proxy questions
I need to be able to proxy accounting requests that arrive with no User-Name attribute. Is that possible? I haven't been able to make it work. Maybe I could insert a dummy User-Name pre-proxy and remove it post-proxy?

Also, I notice that when running in -X mode, the accounting-response is not relayed to the original client. Works fine when not in -X mode. Here's a debug of a scenario where an accounting-request was proxied correctly; yet, the accounting-response is not relayed to the client by the proxy server:

rad_recv: Accounting-Request packet from host 152.2.199.26 port 32823, id=155, length=86
        User-Name = jcc
        NAS-Port = 5060
        Sip-Src-IP = 152.2.199.26
        Acct-Status-Type = Start
        Sip-Transport-Proto = TLS
        Acct-Session-Id = accounting-session-1-id
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 4
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 5060,,NAS-IP-Address = 152.2.199.26,Acct-Session-Id = accounting-session-1-id,User-Name = jcc'
rlm_acct_unique: Acct-Unique-Session-ID = 7910d35136b9eb7a.
rlm_realm: No '@' in User-Name = jcc, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Proxying request from user jcc to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy accounting request to realm NULL
modcall: group preacct returns noop for request 4
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 4
radius_xlat: '/usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114
radius_xlat: 'Tue Nov 14 12:15:11 2006'
rlm_detail: Freeradius-Proxied-To set to 152.23.129.213
radius_xlat: '/usr/local/var/log/radius/radutmp'
radius_xlat: 'jcc'
modcall: group accounting returns ok for request 4
Sending Accounting-Request of id 227 to 152.23.129.213 port 1815
        User-Name = jcc
        NAS-Port = 5060
        Sip-Src-IP = 152.2.199.26
        Acct-Status-Type = Start
        Sip-Transport-Proto = TLS
        Acct-Session-Id = accounting-session-1-id
        NAS-IP-Address = 152.2.199.26
        Proxy-State = 0x313535
--- Walking the entire request list ---
Cleaning up request 4 ID 155 with timestamp 4559f99f
Nothing to do. Sleeping until we see a request.
rad_recv: Accounting-Response packet from host 152.23.129.213 port 1815, id=227, length=25
No outstanding request was found for proxy reply from home server 152.23.129.213 port 1815 - ID 227
Nothing to do. Sleeping until we see a request.

[EMAIL PROTECTED]:/usr/local/etc/raddb# radiusd -v
radiusd: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Sep 6 2006 at 16:44:16

Thanks.
-jc

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: proxy questions
Alan DeKok wrote:
> Justin Church [EMAIL PROTECTED] wrote:
>> I need to be able to proxy accounting requests that arrive with no User-Name attribute. Is that possible? I haven't been able to make it work. Maybe I could insert a dummy User-Name pre-proxy and remove it post-proxy?
>
> No. Just set Proxy-To-Realm = realm.

Not exactly sure where to set this. I've tried acct_users with no luck:

rad_recv: Accounting-Request packet from host 152.2.199.26 port 32833, id=10, length=81
        NAS-Port = 5060
        Sip-Src-IP = 152.2.199.26
        Acct-Status-Type = Start
        Sip-Transport-Proto = TLS
        Acct-Session-Id = accounting-session-1-id
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 5060,,NAS-IP-Address = 152.2.199.26,Acct-Session-Id = accounting-session-1-id,'
rlm_acct_unique: Acct-Unique-Session-ID = 2c2e557e174a1b62.
--rlm_realm: Proxy reply, or no User-Name. Ignoring.
modcall: group preacct returns noop for request 0
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/152.2.199.26/detail-20061114
radius_xlat: 'Tue Nov 14 14:30:25 2006'
radius_xlat: '/usr/local/var/log/radius/radutmp'
radius_xlat: ''
modcall: group accounting returns ok for request 0
Sending Accounting-Response of id 10 to 152.2.199.26 port 32833
Finished request 0
Going to the next request
--- Walking the entire request list ---
Cleaning up request 0 ID 10 with timestamp 455a1951
Nothing to do. Sleeping until we see a request.

proxy.conf

    realm NULL {
            type = radius
            accthost = 152.23.129.213:1815
            secret = removed
            nostrip
    }

acct_users

    DEFAULT Proxy-To-Realm = NULL

Thanks.
-jc

>> Also, I notice that when running in -X mode, the accounting-response is not relayed to the original client. Works fine when not in -X mode.
>
> Weird. Hmm... it may be cleaning up the request too aggressively. I'll take a look at it.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: proxy questions
Nevermind. I was using the wrong operator. Needed:

    DEFAULT Proxy-To-Realm := NULL

Thanks.
-jc
Re: rlm_perl and accounting
I've been playing with freeradius version that contains the patch discussed in this thread, and I'm not receiving any Account-Response packets from the server, even though the request seems to be logged correctly. Here's my radiusd -X for my test packet:

[EMAIL PROTECTED]:/usr/local/share/freeradius$ sudo radiusd -X
Config: including file: /usr/local/etc/raddb/radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
Config: including file: /usr/local/etc/raddb/sql/mysql-dialup.conf
FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Sep 6 2006 at 16:44:16
Starting - reading configuration files ...
read_config_files: reading dictionary
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: checkrad = /usr/local/sbin/checkrad
 main: debug_level = 0
 main: proxy_requests = yes
 log: syslog_facility = daemon
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
read_config_files: reading realms
 main: port = 1812
 listen: type = auth
 listen: ipaddr = *
 listen: port = 0
 listen: type = acct
 listen: ipaddr = *
 listen: port = 0
 client: secret = testing123
 client: shortname = localhost
 client: nastype = other
 client: secret = testing123
 client: shortname = localhost
 client: secret = testing123
 client: shortname = jcc-pc
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: input_pairs = request
 exec: shell_escape = yes
rlm_exec: wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded expiration
 expiration: reply-message = Password Has Expired
Module: Instantiated expiration (expiration)
Module: Loaded logintime
 logintime: reply-message = You are calling outside your allowed timespan
 logintime: minimum-timeout = 60
Module: Instantiated logintime (logintime)
Module: Loaded PAP
 pap: encryption_scheme = auto
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded perl
 perl: module = /usr/local/etc/raddb/ami_handler.pl
 perl: func_authorize = authorize
 perl: func_authenticate = authenticate
 perl: func_accounting = accounting
 perl: func_preacct = preacct
 perl: func_checksimul = checksimul
 perl:
Re: rlm_perl and accounting
The server created an entry in my detail file. Is that not considered logging? If not, where should I look to see why the server isn't logging?

rad_recv: Accounting-Request packet from host 152.2.199.26 port 32839, id=139, length=80
        User-Name = jcc
        NAS-Port = 5060
        Sip-Src-IP = 152.2.199.26
        Sip-Transport-Proto = TLS
        Acct-Session-Id = accounting-session-1-id
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 3
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 5060,,NAS-IP-Address = 152.2.199.26,Acct-Session-Id = accounting-session-1-id,User-Name = jcc'
rlm_acct_unique: Acct-Unique-Session-ID = 7910d35136b9eb7a.
rlm_realm: No '@' in User-Name = jcc, looking up realm NULL
rlm_realm: No such realm NULL
modcall: group preacct returns noop for request 3
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 3
radius_xlat: '/usr/local/var/log/radius/radacct/152.2.199.26/detail-20060925'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/152.2.199.26/detail-20060925
radius_xlat: 'Mon Sep 25 18:15:08 2006'
radius_xlat: '/usr/local/var/log/radius/radacct/radrelay-detail'
rlm_detail: /usr/local/var/log/radius/radacct/radrelay-detail expands to /usr/local/var/log/radius/radacct/radrelay-detail
rlm_detail: Acquired filelock, tried 1 time(s)
radius_xlat: 'Mon Sep 25 18:15:08 2006'
rlm_detail: Released filelock
rlm_unix: no Accounting-Status-Type attribute in request.
rlm_radutmp: No Accounting-Status-Type record.
modcall: group accounting returns noop for request 3
Finished request 3
Going to the next request
--- Walking the entire request list ---
Cleaning up request 3 ID 139 with timestamp 451854ec
Nothing to do. Sleeping until we see a request.

radrelay-detail:

Mon Sep 25 18:15:08 2006
        User-Name = jcc
        NAS-Port = 5060
        Sip-Src-IP = 152.2.199.26
        Sip-Transport-Proto = TLS
        Acct-Session-Id = accounting-session-1-id
        NAS-IP-Address = 152.2.199.26
        Acct-Unique-Session-Id = 7910d35136b9eb7a
        Timestamp = 1159222508

Thanks.
-jc

Alan DeKok wrote:
> Justin Church [EMAIL PROTECTED] wrote:
>> Anything in this debug indicate why the server doesn't send Accounting-Response?
>
> The server didn't log the accounting information anywhere, therefore it's not safe to tell the NAS that the accounting information was stored on the server.
>
> Alan DeKok.
Re: rlm_perl and accounting
Nevermind. I turned off -X and found this in radius.log:

Mon Sep 25 18:19:23 2006 : Error: rlm_unix: no Accounting-Status-Type attribute in request.

It shows up in stdout with -X also, but not as an Error, so I overlooked it. Added Accounting-Status-Type to packet, and server is now responding.

Thanks.
-jc

Alan DeKok wrote:
> Justin Church [EMAIL PROTECTED] wrote:
>> Anything in this debug indicate why the server doesn't send Accounting-Response?
>
> The server didn't log the accounting information anywhere, therefore it's not safe to tell the NAS that the accounting information was stored on the server.
>
> Alan DeKok.
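The two failures reported in this thread (a record with no Acct-Status-Type is written to the detail file but never acknowledged, and a request with no User-Name is ignored by rlm_realm) can be found after the fact by auditing detail records. This is an added example in Python, not code from the thread or from FreeRADIUS; the record layout follows the radrelay-detail excerpt quoted above, and the function names and sample records are constructed.

```python
import re

# Record header as it appears in the detail excerpt, e.g. "Mon Sep 25 18:15:08 2006"
HEADER_RE = re.compile(
    r"^[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}$"
)
# Indented "Name = value" attribute line; the value may be double-quoted
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9][A-Za-z0-9-]*)\s*=\s*(.*)$")

# Attributes whose absence caused the two failures reported in this thread.
REQUIRED = {
    "Acct-Status-Type": "rlm_unix reports an error and no Accounting-Response is sent",
    "User-Name": "rlm_realm ignores the request, so no realm is chosen for proxying",
}


def parse_detail(text):
    """Split detail-file text into a list of (timestamp, {attr: [values]})."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if HEADER_RE.match(line):
            current = (line, {})
            records.append(current)
        elif not line:
            current = None  # a blank line ends the current record
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                name, value = m.group(1), m.group(2)
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]
                # Attributes may repeat, so keep every value in order
                current[1].setdefault(name, []).append(value)
        # attribute lines outside any record are dropped as malformed
    return records


def audit(records):
    """Return (index, timestamp, session id, missing attribute, reason) tuples."""
    findings = []
    for index, (stamp, attrs) in enumerate(records):
        session = attrs.get("Acct-Session-Id", ["?"])[0]
        for name, why in REQUIRED.items():
            if name not in attrs:
                findings.append((index, stamp, session, name, why))
    return findings


# Constructed sample: record 1 mirrors the excerpt above (no Acct-Status-Type),
# record 2 is complete, record 3 has no User-Name.
SAMPLE_DETAIL = "\n".join([
    'Mon Sep 25 18:15:08 2006',
    '\tUser-Name = "jcc"',
    '\tNAS-Port = 5060',
    '\tAcct-Session-Id = "accounting-session-1-id"',
    '\tNAS-IP-Address = 152.2.199.26',
    '\tTimestamp = 1159222508',
    '',
    'Mon Sep 25 18:19:40 2006',
    '\tUser-Name = "jcc"',
    '\tAcct-Status-Type = Start',
    '\tAcct-Session-Id = "constructed-session-2"',
    '\tNAS-IP-Address = 152.2.199.26',
    '',
    'Tue Nov 14 14:30:25 2006',
    '\tAcct-Status-Type = Start',
    '\tAcct-Session-Id = "constructed-session-3"',
    '\tNAS-IP-Address = 152.2.199.26',
    '',
])

if __name__ == "__main__":
    for index, stamp, session, name, why in audit(parse_detail(SAMPLE_DETAIL)):
        print(f"record {index} ({stamp}, session {session}): missing {name}: {why}")
```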
Re: rlm_perl and accounting -- radrelay?
Was there any final word on the direction of this and when it might be available?

Thanks.
-jc

Peter Nixon wrote:
> On Thu 07 Sep 2006 15:07, Alan DeKok wrote:
>> Kostas Kalevras [EMAIL PROTECTED] wrote:
>>> Just a side note on the clone packets issue I've come across it in another situation. We act as a proxy for various ISPs and we need to have a way to replicate accounting-on/off packets (which obviously don't carry a [EMAIL PROTECTED] attribute) to all ISPs. But currently this is not possible since we have a server logic of one request,one thread. Being able to use multiple Proxy-To-Realm attributes would be great.
>>
>> I think the easiest way to do this is to write a special-purpose 1-N proxying server. It's special purpose enough that I'm not sure that work belongs in the server core. i.e. Doing N proxies means what, exactly for pre/post-proxy sections? Do we add a queue of proxied packets to the REQUEST?
>>
>> The 1-N proxying server can look for special proxy to X attributes in the packet, strip them out, and proxy the packet to N different places. It can even read proxy.conf, so there's one source for configuration files. With a little more work, it can also read the detail files, and be radrelay, too.
>
> Being able to selectively replicate an accounting packet N times may not be a standard configuration (although certainly useful) but proxying accounting-on/off packets to some/all downstream servers is something that almost _everyone_ proxying accounting will want to do. This probably warrants a new config option in proxy.conf (acctonoff-shotgun=yes/no)
>
> In particular any downstream servers running ippools need this information... Not to mention people who charge by the minute for a particular service..
>
> Cheers
Re: rlm_perl and accounting -- radrelay?
Thanks for the great work, Alan. I've built the latest CVS head and am able to manipulate the attributes in %RAD_REQUEST with rlm_perl.

However, I notice that radrelay has been deprecated and the functionality moved into radiusd. How am I to run simultaneous instances of radiusd on the same host - 1 to listen to type 'acct' and 1 to listen to type 'detail'? I apologize if I'm missing something simple.

Also, when I try to run 'radiusd -n radrelay', I get an Abort with the following radius.log entries:

Wed Sep 6 11:31:19 2006 : Info: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Sep 6 2006 at 10:15:27
Wed Sep 6 11:31:19 2006 : Info: Starting - reading configuration files ...
Wed Sep 6 11:31:19 2006 : Error: Assertion failed in listen.c, line 1996

[EMAIL PROTECTED]:/usr/local/var/log/radius# radiusd -v
radiusd: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Sep 6 2006 at 10:15:27

Thanks.
-jc

Alan DeKok wrote:
> Justin Church [EMAIL PROTECTED] wrote:
>> Is this in the CVS head, yet?
>
> Yes.
>
> Alan DeKok.
Re: rlm_perl and accounting -- radrelay?
OK. The patch worked, since I can now run radiusd -n radrelay w/o the Abort, but I still am not seeing a way to replicate to multiple accounting servers with radiusd -n radrelay. I need to take accounting requests that arrive at main-radius in radrelay-detail and replicate them to remote-radius1, remote-radius2, remote-radius3 in parallel.

It appears as if my only two options in radrelay.conf are to store accounting data in sql or proxy to other servers. Proxy is closer to what I want, but from looking at proxy.conf, it seems I can only proxy each accounting request received to a single remote-radius server either in failover or round-robin mode.

With the old radrelay, I believe I could have just run #radrelay -r remote-radius1 radrelay-detail; radrelay -r remote-radius2 radrelay-detail; radrelay -r remote-radius3 radrelay-detail. Am I missing something, and is this still possible with radiusd -n radrelay?

Thanks.
-jc

Alan DeKok wrote:
> Justin Church [EMAIL PROTECTED] wrote:
>> However, I notice that radrelay has been deprecated and the functionality moved into radiusd. How am I to run simultaneous instances of radiusd on the same host - 1 to listen to type 'acct' and 1 to listen to type 'detail'? I apologize if I'm missing something simple.
>
> Yes. See raddb/radrelay.conf
>
>> Wed Sep 6 11:31:19 2006 : Info: FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Sep 6 2006 at 10:15:27
>> Wed Sep 6 11:31:19 2006 : Info: Starting - reading configuration files ...
>> Wed Sep 6 11:31:19 2006 : Error: Assertion failed in listen.c, line 1996
>
> That's a bug. I've just committed a fix.
>
> Alan DeKok.
Re: rlm_perl and accounting
When might this be available?

Alan DeKok wrote:
>> I see the patch you're referring to, but after rethinking my question, I think what I'm really trying to do is rewrite $RAD_REQUEST, not $RAD_REPLY, and it does not appear that I can alter $RAD_REQUEST in any way - either change or add.
>
> Hmm... looking into it in a little more detail, I think it would be even easier to do it another way. The code in CVS head has been updated to allow for :=, to over-write existing attributes. But I think it might be even easier to simply use the hashes as-is, and replace the existing attribute lists.
>
> i.e. put the attributes into perl hashes, and then make those perl hashes definitive for the new values of the attributes. This would involve throwing away the previous attributes entirely. So you would have to be *very* careful about modifying the hashes, but you would have complete flexibility.
>
> Comments? I don't think this will go into 1.1.3, though...
>
> Alan DeKok.
rlm_perl and accounting
I'm running freeradius v. 1.1.0 and am trying to use rlm_perl to rewrite accounting attributes before they are written to log with detail and then replicated with radrelay. Here is the version of example.pl that I'm using (I've only added a single statement to the preacct function):

    use strict;
    # use ...
    # This is very important ! Without this script will not get the filled hashes from main.
    use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
    #use Data::Dumper;

    # This is hash which hold original request from radius
    #my %RAD_REQUEST;
    # In this hash you add values that will be returned to NAS.
    #my %RAD_REPLY;
    #This is for check items
    #my %RAD_CHECK;

    #
    # This the remapping of return values
    #
    use constant RLM_MODULE_REJECT   => 0; # /* immediately reject the request */
    use constant RLM_MODULE_FAIL     => 1; # /* module failed, don't reply */
    use constant RLM_MODULE_OK       => 2; # /* the module is OK, continue */
    use constant RLM_MODULE_HANDLED  => 3; # /* the module handled the request, so stop. */
    use constant RLM_MODULE_INVALID  => 4; # /* the module considers the request invalid. */
    use constant RLM_MODULE_USERLOCK => 5; # /* reject the request (user is locked out) */
    use constant RLM_MODULE_NOTFOUND => 6; # /* user not found */
    use constant RLM_MODULE_NOOP     => 7; # /* module succeeded without doing anything */
    use constant RLM_MODULE_UPDATED  => 8; # /* OK (pairs modified) */
    use constant RLM_MODULE_NUMCODES => 9; # /* How many return codes there are */

    # Function to handle authorize
    sub authorize {
        # For debugging purposes only
        # &log_request_attributes;

        # Here's where your authorization code comes
        # You can call another function from here:
        &test_call;

        return RLM_MODULE_OK;
    }

    # Function to handle authenticate
    sub authenticate {
        # For debugging purposes only
        # &log_request_attributes;

        if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
            # Reject user and tell him why
            $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
            return RLM_MODULE_REJECT;
        } else {
            # Accept user and set some attribute
            $RAD_REPLY{'h323-credit-amount'} = 100;
            return RLM_MODULE_OK;
        }
    }

    # Function to handle preacct
    sub preacct {
        # For debugging purposes only
        # &log_request_attributes;

        $RAD_REPLY{'Acct-Session-Id'} = "new-session-value";

        return RLM_MODULE_OK;
    }

    # Function to handle accounting
    sub accounting {
        # For debugging purposes only
        # &log_request_attributes;

        # You can call another subroutine from here
        # &test_call;

        return RLM_MODULE_OK;
    }

    # Function to handle checksimul
    sub checksimul {
        # For debugging purposes only
        # &log_request_attributes;

        return RLM_MODULE_OK;
    }

    # Function to handle pre_proxy
    sub pre_proxy {
        # For debugging purposes only
        # &log_request_attributes;

        return RLM_MODULE_OK;
    }

    # Function to handle post_proxy
    sub post_proxy {
        # For debugging purposes only
        # &log_request_attributes;

        return RLM_MODULE_OK;
    }

    # Function to handle post_auth
    sub post_auth {
        # For debugging purposes only
        # &log_request_attributes;

        return RLM_MODULE_OK;
    }

    # Function to handle xlat
    sub xlat {
        # For debugging purposes only
        # &log_request_attributes;

        # Loads some external perl and evaluate it
        my ($filename,$a,$b,$c,$d) = @_;
        radiusd::radlog(1, "From xlat $filename ");
        radiusd::radlog(1, "From xlat $a $b $c $d ");
        local *FH;
        open FH, $filename or die "open '$filename' $!";
        local($/) = undef;
        my $sub = <FH>;
        close FH;
        my $eval = qq{ sub handler{ $sub;} };
        eval $eval;
        eval {main->handler;};
    }

    # Function to handle detach
    sub detach {
        # For debugging purposes only
        # &log_request_attributes;

        # Do some logging.
        radiusd::radlog(0, "rlm_perl::Detaching. Reloading. Done.");
    }

    #
    # Some functions that can be called from other functions
    #

    sub test_call {
        # Some code goes here
    }

    sub log_request_attributes {
        # This shouldn't be done in production environments!
        # This is only meant for debugging!
        for (keys %RAD_REQUEST) {
            radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
        }
    }

Here's the output of freeradius -X:

[EMAIL PROTECTED]:/etc/freeradius# freeradius -X
...
Module: Loaded perl
 perl: module = /home/jcc/scripts/example.pl
 perl: func_authorize = authorize
 perl: func_authenticate = authenticate
 perl: func_accounting = accounting
 perl: func_preacct = preacct
 perl: func_checksimul = checksimul
 perl: func_detach = detach
 perl: func_xlat = xlat
 perl: func_pre_proxy = pre_proxy
 perl: func_post_proxy
Re: rlm_perl and accounting
I see the patch you're referring to, but after rethinking my question, I think what I'm really trying to do is rewrite $RAD_REQUEST, not $RAD_REPLY, and it does not appear that I can alter $RAD_REQUEST in any way - either change or add.

If I understand correctly, $RAD_REPLY is the hash of attributes that the server will send back to the NAS, and $RAD_REQUEST is the hash of attributes that is actually written when the detail module is called. My goal is to inspect the received attributes using rlm_perl in the preacct{} phase before they are written to log in the accounting{} phase and possibly remove/rewrite/add attributes before they are logged. Is this possible with rlm_perl?

Also, I've observed that the freeradius will not start when my example.pl script contains use Data::Dumper; It looks as if others have had this problem when their perl was not compiled with ITHREADS support, but my perl does have ITHREADS support, and neither perl -c -MData::Dumper nor perl example.pl returns an error.

[EMAIL PROTECTED]:~/scripts$ perl -v
This is perl, v5.8.7 built for i486-linux-gnu-thread-multi

[EMAIL PROTECTED]:~/scripts$ perl -V | grep ITHREADS
Compile-time options: MULTIPLICITY USE_ITHREADS USE_LARGE_FILES

Thanks.
-jc

Alex French wrote:
> Yes, this is due to the way rlm_perl works by default (new pairs can be added but existing ones not changed). Look back a week or so in the mailing list archives to the problem I was having. There is a patch on the list that will allegedly make it into HEAD. The patch works nicely for me.
>
> Alex
>
> On 22/08/06, *Justin Church* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
>> I'm running freeradius v. 1.1.0 and am trying to use rlm_perl to rewrite accounting attributes before they are written to log with detail and then replicated with radrelay. Here is the version of example.pl that I'm using (I've only added a single statement to the preacct function):
Re: rlm_perl and accounting
Alan DeKok wrote:
>> I see the patch you're referring to, but after rethinking my question, I think what I'm really trying to do is rewrite $RAD_REQUEST, not $RAD_REPLY, and it does not appear that I can alter $RAD_REQUEST in any way - either change or add.
>
> Hmm... looking into it in a little more detail, I think it would be even easier to do it another way. The code in CVS head has been updated to allow for :=, to over-write existing attributes. But I think it might be even easier to simply use the hashes as-is, and replace the existing attribute lists.
>
> i.e. put the attributes into perl hashes, and then make those perl hashes definitive for the new values of the attributes. This would involve throwing away the previous attributes entirely. So you would have to be *very* careful about modifying the hashes, but you would have complete flexibility.
>
> Comments? I don't think this will go into 1.1.3, though...

That's exactly what I'm looking for.

> Alan DeKok.
how to rewrite and replicate accounting?
I want to take all accounting packets received and either rewrite received attributes or append new attributes using a custom dictionary and then replicate the rewritten packets to multiple radius servers. Freeradius documentation seems to indicate this should be doable, but I can't seem to find any specific examples. Looks like I need some combination of the rlm_attr_rewrite, rlm_preprocess, and rlm_proxy modules? Is this correct?

Thanks in advance.
-jc