Re: eap sim authorization problem

2013-06-13 Thread Iliya Peregoudov

On 11.06.2013 22:21, Rodney Machado wrote:

After reading again the documentation, i got to this point:

[skipped]

I'm going to fix the user file and give it a try again.


rlm_eap_sim expects EAP-Sim-RAND1 (and friends) in the reply list, not in 
the control list.


So the correct users entry for EAP-SIM is:

1IMSI	EAP-Type := SIM
	EAP-Sim-RAND1 := 0x...,
	...
	EAP-Sim-KC3 := 0x...

The EAP-Type control attribute is used to set the initial EAP method. Initial 
EAP method selection is performed by rlm_eap when an Access-Request carrying 
EAP-Response/Identity is handled. If there is no EAP-Type in the control list, 
the default method is selected. The default outer EAP method is set in the eap 
module configuration (eap { default_eap_type = ... }). The default inner EAP 
method is set in the EAP-PEAP and EAP-TTLS method configuration (eap { peap 
{ default_eap_type = ... }}).

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
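As an added illustration of the entry layout described above (example code written for this page, not from the post or from FreeRADIUS): the first line of a users entry carries the check items (identity and EAP-Type), and the indented, comma-terminated continuation lines are reply items, which is the list rlm_eap_sim reads the triplets from. The GSM triplet sizes (RAND 16 bytes, SRES 4 bytes, Kc 8 bytes) and the "1" + IMSI permanent identity are standard; the hex values in the test are constructed.

```python
import re

# Added example, not from the list post: build and split a FreeRADIUS
# "users" file entry for EAP-SIM.  The first line holds the check items
# (identity and EAP-Type); the indented, comma-terminated lines after it
# are reply items, which is where rlm_eap_sim looks for the triplets.
# GSM triplet sizes: RAND 16 bytes, SRES 4 bytes, Kc 8 bytes.

def _hex_field(name, value, nbytes):
    """Return a lowercase hex string, or raise if it is not exactly nbytes."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", value):
        raise ValueError(f"{name}: not a hex string")
    if len(value) != nbytes * 2:
        raise ValueError(f"{name}: expected {nbytes} bytes, got {len(value) // 2}")
    return value.lower()

def sim_users_entry(imsi, triplets):
    """users-file text for one subscriber.

    imsi     -- 15-digit IMSI; the EAP-SIM permanent identity is '1' + IMSI
    triplets -- exactly three (rand_hex, sres_hex, kc_hex) tuples
    """
    if not re.fullmatch(r"[0-9]{15}", imsi):
        raise ValueError("IMSI must be 15 digits")
    if len(triplets) != 3:
        raise ValueError("EAP-SIM full authentication needs three triplets")
    reply = []
    for n, (rand, sres, kc) in enumerate(triplets, start=1):
        reply.append(f"EAP-Sim-RAND{n} := 0x{_hex_field('RAND', rand, 16)}")
        reply.append(f"EAP-Sim-SRES{n} := 0x{_hex_field('SRES', sres, 4)}")
        reply.append(f"EAP-Sim-KC{n} := 0x{_hex_field('KC', kc, 8)}")
    lines = [f"1{imsi}\tEAP-Type := SIM"]          # check items
    lines += [f"\t{item}," for item in reply[:-1]]   # reply items end in ','
    lines.append(f"\t{reply[-1]}")                   # except the last one
    return "\n".join(lines) + "\n"

def split_check_reply(entry):
    """Split an entry the way the files module does: (name, check items,
    reply items).  Check items sit on the first line, reply items on the
    indented continuation lines."""
    first, *rest = entry.rstrip("\n").split("\n")
    name, _, checks = first.partition("\t")
    check = dict(kv.split(" := ") for kv in checks.split(", ") if kv)
    reply = dict(line.strip().rstrip(",").split(" := ") for line in rest)
    return name, check, reply
```

Putting a triplet on the first line instead would make it a check item, which is exactly the misplacement the reply above warns about; split_check_reply shows where each line ends up.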


Re: Problems freeradius and samba4

2013-06-13 Thread Iliya Peregoudov

On 12.06.2013 4:19, ricardobarbosams wrote:


No my filter is

filter = ((objectClass=user)(sAMAccountName=%{User-Name}))


I am not talking about the filter; I am talking about binding to the directory. 
Your ldapsearch binds to the directory as one user and your radiusd 
binds to the directory as another user. These users can have different 
authorization levels in the directory server. The directory may allow the 
us...@batlab.corp user to retrieve objects but disallow it for the 
CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp user.


Configure radiusd to use the us...@batlab.corp user to bind to the 
directory and you'll get the same results as with ldapsearch.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Working around broken EAP client

2013-06-13 Thread Gordon Ross
On 11 Jun 2013, at 16:06, Alan DeKok al...@deployingradius.com wrote:

  That's really not what I said to do.  I said set User-Name to be the
 MS-CHAP identity.  You've got that inverted.
 
 	update request {
 		User-Name := "%{mschap:User-Name}"
 	}


This worked a treat. Thank you very much !

GTG
-- 
Gordon Ross
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap sim authorization problem

2013-06-13 Thread Iliya Peregoudov

On 11.06.2013 12:27, raptor raptor wrote:

1.
When I change the users entry, I get a notification that Access-Accept has
succeeded, but unfortunately, when I restart the system it can't Access-Accept
and I must change the attribute in users from the agsm program.
Here is the log:


I do not clearly understand whether you think you succeeded or not.


2.
I've changed the users entry as you suggested and I still get the same
notification:
rlm_sim_files : isufficient number of challenges of challenges for imsi


Changing the users file will not fix simtriplets.dat.

I do not understand why you still bother with rlm_sim_files. You've 
already configured the auth vectors using the users file and it works well. Just 
comment out the sim_files module invocation and the "isufficient number of 
challenges" message will go away.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FW: MSSQL using unixodbc and truncation of characters

2013-06-13 Thread Franks Andy (RLZ) IT Systems Engineer
Ok, so I've compiled 3 from scratch with support for the freetds and unixodbc 
modules. I have some issues:
Using the unixodbc driver that was working before now gives me this:

rlm_sql (sql_postauth_lan0): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) 
loaded and linked
rlm_sql (sql_postauth_lan0): Attempting to connect to database SATHSupport
rlm_sql (sql_postauth_lan0): Initialising connection pool
rlm_sql (sql_postauth_lan0): Opening additional connection (0)
rlm_sql_unixodbc: 01000 [unixODBC][Driver Manager]Can't open lib 
'/usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so' : *¶?±: undefined symbol: 
get_vtable
rlm_sql_unixodbc: SQL down 08003 [unixODBC][Driver Manager]Connnection does not 
exist
rlm_sql_unixodbc: Can't allocate the statement
rlm_sql_sybase: Socket destructor called, closing socket
rlm_sql (sql_postauth_lan0): Opening connection failed (0)
rlm_sql (sql_postauth_lan0): Removing connection pool
/usr/local/etc/raddb/mods-enabled/sql_postauth_lan0[1]: Instantiation failed 
for module sql_postauth_lan0

The libtdsodbc.so file exists, and I've briefly altered the permissions to no 
avail. The .so file is from a package that Ubuntu provides, and was working 
fine with FR2.2.1, just with the previous issue noted (truncation).

Also, with the rlm_sql_freetds module, a simple

update control {
	SQLComputerID := "%{sql_test_mssql:Select 123456}"
}

gives:

LITERAL: %{sql_test_mssql:Select 123456}
LITERAL: %{sql_test_mssql:Select 123456} --> %{sql_test_mssql:Select 123456}
EXPANSION: %{sql_test_mssql:Select 123456}
MOD: sql_test_mssql -->
LITERAL: Select 123456}
xlat aprint 2
xlat aprint 0
expand mod sql_test_mssql --> 'Select 123456'
LITERAL: %{User-Name}
LITERAL: %{User-Name} --> %{User-Name}
EXPANSION: %{User-Name}
Looking for attribute name in User-Name
xlat aprint 3
expand attr User-Name --> '0023ae604b02'
(0) expand: '%{User-Name}' -> '0023ae604b02'
(0) SQL-User-Name updated
rlm_sql (sql_test_mssql): Reserved connection (4)
rlm_sql (sql_test_mssql): Executing query: 'Select 123456'
rlm_sql_freetds sql_select_query(): unsupported
rlm_sql (sql_test_mssql): Database query error 'UNKNOWN'
rlm_sql (sql_test_mssql): Released connection (4)
rlm_sql (sql_test_mssql): Closing connection (0): Too many free connections (5 > 3)
rlm_sql_freetds: Socket destructor called, closing socket

I'm stuck, any ideas? Sorry to spam the mailing list so much but I've reached 
the limit of my knowledge on this one..
Thanks
Andy

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MSSQL using unixodbc and truncation of characters

2013-06-13 Thread Arran Cudbard-Bell
 
 I'm stuck, any ideas. Sorry to spam the mailing list so much but I've reached 
 the limit of my knowledge on this one..

Ok, I'll take a closer look at it tonight.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MSSQL using unixodbc and truncation of characters

2013-06-13 Thread Arran Cudbard-Bell

On 13 Jun 2013, at 13:56, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 I'm stuck, any ideas. Sorry to spam the mailing list so much but I've 
 reached the limit of my knowledge on this one..
 
 Ok, I'll take a closer look at it tonight.
 

Um, apparently the original author didn't add select support to the freetds 
driver. Hence the error.

https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_sql/drivers/rlm_sql_freetds/rlm_sql_freetds.c#L175

Isn't the sybase driver equivalent? Doesn't it just use a different version of 
the API? I know I meant to delete one...

The other one looks like a linker issue.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: MSSQL using unixodbc and truncation of characters

2013-06-13 Thread Franks Andy (RLZ) IT Systems Engineer
Hi Arran,
  The Sybase driver works for a simple select 123456, but then any
real value gives, e.g.:

rlm_sql (sql_test_mssql): Executing query: 'Select NetworkCardID from
Audit_NetworkCard where macaddress='9C:B7:0D:84:0D:09''
Sybase Server message:
number(208) severity(16) state(1) line(1)
Invalid object name 'Audit_NetworkCard'.
rlm_sql_sybase(sql_select_query): Unexpected result type from query
rlm_sql (sql_test_mssql): Database query error ''

This is because it doesn't properly set the database to the one asked
for:
(by the way, is there a nice way to get shot of all these ANSI escape
codes from the radius.log? It looks nice in -X mode, but not great
back-end)

rlm_sql (sql_test_mssql): Creating new attribute
sql_test_mssql-SQL-Group
rlm_sql (sql_test_mssql): Couldn't find configuration for accounting,
will return NOOP for calls from this section^[[$
^[[1mrlm_sql (sql_test_mssql): Couldn't find configuration for
post-auth, will return NOOP for calls from this section^[[0m
^[[1mrlm_sql (sql_test_mssql): Driver rlm_sql_sybase (module
rlm_sql_sybase) loaded and linked^[[0m
^[[1mrlm_sql (sql_test_mssql): Attempting to connect to database
SATHSupport^[[0m
rlm_sql (sql_test_mssql): Initialising connection pool
^[[1mrlm_sql (sql_test_mssql): Opening additional connection (0)^[[0m
^[[31mSybase Server message: ^[[0m
^[[31mnumber(5701) severity(0) state(2) line(1) ^[[0m
^[[31mChanged database context to 'master'. ^[[0m
^[[31mSybase Server message: ^[[0m
^[[31mnumber(5703) severity(0) state(1) line(1) ^[[0m
^[[31mChanged language setting to us_english. ^[[0m
^[[1mrlm_sql (sql_test_mssql): Opening additional connection (1)^[[0m
^[[31mSybase Server message: ^[[0m
^[[31mnumber(5701) severity(0) state(2) line(1) ^[[0m
^[[31mChanged database context to 'master'. ^[[0m
^[[31mSybase Server message: ^[[0m
^[[31mnumber(5703) severity(0) state(1) line(1) ^[[0m
^[[31mChanged language setting to us_english. ^[[0m
...

So I need to use an explicit SQL call to set the database early on, but
otherwise it works without too much hassle, and no truncation of the
returned value (!)

Now, if only I could get the unixodbc rlm module working. You mentioned
a linking problem - any ideas on progressing debugging with that?
Thanks VERY much, this list is great.
Andy
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MSSQL using unixodbc and truncation of characters

2013-06-13 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote:
 (by the way is there a nice way to get shot of all these ansi escape
 codes from the radius.log? It looks nice in -X mode, but not great
 back-end)

  See radiusd.conf, log subsection.  Look for colourise.

 So I need to use an explicit sql call to set the database early on, but
 otherwise it works without too much hassle, and no truncation of
 returned value (!)

  That's good to hear.

 Thanks VERY much, this list is great.

  Thanks.  It's what we do.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


unlang and update section

2013-06-13 Thread Bill Schoolfield

Can update sections contain if conditions? I get the following error:

/etc/raddb/sites-enabled/default[573]: update sections cannot have subsections
/etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.

The documentation says "The only contents permitted in an update section are 
attributes and values" which I assume is the issue. Please confirm.

Bill  
-

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Exec problems in FR3.0

2013-06-13 Thread Franks Andy (RLZ) IT Systems Engineer
Sorry to send yet more emails with issues. I've moved to FR3 to test SQL
stuff and am having some problems with getting exec modules I previously
used to work. I know I could rewrite these in perl, but they worked
before in FR2.2.1 and I want to solve why they won't work now.

I have an exec module thus:

exec mactodelimitedmac {
	wait = yes
	input_pairs = config
	output_pairs = config
	shell_escape = yes
	program = "/usr/local/etc/raddb/mactodelimitedmac.sh %{User-Name} :"
}

It just takes a MAC address and adds a delimiter to each component of
the address, updating the control value DelimitedMac via the standard 
echo "Variable := \"value\""

I used to instantiate it in radiusd.conf and then call it directly from,
say, the post-auth section as
mactodelimitedmac
which updated that value.

If I do it that way now it gives:
(0) WARNING: mactodelimitedmac : List INVALID is not available
LITERAL: %{User-Name}
LITERAL: %{User-Name} --> %{User-Name}
EXPANSION: %{User-Name}
Looking for attribute name in User-Name
xlat aprint 3
expand attr User-Name --> '0023ae604b02'
(0) mactodelimitedmac : expand: '%{User-Name}' -> '0023ae604b02'
(0) mactodelimitedmac : Program output is
(0) ERROR: mactodelimitedmac : Abnormal child exit: Success
(0)   [mactodelimitedmac] = reject
(0) Using Post-Auth-Type Reject

If I instead do
update control {
	DelimitedMac := "%{mactodelimitedmac:/etc/freeradius/mactodelimitedmac.sh %{user-name} :}"
}
and change the script so that it just returns the bare variable, it says:

expand mod mactodelimitedmac --> '/usr/local/etc/raddb/mactodelimitedmac.sh 0023ae604b02 :'
(0) Executing /usr/local/etc/raddb/mactodelimitedmac.sh 0023ae604b02 :
(0) Program output is ?[1m?[33m(0) WARNING: Failed to execute /usr/local/etc/raddb/mactodelimitedmac.sh: Bad address?[0m
(0) ERROR: Child returned error 1
(0) result 1 --> '?[1m?[33m(0) WARNING: Failed to execute /usr/local/etc/raddb/mactodelimitedmac.sh: Bad address?[0m '

Again, I'm struggling. Sorry to be a pain.
Andy
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
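To make the exec module above concrete, here is an added example (written for this page; it is neither the poster's mactodelimitedmac.sh nor rlm_exec's code) that does the same two jobs as plain functions: insert a delimiter between the octet pairs of a MAC, and expand a "program" line into an argv list with the attribute value substituted as a single argument. The allow-list escape standing in for shell_escape = yes, the path in delimited_mac_pairs and the sample values are this example's own assumptions; it goes slightly beyond the post by matching attribute names case-insensitively, as FreeRADIUS does, and by parsing the Attr := "value" lines a wait = yes script prints back.

```python
import re
import shlex

# Added example, not the poster's script and not rlm_exec's code.
#  - mac_to_delimited: what mactodelimitedmac.sh is described as doing
#  - build_argv: expand %{Attr} references in a "program" line into an
#    argv list.  Words are split BEFORE expansion, so an attribute value
#    (User-Name comes from the client) can never add or split arguments,
#    and the list is meant for an execve-style call, never a shell string.
#    The allow-list in shell_escape is an assumption of this example,
#    not rlm_exec's actual escape table.
#  - exec_output_to_pairs: read the 'Attr := "value"' lines the script
#    prints back, as output_pairs does.

_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)\}")

def mac_to_delimited(mac, delimiter=":"):
    """'0023ae604b02' -> '00:23:ae:60:4b:02'; anything else is rejected."""
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", mac):
        raise ValueError(f"not a 12-hex-digit MAC: {mac!r}")
    return delimiter.join(mac[i:i + 2] for i in range(0, 12, 2))

def shell_escape(value):
    """Drop every character outside a conservative allow-list (assumption)."""
    return re.sub(r"[^A-Za-z0-9_.@:=/-]", "", value)

def build_argv(program, request, escape=True):
    """Expand %{Attr} references in each whitespace-separated word of
    'program' and return the argv list.  Attribute names are looked up
    case-insensitively, as FreeRADIUS does."""
    lookup = {k.lower(): v for k, v in request.items()}

    def expand(match):
        value = lookup.get(match.group(1).lower(), "")
        return shell_escape(value) if escape else value

    return [_XLAT.sub(expand, word) for word in shlex.split(program)]

def exec_output_to_pairs(output):
    """Parse 'Attr := "value"' lines printed by a wait = yes script into a
    dict; lines that do not have that shape are ignored."""
    pairs = {}
    for line in output.splitlines():
        m = re.fullmatch(r'\s*([A-Za-z0-9-]+)\s*:=\s*"([^"]*)"\s*', line)
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs

def delimited_mac_pairs(request):
    """End to end: build the argv, do the script's work in-process, and
    return the control pairs the script would have printed back."""
    argv = build_argv("/usr/local/etc/raddb/mactodelimitedmac.sh %{User-Name} :", request)
    _script, mac, delimiter = argv
    return exec_output_to_pairs(f'DelimitedMac := "{mac_to_delimited(mac, delimiter)}"\n')
```

The second assertion in the test is the point of splitting before expansion: a User-Name containing a space or a semicolon still arrives as exactly one argument, and the escape only removes characters rather than inventing new arguments.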

Re: unlang and update section

2013-06-13 Thread Phil Mayers

On 13/06/13 16:07, Bill Schoolfield wrote:

Can update sections contain if conditions? I get the following error:


No.



/etc/raddb/sites-enabled/default[573]: update sections cannot have
subsections
/etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.

The documentation says The only contents permitted in an update
section are attributes
and values which I assume is the issue. Please confirm.


The documentation is authoritative. It should need to be confirmed.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang and update section

2013-06-13 Thread Phil Mayers

On 13/06/13 16:26, Phil Mayers wrote:


The documentation is authoritative. It should need to be confirmed.



Shouldn't. Sigh.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang and update section

2013-06-13 Thread Alan DeKok
Bill Schoolfield wrote:
 Can update sections contain if conditions? I get the following error:
 
 /etc/raddb/sites-enabled/default[573]: update sections cannot have
 subsections

  What is unclear about that?

 /etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.
 
 The documentation says The only contents permitted in an update
 section are attributes
 and values which I assume is the issue. Please confirm.

  I can confirm that the error message is correct.

  I can confirm that the documentation is correct.

  Now, are you going to ask a useful question?  And what did you put in
the section starting on line 573?  Is it a secret?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang and update section

2013-06-13 Thread Russell Mike
Yes, I have come across this error once. There is a little mistake in your
unlang code. Understand from the following working code.


## Authorization Area Starts Here
# If user not present allow them free access
# Between 10:00 and 12:59PM ('Any1000-1259')
# Whole Day ('Any-2359')

# File Module Returns noop & sql Module Returns notfound

server accept_everyone {

	authorize {
		sql

		# the "if" wraps the update sections, never the other way round
		if (ok) {
			update control {
				Login-Time := 'Any-1259'
				Auth-Type := Accept
			}
			update reply {
				WISPr-Redirection-URL := "http://www.yale.edu"
			}
		}
		else {
			update control {
				Auth-Type := Reject
			}
			update reply {
				WISPr-Redirection-URL := "http://41.139.28.1"
			}
		}

		pap
		files
		logintime
		expiration
		preprocess
		dailycounter
		forevertimecounter
	}

	# Fix For The WARNING That Says: Unknown Value Specified For
	# Post-Auth-Type. Cannot Perform Requested Action
	# Do Not Remove The Post-Auth Configuration From Authorization Section (Here):
	post-auth {
		Post-Auth-Type REJECT {
			noop
			notfound
		}
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		digest
		unix
		eap
	}
}
# END

Thanks

--RM



On Thu, Jun 13, 2013 at 3:07 PM, Bill Schoolfield b...@billmax.com wrote:

 Can update sections contain if conditions? I get the following error:

 /etc/raddb/sites-enabled/default[573]: update sections cannot have
 subsections
 /etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.

 The documentation says "The only contents permitted in an update section
 are attributes and values" which I assume is the issue. Please confirm.

 Bill
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: unlang and update section

2013-06-13 Thread Bill Schoolfield



On 6/13/2013 10:33 AM, Alan DeKok wrote:

Bill Schoolfield wrote:

Can update sections contain if conditions? I get the following error:

/etc/raddb/sites-enabled/default[573]: update sections cannot have
subsections


   What is unclear about that?


/etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.

The documentation says The only contents permitted in an update
section are attributes
and values which I assume is the issue. Please confirm.


   I can confirm that the error message is correct.

   I can confirm that the documentation is correct.

   Now, are you going to ask a useful question?  And what did you put in
the section starting on line 573?  Is it a secret?



From my perspective, yes it was useful to me. I didn't know those were line
numbers. Now I know. It seems clear in retrospect but I've seen quite a bit
of misleading, outdated or wrong documentation (mostly elsewhere but sometimes
at freeradius.org) so I thought I'd get confirmation. Any harm in that?


   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang and update section

2013-06-13 Thread Alan DeKok
Bill Schoolfield wrote:
 From my perspective, yes it was useful to me. I didn't know those were line
 numbers. Now I know. It seems clear in retrospect but I've seen quite a bit
 of misleading, outdated or wrong documentation (mostly elsewhere but
 sometimes
 at freeradius.org) so I thought I'd get confirmation. Any harm in that?

  Yes.

  Your message amounted to asking this:

  The documentation says you can't do X, and when I try to do it, I get
an error.  Is that correct?

  The harm in these questions is the total waste of everyone's time.
This is a free support list.  It presumes that people asking questions
have put some minor thought into the process.

  If you're not willing to put a little effort into it, then you should
expect to get told you need to put a little effort into it.

  And no, you don't need to run a Perl script.  Instead of putting the
if inside of an update section, you can put it outside of the
update section.  Or even use *two* update sections.

  Think out of the box.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec problems in FR3.0

2013-06-13 Thread Alan DeKok
Phil Mayers wrote:
 Confirmed. Looks like a bug has crept into the exec code in HEAD:
 
 28619 execve(0x6461202e2e2e2000, [0x6461202e2e2e2000,
 0x77656e20676e6964, 0x2074656b636f7320, 0x7325, 0x612064656c696146,
 0x727020676e696464, 0x6b636f732079786f,
  0x7325203a7465, 0x612064656c696146, 0x766520676e696464,
 0x646e616820746e65, 0x20726f662072656c, 0x2174656b636f73,
 0x7265206c61746146, 0x6565726620726f72, 0x636f
 7320676e697a, ...], [/* 2 vars */]) = -1 EFAULT (Bad address)
 28619 write(1, \33[1m\33[33m(0) WARNING: myexec : F..., 91) = 91
 
 Will investigate.

  It may be related to the use of argv in exec.c.  Coverity says:

107

CID 1020962 (#1 of 1): Uninitialized scalar variable (UNINIT)
2. uninit_use_in_call: Using uninitialized element of array argv when
calling memcpy(void * restrict, void const * restrict, size_t).
108memcpy(argv_p, argv, sizeof(argv_p));
109

  So that's probably it.  I haven't had a chance to look into it yet.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Calling-Station-Id Not Getting Updated in radacct table

2013-06-13 Thread Cholleti, Hanumantha
Hi 

We are on version 2.2.1 (github release).

We noticed that Calling-Station-Id is not getting updated in the radacct table if 
the NAS sends the Calling-Station-Id in octet format (ex: 
\000\240\274/\370\260).

Based on the documentation below in the default conf (sites-enabled/default) file 
under the authorize section:
#
#  The WiMAX specification says that the Calling-Station-Id
#  is 6 octets of the MAC.  This definition conflicts with
#  RFC 3580, and all common RADIUS practices.  Un-commenting
#  the wimax module here means that it will fix the
#  Calling-Station-Id attribute to the normal format as
#  specified in RFC 3580 Section 3.21
wimax

Uncommenting wimax as above fixed the issue of Calling-Station-Id not 
getting updated in the cui table, but the accounting table (radacct) still shows a blank 
value. 
Both dialup.conf and cui.conf use the same attribute 
%{Calling-Station-Id}.

If the NAS passes the Calling-Station-Id in string format (ex: 00-1C-B3-AA-AA-AA) 
both cui and radacct get updated with Calling-Station-Id correctly.

Similar to the above wimax configuration for the authorize section, do we need to 
enable any setting for accounting to fix the Calling-Station-Id attribute so that it 
will populate radacct correctly as a string?

Here is the debug log when the NAS sends the Calling Station Id in octet format

Calling Station Id being sent by NAS is \000\240\274/\370\260

= Begin Debug Log =
Thread 3 handling request 16, (4 handled so far)
[thread] # Executing section authorize from file 
/opt/freeradius/etc/raddb/sites-enabled/default
[thread] +- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: %{Packet-Src-IP-Address} -> 75.104.249.138
[auth_log] 	expand: /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /opt/freeradius/var/log/radius/radacct/75.104.249.138/auth-detail-20130613
[auth_log] /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/75.104.249.138/auth-detail-20130613
[auth_log] 	expand: %t -> Thu Jun 13 08:49:13 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-a0-bc-2f-f8-b0

*** As you can see based on the uncommenting of wimax in default config of 
authorize section, the Calling-Station-Id is fixed to string format

++[wimax] returns ok
[suffix] Looking up realm viasat-oss for User-Name = 00A0BC2FF8B0@viasat-oss
[suffix] Found realm viasat-oss
[suffix] Adding Stripped-User-Name = 00A0BC2FF8B0
[suffix] Adding Realm = viasat-oss
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] 	expand: %{Stripped-User-Name} -> 00A0BC2FF8B0
[sql] 	expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> 00A0BC2FF8B0
[sql] sql_set_user escaped user --> '00A0BC2FF8B0'
rlm_sql (sql): Reserving sql socket id: 2
[sql] 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00A0BC2FF8B0' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00A0BC2FF8B0' ORDER BY id
[sql] 	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' OR (NOT EXISTS (select 1 from radreply where username='%{SQL-User-Name}') AND username='DEFAULT-ISF') ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '00A0BC2FF8B0' OR (NOT EXISTS (select 1 from radreply where username='00A0BC2FF8B0') AND username='DEFAULT-ISF') ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '00A0BC2FF8B0' OR (NOT EXISTS (select 1 from radreply where username='00A0BC2FF8B0') AND username='DEFAULT-ISF') ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User 00A0BC2FF8B0 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake

Re: Calling-Station-Id Not Getting Updated in radacct table

2013-06-13 Thread Alan DeKok

On 2013-06-13, at 2:37 PM, Cholleti, Hanumantha 
hanumantha.choll...@viasat.com wrote:
 Similar to the above wimax configuration for authorize section, do we need to 
 enable any setting for accounting to fix the Calling-Station-Id attribute 
 that will populate the radacct correctly as string?

  List wimax in the preacct section. It will fix the attribute there, too.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
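The rewrite the wimax module performs in the debug log above ("\000\240\274/\370\260" becoming 00-a0-bc-2f-f8-b0) can be reproduced outside the server. The following is an added example written for this page, not rlm_wimax's code: it decodes the octal-escaped form in which FreeRADIUS prints a binary octet string and emits the dashed RFC 3580 section 3.21 form. Using "exactly 6 bytes" as the test for a binary MAC is this example's own assumption about what the module keys on, and fix_for_accounting stands in for listing wimax in preacct; the packet dict is constructed.

```python
import re

# Added example, not rlm_wimax's code: decode FreeRADIUS's \NNN octal
# escaping of a binary Calling-Station-Id and rewrite it as the dashed
# RFC 3580 form.  The "exactly 6 bytes means a binary MAC" test below is
# this example's assumption, not a statement about the module's source.

_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape_octets(text):
    """Reverse the \\NNN octal escaping of a printed octet string."""
    out = bytearray()
    i = 0
    while i < len(text):
        m = _OCTAL.match(text, i)
        if m:
            out.append(int(m.group(1), 8))
            i = m.end()
        elif text[i] == "\\" and i + 1 < len(text):   # \\ or \" style escapes
            out.append(ord(text[i + 1]))
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)

def normalize_calling_station_id(value):
    """Return a binary 6-octet MAC as 'xx-xx-xx-xx-xx-xx'.  Values that are
    already strings (dashed or colon MACs, phone numbers, ...) are
    returned untouched, mirroring the log where string MACs were fine."""
    if re.fullmatch(r"[0-9A-Fa-f]{2}([-:][0-9A-Fa-f]{2}){5}", value):
        return value                     # already in string form
    raw = unescape_octets(value)
    if len(raw) == 6:                    # assumption: 6 bytes == binary MAC
        return "-".join(f"{b:02x}" for b in raw)
    return value

def fix_for_accounting(packet):
    """Apply the rewrite to a parsed accounting packet before the SQL
    query sees it (what listing wimax in preacct achieves)."""
    if "Calling-Station-Id" not in packet:
        return packet
    fixed = normalize_calling_station_id(packet["Calling-Station-Id"])
    return {**packet, "Calling-Station-Id": fixed}
```

The caveat built into the length test is worth keeping in mind: any Calling-Station-Id that happens to be exactly six characters long would be rewritten too, so a deployment whose NASes send short non-MAC station ids should not enable this rewrite unconditionally.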


RE: Calling-Station-Id Not Getting Updated in radacct table

2013-06-13 Thread Cholleti, Hanumantha
Thanks a lot Alan, that fixed the issue :-)...

We tried this option before, but only tested with radclient and it didn't 
update the Calling-Station-Id.
Here is the command we used:
radclient 10.25.37.61 auto HANU -f acct_start_test1.txt

The 'acct_start_test1.txt' file has the following lines:
Packet-Type=4
Packet-Dst-Port=1813
Acct-Session-Id = 4D2BB8AC-0098
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Name = Release2-build11@viasat-oss
User-Password = password
NAS-Port = 100
Called-Station-Id = "00-02-6F-AA-AA-AA:My Wireless"
Calling-Station-Id = "\000\240\274/\370\260"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 48Mbps 802.11b"

This time tested with the actual NAS with real UT, and it works great. :-)

Thanks again
-Hanu

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


evaluating unlang IF with sql results

2013-06-13 Thread Bill Schoolfield

I can't seem to make this work. I'm comparing some values in the post-auth 
section:

if((%{expr: %{check:Max-All-Session}-%{sql:select sum(acctsessiontime) from radacct 
where username='%{User-Name}'}})  (%{expr: %{sql:select 
unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))+0}})) {
update reply {
Session-Timeout := %{expr: 
%{check:Max-All-Session}-%{sql:select sum(acctsessiontime) from radacct where 
username='%{User-Name}'}}
}
}
else {
update reply {
Session-Timeout := %{expr: (%{sql:select 
unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))})}
}
}

The above code fails with a message (below) that says "Right field is not a number 
at: (1371158700)". I tried adding
a zero to force a number interpretation but this does nothing.

I have checked every source I can find and I don't see anything that addresses 
this problem.

Thoughts anyone?

Bill



rad_recv: Access-Request packet from host 127.0.0.1 port 59971, id=77, length=74
User-Name = wrs
CHAP-Password = 0x4dab7bdecf6c70f078b77bfa11cebd490d
NAS-IP-Address = 10.0.0.147
NAS-Port = 0
Message-Authenticator = 0xcf99944924652eda7706d17c69afca2c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = wrs, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] 	expand: %{User-Name} -> wrs
[sql] sql_set_user escaped user --> 'wrs'
rlm_sql (sql): Reserving sql socket id: 3
[sql] 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wrs' ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wrs' ORDER BY id
[sql] 	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'wrs' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
[expiration] Checking Expiration time: '13 Jun 2013 21:25:00'
++[expiration] returns ok
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
WARNING: Please replace '%k' with '${key}'
sqlcounter_expand:  'SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{User-Name}''
[noresetcounter] 	expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{User-Name}' -> SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs'
WARNING: Please replace '%S' with '${sqlmod-inst}'
sqlcounter_expand:  '%{sql:SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs'}'
[noresetcounter] sql_xlat
[noresetcounter] 	expand: %{User-Name} -> wrs
[noresetcounter] sql_set_user escaped user --> 'wrs'
[noresetcounter] 	expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs' -> SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs'
rlm_sql (sql): Reserving sql socket id: 2
[noresetcounter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
[noresetcounter] 	expand: %{sql:SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs'} -> 12
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user wrs, check_item=600, counter=12
rlm_sqlcounter: Sent Reply-Item for user wrs, Type=Session-Timeout, value=180
++[noresetcounter] returns ok
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by wrs with CHAP password
[chap] Using clear text password test123 for user wrs authentication.
[chap] chap user wrs authenticated succesfully
++[chap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
++? if ((%{expr: %{check:Max-All-Session}-%{sql:select sum(acctsessiontime) from radacct where 
username='%{User-Name}'}})  (%{expr: %{sql:select 
unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))+0}}))
sql_xlat
expand: %{User-Name} -> wrs

Re: evaluating unlang IF with sql results

2013-06-13 Thread Alan DeKok
Bill Schoolfield wrote:
> The above code fails with a message (below) that says (Right field is
> not a number at: (1371158700)). I tried adding
> a zero to force a number interpretation but this does nothing.

  That error is produced by the SQL database, not by FreeRADIUS.

  My guess is that the error is because the number is larger than 2^32.

  Alan DeKok.


initial accept, but then fails

2013-06-13 Thread geebs
Hello,

I'm having an issue with our radius server authorising users.

The initial request is fine: the customer connects and receives an IP address.


rad_recv: Access-Request packet from host 10.8.13.254 port 1645, id=5,
length=236
Framed-Protocol = PPP
User-Name = micha...@example.com
CHAP-Password = 0x974cfb5d4d64e91407e0c85a3b1611a584
Calling-Station-Id = GigabitEthernet
14/0/3.31010096:3101-96#587204450###pppoe 00:04:ed:d1:78:85#QTNITE4025M atm
1/1/04/27:8.35#
Connect-Info = 10
NAS-Port-Type = Virtual
NAS-Port = 501
NAS-Port-Id = Uniq-Sess-ID501
Service-Type = Framed-User
NAS-IP-Address = 10.8.13.254
Fri Jun 14 11:44:14 2013 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Fri Jun 14 11:44:14 2013 : Info: +- entering group authorize {...}
Fri Jun 14 11:44:14 2013 : Info: ++[preprocess] returns ok
Fri Jun 14 11:44:14 2013 : Info: [chap] Setting 'Auth-Type := CHAP'
Fri Jun 14 11:44:14 2013 : Info: ++[chap] returns ok
Fri Jun 14 11:44:14 2013 : Info: ++[mschap] returns noop
Fri Jun 14 11:44:14 2013 : Info: ++[digest] returns noop
Fri Jun 14 11:44:14 2013 : Info: [suffix] Looking up realm example.com for User-Name = micha...@example.com
Fri Jun 14 11:44:14 2013 : Info: [suffix] Found realm example.com
Fri Jun 14 11:44:14 2013 : Info: [suffix] Adding Stripped-User-Name = michaelr
Fri Jun 14 11:44:14 2013 : Info: [suffix] Adding Realm = example.com
Fri Jun 14 11:44:14 2013 : Info: [suffix] Authentication realm is LOCAL.
Fri Jun 14 11:44:14 2013 : Info: ++[suffix] returns ok
Fri Jun 14 11:44:14 2013 : Info: [eap] No EAP-Message, not doing EAP
Fri Jun 14 11:44:14 2013 : Info: ++[eap] returns noop
Fri Jun 14 11:44:14 2013 : Info: [files] users: Matched entry DEFAULT at line 172
Fri Jun 14 11:44:14 2013 : Info: ++[files] returns ok
Fri Jun 14 11:44:14 2013 : Info: [sql]  expand: %{Stripped-User-Name} -> michaelr
Fri Jun 14 11:44:14 2013 : Info: [sql]  expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> michaelr
Fri Jun 14 11:44:14 2013 : Info: [sql] sql_set_user escaped user --> 'michaelr'
Fri Jun 14 11:44:14 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Fri Jun 14 11:44:14 2013 : Info: [sql]  expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'michaelr'   ORDER BY id
Fri Jun 14 11:44:14 2013 : Info: [sql] User found in radcheck table
Fri Jun 14 11:44:14 2013 : Info: [sql]  expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'michaelr'   ORDER BY id
Fri Jun 14 11:44:14 2013 : Info: [sql]  expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'michaelr'   ORDER BY priority
Fri Jun 14 11:44:14 2013 : Info: [sql]  expand: SELECT id, groupname,   attribute,   Value, op   FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,   attribute,   Value, op   FROM radgroupcheck   WHERE groupname = 'Layer2-L2TP'   ORDER BY id
Fri Jun 14 11:44:14 2013 : Info: [sql] User found in group Layer2-L2TP
Fri Jun 14 11:44:14 2013 : Info: [sql]  expand: SELECT id, groupname,   attribute,   value, op   FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,   attribute,   value, op   FROM radgroupreply   WHERE groupname = 'Layer2-L2TP'   ORDER BY id
Fri Jun 14 11:44:14 2013 : Debug: rlm_sql (sql): Released sql socket id: 0
Fri Jun 14 11:44:14 2013 : Info: ++[sql] returns ok
Fri Jun 14 11:44:14 2013 : Info: ++[expiration] returns noop
Fri Jun 14 11:44:14 2013 : Info: ++[logintime] returns noop
Fri Jun 14 11:44:14 2013 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
Fri Jun 14 11:44:14 2013 : Info: ++[pap] returns noop
Fri Jun 14 11:44:14 2013 : Info: Found Auth-Type = Local
Fri Jun 14 11:44:14 2013 : Info:
!!!
Fri Jun 14 11:44:14 2013 : Info: !!!Replacing User-Password in config
items with Cleartext-Password. !!!
Fri Jun 14 11:44:14 2013 : Info:
!!!
Fri Jun 14 11:44:14 2013 : Info: !!! Please update your configuration so
that the known good   !!!
Fri Jun 14 11:44:14 2013 : Info: !!! clear text password is in
Cleartext-Password, and not in User-Password. !!!
Fri Jun 14 11:44:14 2013 : Info: