proxy questions

2006-11-14 Thread Justin Church
I need to be able to proxy accounting requests that arrive with no 
User-Name attribute.  Is that possible?  I haven't been able to make it 
work.  Maybe I could insert a dummy User-Name pre-proxy and remove it 
post-proxy?


Also, I notice that when running in -X mode, the accounting-response is 
not relayed to the original client.  Works fine when not in -X mode. 
Here's a debug of a scenario where an accounting-request was proxied 
correctly; yet, the accounting-response is not relayed to the client by 
the proxy server:


rad_recv: Accounting-Request packet from host 152.2.199.26 port 32823, id=155, length=86
User-Name = jcc
NAS-Port = 5060
Sip-Src-IP = 152.2.199.26
Acct-Status-Type = Start
Sip-Transport-Proto = TLS
Acct-Session-Id = accounting-session-1-id
  Processing the preacct section of radiusd.conf
modcall:  entering group preacct for request 4
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 5060,,NAS-IP-Address = 152.2.199.26,Acct-Session-Id = accounting-session-1-id,User-Name = jcc'
rlm_acct_unique: Acct-Unique-Session-ID = 7910d35136b9eb7a.
rlm_realm: No '@' in User-Name = jcc, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Proxying request from user jcc to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy accounting request to realm NULL
modcall: group preacct returns noop for request 4
  Processing the accounting section of radiusd.conf
modcall:  entering group accounting for request 4
radius_xlat:  '/usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114
radius_xlat:  'Tue Nov 14 12:15:11 2006'
rlm_detail: Freeradius-Proxied-To set to 152.23.129.213
radius_xlat:  '/usr/local/var/log/radius/radutmp'
radius_xlat:  'jcc'
modcall: group accounting returns ok for request 4
Sending Accounting-Request of id 227 to 152.23.129.213 port 1815
User-Name = jcc
NAS-Port = 5060
Sip-Src-IP = 152.2.199.26
Acct-Status-Type = Start
Sip-Transport-Proto = TLS
Acct-Session-Id = accounting-session-1-id
NAS-IP-Address = 152.2.199.26
Proxy-State = 0x313535
--- Walking the entire request list ---
Cleaning up request 4 ID 155 with timestamp 4559f99f
Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Response packet from host 152.23.129.213 port 1815, id=227, length=25
No outstanding request was found for proxy reply from home server 152.23.129.213 port 1815 - ID 227
Nothing to do.  Sleeping until we see a request.

[EMAIL PROTECTED]:/usr/local/etc/raddb# radiusd -v
radiusd: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Sep  6 2006 at 16:44:16


Thanks.

-jc
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxy questions

2006-11-14 Thread Justin Church

Alan DeKok wrote:

Justin Church [EMAIL PROTECTED] wrote:
I need to be able to proxy accounting requests that arrive with no 
User-Name attribute.  Is that possible?  I haven't been able to make it 
work.  Maybe I could insert a dummy User-Name pre-proxy and remove it 
post-proxy?


 No.  Just set Proxy-To-Realm = realm.


Not exactly sure where to set this.  I've tried acct_users with no luck:

rad_recv: Accounting-Request packet from host 152.2.199.26 port 32833, id=10, length=81
NAS-Port = 5060
Sip-Src-IP = 152.2.199.26
Acct-Status-Type = Start
Sip-Transport-Proto = TLS
Acct-Session-Id = accounting-session-1-id
  Processing the preacct section of radiusd.conf
modcall:  entering group preacct for request 0
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 5060,,NAS-IP-Address = 152.2.199.26,Acct-Session-Id = accounting-session-1-id,'
rlm_acct_unique: Acct-Unique-Session-ID = 2c2e557e174a1b62.
--rlm_realm: Proxy reply, or no User-Name.  Ignoring.
modcall: group preacct returns noop for request 0
  Processing the accounting section of radiusd.conf
modcall:  entering group accounting for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114
radius_xlat:  'Tue Nov 14 14:30:25 2006'
radius_xlat:  '/usr/local/var/log/radius/radutmp'
radius_xlat:  ''
modcall: group accounting returns ok for request 0
Sending Accounting-Response of id 10 to 152.2.199.26 port 32833
Finished request 0
Going to the next request
--- Walking the entire request list ---
Cleaning up request 0 ID 10 with timestamp 455a1951
Nothing to do.  Sleeping until we see a request.


proxy.conf

realm NULL {
  type      = radius
  accthost  = 152.23.129.213:1815
  secret    = removed
  nostrip
}

acct_users

DEFAULT Proxy-To-Realm = NULL

Thanks.

-jc



Also, I notice that when running in -X mode, the accounting-response is 
not relayed to the original client.  Works fine when not in -X mode. 


  Weird.

  Hmm... it may be cleaning up the request too aggressively.  I'll
take a look at  it.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: proxy questions

2006-11-14 Thread Justin Church

Nevermind.  I was using the wrong operator.  Needed:

DEFAULT Proxy-To-Realm := NULL

Thanks.

-jc



Re: rlm_perl and accounting

2006-09-25 Thread Justin Church
I've been playing with freeradius version that contains the patch 
discussed in this thread, and I'm not receiving any Account-Response 
packets from the server, even though the request seems to be logged 
correctly.  Here's my radiusd -X for my test packet:




[EMAIL PROTECTED]:/usr/local/share/freeradius$ sudo radiusd -X
Config:   including file: /usr/local/etc/raddb/radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
Config:   including file: /usr/local/etc/raddb/sql/mysql-dialup.conf
FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Sep  6 2006 at 16:44:16
Starting - reading configuration files ...
read_config_files:  reading dictionary
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: checkrad = /usr/local/sbin/checkrad
 main: debug_level = 0
 main: proxy_requests = yes
 log: syslog_facility = daemon
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
read_config_files:  reading realms
 main: port = 1812
 listen: type = auth
 listen: ipaddr = *
 listen: port = 0
 listen: type = acct
 listen: ipaddr = *
 listen: port = 0
 client: secret = testing123
 client: shortname = localhost
 client: nastype = other
 client: secret = testing123
 client: shortname = localhost
 client: secret = testing123
 client: shortname = jcc-pc
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: input_pairs = request
 exec: shell_escape = yes
rlm_exec: wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded expiration
 expiration: reply-message = Password Has Expired  
Module: Instantiated expiration (expiration)
Module: Loaded logintime
 logintime: reply-message = You are calling outside your allowed timespan
 logintime: minimum-timeout = 60
Module: Instantiated logintime (logintime)
Module: Loaded PAP
 pap: encryption_scheme = auto
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded perl
 perl: module = /usr/local/etc/raddb/ami_handler.pl
 perl: func_authorize = authorize
 perl: func_authenticate = authenticate
 perl: func_accounting = accounting
 perl: func_preacct = preacct
 perl: func_checksimul = checksimul
 perl: 

Re: rlm_perl and accounting

2006-09-25 Thread Justin Church
The server created an entry in my detail file.  Is that not considered 
logging?  If not, where should I look to see why the server isn't logging?




rad_recv: Accounting-Request packet from host 152.2.199.26 port 32839, id=139, length=80
User-Name = jcc
NAS-Port = 5060
Sip-Src-IP = 152.2.199.26
Sip-Transport-Proto = TLS
Acct-Session-Id = accounting-session-1-id
  Processing the preacct section of radiusd.conf
modcall:  entering group preacct for request 3
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 5060,,NAS-IP-Address = 152.2.199.26,Acct-Session-Id = accounting-session-1-id,User-Name = jcc'
rlm_acct_unique: Acct-Unique-Session-ID = 7910d35136b9eb7a.
rlm_realm: No '@' in User-Name = jcc, looking up realm NULL
rlm_realm: No such realm NULL
modcall: group preacct returns noop for request 3
  Processing the accounting section of radiusd.conf
modcall:  entering group accounting for request 3
radius_xlat:  '/usr/local/var/log/radius/radacct/152.2.199.26/detail-20060925'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/152.2.199.26/detail-20060925
radius_xlat:  'Mon Sep 25 18:15:08 2006'
radius_xlat:  '/usr/local/var/log/radius/radacct/radrelay-detail'
rlm_detail: /usr/local/var/log/radius/radacct/radrelay-detail expands to /usr/local/var/log/radius/radacct/radrelay-detail
rlm_detail: Acquired filelock, tried 1 time(s)
radius_xlat:  'Mon Sep 25 18:15:08 2006'
rlm_detail: Released filelock
rlm_unix: no Accounting-Status-Type attribute in request.
rlm_radutmp: No Accounting-Status-Type record.
modcall: group accounting returns noop for request 3
Finished request 3
Going to the next request
--- Walking the entire request list ---
Cleaning up request 3 ID 139 with timestamp 451854ec
Nothing to do.  Sleeping until we see a request.


radrelay-detail:

Mon Sep 25 18:15:08 2006
User-Name = jcc
NAS-Port = 5060
Sip-Src-IP = 152.2.199.26
Sip-Transport-Proto = TLS
Acct-Session-Id = accounting-session-1-id
NAS-IP-Address = 152.2.199.26
Acct-Unique-Session-Id = 7910d35136b9eb7a
Timestamp = 1159222508


Thanks.

-jc


Alan DeKok wrote:

Justin Church [EMAIL PROTECTED] wrote:
Anything in this debug indicate why the server doesn't send 
Accounting-Response?


  The server didn't log the accounting information anywhere, therefore
it's not safe to tell the NAS that the accounting information was
stored on the server.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rlm_perl and accounting

2006-09-25 Thread Justin Church

Nevermind.  I turned off -X and found this in radius.log:

Mon Sep 25 18:19:23 2006 : Error: rlm_unix: no Accounting-Status-Type attribute in request.


It shows up in stdout with -X also, but not as an Error, so I overlooked it.

Added Accounting-Status-Type to packet, and server is now responding.

Thanks.

-jc

Alan DeKok wrote:

Justin Church [EMAIL PROTECTED] wrote:
Anything in this debug indicate why the server doesn't send 
Accounting-Response?


  The server didn't log the accounting information anywhere, therefore
it's not safe to tell the NAS that the accounting information was
stored on the server.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
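
The two symptoms in these threads (an Accounting-Request that never gets an Accounting-Response, and a home-server reply logged as "No outstanding request was found") can be pulled out of debug output mechanically. The Python below is an added example, not part of the original posts or of FreeRADIUS; it assumes unwrapped radiusd -X lines, and its sample text is constructed from lines quoted in these threads.

```python
import re

RECV = re.compile(r"rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
SEND = re.compile(r"Sending (\S+) of id (\d+) to (\S+) port (\d+)")
ORPHAN = re.compile(r"No outstanding request was found for proxy reply "
                    r"from home server (\S+) port (\d+) - ID (\d+)")
# Module messages from these threads worth showing next to an unanswered request.
HINTS = ("no Accounting-Status-Type attribute in request",
         "Proxy reply, or no User-Name",
         "No such realm")

# Constructed sample: lines taken from the traces in these threads, unwrapped.
SAMPLE = """\
rad_recv: Accounting-Request packet from host 152.2.199.26 port 32839, id=139, length=80
rlm_realm: No such realm NULL
rlm_unix: no Accounting-Status-Type attribute in request.
modcall: group accounting returns noop for request 3
Finished request 3
rad_recv: Accounting-Request packet from host 152.2.199.26 port 32833, id=10, length=81
--rlm_realm: Proxy reply, or no User-Name.  Ignoring.
Sending Accounting-Response of id 10 to 152.2.199.26 port 32833
rad_recv: Accounting-Request packet from host 152.2.199.26 port 32823, id=155, length=86
Sending Accounting-Request of id 227 to 152.23.129.213 port 1815
Cleaning up request 4 ID 155 with timestamp 4559f99f
rad_recv: Accounting-Response packet from host 152.23.129.213 port 1815, id=227, length=25
No outstanding request was found for proxy reply from home server 152.23.129.213 port 1815 - ID 227
"""


def triage(debug_text):
    """Report unanswered Accounting-Requests and orphaned proxy replies."""
    findings = []
    pending = {}     # (client, port, id) -> hint messages logged for that request
    current = None   # key of the request whose module output is being read
    for line in debug_text.splitlines():
        if m := RECV.search(line):
            kind, host, port, ident = m.groups()
            current = (host, port, ident) if kind == "Accounting-Request" else None
            if current:
                pending[current] = []
        elif m := SEND.search(line):
            kind, ident, host, port = m.groups()
            if kind == "Accounting-Response":   # the client was answered
                pending.pop((host, port, ident), None)
        elif m := ORPHAN.search(line):
            host, port, ident = m.groups()
            findings.append({"type": "orphaned-proxy-reply",
                             "home_server": f"{host}:{port}", "proxy_id": ident})
        elif current in pending:
            pending[current] += [h for h in HINTS if h in line]
    for (host, port, ident), hints in pending.items():
        findings.append({"type": "no-response", "client": f"{host}:{port}",
                         "id": ident, "hints": hints})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```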


Re: rlm_perl and accounting -- radrelay?

2006-09-11 Thread Justin Church
Was there any final word on the direction of this and when it might be 
available?


Thanks.

-jc

Peter Nixon wrote:

On Thu 07 Sep 2006 15:07, Alan DeKok wrote:

Kostas Kalevras [EMAIL PROTECTED] wrote:

Just a side note on the clone packets issue: I've come across it in
another situation. We act as a proxy for various ISPs and we need to
have a way to replicate accounting-on/off packets (which obviously
don't carry a [EMAIL PROTECTED] attribute) to all ISPs. But currently
this is not possible since we have a server logic of one request, one
thread. Being able to use multiple Proxy-To-Realm attributes would
be great.

  I think the easiest way to do this is to write a special-purpose 1-N
proxying server.  It's special purpose enough that I'm not sure that
work belongs in the server core.  i.e. Doing N proxies means what,
exactly for pre/post-proxy sections?  Do we add a queue of proxied
packets to the REQUEST?

  The 1-N proxying server can look for special proxy to X attributes
in the packet, strip them out, and proxy the packet to N different
places.  It can even read proxy.conf, so there's one source for
configuration files.  With a little more work, it can also read the
detail files, and be radrelay, too.


Being able to selectively replicate an accounting packet N times may not be a 
standard configuration (although certainly useful) but proxying 
accounting-on/off packets to some/all downstream servers is something that 
almost _everyone_ proxying accounting will want to do. This probably warrants 
a new config option in proxy.conf (acctonoff-shotgun=yes/no)


In particular any downstream servers running ippools need this information... 
Not to mention people who charge by the minute for a particular service..


Cheers







Re: rlm_perl and accounting -- radrelay?

2006-09-06 Thread Justin Church
Thanks for the great work, Alan.  I've built the latest CVS head and am 
able to manipulate the attributes in %RAD_REQUEST with rlm_perl. 
However, I notice that radrelay has been deprecated and the 
functionality moved into radiusd.  How am I to run simultaneous 
instances of radiusd on the same host - 1 to listen to type 'acct' and 1 
to listen to type 'detail'?  I apologize if I'm missing something simple.


Also, when I try to run 'radiusd -n radrelay', I get an Abort with the 
following radius.log entries:


Wed Sep  6 11:31:19 2006 : Info: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Sep  6 2006 at 10:15:27
Wed Sep  6 11:31:19 2006 : Info: Starting - reading configuration files ...
Wed Sep  6 11:31:19 2006 : Error: Assertion failed in listen.c, line 1996

[EMAIL PROTECTED]:/usr/local/var/log/radius# radiusd -v
radiusd: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Sep  6 2006 at 10:15:27


Thanks.

-jc




Alan DeKok wrote:

Justin Church [EMAIL PROTECTED] wrote:

Is this in the CVS head, yet?


  Yes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rlm_perl and accounting -- radrelay?

2006-09-06 Thread Justin Church
OK.  The patch worked, since I can now run radiusd -n radrelay w/o the 
Abort, but I still am not seeing a way to replicate to multiple 
accounting servers with radiusd -n radrelay.  I need to take accounting 
requests that arrive at main-radius in radrelay-detail and replicate 
them to remote-radius1, remote-radius2, remote-radius3 in 
parallel.  It appears as if my only two options in radrelay.conf are to 
store accounting data in sql or proxy to other servers.  Proxy is closer 
to what I want, but from looking at proxy.conf, it seems I can only 
proxy each accounting request received to a single remote-radius server 
either in failover or round-robin mode.  With the old radrelay, I 
believe I could have just run #radrelay -r remote-radius1 
radrelay-detail; radrelay -r remote-radius2 radrelay-detail; radrelay -r 
remote-radius3 radrelay-detail.  Am I missing something, and is this 
still possible with radiusd -n radrelay?


Thanks.

-jc

Alan DeKok wrote:

Justin Church [EMAIL PROTECTED] wrote:
However, I notice that radrelay has been deprecated and the 
functionality moved into radiusd.  How am I to run simultaneous 
instances of radiusd on the same host - 1 to listen to type 'acct' and 1 
to listen to type 'detail'?  I apologize if I'm missing something simple.


  Yes.  See raddb/radrelay.conf

Wed Sep  6 11:31:19 2006 : Info: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Sep  6 2006 at 10:15:27
Wed Sep  6 11:31:19 2006 : Info: Starting - reading configuration files ...
Wed Sep  6 11:31:19 2006 : Error: Assertion failed in listen.c, line 1996


  That's a bug.  I've just committed a fix.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
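
What the 1-N replication discussed in these posts (radrelay-detail to remote-radius1, remote-radius2, remote-radius3) has to do on the wire, as an added Python example that is not code from the posts or from FreeRADIUS: each detail record is signed separately with each home server's shared secret, because the Accounting-Request authenticator is an MD5 over the packet plus that secret, so a copy signed for one server fails the check at another. The shared secrets, the Acct-Status-Type value and the Accounting-On record are constructed; only standard RFC 2865/2866 attributes are encoded, so the Sip-* and server-internal attributes are left out.

```python
import hashlib
import hmac
import socket
import struct

# Standard attribute numbers and types (RFC 2865 / RFC 2866).
DICTIONARY = {"User-Name": (1, "string"), "NAS-IP-Address": (4, "ipaddr"),
              "NAS-Port": (5, "integer"), "Acct-Status-Type": (40, "integer"),
              "Acct-Session-Id": (44, "string")}
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3,
               "Accounting-On": 7, "Accounting-Off": 8}

# Constructed sample in the layout of the radrelay-detail record quoted earlier;
# the second record (Accounting-On) carries no User-Name.
SAMPLE_DETAIL = """\
Mon Sep 25 18:15:08 2006
User-Name = jcc
NAS-Port = 5060
Acct-Status-Type = Start
Acct-Session-Id = accounting-session-1-id
NAS-IP-Address = 152.2.199.26
Acct-Unique-Session-Id = 7910d35136b9eb7a
Timestamp = 1159222508

Mon Sep 25 18:20:00 2006
NAS-IP-Address = 152.2.199.26
Acct-Status-Type = Accounting-On
Acct-Session-Id = 00000000
"""

def parse_detail(text):
    """Split detail-file text into records (attribute name -> value)."""
    records, current = [], None
    for line in text.splitlines() + [""]:
        line = line.strip()
        if not line:                          # a blank line ends the record
            if current:
                records.append(current)
            current = None
        elif " = " in line and current is not None:
            name, value = line.split(" = ", 1)
            current[name] = value.strip('"')
        else:                                 # timestamp header starts a record
            current = {}
    return records

def encode_attributes(record):
    """Encode dictionary attributes as TLVs; return (bytes, names left out)."""
    out, skipped = b"", []
    for name, value in record.items():
        if name not in DICTIONARY:            # server-internal or site-specific
            skipped.append(name)
            continue
        number, kind = DICTIONARY[name]
        if kind == "ipaddr":
            data = socket.inet_aton(value)
        elif kind == "integer":               # named status value, else a number
            data = struct.pack("!I", ACCT_STATUS.get(value) or int(value))
        else:
            data = value.encode()
        out += struct.pack("!BB", number, len(data) + 2) + data
    return out, skipped

def build_request(ident, attrs, secret):
    """Accounting-Request (code 4). Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + secret)."""
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def request_is_valid(packet, secret):
    """The check a home server applies before it accepts the packet."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_response(request, secret):
    """Accounting-Response (code 5), bound to the request's authenticator."""
    header = struct.pack("!BBH", 5, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def response_is_valid(response, request, secret):
    """The check the replicator applies before treating a copy as stored."""
    digest = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return (response[:2] == bytes([5, request[1]])
            and hmac.compare_digest(digest, response[4:20]))

def replicate(record, home_servers, ident):
    """Build one separately signed copy of the record per home server."""
    attrs, skipped = encode_attributes(record)
    copies = {name: build_request(ident, attrs, secret)
              for name, secret in home_servers.items()}
    return copies, skipped

if __name__ == "__main__":
    # Server names follow the post; the shared secrets are constructed.
    servers = {"remote-radius1": b"secret-one", "remote-radius2": b"secret-two"}
    for ident, record in enumerate(parse_detail(SAMPLE_DETAIL), start=1):
        for name, packet in replicate(record, servers, ident)[0].items():
            print(name, len(packet), request_is_valid(packet, servers[name]))
```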


Re: rlm_perl and accounting

2006-08-23 Thread Justin Church

When might this be available?

Alan DeKok wrote:
I see the patch you're referring to, but after rethinking my question, I 
think what I'm really trying to do is rewrite $RAD_REQUEST, not 
$RAD_REPLY, and it does not appear that I can alter $RAD_REQUEST in any 
way - either change or add.


  Hmm... looking into it in a little more detail, I think it would be
even easier to do it another way.  The code in CVS head has been
updated to allow for :=, to over-write existing attributes.  But I
think it might be even easier to simply use the hashes as-is, and
replace the existing attribute lists.

  i.e. put the attributes into perl hashes, and then make those perl
hashes definitive for the new values of the attributes.  This would
involve throwing away the previous attributes entirely.  So you would
have to be *very* careful about modifying the hashes, but you would
have complete flexibility.

  Comments?  I don't think this will go into 1.1.3, though...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


rlm_perl and accounting

2006-08-22 Thread Justin Church
I'm running freeradius v. 1.1.0 and am trying to use rlm_perl to rewrite 
accounting attributes before they are written to log with detail and 
then replicated with radrelay.  Here is the version of example.pl that 
I'm using (I've only added a single statement to the preacct function):


use strict;
# use ...
# This is very important! Without this the script will not get the filled
# hashes from main.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
#use Data::Dumper;

# This is the hash which holds the original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to the NAS.
#my %RAD_REPLY;
# This is for check items
#my %RAD_CHECK;

#
# This is the remapping of return values
#
use constant RLM_MODULE_REJECT   => 0;  #  /* immediately reject the request */
use constant RLM_MODULE_FAIL     => 1;  #  /* module failed, don't reply */
use constant RLM_MODULE_OK       => 2;  #  /* the module is OK, continue */
use constant RLM_MODULE_HANDLED  => 3;  #  /* the module handled the request, so stop. */
use constant RLM_MODULE_INVALID  => 4;  #  /* the module considers the request invalid. */
use constant RLM_MODULE_USERLOCK => 5;  #  /* reject the request (user is locked out) */
use constant RLM_MODULE_NOTFOUND => 6;  #  /* user not found */
use constant RLM_MODULE_NOOP     => 7;  #  /* module succeeded without doing anything */
use constant RLM_MODULE_UPDATED  => 8;  #  /* OK (pairs modified) */
use constant RLM_MODULE_NUMCODES => 9;  #  /* How many return codes there are */

# Function to handle authorize
sub authorize {
    # For debugging purposes only
#   &log_request_attributes;

    # Here's where your authorization code comes
    # You can call another function from here:
    &test_call;

    return RLM_MODULE_OK;
}

# Function to handle authenticate
sub authenticate {
    # For debugging purposes only
#   &log_request_attributes;

    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    } else {
        # Accept user and set some attribute
        $RAD_REPLY{'h323-credit-amount'} = "100";
        return RLM_MODULE_OK;
    }
}

# Function to handle preacct
sub preacct {
    # For debugging purposes only
#   &log_request_attributes;
    $RAD_REPLY{'Acct-Session-Id'} = "new-session-value";
    return RLM_MODULE_OK;
}

# Function to handle accounting
sub accounting {
    # For debugging purposes only
#   &log_request_attributes;

    # You can call another subroutine from here
#   &test_call;
    return RLM_MODULE_OK;
}

# Function to handle checksimul
sub checksimul {
    # For debugging purposes only
#   &log_request_attributes;

    return RLM_MODULE_OK;
}

# Function to handle pre_proxy
sub pre_proxy {
    # For debugging purposes only
#   &log_request_attributes;

    return RLM_MODULE_OK;
}

# Function to handle post_proxy
sub post_proxy {
    # For debugging purposes only
#   &log_request_attributes;

    return RLM_MODULE_OK;
}

# Function to handle post_auth
sub post_auth {
    # For debugging purposes only
#   &log_request_attributes;

    return RLM_MODULE_OK;
}

# Function to handle xlat
sub xlat {
    # For debugging purposes only
#   &log_request_attributes;

    # Loads some external perl and evaluates it
    my ($filename,$a,$b,$c,$d) = @_;
    &radiusd::radlog(1, "From xlat $filename ");
    &radiusd::radlog(1, "From xlat $a $b $c $d ");
    local *FH;
    open FH, $filename or die "open '$filename' $!";
    local($/) = undef;
    my $sub = <FH>;
    close FH;
    my $eval = qq{ sub handler{ $sub;} };
    eval $eval;
    eval {main->handler;};
}

# Function to handle detach
sub detach {
    # For debugging purposes only
#   &log_request_attributes;

    # Do some logging.
    &radiusd::radlog(0, "rlm_perl::Detaching. Reloading. Done.");
}

#
# Some functions that can be called from other functions
#

sub test_call {
    # Some code goes here
}

sub log_request_attributes {
    # This shouldn't be done in production environments!
    # This is only meant for debugging!
    for (keys %RAD_REQUEST) {
        &radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
    }
}

Here's the output of freeradius -X:

[EMAIL PROTECTED]:/etc/freeradius# freeradius -X
...
Module: Loaded perl
 perl: module = /home/jcc/scripts/example.pl
 perl: func_authorize = authorize
 perl: func_authenticate = authenticate
 perl: func_accounting = accounting
 perl: func_preacct = preacct
 perl: func_checksimul = checksimul
 perl: func_detach = detach
 perl: func_xlat = xlat
 perl: func_pre_proxy = pre_proxy
 perl: func_post_proxy 

Re: rlm_perl and accounting

2006-08-22 Thread Justin Church
I see the patch you're referring to, but after rethinking my question, I 
think what I'm really trying to do is rewrite $RAD_REQUEST, not 
$RAD_REPLY, and it does not appear that I can alter $RAD_REQUEST in any 
way - either change or add.  If I understand correctly, $RAD_REPLY is 
the hash of attributes that the server will send back to the NAS, and 
$RAD_REQUEST is the hash of attributes that is actually written when the 
detail module is called.  My goal is to inspect the received attributes 
using rlm_perl in the preacct{} phase before they are written to log in 
the accounting{} phase and possibly remove/rewrite/add attributes before 
they are logged.  Is this possible with rlm_perl?


Also, I've observed that the freeradius will not start when my 
example.pl script contains use Data::Dumper;  It looks as if others have 
had this problem when their perl was not compiled with ITHREADS support, 
but my perl does have ITHREADS support, and neither perl -c 
-MData::Dumper nor perl example.pl returns an error.


[EMAIL PROTECTED]:~/scripts$ perl -v
This is perl, v5.8.7 built for i486-linux-gnu-thread-multi

[EMAIL PROTECTED]:~/scripts$ perl -V | grep ITHREADS
  Compile-time options: MULTIPLICITY USE_ITHREADS USE_LARGE_FILES


Thanks.

-jc





Alex French wrote:
Yes, this is due to the way rlm_perl works by default (new pairs can be 
added but existing ones not changed). Look back a week or so in the 
mailing list archives to the problem I was having. There is a patch on 
the list that will allegedly make it into HEAD. The patch works nicely 
for me.


Alex


On 22/08/06, *Justin Church* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
wrote:

I'm running freeradius v. 1.1.0 and am trying to use rlm_perl to rewrite
accounting attributes before they are written to log with detail and
then replicated with radrelay.  Here is the version of example.pl that
I'm using (I've only added a single statement to the preacct function):







Re: rlm_perl and accounting

2006-08-22 Thread Justin Church

Alan DeKok wrote:
I see the patch you're referring to, but after rethinking my question, I 
think what I'm really trying to do is rewrite $RAD_REQUEST, not 
$RAD_REPLY, and it does not appear that I can alter $RAD_REQUEST in any 
way - either change or add.


  Hmm... looking into it in a little more detail, I think it would be
even easier to do it another way.  The code in CVS head has been
updated to allow for :=, to over-write existing attributes.  But I
think it might be even easier to simply use the hashes as-is, and
replace the existing attribute lists.

  i.e. put the attributes into perl hashes, and then make those perl
hashes definitive for the new values of the attributes.  This would
involve throwing away the previous attributes entirely.  So you would
have to be *very* careful about modifying the hashes, but you would
have complete flexibility.

  Comments?  I don't think this will go into 1.1.3, though...


That's exactly what I'm looking for.



  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


how to rewrite and replicate accounting?

2006-08-21 Thread Justin Church
I want to take all accounting packets received and either rewrite 
received attributes or append new attributes using a custom dictionary 
and then replicate the rewritten packets to multiple radius servers. 
Freeradius documentation seems to indicate this should be doable, but I 
can't seem to find any specific examples.  Looks like I need some 
combination of the rlm_attr_rewrite, rlm_preprocess, and rlm_proxy 
modules?  Is this correct?  Thanks in advance.


-jc