for the DialUp group.

Thanks,

--Josh Snyder, Linux/UNIX Systems Administrator
NetNITCO Internet Services
[EMAIL PROTECTED]
Re: MySQL Help!
Deramus, Chris [EMAIL PROTECTED] wrote:
> What file(s) should I run ldd against?

rlm_sql_mysql.so

Alan DeKok.
Re: There are no DB handles to use! skipped 0, tried to connect 0
Ripunjay Bararia [EMAIL PROTECTED] wrote:
> --- radius.log begin ---
> Mon Dec 15 12:30:23 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0

Find out why your SQL database is slow.

Alan DeKok.
Re: Upgrade questions
--- Alan DeKok [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > yeah I have done that exactly before and it did overwrite my config that is one of the reasons I am asking.
>
> That must have been a very old version of the server. The current version does not overwrite any files in raddb/
>
> Alan DeKok.

So the config files are completely the same between versions? Are any modifications needed on the config files after the install or will 0.9.3 run with 0.8 pre config files? What about new fields in the mysql database are they also the same?
Re: Denying Access by NAS-Port-Type
NetNITCO Systems Administration [EMAIL PROTECTED] wrote:
> So, since dial-up gets reported as NASPortType Async and ISDN is reported as ISDN, I was wondering if populating 'radgroupcheck' for the DialUp group with 'NASPortType' Async would disallow somebody from making a 64K ISDN connection when their 'radgroup' group is set for the DialUp group.

It should work. Check, though, that the NAS is actually sending Async.

This should let the ISDN people also do dial-up, but will prevent the dial-up people from using ISDN.

Alan DeKok.
Re: Upgrade questions
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> So the config files are completely the same between versions?

No.

> Are any modifications needed on the config files after the install or will 0.9.3 run with 0.8 pre config files?

Maybe.

> What about new fields in the mysql database are they also the same?

I don't recall.

Alan DeKok.
Re: Denying Access by NAS-Port-Type
On Mon, 2003-12-15 at 10:51, Alan DeKok wrote:
> It should work. Check, though, that the NAS is actually sending Async.

I checked the 'radacct' table to verify that our HiPerARCs are sending Async for dial-up and ISDN for ISDN.

> This should let the ISDN people also do dial-up, but will prevent the dial-up people from using ISDN.

That was my thought as well. Obviously, if you're paying for 64K ISDN, but for some reason you need to use standard dial-up, you should be able to.

Thanks a lot Alan!

--Josh
Re: Auth: Login incorrect:
Thanks for the patched log_badlogins, it takes care of the issue for me and is greatly appreciated. Thanks also to all who replied with other solutions.

Guy Fraser wrote:
> You have to configure and run dialup_admin/bin/log_badlogins to process your radius.log file and put the entries into your DB.
>
> I have written a patch that makes log_badlogins use the raddb/clients.conf file to determine the NAS-IP-Address. This patch is not in CVS yet, I am waiting for some more important patches to be applied to CVS before I resubmit this patch.
>
> Here is a patched version for you to try.
>
> Joe Bonow wrote:
> > Hello:
> > After searching the limited archive I am unable to find info on how to have the Login Incorrect return the name of the nas that the login failed on. As an example my radius.log file shows this line:
> >
> > Thu Dec 11 11:42:17 2003 : Auth: Login incorrect: [test/abc] (from client ip99 port 1)
> >
> > I am using dialup admin to check for bad logins and after reviewing the script it seems that the ip99 response should be more along the lines of say nameofnas or nameofnas.domain. Any help would be appreciated. Oh I am using a Livingston Portmaster 2e as the nas and the version of freeradius I am running is 0.9.2.
> >
> > Thanks in advance for assistance.

#!/usr/bin/perl
#
# Log failed logins in the sql database
# Works only with mysql and postgresql {look for PG and change commented lines}
# It will read the sql parameters from the admin.conf file
#
# Usage:
# log_badlogins radius.log [admin.conf] [all]
#
# Defaults:
# radius.log: none
# admin.conf: /usr/local/dialup_admin/conf/admin.conf
# all:        no. Go to the end of the file. Don't read it all.

use Date::Manip qw(ParseDate UnixDate);
use Digest::MD5;
$|=1;

$file=shift||'none';
$conf=shift||'/usr/local/dialup_admin/conf/admin.conf';
$all_file=shift||'no';
#
#
# CHANGE THESE TO MATCH YOUR SETUP
#
#$regexp = 'from client localhost port 135|from client blabla ';
$tmpfile='/var/tmp/sql.input';
#
#

# Read the key: value settings from admin.conf
open CONF, "<$conf"
    or die "Could not open configuration file\n";
while(<CONF>){
    chomp;
    ($key,$val)=(split /:\s*/,$_);
    $sql_server = $val if ($key eq 'sql_server');
    $sql_username = $val if ($key eq 'sql_username');
    $sql_password = $val if ($key eq 'sql_password');
    $sql_database = $val if ($key eq 'sql_database');
    $sql_accounting_table = $val if ($key eq 'sql_accounting_table');
    $realm_strip = $val if ($key eq 'general_strip_realms');
    $realm_del = $val if ($key eq 'general_realm_delimiter');
    $realm_for = $val if ($key eq 'general_realm_format');
    $domain = $val if ($key eq 'general_domain');
    $sql_timeout = $val if ($key eq 'sql_connect_timeout');
    $sql_extra = $val if ($key eq 'sql_extra_servers');
    $sqlcmd = $val if ($key eq 'sql_command');
    $clients = $val if ($key eq 'general_clients_conf');
}
close CONF;

# Map each client shortname in clients.conf to its IP address
open CLIENTS, "<$clients"
    or die "Could not open $clients file\n";
while(<CLIENTS>){
    chomp;
    s/^\s*//g;
    s/\s*#.*//g;
    if (!/^\s*$/ && /=/) {
        ($key,$val)=(split /\s*=\s*/,$_);
        $client_short = $val if ($key eq 'shortname');
    } else {
        if (/\{/) {
            s/.*client\s+([^\s]*)\s+\{.*$/$1/;
            if (/^\d+\.\d+\.\d+\.\d+/) {
                $client = $_;
            } else {
                if (/\./ || /localhost/) {
                    $name = $_ ;
                } else {
                    $name = $_.".".$domain;
                }
                $addr = gethostbyname $name;
                ($a,$b,$c,$d)=unpack('C4',$addr);
                $client = "$a.$b.$c.$d";
                #DEBUG# print $name." = ".$client."\n";
            }
        } else {
            if (/\}/) {
                $client_array{$client_short} .= $client;
            }
        }
    }
}
close CLIENTS;

$realm_del = '@' if ($realm_del eq '');
$realm_for = 'suffix' if ($realm_for eq '');
# The password is later passed to the sql client as a command-line argument
$pass = ($sql_password ne '') ? "-p$sql_password" : '';
die "SQL server not defined\n" if ($sql_server eq '');
die "sql_command directive is not set in admin.conf\n" if ($sqlcmd eq '');
die "Could not find sql binary. Please make sure that the \$sqlcmd variable points to the right location\n" if (! -x $sqlcmd);

$opt = "-O connect_timeout=$sql_timeout" if ($sql_timeout);
@servers = (split /\s+/,$sql_extra) if ($sql_extra ne '');
unshift @servers, $sql_server;

open LOG, "<$file"
    or die "Could not open file $file\n";
seek LOG, 0, 2 if ($all_file eq 'no');
for(;;){
    while(<LOG>){
MySQL Success
To all,

I finally got it, go figure it was a very obvious answer. I simply re-configured FreeRADIUS using the ./configure --with-static-modules="sql sql_mysql" command. When I executed a make, it errored out saying it could not find ../modules/rlm_sql_mysql. I simply made a symbolic link to include the rlm_sql_mysql sub-directory in the ../modules/ directory and re-ran make. Everything works great now, thanks!

Cordially,

Chris DeRamus
OCIO VPN Administrator
SAIC

-Original Message-
From: Deramus, Chris
Sent: Sunday, December 14, 2003 11:09 PM
To: '[EMAIL PROTECTED]'
Subject: RE: MySQL Help!

Chris,

Thanks for the input, however, when I updated the configure script with your extra code configure would not find lmysqlclient and prompted that I specify the path to the library files by using --with-mysql-lib=

When I put in the path to the MySQL library files, it still would not find lmysqlclient. Any other thoughts? If I get it I'll be sure to let you know what it was, thanks so much.

Chris DeRamus
OCIO VPN Administrator
SAIC

-Original Message-
From: Chris Parker [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 12, 2003 5:14 PM
To: [EMAIL PROTECTED]
Subject: Re: MySQL Help!

At 03:42 PM 12/12/2003, Rob Genovesi wrote:
> oh boy, I remember kicking this around for ever as well ...
>
> My solution was to 1) be sure you have development rpms installed and 2) do not use "--disable-shared" when running configure. I don't know exactly why this changed things, but compiling with shared libraries it was able to find and use all the necessary mysql libs and includes.
>
> I installed the following MySQL rpms (Redhat) :
>
> MySQL-devel-4.0.16-0
> MySQL-shared-compat-4.0.16-0
> MySQL-client-4.0.16-0
> MySQL-server-4.0.16-0

Aha. Mysql4 changes some stuff. On Solaris we had to change some of the Makefiles manually to get all of the appropriate libs included to build the rlm_mysql driver built. It may be the same on RH as well.

Helpfully, MySQL 3 build syntax is not totally workable with MySQL 4 at least as far as FR is concerned.

-Chris
--
StarNet Inc. / Chris Parker
WX *is* Wireless! / Director, Engineering
http://www.starnetwx.net / (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Cisco VPN3000 with freeradius
Hello there,

I am successfully authenticating Certificate users against freeradius 0.9.0 (from suse 9.0).

BUT: only the 'first' time. That means:

wait a 'long' time (av. 15 min)
authentication successful
wait a very short time
authentication fails
wait
authentication fails
wait 'long' time
authentication successful

The debug from the radius shows nothing special:

---
rad_recv: Access-Request packet from host 10.1.50.10:1064, id=38, length=125
    User-Name = TC_TEST
    User-Password = 12345
    NAS-Port = 0
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Called-Station-Id = 10.1.50.10
    Calling-Station-Id = 10.1.3.132
    Tunnel-Client-Endpoint:0 = 10.1.3.132
    Attr-201588758 = 0x0001
    NAS-IP-Address = 10.1.50.10
    NAS-Port-Type = Virtual
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module chap returns noop
rlm_eap: EAP-Message not found
modcall[authorize]: module eap returns noop
rlm_realm: No '@' in User-Name = TC_TEST, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
users: Matched TC_TEST at 76
modcall[authorize]: module files returns ok
modcall[authorize]: module mschap returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 38 to 10.1.50.10:1064
    CVPN3000-IPSec-Banner1 = Authenticated by FREERADIUS
    Class = 0x46524545524144495553
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 38 with timestamp 3fde1931
Nothing to do. Sleeping until we see a request.
---

The CISCO Access Control Server ACS did not show this behaviour.

I searched the archive and the FAQ and didn't find anything...

Has someone seen this before?

regards,
Arne
---
Datenzentrale Schleswig-Holstein
Altenholzer Str. 10-14, 24161 Altenholz, Germany
http://www.dzsh.de/
mailto:[EMAIL PROTECTED]
Tel: +49.431.3295.6840
Fax: +49.431.3295.410
accounting_stop request: bigint
Using Postgresql 4.7 and FreeRadius 0.9.3 on FreeBSD 5.1.

On sending an Accounting Stop Request to Freeradius I get some errors, in summary: invalid input syntax for type bigint:

Below is the error log, and below the log is the standard part of postgresql.conf. I am using it unmodified.

Nothing to do. Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.0.1:3306, id=21, length=38
    User-Name = clint
    Acct-Status-Type = Stop
    Acct-Session-Id = 816
modcall: entering group preacct for request 3
modcall[preacct]: module preprocess returns noop for request 3
rlm_realm: No '@' in User-Name = clint, looking up realm NULL
rlm_realm: No such realm NULL
modcall[preacct]: module suffix returns noop for request 3
modcall: group preacct returns noop for request 3
modcall: entering group accounting for request 3
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.0.1,NAS-IP-Address = 192.168.0.1,Acct-Session-Id = 816,User-Name = clint'
rlm_acct_unique: Acct-Unique-Session-ID = 38a313dce3842355.
modcall[accounting]: module acct_unique returns ok for request 3
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.0.1/detail-20031213'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/detail-20031213
modcall[accounting]: module detail returns ok for request 3
modcall[accounting]: module unix returns noop for request 3
radius_xlat: 'clint'
rlm_sql (sql): sql_set_user escaped user -- 'clint'
radius_xlat: 'UPDATE radacct SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '', AcctInputOctets = (('0'::bigint << 32) + '0'::bigint), AcctOutputOctets = (('0'::bigint << 32) + '0'::bigint), AcctTerminateCause = '', AcctStopDelay = '0', FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = '' WHERE AcctSessionId = '816' AND UserName = 'clint' AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL'
radius_xlat: '/usr/local/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_postgresql: query: UPDATE radacct SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '', AcctInputOctets = (('0'::bigint << 32) + '0'::bigint), AcctOutputOctets = (('0'::bigint << 32) + '0'::bigint), AcctTerminateCause = '', AcctStopDelay = '0', FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = '' WHERE AcctSessionId = '816' AND UserName = 'clint' AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_postgresql #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql_postgresql: query: UPDATE radacct SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '', AcctInputOctets = (('0'::bigint << 32) + '0'::bigint), AcctOutputOctets = (('0'::bigint << 32) + '0'::bigint), AcctTerminateCause = '', AcctStopDelay = '0', FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = '' WHERE AcctSessionId = '816' AND UserName = 'clint' AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning SQL_DOWN
rlm_sql (sql): failed after re-connect
rlm_sql (sql): Couldn't update SQL accounting STOP record - ERROR: invalid input syntax for type bigint:
rlm_sql (sql): Released sql socket id: 1
modcall[accounting]: module sql returns fail for request 3
modcall: group accounting returns fail for request 3
Finished request 3
Going to the next request
--- Walking the entire request list ---
Cleaning up request 3 ID 21 with timestamp 3fdb4e3b
Nothing to do. Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.0.1:3307, id=22, length=38
    User-Name = clint
    Acct-Status-Type = Stop
    Acct-Session-Id = 816
modcall: entering group preacct for request 4
modcall[preacct]: module preprocess returns noop for request 4
rlm_realm: No '@' in User-Name = clint, looking up realm NULL
rlm_realm: No such realm NULL
modcall[preacct]: module suffix returns noop for request 4
modcall: group preacct returns noop for request 4
modcall: entering group accounting for request 4
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.0.1,NAS-IP-Address = 192.168.0.1,Acct-Session-Id = 816,User-Name = clint'
rlm_acct_unique: Acct-Unique-Session-ID = 38a313dce3842355.
modcall[accounting]: module acct_unique returns ok for request 4
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.0.1/detail-20031213'
RE: There are no DB handles to use! skipped 0, tried to connect 0
thanks Alan, for the comment,

My SQL server and FR are running on the same box, will separating them be a good idea,

I need to do AAA for about 1500 concurrent users what kind of a machine would I need for FR and how much load will it put on the MySQL server so that I can scale both of the machines accordingly

currently both are running on
P-IV 2.6
Intel 856 based board
512MB DDR 266Mhz
9.1GB X 2 SCSI disks

thanks
Ripunjay Bararia

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Monday, December 15, 2003 10:19 PM
To: [EMAIL PROTECTED]
Subject: Re: There are no DB handles to use! skipped 0, tried to connect 0

Ripunjay Bararia [EMAIL PROTECTED] wrote:
> --- radius.log begin ---
> Mon Dec 15 12:30:23 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0

Find out why your SQL database is slow.

Alan DeKok.
Acct users
Hi everybody.

I am trying to set up a freeradius, but I can't execute an external program in the acct_users file. It takes no action. Does anyone know how to set it up?

thanks

Lucas Oliveira
Web Manager
Prompt Tecnologia
www.prompt-tecnologia.com.br
Re: There are no DB handles to use! skipped 0, tried to connect 0
Ripunjay Bararia [EMAIL PROTECTED] wrote:
> My SQL server and FR are running on the same box, will separating them be a good idea,

It shouldn't matter.

> I need to do AAA for about 1500 concurrent users what kind of a machine would I need for FR

Almost any machine available today will do this easily.

> and how much load will it put on the MySQL server

Almost no load.

Something in your SQL database is taking a long time, and preventing the server from working properly. Find out what that is, and the server will be OK.

I don't know much about SQL, so I can't help you there, sorry.

Alan DeKok.
Re: Cisco VPN3000 with freeradius
Spetzler, Arne (DZ-SH) [EMAIL PROTECTED] wrote:
> I am successfully authenticating Certificate users against freeradius 0.9.0 (from suse 9.0).
>
> BUT: only the 'first' time. That means:
>
> wait a 'long' time (av. 15 min)
> authentication successful

This has nothing to do with FreeRADIUS. If the client/NAS doesn't contact the server, there's nothing that FreeRADIUS can do to speed up the process.

> The CISCO Access Control Server ACS did not show this behaviour.

I would suggest seeing what attributes are sent back from the Cisco server, and make FreeRADIUS send back the same attributes.

Whatever the problem is, that is the only fix.

Alan DeKok.
How to start/stop/restart FR
hi

just had this silly question

what is the preferred/normal way to start/stop/restart FR running on a RedHat box with or without init.d scripts

Ripunjay Bararia
RE: How to start/stop/restart FR
Ripunjay,

I have been running FreeRADIUS successfully for over a year on various versions of Redhat. I simply just copied the radiusd executable into /etc/init.d and created a symbolic link to this file in /etc/rc3.d

Each time the machine is restarted or powered on it will then start this process. When I terminate the process I usually just executed a pkill -9 rad which is not the recommended way but it's a bad habit that I have :).

Thanks,

Chris DeRamus
OCIO VPN Administrator
SAIC

-Original Message-
From: Ripunjay Bararia [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 15, 2003 2:45 PM
To: [EMAIL PROTECTED]
Subject: How to start/stop/restart FR

hi

just had this silly question

what is the preferred/normal way to start/stop/restart FR running on a RedHat box with or without init.d scripts

Ripunjay Bararia
RE: There are no DB handles to use! skipped 0, tried to connect 0
Thanks Alan

I will try to see what can be done about the MySQL interface

thanks
Ripunjay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Tuesday, December 16, 2003 1:08 AM
To: [EMAIL PROTECTED]
Subject: Re: There are no DB handles to use! skipped 0, tried to connect 0

Ripunjay Bararia [EMAIL PROTECTED] wrote:
> My SQL server and FR are running on the same box, will separating them be a good idea,

It shouldn't matter.

> I need to do AAA for about 1500 concurrent users what kind of a machine would I need for FR

Almost any machine available today will do this easily.

> and how much load will it put on the MySQL server

Almost no load.

Something in your SQL database is taking a long time, and preventing the server from working properly. Find out what that is, and the server will be OK.

I don't know much about SQL, so I can't help you there, sorry.

Alan DeKok.
Re: response-authenticator decrypt fail
Finally I found the problem. Looks like the Cisco router messed up the secrets of different Radius Servers. I have two Radius Servers configured on the same router for different purposes. When both of them are enabled, neither of them is working. The same error message comes out. But if only one is enabled, there is no problem.

- Original Message -
From: Bo [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 12, 2003 4:49 PM
Subject: Re: response-authenticator decrypt fail

Did anyone experience the same problem? Your help is really appreciated.

Thanks,

- Original Message -
From: Bo [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 11, 2003 2:08 PM
Subject: Re: response-authenticator decrypt fail

I have double checked the shared secret on both sides. I even changed it from 15 digits to 10 digits. Still I got the same Error. Any idea?

Thanks.

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 11, 2003 1:48 PM
Subject: Re: response-authenticator decrypt fail

Bo [EMAIL PROTECTED] wrote:
> I installed the FreeRadius 0.9.3 on Redhat 8.0 and did some tests with the Cisco AS5400 for authenticating the dial-up users. From the server side, everything was OK and it sent the Access-Accept back. But unfortunately I got the following error message on AS5400.

Your shared secret is wrong.

Alan DeKok.
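The failure discussed in this thread, as an added example that is not part of the original posts: a RADIUS reply carries a Response Authenticator computed per RFC 2865 as MD5(Code + ID + Length + Request Authenticator + Attributes + Secret), so a NAS that checks a reply with the secret of a different server rejects a perfectly valid Access-Accept. The server names, secrets and packet contents below are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2      # packet code, RFC 2865
REPLY_MESSAGE = 18     # attribute type, RFC 2865

# Constructed per-server secrets, as a NAS with two RADIUS servers would hold.
SECRETS = {
    "server-a": b"secret-for-a-123",
    "server-b": b"secret-for-b-456",
}


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, counts the 2 header bytes), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_response(code: int, ident: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """What the server does: sign the reply with the shared secret."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    response_auth = hashlib.md5(
        header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, ident: int, request_auth: bytes,
                    secret: bytes) -> bool:
    """What the NAS does: recompute the digest with ITS copy of the secret."""
    if len(packet) < 20:
        return False
    _code, pkt_ident, length = struct.unpack("!BBH", packet[:4])
    if pkt_ident != ident or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]  # ignore padding after the declared length
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def scenario() -> dict:
    """server-a answers correctly; the NAS checks with three different views."""
    request_auth = bytes(range(16))  # constructed; a real NAS sends random bytes
    attrs = encode_attribute(REPLY_MESSAGE, b"Authenticated by server-a")
    reply = build_response(ACCESS_ACCEPT, 38, request_auth, attrs,
                           SECRETS["server-a"])
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])
    return {
        "right_secret": verify_response(
            reply, 38, request_auth, SECRETS["server-a"]),
        "other_servers_secret": verify_response(
            reply, 38, request_auth, SECRETS["server-b"]),
        "tampered_attribute": verify_response(
            tampered, 38, request_auth, SECRETS["server-a"]),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The server never learns that its reply was rejected, which is why the server-side log shows a normal Access-Accept while the NAS reports an authenticator failure.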
RE: There are no DB handles to use! skipped 0, tried to connect 0
On Tue, 16 Dec 2003, Ripunjay Bararia wrote:

> thanks Alan, for the comment,
> My SQL server and FR are running on the same box, will separating them be a good idea, I need to do AAA for about 1500 concurrent users what kind of a machine would I need for FR and how much load will it put on the MySQL server so that I can scale both of the machines accordingly
> currently both are running on P-IV 2.6 Intel 856 based board 512MB DDR 266Mhz 9.1GB X 2 SCSI disks

The hardware is more than adequate. And there's no need to separate them. Read doc/tuning_guide and especially the section on the sql module. In general for mysql EXPLAIN SELECT is your friend. Run all the SELECT queries (and also transform all the UPDATE queries to corresponding SELECT queries) through an EXPLAIN SELECT statement to see how many candidate rows are there. Example outputs:

mysql> explain select * from radacct where acctstoptime is null;
+---------+------+---------------+--------------+---------+-------+------+-------------+
| table   | type | possible_keys | key          | key_len | ref   | rows | Extra       |
+---------+------+---------------+--------------+---------+-------+------+-------------+
| radacct | ref  | AcctStopTime  | AcctStopTime |       8 | const |  315 | Using where |
+---------+------+---------------+--------------+---------+-------+------+-------------+
1 row in set (0.02 sec)

mysql> explain select * from radacct where acctstoptime = '2003-12-15 21:00:00';
+---------+------+---------------+--------------+---------+-------+------+-------------+
| table   | type | possible_keys | key          | key_len | ref   | rows | Extra       |
+---------+------+---------------+--------------+---------+-------+------+-------------+
| radacct | ref  | AcctStopTime  | AcctStopTime |       8 | const |    1 | Using where |
+---------+------+---------------+--------------+---------+-------+------+-------------+

The rows and possible_keys columns are important. If you see that the candidate rows are more than a few, or that an index is never used, for example:

mysql> explain select * from radacct where acctterminatecause = 'User-Request';
+---------+------+---------------+------+---------+------+--------+-------------+
| table   | type | possible_keys | key  | key_len | ref  | rows   | Extra       |
+---------+------+---------------+------+---------+------+--------+-------------+
| radacct | ALL  | NULL          | NULL |    NULL | NULL | 971518 | Using where |
+---------+------+---------------+------+---------+------+--------+-------------+
1 row in set (0.00 sec)

then you should either rearrange your queries to use a proper index (like using the acctuniqueid column in the accounting_stop query) or add a corresponding index. If you are using MySQL 3.X maybe you should think of moving to 4.X and to the InnoDB tables (instead of MyISAM which have global instead of per row locking).

Hope the above was helpful.

> thanks
> Ripunjay Bararia
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
> Sent: Monday, December 15, 2003 10:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: There are no DB handles to use! skipped 0, tried to connect 0
>
> Ripunjay Bararia [EMAIL PROTECTED] wrote:
> > --- radius.log begin ---
> > Mon Dec 15 12:30:23 2003 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
>
> Find out why your SQL database is slow.
>
> Alan DeKok.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
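Added example, not from the original message: the audit described above (rewrite each UPDATE as a SELECT, ask the planner, flag full scans), run over a cut-down radacct table. It uses SQLite's EXPLAIN QUERY PLAN in place of MySQL's EXPLAIN SELECT so that it runs offline; the schema, index names and sample queries are constructed.

```python
import re
import sqlite3

# Constructed, cut-down radacct table with only the acctstoptime index.
SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY,
    acctuniqueid       TEXT,
    username           TEXT,
    acctstoptime       TEXT,
    acctterminatecause TEXT
);
CREATE INDEX idx_acctstoptime ON radacct (acctstoptime);
"""

# Constructed sample queries in the style of the thread.
QUERIES = {
    "open_sessions": "SELECT * FROM radacct WHERE acctstoptime IS NULL",
    "accounting_stop": (
        "UPDATE radacct SET acctstoptime = '2003-12-15 21:00:00' "
        "WHERE acctuniqueid = '38a313dce3842355' AND acctstoptime IS NULL"
    ),
    "by_terminate_cause": (
        "SELECT * FROM radacct WHERE acctterminatecause = 'User-Request'"
    ),
}

UPDATE_RE = re.compile(
    r"^\s*UPDATE\s+(\w+)\s+SET\s+.*?\s+WHERE\s+(.*)$", re.I | re.S
)


def to_select(query):
    """Turn UPDATE t SET ... WHERE c into SELECT * FROM t WHERE c."""
    m = UPDATE_RE.match(query)
    if m:
        return "SELECT * FROM %s WHERE %s" % (m.group(1), m.group(2))
    return query


def plan(conn, query):
    """Return the planner's description lines for the query."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + to_select(query)).fetchall()
    return [row[3] for row in rows]      # 4th column holds the detail text


def full_scans(conn, queries):
    """Names of queries whose plan reads the whole table (no usable index)."""
    return sorted(
        name for name, q in queries.items()
        if any(step.startswith("SCAN") for step in plan(conn, q))
    )


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    before = full_scans(conn, QUERIES)
    # The fix suggested in the message: add the corresponding index.
    conn.execute(
        "CREATE INDEX idx_terminatecause ON radacct (acctterminatecause)"
    )
    after = full_scans(conn, QUERIES)
    conn.close()
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("full scans before:", before)
    print("full scans after: ", after)
```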
Re: There are no DB handles to use! skipped 0, tried to connect 0
I had this very same error several times. This answer may be way off base, but I found that MySQL was putting mysql.sock in /tmp. I changed /etc/my.conf to socket = /var/lib/mysql/mysql.sock and it fixed it. Again, I am no expert in MySQL or FreeRADIUS but I am learning.

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 15, 2003 1:37 PM
Subject: Re: There are no DB handles to use! skipped 0, tried to connect 0

Ripunjay Bararia [EMAIL PROTECTED] wrote:
> My SQL server and FR are running on the same box, will separating them be a good idea,

It shouldn't matter.

> I need to do AAA for about 1500 concurrent users what kind of a machine would I need for FR

Almost any machine available today will do this easily.

> and how much load will it put on the MySQL server

Almost no load.

Something in your SQL database is taking a long time, and preventing the server from working properly. Find out what that is, and the server will be OK. I don't know much about SQL, so I can't help you there, sorry.

Alan DeKok.
Re: accounting_stop request: bigint
On Mon, Dec 15, 2003 at 12:56:53PM -0600, Click Chebon wrote:
> Using Postgresql 4.7

I hope you mean 7.4 ;)

> rad_recv: Accounting-Request packet from host 192.168.0.1:3306, id=21, length=38
> User-Name = clint
> Acct-Status-Type = Stop
> Acct-Session-Id = 816
...
> radius_xlat: 'UPDATE radacct
> ??SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '',
>                                                                 ^^^
> ??AcctInputOctets = (('0'::bigint 32) + '0'::bigint),
> ??AcctOutputOctets = (('0'::bigint 32) + '0'::bigint),
> ??AcctTerminateCause = '', AcctStopDelay = '0',
> ??FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = ''
> ??WHERE AcctSessionId = '816' AND UserName = 'clint'
> ??AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL'

There's no Acct-Session-Time in the request. Try using %{Acct-Session-Time:-0} in accounting_stop_query.

--
Fduch M. Pravking
Re: accounting_stop request: bigint
Check the Acct_Session-Time in /usr/local/var/log/radius/radacct/192.168.0.1/detail-20031213 for the stop record of session 816.

The sql is attempting to set
AcctSessionTime = ''
AcctSessionTime is a bigint, and '' is not an integer, that is why you are getting the error.

Click Chebon wrote:
> Using Postgresql 4.7 and FreeRadius 0.9.3 on FreeBSD 5.1
> On sending an Accounting Stop Request to Freeradius I get some errors in summary
> invalid input syntax for type bigint:
> below is the error log and Below the log is the standard part of postgresql.conf I am using it unmodified
>
> Nothing to do. Sleeping until we see a request.
> rad_recv: Accounting-Request packet from host 192.168.0.1:3306, id=21, length=38
> User-Name = clint
> Acct-Status-Type = Stop
> Acct-Session-Id = 816
> modcall: entering group preacct for request 3
> modcall[preacct]: module preprocess returns noop for request 3
> rlm_realm: No '@' in User-Name = clint, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[preacct]: module suffix returns noop for request 3
> modcall: group preacct returns noop for request 3
> modcall: entering group accounting for request 3
> rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, unique ID MAY be inconsistent
> rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.0.1,NAS-IP-Address = 192.168.0.1,Acct-Session-Id = 816,User-Name = clint'
> rlm_acct_unique: Acct-Unique-Session-ID = 38a313dce3842355.
> modcall[accounting]: module acct_unique returns ok for request 3
> radius_xlat: '/usr/local/var/log/radius/radacct/192.168.0.1/detail-20031213'
> rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/detail-20031213
> ...snip...
> rlm_sql (sql): Connected new DB handle, #1
> rlm_sql_postgresql: query: UPDATE radacct
> ??SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '',
> ??AcctInputOctets = (('0'::bigint 32) + '0'::bigint),
> ??AcctOutputOctets = (('0'::bigint 32) + '0'::bigint),
> ??AcctTerminateCause = '', AcctStopDelay = '0',
> ??FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = ''
> ??WHERE AcctSessionId = '816' AND UserName = 'clint'
> ??AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL
> rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
> rlm_sql_postgresql: affected rows =
> rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning SQL_DOWN
> rlm_sql (sql): failed after re-connect
> rlm_sql (sql): Couldn't update SQL accounting STOP record - ERROR: invalid input syntax for type bigint:
> ...snip...
Re: accounting_stop request: bigint
I did mean Postgresql 7.4 whoops fat fingers today After the suggested change There's no Acct-Session-Time in the request. Try using %{Acct-Session-Time:-0} in accounting_stop_query. now i receive the following : rad_recv: Accounting-Request packet from host 192.168.0.1:3358, id=30, length=44 User-Name = clint Acct-Status-Type = Stop Acct-Session-Id = 816 Termination-Action = RADIUS-Request modcall: entering group preacct for request 0 modcall[preacct]: module preprocess returns noop for request 0 rlm_realm: No '@' in User-Name = clint, looking up realm NULL rlm_realm: No such realm NULL modcall[preacct]: module suffix returns noop for request 0 modcall: group preacct returns noop for request 0 modcall: entering group accounting for request 0 rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, unique ID MAY be inconsistent rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.0.1,NAS-IP-Address = 192.168.0.1,Acct-Session-Id = 816,User-Name = clint' rlm_acct_unique: Acct-Unique-Session-ID = 38a313dce3842355. 
modcall[accounting]: module acct_unique returns ok for request 0 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.0.1/detail-20031215' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/detail-20031215 modcall[accounting]: module detail returns ok for request 0 modcall[accounting]: module unix returns noop for request 0 radius_xlat: 'clint' rlm_sql (sql): sql_set_user escaped user -- 'clint' radius_xlat: 'UPDATE radacct ??SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '0', ??AcctInputOctets = (('0'::bigint 32) + '0'::bigint), ??AcctOutputOctets = (('0'::bigint 32) + '0'::bigint), ??AcctTerminateCause = '', AcctStopDelay = '0', ??FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = '' ??WHERE AcctSessionId = '816' AND UserName = 'clint' ??AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL' radius_xlat: '/usr/local/var/log/radius/sqltrace.sql' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_postgresql: query: UPDATE radacct ??SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '0', ??AcctInputOctets = (('0'::bigint 32) + '0'::bigint), ??AcctOutputOctets = (('0'::bigint 32) + '0'::bigint), ??AcctTerminateCause = '', AcctStopDelay = '0', ??FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = '' ??WHERE AcctSessionId = '816' AND UserName = 'clint' ??AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: affected rows = 0 radius_xlat: 'rlm_sql: Stop packet with zero session length. (user 'clint', nas '192.168.0.1')' rlm_sql: Stop packet with zero session length. 
(user 'clint', nas '192.168.0.1') rlm_sql (sql): Released sql socket id: 4 radius_xlat: 'INSERT into radacct ??(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, ??AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ??AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStopDelay) ??values('816', '38a313dce3842355', 'clint', '', '192.168.0.1', ??'', '', (now() - '0'::interval - '0'::interval), ??(now() - '0'::interval), '0', '', '', ??(('0'::bigint 32) + '0'::bigint), ??(('0'::bigint 32) + '0'::bigint), '', ??'', '', '', '', ??NULLIF('', '')::inet, '0')' radius_xlat: '/usr/local/var/log/radius/sqltrace.sql' rlm_sql_postgresql: query: INSERT into radacct ??(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, ??AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ??AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStopDelay) ??values('816', '38a313dce3842355', 'clint', '', '192.168.0.1', ??'', '', (now() - '0'::interval - '0'::interval), ??(now() - '0'::interval), '0', '', '', ??(('0'::bigint 32) + '0'::bigint), ??(('0'::bigint 32) + '0'::bigint), '', ??'', '', '', '', ??NULLIF('', '')::inet, '0') rlm_sql_postgresql: Status: PGRES_FATAL_ERROR rlm_sql_postgresql: affected rows = rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning SQL_DOWN rlm_sql (sql): Attempting to connect rlm_sql_postgresql #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql_postgresql: query: INSERT into radacct ??(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, ??AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ??AcctTerminateCause, ServiceType, 
FramedProtocol, FramedIPAddress, AcctStopDelay) ??values('816', '38a313dce3842355', 'clint', '', '192.168.0.1', ??'', '', (now() - '0'::interval - '0'::interval), ??(now() - '0'::interval), '0
Custom SQL Query
Hello, I need to put some custom query after I receive an accounting packet. Where should I look into it? Is rlm_sql.c the correct file? Or could I add it into the accounting query? Thanks
Re: Custom SQL Query
On Monday 15 December 2003 18:03, Amgaabaatar Purevjal wrote:
> Hello, I need to put some custom query after I receive an accounting packet. Where should I look into it? Is rlm_sql.c the correct file? Or could I add it into the accounting query? Thanks

sql.conf (by default) is where you should specify any query. There are defaults in there which can be modified so that they work with your local table structure.

Kevin Bonner
Re: accounting_stop request: bigint
Show us the detail file entry. You have no valid data in that record, other than the NAS-IP-Address, User-Name, and Acct-Session-Id. What are you using to generate the accounting record? If this is coming from a NAS, then why is the Acct-Session-Id the same in both your examples?
Re: accounting_stop request: bigint
On Mon, Dec 15, 2003 at 04:36:00PM -0600, Click Chebon wrote:
> rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, unique ID MAY be inconsistent

Is it a real stop packet or just test? If it's a test packet, try more real data. If not, don't be lazy to configure rlm_acct_unique properly.

> rlm_sql_postgresql: query: UPDATE radacct
> ??SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '0',
> ??AcctInputOctets = (('0'::bigint 32) + '0'::bigint),
> ??AcctOutputOctets = (('0'::bigint 32) + '0'::bigint),
> ??AcctTerminateCause = '', AcctStopDelay = '0',
> ??FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = ''
> ??WHERE AcctSessionId = '816' AND UserName = 'clint'
> ??AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL
> rlm_sql_postgresql: Status: PGRES_COMMAND_OK
> rlm_sql_postgresql: affected rows = 0
> radius_xlat: 'rlm_sql: Stop packet with zero session length. (user 'clint', nas '192.168.0.1')'
> rlm_sql: Stop packet with zero session length. (user 'clint', nas '192.168.0.1')

The server couldn't find matching start record for this request (accounting_stop_query affected no rows), and trying to insert new record using accounting_stop_query_alt which fails.

> rlm_sql_postgresql: query: INSERT into radacct
> ??(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
>   ^
> AcctStartTime, AcctStopTime,
> ??AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId,
> ??AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStopDelay)
> ??values('816', '38a313dce3842355', 'clint', '', '192.168.0.1',
> ??'', '', (now() - '0'::interval - '0'::interval),
>   ^^
> ??(now() - '0'::interval), '0', '', '',
> ??(('0'::bigint 32) + '0'::bigint),
> ??(('0'::bigint 32) + '0'::bigint), '',
> ??'', '', '', '',
> ??NULLIF('', '')::inet, '0')

Similar thing as before. You can use %{Attr:-dev_value} syntax or NULLIF('%{Attr}', '') or just edit schema and postgresql.conf to be closer to your needs, e.g take NASPortId/NAS-Port away.

--
Fduch M. Pravking
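Added example, not part of the thread and not FreeRADIUS code: a simplified model of the %{Attr} and %{Attr:-default} expansion discussed in this thread, with a check that flags numeric columns an expanded query would set to ''. The query template is a shortened, constructed version of the UPDATE in the log, and the quote-doubling escape is an assumption standing in for the server's own escaping.

```python
import re

# %{Name} or %{Name:-default}; a model of the syntax quoted in the thread.
XLAT_RE = re.compile(r"%\{([A-Za-z0-9-]+)(?::-([^}]*))?\}")

# Columns the thread identifies as numeric in the PostgreSQL schema.
NUMERIC_COLUMNS = ["AcctSessionTime", "AcctStopDelay"]

# Constructed, shortened template modelled on the logged UPDATE.
STOP_BEFORE = (
    "UPDATE radacct SET AcctStopTime = now(), "
    "AcctSessionTime = '%{Acct-Session-Time}', "
    "AcctTerminateCause = '%{Acct-Terminate-Cause}', "
    "FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet "
    "WHERE AcctSessionId = '%{Acct-Session-Id}' "
    "AND UserName = '%{User-Name}' AND AcctStopTime IS NULL"
)
# The change suggested in the thread: give the attribute a default of 0.
STOP_AFTER = STOP_BEFORE.replace(
    "%{Acct-Session-Time}", "%{Acct-Session-Time:-0}"
)

# The Stop packet from the log: no Acct-Session-Time, no Framed-IP-Address.
STOP_PACKET = {
    "User-Name": "clint",
    "Acct-Status-Type": "Stop",
    "Acct-Session-Id": "816",
}


def expand(template, request):
    """Substitute attributes; a missing one becomes its default or ''."""
    def repl(match):
        name, default = match.group(1), match.group(2)
        value = request.get(name)
        if value is None:
            value = default if default is not None else ""
        # Attribute values arrive from the network: never paste them raw.
        return str(value).replace("'", "''")
    return XLAT_RE.sub(repl, template)


def empty_numeric_literals(sql, numeric_columns=NUMERIC_COLUMNS):
    """Numeric columns that the expanded statement assigns the literal ''."""
    flagged = []
    for column in numeric_columns:
        pattern = r"\b%s\s*=\s*''(?!')" % re.escape(column)
        if re.search(pattern, sql):
            flagged.append(column)
    return flagged


def audit(template, request=STOP_PACKET):
    """Expand the template for a request and report risky assignments."""
    sql = expand(template, request)
    return sql, empty_numeric_literals(sql)


if __name__ == "__main__":
    for label, template in (("before", STOP_BEFORE), ("after", STOP_AFTER)):
        sql, flagged = audit(template)
        print(label, "->", flagged or "no empty numeric literals")
        print("   ", sql)
```

The NULLIF('...', '')::inet form in the template is the thread's other option: it turns the empty string into NULL before the cast, so the check does not flag it.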
join.
_ Leonardo D. Pabroquez Jr. 00-51582 Department of Computer Science, College of Engineering University of the Philippines Diliman, Quezon City - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_perl Client-IP-Address
Boian Jordanov wrote:
> On Mon, Dec 15, 2003 at 09:12:59AM +0800, Bruce Cook wrote:
> > Hmm, don't see it in the current version I'm running, I'll suck the latest CVS and have a look at that.
> [...]
> You have to use preprocess module for Client-IP-Address from radiusd.conf authorize section.
> --//--
> # It also adds a Client-IP-Address attribute to the request.
> preprocess
> --//--

Excellent, I'll take a look at that, Thanks.

Bruce
Configure Errors with OpenSSL NetSNMP
This may have been covered before, but I cannot seem to find it when searching the archives.

I am new to FreeRadius, but not new to Linux. I tried configuring FreeRadius, when checking for checking for asn1.h,snmp.h,snmp_impl.h... it would not find the NetSNMP installation. The location of the installation is /usr/local. It is looking in all the places but /usr/local/include/net-snmp/. I edited out the configure script to work, by changing the includes. It also could not find the correct library in the next step. So I had to edit again to include the correct library -lnetsnmp, then edit the code so it will look for the headers in the right place net-snmp. I dunno if this is a flaw in the autoconf not being updated or what.

On to OpenSSL, OpenSSL was compiled and installed in /usr/local/ssl and it cannot be found by the configure script. I added the usual LDFLAGS, etc to get it to find it, but there was more mess. In the end I just bypassed the checks altogether and told it it was okay to go ahead and include that. In the config.log I get lots of undefined references like these

configure:1029: checking for SSL_new in -lssl
configure:1044: gcc -o conftest -g -O2 -I/usr/local/ssl/include -I/usr/local/pgsql/include -I/usr/local/include/net-snmp/library -L/usr/local/ssl/lib -L/usr/local/pgsql/lib -L/usr/local/lib conftest.c -lnsl -lresolv -lpthread -lcrypto -lssl 1>&5
/usr/local/ssl/lib/libssl.a(ssl_lib.o)(.text+0x3c): In function `SSL_clear':
: undefined reference to `ERR_put_error'

Then I checked the confdefs.h file, it is 100% empty, something is getting stomped on here. No included ssl headers. When I change that to add in the ssl headers like below, I get the next bad result.

--
echo "configure:1029: checking for SSL_new in -lssl" >&5
smart_lib=
smart_lib_dir=
old_LIBS="$LIBS"
LIBS="$LIBS -lssl"
cat > conftest.$ac_ext <<EOF
#line 1037 "configure"
#include "confdefs.h"
#include <openssl/ssl.h>
extern char SSL_new();
int main() { SSL_new() ; return 0; }
EOF
--

Now we get this in the config.log file.

--
configure:1029: checking for SSL_new in -lssl
configure:1044: gcc -o conftest -g -O2 -I/usr/local/ssl/include -I/usr/local/pgsql/include -I/usr/local/include/net-snmp/library -L/usr/local/ssl/lib -L/usr/local/pgsql/lib -L/usr/local/lib conftest.c -lnsl -lresolv -lpthread -lcrypto -lssl 1>&5
configure:1039: conflicting types for `SSL_new'
/usr/local/ssl/include/openssl/ssl.h:1304: previous declaration of `SSL_new'
configure: failed program was:
#line 1037 "configure"
#include "confdefs.h"
#include <openssl/ssl.h>
extern char SSL_new();
int main() { SSL_new() ; return 0; }
--

FreeRadius is the only one which does not seem to get a hold of OpenSSL easy. I dunno what is going on, but I had to hand edit the configure script to get it all to work. Maybe this is all worth a good looking over. As for all of my code I write I use my own home-made configure scripts so I dunno how to fit it all up with autoconf. If you need anything further than this feel free to email me.

-M

(the above examples are for the rlm_eap_tls directory, but is representative of all of the looking for SSL_new in all the parts of the configure script)