linking to a c++ lib in a module
This problem was noticed back in Sept 2000, but I never saw the resulting solution; I have a module which is linking (and using) a library which is using the standard C++ library; when I kill -HUP radiusd, I get a segfault in dl_close() (dumps core). This is primarily witnessed under Linux.

I tried building the module alone with '-lstdc++', but this did not solve the problem; should I rebuild the radius core with the '-lstdc++' flag? Is there a configure option to do this?

Sorry for the redundant post. Any help would be appreciated.

MV
--
Mike Varley -= SOMA Networks =-
Tel: 416.977.1414 x1578
email: [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: post_proxy methods
Thanks Alan and Chris. Indeed, I did mean version 0.8 (not 8.0).

There are no 'FreeRadius' specific resources I have to free on a proxy-reject, but my module holds state information and some resources for each active session. If a user attempts to renew their session and for some magical reason the proxy says 'NO!', then my module needs to mop up.

Thanks again, I will investigate the CVS tree.

MV

On Wed, 2003-02-26 at 15:42, Chris Parker wrote:
> At 03:28 PM 2/26/2003 -0500, Mike Varley wrote:
> >Apologies for not keeping up to date, but I was wondering if the
> >'post_proxy' module methods are currently supported.
>
> Yes, but not by every module. Check the latest CVS for support.
>
> >I am running FR 8.0, and although I can list post-proxy methods in the
> >config file, the methods are not run. This did not pose a problem
> >because I simply implemented a 'post-auth' method to do all my work.
>
> Code is in current CVS to do this. I believe it is post 0.8 but may
> or may not be in 0.8.1.
>
> >The problem now is that I would like to know if the proxy rejects a
> >user; if it does, I need to free up any resources that user may be
> >holding. Are the post-proxy methods supported? Will they be called on a
> >Proxy-Reject?
>
> Post-Proxy exists as a stage after authorization, after the reply has
> been received from the remote server, but before the reply enters
> the authentication stage ( IE, before a request is sent back to the
> client who sent it to us ).
>
> There shouldn't be anything specific you need to do in post-proxy
> to do cleanup, unless you have a custom module that has allocated
> resources in some way.
>
> >If there is a 'ChangeLog' file someone could point me to, I will happily
> >read that.
>
> Subscribe to the -devel list and you'll get nightly CVS commit logs, that
> is the best way to get the most verbose and up-to-date feature information.
>
> -Chris

post_proxy methods
Apologies for not keeping up to date, but I was wondering if the 'post_proxy' module methods are currently supported.

I am running FR 8.0, and although I can list post-proxy methods in the config file, the methods are not run. This did not pose a problem because I simply implemented a 'post-auth' method to do all my work.

The problem now is that I would like to know if the proxy rejects a user; if it does, I need to free up any resources that user may be holding. Are the post-proxy methods supported? Will they be called on a Proxy-Reject?

If there is a 'ChangeLog' file someone could point me to, I will happily read that.

Thanks.

MV

Re: DHCP & Freeradius
Indeed it is! The rlm_ippools module is pretty easy to set up and good for testing. Unfortunately I ran into troubles with running this module for a long period of time (i.e., over a weekend). Eventually it stopped handing out IP addresses. Also, I had extra requirements that were not fulfilled by the module, so I had to go a custom route.

But the ippool module is a great place to start and a way to understand how the freeradius architecture works with IP address management.

MV

On Tue, 2003-01-14 at 09:29, Evren Yurtesen wrote:
> yes but isn't freeradius supporting ip pools as an experimental feature
> nowadays?
>
> Evren
>
> On 14 Jan 2003, Mike Varley wrote:
>
> > I looked into this solution (using DHCP as the ip address manager for
> > RADIUS clients) but in the end hooking in the dhcpclient code to work
> > with freeradius seemed like a lot of work, and an incomplete solution
> > (for our specific needs). So we ended up just writing our own IP address
> > management stuff; it was pretty straightforward.
> >
> > I am using Linux, I dunno what platform you are developing on.
> >
> > MV
> >
> > On Tue, 2003-01-14 at 08:11, [EMAIL PROTECTED] wrote:
> > > Hi everyone,
> > >
> > > My problem concerns how to assign the IP address to a client after the radius server (Freeradius) performed md5 authentication. Maybe it's necessary to install a DHCP server too? If yes which is the right way to configure Freeradius to interact with DHCP server ?
> > >
> > > Thanks very much

Re: DHCP & Freeradius
I looked into this solution (using DHCP as the ip address manager for RADIUS clients) but in the end hooking in the dhcpclient code to work with freeradius seemed like a lot of work, and an incomplete solution (for our specific needs). So we ended up just writing our own IP address management stuff; it was pretty straightforward.

I am using Linux, I dunno what platform you are developing on.

MV

On Tue, 2003-01-14 at 08:11, [EMAIL PROTECTED] wrote:
> Hi everyone,
>
> My problem concerns how to assign the IP address to a client after the radius server (Freeradius) performed md5 authentication. Maybe it's necessary to install a DHCP server too? If yes which is the right way to configure Freeradius to interact with DHCP server ?
>
> Thanks very much

Re: proxy & access-accept
Look into the 'post_auth' functionality. Essentially, after any authorization, modules listed in the post_auth {} section of the radiusd.conf file get run, and they must have a method associated with the post_authorization hook in the module structure.

Hope that helps. I can provide more detail if you're interested; not sure how this will hook up to scripts.

MV

On Tue, 2003-01-14 at 08:03, Josh Howlett wrote:
> Hi all,
>
> I'd like to run a script when an Access-Accept is proxied through a
> Freeradius proxy server (ie. in the same way that you can run a script
> (through acct_users) when accounting Stop/Start packets are proxied)
>
> Is this possible at all?
>
> thanks, josh.
>
> --
> Josh Howlett, Networking & Digital Communications,
> Information Systems & Computing, University of Bristol, U.K.
> 'phone: 0117 928 7850 email: [EMAIL PROTECTED]

Re: building modules outside the FreeRadius tree
I found my problem; it wasn't with the build, but with how I was 'installing' my libraries. I needed to run

    ldconfig -n /usr/local/lib/

Sorry for the spam.

MV

On Mon, 2003-01-13 at 12:10, Mike Varley wrote:
> I am attempting to build a module outside the context of the FreeRADIUS
> source tree. I am using libtool, and the libraries seem to be compiling
> fine. (version 0.8)
>
> My problem comes at runtime; when FR tries to run my code, it SEGV's
> because I'm doing a 'vp = pairfind(request->packet->vps, PW_REALM)', and
> (according to GDB) request->packet == NULL.
>
> however, when I compile the exact same code under the freeradius
> structure, everything works fine.
>
> I know I'm doing something outside the scope of the FreeRADIUS project,
> but if anyone could shed some light on why this might be happening, or
> some details on how the modules are built and linked etc... with
> libtool, it would be greatly appreciated.
>
> Thanks in advance.
>
> MV

building modules outside the FreeRadius tree
I am attempting to build a module outside the context of the FreeRADIUS source tree. I am using libtool, and the libraries seem to be compiling fine. (version 0.8)

My problem comes at runtime; when FR tries to run my code, it SEGV's because I'm doing a 'vp = pairfind(request->packet->vps, PW_REALM)', and (according to GDB) request->packet == NULL.

However, when I compile the exact same code under the freeradius structure, everything works fine.

I know I'm doing something outside the scope of the FreeRADIUS project, but if anyone could shed some light on why this might be happening, or some details on how the modules are built and linked etc... with libtool, it would be greatly appreciated.

Thanks in advance.

MV

Re: SQL IP Pools Module
I had to turn off Passive File Transfers in gFTP (under FTP/Options)

MV

On Tue, 2002-12-03 at 22:58, Allister Maguire wrote:
> Hello,
>
> We have finished the sql version of the ip module it can be downloaded
> from here:
>
> ftp://lopez.globe.net.nz/Linux/freeradius/rlm_sqlippool.tar.gz
>
> Issues:
> 1. It does not support multilink (MPPP), we had no need for this so did
> not implement it.
> 2. We use transaction so could not use rlm_sql, instead rlm_sql source
> is included. This is bad.
>
> Regards
> Allister P Maguire

Re: PPP - Dynamic/Static IP's
On Tue, 2002-12-03 at 10:30, Andrew Grimmett wrote:
[snip]
>
> I noticed also in Release 0.8's change log that it now has a post_auth
> section, how do you define that, or where can I locate a doc/example of
> the configuration.
>

To add a post-authorize method, there are a few steps:

1) In the module file, add a function pointer to the postauth method. eg:

    static int mypostauth (void *instance, REQUEST *request)
    {
        return RLM_MODULE_NOOP;
    }

    module_t rlm_files = {
        "files",
        0,                      /* type: reserved */
        NULL,                   /* initialization */
        file_instantiate,       /* instantiation */
        {
            NULL,               /* authentication */
            file_authorize,     /* authorization */
            file_preacct,       /* preaccounting */
            NULL,               /* accounting */
            NULL,               /* checksimul */
            file_preproxy,      /* pre-proxy */
            NULL,               /* post-proxy */
            mypostauth          /* post-auth */
        },
        file_detach,            /* detach */
        NULL                    /* destroy */
    };

Then, in the radius.conf file, ensure that the module is configured in the modules {} section, and then (towards the bottom of the file, after the authenticate section) add the following:

    post-auth {
    }

(note the spelling matters for the section name)

Recompile and reinstall and restart and TA-DA!

HTH

MV

Re: Proxy Realms configuration
On Mon, 2002-12-02 at 14:58, Alan DeKok wrote:
> Mike Varley <[EMAIL PROTECTED]> wrote:
> > I would like to use a database (SQL?) to manage my realms, instead of
> > the text files. The advantages are twofold: a unified repository for all
> > my user data (ISP, IP Pools, local usernames) and the other benefit is I
> > could add/remove realms w/o sending a SIGHUP to the radius proxy.
>
> That sounds reasonable.
>
> > Before I go and change the core components within the freeradius
> > library, has anyone else implemented this type of system before, and
> > have a better solution? Can I get this kind of behaviour through
> > modules? (ie, do a DB lookup, and add the result to the local list if
> > its not already in the list etc...)
>
> No, not really.
>
> The server needs a bunch of information for realms. Name, IP, port,
> secret, alive/dead status, etc.
>
> It's just easier if the server manages those lists itself
> internally, rather than doing DB calls all of the time.
>

Faster and more efficient as well. How often is proxy information going to change, really? And SIGHUPing FreeRADIUS is not a costly affair.

One solution we came up with was a compromise; changing proxy information in the Database could trigger a re-write of the realms file, and SIGHUP the FR server. The only problem here being that someone *could* inadvertently change only the realms file, SIGHUP the process, and be out of synch with the DB. Hmmm

MV

Proxy Realms configuration
Currently, FreeRADIUS uses text files to define realms for proxying requests. The files are parsed and put into a list at startup, and then the core libraries use this list during runtime to look up realm information when proxying requests.

I would like to use a database (SQL?) to manage my realms, instead of the text files. The advantages are twofold: a unified repository for all my user data (ISP, IP Pools, local usernames) and the other benefit is I could add/remove realms w/o sending a SIGHUP to the radius proxy.

Before I go and change the core components within the freeradius library, has anyone else implemented this type of system before, and have a better solution? Can I get this kind of behaviour through modules? (ie, do a DB lookup, and add the result to the local list if it's not already in the list etc...)

Thoughts and opinions are welcome. Thank you!

MV

Re: Allocating dynamic IP addresses from FreeRadius
On Wed, 2002-11-27 at 09:26, Vitaliy Karlov wrote:
> On Wed, Nov 27, 2002 at 04:12:12PM +0200, Kostas Kalevras wrote:
> > > Hi All!
> > > In radiusd.conf I put this:
> > >
> > > === radiusd.conf =
> > > ippool main_pool {
> > > range-start = 10.1.1.1
> > > range-stop = 10.1.1.255
> > > netmask = 255.255.255.255
> >
> > You should put a netmask of 255.255.255.0
> > Delete the db* files and run the server in debug mode (radiusd -X)
>
> I delete all entries with db* and get this (I does not run radiusd in debug mode)
> == radius.log ==
> Wed Nov 27 16:20:17 2002 : Error: rlm_ippool: 'session-db' must be set.
> Wed Nov 27 16:20:17 2002 : Error: radiusd.conf[489]: main_pool: Module instantiation failed.
> ===
>
> ???
>
> What is goal of the db* files?
>

The db* files are used to manage which IP addresses are available, and which ones have been assigned to which NAC/port combination.

For the session-db and index-db, you can just put in a path and file name. Here are my complete settings for this module:

    ippool ippool {
        name = ippool
        session-db = /usr/local/etc/raddb/ippool-sess-db
        ip-index = /usr/local/etc/raddb/ippool-idx-db
        range-start = 192.168.1.2
        range-stop = 192.168.1.10
        netmask = 255.255.255.0
        cache-size = 1000
    }

ippool-sess-db and ippool-idx-db are gdbm databases. You can do a 'man gdbm' for more information.

MV

Re: Vendor Specific Attributes Interface
Thanks to Chris Parker for the heads up.

For the record, creating a vendor attribute for modules is exactly the same as creating regular attributes. The packet formation is done by the radius library code. (In my particular case, I had a malformed dictionary file.)

Explicitly, here are the steps:

dictionary file:
---
    # your vendor code here
    VENDOR          SOMA            4735

    # Define your attributes: don't forget the trailing vendor name!
    ATTRIBUTE       SOMA-Something  1       string  SOMA
    :

Source file:
    #include <stdio.h>      /* snprintf */
    #include <string.h>     /* strlen */

    #define VENDOR_SOMA     (4735)
    #define SOMA_SOMETHING  ((VENDOR_SOMA << 16) | 1)
    /* I'll be honest, I'm not sure why we are shifting by 16 bits here, but
       I'll assume it has something to do with the dictionary system */
    :
    void add_my_vp (REQUEST *request)
    {
        VALUE_PAIR *vp;

        if ((vp = paircreate(SOMA_SOMETHING, PW_TYPE_STRING)) == NULL) {
            radlog(L_ERR|L_CONS, "no memory");
            return;
        }
        /* string values are copied into strvalue and length is set;
           lvalue is the integer field and cannot hold a string */
        snprintf((char *)vp->strvalue, sizeof(vp->strvalue), "%s",
                 "hey HEY! This is a vendor attribute");
        vp->length = strlen((char *)vp->strvalue);
        pairadd(&request->reply->vps, vp);
    }
---

Nice and easy. Thanks again to Chris.

MV

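The `(vendor << 16) | attribute` packing from the message above, shown next to the RFC 2865 section 5.26 Vendor-Specific (type 26) wire layout, as an added example that is not part of the original post or of FreeRADIUS. The helper names `vsa_pack`, `vsa_vendor`, `vsa_attr` and `vsa_encode` are hypothetical; the packing helper rejects vendor codes above 65535, which cannot survive a 16-bit shift in a 32-bit attribute number.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_VENDOR_SPECIFIC 26   /* RFC 2865 attribute type for VSAs */
#define VENDOR_SOMA 4735u       /* vendor code taken from the message above */

/* Pack vendor and vendor attribute as the message's macro does.
 * Returns 0 when either half does not fit in 16 bits (hypothetical helper). */
static uint32_t vsa_pack(uint32_t vendor, uint32_t attr)
{
    if (vendor == 0 || vendor > 0xffff || attr == 0 || attr > 0xffff)
        return 0;
    return (vendor << 16) | attr;
}

static uint32_t vsa_vendor(uint32_t packed) { return packed >> 16; }
static uint32_t vsa_attr(uint32_t packed)   { return packed & 0xffff; }

/* Encode one string VSA: Type(26) Length Vendor-Id(4 octets, big endian)
 * Vendor-Type Vendor-Length Value. Returns octets written, 0 on error. */
static size_t vsa_encode(uint32_t packed, const char *value,
                         uint8_t *out, size_t outlen)
{
    uint32_t vendor = vsa_vendor(packed);
    uint32_t attr = vsa_attr(packed);
    size_t vlen = strlen(value);
    size_t total = 8 + vlen;            /* 6 octets header + 2 sub-header */

    if (vendor == 0 || attr == 0 || attr > 255)
        return 0;                       /* Vendor-Type is a single octet */
    if (total > 255 || total > outlen)
        return 0;                       /* Length is a single octet */

    out[0] = PW_VENDOR_SPECIFIC;
    out[1] = (uint8_t)total;
    out[2] = (uint8_t)(vendor >> 24);
    out[3] = (uint8_t)(vendor >> 16);
    out[4] = (uint8_t)(vendor >> 8);
    out[5] = (uint8_t)vendor;
    out[6] = (uint8_t)attr;
    out[7] = (uint8_t)(2 + vlen);       /* sub-header plus value */
    memcpy(out + 8, value, vlen);
    return total;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = vsa_encode(vsa_pack(VENDOR_SOMA, 1), "hello", buf, sizeof(buf));
    for (size_t i = 0; i < n; i++)
        printf("%02x ", buf[i]);        /* constructed sample value */
    printf("\n");
    return 0;
}
```
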
Re: Allocating dynamic IP addresses from FreeRadius
There is a module that does dynamic IP assignment: look in

    ${freeradius_source_dir}/src/modules/rlm_ippool

It is not built by default, so you need to add it to the top level Makefile. There is a description on how to configure it in the docs directory.

Once you've compiled and installed it, change your radiusd.conf file to have a section:

    post-auth {
        ippool
    }

and then after every successful authentication, this module will add an IP address chosen dynamically BASED ON the NAS/port combination. The ippool module uses dbm databases.

I'm not sure if this is what you are looking for, but it may help point you in the right direction.

HTH!

MV

On Tue, 2002-11-26 at 11:37, kenw wrote:
> Is it possible to dynamically allocate IP addresses from FreeRadius.
> I am using a MySQL auth database, and need to supply dynamic IP's from
> radius rather than from the NAS..
>
> Thanks,
> Ken

Vendor Specific Attributes Interface
Hello;

I am writing a new module to plug into FreeRADIUS (0.8) and I need to programmatically add some Vendor Specific Attribute-Value pairs; I was wondering if there is an interface to do so easily in the code. I have looked at the valuepair API but nothing jumps out at me.

Any information or hints on how to do this would be most appreciated. Note that adding the vendor attribute to the dictionaries and including them in the ${conf_dir}/users file works perfectly, but I can't find the code that is creating and adding these special vp's to the reply.

Thanks in advance.

MV