difference in logs
I have just set up freeradius 0.8 on redhat 8 (2.4.18-14) and like it much more than icradius, but I am seeing a strange occurrence in my logs. We have many other radius servers that are proxying requests to us, and this box is intended as a replacement to one of the radius servers we use right now running icradius. User auth information is stored in mysql database and all is working fine as far as I can see. However, during some testing between this new box and a client radius server that is forwarding auth requests by using fully qualified username ([EMAIL PROTECTED]). The @customcpu.com should be stripped and then testing is sent to our box for auth.

In my main radius log file (/var/log/radius) the auth request appears to come in as it should:

Mon Dec 30 17:27:29 2002 : Auth: Login OK: [testing] (from client acs-proxy[4] port 32 cli 9075692251)

However, when I check the detail log file, I see:

Mon Dec 30 17:27:29 2002
    Acct-Session-Id = "1E002868"
    User-Name = "[EMAIL PROTECTED]"
    NAS-IP-Address = 209.112.154.7
    NAS-Port = 32
    NAS-Port-Type = Async
    Acct-Status-Type = Start
    Acct-Authentic = RADIUS
    Connect-Info = "52000 LAPM/V42BIS"
    Called-Station-Id = "2744107"
    Calling-Station-Id = "9075692251"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 209.112.139.144
    Acct-Delay-Time = 0
    Client-IP-Address = 209.193.61.249
    Acct-Unique-Session-Id = "abef067046a44f52"
    Timestamp = 1041301649

Mon Dec 30 17:28:27 2002
    Acct-Session-Id = "1E002868"
    User-Name = "[EMAIL PROTECTED]"
    NAS-IP-Address = 209.112.154.7
    NAS-Port = 32
    NAS-Port-Type = Async
    Acct-Status-Type = Stop
    Acct-Session-Time = 58
    Acct-Authentic = RADIUS
    Connect-Info = "52000 LAPM/V42BIS"
    Acct-Input-Octets = 2136
    Acct-Output-Octets = 788
    Called-Station-Id = "2744107"
    Calling-Station-Id = "9075692251"
    Acct-Terminate-Cause = User-Request
    LE-Terminate-Detail = "User Request - PPP Term Req"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 209.112.139.144
    Acct-Delay-Time = 0
    Client-IP-Address = 209.193.61.249
    Acct-Unique-Session-Id = "abef067046a44f52"
    Timestamp = 1041301707

I have session information being logged via radutmp & sql in radiusd.conf:

session {
    radutmp
    sql
}

The sql database shows the same information as the detail file entries above.

radlast shows:

testing@ 032:0XCaBw 209.112.139.159 Mon Dec 30 17:29 - 17:35 (00:06)

radwho (while the connection was active):

testing@cu testing@customcpu PPP S32 Mon 17:36 209.112.1 209.112.139.129

I'm not too informed on the more advanced features of the radius protocol, but I have been trying to find something to explain this occurrence in the documentation and cannot. I don't understand how an auth request can come in for a username testing, and be authenticated and logged one place, then show up as [EMAIL PROTECTED] in another log? @customcpu.com should have been stripped from the username before being sent to my server, but then again, /var/log/radius shows the request coming in as just testing. I have no reference of any kind to @customcpu.com in any part of my config, so I'm wondering how many parts to a radius authentication request packet there are? Is there a field in the auth request where my server could be seeing @customcpu.com but not considering it when checking against my mysql user database?

I would really love it if someone would at least flame me right before pointing me in some direction that will help me understand what is going on here.

Thanks much all.

-Chris Ochap

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Calling-Station-ID in accounting start request
31-Dec-02 at 10:18, Tim D. McCracken ([EMAIL PROTECTED]) wrote :
> > At 04:06 PM 12/31/2002 +0100, Mariusz Bożewicz wrote:
> >
> > >- Original Message -
> > >From: "Alan DeKok" <[EMAIL PROTECTED]>
> > >
> > > > "m&m's" <[EMAIL PROTECTED]> wrote:
> > > > > Is any possibility to enter Calling-Station-Id field into detail file?
> > > >
> > > > Why wouldn't it be?
> > >Ok. The possibility is... hehe, but not in my Radius server detail file. So
> > >what should I do to enter this field to detail file ?
> >
> > Make sure the NAS sends it? You *have* done this already right? Running
> > the server in debugging mode to see what it receives from the NAS?
> >
> > Unfortunately the 'rlm_magic' module has not been written, so if the NAS
> > doesn't send it, the server can't log it. Patches welcome of course. :)
> >
> > -Chris
>
> Note: I have completed rlm_magic module and am currently working
> on the rlm_clairvoyance module. Not only will it do everything you
> want, regardless of the available data, it will read your mind so that
> no manual configuration is required! :)

Now, be careful. If that module works well, you might want to patent it :) don't GPL such a rare pearl.

Happy New Year to the list.

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
RE: Calling-Station-ID in accounting start request
> At 04:06 PM 12/31/2002 +0100, Mariusz Bożewicz wrote:
>
> >- Original Message -
> >From: "Alan DeKok" <[EMAIL PROTECTED]>
> >
> > > "m&m's" <[EMAIL PROTECTED]> wrote:
> > > > Is any possibility to enter Calling-Station-Id field into detail file?
> > >
> > > Why wouldn't it be?
> >Ok. The possibility is... hehe, but not in my Radius server detail file. So
> >what should I do to enter this field to detail file ?
>
> Make sure the NAS sends it? You *have* done this already right? Running
> the server in debugging mode to see what it receives from the NAS?
>
> Unfortunately the 'rlm_magic' module has not been written, so if the NAS
> doesn't send it, the server can't log it. Patches welcome of course. :)
>
> -Chris

Note: I have completed rlm_magic module and am currently working on the rlm_clairvoyance module. Not only will it do everything you want, regardless of the available data, it will read your mind so that no manual configuration is required! :)

HAPPY NEW YEAR TO ALL FreeRadius Users and especially to Alan!

- Tim

> --
> \\\|||/// \ StarNet Inc. \ Chris Parker
> \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering
> | @ @ |\ http://www.starnetwx.net \ (847) 963-0116
> oOo---(_)---oOo--\--
> \ Wholesale Internet Services - http://www.megapop.net
Re: Calling-Station-ID in accounting start request
At 04:06 PM 12/31/2002 +0100, Mariusz Bożewicz wrote:

>- Original Message -
>From: "Alan DeKok" <[EMAIL PROTECTED]>
>
> > "m&m's" <[EMAIL PROTECTED]> wrote:
> > > Is any possibility to enter Calling-Station-Id field into detail file?
> >
> > Why wouldn't it be?
>Ok. The possibility is... hehe, but not in my Radius server detail file. So
>what should I do to enter this field to detail file ?

Make sure the NAS sends it? You *have* done this already right? Running the server in debugging mode to see what it receives from the NAS?

Unfortunately the 'rlm_magic' module has not been written, so if the NAS doesn't send it, the server can't log it. Patches welcome of course. :)

-Chris

--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless!\ Director, Engineering
| @ @ |\ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\--
\ Wholesale Internet Services - http://www.megapop.net
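
An added example (not written by any poster here and not part of the FreeRADIUS distribution) that audits a detail file for the two things raised in this thread and in the "difference in logs" post: records logged without Calling-Station-Id, and User-Name values that still carry a realm. The record layout is an assumption, and every sample value is constructed.

```python
import re

# Constructed sample; assumed layout: timestamp line, indented "Attr = value" lines, blank separator.
SAMPLE = """\
Mon Dec 30 17:27:29 2002
\tAcct-Session-Id = "1E002868"
\tUser-Name = "testing@example.com"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "5550100"

Mon Dec 30 17:28:27 2002
\tAcct-Session-Id = "1E002868"
\tUser-Name = "testing@example.com"
\tAcct-Status-Type = Stop

Mon Dec 30 17:30:02 2002
\tAcct-Session-Id = "1E002869"
\tUser-Name = "alice"
\tAcct-Status-Type = Start
"""

PAIR = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$')

def parse_detail(text):
    """Return one dict per record: {'_time': header line, attribute: value, ...}."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():            # blank line ends the record
            cur = None
        elif not line[0].isspace():     # unindented timestamp starts a record
            cur = {"_time": line.strip()}
            records.append(cur)
        elif cur is not None and (m := PAIR.match(line)):
            cur[m.group(1)] = m.group(2).strip().strip('"')
    return records

def audit(records, required=("Calling-Station-Id",)):
    """Return (time, session, problem) tuples for absent attributes and realm-qualified names."""
    findings = []
    for r in records:
        sid = r.get("Acct-Session-Id", "?")
        for attr in required:
            if attr not in r:           # attribute absent from the logged record
                findings.append((r["_time"], sid, "missing " + attr))
        if "@" in r.get("User-Name", ""):
            findings.append((r["_time"], sid, "realm in User-Name: " + r["User-Name"]))
    return findings

if __name__ == "__main__":
    print(*audit(parse_detail(SAMPLE)), sep="\n")
```
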
Re: Calling-Station-ID in accounting start request
- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>

> "m&m's" <[EMAIL PROTECTED]> wrote:
> > Is any possibility to enter Calling-Station-Id field into detail file?
>
> Why wouldn't it be?

Ok. The possibility is... hehe, but not in my Radius server detail file. So what should I do to enter this field to detail file ?

Mariusz Bozewicz
Re: Calling-Station-ID in accounting start request
"m&m's" <[EMAIL PROTECTED]> wrote:
> Is any possibility to enter Calling-Station-Id field into detail file?

Why wouldn't it be?

Alan DeKok.
Re: HOW TO START EXEC-WAIT SCRIPT....
falcon <[EMAIL PROTECTED]> wrote:
> I have 9 groups (roles) of users, for the
> corresponding roles I have to run accounting script, which will logon
> them. That script will count time of dropping user. And if user logged out
> earlier than he was dropped, then another script must get
> user_worked_secs...

So write a script. There are examples in the distribution telling you how to use Exec-Program-wait.

You did look at the files distributed with the server, didn't you?

Alan DeKok.
Re: Question about rlm_sql
"wanglu" <[EMAIL PROTECTED]> wrote:
> But one more question: it said that 'sql' can not be included in
> the 'authentication' part of the radiusd.conf, which I also saw
> in aaa.txt. But in radius.conf, 'sql' is commented in the
> 'authentication'. Why is that?

Read the list archives. This comes up a lot.

> Should I use the 'pap' module instead?

You could, yes.

> But I want to use 'Auth-Type=EAP'. How can I solve it

Then I guess you don't want to use the pap module. I'd go out on a limb, and say you might want to use the eap module.

Alan DeKok.
Re: [SOLVED] op field is coming up NULL although it has a value in db
>Hello
>
>I'm using freeradius 0.8.1 with Postgresql 7.3.1 on FreeBSD 4.7-RELEASE
>and I have a couple of test users and groups set up in the sql
>database.
>However, when I do a test login (which works, but possibly by accident)
>I see an entry in the log file for every check and reply pair where
>rlm_sql complains that the op field value is NULL or non-existent.
>Fiddling around with sql.c shows that indeed the value of the op field
>is NULL, although the database has ':=' for reply pairs and '==' for
>check pairs.
>
>Turning on debugging shows that the correct query is going to the
>database, and of course running the query by hand in psql produces the
>correct result. I couldn't see any mention of this in the archives,
>leading me to suspect I may have broken something, but if I have, it's
>not obvious.
>
>I'm going through the postgres driver code at the moment, but it all
>seems to be Ok - has any one else seen this?

I hereby nominate myself for slaphead of the month. The problem was due to the authorize_group_check_query and authorize_group_reply_query strings in postgresql.conf not selecting the op field. Simply adding in the appropriate values to the select statement fixed it. Obvious really...

-Adrian
Calling-Station-ID in accounting start request
Hi

Is any possibility to enter Calling-Station-Id field into detail file?

Mariusz Bozewicz
op field is coming up NULL although it has a value in db
Hello

I'm using freeradius 0.8.1 with Postgresql 7.3.1 on FreeBSD 4.7-RELEASE and I have a couple of test users and groups set up in the sql database. However, when I do a test login (which works, but possibly by accident) I see an entry in the log file for every check and reply pair where rlm_sql complains that the op field value is NULL or non-existent. Fiddling around with sql.c shows that indeed the value of the op field is NULL, although the database has ':=' for reply pairs and '==' for check pairs.

Turning on debugging shows that the correct query is going to the database, and of course running the query by hand in psql produces the correct result. I couldn't see any mention of this in the archives, leading me to suspect I may have broken something, but if I have, it's not obvious.

I'm going through the postgres driver code at the moment, but it all seems to be Ok - has any one else seen this?

-Adrian