Re: Cisco-AVpair accounting client-mac-address with unlang
Alan DeKok wrote:
> Joe Maimon wrote:
>> It does make the code a bit more hairy - I have been making a stab at this and it seems to be quite ugly.
>
> Hmm... much of this work could be relegated to the radius_do_cmp() function. It needs to do:
>
> a) return if condition matches
> b) continue if it doesn't match
>
> With some sanity checks to ensure that:
>
> (Foo != bar) is the same as !(Foo == bar)
>
> Alan DeKok.

Ok, I have a preliminary patch, targeted at a pre-2.1.8 code base (git stable 20090923):

480-evaluate-unlang-allvps.dpatch (attached and pushed to my out-of-date github fork/branch)

It is indeed fairly ugly. I have not as of yet determined whether to hang operational hat on it yet.

This patch aims to have the following as true:

(Foo != bar) == !(Foo == bar)
(Foo !~ bar) == !(Foo =~ bar)

Which is in line with the patch I currently use operationally:

200-cmp-operators-fix.dpatch (attached)

I do not believe that this behavior is present unpatched. I am undecided as to proper behavior for many of the other tests.

Thank you for all your help and feedback.

Joe

#! /bin/sh /usr/share/dpatch/dpatch-run ## 200-cmp-operators-fix.dpatch by j...@sv04 ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad radiusd~/src/main/valuepair.c radiusd/src/main/valuepair.c --- radiusd~/src/main/valuepair.c 2008-07-20 15:35:53.0 -0400 +++ radiusd/src/main/valuepair.c2008-07-20 15:36:07.0 -0400 @@ -155,10 +155,9 @@ compare = regexec(reg, value, REQUEST_MAX_REGEX + 1, rxmatch, 0); regfree(reg); - - if (compare != 0) return 0; - return -1; - + /* !~ only succeeds if NO matches are found in reply pair */ + if (compare == 0) return -1; + ret = -1; /*check the rest for no match */ } #endif
@@ -432,7 +431,12 @@ * Didn't find it. If we were *trying* * to not find it, then we succeeded. */ - if (check_item-operator == T_OP_CMP_FALSE) + if (check_item-operator == T_OP_CMP_FALSE || +#ifdef HAVE_REGEX_H + check_item-operator == T_OP_REG_NE || +#endif + check_item-operator == T_OP_NE + ) continue; else return -1; #! /bin/sh /usr/share/dpatch/dpatch-run ## 470-evaluate-unlang-allvps.dpatch by j...@jmdeb01 ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad freeradius-server~/src/main/evaluate.c freeradius-server/src/main/evaluate.c --- freeradius-server~/src/main/evaluate.c 2010-01-10 18:16:59.0 -0500 +++ freeradius-server/src/main/evaluate.c 2010-01-10 18:44:25.0 -0500 @@ -302,7 +302,8 @@ FR_TOKEN rt, const char *pright, int cflags, int modreturn) { - int result; + int attempts = 0; + int result = 0; int lint, rint; VALUE_PAIR *vp = NULL; #ifdef HAVE_REGEX_H @@ -336,6 +337,32 @@ if (radius_get_vp(request, pleft, vp)) { VALUE_PAIR myvp; +restart_cmp: + if (attempts) { + DICT_ATTR *da; + + switch (token) { +#ifdef HAVE_REGEX_H + case T_OP_REG_NE: +#endif + case T_OP_NE: + /* Testing stops at the first negative match */ + if (!result) + return TRUE; + break; + default: + /* For all other tests, testing stops at the first positive match */ + if (result) + return TRUE; + } + + /* pleft is trampled below, reinitialize it */ + pleft = vp-name; + da = dict_attrbyname(pleft); + if (da) + vp = pairfind(vp-next, da-attr); + } + /* * VP exists, and that's all we're looking for. */ @@ -344,6 +371,15 @@ return TRUE; } + /* +* VP exists and we were looking for non-existence
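Review bot: in the valuepair.c hunk at @@ -155,10 +155,9 @@, the `!~` no-match path now sets `ret = -1` and falls through instead of returning 0, while a regex match still returns -1 immediately, so this pair yields -1 whether it matched or not; if the code after `#endif` (not in the hunk) simply returns `ret`, the outcome "a pair matched, so !~ must fail" can no longer be told apart from "this pair did not match, try the next one". Return a distinct value for the matched case or record it in a flag the caller checks, and say in the comment where the remaining pairs are actually compared, since `/*check the rest for no match */` does not happen in this function. `ret` also has to be declared and initialised in this function, which the hunk does not show.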
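Review bot: the valuepair.c hunk at @@ -432,7 +431,12 @@ makes `!=` and `!~` succeed when the attribute is absent from the request, which is a behaviour change for every existing check item written as `Foo != bar` that relied on "absent means fail"; it is the intended (Foo != bar) == !(Foo == bar) semantics, but it needs to be stated in the `## DP:` description (currently `No description.`) so operators can audit their check items before upgrading. The `#ifdef HAVE_REGEX_H` around only `check_item->operator == T_OP_REG_NE ||` leaves a well-formed condition in both builds, so that part is fine as written.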
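Review bot: in the evaluate.c hunk at @@ -336,6 +337,32 @@, `vp = pairfind(vp->next, da->attr)` returns NULL once the last same-named pair has been tested, but nothing in the visible lines handles that before execution continues into the existing "VP exists" code, so the list-exhausted result is never returned and a NULL `vp` may be dereferenced; add a `if (!vp) return result;` (or the operator-appropriate TRUE/FALSE) immediately after the `pairfind()`. The polarity of the early exits also needs checking against what `result` holds: if `result` is TRUE when the previous pair satisfied `!=`, then `if (!result) return TRUE;` reports success on the first pair that was equal, which is the opposite of the stated goal, so a test with two Cisco-AVPair values, one equal to the right-hand side, should be run for each of the four operators. Whatever increments `attempts` and jumps back to `restart_cmp:` is not in the visible hunks, and the third hunk (@@ -344,6 +371,15 @@) is cut off mid-comment in this post, so that part cannot be reviewed here.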
Re: Cisco-AVpair accounting client-mac-address with unlang
According to what I see turning on cisco vsa hack can overwrite any existing attributes that happen to match the value in the avpair and also seems to possibly delete information from the avpair -- it's not clear to me exactly what it does.

In any event, I just need to solve this little problem and all will be well.

Thanks,

Joe

Bryan Campbell wrote:
> See the following link and the associated reference posts. What you need is already built-in. It takes two steps (5 minutes) to get access to the attributes. The only question then is how you will format your SQL statements to write the attributes out to the database (another 5 minutes).
>
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-December/msg00367.html
>
> bbc
>
> Alan DeKok wrote:
>> Joe Maimon wrote:
>>> I have searched. I am unsatisfied with the results. The cisco_vsa_hack may have unintended consequences.
>>
>> Like... ?
>>
>>> unlang should properly loop over the vp list, like other paircompares do.
>>
>> I would prefer that behavior to be *explicit* rather than *implicit*.
>>
>>> I have patched this kind of oversight before elsewhere, not sure if that's the right approach here.
>>
>> Maybe something like:
>>
>> if (*Cisco-AVpair =~ /^client-mac-address=(.+)$/) {
>>
>> i.e. * means any one matches
>>
>> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco-AVpair accounting client-mac-address with unlang
Hi Alan,

I could use vsa hack. But it is a hack and its impact is a bit larger than the actual functionality I want. I just want to leave everything else unchanged but to have the mac address represented as calling-station-id, which for anything ethernet and not POTS related, it is.

unlang or other directed processing is the proper solution in my view, and it is working. It is just that I must predict which avpair to operate on which is troubling. In a start message, it's the second one. In interim-update, it's the fourth. For my purposes, only the Start one is of value, but having to know the order of attributes seems to be a bit flimsy. It's problematic enough that a NAS can behave badly when sending them attributes in the wrong order.

(cisco-avpair = lcp:interface-config=) (And how does the vsa_hack deal with this form of the avpair?)

It is quite normal to have multiple attributes of the same name in a vp list. Matching against them all seems to be the normal behavior. pairmove() and pairxlatmove() do this. rlm_policy does this. unlang does not seem to do this.

It does make the code a bit more hairy - I have been making a stab at this and it seems to be quite ugly.

Your idea to make it explicit is interesting, but does not seem to be in line with previous behavior, plus as it is pointed out, it is probably what is wanted more often than not. Perhaps it could be made explicit to just check the Nth match, but that's exactly what the array operators do already. Perhaps an array symbol of [*] for all. Or an [#] for the number of attributes and/or a way to loop through them.

Thanks,

Joe

Alan DeKok wrote:
> Joe Maimon wrote:
>> According to what I see turning on cisco vsa hack can overwrite any existing attributes that happen to match the value in the avpair
>
> The Cisco boxes don't send:
>
> Cisco-AVPair = foo = bar
> foo = bar
>
> *both* in the same packet.
>
>> and also seems to possibly delete information from the avpair -- it's not clear to me exactly what it does.
>
> It's pretty simple. See my previous message.
>
> Yes... it deletes data from the avpair. That's what it's *supposed* to do. Do you really want tons of attributes like:
>
> foo-bar-baz = foo-bar-baz = value
>
> or would it be saner to have:
>
> foo-bar-baz = value
>
> ? The NAS sends the first form, (Or Cisco-AV-Pair = foo-bar-baz = value), and we re-write it into a form that isn't retarded.
>
> Alan DeKok.
Re: Cisco-AVpair accounting client-mac-address with unlang
Alan DeKok wrote:
> Joe Maimon wrote:
>> I could use vsa hack. But it is a hack and its impact is a bit larger than the actual functionality I want. I just want to leave everything else unchanged but to have the mac address represented as calling-station-id, which for anything ethernet and not POTS related, it is.
>
> That's a pretty specific need. I suggest Perl for complex programming.

I wanna use unlang! (I could also be convinced to use rlm_policy)

> Hmm... much of this work could be relegated to the radius_do_cmp() function. It needs to do:
>
> a) return if condition matches
> b) continue if it doesn't match

That's where I have been poking at it.

> With some sanity checks to ensure that:
>
> (Foo != bar) is the same as !(Foo == bar)
>
> Alan DeKok.

Didn't think of that yet. I am certain there are other complications.

I know you can do this better than I can, but I will probably keep trying.

Joe
cisco_vsa_hack
Does turning on the hack do anything to the attributes other than adding the value to matching defined attributes?

From the code:

    if ((vp->attribute & 0xffff) == 1) {
        const char *p;
        DICT_ATTR *dattr;

        p = vp->vp_strvalue;
        gettoken(&p, newattr, sizeof(newattr));

        if (((dattr = dict_attrbyname(newattr)) != NULL) &&
            (dattr->type == PW_TYPE_STRING)) {
            VALUE_PAIR *newvp;

            /*
             * Make a new attribute.
             */
            newvp = pairmake(newattr, ptr + 1, T_OP_EQ);
            if (newvp) {
                pairadd(&vp, newvp);
            }
        }
    } else {    /* h322-foo-bar = h323-foo-bar = baz */
        /*
         * We strip out the duplicity from the
         * value field, we use only the value on
         * the right side of the '=' character.
         */
        strlcpy(newattr, ptr + 1, sizeof(newattr));
        strlcpy((char *)vp->vp_strvalue, newattr, sizeof(vp->vp_strvalue));
        vp->length = strlen((char *)vp->vp_strvalue);
    }
Cisco-AVpair accounting client-mac-address with unlang
I have this in preacct, and it works.

    if ("%{Cisco-AVpair[3]}" =~ /^client-mac-address=(.+)$/) {
        if (!Calling-Station-Id) {
            update request {
                Calling-Station-Id := "%{1}"
            }
        }
    }

However this is ugly. I don't want to have to know which Cisco-AVpair it is, it should work whichever the order or number there is. It does not seem to work any other way.

I know other directions to head include cisco_vsa_hack or the rlm_policy and others.

I would appreciate any tips.

Thanks,

Joe
Re: Cisco-AVpair accounting client-mac-address with unlang
I have searched. I am unsatisfied with the results. The cisco_vsa_hack may have unintended consequences.

unlang should properly loop over the vp list, like other paircompares do.

I have patched this kind of oversight before elsewhere, not sure if that's the right approach here.

Bryan Campbell wrote:
> Been there, done that . . . search the mailing list archives from last month for this topic. The hack turns the av-pair strings into attributes (if you add them to the dictionary). Then you just have to adjust your SQL to address them for writing to the database.
>
> Again . . . search the mailing list archives. This has been done before by at least a dozen people.
>
> bbc
>
> Joe Maimon wrote:
>> I have this in preacct, and it works.
>>
>> if ("%{Cisco-AVpair[3]}" =~ /^client-mac-address=(.+)$/) {
>>     if (!Calling-Station-Id) {
>>         update request {
>>             Calling-Station-Id := "%{1}"
>>         }
>>     }
>> }
>>
>> However this is ugly. I don't want to have to know which Cisco-AVpair it is, it should work whichever the order or number there is. It does not seem to work any other way.
>>
>> I know other directions to head include cisco_vsa_hack or the rlm_policy and others.
>>
>> I would appreciate any tips.
>>
>> Thanks,
>>
>> Joe
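The thread above turns on how a condition behaves when a request carries several attributes with the same name. The Python below is an added example, not code from the list or from FreeRADIUS: it models a request as a list of (name, value) pairs, evaluates a check against the first same-named pair only (the behaviour Joe observes in unlang) and against every pair (the behaviour the patches in this thread aim for, where `!=` and `!~` are true only when no pair matches and an absent attribute satisfies them), and pulls client-mac-address out of whichever Cisco-AVPair carries it. The sample packet, its attribute values and the function names are constructed for this example.

```python
import re

# Constructed sample accounting Start: several Cisco-AVPair values in the
# order a NAS might send them (names and values made up for this example).
REQUEST = [
    ("User-Name", "joe"),
    ("Acct-Status-Type", "Start"),
    ("Cisco-AVPair", "lcp:interface-config=ip unnumbered Loopback0"),
    ("Cisco-AVPair", "client-mac-address=0011.2233.4455"),
    ("Cisco-AVPair", "connect-progress=Call Up"),
]


def values(vps, name):
    """All values of the pairs named `name`, in packet order."""
    return [v for n, v in vps if n == name]


def _pair_matches(op, value, rhs):
    """Positive form of the operator for one pair: value == rhs or value =~ rhs."""
    if op in ("==", "!="):
        return value == rhs
    if op in ("=~", "!~"):
        return re.search(rhs, value) is not None
    raise ValueError("unsupported operator %r" % op)


def check_first(vps, name, op, rhs):
    """First same-named pair only: the behaviour the thread says unlang has.

    A later Cisco-AVPair never counts.  A missing attribute is treated as a
    failed condition (an assumption made for this model).
    """
    vals = values(vps, name)
    if not vals:
        return False
    matched = _pair_matches(op, vals[0], rhs)
    return matched if op in ("==", "=~") else not matched


def check_all(vps, name, op, rhs):
    """Every same-named pair: the semantics the patches aim for.

    ==, =~  true if ANY pair matches.
    !=, !~  true only if NO pair matches, so (A != x) == not (A == x);
            an absent attribute therefore satisfies != and !~, which is the
            "didn't find it, and we were trying not to" case in the patch.
    """
    matched = [_pair_matches(op, v, rhs) for v in values(vps, name)]
    return any(matched) if op in ("==", "=~") else not any(matched)


MAC_RE = re.compile(r"^client-mac-address=(.+)$")


def client_mac(vps):
    """The MAC from whichever Cisco-AVPair carries it, or None."""
    for v in values(vps, "Cisco-AVPair"):
        m = MAC_RE.match(v)
        if m:
            return m.group(1)
    return None


def fill_calling_station_id(vps):
    """Joe's preacct policy without the [3] index: add Calling-Station-Id
    from the MAC only when the request does not already carry one."""
    mac = client_mac(vps)
    if values(vps, "Calling-Station-Id") or mac is None:
        return list(vps)
    return list(vps) + [("Calling-Station-Id", mac)]


if __name__ == "__main__":
    rhs = "connect-progress=Call Up"
    print("first pair only, !=:", check_first(REQUEST, "Cisco-AVPair", "!=", rhs))  # True
    print("all pairs,       !=:", check_all(REQUEST, "Cisco-AVPair", "!=", rhs))    # False
    print("Calling-Station-Id ->", client_mac(REQUEST))
```

The `!=` case is the one worth keeping in mind when a policy decision hangs on a multi-valued attribute: evaluated against the first pair only, `Cisco-AVPair != "connect-progress=Call Up"` is true even though the third pair is exactly that value, so a deny written with `!=` silently passes. The all-pairs rule is the one under which `!=` is the negation of `==`.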
Re: misbehaving nas's send accounting to both primary and secondary servers
Ivan Kalik wrote:
>> What is the best way to deal with misbehaving nas's that send accounting to both the primary and secondary server, even while receiving replies to both queries.
>
> First make sure that this is so. Debug accounting on the NAS. NAS should send several packets to first radius server before it fails over to second one. If debug does show NAS is getting replies from the first server see why are they ignored. It could be that you have configured radius server on the NAS with one IP address and server is replying from another (if it is multihomed). Such replies would be ignored.
>
> Ivan Kalik
> Kalik Informatika ISP

Packet captures show everything fine.

The nas is no longer supported by any manufacturer I can find. The documentation refers to a setting that can be used to tell the nas to use both accounting server groups or one, but that setting doesn't exist on this nas, perhaps software revision or something.
Re: misbehaving nas's send accounting to both primary and secondary servers
Alan DeKok wrote:
> Joe Maimon wrote:
>> What is the best way to deal with misbehaving nas's that send accounting to both the primary and secondary server, even while receiving replies to both queries.
>
> Throw it away, and buy a real NAS.

The customer uses this nas for a product that is in its end of life. It has been in place for quite some time. Previously, this feature was unwittingly used to have accounting sent to two different unrelated systems, where it was needed on both. So long as it works, there will be no more capital investments, which have been investigated to an extent.

> I guess I should learn to *not* be shocked by how bad the NAS equipment is.

The nas has a concept of server groups, primary and secondary. Each group can be configured with up to three ip address destination/ports/secrets. However, failover when using just one group seems to be problematic. On the other hand, with both server groups enabled, duplicate accounting.

>> This results in multiple accounting records in sql, with duplicate acctsessionid and acctuniqueid values.
>
> The NAS sends *different* Acct-Session-Id values for the same session?

No, those values are identical. Two rows in mysql are created with those identical values.

> It's definitely a piece of garbage. What the heck would it do if it failed over from one RADIUS server to another? Change the session Id?

I think it could use a software update. Unfortunately, I can't find anywhere anyone offering official support, product line was sold, discontinued, it is EOL, something.

>> Assuming the NAS cannot be properly configured, either for technical or other reasons, these are the potential options.
>>
>> - configure only one of the primary or secondary on the NAS
>
> That MIGHT work. See above.

It would work fine, and since this setup uses anycast (sticky) not lose all that much in the way of redundancy. It's more or less how it is setup now - but I don't like it.

The device is a 3com hiper arc, used for analog modem dialup.

>> - get the server to recognize the existing record and update it instead of inserting a new one
>
> What are the contents of the accounting packets? How could you use those contents to determine that two packets were about the same session?

No, each server gets ONE start packet.

> i.e. post some packet contents here. Odds are that you can look at NAS-IP-Address, NAS-Port, and maybe User-Name. If those all match, odds are it's for the same session, even if Acct-Session-Id is different.

They are the same.

>> Now there is account_start_query_alt, but that appears to only be called if the account_start_query fails. With the default mysql schema, I don't think there is anything to cause that query to ever fail.
>>
>> Tips and advice are greatly appreciated.
>
> Tell the NAS vendor that their product is horrible. Get THEM to fix the problem. Having all of their customers deploy work-arounds just encourages idiots.
>
> If all of their customers called, complained, and threatened to return the equipment, you can bet it would get fixed in a hurry.
>
> Al
an DeKok.

I agree with you but that time has passed, at least for this equipment.

I suppose my question is when and how is the account_start_query_alt used, and can I use that to prevent duplicate accounting rows in sql?
Re: misbehaving nas's send accounting to both primary and secondary servers
Ivan Kalik wrote:
> Break it then. Make AcctUniqueId unique:
>
> ALTER TABLE `radacct` ADD UNIQUE (`AcctUniqueId`)
>
> That should disable duplicated INSERT.
>
> Ivan Kalik
> Kalik Informatika ISP

That is what I was considering. Thanks.
misbehaving nas's send accounting to both primary and secondary servers
What is the best way to deal with misbehaving nas's that send accounting to both the primary and secondary server, even while receiving replies to both queries.

This results in multiple accounting records in sql, with duplicate acctsessionid and acctuniqueid values.

Assuming the NAS cannot be properly configured, either for technical or other reasons, these are the potential options.

- configure only one of the primary or secondary on the NAS
- get the server to recognize the existing record and update it instead of inserting a new one

Now there is account_start_query_alt, but that appears to only be called if the account_start_query fails. With the default mysql schema, I don't think there is anything to cause that query to ever fail.

Tips and advice are greatly appreciated.

Thanks,

Joe
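As an added example (not from the thread or from rlm_sql), the sqlite3 script below models the two outcomes discussed in this thread: the default schema, where both servers' INSERTs succeed and two rows appear, and the same table with a UNIQUE constraint on AcctUniqueId, where the second INSERT fails and an alternate UPDATE query runs instead, following Joe's description that the _alt query is only called when the first query fails. The table, its column subset, the session ids and both query strings are constructed for the example; sqlite stands in for MySQL, so the DDL syntax differs from raddb/sql/mysql.

```python
import sqlite3

# Stand-in for the radacct table with only the columns this example needs
# (sqlite syntax; the real schema lives in raddb/sql/mysql/schema.sql).
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId      INTEGER PRIMARY KEY AUTOINCREMENT,
    AcctSessionId  TEXT NOT NULL,
    AcctUniqueId   TEXT NOT NULL,
    UserName       TEXT,
    NASIPAddress   TEXT,
    AcctStartTime  TEXT,
    AcctStopTime   TEXT
);
"""

# Ivan's fix, in sqlite form (MySQL: ALTER TABLE radacct ADD UNIQUE (AcctUniqueId)).
UNIQUE_INDEX = "CREATE UNIQUE INDEX radacct_acctuniqueid ON radacct (AcctUniqueId)"

# Constructed accounting_start_query, and an alternate that updates the row
# already present instead of inserting a second one.
START_QUERY = """
INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, NASIPAddress, AcctStartTime)
VALUES (:AcctSessionId, :AcctUniqueId, :UserName, :NASIPAddress, :AcctStartTime)
"""
START_QUERY_ALT = """
UPDATE radacct SET AcctStartTime = :AcctStartTime, NASIPAddress = :NASIPAddress
WHERE AcctUniqueId = :AcctUniqueId
"""

# The same Start packet as both servers receive it: identical ids, as Joe reports.
START = {
    "AcctSessionId": "0000ABCD",
    "AcctUniqueId": "1f2e3d4c5b6a7980",
    "UserName": "joe",
    "NASIPAddress": "192.0.2.10",
    "AcctStartTime": "2010-01-10 18:00:00",
}


def new_db(unique_acctuniqueid):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    if unique_acctuniqueid:
        db.execute(UNIQUE_INDEX)
    return db


def account_start(db, pkt):
    """Start handling as described in the thread: run the start query and,
    only if it fails, the _alt query.  Returns which query wrote the row."""
    try:
        db.execute(START_QUERY, pkt)
        return "insert"
    except sqlite3.IntegrityError:
        # Without the UNIQUE index the INSERT never fails, so this never runs.
        db.execute(START_QUERY_ALT, pkt)
        return "alt"


def rows_for(db, unique_id):
    return db.execute("SELECT COUNT(*) FROM radacct WHERE AcctUniqueId = ?",
                      (unique_id,)).fetchone()[0]


def simulate(unique_acctuniqueid):
    """Primary and secondary server each insert the same Start packet.
    Returns (first outcome, second outcome, rows stored for the session)."""
    db = new_db(unique_acctuniqueid)
    first = account_start(db, START)
    second = account_start(db, START)
    return first, second, rows_for(db, START["AcctUniqueId"])


if __name__ == "__main__":
    print("default schema:", simulate(False))  # ('insert', 'insert', 2)
    print("unique index:  ", simulate(True))   # ('insert', 'alt', 1)
```

The constraint does the de-duplication only because AcctUniqueId is identical for both copies, which holds here because the acct_unique module derives it from the packet's own attributes and both servers see the same packet. The flip side is that any two genuinely different sessions whose key attributes collide would be merged into one row, so the attributes feeding acct_unique should include the NAS address and Acct-Session-Id rather than be trimmed down.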
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> Here is what I am doing with rlm_policy
>
> You had control above. Why request here?
>
>> These are all the patches I am currently carrying.
>
> OK... my $0.02 is put them in github. Fork the stable branch, apply your patches, and send me a link to the github repository. That makes it easier for me to see apply the patches.
>
> Alan DeKok.

And that is what I have done.

git://github.com/jmaimon/freeradius-server.git
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> Would that be this freeradius internal attribute?
>>
>> Home-Server-Pool
>
> It's used to proxy requests to a home server pool, without involving realms.
>
> Alan DeKok.

It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.

Server is built from git-stable-20090923

Also, I haven't been able to figure out how to get unlang to do the job here. Server won't even start with my attempt.

    Expected comparison at: =*
    /etc/freeradius/sites-enabled/copy-acct-to-noc03-8e6[9]: Errors parsing preacct section

Currently I am using the rlm_policy language.

I would appreciate any suggestions, tips and advice.

Thank you for all your help.

Joe

Here is my semi-finished product:

radiusd.conf:
=============

    detail detail-copy-noc03-8e6 {
        detailfile = ${radacctdir}/detail-reader/noc03-8e6.log
        detailperm = 0600
        header = %t
    }

    policy policy-copy-acct-to-noc03-8e6 {
        filename = ${confdir}/policy-copy-acct-to-noc03-8e6.txt
    }

proxy.conf:
===========

    home_server noc03-8e6 {
        type = acct
        ipaddr = xx.yy.53.10
        secret = test
        src_ipaddr = ${local_address}
        port = 1646
    }

    home_server_pool pool-noc03-8e6 {
        home_server = noc03-8e6
    }

    realm noc03-8e6.realms {
        acct_pool = pool-noc03-8e6
    }

sites-available/default:
========================

    #Add this line to the accounting section
    detail-copy-noc03-8e6

sites-available/copy-acct-to-noc03-8e6:
=======================================

    server copy-acct-to-no03-8e6 {
        listen {
            type = detail
            filename = ${radacctdir}/detail-reader/noc03-8e6.log
            load_factory = 10
        }

        preacct {
            # doesn't work, server won't start.
            # if (request:Class =* ) {
            #     if (request:Client-Short-Name == noc03rt07) {
            #         update control {
            #             Home-Server-Pool := pool-noc03-8e6
            #         }
            #     }
            # }
            policy-copy-acct-to-noc03-8e6
            preprocess
        }

        accounting {
            ok
        }

        pre-proxy {
        }

        post-proxy {
        }
    }

policy-copy-acct-to-noc03-8e6.txt:
==================================

    policy set-acct-home-server {
        if (request:Class =* ) {
            if (request:Client-Short-Name == noc03rt07) {
                control .= {
                    #Home-Server-Pool doesn't seem to do anything even post 2.1.7
                    Home-Server-Pool := pool-noc03-8e6
                    Proxy-To-Realm := noc03-8e6.realms
                }
            }
        }
    }

    policy preacct {
        set-acct-home-server()
    }
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.
>
> Hmm... what does that mean? If you put the update section inside of an if statement that never matches... it won't work.

The if matches just fine and updates with rlm_policy, but I couldn't get something reasonable in unlang to parse successfully. I would appreciate some tips.

> The Home-Server-Pool code *should* work in 2.1.7. I can double-check it tomorrow.

Thanks.

>> Also, I haven't been able to figure out how to get unlang to do the job here. Server won't even start with my attempt.
>>
>> Expected comparison at: =*
>> /etc/freeradius/sites-enabled/copy-acct-to-noc03-8e6[9]: Errors parsing preacct section
>
> See man unlang. The '=*' operator isn't supported.

So I should try regex =~ .* ? That didn't work either.

>> Currently I am using the rlm_policy language.
>
> Which isn't unlang. Those policies need to (a) be in separate files, and (b) follow the format outlined in raddb/policy.txt

They are, they work. My point was that I was hoping to find a way to use unlang. However, to use it like I use policy, seems like it might need some patches. As I am currently carrying patches for rlm_policy, the question is whether it is worthwhile to switch focus to unlang.

> Alan DeKok.
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.
>
> Hmm... what does that mean? If you put the update section inside of an if statement that never matches... it won't work.
>
> The Home-Server-Pool code *should* work in 2.1.7. I can double-check it tomorrow.

src/main/acct.c needed a patch to handle PW_HOME_SERVER_POOL similar to PW_PROXY_TO_REALM

Seems like it is working, but I am still testing.

My patch duplicates the LOCAL functionality, but is that purposeless?

#! /bin/sh /usr/share/dpatch/dpatch-run ## 440-proxy-home-server-pool.dpatch by j...@debian09 ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad freeradius-server~/src/main/acct.c freeradius-server/src/main/acct.c --- freeradius-server~/src/main/acct.c 2009-09-24 16:38:44.0 -0400 +++ freeradius-server/src/main/acct.c 2009-09-24 16:38:47.0 -0400 @@ -122,6 +122,29 @@ * Maybe one of the preacct modules has decided * that a proxy should be used. */ + + if ((vp = pairfind(request-config_items, PW_HOME_SERVER_POOL))) { + home_pool_t *home_pool; + + /* +* Check whether Home-Server-Pool is +* a LOCAL pool. +*/ + home_pool = home_pool_byname(vp-vp_strvalue, HOME_TYPE_ACCT); + if (home_pool !home_pool-servers) { + DEBUG(rad_accounting: Cancelling proxy to home_pool %s, as it is a LOCAL home pool., + home_pool-name); + pairdelete(request-config_items, PW_HOME_SERVER_POOL); + } else { + /* +* Don't reply to the NAS now because +* we have to send the proxied packet +* before that. +*/ + return result; + } + } + if ((vp = pairfind(request-config_items, PW_PROXY_TO_REALM))) { REALM *realm; diff -urNad freeradius-server~/src/main/realms.c freeradius-server/src/main/realms.c --- freeradius-server~/src/main/realms.c2009-09-24 16:38:44.0 -0400 +++ freeradius-server/src/main/realms.c 2009-09-24 16:39:31.0 -0400
@@ -932,7 +932,8 @@ } } - if (num_home_servers == 0) { + /* LOCAL pools have no servers */ + if (num_home_servers == 0 strcmp(name2, LOCAL)) { cf_log_err(cf_sectiontoitem(cs), No home servers defined in pool %s, name2); @@ -1468,6 +1469,11 @@ mypool.name = name; mypool.server_type = server_type; + if (strcmp(name, LOCAL) == 0) { + cf_log_err(cf_sectiontoitem(cs), \%s\ pool cannot be used with realms, name); + return 0; + } + pool = rbtree_finddata(home_pools_byname, mypool); if (!pool) { CONF_SECTION *pool_cs; @@ -1728,10 +1734,15 @@ static int pool_peek_type(CONF_SECTION *config, CONF_SECTION *cs) { int home; - const char *name, *type; + const char *name, *name2, *type; CONF_PAIR *cp; CONF_SECTION *server_cs; + name2 = cf_section_name2(cs); + if (name2 strcmp(name2, LOCAL) == 0) { + /* LOCAL Home server pool has no home_server */ + return HOME_TYPE_AUTH; + } cp = cf_pair_find(cs, home_server); if (!cp) { cf_log_err(cf_sectiontoitem(cs), Pool does not contain a \home_server\ entry); - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
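Review bot: in the acct.c hunk (@@ -122,6 +122,29 @@), `home_pool_byname()` returning NULL, because Home-Server-Pool names a pool that does not exist or exists only under another type, falls into the `else` branch and returns `result` as though the request were about to be proxied, with the bad pool name still in `config_items`; add an explicit `if (!home_pool)` branch that logs the name and `pairdelete()`s it, as the `PW_PROXY_TO_REALM` block below presumably does when `realm` is not found. Note also that the lookup passes `HOME_TYPE_ACCT` while the realms.c part of the same patch types a LOCAL pool as `HOME_TYPE_AUTH`; unless the pool tree ignores the type, the LOCAL pool is never found from accounting and the `!home_pool->servers` branch this hunk exists for never runs.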
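Review bot: the `pool_peek_type()` hunk (@@ -1728,10 +1734,15 @@) hard-codes `HOME_TYPE_AUTH` for a pool named LOCAL, yet accounting is the only place this patch uses such a pool, so the pool should be typed for the section it is actually referenced from (or LOCAL made type-agnostic). LOCAL is now a magic name compared with `strcmp(name2, "LOCAL")` in three hunks (@@ -932, @@ -1468 and here) without a single `#define` or a line of documentation, and the `## DP:` description still reads `No description.`; give the constant one name and describe in the patch header what a LOCAL pool means for accounting and why a realm may not reference it.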
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> The if matches just fine and updates with rlm_policy, but I couldn't get something reasonable in unlang to parse successfully. I would appreciate some tips.

Here is what I am doing with rlm_policy

    if (request:Class =* ) {
        if (request:Client-Short-Name == noc03rt07) {
            control .= {
                Home-Server-Pool := pool-noc03-8e6
            }
        }
    }

Here is how I tried doing it with unlang

    if (request:Class =* ) {
        if (request:Client-Short-Name == noc03rt07) {
            update request {
                Home-Server-Pool := pool-noc03-8e6
            }
        }
    }

I also tried this

    if (request:Class =~ .* ) {
        if (request:Client-Short-Name == noc03rt07) {
            update request {
                Home-Server-Pool := pool-noc03-8e6
            }
        }
    }

>> As I am currently carrying patches for rlm_policy, the question is whether it is worthwhile to switch focus to unlang.
>
> IIRC, most of the patches you had for the policy module went into source control. What's left?

You got the big one.

These are all the patches I am currently carrying.

    020-client-short-name.dpatch
    030-substar_regex.patch
    080-keep-local-av-proxy.dpatch
    130-rlm-policy-fix.dpatch
    140-rlm-policy-subops.dpatch
    200-cmp-operators-fix.dpatch
    230-fix-policy-null-myvp.dpatch
    245-policy-xlat.dpatch
    310-rlm_exec-nullchecks.dpatch
    380-rlm_policy-evaluate-seg
    400-rlm_policy-parse-assert
    430-rlm_policy-missing-policy-ok
    440-proxy-home-server-pool

Some are hacks, most are old and you have probably seen them before. About the only thing I can say with confidence, is worksforme.

I suppose I should use bugzilla to post them even if the attached tarball comes through.

> Alan DeKok.

Attachment: jm-freeradius-2.1.8-git-20090923.tar.gz
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> Here is what I am doing with rlm_policy
>>
>> if (request:Class =* ) {
>
> And what does that mean? I haven't looked at the policy code in years...

And it still works nicely. If Class exists in the request.

> See man unlang the CONDITIONS section for how conditions work. If you're just looking to see if Class exists, do:
>
> if (Class) {
>
> It's that easy.

And it works. Thanks.

>> if (request:Client-Short-Name == noc03rt07) {
>>     update request {
>
> You had control above. Why request here?

Troubleshooting permutations.

>> These are all the patches I am currently carrying.
>
> OK... my $0.02 is put them in github. Fork the stable branch, apply your patches, and send me a link to the github repository. That makes it easier for me to see apply the patches.
>
> Alan DeKok.

Soon as I figure it out.
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Right now, yes. In 2.1.7, you probably won't have to. You can give the realms any name you want.
>
> Alan DeKok.

Would that be this freeradius internal attribute?

Home-Server-Pool
Re: Pre-release of 2.1.7
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> ...
>> gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/
>> .libs/modules.o: In function `setup_modules':
>> /usr/local/src/freeradius-server-2.1.7/src/main/modules.c:1259: undefined reference to `lt__PROGRAM__LTX_preloaded_symbols'
>>
>> Did I mention I hate libltdl?
>
> Which version of libltdl is the compile line using? It's cut off, so I can't see it.
>
> My recent investigations lead me to believe that this error occurs when the *compile* uses the local libltdl, and the *link* stage uses the installed system libltdl.
>
> Alan DeKok.

The last time I had a problem with libltdl, I had to execute a make manually in the source tree libltdl directory. After that everything worked, including rebuilds.
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> Certain systems need copies of accounting data, but I only want to send a subset of accounting to the appropriate system. I don't want to change the way the server updates the sql accounting and local detail files.
>
> If you need *multiple* copies, then the detail write/reader is the way to go. I would suggest writing one detail log per destination. Then, when the detail file is read, do the filtering *there*. That ensures that the filtering for one destination doesn't affect the filtering for another destination.

So I write all accounting coming into the server duplicated into multiple detail files, one per potential destination.

Then I have a reader which while reading filters only what I want to send to the destination. I have multiple readers.

I think I get it, I would use acct_users and Reject what I don't want? Wouldn't I need a customized files to use a different acct_users per destination?

Is there any way to do this without buffering all accounting to disk and then filtering all accounting multiple times?

> Alan DeKok.
Re: Accounting copying to specific systems
Alan DeKok wrote:
> Joe Maimon wrote:
>> Certain systems need copies of accounting data, but I only want to send a subset of accounting to the appropriate system. I don't want to change the way the server updates the sql accounting and local detail files.
>
> If you need *multiple* copies, then the detail write/reader is the way to go. I would suggest writing one detail log per destination. Then, when the detail file is read, do the filtering *there*. That ensures that the filtering for one destination doesn't affect the filtering for another destination.
>
> Alan DeKok.

Apparently I don't get it yet. Forgive me for being slow.

So I define multiple home servers as the potential destinations for the copied accounting in proxy.conf

How do I specify where to send the accounting in the detail-reader? Either of these?

    ATTRIBUTE Proxy-To-Realm 1048 string
    ATTRIBUTE Replicate-To-Realm 1049 string

I wasn't planning to create a realm, do I need to?

Thank you very much.

Joe
Accounting copying to specific systems
Certain systems need copies of accounting data, but I only want to send a subset of accounting to the appropriate system. I don't want to change the way the server updates the sql accounting and local detail files.

I want something like this

acct.hints

    DEFAULT Client-IP-Address == 1.2.3.4, Hint := FILTER-1
    DEFAULT Client-IP-Address == 1.2.3.5, Hint := FILTER-1
    DEFAULT Client-IP-Address == 5.6.7.8, Hint := FILTER-2
    DEFAULT Client-IP-Address == 5.6.7.9, Hint := FILTER-2

acct.users

    DEFAULT Hint == FILTER-1, Copy-To := filter-1-system
    DEFAULT Hint == FILTER-2, Copy-To := filter-2-system

Where both filter-1-system and filter-2-system are defined in proxy.conf and obviously Copy-To is wishful thinking.

Am I headed in the right direction or is there a better way to do this?

Thanks,

Joe
Re: Another Installation Problem
kbajwa wrote:
> Dennis: I have already done that. The first link is 'download', which takes to the download site. The first link is 'download', and when I CLICK on it, I get to the 'download' page. The first file to download is:
> # 2006.08.22 freeradius-1.1.3.tar.bz2, (currently released version: 1.1.3)

Please note the extension 'bz2':

tar jxf freeradius-1.1.3.tar.bz2
Re: how to use != == =~ and !~ on multiple keys?
Mike wrote:
> On 10/22/06, Joe Maimon [EMAIL PROTECTED] wrote:
>>> I have the following keys in a radius request:
>>> Cisco-AVPair = src-codec=g729 g711A64k g711U64k g7231 gsmFR NS:iLBC-15k2
>>> Cisco-AVPair = dst-codec=g729
>>> When using the != == =~ and !~ conditionals with Cisco-AVPair key, which one(s) are checked?
>> In the order provided by the order they were written on the check line until there is either a match or none.

Ah, you meant which AVpair is checked? All until match. (At least it's supposed to.)
Re: how to use != == =~ and !~ on multiple keys?
Mike wrote:
> I have the following keys in a radius request:
> Cisco-AVPair = src-codec=g729 g711A64k g711U64k g7231 gsmFR NS:iLBC-15k2
> Cisco-AVPair = dst-codec=g729
> When using the != == =~ and !~ conditionals with Cisco-AVPair key, which one(s) are checked?

In the order provided by the order they were written on the check line until there is either a match or none.
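Added example (not from the thread or from the FreeRADIUS source): a Python model of what "all until match" means when a request carries several values of the same attribute. Positive operators (==, =~) succeed at the first value that matches; negative operators (!=, !~) succeed only if no value matches, which is what makes (A != b) the same as !(A == b). The request below is constructed from the two Cisco-AVPair lines in the question; the operator names are the check-item operators being asked about. The `check_first_only` helper is there only to contrast the naive first-value-only reading.

```python
"""Model of evaluating a check item against a multi-valued request attribute."""
import re

# Constructed request: the two Cisco-AVPair values from the question.
REQUEST = [
    ("Cisco-AVPair", "src-codec=g729 g711A64k g711U64k g7231 gsmFR NS:iLBC-15k2"),
    ("Cisco-AVPair", "dst-codec=g729"),
]


def values_of(request, attr):
    """All values of attr, in the order they appear in the request."""
    return [v for a, v in request if a == attr]


def check(request, attr, op, rhs):
    """Evaluate `attr <op> rhs` over every value of attr in the request.

    ==, =~ : true as soon as one value matches ("all until match").
    !=, !~ : true only if no value matches, so (A != b) == !(A == b).
    An attribute that is absent matches nothing: the negative operators
    succeed and the positive ones fail.
    """
    vals = values_of(request, attr)
    if op == "==":
        return any(v == rhs for v in vals)
    if op == "=~":
        return any(re.search(rhs, v) is not None for v in vals)
    if op == "!=":
        return not any(v == rhs for v in vals)
    if op == "!~":
        return not any(re.search(rhs, v) is not None for v in vals)
    raise ValueError(f"unsupported operator {op!r}")


def check_first_only(request, attr, op, rhs):
    """The naive reading: test only the first value. Shown for contrast."""
    vals = values_of(request, attr)
    return check([(attr, vals[0])] if vals else [], attr, op, rhs)


def negation_consistent(request, attr, rhs):
    """True when != is the negation of == and !~ the negation of =~ for this rhs."""
    return (check(request, attr, "!=", rhs) is (not check(request, attr, "==", rhs))
            and check(request, attr, "!~", rhs) is (not check(request, attr, "=~", rhs)))
```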
Re: Fwd: Filter attributes when proxying
Try to use rlm_policy. I am sure there are other ways.

Martin Zuziak wrote:
> Hello all
> I didn't get any response the first time I sent this so I'm trying again. Any chance of having such a feature implemented?
> Sincerely, Martin Zuziak [EMAIL PROTECTED]
> PS: Don't worry, if I don't get any answer this time, I'll shut up :)
>
> - Forwarded message from Martin Zuziak [EMAIL PROTECTED] -
> Date: Thu, 1 Jun 2006 10:34:19 +0200
> From: Martin Zuziak [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Filter attributes when proxying
>
> Hello all
> Is it possible to (easily) remove single attributes sent or received when proxying? I know it can be done with attr_filter, but if you only want to remove a single attribute while leaving the rest untouched, you need pass rules for every other attribute. It doesn't look like attr_rewrite can remove attributes. Am I wrong? Otherwise I think this would be a nice feature to implement.
> The attr_filter module can easily (I think) be changed to include a variable to control whether or not passing rules are needed to allow an attribute. Currently attributes are only allowed if they don't fail any rules in attrs and pass at least one rule:
> if (fail == 0 && pass > 0)
> This could be changed to something like
> if (fail == 0 && (pass > 0 || allow_no_match))
> where a variable in the attrs file could control if passing rules are required.
> Sincerely, Martin Zuziak [EMAIL PROTECTED]
> - End forwarded message -
Re: Radius Proxying and IP injection
John Williams wrote:
> Is it possible to get the customer's radius server to specify the IP address pool to use from the Cisco to assign an IP address? I found this attribute: Ascend-Assign-IP-Global-Pool
> Can our customer use:
> Ascend-Assign-IP-Global-Pool = IP-POOL
> in his radius entries to specify this pool from the Cisco?
> John

Cisco-Avpair += "ip:addr-pool=poolname"
Re: Radius Proxying and IP injection
John Williams wrote:
> However the users that are authenticating are being dropped offline as soon as they authenticate. The account logs show the reason as being “User-Request” although the user hasn't requested a disconnect, in fact they aren't connected long enough to do so. The customer is also sending a framed IP address for each user that connects via the user's radius users file entry.

Your cisco doesn't like certain attributes in the reply and closes the connections. Likely as not the attributes it doesn't like are the ones in relation to what your customer is trying to assign. Debugs will show you exactly which one, but beware.

debug radius
debug aaa authentication
debug aaa authorization
debug aaa per-user
debug aaa subsys
debug ppp negotiation
debug vtemplate ev
debug vtemplate cloning
debug vprofile

I would also run your server in debugging mode to see exactly which attributes are being sent to your cisco nas for those users.
Re: Radius Proxying and IP injection
> The strange thing is the Framed-IP-Address, it isn't showing the correct IP address that the user has assigned in our customer radius users file. If I run radtest from the command line against the customer's radius server it returns:

If you get different results from your customer's radius server when the requests originate from your nas or when the requests originate from your command line then..

> With the correct IP address. Any ideas why it's doing this?

This is a misconfiguration of your customer's radius server, possibly based upon incorrect information from you.

> The proxying seems to be working fine as all requests for the realm are sent to the customer's radius server. And our log files show that the authentication was “OK”. However the users that are authenticating are being dropped offline as soon as they authenticate.

Let me guess... you don't have any ip pools available on your nas server. So without a specified IP, the user can't/won't stay connected.
Re: Radius Proxying and IP injection
John Williams wrote:
> Looking through the radius files I saw this in the attrs file:
> ##
> # The rest of this file contains the DEFAULT entry.
> # DEFAULT matches with all realm names.
> #
> DEFAULT
>     Service-Type == Framed-User,
>     Service-Type == Login-User,
>     Login-Service == Telnet,
>     Login-Service == Rlogin,
>     Login-Service == TCP-Clear,
>     Login-TCP-Port <= 65536,
>     Framed-IP-Address == 255.255.255.254,
>     Framed-IP-Netmask == 255.255.255.255,

If you are using the attrs module, then this will prevent your customer's attributes from being used.

In your earlier email you were unclear whether you performed the radtest directly against your customer's radius server or against your own. I assumed the latter.

Good luck.
Re: Exec-Program and length of arguments
Anton Maksimenkov wrote:
> If I add to users file this:
> When I used exec-program all the attributes I wanted were in the environment.
> And how can I exploit it? I get only this:
> --
> $ cat /home/engineer/acrad.sh
> #!/bin/sh
> printenv > /tmp/exec-program-wait
> --
> bob Auth-Type := Local, User-Password == bob
>     Reply-Message = "Hello, %u",
>     Exec-Program = /home/engineer/acrad.sh
> --
> after radtest in /tmp/exec-program-wait I found only
> $ cat /tmp/exec-program-wait
> CLIENT_IP_ADDRESS=127.0.0.1
> NAS_IP_ADDRESS=255.255.255.255
> PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
> NAS_PORT=0
> USER_PASSWORD=bob
> USER_NAME=bob

See? It's working perfectly. Your radtest caused the above.

> But this is far less than what I wait for... I need to do the same thing that SQL accounting does.

Your radtest DOES NOT cause accounting requests to occur as well.

> If I look at raddb/pgsql-voip.conf, I can see
> snip
> I read this. But I am just a newbie, sorry. I tried this
> exec echo {
>     wait = yes
>     program = /home/engineer/acrad.sh %{User-Name}
>     input_pairs = request
>     output_pairs = reply
> }
> instantiate {
>     exec
> ...
> but it seems that the program is not started at all.

packet_type = Accounting-Request

And make sure you instantiate the echo instance of the exec module under the radiusd accounting section.
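Added example, not from the thread: a script of the kind the exec module runs with `input_pairs = request`, written in Python rather than sh. It relies on the environment mapping that the printenv output above shows (attribute name upper-cased, dashes to underscores) and picks out only the attributes it wants, rather than dumping the whole environment the way `printenv` does; note that the dump above wrote USER_PASSWORD to disk in clear, which is exactly what a selective script avoids. The attribute list, the sample environment and the log path are constructed for the example.

```python
"""Accounting helper for the exec module: read the packet's attributes from the
environment, keep only the ones we want, append one line per packet."""
import os
import sys

# Attributes to record from an Accounting-Request (constructed list for the example).
WANTED = [
    "Acct-Status-Type", "User-Name", "Acct-Session-Id",
    "NAS-IP-Address", "Client-IP-Address", "Framed-IP-Address",
    "Acct-Session-Time", "Acct-Input-Octets", "Acct-Output-Octets",
]

# Constructed sample of what the server puts in the environment for a Stop packet;
# PATH is there because the real environment carries it too.
SAMPLE_ENV = {
    "ACCT_STATUS_TYPE": "Stop", "USER_NAME": "bob", "ACCT_SESSION_ID": "0000A002",
    "NAS_IP_ADDRESS": "10.0.0.1", "CLIENT_IP_ADDRESS": "127.0.0.1",
    "ACCT_SESSION_TIME": "61", "ACCT_INPUT_OCTETS": "1024", "ACCT_OUTPUT_OCTETS": "2048",
    "PATH": "/usr/bin:/bin",
}


def env_name(attr):
    """Acct-Status-Type -> ACCT_STATUS_TYPE, the mapping seen in the printenv output."""
    return attr.upper().replace("-", "_")


def attrs_from_env(env, wanted=WANTED):
    """Pick the wanted attributes out of an environment mapping; missing ones stay absent.
    Anything not in `wanted` (User-Password in particular) is never looked at."""
    return {a: env[env_name(a)] for a in wanted if env_name(a) in env}


def format_record(attrs, wanted=WANTED):
    """One tab-separated line, fields in `wanted` order, '-' for a missing attribute.
    Tabs and newlines inside values are flattened so one packet is always one line."""
    cells = []
    for a in wanted:
        v = attrs.get(a, "-")
        cells.append(v.replace("\t", " ").replace("\n", " "))
    return "\t".join(cells)


def main(logfile="/tmp/acct-exec.log"):
    attrs = attrs_from_env(os.environ)
    # Only accounting packets carry Acct-Status-Type; exit 0 either way so the
    # server's handling of the packet is not affected by this script.
    if attrs.get("Acct-Status-Type") not in ("Start", "Stop", "Interim-Update", "Alive"):
        return 0
    with open(logfile, "a") as fh:
        fh.write(format_record(attrs) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The script only produces output when it is invoked for an accounting packet, which is the point Joe makes above: it has to be listed in the accounting section (with `packet_type = Accounting-Request`), or radtest's Access-Request is the only thing that will ever run it.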
Re: One radius and 4 pppoe/pptp servers
Mordor Networks wrote:
> Hi all
> I have a small problem. I have a freeradius server with a mysql backend, 3 pppoe servers and one pptp server. All the NASes (pppoe/pptp servers) connect to the same radiusd and the same mysql database, so when I add a user, for example I added a user to server-one and his ip is 192.168.2.100, the user must set the server name server-one in the service name when creating his connection setup. My problem is: if a user on server-one did not set the service name or changed it from server-one to server-two, he gets connected to another server instead of server-one; if he set the service name to server-two he gets connected to server-two instead of server-one; and if he did not set the service name at all he gets connected to a random server. How can I fix this issue, forcing the user to connect to the server we set up his account in?
> thanks

What makes you think that you set up a user and restricted it to a specific NAS?

You can restrict users from a pppoe server by using mac filters if your environment supports that. However, that isn't a support question.

I would recommend you design your environment so that whatever pppoe NAS your users connect to, things work correctly. See ospf.
Re: Cisco avpair
Pierre LEONARD wrote:
> Hi everybody
> I search for an exhaustive list of cisco avpair parameters that the radius server could return to a cisco router... I hope somebody will be able to help me with a URL or a list.
> thanks in advance

This isn't the right place to ask. Try cisco-nsp or open a TAC case.

Here is where I asked the question.
http://puck.nether.net/pipermail/cisco-nsp/2005-November/025998.html

That being said, the general rule of thumb is that any tacacs value/pair can be sent as a cisco-avpair.

Try searching CCO for the strings cisco-avpair radius aaa

For some non-exhaustive lists see
http://www.cisco.com/en/US/customer/products/ps6441/products_feature_guide09186a008048cfc7.html#wp1047577
http://www.cisco.com/en/US/customer/tech/tk713/tk507/technologies_tech_note09186a0080094862.shtml
http://www.cisco.com/en/US/customer/products/ps6350/products_configuration_guide_chapter09186a0080444c05.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt6/sctacatb.htm
https://puck.nether.net/pipermail/cisco-nsp/2004-December/015120.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_puq.htm
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007dee9.html
http://www.cisco.com/en/US/customer/products/ps6350/products_configuration_guide_chapter09186a0080455a5e.html
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5013/products_feature_guide09186a0080087e64.html
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5413/products_feature_guide09186a0080335ed5.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftvrfaaa.htm#1056126

Good luck!
Joe
Re: Cisco avpair
Pierre LEONARD wrote:
> Joe Maimon wrote:
>> Good luck!
>> Joe
> thanks Joe but I'm a French student and I don't have any access to the cisco site (with cco login)

Remove the customer/ and it should work as normal.
Re: Cisco-AVPair Route Map
Alan Lumb wrote:
> Hi Everyone.
> I'm struggling to find concise documentation on Cisco-AVPairs (and what pairs cisco support) - can anyone help me with this?
> Mainly I am trying to setup a walled garden system based on radius reply, using a route map with set next hop e.g.
> route-map walled-garden permit 10
>  set ip next-hop 1.1.1.1
> My problem is how to apply this to a specific connection, do I just use
> lcp:interface-config=ip policy route-map walled-garden
> or are there better ways of doing this?

This should work. You may want to look into SSG.

Other ways of doing it are
- vrf
- nat
Re: getting disconected
freeradius contains no inherent support for disconnecting users other than sending attributes at the time of the connection that may cause the device connected to terminate the connection.

Run the server in debugging mode and see what attributes it sends to your NAS.

debik wrote:
> I have a problem with my freeradius. I'm getting connected but after 6 minutes the Win XP client is getting disconnected. I have looked into the radius debug and there's no stop message sent to the client. On the client I have run ethereal to look for some kind of packet, but I didn't find anything. So what could be the reason?
Re: Accessing REQUEST structure data outside FreeRADIUS module
Nicolas Castel wrote:
> Hello and thanks for replies
> I'm using FreeRADIUS v1.1.0. I'm developing some modules and I try to access auth_req structure (REQUEST) data from an external function (out of my module) and it fails. All works fine when accessing this data from the module itself but when I call an external function with the address of REQUEST, it doesn't work.
> and in another file, lib_com.c

What happens when your external function is in the same file as your module function?
Re: Accessing REQUEST structure data outside FreeRADIUS module
Nicolas Castel wrote:
> 2006/4/12, Joe Maimon [EMAIL PROTECTED]:
>> Nicolas Castel wrote:
>>> Hello and thanks for replies
>>> I'm using FreeRADIUS v1.1.0. I'm developing some modules and I try to access auth_req structure (REQUEST) data from an external function (out of my module) and it fails. All works fine when accessing this data from the module itself but when I call an external function with the address of REQUEST, it doesn't work.
>>> and in another file, lib_com.c
>> What happens when your external function is in the same file as your module function?
> Thanks for responding,
> When I put the function in the module all works fine too.

Let me rewrite that: When you put the function into the same C language file as the rest of the module functions, all works fine.

If that is correct, then I would suggest you are having an include file problem and/or a linking problem.

If I am correct, there isn't much I can do without seeing your code other than suggest you duplicate what you do for the file that works and/or you examine other successfully built modules with multiple files and their build process.

Of course, I could be very wide off the mark here.
Re: Assigning DNS servers
Tony Spencer wrote:
> I'm using a Cisco 7204VXR to do the authentication. It seems it doesn't pass these attributes. Debugging radius and AAA authentication shows all the other attributes it's passing.
> Anyone using a Cisco to do radius authentication and assign DNS servers?

Yes

Primary-DNS-Server := 172.19.1.53,
Secondary-DNS-Server := 172.19.1.57,

> Thanks
> Tony
Re: NAS online/offline?
Use sql radius accounting logging
modify the table to have a timestamp field
modify the server queries if necessary
run an external script/process that checks for all acctstoptime=0 and timestamp < (current_time - (expected_update_interval*2)) and updates them all with acctstoptime = timestamp.

or something like that

nikwan (sent by Nabble.com) wrote:
> Hypothetical situation: You have users logged into a NAS. The NAS goes down without warning (power failure...). Users who were logged in now have sessions which are not complete (acctstoptime is set to NULL). In my case Simultaneous logins is disabled and needs to be so. Therefore once the NAS is brought back up, the users can't log back in, as radius will not authorize the users as they are apparently logged in.
> My question is... How do I set the acctstoptime to the time when the NAS goes down? Is there a way to see when a NAS dies?
> Any input will be greatly appreciated.
> View this message in context: NAS online/offline? http://www.nabble.com/NAS-online-offline--t1075858.html#a2800675
> Sent from the FreeRadius - User http://www.nabble.com/FreeRadius---User-f1104.html forum at Nabble.com.
Re: Multiple secrets for 0.0.0.0/0
Alan DeKok wrote:
> Teófilo Ruiz Suárez [EMAIL PROTECTED] wrote:
>> I'd like to declare two different secrets for my radius server listening on 0.0.0.0/0.
> No. It's impossible. And it makes no sense. How does the server decide which secret to use? Magic? Trial and error?

What's wrong with trial and error?

> Alan DeKok.
Re: Multiple secrets for 0.0.0.0/0
Alan DeKok wrote:
> Joe Maimon [EMAIL PROTECTED] wrote:
>> What's wrong with trial and error?
> Yuck.

Probably.

> It also opens the door to any one of umpteen secrets. I would like to know what the underlying requirements are, as there's probably a better way of doing this.

Don't know what his requirements are, but the ability to allow any client in the world to authenticate to my server with any one of X secrets, thereby allowing me to associate them to client Y as opposed to client Z, is very useful wherever the IP address range describing the source of client Y and client Z might overlap. The IP address range in question need not actually be 0/0.

This allows me to have specific configurations for this client, cancel service to only one of the entities and to upgrade/change the secret without requiring a flag-day event.

> Alan DeKok.
Re: Error: Assertion failed in request_list.c, line 1119
masetio wrote:
>> Both of these are if the queuing of the request failed; assertion should be true.
> no, in the log there is just
> Wed Jan 25 02:05:16 2006 : Error: Assertion failed in request_list.c, line 1119
> and Freeradius crashes 'n goes down
> i'll try to get some information by running in debug mode, but in debug mode everything is OK. Is a different process running in daemon mode and debug mode?
> Thanks..
> -- ~_|[]~

You mean the server isn't doing anything??? What else is in the log?

You could use other flags other than -X, which disables threading: use -fxx
Re: Debian + Exec-Program = Zombie process
George Chelidze wrote:
> versions. Can I make some tests to narrow down the problem, or some other actions.
> Best Regards,
> George

I suppose you could add some debug code to where you believe the calls to waitpid should be/are.

The way I read it, without threads it should be in src/main/radiusd.c:631 in cvs 20060124

Joe
Re: error if running daemon
Well you could try my deb packages at http://apt-repo.ttec.com

Don't know if that will help.

Also check that delete_blocked_requests = no is set in radiusd.conf

masetio wrote:
> I used freeradius-snapshot-20060119 in Debian Sarge to implement the sqlcounter module. If running as a daemon, Freeradius crashes with log:
> Thu Jan 26 09:32:46 2006 : Info: Ready to process requests.
> Thu Jan 26 10:02:58 2006 : Error: Assertion failed in request_list.c, line 1119
> but if running in debug mode it doesn't have any error. Please, I need a suggestion.
> thank you
> ~_|[]~
> --- .:Learning by Doing:.
Re: Using Freeradius and bind as a dynamic dns
Willem Pretorius wrote:
> Hi,
> Has anyone been able to use freeradius with mysql and a bind dns server to update a domain, say dynamic.com, every time a user connects? I want to create a local ADSL dynamic dns service for all my adsl users, eg. if the login name is companyX with ip 165.146.165.78 I want to update the bind dns every time a user connects, eg. companyX.dynamic.com
> Any Ideas?

This is the bash script glue method
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg20828.html
Re: RLM_perl and Cisco-AVPair
Alan Lumb wrote:
> Hi everyone.
> I'm trying to get RLM_perl to respond with two Cisco-AVPair lines (what would usually be done with += in users)

So try that with rlm_perl; the server functions that update the list need to see the += operator.
Re: How to compile freeradius with sqlcounter module on debian/ubuntu
Gabriele Vidali wrote:
> hi,
> I'm trying to compile freeradius with sqlcounter module on my ubuntu dapper with no success. Actually I can compile it but at the end I have no rlm_sqlcounter-x.x.so in my /usr/lib/freeradius directory. This is how I proceeded:
> * apt-get source freeradius
> * apt-get build-dep freeradius
> * I added --with-experimental-modules in debian/rules file
> * dpkg-buildpackage -rfakeroot -uc -us
> Is this way correct? freeradius version in dapper is 1.0.5-2
> many thanks
> Gabriele

Well I did something a bit different to get the rlm_policy module as a part of my deb package.

I patched configure to allow it to accept a list of modules which I added into the debian/rules configure invocation.

http://apt-repo.ttec.com
Experimental bleeding edge patched debian packages available
I have made my local customized debian apt-get repository available online.

http://apt-repo.ttec.com

Found there are freeradius packages -- they are generally unstable CVS and contain patches that I run with. These should not in any way be construed as any actual release by the freeRADIUS team or by any official Debian maintainers.

I don't expect anyone to actually install the binaries. I expect most people who actually use it (if any) to merely obtain the source.

No guarantees or warranties made in any way shape or form for anything. In particular, the latest package(s) there is suspected to core-dump infrequently after HUP.

I want to thank Paul Hampson and all those who have contributed to Freeradius development, and for this instance, in particular the debian packaging. It was done in such a way as to make maintaining a customized package that parallels official releases and code trivial.

(## from memory it's something like

mkdir cvs-XXX
cd cvs-XXX
cvs co radiusd
cd ..
mkdir debian
cd debian
apt-get source freeradius
cd freeradius-*
diff -urN ../../cvs-XXX/radiusd/debian debian | less   # use your head
vi debian/changelog
mv debian ..
# careful here
rm -rf *
cp -R ../../cvs-XXX/radiusd/* .
mv ../debian .
dpkg-buildpackage -rfakeroot
)

Thank You!
Re: cannot create core dump file?
> and where can I get the core dump file? any advice? thanks in advance.
> regards,
> Pang KW

Check the root directory; check radiusd.conf to see that core dumps are enabled.
Re: rlm_sqlcounter and something else than Session-Timeout
Alan DeKok wrote:
> Seferovic Edvin [EMAIL PROTECTED] wrote:
>> I really don't know why everybody is telling that such config would be impossible.
> It's impossible to enforce traffic limiting *during* a user's session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch & enforce their limit on the next login. This has been discussed multiple times on the list over the past 5 years.

Well in theory, one can write an exec-program or such, call it during accounting, and if appropriate disconnect the user utilizing something like telnet scripts, snmp, radius packet of disconnect and so on and so forth.
Re: Auth All but only for those in my clients.conf
Lewis Bergman wrote:
>> Mojo Jojo wrote:
>>> At this time, the requests are authed regardless of the username or password but they are authed regardless of the client or secret.
>> Not possible.
> You are correct.. If you look at the way the secret is used you'll find that your use of Auth-Type := Accept makes it irrelevant.

The secret is used to encrypt User-Password attributes.
Re: Auth All but only for those in my clients.conf
Mojo Jojo wrote:
> At this time, the requests are authed regardless of the username or password but they are authed regardless of the client or secret.

Not possible.
Re: Documentation on Group Locking using FreeRADIUS/AD/Cisco VPN Concentrator
Alhagie Puye wrote:
> Hello all,
> I have spent a fair bit of time trying to get FreeRADIUS/Active Directory/Cisco VPN Concentrator 3005 to lock users into a group using the class attribute. Dusty Doris gave me a hand too. It has been tested and it works as expected.
> http://www.cisco.com/warp/public/471/altigagroup.html
> This feature is very, very neat and flexible. I would now like to write up a step-by-step document on how to make these work together. I don't have a public web site to host this page. I'm looking for suggestions on how to make it readily available to other users since the VPN Concentrator is gaining popularity. Is the wiki page mentioned here a while back going to materialize? Or should I write up a text document so that it could be added to the doc/ directory in the source code?

wiki.freeradius.org
Re: NAS list and dynamic IP
Gunther wrote:
> Alan DeKok wrote:
>>> How can I use a unique secret for each NAS connected to the same ISP?
>> You can't. There's no real way to tell them apart.
>> Alan DeKok.
> Thanks Alan! I presume it is a radius protocol issue. Maybe good for a future enhancement with some form of additional ID coming from the NAS and not just using the IP address.
> Gunther

Or do vpn tunnels from the nas with internal numbers.
Re: Fall-through and different NAS IP Settings
Jonathan De Graeve wrote:
> How do you explain this then?
> I have a NAS that DOESN'T send the NAS-IP-Address attribute to the radius server (only nas-identifier) but all my huntgroups based on NAS-IP-Address work without any problem...
> Is this then somewhere in the code?
> If (!NAS-IP-Address && Client-IP-Address) NAS-IP-Address = Client-IP-Address
> J.

Yes. rlm_preprocess adds the nas-ip-address to the request if one wasn't there.

I have patched my local freeradius to add Client-Ip-Address if it is missing and Client-Short-Name (local creation) as well.

Joe
Re: How can i change Configure file.
Nicolas Baradakis wrote:
> Manojkumar Patel wrote:
>> My Config.ini file is like:
>> --no-create --sysconfdir=/home/manoj/RadiusServer --with-logdir=/home/manoj/RadisuServer
>> When I run the config file like ./configure < Config.ini
>> the radius server is configured with the default settings. But I want to change the default settings. I want to pass all parameters in one file instead of command line arguments. How can I do that?
> You could try this command line:
> $ xargs ./configure < Config.ini
> And please turn HTML off when posting to a mailing list.
> http://freeradius.org/list/users.html

And the reason you would do that is because configure scripts do not read stdin; they expect their parameters to be passed to them as command line arguments.

And wouldn't xargs do it once per arg?

You might as well simply make a shell script that looks like this.

./configure \
    --no-create \
    --sysconfdir=/home/manoj/RadiusServer \
    --with-logdir=/home/manoj/RadisuServer

And consider that running a radius server from your home directory is only useful or good practice for testing/debugging purposes. For anything else, use the system standard locations and utilize /usr/local or /opt.

And your spelling/capitalization of RadiusServer is going to cause you nothing but trouble. Make it simple and call it radius. Or call it raddb.
Re: FreeRadius and Interim Packets
Matt wrote:
>> Ok, well now hold on a second. It's not simply the sending/receiving/logging of interim packets that determines whether or not the RADIUS server has interim packet support. For a RADIUS

Like the man said

> Yes. It works. You enable it by installing the server.
> Did you *try* it?
> Alan DeKok.
Re: FreeRadius and Interim Packets
Matt wrote:
> Ok, I'm just checking because I've received different answers from different people. So the radius server will A) track sessions and will B) send a stop packet if no interim packet is received for the radius interim packet response or what? I'm finding very little information googling for it, that's why I'm asking these questions.
> On 12/5/05, Joe Maimon [EMAIL PROTECTED] wrote:
>> Matt wrote:

You mean you want sessions that do not receive an interim packet to be expired?

Sessions are tracked on the basis of the Acct-Session-Id, which can sometimes have a non-uniqueness problem -- see rlm_acct_unique.

This means nothing for the detail file, which will write each packet it receives. It means something for the radutmp file. It means something for the sql logging modules, which will do UPDATE queries instead of INSERT queries, by default.

The radius server doesn't send a stop packet to the NAS. The NAS is supposed to send the stop packet to the radius server. A stop packet is an accounting packet with a status of Stop.

If you were doing sql accounting logging, you could modify the db to contain a timestamp field, updated by each insert/update. Then a query that selects those records with a stop time of 0 and a non-updating timestamp field can be used along with radzap.

There may be more elegant and smarter ways to go about this.
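Added example, not code from either thread: the check Joe sketches in this reply and in the "NAS online/offline?" reply above, written out over constructed rows in the shape of an accounting table that has been given an extra last-update column. A session is stale when it has no stop time and its last update is older than twice the expected interim interval; the stale ones get their stop time set to the last time the server heard from the NAS. The `dead_nases` helper goes one step past the threads and answers nikwan's second question: a NAS all of whose open sessions have gone stale is the one that has most likely died. Column names, the interval and the rows are assumptions for the example.

```python
"""Find open accounting sessions whose NAS has stopped reporting, and close them."""
from datetime import datetime, timedelta

# Assumed interim-update interval for the NASes (constructed value).
INTERIM = timedelta(minutes=10)
NOW = datetime(2005, 12, 5, 12, 0, 0)

# Constructed rows: acctstoptime None = still open; last_update is the extra
# timestamp column the thread suggests, touched by every INSERT/UPDATE.
ROWS = [
    {"radacctid": 1, "username": "alice", "acctsessionid": "A1", "nasipaddress": "10.0.0.1",
     "acctstoptime": None, "last_update": NOW - timedelta(minutes=3)},
    {"radacctid": 2, "username": "bob", "acctsessionid": "B2", "nasipaddress": "10.0.0.2",
     "acctstoptime": None, "last_update": NOW - timedelta(minutes=45)},
    {"radacctid": 3, "username": "carol", "acctsessionid": "C3", "nasipaddress": "10.0.0.2",
     "acctstoptime": NOW - timedelta(hours=1), "last_update": NOW - timedelta(hours=1)},
]


def stale_sessions(rows, now, interim, factor=2):
    """Open sessions not updated within factor * interim (the thread's 'interval*2')."""
    cutoff = now - interim * factor
    return [r for r in rows if r["acctstoptime"] is None and r["last_update"] < cutoff]


def close_stale(rows, now, interim, factor=2):
    """Return closed copies of the stale rows: stop time = last time we heard from the NAS.
    The input rows are not modified; a real job would issue the matching UPDATE."""
    closed = []
    for r in stale_sessions(rows, now, interim, factor):
        c = dict(r)
        c["acctstoptime"] = r["last_update"]
        closed.append(c)
    return closed


def dead_nases(rows, now, interim, factor=2):
    """{nasipaddress: last update seen} for NASes whose open sessions are all stale."""
    cutoff = now - interim * factor
    by_nas = {}
    for r in rows:
        if r["acctstoptime"] is None:
            by_nas.setdefault(r["nasipaddress"], []).append(r["last_update"])
    return {nas: max(ts) for nas, ts in by_nas.items() if max(ts) < cutoff}
```

The factor of two is the slack Joe allows for a single lost interim packet; a lower factor closes sessions faster but will also close live sessions on a lossy path, which then lets the user log in twice despite Simultaneous-Use.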
Re: Question about deleting old files
Alan DeKok wrote:
> Linda Pagillo [EMAIL PROTECTED] wrote:
>> I have upgraded my freeradius from version 0.9.3 to the newest version. Is it safe to delete all of the files from the 0.9.3 version such as the .lib, .lib.so and .a files? Thanks!
> Yes.
> Alan DeKok.

Use package management if possible. As long as it understands you are upgrading package x.1 with package x.2 it will replace/delete stuff intelligently for you. To this end, you can keep local packages in apt repositories, use checkinstall, rebuild rpms... and so on and so forth.

Or if you install from source, keep it around and do a make uninstall -- but make sure you have a copy of your /etc/raddb or equivalent directory.

The library files are only a problem if you have an unrelated app that may be using those and requiring that specific version.
Re: help needed for debugging segfault
Luca Corti wrote: Hello, I've been banging my head against this for a few days. I've installed freeradius 1.1.0 from cvs and I'm doing EAP-PEAP using ntlm_auth for authentication. freeradius segfaults while sending the access-accept packet. In my first post someone instructed me to enable coredumps in freeradius and post the result. I've compiled freeradius using --enable-developer, set allow_core_dumps = yes in radiusd.conf and used ulimit to remove the coredump filesize limit from my shell, but it seems freeradius still doesn't dump core. The radius server is a Debian testing box. The Wi-Fi accesspoint is a D-Link DWL-2100AP. Is there anything else I can do? Is this a freeradius issue or an OS issue? thanks

Try checking if the server runs with different user/groups, and disable that. Worked to an extent for me.
Re: Juniper buys Funk
Alan DeKok wrote: http://www.juniper.net/company/presscenter/pr/2005/pr-051114.html Alan DeKok.

Apparently freeradius developers have managed to build a system comparable to one that just sold for $122 M. Is that the take away? Joe
Re: Framed-Route and proxying
Jason Frisvold wrote: Hi there, I'm looking for a way to force certain users through a proxy. I *think* Framed-Routes are the way to go. Can someone help me out a little?

Framed-Route instructs the NAS to install a route as described by the value, to the dialed up user. (at least that's what my NASes do) So in and of itself, I do not think it will accomplish any sort of forced proxying. When you say force do you mean

* does not work unless they are configured to use proxy X

This would generally be a function of ACL which can be configured in different ways. Using Framed-Route or Framed-IP-Address may be useful to you for that.

* transparent proxying

If you combine Framed-Route and/or Framed-IP-Address with policy routing (or natting) or vrf tables, you will probably achieve your goal. But your use of Framed-Route may not be required at all.

Our users either dial in via a Patton RAS unit, or a Redback SMS-500. Any help would be appreciated. Thanks! -- Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
Re: Framed-Route and proxying
Jason Frisvold wrote: I *think* that's more what I'm looking for.. The idea is to put a user in a suspended group that will only allow them to go to the payment server. By using a proxy, I can intercept all port 80 traffic and redirect them to the proper location. Does that make more sense?

Let's say you used cisco gear (where I use this concept in different ways fairly often). You would do something like this, without any loss of performance.

Default Hint == "Suspended"
    Cisco-Avpair += "lcp:interface-config=ip vrf forwarding suspended",
    Cisco-Avpair += "lcp:interface-config=ip unnumbered l10",
    Cisco-Avpair += "ip:addr-pool=suspended"

On the cisco you would config it like this, aside from the normal aaa config and whatnot:

ip vrf suspended
 rd 1:1
int l10
 ip vrf forwarding suspended
 ip address 10.1.1.1 255.255.255.255
int fa0.10
 description proxy server
 encapsulation dot1q 10
 ip vrf forwarding suspended
 ip address 10.2.2.1 255.255.255.0
ip local pool suspended 10.10.0.1 10.10.10.255
ip route vrf suspended 0.0.0.0 0.0.0.0 10.2.2.1

-- Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
Re: appending to a proxy reply attribute
Tariq Rashid wrote: hi - i would like to achieve the following:

* inspect the reply packet from a proxy target radius
* if the reply contains Framed-Route, for example Framed-Route = 195.40.42.96/30 83.67.214.162 1 then append a string to the value: Framed-Route = 195.40.42.96/30 83.67.214.162 1 n n 60 uk-ABC-001
* NOTE that the appended string depends on the realm/domain so possibilities are: for username [EMAIL PROTECTED] Framed-Route = 195.40.42.96/30 83.67.214.162 1 n n 60 uk-ABC-001 for username [EMAIL PROTECTED] Framed-Route = 195.40.42.96/30 83.67.214.162 1 n n 60 uk-XYZ-001

how is this possible with freeradius 1.0.2? tariq

Well one possible way that occurs to me would be to use an external program with the exec module. attr_rewrite would do it except it seems that you need to check other attributes. rlm_policy would do it, except I don't know about its ability to APPEND to an existing attribute. Were I you I would also check rlm_perl, something I have never actually done.
Re: Proxy Forwarding on User-Name attribute
Christian Meutes wrote: Hello, I have the demand to forward some auth-requests to some further radius servers, but only in the case when a specific User-Name is requested for authorization. The User-Name attributes look like this [EMAIL PROTECTED] and the userpart is always changing but the realm is always the same. How can I accomplish this without defining every user which is to forward in proxy.conf?

Why aren't you defining the realm in proxy.conf? Are you sharing it between unproxied users?
Re: Rejecting auth requests
Tim O'Donovan wrote: Hi, Does anyone know of a simple way to invoke an Access-Reject for a user at the authenticate stage? Without changing the stored password. I have tried altering the 'op' to != and all manner of other combinations from within the rad_check table without success. We would just like to be able to ban/unban a user with a single SQL update statement.

In the users file, setting a check item like this

user    Auth-Type := Reject

seems to do the job.
Re: IP address assignment
Infusino, Michael - ADP Dataphile wrote: I am using radius to authenticate access from VPN. Would anyone know how to record the IP address the user is assigned after they log in. Michael

How does a little dynamic dns strike you? Make sure to actually read below and attached scripts and setup a DNS key.

--radiusd.conf- modules section

exec ddns_update {
    wait = no
    program = /usr/local/sbin/radius-dns-update.sh
    input_pairs = request
    packet_type = Accounting-Request
    shell_escape = yes
}

end modules

instantiate section---

ddns_update

---end section

#!/bin/bash
# radius-dns-update.s2.sh (stage 2, called by the wrapper script below)
#must setup this key!!
#man nsupdate
NSUPDATE="nsupdate -k /etc/freeradius/keys/Kradius-dns-updates.+157+08981.private"

function usage() {
    echo "Usage: `basename $0` -u User-Name -t Hint -s Acct-Status-Type -i Framed-IP-Address"
    exit 1
}

while getopts u:t:s:i: opt; do
    case $opt in
        u) USER_NAME=$OPTARG;;
        t) HINT=$OPTARG;;
        s) ACCT_STATUS_TYPE=$OPTARG;;
        i) FRAMED_IP_ADDRESS=$OPTARG;;
        *) usage;;
    esac;
done

# strip the double quotes rlm_exec puts around string values
HINT=`echo "${HINT}" | tr -d '"'`
USER_NAME=`echo "${USER_NAME}" | tr -d '"'`
ACCT_STATUS_TYPE=`echo "${ACCT_STATUS_TYPE}" | tr -d '"'`
FRAMED_IP_ADDRESS=`echo "${FRAMED_IP_ADDRESS}" | tr -d '"'`

if [[ ${USER_NAME} == "" ]] || [[ ${HINT} == "" ]] || [[ ${ACCT_STATUS_TYPE} == "" ]] || [[ ${FRAMED_IP_ADDRESS} == "" ]]; then
    exit 1;
fi

#make sure you update below list to something that fits your setup!
case ${HINT} in
    XXX) DOMAINNAME=xxx.you.net;;
    YYY) DOMAINNAME=yyy.you.net;;
    *) exit 1;;
esac;

# the right-hand side of the next assignment was redacted in the list archive
USER_NAME=[EMAIL PROTECTED]
DNS_A_REC=${USER_NAME}.${DOMAINNAME}
DELETE_DNS_A_REC="prereq yxdomain ${DOMAINNAME}\nupdate delete ${DNS_A_REC} A"
ADD_DNS_A_REC="update add ${DNS_A_REC} 300 in A ${FRAMED_IP_ADDRESS}"
TOUCH_DNS_A_REC="prereq nxdomain ${DNS_A_REC}\n"

case ${ACCT_STATUS_TYPE} in
    Start)
        echo -e "${DELETE_DNS_A_REC}\n${ADD_DNS_A_REC}\nsend" | $NSUPDATE
        ;;
    Stop)
        #comment below to leave logged out users in DNS
        echo -e "${DELETE_DNS_A_REC}\nsend" | $NSUPDATE
        ;;
    Alive)
        #uncomment below to flood active users in during turnup
        # echo -e "${TOUCH_DNS_A_REC}\n${ADD_DNS_A_REC}\nsend" | $NSUPDATE
        exit 0;;
    *) exit 1;;
esac;

#!/bin/bash
# radius-dns-update.sh (wrapper run by rlm_exec; the request attributes arrive as environment variables)
STAGE2=/usr/local/sbin/radius-dns-update.s2.sh

if [[ ${USER_NAME} == "" ]] || [[ ${HINT} == "" ]] || [[ ${ACCT_STATUS_TYPE} == "" ]] || [[ ${FRAMED_IP_ADDRESS} == "" ]]; then
    exit 0;
fi

if [[ -x $STAGE2 ]]; then
    $STAGE2 -u"${USER_NAME}" -t"${HINT}" -s"${ACCT_STATUS_TYPE}" -i"${FRAMED_IP_ADDRESS}" >/dev/null 2>&1
fi
exit 0
Re: Logging question
Curt LeCaptain wrote: Currently I'm using the mysql logging functions of FreeRADIUS and I'm logging two different things: Dial-up customers that log in with just their username (username) DSL Customers that log in with user at domain ([EMAIL PROTECTED]) I'm wondering, how would I get it so that both log the same way, that is, just username, not the suffix @itol.com. Any advice would be great! Thanks, Curt LeCaptain

sql.conf lets you log the stripped username.
Re: i want to add new attributs
Tim O'Donovan wrote: Hi Harish, I am trying to accomplish almost exactly the same thing on our freeradius setup. Our NAS servers send us an additional attribute, 'Timestamp', in UNIX time, but at the moment our radius server is ignoring it altogether. We are using MySQL for accounting etc and the default setup logs entries using the current time of insertion, not the time sent by the NAS. We have a secondary radius server that is replicated by using radrelay on the primary server which runs every minute or so. This is the main problem as the time logged to the secondary server is different to the primary.

You can do anything you would like with the SQL logging by editing the sql.conf file, which contains the sql query strings the radius server uses.

I believe the solution involves editing the dictionary file (found in raddb dir) to add the new attribute.

You would only need to do that if the server did not recognize the attribute (translating it from a numerical id to a string name). If the server logs the attribute into the detail file with the proper name or the server prints its name in debugging mode, there is no need for that.

Although I am not 100% sure if that is enough for it to come into effect. The standard attributes can be found here: http://www.iana.org/assignments/radius-types. When I find a complete solution I will let you know. :-) Let me know how you get on. Kind regards, Tim O'Donovan

Harish Gupta wrote: Hello All, I'm Harish Gupta from India, I'm working in a Telecom ISP company as System Administrator and I'm using the freeradius application on the Linux platform (CentOS 4.0) for my dialup users. It's working fine, but I want to add a new attribute like caller-id and calling-id. How can I add these attributes? Please help me. Thanks, Regards, Harish Gupta, System Administrator, India +919828032258
Removing attributes from a reply
I need to remove an A/V from the reply list, but only if another A/V is already there. For example: If I have the Framed-IP-Address attribute, I need to remove any attribute of Cisco-AVPair -~ ip:addr-pool.* (because my NAS's will choke on that, and that means I have no way for a fall back pool to be defined by radius for my proxy users who may be/are assigned IP addresses by my customer). This needs to be done post-proxy stage for my needs. I have been assuming I would need the new CVS head policy feature for this. Anything I am missing? Joe
Re: Removing attributes from a reply
Thor Spruyt wrote: Joe Maimon wrote: I need to remove an A/V from the reply list, but only if another A/V is already there. This needs to be done post-proxy stage for my needs. rlm_attr_filter can do it

I have read the docs, I use rlm_attr_filter already, but I don't see how I can test for existence of Attribute X and if it exists, remove attribute Y (using rlm_attr_filter -- I am sure there are other things I could try such as rlm_perl(?) sending all A/V to a shell script...) Do you have an example? Thanks, Joe
Re: best practice for combination freeradius -- active directory?
ho wrote: Hi all, I need some more ideas for doing a good, stable and easy to use connection between freeradius and Active Directory.

You can always proxy radius to the IAS component that comes with windows that authenticates against AD. There are other ways. joe
[PATCH] operators -* and -~
This patch will add the substar (-*) operator and correct the behavior of the subeq (-=) operator. The -* operator will cause all of the named attributes to be deleted from the reply, which is the current behavior of the -= operator without this patch. With this patch -= will only delete all attributes of that name if the supplied value is blank (""). Otherwise it will only delete attributes with a matching value. This version of the patch also adds the -~ operator which will remove any of the named attributes whose value matches the supplied regular expression value. Freeradius must be compiled with regex support for this to work.

http://www.jmaimon.com/freeradius/patches/substar_reg_op.fr102.v2.patch
http://www.jmaimon.com/freeradius
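As an added example (not code from the patch or from FreeRADIUS), a Python model of the three reply-list operators exactly as the post defines them, applied to the conditional removal asked for in the "Removing attributes from a reply" post above: Cisco-AVPair values matching ip:addr-pool.* are dropped only when Framed-IP-Address is already in the reply. The sample reply list and the `strip_pool_if_static` policy name are constructed for this example.

```python
import re

# Constructed sample reply list of (attribute, value) pairs: a static
# address plus a pool name, the combination the earlier post says its NAS
# chokes on.
SAMPLE_REPLY = [
    ("Framed-IP-Address", "10.1.1.5"),
    ("Cisco-AVPair", "ip:addr-pool=suspended"),
    ("Cisco-AVPair", "lcp:interface-config=ip vrf forwarding suspended"),
    ("Framed-MTU", "1500"),
]


def apply_reply_op(reply, op, attr, value):
    """Return a new reply list with one control operator applied.

    Semantics as the patch post states them:
      -*  delete every attribute named `attr` (value ignored)
      -=  blank value: delete every `attr`; otherwise delete only the
          pairs whose value equals `value`
      -~  delete every `attr` whose value matches the regex `value`
    """
    if op == "-*":
        return [p for p in reply if p[0] != attr]
    if op == "-=":
        if value == "":
            return [p for p in reply if p[0] != attr]
        return [p for p in reply if not (p[0] == attr and p[1] == value)]
    if op == "-~":
        rx = re.compile(value)      # unanchored search, like regexec()
        return [p for p in reply if not (p[0] == attr and rx.search(p[1]))]
    raise ValueError("unsupported operator %r" % op)


def has_attr(reply, attr):
    return any(a == attr for a, _ in reply)


def strip_pool_if_static(reply):
    """Post-proxy policy from the earlier post: when the reply already
    carries Framed-IP-Address, remove any Cisco-AVPair matching
    ip:addr-pool.* so the NAS is not handed both a static address and a
    pool name; otherwise leave the reply alone so the pool stays as the
    fall back."""
    if not has_attr(reply, "Framed-IP-Address"):
        return list(reply)
    return apply_reply_op(reply, "-~", "Cisco-AVPair", "ip:addr-pool.*")


if __name__ == "__main__":
    for op, val in (("-*", ""), ("-=", ""),
                    ("-=", "ip:addr-pool=suspended"), ("-~", "ip:addr-pool.*")):
        print(op, repr(val), apply_reply_op(SAMPLE_REPLY, op, "Cisco-AVPair", val))
    print("policy:", strip_pool_if_static(SAMPLE_REPLY))
```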
Re: Undefined symbol with eaptls / freeradius 1.0.1 (debian)
Paul, While checking out why my patch to add a function to rlm_preprocess causes freeradius to bomb with undefined symbol I came across this post. Just wanted to ask that you incorporate dpatch support even if you don't migrate your patches to that. It's how I make my private deb builds. It was incredibly easy to do yet... I simply added an include line in debian/rules and added the patch/unpatch targets. But I am sure you know how to use dpatch... Anyways if you do it it's one less thing for me to worry about building private debs! Thanks, Joe

Paul Hampson wrote: On Wed, Feb 23, 2005 at 10:24:45AM +1100, Tom wrote: Thanks very much for your reply I appreciate your help and I've just got a couple of followup questions. Just upgrading libtool won't work, as libtool 1.5 requires a more recent version of autoconf than is used in FreeRADIUS 1.0.1. As the above post suggests, try 1.1.0 (eg. CVS head) which builds with By 1.1.0 does that mean I should download the radiusd module using CVS? (Not sure if you're referring to that or 1.1.0 of something else?). Yeah. 'eg' should have been 'ie' libtool 1.5 and autoconf 2.57 and where PEAP and TTLS _should_ work. (Although I've not tested them myself) So the hypothesis is download the CVS head, re-package+compile it and try again? Sorry about the relatively simple questions but I didn't know there was a version of freeradius higher than 1.0.1 - I guess looking at the CVS tree there are a number of files updated there but I'm not sure if that constitutes v1.1.0 so I'm a bit lost as to what I'm looking for. Sorry. Yes, FreeRADIUS 1.1.0 doesn't exist per se, I meant the head branch of CVS. You should be able to just grab it from CVS or a snapshot, and dpkg-buildpackage -us -uc -rfakeroot -b and get a whole bunch of packages out. I'm considering going to dpatch in the CVS version, to make it easier to support in Debian, but I've not got the time to convert yet, and have to upload 1.0.2 to Debian first.
Variables defined from radiusd.conf used in included files from CVS head
Produced an error on startup. Specifically ${logdir} in sql.conf. Thanks, Joe
Undefined symbol in rlm_preprocess
Hello All, I am trying to rebuild a deb package on sarge for 1.0.2 - 1.1.0pre0 that includes a patch that adds a function to rlm_preprocess.c (This patch, available to any who wish it, adds the attribute Client-Short-Name with the value as defined from the clients.conf file. It is used to match stanzas to all clients that share a common portion of the Client-Short-Name so that requests from similar NAS's may be dealt with in a similar fashion. I prefer this approach to working off the IP address.)

static int add_client_attr(REQUEST *request);

Which is used in the same manner as add_nas_attr() and in the same places. Running the build gives me Undefined symbol when freeradius hits that point of execution during authentication requests and it exits. grepping for add_nas_attr shows no extra work done in the source than that I had done for add_client_attr. Is there something I am missing? Thanks for any help, Joe
Re: HELP:
Perhaps you would put the files section after ldap and have a DEFAULT for allow in the users file?

Matthew Crocker wrote: I need to configure FreeRADIUS to authenticate/authorize off LDAP (I have this working). And if that fails (incorrect password, user unknown) to send an Accept packet back to the NAS. In other words, I want to allow everyone into the NAS but if they are in LDAP use their specific LDAP information for the connection. -Matt
Re: Variables defined from radiusd.conf used in included files from CVS head
Alan DeKok wrote: Joe Maimon [EMAIL PROTECTED] wrote: Produced an error on startup. Specifically ${logdir} in sql.conf Can you say what the error is, or should we guess? Alan DeKok.

IIRC it was an error about the variable being undefined or something to that effect while I was testing debian CVS head packages. I was trying out other items and I hadn't made a note of it. Sorry. Anyways, I can't seem to reproduce it now. Never mind. Sorry for the interruption.