Unexpected Accounting Response
Hi.
I'm configuring the radius server so that no duplicate
Calling-Station-Id values are found in the DB I'm logging to (Oracle),
which is the only destination I'm logging onto (not even "detail").
The quickest way I thought of was to add a unique index to the RADACCT
table so that any Accounting Start for a Calling-Station-Id already
present in the DB would fail.
Indeed I can see through the server log (started with -X) that the
INSERT statement fails because it attempts to violate the unique
constraint:
--
rlm_sql (sql): Couldn't insert SQL accounting START record - ORA-1:
unique constraint (RADUSER.RADACCT_IDX2) violated
--
However, just a few lines below I see:
--
modcall[accounting]: module "sql" returns ok for request 0
--
which probably is the root cause of unexpected (to me):
--
Sending Accounting-Response of id 241 to XXX.XXX.XXX.XXX:33863
--
This Accounting Response is unexpected to me because RFC 2866 says:
"If the RADIUS accounting server is unable to successfully record the
accounting packet it MUST NOT send an Accounting-Response
acknowledgment to the client".
Any help ?
Thanks in advance
Giuseppe
P.S. Here there's the whole log section related to the request
processing that raises the above issue:
-
rad_recv: Accounting-Request packet from host XXX.XXX.XXX.XX:33863,
id=241, length=92
User-Name = "testuser"
User-Password = "\001\272O\257UN\214\307\245\333%\261 \020d"
Acct-Status-Type = Start
Calling-Station-Id = "39348000"
Framed-IP-Address = XXX.XXX.XXX.XX
Acct-Session-Id = "c16a444a16927797"
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0
modcall[preacct]: module "preprocess" returns noop for request 0
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request,
unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address =
XXX.XXX.XXX.XXX,NAS-IP-Address = XXX.XXX.XXX.XXX,Acct-Session-Id =
"c16a444a16927797",User-Name = "testuser"'
rlm_acct_unique: Acct-Unique-Session-ID = "aecc3df0011c".
modcall[preacct]: module "acct_unique" returns ok for request 0
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[preacct]: module "suffix" returns noop for request 0
modcall[preacct]: module "files" returns noop for request 0
modcall: group preacct returns ok for request 0
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 0
radius_xlat: 'testuser'
rlm_sql (sql): sql_set_user escaped user -- 'testuser'
radius_xlat: 'INSERT into radacct (RadAcctId, AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
values('', 'c16a444a16927797', 'aecc3df0011c', 'testuser', '',
'XXX.XXX.XXX.XXX', '', '', TO_DATE('2005-09-28 19:46:43','-mm-dd
hh24:mi:ss'), NULL, '0', '', '', '', '0', '0', '', '39348000', '',
'', '', 'XXX.XXX.XXX.XXX', '', '0')'
radius_xlat: '/usr/local/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 4
INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName,
Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay, AcctStopDelay) values('',
'c16a444a16927797', 'aecc3df0011c', 'testuser', '',
'XXX.XXX.XXX.XXX', '', '', TO_DATE('2005-09-28 19:46:43','-mm-dd
hh24:mi:ss'), NULL, '0', '', '', '', '0', '0', '', '39348000', '',
'', '', 'XXX.XXX.XXX.XXX', '', '0')
rlm_sql_oracle: execute query failed in sql_query: ORA-1: unique
constraint (RADUSER.RADACCT_IDX2) violated
rlm_sql (sql): Attempting to connect rlm_sql_oracle #4
rlm_sql (sql): Connected new DB handle, #4
INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName,
Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay, AcctStopDelay) values('',
'c16a444a16927797', 'aecc3df0011c', 'testuser', '',
'XXX.XXX.XXX.XXX', '', '', TO_DATE('2005-09-28 19:46:43','-mm-dd
hh24:mi:ss'), NULL, '0', '', '', '', '0', '0', '', '39348000', '',
'', '', 'XXX.XXX.XXX.XX', '', '0')
rlm_sql_oracle: execute query failed in sql_query: ORA-1: unique
constraint (RADUSER.RADACCT_IDX2) violated
rlm_sql (sql): failed after re-connect
rlm_sql (sql): Couldn't insert SQL accounting START record -
Need of Help Regarding FreeRadius Server
Hi all please help me as i am new user of RADIUS. As i got stuck at this point and i m unable to proceed for further development. so i am desperately waiting for ur response. It's al about freeRadius-1.0.5 .After configuration and instalation i put a command as below n getting below problems [EMAIL PROTECTED] ~]# radiusd Thu Sep 29 10:54:56 2005 : Info: Starting - reading configuration files ... [EMAIL PROTECTED] ~]# radiusd -x Starting - reading configuration files ... Errors reading dictionary: dict_init: /usr/local/etc/raddb/dictionary[14]: Could n't open dictionary /usr/local/share/freeradius/dictionary: No such file o r directory Errors reading radiusd.conf [EMAIL PROTECTED] ~]# radius -y bash: radius: command not found [EMAIL PROTECTED] ~]# radiusd -y Thu Sep 29 11:03:19 2005 : Info: Starting - reading configuration files ... [EMAIL PROTECTED] ~]# radiusd -z Thu Sep 29 11:03:26 2005 : Info: Starting - reading configuration files ... [EMAIL PROTECTED] ~]# radiusd -xyz Starting - reading configuration files ... Errors reading dictionary: dict_init: /usr/local/etc/raddb/dictionary[14]: Couldn't open dictionary /usr/local/share/freeradius/dictionary: No such file or directory Errors reading radiusd.conf AGAIN AFTERWHEN I AM TRYING WITH radpwtst...se the below message.,.. [EMAIL PROTECTED] ~]# radpwtst Bad format in dictionary '/usr/local/etc/raddb/dictionary' at line 14: $INCLUDE /usr/local/share/freeradius/dictionary Attribute number 1 is not defined in your dictionary Attribute number 6 is not defined in your dictionary Attribute number 4 is not defined in your dictionary Attribute number 5 is not defined in your dictionary Attribute number 30 is not defined in your dictionary Attribute number 31 is not defined in your dictionary Attribute number 61 is not defined in your dictionary Attribute number 2 is not defined in your dictionary No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown sending Access-Request... No reply Attribute number 1 is not defined in your dictionary Attribute number 6 is not defined in your dictionary Attribute number 4 is not defined in your dictionary Attribute number 5 is not defined in your dictionary Attribute number 61 is not defined in your dictionary Attribute number 44 is not defined in your dictionary Attribute number 40 is not defined in your dictionary Attribute number 30 is not defined in your dictionary Attribute number 31 is not defined in your dictionary Attribute number 41 is not defined in your dictionary No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown sending Accounting-Request Start... No reply Attribute number 1 is not defined in your dictionary Attribute number 6 is not defined in your dictionary Attribute number 4 is not defined in your dictionary Attribute number 5 is not defined in your dictionary Attribute number 61 is not defined in your dictionary Attribute number 44 is not defined in your dictionary Attribute number 40 is not defined in your dictionary Attribute number 30 is not defined in your dictionary Attribute number 31 is not defined in your dictionary Attribute number 41 is not defined in your dictionary Attribute number 46 is not defined in your dictionary Attribute number 42 is not defined in your dictionary Attribute number 43 is not defined in your dictionary No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown sending Accounting-Request Stop... No reply bye. -- ___ Check out the latest SMS services @ http://www.linuxmail.org This allows you to send and receive SMS through your mailbox. Powered by Outblaze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: rlm_perl
hi friends,
I am really sorry to post it again. Because still i
did not find any reply to solve my problems.
--- Abdul Lateef [EMAIL PROTECTED] wrote:
Hi,
Thanks for your reply. i am going here to post the
debug logs. from the log it seems rlm_per is loaded
successfully but when i am trying to call authorize
and authenticate function from example.pl, the
functions are not calling well.
Here is full configuration what i did to work with
perl module.
radreply table:
---
123456Auth-Type := perl
---
radiusd.conf
-
modules area:
perl {
module = /usr/local/etc/example.pl
func_accounting = accounting
func_authenticate = authenticate
func_authorize = authorize
func_preacct = preacct
func_checksimul = checksimul
func_xlat = xlat
}
authorize {
preprocess
chap
suffix
perl
}
authenticate {
Auth-Type Perl {
perl
}
}
-
example.pl
sub authorize {
return RLM_MODULE_OK;
}
sub authenticate {
if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
$RAD_REPLY{'Reply-Message'} = Denied access;
return RLM_MODULE_REJECT;
} else {
$RAD_REPLY{'h323-credit-time'} =
\h323-credit-time=200\;
return RLM_MODULE_OK;
}
}
Here is the Log:
===
Wed Sep 28 07:50:45 2005 : Info: Detach perl
0x93af7a0
Wed Sep 28 07:50:45 2005 : rlm_perl:
rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x93af7a0
returned status 0
Wed Sep 28 07:50:45 2005 : Info: Detach perl
0x94b0ec8
Wed Sep 28 07:50:45 2005 : rlm_perl:
rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x94b0ec8
returned status 0
Wed Sep 28 07:50:45 2005 : Info: Detach perl
0x950b550
Wed Sep 28 07:50:45 2005 : rlm_perl:
rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x950b550
returned status 0
Wed Sep 28 07:50:45 2005 : Info: Detach perl
0x9565480
Wed Sep 28 07:50:45 2005 : rlm_perl:
rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x9565480
returned status 0
Wed Sep 28 07:50:45 2005 : Info: Detach perl
0x95bf180
Wed Sep 28 07:50:45 2005 : rlm_perl:
rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:45 2005 : Info: detach at 0x95bf180
returned status 0
Wed Sep 28 07:50:45 2005 : rlm_perl:
rlm_perl::Detaching. Reloading. Done.
