RE: Ascend-Data-Filter with srcip from ippool

2008-04-02 Thread Andreas Kalb (akalb)
Hello Alan,

As I see your result, I better understand unlang and the might of it.
Thx for your patience. All working perfectly well now.

Kind Regards,

Andreas 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Alan DeKok
Sent: Wednesday, 2 April 2008 08:19
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
 Now I'm back to my original problem, where I wanted to use an 
 Ascend-filter with entries matching IP-address from pool. I still 
 don't know, how to change order of modules to make the IP-address 
 known to the files-module and appreciated your guidance again.

  You don't have to.  You can add the ascend data filter via unlang,
in the post-auth section, right after the test_pool module is
called:

post-auth {
	...
	test_pool
	if (ok) {
		update reply {
			...
			Ascend-Data-Filter := "ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32"
			...
		}
	}
}

  Again, this is documented.  See man unlang, and the examples.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



RE: Ascend-Data-Filter with srcip from ippool

2008-04-01 Thread Andreas Kalb (akalb)
Hello Alan,

I started from that by adding my own ippool to radiusd.conf after
main_pool (line 1800, ippool test_pool {...). I understood from your
reply, that I need to call it from sites-available/default and added
test_pool right after main_pool in sites-available/default (in
sections accounting and post-auth, as specified in radiusd.conf), but
when starting the daemon I got:

/usr/local/etc/raddb/radiusd.conf[1800]: Invalid version in module
'rlm_ippool'
/usr/local/etc/raddb/sites-enabled/default[308]: Failed to find module
test_pool.
/usr/local/etc/raddb/sites-enabled/default[285]: Errors parsing
accounting section.

That made me think I need to move the pool there too, sorry.
Kind Regards,

   Andreas

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Alan DeKok
Sent: Tuesday, 1 April 2008 07:46
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
 I'm unfortunately still not getting it to work anymore after upgrade
to 2.0.3.
 
 I added the following to sites-available/default at top of document:
 
 server bb-10k {

  I'm not sure why.  As the documentation suggests, starting with the
default configuration is the best idea.

   accounting {
 ...
   post-auth {

  And no authorize or authenticate section.

   ippool test_pool {
 range-start = 172.16.100.1

  Module configurations belong in the modules section of radiusd.conf.
 They do NOT go in a server section.

 and then get:
 /usr/local/etc/raddb/sites-enabled/default[70]: Failed to find module
test_pool.
 /usr/local/etc/raddb/sites-enabled/default[66]: Errors parsing
accounting section. 
 
 So now I wonder how to specify the ippool section there.

  You don't.

  Again, start with the default configuration.  Add ONE module:
test_pool.  Configure it, and get it to assign IP addresses.  Then, once
that works, configure the ascend filter attributes AFTER the test_pool
module has been run in the post-auth section.

  Alan DeKok.


RE: Ascend-Data-Filter with srcip from ippool

2008-04-01 Thread Andreas Kalb (akalb)
Hello again,

Based on the last experience of having different servers existing, I built
the system from scratch and stayed as close as possible to the defaults.

All is working well concerning the ip-pool. It was the duplicated
server, Alan pointed out.

Now I'm back to my original problem, where I wanted to use an
Ascend-filter with entries matching IP-address from pool. I still don't
know, how to change order of modules to make the IP-address known to the
files-module and appreciated your guidance again.

Kind Regards,

Andreas

users:
DEFAULT User-Name := test_..., Pool-Name := test_pool,
Cleartext-Password := cisco
Service-Type == Framed-User,
Framed-Protocol = PPP,
Session-Timeout = 65000,
Idle-Timeout = 3600,
Ascend-Maximum-Time = 64000,
Ascend-Idle-Limit = 3600,
Ascend-Data-Filter := ip in forward srcip
%{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32

debugs:
...
++[unix] returns notfound
users: Matched entry DEFAULT at line 125
expand: ip in forward srcip %{reply:Framed-IP-Address}/32 dstip
1.1.1.2/32 - ip in forward srcip /32 dstip 1.1.1.2/32
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type 
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password cisco
rlm_pap: Using clear text password cisco
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test_001/cisco] (from client bb-10k port 808583209)
+- entering group post-auth
expand: %{NAS-IP-Address} %{NAS-Port} - 172.16.1.7 808583209
rlm_ippool: MD5 on 'key' directive maps to:
4c8d9b7e94410e9a58cd8ec24b47f8b1
rlm_ippool: Searching for an entry for key:
'4c8d9b7e94410e9a58cd8ec24b47f8b1'
rlm_ippool: Allocating ip to key: '4c8d9b7e94410e9a58cd8ec24b47f8b1'
rlm_ippool: num: 1
rlm_ippool: Allocated ip 172.16.100.69 to client key:
4c8d9b7e94410e9a58cd8ec24b47f8b1
++[test_pool] returns ok
Service-Type == Framed-User
Framed-Protocol = PPP
Session-Timeout = 65000
Idle-Timeout = 3600
Ascend-Maximum-Time = 64000
Ascend-Idle-Limit = 3600
Ascend-Data-Filter := ip in forward dstip 1.1.1.2/32 0
Framed-IP-Address = 172.16.100.69
Framed-IP-Netmask = 255.255.255.0
Finished request 1.

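Added example (not part of the original thread and not FreeRADIUS code): in the debug output above, %{reply:Framed-IP-Address} expands to an empty string while the files module runs, so the Access-Accept carries a filter with no srcip restriction. The Python below flags such empty expansions in radiusd -X output; it assumes the "expand: <template> -> <result>" line format with each entry on a single line, and the sample log lines are constructed.

```python
import re

# Assumed radiusd -X format: "expand: <template> -> <result>", one entry per line.
EXPAND = re.compile(r"^\s*expand:\s*(?P<tmpl>.*?)\s+->\s?(?P<out>.*)$")
VAR = re.compile(r"%\{([^{}]+)\}")  # simple, non-nested %{...} references only


def empty_expansions(line):
    """Return the %{...} references in one 'expand:' line that expanded to nothing."""
    m = EXPAND.match(line.rstrip("\n"))
    if not m:
        return []
    # VAR.split() yields: literal, name, literal, name, ..., literal
    parts = VAR.split(m.group("tmpl"))
    names = parts[1::2]
    if not names:
        return []
    # Rebuild the template as a regex: literals escaped, each reference a group.
    pattern = "".join(
        re.escape(p) if i % 2 == 0 else "(.*?)" for i, p in enumerate(parts)
    )
    hit = re.fullmatch(pattern, m.group("out"))
    if not hit:
        return []  # nested or otherwise unalignable template: make no claim
    return [name for name, value in zip(names, hit.groups()) if value == ""]


def scan(lines):
    """Return (line number, reference) for every empty expansion in a debug log."""
    findings = []
    for number, line in enumerate(lines, 1):
        for name in empty_expansions(line):
            findings.append((number, name))
    return findings


# Constructed sample, modelled on the debug output quoted in the thread.
SAMPLE = """\
++[unix] returns notfound
\texpand: ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32 -> ip in forward srcip /32 dstip 1.1.1.2/32
++[files] returns ok
\texpand: %{NAS-IP-Address} %{NAS-Port} -> 172.16.1.7 808583209
++[test_pool] returns ok
"""

if __name__ == "__main__":
    for number, name in scan(SAMPLE.splitlines()):
        print(f"line {number}: %{{{name}}} expanded to an empty string")
```
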


Ascend-Data-Filter with srcip from ippool

2008-03-31 Thread Andreas Kalb (akalb)
Hello,

I'm trying to use Ascend-data-filters together with IP-pool

DEFAULT Pool-Name := test_pool
Fall-Through = Yes

DEFAULT User-Name := test_..., Cleartext-Password := test
Service-Type = Framed-User,
Framed-Protocol = PPP,
Session-Timeout = 65000,
Idle-Timeout = 3600,
Ascend-Maximum-Time = 64000,
Ascend-Idle-Limit = 3600,
Ascend-Data-Filter := ip in forward srcip
%{Framed-IP-Address}/32 dstip 1.1.1.2/32

The pool is working well, but the filter doesn't:

Login OK: [test_001/test] (from client bb-10k port 808583209)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_ippool: Searching for an entry for nas/port: 172.16.1.7/808583209
rlm_ippool: Found a stale entry for ip/port: 172.16.100.135/808583209
rlm_ippool: num: 0
rlm_ippool: Searching for an entry for nas/port: 172.16.1.7/808583209
rlm_ippool: Allocating ip to nas/port: 172.16.1.7/808583209
rlm_ippool: num: 1
rlm_ippool: Allocated ip 172.16.103.107 to client on nas 172.16.1.7,port
808583209
  modcall[post-auth]: module test_pool returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 195 to 172.16.1.7 port 21646
Service-Type = Framed-User
Framed-Protocol = PPP
Session-Timeout = 65000
Idle-Timeout = 3600
Ascend-Maximum-Time = 64000
Ascend-Idle-Limit = 3600
Ascend-Data-Filter := ip in forward dstip 1.1.1.2/32 0
Framed-IP-Address = 172.16.103.107
Framed-IP-Netmask = 255.255.255.0

Looks like IP is taken from pool after users-file got processed. I
wouldn't know how to change that order or where to add the filter then.

Pls let me know whether this should work in some way and how to
configure it then?

Kind Regards,

Andreas



RE: Ascend-Data-Filter with srcip from ippool

2008-03-31 Thread Andreas Kalb (akalb)
Hello Alan,

pls see my response inline akalb. Thx for your quick feedback.

Kind Regards,

Andreas 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, 31 March 2008 16:29
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
 I'm trying to use Ascend-data-filters together with IP-pool
...
 DEFAULT User-Name := test_..., Cleartext-Password := test
...
 Ascend-Data-Filter := ip in forward srcip
 %{Framed-IP-Address}/32 dstip 1.1.1.2/32
 
 The pool is working well, but the filter doesn't:

  Because there's no Framed-IP-Address attribute in the request.  Use 
%{reply:Framed-IP-Address}.  For version 1.x, this is documented in 
doc/variables.txt.

akalb Had a try with:
akalb 
akalb Ascend-Data-Filter := ip in forward srcip 
%{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32
akalb 
akalb also, no difference. I expect because of order of modules you mentioned 
later.

 Login OK: [test_001/test] (from client bb-10k port 808583209)
   Processing the post-auth section of radiusd.conf
 modcall: entering group post-auth for request 0
...
 rlm_ippool: Allocated ip 172.16.103.107 to client on nas 
 172.16.1.7,port
 808583209

  Which runs after the files module.  So the files module doesn't have 
access to the IP address.

akalb Not sure how to see/change this:
# Livingston-style 'users' file
files {
...
  ippool test_pool {
...
files
files
...

 Looks like IP is taken from pool after users-file got processed. I 
 wouldn't know how to change that order or where to add the filter then.

  Read the documentation and see the examples.  The modules are processed in 
the order that they are listed in radiusd.conf.

akalb I tried to look it up, but was unable so far, sorry. I need to mention 
that I'm new to FreeRadius at all, sorry.

 Pls let me know whether this should work in some way and how to 
 configure it then?

  It's pretty easy to do in 2.0.  See man unlang.

  I suggest you upgrade.  What you want to do will be a LOT easier in 2.0.

akalb I'll do right away.

  Alan DeKok.


RE: Ascend-Data-Filter with srcip from ippool

2008-03-31 Thread Andreas Kalb (akalb)
Hello,

sorry for my ignorance, I'm still a novice on FreeRadius :-( After installing 
2.0.3 I'm even facing more trouble (most likely because parts of radiusd.conf 
are split now and I'm unsure how to get the ippool called).

Where was the related functionality moved to?

Kind Regards,

   Andreas

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, 31 March 2008 16:29
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
 I'm trying to use Ascend-data-filters together with IP-pool
...
 DEFAULT User-Name := test_..., Cleartext-Password := test
...
 Ascend-Data-Filter := ip in forward srcip
 %{Framed-IP-Address}/32 dstip 1.1.1.2/32
 
 The pool is working well, but the filter doesn't:

  Because there's no Framed-IP-Address attribute in the request.  Use 
%{reply:Framed-IP-Address}.  For version 1.x, this is documented in 
doc/variables.txt.

 Login OK: [test_001/test] (from client bb-10k port 808583209)
   Processing the post-auth section of radiusd.conf
 modcall: entering group post-auth for request 0
...
 rlm_ippool: Allocated ip 172.16.103.107 to client on nas 
 172.16.1.7,port
 808583209

  Which runs after the files module.  So the files module doesn't have 
access to the IP address.

 Looks like IP is taken from pool after users-file got processed. I 
 wouldn't know how to change that order or where to add the filter then.

  Read the documentation and see the examples.  The modules are processed in 
the order that they are listed in radiusd.conf.

 Pls let me know whether this should work in some way and how to 
 configure it then?

  It's pretty easy to do in 2.0.  See man unlang.

  I suggest you upgrade.  What you want to do will be a LOT easier in 2.0.

  Alan DeKok.


RE: Ascend-Data-Filter with srcip from ippool

2008-03-31 Thread Andreas Kalb (akalb)
Hello,

I'm unfortunately still not getting it to work anymore after upgrade to 2.0.3.

I added the following to sites-available/default at top of document:

server bb-10k {
  client 172.16.1.6 {
...
...
  accounting {
detail
unix
radutmp
test_pool
  }
...
  post-auth {
   test_pool 
  } 
...
  ippool test_pool {
range-start = 172.16.100.1
range-stop = 172.16.103.254
...

and then get:
/usr/local/etc/raddb/sites-enabled/default[70]: Failed to find module 
test_pool.
/usr/local/etc/raddb/sites-enabled/default[66]: Errors parsing accounting 
section. 

So now I wonder how to specify the ippool section there.

Kind Regards,

Andreas


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, 31 March 2008 19:59
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
 Hello,
 
 sorry for my ignorance, I'm still a novice on FreeRadius :-( After installing 
 2.0.3 I'm even facing more trouble (most likely because parts of radiusd.conf 
 are split now and I'm unsure how to get the ippool called).
 
 Where was the related functionality moved to?

  raddb/sites-available/default

  Alan DeKok.