Question on processing delayed proxy packets

2009-12-10 Thread Patric

Greetings all,

Finally getting my system running nice and smoothly :)

I have a scenario I would like some opinions on, something to think about...

Let's say I have server A and server B getting requests from multiple 
sources. They proxy these requests to each other as well. Consider the 
following scenario:


server A gets a start record at 08h00, and proxies it to server B 
immediately, so server A and server B each have an entry with start time 
08h00.


An hour later server A gets an interim update acct_input_octets = 5. The 
proxied packet is delayed due to a network issue.


Another hour later server _B_ gets an interim update acct_input_octets = 
7. It proxies the request and server A is updated immediately, so now 
server A and server B have an entry with start time 08h00 and 
acct_input_octets = 7.


Great, all is right at this point. Then:

The delayed interim update (which has acct_input_octets = 5) from server 
A finally gets through to server B, and server B processes the packet 
using my accounting_update_query query, which is formatted as follows:


accounting_update_query = UPDATE ${acct_table_new} \
   SET \
   framed_ip_address = '%{Framed-IP-Address}', \
   acct_session_time = '%{Acct-Session-Time}', \
   x_ascend_xmit_rate = '%{X-Ascend-Xmit-Rate}', \
   x_ascend_data_rate = '%{X-Ascend-Data-Rate}', \
   acct_input_octets = '%{Acct-Input-Octets}', \
   acct_output_octets = '%{Acct-Output-Octets}', \
   acct_input_gigawords = '%{Acct-Input-Gigawords}', \
   acct_output_gigawords = '%{Acct-Output-Gigawords}' \
   WHERE \
   acct_session_id = '%{Acct-Session-Id}' \
   AND \
   user_name = '%{SQL-User-Name}' \
   AND \
   nas_ip_address = '%{NAS-IP-Address}'

As you can see, the above query will set acct_input_octets = 5 on server 
B, so now server A has acct_input_octets = 7 and server B has 
acct_input_octets = 5.


That's the problem.

The solution I am toying with is the following:

If a db entry exists, and the acct_input_octets in the db entry is more 
than the current packet we are processing, then the packet data is older 
than the db data in the record, so we want to ignore the packet and keep 
the db data. (Obviously we will need to apply the check to 
acct_output_octets and the gigaword fields as well...)


So the very first problem we see is that checking the record before 
processing the new update is going to slow down the entire process. The 
best way I can think to handle this is to check the acct_delay_time 
field, and if it is a very small number we assume the record is fresh. 
If the delay time is more than say 30 minutes, we first do the lookup.


This means that *most* requests won't need to do a lookup first, and only 
the heavily delayed ones are then checked.


I'm not even sure if it is possible to do this in the current setup, or 
if it's possible to do it with a more complex SQL statement, but I would 
appreciate any comments on the idea and any experience others have had 
with this.


Many thanks,
Patric
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Changing the format of a date attribute

2009-12-09 Thread Patric

Hi again all :)

Patric wrote:

Alan DeKok wrote:

Patric wrote:

Is there any way for me to get my FreeRADIUS-Acct-Session-Start-Time
attribute value into that date format?


http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function_from-unixtime 


So now I have the following:

STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', '%M %d %Y %H:%i:%s')

And that converts Dec  8 2009 09:14:14 GMT into 2009-12-08 09:14:14


I have a curious problem trying to format the date field in my MySQL 
statement as shown above.


In my sql/mysql/dialup.conf I have the following:

accounting_start_query_alt = UPDATE ${acct_table_new} \
SET \
acct_start_time = STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', '%M %d %Y %H:%i:%s'), \

...


The problem with the above is that some of those formatting options ('%M 
%d %Y %H:%i:%s') are also defined as one-character variables, so instead 
of formatting the date with those options, it's replacing each with the 
variable value, and when I'm trying to end up with:


2009-12-08 09:14:14

instead I'm ending up with:

2009-12-09 11:0126538264:AutoShapedVC


As you can see the minutes were replaced with the Calling Station ID and 
the seconds were replaced with the Connect-Info...


Is there any way for me to perhaps escape my format string, or some 
other work-around?


Many thanks
Patric


Re: Changing the format of a date attribute

2009-12-09 Thread Patric

Alan DeKok wrote:

On 09-12-09 11:37 AM, Patric wrote:
  

The problem with the above is that some of those formatting options ('%M
%d %Y %H:%i:%s') are also defined as one-character variables, so instead
of formatting the date with those options, it's replacing each with the
variable value, and when I'm trying to end up with:



  Use %% to escape the %.  That should work.  e.g.

' ... %%M %%d %%Y %%H:%%i:%%s'


Thanks, I'll give that a go :)
Patric


Changing the format of a date attribute

2009-12-08 Thread Patric

Hi everyone,

Firstly, thanks Alan for your help with my acct_start_time problem, that 
was exactly what I was after. The only problem that remains for me is 
getting the value into a different format so I can store it in my 
database table.


So I have the following setup currently:

share/dictionary.freeradius:

ATTRIBUTE   FreeRADIUS-Acct-Session-Start-Time  2   date


Then in my preacct section:

  update request {
      FreeRADIUS-Acct-Session-Start-Time = %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
  }


Then I can use %{FreeRADIUS-Acct-Session-Start-Time} which is in the 
date format:


Dec  8 2009 09:14:14 GMT.


The database field I will be writing into is a MySQL DateTime field, 
which is in the format YYYY-MM-DD HH:ii:ss, eg:


2009-12-08 11:27:34


Is there any way for me to get my FreeRADIUS-Acct-Session-Start-Time 
attribute value into that date format?


Any advice would be very much appreciated.
Many thanks,
Patric


Re: Changing the format of a date attribute

2009-12-08 Thread Patric

Alan DeKok wrote:

Patric wrote:

Is there any way for me to get my FreeRADIUS-Acct-Session-Start-Time
attribute value into that date format?


http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function_from-unixtime
You sir are a genius :) It didn't even occur to me to do it in the SQL 
statement...


So now I have the following:

STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', '%M %d %Y %H:%i:%s')

And that converts Dec  8 2009 09:14:14 GMT into 2009-12-08 09:14:14

Thanks so much!
Patric


Re: Possible to add a NAS in any MySQL table?

2009-12-08 Thread Patric

Peter Carlstedt wrote:

Hello everyone,
 
I've been searching the net for answers but haven't been able to find 
any information about how to add a NAS in the MySQL tables instead of 
using the clients.conf file. Is it possible to use one of the tables 
that comes with Freeradius?

If it is possible, is there any HOW to guide for it somewhere?


sql.conf:
-

   # Set to 'yes' to read radius clients from the database ('nas' table)

   # Clients will ONLY be read on server startup.  For performance
   # and security reasons, finding clients via SQL queries CANNOT
   # be done live while the server is running.
   #
   readclients = yes

   # Table to keep radius client info
   nas_table = nas



sql/${database}/dialup.conf:


   nas_query = SELECT id, nasname, shortname, type, secret FROM ${nas_table}



HTH
Patric


Handling proxied accounting updates that have been delayed

2009-12-07 Thread Patric

Hi everyone,

I have an interesting dilemma that I would like to share with the list,
perhaps someone can shed some light on how they handle this kind of thing.

I have 2 freeradius 2.1.7 servers that receive accounting updates from
multiple clients, and proxy these accounting updates to each other.
Sometimes (due to a number of reasons) the proxying is delayed.

When the proxied updates are eventually processed, they are written into 
my account logs mysql table. The acct_start_time is written as the 
current date and time, and the acct_delay_time holds the difference 
between the actual time of the accounting update and now.


As closely as I can tell, this is what I have had happen:

At 08h00 Server A receives a start record. This is put in the detail 
file to go to Server B. This is also written to the local accounting 
table with:


acct_start_time   = 2009-12-04 08:00:00

The proxy is delayed for 2 hours due to a network issue between Server A
and Server B.

At 09h00 Server B receives the next update stating that user 1 has used
7 input octets. This is put in the detail file to go to Server A. This
is also written to the local accounting table with:

acct_start_time   = 2009-12-04 09:00:00
acct_input_octets = 7

This is because the record did not exist so the 
accounting_update_query_alt was called which inserts instead of updating.


At 10h00 Server A and Server B can talk to each other, so Server A sends
its proxied start record to Server B.

The db record on Server B now reflects:

acct_start_time   = 2009-12-04 10:00:00
acct_input_octets = 7
acct_delay_time   = 3600 (delayed 2 hours)

Server B also sends its proxied update to server A, and now server A 
reflects the following:


acct_start_time   = 2009-12-04 08:00:00
acct_input_octets = 7

So what happened is that server A got the start record and created a new 
db entry at 08h00. Server B then got an interim update and since the 
record did not yet exist (proxied start record was delayed), it created 
its own record at 09h00. Proxying then started again, and server B 
received the start record and updated the start time to the current 
time, 10h00.


Now server A says that the session started at 08h00 and server B says 
the session started at 10h00.


This is because the entry already existed on server B, so the alternate 
start query was used, which is currently:


accounting_start_query_alt = UPDATE ${acct_table_new} \
   SET \
   acct_start_time = '%S', \
   acct_delay_time = '%{Acct-Delay-Time}', \
   connect_info = '%{Connect-Info}' \
   WHERE \
   acct_session_id = '%{Acct-Session-Id}' \
   AND \
   user_name = '%{SQL-User-Name}' \
   AND \
   nas_ip_address = '%{NAS-IP-Address}'


Currently my reporting software does not take into account the 
acct_delay time, it just uses acct_start_time and acct_end_time to 
calculate usage etc. So if the above situation occurs over midnight or 
over the end of the month, my 2 servers reflect different daily/monthly 
usage...


What do you guys do with situations such as these? Do you take into 
account the acct_delay_time when reporting? I have been toying with the 
idea of updating the accounting_start_query_alt not to update the 
acct_start_time, so basically if the record already exists then leave 
that as the start time? But as I type it now I realise this will break 
the delay time calculation so there will be no way to calculate the real 
start time...


Any advice or experiences would be much appreciated!
Many thanks
Patric
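The start-time drift described in this post and the counter regression in the 2009-12-10 post at the top of the page are the same failure: proxied packets applied in the order they arrive. As an added example, not code from the thread or from FreeRADIUS, the Python below replays server B's side of both scenarios against an in-memory sqlite3 stand-in for the radacct table, computing acct_start_time the way the preacct xlat in the date-format thread does (%l - Acct-Session-Time - Acct-Delay-Time) and folding the "is the packet older than the row?" check into the UPDATE's WHERE clause; the session id, NAS address, octet counts and arrival times are constructed.

```python
# Added example, not code from the thread or from FreeRADIUS: an in-memory
# sqlite3 stand-in for the MySQL radacct table; packets, times and ids are made up.
import sqlite3
from datetime import datetime, timedelta

GIGA = 2 ** 32  # Acct-*-Gigawords holds the high 32 bits of an octet count
KEY = "acct_session_id = :sid AND user_name = :user AND nas_ip_address = :nas"

SCHEMA = """CREATE TABLE radacct (
  acct_session_id TEXT, user_name TEXT, nas_ip_address TEXT,
  acct_start_time TEXT, acct_delay_time INTEGER, acct_session_time INTEGER,
  acct_input_octets INTEGER, acct_input_gigawords INTEGER,
  acct_output_octets INTEGER, acct_output_gigawords INTEGER,
  PRIMARY KEY (acct_session_id, user_name, nas_ip_address))"""

INSERT_ROW = """INSERT INTO radacct VALUES (:sid, :user, :nas, :start, :delay,
  :session_time, :in_lo, :in_hi, :out_lo, :out_hi)"""

# A Start record only sets the start time and never touches the counters, so a
# Start that arrives after an Interim-Update cannot zero what is already stored.
UPDATE_START = f"""UPDATE radacct SET acct_start_time = :start,
  acct_delay_time = :delay WHERE {KEY}"""

# The "is this packet older than the row?" check folded into the WHERE clause:
# the row is only touched when its stored 64-bit totals do not exceed the
# packet's, so a late packet carrying smaller counters matches nothing.
UPDATE_COUNTERS = f"""UPDATE radacct SET acct_session_time = :session_time,
  acct_input_octets = :in_lo, acct_input_gigawords = :in_hi,
  acct_output_octets = :out_lo, acct_output_gigawords = :out_hi
WHERE {KEY}
  AND acct_input_gigawords * {GIGA} + acct_input_octets <= :in_total
  AND acct_output_gigawords * {GIGA} + acct_output_octets <= :out_total"""


def session_start(received_at, pkt):
    """The preacct xlat from the thread, %l - Acct-Session-Time - Acct-Delay-Time,
    rendered in the YYYY-MM-DD HH:MM:SS form a MySQL DATETIME column accepts."""
    late = pkt.get("Acct-Session-Time", 0) + pkt.get("Acct-Delay-Time", 0)
    return (received_at - timedelta(seconds=late)).strftime("%Y-%m-%d %H:%M:%S")


def params(received_at, pkt):
    """Bind parameters for the queries above, with the 64-bit totals precomputed."""
    in_hi, in_lo = pkt.get("Acct-Input-Gigawords", 0), pkt.get("Acct-Input-Octets", 0)
    out_hi, out_lo = pkt.get("Acct-Output-Gigawords", 0), pkt.get("Acct-Output-Octets", 0)
    return {"sid": pkt["Acct-Session-Id"], "user": pkt["User-Name"],
            "nas": pkt["NAS-IP-Address"], "start": session_start(received_at, pkt),
            "delay": pkt.get("Acct-Delay-Time", 0),
            "session_time": pkt.get("Acct-Session-Time", 0),
            "in_lo": in_lo, "in_hi": in_hi, "in_total": in_hi * GIGA + in_lo,
            "out_lo": out_lo, "out_hi": out_hi, "out_total": out_hi * GIGA + out_lo}


def handle(db, received_at, pkt):
    """Apply one Accounting-Request; returns 'insert', 'update' or 'stale'."""
    p = params(received_at, pkt)
    if pkt["Acct-Status-Type"] == "Start":
        if db.execute(UPDATE_START, p).rowcount:
            return "update"
        db.execute(INSERT_ROW, p)
        return "insert"
    if db.execute(UPDATE_COUNTERS, p).rowcount:  # Interim-Update or Stop
        return "update"
    # Nothing matched: either no row yet (insert one, as the _alt query does)
    # or the packet is behind the row and must be ignored, not inserted twice.
    if db.execute(f"SELECT 1 FROM radacct WHERE {KEY}", p).fetchone():
        return "stale"
    db.execute(INSERT_ROW, p)
    return "insert"


def replay_server_b():
    """Server B's side of one session, packets in the order they reach it."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    base = {"Acct-Session-Id": "S1", "User-Name": "user@patric.com",
            "NAS-IP-Address": "192.0.2.10"}

    def at(hh, mm=0):
        return datetime(2009, 12, 4, hh, mm)

    seen = [
        # 10:00 Interim straight from the NAS (7 octets) arrives before the
        # Start; the row is created with start 10:00 - 7200 s = 08:00, not "now".
        handle(db, at(10), {**base, "Acct-Status-Type": "Interim-Update",
                            "Acct-Session-Time": 7200, "Acct-Input-Octets": 7}),
        # 10:10 the 08:00 Start, stuck in A's detail file, arrives 7800 s late.
        handle(db, at(10, 10), {**base, "Acct-Status-Type": "Start",
                                "Acct-Delay-Time": 7800}),
        # 10:30 the Interim A received at 09:00 (5 octets) arrives 5400 s late;
        # its counters are behind the row, so the guard leaves the row alone.
        handle(db, at(10, 30), {**base, "Acct-Status-Type": "Interim-Update",
                                "Acct-Session-Time": 3600, "Acct-Delay-Time": 5400,
                                "Acct-Input-Octets": 5}),
    ]
    row = db.execute("SELECT acct_start_time, acct_session_time, acct_input_octets "
                     "FROM radacct").fetchone()
    return seen, row  # (['insert', 'update', 'stale'], ('2009-12-04 08:00:00', 7200, 7))
```

Because the check lives in the WHERE clause there is no separate lookup, so the Acct-Delay-Time threshold proposed in the 2009-12-10 post is not needed. Keep in mind that rlm_sql runs the _alt INSERT whenever the UPDATE matches zero rows, which is why handle() distinguishes "no row" from "stale" explicitly before inserting.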


Re: Proxy to multiple servers in FR 2.1.7

2009-11-13 Thread Patric


Ok so sending to server A worked correctly. Now:


Fri Nov 13 09:19:59 2009 : Debug: Waking up in 0.3 seconds.
Fri Nov 13 09:19:59 2009 : Debug: Polling for detail file /var/log/radius/radacct/detail-combined2
Fri Nov 13 09:19:59 2009 : Debug: detail_recv: Renaming /var/log/radius/radacct/detail-combined2 -> /var/log/radius/radacct/detail-combined2.work
detail_recv: Read packet from /var/log/radius/radacct/detail-combined2.work
   User-Name = u...@realm
Fri Nov 13 09:19:59 2009 : Info: server copy-acct-to-server-B {
Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
Fri Nov 13 09:19:59 2009 : Info: [suffix] Looking up realm realm for User-Name = u...@realm
Fri Nov 13 09:19:59 2009 : Info: [suffix] Found realm DEFAULT
Fri Nov 13 09:19:59 2009 : Info: [suffix] Adding Realm = DEFAULT
Fri Nov 13 09:19:59 2009 : Info: [suffix] Proxying request from user user to realm DEFAULT
Fri Nov 13 09:19:59 2009 : Info: [suffix] Preparing to proxy accounting request to realm DEFAULT
Fri Nov 13 09:19:59 2009 : Info: ++[suffix] returns updated
Fri Nov 13 09:19:59 2009 : Info: +- entering group accounting {...}
Fri Nov 13 09:19:59 2009 : Info: ++[ok] returns ok
Fri Nov 13 09:19:59 2009 : Info: } # server copy-acct-to-server-B
Fri Nov 13 09:19:59 2009 : Info:   WARNING: Empty section.  Using default return values.
Sending Accounting-Request of id 121 to ip_address_of_server_A port 1813



You can see from the line above that it is sending this request to 
server A as well. This is where I'm getting stuck :(


Any pointers, suggestions, examples appreciated as always.

Thanks again,
Patric
Craig Campbell wrote:
Re:  Do I need a second site-enable/copy-acct-to-home-server1 file 
that reads from a different detail file?


As far as I can tell (and have done) - Yes, you do.

Cheers,
-craig

- Original Message - From: Patric patri...@gmail.com
To: FreeRadius users mailing list 
freeradius-users@lists.freeradius.org

Sent: Thursday, November 12, 2009 9:50 AM
Subject: Proxy to multiple servers in FR 2.1.7



Hi again all :)

I am attempting to proxy all accounting packets to 2 servers.
In my proxy.conf I am using a default realm.

realm DEFAULT {
acct_pool   = my_acct_failover
nostrip
}

I create a home_server entry for each server, and add them to the 
home_server_pool for that realm:


home_server copy-acct-to-home-server {
}

home_server copy-acct-to-home-server2 {
}

home_server_pool my_acct_failover {
home_server = copy-acct-to-home-server
home_server = copy-acct-to-home-server2
}

If I have site-enable/copy-acct-to-home-server it then appears to 
work in a fail-over method, where it will send to the first server 
until it is not reachable, then it sends to the second server.


Is there a way I can configure this to send to both at once? Do I 
need a second site-enable/copy-acct-to-home-server1 file that reads 
from a different detail file?


I am using the default realm so I don't know how to set up a second 
home_server_pool either...


Any help is much appreciated, I'm going in circles :)
Many thanks
Patric


Re: Proxy to multiple servers in FR 2.1.7

2009-11-13 Thread Patric

Hi Alan,

Thanks for responding,


So now there is already a home_server_pool assigned to the default
realm, but I continue and create a home_server entry for server B


...
  

sites-enabled/copy-acct-to-server-B:
---

server copy-acct-to-home-server {



  Uh... you have TWO virtual servers with the same name.  This isn't
allowed.  And this config isn't the same as what's shown in the debug log.

  Can you explain why you're posting WRONG configurations?  It's not
like we can't notice.

  
Sorry, I didn't clarify properly - I _repeated_ my original 
configuration, this time including the changes I had made.


So right now my entire proxy.conf looks as follows:

proxy server {
   default_fallback = no
}

home_server copy-acct-to-server-A {
   type = acct
   ipaddr = server_A
   port = 1813
   secret = secret
}

home_server copy-acct-to-server-B {
   type = acct
   ipaddr = server_B
   port = 1813
   secret = secret
}

home_server_pool my_acct_failover {
   home_server = copy-acct-to-server-A
}

realm DEFAULT {
   acct_pool   = my_acct_failover
   nostrip
}




detail_recv: Read packet from /var/log/radius/radacct/detail-combined.work
   User-Name = u...@realm
Fri Nov 13 09:19:59 2009 : Info: server copy-acct-to-server-A {
Fri Nov 13 09:19:59 2009 : Info: +- entering group preacct {...}
Fri Nov 13 09:19:59 2009 : Info: [suffix] Looking up realm realm for
User-Name = u...@realm



  Where did this come from?  There's no preacct section in the config
you posted, and there's no suffix module, either.
  
I had attempted to only include relevant sections of my configuration in 
an attempt to keep it short and readable, but perhaps this has confused 
the issue more than helped, my apologies.




You can see from the line above that it is sending this request to
server A as well. This is where I'm getting stuck :(



  Because that's what you told it to do.  Your config is telling it to
proxy BOTH requests to the DEFAULT realm.  And it does so.  The debug
log clearly shows this.

  If you want the requests to be proxied to a DIFFERENT location, you
will need to set the Proxy-To-Realm attribute manually.   i.e.

server a {
  preacct {
update control {
  Proxy-To-Realm := realm for home server A
}
  }
}

  And do the same thing for B.  And configure two realms, too.
  
YES! This is where I'm getting lost :) Maybe I am misunderstanding the 
word realm.
All my requests are for a single realm, eg user@patric.com. This was 
the reason I used the DEFAULT realm... It occurs to me now that 
perhaps in the config file the word realm does not refer to my domain, 
but instead are names I give to servers A and B? Or am I completely off 
track?


Ok, so is it possible for me to create a realm for server A and another 
realm for server B, but both are processing u...@patric.com ? If so 
please could you point me to some docs that might help me understand 
how, clearly I'm missing or not understanding something *bangs head on wall*


Thanks for your patience and time!
Patric


Re: Proxy to multiple servers in FR 2.1.7

2009-11-13 Thread Patric

Hi again,

Alan DeKok wrote:

sites-enabled/copy-acct-to-server-B:
---

server copy-acct-to-home-server {


  Uh... you have TWO virtual servers with the same name.  This isn't
allowed.  And this config isn't the same as what's shown in the debug log.

  Can you explain why you're posting WRONG configurations?  It's not
like we can't notice.
I saw which part you were referring to after I replied. This was an 
error in copying and pasting, my apologies. Amazing how one mis-paste 
can change the entire thing :)


Current configuration, just for clarity on my previous reply:

proxy.conf:
---

proxy server {
  default_fallback = no
}

home_server copy-acct-to-server-A {
  type = acct
  ipaddr = server_A
  port = 1813
  secret = secret
}

home_server copy-acct-to-server-B {
  type = acct
  ipaddr = server_B
  port = 1813
  secret = secret
}

home_server_pool my_acct_failover {
  home_server = copy-acct-to-server-A
}

realm DEFAULT {
  acct_pool   = my_acct_failover
  nostrip
}


sites-enabled/copy-acct-to-server-A:
---

server copy-acct-to-server-A {
   listen {
   type = detail
   filename = ${radacctdir}/detail-combined
   load_factor = 10
   retry_interval = 10
   }
   preacct {
   suffix
   }
   accounting {
  ok
   }
}


sites-enabled/copy-acct-to-server-B:


server copy-acct-to-server-B {
   listen {
   type = detail
   filename = ${radacctdir}/detail-combined2
   load_factor = 10
   retry_interval = 10
   }
   preacct {
   suffix
   }
   accounting {
  ok
   }
}


So yes, I realise that because I am using realm DEFAULT everything is 
matching to server A.

The accounting packet that is coming in will be for u...@patric.com.
Then my question is how do I define realms for server A and server B so 
they both process that packet?


Hope that clarifies a bit.

Thanks
Patric


Re: Proxy to multiple servers in FR 2.1.7 [Solved]

2009-11-13 Thread Patric

Hi once again Alan,

I must apologize for my previous grasping at straws, it was not from 
lack of trying, just lack of knowledge...


I have managed to figure it out thanks to your last comment

Alan DeKok wrote:


If you want the requests to be proxied to a DIFFERENT location, you
will need to set the Proxy-To-Realm attribute manually.   i.e.

server a {
  preacct {
update control {
  Proxy-To-Realm := realm for home server A
}
  }
}

  And do the same thing for B.  And configure two realms, too.


Since you are TELLING it what realm to use you can call your realm what 
you like and you don't need to rely on your domain suffix...
Thanks to all the required fiddling I have a much better understanding 
of the configuration files.


If anyone is stuck with this just drop me a mail, I'll be happy to help :)

Thanks again for your time and assistance Alan & Craig, appreciated as 
always,

Patric


Proxy to multiple servers in FR 2.1.7

2009-11-12 Thread Patric

Hi again all :)

I am attempting to proxy all accounting packets to 2 servers.
In my proxy.conf I am using a default realm.

realm DEFAULT {
acct_pool   = my_acct_failover
nostrip
}

I create a home_server entry for each server, and add them to the 
home_server_pool for that realm:


home_server copy-acct-to-home-server {
}

home_server copy-acct-to-home-server2 {
}

home_server_pool my_acct_failover {
home_server = copy-acct-to-home-server
home_server = copy-acct-to-home-server2
}

If I have site-enable/copy-acct-to-home-server it then appears to work 
in a fail-over method, where it will send to the first server until it 
is not reachable, then it sends to the second server.


Is there a way I can configure this to send to both at once? Do I need a 
second site-enable/copy-acct-to-home-server1 file that reads from a 
different detail file?


I am using the default realm so I don't know how to set up a second 
home_server_pool either...


Any help is much appreciated, I'm going in circles :)
Many thanks
Patric


Send accounting packets to multiple proxy servers

2009-11-11 Thread Patric

Hi all,

FreeRADIUS 2.1.7

I currently have a server A that proxies accounting packets to server B.
I would like server A to proxy those same accounting packets to server C 
as well.


Currently this is my setup:

Server A

clients.conf:
-

client server_B_ip {
ipaddr = server_B_ip
secret = server_B_secret
require_message_authenticator = no
virtual_server = requests_from_server_B
}


sites-enabled/default:
--
...
accounting {
detail
detail-radrelay
}
...
server requests_from_server_B {
authorize {
files
}
preacct {
preprocess
acct_unique
}
accounting {
detail
sql
}
}

So as I understand it, all incoming accounting requests are written to 
the detail and the detail-radrelay files, except if it's from server B, 
in which case it only writes to the detail file so that it is not 
reproxied, correct?


Then I have:

proxy.conf:
---

home_server copy-acct-to-home-server {
type = acct
ipaddr   = server_B_ip
port = 1813
secret   = server_B_secret
response_window  = 10
zombie_period= 20
no_response_fail = yes
}

home_server_pool my_acct_failover {
home_server = copy-acct-to-home-server
}

realm DEFAULT {
acct_pool = my_acct_failover
nostrip
}


sites-enabled/copy-acct-to-home-server:
---

server copy-acct-to-home-server {
listen {
type = detail
filename = ${radacctdir}/detail-combined
load_factor = 10
retry_interval = 10
}
preacct {
suffix
}
accounting {
   ok
}
}


What do I need to add to get the detail-combined entries sent to server 
C as well? Does my proxy.conf need to look like this?:


home_server copy-acct-to-home-server {
type = acct
ipaddr   = server_B_ip
port = 1813
secret   = server_B_secret
response_window  = 10
zombie_period= 20
no_response_fail = yes
}

home_server copy-acct-to-server-C {
type = acct
ipaddr   = server_C_ip
port = 1813
secret   = server_C_secret
response_window  = 10
zombie_period= 20
no_response_fail = yes
}

home_server_pool my_acct_failover {
home_server = copy-acct-to-home-server
home_server = copy-acct-to-server-C
}

realm DEFAULT {
acct_pool = my_acct_failover
nostrip
}


I'm not too sure where to go here, any help would be much appreciated as 
always!


Many thanks,
Patric


Re: No NAS-Port seen warning

2009-10-16 Thread Patric

Robert White wrote:

Hey,

Or can I make rlm_acct_unique look for Quintum-NAS-Port instead of 
just NAS-Port?

Yup, just update modules/acct_unique

HTH
Patric


Question regarding retrying of requests in detail-combined file

2009-10-15 Thread Patric

Hi all  :)

FreeRADIUS 2.1.7
CentOS 5.2

I am not too sure where to start here so I will describe the symptoms 
first:


I have 2 freeradius servers that both receive accounting requests, and 
proxy these requests to each other, as well as log these requests to a 
detail file.
I have noticed now that while server A is processing the detail-combined 
file and proxying the requests to server B, server B will fail to get a 
lock on its detail file, and the request will fail. When this happens it 
is not passing anything back to server A, and server A does not seem to 
be timing out the request, so it stops processing the detail-combined 
file and just sits there.


A bit more in depth, server B is still running FR 1.1.6. I am in the 
process of updating to 2.1.7 but am being delayed due to outdated OS, so 
am moving this lot to a new server. The lock fail is occurring when 
server B tries to get a lock on the detail-combined file, so it is very 
likely that I have had the proxying setup incorrectly here all along, 
but since it is 1.1.6 I do not expect help here...


What I would like to try to figure out is how to get server A (2.1.7) to 
time out a proxy request and retry it...


Any pointers to sections/docs would be great as always,

Thanks a mill!
Patric



Re: Question regarding retrying of requests in detail-combined file

2009-10-15 Thread Patric

Tim Sylvester wrote:

Add this line to the home server configuration of Server A (running 2.1.7):

no_response_fail = yes
  


Hi Tim,

That worked perfectly! Thank you :)

Rejecting request 191 (proxy Id 218) due to lack of any response from home server xxx.xxx.xxx.xxx port 1813
No response configured for request 191.  Will retry in 30 seconds
Finished request 191.
Cleaning up request 191 ID 56389 with timestamp +140
PROXY: Marking home server xxx.xxx.xxx.xxx port 1813 as zombie (it looks like it is dead).
Sending Status-Server of id 46 to xxx.xxx.xxx.xxx port 1813
   Message-Authenticator := 0x
   NAS-Identifier := Status Check. Are you alive?
Waking up in 0.8 seconds.
Waking up in 3.9 seconds.
rad_recv: Access-Accept packet from host xxx.xxx.xxx.xxx port 1813, id=46, length=49



And 30 seconds later the request is retried and succeeds :)
Is there any way for me to decrease the retry delay? In my specific case 
I know why it's failing so retrying sooner should not be a problem.


Also, since both servers are mine, I have setup my virtual server with 
the following parameters. Any suggestions or tweaks would be appreciated :)


home_server copy-acct-to-server-b {
   type = acct
   ipaddr = xxx.xxx.xxx.xxx
   port = 1813
   secret = my_secret
   response_window = 10
   zombie_period = 20
   #revive_interval = 120 (read in the docs that use of this is not recommended?)

   status_check = status-server
   check_interval = 10
   num_answers_to_alive = 1
   no_response_fail = yes
}

Thanks again!
Patric


Small suggestion for FreeRadius debug output

2009-10-15 Thread Patric

Hi again,

Alan I have a very small suggestion, if I may - what about adding a 
timestamp to the debug output?
I am not familiar with C, so don't know how difficult it would be to 
implement though...


I have been going through debug output for the last couple of days now 
attempting to resolve various configuration problems, and while not 
essential, it would be nice to see how much time has elapsed between a 
request and response for example...


Something like this:

[2009-10-15 10:00:00] Sending Accounting-Response of id 0 to xxx.xxx.xxx.xxx port 59807

 Proxy-State = 0x323138
[2009-10-15 10:00:00] Finished request 701.
[2009-10-15 10:00:01] Cleaning up request 701 ID 0 with timestamp +1286
[2009-10-15 10:00:01] Going to the next request
[2009-10-15 10:00:02] Waking up in 0.3 seconds.

Just a thought :)

Thanks for everything!
Patric


Re: Small suggestion for FreeRadius debug output

2009-10-15 Thread Patric

Alan Buxey wrote:

add a small 'x'  ie radiusd -Xx

(this was mentioned on this list a couple of days back)
  

Arg, I'm a dumbass... Sorry I must have missed it :)

Thanks!
Patric


Re: Question regarding retrying of requests in detail-combined file

2009-10-15 Thread Patric

Alan DeKok wrote:

Patric wrote:
  

And 30 seconds later the request is retried and succeeds :)
Is there any way for me to decrease the retry delay? 



  See the retry_interval configuration in the detail listener.
  

Hi Alan,

Would I be correct in my understanding that I add that here:

sites-enabled/copy-acct-to-home-server:
-

server copy-acct-to-home-server {
   listen {
   type = detail
   filename = ${radacctdir}/detail-combined
   load_factor = 10
   retry_interval = 10   -

   }
}


Thank you :)
Patric


Adding vendor specific attributes to dictionary

2009-10-09 Thread Patric

Hi all :)

Hope someone can point me in the right direction once again!

freeradius v 2.1.3

I am attempting to add vendor specific attributes to my dictionary 
without success :(


I was given the following information to add:

Class   Number  Attribute   Value  Type
VENDORATTR  12345   Vendor-Attribute-A  1  string
VENDORATTR  12345   Vendor-Attribute-A  2  string


Now since VENDORATTR is not a freeradius dictionary format I assume this 
comes from a different RADIUS server, which I need to now implement in 
my freeradius dictionary.


I have had a look at the dictionary man page, and see that one can use 
ATTRIBUTE for this, but since the Number is the same for both attributes 
I would assume that I need to define a vendor specific attribute 
encapsulation so that I can list multiple attributes for this vendor, 
but this does not seem to be working for me - This is what I have done:


File dictionary:


$INCLUDE /usr/share/freeradius/dictionary
$INCLUDE /etc/raddb/dictionary.myvendor


File dictionary.myvendor:
-

VENDOR   MyVendor 12345
BEGIN-VENDOR MyVendor
   ATTRIBUTE Vendor-Attribute-A 1 string
   ATTRIBUTE Vendor-Attribute-B 2 string
END-VENDOR   MyVendor


When I attempt to start my freeradius server with this dictionary file 
all I get is the following message to std out:


Errors reading dictionary: dict_init: /etc/raddb/dictionary.myvendor[1]: 
dict_init: /etc/raddb/dictionary.myvendor[1]: dict_init: /etc/


That's it - even in debug mode no other message is printed.

Any pointers would as always be very much appreciated :)

Many thanks and have a great Friday,
Patric


Re: Adding vendor specific attributes to dictionary

2009-10-09 Thread Patric


Ivan Kalik wrote:

...
File dictionary.myvendor:
-

VENDOR   MyVendor 12345
BEGIN-VENDOR MyVendor
ATTRIBUTE Vendor-Attribute-A 1 string
ATTRIBUTE Vendor-Attribute-B 2 string
END-VENDOR   MyVendor



That looks OK.

As always thank you for your reply Ivan :)

I have narrowed the problem down to the number field. The actual number 
I have been given to use is 32768, and the problem seems to be the fact 
that the number is 5 digits long. If I make the number 4 digits long my 
server starts up without complaint.


Any suggestions?

Many thanks,
Patric


Re: Adding vendor specific attributes to dictionary

2009-10-09 Thread Patric


Alan DeKok wrote:

Patric wrote:

I have narrowed the problem down to the number field. The actual number
I have been given to use is 32768,


  Install 2.1.7.

  See doc/ChangeLog

Aaah,

2.1.7 Changelog:

   * Allowed vendor IDs to be be higher than 32767.


Fantastic, upgrading now, thank you once again Alan & Ivan :)

Have a great weekend,
Patric
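As an added example (not FreeRADIUS code and not from the thread), here is a parser for the dictionary.myvendor format posted above that also encodes and decodes a Vendor-Specific attribute on the wire. The vendor ID is a 4-byte field with the high octet zero (RFC 2865), so 32768 fits with room to spare; the check on the value range and the bounds checks in the decoder are assumptions of this example. The dictionary text uses the vendor ID 32768 from the follow-up, and the attribute value is constructed.

```python
"""Parse the dictionary.myvendor file from this thread and encode/decode a
Vendor-Specific attribute (RFC 2865 attribute 26) with it.

Added example, not FreeRADIUS code.  The dictionary text is the one posted
above with the real vendor ID (32768) from the follow-up; the attribute value
is constructed."""
import struct

VENDOR_SPECIFIC = 26           # RFC 2865 Vendor-Specific attribute type
MAX_VENDOR_ID = 0xFFFFFF       # 4-byte field on the wire, high octet must be 0

# Constructed copy of the dictionary posted in the thread, vendor ID 32768.
DICTIONARY_MYVENDOR = """\
VENDOR       MyVendor 32768
BEGIN-VENDOR MyVendor
   ATTRIBUTE Vendor-Attribute-A 1 string
   ATTRIBUTE Vendor-Attribute-B 2 string
END-VENDOR   MyVendor
"""


def parse_dictionary(text):
    """Return ({vendor_name: id}, {(vendor_id, attr_num): (name, type)}).

    Handles the subset used above: VENDOR, BEGIN-VENDOR, ATTRIBUTE, END-VENDOR.
    Anything else raises ValueError naming the offending line.  Attributes
    outside a BEGIN-VENDOR block are keyed with vendor_id None."""
    vendors, attrs, current = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        tok = line.split()
        kw = tok[0].upper()
        try:
            if kw == "VENDOR":
                vid = int(tok[2])
                if not 0 < vid <= MAX_VENDOR_ID:
                    raise ValueError(f"vendor id {vid} does not fit the wire format")
                vendors[tok[1]] = vid
            elif kw == "BEGIN-VENDOR":
                current = vendors[tok[1]]       # KeyError if the VENDOR line is missing
            elif kw == "END-VENDOR":
                current = None
            elif kw == "ATTRIBUTE":
                attrs[(current, int(tok[2]))] = (tok[1], tok[3])
            else:
                raise ValueError(f"unknown keyword {tok[0]}")
        except (IndexError, KeyError, ValueError) as exc:
            raise ValueError(f"dictionary line {lineno}: {exc}") from None
    return vendors, attrs


def encode_vsa(vendor_id, attr_num, value):
    """Build one VSA: type 26 | length | vendor-id (4 bytes) | vendor-type | vendor-length | value."""
    sub = struct.pack("!BB", attr_num, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("VSA exceeds the 255-byte RADIUS attribute limit")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(data, attrs):
    """Parse one VSA and name it through the parsed dictionary.

    Every length is checked against the buffer before it is trusted, so a
    truncated or malformed VSA raises instead of being misread."""
    if len(data) < 8 or data[0] != VENDOR_SPECIFIC or data[1] != len(data):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", data[2:6])[0]
    vtype, vlen = data[6], data[7]
    if vlen < 2 or vlen != len(data) - 6:
        raise ValueError("vendor-length does not match attribute length")
    value = data[8:8 + vlen - 2]
    name = attrs.get((vendor_id, vtype), ("Unknown-Attribute", None))[0]
    return vendor_id, name, value


if __name__ == "__main__":
    vendors, attrs = parse_dictionary(DICTIONARY_MYVENDOR)
    vsa = encode_vsa(vendors["MyVendor"], 1, b"hello")
    print(vsa.hex())                 # 1a0d00008000010768656c6c6f
    print(decode_vsa(vsa, attrs))    # (32768, 'Vendor-Attribute-A', b'hello')
```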


Re: Setting up a virtual server to handle incoming proxied requests

2009-09-28 Thread Patric

Alan DeKok wrote:

Patric wrote:
  

I see I see, so I would only add a listen section if I were listening on
a different interface or port?



  Yes.

  

I think I get the proxying now :) proxy_requests = yes just makes the
server process the detail-combined log right?



  No.  The listen section that references it tells the server to process
it.  The detail module that references it tells the server to write the
data which will be processed later by the listen section.

  

So by not writing to the detail-combined you are effectively disabling
proxying to a specified client.



  No.  By not setting Proxy-To-Realm in the virtual server, you are
telling it to not proxy the requests.
  

Ah ok, thanks for the clarification :)


Setting up a virtual server to handle incoming proxied requests

2009-09-25 Thread Patric

Hi again all :)

I have a primary and secondary server, each of which receive accounting 
requests from multiple NAS servers.

Both my servers proxy these requests to each other to stay in sync.

I would like to setup a virtual server on my secondary to handle the 
incoming proxy requests from the primary.

My secondary is running freeradius 2.1.3

I have read the sites-available/README documentation and have a few 
questions.


First I include my current configuration for your consideration.

radiusd.conf


listen {
   ipaddr = *
   port   = 0   # Use /etc/services for ports
   type   = auth
}

listen {
   ipaddr = *
   port   = 0   # Use /etc/services for ports
   type   = acct
}

proxy_requests  = yes
$INCLUDE proxy.conf
...


clients.conf

Nothing


proxy.conf
--

home_server copy-acct-to-home-server {
   type = acct
   ipaddr = primary_server_ip
   port = 1813
   secret = shared_key
   response_window = 20
   zombie_period = 40
   revive_interval = 120
}

home_server_pool my_acct_failover {
   home_server = copy-acct-to-home-server
}

realm DEFAULT {
   acct_pool = my_acct_failover
   nostrip
}


Currently my clients reside in the nas table in my database.


With the above config I have listen sections for auth and acct.
Do I understand the documentation correctly if I add this to the above 
existing config:



client primary_server {
   ipaddr= primary_server_ip
   secret= shared_secret
   require_message_authenticator = no
   nastype   = other
   virtual_server= requests_from_primary
}


server requests_from_primary {
   listen {
   ipaddr = *
   port   = 0
   type   = acct
   }

   proxy_requests = no   # Can this be done here? If not how would I disable proxying for this virtual server?
                         # Do I just exclude my detail-radrelay in the accounting section?

   # Since this is just processing accounting requests do I still need to define the authorize, authenticate & other sections?

   preacct {
   preprocess
   acct_unique
   }

   accounting {
   detail
   sql
   # detail-radrelay - Exclude this so that these requests are not proxied?
   }
}


I *think* I'm on the right track but would appreciate any pointers :)

Many thanks
Patric


Re: Setting up a virtual server to handle incoming proxied requests

2009-09-25 Thread Patric

Ivan Kalik wrote:

With the above config I have listen sections for auth and acct.
Do I understand the documentation correctly if I add this to the above
existing config:


client primary_server {
ipaddr= primary_server_ip
secret= shared_secret
require_message_authenticator = no
nastype   = other
virtual_server= requests_from_primary
}




OK.
  
Thanks for your response Ivan & Alan, I'm finally starting to understand 
how they fit together :)


I started implementing this but ran into a snag; I'm not sure which is the 
correct way to get around it.


As I mentioned all my clients reside in the nas table of my database, 
and my sql.conf has readclients = yes to load them from there.


When I attempt to define the above client so that I can set the 
virtual_server parameter, I get the following error (obviously...)


rlm_sql (sql): Adding client primary_server_ip (Primary, server=none) 
to clients list

Failed to add duplicate client Primary
rlm_sql (sql): Failed to add client primary_server_ip (Primary) to 
clients list.  Maybe there's a duplicate?

Failed to load clients from SQL.

To resolve this should I now remove the primary server from my nas table 
as I am defining it in the clients.conf ? Or is there a way to leave it 
in the nas table and assign a virtual_server directive to it?


Thanks for the time and patience
Patric


Re: Setting up a virtual server to handle incoming proxied requests

2009-09-25 Thread Patric

Alan DeKok wrote:

Patric wrote:
  

server requests_from_primary {
   listen {
   ipaddr = *
   port   = 0
   type   = acct
   }



  Delete that listen section.  It conflicts with the global one.

  The global one will accept packets on the accounting port, IP *, and
will look up the client.  If the client is the primary, it will run the
requests_from_primary virtual server.
  
I see I see, so I would only add a listen section if I were listening on 
a different interface or port?



   proxy_requests = no   # Can this be done here? If not how would I
disable proxying for this virtual server?



  You don't disable proxying.  You just configure it so that it
doesn't proxy.
  
I think I get the proxying now :) proxy_requests = yes just makes the 
server process the detail-combined log right?
So by not writing to the detail-combined you are effectively disabling 
proxying to a specified client.


Thanks guys!


Re: Setting up a virtual server to handle incoming proxied requests

2009-09-25 Thread Patric

Ivan Kalik wrote:

To resolve this should I now remove the primary server from my nas table
as I am defining it in the clients.conf ?



Yes, pick one.

  

Or is there a way to leave it
in the nas table and assign a virtual_server directive to it?



Yes. In 2.1.7 the schema supports virtual servers but that line is commented
out in nas.sql by default. You can add (and use) the server column.
  


Thanks so much for your help Ivan & Alan, I believe I have it running 
correctly now :D
According to the debug info when I get an accounting request from my 
primary it adds it to the detail file, runs the sql update and returns a 
response - 100% what I was trying to achieve!


Have a great weekend!
Patric


Problem with proxying accounting packets on FR 2.1.3

2009-09-23 Thread Patric

Hi all,

I hope I can explain this clearly and concisely :)

I have 2 freeradius servers:

Primary:   freeradius 1.1.6 (I know, it's old, busy trying to get issues 
resolved so that I can update...)

Secondary: freeradius 2.1.3

I have radrelay proxying accounting packets from the primary to the 
secondary which appears to be working fine.


I am trying to get the secondary to proxy accounting requests to the 
primary as well, but there seems to be some trouble.
It *appears* that the secondary is receiving proxy updates from the 
primary, applying them, and then proxying them back to the primary.


I eventually noticed that the secondary is not adding the 
Client-IP-Address to incoming requests (I found the posts in the archive 
mentioning that this is normal and is no longer done in FR2). So I 
suspect the primary is sending the update to the secondary, the 
secondary is applying it and sending it back instead of stopping there.


My question is: How do I get the secondary to realize it must not send 
the proxied request back again.


I include my secondary config in case I've munged it somewhere. Any 
pointers would be very much appreciated!



Freeradius 2.1.3

radiusd.conf


proxy_requests  = yes
$INCLUDE proxy.conf


proxy.conf
--

proxy server {
   default_fallback = no
}

home_server copy-acct-to-home-server {
   type = acct
   ipaddr = ip_of_primary_server
   port = 1813
   secret = shared_secret
   response_window = 20
   zombie_period = 40
   revive_interval = 120
}

home_server_pool my_acct_failover {
   home_server = copy-acct-to-home-server
}

realm DEFAULT {
   acct_pool   = my_acct_failover
   nostrip
}


sites-enabled/default
-

authorize {
   preprocess
   files
   exec-radauth # custom authorization...
}

authenticate {
}

preacct {
   preprocess
   acct_unique
}

accounting {
   detail
   detail-radrelay
   sql
}

pre-proxy {
}

post-proxy {
}


sites-enabled/copy-acct-to-home-server
--

server copy-acct-to-home-server {
   listen {
   type = detail
   filename = ${radacctdir}/detail-combined
   load_factor = 10
   }

   preacct {
   suffix
   }

   accounting {
  ok
   }
}


I have tried to include all relevant info but please advise if anything 
further is required.


Many many thanks as always
Patric


Re: Problem with proxying accounting packets on FR 2.1.3

2009-09-23 Thread Patric



  Because you're treating the primary as a client just like the others.

  See raddb/sites-available/README.  You can have a *separate* virtual
server on the secondary that handles packets from the primary.
Configure it to log to the detail file, and to *not* proxy the request
at all.

  

Great thanks Alan, I'll give that a bash.

Patric


Re: Radclient PHP

2009-04-02 Thread Patric

AHMED KHIDR wrote:

Hii All ,
 
Please Any one have an idea how to make a PHP code to  run Radclient 
in order to disconnect users ,
 
Thanks


// Pass every variable through escapeshellarg() so a crafted user name or
// address cannot break out of the command line; radclient reads the
// attribute list from stdin.
$Attrs   = 'User-Name="'.$UserName.'", Framed-IP-Address="'.$FramedIP.'", NAS-IP-Address="'.$NASIP.'"';
$Command = 'echo '.escapeshellarg($Attrs).' | radclient -n 1 -r 3 -x '
         .escapeshellarg($RadiusIP).' disconnect '.escapeshellarg($RadiusPassword).' 2>&1';

$CommandResult = shell_exec($Command);

$CommandResult will hold the entire result.

HTH
Patric



Re: Relaying of accounting requests between Freeradius servers

2009-03-18 Thread Patric



a.l.m.bu...@lboro.ac.uk wrote:

I have finally been able to upgrade my secondary freeradius server to
2.1.3 and I must commend everyone on their hard work, the changes are  
great :)



any reason why not 2.1.4 ? :-)
  
2.1.3 was what was available when I downloaded... :) But now that I'm 
onto version 2 it will be much easier to update regularly!
Is my understanding in this correct, that server 1 will send the request  
to server 2, and server 2 will try to send it to server 1 again but will  
fail with a duplication error?



it should refuse/ignore a packet it's seen before..
  


Great, implementing suggestion by Ivan, will see if that solves my 
problem :)


Thanks


Re: Relaying of accounting requests between Freeradius servers

2009-03-18 Thread Patric

Morning :)

t...@kalik.net wrote:

Configure server 2 *not* to proxy requests coming from server 1 back to
it. And server 1 not to proxy requests coming from server 2 back to it.
There is no reason to send them back.

if (NAS-IP-Address != server1) {
 update control {
   Proxy-To-Realm := server1
 }
}
  
I began attempting to implement this (was trying to figure out where to 
put it) when I noticed that the proxied accounting requests sent from 
one server to the other maintain the original NAS-IP-Address, and not 
the freeradius server's IP address. I then thought that I might be able 
to update it in the pre-proxy section, but then it occurred to me that I 
need to preserve the NAS-IP-Address as this is one of the values I need 
to send in a disconnect request :(



Anything else you might be able to suggest?

Many thanks
Patric


Re: Relaying of accounting requests between Freeradius servers

2009-03-18 Thread Patric

Alan DeKok wrote:

Use Client-IP-Address, not NAS-IP-Address.  The Client-IP-Address is
the source address of the RADIUS packet.  NAS-IP-Address is an attribute
inside of the RADIUS packet.  It can have nearly any value, including
127.0.0.1, or 0.0.0.0.
  

Thanks Alan, I will see if I can figure out how to implement this :)


Re: Relaying of accounting requests between Freeradius servers

2009-03-18 Thread Patric

Hi again :)

t...@kalik.net wrote:

Configure server 2 *not* to proxy requests coming from server 1 back to
it. And server 1 not to proxy requests coming from server 2 back to it.
There is no reason to send them back.

if (NAS-IP-Address != server1) {
 update control {
   Proxy-To-Realm := server1
 }
}
  


Ok I think I understand this, please advise if I am on the right track 
or not.


Instead of a realm DEFAULT in my proxy.conf to proxy all requests, I 
instead setup something else like realm PROXYME, and then in my 
pre-proxy section I setup the following


if (Client-IP-Address != other_freeradius_server_ip) {
update control {
  Proxy-To-Realm := PROXYME
}
}

Many thanks
Patric
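To make the difference between the two tests concrete, here is an added Python model (not FreeRADIUS code, not from the thread) of two servers mirroring accounting requests to each other. The IP addresses, the session attributes and the hop bound are constructed. It shows the NAS-IP-Address rule bouncing the packet back and forth until the bound stops it, because the proxied copy keeps the NAS's address, while the Client-IP-Address rule forwards exactly once.

```python
"""Model of two FreeRADIUS servers mirroring accounting to each other, to show
why the pre-proxy rule must test Client-IP-Address rather than NAS-IP-Address.

Added example, not FreeRADIUS code; addresses and session data are constructed.
Only the proxy decision is modelled, not duplicate detection."""

SERVER1_IP, SERVER2_IP, NAS_IP = "10.0.0.1", "10.0.0.2", "192.0.2.10"  # constructed
MAX_HOPS = 10   # safety bound so a looping pair cannot recurse forever here


def rule_nas_ip(server, packet):
    """First attempt from the thread: proxy unless NAS-IP-Address is the peer.

    NAS-IP-Address travels unchanged inside the proxied packet, so it is
    never the peer's address and the rule always says 'proxy'."""
    return packet["attrs"]["NAS-IP-Address"] != server.peer_ip


def rule_client_ip(server, packet):
    """Alan's suggestion: test the packet's source address instead."""
    return packet["Client-IP-Address"] != server.peer_ip


class AcctServer:
    def __init__(self, name, ip, peer_ip, rule):
        self.name, self.ip, self.peer_ip, self.rule = name, ip, peer_ip, rule
        self.peer = None
        self.records = []        # what the sql module would insert/update

    def receive(self, packet, hops):
        """accounting {} section: store the record, then maybe proxy it.

        Returns the number of proxy hops the packet has travelled."""
        self.records.append(dict(packet["attrs"]))
        if not self.rule(self, packet):
            return hops
        if hops >= MAX_HOPS:
            return hops          # abort the ping-pong for the demo
        # The proxied copy keeps all attributes; only the source address changes.
        forwarded = {"Client-IP-Address": self.ip, "attrs": packet["attrs"]}
        return self.peer.receive(forwarded, hops + 1)


def simulate(rule):
    """Deliver one interim update from the NAS to server1 under the given rule."""
    s1 = AcctServer("server1", SERVER1_IP, SERVER2_IP, rule)
    s2 = AcctServer("server2", SERVER2_IP, SERVER1_IP, rule)
    s1.peer, s2.peer = s2, s1
    packet = {"Client-IP-Address": NAS_IP,           # source address of the UDP packet
              "attrs": {"NAS-IP-Address": NAS_IP,    # attribute inside the packet
                        "Acct-Session-Id": "abc123",
                        "Acct-Status-Type": "Interim-Update",
                        "Acct-Input-Octets": 7}}
    hops = s1.receive(packet, 0)
    return {"hops": hops, "server1": len(s1.records), "server2": len(s2.records)}


if __name__ == "__main__":
    print("NAS-IP-Address rule:   ", simulate(rule_nas_ip))     # hops capped at 10
    print("Client-IP-Address rule:", simulate(rule_client_ip))  # one hop, one record each
```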


Relaying of accounting requests between Freeradius servers

2009-03-17 Thread Patric

Greetings list,

I have finally been able to upgrade my secondary freeradius server to 
2.1.3 and I must commend everyone on their hard work, the changes are 
great :)


I am having some trouble but would like to clarify my understanding 
before posting all my problem details in case I have misunderstood 
something.
My question is independent of server or platform version and addresses 
the fundamental mechanics of the relaying process.


I am using a virtual server setup to proxy accounting requests between 2 
servers for mirroring purposes.


As I understand the process server 1 receives an accounting request, 
which it will process according to its accounting section (in my case 
inserted into a table via the sql module).
If successful, it will then proxy the request to server 2, which will 
also process it according to its own accounting section.
Server 2 will then attempt to proxy the request to server 1 as per its 
proxy configuration, but will fail on a duplicate record, which will 
stop duplication from occurring.


Is my understanding in this correct, that server 1 will send the request 
to server 2, and server 2 will try to send it to server 1 again but will 
fail with a duplication error?



Many thanks
Patric


Re: Relaying of accounting requests between Freeradius servers

2009-03-17 Thread Patric

Fantastic Ivan, that's exactly what I was heading towards :)
Let me try this and see if my root problem is resolved!

Thanks

Configure server 2 *not* to proxy requests coming from server 1 back to
it. And server 1 not to proxy requests coming from server 2 back to it.
There is no reason to send them back.

if (NAS-IP-Address != server1) {
 update control {
   Proxy-To-Realm := server1
 }
}

Ivan Kalik
Kalik Informatika ISP
  



Re: How to return Reply-Message when user submitted wrong password

2007-11-08 Thread Patric

Lee Sing Chyun wrote:

Hi,

Is there a way to reply with an intuitive Reply-Message (for e.g., 'Wrong 
Password') when the user tries to authenticate with a wrong password?


My current configuration is using rlm_pap and rlm_sql for authorization 
and authentication. FreeRADIUS version is 1.1.7.


Thanks in advance!

--
Best Regards,
SC


Be careful with this, do you REALLY want to tell a possible attacker 
what they are doing wrong? Also many clients will completely ignore the 
reply message anyway...


HTH
Patric

--

Q: I want to be a sysadmin.  What should I do?

A: Seek professional help.

--
Get a free email address with REAL anti-spam protection.
http://www.bluebottle.com/tag/1



Re: Access-Reject in a php script

2007-10-30 Thread Patric

Alan DeKok wrote:

  Yes, the debug output helped.  It looks like it's an issue with
src/main/exec.c.  The code calling module_authorize() should treat FAIL
the same as REJECT.


Is that src/main/exec.c or src/main/auth.c?

If I look at src/main/auth.c I see the following :

int rad_authenticate(REQUEST *request)
{
...
/* Get the user's authorization information from the database */
autz_redo:
result = module_authorize(autz_type, request);
switch (result) {
case RLM_MODULE_NOOP:
case RLM_MODULE_NOTFOUND:
case RLM_MODULE_OK:
case RLM_MODULE_UPDATED:
break;
case RLM_MODULE_FAIL:
case RLM_MODULE_HANDLED:
return result;
case RLM_MODULE_INVALID:
case RLM_MODULE_REJECT:
case RLM_MODULE_USERLOCK:
default:
...

Is this the code you are referring to? Should RLM_MODULE_FAIL go in with 
the last few that drop into the default case?


So this would fix it :

result = module_authorize(autz_type, request);
switch (result) {
case RLM_MODULE_NOOP:
case RLM_MODULE_NOTFOUND:
case RLM_MODULE_OK:
case RLM_MODULE_UPDATED:
break;
/*case RLM_MODULE_FAIL:*/
case RLM_MODULE_HANDLED:
return result;
case RLM_MODULE_FAIL:
case RLM_MODULE_INVALID:
case RLM_MODULE_REJECT:
case RLM_MODULE_USERLOCK:
default:

Makes sense, because the default case returns a reject...
Alan you are a genius!
Is this even considered a bug? Can we expect this to be changed in the 
future?


Thanks a stack for all the time Alan!



Re: Access-Reject in a php script

2007-10-30 Thread Patric

Alan DeKok wrote:

Is this even considered a bug? Can we expect this to be changed in the
future?


  Yes.


Not sure if you looked at the changes I originally made to rlm_exec.c 
but if you did, I was curious as to whether those changes contradicted 
the FreeRadius RFCs at all? I don't *think* so, but you never know :]




Re: Access-Reject in a php script

2007-10-26 Thread Patric

Alan DeKok wrote:

  There is no need to change the code.

  If your script exits with a non-zero exit code, then the
authentication fails.  If this isn't happening, then something else is
going on, or you're not doing what you're saying you're doing.

  Rather than discuss what you think you're doing, post the debug
output.  This is in the FAQ, README, and INSTALL.  The debug output WILL
tell you what's going on.

  There is no extra magic we have in reading the debug output.  But we
READ IT.

  Alan DeKok.


I am sure that Alan is correct here, otherwise many other users would 
have the same problem. With such a large user base, there *must* be 
other people using php authentication scripts, yet so far only 2 of us 
have battled?!


Something just occurred to me that I don't think I tried before.
What happens if instead of doing an

exit(2);

you do a

return(2);

This way your script will still exit clean, so freeradius won't pick it 
up as a script failure, but hopefully will still get the result?




Re: Access-Reject in a php script

2007-10-26 Thread Patric

manIP wrote:

Hi everyone!

Thank your for your answers...
Alan, Patric is totally right. I've set the reject_delay to 0 and the 
result was the same.
I really don't want to touch to the source code and I am sure we can 
find another way


1) if there is a server timeout, is it assumed to be an Access-Reject (or 
will the user be given access?)


It is not assumed as an access-reject, it is taken as a no-response, 
which is not desirable, but the outcome is the same - The user will be 
denied access.


2) for instance, executing a script from another language which exits 2 
from PHP...I tried it with a sh script and it does not work
3) If I reply with a Session-Timeout := 0...maybe it will have the same 
effect (I know it is not clean but I have no other choice)


I dont think you want to do this. If for example, the client has been 
set to reconnect on disconnect, you will be flooded with connection 
attempts.


4) If the previous solutions do not work, I will probably have to change 
the code...so Patric, I think the name of the file has changed: it is 
rlm_exec.c instead of exec.c. Also, After compiling it, could you give 
some hints to uninstall the previous version and to install the new 
version properly.


Yes the file name is rlm_exec.c

What I did was download the source rpm, install it, make the changes in 
the /usr/src/redhat/BUILD/ directory, change the version in the spec 
file, and build an rpm. This way you can manage your installation much 
better.




Thank you for your comprehension.
Khalid


HTH



Re: Access-Reject in a php script

2007-10-26 Thread Patric

Alan DeKok wrote:

Patric wrote:

Something just occurred to me that I don't think I tried before.
What happens if instead of doing an

exit(2);

you do a

return(2);

This way your script will still exit clean, so freeradius won't pick it
up as a script failure, but hopefully will still get the result?


  No.  If the script succeeds, the output is either a text message, or
RADIUS attributes that go into an Access-Accept.

  If the script fails, the server sends an Access-Reject.

  Stop playing games with PHP and post the output of radiusd -X.  I'll
bet money that the solution is right there in the debug output.


According to the code you are 100% correct :

result = radius_exec_program(inst->program, request,
                             inst->wait, NULL, 0,
                             in, answer);
if (result != 0) {
        radlog(L_ERR, "rlm_exec (%s): External script failed",
               inst->xlat_name);
        return RLM_MODULE_FAIL;
}

For some reason I could not get freeradius to return an access-reject 
before the request timed out, even when I set reject_delay = 0


I think I understand you now, and that is where my problem lay - I 
should have figured out why the reject was not being sent back in time, 
instead of changing the code?


Is that right?



Re: Access-Reject in a php script

2007-10-26 Thread Patric

manIP wrote:

hereunder is the output debug:
rad_recv: Access-Request packet from host x.x.x.x:2658, id=49, length=58
User-Name = xxx
User-Password = xxx
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm xxx for User-Name = xxx
rlm_realm: No such realm 
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
Exec-Program output:
Exec-Program: returned: 2
rlm_exec (myauth): External script failed
  modcall[authorize]: module myauth returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0
Going to the next request


For comparison's sake here is my debug output (running on my modified code):

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:, id=146, 
length=159

Framed-Protocol = PPP
User-Name = xyz
User-Password = 123
NAS-Port-Type = Virtual
NAS-Port = 
NAS-Port-Id = x/x/x/xx.xx
Connect-Info = AutoShaped
Service-Type = Framed-User
NAS-IP-Address = xxx.xxx.xxx.xxx
Proxy-State = 0x313938
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module preprocess returns ok for request 9
  modcall[authorize]: module chap returns noop for request 9
  modcall[authorize]: module mschap returns noop for request 9
rlm_realm: Looking up realm myrealm.com for User-Name = xyz
rlm_realm: No such realm myrealm.com
  modcall[authorize]: module suffix returns noop for request 9
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 9
users: Matched entry DEFAULT at line 54
  modcall[authorize]: module files returns ok for request 9
radius_xlat:  'u:xyz'
radius_xlat:  'p:123'
Exec-Program output:
Exec-Program: returned: 0
rlm_exec (exec-radauth): External script rejected user
  modcall[authorize]: module exec-radauth returns reject for request 9
modcall: leaving group authorize (returns reject) for request 9
Invalid user: [xyz/123] (from client abcd port 123456789)
Sending Access-Reject of id 146 to xxx.xxx.xxx.xxx port 
Proxy-State = 0x313938
Finished request 9
Going to the next request

Obviously my changes make it different...

I would be very interested to find out what we are doing wrong, as I'm 
sure you can imagine I would much rather be running the official version 
of the code!


Thanks for all the time Alan, it is as always much appreciated



Re: Access-Reject in a php script

2007-10-25 Thread Patric

[EMAIL PROTECTED] wrote:

Hi,


   echo "Session-Timeout:=100";
else
   echo "Access-Reject";  //NOT WORKING!!


hmmm, normally/properly you dont send such attributes
back - thats a server job. you should simply exit with
the return code that equals reject. 


alan


That is correct.

I had exactly the same problem and it took me a good while to figure 
out. I am still not certain if what I did was correct as far as how 
freeradius was designed, but it worked perfectly for me (and still is), 
so I am happy with the changes.


I posted them to the list back then, check it out here:

http://lists.cistron.nl/pipermail/freeradius-users/2007-May/063112.html

What I found was that unlike perl and other languages where you can 
return an error code and exit clean, with PHP you have to exit with that 
error code - e.g. exit(2);


But when you exit(2) in PHP, freeradius thinks that the script failed 
and does not respond to the access-request...


HTH
Patric



Re: Access-Reject in a php script

2007-10-25 Thread Patric

Alan DeKok wrote:

Patric wrote:

But when you exit(2) in PHP, freeradius thinks that the script failed
and does not respond to the access-request...


  It delays the Access-Reject.  See the debug output.

  Alan DeKok.



Ah is that what happens! That delay was causing the access requests to time 
out, and it appeared from the NAS point of view that it was getting no 
response...


Thanks Alan



Re: Access-Reject in a php script

2007-10-25 Thread Patric

manIP wrote:

Hi,

I have put exit(2) but as Patric said, freeradius thinks that the script 
failed and does not respond to the access-request. In the client side, 
there is a server time out...I don't know if that server time out is 
assumed as an Access-Reject?


No it does not assume an access-reject - it registers it as no response, 
which is undesirable.


As Alan said : It delays the Access-Reject.  See the debug output.
I tried setting reject_delay = 0 in the radius.conf but that did not help.

Maybe the problem comes from PHP and I could use the UNIX system() 
function to send back the code 2.


I believe that this specific scenario only occurs with PHP as I said 
before, because of the way it sends its status codes (in the exit call).
I don't know how else to do it, which is why I changed the code for my 
use...




Re: LOGs of free radius

2007-10-03 Thread Patric

[EMAIL PROTECTED] wrote:

Hi
  I am doing eap-tls authentication with free radius. I am getting two log files 
which are radius.log and radwatch.log.
 Can anyone tell me how to rotate these log files.
I don't want the radwatch.log also. How can I remove this radwatch.log

Regards
Anoop


This is the log rotation script that was installed with my freeradius 
package, it will rotate all the freeradius files.


Content of /etc/logrotate.d/radiusd :

# You can use this to rotate the /var/log/radius/* files, simply copy
# it to /etc/logrotate.d/radiusd

# There are different detail-rotating strategies you can use.  One is
# to write to a single detail file per IP and use the rotate config
# below.  Another is to write to a daily detail file per IP with:
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
# (or similar) in radiusd.conf, without rotation.  If you go with the
# second technique, you will need another cron job that removes old
# detail files.  You do not need to comment out the below for method #2.
/var/log/radius/radacct/*/detail {
monthly
rotate 4
nocreate
missingok
compress
}

/var/log/radius/checkrad.log {
monthly
rotate 4
create
missingok
compress
}

/var/log/radius/radius.log {
monthly
rotate 4
create
missingok
compress
}

/var/log/radius/radutmp {
monthly
rotate 4
create
compress
missingok
}

/var/log/radius/radwtmp {
monthly
rotate 4
create
compress
missingok
}

/var/log/radius/sqltrace.sql {
monthly
rotate 4
create
compress
missingok
}


HTH
Patric
--

Q: I want to be a sysadmin.  What should I do?

A: Seek professional help.



Will connection attempts from NAS' not in nas table be logged?

2007-09-06 Thread Patric

Hi Guys,

Just a quick question, as per the subject line :

If my freeradius server receives a connection attempt from a NAS not 
listed in the NAS table (as specified in sql.conf : nas_table = nas), 
will that attempt appear in the radius.log, or would such information 
only appear in debug mode?


Many thanks!
Patric

--

Q: I want to be a sysadmin.  What should I do?

A: Seek professional help.



Re: Will connection attempts from NAS' not in nas table be logged?

2007-09-06 Thread Patric

Patric wrote:

Hi Guys,

Just a quick question, as per the subject line :

If my freeradius server receives a connection attempt from a NAS not 
listed in the NAS table (as specified in sql.conf : nas_table = nas), 
will that attempt appear in the radius.log, or would such information 
only appear in debug mode?


Many thanks!
Patric



And then I go and answer my own question after further digging...

radius.log:Thu Sep  6 09:46:55 2007 : Error: Ignoring request from 
unknown client xxx.xxx.xxx.xxx:x


Sorry to have bothered everyone :]

Thanks

--

Q: I want to be a sysadmin.  What should I do?

A: Seek professional help.



Re: UNSUBSCRIBE

2007-06-19 Thread Patric
Florian Reinholz wrote:
 UNSUBSCRIBE
 

No! ;]

-- 

Q: I want to be a sysadmin.  What should I do?

A: Seek professional help.



Re: Including Vendor specific dictionary file

2007-05-25 Thread Patric
[EMAIL PROTECTED] wrote:
 
 Hi,
 
 I have created a vendor specific dictionary file for freeradius.
 This file includes two attributes for our mini switches.
 Is it possible to include this file within the next freeradius release?

AFAIK you can just include it via the {sysconfig path}/raddb/dictionary 
file like this :

$INCLUDE /path/to/custom.dictionary.file

HTH

Patrick



Freeradius pauses before responding when not running in debug mode

2007-05-25 Thread Patric
Hi all,

As per the subject, I have found the following interesting behaviour 
with freeradius 1.1.6

When running the server in normal mode or in debug level 1 mode :

radiusd -y

or

radiusd -y -x (lowercase x)

When sending an access request, the server pauses for a few seconds 
somewhere in the exec part of the authorize section.

When running the server in more verbose debug mode :

radiusd -y -X (uppercase X)

This pause does not occur.

I am using exec to run external authentication, and would have thought 
it was my script causing the pause, but it does not appear when running 
with -X

Anybody else experience something like this?

Thanks
Patrick



FYI : My workaround for freeradius not sending back an Access-Reject on a failed external script

2007-05-25 Thread Patric
Hey guys,

Thought it might interest some of you as to how I worked around the 
problem where freeradius does not return an Access-Reject if my php 
script does not exit successfully (in my case because a user should be 
rejected).

The original code that checks the exit status of the script is this :

src/modules/rlm_exec/rlm_exec.c :

/*
 *  Dispatch an exec method
 */
static int exec_dispatch(void *instance, REQUEST *request)
{
...
if (result != 0) {
        radlog(L_ERR, "rlm_exec (%s): External script failed",
               inst->xlat_name);
        return RLM_MODULE_FAIL;
}
...
return RLM_MODULE_OK;
}

So basically if my script does not return 0, it failed, regardless of 
its exit status.
According to the RLM_MODULE_* definitions :

enum {
        RLM_MODULE_REJECT,      /* 0 - immediately reject the request */
        RLM_MODULE_FAIL,        /* 1 - module failed, don't reply */
        RLM_MODULE_OK,          /* 2 - the module is OK, continue */
        RLM_MODULE_HANDLED,     /* 3 - the module handled the request, so stop. */
        RLM_MODULE_INVALID,     /* 4 - the module considers the request invalid. */
        RLM_MODULE_USERLOCK,    /* 5 - reject the request (user is locked out) */
        RLM_MODULE_NOTFOUND,    /* 6 - user not found */
        RLM_MODULE_NOOP,        /* 7 - module succeeded without doing anything */
        RLM_MODULE_UPDATED,     /* 8 - OK (pairs modified) */
        RLM_MODULE_NUMCODES     /* 9 - How many return codes there are */
};

So if I wanted to authenticate a user I should *actually* be returning 2.
If I wanted to *reject* the user I should be returning 0.

But according to the code above if I return 2 the external script 
failed, and if I return 0, the external script was successful and my 
user is authenticated successfully.

This is how I changed the logic :

I *removed* :
...
if (result != 0) {
        radlog(L_ERR, "rlm_exec (%s): External script failed",
               inst->xlat_name);
        return RLM_MODULE_FAIL;
}
...

And replaced it with :

...
switch (result) {
case 0: // Rejected
return RLM_MODULE_REJECT;
break;
case 1: // Failed
return RLM_MODULE_FAIL;
break;
case 2: // OK
break;
case 3: // Handled
return RLM_MODULE_HANDLED;
break;
case 4: // Invalid
return RLM_MODULE_INVALID;
break;
case 5: // UserLock
return RLM_MODULE_USERLOCK;
break;
case 6: // Not Found
return RLM_MODULE_NOTFOUND;
break;
case 7: // No Op
return RLM_MODULE_NOOP;
break;
case 8: // Updated
return RLM_MODULE_UPDATED;
break;
case 9: // Num Codes
return RLM_MODULE_NUMCODES;
break;
default: // Fail
return RLM_MODULE_FAIL;
break;
}
...

In this way, if the result is 2 (user is OK), the process will drop out 
of the switch statement, and process the original code for handling a 
successful authentication.

Now in my external script I can do :

exit(2); -- User was accepted.

OR

exit(0); -- User was rejected.


I realise that this is a bit of a contradiction for the external script, 
because for a reject it is exiting successfully, and for a successful 
authentication it is in fact failing with exit code 2. BUT in this way I 
can use the codes determined by freeradius in my external script.

I do not think that this is the actual bug that Alan referred to, but it 
was a problem in my case.
The original code is actually correct in that the external script *did* 
fail, but it was ignoring the exit code to determine what action to take.


I believe that the actual bug is that freeradius does not return a reply 
to the authentication request if the status is set to RLM_MODULE_FAIL.
From what I could tell the only time that freeradius replies to a 
request is if the status is RLM_MODULE_OK, or RLM_MODULE_REJECT and 
possibly RLM_MODULE_USERLOCK.


I hope that this is understandable, I have the whole scenario in my head 
but its a bit difficult to verbalise...
Please advise if any of my presumptions or understandings are incorrect, 
as I am happy to learn!

Thanks for all your responses to my questions, Im back on track now!

Patrick

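Added example (Python; not code from the post above or from FreeRADIUS): it models the two exit-status mappings the post contrasts, the unpatched "non-zero means failed" test and the patched switch, together with the reply rule the post describes (OK and REJECT get a reply, FAIL gets none, USERLOCK being the post's "possibly"), and shows an external authentication script written against the patched convention. The script reads its input from the environment variables rlm_exec exports when input_pairs = request (attribute names upper-cased with dashes turned into underscores, so User-Name becomes USER_NAME and User-Password becomes USER_PASSWORD), rather than from argv as in the `program = /path/to/script.php -- %{User-Name} %{Password}` configuration quoted further down this page, where any local user can read the password out of the process list. Since the users file on this page sets DEFAULT Auth-Type = Accept, the exec module is the only thing standing between a request and an Access-Accept, which is why its failure behaviour matters. The credential table, realm names and reply pairs are constructed for the example.

```python
"""Exit-status handling of rlm_exec, modelled after the post above.

Added example; it is not code from the original post or from FreeRADIUS.
"""
import hmac
import os
import sys

# Return codes, numbered as in the RLM_MODULE_* enum quoted in the post.
(RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK, RLM_MODULE_HANDLED,
 RLM_MODULE_INVALID, RLM_MODULE_USERLOCK, RLM_MODULE_NOTFOUND,
 RLM_MODULE_NOOP, RLM_MODULE_UPDATED) = range(9)


def exec_dispatch_original(exit_status):
    """Unpatched 1.1.x logic: any non-zero exit status is a module failure."""
    return RLM_MODULE_OK if exit_status == 0 else RLM_MODULE_FAIL


def exec_dispatch_patched(exit_status):
    """The post's switch: the exit status is the module return code itself;
    anything outside the enum (the switch's default branch) is a failure."""
    if 0 <= exit_status <= RLM_MODULE_UPDATED:
        return exit_status
    return RLM_MODULE_FAIL


def reply_sent(rcode):
    """Reply rule as the post describes it: OK and REJECT produce a reply,
    FAIL produces none (the NAS times out); USERLOCK is the post's 'possibly'."""
    return rcode in (RLM_MODULE_OK, RLM_MODULE_REJECT, RLM_MODULE_USERLOCK)


# Constructed credential table for the example: user -> (password, reply pairs).
# A reply of None marks an account that is locked out.
USERS = {
    "alice@realm.com": ("s3cret", ["Framed-Protocol = PPP",
                                   "Service-Type = Framed-User"]),
    "locked@realm.com": ("hunter2", None),
}


def authenticate(user, password):
    """Decide a request under the patched convention.

    Returns (exit_status, reply_lines): exit 2 (RLM_MODULE_OK) accepts,
    exit 0 (RLM_MODULE_REJECT) rejects, exit 5 (RLM_MODULE_USERLOCK) for a
    locked account. Unknown users and wrong passwords both map to REJECT so
    that a reply is always sent and the script does not reveal which
    usernames exist; the comparison is constant-time for the same reason.
    """
    entry = USERS.get(user)
    if entry is None:
        return RLM_MODULE_REJECT, []
    expected, reply = entry
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return RLM_MODULE_REJECT, []
    if reply is None:
        return RLM_MODULE_USERLOCK, []
    return RLM_MODULE_OK, list(reply)


def main():
    # With input_pairs = request, rlm_exec places the request attributes in
    # the child's environment (User-Name -> USER_NAME, User-Password ->
    # USER_PASSWORD), so nothing secret has to travel through argv.
    user = os.environ.get("USER_NAME", "")
    password = os.environ.get("USER_PASSWORD", "")
    status, reply = authenticate(user, password)
    for line in reply:          # picked up by output_pairs = reply
        print(line)
    sys.exit(status)


if __name__ == "__main__":
    main()
```

Under the unpatched mapping the script's exit(1) for a rejected user becomes RLM_MODULE_FAIL and no reply leaves the server, which is the timeout the NAS maintainer in this thread complained about; under the patched mapping exit(0) is REJECT and a reply goes out. Note that the patched mapping makes exit status 1 an explicit FAIL, and an uncaught Python exception exits with status 1, so an unexpected error in the script reproduces the same silent failure; keep the script's error paths on explicit exit codes.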


Re: Question regarding external script authentication

2007-05-18 Thread Patric
Alan DeKok wrote:
 Patric wrote:
 I just want to clarify, if I set the reject_delay to 0, and in my 
 external script the only thing I do is exit(1);, then freeradius will 
 return a reject response to the NAS?
 
   It will send a reject to the NAS.

Thanks Alan, you're an absolute gem!

Patrick



Re: Question regarding external script authentication

2007-05-18 Thread Patric
Alan DeKok wrote:
 Patric wrote:
 I just want to clarify, if I set the reject_delay to 0, and in my 
 external script the only thing I do is exit(1);, then freeradius will 
 return a reject response to the NAS?
 
   It will send a reject to the NAS.

Sorry if I'm flogging a dead horse here...
I furthered my investigation and found the following interesting results:

After making reject_delay = 0, I ran the freeradius in debug mode on my 
test environment to see what happens, and indeed it does return an 
Access-Reject :

...
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=12, length=95
 User-Name = [EMAIL PROTECTED]
 User-Password = TestUser
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 100
 NAS-Port-Type = Virtual
Exec-Program: /usr/local/freeradius/radauth.php -- u:[EMAIL PROTECTED] 
p:TestUser n:100 t:Virtual
Exec-Program: returned: 1
rlm_exec (exec-radauth): External script failed
Sending Access-Reject of id 12 to 127.0.0.1 port 32770
...

All of the above is spot on!

Now riddle me this:
When I make the same changes to my production server and run it in debug 
mode it does all of the above *except* return the Access-Reject!

...
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1820, id=83, 
length=140
 Framed-Protocol = PPP
 User-Name = [EMAIL PROTECTED]
 User-Password = TestUser
 NAS-Port-Type = Virtual
 NAS-Port = 1010101010
 NAS-Port-Id = x/x/x/xx.xxx
 Connect-Info = AutoShapedVC
 Service-Type = Framed-User
 NAS-IP-Address = xxx.xxx.xxx.xxx
 Proxy-State = 0x323037
Exec-Program: /usr/local/freeradius/radauth.php -- u:[EMAIL PROTECTED] 
p:TestUser n:1010101010 t:Virtual
Exec-Program: returned: 1
rlm_exec (exec-radauth): External script failed
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1820, id=170, 
length=140
...

As you can see it goes onto the next access request. I did let the debug 
run longer, but after a minute there was still no Access-Reject.

Test environment is running :

CentOS release 4.4 (Final)
2.6.16.33-xen_3.0.4.1 #1 SMP Fri Jan 5 10:40:15 EST 2007 i686 i686 i386 
GNU/Linux

radiusd: FreeRADIUS Version 1.1.3, for host i686-pc-linux-gnu, built on 
Oct  5 2006 at 10:52:23


Production environment is running :

Red Hat Enterprise Linux ES release 3 (Taroon Update 8)
2.4.21-40.EL #1 Wed Mar 15 14:30:04 EST 2006 i686 i686 i386 GNU/Linux

radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built 
on Sep 20 2006 at 14:13:13


I have searched through the conf file and docs and googled this but I 
can't find any reason why the server is not returning the Access-Reject

Any ideas?

Thanks again
Patrick



Re: Question regarding external script authentication

2007-05-18 Thread Patric
[EMAIL PROTECTED] wrote:
 you have various other attributes in your real production system - perhaps
 you have matching DEFAULT values (eg in users file) which are aiding the
 access accept?

If that were the case, then wouldn't this eliminate the problem:

My radiusd.conf authorize section contains only this :

authorize {
files
exec-radauth
}

My users file contains only this :

DEFAULT Auth-Type = Accept


If I understand it correctly this would mean that the only 
authentication done is by my script.
I did the above on the production server, but I am still not returning 
an access-reject...

I have now also upgraded freeradius on the production server to 1.1.6, 
also with the same result - no access-reject returned...

I am now at a loss as to where else to look, but I suspect it's some kind 
of config setting. Where? I don't know :[

Thanks guys
Patrick



Re: Question regarding external script authentication

2007-05-18 Thread Patric
As per my ramblings below, I ran the server in debug level 3, and one 
can see that it is the correct DEFAULT entry that it is picking up :

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1820, id=80, 
length=139
 Framed-Protocol = PPP
 User-Name = [EMAIL PROTECTED]
 User-Password = TestUser
 NAS-Port-Type = Virtual
 NAS-Port = 1234567890
 NAS-Port-Id = 1/1/1/1.1
 Connect-Info = AutoShapedVC
 Service-Type = Framed-User
 NAS-IP-Address = xxx.xxx.xxx.xxx
 Proxy-State = 0x3439
Fri May 18 13:39:07 2007 : Debug:   Processing the authorize section of 
radiusd.conf
Fri May 18 13:39:07 2007 : Debug: modcall: entering group authorize for 
request 21
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: calling 
preprocess (rlm_preprocess) for request 21
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: returned from 
preprocess (rlm_preprocess) for request 21
Fri May 18 13:39:07 2007 : Debug:   modcall[authorize]: module 
preprocess returns ok for request 21
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: calling chap 
(rlm_chap) for request 21
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: returned from 
chap (rlm_chap) for request 21
Fri May 18 13:39:07 2007 : Debug:   modcall[authorize]: module chap 
returns noop for request 21
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: calling mschap 
(rlm_mschap) for request 21
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: returned from 
mschap (rlm_mschap) for request 21
Fri May 18 13:39:07 2007 : Debug:   modcall[authorize]: module mschap 
returns noop for request 21
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: calling suffix 
(rlm_realm) for request 21
Fri May 18 13:39:07 2007 : Debug: rlm_realm: Looking up realm 
realm.com for User-Name = [EMAIL PROTECTED]
Fri May 18 13:39:07 2007 : Debug: rlm_realm: No such realm realm.com
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: returned from 
suffix (rlm_realm) for request 21
Fri May 18 13:39:07 2007 : Debug:   modcall[authorize]: module suffix 
returns noop for request 21
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: calling eap 
(rlm_eap) for request 21
Fri May 18 13:39:07 2007 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: returned from 
eap (rlm_eap) for request 21
Fri May 18 13:39:07 2007 : Debug:   modcall[authorize]: module eap 
returns noop for request 21
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: calling files 
(rlm_files) for request 21
*Fri May 18 13:39:07 2007 : Debug: users: Matched entry DEFAULT at 
line 54*
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: returned from 
files (rlm_files) for request 21
Fri May 18 13:39:07 2007 : Debug:   modcall[authorize]: module files 
returns ok for request 21
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: calling 
exec-radauth (rlm_exec) for request 21
Fri May 18 13:39:07 2007 : Debug: radius_xlat:  'u:[EMAIL PROTECTED]'
Fri May 18 13:39:07 2007 : Debug: radius_xlat:  'p:TestUser'
Fri May 18 13:39:07 2007 : Debug: radius_xlat:  'n:1234567890'
Fri May 18 13:39:07 2007 : Debug: radius_xlat:  't:Virtual'
Fri May 18 13:39:07 2007 : Debug: Exec-Program output:
Fri May 18 13:39:07 2007 : Debug: Exec-Program: returned: 1
Fri May 18 13:39:07 2007 : Error: rlm_exec (exec-radauth): External 
script failed
Fri May 18 13:39:07 2007 : Debug:   modsingle[authorize]: returned from 
exec-radauth (rlm_exec) for request 21
Fri May 18 13:39:07 2007 : Debug:   modcall[authorize]: module 
exec-radauth returns fail for request 21
Fri May 18 13:39:07 2007 : Debug: modcall: leaving group authorize 
(returns fail) for request 21
Fri May 18 13:39:07 2007 : Debug: Finished request 21
Fri May 18 13:39:07 2007 : Debug: Going to the next request
Fri May 18 13:39:07 2007 : Debug: --- Walking the entire request list ---
Fri May 18 13:39:07 2007 : Debug: Waking up in 3 seconds...

Line 54 of my users file contains :

DEFAULT Auth-Type = Accept

I don't know if that helps at all, but this one has me well and truly 
stumped... :~[

Patrick

Patric wrote:
 [EMAIL PROTECTED] wrote:
 you have various other attributes in your real production system - perhaps
 you have matching DEFAULT values (eg in users file) which are aiding the
 access accept?
 
 If that were the case, then wouldn't this eliminate the problem:
 
 My radiusd.conf authorize section contains only this :
 
 authorize {
   files
   exec-radauth
 }
 
 My users file contains only this :
 
 DEFAULT Auth-Type = Accept
 
 
 If I understand it correctly this would mean that the only 
 authentication done is by my script.
 I did the above on the production server, but I am still not returning 
 an access-reject...
 
 I have now also upgraded freeradius on the production server to 1.1.6, 
 also with the same result - no access-reject returned...
 
 I am now

Re: Question regarding external script authentication

2007-05-18 Thread Patric
Alan DeKok wrote:
 
   It's a bug in 1.1.x.  It's fixed in 2.0.0
 

Ah great, at least that explains it! I see the latest public release is 
1.1.6, is 2.0.0 available perhaps in the cvs? Would you say it is stable 
enough to run in production yet? If not any ETA?

Otherwise can you suggest any previous version that may not have this 
bug, and is security safe enough to run in a production environment? It 
would seem the 1.1.3 build I have on my test environment does not have 
that bug... *shrugs*

Thanks a stack Alan, you have been a great help!

Patrick



Re: Question regarding external script authentication

2007-05-18 Thread Patric
Alan DeKok wrote:
 
   See the main web page?  It's all there...
Read, and understood :] Out of curiosity I did compile the latest 
snapshot, and I see that it is fixed, and even returns the correct 
status based on what your external script returns (1 - rejected, 4 - 
handled, 5 - invalid, etc...).

Thats fantastic, cant wait till its ready for release!

   It has the bug.

Yes, undoubtedly, but what I meant was the server still returns the 
access-reject...

Well thanks so much, you've helped me clear up and understand a lot more 
  of freeradius!



Re: Question regarding external script authentication

2007-05-18 Thread Patric
Alan DeKok wrote:
 [EMAIL PROTECTED] wrote:
 It seems to be in the news section on all the pages *except* the main one.
 
   Your browser has cached the main page.

Alan you're gonna give us all an inferiority complex if you continue to 
be right all the time! ;]

Cheers



Question regarding external script authentication

2007-05-17 Thread Patric
Hi all,

I am currently using exec to authenticate users through an external script.
When all criteria match I return the correct access-accept pairs and the 
users authenticate successfully.
When the criteria are NOT met, I exit(1) my php script to hand control 
back to the freeradius server.
This seems to be causing authentication requests to time out, as I guess 
I am not sending anything back...

My question is this:

Would it be correct to return Auth-Type=Reject in the cases where I 
want the user to be rejected?

TIA!
Patrick



Re: Question regarding external script authentication

2007-05-17 Thread Patric
Hi Alan,

Thanks for your response.

Alan DeKok wrote:
 
Set reject_delay = 0 in radiusd.conf.

I just want to clarify, if I set the reject_delay to 0, and in my 
external script the only thing I do is exit(1);, then freeradius will 
return a reject response to the NAS? Or will it simply not respond? 
Because the complaint my NAS maintainer has is that he is getting no 
response.

Thanks a stack!
Patrick



Re: Duplicate accounting log entries

2007-04-04 Thread Patric
Hi again,

Thanks a stack for your responses, I have a much better understanding of 
how it works now! Yes I do have the acct_unique_id setup as below, and 
have managed to weed out a lot of the duplication now.

Dennis Skinner wrote:
 No.  Look in the radius.conf for a section that looks like this:
 
 acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address,
 Client-IP-Address, NAS-Port
 }
 
 That creates the second key (the one that doesn't come from the NAS)
 that is based on the first one.  Notice the User-Name is part of the
 mix, hence Alan's question about how they could be the same.

After further investigation with my newly gained knowledge, I have been 
able to find in more detail what the problems are.

In 1 instance, I have 2 accounting starts for the same username at the 
same time, but from 2 DIFFERENT NAS'! Which then results in 2 different 
unique id's, as the client-ip is different...
I have now sent a query to the maintainers of the NAS, as I feel this is 
a valid query, but if anyone could verify for me that this should NOT be 
happening?

My second worry is this. If a dsl user connects multiple times on the 
same line, what is the typical NAS behaviour for accounting?
Does the NAS combine the traffic of all the connections and send that, 
or does it monitor each connection separately?

I am getting duplicate update's for that user from the NAS, where 
everything is identical including the input and output octets, which 
leads me to believe that the traffic is being combined and I actually 
only need 1 of the records.
If I then make my unique_id column unique I will prevent this duplication.

Thanks again guys, as always any input is much appreciated!

Patrick


Re: Duplicate accounting log entries

2007-04-04 Thread Patric
Hi guys,

The NAS maintainer was nice enough to get back to me, and the problem has 
been sorted out. This is what was happening:

Their proxy servers are behind a load sharing device, which is why the 
retransmission of one of the records had a different client_ip_address, 
but both entries came from the same NAS-ip-address.

I have removed the client_ip_address from the unique_id declaration, and 
made the unique_id column unique in my database, so this should solve 
all my problems :]

Thanks so much for your time and help!

Patrick
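Added example (Python; not code from this thread or from FreeRADIUS) for the duplicate-accounting question below and the resolution above: the acct_unique key decides whether a retransmission that reached the server through a second proxy, and therefore carries a different Client-IP-Address, hashes to the same Acct-Unique-Session-Id as the first copy. The packets are constructed. The hashing only reproduces the dependence on the chosen key; the exact string rlm_acct_unique feeds to MD5 and the number of digest bytes it keeps are not reproduced and are assumptions here. record_accounting() is an in-memory stand-in for a table with a unique acct_unique_id column plus the alternate update query mentioned in the question.

```python
"""Acct-Unique-Session-Id as a function of the acct_unique key.

Added example; not code from the thread or from FreeRADIUS.
"""
import hashlib

# Key from the radiusd.conf snippet quoted in the thread.
DEFAULT_KEY = ["User-Name", "Acct-Session-Id", "NAS-IP-Address",
               "Client-IP-Address", "NAS-Port"]
# Key after the fix described in the thread: Client-IP-Address dropped,
# because a retransmission through another proxy changes it while the
# session it describes is the same.
FIXED_KEY = ["User-Name", "Acct-Session-Id", "NAS-IP-Address", "NAS-Port"]


def acct_unique_id(packet, key=DEFAULT_KEY):
    """Hash the values of the key attributes, in key order.

    Assumption: the exact string rlm_acct_unique hashes and the number of
    digest bytes it keeps are not reproduced; what matters here is that the
    id changes if and only if one of the key attributes changes.
    """
    material = ",".join(f"{name}={packet.get(name, '')}" for name in key)
    return hashlib.md5(material.encode()).hexdigest()[:16]


# Constructed packets. Client-IP-Address is not sent by the NAS; the server
# fills it in from the packet's source address, so it differs per proxy.
START = {
    "Acct-Status-Type": "Start",
    "User-Name": "alice@realm.com",
    "Acct-Session-Id": "0000A1B2",
    "NAS-IP-Address": "192.0.2.10",
    "NAS-Port": "1010101010",
    "Client-IP-Address": "198.51.100.1",
    "Acct-Input-Octets": "0",
}
# The same Start retransmitted by the NAS but load-shared to a second proxy.
RETRANSMIT = dict(START, **{"Client-IP-Address": "198.51.100.2"})
# The dialup case from the question: a different user whose NAS reused the
# same Acct-Session-Id. User-Name is in the key, so this must stay distinct.
OTHER_USER = dict(START, **{"User-Name": "bob@realm.com", "NAS-Port": "7"})


def record_accounting(table, packet, key=FIXED_KEY):
    """Insert-or-update keyed on the unique id (a dict stands in for a table
    with a UNIQUE index on acct_unique_id). Returns "insert" or "update"."""
    uid = acct_unique_id(packet, key)
    if uid in table:
        table[uid].update(packet)     # the thread's alternate update query
        return "update"
    table[uid] = dict(packet)
    return "insert"


def replay(packets, key=FIXED_KEY):
    """Feed packets in arrival order; return the actions taken and the
    number of rows left in the table."""
    table = {}
    actions = [record_accounting(table, p, key) for p in packets]
    return actions, len(table)
```

With the default key the retransmission lands as a third row; with Client-IP-Address removed it becomes an update of the existing row, while the other user's packet still inserts because User-Name is part of the key. Making Acct-Session-Id alone unique would have merged those two users, which is the dialup problem described in the question. Dropping Client-IP-Address is only safe when the proxies in front of the server do not rewrite the attributes that remain in the key.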


Duplicate accounting log entries

2007-04-03 Thread Patric
Hi guys,

Hope someone can help, as this has me banging my head on the wall :]

I am getting duplicate updates from my NAS, and I'm trying to figure out 
how to prevent them from being written to my accounting logs table.
I unfortunately have absolutely no control over the NAS, so that's not 
even an option.

What I want to do is make the acct_session_id or acct_unique_id fields 
unique, or even make a composite key of them both, but I have found 
entries in my table where the following happens:

This scenario is with DSL accounts:

I have 3 records for 3 different users all with the same 
acct_session_id. 2 of these records have the same acct_unique_id, and 
the 3rd has a different acct_unique_id. Everything else in the records 
is identical.

If I make a composite key combining the session and unique id's I will 
get rid of 1 of the 2 records that have the same unique id, but I will 
still be sitting with 2 duplicate entries, each with a different unique id.
I then thought to make the acct_session_id unique, which would solve the 
above scenario, but then I came across another problem.

This scenario deals with dialup accounts:

I have 2 records with the same acct_session_id but they are for 2 
different users. Each record has a different acct_unique_id though. So 
if I make a composite key combining the session and unique id's both 
these records will exist, which is correct as they are for 2 different 
users. If I make only the acct_session_id unique to solve the DSL 
problem above, then one of these records wont be inserted, and an update 
will occur instead, as per the alternate accounting query.

Am I missing something? Is there any other way to do this? I do not know 
why I am getting duplicate acct_session_id's from my NAS, but as I said 
there is no way for me to go that route...

Any help or guidance would REALLY be appreciated!

Thanks
Patrick


Re: Duplicate accounting log entries

2007-04-03 Thread Patric
My apologies, a piece of my explanation is not right... please see 
below. Sorry, bit of a complex explanation... :]

Hi guys,

Hope someone can help, as this has me banging my head on the wall :]

I am getting duplicate updates from my NAS, and I'm trying to figure out
how to prevent them from being written to my accounting logs table.
I unfortunately have absolutely no control over the NAS, so that's not
even an option.

What I want to do is make the acct_session_id or acct_unique_id fields
unique, or even make a composite key of them both, but I have found
entries in my table where the following happens:

This scenario is with DSL accounts:

I have 3 records for the SAME user, all with the same
acct_session_id. 2 of these records have the same acct_unique_id, and
the 3rd has a different acct_unique_id. Everything else in the records
is identical.

If I make a composite key combining the session and unique id's I will
get rid of 1 of the 2 records that have the same unique id, but I will
still be sitting with 2 duplicate entries, each with a different unique id.
I then thought to make the acct_session_id unique, which would solve the
above scenario, but then I came across another problem.

This scenario deals with dialup accounts:

I have 2 records with the same acct_session_id but they are for 2
different users. Each record has a different acct_unique_id though. So
if I make a composite key combining the session and unique id's both
these records will exist, which is correct as they are for 2 different
users. If I make only the acct_session_id unique to solve the DSL
problem above, then one of these records wont be inserted, and an update
will occur instead, as per the alternate accounting query.

Am I missing something? Is there any other way to do this? I do not know
why I am getting duplicate acct_session_id's from my NAS, but as I said
there is no way for me to go that route...

Any help or guidance would REALLY be appreciated!

Thanks
Patrick



Re: Duplicate accounting log entries

2007-04-03 Thread Patric
Alan DeKok wrote:
 Your NAS is broken.  Knowing that doesn't help much, but your NAS is
 definitely broken.
 

I suspected as much. Unfortunately it is a huge company whose NAS it is, 
and it is doubtful that they would notice my little squeak from down 
here... :]

 2 of these records have the same acct_unique_id,
 
   How?  The default configuration of the server includes User-Name in
 the unique ID calculation.  So unless you've edited the configuration to
 *remove* that, I don't see how its possible.
Is my understanding correct that the NAS generates the unique ID? 
Because it exists in the detail files that I get from the NAS... In 
which case I dont know if they removed it...


   Post the key for the acct_unique module.  Explain how two different
 User-Names can result in the same key.

I couldn't begin to explain if I tried! lol

I guess I'm going to HAVE to try to get some results from the people that 
control the NAS.

Thanks for your help, much appreciated.

Patrick


Auth Type when running exec script to authenticate

2007-01-24 Thread Patric

Hi all,

Up till now I have been using sql to authenticate, and am trying to change 
to my own script and mysql db.


In radiusd.conf I have :

modules {
   exec exec-radauth {
      wait = yes
      program = "/path/to/script.php -- %{User-Name} %{Password}"
      input_pairs = request
      output_pairs = reply
   }
}

authorize {
   exec-radauth
}

This all works perfectly when I include files in the authorize section 
and place the following in the users file :


DEFAULT Auth-Type = Accept

But if I exclude files from the authorize section I get :

auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user

auth: Failed to validate the user.

Can anyone point me in the right direction with this problem?

radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built 
on Sep 20 2006 at 14:13:13


Thanks in advance
Patric



Setting check pairs in script when using exec

2007-01-24 Thread Patric

Hi guys,

This is my previous mail phrased differently, as after further 
investigation I found what I'm supposed to be asking.


Up till now I have been using sql to authenticate, and am trying to change 
to my own script and mysql db.


In radiusd.conf I have :

modules {
  exec exec-radauth {
     wait = yes
     program = "/path/to/script.php -- %{User-Name} %{Password}"
     input_pairs = request
     output_pairs = reply
  }
}

authorize {
  exec-radauth
}

This all works perfectly when I include files in the authorize section 
and place the following in the users file :


DEFAULT Auth-Type = Accept

But if I exclude files from the authorize section I get :

auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user

auth: Failed to validate the user.

So now I know that I need to set the Auth-Type check pair in my external 
authentication script, but am not sure how to accomplish this.


Can anyone point me in the right direction with this problem?

radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built 
on Sep 20 2006 at 14:13:13


Thanks in advance
Patric



Re: proxy authentication

2006-12-28 Thread Patric

Dubi Lego wrote:

we need also to be notified on any attempt of a user to
authenticate through the RADIUS.

Are you familiar with any solution to do that?

Thanks in advance for your help,

Dubi


You could create a script that logs any authentication attempts to a 
file/table, and execute the script via exec during authentication. I do 
something similar to log failed/unsuccessful login attempts.


HTH
Patric

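An added example serving two posts in this archive: the "Setting check pairs in script when using exec" question above (how an rlm_exec script can set the Auth-Type check item) and the suggestion in the reply just above to log every authentication attempt from a script run via exec. It is not Patric's script and not FreeRADIUS project code. It assumes rlm_exec is configured with wait = yes and input_pairs = request, so request attributes arrive as environment variables named after the attribute, upper-cased with '-' replaced by '_' (User-Name becomes USER_NAME, User-Password becomes USER_PASSWORD); lines the script prints are parsed as "Attribute op value" pairs into the output_pairs list, and exit status 0 means ok while 1 means reject. The name of the check-item list for output_pairs (assumed to be "config" for the 1.x module; confirm against the rlm_exec documentation shipped with your version), the RADAUTH_LOG environment variable, and the inline user table standing in for the MySQL DB are all assumptions of this example.

```python
#!/usr/bin/env python3
"""rlm_exec helper: verify a PAP password, log the attempt, emit a check item.

Added example, not code from the original posts or from FreeRADIUS.
rlm_exec (wait = yes, input_pairs = request) hands every request attribute
to the script as an environment variable named after the attribute, upper-
cased with '-' replaced by '_' (User-Name -> USER_NAME).  Lines the script
prints are parsed as "Attribute op value" pairs and added to the list named
by output_pairs; exit status 0 means ok and 1 means reject.
"""
import hashlib
import hmac
import os
import sys
import time

# Assumed: path of the attempt log; unset means "do not write a file".
AUTH_LOG = os.environ.get("RADAUTH_LOG")


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample credential store standing in for the MySQL table
# mentioned in the thread; built inline so the script runs offline.
USERS = {
    "alice": (b"salt-alice", hash_password("correct horse", b"salt-alice")),
    "bob": (b"salt-bob", hash_password("battery staple", b"salt-bob")),
}
_DUMMY = (b"no-such-user", bytes(32))  # unknown users take the same code path


def verify(user, password):
    """Constant-time compare of the derived hash against the stored one."""
    salt, stored = USERS.get(user, _DUMMY)
    return hmac.compare_digest(hash_password(password, salt), stored)


def audit(user, nas, outcome, log_path=AUTH_LOG):
    """Record one line per attempt, accepted or not, and return it."""
    line = "%s user=%r nas=%s result=%s\n" % (
        time.strftime("%Y-%m-%dT%H:%M:%S"), user, nas, outcome)
    if log_path:
        with open(log_path, "a") as fh:
            fh.write(line)
    return line


def decide(env, log_path=AUTH_LOG):
    """Return (exit_status, stdout_lines) for the request described by env."""
    user = env.get("USER_NAME", "")
    password = env.get("USER_PASSWORD")
    nas = env.get("NAS_IP_ADDRESS", "?")
    if password is None:
        # CHAP, MS-CHAP and EAP carry no cleartext password; this helper
        # only handles PAP, so it refuses rather than accepting blindly.
        audit(user, nas, "reject-no-pap", log_path)
        return 1, []
    if not verify(user, password):
        audit(user, nas, "reject", log_path)
        return 1, []
    audit(user, nas, "accept", log_path)
    # Auth-Type := Accept skips the authenticate section entirely, so it is
    # emitted only after the password has been checked here.  It is a check
    # item: output_pairs must name the check-item list (assumed "config" for
    # the 1.x module) rather than "reply", or radiusd still reports that no
    # Auth-Type was found.
    return 0, ["Auth-Type := Accept"]


def main():
    status, lines = decide(os.environ)
    for line in lines:
        print(line)
    sys.exit(status)


if __name__ == "__main__":
    main()
```

Because the script reads the credentials from the environment rather than from its command line, neither User-Name nor User-Password shows up in the process list, which is the main practical difference from passing %{User-Name} %{Password} as arguments. Keep the log file writable only by the radiusd user, since it records every username tried against the server.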


Re: DEFAULT access-reject Reply-Message

2006-11-30 Thread Patric

Alex M wrote:

Hi,

How can I add default Reply-Message to the situation where Access-Reject 
was sent because of incorrect password?


Are you sure you want to inform the user of the reason they are getting 
rejected? Sounds like a nice way to help a brute-force attacker...?


Also have a look at what Windoze does with Reply-Messages - nothing! It 
dumps them.


HTH
Patric



Re: build rpm packages on centOS

2006-11-14 Thread Patric

Michael Messner wrote:

hey @all,

cp: will not overwrite just-created
`/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README' with
`README'
error: Bad exit status from /var/tmp/rpm-tmp.73012 (%doc)


RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.73012 (%doc)

any ideas?

  


Have you tried compiling the source?
What you will probably find is that make will fail, and will give you a 
more detailed description of where the compile is _actually_ failing.


My suggestion is to try compiling from source. I had a similar problem 
trying to build a php-java-bridge RPM on CentOS a while back.
It turns out the gcc compiler was getting itself in a knot and incorrectly 
reporting duplicate methods. My solution was to use make with the -i 
switch (ignore errors).
If your problem is similar you can get around rpmbuild failing by 
editing the spec file and changing the make statement to make -i.


HTH
Patric


Re: build rpm packages on centOS

2006-11-14 Thread Patric

Michael Messner wrote:

Patric said:



Have you tried compiling the source?


that works!


if I add the -i in the spec file there is no change ... same error!

thanks Mike


So it compiles from source? Ok, what is your rpmbuild command?

Patric


Re: Multiple input_pairs?

2006-11-02 Thread Patric

Alan DeKok wrote:

Patric [EMAIL PROTECTED] wrote:
  

Is it possible to specify multiple input pairs?



  No.

  If you want that functionality, use rlm_perl.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


  

Thanks Alan, will read up on rlm_perl

Patric


rlm_exec documentation

2006-11-01 Thread Patric

Hi guys,

I'm busy trying to figure out how to implement rlm_exec, and am really 
battling to find documentation to this end.
Can anybody point me in the right direction? I don't mind doing the 
legwork myself, but I'm getting nowhere fast...


I am using freeradius 1.1.3

Thanks a stack!
Patric


Re: rlm_exec documentation

2006-11-01 Thread Patric

Patric wrote:

Hi guys,

I'm busy trying to figure out how to implement rlm_exec, and am really 
battling to find documentation to this end.
Can anybody point me in the right direction? I don't mind doing the 
legwork myself, but I'm getting nowhere fast...


I am using freeradius 1.1.3

Thanks a stack!
Patric



As per Murphy, I found what I was looking for just after sending this off...
Still a bit sketchy on the details, but I will read up a bit more before 
posting again.


Thanks!
Patric


Multiple input_pairs?

2006-11-01 Thread Patric

Hi,

Is it possible to specify multiple input pairs?
EG:

exec {
wait = yes
input_pairs = request,config
shell_escape = yes
output = none
}

If it is possible would the above syntax be correct?
TIA
Patric
