Re: Access Accept

2011-09-26 Thread Miha Zoubek

Hi @Alexandre,

I added this to my post-auth { } section:

update reply {
    3GPP2-Prepaid-acct-Capability = %{request:3GPP2-Prepaid-acct-Capability}
    Acct-Multi-Session-Id = %{request:Acct-Multi-Session-Id}
    3GPP2-Session-Termination-Capability = %{request:3GPP2-Session-Termination-Capability}
    3GPP2-Release-Indicator = %{request:3GPP2-Release-Indicator}
}

From the debug I get:


}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
/etc/raddb/sites-enabled/default[462]: ERROR: Unknown value
%{request:3GPP2-Session-Termination-Capability} for attribute
3GPP2-Session-Termination-Capability
/etc/raddb/sites-enabled/default[456]: Errors parsing post-auth
section.

Why am I getting 3GPP2-Session-Termination-Capability as an unknown
value (I have this attribute in my dictionaries), as this value
(the value of the 3GPP2-Session-Termination-Capability attribute) is sent in
the Access-Request packet?

For  3GPP2-Session-Termination-Capability
=%{request:3GPP2-Session-Termination-Capability} I am still getting
Acct-Multi-Session-Id = "%{request:Acct-Multi-Session-Id}".

Here is the Access-Request from Wireshark for a better picture:

access-request:

Attribute Value Pairs
    AVP: l=15 t=Acct-Multi-Session-Id(50): 1317016867140   (I need this one in access-accept)
        Acct-Multi-Session-Id: 1317016867140
    AVP: l=41 t=Vendor-Specific(26) v=Cisco(9)
        VSA: l=35 t=Unknown-Attribute(130): 683332332d63616c6c696e672d656e74657270726973652d...
            Unknown-Attribute: 683332332d63616c6c696e672d656e74657270726973652d...
    AVP: l=10 t=Calling-Station-Id(31): 81609000
        Calling-Station-Id: 81609000
    AVP: l=13 t=NAS-Identifier(32): intraswitch
    AVP: l=6 t=NAS-IP-Address(4): xxx.xxx.xxx.xxx
    AVP: l=14 t=Vendor-Specific(26) v=3GPP2(5535)   (I need this one in access-accept)
        VSA: l=8 t=3GPP2-Prepaid-acct-Capability(91): 01060002
            3GPP2-Prepaid-acct-Capability: 01060002
    AVP: l=12 t=Vendor-Specific(26) v=3GPP2(5535)   (I need this one in access-accept)
        VSA: l=6 t=3GPP2-Session-Termination-Capability(88): 1
            3GPP2-Session-Termination-Capability: 1
    AVP: l=34 t=Vendor-Specific(26) v=Cisco(9)
        VSA: l=28 t=h323-conf-id(24): h323-conf-id=1317016867140
            h323-conf-id: h323-conf-id=1317016867140
    AVP: l=6 t=Vendor-Specific(26) v=Cisco(9)
    AVP: l=6 t=Event-Timestamp(55): Sep 26, 2011 08:01:07.0 Central Europe Daylight Time
    AVP: l=11 t=User-Name(1): 081609000
    AVP: l=18 t=User-Password(2): Encrypted



Thank you!

BR,
Miha

On 9/24/2011 2:43 PM, Alexandre Chapellon wrote:

On 23/09/2011 22:01, Miha wrote:

Hi @Alexandre,

here is a copy from my default file:

post-auth {
    #  Get an address from the IP Pool.
    #   main_pool
    update reply {
        3GPP2-Prepaid-acct-Capability = %{request:3GPP2-Prepaid-acct-Capability}
    }

    update reply {
        Acct-Multi-Session-Id = %{request:Acct-Multi-Session-Id}
    }

  
IIRC I use double-quoted variables in my config. Anyway, it is odd that it
happens for the second attribute and not the first one.

  
  
I have also tried this way, but still the same:

update reply {
    3GPP2-Prepaid-acct-Capability = %{request:3GPP2-Prepaid-acct-Capability}
    Acct-Multi-Session-Id = %{request:Acct-Multi-Session-Id}
}

  
  This sounds better.
  
I do not see any problem with quotes.

Thank you!

Br,
Miha


--
View this message in context: http://freeradius.1045715.n5.nabble.com/Access-Accept-tp4832711p4834972.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

  
  
-- 
Alexandre Chapellon
Open source systems and network engineering.
Follow me on twitter: @alxgomz


Re: Access Accept

2011-09-26 Thread Miha Zoubek

  
  
@Alexandre,

I have one more question.

I am looking at this post-auth { } section.
I can see that the values are not added to the attributes in the
Access-Accept. For example:

Module: Checking post-auth {...} for more modules to load
/etc/raddb/sites-enabled/default[460]: ERROR: Failed to find IP
address for %{request:NAS-IP-Address}
/etc/raddb/sites-enabled/default[456]: Errors parsing post-auth
section.

If I look at the Access-Request section (I have commented out
%{request:NAS-IP-Address}):

Ready to process requests.
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port
40239, id=140, length=206
 Acct-Multi-Session-Id = "1317025759333"
 Cisco-Attr-130 =
0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258
 Calling-Station-Id = "81609000"
 NAS-Identifier = "intraswitch"
 NAS-IP-Address = xxx.xxx.xxx.xxx
 3GPP2-Prepaid-acct-Capability = 0x01060002
 3GPP2-Session-Termination-Capability = 1
 h323-conf-id = "h323-conf-id=1317025759333"
 Vendor-Specific = 0x0009
 Event-Timestamp = "Sep 26 2011 10:29:19 CEST"
 User-Name = "081609000"
 User-Password = "1122"

I can see that the IP from the NAS is sent. If I have this line written
(NAS-IP-Address = %{request:NAS-IP-Address}), radius will not
start.
Should this be added to any other section than post-auth {...}?
BR,
Miha



Re: Access Accept

2011-09-26 Thread Alan DeKok
Miha Zoubek wrote:
 I add this to my post-auth { } section:
 
 update reply {
 3GPP2-Prepaid-acct-Capability
 =%{request:3GPP2-Prepaid-acct-Capability}
 Acct-Multi-Session-Id =%{request:Acct-Multi-Session-Id}
 3GPP2-Session-Termination-Capability
 =%{request:3GPP2-Session-Termination-Capability}
 3GPP2-Release-Indicator =%{request:3GPP2-Release-Indicator}

  Put quotes around the values, as suggested in another email, and in
the unlang documentation.

3GPP2-Release-Indicator = "%{3GPP2-Release-Indicator}"

  And you don't need the request portion.  The documentation says the
request list is used by default.

  Alan DeKok.


Freeradius CISCO ISG

2011-09-26 Thread Student University
Hi,

Can anyone please point me to how I can configure freeradius to support
Cisco ISG?

Best regards,
Lily


Re: Access Accept

2011-09-26 Thread Miha Zoubek

Hi,

thank you for all your help!!

Now it works perfectly!!

Br,
Miha



Permissions on Requests Log

2011-09-26 Thread John Souvestre
Hi.

Is there any way to set the permissions on the requests log file?  I see how
to do it on the log files defined in modules/detail and detail.log.

Thanks,

John

John Souvestre - Integrated Data Systems - (504) 355-0609


explain home_server vs virtual_server

2011-09-26 Thread Fred
Hello,
Could someone explain the difference between a home_server and a virtual_server
in freeradius 2 (2.1.10+)?

Best regards
Fred


Re: explain home_server vs virtual_server

2011-09-26 Thread Alan DeKok
Fred wrote:
 Hello,
 Could someone explain difference between a home_server and a
 virtual_server in freeradius 2 (2.1.10+) ?

  raddb/sites-available/README

  Alan DeKok.


EAP authentication accept, user not found

2011-09-26 Thread andreapepa
Hi all,

I'm wondering if my freeradius is acting correctly on the request
below:
This Mikrotik CPE is authenticating with an EAP certificate, and a username
with password is requested.
The problem is that the CPE is authenticated with every username that
doesn't exist in radcheck.

Why does FR authenticate even with a nonexistent username?


rad_recv: Access-Request packet from host 10.25.66.8 port 56485, id=162,
length=175
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = test155
State = 0x06c5601b03c36da7f69234e83e184b70
NAS-Port-Id = wlan2
Calling-Station-Id = 00-0C-42-B3-D1-F5
Called-Station-Id = 00-80-48-60-66-D9:WiNET-TR5G506106
EAP-Message = 0x020600060d00
Message-Authenticator = 0xd549039a41edfd3e25ff22bdb1f16d60
NAS-Identifier = ced-wl3
NAS-IP-Address = 10.25.66.8
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926
[auth_log]  expand: %t - Mon Sep 26 16:35:21 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test155, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{User-Name} - test155
[sql] sql_set_user escaped user -- 'test155'
rlm_sql (sql): Reserving sql socket id: 19
[sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM radcheck  
WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT id, UserName,
Attribute, Value, Op   FROM radcheck   WHERE Username = 'test155'   ORDER BY
id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op   FROM
radcheck   WHERE Username = 'test155'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql]   expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM
radusergroup WHERE UserName='test155' ORDER BY priority
rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE
UserName='test155' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 19
[sql] User test155 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
Login OK: [test155] (from client ced-wl3 port 0 cli 00-0C-42-B3-D1-F5)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 162 to 10.25.66.8 port 56485
MS-MPPE-Recv-Key =
0xd020f7a2efbb05c6fb255fe6665a12f09f354bdaa6d01b3d5d2c0786b07ca440
MS-MPPE-Send-Key =
0xa77aaf208423b318ff7f482401d4468af3f9248cbdb611857a5f356bea7725ca
EAP-Message = 0x03060004
Message-Authenticator = 0x
User-Name = test155
Finished request 69.




Re: EAP authentication accept, user not found

2011-09-26 Thread Arran Cudbard-Bell

 why FR authenticate even with nonexistent username?

I don't know... Why don't you send the full debug log (you know, the bit where 
the certificates are actually being checked) instead of the last round, where 
EAP is just inserting the cached response.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: EAP authentication accept, user not found

2011-09-26 Thread andreapepa
http://freeradius.1045715.n5.nabble.com/file/n4841780/putty4.log putty4.log

The attached file has the complete log; I didn't notice before that the
process was so long..


Re: EAP authentication accept, user not found

2011-09-26 Thread Arran Cudbard-Bell

On 26 Sep 2011, at 17:27, andreapepa wrote:

 http://freeradius.1045715.n5.nabble.com/file/n4841780/putty4.log putty4.log 
 
 In the attached file the complete log, didn't noticed before that the
 process was so long..

A notfound return code in the authorize section means continue with a priority 
of 1.

The EAP module runs after the SQL module and returns handled. A handled return 
code in the authorize section means return and so the notfound return code is 
never processed.

If you want the server to stop processing the request if the user isn't found 
in the SQL database, rewrite the notfound return code to reject.

sql {
    notfound = reject
}

Unfortunately there's no way to signal the EAP module to send an EAP fail, so 
you have to do it manually...

Add the following to policy.conf

policy {
    eap_failure {
        if (EAP-Message =~ /^..([0-9a-f]{2})/i) {
            update reply {
                EAP-Message := 0x04%{1}0004
            }
        }
    }
    ...
}

Then add a call in

post-auth {
    post-auth-type REJECT {
        eap_failure
    }
}

That rewrites the EAP message returned with the reject to be a 'fail' with the 
correct ID field value. Extremely hacky, but it works, and is the only way to 
do it currently...

-Arran


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


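The Identifier rule behind that policy, as an added example that is not part of the thread and not FreeRADIUS code: the Python below parses an EAP-Message value in the form the debug output prints it (the CPE's final TLS ACK 0x020600060d00 and the server's EAP-Success 0x03060004 are the values from the log above), builds the EAP-Failure that an Access-Reject should carry, and checks what a peer checks, namely that the Failure's Identifier equals the Identifier of the Response it answers. That match is what the policy's captured %{1} is for; a fixed or wrong Identifier is why a hand-built Failure can be silently ignored. The function and class names are my own.

```python
# Added example (not from the thread or from FreeRADIUS). RFC 3748 section 4:
# every EAP packet starts with Code (1 byte), Identifier (1), Length (2);
# Request/Response add a Type byte, Success/Failure carry nothing else and
# have Length 4. A Success/Failure must reuse the Identifier of the last
# Response, which is what the eap_failure policy above copies via %{1}.
from dataclasses import dataclass
from typing import Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPE_NAMES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure (no Type field)
    type_data: bytes


def _from_hex(value: str) -> bytes:
    """Accept the FreeRADIUS debug form '0x0206...' or bare hex."""
    if value.lower().startswith("0x"):
        value = value[2:]
    return bytes.fromhex(value)


def parse_eap(value: str) -> EapPacket:
    """Parse one EAP packet as carried in an EAP-Message attribute."""
    raw = _from_hex(value)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} bytes")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:
            raise ValueError("Success/Failure must have Length 4")
        return EapPacket(code, identifier, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    return EapPacket(code, identifier, length, raw[4], raw[5:])


def build_eap_failure(request_eap_message: str) -> str:
    """EAP-Message value for the Access-Reject: Code 4, the Identifier copied
    from the peer's Response, Length 4. Returned in the 0x... debug form."""
    pkt = parse_eap(request_eap_message)
    if pkt.code != EAP_RESPONSE:
        raise ValueError("EAP-Failure must answer a Response")
    failure = bytes([EAP_FAILURE, pkt.identifier]) + (4).to_bytes(2, "big")
    return "0x" + failure.hex()


def failure_matches(request_eap_message: str, reply_eap_message: str) -> bool:
    """What the peer verifies: the reply is a Failure whose Identifier equals
    the Identifier of the Response it answers."""
    req = parse_eap(request_eap_message)
    rep = parse_eap(reply_eap_message)
    return rep.code == EAP_FAILURE and rep.identifier == req.identifier


def describe(value: str) -> str:
    """Short human-readable summary of an EAP-Message value."""
    pkt = parse_eap(value)
    name = CODE_NAMES.get(pkt.code, str(pkt.code))
    if pkt.eap_type is None:
        return f"{name} id={pkt.identifier}"
    type_name = TYPE_NAMES.get(pkt.eap_type, str(pkt.eap_type))
    return f"{name} id={pkt.identifier} type={type_name}"


if __name__ == "__main__":
    # Values taken from the debug output in the thread: the CPE's last TLS ACK.
    request = "0x020600060d00"
    print(describe(request))                       # Response id=6 type=TLS
    print(build_eap_failure(request))              # 0x04060004
    print(failure_matches(request, "0x04060004"))  # True
    print(failure_matches(request, "0x04020004"))  # False: wrong Identifier
```

The `sql { notfound = reject }` override stops the request; the policy only makes the reject well-formed at the EAP layer, so a peer sees a Failure with the Identifier it expects instead of a bare Access-Reject.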


Re: EAP authentication accept, user not found

2011-09-26 Thread andreapepa
Hi Arran,

Thank you that works great!



Re: rlm_sql not checking radgroupreply

2011-09-26 Thread Arran Cudbard-Bell
  
 I have the read_groups setting set to yes in sql.conf and the debug log 
 would make it appear that it's reading it in correctly.  The mac is found in 
 radcheck and any attributes in radreply are correctly returned, but rlm_sql 
 never checks for any group memberships at all.  I've done a trace on the sql 
 server and it confirms what I see in the debug log from radius - it just 
 never checks.
  
 Thoughts?

Weird... Have you tried setting Fall-Through := yes in radcheck... In theory 
you shouldn't need to, but just to see if it works.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Re: Re: rlm_sql not checking radgroupreply

2011-09-26 Thread John Dunning
Arran,
Yea - I did give that a try.  I'm not sure if fall-through appears in the reply 
list at the end of the transaction like the other attributes do, but it didn't 
show up, nor did the group attributes show up.

 
JD


Re: Re: rlm_sql not checking radgroupreply

2011-09-26 Thread Angelo Compagnucci
Hi John,

Your sql configuration lacks group_membership_query.

Without this one, group checking is disabled silently during startup.

Hope this helps!

Angelo



Re: Re: rlm_sql not checking radgroupreply

2011-09-26 Thread John Dunning
Angelo - that was it!!  Thanks so much.

Just a note to the maintainers: I used the dialup.conf from the 2.1.10
source.  The debian packages don't have a dialup.conf for mssql, so I used the
2.1.10 source mssql directory and created a logical link for iodbc.

It was, evidently, fixed in 2.1.11 as the one from that version has the query.

Thanks all!!

JD




Re: Re: rlm_sql not checking radgroupreply

2011-09-26 Thread Angelo Compagnucci
A month ago, I had to read the source code to understand why the group
membership was disabled in my configuration!

I'm using odbc also with mssql!

How have you resolved the unix_timestamp issue? I had to rewrite queries
converting the unix_timestamp to something like CONVERT(datetime, '%S', 20)
to accommodate my db.

Angelo



Re: Re: rlm_sql not checking radgroupreply

2011-09-26 Thread John Dunning
Honestly Angelo, I haven't gotten that far yet... was just trying to get auth 
working.  Logging and accounting are still on the to-do list.
 
If I figure out something I'll let you know!
 
JD


 Angelo Compagnucci angelo.compagnu...@gmail.com 9/26/2011 2:43 PM 
A month ago,I had to read the source code to understand why the group 
membership was disabled in my configuration!

I'm using odbc also with mssql!

How have you resolved the unix_timestamp issue? I had to rewrite queries 
converting the unix_timestamp to something like CONVERT(datetime, '%S', 20) to 
accommodate my db.

Angelo

2011/9/26 John Dunning jodun...@wsc.edu


Angelo - that was it!! Thanks so much.
Just a note to the maintainers... I used the dialup.conf from the 2.1.10 
source. The Debian packages don't have a dialup.conf for mssql, so I used the 
2.1.10 source mssql directory and created a logical link for iodbc.
It was, evidently, fixed in 2.1.11 as the one from that version has the query.
Thanks all!!
JD


 Angelo Compagnucci angelo.compagnu...@gmail.com 9/26/2011 12:46 PM 

Hi John, 

Your sql configuration lacks group_membership_query.

Without this one, group checking is disabled silently during start up.

Hope this helps!

Angelo

2011/9/26 John Dunning jodun...@wsc.edu


Arran,
Yea - I did give that a try. I'm not sure if fall-through appears in the reply 
list at the end of the transaction like the other attributes do, but it didn't 
show up, nor did the group attributes show up.


JD
I have the read_groups setting set to yes in sql.conf and the debug log would 
make it appear that it's reading it in correctly. The mac is found in radcheck 
and any attributes in radreply are correctly returned, but rlm_sql never checks 
for any group memberships at all. I've done a trace on the sql server and it 
confirms what I see in the debug log from radius - it just never checks.
Thoughts?


Weird... Have you tried setting Fall-Through := yes in radcheck... In theory 
you shouldn't need to, but just to see if it works.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org 

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
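The entry Angelo refers to, shown here as an added example rather than text from the thread: in the mysql dialup.conf shipped with FreeRADIUS 2.1.x the group lookup is driven by group_membership_query, and the table name is taken from sql.conf (usergroup_table, radusergroup by default). Without this key rlm_sql starts up normally and simply never consults radusergroup, which matches the silent behaviour John observed.

```conf
# Added example: the dialup.conf key whose absence silently disables
# group checking in rlm_sql 2.x. ${usergroup_table} is expanded from
# sql.conf (usergroup_table = "radusergroup" by default).
group_membership_query = "SELECT groupname \
  FROM ${usergroup_table} \
  WHERE username = '%{SQL-User-Name}' \
  ORDER BY priority"
```

Running radiusd -X after adding it shows the query being issued right after the radcheck/radreply lookups, which is the quickest way to confirm group processing is active.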


Post-auth and Rejected logins

2011-09-26 Thread Johan Meiring

Hi,

Hope the following makes sense.

I have a perl module that runs in post-auth.

It checks various things that confirm whether the user may have access and, 
if not, would turn an Accept into a Reject.


I want this perl module to run whether the authentication previously failed 
or not.


I'm using the documented method of the following:

post-auth {
  my_perl
  Post-Auth-Type REJECT {
my_perl
  }
}

The problem comes in here.

If authentication failed, the module runs once only (in the Post-Auth-Type 
REJECT stanza)


If authentication was OK, and my perl module also OK's the request, it runs 
once only (in the non-Post-Auth-Type REJECT stanza).


But

If the authentication was OK, and my perl module then decides to reject the 
Authentication (by returning RLM_MODULE_REJECT), the perl module runs twice.


I've tried swapping around the post-auth section as follows:

post-auth {
  Post-Auth-Type REJECT {
my_perl
  }
  my_perl
}

The REJECT stanza is still executed if the non-REJECT stanza turns the 
accept into a reject.


The only solution I can come up with is to set a Tmp-String, and using 
unlang try to force the perl to not run again.


Does anyone know of a more elegant way?

Thanks!


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Before acting on this email or opening any attachments
you should read Cape PC Service's email disclaimer at:

http://www.pcservices.co.za/disclaimer.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Post-auth and Rejected logins

2011-09-26 Thread Alan DeKok
Johan Meiring wrote:
 If the authentication was OK, and my perl module then decides to reject
 the Authentication (by returning RLM_MODULE_REJECT), 

  Don't do that.

  The post-auth section is for running modules AFTER the user has been
accepted or rejected.  It doesn't make much sense to accept the user,
and then reject them.

  Instead, reject the user earlier in the packet processing.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Post-auth and Rejected logins

2011-09-26 Thread Johan Meiring

On 2011/09/26 11:38 PM, Alan DeKok wrote:

Johan Meiring wrote:

If the authentication was OK, and my perl module then decides to reject
the Authentication (by returning RLM_MODULE_REJECT),


   Don't do that.

   The post-auth section is for running modules AFTER the user has been
accepted or rejected.  It doesn't make much sense to accept the user,
and then reject them.

   Instead, reject the user earlier in the packet processing.



Hi Alan,

What you say makes sense.

My perl code used to run in the Authorisation section.

The reason I moved it down (to post auth), is because some of my queries 
are very database intensive (complex system).


i.e.

What I had was:

1) Authorisation (using rlm_perl):
   Check various stuff
   If OK so far, create Cleartext-Password, else reject
2) Authentication, PAP/CHAP/whatever

What I tried to avoid was that the check various stuff runs if the user 
supplied the wrong password.


I therefore modified the setup as follows:

1) Authorisation - Create Cleartext-Password (using rlm_mysql)
2) Authentication - PAP/CHAP/whatever
3) Post-Auth - Check the various stuff and reject (using rlm_perl)

This saves a lot of unnecessary (database) CPU cycles.

Using a Tmp-String works.

My post-auth now looks as follows:

  post-auth {
my_perl
Post-Auth-Type REJECT {
  if (%{reply:Tmp-String-0} != DONTRUNAGAIN) {
my_perl
  }
}
  }

The perl post-auth subroutine simply contains the following:
$RAD_REPLY{'Tmp-String-0'} = 'DONTRUNAGAIN';

This works as expected.

I was just hoping for a more elegant solution.

Thanks again!!

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
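Putting Johan's two pieces together, as an added example that is not his module or any FreeRADIUS code: an rlm_perl post_auth subroutine that runs the checks, sets the Tmp-String-0 marker so the Post-Auth-Type REJECT stanza from his post-auth section skips the second pass, and returns the reject code. The return-code constants are the ones FreeRADIUS's example.pl defines; user_still_allowed is a hypothetical stand-in for the database-heavy checks.

```perl
# Added example, not Johan's module: an rlm_perl post_auth sub that performs
# the access checks once and marks the reply so the Post-Auth-Type REJECT
# pass can skip it. Return codes as defined in FreeRADIUS's example.pl.
use strict;
use warnings;

use constant RLM_MODULE_REJECT => 0;   # reject the request
use constant RLM_MODULE_OK     => 2;   # module succeeded, continue

# Attribute hashes that rlm_perl populates before each call
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Hypothetical stand-in for the "database intensive" checks; a real
# module would query its backend here and return true/false.
sub user_still_allowed {
    my ($user) = @_;
    return defined $user && $user !~ /^disabled-/;
}

sub post_auth {
    # Set the marker first, whatever the outcome, so the unlang test
    #   if (%{reply:Tmp-String-0} != DONTRUNAGAIN)
    # in the Post-Auth-Type REJECT stanza evaluates false on the second pass.
    $RAD_REPLY{'Tmp-String-0'} = 'DONTRUNAGAIN';

    return RLM_MODULE_OK if user_still_allowed($RAD_REQUEST{'User-Name'});

    # Turn the Accept into a Reject; the server then runs Post-Auth-Type REJECT,
    # where the marker above keeps this sub from executing again.
    $RAD_REPLY{'Reply-Message'} = 'Access denied by post-auth policy check';
    return RLM_MODULE_REJECT;
}

1;
```

Pair it with the post-auth section Johan posted (my_perl first, then Post-Auth-Type REJECT guarded on Tmp-String-0); the marker only needs to survive into the REJECT stanza, which is what his debug runs confirmed.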