Re: Selective Update of User-Name
Hi All

So after a little playing this is how I got it to work. We wrote a python program which set the Proxy-To-Realm as a control item in the return. Then we wrote some unlang code for authorize and preacct which uses this to selectively rewrite the username so that it has a realm.

I have another question about unlang that I'll ask in a new email.

Cheers
Mike

Mike O'Connor wrote:
> Hi Guys
>
> This email tries to ask my question in a different way to last time.
>
> I need to rewrite the User-Name of individual accounts to add a realm; this would need to be reliable up to at least 1 users. Does anyone have any ideas on how this might be done, in a way that can be updated without restarting Freeradius?
>
> We do have some python code running in this proxy which might be able to help.
>
> Thanks
> Mike O'Connor

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
unlang: matching for 'Access-Accept'
Hi Guys

How would I match for the packet type, i.e. 'Access-Accept', in unlang?

Mike
Re: unlang: matching for 'Access-Accept'
Ivan Kalik wrote:
>> How would I match for the packet type ie 'Access-Accept' in unlang
>
> Answers to questions like this can be found by examining dictionary.freeradius.internal. These attributes are mostly on the control list. So it should be:
>
> if(control:Packet-Type == Access-Accept) { ...
>
> Ivan Kalik
> Kalik Informatika ISP

Hi Ivan

Did not know that this information was available there. Thanks.

There does seem to be a problem: the %control:Packet-Type does not seem to expand to a value.

rad_recv: Access-Accept packet from host 118.67.xxx.xxx port 1812, id=10, length=25
        Proxy-State = 0x313534
+- entering group post-proxy {...}
++? if (control:Packet-Type == Access-Accept)
        expand: %{control:Packet-Type} -
? Evaluating (control:Packet-Type == Access-Accept) - FALSE
++? if (control:Packet-Type == Access-Accept) - FALSE
.

Could version 2.1.4 have a bug in this area?

Mike
Re: Proxy-To-Realm and Users File
Alexander Clouter wrote:
> Mike O'Connor freerad...@pineview.net wrote:
>> Using freeradius 2.1.4 the following works if I use the hints file.
>>
>> DEFAULT Called-Station-Id == splns357
>>         User-Name := %{user-na...@mb.webshield.net.au
>>
>> The user is proxied to the correct server and the user is correctly set.
>>
>> I now need to proxy based on the User-Name, which in this case will always be a telephone number (Mobile Broadband SIMs).
>>
>> I had added the following to the users file (which I hope to change to the fast users later)
>>
>> 61466004163 Proxy-To-Realm := mb.webshield.net.au
>>         User-Name := %{user-na...@mb.webshield.net.au
>>
>> This proxies the user to the next server but does not rewrite the username. I've also tried a couple of others in this file but none seem to work.
>
> I ran into this too. I think I got the impression that after you call 'suffix' things are set in stone and User-Name/Realm is read-only (in the 'request' set of valuepairs), which is fair enough[1].
>
> If you do rewrite 'proxy-request:User-Name' you probably will find things work as you expect.
>
> Cheers
>
> [1] later on when mangling other things, you appreciate that mangling the original User-Name/Realm was a Bad Idea(tm) and besides what's the point in calling 'suffix' also :)

I have to be able to do this rewrite in a dynamic way because I'm forwarding wholesale services which do not have a realm.

I've been reading the source code and cannot find anything which would indicate a locking in the rlm_preprocess.

Any other ideas out there for this problem?

Mike

Does anyone know how I could affect thing
Selective Update of User-Name
Hi Guys

This email tries to ask my question in a different way to last time.

I need to rewrite the User-Name of individual accounts to add a realm; this would need to be reliable up to at least 1 users. Does anyone have any ideas on how this might be done, in a way that can be updated without restarting Freeradius?

We do have some python code running in this proxy which might be able to help.

Thanks
Mike O'Connor
Re: Selective Update of User-Name
John Morrissey wrote:
> On Thu, Aug 27, 2009 at 10:57:47PM +0930, Mike O'Connor wrote:
>> I need to rewrite the User-Name of individual accounts to add a realm; this would need to be reliable up to at least 1 users. Does anyone have any ideas on how this might be done, in a way that can be updated without restarting Freeradius?
>>
>> We do have some python code running in this proxy which might be able to help.
>
> We're doing this with rlm_perl's authorize(). We change the values in %RAD_REQUEST and return RLM_MODULE_UPDATED in the handler. I would think rlm_python would be similar.
>
> If you need to change the list of users on the fly (is that what you mean by without restarting Freeradius?), you could put your list of users into something like a Berkeley DB file and have the authorize handler check there for the username to determine whether to add the realm.
>
> john

Hi John

Thanks for your comments. I now see why the modules rlm_files and rlm_fastusers do not adjust the username: they only return RLM_MODULE_OK, whereas rlm_preprocess returns RLM_MODULE_UPDATED.

This piece of information will allow a python module to be written.

Mike
Proxy-To-Realm and Users File
Hi All

Using freeradius 2.1.4 the following works if I use the hints file.

DEFAULT Called-Station-Id == splns357
        User-Name := %{user-na...@mb.webshield.net.au

The user is proxied to the correct server and the user is correctly set.

I now need to proxy based on the User-Name, which in this case will always be a telephone number (Mobile Broadband SIMs).

I had added the following to the users file (which I hope to change to the fast users later)

61466004163 Proxy-To-Realm := mb.webshield.net.au
        User-Name := %{user-na...@mb.webshield.net.au

This proxies the user to the next server but does not rewrite the username. I've also tried a couple of others in this file but none seem to work.

rad_recv: Access-Request packet from host 118.67.209.51 port 56036, id=1, length=92
        Framed-Protocol = PPP
        User-Name = 61466004163
        User-Password = password
        Calling-Station-Id = 61466004163
        Called-Station-Id = splns357
        Service-Type = Framed-User
        NAS-IP-Address = 118.67.208.51
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radius/radacct/118.67.209.51/auth-detail-20090827
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/118.67.209.51/auth-detail-20090827
[auth_log] expand: %t - Thu Aug 27 09:40:24 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 61466004163, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry 61466004163 at line 1
[files] expand: %{user-na...@mb.webshield.net.au - 61466004...@mb.webshield.net.au
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
2009-08-27T09:40:24.327336: Verbose: RLM_PYTHON: handling Authorize request...
++[python] returns ok
+- entering group pre-proxy {...}
[attr_filter.pre-proxy] expand: %{Realm} - mb.webshield.net.au
++[attr_filter.pre-proxy] returns noop
Sending Access-Request of id 250 to 118.67.209.21 port 1812
        Framed-Protocol = PPP
        User-Name = 61466004163
        User-Password = password
        Calling-Station-Id = 61466004163
        Called-Station-Id = splns357
        Service-Type = Framed-User
        NAS-IP-Address = 118.67.208.51
        Proxy-State = 0x31
Proxying request 0 to home server 118.67.209.21 port 1812
Sending Access-Request of id 250 to 118.67.209.21 port 1812
        Framed-Protocol = PPP
        User-Name = 61466004163
        User-Password = password
        Calling-Station-Id = 61466004163
        Called-Station-Id = splns357
        Service-Type = Framed-User
        NAS-IP-Address = 118.67.208.51
        Proxy-State = 0x31
Going to the next request
Waking up in 0.9 seconds.
Waking up in 13.0 seconds.
rad_recv: Access-Reject packet from host 118.67.209.21 port 1812, id=250, length=23
        Proxy-State = 0x31

Thanks All
Mike
Re: rlm_python example?
Hi Hristo

Could you supply a quick example? It's always good to get a working example after a problem is resolved (even if the person is resolved by the questioner).

Mike

Hristo Trendev wrote:
> The examples in src/modules/rlm_python gave me some hints and I figured it out. Thanks anyway.
>
> On Tue, Mar 31, 2009 at 3:43 PM, Hristo Trendev dist.li...@gmail.com wrote:
>> I am trying to figure out how to properly setup freeradius with rlm_python. The module loads and scripts execute, but I seem to miss something when I try to return value pairs to be used in the reply packet (Access-Accept).
>>
>> I have tried with the following script:
>>
>> def authorize (params):
>>         print params
>>         return (0, ('Reply-Message', 'banned1'), ('Reply-Message', 'banned2'))
>>
>> and received (when I run with -X option):
>>
>> -snip-
>> +- entering group authorize {...}
>> rlm_python:authorize: tuple element 0 is not a tuple
>> rlm_python:authorize: tuple element 1 is not a tuple
>> rlm_python:authorize: tuple element 0 is not a tuple
>> rlm_python:authorize: tuple element 1 is not a tuple
>> ++[python] returns reject
>> -snip-
>>
>> I have also tried changing it to:
>>
>> def authorize (params):
>>         print params
>>         return (0, ('Reply-Message', 'banned'))
>>
>> but then I get:
>>
>> -snip-
>> +- entering group authorize {...}
>> rlm_python:authorize: tuple must be (return, replyTuple, configTuple)
>> ++[python] returns ??
>> -snip-
>>
>> Can someone point me in the right direction? What is supposed to be passed in configTuple? How do I return multiple value pairs at?
>>
>> I was able to make it work with rlm_exec, but I'd like to use the python module instead.
>>
>> I am using freeradius on ubuntu 8.04, installed via apt-get from hardy-backports (2.1.0+dfsg-0ubuntu2~hardy1)
>>
>> BR,
>> Hristo
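Added example (not code from any poster or from the FreeRADIUS project): an rlm_python-style authorize() that returns the (return, replyTuple, configTuple) triple named in the debug output above, and that puts Proxy-To-Realm in the config tuple for selected users, as the "Selective Update of User-Name" thread describes. The map file path and its "username realm" line format, the names RealmMap and shape_error, and the locally repeated return-code numbers are assumptions; the User-Name rewrite itself is left to unlang, as in that thread.

```python
import os

# Numeric values of FreeRADIUS's rlm_rcode enum. Inside the server they are
# taken from the embedded `radiusd` module; they are repeated here (assumed)
# so that this file also runs on its own.
RLM_MODULE_REJECT = 0
RLM_MODULE_OK = 2
RLM_MODULE_NOOP = 7
RLM_MODULE_UPDATED = 8


class RealmMap(object):
    """username -> realm table, re-read whenever the file changes on disk."""

    def __init__(self, path):
        self.path = path
        self._stamp = None          # (mtime, size) of the copy last parsed
        self._table = {}

    def lookup(self, username):
        try:
            st = os.stat(self.path)
        except OSError:
            # File missing or unreadable: keep answering from the last good copy.
            return self._table.get(username)
        stamp = (st.st_mtime, st.st_size)
        if stamp != self._stamp:
            table = {}
            with open(self.path) as fh:
                for line in fh:
                    fields = line.split('#', 1)[0].split()
                    if len(fields) == 2:            # "<username> <realm>"
                        table[fields[0]] = fields[1]
            self._table, self._stamp = table, stamp
        return self._table.get(username)


# Hypothetical location; the list can be edited without restarting the server.
REALM_MAP = RealmMap('/etc/raddb/python_realms.txt')


def authorize(params, realm_map=None):
    """params is a tuple of (name, value) pairs, as pprint shows in the thread."""
    realm_map = realm_map or REALM_MAP
    username = dict(params).get('User-Name', '')
    if '@' in username:
        return RLM_MODULE_NOOP                      # already carries a realm
    realm = realm_map.lookup(username)
    if realm is None:
        return RLM_MODULE_NOOP                      # not a listed account
    reply_pairs = ()                                # nothing added to the reply
    config_pairs = (('Proxy-To-Realm', realm),)     # control item for unlang
    return (RLM_MODULE_UPDATED, reply_pairs, config_pairs)


def shape_error(result):
    """Return None if `result` has a shape rlm_python accepts, else a message.

    The first two messages are the ones quoted in the debug output above; the
    third is this example's own wording.
    """
    if isinstance(result, int):
        return None                                 # bare return code
    if not isinstance(result, tuple) or len(result) != 3:
        return 'tuple must be (return, replyTuple, configTuple)'
    for pairs in result[1:]:
        for index, pair in enumerate(pairs or ()):
            if not isinstance(pair, tuple):
                return 'tuple element %d is not a tuple' % index
            if len(pair) != 2:
                return 'tuple element %d is not a (name, value) pair' % index
    return None
```

Both failing returns from the quoted question are rejected by shape_error with the same messages the server printed; wrapping the pairs as (('Reply-Message', 'banned1'), ('Reply-Message', 'banned2')) and adding an empty config tuple passes.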
Re: OT: Implementing RSA's SecurID
Greg Vickers wrote:
> Hi,
>
> (Apologies for an OT post)
>
> I was wondering if anyone knows of any user list that would contain a community of people who implement systems like RSA's SecurID?
>
> The reason is that I am researching who else has implemented SecurID and am trying to find if there is another company or organisation who has implemented it in the way we wish to.
>
> Thanks,

Hi Greg

I suggest that you have a look at Yubico's YubiKey, one of the most interesting authentication devices I have ever seen.

Note Freeradius is supported via PAM:
http://code.google.com/p/yubico-pam/wiki/YubikeyAndRadiusViaPAM

Cheers
Mike
Re: Freeradius 2.04 + python + mysqldb python module on Debian 4.0
Hi Jester

A few things.

1. I've never been able to get python to work correctly on a Debian system; this is for both Sarge and Etch. We currently have to use Centos 5 for our proxy radius systems which use python.

2. I do not believe that loading a mysql connection each time you received a radius packet is going to be a good idea. I would instead create a very small shim which calls a python daemon via a unix socket.

Cheers
Mike

[EMAIL PROTECTED] wrote:
> From the subject, you can probably guess that it's just barely a Freeradius problem :) Anyway...
>
> Using the Build (http://wiki.freeradius.org/Build) instructions for Debian, I have compiled FreeRADIUS with python support. I copied the example module configuration for python out of experimental.conf. Using the provided test script, the server runs fine, and any other simple script works until I try to import MySQLdb for python.
>
> However, when you try to import MySQLdb, it blows it stops, and throws the following:
>
> type 'exceptions.ImportError': /var/lib/python-support/python2.5/_mysql.so: undefined symbol: PyExc_ImportError
> Failed to import python module pyrad_auth
> /etc/freeradius/radiusd.conf[608]: Instantiation failed for module python
> Errors initializing modules
>
> Which, I think, means that it can't load the mysql module for some reason, and I don't know much else. From the command prompt, I can execute the .py script that I am using. In fact, it is the same script that works on a SuSE 10.1 server that I have, so I think the script is not likely to be the problem.
>
> Any pointers/hints/need more info? Much appreciated.
>
> --Jester Purtteman
Re: Failed Auth using users file (sometimes)
Hi Ivan

Thanks for your response. My question: why would it not work then just work, no changes other than a restart between the two?

It's running freeradius 1.1.7

Mike

Ivan Kalik wrote:
> rlm_realm: Looking up realm xxx.com for User-Name = [EMAIL PROTECTED]
> rlm_realm: Found realm xxx.com
> rlm_realm: Proxying request from user nyp2inter to realm xxx.com
> rlm_realm: Adding Realm = xxx.com
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module suffix returns noop for request 1647
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module eap returns noop for request 1647
> modcall[authorize]: module files returns notfound for request 1647
>
> rlm_realm: Looking up realm xxx.com for User-Name = [EMAIL PROTECTED]
> rlm_realm: Found realm xxx.com
> rlm_realm: Adding Stripped-User-Name = nyp2inter
> rlm_realm: Proxying request from user nyp2inter to realm xxx.com
> rlm_realm: Adding Realm = xxx.com
> rlm_realm: Preparing to proxy authentication request to realm xxx.com
> modcall[authorize]: module suffix returns updated for request 1675
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module eap returns noop for request 1675
> users: Matched entry nyp2inter at line 18
> modcall[authorize]: module files returns ok for request 1675
>
> First debug doesn't strip the realm so there is no match in users file.
>
> Ivan Kalik
> Kalik Informatika ISP
Failed Auth using users file (sometimes)
Hi Guys I have an account which I want to auth locally on our 2 proxy radius machine. The problem is that sometimes the connection authenticates and other times it does not, there are warning in the log's below so I'm sure I have something wrong. But I can not work out what I should be doing instead. Also how would I create a feature which would temporally authenticate all users for a realm as allowed ? The user file entry is nyp2inter Realm == 'xxx.com', User-Password == 'xxx', Proxy-To-Realm := LOCAL Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = xxx.xx.216.40, Framed-IP-Netmask = 255.255.255.255, Framed-Route = xxx.xx.10.128/25 0.0.0.0 1, Framed-MTU = 1492, Framed-Compression = Van-Jacobsen-TCP-IP Failed Auth: rad_recv: Access-Request packet from host xxx.xx.208.165:1645, id=155, length=106 Framed-Protocol = PPP User-Name = [EMAIL PROTECTED] User-Password = xxx NAS-Port-Type = Virtual NAS-Port = 328 Calling-Station-Id = sfy713300200187 Service-Type = Framed-User NAS-IP-Address = xxx.xx.208.165 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1647 modcall[authorize]: module preprocess returns ok for request 1647 radius_xlat: '/var/log/radius/radacct/xxx.xx.208.165/auth-detail-20080424' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxx.xx.208.165/auth -detail-20080424 modcall[authorize]: module auth_log returns ok for request 1647 modcall[authorize]: module attr_filter returns noop for request 1647 modcall[authorize]: module chap returns noop for request 1647 modcall[authorize]: module mschap returns noop for request 1647 rlm_realm: Looking up realm xxx.com for User-Name = [EMAIL PROTECTED] rlm_realm: Found realm xxx.com rlm_realm: Proxying request from user nyp2inter to realm xxx.com rlm_realm: Adding Realm = xxx.com rlm_realm: Authentication realm is LOCAL. 
modcall[authorize]: module suffix returns noop for request 1647 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module eap returns noop for request 1647 modcall[authorize]: module files returns notfound for request 1647 rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this. modcall[authorize]: module pap returns noop for request 1647 2008-04-24T11:29:37.613507: Verbose: RLM_PYTHON: handling Authorize request... modcall[authorize]: module python returns ok for request 1647 modcall: leaving group authorize (returns ok) for request 1647 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [EMAIL PROTECTED]/nyp4inter] (from client lns1.ade port 328 cli sfy713300200187) Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 1647 rlm_sql_log (sql_log): Processing sql_log_postauth radius_xlat: 'INSERT INTO radpostauth (user, password, reply, date, reply_message) VALUES ('[EMAIL PROTECTED]', 'xxx', ' Access-Reject', '2008-04-24 11:29:37', '');' radius_xlat: '/var/log/radius/radacct/sql-relay' modcall[post-auth]: module sql_log returns ok for request 1647 modcall: leaving group REJECT (returns ok) for request 1647 Delaying request 1647 for 1 seconds Finished request 1647 With no Changes this Connected: rad_recv: Access-Request packet from host xxx.xx.208.165:1645, id=167, length=106 Framed-Protocol = PPP User-Name = [EMAIL PROTECTED] User-Password = xxx NAS-Port-Type = Virtual NAS-Port = 315 Calling-Station-Id = sfy713300200187 Service-Type = Framed-User NAS-IP-Address = xxx.xx.208.165 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1675 modcall[authorize]: module preprocess returns ok for request 1675 radius_xlat: '/var/log/radius/radacct/xxx.xx208.165/auth-detail-20080424' rlm_detail: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/xxx.xx208.165/auth -detail-20080424 modcall[authorize]: module auth_log returns ok for request 1675 modcall[authorize]: module attr_filter returns noop for request 1675 modcall[authorize]: module chap returns noop for request 1675 modcall[authorize]: module mschap returns noop for request 1675 rlm_realm: Looking up realm xxx.com for User-Name = [EMAIL PROTECTED] rlm_realm: Found realm xxx.com rlm_realm: Adding Stripped-User-Name = nyp2inter rlm_realm: Proxying request from user nyp2inter to realm xxx.com rlm_realm: Adding Realm = xxx.com rlm_realm: Preparing to proxy authentication request to realm xxx.com
Freeradius 1.1.7 and LDAP
Hi Guys

I have a small issue with freeradius and ldap: it's authenticating as 'access accept' customers which have placed a space at the beginning of their user name. This then causes their accounting data not to match and so we do not account for their data.

Is this a bug or a setting I have incorrectly set?

Mike
Re: rlm_python freeradiusd 2.0.2
Hi Alexander

I think your problem is that python does not know where to find your module. The best way of overcoming this issue is to place a file in the site-packages directory which indicates where your python code is installed.

[EMAIL PROTECTED] site-packages]# cat radiusd_test.pth
/opt/freeradius-python/
[EMAIL PROTECTED] site-packages]#

Cheers
Mike

Alexander Demidoff wrote:
> Hello all!
>
> I want to use python possibilities to authorize users with freeradius. So, I compiled freeradius with options:
>
> --with-experimental-modules \
> --with-rlm_python
>
> created config files and my python module radiusd_isp, put it python path
>
> freeradius -X out me:
>
> python {
>         mod_instantiate = radiusd_isp
>         func_instantiate = instantiate
>         mod_authorize = radiusd_isp
>         func_authorize = authorize
>         mod_authenticate = radiusd_isp
>         func_authenticate = authenticate
>         mod_preacct = radiusd_isp
>         func_preacct = preacct
>         mod_accounting = radiusd_isp
>         func_accounting = accounting
>         mod_detach = radiusd_isp
>         func_detach = detach
> }
> exceptions.ImportError: No module named radiusd_isp
> Failed to import python module radiusd_isp
> /etc/freeradius/python.conf[32]: Instantiation failed for module python
> /etc/freeradius/radiusd.conf[1824]: Failed to find module python.
> /etc/freeradius/radiusd.conf[1793]: Errors parsing authorize section.
>
> help me anybody, please !?
Re: EXAMPLE: unlang removing attribute inside a test
Hi Alan

The documentation does not mention these options so I assume that you mean it would need writing?

> One option is to add more filtering operators. e.g. -~, meaning regex match, and remove. Or perhaps a better way, is to add a filter section:
>
> filter request {
>         # filter out attributes matching the following
>         Foo =~ /bar/    # remove by regex
> }
>
> Also, adding a require section may be useful, too:
>
> require request {
>         # filter out attributes NOT matching
>         Foo =~ /bar/
> }

As I have not written much C code in 15 years, it's going to take me a while to work that one out.

Cheers
Mike
Re: Python and return attributes in `postproxy`
Alan DeKok wrote:
> Mike O'Connor wrote:
>> It would seem as if the rlm_python does not provide the returned attributes from the proxy, this happens in both a patched version of 1.1.7 and 2.0.0.
>
> Yes. It appears to convert only the request attributes to a python tuple.
>
> Fixing it shouldn't be hard. As always, patches are welcome.
>
> Alan DeKok.

Hi Alan

Is there an example of how this is done in another rlm_ module which works in a similar way as the rlm_python code?

Mike
Python and return attributes in `postproxy`
Hi Guys

It would seem as if the rlm_python does not provide the returned attributes from the proxy, this happens in both a patched version of 1.1.7 and 2.0.0.

Code:

def postproxy(params):
    log.log('RLM_PYTHON: handling Post Proxy request...', log.VERBOSE)
    pprint.pprint(params)
    returnval = send_message('postproxy', params, False)
    return lib.radiusd.RLM_MODULE_OK

Result:

+- entering group post-proxy
2008-01-14T13:14:09.412107: Verbose: RLM_PYTHON: handling Post Proxy request...
(('Framed-Protocol', 'PPP'),
 ('User-Name', '[EMAIL PROTECTED]'),
 ('User-Password', 'x'),
 ('Service-Type', 'Framed-User'),
 ('NAS-IP-Address', '118.xx.xx.xx'),
 ('Realm', 'dsl.*'),
++[python] returns ok

Command line test:

Sending Access-Request of id 39 to 118.67.209.51 port 1812
        Framed-Protocol = PPP
        User-Name = [EMAIL PROTECTED]
        User-Password = x
        Service-Type = Framed-User
        NAS-IP-Address = 118.xx.xx.xx
rad_recv: Access-Accept packet from host 118.67.209.51 port 1812, id=39, length=44
        Port-Limit = 1
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-IP-Address = 118.xx.xx.21
Re: RLM_python patch to enable postproxy - Not work need a little help
Alan DeKok wrote:
> Mike O'Connor wrote:
>> I wrote the attached patch for Freeradius 1.1.7 to enabled calling python in the post-proxy, it compiles but will not run when the hook is listed in post-proxy because Freeradius complains that there is no support for post-proxy in rlm_python.
>
> You didn't install the new version of rlm_python. So it's still linking to the old rlm_python, without post-proxy support.

Maybe I'm not getting you, but even the latest cvs does not have any post-proxy or post-auth support.

module_t rlm_python = {
        RLM_MODULE_INIT,
        "python",
        RLM_TYPE_THREAD_SAFE,           /* type */
        python_instantiate,             /* instantiation */
        python_detach,                  /* detach */
        {
                python_authenticate,    /* authentication */
                python_authorize,       /* authorization */
                python_preacct,         /* preaccounting */
                python_accounting,      /* accounting */
                python_checksimul,      /* checksimul */
                NULL,                   /* pre-proxy */
                NULL,                   /* post-proxy */
                NULL                    /* post-auth */
        },
};

My code added the post-proxy but when I tried to use it freeradius would complain that rlm_python did not support being called from the post-auth section of radiusd.conf.

>> My question is where in the source is the list of allowed call per module ?
>
> No. The *only* interaction is in the modules.

That's what I would have thought, which is why what I saw did not make any sense. It would report finding my config section for the post-proxy but when added to the config it would not start freeradius.

Thanks
Mike
Re: RLM_python patch to enable postproxy - Not work need a little help
Hi Alan

I think I have worked it out; somehow I got myself confused during my testing. The model was there but I think each time I did not have everything configured.

Thanks as always for your time
Mike
RLM_python patch to enable postproxy - Not work need a little help
Hi Guys I wrote the attached patch for Freeradius 1.1.7 to enabled calling python in the post-proxy, it compiles but will not run when the hook is listed in post-proxy because Freeradius complains that there is no support for post-proxy in rlm_python. My question is where in the source is the list of allowed call per module ? Once I know this I can fix this attached and supply as a tested patch. Thanks Mike --- src/modules/rlm_python/rlm_python.c.orig2007-03-06 00:45:28.0 +1030 +++ src/modules/rlm_python/rlm_python.c 2007-10-10 15:36:51.0 +0930 @@ -54,6 +54,7 @@ char*mod_authenticate; char*mod_preacct; char*mod_accounting; +char*mod_post_proxy; char*mod_checksimul; char*mod_detach; @@ -63,6 +64,7 @@ char*func_authenticate; char*func_preacct; char*func_accounting; +char*func_post_proxy; char*func_checksimul; char*func_detach; @@ -71,6 +73,7 @@ PyObject *pModule_authenticate; PyObject *pModule_preacct; PyObject *pModule_accounting; +PyObject *pModule_post_proxy; PyObject *pModule_checksimul; PyObject *pModule_detach; @@ -80,6 +83,7 @@ PyObject *pFunc_authenticate; PyObject *pFunc_preacct; PyObject *pFunc_accounting; +PyObject *pFunc_post_proxy; PyObject *pFunc_checksimul; PyObject *pFunc_detach; }; @@ -120,6 +124,11 @@ { func_accounting, PW_TYPE_STRING_PTR, offsetof(struct rlm_python_t, func_accounting), NULL, NULL}, + { mod_post_proxy, PW_TYPE_STRING_PTR, +offsetof(struct rlm_python_t, mod_post_proxy), NULL, NULL}, + { func_post_proxy, PW_TYPE_STRING_PTR, +offsetof(struct rlm_python_t, func_post_proxy), NULL, NULL}, + { mod_checksimul, PW_TYPE_STRING_PTR, offsetof(struct rlm_python_t, mod_checksimul), NULL, NULL}, { func_checksimul, PW_TYPE_STRING_PTR, @@ -490,6 +499,7 @@ python_objclear(data-pFunc_authenticate); python_objclear(data-pFunc_preacct); python_objclear(data-pFunc_accounting); +python_objclear(data-pFunc_post_proxy); python_objclear(data-pFunc_checksimul); python_objclear(data-pFunc_detach); 
@@ -498,6 +508,7 @@ python_objclear(data-pModule_authenticate); python_objclear(data-pModule_preacct); python_objclear(data-pModule_accounting); +python_objclear(data-pModule_post_proxy); python_objclear(data-pModule_checksimul); python_objclear(data-pModule_detach); } @@ -566,6 +577,12 @@ data-pFunc_accounting) 0) goto failed; +if (python_load_function(data-mod_post_proxy, +data-func_post_proxy, +data-pModule_post_proxy, +data-pFunc_post_proxy) 0) +goto failed; + if (python_load_function(data-mod_checksimul, data-func_checksimul, data-pModule_checksimul, @@ -633,6 +650,14 @@ accounting); } +static int python_post_proxy(void *instance, REQUEST *request) +{ +return python_function( + request, + ((struct rlm_python_t *)instance)-pFunc_post_proxy, + post-proxy); +} + static int python_checksimul(void *instance, REQUEST *request) { return python_function( @@ -663,7 +688,7 @@ python_accounting, /* accounting */ python_checksimul, /* checksimul */ NULL, /* pre-proxy */ - NULL, /* post-proxy */ + python_post_proxy, /* post-proxy */ NULL/* post-auth */ }, python_detach, /* detach */ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
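Review bot: In the hunk that adds python_post_proxy(), the handler hands python_function() the same `request` that the authorize and accounting handlers pass, so nothing in the patch shows the Python function receiving the home server's reply attributes rather than the original request's. A post-proxy script needs the reply; please confirm what python_function() converts for this stage and either extend it or state the limitation where the hook is documented.

Review bot: The new CONF_PARSER entries mod_post_proxy and func_post_proxy default to NULL, and the instantiate hunk calls python_load_function() on them unconditionally with `goto failed` on error. Please confirm that an unset post-proxy pair is skipped the same way an unset checksimul pair is, so existing configurations still load, and add both keys to the example python configuration so the new hook is discoverable.

Review bot: In the module_t hunk only the post-proxy slot changes; pre-proxy and post-auth remain NULL. If that is deliberate, say so in the patch description, since the surrounding additions (struct fields, config keys, objclear calls) would be the same for the other two stages.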
Re: Filtering out a attribute conditionally
Hi Alan

>> Is there any way of adding or removing the ip_pool based on a rule ?
>
> I don't know what you mean by that.

I still want the customer ISP to be able to set a static IP address, but I have to remove the cisco-avp pair when these come through, or I want to add the cisco-avp pair when there is no static IP address.

>> Could Freeradius 2 do this ?
>
> It would likely be a lot easier. Download 2.0, and read man unlang.

I suspected that V2 would handle this better. I had read the unlang man page. Still trying to get a handle on it.

Mike
Filtering out a attribute conditionally
Hi All

I have a problem with my Cisco 7301s where I apply an address pool via a Cisco-AVPair (for each wholesale ISP customer) and the wholesale ISP supplies a Framed-IP-Address at the same time; the connection is kicked by the Cisco.

Is there any way of adding or removing the ip_pool based on a rule?

Could Freeradius 2 do this?

Thanks
Mike

--- Current Attrs File

.com
        Service-Type == Framed-User,
        Framed-IP-Address =* 255.255.255.254,
        Framed-IP-Netmask == 255.255.255.255,
        Framed-Route =* ANY,
        Cisco-AVPair := ip:addr-pool=ip_pool_netyp,
        Framed-Compression =* Van-Jacobson-TCP-IP,
        Framed-Protocol == PPP,
        Framed-MTU =* 1492,
        Framed-Filter-ID =* ANY,
        Cisco-AVPair =* ANY,
        Reply-Message =* ANY,
        Proxy-State =* ANY,
        Idle-Timeout =* 600,
        Session-Timeout =* 28800,
        Port-Limit =* 1

--- Reply without framed-ip-address

Packet-Type = Access-Accept
Wed Oct 31 19:55:36 2007
        Cisco-AVPair := ip:addr-pool=ip_pool_netyp
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP
        Session-Timeout = 14400
        Idle-Timeout = 900
        Port-Limit = 1

--- Reply with framed-ip-address

Packet-Type = Access-Accept
Wed Oct 31 19:55:36 2007
        Cisco-AVPair := ip:addr-pool=ip_pool_netyp
        Service-Type = Framed-User
        Framed-IP-Address = XXX.XXX.11.247
        Framed-IP-Netmask = 255.255.255.255
        Framed-Protocol = PPP
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP
        Session-Timeout = 14400
        Idle-Timeout = 900
        Port-Limit = 1
Re: Post-Proxy attr_filter on Access-Accept Packets only
Hi Alan

> Do you see it in the response packet? Or in debug mode? Or both?

Yes, with verbose turned on in radclient you see the extra value pair printed on the screen.

> CVS head has this fixed. You can run separate pre/post proxy sections for authentication and for accounting.

Ok, so when version 2 is released this issue will go away.

Mike
Post-Proxy attr_filter on Access-Accept Packets only
Hi Guys

How do I only add a radius attribute via attr_filter on Access-Accept packets? My current config is adding the attribute on accounting reply packets also.

Thanks
Mike
Re: rlm_Python - PyExc_IOError
Hi All

I have looked at this problem and I can not see how to fix it.

How much is it going to cost me to have someone login to a virtual machine I'll setup and fix this issue ASAP ?

The fix would need to be done in such a way that the standard Debian build scripts would be used and the patch sent back to the project. I'd like the patch for both 1.1.x and for current head.

If someone is interested please contact me privately.

Thanks
Mike

Alan DeKok wrote:
> Mike O'Connor wrote:
> > I decided to try freeradius-2.0.0-pre2 and it gives a much clearer idea of the problem. The issue seems to be that the rlm_python module is having trouble loading dynamic code.
>
> I suspect it's a shared library problem. The time.so library depends on another one that contains PyExc_IOError. However, that dependency is NOT recorded in time.so. That dependency is also NOT built into FreeRADIUS (or rlm_python), as it has no idea which Python library depends on which other Python library.
>
> I suggest finding out which library contains that symbol, and then re-building rlm_python to link to that library.
>
> Alan DeKok.
Re: rlm_Python - PyExc_IOError
Hi Alan

You are correct about it being an issue with time.so, because I just removed this module from my test code and added the module random instead and the freeradius loaded.

Mike

Alan DeKok wrote:
> Mike O'Connor wrote:
> > I decided to try freeradius-2.0.0-pre2 and it gives a much clearer idea of the problem. The issue seems to be that the rlm_python module is having trouble loading dynamic code.
>
> I suspect it's a shared library problem. The time.so library depends on another one that contains PyExc_IOError. However, that dependency is NOT recorded in time.so. That dependency is also NOT built into FreeRADIUS (or rlm_python), as it has no idea which Python library depends on which other Python library.
>
> I suggest finding out which library contains that symbol, and then re-building rlm_python to link to that library.
>
> Alan DeKok.
Re: rlm_Python - PyExc_IOError
Hi All

I'm happy to say I have fixed this issue. I'm not totally happy with the way I did it because it would not be portable if python was installed in a different location. If someone with a little more knowledge could add this correctly that would be great.

#
# $Id: Makefile.in,v 1.2.10.1 2006/02/10 19:47:17 nbk Exp $
#

TARGET = @targetname@
SRCS = rlm_python.c
HEADERS= /usr/include/python2.4/pyerrors.h
RLM_LIBS = @python_ldflags@
RLM_CFLAGS = @python_cflags@

include ../rules.mak

$(LT_OBJS): $(HEADERS)

Mike

Mike O'Connor wrote:
> Hi All
>
> I have looked at this problem and I can not see how to fix it.
>
> How much is it going to cost me to have someone login to a virtual machine I'll setup and fix this issue ASAP ?
>
> The fix would need to be done in such a way that the standard Debian build scripts would be used and the patch sent back to the project. I'd like the patch for both 1.1.x and for current head.
>
> If someone is interested please contact me privately.
>
> Thanks
> Mike
>
> Alan DeKok wrote:
> > Mike O'Connor wrote:
> > > I decided to try freeradius-2.0.0-pre2 and it gives a much clearer idea of the problem. The issue seems to be that the rlm_python module is having trouble loading dynamic code.
> >
> > I suspect it's a shared library problem. The time.so library depends on another one that contains PyExc_IOError. However, that dependency is NOT recorded in time.so. That dependency is also NOT built into FreeRADIUS (or rlm_python), as it has no idea which Python library depends on which other Python library.
> >
> > I suggest finding out which library contains that symbol, and then re-building rlm_python to link to that library.
> >
> > Alan DeKok.
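The check suggested in the quoted reply above (find which library contains the symbol, and whether that dependency is recorded) can be scripted. This is an added example, not part of the thread: it works on the text printed by `nm -D` for each file and on each file's list of NEEDED libraries, and the listings and NEEDED list below are constructed samples, not output from the poster's machine.

```python
# nm symbol-type letters that mean "defined here and exported".
DEFINED_TYPES = set("TDBRWVGSA")


def parse_nm(text):
    """Split `nm -D` output into (defined, undefined) symbol-name sets."""
    defined, undefined = set(), set()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        name = fields[-1].split("@")[0]       # strip @VERSION suffixes
        if len(fields) == 2 and fields[0] == "U":
            undefined.add(name)               # undefined rows have no address
        elif len(fields) == 3 and fields[1] in DEFINED_TYPES:
            defined.add(name)
    return defined, undefined


def unrecorded_dependencies(module, nm_output, needed):
    """Map each undefined symbol of `module` that none of its recorded
    NEEDED libraries defines to the scanned libraries that do define it."""
    symbols = {lib: parse_nm(text) for lib, text in nm_output.items()}
    recorded = set(needed.get(module, []))
    report = {}
    for sym in sorted(symbols[module][1]):
        providers = sorted(lib for lib, (defs, _) in symbols.items()
                           if lib != module and sym in defs)
        if not recorded.intersection(providers):
            report[sym] = providers           # [] means: found nowhere scanned
    return report


# Constructed `nm -D` listings (addresses are made up).
NM_OUTPUT = {
    "time.so": (
        "         U PyArg_ParseTuple\n"
        "         U PyExc_IOError\n"
        "         U gettimeofday\n"
        "00001a90 T inittime\n"
    ),
    "libpython2.4.so.1.0": (
        "0005c2e0 T PyArg_ParseTuple\n"
        "00131c84 B PyExc_IOError\n"
    ),
    "libc.so.6": "0009a1c0 W gettimeofday@@GLIBC_2.0\n",
}
# Constructed NEEDED list for time.so: the Python library is not recorded.
NEEDED = {"time.so": ["libm.so.6", "libc.so.6"]}

if __name__ == "__main__":
    for sym, libs in unrecorded_dependencies("time.so", NM_OUTPUT, NEEDED).items():
        print("%s: defined in %s, not recorded as a dependency"
              % (sym, ", ".join(libs) or "no scanned library"))
```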
rlm_Python - PyExc_IOError
Hi Guys

Got a problem with rlm_python using 1.1.7 on Debian etch with no changes to source other than to move rlm_python in to the stable modules file.

The module is in the path and an strace shows the file being found.

rlm_python:python_load_function: module 'radiusd_test' is not found
rlm_python:EXCEPT:exceptions.ImportError: /usr/lib/python2.4/lib-dynload/time.so: undefined symbol: PyExc_IOError
rlm_python:python_load_function: failed to import python function 'radiusd_test.instantiate'
radiusd.conf[1]: python: Module instantiation failed.

Any idea would be great

Thanks
Mike

--- File is found and loaded
open(/usr/lib/python2.4/site-packages/radiusd_test.py, O_RDONLY|O_LARGEFILE) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=497, ...}) = 0
open(/usr/lib/python2.4/site-packages/radiusd_test.pyc, O_RDONLY|O_LARGEFILE) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=1408, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7b67000
read(6, m\362\r\n[EMAIL PROTECTED]..., 4096) = 1408
fstat64(6, {st_mode=S_IFREG|0644, st_size=1408, ...}) = 0
read(6, , 4096) = 0
close(6)= 0
munmap(0xb7b67000, 4096) = 0
stat64(/usr/lib/python24.zip/time, 0xbfa8422c) = -1 ENOENT (No such file or directory)
open(/usr/lib/python24.zip/time.so, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python24.zip/timemodule.so, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python24.zip/time.py, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python24.zip/time.pyc, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
stat64(/usr/lib/python2.4/time, 0xbfa8422c) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/time.so, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/timemodule.so, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/time.py, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/time.pyc, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
stat64(/usr/lib/python2.4/plat-linux2/time, 0xbfa8422c) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/plat-linux2/time.so, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/plat-linux2/timemodule.so, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/plat-linux2/time.py, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/plat-linux2/time.pyc, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
stat64(/usr/lib/python2.4/lib-tk/time, 0xbfa8422c) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/lib-tk/time.so, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/lib-tk/timemodule.so, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/lib-tk/time.py, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/lib-tk/time.pyc, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
stat64(/usr/lib/python2.4/lib-dynload/time, 0xbfa8422c) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/lib-dynload/time.so, O_RDONLY|O_LARGEFILE) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=15860, ...}) = 0
open(/usr/lib/python2.4/lib-dynload/time.so, O_RDONLY) = 7
read(7, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\22\0..., 512) = 512
fstat64(7, {st_mode=S_IFREG|0644, st_size=15860, ...}) = 0
mmap2(NULL, 19072, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0xb79a6000
mmap2(0xb79a9000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x2) = 0xb79a9000
close(7)= 0
munmap(0xb79a6000, 19072) = 0
close(6)= 0
close(5)= 0
futex(0x8010a620, FUTEX_WAKE, 1)= 0
time(NULL) = 1191313703
write(1, rlm_python:python_load_function:..., 68rlm_python:python_load_function: module 'radiusd_test' is not found
) = 68
futex(0x801083f8, FUTEX_WAKE, 1)= 0
time(NULL) = 1191313703
write(1, rlm_python:EXCEPT:exceptions.Imp..., 114rlm_python:EXCEPT:exceptions.ImportError: /usr/lib/python2.4/lib-dynload/time.so: undefined symbol: PyExc_IOError
) = 114
futex(0x801083f8, FUTEX_WAKE, 1)= 0
time(NULL) = 1191313703
write(1, rlm_python:python_load_function:..., 93rlm_python:python_load_function: failed to import python function 'radiusd_test.instantiate'
) = 93
futex(0x801083f8, FUTEX_WAKE, 1)= 0
futex(0x801083f8, FUTEX_WAKE, 1)= 0
futex(0x801083f8, FUTEX_WAKE, 1)= 0
time(NULL) = 1191313703
write(1, radiusd.conf[1]: python: Module ...,
Re: rlm_Python - PyExc_IOError
Hi Alan

> Is radiusd.py in the path?

Yep in the same place as my own code /usr/lib/python2.4/site-packages/

Strace never shows that file being requested for loading.

Mike
Re: rlm_Python - PyExc_IOError
Hi Guys

I decided to try freeradius-2.0.0-pre2 and it gives a much clearer idea of the problem. The issue seems to be that the rlm_python module is having trouble loading dynamic code.

Mike

write(1, exceptions.ImportError: /usr/lib..., 97exceptions.ImportError: /usr/lib/python2.4/lib-dynload/time.so: undefined symbol: PyExc_IOError
) = 97
write(1, Failed to import python module \..., 47Failed to import python module radiusd_test
) = 47
write(1, /etc/freeradius/rlmpython.conf[1..., 76/etc/freeradius/rlmpython.conf[1]: Instantiation failed for module python
) = 76
write(1, /etc/freeradius/sites-enabled/de..., 76/etc/freeradius/sites-enabled/default[126]: Failed to find module python.
) = 76
write(1, /etc/freeradius/sites-enabled/de..., 79/etc/freeradius/sites-enabled/default[35]: Failed to parse authorize section.
) = 79
write(1, }\n, 3 }
) = 3
write(1, }\n, 2}
) = 2
write(1, Errors setting up modules\n, 26Errors setting up modules
) = 26
exit_group(1) = ?
Process 1212 detached
rlm_perl/rlm_python adding extra value pairs
Hi All

I wish to add some extra value pairs to accounting packets which are being proxied to other radius servers.

If in the 'preacct' or the 'accounting' stage I was to add using rlm_python or rlm_perl value pairs would they be sent through to the other radius servers ?

Thanks
Mike
grouping rlm_ippool's
Hi

Some time ago there was a question about rlm_ippool and if it was possible to group them ie

ippool main_pool_1 {}
ippool main_pool_2 {}

accounting {
    group main_pool {
        main_pool_1
        main_pool_2
    }
    sql
}

post-auth {
    group main_pool {
        main_pool_1
        main_pool_2
    }
}

I have done some testing and it does not seem to work. (using freeradius-1.0.5)

Does anyone have any idea of how this could be made to work and/or have I not got this configuration correct.

Thanks
Mike
Regx Question
Hi All

I have the following in the users and acct_users files

DEFAULT Called-Station-Id == 0198334115, Proxy-To-Realm := .com

I would like to match on 198334115 with a possibility of about 4 to 6 more numbers on the front of this number.

I have tried a number of different regx's but none of them have worked so I must have something wrong :)

Any ideas would be great.

Thanks
Mike
Re: Regx Question
Thanks Alan

> Reading the man page for the users file would help, too. You're not doing regular expression matching at all.
>
> DEFAULT Called-Station-Id =~ 198334115$, Proxy-To-Realm := .com

I did not give any examples of what I had tried which I suppose I should have. Below are some of my attempts

#DEFAULT Called-Station-Id == 198407112$, Proxy-To-Realm := .au
#DEFAULT Called-Station-Id == *128407112$, Proxy-To-Realm := .au
#DEFAULT Called-Station-Id == ^[0-9]*128407112$, Proxy-To-Realm := .au

None of the above worked, even though the exact number did.

Cheers
Mike
Re: Regx Question
Mike Mitchell wrote:
> Yes, but you missed one important little detail... use =~ not ==

Hi Mike, Alan

Did read the manual just did not see that one :( I'll go check that out now

Cheers
Mike
Re: 8e6 technologies and radius
Terry J Fike Jr wrote:
> They use the Class attribute to tell their box what users are being filtered and how (which filtering ruleset). but it means that either the nas device has to send the data to it, or i can radrelay it to the 8e6 box (which is what i'm using for testing at the moment). it also has the ability (i think) to receive data like an accounting server and then forward it to the actual accounting server.
>
> how do i modify the Access-Accept to send it to the NAS so it can add this attribute in the accounting packet? I don't remember seeing anything like that in the readmes or comments in the conf files? (not to say i couldn't be blind and have totally missed it though)

Hi Terry

I have been using the 8e6 box for about 1 1/2 with freeradius, both on the r2000 and then on the r3000, please find an example of how to use radius to update the 8e6 unit.

I would never use the 8e6 box in relay mode because it adds one more way for the network to break.

Example of a command line usage of the 8e6 box

radius1:/tmp# cat attribs
User-Name=User97
Acct-Status-Type=Start
Class=xstop: Rule1, http://www.localnet/blocked/;
Framed-IP-Address=192.168.1.35

/usr/bin/radclient -d /usr/share/freeradius/ -f /tmp/attribs filter.localnet:1813 acct password

I can not remember if I needed to edit the dictionaries to make this all work.

I have written scripts which use the acct_users system to send a filter rule to the 8e6 box each time I receive a Start, Alive and Stop.

Cheers
Mike
Re: rlm_ippool - not releasing ip addresses
Hi Paul

Thanks for your email. I sat down this weekend and wrote the same type of tool.

I find all the ip addresses which have been left active, read out of the radacct database a closed record for each ip address. Then use radclient to send a radacct stop record for each ip address but change the nas port to the one reported by rlm_ippool_tool.

You mention that the problem only happened if there is not enough ip for the total ports. If I have understood you correctly, I have to disagree. For this site we have 25 ports and 30 ip's.

Thanks
Mike

Paul Hampson wrote:
> On Sat, Nov 20, 2004 at 10:51:32AM +1030, Mike O'Connor wrote:
> > Thanks for your comments, I used your suggestion as a basis and have found that the accounting stop records do not always have the same port id. This means it does not match correctly and does not release the port.
> >
> > I do not see any way of fixing this from the nas end, so I plan to write some software which checks if a port has been released (using the Alive and Stop records) and then sends an Acct Stop record with the correct port details.
>
> In most cases this won't be a problem, as a new ippool call with a port number rlm_ipaddr thinks is still in use should free the IP address up, so it can later be reallocated.
>
> It's a problem if you have more ports than IP addresses. ^_^ (As I do here. _)
>
> I tried using radkill, but that was more trouble than worth, as the radutmp file was getting boned for entirely different reasons.
>
> I have some scripts here which will process a ip pool file (using rlm_ippool_tool) against radwho or a radacct table, which I used to clean out rlm_ippool's data every so often. The problem is that any non-FreeRADIUS modification of the database needs to be done while FreeRADIUS is stopped.
>
> I'd love to improve rlm_ippool_tool, but if I ever work on it again, it'll be to SQLise rlm_ippool instead, (as I believe someone has done and posted a patch to the list), as part of my heartfelt desire to turn FreeRADIUS into some kind of unusual SQL database frontend. ^_^
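The clean-up described in the message above (find leases still marked active, take a closed radacct record for each address, and send a Stop carrying the port the pool recorded) looks roughly like this. It is an added sketch, not the poster's tool: the lease and radacct field names are assumptions, the sample rows are constructed, and the output is text in the attribute-list format that radclient reads with -f, as in the 8e6 example elsewhere on this page.

```python
def stale_leases(leases, radacct):
    """Pair each active lease with its most recent closed session, skipping
    any address that still has an open session (the user is online)."""
    sessions = {}
    for row in radacct:
        sessions.setdefault((row["nas_ip"], row["framed_ip"]), []).append(row)
    result = []
    for lease in leases:
        if not lease["active"]:
            continue
        rows = sessions.get((lease["nas_ip"], lease["ip"]), [])
        if not rows or any(r["stop_time"] is None for r in rows):
            continue  # no accounting history, or still connected: leave alone
        # Timestamps are "YYYY-MM-DD HH:MM:SS" strings, so max() is newest.
        result.append((lease, max(rows, key=lambda r: r["stop_time"])))
    return result


def quoted(value):
    """Quote a string attribute value for a radclient attribute list."""
    return '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')


def stop_request(lease, row):
    """Build one Accounting Stop using the port the pool recorded, not the
    port from the original Stop, so the lease lookup by NAS and port matches."""
    attrs = [
        ("User-Name", quoted(row["username"])),
        ("Acct-Status-Type", "Stop"),
        ("Acct-Session-Id", quoted(row["session_id"])),
        ("NAS-IP-Address", lease["nas_ip"]),
        ("NAS-Port", str(lease["port"])),
        ("Framed-IP-Address", lease["ip"]),
    ]
    return "\n".join("%s = %s" % pair for pair in attrs)


def radclient_input(leases, radacct):
    """All Stop requests, separated by blank lines (one packet each)."""
    packets = [stop_request(l, r) for l, r in stale_leases(leases, radacct)]
    return "\n\n".join(packets) + ("\n" if packets else "")


# Constructed sample data (documentation addresses, made-up sessions).
LEASES = [
    {"nas_ip": "192.0.2.1", "port": 152, "ip": "198.51.100.5", "active": True},
    {"nas_ip": "192.0.2.1", "port": 308, "ip": "198.51.100.6", "active": True},
    {"nas_ip": "192.0.2.1", "port": 17, "ip": "198.51.100.7", "active": False},
]
RADACCT = [
    {"username": "user97", "session_id": "001E64D7", "nas_ip": "192.0.2.1",
     "nas_port": 147, "framed_ip": "198.51.100.5",
     "stop_time": "2004-11-20 09:14:02"},
    {"username": "user98", "session_id": "001E651E", "nas_ip": "192.0.2.1",
     "nas_port": 308, "framed_ip": "198.51.100.6", "stop_time": None},
]

if __name__ == "__main__":
    print(radclient_input(LEASES, RADACCT), end="")
```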
Re: rlm_ippool - not releasing ip addresses
Hi Alan

Thanks for your comments, I used your suggestion as a basis and have found that the accounting stop records do not always have the same port id. This means it does not match correctly and does not release the port.

I do not see any way of fixing this from the nas end, so I plan to write some software which checks if a port has been released (using the Alive and Stop records) and then sends an Acct Stop record with the correct port details.

If anyone has a better idea please email the list.

Thanks
Mike

Alan DeKok wrote:
> Mike O'Connor [EMAIL PROTECTED] wrote:
> > There are 30 addresses in the pool and at this time 13 of these are listed as active but the radacct records show that the users using these addresses have logged off.
>
> Maybe the ippool module isn't getting the information it needs to release the address. Run the server in debugging mode to see.
>
> Or, look at the detail file for sessions where the address isn't released. Run a test server in debugging mode, and send copies of those packets to the server, and see what the ippool module does.
>
> Alan DeKok.
rlm_ippool - not releasing ip addresses
Hi All

I have an issue with freeradius 1.0.1 not releasing some ip addresses back to the non active pool.

There are 30 addresses in the pool and at this time 13 of these are listed as active but the radacct records show that the users using these addresses have logged off.

The rlm_ippool_tool has an option '-r' which I thought would fix this but it removed the ip address from the database instead.

Any help with this would be greatly appreciated

Thanks
Mike
Re: rlm_ippool_tool option 'r' removes ip address from pool
Hi All

I have had a look through the source code for this program and can not see why it would be deleting these records instead of just releasing them.

Could someone who is a little more experienced with the source code have a look at this and give me an idea of what's going on ?

Thanks
Mike

Mike O'Connor wrote:
> Hi All
>
> Using Freeradius 1.0.1
>
> I wrote a program to keep my ippool in line with the online list, this used the rlm_ippool_tool to set an ip address as inactive when there was a problem.
>
> After reading the rlm_ippool_tool options I decided that the option '-r: remove active entries' was the one to use. Problem is it does not seem to be the correct one because instead of just setting the ip address as inactive it removes it altogether.
>
> Does this seem to be correct ? if so what method should I be using ?
>
> Thanks
> Mike
rlm_ippool_tool option 'r' removes ip address from pool
Hi All

Using Freeradius 1.0.1

I wrote a program to keep my ippool in line with the online list, this used the rlm_ippool_tool to set an ip address as inactive when there was a problem.

After reading the rlm_ippool_tool options I decided that the option '-r: remove active entries' was the one to use. Problem is it does not seem to be the correct one because instead of just setting the ip address as inactive it removes it altogether.

Does this seem to be correct ? if so what method should I be using ?

Thanks
Mike
acct_users - Exec-Program not working
Hi All

I have been using freeradius 0.9.3 for a long time and the acct_users file below has always worked well (did have a problem where it would just stop running the script sometimes)

I upgraded to 1.0.1 because I was having trouble with the ippool code not sending a Framed-IP-Address every time. (This seems to be fixed in this version)

But now I'm having a problem where my script never gets run, even though the log below shows it being run.

All the file permissions are set with ownership by the freeradius user.

Any ideas would be great.

Thanks
Mike

acct_user ---
#
# $Id: acct_users,v 1.3.4.1 2003/08/26 17:41:48 phampson Exp $
#
# This is like the 'users' file, but it is processed only for
# accounting packets.
#
DEFAULT Acct-Status-Type == Start
    Exec-Program = /usr/sbin/set_filter.php
#   Exec-Program = /usr/bin/php4 -q /usr/sbin/set_filter.php
#
DEFAULT Acct-Status-Type == Stop
    Exec-Program = /usr/sbin/set_filter.php
#
#DEFAULT Acct-Status-Type == Alive
#   Exec-Program = printenv /tmp/alive-env.dump
#
# For information on how the attributes from the request are passed
# to the program, see 'doc/variables.txt'
#

-- Exec-Program Running (maybe) ---
rlm_sql (sql): Reserving sql socket id: 10
rlm_sql_postgresql: query: UPDATE radacct
    SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '701',
    AcctInputOctets = (('0'::bigint 32) + '183922'::bigint),
    AcctOutputOctets = (('0'::bigint 32) + '755249'::bigint),
    AcctTerminateCause = 'User-Request', AcctStopDelay = '0',
    FramedIPAddress = NULLIF('202.xx.xx.xx', '')::inet, ConnectInfo_stop = ''
    WHERE AcctSessionId = '001E64D7' AND UserName = 'gcrispin'
    AND NASIPAddress = '202.xx.xx.xx' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: affected rows = 1
rlm_sql (sql): Released sql socket id: 10
rlm_ippool: Searching for an entry for nas/port: 202.xx.xx.xx/152
rlm_ippool: Deallocated entry for ip/port: 202.xx.xx.xx/152
rlm_ippool: num: 0
Exec-Program: /usr/sbin/set_filter.php
Sending Accounting-Response of id 110 to 202.xx.xx.xx:39753

-- Exec-Program Running with -xx --
radius_xlat: '/tmp/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 31
rlm_sql_postgresql: query: UPDATE radacct
    SET AcctStopTime = (now() - '0'::interval), AcctSessionTime = '48',
    AcctInputOctets = (('0'::bigint 32) + '16176'::bigint),
    AcctOutputOctets = (('0'::bigint 32) + '45690'::bigint),
    AcctTerminateCause = 'User-Request', AcctStopDelay = '0',
    FramedIPAddress = NULLIF('202.xx.xx.xx', '')::inet, ConnectInfo_stop = ''
    WHERE AcctSessionId = '001E651E' AND UserName = 'matt'
    AND NASIPAddress = '202.xx.xx.xx' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: affected rows = 1
rlm_sql (sql): Released sql socket id: 31
modcall[accounting]: module sql returns ok for request 0
rlm_ippool: Searching for an entry for nas/port: 202.xx.xx.xx/308
rlm_ippool: Deallocated entry for ip/port: 202.xx.xx.xx/308
rlm_ippool: num: 0
modcall[accounting]: module main_pool returns ok for request 0
modcall: group accounting returns ok for request 0
radius_xlat: '/usr/sbin/set_filter.php'
Exec-Program: /usr/sbin/set_filter.php
Sending Accounting-Response of id 116 to 202.xx.xx.xx:39753