Re: ippool-dhcp and Oracle
I am not sure what is happening here so I will have to do some reading.

Fixed. Git pull.

-Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radius.log on DB
Hi everybody,

Is there any way to log the requests for the radius in a DB like MySQL? In other words, is it possible to put radius.log entries in a DB without using the local system syslog daemon?
change Access-Reject output of module with unlang
Dear all,

How can I change the Access-Reject output of a module with unlang in sites-enabled to Access-Accept and do some update control? I can not find what the reply attribute of reject or accept is, to check it in an if condition and change it in update reply. And do we have any reference for such variables?
Re: change Access-Reject output of module with unlang
Hi,

> How change Access-Reject output of module with unlang in sites-enable to Access-Accept and do some update control ?

What method? You can't just 'Access-Accept' an EAP method that relies on the agreement between client and authentication server for the cipher keys etc.

alan
Re: radius.log on DB
On 25.03.2013 09:26, AemNet wrote:
> Hi everybody is there any way log the requests for the radius in a DB like MySQL? In other words is possible to put radius.log entry in a DB without use the local system syslog daemon?

This is not possible directly from freeradius. What you can do is tell FreeRadius to log to your syslog daemon (like syslog-ng) and then tell syslog-ng to write the log within an INSERT statement for your database. Then you can send this to your database.

Those two links might help you:
http://wiki.freeradius.org/guide/Syslog-HOWTO
http://vermeer.org/docs/1

But this is beyond the scope of the freeradius list.

Olivier
Re: change Access-Reject output of module with unlang
On 03/25/2013 09:14 AM, Mehdi Ravanbakhsh wrote:
> Dear ALL How change Access-Reject output of module with unlang in sites-enable to Access-Accept and do some update control ?

I don't think you can. And as AlanB says, it probably won't work anyway - you can't force accept on challenge/response auth.
Re: radius.log on DB
On 25/03/2013 11:05, Olivier Beytrison wrote:
> This is not possible directly from freeradius. What you can do, is tell FreeRadius to log to your syslog daemon (like syslog-ng) and then tell syslog-ng to write the log within an INSERT statement for your database. Then you can send this to your database.
> Those two links might help you:
> http://wiki.freeradius.org/guide/Syslog-HOWTO
> http://vermeer.org/docs/1
> But this is beyond the scope of the freeradius list
> Olivier

Thank you for the answer and for the links Olivier, but I prefer not to use the syslog system if possible. Do you think it's possible instead to use a script (perl/bash, anything else) after the request arrives and put it in a DB?
Re: radius.log on DB
In the past I've tail'd a log file (this was for squid and not freeradius) and piped that into a perl script that would then write things into a database, but it's a lot easier using syslog talking to an rsyslog back end database that writes things into a database for you.

Rgds
alex

On 25 Mar 2013, at 10:45, AemNet sysadmin-aem...@aemnet.it wrote:
> On 25/03/2013 11:05, Olivier Beytrison wrote:
>> This is not possible directly from freeradius. What you can do, is tell FreeRadius to log to your syslog daemon (like syslog-ng) and then tell syslog-ng to write the log within an INSERT statement for your database. Then you can send this to your database.
>> Those two links might help you:
>> http://wiki.freeradius.org/guide/Syslog-HOWTO
>> http://vermeer.org/docs/1
>> But this is beyond the scope of the freeradius list
>> Olivier
>
> Thank you for the answer and for the links Olivier, but I prefer don't use the syslog system if it's possible. Do you think it's possible instead to use a script (perl/bash anything else) after the request arrive and put it in a DB?
Re: radius.log on DB
Hi,

> Thank you for the answer and for the links Olivier, but I prefer don't use the syslog system if it's possible. Do you think it's possible instead to use a script (perl/bash anything else) after the request arrive and put it in a DB?

The SQL module has the postauth table... you could always create your own table, then use unlang to populate it with whatever you want in the post-auth section of the server - for accept or reject packets. That won't log ALL that might appear in the radiusd logfile (eg server messages).

alan
Re: radius.log on DB
Perl File::Tail works very well for things like this...

On Mon, Mar 25, 2013 at 12:45 PM, AemNet sysadmin-aem...@aemnet.it wrote:
> On 25/03/2013 11:05, Olivier Beytrison wrote:
>> This is not possible directly from freeradius. What you can do, is tell FreeRadius to log to your syslog daemon (like syslog-ng) and then tell syslog-ng to write the log within an INSERT statement for your database. Then you can send this to your database.
>> Those two links might help you:
>> http://wiki.freeradius.org/guide/Syslog-HOWTO
>> http://vermeer.org/docs/1
>> But this is beyond the scope of the freeradius list
>> Olivier
>
> Thank you for the answer and for the links Olivier, but I prefer don't use the syslog system if it's possible. Do you think it's possible instead to use a script (perl/bash anything else) after the request arrive and put it in a DB?

--
Regards,
Chris Knipe
Re: radius.log on DB
On 25.03.2013 11:45, AemNet wrote:
> Thank you for the answer and for the links Olivier, but I prefer don't use the syslog system if it's possible. Do you think it's possible instead to use a script (perl/bash anything else) after the request arrive and put it in a DB?

You could make a perl script which pipes the freeradius log file and then inserts the text into a DB. But again, that's beyond the scope of this list. Freeradius doesn't offer the ability to put the log file into a DB.

Olivier B.

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
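The script the thread keeps circling back to (follow radius.log, insert each entry into a database), written out as an added example that is not from any poster or from the FreeRADIUS project. It assumes the FreeRADIUS 2.x radius.log line format ("<ctime> : <Level>: <message>") and writes to SQLite so it runs offline; the sample lines are constructed.

```python
"""Follow a FreeRADIUS 2.x radius.log and insert every entry into a database:
a polling "tail -f" in Python (instead of Perl File::Tail) writing to SQLite."""
import re
import sqlite3
import time
from datetime import datetime

# Assumed radius.log line format (FreeRADIUS 2.x): "<ctime> : <Level>: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$"
)

# Constructed sample lines in that format (not taken from the thread).
SAMPLE_LINES = [
    "Mon Mar 25 09:26:00 2013 : Info: Ready to process requests.",
    "Mon Mar 25 09:26:07 2013 : Auth: Login OK: [bob] (from client localhost port 0)",
    "Mon Mar 25 09:26:09 2013 : Auth: Login incorrect: [alice] (from client localhost port 0)",
    "not a radius.log line",
]

SCHEMA = """CREATE TABLE IF NOT EXISTS radius_log (
    id INTEGER PRIMARY KEY, logged_at TEXT NOT NULL,
    level TEXT NOT NULL, message TEXT NOT NULL)"""

def parse_line(line):
    """Return (ISO timestamp, level, message), or None if the line is not a log entry."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts.isoformat(sep=" "), m.group("level"), m.group("msg")

def open_db(path=":memory:"):
    """Open the database (SQLite here) and make sure the table exists."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def ingest(conn, lines):
    """Insert every parseable line and return how many were stored."""
    rows = [r for r in map(parse_line, lines) if r is not None]
    # The message carries client-supplied values (User-Name, station ids),
    # so it is bound as a parameter, never concatenated into the INSERT.
    with conn:
        conn.executemany(
            "INSERT INTO radius_log (logged_at, level, message) VALUES (?, ?, ?)", rows
        )
    return len(rows)

def follow(path, conn, poll=1.0):
    """Start at the end of the file and insert new lines as radiusd appends them."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                ingest(conn, [line])
            else:
                time.sleep(poll)

if __name__ == "__main__":
    import sys
    db = open_db()
    print(ingest(db, SAMPLE_LINES), "sample rows inserted")
    if len(sys.argv) > 1:  # path to radius.log, e.g. /var/log/freeradius/radius.log
        follow(sys.argv[1], db)
```

Unlike File::Tail, this plain polling loop does not notice log rotation; reopen the file (or run it under the rotation hook) if radius.log is rotated.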
Re: change Access-Reject output of module with unlang
You mean that if modules such as the SQL module in the session section return reject, I can not change that to accept and then update some control attribute? And can I change the sql module? (I know SQL.conf, but in that file I can just change the query.)

Best regards.

On Mon, Mar 25, 2013 at 2:45 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 03/25/2013 09:14 AM, Mehdi Ravanbakhsh wrote:
>> Dear ALL How change Access-Reject output of module with unlang in sites-enable to Access-Accept and do some update control ?
>
> I don't think you can. And as AlanB says, it probably won't work anyway - you can't force accept on challenge/response auth.
Wrong destination port in reply to DHCP relay
Hello Everyone,

I have an issue with an installation of FreeRADIUS 2.2.0 configured for DHCP, and I am seeing a problem where FreeRADIUS is replying to the wrong port on the DHCP relay. The request comes in like this:

    Received DHCP-Discover of id de6dc6f2 from 10.77.1.254:68 to 10.0.0.1:67

But the server replies like this:

    Sending DHCP-Offer of id de6dc6f2 to 10.77.1.254:68

The problem is that the relay is expecting the reply on port 67, so I am getting an ICMP port unreachable message back and the DHCP offer is lost.

I found a similar thread from 2008 which says that this was fixed:
http://lists.freeradius.org/pipermail/freeradius-users/2008-June/029146.html

However, this is quite a while ago and I guess that lots of things have changed, so I would be grateful if someone could verify the current v2.2.0 code for me to check that the fix is in there.

Thanks
Ben
Re: ldap connection status
Hi,

The wiki page on fail-over suggests

    authorize {
        preprocess
        redundant {
            sql1
            sql2
            notfound = return
        }
        files
    }

I am trying to do similar but radius is giving an error

    group {
        redundant {
            ldap_primary
            fail = return      -- Entry with no value is invalid
        }
        if (fail) {
            files_local
        } else {
            files
        }
    }

Why could this be?

On Fri, Mar 15, 2013 at 6:13 PM, Olivier Beytrison oliv...@heliosnet.org wrote:
> On 15.03.2013 12:08, Chitrang Srivastava wrote:
>> Hi,
>> I want to do something like this in *authorize* section
>
>     ldap {
>         fail = return
>     }
>     if (fail) {
>         files_local
>     } else {
>         files
>     }
>
> something like that should work. The ldap module will fail if the servers are unreachable.
>
> Olivier
>
> --
> Olivier Beytrison
> Network Security Engineer, HES-SO Fribourg
> Mail: oliv...@heliosnet.org
Re: change Access-Reject output of module with unlang
On 25/03/13 11:16, Mehdi Ravanbakhsh wrote:
> You means that if modules such as SQL module in session section return reject i can not change that to accept and then update some control attribute ?

I don't think so.

> and can i change sql module ?( i know SQL.conf but in that file i just can change the query )

It won't help. If you don't want to reject the user, fix the reason they're being rejected.
Re: ldap connection status
On 25.03.2013 13:00, Chitrang Srivastava wrote:
> I am trying to do similar but radius is giving error
>
>     group {
>         redundant {
>             ldap_primary
>             fail = return      -- Entry with no value is invalid
>         }
>         if (fail) {
>             files_local
>         } else {
>             files
>         }
>     }
>
> Why this could be ?

You have only one ldap instance. You don't need the redundant block.

    authorize {
        # usual authorize stuff, preprocess, suffix, etc
        ldap_primary {
            fail = return
        }
        if (fail) {
            files_local
        } else {
            files
        }
    }

This *should* work.

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: ldap connection status
Even with ldap_secondary I get the same error

    redundant {
        ldap_primary
        ldap_secondary
        fail = 1
    }

On Mon, Mar 25, 2013 at 5:57 PM, Olivier Beytrison oliv...@heliosnet.org wrote:
> On 25.03.2013 13:00, Chitrang Srivastava wrote:
>> I am trying to do similar but radius is giving error
>>
>>     group {
>>         redundant {
>>             ldap_primary
>>             fail = return      -- Entry with no value is invalid
>>         }
>>         if (fail) {
>>             files_local
>>         } else {
>>             files
>>         }
>>     }
>>
>> Why this could be ?
>
> You have only one ldap instance. You don't need the redundant block.
>
>     authorize {
>         # usual authorize stuff, preprocess, suffix, etc
>         ldap_primary {
>             fail = return
>         }
>         if (fail) {
>             files_local
>         } else {
>             files
>         }
>     }
>
> This *should* work.
>
> Olivier
>
> --
> Olivier Beytrison
> Network Security Engineer, HES-SO Fribourg
> Mail: oliv...@heliosnet.org
Re: ldap connection status
Chitrang Srivastava wrote:
> Even with ldap_secondary I get same error
>
>     redundant {
>         ldap_primary
>         ldap_secondary
>         fail = 1
>     }

Read doc/configurable_failover, and man unlang. This is documented. You can't just randomly insert things into the configuration files.

Alan DeKok.
Re: ldap connection status
This is what the wiki page says to do

    authorize {
        preprocess
        redundant {
            sql1
            sql2
            notfound = return
        }
        files
    }

I am trying similar stuff.

On Mon, Mar 25, 2013 at 7:13 PM, Alan DeKok al...@deployingradius.com wrote:
> Chitrang Srivastava wrote:
>> Even with ldap_secondary I get same error
>>
>>     redundant {
>>         ldap_primary
>>         ldap_secondary
>>         fail = 1
>>     }
>
> Read doc/configurable_failover, and man unlang. This is documented. You can't just randomly insert things into the configuration files.
>
> Alan DeKok.
Re: ippool-dhcp and Oracle
On 25 Mar 2013, at 02:57, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> I am not sure what is happening here so I will have to do some reading.
>
> Fixed. Git pull.

Or would have been if git push hadn't hung... Sorry, GitHub has been really flakey lately.

-Arran
Re: change Access-Reject output of module with unlang
thanks

On Mon, Mar 25, 2013 at 4:40 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 25/03/13 11:16, Mehdi Ravanbakhsh wrote:
>> You means that if modules such as SQL module in session section return reject i can not change that to accept and then update some control attribute ?
>
> I don't think so.
>
>> and can i change sql module ?( i know SQL.conf but in that file i just can change the query )
>
> It won't help. If you don't want to reject the user, fix the reason they're being rejected.
Re: ldap connection status
Something like this seems to be working

    group {
        fail = 1           -- is this OK?
        redundant {
            ldap_primary
            ldap_secondary
        }
    }
    if (fail) {
        files_local
    } else {
        files
    }

On Mon, Mar 25, 2013 at 7:53 PM, Chitrang Srivastava chitrang.srivast...@gmail.com wrote:
> This is what wiki page says to do
>
>     authorize {
>         preprocess
>         redundant {
>             sql1
>             sql2
>             notfound = return
>         }
>         files
>     }
>
> I am trying similar stuff
>
> On Mon, Mar 25, 2013 at 7:13 PM, Alan DeKok al...@deployingradius.com wrote:
>> Chitrang Srivastava wrote:
>>> Even with ldap_secondary I get same error
>>>
>>>     redundant {
>>>         ldap_primary
>>>         ldap_secondary
>>>         fail = 1
>>>     }
>>
>> Read doc/configurable_failover, and man unlang. This is documented. You can't just randomly insert things into the configuration files.
>>
>> Alan DeKok.
Update reply to DHCP-Ack
I have a small problem that I do not know how to solve. Freeradius works correctly as a DHCP server delivering static IPs, but I need to write a log in the PostAuth database if the transaction finalizes with a DHCP-Ack. Currently, when the transaction ends with a DHCP-Ack, this configuration logs a DHCP-Request instead of DHCP-Ack.

This is my setup:

    server dhcp {
        listen {
            type = dhcp
            ipaddr = 255.255.255.255
            port = 67
            interface = eth1.2
            broadcast = yes
        }

        dhcp DHCP-Discover {
            update reply {
                DHCP-Message-Type = DHCP-Offer
            }
            update reply {
                DHCP-Domain-Name-Server = 0.0.0.0
                DHCP-IP-Address-Lease-Time = 7200
                DHCP-DHCP-Server-Identifier = 172.31.1.1
            }
            deselabs_dhcp_cpes.authorize
            ok
        }

        dhcp DHCP-Request {
            update reply {
                # Is not the type supposed to be changed here?
                DHCP-Message-Type = DHCP-Ack
            }
            update reply {
                DHCP-Domain-Name-Server = 0.0.0.0
                DHCP-IP-Address-Lease-Time = 7200
                DHCP-DHCP-Server-Identifier = 172.31.1.1
                Reply-Message = Framed protocol is
            }
            deselabs_dhcp_cpes.authorize
            deselabs_dhcp_cpes.post-auth
            ok
        }

        dhcp {
            # send a DHCP NAK.
            reject
        }
    }

This is the debug output:

    Received DHCP-Discover of id 7ca9d708 from 0.0.0.0:68 to 255.255.255.255:67
        DHCP-Opcode = Client-Message
        DHCP-Hardware-Type = Ethernet
        DHCP-Hardware-Address-Length = 6
        DHCP-Hop-Count = 0
        DHCP-Transaction-Id = 2091505416
        DHCP-Number-of-Seconds = 0
        DHCP-Flags = Broadcast
        DHCP-Client-IP-Address = 0.0.0.0
        DHCP-Your-IP-Address = 0.0.0.0
        DHCP-Server-IP-Address = 0.0.0.0
        DHCP-Gateway-IP-Address = 0.0.0.0
        DHCP-Client-Hardware-Address = 00:50:c2:31:24:4f
        DHCP-Message-Type = DHCP-Discover
        DHCP-Client-Identifier = 0x010050c231244f00
        DHCP-IP-Address-Lease-Time = 4294967040
        DHCP-IP-Address-Lease-Time = 4294967295
        DHCP-Parameter-Request-List = DHCP-Subnet-Mask
        DHCP-Parameter-Request-List = DHCP-Router-Address
        DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
        DHCP-Parameter-Request-List = DHCP-Domain-Name
        DHCP-Parameter-Request-List = DHCP-Bootp-Extensions-Path
        DHCP-Parameter-Request-List = DHCP-TFTP-Server-Name
        DHCP-Parameter-Request-List = DHCP-SIP-Servers-DHCP-Option
        DHCP-Parameter-Request-List = DHCP-HTTP-Proxy
        DHCP-Parameter-Request-List = 213
        DHCP-Parameter-Request-List = 214
        DHCP-Parameter-Request-List = 215
    server dhcp {
    Trying sub-section dhcp DHCP-Discover {...}
    +- entering group DHCP-Discover {...}
    ++[reply] returns noop
    ++[reply] returns noop
    [deselabs_dhcp_cpes] expand: %{DHCP-Client-Hardware-Address} -> 00:50:c2:31:24:4f
    [deselabs_dhcp_cpes] sql_set_user escaped user --> '00:50:c2:31:24:4f'
    rlm_sql (deselabs_dhcp_cpes): Reserving sql socket id: 4
    [deselabs_dhcp_cpes] expand: SELECT '1', mac_address, 'Cleartext-Password', REPLACE('%{SQL-User-Name}', ':', ''), ':=' FROM cpes WHERE mac_address = REPLACE('%{SQL-User-Name}', ':', '') UNION SELECT '2', mac_address, 'Auth-Type', 'Accept', ':=' FROM cpes WHERE mac_address = REPLACE('%{SQL-User-Name}', ':', '') -> SELECT '1', mac_address, 'Cleartext-Password', REPLACE('00:50:c2:31:24:4f', ':', ''), ':=' FROM cpes WHERE mac_address = REPLACE('00:50:c2:31:24:4f', ':', '') UNION SELECT '2', mac_address, 'Auth-Type', 'Accept', ':=' FROM cpes WHERE mac_address = REPLACE('00:50:c2:31:24:4f', ':', '')
    [deselabs_dhcp_cpes] User found in radcheck table
    [deselabs_dhcp_cpes] expand: SELECT '1', mac_address as username, 'DHCP-Your-IP-Address' AS attribute, CONCAT_WS('.', nets.net_prefix, cpes.ip_host) AS value, '=' AS op FROM cpes LEFT OUTER JOIN nets ON cpes.net=nets.net_id WHERE cpes.mac_address = REPLACE('%{SQL-User-Name}', ':', '') UNION SELECT '2' as id, mac_address, 'DHCP-Subnet-Mask' AS attribute, nets.netmask AS value, '=' AS op FROM cpes LEFT OUTER JOIN nets ON cpes.net=nets.net_id WHERE cpes.mac_address = REPLACE('%{SQL-User-Name}', ':', '') UNION SELECT '3' as id, mac_address, 'DHCP-Router-Address' AS attribute, nets.gateway AS value, '=' AS opFROM cpes LEFT OUTER JOIN nets ON cpes.net=nets.net_id WHERE cpes.mac_address = REPLACE('%{SQL-User-Name}', ':', '') UNION SELECT '4' as id, mac_address, 'DHCP-Bootp-Extensions-Path' AS
Re: ippool-dhcp and Oracle
2013/3/25 Arran Cudbard-Bell a.cudba...@freeradius.org:
> On 25 Mar 2013, at 02:57, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>> I am not sure what is happening here so I will have to do some reading.
>>
>> Fixed. Git pull.
>
> Or would have been if git push hadn't hung... Sorry GitHub has been really flakey lately.

Many thanks. I will give it a try.
[no subject]
Hi All,

I have created a stored procedure in a postgresql database named findout_cuncurrent_session_for_a_user_result that returns Deny or Permit. I need to call this procedure in the session section but it is not working. I checked all the policies explained in the unlang man page but this code is not working:

    session {
        if ({%sql:select findout_cuncurrent_session_for_a_user_result ('%{User-Name}','%{NAS-IP-Address}','%{Called-Station-Id}','%{Calling-Station-Id}')} == Deny) {
            update control {
                Pool-Name := Exceeded-Concurrent-Session
            }
        }
    }

What is the problem? Did I write the sql query right? (This query works fine in sql.conf.)
Re: your mail
Hi,

>     session {
>         if ({%sql:select findout_cuncurrent_session_for_a_user_result ('%{User-Name}','%{NAS-IP-Address}','%{Called-Station-Id}','%{Calling-Station-Id}')} == Deny) {
>             update control {
>                 Pool-Name := Exceeded-Concurrent-Session
>             }
>         }
>     }
>
> What is the problem? Do i write sql query write ? (this query is work fine in sql.conf )

What does the output in debug mode show? What got used/sent/queried?

alan
Auth-Type krb5 not recognized by v2.1.12
Hi folks,

Recently my server received an in-place upgrade from Debian squeeze to wheezy (still testing). Along with that, freeradius was upgraded from version 2.1.10 to 2.1.12, but as a result it no longer works.

The problem is that I use

    DEFAULT Auth-Type = krb5

in /etc/freeradius/users, and this now leads to an error in the radius.log that prevents freeradius from starting up:

    Error: /etc/freeradius/users[207]: Parse error (check) for entry DEFAULT: Unknown value krb5 for attribute Auth-Type

Interestingly, if I use kerberos instead of krb5 for the default auth-type, there is no such error in the radius.log, but I still can't authenticate. Downgrading to 2.1.10 quickly fixes the problem.

Is this new behavior intentional, or is it simply a bug? In either case, is there a workaround or a code fix for this, or should I continue to use 2.1.10?

Thanks,
Jaap
unlang CONDITIONS and sql query
Hi All,

I have created a stored procedure in a postgresql database named findout_cuncurrent_session_for_a_user_result that returns Deny or Permit. I need to call this procedure in the session section but it is not working. I checked all the policies explained in the unlang man page but this is not working:

    session {
        if ({%sql:select findout_cuncurrent_session_for_a_user_result ('%{User-Name}','%{NAS-IP-Address}','%{Called-Station-Id}','%{Calling-Station-Id}')} == Deny) {
            update control {
                Pool-Name := Exceeded-Concurrent-Session
            }
        }
    }

What is the problem? Did I write the sql query right? (This query works fine in sql.conf.)
Re: your mail
I don't have any information in the session section in radius.log, just one line:

    # Executing section session from file /usr/local/etc/raddb/sites-enabled/default
    # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default

On Tue, Mar 26, 2013 at 3:47 AM, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>>     session {
>>         if ({%sql:select findout_cuncurrent_session_for_a_user_result ('%{User-Name}','%{NAS-IP-Address}','%{Called-Station-Id}','%{Calling-Station-Id}')} == Deny) {
>>             update control {
>>                 Pool-Name := Exceeded-Concurrent-Session
>>             }
>>         }
>>     }
>>
>> What is the problem? Do i write sql query write ? (this query is work fine in sql.conf )
>
> What does the output in debug mode show? What got used/sent/queried?
>
> alan