radius 0.9.3 / mysql 4.0.16: no logging
Good morning all,

We have a server with a really old copy of FreeRADIUS logging accounting data to mysql 3.xx. We are now in the process of upgrading to the latest stable of mysql 4 and freeradius.

We've built the system on a separate machine and it works during testing, except it doesn't log anything to mysql. We have authorisation checks using flat files, but use mysql for logging.

radtest works fine, nothing in mysql. radiusd -x shows it connects fine to the mysql server, and mysqld shows it has connected. Yet there is no sqltrace.sql file either.

We have confirmed the username/password details can log in, and the table names are correct. The accounting{} part is as default, with 'sql' right above 'unix'.

Some help would be appreciated. We are at a loss!

Thanks,
James Green

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius 0.9.3 / mysql 4.0.16: no logging
ZORBADELOS KONSTANTINOS wrote:
> At Mon, 15 Dec 2003 10:25:36 +, James Green wrote:
>
> Use radiusd -X and see what happens with the requests. You should see the sql queries that the server tries to execute.

Zorbadelos,

This has been done. That is how I know it connects to the database, but doesn't perform any SQL queries. I can get it to look up the user in the database even, it just refuses to log the result in the database.

It's driving me up the wall :-(

James

> ==
> Kostas Zorbadelos
> Currently at: Otenet IT Department
> mailto: [EMAIL PROTECTED]
> Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns.
Re: radius 0.9.3 / mysql 4.0.16: no logging
ZORBADELOS KONSTANTINOS wrote:
> At Mon, 15 Dec 2003 12:57:24 +, James Green wrote:
>> ZORBADELOS KONSTANTINOS wrote:
>
> You said you used radiusd -x and not radiusd -X (case is important). Please send the output you receive from radiusd -X. See the rlm_sql and radius_xlat messages. Perhaps something is wrong with the configuration of queries.

Hello again.

Right, we've just had our NAS configured to the same spec that the existing (non-test) one is which logs things fine. Yet we still don't see anything in our database on the test number.

Here's the debug output - I hope someone can point the finger...

    rad_recv: Access-Request packet from host 81.20.32.130:2048, id=40, length=317
        Attr-172818433 = 0x202449643a2041707469732e76696e666f2020496d6167654e616d653d6665706d64202056657273696f6e3d332e362e32703220204275696c644e756d6265723d3332383420204275696c64446174653d31322f31392f3230303020204275696c6454696d653d31363a33313a333820204d616368696e653d4255494c4430332020557365723d4275696c642020546172676574426f6172643d736363202054617267657450726f636573736f723d50504336303320204272616e63683d7033363220204578702024
        NAS-IP-Address = 81.20.32.130
        User-Name = [EMAIL PROTECTED]
        CHAP-Password = 0x017095d941e007b1ca52c6ee6137cf8d65
        Called-Station-Id = 08714719098
        Calling-Station-Id = 1493660030
        NAS-Port = 17236748
        NAS-Port-Type = Async
        Framed-Protocol = PPP
        Service-Type = Framed-User
    modcall: entering group authorize for request 3
    modcall[authorize]: module preprocess returns ok for request 3
    radius_xlat: '/var/log/radiusd/radacct/81.20.32.130/auth-detail-20031215'
    rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radiusd/radacct/81.20.32.130/auth-detail-20031215
    modcall[authorize]: module auth_log returns ok for request 3
    rlm_chap: Setting 'Auth-Type := CHAP'
    modcall[authorize]: module chap returns ok for request 3
    modcall[authorize]: module eap returns noop for request 3
    rlm_realm: Looking up realm wapmob for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm wapmob
    rlm_realm: Adding Stripped-User-Name = james
    rlm_realm: Proxying request from user james to realm wapmob
    rlm_realm: Adding Realm = wapmob
    rlm_realm: Authentication realm is LOCAL.
    modcall[authorize]: module suffix returns noop for request 3
    radius_xlat: '[EMAIL PROTECTED]'
    rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 1
    rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id
    rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
    rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
    rlm_sql (sql): User not found
    rlm_sql (sql): Released sql socket id: 1
    modcall[authorize]: module sql returns notfound for request 3
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 159
    modcall[authorize]: module files returns ok for request 3
    modcall[authorize]: module mschap returns noop for request 3
    modcall: group authorize returns ok for request 3
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: user supplied CHAP-Password matches local User-Password
    Login OK: [james/CHAP-Password] (from client intelliplus port 17236748 cli 1493660030)
    modcall: entering group post-auth for request 3
    radius_xlat: '/var/log/radiusd/radacct/81.20.32.130/reply-detail-20031215'
    rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radiusd/radacct/81.20.32.130/reply-detail-20031215
    modcall[post-auth]: module reply_log returns ok for request 3
    modcall: group post-auth returns ok for request 3
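The portion of the radiusd -X trace quoted in the message above contains a single Access-Request and no Accounting-Request. The following is an added example, not part of the original thread or of FreeRADIUS: it summarises a debug trace and names the first point at which accounting-to-SQL stops. The accounting lines are constructed for contrast and the function names are hypothetical.

```python
import re
from collections import Counter

# Abridged from the radiusd -X output quoted in the message above.
PAGE_TRACE = """\
rad_recv: Access-Request packet from host 81.20.32.130:2048, id=40, length=317
modcall: entering group authorize for request 3
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id
modcall[authorize]: module sql returns notfound for request 3
modcall[authorize]: module files returns ok for request 3
modcall: entering group post-auth for request 3
modcall[post-auth]: module reply_log returns ok for request 3
"""

# Constructed for contrast (not from the page), modelled on the format above.
CONSTRUCTED_ACCT = """\
rad_recv: Accounting-Request packet from host 192.0.2.10:2048, id=41, length=120
modcall: entering group accounting for request 4
modcall[accounting]: module acct_unique returns ok for request 4
modcall[accounting]: module sql returns fail for request 4
modcall[accounting]: module detail returns ok for request 4
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host ")
MODULE = re.compile(r"^modcall\[([\w-]+)\]: module (\S+) returns (\w+) for request \d+")
QUERY = re.compile(r"^rlm_sql_\w+: query: (\w+)")

def summarize(trace):
    """Count packet types and SQL verbs; record each module's result per group."""
    packets, statements, modules = Counter(), Counter(), {}
    for line in map(str.strip, trace.splitlines()):
        if m := RECV.match(line):
            packets[m.group(1)] += 1
        elif m := MODULE.match(line):
            modules.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := QUERY.match(line):
            statements[m.group(1).upper()] += 1
    return {"packets": dict(packets), "statements": dict(statements), "modules": modules}

def triage(trace):
    """Name the first point at which accounting-to-SQL stops in the trace."""
    s = summarize(trace)
    if not s["packets"].get("Accounting-Request"):
        return "no Accounting-Request received"
    result = s["modules"].get("accounting", {}).get("sql")
    if result is None:
        return "sql not run in accounting{}"
    if result != "ok":
        return f"sql returned '{result}' in accounting{{}}"
    return "accounting reached SQL"
```

Run over a full capture, the first result separates "the NAS never sent accounting packets to this server" from "the sql module ran and failed", which need different fixes.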
Re: radius 0.9.3 / mysql 4.0.16: no logging
Nick Davis wrote:
> James,
>
> All of your accounting data is being written to the details files. You must not have put sql in the accounting section of radius.conf.

You mean this?:

    accounting {
        #
        #  Ensure that we have a semi-unique identifier for every
        #  request, and many NAS boxes are broken.
        acct_unique

        sql
        #
        #  Create a 'detail'ed log of the packets.
        #  Note that accounting requests which are proxied
        #  are also logged in the detail file.
        detail
    #   daily

        unix        # wtmp file

        #
        #  For Simultaneous-Use tracking.
        #
        #  Due to packet losses in the network, the data here
        #  may be incorrect. There's little we can do about it.
        radutmp
    #   sradutmp

        #  Return an address to the IP Pool when we see a stop record.
    #   main_pool
    }

Been there for some time.

> Also make sure the sql queries in sql.conf are correct for the radacct table.

I've not touched them. The only thing I did was make it use radacct_table1/table2, for which I searched and replaced.

mysql.err shows nothing, and I've logged into the mysql server using the radius user account and successfully inserted some data. I find it suspicious that although I see SQL queries to SELECT data in the authorisation and authentication phase, I see no SQL being performed for accounting data.

> Take a look at my radius.conf for reference to using mysql for accounting and user/pass/groups (auth). http://mrtizmo.com/freeradius/

Thanks for this, can't see much in there that's different to mine!

James

> Hope some of this helps!
>
> Nick
Re: MySQL Cisco Call Detail
Mail_Man wrote:
> Can someone point me in the right direction to where I can find information on setting up Free Radius so that it collects all the call detail records from a cisco as5300 gateway and stores it in a database?
>
> TIA
> -Seth

Call detail? You mean calltracker? If so then good luck :D.

We did it by:

- configure the cisco to use calltracker and output it to the syslog.
- tell the cisco to forward the syslog onto a linux box
- configure the linux box to accept the incoming syslog requests and pipe it through to a perl script
- write a perl script to accept the syslog lines, process them and store them in the database using the ct_hndl field as the key.

You cannot match the ct_hndl to the radius keys though, so you won't be able to easily match the calltracker logs to the radius logs. We contacted our cisco gold partner resellers and they contacted cisco themselves, and no-one could figure out a reliable matching system. Cisco advised to not bother with the radius logs, but use the calltracker logs instead.

Thanks,
James Green
Re: Time limits
Alan DeKok wrote:
> James Green [EMAIL PROTECTED] wrote:
>> For example, if [EMAIL PROTECTED] logged in, we might have him on a 2 hours per day access permitted tariff.
>
> rlm_counter

I guess then rlm_sqlcounter is the only way forward, since rlm_counter doesn't have any documentation that I can detect?

James
Time limits
Hi all,

Apologies if this is in a FAQ somewhere.

I have a working FreeRadius installation and have been asked to implement a situation whereby we can assign time credits to logged-in users upon payment.

For example, if [EMAIL PROTECTED] logged in, we might have him on a 2 hours per day access permitted tariff.

I am however lost in the documentation - I don't know where to look. Can someone please provide some pointers?

Many thanks,
James Green
Modems can login but ISDN users cannot?
Hi all,

Got a FreeRadius installation working fine for analog modem users. A client is now trying to send through loads of ISDN traffic, and he's getting the following:

    691: username/password declined (windows errors message)

radius.log shows his test username as Login: ok. Yet Radius isn't logging him in the details logs at all.

Any ideas?

Thanks,
James
Can't log new attribs?
Hi all,

I've configured a Cisco to send through the Cisco-NAS-Port attribute during an accounting start query and stop query. I can see the attribute appear in our radius log files, but I can't get the new attribute into our mysql database.

I added Cisco-NAS-Port as a column to the radacct_start table, and modified sql.conf thus:

    accounting_start_query = INSERT into ${acct_table1} (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, Cisco-NAS-Port) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0', '%{Cisco-NAS-Port}')

Restarted freeradius, dialled in, got logged in, but no logging occurred at all in mysql. Waited a bit, still nothing. Disconnected, edited the file back to original, restarted and then logs came through as normal (data was therefore being lost).

Can someone point out what is wrong above, or what I am missing please?

Thanks,
James Green
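One thing to check in the query above is the column list: a column name containing hyphens, such as Cisco-NAS-Port, has to be quoted as an identifier or the INSERT does not parse. The following is an added example, not part of the original post or of FreeRADIUS; it uses Python's sqlite3 as a stand-in for MySQL (both read an unquoted hyphen in a column list as a minus sign, and both accept backtick-quoted identifiers), with a shortened column list and constructed sample values.

```python
import re
import sqlite3

# Shortened from the accounting_start_query in the post above.
COLUMNS = ["AcctSessionId", "UserName", "NASIPAddress", "Cisco-NAS-Port"]
# Constructed sample values, not from a real accounting record.
VALUES = ["0000002A", "james", "81.20.32.130", "17236748"]

# Conservative rule: anything beyond letters, digits and underscore needs quoting.
BARE_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def needs_quoting(column):
    return not BARE_IDENT.match(column)

def build_insert(table, columns, quote):
    """Build the INSERT, backtick-quoting risky column names only if quote is set."""
    cols = ", ".join(f"`{c}`" if quote and needs_quoting(c) else c for c in columns)
    marks = ", ".join("?" for _ in columns)
    return f"INSERT INTO {table} ({cols}) VALUES ({marks})"

def try_insert(quote):
    """Return (rows stored, error text) after attempting one accounting insert."""
    db = sqlite3.connect(":memory:")
    ddl = ", ".join(f"`{c}` TEXT" for c in COLUMNS)
    db.execute(f"CREATE TABLE radacct_start ({ddl})")
    try:
        db.execute(build_insert("radacct_start", COLUMNS, quote), VALUES)
    except sqlite3.OperationalError as exc:
        # The statement never runs, so the whole record is lost, not just one field.
        return 0, str(exc)
    rows = db.execute("SELECT COUNT(*) FROM radacct_start").fetchone()[0]
    return rows, None

if __name__ == "__main__":
    print("columns needing quotes:", [c for c in COLUMNS if needs_quoting(c)])
    print("unquoted:", try_insert(quote=False))
    print("quoted:  ", try_insert(quote=True))
```

Because the failure is a parse error on the whole statement, every start record is dropped for as long as the query is in place, so a changed accounting query is worth testing against the database before the server is restarted with it.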
No radius attribs?
Hi there,

Slightly odd problem. We have a Nortel NAS box with 1,000 modems taking calls and as the radius query comes in, tcpdump shows this:

    14:53:47.158236 81.20.32.130.2048 mars.uk.stealthnet.net.datametrics: rad-access-req 320 [id 91] Attr[ Pass [|radius]
    14:53:47.159057 mars.uk.stealthnet.net.datametrics 81.20.32.130.2048: rad-access-accept 20 [id 91] (DF)

As you can see, no attribs. This causes the connection to fail pretty much immediately. We also have a Cisco, which presents the right attribs and works fine:

    14:53:50.262689 europa.21748 mars.uk.stealthnet.net.datametrics: rad-access-req 136 [id 178] Attr[ Framed_proto{PPP} [EMAIL PROTECTED] [|radius]
    14:53:50.263259 mars.uk.stealthnet.net.datametrics europa.21748: rad-access-accept 20 [id 178] (DF)

Any ideas why this would be happening? We believe the secret is correct, etc. The guys working on the Nortel have one theory but we're looking for some enlightenment from kind selves too if we may.

Anything off the top of your heads?

Thanks in advance!
James
Re: No radius attribs?
James Green wrote:
> Hi there,
>
> Slightly odd problem. We have a Nortel NAS box with 1,000 modems taking calls and as the radius query comes in, tcpdump shows this:

This has been resolved. Apparently the Nortel box wasn't assigning IPs correctly.

James
Username Length Restrictions?
Hi there,

I have a client who uses auto-generated usernames used for logging into radius, and he has complained that his usernames are unable to log in to our equipment (a cisco 5350 + freeradius 0.8.1).

The username consists of 59 characters, then 11 for the @realm. I see from radiusd.h the following:

    typedef struct radclient {
        uint32_t ipaddr;
        uint32_t netmask;
        char longname[256];
        u_char secret[32];
        char shortname[32];
        char nastype[32];
        char login[32];
        char password[32];
        struct radclient *next;
    } RADCLIENT;

Is this, with the 'login[32]' causing the length limit? If so can it be increased to say login[255] without causing other elements to break?

Some assistance or advice would be appreciated. It is doubtful that the usernames being auto-generated can be reduced in length.

Thanks,
James
Logging - how to specify what to log?
Hi there,

I've been asked as a matter of urgency to ensure that the logs we get from RADIUS include the CLI (Caller-ID), that is, the telephone number of the person making the call. This should prove they called us.

I believe I need to log the %{Calling-Station-Id} attribute. Problem: I have no idea what file to edit. I can see a slew of attributes being logged to the detail-* files, except this attribute. Maybe FreeRADIUS doesn't get this attribute? It's a Cisco AS5350 talking to it, with a couple of E1 ISDN-30s plugged in.

I can't find much about this on Cisco's website or the freeradius mailing list. Indeed, apart from a mention as part of a list of attributes, the O'Reilly RADIUS book doesn't cover it.

Help! :-)

Thanks a lot.
James Green