FreeRADIUS dies
Hello,

I'm using FreeRADIUS 0.8.1 as production RADIUS server with Oracle 8.1.7 on Linux. It works fine, but sometimes it will get confused, then rejects _every_ login. There is no SQL or other error in the log files, the accounting works fine, but it sends Access-Reject for every Access-Request, and displays Login incorrect in the log. If I restart the daemon, it works fine for 1-2 days, then it dies again.

What could be wrong?

Thanks,
F.
Re: rlm_sqlcounter
Hello,

It doesn't work without it either. I think it will be some kind of Oracle specific bug. Especially as the Simultaneous-Use check does not work with Oracle in 0.7 either.

Felician

----- Original Message -----
From: "Randy Moore" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 31, 2002 17:14
Subject: Re: rlm_sqlcounter

> At 03:18 PM 7/29/2002 +0200, you wrote:
> >Hello,
> >
> >I'd like to use rlm_sqlcounter with freeradius 0.7 (using oracle backend),
> >but it does not work. I have the following config:
> >
> >    sqlcounter totalcounter {
> >        counter-name = Total-Session-Time
> >        check-name = Total-Time-Limit
> >        sqlmod-inst = sql
> >        key = User-Name
> >        reset = never
> >        query = "SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='%{%k}'"
> >    }
>
> Hi, I'd guess you need to remove the extra 'a' in your query just before
> "FROM acct_internet".
>
> Randy Moore
> Axion Information Technologies, Inc.
>
> email [EMAIL PROTECTED]
> phone 301-408-1200
> fax 301-445-3947

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: bug in FreeRADIUS?
> > Cisco-AVPair
> > ip:inacl#1=deny tcp any host xxx eq smtp =
>
> Did you read 'man 5 users'?
> You're using '=', when you want '+='.

Thank you, this was the problem.

Do you have any ideas about my rlm_sqlcounter problem? It must be a bug, I've read rlm_sqlcounter/README.txt :-)

Thank you,
Felician
bug in FreeRADIUS?
Hi,

I've found another interesting issue in FreeRADIUS:

I have a user, with multiple Cisco-AVPair reply attributes:

SQL> SELECT groupreply.id,groupreply.GroupName,groupreply.Attribute,groupreply.Value,groupreply.operator FROM groupreply,v_usergroup_freeradius WHERE v_usergroup_freeradius.Username = '[EMAIL PROTECTED]' AND v_usergroup_freeradius.GroupName = groupreply.GroupName ORDER BY groupreply.id;

 ID GROUPNAME  ATTRIBUTE       VALUE                                    OPERATOR
--- ---------- --------------- ---------------------------------------- --------
700 FREEDIALUP Service-Type    Framed-User                              =
701 FREEDIALUP Framed-Routing  None                                     =
702 FREEDIALUP Framed-Protocol PPP                                      =
703 FREEDIALUP Cisco-AVPair    ip:inacl#1=deny tcp any host xxx eq smtp =
704 FREEDIALUP Cisco-AVPair    ip:inacl#2=deny tcp any host xxx eq smtp =
705 FREEDIALUP Cisco-AVPair    ip:inacl#3=permit ip any any             =
706 FREEDIALUP Cisco-AVPair    ip:dns-servers=xxx xxx                   =
707 FREEDIALUP Cisco-AVPair    modem-on-hold*960                        =

8 rows selected

FreeRADIUS executes the same query to find out user's reply items, but it's sending only the first Cisco-AVPair to the NAS.

rad_recv: Access-Request packet from host xxx:64298, id=56, length=102
Thread 2 assigned request 1
--- Walking the entire request list ---
Threads: total/active/spare threads = 10/1/9
Waking up in 5 seconds...
Thread 2 handling request 1, (1 handled so far)
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "xxx"
    NAS-Port = 1
    LE-Terminate-Detail = "test"
    LE-Advice-of-Charge = "TiNC"
    USR-Terminal-Type = "test"
    NAS-IP-Address = x
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm freeweb.hu for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm freeweb.hu
modcall[authorize]: module "suffix" returns noop
radius_xlat: '[EMAIL PROTECTED]'
sql_set_user: escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,operator FROM v_usercheck_freeradius WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql: Reserving sql socket id: 8
radius_xlat: 'SELECT groupcheck.id,groupcheck.GroupName,groupcheck.Attribute,groupcheck.Value, groupcheck.operator FROM groupcheck,v_usergroup_freeradius WHERE v_usergroup_freeradius.Username = '[EMAIL PROTECTED]' AND v_usergroup_freeradius.GroupName = groupcheck.GroupName ORDER BY groupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,'' operator FROM v_userreply_freeradius WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT groupreply.id,groupreply.GroupName,groupreply.Attribute,groupreply.Value,groupreply.operator FROM groupreply,v_usergroup_freeradius WHERE v_usergroup_freeradius.Username = '[EMAIL PROTECTED]' AND v_usergroup_freeradius.GroupName = groupreply.GroupName ORDER BY groupreply.id'
radius_xlat: 'SELECT Value,Attribute FROM v_usercheck_freeradius WHERE UserName = '[EMAIL PROTECTED]' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'
rlm_sql: Released sql socket id: 8
modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [[EMAIL PROTECTED]] (from client xxx port 1)
Sending Access-Accept of id 56 to xxx:64298
    Service-Type = Framed-User
    Framed-Routing = None
    Framed-Protocol = PPP
    Cisco-AVPair = "ip:inacl#1=deny tcp any host xxx eq smtp"
    Session-Timeout = 360
Finished request 1
Going to the next request
Thread 2 waiting to be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 10/0/10
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 56 with timestamp 3d458183
Nothing to do. Sleeping until we see a request.

Is this a configuration problem or a bug (feature? :-)) in FreeRADIUS?

Thank You,
Felician
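
Why only the first Cisco-AVPair reached the NAS, shown as an added example that is not part of the original thread or of FreeRADIUS: a simplified Python model of the reply-item operators documented in users(5), run over the groupreply rows from the post. The function names are hypothetical, and the `:=` branch does not model where a replaced item sits in the list.

```python
# Added example: a simplified model of reply-item operators as described in users(5).
# Rows are the groupreply rows from the post ("xxx" placeholders as posted).
GROUPREPLY = [
    ("Service-Type", "=", "Framed-User"),
    ("Framed-Routing", "=", "None"),
    ("Framed-Protocol", "=", "PPP"),
    ("Cisco-AVPair", "=", "ip:inacl#1=deny tcp any host xxx eq smtp"),
    ("Cisco-AVPair", "=", "ip:inacl#2=deny tcp any host xxx eq smtp"),
    ("Cisco-AVPair", "=", "ip:inacl#3=permit ip any any"),
    ("Cisco-AVPair", "=", "ip:dns-servers=xxx xxx"),
    ("Cisco-AVPair", "=", "modem-on-hold*960"),
]


def merge_reply(rows):
    """Return (reply, dropped): the reply list and the rows that never reach it."""
    reply, dropped = [], []
    for attr, op, value in rows:
        present = any(a == attr for a, _ in reply)
        if op == "=":        # add only if no item of this attribute exists yet
            if present:
                dropped.append((attr, value))
            else:
                reply.append((attr, value))
        elif op == ":=":     # replace any existing item of this attribute
            reply = [(a, v) for a, v in reply if a != attr] + [(attr, value)]
        elif op == "+=":     # always append to the tail of the list
            reply.append((attr, value))
        else:
            raise ValueError(f"unsupported reply operator: {op!r}")
    return reply, dropped


def with_operator(rows, attr, new_op):
    """Copy of rows with the operator changed for one attribute name."""
    return [(a, new_op if a == attr else op, v) for a, op, v in rows]


if __name__ == "__main__":
    reply, dropped = merge_reply(GROUPREPLY)
    print("as posted:", [v for a, v in reply if a == "Cisco-AVPair"])
    print("dropped  :", [v for _, v in dropped])
    fixed, _ = merge_reply(with_operator(GROUPREPLY, "Cisco-AVPair", "+="))
    print("with '+=':", [v for a, v in fixed if a == "Cisco-AVPair"])
```

The rows reported as dropped are the ones to audit in a groupreply table, since here they include ip:inacl entries that the NAS never receives.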
rlm_sqlcounter
Hello,

I'd like to use rlm_sqlcounter with freeradius 0.7 (using oracle backend), but it does not work. I have the following config:

    sqlcounter totalcounter {
        counter-name = Total-Session-Time
        check-name = Total-Time-Limit
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='%{%k}'"
    }

When I try to authenticate the user with Total-Time-Limit check attribute:

rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='%{User-Name}''
radius_xlat: 'SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='[EMAIL PROTECTED]''
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='[EMAIL PROTECTED]'}'
radius_xlat: Runing registered xlat function of module sql for string 'SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='[EMAIL PROTECTED]''
rlm_sql: - sql_xlat
radius_xlat: 'SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='[EMAIL PROTECTED]''
rlm_sql: Reserving sql socket id: 4
rlm_sql: - sql_xlat finished
rlm_sql: Released sql socket id: 4
radius_xlat: 'h???ÀÙÑ*p???p???ÐÙÑ*ÐÙÑ*ØÙÑ*ØÙÑ*àÙÑ*àÙÑ*èÙÑ*èÙÑ*ðÙÑ*ðÙÑ*øÙÑ*øÙÑ*'
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user [EMAIL PROTECTED], check_item=216000, counter=0
rlm_sqlcounter: Sent Reply-Item for user [EMAIL PROTECTED], Type=Session-Timeout, value=216000
modcall[authorize]: module "totalcounter" returns ok

I think variable "counter" should be equal to the result of sql query. But counter = 0, and FreeRADIUS does not apply the correct Session-Timeout to the user.

SQL> SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='[EMAIL PROTECTED]';

         A
----------
     44318

Thank You,
Felician Hoppal
FreeRADIUS 0.7 & ORACLE
Hello,

FreeRADIUS 0.7 does not compile with ORACLE support:

./configure --prefix=/usr --with-logdir=/var/log --with-radacctdir=/var/log/radacct --with-raddbdir=/etc/raddb --with-rlm_sql --with-rlm_sql_oracle --with-experimental-modules --with-snmp --without-rlm_x99_token

configuring in ./drivers/rlm_sql_oracle
running /bin/sh ./configure --prefix=/usr --with-logdir=/var/log --with-radacctdir=/var/log/radacct --with-raddbdir=/etc/raddb --with-rlm_sql --with-rlm_sql_oracle --with-experimental-modules --with-snmp --without-rlm_x99_token --enable-ltdl-install --enable-ltdl-install --cache-file=../../../../.././config.cache --srcdir=.
loading cache ../../../../.././config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG ) works... yes
checking whether the C compiler (gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking for oci.h... yes
yes
creating ./config.status
creating Makefile

Making static in rlm_sql_oracle...
make[10]: Entering directory `/usr/src/freeradius-0.7/src/modules/rlm_sql/drivers/rlm_sql_oracle'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I../.. -I../../../../include -I/usr/local/oracle/product/8.1.7/rdbms/demo -I/usr/local/oracle/product/8.1.7/rdbms/public -I/usr/local/oracle/product/8.1.7/plsql/public -I/usr/local/oracle/product/8.1.7/network/public -I/usr/local/oracle/product/8.1.7/oci/include -I/usr/src/freeradius-0.7/libltdl -c sql_oracle.c -o sql_oracle.o
sql_oracle.c:361: conflicting types for `sql_fetch_row'
sql_oracle.h:33: previous declaration of `sql_fetch_row'
sql_oracle.c: In function `sql_fetch_row':
sql_oracle.c:374: warning: return makes integer from pointer without a cast
make[10]: *** [sql_oracle.o] Error 1

Best Regards,
Felician Hoppal
Cisco VSA & FreeRADIUS
Hello,

I've tested freeradius 0.6 and it works fine, I'm planning to replace my production radius now. I have only one problem, I'd like to log Cisco VSAs (like nas-rx-speed, nas-tx-speed) in SQL database. I have 50+ AS5350 and AS5400 with IOS 12.2 and it sends VSA accounting as Cisco-AVPair. Cisco-vsa-hack does not work with this. Any solution?

This is a sample accounting-stop record:

Fri Jul 26 22:56:34 2002
    NAS-IP-Address = xxx
    NAS-Port = 670
    Cisco-NAS-Port = "Async5/22*Serial2/6:2"
    NAS-Port-Type = Async
    User-Name = "xxx"
    Called-Station-Id = "xxx"
    Calling-Station-Id = "xxx"
    Acct-Status-Type = Stop
    Acct-Authentic = RADIUS
    Service-Type = Framed-User
    Acct-Session-Id = "0E000D11"
    Framed-Protocol = PPP
    Framed-IP-Address = xxx
    Acct-Terminate-Cause = Lost-Carrier
    Acct-Input-Octets = 3597499
    Acct-Output-Octets = 36347730
    Acct-Input-Packets = 55748
    Acct-Output-Packets = 74657
    Acct-Session-Time = 7280
    Cisco-AVPair = "disc-cause-ext=1011"
    Cisco-AVPair = "pre-bytes-in=123"
    Cisco-AVPair = "pre-bytes-out=112"
    Cisco-AVPair = "pre-paks-in=5"
    Cisco-AVPair = "pre-paks-out=5"
    Cisco-AVPair = "pre-session-time=25"
    Cisco-AVPair = "connect-progress=60"
    Cisco-AVPair = "nas-rx-speed=28800"
    Cisco-AVPair = "nas-tx-speed=5"
    Acct-Delay-Time = 0
    Client-IP-Address = xxx
    Timestamp = 1027716994

Best Regards,
Felician Hoppal