how to access CallingStationId and CalledStationId propertes in diaup.conf (sql.conf) in a SQL query
Dear ALL
I use this query by calling stored procedure in database :
simul_count_query = SELECT
findout_cuncurrent_sessions_for_a_user('%{User-Name}','%{NAS-IP-Address}','%{CalledStationId}','%{CallingStationId}')
but I can not access to the value of CallingStationId and CalledStationId.
my radius.log file :
rlm_sql_postgresql: query: SELECT
findout_cuncurrent_sessions_for_a_user('test1','5.190.103.4','','')
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: Error invalid input syntax for type inet:
rlm_sql_postgresql: Postgresql Fatal Error: [22P02: INVALID TEXT
REPRESENTATION] Occurred!!
rlm_sql (sql) sql_checksimul: Database query failed
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to access CallingStationId and CalledStationId propertes in diaup.conf (sql.conf) in a SQL query
On 03/23/2013 10:31 AM, Mehdi Ravanbakhsh wrote:
Dear ALL
I use this query by calling stored procedure in database :
simul_count_query = SELECT
findout_cuncurrent_sessions_for_a_user('%{User-Name}','%{NAS-IP-Address}','%{CalledStationId}','%{CallingStationId}')
but I can not access to the value of CallingStationId and CalledStationId.
You've spelt them wrong. They have hyphens in them.
Run radiusd -X and look at what it shows you. Amongst other things, it
will show you the actual attributes in the packet, and these are the
names you can use.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Setting up EAP-TLS as the ONLY authentication mechanism?
I want to set up FreeRADIUS using EAP-TLS only. I'm running Ubuntu
Server 12.04.2 LTS here with the packaged build of FreeRADIUS from the
default Ubuntu/Debian apt-get package repository. I'm finding junk
scattered all over the place for configuring this thing (typical), so my
first objective is to get FreeRADIUS into a locked-down state so that
'freeradius -X' doesn't return things that bother me (i.e. pared back to
minimal functionality first).
Since I only want EAP-TLS, output lines like the following bother me
(I've inlined my concerns):
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24
2012 at 17:58:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
...
including configuration file /etc/freeradius/modules/pam
...
including configuration file /etc/freeradius/modules/chap
...
^^^
Does FreeRADIUS really need to load all of those config files to
function? That is, does it hurt in any way to load all of the module
config files? From what I can tell, they don't seem to be relevant
until they are instantiated later on, but I would appreciate confirmation.
radiusd: Loading Realms and Home Servers
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
^
What does this do? I don't think I need a proxy server. My setup is
just a consumer router plus a single Ubuntu box with FreeRADIUS on it.
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = status-server
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
^
All of this seems to be in proxy.conf. It doesn't look like I need any
of it but I'm not sure if it is safe to get rid of it/comment it out.
Again, this will be the only RADIUS server in the network and my
understanding is that proxies are for forwarding requests to other
RADIUS servers. Given my setup, can I safely comment out the '$INCLUDE
proxy.conf' line in 'radiusd.conf'?
radiusd: Loading Clients
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
}
^
Not sure why I would need this either. Based on the 'secret' string's
value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
not 100% confident about that.
radiusd: Instantiating modules
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module exec from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = request
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module expr from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module expiration from file
/etc/freeradius/modules/expiration
expiration {
reply-message = Password Has Expired
}
Module: Linked to module rlm_logintime
Module: Instantiating module logintime from file
/etc/freeradius/modules/logintime
logintime {
reply-message = You are calling outside your allowed timespan
minimum-timeout = 60
}
}
^^
Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a
password - it can expire, but the message Password Has Expired seems
like it will never appear (or, if it does, it'll be confusing to a
user). I'm probably not going to use the 'logintime' features. 'exec'
might be useful since I probably will use the external 'openssl' based
'verify' method in 'eap.conf' (unless someone can suggest a better
approach).
radiusd: Loading Virtual Servers
...