Wed Sep 28 07:50:48 2005 : Info: rlm_sql (sql):
Driver
rlm_sql_mysql (module rlm_sql_mysql) loaded and
linked
Wed Sep 28 07:50:48 2005 : Info: rlm_sql (sql):
Attempting to connect to [EMAIL PROTECTED]:/radius
Wed Sep 28 07:50:48 2005 : Info: rlm_sql_mysql:
Starting connect to MySQL server for #0
Wed Sep 28 07:50:48 2005 : Info: rlm_sql_mysql:
Starting connect to MySQL server for #1
=
I AM REALLY SORRY FOR BIG THREAD.
Yours,
Abdul Lateef
Computer Programmer
HATIF COM
Mob: +974 - 5405022
Tel: +974 - 4883068
ICQ: 276994704
YM!: abdul_zu
Fax: +974 - 4883063
Doha Qatar
http://www.hatif.com
__
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
Yours,
Abdul Lateef
Computer Programmer
HATIF COM
Mob: +974 - 5405022
Tel: +974 - 4883068
ICQ: 276994704
YM!: abdul_zu
Fax: +974 - 4883063
Doha Qatar
http://www.hatif.com
__
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Need of Help Regarding FreeRadius Server
Well, did you look at /usr/local/etc/dictionary? It generally points to /usr/local/share/freeradius/dictionary. If so (and it certainly appears to be so) then go look in /usr/local/share/freeradius/dictionary. It would appear that there is an error (or it did not get installed when you installed FR1.0.5). If so, the dictionary files are in the source tree and can be manually copied over. They are in $SOURCEDIR/share. cp -R $SOURCEDIR/share/* /usr/local/share/freeradius Should do the trick (replace $SOURCEDIR with the directory in which your freeradius-1.0.5 source is located). Rgds, Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of manoranjan pandey Sent: 29 September 2005 08:54 To: freeradius-users@lists.freeradius.org Subject: Need of Help Regarding FreeRadius Server Hi all please help me as i am new user of RADIUS. As i got stuck at this point and i m unable to proceed for further development. so i am desperately waiting for ur response. It's al about freeRadius-1.0.5 .After configuration and instalation i put a command as below n getting below problems [EMAIL PROTECTED] ~]# radiusd Thu Sep 29 10:54:56 2005 : Info: Starting - reading configuration files ... [EMAIL PROTECTED] ~]# radiusd -x Starting - reading configuration files ... Errors reading dictionary: dict_init: /usr/local/etc/raddb/dictionary[14]: Could n't open dictionary /usr/local/share/freeradius/dictionary: No such file o r directory Errors reading radiusd.conf [EMAIL PROTECTED] ~]# radius -y bash: radius: command not found [EMAIL PROTECTED] ~]# radiusd -y Thu Sep 29 11:03:19 2005 : Info: Starting - reading configuration files ... [EMAIL PROTECTED] ~]# radiusd -z Thu Sep 29 11:03:26 2005 : Info: Starting - reading configuration files ... [EMAIL PROTECTED] ~]# radiusd -xyz Starting - reading configuration files ... Errors reading dictionary: dict_init: /usr/local/etc/raddb/dictionary[14]: Couldn't open dictionary /usr/local/share/freeradius/dictionary: No such file or directory Errors reading radiusd.conf AGAIN AFTERWHEN I AM TRYING WITH radpwtst...se the below message.,.. [EMAIL PROTECTED] ~]# radpwtst Bad format in dictionary '/usr/local/etc/raddb/dictionary' at line 14: $INCLUDE /usr/local/share/freeradius/dictionary Attribute number 1 is not defined in your dictionary Attribute number 6 is not defined in your dictionary Attribute number 4 is not defined in your dictionary Attribute number 5 is not defined in your dictionary Attribute number 30 is not defined in your dictionary Attribute number 31 is not defined in your dictionary Attribute number 61 is not defined in your dictionary Attribute number 2 is not defined in your dictionary No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown sending Access-Request... No reply Attribute number 1 is not defined in your dictionary Attribute number 6 is not defined in your dictionary Attribute number 4 is not defined in your dictionary Attribute number 5 is not defined in your dictionary Attribute number 61 is not defined in your dictionary Attribute number 44 is not defined in your dictionary Attribute number 40 is not defined in your dictionary Attribute number 30 is not defined in your dictionary Attribute number 31 is not defined in your dictionary Attribute number 41 is not defined in your dictionary No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown sending Accounting-Request Start... No reply Attribute number 1 is not defined in your dictionary Attribute number 6 is not defined in your dictionary Attribute number 4 is not defined in your dictionary Attribute number 5 is not defined in your dictionary Attribute number 61 is not defined in your dictionary Attribute number 44 is not defined in your dictionary Attribute number 40 is not defined in your dictionary Attribute number 30 is not defined in your dictionary Attribute number 31 is not defined in your dictionary Attribute number 41 is not defined in your dictionary Attribute number 46 is not defined in your dictionary Attribute number 42 is not defined in your dictionary Attribute number 43 is not defined in your dictionary No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown No such attribute Unknown sending Accounting-Request Stop... No reply bye. -- ___ Check out the latest SMS services @
Re: Need of Help Regarding FreeRadius Server
manoranjan pandey [EMAIL PROTECTED] writes: Errors reading dictionary: dict_init: /usr/local/etc/raddb/dictionary[14]: Could n't open dictionary /usr/local/share/freeradius/dictionary: No such file o r directory Is this unclear? Bjørn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_perl
Abdul Lateef [EMAIL PROTECTED] writes: I am really sorry to post it again. I'm curious... what good do you think that possibly could do? Because still i did not find any reply to solve my problems. I noticed you got this answer: Run the server in Debug mode and see what happens. Maybe you missed it? Bjørn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_perl
On Thursday 29 September 2005 11:11, Abdul Lateef wrote: I am really sorry to post it again. Because still i did not find any reply to solve my problems. please send output of radiusd -X -- Best Regards, Boian Jordanov SNE Orbitel - Next Generation Telecom tel. +359 2 4004 723 tel. +359 2 4004 002 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP and groups
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello there, I have a small problem. And I read the documentation. And I can't find what's wrong. I have a corporate LDAP with users and group. Each group is a groupOfUniqueNames, with uniquemember. In the user defintion, no group definition is set. I need to authenticate members of a certain groups, and not of another ... Every doc I read mention that you have to create an attribute per user ... Any other way ? Regards, Jean-Francois Gobin - -- Jean-Francois Gobin - Administrateur gobinjf.be http://www.gobinjf.be mailto:[EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (FreeBSD) Comment: Made with pgp4pine 1.76 iD8DBQFDO6+pkkg3QInH2uURAkoTAJ9CiiYoljx0B2zP/tInkSG4TwiwIgCbBWft g16kNx6wUzO1va189DJmHRA= =kTQn -END PGP SIGNATURE- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Crashes with 1.0.4/1.0.5, perhaps connected with slow LDAP backend?
Yes. If all of the threads are blocked forever, waiting for the DB to return data, then the queue of requests grows without bounds. At some point, the server says I'm not making progress, and I can't recover from this, and kills itself. hm, I thought the timeout values were for this, but I now understand that an LDAP communication might get stuck halfway, thus _not_ triggering a timeout event. Since the server is *already* effectively dead at that point, it makes no difference to your network. The solution is to fix the database so that it doesn't kill the server. well, we should perhaps be able to wait for a database going and come back again after a minute without crashing the daemon. Anyway, I'm now going with an increased ldap_connections_number (100 instead of 5), and increased LDAP timeouts as well. What about max_request_time and delete_blocked_requests -- isn't this exactly what is needed to protect the server from being blocked? Cheers, Martin -- Dr. Martin Pauly Fax:49-6421-28-26994 HRZ Univ. MarburgPhone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: [EMAIL PROTECTED] D-35032 Marburg - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Proxy of Accounting Requests
Good day. I am using freeradius 1.05 I want to proxy accounting requests originating from certain hosts to another server, how can I do this. Also I am using Jradius to handle accounting request. But this certain request I don't want JRadius to handle, but freeradius just to proxy it. Here is an example of the request Thanks Acct-Session-Id = C42EA2A31F96530 Framed-Protocol = GPRS-PDP-Context Called-Station-Id = vlive Calling-Station-Id = 27829800529 Framed-IP-Address = 10.19.128.6 3GPP-IMSI = 65501982252 3GPP-Charging-ID = 33121584 3GPP-PDP-Type = 0 3GPP-GGSN-Address = 196.46.162.163 3GPP-IMSI-MCC-MNC = 65501 3GPP-GGSN-MCC-MNC = 65501 3GPP-NSAPI = 5 3GPP-Selection-Mode = 0 3GPP-Charging-Gateway-Address = 10.25.0.10 3GPP-GPRS-Negotiated-QoS-profile = 99-23931F9396979774FB0808 3GPP-SGSN-Address = 196.6.254.49 User-Name = 27829800529 Cisco-AVPair = connect-progress=Call Up Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Virtual Cisco-NAS-Port = GGSN NAS-Port = 6 Class = [Binary Data] Service-Type = Framed-User NAS-IP-Address = 10.31.1.122 NAS-Identifier = GMC-GGSN0-12-2 Acct-Delay-Time = 0 Client-IP-Address = 10.113.60.6 Acct-Unique-Session-Id = b30a3d4d494c8a87 This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.net/legal/email.aspx - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Proxy of Accounting Requests
Ashwin Gobind wrote: I want to proxy accounting requests originating from certain hosts to another server, how can I do this. You could add something like this in file acct_users: DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1 DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2 -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Proxy of Accounting Requests
Can you also do this in SQL? J. -- Jonathan De Graeve Network/System Administrator Imelda vzw Informatica Dienst 015/50.52.98 [EMAIL PROTECTED] - Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite - -Oorspronkelijk bericht- Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Namens Nicolas Baradakis Verzonden: donderdag 29 september 2005 13:55 Aan: FreeRadius users mailing list Onderwerp: Re: Proxy of Accounting Requests Ashwin Gobind wrote: I want to proxy accounting requests originating from certain hosts to another server, how can I do this. You could add something like this in file acct_users: DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1 DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2 -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SSL3_GET_CLIENT_KEY_EXCHANGE
The protocol specification describes this. The implementation in
src/modules/rlm_eap/ contains diagrams of the packets it expects to
receive.
