Re: Add LDAP groups as extra attributes

2013-03-19 Thread Robin Helgelin
On Fri, Mar 15, 2013 at 2:03 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:
>> I know, but that attribute isn't presented to the python function call. Is
>> there another way such as an environmental variable or just please update
>> the source? :)
>
> Did you check the control list (config item tuple)?

As far as I can tell, the module only provides the request packet,
request-packet-vps

It does however update the config if provided from the module function.

-- 
regards,
Robin
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


string up CUI for visiting eduroam users

2013-03-19 Thread Alex Sharaz
Hi,
I'm in the process of setting up CUI for visitors here and for York users
visiting other institutions.

In the case of visiting eduroam users to our site, on an internal RADIUS server 
I've got

pre-proxy {

    if (Packet-Type == Access-Request) {
        cui_authorize
#       update request {
#           Chargeable-User-Identity:='\\000'
#       }
    }
    pre_proxy_log
}

working on the basis that we'll be proxying off the auth request to another 
site.

I'm then assuming that in the response from the home server somewhere else on
the planet there'll be a non-null CUI attribute which I can get at in the
post-proxy clause. I also want to put the info into the cui table that I've
created in my back-end MySQL database.

I thought I'd be able to do 

post-proxy {

#
# Visiting eduroam users using our wireless. 

#
# If we've got a CUI coming back in the Access-Accept packet, do something with it
#
#   cui_updatedb

#

However, if I do a radius -X -d /etc/freeradius to check it, I get


/etc/freeradius/policy.conf[185]: SQL modules aren't allowed in 'post-proxy' 
sections -- they have no such method.
/etc/freeradius/policy.conf[185]: Failed to parse cui entry.
/etc/freeradius/policy.conf[184]: Failed to parse if subsection.
/etc/freeradius/sites-enabled/default[492]: Errors parsing post-proxy section. 


At which point can I get hold of the returning CUI data and put it into a
database?
Rgds
Alex




require_message_authenticator when sending

2013-03-19 Thread Stefan Winter
Hi,

I just noticed something unintuitive when trying to enforce the presence of
Message-Authenticator on a server which has FreeRADIUS 2.2.0 as a proxying
client.

In proxy.conf, home_server section, there is very strong wording that
require_message_authenticator is good; and the default as spelt out in the
config file is =yes.

My config simply omits the keyword entirely. With all those nice words about
how good it is I was somewhat expecting it to default to yes in the code as
well and set require = yes on the clients.conf on the receiving end.

If omitted, the code sets it to NULL though, which seems to be a no.

Of course I'm fixing my config by making the yes explicit - but maybe adapting
the defaults in realms.c might be a little more consistent behaviour.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: string up CUI for visiting eduroam users

2013-03-19 Thread Phil Mayers

On 03/19/2013 10:11 AM, Alex Sharaz wrote:


> /etc/freeradius/policy.conf[185]: SQL modules aren't allowed in 'post-proxy'
> sections -- they have no such method.
> /etc/freeradius/policy.conf[185]: Failed to parse cui entry.
> /etc/freeradius/policy.conf[184]: Failed to parse if subsection.
> /etc/freeradius/sites-enabled/default[492]: Errors parsing post-proxy section.
>
> At which point can I get hold of the returning CUI data and put it into a
> database.


post-auth?


Re: string up CUI for visiting eduroam users

2013-03-19 Thread Scott Armitage

On 19 Mar 2013, at 10:11, Alex Sharaz alex.sha...@york.ac.uk wrote:

> Hi,
>
> working on the basis that we'll be proxying off the auth request to another
> site.
>
> I'm then assuming that in the response from the home server somewhere else on
> the planet there'll be a non-null CUI attribute which I can get at in the
> post-proxy clause. I also want to put the info into the cui table that I've
> created in my back-end MySQL database.
>
> I thought I'd be able to do
>
> post-proxy {
>
> #
> # Visiting eduroam users using our wireless.
>
> #
> # If we've got a CUI coming back in the Access-Accept packet, do something with it
> #
> #   cui_updatedb
>
> #
>
> However, if I do a radius -X -d /etc/freeradius to check it, I get
>
>
> /etc/freeradius/policy.conf[185]: SQL modules aren't allowed in
> 'post-proxy' sections -- they have no such method.
> /etc/freeradius/policy.conf[185]: Failed to parse cui entry.
> /etc/freeradius/policy.conf[184]: Failed to parse if subsection.
> /etc/freeradius/sites-enabled/default[492]: Errors parsing post-proxy
> section.
>
>
> At which point can I get hold of the returning CUI data and put it into a
> database.

Why not record the CUI in the post-auth section?

Regards

Scott



Re: string up CUI for visiting eduroam users

2013-03-19 Thread Alex Sharaz
Sigh!
Should have thought of that. Thanks,
moved CUI config to post-auth and it's up and running now.

Rgds
Alex



Re: require_message_authenticator when sending

2013-03-19 Thread Phil Mayers

On 19/03/13 10:18, Stefan Winter wrote:


> Of course I'm fixing my config by making the yes explicit - but maybe adapting
> the defaults in realms.c might be a little more consistent behaviour.


I believe Message-Authenticator is now always sent in 3.0, unconditionally.


Re: require_message_authenticator when sending

2013-03-19 Thread Alan DeKok
Phil Mayers wrote:
> I believe Message-Authenticator is now always sent in 3.0, unconditionally.

  Yes.  It's best to always send it.  It enables security and debugging
checks that are otherwise not possible.

  Alan DeKok.


Re: require_message_authenticator when sending

2013-03-19 Thread Alan DeKok
Stefan Winter wrote:
> Of course I'm fixing my config by making the yes explicit - but maybe adapting
> the defaults in realms.c might be a little more consistent behaviour.

  Done.

  Alan DeKok.
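
The explicit setting discussed in this thread, as an added example (not configuration posted by any participant or taken from the FreeRADIUS distribution): the proxy's home_server states require_message_authenticator = yes, and the receiving server's client entry requires the attribute. Section names, addresses and secrets are placeholders.

```conf
# proxy.conf on the FreeRADIUS 2.2.0 proxy.
# Constructed example: name, address and secret are placeholders.
home_server example_home {
	type   = auth
	ipaddr = 192.0.2.10
	port   = 1812
	secret = CHANGE_ME

	# Stated explicitly. Per the thread, leaving this line out in 2.2.0
	# does not behave like "yes".
	require_message_authenticator = yes
}

# clients.conf on the receiving server.
# Constructed example: name, address and secret are placeholders.
client example_proxy {
	ipaddr = 192.0.2.20
	secret = CHANGE_ME

	# Access-Requests from this client that carry no
	# Message-Authenticator are discarded.
	require_message_authenticator = yes
}
```

Running the proxy with -X after the change shows whether Message-Authenticator is present in the proxied Access-Request.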


cuncurrent-session control

2013-03-19 Thread Mehdi Ravanbakhsh
Hello all,

I have a problem using Unlang.

I need to call a function in a PostgreSQL database, send some parameters
from request attributes to it, get the reply from the function, and then change
some check attribute item (such as Pool-Name) or reply attribute.


Unlang :

cuncurrent-session-status =”{%sql:select
public.findout_cuncurrent_sessions_for_a_user(%{request:User-Name},%{request:Acct-Session-Id},%{request:NAS-IP-Address},%{request:NAS-Port})}”;
if (cuncurrent-session-status=='Accept')
{
ok
}
elseif (cuncurrent-session-status=='Reject')
{
update control
 {Pool-Name='Exceeded-Concurrent-Session'}
}


I know that I have some mistake in the script but I cannot find where!

Re: cuncurrent-session control

2013-03-19 Thread Arran Cudbard-Bell

On 19 Mar 2013, at 18:15, Mehdi Ravanbakhsh baba...@gmail.com wrote:

> Hello all,
>
> I have a problem using Unlang.
>
> I need to call a function in a PostgreSQL database, send some parameters from
> request attributes to it, get the reply from the function, and then change
> some check attribute item (such as Pool-Name) or reply attribute.
>
>
> Unlang :
>
> cuncurrent-session-status =”{%sql:select
> public.findout_cuncurrent_sessions_for_a_user(%{request:User-Name},%{request:Acct-Session-Id},%{request:NAS-IP-Address},%{request:NAS-Port})}”;
> if (cuncurrent-session-status=='Accept')
> {
>   ok
> }
> elseif (cuncurrent-session-status=='Reject')
> {
>   update control
>   {Pool-Name='Exceeded-Concurrent-Session'}
> }
>
>
> I know that I have some mistake in the script but I cannot find where!

wow...

man unlang

-Arran


send multiple parameter to stored procedure in database

2013-03-19 Thread Mehdi Ravanbakhsh
Can I send multiple parameters to a stored procedure (function) in the database
by SQL xlat?

Re: send multiple parameter to stored procedure in database

2013-03-19 Thread Alan DeKok
Mehdi Ravanbakhsh wrote:
> Can I send multiple parameters to a stored procedure (function) in the
> database by SQL xlat?

  Yes.

  If you want to debug something, you will need to run the server in
debugging mode as suggested in the FAQ, man page, web pages, and daily
on this list.

  I'd also suggest reading raddb/dictionary.  You've assigned the output
of SQL to... something.  I don't know what it is, but it's not a RADIUS
attribute.

  And the format of the policy you wrote does *not* follow the examples
in the configuration files, or the syntax as documented in man unlang.

  You can't just put random text into the configuration and expect it to
do what you want.

  Alan DeKok.
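
A form of the policy from this thread that follows the syntax in man unlang, as an added example (not posted by any participant and not FreeRADIUS's own configuration). Assumptions: the SQL module instance is named sql, the function takes four text parameters and returns 'Accept' or 'Reject', the policy is placed in post-auth before any IP pool module runs, and the server-internal Tmp-String-0 attribute holds the result.

```conf
# Constructed example. The section (post-auth) is an assumption; the policy
# must run before the module that reads control:Pool-Name.
post-auth {
	update control {
		# The result is stored in a real attribute. Tmp-String-0 is a
		# server-internal scratch attribute; a local attribute defined
		# in raddb/dictionary would work the same way.
		#
		# xlat syntax is %{sql:...} inside a double-quoted string with
		# plain ASCII quotes. "sql" is the assumed module instance name.
		# Each parameter is single-quoted for PostgreSQL; the sql module
		# escapes the expanded values before they reach the database.
		Tmp-String-0 := "%{sql:SELECT public.findout_cuncurrent_sessions_for_a_user('%{User-Name}', '%{Acct-Session-Id}', '%{NAS-IP-Address}', '%{NAS-Port}')}"
	}

	# Compare the stored value. Only the 'Reject' case changes anything;
	# for 'Accept' processing continues unchanged.
	if ("%{control:Tmp-String-0}" == "Reject") {
		update control {
			Pool-Name := "Exceeded-Concurrent-Session"
		}
	}
}
```

Running the server in debugging mode shows the expanded SQL string and the value assigned to Tmp-String-0, which confirms the quoting and the function's return value.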