Re: How to store session info in external database?
Thanks, it works.

2013/8/6 Arran Cudbard-Bell a.cudba...@freeradius.org:
> On 6 Aug 2013, at 14:29, Maciej Lew mac...@lanserver.pl wrote:
> > The problem is we have databases in slave mode, only reading is allowed. We want to pass this information to another database...
>
> Modules can have multiple instances.
>
> sql.conf:
>
>     sql sql_write {
>         sql config
>     }
>
>     accounting {
>         sql_write
>     }
>
> -Arran
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Pozdrawiam
Maciej Lew
tel. 883-376-062
How to store session info in external database?
Hi,

I would like to store FreeRADIUS session information like Acct-Session-Id, Acct-Start-Time, Acct-Stop-Time, Acct-Input-Octets, Acct-Output-Octets, Framed-IP-Address, NAS-IP-Address in an external database. We have our devices connected to databases which are read-only, so we cannot store that information there. We also have a database where we want to store session statistics from all devices. Is it possible to achieve that? Till now we tried setting up a virtual host with Auth-Type rules redirecting to a script, but we cannot receive Acct-Session-Id. Here is how our /etc/freeradius/sites-available/default looks:

    authorize {
        chap
        mschap
        sql
        update control {
            Auth-Type := `/etc/freeradius/bin/testradius '%{User-Name}' '%{Calling-Station-Id}' '%{NAS-IP-Address}' '%{reply:Framed-IP-Address}' '%{reply:Acct-Session-Id}' '%{reply:Acct-Unique-Session-Id}'`
        }
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
    }

    preacct {
        acct_unique
    }

    accounting {
        # sql
    }

    session {
        # sql
    }

    post-auth {
        # sql
    }

Sorry for any language mistakes :)

--
Pozdrawiam
Maciej Lew
tel. 883-376-062
Re: How to store session info in external database?
The problem is we have databases in slave mode, only reading is allowed. We want to pass this information to another database...

2013/8/6 a.l.m.bu...@lboro.ac.uk:
> Hi,
>
> > Hi, I would like to store freeradius session information like Acct-Session-Id, Acct-Start-Time, Acct-Stop-Time, Acct-Input-Octets, Acct-Output-Octets, Framed-IP-Address, NAS-IP-Address in external database.
>
> the default config does this - you just need to edit the SQL module to be appropriate to your database (and have a DB you can write to!) and then use the 'sql' option in the accounting section (that's the section that will have those details as they are in RADIUS Accounting packets).
>
> > accounting {
> >     # sql
> > }
>
> look. there.
>
> to optimise you might then want to look at other virtual servers to do this stuff like bufferedsql or the remote accounting proxy one. and then make sure your DB is optimised, both the running environment (memory allocation, disk platters etc), the table indexes and the DB engine used for the tables.
>
> alan

--
Pozdrawiam
Maciej Lew
tel. 883-376-062
Re: freeradius-1.0.5 compilation error (library -lz not found)
hi ::

U need the zlib development package installed.

On 1/2/06, K Pang [EMAIL PROTECTED] wrote:
> Hi All,
>
> Happy New Year to all of you!
>
> i encountered some compilation errors when compiling freeradius-1.0.5 on solaris 8. below are the errors.
>
>     /usr/local/src/freeradius-1.0.5-pi/libtool --mode=link gcc -release 1.0.5 \
>       -module -export-dynamic -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I/usr/local/ssl/include -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../.. -I../../../../include \
>       -I/usr/local/mysql/include -I/usr/local/src/freeradius-1.0.5-pi/libltdl -o rlm_sql_mysql.la -rpath /usr/local/radius5/lib sql_mysql.lo -L/usr/local/mysql/lib/mysql -lmysqlclient -lnsl -lresolv -lsocket -lposix4 -lpthread -lz -lnsl -lresolv -lsocket -lposix4 -lpthread -lz
>     rm -fr .libs/rlm_sql_mysql.la .libs/rlm_sql_mysql.* .libs/rlm_sql_mysql-1.0.5.*
>     /usr/ccs/bin/ld -G -h rlm_sql_mysql-1.0.5.so -o .libs/rlm_sql_mysql-1.0.5.so sql_mysql.lo -R/usr/local/mysql/lib/mysql -R/usr/local/mysql/lib/mysql -L/usr/local/BerkeleyDB.4.2 -L/usr/local/mysql/lib/mysql /usr/local/mysql/lib/mysql/libmysqlclient.so -lnsl -lresolv -lsocket -lposix4 -lpthread -lz -lnsl -lresolv -lsocket -lposix4 -lpthread -lz -lc
>     ld: fatal: library -lz: not found
>     ld: fatal: library -lz: not found
>     ld: fatal: File processing errors. No output written to .libs/rlm_sql_mysql-1.0.5.so
>     make[10]: *** [rlm_sql_mysql.la] Error 1
>     make[10]: Leaving directory `/usr/local/src/freeradius-1.0.5-pi/src/modules/rlm_sql/drivers/rlm_sql_mysql'
>
> what's 'library -lz not found'? i've no idea what this library is. is it caused by missing of certain packages? if so, which package should i install? pls advise. thanks in advance!
>
> Rgds,
> Pang
Weird Insert sql statement in sqltrace.sql
hi all ::

I have FreeRADIUS with Oracle 10.0 running, but something weird appeared in sqltrace.sql. Sample weird record ::

    INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
    values('', 'cb5241850008c698', '200a59703fc69d6d', '60131234567', '', '203.82.65.xxx', '', 'Virtual', NULL, TO_DATE('2005-12-23 19:24:35','-mm-dd hh24:mi:ss'), '194', '', '', '', '35440', '80779', 'streaming.com', '60131234567', '', '', '', '10.161.211.xxx', '0', '');

By right, when an accounting Start packet comes in, the accounting start time should be recorded and the accounting stop time should be NULL. But in my case, as shown above, the accounting start time is NULL and the accounting stop time is recorded. Has anybody encountered this kind of weirdness before?

Thanks! Merry Christmas and Happy New Year.

regards
sqltrace.log
hi all ::

Is it advisable to turn on the sqltrace.log file in a production environment?

Thanks!

BR
Query local active session database (radutmp)
hi ::

Is it possible to query the FreeRADIUS local session database (radutmp) to check for simultaneous use? If a session exists, delete it using the radzap command and only then accept the Accounting Start packet, which is then eventually written to radutmp. I can write the script to delete, but I have no idea how to configure radiusd.conf for my environment (if it can be done).

Thanks

BR
Re: Query local active session database (radutmp)
hi ::

My situation is complicated. I have FreeRADIUS running which accepts accounting Start and accounting Stop forwarded from the customer's main RADIUS (SB). The problem is I cannot query the NAS for simultaneous use, and the NAS is using the same NAS port for each accounting Start packet. Since I am using radutmp as the session database, the accounting Start and accounting Stop will update the session database. But due to some unexplained situation, no accounting Stop packet was received (lost packet or whatever?) and another accounting Start arrived with the same MSISDN number (username). In the end I have a duplicate username in the session database. So I was thinking: before writing the accounting Start packet to the session database, perhaps it is possible to perform a pre-check on the session database, or some preprocess or preacct?

Thanks.

BR

On 11/17/05, Chris Carver [EMAIL PROTECTED] wrote:
> On Thu, 2005-11-17 at 23:03 +0800, TK Lew wrote:
> > hi :: Is it possible to query freeradius local session database (radutmp) to check for simultaneous use? If exists delete it using radzap command and then only accept the Accounting Start packet which then eventually written to radutmp. I can write the script to delete but I have no idea how to configure the radiusd.conf for my environment (if it can be done).
> >
> > Thanks
> >
> > BR
>
> What are you trying to do? radwho does the query against radutmp that you're referring to. The -r flag provides all the information radzap would need. I'm not sure what you're trying to do though. Please be more specific about what you're trying to achieve.
Re: Query local active session database (radutmp)
hi Chris ::

Thanks for the reply. Yes indeed my situation is a bit dodgy. I will explore the SQL option as session database. Thanks again.

BR

On 11/18/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Quoting TK Lew [EMAIL PROTECTED]:
> > hi :: My situation is complicated. [...] So I was thinking of, before writing the accounting start packet to the session database, perhaps it is possible to perform a pre-check on the session database or some preprocess or preacct? Thanks. BR
> >
> > On 11/17/05, Chris Carver [EMAIL PROTECTED] wrote:
> > > On Thu, 2005-11-17 at 23:03 +0800, TK Lew wrote:
> > > > hi :: Is it possible to query freeradius local session database (radutmp) to check for simultaneous use? [...]
> > >
> > > What are you trying to do? radwho does the query against radutmp that you're referring to. The -r flag provides all the information radzap would need. I'm not sure what you're trying to do though. Please be more specific about what you're trying to achieve.
>
> If you have no way to query the NAS for simultaneous use, this puts you in a particular situation regardless of what you do with radutmp. You can:
>
> A. Turn off simultaneous use checking and allow users to connect multiple times.
>
> B. Rely entirely upon the radutmp db to determine if a customer is already connected and accept the fact that due to UDP you will have some stale sessions. You will need to radzap these as your users file legitimate complaints about not being able to connect. This is a configuration option in the radutmp database.
>
> I am still a bit confused about your email and objective. Keep in mind radius accounting happens over UDP and you WILL have some lost start/stop packets. This will cause radutmp to be incorrect. The function of checkrad is to query the NAS to find out if radutmp is correct or not. If you cannot query the NAS with checkrad, you have to settle for option A or B listed above.
>
> Chris
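Two symptoms on this page come from the same root cause, lost or unmatched accounting packets: the Oracle "weird insert" post above (a radacct row with a NULL start time and a filled stop time) and the duplicate open sessions for one username in the radutmp thread. The following is an added example, not FreeRADIUS code and not from any poster: a small Python/SQLite model of a radacct-style table that replays a constructed packet sequence twice. The first pass writes whatever arrives, so a Stop whose Start was never seen is stored as a start-NULL/stop-set row (this assumes the server's alternate stop query behaves that way when no open row matches, which is what the Oracle sample suggests) and a lost Stop leaves two open rows for the user. The second pass adds the pre-check the poster asked about: close any open row for the same User-Name before the new Start is written, which is option B's manual radzap done automatically. Session IDs, the MSISDN, addresses and timestamps are constructed for the demo; the session ID and MSISDN echo the ones in the Oracle post.

```python
"""radacct-style accounting table in SQLite (added example, not FreeRADIUS code)."""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY,
    acctsessionid      TEXT NOT NULL,
    username           TEXT NOT NULL,
    nasipaddress       TEXT NOT NULL,
    framedipaddress    TEXT,
    acctstarttime      TEXT,    -- NULL when only a Stop was ever seen
    acctstoptime       TEXT,    -- NULL while the session is open
    acctsessiontime    INTEGER,
    acctterminatecause TEXT
);
"""


def new_db():
    """Fresh in-memory accounting table."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def acct_start(db, pkt, close_stale=False):
    """Acct-Status-Type = Start. Returns how many stale rows were closed first.

    With close_stale=True every row still open for this User-Name is closed with
    a synthetic terminate cause before the new row is written, so a Start whose
    predecessor's Stop was lost cannot leave a duplicate open session behind."""
    closed = 0
    if close_stale:
        cur = db.execute(
            "UPDATE radacct SET acctstoptime = ?, "
            "acctterminatecause = 'Stale-Session-Replaced' "
            "WHERE username = ? AND acctstoptime IS NULL",
            (pkt["timestamp"], pkt["User-Name"]))
        closed = cur.rowcount
    db.execute(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress, "
        "framedipaddress, acctstarttime) VALUES (?, ?, ?, ?, ?)",
        (pkt["Acct-Session-Id"], pkt["User-Name"], pkt["NAS-IP-Address"],
         pkt.get("Framed-IP-Address"), pkt["timestamp"]))
    return closed


def acct_stop(db, pkt):
    """Acct-Status-Type = Stop. Returns 'updated' or 'orphan'.

    Normal path: update the open row for this session. If nothing matches (Start
    lost over UDP, or delivered elsewhere) the Stop is still recorded so the
    counters survive, but with a NULL start time: the shape seen in the Oracle post."""
    key = (pkt["Acct-Session-Id"], pkt["User-Name"], pkt["NAS-IP-Address"])
    cur = db.execute(
        "UPDATE radacct SET acctstoptime = ?, acctsessiontime = ?, "
        "acctterminatecause = ? WHERE acctsessionid = ? AND username = ? "
        "AND nasipaddress = ? AND acctstoptime IS NULL",
        (pkt["timestamp"], pkt.get("Acct-Session-Time"),
         pkt.get("Acct-Terminate-Cause")) + key)
    if cur.rowcount == 1:
        return "updated"
    db.execute(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress, framedipaddress, "
        "acctstarttime, acctstoptime, acctsessiontime, acctterminatecause) "
        "VALUES (?, ?, ?, ?, NULL, ?, ?, ?)",
        key + (pkt.get("Framed-IP-Address"), pkt["timestamp"],
               pkt.get("Acct-Session-Time"), pkt.get("Acct-Terminate-Cause")))
    return "orphan"


def orphan_stops(db):
    """Session IDs recorded from a Stop only (start NULL, stop set)."""
    return [r[0] for r in db.execute("SELECT acctsessionid FROM radacct "
                                     "WHERE acctstarttime IS NULL AND acctstoptime IS NOT NULL")]


def duplicate_open_users(db):
    """Users with more than one open row: the symptom of a lost Stop."""
    return [r[0] for r in db.execute("SELECT username FROM radacct WHERE acctstoptime IS NULL "
                                     "GROUP BY username HAVING COUNT(*) > 1")]


def open_sessions(db, username):
    return [r[0] for r in db.execute("SELECT acctsessionid FROM radacct WHERE username = ? "
                                     "AND acctstoptime IS NULL ORDER BY radacctid", (username,))]


def demo():
    """Replay one constructed packet sequence without and with the pre-check."""
    user, nas, ip = "60131234567", "203.82.65.1", "10.161.211.5"     # constructed
    s1 = {"Acct-Session-Id": "s1", "User-Name": user, "NAS-IP-Address": nas,
          "Framed-IP-Address": ip, "timestamp": "2005-12-23 18:00:00"}
    s2 = {**s1, "Acct-Session-Id": "s2", "timestamp": "2005-12-23 19:00:00"}
    stray = {**s1, "Acct-Session-Id": "cb5241850008c698",   # Start never seen here
             "Acct-Session-Time": 194, "timestamp": "2005-12-23 19:24:35"}
    s2_stop = {**s2, "Acct-Session-Time": 3600, "timestamp": "2005-12-23 20:00:00"}

    db = new_db()                       # naive: the Stop for s1 is simply lost
    acct_start(db, s1)
    acct_start(db, s2)
    naive = {"stray": acct_stop(db, stray), "orphans": orphan_stops(db),
             "dupes": duplicate_open_users(db)}

    db = new_db()                       # guarded: close stale rows on Start
    acct_start(db, s1)
    guarded = {"closed_on_start": acct_start(db, s2, close_stale=True),
               "open_after_start": open_sessions(db, user)}
    guarded["s2_stop"] = acct_stop(db, s2_stop)
    guarded["open_after_stop"] = open_sessions(db, user)
    guarded["dupes"] = duplicate_open_users(db)
    return naive, guarded


if __name__ == "__main__":
    print(demo())
```

Keying the stale-close on User-Name alone is what makes this work where the NAS reuses one port for every session; it also means a user legitimately connected twice gets the older session closed, which is the trade-off option B already implies. The orphan rows are worth keeping rather than dropping, since they are the only record of octets for sessions whose Start went missing.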
Re: Interaction between accounting data and radutmp
hi alan ::

Thanks, but changing the NAS port is not an option for me :( since I am actually using FreeRADIUS for a streaming project where there are so many NASes around. Based on the FreeRADIUS mailing list, I think I came across a similar posting (I think your reply is there too).

http://lists.freeradius.org/mailman/htdig/freeradius-users/2002-January/004570.html

This guy basically hacks rlm_radutmp to use the session id.

a. Is it possible to use the hack for session id if NAS port is not an option?
b. For a high-performance site, does radutmp perform well?
c. Or the last option is to use an SQL-based session database.

Thanks again!

Regards

On 11/15/05, Alan DeKok [EMAIL PROTECTED] wrote:
> TK Lew [EMAIL PROTECTED] wrote:
> > Ah, that's why, but all the NAS are using the same port!
>
>   Ask your NAS vendor.
>
> > I understand that the session index is based on NAS port. Any chance for it to be based on session id? Is there a patch for it??
>
>   No. That simply won't work. If you're doing session tracking, the server needs port information.
>
>   Alan DeKok.
Interaction between accounting data and radutmp
hi all ::

I have a weird problem. If I am not mistaken, sessions are logged and removed on Accounting-Start and Accounting-Stop, but I have encountered a case where an active session for a particular user has been deleted from the session database without the corresponding accounting Stop packet. I am running FreeRADIUS 1.0.4 on Solaris 9. Is there a problem with radutmp??

My config for radutmp under radiusd.conf ::

===
    radutmp {
        # Where the file is stored. It's not a log file,
        # so it doesn't need rotating.
        #
        filename = ${logdir}/radutmp

        # The field in the packet to key on for the
        # 'user' name. If you have other fields which you want
        # to use to key on to control Simultaneous-Use,
        # then you can use them here.
        #
        # Note, however, that the size of the field in the
        # 'utmp' data structure is small, around 32
        # characters, so that will limit the possible choices
        # of keys.
        #
        # You may want instead: %{Stripped-User-Name:-%{User-Name}}
        username = %{User-Name}

        # Whether or not we want to treat user the same
        # as USER, or User. Some systems have problems
        # with case sensitivity, so this should be set to
        # 'no' to enable the comparisons of the key attribute
        # to be case insensitive.
        #
        case_sensitive = yes

        # Accounting information may be lost, so the user MAY
        # have logged off of the NAS, but we haven't noticed.
        # If so, we can verify this information with the NAS.
        #
        # If we want to believe the 'utmp' file, then this
        # configuration entry can be set to 'no'.
        #
        check_with_nas = no

        # Set the file permissions, as the contents of this file
        # are usually private.
        perm = 0600

        callerid = yes
    }

Thanks!
Re: Interaction between accounting data and radutmp
hi ::

Ah, that's why, but all the NAS are using the same port! I understand that the session index is based on NAS port. Any chance for it to be based on session id? Is there a patch for it??

Thanks again!

On 11/15/05, Alan DeKok [EMAIL PROTECTED] wrote:
> TK Lew [EMAIL PROTECTED] wrote:
> > I have a weird problem. If I am not mistaken sessions are logged and removed on accounting-start and accounting-stop but I have encountered where an active session for a particular user has been deleted from the session database without the corresponding accounting stop packet.
>
>   Most likely because someone else logged in on the same port. Two people can't use the same port at the same time.
>
>   Alan DeKok.
radutmp
hi ::

Can attributes be added to radutmp? What do I need to do if I want the Called-Station-Id attribute to be displayed when running radwho -R?

Thanks for any reply.

Regards
is this possible ?
hi :

I am not sure whether anyone has done this before ::

We have a customer using Steelbelt radius that forwards accounting information to the FreeRADIUS server. We can receive the accounting packets and store them successfully. But the problem is we have another application that will do a mapping from IP address to MSISDN. In order to do the mapping from IP to MSISDN, the application needs to talk to a RADIUS server that has the information (that means the FreeRADIUS that receives the accounting packets). The flow is below ::

    handset -- authenticated successfully -- Steelbelt radius forwards accounting packet to FreeRADIUS, and the application will do a lookup for the MSISDN that matches the IP address before allowing the handset to use the services.

Is this possible?? The application managed to authenticate itself successfully with FreeRADIUS, but I just cannot send the matching MSISDN back to the application. I have tried to use variables such as %{Calling-Station-Id} in the access-reply message, but no value is assigned.

Any help?

Thanks
Users file
Hello,

I have configured my users file to have the following entries ::

    steve   Auth-Type := System
            Calling-Station-ID = calling-station-id

I want FreeRADIUS to reply back with Calling-Station-Id, which is basically the MSISDN, but instead I got "calling-station-id". What is the correct syntax for calling-station-id?

Thanks for all!

TK
Re: listen on freeradius 1.0.1
oh, shoot, stupid oversight on my part...

    #bind_address = *
    #port = 0
    listen {
        ipaddr = 192.168.0.22
        port = 0
        type = auth
    }

works much better... thanks, and sorry

Thank you,
Lew A
GWI Operations

On Tue, 5 Oct 2004, Kevin Bonner wrote:
> On Tuesday 05 October 2004 11:32, Lew A wrote:
> > listen {
> >     bind_address = 192.168.0.22
> >     port = 0
> >     type = auth
> > }
>
> This doesn't look like the example in the default radiusd.conf. Looking at a default radiusd.conf entry, there is no bind_address option. Look at a default radiusd.conf file and see what you're missing.
>
> Kevin Bonner
Re: Ldap and Ldap-Group
    celtadmin authenticated succesfully
    modcall[authenticate]: module ldap returns ok for request 1
    modcall: group Auth-Type returns ok for request 1
    Sending Access-Accept of id 55 to 127.0.0.1:1838
    Finished request 1
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    --- Walking the entire request list ---
    Cleaning up request 1 ID 55 with timestamp 413dd98b
    Nothing to do. Sleeping until we see a request.

Why isn't the xlat stuff seeing the groupname_attribute stuff? Am I missing something? All the documentation I read seems to say that this should be working the way I have it set up.

Thank you,
Lew A
GWI Operations

On Fri, 3 Sep 2004, Lew A wrote:
> Hello,
>
> freeradius-0.9.3_1
> openldap-2.2.6
> freebsd-4.9-p11
>
> For some reason this isn't working. I could have sworn I got it working before doing this. But this is my setup:
>
> radius.conf:
>
>     ldap dialup {
>         server = localhost
>         identity = cn=Manager,dc=gwi,dc=net
>         password =
>         basedn = ou=Users,o=gwi.net,dc=gwi,dc=net
>         filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>         start_tls = no
>         tls_mode = no
>         dictionary_mapping = ${raddbdir}/ldap-dialup.attrmap
>         ldap_connections_number = 5
>         groupname_attribute = gidNumber
>         groupmembership_filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         compare_check_items = no
>     }
>
> users:
>
>     # Setup Auth Attributes
>     DEFAULT Auth-Type = LDAP, Autz-Type = LDAP
>             Fall-Through = Yes
>
>     #Regular POP connection, then check for Static IP/Subnet POP connections
>     DEFAULT Huntgroup-Name == dialup, Autz-Type := DIALUP
>             Fall-Through = Yes
>
>     #Reject mbox accounts
>     DEFAULT Ldap-Group == 27
>             Idle-Timeout = 1,
>             Filter-Id = denied
>
> It hits the first default, hits the second default, but doesn't hit the third default. I've read that groupname_attribute should = cn, but we'd really like to just use gidNumber (that's the group they're in). Here is a log of a user connecting (that should be getting the denied filter-id). For some reason it's completely ignoring my groupname_attribute and groupmembership_filter settings, and just using the defaults.
>
>     rad_recv: Access-Request packet from host 127.0.0.1:4272, id=221, length=61
>         User-Name = celtadmin
>         User-Password = ***
>         NAS-IP-Address = 207.5.128.1
>         NAS-Port = 2
>     modcall: entering group authorize for request 68
>     modcall[authorize]: module preprocess returns ok for request 68
>     rlm_realm: No '@' in User-Name = celtadmin, looking up realm NULL
>     rlm_realm: Found realm NULL
>     rlm_realm: Adding Stripped-User-Name = celtadmin
>     rlm_realm: Proxying request from user celtadmin to realm NULL
>     rlm_realm: Adding Realm = NULL
>     rlm_realm: Authentication realm is LOCAL.
>     modcall[authorize]: module suffix returns noop for request 68
>     users: Matched DEFAULT at 49
>     huntgroups: Matched dialup at 47
>     users: Matched DEFAULT at 57
>     rlm_ldap: Entering ldap_groupcmp()
>     radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
>     radius_xlat: '(uid=celtadmin)'
>     ldap_get_conn: Got Id: 0
>     rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=celtadmin)
>     ldap_release_conn: Release Id: 0
>     radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
>     ldap_get_conn: Got Id: 0
>     rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=25)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
>     rlm_ldap: object not found or got ambiguous search result
>     ldap_release_conn: Release Id: 0
>     rlm_ldap::ldap_groupcmp: Group 25 not found or user is not a member.
>     rlm_ldap: Entering ldap_groupcmp()
>     radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
>     radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
>     ldap_get_conn: Got Id: 0
>     rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=26)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
>     rlm_ldap: object not found or got ambiguous search result
>     ldap_release_conn: Release Id: 0
>     rlm_ldap::ldap_groupcmp: Group 26 not found or user is not a member.
>     rlm_ldap: Entering ldap_groupcmp()
>     radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
>     radius_xlat
Ldap and Ldap-Group
    =celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=28)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
    rlm_ldap: object not found or got ambiguous search result
    ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Group 28 not found or user is not a member.
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
    radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (&(cn=29)(|(&(objectClass=GroupOfNames)(member=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net))))
    rlm_ldap: object not found or got ambiguous search result
    ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Group 29 not found or user is not a member.
    modcall[authorize]: module files returns ok for request 68
    modcall: group authorize returns ok for request 68
    modcall: entering group Autz-Type for request 68
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for celtadmin
    radius_xlat: '(uid=celtadmin)'
    radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=celtadmin)
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user celtadmin authorized to use remote access
    ldap_release_conn: Release Id: 0
    modcall[authorize]: module dialup returns ok for request 68
    modcall: group Autz-Type returns ok for request 68
    rad_check_password: Found Auth-Type LDAP
    auth: type LDAP
    modcall: entering group Auth-Type for request 68
    rlm_ldap: - authenticate
    rlm_ldap: login attempt by celtadmin with password ***
    rlm_ldap: user DN: uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net
    rlm_ldap: (re)connect to localhost:389, authentication 1
    rlm_ldap: bind as uid=celtadmin,ou=Users,o=gwi.net,dc=gwi,dc=net/hucKle to localhost:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: user celtadmin authenticated succesfully
    modcall[authenticate]: module ldap returns ok for request 68
    modcall: group Auth-Type returns ok for request 68
    Sending Access-Accept of id 221 to 127.0.0.1:4272

Thank you,
Lew A
GWI Operations
Re: Rejecting connections
On Fri, 2 Jul 2004, Alan DeKok wrote:
> Lew A [EMAIL PROTECTED] wrote:
> > To do this I had to setup some xlat functions, but we're having a problem. If say we have a customer tester, he doesn't have any static assignments, but he decided to connect to us with a P, it would return a static assignment of 255.255.255.255 (basically a null response from ldap). Which gets the user connected, but they can't do anything (obviously). We're trying to avoid this.
>
>   My suggestion would be to put the users into groups, and reject them if they're not doing the right thing. e.g.
>
>     DEFAULT Prefix == P, Group != allowed_to_use_p, Auth-Type := Reject
>             Reply-Message = Go away

Not sure that'll work. If I have a customer with 1 static ip (P) and a subnet assignment (S), they will be able to connect with P and S, but not Q. We're only using LDAP as the backend database, so I guess I'd have to use Ldap-Group, but that doesn't let me have more than one 'allowed_to_use_X' value. So a customer would only be able to use P or Q or S (exclusively), but not any combination of them (inclusively).

Thank you,
Lew A
GWI Operations.
ldap.attrmap core dump
Hello,

Not a big deal to me, but I was screwing around with the ldap.attrmap, and I removed all but one replyItem (basically because I have a service that we only need one reply from, and the rest of everything can be ignored)... anyways, it core dumped. It works fine with only one checkItem. Let me know if you need anything else.

    ludo# gdb -c radiusd.core
    GNU gdb 4.18 (FreeBSD)
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-unknown-freebsd".
    Core was generated by `radiusd'.
    Program terminated with signal 11, Segmentation fault.
    #0  0x10384843 in ?? ()
    (gdb)

Thank you,
Lew A
GWI Operations

-
A tiger can smile
A snake will say it loves you
Lies make us evil
-
Rejecting connections
Hello,

running FreeRADIUS 0.9.3 w/ LDAP backend on FreeBSD 4.9p9:

I have 4 Autz-Types: LDAP, SNS, POPS, PPPoE

    LDAP       = regular auth
    SNS, POPS  = Dialup
    PPPoE      = DSL

We have it set up and working so if a customer connects with a P, Q or S prefix they will get their static IP assignment. Basically one customer can have up to 2 static assignments (P/Q) and 1 subnet assignment (S).

To do this I had to set up some xlat functions, but we're having a problem. If say we have a customer tester, he doesn't have any static assignments, but he decided to connect to us with a P, it would return a static assignment of 255.255.255.255 (basically a null response from ldap). Which gets the user connected, but they can't do anything (obviously). We're trying to avoid this.

We tried rejecting on Framed-IP-Address == 255.255.255.255 but that didn't work; we also tried rejecting on Framed-IP-Address =~ 255.255.255.255, but no dice.

Is there a better method to be using? Or maybe a better way to have this set up? For cleanliness I'd like to try and avoid having more than 4 modules set up in the radiusd.conf, but if that can't be avoided I'll go that route.

Thanks for any help and insight.

users file:

    # Static IP P Assignment
    DEFAULT Prefix == P
            Framed-IP-Address = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusFramedIPAddressP?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
            Framed-IP-Netmask = 255.255.255.255,
            Idle-Timeout = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusIdleTimeoutP?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
            Framed-Protocol == PPP,
            Fall-Through = Yes

    # Static IP Q Assignment
    DEFAULT Prefix == Q
            Framed-IP-Address = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusFramedIPAddressQ?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
            Framed-IP-Netmask = 255.255.255.255,
            Idle-Timeout = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusIdleTimeoutQ?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
            Framed-Protocol == PPP,
            Fall-Through = Yes

    # Subnet Assignment
    DEFAULT Prefix == S
            Framed-IP-Address = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusFramedIPAddressS?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
            Framed-IP-Netmask = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusFramedIPNetmaskS?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
            Idle-Timeout = `%{ldap:ldap:///ou=Users,o=gwi.net,dc=gwi,dc=net?radiusIdleTimeoutS?sub?uid=%{Stripped-User-Name:-%{User-Name}}}`,
            Framed-Protocol == PPP,
            Fall-Through = Yes

    # Setup Auth Attributes
    DEFAULT Auth-Type = LDAP, Autz-Type = LDAP
            Fall-Through = Yes

    DEFAULT Huntgroup-Name == pops, Autz-Type := POPS
            Reply-Message = Connecting to POPs,
            Fall-Through = Yes

    DEFAULT Huntgroup-Name == sns, Autz-Type := SNS
            Reply-Message = Connecting to SNS,
            Fall-Through = Yes

    DEFAULT Huntgroup-Name == stinger, Autz-Type := PPPoE
            Ascend-PPPoE-Enable = PPPoE-Yes,
            Ascend-Call-Type = 0,
            Service-Type = Framed-user,
            Framed-Protocol = PPP

this is my hints file:

    DEFAULT Prefix == P, Strip-User-Name = Yes
            Hint = PPP,
            Service-Type = Framed-User,
            Framed-Protocol = PPP

    DEFAULT Prefix == Q, Strip-User-Name = Yes
            Hint = PPP,
            Service-Type = Framed-User,
            Framed-Protocol = PPP

    DEFAULT Prefix == S, Strip-User-Name = Yes
            Hint = PPP,
            Service-Type = Framed-User,
            Framed-Protocol = PPP

Thank you,
Lew A
GWI Operations
Reject connect based on Ldap Attributes
I'm trying to set it up so, when a connection comes in from a certain NAS-IP-Address, and the user trying to connect has a specific Ldap Attribute set, they won't be able to connect. I haven't been able to successfully figure out how to do this. I'm using FreeRadius 0.98. It matches default 93, then does ldap stuff, then because it auths with ldap it just returns. Is there a way to get it to go back to users so I can deny based on an ldap attribute?

This is what I have setup:

huntgroup:

    ludo    NAS-IP-Address == 255.255.255.255

users:

    DEFAULT Auth-Type = Ldap                = default 93
            Fall-Through = 1

    DEFAULT Huntgroup-Name == ludo, Test == 28, Auth-Type := Reject
            Reply-Message = woah.

This is a radtest:

    ludo# radtest WWWtstmnky test123 localhost 3 testing123
    Sending Access-Request of id 33 to 127.0.0.1:1812
            User-Name = WWWtstmnky
            User-Password = abc123
            NAS-IP-Address = ludo.gwi.net
            NAS-Port = 3
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=33, length=32
            Test = 28

This is radiusd debugging output:

    rad_recv: Access-Request packet from host 127.0.0.1:4948, id=33, length=62
            User-Name = WWWtstmnky
            User-Password = test123
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 3
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    rlm_realm: No '@' in User-Name = WWWtstmnky, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = WWWtstmnky
    rlm_realm: Proxying request from user WWWtstmnky to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Authentication realm is LOCAL.
    modcall[authorize]: module suffix returns noop for request 0
    users: Matched DEFAULT at 93
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
    radius_xlat: '(uid=WWWtstmnky)'
    ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to localhost:389, authentication 0
    rlm_ldap: bind as cn=Manager,dc=gwi,dc=net/jogging cures the common cold to localhost:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=WWWtstmnky)
    ldap_release_conn: Release Id: 0
    radius_xlat: '(|((objectClass=GroupOfNames)(member=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net))((objectClass=GroupOfUniqueNames)(uniquemember=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter ((cn=true)(|((objectClass=GroupOfNames)(member=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net))((objectClass=GroupOfUniqueNames)(uniquemember=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net
    rlm_ldap: object not found or got ambiguous search result
    ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Group true not found or user is not a member.
    modcall[authorize]: module files returns ok for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for WWWtstmnky
    radius_xlat: '(uid=WWWtstmnky)'
    radius_xlat: 'ou=Users,o=gwi.net,dc=gwi,dc=net'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with filter (uid=WWWtstmnky)
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: Adding gidNumber as Test, value 28 op=11
    rlm_ldap: user WWWtstmnky authorized to use remote access
    ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok for request 0
    modcall: group authorize returns ok for request 0
    rad_check_password: Found Auth-Type Ldap
    auth: type LDAP
    modcall: entering group Auth-Type for request 0
    rlm_ldap: - authenticate
    rlm_ldap: login attempt by WWWtstmnky with password test123
    rlm_ldap: user DN: uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net
    rlm_ldap: (re)connect to localhost:389, authentication 1
    rlm_ldap: bind as uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net/test123 to localhost:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: user WWWtstmnky authenticated succesfully
    modcall[authenticate]: module ldap returns ok for request 0
    modcall: group Auth-Type returns ok for request 0
    Sending Access-Accept of id 33 to 127.0.0.1:4948
            Test = 28
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 33 with timestamp 40d985a6
    Nothing to do.  Sleeping until we see a request.
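A simplified model of how users-file entries are matched top to bottom, added here as an example and not FreeRADIUS's own rlm_files code. It walks the two DEFAULT entries from this post (and also handles Prefix check items like those in the static-IP entries earlier on the page), showing that the Reject entry only applies when a Test attribute is already present in the request the files module evaluates; the huntgroups table and request values are constructed.

```python
# Simplified model of how FreeRADIUS 'users' entries are matched in order.
# Added example, not FreeRADIUS's rlm_files code: it models only Prefix and
# '==' check items, '='/':=' assignments, Huntgroup-Name and Fall-Through.
# Constructed huntgroups table: NAS-IP-Address -> huntgroup names.
HUNTGROUPS = {"255.255.255.255": ["ludo"]}

def check_matches(attr, value, request):
    """Evaluate one '==' check item; a missing request attribute never matches."""
    if attr == "Prefix":
        return request.get("User-Name", "").startswith(value)
    if attr == "Huntgroup-Name":
        return value in HUNTGROUPS.get(request.get("NAS-IP-Address"), [])
    return request.get(attr) == value

def authorize(entries, request):
    """Walk entries top to bottom, honouring Fall-Through. Returns the control
    items set by check-item assignments and the accumulated reply items."""
    control, reply = {}, {}
    for check, items in entries:
        if not all(check_matches(a, v, request)
                   for a, op, v in check if op == "=="):
            continue
        for attr, op, value in check:
            if op == ":=":
                control[attr] = value            # always overwrite
            elif op == "=":
                control.setdefault(attr, value)  # set only if not yet set
        fall_through = False
        for attr, _, value in items:
            if attr == "Fall-Through":
                fall_through = value in ("Yes", "1")
            else:
                reply[attr] = value
        if not fall_through:
            break
    return control, reply

# The two entries from the post above, as (check items, reply items) tuples.
USERS = [
    ([("Auth-Type", "=", "Ldap")], [("Fall-Through", "=", "1")]),
    ([("Huntgroup-Name", "==", "ludo"), ("Test", "==", "28"),
      ("Auth-Type", ":=", "Reject")], [("Reply-Message", "=", "woah.")]),
]

def decide(test_value=None):
    # WWWtstmnky from the 'ludo' NAS; Test is present only if the caller adds it.
    req = {"User-Name": "WWWtstmnky", "NAS-IP-Address": "255.255.255.255"}
    if test_value is not None:
        req["Test"] = test_value
    return authorize(USERS, req)
```

With no Test attribute in the request, as in the debug output where the files module runs before rlm_ldap adds it, `decide()` yields Auth-Type Ldap; with `decide("28")` the second entry matches and overrides it to Reject.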
Ldap Multiple Attributes
Hello,

We're going to be starting to use FreeRadius, converting from the old BSDi Cistron Radius. I have FreeRadius installed on two FreeBSD machines and running fine with ldap as the backend database. We're trying to get away from the users file and use ldap for static IP assignment. This is what we need and what I can't figure out how to do, yet.

We have customers with multiple (5) static IPs. When they connect they will specify which static they want based on the prefix of their name, example:

    Acustomer = 192.168.1.1
    Bcustomer = 192.168.1.2
    Ccustomer = 192.168.1.3
    Dcustomer = 192.168.1.4
    Ccustomer = 192.168.1.5

I'm running into an issue of how to tell FreeRadius that I want to use 'Framed-IP-Address3' if the customer connects with a prefix of C and 'Framed-IP-Address1' if they connect with a prefix of A. Basically I think I need to setup a hint for each prefix and a DEFAULT statement in the users file for each type of static allowed.

Does anyone have any insight on what I need to do, or where I can find documentation for this specific problem?

Thank you,
Lew A
GWI Operations
- A tiger can smile
  A snake will say it loves you
  Lies make us evil -