Re: FreeRADIUS FreeBSD port
On Mon, January 22, 2007 11:28 pm, David Wood wrote:
> This is an rcorder thing - you may find man 8 rcorder and the output of:
> rcorder /etc/rc.d/* /usr/local/etc/rc.d/*
> interesting.
>
> I probably need to add extra entries to the REQUIRE line of
> /usr/local/etc/rc.d/radiusd when some of the optional modules are
> enabled.

Indeed. However the ports should keep this in mind, and set the correct rcorder variables, to ensure they start up correctly. Most ports that depend on a DB that I've come by do take this into account, but unfortunately not all.

> In your case, assuming that the MySQL server runs on the same box,
> adding mysql to the REQUIRE line so that it reads
> # REQUIRE: NETWORKING SERVERS mysql
>
> should do the job. The rcorder command will help you check whether that
> is going to work.

Unfortunately it's not that simple, that addition seems to make rcorder unhappy.

---
rcorder: Circular dependency on provision `DAEMON' in file `/etc/rc.d/rwho'.
...
rcorder: Circular dependency on file `/usr/local/etc/rc.d/radiusd'.
---

> Maybe such an addition needs doing automagically in the port - as well
> as the equivalent for Postgres. It wouldn't help any if the SQL server
> wasn't running on the same box, but I'm not sure that it would do any
> harm either.

Yes, that's how most ports do it, the rc script is dynamically generated depending on config options. I don't believe the lack of a local server would not do any harm either.

> I may need to think further on this one, though it's not as if a manual
> edit to the rc.d script is that difficult.

For a port maintainer that has a good grasp of the port and rcng system, maybe not, but for a user that installs and (rightly) expects the software to start, it's not as trivial.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
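Added example, not part of the original thread or of the FreeBSD port: a small Python check that reads rc.d-style PROVIDE/REQUIRE/BEFORE headers and reports a dependency cycle of the kind rcorder complains about in the message above. The script headers are constructed; only radiusd's REQUIRE line comes from the thread, and the BEFORE: DAEMON line and the mysql-server, LOGIN and DAEMON headers are assumptions showing one way such a cycle can arise.

```python
import re

# Constructed rc.d headers, not copied from a real system. Only radiusd's
# REQUIRE line is from the thread; its BEFORE line and the other three
# scripts' headers are assumptions made for this illustration.
SAMPLE = {
    "/etc/rc.d/DAEMON": "# PROVIDE: DAEMON\n# REQUIRE: NETWORKING SERVERS\n",
    "/etc/rc.d/LOGIN": "# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n",
    "/usr/local/etc/rc.d/mysql-server": "# PROVIDE: mysql\n# REQUIRE: LOGIN\n",
    "/usr/local/etc/rc.d/radiusd": "# PROVIDE: radiusd\n"
                                   "# REQUIRE: NETWORKING SERVERS mysql\n"
                                   "# BEFORE: DAEMON\n",
}
HEADER = re.compile(r"^#[ \t]*(PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$", re.M)

def parse(text):
    """Collect the names listed on PROVIDE, REQUIRE and BEFORE lines."""
    tags = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, value in HEADER.findall(text):
        tags[key].extend(value.split())
    return tags

def build_graph(scripts):
    """Map each script to the set of scripts that must start before it."""
    parsed = {path: parse(text) for path, text in scripts.items()}
    provider = {name: path for path, tags in parsed.items()
                for name in tags["PROVIDE"]}
    deps = {path: set() for path in scripts}
    for path, tags in parsed.items():
        for name in tags["REQUIRE"]:
            if name in provider:  # provisions with no script here are skipped
                deps[path].add(provider[name])
        for name in tags["BEFORE"]:
            if name in provider:  # "BEFORE: X" means X depends on this script
                deps[provider[name]].add(path)
    return deps

def find_cycle(deps):
    """Depth-first search; return one cycle as a list of paths, or None."""
    state, stack = {}, []          # state: 1 = on current path, 2 = finished
    def visit(node):
        state[node] = 1
        stack.append(node)
        for nxt in sorted(deps[node]):
            if state.get(nxt) == 1:
                return stack[stack.index(nxt):] + [nxt]
            if nxt not in state:
                found = visit(nxt)
                if found:
                    return found
        stack.pop()
        state[node] = 2
        return None
    for node in sorted(deps):
        if node not in state:
            found = visit(node)
            if found:
                return found
    return None

if __name__ == "__main__":
    print(" -> ".join(find_cycle(build_graph(SAMPLE)) or ["no cycle"]))
```

With " mysql" removed from the constructed radiusd REQUIRE line the same check finds no cycle, which matches the thread: the ordering only broke once the extra requirement was added.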
Re: FreeRADIUS FreeBSD port
On Sun, January 21, 2007 7:55 pm, David Wood wrote:
> I'm not saying that I've got everything yet, but I think the port is now
> in good shape. If anyone wants to suggest further changes, or audits the
> port and finds any problems, I'm listening. Patches are particularly
> welcome, of course.

Thanks for taking the time to support the port. The only issue I have, and this may very well not be this port's fault, is that when defined to use mysql, the port starts before mysql is ready for it, so it dies, and never effectively starts up by itself. Here is an example of what goes on in the log:

---
Sat Jan 20 23:31:35 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Sat Jan 20 23:31:36 2007 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Sat Jan 20 23:31:36 2007 : Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
Sat Jan 20 23:31:36 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Sat Jan 20 23:31:36 2007 : Error: rlm_sql_mysql: Couldn't connect socket to MySQL server [EMAIL PROTECTED]:radius
Sat Jan 20 23:31:36 2007 : Error: rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/tmp/mysql.sock
Sat Jan 20 23:31:36 2007 : Error: rlm_sql (sql): Failed to connect DB handle #0
Sat Jan 20 23:31:36 2007 : Info: rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
Sat Jan 20 23:31:36 2007 : Error: rlm_sql (sql): generate_sql_clients() returned error
Sat Jan 20 23:31:36 2007 : Error: radiusd.conf[14]: sql: Module instantiation failed.
Sat Jan 20 23:31:36 2007 : Error: radiusd.conf[1798] Unknown module "sql".
Sat Jan 20 23:31:36 2007 : Error: radiusd.conf[1727] Failed to parse authorize section.
Re: Accounts staying online past Session Timeout value
Alan DeKok wrote:
>> Also, sometimes I have users who are getting disconnected and can not
>> reconnect because they are still shown to be online, and I am limiting
>> the sessions to 1. Again, would this be a problem with the NAS/network
>> because freeradius is not receiving the stop packet?
>
> Yes. But "checkrad" should help here.

I have just discovered that the NAS server has its time behind by more than 3 hours, is it possible that this can cause problems? i.e.

(my "correct" time) Tue Nov 28 19:06:54 2006
(their time) Event-Timestamp = "Nov 28 2006 15:48:44 EST"
Re: Accounts staying online past Session Timeout value
Alan DeKok wrote:
>> Also, sometimes I have users who are getting disconnected and can not
>> reconnect because they are still shown to be online, and I am limiting
>> the sessions to 1. Again, would this be a problem with the NAS/network
>> because freeradius is not receiving the stop packet?
>
> Yes. But "checkrad" should help here.

That's what I assumed, but wanted to be sure. I guess I would need to install and configure SNMP for this to be actually useful, not sure if I can do that, but thanks for the advice.
Accounts staying online past Session Timeout value
Hello,

I am having some problems lately with freeradius 1.1.2 + mysql, and users staying online past their session timeout value (4 hours). Can anyone shed some light on the matter? I can not find any problems with the server itself, the loads are low and everything seems to be functioning OK. Would this be a function of the NAS to disconnect the user and send a stop packet or is it up to freeradius?

Also, sometimes I have users who are getting disconnected and can not reconnect because they are still shown to be online, and I am limiting the sessions to 1. Again, would this be a problem with the NAS/network because freeradius is not receiving the stop packet?

This setup has been running for over 80 days without a problem, so it leads me to believe that the problem is not on the radius server, but I would like some second opinions.

Thank You.
Re: Error: Discarding duplicate request
Aleksandar Stojilkovic wrote:
> Hello,
>
> My log is full of this kind of errors:

Owww, my eyes! Please don't post to mailing lists using HTML, and do everyone a favor, get rid of that yellow dot background from your email template.
Re: Called-Station-Id not logged to sql when login fails csid check
Alan DeKok wrote:
> Mike Jakubik <[EMAIL PROTECTED]> wrote:
>> It seems that the Called-Station-Id is not logged to SQL when the login
>> fails the Called-Station-Id check using the rlm_checkval module. Any
>> ideas why that is? It makes troubleshooting impossible.
>
> Do the SQL queries include Called-Station-Id?

Which query would apply to this? I'm using basically the sample sql.conf that comes with freeradius. It's logged just fine if the authentication succeeds.
Called-Station-Id not logged to sql when login fails csid check
Hello,

It seems that the Called-Station-Id is not logged to SQL when the login fails the Called-Station-Id check using the rlm_checkval module. Any ideas why that is? It makes troubleshooting impossible.

Thanks.
Re: How the hell do you use multiple NOT values with rlm_checkval and sql??
Alan DeKok wrote:
> Mike Jakubik <[EMAIL PROTECTED]> wrote:
>> If there is a way to accomplish this outside of SQL, I'm quite open to
>> suggestions. As long as I can refer to the groups which are in SQL.
>> Basically, I need to be able to restrict certain user groups from
>> dialing certain numbers.
>
> Use rlm_passwd to map many dial-in numbers to one dial-in group. Then, do:
>
> DEFAULT SQL-Group == "foo", Dial-in-group == "bar", Auth-Type := Reject
>
> And repeat for the combinations of SQL groups & dial-in groups.

Uhm, in that case can't I just specify called-station-id in the user file? In any case, is SQL-Group a valid attribute? I can't find it in the documentation. I tried a simple:

DEFAULT SQL-Group == "restricted", Called-Station-Id == "number", Auth-Type := Reject

Restarted radius, and dialed "number", nothing happened, I logged in just fine.
Re: How the hell do you use multiple NOT values with rlm_checkval and sql??
Alan DeKok wrote:
> Mike Jakubik <[EMAIL PROTECTED]> wrote:
>> First of all, the above can be accomplished in SQL using the checkval
>> module and the += OP. That's great and dandy until you need to specify
>> numbers that users can NOT dial to. In any case that will not work for
>> me, as I need to do this for each group defined in SQL, not DEFAULT for
>> all users.
>
> So add the group as an additional check item.

It does not work with the != OP.

>>> This doesn't work quite the same in SQL, because the module doesn't
>>> support multiple entries.
>>
>> Yes it does, just not with a logical NOT.
>
> As I said, it's not really supported.
>
>> I installed FreeRadius because it touted SQL support, now I'm finding
>> out the features are limited, which is disappointing.
>
> There are few programs with unlimited features. That being said, I still
> think what you want is doable in FreeRADIUS. Perhaps you could try
> discussing the problem, rather than SQL as a solution. Odds are there's
> more than one way to reach the goal. If you're fixated on SQL, you may
> not see another solution.

If there is a way to accomplish this outside of SQL, I'm quite open to suggestions. As long as I can refer to the groups which are in SQL. Basically, I need to be able to restrict certain user groups from dialing certain numbers.
Re: How the hell do you use multiple NOT values with rlm_checkval and sql??
Alan DeKok wrote:
> Mike Jakubik <[EMAIL PROTECTED]> wrote:
>> Great, now, how the heck do you specify NOT items? I want to specify the
>> numbers that users can NOT dial to. This seems impossible.
>
> And what do you want to do after that? Reject the request? Then
> configure that. In the "users" file, you can do:
>
> DEFAULT Called-Station-Id == "5551212", Auth-Type := Reject

First of all, the above can be accomplished in SQL using the checkval module and the += OP. That's great and dandy until you need to specify numbers that users can NOT dial to. In any case that will not work for me, as I need to do this for each group defined in SQL, not DEFAULT for all users.

> This doesn't work quite the same in SQL, because the module doesn't
> support multiple entries.

Yes it does, just not with a logical NOT. I installed FreeRadius because it touted SQL support, now I'm finding out the features are limited, which is disappointing.
How the hell do you use multiple NOT values with rlm_checkval and sql??
Ok, so after much frustration someone finally pointed out that using multiple values with checkval and sql is possible when using the += OP. Great, now, how the heck do you specify NOT items? I want to specify the numbers that users can NOT dial to. This seems impossible. I have tried regexp, and using the !=, !~ OPS, none of the methods seem to work.

I never knew Radius's configuration would be so frustrating... I'm ready to start pulling my hair out, someone please save my hair!
Re: How to specify multiple values for Called-Station-Id (checkval)
Kostas Kalevras wrote:
>> Well, it does not in my case. Here is the table:
>>
>> +----+------------+-------------------+----+------------+
>> | id | GroupName  | Attribute         | op | Value      |
>> +----+------------+-------------------+----+------------+
>> | 11 | restricted | Called-Station-Id | := | 4166231473 |
>> | 16 | restricted | Called-Station-Id | := | 4166231474 |
>> | 17 | restricted | Called-Station-Id | := | 4166231475 |
>> | 18 | restricted | Called-Station-Id | := | 4168489499 |
>>
>> I dial in to 4168489499 and this is what happens:
>>
>> Fri May 26 10:26:12 2006 : Auth: Invalid user (rlm_checkval: This Called-Station-Id is not allowed for the user): [mikej/xxx] (from client xxx port 1487 cli xxx)
>
> You're using the := operator. That way you'll be overwriting the
> Called-Station-Id value. Use the += operator instead.

Ahh, finally!!! Thanks for that, this seems to do it. Do you by any chance know if there is a way to do a logical NOT on the numbers? I.e. I want to specify that the users can not call a list of specified numbers.
Re: How to specify multiple values for Called-Station-Id (checkval)
Alan DeKok wrote:
> Mike Jakubik <[EMAIL PROTECTED]> wrote:
>> Well, it does not in my case. Here is the table:
>>
>> +----+------------+-------------------+----+------------+
>> | id | GroupName  | Attribute         | op | Value      |
>> +----+------------+-------------------+----+------------+
>> | 11 | restricted | Called-Station-Id | := | 4166231473 |
>> | 16 | restricted | Called-Station-Id | := | 4166231474 |
>
> What you're trying to do is to "OR" the different entries. The SQL
> module doesn't do that, unfortunately. You'll have to have one entry & a
> regular expression for it to work.

Thanks for clarifying that shortcoming. I guess I should just disable the checkval module then and just use regexp.
Re: How to specify multiple values for Called-Station-Id (checkval)
Kostas Kalevras wrote:
> As I said before you should just add more attribute/value pairs. It
> works. What does your radgroupcheck table look like when you add more
> than one number?

Could someone please help me with this? I am stumped, is there a bug in the rlm_checkval module?

---

Well, it does not in my case. Here is the table:

+----+------------+-------------------+----+------------+
| id | GroupName  | Attribute         | op | Value      |
+----+------------+-------------------+----+------------+
| 11 | restricted | Called-Station-Id | := | 4166231473 |
| 16 | restricted | Called-Station-Id | := | 4166231474 |
| 17 | restricted | Called-Station-Id | := | 4166231475 |
| 18 | restricted | Called-Station-Id | := | 4168489499 |

I dial in to 4168489499 and this is what happens:

Fri May 26 10:26:12 2006 : Auth: Invalid user (rlm_checkval: This Called-Station-Id is not allowed for the user): [mikej/xxx] (from client xxx port 1487 cli xxx)
Re: How to specify multiple values for Called-Station-Id (checkval)
Kostas Kalevras wrote:
> As I said before you should just add more attribute/value pairs. It
> works. What does your radgroupcheck table look like when you add more
> than one number?

Well, it does not in my case. Here is the table:

+----+------------+-------------------+----+------------+
| id | GroupName  | Attribute         | op | Value      |
+----+------------+-------------------+----+------------+
| 11 | restricted | Called-Station-Id | := | 4166231473 |
| 16 | restricted | Called-Station-Id | := | 4166231474 |
| 17 | restricted | Called-Station-Id | := | 4166231475 |
| 18 | restricted | Called-Station-Id | := | 4168489499 |

I dial in to 4168489499 and this is what happens:

Fri May 26 10:26:12 2006 : Auth: Invalid user (rlm_checkval: This Called-Station-Id is not allowed for the user): [mikej/xxx] (from client xxx port 1487 cli xxx)
Re: How to specify multiple values for Called-Station-Id (checkval)
Kostas Kalevras wrote:
> On Wed, 24 May 2006, Mike Jakubik wrote:
>> Hello,
>>
>> I am trying to set up group checks for Called-Station-Id in freeradius
>> 1.1.1 and mysql. I have enabled the checkval module in radiusd.conf and
>> set notfound-reject = yes. In my radgroupcheck table when I specify
>> "restricted Called-Station-Id := number", it works fine. However I need
>> to specify more than one number. I have tried the following format;
>> number, number, number and "number, number, number" and "number",
>> "number" but none of those seem to work. Could someone please tell me
>> how this can be accomplished?
>
> You just need to add more attribute/value pairs, one for each number you
> want to allow. You can also use a regular expression if you use the =~
> operator.

I have tried that, but it does not work either. I have also tried using regexp, while it seems to function, it no longer seems to use the checkval module and throws the following notice:

Info: rlm_sql (sql): No matching entry in the database for request from user [user]

But the checkval module shows:

Auth: Invalid user (rlm_checkval: This Called-Station-Id is not allowed for the user)

What's the point of this checkval module if it can only check a single value?
How to specify multiple values for Called-Station-Id (checkval)
Hello,

I am trying to set up group checks for Called-Station-Id in freeradius 1.1.1 and mysql. I have enabled the checkval module in radiusd.conf and set notfound-reject = yes. In my radgroupcheck table when I specify "restricted Called-Station-Id := number", it works fine. However I need to specify more than one number. I have tried the following format; number, number, number and "number, number, number" and "number", "number" but none of those seem to work. Could someone please tell me how this can be accomplished?

Thanks.
Re: Trouble with Freeradius 1.1.1 built with FreeBSD ports on 4.11
Chris Knipe wrote:
> Hi Mark,
>
>> sql: postauth_table = "radpostauth"
>> sql: postauth_query = ""
>> sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>> Bus error
>
> I went through the same thing not too long ago. Compile FreeRadius
> without thread support (--without-threads), and make sure Perl does not
> have threads support either... That solved my issues. It would seem that
> there are *still* threading issues with FreeRadius on FreeBSD...

Maybe on 4.x, which is end of life. Works fine on 6.1.
Re: Restricting logins with Calling-Station-Id in MySQL
Kostas Kalevras wrote:
> On Thu, 18 May 2006, Mike Jakubik wrote:
>> Hello,
>>
>> I need help restricting users based on the number they called. I am
>> using Freeradius 1.1.1 and a MySQL backend. I tried adding
>> Called-Station-Id == "number,number,..." in to radgroupcheck, but it
>> does not seem to be functioning. Could someone shed some light on the
>> problem?
>
> Check the checkval module. You can use a := operator in that case

Are you saying that this can't be done by simply putting in Called-Station-Id in the database, but only with the checkval module? Also, how would one send a message to the users stating that they dialed in to the wrong number?
Re: Restricting logins with Calling-Station-Id in MySQL
Christopher Carver wrote:
> In radgroupcheck set up something like this:
>
> +----+------------+-------------------+----+--------+
> | id | GroupName  | Attribute         | op | Value  |
> +----+------------+-------------------+----+--------+
> | 1  | restricted | Called-Station-ID | == | 111222 |
> | 2  | restricted | Auth-Type         | := | reject |
> +----+------------+-------------------+----+--------+
>
> The thing a lot of people mess up is they don't realize Auth-Type :=
> reject needs to go in radgroupcheck not radgroupreply.

Yes, that's exactly what I've done, except for Called-Station-Id value I used "number,number,number". That seems to give an error. Adding the Auth-Type := Reject results in every login attempt being incorrect.
Re: Restricting logins with Calling-Station-Id in MySQL
Christopher Carver wrote:
> In the users file you could have a line...
>
> DEFAULT Called-Station-ID == 111222, Auth-Type := Reject

As I mentioned, I need to do this in the sql database and for each group. Adding the Called-Station-ID to radgroupcheck results in the following error:

Thu May 18 16:39:13 2006 : Info: rlm_sql (sql): No matching entry in the database for request from user [xxx]
Thu May 18 16:39:13 2006 : Auth: Login incorrect: [xxx/xxx] (from client xxx port 1485 cli xxx)
Restricting logins with Calling-Station-Id in MySQL
Hello,

I need help restricting users based on the number they called. I am using Freeradius 1.1.1 and a MySQL backend. I tried adding Called-Station-Id == "number,number,..." in to radgroupcheck, but it does not seem to be functioning. Could someone shed some light on the problem?

Thanks.