Re: Access Accept
Hi @Alexandre,

I add this to my post-auth { } section:

    update reply {
        3GPP2-Prepaid-acct-Capability =%{request:3GPP2-Prepaid-acct-Capability}
        Acct-Multi-Session-Id =%{request:Acct-Multi-Session-Id}
        3GPP2-Session-Termination-Capability =%{request:3GPP2-Session-Termination-Capability}
        3GPP2-Release-Indicator =%{request:3GPP2-Release-Indicator}
    }

From the debug I get:

    }
    Module: Checking session {...} for more modules to load
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
    /etc/raddb/sites-enabled/default[462]: ERROR: Unknown value %{request:3GPP2-Session-Termination-Capability} for attribute 3GPP2-Session-Termination-Capability
    /etc/raddb/sites-enabled/default[456]: Errors parsing post-auth section.

Why am I getting 3GPP2-Session-Termination-Capability as an unknown value (I have this attribute in my dictionaries), as this value (the value of the 3GPP2-Session-Termination-Capability attribute) is sent in the access-request packet?

For 3GPP2-Session-Termination-Capability =%{request:3GPP2-Session-Termination-Capability} I am still getting Acct-Multi-Session-Id = "%{request:Acct-Multi-Session-Id}".

Here is the access-request from Wireshark for a better picture:

    access-request:
    Attribute Value Pairs
        AVP: l=15 t=Acct-Multi-Session-Id(50): 1317016867140        (I need this one in access-accept)
            Acct-Multi-Session-Id: 1317016867140
        AVP: l=41 t=Vendor-Specific(26) v=Cisco(9)
            VSA: l=35 t=Unknown-Attribute(130): 683332332d63616c6c696e672d656e74657270726973652d...
                Unknown-Attribute: 683332332d63616c6c696e672d656e74657270726973652d...
        AVP: l=10 t=Calling-Station-Id(31): 81609000
            Calling-Station-Id: 81609000
        AVP: l=13 t=NAS-Identifier(32): intraswitch
        AVP: l=6 t=NAS-IP-Address(4): xxx.xxx.xxx.xxx
        AVP: l=14 t=Vendor-Specific(26) v=3GPP2(5535)        (I need this one in access-accept)
            VSA: l=8 t=3GPP2-Prepaid-acct-Capability(91): 01060002
                3GPP2-Prepaid-acct-Capability: 01060002
        AVP: l=12 t=Vendor-Specific(26) v=3GPP2(5535)        (I need this one in access-accept)
            VSA: l=6 t=3GPP2-Session-Termination-Capability(88): 1
                3GPP2-Session-Termination-Capability: 1
        AVP: l=34 t=Vendor-Specific(26) v=Cisco(9)
            VSA: l=28 t=h323-conf-id(24): h323-conf-id=1317016867140
                h323-conf-id: h323-conf-id=1317016867140
        AVP: l=6 t=Vendor-Specific(26) v=Cisco(9)
        AVP: l=6 t=Event-Timestamp(55): Sep 26, 2011 08:01:07.0 Central Europe Daylight Time
        AVP: l=11 t=User-Name(1): 081609000
        AVP: l=18 t=User-Password(2): Encrypted

Thank you!

BR, Miha

On 9/24/2011 2:43 PM, Alexandre Chapellon wrote:
> On 23/09/2011 22:01, Miha wrote:
>> Hi @Alexandre, here is a copy from my default file:
>>
>>     post-auth {
>>         # Get an address from the IP Pool.
>>         # main_pool
>>         update reply {
>>             3GPP2-Prepaid-acct-Capability = %{request:3GPP2-Prepaid-acct-Capability}
>>         }
>>         update reply {
>>             Acct-Multi-Session-Id = %{request:Acct-Multi-Session-Id}
>>         }
>
> IIRC I use double quoted variables in my config. Anyway, this is odd: it happens for the second attribute and not the first one.
>
>> I have also tried this way, but still the same:
>>
>>     update reply {
>>         3GPP2-Prepaid-acct-Capability = %{request:3GPP2-Prepaid-acct-Capability}
>>         Acct-Multi-Session-Id = %{request:Acct-Multi-Session-Id}
>>     }
>
> This sounds better. I do not see any problem with quotes.
>
>> Thank you!
>> Br, Miha
>
> --
> Alexandre Chapellon
> Open-source systems and networks engineering.
> Follow me on twitter: @alxgomz

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Access Accept
@Alexandre, I have one more question.

I am looking at this post-auth { } section. I can see that the values are not added to attributes in the access-accept. For example:

    Module: Checking post-auth {...} for more modules to load
    /etc/raddb/sites-enabled/default[460]: ERROR: Failed to find IP address for %{request:NAS-IP-Address}
    /etc/raddb/sites-enabled/default[456]: Errors parsing post-auth section.

If I look in the access-request section (I have commented out %{request:NAS-IP-Address}):

    Ready to process requests.
    rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 40239, id=140, length=206
        Acct-Multi-Session-Id = "1317025759333"
        Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258
        Calling-Station-Id = "81609000"
        NAS-Identifier = "intraswitch"
        NAS-IP-Address = xxx.xxx.xxx.xxx
        3GPP2-Prepaid-acct-Capability = 0x01060002
        3GPP2-Session-Termination-Capability = 1
        h323-conf-id = "h323-conf-id=1317025759333"
        Vendor-Specific = 0x0009
        Event-Timestamp = "Sep 26 2011 10:29:19 CEST"
        User-Name = "081609000"
        User-Password = "1122"

I can see that the IP from the NAS is sent. If I have this line written (NAS-IP-Address = %{request:NAS-IP-Address}) the radius will not start. Should this be added to any other section than post-auth {...}?

BR, Miha
Re: Access Accept
Miha Zoubek wrote:
> I add this to my post-auth { } section:
>
>     update reply {
>         3GPP2-Prepaid-acct-Capability =%{request:3GPP2-Prepaid-acct-Capability}
>         Acct-Multi-Session-Id =%{request:Acct-Multi-Session-Id}
>         3GPP2-Session-Termination-Capability =%{request:3GPP2-Session-Termination-Capability}
>         3GPP2-Release-Indicator =%{request:3GPP2-Release-Indicator}

Put quotes around the values, as suggested in another email, and in the unlang documentation.

    3GPP2-Release-Indicator = "%{3GPP2-Release-Indicator}"

And you don't need the request portion. The documentation says the request list is used by default.

Alan DeKok.
Freeradius CISCO ISG
Hi,

Can anyone please point me to how I can configure freeradius to support CISCO ISG?

Best Regards,
Lily
Re: Access Accept
Hi, thank you for all your help!! Now it works perfectly!!

Br, Miha
Permissions on Requests Log
Hi.

Is there any way to set the permissions on the requests log file? I see how to do it on the log files defined in modules/detail and detail.log.

Thanks,
John

John Souvestre - Integrated Data Systems - (504) 355-0609
explain home_server vs virtual_server
Hello,

Could someone explain the difference between a home_server and a virtual_server in freeradius 2 (2.1.10+)?

Best regards
Fred
Re: explain home_server vs virtual_server
Fred wrote:
> Hello,
> Could someone explain the difference between a home_server and a virtual_server in freeradius 2 (2.1.10+)?

raddb/sites-available/README

Alan DeKok.
EAP authentication accept, user not found
Hi all,

I'm wondering if my freeradius is acting correctly against the request below. This Mikrotik CPE is authenticating by an EAP certificate and a username with password is requested. The problem is that the CPE is authenticated with every username that doesn't exist in radcheck. Why does FR authenticate even with a nonexistent username?

    rad_recv: Access-Request packet from host 10.25.66.8 port 56485, id=162, length=175
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = test155
        State = 0x06c5601b03c36da7f69234e83e184b70
        NAS-Port-Id = wlan2
        Calling-Station-Id = 00-0C-42-B3-D1-F5
        Called-Station-Id = 00-80-48-60-66-D9:WiNET-TR5G506106
        EAP-Message = 0x020600060d00
        Message-Authenticator = 0xd549039a41edfd3e25ff22bdb1f16d60
        NAS-Identifier = ced-wl3
        NAS-IP-Address = 10.25.66.8
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926
    [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926
    [auth_log] expand: %t -> Mon Sep 26 16:35:21 2011
    ++[auth_log] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = test155, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] EAP packet type response id 6 length 6
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files] returns noop
    [sql] expand: %{User-Name} -> test155
    [sql] sql_set_user escaped user --> 'test155'
    rlm_sql (sql): Reserving sql socket id: 19
    [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'test155' ORDER BY id
    rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'test155' ORDER BY id
    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: query affected rows = 0 , fields = 5
    [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='test155' ORDER BY priority
    rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE UserName='test155' ORDER BY priority
    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: query affected rows = 0 , fields = 1
    rlm_sql (sql): Released sql socket id: 19
    [sql] User test155 not found
    ++[sql] returns notfound
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns noop
    Found Auth-Type = EAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/tls
    [eap] processing type tls
    [tls] Authenticate
    [tls] processing EAP-TLS
    [tls] Received TLS ACK
    [tls] ACK handshake is finished
    [tls] eaptls_verify returned 3
    [tls] eaptls_process returned 3
    [tls] Adding user data to cached session
    [eap] Freeing handler
    ++[eap] returns ok
    Login OK: [test155] (from client ced-wl3 port 0 cli 00-0C-42-B3-D1-F5)
    # Executing section post-auth from file /etc/freeradius/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 162 to 10.25.66.8 port 56485
        MS-MPPE-Recv-Key = 0xd020f7a2efbb05c6fb255fe6665a12f09f354bdaa6d01b3d5d2c0786b07ca440
        MS-MPPE-Send-Key = 0xa77aaf208423b318ff7f482401d4468af3f9248cbdb611857a5f356bea7725ca
        EAP-Message = 0x03060004
        Message-Authenticator = 0x
        User-Name = test155
    Finished request 69.
Re: EAP authentication accept, user not found
> Why does FR authenticate even with a nonexistent username?

I don't know... Why don't you send the full debug log (you know, the bit where the certificates are actually being checked) instead of the last round, where EAP is just inserting the cached response.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: EAP authentication accept, user not found
http://freeradius.1045715.n5.nabble.com/file/n4841780/putty4.log putty4.log

In the attached file is the complete log; I didn't notice before that the process was so long..
Re: EAP authentication accept, user not found
On 26 Sep 2011, at 17:27, andreapepa wrote:
> http://freeradius.1045715.n5.nabble.com/file/n4841780/putty4.log putty4.log
> In the attached file is the complete log; I didn't notice before that the process was so long..

A notfound return code in the authorize section means continue with a priority of 1. The EAP module runs after the SQL module and returns handled. A handled return code in the authorize section means return, and so the notfound return code is never processed.

If you want the server to stop processing the request if the user isn't found in the SQL database, rewrite the notfound return code to reject:

    sql {
        notfound = reject
    }

Unfortunately there's no way to signal the EAP module to send an EAP fail, so you have to do it manually...

Add the following to policy.conf:

    policy {
        eap_failure {
            if (EAP-Message =~ /^..([0-9a-f]{2})/i) {
                update reply {
                    EAP-Message := 0x04%{1}0004
                }
            }
        }
        ...
    }

Then add a call in post-auth:

    post-auth {
        Post-Auth-Type REJECT {
            eap_failure
        }
    }

That rewrites the EAP message returned with the reject to be a 'fail' with the correct ID field value. Extremely hacky, but it works, and is the only way to do it currently...

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
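As an added example, not code from this thread or from FreeRADIUS, here is the EAP Failure construction that the eap_failure policy above performs, done in Python on the EAP-Message values from the debug output earlier in this thread (request 0x020600060d00, Accept 0x03060004); the function and constant names are mine, and the consistency check at the end is the kind of test you would run on captured replies to confirm the rewrite produced a well-formed Failure.

```python
import struct

# EAP codes (RFC 3748, section 4). The header is Code (1 byte),
# Identifier (1 byte), Length (2 bytes, big-endian), then Data.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4

# Values taken from the debug output earlier in this thread:
# the peer's EAP-Message (Response, Identifier 6, Length 6, Type 13 = EAP-TLS)
# and the EAP-Message FreeRADIUS put in the Access-Accept (Success, Identifier 6).
REQUEST_EAP_MESSAGE = bytes.fromhex("020600060d00")
ACCEPT_EAP_MESSAGE = bytes.fromhex("03060004")


def parse_eap_header(packet: bytes):
    """Return (code, identifier, length, data) for an EAP packet, validating the header."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length {length} disagrees with packet size {len(packet)}")
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError(f"unknown EAP code {code}")
    return code, identifier, length, packet[4:]


def build_eap_failure(request_packet: bytes) -> bytes:
    """EAP Failure answering a peer Response: Code 4, the peer's Identifier, Length 4, no data.

    This is the 0x04 <id> 0004 shape the eap_failure policy writes into the reply.
    """
    code, identifier, _, _ = parse_eap_header(request_packet)
    if code != EAP_RESPONSE:
        raise ValueError("a Failure answers a peer Response; the last packet was not one")
    return struct.pack("!BBH", EAP_FAILURE, identifier, 4)


def freeradius_octets(packet: bytes) -> str:
    """Render bytes the way the FreeRADIUS debug output prints an octets attribute."""
    return "0x" + packet.hex()


def failure_from_printed(printed: str) -> str:
    """Same operation on the printed form: '0x020600060d00' -> '0x04060004'.

    The Identifier is the second byte of the packet, i.e. hex characters 2 and 3
    of the payload after the '0x' prefix; that byte is what %{1} must carry.
    """
    if not printed.lower().startswith("0x"):
        raise ValueError("expected the 0x-prefixed form FreeRADIUS prints")
    return freeradius_octets(build_eap_failure(bytes.fromhex(printed[2:])))


def reply_consistent(request_packet: bytes, reply_packet: bytes) -> bool:
    """True when a Success/Failure reply is well-formed and answers this Response.

    Checks the three things a NAS will look at: code 3 or 4, the Identifier
    matching the peer's last Response, and Length exactly 4 with no trailing data.
    """
    req_code, req_id, _, _ = parse_eap_header(request_packet)
    rep_code, rep_id, rep_len, rep_data = parse_eap_header(reply_packet)
    return (req_code == EAP_RESPONSE
            and rep_code in (EAP_SUCCESS, EAP_FAILURE)
            and rep_id == req_id
            and rep_len == 4
            and rep_data == b"")


if __name__ == "__main__":
    failure = build_eap_failure(REQUEST_EAP_MESSAGE)
    print("request :", freeradius_octets(REQUEST_EAP_MESSAGE))
    print("failure :", freeradius_octets(failure))
    print("accept from the log is consistent:",
          reply_consistent(REQUEST_EAP_MESSAGE, ACCEPT_EAP_MESSAGE))
```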
Re: EAP authentication accept, user not found
Hi Arran,

Thank you, that works great!
Re: rlm_sql not checking radgroupreply
> I have the read_groups setting set to yes in sql.conf and the debug log would make it appear that it's reading it in correctly. The mac is found in radcheck and any attributes in radreply are correctly returned, but rlm_sql never checks for any group memberships at all. I've done a trace on the sql server and it confirms what I see in the debug log from radius - it just never checks. Thoughts?

Weird... Have you tried setting Fall-Through := yes in radcheck... In theory you shouldn't need to, but just to see if it works.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: Re: rlm_sql not checking radgroupreply
Arran,

Yea - I did give that a try. I'm not sure if Fall-Through appears in the reply list at the end of the transaction like the other attributes do, but it didn't show up, nor did the group attributes show up.

JD
Re: Re: rlm_sql not checking radgroupreply
Hi John,

Your sql configuration lacks a group_membership_query. Without this one, group checking is disabled silently during start up.

Hope this helps!

Angelo
Re: Re: rlm_sql not checking radgroupreply
Angelo - that was it!! Thanks so much.

Just a note to the maintainers: I used the dialup.conf from the 2.1.10 source. The debian packages don't have a dialup.conf for mssql, so I used the 2.1.10 source mssql directory and created a logical link for iodbc. It was, evidently, fixed in 2.1.11 as the one from that version has the query.

Thanks all!!

JD
Re: Re: rlm_sql not checking radgroupreply
A month ago, I had to read the source code to understand why the group membership was disabled in my configuration! I'm using odbc also with mssql!

How have you resolved the unix_timestamp issue? I had to rewrite queries converting the unix_timestamp to something like CONVERT(datetime, '%S', 20) to accommodate my db.

Angelo
Re: Re: rlm_sql not checking radgroupreply
Honestly Angelo, I haven't gotten that far yet, was just trying to get auth working. Logging and accounting are still on the to-do list. If I figure out something I'll let you know!

JD
JD Re: rlm_sql not checking radgroupreply To: FreeRadius users mailing list freeradius-users@lists.freeradius.org ( mailto:freeradius-users%40lists.freeradius.org ) Subject: Re: rlm_sql not checking radgroupreply From: Arran Cudbard-Bell a.cudba...@freeradius.org ( mailto:a.cudbardb%40freeradius.org ) Date: Mon, 26 Sep 2011 18:50:32 +0200 In-reply-to: ( mailto:4E806228.97D9.0098.1%40wsc.edu )4e806228.97d9.009...@wsc.edu ( http://lists.freeradius.org/pipermail/freeradius-users/2011-September/msg00530.html ) References: ( mailto:4E806228.97D9.0098.1%40wsc.edu )4e806228.97d9.009...@wsc.edu ( http://lists.freeradius.org/pipermail/freeradius-users/2011-September/msg00530.html ) Reply-to: FreeRadius users mailing list freeradius-users@lists.freeradius.org ( mailto:freeradius-users%40lists.freeradius.org ) I have the read_groups setting set to yes in sql.conf and the debug log would make it appear that it's reading it in correctly. The mac is found in radcheck and any attributes in radreply are correctly returned, but rlm_sql never checks for any group memberships at all. I've done a trace on the sql server and it confirms what I see in the debug log from radius - it just never checks. Thoughts? Weird... Have you tried setting Fall-Through := yes in radcheck... In theory you shouldn't need to, but just to see if it works. -Arran Arran Cudbard-Bell a.cudba...@freeradius.org Betelwiki, Betelwiki, Betelwikihttp://wiki.freeradius.org/ ! 
Post-auth and Rejected logins
Hi,

Hope the following makes sense.

I have a perl module that runs in post-auth. It checks various things that confirm whether the user may have access and, if not, would turn an Accept into a Reject.

I want this perl module to run whether the authentication previously failed or not. I'm using the documented method of the following:

post-auth {
    my_perl
    Post-Auth-Type REJECT {
        my_perl
    }
}

The problem comes in here.

If authentication failed, the module runs once only (in the Post-Auth-Type REJECT stanza).

If authentication was OK, and my perl module also OK's the request, it runs once only (in the non Post-Auth-Type REJECT stanza).

But if the authentication was OK, and my perl module then decides to reject the authentication (by returning RLM_MODULE_REJECT), the perl module runs twice.

I've tried swapping around the post-auth section as follows:

post-auth {
    Post-Auth-Type REJECT {
        my_perl
    }
    my_perl
}

The REJECT stanza is still executed if the non-REJECT stanza turns the accept into a reject.

The only solution I can come up with is to set a Tmp-String, and using unlang try to force the perl to not run again.

Does anyone know of a more elegant way?

Thanks!

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271 Fax: (021) 886-7782
Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html
Re: Post-auth and Rejected logins
Johan Meiring wrote:
> If the authentication was OK, and my perl module then decides to reject the authentication (by returning RLM_MODULE_REJECT),

Don't do that. The post-auth section is for running modules AFTER the user has been accepted or rejected. It doesn't make much sense to accept the user, and then reject them.

Instead, reject the user earlier in the packet processing.

Alan DeKok.
Re: Post-auth and Rejected logins
On 2011/09/26 11:38 PM, Alan DeKok wrote:
> Johan Meiring wrote:
>> If the authentication was OK, and my perl module then decides to reject the authentication (by returning RLM_MODULE_REJECT),
>
> Don't do that. The post-auth section is for running modules AFTER the user has been accepted or rejected. It doesn't make much sense to accept the user, and then reject them.
>
> Instead, reject the user earlier in the packet processing.

Hi Alan,

What you say makes sense.

My perl code used to run in the Authorisation section. The reason I moved it down (to post auth), is because some of my queries are very database intensive (complex system).

i.e. What I had was:

1) Authorisation (using rlm_perl): Check various stuff. If OK so far, create Cleartext-Password, else reject.
2) Authentication, PAP/CHAP/whatever.

What I tried to avoid was that the "check various stuff" runs if the user supplied the wrong password. I therefore modified the setup as follows:

1) Authorisation - Create Cleartext-Password (using rlm_mysql)
2) Authentication - PAP/CHAP/whatever
3) Post-Auth - Check the various stuff and reject (using rlm_perl)

This saves a lot of unnecessary (database) CPU cycles.

Using a Tmp-String works. My post-auth now looks as follows:

post-auth {
    my_perl
    Post-Auth-Type REJECT {
        if (%{reply:Tmp-String-0} != DONTRUNAGAIN) {
            my_perl
        }
    }
}

The perl post-auth subroutine simply contains the following:

$RAD_REPLY{'Tmp-String-0'} = 'DONTRUNAGAIN';

This works as expected. I was just hoping for a more elegant solution.

Thanks again!!

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271 Fax: (021) 886-7782
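As an added example (not Johan's module and not FreeRADIUS code), the same DONTRUNAGAIN marker applied inside the rlm_perl post_auth subroutine: the guard lives in the module, so the second entry from the Post-Auth-Type REJECT stanza returns immediately and the expensive checks run once. The return-code values are those of rlm_perl's example.pl; user_still_allowed and its %access_withdrawn table are hypothetical stand-ins for the database lookups.

```perl
use strict;
use warnings;

# Return codes as defined in FreeRADIUS's rlm_perl example.pl
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_OK      => 2,
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};

# Hashes rlm_perl fills before each call and reads back afterwards
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Constructed stand-in for the "check various stuff" database queries:
# a hypothetical table of users whose access has been withdrawn.
my %access_withdrawn = (
    'suspended@example.com' => 1,
);

sub user_still_allowed {
    my ($username) = @_;
    return 0 unless defined $username;
    return !$access_withdrawn{$username};
}

# post_auth is entered once from the top of post-auth and, when it returns
# REJECT, a second time from the Post-Auth-Type REJECT stanza.  The marker
# set in the reply list on the first pass is still there on the second, so
# the module itself refuses to repeat the checks.
sub post_auth {
    if (defined $RAD_REPLY{'Tmp-String-0'}
        && $RAD_REPLY{'Tmp-String-0'} eq 'DONTRUNAGAIN') {
        return RLM_MODULE_NOOP;
    }
    $RAD_REPLY{'Tmp-String-0'} = 'DONTRUNAGAIN';

    unless (user_still_allowed($RAD_REQUEST{'User-Name'})) {
        $RAD_REPLY{'Reply-Message'} = 'Access withdrawn';
        return RLM_MODULE_REJECT;
    }
    return RLM_MODULE_UPDATED;
}

1;
```

With the guard inside the module, post-auth can list my_perl both at the top and inside Post-Auth-Type REJECT without the unlang condition.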