Alan DeKok.
Thank you Alan, but now I have a new problem. I have been reading the
src/modules/rlm_eap/ to understand my problem but I don't find the
issue. In TLS establishment, the public key in the server.cert is 128
bytes length. I generate a random string of 46 bytes and the protocol
version (TLS 1.0 (0x03, 0x01)) and I use the SSL function
RSA_public_encrypt() with server's public key to encrypt the
PreMasterSecret. As a result I get a 128 length string. As I send this
data to the server, I get a tls rsa encrypted length is wrong:
s3_srvr.c: 1450:
Can anybody please tell me where can be my problem? Here is my code
for exemple.
void Client_Key_Exchange (SSLData *ClientSSLData, unsigned short
*length, char *HandshakeMessages, unsigned short *length_Hndshk, char
*buff)
{
char *PreMasterSecret = (char*) _MEMORY_Allocate (58 ,
true);
char *EncryptedPreMasterSecret = (char*) _MEMORY_Allocate (128, true);
char *temp = (char*) _MEMORY_Allocate
(58 , true);
unsigned char *tmpCert= _MEMORY_Allocate
(ClientSSLData-certificate_len + 128, true);
_RANDOM_MakeCharString (temp, 46);
PreMasterSecret [0] = 0x03;
PreMasterSecret [1] = 0x01;
for (register int i = 0; i46; i++)
{
PreMasterSecret[i+2]= temp [i];
ClientSSLData-PreMasterSecret[i] = PreMasterSecret[i];
}
for (i = 0; i ClientSSLData-certificate_len; i++)
tmpCert[i] =(unsigned char) ClientSSLData-certificate[i];
//- OpenSSL Functions -
RSA *server_public_key;
X509 *cert = X509_new ();
EVP_PKEY *evp = EVP_PKEY_new ();
X509 *err = d2i_X509 (cert, (unsigned char**) tmpCert,
(ClientSSLData-certificate_len) );
//- d2i_509 Function retrives tmpCert pointer advanced the number
of bytes read -
tmpCert = tmpCert - (ClientSSLData-certificate_len);
//- We get the public key from the Server certificate -
evp = X509_get_pubkey(cert);
server_public_key = (RSA *) evp-pkey.ptr;
int rsasize = RSA_size(server_public_key);
//- We get the PreMasterSecret encrypted -
int Encrypted_len = RSA_public_encrypt(48, (BYTE*) PreMasterSecret,
(unsigned char*)EncryptedPreMasterSecret, server_public_key,
RSA_PKCS1_PADDING);
ClientSSLData-bufferSSL[(*length)++] = 0x16; // Handshake
Message
ClientSSLData-bufferSSL[(*length)++] = 0x03; // Version
ClientSSLData-bufferSSL[(*length)++] = 0x01; // Version
ClientSSLData-bufferSSL[(*length)++] = (Encrypted_len + 6) / 256;
// Length
ClientSSLData-bufferSSL[(*length)++] = (Encrypted_len + 6) % 256;
// Length
ClientSSLData-bufferSSL[(*length)++] = 0x10; // Client key
exchange
ClientSSLData-bufferSSL[(*length)++] = 0x00;
// Length
ClientSSLData-bufferSSL[(*length)++] = (Encrypted_len ) / 256;
// Length
ClientSSLData-bufferSSL[(*length)++] = (Encrypted_len ) % 256;
// Length
//- Public key exchange -
for (i = 0; i Encrypted_len; i++)
{
buff[i] = EncryptedPreMasterSecret[i];
HandshakeMessages[(*length_Hndshk)++] =
EncryptedPreMasterSecret[i];
}
free (PreMasterSecret);
free (EncryptedPreMasterSecret);
free (temp);
free (tmpCert);
}
Thank you for your help. Juan Daniel MORENO
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
(no subject)
Good morning! I have successfully configured freeradius server with using postgresql database to storage users which i want to authenticate. when i put it in debug mode to test he works well. But when I run it as deamon the server radius don't see the postgresql server. In the radius's log file i look this: Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radiusdb Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server [EMAIL PROTECTED]:radiusdb Error: rlm_sql_postgresql: Postgresql error 'could not connect to server: Permission denied ?Is the server running on host localhost and accepting ?TCP/IP connections on port 5432? ' Error: rlm_sql (sql): Failed to connect DB handle #0 Info: Ready to process requests. I use fedora core4 as Operating System and freeradius 1.0.4-1, postgresql 8.0.3-1. In the postgresql's file pg_hba.conf i make this configuration: #TYPE DATABASEUSER CIDR-ADDRESS METHOD #IPv4 local connections: hostradiusdb radiusadmin 127.0.0.1/32 trust I don't why this dysfonctionnement Please help me and thanks for your assistance. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Postgresql+freeradius configuration
Good morning! I have successfully configured freeradius server with using postgresql database to storage users which i want to authenticate. when i put it in debug mode to test he works well. But when I run it as deamon the server radius don't see the postgresql server. In the radius's log file i look this: Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radiusdb Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server [EMAIL PROTECTED]:radiusdb Error: rlm_sql_postgresql: Postgresql error 'could not connect to server: Permission denied ?Is the server running on host localhost and accepting ?TCP/IP connections on port 5432? ' Error: rlm_sql (sql): Failed to connect DB handle #0 Info: Ready to process requests. I use fedora core4 as Operating System and freeradius 1.0.4-1, postgresql 8.0.3-1. In the postgresql's file pg_hba.conf i make this configuration: #TYPE DATABASEUSER CIDR-ADDRESS METHOD #IPv4 local connections: hostradiusdb radiusadmin 127.0.0.1/32 trust I don't why this dysfonctionnement Please help me and thanks for your assistance. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How can i tell which version of freeradius i'm running?
