Re: accounting_stop request: bigint
On Mon, Dec 15, 2003 at 12:56:53PM -0600, Click Chebon wrote:
> Using Postgresql 4.7

I hope you mean 7.4 ;)

> rad_recv: Accounting-Request packet from host 192.168.0.1:3306, id=21, length=38
>         User-Name = "clint"
>         Acct-Status-Type = Stop
>         Acct-Session-Id = "816"
> ...
> radius_xlat: 'UPDATE radacct
>     SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '',
>                                                                   ^^^
>     AcctInputOctets = (('0'::bigint << 32) + '0'::bigint),
>     AcctOutputOctets = (('0'::bigint << 32) + '0'::bigint),
>     AcctTerminateCause = '', AcctStopDelay = '0',
>     FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = ''
>     WHERE AcctSessionId = '816' AND UserName = 'clint'
>     AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL'

There's no Acct-Session-Time in the request. Try using %{Acct-Session-Time:-0} in accounting_stop_query.

--
Fduch M. Pravking

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: accounting_stop request: bigint
On Mon, Dec 15, 2003 at 04:36:00PM -0600, Click Chebon wrote:
> rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, unique ID MAY be inconsistent

Is it a real stop packet or just a test? If it's a test packet, try more real data. If not, don't be lazy to configure rlm_acct_unique properly.

> rlm_sql_postgresql: query: UPDATE radacct
>     SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '0',
>     AcctInputOctets = (('0'::bigint << 32) + '0'::bigint),
>     AcctOutputOctets = (('0'::bigint << 32) + '0'::bigint),
>     AcctTerminateCause = '', AcctStopDelay = '0',
>     FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = ''
>     WHERE AcctSessionId = '816' AND UserName = 'clint'
>     AND NASIPAddress = '192.168.0.1' AND AcctStopTime IS NULL
> rlm_sql_postgresql: Status: PGRES_COMMAND_OK
> rlm_sql_postgresql: affected rows = 0
> radius_xlat: 'rlm_sql: Stop packet with zero session length. (user 'clint', nas '192.168.0.1')'
> rlm_sql: Stop packet with zero session length. (user 'clint', nas '192.168.0.1')

The server couldn't find a matching start record for this request (accounting_stop_query affected no rows), and tried to insert a new record using accounting_stop_query_alt, which fails.

> rlm_sql_postgresql: query: INSERT into radacct
>     (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
>                                                                  ^
>     AcctStartTime, AcctStopTime,
>     AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId,
>     AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStopDelay)
>     values('816', '38a313dce3842355', 'clint', '', '192.168.0.1',
>     '', '', (now() - '0'::interval - '0'::interval),
>     ^^
>     (now() - '0'::interval), '0', '', '',
>     (('0'::bigint << 32) + '0'::bigint),
>     (('0'::bigint << 32) + '0'::bigint), '',
>     '', '', '', '',
>     NULLIF('', '')::inet, '0')

Similar thing as before. You can use the %{Attr:-def_value} syntax or NULLIF('%{Attr}', '') or just edit the schema and postgresql.conf to be closer to your needs, e.g. take NASPortId/NAS-Port away.

--
Fduch M. Pravking
Re: PostgreSQL/freeradius/cisco ap350 problem
On Tue, Sep 30, 2003 at 04:02:44AM -0400, Nick Taylor wrote:
> The problem shows itself when I try to set up accounting with the database.
> ...
> rlm_sql_postgresql: query: UPDATE radacct SET FramedIPAddress = '' WHERE AcctSessionId = ' 700011' AND UserName = '00022d284b47' AND NASIPAddress= '192.168.1.209' AND AcctStopTime = 0
> rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
> rlm_sql_postgresql: affected rows =
> rlm_sql_postgresql: Postgresql check_error: PGRES_FATAL_ERROR, returning SQL_DOWN
> rlm_sql (sql): failed after re-connect
> rlm_sql (sql): Couldn't update SQL accounting for ALIVE packet - ERROR: invalid INET value ''
> rlm_sql (sql): Released sql socket id: 0

Try using in accounting_update_query:

    ... FramedIpAddress = '%{Framed-IP-Address:-0.0.0.0}' ...

or

    ... FramedIpAddress = NULLIF('%{Framed-IP-Address}', '') ...

> The SQL server spits out:
> ERROR: Bad int8 external representation
> ERROR: Bad int8 external representation
> ERROR: invalid INET value ''
> ERROR: invalid INET value ''
> ERROR: invalid INET value ''
> ERROR: invalid INET value ''

It seems that you have a similar problem with some integers, but it's not in this radius log. Modify your postgresql.conf to use '%{Attribute-Name:-default value}' for all attributes which could be not present in the packet, at least for those which are non-text in your database schema (integer, bigint, inet).

--
Fduch M. Pravking
Re: Postgres Simultaneous use queries
On Wed, Aug 13, 2003 at 02:33:57PM +0200, Ulrich Walcher wrote:
> Is there any reason why the Simultaneous Use Checking Queries that are present in sql.conf and oraclesql.conf do not appear in postgresql.conf?

They are in 0.9 and current CVS. Please check it.

--
Fduch M. Pravking
Re: postgres performance issues
On Tue, Aug 12, 2003 at 08:56:23AM -0400, Jeff Sullivan wrote:
> I have freeradius doing auth and acct to postgres. System is P3 1000 with 512MB RedHat. The other day I had to do some maintenance on my switch which severed the link between my dial-in ras and the radius server. When the link was established again, postgres could not keep up with all the stored accounting requests in the ras. The load average would climb to 14+ and not recover. I let the system run for about 20min and still no change. I stopped logging accounting to postgres and went to detail and the system dropped to less than 1. Now the load is 0.00 0.00 0.00 with accounting still going to detail. Normal load with all going to postgres was about 0.18.
> What can I do to prevent this from happening again? I would like to go back to all postgres.

Did you ANALYZE accounting queries? Older versions of db_postgresql.sql used weird indices, which caused acct_stop_query to do a seq scan on the whole radAcct table. It probably was not a big problem in normal operation, but when the request/sec rate grew up, the performance went down significantly.

Try creating a partial index (PG 7.2+):

    CREATE INDEX radacct_active_user_idx ON RadAcct (UserName) WHERE AcctStopTime IS NULL;

See also db_postgresql.sql and postgresql.conf from 0.9 or current CVS.

Hope this helps.

--
Fduch M. Pravking
Re: Login-Time + SQL ?
On Wed, Aug 06, 2003 at 02:31:50PM +0200, Patrick wrote:
> xsitest0005    Password == "xsitest0005", Login-Time := "Any-1000"
>                Service-Type = Framed-User,
>                Framed-Protocol = PPP
> ...
> mysql> select * from radgroupreply where GroupName = "XSInetDaytime";
> +----+---------------+-----------------+----+-------------+------+
> | id | GroupName     | Attribute       | op | Value       | prio |
> +----+---------------+-----------------+----+-------------+------+
> |  3 | XSInetDaytime | Service-Type    | := | Framed-User |    0 |
> |  4 | XSInetDaytime | Framed-Protocol | := | PPP         |    0 |
> |  6 | XSInetDaytime | Login-Time      | := | Al-0020     |    0 |
> +----+---------------+-----------------+----+-------------+------+
> 3 rows in set (0.00 sec)

So don't you see that it's a *check* item in your users file and a *reply* item in SQL?

--
Fduch M. Pravking
Re: Reply message from the counter module
On Tue, Jul 29, 2003 at 10:52:59AM -0400, Alan DeKok wrote:
> Alexander M. Pravking [EMAIL PROTECTED] wrote:
> > > > By the way, %{Simultaneous-Use} will not work, since there's no way to expand check items from the request...
> > > Nonsense. See 'doc/variables.txt'
> > Huh?
> Hmm... if it's not there, then it's trivial enough to add. ~10 lines in src/main/xlat.c should do it.

Here's a patch. I used check: as a prefix, maybe someone suggests a more reasonable one?

Index: doc/variables.txt === RCS file: /source/radiusd/doc/variables.txt,v retrieving revision 1.7 diff -u -p -r1.7 variables.txt --- doc/variables.txt 11 Apr 2003 17:54:58 - 1.7 +++ doc/variables.txt 29 Jul 2003 16:16:06 - @@ -4,6 +4,8 @@ The variables defined by the server are: in request %{request:Attribute-Name} Corresponding value for Attribute-Name in request + %{check:Attribute-Name} Corresponding value for Attribute-Name + in check items %{reply:Attribute-Name} Corresponding value for Attribute-Name in reply %{proxy-reply:Attribute-Name} Corresponding value for Attribute-Name @@ -12,9 +14,9 @@ The variables defined by the server are: %{config:section.subsection.item} Corresponding value in 'radiusd.conf' for the string value of that item. - The %{config:...} variables should be used VERY carefully, as they -may leak secret information from your RADIUS server, if you use them -in reply attributes to the NAS! + The %{config:...} and %{check:... } variables should be used VERY +carefully, as they may leak secret information from your RADIUS server, +if you use them in reply attributes to the NAS! e.g. Index: src/main/xlat.c === RCS file: /source/radiusd/src/main/xlat.c,v retrieving revision 1.55 diff -u -p -r1.55 xlat.c --- src/main/xlat.c 18 Mar 2003 05:50:54 - 1.55 +++ src/main/xlat.c 29 Jul 2003 16:17:53 -
@@ -232,6 +232,16 @@ static void decode_attribute(const char } /* +* Find an attibute from the config items +*/ + } else if (strncasecmp(attrname,check:,6) == 0) { + if((tmpda = dict_attrbyname(attrname[6])) + (tmppair = pairfind(request-config_items, tmpda-attr))) { + q += valuepair2str(q,freespace,tmppair,tmpda-type, func); + found = 1; + } + + /* * Find an attribute from the request. */ } else if (strncasecmp(attrname,request:,8) == 0) { -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
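Review bot: the second doc/variables.txt hunk writes the new variable as `%{check:... }` with a space before the closing brace; use `%{check:...}` to match `%{config:...}` on the same line. The extended warning is the right call: check items hold the values the server compares requests against (a Password check item appears elsewhere in this thread), so expanding `%{check:...}` into a reply attribute sends them to the NAS, the same leak the existing `%{config:...}` caveat already describes.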
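Review bot: in the xlat.c hunk the comment on the new branch reads "Find an attibute from the config items" (typo, and doc/variables.txt in the same patch calls them check items), so spell it "attribute" and settle on one term. When `dict_attrbyname` does not know the name after the `check:` prefix, the branch leaves `found` unset with no diagnostic; a DEBUG line there would make a misspelled `%{check:...}` in a message template visible instead of expanding silently to nothing.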
Re: Reply message from the counter module
On Mon, Jul 28, 2003 at 02:02:22PM -0400, Alan DeKok wrote:
> > Dear developers, how about customizable messages? Something like this in radiusd.conf:
> >     messages {
> >         multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
> >         timespan_violation = "You are calling outside allowed timespan\r\n"
> >         ...
> >     }
> Sure.

Almost done.

I could get rid of the radius_xlat calls, if the user_msg == NULL check is removed around the following block (auth.c, lines 850-865):

    /*
     *  Filter (possibly multiple) Reply-Message attributes
     *  through radius_xlat, modifying them in place.
     */
    if (user_msg == NULL) {
        reply_item = pairfind(request->reply->vps, PW_REPLY_MESSAGE);
        while (reply_item) {
            radius_xlat(buf, sizeof(reply_item->strvalue), (char *)reply_item->strvalue, request, NULL);
            strNcpy((char *)reply_item->strvalue, buf, sizeof(reply_item->strvalue));
            reply_item->length = strlen((char *)reply_item->strvalue);
            user_msg = NULL;
            reply_item = pairfind(reply_item->next, PW_REPLY_MESSAGE);
        }
    }

There's no more need for it, I think. Also, the mentioned xlat.c patch should be applied too to allow expansion of %{check:...} attributes. Local tests are OK.

--
Fduch M. Pravking

Index: src/include/radiusd.h === RCS file: /source/radiusd/src/include/radiusd.h,v retrieving revision 1.140 diff -u -p -r1.140 radiusd.h --- src/include/radiusd.h 23 Jul 2003 19:50:38 - 1.140 +++ src/include/radiusd.h 29 Jul 2003 21:28:42 - @@ -172,6 +172,15 @@ typedef struct main_config_t { REALM *realms; } MAIN_CONFIG_T; +typedef struct messages_config_t { + const char *expiration; + const char *double_login; + const char *multiple_login; + const char *timespan_violation; + const char *exec_failure; + const char *auth_failure; +} MESSAGE_CONFIG_T; + #define DEBUG if(debug_flag)log_debug #define DEBUG2 if (debug_flag 1)log_debug
@@ -364,6 +373,7 @@ extern int total_active_threads /* mainconfig.h */ /* Define a global config structure */ extern struct main_config_t mainconfig; +extern struct messages_config_t server_messages; int read_mainconfig(int reload); int free_mainconfig(void); Index: src/main/mainconfig.c === RCS file: /source/radiusd/src/main/mainconfig.c,v retrieving revision 1.21 diff -u -p -r1.21 mainconfig.c --- src/main/mainconfig.c 22 Jul 2003 18:16:23 - 1.21 +++ src/main/mainconfig.c 29 Jul 2003 21:30:39 - @@ -45,6 +45,7 @@ struct main_config_t mainconfig; +struct messages_config_t server_messages; /* * Local variables for stuff. @@ -83,6 +84,25 @@ static CONF_PARSER security_config[] = { }; /* + * A list of global messages sent back in certain cases + */ +static CONF_PARSER messages_config[] = { + { expiration, PW_TYPE_STRING_PTR, 0, server_messages.expiration, + Password Has Expired\r\n }, + { double_login, PW_TYPE_STRING_PTR, 0, server_messages.double_login, + \r\nYou are already logged in - access denied\r\n }, + { multiple_login, PW_TYPE_STRING_PTR, 0, server_messages.multiple_login, + \r\nYou are already logged in %{check:Simultaneous-Use} times - access denied\r\n }, + { timespan_violation, PW_TYPE_STRING_PTR, 0, server_messages.timespan_violation, + You are calling outside your allowed timespan\r\n }, + { exec_failure, PW_TYPE_STRING_PTR, 0, server_messages.exec_failure, + \r\nAccess denied (external check failed).\r\n }, + { auth_failure, PW_TYPE_STRING_PTR, 0, server_messages.auth_failure, + }, + { NULL, -1, 0, NULL, NULL } +}; + +/* * A mapping of configuration file names to internal variables */ static CONF_PARSER server_config[] = { 
@@ -126,6 +146,7 @@ static CONF_PARSER server_config[] = { { proxy_requests, PW_TYPE_BOOLEAN, 0, mainconfig.proxy_requests, yes }, { proxy, PW_TYPE_SUBSECTION, 0, proxy_config, NULL }, { security, PW_TYPE_SUBSECTION, 0, security_config, NULL }, + { messages, PW_TYPE_SUBSECTION, 0, messages_config, NULL }, { debug_level, PW_TYPE_INTEGER, 0, mainconfig.debug_level, 0}, { NULL, -1, 0, NULL, NULL } }; Index: src/main/auth.c === RCS file: /source/radiusd/src/main/auth.c,v retrieving revision 1.127 diff -u -p -r1.127 auth.c --- src/main/auth.c 24 Jun 2003 14:22:19 - 1.127 +++ src/main/auth.c 29 Jul 2003 21:31:08 - @@ -66,6 +66,7 @@ char *auth_name(char *buf, size_t buflen
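Review bot: in the radiusd.h hunk the struct tag is `messages_config_t` but the typedef is `MESSAGE_CONFIG_T` (singular), while the extern added to the same header and the definition in mainconfig.c both spell it `struct messages_config_t`; rename the typedef to `MESSAGES_CONFIG_T` so the two names agree.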
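Review bot: the defaults in the `messages_config[]` hunk in mainconfig.c lean on two other patches in this thread: `multiple_login` contains `%{check:Simultaneous-Use}`, which only expands once the xlat.c `check:` prefix is in, and `auth_failure` defaults to an empty string, which only stays out of the reply once rad_send skips zero-length string attributes (the radius.c patch); say so in the commit message so the pieces are applied together. The defaults are also inconsistent about the leading `\r\n` (`expiration` and `timespan_violation` lack it, the others carry it), which is worth aligning.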
Re: Reply message from the counter module
On Mon, Jul 28, 2003 at 02:02:22PM -0400, Alan DeKok wrote:
> > Dear developers, how about customizable messages? Something like this in radiusd.conf:
> >     messages {
> >         multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
> >         timespan_violation = "You are calling outside allowed timespan\r\n"
> >         ...
> >     }
> Sure.

By the way, %{Simultaneous-Use} will not work, since there's no way to expand check items from the request...

> > I probably could work on that, but I need some guidelines:
> > 1. Should it be a set of static variables, or searchable list like dictionary?
> I'm not sure what you mean by that.

How about, say, a new integer attribute like FreeRADIUS-Reply-Code, which will be automatically replaced with a corresponding Reply-Message just before reply? However, in this case we still need some mapping from FreeRADIUS-Reply-Code to Reply-Message, other than the dictionary. I dislike this idea more and more...

> > 2. Should it be per-module configuration, or global?
> Many messages are global. They should be in a global config.

Well, I'll try global messages first.

I always felt uncomfortable with silent auth-failures, so it's reasonable to have an auth_failure message, IMHO. However, some people might want to leave it silent, so maybe it should be empty by default. But there's an issue with sending empty strings in FreeRADIUS currently. RFC 2865 says:

    string    1-253 octets containing binary data (values 0 through 255 decimal, inclusive). Strings of length zero (0) MUST NOT be sent; omit the entire attribute instead.

And FreeRADIUS sends attributes no matter of their length. A small patch solves this (works for me, please, test it):

Index: src/lib/radius.c === RCS file: /source/radiusd/src/lib/radius.c,v retrieving revision 1.101 diff -u -p -r1.101 radius.c --- src/lib/radius.c23 Jul 2003 19:44:35 - 1.101 +++ src/lib/radius.c28 Jul 2003 22:37:34 -
@@ -226,6 +226,14 @@ int rad_send(RADIUS_PACKET *packet, cons } /* + *Don't send empty attributes, omit 'em + */ + if (((reply-type == PW_TYPE_ABINARY) || + (reply-type == PW_TYPE_STRING) || + (reply-type == PW_TYPE_OCTETS)) + reply-length == 0) + continue; + /* *Print out ONLY the attributes which *we're sending over the wire, and print *them out BEFORE they're encrypted.

One more question. Which operator should I use to add Reply-Message? := or = or +=?

--
Fduch M. Pravking
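Review bot: the new zero-length test in the rad_send hunk `continue`s before the block whose comment says it prints ONLY the attributes sent over the wire, so an attribute dropped here leaves no trace in the debug output; emit a DEBUG line before skipping, so an empty Reply-Message (the empty `auth_failure` default in the companion patch) is visibly omitted rather than silently gone. The comment should also cite RFC 2865 ("Strings of length zero MUST NOT be sent"), which the message quotes, rather than just "omit 'em".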
Re: Reply message from the counter module
On Mon, Jul 28, 2003 at 08:11:26PM -0400, Alan DeKok wrote:
> Alexander M. Pravking [EMAIL PROTECTED] wrote:
> > By the way, %{Simultaneous-Use} will not work, since there's no way to expand check items from the request...
> Nonsense. See 'doc/variables.txt'

Huh?

    %{Attribute-Name}                   Corresponding value for %Attribute-Name in request
    %{request:Attribute-Name}           Corresponding value for %Attribute-Name in request
    %{reply:Attribute-Name}             Corresponding value for %Attribute-Name in reply
    %{proxy-reply:Attribute-Name}       Corresponding value for %Attribute-Name in the proxy reply (if it exists)
    %{config:section.subsection.item}   Corresponding value in 'radiusd.conf' for the string value of that item.

The xlat sources say the same. Did I miss something?

> > One more question. Which operator should I use to add Reply-Message? := or = or +=?
> It depends if you want one, or more than one. See the 'man' page for the 'users' file.

Wrong question - wrong answer... I mean, which one should be used in radiusd code when adding the Reply-Message? Hmm, what's the matter with me? The code already uses some operators, so I'll simply leave them. Right?

--
Fduch M. Pravking
Re: Reply message from the counter module
On Sat, Jul 26, 2003 at 07:09:38PM -0700, Alex Chen wrote:
> I finally get the counter module to work but there is a small question about the reply message issued by the counter when the accumulated time exceeds the value of the 'check-name' attribute. I set the 'reset' to 'never' and when the limit, say, 60 seconds, is reached, the reply message says:
>     Reply-Message = "Your maximum never usage time has been reached"
> It is not a problem but does not sound normal. May I suggest, in the next release, that you make the reply message a user configurable item in the counter module, e.g.
>     counter {
>         filename = ${raddbdir}/counterdb
>         key = User-Name
>         count-attribute = Acct-Session-Time
>         reset = never
>         reply-message = "Your maximum access time has been reached"
>     }

Yeah, it's not the only place where configurable messages could be useful. I've already suggested such a thing, but silence was the answer... If any of the developers got interested, see http://lists.cistron.nl/archives/freeradius-users/2003/06/frm00625.html

--
Fduch M. Pravking
Re: counter module
On Fri, Jul 25, 2003 at 10:20:13PM -0700, Alex Chen wrote:
> The counter module has a configuration element 'check-name'. In the example shown in radiusd.conf it is set to Max-Daily-Session. The comment indicates that this 'Max-Daily-Session' can be specified in DEFAULT stanza. I am pretty sure when I tried to set
>     DEFAULT Max-Daily-Session := 20
> in 'users', the radiusd complained that it could not find such attribute and bailed out.

Did you see something like 'rlm_files: matched DEFAULT at NNN' in debug output? If not, your DEFAULT entry did not match.

> That's the reason I tried to use 'Session-Timeout'. But when I tested it again with freeradius 0.9, the server took it. I do not know if it was my typo previously or something changed in the server.

What version was it? The 0.9 release of FreeRADIUS has a lot of bug fixes from 0.8.1.

> Anyway, I cannot find an attribute name called 'Max-Daily-Session' in the dictionary. How does the server know this? I thought only an attribute can be specified in the 'users' file, or can we just use anything we want? Other than 'Max-Daily-Session' what else can be used?

This attribute is not in the dictionary, it's dynamic. You can use whatever attribute name you want in check-name; the counter module will register this attribute during initialization.

--
Fduch M. Pravking
Re: PostgreSql Radacct Problems
On Mon, Jul 21, 2003 at 01:27:04PM +0900, CW wrote:
> Please excuse my last post, I accidentally sent it off before I was done.
> I am running redhat 9.0 with postgresql 7.3 and freeradius-0.8.1. I use it for authentication for our fiber connections. Everything was working well until lately. I have noticed that I get an error like the following in my radius.log and after that it loses the connection with the postgresql server and I have to restart the freeradius process.
>     Fri Jul 4 06:03:09 2003 : Error: rlm_sql (sql): Couldn't update SQL accounting STOP record - ERROR: pg_atoi: error reading "2618979488": Numerical result out of range
> I suspect that it is trying to write the acctoutputoctets for a session into the radacct table but I am not positive. My postgresql radacct table was created with the following script
>     CREATE TABLE radacct (
>         RadAcctId          SERIAL,
>         AcctSessionId      VARCHAR(32) DEFAULT '' NOT NULL,
>         AcctUniqueId       VARCHAR(32) DEFAULT '' NOT NULL,
>         UserName           VARCHAR(32) DEFAULT '' NOT NULL,
>         Realm              VARCHAR(30) DEFAULT '',
>         NASIPAddress       VARCHAR(15) DEFAULT '' NOT NULL,
>         NASPortId          NUMERIC(12),
>         NASPortType        VARCHAR(32),
>         AcctStartTime      timestamp,
>         AcctStopTime       timestamp,
>         AcctSessionTime    NUMERIC(12),
>         AcctAuthentic      VARCHAR(32),
>         ConnectInfo_start  VARCHAR(32),
>         ConnectInfo_stop   VARCHAR(32),
>         AcctInputOctets    NUMERIC(12),
>         AcctOutputOctets   NUMERIC(12),
>         CalledStationId    VARCHAR(10) DEFAULT '' NOT NULL,
>         CallingStationId   VARCHAR(10) DEFAULT '' NOT NULL,
>         AcctTerminateCause VARCHAR(32) DEFAULT '' NOT NULL,
>         ServiceType        VARCHAR(32),
>         FramedProtocol     VARCHAR(32),
>         FramedIPAddress    VARCHAR(15) DEFAULT '' NOT NULL,
>         AcctStartDelay     NUMERIC(12),
>         AcctStopDelay      NUMERIC(12),
>         PRIMARY KEY (RadAcctId)
>     );

Are you sure you didn't modify the schema? It seems that you are using integer for AcctOutputOctets, because 2618979488 is a valid value for numeric(12):

    fduch=# SELECT '2618979488'::numeric(12);
      numeric
    ------------
     2618979488
    (1 record)

You could set up another database with a more appropriate RadAcct table (see schema and queries from 0.9-pre), and configure 2 sql modules to do accounting - one to the old database, and the second to the new one. When everything is OK, disable the first. Note, however, that the current database schema and queries are significantly different from yours, so you should first test if you can convert your old accounting data into the new database.

--
Fduch M. Pravking
Re: Can rlm_expr be used with check items?
On Fri, Jul 18, 2003 at 12:39:55PM -0400, Alan DeKok wrote:
> Tero Turtiainen [EMAIL PROTECTED] wrote:
> > After this discussion it seems that setting attribute values cannot be done,
> SOME attributes can be set: configuration items. Some cannot be: attributes in the request.

Alan, could you please describe the difference between them and put it in the FAQ? Something like (correct me please if it's wrong or incomplete or too hard to understand):

Q. What are request attributes?
A. Those which were sent by a NAS to the server. Based on these attributes and collected config items for this user, the server decides what to do with this user.

Q. What are config/check items for?
A. They tell the server:
   a) to compare attributes in the request with given values (so-called check items), e.g. NAS-IP-Address == 127.0.0.1, NAS-Port 64;
   b) or to do something special with this user later (so-called config items), e.g. Auth-Type += System, Proxy-To-Realm := foo.com.
   Config and check are often used as synonyms here.

> You tried to set request attributes, which CANNOT be done in the 'users' file.

Q. Can I use them to re-write Some-Attribute in the request?
A. No, you can't. Attributes in the request are commonly not changed. Try using the attr_rewrite module, if you *really* need it.

--
Fduch M. Pravking
Logging passwords from rlm_ldap?
In debug mode, rlm_ldap prints out all the passwords it uses for bind. I think it's reasonable enough to disallow it or at least make it configurable. Here's a quick patch, relying on log_auth_goodpass.

Index: rlm_ldap.c === RCS file: /source/radiusd/src/modules/rlm_ldap/rlm_ldap.c,v retrieving revision 1.108 diff -u -p -r1.108 rlm_ldap.c --- rlm_ldap.c 7 Jul 2003 19:07:08 - 1.108 +++ rlm_ldap.c 14 Jul 2003 10:59:57 - @@ -1468,10 +1468,16 @@ ldap_connect(void *instance, const char #endif /* HAVE_LDAP_START_TLS */ if (inst-is_url){ - DEBUG(rlm_ldap: bind as %s/%s to %s, dn, password, inst-server); + DEBUG(rlm_ldap: bind as %s/%s to %s, + dn, + mainconfig.log_auth_goodpass ? password : *, + inst-server); } else{ - DEBUG(rlm_ldap: bind as %s/%s to %s:%d, dn, password, inst-server, inst-port); + DEBUG(rlm_ldap: bind as %s/%s to %s:%d, + dn, + mainconfig.log_auth_goodpass ? password : *, + inst-server, inst-port); } msgid = ldap_bind(ld, dn, password,LDAP_AUTH_SIMPLE); if (msgid == -1) {

It's probably a better idea to make rlm_ldap's own config variable to control this behaviour...

The second place from where user passwords shine is the Access-Request packet dump. It's much harder to fix, since it's done from libradius. Can somebody point me in the right direction to make it, please?

--
Fduch M. Pravking
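Review bot: the hunk keys the masking on `mainconfig.log_auth_goodpass`, a setting whose purpose is whether good user passwords go to the auth log, so an admin who turned it on for that reason now also gets LDAP bind passwords in the debug output; as the message itself suggests, a dedicated rlm_ldap configuration item, defaulting to masked, is the cleaner control. The two DEBUG calls also duplicate the same ternary; choosing the value to print once in a local above the `if` keeps them in step.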
Re: Logging passwords from rlm_ldap?
On Mon, Jul 14, 2003 at 09:53:21AM -0400, Alan DeKok wrote:
> Alexander M. Pravking [EMAIL PROTECTED] wrote:
> > In debug mode, rlm_ldap prints out all the passwords it uses for bind. I think it's reasonable enough to disallow it or at least make it configurable.
> I don't see why. It's debug mode, so it prints out a number of worse things (from a security point of view) than the LDAP password.

Am I the only crazy one who runs a production server in debug mode? If there's anyone else who does, please answer me.

It's really hard sometimes to reproduce the critical situation once more, so I prefer to have 20-40 megs of daily logs and be able to determine a problem very quickly rather than restart the server in debug mode and wait for the problem to be repeated. I'm probably wrong here...

In any case, FreeRADIUS' logging system is far, far from perfect...

--
Fduch M. Pravking
Re: Logging passwords from rlm_ldap?
On Mon, Jul 14, 2003 at 11:42:46AM -0400, Alan DeKok wrote:
> Alexander M. Pravking [EMAIL PROTECTED] wrote:
> > Am I the only crazy one who runs a production server in debug mode?
> No, other people do, too.

Well, why not try to make it more configurable then?

> > It's really hard sometimes to reproduce the critical situation once more, so I prefer to have 20-40 megs of daily logs and be able to determine a problem very quickly rather than restart the server in debug mode and wait for the problem to be repeated. I'm probably wrong here...
> > In any case, FreeRADIUS' logging system is far, far from perfect...
> It's light-years better than most of the commercial servers I've seen:
>     Error! Unable to perform requested action
> That's about average, and totally unhelpful. I think commercial companies have a fear of giving useful debugging information.

Maybe, maybe :))

Yeah, I agree that FreeRADIUS gives me enough detailed info to dig into the problem, if any. But sometimes there's a lot of useless and even unwanted detail, like in this case. I just don't want user passwords to be logged at all.

I have tried GNU RADIUS in my time, and was impressed by its logging subsystem. Of course, I understand that it's too difficult to change / break such global things that have been here for years...

--
Fduch M. Pravking
Re: Acct-Output-Gigawords, Acct-Input-Gigawords
On Sun, Jul 13, 2003 at 03:46:08AM +1000, Paul Hampson wrote:
> Just looking at some of my records, would I be right in observing that the default *sql.conf files don't account for Acct-Output-Gigawords and Acct-Input-Gigawords?
> In the process of repairing damage done to my Calling-Station-ID and NASPortId fields by too-short field lengths, I noticed that several of my customers had managed to get a 1 in their Acct-Output-Gigawords, but that hadn't been taken into account in the mysql table...
> If I'm right and it's not being accounted for, is there any reason I wouldn't want to modify the query to be
>     SET AcctInputOctets = %{Acct-Input-Octets} + (%{Acct-Input-Gigawords} * 4294967296)

Or

    SET AcctInputOctets = (cast(%{Acct-Input-Gigawords:-0} as 64-bit-integer) << 32) + %{Acct-Input-Octets:-0}

if binary shift is supported by the DBMS. However, the default *sql schemas use numeric(N) fields for *Octets, which 1) are slow; 2) sometimes require explicit value casting; 3) need to be expanded to numeric(20) to avoid overflows... So I'll vote for the second solution:

> Otherwise I'll add the Gigaword columns as extra columns.

You could put both of them into *sql.conf as an example, and let admins decide themselves which one to use :)

--
Fduch M. Pravking
Re: postgres error
> >     RadAcctId          SERIAL,
> >     AcctSessionId      VARCHAR(32) DEFAULT '' NOT NULL,
> >     AcctUniqueId       VARCHAR(32) DEFAULT '' NOT NULL,
> >     UserName           VARCHAR(32) DEFAULT '' NOT NULL,
> >     Realm              VARCHAR(30) DEFAULT '',
> >     NASIPAddress       VARCHAR(15) DEFAULT '' NOT NULL,
> >     NASPortId          NUMERIC(12),
> >     NASPortType        VARCHAR(32),
> >     AcctStartTime      timestamptz,
> >     AcctStopTime       timestamptz,
> ??? did you copy and paste this or did you type it in? timestamptz is not a valid Postgres field type afaik.

No, it's an alias for "timestamp with time zone" since 7.2.

--
Fduch M. Pravking
Re: freeradius 0.8.1 and postgresql problems
On Thu, Jul 03, 2003 at 12:07:31PM -0600, Kevin Fenzi wrote:
> This seems like something wrong in the postgresql.conf accounting stop sql, but I'm not sure what.

Use '%{Radius-Attribute:-0}' for numeric ones. Look at postgresql.conf from current CVS.

--
Fduch M. Pravking
Re: freeradius 0.8.1 and postgresql problems
On Fri, Jul 04, 2003 at 11:38:20AM -0700, Tom Emerson wrote:
> On Thursday 03 July 2003 11:07 am, Kevin Fenzi wrote:
> > I am seeing a problem with a new freeradius 0.8.1 install using postgresql as the backend.
> > [...]
> > Nothing to do. Sleeping until we see a request.
> > [...]
> [reformatting for readability]
> rlm_sql_postgresql: query: UPDATE radacct
>     SET AcctStopTime = '2003-07-02 15:33:30',
>         AcctSessionTime = '',
>         AcctInputOctets = CASE WHEN '' = '' THEN 0 ELSE '' END,
>         AcctOutputOctets = CASE WHEN '' = '' THEN 0 ELSE '' END,
>         AcctTerminateCause = '',
>         AcctStopDelay = '0',
>         FramedIPAd dress = '',
>         ConnectInfo_stop = ''
>     WHERE AcctSessionId = '1808'
>       AND UserName = 'root'
>       AND NASIPAddress = '127.0.0.1'
>       AND AcctStopTime IS NU LL
> The first thing that caught my attention were the "case when '' = ''..." elements, which I suspect indicates something isn't being expanded properly,

Yes, Acct-Input-Octets and Acct-Output-Octets seem to not be in the request, but that's not the problem - CASE WHEN '' = '' THEN 0 ELSE '' expands to 0.

> but when I went through reformatting it, two lines jumped out immediately:
>     FramedIPAd dress = '',
>     AND AcctStopTime IS NU LL
> I only inserted CR's and spaces to line things up -- those embedded spaces were in your original message -- they COULD be an artifact of your cut-n-paste action to create the message in the first place, but if not,

Yes, they seem to be. Note the error:

    rlm_sql (sql): Couldn't update SQL accounting STOP record - ERROR: Bad numeric input format ''

The problem is the absent Acct-Session-Time attribute, which is xlated as ''. That was my fault, there's still AcctSessionTime = %{Acct-Session-Time} in accounting_stop_query of current CVS' postgresql.conf, without any checks.

BTW, '%{Attr:-0}' or '%{Attr:-NULL}' is shorter and simpler than CASE.

P.S. A long time ago, a great patch was applied, that allows multi-line strings in config files:

    accounting_stop_query = "UPDATE ${acct_table2} \
        SET AcctStopTime = '%S', \
        ..."

Did anyone cognize it?

--
Fduch M. Pravking
Re: Strange Message using Exec-Program-Wait
On Fri, Jul 04, 2003 at 12:25:35PM -0600, Miranda Gomez Miguel Angel wrote: Hi People. I'm running freeradius 0.8.1 with accounting and userinfo in a postgres 7.3 database, I want to use the exec-program-wait function, I have configured the radgroupreply table with the following information radius=# select * from radgroupreply; id | groupname | attribute | op | value ----+-----------+-------------------+----+---------------------------------- 2 | prepago | Exec-Program-Wait | = | /usr/local/bin/calcula_tiempo.pl (1 row) All seems to work ok, but I'm having this message when running in debug mode: rlm_sql: The 'op' field for attribute 'Exec-Program-Wait = /usr/local/bin/calcula_tiempo.pl' is NULL, or non-existent. rlm_sql: You MUST FIX THIS if you want the configuration to behave as you expect. It means that your query does not return the op field. -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: simultaneous-use reply-message
On Fri, Jun 20, 2003 at 11:57:46AM +0300, gunce ciftci wrote: Dear list, I am using (v0.8.1) the simultaneous-use attribute with Bay RAC 8000 without problems. Users also get and see the "You are already logged in - access denied" message through NAS-Prompt when they are trying to connect beyond the limit. To make life easier for hot-line staff, we should have it in our native language. Are you sure your NAS won't go crazy because of non-ascii characters? Don't you expect charset problems? I don't know if somebody ever needed it. I looked for this reply message in radiusd.conf, radcheck, could not see.. It's hard-coded currently, so you can edit the sources and then recompile radius. Dear developers, how about customizable messages? Something like this in radiusd.conf: messages { multiple_login = You are already logged in %{Simultaneous-Use} times\r\n timespan_violation = You are calling outside allowed timespan\r\n ... } I probably could work on that, but I need some guidelines: 1. Should it be a set of static variables, or a searchable list like dictionary? 2. Should it be per-module configuration, or global? 3. Where to put these parameters in config? 4. Recommended naming conventions? -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: module counter
On Fri, Jun 20, 2003 at 01:53:06PM +0300, Kostas Kalevras wrote: On Wed, 18 Jun 2003, Roberto Pioli wrote: when the module counter returns: rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair modcall[authorize]: module counter returns noop modcall: group authorize returns ok What's the matter? Isn't it obvious? IMHO, it looks like a warning. Maybe it's better to silently return? Or print something like DEBUG2("rlm_counter: nothing to do - no %s for the user", inst->check_name); ? Same for rlm_sqlcounter. -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: module counter
On Fri, Jun 20, 2003 at 09:30:51AM -0700, Tom Emerson wrote: On Friday 20 June 2003 3:53 am, Kostas Kalevras wrote: On Wed, 18 Jun 2003, Roberto Pioli wrote: when the module counter returns: rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair modcall[authorize]: module counter returns noop modcall: group authorize returns ok What's the matter? Isn't it obvious? Actually, it isn't. I ran into this problem when I first started to use this, and it was rather annoying because as far as I could tell, I **had** defined a check item, so I was totally bewildered by the comment "could not find it". My line of thinking was that the counter module CREATED a variable (i.e., the counter-name) that later modules could compare against for a pass/fail condition test. Yes, it does this, but only on demand. It registers a function which performs a comparison on the counter attribute (say, Daily-Session-Time), and this function is called on every occurrence of this attribute in *check* items. In this case you need not even list counter in the authorize {} section (only in instantiate {}) - it will be called automatically. It took several passes through the documentation to understand this is backward: other modules set the check-name variable to a particular cutoff value, and THEN the counter module performs the comparison. This is the second way to use it. You supply a *configuration* item (say, Max-Daily-Session) for this counter somewhere, and list the instance in the authorize {} section. And when called from there, counter will search config items for the attribute and do its magic if one was found. Unfortunately, *config* and *check* items are synonyms in freeradius... In re-reading the documentation right now, I think I see why I thought that AND a possible impossible situation. 
The comments read: # The counter-name can also be used like below: # # DEFAULT Daily-Session-Time 3600, Auth-Type = Reject # Reply-Message = You've used up more than one hour today which would appear in the users file and/or in an SQL table. The implication with this comment is that the counter module has to occur FIRST in order to define a value of daily-session-time so the comparison can take place... As I said, counter module defines its value in the very moment of comparison, moreover, it does the comparison itself. I hope I'm clear enough :) To be quite honest about it, I had to dig the source in my time ;) -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: attr_rewrite troubles
On Tue, Jun 17, 2003 at 03:05:07PM -0700, System Administrator wrote: Freeradius version 0.8.1 FreeBSD version 4.8 I am trying to rewrite the User-Name attribute using attr_rewrite add_realm { attribute = User-Name searchin = packet searchfor = ^[a-z0-9_\-]+$ replacewith = @domain ignore_case = yes max_matches = 1 new_attribute = no append = yes } First, you shouldn't escape '-' inside [], however it doesn't matter here. Second, the end-of-string match ('$') will not work because the '$' character is always eaten by radius_xlat(), but that's another story. This sort of works, but what the detail file contains is as follows Tue Jun 17 14:57:54 2003 Acct-Session-Id = EB32 User-Name = username NAS-IP-Address = 10.10.10.1 NAS-Port = 0 NAS-Port-Type = Async Acct-Status-Type = Start Acct-Authentic = RADIUS Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 10.10.10.2 Acct-Delay-Time = 0 Client-IP-Address = 10.10.10.1 Stripped-User-Name = [EMAIL PROTECTED] Realm = NULL Acct-Unique-Session-Id = e44b1b3600511703 Timestamp = 1055887074 It modifies the Stripped-User-Name and not the User-Name attribute which is what I am after. Any suggestions would be most helpful, thank you. Shit. That's all because rlm_realm makes request->username point to the newly-appended Stripped-User-Name valuepair, and some code does a smart hack: when the User-Name valuepair is being searched for, it returns that pointer immediately... Try one of the following: 1. add a realm NULL with the nostrip option in proxy.conf 2. comment out the instance of rlm_realm from your preacct {} section (suffix or prefix) 3. disable proxying altogether (proxy_requests = no, don't include proxy.conf) All three work well for me. Hope this helps. -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql and escaping of strings
On Mon, Jun 02, 2003 at 06:45:56PM +0400, Alexander M. Pravking wrote: On Tue, May 27, 2003 at 11:47:26AM +0400, Alexander M. Pravking wrote: Shouldn't escaping be driver-specific? I believe also that most database libraries have their own escape function, e.g. PQescapeString in PostgreSQL. I'm almost ready to submit a patch for rlm_sql which will allow driver-side escaping: each driver supplies its own escape function, and while doing xlat, rlm_sql uses either that function or the default escape function (which is used now) if the driver did not provide one. Is there anybody interested at all? -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: archive search
On Wed, Jun 04, 2003 at 04:03:25PM +0200, Mauro wrote: Is there a way to search a particular argument in the freeradius archive list, as the only fields available are INDEX DATE ??? There were searchable FreeRADIUS archives at http://www.mail-archive.com/[EMAIL PROTECTED]/ but they're down currently due to 'technical problems'... -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cisco re-sends packets with different ids
I discovered that our Cisco 5200 resends acct-requests (not sure about auth-requests) with different request identifiers, which violates RFC 2866. Here is sample debug output (note the id's!): rad_recv: Accounting-Request packet from host cisco-5200:1646, id=205, length=119 Sun Jun 1 13:57:15 2003 : Debug: Thread 4 assigned request 7988 Sun Jun 1 13:57:15 2003 : Debug: --- Walking the entire request list --- Sun Jun 1 13:57:15 2003 : Debug: Waking up in 1 seconds... Sun Jun 1 13:57:15 2003 : Debug: Thread 4 handling request 7988, (1373 handled so far) NAS-IP-Address = ... NAS-Port = 52 NAS-Port-Type = Async User-Name = some-user Acct-Status-Type = Start Acct-Authentic = RADIUS Service-Type = Framed-User Acct-Session-Id = 00010CC2 Framed-Protocol = PPP Framed-IP-Address = ... Acct-Delay-Time = 0 ... (this request was being processed for more than 5 seconds) ... rad_recv: Accounting-Request packet from host cisco-5200:1646, id=206, length=119 Sun Jun 1 13:57:20 2003 : Debug: Thread 7 assigned request 7992 Sun Jun 1 13:57:20 2003 : Debug: --- Walking the entire request list --- Sun Jun 1 13:57:20 2003 : Debug: Threads: total/active/spare threads = 7/1/6 Sun Jun 1 13:57:20 2003 : Debug: Waking up in 1 seconds... Sun Jun 1 13:57:20 2003 : Debug: Thread 7 handling request 7992, (543 handled so far) NAS-IP-Address = ... NAS-Port = 52 NAS-Port-Type = Async User-Name = user-name Acct-Status-Type = Start Acct-Authentic = RADIUS Service-Type = Framed-User Acct-Session-Id = 00010CC2 Framed-Protocol = PPP Framed-IP-Address = ... Acct-Delay-Time = 5 Finally, both requests are logged successfully, so we got two active sessions for the same request. Alan would say "So, fix the NAS!", but it doesn't seem possible. (I'll be happy if I'm wrong) Please, let me know if you saw similar things and if you have found a workaround. Thanks in advance. -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 09:14:01AM -0500, Chris Parker wrote: At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote: I discovered that our Cisco 5200 resends acct-requests (not sure about auth-requests) with different request identifiers, which violates RFC 2866. Here is sample debug output (note the id's!): Acct-Delay-Time has changed. It is not the same packet. Of course it's changed - it retransmits it because it timed out waiting for the response. But RFC 2866 says: Identifier The Identifier field is one octet, and aids in matching requests and replies. The RADIUS server can detect a duplicate request if it has the same client source IP address and source UDP port and Identifier within a short span of time. Once ids are different, radiusd can't detect a duplicate request and processes them as if they were independent. The solution is to figure out why your cisco nas isn't seeing an acct-accept from the radius server and is retransmitting acct requests. As I said, the server processed the first request too long - more than 5 seconds. It happens sometimes, and I don't think it's too bad. Anyway, thanks for the input. -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 07:06:38AM -0700, Jim Underwood wrote: That's what those acct-session-ids are for... Don't think developers will hack radius for this very Cisco's bug :) -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 10:52:45AM -0500, Chris Parker wrote: At 07:45 PM 6/3/2003 +0400, Alexander M. Pravking wrote: It's not a dupe because it is different, that's the point. It is not the same set of a/v pairs that was originally sent. I don't see anything violating the RFC here. Hmm... Maybe I'm wrong here, assuming that the NAS should re-send the packet with the same id. But then what are the duplicate requests for? And in which case should we expect 'em? As I said, the server processed the first request too long - more than 5 seconds. It happens sometimes, and I don't think it's too bad. Then increase the retry timeout on the cisco so it waits longer for a response. Yes, but what if the request will be processed even longer? Alternatively, fix your radius server so it doesn't take 5 *seconds* to process a request. :) I can do nothing here - it's proxied to a remote server. -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote: Hmm... Maybe I'm wrong here, assuming that NAS should re-send packet with the same id. I think I'm not. Here's the PortMaster 2 example: rad_recv: Accounting-Request packet from host pm2:1026, id=168, length=129 Sun Jun 1 13:22:57 2003 : Debug: Thread 5 assigned request 7679 Sun Jun 1 13:22:57 2003 : Debug: Waking up in 2 seconds... Sun Jun 1 13:22:57 2003 : Debug: Thread 5 handling request 7679, (1331 handled so far) Acct-Session-Id = 5B012519 User-Name = user-name NAS-IP-Address = ... NAS-Port = 10 NAS-Port-Type = Async Acct-Status-Type = Stop Acct-Session-Time = 1527 Acct-Authentic = RADIUS Acct-Input-Octets = 620905 Acct-Output-Octets = 3171185 Acct-Terminate-Cause = User-Request Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = ... Acct-Delay-Time = 0 ... rad_recv: Accounting-Request packet from host pm2:1026, id=168, length=129 Sun Jun 1 13:23:43 2003 : Debug: Thread 6 assigned request 7688 Sun Jun 1 13:23:43 2003 : Debug: --- Walking the entire request list --- Sun Jun 1 13:23:43 2003 : Debug: Threads: total/active/spare threads = 7/1/6 Sun Jun 1 13:23:43 2003 : Debug: Waking up in 5 seconds... Sun Jun 1 13:23:43 2003 : Debug: Thread 6 handling request 7688, (501 handled so far) Acct-Session-Id = 5B012519 User-Name = user-name NAS-IP-Address = ... NAS-Port = 10 NAS-Port-Type = Async Acct-Status-Type = Stop Acct-Session-Time = 1527 Acct-Authentic = RADIUS Acct-Input-Octets = 620905 Acct-Output-Octets = 3171185 Acct-Terminate-Cause = User-Request Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = ... Acct-Delay-Time = 45 -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 11:53:48AM -0500, Chris Parker wrote: At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote: On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote: Hmm... Maybe I'm wrong here, assuming that NAS should re-send packet with the same id. I think I'm not. Here's the PortMaster 2 example: There is no 'wrong' or 'right'. They simply do it different ways. So is it possible to make freeradius determine both? -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 02:04:26PM -0400, Puneet B wrote: Accounting Requests are slightly different if your NAS includes the attribute Acct-Delay-Time. This needs to be updated in each retransmit, and since now the contents of the packet change, a new Identifier is needed. Here is the relevant section from RFC 2866: Note that if Acct-Delay-Time is included in the attributes of an Accounting-Request then the Acct-Delay-Time value will be updated when the packet is retransmitted, changing the content of the Attributes field and requiring a new Identifier and Request Authenticator. Without this attribute the NAS can use the same identifier and you might still see 'duplicate' requests on the server. Thanks, I got it. It's really useful to read docs accurately :) -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco re-sends packets with different ids
On Tue, Jun 03, 2003 at 12:14:58PM -0500, Chris Parker wrote: At 09:05 PM 6/3/2003 +0400, Alexander M. Pravking wrote: There is no 'wrong' or 'right'. They simply do it different ways. So is it possible to make freeradius determine both? For what purpose? What do you want Freeradius to do? When freeradius receives a request, it checks if there was already a request with the same id/nas/udp-port a little time ago (cleanup_delay in radiusd.conf) or is being processed now. If it was, it re-sends the reply to the NAS if the request was already processed, or otherwise simply drops the retransmitted request due to live request id NNN. Right? It would be nice if freeradius did the same when ids are different, but Acct-Session-Id's are the same. Don't know if it's a good idea... Well, I can make it within the sql module by doing something like acct_stop_query = \ INSERT INTO ${acct_table} \ (username, ...) \ VALUES ( SELECT '%u' WHERE NOT EXISTS ( \ SELECT 1 FROM ${acct_table} \ WHERE userName = '%u' \ AND sessionId = '%{Acct-Session-Id}' \ AND nasIpAddress = '%n' \ AND nasPort = '%{NAS-Port}' \ AND it-is-OPEN-session \ ), \ ... ) assuming userName is declared as NOT NULL, so the INSERT will fail in case of a re-sent packet and a successfully processed original packet. Thanks all for the input, let's consider the problem solved... unless someone offers another solution :) -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
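Here is an added example, not from the thread and not FreeRADIUS code, that puts the two retransmit behaviours seen in these messages side by side: the PortMaster keeps the Identifier, so the usual (client address, client port, Identifier) check within cleanup_delay catches it; the Cisco changes Acct-Delay-Time and therefore the Identifier, so only an open-session check in SQL catches it. The insert is the NOT EXISTS idea sketched above, written as INSERT ... SELECT with bound parameters instead of xlat'ed '%u'-style literals. The AcctServer class, its column names, the cache layout and the NAS addresses are assumptions made for this example, and the packets are constructed from the debug output in the thread.

```python
import sqlite3
import time

# Added example, not FreeRADIUS code: two layers of retransmit handling for
# Accounting-Requests, on top of an in-memory SQLite stand-in for radacct.
#  1. Same (client IP, client port, Identifier) within cleanup_delay: the
#     PortMaster case, where the NAS keeps the Identifier. Drop it as a dupe.
#  2. New Identifier but the same open session (Acct-Session-Id, NAS, port):
#     the Cisco case, where Acct-Delay-Time changes and RFC 2866 therefore
#     requires a new Identifier. Caught in SQL with INSERT ... SELECT ...
#     WHERE NOT EXISTS (column names and NAS addresses are constructed).

CLEANUP_DELAY = 5.0   # seconds; plays the role of cleanup_delay in radiusd.conf

class AcctServer:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("""CREATE TABLE radacct (
            username TEXT NOT NULL, sessionid TEXT NOT NULL,
            nasipaddress TEXT NOT NULL, nasport INTEGER NOT NULL,
            acctstarttime REAL NOT NULL, acctstoptime REAL)""")
        self.recent = {}   # (client_ip, client_port, Identifier) -> time first seen

    def _start(self, pkt, now):
        # Insert only if no open session with the same key exists (layer 2).
        cur = self.db.execute("""
            INSERT INTO radacct (username, sessionid, nasipaddress, nasport, acctstarttime)
            SELECT ?, ?, ?, ?, ?
            WHERE NOT EXISTS (SELECT 1 FROM radacct
                              WHERE sessionid = ? AND nasipaddress = ? AND nasport = ?
                                AND acctstoptime IS NULL)""",
            (pkt["User-Name"], pkt["Acct-Session-Id"], pkt["NAS-IP-Address"],
             pkt["NAS-Port"], now - pkt.get("Acct-Delay-Time", 0),
             pkt["Acct-Session-Id"], pkt["NAS-IP-Address"], pkt["NAS-Port"]))
        self.db.commit()
        return "inserted" if cur.rowcount == 1 else "retransmit-by-session"

    def _stop(self, pkt, now):
        # Close the open session; a second Stop for it finds nothing to close.
        cur = self.db.execute("""
            UPDATE radacct SET acctstoptime = ?
            WHERE sessionid = ? AND nasipaddress = ? AND nasport = ?
              AND acctstoptime IS NULL""",
            (now - pkt.get("Acct-Delay-Time", 0), pkt["Acct-Session-Id"],
             pkt["NAS-IP-Address"], pkt["NAS-Port"]))
        self.db.commit()
        return "closed" if cur.rowcount == 1 else "retransmit-by-session"

    def handle(self, client, pkt, now=None):
        """client is (ip, udp_port); returns what was done with the packet."""
        now = time.time() if now is None else now
        # Expire cache entries older than cleanup_delay, then apply layer 1.
        self.recent = {k: t for k, t in self.recent.items() if now - t <= CLEANUP_DELAY}
        key = (client[0], client[1], pkt["Identifier"])
        if key in self.recent:
            return "duplicate-by-id"
        self.recent[key] = now
        if pkt["Acct-Status-Type"] == "Start":
            return self._start(pkt, now)
        return self._stop(pkt, now)

    def open_sessions(self):
        return self.db.execute(
            "SELECT count(*) FROM radacct WHERE acctstoptime IS NULL").fetchone()[0]

# Constructed from the debug output in the thread (addresses made up).
CISCO = ("192.0.2.1", 1646)
CISCO_START_205 = {"Identifier": 205, "Acct-Status-Type": "Start", "User-Name": "some-user",
                   "Acct-Session-Id": "00010CC2", "NAS-IP-Address": "192.0.2.1",
                   "NAS-Port": 52, "Acct-Delay-Time": 0}
CISCO_START_206 = dict(CISCO_START_205, Identifier=206, **{"Acct-Delay-Time": 5})

PM2 = ("192.0.2.2", 1026)
PM2_START = {"Identifier": 160, "Acct-Status-Type": "Start", "User-Name": "user-name",
             "Acct-Session-Id": "5B012519", "NAS-IP-Address": "192.0.2.2",
             "NAS-Port": 10, "Acct-Delay-Time": 0}
PM2_STOP_168 = dict(PM2_START, Identifier=168, **{"Acct-Status-Type": "Stop"})
PM2_STOP_168_AGAIN = dict(PM2_STOP_168, **{"Acct-Delay-Time": 45})

def demo():
    """Replay both NAS behaviours; returns the per-packet outcomes in order."""
    srv = AcctServer()
    return [
        srv.handle(CISCO, CISCO_START_205, now=100.0),    # inserted
        srv.handle(CISCO, CISCO_START_206, now=105.0),    # retransmit-by-session
        srv.handle(PM2, PM2_START, now=200.0),            # inserted
        srv.handle(PM2, PM2_STOP_168, now=300.0),         # closed
        srv.handle(PM2, PM2_STOP_168, now=301.0),         # duplicate-by-id
        srv.handle(PM2, PM2_STOP_168_AGAIN, now=345.0),   # retransmit-by-session
        srv.open_sessions(),                              # 1, the Cisco session
    ]

if __name__ == "__main__":
    print(demo())
```

The retransmitted Cisco Start with id 206 inserts nothing, and the late PortMaster Stop with Acct-Delay-Time 45 falls outside cleanup_delay but finds no open session to close. One caveat the thread itself raises still applies: the session-level check only helps once the original request has been committed, so if the original is still waiting on a slow proxy, the retransmit can race it.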
Re: All Sockets being used!
On Fri, May 30, 2003 at 08:37:08AM -0800, Matthew Schumacher wrote: Alan, I also use ldap for autz/auth and sql/detail for accounting and have also seen this problem. I just didn't have enough information to really troubleshoot it further. Which version are you running? Which db engine do you use? I'm in the process of configuring the FR snapshot of 2003-04-24 (keeping it up-to-date, so let's say it's a current snapshot), so I am able to experiment as extremely as I can. I use files+LDAP (OpenLDAP 2.0.25) in autz, LDAP in auth, 2 sqlcounters in post-auth (blame me, developers!), and detail+sql (PostgreSQL 7.3.2, on the same machine) in acct and sql in session. I also have check items like Attribute := `%{sql:...}` for some users. Let's dig a little: 1. radius running OK, handling access- and acct-requests right. 2. I kill -9 the main postgres process, so no new conns can be made, then I also kill -9 one of the five postgres processes serving radiusd. Most Access-Requests are still handled fine. For others one of the following occurs: a) sqlcounters treat a database error as if the accumulated resource (daily/monthly session time) was unconsumed; b) group session returns fail, so radius has nothing to do but consider the user isn't online; c) `%{sql:...}` expands to an empty string. Accept or Reject only depends on valid user credentials. As for accounting, unhandled requests successfully failed over to detail. 3. I kill the rest of the postgres processes. Now all Access-Requests are processed the way described in (2). 4. Once I restart postgres, those go away immediately, radius continues normal operation. So I can't see any BIG problem in my case. What I really need to do is get the latest CVS running in the lab and start trying to break it by kicking the database/ldap from under it. Let's see if it helps... -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: All Sockets being used!
On Fri, May 30, 2003 at 10:18:52PM +0400, Alexander M. Pravking wrote: Let's dig a little: Continuing tests... I limited num_sql_socks to 1, created a test user profile which initiates a nearly infinite sql query during authorization, and tried to log in as this user. Of course, it hung up :) Radius could not get an sql socket for other requests and reported 'There are no DB handles to use!' warnings, but, again, authorized / authenticated other users successfully. Hmm... rlm_sql/sql.c seems to have been patched seriously in the last 2 months - see http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/sql.c#rev1.62 and higher. And can anyone send -xxx output showing unexpected access-rejects when all sockets are used? -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Attr_rewrite
On Sat, May 31, 2003 at 02:24:44AM -0400, Gene Parks wrote: I have tried using attr_rewrite to get the User-Name attribute to appear in the detail file as just the username without the realm. It seems the system is already stripping the realm off of it before it gets processed by attr_rewrite. So basically it has no effect. Then it seems to put the realm back on the username before it commits it to the detail file. Has anyone got any ideas on how I might get the User-Name to appear as I need it to? User-Name in the request is never stripped. Instead, a new attribute Stripped-User-Name is added. Try using replacewith = %{Stripped-User-Name} -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: High CPU Load
On Wed, May 28, 2003 at 04:03:43PM -0400, Jeff Sullivan wrote: Wed May 28 16:01:01 2003 : Error: rlm_sql (sql): Couldn't update SQL accounting STOP record - ERROR: pg_atoi: zero-length string I believe it's trying to put an absent attribute into an integer field (Acct-Session-Time, Acct-Input-Octets, etc), which is xlat'ed as an empty string (bug?). Try using AcctSessionTime = '%{Acct-Session-Time:-0}' or AcctSessionTime = %{Acct-Session-Time:-NULL} or AcctSessionTime = NULLIF('%{Acct-Session-Time}', '') in the update query. This becomes a FAQ... -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
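As an added example that is not part of the list messages above and not FreeRADIUS code, the following Python reproduces the "absent attribute expands to the empty string" FAQ from the 0.8.1 thread and this one. A toy xlat() expands %{Attr} and %{Attr:-default}, then runs the stop query against an in-memory SQLite stand-in for radacct. The escape hooks are illustrative stand-ins for the driver-specific escaping discussed on the list, and strict_integer_columns() emulates the PostgreSQL rejection ('Bad numeric input format' / 'pg_atoi: zero-length string') because SQLite would quietly store the empty string as text; both, like the request contents, are assumptions constructed for this example.

```python
import re
import sqlite3

# Added example, not FreeRADIUS code: a toy expander for the two xlat forms the
# threads are about, run against a throwaway SQLite stand-in for radacct so the
# "empty string into an integer column" failure can be reproduced offline.
#   %{Attr}           -> attribute value, or "" when the attribute is absent
#   %{Attr:-default}  -> attribute value, or the literal default when absent
# Assumptions, labelled: the escape hooks are illustrative stand-ins for the
# per-driver escaping proposed on the list; SQLite stores '' as text rather
# than rejecting it, so strict_integer_columns() emulates the PostgreSQL error.

XLAT_RE = re.compile(r"%\{([A-Za-z0-9-]+)(?::-([^}]*))?\}")

def pg_escape(value):
    # PostgreSQL literal syntax: a quote inside a string is doubled
    return value.replace("'", "''")

def generic_escape(value):
    # Backslash-style fallback (assumption: stands in for a default escaper)
    return value.replace("\\", "\\\\").replace("'", "\\'")

ESCAPERS = {"postgresql": pg_escape, "generic": generic_escape}

def xlat(template, request, driver="postgresql"):
    """Expand %{Attr} / %{Attr:-default} against a dict of request attributes."""
    escape = ESCAPERS[driver]
    def replace(match):
        attr, default = match.group(1), match.group(2)
        if attr in request:
            return escape(str(request[attr]))
        # Absent attribute: the bare form becomes '', the :- form its default
        # (the default is configuration text, so it is not escaped).
        return "" if default is None else default
    return XLAT_RE.sub(replace, template)

# Constructed Stop request with Acct-Session-Time missing, as in the debug output.
STOP_WITHOUT_SESSION_TIME = {
    "User-Name": "o'brien",           # constructed: a quote to exercise escaping
    "Acct-Session-Id": "1808",
    "NAS-IP-Address": "127.0.0.1",
    "Acct-Status-Type": "Stop",
}

# The fragment as shipped (no default) and the FAQ answer (':-0').
UNSAFE_QUERY = ("UPDATE radacct SET AcctStopTime = '2003-07-02 15:33:30', "
                "AcctSessionTime = '%{Acct-Session-Time}' "
                "WHERE AcctSessionId = '%{Acct-Session-Id}' "
                "AND UserName = '%{User-Name}' AND AcctStopTime IS NULL")
SAFE_QUERY = UNSAFE_QUERY.replace("%{Acct-Session-Time}", "%{Acct-Session-Time:-0}")

def fresh_radacct():
    """In-memory radacct holding one open session for the constructed request."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (AcctSessionId TEXT, UserName TEXT, "
               "AcctStopTime TEXT, AcctSessionTime INTEGER)")
    db.execute("INSERT INTO radacct VALUES ('1808', 'o''brien', NULL, NULL)")
    return db

def strict_integer_columns(db):
    """Emulate PostgreSQL: an integer column may not hold a non-integer value."""
    bad = db.execute("SELECT AcctSessionTime FROM radacct WHERE AcctSessionTime IS NOT NULL "
                     "AND typeof(AcctSessionTime) != 'integer'").fetchone()
    if bad is not None:
        raise ValueError("Bad numeric input format '%s'" % bad[0])

def run_stop(template, request, driver="postgresql"):
    """Expand and run a stop query; return (rows_updated, session_time, error)."""
    db = fresh_radacct()
    try:
        rows = db.execute(xlat(template, request, driver)).rowcount
        strict_integer_columns(db)
    except (sqlite3.DatabaseError, ValueError) as exc:
        return 0, None, str(exc)
    value = db.execute("SELECT AcctSessionTime FROM radacct").fetchone()[0]
    return rows, value, None

if __name__ == "__main__":
    print(run_stop(UNSAFE_QUERY, STOP_WITHOUT_SESSION_TIME))
    print(run_stop(SAFE_QUERY, STOP_WITHOUT_SESSION_TIME))
```

The unsafe template fails exactly where the logs above fail, on the empty AcctSessionTime literal, while the ':-0' form updates the row and stores 0. The same expander with %{Attr:-NULL} yields an unquoted NULL, which is why that form must be written without surrounding quotes in the query.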
Re: Different Services
On Thu, Jan 23, 2003 at 03:06:50PM +, Didi Rieder wrote: Quoting Brian Johnson [EMAIL PROTECTED]: Ahh I see what you are asking. :) Since the users are authenticating, do you use a username for each service they use? Do users have multiple services and use the same username? The same username for all services... What is the NAS you're using? If it could recognize Service-Type and send it in RADIUS packets, then you can configure freeradius and database schema to do auth/acct based on (User-Name, Service-Type) key, instead of only User-Name. Otherwise, you should use different User-Names, I think... -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Regexp in huntgroups file
On Tue, Jan 21, 2003 at 05:03:30AM -0500, Alan DeKok wrote: Nils Rønhovde [EMAIL PROTECTED] wrote: If I have a group of NAS'es in the address-range 10.1.1.0-32, how should I express this in a single statement in the huntgroups file. My best idea is like this test NAS-Ip-Address =~ ^10\.1\.1\.[0-32] Regular expressions are over *characters*, not *numbers*. Try: test NAS-IP-Address =~ ^10\.1\.1\.(0|1[0-9]?|2[0-9]?|3[0-2]?|[4-9]) Looks slightly unreadable, doesn't it? :) Alan, how about implementing a few operators on IP's? E.g., '' for 'is contained within', so, in this case: NAS-IP-Address 10.1.1.0/27. -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
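An added example, not part of this exchange: the two regexes above and a real CIDR test run over every last octet of 10.1.1.x. It shows what "regular expressions are over characters" means in practice: [0-32] is the character set {0,1,2,3}, and without a trailing $ the corrected pattern matches every address in 10.1.1.0/24, because 1[0-9]? is satisfied by the first digits of 100. It also shows that the proposed 10.1.1.0/27 covers .0-.31, so the question's .0-.32 is not a single CIDR block. The function names are assumptions for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Added example, not from the thread: run the two regexes posted above, and a
# real CIDR test, over every last octet of 10.1.1.x. A regex sees characters,
# not numbers, and without a trailing '$' both patterns match far more than
# intended. /27 is the block proposed in the reply; it covers .0-.31.

NAIVE_RE = r"^10\.1\.1\.[0-32]"                             # as asked: [0-32] is the set {0,1,2,3}
REPLY_RE = r"^10\.1\.1\.(0|1[0-9]?|2[0-9]?|3[0-2]?|[4-9])"  # as suggested in the reply
SUBNET = ip_network("10.1.1.0/27")                           # the CIDR alternative

def octets_matching(pattern, anchor_end=False):
    """Last octets n for which 10.1.1.n matches; optionally append '$'."""
    pat = re.compile(pattern + ("$" if anchor_end else ""))
    return {n for n in range(256) if pat.match("10.1.1.%d" % n)}

def octets_in_subnet(subnet=SUBNET):
    """Last octets n for which 10.1.1.n lies inside the subnet."""
    return {n for n in range(256) if ip_address("10.1.1.%d" % n) in subnet}

def huntgroup_contains(nas_ip, subnet=SUBNET):
    """What an IP-aware 'is contained within' check does instead of a regex."""
    return ip_address(nas_ip) in subnet

if __name__ == "__main__":
    for name, pat in (("naive", NAIVE_RE), ("reply", REPLY_RE)):
        print(name, "unanchored:", len(octets_matching(pat)),
              "anchored:", sorted(octets_matching(pat, anchor_end=True)))
    print("/27:", sorted(octets_in_subnet()))
```

Anchored with $, the naive pattern matches only .0 through .3 and the reply's pattern matches .0 through .32 as intended; unanchored, the naive pattern matches 190 of the 256 addresses and the reply's pattern matches all 256.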
Re: Cisco NAS: how to reject user?
On Mon, Oct 14, 2002 at 01:11:49PM +0800, Ruslan A Dautkhanov wrote: Hi, I have to reject a dial-in user when some events occur. Does anybody know which SNMP OID I should use to administratively disconnect a user (I think that Cisco may have a number of such OIDs - one for rejecting a user by IP, one by SessionID, another for rejecting a user by name, CallingNumber, and so on..). Can you list the exact numbers (.1.3.6), if it is possible? Thanks a lot. In addition to Kostas' suggestion: you can set interfaces.ifTable.ifEntry.ifAdminStatus.NN (.1.3.6.1.2.1.2.2.1.7.NN) to 2 (down) and then to 1 (up). You can determine the interface index (NN) using the following equations: 1. by ip - ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.{Framed-IP-Address} = NN (.1.3.6.1.2.1.4.20.1.2.{Framed-IP-Address} = NN) 2. by NAS-Port - interfaces.ifTable.ifEntry.ifDescr.NN = Async{NAS-Port} (.1.3.6.1.2.1.2.2.1.2.NN = Async{NAS-Port}) -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm-sql_postgres
On Fri, Sep 27, 2002 at 09:50:18AM -0400, Paul Khavkine wrote: In the schema for postgres for the radacct table: AcctStartTime datetime DEFAULT now() NOT NULL, AcctStopTime datetime DEFAULT now() NOT NULL, So these can not be NULL. So override it! You can freely edit the database schema on your own: see src/modules/rlm_sql/drivers/rlm_sql_postgresql/db_postgresql.sql. The DATETIME type is for backward compatibility only, use TIMESTAMP/TIMESTAMP WITH TIME ZONE instead. I'd also recommend you remove all DEFAULT '' NOT NULL modifiers (it's also some kind of MySQLism) and change NUMERICs to [BIG]INTEGERs - they're faster. Note also that PostgreSQL 7.2+ throws an exception when trying to insert a VARCHAR value larger than specified (unlike simply trimming it in earlier versions), so you can consider using TEXT instead in some places like ConnectInfo_*. -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Insert error - Freeradius-0.07
On Thu, Aug 08, 2002 at 08:38:13AM -0500, Rick Eicher II wrote: Hello all, We use freeside to manage our system and ICRadius for our dial-up users. We are wanting to move to freeradius but seem to have a problem when inserting users. failed: ERROR: Cannot insert a duplicate key into unique index radcheck_pkey at ... failed: can't insert into groupname table: ERROR: Cannot insert a duplicate key into unique index usergroup_pkey at ... Sounds like PostgreSQL error messages... The fields that are indexed are of type serial so they should increment themselves without our help. Yes and no. If you specify its value, then _this value_ is inserted, e.g. INSERT INTO radcheck VALUES (0, 'Some-User', 'Some-Attribute', 'Some-Value', '==') If you specify no value, then the default value is inserted, which is nextval('radcheck_id_seq') for the SERIAL type, e.g. INSERT INTO radcheck (username, attribute, value, op) VALUES ('Some-User', 'Some-Attribute', 'Some-Value', '==') If I drop the indexes but not the sequence and then do the insert it works without error, but the id field in question is set to '0' for all records. This makes me think that the sequence is not working. So I did a select nextval on the sequence a few times to watch it work. It seems to have no problems. This same code does an insert on ICRadius without error. I checked the table structure of freeradius and ICRadius. They seem to be equivalent when comparing MySql and postgresql. Do you use mysql with ICRadius? And what is the source of the data you are inserting into Postgres? -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html