Re: Freeradius and MySQL

2004-11-28 Thread Keith Yoder
Stefan wrote:
> All,
> I've successfully set up my freeradius to lookup the users in MySql.
> I've two questions:
> 1. Is it possible to configure the RADIUS Clients in MySql too?

There is a nas table in the db schema now but I don't know how it works.

> 2. would it be possible to write specific RADIUS Attributes into the
> accounting db? In some cases, I will get VSAs, which I have to keep for some
> days. In the text file accounting, I can find them.

You can modify the standard accounting table and queries (in the
sql.conf file) to include any attribute your NAS returns in the
accounting requests.

Hope that helps,
Keith Yoder
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius and MySQL

2004-11-28 Thread Stefan
All,

I've successfully set up my freeradius to lookup the users in MySql.
I've two questions:
1. Is it possible to configure the RADIUS Clients in MySql too?
2. would it be possible to write specific RADIUS Attributes into the
accounting db? In some cases, I will get VSAs, which I have to keep for some
days. In the text file accounting, I can find them.


Thank you for a hint.



Rg. 
Stefan




NAS-Identifier and != operator

2004-11-28 Thread Vladimir Ilyin
Greetings!

To be short, I tried to use this construction in the users file, but it
fails to match for some reason.


DEFAULT Huntgroup-Name == "test", Sql-Group == "groupname", NAS-Identifier != ftp, Auth-Type := Reject
	Fall-Through = No

I.e., it should check if the user is from huntgroup test, has group
groupname, and his NAS-Identifier is NOT ftp. Everything works, except
for that != operator, and I don't see why. Can you please give me some
pointers?

Regards, Vladimir




Re: Configuring Freeradius to authenticate with MySQL

2004-11-28 Thread Mohammed Petiwala
Hi:
Based on the error message - check whether your
clients.conf file has localhost 127.0.0.1 set up as a
valid client, and also check that the shared secret used is
the correct one:

client 127.0.0.1 {
    secret      = omeya
    shortname   = spacecable
    nastype     = other
}

-Mohammed.


Mohammed H. Petiwala
Senior Staff Engineer
iDEN-WLAN, Motorola Inc.


--- bhalchandra sawant <[EMAIL PROTECTED]> wrote:

> Hello,
> 
> I am configuring Freeradius with Mysql.  I think I
> have configured correctly, as I am not getting any
> error message in debugging mode.  The result is as
> below :
> 

Configuring Freeradius to authenticate with MySQL

2004-11-28 Thread bhalchandra sawant
Hello,

I am configuring Freeradius with Mysql.  I think I
have configured correctly, as I am not getting any
error message in debugging mode.  The result is as
below :

[EMAIL PROTECTED] root]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 90
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will
go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will
go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will
go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded SQL
 sql: driver = "rlm_sql_mysql"
 sql: server = "spacecable"
 sql: port = ""
 sql: login = ""
 sql: password = ""
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"
 sql: nas_table = "nas"
 sql: dict_table = "dictionary"
 sql: sqltrace = yes
 sql: sqltracefile = "/var/log/radius/sqltrace.sql"
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name =
"%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
 sql: default_user_profile = ""
 sql: query_on_not_found = no
 sql: authorize_check_query = "SELECT
id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '%{SQL-User-Name}' ORDER BY id"
 sql: authorize_reply_query = "SELECT
id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '%{SQL-User-Name}' ORDER BY id"
 sql: authorize_group_check_query = "SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username
= '%{SQL-User-Name}' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id"
 sql: authorize_group_reply_query = "SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username
= '%{SQL-User-Name}' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id"
 sql: accounting_onoff_query = "UPDATE radacct SET
AcctStopTime='%S',
AcctSessionTime=unix_timestamp('%S') -
unix_timestamp(AcctStartTime),
AcctTerminateCause='%{Acct-Terminate-Cause}',
AcctStopDelay = %{Acct-Delay-Time} WHERE
AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress=
'%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
 sql: accounting_update_query = "UPDATE radacct SET
FramedIPAddress = '%{Framed-IP-Address}' WHERE
AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' AND NASIPAddress=
'%{NAS-IP-Address}' AND AcctStopTime = 0"
 sql: accounting_start_query = "INSERT into radacct
(RadAcctId, AcctSessionId, AcctUniqueId, UserName,
Real

Re: What am I missing??

2004-11-28 Thread Alan DeKok
"Chris Knipe" <[EMAIL PROTECTED]> wrote:
> Alan, may it perhaps be a good idea to add some debugging info to -X so that 
> it can perhaps state which actual module (path / version / etc) it is 
> loading?  In my case, I think I had older versions of the modules lying 
> around that FR loaded...

  The exact version being loaded is known only to libtool, unfortunately.

  The versioning of libraries that the server uses SHOULD ensure that
incompatible libraries aren't loaded.  But with libtool, who knows.

  Alan DeKok.



Re: What am I missing??

2004-11-28 Thread Chris Knipe
Lo all,
I just wanted to let you know that the problem was because I had an older 
version of rlm_sqlcounter (I think).  I recompiled the module, and 
everything was fine.

Alan, may it perhaps be a good idea to add some debugging info to -X so that 
it can perhaps state which actual module (path / version / etc) it is 
loading?  In my case, I think I had older versions of the modules lying 
around that FR loaded...

--
Chris.
- Original Message - 
From: "Chris Knipe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 26, 2004 6:44 PM
Subject: What am I missing??


Lo all,
Below is a full debug output of an authentication request.  I am trying to 
get rlm_sqlcounter to work - from what I can see, all the attributes are 
in place, but the module simply ignores them?? I'd appreciate some 
assistance, it must be something silly(tm) again...

--- Walking the entire request list ---
Cleaning up request 0 ID 138 with timestamp 417e7aa9
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host x.x.x.x:1029, id=55, length=250
  Service-Type = Framed-User
  Framed-Protocol = PPP
  NAS-Identifier = "pptp-gw01.nas"
  NAS-Port = 55
  NAS-Port-Type = Virtual
  User-Name = "[EMAIL PROTECTED]"
  Calling-Station-Id = "y.y.y.y"
  Called-Station-Id = "x.x.x.x"
  MS-CHAP-Domain = "whatever"
  MS-CHAP-Challenge = 0x0437345f654a85c9
  MS-CHAP-Response = 
0x01014bde361ff118c8c37b1bb35919665a633466ec05a9c54401
  NAS-IP-Address = x.x.x.x
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module "preprocess" returns ok for request 1
 modcall[authorize]: module "chap" returns noop for request 1
 modcall[authorize]: module "attr_filter" returns noop for request 1
   rlm_realm: Looking up realm "whatever" for User-Name = 
"[EMAIL PROTECTED]"
   rlm_realm: Found realm "cenergynetworks.com"
   rlm_realm: Adding Stripped-User-Name = "6622-5505-5719-5980"
   rlm_realm: Proxying request from user 6622-5505-5719-5980 to realm 
whatever
   rlm_realm: Adding Realm = "whatever"
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module "suffix" returns noop for request 1
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> 
'[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM RadiusCheck 
WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
## RETURN:
## +----+-------------------+----------------------+--------+----+
## | id | UserName          | Attribute            | Value  | op |
## +----+-------------------+----------------------+--------+----+
## | 62 | [EMAIL PROTECTED] | User-Password        | 653106 | == |
## | 63 | [EMAIL PROTECTED] | Simultaneous-Use     | 1      | := |
## | 64 | [EMAIL PROTECTED] | Huntgroup-Name       | pptp   | := |
## | 66 | [EMAIL PROTECTED] | Max-All-Session-Time | 30     | := |  <- ATTRIBUTE IN QUESTION
## +----+-------------------+----------------------+--------+----+
## 4 rows in set (0.00 sec)

rlm_sql (sql): Reserving sql socket id: 23
radius_xlat:  'SELECT 
RadiusGroupCheck.id,RadiusGroupCheck.GroupName,RadiusGroupCheck.Attribute,RadiusGroupCheck.Value,RadiusGroupCheck.op 
FROM RadiusGroupCheck,RadiusUsers WHERE RadiusUsers.Username = 
'[EMAIL PROTECTED]' AND RadiusUsers.isActive='y' AND 
RadiusUsers.GroupName = RadiusGroupCheck.GroupName ORDER BY 
RadiusGroupCheck.id'
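## RETURN:
## +----+------------+---------------+----------+----+
## | id | GroupName  | Attribute     | Value    | op |
## +----+------------+---------------+----------+----+
## | 10 | CENPPTP064 | NAS-Port-Type | Ethernet | := |
## | 11 | CENPPTP064 | Pool-Name     | pptp     | := |
## +----+------------+---------------+----------+----+
## 2 rows in set (0.00 sec)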

radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM RadiusReply 
WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
## RETURN:
## NONE

radius_xlat:  'SELECT 
RadiusGroupReply.id,RadiusGroupReply.GroupName,RadiusGroupReply.Attribute,RadiusGroupReply.Value,RadiusGroupReply.op 
FROM RadiusGroupReply,RadiusUsers WHERE RadiusUsers.Username = 
'[EMAIL PROTECTED]' AND RadiusUsers.isActive='y' AND 
RadiusUsers.GroupName = RadiusGroupReply.GroupName ORDER BY 
RadiusGroupReply.id'
## RETURN:
## +----+------------+-----------------------+---------------+----+
## | id | GroupName  | Attribute             | Value         | op |
## +----+------------+-----------------------+---------------+----+
## | 25 | CENPPTP064 | Framed-IP-Netmask     | 255.255.255.0 | =  |
## | 27 | CENPPTP064 | Acct-Interim-Interval | 60            | =  |
## | 28 | CENPPTP064 | Rate-Limit            | 64k/64k       | =  |
## | 29 | CENPPTP064 | Service-Type          | Framed-User   | =  |
## | 30 | CENPPTP064 | Framed-Protocol       | PPP           | =  |
## +----+------------+-----------------------+---------------+----+
## 5 ro

Re: Acct Logging to Mysql

2004-11-28 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> we have freeradius 1.0.1 and Mysql 4.0.3.
> Auth Logging works fine, but the acct Logging is broken.
> In freeradius -X i found no NAS Ports:

  Ok...

> radius_xlat:  'panekm'
>   rlm_radutmp: No NAS-Port seen.  Cannot do anything.
>   rlm_radumtp: WARNING: checkrad will probably not work!

  What do you think is broken?  It's definitely not the server.

> Any idea ??

  What problems, if any, are you seeing as a result of the above
messages?

  When the server prints that message, it tells you what's going
wrong, and why.  If there are no problems that you can discover as a
result of this, then the messages aren't affecting you.

  Alan DeKok.




Re: feature request

2004-11-28 Thread Alan DeKok
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> I would love to see a feature for logging by either realm, client,
> or even by CLID. Does the newer FR (>.9) having where radius.log can
> be sent to a DB instead?

  No.

  To log by realm/client/whatever, I suggest changing src/main/log.c,
so that "log_file" is expanded via radius_xlat, rather than being used
as-is.

  It's about a 4 line change, I think.

  Alan DeKok.