Linda PagilloDirector of Technical ServicesN2 The Net, LLC[EMAIL PROTECTED]931-372-9179 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Segmentation Fault
I just installed the newest version of Freeradius (1.0.5)on my Linux Redhat 9 server. All went well except this... when i start the radius in debug mode.. all starts fine, but when the first user tries to authenticate, i get a Segmentation Fault and the radius stops. Any ideas? Linda PagilloDirector of Technical ServicesN2 The Net, LLC[EMAIL PROTECTED]931-372-9179 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How can i tell which version of freeradius i'm running?
radiusd -v check the radiusd manpage for more info on startup flags On Thu, 29 Sep 2005, Linda Pagillo wrote: Linda Pagillo Director of Technical Services N2 The Net, LLC [EMAIL PROTECTED] 931-372-9179 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
My server is up and running. Thanks to all who helped
Hi Guys: I finally got Freeradius upgraded to the most current version. Thanks to all who helped. Linda PagilloDirector of Technical ServicesN2 The Net, LLC[EMAIL PROTECTED]931-372-9179 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Unexpected Accounting Response
Giuseppe [EMAIL PROTECTED] wrote: This Accounting Response is unexpected to me because RFC 2866 says: If the RADIUS accounting server is unable to successfully record the accounting packet it MUST NOT send an Accounting-Response acknowledgment to the client. It appears to be an issue with the SQL module: rlm_sql_oracle: execute query failed in sql_query: ORA-1: unique constraint (RADUSER.RADACCT_IDX2) violated rlm_sql (sql): failed after re-connect rlm_sql (sql): Couldn't insert SQL accounting START record - ORA-1: unique constraint (RADUSER.RADACCT_IDX2) violated ... rlm_sql (sql): Released sql socket id: 4 modcall[accounting]: module sql returns ok for request 0 If something fails, the SQL module shouldn't return ok. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SSL3_GET_CLIENT_KEY_EXCHANGE
Juan Daniel Moreno [EMAIL PROTECTED] wrote: Thank you Alan, but now I have a new problem. I have been reading the src/modules/rlm_eap/ to understand my problem but I don't find the issue. In TLS establishment, the public key in the server.cert is 128 bytes length. I generate a random string of 46 bytes and the protocol version (TLS 1.0 (0x03, 0x01)) and I use the SSL function RSA_public_encrypt() with server's public key to encrypt the PreMasterSecret. As a result I get a 128 length string. As I send this data to the server, I get a tls rsa encrypted length is wrong: s3_srvr.c: 1450: I have no idea what the problem is, sorry. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How can i tell which version of freeradius i'm running?
Linda Pagillo [EMAIL PROTECTED] wrote: Linda Pagillo ... man radiusd or radiusd -h would help. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Crashes with 1.0.4/1.0.5, perhaps connected with slow LDAP backend?
Martin Pauly [EMAIL PROTECTED] wrote: What about max_request_time and delete_blocked_requests -- isn't this exactly what is needed to protect the server from being blocked? Yes, but the server doesn't deal well with blocked threads. The delete_blocked_requests doesn't really work. We hope to fix this in the next major version of the server. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius + oracle
Hi, Is it possible to install and run freeradius on an Oracle App Server?. The database server is another server located at another local network. Is it possible to achieve this configuration? Which are the requirements of freeradius for compiling with oracle support? Can I download the code and compile it in the app server? I'll really appreciate your advice. Best regards, -- chabral - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
setting password from an application
All, I am having a problem setting password from the http application. It is getting reset to NULL inside pam_authenticate somehow. The only place I can see password is set to NULL is in the function
void _pam_sanitize(pam_handle_t *pamh) in pam_misc.c file. I've also commented out the invocation of _pam_sanitize from pam api. Also I have syslog trace in the pam_sanitize function. However, for some reason I am losing the password inside pam_authenticate inspite of all the changesand also I don't see any trace from the function
pam_sanitize. If anybody has any idea aboutthis, please reply.
