how to access CallingStationId and CalledStationId properties in dialup.conf (sql.conf) in a SQL query
Dear all,

I use this query, calling a stored procedure in the database:

simul_count_query = SELECT findout_cuncurrent_sessions_for_a_user('%{User-Name}','%{NAS-IP-Address}','%{CalledStationId}','%{CallingStationId}')

but I cannot access the values of CallingStationId and CalledStationId.

My radius.log file:

rlm_sql_postgresql: query: SELECT findout_cuncurrent_sessions_for_a_user('test1','5.190.103.4','','')
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: Error invalid input syntax for type inet:
rlm_sql_postgresql: Postgresql Fatal Error: [22P02: INVALID TEXT REPRESENTATION] Occurred!!
rlm_sql (sql) sql_checksimul: Database query failed

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to access CallingStationId and CalledStationId properties in dialup.conf (sql.conf) in a SQL query
On 03/23/2013 10:31 AM, Mehdi Ravanbakhsh wrote:
> Dear all,
> I use this query, calling a stored procedure in the database:
> simul_count_query = SELECT findout_cuncurrent_sessions_for_a_user('%{User-Name}','%{NAS-IP-Address}','%{CalledStationId}','%{CallingStationId}')
> but I cannot access the values of CallingStationId and CalledStationId.

You've spelt them wrong. They have hyphens in them.

Run radiusd -X and look at what it shows you. Amongst other things, it will show you the actual attributes in the packet, and these are the names you can use.
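To make the fix concrete, this is how the corrected check looks in raddb/sql/postgresql/dialup.conf on a 2.x server. It is an added example, not text from the thread or the project's shipped file: the function name is the poster's own, the file path and the safe-characters value are assumptions to be checked against your install, and only the attribute names inside %{...} differ from the original query.

```conf
# raddb/sql/postgresql/dialup.conf (FreeRADIUS 2.x) - simultaneous-use check.
# Added example, not from the thread. findout_cuncurrent_sessions_for_a_user
# is the poster's stored procedure; the file path is assumed.
#
# %{...} takes the attribute names that radiusd -X prints for the packet,
# hyphens included. A name the dictionary does not know, such as
# %{CalledStationId}, is not a config error: it expands to the empty
# string, which is exactly the '' the stored procedure received in the log.
simul_count_query = "SELECT findout_cuncurrent_sessions_for_a_user( \
        '%{User-Name}', \
        '%{NAS-IP-Address}', \
        '%{Called-Station-Id}', \
        '%{Calling-Station-Id}')"

# rlm_sql passes every %{...} expansion used inside its queries through its
# escape function before substitution: characters not listed in
# safe-characters (sql { } in sql.conf) are rewritten as =XX, so a crafted
# User-Name cannot break out of the quotes above. Keep the list tight; the
# '-', ':' and '.' in MAC-style Called-/Calling-Station-Id values are
# already in it (assumed value, verify against your sql.conf).
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
```

Run radiusd -X, authenticate once, and confirm the expanded query in the debug output carries the real station IDs. A NAS that does not send Calling-Station-Id still yields '' for that argument, so the procedure has to tolerate an empty string; a parameter declared as inet will not, which is what the 22P02 error above shows.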
Setting up EAP-TLS as the ONLY authentication mechanism?
I want to set up FreeRADIUS using EAP-TLS only. I'm running Ubuntu Server 12.04.2 LTS here with the packaged build of FreeRADIUS from the default Ubuntu/Debian apt-get package repository.

I'm finding junk scattered all over the place for configuring this thing (typical), so my first objective is to get FreeRADIUS into a locked-down state so that 'freeradius -X' doesn't return things that bother me (i.e. pared back to minimal functionality first). Since I only want EAP-TLS, output lines like the following bother me (I've inlined my concerns):

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 at 17:58:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
...
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/chap
...

^^^ Does FreeRADIUS really need to load all of those config files to function? That is, does it hurt in any way to load all of the module config files? From what I can tell, they don't seem to be relevant until they are instantiated later on, but I would appreciate confirmation.

radiusd: Loading Realms and Home Servers
proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
}

^ What does this do? I don't think I need a proxy server. My setup is just a consumer router plus a single Ubuntu box with FreeRADIUS on it.

home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = auth
        secret = testing123
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = yes
        zombie_period = 40
        status_check = status-server
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
}
home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
}
realm example.com {
        auth_pool = my_auth_failover
}
realm LOCAL {
}

^ All of this seems to be in proxy.conf. It doesn't look like I need any of it but I'm not sure if it is safe to get rid of it/comment it out. Again, this will be the only RADIUS server in the network and my understanding is that proxies are for forwarding requests to other RADIUS servers. Given my setup, can I safely comment out the '$INCLUDE proxy.conf' line in 'radiusd.conf'?

radiusd: Loading Clients
client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = testing123
        nastype = other
}

^ Not sure why I would need this either. Based on the 'secret' string's value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm not 100% confident about that.

radiusd: Instantiating modules
instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module exec from file /etc/freeradius/modules/exec
  exec {
        wait = no
        input_pairs = request
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module expr from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module expiration from file /etc/freeradius/modules/expiration
  expiration {
        reply-message = Password Has Expired
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module logintime from file /etc/freeradius/modules/logintime
  logintime {
        reply-message = You are calling outside your allowed timespan
        minimum-timeout = 60
  }
}

^^ Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a password - it can expire, but the message "Password Has Expired" seems like it will never appear (or, if it does, it'll be confusing to a user). I'm probably not going to use the 'logintime' features. 'exec' might be useful since I probably will use the external 'openssl' based 'verify' method in 'eap.conf' (unless someone can suggest a better approach).

radiusd: Loading Virtual Servers
...

^^ Even when 'default' was the only thing in 'sites-enabled', it loaded a bunch of stuff other than EAP-TLS. I currently have nothing in 'sites-enabled' right now, but would like insight into what the configuration file should be to just do EAP-TLS.

radiusd: Opening IP addresses and Ports
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        type = acct
        ipaddr = *
        port = 0
}
Listening on authentication address * port
ippool-dhcp and Oracle
Hello everyone,

Could anyone advise me what would be required to use dhcp-ippool with Oracle? I had a quick look through the files in git and it seems to me that the only thing missing is queries.conf? If that is all that is required I am happy to do the work of porting the SQL queries from the MySQL version, but I just wanted to check that I am not missing something.

Ben
Re: ippool-dhcp and Oracle
On 23 Mar 2013, at 12:22, Бен Томпсон <b.thomp...@latera.ru> wrote:
> Hello everyone,
>
> Could anyone advise me what would be required to use dhcp-ippool with Oracle? I had a quick look through the files in git and it seems to me that the only thing missing is queries.conf? If that is all that is required I am happy to do the work of porting the SQL queries from the MySQL version, but I just wanted to check that I am not missing something.

Nope, you're not. Please contribute a queries.conf file for Oracle and submit a pull request for the master branch. We're actively trying to promote the use of the DHCP side, so such patches are very helpful.

-Arran
Re: ippool-dhcp and Oracle
2013/3/23 Arran Cudbard-Bell <a.cudba...@freeradius.org>:
> On 23 Mar 2013, at 12:22, Бен Томпсон <b.thomp...@latera.ru> wrote:
>> Hello everyone,
>>
>> Could anyone advise me what would be required to use dhcp-ippool with Oracle? I had a quick look through the files in git and it seems to me that the only thing missing is queries.conf? If that is all that is required I am happy to do the work of porting the SQL queries from the MySQL version, but I just wanted to check that I am not missing something.
>
> Nope, you're not. Please contribute a queries.conf file for Oracle and submit a pull request for the master branch. We're actively trying to promote the use of the DHCP side, so such patches are very helpful.
>
> -Arran

Hi Arran,

Thanks for the quick reply, I will try and do it in the next few days.

Ben
Re: how to access CallingStationId and CalledStationId properties in dialup.conf (sql.conf) in a SQL query
Thanks, I found the correct name.

On Sat, Mar 23, 2013 at 5:35 PM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
> On 03/23/2013 10:31 AM, Mehdi Ravanbakhsh wrote:
>> Dear all,
>> I use this query, calling a stored procedure in the database:
>> simul_count_query = SELECT findout_cuncurrent_sessions_for_a_user('%{User-Name}','%{NAS-IP-Address}','%{CalledStationId}','%{CallingStationId}')
>> but I cannot access the values of CallingStationId and CalledStationId.
>
> You've spelt them wrong. They have hyphens in them.
>
> Run radiusd -X and look at what it shows you. Amongst other things, it will show you the actual attributes in the packet, and these are the names you can use.
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
Thomas Hruska wrote:
> Since I only want EAP-TLS, output lines like the following bother me (I've inlined my concerns):
...
> Does FreeRADIUS really need to load all of those config files to function?

No. That's why the config files are editable. So you can edit them.

> That is, does it hurt in any way to load all of the module config files?

I don't understand the question. What can hurt about loading config files?

> What does this do?

Read raddb/proxy.conf. This is documented. Extensively.

> All of this seems to be in proxy.conf. It doesn't look like I need any of it but I'm not sure if it is safe to get rid of it/comment it out.

Read proxy.conf.

> Again, this will be the only RADIUS server in the network and my understanding is that proxies are for forwarding requests to other RADIUS servers. Given my setup, can I safely comment out the '$INCLUDE proxy.conf' line in 'radiusd.conf'?

This is documented. The comments above the line "$INCLUDE proxy.conf" tell you. And again, the reason the config files are text is so that you can edit them. What's the worst that can happen? If something goes wrong... just put the text back.

> Not sure why I would need this either. Based on the 'secret' string's value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm not 100% confident about that.

No. Clients have nothing to do with proxies. Do you plan on testing your server? If so, that entry can be useful.

> Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a password - it can expire, but the message "Password Has Expired" seems like it will never appear (or, if it does, it'll be confusing to a user). I'm probably not going to use the 'logintime' features. 'exec' might be useful since I probably will use the external 'openssl' based 'verify' method in 'eap.conf' (unless someone can suggest a better approach).

So... delete the things you're not using. That's why there are comments explaining what those modules do. So you can learn, and think for yourself.

> Even when 'default' was the only thing in 'sites-enabled', it loaded a bunch of stuff other than EAP-TLS. I currently have nothing in 'sites-enabled' right now, but would like insight into what the configuration file should be to just do EAP-TLS.

Read raddb/sites-enabled/default. Honestly, there is a *lot* of documentation on this included with the config files. I see no reason to cut & paste it here. Instead, you should find the time to read it.

> What do I need to do to set up FreeRADIUS so that it only supports EAP-TLS?

Configure only EAP, and EAP-TLS.

> Some of the stuff in 'eap.conf' is confusing. I've commented out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left uncommented and set 'default_eap_type = tls', but I'm not sure if that is all I need to do. Documentation on setting up an EAP-TLS only RADIUS server is limited.

Nonsense. I don't mean that there's lots of documentation on setting up your exact desired configuration. I mean it's nonsense to *expect* that there will be lots of documentation on setting up your exact desired configuration.

> What is the best method of setting it up so that only the router can communicate with the RADIUS server on port 1812?

Firewalls. Then, making sure that the server is only listening on port 1812.

Most of these questions are "The server does A and B, but I only want it to do A. What do I do?" And the answer is "edit the config files so that it doesn't do B."

You're looking for reassurance that editing the config files won't cause the server to explode in flaming metal. It won't. Edit them.

Alan DeKok.
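What "configure only EAP, and EAP-TLS" plus "only listen where the router can reach you" looks like on the 2.1.x tree the poster is running, as an added example. It is not from the thread and not the project's shipped configuration: the addresses, the shared secret, the certificate paths and the verify command are assumptions, and the shipped files carry many more options than are shown here.

```conf
# --- radiusd.conf (FreeRADIUS 2.1.x): no proxying, one auth listener ---
# Added example, not from the thread. 192.168.1.2 (this server) and
# 192.168.1.1 (the router) are assumed addresses.
proxy_requests = no
# $INCLUDE proxy.conf          <- commented out: nothing to forward to

listen {
        type = auth
        ipaddr = 192.168.1.2   # not "*": only the interface the router uses
        port = 1812
}
# No "type = acct" listener unless the router really sends accounting.

# Only instantiate what EAP-TLS with the external verify needs; expr,
# expiration and logintime from the shipped list are dropped.
instantiate {
        exec
}

# --- clients.conf: delete "client localhost" once radtest is done ---
client router {
        ipaddr = 192.168.1.1
        secret = "assumed-long-random-secret-replace-me"
        require_message_authenticator = yes   # EAP must carry it anyway (RFC 3579)
        nastype = other
}

# --- eap.conf: tls is the only sub-section left ---
eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        max_sessions = 4096

        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = "assumed-key-passphrase"
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem   # your own CA, not the test certs
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
                fragment_size = 1024
                include_length = yes
                check_crl = no

                # Optional: the external openssl check the poster mentions.
                # tmpdir holds the client cert while it is checked; it must
                # be writable by the radiusd user only.
                verify {
                        tmpdir = /tmp/radiusd
                        client = "/usr/bin/openssl verify -CAfile ${..CA_file} %{TLS-Client-Cert-Filename}"
                }
        }
        # md5, leap, gtc, ttls, peap and mschapv2 sections removed entirely.
}

# --- sites-enabled/default: EAP is the only path to Access-Accept ---
authorize {
        eap
}
authenticate {
        eap
}
```

Two properties of this layout are worth checking in the -X output. First, a request without an EAP-Message makes the eap module return noop in authorize, no Auth-Type gets set, and the server rejects it, so there is no fallback to PAP or CHAP even though those module files are still read from raddb/modules/; reading a module's config is unconditional, linking and instantiating it only happens when a virtual server or the instantiate section names it. Second, the listen address only narrows the interface; pair it with a host firewall rule that accepts UDP 1812 solely from the router's address, and when you shorten the eap section, confirm that a client offering EAP-MD5 or PEAP is refused rather than negotiated down.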
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
On 3/23/2013 3:54 PM, Alan DeKok wrote:
> Thomas Hruska wrote:
> <snip>
>> Read proxy.conf.

[Sigh] I have. It doesn't make sense to me. Why enable it as a default if it isn't necessary for basic functionality? Hopefully you can see how the average user might be confused: "Hey, the authors enabled this by default. Maybe there is a very important reason for that. I'll go ahead and leave it alone because they know better. But I see an open port and wonder if it is actually necessary." So I figured I would ask to obtain some knowledge of why it is enabled by default, hence the original questions.

Here's the text from 'radiusd.conf':

#  PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#

Nowhere in there does it explain why proxying is on by default. It just says that it can be turned off. I want to know why it is on by default in the first place.

From what I'm beginning to understand, based on your reply, FreeRADIUS opens a port that isn't necessary for basic functionality as part of its default installation. That sort of behavior should at least raise an eyebrow if not a few red flags.

>> Not sure why I would need this either. Based on the 'secret' string's value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm not 100% confident about that.
>
> No. Clients have nothing to do with proxies. Do you plan on testing your server? If so, that entry can be useful.

The default client secret(s) should be different from the default proxy secret(s) to avoid confusion for first-time users.

I missed that it is there for testing. And I see why:

#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).
#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#

>> Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a password - it can expire, but the message "Password Has Expired" seems like it will never appear (or, if it does, it'll be confusing to a user). I'm probably not going to use the 'logintime' features. 'exec' might be useful since I probably will use the external 'openssl' based 'verify' method in 'eap.conf' (unless someone can suggest a better approach).
>
> So... delete the things you're not using. That's why there are comments explaining what those modules do. So you can learn, and think for yourself.

Again, defaults exist for a reason. The reasons for the defaults are what I'm actually after here.

>> Some of the stuff in 'eap.conf' is confusing. I've commented out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left uncommented and set 'default_eap_type = tls', but I'm not sure if that is all I need to do. Documentation on setting up an EAP-TLS only RADIUS server is limited.
>
> I mean it's nonsense to *expect* that there will be lots of documentation on setting up your exact desired configuration.

All I was asking here was if commenting out those protocols in 'eap.conf' was all I have to do to disable them? A simple confirmation would suffice.

> You're looking for reassurance that editing the config files won't cause the server to explode in flaming metal. It won't. Edit them.

I admit that there is a little of that, but I'm just trying to save myself from breaking things too badly by understanding why the defaults are the defaults before I go and blow away large portions of config.

--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you might find useful.

http://cubiclesoft.com/
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
On 23 Mar 2013, at 23:32, Thomas Hruska <thru...@cubiclesoft.com> wrote:
> On 3/23/2013 3:54 PM, Alan DeKok wrote:
>> Thomas Hruska wrote:
>> <snip>
>>> Read proxy.conf.
>
> [Sigh] I have. It doesn't make sense to me. Why enable it as a default if it isn't necessary for basic functionality? Hopefully you can see how the average user might be confused: "Hey, the authors enabled this by default. Maybe there is a very important reason for that."

Nope, just means more things work with less tweaking.

> "I'll go ahead and leave it alone because they know better. But I see an open port and wonder if it is actually necessary." So I figured I would ask to obtain some knowledge of why it is enabled by default, hence the original questions.
>
> Here's the text from 'radiusd.conf':
>
> #  PROXY CONFIGURATION
> #
> #  proxy_requests: Turns proxying of RADIUS requests on or off.
> #
> #  The server has proxying turned on by default.  If your system is NOT
> #  set up to proxy requests to another server, then you can turn proxying
> #  off here.  This will save a small amount of resources on the server.
> #
> #  If you have proxying turned off, and your configuration files say
> #  to proxy a request, then an error message will be logged.
> #
> #  To disable proxying, change the "yes" to "no", and comment the
> #  $INCLUDE line.
> #
> #  allowed values: {no, yes}
> #
>
> Nowhere in there does it explain why proxying is on by default. It just says that it can be turned off. I want to know why it is on by default in the first place.
>
> From what I'm beginning to understand, based on your reply, FreeRADIUS opens a port that isn't necessary for basic functionality as part of its default installation. That sort of behavior should at least raise an eyebrow if not a few red flags.

Why is authentication on by default, you might just want to do accounting? Why is accounting on by default, you might just want to do authentication?

It's on by default because it does no harm having it on by default, and makes it easier for people with no knowledge of the server to use the server. You just add a realm, and it works, instead of having to toggle different bits of config to make it work.

I think the configs could probably do with trimming a bit, but it does not make sense to disable these things by default, as there are no security implications, just a slight increase in memory usage.

>>> Not sure why I would need this either. Based on the 'secret' string's value, I'm wagering it has to do with the 'proxy.conf' settings, but I'm not 100% confident about that.
>>
>> No. Clients have nothing to do with proxies. Do you plan on testing your server? If so, that entry can be useful.
>
> The default client secret(s) should be different from the default proxy secret(s) to avoid confusion for first-time users.
>
> I missed that it is there for testing. And I see why:

That sentence is ambiguous.

>>> Most of that seems irrelevant to EAP-TLS. A certificate isn't exactly a password - it can expire, but the message "Password Has Expired" seems like it will never appear (or, if it does, it'll be confusing to a user). I'm probably not going to use the 'logintime' features. 'exec' might be useful since I probably will use the external 'openssl' based 'verify' method in 'eap.conf' (unless someone can suggest a better approach).
>>
>> So... delete the things you're not using. That's why there are comments explaining what those modules do. So you can learn, and think for yourself.
>
> Again, defaults exist for a reason. The reasons for the defaults are what I'm actually after here.

Again, it's so things just work. For rlm_logintime, if you read the code:

https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_logintime/rlm_logintime.c#L157

If there's no Login-Time attribute in the request it does nothing. If there is a Login-Time attribute in the request it ensures the user can only login before that time. It means you can add Login-Time in a users file, and it'll just work, instead of hunting through the server to figure out where to turn on the Login-Time module.

>>> Some of the stuff in 'eap.conf' is confusing. I've commented out 'md5', 'leap', 'mschapv2', etc. with only the 'tls' section left uncommented and set 'default_eap_type = tls', but I'm not sure if that is all I need to do. Documentation on setting up an EAP-TLS only RADIUS server is limited.
>>
>> I mean it's nonsense to *expect* that there will be lots of documentation on setting up your exact desired configuration.
>
> All I was asking here was if commenting out those protocols in 'eap.conf' was all I have to do to disable them? A simple confirmation would suffice.

Yes. It's all you have to do to disable them.

>> You're looking for reassurance that editing the config files won't cause the server to explode in flaming metal. It won't. Edit them.
>
> I admit that there is a little of that, but I'm just trying to save