Re: reset sqlcounter on the same day for each user

2010-06-08 Thread Anton Zaytsev
On Fri, Jun 4, 2010 at 11:52 AM, Антон Зайцев anton.zajt...@gmail.com wrote:

 Hello everyone.

 I need some help. I want to limit my users' traffic in MB monthly. I have
 set up sqlcounter and it works great. But it resets monthly starting from the
 day the user first connects to the NAS. Users register and connect on different
 days during the month, and then it resets at a different time for each user.

 And this is the question: how can I reset the counter on a certain day for a
 certain user (for example the last day of the month)? Then the counter could
 reset monthly for all users beginning from the first day of the month.

 Maybe I need some attributes or ...

 Thanks



Can anybody help with this?
As I understand it, counters reset only hourly, monthly or weekly.
I searched the mail archive and found nothing useful.
Maybe give me some directions to look at to resolve this problem.
Maybe I should use the Expiration attribute or choose another way.

Thanks
Anton
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: about simultaneous when using mysql and freeradius

2010-06-01 Thread Anton
It should be done by the NAS. For example PPPoE and PPTP have LCP packets; if
there is no response from the client to the NAS for some time, the NAS decides
that the session is down and sends an Acct-Stop packet to the RADIUS server.
The RADIUS server then sets the corresponding record in the SQL session table.

Or there is another method: depending on the NAS type, radiusd can connect to
the NAS and check the activity of the user's session directly on the NAS; this
is a more reliable source of information. See radcheck.pl.
  

On Tue, 1 Jun 2010 16:24:54 +0700
Spacelee fjct...@gmail.com wrote:

 
 I want to limit users' behavior, such that a username can log in only once at
 the same time...
 
 1. modify default and inner-tunnel in
 
 #  Session database, used for checking Simultaneous-Use. Either the radutmp
 #  or rlm_sql module can handle this.
 #  The rlm_sql module is *much* faster
 session {
     #radutmp
 
     #  See "Simultaneous Use Checking Queries" in sql.conf
     sql
 
 }
 2. modify dialup.conf in etc/raddb/sql/mysql
 
 # Uncomment simul_count_query to enable simultaneous use checking
 
 simul_count_query = "SELECT COUNT(*) \
     FROM ${acct_table1} \
     WHERE username = '%{SQL-User-Name}' \
     AND acctstoptime IS NULL"
 
 3. add an entry to the table radgroupcheck
 INSERT INTO `radgroupcheck` ( `id` , `GroupName` , `Attribute` , `op` ,
 `Value` )
 VALUES (
 NULL , 'user', 'Simultaneous-Use', ':=', '1'
 );
 
 4. update the user test to the group user
 
 
 I finally tried it successfully, but if, let's say, the radius server went
 down suddenly or the user logged out improperly (such as powering off the
 computer directly), then the record will still be in the table as if he were
 still online... so we need to modify the record, but how? Can freeradius judge
 it by itself, or how do we judge if the user is offline?
 
 --
 Spacelee
 
 
 
 --
 Spacelee


-- 
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797



Re: about simultaneous when using mysql and freeradius

2010-06-01 Thread Anton
Yes, this is /usr/sbin/checkrad. Sorry for the mistake.

You should read this script ...

Radiusd can be down or unreachable, or a packet can be lost. If you have a NAS
of one of these types, you can specify the type in clients.conf
(nastype = cisco). After that radiusd should use /usr/sbin/checkrad to check
simultaneous logins.

But if you have a situation where the NAS has an open working session and
radiusd has no record of it in the session table, you can get a double login.
AFAIK in this case radiusd will not do a simultaneous check at all. But it
should not happen: when radiusd goes down suddenly, the records in the SQL
session table should stay as open sessions. And after radiusd starts again it
thinks those sessions are active :-); in this case radiusd will use checkrad,
if nastype is configured, to check its SQL records.

Moreover, if you connect simultaneously very fast (faster than your SQL can
handle queries) and without using checkrad, then you will get simultaneous
logins too. This is because there is no transaction in the SQL schema, nor any
other method to make a single unique login attempt at a time, so SQL sees them
as separate tries.


On Tue, 1 Jun 2010 17:21:26 +0700
Spacelee fjct...@gmail.com wrote:

 sorry, is radcheck.pl included in freeradius now? do you mean
 /usr/sbin/checkrad ?
 
 
 and I searched the keywords "Simultaneous mysql radius down", but found no
 results I need.
 


-- 
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797


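The Simultaneous-Use mechanics discussed in this exchange (Spacelee's dialup.conf count query, the row that stays open when no Acct-Stop ever arrives, and Anton's point that two very fast logins slip past a non-transactional check), as an added example that is not FreeRADIUS code or anyone's post. An in-memory SQLite table stands in for radacct (${acct_table1}); the clock, session ids and NAS address are constructed.

```python
# Added example, not FreeRADIUS code: SQLite stands in for radacct/${acct_table1}.
import sqlite3
from datetime import datetime, timedelta

# dialup.conf query from the thread, %{SQL-User-Name} as a bound parameter.
SIMUL_COUNT_QUERY = ("SELECT COUNT(*) FROM radacct"
                     " WHERE username = ? AND acctstoptime IS NULL")


def new_db() -> sqlite3.Connection:
    """Minimal radacct look-alike with only the columns the queries touch."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY, acctsessionid TEXT NOT NULL,
        username TEXT NOT NULL, nasipaddress TEXT NOT NULL,
        acctstarttime TEXT NOT NULL, acctupdatetime TEXT NOT NULL,
        acctstoptime TEXT)""")
    return conn


def acct_start(conn, username, session_id, nas, when: datetime) -> None:
    """Accounting Start opens a row. The matching Stop never arrives when the
    client just powers off, which is what leaves the user 'online'."""
    conn.execute(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress,"
        " acctstarttime, acctupdatetime) VALUES (?, ?, ?, ?, ?)",
        (session_id, username, nas, when.isoformat(), when.isoformat()))
    conn.commit()


def open_sessions(conn, username) -> int:
    """What session { sql } sees when it enforces Simultaneous-Use."""
    return conn.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()[0]


def stale_sessions(conn, now: datetime, interim: timedelta, missed: int = 3):
    """Open rows whose last Interim-Update is older than `missed` intervals:
    the candidates to verify on the NAS (checkrad) or to close."""
    cutoff = (now - missed * interim).isoformat()
    return conn.execute(
        "SELECT acctsessionid, username, nasipaddress FROM radacct"
        " WHERE acctstoptime IS NULL AND acctupdatetime < ?",
        (cutoff,)).fetchall()


def close_stale(conn, now: datetime, interim: timedelta, missed: int = 3) -> int:
    """Close the stale rows; returns how many were closed."""
    cutoff = (now - missed * interim).isoformat()
    cur = conn.execute(
        "UPDATE radacct SET acctstoptime = ?"
        " WHERE acctstoptime IS NULL AND acctupdatetime < ?",
        (now.isoformat(), cutoff))
    conn.commit()
    return cur.rowcount


def race_demo(conn, username, now: datetime, limit: int = 1) -> int:
    """Two logins faster than the Acct-Start round trip: both count queries
    run before either row exists, so both pass (Anton's point)."""
    first_ok = open_sessions(conn, username) < limit
    second_ok = open_sessions(conn, username) < limit
    if first_ok:
        acct_start(conn, username, "race-1", "10.0.0.1", now)
    if second_ok:
        acct_start(conn, username, "race-2", "10.0.0.1", now)
    return open_sessions(conn, username)  # 2: the limit was bypassed


def login_atomic(conn, username, session_id, nas, now: datetime,
                 limit: int = 1) -> bool:
    """Count and insert in one statement so two attempts cannot interleave.
    Illustrates the transactional guard the thread says the stock schema
    lacks; it is not FreeRADIUS's own mechanism."""
    cur = conn.execute(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress,"
        " acctstarttime, acctupdatetime) SELECT ?, ?, ?, ?, ?"
        " WHERE (SELECT COUNT(*) FROM radacct"
        "        WHERE username = ? AND acctstoptime IS NULL) < ?",
        (session_id, username, nas, now.isoformat(), now.isoformat(),
         username, limit))
    conn.commit()
    return cur.rowcount == 1


def demo() -> dict:
    """Run the scenarios on a fresh table and return the observations."""
    conn = new_db()
    now = datetime(2010, 6, 1, 16, 24)      # constructed clock
    interim = timedelta(minutes=5)           # Acct-Interim-Interval
    acct_start(conn, "test", "s1", "10.0.0.1", now - timedelta(hours=2))
    out = {"open_before": open_sessions(conn, "test"),
           "stale": stale_sessions(conn, now, interim),
           "closed": close_stale(conn, now, interim)}
    out["open_after"] = open_sessions(conn, "test")
    out["racy_count"] = race_demo(conn, "racer", now)
    out["atomic_first"] = login_atomic(conn, "test", "s2", "10.0.0.1", now)
    out["atomic_second"] = login_atomic(conn, "test", "s3", "10.0.0.1", now)
    out["atomic_count"] = open_sessions(conn, "test")
    return out
```

Stale rows found this way should be confirmed against the NAS (this is the job Anton assigns to checkrad) before they are closed, since a NAS that merely stopped sending Interim-Updates may still hold the session.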

Re: Option 82 parse problems.

2010-05-28 Thread Anton
Ok. Please see the attachments. But I'm afraid this may only be my case, my
unfortunate radius configuration.

This is not the packet received directly from the switch but from the
switch-dhcrelay.

On Fri, 28 May 2010 13:11:57 +0700
Alan DeKok al...@deployingradius.com wrote:

   Please supply a packet trace (wireshark / tcpdump) which contains that
 packet.  If we had seen this issue in testing 2.1.9, we would have fixed it.
 
  How to use this announced feature of sub-option for opt82 ?
 
   It was tested to work with a number of different switches.
 
  How to find the reason why radiusd (2.1.9) eats 100% of CPU ?
 
   Supply a pcap file containing the packet, so we can reproduce the
 problem, and fix it.
 
   Alan DeKok.


-- 
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797



Attachments: dhcp_on_client.dump, dhcp_on_server.dump, dhcrelay-to-radius.dump

Option 82 parse problems.

2010-05-27 Thread Anton
Good day.

I'm trying to set up freeradius as a DHCP server with option 82 parsing and SQL
data lookup. Right now I use versions 2.1.8 and 2.1.9 with exactly the same
configs; there is no SQL configuration yet, only the default dhcp config with my
test diff (see below). I have two questions for now:


1. In dictionary.dhcp there are two lines (version 2.1.8):

ATTRIBUTE DHCP-Agent-Circuit-Id 0x0152  octets
ATTRIBUTE DHCP-Agent-Remote-Id  0x0252  octets

but when I start radiusd -X I see only one whole string like:

DHCP-Relay-Agent-Information = 0x01060004006402080006000cce477c00

How can I get DHCP-Agent-Circuit-Id and DHCP-Agent-Remote-Id without using perl
in post_auth?


2. There is an announced feature in 2.1.9: "Add sub-option support for Option
82. See dictionary.dhcp." When I start radiusd -X (2.1.9) with its
dictionary.dhcp, it begins to eat 100% of CPU with no output at all in the
console after the first dhcp packet is received.

How do I use this announced sub-option feature for opt82?
How do I find the reason why radiusd (2.1.9) eats 100% of CPU?


My dhcp site config (with changed ip-addresses):

server dhcp {
    listen {
        ipaddr = 192.168.0.1
        port = 67
        type = dhcp
        interface = eth0
    }
    dhcp DHCP-Discover {
        update reply {
            DHCP-DHCP-Server-Identifier = %{Packet-Dst-IP-Address}
        }
        linelog
        update reply {
            DHCP-Domain-Name-Server = 192.168.0.1
            DHCP-Domain-Name-Server = 192.168.10.1
            DHCP-Subnet-Mask = 255.255.255.240
            DHCP-IP-Address-Lease-Time = 1800
        }
        mac2ip
        linelog
        ok
    }
    dhcp DHCP-Request {
        update reply {
            DHCP-DHCP-Server-Identifier = %{Packet-Dst-IP-Address}
        }
        linelog
        update reply {
            DHCP-Domain-Name-Server = 192.168.0.1
            DHCP-Domain-Name-Server = 192.168.10.1
            DHCP-Subnet-Mask = 255.255.255.224
            DHCP-IP-Address-Lease-Time = 1800
        }
        linelog
        ok
    }
    dhcp {
        update reply {
            DHCP-Message-Type = DHCP-NAK
        }
    }
}
passwd mac2ip {
    filename = ${confdir}/mac2ip
    format = *DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address
    delimiter = ,
}



-- 
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797


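Decoding the option 82 value from the post into the sub-options the 2.1.8 dictionary names (DHCP-Agent-Circuit-Id 0x0152 is sub-option 1 of option 82, DHCP-Agent-Remote-Id 0x0252 is sub-option 2), as an added example that is not FreeRADIUS code. The outer Type-Length-Value layout is RFC 3046; the inner circuit-id (00 04, VLAN, module, port) and remote-id (00 06, MAC) layouts are one common switch encoding and an assumption here, and the well-formed sample with a made-up MAC is constructed. Fed the exact string from the post, the parser yields a 6-byte Circuit-Id followed by a header with code 0, which is not a defined sub-option, so it labels that rather than guessing at it.

```python
# Added example, not FreeRADIUS code: bounds-checked decoder for DHCP option 82.
OPTION_82 = 82
SUBOPTION_NAMES = {1: "DHCP-Agent-Circuit-Id", 2: "DHCP-Agent-Remote-Id"}

# Value exactly as it appears in the radiusd -X output quoted in the thread.
PAGE_VALUE = bytes.fromhex("01060004006402080006000cce477c00")

# Constructed, well-formed sample: the same circuit-id plus a remote-id that
# carries a made-up MAC address (00:11:22:33:44:55).
SAMPLE_VALUE = bytes.fromhex("0106" "000400640208" "0208" "0006001122334455")


def dictionary_code(suboption: int) -> int:
    """Attribute number dictionary.dhcp uses for an option-82 sub-option:
    high byte = sub-option code, low byte = 82 (0x52)."""
    return (suboption << 8) | OPTION_82


def parse_option82(data: bytes) -> dict:
    """Split option 82 into {sub-option code: value bytes}.

    Every length byte is checked against the remaining buffer before it is
    used, so a truncated packet or a lying length raises instead of reading
    past the buffer or spinning on bad input."""
    subs = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError(f"sub-option header truncated at offset {pos}")
        code, length = data[pos], data[pos + 1]
        pos += 2
        if pos + length > len(data):
            raise ValueError(f"sub-option {code} claims {length} bytes, "
                             f"only {len(data) - pos} remain")
        if code in subs:
            raise ValueError(f"sub-option {code} repeated")
        subs[code] = data[pos:pos + length]
        pos += length
    return subs


def decode_circuit_id(value: bytes):
    """Common switch encoding of sub-option 1: 00 04 <vlan:2> <module> <port>
    (an assumption here). Returns (vlan, module, port), or None when the
    value is laid out differently."""
    if len(value) == 6 and value[:2] == b"\x00\x04":
        return int.from_bytes(value[2:4], "big"), value[4], value[5]
    return None


def decode_remote_id(value: bytes):
    """Common switch encoding of sub-option 2: 00 06 <mac:6> (an assumption
    here). Returns the MAC as text, or None."""
    if len(value) == 8 and value[:2] == b"\x00\x06":
        return ":".join(f"{b:02x}" for b in value[2:])
    return None


def describe(data: bytes) -> dict:
    """Name each sub-option as the dictionary would; codes the dictionary
    does not define are kept under a 'DHCP-Agent-Sub-Option-N' label rather
    than silently dropped."""
    out = {}
    for code, value in parse_option82(data).items():
        name = SUBOPTION_NAMES.get(code, f"DHCP-Agent-Sub-Option-{code}")
        out[name] = value.hex()
    return out
```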


{control:SQL-Group} in post-auth

2009-10-20 Thread Anton Borisov

Hello!


My user is inserted in group = my_pool in the SQL DB.

I try to use in my sites-enabled/default something like this:

post-auth {
    ...
    ...
    if ( SQL-Group == my_pool ) {
        ...
        ...
    }
}


When my user comes I can see this:

Tue Oct 20 18:49:23 2009 : Info: [sqlauth] 	expand: SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'%{SQL-User-Name}' ORDER BY id

...
Tue Oct 20 18:49:23 2009 : Info: [sqlauth] 	expand: SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
 FROM radgroupcheck,usergroup WHERE (usergroup.Username = 
'%{SQL-User-Name}' OR usergroup.CLID = '%{Calling-Station-Id}') AND 
usergroup.GroupName = radgroupcheck.GroupName AND usergroup.GroupName = 
'%{SQL-Group}' ORDER BY usergroup.PRIORITY,radgroupcheck.id

...
Tue Oct 20 18:49:23 2009 : Info: [sqlauth] User found in group my_pool
...


Ok, we can see that the user is in the my_pool group - this is ## point 1


...
Tue Oct 20 18:49:23 2009 : Info: +- entering group post-auth {...}
Tue Oct 20 18:49:23 2009 : Info: ++[exec] returns noop
Tue Oct 20 18:49:23 2009 : Info: ++? if (SQL-Group == pool )
Tue Oct 20 18:49:23 2009 : Info: sql_groupcmp
Tue Oct 20 18:49:23 2009 : Debug: rlm_sql (sqlacct): Reserving sql 
socket id: 24
Tue Oct 20 18:49:23 2009 : Info: 	expand: SELECT GroupName FROM 
usergroup WHERE UserName='%{SQL-User-Name}' OR 
CLID='%{Calling-Station-Id}' order by priority - SELECT GroupName FROM 
usergroup WHERE UserName='bebebeb' OR CLID='bebebeb' order by priority
Tue Oct 20 18:49:23 2009 : Info: sql_groupcmp finished: User is a member 
of group pool
Tue Oct 20 18:49:23 2009 : Debug: rlm_sql (sqlacct): Released sql socket 
id: 24

Tue Oct 20 18:49:23 2009 : Info: ? Evaluating (SQL-Group == pool ) - TRUE
Tue Oct 20 18:49:23 2009 : Info: ++? if (SQL-Group == pool ) - TRUE
Tue Oct 20 18:49:23 2009 : Info: ++- entering if (SQL-Group == pool ) {...}



Ok, we can see that because of ###if ( SQL-Group == my_pool ) ### radius tries
to run a new SQL query against the SQL DB. But why? At this point radius
already knows that the user has been found in group my_pool - see ###point 1###.



Can I use another word for this check? For example
if ( '%{control:SQL-Group}' == my_pool ) {  }
because at this point I know exactly that my user belongs to group my_pool
(see point 1).
If I could use the previous sql-select (###point 1), I would not have to make
another SQL query every time I use if (SQL-Group == my_pool).



--
Yours faithfully,
Anton Borisov.


Re: rlm_perl / libtool / libltdl problem

2009-08-24 Thread Anton Brinyov
 Does this mean you are also having this problem with 2.2.6a of 
 libtool/libltdl?

Yes.

 There isn't a permanent solution that I know of yet.  However, there is a 
 workaround that you can use for now:

 LD_PRELOAD=path_to_libperl.so /usr/local/sbin/radiusd

Thanks. It works.


 Where path_to_libperl.so is the full path for that file (e.g., it's 
 /usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so on one of my systems).

 -Original Message-
 From: 
 freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org 
 [mailto:freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org]
  On Behalf Of Anton Brinyov
 Sent: Sunday, August 23, 2009 6:17 PM
 To: FreeRadius users mailing list
 Subject: Re: rlm_perl / libtool / libltdl problem

 Hi,

 Does it mean there isn't a solution for this problem now?

 Thanks,
 Anton



Re: CoA-Ack and radclient/radiusd

2009-08-24 Thread Anton G.

Alan DeKok wrote:

Anton G. wrote:

got today's git/stable and tried - same result.. (


  Are you sure you're using *that* version, and that you don't have
multiple versions of the software installed?


Yes, checked it twice..





Alan, can you please provide me some tips to do further debug of this?


  It involves looking through the hashes in src/lib/packet.c.  It's not
pretty...


well, I have no choice, I should dig it out




Not to mention radiusd CoA,
I'm pretty puzzled why radclient doesn't want to handle CoA-ACK from the NAS..


  I don't know... others have got this to work.


I understand,
radclient has had CoA support for a long time..



  What's the OS / CPU?

FreeBSD 7.1-RELEASE-p3 jail

Could it be OS specific?
or NAS specific ?




Re: rlm_perl / libtool / libltdl problem

2009-08-23 Thread Anton Brinyov
Hi,

Does it mean there isn't a solution for this problem now?

Thanks,
Anton


2009/8/18 Garber, Neal neal.gar...@energyeast.com:
 Did I mention that I hate libtool and libltdl?  They're close to
 *causing* more problems than they solve.

 Yes, on several occasions that I recall :)  I share your sentiments...

 I actually started removing libltdl a while ago.  See
 src/main/modules.c.  Look for WITHOUT_LIBLTDL.  I'll bet that if you
 spent a bit of time hacking the source, you could get it to build  run
 *without* libltldl.  At that point, the stupid can't load library
 issues will go away.

 If I get some spare time (what's that :)), I'll see what I can do..





Re: CoA-Ack and radclient/radiusd

2009-08-22 Thread Anton G.

Alan DeKok wrote:

Anton G. wrote:

I have a strange problem with CoA-Ack receive


  Which version of the software are you using?

git/stable from Aug 13 10:07 GMT



  It works for me with the latest git stable tree...


got today's git/stable and tried - same result.. (

Alan, can you please provide me some tips to do further debug of this?

Not to mention radiusd CoA,
I'm pretty puzzled why radclient doesn't want to handle CoA-ACK from the NAS..



some# /usr/local/bin/radclient -t20 -r 1 -c 1 -f ./coa.rad -x 10.200.27.3:1700 
coa su29

Sending CoA-Request of id 223 to 10.200.27.3 port 1700
User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
ERX-Virtual-Router-Name = default:vrf_nat1
Framed-IP-Address = 10.200.27.42
ERX-Service-Activate:2 = 
setmv(10.200.27.42,00:0e:0c:b9:31:41,vrf_nat1)
ERX-Service-Timeout:2 = 20
rad_recv: CoA-ACK packet from host 10.200.27.3 port 1700, id=223, length=20
radclient: received response to request we did not send. (id=223 socket 3)
radclient: no response from server for ID 223 socket 3
some#

tcpdump and radsniff didn`t show anything strange

some# radsniff -x -I /home/ak/coa.dump -f udp
PCAP filter: [udp]
RADIUS secret: [testing123]
CoA-Request Id 223  10.200.3.4:56318 - 10.200.27.3:1700(1 packets) 
+0.000

User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
ERX-Virtual-Router-Name = default:vrf_nat1
Framed-IP-Address = 10.200.27.42
ERX-Service-Activate:2 = 
setmv(10.200.27.42,00:0e:0c:b9:31:41,vrf_nat1)
ERX-Service-Timeout:2 = 20

CoA-ACK Id 223  10.200.27.3:1700 - 10.200.3.4:56318(2 packets) +7.069

Done sniffing
some#






Re: MSChap via ntlm_auth problem

2009-08-22 Thread Anton Brinyov
Hi,

I tried to move samba's ntlm_auth program away and replace it with a simple shell script:

#!/bin/sh
echo Test!

But NOTHING CHANGED!

I think radius doesn't call the ntlm_auth program, but I don't know why.

Thanks,
Anton


2009/8/20 Anton Brinyov anton.brin...@gmail.com:
 Here are my sites-enabled/default and sites-enabled/inner-tunnel files.

 Thanks,
 Anton


 2009/8/19 Alan Buxey a.l.m.bu...@lboro.ac.uk:
 Hi,

 I have another freeradius host (freeradius 2.1.3) with the same
 authentication scheme.
 I looked at the debug output on it:

 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for BAS with NT-Password
 [mschap] WARNING: Deprecated conditional expansion :-.  See man
 unlang for details
 [mschap] WARNING: Deprecated conditional expansion :-.  See man
 unlang for details
 [mschap]        expand:
 --username=%{Stripped-User-Name:-%{User-Name:-None}} - --username=BAS
 [mschap]  mschap2: bb
 [mschap]        expand: --challenge=%{mschap:Challenge:-00} -
 --challenge=205180e1818e1214
 [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -
 --nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78
 Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD
 Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD
 Exec-Program: returned: 0
 [mschap] adding MS-CHAPv2 MPPE keys
 ++[mschap] returns ok

 ntlm_auth commands are the same on both hosts.

 The difference is Exec-Program output:

 Why?

 your previous emails only listed the mschap module and radiusd.conf - but
 not the sites-enabled/default or sites-enabled/inner-tunnel  files.

 alan




Re: MSChap via ntlm_auth problem

2009-08-22 Thread Anton Brinyov
Oh!

I noticed in /var/log/messages the following line after each auth attempt:

Aug 22 18:28:33 gate1 kernel: pid 78473 (radiusd), uid 133: exited on signal 12


Thanks,
Anton






Re: MSChap via ntlm_auth problem

2009-08-22 Thread Anton Brinyov
Hmmm...

The problem was solved by recompiling the kernel and freeradius.

Thanks,
Anton.







CoA-Ack and radclient/radiusd

2009-08-21 Thread Anton G.

Hello,

I have a strange problem with receiving CoA-Ack.

I send a test CoA packet to the NAS (Juniper ERX); the NAS sees the packet, does
the corresponding action as well, and sends CoA-Ack back.

Nothing strange in the NAS debug or tcpdump.

But radclient says:

some# /usr/local/bin/radclient -t20 -r 1 -c 1 -f ./user-81-200-27-42.rad -x 
10.200.27.3:1700 coa su29

Sending CoA-Request of id 44 to 10.200.27.3 port 1700
User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
ERX-Virtual-Router-Name = default:vrf_nat1
Framed-IP-Address = 10.200.27.42
ERX-Service-Activate:2 = setmv(10.200.27.42,000e.0cb9.3140,vrf_nat1)
ERX-Service-Timeout:2 = 20
rad_recv: CoA-ACK packet from host 10.200.27.3 port 1700, id=44, length=20
radclient: received response to request we did not send. (id=44 socket 3)

radclient: no response from server for ID 44 socket 3
some#

I can't clearly understand why..




And using the radiusd CoA functionality I get similar behavior,
but in that case I'm not sure if my config is ok to handle CoA-Ack.

I have an update action in the accounting section:

accounting {
    if (%{Acct-Session-Id} =~ /:/) {
        if (%{Acct-Status-Type} == Start) {
            update coa {
                User-Name := %{User-Name}
                ERX-Virtual-Router-Name := default:vrf_nat1
                ERX-Service-Activate:2 += setmv(10.200.27.42, 000e.0cb9.3141, vrf_nat1)
                ERX-Service-Timeout:2 += 20
            }
        }
    }
    ok
}


and get


rad_recv: Accounting-Request packet from host 10.200.27.3 port 50125, id=187, 
length=283

Acct-Status-Type = Start
User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
Event-Timestamp = Aug 21 2009 13:25:51 MSD
Acct-Delay-Time = 0
NAS-Identifier = bsr01-su29
Acct-Session-Id = 0024163640:0016777349
ERX-Service-Session = 
inetpublic(10.200.27.42,000e.0cb9.3141,vrf_nat1,gi5/0/0.951,0,0,20485760,20485760)

NAS-IP-Address = 10.200.27.3
Framed-IP-Address = 10.200.27.42
Calling-Station-Id = #bsr01-su29#E50#951
NAS-Port-Type = Ethernet
NAS-Port = 671089591
NAS-Port-Id = GigabitEthernet 5/0/0.951:951
Acct-Authentic = RADIUS
+- entering group preacct {...}
++[preprocess] returns ok
++[files] returns noop
+- entering group accounting {...}
++? if (%{Acct-Session-Id} =~ /:/)
expand: %{Acct-Session-Id} - 0024163640:0016777349
? Evaluating (%{Acct-Session-Id} =~ /:/) - TRUE
++? if (%{Acct-Session-Id} =~ /:/) - TRUE
++- entering if (%{Acct-Session-Id} =~ /:/) {...}
+++? if (%{Acct-Status-Type} == Start)
expand: %{Acct-Status-Type} - Start
? Evaluating (%{Acct-Status-Type} == Start) - TRUE
+++? if (%{Acct-Status-Type} == Start) - TRUE
+++- entering if (%{Acct-Status-Type} == Start) {...}
expand: %{User-Name} - 10.200.27.42.vrf_nat1.vlan.5.0.0.951
[coa] returns noop
+++- if (%{Acct-Status-Type} == Start) returns noop
++- if (%{Acct-Session-Id} =~ /:/) returns noop
++[ok] returns ok
Sending Accounting-Response of id 187 to 10.200.27.3 port 50125
  WARNING: Empty section.  Using default return values.
Sending CoA-Request of id 128 to 10.200.27.3 port 1700
User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
ERX-Virtual-Router-Name = default:vrf_nat1
ERX-Service-Activate:2 = setmv(10.200.27.42, 000e.0cb9.3141, vrf_nat1)
ERX-Service-Timeout:2 = 20
ERX-Service-Statistics:2 = disabled
Finished request 2.
Cleaning up request 2 ID 187 with timestamp +4
Going to the next request
Waking up in 2.1 seconds.
Sending CoA-Request of id 128 to 10.200.27.3 port 1700
User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
ERX-Virtual-Router-Name = default:vrf_nat1
ERX-Service-Activate:2 = setmv(10.200.27.42, 000e.0cb9.3141, vrf_nat1)
ERX-Service-Timeout:2 = 20
ERX-Service-Statistics:2 = disabled
Waking up in 1.5 seconds.
Cleaning up request 0 ID 52 with timestamp +3
Waking up in 2.7 seconds.
Sending CoA-Request of id 128 to 10.200.27.3 port 1700
User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
ERX-Virtual-Router-Name = default:vrf_nat1
ERX-Service-Activate:2 = setmv(10.200.27.42, 000e.0cb9.3141, vrf_nat1)
ERX-Service-Timeout:2 = 20
ERX-Service-Statistics:2 = disabled
Waking up in 8.7 seconds.
rad_recv: CoA-ACK packet from host 10.200.27.3 port 1700, id=128, length=20
Ignoring proxy reply that arrived after we sent a reply to the NAS
Waking up in 8.3 seconds.
Sending CoA-Request of id 128 to 10.200.27.3 port 1700
User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
ERX-Virtual-Router-Name = default:vrf_nat1
ERX-Service-Activate:2 = setmv(10.200.27.42, 000e.0cb9.3141, vrf_nat1)
ERX-Service-Timeout:2 = 20
ERX-Service-Statistics:2 = disabled
Waking up in 14.6 seconds.
rad_recv: CoA-ACK packet from host 10.200.27.3 port 1700, id=128, length=20
Ignoring proxy reply that arrived after we sent a reply to the NAS
Waking up in 14.6 seconds.
No response to CoA request sent to 10.200.27.3
  Found 
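The CoA-Request / CoA-ACK exchange from the radclient and radiusd output above, rebuilt and verified with the RADIUS rules of RFC 2865 and RFC 5176, as an added example that is not FreeRADIUS or radclient code. It shows the two checks a client applies before it accepts a reply: the Identifier must belong to an outstanding request, and the Response Authenticator must verify under the shared secret. Id 223 and the secret testing123 are the values in the thread; the ERX vendor attributes are left out. It does not diagnose the radclient failure above, where the Identifier did match.

```python
# Added example, not FreeRADIUS or radclient code: CoA-Request/CoA-ACK rebuilt
# and verified with the RADIUS rules of RFC 2865 and RFC 5176 (id 223 and the
# secret 'testing123' come from the thread; ERX vendor attributes are omitted).
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
HEADER_LEN = 20
USER_NAME, FRAMED_IP_ADDRESS = 1, 8


def attr(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length covers the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA-Request. RFC 5176 derives its Request Authenticator the way an
    Accounting-Request does: MD5(Code+Id+Length+16 zero octets+Attrs+Secret)."""
    head = struct.pack("!BBH", COA_REQUEST, identifier, HEADER_LEN + len(attrs))
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs


def build_reply(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """CoA-ACK / CoA-NAK to `request`; Response Authenticator per RFC 2865:
    MD5(Code+Id+Length+RequestAuth+Attributes+Secret). With no attributes this
    is exactly the 20-byte packet the log shows (length=20)."""
    head = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs


def verify_reply(request: bytes, reply: bytes, secret: bytes) -> tuple:
    """(accepted, reason): match the reply to the request we sent, then check
    the Response Authenticator under the shared secret."""
    if len(reply) < HEADER_LEN:
        return False, "shorter than a RADIUS header"
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False, "length field does not match packet size"
    if code not in (COA_ACK, COA_NAK):
        return False, f"code {code} is not a CoA reply"
    if identifier != request[1]:
        return False, "identifier does not match any outstanding request"
    expected = hashlib.md5(
        reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return False, "response authenticator mismatch (wrong secret or forged)"
    return True, "ok"


def demo() -> dict:
    """The exchange from the thread plus the two ways a reply gets rejected."""
    secret = b"testing123"
    attrs = (attr(USER_NAME, b"10.200.27.42.vrf_nat1.vlan.5.0.0.951")
             + attr(FRAMED_IP_ADDRESS, bytes([10, 200, 27, 42])))
    request = build_coa_request(223, attrs, secret)
    ack = build_reply(COA_ACK, request, b"", secret)
    # A NAS configured with a different secret answers the same request.
    wrong_secret_ack = build_reply(COA_ACK, request, b"", b"not-the-secret")
    # An ACK for a request this client never sent (different Identifier).
    stray_ack = build_reply(COA_ACK, build_coa_request(44, attrs, secret),
                            b"", secret)
    return {"request_len": len(request), "ack_len": len(ack),
            "ack": verify_reply(request, ack, secret),
            "wrong_secret": verify_reply(request, wrong_secret_ack, secret),
            "stray_id": verify_reply(request, stray_ack, secret)}
```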

MSChap via ntlm_auth problem

2009-08-20 Thread Anton Brinyov
Here are my sites-enabled/default and sites-enabled/inner-tunnel files.

Thanks,
Anton


2009/8/19 Alan Buxey a.l.m.bu...@lboro.ac.uk:
 Hi,

 I have another freeradius host (freeradius 2.1.3) with the same
 authentication scheme.
 I looked at the debug output on it:

 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for BAS with NT-Password
 [mschap] WARNING: Deprecated conditional expansion :-.  See man
 unlang for details
 [mschap] WARNING: Deprecated conditional expansion :-.  See man
 unlang for details
 [mschap]        expand:
 --username=%{Stripped-User-Name:-%{User-Name:-None}} - --username=BAS
 [mschap]  mschap2: bb
 [mschap]        expand: --challenge=%{mschap:Challenge:-00} -
 --challenge=205180e1818e1214
 [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -
 --nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78
 Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD
 Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD
 Exec-Program: returned: 0
 [mschap] adding MS-CHAPv2 MPPE keys
 ++[mschap] returns ok

 ntlm_auth commands are the same on both hosts.

 The difference is Exec-Program output:

 Why?

 your previous emails only listed the mschap module and radiusd.conf - but
 not the sites-enabled/default or sites-enabled/inner-tunnel  files.

 alan


Attachments: default, inner-tunnel

Re: MSChap via ntlm_auth problem

2009-08-19 Thread Anton Brinyov
Hi,

I have another freeradius host (freeradius 2.1.3) with the same
authentication scheme.
I looked at the debug output on it:

Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for BAS with NT-Password
[mschap] WARNING: Deprecated conditional expansion :-.  See man
unlang for details
[mschap] WARNING: Deprecated conditional expansion :-.  See man
unlang for details
[mschap]expand:
--username=%{Stripped-User-Name:-%{User-Name:-None}} - --username=BAS
[mschap]  mschap2: bb
[mschap]expand: --challenge=%{mschap:Challenge:-00} -
--challenge=205180e1818e1214
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} -
--nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78
Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD
Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok

ntlm_auth commands are the same on both hosts.

The difference is Exec-Program output:

Why?

Thanks,
Anton.




2009/8/18 Anton Brinyov anton.brin...@gmail.com:
 2009/8/18 Alan Buxey a.l.m.bu...@lboro.ac.uk:
 Hi,

 The problem appears in any case - with or without the require-membership option.

  which version of SAMBA are you running? Latest version is known to have
  issues - they've changed things with its output.

 I use samba 3.0.35 on FreeBSD 7.2 box.

  also, recommend you change the command to have this instead
 
  --username=%{Stripped-User-Name:-%{User-Name:-None}}
 
  that'll get rid of that annoying output error

 I have the following command:

 ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key
 --require-membership-of=CENTAURA+InternetUsers
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}

 If I call it from shell with options from radius request - I get result:

 # /usr/local/bin/ntlm_auth --request-nt-key
 --require-membership-of=CENTAURA+InternetUsers --username=BAS
 --challenge=6b6f49357dccee7c
 --nt-response=ce2480f1e35c222a4d3481b83ee78854094394517f29d9ec

 NT_KEY: A9B342EC3E218E54A330556C468415CD

 What can I do for getting some details about error?

 clutching at straws
 maybe escape the + in your command (ie \+ ?
 /clutching


 *The problem appears in any case - with or without require-membership option.*
 The command can look like this:

 ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key
  --username=%{Stripped-User-Name:-%{User-Name:-None}}
  --challenge=%{mschap:Challenge:-00}
  --nt-response=%{mschap:NT-Response:-00}

 And output is the same as in previous case.

 Thanks,
 Anton


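The exchange in the debug output above, as an added example (my code, not FreeRADIUS or Samba code): it builds the ntlm_auth argv the way rlm_mschap's expansions do, checks the expanded challenge and NT-Response lengths, flags shell operators such as the "| tee" pipe from earlier in this thread (the module runs the helper directly rather than through a shell, so those tokens would reach ntlm_auth as plain arguments), and parses the helper's output with the strictness the module applies: exit status 0 and a first line of the form "NT_KEY: <32 hex digits>". The /usr/local/bin/ntlm_auth path and the sample values come from the thread; the exact module checks are reconstructed from memory of rlm_mschap and are an assumption.

```python
"""Checks on the ntlm_auth exchange shown in this thread.  Added example, not
FreeRADIUS or Samba code; it approximates what rlm_mschap does with the helper's
exit status and stdout (assumption), using the values from the debug output."""
import re
import subprocess

# rlm_mschap expands an 8-byte challenge and a 24-byte NT-Response (hex) into the
# argv of ntlm_auth and expects "NT_KEY: <32 hex digits>" on the first line back.
NT_KEY_RE = re.compile(r"^NT_KEY: ([0-9A-Fa-f]{32})\s*$")
SHELL_TOKENS = {"|", ">", ">>", "<", "&&", ";"}


def build_ntlm_auth_argv(username, challenge_hex, nt_response_hex,
                         require_membership=None,
                         ntlm_auth="/usr/local/bin/ntlm_auth"):
    """Assemble the argv for ntlm_auth and validate the expanded values.

    The ':-00' defaults in the module config mean a failed expansion would hand
    ntlm_auth a one-byte challenge, so the lengths are checked up front."""
    if len(challenge_hex) != 16 or len(nt_response_hex) != 48:
        raise ValueError("challenge must be 8 bytes and NT-Response 24 bytes, hex encoded")
    bytes.fromhex(challenge_hex)       # raises ValueError on non-hex input
    bytes.fromhex(nt_response_hex)
    argv = [ntlm_auth, "--request-nt-key"]
    if require_membership:
        # One argv element and no shell: the '+' in DOMAIN+Group needs no escaping.
        argv.append(f"--require-membership-of={require_membership}")
    argv += [f"--username={username}",
             f"--challenge={challenge_hex}",
             f"--nt-response={nt_response_hex}"]
    return argv


def shell_syntax_in_command(command_line):
    """Return the shell operators found in a configured ntlm_auth line.

    The helper is executed without a shell, so '| tee file' is handed to
    ntlm_auth as literal arguments instead of creating a pipe; this is the
    misconfiguration the thread ran into."""
    return sorted(tok for tok in command_line.split() if tok in SHELL_TOKENS)


def parse_ntlm_auth_output(returncode, stdout):
    """Apply the module's checks: zero exit status and a first line of the form
    'NT_KEY: <32 hex>'.  Returns the 16-byte NT hash used to derive MPPE keys."""
    if returncode != 0:
        raise RuntimeError(f"ntlm_auth exited {returncode}: {stdout.strip()!r}")
    first = stdout.splitlines()[0] if stdout.strip() else ""
    m = NT_KEY_RE.match(first)
    if not m:
        # A changed Samba output format (mentioned by Alan above) ends up here.
        raise RuntimeError(f"invalid output from ntlm_auth, expecting NT_KEY: {first!r}")
    return bytes.fromhex(m.group(1))


def run_ntlm_auth(argv):
    """Run the helper the way the module does (no shell) and parse its output."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return parse_ntlm_auth_output(proc.returncode, proc.stdout)


if __name__ == "__main__":
    # Values taken from the debug output in this thread.
    argv = build_ntlm_auth_argv("BAS", "205180e1818e1214",
                                "0a9b4e0053367b750904915b08aa65b792be3274e312aa78",
                                require_membership="CENTAURA+InternetUsers")
    print(" ".join(argv))
    print(parse_ntlm_auth_output(0, "NT_KEY: A9B342EC3E218E54A330556C468415CD\n").hex())
```

Running the script on a host with Samba installed (run_ntlm_auth with the argv above) is a quick way to confirm that the configured command line, and not the module, is what produces the "NT_KEY" line the server is waiting for.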


Re: MSChap via ntlm_auth problem

2009-08-19 Thread Anton Brinyov
Here are my sites-enabled/default and sites-enabled/inner-tunnel files.

Thanks,
Anton


2009/8/19 Alan Buxey a.l.m.bu...@lboro.ac.uk:
 Hi,

 I have another freeradius host (freeradius 2.1.3) with the same
 authentication scheme.
 I look at debug output on it:

 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for BAS with NT-Password
 [mschap] WARNING: Deprecated conditional expansion :-.  See man
 unlang for details
 [mschap] WARNING: Deprecated conditional expansion :-.  See man
 unlang for details
 [mschap]        expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=BAS
 [mschap]  mschap2: bb
 [mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=205180e1818e1214
 [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78
 Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD
 Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD
 Exec-Program: returned: 0
 [mschap] adding MS-CHAPv2 MPPE keys
 ++[mschap] returns ok

 The ntlm_auth commands are the same on both hosts.

 The difference is Exec-Program output:

 Why?

 your previous emails only listed the mschap module and radiusd.conf - but
 not the sites-enabled/default or sites-enabled/inner-tunnel  files.

 alan



(attachments: default, inner-tunnel)

Re: MSChap via ntlm_auth problem

2009-08-18 Thread Anton Brinyov
 Oh, sorry.
 I tried to get some details about the ntlm_auth output and forgot to remove the changes.

 I deleted the pipe but it didn't remove the problem.

 ..now post the debug again

Please find it in the attachment. Nothing changed.


(attachment: radiusd.out.1)

Re: MSChap via ntlm_auth problem

2009-08-18 Thread Anton Brinyov
Hi,

2009/8/18 Alan Buxey a.l.m.bu...@lboro.ac.uk:

 hmm, not sure about the require-membership bit as I've never used it.


The problem appears in any case - with or without require-membership option.

 which version of SAMBA are you running? Latest version is known to have
 issues - they've changed things with its output.

I use samba 3.0.35 on a FreeBSD 7.2 box.

 also, recommend you change the command to have this instead

 --username=%{Stripped-User-Name:-%{User-Name:-None}}

 that'll get rid of that annoying output error

I have the following command:

ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key
--require-membership-of=CENTAURA+InternetUsers
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

If I call it from the shell with the options from the radius request, I get this result:

# /usr/local/bin/ntlm_auth --request-nt-key
--require-membership-of=CENTAURA+InternetUsers --username=BAS
--challenge=6b6f49357dccee7c
--nt-response=ce2480f1e35c222a4d3481b83ee78854094394517f29d9ec

NT_KEY: A9B342EC3E218E54A330556C468415CD

What can I do to get some details about the error?

Thanks,
Anton.


Re: MSChap via ntlm_auth problem

2009-08-18 Thread Anton Brinyov
2009/8/18 Alan Buxey a.l.m.bu...@lboro.ac.uk:
 Hi,

 The problem appears in any case - with or without require-membership option.

  which version of SAMBA are you running? Latest version is known to have
  issues - they've changed things with its output.

 I use samba 3.0.35 on FreeBSD 7.2 box.

  also, recommend you change the command to have this instead
 
  --username=%{Stripped-User-Name:-%{User-Name:-None}}
 
  that'll get rid of that annoying output error

 I have the following command:

 ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key
 --require-membership-of=CENTAURA+InternetUsers
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}

 If I call it from shell with options from radius request - I get result:

 # /usr/local/bin/ntlm_auth --request-nt-key
 --require-membership-of=CENTAURA+InternetUsers --username=BAS
 --challenge=6b6f49357dccee7c
 --nt-response=ce2480f1e35c222a4d3481b83ee78854094394517f29d9ec

 NT_KEY: A9B342EC3E218E54A330556C468415CD

 What can I do for getting some details about error?

 clutching at straws
 maybe escape the + in your command (ie \+ ?
 /clutching


*The problem appears in any case - with or without require-membership option.*
The command can look like this:

ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}

And output is the same as in previous case.

Thanks,
Anton


Re: MSChap via ntlm_auth problem

2009-08-17 Thread Anton Brinyov
2009/8/17 Alan Buxey a.l.m.bu...@lboro.ac.uk
 whoa! you are piping the output via tee to a log file - therefore
 the code isn't getting the return value - hence the badness.

How can I get the return value?

2009/8/17 Garber, Neal neal.gar...@energyeast.com:
 Try removing the single double quote (“) just before the last right curly
 brace (“}”) at the bottom of the mschap file

Sorry, it's casual noise. It's not the cause of the problem.

Thanks,
Anton.



Re: MSChap via ntlm_auth problem

2009-08-17 Thread Anton Brinyov
2009/8/18 Alan DeKok al...@deployingradius.com:
  Don't use the pipe.  Use ntlm_auth as configured in the mschap module,
 without any extra changes.

Oh, sorry.
I tried to get some details about the ntlm_auth output and forgot to remove the changes.

I deleted the pipe but it didn't remove the problem.



Re: Problem configuring CoA

2009-08-13 Thread Anton G.

Alan DeKok wrote:

Anton G. wrote:

/usr/local/etc/raddb/clients.conf[30]: No such home_server or
home_server_pool localhost-coa
some#

What am I missing?


  Weird.  I guess the code got changed after the feature was tested and
added.  Oh well.

  I've committed a fix to git.  You can grab that, or wait an hour or
two for the pre/ directory to have a tested and updated tar file.

  Alan DeKok.


Thanks a lot, Alan!

I grabbed today's stable from git and tried it.
As far as I can see, it works.

But I've noticed one thing:

A home_server of type coa must be listed in some home_server_pool (no matter whether the
pool is used or not) to get it to work.

If it is not, I get
/usr/local/etc/raddb/clients.conf[178]: No such home_server or home_server_pool

so

---WORKS
home_server coa1 {
type = coa
secret = testing123
ipaddr = 10.1.3.5
port = 1700

coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}

home_server_pool coa {
type = fail-over
home_server = coa1
}


client test1 {
ipaddr = 10.1.3.5
netmask = 32
secret = testing321
nastype = other
coa_server = coa1
}
-


---DOESN'T WORK
home_server coa1 {
type = coa

ipaddr = 10.1.3.5
port = 1700
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}

client test1 {
ipaddr = 10.1.3.5
netmask = 32
secret = testing321
nastype = other
coa_server = coa1
}
-


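A reference check for the two clients.conf fragments above, as an added example (my code, not FreeRADIUS code): it parses the brace syntax of clients.conf with a small parser, redoes the "No such home_server or home_server_pool" lookup for every client that sets coa_server, and reports the extra condition observed in this thread, a coa home_server that is not listed in any home_server_pool. The missing-secret check is this example's own, not one the server was seen to make here. The WORKS and DOES_NOT_WORK inputs are the fragments from the post.

```python
"""Reference check for the coa_server settings discussed in this thread.
Added example, not FreeRADIUS code: it redoes the "No such home_server or
home_server_pool" lookup in Python for a clients.conf-style file and adds the
condition observed above (a coa home_server also had to appear in a pool)."""


def parse_config(text):
    """Minimal parser for the brace syntax of radiusd.conf and clients.conf.
    Returns the top-level blocks; each block is a dict with _section, _label
    and _blocks, and "key = value" lines are kept as lists so repeated keys
    (several home_server lines in one pool) survive."""
    root = {"_section": None, "_label": None, "_blocks": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            parts = line[:-1].split()
            block = {"_section": parts[0], "_label": parts[1] if len(parts) > 1 else None,
                     "_blocks": []}
            stack[-1]["_blocks"].append(block)
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            stack[-1].setdefault(key, []).append(value)
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root["_blocks"]


def first(block, key):
    """First value of a repeatable key, or None."""
    values = block.get(key)
    return values[0] if values else None


def check_coa_references(text):
    """Return (errors, warnings) for every client that sets coa_server."""
    blocks = parse_config(text)
    home_servers = {b["_label"]: b for b in blocks if b["_section"] == "home_server"}
    pools = {b["_label"]: b for b in blocks if b["_section"] == "home_server_pool"}
    pooled = {hs for p in pools.values() for hs in p.get("home_server", [])}
    errors, warnings = [], []
    for client in (b for b in blocks if b["_section"] == "client"):
        target = first(client, "coa_server")
        if target is None or target in pools:      # a pool name is always accepted
            continue
        hs = home_servers.get(target)
        if hs is None:
            errors.append(f"client {client['_label']}: No such home_server or "
                          f"home_server_pool {target}")
            continue
        if first(hs, "type") != "coa":
            errors.append(f"home_server {target}: type is {first(hs, 'type')!r}, not coa")
        if first(hs, "secret") is None:
            # CoA and Disconnect packets are authenticated with the shared secret;
            # this is a check of this example, not one the server made in the thread.
            errors.append(f"home_server {target}: no secret configured")
        if target not in pooled:
            warnings.append(f"home_server {target} is not listed in any home_server_pool; "
                            "the 2.1.7 pre-release in this thread rejected that")
    return errors, warnings


# Sample input: the "WORKS" fragment from this thread.
WORKS = """
home_server coa1 {
    type = coa
    secret = testing123
    ipaddr = 10.1.3.5
    port = 1700
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}
home_server_pool coa {
    type = fail-over
    home_server = coa1
}
client test1 {
    ipaddr = 10.1.3.5
    netmask = 32
    secret = testing321
    nastype = other
    coa_server = coa1
}
"""
# The "DOESN'T WORK" fragment: the same, minus the secret and the pool.
DOES_NOT_WORK = WORKS.replace("    secret = testing123\n", "").replace(
    "home_server_pool coa {\n    type = fail-over\n    home_server = coa1\n}\n", "")

if __name__ == "__main__":
    for name, cfg in (("works", WORKS), ("doesn't work", DOES_NOT_WORK)):
        print(name, check_coa_references(cfg))
```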


Re: Problem configuring CoA

2009-08-12 Thread Anton G.

Alan DeKok wrote:

DILLIOTT Tony wrote:

I still get the following error when I run radiusd -Xx :
 
/usr/local/etc/raddb/clients.conf[30]: No such home_server or

home_server_pool localhost-coa


  I've put a patch into git that should fix the problem.  See the
stable branch.

  Or, wait a few hours, and grab it from http://git.freeradius.org/pre/

  If it works, then everything is OK.  If it doesn't work, you probably
didn't wait long enough for the auto-build process to grab the relevant
patch.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Hello, Alan.

I've grabbed http://git.freeradius.org/pre/freeradius-server-2.1.7.tar.gz
today (the date says 11-Aug-2009 20:38)

and tried CoA again.

Almost default config, just
coa_server = localhost-coa
in clients.conf

and get
some# radiusd -X

radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = status-server
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
 home_server localhost-coa {
ipaddr = 127.0.0.1
port = 3799
type = coa
secret = testing1234
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
 }
 home_server_pool coa {
type = fail-over
virtual_server = originate-coa.example.com
home_server = localhost-coa
 }
radiusd:  Loading Clients 
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
coa_server = localhost-coa
 }
/usr/local/etc/raddb/clients.conf[30]: No such home_server or home_server_pool 
localhost-coa

some#


What am I missing?




Re: coa functionality in server question

2009-07-31 Thread Anton G.

Alan DeKok wrote:

Anton G. wrote:

It seems that I didn't understand sites-available/originate-coa right
and missed something in my conf

Could You please clarify it for me?


  You need to link it into sites-enabled/originate-coa.

  The server reads only sites-enabled, not sites-available.

  Alan DeKok.


Thanks, Alan.

I have the originate-coa link in sites-enabled; I just mistyped the first letter.



Also tried default config including default originate-coa example and get

/usr/local/etc/raddb/sites-enabled/originate-coa[154]: home_server 
localhost-coa does not exist


It seems that the server does not see home_servers of type coa in my case.


So maybe I'm missing something else in my conf?





coa functionality in server question

2009-07-29 Thread Anton G.

Hello,

Running FR 2.1.6 on FreeBSD 7.1.
I'm trying to implement CoA origination by the server.

I read sites-available/originate-coa and

added home_server

home_server coa1 {
type = coa

ipaddr = 10.1.3.5
port = 1700
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}

and coa_server to client

client test1 {
ipaddr = 10.1.3.5
netmask = 32
secret = testing321
nastype = other
coa_server = coa1
}

radiusd -X says
...
radiusd:  Loading Clients 
 client test1 {
ipaddr = 81.200.3.4
netmask = 32
require_message_authenticator = no
secret = testing321
nastype = other
coa_server = coa1
 }
/usr/local/etc/raddb/clients.conf[7]: No such home_server or home_server_pool 
coa1

It seems that I didn't understand sites-available/originate-coa right and missed
something in my conf.


Could you please clarify it for me?


Anton G.K.


Re: sql insert via unlang

2009-01-28 Thread Anton Borisov

Good day!

We have made an Oracle SQL function. This function inserts data into an SQL
table, but we call this function as

select myfunction ('aaa','bb') from dual and it returns
OK: Quota consumed.

And... this is working!!
In unlang we added:
if (%{sqlauth: select myfunction ('...','...') from dual}) {
ok
}

Now:
Wed Jan 28 16:15:43 2009 : Info:expand:  select myfunction...
Wed Jan 28 16:15:43 2009 : Debug: rlm_sql (sqlauth): Reserving sql 
socket id: 0

Wed Jan 28 16:15:43 2009 : Info: sql_xlat finished
Wed Jan 28 16:15:43 2009 : Debug: rlm_sql (sqlauth): Released sql socket 
id: 0
Wed Jan 28 16:15:43 2009 : Info: 	expand: %{sqlauth: select myfunction... -> OK: Quota consumed.

Wed Jan 28 16:15:43 2009 : Info: [reply] returns noop

So, I can see my data from Access-Request in my sql table.


t...@kalik.net wrote:

I try to add prepaid system to my equipment.
In this case when quota is reached, equipment sends Access-Request with
quota comsumed and I need to store this data in sql. But. Unfortunately,
I must think about how many on-line customers send quota to sql in same
time. Yes, I can write perl script with sql insert and update and
freeradius will execute this one every time for quota data. But, I think
this is not for system with many customers.


Perl is very fast but it needs to open (and close) the connection to the
database and that is expensive. Unlang uses threads open by freeradius
at startup. So it will work faster. But I don't think that INSERT is
supported.

Ivan Kalik
Kalik Informatika ISP



--
Yours faithfully,
Anton Borisov.


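A runnable model of the point made in this thread (the sql xlat runs only SELECTs and returns the first column of the first row) and of the workaround in this post, an INSERT done inside a function that is called from a SELECT. This is an added example, not FreeRADIUS code: SQLite stands in for Oracle, quota_consumed() is a hypothetical stand-in for the poster's myfunction, the "sqlauth" instance is modelled by sql_xlat(), and the safe-characters list is quoted from memory of the 2.x sql.conf (an assumption). The escaping is included because the workaround splices expanded attribute values straight into SQL text; in the server, rlm_sql escapes expanded values before the xlat runs.

```python
"""Model of the rlm_sql xlat limit discussed here and of the workaround from
this post (an INSERT hidden inside a function called from a SELECT).  Added
example, not FreeRADIUS code; SQLite stands in for Oracle and quota_consumed()
is a hypothetical stand-in for the poster's 'myfunction'."""
import sqlite3

# Default safe characters of rlm_sql's escape function (2.x sql.conf, quoted
# from memory); anything else is escaped as =XX before it enters a query.
SAFE_CHARS = set("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")


def sql_escape(value):
    """Escape an attribute value the way rlm_sql does before expansion, so a
    User-Name containing a quote cannot break out of the SQL string literal."""
    return "".join(c if c in SAFE_CHARS else f"={ord(c):02X}" for c in str(value))


def sql_xlat(conn, query):
    """Model of %{sql:...}: only SELECTs are run, and only the first column of
    the first row comes back (an empty string otherwise, which unlang's
    'if' treats as false)."""
    if not query.lstrip().upper().startswith("SELECT"):
        # rlm_sql.c: "Right now only SELECTs are supported."  Oracle reported
        # ORA-24333 for the INSERT in this thread; here it is refused outright.
        return ""
    row = conn.execute(query).fetchone()
    return "" if row is None or row[0] is None else str(row[0])


def open_quota_db():
    """In-memory database with the quota table and a SELECT-callable function
    that performs the INSERT.  SQLite's create_function plays the role of the
    Oracle function that the poster calls via 'select ... from dual'."""
    conn = sqlite3.connect(":memory:", isolation_level=None)   # autocommit
    conn.execute("CREATE TABLE quota_log (username TEXT, octets INTEGER)")

    def quota_consumed(username, octets):
        conn.execute("INSERT INTO quota_log (username, octets) VALUES (?, ?)",
                     (username, octets))
        return "OK: Quota consumed."

    conn.create_function("quota_consumed", 2, quota_consumed)
    return conn


def record_quota(conn, user_name, octets):
    """What 'if (%{sqlauth: select ...})' does once the attributes are expanded."""
    query = f"SELECT quota_consumed('{sql_escape(user_name)}', {int(octets)})"
    return sql_xlat(conn, query)


if __name__ == "__main__":
    db = open_quota_db()
    print(record_quota(db, "c-user", 123))            # OK: Quota consumed.
    print(db.execute("SELECT * FROM quota_log").fetchall())
```

The design point is the one Ivan makes in the quoted reply: the xlat reuses the module's already-open database connection, so the per-request cost is one round trip, while the SELECT-only rule is kept by the function returning a row. Because the value of the function call is the string that unlang tests, returning an empty string on a failed insert turns the "if" false.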

Re: sql insert via unlang

2009-01-27 Thread Anton Borisov

Good day!

So, I try to INSERT (via unlang) data into my SQL table;

In sites-enabled/default I made something like this:

if ( Service-Type == Framed-User ) {
  if ( %{sqlauth: INSERT into MYTAB VALUES ('1','2','3','4')} ) {
 ok
 }
}
and it does not work

Tue Jan 27 23:06:32 2009 : Info: expand:  INSERT into MYTAB ...
Tue Jan 27 23:06:32 2009 : Debug: rlm_sql (sqlauth): Reserving sql 
socket id: 0
Tue Jan 27 23:06:32 2009 : Error: rlm_sql_oracle: query failed in 
sql_select_query: ORA-24333: zero iteration count

Tue Jan 27 23:06:32 2009 : Error: rlm_sql_oracle: OCI_SERVER_NORMAL


Well, if I change my INSERT to a SELECT (for example)

if ( Service-Type == Framed-User ) {
  if ( %{sqlauth: SELECT COUNT from MYTAB} ) {
 ok
 }
}


this works well..

Tue Jan 27 23:06:57 2009 : Debug: rlm_sql (sqlauth): Reserving sql 
socket id: 0

Tue Jan 27 23:06:57 2009 : Info: sql_xlat finished
^^
Tue Jan 27 23:06:57 2009 : Debug: rlm_sql (sqlauth): Released sql socket 
id: 0



In rlm_sql.c :

/*
 *  sql xlat function. Right now only SELECTs are supported. Only
 *  the first element of the SELECT result will be used.
 */


Oh, I am really very interested in INSERT SQL. Please tell me, is this
right? Can I insert or update any data into my DB? Can I use another way
to INSERT SQL data when I do not use SQL accounting and the
accounting_start_query/stop_query statements?

I need to insert or update SQL data when my customers go through the authorize check.


Thank you.




Alan DeKok:

Flamur Rogova wrote:

in my authorize section, I have this,
...
check_password
if(notfound) {
# log notfound to sql, the line below gives error...
%{sql: INSERT INTO test.logs SET test.logs.user='%{User-Name}',
test.description='user not found' }


  You cannot put strings into the configuration like that.


man unlang says it is possible to obtain results from db, but I need to
execute only sql INSERT,
is my syntax wrong ?


  Yes.  Nothing in the documentation says that this will work.

  You can do:

  if (%{sql:INSERT ...) {
ok
  }

  Alan DeKok.


--
Yours faithfully,
Anton Borisov.


Re: sql insert via unlang

2009-01-27 Thread Anton Borisov

Good day!
Thank you for your reply.

I try to add prepaid system to my equipment.
In this case when the quota is reached, the equipment sends an Access-Request with 
the quota consumed and I need to store this data in SQL. But. Unfortunately, 
I must think about how many on-line customers send quota data to SQL at the same 
time. Yes, I can write a perl script with SQL insert and update and 
freeradius will execute it every time for quota data. But, I think 
this is not for a system with many customers.
Do you mean Exec-Program perl? If you are talking about something else, 
please, give me some examples...

Sorry for my language.

Thank you!

t...@kalik.net wrote:

/*
 *  sql xlat function. Right now only SELECTs are supported. Only
 *  the first element of the SELECT result will be used.
 */


Oh, I am really very interested in INSERT sql. Please, tell me, Is this
right? Can I insert or update any data into my DB? Can I use another way
for INSERT sql data when I do not use  sql accounting and
accounting_start_query/stop_query statement?
I need to insert or update sql data when my customers do authorize check.


I use perl.

Ivan Kalik
Kalik Informatika ISP



--
Yours faithfully,
Anton Borisov.



Some SQL radgroupcheck/reply troubles.

2009-01-13 Thread Anton Borisov
 = radgroupreply.GroupName AND usergroup.GroupName = 
'%{SQL-Group}' ORDER BY usergroup.PRIORITY ->  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE (usergroup.Username = 'c-user' OR 
usergroup.CLID = '250097000222612') AND usergroup.GroupName = 
radgroupreply.GroupName AND usergroup.GroupName = 'b-group' ORDER BY 
usergroup.PRIORITY
Tue Jan 13 13:28:04 2009 : Debug: rlm_sql (sqlauth): Released sql socket 
id: 0

Tue Jan 13 13:28:04 2009 : Info: ++[sqlauth] returns ok


And correct result:
rad_recv: Access-Accept packet from host 127.0.0.01 port 1812, id=133, 
length=47

Reply-Message = c-reply
Reply-Message = a-group
Reply-Message = b-group


All in all:
We have TWO selects for TWO groups and we use Fall-Through to check 
all groups. All are working!


First select in debug:
 SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE (usergroup.Username = 'c-user' OR 
usergroup.CLID = '250097000222612') AND usergroup.GroupName = 
radgroupreply.GroupName AND usergroup.GroupName = 'a-group' ORDER BY 
usergroup.PRIORITY


GROUPNAME   ATTRIBUTE       VALUE     OP
a-group     Fall-Through    Yes       =
a-group     Reply-Message   a-group   +=

Second select:
SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE (usergroup.Username = 'c-user' OR 
usergroup.CLID = '250097000222612') AND usergroup.GroupName = 
radgroupreply.GroupName AND usergroup.GroupName = 'b-group' ORDER BY 
usergroup.PRIORITY


GROUPNAME   ATTRIBUTE       VALUE     OP
b-group     Reply-Message   b-group   +=



What do you think?


--
Yours faithfully,
Anton Borisov.



Re: Exec-Program in acct_users file

2008-12-23 Thread Anton Borisov

Thank you for your reply.

Yes, yes.
I have uncommented exec in post-auth section in 
/etc/raddb/sites-enabled/default config.



So, another way in 2.1.1: I've configured this program only with the 
accounting module.

Some examples:

/etc/raddb/sites-enabled/default
accounting {
...
...
Acct-Type BILL {
if ( Acct-Status-Type =~ /Start|Stop/ ) {
dns
}
}
...

cat /etc/raddb/modules/exec
...
...
exec dns {
wait = yes
program = /path-to-my-programm.sh
input_pairs = request
output_pairs = reply
}

This is working, but it would be quicker and easier to only add Exec-Program to 
acct_users (like in version 1.7.7).

Would you be so kind as to give some examples for acct_users in 2.1.1?




Alan DeKok wrote:

Anton Borisov wrote:

I used Start and Stop in accounting for some DNS registrations of my
clients, like this:

~# cat acct_users
...
...
DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type := BILL

...

and this works in 1.1.7 !

But for 2.1.1 - this does not work.


  You need to list the exec module in the post-auth section.

  Alan DeKok.


--
Yours faithfully,
Anton Borisov.



Exec-Program in acct_users file

2008-12-22 Thread Anton Borisov

Good day!

Does anyone know about Exec-Program in acct_users in FreeRADIUS 2.1.1?
I upgraded from 1.1.7 to 2.1.1 and do not see exec in the debug output.

I used Start and Stop in accounting for some DNS registrations of my 
clients, like this:


~# cat acct_users
...
...
DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type := BILL
        Exec-Program = /opt/fr/bin/dyndns.acctstart.pl
DEFAULT Realm == 'dyndns', Acct-Status-Type == Stop, Acct-Type := BILL
        Exec-Program = /opt/fr/bin/dyndns.acctstop.pl


and this works in 1.1.7 !

But for 2.1.1 - this does not work.

Mon Dec 22 18:19:19 2008 : Info: ++[preprocess] returns ok
Mon Dec 22 18:19:19 2008 : Info: [suffix] Looking up realm dyndns for 
User-Name = 12...@dyndns

Mon Dec 22 18:19:19 2008 : Info: [suffix] Found realm dyndns
Mon Dec 22 18:19:19 2008 : Info: [suffix] Adding Stripped-User-Name = 
12345

Mon Dec 22 18:19:19 2008 : Info: [suffix] Adding Realm = dyndns
Mon Dec 22 18:19:19 2008 : Info: [suffix] Accounting realm is LOCAL.
Mon Dec 22 18:19:19 2008 : Info: ++[suffix] returns ok
Mon Dec 22 18:19:19 2008 : Info: [files] 	expand: %{NAS-IP-Address} -> 212.119.106.21
Mon Dec 22 18:19:19 2008 : Info: [files] acct_users: Matched entry 
DEFAULT at line 32


At this point (line 32 is Realm == 'dyndns', line 33 is Exec-Program = 
blabla in acct_users) it does not work.


Mon Dec 22 18:19:19 2008 : Info: ++[files] returns ok
Mon Dec 22 18:19:19 2008 : Debug:   Found Acct-Type BILL
Mon Dec 22 18:19:19 2008 : Info: +- entering group BILL {...}
Tue Dec 23 10:40:52 2008 : Info: [acct_unique] Hashing 'NAS-IP-Address = 
212.119.106.21,Acct-Session-Id = D4776A151004A3344'
Tue Dec 23 10:40:52 2008 : Info: [acct_unique] Acct-Unique-Session-ID = 
eddc8ecb616eae58.

Tue Dec 23 10:40:52 2008 : Info: ++[acct_unique] returns ok
Tue Dec 23 10:40:52 2008 : Info: [BILL] 	expand: /opt/fr2/radacct/files/cdr.%Y%m%d.%H -> /opt/fr2/radacct/files/cdr.20081223.10
Tue Dec 23 10:40:52 2008 : Info: [BILL] 
/opt/fr2/radacct/files/cdr.%Y%m%d.%H expands to 
/opt/fr2/radacct/files/cdr.20081223.10

Tue Dec 23 10:40:52 2008 : Info: [BILL] Acquired filelock, tried 1 time(s)
Tue Dec 23 10:40:52 2008 : Info: [BILL] 	expand: %t -> Tue Dec 23 10:40:52 2008

Tue Dec 23 10:40:52 2008 : Info: [BILL] Released filelock
Tue Dec 23 10:40:52 2008 : Info: ++[BILL] returns ok
Sending Accounting-Response of id 66 to 128.1.134.55 port 50812

At this point it does not work again...

Tue Dec 23 10:40:52 2008 : Info: Finished request 0.
Tue Dec 23 10:40:52 2008 : Info: Cleaning up request 0 ID 66 with 
timestamp +3

Tue Dec 23 10:40:52 2008 : Debug: Going to the next request


in 1.1.7


Tue Dec 23 10:28:56 2008 : Debug: rlm_acct_unique: 
Acct-Unique-Session-ID = fd9494068cfbfd81.
Tue Dec 23 10:28:56 2008 : Debug:   modsingle[accounting]: returned from 
acct_unique (rlm_acct_unique) for request 1
Tue Dec 23 10:28:56 2008 : Debug:   modcall[accounting]: module 
acct_unique returns ok for request 1
Tue Dec 23 10:28:56 2008 : Debug:   modsingle[accounting]: calling BILL 
(rlm_detail) for request 1
Tue Dec 23 10:28:56 2008 : Debug: radius_xlat: 
'/opt/fr/radacct/files/cdr.20081223.10'
Tue Dec 23 10:28:56 2008 : Debug: rlm_detail: 
/opt/fr/radacct/files/cdr.%Y%m%d.%H expands to 
/opt/fr/radacct/files/cdr.20081223.10
Tue Dec 23 10:28:56 2008 : Debug: rlm_detail: Acquired filelock, tried 1 
time(s)

Tue Dec 23 10:28:56 2008 : Debug: rlm_detail: Released filelock
Tue Dec 23 10:28:56 2008 : Debug:   modsingle[accounting]: returned from 
BILL (rlm_detail) for request 1
Tue Dec 23 10:28:56 2008 : Debug:   modcall[accounting]: module BILL 
returns ok for request 1
Tue Dec 23 10:28:56 2008 : Debug: modcall: leaving group BILL (returns 
ok) for request 1


At this point my script is working.

Sending Accounting-Response of id 232 to 128.1.134.55 port 33228
Tue Dec 23 10:28:56 2008 : Debug: Finished request 1
Tue Dec 23 10:28:56 2008 : Debug: Going to the next request




--
Yours faithfully,
Anton Borisov.



Re: SUN_LEN Error

2008-12-12 Thread Anton Borisov

Good day!

Thank you! It is working!
Could I ask about a key for Solaris OS in the future?
Something like --without-SUN_LEN...


Sorry about duplicate, I thought my first message was rejected by 
mail-filter.



Alan DeKok wrote:

Anton Borisov wrote:

Good day!


  You don't need to post the same message multiple times.


I try to use new version 2.1.3 in Solaris10.
(uname -a SunOS x 5.10 Generic_125100-06 sun4u sparc SUNW,Netra-240)

...

Undefined   first referenced
 symbol in file
SUN_LEN .libs/listen.o


  You need to add:

#define SUN_LEN(su)  (sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path))

  to src/include/radiusd.h

  Apparently Solaris doesn't have SUN_LEN

  Alan DeKok.


--
Yours faithfully,
Anton Borisov.



SUN_LEN Error

2008-12-11 Thread Anton Borisov

Good day!

I try to use new version 2.1.3 in Solaris10.
(uname -a SunOS x 5.10 Generic_125100-06 sun4u sparc SUNW,Netra-240)

I have installed 2.1.1 - ./configure + make + make install - all of them 
work fine, but when I try to make the new version I get an error:



./configure is ok,

make is:
...
...
...
creating .libs/radiusdS.c
(cd .libs && gcc  -g -O2 -c -fno-builtin radiusdS.c)
rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o 
.libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o 
.libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o 
.libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o 
.libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o 
.libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o 
.libs/detail.o 
/usr/local/src/freeradius-server-2.1.3/src/lib/.libs/libfreeradius-radius.so 
-lnsl -lresolv -lsocket -lposix4 -lpthread -lcrypt 
/usr/local/src/freeradius-server-2.1.3/libltdl/.libs/libltdl.so -ldl 
-R/opt/fr2/lib

Undefined   first referenced
 symbol in file
SUN_LEN .libs/listen.o
ld: fatal: Symbol referencing errors. No output written to .libs/radiusd
collect2: ld returned 1 exit status
make[4]: *** [radiusd] Error 1
make[4]: Leaving directory `/opt/src/freeradius-server-2.1.3/src/main'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/opt/src/freeradius-server-2.1.3/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/opt/src/freeradius-server-2.1.3/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/opt/src/freeradius-server-2.1.3'
make: *** [all] Error 2


So, would you be so kind as to tell me where I made my mistake?


--
Yours faithfully,
Anton Borisov.


SUN_LEN Error

2008-12-11 Thread Anton Borisov

Good day!

I try to use new version 2.1.3 in Solaris10.
(uname -a SunOS x 5.10 Generic_125100-06 sun4u sparc SUNW,Netra-240)

I have installed 2.1.1 - ./configure + make + make install - all of them 
work fine, but when I try to make the new version I get an error:



./configure is ok,

make is:
...
...
...
creating .libs/radiusdS.c
(cd .libs && gcc  -g -O2 -c -fno-builtin radiusdS.c)
rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o 
.libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o 
.libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o 
.libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o 
.libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o 
.libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o 
.libs/detail.o 
/usr/local/src/freeradius-server-2.1.3/src/lib/.libs/libfreeradius-radius.so 
-lnsl -lresolv -lsocket -lposix4 -lpthread -lcrypt 
/usr/local/src/freeradius-server-2.1.3/libltdl/.libs/libltdl.so -ldl 
-R/opt/fr2/lib

Undefined   first referenced
 symbol in file
SUN_LEN .libs/listen.o
ld: fatal: Symbol referencing errors. No output written to .libs/radiusd
collect2: ld returned 1 exit status
make[4]: *** [radiusd] Error 1
make[4]: Leaving directory `/opt/src/freeradius-server-2.1.3/src/main'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/opt/src/freeradius-server-2.1.3/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/opt/src/freeradius-server-2.1.3/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/opt/src/freeradius-server-2.1.3'
make: *** [all] Error 2


So, would you be so kind as to tell me where I made my mistake...


--
Yours faithfully,
Anton Borisov.



Re: Exec-Program and length of arguments

2006-06-07 Thread Anton Maksimenkov

 If I add to users file this:
When I used exec-program all the attributes I wanted were in the
environment.


And how can I exploit it? I get only this:
--
$ cat /home/engineer/acrad.sh
#!/bin/sh
printenv > /tmp/exec-program-wait
--
bob   Auth-Type := Local, User-Password == bob
   Reply-Message = Hello, %u,
   Exec-Program = /home/engineer/acrad.sh
--
after radtest in /tmp/exec-program-wait I found only
$ cat /tmp/exec-program-wait
CLIENT_IP_ADDRESS=127.0.0.1
NAS_IP_ADDRESS=255.255.255.255
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
NAS_PORT=0
USER_PASSWORD=bob
USER_NAME=bob

But this is far less than what I was waiting for... I need to do the same
thing that SQL accounting does. If I look at raddb/pgsql-voip.conf, I can see
the nice accounting_stop_query, which puts a lot of interesting info into the
database. I think it can put all of
%{User-Name} : %{Service-Type} : %{Acct-Status-Type} :
%{Acct-Session-Id} : %{Framed-Protocol} : %{NAS-Identifier} :
%{NAS-Port-Id} : %{NAS-IP-Address} : %{Calling-Station-Id} :
%{Called-Station-Id} : %{Framed-IP-Address} : %{Acct-Input-Octets} :
%{Acct-Output-Octets} : %{Acct-Input-Packets} : %{Acct-Output-Packets}
: %{Acct-Session-Time} : %{Acct-Terminate-Cause}
Am I right?

So, how can I do the same, but with a perl/shell script (e.g. pass all
these variables as arguments or environment)?


> From radiusd.conf
> #
> #  The attributes which are placed into the
> #  environment variables for the program.
> #
> #  Allowed values are:
> #
> #   request attributes from the request
> #   config  attributes from the
> configuration items list
> #   reply   attributes from the reply
> #   proxy-request   attributes from the proxy request
> #   proxy-reply attributes from the proxy reply
> #
> #  Note that some attributes may not exist at some
> #  stages.  e.g. There may be no proxy-reply
> #  attributes if this module is used in the
> #  'authorize' section.


I read this. But I'm just a newbie, sorry. I tried this
exec echo {
wait = yes
program = "/home/engineer/acrad.sh %{User-Name}"
input_pairs = request
output_pairs = reply
}
instantiate {
   exec
...
but it seems that the program is not started at all.

--
engineer


Exec-Program and length of arguments

2006-06-06 Thread Anton Maksimenkov

Hi.

If I add to users file this:
bob   Auth-Type := Local, User-Password == "bob"
      Reply-Message = "Hello, %u",
      Exec-Program = "/home/engineer/acrad.pl User-Name=%{User-Name} Service-Type=%{Service-Type} Acct-Status-Type=%{Acct-Status-Type} Acct-Session-Id=%{Acct-Session-Id} Framed-Protocol=%{Framed-Protocol} NAS-Identifier=%{NAS-Identifier} NAS-Port-Id=%{NAS-Port-Id}"

it works. But I need to pass more arguments to my program, and as far
as I can see there is some limit. If I add this:
Exec-Program = "/home/engineer/acrad.sh User-Name=%{User-Name} Service-Type=%{Service-Type} Acct-Status-Type=%{Acct-Status-Type} Acct-Session-Id=%{Acct-Session-Id} Framed-Protocol=%{Framed-Protocol} NAS-Identifier=%{NAS-Identifier} NAS-Port-Id=%{NAS-Port-Id} NAS-IP-Address=%{NAS-IP-Address} Calling-Station-Id=%{Calling-Station-Id} Called-Station-Id=%{Called-Station-Id} Framed-IP-Address=%{Framed-IP-Address} Acct-Input-Octets=%{Acct-Input-Octets} Acct-Output-Octets=%{Acct-Output-Octets} Acct-Input-Packets=%{Acct-Input-Packets} Acct-Output-Packets=%{Acct-Output-Packets} Acct-Session-Time=%{Acct-Session-Time} Acct-Terminate-Cause=%{Acct-Terminate-Cause}"

# radiusd -sfxxyz -l stdout 2>&1
...
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
/etc/raddb/users[220]: Parse error (reply) for entry bob: Expected end
of line or comma
Errors reading /etc/raddb/users
radiusd.conf[1047]: files: Module instantiation failed.
radiusd.conf[1791] Unknown module files.
radiusd.conf[1727] Failed to parse authorize section.

and the same with the hints file.

The main goal is that I need to do some accounting with my script. I
looked at experimental.conf (at the perl section), but for now I don't
understand whether I can utilize it for my needs somehow.
What can I do?
--
engineer
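As an added example (not code from this thread or from the FreeRADIUS project), here is the kind of script the two posts above are asking for: rather than passing every attribute on the Exec-Program line, let rlm_exec export the request attributes into the environment (`input_pairs = request`, as in the `exec` block quoted in the reply) and have the script pull them from there. The environment-variable naming (attribute name upper-cased, `-` replaced by `_`) is the one visible in the printenv output above; the log path, the helper names and the constructed sample environment are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Added example: an rlm_exec helper that reads RADIUS attributes from the
environment instead of the command line (not code from this thread)."""
import os
import sys

# Field order of the accounting_stop_query the poster quotes from pgsql-voip.conf.
ACCT_ATTRS = [
    "User-Name", "Service-Type", "Acct-Status-Type", "Acct-Session-Id",
    "Framed-Protocol", "NAS-Identifier", "NAS-Port-Id", "NAS-IP-Address",
    "Calling-Station-Id", "Called-Station-Id", "Framed-IP-Address",
    "Acct-Input-Octets", "Acct-Output-Octets", "Acct-Input-Packets",
    "Acct-Output-Packets", "Acct-Session-Time", "Acct-Terminate-Cause",
]

# Hypothetical log path for this example.
LOG_PATH = "/tmp/acrad.log"

# Constructed sample of what rlm_exec exports for an Accounting-Request
# (same naming as the printenv output in the thread: upper case, '-' -> '_').
SAMPLE_ENV = {
    "USER_NAME": "bob",
    "NAS_IP_ADDRESS": "255.255.255.255",
    "ACCT_STATUS_TYPE": "Stop",
    "ACCT_SESSION_ID": "3f0a1c2e",
    "ACCT_INPUT_OCTETS": "1234",
    "ACCT_OUTPUT_OCTETS": "98765",
    "PATH": "/usr/bin:/bin",  # not an attribute, must be ignored
}


def env_name(attr):
    """Map a RADIUS attribute name to the variable name rlm_exec exports:
    User-Name -> USER_NAME, NAS-IP-Address -> NAS_IP_ADDRESS."""
    return attr.upper().replace("-", "_")


def collect_attrs(environ, wanted=ACCT_ATTRS):
    """Return {attribute: value} for every wanted attribute present in environ.
    Attributes that do not exist at this stage (no Acct-* in an Access-Request,
    for instance) are left out rather than invented."""
    return {a: environ[env_name(a)] for a in wanted if env_name(a) in environ}


def format_record(attrs, wanted=ACCT_ATTRS):
    """One ' : '-separated line in the SQL query's field order; missing fields
    stay empty and ':' inside a value is escaped so the line stays parseable."""
    return " : ".join(attrs.get(a, "").replace(":", "\\:") for a in wanted)


def reply_pairs(attrs):
    """Lines for stdout when the exec instance has output_pairs = reply; rlm_exec
    parses each 'Attribute = "value"' line and adds it to the reply."""
    user = attrs.get("User-Name", "").replace('"', "")
    return ['Reply-Message = "Hello, %s"' % user]


def demo_record():
    """Run the pipeline over the constructed sample instead of the real environment."""
    return format_record(collect_attrs(SAMPLE_ENV))


def main():
    attrs = collect_attrs(os.environ)
    with open(LOG_PATH, "a") as fh:
        fh.write(format_record(attrs) + "\n")
    for line in reply_pairs(attrs):
        print(line)
    return 0  # exit status 0 tells rlm_exec the program succeeded


if __name__ == "__main__":
    sys.exit(main())
```

Configured with `wait = yes`, `input_pairs = request` and `output_pairs = reply` as in the `exec` block above, the script never hits the users-file line-length problem, because nothing is passed on the command line. Attributes such as the Acct-* ones only exist in accounting packets, so the script writes an empty field for anything missing instead of failing at the authorize stage.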


Re: rlm_eap.so

2006-01-17 Thread Anton Gorlov

Nicolas Baradakis writes:


> I don't see libeap.so in the output of ldd. Something is wrong here,
> because rlm_eap depends on libeap.
> You could try to re-build FreeRADIUS with ./configure --disable-shared.


It is undesirable to use static libraries.
I have found a similar problem on the Internet:

=
Adding -leap -L../../libeap to the RLM_LIBS line in
src/modules/rlm_eap/types/rlm_eap_ttls/Makefile fixed that,
but I'm almost positive that's not the right solution.
It means rlm_eap_ttls.so shows rlm_eap.so in its ldd
output.
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg03597.html





libeap.so

2006-01-17 Thread Anton Gorlov

Hm...

> Warning: Linking the executable radeapclient against the loadable module
> libeap.so is not portable!

[EMAIL PROTECTED] root]#  ls /usr/lib/freeradius/libeap.so
/usr/lib/freeradius/libeap.so


Re: rlm_eap.so

2006-01-17 Thread Anton Gorlov

Nicolas Baradakis writes:


>>> You could try to re-build FreeRADIUS with ./configure --disable-shared.
>>
>> It is undesirable to use static libraries.
>
> Then you could try to build FreeRADIUS from a CVS snapshot: the build
> process of rlm_eap and libeap should work better.

freenibs does not build from cvs.

configure: warning: CC=gcc: invalid host type
configure: warning: CFLAGS=-pipe -Wall -O2 -march=i686: invalid host type
configure: error: can only configure for one host and one target at a time
configure: error: /bin/sh './configure' failed for src/modules/rlm_nibs


rlm_eap.so

2006-01-16 Thread Anton Gorlov
I've compiled a fresh version of FreeRADIUS (Version 1.1.0) from
http://www.freeradius.org/ but I've got an error on program startup:


Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
radiusd: symbol lookup error: /usr/lib/freeradius/rlm_eap.so: undefined 
symbol: eaptype_name2type

[EMAIL PROTECTED] freeradius-1.1.0]# ldd  /usr/lib/freeradius/rlm_eap.so
libssl.so.4 => /lib/libssl.so.4 (0x00128000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x00158000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00253000)
libresolv.so.2 => /lib/libresolv.so.2 (0x00268000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0027b000)
libc.so.6 => /lib/libc.so.6 (0x002ce000)
libdl.so.2 => /lib/libdl.so.2 (0x003db000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

[EMAIL PROTECTED] rlm_eap]# uname -a
Linux ring.local 2.4.26-std-up-alt13 #1 Mon Nov 14 00:25:14 MSK 2005 
i686 unknown unknown GNU/Linux


Re: Authenticate via rlm_pap/rlm_chap/rlm_mschap against external password

2004-02-29 Thread Anton Voronin
Well, then I guess the problem is to replace User-Password, NT-Password and
LM-Password in the request->config_items pairlist (using some external module) at
the authorization stage so that chained rlm_pap/rlm_chap/rlm_mschap modules
could check against them during the authentication stage, like this:

modules {
...
exec_new ext_script {   # an abstract exec-like module that fetches passwords
                        # and installs them into request->config_items
wait = yes
program = "/usr/local/sbin/AuthRadius %Z"
}
...
}
authorize {
...
ext_script
...
}
authenticate {
Auth-Type EXEC {
group {
pap {
fail = 1
invalid  = 2
reject   = 3
noop = 4
ok   = return
updated  = return
userlock = return
handled  = return
}
chap {
fail = 1
invalid  = 2
reject   = 3
noop = 4
ok   = return
updated  = return
userlock = return
handled  = return
}
mschap {
fail = 1
invalid  = 2
reject   = 3
noop = 4
ok   = return
updated  = return
userlock = return
handled  = return
}
}
}


Is it ever possible (even with rlm_exec modification)?


27  2004 21:19 Alan DeKok wrote:
> Anton Voronin [EMAIL PROTECTED] wrote:
>> Is it possible to somehow make rlm_pap, rlm_chap or rlm_mschap to
>> authenticate against a password (or NT/LM hash)  taken from an external
>> source (for example, using rlm_exec or rlm_perl)?
>
>   MS-CHAP does this already.  If you would have tried it, you would
> see that it works.
>
>   It's impossible to do for CHAP.
>
>   The PAP module could do it I guess, but it would require code
> changes.

-- 
Anton Voronin
Intersvyaz JSC
http://www.chelcom.ru
+7 (3512) 655199




a bug in the ippool.c

2004-02-20 Thread Anton Blajev
Hello there.
I've posted previously but no one took it as a bug.
I'm using freebsd pptp+ppp+freeradius+mysql.
I've tried to set up ippool so I can get dynamically assigned ips from the
radius server. It worked just fine with radtest, I got the right answer
with the ip address and all fine.
But! When I tried through ppp (set radius /etc/ppp/radius.conf) I didn't
get any ip number, just got authenticated.
According to the debug information ippool failed to give me an ip address
because ppp didn't send any NAS-Port = port; it returned
NAS-Port-Type = Virtual

I thought this was a ppp bug but look at this answer from the freebsd-net
list (and rfcs):
---
NAS-Port is not required.  From RFC2865 section 4.1:

  An Access-Request SHOULD contain a NAS-Port or NAS-Port-Type
  attribute or both unless the type of access being requested does
  not involve a port or the NAS does not distinguish among its
  ports.

NAS-Port is intended to specify the physical (modem) port on a dialin
server.  It does not mean the UDP port from/to which RADIUS requests
are sent.  The bug, if any, is in whatever is demanding that the
attribute be present.

---
I took a look at ippool.c and there is an if statement that returns
noop if there is no NAS-Port.
I think this should be considered a bug in freeradius ippool... what
would you say guys?




Re: How to Auth-Type

2004-02-19 Thread Anton Voronin
19  2004 15:51 Mike Groeneweg wrote:
> I've done it in my custom rlm_perl module, in the authorization stage, I
> look at the Called-Number attribute to see which IP pool and user list I
> want to use (ie Staff vs Student, in a Uni environment):

Thanks Mike,
unfortunately rlm_perl doesn't work on my old system :(
I'll try to look at other modules (rlm_exec for example)

-- 
Anton Voronin
Intersvyaz JSC
http://www.chelcom.ru
+7 (3512) 655199




NAS-Port-Type = Virtual || NAS-Port = 1812 ????!!! Please help!

2004-02-18 Thread Anton Blajev
Hello there, 
I'm running freeradius on my freebsd box and now I'm trying to configure
it to set dynamic ips, I've configured it and it works just fine with
radtest BUT!
when I try to connect through my pptp server I get authenticated but I
don't get an ip address!!
I've debugged for a while and saw this:

when I run : radtest bla bla 192.168.0.100 1812 blabla

I got: 
rad_recv: Access-Request packet from host 192.168.0.100:3137, id=255,
length=55
User-Name = bla
User-Password = bla
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
modcall: entering group authorize for request 38

and I get an ip address assigned from the dynamic range:
rad_recv: Access-Accept packet from host 192.168.0.100:1812, id=99,
length=44
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-IP-Address = 192.168.12.192
Framed-IP-Netmask = 255.255.254.0

BUT!!! when I try to connect through pptp (the ppp implementation under
freebsd 4.9, using set radius in ppp.conf) I get this:

rad_recv: Access-Request packet from host 192.168.0.1:1421, id=109,
length=142
User-Name = bla
Service-Type = Framed-User
Framed-Protocol = PPP
MS-CHAP-Challenge = 0x35303437363836363834343734393632
MS-CHAP2-Response =
0x010085a16d8c4d564e0b754f61fff6680efa032b2a37754168ca3fd20909891b617982a445a7e6670623
NAS-Identifier = valqk.upper.lan
NAS-Port-Type = Virtual


and after that:
rlm_ippool: Could not find nas port information. Return NOOP.
  modcall[post-auth]: module access_pool returns noop for request 35


Is this some kind of bug and can anyone tell me why this is happening???
I'd greatly appreciate any help!!
10x in advance!!!




Re: module calling logic

2004-02-18 Thread Anton Voronin
19  2004 11:11 Anton Voronin wrote:

> 2) I cannot define a custom instance of exec module (for example,
> exec_xxx). If I define exec xxx {...} in module configuration section,
> I cannot refer it from authenticate{...} or authorize{...} as exec_xxx,
> because the server complains ERROR: Cannot find a configuration entry for
> module exec_xxx.

Please ignore (2), I should have referred it as just xxx :)

-- 
Anton Voronin
Intersvyaz JSC
http://www.chelcom.ru
+7 (3512) 655199




Re: Rlm_perl :how to add

2004-02-18 Thread Anton Voronin
19  2004 11:37 Truong Manh Cuong wrote:
> I want to write a perl script to control something in authorize session
> and authenticate session. How can I do that?
> Please give me a small example.
> where can I put the line that declare the script. where and what I have
> to add to config file when I want to use perl script.
> THanks and Regards,
> Manh Cuong.

Try the following:

modules {
...
perl {
module = path/to/your/script
}
...
}


-- 
Anton Voronin
Intersvyaz JSC
http://www.chelcom.ru
+7 (3512) 655199




Dynamic IP assignment?

2004-02-17 Thread Anton Blajev
Hello to everyone!

I'm pretty new to using radius, I've made my freeradius talk with
mysql and it works just fine, but now I want my radius to assign ips,
because I don't want static ips for my users, I've looked around and
saw that there is a way, using rlm_ippool.
I'm using freebsd 4.9 and it's very important to me because ppp itself
can't assign ips dynamically.

Can anyone help me(that has done this before)?

I need to have my mysql set up so different groups have different ranges
of ips (even different networks), and also when I put a static ip for a
user, he gets this ip, not a dynamic one.

If anyone can help, I'd appreciate it very much!
10x in advance!!!
have a nice day.




Re: Dynamic IP assignment?

2004-02-17 Thread Anton Blajev
10x a lot for the quick and accurate answer!!!
This list is just great, the right answer was RTFM but you've answered
explaining how to do it.

THANKS A LOT

I thought I'd have to install something separate from freeradius!

FreeRadius is just GREAT!
KEEP DOING THE GOOD THING GUYS!

10x a lot again!

On Tue, 2004-02-17 at 14:42, [EMAIL PROTECTED] wrote:
> On Tue, Feb 17, 2004 at 01:59:58PM +0200, Anton Blajev wrote:
>>
>> I'm pretty new to using radius, I've made my freeradius talk with
>> mysql and it works just fine, but now I want my radius to assign ips,
>> because I don't want static ips for my users, I've looked around and
>> saw that there is a way, using rlm_ippool.
>> I'm using freebsd 4.9 and it's very important to me because ppp itself
>> can't assign ips dynamically.
>>
>> Can anyone help me (that has done this before)?
>>
>> I need to have my mysql set up so different groups have different ranges
>> of ips (even different networks), and also when I put a static ip for a
>> user, he gets this ip, not a dynamic one.
>>
>
> (Almost) complete solution can be found in radiusd.conf
>  # Example:
>  # radiusd.conf: ippool students { [...] }
>  # users file  : DEFAULT Group == students,
>  # Pool-Name := students
>
>
>  So, all you have to do is define several ippools and assign
>  correct pool to each group.




Problem installing freeradius+rlm_sql_mysql under freebsd ! Strange!

2004-02-11 Thread Anton Blajev
Hello all out there, 

I'm using FreeBSD as my server machine, I wanted to run radius+mysql
auth for my pptp users.

I got freeradius to work just fine, but!
When I tried to get it working with mysql I wasn't able to :(.

It returned the error "freeradius can't load rlm_sql_mysql module".
I've done ls -la in the lib dir; there was rlm_sql.so pointing to
rlm_sql_postgresql.so

I've installed freeradius a lot of times after that, with different options
( I'm installing it from /usr/ports , I have the exact version of mysql
server + client).
I'm defining -DWITH_MYSQL_VER=40 as described in the Makefile in
/usr/ports/net/freeradius/Makefile, but nothing!!!
I get the same result every time, freeradius gets built with postgres and
no mysql :(((

Any ideas why's that?
10x in advance!




Re: Problem installing freeradius+rlm_sql_mysql under freebsd ! Strange!

2004-02-11 Thread Anton Blajev
Yep! It worked!

So, in conclusion, as has been said: when you install freeradius on
freebsd from ports, use make -WITH_MYSQL=yes, not make -D.anything
here as you are used to when defining something;
it worked! I have rlm_sql_mysql.so!!
Thanks a lot guys!

On Wed, 2004-02-11 at 21:34, Guy Fraser wrote:
> Anton Blajev wrote:
>
>> Hello all out there,
>>
>> I'm using FreeBSD as my server machine, I wanted to run radius+mysql
>> auth for my pptp users.
>>
>> I got freeradius to work just fine, but!
>> When I tried to get it working with mysql I wasn't able to :(.
>>
>> It returned the error "freeradius can't load rlm_sql_mysql module".
>> I've done ls -la in the lib dir; there was rlm_sql.so pointing to
>> rlm_sql_postgresql.so
>>
>> I've installed freeradius a lot of times after that, with different options
>> ( I'm installing it from /usr/ports , I have the exact version of mysql
>> server + client).
>> I'm defining -DWITH_MYSQL_VER=40 as described in the Makefile in
>> /usr/ports/net/freeradius/Makefile, but nothing!!!
>> I get the same result every time, freeradius gets built with postgres and
>> no mysql :(((
>>
>> Any ideas why's that?
>> 10x in advance!
>>
>
> Change directory to :
> /usr/ports/net/freeradius
>
> Type these commands as root or use sudo :
>
> make deinstall
> make clean
> make WITH_MYSQL=yes
> make install
>
> You should now have freeradius installed with mysql support.
>
> If you want to build from cvs...
>
> As root :
>
> cvs -d :pserver:[EMAIL PROTECTED]:/source login
> {cvs password is : anoncvs}
> cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd
> cvs -d :pserver:[EMAIL PROTECTED]:/source logout
> cd radiusd
> ./configure --quiet --with-logdir=/var/log --localstatedir=/var \
> --disable-ltdl-install --with-ltdl-include=/usr/local/include \
> --with-ltdl-lib=/usr/local/lib --with-large-files \
> --without-rlm_x99_token
>
> make
> make install
>
> I am currently working on a FreeBSD 5.2 machine with FreeRadius from CVS.
>
> You will probably want to make sure your ports tree is up to date before
> you build freeradius from ports. The current port should be 0.9.3. I have built it
> with MySQL support and it does work.
>
> Hope that helps.
>
> Have a nice day.




Re[4]: freeradius MSCHAPv2 possible bug

2004-01-07 Thread Anton Golubev
Hello Alan,

You've been absolutely right. The bug was in the radius module for pppd
and it sent a wrong MS-CHAP2-Response value to freeradius. The problem was
in the function which composes this attribute from the client authentication
response. The format of the PPP response packet and of the MS-CHAP-Response av pair
differ slightly, confirming the comments of the developer of the
plug-in (something about idiots).

I've seen here that 3 people on this mailing list are suffering from
the same bug, so could you please excuse the posting of the patch? It was made
against the latest cvs version of pppd from samba.org:

Index: radius.c
===
RCS file: /cvsroot/ppp/pppd/plugins/radius/radius.c,v
retrieving revision 1.21
diff -u -r1.21 radius.c
--- radius.c25 Nov 2003 11:50:10 -  1.21
+++ radius.c7 Jan 2004 19:18:43 -
@@ -425,7 +425,7 @@
 case CHAP_MICROSOFT_V2:
 {
/* MS-CHAP-Challenge and MS-CHAP2-Response */
-   MS_Chap2Response *rmd = (MS_Chap2Response *) (response + 1);
+   MS_Chap2Response *rmd = (MS_Chap2Response *) response;
u_char *p = cpassword;

if (response_len != MS_CHAP2_RESPONSE_LEN)
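Review bot: the hunk changes only the cast, from `(MS_Chap2Response *) (response + 1)` to `(MS_Chap2Response *) response`, so the check on the following context line, `if (response_len != MS_CHAP2_RESPONSE_LEN)`, now guards a struct read that starts one octet earlier than before; confirm that MS_CHAP2_RESPONSE_LEN still equals the number of octets consumed from `response` without the skip, and add a comment above the cast stating that the PPP CHAP response carries no leading identifier octet at this point, since the post says the PPP layout and the RADIUS av pair differ slightly and a later reader will otherwise be tempted to put the `+ 1` back.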

It completely fixes the problem of authenticating with pppd against
freeradius using MSCHAPv2.

I sent this patch to one of the maintainers of pppd and asked them to
commit it to the source tree. Hope the fixed pppd will be available to the wide
public soon.

Kind regards,
Anton Golubev




Re[2]: freeradius MSCHAPv2 possible bug

2004-01-05 Thread Anton Golubev
Hello Alan,

AD   It's still base64 encoded.  I have no clue why some mail programs
AD think that base64 encoding text is a good idea.

Fortunately it didn't prevent you from reading my mail. Hope this time
it will be plain text.

AD   That says to me that you have both User-Password and NT-Password for
AD the user in your SQL database, and that the NT-Password is wrong.

AD   Delete the NT-Password from the SQL database.  The MS-CHAP module
AD can use a clear-text password to do it's authentication.  It will
AD work.

It is not actually true. My radcheck table has only one line, namely:

mysql> select * from radcheck;
++--+---++---+
| id | UserName | Attribute | op | Value |
++--+---++---+
|  1 | anton| User-Password | == | anton |
++--+---++---+
1 row in set (0.00 sec)

To make things clear, there is the content of radreply table:

mysql> select * from radreply;
++--+---++-+
| id | UserName | Attribute | op | Value   |
++--+---++-+
|  1 | anton| Framed-IP-Address | := | 172.16.1.10 |
++--+---++-+
1 row in set (0.00 sec)


Recently I checked another suggestion, which says that in some cases
WinXP appends \ symbols to the login name, which breaks the
authentication. This idea was inspired by the patch from the recent
FreeBSD stable ports collection against freeradius rlm_mschap.c:

--- src/modules/rlm_mschap/rlm_mschap.c.origTue Apr  8 11:53:05 2003
+++ src/modules/rlm_mschap/rlm_mschap.c Tue Apr  8 11:53:32 2003
@@ -260,10 +260,15 @@
SHA1_CTX Context;
char hash[20];

+   const char *name;
+
+   name = strchr(user_name, '\\');
+   name = name == NULL ? user_name : name + 1;
+
SHA1Init(Context);
SHA1Update(Context, peer_challenge, 16);
SHA1Update(Context, auth_challenge, 16);
-   SHA1Update(Context, user_name, strlen(user_name));
+   SHA1Update(Context, name, strlen(name));
SHA1Final(hash, Context);
memcpy(challenge, hash, 8);
 }
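Review bot: `name = strchr(user_name, '\\')` followed by `name = name == NULL ? user_name : name + 1;` cuts at the first backslash unconditionally, so a user name that legitimately contains a backslash is silently shortened before `SHA1Update(Context, name, strlen(name))`, and the challenge hash is then computed over a name the client may not have used; make the stripping conditional (a module option, or applied only when the name really carries a domain prefix) and emit a debug line whenever `name` differs from `user_name`, so that a mismatch like the one discussed in this thread shows up in the debug output instead of only as "MS-CHAP2-Response is incorrect".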

But it was a void attempt since debugging shows that user_name has the correct
value:

modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
modcall: entering group Auth-Type for request 0
  rlm_mschap: doing MS-CHAPv2 with NT-Password
user_name=anton   <- DEBUG2("user_name=%s", user_name);
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.

I have no other ideas how to fix it. Any suggestions?

Best regards,
Anton


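As an added example (not code from this thread, from pppd or from FreeRADIUS), this is the computation the rlm_mschap patch above touches: the MS-CHAPv2 challenge hash from RFC 2759 section 8.2, with the domain-prefix stripping the patch adds, plus a split of the 50-octet MS-CHAP2-Response value as RFC 2548 lays it out, which is the attribute the pppd side of this thread was composing at the wrong offset. The RFC 2759 section 9.2 test vector is the input; the helper names and the constructed sample attribute value are this example's own.

```python
"""Added example: MS-CHAPv2 ChallengeHash (RFC 2759 section 8.2) and the
RFC 2548 MS-CHAP2-Response layout; not code from this thread, pppd or FreeRADIUS."""
import hashlib


def strip_domain(user_name):
    """Drop a 'DOMAIN\\' prefix: the peer hashes the bare user name, which is
    what the rlm_mschap patch quoted above does with strchr(user_name, '\\\\')."""
    sep = user_name.find("\\")
    return user_name if sep < 0 else user_name[sep + 1:]


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """Challenge = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
    The server must feed in exactly the octets the client used: a name that
    differs only by a domain prefix yields a different 8-octet challenge and,
    downstream, an 'MS-CHAP2-Response is incorrect' reject."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(strip_domain(user_name).encode("utf-8"))
    return h.digest()[:8]


def split_mschap2_response(value):
    """Split the 50-octet MS-CHAP2-Response attribute value (RFC 2548 2.3.3):
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24). The NAS
    has to build this from the PPP CHAP response at the right offset, which is
    what the pppd radius.c patch in this thread corrects."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response value must be 50 octets, got %d" % len(value))
    return {
        "ident": value[0],
        "flags": value[1],
        "peer_challenge": value[2:18],
        "reserved": value[18:26],
        "nt_response": value[26:50],
    }


def server_challenge_from_attr(value, auth_challenge, user_name):
    """What the server side does with the attribute: take the peer challenge out
    of the response value and recompute the 8-octet challenge for this user."""
    parts = split_mschap2_response(value)
    return challenge_hash(parts["peer_challenge"], auth_challenge, user_name)


# RFC 2759 section 9.2 test vectors.
RFC_USER = "User"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")

# Constructed attribute value: ident 1, flags 0, the RFC peer challenge, zero
# reserved octets and a placeholder NT-Response (the real one needs DES).
SAMPLE_RESPONSE_ATTR = bytes([1, 0]) + RFC_PEER_CHALLENGE + bytes(8) + bytes(range(24))

if __name__ == "__main__":
    print(challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER).hex())
```

The two failure modes this thread circles around are both visible here: if the NAS reads the PPP response at the wrong offset, `split_mschap2_response` gets a shifted peer challenge and the server derives a challenge the client never used; if the server hashes `DOMAIN\user` while the client hashed `user` (or the reverse), the 8-octet challenge differs even though the password is right. Either way the symptom is the same "MS-CHAP2-Response is incorrect" reject shown in the debug output above.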


freeradius MSCHAPv2 possible bug

2004-01-04 Thread Anton Golubev
Hello all!

I am trying to set up a working solution of PPTP + FreeRADIUS + MySQL.
Software involved: FreeRADIUS 0.9.3, poptop-1.1.4, pppd 2.4.2 (from
pptpclient.sf.org).

I use the following setup:

1. enabled radius plug-in for pppd:

[EMAIL PROTECTED] ppp]# cat options.pptpd
require-mschap-v2
plugin radius.so
radius-config-file /etc/radiusclient/radiusclient.conf

2. enabled MySQL storage for RADIUS:
excerpts from radiusd.conf
   mschap {
  authtype = MS-CHAP
   }
}
authorize {
   preprocess
   suffix
   sql
   mschap
}
authenticate {
   mschap
}
preacct {
   preprocess
   suffix
   files
}
accounting {
   acct_unique
   detail
   sql
}
session {
   sql
}

My problem is that a Windows XP box can't log in with MS-CHAP v2.

From pppd's point of view it looks like this:
Jan  5 05:31:56 ahome pppd[27471]: Connect: ppp0 -- /dev/pts/9
Jan  5 05:31:56 ahome pppd[27471]: sent [LCP ConfReq id=0x1 asyncmap 0x0 auth chap 
MS-v2 magic 0x7e30b849 pcomp accomp]
Jan  5 05:31:56 ahome pptpd[27470]: GRE: Bad checksum from pppd.
Jan  5 05:31:56 ahome pppd[27471]: rcvd [LCP ConfAck id=0x1 asyncmap 0x0 auth chap 
MS-v2 magic 0x7e30b849 pcomp accomp]
Jan  5 05:31:58 ahome pppd[27471]: rcvd [LCP ConfReq id=0x1 mru 1400 magic 
0x726c72fa pcomp accomp callback CBCP]
Jan  5 05:31:58 ahome pppd[27471]: sent [LCP ConfRej id=0x1 callback CBCP]
Jan  5 05:31:58 ahome pppd[27471]: rcvd [LCP ConfReq id=0x2 mru 1400 magic 
0x726c72fa pcomp accomp]
Jan  5 05:31:58 ahome pppd[27471]: sent [LCP ConfAck id=0x2 mru 1400 magic 
0x726c72fa pcomp accomp]
Jan  5 05:31:58 ahome pppd[27471]: sent [CHAP Challenge id=0xfa 
75602b06d0e80c3cac7244da0d1df804, name = pptp]
Jan  5 05:31:58 ahome pptpd[27470]: CTRL: Received PPTP Control Message (type: 15)
Jan  5 05:31:58 ahome pptpd[27470]: CTRL: Ignored a SET LINK INFO packet with real 
ACCMs!
Jan  5 05:31:58 ahome pppd[27471]: rcvd [LCP code=0xc id=0x3 72 6c 72 fa 4d 53 52 41 
53 56 35 2e 31 30]
Jan  5 05:31:58 ahome pppd[27471]: sent [LCP CodeRej id=0x2 0c 03 00 12 72 6c 72 fa 4d 
53 52 41 53 56 35 2e 31 30]
Jan  5 05:31:58 ahome pppd[27471]: rcvd [LCP code=0xc id=0x4 72 6c 72 fa 4d 53 52 41 
53 2d 30 2d 47 4f 4c 41 4e 54]
Jan  5 05:31:58 ahome pppd[27471]: sent [LCP CodeRej id=0x3 0c 04 00 16 72 6c 72 fa 4d 
53 52 41 53 2d 30 2d 47 4f 4c 41 4e 54]
Jan  5 05:31:58 ahome pppd[27471]: rcvd [CHAP Response id=0xfa 
f7624c397cabc2504b37d007f5c3b5e908358fb7d79f0d6ad3b93c7e5e597b38aca7f5e6a23e3ba600,
 name = anton]
Jan  5 05:32:00 ahome pppd[27471]: Peer anton failed CHAP authentication
Jan  5 05:32:00 ahome pppd[27471]: sent [CHAP Failure id=0xfa p\3777605\010\010P]
Jan  5 05:32:00 ahome pppd[27471]: sent [LCP TermReq id=0x4 Authentication failed]

FreeRadius with full debugging wrote this:
...
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns ok for request 19
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type := MS-CHAP'
  modcall[authorize]: module mschap returns ok for request 19
modcall: group authorize returns ok for request 19
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
modcall: entering group Auth-Type for request 19
  rlm_mschap: doing MS-CHAPv2 with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 19
modcall: group Auth-Type returns reject for request 19
auth: Failed to validate the user.
Login incorrect: [anton/no User-Password attribute] (from client localhost port 0)
...

The strangest thing about all this is that when we change
require-mschap-v2 in options.pptp to require-chap or require-pap,
it works just fine.

I have had some ideas about the reasons for such behavior, but none
of them proved itself. It is not the case that WinXP sends one string as
login and hashes another for the CHAP challenge, with e.g. the domain name
appended, since changing the authentication method from MS-CHAPv2 to
MS-CHAPv1 solves the problem without any manipulation on the client
side.

I also think that some postings here were caused by the same problem,
but for different reasons weren't followed through to a solution
("freeradius and mschap2 problem" by Mauro Luzi, "MS-CHAPv2 + MySQL +
group authtype failure" by Eliot Gable).

I think that I use the latest possible version of programs.
radius.c from ppp package is 1.21 2003/11/25 11:50:10 paulus,
rlm_mschap.c from freeradius is 1.41.2.1 2003/09/16 18:40:56 phampson.


I don't have enough skill to trace this problem down, so I look for
your advice. I think that the problem can be either in calculating
and/or comparing hash values in rlm_mschap.c, i.e. a mistake in making
the decision about the challenge/response pair. Or the problem can be in radius.c
of pppd, which provides RADIUS with wrongly composed challenge/response
attributes, i.e. a misunderstanding between pppd and freeradius. The
argument in favor of the second supposition is that the presentation
of the CHAP request-response pair differs in PPP