difference in logs

2002-12-31 Thread Lists @ Apted Tech.
I have just set up freeradius 0.8 on redhat 8 (2.4.18-14) and like it much
more than icradius, but I am seeing a strange occurrence in my logs.  We
have many other radius servers that are proxying requests to us, and this
box is intended as a replacement to one of the radius servers we use right
now running icradius.  User auth information is stored in mysql database and
all is working fine as far as I can see.  However, during some testing
between this new box and a client radius server that is forwarding auth
requests by using fully qualified username ([EMAIL PROTECTED]).  The
@customcpu.com should be stripped and then testing is sent to our box for
auth.  In my main radius log file (/var/log/radius) the auth request appears
to come in as it should:

Mon Dec 30 17:27:29 2002 : Auth: Login OK: [testing] (from client
acs-proxy[4] port 32 cli 9075692251)

However, when I check the detail log file, I see:

Mon Dec 30 17:27:29 2002
Acct-Session-Id = "1E002868"
User-Name = "[EMAIL PROTECTED]"
NAS-IP-Address = 209.112.154.7
NAS-Port = 32
NAS-Port-Type = Async
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Connect-Info = "52000 LAPM/V42BIS"
Called-Station-Id = "2744107"
Calling-Station-Id = "9075692251"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 209.112.139.144
Acct-Delay-Time = 0
Client-IP-Address = 209.193.61.249
Acct-Unique-Session-Id = "abef067046a44f52"
Timestamp = 1041301649

Mon Dec 30 17:28:27 2002
Acct-Session-Id = "1E002868"
User-Name = "[EMAIL PROTECTED]"
NAS-IP-Address = 209.112.154.7
NAS-Port = 32
NAS-Port-Type = Async
Acct-Status-Type = Stop
Acct-Session-Time = 58
Acct-Authentic = RADIUS
Connect-Info = "52000 LAPM/V42BIS"
Acct-Input-Octets = 2136
Acct-Output-Octets = 788
Called-Station-Id = "2744107"
Calling-Station-Id = "9075692251"
Acct-Terminate-Cause = User-Request
LE-Terminate-Detail = "User Request - PPP Term Req"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 209.112.139.144
Acct-Delay-Time = 0
Client-IP-Address = 209.193.61.249
Acct-Unique-Session-Id = "abef067046a44f52"
Timestamp = 1041301707

I have session information being logged via radutmp & sql in radiusd.conf:

session {
radutmp
sql
}

the sql database shows the same information as the detail file entries
above.

radlast shows:

testing@ 032:0XCaBw   209.112.139.159  Mon Dec 30 17:29 - 17:35  (00:06)

radwho (while the connection was active):

testing@cu testing@customcpu PPP   S32  Mon 17:36 209.112.1 209.112.139.129

I'm not too informed on the more advanced features of the radius protocol, but
I have been trying to find something to explain this occurrence in the
documentation and cannot.  I don't understand how an auth request can come
in for a username testing, and be authenticated and logged one place, then
show up as [EMAIL PROTECTED] in another log?  @customcpu.com should
have been stripped from the username before being sent to my server, but
then again, /var/log/radius shows the request coming in as just testing.  I
have no reference of any kind to @customcpu.com in any part of my config, so
I'm wondering how many parts to a radius authentication request packet there
are?  Is there a field in the auth request where my server could be seeing
@customcpu.com but not considering it when checking against my mysql
user database?  I would really love it if someone would at least flame me
right before pointing me in some direction that will help me understand what
is going on here.  Thanks much all.

-Chris Ochap


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
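
One way to line up the two logs described in the message above, as an added example that is not part of the original post: it parses the main-log "Login OK" line and the detail-file records, matches them on NAS port and Calling-Station-Id, and reports accounting records whose User-Name differs from the name logged at authentication. The sample data is constructed and the realm `example.net` is a placeholder.

```python
import re

# Constructed samples modelled on the post; realm example.net is a placeholder.
AUTH_LOG = (
    "Mon Dec 30 17:27:29 2002 : Auth: Login OK: [testing] "
    "(from client acs-proxy[4] port 32 cli 9075692251)\n"
)
DETAIL = """\
Mon Dec 30 17:27:29 2002
\tUser-Name = "testing@example.net"
\tNAS-Port = 32
\tAcct-Status-Type = Start
\tCalling-Station-Id = "9075692251"
\tAcct-Unique-Session-Id = "abef067046a44f52"

Mon Dec 30 17:28:27 2002
\tUser-Name = "testing@example.net"
\tNAS-Port = 32
\tAcct-Status-Type = Stop
\tCalling-Station-Id = "9075692251"
\tAcct-Unique-Session-Id = "abef067046a44f52"
"""
AUTH_RE = re.compile(r"Auth: Login OK: \[(?P<user>[^\]]*)\] "
                     r"\(from client \S+ port (?P<port>\d+) cli (?P<cli>[^\s)]+)\)")

def parse_auth(text):
    """Map (port, calling station) -> user name as written to the main log."""
    return {(m["port"], m["cli"]): m["user"] for m in AUTH_RE.finditer(text)}

def parse_detail(text):
    """Split a detail file into records: a timestamp line, then 'Attr = value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines()[1:]:
            name, sep, value = line.strip().partition(" = ")
            if sep:
                rec[name] = value.strip('"')
        records.append(rec)
    return records

def name_mismatches(auth_text, detail_text):
    """Accounting records whose User-Name differs from the name logged at auth."""
    logins = parse_auth(auth_text)
    out = []
    for rec in parse_detail(detail_text):
        user = logins.get((rec.get("NAS-Port"), rec.get("Calling-Station-Id")))
        if user is not None and rec.get("User-Name") != user:
            out.append((rec["Acct-Unique-Session-Id"], rec["Acct-Status-Type"],
                        user, rec["User-Name"]))
    return out
```
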




Re: Calling-Station-ID in accounting start request

2002-12-31 Thread Simon White
31-Dec-02 at 10:18, Tim D. McCracken ([EMAIL PROTECTED]) wrote :
> 
> At 04:06 PM 12/31/2002 +0100, Mariusz Bożewicz wrote:
> > 
> > >- Original Message -
> > >From: "Alan DeKok" <[EMAIL PROTECTED]>
> > >
> > >
> > > > "m&m's" <[EMAIL PROTECTED]> wrote:
> > > > > Is any possibility to enter Calling-Station-Id field into detail file?
> > > >
> > > >   Why wouldn't it be?
> > >Ok. The possibility is... hehe, but not in my Radius server detail file. So
> > >what should I do to enter this field to detail file ?
> > 
> > Make sure the NAS sends it?  You *have* done this already right?  Running
> > the server in debugging mode to see what it receives from the NAS?
> > 
> > Unfortunately the 'rlm_magic' module has not been written, so if the NAS
> > doesn't send it, the server can't log it.  Patches welcome of course.  :)
> > 
> > -Chris
> 
> Note:  I have completed rlm_magic module and am currently working
> on the rlm_clairvoyance module.  Not only will it do everything you
> want, regardless of the available data, it will read your mind so that
> no manual configuration is required!   :) 

Now, be careful. If that module works well, you might want to patent it
:) don't GPL such a rare pearl.

Happy New Year to the list.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




RE: Calling-Station-ID in accounting start request

2002-12-31 Thread Tim D. McCracken

At 04:06 PM 12/31/2002 +0100, Mariusz Bożewicz wrote:
> 
> >- Original Message -
> >From: "Alan DeKok" <[EMAIL PROTECTED]>
> >
> >
> > > "m&m's" <[EMAIL PROTECTED]> wrote:
> > > > Is any possibility to enter Calling-Station-Id field into detail file?
> > >
> > >   Why wouldn't it be?
> >Ok. The possibility is... hehe, but not in my Radius server detail file. So
> >what should I do to enter this field to detail file ?
> 
> Make sure the NAS sends it?  You *have* done this already right?  Running
> the server in debugging mode to see what it receives from the NAS?
> 
> Unfortunately the 'rlm_magic' module has not been written, so if the NAS
> doesn't send it, the server can't log it.  Patches welcome of course.  :)
> 
> -Chris

Note:  I have completed rlm_magic module and am currently working
on the rlm_clairvoyance module.  Not only will it do everything you
want, regardless of the available data, it will read your mind so that
no manual configuration is required!   :) 

HAPPY NEW YEAR TO ALL FreeRadius Users and especially to Alan! - Tim


> 
> --
> \\\|||///  \  StarNet Inc.  \ Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net





Re: Calling-Station-ID in accounting start request

2002-12-31 Thread Chris Parker
At 04:06 PM 12/31/2002 +0100, Mariusz Bożewicz wrote:


- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>


> "m&m's" <[EMAIL PROTECTED]> wrote:
> > Is any possibility to enter Calling-Station-Id field into detail file?
>
>   Why wouldn't it be?
Ok. The possibility is... hehe, but not in my Radius server detail file. So
what should I do to enter this field to detail file ?


Make sure the NAS sends it?  You *have* done this already right?  Running
the server in debugging mode to see what it receives from the NAS?

Unfortunately the 'rlm_magic' module has not been written, so if the NAS
doesn't send it, the server can't log it.  Patches welcome of course.  :)

-Chris

--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: Calling-Station-ID in accounting start request

2002-12-31 Thread Mariusz Bożewicz

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>


> "m&m's" <[EMAIL PROTECTED]> wrote:
> > Is any possibility to enter Calling-Station-Id field into detail file?
>
>   Why wouldn't it be?
Ok. The possibility is... hehe, but not in my Radius server detail file. So
what should I do to enter this field to detail file ?

Mariusz Bozewicz





Re: Calling-Station-ID in accounting start request

2002-12-31 Thread Alan DeKok
"m&m's" <[EMAIL PROTECTED]> wrote:
> Is any possibility to enter Calling-Station-Id field into detail file?

  Why wouldn't it be?

  Alan DeKok.




Re: HOW TO START EXEC-WAIT SCRIPT....

2002-12-31 Thread Alan DeKok
falcon <[EMAIL PROTECTED]> wrote:
> I have 9 groups (roles) of users,  for the
> corresponding roles i have to run accounting script, which will logon
> them. That script will count time of dropping user. And if user logged out
> earlier than he was dropped, then another script must get
> user_worked_secs...

  So write a script.  There are examples in the distribution telling
you how to use Exec-Program-wait.

  You did look at the files distributed with the server, didn't you?

  Alan DeKok.




Re: Question about rlm_sql

2002-12-31 Thread Alan DeKok
"wanglu" <[EMAIL PROTECTED]> wrote:
> But one more question: it said that 'sql' can not included in
>  the 'authentication' part of the radiusd.conf, which I also saw
>  in aaa.txt. But in radius.conf, 'sql' is commented in the
>  'authentication'. Why is that?

  Read the list archives.  This comes up a lot.

>  Should I use the 'pap' module  instead?

  You could, yes.

>  But I want to use 'Auth-Type=EAP'. How can I solve it

  Then I guess you don't want to use the pap module.  I'd go out on a
limb, and say you might want to use the eap module.

  Alan DeKok.






Re: [SOLVED] op field is coming up NULL although it has a value in db

2002-12-31 Thread Adrian Urquhart
>Hello
>
>I'm using freeradius 0.8.1 with Postgresql 7.3.1 on FreeBSD 4.7-RELEASE
>and I have a couple of test users and groups set up in the sql
>database.
>However, when I do a test login (which works, but possibly by accident)
>I see an entry in the log file for every check and reply pair where
>rlm_sql complains that the op field value is NULL or non-existent.
>Fiddling around with sql.c shows that indeed the value of the op field
>is NULL, although the database has ':=' for reply pairs and '==' for
>check pairs.
>
>Turning on debugging shows that the correct query is going to the
>database, and of course running the query by hand in psql produces the
>correct result. I couldn't see any mention of this in the archives,
>leading me to suspect I may have broken something, but if I have, it's
>not obvious.
>
>I'm going through the postgres driver code at the moment, but it all
>seems to be Ok - has anyone else seen this?

I hereby nominate myself for slaphead of the month. The problem was due
to the authorize_group_check_query and authorize_group_reply_query
strings in postgresql.conf not selecting the op field.

Simply adding in the appropriate values to the select statement fixed
it. Obvious really...

-Adrian
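
The failure described in the message above, reproduced as an added example that is not part of the original post: a group-check query that returns rows but does not select `op`, next to one that does. The table layout, the two query strings and the positional reader are assumptions made for illustration (SQLite stands in for PostgreSQL); they are not the contents of the poster's postgresql.conf.

```python
import sqlite3

def make_db():
    """Constructed test data: one user in one group with one check pair."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE usergroup (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
        CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT,
                                    Attribute TEXT, Value TEXT, op TEXT);
        INSERT INTO usergroup VALUES (1, 'testuser', 'dialup');
        INSERT INTO radgroupcheck VALUES (1, 'dialup', 'Auth-Type', 'Local', '==');
    """)
    return db

# Hypothetical query strings: the first omits op, the second selects it.
QUERY_WITHOUT_OP = """
    SELECT c.id, c.GroupName, c.Attribute, c.Value
    FROM radgroupcheck c JOIN usergroup u ON u.GroupName = c.GroupName
    WHERE u.UserName = ? ORDER BY c.id"""
QUERY_WITH_OP = """
    SELECT c.id, c.GroupName, c.Attribute, c.Value, c.op
    FROM radgroupcheck c JOIN usergroup u ON u.GroupName = c.GroupName
    WHERE u.UserName = ? ORDER BY c.id"""

def load_pairs(db, query, user):
    """Read (attribute, op, value) by column position; op is the fifth column.

    Assumption: the consumer takes the operator from a fixed position, so a
    query that returns only four columns yields no operator at all.
    """
    pairs = []
    for row in db.execute(query, (user,)):
        op = row[4] if len(row) > 4 else None
        pairs.append((row[2], op, row[3]))
    return pairs

def missing_op(pairs):
    """Attributes that came back without an operator."""
    return [attr for attr, op, _ in pairs if not op]
```

Both queries return the same row when run by hand, which is why the result looks correct in a SQL client even though the operator never reaches the reader.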




Calling-Station-ID in accounting start request

2002-12-31 Thread
Hi
Is any possibility to enter Calling-Station-Id field into detail file?

Mariusz Bozewicz





op field is coming up NULL although it has a value in db

2002-12-31 Thread Adrian Urquhart
Hello

I'm using freeradius 0.8.1 with Postgresql 7.3.1 on FreeBSD 4.7-RELEASE
and I have a couple of test users and groups set up in the sql database.
However, when I do a test login (which works, but possibly by accident)
I see an entry in the log file for every check and reply pair where
rlm_sql complains that the op field value is NULL or non-existent.
Fiddling around with sql.c shows that indeed the value of the op field
is NULL, although the database has ':=' for reply pairs and '==' for
check pairs.

Turning on debugging shows that the correct query is going to the
database, and of course running the query by hand in psql produces the
correct result. I couldn't see any mention of this in the archives,
leading me to suspect I may have broken something, but if I have, it's
not obvious.

I'm going through the postgres driver code at the moment, but it all
seems to be Ok - has anyone else seen this?

-Adrian
