FreeRADIUS dies

2003-04-01 Thread HOPPÁL Felicián



Hello,
 
I'm using FreeRADIUS 0.8.1 as production RADIUS server with Oracle 8.1.7 on
Linux. It works fine, but sometimes it will get confused, then rejects _every_
login. There is no SQL or other error in the log files, the accounting works
fine, but it sends Access-Reject for every Access-Request, and displays Login
incorrect in the log. If I restart the daemon, it works fine for 1-2 days, then
it dies again.
 
What could be wrong?
 
Thanks,
F.


Re: rlm_sqlcounter

2002-07-31 Thread HOPPÁL Felicián

Hello,

It doesn't work without it either. I think it will be some kind of Oracle
specific bug. Especially as the Simultaneous-Use check does not work with
Oracle in 0.7 either.

Felician

- Original Message -
From: "Randy Moore" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 31, 2002 17:14
Subject: Re: rlm_sqlcounter


> At 03:18 PM 7/29/2002 +0200, you wrote:
> >Hello,
> >
> >I'd like to use rlm_sqlcounter with freeradius 0.7 (using oracle backend),
> >but it does not work. I have the following config:
> >
> > sqlcounter totalcounter {
> >     counter-name = Total-Session-Time
> >     check-name = Total-Time-Limit
> >     sqlmod-inst = sql
> >     key = User-Name
> >     reset = never
> >     query = "SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='%{%k}'"
> > }
>
> Hi,  I'd guess you need to remove the extra 'a' in your query just before
> "FROM acct_internet".
>
> Randy Moore
> Axion Information Technologies, Inc.
>
> email [EMAIL PROTECTED]
> phone   301-408-1200
> fax301-445-3947
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>






Re: bug in FreeRADIUS?

2002-07-29 Thread HOPPÁL Felicián

> > Cisco-AVPair
> > ip:inacl#1=deny tcp any host xxx eq smtp   =
>   Did you read 'man 5 users'?
>   You're using '=', when you want '+='.

Thank you, this was the problem.
Do you have any ideas about my rlm_sqlcounter problem? It must be a bug,
I've read rlm_sqlcounter/README.txt :-)

Thank you,
Felician







bug in FreeRADIUS?

2002-07-29 Thread HOPPÁL Felicián

Hi,

I've found another interesting issue in FreeRADIUS:

I have a user, with multiple Cisco-AVPair reply attributes:

SQL> SELECT groupreply.id,groupreply.GroupName,groupreply.Attribute,groupreply.Value,groupreply.operator
     FROM groupreply,v_usergroup_freeradius
     WHERE v_usergroup_freeradius.Username = '[EMAIL PROTECTED]'
     AND v_usergroup_freeradius.GroupName = groupreply.GroupName
     ORDER BY groupreply.id;

 ID GROUPNAME  ATTRIBUTE       VALUE                                    OPERATOR
--- ---------- --------------- ---------------------------------------- --------
700 FREEDIALUP Service-Type    Framed-User                              =
701 FREEDIALUP Framed-Routing  None                                     =
702 FREEDIALUP Framed-Protocol PPP                                      =
703 FREEDIALUP Cisco-AVPair    ip:inacl#1=deny tcp any host xxx eq smtp =
704 FREEDIALUP Cisco-AVPair    ip:inacl#2=deny tcp any host xxx eq smtp =
705 FREEDIALUP Cisco-AVPair    ip:inacl#3=permit ip any any             =
706 FREEDIALUP Cisco-AVPair    ip:dns-servers=xxx xxx                   =
707 FREEDIALUP Cisco-AVPair    modem-on-hold*960                        =

8 rows selected

FreeRADIUS executes the same query to find out user's reply items, but it's
sending only the first Cisco-AVPair to the NAS.

rad_recv: Access-Request packet from host xxx:64298, id=56, length=102
Thread 2 assigned request 1
--- Walking the entire request list ---
Threads: total/active/spare threads = 10/1/9
Waking up in 5 seconds...
Thread 2 handling request 1, (1 handled so far)
User-Name = "[EMAIL PROTECTED]"
User-Password = "xxx"
NAS-Port = 1
LE-Terminate-Detail = "test"
LE-Advice-of-Charge = "TiNC"
USR-Terminal-Type = "test"
NAS-IP-Address = x
  modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm freeweb.hu for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm freeweb.hu
  modcall[authorize]: module "suffix" returns noop
radius_xlat:  '[EMAIL PROTECTED]'
sql_set_user:  escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,operator FROM v_usercheck_freeradius WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql: Reserving sql socket id: 8
radius_xlat:  'SELECT groupcheck.id,groupcheck.GroupName,groupcheck.Attribute,groupcheck.Value,groupcheck.operator  FROM groupcheck,v_usergroup_freeradius WHERE v_usergroup_freeradius.Username = '[EMAIL PROTECTED]' AND v_usergroup_freeradius.GroupName = groupcheck.GroupName ORDER BY groupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,'' operator FROM v_userreply_freeradius WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat:  'SELECT groupreply.id,groupreply.GroupName,groupreply.Attribute,groupreply.Value,groupreply.operator  FROM groupreply,v_usergroup_freeradius WHERE v_usergroup_freeradius.Username = '[EMAIL PROTECTED]' AND v_usergroup_freeradius.GroupName = groupreply.GroupName ORDER BY groupreply.id'
radius_xlat:  'SELECT Value,Attribute FROM v_usercheck_freeradius WHERE UserName = '[EMAIL PROTECTED]' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'
rlm_sql: Released sql socket id: 8
  modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [[EMAIL PROTECTED]] (from client xxx port 1)
Sending Access-Accept of id 56 to xxx:64298
Service-Type = Framed-User
Framed-Routing = None
Framed-Protocol = PPP
Cisco-AVPair = "ip:inacl#1=deny tcp any host xxx eq smtp"
Session-Timeout = 360
Finished request 1
Going to the next request
Thread 2 waiting to be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 10/0/10
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 56 with timestamp 3d458183
Nothing to do.  Sleeping until we see a request.

Is this a configuration problem or a bug (feature? :-)) in FreeRADIUS?

Thank You,
Felician
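
The eight groupreply rows above, run through the reply-item operator rules from users(5) that the reply to this message points to: '=' adds an attribute only when the reply has none of that name yet, '+=' always appends. This is an added example, not part of the original message and not FreeRADIUS code; the function names are hypothetical and only these two operators are modelled. It lists the rows, ACL lines included, that never reach the NAS.

```python
from collections import Counter

# groupreply rows copied from the SQL*Plus output above: (id, attribute, value, operator)
ROWS = [
    (700, "Service-Type", "Framed-User", "="),
    (701, "Framed-Routing", "None", "="),
    (702, "Framed-Protocol", "PPP", "="),
    (703, "Cisco-AVPair", "ip:inacl#1=deny tcp any host xxx eq smtp", "="),
    (704, "Cisco-AVPair", "ip:inacl#2=deny tcp any host xxx eq smtp", "="),
    (705, "Cisco-AVPair", "ip:inacl#3=permit ip any any", "="),
    (706, "Cisco-AVPair", "ip:dns-servers=xxx xxx", "="),
    (707, "Cisco-AVPair", "modem-on-hold*960", "="),
]

def build_reply(rows):
    """Apply rows in id order; return (reply pairs, ids of rows that were dropped)."""
    reply, dropped = [], []
    for row_id, attr, value, op in sorted(rows):
        if op == "+=":
            reply.append((attr, value))          # always appended
        elif op == "=":
            if any(name == attr for name, _ in reply):
                dropped.append(row_id)           # same-named attribute already present
            else:
                reply.append((attr, value))
        else:
            raise ValueError(f"operator {op!r} is not modelled in this example")
    return reply, dropped

def use_append_for_repeats(rows):
    """Return a copy of rows with '+=' on every attribute that occurs more than once."""
    counts = Counter(attr for _id, attr, _value, _op in rows)
    return [(i, a, v, "+=" if counts[a] > 1 else op) for i, a, v, op in rows]

if __name__ == "__main__":
    reply, dropped = build_reply(ROWS)
    print("sent with '=':", [v for a, v in reply if a == "Cisco-AVPair"])
    print("dropped row ids:", dropped)
    reply, dropped = build_reply(use_append_for_repeats(ROWS))
    print("sent with '+=':", len(reply), "attributes, dropped:", dropped)
```
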







rlm_sqlcounter

2002-07-29 Thread HOPPÁL Felicián

Hello,

I'd like to use rlm_sqlcounter with freeradius 0.7 (using oracle backend),
but it does not work. I have the following config:

sqlcounter totalcounter {
    counter-name = Total-Session-Time
    check-name = Total-Time-Limit
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='%{%k}'"
}

When I try to authenticate the user with Total-Time-Limit check attribute:

rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='%{User-Name}''
radius_xlat:  'SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='[EMAIL PROTECTED]''
sqlcounter_expand:  '%{sql:SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='[EMAIL PROTECTED]'}'
radius_xlat: Runing registered xlat function of module sql for string 'SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='[EMAIL PROTECTED]''
rlm_sql: - sql_xlat
radius_xlat:  'SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='[EMAIL PROTECTED]''
rlm_sql: Reserving sql socket id: 4
rlm_sql: - sql_xlat finished
rlm_sql: Released sql socket id: 4
radius_xlat:
'h???ÀÙÑ*p???p???ÐÙÑ*ÐÙÑ*ØÙÑ*ØÙÑ*àÙÑ*àÙÑ*èÙÑ*èÙÑ*ðÙÑ*ðÙÑ*øÙÑ*øÙÑ*'
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user [EMAIL PROTECTED], check_item=216000, counter=0
rlm_sqlcounter: Sent Reply-Item for user [EMAIL PROTECTED], Type=Session-Timeout, value=216000
  modcall[authorize]: module "totalcounter" returns ok

I think variable "counter" should be equal to the result of sql query. But
counter = 0, and FreeRADIUS does not apply the correct Session-Timeout to
the user.

SQL> SELECT SUM(AcctSessionTime) a FROM acct_internet WHERE UserName='[EMAIL PROTECTED]';

 A
--
 44318

Thank You,
Felician Hoppal







FreeRADIUS 0.7 & ORACLE

2002-07-28 Thread HOPPÁL Felicián



Hello,
 
FreeRADIUS 0.7 does not compile with ORACLE support:

./configure --prefix=/usr --with-logdir=/var/log --with-radacctdir=/var/log/radacct --with-raddbdir=/etc/raddb --with-rlm_sql --with-rlm_sql_oracle --with-experimental-modules --with-snmp --without-rlm_x99_token

configuring in ./drivers/rlm_sql_oracle
running /bin/sh ./configure  --prefix=/usr --with-logdir=/var/log --with-radacctdir=/var/log/radacct --with-raddbdir=/etc/raddb --with-rlm_sql --with-rlm_sql_oracle --with-experimental-modules --with-snmp --without-rlm_x99_token --enable-ltdl-install --enable-ltdl-install --cache-file=../../../../.././config.cache --srcdir=.
loading cache ../../../../.././config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG ) works... yes
checking whether the C compiler (gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking for oci.h... yes
yes
creating ./config.status
creating Makefile

Making static in rlm_sql_oracle...
make[10]: Entering directory `/usr/src/freeradius-0.7/src/modules/rlm_sql/drivers/rlm_sql_oracle'
gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I../.. -I../../../../include -I/usr/local/oracle/product/8.1.7/rdbms/demo -I/usr/local/oracle/product/8.1.7/rdbms/public -I/usr/local/oracle/product/8.1.7/plsql/public -I/usr/local/oracle/product/8.1.7/network/public -I/usr/local/oracle/product/8.1.7/oci/include -I/usr/src/freeradius-0.7/libltdl -c sql_oracle.c -o sql_oracle.o
sql_oracle.c:361: conflicting types for `sql_fetch_row'
sql_oracle.h:33: previous declaration of `sql_fetch_row'
sql_oracle.c: In function `sql_fetch_row':
sql_oracle.c:374: warning: return makes integer from pointer without a cast
make[10]: *** [sql_oracle.o] Error 1



 
Best Regards,
Felician Hoppal
 


Cisco VSA & FreeRADIUS

2002-07-28 Thread HOPPÁL Felicián



Hello,
 
I've tested freeradius 0.6 and it works fine, I'm planning to replace my
production radius now. I have only one problem, I'd like to log Cisco VSAs
(like nas-rx-speed, nas-tx-speed) in SQL database. I have 50+ AS5350 and
AS5400 with IOS 12.2 and it sends VSA accounting as Cisco-AVPair.
Cisco-vsa-hack does not work with this. Any solution? This is a sample
accounting-stop record:

Fri Jul 26 22:56:34 2002
    NAS-IP-Address = xxx
    NAS-Port = 670
    Cisco-NAS-Port = "Async5/22*Serial2/6:2"
    NAS-Port-Type = Async
    User-Name = "xxx"
    Called-Station-Id = "xxx"
    Calling-Station-Id = "xxx"
    Acct-Status-Type = Stop
    Acct-Authentic = RADIUS
    Service-Type = Framed-User
    Acct-Session-Id = "0E000D11"
    Framed-Protocol = PPP
    Framed-IP-Address = xxx
    Acct-Terminate-Cause = Lost-Carrier
    Acct-Input-Octets = 3597499
    Acct-Output-Octets = 36347730
    Acct-Input-Packets = 55748
    Acct-Output-Packets = 74657
    Acct-Session-Time = 7280
    Cisco-AVPair = "disc-cause-ext=1011"
    Cisco-AVPair = "pre-bytes-in=123"
    Cisco-AVPair = "pre-bytes-out=112"
    Cisco-AVPair = "pre-paks-in=5"
    Cisco-AVPair = "pre-paks-out=5"
    Cisco-AVPair = "pre-session-time=25"
    Cisco-AVPair = "connect-progress=60"
    Cisco-AVPair = "nas-rx-speed=28800"
    Cisco-AVPair = "nas-tx-speed=5"
    Acct-Delay-Time = 0
    Client-IP-Address = xxx
    Timestamp = 1027716994

Best Regards,
Felician Hoppal