Re: Selective Update of User-Name

2009-08-28 Thread Mike O'Connor
Hi All

So after a little playing this is how I got it to work.

We wrote a python program which set the Proxy-To-Realm as a control item
in the return. Then wrote some unlang code for authorize and preacct
which uses this to selectively rewrite the username so that it has a realm.

I have another question about unlang I'll ask in a new email

Cheers
Mike


Mike O'Connor wrote:
 Hi Guys

 This email tries to ask my question in a different way, to last time.

 I need to Rewrite the User-Name of individual accounts to add a realm,
 this would need to be reliable up to at least 1 users.

 Does anyone have any ideas on how this might be done, in a way that can
 be updated without restarting Freeradius ?

 We do have some python code running in this proxy which might be able to
 help.

 Thanks
 Mike O'Connor


 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
   



unlang: matching for 'Access-Accept'

2009-08-28 Thread Mike O'Connor
Hi Guys

How would I match for the packet type, i.e. 'Access-Accept', in unlang?

Mike


Re: unlang: matching for 'Access-Accept'

2009-08-28 Thread Mike O'Connor
Ivan Kalik wrote:
 How would I match for the packet type, i.e. 'Access-Accept', in unlang?
 

 Answers to questions like this can be found by examining
 dictionary.freeradius.internal. These attributes are mostly on control
 list. So it should be:

 if(control:Packet-Type == Access-Accept) {
 ...

 Ivan Kalik
 Kalik Informatika ISP

   
Hi Ivan

Did not know that this information was available there. Thanks.

There does seem to be a problem, the %control:Packet-Type does not seem
to expand to a value.

rad_recv: Access-Accept packet from host 118.67.xxx.xxx port 1812,
id=10, length=25
Proxy-State = 0x313534
+- entering group post-proxy {...}

++? if (control:Packet-Type == Access-Accept)
expand: %{control:Packet-Type} -
? Evaluating (control:Packet-Type == Access-Accept) - FALSE
++? if (control:Packet-Type == Access-Accept) - FALSE
.

Could version 2.1.4 have a bug in this area ?

Mike


Re: Proxy-To-Realm and Users File

2009-08-27 Thread Mike O'Connor
Alexander Clouter wrote:
 Mike O'Connor freerad...@pineview.net wrote:
   
 Using freeradius 2.1.4 the following works if I use the hints file.

 DEFAULT  Called-Station-Id == splns357
User-Name := %{user-na...@mb.webshield.net.au

 The user is proxied to the correct server and the user is correctly set.

 I now need to proxy based on the User-Name which in this case will
 always be a telephone number (Mobile Broadband SIM's)

 I had added the following to the users file (which I hope to change to
 the fast users later)

 61466004163    Proxy-To-Realm := mb.webshield.net.au
  User-Name := %{user-na...@mb.webshield.net.au

 This proxies the user to the next server but does not rewrite the
 username, I've also tried a couple of others in this file but none seem
 to work.

 
 I ran into this too, I think I got the impression that after you call 
 'suffix' things are set in stone and User-Name/Realm is read-only (in 
 the 'request' set of valuepairs); which is fair enough[1].  If you do 
 rewrite 'proxy-request:User-Name' you probably will find things work as 
 you expect.

 Cheers

 [1] later on when mangling other things, you appreciate that mangling the 
   original User-Name/Realm was a Bad Idea(tm) and besides what's 
   the point in calling 'suffix' also :)

   
I have to be able to do this rewrite in a dynamic way because I'm
forwarding wholesale services which do not have a realm.

I've been reading the source code and cannot find anything which would
indicate a locking in the rlm_preprocess.

Any other ideas out there for this problem ?

Mike

Does anyone know how I could affect thing


Selective Update of User-Name

2009-08-27 Thread Mike O'Connor
Hi Guys

This email tries to ask my question in a different way, to last time.

I need to Rewrite the User-Name of individual accounts to add a realm,
this would need to be reliable up to at least 1 users.

Does anyone have any ideas on how this might be done, in a way that can
be updated without restarting Freeradius ?

We do have some python code running in this proxy which might be able to
help.

Thanks
Mike O'Connor




Re: Selective Update of User-Name

2009-08-27 Thread Mike O'Connor
John Morrissey wrote:
 On Thu, Aug 27, 2009 at 10:57:47PM +0930, Mike O'Connor wrote:
   
 I need to Rewrite the User-Name of individual accounts to add a realm,
 this would need to be reliable up to at least 1 users.

 Does anyone have any ideas on how this might be done, in a way that can
 be updated without restarting Freeradius ?

 We do have some python code running in this proxy which might be able to
 help.
 

 We're doing this with rlm_perl's authorize(). We change the values in
 %RAD_REQUEST and return RLM_MODULE_UPDATED in the handler. I would think
 rlm_python would be similar.

 If you need to change the list of users on the fly (is that what you mean by
 with out restarting Freeradius?), you could put your list of users into
 something like a Berkeley DB file and have the authorize handler check there
 for the username to determine whether to add the realm.

 john
   
Hi John

Thanks for your comments, I now see why the modules rlm_files and
rlm_fastusers do not adjust the username, they only return
RLM_MODULE_OK, whereas rlm_preprocess returns RLM_MODULE_UPDATED.

This piece of information will allow a python module to be written.

Mike
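
One way to combine the suggestion above (a database file consulted from the authorize handler) with the approach in the follow-up at the top of this page, where the Python module sets Proxy-To-Realm as a control item and unlang does the rewrite. This is an added example, not code from any poster: the file path, helper names and validation patterns are assumptions, and Python's dbm module stands in for a Berkeley DB file.

```python
import dbm
import os
import re
import tempfile

# Return codes, assumed to match the radiusd.py constants shipped with rlm_python.
RLM_MODULE_NOOP = 7
RLM_MODULE_UPDATED = 8

# Hypothetical location of the map; any path the radiusd user can read will do.
REALM_DB = os.path.join(tempfile.gettempdir(), "realm_map_example")

# Assumed policy: realm-less names are telephone numbers (as in the thread) and
# a realm is a plain DNS-style name. Anything else is never rewritten, so a
# padded or malformed User-Name cannot be steered to another home server.
USER_RE = re.compile(r"[0-9]{6,15}")
REALM_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def set_realm(user, realm, path=REALM_DB):
    """Add or change one mapping; meant for an admin tool while radiusd is up."""
    if not USER_RE.fullmatch(user) or not REALM_RE.fullmatch(realm):
        raise ValueError("refusing to store malformed user or realm")
    with dbm.open(path, "c") as db:
        db[user.encode("ascii")] = realm.encode("ascii")


def lookup_realm(user, path=REALM_DB):
    """Open the file on every request so edits are seen without a restart."""
    try:
        with dbm.open(path, "r") as db:
            realm = db[user.encode("ascii")].decode("ascii")
    except dbm.error:
        return None          # file missing, unreadable or locked by a writer
    except (KeyError, UnicodeError):
        return None          # no entry for this user, or a corrupt value
    # Re-validate on the way out: the file may have been edited by other means.
    return realm if REALM_RE.fullmatch(realm) else None


def authorize(params, path=REALM_DB):
    """rlm_python-style handler; params is a tuple of (attribute, value) pairs."""
    user = dict(params).get("User-Name", "")
    if not USER_RE.fullmatch(user):
        return RLM_MODULE_NOOP       # already has a realm, or not a bare number
    realm = lookup_realm(user, path)
    if realm is None:
        return RLM_MODULE_NOOP
    # Empty reply tuple; the config tuple carries the control item that the
    # unlang in authorize/preacct can test before rewriting User-Name.
    return (RLM_MODULE_UPDATED, (), (("Proxy-To-Realm", realm),))
```

A User-Name with a leading space or any other non-digit fails USER_RE and is left untouched rather than matched loosely.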


Proxy-To-Realm and Users File

2009-08-26 Thread Mike O'Connor
Hi All

Using freeradius 2.1.4 the following works if I use the hints file.

DEFAULT  Called-Station-Id == splns357
User-Name := %{user-na...@mb.webshield.net.au

The user is proxied to the correct server and the user is correctly set.

I now need to proxy based on the User-Name which in this case will
always be a telephone number (Mobile Broadband SIM's)

I had added the following to the users file (which I hope to change to
the fast users later)

61466004163    Proxy-To-Realm := mb.webshield.net.au
  User-Name := %{user-na...@mb.webshield.net.au

This proxies the user to the next server but does not rewrite the
username, I've also tried a couple of others in this file but none seem
to work.


rad_recv: Access-Request packet from host 118.67.209.51 port 56036,
id=1, length=92
Framed-Protocol = PPP
User-Name = 61466004163
User-Password = password
Calling-Station-Id = 61466004163
Called-Station-Id = splns357
Service-Type = Framed-User
NAS-IP-Address = 118.67.208.51
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/radius/radacct/118.67.209.51/auth-detail-20090827
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/118.67.209.51/auth-detail-20090827
[auth_log] expand: %t - Thu Aug 27 09:40:24 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 61466004163, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry 61466004163 at line 1
[files] expand: %{user-na...@mb.webshield.net.au -
61466004...@mb.webshield.net.au
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
2009-08-27T09:40:24.327336: Verbose: RLM_PYTHON: handling Authorize
request...
++[python] returns ok
+- entering group pre-proxy {...}
[attr_filter.pre-proxy] expand: %{Realm} - mb.webshield.net.au
++[attr_filter.pre-proxy] returns noop
Sending Access-Request of id 250 to 118.67.209.21 port 1812
Framed-Protocol = PPP
User-Name = 61466004163
User-Password = password
Calling-Station-Id = 61466004163
Called-Station-Id = splns357
Service-Type = Framed-User
NAS-IP-Address = 118.67.208.51
Proxy-State = 0x31
Proxying request 0 to home server 118.67.209.21 port 1812
Sending Access-Request of id 250 to 118.67.209.21 port 1812
Framed-Protocol = PPP
User-Name = 61466004163
User-Password = password
Calling-Station-Id = 61466004163
Called-Station-Id = splns357
Service-Type = Framed-User
NAS-IP-Address = 118.67.208.51
Proxy-State = 0x31
Going to the next request
Waking up in 0.9 seconds.
Waking up in 13.0 seconds.
rad_recv: Access-Reject packet from host 118.67.209.21 port 1812,
id=250, length=23
Proxy-State = 0x31


Thanks All

Mike


Re: rlm_python example?

2009-04-01 Thread Mike O'Connor
Hi Hristo

Could you supply a quick example ?

It's always good to get a working example after a problem is resolved (even
if the person is resolved by the questioner)

Mike


Hristo Trendev wrote:
 The examples in src/modules/rlm_python gave me some hints and I
 figured it out. Thanks anyway.

 On Tue, Mar 31, 2009 at 3:43 PM, Hristo Trendev dist.li...@gmail.com wrote:
   
 I am trying to figure out how to properly setup freeradius with
 rlm_python. The module loads and scripts execute, but I seem to miss
 something when I try to return value pairs to be used in the reply
 packet (Access-Accept). I have tried with the following script:

 def authorize (params):
         print params
         return (0, ('Reply-Message', 'banned1'), ('Reply-Message', 'banned2'))

 and received (when I run with -X option):
 -snip-
 +- entering group authorize {...}
 rlm_python:authorize: tuple element 0 is not a tuple
 rlm_python:authorize: tuple element 1 is not a tuple
 rlm_python:authorize: tuple element 0 is not a tuple
 rlm_python:authorize: tuple element 1 is not a tuple
 ++[python] returns reject
 -snip-


 I have also tried changing it to:
 def authorize (params):
         print params
         return (0, ('Reply-Message', 'banned'))

 but then I get:
 -snip-
 +- entering group authorize {...}
 rlm_python:authorize: tuple must be (return, replyTuple, configTuple)
 ++[python] returns ??
 -snip-

 Can someone point me in the right direction? What is supposed to be
 passed in configTuple? How do I return multiple value pairs at? I was
 able to make it work with rlm_exec, but I'd like to use the python
 module instead.

 I am using freeradius on ubuntu 8.04. installed via apt-get from
 hardy-backports (2.1.0+dfsg-0ubuntu2~hardy1)

 BR,
 Hristo
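
Both error messages in the quoted post follow from the shape of the returned tuple. The sketch below is an added example, not code from the thread or from rlm_python: check_result is a hypothetical pure-Python model of the shape check inferred from the log lines above, and the return-code constants are assumed to match the radiusd.py file shipped with the module.

```python
# Return codes, assumed to match the radiusd.py constants shipped with rlm_python.
# Under that assumption the literal 0 in the quoted scripts is REJECT, which is
# consistent with the "++[python] returns reject" line in the first log.
RLM_MODULE_REJECT = 0
RLM_MODULE_OK = 2
RLM_MODULE_UPDATED = 8


def check_result(result):
    """Return the complaints a (return, replyTuple, configTuple) check would log.

    Only the two messages quoted in the thread are reproduced word for word;
    the "is not a tuple of pairs" wording is made up for this example.
    """
    if isinstance(result, int):
        return []   # a bare return code carries no attribute lists to check
    if not isinstance(result, tuple) or len(result) != 3:
        return ["tuple must be (return, replyTuple, configTuple)"]
    problems = []
    for name, pairs in (("replyTuple", result[1]), ("configTuple", result[2])):
        if pairs is None:
            continue
        if not isinstance(pairs, tuple):
            problems.append("%s is not a tuple of pairs" % name)
            continue
        for index, pair in enumerate(pairs):
            if not isinstance(pair, tuple):
                problems.append("tuple element %d is not a tuple" % index)
    return problems


def authorize(params):
    """Corrected form: each list is a tuple of (attribute, value) tuples."""
    reply = (("Reply-Message", "banned1"), ("Reply-Message", "banned2"))
    config = ()     # nothing to add to the control list
    return (RLM_MODULE_UPDATED, reply, config)


def authorize_single(params):
    """A single pair needs the trailing comma, or the outer tuple disappears."""
    return (RLM_MODULE_UPDATED, (("Reply-Message", "banned"),), ())
```

In the first quoted attempt the two ('Reply-Message', ...) pairs are themselves taken as replyTuple and configTuple, so each of their two strings is reported as "not a tuple", giving the four lines in the log.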

 


Re: OT: Implementing RSA's SecurID

2009-03-04 Thread Mike O'Connor
Greg Vickers wrote:
 Hi,

 (Apologies for an OT post) I was wondering if anyone knows of any user
 list that would contain a community of people who implement systems
 like RSA's SecurID?  The reason is that I am researching who else has
 implemented SecurID and am trying to find if there is another company
 or organisation who has implemented it in the way we wish to.

 Thanks,
Hi Greg

I suggest that you have a look at Yubico's YubiKey, one of the most
interesting authentication devices I have ever seen.

Note Freeradius is supported via PAM
http://code.google.com/p/yubico-pam/wiki/YubikeyAndRadiusViaPAM

Cheers
Mike


Re: Freeradius 2.04 + python + mysqldb python module on Debian 4.0

2008-05-20 Thread Mike O'Connor

Hi Jester

A few things.

1. I've never been able to get python to work correctly on a debian 
system, this is for both Sarge and Etch. We currently have to use Centos 
5 for our proxy radius systems which use python.


2. I do not believe that loading a mysql connection each time you 
received a radius packet is going to be a good idea. I would instead 
create a very small shim which calls a python daemon via a unix socket.


Cheers
Mike

[EMAIL PROTECTED] wrote:

From the subject, you can probably guess that it's just barely a Freeradius 
problem :)  Anyway...

Using the Build (http://wiki.freeradius.org/Build) instructions for Debian, i have 
compiled FreeRADIUS with python support.  I copied the example module configuration for 
python out of experimental.conf.  using the provided test script, the server runs fine. 
and any other simple script works until i try to import MySQLdb for python.  However, 
when you try to  import MySQLdb,  it blows it stops, and throws the following:

type 'exceptions.ImportError': /var/lib/python-support/python2.5/_mysql.so: undefined symbol: PyExc_ImportError 
Failed to import python module pyrad_auth 
/etc/freeradius/radiusd.conf[608]: Instantiation failed for module python

Errors initializing modules

Which, i think, means that it can't load the mysql module for some reason, and 
i don't know much else.  from the command prompt, i can execute the .py script 
that i am using.  In fact, it is the same script that works on a SuSE 10.1 
server that i have, so i think the script is not likely to be the problem.

Any pointers/hints/need more info?  Much appreciated.

--Jester Purtteman


Re: Failed Auth using users file (sometimes)

2008-04-24 Thread Mike O'Connor

Hi Ivan

Thanks for your response, my question why would it not work then just 
work, no changes other than a restart between the two.


It's running freeradius 1.1.7

Mike

Mike


Ivan Kalik wrote:

   rlm_realm: Looking up realm xxx.com for User-Name =
[EMAIL PROTECTED]
   rlm_realm: Found realm xxx.com
   rlm_realm: Proxying request from user nyp2inter to realm xxx.com
   rlm_realm: Adding Realm = xxx.com
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 1647
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 1647
 modcall[authorize]: module files returns notfound for request 1647



  

   rlm_realm: Looking up realm xxx.com for User-Name =
[EMAIL PROTECTED]
   rlm_realm: Found realm xxx.com
   rlm_realm: Adding Stripped-User-Name = nyp2inter
   rlm_realm: Proxying request from user nyp2inter to realm xxx.com
   rlm_realm: Adding Realm = xxx.com
   rlm_realm: Preparing to proxy authentication request to realm xxx.com
 modcall[authorize]: module suffix returns updated for request 1675
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 1675
   users: Matched entry nyp2inter at line 18
 modcall[authorize]: module files returns ok for request 1675



First debug doesn't strip the realm so there is no match in users file.

Ivan Kalik
Kalik Informatika ISP



Failed Auth using users file (sometimes)

2008-04-23 Thread Mike O'Connor

Hi Guys

I have an account which I want to auth locally on our 2 proxy radius 
machines.


The problem is that sometimes the connection authenticates and other 
times it does not, there are warnings in the logs below so I'm sure I 
have something wrong. But I cannot work out what I should be doing instead.


Also how would I create a feature which would temporarily authenticate 
all users for a realm as allowed ?


The user file entry is

nyp2inter   Realm == 'xxx.com', User-Password == 'xxx', 
Proxy-To-Realm := LOCAL

   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = xxx.xx.216.40,
   Framed-IP-Netmask = 255.255.255.255,
   Framed-Route = xxx.xx.10.128/25 0.0.0.0 1,
   Framed-MTU = 1492,
   Framed-Compression = Van-Jacobsen-TCP-IP



Failed Auth:

rad_recv: Access-Request packet from host xxx.xx.208.165:1645, id=155, 
length=106

   Framed-Protocol = PPP
   User-Name = [EMAIL PROTECTED]
   User-Password = xxx
   NAS-Port-Type = Virtual
   NAS-Port = 328
   Calling-Station-Id = sfy713300200187
   Service-Type = Framed-User
   NAS-IP-Address = xxx.xx.208.165
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1647
 modcall[authorize]: module preprocess returns ok for request 1647
radius_xlat:  '/var/log/radius/radacct/xxx.xx.208.165/auth-detail-20080424'
rlm_detail: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands 
to /var/log/radius/radacct/xxx.xx.208.165/auth

-detail-20080424
 modcall[authorize]: module auth_log returns ok for request 1647
 modcall[authorize]: module attr_filter returns noop for request 1647
 modcall[authorize]: module chap returns noop for request 1647
 modcall[authorize]: module mschap returns noop for request 1647
   rlm_realm: Looking up realm xxx.com for User-Name = 
[EMAIL PROTECTED]

   rlm_realm: Found realm xxx.com
   rlm_realm: Proxying request from user nyp2inter to realm xxx.com
   rlm_realm: Adding Realm = xxx.com
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 1647
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 1647
 modcall[authorize]: module files returns notfound for request 1647
rlm_pap: WARNING! No known good password found for the user.  
Authentication may fail because of this.

 modcall[authorize]: module pap returns noop for request 1647
2008-04-24T11:29:37.613507: Verbose: RLM_PYTHON: handling Authorize 
request...

 modcall[authorize]: module python returns ok for request 1647
modcall: leaving group authorize (returns ok) for request 1647
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user

auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/nyp4inter] (from client lns1.ade 
port 328 cli sfy713300200187)

 Found Post-Auth-Type
 Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 1647
rlm_sql_log (sql_log): Processing sql_log_postauth
radius_xlat:  'INSERT INTO radpostauth  (user, password, reply, date, 
reply_message) VALUES ('[EMAIL PROTECTED]', 'xxx', '

Access-Reject', '2008-04-24 11:29:37', '');'
radius_xlat:  '/var/log/radius/radacct/sql-relay'
 modcall[post-auth]: module sql_log returns ok for request 1647
modcall: leaving group REJECT (returns ok) for request 1647
Delaying request 1647 for 1 seconds
Finished request 1647

With no Changes this Connected:

rad_recv: Access-Request packet from host xxx.xx.208.165:1645, id=167, 
length=106

   Framed-Protocol = PPP
   User-Name = [EMAIL PROTECTED]
   User-Password = xxx
   NAS-Port-Type = Virtual
   NAS-Port = 315
   Calling-Station-Id = sfy713300200187
   Service-Type = Framed-User
   NAS-IP-Address = xxx.xx.208.165
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1675
 modcall[authorize]: module preprocess returns ok for request 1675
radius_xlat:  '/var/log/radius/radacct/xxx.xx208.165/auth-detail-20080424'
rlm_detail: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands 
to /var/log/radius/radacct/xxx.xx208.165/auth

-detail-20080424
 modcall[authorize]: module auth_log returns ok for request 1675
 modcall[authorize]: module attr_filter returns noop for request 1675
 modcall[authorize]: module chap returns noop for request 1675
 modcall[authorize]: module mschap returns noop for request 1675
   rlm_realm: Looking up realm xxx.com for User-Name = 
[EMAIL PROTECTED]

   rlm_realm: Found realm xxx.com
   rlm_realm: Adding Stripped-User-Name = nyp2inter
   rlm_realm: Proxying request from user nyp2inter to realm xxx.com
   rlm_realm: Adding Realm = xxx.com
   rlm_realm: Preparing to proxy authentication request to realm xxx.com
 

Freeradius 1.1.7 and LDAP

2008-02-21 Thread Mike O'Connor

Hi Guys

I have a small issue with freeradius and ldap, it's authenticating as 
'access accept' customers which have placed a space at the beginning of 
their user name.


This then causes their accounting data not to match and so we do not 
account for their data.


Is this a bug or a setting I have incorrectly set ?

Mike


Re: rlm_python freeradiusd 2.0.2

2008-02-16 Thread Mike O'Connor

Hi Alexander

I think your problem is that python does not know where to find your module.

The best way of overcoming this issue is to place a file in the 
site-packages directory which indicates where your python code is installed.


[EMAIL PROTECTED] site-packages]# cat radiusd_test.pth
/opt/freeradius-python/
[EMAIL PROTECTED] site-packages]#

Cheers
Mike


Alexander Demidoff wrote:

Hello all!
I want to use python possibilities to authorize users with 
freeradius.


So, I compiled freeradius with options:
--with-experimental-modules \
--with-rlm_python

created config files and my python module  radiusd_isp,
put it in the python path

freeradius -X out me:

  python {
mod_instantiate = radiusd_isp
func_instantiate = instantiate
mod_authorize = radiusd_isp
func_authorize = authorize
mod_authenticate = radiusd_isp
func_authenticate = authenticate
mod_preacct = radiusd_isp
func_preacct = preacct
mod_accounting = radiusd_isp
func_accounting = accounting
mod_detach = radiusd_isp
func_detach = detach
  }
exceptions.ImportError: No module named radiusd_isp
Failed to import python module radiusd_isp
/etc/freeradius/python.conf[32]: Instantiation failed for module python
/etc/freeradius/radiusd.conf[1824]: Failed to find module python.
/etc/freeradius/radiusd.conf[1793]: Errors parsing authorize section.

help me anybody, please !?


Re: EXAMPLE: unlang removing attribute inside a test

2008-01-24 Thread Mike O'Connor

Hi Alan

The documentation does not mention these options so I assume that you 
mean it would need writing ?



  One option is to add more filtering operators.  e.g. -~, meaning
regex match, and remove.  Or perhaps a better way, is to add a
filter section:

filter request { # filter out attributes matching the following
  Foo =~ /bar/   #  remove by regex
}

  Also, adding a require section may be useful, too:

require request {   # filter out attributes NOT matching 
Foo =~ /bar/
}
  


As I have not written much C code in 15 years, it's going to take me 
a while to work that one out.


Cheers
Mike


Re: Python and return attributes in `postproxy`

2008-01-14 Thread Mike O'Connor

Alan DeKok wrote:

Mike O'Connor wrote:
  

It would seem as if the rlm_python does not provide the returned
attributes from the proxy, this happens in both a patched version of
1.1.7 and 2.0.0.



  Yes.  It appears to convert only the request attributes to a python tuple.

  Fixing it shouldn't be hard.  As always, patches are welcome.

  Alan DeKok.
  

Hi Alan

Is there an example of how this is done in another rlm_ module which 
works in a similar way as the rlm_python code ?



Mike


Python and return attributes in `postproxy`

2008-01-13 Thread Mike O'Connor

Hi Guys

It would seem as if the rlm_python does not provide the returned 
attributes from the proxy, this happens in both a patched version of 
1.1.7 and 2.0.0.


Code:
def postproxy(params):
   log.log('RLM_PYTHON: handling Post Proxy request...', log.VERBOSE)
   pprint.pprint(params)
   returnval = send_message('postproxy', params, False)
   return lib.radiusd.RLM_MODULE_OK

Result:
+- entering group post-proxy
2008-01-14T13:14:09.412107: Verbose: RLM_PYTHON: handling Post Proxy 
request...

(('Framed-Protocol', 'PPP'),
('User-Name', '[EMAIL PROTECTED]'),
('User-Password', 'x'),
('Service-Type', 'Framed-User'),
('NAS-IP-Address', '118.xx.xx.xx'),
('Realm', 'dsl.*'),
++[python] returns ok

Command line test:
Sending Access-Request of id 39 to 118.67.209.51 port 1812
   Framed-Protocol = PPP
   User-Name = [EMAIL PROTECTED]
   User-Password = x
   Service-Type = Framed-User
   NAS-IP-Address = 118.xx.xx.xx
rad_recv: Access-Accept packet from host 118.67.209.51 port 1812, id=39, 
length=44

   Port-Limit = 1
   Framed-Protocol = PPP
   Service-Type = Framed-User
   Framed-IP-Address = 118.xx.xx.21







Re: RLM_python patch to enable postproxy - Not work need a little help

2007-11-13 Thread Mike O'Connor
Alan DeKok wrote:
 Mike O'Connor wrote:
   
 I wrote the attached patch for Freeradius 1.1.7 to enable calling
 python in the post-proxy, it compiles but will not run when the hook is
 listed in post-proxy because Freeradius complains that there is no
 support for post-proxy in rlm_python.
 

   You didn't install the new version of rlm_python.  So it's still
 linking to the old rlm_python, without post-proxy support.

   
Maybe I'm not getting you, but even the latest cvs does not have any
post-proxy or post-auth support.

module_t rlm_python = {
        RLM_MODULE_INIT,
        "python",
        RLM_TYPE_THREAD_SAFE,           /* type */
        python_instantiate,             /* instantiation */
        python_detach,                  /* detach */
        {
                python_authenticate,    /* authentication */
                python_authorize,       /* authorization */
                python_preacct,         /* preaccounting */
                python_accounting,      /* accounting */
                python_checksimul,      /* checksimul */
                NULL,                   /* pre-proxy */
                NULL,                   /* post-proxy */
                NULL                    /* post-auth */
        },
};


My code added the post-proxy but when I tried to use it freeradius would
complain that rlm_python did not support being called from the post-auth
section of radiusd.conf.
 My question is where in the source is the list of allowed calls per module ?
 

   No.  The *only* interaction is in the modules.

   
That's what I would have thought which is why what I saw did not make
any sense. It would report finding my config section for the post-proxy
but when added to the config it would not start freeradius.



Thanks
Mike


Re: RLM_python patch to enable postproxy - Not work need a little help

2007-11-13 Thread Mike O'Connor
Hi Alan

I think I have worked it out, somehow I got myself confused during my
testing.

The model was there but I think each time I did not have everything
configured.

Thanks as always for your time
Mike


RLM_python patch to enable postproxy - Not work need a little help

2007-11-12 Thread Mike O'Connor
Hi Guys

I wrote the attached patch for Freeradius 1.1.7 to enable calling
python in the post-proxy, it compiles but will not run when the hook is
listed in post-proxy because Freeradius complains that there is no
support for post-proxy in rlm_python.

My question is where in the source is the list of allowed calls per module ?

Once I know this I can fix this attached and supply as a tested patch.

Thanks
Mike
--- src/modules/rlm_python/rlm_python.c.orig2007-03-06 00:45:28.0 
+1030
+++ src/modules/rlm_python/rlm_python.c 2007-10-10 15:36:51.0 +0930
@@ -54,6 +54,7 @@
 char*mod_authenticate;
 char*mod_preacct;
 char*mod_accounting;
+char*mod_post_proxy;
 char*mod_checksimul;
 char*mod_detach;
 
@@ -63,6 +64,7 @@
 char*func_authenticate;
 char*func_preacct;
 char*func_accounting;
+char*func_post_proxy;
 char*func_checksimul;
 char*func_detach;
 
@@ -71,6 +73,7 @@
 PyObject *pModule_authenticate;
 PyObject *pModule_preacct;
 PyObject *pModule_accounting;
+PyObject *pModule_post_proxy;
 PyObject *pModule_checksimul;
 PyObject *pModule_detach;
 
@@ -80,6 +83,7 @@
 PyObject *pFunc_authenticate;
 PyObject *pFunc_preacct;
 PyObject *pFunc_accounting;
+PyObject *pFunc_post_proxy;
 PyObject *pFunc_checksimul;
 PyObject *pFunc_detach;
 };
@@ -120,6 +124,11 @@
   { func_accounting,  PW_TYPE_STRING_PTR,
 offsetof(struct rlm_python_t, func_accounting), NULL,  NULL},
 
+  { mod_post_proxy,  PW_TYPE_STRING_PTR,
+offsetof(struct rlm_python_t, mod_post_proxy), NULL,  NULL},
+  { func_post_proxy,  PW_TYPE_STRING_PTR,
+offsetof(struct rlm_python_t, func_post_proxy), NULL,  NULL},
+
   { mod_checksimul,  PW_TYPE_STRING_PTR,
 offsetof(struct rlm_python_t, mod_checksimul), NULL,  NULL},
   { func_checksimul,  PW_TYPE_STRING_PTR,
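Review bot: the new mod_post_proxy and func_post_proxy entries in the parser table add two configuration keys that nothing else in this patch documents, since only rlm_python.c is changed. Add the pair to the example python module section next to mod_accounting and func_accounting so the option names can be found without reading the source.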
@@ -490,6 +499,7 @@
 python_objclear(data-pFunc_authenticate);
 python_objclear(data-pFunc_preacct);
 python_objclear(data-pFunc_accounting);
+python_objclear(data-pFunc_post_proxy);
 python_objclear(data-pFunc_checksimul);
 python_objclear(data-pFunc_detach);
 
@@ -498,6 +508,7 @@
 python_objclear(data-pModule_authenticate);
 python_objclear(data-pModule_preacct);
 python_objclear(data-pModule_accounting);
+python_objclear(data-pModule_post_proxy);
 python_objclear(data-pModule_checksimul);
 python_objclear(data-pModule_detach);
 }
@@ -566,6 +577,12 @@
 data-pFunc_accounting)  0)
 goto failed;
 
+if (python_load_function(data-mod_post_proxy,
+data-func_post_proxy,
+data-pModule_post_proxy,
+data-pFunc_post_proxy)  0)
+goto failed;
+
 if (python_load_function(data-mod_checksimul,
 data-func_checksimul,
 data-pModule_checksimul,
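Review bot: the python_load_function call for post_proxy is unconditional and jumps to failed on error, while both new config entries default to NULL. Please confirm that python_load_function returns success when the module and function names are unset; otherwise every existing configuration that does not set mod_post_proxy would fail to instantiate once this patch is applied.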
@@ -633,6 +650,14 @@
accounting);
 }
 
+static int python_post_proxy(void *instance, REQUEST *request)
+{
+return python_function(
+   request,
+   ((struct rlm_python_t *)instance)-pFunc_post_proxy,
+   post-proxy);
+}
+
 static int python_checksimul(void *instance, REQUEST *request)
 {
 return python_function(
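Review bot: python_post_proxy passes only request to python_function, the same call shape as the python_checksimul wrapper below it, so nothing here selects the proxied reply for conversion. If python_function builds its tuple from the request attributes, the Python post-proxy function will never see what the home server returned; consider giving python_function an argument for the attribute list to convert, or converting the proxy reply in this wrapper.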
@@ -663,7 +688,7 @@
python_accounting,  /* accounting */
python_checksimul,  /* checksimul */
NULL,   /* pre-proxy */
-   NULL,   /* post-proxy */
+   python_post_proxy,  /* post-proxy */
NULL/* post-auth */
},
python_detach,  /* detach */
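Review bot: the module table still has NULL in the pre-proxy and post-auth slots after this change, so only post-proxy becomes callable from Python. If post-auth support is also wanted it needs its own handler and config entries in the same pattern; otherwise state in the patch description that post-proxy is the only section added.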


Re: Filtering out a attribute conditionally

2007-11-02 Thread Mike O'Connor
Hi Alan
 Is there any way of adding or removing the ip_pool based on a rule ?
 

   I don't know what you mean by that.

   
I still want the customer isp to be able to set a static ip address but
I have to remove the cisco-avp pair when these come through, or I want
to add the cisco-avp pair when there is no static ip address.
 Could Freeradius 2 do this ?
 

   It would likely be a lot easier.  Download 2.0, and read man unlang.
   

I suspected that V2 would handle this better. I had read the unlang man
page. Still trying to get a handle on it.

Mike


Filtering out a attribute conditionally

2007-11-01 Thread Mike O'Connor
Hi All

I have a problem with my Cisco 7301's where I apply an address pool via a
Cisco-AVPair (for each wholesale ISP customer) and the wholesale ISP
supplies a Framed-IP-Address at the same time, the connection is kicked
by the cisco.

Is there any way of adding or removing the ip_pool based on a rule ?

Could Freeradius 2 do this ?

Thanks
Mike

--- Current Attrs File
.com
Service-Type == Framed-User,
Framed-IP-Address =* 255.255.255.254,
Framed-IP-Netmask == 255.255.255.255,
Framed-Route =* ANY,
Cisco-AVPair := ip:addr-pool=ip_pool_netyp,
Framed-Compression =* Van-Jacobson-TCP-IP,
Framed-Protocol == PPP,
Framed-MTU =* 1492,
Framed-Filter-ID =* ANY,
Cisco-AVPair =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
Idle-Timeout =* 600,
Session-Timeout =* 28800,
Port-Limit =* 1

--- Reply without framed-ip-address
Packet-Type = Access-Accept
Wed Oct 31 19:55:36 2007
Cisco-AVPair := ip:addr-pool=ip_pool_netyp
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Session-Timeout = 14400
Idle-Timeout = 900
Port-Limit = 1

--- Reply with framed-ip-address
Packet-Type = Access-Accept
Wed Oct 31 19:55:36 2007
Cisco-AVPair := ip:addr-pool=ip_pool_netyp
Service-Type = Framed-User
Framed-IP-Address = XXX.XXX.11.247
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Session-Timeout = 14400
Idle-Timeout = 900
Port-Limit = 1





Re: Post-Proxy attr_filter on Access-Accept Packets only

2007-10-10 Thread Mike O'Connor
Hi Alan
>   Do you see it in the response packet?  Or in debug mode?  Or both?

Yes with verbose turned on in radclient you see the extra value pair
printed on the screen.

>   CVS head has this fixed.  You can run separate pre/post proxy sections
> for authentication and for accounting.

Ok so when version 2 is released this issue will go away.

Mike


Post-Proxy attr_filter on Access-Accept Packets only

2007-10-09 Thread Mike O'Connor
Hi Guys

How do I only add a radius attribute via attr_filter on Access-Accept
Packets ?

My current config is adding the attribute on accounting reply packets also.

Thanks
Mike


Re: rlm_Python - PyExc_IOError

2007-10-03 Thread Mike O'Connor
Hi All

I have looked at this problem and I can not see how to fix it

How much is it going to cost me to have someone login to a virtual
machine I'll setup and fix this issue ASAP ?

The fix would need to be done in such a way that the standard Debian
build scripts would be used and the patch sent back to the project.

I'd like the patch for both 1.1.x and for current head.

If someone is interested please contact me privately.

Thanks
Mike

Alan DeKok wrote:
> Mike O'Connor wrote:
>> I decided to try freeradius-2.0.0-pre2 and it gives a much clearer idea of
>> the problem.
>> The issue seems to be that the rlm_python module is having trouble
>> loading dynamic code.
>
>   I suspect it's a shared library problem.  The time.so library depends
> on another one that contains PyExc_IOError.  However, that dependency is
> NOT recorded in time.so.  That dependency is also NOT built into
> FreeRADIUS (or rlm_python), as it has no idea which Python library
> depends on which other Python library.
>
>   I suggest finding out which library contains that symbol, and
> then re-building rlm_python to link to that library.
>
>   Alan DeKok.


Re: rlm_Python - PyExc_IOError

2007-10-03 Thread Mike O'Connor
Hi Alan

You are correct about it being an issue with time.so, because I just
removed this module from my test code and added the module random
instead and the freeradius loaded.

Mike

Alan DeKok wrote:
> Mike O'Connor wrote:
>> I decided to try freeradius-2.0.0-pre2 and it gives a much clearer idea of
>> the problem.
>> The issue seems to be that the rlm_python module is having trouble
>> loading dynamic code.
>
>   I suspect it's a shared library problem.  The time.so library depends
> on another one that contains PyExc_IOError.  However, that dependency is
> NOT recorded in time.so.  That dependency is also NOT built into
> FreeRADIUS (or rlm_python), as it has no idea which Python library
> depends on which other Python library.
>
>   I suggest finding out which library contains that symbol, and
> then re-building rlm_python to link to that library.
>
>   Alan DeKok.


Re: rlm_Python - PyExc_IOError

2007-10-03 Thread Mike O'Connor
Hi All

I'm happy to say I have fixed this issue.

I'm not totally happy with the way I did it because it would not be
portable if python was installed in a different location.

If someone with a little more knowledge could add this correctly that would
be great.

#
# $Id: Makefile.in,v 1.2.10.1 2006/02/10 19:47:17 nbk Exp $
#

TARGET = @targetname@
SRCS   = rlm_python.c
HEADERS= /usr/include/python2.4/pyerrors.h -
RLM_LIBS   = @python_ldflags@
RLM_CFLAGS = @python_cflags@

include ../rules.mak

$(LT_OBJS): $(HEADERS)


Mike

Mike O'Connor wrote:
> Hi All
>
> I have looked at this problem and I can not see how to fix it
>
> How much is it going to cost me to have someone login to a virtual
> machine I'll setup and fix this issue ASAP ?
>
> The fix would need to be done in such a way that the standard Debian
> build scripts would be used and the patch sent back to the project.
>
> I'd like the patch for both 1.1.x and for current head.
>
> If someone is interested please contact me privately.
>
> Thanks
> Mike
>
> Alan DeKok wrote:
>> Mike O'Connor wrote:
>>> I decided to try freeradius-2.0.0-pre2 and it gives a much clearer idea of
>>> the problem.
>>> The issue seems to be that the rlm_python module is having trouble
>>> loading dynamic code.
>>
>>   I suspect it's a shared library problem.  The time.so library depends
>> on another one that contains PyExc_IOError.  However, that dependency is
>> NOT recorded in time.so.  That dependency is also NOT built into
>> FreeRADIUS (or rlm_python), as it has no idea which Python library
>> depends on which other Python library.
>>
>>   I suggest finding out which library contains that symbol, and
>> then re-building rlm_python to link to that library.
>>
>>   Alan DeKok.


rlm_Python - PyExc_IOError

2007-10-02 Thread Mike O'Connor
Hi Guys

Got a problem with rlm_python using 1.1.7 on Debian etch with no changes
to source other than to move rlm_python into the stable modules file.

The module is in the path and an strace shows the file being found.

rlm_python:python_load_function: module 'radiusd_test' is not found
rlm_python:EXCEPT:exceptions.ImportError:
/usr/lib/python2.4/lib-dynload/time.so: undefined symbol: PyExc_IOError
rlm_python:python_load_function: failed to import python function
'radiusd_test.instantiate'
radiusd.conf[1]: python: Module instantiation failed.

Any idea would be great
Thanks
Mike


--- File is found and loaded
open(/usr/lib/python2.4/site-packages/radiusd_test.py,
O_RDONLY|O_LARGEFILE) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=497, ...}) = 0
open(/usr/lib/python2.4/site-packages/radiusd_test.pyc,
O_RDONLY|O_LARGEFILE) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=1408, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb7b67000
read(6, m\362\r\n[EMAIL PROTECTED]...,
4096) = 1408
fstat64(6, {st_mode=S_IFREG|0644, st_size=1408, ...}) = 0
read(6, , 4096)   = 0
close(6)= 0
munmap(0xb7b67000, 4096)
--
   = 0
stat64(/usr/lib/python24.zip/time, 0xbfa8422c) = -1 ENOENT (No such
file or directory)
open(/usr/lib/python24.zip/time.so, O_RDONLY|O_LARGEFILE) = -1 ENOENT
(No such file or directory)
open(/usr/lib/python24.zip/timemodule.so, O_RDONLY|O_LARGEFILE) = -1
ENOENT (No such file or directory)
open(/usr/lib/python24.zip/time.py, O_RDONLY|O_LARGEFILE) = -1 ENOENT
(No such file or directory)
open(/usr/lib/python24.zip/time.pyc, O_RDONLY|O_LARGEFILE) = -1 ENOENT
(No such file or directory)
stat64(/usr/lib/python2.4/time, 0xbfa8422c) = -1 ENOENT (No such file
or directory)
open(/usr/lib/python2.4/time.so, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No
such file or directory)
open(/usr/lib/python2.4/timemodule.so, O_RDONLY|O_LARGEFILE) = -1
ENOENT (No such file or directory)
open(/usr/lib/python2.4/time.py, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No
such file or directory)
open(/usr/lib/python2.4/time.pyc, O_RDONLY|O_LARGEFILE) = -1 ENOENT
(No such file or directory)
stat64(/usr/lib/python2.4/plat-linux2/time, 0xbfa8422c) = -1 ENOENT
(No such file or directory)
open(/usr/lib/python2.4/plat-linux2/time.so, O_RDONLY|O_LARGEFILE) =
-1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/plat-linux2/timemodule.so,
O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/plat-linux2/time.py, O_RDONLY|O_LARGEFILE) =
-1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/plat-linux2/time.pyc, O_RDONLY|O_LARGEFILE) =
-1 ENOENT (No such file or directory)
stat64(/usr/lib/python2.4/lib-tk/time, 0xbfa8422c) = -1 ENOENT (No
such file or directory)
open(/usr/lib/python2.4/lib-tk/time.so, O_RDONLY|O_LARGEFILE) = -1
ENOENT (No such file or directory)
open(/usr/lib/python2.4/lib-tk/timemodule.so, O_RDONLY|O_LARGEFILE) =
-1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/lib-tk/time.py, O_RDONLY|O_LARGEFILE) = -1
ENOENT (No such file or directory)
open(/usr/lib/python2.4/lib-tk/time.pyc, O_RDONLY|O_LARGEFILE) = -1
ENOENT (No such file or directory)
stat64(/usr/lib/python2.4/lib-dynload/time, 0xbfa8422c) = -1 ENOENT
(No such file or directory)
open(/usr/lib/python2.4/lib-dynload/time.so, O_RDONLY|O_LARGEFILE) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=15860, ...}) = 0
open(/usr/lib/python2.4/lib-dynload/time.so, O_RDONLY) = 7
read(7, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\22\0...,
512) = 512
fstat64(7, {st_mode=S_IFREG|0644, st_size=15860, ...}) = 0
mmap2(NULL, 19072, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0)
= 0xb79a6000
mmap2(0xb79a9000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x2) = 0xb79a9000
close(7)= 0
munmap(0xb79a6000, 19072)   = 0
close(6)= 0
close(5)= 0
futex(0x8010a620, FUTEX_WAKE, 1)= 0
time(NULL)  = 1191313703
write(1, rlm_python:python_load_function:...,
68rlm_python:python_load_function: module 'radiusd_test' is not found
) = 68
futex(0x801083f8, FUTEX_WAKE, 1)= 0
time(NULL)  = 1191313703
write(1, rlm_python:EXCEPT:exceptions.Imp...,
114rlm_python:EXCEPT:exceptions.ImportError:
/usr/lib/python2.4/lib-dynload/time.so: undefined symbol: PyExc_IOError
) = 114
futex(0x801083f8, FUTEX_WAKE, 1)= 0
time(NULL)  = 1191313703
write(1, rlm_python:python_load_function:...,
93rlm_python:python_load_function: failed to import python function
'radiusd_test.instantiate'
) = 93
futex(0x801083f8, FUTEX_WAKE, 1)= 0
futex(0x801083f8, FUTEX_WAKE, 1)= 0
futex(0x801083f8, FUTEX_WAKE, 1)= 0
time(NULL)  = 1191313703
write(1, radiusd.conf[1]: python: Module ..., 

Re: rlm_Python - PyExc_IOError

2007-10-02 Thread Mike O'Connor
Hi Alan

>   Is radiusd.py in the path?

Yep in the same place as my own code

/usr/lib/python2.4/site-packages/

Strace never shows that file being requested for loading.

Mike


Re: rlm_Python - PyExc_IOError

2007-10-02 Thread Mike O'Connor
Hi Guys

I decided to try freeradius-2.0.0-pre2 and it gives a much clearer idea of
the problem.
The issue seems to be that the rlm_python module is having trouble
loading dynamic code.

Mike

write(1, exceptions.ImportError: /usr/lib...,
97exceptions.ImportError: /usr/lib/python2.4/lib-dynload/time.so:
undefined symbol: PyExc_IOError
) = 97
write(1, Failed to import python module \..., 47Failed to import
python module radiusd_test
) = 47
write(1, /etc/freeradius/rlmpython.conf[1...,
76/etc/freeradius/rlmpython.conf[1]: Instantiation failed for module
python
) = 76
write(1, /etc/freeradius/sites-enabled/de...,
76/etc/freeradius/sites-enabled/default[126]: Failed to find module
python.
) = 76
write(1, /etc/freeradius/sites-enabled/de...,
79/etc/freeradius/sites-enabled/default[35]: Failed to parse authorize
section.
) = 79
write(1,  }\n, 3 }
) = 3
write(1, }\n, 2}
)  = 2
write(1, Errors setting up modules\n, 26Errors setting up modules
) = 26
exit_group(1)   = ?
Process 1212 detached



rlm_perl/rlm_python adding extra value pairs

2007-03-10 Thread Mike O'Connor
Hi All

I wish to add some extra value pairs to accounting packets which are
being proxied to other radius servers.

If in the 'preacct' or the 'accounting' stage I was to add using
rlm_python or rlm_perl value pairs would they be sent through to the
other radius servers ?

Thanks
Mike


grouping rlm_ippool's

2006-02-07 Thread Mike O'Connor
Hi

Some time ago there was a question about rlm_ippool and if it was
possible to group them ie

ippool main_pool_1 {}

ippool main_pool_2 {}


accounting {

group main_pool {
main_pool_1
main_pool_2
}

sql

}

post-auth {

group main_pool {
   main_pool_1
   main_pool_2
}

}

I have done some testing and it does not seem to work. (using
freeradius-1.0.5)

Does anyone have any idea of how this could be made to work and/or have I
not got this configuration correct.

Thanks
Mike



Regx Question

2005-11-15 Thread Mike O'Connor
Hi All

I have the following in the users and acct_users files

DEFAULT Called-Station-Id == 0198334115, Proxy-To-Realm :=
.com

I would like to match on 198334115 with a possibility of about 4 to 6
more numbers on the front of this number.

I have tried a number of different regex's but none of them have worked
so I must have something wrong :)

Any ideas would be great.

Thanks
Mike


Re: Regx Question

2005-11-15 Thread Mike O'Connor
Thanks Alan

>   Reading the man page for the users file would help, too.  You're
> not doing regular expression matching at all.
>
> DEFAULT Called-Station-Id =~ 198334115$, Proxy-To-Realm :=
> .com

I did not give any examples of what I had tried which I suppose I should
have.

Below are some of my attempts
#DEFAULT Called-Station-Id == 198407112$,
Proxy-To-Realm := .au
#DEFAULT Called-Station-Id == *128407112$,
Proxy-To-Realm := .au
#DEFAULT Called-Station-Id == ^[0-9]*128407112$,
Proxy-To-Realm := .au

None of the above worked, even though the exact number did.

Cheers
Mike


Re: Regx Question

2005-11-15 Thread Mike O'Connor
Mike Mitchell wrote:

> Yes, but you missed one important little detail...
>
> use =~
> not ==

Hi Mike, Alan

Did read the manual just did not see that one :(

I'll go check that out now

Cheers
Mike
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
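
The `==` versus `=~` point made in this thread, shown as an added example in Python (not code from any of the posts or from FreeRADIUS): a small model of the two check-item operators run over constructed Called-Station-Id values. It assumes Python's `re` behaves like the server's regex engine for these simple patterns; the bounded `{4,6}` pattern is a suggestion for the "4 to 6 more numbers" requirement, not something posted on the list.

```python
import re

# Constructed Called-Station-Id values; 198334115 is the number from the thread.
SAMPLES = [
    "198334115",           # bare number
    "0198334115",          # one leading digit, the literal in the users file
    "6140198334115",       # four extra digits in front
    "614000198334115",     # six extra digits in front
    "99999999198334115",   # eight extra digits in front
    "198334115#1234",      # trailing data after the number
    "abc198334115",        # non-digit prefix
]


def check_item(operator, pattern, value):
    """Model of a users-file check item.

    '==' compares the attribute with the right-hand side as a literal string.
    '=~' treats the right-hand side as a regular expression and searches for
    it anywhere in the value unless the pattern itself is anchored.
    """
    if operator == "==":
        return value == pattern
    if operator == "=~":
        return re.search(pattern, value) is not None
    raise ValueError("unsupported operator: %r" % operator)


# (label, operator, right-hand side)
RULES = [
    # Regex text behind '==', as in the commented-out attempts: never matches.
    ("== with regex text", "==", "^[0-9]*198334115$"),
    # The pattern given in the reply: anchored at the end only.
    ("=~ suffix only", "=~", "198334115$"),
    # Assumption: anchor both ends and bound the prefix to 4-6 digits.
    ("=~ bounded digit prefix", "=~", "^[0-9]{4,6}198334115$"),
]


def evaluate(samples=SAMPLES):
    """Return {rule label: [sample values the rule accepts]}."""
    return {
        label: [v for v in samples if check_item(op, pat, v)]
        for label, op, pat in RULES
    }


if __name__ == "__main__":
    for label, hits in evaluate().items():
        print("%-26s %s" % (label, hits))
```

The suffix-only rule also accepts the eight-digit and non-digit prefixes, so a rule that decides where a request is proxied is safer anchored at both ends.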


Re: 8e6 technologies and radius

2005-01-10 Thread Mike O'Connor
Terry J Fike Jr wrote:
> They use the Class attribute to tell their box what users are being
> filtered and how (which filtering ruleset).  but it means that either
> the nas device has to send the data to it, or i can radrelay it to the
> 8e6 box (which is what i'm using for testing at the moment).  it also
> has the ability (i think) to receive data like an accounting server
> and then forward it to the actual accounting server.
>
> how do i modify the Access-Accept to send it to the NAS so it can add
> this attribute in the accounting packet?  I don't remember seeing
> anything like that in the readmes or comments in the conf files?  (not
> to say i couldn't be blind and have totally missed it though)

Hi Terry
I have been using the 8e6 box for about 1 1/2 with freeradius, both on
the r2000 and then on the r3000, please find an example of how to use
radius to update the 8e6 unit.

I would never use the 8e6 box in relay mode because it adds one more way
for the network to break.

Example of a command line usage of the 8e6 box
radius1:/tmp# cat attribs
User-Name=User97
Acct-Status-Type=Start
Class=xstop: Rule1, http://www.localnet/blocked/;
Framed-IP-Address=192.168.1.35
/usr/bin/radclient -d /usr/share/freeradius/ -f /tmp/attribs 
filter.localnet:1813 acct password

I can not remember if I needed to edit the dictionaries to make this all work
I have written scripts which use the acct_users system to send a filter 
rule to the 8e6 box each time I receive a Start, Alive and Stop.

Cheers
Mike


Re: rlm_ippool - not releasing ip addresses

2004-11-22 Thread Mike O'Connor
Hi Paul
Thanks for your email.
I sat down this weekend and wrote the same type of tool.
I find all the ip addresses which have been left active, read out of the
radacct database a closed record for each ip address.

Then use radclient to send a radacct stop record for each ip address but
change the nas port to the one reported by rlm_ippool_tool.

You mention that the problem only happened if there is not enough ip for
the total ports. If I have understood you correctly, I have to
disagree. For this site we have 25 ports and 30 ip's.

Thanks
Mike

Paul Hampson wrote:
> On Sat, Nov 20, 2004 at 10:51:32AM +1030, Mike O'Connor wrote:
>> Thanks for your comments, I used your suggestion as a basis and have
>> found that the accounting stop records do not always have the same port
>> id. This means it does not match correctly and does not release the port.
>>
>> I do not see any way of fixing this from the nas end, so I plan to write
>> some software which checks if a port has been released (using the Alive
>> and Stop records) and then sends an Acct Stop record with the correct
>> port details.
>
> In most cases this won't be a problem, as a new ippool call with a port
> number rlm_ipaddr thinks is still in use should free the IP address up,
> so it can later be reallocated.
>
> It's a problem if you have more ports than IP addresses. ^_^ (As I do
> here. _) I tried using radkill, but that was more trouble than worth,
> as the radutmp file was getting boned for entirely different reasons.
>
> I have some scripts here which will process a ip pool file (using
> rlm_ippool_tool) against radwho or a radacct table, which I used to
> clean out rm_ippool's data every so often. The problem is that any
> non-FreeRADIUS modification of the database needs to be done while
> FreeRADIUS is stopped.
>
> I'd love to improve rlm_ippool_tool, but if I ever work on it again,
> it'll be to SQLise rlm_ippool instead, (as I believe someone has done
> and posted a patch to the list), as part of my heartfelt desire to
> turn FreeRADIUS into some kind of unusual SQL database frontend. ^_^


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
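
The clean-up procedure described in this message, shown as an added example in Python (not Mike's or Paul's tool, and not part of FreeRADIUS): find pool entries still marked active whose most recent radacct session is closed, then build an accounting Stop for each using the NAS port the pool recorded rather than the port in the original Stop. The pool and radacct rows are constructed and their field names are hypothetical; it assumes the pool is keyed on NAS address and port, as the "nas/port" debug lines elsewhere on this page suggest.

```python
from datetime import datetime

# Constructed pool state, as one might transcribe it from the pool dump
# (field names are hypothetical, not the tool's own output format).
POOL = [
    {"nas": "192.0.2.1", "port": 152, "ip": "10.0.0.11", "active": True},
    {"nas": "192.0.2.1", "port": 308, "ip": "10.0.0.12", "active": True},
    {"nas": "192.0.2.1", "port": 77,  "ip": "10.0.0.13", "active": True},
    {"nas": "192.0.2.1", "port": 12,  "ip": "10.0.0.14", "active": False},
]

# Constructed radacct rows; stop is None while a session is still open.
RADACCT = [
    # Closed session whose Stop arrived with port 153, not the pool's 152.
    {"user": "alice", "session": "S-0001", "ip": "10.0.0.11", "port": 153,
     "start": datetime(2004, 11, 20, 10, 0), "stop": datetime(2004, 11, 20, 10, 30)},
    # Address reused: an old closed session followed by one that is still open.
    {"user": "bob", "session": "S-0002", "ip": "10.0.0.12", "port": 308,
     "start": datetime(2004, 11, 20, 8, 0), "stop": datetime(2004, 11, 20, 9, 0)},
    {"user": "carol", "session": "S-0003", "ip": "10.0.0.12", "port": 308,
     "start": datetime(2004, 11, 20, 11, 0), "stop": None},
]


def latest_session(radacct, ip):
    """Most recently started accounting session for an address, or None."""
    rows = [r for r in radacct if r["ip"] == ip]
    return max(rows, key=lambda r: r["start"]) if rows else None


def reconcile(pool, radacct):
    """Split active pool entries into stale leases and unknown addresses.

    stale:   the latest session for the address is closed, so the lease leaked.
    unknown: active in the pool but no accounting record; left for manual review.
    Addresses whose latest session is still open are in use and are skipped.
    """
    stale, unknown = [], []
    for entry in pool:
        if not entry["active"]:
            continue
        last = latest_session(radacct, entry["ip"])
        if last is None:
            unknown.append(entry["ip"])
        elif last["stop"] is not None:
            stale.append((entry, last))
    return stale, unknown


def stop_packet(entry, session):
    """radclient-style attribute list for a corrective Stop.

    NAS-IP-Address and NAS-Port come from the pool entry, because that is the
    key the pool must see in order to release the address.
    """
    attrs = [
        ("User-Name", '"%s"' % session["user"]),
        ("Acct-Status-Type", "Stop"),
        ("Acct-Session-Id", '"%s"' % session["session"]),
        ("NAS-IP-Address", entry["nas"]),
        ("NAS-Port", str(entry["port"])),
        ("Framed-IP-Address", entry["ip"]),
    ]
    return "\n".join("%s = %s" % a for a in attrs)


if __name__ == "__main__":
    stale, unknown = reconcile(POOL, RADACCT)
    for entry, session in stale:
        print(stop_packet(entry, session) + "\n")
    print("no accounting record, review by hand:", unknown)
```

Checking the latest session rather than any closed one keeps the script from sending a Stop for an address that has since been handed to another user.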


Re: rlm_ippool - not releasing ip addresses

2004-11-19 Thread Mike O'Connor
Hi Alan
Thanks for your comments, I used your suggestion as a basis and have
found that the accounting stop records do not always have the same port
id. This means it does not match correctly and does not release the port.

I do not see any way of fixing this from the nas end, so I plan to write
some software which checks if a port has been released (using the Alive
and Stop records) and then sends an Acct Stop record with the correct
port details.

If any one has a better idea please email the list.
Thanks
Mike

Alan DeKok wrote:
> Mike O'Connor [EMAIL PROTECTED] wrote:
>> There are 30 addresses in the pool and at this time 13 of these are listed
>> as active but the radacct records show that the users using these
>> addresses have logged off.
>
>  Maybe the ippool module isn't getting the information it needs to
> release the address.  Run the server in debugging mode to see.
>
>  Or, look at the detail file for sessions where the address isn't
> released.  Run a test server in debugging mode, and send copies of
> those packets to the server, and see what the ippool module does.
>
>  Alan DeKok.


rlm_ippool - not releasing ip addresses

2004-11-18 Thread Mike O'Connor
Hi All
I have an issue with freeradius 1.0.1 not releasing some ip addresses back
to the non active pool.

There are 30 addresses in the pool and at this time 13 of these are listed
as active but the radacct records show that the users using these
addresses have logged off.

The rlm_ippool_tool has an option '-r' which I thought would fix this
but it removed the ip address from the database instead.

Any help with this would be greatly appreciated
Thanks
Mike


Re: rlm_ippool_tool option 'r' removes ip address from pool

2004-11-10 Thread Mike O'Connor
Hi All
I have had a look through the source code for this program and can not
see why it would be deleting these records instead of just releasing them.

Could someone have a look at this who is a little more experienced with
the source code and give me an idea of what's going on ?

Thanks
Mike

Mike O'Connor wrote:
> Hi All
> Using Freeradius 1.0.1
> I wrote a program to keep my ippool in line with my online list,
> this used the rlm_ippool_tool to set an ip address as inactive when
> there was a problem.
>
> After reading the rlm_ippool_tool options I decided that the option
> '-r: remove active entries' was the one to use.
>
> Problem is it does not seem to be the correct one because instead of
> just setting the ip address as inactive it removes it altogether.
>
> Does this seem to be correct ? if so what method should I be using ?
> Thanks
> Mike


rlm_ippool_tool option 'r' removes ip address from pool

2004-11-04 Thread Mike O'Connor
Hi All
Using Freeradius 1.0.1
I wrote a program to keep my ippool in line with my online list,
this used the rlm_ippool_tool to set an ip address as inactive when
there was a problem.

After reading the rlm_ippool_tool options I decided that the option '-r:
remove active entries' was the one to use.

Problem is it does not seem to be the correct one because instead of
just setting the ip address as inactive it removes it altogether.

Does this seem to be correct ? if so what method should I be using ?
Thanks
Mike


acct_users - Exec-Program not working

2004-11-03 Thread Mike O'Connor
Hi All
I have been using freeradius 0.9.3 for a long time and the acct_users
file below has always worked well (did have a problem where it would
just stop running the script sometimes)

I upgraded to 1.0.1 because I was having trouble with the ippool code
not sending a Framed-IP-Address every time. (This seems to be fixed in
this version)

But now I'm having a problem where my script never gets run, even though
the log below shows it being run. All the file permissions are set with
ownership by the freeradius user.

Any ideas would be great.
Thanks
Mike

 acct_user ---
#
# $Id: acct_users,v 1.3.4.1 2003/08/26 17:41:48 phampson Exp $
#
# This is like the 'users' file, but it is processed only for
# accounting packets.
#
DEFAULT Acct-Status-Type == Start
 Exec-Program = /usr/sbin/set_filter.php
# Exec-Program = /usr/bin/php4 -q /usr/sbin/set_filter.php
#
DEFAULT Acct-Status-Type == Stop
 Exec-Program = /usr/sbin/set_filter.php
#
#DEFAULT Acct-Status-Type == Alive
#  Exec-Program = printenv  /tmp/alive-env.dump
#
#  For information on how the attributes from the request are passed
#  to the program, see 'doc/variables.txt'
#
-- Exec-Program Running (maybe) ---
rlm_sql (sql): Reserving sql socket id: 10
rlm_sql_postgresql: query: UPDATE radacct ??SET AcctStopTime = (now() - 
'0'::interval), AcctSessionTime = '701', ??AcctInputOctets = 
(('0'::bigint  32) + '183922'::bigint), ??AcctOutputOctets = 
(('0'::bigint  32) + '755249'::bigint), ??AcctTerminateCause = 
'User-Request', AcctStopDelay = '0', ??FramedIPAddress = 
NULLIF('202.xx.xx.xx', '')::inet, ConnectInfo_stop = '' ??WHERE 
AcctSessionId = '001E64D7' AND UserName = 'gcrispin' ??AND NASIPAddress 
= '202.xx.xx.xx' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: affected rows = 1
rlm_sql (sql): Released sql socket id: 10
rlm_ippool: Searching for an entry for nas/port: 202.xx.xx.xx/152
rlm_ippool: Deallocated entry for ip/port: 202.xx.xx.xx/152
rlm_ippool: num: 0
Exec-Program: /usr/sbin/set_filter.php
Sending Accounting-Response of id 110 to 202.xx.xx.xx:39753

-- Exec-Program Running with -xx --
radius_xlat:  '/tmp/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 31
rlm_sql_postgresql: query: UPDATE radacct ??SET AcctStopTime = (now() - 
'0'::interval), AcctSessionTime = '48', ??AcctInputOctets = 
(('0'::bigint  32) + '16176'::bigint), ??AcctOutputOctets = 
(('0'::bigint  32) + '45690'::bigint), ??AcctTerminateCause = 
'User-Request', AcctStopDelay = '0', ??FramedIPAddress = 
NULLIF('202.xx.xx.xx', '')::inet, ConnectInfo_stop = '' ??WHERE 
AcctSessionId = '001E651E' AND UserName = 'matt' ??AND NASIPAddress = 
'202.xx.xx.xx' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: affected rows = 1
rlm_sql (sql): Released sql socket id: 31
 modcall[accounting]: module sql returns ok for request 0
rlm_ippool: Searching for an entry for nas/port: 202.xx.xx.xx/308
rlm_ippool: Deallocated entry for ip/port: 202.xx.xx.xx/308
rlm_ippool: num: 0
 modcall[accounting]: module main_pool returns ok for request 0
modcall: group accounting returns ok for request 0
radius_xlat:  '/usr/sbin/set_filter.php'
Exec-Program: /usr/sbin/set_filter.php
Sending Accounting-Response of id 116 to 202.xx.xx.xx:39753