retval = pam_start(http, auth_userpass, conv, pamh);
syslog(LOG_INFO, before pam_set_item..\n); pam_set_item(pamh, PAM_AUTHTOK, pwd); if (retval == PAM_SUCCESS) {
retval = pam_authenticate(pamh, 0); /* is user really user? */ } else { syslog(LOG_INFO, --Not authenticated - pam start failed\n);
}
/* This is where we have been authorized or not. */
if (retval == PAM_SUCCESS) { syslog(LOG_INFO, Authentication successful for %s from %s\n, auth_userpass, req-remote_ip_addr); strncpy(req-user, auth_userpass, 15);
req-user[15] = '\0'; if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */ pamh = NULL;
syslog(LOG_ERR, http: failed to release pam authenticator\n); } return 1;
}
Thanks,
N
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Segmentation Fault
Linda Pagillo [EMAIL PROTECTED] wrote: I just installed the newest version of Freeradius (1.0.5) on my Linux Redhat 9 server. All went well except this... when i start the radius in debug mode.. all starts fine, but when the first user tries to authenticate, i get a Segmentation Fault and the radius stops. Any ideas? See doc/bugs Also, ensure that you *don't* have an older version of FreeRADIUS installed on the same box. Using old modules with a new server may cause problems. Alan Dekok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PEAP and ntlm_auth
Hi all,
I've got a small problem with FreeRadius, I'm trying to forward NTLM
authentication to a NT domain by using ntlm_auth but the %{Stripped-User-Name}
is empty.
I've enabled ntdomain in authorize { } and preacct { }, but it doesn't seem to
translate %{User-name} as NTCORP01\\USER to %{Stripped-User-Name}
asUSER.
When I use ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=USER it
works (but only for USER ;-)).
with_ntdomain_hack in preprocess { } it breaks PEAP (as mentioned earlier on
this list).
Should I create a wrapper script for ntlm_auth (to strip the %{User-name}) as a
workaround or can I use another FreeRadius trick?
Thanks,
Dick
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Crashes with 1.0.4/1.0.5, perhaps connected with slow LDAP backend?
hi, we are crashing every couple of hours or so now, but at least this time got something in the log: Thu Sep 29 20:33:19 2005 : Error: Assertion failed in modcall.c, line 68 Looks like there might be some more bug-squashing ahead? :-)) I will try to run in debug mode tomorrow so we can get some more information on the problems (at least, they seem fairly reproducible). Martin -- Dr. Martin Pauly Fax:49-6421-28-26994 HRZ Univ. MarburgPhone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: [EMAIL PROTECTED] D-35032 Marburg - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Segmentation Fault
I've been upgrading a few times.. but this is the one that need cleaning old version before installing new one.. Is there a way to remove all old modules ? or just simply delete the lib files... Do we need to recompile again after cleaning it up... or just make install again..? - Original Message - From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Friday, September 30, 2005 04:53 Subject: Re: Segmentation Fault Linda Pagillo [EMAIL PROTECTED] wrote: I just installed the newest version of Freeradius (1.0.5) on my Linux Redhat 9 server. All went well except this... when i start the radius in debug mode.. all starts fine, but when the first user tries to authenticate, i get a Segmentation Fault and the radius stops. Any ideas? See doc/bugs Also, ensure that you *don't* have an older version of FreeRADIUS installed on the same box. Using old modules with a new server may cause problems. Alan Dekok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius and MS SQL -- anyone got it working?
Hi list, What is the status of MS SQL support for freeradius? Did anyone get it working? And if yes, which version do you use and what is required to get it work? I'm currently using freeradius 1.0.2 on Debian Sarge and I didn't manage to get it connect to the MS SQL server. As the rlm_sql_freetds module states that it is under development ans so, not enabled by default, I was wondering, if the iODBC or the unixodbc modules would work and if yes, how to set this up (aside from freeradius.. seems the 'drivers' are missing, whatever this means). Need some help here. Anyone? Cheers Arne -- Arne Götje (高盛華) [EMAIL PROTECTED] PGP/GnuPG key: 1024D/685D1E8C Fingerprint: 2056 F6B7 DEA8 B478 311F 1C34 6E9F D06E 685D 1E8C Key available at wwwkeys.pgp.net. Encrypted e-mail preferred. pgp22vLV6zACC.pgp Description: PGP signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius + EAP-TLS + DHCP = not working. Help!
todays, i am trying to setup EAP-TLS with aironet 350 client adapter ( vendor : cisco ) for long working to setup EAP-TLS, i decided ipw driver might have some bug but i don't sure whrere the problem is ... check ipw developer mailling list From: [EMAIL PROTECTED] Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org To: freeradius-users@lists.freeradius.org Subject: Freeradius + EAP-TLS + DHCP = not working. Help! Date: Tue, 27 Sep 2005 17:25:15 -0400 I have the same problem do you have any solution? Saludos Alberto Ibarrar#65533;n G. Information Technology Boehringer Ingelheim Promeco (52) 55 56 29 8300 ext. 8631 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
how to config radiusclient!