^^
Even when 'default' was the only thing in 'sites-enabled', it loaded a
bunch of stuff other than EAP-TLS. I currently have nothing in
'sites-enabled' right now, but would like insight into what the
configuration file should be to just do EAP-TLS.
radiusd: Opening IP addresses and Ports
listen {
type = auth
ipaddr = *
port = 0
}
listen {
type = acct
ipaddr = *
port = 0
}
Listening on authentication address * port
ippool-dhcp and Oracle
Hello Everyone Could anyone advise me what would be required to us dhcp-ippool with Oracle? I had a quick look through the files in git and it seems to me that the only thing missing is queries.conf? If that is all that is required I am happy to do the work of porting the sql queries from the mysql version, but I just wanted the check that I am not missing something. Ben - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ippool-dhcp and Oracle
On 23 Mar 2013, at 12:22, Бен Томпсон b.thomp...@latera.ru wrote: Hello Everyone Could anyone advise me what would be required to us dhcp-ippool with Oracle? I had a quick look through the files in git and it seems to me that the only thing missing is queries.conf? If that is all that is required I am happy to do the work of porting the sql queries from the mysql version, but I just wanted the check that I am not missing something. Nope you're not. Please contribute a queries.conf file for Oracle and submit a pull request for master branch. Were actively trying to promote the use of the DHCP side, so such patches are very helpful. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ippool-dhcp and Oracle
2013/3/23 Arran Cudbard-Bell a.cudba...@freeradius.org: On 23 Mar 2013, at 12:22, Бен Томпсон b.thomp...@latera.ru wrote: Hello Everyone Could anyone advise me what would be required to us dhcp-ippool with Oracle? I had a quick look through the files in git and it seems to me that the only thing missing is queries.conf? If that is all that is required I am happy to do the work of porting the sql queries from the mysql version, but I just wanted the check that I am not missing something. Nope you're not. Please contribute a queries.conf file for Oracle and submit a pull request for master branch. Were actively trying to promote the use of the DHCP side, so such patches are very helpful. -Arran Hi Arran Thanks for the quick reply, I will try and do it in the next few days. Ben - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to access CallingStationId and CalledStationId propertes in diaup.conf (sql.conf) in a SQL query
Thanks i am find correct name .
On Sat, Mar 23, 2013 at 5:35 PM, Phil Mayers p.may...@imperial.ac.ukwrote:
On 03/23/2013 10:31 AM, Mehdi Ravanbakhsh wrote:
Dear ALL
I use this query by calling stored procedure in database :
simul_count_query = SELECT
findout_cuncurrent_sessions_**for_a_user('%{User-Name}','%{**
NAS-IP-Address}','%{**CalledStationId}','%{**CallingStationId}')
but I can not access to the value of CallingStationId and
CalledStationId.
You've spelt them wrong. They have hyphens in them.
Run radiusd -X and look at what it shows you. Amongst other things, it
will show you the actual attributes in the packet, and these are the names
you can use.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/**
list/users.html http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
Thomas Hruska wrote: Since I only want EAP-TLS, output lines like the following bother me (I've inlined my concerns): ... Does FreeRADIUS really need to load all of those config files to function? No. That's why they config files are editable. So you can edit them. That is, does it hurt in any way to load all of the module config files? I don't understand the question. What can hurt about loading config files What does this do? Read raddb/proxy.conf. This is documented. Extensively. All of this seems to be in proxy.conf. It doesn't look like I need any of it but I'm not sure if it is safe to get rid of it/comment it out. Read proxy.conf. Again, this will be the only RADIUS server in the network and my understanding is that proxies are for forwarding requests to other RADIUS servers. Given my setup, can I safely comment out the '$INCLUDE proxy.conf' line in 'radiusd.conf'? This is documented. The comments above the line $INCLUDE proxy.conf tell you. And again, the reason the config files are text is so that you can edit them. What's the worst that can happen? If something goes wrong... just put the text back. Not sure why I would need this either. Based on the 'secret' string's value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm not 100% confident about that. No. Clients have nothing to do with proxies. Do you plan on testing your server? If so, that entry can be useful. Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a password - it can expire, but the message Password Has Expired seems like it will never appear (or, if it does, it'll be confusing to a user). I'm probably not going to use the 'logintime' features. 