Re: sqlippool reject authentication if no IP?

2007-06-29 Thread Hugh Messenger
Peter Nixon [EMAIL PROTECTED] said:
 On Thu 28 Jun 2007, Hugh Messenger wrote:
  Peter Nixon [EMAIL PROTECTED] said:
   On Thu 28 Jun 2007, Alan DeKok wrote:
Hugh Messenger wrote:
 With my current configuration, if sqlippool cannot assign an IP, the
 authentication still succeeds.
   
  The module returns NOOP.  It could arguably return fail.
 
  Just a nitpick, but for pool depletion it returns 'notfound'.
 
 Can you suggest a better return code?

Not at all.  I was just responding to Alan's comment above that the module
returns NOOP.  My bad, trying to respond to two people in one email.

 I am assuming you have already read:
 http://wiki.freeradius.org/Rlm_sqlippool
 
 If not please do so :-)

I had read it (several times) but as is often the case I misunderstood some
of it.  I now realize the failover example does do what I'd expect (not
failing over on a notfound).

  Speaking of which.  What would be the simplest way of having an email
  alert if a 'notfound' happens?  This is all for PPPOE wireless clients,
  which are carefully provisioned.  So we should never end up running out
  of dynamic pool space, and I need to know about it if we do.
 
 logwatch/swatch/splunk etc ;-)

I'm a splunker, as it happens.  Which was indeed what I figured I'd use if
there was no built in mechanism.

[inserted from your followup mail]
 Of course you COULD write an external mail script and run it as a
 radiusd exec module. (or something with rlm_perl/rlm_python)

I've been looking for a simple test case to try out rlm_perl, I might give
that a go.

 Peter Nixon
 http://www.peternixon.net/
 PGP Key: http://www.peternixon.net/public.asc

As usual, thanks for your help.

   -- hugh


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
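
Added example, not part of the thread and not FreeRADIUS code: a small log watcher of the logwatch/swatch kind discussed above, which raises one alert per pool per cooldown window when pool exhaustion shows up in radius.log. The log message wording, the pool name and the mail addresses are assumptions; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed sample lines in radius.log layout. The message wording is an
# assumption: adjust POOL_EMPTY to whatever your server actually logs.
SAMPLE_LOG = """\
Thu Jun 28 14:02:11 2007 : Info: IP Allocation FAILED from pppoe-dynamic (user alice)
Thu Jun 28 14:02:40 2007 : Auth: Login OK: [bob] (from client mtik1 port 7)
Thu Jun 28 14:03:05 2007 : Info: IP Allocation FAILED from pppoe-dynamic (user carol)
Thu Jun 28 14:20:00 2007 : Info: IP Allocation FAILED from pppoe-dynamic (user dave)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : \w+: (?P<msg>.*)$")
POOL_EMPTY = re.compile(r"IP Allocation FAILED from (?P<pool>\S+)")


def find_depletion_alerts(lines, cooldown=timedelta(minutes=10)):
    """Return one alert per pool per cooldown window, so a burst of
    rejected logins produces a single mail instead of a flood."""
    last_sent = {}
    alerts = []
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        hit = m and POOL_EMPTY.search(m.group("msg"))
        if not hit:
            continue
        when = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        pool = hit.group("pool")
        if pool in last_sent and when - last_sent[pool] < cooldown:
            continue  # already alerted for this pool recently
        last_sent[pool] = when
        alerts.append({"when": when, "pool": pool, "line": m.group("msg")})
    return alerts


def build_mail(alert, sender="radius@example.net", rcpt="noc@example.net"):
    """Build (not send) the alert; pass it to smtplib.SMTP.send_message()."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    # Only the pool name (no whitespace) goes into a header; the rest of the
    # log line can carry user-supplied names, so it stays in the body.
    msg["Subject"] = f"sqlippool: pool {alert['pool']} exhausted"
    msg.set_content(f"{alert['when']:%Y-%m-%d %H:%M:%S}\n{alert['line']}\n")
    return msg


if __name__ == "__main__":
    for a in find_depletion_alerts(SAMPLE_LOG.splitlines()):
        print(build_mail(a))
```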


Re: sqlippool reject authentication if no IP?

2007-06-28 Thread Hugh Messenger
Peter Nixon [EMAIL PROTECTED] said:
 On Thu 28 Jun 2007, Alan DeKok wrote:
  Hugh Messenger wrote:
   With my current configuration, if sqlippool cannot assign an IP, the
   authentication still succeeds.
 
The module returns NOOP.  It could arguably return fail.

Just a nitpick, but for pool depletion it returns 'notfound'.

   How can I set things up so if no IP is available, the authentication
   will fail with some informative Reply-Message, like the simultaneous
   use session control does?
 
Use configurable failover (see doc/configurable_failover).  It's not
  yet integrated into the unlang nicely.  I'd like to do that before
  releasing -pre2.
 
 Yeah. It's currently designed to allow you to run two copies of the module
 side by side and have the second one assign the IP if the first one
 doesn't (Simply by listing one module after the other). This is to allow
 replicated pools on 2 different physical database servers. Additionally I
 use it with one table for dynamic ips, and a separate table for static ips.

OK, that makes sense.  I see why it returns 'NOOP' rather than 'fail'.

Wow, that was easy!  Freeradius rocks.  I just skimmed the
configurable_failover doc, and tried this:

post-auth {
        #  Get an address from the IP Pool.
        sqlippool {
                # not much point auth'ing them if we can't give them an IP
                notfound = reject
                noop = reject
        }
        ...
}

... which seems to do exactly what I need.  When I add a second sql server,
I'll work out how to handle the noop so it fails over, whilst still
rejecting on a notfound.

OK, that's the functionality.  How about setting the informative
Reply-Message?  Even if the customer doesn't see them, at least it'll be in
my Mtik logs.

Speaking of which.  What would be the simplest way of having an email alert
if a 'notfound' happens?  This is all for PPPOE wireless clients, which are
carefully provisioned.  So we should never end up running out of dynamic
pool space, and I need to know about it if we do.

 Peter Nixon
 http://www.peternixon.net/
 PGP Key: http://www.peternixon.net/public.asc

   -- hugh




Re: sqlippool reject authentication if no IP?

2007-06-28 Thread Peter Nixon
On Thu 28 Jun 2007, Hugh Messenger wrote:
 Peter Nixon [EMAIL PROTECTED] said:
  On Thu 28 Jun 2007, Alan DeKok wrote:
   Hugh Messenger wrote:
With my current configuration, if sqlippool cannot assign an IP, the
authentication still succeeds.
  
 The module returns NOOP.  It could arguably return fail.

 Just a nitpick, but for pool depletion it returns 'notfound'.

Can you suggest a better return code?

How can I set things up so if no IP is available, the authentication
will fail with some informative Reply-Message, like the simultaneous
use session control does?
  
 Use configurable failover (see doc/configurable_failover).  It's not
   yet integrated into the unlang nicely.  I'd like to do that before
   releasing -pre2.
 
  Yeah. It's currently designed to allow you to run two copies of the
  module side by side and have the second one assign the IP if the first
  one doesn't (Simply by listing one module after the other). This is to
  allow replicated pools on 2 different physical database servers.
  Additionally I use it with one table for dynamic ips, and a separate
  table for static ips.

 OK, that makes sense.  I see why it returns 'NOOP' rather than 'fail'.

 Wow, that was easy!  Freeradius rocks.  I just skimmed the
 configurable_failover doc, and tried this:

 post-auth {
         #  Get an address from the IP Pool.
         sqlippool {
                 # not much point auth'ing them if we can't give them an IP
                 notfound = reject
                 noop = reject
         }
         ...
 }

 ... which seems to do exactly what I need.  When I add a second sql
 server, I'll work out how to handle the noop so it fails over, whilst
 still rejecting on a notfound.

I am assuming you have already read:
http://wiki.freeradius.org/Rlm_sqlippool

If not please do so :-)

After you finish reading it, if you have time, please feel free to update/fix 
anything you think is unclear, and add your above config as an example :-)

 OK, that's the functionality.  How about setting the informative
 Reply-Message?  Even if the customer doesn't see them, at least it'll be
 in my Mtik logs.

I think that would be best done in unlang rather than in 

 Speaking of which.  What would be the simplest way of having an email
 alert if a 'notfound' happens?  This is all for PPPOE wireless clients,
 which are carefully provisioned.  So we should never end up running out of
 dynamic pool space, and I need to know about it if we do.

logwatch/swatch/splunk etc ;-)

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: sqlippool reject authentication if no IP?

2007-06-28 Thread Peter Nixon
On Thu 28 Jun 2007, Peter Nixon wrote:
  Speaking of which.  What would be the simplest way of having an email
  alert if a 'notfound' happens?  This is all for PPPOE wireless clients,
  which are carefully provisioned.  So we should never end up running out
  of dynamic pool space, and I need to know about it if we do.

 logwatch/swatch/splunk etc ;-)

Of course you COULD write an external mail script and run it as a 
radiusd exec module. (or something with rlm_perl/rlm_python)

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: sqlippool reject authentication if no IP?

2007-06-27 Thread Alan DeKok
Hugh Messenger wrote:
 With my current configuration, if sqlippool cannot assign an IP, the
 authentication still succeeds.

  The module returns NOOP.  It could arguably return fail.

 How can I set things up so if no IP is available, the authentication
 will fail with some informative Reply-Message, like the simultaneous use
 session control does?

  Use configurable failover (see doc/configurable_failover).  It's not
yet integrated into the unlang nicely.  I'd like to do that before
releasing -pre2.

  Alan DeKok.


Re: sqlippool reject authentication if no IP?

2007-06-27 Thread Peter Nixon
On Thu 28 Jun 2007, Alan DeKok wrote:
 Hugh Messenger wrote:
  With my current configuration, if sqlippool cannot assign an IP, the
  authentication still succeeds.

   The module returns NOOP.  It could arguably return fail.

  How can I set things up so if no IP is available, the authentication
  will fail with some informative Reply-Message, like the simultaneous use
  session control does?

   Use configurable failover (see doc/configurable_failover).  It's not
 yet integrated into the unlang nicely.  I'd like to do that before
 releasing -pre2.

Yeah. It's currently designed to allow you to run two copies of the module 
side by side and have the second one assign the IP if the first one doesn't 
(Simply by listing one module after the other). This is to allow replicated 
pools on 2 different physical database servers. Additionally I use it with 
one table for dynamic ips, and a separate table for static ips.

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc