Huntgroup-Name !=
Hi,

Does anybody use Huntgroup-Name with the != operator? I think I have hit a bug, just want to confirm before digging the source.

--
Mojahed
System Administrator, Agni Systems Limited

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: No detail file generated in mod_radius_auth
On Thu, Aug 01, 2002 at 10:49:17PM +0600, Dr. Muhammad Masroor Ali wrote:
> After some grueling days and kind advice from fellow netizens,
> mod_radius_auth does perfect authentication for squid
> (2.4.STABLE1) in my RH 7.3 linux box. However, no accounting
> records are being written.

That is, pam_radius_auth will never generate accounting records. That "account" line is not really for accounting.

I presume you are trying to make squid generate accounting records. Unfortunately, HTTP proxies do not have any notion of "sessions", just like HTTP. When squid first sees an unauthenticated proxy request, it asks the client browser for authentication. After a successful authentication, the browser keeps on sending the authentication header with each proxy request, until the browser is closed. Each request is independent of each other. There is no way for squid to know when the user has stopped browsing.

--
Mojahed
System Administrator, Agni Systems Limited
Re: Urgent!!! USR Accounting
On Wed, Jun 05, 2002 at 05:06:38PM +0300, Ruslan Spivak wrote:
> NAS - NETServer/16 V.34.
> I have installed freeradius-0.5 under RH 7.2
> Authentication works well, but accounting messages from radius: Malformed packet

Don't know about NETServer. Their HiPerARC has a quirk (among many many others). Its QuickSetup wizard does not set the accounting secret. You have to set it yourself with "SET ACCOUNTING ... ". It's quite possible this quirk has made its way to NETServer too.

--
Mojahed
System Administrator, Agni Systems Limited
Re: tables replication ...
On Mon, Apr 29, 2002 at 05:57:41PM +0300, Do-Risika RAFIEFERANTSIARONJY wrote:
>
> For those using mysql, how do you replicate your authentication
> (and eventually your accounting) tables to a backup server ? I'm
> looking for the best method.

This problem haunted me for a long time. I have managed to string up a solution that may not be the best but works fine.

I have three boxes, let's call them A, B and C. All of them run mysql 3.23.xx. A and B run FreeRADIUS. A is the primary radius auth/acc server and B is the secondary/backup auth/acc server. C is purely a database backup.

The following diagram shows the inter-relation between the boxes:

  A: auth <--- mysql A ---> replicate to mysql B ---> replicate to mysql C
  A: accn ---> detail ---> mysql A ---> replicate to mysql C
  B: auth <--- mysql B
  B: accn ---> detail ---> rsync to A ---> mysql A
  Management scripts: ---> mysql A
  Billing queries:    <--- mysql C

LEGEND: mysql A means MySQL running on box A. Replication is mysql's built-in one way replication.

A cron job on box A runs every X minutes, reads the detail files and inserts stop records to the accounting database. The script is clever enough to skip over the part of detail file it already put into the database.

Management scripts (account add/delete, pass change) only change the auth db in box A. Billing software (with long SELECTs) only queries box C.

I know there will be a few questions, here are the answers in advance:

Q1. FR can put acc records directly to mysql, why the hell are ya doing the same stuff from the detail file?

A1. First, I have learned the hard way "plain text" files are the most reliable things you can have in computers. When I screw up mysql I can reliably reproduce it from the detail files without any more coding. Second, integrating accounting records from box B is possible this way. Otherwise our billing and some management scripts would have to read acct databases from both A and B.

Q2. What happens when A goes down?

A2. Auth/acc records go to B. Auth works instantly. Acc records are accumulated in the detail file of B. I can take all the time I need to bring back A without worrying of lost acc records. The only problem while I do this is no one can change their passwords and users can't see their latest usage records. Not a big problem because bringing A back shouldn't take more than a few hours. When A comes back it will automatically integrate the accounting records from B.

Q3. What happens when B goes down?

A3. No problemma. When it comes back, mysql's built-in replication will send the changes it missed while it was down.

Q4. What happens when you need to upgrade MySQL in A?

A4. Relax! This is one of the reasons I am doing this in a round way with the detail file. Edit sql.conf in A to point to mysql B, kill -HUP radius, take as much time as I need to upgrade MySQL A, have lunch, point sql.conf back to mysql A, kill -HUP radius. Database upgraded without one second of down time. Upgrading FR is also very simple with this scheme.

Q5. This looks way too cumbersome, is this the best method to have high availability?

A5. Buddy, I have tried many approaches and looked into even more. Hit the limits everywhere, mostly with mysql. Oracle with High Availability would be ideal in this case. But it's too much more complicated than mysql. Also, we would need to hire a good Oracle DBA who will have nothing to do the whole year, just waiting for a possible accident.

If you have a better approach, please let me know.

--
Mojahed
System Administrator, Agni Systems Limited
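The cron job in the message above skips the part of the detail file it has already loaded. A sketch of that step, added here and not the author's script: it assumes the usual detail layout (a timestamp line, tab-indented `Attribute = value` lines, a blank line ending each record), and `read_new_stops` and the sample data are constructed for illustration.

```python
import io

def read_new_stops(stream, offset):
    """Parse complete records after byte `offset` of a detail file.

    Returns (stop_records, new_offset). A record is complete only once
    its terminating blank line is on disk, so a record the server is
    still writing is left for the next run instead of being half-read.
    """
    stream.seek(offset)
    stops, record, committed = [], None, offset
    for raw in iter(stream.readline, b""):
        if not raw.endswith(b"\n"):
            break                          # half-written line: stop here
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if line == "":
            if record and record.get("Acct-Status-Type") == "Stop":
                stops.append(record)
            record = None
            committed = stream.tell()      # safe restart point
        elif line[0] in " \t":
            if record is not None:
                name, _, value = line.strip().partition(" = ")
                record[name] = value.strip('"')
        else:
            record = {"_header": line}     # timestamp line opens a record
    return stops, committed

# Constructed sample data; the last record is cut off mid-write.
SAMPLE = (
    b"Mon Apr 29 17:57:41 2002\n"
    b"\tUser-Name = \"alice\"\n"
    b"\tAcct-Status-Type = Start\n"
    b"\tAcct-Session-Id = \"0D88\"\n"
    b"\n"
    b"Mon Apr 29 18:10:02 2002\n"
    b"\tUser-Name = \"alice\"\n"
    b"\tAcct-Status-Type = Stop\n"
    b"\tAcct-Session-Id = \"0D88\"\n"
    b"\tAcct-Session-Time = 741\n"
    b"\n"
    b"Mon Apr 29 18:11:30 2002\n"
    b"\tUser-Name = \"bob\"\n"
    b"\tAcct-Status-Type = St"
)

FIRST_RUN = read_new_stops(io.BytesIO(SAMPLE), 0)
```

The caller keeps the returned offset between runs and should store it only after the database insert has committed, so a failed insert is retried from the same point.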
Re: Login-time + SQL
On Tue, Apr 23, 2002 at 02:28:39PM +0200, Alessandro Maioli wrote:
>
> there is anyone that has experience with Login-Time attribute
> saved on SQL Database (such as Oracle). I'm trying but it doesn't
> seem to work.

You are sure you are putting it in radcheck/radgroupcheck, right?

--
Mojahed
System Administrator, Agni Systems Limited
Re: Freeradius not working under firewall
On Sun, Apr 07, 2002 at 11:37:14AM +0600, Dr. Muhammad Masroor Ali wrote:
> ...
> rules we have put something like allow packets to ports 1645 and
> 1646 tcp + udp only from NAS IP. But, as soon as firewall is
> activated, users start getting invalid login. All outgoing ports
> are open.

No need for TCP, RADIUS is UDP only.

Please make sure this machine can do DNS lookups. Your firewall is probably blocking incoming DNS response packets.

If this doesn't help you could post your firewall rules here, but that's kind of off topic.

--
Mojahed
System Administrator, Agni Systems Limited
Re: accurate accounting when username missing
On Thu, Mar 28, 2002 at 09:13:34PM +0800, Raymond Chen wrote:
>
> rlm_acct_unique: Hashing ',Client-IP-Address =
> 202.123.211.86,NAS-IP-Address = 202.123.211.86,Acct-Session-Id =
> "0D88",User-Name = ""'

I don't know why your substitution does not work. The debugging output you attached could be for an Accounting-On or keep-alive packet which doesn't have a User-Name attribute. You can ignore them safely --- for accounting purposes at least.

--
Mojahed
System Administrator, Agni Systems Limited
Re: Exec-Program and Acct-Status-Type
On Mon, Mar 11, 2002 at 01:11:54PM +0800, M Z Rahman wrote:
> I was trying to run an external perl script to do some customised logging
> depending on the Acct-Status-Type in the users file:
>
> DEFAULT Acct-Status-Type == "Start"
>    Exec-Program-Wait = "/radius/raddb/startstopacct %u %s %e %f %n %c %i
> %o %d %t %r %h"
> ...
> free-radius read the execparams file for the argument vectors for the

Looks like you confused XtRadius with FreeRADIUS.

--
Mojahed
System Administrator, Agni Systems Limited
Re: Incorrect Acct-Session-Time
On Wed, Feb 13, 2002 at 04:40:50PM +0800, Daniel Yeung wrote:
> ...
> Sometime, I experience incorrect session-time problem in details file
> sometimes. Would anyone give me suggestion ?

Pardon me, but all I can see is that your Acct-Session-Time is zero. Why do you think it's wrong? If you want to be sure, find out the corresponding "Start" packet entry and match the Timestamps.

--
Mojahed
System Administrator, Agni Systems Limited
MySQL Threads
Has anyone noticed that MySQL's "show processlist;" shows only one thread being used by FreeRADIUS, even at high loads? I just want to know if I'm the only one seeing this problem.

FR is 0.3 on a FreeBSD 4.4 box.

--
Mojahed
System Administrator
Agni Systems Limited
Re: Reject users
On Mon, Oct 29, 2001 at 03:13:33PM +0100, Aldo Maruffi wrote:
>
> How I can write in a MySQL table the users reject with the
> reason for rejection?

  DELETE FROM radcheck WHERE UserName='badguy';
  DELETE FROM radreply WHERE UserName='badguy';
  INSERT INTO radcheck VALUES ('', 'badguy', 'Auth-Type', 'Reject');
  INSERT INTO radreply VALUES ('', 'badguy', 'Reply-Message', 'Go away. No pay no Net');

Of course, this is only the idea.

One point, if the customer uses a Windows box and does not use the terminal window to login, he will not see the message.

--
Mojahed
System Administrator
Agni Systems Limited
Re: Handling limit credit with Radius
On Wed, Oct 17, 2001 at 04:46:02PM -0500, Carlos Lerma wrote:
>
> Thanks for your response. Due to the Radius can not handle this
> situation, if I can know when the customer increase his limit.
> Can I use the SNMP protocol in order to tell the NAS, that not
> cut the session and increase the "Session-Timeout".

Some people use a solution that does not use Session-Timeout at all. They run a daemon that checks the radutmp file every minute or so and for every user logged in, checks their time credit in the database and disconnects the account if it's over credit. This is quite a kludgy solution, IMHO.

If you think about it, with Session-Timeout the only little nuisance is that the user has to hang up to get the new Session-Timeout. Is that really a big deal? How often does it happen in real-life that the user is logged in and his account is updated?

--
Mojahed
System Administrator
Agni Systems Limited
Re: Simultaneous-Use = 1
On Tue, Oct 02, 2001 at 01:46:38PM +0100, Sergey V. Sichevsky wrote:
> MHAH> Simultaneous-Use and Login-Time does not work with rlm_sql modules
> MHAH> without a minor change in source code.
> Can I define this parameter w/o changes in code?
> In ./etc/raddb/users for example? But I need auth* in sql.

That's what I said! Simultaneous-Use works fine in /etc/raddb/users. But it will not work in sql. To make it work in sql, you have to make the changes I suggested.

--
Mojahed
System Administrator
Agni Systems Limited
Re: Simultaneous-Use = 1
On Tue, Oct 02, 2001 at 10:14:18AM +0100, Sergey V. Sichevsky wrote:
> >> rlm_sql: Pairs do not match [test]
> >>
> NPR> You must wrote 'Simultaneous-Use = 1' into radreply (radgroupreply) also.
>
> Ok. I did as you say. But the result was same. :(

Simultaneous-Use and Login-Time do not work with rlm_sql modules without a minor change in source code. The problem is, rlm_sql does not understand the check operators other than '='. If you use the "users" file (rlm_files), you would use ':=' for Simultaneous-Use and Login-Time. This hasn't been implemented yet. Someone sent a patch to the developers list, I guess it'll get incorporated after some time.

Until then, take these lines:

    if ((strncasecmp(row[2], "Login-Time", 10) == 0) ||
        (strncasecmp(row[2], "Simultaneous-Use", 16) == 0))
        operator = T_OP_ADD;
    else
        operator = T_OP_CMP_EQ;

And add them before

    pair = pairmake(row[2], row[3], operator);
    pairadd(first_pair, pair);

in src/modules/rlm_sql/sql.c in function sql_userparse.

--
Mojahed
System Administrator
Agni Systems Limited
Re: Password encoding in radcheck table? (MySQL)
On Fri, Sep 28, 2001 at 04:01:35PM -0300, Juan Carlos Castro y Castro wrote:
> Joe Modjeski wrote:
> mysql> select * from radcheck;
> +----+----------+-----------+---------------+
> | id | UserName | Attribute | Value         |
> +----+----------+-----------+---------------+
> |  1 | jcastro  | Password  | JAEyCQtZ6viPc |

This password looks like an encrypted password to me. The Attribute name must be "Crypt-Password" for this to work.

Why don't you use radtest to check FreeRADIUS is working as expected?

--
Mojahed
System Administrator
Agni Systems Limited
Re: Proxying to Cistron
On Thu, Sep 27, 2001 at 10:12:58AM +0600, Mojahedul Hoque Abul Hasanat wrote:
> On Wed, Sep 26, 2001 at 09:49:50PM +, Miquel van Smoorenburg wrote:
>
> > >radius.log. For any request that came to it from the FreeRADIUS

Holy Shit! I prayed then installed a recent snapshot (20010924). It couldn't have worked better!

I did some tcpdumps and debugs with the 0.2 beta, it was receiving the proxy reply alright, but just forgot to send a reply back to the NAS.

I'm going to try it out on our production box again. Thanks to the FreeRADIUS team for a superb product.

--
Mojahed
System Administrator
Agni Systems Limited
Re: Proxying to Cistron
On Wed, Sep 26, 2001 at 09:49:50PM +, Miquel van Smoorenburg wrote:
> >radius.log. For any request that came to it from the FreeRADIUS
> >server, it shows either 'Accounting: login ... wrong order' or
> >'Accounting: logout: ... wrong ID'. Worse, FreeRADIUS seems
> >unable to auth from Cistron.
>
> Do you have multiple interfaces or multiple IP addresses configured
> on one or both boxes?

Nopes, both boxes have one IP.

--
Mojahed
System Administrator
Agni Systems Limited
Re: Proxying to Cistron
On Wed, Sep 26, 2001 at 01:41:19PM -0400, [EMAIL PROTECTED] wrote:
> Does it not receive them, or does it receive them, and throw
> them away?

Sorry, couldn't check that. I had the audacity to run FreeRADIUS on a production box. I am back on my custom patched Cistron now. I will do a test tomorrow.

--
Mojahed
System Administrator
Agni Systems Limited
Re: Proxying to Cistron
On Wed, Sep 26, 2001 at 10:28:04AM -0400, [EMAIL PROTECTED] wrote:
> So if Cistron doesn't like the proxied accounting packets,
> blame the NAS, not FreeRADIUS.

Hmm, everything just works fine if I replace FreeRADIUS with Cistron.

> > Worse, FreeRADIUS seems unable to auth from Cistron.
>
> Define 'unable'. If you run both in debugging mode, there
> should be LOTS of messages telling you what's going on, and
> what the problems are.

Thanks. I'm doing it right now. It seems FreeRADIUS does not receive the ack radius packets properly for accounting start and stop packets. Auth packets seem to be OK. Cistron does send the ack packet correctly, but FreeRADIUS remains oblivious to it and keeps on sending the acc start and stop packets for nearly 20 times.

--
Mojahed
System Administrator
Agni Systems Limited
Proxying to Cistron
Dear List,

I replaced our patched Cistron with FreeRADIUS. The FreeRADIUS server proxies a few realms to a Cistron on another machine. Just after the upgrade, Cistron is complaining loudly in radius.log. For any request that came to it from the FreeRADIUS server, it shows either 'Accounting: login ... wrong order' or 'Accounting: logout: ... wrong ID'. Worse, FreeRADIUS seems unable to auth from Cistron.

The old (main) Cistron box is also running and the NAS'es have them as their secondary. FreeRADIUS times out after a lot of retries, then the NAS'es make the request to the older Cistron, so I'm not dead yet!

Is anyone on the list proxying to Cistron? Before anyone asks, shared secrets are correct.

--
Mojahed
System Administrator
Agni Systems Limited
Re: MySQL Escape Problems
On Mon, Sep 24, 2001 at 11:44:08AM -0400, [EMAIL PROTECTED] wrote:
> Mojahedul Hoque Abul Hasanat <[EMAIL PROTECTED]> wrote:
> > Username: hukka'hua
> > sql_escape_string output: hukka\'hua
> > Actual query to mysql: hukka\\'hua
>
> Hmm.. can you add debugging statements, to track down where the
> problem occurs in the SQL module?

Did some digging. The problem is not exactly in the rlm_sql modules. rlm_sql.c does the proper escaping. Then uses radius_xlat, which uses decode_attribute which calls valuepair2str and we finally arrive at librad_safeprint. This librad_safeprint does an extra escaping by doubling the backslash "\" and hell breaks loose.

This is a big problem. All sql modules should be affected. If I haven't missed something, radius_xlat should be changed. I'll hack up a radius_xlat_sql now.

--
Mojahed
System Administrator
Agni Systems Limited
MySQL Escape Problems
Dear List,

I am using rlm_sql_mysql with FreeRADIUS 0.2 on FreeBSD 4.4. Usernames with special characters like "'" are not being escaped properly. With -xx it's evident that sql_escape_string is working alright. But when it's querying MySQL, an extra "\" gets added. An example:

  Username: hukka'hua
  sql_escape_string output: hukka\'hua
  Actual query to mysql: hukka\\'hua

People must be using rlm_sql a lot. Can anybody please give me a bang and tell me what I have missed?

--
Mojahed
System Administrator
Agni Systems Limited
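Why the extra backslash in the two "MySQL Escape Problems" messages above matters, as an added example that is not code from the posts or from FreeRADIUS. `sql_escape` and `double_backslashes` are hypothetical stand-ins for the two steps the thread names, and `literal_end` is a simplified model of how MySQL reads a single-quoted string.

```python
# Added illustration; all names are hypothetical stand-ins.

def sql_escape(value):
    """Stand-in for the module's own escaping of backslash and quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def double_backslashes(value):
    """Stand-in for the later printing step that doubles every backslash."""
    return value.replace("\\", "\\\\")

def literal_end(body):
    """Model how MySQL reads text placed between single quotes.

    Returns the index of the first quote that closes the literal, or None
    if every quote in `body` is still backslash-escaped. Simplified: the
    doubled-quote form ('') is not modelled.
    """
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2          # a backslash consumes the character after it
        elif body[i] == "'":
            return i
        else:
            i += 1
    return None

def audit(usernames, stages):
    """Run each name through `stages`; report values whose literal breaks."""
    broken = {}
    for name in usernames:
        out = name
        for stage in stages:
            out = stage(out)
        if literal_end(out) is not None:
            broken[name] = out
    return broken

# Constructed sample names; the first is the one from the thread.
NAMES = ["hukka'hua", "plain", "back\\slash", "o'neil\\"]

ESCAPE_ONCE = audit(NAMES, [sql_escape])
ESCAPE_THEN_DOUBLE = audit(NAMES, [sql_escape, double_backslashes])
```

After the second pass the backslash pair reads as one literal backslash and the quote closes the string early, so escaping has to be the last transformation applied before the value reaches the query.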