Re: Q:ABOUT:EXECUTE QUERY

2006-09-11 Thread Alan Lumb


 Hello.

 My scenario is as follows.

 I need to detect the telephone number that dials in to my
 NAS (Network Access Server) and validate whether that
 number exists in my database to retrieve some
 information; if that telephone number doesn't exist I
 need to insert its data.


 Then:

 1. How can I get the telephone number that dials in to my
 NAS?

 2. Once I have the telephone number, what is the
 correct way to implement a new query to validate the
 existence of the number and insert its data if
 it does not exist?


It's scenarios like this that convinced me to use rlm_perl; then your
custom perl authentication script can update your database as it sees fit.

Other methods would be to use rlm_exec (for another scripting language) or
using stored procedures (supported in mysql 5 for example).

Oh, and I think the radius parameter you are looking for is
Calling-Station-Id.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Mysql procedure and freeradius

2006-08-10 Thread Alan Lumb
I think maybe it could be a problem if the version of mysql.h that was
used during compilation predates stored procedures?

 Hi,

 That can't be the case; I'm using mysql 5 and a SP with freeradius 1.1.2
 without any problems or recompiling.
 It must be another issue. Maybe the sql user you let freeradius connect
 with has no rights to start the SP?

 Regards,

 Jurgen
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On behalf of Alesha
 Sent: Wednesday 9 August 2006 18:57
 To: FreeRadius users mailing list
 Subject: Re: Mysql procedure and freeradius

 Ensure the user has Process_priv.

 Also there is the security_type flag in the mysql.proc table which
 defines who the procedure runs as (invoker or definer).

 It's all quite well documented on the mysql website.

 On the mysql website I found that executing stored procedures needs a
 special
 flag for the connection (CLIENT_MULTI_STATEMENTS). So I need to rewrite
 the freeradius source code to enable mysql procedures. This is very bad news
 for me, because I do not know C/C++ very well. Maybe it would be better to
 include a special option for rlm_sql_mysql to enable SP in freeradius?


Re: Unresponsive child

2006-08-09 Thread Alan Lumb

I do exactly the same thing as you - I get this problem from time to time
(usually accompanied by a few "discarding duplicate request" messages as the
NAS re-attempts).

The documentation says that if you get these it's probably the back end, and
it's right. Usually it's a slow query of some description, or the SQL server
fails to respond in a timely manner.  Do you account to SQL as well?  You
could log slow queries in SQL and examine these.

Of course it could be a loop that's not exiting within your perl script or
something.

Here's a list of things that have caused it for me.
1) Could not connect to accounting database in a timely manner (fixed this
by putting a connect timeout and dropping the packet if no connection can
be made)
2) Queries were taking too long (added a couple of keys/indexes)
3) Disk filled up on accounting database (SQL just sat there and didn't
respond!)

It's always been my fault, never radius's.  My suggestion: put some more
error checking in your script and if it can't do anything due to the back end,
return RLM_MODULE_FAIL (one of the constants in the example).

 Each function in the perl script opens a mysql connection then closes it
 before finishing the function. Could this be the problem? Should I
 create an initial connection and use it throughout the script?

I find the simplest thing to do is create a persistent DBH, and create a
routine which checks the DBH handle at the beginning of my script like so
($dbh is a global):

use DBI;

sub ensuredbh {
    # If the database connection raised an error at the last query or
    # if there isn't a database handle, then re-create one.
    # $dbh, $dbhdsn, $dbhuser and $dbhpass are globals set elsewhere.
    if (ref($dbh) && $dbh->ping) {
        return 1;
    }
    print "Database connection error - re-establishing\n";
    $dbh = DBI->connect($dbhdsn, $dbhuser, $dbhpass) or return 0;
    return 1;
}

In authenticate I can do
ensuredbh() or return RLM_MODULE_FAIL;

 After some recent changes to my rlm_perl perl script I am getting the
 following messages all the time...

 Tue Aug  8 08:08:50 2006 : Error: WARNING: Unresponsive child (id
 2966633392) for request 28
 Tue Aug  8 08:08:50 2006 : Error: WARNING: Unresponsive child (id
 2977528752) for request 27
 Tue Aug  8 08:08:50 2006 : Error: WARNING: Unresponsive child (id
 2988153776) for request 25


 Usually after a lot of these radius will crash and will need to be
 restarted. I was receiving the sql running out of connections error but
 I am not getting those anymore after tuning my tables. I don't believe
 at this point that this is a mysql issue however any suggestions would
 be appreciated. I do access mysql from my perl script so that could be
 the problem.

 Each function in the perl script opens a mysql connection then closes it
 before finishing the function. Could this be the problem? Should I
 create an initial connection and use it throughout the script?

 Thanks Guys, I know you will know what the problem is.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
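
The advice in this thread (a persistent, checked handle, a connect timeout, and RLM_MODULE_FAIL when the back end is unavailable) combined with the Calling-Station-Id lookup-or-insert asked about in the EXECUTE QUERY thread, as an added example that is not code from any poster. The DSN, the account, the phone-number pattern, the reply attribute, and the callers table with its number, first_seen and profile columns are assumptions.

```perl
use strict;
use warnings;
use DBI;

# Return codes as listed in the example.pl shipped with rlm_perl.
use constant { RLM_MODULE_FAIL => 1, RLM_MODULE_NOOP => 7, RLM_MODULE_UPDATED => 8 };

# Hashes that rlm_perl fills in before it calls each function.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Assumed settings. mysql_connect_timeout bounds the wait for a dead server,
# so a request fails fast instead of leaving the child unresponsive.
my $dsn  = 'DBI:mysql:database=radius;host=127.0.0.1;mysql_connect_timeout=3';
my $user = 'radius_app';   # placeholder account
my $pass = 'CHANGE_ME';    # placeholder secret
my $dbh;                   # persistent handle, reused across requests

sub ensure_dbh {
    return 1 if $dbh && eval { $dbh->ping };
    # RaiseError makes every later DBI failure die, so one eval catches it.
    $dbh = eval {
        DBI->connect($dsn, $user, $pass, { RaiseError => 1, PrintError => 0 });
    };
    return defined $dbh ? 1 : 0;
}

sub authorize {
    my $number = $RAD_REQUEST{'Calling-Station-Id'};

    # The attribute arrives from the network: accept only a plausible number
    # (assumed format: optional +, then 3 to 20 digits).
    return RLM_MODULE_NOOP
        unless defined $number && $number =~ /\A\+?[0-9]{3,20}\z/;

    ensure_dbh() or return RLM_MODULE_FAIL;

    my $row = eval {
        # Placeholders keep the attribute out of the SQL text. The UNIQUE key
        # assumed on callers.number lets INSERT IGNORE create the row only if
        # it is missing, with no gap between a lookup and an insert.
        $dbh->do('INSERT IGNORE INTO callers (number, first_seen) VALUES (?, NOW())',
                 undef, $number);
        $dbh->selectrow_hashref(
            'SELECT profile FROM callers WHERE number = ?', undef, $number);
    };
    unless ($row) {
        undef $dbh;                # back end failed: reconnect on next request
        return RLM_MODULE_FAIL;
    }

    # Hand the stored information back; Filter-Id is only an illustration.
    $RAD_REPLY{'Filter-Id'} = $row->{profile} if defined $row->{profile};
    return RLM_MODULE_UPDATED;
}
```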


Re: Mysql procedure and freeradius

2006-08-09 Thread Alan Lumb
Ensure the user has Process_priv.

Also there is the security_type flag in the mysql.proc table which defines
who the procedure runs as (invoker or definer).

It's all quite well documented on the mysql website.


 Hi All.
 I have trouble with mysql & freeradius. I began to write my own
 authorization
 using mysql procedures. In sql.conf I have this
 ---
 authorize_check_query = CALL DB.auth_check('%{SQL-User-Name}');
 ---
 And in DB I have the procedure auth_check with this code:
 ---
 CREATE TEMPORARY TABLE DB.make_auth (id int,username VARCHAR(40),attribute
 VARCHAR(30),op VARCHAR(3),value VARCHAR(40)) ENGINE MEMORY;
 certain checks...
 INSERT INTO DB.make_auth (id,username,attribute,op,value) VALUES
 (dbUID,username,'User-Password',':=',dbPassword);
 SELECT id,username,attribute,op,value FROM DB.make_auth;
 ---
 So, when I call this procedure from the CLI it returns a table like this
 +------+----------+---------------+------+----------+
 | id   | username | attribute     | op   | value    |
 +------+----------+---------------+------+----------+
 |    1 | username | User-Password | :=   | password |
 +------+----------+---------------+------+----------+
 Looks good, but when I try to use radtest and radius -X I get
 this:
 
 radius_xlat:  'username'
 rlm_sql (sqlauth): sql_set_user escaped user -- 'username'
 radius_xlat:  'CALL DB.auth_check('username');'
 rlm_sql (sqlauth): Reserving sql socket id: 28
 rlm_sql_mysql: query:  CALL DB.auth_check('username');
 rlm_sql_mysql: MYSQL check_error: 1312 received
 rlm_sql_getvpdata: database query error
 rlm_sql (sqlauth): SQL query error; rejecting user
 rlm_sql (sqlauth): Released sql socket id: 28
 ---
 What's wrong???
 P.S. Sorry for my English)))



Re: DynaLoader loading problem

2006-07-31 Thread Alan Lumb
Looks to me like the version of DynaLoader.so that rlm_perl is using is
newer than the version of DynaLoader.pm that's in the path.

DynaLoader.pm comes as part of perl, so there must be a version on your
hard disk somewhere either not in the path or coming in lower down your
path list than the one being used.  Try temporarily moving
/usr/libdata/perl/5.00503/DynaLoader.pm out of the way to a backup
directory, or failing that searching your hard disk for instances of
DynaLoader.pm and modifying @INC to include that search path at the top of
your script would be a place to start.

 FreeBSD 4.11
 FreeRADIUS 1.0.4

 I've installed rlm_perl in 1.0.4 version since it's not by default
 installed..  and trying to add perl script to add attribute during
 authorization and while restart:-

 NOTE: newtimeout2.pl - using original example.pl with added one sub
 routine
line 30 as reported is line with use Data::Dumper;


 
 DynaLoader object version 1.04 does not match $DynaLoader::VERSION 1.03 at
 /usr/libdata/perl/5.00503/DynaLoader.pm line 80.
 BEGIN failed--compilation aborted at /usr/local/etc/raddb/newtimeout2.pl
 line 30.
 rlm_perl: perl_parse failed: /usr/local/etc/raddb/newtimeout2.pl not found
 or has syntax errors.
 radiusd.conf[1643]: myperl: Module instantiation failed.

 #

 I've recently upgraded perl to 5.8.2 from 5.00503  Freeradius been
 installed during old perl. But although I've recompiled again radius 1.0.4
 with new perl environment.. Still received above error..

 --haizam



Re: How to execute TWO OR MORE Sql statement?

2006-07-26 Thread Alan Lumb

 Create a stored procedure in the database that contains all of the SQL
 queries necessary. Then call that stored procedure via sql.conf. This
 works fine with Postgres.

MySQL 5 supports stored procedures and functions, however I know that
mysql procedures can cause problems as they can/will return multiple data
sets that can cause some apps problems (not sure about freeradius and its
support for mysql).

I gave up on such a method and moved to rlm_perl.  Now I have a perl
handling script that performs as many queries as I need and can put lots
of logic in the script, strip bits out of usernames and whatnot.  Also it
can look for certain flags in the database and if present send AV Pairs or
VSAs to the NAS to configure them differently.

My only issue has been getting rlm_perl to compile properly on suse
x86_64, and sometimes I have had to go to the extreme of recompiling perl and
manually linking DynaLoader into rlm_perl.so

So in answer to the original question I recommend rlm_perl if you have the
time and patience to get around the setup problems.




Cisco-AVPair Route Map

2006-04-18 Thread Alan Lumb
Hi Everyone.

I'm struggling to find concise documentation on Cisco-AVPairs (and what
pairs cisco support) - can anyone help me with this?

Mainly I am trying to setup a walled garden system based on radius reply,
using a route map with set next hop

e.g.

route-map walled-garden permit 10
set ip next-hop 1.1.1.1

My problem is how to apply this to a specific connection, do I just use
lcp:interface-config=ip policy route-map walled-garden or are there
better ways of doing this?



Re: perl scripts

2006-03-19 Thread Alan Lumb
This is the routine I use, uses the MD5 modules from CPAN.
Very messy and stolen from about 5 different sources...

The three inputs are the hashed reply, the actual password from your
database and the challenge that was sent to the user.

I think this works OK.

use MD5;   # legacy CPAN module providing new/reset/add/digest

# (body of the checking sub)
my $cpass = $_[0];       # CHAP password from the request (hex string)
my $actualpass = $_[1];  # actual password from the database
my $cchal = $_[2];       # challenge that was sent to the user (hex string)

#Freeradius adds 0x to the beginning of the chap password.
#this little hack removes the first two characters

$cpass=substr($cpass,2);
$cchal=substr($cchal,2);

#pack the hex stuff into 8bit code
my $chap_password = pack("H*", $cpass);
my $chap_challenge = pack("H*", $cchal);

# Compile an MD5 digest of the authentication information
my $md5 = new MD5;
$md5->reset;
$md5->add(substr($chap_password, 0, 1)); # Packet ID
$md5->add($actualpass);
$md5->add($chap_challenge);

# Check that the digest matches the CHAP password
if ($md5->digest() ne substr($chap_password, 1)) {
    # CHAP doesn't match.
    return 0;
}
return 1;



 OK. The user authentication works.
 But how do I decode the password in my script?
 The user sends a CHAP password and I don't know how to decode this password
 to match the value to my password that is in my database.
 Is it possible??
   - Original Message -
   From: Thor Spruyt
   To: FreeRadius users mailing list
   Sent: Wednesday, March 15, 2006 8:24 PM
   Subject: Re: perl scripts


   Add this in your script and then run radiusd in debugging mode:

for (keys %RAD_REQUEST) {
 radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
}

   --
   Groeten, Regards, Salutations,

   Thor Spruyt
   M: +32 (0)475 67 22 65
   E: [EMAIL PROTECTED]
   W: www.thor-spruyt.com

   www.salesguide.be
   www.telenethotspot.be

 - Original Message -
 From: debik
 To: FreeRadius users mailing list
 Sent: Wednesday, March 15, 2006 7:38 PM
 Subject: Re: perl scripts


 Hello again. I am stuck on writing that perl script to authenticate
 users from another database.
 How can I grep the User-Name and Password from RAD_REQUEST to my perl
 script as a variable?
 I have tried to do something like this:
 my $username = $RAD_REQUEST{'User-Name'}

 Is what I'm trying to do possible at all?

   - Original Message -
   From: debik
   To: FreeRadius users mailing list
   Sent: Sunday, March 12, 2006 12:28 PM
   Subject: Re: perl scripts


   I tried to add a new sql1.conf. But when I try starting the radius
 server it tells me that the database is not in the Attribute Value. In
 that other database I have got the users of my network, and I want
 the radius server to use the logins which are in that database.

   Sorry for that HTML, and for my English.

 - Original Message -
 From: mnisay
 To: 'FreeRadius users mailing list'
 Sent: Sunday, March 12, 2006 10:55 AM
 Subject: RE: perl scripts


 What do you want to achieve with this perl script? freeradius can
 do the authentication.
 Is this script for management of the database? If it is, you can use
 server-side php scripts as well.
 If it's not, does the perl script manipulate the user database
 differently?
 Sorry, I think I did not get you well.




 
 From:
 [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf Of debik
 Sent: Saturday, March 11, 2006 2:43 PM
 To: FreeRadius users mailing list
 Subject: Re: perl scripts


 Yes. But that other database is not in radius format like: op,
 value, etc. So I have to write a perl script.

   - Original Message -
   From: mnisay
   To: 'FreeRadius users mailing list'
   Sent: Saturday, March 11, 2006 11:27 AM
   Subject: RE: perl scripts






 --
   From:
 [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf Of debik
   Sent: Friday, March 10, 2006 8:41 PM
   To: FreeRadius users mailing list
   Subject: Re: perl scripts


  I have got another mysql database and I want to write a perl
 script to tell the radius server to use the data in that
 database.

   do you mean use MySQL for freeradius authentication?
 - Original Message -
 From: mnisay
 To: 'FreeRadius users mailing list'
 Sent: Friday, March 10, 2006 11:26 AM
 Subject: RE: perl scripts




   Could somebody share some scripts that authorize users
 in radius?
   I'm trying to write my own script, but I don't find any
 docs.
   Could somebody help me?

 authorize users in radius?
  

Re: problems compiling, but works, or don't??

2006-01-26 Thread Alan Lumb
On non i386 32bit architecture (both sun and intel 64) I've had some
problems compiling rlm_perl with the distributed libtool, yet had problems
compiling the rest using --with-system-libtool!

Unfortunately I didn't collect enough information to submit a bug report,
but errors varied from what was listed below, to missing object names
(DynaLoader.so was a frequent one).

To work around it I compiled and installed radius using
--without-rlm-perl, then reran configure using --with-system-libtool (this
time including perl), went into the src/modules/rlm_perl folder and did a
make install.

I also had problems with a non-shared version of perl being installed so
used CPAN to upgrade perl and build a new version of libperl.so

Not sure if it's the same with freeradius' built-in libtool but often
missing so file errors can be fixed by adding the path to the file into
/etc/ld.so.conf and running ldconfig

Of course if you don't need perl then you are better off just not compiling
it!

 pelusa vali [EMAIL PROTECTED] wrote:
 *** Warning: Linking the shared library rlm_perl.la against the
 *** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not
 portable!
 rm -fr .libs/rlm_perl.la .libs/rlm_perl.* .libs/rlm_perl-1.0.5.*
 gcc -shared  rlm_perl.lo  -L/usr/local/lib
 /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE
 -lperl -ldl -lm -lpthread -lc -lcrypt -lssl -lcrypto -lnsl -lresolv
 -lpthread  -Wl,-E -Wl,-soname -Wl,rlm_perl-1.0.5.so -o
 .libs/rlm_perl-1.0.5.so
 /usr/bin/ld: cannot find -lperl

   You need a libperl.so in order to build rlm_perl.so.

   If you don't plan on using rlm_perl, just delete
 src/modules/rlm_perl before you run configure.

   Alan DeKok.



Re: RLM_perl and Cisco-AVPair

2006-01-25 Thread Alan Lumb
1.0.5, could potentially be the problem but it didn't look like the code
had changed much.

I have a version 1.1.0 server in transit at the moment so will test it on
this once I have it back online.

At least I'm not going mad and the perl method I'm using is correct, thanks
for your help!

 On Wednesday 25 January 2006 00:17, Alan Lumb wrote:
 push(@avpairs,"ip:dns-servers=$dns1 $dns2");
 push(@avpairs,"ip:route=$$thisroute{network} $$thisroute{subnet}");
 $RAD_REPLY{'Cisco-AVPair'} = \@avpairs;

 This code works for me on freeradius 1.1.0. Which version you are using ?


 --
 Best Regards,
 Boian Jordanov
 SNE
 Orbitel - Next Generation Telecom
 tel. +359 2 4004 723
 tel. +359 2 4004 002


Re: RLM_perl and Cisco-AVPair

2006-01-25 Thread Alan Lumb

 I'm trying to get RLM_perl to respond with two Cisco-AVPair lines (what
 would usually be done with += in users)


 So try that with rlm_perl

 the server functions that update the list need to see the += operator.

I don't believe it works like that with rlm_perl, as += in perl means 'add
as an integer to the scalar specified'.

There is no way of specifying the operator in your reply items; the code
within rlm_perl asks for you to give it a scalar reference, which is what
I've done.




RLM_perl and Cisco-AVPair

2006-01-24 Thread Alan Lumb
Hi everyone.

I'm trying to get RLM_perl to respond with two Cisco-AVPair lines (what
would usually be done with += in users)

Unfortunately only the first seems to get sent back to the nas - debug
output follows

rlm_perl: Added pair Cisco-AVPair = ip:dns-servers=10.10.10.10 10.10.10.12
rlm_perl: Added pair Cisco-AVPair = ip:route=10.10.0.0 255.255.255.0
rlm_perl: Added pair Framed-IP-Address = 10.10.10.12
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = perl
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = System
  modcall[authenticate]: module perl returns ok for request 25
modcall: group Auth-Type returns ok for request 25
Sending Access-Accept of id 56 to 127.0.0.1:34529
Cisco-AVPair = ip:dns-servers=10.10.10.10 10.10.10.12
Framed-IP-Address = 10.10.10.10
Framed-IP-Netmask = 255.255.255.255
Service-Type = Framed-User

As you can see, rlm_perl logs that it is adding the pair twice but only
the first is returned.

I've gone so far as looking at the code for rlm_perl and it looks to me
like it should have worked from what I have done; the coder has asked for
a reference to an array.

My code basically does this

push(@avpairs,"ip:dns-servers=$dns1 $dns2");
push(@avpairs,"ip:route=$$thisroute{network} $$thisroute{subnet}");
$RAD_REPLY{'Cisco-AVPair'} = \@avpairs;

Anyone any ideas?  Doesn't look like many people use rlm_perl yet


