Re: How to store session info in external database?

2013-08-09 Thread Maciej Lew
Thanks, it works.


2013/8/6 Arran Cudbard-Bell a.cudba...@freeradius.org


 On 6 Aug 2013, at 14:29, Maciej Lew mac...@lanserver.pl wrote:

 The problem is we have databases in slave mode; only reading is allowed.
 We want to pass this information to another database...

 Modules can have multiple instances.

 sql.conf
 

 sql sql_write {
 sql config
 }


 accounting {
 sql_write
 }

 -Arran

 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Regards
Maciej Lew

tel. 883-376-062
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
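The two-instance layout Arran describes, written out as an added example (not configuration from this thread) in FreeRADIUS 2.x syntax. The stock sql instance keeps reading from the read-only slave; a second instance, sql_write, points at the database that accepts writes and is the only instance named in the sections that insert or update. The host name, login, password and the radius_stats database name are assumptions.

```unlang
# raddb/sql.conf, appended after the stock sql { } instance
# (added example; host, login, password and database name are assumptions)
#
# The stock "sql" instance keeps pointing at the read-only slave and is
# only listed in "authorize", where it just SELECTs from radcheck/radreply.
# This second instance points at the statistics database that accepts
# writes and is the only instance listed in the sections that INSERT/UPDATE.
sql sql_write {
	database = "mysql"
	driver = "rlm_sql_${database}"

	server = "stats-master.example.net"
	login = "radius_w"
	password = "changeme"
	radius_db = "radius_stats"

	acct_table1 = "radacct"
	acct_table2 = "radacct"
	postauth_table = "radpostauth"

	num_sql_socks = 5
	connect_failure_retry_delay = 60
	sqltrace = no

	# Stock per-driver queries: these fill radacct from the attributes of
	# the Accounting-Request (Acct-Session-Id, Acct-Input-Octets, ...).
	$INCLUDE sql/${database}/dialup.conf
}

# raddb/sites-enabled/default  (only the sections that matter here)
authorize {
	chap
	mschap
	sql          # read-only slave: user/group lookup only
	pap
}

accounting {
	# Acct-Session-Id, Acct-Session-Time, Acct-Input/Output-Octets and
	# Framed-IP-Address are attributes of the Accounting-Request.  An
	# Access-Request never carries them, which is why a script run from
	# "authorize" cannot see %{Acct-Session-Id}.
	sql_write
}

session {
	sql_write    # Simultaneous-Use reads the open rows in the writable radacct
}

post-auth {
	sql_write
}
```

With this split the slave never receives a write, and a replication lag on the slave only affects authorization lookups, not the accounting rows, which always land in the master.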

How to store session info in external database?

2013-08-06 Thread Maciej Lew
Hi, I would like to store FreeRADIUS session information like
Acct-Session-Id, Acct-Start-Time, Acct-Stop-Time, Acct-Input-Octets,
Acct-Output-Octets, Framed-IP-Address, NAS-IP-Address in an external database.

We have our devices connected to databases which are read-only, so we cannot
store that information there. We also have a database where we want to
store session statistics from all devices.

Is that possible to achieve?

Until now we tried setting up a virtual host with Auth-Type rules redirecting
to a script, but we cannot receive Acct-Session-Id. Here is how our
/etc/freeradius/sites-available/default looks:

authorize {
	chap
	mschap
	sql
	update control {
		Auth-Type := `/etc/freeradius/bin/testradius '%{User-Name}' '%{Calling-Station-Id}' '%{NAS-IP-Address}' '%{reply:Framed-IP-Address}' '%{reply:Acct-Session-Id}' '%{reply:Acct-Unique-Session-Id}'`
	}
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
}

preacct {
	acct_unique
}

accounting {
#	sql
}

session {
#	sql
}

post-auth {
#	sql
}

Sorry for any language mistakes :)


-- 
Regards
Maciej Lew

tel. 883-376-062

Re: How to store session info in external database?

2013-08-06 Thread Maciej Lew
The problem is we have databases in slave mode; only reading is allowed. We
want to pass this information to another database...


2013/8/6 a.l.m.bu...@lboro.ac.uk

 Hi,

 Hi, I would like to store FreeRADIUS session information like
 Acct-Session-Id, Acct-Start-Time, Acct-Stop-Time, Acct-Input-Octets,
 Acct-Output-Octets, Framed-IP-Address, NAS-IP-Address in an external
 database.

 the default config does this - you just need to edit the SQL module to
 be appropriate to your database (and have a DB you can write to!) and then
 use the 'sql' option in the accounting section (that's the section that
 will have those details, as they are in RADIUS Accounting packets).

 accounting {
 #   sql
 }

 look. there.


 to optimise you might then want to look at other virtual servers to do
 this stuff, like bufferedsql or the remote accounting proxy one, and then
 make sure your DB is optimised: both the running environment (memory
 allocation, disk platters etc.), the table indexes and the DB engine used
 for the tables.

 alan




-- 
Regards
Maciej Lew

tel. 883-376-062

Re: freeradius-1.0.5 compilation error (library -lz not found)

2006-01-02 Thread TK Lew
hi ::

You need the zlib development package installed.

On 1/2/06, K Pang [EMAIL PROTECTED] wrote:
 Hi All,
 Happy New Year to all of you!
 I encountered some compilation errors when compiling freeradius-1.0.5 on
 Solaris 8. Below are the errors.

 /usr/local/src/freeradius-1.0.5-pi/libtool --mode=link gcc -release 1.0.5 \
 -module -export-dynamic  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
 -DOPENSSL_NO_KRB5 -I/usr/local/ssl/include -Wall -D_GNU_SOURCE -g -Wshadow
 -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes
 -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W
 -Wredundant-decls -Wundef  -I../.. -I../../../../include \
 -I/usr/local/mysql/include -I/usr/local/src/freeradius-1.0.5-pi/libltdl -o
 rlm_sql_mysql.la -rpath /usr/local/radius5/lib sql_mysql.lo
 -L/usr/local/mysql/lib/mysql -lmysqlclient -lnsl -lresolv -lsocket -lposix4
 -lpthread -lz -lnsl -lresolv -lsocket -lposix4  -lpthread -lz
 rm -fr .libs/rlm_sql_mysql.la .libs/rlm_sql_mysql.*
 .libs/rlm_sql_mysql-1.0.5.*
 /usr/ccs/bin/ld -G -h rlm_sql_mysql-1.0.5.so -o .libs/rlm_sql_mysql-1.0.5.so
   sql_mysql.lo  -R/usr/local/mysql/lib/mysql -R/usr/local/mysql/lib/mysql
 -L/usr/local/BerkeleyDB.4.2 -L/usr/local/mysql/lib/mysql
 /usr/local/mysql/lib/mysql/libmysqlclient.so -lnsl -lresolv -lsocket
 -lposix4 -lpthread -lz -lnsl -lresolv -lsocket -lposix4 -lpthread -lz -lc
 ld: fatal: library -lz: not found
 ld: fatal: library -lz: not found
 ld: fatal: File processing errors. No output written to
 .libs/rlm_sql_mysql-1.0.5.so
 make[10]: *** [rlm_sql_mysql.la] Error 1
 make[10]: Leaving directory
 `/usr/local/src/freeradius-1.0.5-pi/src/modules/rlm_sql/drivers/rlm_sql_mysql'

 What is 'library -lz not found'? I've no idea what this library is.
 Is it caused by missing certain packages? If so, which package should I
 install? Please advise.
 thanks in advance!


 Rgds,
 Pang






Weird Insert sql statement in sqltrace.sql

2005-12-24 Thread TK Lew
hi all ::

I have FreeRADIUS with Oracle 10.0 running, but something weird
appeared in sqltrace.sql.

Sample weirdness record ::

INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName,
Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay, AcctStopDelay) values('',
'cb5241850008c698', '200a59703fc69d6d', '60131234567', '',
'203.82.65.xxx', '', 'Virtual', NULL, TO_DATE('2005-12-23
19:24:35','-mm-dd hh24:mi:ss'), '194', '', '', '', '35440',
'80779', 'streaming.com', '60131234567', '', '', '', '10.161.211.xxx',
'0', '');

By right, when an accounting start packet comes in, the accounting start
time should be recorded and the accounting stop time should be NULL. But
in my case, as shown above, the accounting start time is NULL and the
accounting stop time is recorded.

Has anybody encountered this kind of weirdness before?

Thanks !

Merry Christmas and Happy New Year.

regards



sqltrace.log

2005-12-05 Thread TK Lew
hi all ::

Is it advisable to turn on the sqltrace.log file in a production environment?

Thanks !

BR



Query local active session database (radutmp)

2005-11-17 Thread TK Lew
hi ::

Is it possible to query the FreeRADIUS local session database (radutmp) to
check for simultaneous use? If a session exists, delete it using the radzap
command and only then accept the Accounting Start packet, which is then
eventually written to radutmp.

I can write the script to delete it, but I have no idea how to configure
radiusd.conf for my environment (if it can be done).

Thanks

BR



Re: Query local active session database (radutmp)

2005-11-17 Thread TK Lew
hi ::

My situation is complicated. I have FreeRADIUS running, which accepts
accounting start and accounting stop packets forwarded from the customer's
main RADIUS (SB).

Problem is I cannot query the NAS for simultaneous use, and the NAS is
using the same NAS Port for each accounting start packet. Since I am
using radutmp as the session database, the accounting start and
accounting stop will update the session database.

But due to some unexplained situation, no accounting stop packet was
received (lost packet or whatever?) and another accounting start
arrived with the same MSISDN number (username). In the end I have a
duplicate username in the session database.

So I was thinking: before writing the accounting start packet to the
session database, perhaps it is possible to perform a pre-check on the
session database, or some preprocess or preacct?

Thanks.

BR

On 11/17/05, Chris Carver [EMAIL PROTECTED] wrote:
 On Thu, 2005-11-17 at 23:03 +0800, TK Lew wrote:
  hi ::
 
  Is it possible to query the FreeRADIUS local session database (radutmp) to
  check for simultaneous use? If a session exists, delete it using the radzap
  command and only then accept the Accounting Start packet, which is then
  eventually written to radutmp.
 
  I can write the script to delete it, but I have no idea how to configure
  radiusd.conf for my environment (if it can be done).
 
  Thanks
 
  BR
 

 What are you trying to do?  radwho does the query against radutmp that
 you're referring to.  The -r flag provides all the information radzap
 would need.  I'm not sure what you're trying to do though.  Please be
 more specific about what you're trying to achieve.





Re: Query local active session database (radutmp)

2005-11-17 Thread TK Lew
hi Chris ::

Thanks for the reply. Yes indeed my situation is a bit dodgy.

I will explore the SQL option as session database.

Thanks again.

BR

On 11/18/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Quoting TK Lew [EMAIL PROTECTED]:

  hi ::
 
  My situation is complicated. I have FreeRADIUS running, which accepts
  accounting start and accounting stop packets forwarded from the customer's
  main RADIUS (SB).
 
  Problem is I cannot query the NAS for simultaneous use, and the NAS is
  using the same NAS Port for each accounting start packet. Since I am
  using radutmp as the session database, the accounting start and
  accounting stop will update the session database.
 
  But due to some unexplained situation, no accounting stop packet was
  received (lost packet or whatever?) and another accounting start
  arrived with the same MSISDN number (username). In the end I have a
  duplicate username in the session database.
 
  So I was thinking: before writing the accounting start packet to the
  session database, perhaps it is possible to perform a pre-check on the
  session database, or some preprocess or preacct?
 
  Thanks.
 
  BR
 
  On 11/17/05, Chris Carver [EMAIL PROTECTED] wrote:
   On Thu, 2005-11-17 at 23:03 +0800, TK Lew wrote:
hi ::
   
    Is it possible to query the FreeRADIUS local session database (radutmp) to
    check for simultaneous use? If a session exists, delete it using the radzap
    command and only then accept the Accounting Start packet, which is then
    eventually written to radutmp.
   
    I can write the script to delete it, but I have no idea how to configure
    radiusd.conf for my environment (if it can be done).
   
Thanks
   
BR
   
  
    What are you trying to do?  radwho does the query against radutmp that
    you're referring to.  The -r flag provides all the information radzap
    would need.  I'm not sure what you're trying to do though.  Please be
    more specific about what you're trying to achieve.
  
  
 
 

 If you have no way to query the NAS for simultaneous use, this puts you in a
 particular situation regardless of what you do with radutmp.  You can:

 A.  Turn off simultaneous use checking and allow users to connect multiple
 times.

 B.  Rely entirely upon the radutmp db to determine if a customer is already
 connected and accept the fact that due to UDP you will have some stale
 sessions.  You will need to radzap these as your users file legitimate
 complaints about not being able to connect.  This is a configuration option in
 the radutmp database.

 I am still a bit confused about your email and objective.  Keep in mind RADIUS
 accounting happens over UDP and you WILL have some lost start/stop packets.
 This will cause radutmp to be incorrect.  The function of checkrad is to query
 the NAS to find out if radutmp is correct or not.  If you cannot query the NAS
 with checkrad, you have to settle for option A or B listed above.

 Chris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
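The SQL session database this reply ends on, as an added example in FreeRADIUS 2.x syntax (not configuration from the thread). rlm_sql counts a user's open radacct rows (those with no acctstoptime) for Simultaneous-Use, so the NAS-Port that every session here shares no longer matters; a lost Stop still leaves a row open, which is Chris's option B in SQL form. The stock MySQL table and query names are used; the module and section layout beyond that is an assumption.

```unlang
# raddb/sites-enabled/default  (added example, FreeRADIUS 2.x syntax; not
# configuration from this thread)
authorize {
	preprocess
	sql
	# One live session per MSISDN.  rlm_radutmp would key this on
	# NAS-IP-Address + NAS-Port, which is the same for every session here;
	# rlm_sql keys it on the user's radacct rows that have no acctstoptime.
	update control {
		Simultaneous-Use := 1
	}
	pap
}

preacct {
	preprocess
	acct_unique          # Acct-Unique-Session-Id -> radacct.acctuniqueid
	suffix
}

accounting {
	sql                  # Start inserts an open row, Stop sets acctstoptime
}

session {
	sql                  # runs simul_count_query, then simul_verify_query
}

# raddb/sql.conf, inside the stock sql { } instance.  A row that checkrad
# reports as dead is closed (a synthetic Stop) instead of being counted.
# checkrad can only answer if clients.conf gives the NAS a "nastype" it can
# poll; without that, rad_check_ts() treats every open row as live, so after
# a lost Stop the user stays locked out until the row is closed by hand.
deletestalesessions = yes

# raddb/sql/mysql/dialup.conf: the stock queries behind the "session" call.
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM ${acct_table1} WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
```

Closing a stale row by hand is an UPDATE that sets acctstoptime on the user's rows where acctstoptime IS NULL, the SQL counterpart of radzap; the count query only looks at that column, so nothing else needs to change.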


Re: Interaction between accounting data and radutmp

2005-11-15 Thread TK Lew
hi alan ::

Thanks, but changing the NAS port is not an option for me :( since I
am actually using FreeRADIUS for a streaming project where there are
so many NASes around.

Based on the FreeRADIUS mailing list, I think I came across a similar
posting (I think your reply is there too).

http://lists.freeradius.org/mailman/htdig/freeradius-users/2002-January/004570.html

This guy basically hacks rlm_radutmp to use the session id.

a. Is it possible to use the hack for session id if NAS port is not an option?
b. For a high performance site, does radutmp perform well?
c. Or is the last option to use an SQL-based session database?

Thanks again !

Regards

On 11/15/05, Alan DeKok [EMAIL PROTECTED] wrote:
 TK Lew [EMAIL PROTECTED] wrote:
  Ah... that's why, but all the NASes are using the same port!

   Ask your NAS vendor.

  I understand that the session index is based on NAS port. Any chance
  for it to be based on session id? Is there a patch for it??

   No.  That simply won't work.

   If you're doing session tracking, the server needs port information.

   Alan DeKok.




Interaction between accounting data and radutmp

2005-11-14 Thread TK Lew
hi all ::

I have a weird problem. If I am not mistaken, sessions are logged and
removed on accounting-start and accounting-stop, but I have encountered
cases where an active session for a particular user has been deleted from
the session database without the corresponding accounting stop packet.
I am running FreeRADIUS 1.0.4 on Solaris 9.

Is there a problem with radutmp ??

My config file for radutmp under radiusd.conf ::
===
radutmp {
	#  Where the file is stored.  It's not a log file,
	#  so it doesn't need rotating.
	#
	filename = ${logdir}/radutmp

	#  The field in the packet to key on for the
	#  'user' name.  If you have other fields which you want
	#  to use to key on to control Simultaneous-Use,
	#  then you can use them here.
	#
	#  Note, however, that the size of the field in the
	#  'utmp' data structure is small, around 32
	#  characters, so that will limit the possible choices
	#  of keys.
	#
	#  You may want instead: %{Stripped-User-Name:-%{User-Name}}
	username = %{User-Name}

	#  Whether or not we want to treat user the same
	#  as USER, or User.  Some systems have problems
	#  with case sensitivity, so this should be set to
	#  'no' to enable the comparisons of the key attribute
	#  to be case insensitive.
	#
	case_sensitive = yes

	#  Accounting information may be lost, so the user MAY
	#  have logged off of the NAS, but we haven't noticed.
	#  If so, we can verify this information with the NAS.
	#
	#  If we want to believe the 'utmp' file, then this
	#  configuration entry can be set to 'no'.
	#
	check_with_nas = no

	#  Set the file permissions, as the contents of this file
	#  are usually private.
	perm = 0600

	callerid = yes
}


Thanks !



Re: Interaction between accounting data and radutmp

2005-11-14 Thread TK Lew
hi ::

Ah... that's why, but all the NASes are using the same port! I understand
that the session index is based on NAS port. Any chance for it to be
based on session id? Is there a patch for it??

Thanks again !

On 11/15/05, Alan DeKok [EMAIL PROTECTED] wrote:
 TK Lew [EMAIL PROTECTED] wrote:
  I have a weird problem. If I am not mistaken, sessions are logged and
  removed on accounting-start and accounting-stop, but I have encountered
  cases where an active session for a particular user has been deleted from
  the session database without the corresponding accounting stop packet.

   Most likely because someone else logged in on the same port.

   Two people can't use the same port at the same time.

   Alan DeKok.




radutmp

2005-09-26 Thread TK Lew
hi ::

Can attributes be added to radutmp? What do I need to do if I want the
Called-Station-Id attribute to be displayed when running radwho -R?

Thanks for any reply.

Regards



is this possible ?

2005-09-22 Thread TK Lew
hi :

I am not sure whether anyone has done this before ::

We have a customer using Steelbelt RADIUS that forwards accounting
information to the FreeRADIUS server. We can receive the accounting
packets and store them successfully.
But the problem is we have another application that will do a mapping
from IP address to MSISDN. In order to do the mapping from IP to
MSISDN, the application needs to talk (??) to a RADIUS server that has
the information (that means the FreeRADIUS that receives the accounting
packets). The flow is below ::

handset -- authenticated successfully -- Steelbelt RADIUS forwards the
accounting packet to FreeRADIUS, and the application will then do a lookup
for the MSISDN that matches the IP address before allowing the handset to
use the services.

Is this possible?? The application managed to authenticate itself
successfully with FreeRADIUS, but I just cannot send the matching
MSISDN back to the application.

I have tried to use a variable such as %{Calling-Station-Id} in the
Access-Reply message, but no value is assigned.

Any helps ?

Thanks



Users file

2005-09-12 Thread TK Lew
Hello,

I have configured my users file to have the following entries ::
steve	Auth-Type := System
	Calling-Station-ID = calling-station-id

I want FreeRADIUS to reply back with Calling-Station-Id, which is basically
the MSISDN, but instead I got 'calling-station-id'?

What is the correct syntax for calling-station-id?

Thanks for all !

TK

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
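One way to answer the application's question from the stored accounting data, as an added example in FreeRADIUS 2.x unlang. It is not configuration from this thread or from the "is this possible ?" thread above, where a literal in the reply list came back as the literal and %{Calling-Station-Id} had nothing to expand, because the application's own Access-Request carries no Calling-Station-Id. It assumes rlm_sql already stores the forwarded accounting in radacct (MySQL), that the lookup application is defined in clients.conf with shortname msisdn-app, and that it puts the handset's address in Framed-IP-Address of its Access-Request.

```unlang
# raddb/sites-enabled/default, "post-auth" section  (added example in
# FreeRADIUS 2.x unlang; not configuration from either thread).  Assumes
# an rlm_sql instance named "sql" feeding radacct, a client with shortname
# "msisdn-app" in clients.conf, and the handset address in Framed-IP-Address.
post-auth {
	if ((Client-Shortname == "msisdn-app") && Framed-IP-Address) {
		# Calling-Station-Id of the live session that holds this address.
		# %{sql:...} returns the first column of the first row.  The nested
		# %{Framed-IP-Address} is passed through rlm_sql's escape function
		# before substitution, and an ipaddr attribute only ever expands to
		# a dotted quad anyway, so the client cannot inject into the query.
		update control {
			Tmp-String-0 := "%{sql:SELECT callingstationid FROM radacct WHERE framedipaddress = '%{Framed-IP-Address}' AND acctstoptime IS NULL ORDER BY acctstarttime DESC LIMIT 1}"
		}
		if (!control:Tmp-String-0 || (control:Tmp-String-0 == "")) {
			update reply {
				Reply-Message := "No live session for that address"
			}
			reject
		}
		# Unlike a literal in the users file, this sends the looked-up value.
		update reply {
			Calling-Station-Id := "%{control:Tmp-String-0}"
		}
	}
}
```

Calling-Station-Id is not an attribute RFC 2865 lists for an Access-Accept, so the application has to be written to read it from there; Reply-Message would be the conservative carrier if the application's RADIUS library drops unexpected reply attributes.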


Re: listen on freeradius 1.0.1

2004-10-05 Thread Lew A
oh, shoot, stupid oversight on my part...

#bind_address = *
#port = 0

listen {
ipaddr = 192.168.0.22
port = 0
type = auth
}

works much better... thanks, and sorry

Thank you,
Lew A
GWI Operations

On Tue, 5 Oct 2004, Kevin Bonner wrote:


 On Tuesday 05 October 2004 11:32, Lew A wrote:
  listen {
  bind_address = 192.168.0.22
  port = 0
  type = auth
  }

 This doesn't look like the example in the default radiusd.conf.  Looking at a
 default radiusd.conf entry, there is no bind_address option.  Look at a
 default radiusd.conf file and see what you're missing.

 Kevin Bonner





Re: Ldap and Ldap-Group

2004-09-07 Thread Lew A
 celtadmin authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 55 to 127.0.0.1:1838
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 55 with timestamp 413dd98b
Nothing to do.  Sleeping until we see a request.

Why isn't the xlat stuff seeing the groupname_attribute stuff?

Am I missing something? All the documentation I read seems to say that
this should be working the way I have it set up.

Thank you,
Lew A
GWI Operations

On Fri, 3 Sep 2004, Lew A wrote:

 Hello,

 freeradius-0.9.3_1
 openldap-2.2.6
 freebsd-4.9-p11

 For some reason this isn't working. I could have sworn I got it working
 before doing this. But this is my setup:

 radius.conf:
 ldap dialup {
     server = localhost
     identity = cn=Manager,dc=gwi,dc=net
     password = 
     basedn = ou=Users,o=gwi.net,dc=gwi,dc=net
     filter = (uid=%{Stripped-User-Name:-%{User-Name}})
     start_tls = no
     tls_mode = no
     dictionary_mapping = ${raddbdir}/ldap-dialup.attrmap
     ldap_connections_number = 5
     groupname_attribute = gidNumber
     groupmembership_filter = (uid=%{Stripped-User-Name:-%{User-Name}})
     timeout = 4
     timelimit = 3
     net_timeout = 1
     compare_check_items = no
 }

 users:
 # Setup Auth Attributes
 DEFAULT     Auth-Type = LDAP, Autz-Type = LDAP
             Fall-Through = Yes

 # Regular POP connection, then check for Static IP/Subnet POP connections
 DEFAULT     Huntgroup-Name == dialup, Autz-Type := DIALUP
             Fall-Through = Yes

 # Reject mbox accounts
 DEFAULT     Ldap-Group == 27
             Idle-Timeout = 1,
             Filter-Id = denied

 It hits the first default, hits the second default, but doesn't hit the
 third default. I've read that groupname_attribute should = cn, but we'd
 really like to just use gidNumber (that's the group they're in). Here is a
 log of a user connecting (that should be getting the denied filter-id).
 For some reason it's completely ignoring my groupname_attribute and
 groupmembership_filter settings, and just using the defaults.

 rad_recv: Access-Request packet from host 127.0.0.1:4272, id=221,
 length=61
 User-Name = celtadmin
 User-Password = ***
 NAS-IP-Address = 207.5.128.1
 NAS-Port = 2
 modcall: entering group authorize for request 68
   modcall[authorize]: module preprocess returns ok for request 68
 rlm_realm: No '@' in User-Name = celtadmin, looking up realm NULL
 rlm_realm: Found realm NULL
 rlm_realm: Adding Stripped-User-Name = celtadmin
 rlm_realm: Proxying request from user celtadmin to realm NULL
 rlm_realm: Adding Realm = NULL
 rlm_realm: Authentication realm is LOCAL.
   modcall[authorize]: module suffix returns noop for request 68
 users: Matched DEFAULT at 49
   huntgroups: Matched dialup at 47
 users: Matched DEFAULT at 57
 rlm_ldap: Entering ldap_groupcmp()
 radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
 radius_xlat:  '(uid=celtadmin)'
 ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
 filter (uid=celtadmin)
 ldap_release_conn: Release Id: 0
 radius_xlat:
 '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
 ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
 filter
 (&(cn=25)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
 rlm_ldap: object not found or got ambiguous search result
 ldap_release_conn: Release Id: 0
 rlm_ldap::ldap_groupcmp: Group 25 not found or user is not a member.
 rlm_ldap: Entering ldap_groupcmp()
 radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
 radius_xlat:
 '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
 ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
 filter
 (&(cn=26)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
 rlm_ldap: object not found or got ambiguous search result
 ldap_release_conn: Release Id: 0
 rlm_ldap::ldap_groupcmp: Group 26 not found or user is not a member.
 rlm_ldap: Entering ldap_groupcmp()
 radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
 radius_xlat

Ldap and Ldap-Group

2004-09-03 Thread Lew A
=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter
(&(cn=28)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 28 not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter
(&(cn=29)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group 29 not found or user is not a member.
  modcall[authorize]: module files returns ok for request 68
modcall: group authorize returns ok for request 68
modcall: entering group Autz-Type for request 68
rlm_ldap: - authorize
rlm_ldap: performing user authorization for celtadmin
radius_xlat:  '(uid=celtadmin)'
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter (uid=celtadmin)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user celtadmin authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module dialup returns ok for request 68
modcall: group Autz-Type returns ok for request 68
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
modcall: entering group Auth-Type for request 68
rlm_ldap: - authenticate
rlm_ldap: login attempt by celtadmin with password ***
rlm_ldap: user DN: uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net/hucKle to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user celtadmin authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 68
modcall: group Auth-Type returns ok for request 68
Sending Access-Accept of id 221 to 127.0.0.1:4272

Thank you,
Lew A
GWI Operations



Re: Rejecting connections

2004-07-02 Thread Lew A
On Fri, 2 Jul 2004, Alan DeKok wrote:

 Lew A [EMAIL PROTECTED] wrote:
  To do this I had to set up some xlat functions, but we're having a problem.
  If, say, we have a customer tester who doesn't have any static assignments,
  but he decided to connect to us with a P, it would return a static
  assignment of 255.255.255.255 (basically a null response from LDAP), which
  gets the user connected, but they can't do anything (obviously). We're
  trying to avoid this.

   My suggestion would be to put the users into groups, and reject them
 if they're not doing the right thing.

   e.g.

 DEFAULT   Prefix == P, Group != allowed_to_use_p, Auth-Type := Reject
   Reply-Message = Go away


Not sure that'll work. If I have a customer with 1 static IP (P) and a
subnet assignment (S), they will be able to connect with P and S, but not
Q. We're only using LDAP as the backend database, so I guess I'd have to
use Ldap-Group, but that doesn't let me have more than one
'allowed_to_use_X' value. So a customer would only be able to use P or Q
or S (exclusively), but not any combination of them (inclusively).

Thank you,
Lew A
GWI Operations.



ldap.attrmap core dump

2004-07-02 Thread Lew A
Hello,

Not a big deal to me, but I was screwing around with the ldap.attrmap, and
I removed all but one replyItem (basically because I have a service
that we only need one reply from, and the rest of everything can be
ignored)... anyways, it core dumped. It works fine with only one checkItem.

let me know if you need anything else.

ludo# gdb -c radiusd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for
details.
This GDB was configured as i386-unknown-freebsd.
Core was generated by `radiusd'.
Program terminated with signal 11, Segmentation fault.
#0  0x10384843 in ?? ()
(gdb)


Thank you,
Lew A
GWI Operations

-
  A tiger can smile
  A snake will say it loves you
  Lies make us evil
-



Rejecting connections

2004-07-01 Thread Lew A
Hello,

running FreeRadius 0.9.3 w/ LDAP Backend on FreeBSD 4.9p9:
I have 4 Autz-Types, LDAP, SNS, POPS, PPPoE
LDAP = regular auth
SNS, POPS = Dialup
PPPoE = DSL

We have it set up and working so that if a customer connects with a P, Q or S
prefix they will get their static IP assignment. Basically one customer
can have up to 2 static assignments (P/Q) and 1 subnet assignment (S):

To do this I had to set up some xlat functions, but we're having a problem.
If, say, we have a customer tester who doesn't have any static assignments,
but he decided to connect to us with a P, it would return a static
assignment of 255.255.255.255 (basically a null response from LDAP), which
gets the user connected, but they can't do anything (obviously). We're
trying to avoid this. We tried rejecting on Framed-IP-Address ==
255.255.255.255 but that didn't work; we also tried rejecting on
Framed-IP-Address =~ 255.255.255.255, but no dice. Is there a better
method to be using? Or maybe a better way to have this set up? For
cleanliness I'd like to try and avoid having more than 4 modules set up in
the radiusd.conf, but if that can't be avoided I'll go that route. Thanks
for any help and insight.

users file:
# Static IP P Assignment
DEFAULT Prefix == P
	Framed-IP-Address = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusFramedIPAddressP?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
	Framed-IP-Netmask = 255.255.255.255,
	Idle-Timeout = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusIdleTimeoutP?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
	Framed-Protocol == PPP,
	Fall-Through = Yes

# Static IP Q Assignment
DEFAULT Prefix == Q
	Framed-IP-Address = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusFramedIPAddressQ?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
	Framed-IP-Netmask = 255.255.255.255,
	Idle-Timeout = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusIdleTimeoutQ?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
	Framed-Protocol == PPP,
	Fall-Through = Yes

# Subnet Assignment
DEFAULT Prefix == S
	Framed-IP-Address = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusFramedIPAddressS?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
	Framed-IP-Netmask = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusFramedIPNetmaskS?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
	Idle-Timeout = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusIdleTimeoutS?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
	Framed-Protocol == PPP,
	Fall-Through = Yes

# Setup Auth Attributes
DEFAULT Auth-Type = LDAP, Autz-Type = LDAP
	Fall-Through = Yes

DEFAULT Huntgroup-Name == pops, Autz-Type := POPS
	Reply-Message = Connecting to POPs,
	Fall-Through = Yes

DEFAULT Huntgroup-Name == sns, Autz-Type := SNS
	Reply-Message = Connecting to SNS,
	Fall-Through = Yes

DEFAULT Huntgroup-Name == stinger, Autz-Type := PPPoE
	Ascend-PPPoE-Enable = PPPoE-Yes,
	Ascend-Call-Type = 0,
	Service-Type = Framed-user,
	Framed-Protocol = PPP

this is my hints file:
DEFAULT Prefix == P, Strip-User-Name = Yes
	Hint = PPP,
	Service-Type = Framed-User,
	Framed-Protocol = PPP

DEFAULT Prefix == Q, Strip-User-Name = Yes
	Hint = PPP,
	Service-Type = Framed-User,
	Framed-Protocol = PPP

DEFAULT Prefix == S, Strip-User-Name = Yes
	Hint = PPP,
	Service-Type = Framed-User,
	Framed-Protocol = PPP
Thank you,
Lew A
GWI Operations

-
  A tiger can smile
  A snake will say it loves you
  Lies make us evil
-

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Reject connect based on Ldap Attributes

2004-06-23 Thread Lew A
I'm trying to set it up so that when a connection comes in from a certain
NAS-IP-Address, and the user trying to connect has a specific Ldap
attribute set, they won't be able to connect. I haven't been able to
successfully figure out how to do this. I'm using FreeRadius 0.98. It
matches default 93, then does ldap stuff, then because it auths with ldap
it just returns. Is there a way to get it to go back to users so I can
deny based on an ldap attribute?

This is what I have set up:
huntgroup:
ludo	NAS-IP-Address == 255.255.255.255

users:
DEFAULT Auth-Type = Ldap  = default 93
	Fall-Through = 1

DEFAULT Huntgroup-Name == ludo, Test == 28, Auth-Type := Reject
	Reply-Message = woah.

This is a radtest:
ludo# radtest WWWtstmnky test123 localhost 3 testing123
Sending Access-Request of id 33 to 127.0.0.1:1812
User-Name = WWWtstmnky
User-Password = abc123
NAS-IP-Address = ludo.gwi.net
NAS-Port = 3
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=33, length=32
Test = 28

This is radiusd debugging output:
rad_recv: Access-Request packet from host 127.0.0.1:4948, id=33, length=62
User-Name = WWWtstmnky
User-Password = test123
NAS-IP-Address = 255.255.255.255
NAS-Port = 3
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = WWWtstmnky, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = WWWtstmnky
rlm_realm: Proxying request from user WWWtstmnky to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
users: Matched DEFAULT at 93
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat:  '(uid=WWWtstmnky)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=gwi,dc=net/jogging cures the common cold
to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter (uid=WWWtstmnky)
ldap_release_conn: Release Id: 0
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter
(&(cn=true)(|(&(objectClass=GroupOfNames)(member=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group true not found or user is not a member.
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for WWWtstmnky
radius_xlat:  '(uid=WWWtstmnky)'
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter (uid=WWWtstmnky)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding gidNumber as Test, value 28  op=11
rlm_ldap: user WWWtstmnky authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Ldap
auth: type LDAP
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by WWWtstmnky with password test123
rlm_ldap: user DN: uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net/test123
to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user WWWtstmnky authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 33 to 127.0.0.1:4948
Test = 28
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 33 with timestamp 40d985a6
Nothing to do.  Sleeping until we see a request.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
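A toy model, added here and not part of either post or of FreeRADIUS itself, of the users-file matching that both threads above turn on: check items are compared against the request, so a check on Framed-IP-Address (a reply item) can never match, and neither can a check on a value that rlm_ldap adds to the reply only after `files` has already run (as the debug output above shows for Test = 28); the empty LDAP result surfaces only in the assembled reply, where a post-check can refuse it. The directory contents, usernames and addresses are constructed sample data.

```python
import ipaddress
NULL_ADDR = "255.255.255.255"  # what an empty LDAP result became on the wire
# Constructed stand-in for the LDAP directory: uid -> attribute -> value.
DIRECTORY = {"jane": {"radiusFramedIPAddressP": "192.0.2.10"}, "tester": {}}
# Constructed users-file entries: (check items, reply items, Fall-Through);
# ("ldap", attr) stands in for the %{ldap:...} xlat used on the page.
USERS = [
    ({"Prefix": "P"}, {"Framed-IP-Address": ("ldap", "radiusFramedIPAddressP")}, True),
    # Check items name *request* attributes, so this entry can never match:
    ({"Framed-IP-Address": NULL_ADDR}, {"Auth-Type": "Reject"}, False),
]

def ldap_xlat(uid, attr):
    # Empty string when the attribute is absent, like a null LDAP reply.
    return DIRECTORY.get(uid, {}).get(attr, "")

def check_matches(check, request):
    # Only request attributes are visible; Prefix is matched on User-Name.
    for name, want in check.items():
        ok = (request["User-Name"].startswith(want) if name == "Prefix"
              else request.get(name) == want)
        if not ok:
            return False
    return True

def build_reply(request):
    # Walk the entries in order, honouring Fall-Through, collecting the reply.
    reply = {}
    for check, items, fall_through in USERS:
        if not check_matches(check, request):
            continue
        for name, value in items.items():
            if isinstance(value, tuple):  # resolve the xlat; hints stripped the prefix
                value = ldap_xlat(request["User-Name"][1:], value[1]) or NULL_ADDR
            reply[name] = value
        if not fall_through:
            break
    return reply

def validate_static_ip(reply):
    # Post-check before Access-Accept: never hand out a dead address.
    addr = reply.get("Framed-IP-Address")
    if addr is None:
        return "accept"  # dynamic address, nothing to check
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # garbage in the directory attribute
        return "reject"
    bad = addr == NULL_ADDR or ip.is_multicast or ip.is_unspecified
    return "reject" if bad else "accept"
```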


Ldap Multiple Attributes

2004-06-22 Thread Lew A
Hello,

We're going to be starting to use FreeRadius, converting from the old BSDi
Cistron Radius. I have FreeRadius installed on two FreeBSD machines and
running fine with ldap as the backend database. We're trying to get away
from the users file and use ldap for static IP assignment.

This is what we need and what I can't figure out how to do, yet. We have
customers with multiple (5) static IPs. When they connect they will specify
which static they want based on the prefix of their name, example:

Acustomer = 192.168.1.1
Bcustomer = 192.168.1.2
Ccustomer = 192.168.1.3
Dcustomer = 192.168.1.4
Ccustomer = 192.168.1.5

I'm running into an issue of how to tell FreeRadius that I want to use
'Framed-IP-Address3' if the customer connects with a prefix of C and
'Framed-IP-Address1' if they connect with a prefix of A. Basically I think
I need to setup a hint for each prefix and a DEFAULT statement in the
users file for each type of static allowed.

Does anyone have any insight on what I need to do, or where I can find
documentation for this specific problem?

Thank you,
Lew A
GWI Operations

