Re: reset sqlcounter on the same day for each user
On Fri, Jun 4, 2010 at 11:52 AM, Антон Зайцев <anton.zajt...@gmail.com> wrote:
> Hello everyone. Need some help.
>
> I want to limit my users with MB traffic monthly. I have set up sqlcounter and it works great. But it resets in a month starting from the user's first connect to the NAS. Users can register and connect on different days during the month, and then it resets differently for each user.
>
> And this is the question. How can I reset the counter on a certain day for a certain user (for example, the last day of the month)? And then the counter can reset monthly for all users beginning from the first day of the month. Maybe I need some attributes or ...
>
> Thanks

Can anybody help with this? As I understand, counters reset only hourly, monthly or weekly. I did search the mail archive and found nothing useful. Maybe give me some directions to look for to resolve this problem. Maybe I should use the expiration attribute or choose another way.

Thanks,
Anton

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: about simultaneous when using mysql and freeradius
It should be done by the NAS. For example, PPPoE and PPTP have LCP packets; if there is no response from the client to the NAS for some time, the NAS decides that the session is down and sends an Acct-Stop packet to the RADIUS server. The RADIUS server sets the corresponding record in the SQL session table.

Or there is another method: depending on the NAS type, radiusd can connect to the NAS and check the activity of the user session directly on the NAS. This is a more reliable source of information. See radcheck.pl.

On Tue, 1 Jun 2010 16:24:54 +0700 Spacelee <fjct...@gmail.com> wrote:
> I want to limit users' behavior, such as a username can login only once at the same time...
>
> 1. Modify default and inner-tunnel in:
>
>     # Session database, used for checking Simultaneous-Use. Either the radutmp
>     # or rlm_sql module can handle this.
>     # The rlm_sql module is *much* faster
>     session {
>         #radutmp
>
>         # See "Simultaneous Use Checking Queries" in sql.conf
>         sql
>     }
>
> 2. Modify dialup.conf in etc/raddb/sql/mysql:
>
>     # Uncomment simul_count_query to enable simultaneous use checking
>     simul_count_query = "SELECT COUNT(*) \
>         FROM ${acct_table1} \
>         WHERE username = '%{SQL-User-Name}' \
>         AND acctstoptime IS NULL"
>
> 3. Add an entry to the table radgroupcheck:
>
>     INSERT INTO `radgroupcheck` (`id`, `GroupName`, `Attribute`, `op`, `Value`)
>     VALUES (NULL, 'user', 'Simultaneous-Use', ':=', '1');
>
> 4. Update the user test to the group user.
>
> I finally tried successfully, but if, I say if, the radius server was down suddenly or the user logs out improperly (such as he powers off the computer directly), then the record will still be in the table as if he was still online... so we need to modify the record, but how? Can freeradius judge it by itself, or how to judge if the user is offline?
>
> --
> Spacelee

--
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797
Re: about simultaneous when using mysql and freeradius
Yes, this is /usr/sbin/checkrad. Sorry for the mistake. You should read this script...

Radiusd can be down or unreachable, or a packet can be lost. If you have a NAS of one of these types, you can specify the type in clients.conf (nastype = cisco). After that radiusd should use /usr/sbin/checkrad to check simultaneous logins. But if you have a situation where the NAS has an open working session and radiusd has no record about it in the session table, you can get a double login. AFAIK in this case radiusd will not do the simultaneous check at all. But it should not happen: when radiusd goes down suddenly, the records in the SQL session table should stay like open sessions, and after radiusd starts again it thinks that those sessions are active :-). In this case radiusd will use checkrad, if nastype is configured, to check its SQL records.

Moreover, if you connect simultaneously very fast (faster than your SQL can handle queries) and without using checkrad, then you will get simultaneous logins too. This is because there is no transaction in the SQL schema, or any other method to make a single unique login attempt at a time, so SQL can see them as separate tries.

On Tue, 1 Jun 2010 17:21:26 +0700 Spacelee <fjct...@gmail.com> wrote:
> sorry, is radcheck.pl included in freeradius now? Do you mean /usr/sbin/checkrad?
>
> And I searched for the keywords "Simultaneous mysql radius down", but found no results I need.

--
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797
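Both posts above describe the same failure: an accounting row with acctstoptime IS NULL outlives the session it records, so the simul_count_query refuses the user as "already logged in". The following is an added example (not code from the thread or from FreeRADIUS) that runs the quoted simul_count_query against an sqlite3 copy of a radacct-style table (a constructed column subset) and adds a sweep that closes rows the NAS never stopped; the assumption that the NAS sends interim updates, the 15-minute silence threshold and the sample rows are mine.

```python
"""Simultaneous-Use bookkeeping against a radacct-style session table.

Added example; not code from the thread or from FreeRADIUS.  It runs the
simul_count_query quoted above against an sqlite3 copy of the accounting
table (a constructed column subset) and adds a sweep that closes rows the
NAS never stopped: radiusd or the client died and the row stayed open, so
the user is refused as "already logged in" until someone fixes the table.
"""
import sqlite3
from datetime import datetime, timedelta

# Query from dialup.conf as quoted above, with ${acct_table1} = radacct.
SIMUL_COUNT_QUERY = """
    SELECT COUNT(*) FROM radacct
    WHERE username = ? AND acctstoptime IS NULL
"""

# Assumption: the NAS sends interim updates, so acctsessiontime is refreshed
# and acctstarttime + acctsessiontime is the last moment the NAS vouched for
# the session.  Without interim updates this sweep would close live long
# sessions; checkrad (nastype in clients.conf) is then the only safe check.
STALE_SESSIONS_QUERY = """
    SELECT acctsessionid FROM radacct
    WHERE acctstoptime IS NULL
      AND datetime(acctstarttime, '+' || acctsessiontime || ' seconds') < ?
    ORDER BY acctsessionid
"""

NOW = datetime(2010, 6, 1, 16, 24, 54)  # constructed "current time" for the sample


def _ts(when):
    return when.strftime("%Y-%m-%d %H:%M:%S")


def open_sample_db(now=NOW):
    """Constructed radacct subset: one live, one orphaned and one closed row."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY, acctsessionid TEXT, username TEXT,
        nasipaddress TEXT, acctstarttime TEXT, acctstoptime TEXT,
        acctsessiontime INTEGER, acctterminatecause TEXT)""")
    rows = [
        # alice: started 30 min ago, interim update 5 min ago -> alive
        ("s1", "alice", "10.0.0.1", _ts(now - timedelta(minutes=30)), None, 1500, None),
        # test: started 6 h ago, last interim after 5 min, never stopped -> orphan
        ("s2", "test", "10.0.0.1", _ts(now - timedelta(hours=6)), None, 300, None),
        # bob: stopped normally 10 min ago
        ("s3", "bob", "10.0.0.2", _ts(now - timedelta(hours=1)),
         _ts(now - timedelta(minutes=10)), 3000, "User-Request"),
    ]
    db.executemany("INSERT INTO radacct (acctsessionid, username, nasipaddress, "
                   "acctstarttime, acctstoptime, acctsessiontime, acctterminatecause) "
                   "VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    db.commit()
    return db


def open_session_count(db, username):
    """What the sql session module sees when it evaluates Simultaneous-Use."""
    return db.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()[0]


def simultaneous_use_ok(db, username, limit):
    """True if one more login stays within Simultaneous-Use := limit.

    The count and the later INSERT of the new session are not one transaction,
    which is the race Anton describes: two logins arriving faster than SQL
    answers can both pass this check.
    """
    return open_session_count(db, username) < limit


def find_stale_sessions(db, now=NOW, max_silence_seconds=900):
    """Open rows whose last NAS update is older than max_silence_seconds."""
    cutoff = _ts(now - timedelta(seconds=max_silence_seconds))
    return [row[0] for row in db.execute(STALE_SESSIONS_QUERY, (cutoff,))]


def close_stale_sessions(db, now=NOW, max_silence_seconds=900):
    """Stop orphaned rows the way the missing Acct-Stop would have; returns rows closed."""
    stale = find_stale_sessions(db, now, max_silence_seconds)
    if not stale:
        return 0
    marks = ",".join("?" * len(stale))
    # Admin-Reset is a standard Acct-Terminate-Cause value; using it to mark
    # sweep closures is my choice, so they stay distinguishable from real stops.
    cur = db.execute(
        f"UPDATE radacct SET acctstoptime = ?, acctterminatecause = 'Admin-Reset' "
        f"WHERE acctsessionid IN ({marks}) AND acctstoptime IS NULL",
        (_ts(now), *stale))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_sample_db()
    print("test may log in:", simultaneous_use_ok(db, "test", 1))
    print("closed", close_stale_sessions(db), "stale session(s)")
    print("test may log in:", simultaneous_use_ok(db, "test", 1))
```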
Re: Option 82 parse problems.
Ok. Please see the attachments. But I'm afraid that it may be only my case, my unfortunate radius configuration. This is not a packet received directly from the switch but from switch-dhcrelay.

On Fri, 28 May 2010 13:11:57 +0700 Alan DeKok <al...@deployingradius.com> wrote:
> Please supply a packet trace (wireshark / tcpdump) which contains that packet. If we had seen this issue in testing 2.1.9, we would have fixed it.
>
> > How to use this announced feature of sub-option for opt82 ?
>
> It was tested to work with a number of different switches.
>
> > How to find the reason why radiusd (2.1.9) eats 100% of CPU ?
>
> Supply a pcap file containing the packet, so we can reproduce the problem, and fix it.
>
> Alan DeKok.

--
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797

Attachments: dhcp_on_client.dump, dhcp_on_server.dump, dhcrelay-to-radius.dump
Option 82 parse problems.
Good day.

I'm trying to set up freeradius as a dhcp server with option 82 parsing and SQL data lookup. Now I use versions 2.1.8 and 2.1.9 with exactly the same configs; there is no SQL configuration yet, only the default dhcp config with my test diff (see below). I have two questions for now:

1. In dictionary.dhcp there are two lines (version 2.1.8):

    ATTRIBUTE DHCP-Agent-Circuit-Id 0x0152 octets
    ATTRIBUTE DHCP-Agent-Remote-Id 0x0252 octets

but when I start radiusd -X I see only one whole string like:

    DHCP-Relay-Agent-Information = 0x01060004006402080006000cce477c00

How can I get DHCP-Agent-Circuit-Id and DHCP-Agent-Remote-Id without using perl post_auth?

2. There is an announced feature in 2.1.9: "Add sub-option support for Option 82. See dictionary.dhcp." When I start radiusd -X (2.1.9) with its dictionary.dhcp, it begins to eat 100% of CPU with no output in the console after the first dhcp packet is received.

How to use this announced feature of sub-option for opt82?
How to find the reason why radiusd (2.1.9) eats 100% of CPU?

My dhcp site config (with changed ip-addresses):

    server dhcp {
        listen {
            ipaddr = 192.168.0.1
            port = 67
            type = dhcp
            interface = eth0
        }

        dhcp DHCP-Discover {
            update reply {
                DHCP-DHCP-Server-Identifier = %{Packet-Dst-IP-Address}
            }
            linelog
            update reply {
                DHCP-Domain-Name-Server = 192.168.0.1
                DHCP-Domain-Name-Server = 192.168.10.1
                DHCP-Subnet-Mask = 255.255.255.240
                DHCP-IP-Address-Lease-Time = 1800
            }
            mac2ip
            linelog
            ok
        }

        dhcp DHCP-Request {
            update reply {
                DHCP-DHCP-Server-Identifier = %{Packet-Dst-IP-Address}
            }
            linelog
            update reply {
                DHCP-Domain-Name-Server = 192.168.0.1
                DHCP-Domain-Name-Server = 192.168.10.1
                DHCP-Subnet-Mask = 255.255.255.224
                DHCP-IP-Address-Lease-Time = 1800
            }
            linelog
            ok
        }

        dhcp {
            update reply {
                DHCP-Message-Type = DHCP-NAK
            }
        }
    }

    passwd mac2ip {
        filename = ${confdir}/mac2ip
        format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
        delimiter = ","
    }

--
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797
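The DHCP-Relay-Agent-Information octets shown in this post are RFC 3046 sub-option TLVs (one byte code, one byte length, value), which is what the 2.1.9 dictionary entries for DHCP-Agent-Circuit-Id and DHCP-Agent-Remote-Id split out. The parser below is an added example, not code from the thread or from FreeRADIUS: it bounds-checks every declared length so a truncated or oddly formed option cannot stall the loop, and it shows that the posted value decodes to a circuit-id followed by a sub-option with the reserved code 0 rather than a code-2 remote-id. The Cisco-style VLAN/module/port layout for the circuit-id value and the well-formed variant are my assumptions.

```python
"""Parse DHCP option 82 (Relay Agent Information, RFC 3046) sub-options.

Added example, not code from the thread or from FreeRADIUS.  Option 82 is a
sequence of TLVs: one byte sub-option code, one byte length, then the value.
Codes 1 and 2 are Agent Circuit ID and Agent Remote ID; codes 0 and 255 are
reserved in the IANA sub-option registry.
"""
from typing import List, Tuple

AGENT_CIRCUIT_ID = 1
AGENT_REMOTE_ID = 2
RESERVED_CODES = (0, 255)

# Attribute names from dictionary.dhcp as quoted in the post above.
SUBOPTION_NAMES = {
    AGENT_CIRCUIT_ID: "DHCP-Agent-Circuit-Id",
    AGENT_REMOTE_ID: "DHCP-Agent-Remote-Id",
}


class Option82Error(ValueError):
    """Raised when the TLV stream is truncated or uses a reserved code."""


def decode_hex(value: str) -> bytes:
    """Turn a FreeRADIUS-style '0x...' octets string into bytes."""
    if value.startswith(("0x", "0X")):
        value = value[2:]
    return bytes.fromhex(value)


def parse_option82(data: bytes, strict: bool = True) -> List[Tuple[int, bytes]]:
    """Split option 82 into (code, value) pairs.

    The offset always advances by at least the 2-byte header, so the loop
    terminates even for zero-length sub-options, and every declared length
    is checked against the remaining bytes before it is used.
    """
    subs = []
    offset, end = 0, len(data)
    while offset < end:
        if end - offset < 2:
            raise Option82Error(f"truncated sub-option header at offset {offset}")
        code, length = data[offset], data[offset + 1]
        offset += 2
        if offset + length > end:
            raise Option82Error(
                f"sub-option {code} at offset {offset - 2} declares {length} "
                f"bytes but only {end - offset} remain")
        if strict and code in RESERVED_CODES:
            raise Option82Error(f"reserved sub-option code {code} at offset {offset - 2}")
        subs.append((code, data[offset:offset + length]))
        offset += length
    return subs


def to_attributes(subs: List[Tuple[int, bytes]]) -> dict:
    """Render the known sub-options as FreeRADIUS attribute = 0x... pairs."""
    return {SUBOPTION_NAMES[c]: "0x" + v.hex() for c, v in subs if c in SUBOPTION_NAMES}


def decode_cisco_circuit_id(value: bytes) -> Tuple[int, int, int]:
    """Assumed switch layout: type 0, len 4, VLAN (2 bytes), module, port."""
    if len(value) != 6 or value[0] != 0 or value[1] != 4:
        raise Option82Error("circuit-id does not use the type/len/vlan/mod/port layout")
    vlan = int.from_bytes(value[2:4], "big")
    return vlan, value[4], value[5]


# Octets exactly as printed by radiusd -X in the post above.
POSTED_VALUE = "0x01060004006402080006000cce477c00"
# Constructed well-formed variant: the same circuit-id plus a code-2 remote-id.
WELL_FORMED = "0x0106000400640208" + "02080006000cce477c00"


def main():
    subs = parse_option82(decode_hex(WELL_FORMED))
    print(to_attributes(subs))
    print("circuit-id vlan/module/port:", decode_cisco_circuit_id(subs[0][1]))
    try:
        parse_option82(decode_hex(POSTED_VALUE))
    except Option82Error as exc:
        print("posted value:", exc)
    print("lenient parse:", parse_option82(decode_hex(POSTED_VALUE), strict=False))


if __name__ == "__main__":
    main()
```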
{control:SQL-Group} in post-auth
Hello!

My user is inserted in group = my_pool in the SQL DB. I try to use in my sites-enabled/default something like this:

    post-auth {
        ...
        ...
        if ( SQL-Group == my_pool ) {
            ...
            ...
        }
    }

When my user comes I can see it:

    Tue Oct 20 18:49:23 2009 : Info: [sqlauth] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
    ...
    Tue Oct 20 18:49:23 2009 : Info: [sqlauth] expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE (usergroup.Username = '%{SQL-User-Name}' OR usergroup.CLID = '%{Calling-Station-Id}') AND usergroup.GroupName = radgroupcheck.GroupName AND usergroup.GroupName = '%{SQL-Group}' ORDER BY usergroup.PRIORITY,radgroupcheck.id
    ...
    Tue Oct 20 18:49:23 2009 : Info: [sqlauth] User found in group my_pool
    ...

Ok, we can see that the user is in the my_pool group - this is ## point 1 ##.

    ...
    Tue Oct 20 18:49:23 2009 : Info: +- entering group post-auth {...}
    Tue Oct 20 18:49:23 2009 : Info: ++[exec] returns noop
    Tue Oct 20 18:49:23 2009 : Info: ++? if (SQL-Group == pool )
    Tue Oct 20 18:49:23 2009 : Info: sql_groupcmp
    Tue Oct 20 18:49:23 2009 : Debug: rlm_sql (sqlacct): Reserving sql socket id: 24
    Tue Oct 20 18:49:23 2009 : Info: expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' OR CLID='%{Calling-Station-Id}' order by priority -> SELECT GroupName FROM usergroup WHERE UserName='bebebeb' OR CLID='bebebeb' order by priority
    Tue Oct 20 18:49:23 2009 : Info: sql_groupcmp finished: User is a member of group pool
    Tue Oct 20 18:49:23 2009 : Debug: rlm_sql (sqlacct): Released sql socket id: 24
    Tue Oct 20 18:49:23 2009 : Info: ? Evaluating (SQL-Group == pool ) -> TRUE
    Tue Oct 20 18:49:23 2009 : Info: ++? if (SQL-Group == pool ) -> TRUE
    Tue Oct 20 18:49:23 2009 : Info: ++- entering if (SQL-Group == pool ) {...}

Ok, we can see that because of ### if ( SQL-Group == my_pool ) ### radius tries to use a new SQL query to the SQL DB..

But why? At this point radius knows that the user had been found in group my_pool - see ### point 1 ###. Can I use another word for this check? For example:

    if ( '%{control:SQL-Group}' == my_pool ) {
    }

because at this point I know exactly that my user belongs to group my_pool (see point 1). If I can use the previous sql-select (### point 1 ###), I do not have to make another SQL query every time I use if (SQL-Group == my_pool).

--
Yours faithfully,
Anton Borisov.
Re: rlm_perl / libtool / libltdl problem
> Does this mean you are also having this problem with 2.2.6a of libtool/libltdl?

Yes.

> There isn't a permanent solution that I know of yet. However, there is a workaround that you can use for now:
>
>     LD_PRELOAD=path_to_libperl.so /usr/local/sbin/radiusd

Thanks. It works.

> Where path_to_libperl.so is the full path for that file (e.g., it's /usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so on one of my systems).
>
> -----Original Message-----
> From: freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org [mailto:freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org] On Behalf Of Anton Brinyov
> Sent: Sunday, August 23, 2009 6:17 PM
> To: FreeRadius users mailing list
> Subject: Re: rlm_perl / libtool / libltdl problem
>
> Hi,
>
> It means there isn't a solution for this problem now?
>
> Thanks,
> Anton
Re: CoA-Ack and radclient/radiusd
Alan DeKok wrote:
> Anton G. wrote:
> > Got today's git/stable and tried - same result.. (
>
> Are you sure you're using *that* version, and that you don't have multiple versions of the software installed?

Yes, checked it twice..

> > Alan, can you please provide me some tips to do further debug of this?
>
> It involves looking through the hashes in src/lib/packet.c. It's not pretty...

Well, I have no choice, I should dig it out.

> > Not mentioning radiusd CoA, I'm pretty puzzled why radclient doesn't want to handle CoA-ACK from the NAS..
>
> I don't know... others have got this to work.

I understand, radclient has had CoA support for a long time..

> What's the OS / CPU?

FreeBSD 7.1-RELEASE-p3 jail

Could it be OS specific? Or NAS specific?
Re: rlm_perl / libtool / libltdl problem
Hi,

It means there isn't a solution for this problem now?

Thanks,
Anton

2009/8/18 Garber, Neal <neal.gar...@energyeast.com>:
> > Did I mention that I hate libtool and libltdl? They're close to *causing* more problems than they solve.
>
> Yes, on several occasions that I recall :) I share your sentiments...
>
> > I actually started removing libltdl a while ago. See src/main/modules.c. Look for WITHOUT_LIBLTDL. I'll bet that if you spent a bit of time hacking the source, you could get it to build and run *without* libltdl. At that point, the stupid "can't load library" issues will go away.
>
> If I get some spare time (what's that :)), I'll see what I can do..
Re: CoA-Ack and radclient/radiusd
Alan DeKok wrote:
> Anton G. wrote:
> > I have a strange problem with CoA-Ack receive
>
> Which version of the software are you using?

git/stable from Aug 13 10:07 GMT

> It works for me with the latest git stable tree...

Got today's git/stable and tried - same result.. (

Alan, can you please provide me some tips to do further debug of this?

Not mentioning radiusd CoA, I'm pretty puzzled why radclient doesn't want to handle CoA-ACK from the NAS..

    some# /usr/local/bin/radclient -t20 -r 1 -c 1 -f ./coa.rad -x 10.200.27.3:1700 coa su29
    Sending CoA-Request of id 223 to 10.200.27.3 port 1700
        User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
        ERX-Virtual-Router-Name = default:vrf_nat1
        Framed-IP-Address = 10.200.27.42
        ERX-Service-Activate:2 = setmv(10.200.27.42,00:0e:0c:b9:31:41,vrf_nat1)
        ERX-Service-Timeout:2 = 20
    rad_recv: CoA-ACK packet from host 10.200.27.3 port 1700, id=223, length=20
    radclient: received response to request we did not send. (id=223 socket 3)
    radclient: no response from server for ID 223 socket 3
    some#

tcpdump and radsniff didn't show anything strange:

    some# radsniff -x -I /home/ak/coa.dump -f udp
    PCAP filter: [udp]
    RADIUS secret: [testing123]
    CoA-Request Id 223 10.200.3.4:56318 -> 10.200.27.3:1700 (1 packets) +0.000
        User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
        ERX-Virtual-Router-Name = default:vrf_nat1
        Framed-IP-Address = 10.200.27.42
        ERX-Service-Activate:2 = setmv(10.200.27.42,00:0e:0c:b9:31:41,vrf_nat1)
        ERX-Service-Timeout:2 = 20
    CoA-ACK Id 223 10.200.27.3:1700 -> 10.200.3.4:56318 (2 packets) +7.069
    Done sniffing
    some#
Re: MSChap via ntlm_auth problem
Hi,

I tried to move samba's ntlm_auth program and replace it by a simple shell script:

    #!/bin/sh
    echo Test!

But NOTHING CHANGED! I think radius doesn't call the ntlm_auth program, but I don't know why.

Thanks,
Anton

2009/8/20 Anton Brinyov <anton.brin...@gmail.com>:
> Here are my sites-enabled/default and sites-enabled/inner-tunnel files.
Re: MSChap via ntlm_auth problem
Oh! I notice in /var/log/messages the following line after each auth attempt:

    Aug 22 18:28:33 gate1 kernel: pid 78473 (radiusd), uid 133: exited on signal 12

Thanks,
Anton

2009/8/22 Anton Brinyov <anton.brin...@gmail.com>:
> I tried to move samba's ntlm_auth program and replace it by a simple shell script:
>
>     #!/bin/sh
>     echo Test!
>
> But NOTHING CHANGED! I think radius doesn't call the ntlm_auth program, but I don't know why.
Re: MSChap via ntlm_auth problem
Hmmm... The problem was solved by recompiling the kernel and freeradius.

Thanks,
Anton.

2009/8/22 Anton Brinyov <anton.brin...@gmail.com>:
> Oh! I notice in /var/log/messages the following line after each auth attempt:
>
>     Aug 22 18:28:33 gate1 kernel: pid 78473 (radiusd), uid 133: exited on signal 12
CoA-Ack and radclient/radiusd
Hello,

I have a strange problem with CoA-Ack receive.

I send a test CoA packet to the NAS (Juniper ERX); the NAS sees the packet, does the corresponding action as well, and sends CoA-Ack back. Nothing strange in the NAS debug or tcpdump. But radclient says:

    some# /usr/local/bin/radclient -t20 -r 1 -c 1 -f ./user-81-200-27-42.rad -x 10.200.27.3:1700 coa su29
    Sending CoA-Request of id 44 to 10.200.27.3 port 1700
        User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
        ERX-Virtual-Router-Name = default:vrf_nat1
        Framed-IP-Address = 10.200.27.42
        ERX-Service-Activate:2 = setmv(10.200.27.42,000e.0cb9.3140,vrf_nat1)
        ERX-Service-Timeout:2 = 20
    rad_recv: CoA-ACK packet from host 10.200.27.3 port 1700, id=44, length=20
    radclient: received response to request we did not send. (id=44 socket 3)
    radclient: no response from server for ID 44 socket 3
    some#

I can't clearly understand why..

And using the radiusd CoA functionality I get similar behavior, but in that case I'm not sure if my config is ok to handle CoA-Ack. I have an update action in the accounting section:

    accounting {
        if ("%{Acct-Session-Id}" =~ /:/) {
            if ("%{Acct-Status-Type}" == "Start") {
                update coa {
                    User-Name := "%{User-Name}"
                    ERX-Virtual-Router-Name := "default:vrf_nat1"
                    ERX-Service-Activate:2 += "setmv(10.200.27.42, 000e.0cb9.3141, vrf_nat1)"
                    ERX-Service-Timeout:2 += 20
                }
            }
        }
        ok
    }

and get:

    rad_recv: Accounting-Request packet from host 10.200.27.3 port 50125, id=187, length=283
        Acct-Status-Type = Start
        User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
        Event-Timestamp = Aug 21 2009 13:25:51 MSD
        Acct-Delay-Time = 0
        NAS-Identifier = bsr01-su29
        Acct-Session-Id = 0024163640:0016777349
        ERX-Service-Session = inetpublic(10.200.27.42,000e.0cb9.3141,vrf_nat1,gi5/0/0.951,0,0,20485760,20485760)
        NAS-IP-Address = 10.200.27.3
        Framed-IP-Address = 10.200.27.42
        Calling-Station-Id = #bsr01-su29#E50#951
        NAS-Port-Type = Ethernet
        NAS-Port = 671089591
        NAS-Port-Id = GigabitEthernet 5/0/0.951:951
        Acct-Authentic = RADIUS
    +- entering group preacct {...}
    ++[preprocess] returns ok
    ++[files] returns noop
    +- entering group accounting {...}
    ++? if (%{Acct-Session-Id} =~ /:/)
    expand: %{Acct-Session-Id} -> 0024163640:0016777349
    ? Evaluating (%{Acct-Session-Id} =~ /:/) -> TRUE
    ++? if (%{Acct-Session-Id} =~ /:/) -> TRUE
    ++- entering if (%{Acct-Session-Id} =~ /:/) {...}
    +++? if (%{Acct-Status-Type} == Start)
    expand: %{Acct-Status-Type} -> Start
    ? Evaluating (%{Acct-Status-Type} == Start) -> TRUE
    +++? if (%{Acct-Status-Type} == Start) -> TRUE
    +++- entering if (%{Acct-Status-Type} == Start) {...}
    expand: %{User-Name} -> 10.200.27.42.vrf_nat1.vlan.5.0.0.951
    [coa] returns noop
    +++- if (%{Acct-Status-Type} == Start) returns noop
    ++- if (%{Acct-Session-Id} =~ /:/) returns noop
    ++[ok] returns ok
    Sending Accounting-Response of id 187 to 10.200.27.3 port 50125
    WARNING: Empty section. Using default return values.
    Sending CoA-Request of id 128 to 10.200.27.3 port 1700
        User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
        ERX-Virtual-Router-Name = default:vrf_nat1
        ERX-Service-Activate:2 = setmv(10.200.27.42, 000e.0cb9.3141, vrf_nat1)
        ERX-Service-Timeout:2 = 20
        ERX-Service-Statistics:2 = disabled
    Finished request 2.
    Cleaning up request 2 ID 187 with timestamp +4
    Going to the next request
    Waking up in 2.1 seconds.
    Sending CoA-Request of id 128 to 10.200.27.3 port 1700
        User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
        ERX-Virtual-Router-Name = default:vrf_nat1
        ERX-Service-Activate:2 = setmv(10.200.27.42, 000e.0cb9.3141, vrf_nat1)
        ERX-Service-Timeout:2 = 20
        ERX-Service-Statistics:2 = disabled
    Waking up in 1.5 seconds.
    Cleaning up request 0 ID 52 with timestamp +3
    Waking up in 2.7 seconds.
    Sending CoA-Request of id 128 to 10.200.27.3 port 1700
        User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
        ERX-Virtual-Router-Name = default:vrf_nat1
        ERX-Service-Activate:2 = setmv(10.200.27.42, 000e.0cb9.3141, vrf_nat1)
        ERX-Service-Timeout:2 = 20
        ERX-Service-Statistics:2 = disabled
    Waking up in 8.7 seconds.
    rad_recv: CoA-ACK packet from host 10.200.27.3 port 1700, id=128, length=20
    Ignoring proxy reply that arrived after we sent a reply to the NAS
    Waking up in 8.3 seconds.
    Sending CoA-Request of id 128 to 10.200.27.3 port 1700
        User-Name = 10.200.27.42.vrf_nat1.vlan.5.0.0.951
        ERX-Virtual-Router-Name = default:vrf_nat1
        ERX-Service-Activate:2 = setmv(10.200.27.42, 000e.0cb9.3141, vrf_nat1)
        ERX-Service-Timeout:2 = 20
        ERX-Service-Statistics:2 = disabled
    Waking up in 14.6 seconds.
    rad_recv: CoA-ACK packet from host 10.200.27.3 port 1700, id=128, length=20
    Ignoring proxy reply that arrived after we sent a reply to the NAS
    Waking up in 14.6 seconds.
    No response to CoA request sent to 10.200.27.3
    Found
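The radclient message "received response to request we did not send" in this post and in the earlier reply means the 20-byte CoA-ACK could not be matched to an outstanding request. The following is an added example, not code from the thread or from FreeRADIUS, of the RFC 5176 CoA-Request/CoA-ACK exchange with both sides built locally: the sender keeps a table keyed on (peer, id), accepts a reply only for a request it still has open, and verifies the Response Authenticator under the shared secret. The secret testing123, id 223 and the User-Name and Framed-IP-Address values come from the post; the vendor-specific ERX attributes are left out, and the result strings are my own.

```python
"""CoA-Request / CoA-ACK exchange (RFC 5176) with client-side response matching.

Added example, not code from the thread or from FreeRADIUS.  Both sides are
built here: the sender (the radclient role) keeps a table of outstanding
requests keyed on (peer, id) and accepts a CoA-ACK only if it matches a
request it sent and its Response Authenticator verifies under the shared
secret.  The ERX vendor-specific attributes from the post are omitted.
"""
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, FRAMED_IP_ADDRESS = 1, 8
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator

SECRET = b"testing123"              # as shown by radsniff in the thread
NAS = ("10.200.27.3", 1700)         # the ERX address and CoA port from the post


def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_coa_request(ident, attrs, secret):
    """RFC 5176 s3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs


def build_response(code, request, secret, attrs=b""):
    """NAS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs


class CoaSender:
    """The radclient role: remembers what it sent and validates what comes back."""

    def __init__(self, secret):
        self.secret = secret
        self.outstanding = {}   # (peer, id) -> request bytes

    def send(self, peer, ident, attrs):
        pkt = build_coa_request(ident, attrs, self.secret)
        self.outstanding[(peer, ident)] = pkt
        return pkt

    def receive(self, peer, pkt):
        """Classify a reply; the strings echo the radclient messages in the post."""
        if len(pkt) < 20:
            return "malformed: shorter than a RADIUS header"
        code, ident, length, auth = HEADER.unpack_from(pkt)
        if length != len(pkt):
            return "malformed: length field does not match packet"
        request = self.outstanding.get((peer, ident))
        if request is None:
            return f"received response to request we did not send (id={ident})"
        expected = hashlib.md5(pkt[:4] + request[4:20] + pkt[20:] + self.secret).digest()
        if not hmac.compare_digest(auth, expected):
            return "bad Response Authenticator (wrong secret or forged reply)"
        del self.outstanding[(peer, ident)]
        return {COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}.get(code, f"unexpected code {code}")


def demo_exchange():
    """Replays the post's exchange: id 223 and a 20-byte CoA-ACK with no attributes."""
    attrs = (avp(USER_NAME, b"10.200.27.42.vrf_nat1.vlan.5.0.0.951")
             + avp(FRAMED_IP_ADDRESS, socket.inet_aton("10.200.27.42")))
    client = CoaSender(SECRET)
    request = client.send(NAS, 223, attrs)
    ack = build_response(COA_ACK, request, SECRET)   # what the ERX sends back
    return client, request, ack


if __name__ == "__main__":
    client, request, ack = demo_exchange()
    print("CoA-ACK length:", len(ack))
    print("first delivery:", client.receive(NAS, ack))
    print("duplicate:", client.receive(NAS, ack))
```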
MSChap via ntlm_auth problem
Here are my sites-enabled/default and sites-enabled/inner-tunnel files.

Thanks,
Anton

2009/8/19 Alan Buxey <a.l.m.bu...@lboro.ac.uk>:
> your previous emails only listed the mschap module and radiusd.conf - but not the sites-enabled/default or sites-enabled/inner-tunnel files.
>
> alan

Attachments: default, inner-tunnel
Re: MSChap via ntlm_auth problem
Hi,

I have another freeradius host (freeradius 2.1.3) with the same authentication scheme. I looked at the debug output on it:

    Found Auth-Type = MSCHAP
    +- entering group MS-CHAP {...}
    [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
    [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
    [mschap] Told to do MS-CHAPv2 for BAS with NT-Password
    [mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    [mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    [mschap]        expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=BAS
    [mschap]  mschap2: bb
    [mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=205180e1818e1214
    [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78
    Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD
    Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD
    Exec-Program: returned: 0
    [mschap] adding MS-CHAPv2 MPPE keys
    ++[mschap] returns ok

The ntlm_auth commands are the same on both hosts. The difference is the Exec-Program output. Why?

Thanks,
Anton.
Re: MSChap via ntlm_auth problem
>> Oh, sorry. I tried to get some info about the ntlm_auth output and forgot to remove the changes. I deleted the pipe but it didn't remove the problem.
>
> ..now post the debug again

Please find it in the attachment. Nothing changed.
Re: MSChap via ntlm_auth problem
Hi,

2009/8/18 Alan Buxey a.l.m.bu...@lboro.ac.uk:
> hmm, not sure about the require-membership bit as I've never used it.

The problem appears in any case - with or without the require-membership option.

> which version of SAMBA are you running? Latest version is known to have issues - they've changed things with its output.

I use samba 3.0.35 on a FreeBSD 7.2 box.

> also, recommend you change the command to have this instead
>
>   --username=%{Stripped-User-Name:-%{User-Name:-None}}
>
> that'll get rid of that annoying output error

I have the following command:

  ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key --require-membership-of=CENTAURA+InternetUsers --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

If I call it from the shell with the options from the radius request, I get a result:

  # /usr/local/bin/ntlm_auth --request-nt-key --require-membership-of=CENTAURA+InternetUsers --username=BAS --challenge=6b6f49357dccee7c --nt-response=ce2480f1e35c222a4d3481b83ee78854094394517f29d9ec
  NT_KEY: A9B342EC3E218E54A330556C468415CD

What can I do to get some details about the error?

Thanks, Anton.
Re: MSChap via ntlm_auth problem
2009/8/18 Alan Buxey a.l.m.bu...@lboro.ac.uk:
>> Hi,
>>
>> The problem appears in any case - with or without the require-membership option.
>>
>>> which version of SAMBA are you running? Latest version is known to have issues - they've changed things with its output.
>>
>> I use samba 3.0.35 on a FreeBSD 7.2 box.
>>
>>> also, recommend you change the command to have this instead
>>>
>>>   --username=%{Stripped-User-Name:-%{User-Name:-None}}
>>>
>>> that'll get rid of that annoying output error
>>
>> I have the following command:
>>
>>   ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key --require-membership-of=CENTAURA+InternetUsers --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
>>
>> If I call it from the shell with the options from the radius request, I get a result:
>>
>>   # /usr/local/bin/ntlm_auth --request-nt-key --require-membership-of=CENTAURA+InternetUsers --username=BAS --challenge=6b6f49357dccee7c --nt-response=ce2480f1e35c222a4d3481b83ee78854094394517f29d9ec
>>   NT_KEY: A9B342EC3E218E54A330556C468415CD
>>
>> What can I do to get some details about the error?
>
> <clutching at straws> maybe escape the + in your command (ie \+ ? </clutching>

*The problem appears in any case - with or without the require-membership option.*

The command can look like

  ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

and the output is the same as in the previous case.

Thanks, Anton
Re: MSChap via ntlm_auth problem
2009/8/17 Alan Buxey a.l.m.bu...@lboro.ac.uk:
> whoa! you are piping the output via tee to a log file - therefore the code isn't getting the return value - hence the badness.

How can I get the return value?

2009/8/17 Garber, Neal neal.gar...@energyeast.com:
> Try removing the single double quote (") just before the last right curly brace ("}") at the bottom of the mschap file

Sorry, it's casual noise. It's not the cause of the problem.

Thanks, Anton.
Re: MSChap via ntlm_auth problem
2009/8/18 Alan DeKok al...@deployingradius.com:
> Don't use the pipe. Use ntlm_auth as configured in the mschap module, without any extra changes.

Oh, sorry. I tried to get some info about the ntlm_auth output and forgot to remove the changes. I deleted the pipe but it didn't remove the problem.
Re: Problem configuring CoA
Alan DeKok wrote:
> Anton G. wrote:
>> /usr/local/etc/raddb/clients.conf[30]: No such home_server or home_server_pool localhost-coa
>> some# What am i missing?
>
> Weird. I guess the code got changed after the feature was tested and added. Oh well.
>
> I've committed a fix to git. You can grab that, or wait an hour or two for the pre/ directory to have a tested and updated tar file.
>
> Alan DeKok.

Thanks a lot, Alan! I grabbed today's stable from git and tried. As far as I can see, it works. But I've noticed one thing: a home_server of type coa must be listed in some home_server_pool (no matter whether the pool is used or not) to get it to work. If it is not, I get

  /usr/local/etc/raddb/clients.conf[178]: No such home_server or home_server_pool

so

--- WORKS

  home_server coa1 {
        type = coa
        secret = testing123
        ipaddr = 10.1.3.5
        port = 1700
        coa {
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
  }

  home_server_pool coa {
        type = fail-over
        home_server = coa1
  }

  client test1 {
        ipaddr = 10.1.3.5
        netmask = 32
        secret = testing321
        nastype = other
        coa_server = coa1
  }

--- DOESN'T WORK

  home_server coa1 {
        type = coa
        ipaddr = 10.1.3.5
        port = 1700
        coa {
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
  }

  client test1 {
        ipaddr = 10.1.3.5
        netmask = 32
        secret = testing321
        nastype = other
        coa_server = coa1
  }
Re: Problem configuring CoA
Alan DeKok wrote:
> DILLIOTT Tony wrote:
>> I still get the following error when I run radiusd -Xx :
>> /usr/local/etc/raddb/clients.conf[30]: No such home_server or home_server_pool localhost-coa
>
> I've put a patch into git that should fix the problem. See the stable branch.
>
> Or, wait a few hours, and grab it from http://git.freeradius.org/pre/
>
> If it works, then everything is OK. If it doesn't work, you probably didn't wait long enough for the auto-build process to grab the relevant patch.
>
> Alan DeKok.

Hello, Alan.

I've grabbed http://git.freeradius.org/pre/freeradius-server-2.1.7.tar.gz today (date says 11-Aug-2009 20:38) and tried CoA again. Almost default config, just coa_server = localhost-coa in clients.conf, and I get

  some# radiusd -X
  radiusd: Loading Realms and Home Servers
  proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
  }
  home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = auth
        secret = testing123
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = no
        zombie_period = 40
        status_check = status-server
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
  }
  realm example.com {
        auth_pool = my_auth_failover
  }
  realm LOCAL {
  }
  home_server localhost-coa {
        ipaddr = 127.0.0.1
        port = 3799
        type = coa
        secret = testing1234
        response_window = 30
        max_outstanding = 65536
        zombie_period = 40
        status_check = none
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 300
        status_check_timeout = 4
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  home_server_pool coa {
        type = fail-over
        virtual_server = originate-coa.example.com
        home_server = localhost-coa
  }
  radiusd: Loading Clients
  client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = testing123
        nastype = other
        coa_server = localhost-coa
  }
  /usr/local/etc/raddb/clients.conf[30]: No such home_server or home_server_pool localhost-coa
  some#

What am I missing?
Re: coa functionality in server question
Alan DeKok wrote:
> Anton G. wrote:
>> It seems that I didn't understand sites-available/originate-coa right and miss something in my conf. Could you please clarify it for me?
>
> You need to link it into sites-enabled/originate-coa. The server reads only sites-enabled, not sites-available.
>
> Alan DeKok.

Thanks, Alan.

I have the originate-coa link in sites-enabled, I just mistyped the starting letter. I also tried the default config including the default originate-coa example and get

  /usr/local/etc/raddb/sites-enabled/originate-coa[154]: home_server localhost-coa does not exist

It seems that the server does not see home_servers of type CoA in my case. So maybe I'm missing something else in my conf?
coa functionality in server question
Hello,

Running FR 2.1.6 on FreeBSD 7.1, I'm trying to implement CoA origination by the server. I read sites-available/originate-coa and added a home_server

  home_server coa1 {
        type = coa
        ipaddr = 10.1.3.5
        port = 1700
        coa {
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
  }

and coa_server to the client

  client test1 {
        ipaddr = 10.1.3.5
        netmask = 32
        secret = testing321
        nastype = other
        coa_server = coa1
  }

radiusd -X says

  ...
  radiusd: Loading Clients
  client test1 {
        ipaddr = 81.200.3.4
        netmask = 32
        require_message_authenticator = no
        secret = testing321
        nastype = other
        coa_server = coa1
  }
  /usr/local/etc/raddb/clients.conf[7]: No such home_server or home_server_pool coa1

It seems that I didn't understand sites-available/originate-coa right and miss something in my conf. Could you please clarify it for me?

Anton G.K.
Re: sql insert via unlang
Good day!

We have made an SQL Oracle function. This function inserts data into an SQL table, but we call this function as

  select myfunction ('aaa','bb') from dual

and it returns OK: Quota consumed. And... this is working!!

In unlang we added:

  if (%{sqlauth: select myfunction ('...','...') from dual}) {
        ok
  }

Now:

  Wed Jan 28 16:15:43 2009 : Info: expand: select myfunction...
  Wed Jan 28 16:15:43 2009 : Debug: rlm_sql (sqlauth): Reserving sql socket id: 0
  Wed Jan 28 16:15:43 2009 : Info: sql_xlat finished
  Wed Jan 28 16:15:43 2009 : Debug: rlm_sql (sqlauth): Released sql socket id: 0
  Wed Jan 28 16:15:43 2009 : Info: expand: %{sqlauth: select myfunction... -> OK: Quota consumed.
  Wed Jan 28 16:15:43 2009 : Info: [reply] returns noop

So, I can see my data from the Access-Request in my SQL table.

t...@kalik.net wrote:
>> I try to add a prepaid system to my equipment. In this case when the quota is reached, the equipment sends an Access-Request with the quota consumed and I need to store this data in SQL. But. Unfortunately, I must think about how many on-line customers send quota to SQL at the same time. Yes, I can write a perl script with SQL insert and update and freeradius will execute this one every time for quota data. But, I think this is not for a system with many customers.
>
> Perl is very fast but it needs to open (and close) the connection to the database and that is expensive. Unlang uses threads opened by freeradius at startup. So it will work faster. But I don't think that INSERT is supported.
>
> Ivan Kalik
> Kalik Informatika ISP

--
Yours faithfully,
Anton Borisov.
Re: sql insert via unlang
Good day!

So, I try to INSERT (unlang) data into my SQL table; I made in sites-enabled/default something like this:

  if ( Service-Type == Framed-User ) {
        if ( %{sqlauth: INSERT into MYTAB VALUES ('1','2','3','4')} ) {
                ok
        }
  }

and it does not work

  Tue Jan 27 23:06:32 2009 : Info: expand: INSERT into MYTAB ...
  Tue Jan 27 23:06:32 2009 : Debug: rlm_sql (sqlauth): Reserving sql socket id: 0
  Tue Jan 27 23:06:32 2009 : Error: rlm_sql_oracle: query failed in sql_select_query: ORA-24333: zero iteration count
  Tue Jan 27 23:06:32 2009 : Error: rlm_sql_oracle: OCI_SERVER_NORMAL

well, if I change my INSERT -> SELECT (for example)

  if ( Service-Type == Framed-User ) {
        if ( %{sqlauth: SELECT COUNT from MYTAB} ) {
                ok
        }
  }

this works well..

  Tue Jan 27 23:06:57 2009 : Debug: rlm_sql (sqlauth): Reserving sql socket id: 0
  Tue Jan 27 23:06:57 2009 : Info: sql_xlat finished
                                        ^^
  Tue Jan 27 23:06:57 2009 : Debug: rlm_sql (sqlauth): Released sql socket id: 0

In rlm_sql.c:

  /*
   *      sql xlat function. Right now only SELECTs are supported. Only
   *      the first element of the SELECT result will be used.
   */

Oh, I am really very interested in INSERT sql. Please tell me, is this right? Can I insert or update any data into my DB? Can I use another way to INSERT sql data when I do not use sql accounting and the accounting_start_query/stop_query statement? I need to insert or update sql data when my customers do the authorize check.

Thank you.

Alan DeKok:
> Flamur Rogova wrote:
>> in my authorize section, I have this,
>> ...
>> check_password
>> if(notfound) {
>>   # log notfound to sql, the line below gives error...
>>   %{sql: INSERT INTO test.logs SET test.logs.user='%{User-Name}', test.description='user not found' }
>
> You cannot put strings into the configuration like that.
>
>> man unlang says it is possible to obtain results from db, but I need to execute only sql INSERT, is my syntax wrong ?
>
> Yes. Nothing in the documentation says that this will work.
>
> You can do:
>
>   if (%{sql:INSERT ...}) {
>         ok
>   }
>
> Alan DeKok.

--
Yours faithfully,
Anton Borisov.
Re: sql insert via unlang
Good day!

Thank you for your reply.

I try to add a prepaid system to my equipment. In this case when the quota is reached, the equipment sends an Access-Request with the quota consumed and I need to store this data in SQL. But. Unfortunately, I must think about how many on-line customers send quota to SQL at the same time. Yes, I can write a perl script with SQL insert and update and freeradius will execute this one every time for quota data. But, I think this is not for a system with many customers.

Do you mean Exec-Program perl? If you are talking about something else, please give me some examples... Sorry for my language.

Thank you!

t...@kalik.net wrote:
>> /*
>>  *      sql xlat function. Right now only SELECTs are supported. Only
>>  *      the first element of the SELECT result will be used.
>>  */
>>
>> Oh, I am really very interested in INSERT sql. Please tell me, is this right? Can I insert or update any data into my DB? Can I use another way to INSERT sql data when I do not use sql accounting and the accounting_start_query/stop_query statement? I need to insert or update sql data when my customers do the authorize check.
>
> I use perl.
>
> Ivan Kalik
> Kalik Informatika ISP

--
Yours faithfully,
Anton Borisov.
Some SQL radgroupcheck/reply troubles.
= radgroupreply.GroupName AND usergroup.GroupName = '%{SQL-Group}' ORDER BY usergroup.PRIORITY -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE (usergroup.Username = 'c-user' OR usergroup.CLID = '250097000222612') AND usergroup.GroupName = radgroupreply.GroupName AND usergroup.GroupName = 'b-group' ORDER BY usergroup.PRIORITY
  Tue Jan 13 13:28:04 2009 : Debug: rlm_sql (sqlauth): Released sql socket id: 0
  Tue Jan 13 13:28:04 2009 : Info: ++[sqlauth] returns ok

And the correct result:

  rad_recv: Access-Accept packet from host 127.0.0.01 port 1812, id=133, length=47
        Reply-Message = c-reply
        Reply-Message = a-group
        Reply-Message = b-group

All in all: we have TWO selects about TWO groups and we use Fall-Through to check all groups. All are working!

First select in debug:

  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE (usergroup.Username = 'c-user' OR usergroup.CLID = '250097000222612') AND usergroup.GroupName = radgroupreply.GroupName AND usergroup.GroupName = 'a-group' ORDER BY usergroup.PRIORITY

  GROUPNAME   ATTRIBUTE       VALUE     OP
  a-group     Fall-Through    Yes       =
  a-group     Reply-Message   a-group   +=

Second select:

  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE (usergroup.Username = 'c-user' OR usergroup.CLID = '250097000222612') AND usergroup.GroupName = radgroupreply.GroupName AND usergroup.GroupName = 'b-group' ORDER BY usergroup.PRIORITY

  GROUPNAME   ATTRIBUTE       VALUE     OP
  b-group     Reply-Message   b-group   +=

What do you think?

--
Yours faithfully,
Anton Borisov.
Re: Exec-Program in acct_users file
Thank you for your reply.

Yes, yes. I have uncommented exec in the post-auth section in the /etc/raddb/sites-enabled/default config.

So, another way in 2.1.1 - I've configured this program only with the accounting module. Some examples:

  /etc/raddb/sites-enabled/default

  accounting {
        ...
        ...
        Acct-Type BILL {
                if ( Acct-Status-Type =~ /Start|Stop/ ) {
                        dns
                }
        }
        ...

  cat /etc/raddb/modules/exec
  ...
  ...
  exec dns {
        wait = yes
        program = /path-to-my-programm.sh
        input_pairs = request
        output_pairs = reply
  }

This is working, but it is quicker and easier to only add Exec-Program to acct_users (like in the 1.7.7 version). Would you be so kind and give some examples for acct_users in 2.1.1?

Alan DeKok wrote:
> Anton Borisov wrote:
>> I used Start and Stop in accounting for some DNS registrations of my clients, like this:
>>
>>   ~# cat acct_users
>>   ...
>>   ...
>>   DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type := BILL
>>   ...
>>
>> and this works in 1.1.7 ! But for 2.1.1 - this does not work.
>
> You need to list the exec module in the post-auth section.
>
> Alan DeKok.

--
Yours faithfully,
Anton Borisov.
Exec-Program in acct_users file
Good day!

Does everyone know about Exec-Program in acct_users in Freeradius 2.1.1? I upgraded from 1.1.7 to 2.1.1 and do not see exec in the debug. I used Start and Stop in accounting for some DNS registrations of my clients, like this:

  ~# cat acct_users
  ...
  ...
  DEFAULT Realm == 'dyndns', Acct-Status-Type == Start, Acct-Type := BILL
        Exec-Program = /opt/fr/bin/dyndns.acctstart.pl

  DEFAULT Realm == 'dyndns', Acct-Status-Type == Stop, Acct-Type := BILL
        Exec-Program = /opt/fr/bin/dyndns.acctstop.pl

and this works in 1.1.7 ! But for 2.1.1 - this does not work.

  Mon Dec 22 18:19:19 2008 : Info: ++[preprocess] returns ok
  Mon Dec 22 18:19:19 2008 : Info: [suffix] Looking up realm dyndns for User-Name = 12...@dyndns
  Mon Dec 22 18:19:19 2008 : Info: [suffix] Found realm dyndns
  Mon Dec 22 18:19:19 2008 : Info: [suffix] Adding Stripped-User-Name = 12345
  Mon Dec 22 18:19:19 2008 : Info: [suffix] Adding Realm = dyndns
  Mon Dec 22 18:19:19 2008 : Info: [suffix] Accounting realm is LOCAL.
  Mon Dec 22 18:19:19 2008 : Info: ++[suffix] returns ok
  Mon Dec 22 18:19:19 2008 : Info: [files] expand: %{NAS-IP-Address} -> 212.119.106.21
  Mon Dec 22 18:19:19 2008 : Info: [files] acct_users: Matched entry DEFAULT at line 32

at this point (line 32 - Realm == 'dyndns', line 33 Exec-Program = blabla in acct_users) it does not work.

  Mon Dec 22 18:19:19 2008 : Info: ++[files] returns ok
  Mon Dec 22 18:19:19 2008 : Debug: Found Acct-Type BILL
  Mon Dec 22 18:19:19 2008 : Info: +- entering group BILL {...}
  Tue Dec 23 10:40:52 2008 : Info: [acct_unique] Hashing 'NAS-IP-Address = 212.119.106.21,Acct-Session-Id = D4776A151004A3344'
  Tue Dec 23 10:40:52 2008 : Info: [acct_unique] Acct-Unique-Session-ID = eddc8ecb616eae58.
  Tue Dec 23 10:40:52 2008 : Info: ++[acct_unique] returns ok
  Tue Dec 23 10:40:52 2008 : Info: [BILL] expand: /opt/fr2/radacct/files/cdr.%Y%m%d.%H -> /opt/fr2/radacct/files/cdr.20081223.10
  Tue Dec 23 10:40:52 2008 : Info: [BILL] /opt/fr2/radacct/files/cdr.%Y%m%d.%H expands to /opt/fr2/radacct/files/cdr.20081223.10
  Tue Dec 23 10:40:52 2008 : Info: [BILL] Acquired filelock, tried 1 time(s)
  Tue Dec 23 10:40:52 2008 : Info: [BILL] expand: %t -> Tue Dec 23 10:40:52 2008
  Tue Dec 23 10:40:52 2008 : Info: [BILL] Released filelock
  Tue Dec 23 10:40:52 2008 : Info: ++[BILL] returns ok
  Sending Accounting-Response of id 66 to 128.1.134.55 port 50812

at this point it does not work again...

  Tue Dec 23 10:40:52 2008 : Info: Finished request 0.
  Tue Dec 23 10:40:52 2008 : Info: Cleaning up request 0 ID 66 with timestamp +3
  Tue Dec 23 10:40:52 2008 : Debug: Going to the next request

in 1.1.7

  Tue Dec 23 10:28:56 2008 : Debug: rlm_acct_unique: Acct-Unique-Session-ID = fd9494068cfbfd81.
  Tue Dec 23 10:28:56 2008 : Debug: modsingle[accounting]: returned from acct_unique (rlm_acct_unique) for request 1
  Tue Dec 23 10:28:56 2008 : Debug: modcall[accounting]: module acct_unique returns ok for request 1
  Tue Dec 23 10:28:56 2008 : Debug: modsingle[accounting]: calling BILL (rlm_detail) for request 1
  Tue Dec 23 10:28:56 2008 : Debug: radius_xlat: '/opt/fr/radacct/files/cdr.20081223.10'
  Tue Dec 23 10:28:56 2008 : Debug: rlm_detail: /opt/fr/radacct/files/cdr.%Y%m%d.%H expands to /opt/fr/radacct/files/cdr.20081223.10
  Tue Dec 23 10:28:56 2008 : Debug: rlm_detail: Acquired filelock, tried 1 time(s)
  Tue Dec 23 10:28:56 2008 : Debug: rlm_detail: Released filelock
  Tue Dec 23 10:28:56 2008 : Debug: modsingle[accounting]: returned from BILL (rlm_detail) for request 1
  Tue Dec 23 10:28:56 2008 : Debug: modcall[accounting]: module BILL returns ok for request 1
  Tue Dec 23 10:28:56 2008 : Debug: modcall: leaving group BILL (returns ok) for request 1

at this point my script is working.

  Sending Accounting-Response of id 232 to 128.1.134.55 port 33228
  Tue Dec 23 10:28:56 2008 : Debug: Finished request 1
  Tue Dec 23 10:28:56 2008 : Debug: Going to the next request

--
Yours faithfully,
Anton Borisov.
Re: SUN_LEN Error
Good day!

Thank you! It is working!

Could I ask about a key for Solaris OS in future? Something like --without-SUN_LEN...

Sorry about the duplicate, I thought my first message was rejected by the mail-filter.

Alan DeKok wrote:
> Anton Borisov wrote:
>> Good day!
>
> You don't need to post the same message multiple times.
>
>> I try to use new version 2.1.3 in Solaris10. (uname -a SunOS x 5.10 Generic_125100-06 sun4u sparc SUNW,Netra-240)
>> ...
>>   Undefined                       first referenced
>>    symbol                             in file
>>   SUN_LEN                             .libs/listen.o
>
> You need to add:
>
>   #define SUN_LEN(su) (sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path))
>
> to src/include/radiusd.h
>
> Apparently Solaris doesn't have SUN_LEN
>
> Alan DeKok.

--
Yours faithfully,
Anton Borisov.
SUN_LEN Error
Good day!

I try to use new version 2.1.3 in Solaris10. (uname -a SunOS x 5.10 Generic_125100-06 sun4u sparc SUNW,Netra-240)

I have installed 2.1.1 - ./configure + make + make install - all of them work fine, but when I try to make the new version I get an error: ./configure is ok, make is:

  ...
  ...
  ...
  creating .libs/radiusdS.c
  (cd .libs && gcc -g -O2 -c -fno-builtin radiusdS.c)
  rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
  gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o /usr/local/src/freeradius-server-2.1.3/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lsocket -lposix4 -lpthread -lcrypt /usr/local/src/freeradius-server-2.1.3/libltdl/.libs/libltdl.so -ldl -R/opt/fr2/lib
  Undefined                       first referenced
   symbol                             in file
  SUN_LEN                             .libs/listen.o
  ld: fatal: Symbol referencing errors. No output written to .libs/radiusd
  collect2: ld returned 1 exit status
  make[4]: *** [radiusd] Error 1
  make[4]: Leaving directory `/opt/src/freeradius-server-2.1.3/src/main'
  make[3]: *** [common] Error 2
  make[3]: Leaving directory `/opt/src/freeradius-server-2.1.3/src'
  make[2]: *** [all] Error 2
  make[2]: Leaving directory `/opt/src/freeradius-server-2.1.3/src'
  make[1]: *** [common] Error 2
  make[1]: Leaving directory `/opt/src/freeradius-server-2.1.3'
  make: *** [all] Error 2

So, would you be so kind and tell me where I made my mistake?

--
Yours faithfully,
Anton Borisov.
Re: Exec-Program and length of arguments
>> If I add to users file this:
>
> When I used exec-program all the attributes I wanted were in the environment.

And how can I exploit it? I get only this:

  --
  $ cat /home/engineer/acrad.sh
  #!/bin/sh
  printenv > /tmp/exec-program-wait
  --
  bob     Auth-Type := Local, User-Password == bob
          Reply-Message = Hello, %u,
          Exec-Program = /home/engineer/acrad.sh
  --

After radtest, in /tmp/exec-program-wait I found only

  $ cat /tmp/exec-program-wait
  CLIENT_IP_ADDRESS=127.0.0.1
  NAS_IP_ADDRESS=255.255.255.255
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
  NAS_PORT=0
  USER_PASSWORD=bob
  USER_NAME=bob

But this is far less than what I am waiting for... I need to do the same that SQL accounting does. If I look at raddb/pgsql-voip.conf, I can see the pretty accounting_stop_query, which puts much interesting info into the database. I think it can put all of

  %{User-Name} : %{Service-Type} : %{Acct-Status-Type} : %{Acct-Session-Id} : %{Framed-Protocol} : %{NAS-Identifier} : %{NAS-Port-Id} : %{NAS-IP-Address} : %{Calling-Station-Id} : %{Called-Station-Id} : %{Framed-IP-Address} : %{Acct-Input-Octets} : %{Acct-Output-Octets} : %{Acct-Input-Packets} : %{Acct-Output-Packets} : %{Acct-Session-Time} : %{Acct-Terminate-Cause}

Am I right? So, how can I do the same, but with a perl/shell script (e.g. pass all these variables as arguments or environment)?

> From radiusd.conf
>
>       #
>       #  The attributes which are placed into the
>       #  environment variables for the program.
>       #
>       #  Allowed values are:
>       #
>       #       request         attributes from the request
>       #       config          attributes from the configuration items list
>       #       reply           attributes from the reply
>       #       proxy-request   attributes from the proxy request
>       #       proxy-reply     attributes from the proxy reply
>       #
>       #  Note that some attributes may not exist at some
>       #  stages.  e.g.  There may be no proxy-reply
>       #  attributes if this module is used in the
>       #  'authorize' section.

I read this. But I'm just a newbie, sorry.

I tried this

  exec echo {
        wait = yes
        program = /home/engineer/acrad.sh %{User-Name}
        input_pairs = request
        output_pairs = reply
  }

  instantiate {
        exec
  ...

but it seems that the program is not started at all.

--
engineer
Exec-Program and length of arguments
Hi.

If I add to users file this:

  bob     Auth-Type := Local, User-Password == bob
          Reply-Message = Hello, %u,
          Exec-Program = /home/engineer/acrad.pl User-Name=%{User-Name} Service-Type=%{Service-Type} Acct-Status-Type=%{Acct-Status-Type} Acct-Session-Id=%{Acct-Session-Id} Framed-Protocol=%{Framed-Protocol} NAS-Identifier=%{NAS-Identifier} NAS-Port-Id=%{NAS-Port-Id}

it works. But I need to pass more arguments to my program, and as far as I can see there is some limit. If I add this:

  Exec-Program = /home/engineer/acrad.sh User-Name=%{User-Name} Service-Type=%{Service-Type} Acct-Status-Type=%{Acct-Status-Type} Acct-Session-Id=%{Acct-Session-Id} Framed-Protocol=%{Framed-Protocol} NAS-Identifier=%{NAS-Identifier} NAS-Port-Id=%{NAS-Port-Id} NAS-IP-Address=%{NAS-IP-Address} Calling-Station-Id=%{Calling-Station-Id} Called-Station-Id=%{Called-Station-Id} Framed-IP-Address=%{Framed-IP-Address} Acct-Input-Octets=%{Acct-Input-Octets} Acct-Output-Octets=%{Acct-Output-Octets} Acct-Input-Packets=%{Acct-Input-Packets} Acct-Output-Packets=%{Acct-Output-Packets} Acct-Session-Time=%{Acct-Session-Time} Acct-Terminate-Cause=%{Acct-Terminate-Cause}

  # radiusd -sfxxyz -l stdout 2>&1
  ...
  Module: Loaded files
   files: usersfile = /etc/raddb/users
   files: acctusersfile = /etc/raddb/acct_users
   files: preproxy_usersfile = /etc/raddb/preproxy_users
   files: compat = no
  /etc/raddb/users[220]: Parse error (reply) for entry bob: Expected end of line or comma
  Errors reading /etc/raddb/users
  radiusd.conf[1047]: files: Module instantiation failed.
  radiusd.conf[1791] Unknown module files.
  radiusd.conf[1727] Failed to parse authorize section.

and the same with the hints file.

The main goal is that I need to do some accounting with my script. I looked at experimental.conf (at the perl section), but for now I do not understand whether I can utilize it for my needs somehow. What can I do?

--
engineer
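The environment interface of the exec module is the way around the argument-length limit in this thread: with input_pairs = request every request attribute is exported as an environment variable named after the attribute, upper-cased with dashes turned into underscores (the USER_NAME and NAS_IP_ADDRESS lines in the printenv output earlier in the thread show the naming). The acrad.sh below is an added example, not the poster's script: it reads the same attribute list the thread wants from the environment, strips control characters so a NAS-supplied value cannot split or forge a log record, and appends one record per packet; the ACCT_LOG variable, its /tmp default and the " : " separator are assumptions of this example.

```sh
#!/bin/sh
# acrad.sh: accounting script for the FreeRADIUS exec module (added example).
# Configure it with wait = yes and input_pairs = request; every request
# attribute then arrives as an environment variable (User-Name -> USER_NAME),
# so nothing has to be passed on the command line.
#
# Assumptions made by this example: records go to $ACCT_LOG (default
# /tmp/acrad.log) and fields are joined with " : ".

# Attributes to record, in the order of the accounting query quoted in the thread.
ACCT_FIELDS="USER_NAME SERVICE_TYPE ACCT_STATUS_TYPE ACCT_SESSION_ID \
FRAMED_PROTOCOL NAS_IDENTIFIER NAS_PORT_ID NAS_IP_ADDRESS CALLING_STATION_ID \
CALLED_STATION_ID FRAMED_IP_ADDRESS ACCT_INPUT_OCTETS ACCT_OUTPUT_OCTETS \
ACCT_INPUT_PACKETS ACCT_OUTPUT_PACKETS ACCT_SESSION_TIME ACCT_TERMINATE_CAUSE"

# Print the value of the environment variable named in $1 with all control
# characters (newlines, tabs, DEL) removed, so a value sent by the NAS cannot
# inject a second log line; absent attributes (e.g. Acct-Terminate-Cause in a
# Start packet) become "-".  $1 only ever comes from ACCT_FIELDS above.
clean_value() {
    eval "v=\${$1:-}"
    if [ -z "$v" ]; then
        printf '%s' '-'
    else
        printf '%s' "$v" | tr -d '[:cntrl:]'
    fi
}

# Build one record from the environment and print it without a trailing newline.
# A value that itself contains " : " would still need escaping before the log
# is parsed field by field.
build_record() {
    out=""
    for name in $ACCT_FIELDS; do
        field=$(clean_value "$name")
        if [ -z "$out" ]; then
            out="$field"
        else
            out="$out : $field"
        fi
    done
    printf '%s' "$out"
}

# Append the record to the log.  A zero exit status is what the exec module
# reports back as "ok" for the accounting section.
log_record() {
    logfile="${ACCT_LOG:-/tmp/acrad.log}"
    build_record >> "$logfile"
    printf '\n' >> "$logfile"
}

# Only write when radiusd runs this file as acrad.sh; sourcing it for tests
# makes the functions available without touching the log.
case "$0" in
    *acrad.sh) log_record ;;
esac
```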
Re: rlm_eap.so
Nicolas Baradakis wrote:
> I don't see libeap.so in the output of ldd. Something is wrong here, because rlm_eap depends on libeap.
>
> You could try to re-build FreeRADIUS with ./configure --disable-shared.

It is undesirable to use static libraries.

I have found a similar problem on the Internet:
=
Adding -leap -L../../libeap to the RLM_LIBS line in src/modules/rlm_eap/types/rlm_eap_ttls/Makefile fixed that, but I'm almost positive that's not the right solution.
=
It means rlm_eap_ttls.so shows rlm_eap.so in its ldd output.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg03597.html
libeap.so
Hm...

  Warning: Linking the executable radeapclient against the loadable module libeap.so is not portable!

  [EMAIL PROTECTED] root]# ls /usr/lib/freeradius/libeap.so
  /usr/lib/freeradius/libeap.so
Re: rlm_eap.so
Nicolas Baradakis writes:

> You could try to re-build FreeRADIUS with ./configure --disable-shared.

It is undesirable to use static libraries.

> Then you could try to build FreeRADIUS from a CVS snapshot: the build process of rlm_eap and libeap should work better.

freenibs does not build from cvs:

    configure: warning: CC=gcc: invalid host type
    configure: warning: CFLAGS=-pipe -Wall -O2 -march=i686: invalid host type
    configure: error: can only configure for one host and one target at a time
    configure: error: /bin/sh './configure' failed for src/modules/rlm_nibs
rlm_eap.so
I've compiled a fresh version of FreeRADIUS (Version 1.1.0) from http://www.freeradius.org/ but I've got an error on program startup:

    Module: Loaded eap
     eap: default_eap_type = md5
     eap: timer_expire = 60
     eap: ignore_unknown_eap_types = no
     eap: cisco_accounting_username_bug = no
    radiusd: symbol lookup error: /usr/lib/freeradius/rlm_eap.so: undefined symbol: eaptype_name2type

    [EMAIL PROTECTED] freeradius-1.1.0]# ldd /usr/lib/freeradius/rlm_eap.so
            libssl.so.4 => /lib/libssl.so.4 (0x00128000)
            libcrypto.so.4 => /lib/libcrypto.so.4 (0x00158000)
            libnsl.so.1 => /lib/libnsl.so.1 (0x00253000)
            libresolv.so.2 => /lib/libresolv.so.2 (0x00268000)
            libpthread.so.0 => /lib/libpthread.so.0 (0x0027b000)
            libc.so.6 => /lib/libc.so.6 (0x002ce000)
            libdl.so.2 => /lib/libdl.so.2 (0x003db000)
            /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

    [EMAIL PROTECTED] rlm_eap]# uname -a
    Linux ring.local 2.4.26-std-up-alt13 #1 Mon Nov 14 00:25:14 MSK 2005 i686 unknown unknown GNU/Linux
Re: Authenticate via rlm_pap/rlm_chap/rlm_mschap against external password
Well, then I guess the problem is to replace User-Password, NT-Password and LM-Password in the request->config_items pairlist (using some external module) at the authorization stage, so that chained rlm_pap/rlm_chap/rlm_mschap modules could check against them during the authentication stage, like this:

    modules {
        ...
        exec_new ext_script {
            # an abstract exec-like module that fetches passwords
            # and installs them into request->config_items
            wait = yes
            program = "/usr/local/sbin/AuthRadius %Z"
        }
        ...
    }

    authorize {
        ...
        ext_script
        ...
    }

    authenticate {
        Auth-Type EXEC {
            group {
                pap {
                    fail = 1
                    invalid = 2
                    reject = 3
                    noop = 4
                    ok = return
                    updated = return
                    userlock = return
                    handled = return
                }
                chap {
                    fail = 1
                    invalid = 2
                    reject = 3
                    noop = 4
                    ok = return
                    updated = return
                    userlock = return
                    handled = return
                }
                mschap {
                    fail = 1
                    invalid = 2
                    reject = 3
                    noop = 4
                    ok = return
                    updated = return
                    userlock = return
                    handled = return
                }
            }
        }
    }

Is it ever possible (even with rlm_exec modification)?

27 2004 21:19 Alan DeKok wrote:

> Anton Voronin [EMAIL PROTECTED] wrote:
>
> > Is it possible to somehow make rlm_pap, rlm_chap or rlm_mschap authenticate against a password (or NT/LM hash) taken from an external source (for example, using rlm_exec or rlm_perl)?
>
> MS-CHAP does this already. If you had tried it, you would have seen that it works. It's impossible to do for CHAP. The PAP module could do it I guess, but it would require code changes.

-- Anton Voronin Intersvyaz JSC http://www.chelcom.ru +7 (3512) 655199
a bug in the ippool.c
Hello there. I've posted previously, but no one took it as a bug. I'm using freebsd pptp+ppp+freeradius+mysql. I've tried to set up ippool so I can get dynamically assigned IPs from the radius server. It worked just fine with radtest; I got the right answer with the IP address and all was fine. But! When I tried through ppp (set radius /etc/ppp/radius.conf) I didn't get any IP number, I just got authenticated. According to the debug information, ippool failed to give me an IP address because ppp didn't send any NAS-Port = port; it returned NAS-Port-Type = Virtual. I thought this was a ppp bug, but look at this answer from the freebsd-net list (and the RFCs):

> NAS-Port is not required. From RFC2865 section 4.1:
>
> An Access-Request SHOULD contain a NAS-Port or NAS-Port-Type attribute or both unless the type of access being requested does not involve a port or the NAS does not distinguish among its ports.
>
> NAS-Port is intended to specify the physical (modem) port on a dialin server. It does not mean the UDP port from/to which RADIUS requests are sent. The bug, if any, is in whatever is demanding that the attribute be present.

I took a look at ippool.c and there is an if statement that returns noop if there is no NAS-Port. I think this should be considered a bug in freeradius ippool... what would you say, guys?
Re: How to Auth-Type
19 2004 15:51 Mike Groeneweg wrote:

> I've done it in my custom rlm_perl module, in the authorization stage, I look at the Called-Number attribute to see which IP pool and user list I want to use (ie Staff vs Student, in a Uni environment):

Thanks Mike, unfortunately rlm_perl doesn't work on my old system :( I'll try to look at other modules (rlm_exec for example).

-- Anton Voronin Intersvyaz JSC http://www.chelcom.ru +7 (3512) 655199
NAS-Port-Type = Virtual || NAS-Port = 1812 ????!!! Please help!
Hello there, I'm running freeradius on my freebsd box and now I'm trying to configure it to set dynamic IPs. I've configured it and it works just fine with radtest, BUT! when I try to connect through my pptp server I get authenticated but I don't get an IP address!! I've debugged for a while and saw this: when I run

    radtest bla bla 192.168.0.100 1812 blabla

I got:

    rad_recv: Access-Request packet from host 192.168.0.100:3137, id=255, length=55
            User-Name = "bla"
            User-Password = "bla"
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1812
    modcall: entering group authorize for request 38

and I get an IP address assigned from the dynamic range:

    rad_recv: Access-Accept packet from host 192.168.0.100:1812, id=99, length=44
            Framed-Protocol = PPP
            Service-Type = Framed-User
            Framed-IP-Address = 192.168.12.192
            Framed-IP-Netmask = 255.255.254.0

BUT!!! when I try to connect through pptp (the ppp implementation under freebsd 4.9, using set radius in ppp.conf) I get this:

    rad_recv: Access-Request packet from host 192.168.0.1:1421, id=109, length=142
            User-Name = "bla"
            Service-Type = Framed-User
            Framed-Protocol = PPP
            MS-CHAP-Challenge = 0x35303437363836363834343734393632
            MS-CHAP2-Response = 0x010085a16d8c4d564e0b754f61fff6680efa032b2a37754168ca3fd20909891b617982a445a7e6670623
            NAS-Identifier = "valqk.upper.lan"
            NAS-Port-Type = Virtual

and after that:

    rlm_ippool: Could not find nas port information. Return NOOP.
    modcall[post-auth]: module "access_pool" returns noop for request 35

Is this some kind of bug, and can anyone tell me why this is happening??? I'd greatly appreciate any help!! 10x in advance!!!
Re: module calling logic
19 2004 11:11 Anton Voronin wrote:

> 2) I cannot define a custom instance of the exec module (for example, exec_xxx). If I define exec xxx {...} in the module configuration section, I cannot refer to it from authenticate{...} or authorize{...} as exec_xxx, because the server complains: ERROR: Cannot find a configuration entry for module "exec_xxx".

Please ignore (2), I should have referred to it as just xxx :)

-- Anton Voronin Intersvyaz JSC http://www.chelcom.ru +7 (3512) 655199
Re: Rlm_perl :how to add
19 2004 11:37 Truong Manh Cuong wrote:

> I want to write a perl script to control something in the authorize session and authenticate session. How can I do that? Please give me a small example. Where can I put the line that declares the script? Where and what do I have to add to the config file when I want to use a perl script? Thanks and Regards, Manh Cuong.

Try the following:

    modules {
        ...
        perl {
            module = path/to/your/script
        }
        ...
    }

-- Anton Voronin Intersvyaz JSC http://www.chelcom.ru +7 (3512) 655199
Dynamic IP assignment?
Hello to everyone! I'm pretty new to using radius. I've made my freeradius talk with mysql and it works just fine, but now I want my radius to assign IPs, because I don't want static IPs for my users. I've looked around and saw that there is a way, using rlm_ippool. I'm using freebsd 4.9 and it's very important to me because ppp itself can't assign IPs dynamically. Can anyone help me (who has done this before)? I need to have my mysql set up so that different groups have different ranges of IPs (even different networks), and also when I put a static IP on a user, he gets this IP, not a dynamic one. If anyone can help, I'd appreciate it very much! 10x in advance!!! Have a nice day.
Re: Dynamic IP assignment?
10x a lot for the quick and accurate answer!!! This list is just great, the right answer was RTFM but you've answered explaining how to do it. THANKS A LOT. I thought I'd have to install something separate from freeradius! FreeRadius is just GREAT! KEEP DOING THE GOOD THING GUYS! 10x a lot again!

On Tue, 2004-02-17 at 14:42, [EMAIL PROTECTED] wrote:

> On Tue, Feb 17, 2004 at 01:59:58PM +0200, Anton Blajev wrote:
>
> > I'm pretty new to using radius. I've made my freeradius talk with mysql and it works just fine, but now I want my radius to assign IPs, because I don't want static IPs for my users. I've looked around and saw that there is a way, using rlm_ippool. I'm using freebsd 4.9 and it's very important to me because ppp itself can't assign IPs dynamically. Can anyone help me (who has done this before)? I need to have my mysql set up so that different groups have different ranges of IPs (even different networks), and also when I put a static IP on a user, he gets this IP, not a dynamic one.
>
> An (almost) complete solution can be found in radiusd.conf:
>
>     # Example:
>     # radiusd.conf: ippool students { [...] }
>     # users file  : DEFAULT Group == students, Pool-Name := students
>
> So, all you have to do is define several ippools and assign the correct pool to each group.
Problem installing freeradius+rlm_sql_mysql under freebsd ! Strange!
Hello all out there, I'm using FreeBSD as my server machine, and I wanted to run radius+mysql auth for my pptp users. I got freeradius working just fine, but! When I tried to get it working with mysql I wasn't able to :(. It returned an error: freeradius can't load the rlm_sql_mysql module. I did ls -la in the lib dir, and there was rlm_sql.so pointing to rlm_sql_postgresql.so. I've installed freeradius a lot of times since, with different options (I'm installing it from /usr/ports; I have the exact version of mysql server + client). I'm defining -DWITH_MYSQL_VER=40 as described in the Makefile in /usr/ports/net/freeradius/Makefile, but nothing!!! I get the same result every time: freeradius gets built with postgre and no mysql :((( Any ideas why that is? 10x in advance!
Re: Problem installing freeradius+rlm_sql_mysql under freebsd ! Strange!
Yep! It worked! So, in conclusion, as has been said: when you install freeradius on freebsd from ports, use

    make -WITH_MYSQL=yes

not make -D.anything here as you used to define something. It worked! I have rlm_sql_mysql.so!! Thanks a lot guys!

On Wed, 2004-02-11 at 21:34, Guy Fraser wrote:

> Anton Blajev wrote:
>
> > Hello all out there, I'm using FreeBSD as my server machine, and I wanted to run radius+mysql auth for my pptp users. I got freeradius working just fine, but! When I tried to get it working with mysql I wasn't able to :(. It returned an error: freeradius can't load the rlm_sql_mysql module. I did ls -la in the lib dir, and there was rlm_sql.so pointing to rlm_sql_postgresql.so. I've installed freeradius a lot of times since, with different options (I'm installing it from /usr/ports; I have the exact version of mysql server + client). I'm defining -DWITH_MYSQL_VER=40 as described in the Makefile in /usr/ports/net/freeradius/Makefile, but nothing!!! I get the same result every time: freeradius gets built with postgre and no mysql :((( Any ideas why that is? 10x in advance!
>
> Change directory to: /usr/ports/net/freradius
>
> Type these commands as root or use sudo:
>
>     make deinstall
>     make clean
>     make WITH_MYSQL=yes
>     make install
>
> You should now have freeradius installed with mysql support.
>
> If you want to build from cvs... As root:
>
>     cvs -d :pserver:[EMAIL PROTECTED]:/source login
>     {cvs password is : anoncvs}
>     cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd
>     cvs -d :pserver:[EMAIL PROTECTED]:/source logout
>     cd radiusd
>     ./configure --quiet --with-logdir=/var/log --localstatedir=/var \
>         --disable-ltdl-install --with-ltdl-include=/usr/local/include \
>         --with-ltdl-lib=/usr/local/lib --with-large-files \
>         --without-rlm_x99_token
>     make
>     make install
>
> I am currently working on a FreeBSD 5.2 machine with FreeRadius from CVS. You will probably want to make sure your ports tree is up to date before you build freeradius from ports. The current port should be 0.9.3.
>
> I have built it with MySQL support and it does work. Hope that helps. Have a nice day.
Re[4]: freeradius MSCHAPv2 possible bug
Hello Alan,

You've been absolutely right. The bug was in the radius module for pppd, and it sent a wrong MS-CHAP2-Response value to freeradius. The problem was in the function which composes this attribute from the client authentication response. The format of the PPP response packet and the MS-CHAP-Response av pair differ slightly, confirming the comments of the developer of the plug-in (something about idiots). I've seen here that 3 people in this mailing list are suffering from the same bug, so could you please excuse the posting of the patch? It was made against the latest cvs version of pppd from samba.org:

Index: radius.c === RCS file: /cvsroot/ppp/pppd/plugins/radius/radius.c,v retrieving revision 1.21 diff -u -r1.21 radius.c --- radius.c25 Nov 2003 11:50:10 - 1.21 +++ radius.c7 Jan 2004 19:18:43 - @@ -425,7 +425,7 @@ case CHAP_MICROSOFT_V2: { /* MS-CHAP-Challenge and MS-CHAP2-Response */ - MS_Chap2Response *rmd = (MS_Chap2Response *) (response + 1); + MS_Chap2Response *rmd = (MS_Chap2Response *) response; u_char *p = cpassword; if (response_len != MS_CHAP2_RESPONSE_LEN)

It completely fixes the problem of authenticating with pppd against freeradius using MSCHAPv2. I sent this patch to one of the maintainers of pppd and asked them to commit it to the source tree. Hope a fixed pppd will be available to the wide public soon.

Kind regards,
Anton Golubev
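Review bot: the changed line drops the one-byte offset without recording why in the code; since the following check `if (response_len != MS_CHAP2_RESPONSE_LEN)` requires the buffer to be exactly MS_CHAP2_RESPONSE_LEN bytes, the old `(MS_Chap2Response *) (response + 1)` base made the structure extend one byte past the validated length, and a comment at the new `(MS_Chap2Response *) response` line stating that `response` already points at the start of the MS-CHAP2 response (the PPP versus RADIUS attribute layout difference described in the message) would keep a future reader from reinstating the `+ 1`.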
Re[2]: freeradius MSCHAPv2 possible bug
Hello Alan,

AD> It's still base64 encoded. I have no clue why some mail programs
AD> think that base64 encoding text is a good idea.

Fortunately it didn't prevent you from reading my mail. Hope this time it will be plain text.

AD> That says to me that you have both User-Password and NT-Password for
AD> the user in your SQL database, and that the NT-Password is wrong.
AD> Delete the NT-Password from the SQL database. The MS-CHAP module
AD> can use a clear-text password to do its authentication. It will
AD> work.

It is not actually true. My radcheck table has only one line, namely:

    mysql> select * from radcheck;
    +----+----------+---------------+----+-------+
    | id | UserName | Attribute     | op | Value |
    +----+----------+---------------+----+-------+
    |  1 | anton    | User-Password | == | anton |
    +----+----------+---------------+----+-------+
    1 row in set (0.00 sec)

To make things clear, here is the content of the radreply table:

    mysql> select * from radreply;
    +----+----------+-------------------+----+-------------+
    | id | UserName | Attribute         | op | Value       |
    +----+----------+-------------------+----+-------------+
    |  1 | anton    | Framed-IP-Address | := | 172.16.1.10 |
    +----+----------+-------------------+----+-------------+
    1 row in set (0.00 sec)

Recently I checked another suggestion, which says that in some cases WinXP appends \ symbols to the login name, which breaks the authentication. This idea was inspired by the patch from the recent FreeBSD stable ports collection against freeradius rlm_mschap.c:

--- src/modules/rlm_mschap/rlm_mschap.c.origTue Apr 8 11:53:05 2003 +++ src/modules/rlm_mschap/rlm_mschap.c Tue Apr 8 11:53:32 2003
@@ -260,10 +260,15 @@ SHA1_CTX Context; char hash[20]; + const char *name; + + name = strchr(user_name, '\\'); + name = name == NULL ? user_name : name + 1; + SHA1Init(Context); SHA1Update(Context, peer_challenge, 16); SHA1Update(Context, auth_challenge, 16); - SHA1Update(Context, user_name, strlen(user_name)); + SHA1Update(Context, name, strlen(name)); SHA1Final(hash, Context); memcpy(challenge, hash, 8); }

But it was a void try, since debugging shows that user_name has the correct value:

    modcall: group authorize returns ok for request 0
    rad_check_password: Found Auth-Type MS-CHAP
    auth: type "MS-CHAP"
    modcall: entering group Auth-Type for request 0
    rlm_mschap: doing MS-CHAPv2 with NT-Password
    user_name=anton   <- DEBUG2("user_name=%s", user_name);
    rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    modcall[authenticate]: module "mschap" returns reject for request 0
    modcall: group Auth-Type returns reject for request 0
    auth: Failed to validate the user.

I have no other ideas how to fix it. Any suggestions?

Best regards,
Anton
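Review bot: `name = strchr(user_name, '\\')` keys off the first backslash, so `DOMAIN\anton` and `\anton` both hash as `anton` while a name with no backslash is used unchanged; the hunk should carry a comment saying that this follows the MS-CHAPv2 convention of feeding the challenge hash the account name without its domain prefix, and since the debugging output later in this message prints only `user_name=anton`, a debug line printing `name` next to it would make a stripped prefix visible. The change affects only the SHA1Update input; any other use of `user_name` in the module (such as the password lookup) still sees the full string, which is worth stating explicitly if intended.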
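The quoted rlm_mschap patch changes only the user name fed to the MS-CHAPv2 challenge hash. As an added example (not code from the thread, FreeRADIUS or pppd), here is RFC 2759's ChallengeHash() in Python with the same domain-prefix stripping, so you can see why a server that hashes the full DOMAIN\user string while the client hashed the bare account name produces exactly the "MS-CHAP2-Response is incorrect" kind of mismatch; the two challenge values are constructed, not taken from the message.

```python
import hashlib

# Constructed sample challenges (not values from the thread); MS-CHAPv2
# uses a 16-byte peer challenge and a 16-byte authenticator challenge.
PEER_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
AUTH_CHALLENGE = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def strip_domain(user_name: str) -> str:
    """Drop a Windows domain prefix: everything up to the first backslash.

    Same rule as the quoted rlm_mschap patch:
        name = strchr(user_name, '\\'); name = name ? name + 1 : user_name;
    """
    idx = user_name.find("\\")
    return user_name if idx < 0 else user_name[idx + 1:]


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   user_name: str, strip_prefix: bool = True) -> bytes:
    """RFC 2759 ChallengeHash(): the first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).

    MS-CHAPv2 hashes the account name without a domain prefix, so the
    prefix is stripped by default; strip_prefix=False reproduces the
    unpatched server behaviour of hashing the full string the NAS sent.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    name = strip_domain(user_name) if strip_prefix else user_name
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(name.encode("utf-8"))
    return h.digest()[:8]


def server_agrees_with_client(sent_user_name: str, strip_prefix: bool) -> bool:
    """True when the server derives the same 8-byte challenge as the
    client, which always hashes the bare account name (no domain)."""
    client = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                            strip_domain(sent_user_name))
    server = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                            sent_user_name, strip_prefix=strip_prefix)
    return client == server


if __name__ == "__main__":
    # Without stripping, a domain-qualified User-Name makes the server
    # compute a different challenge, so the NT-Response can never match.
    for sent in ("anton", "DOMAIN\\anton"):
        for strip in (False, True):
            verdict = "ok" if server_agrees_with_client(sent, strip) \
                else "MS-CHAP2-Response would be rejected"
            print(f"User-Name={sent!r:16} strip_prefix={strip!s:5} -> {verdict}")
```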
freeradius MSCHAPv2 possible bug
Hello all!

I am trying to set up a working solution of PPTP + FreeRADIUS + MySQL. Software involved: FreeRADIUS 0.9.3, poptop-1.1.4, pppd 2.4.2 (from pptpclient.sf.org). I use the following setup:

1. enabled radius plug-in for pppd:

    [EMAIL PROTECTED] ppp]# cat options.pptpd
    require-mschap-v2
    plugin radius.so
    radius-config-file /etc/radiusclient/radiusclient.conf

2. enabled MySQL storage for RADIUS (excerpts from radiusd.conf):

    modules {
        ...
        mschap {
            authtype = MS-CHAP
        }
    }
    authorize {
        preprocess
        suffix
        sql
        mschap
    }
    authenticate {
        mschap
    }
    preacct {
        preprocess
        suffix
        files
    }
    accounting {
        acct_unique
        detail
        sql
    }
    session {
        sql
    }

My problem is that a Windows XP box can't log in with MS-CHAP v2. From pppd's point of view it looks like this:

    Jan 5 05:31:56 ahome pppd[27471]: Connect: ppp0 <--> /dev/pts/9
    Jan 5 05:31:56 ahome pppd[27471]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7e30b849> <pcomp> <accomp>]
    Jan 5 05:31:56 ahome pptpd[27470]: GRE: Bad checksum from pppd.
    Jan 5 05:31:56 ahome pppd[27471]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x7e30b849> <pcomp> <accomp>]
    Jan 5 05:31:58 ahome pppd[27471]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x726c72fa> <pcomp> <accomp> <callback CBCP>]
    Jan 5 05:31:58 ahome pppd[27471]: sent [LCP ConfRej id=0x1 <callback CBCP>]
    Jan 5 05:31:58 ahome pppd[27471]: rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 0x726c72fa> <pcomp> <accomp>]
    Jan 5 05:31:58 ahome pppd[27471]: sent [LCP ConfAck id=0x2 <mru 1400> <magic 0x726c72fa> <pcomp> <accomp>]
    Jan 5 05:31:58 ahome pppd[27471]: sent [CHAP Challenge id=0xfa <75602b06d0e80c3cac7244da0d1df804>, name = "pptp"]
    Jan 5 05:31:58 ahome pptpd[27470]: CTRL: Received PPTP Control Message (type: 15)
    Jan 5 05:31:58 ahome pptpd[27470]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
    Jan 5 05:31:58 ahome pppd[27471]: rcvd [LCP code=0xc id=0x3 72 6c 72 fa 4d 53 52 41 53 56 35 2e 31 30]
    Jan 5 05:31:58 ahome pppd[27471]: sent [LCP CodeRej id=0x2 0c 03 00 12 72 6c 72 fa 4d 53 52 41 53 56 35 2e 31 30]
    Jan 5 05:31:58 ahome pppd[27471]: rcvd [LCP code=0xc id=0x4 72 6c 72 fa 4d 53 52 41 53 2d 30 2d 47 4f 4c 41 4e 54]
    Jan 5 05:31:58 ahome pppd[27471]: sent [LCP CodeRej id=0x3 0c 04 00 16 72 6c 72 fa 4d 53 52 41 53 2d 30 2d 47 4f 4c 41 4e 54]
    Jan 5 05:31:58 ahome pppd[27471]: rcvd [CHAP Response id=0xfa <f7624c397cabc2504b37d007f5c3b5e908358fb7d79f0d6ad3b93c7e5e597b38aca7f5e6a23e3ba600>, name = "anton"]
    Jan 5 05:32:00 ahome pppd[27471]: Peer anton failed CHAP authentication
    Jan 5 05:32:00 ahome pppd[27471]: sent [CHAP Failure id=0xfa "p\3777605\010\010P"]
    Jan 5 05:32:00 ahome pppd[27471]: sent [LCP TermReq id=0x4 "Authentication failed"]

FreeRadius with full debugging wrote this:

    ...
    rlm_sql (sql): Released sql socket id: 0
    modcall[authorize]: module "sql" returns ok for request 19
    rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type := MS-CHAP'
    modcall[authorize]: module "mschap" returns ok for request 19
    modcall: group authorize returns ok for request 19
    rad_check_password: Found Auth-Type MS-CHAP
    auth: type "MS-CHAP"
    modcall: entering group Auth-Type for request 19
    rlm_mschap: doing MS-CHAPv2 with NT-Password
    rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    modcall[authenticate]: module "mschap" returns reject for request 19
    modcall: group Auth-Type returns reject for request 19
    auth: Failed to validate the user.
    Login incorrect: [anton/<no User-Password attribute>] (from client localhost port 0)
    ...

The strangest thing about all this is that when we change require-mschap-v2 in options.pptp to require-chap or require-pap, it works just fine. I have had some ideas about the reasons for such behavior, but none of them proved itself. It is not the case that WinXP sends one string as the login and hashes another for the CHAP challenge (with e.g. the domain name appended), since changing the authentication method from MS-CHAPv2 to MS-CHAPv1 solves the problem without any manipulations on the client side. I also think that some postings here were caused by the same problem, but for various reasons weren't followed through to a solution ("freeradius and mschap2 problem" by Mauro Luzi, "MS-CHAPv2 + MySQL + group authtype failure" by Eliot Gable). I think that I use the latest possible versions of the programs: radius.c from the ppp package is 1.21 2003/11/25 11:50:10 paulus, rlm_mschap.c from freeradius is 1.41.2.1 2003/09/16 18:40:56 phampson. I don't have enough skill to trace this problem down, so I look for your advice. I think that the problem can be either in calculating and/or comparing hash values in rlm_mschap.c, i.e. a mistake in making the decision about the challenge/response pair. Or the problem can be in radius.c of pppd, which provides RADIUS with wrongly composed challenge/response attributes, i.e. a misunderstanding between pppd and freeradius. The argument in favor of the second supposition is that the presentation of the CHAP request-response pair differs in PPP