'exec' might be useful since I probably will use the external 'openssl' based 'verify' method in 'eap.conf' (unless someone can suggest a better approach). So... delete the things you're not using. That's why there are comments explaining what those modules do. So you can learn, and think for yourself. Even when 'default' was the only thing in 'sites-enabled', it loaded a bunch of stuff other than EAP-TLS. I currently have nothing in 'sites-enabled' right now, but would like insight into what the configuration file should be to just do EAP-TLS. Read raddb/sites-enabled/default. Honestly, there is a *lot* of documentation on this included with the config files. I see no reason to cut paste it here. Instead, you should find the time to readit. What do I need to do to set up FreeRADIUS so that it only supports EAP-TLS? Configure only EAP, and EAP-TLS. Some of the stuff in 'eap.conf' is confusing. I've commented out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left uncommented and set 'default_eap_type = tls', but I'm not sure if that is all I need to do. Documentation on setting up an EAP-TLS only RADIUS server is limited. Nonsense. I don't mean that there's lots of documentation on setting up your exact desired configuration. I mean it's nonsense to *expect* that there will be lots of documentation on setting up your exact desired configuration. What is the best method of setting it up so that only the router can communicate with the RADIUS server on port 1812? Firewalls. Then, making sure that the server is only listening on port 1812 Most of these questions are The server does A and B, but I only want it to do A. What do I do? And the answer is edit the config files so that it doesn't do B. You're looking for reassurance that editing the config files won't cause the server to explode in flaming metal. It won't. Edit them. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
On 3/23/2013 3:54 PM, Alan DeKok wrote:
Thomas Hruska wrote:
snip
Read proxy.conf.
[Sigh] I have. It doesn't make sense to me. Why enable it as a
default if it isn't necessary for basic functionality? Hopefully you
can see how the average user might be confused, Hey the authors enabled
this by default. Maybe there is a very important reason for that. I'll
go ahead and leave it alone because they know better. But I see an
open port and wonder if it is actually necessary. So I figured I would
ask to obtain some knowledge of why it is enabled by default, hence the
original questions. Here's the text from 'radiusd.conf':
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the yes to no, and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
Nowhere in there does it explain why proxying is on by default. It just
says that it can be turned off. I want to know why it is on by default
in the first place. From what I'm beginning to understand, based on
your reply, FreeRADIUS opens a port that isn't necessary for basic
functionality as part of its default installation. That sort of
behavior should at least raise an eyebrow if not a few red flags.
Not sure why I would need this either. Based on the 'secret' string's
value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
not 100% confident about that.
No. Clients have nothing to do with proxies.
Do you plan on testing your server? If so, that entry can be useful.
The default client secrets(s) should be different from the default proxy
secret(s) to avoid confusion for first-time users.
I missed that it is there for testing. And I see why:
###
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a short name that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word client was the IP
# address of the client. In 2.0, the IP address is configured via
# the ipaddr or ipv6addr fields. For compatibility, the 1.x
# format is still accepted.
#
Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a
password - it can expire, but the message Password Has Expired seems
like it will never appear (or, if it does, it'll be confusing to a
user). I'm probably not going to use the 'logintime' features. 'exec'
might be useful since I probably will use the external 'openssl' based
'verify' method in 'eap.conf' (unless someone can suggest a better
approach).
So... delete the things you're not using. That's why there are
comments explaining what those modules do. So you can learn, and think
for yourself.
Again, defaults exist for a reason. The reasons for the defaults are
what I'm actually after here.
Some of the stuff in 'eap.conf' is confusing. I've commented
out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
uncommented and set 'default_eap_type = tls', but I'm not sure if that
is all I need to do. Documentation on setting up an EAP-TLS only
RADIUS server is limited.
I mean it's nonsense to *expect*
that there will be lots of documentation on setting up your exact
desired configuration.