Dear all, I wish to use softphone X-lite on SER and radius in db_mode. When I installed both freeradius 1.0.4 and radiusclient 0.4.3 on the same server which ser 0.8.14 has installed on, I could log in X-lite through radius authorization. And now I want radiusclient (on server A) to send the request to a remote radius server (on server B) to realize authorization. I have changed those config files: /usr/local/etc/radiusclient/servers, /usr/local/etc/radiusclient/radiusclient.conf and /usr/local/etc/raddb/clients.conf as the document (http://www.iptel.org/ser/doc/ser_radius/ser_radius.html#AEN193) did. Then I test the radius server as the above document said on server A: radclient -f digest server B auth testing123 and I received expected replied message from server B. But when I log in x-lite (UA), there are error messages: Sep 29 17:11:06 localhost ser[4408]: rc_ip_hostname: couldn't look up host by addr: DA61FC29 Sep 29 17:11:06 localhost ser[4408]: rc_send_server: no reply from RADIUS server unknown:1812 And the number DA61FC29 is exactly the hexadecimal value of the ip address of radius server. How come? Did I mis-config anything? Many thanks for your reply! Shuai http://www.goldentek.biz - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius and MS SQL -- anyone got it working?
Arne =?utf-8?q?G=C3=B6tje?= (=?utf-8?q?=E9=AB=98=E7=9B=9B=E8=8F=AF?=) [EMAIL PROTECTED] wrote: I'm currently using freeradius 1.0.2 on Debian Sarge and I didn't manage to get it connect to the MS SQL server. As the rlm_sql_freetds module states that it is under development ans so, not enabled by default, I was wondering, if the iODBC or the unixodbc modules would work and if yes, how to set this up (aside from freeradius.. seems the 'drivers' are missing, whatever this means). The iodbc or unixodbc drivers should work. There have been reports of them working with MS SQL in the past. As for the drivers being missing, the rlm_sql_* files are just the interface between FreeRADIUS and the iODBC libraries. If you don't have the iODBC libraries (or other DB libraries), then the FreeRADIUS modules that require them will not be built or installed. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Segmentation Fault
Rohaizam Abu Bakar [EMAIL PROTECTED] wrote: Is there a way to remove all old modules ? or just simply delete the lib files... No just deleting the old files should be OK. Do we need to recompile again after cleaning it up... or just make install again..? If you install to a completely different directory, and se that directory via configure --prefix=..., then everything should work. It's only installing multiple versions of the server on top of each other that causes problems. My suggestion there is to delete the old files, and *then* compile * reinstall. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
MSCHAPv2, MySQL, Freeradius
Hi, Is there a way in which I can have encrypted passwords in the mysql database and use MSCHAPv2 to authenticate users? If I used a third party tool like mkntpwd to create NT Hashes, could I put premade hashes in the database and use them to authenticate or would rlm_mschap encrypt the password attribute anyway? Thanks in advance for any help you can offer, Daniel Russell Lead Technician In-HouseIT Services PH (03) 50210044 FX (03) 50210066 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Multiple Questions
hello, i've got multiple questions.. 1) I'm running Debian Sarge, currently im using 1.02-4 (stable deb package) I need the sql_counter mod installed , is their anyway of installing it without reinstalling Freerad? I had removed freeradius 1.02-4 and went to install 1.0.5 via source but during make / make install came up with errors (that i cant remember). ( i was using the experimental flag ) 2) Is there a way of setting up some sort of Redundancy i.e. having 2 radius servers if one drops all authentication will go to the next radius server (MySQL backend). I was thinking maybe have a DB server and have the 2 radius servers using that one DB server.. At this point im Not sure which AP's / Router(s) the company is using (wireless enviroment). 3) How would I setup freeradius to have MAC address authentication via SQL if verified they would have inet access if rejected they wouldnt. Im not sure as to what settings are required in the Users table i.e. compression / type of user framed etc or what not or how they would automatically obtain an IP# / internet access via dhcp if / when their authentication was accepted. ( im using dialup admin for entering in nas / user info ) My mind is at a blank atm but im sure ill have many more questions. I've read the documentationa and unfortunatly some of it made lil to no sense to me or the documentation was vague at best. Last radius server i used was a Macintosh based GUI for dialup customers 2 clicks and i was done so to speak :)... 4) what settings if any would i have to enter into a router (yes i know another silly question that i dont know the answer to) Once again Thanks for any and all help/support :) Nick B. Newb to Freeradius / Radius in general. BC Technologies. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
