Code fix for next release

2008-06-22 Thread Tuc at T-B-O-H.NET
Hi,

Can Bug 517 (Patch for radwho to correct time output and IP
address output) be included in the next release? I've used the supplied
patch and find it works quite well. Would be nice not to have to repatch
on the next release.

Thanks, Tuc



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Kicking off billing script in accounting block

2008-06-22 Thread Tuc at T-B-O-H.NET
 
   Submit a *useful* patch, and it will go in.  Until then, please
 continue to profit from a project that sucks.  A project to which
 you've contributed nothing.  The sheer hypocrisy of that position should
 be evident to everyone.
 
So does this mean that bug 517, which includes code which looks
reasonable, and has been tested in my setup (For what that's worth) submitted
on Feb 8, 2008... And missed the 2.0.2 version (Not sure when freeze was
for that, since it was less than a week later)... And missed :

17 March 2008 - Version 2.0.3

30 April 2008 - Version 2.0.4

7 June 2008   - Version 2.0.5

will definitely make a 2.0.6 release?

Thanks, Tuc


Re: radacct/radutmp out of sync

2008-06-22 Thread Tuc at T-B-O-H.NET
 
 Tuc at T-B-O-H.NET wrote:
  What are some possible causes in 2.0.4 for the radacct (MySQL) and 
  radutmp (That feeds radwho) to get out of sync. It seems almost 100% of the
  time, radwho/radutmp isn't showing the user, while radacct has no 
  acctstoptime.
 
   radutmp requires specific information to store a utmp record.  If that
 information isn't in an accounting request, no record is created.
 
Ok, thanks. I have to do more work to see if radutmp EVER had a 
record for the user or not. My initial thought was that when the user logged
off and an accounting stop record was sent, that it updated the radutmp file,
and then SOMETHING happened that the sql radacct didn't get updated. I never
thought that for some reason the accounting start and interim update records
were getting into sql but none of it ever making radutmp.

Are radutmp entries ONLY created during accounting start requests, and
deleted during accounting stop records (Or Accounting On/Off for a NAS), or
can an accounting interim-update cause the creation of a radutmp entry that
wasn't there previously?

Thanks, Tuc


Re: radacct/radutmp out of sync

2008-06-22 Thread Tuc at T-B-O-H.NET
 
 Tuc at T-B-O-H.NET wrote:
  Ok, thanks. I have to do more work to see if radutmp EVER had a 
  record for the user or not. My initial thought was that when the user logged
  off and an accounting stop record was sent, that it updated the radutmp 
  file,
  and then SOMETHING happened that the sql radacct didn't get updated. I 
  never
  thought that for some reason the accounting start and interim update records
  were getting into sql but none of it ever making radutmp.
 
   radutmp is a historical hack.  If you're using SQL, there's no need to
 use radutmp.
 
  Are radutmp entries ONLY created during accounting start requests, and
  deleted during accounting stop records (Or Accounting On/Off for a NAS), or
  can an accounting interim-update cause the creation of a radutmp entry that
  wasn't there previously?
 
   I haven't looked at that module in a long time, sorry.
 
   I *really* suggest not using radutmp if you're using SQL.
 
Is there an SQL version of radwho? I've taught the people to use
radwho to determine who is logged on, and don't see another utility or
string I can pass to radwho. From the README in doc directory :

4. LOG FILES

4a. /var/log/radutmp

  In this file the currently logged in users are held. The program radwho
  reads this file and gives you a summary. Rogue sessions can be deleted
  from this file with the radzap program.

It also seems radzap depends on the accuracy of radwho to
be able to pipe information to radzap. So it seems to be able to use
at least 2 of the supplied utilities, radutmp is necessary and can't
be substituted with SQL, unless I am looking in the wrong place.

Thanks, Tuc


Re: Code fix for next release

2008-06-22 Thread Tuc at T-B-O-H.NET
 
 Tuc at T-B-O-H.NET wrote:
  Can Bug 517 (Patch for radwho to correct time output and IP
  address output) be included in the next release? I've used the supplied
  patch and find it works quite well. Would be nice not to have to repatch
  on the next release.
 
   Done.
 
Many thanks. 

Tuc


radacct/radutmp out of sync

2008-06-21 Thread Tuc at T-B-O-H.NET
Hi,

What are some possible causes in 2.0.4 for the radacct (MySQL) and 
radutmp (That feeds radwho) to get out of sync. It seems almost 100% of the
time, radwho/radutmp isn't showing the user, while radacct has no acctstoptime.

Thanks, Tuc


Re: Goodbye SNMP, hello statistics.

2008-06-20 Thread Tuc at T-B-O-H.NET
 
 Arran Cudbard-Bell wrote:
  But it also kinda limits the usefulness of the feature. Couldn't you
  place it in the hands of the server admins to decide which hosts can
  query and which can't? Another configuration item in clients?
 
   grumble
 
   It's possible.  I guess.
 
   I think the safest thing to do is to have a socket that's *only* for
 these statistics.  That way it's clear that no authentication can be
 done using it, and real clients have no business querying it.
 
Maybe a quicker solution would be to enable libwrap for it?
I understand the changes to the code to support libwrap aren't too much,
and it can even be made optional via the ./configure .

Tuc


Re: Goodbye SNMP, hello statistics.

2008-06-20 Thread Tuc at T-B-O-H.NET
 
 Tuc at T-B-O-H.NET wrote:
  Maybe a quicker solution would be to enable libwrap for it?
  I understand the changes to the code to support libwrap aren't too much,
  and it can even be made optional via the ./configure .
 
   Ugh.  The IP configuration / filter in the server already does as
 much, if not more, than libwrap.
 
Ok. It was just a suggestion, sorta like the one from 2004 with
code :

http://lists.cistron.nl/pipermail/freeradius-devel/2004-October/007608.html

(Oddly, I think I saw that in the bug database and wondered why
it didn't make it, and then when looking for an example to show how little
it takes to integrate I happened on that email.)

Thought maybe adding more configuration options or hooking into
the current system was less to your liking.

Tuc


Re: Simultaneous-Use and radwho

2008-06-12 Thread Tuc at T-B-O-H.NET
   Copy the configs to a test machine.  Run radsniff on the production
 machine to grab packets.  Play them back on the test machine.  Run
 radiusd -X on the test machine.

Ok, wasn't aware of the functionality. I don't see a radsneeze,
so I'm guessing you pipe them back in via echoing it to radclient?
 
  But it seems somehow they are able to race it :
  
  Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/CHAP-Password] (from 
  client SBC-2393 port 4 cli 00-13-02-20-F9-DC)
  Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/CHAP-Password] (from 
  client SBC-2393 port 2 cli 00-1B-9E-C4-9E-CD
 
   The NAS is delaying the accounting packets.

DD-WRT running O-L-D Chillispot. 
 
  Would switching to SQL be better? (Or is this something that MUST
  have a radiusd -X to resolve?)
 
   No.  The way to fix it is to fix the code so that the user is marked
 conditionally logged in for 10-20 seconds after the Access-Accept.  If
 there's no Accounting start, that record is erased.  Otherwise, the
 accounting start marks the user as really logged in.
 
   That way, when the second login request comes, the server discovers
 that the first user is likely to be logged in, and rejects the second
 request.
 
I'd love to help, but I'm a C compiler (I can find includes/functions
and missing libraries) and not a C programmer.  Is this something I should put
a bug report in about a race condition or Dealing with slow NAS accounting
or some other title? Is there someone on the list that maybe would be interested
in working on a patch (I'm a great tester. :) )

Thanks, Tuc

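The provisional-login idea from the reply above, written out as an added example (editor's code, not rlm_radutmp or any patch from this thread): after an Access-Accept the user is held as conditionally logged in for a grace window, an Accounting-Start confirms the record, an unconfirmed record is erased when the window passes, and a second Access-Request inside the window sees the first session and is rejected. The 15 second window, the class and method names, and the replayed packet sequence are assumptions.

```python
from dataclasses import dataclass

GRACE_SECONDS = 15  # assumed; the reply suggests "10-20 seconds"


@dataclass
class Session:
    user: str
    nas: str
    port: int
    accepted_at: float
    confirmed: bool = False  # set once the Accounting-Start arrives


class SessionTable:
    """In-memory stand-in for radutmp, extended with provisional records."""

    def __init__(self, grace=GRACE_SECONDS):
        self.grace = grace
        self._sessions = {}  # (nas, port) -> Session

    def expire(self, now):
        """Erase provisional records whose grace window passed with no Start."""
        stale = [key for key, s in self._sessions.items()
                 if not s.confirmed and now - s.accepted_at > self.grace]
        for key in stale:
            del self._sessions[key]

    def active(self, user, now):
        """Sessions (confirmed or provisional) counted against Simultaneous-Use."""
        self.expire(now)
        return [s for s in self._sessions.values() if s.user == user]

    def access_request(self, user, nas, port, now, max_sessions=1):
        """Simultaneous-Use check; on Accept the user is marked conditionally in."""
        if len(self.active(user, now)) >= max_sessions:
            return "Access-Reject"
        self._sessions[(nas, port)] = Session(user, nas, port, now)
        return "Access-Accept"

    def accounting_start(self, user, nas, port, now):
        """The Start turns the provisional record into a real login."""
        s = self._sessions.get((nas, port))
        if s is None or s.user != user:
            # Start without a matching Accept (or the window already expired):
            # record it anyway, as radutmp would.
            s = Session(user, nas, port, now)
            self._sessions[(nas, port)] = s
        s.confirmed = True

    def accounting_stop(self, nas, port):
        self._sessions.pop((nas, port), None)

    def accounting_on(self, nas):
        """Accounting-On from a rebooted NAS: every session on it is gone."""
        for key in [k for k in self._sessions if k[0] == nas]:
            del self._sessions[key]


def replay_race():
    """Replay the two same-second logins from the log with a slow NAS."""
    table = SessionTable()
    first = table.access_request("regtum14", "SBC-2393", 4, now=0)
    second = table.access_request("regtum14", "SBC-2393", 2, now=0)  # rejected now
    table.accounting_start("regtum14", "SBC-2393", 4, now=9)        # Start arrives late
    retry = table.access_request("regtum14", "SBC-2393", 2, now=40)  # still one session
    table.accounting_stop("SBC-2393", 4)
    after_stop = table.access_request("regtum14", "SBC-2393", 2, now=41)
    return first, second, retry, after_stop
```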

Bug 517 - Can it make the next release?

2008-06-12 Thread Tuc at T-B-O-H.NET
Hi,

Can Bug 517 (Patch for radwho to correct time output and IP address output)
be included in the next release? I've used the supplied patch and find it
works quite well.

Thanks, Tuc


Simultaneous-Use and radwho

2008-06-11 Thread Tuc at T-B-O-H.NET
Hi,

I haven't been given authorization to do a radiusd -X yet, but
I'm seeing something in my logs that I don't get. User is logging in
multiple times, so I put on Simultaneous-Use and it goes against
the radutmp. So I test it by hand and I get in radius.log

Wed Jun 11 17:30:45 2008 : Auth: Multiple logins (max 1) : [regtum14/TESTING] 
(from client localhost port 1812)

Ok, good. So I reset the device and make sure it gets an:

Wed Jun 11 18:17:04 2008 : Info: rlm_radutmp: NAS 192.168.75.39 restarted 
(Accounting-On packet seen)
Wed Jun 11 18:17:04 2008 : Info: rlm_sql (sql): received Acct On/Off packet

But it seems somehow they are able to race it :

Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/CHAP-Password] (from 
client SBC-2393 port 4 cli 00-13-02-20-F9-DC)
Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/CHAP-Password] (from 
client SBC-2393 port 2 cli 00-1B-9E-C4-9E-CD

Would switching to SQL be better? (Or is this something that MUST
have a radiusd -X to resolve?)

Thanks, Tuc


Re: Session-Timeout conditionally appearing

2008-05-23 Thread Tuc at T-B-O-H.NET
Hi,

Both tables empty. Debug is long, but I'm including the
run without any radacct records first, then the run with a radacct
record of 122 seconds used (They were only allocated 123). If you
want the whole log it's at http://204.107.90.128/radacct.txt and
http://204.107.90.128/noradacct.txt respectively.

With no radacct records :

setup# radtest hotspot ICANSEE localhost 1212 testing123
User-Name = hotspot
User-Password = ICANSEE
NAS-IP-Address = 192.168.3.128
NAS-Port = 1212
Idle-Timeout = 900

(After ready to process)

rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}''
expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='hotspot'
sqlcounter_expand:  '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='hotspot'}'
rlm_sql (sql): - sql_xlat
expand: %{User-Name} -> hotspot
rlm_sql (sql): sql_set_user escaped user --> 'hotspot'
expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='hotspot' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='hotspot'
expand: /usr/local/var/log/radius/sqltrace.sql -> /usr/local/var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: query: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='hotspot'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='hotspot'} -> 
rlm_sqlcounter: No integer found in string 
++[noresetcounter] returns noop



With the radacct table entry

setup# radtest hotspot ICANSEE localhost 1212 testing123 
User-Name = hotspot
User-Password = ICANSEE
NAS-IP-Address = 192.168.3.128
NAS-Port = 1212
Idle-Timeout = 900
Session-Timeout = 1

rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}''
expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='hotspot'
sqlcounter_expand:  '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='hotspot'}'
rlm_sql (sql): - sql_xlat
expand: %{User-Name} -> hotspot
rlm_sql (sql): sql_set_user escaped user --> 'hotspot'
expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='hotspot' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='hotspot'
expand: /usr/local/var/log/radius/sqltrace.sql -> /usr/local/var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: query: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='hotspot'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='hotspot'} -> 122
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user hotspot, check_item=123, counter=122
rlm_sqlcounter: Sent Reply-Item for user hotspot, Type=Session-Timeout, value=1
++[noresetcounter] returns ok


Tuc
 
 Tuc,
 
 Did you check you don't have anything for this user in
 radgroupcheck/radgroupreply?
 The debug log from freeradius might prove helpful.
 
 
 
 On Fri, May 23, 2008 at 2:47 AM, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
 
  Hi,
 
 I've run this on FR2.0.3 and 2.0.4, MySQL and Postgresql, and
  I seem to see a pattern. I'm not sure if it's the correct behaviour or
  not.
 
 Using counters, I add Max-All-Session := 123 into my database
  for a user. When I run radtest, I get :
 
  setup# radtest hotspot ICANSEE localhost 1212 testing123
 User-Name = hotspot
 User-Password = ICANSEE
 NAS-IP-Address = 192.168.3.128
 NAS-Port = 1212
 Idle-Timeout = 900
 
 I would think I would see a :
 
 Session-Timeout = 123
 
 If, though, I add a record for a 122 second session into radacct and
  run again, I see :
 
  setup# radtest hotspot ICANSEE localhost 1212 testing123
 User-Name = hotspot
 User-Password = ICANSEE
 NAS-IP-Address = 192.168.3.128
 NAS-Port = 1212
 Idle-Timeout = 900
 Session-Timeout = 1
 
 Is Session-Timeout not showing due to misconfiguration on my
  part (Fairly stock configuration), or because of some other reason?
 
 Thanks, Tuc

Need to understand flow

2008-05-22 Thread Tuc at T-B-O-H.NET
Hi,

I'm having to write my own validation and accounting for a device,
and I need to understand a little about the flow. Is there a good reference 
for this? I don't have to support much, basically user/pass authentication,
updating accounting, timeout, logoff.

I understand that I send it an Access-Request packet, and I
get back either Access-Accept with potentially some Attributes, or 
an Access-Reject if it failed.

I believe I next need to send an accounting_start packet. Some
of the items I'm not sure where they come from (Acct-Session-Id,
Acct-Unique-Session-Id) or how they might be generated.

During the course of the user being on, I believe you
send accounting_updates and at the end send an accounting_stop.

One thing I really don't know is where does Max-All-Session 
come in? In my initial testing, it didn't come back as an attribute.
(Maybe incorrectly). 

Thanks, Tuc


Re: Need to understand flow

2008-05-22 Thread Tuc at T-B-O-H.NET
  I'm having to write my own validation and accounting for a device,
 
   Don't.  Please.  There are a number of RADIUS libraries available,
 including freeradius-client, on freeradius.org.  It's supported, it
 works, and it's in use by a number of products.

I have no issue using a library. Right now I'm working with
Net::Radius. But to use it I need to understand the flow since it only
seems to be able to assemble and disassemble the packets, not tell me how
to do it.
 
  and I need to understand a little about the flow. Is there a good reference 
  for this? I don't have to support much, basically user/pass authentication,
  updating accounting, timeout, logoff.
 
   See the RFC's.

Ok. I was hoping for something more than RFC's, but if that's the
starting point, off I'll go.
 
  I believe I next need to send an accounting_start packet. Some
  of the items I'm not sure where they come from (Acct-Session-Id,
  Acct-Unique-Session-Id) or how they might be generated.
 
   This is not a mailing list for general RADIUS questions.  The RFC's
 exist.  Please read them.

Jawohl.
 
   If you're doing this for a customer, you're getting paid.  Don't
 expect anyone here to help you (for free) to create your product that
 has nothing to do with FreeRADIUS.
 
Actually, no, I'm not doing this for a customer. I'm doing it 
for an OpenSource/Sourceforge project, but I really appreciate your
support in it all.

Tuc


MySQL noresetcounter / No reply-name or count attribute?

2008-05-22 Thread Tuc at T-B-O-H.NET
Hi,

I've noticed on the default FR 2.0.4 MySQL counter.conf file, for the
sqlcounter noresetcounter, there isn't a count-attribute of
Acct-Session-Time or a reply-name of something like Session-Timeout.
The dailycounter and monthlycounter both have a reply-name. Is this
for a reason, and if so why? I'm just trying to grok why it might not have
one compared to the others.

Thanks, Tuc


Session-Timeout conditionally appearing

2008-05-22 Thread Tuc at T-B-O-H.NET
Hi,

I've run this on FR2.0.3 and 2.0.4, MySQL and Postgresql, and
I seem to see a pattern. I'm not sure if it's the correct behaviour or
not.

Using counters, I add Max-All-Session := 123 into my database
for a user. When I run radtest, I get :

setup# radtest hotspot ICANSEE localhost 1212 testing123
User-Name = hotspot
User-Password = ICANSEE
NAS-IP-Address = 192.168.3.128
NAS-Port = 1212
Idle-Timeout = 900

I would think I would see a :

Session-Timeout = 123

If, though, I add a record for a 122 second session into radacct and
run again, I see :

setup# radtest hotspot ICANSEE localhost 1212 testing123
User-Name = hotspot
User-Password = ICANSEE
NAS-IP-Address = 192.168.3.128
NAS-Port = 1212
Idle-Timeout = 900
Session-Timeout = 1

Is Session-Timeout not showing due to misconfiguration on my 
part (Fairly stock configuration), or because of some other reason?

Thanks, Tuc
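An added walk-through (editor's code, not rlm_sqlcounter's) of the decision shown in the debug output quoted earlier in this archive for this same question: the %{sql:...} expansion of SUM(AcctSessionTime) is an empty string when radacct has no rows for the user, so the module finds no integer, returns noop and adds no Session-Timeout; with 122 seconds used against Max-All-Session 123 it sends 123 - 122 = 1. The reject branch and the last case, feeding it "0" as a COALESCE(SUM(...), 0) query would, are not from the thread; function names are assumptions.

```python
import re


def counter_from_expansion(expanded):
    """Parse the %{sql:...} result the way the 'No integer found in string'
    message implies: a leading integer or nothing at all.  SUM() over zero
    rows is SQL NULL, which the expansion renders as an empty string."""
    match = re.match(r"\s*(\d+)", expanded)
    return int(match.group(1)) if match else None


def sqlcounter_authorize(check_item, expanded, reply_name="Session-Timeout"):
    """Return (module rcode, reply attributes) for one authorize call."""
    counter = counter_from_expansion(expanded)
    if counter is None:
        return "noop", {}                      # '++[noresetcounter] returns noop'
    if check_item > counter:                   # 'Check item is greater than query result'
        return "ok", {reply_name: check_item - counter}
    # Limit used up: the module rejects (not exercised in the thread's debug).
    return "reject", {}


def walk_through():
    """The states of the 'hotspot' user from the thread, plus one suggestion."""
    max_all_session = 123                                     # the radcheck entry
    no_rows = sqlcounter_authorize(max_all_session, "")       # empty radacct
    used_122 = sqlcounter_authorize(max_all_session, "122")   # one 122 s session
    used_123 = sqlcounter_authorize(max_all_session, "123")   # allocation consumed
    # Suggested here, not from the thread: COALESCE(SUM(AcctSessionTime), 0)
    # in the counter query makes an unused account expand to "0" instead of "".
    fresh_account = sqlcounter_authorize(max_all_session, "0")
    return no_rows, used_122, used_123, fresh_account
```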


accounting_onoff_query and acctsessiontime = 0

2008-05-18 Thread Tuc at T-B-O-H.NET
Hi,

For the following :

accounting_onoff_query = \
  UPDATE ${acct_table1} \
  SET \
     acctstoptime       =  '%S', \
     acctsessiontime    =  unix_timestamp('%S') - \
                           unix_timestamp(acctstarttime), \
     acctterminatecause =  '%{Acct-Terminate-Cause}', \
     acctstopdelay      =  %{%{Acct-Delay-Time}:-0} \
  WHERE acctsessiontime =  0 \
  AND acctstoptime      =  NULL \
  AND nasipaddress      =  '%{NAS-IP-Address}' \
  AND acctstarttime     <= '%S'


Why is acctsessiontime =  0 ? If the unit has been rebooted,
the sessions left hanging, why do you search only for zero'd
acctsessiontime?

Thanks, Tuc


Re: accounting_onoff_query and acctsessiontime = 0

2008-05-18 Thread Tuc at T-B-O-H.NET
 
 Hi,
 
   For the following :
 
 accounting_onoff_query = \
   UPDATE ${acct_table1} \
   SET \
      acctstoptime       =  '%S', \
      acctsessiontime    =  unix_timestamp('%S') - \
                            unix_timestamp(acctstarttime), \
      acctterminatecause =  '%{Acct-Terminate-Cause}', \
      acctstopdelay      =  %{%{Acct-Delay-Time}:-0} \
   WHERE acctsessiontime =  0 \
   AND acctstoptime      =  NULL \
   AND nasipaddress      =  '%{NAS-IP-Address}' \
   AND acctstarttime     <= '%S'
 
 
   Why is acctsessiontime =  0 ? If the unit has been rebooted,
 the sessions left hanging, why do you search only for zero'd
 acctsessiontime?
 
   Thanks, Tuc
Hi,

This changed between 2.0.3 and 2.0.4, didn't it?

Thanks, Tuc


Re: accounting_onoff_query and acctsessiontime = 0

2008-05-18 Thread Tuc at T-B-O-H.NET
Hi Ivan,

Ok, thanks. I like the one that does for all packets, so I've
made that change.

The other thing I'm finding is that the statement isn't getting
all the records anyway. I went into phpMyAdmin and tried to cut/paste
from sqltrace.sql, and no records were updated. I went into phpMyAdmin
and entered the (now) 3 search fields, and no records. It wasn't until
I changed acctstoptime = NULL to acctstoptime IS NULL
that it found the records. (I'm running the 5.0.45-community-log from
RPM). I've changed my accounting_onoff_query to be the IS. Should
FR as distributed be changed, or IS ( ;) ) there a problem with
my server?

Thanks, Tuc

 
 Yes. This query doesn't update sessions that have received accounting
 update packets but are left open when NAS rebooted. Query in 2.0.4 does
 it for those packets as well.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 18/5/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:
 
 
  Hi,
 
 For the following :
 
  accounting_onoff_query = \
    UPDATE ${acct_table1} \
    SET \
       acctstoptime       =  '%S', \
       acctsessiontime    =  unix_timestamp('%S') - \
                             unix_timestamp(acctstarttime), \
       acctterminatecause =  '%{Acct-Terminate-Cause}', \
       acctstopdelay      =  %{%{Acct-Delay-Time}:-0} \
    WHERE acctsessiontime =  0 \
    AND acctstoptime      =  NULL \
    AND nasipaddress      =  '%{NAS-IP-Address}' \
    AND acctstarttime     <= '%S'
 
 
 Why is acctsessiontime =  0 ? If the unit has been rebooted,
  the sessions left hanging, why do you search only for zero'd
  acctsessiontime?
 
 Thanks, Tuc
 Hi,
 
  This changed between 2.0.3 and 2.0.4, didn't it?
 
  Thanks, Tuc
 
 
 
 
 


Re: Another possibility to reconcile?

2008-05-16 Thread Tuc at T-B-O-H.NET
Hi Ivan,

We have many Chillispot systems, but as I mentioned before,
combined, at the time it was approximately 14.

I was hoping that there would be some way to have checkrad do
that for us, but since DD-WRT runs Chillispot and not Coova, we don't have
access to a great utility Coova implemented which would be able to tell us
what sessions it has active at the time. 

Since I wrote the email, I've learned more. It seems that the
DD-WRT units reboot daily as their version of Garbage Collection. It
also seems that unlike Coova, the old Chilli did not send Accounting_On
when it booted, and Accounting_Off when it was shutting down. I have
to do some more log and file investigation, but I'm thinking that the
combination of those 2 issues is what's causing all the dirty sessions.

Since all the units send output to syslog, I'm thinking about
having syslog output to a perl program that parses all the lines and if
it sees the beginning of a DD-WRT reboot, it will forge an Accounting_On
packet (If that is possible. I'm not sure if I'll run into the same issue
I did with trying to run a radtest from the radius server with the IP
and secret for a remote unit).

I'll also see, but I'm sure it'll be pretty difficult, if I
can convince the DD-WRT people to port the Accounting_On/Off function,
and hopefully Coova itself!

Thanks, Tuc
 
 OK, you have 90 sessions open in radacct. How many users does Chillispot
 see as current? If there is a big difference then you are not getting
 all accounting Stop packets. You should run a script that removes stale
 entries (those open for longer than x hours) from radacct.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 16/5/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:
 
 Hi,
 
  I'm looking to implement the Simultaneous-User Value in radcheck.
 (FR 2.0.3) I'm having the issue that, for whatever reason (I'd blame the
 network in a heartbeat, not FR at all), the accounting for a logged in user
 never gets from a NULL acctstoptime to one filled in.
 
  At the current time, radwho on the server shows approximately
 22 active users. In reality I think it'd be more like 1/2 of that. A
 SELECT count( * ) FROM radacct WHERE acctstoptime IS NULL ; shows 91
 records.
 
  Due to the version of the NAS we are running (DD-WRT with Chillispot),
 we can't get checkrad to help true up the information.
 
  Is there another way to help keep everything in sync, so we don't have
 users who pay for a single ID, doing things like :
 
 lobnic14  00-13-02-25-8C-   shell  S1   Thu 17:3  192.168.7  192.168.182.3
 lobnic14  00-1B-77-11-F4-   shell  S2   Thu 22:1  192.168.7  192.168.182.4
 damrap6   00-0E-35-C0-16-   shell  S1   Thu 22:1  192.168.5  192.168.182.5
 damrap6   00-11-24-8F-27-   shell  S3   Thu 20:2  192.168.5  192.168.182.10
 damrap6   00-1B-77-06-2F-   shell  S4   Thu 20:2  192.168.5  192.168.182.11
 
  Thanks, Tuc
 
 
 
 
 


Feature request procedure?

2008-05-16 Thread Tuc at T-B-O-H.NET
Hi,

Is there a procedure to follow to ask for a new feature to be added?

I seem to have some sort of anomaly that sqltrace is active in my server
even though it's not in debug mode. That's not a big deal.

What I would like, though, is in src/modules/rlm_sql/sql.c for a 
timestamp to prepend the sql output. I'm trying to track down the last time
a specific unit sent an accounting record, and I'd like to track it down to
a time. Unfortunately, the sql statement is :

   UPDATE radacct
     SET framedipaddress  = '192.168.182.2',
         acctsessiontime  = '4032',
         acctinputoctets  = '0' << 32 | '4028824',
         acctoutputoctets = '0' << 32 | '2535198'
     WHERE acctsessionid = '481f03510001'
     AND username = 'gasmac6'
     AND nasipaddress = '192.168.50.35';

I realize I could add acctsessiontime to the original :

   INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress,
     nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic,
     connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets,
     calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol,
     framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey)
   VALUES ('481f03510001', 'dbbf6395a6c658d9', 'gasmac6', '', '192.168.50.35',
     '1', 'Wireless-802.11', '2008-05-05 13:11:36', NULL, '0', '',
     '', '', '0', '0',
     '00-16-01-D2-AE-F8', '00-13-02-B5-79-7C', '', '', '',
     '192.168.182.2', '0', '0', '');

and come up with the time... But I'd prefer to have confirmation it was
4032 later in reality.

Thanks, Tuc


Re: Feature request procedure?

2008-05-16 Thread Tuc at T-B-O-H.NET
  I seem to have some sort of anomaly that sqltrace is active in my server
  even though it's not in debug mode. That's not a big deal.
 
 no. that'll be right. sqltrace is nothing directly to do with server
 debug mode - its a debug mode of the sql module - its enabled and disabled
 in sql.conf
 
But the comments are :

# Print all SQL statements when in debug mode (-x)
sqltrace = yes
sqltracefile = ${logdir}/sqltrace.sql


I'm not in -x mode :

[EMAIL PROTECTED] raddb]# ps ax|grep rad|grep -v gre
29294 ?Ssl0:00 /usr/local/sbin/radiusd

It's not that I *DON'T* want it, I really do want it. It's just
that the comments led me to believe otherwise.

Thanks, Tuc


Re: Feature request procedure?

2008-05-16 Thread Tuc at T-B-O-H.NET
 
 Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:
 
  Is there a procedure to follow to ask for a new feature to be added?
 
 AFAIK:
  - develop a patch
  - create a bug report requesting the new feature
  - attach the patch to the report

Only issue with that is sql.c is written in, well, C. Unfortunately,
sans one module I wrote in C for ATT in the 90's (To make a Telephone
Switch act like a web server) I don't program C. If you want it in perlized,
just change :

 fputs(querystr, sqlfile);

to

 fputs(time . " - " . querystr, sqlfile);

and it'd work for me. I can run Date::Manip to translate to a proper
format.

 
 I'm not sure if I understand exactly what you want to do, but if the
 only thing you need is a modification timestamp, and you are using
 MySQL, then you can make MySQL do this for you: Just add a timestamp
 type column to the radacct table.  MySQL will automatically update it
 whenever an entry is modified.  See
 http://dev.mysql.com/doc/refman/5.0/en/timestamp.html
 
I'm planning to do that already... But I also need to see in the
sqltrace file the timestamp it claims the command was done too. The 
timestamp column would only be able to tell me the last time it happened.
I need to see the interim ones which sqltrace would show me, and the time
it actually did it. Right now the querystr doesn't have the time it 
actually occurs.

Thanks, Tuc


Re: Feature request procedure?

2008-05-16 Thread Tuc at T-B-O-H.NET
 
 Tuc at T-B-O-H.NET wrote:
    I seem to have some sort of anomaly that sqltrace is active in my server
  even though it's not in debug mode. That's not a big deal.
  no. that'll be right. sqltrace is nothing directly to do with server
  debug mode - its a debug mode of the sql module - its enabled and disabled
  in sql.conf
 
  But the comments are :
  
  # Print all SQL statements when in debug mode (-x)
  sqltrace = yes
  sqltracefile = ${logdir}/sqltrace.sql
 
 That comment is wrong. sqltrace is independent of debug mode of the daemon.

And it's behaving independently too, which is a good thing to me. :)

WHILE ON THE SUBJECT, it looks like it opens the file, writes, and closes
it. Does this mean I can move the file nightly without sending radius any
signals, and the next time it goes to write to it it'll create a new file?

Thanks, Tuc


Re: Another possibility to reconcile?

2008-05-16 Thread Tuc at T-B-O-H.NET
Hi Ivan,

Thanks. Heard a lot about it, but it doesn't run Chilli or Coova
native in the distribution. Client wouldn't allow me to piecemeal a
solution.

Thanks, Tuc

 
 Try this instead of DD-WRT:
 
 http://www.polarcloud.com/tomato
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 16/5/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:
 
 Hi Ivan,
 
  We have many Chillispot systems, but as I mentioned before,
 combined, at the time it was approximately 14.
 
  I was hoping that there would be some way to have checkrad do
 that for us, but since DD-WRT runs Chillispot and not Coova, we don't have
 access to a great utility Coova implemented which would be able to tell us
 what sessions it has active at the time.
 
  Since I wrote the email, I've learned more. It seems that the
 DD-WRT units reboot daily as their version of Garbage Collection. It
 also seems that unlike Coova, the old Chilli did not send Accounting_On
 when it booted, and Accounting_Off when it was shutting down. I have
 to do some more log and file investigation, but I'm thinking that the
 combination of those 2 issues is what's causing all the dirty sessions.
 
  Since all the units send output to syslog, I'm thinking about
 having syslog output to a perl program that parses all the lines and if
 it sees the beginning of a DD-WRT reboot, it will forge an Accounting_On
 packet (If that is possible. I'm not sure if I'll run into the same issue
 I did with trying to run a radtest from the radius server with the IP
 and secret for a remote unit).
 
  I'll also see, but I'm sure it'll be pretty difficult, if I
 can convince the DD-WRT people to port the Accounting_On/Off function,
 and hopefully Coova itself!
 
  Thanks, Tuc
 
  OK, you have 90 sessions open in radacct. How many users does Chillispot
  see as current? If there is a big difference then you are not getting
  all accounting Stop packets. You should run a script that removes stale
  entries (those open for longer than x hours) from radacct.
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
  On 16/5/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:
 
  Hi,
  
I'm looking to implement the Simultaneous-User Value in radcheck.
  (FR 2.0.3) I'm having the issue that, for whatever reason (I'd blame the
  network in a heartbeat, not FR at all), the accounting for a logged in 
  user
  never gets from a NULL acctstoptime to one filled in.
  
At the current time, radwho on the server shows approximately
  22 active users. In reality I think it'd be more like 1/2 of that. A
  SELECT count( * ) FROM radacct WHERE acctstoptime IS NULL ; shows 91
  records.
  
Due to the version of the NAS we are running (DD-WRT with Chillispot),
  we can't get checkrad to help true up the information.
  
Is there another way to help keep everything in sync, so we don't have
  users who pay for a single ID, doing things like :
  
  lobnic14   00-13-02-25-8C-   shell S1   Thu 17:3  192.168.7 192.168.182.3
  lobnic14   00-1B-77-11-F4-   shell S2   Thu 22:1  192.168.7 192.168.182.4
  damrap600-0E-35-C0-16-   shell S1   Thu 22:1  192.168.5 192.168.182.5
  damrap600-11-24-8F-27-   shell S3   Thu 20:2  192.168.5 192.168.182.10
  damrap600-1B-77-06-2F-   shell S4   Thu 20:2  192.168.5 192.168.182.11
  
Thanks, Tuc

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Accounting-Request/Accounting-Response question

2008-05-16 Thread Tuc at T-B-O-H.NET
Hi,

This isn't specific to FreeRadius, so if it's not for
this group, please let me know.

I'm looking into the Accounting-Request packet for 
the following :

*** DUMP OF RADIUS PACKET (Net::Radius::Packet=HASH(0x834ac1c))
Code:   Accounting-Request
Identifier: 1
Authentic:  
\x{0}\x{0}\x{0}\x{0}\x{0}\x{0}\x{0}\x{0}\x{0}\x{0}\x{0}\x{0}\x{0}\x{0}\x{0}\x{0}
Attributes:
  Acct-Status-Type:Accounting-On
  NAS-IP-Address:  192.168.3.100
  Called-Station-Id:   00-BD-5D-FD-4D-38
  NAS-Identifier:  nas01
  Acct-Terminate-Cause: NAS-Reboot

When I get it back, I get :

Code:   Accounting-Response
Identifier: 1
Authentic:  \x{a}\x{da}\%\x{1f}\x{ff}o\`\x{bf}\(\x{b0}V\x{aa}\x{ba}J;\x{99}
Attributes:

Is there anything that would make this NOT come back like that?
(Except maybe the secret being incorrect). 

When I send it, I set :

$req->set_code('Accounting-Request');

$req->set_attr('Acct-Status-Type' => 'Accounting-On');
$req->set_attr('NAS-IP-Address' => '192.168.3.100');
$req->set_attr('Called-Station-Id' => '00-BD-5D-FD-4D-38');
$req->set_attr('NAS-Identifier' => 'nas01');
$req->set_attr('Acct-Terminate-Cause' => 'NAS-Reboot');

$req->set_identifier($ident);
$req->set_authenticator();   # random authenticator required

though I see from the UPDATE statement:

accounting_onoff_query = "\
  UPDATE ${acct_table1} \
  SET \
 acctstoptime   =  '%S', \
 acctsessiontime=  unix_timestamp('%S') - \
   unix_timestamp(acctstarttime), \
 acctterminatecause =  '%{Acct-Terminate-Cause}', \
 acctstopdelay  =  %{%{Acct-Delay-Time}:-0} \
  WHERE acctstoptime  =  NULL \
  AND nasipaddress  =  '%{NAS-IP-Address}' \
  AND acctstarttime <= '%S'"

it seems to only really need Acct-Terminate-Cause and
NAS-IP-Address.

Thanks, Tuc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Another possibility to reconcile?

2008-05-15 Thread Tuc at T-B-O-H.NET
Hi,

I'm looking to implement the Simultaneous-User Value in radcheck.
(FR 2.0.3) I'm having the issue that, for whatever reason (I'd blame the 
network in a heartbeat, not FR at all), the accounting for a logged in user 
never gets from a NULL acctstoptime to one filled in. 

At the current time, radwho on the server shows approximately
22 active users. In reality I think it'd be more like 1/2 of that. A
SELECT count( * ) FROM radacct WHERE acctstoptime IS NULL ; shows 91
records.

Due to the version of the NAS we are running (DD-WRT with Chillispot),
we can't get checkrad to help true up the information. 

Is there another way to help keep everything in sync, so we don't have
users who pay for a single ID, doing things like :

lobnic14   00-13-02-25-8C-   shell S1   Thu 17:3  192.168.7 192.168.182.3
lobnic14   00-1B-77-11-F4-   shell S2   Thu 22:1  192.168.7 192.168.182.4
damrap600-0E-35-C0-16-   shell S1   Thu 22:1  192.168.5 192.168.182.5
damrap600-11-24-8F-27-   shell S3   Thu 20:2  192.168.5 192.168.182.10
damrap600-1B-77-06-2F-   shell S4   Thu 20:2  192.168.5 192.168.182.11

Thanks, Tuc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
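The reconciliation this thread (and Ivan's "remove stale entries" advice in the reply above) is about, as an added Python example that is not part of the list posts or of FreeRADIUS. It uses an in-memory sqlite copy of the radacct columns the thread names; the rows, user names and the 'Stale-Session' marker are constructed for the example.

```python
"""Reconciling radacct when Accounting-Stop packets never arrive.

Two steps are shown: the accounting_onoff_query logic applied when a NAS
sends Accounting-On after a reboot, and a stale-session sweep that closes
rows open longer than N hours, so a Simultaneous-Use check counts real
sessions rather than dirty ones.
"""
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY,
    username           TEXT,
    nasipaddress       TEXT,
    acctstarttime      TEXT,
    acctstoptime       TEXT,
    acctsessiontime    INTEGER,
    acctterminatecause TEXT
)"""

# Constructed sample: two users on two NAS, several sessions still open.
SAMPLE_ROWS = [
    ("user1", "192.168.7.1", "2008-05-15 17:30:00", None),
    ("user1", "192.168.7.1", "2008-05-15 22:10:00", None),
    ("user2", "192.168.5.1", "2008-05-15 22:10:00", None),
    ("user2", "192.168.5.1", "2008-05-14 20:20:00", None),
    ("user2", "192.168.5.1", "2008-05-10 08:00:00", "2008-05-10 09:00:00"),
]


def open_db(rows=SAMPLE_ROWS) -> sqlite3.Connection:
    """In-memory radacct loaded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO radacct (username, nasipaddress, acctstarttime, acctstoptime)"
        " VALUES (?, ?, ?, ?)", rows)
    return db


def nas_reboot(db: sqlite3.Connection, nas_ip: str, now: str) -> int:
    """What accounting_onoff_query does for an Accounting-On from nas_ip:
    every session still open on that NAS is closed at 'now' with the cause
    the NAS reported. Returns the number of rows closed.

    The open-session test must be 'acctstoptime IS NULL'; a comparison
    written as '= NULL' is never true in SQL and would close nothing.
    """
    cur = db.execute(
        """UPDATE radacct
           SET acctstoptime = ?,
               acctsessiontime = CAST(strftime('%s', ?) AS INTEGER)
                               - CAST(strftime('%s', acctstarttime) AS INTEGER),
               acctterminatecause = 'NAS-Reboot'
           WHERE acctstoptime IS NULL
             AND nasipaddress = ?
             AND acctstarttime <= ?""", (now, now, nas_ip, now))
    return cur.rowcount


def close_stale(db: sqlite3.Connection, now: str, max_hours: int) -> int:
    """The sweep the thread suggests: close sessions open longer than
    max_hours, marking them (constructed cause value) so they stand out."""
    cutoff = (datetime.strptime(now, FMT) - timedelta(hours=max_hours)).strftime(FMT)
    cur = db.execute(
        """UPDATE radacct
           SET acctstoptime = ?, acctterminatecause = 'Stale-Session'
           WHERE acctstoptime IS NULL AND acctstarttime < ?""", (now, cutoff))
    return cur.rowcount


def open_sessions(db: sqlite3.Connection, username: str) -> int:
    """The count a Simultaneous-Use check is based on: open rows per user."""
    row = db.execute(
        "SELECT count(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (username,)).fetchone()
    return row[0]
```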


Re: Move from text to SQL(Postgresql)

2008-05-13 Thread Tuc at T-B-O-H.NET
 
 Hey Tuc,
 
 Regarding your issue, check the radiusd.conf file, in the modules{} section
 for
 the pap module settings, you probably have it set to encryption_scheme =
 crypt, if so, change it to clear.

No, it's the standard :

pap {
auto_header = no
}

I had followed (I thought) :

http://wiki.freeradius.org/SQL_HOWTO

just like I did (I think) for MySQL and had that working straight
off.

   [Discussion of his sourceforge project that comes with just about
   every reply he does deleted]


So not sure what's happening or not happening..

Tuc
 Liran.
 
 
 On Tue, May 13, 2008 at 3:20 AM, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
 
  Hi,
 
 I've got a new install, and I have it working fine with plain text
  files. I'm trying to go this time to Postgresql (Don't ask) and I'm
  just not having a good time of it. I don't get why it's doing the following
  (2.0.4 with Postgresql 8.1.11) :
 
  Ready to process requests.
 User-Name = tuc
 User-Password = ICANSEE
 NAS-IP-Address = 192.168.3.128
 NAS-Port = 1812
  +- entering group authorize
  ++[preprocess] returns ok
  ++[chap] returns noop
  ++[mschap] returns noop
 rlm_realm: No '@' in User-Name = tuc, looking up realm NULL
 rlm_realm: No such realm NULL
  ++[suffix] returns noop
   rlm_eap: No EAP-Message, not doing EAP
  ++[eap] returns noop
  ++[unix] returns updated
  ++[files] returns noop
 expand: %{User-Name} - tuc
  rlm_sql (sql): sql_set_user escaped user -- 'tuc'
  rlm_sql (sql): Reserving sql socket id: 4
 expand: SELECT id, UserName, Attribute, Value, Op   FROM radcheck
  WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT id, UserName,
  Attribute, Value, Op   FROM radcheck   WHERE Username = 'tuc'   ORDER BY id
  rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
  FROM radcheck   WHERE Username = 'tuc'   ORDER BY id
  rlm_sql_postgresql: Status: PGRES_TUPLES_OK
  rlm_sql_postgresql: query affected rows = 1 , fields = 5
  rlm_sql (sql): User found in radcheck table
 expand: SELECT id, UserName, Attribute, Value, Op   FROM radreply
  WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT id, UserName,
  Attribute, Value, Op   FROM radreply   WHERE Username = 'tuc'   ORDER BY id
  rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
  FROM radreply   WHERE Username = 'tuc'   ORDER BY id
  rlm_sql_postgresql: Status: PGRES_TUPLES_OK
  rlm_sql_postgresql: query affected rows = 1 , fields = 5
 expand: SELECT GroupName FROM radusergroup WHERE
  UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM
  radusergroup WHERE UserName='tuc' ORDER BY priority
  rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE
  UserName='tuc' ORDER BY priority
  rlm_sql_postgresql: Status: PGRES_TUPLES_OK
  rlm_sql_postgresql: query affected rows = 0 , fields = 1
  rlm_sql (sql): Released sql socket id: 4
  ++[sql] returns ok
  ++[expiration] returns noop
  ++[logintime] returns noop
  ++[pap] returns updated
   rad_check_password:  Found Auth-Type
  auth: type PAP
  +- entering group PAP
  rlm_pap: login attempt with password ICANSEE
  rlm_pap: Using CRYPT encryption.
  rlm_pap: Passwords don't match
  ++[pap] returns reject
  auth: Failed to validate the user.
  Login incorrect (rlm_pap: CRYPT password check failed): [tuc/ICANSEE]
  (from client localhost port 1812)
   Found Post-Auth-Type Reject
  +- entering group REJECT
 expand: %{User-Name} - tuc
   attr_filter: Matched entry DEFAULT at line 11
  ++[attr_filter.access_reject] returns updated
  Delaying reject of request 0 for 1 seconds
 
 
 
 Why does it head to crypt? I have in radcheck :
 
  Welcome to psql 8.1.11, the PostgreSQL interactive terminal.
 
  Type:  \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit
 
  radius= select * from radcheck;
   id | username | attribute  | op |  value
  +--+++-
   2 | tuc  | Cleartext-Password | := | ICANSEE
  (1 row)
 
  radius=
 
 Thanks, Tuc

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Move from text to SQL(Postgresql)

2008-05-13 Thread Tuc at T-B-O-H.NET
 
 Hi,
   
   Hey Tuc,
   
   Regarding your issue, check the radiusd.conf file, in the modules{} 
   section
   for
   the pap module settings, you probably have it set to encryption_scheme =
   crypt, if so, change it to clear.
  
  No, it's the standard :
  
  pap {
  auto_header = no
  }
 
 change this to 'yes' so that the PAP module can be more clever
 
I copied the configs from a working MySQL-backed 2.0.3 system. I changed
mysql to postgresql anywhere needed... Still wasn't working. I put in this
suggestion, and :

  rad_check_password:  Found Auth-Type 
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password ICANSEE
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [tuc/ICANSEE] (from 
client localhost port 1812)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - tuc
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated


I don't get it..

Tuc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Move from text to SQL(Postgresql)

2008-05-13 Thread Tuc at T-B-O-H.NET
 
 Tuc at T-B-O-H.NET wrote:
  No, it's the standard :
  
  pap {
  auto_header = no
  }
 
   It looks like you have something else in the system adding a
 Crypt-Password for the user... before the SQL module is called.  Check
 the unix module.  It WILL say something in debug mode about this.
 
RAGAFRASSEN BIDDA FRIGINA..

How the heck come this doesn't do it on the OTHER system. I
have a local unix user there called tuc too, but I had 
tuc User-Password:=ICANSEE on the Linux system (This is FreeBSD)
and it never tripped me up there!

SIGH Thank you very much for pointing out my stupidity.
I'll try to be more aware to look at ALL the debug in the future.

Tuc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Move from text to SQL(Postgresql)

2008-05-13 Thread Tuc at T-B-O-H.NET
 
 Hi,
 
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = tuc, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
   
 
 unix returns updated does it?  so , you have the unix module
 enabled in the authenticate section...which means its looking
 in /etc/password  - and theres a nice entry in there for 'tuc'?
 
Unfortunately, yup, exactly correct. The weird thing is that
I took the config VERBATIM off a functioning Linux/FR2.0.3/MySQL system 
(Changing to postgresql) where I was ALSO a local user, and it never did 
that! As soon as I changed the user to be one NOT in unix, it worked. As
soon as I used my unix password with tuc, it worked. 

Thanks... I didn't even notice it, I was concentrating too
much on the sql section.

Tuc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Move from text to SQL(Postgresql)

2008-05-12 Thread Tuc at T-B-O-H.NET
Hi,

I've got a new install, and I have it working fine with plain text
files. I'm trying to go this time to Postgresql (Don't ask) and I'm 
just not having a good time of it. I don't get why it's doing the following
(2.0.4 with Postgresql 8.1.11) :

Ready to process requests.
User-Name = tuc
User-Password = ICANSEE
NAS-IP-Address = 192.168.3.128
NAS-Port = 1812
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = tuc, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
expand: %{User-Name} - tuc
rlm_sql (sql): sql_set_user escaped user -- 'tuc'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, UserName, Attribute, Value, Op   FROM radcheck   
WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT id, UserName, 
Attribute, Value, Op   FROM radcheck   WHERE Username = 'tuc'   ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op   FROM 
radcheck   WHERE Username = 'tuc'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): User found in radcheck table
expand: SELECT id, UserName, Attribute, Value, Op   FROM radreply   
WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT id, UserName, 
Attribute, Value, Op   FROM radreply   WHERE Username = 'tuc'   ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op   FROM 
radreply   WHERE Username = 'tuc'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
expand: SELECT GroupName FROM radusergroup WHERE 
UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM 
radusergroup WHERE UserName='tuc' ORDER BY priority
rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE 
UserName='tuc' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type 
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password ICANSEE
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [tuc/ICANSEE] (from 
client localhost port 1812)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - tuc
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds



Why does it head to crypt? I have in radcheck :

Welcome to psql 8.1.11, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
   \h for help with SQL commands
   \? for help with psql commands
   \g or terminate with semicolon to execute query
   \q to quit

radius= select * from radcheck;
 id | username | attribute  | op |  value  
+--+++-
  2 | tuc  | Cleartext-Password | := | ICANSEE
(1 row)

radius=

Thanks, Tuc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Weird shared secret issues

2008-05-04 Thread Tuc at T-B-O-H.NET
 
 hi,
 
 are you sure that there isn't a legacy secret entry in clients.conf
 file?
 
Nope...

[EMAIL PROTECTED] sbin]# more /usr/local/etc/raddb/clients.conf
#**
#**
#**
#**
#**
#**
#   THIS FILE IS NO LONGER USED. UPDATE ALL NAS IN NOC
#**
#**
#**
#**
#**
#**
[EMAIL PROTECTED] sbin]#

I did find the problem (Error between eyes and brain of the tech
installing the units. Put the secret as the community and vice versa.) that
caused me to look into using radtest...

It still leaves one item open. I can't seem to get radclient to
be able to take the NAS-IP-Address and then the secret for that NAS-IP-Address.
It seems no matter what, it wants to use the secret for the localhost. Is
this how it's supposed to work, or is there a bug somewhere?

Thanks, Tuc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Weird shared secret issues

2008-05-04 Thread Tuc at T-B-O-H.NET
 
 Hi,
 
  It still leaves one item open. I can't seem to get radclient to
  be able to take the NAS-IP-Address and then the secret for that 
  NAS-IP-Address.
  It seems no matter what, it wants to use the secret for the localhost. Is
  this how its supposed to work, or is there a bug somewhere?
 
 man radclient
 
 Packet-Dst-IP-Address   - if this attribute is present in the request then
 the packet will be sent to that address.  ie it won't go to 127.0.0.1
 if you specify the real IP of the server.  alternately, use the IP address
 of the server and not its canonical 'localhost' which will always be 127.0.0.1
 unless you've played with the system's IP stack.
 
 alan

I guess I'm not clear in what I was attempting to accomplish, maybe
subsequently I went about it the wrong way.

Tech calls in and says that he can't get an appliance working in the field.
I ask him what secret he's using and the IP address of the appliance. I want to
be able to be locally logged onto the radius server and use radtest/radclient/rad
to be able to query radius asking "If I was IP, and I gave you SECRET, would you
authorize me?".

So I want to be on 1.2.3.4, but say I'm on 3.4.5.6 . Right now, If I
say I'm on 3.4.5.6, it still wants the secret for 1.2.3.4 .

Thanks, Tuc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Weird shared secret issues

2008-05-04 Thread Tuc at T-B-O-H.NET
 
 Hi,
 
  Tech calls in and says that he can't get an appliance working in the 
  field.
  I ask him what secret he's using and the IP address of the appliance. I 
  want to
  be able to be locally logged onto the radius server and use 
  radtest/radclient/rad
  to be able to query radius asking If I was IP, and I gave you SECRET, 
  would you
  authorize me?. 
  
  So I want to be on 1.2.3.4, but say I'm on 3.4.5.6 . Right now, If I
  say I'm on 3.4.5.6, it still wants the secret for 1.2.3.4 .
 
 you want to spoof the source address? tricky.  one 'easy' way to do this would
 be to create a local VPN/GRE tunnel on the linux box under which you could
 emulate a remote link.

 configure freeradius to also listen on that virtual address, run the
 radclient with the destination being the end point of the VPN - the
 linux routing tables would then come into play.  you'd have to
 reconfigure the VPN end addresses etc each time to emulate an
 outside world link...but it would work.
 
Not worth it. All I'm looking to do is get programmatic confirmation
that the ip/secret combination in the field is correct. Since this is an
appliance, not an OS, I don't have access to radtest on the appliance. To
have someone start setting up VPN/GRE/etc is more hassle than it's worth.
I just have to tell the tech to RTFD closer. I was just hoping I could
put together a local form on a webserver that could shell out to a script
to make the test.

We'll just have to suffer. :) (Or ask the manufacturer to include
a utility in the diagnostic section)

Thanks, Tuc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Weird shared secret issues

2008-05-04 Thread Tuc at T-B-O-H.NET
Hi Ivan,

Really, I appreciate the information. I'm sure between the suggestions
given I could do it. However, if it is more than a command line or script on
the radius server itself, it's too involved for the person I have to turn it
over to.  I just saw that radtest took nasname as an option and thought it
would have a bearing on the secret. Not the case, so I know better. :)

Thanks, Tuc

 
 If you have a spare box on a local network, switch that supports VLANs
 and a router that can tag VLANs - you can spoof the whole outside
 network with simple IP/VLAN configuration:
 
 configure a gateway IP interface for the network you want to spoof on
 your router and tag it with testing VLAN ID - that will create a locally
 connected routing table entry - no creative manual entries needed
 
 configure testing VLAN ID on the switchport to which you will connect the
 testing box
 
 configure IP you want to spoof on the testing box
 
 That shouldn't take more than 5 minutes. Just make sure that you remove
 the spoofed gateway interface from the router after testing in order to
 be able to use the real network.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 4/5/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:
 
 
  Hi,
 
Tech calls in and say that he can't get an appliance working in the 
   field.
   I ask him what secret he's using and the IP address of the appliance. I 
   want to
   be able to be locally logged onto the radius server and use 
   radtest/radclient/rad
   to be able to query radius asking If I was IP, and I gave you SECRET, 
   would you
   authorize me?.
  
So I want to be on 1.2.3.4, but say I'm on 3.4.5.6 . Right now, If I
   say I'm on 3.4.5.6, it still wants the secret for 1.2.3.4 .
 
  you want to spoof the source address? tricky.  one 'easy' way to do this 
  would
  be to create a local VPN/GRE tunnel on the linux box under which you could
  emulate a remote link.
 
  configure freeradius to also listen on that virtual address, run the
  radclient with the destination being the end point of the VPN - the
  linux routing tables would then come into play.  you'd have to
  reconfigure the VPN end addresses etc each time to emulate an
  outside world link...but it would work.
 
  Not worth it. All I'm looking to do is get programmatic confirmation
 that the ip/secret combination in the field is correct. Since this is an
 appliance, not an OS, I don't have access to radtest on the appliance. To
 have someone start setting up VPN/GRE/etc is more hassle than it's worth.
 I just have to tell the tech to RTFD closer. I was just hoping I could
 put together a local form on a webserver that could shell out to a script
 to make the test.
 
  We'll just have to suffer. :) (Or ask the manufacturer to include
 a utility in the diagnostic section)
 
  Thanks, Tuc
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 
 
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Weird shared secret issues

2008-05-01 Thread Tuc at T-B-O-H.NET
Hi,

I have a record for 127.0.0.1, and for the ip of the machine
itself (Fixed dedicated IP).

The end result is that I found that no matter what IP I
used to pass on the NAS-IP-Address, it used the machine's IP to match
the secret. The problem I had is we placed the device out in the field,
and I wanted to verify the tech used the right secret. I was hoping to
be able to tell radclient to pretend it was another IP, and therefore
search for that IP's secret to try. Unfortunately, it doesn't seem like
it has that capability. I don't understand what use then is the ability
to change the NAS-IP-Address if it still only cared about the secret
for the local machine.

Thanks, Tuc
 
 Hey Tuc,
 
 This might happen because of interface changes.
 Also add a record to the nas table for the 127.0.0.1 ip address (or the
 other
 IP address you have configured on your ethernet interface).
 And I'm also assuming you have configured the nas table in sql.conf
 
 
 Regards,
 Liran Tal.
 
 On Wed, Apr 30, 2008 at 11:41 PM, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
 
  Hi,
 
 Running FreeRadius 2.0.3 built from source on Centos 5.1 with
  a Mysql 5.0.45 back end.
 
 We've been doing testing on our setup for MONTHS (First FR1,
  now FR2) and its been flawless. Today we went to put our first unit into
  production and am having issues.
 
 We are reading NAS from SQL. The entry is :
 
  (3,'192.168.25.13','SBC-1918','other',0,'KhLcPALLdzTcJs3f','GLRXTAFLfhf3N4zT','First
  Install')
 
 From the user table I have :
 
  (1, 'tuc','User-Password',':=','PLAINTEXT')
 
 And when I run :
 
  #!/bin/sh
  (echo 'User-Name = "tuc"'
  echo 'User-Password = "PLAINTEXT"'
  echo 'NAS-IP-Address = 192.168.25.13'
  echo 'NAS-Port = 0') | /usr/local/bin/radclient -x localhost auth KhLcPALLdzTcJs3f
 
 I get :
 
  [EMAIL PROTECTED] ~]# sh TESTRAD
 User-Name = "tuc"
 User-Password = "PLAINTEXT"
 NAS-IP-Address = 192.168.25.13
 NAS-Port = 0
  rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
  with invalid signature (err=2)!  (Shared secret is incorrect.)
 
 and in radius.log I see :
 
  Wed Apr 30 16:38:43 2008 : Auth: Login incorrect:
  [tuc/eY\261???\226`\305\020y\366/??\333] (from client localhost port 0)
 
 
 
 HELP... I can't see what I'm doing wrong.
 
 Thanks, Tuc
 
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
 
 

Weird shared secret issues

2008-04-30 Thread Tuc at T-B-O-H.NET
Hi,

Running FreeRadius 2.0.3 built from source on Centos 5.1 with
a Mysql 5.0.45 back end.

We've been doing testing on our setup for MONTHS (First FR1,
now FR2) and its been flawless. Today we went to put our first unit into
production and am having issues.

We are reading NAS from SQL. The entry is :

(3,'192.168.25.13','SBC-1918','other',0,'KhLcPALLdzTcJs3f','GLRXTAFLfhf3N4zT','First
 Install')

From the user table I have :

(1, 'tuc','User-Password',':=','PLAINTEXT')

And when I run :

#!/bin/sh
(echo 'User-Name = "tuc"'
echo 'User-Password = "PLAINTEXT"'
echo 'NAS-IP-Address = 192.168.25.13'
echo 'NAS-Port = 0') | /usr/local/bin/radclient -x localhost auth KhLcPALLdzTcJs3f

I get :

[EMAIL PROTECTED] ~]# sh TESTRAD
User-Name = "tuc"
User-Password = "PLAINTEXT"
NAS-IP-Address = 192.168.25.13
NAS-Port = 0
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with 
invalid signature (err=2)!  (Shared secret is incorrect.)

and in radius.log I see :

Wed Apr 30 16:38:43 2008 : Auth: Login incorrect: 
[tuc/eY\261???\226`\305\020y\366/??\333] (from client localhost port 0)



HELP... I can't see what I'm doing wrong.

Thanks, Tuc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
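The packet mechanics behind this thread (radclient's "invalid signature ... Shared secret is incorrect") and behind the Accounting-Request/Accounting-Response question earlier on the page, as an added Python example that is not part of the list posts or of FreeRADIUS. It rebuilds the Accounting-On packet from the Net::Radius snippet, computes the RFC 2866 request authenticator, has a toy server pick the secret by the packet's source address (as FreeRADIUS does with clients.conf or the nas table; the NAS-IP-Address attribute plays no part), and verifies the response the way rad_verify does. The client table, secrets and addresses are constructed.

```python
import hashlib
import hmac
import socket
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5

# RFC 2865/2866 attribute type codes for the attributes in the post.
NAS_IP_ADDRESS, CALLED_STATION_ID, NAS_IDENTIFIER = 4, 30, 32
ACCT_STATUS_TYPE, ACCT_TERMINATE_CAUSE = 40, 49
ACCOUNTING_ON = 7    # Acct-Status-Type value
NAS_REBOOT = 11      # Acct-Terminate-Cause value

# Constructed client table, keyed the way clients.conf / the nas table
# are: by the address the packet arrives from.
CLIENTS = {"127.0.0.1": b"testing123", "192.168.3.100": b"nas01-secret"}


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length covers the header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def accounting_on_attrs(nas_ip: str, called_station: str, nas_id: str) -> bytes:
    """The attribute list of the Accounting-On packet dumped in the post."""
    return b"".join([
        avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCOUNTING_ON)),
        avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        avp(CALLED_STATION_ID, called_station.encode()),
        avp(NAS_IDENTIFIER, nas_id.encode()),
        avp(ACCT_TERMINATE_CAUSE, struct.pack("!I", NAS_REBOOT)),
    ])


def header(code: int, ident: int, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs))


def build_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request. RFC 2866: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    The zero octets are the placeholder the Net::Radius dump shows in its
    Authentic field before the packet goes out."""
    hdr = header(ACCT_REQUEST, ident, attrs)
    auth = hashlib.md5(hdr + bytes(16) + attrs + secret).digest()
    return hdr + auth + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the Request Authenticator with the secret of
    the client the packet came from. Unlike an Access-Request, whose
    authenticator is random, this one is checkable."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(request: bytes, secret: bytes) -> bytes:
    """Accounting-Response with no attributes. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return hdr + hashlib.md5(hdr + request[4:20] + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side (what radclient / rad_verify does). False here is the
    'invalid signature ... Shared secret is incorrect' case in the thread."""
    hdr, auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(hdr + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def server_handle(packet: bytes, source_ip: str):
    """Secret selection is by source address only. An unknown client or a
    bad authenticator gets no reply (the server logs it and drops it)."""
    secret = CLIENTS.get(source_ip)
    if secret is None or not verify_request(packet, secret):
        return None
    return build_response(packet, secret)


def exchange(source_ip: str, client_secret: bytes, ident: int = 1) -> str:
    """One Accounting-On round trip from a client at source_ip."""
    attrs = accounting_on_attrs("192.168.3.100", "00-BD-5D-FD-4D-38", "nas01")
    req = build_request(ident, attrs, client_secret)
    resp = server_handle(req, source_ip)
    if resp is None:
        return "no response"          # radclient would report a timeout
    if not verify_response(resp, req, client_secret):
        return "Shared secret is incorrect"
    return "ok"


# exchange("192.168.3.100", b"nas01-secret") -> "ok"
# exchange("127.0.0.1", b"nas01-secret")     -> "no response": sent from
# localhost, the packet is checked against the localhost secret no matter
# what NAS-IP-Address it carries.
```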

Re: NAS list update without restarting radius server.

2008-04-12 Thread Tuc at T-B-O-H.NET
Hi Ivan,

Thanks for the reply. I think it's starting to sink in. :)
I have to test out how we'll do a bit of it, but I think I get the
gist of it. I don't see how any of the netmask, require_message_authenticator
or virtual_server fit into it... But since I wasn't using it anyway, I
won't push my luck. ;) (Unless for netmask you're saying the nasname
could be 192.168.3.0/24)

Thanks, Tuc

 nasname on your AP goes into NAS-Identifier field in access request.
 It's not the same as nasname in nas table which takes NAS IP or FQDN.
 You can put it in shortname field. Secret per NAS = Secret per NAS
 IP address.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 On 11/4/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:
 
 Hi,
 
  If I choose DNS name, and I don't fully qualify it,
 does it follow the standard BIND rules of using the domain
 setting, or going down the search path?
 
  Reason I'm trying to avoid the IP or the FQDN is that
 I was hoping to use the nasname along with the secret in
 the UAM program I'm using for a Secret per NAS situation.
 The hotspots are already using just a nasname currently (Which
 is just something like SBC-1427). (Then again, getting the
 client to put all the NAS into DNS is going to be a tough
 sell too)
 
  Thanks, Tuc
 
  IP address (or DNS name) goes into nasname field.
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
  On 11/4/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:
 
  Hi,
  
I had actually kept this email in my queue to implement
  someday. Today is someday. But I have a question.
  
The config file contains IP addresses, which the nas.sql
  doesn't. How do I sync up the format of the clients.conf with
  the nas.sql?
  
  client nas_shortname {
ipaddr = ??
(or)
ipv6addr = 
netmask = 
secret = nas_secret
require_message_authenticator = 
shortname = nas_shortname
nastype = nas_type
virtual_server = 
  }
  
Thanks, Tuc
  
   Hi,
  
   in sql.conf it says:
  
   Set readclients to 'yes' to read radius clients from the database
   ('nas' table)
   Clients will ONLY be read on server startup.  For performance
   and security reasons, finding clients via SQL queries CANNOT
   be done live while the server is running.
  
   Best,
   Walter
  
  
   Am 22.01.2008 um 19:30 schrieb Pawel Cieplinski:
  
Hi there
   
   
   
 Everything works fine so far, but after adding a new NAS to DB,
 the radius server needs a restart to read this data. I am trying to
 manipulate the NAS list without restarting freeradius, but due to lack
 of documentation, could you help me with that please?
   
   
   
Pawel Cieplinski
 
 
 
 
 
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
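The thread above settles how the SQL nas table lines up with a clients.conf client block: nasname holds the NAS IP address or DNS name (so it feeds ipaddr), shortname holds the local name, type feeds nastype, secret is per NAS, and server names the virtual server. The following script is an added example, not part of the mailing-list thread and not FreeRADIUS code. It renders client blocks from nas rows and runs the checks a reviewer would want before trusting the table: nasname must be an IP address or a DNS name (a CIDR network like 192.168.3.0/24 is rejected), a bare unqualified name is flagged because its resolution depends on the resolver's search list, and blank or schema-default secrets are rejected. The rows, the 16-character secret policy and the in-memory SQLite table standing in for MySQL are all constructed for the example.

```python
"""Render FreeRADIUS client {} blocks from rows of the SQL nas table.

Added example, not from the thread and not FreeRADIUS code.  Mapping used:
nasname -> ipaddr, shortname -> shortname, type -> nastype,
secret -> secret, server -> virtual_server.
"""
import ipaddress
import re
import sqlite3

# Column subset of the stock nas table (id, nasname, shortname, type, secret, server).
NAS_SCHEMA = """
CREATE TABLE nas (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    nasname   TEXT NOT NULL,
    shortname TEXT,
    type      TEXT DEFAULT 'other',
    secret    TEXT NOT NULL DEFAULT 'secret',
    server    TEXT
);
"""

# Constructed sample rows: (nasname, shortname, type, secret, server).
SAMPLE_ROWS = [
    ("192.168.3.10", "SBC-1427", "other", "s3cr3t-for-sbc-1427", None),
    ("ap.hotspot.example.net", "TBOH2173", "other", "another-long-secret", "hotspot"),
    ("SBC-1427", "SBC-1427-byname", "other", "a-sixteen-char-secret!", None),  # bare NAS name used as nasname
    ("192.168.3.0/24", "bad-cidr", "other", "x", None),                        # a network, not a host
    ("192.168.3.11", "default-secret", "other", "secret", None),               # schema default secret
]

# RFC 1123 style host name: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)
MIN_SECRET_LEN = 16  # local policy assumption, not a FreeRADIUS requirement


def classify_nasname(nasname):
    """'ipaddr', 'ipv6addr', 'dns', or None when the value is not a host."""
    try:
        addr = ipaddress.ip_address(nasname)
    except ValueError:
        return "dns" if HOSTNAME_RE.match(nasname) else None
    return "ipaddr" if addr.version == 4 else "ipv6addr"


def check_row(nasname, shortname, secret):
    """Return (usable, notes); a fatal problem makes the row unusable."""
    notes, usable = [], True
    kind = classify_nasname(nasname)
    if kind is None:
        notes.append(f"{shortname}: nasname {nasname!r} is neither an IP address nor a DNS name")
        usable = False
    elif kind == "dns" and "." not in nasname:
        notes.append(f"{shortname}: nasname {nasname!r} is unqualified; resolution depends on the resolver search list")
    if not secret or secret == "secret":
        notes.append(f"{shortname}: secret is blank or the schema default")
        usable = False
    elif len(secret) < MIN_SECRET_LEN:
        notes.append(f"{shortname}: secret shorter than {MIN_SECRET_LEN} characters")
    return usable, notes


def render_client(nasname, shortname, nastype, secret, server):
    """One clients.conf block in the layout quoted in the thread."""
    directive = "ipv6addr" if classify_nasname(nasname) == "ipv6addr" else "ipaddr"
    lines = [
        f"client {shortname} {{",
        f"\t{directive} = {nasname}",
        f"\tsecret = {secret}",
        f"\tshortname = {shortname}",
        f"\tnastype = {nastype}",
    ]
    if server:
        lines.append(f"\tvirtual_server = {server}")
    lines.append("}")
    return "\n".join(lines)


def open_nas_db(rows):
    """In-memory stand-in for the MySQL nas table, loaded with the given rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(NAS_SCHEMA)
    db.executemany(
        "INSERT INTO nas (nasname, shortname, type, secret, server) VALUES (?, ?, ?, ?, ?)", rows)
    db.commit()
    return db


def nas_to_clients_conf(db):
    """Return (clients.conf text, notes); rows failing a fatal check are left out."""
    blocks, notes = [], []
    for nasname, shortname, nastype, secret, server in db.execute(
            "SELECT nasname, shortname, type, secret, server FROM nas ORDER BY id"):
        usable, row_notes = check_row(nasname, shortname, secret)
        notes.extend(row_notes)
        if usable:
            blocks.append(render_client(nasname, shortname, nastype, secret, server))
    return "\n\n".join(blocks), notes


def convert_sample():
    """Run the conversion over the constructed rows."""
    return nas_to_clients_conf(open_nas_db(SAMPLE_ROWS))


if __name__ == "__main__":
    text, notes = convert_sample()
    print(text)
    for note in notes:
        print("#", note)
```

Of the five constructed rows, three are rendered; the CIDR row and the default-secret row are reported and skipped, and the bare "SBC-1427" nasname is rendered but flagged, which is the situation Ivan warns about: the AP's own name belongs in NAS-Identifier (or the shortname column), not in nasname.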

Re: NAS list update without restarting radius server.

2008-04-11 Thread Tuc at T-B-O-H.NET
Hi,

I had actually kept this email in my queue to implement
someday. Today is someday. But I have a question. 

The config file contains IP addresses, which the nas.sql
doesn't. How do I sync up the format of the clients.conf with
the nas.sql?

client nas_shortname {
ipaddr = ??
(or)
ipv6addr = 
netmask = 
secret = nas_secret
require_message_authenticator = 
shortname = nas_shortname
nastype = nas_type
virtual_server = 
}

Thanks, Tuc
 
 Hi,
 
 in sql.conf it says:
 
 Set readclients to 'yes' to read radius clients from the database  
 ('nas' table)
 Clients will ONLY be read on server startup.  For performance
 and security reasons, finding clients via SQL queries CANNOT
 be done live while the server is running.
 
 Best,
 Walter
 
 
 On 22.01.2008 at 19:30 Pawel Cieplinski wrote:
 
  Hi there
 
 
 
  Everything works fine so far, but after adding a new NAS to DB,
  the radius server needs a restart to read this data. I am trying to
  manipulate the nas list without restarting freeradius, but due to lack
  of documentation could you help me with that please.
 
 
 
  Pawel Cieplinski
 



Re: Restrict to initial NAS used to logon

2008-04-11 Thread Tuc at T-B-O-H.NET
Hi,

I will have to consider the NAS-Identifier replacing NAS-IP-Address.
This is not for our use, this is at a customer site. I'm leery about using
a field for something other than its intention (Or adding a field that is
unexpected) due to the possibility of them installing a package later on
that has certain expectations of the data being a certain way.

I later realized that SOMETHING would need to be set in the
radcheck, but was hoping for it to be a bit self-contained. I
see things like the Simultaneous use, and the ability to check max
access-period, and was hoping I could somehow tell the system
to SELECT the nasname (if that field existed) from radacct, and
compare against the current nasname from the record. If there was
no current, go ahead. If there was a current, if it matched go
ahead. Maybe even something with the COUNT of unique nasname,
and if it was 0, it's ok. If it's 1, better match the current one.
 
 NAS-Identifier is not stored in radacct by default. But you can add it to
 or replace NAS-IP-Address with it in radacct table and accounting
 queries.
 
 radacct is used for - accounting. You need to put NAS-Identifier check in
 radcheck to stop users from connecting from other APs. You can run a script
 at logon to insert it or run an outside script at certain intervals that
 will set it up for you. Anyway you need to:
 
 - check radacct if user has logged on before
 - if not insert NAS-Identifier check into radcheck table with the value
 of the current request
 
 If you add NAS-Identifier field into radacct table you don't need to add
 anything into radcheck. Just run a script at logon that will:
 
 - check radacct to see if user had logged on before
 - if he had, check that the value of NAS-Identifier in the request matches the
 one in radacct table

I was trying to avoid as much outside stuff as possible. I guess I
could perl it if it means that much to me. I was just hoping after seeing
some of the sqlcounter stuff, if there was some way to accomplish it 
that way.

Thanks, Tuc 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 
 On 10/4/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:
 
Is anyone doing anything like this already?
 
They usually use equipment that sends a NAS identifier.
 
 Hi,
 
  Sorry for a second followup, but I just looked over
 the radacct file and don't see anywhere that NAS-Identifier would
 be stored. Or are you saying that I need to still use the
 %{NAS-Identifier} in some sort of check-name?
 
  Thanks, Tuc
 
 
 
 
 


Re: NAS list update without restarting radius server.

2008-04-11 Thread Tuc at T-B-O-H.NET
Hi,

If I choose DNS name, and I don't fully qualify it, 
does it follow the standard BIND rules of using the domain
setting, or going down the search path?

Reason I'm trying to avoid the IP or the FQDN is that
I was hoping to use the nasname along with the secret in
the UAM program I'm using for a Secret per NAS situation.
The hotspots are already using just a nasname currently (Which
is just something like SBC-1427). (Then again, getting the
client to put all the NAS into DNS is going to be a tough
sell too)

Thanks, Tuc
 
 IP address (or DNS name) goes into nasname field.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 11/4/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] writes:
 
 Hi,
 
  I had actually kept this email in my queue to implement
 someday. Today is someday. But I have a question.
 
  The config file contains IP addresses, which the nas.sql
 doesn't. How do I sync up the format of the clients.conf with
 the nas.sql?
 
 client nas_shortname {
  ipaddr = ??
  (or)
  ipv6addr = 
  netmask = 
  secret = nas_secret
  require_message_authenticator = 
  shortname = nas_shortname
  nastype = nas_type
  virtual_server = 
 }
 
  Thanks, Tuc
 
  Hi,
 
  in sql.conf it says:
 
  Set readclients to 'yes' to read radius clients from the database
  ('nas' table)
  Clients will ONLY be read on server startup.  For performance
  and security reasons, finding clients via SQL queries CANNOT
  be done live while the server is running.
 
  Best,
  Walter
 
 
  On 22.01.2008 at 19:30 Pawel Cieplinski wrote:
 
   Hi there
  
  
  
   Everything works fine so far, but after adding a new NAS to DB,
   the radius server needs a restart to read this data. I am trying to
   manipulate the nas list without restarting freeradius, but due to lack
   of documentation could you help me with that please.
  
  
  
   Pawel Cieplinski


Restrict to initial NAS used to logon

2008-04-10 Thread Tuc at T-B-O-H.NET
Hi,

Looking to restrict a user to only be able to log in
and re-log in to the initial NAS they first ever logged onto.
(Hotspot)  Looking at the radacct file where it looks like
the check-items normally go against, I'm not seeing anything I
can use as an identifier. The nasipaddress is always 0.0.0.0.
Maybe calledstationid, except if we swap equipment out during
the lifetime of a user's id it won't match. 

Is anyone doing anything like this already?

Thanks, Tuc


Re: Restrict to initial NAS used to logon

2008-04-10 Thread Tuc at T-B-O-H.NET
 
 Tuc at T-B-O-H.NET wrote:
  Looking to restrict a user to only be able to log in
  and re-log in to the initial NAS they first ever logged onto.
  (Hotspot)  Looking at the radacct file where it looks like
  the check-items normally go against, I'm not seeing anything I
  can use as an identifier. The nasipaddress is always 0.0.0.0.
  Maybe calledstationid, except if we swap equipment out during
  the lifetime of a user's id it won't match. 
  
  Is anyone doing anything like this already?
 
   They usually use equipment that sends a NAS identifier.

Hrm I just originally went on the assumption that the sending
side was partially braindead, and wasn't sending it. Your comment
made me dump a session on 1812 and 1813...
1812:
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x0 (0)
Length: 216
Authenticator: A9A4B05B3C01784A8DF58849DB987135
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=5  t=User-Name(1): tuc
AVP: l=18  t=CHAP-Challenge(60): 894209E703975A194529D13926790197
AVP: l=19  t=CHAP-Password(3): 0A6E0AEA789A9A0AF0E2A7F15B04E6A289
AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
AVP: l=6  t=Service-Type(6): Login-User(1)
AVP: l=6  t=Framed-IP-Address(8): 192.168.182.4
AVP: l=19  t=Calling-Station-Id(31): 00-10-A4-10-8D-A6
AVP: l=19  t=Called-Station-Id(30): 00-16-01-91-E9-46
AVP: l=10  t=NAS-Identifier(32): TBOH2173
AVP: l=18  t=Acct-Session-Id(44): 47fe006e
AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=6  t=NAS-Port(5): 0
AVP: l=18  t=Message-Authenticator(80): F0AE0A9EE7DAC32F9AA6089A5A9C3A70
AVP: l=40  t=Vendor-Specific(26) v=WISPr(14122)

1813:

Radius Protocol
Code: Accounting-Request (4)
Packet identifier: 0x6 (6)
Length: 142
Authenticator: 48DCF71BE50EC2E9ECC17825FB6D2417
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=6  t=Acct-Status-Type(40): Start(1)
AVP: l=5  t=User-Name(1): tuc
AVP: l=11  t=Class(25): 303730333435363738
AVP: l=19  t=Calling-Station-Id(31): 00-10-A4-10-8D-A6
AVP: l=19  t=Called-Station-Id(30): 00-16-01-91-E9-46
AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=6  t=NAS-Port(5): 0
AVP: l=10  t=NAS-Port-Id(87): 
AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
AVP: l=10  t=NAS-Identifier(32): TBOH2173
AVP: l=6  t=Framed-IP-Address(8): 192.168.182.4
AVP: l=18  t=Acct-Session-Id(44): 47fe006e


So it looks like it's sending it, just not making it into
the radacct files. :-/ So where to start looking for that?

   Or, use the Packet-Src-IP-Address attribute.
 
That's gonna take a bit of headscratching to figure out
about. :) But thanks for the lead.

Tuc
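The packet dumps above show that the AP does send NAS-Identifier (TBOH2173) in both the Access-Request and the Accounting-Request while NAS-IP-Address is 0.0.0.0, so the attribute is usable as the key once the accounting query stores it. The script below is an added example, not part of the thread and not FreeRADIUS code. It models the procedure Ivan Kalik lays out earlier in the "Restrict to initial NAS used to logon" thread: keep NAS-Identifier in a radacct column, and at logon either pin the user by inserting a NAS-Identifier check item into radcheck or compare the request against the NAS already on record. The tables are cut down to the columns the logic touches and live in an in-memory SQLite database standing in for MySQL; the extra nasidentifier column, the sample Start record (values taken from the dump above) and the second user are constructed for the example.

```python
"""Pin a hotspot user to the NAS they first logged on from.

Added example, not FreeRADIUS code.  Follows the steps from the thread:
  - check radacct for an earlier logon by this user
  - if none, insert a NAS-Identifier check item into radcheck from the request
  - otherwise require the request's NAS-Identifier to match the stored one
"""
import sqlite3

# Reduced radacct/radcheck schemas (assumption: the stock FreeRADIUS tables
# carry many more columns; 'nasidentifier' is the column suggested in the thread).
SCHEMA = """
CREATE TABLE radacct (
    radacctid     INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid TEXT NOT NULL,
    username      TEXT NOT NULL,
    nasipaddress  TEXT NOT NULL,
    nasidentifier TEXT,
    acctstarttime TEXT,
    acctstoptime  TEXT
);
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
);
"""

# Constructed Accounting-Request Start; values taken from the dump in the thread.
SAMPLE_ACCT_START = {
    "Acct-Status-Type": "Start",
    "User-Name": "tuc",
    "NAS-IP-Address": "0.0.0.0",   # the AP sends 0.0.0.0, so it cannot serve as the key
    "NAS-Identifier": "TBOH2173",
    "Acct-Session-Id": "47fe006e",
}


def open_db():
    """Fresh in-memory database holding both tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def accounting_start(db, avps):
    """Store a Start record, keeping NAS-Identifier next to NAS-IP-Address."""
    if avps.get("Acct-Status-Type") != "Start":
        raise ValueError("only Start records are handled in this example")
    db.execute(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress, nasidentifier,"
        " acctstarttime) VALUES (?, ?, ?, ?, datetime('now'))",
        (avps["Acct-Session-Id"], avps["User-Name"], avps["NAS-IP-Address"],
         avps.get("NAS-Identifier")),
    )
    db.commit()


def pin_user(db, username, nas_identifier):
    """Insert the check item FreeRADIUS would evaluate: NAS-Identifier == value."""
    db.execute(
        "INSERT INTO radcheck (username, attribute, op, value)"
        " VALUES (?, 'NAS-Identifier', '==', ?)",
        (username, nas_identifier),
    )
    db.commit()


def pinned_nas(db, username):
    """NAS-Identifier the user is bound to, or None if the user was never seen.

    radcheck is consulted first.  If no check item exists yet, the oldest
    radacct record carrying a NAS-Identifier is used and turned into one,
    which is the 'outside script at certain intervals' step done lazily.
    """
    row = db.execute(
        "SELECT value FROM radcheck WHERE username = ? AND attribute = 'NAS-Identifier'",
        (username,),
    ).fetchone()
    if row:
        return row[0]
    first = db.execute(
        "SELECT nasidentifier FROM radacct WHERE username = ? AND nasidentifier IS NOT NULL"
        " ORDER BY radacctid LIMIT 1",
        (username,),
    ).fetchone()
    if first is None:
        return None
    pin_user(db, username, first[0])
    return first[0]


def authorize(db, username, nas_identifier):
    """Decide an Access-Request; returns (accept, reason)."""
    if not nas_identifier:
        return False, "request carries no NAS-Identifier"
    current = pinned_nas(db, username)
    if current is None:
        pin_user(db, username, nas_identifier)   # first logon: bind to this NAS
        return True, f"first logon, pinned to {nas_identifier}"
    if current == nas_identifier:
        return True, f"matches pinned NAS {current}"
    return False, f"pinned to {current}, request came from {nas_identifier}"


if __name__ == "__main__":
    db = open_db()
    print(authorize(db, "tuc", "TBOH2173"))
    accounting_start(db, SAMPLE_ACCT_START)
    print(authorize(db, "tuc", "SBC-1427"))
```

Once the radcheck row exists, the server itself enforces it on every Access-Request without any outside script, which is what the thread recommends; the lazy radacct lookup only covers users who logged on before the column was added.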


Re: Restrict to initial NAS used to logon

2008-04-10 Thread Tuc at T-B-O-H.NET
  Is anyone doing anything like this already?
 
   They usually use equipment that sends a NAS identifier.
 
Hi,

Sorry for a second followup, but I just looked over
the radacct file and don't see anywhere that NAS-Identifier would
be stored. Or are you saying that I need to still use the
%{NAS-Identifier} in some sort of check-name?

Thanks, Tuc


rlm_sqlcounter + reset=never

2008-03-20 Thread Tuc at T-B-O-H.NET
Hi,

I'm using the sqlcounter noresetcounter which sets the reset to
never. When it sends back the reply, it ends up looking like:

Your maximum never usage time has been reached

Is there a way to change it short of just changing the line:

snprintf(msg, sizeof(msg), "Your maximum %s usage time has been reached",
data->reset);

not to insert data->reset?

Thanks, Tuc


clients.conf and SQL?

2007-12-30 Thread Tuc at T-B-O-H.NET
Hi,

I can't seem to find any reference to making the
contents of the clients.conf accessible via SQL. We are
constantly making edits, and having to constantly reload
the server doesn't make sense.

Pointers to where I missed putting it into 
MySQL, or if anyone knows how to would be appreciated.

Thanks, Tuc