All I was asking here was if commenting out those protocols in
'eap.conf' was all I have to do to disable them? A simple confirmation
would suffice.
You're looking for reassurance that editing the config files won't
cause the server to explode in flaming metal. It won't. Edit them.
I admit that there is a little of that, but I'm just trying to save
myself from breaking things too badly by understanding why the defaults
are the defaults before I go and blow away large portions of config.
--
Thomas Hruska
CubicleSoft President
I've got great, time saving software that you might find useful.
http://cubiclesoft.com/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
On 23 Mar 2013, at 23:32, Thomas Hruska thru...@cubiclesoft.com wrote:
On 3/23/2013 3:54 PM, Alan DeKok wrote:
Thomas Hruska wrote:
snip
Read proxy.conf.
[Sigh] I have. It doesn't make sense to me. Why enable it as a default if
it isn't necessary for basic functionality? Hopefully you can see how the
average user might be confused, Hey the authors enabled this by default.
Maybe there is a very important reason for that.
Nope, just means more things work with less tweaking.
I'll go ahead and leave it alone because they know better. But I see an
open port and wonder if it is actually necessary. So I figured I would ask
to obtain some knowledge of why it is enabled by default, hence the original
questions. Here's the text from 'radiusd.conf':
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the yes to no, and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
Nowhere in there does it explain why proxying is on by default. It just says
that it can be turned off. I want to know why it is on by default in the
first place. From what I'm beginning to understand, based on your reply,
FreeRADIUS opens a port that isn't necessary for basic functionality as part
of its default installation. That sort of behavior should at least raise an
eyebrow if not a few red flags.
Why is authentication on by default, you might just want to do accounting? why
is accounting on by default, you might just want to do authentication? It's on
by default because it does no harm having it on by default, and makes it easier
for people with no knowledge of the server to use the server.
You just add a realm, and it works, instead of having to toggle different bits
of config to make it work.
I think the configs could probably do with trimming a bit, but it does not make
sense to disable these things by default, as there are no security
implications, just a slight increase in memory usage.
Not sure why I would need this either. Based on the 'secret' string's
value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm
not 100% confident about that.
No. Clients have nothing to do with proxies.
Do you plan on testing your server? If so, that entry can be useful.
The default client secrets(s) should be different from the default proxy
secret(s) to avoid confusion for first-time users.
I missed that it is there for testing. And I see why:
That sentence is ambiguous.
Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a
password - it can expire, but the message Password Has Expired seems
like it will never appear (or, if it does, it'll be confusing to a
user). I'm probably not going to use the 'logintime' features. 'exec'
might be useful since I probably will use the external 'openssl' based
'verify' method in 'eap.conf' (unless someone can suggest a better
approach).
So... delete the things you're not using. That's why there are
comments explaining what those modules do. So you can learn, and think
for yourself.
Again, defaults exist for a reason. The reasons for the defaults are what
I'm actually after here.
Again it's so things just work. For rlm_logintime, if you read the code:
https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_logintime/rlm_logintime.c#L157
If there's no Login-Time attribute in the request it does nothing. If there is
a Login-Time attribute in the request it ensures the user can only login before
that time.
It means you can add Login-Time in a users file, and it'll just work, instead
if hunting through the server to figure out where to turn on the Login-Time
module.
Some of the stuff in 'eap.conf' is confusing. I've commented
out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left
uncommented and set 'default_eap_type = tls', but I'm not sure if that
is all I need to do. Documentation on setting up an EAP-TLS only
RADIUS server is limited.
I mean it's nonsense to *expect*
that there will be lots of documentation on setting up your exact
desired configuration.
All I was asking here was if commenting out those protocols in 'eap.conf' was
all I have to do to disable them? A simple confirmation would suffice.
Yes. It's all you have to do to disable them.
You're looking for reassurance that editing the config files won't
cause the server to explode in flaming metal. It won't. Edit them.
I admit that there is a little of that, but I'm just trying to save
