RE: Ascend-Data-Filter with srcip from ippool
Hello Alan,

as I see your result I better understand unlang and the might of it. Thx for your patience. All working perfectly well now.

Kind Regards,
Andreas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, 2 April 2008 08:19
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
> Now I'm back to my original problem, where I wanted to use an Ascend-filter with entries matching IP-address from pool. I still don't know how to change order of modules to make the IP-address known to the files-module and appreciated your guidance again.

You don't have to. You can add the ascend data filter via unlang, in the post-auth section, right after the test_pool module is called:

    post-auth {
        ...
        test_pool
        if (ok) {
            update reply {
                ...
                Ascend-Data-Filter := "ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32"
                ...
            }
        }
    }

Again, this is documented. See man unlang, and the examples.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Ascend-Data-Filter with srcip from ippool
Hello Alan,

I started from that by adding my own ippool to radiusd.conf after main_pool (line 1800, ippool test_pool {...). I understood from your reply that I need to call it from sites-available/default and added test_pool right after main_pool in sites-available/default (in sections accounting and post-auth, as specified in radiusd.conf), but when starting the daemon I got:

    /usr/local/etc/raddb/radiusd.conf[1800]: Invalid version in module 'rlm_ippool'
    /usr/local/etc/raddb/sites-enabled/default[308]: Failed to find module test_pool.
    /usr/local/etc/raddb/sites-enabled/default[285]: Errors parsing accounting section.

That made me think I need to move the pool there as well, sorry.

Kind Regards,
Andreas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, 1 April 2008 07:46
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
> I'm unfortunately still not getting it to work anymore after upgrade to 2.0.3. I added the following to sites-available/default at top of document:
>
> server bb-10k {

I'm not sure why. As the documentation suggests, starting with the default configuration is the best idea.

> accounting {
> ...
> post-auth {

And no authorize or authenticate section.

> ippool test_pool {
> range-start = 172.16.100.1

Module configurations belong in the modules section of radiusd.conf. They do NOT go in a server section.

> and then get:
>
> /usr/local/etc/raddb/sites-enabled/default[70]: Failed to find module test_pool.
> /usr/local/etc/raddb/sites-enabled/default[66]: Errors parsing accounting section.
>
> So now I wonder how to specify the ippool section there.

You don't. Again, start with the default configuration. Add ONE module: test_pool. Configure it, and get it to assign IP addresses.

Then, once that works, configure the ascend filter attributes AFTER the test_pool module has been run in the post-auth section.

Alan DeKok.
RE: Ascend-Data-Filter with srcip from ippool
Hello again,

based on the last experience having different servers existing, I built the system from scratch and stayed as close as possible to the defaults. All is working well concerning the ip-pool. It was the duplicated server, as Alan pointed out.

Now I'm back to my original problem, where I wanted to use an Ascend-filter with entries matching IP-address from pool. I still don't know how to change order of modules to make the IP-address known to the files-module and appreciated your guidance again.

Kind Regards,
Andreas

users:

    DEFAULT User-Name := test_..., Pool-Name := test_pool, Cleartext-Password := cisco
            Service-Type == Framed-User,
            Framed-Protocol = PPP,
            Session-Timeout = 65000,
            Idle-Timeout = 3600,
            Ascend-Maximum-Time = 64000,
            Ascend-Idle-Limit = 3600,
            Ascend-Data-Filter := "ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32"

debugs:

    ...
    ++[unix] returns notfound
    users: Matched entry DEFAULT at line 125
    expand: ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32 -> ip in forward srcip /32 dstip 1.1.1.2/32
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    rad_check_password: Found Auth-Type
    auth: type PAP
    +- entering group PAP
    rlm_pap: login attempt with password cisco
    rlm_pap: Using clear text password cisco
    rlm_pap: User authenticated successfully
    ++[pap] returns ok
    Login OK: [test_001/cisco] (from client bb-10k port 808583209)
    +- entering group post-auth
    expand: %{NAS-IP-Address} %{NAS-Port} -> 172.16.1.7 808583209
    rlm_ippool: MD5 on 'key' directive maps to: 4c8d9b7e94410e9a58cd8ec24b47f8b1
    rlm_ippool: Searching for an entry for key: '4c8d9b7e94410e9a58cd8ec24b47f8b1'
    rlm_ippool: Allocating ip to key: '4c8d9b7e94410e9a58cd8ec24b47f8b1'
    rlm_ippool: num: 1
    rlm_ippool: Allocated ip 172.16.100.69 to client key: 4c8d9b7e94410e9a58cd8ec24b47f8b1
    ++[test_pool] returns ok
    Service-Type == Framed-User
    Framed-Protocol = PPP
    Session-Timeout = 65000
    Idle-Timeout = 3600
    Ascend-Maximum-Time = 64000
    Ascend-Idle-Limit = 3600
    Ascend-Data-Filter := ip in forward dstip 1.1.1.2/32 0
    Framed-IP-Address = 172.16.100.69
    Framed-IP-Netmask = 255.255.255.0
    Finished request 1.
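Added example (not part of the original thread, and not FreeRADIUS code): in the debug output above, %{reply:Framed-IP-Address} expands to nothing and the reply then carries a filter with no srcip clause. The Python script below scans radiusd -X output for filter expansions that lost an address; the sample log is constructed from the lines quoted in this thread, and the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, modelled on the radiusd -X lines quoted in this thread.
SAMPLE_DEBUG = """\
users: Matched entry DEFAULT at line 125
expand: ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32 -> ip in forward srcip /32 dstip 1.1.1.2/32
++[files] returns ok
expand: %{NAS-IP-Address} %{NAS-Port} -> 172.16.1.7 808583209
++[test_pool] returns ok
expand: ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32 -> ip in forward srcip 172.16.100.69/32 dstip 1.1.1.2/32
"""

# "expand: <template> -> <result>"; the templates here never contain " -> ".
EXPAND_RE = re.compile(r"^\s*expand:\s*(?P<tmpl>.*?)\s+->\s+(?P<out>.*)$")
ADDR_KEYWORDS = ("srcip", "dstip")


def bad_address_fields(filter_text):
    """Return the srcip/dstip keywords not followed by a valid IPv4 prefix."""
    tokens = filter_text.split()
    bad = []
    for i, tok in enumerate(tokens):
        if tok not in ADDR_KEYWORDS:
            continue
        value = tokens[i + 1] if i + 1 < len(tokens) else ""
        try:
            ipaddress.IPv4Network(value, strict=False)
        except ValueError:
            bad.append(tok)
    return bad


def find_broken_expansions(debug_text):
    """Return (line_no, keyword, expanded) for filter expansions missing an address."""
    findings = []
    for no, line in enumerate(debug_text.splitlines(), 1):
        m = EXPAND_RE.match(line)
        # Only dynamic templates that are Ascend-style "ip ..." filters matter.
        if not m or "%{" not in m["tmpl"] or not m["tmpl"].startswith("ip "):
            continue
        for kw in bad_address_fields(m["out"]):
            findings.append((no, kw, m["out"]))
    return findings


if __name__ == "__main__":
    for no, kw, out in find_broken_expansions(SAMPLE_DEBUG):
        print(f"line {no}: {kw} has no address after expansion: {out!r}")
```

Run against a captured debug log, a finding on the expand line that precedes "[files] returns ok" reproduces the ordering problem discussed in this thread: the files module expands the filter before the pool has assigned an address.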
Ascend-Data-Filter with srcip from ippool
Hello,

I'm trying to use Ascend-data-filters together with IP-pool

    DEFAULT Pool-Name := test_pool
            Fall-Through = Yes

    DEFAULT User-Name := test_..., Cleartext-Password := test
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Session-Timeout = 65000,
            Idle-Timeout = 3600,
            Ascend-Maximum-Time = 64000,
            Ascend-Idle-Limit = 3600,
            Ascend-Data-Filter := "ip in forward srcip %{Framed-IP-Address}/32 dstip 1.1.1.2/32"

The pool is working well, but the filter doesn't:

    Login OK: [test_001/test] (from client bb-10k port 808583209)
    Processing the post-auth section of radiusd.conf
    modcall: entering group post-auth for request 0
    rlm_ippool: Searching for an entry for nas/port: 172.16.1.7/808583209
    rlm_ippool: Found a stale entry for ip/port: 172.16.100.135/808583209
    rlm_ippool: num: 0
    rlm_ippool: Searching for an entry for nas/port: 172.16.1.7/808583209
    rlm_ippool: Allocating ip to nas/port: 172.16.1.7/808583209
    rlm_ippool: num: 1
    rlm_ippool: Allocated ip 172.16.103.107 to client on nas 172.16.1.7,port 808583209
    modcall[post-auth]: module test_pool returns ok for request 0
    modcall: leaving group post-auth (returns ok) for request 0
    Sending Access-Accept of id 195 to 172.16.1.7 port 21646
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Session-Timeout = 65000
    Idle-Timeout = 3600
    Ascend-Maximum-Time = 64000
    Ascend-Idle-Limit = 3600
    Ascend-Data-Filter := ip in forward dstip 1.1.1.2/32 0
    Framed-IP-Address = 172.16.103.107
    Framed-IP-Netmask = 255.255.255.0

Looks like IP is taken from pool after users-file got processed. I wouldn't know how to change that order or where to add the filter then.

Pls let me know whether this should work in some way and how to configure it then?

Kind Regards,
Andreas
RE: Ascend-Data-Filter with srcip from ippool
Hello Alan,

pls see my response inline akalb. Thx for your quick feedback.

Kind Regards,
Andreas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, 31 March 2008 16:29
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
> I'm trying to use Ascend-data-filters together with IP-pool
...
> DEFAULT User-Name := test_..., Cleartext-Password := test
...
> Ascend-Data-Filter := "ip in forward srcip %{Framed-IP-Address}/32 dstip 1.1.1.2/32"
>
> The pool is working well, but the filter doesn't:

Because there's no Framed-IP-Address attribute in the request. Use %{reply:Framed-IP-Address}. For version 1.x, this is documented in doc/variables.txt.

akalb Had a try with:
akalb
akalb Ascend-Data-Filter := "ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32"
akalb
akalb also, no difference. I expect because of order of modules you mentioned later.

> Login OK: [test_001/test] (from client bb-10k port 808583209)
> Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 0
...
> rlm_ippool: Allocated ip 172.16.103.107 to client on nas 172.16.1.7,port 808583209

Which runs after the files module. So the files module doesn't have access to the IP address.

akalb Not sure how to see/change this:

    # Livingston-style 'users' file
    files {
    ...
    ippool test_pool {
    ...
    files
    files
    ...

> Looks like IP is taken from pool after users-file got processed. I wouldn't know how to change that order or where to add the filter then.

Read the documentation and see the examples. The modules are processed in the order that they are listed in radiusd.conf.

akalb I tried to look it up, but was unable so far, sorry. I need to mention that I'm new to FreeRadius at all, sorry.

> Pls let me know whether this should work in some way and how to configure it then?

It's pretty easy to do in 2.0. See man unlang. I suggest you upgrade. What you want to do will be a LOT easier in 2.0.

akalb I'll do right away.

Alan DeKok.
RE: Ascend-Data-Filter with srcip from ippool
Hello,

sorry for my ignorance, I'm still a novice on FreeRadius :-(

After installing 2.0.3 I'm even facing more trouble (most likely because parts of radiusd.conf are split now and I'm unsure how to get the ippool called). Where was the related functionality moved to?

Kind Regards,
Andreas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, 31 March 2008 16:29
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
> I'm trying to use Ascend-data-filters together with IP-pool
...
> DEFAULT User-Name := test_..., Cleartext-Password := test
...
> Ascend-Data-Filter := "ip in forward srcip %{Framed-IP-Address}/32 dstip 1.1.1.2/32"
>
> The pool is working well, but the filter doesn't:

Because there's no Framed-IP-Address attribute in the request. Use %{reply:Framed-IP-Address}. For version 1.x, this is documented in doc/variables.txt.

> Login OK: [test_001/test] (from client bb-10k port 808583209)
> Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 0
...
> rlm_ippool: Allocated ip 172.16.103.107 to client on nas 172.16.1.7,port 808583209

Which runs after the files module. So the files module doesn't have access to the IP address.

> Looks like IP is taken from pool after users-file got processed. I wouldn't know how to change that order or where to add the filter then.

Read the documentation and see the examples. The modules are processed in the order that they are listed in radiusd.conf.

> Pls let me know whether this should work in some way and how to configure it then?

It's pretty easy to do in 2.0. See man unlang. I suggest you upgrade. What you want to do will be a LOT easier in 2.0.

Alan DeKok.
RE: Ascend-Data-Filter with srcip from ippool
Hello,

I'm unfortunately still not getting it to work anymore after upgrade to 2.0.3. I added the following to sites-available/default at top of document:

    server bb-10k {
        client 172.16.1.6 {
            ...
        ...
        accounting {
            detail
            unix
            radutmp
            test_pool
        }
        ...
        post-auth {
            test_pool
        }
        ...
        ippool test_pool {
            range-start = 172.16.100.1
            range-stop = 172.16.103.254
            ...

and then get:

    /usr/local/etc/raddb/sites-enabled/default[70]: Failed to find module test_pool.
    /usr/local/etc/raddb/sites-enabled/default[66]: Errors parsing accounting section.

So now I wonder how to specify the ippool section there.

Kind Regards,
Andreas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, 31 March 2008 19:59
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
> Hello, sorry for my ignorance, I'm still a novice on FreeRadius :-(
>
> After installing 2.0.3 I'm even facing more trouble (most likely because parts of radiusd.conf are split now and I'm unsure how to get the ippool called). Where was the related functionality moved to?

raddb/sites-available/default

Alan DeKok.