rlm_sql - authentication vs authorization - update internal attribute within sql module

2013-04-08 Thread duffy

hi list,
I'm trying to set one custom attribute during radcheck so I can use it while 
selecting the proper VSAs in radreply.
These are my 4 steps: 1) add the custom attribute to the dictionary; 2) get 
it set by radcheck, if necessary; 3) modify dialup.conf to pass my 
custom attribute to radreply [using a control variable?]; 4) check my 
custom attribute to choose the reply vendor-specific attributes.
I would set this custom attribute by returning it from the radcheck query, 
but the radreply query doesn't recognise it: where am I wrong? How can I 
update a custom attribute within the sql module? Can anyone please help me?

thanks,
duffy



# my dictionary

$INCLUDE /usr/share/freeradius/dictionary

VENDOR          Me      35612

BEGIN-VENDOR    Me

ATTRIBUTE       Service-Type            1       integer
VALUE           Service-Type            Hotline                 0
VALUE           Service-Type            DynamicUser             1
VALUE           Service-Type            StaticUser              2

ATTRIBUTE       Hotlining-Enabled       2       integer
VALUE           Hotlining-Enabled       False                   0
VALUE           Hotlining-Enabled       True                    1

ATTRIBUTE       Hotlining-Class         3       integer
VALUE           Hotlining-Class         User-New-Provisioning   0
VALUE           Hotlining-Class         User-Already-Connected  1
VALUE           Hotlining-Class         User-Not-Enabled        2

END-VENDOR      Me


# my radcheck stored procedure

  SELECT * INTO userinfo FROM users WHERE inner_id = ParmInnerId;

  hotlining = userinfo.hotline;

  IF userinfo.isactive = False THEN
    hotlining = TRUE;
  END IF;

  IF hotlining = TRUE THEN
    RETURN QUERY SELECT 0, ParmInnerId, 'Hotlining-Enabled'::varchar, ':='::char(2), 'True'::varchar;
  END IF;

  RETURN QUERY
    SELECT * FROM vsa_check
     WHERE inner_id = ParmInnerId
     ORDER BY id;
  RETURN;
END


# my dialup.conf

...
authorize_reply_query=\
SELECT id, inner_id, attribute, val, op \
  FROM radreply(\
  '%{SQL-User-Name}@%{Realm}',\
  '%{NAS-Ip-Address}'::inet, \
  COALESCE(NULLIF('%{control:Hotlining-Enabled}', ''), 'FALSE')::boolean);
...


# my radiusd -X output

...
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, inner_id, attribute, val, op   FROM radcheck(   COALESCE(NULLIF('%{Event-Timestamp}', ''), '%S')::timestamp with time zone,   '%{SQL-User-Name}',   '%{Realm}',   '%{Nas-Ip-Address}'::inet,   '%{Calling-Station-Id}'::macaddr, parse_bssid(NULLIF('%{WiMAX-BS-Id}', '')), COALESCE(NULLIF('%{WiMAX-PDFID}', ''), '0')::smallint); -> SELECT id, inner_id, attribute, val, op   FROM radcheck(   COALESCE(NULLIF('Apr  4 2013 18:42:05 CEST', ''), '2013-04-04 18:42:42')::timestamp with time zone,   'test', 'freeradius',   '192.168.98.101'::inet,   '0C4C399C58F7'::macaddr, parse_bssid(NULLIF('0x303030303230303630313030', '')),   COALESCE(NULLIF('', ''), '0')::smallint);
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 3 , fields = 5
[sql] User found in radcheck table
[sql]   expand: SELECT id, inner_id, attribute, val, op   FROM radreply(  '%{SQL-User-Name}@%{Realm}',  '%{NAS-Ip-Address}'::inet, COALESCE(NULLIF('%{control:Linkem-Hotlining-Enabled}', ''), 'FALSE')::boolean); -> SELECT id, inner_id, attribute, val, op   FROM radreply( 'test@freeradius',  '192.168.98.101'::inet,   COALESCE(NULLIF('', ''), 'FALSE')::boolean);

...


# from my psql console

csnrads=# SELECT id, inner_id, attribute, val, op   FROM radcheck( COALESCE(NULLIF('Apr  4 2013 18:42:05 CEST', ''), '2013-04-04 18:42:42')::timestamp with time zone,   'test',   'freeradius', '192.168.98.101'::inet,   '0C4C399C58F7'::macaddr, parse_bssid(NULLIF('0x303030303230303630313030', '')), COALESCE(NULLIF('', ''), '0')::smallint);

   id   |    inner_id     |     attribute      |  val   | op
--------+-----------------+--------------------+--------+----
      0 | test@freeradius | Hotlining-Enabled  | True   | :=
 702095 | test@freeradius | Cleartext-Password | test01 | :=
 702096 | test@freeradius | Simultaneous-Use   | 1      | :=
(3 rows)

csnrads=# SELECT id, inner_id, attribute, val, op   FROM radreply( 'test@freeradius',  '192.168.98.101'::inet,   COALESCE(NULLIF('True', ''), 'FALSE')::boolean);

 id |    inner_id     |     attribute      |          val          | op
----+-----------------+--------------------+-----------------------+----
  6 | test@freeradius | Hotline-Indicator  | active                | :=
  7 | test@freeradius | Hotline-Profile-Id | freeradius/hotprofile | :=
 11 | test@freeradius | Termination-Action | Radius-Request        | :=
 35 | test@freeradius | Session-Timeout    | 900                   | :=
(4 rows)
-
List info/subscribe/unsubscribe? See 

Re: MAC Address Auth

2013-04-08 Thread Mulindwa
Hi good people, I have been reading on how to enforce the Mac-Addr attribute and 
I have not seen it anywhere.

Has anyone done it before? Please help throw some light on how I can achieve 
this.

I want user eric@ut3 with this MAC address to log in, and if the MAC address 
is different he will not be granted access.


eric@ut3  Cleartext-Password := eric, Simultaneous-Use := 1
    Mac-Addr = 02-1B-9E-D3-0B-F0,
    Service-Type = Framed-User,
    Qos-Policy-Policing = broadband_128_policing,
    Qos-Policy-Metering = broadband_128_metering,
    Framed-Protocol = PPP,
    Ip_Address_Pool_Name = pool_128,
    Framed-Address = 255.255.255.254,
    Framed-Netmask = 255.255.255.255,
    Fall-Through = 0

 
Eric M



 From: Mulindwa meri...@yahoo.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org 
Sent: Friday, April 5, 2013 9:07 AM
Subject: Re: MAC Address Auth
 

Thanks Mattias,

I get an error saying: Unknown attribute Attr-2352-145

This is how i have it setup


user20001@ut3  Password = 006060, Simultaneous-Use = 1
    Attr-2352-145 = 5c-7d-5e-3f-d0-f7,
    Service-Type = Framed-User,
    Qos_Policy_Policing = broadband_128_policing,
    Qos_Policy_Metering = broadband_128_metering,
    Framed-Protocol = PPP,
    Ip_Address_Pool_Name =
 pool_128,
    Framed-Address = 255.255.255.254,
    Framed-Netmask = 255.255.255.255,
    Fall-Through = 0


 
Eric M



 From: Matthias Nagel matthias.h.na...@gmail.com
To: freeradius-users@lists.freeradius.org 
Sent: Thursday, April 4, 2013 5:41 PM
Subject: Re: MAC Address Auth
 
Hello,
add the correct check item to your user database. In the case below (User-Name 
= user2000@ut3) you should have the check item
Attr-2352-145 == 5c-7d-5e-3f-d0-f7
for this specific user in your user database. Then you repeat this for every 
user/mac-address pair you want.
Best regards, Matthias

Am Donnerstag 04 April 2013, 07:25:55 schrieb Mulindwa:
 Great, I have run the debug and I did get the attribute required.
 If I want to fulfil the two conditions, i.e. username/passwd and Mac Address 
 = Attr-2352-145
 
 How would I need to tweak my radiusd.conf file to achieve this?
 
 
 
 
 User-Name = user2000@ut3
    CHAP-Password = cccddd'
     CHAP-Challenge = 
     Service-Type = Framed-User
     Framed-Protocol = PPP
     NAS-Identifier = UT-BRAS-EDGE
    
 NAS-IP-Address = x.x.x.x
     NAS-Port = 855649483
     NAS_Real_Port = 855638816
     NAS-Port-Type = Virtual
     Attr-87 = 3/3 vlan-id 800 pppoe 11467
     Medium_Type = 11
     Attr-2352-145 = 5c-7d-5e-3f-d0-f7   <-- MAC Address
     Attr-2352-98 = 3
     Attr-2352-112 = 6.2.1.9
     Acct-Session-Id = 020268008FC9-515D8419
 
  
 Eric M
 
 
 
  From: Mulindwa meri...@yahoo.com
 To: Alan DeKok al...@deployingradius.com; FreeRadius users mailing list 
 freeradius-users@lists.freeradius.org 
 Sent: Thursday, April 4, 2013 4:58 PM
 Subject: Re: MAC Address Auth
  
 
 Thanks Alan,
 
 Let me do so.
 
  
 Eric M
 
 
 
  From: Alan DeKok al...@deployingradius.com
 To: Mulindwa meri...@yahoo.com; FreeRadius users mailing list 
 freeradius-users@lists.freeradius.org 
 Sent: Thursday, April 4, 2013 4:47 PM
 Subject: Re: MAC Address Auth
  
 Mulindwa wrote:
  Hi
 All,
  
  Have been trying to authenticate my ADSL users using Mac Address Auth,
  however i have failed even after going through the documentation.
  
  I want to authenticate with the highlighted, anyone done this and can help?
 
   It's been done.
 
  This is how the accounting file looks;
 
   If you're trying to debug authentication, it helps to look at
 *authentication* traffic, and not *accounting* data.
 
   And run the server in debugging mode as suggested in the FAQ, man
 page, web pages, and daily on this list.
 
   Honestly, there is NO excuse for refusing to do this.
 
   Alan DeKok.
 
 
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
--
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
e-Mail: matthias.h.na...@gmail.com
ICQ: 499797758
Skype: nagmat84





Re: MAC Address Auth

2013-04-08 Thread Marinko Tarlać

Add

eric@ut3 Calling-Station-Id == 02:1B:9E:D3:0B:F0

inside radcheck table or inside users file

eric@ut3  Cleartext-Password := eric, Simultaneous-Use := 1
Calling-Station-Id  ==  02:1B:9E:D3:0B:F0
Service-Type = Framed-User,
Qos-Policy-Policing = broadband_128_policing,
Qos-Policy-Metering = broadband_128_metering,
Framed-Protocol = PPP,
Ip_Address_Pool_Name = pool_128,
Framed-Address = 255.255.255.254,
Framed-Netmask = 255.255.255.255,
Fall-Through = 0


Notice the double = sign

On 8.4.2013 13:18, Mulindwa wrote:
Hi good pple, have been reading on how to enforce the attribute of 
Mac-Addr and i have not seen it anywhere.


Has anyone done it before, please help throw some light on how i can 
achieve this.


I want user eric@ut3 with this Mac Address to log in , and if the MAC 
address is different he will not be granted access.



eric@ut3 Cleartext-Password := eric, Simultaneous-Use := 1
Mac-Addr = 02-1B-9E-D3-0B-F0,
Service-Type = Framed-User,
Qos-Policy-Policing = broadband_128_policing,
Qos-Policy-Metering = broadband_128_metering,
Framed-Protocol = PPP,
Ip_Address_Pool_Name = pool_128,
Framed-Address = 255.255.255.254,
Framed-Netmask = 255.255.255.255,
Fall-Through = 0
Eric M



perl examples

2013-04-08 Thread Alex Sharaz
Hi,
There don't seem to be many examples relating to using  perl to access remote 
databases…. in fact there don't seem to be many perl examples at all.

Got example.pl configured a wee bit and running on test server but could do 
with a better db related example.

Unfortunately my perl skills aren't as good as they could be.

In post-auth I want to 

extract the nas-ip address and calling station-id of the client device
open a db connection and perform a query that'll let me  decide what vlan-id to 
send back in the access-accept packet
write radius attributes into the access-accept reply

Anyone got some form of template I could use for the above?
Rgds
Alex




Re: MAC Address Auth

2013-04-08 Thread George Chelidze

On 2013-04-08 15:18, Mulindwa wrote:
Hi good pple, have been reading on how to enforce the attribute of 
Mac-Addr and i have not seen it anywhere.


You don't read carefully what good people reply to you. Ironically, the 
reply to your question is attached to your question.


As Matthias already pointed out:

1. Put *Mac-Addr* to your dictionary (or make sure it's already there).
2. Remove it from your reply list and put it into the check list.



*From:* Matthias Nagel matthias.h.na...@gmail.com
*To:* freeradius-users@lists.freeradius.org
*Sent:* Thursday, April 4, 2013 5:41 PM
*Subject:* Re: MAC Address Auth

Hello,
add the correct check item to your user database. In the case below 
(User-Name = user2000@ut3) you should have the check item

Attr-2352-145 == 5c-7d-5e-3f-d0-f7
for this speicifc user in your user database. Then you repeat this for 
every user/mac-address pair you want.

Best regards, Matthias


--
George Chelidze



Re: perl examples

2013-04-08 Thread A . L . M . Buxey
Hi,

 There don't seem to be many examples relating to using  perl to access remote 
 databases…. in fact there don't seem to be many perl examples at all.

that's because it's a Perl issue not a FreeRADIUS one :-)

 In post-auth I want to 
 
 extract the nas-ip address and calling station-id of the client device
 open a db connection and perform a query that'll let me  decide what vlan-id 
 to send back in the access-accept packet
 write radius attributes into the access-accept reply

you need to use DBI PERL to open the connection and then create the query.
for the query you can use values straight from the FreeRADIUS PERL hook - or 
assign
them to variables and use those variables, then run the query and look at
the results.  of course, you will need to verify that the connection was okay,
that the query was okay and that the results are okay. 

 Anyone got some form of template I could use for the above?

each case requires new code...but a quick Google will show you how to do the 
DB query
stuff...I can provide you some template for assigning variables 

alan

Re: perl examples

2013-04-08 Thread Alexander Silveröhrt
Since I was just in the middle of making some hooks using DBI, I took some time to copy 
paste something that could be something towards the thing you wanted.
This is just an example so don't take it too seriously..

I also don't think you should do it as a post_auth hook but as an authorize hook, so

Don't forget to add module = /etc/freeradius/myscript.pl and uncomment  
#func_authorize = authorize AND/OR #func_post_auth = post_auth in modules/perl

And add perl and sql to your default
vi sites-enabled/default

authorize {
    preprocess
    perl        ## <---
    auth_log
    sql         ## <---
    expiration
    logintime
}

## Example myscript.pl script ##
#!/usr/bin/perl

use strict;
use warnings;
use diagnostics;
use DBI;
use Data::Dumper;

### Radius HASH tables (populated by rlm_perl for each request) ###
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

use constant RLM_MODULE_REJECT   => 0;  # /* immediately reject the request */
use constant RLM_MODULE_FAIL     => 1;  # /* module failed, don't reply */
use constant RLM_MODULE_OK       => 2;  # /* the module is OK, continue */
use constant RLM_MODULE_HANDLED  => 3;  # /* the module handled the request, so stop. */
use constant RLM_MODULE_INVALID  => 4;  # /* the module considers the request invalid. */
use constant RLM_MODULE_USERLOCK => 5;  # /* reject the request (user is locked out) */
use constant RLM_MODULE_NOTFOUND => 6;  # /* user not found */
use constant RLM_MODULE_NOOP     => 7;  # /* module succeeded without doing anything */
use constant RLM_MODULE_UPDATED  => 8;  # /* OK (pairs modified) */
use constant RLM_MODULE_NUMCODES => 9;  # /* How many return codes there are */

sub authorize {

    ### DB connection variables ###
    my $driver   = "mysql";
    my $user     = "dbuser";
    my $pw       = "mypassword";
    my $database = "radius";
    my $host     = "localhost:3306";

    my $dsn = "DBI:$driver:$database:$host";

    ## For good manners you should add something here that only makes the
    ## db connect if code eq "Access-Request" or something something...
    my $dbh = DBI->connect($dsn, $user, $pw, { RaiseError => 1 });

    ### Other variables ###
    my $NAS_IP_ADDRESS     = $RAD_REQUEST{'NAS-IP-Address'};
    my $CALLING_STATION_ID = $RAD_REQUEST{'Calling-Station-Id'};
    my $NAS_PORT_ID        = $RAD_REQUEST{'NAS-Port-Id'};
    my $USER_NAME          = $RAD_REQUEST{'User-Name'};
    my $MAC                = $RAD_REQUEST{'some-Client-Hardware-Addr'};
    my $VENDOR_ID          = $RAD_REQUEST{'some-DHCP-Vendor-Class-Id'};
    if (!$VENDOR_ID) {
        $RAD_REQUEST{'some-DHCP-Vendor-Class-Id'} = "NO_VENDOR_ID";
    }
    ### ETC ETC...

    ## The request attributes come from the NAS (and ultimately from the client),
    ## so pass them as bind parameters instead of interpolating them into the SQL.
    my $sth = $dbh->prepare("SELECT vlan FROM my_vlan_table WHERE NAS_IP_ADDRESS = ? AND CALLING_STATION_ID = ?");   ## <-- Or something.
    $sth->execute($NAS_IP_ADDRESS, $CALLING_STATION_ID);

    my ($VLAN) = $sth->fetchrow_array();
    $sth->finish();

    if (!$VLAN) {
        ### SOmething something
        ### Or maybe a default account..
        $RAD_REQUEST{'User-Name'} = "my_default_user_account";
        $RAD_CHECK{'Auth-Type'}   = "Accept";   ## Auth-Type is a control (check) item, not a reply item
        $RAD_REPLY{'User-Name'}   = $USER_NAME;
        $RAD_REPLY{'needed-reply-attribute-Subsc-ID-Str'}   = $MAC;
        $RAD_REPLY{'needed-reply-attribute-Subsc-Prof-Str'} = "direct_access";
        $RAD_REPLY{'needed-reply-attribute-SLA-Prof-Str'}   = "150-BB-10-10";
        ### ETC ETC...
    }
    else {
        $RAD_REPLY{'vlan-id-attribute-to-send-back'} = $VLAN;
        $RAD_CHECK{'Auth-Type'}   = "Accept";
        $RAD_REPLY{'User-Name'}   = $USER_NAME;
        $RAD_REPLY{'needed-reply-attribute-Subsc-ID-Str'}   = $MAC;
        $RAD_REPLY{'needed-reply-attribute-Subsc-Prof-Str'} = "direct_access";
        $RAD_REPLY{'needed-reply-attribute-SLA-Prof-Str'}   = "150-BB-10-10";
    }

    $dbh->disconnect();

    return RLM_MODULE_OK;
}
-----Original Message-----
From: 
freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org 
[mailto:freeradius-users-bounces+alexander.silverohrt=itux...@lists.freeradius.org]
 On Behalf Of Alex Sharaz
Sent: 8 April 2013 13:37
To: FreeRadius users mailing list
Subject: perl examples

Hi,
There don't seem to be many examples relating to using  perl to access remote 
databases in fact there don't seem to be many perl examples at all.

Got example.pl configured a wee bit and running on test server but could do 
with a better db related example.

Unfortunately my perl skills aren't ts good as they could be.

In post-auth I want to

extract the nas-ip address and calling station-id of the client device
open a db connection and perform a query that'll let me  decide what vlan-id to 
send back in the access-accept packet
write 

Re: perl examples

2013-04-08 Thread Alex Sharaz

On 8 Apr 2013, at 13:32, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
 There don't seem to be many examples relating to using  perl to access 
 remote databases…. in fact there don't seem to be many perl examples at all.
 
 that's because it's a Perl issue not a FreeRADIUS one :-)
 

:-)) 

but it's Perl being used within FreeRADIUS (he says batting the ball over the net) 

 In post-auth I want to 
 
 extract the nas-ip address and calling station-id of the client device
 open a db connection and perform a query that'll let me  decide what vlan-id 
 to send back in the access-accept packet
 write radius attributes into the access-accept reply
 
 you need to use DBI PERL to open the connection and then create the query.
 for the query you can use values straight from the FreeRADIUS PERL hook - or 
 assign
 them to variables and use those variables, then run the query and look at
 the results.  of course, you will need to verify that the connection was okay,
 that the query was okay and that the results are okay. 
 
OK, can do much of that.

 Anyone got some form of template I could use for the above?
 
 each case requires new code...but a quick Google will show you how to do the 
 DB query
 stuff...I can provide you some template for assigning variables 
That would be great if you could
Rgds
Alex

 
 alan


Re: MAC Address Auth

2013-04-08 Thread Matthew Newton
On Mon, Apr 08, 2013 at 04:18:54AM -0700, Mulindwa wrote:
 I want user eric@ut3 with this Mac Address to log in, and if
 the MAC address is different he will not be granted access.

Move the Mac-Addr attribute from the reply list to the check list,
and make it a check operator (==) not assignment (=):

eric@ut3  Cleartext-Password := eric, Simultaneous-Use := 1, Mac-Addr == 
02-1B-9E-D3-0B-F0
    Service-Type = Framed-User,
    Qos-Policy-Policing = broadband_128_policing,
    Qos-Policy-Metering = broadband_128_metering,
    Framed-Protocol = PPP,
    Ip_Address_Pool_Name = pool_128,
    Framed-Address = 255.255.255.254,
    Framed-Netmask = 255.255.255.255,
    Fall-Through = 0

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: perl examples

2013-04-08 Thread Alex Sharaz
Magic! 

many thanks, got all the bits I needed 

One question though, 

Why auth and not post-auth? I'm working on the basis that the stuff I do 
doesn't have anything to do with the actual auth process; in post-auth I'm 
doing things like setting session-timeouts, vlan assignments etc. based upon 
whether it's an access-request or an access-reject.

Is there something wrong with that logic?

Rgds
alex





Re: perl examples

2013-04-08 Thread A . L . M . Buxey
Hi,

 In post-auth I want to 
 
 extract the nas-ip address and calling station-id of the client device
 open a db connection and perform a query that'll let me  decide what vlan-id 
 to send back in the access-accept packet
 write radius attributes into the access-accept reply

one more comment...for something so 'trivial' I would seriously
consider using unlang to do this anyway eg

update reply {
    Tunnel-Private-Group-ID = "%{sql:SELECT vlan from authtable where NAS='%{NAS-IP-Address}' and csi='%{Calling-Station-Id}'}"
    Tunnel-Medium-Type = IEEE-802
    Tunnel-Type = VLAN
}

..or such...

alan


Re: MAC Address Auth

2013-04-08 Thread Mulindwa
Thanks Matthew,

Sorry to ask, but where is the reply list and where is the check list?


 
Eric M




Re: perl examples

2013-04-08 Thread Alex Sharaz

On 8 Apr 2013, at 14:24, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
 In post-auth I want to 
 
 extract the nas-ip address and calling station-id of the client device
 open a db connection and perform a query that'll let me  decide what vlan-id 
 to send back in the access-accept packet
 write radius attributes into the access-accept reply
 
 one more comment...for something so 'trivial' I would seriously
 consider using unlang to do this anyway eg
 
 update reply {
     Tunnel-Private-Group-ID = "%{sql:SELECT vlan from authtable where NAS='%{NAS-IP-Address}' and csi='%{Calling-Station-Id}'}"
     Tunnel-Medium-Type = IEEE-802
     Tunnel-Type = VLAN
 }
 
 ..or such…
 
looks neat, but getting the vlan associated with the switch and the calling 
station id isn't that simple.  but I'll have a look anyway

Rgds
Alex

 alan


Re: MAC Address Auth

2013-04-08 Thread Marinko Tarlać
Do you plan to read anything, or do you think we're here in a chat room, 
waiting for your questions (the same questions every day...)?






Re: MAC Address Auth

2013-04-08 Thread Mulindwa
I have read and read, and I have not seen where the reply list or check list is


 
Eric M



 From: Marinko Tarlać mangi...@gmail.com
To: freeradius-users@lists.freeradius.org 
Sent: Monday, April 8, 2013 5:02 PM
Subject: Re: MAC Address Auth
 

Do you plan to read anything, or do you think we're here in a chat room, waiting 
for your questions (the same questions every day...)?





Re: perl examples

2013-04-08 Thread Phil Mayers

On 08/04/13 14:47, Alex Sharaz wrote:


On 8 Apr 2013, at 14:24, a.l.m.bu...@lboro.ac.uk wrote:


Hi,


In post-auth I want to

extract the nas-ip address and calling station-id of the client
device open a db connection and perform a query that'll let me
decide what vlan-id to send back in the access-accept packet
write radius attributes into the access-accept reply


one more comment...for something so 'trivial' I would seriously
consider using unlang to do this anyway eg

update reply {
        Tunnel-Private-Group-ID = "%{sql:SELECT vlan from authtable where NAS='%{NAS-IP-Address}' and csi='%{Calling-Station-Id}'}"
        Tunnel-Medium-Type = IEEE-802
        Tunnel-Type = VLAN
}

..or such…


looks neat, but getting the vlan associated with the switch and the
calling station id isn't that simple.  but I'll have a look anyway


FWIW we use unlang and a simple stored procedure that returns a little 
blob:


vlan,something,somemore

...which we split using a regexp in the next unlang statement. This is 
also a handy place to check for an empty xlat result (which indicates 
failure of the SQL lookup) and do logging, and possibly set 
Do-Not-Respond to allow the other RADIUS server a chance to succeed 
the auth.

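An added illustration of the approach Phil describes (one SQL xlat, an empty-result check with logging and Do-Not-Respond, then a regex split into reply attributes). This is not Phil's configuration or anything shipped with FreeRADIUS; it is written in 2.x-era unlang and assumes a hypothetical database function get_vlan_info(nas, mac) that returns a single string of the form "vlan,something,somemore", and that the sql module is already configured. Tmp-String-0 is one of the server's internal scratch attributes.

```unlang
# Added example, not from the original post. Assumes a database function
# get_vlan_info(nas, mac) (hypothetical) returning "vlan,something,somemore".
post-auth {
        # Run the lookup once and keep the raw result in a scratch attribute.
        # Nested expansions inside %{sql:...} are escaped by the sql module
        # before the query is sent.
        update request {
                Tmp-String-0 := "%{sql:SELECT get_vlan_info('%{NAS-IP-Address}', '%{Calling-Station-Id}')}"
        }

        # An empty xlat result means the query failed or returned no row.
        # Log it and stay silent so the NAS fails over to its other RADIUS server.
        if (Tmp-String-0 == "") {
                update request {
                        Module-Failure-Message := "VLAN lookup failed for %{Calling-Station-Id} on %{NAS-IP-Address}"
                }
                update control {
                        Response-Packet-Type := Do-Not-Respond
                }
                fail
        }

        # Split the "vlan,something,somemore" blob; captures are %{1}, %{2}, %{3}.
        # The VLAN field must be purely numeric before it is sent to the switch.
        if (Tmp-String-0 =~ /^([0-9]+),([^,]*),([^,]*)$/) {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-ID := "%{1}"
                }
        }
        else {
                # A row came back but does not match the expected layout:
                # refuse rather than send a half-formed VLAN assignment.
                update request {
                        Module-Failure-Message := "Malformed VLAN record: %{Tmp-String-0}"
                }
                reject
        }
}
```

The two failure branches are deliberately different: a missing row is treated as a lookup outage (no response, so redundancy elsewhere can take over), while a malformed row is treated as a data problem and rejected, since the server did get an answer and should not hand the NAS a VLAN it cannot validate.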


Re: MAC Address Auth

2013-04-08 Thread Alan DeKok
Mulindwa wrote:
 I have read and read, and I have not seen where the reply list or check
 list is

$ man unlang

  Read doc/rlm_sql

  I have no idea which files you're reading.  But it's clear you're
*not* reading the documentation that comes with the server.

  Don't google for random pages on the net.  Read the documentation.
Read the Wiki.  99% of questions are answered there.

  Alan DeKok.


Re: MAC Address Auth

2013-04-08 Thread Mulindwa
Great, thanx Alan


 
Eric M



 From: Alan DeKok al...@deployingradius.com
To: Mulindwa meri...@yahoo.com; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org 
Sent: Monday, April 8, 2013 5:21 PM
Subject: Re: MAC Address Auth
 
Mulindwa wrote:
 I have read and read, and I have not seen where the reply list or check
 list is

$ man unlang

  Read doc/rlm_sql

  I have no idea which files you're reading.  But it's clear you're
*not* reading the documentation that comes with the server.

  Don't google for random pages on the net.  Read the documentation.
Read the Wiki.  99% of questions are answered there.

  Alan DeKok.

Re: perl examples

2013-04-08 Thread Alex Sharaz
ok. 
This looks easier

Thx
A
On 8 Apr 2013, at 15:18, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 08/04/13 14:47, Alex Sharaz wrote:
 
 On 8 Apr 2013, at 14:24, a.l.m.bu...@lboro.ac.uk wrote:
 
 Hi,
 
 In post-auth I want to
 
 extract the nas-ip address and calling station-id of the client
 device open a db connection and perform a query that'll let me
 decide what vlan-id to send back in the access-accept packet
 write radius attributes into the access-accept reply
 
 one more comment...for something so 'trivial' I would seriously
 consider using unlang to do this anyway eg
 
 update reply {
         Tunnel-Private-Group-ID = "%{sql:SELECT vlan from authtable where NAS='%{NAS-IP-Address}' and csi='%{Calling-Station-Id}'}"
         Tunnel-Medium-Type = IEEE-802
         Tunnel-Type = VLAN
 }
 
 ..or such…
 
 looks neat, but getting the vlan associated with the switch and the
 calling station id isn't that simple.  but I'll have a look anyway
 
 FWIW we use unlang and a simple stored procedure that returns a little blob:
 
 vlan,something,somemore
 
 ...which we split using a regexp in the next unlang statement. This is also a 
 handy place to check for an empty xlat result (which indicates failure of the 
 SQL lookup) and do logging, and possibly set Do-Not-Respond to allow the 
 other RADIUS server a chance to succeed the auth.


Re: perl examples

2013-04-08 Thread A.L.M. Buxey
Hi,

 Why auth and not post-auth? I'm working on the basis that the stuff I do 
 doesn't have anything to do with the actual auth process; in post-auth I'm 
 doing things like setting session-timeouts, vlan assignments etc. based upon 
 whether it's an access-request or an access-reject.
 
 Is there something wrong with that logic?

no. post-auth in the inner-tunnel is where we do it.

alan


Re: perl examples

2013-04-08 Thread Alex Sharaz
That's fine then, that's where I'm doing this
A
On 8 Apr 2013, at 15:49, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
 Why auth and not post-auth? I'm working on the basis that the stuff I do 
 doesn't have anything to do with the actual auth process; in post-auth I'm 
 doing things like setting session-timeouts, vlan assignments etc. based 
 upon whether it's an access-request or an access-reject.
 
 Is there something wrong with that logic?
 
 no. post-auth in the inner-tunnel is where we do it.
 
 alan