Re: IP billing with freeradius
Hello, [EMAIL PROTECTED]

You wrote on Tue, 08 May 2007 09:38:19 +0100:

t> This is nothing to do with radius. Use netflow.

What about dot1x auth + accounting? Though it may not be so good for servers.

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Non-ascii usernames
Hello, All!

How do I make FreeRadius work correctly with non-ascii usernames?

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]
Re: Non-ascii usernames
Hello, Alan!

You wrote on Wed, 25 Apr 2007 08:38:09 +0200:

AD> Alexander V. Klepikov wrote:
>> How do I make FreeRadius work correctly with non-ascii usernames?
AD> You type them in as UTF-8.

This means that my NASes clients should send them in UTF-8, am I right?

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]
Re: Non-ascii usernames
Hello, Alan!

You wrote on Wed, 25 Apr 2007 09:48:28 +0200:

>> This means that my NASes clients should send them in UTF-8, am I right?
AD> The NAS just sends whatever the user types into their computer.

I got it. Thank you!

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]
some issues in sqlippool, branch_1_1
Hello!

1. During setup of the rlm_sqlippool module, I found some compatibility issues with the PostgreSQL server. I remind you that rlm_sqlippool uses transactions. In that case all queries and commands, including BEGIN, COMMIT and ROLLBACK, in PostgreSQL must end with ; or the query will fail. I have this issue (is it an issue?) on PostgreSQL 7.3.15 but it should be true for 8.x versions too. I think it should be documented.

2. In sqlippool.conf %{reply:Pool-Name} is used, but the documentation says that Pool-Name is a check attribute. In my tests reply:Pool-Name was an empty string, so I replaced it with Pool-Name.

3. In doc/examples/postgresql.sql, in the radippool table definition, some fields are defined as NOT NULL (and vice versa) which should not be - it causes problems when one adds IP addresses to radippool.

4. In src/include/modpriv.h, src/modules/rlm_eap/rlm_eap.h and src/modules/rlm_sql/rlm_sql.h I replaced #include <ltdl.h> with #include "../../libltdl/ltdl.h" to compile FreeRadius. My OS is FreeBSD 6.2-RELEASE, GNU Make 3.81.

Patch for items 2 and 3 attached.

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]

--- doc/examples/postgresql.sql 5 Jan 2007 15:27:05 - 1.1.2.8 +++ doc/examples/postgresql.sql 17 Apr 2007 13:37:56 - @@ -199,13 +199,13 @@ CREATE TABLE radippool ( id BIGSERIAL PRIMARY KEY, pool_name text NOT NULL, - FramedIPAddress INET, - NASIPAddresstext NOT NULL, + FramedIPAddress INET NOT NULL, + NASIPAddresstext, CalledStationId VARCHAR(64), - CallingStationIdtext NOT NULL DEFAULT ''::text, - expiry_time TIMESTAMP(0) without time zone NOT NULL, + CallingStationIdtext DEFAULT ''::text, + expiry_time TIMESTAMP(0) without time zone NOT NULL DEFAULT now(), usernametext DEFAULT ''::text, - pool_keyVARCHAR(30) NOT NULL + pool_keyVARCHAR(30) ); -- --- raddb/sqlippool.conf17 Aug 2006 14:20:52 - 1.1.2.3 +++ raddb/sqlippool.conf17 Apr 2007 13:27:08 - 
@@ -26,7 +26,7 @@ # like Cisco internal pools do - it _trys_ to allocate the same IP-address # which user had last session... allocate-find = SELECT framedipaddress FROM radippool \ - WHERE pool_name = '%{reply:Pool-Name}' AND expiry_time 'now'::timestamp(0) \ + WHERE pool_name = '%{Pool-Name}' AND expiry_time 'now'::timestamp(0) \ ORDER BY pool_name, (username '%{User-Name}'), (callingstationid '%{Calling-Station-Id}'), expiry_time \ LIMIT 1 \ FOR UPDATE
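Review bot: in the radippool hunk, NASIPAddress and pool_key lose NOT NULL but get no DEFAULT, unlike CallingStationId and username, which carry DEFAULT ''::text. Rows inserted with only an address and a pool name will hold NULL in those two columns, and an equality comparison against them never matches NULL, so either add DEFAULT '' to both or say in a comment that NULL marks an unassigned address. The new expiry_time DEFAULT now() would also benefit from a one-line comment stating that a freshly added address gets an expiry equal to its insert time.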
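Review bot: the replacement in allocate-find drops the list qualifier ('%{Pool-Name}' instead of '%{reply:Pool-Name}') without saying which attribute list the pool name is now read from. The cover message says the documentation describes Pool-Name as a check attribute, so a short comment above the query naming the list would make the intent clear; and since only allocate-find is touched in this hunk, any other query in sqlippool.conf that still expands %{reply:Pool-Name} should get the same change in this patch.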
Re: add realm to user based on NAS-IP
Hello, Alexander!

You wrote on Sat, 31 Mar 2007 18:11:46 +0200:

AP> I wonder if it is possible to add a realm to a username based on the
AP> NAS-IP the request comes from.
AP> For instance:
AP> - user abc logs on router 10.0.0.1
AP> - router 10.0.0.1 asks a freeradius proxy for user abc
AP> - freeradius-proxy recognizes the ip and adds @realm to the username and
AP>   proxies the request to another freeradius-server based on realm-entry
AP>   in proxy.conf

I use the following method for adding a realm based on NAS-Identifier: user abc is transformed to [EMAIL PROTECTED]. This is done in hints:

    DEFAULT Suffix !~ @. Realm = %{NAS-Identifier:-unknown}

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]
Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4
Hello, Alan!

You wrote on Mon, 26 Mar 2007 10:50:17 +0100:

AD> I've committed a fix to -r branch_1_1. Please test it, to see if
AD> it works.

To get it I typed

    cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r branch_1_1 radiusd

Am I right? I had trouble running it:

=== Beginning of the citation ===
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1:54081, id=187, length=150
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = klepikov_av
        MS-CHAP-Challenge = 0x1d764e6c7150aff0fe12e7b36e4b2820
        MS-CHAP2-Response = 0x870014fadc301b947b74c9a4ff099e1b2cbc00 0023c02712972225b77413cb9a4c00fbac6634cfcacf857aec
        Calling-Station-Id = 10.1.1.3
        NAS-Identifier = up.ua
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
[Switching to Thread 0x806f000 (LWP 100086)]

Breakpoint 1, modcall (component=1, c=0x813b640, request=0x816f900) at modcall.c:236
236     myresult = sp->modinst->entry->module->methods[component](
(gdb) step

Program received signal SIGSEGV, Segmentation fault.
0x28349e28 in rad_mangle () from /usr/local/lib/rlm_preprocess-1.1.4.so
(gdb) bt
#0 0x28349e28 in rad_mangle () from /usr/local/lib/rlm_preprocess-1.1.4.so
#1 0x2834a22d in preprocess_authorize () from /usr/local/lib/rlm_preprocess-1.1.4.so
#2 0x08054be6 in modcall (component=1, c=0x813b640, request=0x816f900) at modcall.c:236
#3 0x080551f0 in call_one (component=-559038737, p=0x813b640, request=0x816f900, priority=0xbfbfccfc, result=0xbfbfcd00) at modcall.c:269
#4 0x08054e7e in modcall (component=1, c=0x813b680, request=0x816f900) at modcall.c:324
#5 0x0805405c in indexed_modcall (comp=1, idx=135723264, request=0x816f900) at modules.c:469
#6 0x0804d0c8 in rad_authenticate (request=0x816f900) at auth.c:602
#7 0x08056b71 in rad_respond (request=0x816f900, fun=0x804cfd8 <rad_authenticate>) at radiusd.c:1669
#8 0x08058299 in main (argc=2, argv=0xbfbfec94) at radiusd.c:1434
=== The end of the citation ===

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]
Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4
Hello, Eshun!

You wrote on Mon, 26 Mar 2007 14:50:52 + (GMT):

EB> $ cvs -d :pserver:[EMAIL PROTECTED]:/source login
EB> CVS password: anoncvs
EB> $ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r branch_1_1

Yes, I already did it, thank you!

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]
Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4
Hello, Alan!

You wrote on Mon, 26 Mar 2007 10:50:17 +0100:

AD> I've committed a fix to -r branch_1_1. Please test it, to see if
AD> it works.

Yes, freeradius works without crashes when the DB suddenly goes down and then comes up.

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]
Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4
Hello, Alan!

You wrote on Wed, 21 Mar 2007 12:57:46 +0100:

After Nicolas Baradakis's patch some things changed. Now I know that if the connection to the PostgreSQL DB becomes broken, libpq does not free pg_sock->conn, so PQfinish(pg_sock->conn) MUST be called.

AD> If pg_sock->conn is freed, that pointer MUST be set to NULL.

Yes, I understand that.

AD> No. sqlsocket->state is redundant. If the conn handle exists, it
AD> MUST be a valid connection handle. If it's not valid, it's NULL, and
AD> therefore the socket is disconnected.

Then each time sql_destroy_socket MUST be called after sql_close in database drivers, and especially in sql_init_socket when the DB connection can't be established. Of course, sqlsocket->state MUST be set then too, maybe in the sql_destroy_socket function. It concerns all SQL drivers.

>> In theory, sqlsocket->state can be equal to sockconnected when actually it is disconnected.

I made some additional tests. When the DB connection suddenly breaks, sqlsocket->state == sockconnected.

AD> That's a bug. It's wrong and MUST be fixed.

It seems to me it would be hard to do. The simplest way I see is to use, instead of sqlsocket->state, a function that is declared in the sql driver module. For PostgreSQL it may look like this:

    static int IsConnected(SQLSOCK *sqlsocket, SQL_CONFIG *config)
    {
        rlm_sql_postgres_sock *pg_sock;

        if (sqlsocket->conn != NULL) {
            pg_sock = sqlsocket->conn;
            /* ask libpq for the live status of the handle */
            if ((pg_sock->conn != NULL) &&
                (PQstatus(pg_sock->conn) == CONNECTION_OK)) {
                return -1;  /* non-zero: connected */
            } else {
                /* broken handle: release it before reporting "not connected" */
                sql_close(sqlsocket, config);
                sql_destroy_socket(sqlsocket, config);
                return 0;
            }
        } else
            return 0;
    }

It seems to me, it's almost impossible to write code which will allow sqlsocket->conn to provide accurate information about connection state. But again, I'm not a programmer.

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]
Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4
Hello, Alan!

You wrote on Tue, 20 Mar 2007 12:47:01 +0100:

AD> Alexander V. Klepikov wrote:
>> I applied the patch and it does not work. It seems to me, it's because
>> SQL socket may be unconnected and sqlsocket->conn != NULL,
AD> That sounds like a bug to me.

It seems to me I begin to understand what is going on in the module rlm_sql_postgresql, but it is very difficult for me to write my conclusions in English. I'm afraid this is not a bug. I looked in the sources, and I found that in module rlm_sql_postgresql all functions use the construction

    rlm_sql_postgres_sock *pg_sock = sqlsocket->conn;

Then all calls to libpq (the real PostgreSQL driver) deal with pg_sock->conn. Here is one of the best illustrations, function sql_init_socket:

=== Beginning of the citation ===
static int sql_init_socket(SQLSOCK *sqlsocket, SQL_CONFIG *config)
{
    char connstring[2048];
    char *port, *host;
    rlm_sql_postgres_sock *pg_sock;

    if (config->sql_server[0] != '\0') {
        host = " host=";
    } else {
        host = "";
    }

    if (config->sql_port[0] != '\0') {
        port = " port=";
    } else {
        port = "";
    }

    /* allocate the driver-level socket once and reuse it afterwards */
    if (!sqlsocket->conn) {
        sqlsocket->conn = (rlm_sql_postgres_sock *)rad_malloc(sizeof(rlm_sql_postgres_sock));
        if (!sqlsocket->conn) {
            return -1;
        }
    }

    pg_sock = sqlsocket->conn;
    memset(pg_sock, 0, sizeof(*pg_sock));

    snprintf(connstring, sizeof(connstring),
             "dbname=%s%s%s%s%s user=%s password=%s",
             config->sql_db, host, config->sql_server,
             port, config->sql_port,
             config->sql_login, config->sql_password);
    pg_sock->row=NULL;
    pg_sock->result=NULL;
    pg_sock->conn=PQconnectdb(connstring);

    if (PQstatus(pg_sock->conn) == CONNECTION_BAD) {
        radlog(L_ERR, "rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server [EMAIL PROTECTED]:%s", config->sql_login, co
        radlog(L_ERR, "rlm_sql_postgresql: Postgresql error '%s'", PQerrorMessage(pg_sock->conn));
        /* handle is released here, but pg_sock->conn keeps the old pointer value */
        PQfinish(pg_sock->conn);
        return SQL_DOWN;
    }

    return 0;
}
=== The end of the citation ===

You see, first sqlsocket->conn is initialized and all database parameters are set. Then a connection attempt is made: pg_sock->conn=PQconnectdb(connstring). If the connection to the DB fails, PQfinish(pg_sock->conn) is called, which frees pg_sock->conn - the need to do this is described in the libpq docs. So even in case of an unsuccessful connection we have a good database handle sqlsocket->conn, which should not be NULL.

When FreeRadius starts, sql_init_socketpool is called. It initializes all SQL sockets and attempts to connect to the database(s). I did not find any information about what is going on when the database or SQL server suddenly goes down, but it looks like pg_sock->conn is freed when the connection to the DB becomes broken. And pg_sock->conn != NULL. That's why libpq crashes when PQfinish(pg_sock->conn) in the sql_close function is called. As far as I understand, this is expected behavior.

According to this, I can make a conclusion that when the database handle is checked for connectivity (in the rlm_sql module), sqlsocket->state should be used. In theory, sqlsocket->state can be equal to sockconnected when actually it is disconnected. It seems to me, actually this can happen very rarely. Maybe the state of the connection should be checked before running every SQL query to minimize the risk of an operation on a disconnected DB, but I believe it's not necessary yet. Besides, it will require modifying all sql drivers.

I think there are a few places left in the rlm_sql module where sqlsocket->conn should be replaced with sqlsocket->state. I'm sure I can find and patch them.

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]
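The handle lifecycle described in this message (release on a failed connect, then a second release from sql_close) and the rule quoted in the follow-up above (a non-NULL handle must be a valid one), as an added example that is not part of the original posts or of the FreeRADIUS sources. It assumes hypothetical stand-ins so it builds without libpq: fake_conn, fake_connect and fake_finish model PGconn, PQconnectdb and PQfinish, and pg_sock plays the role of rlm_sql_postgres_sock.

```c
#include <stdio.h>
/* Stand-ins for libpq (hypothetical): fake_conn ~ PGconn, fake_finish ~ PQfinish. */
typedef struct { int live; int ok; } fake_conn;
static fake_conn pool[4];
static int stale_finish;   /* releases of an already released handle */
static fake_conn *fake_connect(int server_up) {
    for (int i = 0; i < 4; i++)
        if (!pool[i].live) { pool[i].live = 1; pool[i].ok = server_up; return &pool[i]; }
    return NULL;
}
static void fake_finish(fake_conn *c) {
    if (!c->live) { stale_finish++; return; }   /* with real libpq: undefined behaviour */
    c->live = 0;
}

typedef struct { fake_conn *conn; } pg_sock;    /* role of rlm_sql_postgres_sock */
/* Pattern from the quoted sql_init_socket: released on failure, pointer left set. */
static int init_unsafe(pg_sock *s, int up) {
    s->conn = fake_connect(up);
    if (!s->conn->ok) { fake_finish(s->conn); return -1; }
    return 0;
}
static void close_unsafe(pg_sock *s) { fake_finish(s->conn); }

/* Hardened: release and clear together, so non-NULL always means a live handle. */
static void close_safe(pg_sock *s) {
    if (s->conn) { fake_finish(s->conn); s->conn = NULL; }
}
static int init_safe(pg_sock *s, int up) {
    close_safe(s);
    s->conn = fake_connect(up);
    if (!s->conn || !s->conn->ok) { close_safe(s); return -1; }
    return 0;
}
/* Ask the handle (as PQstatus would) rather than trusting a cached state flag. */
static int is_connected(const pg_sock *s) { return s->conn && s->conn->ok; }
/* Failed connect, then the close issued on SQL_DOWN; returns stale release count. */
static int stale_releases(int hardened) {
    pg_sock s = {0};
    stale_finish = 0;
    if (hardened) { init_safe(&s, 0); close_safe(&s); close_safe(&s); }
    else          { init_unsafe(&s, 0); close_unsafe(&s); }
    return stale_finish;
}
int main(void) {
    pg_sock s = {0};
    printf("unsafe=%d hardened=%d connected=%d\n", stale_releases(0), stale_releases(1), is_connected(&s));
    return 0;
}
```

With the hardened pair no separate state flag is needed: a socket is connected exactly when its handle is non-NULL and the handle itself reports a good status.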
Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4
Hello, Nicolas!

You wrote on Wed, 21 Mar 2007 12:37:03 +0100:

NB> It seems to me this is the real cause of the problem: pg_sock->conn
NB> becomes an invalid pointer. The libpq manpage says the PGconn pointer
NB> should not be used after PQfinish has been called.
NB> Please try the following patch:

[Sorry, skipped]

Yes, it solves the problem. Thank you! Very simple solution! But according to Alan it looks like we have discovered a real problem...

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]
Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4
Hello, Alan!

You wrote on Mon, 19 Mar 2007 17:54:52 +0100:

AD> Hmm... it looks like similar patches were added in revision 1.72 of
AD> that file. I've double-checked the code, and found one more location.
AD> Please try the attached patch.

I applied the patch and it does not work. It seems to me, it's because the SQL socket may be unconnected and sqlsocket->conn != NULL, so I think it's better to check sqlsocket->state. Corrected patch is attached.

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]

patch-src-modules-rlm-sql-sql.c Description: Binary data
Re: Redundant SQL servers accounting problem, FreeRadius 1.1.4
Hello, Alexander!

You wrote to All on Fri, 16 Mar 2007 17:23:19 +0200:

AVK> It looks like accounting module cannot properly make a connection to SQL
AVK> server, but authorize module can. I found that with num_sql_socks = 2
AVK> FreeRadius works perfect, I made several tests stopping and starting my SQL

Well, I think I found why FreeRadius crashes. An unconnected SQL socket is passed to the sql_close function in module rlm_sql in function rlm_sql_query (src/modules/rlm_sql/sql.c line 499). Here is the patch:

=== Beginning of the citation ===
--- src/modules/rlm_sql/sql.c Fri Aug 26 03:37:47 2005 +++ src/modules/rlm_sql/sql.c Mon Mar 19 16:11:57 2007 @@ -496,6 +496,7 @@ if (ret == SQL_DOWN) { /* close the socket that failed */ + if (sqlsocket-state == sockconnected) (inst-module-sql_close)(sqlsocket, inst-config); /* reconnect the socket */
=== The end of the citation ===

My tests show that the problem is gone. I hope I patched the right piece of code :)

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]
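Review bot: the new guard in the SQL_DOWN branch trusts the state field, but nothing in the visible lines updates it after sql_close runs, so if the reconnect that follows fails, the flag can still read sockconnected on the next pass and sql_close is called again on a handle that was already released. Set the state to its not-connected value immediately after the close (or have the driver's sql_close clear the handle it released), and put braces around the if body so the guarded call cannot drift away from the condition.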
Redundant SQL servers accounting problem, FreeRadius 1.1.4
(to be exact, PGCluster 1.7.0rc5)

To reproduce this problem, set up FreeRadius as mentioned above, start the databases, start FreeRadius and then stop the first database listed in the redundant group.

With best regards, Alexander V. Klepikov. E-mail: [EMAIL PROTECTED]

PS Sorry for my bad English