Re: FR-1.1.3 on solaris10 strange things

2006-11-14 Thread Alexander Serkin

Alexander Serkin wrote:

Alan DeKok wrote:

Alexander Serkin [EMAIL PROTECTED] wrote:
Maybe someone could give advice on how to debug the problem while 
the server will not be in production?


  Attach to it with gdb, and see what it's doing.



Got some debugs on this. The problem does not depend on solaris version 
- both 9 and 10 have the same effects.
The effect rises up when the request is proxied to other server and this 
server does not answer:

...
After that the strings Walking/Waking rapidly appear during dead_time 
configured in proxy.conf and at the same time the process takes about 
50% of CPU on slow netra 1120 (2x440MHz) and up to 99% on Netra-240 
(1x1GHz). After dead_time we see:




Sorry not after dead_time. After (retry_delay*retry_count).


--
Sincerely Yours,
Alexander
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR-1.1.3 on solaris10 strange things

2006-11-14 Thread Alexander Serkin

Alexander Serkin wrote:

Alexander Serkin wrote:

...
After that the strings Walking/Waking rapidly appear during dead_time 
configured in proxy.conf and at the same time the process takes about 
50% of CPU on slow netra 1120 (2x440MHz) and up to 99% on Netra-240 
(1x1GHz). After dead_time we see:




Sorry not after dead_time. After (retry_delay*retry_count).


Sorry again. After max_request_time (60s).



--
Sincerely Yours,
Alexander


proxy the request by user type but not by realm?

2006-11-14 Thread Leo Lei
hi, all:
forgive my poor expression in English. :(

server A as the proxy server, server B as the remote server validating 
the user in the access-request proxying by A. 

The exact thing that happens for A is this:
1. receive the access-request, check the user type, if match 
special type, proxy the request to B for special validation. 
if not match, local normal validation.
2. get the response from B, if access-accept, process the 
succeeding validation. and then respond with access-accept or access-reject.

in general:
can I:
1. proxy the access-request by user type?
2. perform the succeeding validation after receiving the response from 
the remote server B?

and how can I do that?

thanks!


--
Leo Lei
2006-11-14




FreeRadius hanging for 5 secs at 2% of auth requests.

2006-11-14 Thread Mircea Harapu
I have compiled FreeRadius 1.1.3 to work with OpenLDAP 2.2.23 on Fedora 
Core 4.
At 2% of auth requests freeradius is hanging for 5 secs, discarding 
duplicate requests and ignoring other requests.

In debug mode it hangs at this line:

rlm_ldap: - authenticate
rlm_ldap: login attempt by user with password x
rlm_ldap: user DN: cn=user,ou=People,dc=company,dc=ro
rlm_ldap: (re)connect to ldap.company.ro:389, authentication 1
rlm_ldap: setting TLS CACert Directory to /var/openldap/cert/
rlm_ldap: bind as cn=user,ou=People,dc=company,dc=ro/x to 
ldap.company.ro:389   


after 5 secs it continues and replies without any problem.

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user user authenticated succesfully

In this period any query to LDAP is working perfectly.

On a second machine with the same configuration these things don't happen.
But when I have more than 20 requests per second freeradius is crashing.

--
Mircea Harapu
Abuse Engineer
Bucharest NOC
RCS  RDS SA
[EMAIL PROTECTED]

Privileged/Confidential Information may be contained in this message.
If you are not the addressee indicated in this message (or responsible
for delivery of the message to such person), you may not copy or deliver
this message to anyone. In such a case, you should destroy this message
and kindly notify the sender by reply e-mail.




Re: FR-1.1.3 on solaris10 strange things

2006-11-14 Thread Alexander Serkin

Sorry, sorry, sorry. It's all my fault.
Proxy server instead of proxy server in proxy.conf.
So it did not retry and set retry_delay to 0 and so on...

--
Sincerely Yours,
Alexander


build rpm packages on centOS

2006-11-14 Thread Michael Messner
hey @all,

 trying to build freeradius-1.1.3 rpms for centOS with the description
from http://wiki.freeradius.org/Build#Building_RedHat_packages
ends with the following error:

Executing(%doc): /bin/sh -e /var/tmp/rpm-tmp.73012
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd freeradius-1.1.3
+ DOCDIR=/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3
+ export DOCDIR
+ rm -rf /var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3
+ /bin/mkdir -p /var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3
+ cp -pr suse/README.SuSE
/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3
+ cp -pr doc/00-OLD doc/aaa.txt doc/Acct-Type doc/ascend doc/Autz-Type
doc/bay doc/bugs doc/ChangeLog doc/cisco doc/coding-methods.txt
doc/configurable_failover doc/CYGWIN doc/DIFFS doc/duplicate-users
doc/examples doc/ldap_howto.txt doc/load-balance.txt doc/MACOSX
doc/Makefile doc/misc-nas doc/module_interface doc/mssql doc/OS2
doc/performance-testing doc/Post-Auth-Type doc/processing_users_file
doc/proxy doc/RADIUS-LDAP-eDirectory doc/RADIUS-SQL.schema doc/radrelay
doc/README doc/release-method.txt doc/rfc doc/rlm_attr_filter doc/rlm_dbm
doc/rlm_digest doc/rlm_eap doc/rlm_fastusers doc/rlm_krb5 doc/rlm_ldap
doc/rlm_pam doc/rlm_passwd doc/rlm_python doc/rlm_sim_triplets doc/rlm_sql
doc/rlm_sqlcounter doc/rlm_sqlippool doc/Session-Type doc/Simultaneous-Use
doc/supervise-radiusd.txt doc/tuning_guide doc/variables.txt LICENSE
COPYRIGHT CREDITS README
/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3
cp: will not overwrite just-created
`/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README' with
`README'
error: Bad exit status from /var/tmp/rpm-tmp.73012 (%doc)


RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.73012 (%doc)

any ideas?

ca mIke




Re: build rpm packages on centOS

2006-11-14 Thread Patric

Michael Messner wrote:

hey @all,

cp: will not overwrite just-created
`/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README' with
`README'
error: Bad exit status from /var/tmp/rpm-tmp.73012 (%doc)


RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.73012 (%doc)

any ideas?

  


Have you tried compiling the source?
What you will probably find is that make will fail, and will give you a 
more detailed description on where the compile is _actually_ failing.


My suggestion is to try compile from source. I had a similar problem 
trying to build a php-java-bridge rpm on CentOS a while back.
Turns out the gcc compiler was getting itself in a knot, and incorrectly 
reporting duplicate methods. My solution was to use make with the -i 
switch - ignore errors.
If your problem is similar you can get around rpmbuild failing by 
editing the spec file and changing the make statement to make -i


HTH
Patric


Re: problem with freeeradius, mysql setup

2006-11-14 Thread Stefan Winter
 mysql> SELECT
 radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE
 usergroup.Username = 'test1' AND usergroup.GroupName =
 radgroupcheck.GroupName ORDER BY radgroupcheck.id;
 +----+-----------+------------------+-------+----+
 | id | GroupName | Attribute        | Value | op |
 +----+-----------+------------------+-------+----+
 |  1 | retea     | Simultaneous-Use | 1     | =  |
 |  2 | retea     | Auth-Type        | Local | := |
 +----+-----------+------------------+-------+----+
 2 rows in set (0.01 sec)

Simultaneous-Use should have the op :=

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: FreeRadius hanging for 5 secs at 2% of auth requests.

2006-11-14 Thread Mircea Harapu



I have compiled FreeRadius 1.1.3 to work with OpenLDAP 2.2.23 on 
Fedora Core 4.
At 2% of auth requests freeradius is hanging for 5 secs, discarding 
duplicate requests and ignoring other requests.

In debug mode it hangs at this line:

rlm_ldap: - authenticate
rlm_ldap: login attempt by user with password x
rlm_ldap: user DN: cn=user,ou=People,dc=company,dc=ro
rlm_ldap: (re)connect to ldap.company.ro:389, authentication 1
rlm_ldap: setting TLS CACert Directory to /var/openldap/cert/
rlm_ldap: bind as cn=user,ou=People,dc=company,dc=ro/x to 
ldap.company.ro:389   

I figured out that it was a DNS problem because of using hostname for LDAP.

after 5 secs it continues and replies without any problem.

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user user authenticated succesfully

In this period any query to LDAP is working perfectly.

On a second machine with the same configuration these things don't 
happen.

But when I have more than 20 requests per second freeradius is crashing.


Still got no clue for crashing at more than 20 requests per second

--
Mircea Harapu
Abuse Engineer
Bucharest NOC
RCS  RDS SA
[EMAIL PROTECTED]



Re: build rpm packages on centOS

2006-11-14 Thread Michael Messner
Patric said:
 Michael Messner wrote:
 hey @all,

 cp: will not overwrite just-created
 `/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README' with
 `README'
 error: Bad exit status from /var/tmp/rpm-tmp.73012 (%doc)


 RPM build errors:
 Bad exit status from /var/tmp/rpm-tmp.73012 (%doc)

 any ideas?



 Have you tried compiling the source?

that works!

 What you will probably find is that make will fail, and will give you a
 more detailed description on where the compile is _actually_ failing.

 My suggestion is to try compile from source. I had a similar problem
 trying to build a php-java-bridge rpm on CentOS a while back.
 Turns out the gcc compiler was getting itself in a knot, and incorrectly
  reporting duplicate methods. My solution was to use make with the -i
 switch - ignore errors.

if I add the -i in the spec file there is no change ... same error!

thanks mIke




Re: build rpm packages on centOS

2006-11-14 Thread Patric

Michael Messner wrote:

Patric said:



Have you tried compiling the source?


that works!


if I add the -i in the spec file there is no change ... same error!

thanks mIke


So it compiles from source? Ok, what is your rpmbuild command?

Patric


Re: problem with freeeradius, mysql setup

2006-11-14 Thread Alan DeKok
Alexandru Matei [EMAIL PROTECTED] wrote:
 One last thought:  I think Freeradius could be improved if in debug mode 
 it could say what is the sql result it doesn't like.

  Sure.  Send a patch.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Again problem with freeeradius, mysql setup

2006-11-14 Thread Alexandru Matei

Hi again,
I run into trouble again. I want to authenticate with chap and radius 
failed with:


rad_recv: Access-Request packet from host 127.0.0.1:32769, id=110, length=70
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = test1
   CHAP-Password = 0xfaf5457967797fc6264e6925d24689d299
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 0
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
 modcall[authorize]: module preprocess returns ok for request 14
 rlm_chap: Setting 'Auth-Type := CHAP'
 modcall[authorize]: module chap returns ok for request 14
 modcall[authorize]: module mschap returns noop for request 14
   rlm_realm: No '@' in User-Name = test1, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 14
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 14
radius_xlat:  'test1'
rlm_sql (sql): sql_set_user escaped user -- 'test1'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'test1'   ORDER BY id'

rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, 
op   FROM radcheck   WHERE Username = 'test1'   
ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test1' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test1' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'test1'   ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, 
op   FROM radreply   WHERE Username = 'test1'   
ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 'test1' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 'test1' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id

rlm_sql (sql): Released sql socket id: 4
 modcall[authorize]: module sql returns ok for request 14
modcall: leaving group authorize (returns ok) for request 14
 rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
 Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 14
 rlm_chap: login attempt by test1 with CHAP password
 rlm_chap: Using clear text password password for user test1 
authentication.

 rlm_chap: Pasword check failed
 modcall[authenticate]: module chap returns reject for request 14
modcall: leaving group CHAP (returns reject) for request 14
auth: Failed to validate the user.

I don't understand why in rlm_chap: login attempt by test1 with CHAP 
password  the password isn't listed, although the freeradius is in debug 
mode.



Alex


Alexandru Matei wrote:


Thank you, that was it!
Still, I'll be grateful if somebody can point me into right direction 
with some documentation describing what  Attributes -Type -Values are 
more usually used.

That's besides the dictionaries...
One last thought:  I think Freeradius could be improved if in debug 
mode it could say what is the sql result it doesn't like.


Regards,
Alex
Stefan Winter wrote:



Mysql and usage of radgroupcheck

2006-11-14 Thread Anne-Mie Vandermeeren

I have set up Freeradius working fine with a users-file. I did some tests
to change to Mysql and all was ok, until I want to add some conditions for
users in more than one group.

This looks like a simple setup for Mysql, but it's not working as I
thought it would:

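mysql> select * from usergroup;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| user1    | Group1    |        1 |
| user1    | Group2    |        2 |
+----------+-----------+----------+
2 rows in set (0.00 sec)

mysql> select * from radcheck;
+----+----------+---------------+----+------------+
| id | UserName | Attribute     | op | Value      |
+----+----------+---------------+----+------------+
|  1 | user1    | User-Password | == | paswoordje |
+----+----------+---------------+----+------------+
1 row in set (0.00 sec)

mysql> select * from radreply;
Empty set (0.00 sec)

mysql> select * from radgroupcheck;
+----+-----------+----------------+----+--------------+
| id | GroupName | Attribute      | op | Value        |
+----+-----------+----------------+----+--------------+
|  1 | Group1    | NAS-IP-Address | == | 172.16.224.1 |
|  2 | Group2    | NAS-IP-Address | == | 172.16.224.2 |
+----+-----------+----------------+----+--------------+
2 rows in set (0.01 sec)

mysql> select * from radgroupreply;
+----+-----------+-----------+----+----------+
| id | GroupName | Attribute | op | Value    |
+----+-----------+-----------+----+----------+
|  1 | Group1    | Class     | := | groepje1 |
|  2 | Group2    | Class     | := | groepje2 |
+----+-----------+-----------+----+----------+
2 rows in set (0.00 sec)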



I use ntradping to check the setup.

When I use NAS-IP-Address = 172.16.224.1 I get the correct class
(groepje1), but when I use the NAS-IP-Address = 172.16.224.2 I get a
reject and not as I was expecting the class-attribute groepje2.

I can't figure out why this is the case.

The debug output is not helping me, either. Anyone a suggestion on solving
this?

 DEBUG output for NAS-IP-Address = 172.16.224.1--

rad_recv: Access-Request packet from host 157.193.39.138:3674, id=65,
length=51
User-Name = user1
User-Password = paswoordje
NAS-IP-Address = 172.16.224.1
Tue Nov 14 16:37:17 2006 : Debug:   Processing the authorize section of
radiusd.conf
Tue Nov 14 16:37:17 2006 : Debug: modcall: entering group authorize for
request 37
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modcall[authorize]: module
preprocess returns ok for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: returned from
chap (rlm_chap) for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modcall[authorize]: module chap
returns noop for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modcall[authorize]: module mschap
returns noop for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: calling suffix
(rlm_realm) for request 37
Tue Nov 14 16:37:17 2006 : Debug: rlm_realm: No '@' in User-Name =
user1, looking up realm NULL
Tue Nov 14 16:37:17 2006 : Debug: rlm_realm: No such realm NULL
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: returned from
suffix (rlm_realm) for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modcall[authorize]: module suffix
returns noop for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 37
Tue Nov 14 16:37:17 2006 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: returned from
eap (rlm_eap) for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modcall[authorize]: module eap
returns noop for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: calling files
(rlm_files) for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: returned from
files (rlm_files) for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modcall[authorize]: module files
returns notfound for request 37
Tue Nov 14 16:37:17 2006 : Debug:   modsingle[authorize]: calling sql
(rlm_sql) for request 37
Tue Nov 14 16:37:17 2006 : Debug: radius_xlat:  'user1'
Tue Nov 14 16:37:17 2006 : Debug: rlm_sql (sql): sql_set_user escaped user
-- 'user1'
Tue Nov 14 16:37:17 2006 : Debug: radius_xlat:  'SELECT id, UserName,
Attribute, Value, op   FROM radcheck   WHERE Username =
'user1'   ORDER BY id'
Tue Nov 14 16:37:17 2006 : Debug: rlm_sql (sql): Reserving sql socket id:
2
Tue Nov 14 16:37:17 

problem with freeeradius, mysql setup

2006-11-14 Thread Alexandru Matei

Hi all,
I have some problems setting up Freeradius 1.1.3, with mysql 3.23.54 on 
Redhat9.

Here's the log for radiusd (relevant part):

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32769, id=216, length=57
   User-Name = test1
   User-Password = password
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 500
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = test1, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
radius_xlat:  'test1'
rlm_sql (sql): sql_set_user escaped user -- 'test1'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'test1'   ORDER BY id'

rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, 
op   FROM radcheck   WHERE Username = 'test1'   
ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test1' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test1' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'test1'   ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, 
op   FROM radreply   WHERE Username = 'test1'   
ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 'test1' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 'test1' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id

rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): No matching entry in the database for request from user 
[test1]

 modcall[authorize]: module sql returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user

auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 216 to 127.0.0.1 port 32769
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 216 with timestamp 4559bead
Nothing to do.  Sleeping until we see a request.

On the mysql front all seems good:

mysql -u dialup_admin -ppassword -D radius
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 134 to server version: 3.23.54-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'test1'   ORDER BY id;
+----+----------+---------------+----------+----+
| id | UserName | Attribute     | Value    | op |
+----+----------+---------------+----------+----+
|  3 | test1    | User-Password | password | := |
+----+----------+---------------+----------+----+
1 row in set (0.00 sec)

mysql> SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test1' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;

+----+-----------+------------------+-------+----+
| id | GroupName | Attribute        | Value | op |
+----+-----------+------------------+-------+----+
|  1 | retea     | Simultaneous-Use | 1     | =  |
|  2 | retea     | Auth-Type        | Local | := |

Re: rewriting usernames

2006-11-14 Thread Michael Mitchell

Christopher Carver wrote:

Hello,

How do I rewrite the value of the User-Name attribute based on
Called-Station-Id?  I need to do a series of these logical decisions and
replace the username with username@some-isp.com based on what the value of
Called-Station-Id is.



hmm that is a tricky one! One possible solution (untried, so YMMV) may be an 
approach such as:

1) Define a local attribute My-ISP-Realm in etc/raddb/dictionary

2) In the users and/or acct_users file you could have default entries like:

  DEFAULT Calling-Station-Id == isp1, My-ISP-Realm := isp1.com

  DEFAULT Calling-Station-Id == isp2, My-ISP-Realm := isp2.com

3) Define an attr_rewrite module that has a replace string something like:

  replace = [EMAIL PROTECTED]


As I said, un-tried and un-tested and un-guaranteed, but it may be somewhere to 
look if no one else comes up with a solution. I'm sure someone else will come up 
with something better though!

Good luck!

cheers,
Mike



Re: problem with freeeradius, mysql setup

2006-11-14 Thread Alexandru Matei

Thank you, that was it!
Still, I'll be grateful if somebody can point me into right direction 
with some documentation describing what  Attributes -Type -Values are 
more usually used.

That's besides the dictionaries...
One last thought:  I think Freeradius could be improved if in debug mode 
it could say what is the sql result it doesn't like.


Regards,
Alex
Stefan Winter wrote:


mysql> SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'test1' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id;
+----+-----------+------------------+-------+----+
| id | GroupName | Attribute        | Value | op |
+----+-----------+------------------+-------+----+
|  1 | retea     | Simultaneous-Use | 1     | =  |
|  2 | retea     | Auth-Type        | Local | := |
+----+-----------+------------------+-------+----+
2 rows in set (0.01 sec)
   



Simultaneous-Use should have the op :=

 






Re: FreeRadius hanging for 5 secs at 2% of auth requests.

2006-11-14 Thread Alan DeKok
Mircea Harapu [EMAIL PROTECTED] wrote:
 At 2% of auth requests freeradius is hanging for 5 secs , discarding 
 duplicate requests and ignoring other requests.
 In debug mode it hangs at this line :
 
...
 rlm_ldap: bind as cn=user,ou=People,dc=company,dc=ro/x to 
 ldap.company.ro:389   

  Do an strace, or tcpdump to see what it's doing.  My suspicion is
that it's a DNS problem.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius hanging for 5 secs at 2% of auth requests.

2006-11-14 Thread Peter Nixon
On Tue 14 Nov 2006 11:41, Mircea Harapu wrote:
 I have compiled FreeRadius 1.1.3 to work with OpenLDAP 2.2.23 on Fedora
 Core 4 .
 At 2% of auth requests freeradius is hanging for 5 secs , discarding
 duplicate requests and ignoring other requests.
 In debug mode it hangs at this line :

 rlm_ldap: - authenticate
 rlm_ldap: login attempt by user with password x
 rlm_ldap: user DN: cn=user,ou=People,dc=company,dc=ro
 rlm_ldap: (re)connect to ldap.company.ro:389, authentication 1
 rlm_ldap: setting TLS CACert Directory to /var/openldap/cert/
 rlm_ldap: bind as cn=user,ou=People,dc=company,dc=ro/x to
 ldap.company.ro:389   

 after 5 secs it continues and replies without any problem.

DNS Problems? See if it's the same when you just use an IP.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
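
Added example, not part of any post in this thread: one way to check the DNS suspicion raised in the replies above is to time repeated name lookups for the LDAP server and count the slow ones. The function names `uses_dns`, `time_lookups` and `summarize` are made up for this sketch, and the server name is taken from the command line.

```python
"""Time repeated name lookups for an LDAP server and count the slow ones."""
import ipaddress
import socket
import sys
import time


def uses_dns(server):
    """Return False when `server` is a literal IP address (no lookup needed)."""
    try:
        ipaddress.ip_address(server)
        return False
    except ValueError:
        return True


def time_lookups(host, port, attempts, resolver=socket.getaddrinfo,
                 clock=time.monotonic):
    """Resolve host:port `attempts` times; return [(seconds, succeeded), ...].

    `resolver` and `clock` are injectable so the logic can be exercised
    offline with constructed timings.
    """
    samples = []
    for _ in range(attempts):
        start = clock()
        try:
            resolver(host, port, type=socket.SOCK_STREAM)
            ok = True
        except socket.gaierror:
            ok = False
        samples.append((clock() - start, ok))
    return samples


def summarize(samples, slow_threshold=1.0):
    """Count lookups at or above `slow_threshold` seconds, and failed lookups."""
    attempts = len(samples)
    slow = sum(1 for elapsed, _ in samples if elapsed >= slow_threshold)
    failed = sum(1 for _, ok in samples if not ok)
    worst = max((elapsed for elapsed, _ in samples), default=0.0)
    return {
        "attempts": attempts,
        "slow": slow,
        "failed": failed,
        "slow_pct": 100.0 * slow / attempts if attempts else 0.0,
        "worst": worst,
    }


if __name__ == "__main__":
    # Usage: python dns_probe.py <ldap-server> [port] [attempts]
    server = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    attempts = int(sys.argv[3]) if len(sys.argv) > 3 else 500
    if not uses_dns(server):
        print(f"{server} is an IP literal: no name lookup is needed")
        sys.exit(0)
    report = summarize(time_lookups(server, port, attempts))
    print(f"{report['attempts']} lookups, {report['slow']} slow "
          f"({report['slow_pct']:.1f}%), {report['failed']} failed, "
          f"worst {report['worst']:.2f}s")
```

Run it on the RADIUS host itself, since the result depends on that machine's resolver configuration; a local name cache can hide slow lookups, so a clean run does not rule DNS out.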


proxy questions

2006-11-14 Thread Justin Church
I need to be able to proxy accounting requests that arrive with no 
User-Name attribute.  Is that possible?  I haven't been able to make it 
work.  Maybe I could insert a dummy User-Name pre-proxy and remove it 
post-proxy?


Also, I notice that when running in -X mode, the accounting-response is 
not relayed to the original client.  Works fine when not in -X mode. 
Here's a debug of a scenario where an accounting-request was proxied 
correctly; yet, the accounting-response is not relayed to the client by 
the proxy server:


rad_recv: Accounting-Request packet from host 152.2.199.26 port 32823, 
id=155, length=86

User-Name = jcc
NAS-Port = 5060
Sip-Src-IP = 152.2.199.26
Acct-Status-Type = Start
Sip-Transport-Proto = TLS
Acct-Session-Id = accounting-session-1-id
  Processing the preacct section of radiusd.conf
modcall:  entering group preacct for request 4
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in 
request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 5060,,NAS-IP-Address = 
152.2.199.26,Acct-Session-Id = accounting-session-1-id,User-Name = jcc'

rlm_acct_unique: Acct-Unique-Session-ID = 7910d35136b9eb7a.
rlm_realm: No '@' in User-Name = jcc, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Proxying request from user jcc to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy accounting request to realm NULL
modcall: group preacct returns noop for request 4
  Processing the accounting section of radiusd.conf
modcall:  entering group accounting for request 4
radius_xlat: 
'/usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114

radius_xlat:  'Tue Nov 14 12:15:11 2006'
rlm_detail: Freeradius-Proxied-To set to 152.23.129.213
radius_xlat:  '/usr/local/var/log/radius/radutmp'
radius_xlat:  'jcc'
modcall: group accounting returns ok for request 4
Sending Accounting-Request of id 227 to 152.23.129.213 port 1815
User-Name = jcc
NAS-Port = 5060
Sip-Src-IP = 152.2.199.26
Acct-Status-Type = Start
Sip-Transport-Proto = TLS
Acct-Session-Id = accounting-session-1-id
NAS-IP-Address = 152.2.199.26
Proxy-State = 0x313535
--- Walking the entire request list ---
Cleaning up request 4 ID 155 with timestamp 4559f99f
Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Response packet from host 152.23.129.213 port 1815, 
id=227, length=25
No outstanding request was found for proxy reply from home server 
152.23.129.213 port 1815 - ID 227

Nothing to do.  Sleeping until we see a request.

[EMAIL PROTECTED]:/usr/local/etc/raddb# radiusd -v
radiusd: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, 
built on Sep  6 2006 at 16:44:16


Thanks.

-jc


Re: build rpm packages on centOS

2006-11-14 Thread Michael Messner

Patric wrote:
 Michael Messner wrote:
 Patric said:

 Have you tried compiling the source?

 that works!


 if I add the -i in the spec file there is no change ... same error!

 thanks mIke
 
 So it compiles from source? Ok, what is your rpmbuild command?

jep from source it compiles,

16:05:16 Xradius ~/rpmbuild/SPECS [root]rpmbuild -ba freeradius.spec

ca mIke
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: build rpm packages on centOS

2006-11-14 Thread Michael Messner
Patric said:
 Michael Messner wrote:
 Patric said:

 Have you tried compiling the source?

 that works!


 if I add the -i in the spec file there is no change ... same error!

 thanks mIke

 So it compiles from source? Ok, what is your rpmbuild command?

jep from source it compiles,

16:05:16 Xradius ~/rpmbuild/SPECS [root]rpmbuild -ba freeradius.spec

ca mIke


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxy questions

2006-11-14 Thread Alan DeKok
Justin Church [EMAIL PROTECTED] wrote:
 I need to be able to proxy accounting requests that arrive with no 
 User-Name attribute.  Is that possible?  I haven't been able to make it 
 work.  Maybe I could insert a dummy User-Name pre-proxy and remove it 
 post-proxy?

 No.  Just set Proxy-To-Realm = realm.

 Also, I notice that when running in -X mode, the accounting-response is 
 not relayed to the original client.  Works fine when not in -X mode. 

  Weird.

  Hmm... it may be cleaning up the request too aggressively.  I'll
take a look at  it.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


huntgroup issue, multiple huntgroups per device

2006-11-14 Thread Charles Tompkins
Is it possible to have multiple huntgroups for the same NAS-IP-ADDRESS?

I am running into this issue trying to configure a vpn appliance that uses
the same freeRADIUS server to authenticate its users as well as its admins.

The huntgroups file gets checked from top to bottom, so depending which
specified group comes first, the other gets denied access.

i.e.
../raddb/huntgroups

vpn        NAS-IP-Address == 10.20.30.1
           Group = VPNUSERS

vpn-admin  NAS-IP-Address == 10.20.30.1
           User-Name = admin1,
           User-Name = admin2

This config keeps the admins out of the vty but lets the users vpn in.

Debug reveals:
No huntgroup access: [admin1] (from client vpn.foo.com port 6256 cli
10.10.10.10)
  modcall[authorize]: module preprocess returns reject for request 1
modcall: leaving group authorize (returns reject) for request 1

FYI, my users file checks for admins first then falls through to framed
users...

I would like to avoid adding another ip address to the vpn appliance if at
all possible.

Regards from sunny Florida,
-Charles Tompkins
   


Master timed out!  Holding election...
I am declaring myself the master! 





CONFIDENTIAL NOTICE: This email including any attachments, contains 
confidential information belonging to the sender. It may also be 
privileged or otherwise protected by work product immunity or other 
legal rules. This information is intended only for the use of the 
individual or entity named above.  If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, 
distribution or the taking of any action in reliance on the contents 
of this emailed information is strictly prohibited.  If you have 
received this email in error, please immediately notify us by 
reply email of the error and then delete this email immediately.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxy questions

2006-11-14 Thread Justin Church

Alan DeKok wrote:

Justin Church [EMAIL PROTECTED] wrote:
I need to be able to proxy accounting requests that arrive with no 
User-Name attribute.  Is that possible?  I haven't been able to make it 
work.  Maybe I could insert a dummy User-Name pre-proxy and remove it 
post-proxy?


 No.  Just set Proxy-To-Realm = realm.


Not exactly sure where to set this.  I've tried acct_users with no luck:

rad_recv: Accounting-Request packet from host 152.2.199.26 port 32833, 
id=10, length=81

NAS-Port = 5060
Sip-Src-IP = 152.2.199.26
Acct-Status-Type = Start
Sip-Transport-Proto = TLS
Acct-Session-Id = accounting-session-1-id
  Processing the preacct section of radiusd.conf
modcall:  entering group preacct for request 0
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in 
request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute User-Name was not found in request, 
unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 5060,,NAS-IP-Address = 
152.2.199.26,Acct-Session-Id = accounting-session-1-id,'

rlm_acct_unique: Acct-Unique-Session-ID = 2c2e557e174a1b62.
--rlm_realm: Proxy reply, or no User-Name.  Ignoring.
modcall: group preacct returns noop for request 0
  Processing the accounting section of radiusd.conf
modcall:  entering group accounting for request 0
radius_xlat: 
'/usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114

radius_xlat:  'Tue Nov 14 14:30:25 2006'
radius_xlat:  '/usr/local/var/log/radius/radutmp'
radius_xlat:  ''
modcall: group accounting returns ok for request 0
Sending Accounting-Response of id 10 to 152.2.199.26 port 32833
Finished request 0
Going to the next request
--- Walking the entire request list ---
Cleaning up request 0 ID 10 with timestamp 455a1951
Nothing to do.  Sleeping until we see a request.


proxy.conf

realm NULL {
  type      = radius
  accthost  = 152.23.129.213:1815
  secret    = removed
  nostrip
}

acct_users

DEFAULT Proxy-To-Realm = NULL

Thanks.

-jc



Also, I notice that when running in -X mode, the accounting-response is 
not relayed to the original client.  Works fine when not in -X mode. 


  Weird.

  Hmm... it may be cleaning up the request too aggressively.  I'll
take a look at  it.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: huntgroup issue, multiple huntgroups per device

2006-11-14 Thread Charles Tompkins
So sorry!
[EMAIL PROTECTED] ~]# radiusd -v
radiusd: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on
Apr 29 2006 at 19:51:21
Copyright (C) 2000-2003 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.


Master timed out!  Holding election...
I am declaring myself the master! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Charles Tompkins
Sent: Tuesday, November 14, 2006 2:36 PM
To: 'FreeRadius users mailing list'
Subject: huntgroup issue, multiple huntgroups per device

Is it possible to have multiple huntgroups for the same NAS-IP-ADDRESS?

I am running into this issue trying to configure a vpn appliance that uses
the same freeRADIUS server to authenticate its users as well as its admins.

The huntgroups file gets checked from top to bottom, so depending which
specified group comes first, the other gets denied access.

i.e.
../raddb/huntgroups

vpn        NAS-IP-Address == 10.20.30.1
           Group = VPNUSERS

vpn-admin  NAS-IP-Address == 10.20.30.1
           User-Name = admin1,
           User-Name = admin2

This config keeps the admins out of the vty but lets the users vpn in.

Debug reveals:
No huntgroup access: [admin1] (from client vpn.foo.com port 6256 cli
10.10.10.10)
  modcall[authorize]: module preprocess returns reject for request 1
modcall: leaving group authorize (returns reject) for request 1

FYI, my users file checks for admins first then falls through to framed
users...

I would like to avoid adding another ip address to the vpn appliance if at
all possible.

Regards from sunny Florida,
-Charles Tompkins
   


Master timed out!  Holding election...
I am declaring myself the master! 





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxy questions

2006-11-14 Thread Justin Church

Never mind.  I was using the wrong operator.  Needed:

DEFAULT Proxy-To-Realm := NULL

Thanks.

-jc

Justin Church wrote:

Alan DeKok wrote:

Justin Church [EMAIL PROTECTED] wrote:
I need to be able to proxy accounting requests that arrive with no 
User-Name attribute.  Is that possible?  I haven't been able to make 
it work.  Maybe I could insert a dummy User-Name pre-proxy and remove 
it post-proxy?


 No.  Just set Proxy-To-Realm = realm.


Not exactly sure where to set this.  I've tried acct_users with no luck:

rad_recv: Accounting-Request packet from host 152.2.199.26 port 32833, 
id=10, length=81

NAS-Port = 5060
Sip-Src-IP = 152.2.199.26
Acct-Status-Type = Start
Sip-Transport-Proto = TLS
Acct-Session-Id = accounting-session-1-id
  Processing the preacct section of radiusd.conf
modcall:  entering group preacct for request 0
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in 
request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute User-Name was not found in request, 
unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 5060,,NAS-IP-Address = 
152.2.199.26,Acct-Session-Id = accounting-session-1-id,'

rlm_acct_unique: Acct-Unique-Session-ID = 2c2e557e174a1b62.
--rlm_realm: Proxy reply, or no User-Name.  Ignoring.
modcall: group preacct returns noop for request 0
  Processing the accounting section of radiusd.conf
modcall:  entering group accounting for request 0
radius_xlat: 
'/usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114

radius_xlat:  'Tue Nov 14 14:30:25 2006'
radius_xlat:  '/usr/local/var/log/radius/radutmp'
radius_xlat:  ''
modcall: group accounting returns ok for request 0
Sending Accounting-Response of id 10 to 152.2.199.26 port 32833
Finished request 0
Going to the next request
--- Walking the entire request list ---
Cleaning up request 0 ID 10 with timestamp 455a1951
Nothing to do.  Sleeping until we see a request.


proxy.conf

realm NULL {
  type      = radius
  accthost  = 152.23.129.213:1815
  secret    = removed
  nostrip
}

acct_users

DEFAULT Proxy-To-Realm = NULL

Thanks.

-jc



Also, I notice that when running in -X mode, the accounting-response 
is not relayed to the original client.  Works fine when not in -X mode. 


  Weird.

  Hmm... it may be cleaning up the request too aggressively.  I'll
take a look at  it.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxy questions

2006-11-14 Thread Alan DeKok
Justin Church [EMAIL PROTECTED] wrote:
 Not exactly sure where to set this.  I've tried acct_users with no luck:

  The debug log shows that the files module isn't even being called.
So... you edited radiusd.conf to tell it to NOT look at acct_users.

  Don't do that.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: huntgroup issue, multiple huntgroups per device

2006-11-14 Thread Garber, Neal
Is it possible to have multiple huntgroups for the same NAS-IP-ADDRESS?
I am running into this issue trying to configure a vpn appliance that uses
the same freeRADIUS server to authenticate its users as well as its admins.

Yes, but something needs to distinguish the two (another attribute).
Are you saying that your appliance is using radius to authenticate VPN
users as well as to authenticate admins. that are using telnet/ssh/http
to administratively manage the appliance?  If so, check the request
attributes for each type of access.  Then, you can add the attribute
that lets you tell what access type the user is requesting.

For instance, I have an AP that uses FR to authenticate 802.11 users as
well as for local logons to the AP itself.  In my case, the
NAS-Port-Type allows me to discern the difference between the two types
of access.  For 802.11 user access, the AP sends NAS-Port-Type =
Wireless-802.11 and for local logon, the AP sends NAS-Port-Type =
Async or Virtual.  Figure out what's different in the request and
then you can have multiple NAS-IP-Address == 10.20.30.1 entries with
different values in the other attribute.  For example:

vpn        NAS-IP-Address == 10.20.30.1, NAS-Port-Type == XXX
           Group = VPNUSERS

vpn-admin  NAS-IP-Address == 10.20.30.1, NAS-Port-Type == YYY
           User-Name = admin1,
           User-Name = admin2


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
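
The first-match behaviour discussed in this thread, and the effect of adding a second check attribute, as an added example that is not part of any post above: a simplified Python model of how the huntgroups file is evaluated. The group membership, the user names alice and bob, and the NAS-Port-Type values Virtual and Async are constructed stand-ins for whatever the appliance actually sends.

```python
# Simplified model (an assumption, reduced to the behaviour the thread
# describes): entries are scanned top to bottom, the first entry whose
# check line matches the request decides the outcome, and the restriction
# line passes if any one of its items matches.

# Constructed sample data: membership of the VPNUSERS group.
UNIX_GROUPS = {"VPNUSERS": {"alice", "bob"}}


def item_matches(request, attr, value):
    """Compare one attribute/value item against the request."""
    if attr == "Group":
        return request.get("User-Name") in UNIX_GROUPS.get(value, set())
    return request.get(attr) == value


def huntgroup_access(huntgroups, request):
    """Return (decision, huntgroup_name) for a request."""
    for name, check, restrict in huntgroups:
        # Every check item must match for the entry to apply.
        if not all(item_matches(request, a, v) for a, v in check):
            continue
        # The first applicable entry is final; later ones are never consulted.
        if not restrict or any(item_matches(request, a, v) for a, v in restrict):
            return ("ok", name)
        return ("reject", name)
    return ("ok", None)  # no entry applies: this file imposes no restriction


ADMIN_USERS = [("User-Name", "admin1"), ("User-Name", "admin2")]

# The configuration from the question: both entries key on the same address.
AMBIGUOUS = [
    ("vpn", [("NAS-IP-Address", "10.20.30.1")], [("Group", "VPNUSERS")]),
    ("vpn-admin", [("NAS-IP-Address", "10.20.30.1")], ADMIN_USERS),
]

# The suggested fix: a second check attribute separates the two access types.
# "Virtual" and "Async" are constructed placeholders for XXX and YYY.
DISAMBIGUATED = [
    ("vpn",
     [("NAS-IP-Address", "10.20.30.1"), ("NAS-Port-Type", "Virtual")],
     [("Group", "VPNUSERS")]),
    ("vpn-admin",
     [("NAS-IP-Address", "10.20.30.1"), ("NAS-Port-Type", "Async")],
     ADMIN_USERS),
]


def make_request(user, port_type):
    """Build a constructed request as the appliance might send it."""
    return {"User-Name": user, "NAS-IP-Address": "10.20.30.1",
            "NAS-Port-Type": port_type}


if __name__ == "__main__":
    cases = [("alice", "Virtual"), ("admin1", "Async"), ("alice", "Async")]
    for label, table in (("ambiguous", AMBIGUOUS),
                         ("disambiguated", DISAMBIGUATED)):
        for user, port_type in cases:
            result = huntgroup_access(table, make_request(user, port_type))
            print(label, user, port_type, result)
```

In this model a request whose NAS-Port-Type matches neither entry falls through the file unrestricted, so the users file still has to make the final decision for it.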


Configure option for /usr/sbin/radiusd

2006-11-14 Thread Dow, Corey

Hi, 

I'm experiencing a problem with freeradius 1.1.2 when I configure and
compile.  It writes the binaries and configuration files to the correct
directories, but /usr/sbin/radiusd tries to source config files in /usr/etc
instead of /etc/raddb. 

I can change this via /usr/sbin/radiusd -X -d /etc/raddb I know but is there
a way to change the default at configure so it always will look in
/etc/raddb? 

Thanks,
Corey

My configure options are:

./configure --with-edir --localstatedir=/var --sysconfdir=/etc --exec-prefix=/usr
 

Corey Dow
Solution Test Center Engineer
ProCurve Networking
Hewlett-Packard Company
8000 Foothills Blvd.  (MS 5549)
Roseville, CA   95747
Tel : 1-916-785-8003










- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Assigning IPs on a per-NAS basis?

2006-11-14 Thread Jan Mulders

Hello,

Trying to do a very simple task here - create a new check attribute
Pool-Name := servername, depending on what NAS sends the request to
the RADIUS server (identifiable by IP address or by name or whatever
in the request attributes).

What's the best way of doing this?

Thanks,

Jan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius-Users Digest, Vol 19, Issue 38

2006-11-14 Thread Marilene Lima
Hi,

Thanks a lot for the response. But I have two problems. The first is my English: I am Brazilian and I might not write in English very well... ; )

The second and more important problem is this: I configured my freeradius server, and I can authenticate with my LDAP users... but I configured my MySQL server too, and I can't authenticate with the MySQL users... the access is denied... even when the user and password are correct...

I think that the server isn't looking for my users in the MySQL database. Does anyone know how I can test whether freeradius is looking for my users in my MySQL database too?

Thanks a lot,
Marilene
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Configure option for /usr/sbin/radiusd

2006-11-14 Thread A . L . M . Buxey
Hi,

 I'm experiencing a problem with freeradius 1.1.2 when I configure and
 compile.  It writes the binaries and configuration files to the correct
 directories, but /usr/sbin/radiusd tries to source config files in /usr/etc
 instead of /etc/raddb. 
 
 I can change this via /usr/sbin/radiusd -X -d /etc/raddb I know but is there
 a way to change the default at configure so it always will look in
 /etc/raddb? 
 
 Thanks,
 Corey
 
 My configure options are:
 
 ./configure --with-edir --localstatedir=/var --sysconfdir=/etc --exec-prefix=/usr

--with-raddbdir=/etc/raddb

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rewriting usernames

2006-11-14 Thread Kevin Bonner
On Monday 13 November 2006 22:24, Christopher Carver wrote:
 Hello,

 How do I rewrite the value of the User-Name attribute based on
 Called-Station-Id?  I need to do a series of these logical decisions and
 replace the username with username@some-isp.com based on what the value
 of Called-Station-Id is.

 rlm_attr_rewrite seems the obvious choice, but I can't figure out how to
 use various instances of that module only when Called-Station-Id has a
 certain value.

 It seems like a strange thing to need to do, but I've thought about our
 problem and this is really the only scalable way.  I can give a lot of
 background as to why, but I figured I would ask the question first.  So,
 does anyone have any ideas?

 Also, thank you for all the hard work on Freeradius.  Its a great piece of
 software.

 Thanks

 Chris Carver

Not a crazy question at all.  We used a hints file entry like:

DEFAULT Called-Station-Id =~ ^(012)?3456789$
        User-Name := [EMAIL PROTECTED]

After that, it's pretty easy.  Just make sure the some-isp.com realm is in 
proxy.conf and it should act like any other normal request.

Kevin Bonner


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Mysql and usage of radgroupcheck

2006-11-14 Thread Fabiano Martins
Anne,

The only difference between your radgroup table and mine is the priority value. All entries in my radgroup table have 1 as priority.

I really don't know if it makes sense... Try it and check if it will run.

Regards,
Fabiano

On 11/14/06, Anne-Mie Vandermeeren [EMAIL PROTECTED] wrote:

I have set up Freeradius working fine with a users-file. I did some tests
to change to Mysql and all was ok, until I want to add some conditions for
users in more than one group.

This looks like a simple setup for Mysql, but it's not working as I
thought it would:

mysql> select * from usergroup;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| user1    | Group1    |        1 |
| user1    | Group2    |        2 |
+----------+-----------+----------+
2 rows in set (0.00 sec)

mysql> select * from radcheck;
+----+----------+---------------+----+------------+
| id | UserName | Attribute     | op | Value      |
+----+----------+---------------+----+------------+
|  1 | user1    | User-Password | == | paswoordje |
+----+----------+---------------+----+------------+
1 row in set (0.00 sec)

mysql> select * from radreply;
Empty set (0.00 sec)

mysql> select * from radgroupcheck;
+----+-----------+----------------+----+--------------+
| id | GroupName | Attribute      | op | Value        |
+----+-----------+----------------+----+--------------+
|  1 | Group1    | NAS-IP-Address | == | 172.16.224.1 |
|  2 | Group2    | NAS-IP-Address | == | 172.16.224.2 |
+----+-----------+----------------+----+--------------+
2 rows in set (0.01 sec)

mysql> select * from radgroupreply;
+----+-----------+-----------+----+----------+
| id | GroupName | Attribute | op | Value    |
+----+-----------+-----------+----+----------+
|  1 | Group1    | Class     | := | groepje1 |
|  2 | Group2    | Class     | := | groepje2 |
+----+-----------+-----------+----+----------+
2 rows in set (0.00 sec)

I use ntradping to check the setup.
When I use NAS-IP-Address = 172.16.224.1 I get the correct class
(groepje1), but when I use the NAS-IP-Address = 172.16.224.2 I get a
reject and not as I was expecting the class-attribute groepje2.

I can't figure out why this is the case.
The debug output is not helping me, either. Anyone a suggestion on solving
this?

DEBUG output for NAS-IP-Address = 172.16.224.1
--
rad_recv: Access-Request packet from host 157.193.39.138:3674, id=65, length=51
User-Name = user1
User-Password = paswoordje
NAS-IP-Address = 172.16.224.1
Tue Nov 14 16:37:17 2006 : Debug: Processing the authorize section of radiusd.conf
Tue Nov 14 16:37:17 2006 : Debug: modcall: entering group authorize for request 37
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 37
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 37
Tue Nov 14 16:37:17 2006 : Debug: modcall[authorize]: module preprocess returns ok for request 37
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 37
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 37
Tue Nov 14 16:37:17 2006 : Debug: modcall[authorize]: module chap returns noop for request 37
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 37
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 37
Tue Nov 14 16:37:17 2006 : Debug: modcall[authorize]: module mschap returns noop for request 37
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 37
Tue Nov 14 16:37:17 2006 : Debug: rlm_realm: No '@' in User-Name = user1, looking up realm NULL
Tue Nov 14 16:37:17 2006 : Debug: rlm_realm: No such realm NULL
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 37
Tue Nov 14 16:37:17 2006 : Debug: modcall[authorize]: module suffix returns noop for request 37
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 37
Tue Nov 14 16:37:17 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 37
Tue Nov 14 16:37:17 2006 : Debug: modcall[authorize]: module eap returns noop for request 37
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 37
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 37
Tue Nov 14 16:37:17 2006 : Debug: modcall[authorize]: module files returns notfound for request 37
Tue Nov 14 16:37:17 2006 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 37
Tue Nov 14 16:37:17 2006 : Debug: radius_xlat:'user1'
Tue Nov 14 16:37:17 2006 : Debug: rlm_sql (sql): sql_set_user escaped user -- 'user1'
Tue Nov 14 16:37:17 2006 : Debug: radius_xlat:'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username ='user1' ORDER BY id'
Tue Nov 14 16:37:17 2006 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Tue Nov 14 16:37:17 2006 : Debug: rlm_sql_mysql: