Re: cisco_vsa_hack (rlm_preprocess)

2003-02-10 Thread Thomas Jalsovsky


Hello,

I have sent the SAME feature to the list many times, but the project
leaders (or leader, I can't remember) said we should make a general
architecture for this type of hack and not do it in rlm_preprocess.
So it is not in CVS (but it should have been for a long time...).

Perhaps you will have success :)

I would like to see this improvement in FR.

Regards,
Thomas

On Tue, 4 Feb 2003, Vladimir Kravchenko wrote:

>
> I offer to add functionality in the function "cisco_vsa_hack".
>
> Example value pair:
> Cisco-AVPair = "h323-incoming-conf-id=cc0576cf 379011d7 95c8ef6a 9f419c36"
> I cannot address the attribute h323-incoming-conf-id through the macro
> %{h323-incoming-conf-id}
> Offer: if "h323-incoming-conf-id" exists in the dictionary then replace
> attribute & value.
>
> Example patch:
>
> oracle[jimson]:.../radiusd $ cat ../cisco_vsa_hack.patch
> --- src/modules/rlm_preprocess/rlm_preprocess.c.origTue Feb  4 21:26:05 2003
> +++ src/modules/rlm_preprocess/rlm_preprocess.c Tue Feb  4 21:27:22 2003
> @@ -112,7 +112,9 @@
>  {
> int vendorpec, vendorcode;
> char*ptr;
> -   charnewattr[MAX_STRING_LEN];
> +   charnattr[MAX_STRING_LEN];
> +   charnvalue[MAX_STRING_LEN];
> +   DICT_ATTR   *dattr;
>
> for ( ; vp != NULL; vp = vp->next) {
> vendorcode = (vp->attribute >> 16); /* HACK! */
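Review bot: `nvalue` in this declaration block is used only as a bounce buffer for copying the text after `=` back into `vp->strvalue`, so the function now keeps two MAX_STRING_LEN arrays on the stack. An overlap-safe move inside `vp->strvalue` would need neither of them for that step; if both buffers stay, a one-line comment saying what `nattr` and `nvalue` hold would help the next reader.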
> @@ -123,16 +125,21 @@
>
> if (vendorpec != 9) continue; /* not a Cisco VSA, continue */
>
> -   if ((vp->attribute & 0x) == 1) continue; /* Cisco-AVPair */
> -
> /*
>  *  We strip out the duplicity from the value field,
>  *  we use only the value on the right side of = character.
>  */
> -   if ((ptr = strchr(vp->strvalue, '=')) != NULL) {
> -   strNcpy(newattr, ptr + 1, sizeof(newattr));
> -   strNcpy((char *)vp->strvalue, newattr,
> -   sizeof(vp->strvalue));
> +   if (vp->type == PW_TYPE_STRING && (ptr = strchr(vp->strvalue, '=')) 
>!= NULL) {
> +   if ((vp->attribute & 0x) == 1) {
> +   /* Cisco-AVPair */
> +   strNcpy(nattr, vp->strvalue, ptr - (char 
>*)vp->strvalue + 1);
> +   if ((dattr = dict_attrbyname(nattr)) != NULL && 
>dattr->type == PW_TYPE_STRING) {
> +   vp->attribute = dattr->attr;
> +   strNcpy(vp->name, dattr->name, 
>sizeof(vp->name));
> +   } else continue;
> +   }
> +   strNcpy(nvalue, ptr + 1, sizeof(nvalue));
> +   strNcpy((char *)vp->strvalue, nvalue, sizeof(vp->strvalue));
> vp->length = strlen((char *)vp->strvalue);
> }
> }
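Review bot: In the Cisco-AVPair branch the length passed to `strNcpy(nattr, vp->strvalue, ptr - (char *)vp->strvalue + 1)` comes from where `=` sits in the value received from the NAS, not from `sizeof(nattr)`; clamp it to `sizeof(nattr)` so the copy stays bounded however the two buffer sizes relate. `dict_attrbyname(nattr)` also matches any string attribute in the dictionary, so a pair whose left-hand side names a non-Cisco attribute would be rewritten into that attribute; the vendor check asked about in the P.S. should be added, limiting the match to vendor 9 as the `vendorpec != 9` test above does. The `else continue` path also leaves pairs with non-string dictionary types untouched without a log line, which is worth a debug message.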
> oracle[jimson]:.../radiusd $
>
> Your opinion?
>
> P.S. Should a check of the dattr vendor be added or not? :)
> --
> Vladimir Kravchenko / PK Mostcom JSC / system engineer
> Tel: +7 095 2312255 / UIN: 132038843 / Email: [EMAIL PROTECTED]
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: sql accounting and custom attributes

2002-11-06 Thread Thomas Jalsovsky

On Wed, 6 Nov 2002, Alexey Chetroi wrote:

> On Tue, Nov 05, 2002 at 10:49:12AM -0500, Alan DeKok wrote:
> > >  doc/variables.txt mentions that you can use %{Attribute-Name},
> > > but what if there are several attributes with the same name,
> > > eg Cisco-AVpair?
> >
> >   The server doesn't handle that right now.
> >
> > >  I just want to log ras-tx-speed and ras-rx-speed attributes
> > > from the cisco in sql table. Is there any trick?
> >
> >   That's an even more difficult problem.  You don't know the order of
> > the attributes, so you want to log Cisco-AVpair attributes which
> > contain certain values.
> >
> >   Your best bet right now is to use some kind of external program to
> > do the work, or to write a module to pull the information you want out
> > of the attributes.
>
>  Is it possible to rewrite attribute names eg in preprocess module,
> like cisco_vsa_hack. eg to convert from:
>
> Cisco-AVPair = "nas-rx-speed=31200"
> to
> nas-rx-speed=31200

This is not possible while there are many Cisco-AVPair AV-Pairs e.g.
 Cisco-AVPair = "nas-rx-speed=31200"
 Cisco-AVPair = "nas-tx-speed=31200"
preprocess doesn't know how to rewrite this to nas-rx-speed=31200
The cisco_vsa_hack can rewrite only pairs with type:
h323-connect-time = "h323-connect-time=."

Thomas





Re: quintum

2002-11-05 Thread Thomas Jalsovsky
> I have some question concerning VSA.
> In radiusd.conf there is
>
> with_cisco_vsa_hack = yes
>
> Is this parameter used only with Cisco?
> how can i get such behaviour with Quintum?
> Remind, i need have instead
> H323-Attribute = "h323-attribute=value"
> this
> h323-attribute=value
>
This hack is only for Cisco VSAs (Cisco's Vendor ID, 9, is hardcoded
there). It is very simple to make a small hack to have that feature for
Quintum... take a look at the rlm_preprocess.c file

Thomas





Re: rlm_detail & NFS

2002-10-31 Thread Thomas Jalsovsky


On Thu, 31 Oct 2002, Alan DeKok wrote:

> Thomas Jalsovsky <[EMAIL PROTECTED]> wrote:
> > does anybody have any experience with saving detail files onto NFS
> > partition sitting on a remote host? Maybe with another distributed
> > filesystem under Linux?
>
>   It's a bad idea.  NFS may go away without really "going away".  That
> is, it will look to programs that the directories/files exist, but any
> reads/writes will take literally forever.
If I'm right (I heard this but have not checked it yet), NFS has hard and soft
modes. When the soft mode is turned on, every file function failure will be
reported back to the application and it won't keep trying to do the job (in a loop).

>
> > My goal will to make fail-over solution, so when RADIUS
> > (rlm_detail) can't store files onto local filesystem let store to a remote
> > one.
>
>   You're better off storing them to local disk, and using radrelay to
> copy the data to another system.
Yes, it's true. This solution should be for case when I can't store to
local disk (disk full/ local filesystem fail). My idea:
1. try to store to local filesystem
2. if it is OK, go next, if it FAILs, try to save to a remote FS e.g. NFS
3. if everything FAILs (little probability) accounting returns with FAIL

>
>
> > p.s.: does rlm_detail locking work together with NFS? (I'm not an NFS
> > guru, please explain your answer, thanks)
>
>   I would expect so, if NFS supports locks, without bugs.  Not all NFS
> implementations do...
Unfortunately I don't have much experience with NFS (I used it only for
central file distribution - storage). I'm asking because there should be
more experienced users with distributed filesystems/locking/RADIUS :)

Thanks
Thomas

p.s.: what is your idea, how should I solve filesystem problems - FS
fail-over? (I have also SQL databases, but I need for archivation those
CDRs)

>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>





rlm_detail & NFS

2002-10-31 Thread Thomas Jalsovsky


Hello,
does anybody have any experience with saving detail files onto NFS
partition sitting on a remote host? Maybe with another distributed
filesystem under Linux?
My goal is to make a fail-over solution, so when RADIUS
(rlm_detail) can't store files onto the local filesystem, let it store to a remote
one.

Thanks in advance,
Thomas

p.s.: does rlm_detail locking work together with NFS? (I'm not an NFS
guru, please explain your answer, thanks)





libradius

2002-09-02 Thread Thomas Jalsovsky


Hello,

does anybody have an example how to use libradius with another
software (as RADIUS client part) - source code example/compilation?

Thank you in advance,
Thomas

p.s.: I would like to use the RADIUS protocol in another open-source
software and it should be great to use FR for this





Re: cisco priv level

2002-08-19 Thread Thomas Jalsovsky


Hello,

if I'm right, command and enable logging is supported only with 
TACACS+ protocol. (I have AAA with freeRadius and command logging with 
TACACS+)

Thomas

On 19 Aug 2002, Kuba Leszewski wrote:

> How to configure Cisco 29xx and freeradius,
> to log to the "enable" level ?
> 
> I tried sending:
> cisco-avpair = "shell:priv-lvl=15"
> 
> but it doesn't work





Re: Attribute rewrite question

2002-08-10 Thread Thomas Jalsovsky

On Fri, 9 Aug 2002, Alan DeKok wrote:

> Thomas Jalsovsky <[EMAIL PROTECTED]> wrote:
> > I have a strange problem. My NAS sends User-Name like
> > User-Name = ":"
> > This is not a bug in the NAS but it is a feature (I can't solve my problem
> > in another way). I would like to separate this value
> > like  -> User-Name and  -> Called-Station-Id
> > (rewrite)
>
>   That would be really handy.  Right now, I'm not sure how to do it.
> The simplest method would be to add some C to rlm_preprocess.  But a
> more general solution would be preferable.
Yes, I thought I would write it into the rlm_preprocess module, but this
feature is not needed in common (I need it because I can't send from NAS
the needed info only through User-Name attribute in accounting records).
I would like to make it through rlm_perl or rlm_python, but I'm not sure
that rlm_python can rewrite attributes (rlm_perl can't at the moment).
In this way a simple Perl script should be used for whatever bizarre
attribute rewrite.

Any idea? Does rlm_python support this?

Kind regards,
Thomas





Attribute rewrite question

2002-08-08 Thread Thomas Jalsovsky



Hello,

I have a strange problem. My NAS sends User-Name like
User-Name = ":"
This is not a bug in the NAS but it is a feature (I can't solve my problem
in another way). I would like to separate this value
like  -> User-Name and  -> Called-Station-Id
(rewrite)

It would be great to make this attr. rewrite in the preprocess
module (or near this module). Can I make this with rlm_perl or
rlm_python and if yes, how?

Thanks in advance,
Thomas





Re: with_cisco_vsa_hack problem

2002-07-31 Thread Thomas Jalsovsky

> I notice that all the "cisco" options are quoted still even with the
> cisco_hack on. Is this a bug or a feature? :-)
>
> h323-setup-time = ".17:28:07.811 BST Sun Mar 7 1993"
> h323-connect-time = ".17:28:21.984 BST Sun Mar 7 1993"
This is not a BUG but it wasn't implemented. As you see, these
Cisco-VSAs now look fine.

> Cisco-AVPair = "subscriber=Unknown"
> Cisco-AVPair = "tariff-type=Unknown"
> Cisco-AVPair = "pre-bytes-in=0"
These are AVPairs with VSA 1. (what you fixed before, simply if the Cisco
VSA is 1, ignore it - continue).

Thomas





Abnormal child exit

2002-07-30 Thread Thomas Jalsovsky


Hello,
I use FR from CVS (Jul 10 2002). I have problems with
Exec-Program-Wait. While FR runs in debug mode it doesn't send back the
right AVPairs, rather AVPair Reply-Message.

 debug --
radius_xlat:  '/gis/scripts/prepaid.pl'
Exec-Program: /gis/scripts/prepaid.pl
Exec-Program-Wait: value-pairs: h323-billing-model =
"h323-billing-model=1",h323-preferred-lang = "h323-preferred-lang=S
K",h323-credit-amount = "h323-credit-amount=419.00",h323-currency =
"h323-currency=SKK",h323-return-code = "h323-return-
code=0"
Exec-Program: Abnormal child exit
Sending Access-Reject of id 162 to 193.41.203.20:1645
Reply-Message = "\r\nAccess denied (external check failed)."
Finished request 50
-

When I use FR in daemon mode it works, but when I want to reject
the user (my perl script returns exit value 1) and send back AVPairs to
the NAS, I also get only the Reply-Message AVPair (I know this from the
NAS's debug - NAS got attribute 18).

Something is wrong with the external script. I know that there was
a bug around the debug mode (I found this bug), but I upgraded after that
bug was fixed (?).

Thanks in advance.

Thomas







SQL fail-over

2002-07-29 Thread Thomas Jalsovsky


Hello,

what is the status of the SQL fail-over code? Does it work? I
tested it half a year ago but it didn't work. Is anybody working on it?

Thanks in advance,
Thomas





Re: Cisco VSA & FreeRADIUS

2002-07-29 Thread Thomas Jalsovsky


> I've tested freeradius 0.6 and it works fine, I'm planning to replace my
> production radius now. I have only one problem, I'd like to log Cisco
> VSAs (like nas-rx-speed, nas-tx-speed) in SQL database. I have 50+
> AS5350 an AS5400 with IOS 12.2 and it sends VSA accounting as
> Cisco-AVPair. Cisco-vsa-hack does not work with this. Any solution? This
> is a sample accounting-stop record:
the cisco_vsa_hack is only for handling situation:
Cisco-VSA = "Cisco-VSA=value"
this will be rewritten to Cisco-VSA = value

The hack does not handle situation
Cisco-AVPair = "Cisco-VSA=value"

you will have to expand the hack (what I did a year ago, but wasn't
applied to the FR code).

Regards,
Thomas

>
> Fri Jul 26 22:56:34 2002
> NAS-IP-Address = xxx
> NAS-Port = 670
> Cisco-NAS-Port = "Async5/22*Serial2/6:2"
> NAS-Port-Type = Async
> User-Name = "xxx"
> Called-Station-Id = "xxx"
> Calling-Station-Id = "xxx"
> Acct-Status-Type = Stop
> Acct-Authentic = RADIUS
> Service-Type = Framed-User
> Acct-Session-Id = "0E000D11"
> Framed-Protocol = PPP
> Framed-IP-Address = xxx
> Acct-Terminate-Cause = Lost-Carrier
> Acct-Input-Octets = 3597499
> Acct-Output-Octets = 36347730
> Acct-Input-Packets = 55748
> Acct-Output-Packets = 74657
> Acct-Session-Time = 7280
> Cisco-AVPair = "disc-cause-ext=1011"
> Cisco-AVPair = "pre-bytes-in=123"
> Cisco-AVPair = "pre-bytes-out=112"
> Cisco-AVPair = "pre-paks-in=5"
> Cisco-AVPair = "pre-paks-out=5"
> Cisco-AVPair = "pre-session-time=25"
> Cisco-AVPair = "connect-progress=60"
> Cisco-AVPair = "nas-rx-speed=28800"
> Cisco-AVPair = "nas-tx-speed=5"
> Acct-Delay-Time = 0
> Client-IP-Address = xxx
> Timestamp = 1027716994
>
> Best Regards,
> Felician Hoppal
>
>
>
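
The two cases described in this reply and in the "sql accounting and custom attributes" reply above (a VSA carrying its own name in the value, and a Cisco-AVPair carrying some other name) are shown side by side in the following added example, which is not FreeRADIUS code and not the patch posted to the list. The structs, the dictionary, its attribute numbers and the `vsa_rewrite` name are assumptions made for the sketch; the AVPair name is accepted only if it resolves to a Cisco (vendor 9) dictionary entry, and all copies are bounded.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STR      64   /* buffer size assumed for this sketch */
#define VENDOR_CISCO 9    /* Cisco's vendor ID, as stated in the thread */
#define ATTR(vendor, num) (((unsigned)(vendor) << 16) | (unsigned)(num))

/* Simplified stand-ins for the server's value pair and dictionary entry. */
struct pair {
    unsigned attribute;   /* vendor in the high 16 bits, number in the low 16 */
    char name[MAX_STR];
    char value[MAX_STR];
};
struct dict_entry { const char *name; unsigned attribute; };

/* Constructed dictionary; the Cisco attribute numbers are placeholders. */
static const struct dict_entry dict[] = {
    { "nas-rx-speed", ATTR(VENDOR_CISCO, 101) },
    { "nas-tx-speed", ATTR(VENDOR_CISCO, 102) },
    { "User-Name",    ATTR(0, 1) },
};

static const struct dict_entry *dict_by_name(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(dict) / sizeof(dict[0]); i++)
        if (strcmp(dict[i].name, name) == 0)
            return &dict[i];
    return NULL;
}

static struct pair make_pair(unsigned attribute, const char *name,
                             const char *value)
{
    struct pair vp;
    vp.attribute = attribute;
    snprintf(vp.name, sizeof(vp.name), "%s", name);
    snprintf(vp.value, sizeof(vp.value), "%s", value);
    return vp;
}

/* Returns 1 if the pair was rewritten, 0 if it was left untouched. */
static int vsa_rewrite(struct pair *vp)
{
    char *eq;

    if ((vp->attribute >> 16) != VENDOR_CISCO)
        return 0;                        /* not a Cisco VSA */
    if ((eq = strchr(vp->value, '=')) == NULL)
        return 0;                        /* nothing to strip */

    if ((vp->attribute & 0xffff) == 1) { /* Cisco-AVPair */
        char lhs[MAX_STR];
        const struct dict_entry *d;
        size_t nlen = (size_t)(eq - vp->value);

        if (nlen == 0 || nlen >= sizeof(lhs))
            return 0;                    /* empty or oversized name */
        memcpy(lhs, vp->value, nlen);
        lhs[nlen] = '\0';

        d = dict_by_name(lhs);
        if (d == NULL || (d->attribute >> 16) != VENDOR_CISCO)
            return 0;                    /* unknown, or not a Cisco attribute */
        vp->attribute = d->attribute;
        snprintf(vp->name, sizeof(vp->name), "%s", d->name);
    }
    /* Source and destination overlap, so move rather than copy. */
    memmove(vp->value, eq + 1, strlen(eq + 1) + 1);
    return 1;
}

int main(void)
{
    /* Values taken from the thread, except the last pair (constructed). */
    struct pair in[] = {
        make_pair(ATTR(VENDOR_CISCO, 100), "h323-connect-time",
                  "h323-connect-time=.17:28:21.984 BST Sun Mar 7 1993"),
        make_pair(ATTR(VENDOR_CISCO, 1), "Cisco-AVPair", "nas-rx-speed=28800"),
        make_pair(ATTR(VENDOR_CISCO, 1), "Cisco-AVPair", "nas-tx-speed=5"),
        make_pair(ATTR(VENDOR_CISCO, 1), "Cisco-AVPair", "disc-cause-ext=1011"),
        make_pair(ATTR(VENDOR_CISCO, 1), "Cisco-AVPair", "User-Name=someone"),
    };
    size_t i;

    for (i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
        int changed = vsa_rewrite(&in[i]);
        printf("%-9s %s = \"%s\"\n", changed ? "rewritten" : "kept",
               in[i].name, in[i].value);
    }
    return 0;
}
```

Because each pair is rewritten on its own, several Cisco-AVPair entries in one packet end up as separately named attributes instead of competing for one name.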





Re: linking error

2002-07-09 Thread Thomas Jalsovsky

On Tue, 9 Jul 2002, Alan DeKok wrote:

> Thomas Jalsovsky <[EMAIL PROTECTED]> wrote:
> > When I compiled without setting CFLAGS and CXXFLAGS, I got:
> > # /gis/radius_test/sbin/radiusd -X
> > /gis/radius_test/sbin/radiusd: error while loading shared libraries:
> > libradius-0.7-pre.so: cannot open shared object file: No such file or
> > directory
> >
> > there is no libradius* file in my lib/ directory.
>
>   It's still a work in progress, sorry.  I've been poking at the
> server, getting it to build shared libraries for libradius, and
> haven't finished it yet.  As the web pages say, the CVS snapshots
> aren't even guaranteed to build. :)
>
sorry for bothering you and the list.

>
> > How can I use radius with static binaries (does it help to achieve
> > better performance as with e.g. mysql?), and how can start the new
> > version?
>
>   You can build it static via:
>
> ./configure --disable-shared
>
>   and it shouldn't make much difference for anything
>
>   But grab the code from cvs now, I've updated the 'install' target
> for libradius.
OK, it's working now.

Thanks,
Thomas

>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>





linking error

2002-07-09 Thread Thomas Jalsovsky


Hello,

I compiled FR from today's CVS on a RedHat Linux 7.2 system with
gcc 3.1:

CFLAGS="-static -march=athlon -mcpu=athlon -funroll-loops -fomit-frame-pointer" \
CXXFLAGS="-static -march=athlon -mcpu=athlon -funroll-loops -fomit-frame-pointer -felide-constructors -fno-exceptions -fno-rtti" \
./configure \
--prefix=/gis/radius_test \
--with-mysql-dir=/gis/mysql \
--with-mysql-include-dir=/gis/mysql/include \
--with-mysql-lib-dir=/gis/mysql/lib/mysql \
--without-ascend-binary \
--without-snmp \
--with-thread-pool \
--mandir=/usr/man \
--with-raddbdir=/gis/radius_test/raddb

I precompiled without errors but when I started the server I got:
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /gis/radius_test/lib
radiusd.conf[463] Failed to link to module 'rlm_preprocess': file not
found

# ls /gis/radius_test/lib/rlm_preprocess* -1
/gis/radius_test/lib/rlm_preprocess-0.7-pre.la
/gis/radius_test/lib/rlm_preprocess.a
/gis/radius_test/lib/rlm_preprocess.la

When I compiled without setting CFLAGS and CXXFLAGS, I got:
# /gis/radius_test/sbin/radiusd -X
/gis/radius_test/sbin/radiusd: error while loading shared libraries:
libradius-0.7-pre.so: cannot open shared object file: No such file or
directory

there is no libradius* file in my lib/ directory.

How can I use radius with static binaries (does it help to achieve
better performance as with e.g. mysql?), and how can start the new
version?

Thanks in advance,
Thomas





Re: Cisco VSA Radius Return Values

2002-07-08 Thread Thomas Jalsovsky

On Mon, 8 Jul 2002, Alan DeKok wrote:

> Thomas Jalsovsky <[EMAIL PROTECTED]> wrote:
> > Cisco IVR uses return VSAs in access-reject messages. By the RFC, a
> > RADIUS access-reject message has to have only one attribute, therefore you
> > have to look into the code and hack the server to send access-reject
> > packets to the Cisco NAS (not compatible with RFC).
>
>   No, the RFC's (and FreeRADIUS) allow Vendor-Specific attributes in
> Access-Reject packets.

Sorry, I'm confused.
radiusd.c
/*
 *  Authentication REJECT's can have only
 *  EAP-Message, Message-Authenticator
 *  Reply-Message and Proxy-State.
 *
 *  We delete everything other than these.
 *  Proxy-State is added below, just before the
 *  reply is sent.
 */

auth.c
/*
 *  Error. radius_exec_program() returns -1 on
 *  fork/exec errors, or >0 if the exec'ed program
 *  had a non-zero exit status.
 */

if (user_msg == NULL)
  user_msg = "\r\nAccess denied (external check failed).";

request->reply->code = PW_AUTHENTICATION_REJECT;
pairfree(&request->reply->vps);
tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
request->reply->vps = tmp;

rad_authlog("Login incorrect (external check failed)",
  request, 0);

So, if my perl script returns a non-zero value (I reject the user), the
radius server sends back PW_AUTHENTICATION_REJECT with only one attribute:
Reply-Message. Where are the mentioned VSAs?

Regards,
Thomas





Re: Cisco VSA Radius Return Values

2002-07-08 Thread Thomas Jalsovsky


Hello,

an example:
raddb/users_fast
...
248039  Auth-Type = Local, Password == "not crypted password"
Exec-Program-Wait = "/path/to/your/script.pl"
..
---
/path/to/your/script.pl
#!/usr/bin/perl
print "h323-credit-amount = \"h323-credit-amount=123\",";
print "h323-currency = \"h323-currency=USD\"";
# accept
exit 0;
--
of course you have to configure to use Cisco's dictionary. Everything else
is written in FR docs and on www.cisco.com.

Regards,
Thomas


On Mon, 8 Jul 2002, Kasra Robert Rasaee wrote:

> Hi again,
>
> Yeah I am attempting to work on a Prepaid solution,
> but the problem I still face is how and were to use
> the exec-program-wait ? would I require to modify
> the code to FreeRadius ? in order to send back the
> h323-credit-amount and h323-credit-time how would
> that be done after authentication is complete ?
>
> I am still a bit confused, this stuff is all pretty much
> new to me, for example how would I a script or
> perhaps write my own module so that it would send
> back the h323-credit-amount and h323-credit-time,
>
> see the problem here is that in order to retrieve the
> h323-credit-time I must see where the person is going
> to be terminating to, then I must match it against a termination
> rate for that location, then it would calculate the time remaining
> for that destination by the number of dollars he or she has
> and the rate,
>
> Any code pointers you can provide me ?
> perhaps configurations ?
> examples ?
>
> Anything would be useful,
>
> Thanks in advance,
>
>
> Kasra
>
> - Original Message -
> From: "Thomas Jalsovsky" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Monday, July 08, 2002 1:09 AM
> Subject: Re: Cisco VSA Radius Return Values
>
>
> >
> > Hello,
> >
> > If I'm right you are working on a prepaid solution.
> > exec-program-wait is your key to the success.
> > Cisco IVR uses return VSAs in access-reject messages. By the RFC, a
> > RADIUS access-reject message has to have only one attribute, therefore you
> > have to look into the code and hack the server to send access-reject
> > packets to the Cisco NAS (not compatible with RFC).
> >
> > Cheers,
> > Thomas
> >
> > On Sun, 7 Jul 2002, Alan DeKok wrote:
> >
> > > "Kasra Robert Rasaee" <[EMAIL PROTECTED]> wrote:
> > > > I just can't seem to find enough documentation on how I can write
> > > > my own module to allow for the return values of h323-credit-amount
> > > > and h323-credit-time,
> > >
> > >   Uh, why?  There's no need for that amount of work.
> > >
> > > > I wish to calculate the values of these two attributes via a script
> > > > or a program which I can possibly pass the values to from
> > > > FreeRadius and for it to return other values detaining information
> > > > for those two attributes,
> > >
> > >   See 'scripts/exec-program-wait'
> > >
> > >   Alan DeKok.
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> > >
> >
> >
>





Re: Cisco VSA Radius Return Values

2002-07-07 Thread Thomas Jalsovsky


Hello,

If I'm right you are working on a prepaid solution.
exec-program-wait is your key to the success.
Cisco IVR uses return VSAs in access-reject messages. By the RFC, a
RADIUS access-reject message has to have only one attribute, therefore you
have to look into the code and hack the server to send access-reject
packets to the Cisco NAS (not compatible with RFC).

Cheers,
Thomas

On Sun, 7 Jul 2002, Alan DeKok wrote:

> "Kasra Robert Rasaee" <[EMAIL PROTECTED]> wrote:
> > I just can't seem to find enough documentation on how I can write
> > my own module to allow for the return values of h323-credit-amount
> > and h323-credit-time,
>
>   Uh, why?  There's no need for that amount of work.
>
> > I wish to calculate the values of these two attributes via a script
> > or a program which I can possibly pass the values to from
> > FreeRadius and for it to return other values detaining information
> > for those two attributes,
>
>   See 'scripts/exec-program-wait'
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>





Re: Abnormal child exit

2002-07-02 Thread Thomas Jalsovsky


I tested again, and I get a bit more info: the 'Abnormal child exit'
problem is ONLY in debug mode (radiusd -X) - in daemon mode it is working
well...

Regards,
Thomas

On Tue, 2 Jul 2002, Thomas Jalsovsky wrote:

>
> Hello all,
>
>   I'm running the latest CVS tree and I want to use external scripts
> (written in Perl).
>   I run FR in debug mode and sent an auth. radius packet which
> should be handled by an external script
> --- cut
> radius_xlat:  '/gis/scripts/dev/p2.pl'
> Exec-Program: /gis/scripts/dev/p2.pl
> Exec-Program: Abnormal child exit
> Login incorrect (external check failed): [978319/97904] (from client
> localhost p
> ort 0)
> Sending Access-Reject of id 35 to 127.0.0.1:46389
> Finished request 14
> - cut -
>
> What I have in p2.pl:
>  cut 
> #!/usr/bin/perl
> exit 1;
> - cut ---
>
>   Why did I get Abnormal child exit? What does it mean? Is something
> wrong with the script? (access rights are OK, everything has owner radius)
>
>   I used a complicated script too, which returns A/V-Pairs, the
> script runs perfectly and returns good values, radius handles these
> av-pairs but there is the irritating message: Abnormal child exit
>
>   One more thing: I always get access-reject while I use exit 0 or
> exit 1.
>
>   Idea?
>
>   Regards,
>   Thomas
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
>





Abnormal child exit

2002-07-02 Thread Thomas Jalsovsky


Hello all,

I'm running the latest CVS tree and I want to use external scripts
(written in Perl).
I run FR in debug mode and sent an auth. radius packet which
should be handled by an external script
--- cut
radius_xlat:  '/gis/scripts/dev/p2.pl'
Exec-Program: /gis/scripts/dev/p2.pl
Exec-Program: Abnormal child exit
Login incorrect (external check failed): [978319/97904] (from client
localhost p
ort 0)
Sending Access-Reject of id 35 to 127.0.0.1:46389
Finished request 14
- cut -

What I have in p2.pl:
 cut 
#!/usr/bin/perl
exit 1;
- cut ---

Why did I get Abnormal child exit? What does it mean? Is something
wrong with the script? (access rights are OK, everything has owner radius)

I used a complicated script too, which returns A/V-Pairs, the
script runs perfectly and returns good values, radius handles these
av-pairs but there is the irritating message: Abnormal child exit

One more thing: I always get access-reject while I use exit 0 or
exit 1.

Idea?

Regards,
Thomas





Re: probably xlat problem

2002-06-10 Thread Thomas Jalsovsky


Hi,

I see the mentioned characters were included as non-escaped characters.
It works well for me.

Thanks,

Thomas


On Fri, 7 Jun 2002, Thomas Jalsovsky wrote:

>
> Hello
>
> I found in the mailing-list that there are escaped characters. It is not
> clear to me why this is needed. Could you leave the characters
>  : (colon),  (space) unescaped?
>
>   Thanks in advance,
>
>   Thomas
>
>
> On Fri, 7 Jun 2002, Thomas Jalsovsky wrote:
>
> >
> > Hello,
> >
> > I use today's CVS (2002 June 7). I found a problem with
> > accounting. When the value contains space char '.' or ':' the ascii
> > (probably) value is used. It is bad for me, because the system uses values
> > what are received and stored into SQL as is. The detail file looks well,
> > but my SQL (MySQL) records are wrong
> > e.g.
> > in place of: 95BB3EF3 78CF11D6 A817D89C D849DCD6
> > i have in the DB:
> > 95BB3EF3=2078CF11D6=20A817D89C=20D849DCD6
> >
> > Where can I turn this off or solve this problem?
> >
> > Regards,
> > Thomas
> >
> > p.s.: I use Cisco NAS-es and in production I have cisco_vsa_hack turned
> > on, but now I tried without this feature and without the preprocess
> > module, but the problem still exists.
> >
> >
> > rad_recv: Accounting-Request packet from host 127.0.0.1:34338, id=14,
> > length=263
> > Cisco-NAS-Port = "ISDN 0:D:1"
> > NAS-Port-Type = Async
> > User-Name = "0908181984"
> > Acct-Status-Type = Start
> > Service-Type = Login-User
> > h323-gw-id = "PosTel-5300.postel.sk"
> > h323-incoming-conf-id = "95BB3EF3 78CF11D6 A817D89C D849DCD6"
> > h323-call-origin = "answer"
> > h323-call-type = "Telephony"
> > h323-setup-time = "00:00:01.964 SKS Fri Jun 7 2002"
> > h323-conf-id = "95BB3EF3 78CF11D6 A817D89C D849DCD6"
> > Acct-Session-Id = "0003F00A"
> > modcall: entering group preacct
> > rlm_realm: Looking up realm NULL for User-Name = "0908181984"
> > rlm_realm: No such realm NULL
> >   modcall[preacct]: module "suffix" returns noop
> >   modcall[preacct]: module "files" returns noop
> >   modcall[preacct]: module "preprocess" returns noop
> > modcall: group preacct returns noop
> > modcall: entering group accounting
> > rlm_acct_unique: Hashing 'h323-conf-id = "95BB3EF3 78CF11D6 A817D89C
> > D849DCD6",,Client-IP-Address = 127.0.0.1,NAS-IP-Address =
> > 127.0.0.1,Acct-Session-Id = "0003F00A",h323-setup-time = "00:00:01.964 SKS
> > Fri Jun 7 2002"'
> > rlm_acct_unique: Acct-Unique-Session-ID = "c8619f14262d90ed".
> >   modcall[accounting]: module "acct_unique" returns ok
> > radius_xlat:  '/gis/radius2/var/log/127.0.0.1/20020607'
> > rlm_detail: /gis/radius2/var/log/%{NAS-IP-Address}/%D expands to
> > /gis/radius2/var/log/127.0.0.1/20020607
> >   modcall[accounting]: module "detail_arch" returns ok modcall: entering
> > group group radius_xlat:  'INSERT IGNORE into radacct_test
> > 
>(SessionId,InConfId,UserName,NASIPAddress,NASPortId,CallingStationId,CalledStationId,CallOrigin,CallType,SetupTime)
> > values
> > 
>('c8619f14262d90ed','95BB3EF3=2078CF11D6=20A817D89C=20D849DCD6','0908181984','127.0.0.1','ISDN=200=3AD=3A1','','','answer','Telephony','00=3A00=3A01.964=20SKS=20Fri=20Jun=207=202002')'
> > rlm_sql: Reserving sql socket id: 19 rlm_sql: Released sql socket id: 19
> >   modcall[accounting]: module "sql_primary" returns ok
> > modcall: group group returns ok
> > modcall: group accounting returns ok
> > Sending Accounting-Response of id 14 to 127.0.0.1:34338
> > Finished request 10
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
> >
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
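
The `=20` and `=3A` in the logged INSERT are the hex codes of space and colon: attribute values from the NAS are escaped before they are expanded into the SQL string, so that a character such as `'` can never end the quoted literal. The following added example (not the server's code; the function names and both allow-lists are assumptions) reproduces the values from the debug output, shows that widening the allow-list with space and colon leaves them readable, and decodes rows that were already stored in escaped form.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allow-lists for this sketch; '=' and quotes are never listed. */
static const char SAFE_STRICT[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_@";
static const char SAFE_RELAXED[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_@ :";

/*
 * Copy src to dst, writing every byte outside the allow-list as =XX.
 * Returns the escaped length, or -1 if dst is too small.
 */
static int escape_value(char *dst, size_t dstlen, const char *src,
                        const char *safe)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;

    if (dstlen == 0)
        return -1;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        /* '=' is always escaped so that decoding stays unambiguous. */
        size_t need = (c != '=' && strchr(safe, c) != NULL) ? 1 : 3;

        if (o + need + 1 > dstlen)
            return -1;
        if (need == 1) {
            dst[o++] = (char)c;
        } else {
            dst[o++] = '=';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        }
    }
    dst[o] = '\0';
    return (int)o;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * Reverse of escape_value, for cleaning up rows already stored escaped.
 * A '=' not followed by two hex digits is copied through unchanged.
 * Returns the decoded length, or -1 if dst is too small.
 */
static int unescape_value(char *dst, size_t dstlen, const char *src)
{
    size_t o = 0;

    while (*src != '\0') {
        int hi, lo;

        if (o + 1 >= dstlen)
            return -1;
        if (src[0] == '=' && (hi = hexval(src[1])) >= 0 &&
            (lo = hexval(src[2])) >= 0) {
            dst[o++] = (char)(hi * 16 + lo);
            src += 3;
        } else {
            dst[o++] = *src++;
        }
    }
    if (dstlen == 0)
        return -1;
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* First two values are from the debug output; the third is constructed. */
    const char *values[] = {
        "95BB3EF3 78CF11D6 A817D89C D849DCD6",
        "ISDN 0:D:1",
        "O'Brien",
    };
    char strict[128], relaxed[128], back[128];
    size_t i;

    for (i = 0; i < sizeof(values) / sizeof(values[0]); i++) {
        escape_value(strict, sizeof(strict), values[i], SAFE_STRICT);
        escape_value(relaxed, sizeof(relaxed), values[i], SAFE_RELAXED);
        unescape_value(back, sizeof(back), strict);
        printf("strict : %s\nrelaxed: %s\ndecoded: %s\n\n",
               strict, relaxed, back);
    }
    return 0;
}
```

The apostrophe stays escaped under both allow-lists, which is the property the escaping exists to provide.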





Re: probably xlat problem

2002-06-07 Thread Thomas Jalsovsky


Hello

I found in the mailing-list that there are escaped characters. It is not
clear to me why this is needed. Could you leave the characters
 : (colon),  (space) unescaped?

Thanks in advance,

Thomas


On Fri, 7 Jun 2002, Thomas Jalsovsky wrote:

>
> Hello,
>
>   I use today's CVS (2002 June 7). I found a problem with
> accounting. When the value contains space char '.' or ':' the ascii
> (probably) value is used. It is bad for me, because the system uses values
> what are received and stored into SQL as is. The detail file looks well,
> but my SQL (MySQL) records are wrong
> e.g.
> in place of: 95BB3EF3 78CF11D6 A817D89C D849DCD6
> i have in the DB:
> 95BB3EF3=2078CF11D6=20A817D89C=20D849DCD6
>
> Where can I turn this off or solve this problem?
>
>   Regards,
>   Thomas
>
> p.s.: I use Cisco NAS-es and in production I have cisco_vsa_hack turned
> on, but now I tried without this feature and without the preprocess
> module, but the problem still exists.
>
>
> rad_recv: Accounting-Request packet from host 127.0.0.1:34338, id=14,
> length=263
> Cisco-NAS-Port = "ISDN 0:D:1"
> NAS-Port-Type = Async
> User-Name = "0908181984"
> Acct-Status-Type = Start
> Service-Type = Login-User
> h323-gw-id = "PosTel-5300.postel.sk"
> h323-incoming-conf-id = "95BB3EF3 78CF11D6 A817D89C D849DCD6"
> h323-call-origin = "answer"
> h323-call-type = "Telephony"
> h323-setup-time = "00:00:01.964 SKS Fri Jun 7 2002"
> h323-conf-id = "95BB3EF3 78CF11D6 A817D89C D849DCD6"
> Acct-Session-Id = "0003F00A"
> modcall: entering group preacct
> rlm_realm: Looking up realm NULL for User-Name = "0908181984"
> rlm_realm: No such realm NULL
>   modcall[preacct]: module "suffix" returns noop
>   modcall[preacct]: module "files" returns noop
>   modcall[preacct]: module "preprocess" returns noop
> modcall: group preacct returns noop
> modcall: entering group accounting
> rlm_acct_unique: Hashing 'h323-conf-id = "95BB3EF3 78CF11D6 A817D89C
> D849DCD6",,Client-IP-Address = 127.0.0.1,NAS-IP-Address =
> 127.0.0.1,Acct-Session-Id = "0003F00A",h323-setup-time = "00:00:01.964 SKS
> Fri Jun 7 2002"'
> rlm_acct_unique: Acct-Unique-Session-ID = "c8619f14262d90ed".
>   modcall[accounting]: module "acct_unique" returns ok
> radius_xlat:  '/gis/radius2/var/log/127.0.0.1/20020607'
> rlm_detail: /gis/radius2/var/log/%{NAS-IP-Address}/%D expands to
> /gis/radius2/var/log/127.0.0.1/20020607
>   modcall[accounting]: module "detail_arch" returns ok modcall: entering
> group group radius_xlat:  'INSERT IGNORE into radacct_test
> 
>(SessionId,InConfId,UserName,NASIPAddress,NASPortId,CallingStationId,CalledStationId,CallOrigin,CallType,SetupTime)
> values
> 
>('c8619f14262d90ed','95BB3EF3=2078CF11D6=20A817D89C=20D849DCD6','0908181984','127.0.0.1','ISDN=200=3AD=3A1','','','answer','Telephony','00=3A00=3A01.964=20SKS=20Fri=20Jun=207=202002')'
> rlm_sql: Reserving sql socket id: 19 rlm_sql: Released sql socket id: 19
>   modcall[accounting]: module "sql_primary" returns ok
> modcall: group group returns ok
> modcall: group accounting returns ok
> Sending Accounting-Response of id 14 to 127.0.0.1:34338
> Finished request 10
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



probably xlat problem

2002-06-07 Thread Thomas Jalsovsky


Hello,

I use today's CVS (2002 June 7). I found a problem with
accounting. When the value contains space char '.' or ':' the ascii
(probably) value is used. It is bad for me, because the system uses values
what are received and stored into SQL as is. The detail file looks well,
but my SQL (MySQL) records are wrong
e.g.
in place of: 95BB3EF3 78CF11D6 A817D89C D849DCD6
i have in the DB:
95BB3EF3=2078CF11D6=20A817D89C=20D849DCD6

Where can I turn this off or solve this problem?

Regards,
Thomas

p.s.: I use Cisco NAS-es and in production I have cisco_vsa_hack turned
on, but now I tried without this feature and without the preprocess
module, but the problem still exists.


rad_recv: Accounting-Request packet from host 127.0.0.1:34338, id=14,
length=263
Cisco-NAS-Port = "ISDN 0:D:1"
NAS-Port-Type = Async
User-Name = "0908181984"
Acct-Status-Type = Start
Service-Type = Login-User
h323-gw-id = "PosTel-5300.postel.sk"
h323-incoming-conf-id = "95BB3EF3 78CF11D6 A817D89C D849DCD6"
h323-call-origin = "answer"
h323-call-type = "Telephony"
h323-setup-time = "00:00:01.964 SKS Fri Jun 7 2002"
h323-conf-id = "95BB3EF3 78CF11D6 A817D89C D849DCD6"
Acct-Session-Id = "0003F00A"
modcall: entering group preacct
rlm_realm: Looking up realm NULL for User-Name = "0908181984"
rlm_realm: No such realm NULL
  modcall[preacct]: module "suffix" returns noop
  modcall[preacct]: module "files" returns noop
  modcall[preacct]: module "preprocess" returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: Hashing 'h323-conf-id = "95BB3EF3 78CF11D6 A817D89C
D849DCD6",,Client-IP-Address = 127.0.0.1,NAS-IP-Address =
127.0.0.1,Acct-Session-Id = "0003F00A",h323-setup-time = "00:00:01.964 SKS
Fri Jun 7 2002"'
rlm_acct_unique: Acct-Unique-Session-ID = "c8619f14262d90ed".
  modcall[accounting]: module "acct_unique" returns ok
radius_xlat:  '/gis/radius2/var/log/127.0.0.1/20020607'
rlm_detail: /gis/radius2/var/log/%{NAS-IP-Address}/%D expands to
/gis/radius2/var/log/127.0.0.1/20020607
  modcall[accounting]: module "detail_arch" returns ok modcall: entering
group group radius_xlat:  'INSERT IGNORE into radacct_test
(SessionId,InConfId,UserName,NASIPAddress,NASPortId,CallingStationId,CalledStationId,CallOrigin,CallType,SetupTime)
values
('c8619f14262d90ed','95BB3EF3=2078CF11D6=20A817D89C=20D849DCD6','0908181984','127.0.0.1','ISDN=200=3AD=3A1','','','answer','Telephony','00=3A00=3A01.964=20SKS=20Fri=20Jun=207=202002')'
rlm_sql: Reserving sql socket id: 19 rlm_sql: Released sql socket id: 19
  modcall[accounting]: module "sql_primary" returns ok
modcall: group group returns ok
modcall: group accounting returns ok
Sending Accounting-Response of id 14 to 127.0.0.1:34338
Finished request 10
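The `=20` and `=3A` runs in the INSERT above are what a byte-wise `=XX` hex escape produces when space and ':' fall outside its safe-character set. The C below is an added example (not FreeRADIUS code and not the poster's) that reproduces the three stored values from the log and decodes them again; `SAFE_CHARS`, `escape_value`, `unescape_value` and the helper names are hypothetical, and the safe set is an assumption inferred from the log output.

```c
#include <stdio.h>
#include <string.h>

/* ASSUMPTION: safe set inferred from the debug output in the post
 * (letters, digits and '.' pass through; ' ' and ':' do not). */
static const char SAFE_CHARS[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_";

/* Escape `in` into `out`: every byte outside SAFE_CHARS becomes =XX
 * (uppercase hex). Never writes a partial escape sequence.
 * Returns the number of bytes written, excluding the terminating NUL. */
size_t escape_value(char *out, size_t outlen, const char *in)
{
    size_t used = 0;
    if (outlen == 0) return 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (strchr(SAFE_CHARS, c) != NULL) {
            if (outlen - used < 2) break;          /* 1 byte + NUL */
            out[used++] = (char)c;
        } else {
            if (outlen - used < 4) break;          /* "=XX" + NUL */
            snprintf(out + used, 4, "=%02X", (unsigned)c);
            used += 3;
        }
    }
    out[used] = '\0';
    return used;
}

static int hexval(char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    return -1;
}

/* Reverse of escape_value, e.g. for cleaning rows already stored escaped.
 * A '=' that is not followed by two hex digits, or that would decode to
 * NUL, is copied through unchanged. */
size_t unescape_value(char *out, size_t outlen, const char *in)
{
    size_t used = 0;
    if (outlen == 0) return 0;
    while (*in != '\0' && used + 1 < outlen) {
        int hi, lo;
        if (in[0] == '=' && (hi = hexval(in[1])) >= 0 &&
            (lo = hexval(in[2])) >= 0 && (hi * 16 + lo) != 0) {
            out[used++] = (char)(hi * 16 + lo);
            in += 3;
        } else {
            out[used++] = *in++;
        }
    }
    out[used] = '\0';
    return used;
}

/* 1 if escaping `in` yields exactly `expected`. */
int escapes_to(const char *in, const char *expected)
{
    char buf[256];
    escape_value(buf, sizeof(buf), in);
    return strcmp(buf, expected) == 0;
}

/* 1 if escape followed by unescape returns the original string. */
int round_trips(const char *in)
{
    char esc[256], dec[256];
    escape_value(esc, sizeof(esc), in);
    unescape_value(dec, sizeof(dec), esc);
    return strcmp(dec, in) == 0;
}

int main(void)
{
    /* First three values are taken from the Accounting-Request in the post;
     * the last one is constructed to show a quote character being escaped. */
    const char *samples[] = {
        "95BB3EF3 78CF11D6 A817D89C D849DCD6",
        "ISDN 0:D:1",
        "00:00:01.964 SKS Fri Jun 7 2002",
        "O'Brien",
    };
    char esc[256], dec[256];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        escape_value(esc, sizeof(esc), samples[i]);
        unescape_value(dec, sizeof(dec), esc);
        printf("%-38s -> %-48s -> %s\n", samples[i], esc, dec);
    }
    return 0;
}
```

Adding space and ':' to the safe set is only sound when the query always places the value inside quotes, because the quote character itself has to stay escaped.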






RE: Failed to link to module 'rlm_unix-0.6'

2002-06-07 Thread Thomas Jalsovsky


On Thu, 6 Jun 2002, Stefan Immel wrote:

> > I just build the latest snapshot on BSDI 4.2, when I try to start
> > radiusd I get the following:
> >
> > Module: Library search path is /usr/local/lib
> > radiusd.conf[325] Failed to link to module 'rlm_unix-0.6':
> > file not found
> I got the same error.
>
> Frank Cusack is about to fix it.
>
> You can use the following workaround I used.
>
> Copy following files:
>
> rlm_files-0.6.la
> rlm_radutmp-0.6.la
> rlm_sql-0.6.la
> rlm_detail-0.6.la
> rlm_preprocess-0.6.la
> rlm_realm-0.6.la
> rlm_unix-0.6.la
>
> into your /usr/local/lib directory. The base file is in your
> source/modules/rlm_ tree
>
> e.g.
>
> cp /usr/src/freeradius-snapshot/src/modules/rlm_unix/rlm_unix.la /usr/local/lib/rlm_unix-0.6.la
>
> That worked for me.
>
That worked for me, too. When will this problem be solved in the CVS?

Thomas






Re: SQL group auth problem [patch]

2002-05-29 Thread Thomas Jalsovsky

Hello all,

I went through the SQL module and I found that in the SQL
authorization part, firstly the radcheck table is checked. If the given
user is not found, it tries the DEFAULT setting but doesn't look for the
radgroupcheck entries.
This patch modifies the rlm_sql module to look for radcheck and if
user not found in them try radgroupcheck and if there is no record in
radgroupcheck for the given user try the DEFAULT entry.
This function should be good for accounts without password (or the
same predefined password).
Example: authentication by a CLIP (ANI) phone number, there is no
password (or constant password ex. "accept") for the phone number. Without
this patch radcheck will have all of the lines about CLIP accounts:
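+----+------------+------------+---------+------+
| id | UserName   | Attribute  | Value   | op   |
+----+------------+------------+---------+------+
| 1  | 0245958400 | Password   | accept  | ==   |
| 2  | 0245958155 | Password   | accept  | ==   |
+----+------------+------------+---------+------+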

With patch you have to put the CLIP into a usergroup and define group
reply attributes.

On Sun, 14 Apr 2002, Alan DeKok wrote:
>  I still haven't had time to look at it, sorry.  I would suggest
> posting the patch to the users and/or the devel list.  If other people
> say it works && it's useful, then I'll apply it without looking at it.

Please take a look for this and say your experience.

Regards,
Thomas

p.s.: The patch should be applied to today's CVS tree


--- src/modules/rlm_sql/rlm_sql.c.orig  Wed May 29 11:57:42 2002
+++ src/modules/rlm_sql/rlm_sql.c   Wed May 29 12:21:07 2002
@@ -343,23 +343,33 @@
} else {

int gcheck;
-
-   /*
-* We didn't find the user, so we try looking
-* for a DEFAULT entry
-*/
-   if (sql_set_user(inst, request, sqlusername, "DEFAULT") < 0) {
-   sql_release_socket(inst, sqlsocket);
-   return RLM_MODULE_FAIL;
-   }
-
-   radius_xlat(querystr, MAX_QUERY_LEN, 
inst->config->authorize_group_check_query, request, sql_escape_func);
-   gcheck = sql_getvpdata(inst, sqlsocket, &check_tmp, querystr, 
PW_VP_GROUPDATA);
-   radius_xlat(querystr, MAX_QUERY_LEN, 
inst->config->authorize_group_reply_query, request, sql_escape_func);
-   gcheck = sql_getvpdata(inst, sqlsocket, &reply_tmp, querystr, 
PW_VP_GROUPDATA);
-   if (gcheck)
-   found = 1;
-   }
+/*
+* We didn't find the user in radcheck, so we try looking
+* for radgroupcheck entry
+*/
+radius_xlat(querystr, MAX_QUERY_LEN, 
+inst->config->authorize_group_check_query, request, NULL);
+gcheck = sql_getvpdata(inst, sqlsocket, &check_tmp, querystr, 
+PW_VP_GROUPDATA);
+radius_xlat(querystr, MAX_QUERY_LEN, 
+inst->config->authorize_group_reply_query, request, NULL);
+sql_getvpdata(inst, sqlsocket, &reply_tmp, querystr, PW_VP_GROUPDATA);
+if (gcheck) {
+found = 1;
+} else {
+/*
+* We didn't find the user, so we try looking
+* for a DEFAULT entry
+*/
+if (sql_set_user(inst, request, sqlusername, "DEFAULT") < 0) {
+sql_release_socket(inst, sqlsocket);
+return RLM_MODULE_FAIL;
+}
+radius_xlat(querystr, MAX_QUERY_LEN, 
+inst->config->authorize_group_check_query, request, NULL);
+gcheck = sql_getvpdata(inst, sqlsocket, &check_tmp, querystr, 
+PW_VP_GROUPDATA);
+radius_xlat(querystr, MAX_QUERY_LEN, 
+inst->config->authorize_group_reply_query, request, NULL);
+gcheck = sql_getvpdata(inst, sqlsocket, &reply_tmp, querystr, 
+PW_VP_GROUPDATA);
+if (gcheck)
+found = 1;
+}
+}
if (!found) {
radlog(L_DBG, "rlm_sql: User %s not found and DEFAULT not found", 
sqlusername);
sql_release_socket(inst, sqlsocket);
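
Review bot: all four radius_xlat calls on the added lines pass NULL as the escape callback where the removed lines passed sql_escape_func, so request attributes expanded into authorize_group_check_query and authorize_group_reply_query reach the SQL string unescaped; keep sql_escape_func on every call. Two smaller points in the same block: the new group lookup runs before any sql_set_user() call visible in this hunk, so confirm the SQL user name still refers to the real user at that point, and in the DEFAULT branch gcheck is assigned from the check query and then overwritten by the reply query, which discards the check result, unlike the group branch above it where the reply call no longer assigns gcheck.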







2 SQL schemas at once

2002-05-29 Thread Thomas Jalsovsky


Hello,

I would like to use different SQL schemas with the same RADIUS
server. I would like to make SQL accounting for different NASes (and
services). The attributes are different (Cisco VoIP and another devices).
I thought about the system uses XTRadius but I didn't find anything about
this feature in the freeRADIUS software (and probably it is not good to
open/close database connections always when an acct. packet arrives).
Does somebody have any idea how should I solve this?

Thanks in advance,
Thomas Jalsovsky





fastusers grouping

2002-05-28 Thread Thomas Jalsovsky


Hello,

I would like to use 10.000 prepaid accounts and use
Exec-Program-Wait feature for this. How can I define a group and how can I
add that user accounts into the given group? I would like to use another
accounts (without Exec-Program-Wait and with another parameters).

Thanks in advance,

Thomas





Re: freeradius and mysql accounting and use of called-station-id

2002-04-11 Thread Thomas Jalsovsky


Hello,

if you make debugging in radius server and in Cisco ('debug
radius' :), you should find, that Cisco doesn't send this attribute in the
auth. requests, therefore you cannot make auth. decision by this
attribute. I don't know that it is possible to configure Cisco to send
this attribute, I cannot make that.
Another solution: you should write/rewrite TCL IVR script and you
can send the info (e.g. called-station-id) via Cisco VSA attribute and
your FreeRADIUS server will see this through VSAs. Take a look for
h323-ivr-in and h323-ivr-out in the TCL IVR 2 documentation.

Regards,
Thomas

On Thu, 11 Apr 2002, Dirk Tanneberger wrote:

> sql.conf is o.k. and with sql tracing I see, that these values are blank.
> I think  the Cisco AS5300 send not these values.
> But how can I configure AS5300 to send the parameters?
> In details-file are the following entries:
>
> Thu Apr 11 15:54:34 2002
> NAS-IP-Address = 192.168.0.254
> NAS-Port = 106
> Cisco-NAS-Port = "Serial3:10"
> NAS-Port-Type = ISDN
> User-Name = "test"
> Called-Station-Id = "3552000"
> Calling-Station-Id = "3551720"
> Acct-Status-Type = Stop
> Acct-Authentic = RADIUS
> Service-Type = Framed-User
> Acct-Session-Id = "B005"
> Framed-Protocol = PPP
> Acct-Link-Count = 2
> X-Ascend-Num-In-Multilink = 1
> Acct-Multi-Session-Id = "14165"
> Framed-IP-Address = 193.98.116.99
> X-Ascend-Disconnect-Cause = 45
> X-Ascend-Pre-Input-Octets = 154
> X-Ascend-Pre-Output-Octets = 139
> X-Ascend-Pre-Input-Packets = 4
> X-Ascend-Pre-Output-Packets = 5
> Acct-Input-Octets = 666
> Acct-Output-Octets = 394
> Acct-Input-Packets = 26
> Acct-Output-Packets = 19
> X-Ascend-PreSession-Time = 1
> Acct-Session-Time = 13
> X-Ascend-Data-Rate = 64000
> X-Ascend-Xmit-Rate = 64000
> X-Ascend-Multilink-ID = 14165
> Acct-Delay-Time = 0
> Client-IP-Address = 192.168.1.41
> Timestamp = 1018533274
>
> Thanks Dirk
>
> - Original Message -
> From: "Chris Parker" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, April 11, 2002 5:27 PM
> Subject: Re: freeradius and mysql accounting and use of called-station-id
>
>
> > At 05:09 PM 4/11/2002 +0200, Dirk Tanneberger wrote:
> > >Hello all,
> > >
> > >I use freeradius 0.5 and my NAS is a Cisco AS5300.
> > >I test with freeradius and mysql since 2 weeks and I have 2 problems:
> > >
> > >The radius server writes the accounting records in the mysql-table, but
> > >the following entries leave blank for all records:
> > >++
> > >AcctUniqueId
> > >ConnectInfo_start
> > >ConnectInfo_stop
> > >AcctTerminateCause
> > >NASPortId = 0 (for all records)
> > >++
> > >How can I fill these parameters?
> >
> > What do you have in 'sql.conf' for the queries?  Simply adding the columns
> > to the table definition will not fill them in.  You must also alter your
> > sql.conf to add them if they do not exist.
> >
> > Also, make sure you are correctly calling the 'acct_unique' module in your
> > config.
> >
> > If this has been done, run the server in debugging mode, with sql tracing
> > enabled, so you can see what sql queries are being run.
> >
> > -Chris
> > --
> > \\\|||///  \  StarNet Inc.  \Chris Parker
> > \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> > | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> > oOo---(_)---oOo--\--
> >\ Wholesale Internet Services - http://www.megapop.net
> >
> >
> >





Re: Cisco VSA Attribute show again in string

2002-02-25 Thread Thomas Jalsovsky

On Mon, 25 Feb 2002, Alan DeKok wrote:

> "noway noway" <[EMAIL PROTECTED]> wrote:
> > Please help to solve the Cisco VSA attribute problem in Detail file,  it
> > shows the attribute in the value string again like H323-Attribute =
> > "h323-attribute=value".  I've enable the with_cisco_vsa_hack=yes, but it's
> > only in pre-accouting not accounting call which generates detail files.
>
>   The pre-accounting modules edit the request so that the accounting
> function will log the cleaned attributes.
>
>   If it's not doing that for you, check your config.
>
>   Alan DeKok.
>
This function is working perfectly for me. But, this hack doesn't solve the
situation if you have attributes Cisco-AVPair = "h323-attribute=value".

Thomas





Access Reject

2002-02-12 Thread Thomas Jalsovsky


Hello

I would like to send an Access reject packet to NAS when the 
User-Name and User-Password fields match (successful auth.)
I want to do that with DB, but I don't know what and where I have to put.
Could anybody tell me?

I tried to put into radgroupreply:
mygroup | Auth-Type | Reject

But it still returns Access accept and the sw in the NAS requires Access 
reject.

Thanks,
Thomas







Groups in fastusers

2002-02-11 Thread Thomas Jalsovsky


Hello,

I have accounts sorted into groups. It is working well with 
DB-schema.
I would like to set up the same with fastusers file 
(for case when all DBs fail).
I found in users file:

DEFAULT Group=="mygroup", Auth-Type:=Accept

How can I sort accounts into group 'mygroup' ?

Thanks,
Thomas





SQL group auth problem

2002-02-11 Thread Thomas Jalsovsky


usergroup
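+----+------------+-----------+
| id | UserName   | GroupName |
+----+------------+-----------+
|  5 | 0905835218 | test      |
+----+------------+-----------+


radgroupcheck
+----+-----------+---------------+--------+------+
| id | GroupName | Attribute     | Value  | op   |
+----+-----------+---------------+--------+------+
| 18 | test      | User-Password | accept | ==   |
| 19 | test      | Auth-Type     | Local  | :=   |
+----+-----------+---------------+--------+------+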


I filled out these tables, and tried to auth. "0905835218","accept"
The user was rejected. Why? How can I allow access for that user (with 
groups)?

Thanks,
Thomas

ps.: radcheck, radreply, radgroupreply are empty








Re: Identical attributes on auth

2002-02-11 Thread Thomas Jalsovsky

> Thomas Jalsovsky <[EMAIL PROTECTED]> wrote:
> > my nas sends: 
> > ...
> > h323-ivr-out=transactionID:13880
> > h323-ivr-out=type:test.tcl
> > ...
> > I want to check by the h323-ivr-out line, so I would like to make 
> > decision (about accept/reject) by the attribute h323-ivr-out which has 
> > value 'type:'.
> > When I test the attribute, the first line is tested and I don't 
> > know how should I write a rule for this.
> 
>   Yes.  The current code checks for the FIRST appearance of an
> attribute, and stops if it doesn't match.
> 
>   It *could* be changed to look for any other copy of an attribute, if
> the first one didn't match.  That may be preferable, in fact.
> 
>   The code in src/main/valuepair.c, function paircmp() should be
> changed so that IF there isn't a match, it loops back to check for
> another copy of the same attribute.  This will slow the server down a
> little, but not significantly.
> 
>   The patch would be fairly small, too.  If people think it's terribly
> useful, I'll take a look at doing it in the next few days.
> 
>   Alan DeKok.

OK, I see that in the last CVS is the paircmp fix. I compiled the latest 
CVS, and made some debugs. Unfortunately I can't make it working.

rad_recv: Access-Request packet from host 193.41.203.20:1645, id=181, 
length=244
NAS-IP-Address = 193.41.203.20
Cisco-NAS-Port = "ISDN 3:D:31"
NAS-Port-Type = Async
User-Name = "160045"
h323-conf-id = "h323-conf-id=A0F37603 1AE911D6 B7E0FCCE C908BF0C"
Calling-Station-Id = "169"
Password = ""
Cisco-AVPair = "in-portgrp-id=(Local PBX)"
Cisco-AVPair = "h323-ivr-out=transactionID:16112"
Cisco-AVPair = "h323-ivr-out=type:pp"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
modcall: entering group redundant
rlm_sql: Reserving sql socket id: 19
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '160045' ORDER BY id'
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 
FROM radgroupcheck,usergroup WHERE usergroup.Username = '160045' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '160045' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 
FROM radgroupreply,usergroup WHERE usergroup.Username = '160045' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Released sql socket id: 19
rlm_sql: Pairs do not match []
  modcall[authorize]: module "sql_primary" returns notfound
modcall: group redundant returns notfound
modcall: group authorize returns notfound
auth: No Auth-Type configuration for the request, rejecting the user
auth: Failed to validate the user.

I looked for the SQL queries:

mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
-> Username = '160045' ORDER BY id;
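+------+----------+----------------+-------+------+
| id   | UserName | Attribute      | Value | op   |
+------+----------+----------------+-------+------+
| 1856 | 160045   | Crypt-Password | ***   | NULL |
+------+----------+----------------+-------+------+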

mysql> SELECT
-> 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
-> FROM radgroupcheck,usergroup WHERE usergroup.Username = '160045' 
AND
-> usergroup.GroupName = radgroupcheck.GroupName ORDER BY 
radgroupcheck.id;
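+----+-----------+--------------+---------+------+
| id | GroupName | Attribute    | Value   | op   |
+----+-----------+--------------+---------+------+
| 16 | prepaid   | h323-ivr-out | type:pp | NULL |
+----+-----------+--------------+---------+------+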

mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
-> Username = '160045' ORDER BY id;
Empty set (0.00 sec)

mysql> SELECT
-> 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
-> FROM radgroupreply,usergroup WHERE usergroup.Username = '160045' 
AND
-> usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id;
++---+---+-+--+
| id | GroupName | A

sql_user_name problems

2002-02-11 Thread Thomas Jalsovsky


Hello
I uncommented the line
sql_user_name = "%{User-Name}"
in the sql.conf file. The accounting to the database didn't work the sql 
module returned FAIL. What is this option used for? Do I need to have this 
option configured? If yes, how can I correctly set it up?

Regards,
Thomas





Re: Identical attributes on auth

2002-02-11 Thread Thomas Jalsovsky

> > my nas sends: 
> > ...
> > h323-ivr-out=transactionID:13880
> > h323-ivr-out=type:test.tcl
> > ...
> > I want to check by the h323-ivr-out line, so I would like to make 
> > decision (about accept/reject) by the attribute h323-ivr-out which has 
> > value 'type:'.
> > When I test the attribute, the first line is tested and I don't 
> > know how should I write a rule for this.
> 
>   Yes.  The current code checks for the FIRST appearance of an
> attribute, and stops if it doesn't match.
> 
>   It *could* be changed to look for any other copy of an attribute, if
> the first one didn't match.  That may be preferable, in fact.
> 
>   The code in src/main/valuepair.c, function paircmp() should be
> changed so that IF there isn't a match, it loops back to check for
> another copy of the same attribute.  This will slow the server down a
> little, but not significantly.
> 
>   The patch would be fairly small, too.  If people think it's terribly
> useful, I'll take a look at doing it in the next few days.
> 
>   Alan DeKok.
> 
Thank you for your fast response, Alan. I will be very happy if it works. 

Another way should be (for me) to filter out the first line (with regular 
expression it is very simple - ^transaction), but it should be more work 
than changing the mentioned code part.

Thanks,
Thomas
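
The difference between testing only the first copy of an attribute and scanning every copy, as discussed in the quoted reply, shown on the two `h323-ivr-out` values from this thread. This is an added example, not the code in src/main/valuepair.c: the `pair_t` and `check_t` types, both function names, the fail-closed handling of a missing attribute and the User-Name value are assumptions made for illustration, and it goes beyond the thread by also covering a `!=` check.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (hypothetical types, not FreeRADIUS's VALUE_PAIR). */
typedef struct pair {
    const char *name;
    const char *value;
    const struct pair *next;
} pair_t;

typedef enum { OP_EQ, OP_NE } op_t;

typedef struct {
    const char *name;
    op_t        op;
    const char *value;
} check_t;

/* Request as described in the post; the User-Name value is constructed. */
static const pair_t REQ[3] = {
    { "User-Name",    "example-user",        &REQ[1] },
    { "h323-ivr-out", "transactionID:13880", &REQ[2] },
    { "h323-ivr-out", "type:test.tcl",       NULL    },
};

const pair_t *sample_request(void) { return &REQ[0]; }

/* Check items used below (constructed for this example). */
const check_t WANT_TYPE    = { "h323-ivr-out", OP_EQ, "type:test.tcl" };
const check_t DENY_TYPE    = { "h323-ivr-out", OP_NE, "type:test.tcl" };
const check_t WANT_MISSING = { "h323-ivr-in",  OP_EQ, "type:test.tcl" };

/* Behaviour described in the thread: only the FIRST copy of the attribute
 * is examined, and the result of that single comparison is final. */
int check_first_copy(const pair_t *req, const check_t *c)
{
    for (; req != NULL; req = req->next) {
        if (strcmp(req->name, c->name) != 0) continue;
        int eq = strcmp(req->value, c->value) == 0;
        return (c->op == OP_EQ) ? eq : !eq;
    }
    return 0;   /* attribute absent: fail closed (choice of this example) */
}

/* Proposed behaviour: keep scanning further copies of the same attribute.
 * OP_EQ passes if ANY copy equals the check value; OP_NE passes only if
 * NO copy equals it, so the order of copies cannot change the outcome. */
int check_all_copies(const pair_t *req, const check_t *c)
{
    int seen = 0, any_equal = 0;
    for (; req != NULL; req = req->next) {
        if (strcmp(req->name, c->name) != 0) continue;
        seen = 1;
        if (strcmp(req->value, c->value) == 0) any_equal = 1;
    }
    if (!seen) return 0;   /* attribute absent: fail closed */
    return (c->op == OP_EQ) ? any_equal : !any_equal;
}

int main(void)
{
    const check_t *checks[] = { &WANT_TYPE, &DENY_TYPE, &WANT_MISSING };
    const char *labels[]    = { "== type:test.tcl", "!= type:test.tcl",
                                "h323-ivr-in == type:test.tcl" };
    for (size_t i = 0; i < 3; i++) {
        printf("%-30s first-copy=%d all-copies=%d\n", labels[i],
               check_first_copy(sample_request(), checks[i]),
               check_all_copies(sample_request(), checks[i]));
    }
    return 0;
}
```

With first-copy matching the `==` check fails on the transactionID line and the `!=` check passes on it, even though the second copy carries exactly the value being tested.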






sql_user_name problems

2002-02-07 Thread Thomas Jalsovsky


Hello
I uncommented the line
sql_user_name = "%{User-Name}"
in the sql.conf file. The accounting to the database didn't work the sql 
module returned FAIL. What is this option used for? Do I need to have this 
option configured? If yes, how can I correctly set it up?

Regards,
Thomas





SQL group auth problem

2002-02-07 Thread Thomas Jalsovsky


usergroup
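+----+------------+-----------+
| id | UserName   | GroupName |
+----+------------+-----------+
|  5 | 0905835218 | test      |
+----+------------+-----------+


radgroupcheck
+----+-----------+---------------+--------+------+
| id | GroupName | Attribute     | Value  | op   |
+----+-----------+---------------+--------+------+
| 18 | test      | User-Password | accept | ==   |
| 19 | test      | Auth-Type     | Local  | :=   |
+----+-----------+---------------+--------+------+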


I filled out these tables, and tried to auth. "0905835218","accept"
The user was rejected. Why? How can I allow access for that user (with 
groups)?

Thanks,
Thomas

ps.: radcheck, radreply, radgroupreply are empty








Re: Identical attributes on auth

2002-02-07 Thread Thomas Jalsovsky

>   It would be easier to debug the problem if you used a simple test
> entry in the 'users' file, and poked at the server with radclient.
> That will get you the MINIMUM of confusing log messages, which may not
> have anything to do with the problem.
OK, I'm going to do that...

> > Something I do wrong or the paircmp fix doesn't solve this problem?
> 
>   What I can see is that the 'op' field is NULL.  You probably want to
> put the operator there.

I searched in the docs and in the mailing list archives but I didn't find 
the clear definition of op values. Can somebody describe them to me? For ex. what
does the += op do in a radreply table?
 
> 
>   If you had tested this with the 'users' file first, you would have
> been able to verify if the feature worked.  It would probably have
> then been obvious that the issue was NOT the new feature, but some
> misconfiguration or bug in the SQL module.
> 
>   Alan DeKok.
If I make sure with the users file, what can I do with the problem in SQL?

Thanks
Thomas





Re: Access Reject

2002-02-07 Thread Thomas Jalsovsky



On Thu, 7 Feb 2002, Alan DeKok wrote:

> Thomas Jalsovsky <[EMAIL PROTECTED]> wrote:
> > I would like to send an Access reject packet to NAS when the 
> > User-Name and User-Password fields match (successful auth.)
> 
>   Hmm... the server isn't really set up to do that now.
> 
> > But it still returns Access accept and the sw in the NAS requires Access 
> > reject.
> 
>   Why does the NAS require and access reject when the username and
> password are OK?
> 
>   Alan DeKok.
> 

The sw in the NAS does:
does ISDN preauthentication - AAA with ,"reject"
if the auth. failed, it means, the user can continue, the ISDN line should
be picked up. If not, the ISDN disconnect will be applied (it is important
for toll free - 800 - numbers).
If the ,"reject" isn't in the database, the user can continue, the 
script tries authentication by the phone number in way:
AAA ,"accept" if auth is successful, auth is done; if not 
account and pin are asked from the user

Thomas





Access Reject

2002-02-07 Thread Thomas Jalsovsky


Hello

I would like to send an Access reject packet to NAS when the 
User-Name and User-Password fields match (successful auth.)
I want to do that with DB, but I don't know what and where I have to put.
Could anybody tell me?

I tried to put into radgroupreply:
mygroup | Auth-Type | Reject

But it still returns Access accept and the sw in the NAS requires Access 
reject.

Thanks,
Thomas







Re: Identical attributes on auth

2002-02-07 Thread Thomas Jalsovsky

> Thomas Jalsovsky <[EMAIL PROTECTED]> wrote:
> > my nas sends: 
> > ...
> > h323-ivr-out=transactionID:13880
> > h323-ivr-out=type:test.tcl
> > ...
> > I want to check by the h323-ivr-out line, so I would like to make 
> > decision (about accept/reject) by the attribute h323-ivr-out which has 
> > value 'type:'.
> > When I test the attribute, the first line is tested and I don't 
> > know how should I write a rule for this.
> 
>   Yes.  The current code checks for the FIRST appearance of an
> attribute, and stops if it doesn't match.
> 
>   It *could* be changed to look for any other copy of an attribute, if
> the first one didn't match.  That may be preferable, in fact.
> 
>   The code in src/main/valuepair.c, function paircmp() should be
> changed so that IF there isn't a match, it loops back to check for
> another copy of the same attribute.  This will slow the server down a
> little, but not significantly.
> 
>   The patch would be fairly small, too.  If people think it's terribly
> useful, I'll take a look at doing it in the next few days.
> 
>   Alan DeKok.

OK, I see that in the last CVS is the paircmp fix. I compiled the latest 
CVS, and made some debugs. Unfortunately I can't make it working.

rad_recv: Access-Request packet from host 193.41.203.20:1645, id=181, 
length=244
NAS-IP-Address = 193.41.203.20
Cisco-NAS-Port = "ISDN 3:D:31"
NAS-Port-Type = Async
User-Name = "160045"
h323-conf-id = "h323-conf-id=A0F37603 1AE911D6 B7E0FCCE C908BF0C"
Calling-Station-Id = "169"
Password = ""
Cisco-AVPair = "in-portgrp-id=(Local PBX)"
Cisco-AVPair = "h323-ivr-out=transactionID:16112"
Cisco-AVPair = "h323-ivr-out=type:pp"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
modcall: entering group redundant
rlm_sql: Reserving sql socket id: 19
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '160045' ORDER BY id'
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 
FROM radgroupcheck,usergroup WHERE usergroup.Username = '160045' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '160045' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 
FROM radgroupreply,usergroup WHERE usergroup.Username = '160045' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Released sql socket id: 19
rlm_sql: Pairs do not match []
  modcall[authorize]: module "sql_primary" returns notfound
modcall: group redundant returns notfound
modcall: group authorize returns notfound
auth: No Auth-Type configuration for the request, rejecting the user
auth: Failed to validate the user.

I looked for the SQL queries:

mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
-> Username = '160045' ORDER BY id;
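+------+----------+----------------+-------+------+
| id   | UserName | Attribute      | Value | op   |
+------+----------+----------------+-------+------+
| 1856 | 160045   | Crypt-Password | ***   | NULL |
+------+----------+----------------+-------+------+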

mysql> SELECT
-> 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
-> FROM radgroupcheck,usergroup WHERE usergroup.Username = '160045' 
AND
-> usergroup.GroupName = radgroupcheck.GroupName ORDER BY 
radgroupcheck.id;
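+----+-----------+--------------+---------+------+
| id | GroupName | Attribute    | Value   | op   |
+----+-----------+--------------+---------+------+
| 16 | prepaid   | h323-ivr-out | type:pp | NULL |
+----+-----------+--------------+---------+------+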

mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
-> Username = '160045' ORDER BY id;
Empty set (0.00 sec)

mysql> SELECT
-> 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
-> FROM radgroupreply,usergroup WHERE usergroup.Username = '160045' 
AND
-> usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id;
++---+---+-+--+
| id | GroupName | A

Groups in fastusers

2002-02-07 Thread Thomas Jalsovsky


Hello,

I have accounts sorted into groups. It is working well with 
DB-schema.
I would like to set up the same with fastusers file 
(for case when all DBs fail).
I found in users file:

DEFAULT Group=="mygroup", Auth-Type:=Accept

How can I sort accounts into group 'mygroup' ?

Thanks,
Thomas





Re: Identical attributes on auth

2002-02-06 Thread Thomas Jalsovsky

> > my nas sends: 
> > ...
> > h323-ivr-out=transactionID:13880
> > h323-ivr-out=type:test.tcl
> > ...
> > I want to check by the h323-ivr-out line, so I would like to make 
> > decision (about accept/reject) by the attribute h323-ivr-out which has 
> > value 'type:'.
> > When I test the attribute, the first line is tested and I don't 
> > know how should I write a rule for this.
> 
>   Yes.  The current code checks for the FIRST appearance of an
> attribute, and stops if it doesn't match.
> 
>   It *could* be changed to look for any other copy of an attribute, if
> the first one didn't match.  That may be preferable, in fact.
> 
>   The code in src/main/valuepair.c, function paircmp() should be
> changed so that IF there isn't a match, it loops back to check for
> another copy of the same attribute.  This will slow the server down a
> little, but not significantly.
> 
>   The patch would be fairly small, too.  If people think it's terribly
> useful, I'll take a look at doing it in the next few days.
> 
>   Alan DeKok.
> 
Thank you for your fast response, Alan. I will be very happy if it works. 

Another way should be (for me) to filter out the first line (with regular 
expression it is very simple - ^transaction), but it should be more work 
than changing the mentioned code part.

Thanks,
Thomas
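
The first-copy behaviour Alan DeKok describes above, next to the check-the-other-copies behaviour he proposes, as an added example that is not FreeRADIUS code. `struct pair` and both functions are simplified, hypothetical stand-ins for VALUE_PAIR and paircmp(), and the request is constructed from the two h323-ivr-out lines in the question.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a RADIUS value pair (not FreeRADIUS's VALUE_PAIR). */
struct pair {
    const char *name;
    const char *value;
    const struct pair *next;
};

/* Hypothetical check item: the value must start with `prefix`. */
static int value_matches(const struct pair *vp, const char *prefix)
{
    return strncmp(vp->value, prefix, strlen(prefix)) == 0;
}

/* Behaviour described in the thread: test the first copy, then stop. */
int match_first_only(const struct pair *req, const char *name, const char *prefix)
{
    for (; req != NULL; req = req->next)
        if (strcmp(req->name, name) == 0)
            return value_matches(req, prefix);
    return 0; /* attribute not present at all */
}

/* Proposed behaviour: on a mismatch, go on to the next copy of the attribute. */
int match_any_copy(const struct pair *req, const char *name, const char *prefix)
{
    for (; req != NULL; req = req->next)
        if (strcmp(req->name, name) == 0 && value_matches(req, prefix))
            return 1;
    return 0;
}

/* Constructed request: the two h323-ivr-out copies from the question. */
static const struct pair ivr_type = { "h323-ivr-out", "type:test.tcl", NULL };
static const struct pair ivr_txn  = { "h323-ivr-out", "transactionID:13880", &ivr_type };
static const struct pair user     = { "User-Name", "test-user", &ivr_txn };

const struct pair *sample_request(void) { return &user; }

int main(void)
{
    const struct pair *req = sample_request();
    printf("first-only, type:  %d\n", match_first_only(req, "h323-ivr-out", "type:"));
    printf("any-copy,   type:  %d\n", match_any_copy(req, "h323-ivr-out", "type:"));
    /* A rule keyed on a value the NAS never sent must still fail. */
    printf("any-copy,   other: %d\n", match_any_copy(req, "h323-ivr-out", "type:other.tcl"));
    return 0;
}
```

With first-copy matching, whether an accept/reject rule fires depends on the order in which the NAS emits the copies, so a rule written against the second copy never matches.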






Identical attributes on auth

2002-02-06 Thread Thomas Jalsovsky


Hello


my nas sends: 
...
h323-ivr-out=transactionID:13880
h323-ivr-out=type:test.tcl
...
I want to check by the h323-ivr-out line, so I would like to make 
decision (about accept/reject) by the attribute h323-ivr-out which has 
value 'type:'.
When I test the attribute, the first line is tested and I don't 
know how should I write a rule for this.

Please let me know if you have any idea,

Thanks in advance,
Thomas

p.s.:   the number after transactionID: is generated by the NAS






Re: sending cisco vsa's to the AS

2001-12-29 Thread Thomas Jalsovsky


Hi,
to HoraPe: Could you send me your test script and configuration?

cisco_vsa_hack: this hack is only in the preprocess module, and if 
you send back anything with radius you don't use this module, therefore 
you should have this field turned on or off. 
What is important: using the dictionary.cisco file in your radius
configuration.
What does your "debug radius" say in the Cisco equipment? When I 
developed my radius script, I used this debugging tool and it was very 
good for the troubleshooting.

Thomas



On Fri, 28 Dec 2001 [EMAIL PROTECTED] wrote:

> That is exactly how you should send them.
> 
> Make sure you include a return character at the end of your
> print statement. This may or may not make a difference but try
> it.
> 
> Also, Do you see the attributes being sent from the RADIUS
> server? try running radius -X and see if you get the attributes
> in readable form at least.
> 
> Jose' L.
> P.S.: I am not sure if this would make a difference but try
> setting the cisco_vsa_hack to no.
> 
> Message quoted from: Thomas Jalsovsky <[EMAIL PROTECTED]>:
> 
> > 
> > Hello
> > 
> > how did you send AVPairs from the RADIUS server to
> > AS5300?
> > 
> > example:
> > 
> > #!/usr/bin/perl
> > ...
> > > print "h323-credit-amount = \"h323-credit-amount=25\",";
> > > print "h323-return-code = \"h323-return-code=0\"";
> > ...
> > 
> > > I'm not sure that you need the return-code value but I
> > think it is 
> > important for. The sample script did work with AS5300
> > IOS 12.2(1). 
> > 
> > 
> > Regards,
> > Thomas
> > 
> > 
> > On Wed, 26 Dec 2001 [EMAIL PROTECTED]
> > wrote:
> > 
> > > Hello!
> > > 
> > > This is not a freeradius question, but an AS5300 one.
> > (BTW,
> > > is there a cisco list somewhere?)
> > > 
> > > I'm trying to send a h323-credit-amount cisco VSA to a
> > TCL IVR
> > > script on my AS.
> > > 
> > > The script goes:
> > > 
> > > set avs(h323-credit-amount) 25.00
> > > aaa authorize "Prueba" "" "" "" leg_incoming avs
> > > 
> > > proc act_Auth {} {
> > > if { [infotag get aaa_avpair_exists
> > h323-credit-amount] } {
> > > set cr [infotag get aaa_avpair
> > h323-credit-amount]
> > > puts "h323-credit-amount:$cr"
> > > } else {
> > > puts "h323-credit-amount doesn't exist"
> > > }
> > > 
> > > }
> > > }
> > > 
> > > In the radius i sent h323-credit-amount set to 25.00
> > (ie, the same that
> > > i receive from the AS)
> > > 
> > > tcpdump: (i expand the interesting attr)
> > > 
> > > 13:22:24.810283 200.41.96.114.1645 >
> > 200.69.73.69.1812:  [udp sum ok] rad-access-req 201 [id
> > 35] Attr[  NAS_ipaddr{200.41.96.114}
> > Vendor_specific{..ISDN 1:D:6} NAS_port_type{Sync}
> > User{Prueba} Vendor_specific{.2h323-conf-id=9482DDC3
> > F95311D5 80E4FA8D 2364D729} Pass
> > Vendor_specific{..h323-ivr-out=transactionID:72}
> > Vendor_specific{e.h323-credit-amount=25.00} ] (ttl
> > 245, id 21831, len 229)

Re: sending cisco vsa's to the AS

2001-12-28 Thread Thomas Jalsovsky


Hello

how did you send AVPairs from the RADIUS server to AS5300?

example:

#!/usr/bin/perl
...
print "h323-credit-amount = \"h323-credit-amount=25\",";
print "h323-return-code = \"h323-return-code=0\"";
...

I'm not sure that you need the return-code value but I think it is 
important for. The sample script did work with AS5300 IOS 12.2(1). 


Regards,
Thomas


On Wed, 26 Dec 2001 [EMAIL PROTECTED] wrote:

> Hello!
> 
> This is not a freeradius question, but an AS5300 one. (BTW,
> is there a cisco list somewhere?)
> 
> I'm trying to send a h323-credit-amount cisco VSA to a TCL IVR
> script on my AS.
> 
> The script goes:
> 
> set avs(h323-credit-amount) 25.00
> aaa authorize "Prueba" "" "" "" leg_incoming avs
> 
> proc act_Auth {} {
> if { [infotag get aaa_avpair_exists h323-credit-amount] } {
> set cr [infotag get aaa_avpair h323-credit-amount]
> puts "h323-credit-amount:$cr"
> } else {
> puts "h323-credit-amount doesn't exist"
> }
> 
> }
> }
> 
> In the radius i sent h323-credit-amount set to 25.00 (ie, the same that
> i receive from the AS)
> 
> tcpdump: (i expand the interesting attr)
> 
> 13:22:24.810283 200.41.96.114.1645 > 200.69.73.69.1812:  [udp sum ok] rad-access-req 
>201 [id 35] Attr[  NAS_ipaddr{200.41.96.114} Vendor_specific{..ISDN 1:D:6} 
>NAS_port_type{Sync} User{Prueba} Vendor_specific{.2h323-conf-id=9482DDC3 F95311D5 
>80E4FA8D 2364D729} Pass Vendor_specific{..h323-ivr-out=transactionID:72} 
>Vendor_specific{e.h323-credit-amount=25.00} ] (ttl 245, id 21831, len 229)
>  4500 00e5 5547  f511 359a c829 6072
>  c845 4945 066d 0714 00d1 3c29 0123 00c9
>  771b bb76 034d 96d4 0ddd 4174 dc87 57be
>  0406 c829 6072 1a12  0009 020c 4953
>  444e 2031 3a44 3a36 3d06   0108
>  5072 7565 6261 1a38  0009 1832 6833
>  3233 2d63 6f6e 662d 6964 3d39 3438 3244
>  4443 3320 4639 3533 3131 4435 2038 3045
>  3446 4138 4420 3233 3634 4437 3239 0212
>  ad75 4fe3 7c96 15c1 0c57 e9b8 7205 280a
>  1a25  0009 011f 6833 3233 2d69 7672
>  2d6f 7574 3d74 7261 6e73 6163 7469 6f6e
>  4944 3a37 32
> 
>1a20  0009 651a 6833 3233 2d63 7265
>6469 742d 616d 6f75 6e74 3d32 352e 3030
>  
>   VSA (1a), CISCO ( 0009),
>   h323-credit-amount (65)
>   Data: "h323-credit-amount=25.00"
> 
> 13:22:24.927087 200.69.73.69.1812 > 200.41.96.114.1645:  [udp sum ok] 
>rad-access-accept 52 [id 35] Attr[  Vendor_specific{e.h323-credit-amount=25.00} ] 
>(ttl 64, id 11594, len 80)
>  4500 0050 2d4a  4011 132d c845 4945
>  c829 6072 0714 066d 003c e482 0223 0034
>  c558 0b38 9637 6067 c6b1 09b1 46b0 7ec0
> 
>  1a20  0009 651a 6833 3233 2d63 7265
>  6469 742d 616d 6f75 6e74 3d32 352e 3030
> 
>   (the exact same bytes that in the request)
> 
> Although the attr radius is sending to the AS is exactly the same
> that the AS sends (so the codification is ok by cisco standards),
> the script says that "h323-credit-amount doesn't exist"
> 
> Some help?
>   HoraPe
> ---
> Horacio J. Peña
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> 
> 

-- 
 ---
  Thomas Jalsovsky,Project Manager   at PosTel, Plc.
PosTel, a.s. Kvacalova 53,82108 Bratislava 2
Tel.: +421-2-50203160, Fax.: +421-2-50203198
 http://www.postel.sk, http://www.globalphone.sk
GlobalPhone, As long as you want
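
How the expanded bytes in the quoted tcpdump break down, as an added example that is not code from the thread or from FreeRADIUS: a bounds-checked decoder for a Cisco Vendor-Specific attribute that also yields the text right of '=' (the part cisco_vsa_hack keeps). The function and struct names are hypothetical, the sample bytes are constructed from the dump with the vendor ID's leading zero bytes written out, and one sub-attribute per VSA is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_VENDOR_SPECIFIC 26   /* 0x1a */
#define VENDOR_CISCO       9    /* 4-byte vendor ID on the wire: 00 00 00 09 */

struct cisco_vsa {              /* hypothetical struct for this example */
    int vendor_type;            /* -1 when the attribute is not a Cisco VSA */
    char raw[256];              /* string as sent, e.g. "name=value" */
    const char *value;          /* text right of '=', or raw if there is none */
};

/* Decode one attribute; returns its length, or -1 if it is malformed. */
int decode_attr(const uint8_t *a, size_t left, struct cisco_vsa *out)
{
    out->vendor_type = -1;
    out->raw[0] = '\0';
    out->value = out->raw;
    if (left < 2 || a[1] < 2 || a[1] > left)
        return -1;                        /* length field lies about the buffer */
    size_t alen = a[1];
    if (a[0] != PW_VENDOR_SPECIFIC)
        return (int)alen;
    if (alen < 6)
        return -1;                        /* no room for the vendor ID */
    uint32_t vendor = ((uint32_t)a[2] << 24) | ((uint32_t)a[3] << 16) |
                      ((uint32_t)a[4] << 8) | a[5];
    if (vendor != VENDOR_CISCO)
        return (int)alen;
    /* Assumption: one sub-attribute per VSA, so its length fills the rest. */
    if (alen < 8 || a[7] != alen - 6)
        return -1;
    size_t dlen = alen - 8;               /* at most 247, fits in raw[] */
    memcpy(out->raw, a + 8, dlen);
    out->raw[dlen] = '\0';
    out->vendor_type = a[6];
    const char *eq = strchr(out->raw, '=');
    out->value = eq ? eq + 1 : out->raw;
    return (int)alen;
}

/* Walk the attribute list; 1 = found, 0 = absent, -1 = malformed packet. */
int find_cisco_vsa(const uint8_t *attrs, size_t len, int vendor_type,
                   struct cisco_vsa *out)
{
    for (size_t off = 0; off < len; ) {
        int n = decode_attr(attrs + off, len - off, out);
        if (n < 0) return -1;
        if (out->vendor_type == vendor_type) return 1;
        off += (size_t)n;
    }
    return 0;
}

/* Constructed sample: User-Name "Prueba", then the VSA from the dump. */
static const uint8_t sample[] = "\x01\x08Prueba"
    "\x1a\x20\x00\x00\x00\x09\x65\x1a" "h323-credit-amount=25.00";
#define SAMPLE_LEN (sizeof(sample) - 1)   /* drop the literal's trailing NUL */

int main(void)
{
    struct cisco_vsa v;
    if (find_cisco_vsa(sample, SAMPLE_LEN, 0x65, &v) == 1)
        printf("Cisco VSA %d raw=\"%s\" value=\"%s\"\n", v.vendor_type, v.raw, v.value);
    return 0;
}
```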





Re: core dumps where?

2001-11-01 Thread Thomas Jalsovsky


On Wed, 31 Oct 2001 [EMAIL PROTECTED] wrote:

> Matt Rose <[EMAIL PROTECTED]> wrote:
> > where does freeradius core-dump to?
>
>   The current working directory, usually where-ever you started the
> server from.
>
>   However, I've occasionally seen it die, and NOT core dump.  I can't
> figure out why that's happening.

don't forget tho the shell... in RH7.x the default core filesize is zero.
You can change this with ulimit -c 1000 (means unlimited).
(/etc/profile)

Of course you must enable coredumps in the radius configuration.

Regards,
Thomas

>
>   Alan DeKok.
>
>





Re: Stop packet with zero session length

2001-10-28 Thread Thomas Jalsovsky


Hello,

if you are using Cisco, you can ignore these messages by
modifying the rlm_sql/conf.h file:
//#define CISCO_ACCOUNTING_HACK

I don't know why this option is on by default; we normally are
getting records with zero session time (VoIP - errors with signalization,
user busy etc.). My opinion is that it should be off by default...

Thomas


 ---
  Thomas Jalsovsky,Project Manager   at PosTel, Plc.
PosTel, a.s. Kvacalova 53,82108 Bratislava 2
Tel.: +421-2-50203160, Fax.: +421-2-50203198
 http://www.postel.sk, http://www.globalphone.sk
GlobalPhone, As long as you want

On Sun, 28 Oct 2001, Eric Allison wrote:

> Can anyone assist me with getting rid of the following error?
> Error: rlm_sql: Stop packet with zero session length. (user 'username',
> nas 'xxx.xxx.xxx.xxx')
>
>
>





Re: Problems starting radiusd

2001-10-26 Thread Thomas Jalsovsky


Hi,

I posted the 'eval.c' problem earlier. Now I downloaded the latest (30min
old) CVS and compiled it. Before I ran install, I completely removed the files
from the lib/ directory. Now it is working well.
Probably the problem was with some files in lib/ but I'm not sure.

I ran: make, make install
make install gave me an error message that it can't find the rlm_dbm_parse.o
file. I went to the rlm_dbm directory, but there were no .o files; I ran make,
went back to the root source tree and make install worked. Please fix
this.

Thanks,
Thomas


On Fri, 26 Oct 2001 [EMAIL PROTECTED] wrote:

> Chris Parker <[EMAIL PROTECTED]> wrote:
> > Now, the funny thing is, I cannot find 'eval.c' anywhere in the source.
>
>   'eval.c' was mentioned in an earlier message to the list.  I have no
> idea where it's coming from.
>
> > I'd suggest nuking all of the 'rlm' libs installed on your system and
> > doing a full re-install.  I suspect you may have an older (and incompatible)
> > radius module lib somewhere.
>
>   I would also suggest commenting out the code in rad_mangle() via:
>
> static void rad_mangle(rlm_preprocess_t *data, REQUEST *request)
> {
> #if 0
> ...
>
> #endif
> }
>
>
>   It won't mangle the attributes in the way you want, but if something
> in rad_mangle() is the problem, then it won't SEGV, either.
>
>   Alan DeKok.
>
>





MySQL accounting failover

2001-09-11 Thread Thomas Jalsovsky


Hello,

I configured FreeRADIUS (20010909 CVS) with MySQL. I would like to
configure fail-over for MySQL accounting. I tried:

accounting {
    acct_unique
    detail
    group {
        sql_primary {
            fail     = 1
            notfound = 2
            noop     = return
            ok       = return
            updated  = return
            reject   = return
            userlock = return
            invalid  = return
            handled  = return
        }
        sql_secondary {
            fail     = 1
            notfound = 2
            noop     = return
            ok       = return
            updated  = return
            reject   = return
            userlock = return
            invalid  = return
            handled  = return
        }
    }
    unix
    radutmp
    sradutmp
}

If I turned off the primary server, I didn't get data to the secondary. I
started RADIUS in debug mode (-xx), and I found that the primary returned
"ok" while the primary DB was down. Probably for this reason the secondary DB
didn't get anything from the radius server. Is it OK to return an ok message
when the db is down? I think it is not right...

Any idea?

Thanks,
Thomas





MySQL accounting fail-over

2001-09-10 Thread Thomas Jalsovsky



Hello,

I use MySQL for accounting. I have 2 databases. I want to
configure RADIUS to send accounting data to the 1st db and if the 1st db
fails send data to the 2nd db. I tried this configuration:

# Accounting. Log to detail file, and to the radwtmp file, and maintain
# radutmp.
accounting {
    acct_unique
    detail
    #counter
    redundant {
        sql_primary
        sql_secondary
    }
    unix
    radutmp
    sradutmp
}

In this case I get accounting data in both db servers, which is not good
for me. What is wrong in my configuration?

Thanks in advance,
Thomas





turn off debug mode

2001-09-10 Thread Thomas Jalsovsky


Hello,
how can I turn off debug mode? I don't want to have debug messages
in my radius.log file. If I'm right I didn't turn on debug (radius is
started without -X or -x parameters).

Thanks,
Thomas





Re: DNIS authentication

2001-08-09 Thread Thomas Jalsovsky


> >Cisco (our Cisco AS5300) doesn't send Called-Station-ID attribute in the
> >access request RADIUS packet, therefore you can't use it for auth.
>
> Uhm, you certainly can.  If your telco sends you DNIS info the NAS will
> send it to you.  I'd confirm with you telco that they are sending DNIS
> info to you.
>
> I have >200 cisco's all happily sending Called-Station-ID, so it is
> definitely supported.  :)
>
> -Chris
I think it depends on the environment. I use AS5300 for VoIP and our TCL
script is in Cisco clid_col_npw_3. It doesn't send CLID in the auth request.
If I rewrite the script I CAN do auth with CLID in the way of: User-Name =
CLID, Password = "" (or something what I want).
Sometimes we need to look into the system/scripts for solving some
problems - it is true for Cisco 2 time :-)
In Cisco there is a feature called ISDN Preauth (aaa preauth) but it
doesn't work with VoIP - this is not written in any documentation.

Have a nice day,
Thomas

p.s.: A couple of weeks ago I sent a cisco_vsa_hack patch. This patch went to
/dev/null or it is in a processing queue. Thanks.





Re: DNIS authentication

2001-08-08 Thread Thomas Jalsovsky

On Wed, 8 Aug 2001, Chris Parker wrote:

> At 09:48 AM 8/8/2001 -0500, Mark Nicholas wrote:
> >Hi,
> >
> > I am running freeradius-0.1.
>
> Upgrade to 0.2 ( or the latest CVS, actually ).  Many fixes over 0.1.
>
> >Does anyone know how to have only one user
> >able to authenticate when calling an 800 number.  We are setting up personal
> >800 numbers for some dialin customers and don't want them to be able to call
> >other people's 800 numbers.
>
> Add 'Called-Station-ID' as a check item in the 'users' file.  Ala:
>
> user1Auth-Type := System, Called-Station-ID == "8001234567"
>  Fall-Through = Yes
>
> DEFAULT Auth-Type := Reject, Called-Station-ID == "8001234567"
>
> -Chris

Cisco (our Cisco AS5300) doesn't send Called-Station-ID attribute in the
access request RADIUS packet, therefore you can't use it for auth.
A debug message from Cisco (debug radius):

Aug  9 05:52:32.303: RADIUS: ustruct sharecount=2
Aug  9 05:52:32.303: Radius: radius_port_info() success=0
radius_nas_port=1
Aug  9 05:52:32.303: RADIUS: added cisco VSA 2 len 11 "ISDN 3:D:31"
Aug  9 05:52:32.303: RADIUS: added cisco VSA 24 len 41
"h323-conf-id=8F495AF8 CEECFC30 0 6C575794"
Aug  9 05:52:32.303: RADIUS: added cisco VSA 1 len 27 "in-portgrp-id=(For
testing)"
Aug  9 05:52:32.303: RADIUS: added cisco VSA 1 len 32
"h323-ivr-out=transactionID:19790"
Aug  9 05:52:32.307: RADIUS: Initial Transmit ISDN 3:D:31 id 104
193.41.203.5:1812, Access-Request, len 198
Aug  9 05:52:32.307: Attribute 4 6 C129CB14
Aug  9 05:52:32.307: Attribute 26 19 0009020D4953
Aug  9 05:52:32.307: Attribute 61 6 
Aug  9 05:52:32.307: Attribute 1 5 3136391A
Aug  9 05:52:32.307: Attribute 26 49 0009182B6833
Aug  9 05:52:32.307: Attribute 2 18 87C491A1
Aug  9 05:52:32.307: Attribute 26 35 0009011D696E
Aug  9 05:52:32.307: Attribute 26 40 000901226833
Aug  9 05:52:32.311: RADIUS: Received from id 104 193.41.203.5:1812,
Access-Reject, len 20

Called-Station-ID is attribute 30, and as you see, attr. 30 wasn't sent
to the RADIUS server.

If you have Cisco, we can talk about possible solutions..

Thomas





Re: DNIS authentication

2001-08-08 Thread Thomas Jalsovsky


Hello,

what kind of device do you use? If Cisco, probably I can help you.
I think you want to have preauthentication (before the device picks up
the 0800 line) to secure your toll-free line.
I solved this problem about 2-3 days ago with Cisco
AS5300+TCL+RADIUS.

Best regards,
Thomas

 ---
  Thomas Jalsovsky,Project Manager   at PosTel, Plc.
PosTel, a.s. Kvacalova 53,82108 Bratislava 2
Tel.: +421-2-50203160, Fax.: +421-2-50203198
 http://www.postel.sk, http://www.globalphone.sk
GlobalPhone, As long as you want

On Wed, 8 Aug 2001, Mark Nicholas wrote:

> Hi,
>
> I am running freeradius-0.1.  Does anyone know how to have only one user
> able to authenticate when calling an 800 number.  We are setting up personal
> 800 numbers for some dialin customers and don't want them to be able to call
> other people's 800 numbers.
>
> Thanks,
>
> Mark
>
> Mark Nicholas,[EMAIL PROTECTED]
> CCNA 601.969.1434
> Internet Doorway, Inc. http://www.netdoor.com/
>
>
>





CISCO_ACCOUNTING_HACK

2001-08-04 Thread Thomas Jalsovsky


Hello All,

Can anybody tell me what $SUBJ is doing? I use Cisco and if I have
this option turned on, some packets are lost because of zero session time.
I have calls with session time zero (unsuccessful or technical problems
with ISDN signalization) which I want to have in accounting logs (detail
file and db).
Please describe what this hack does. (now I use accounting with
$SUBJ turned off - // define ...).

Thanks in advance,
Thomas

 ---
  Thomas Jalsovsky,Project Manager   at PosTel, Plc.
PosTel, a.s. Kvacalova 53,82108 Bratislava 2
Tel.: +421-2-50203160, Fax.: +421-2-50203198
 http://www.postel.sk, http://www.globalphone.sk
GlobalPhone, As long as you want





Accounting replication with radrelay.

2001-07-31 Thread Thomas Jalsovsky


Hello All,

I use $SUBJ in Cistron radius, and I would like to know whether
FreeRADIUS does or will support that function.
I think it is a very good feature which is usable for doing some
fail-over things with detail files.

Thanks in advance,
Thomas
k

