How to use rlm_dbm module ???

2006-09-26 Thread 나종현

 
 
I want to use gdbm in RADIUS to manage user_id, passwd, etc.

Is it possible using the rlm_dbm module?

How do I modify the radiusd.conf module section?

Please help.


		
			

			
			





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Apologies for Mr. Peter Nixon and updated sqlippool debug

2006-09-26 Thread Peter Nixon
On Tue 26 Sep 2006 00:49, Guilherme Franco wrote:
> Mr. Nixon,
>
> Please accept my humble apologies for the earlier spam.
>
> I would like to test your experimental module sqlippool in Oracle and
> in return, contribute somehow with my working configs and tables to
> the CVS.
>
> I understand that you are a busy man, so please excuse me if I did bother
> you.
>
> This question is not directed only to you but I'm asking it because
> module rlm_sqlippool has pnixon ownership. Please correct me if I'm
> wrong.
>
> With all the help from you and everyone on the freeradius-users list,
> I've managed to make some progress with the sqlippool in Oracle, with
> just one error left.
>
> I'm not a SQL newbie, but I'm struggling to debug that error because I
> can't see the originating query as it is apparently assembled on the fly
> in lib/rlm_sqlippool* objects.
>
> I have C knowledge but didn't discover what might be causing the
> error in rlm_sqlippool.c.
>
> Currently, I'm using freeradius-snapshot-20060925.
>
> I've compiled it with  --enable-developer and ran radiusd -X through gdb.
>
> The error happens even when I'm using the default v1.4 of
> sqlippool.conf, without modifying it:
> --
> Processing the post-auth section of radiusd.conf
> modcall:  entering group post-auth for request 0
> rlm_sql (sql): Reserving sql socket id: 2
> radius_xlat:  'BEGIN'
> BEGIN
> rlm_sql_oracle: execute query failed in sql_query: ORA-06550: line 1,
> column 5: PLS-00103: Encountered the symbol "end-of-file" when
> expecting one of the following: begin case declare exit for goto
> if loop mod null pragmaraise return select update while with  identifier>  variable> <  savepoint set sql execute commit forall merge pipe
> rlm_sql_oracle: OCI_SERVER_NORMAL
> sqlippool_command: database query error
> ---
>
> Next is an output of Oracle's compatible version of sqlippool.conf
> that I've made. It works, but the IP from the sql pool does not get
> allocated because of the previous error:
>
> ---
> UPDATE radippool   SET nasipaddress = '', pool_key = 0,
> callingstationid = '',   expiry_time = current_timestamp - interval
> '1' second(1)   WHERE pool_key = '2398432'
> SELECT framedipaddress FROM radippool   WHERE pool_name = 'FOO' AND
> expiry_time < current_timestamp AND ROWNUM = 1   ORDER BY (select
> username from radippool where username <> ''), (select
> callingstationid from radippool where callingstationid <> ''),
> expiry_time   FOR UPDATE
> sqlippool_query1: SQL query did not succeed



What happens when you run this query manually?


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Auth-Type issue

2006-09-26 Thread Apu islam
Hello good FreeRadius People,
I have the radius server running fine, however I am
having issues with user being authenticated. To note,
I am using dialup-admin to create the user. Here is
the error output:
---
rad_recv: Access-Request packet from host
x.x.x.x:63762, id=252, length=156
NAS-Identifier = "border01"
NAS-Port = 0
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "apu"
MS-CHAP-Challenge = 0xbb1e683234213423423423
MS-CHAP2-Response =
0x82174309827423842879a5c39e672
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok
for request 1
modcall: leaving group authorize (returns ok) for
request 1
auth: No authenticate method (Auth-Type) configuration
found for the request: Rejecting the user 


can you tell me how to get around that ? I have dug in
but did not see any way I could set the flag when I
create the user in dialup-admin. Any help is
appreciated.

Apu



--
 Apu Islam
( E Pluribus Unum)
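
Added example, not part of this thread and not a configuration the poster supplied: the radiusd.conf sections that make the request above succeed on a FreeRADIUS 1.x server whose users were created in SQL by dialup-admin. The debug log shows only preprocess running in authorize, so no module set Auth-Type and the server rejected the user. Listing mschap in authorize lets it see the MS-CHAP-Challenge/MS-CHAP2-Response pair and set Auth-Type := MS-CHAP, and sql loads the user's password from radcheck. Module names are the stock ones; everything else about the site is assumed.

```text
# radiusd.conf (FreeRADIUS 1.x), relevant sections only.
# Assumes the stock mschap and sql module definitions earlier in the file.

authorize {
	preprocess
	mschap		# sees the MS-CHAP attributes, sets Auth-Type := MS-CHAP
	sql		# loads User-Password / NT-Password from radcheck
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
}
```

MS-CHAPv2 needs the cleartext password (User-Password) or an NT-Password hash in radcheck; a Crypt-Password entry cannot be used for MS-CHAP, so check what dialup-admin stored for the user. Run radiusd -X again and confirm that the authorize trace now shows module "mschap" returning ok before modcall leaves the group.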


Re: Source IP address for proxy requests

2006-09-26 Thread Nicolas Baradakis
Peter Nixon wrote:

> On Mon 25 Sep 2006 19:05, Nicolas Baradakis wrote:
>
> > That has nothing to do with FreeRADIUS. The source address of an
> > outgoing UDP packet is chosen by the kernel according to the local
> > network configuration.
>
> I had this problem previously with FreeRADIUS where radius had to reply from
> the inside interface of a multihomed server else the packets would not match
> the IPSec tunnel ACLs bound to the external interface (A common config) I
> solved it by telling freeradius to only bind to one IP. Does this config no
> longer work??

This example is different from the one we're discussing. FreeRADIUS
replies indeed to the NAS from the same address as the request arrived
at.

However, a proxy request is different, because it's a new outgoing
packet. In this case, we don't force the source IP in FreeRADIUS and
we shouldn't do so because the NAS and the realm server are possibly
on a different network. (it depends on the local network configuration)

The network configuration of the host is outside the scope of
FreeRADIUS. The correct way to solve the problem is to fix the
network routes on the host, so the outgoing requests have the
desired source IP.

-- 
Nicolas Baradakis

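
Added example, not code from the thread or from FreeRADIUS: how to confirm on a Linux host which source address the kernel will put on the proxied request, which is the check Nicolas's answer implies, and the shape of the route that changes it. It shells out to iproute2's ip route get; the addresses, interface names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS: confirm on a
# Linux host which source address the kernel will put on a proxied request,
# and the shape of the route that changes it. Uses iproute2's "ip route get";
# the addresses, interface names and sample output are constructed.

# route_src_ip LINE: print the address after "src" in one line of
# "ip route get" output; print nothing if the line has no src field.
route_src_ip() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "src") { print $(i + 1); exit }
    }'
}

# kernel_source_ip DEST: live lookup on this host. This is the same decision
# the kernel makes when radiusd sends the proxy packet from an unbound UDP
# socket, so compare it with what the home server (or an IPsec selector in
# between) expects to see.
kernel_source_ip() {
    route_src_ip "$(ip route get "$1" 2>/dev/null | head -n 1)"
}

# Constructed "ip route get 10.20.30.40" results, not from a real host.
# Before: the default route on the external interface wins, so the proxy
# request leaves with the outside address.
SAMPLE_BEFORE='10.20.30.40 via 203.0.113.1 dev eth0 src 203.0.113.10 uid 0'
# After adding a more specific route with an explicit preferred source:
#   ip route add 10.20.0.0/16 via 192.168.1.1 dev eth1 src 192.168.1.10
SAMPLE_AFTER='10.20.30.40 via 192.168.1.1 dev eth1 src 192.168.1.10 uid 0'

case "${1:-}" in
    --check) kernel_source_ip "$2" ;;
esac
```

ip route get answers exactly the question the kernel answers when radiusd sends the proxy packet from an unbound socket. If the reported src is on the wrong interface, add or change the route for the realm server's network with an explicit src as in the comment; the change takes effect immediately and needs no FreeRADIUS restart. Whichever address ends up being used is the one the home server's client entry must list.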


Re: Apologies for Mr. Peter Nixon and updated sqlippool debug

2006-09-26 Thread Peter Nixon
On Tue 26 Sep 2006 14:45, Guilherme Franco wrote:
> Hi,
>
> This is what happens:
>
> SQL> UPDATE radippool   SET nasipaddress = '', pool_key =
> 0,callingstationid = '',   expiry_time = current_timestamp - interval
> '1' second(1)   WHERE pool_key = '2398432';
>
> 0 rows updated.
>
> SQL> SELECT framedipaddress FROM radippool   WHERE pool_name = 'FOO'
> AND expiry_time < current_timestamp AND ROWNUM = 1   ORDER BY (select
> username from radippool where username <> ''), (select
> callingstationid from radippool where callingstationid <>
> ''),expiry_time   FOR UPDATE;
>
> no rows selected

So there you go. You found the problem.. Why doesn't it find any rows?

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Apologies for Mr. Peter Nixon and updated sqlippool debug

2006-09-26 Thread Guilherme Franco

Hello,

But how can my first query work if the pool-key was not saved anywhere
in the database?

When I do the same query without the "where pool_key = something", it works:

UPDATE radippool   SET nasipaddress = '', pool_key =
0,callingstationid = '',   expiry_time = current_timestamp - interval
'1' second(1);

4 rows updated.

SQL> select * from radippool;

ID  POOL_NAME  NASIPADDRESS  NAS_PORT  EXPIRY_TIME            USERNAME  FRAMEDIPADDRESS  POOL_KEY  CALLINGSTATIONID
--  ---------  ------------  --------  ---------------------  --------  ---------------  --------  ----------------
 1  FOO                                26-SEP-06 09.27.54 AM            192.168.1.1             0


Sorry, in the second query I pasted an old query earlier for you. The
second query works, it is:

SQL> SELECT framedipaddress FROM radippool   WHERE pool_name = 'FOO'
AND expiry_time < current_timestamp AND ROWNUM = 1   ORDER BY (select
username from radippool where username <> ''), (select
callingstationid from radippool where callingstationid <>
''),expiry_time   FOR UPDATE;

FRAMEDIPADDRESS
--
192.168.1.1

Thanks.

On 9/26/06, Peter Nixon <[EMAIL PROTECTED]> wrote:

On Tue 26 Sep 2006 14:45, Guilherme Franco wrote:
> Hi,
>
> This is what happens:
>
> SQL> UPDATE radippool   SET nasipaddress = '', pool_key =
> 0,callingstationid = '',   expiry_time = current_timestamp - interval
> '1' second(1)   WHERE pool_key = '2398432';
>
> 0 rows updated.
>
> SQL> SELECT framedipaddress FROM radippool   WHERE pool_name = 'FOO'
> AND expiry_time < current_timestamp AND ROWNUM = 1   ORDER BY (select
> username from radippool where username <> ''), (select
> callingstationid from radippool where callingstationid <>
> ''),expiry_time   FOR UPDATE;
>
> no rows selected

So there you go. You found the problem.. Why doesn't it find any rows?

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




Re: Source IP address for proxy requests

2006-09-26 Thread Peter Nixon
On Tue 26 Sep 2006 11:55, Nicolas Baradakis wrote:
> Peter Nixon wrote:
> > On Mon 25 Sep 2006 19:05, Nicolas Baradakis wrote:
> > > That has nothing to do with FreeRADIUS. The source address of an
> > > outgoing UDP packet is chosen by the kernel according to the local
> > > network configuration.
> >
> > I had this problem previously with FreeRADIUS where radius had to reply
> > from the inside interface of a multihomed server else the packets would
> > not match the IPSec tunnel ACLs bound to the external interface (A common
> > config) I solved it by telling freeradius to only bind to one IP. Does
> > this config no longer work??
>
> This example is different from the one we're discussing. FreeRADIUS
> replies indeed to the NAS from the same address as the request arrived
> at.
>
> However, a proxy request is different, because it's a new outgoing
> packet. In this case, we don't force the source IP in FreeRADIUS and
> we shouldn't do so because the NAS and the realm server are possibly
> on a different network. (it depends on the local network configuration)
>
> The network configuration of the host is outside the scope of
> FreeRADIUS. The correct way to solve the problem is to fix the
> network routes on the host, so the outgoing requests have the
> desired source IP.

Yes you are correct. Obviously I didn't read the thread in enough depth. It 
does bring up the issue that we maybe should have an optional proxy_source_ip 
config option..

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Apologies for Mr. Peter Nixon and updated sqlippool debug

2006-09-26 Thread Guilherme Franco

Sorry if I did not make myself clear.

Because of the very first problem, I think:

Processing the post-auth section of radiusd.conf
modcall:  entering group post-auth for request 0
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'BEGIN'
BEGIN
rlm_sql_oracle: execute query failed in sql_query: ORA-06550: line 1,
column 5: PLS-00103: Encountered the symbol "end-of-file" when
expecting one of the following: begin case declare exit for goto
if loop mod null pragmaraise return select update while with   < 'test_user2'
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 44 to 172.16.4.1 port 2243
Finished request 0


The access is accepted but without an IP.


That's the problem.

Thank you very much.

On 9/26/06, Peter Nixon <[EMAIL PROTECTED]> wrote:

So what exactly is the problem? You posted me a debug log. I told you what the
problem was. If you say that it now works then there is no problem.

If you have ANOTHER problem, then post the debug for it.

The first query is not SUPPOSED to work if the pool_key doesn't exist. It
CLEARS existing IP leases. Do you have any active leases right now? If not
why would you be trying to clear them?

Peter

On Tue 26 Sep 2006 15:41, Guilherme Franco wrote:
> Hello,
>
> But how can my first query work if the pool-key was not saved anywhere
> in the database?
>
> When I do the same query without the "where pool_key = something", it
> works:
>
> UPDATE radippool   SET nasipaddress = '', pool_key =
> 0,callingstationid = '',   expiry_time = current_timestamp - interval
> '1' second(1);
>
> 4 rows updated.
>
> SQL> select * from radippool;
>
> ID  POOL_NAME  NASIPADDRESS  NAS_PORT  EXPIRY_TIME            USERNAME  FRAMEDIPADDRESS  POOL_KEY  CALLINGSTATIONID
> --  ---------  ------------  --------  ---------------------  --------  ---------------  --------  ----------------
>  1  FOO                                26-SEP-06 09.27.54 AM            192.168.1.1             0
>
>
> Sorry, in the second query I pasted an old query earlier for you. The
> second query works, it is:
>
> SQL> SELECT framedipaddress FROM radippool   WHERE pool_name = 'FOO'
> AND expiry_time < current_timestamp AND ROWNUM = 1   ORDER BY (select
> username from radippool where username <> ''), (select
> callingstationid from radippool where callingstationid <>
> ''),expiry_time   FOR UPDATE;
>
> FRAMEDIPADDRESS
> --
> 192.168.1.1
>
> Thanks.
>
> On 9/26/06, Peter Nixon <[EMAIL PROTECTED]> wrote:
> > On Tue 26 Sep 2006 14:45, Guilherme Franco wrote:
> > > Hi,
> > >
> > > This is what happens:
> > >
> > > SQL> UPDATE radippool   SET nasipaddress = '', pool_key =
> > > 0,callingstationid = '',   expiry_time = current_timestamp - interval
> > > '1' second(1)   WHERE pool_key = '2398432';
> > >
> > > 0 rows updated.
> > >
> > > SQL> SELECT framedipaddress FROM radippool   WHERE pool_name = 'FOO'
> > > AND expiry_time < current_timestamp AND ROWNUM = 1   ORDER BY (select
> > > username from radippool where username <> ''), (select
> > > callingstationid from radippool where callingstationid <>
> > > ''),expiry_time   FOR UPDATE;
> > >
> > > no rows selected
> >
> > So there you go. You found the problem.. Why doesn't it find any rows?
> >
> > --
> >
> > Peter Nixon
> > http://www.peternixon.net/
> > PGP Key: http://www.peternixon.net/public.asc
> >
> >

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




Prefixing Topics with Mailing list name

2006-09-26 Thread Graham Beneke

Hi Guys

Something that's been bugging me about this list for a while is the fact 
that the post subjects have no indication which mailing list they are from.
All the other mailing lists I'm on prefix subjects with something like 
"[freeradius]" but since this list (as well as freeradius-devel) doesn't 
do this it makes it quite difficult to figure out what is going on in my 
inbox.

Could we get this changed?

regards
--


 Graham Beneke
 Apolix Internet Services

E-Mail: [EMAIL PROTECTED] 
Cell: 082-432-1873 
Skype: grbeneke 
WEB: www.apolix.co.za 


Re: Source IP address for proxy requests

2006-09-26 Thread Peter Nixon
On Tue 26 Sep 2006 16:26, Nicolas Baradakis wrote:
> Peter Nixon wrote:
> > On Tue 26 Sep 2006 11:55, Nicolas Baradakis wrote:
> > > However, a proxy request is different, because it's a new outgoing
> > > packet. In this case, we don't force the source IP in FreeRADIUS and
> > > we shouldn't do so because the NAS and the realm server are possibly
> > > on a different network. (it depends on the local network configuration)
> > >
> > > The network configuration of the host is outside the scope of
> > > FreeRADIUS. The correct way to solve the problem is to fix the
> > > network routes on the host, so the outgoing requests have the
> > > desired source IP.
> >
> > Yes you are correct. Obviously I didn't read the thread in enough
> > depth. It does bring up the issue that we maybe should have an optional
> > proxy_source_ip config option..
>
> I don't think it's a good idea, because all the realm servers may not be
> on the same network. IMHO FreeRADIUS doesn't have to cope with the network
> configuration of the host: it only has to set the destination IP, and the
> rest is handled by the kernel.

It is not a critical option (for me) at present, but it is useful and it 
should default to * of course. If someone doesn't have all their realm 
servers on the same "side" of the server then they should know that.

A more flexible option of course would be to have an internal attribute 
like "Proxy-Source-IP". Then it could be specified per request for people who 
wish to..

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Apologies for Mr. Peter Nixon and updated sqlippool debug

2006-09-26 Thread Guilherme Franco

Hi,

This is what happens:

SQL> UPDATE radippool   SET nasipaddress = '', pool_key =
0,callingstationid = '',   expiry_time = current_timestamp - interval
'1' second(1)   WHERE pool_key = '2398432';

0 rows updated.

SQL> SELECT framedipaddress FROM radippool   WHERE pool_name = 'FOO'
AND expiry_time < current_timestamp AND ROWNUM = 1   ORDER BY (select
username from radippool where username <> ''), (select
callingstationid from radippool where callingstationid <>
''),expiry_time   FOR UPDATE;

no rows selected

SQL>

Thank you.


On 9/26/06, Peter Nixon <[EMAIL PROTECTED]> wrote:

On Tue 26 Sep 2006 00:49, Guilherme Franco wrote:
> Mr. Nixon,
>
> Please accept my humble apologies for the earlier spam.
>
> I would like to test your experimental module sqlippool in Oracle and
> in return, contribute somehow with my working configs and tables to
> the CVS.
>
> I understand that you are a busy man, so please excuse me if I did bother
> you.
>
> This question is not directed only to you but I'm asking it because
> module rlm_sqlippool has pnixon ownership. Please correct me if I'm
> wrong.
>
> With all the help from you and everyone on the freeradius-users list,
> I've managed to make some progress with the sqlippool in Oracle, with
> just one error left.
>
> I'm not a SQL newbie, but I'm struggling to debug that error because I
> can't see the originating query as it is apparently assembled on the fly
> in lib/rlm_sqlippool* objects.
>
> I have C knowledge but didn't discover what might be causing the
> error in rlm_sqlippool.c.
>
> Currently, I'm using freeradius-snapshot-20060925.
>
> I've compiled it with  --enable-developer and ran radiusd -X through gdb.
>
> The error happens even when I'm using the default v1.4 of
> sqlippool.conf, without modifying it:
> --
> Processing the post-auth section of radiusd.conf
> modcall:  entering group post-auth for request 0
> rlm_sql (sql): Reserving sql socket id: 2
> radius_xlat:  'BEGIN'
> BEGIN
> rlm_sql_oracle: execute query failed in sql_query: ORA-06550: line 1,
> column 5: PLS-00103: Encountered the symbol "end-of-file" when
> expecting one of the following: begin case declare exit for goto
> if loop mod null pragmaraise return select update while with  identifier>  variable> <  savepoint set sql execute commit forall merge pipe
> rlm_sql_oracle: OCI_SERVER_NORMAL
> sqlippool_command: database query error
> ---
>
> Next is an output of Oracle's compatible version of sqlippool.conf
> that I've made. It works, but the IP from the sql pool does not get
> allocated because of the previous error:
>
> ---
> UPDATE radippool   SET nasipaddress = '', pool_key = 0,
> callingstationid = '',   expiry_time = current_timestamp - interval
> '1' second(1)   WHERE pool_key = '2398432'
> SELECT framedipaddress FROM radippool   WHERE pool_name = 'FOO' AND
> expiry_time < current_timestamp AND ROWNUM = 1   ORDER BY (select
> username from radippool where username <> ''), (select
> callingstationid from radippool where callingstationid <> ''),
> expiry_time   FOR UPDATE
> sqlippool_query1: SQL query did not succeed



What happens when you run this query manually?


--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




Re: Prefixing Topics with Mailing list name

2006-09-26 Thread Peter Nixon
On Tue 26 Sep 2006 15:01, Graham Beneke wrote:
> Hi Guys
>
> Something that's been bugging me about this list for a while is the fact
> that the post subjects have no indication which mailing list they are from.
> All the other mailing lists I'm on prefix subjects with something like
> "[freeradius]" but since this list (as well as freeradius-devel) doesn't
> do this it makes it quite difficult to figure out what is going on in my
> inbox.
> Could we get this changed?
>
> regards
If you check the headers you will see that all mails have:

List-Post: <mailto:freeradius-users@lists.freeradius.org>

Simply create a filter based on that to put the mail in whatever folder you 
wish. If you want something added to the subject, that is easy enough to do 
locally also. Personally I strip all such things from my mail as it makes the 
mail much less readable. Why would you want to lose half of the width of your 
subject to useless data?

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Source IP address for proxy requests

2006-09-26 Thread Nicolas Baradakis
Peter Nixon wrote:

> On Tue 26 Sep 2006 11:55, Nicolas Baradakis wrote:
>
> > However, a proxy request is different, because it's a new outgoing
> > packet. In this case, we don't force the source IP in FreeRADIUS and
> > we shouldn't do so because the NAS and the realm server are possibly
> > on a different network. (it depends on the local network configuration)
> >
> > The network configuration of the host is outside the scope of
> > FreeRADIUS. The correct way to solve the problem is to fix the
> > network routes on the host, so the outgoing requests have the
> > desired source IP.
>
> Yes you are correct. Obviously I didn't read the thread in enough
> depth. It does bring up the issue that we maybe should have an optional
> proxy_source_ip config option..

I don't think it's a good idea, because all the realm servers may not be
on the same network. IMHO FreeRADIUS doesn't have to cope with the network
configuration of the host: it only has to set the destination IP, and the
rest is handled by the kernel.

-- 
Nicolas Baradakis



RE: Hiding Passwords in Debug Output

2006-09-26 Thread Garber, Neal
> The administrator has access to ALL secret information by simple
> fact that he's an administrator.  He can run tcpdump, and manually
> decrypt the passwords.  So hiding the password on the server is
> pointless, and a waste of time.

I realize that.  I wasn't trying to *prevent* the admin. from getting
the password if they felt they needed it (as if the admin. couldn't be
trusted).  Rather, I believe most of the time admins don't need to see
it so why not have the *option* to suppress it since it's considered
sensitive information.  Displaying it increases the risk that others
could see it and/or that an admin. would redirect debug output to disk
because: they forgot it included sensitive information, they don't
understand the risk, they're troubleshooting an intermittent problem and
they need to save the output for later analysis, or because they
normally redirect output of the server to disk just in case they need to
troubleshoot a problem.  Once it's on disk, it's the same issue that
caused the eventual change to the detail module.

> And that's the crux of the problem.  The server is used by people
> other than you, who DO need access to that information.

That's unfair Alan.  I was not trying to *dictate* that other admins
shouldn't see it - I was proposing that admins should have a choice -
because, IMO it's not needed to troubleshoot most problems.  

> Why not simply run the shell script I presented?

I could and it would do most of what I wanted.  However, it feels like a
kludge and everyone on my team would need to remember to filter the
output when running in debug mode.  I just think it's safer (from the
perspective of admins that don't want/need to see the passwords) to have
a config. option that forces the suppression.  With the config. option,
you can change the server to run in debug mode without having to
remember to pipe the output to sed (or to run a special script that
pipes the output to sed).

I've tried to articulate my point of view and why I see value in having
this option.  I've asked questions in an attempt to understand your
point-of-view and you didn't answer them.  I feel either I failed to
explain myself clearly or you made up your mind from the start and
aren't interested in hearing contrary opinions.  Perhaps our difference
is a matter of perspective, level of paranoia and the business
environment in which the server is operating.  In any case, it's not
worth arguing about.  After all, FreeRadius is open source so, if my
team feels strongly enough about it, we can make the change and maintain
it locally.




Re: Hiding Passwords in Debug Output

2006-09-26 Thread Alan DeKok
"Garber, Neal" <[EMAIL PROTECTED]> wrote:
> That's unfair Alan.  I was not trying to *dictate* that other admins
> shouldn't see it - I was proposing that admins should have a choice -
> because, IMO it's not needed to troubleshoot most problems.  

  It's no more unfair than your comment about why don't I see the need
to keep private information secure...

> I could and it would do most of what I wanted.  However, it feels like a
> kludge and everyone on my team would need to remember to filter the
> output when running in debug mode.

  Huh?  Write a wrapper for the server.  That's what shell scripts are
for.

> I just think it's safer (from the perspective of admins that don't
> want/need to see the passwords) to have a config. option that forces
> the suppression.

  You have access to the source.  Make a patch that you apply and
maintain locally.  The main disagreement here is that you want the
patch to be applied to the server, for everyone elses "benefit".

  As I hope I'm making clear, that won't happen.

> I've asked questions in an attempt to understand your
> point-of-view and you didn't answer them.

  I have responded to every issue of substance you raised.  I have
explained *my* position in depth, and given you multiple options for
how to achieve your goal without impacting everyone else using the
server.

  Insulting me because I disagree with you pretty much guarantees that
I will never agree with you.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
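
Added example, not code from the thread or from the FreeRADIUS project: the kind of wrapper Alan is describing, a shell script that runs the server in debug mode and blanks the values of password-bearing attributes before the output reaches a terminal, a saved file or a ticket. The attribute names are the standard FreeRADIUS dictionary names; treating that list as complete is an assumption, and the sample debug lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeRADIUS project:
# a wrapper around "radiusd -X" that blanks password-bearing attribute values
# before the debug stream reaches a terminal, a file or a ticket.
# The attribute names are the standard FreeRADIUS dictionary names; treating
# this list as complete is an assumption, extend it for what your NASes send.

# Filter: debug output on stdin, redacted output on stdout.
# Matches "<indent>Attr-Name = value" lines and keeps only the name and "=",
# so the packet dump stays readable while the secret is gone.
redact_radius_debug() {
    sed -E 's/^([[:space:]]*(User-Password|CHAP-Password|MS-CHAP-Challenge|MS-CHAP-Response|MS-CHAP2-Response|Tunnel-Password|Cleartext-Password|NT-Password|LM-Password)[[:space:]]*=[[:space:]]*).*$/\1<redacted>/'
}

# Wrapper to use in place of "radiusd -X": same arguments, filtered output.
radiusd_debug_redacted() {
    radiusd -X "$@" 2>&1 | redact_radius_debug
}

# Constructed sample in the layout radiusd -X prints (not a real capture).
tab="$(printf '\t')"
sample_debug_output() {
    printf '%s\n' \
        'rad_recv: Access-Request packet from host 192.0.2.10:1812, id=7, length=80' \
        "${tab}User-Name = \"apu\"" \
        "${tab}User-Password = \"s3cret-pw\"" \
        "${tab}MS-CHAP-Challenge = 0xbb1e683234213423423423" \
        "${tab}MS-CHAP2-Response = 0x82174309827423842879a5c39e672" \
        "${tab}NAS-Port-Type = Virtual"
}

# The sample after filtering, for inspection or testing.
redacted_sample() {
    sample_debug_output | redact_radius_debug
}

case "${1:-}" in
    --demo) redacted_sample ;;
    --run)  shift; radiusd_debug_redacted "$@" ;;
esac
```

Two caveats. The filter only covers attribute lines; a module that echoes a password in its own log message needs its own sed rule, so scan a redacted capture once before trusting it. And sed block-buffers when its output is not a terminal, so when tailing a file use GNU sed's -u option or you will see the debug output arrive in bursts.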


Re: proxy.conf

2006-09-26 Thread Francois-Xavier GAILLARD
On Mon, Sep 25, 2006 at 09:28:52PM +0200, srg krn wrote:
> Hello:
> 
> I have a freeradius proxy working fine with one realm (radgroup)
> defined in proxy.conf.
> If it receives a query for [EMAIL PROTECTED] it "sends" it to another radius
> server, stripping the "@radgroup" from the username, and all is OK.
> 
> Now, I need that if a query for "[EMAIL PROTECTED]" arrives, then
> freeradius will send it to an ldap server.
> 
> Is it possible to configure a realm with "type=ldap" or something like this?

Configure the realm 'ldapgroup' in proxy.conf and set authhost to LOCAL,
then you can grant access to your users via LDAP.


Regards,
Fox.



RE: Source IP address for proxy requests

2006-09-26 Thread Sebastien Cantos
Have you seen my post, or are you just ignoring it? :)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On behalf of Angel L. Mateo
Sent: Tuesday, 26 September 2006 08:34
To: freeradius-users@lists.freeradius.org
Subject: Re: Source IP address for proxy requests

On Mon, 25-09-2006 at 22:54 +0300, Peter Nixon wrote:

> 
> I had this problem previously with FreeRADIUS where radius had to reply from
> the inside interface of a multihomed server else the packets would not match
> the IPSec tunnel ACLs bound to the external interface (A common config) I
> solved it by telling freeradius to only bind to one IP. Does this config no
> longer work??
> 
It continues working, but the problem is with connections originated
from the radius server, not the answer. Specifically, the problem is
with proxy requests sent by the radius server.

-- 
Angel L. Mateo Martínez
Telematics Section
Area of Applied Information and Communication Technologies (ATICA)
http://www.um.es/atica
Tel: 968367590
Fax: 968398337




Re: Apologies for Mr. Peter Nixon and updated sqlippool debug

2006-09-26 Thread Peter Nixon
So what exactly is the problem? You posted me a debug log. I told you what the 
problem was. If you say that it now works then there is no problem.

If you have ANOTHER problem, then post the debug for it.

The first query is not SUPPOSED to work if the pool_key doesn't exist. It 
CLEARS existing IP leases. Do you have any active leases right now? If not 
why would you be trying to clear them?

Peter

On Tue 26 Sep 2006 15:41, Guilherme Franco wrote:
> Hello,
>
> But how can my first query work if the pool-key was not saved anywhere
> in the database?
>
> When I do the same query without the "where pool_key = something", it
> works:
>
> UPDATE radippool   SET nasipaddress = '', pool_key =
> 0,callingstationid = '',   expiry_time = current_timestamp - interval
> '1' second(1);
>
> 4 rows updated.
>
> SQL> select * from radippool;
>
> ID  POOL_NAME  NASIPADDRESS  NAS_PORT  EXPIRY_TIME            USERNAME  FRAMEDIPADDRESS  POOL_KEY  CALLINGSTATIONID
> --  ---------  ------------  --------  ---------------------  --------  ---------------  --------  ----------------
>  1  FOO                                26-SEP-06 09.27.54 AM            192.168.1.1             0
>
>
> Sorry, in the second query I pasted an old query earlier for you. The
> second query works, it is:
>
> SQL> SELECT framedipaddress FROM radippool   WHERE pool_name = 'FOO'
> AND expiry_time < current_timestamp AND ROWNUM = 1   ORDER BY (select
> username from radippool where username <> ''), (select
> callingstationid from radippool where callingstationid <>
> ''),expiry_time   FOR UPDATE;
>
> FRAMEDIPADDRESS
> --
> 192.168.1.1
>
> Thanks.
>
> On 9/26/06, Peter Nixon <[EMAIL PROTECTED]> wrote:
> > On Tue 26 Sep 2006 14:45, Guilherme Franco wrote:
> > > Hi,
> > >
> > > This is what happens:
> > >
> > > SQL> UPDATE radippool   SET nasipaddress = '', pool_key =
> > > 0,callingstationid = '',   expiry_time = current_timestamp - interval
> > > '1' second(1)   WHERE pool_key = '2398432';
> > >
> > > 0 rows updated.
> > >
> > > SQL> SELECT framedipaddress FROM radippool   WHERE pool_name = 'FOO'
> > > AND expiry_time < current_timestamp AND ROWNUM = 1   ORDER BY (select
> > > username from radippool where username <> ''), (select
> > > callingstationid from radippool where callingstationid <>
> > > ''),expiry_time   FOR UPDATE;
> > >
> > > no rows selected
> >
> > So there you go. You found the problem.. Why doesn't it find any rows?
> >
> > --
> >
> > Peter Nixon
> > http://www.peternixon.net/
> > PGP Key: http://www.peternixon.net/public.asc
> >
> >

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



RE: Hiding Passwords in Debug Output

2006-09-26 Thread Garber, Neal
> Insulting me because I disagree with you pretty much guarantees that
> I will never agree with you.

Please accept my apology as it was not my intent to offend or insult
you.



Re: Prefixing Topics with Mailing list name

2006-09-26 Thread Jan Mulders
Because most other lists (for example, Sourceforge) add [prefixes] to emails,
that make it easier - for me at least - to filter emails by list in Gmail and
other mail clients.

I'm currently subscribed to the following lists that use [prefixes]:

[shorewall-users]
[openvpn-users]
[openvpn-devel]
[lartc]
[snort-users]

What's more, these don't seem to be small groups either.

I'd be eager to see the prefixes added, as it'd make my mail archives look a
lot neater and easier to sort through.

I agree about losing half the subject line to said headers, but to be honest
it's not much point knowing more of the subject line if you have no idea what
list it's from!

Regards,
Jan

On 26/09/06, Peter Nixon <[EMAIL PROTECTED]> wrote:
> On Tue 26 Sep 2006 15:01, Graham Beneke wrote:
> > Hi Guys
> >
> > Something that's been bugging me about this list for a while is the fact
> > that the post subjects have no indication which mailing list they are from.
> > All the other mailing lists I'm on prefix subjects with something like
> > "[freeradius]" but since this list (as well as freeradius-devel) don't
> > do this it makes it quite difficult to figure out what is going on in my
> > inbox.
> > Could we get this changed?
> >
> > regards
>
> If you check the headers you will see that all mails have:
>
> List-Post: <mailto:freeradius-users@lists.freeradius.org>
>
> Simply create a filter based on that to put the mail in whatever folder you
> wish. If you want something added to the subject, that is easy enough to do
> locally also. Personally I strip all such things from my mail as it makes the
> mail much less readable. Why would you want to lose half of the width of your
> subject to useless data?
>
> Cheers
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc


Re: Source IP address for proxy requests

2006-09-26 Thread Phil Mayers

Nicolas Baradakis wrote:

> Yes you are correct. Obviously I didn't read the thread in enough
> depth. It does bring up the issue that we maybe should have an optional
> proxy_source_ip config option..

All IP protocol servers should offer each type of socket a configurable 
bind address (or list of such). That is quite aside from the specifics 
of this issue - that is, it solves other, much much harder to solve 
problems than just this issue, and is required for absolutely 
deterministic behaviour.

> I don't think it's a good idea, because all the realm servers may not be
> on the same network. IMHO FreeRADIUS doesn't have to cope with the network
> configuration of the host: it only has to set the destination IP, and the
> rest is handled by the kernel.

This is not a convincing argument to my ear.

There are legitimate reasons to want to bind to a *specific* IP for 
sockets sinking and sourcing datagrams (and in fact for stream 
protocols, though these tend to be less of an issue). Bind, a venerable 
(if crufty) and EXTREMELY widely deployed datagram protocol 
client/server, has found this out repeatedly (see transfer-source, 
query-source, notify-source - those options weren't added for giggles).

I'm currently running into a problem with ISC dhcpd related to its 
failure to offer IP-specific bind options and offering service to 
overlapping address space on a single server, which is impossible for 
the want of this micro-option.


Re: Prefixing Topics with Mailing list name

2006-09-26 Thread Peter Nixon
On Tue 26 Sep 2006 21:34, Jan Mulders wrote:
> Because most other lists (for example, Sourceforge) add [prefixes] to
> emails, that make it easier - for me at least - to filter emails by list in
> Gmail and other mail clients.

Well, I don't know about gmail, but every decent mail client that I can think 
of can rewrite headers one way or another. So can procmail.

> I'm currently subscribed to the following lists that use [prefixes]:
>
> [shorewall-users]
> [openvpn-users]
> [openvpn-devel]
> [lartc]
> [snort-users]
>
> What's more, these don't seem to be small groups either.
>
> I'd be eager to see the prefixes added, as it'd make my mail archives look
> a lot neater and easier to sort through.
>
> I agree about losing half the subject line to said headers, but to be
> honest it's not much point knowing more of the subject line if you have no
> idea what list it's from!

As I said, it's easy for you to add this yourself. You should also read:

http://www.andrew.cmu.edu/user/qralston/writing/tagging-harmful/



-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Source IP address for proxy requests

2006-09-26 Thread Alan DeKok
Phil Mayers <[EMAIL PROTECTED]> wrote:
> All IP protocol servers should offer each type of socket a configurable 
> bind address (or list of such). That is quite aside from the specifics 
> of this issue - that is, it solves other, much much harder to solve 
> problems than just this issue, and is required for absolutely 
> deterministic behaviour.

  Yes.  For 2.0, I would like to have a configurable "proxy" section.
The difficulty is that it should really be configurable
per-home-server.  That's a fair amount of work.

> There are legitimate reasons to want to bind to a *specific* IP for 
> sockets sinking and sourcing datagrams (and in fact for stream 
> protocols, though these tend to be less of an issue). Bind, a venerable 
> (if crufty) and EXTREMELY widely deployed datagram protocol 
> client/server, has found this out repeatedly (see transfer-source, 
> query-source, notify-source - those options weren't added for giggles).

  Yes, I've worked with Bind, and done exactly that.  The difference
with RADIUS is that there have been relatively few complaints about
the current behavior, which means it's a low priority to change it.

  And changing it means most likely that people will configure
proxying on IP X to home server at IP Y... which is not routable from
X.  The kernel UDP socket code will ensure that no error is returned
to the server, meaning that it's impossible to figure out what's going
wrong.

  I really would prefer to have the proxy sockets bind to "*", and to
have the kernel do the right thing for sending packets.  I'd like to
see compelling reasons why this behavior needs to be changed before
updating the code.  (See the comment above about there being few
complaints...)

> I'm currently running into a problem with ISC dhcpd related to its 
> failure to offer IP-specific bind options and offering service to 
> overlapping address space on a single server, which is impossible for 
> the want of this micro-option.

  That's come up on the ISC list.  The answer is to create multiple
interfaces, set up routing, and to have multiple servers listening,
each on one interface.

  There has to be a better way...

  But for dhcpd, the issue isn't the packets it's originating, but
which IP's it's listening on.  FreeRADIUS already supports listening
on multiple IP's, so it's already a step ahead of DHCPD.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Prefixing Topics with Mailing list name

2006-09-26 Thread Dennis Skinner
Jan Mulders wrote:
> Because most other lists (for example, Sourceforge) add [prefixes] to
> emails, that make it easier - for me at least - to filter emails by list
> in Gmail and other mail clients.

Create a label in Gmail and then apply it based on the sender, reply-to,
or to...whichever is the list email address.  I do this all the time in
Gmail.  It works better than filtering by subject when ppl forward from
one list that has subject tags to another.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


mod_auth_radius-2.0

2006-09-26 Thread William
Greetings,
  I am having some problems with mod_auth_radius-2.0 on apache 2.0.54.  The 
error I am receiving is:  

Cannot load /usr/local/apache/modules/mod_auth_radius-2.0.so into 
server: /usr/local/apache/modules/mod_auth_radius-2.0.so: undefined symbol: 
ap_snprintf

I am running on suse 10.1-x86_64 and apache is compiled from source. Any 
suggestions? Help?



-- 
William
Server Administrator
NetOne Communications, Inc.
231-734-2917



Re: Prefixing Topics with Mailing list name

2006-09-26 Thread A . L . M . Buxey
Hi,

> Because most other lists (for example, Sourceforge) add [prefixes] to
> emails, that make it easier - for me at least - to filter emails by list in
> Gmail and other mail clients.
> 
> I'm currently subscribed to the following lists that use [prefixes]:
> 
> [shorewall-users]
> [openvpn-users]
> [openvpn-devel]
> [lartc]
> [snort-users]

I filter groups based on, e.g., the To: or List-Id: header. This is very easy to 
do and saves a nice amount of subject line so I can read more subject
and less mailing list identity.  I used to prefer the list name in
the subject...but since then I've swung over to preferring using MY filtering
rather than relying on subject lines.

> I agree about losing half the subject line to said headers, but to be honest
> it's not much point knowing more of the subject line if you have no idea
> what list it's from!

I'd disagree. I often slip into reading some random but interesting email due
to the subject line - of lists that I don't filter and would normally mass
delete at the end of the month due to no reading time. 

alan


Re: mod_auth_radius-2.0

2006-09-26 Thread James Wakefield

William wrote:

> Greetings,
>   I am having some problems with mod_auth_radius-2.0 on apache 2.0.54.  The 
> error I am receiving is:  
>
> Cannot load /usr/local/apache/modules/mod_auth_radius-2.0.so into 
> server: /usr/local/apache/modules/mod_auth_radius-2.0.so: undefined symbol: 
> ap_snprintf
>
> I am running on suse 10.1-x86_64 and apache is compiled from source. Any 
> suggestions? Help?


G'day William,

What do you get when you run ldd 
/usr/local/apache/modules/mod_auth_radius-2.0.so ?


Cheers,
--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


RADIUS + MySQL + decisionmaking?

2006-09-26 Thread Jan Mulders

Hello,

I am trying to set up some decision-making logic into FreeRADIUS, to
assign users a different speed of service depending on how much
bandwidth they've used since their billing started.

I want to issue 512k speed to users in group A, who have used less
than 20GB of bandwidth (monthlybytecounter is working fine at the
moment and totals this up nicely). However, if they've used more than
20GB, I want to issue 256k speed to users.

For group B, I want users to get 10Mbps as long as they've used less
than 50GB of bandwidth, and 1Mbps if they're over.

I want to assign the values for speed to some vendor-specific
variable, let's say Max-User-Speed.

I am using MySQL for this. Here is a snippet from my database:

radcheck table:

username, attribute, op, value
testuser1, Password, ==, testing

usergroup table:

username, groupname
testuser1, groupa


Here is a snippet from my radiusd.conf file:

instantiate {
   monthlybytecounter
}

authorize {
   preprocess
   sql
}

authenticate {
   pap
}

preacct {
   preprocess
}

accounting {
   #acct_unique
   #detail
   sql
   radutmp # ?
}


session {
   radutmp # ?
   sql

}

My question is... how do I implement this? Can anyone write down a few
examples of how I'd go about making these rules?

Would I perhaps be better off making a cronjob or something that
changes the user's group to one of the following? groupA_belowcap,
groupA_overcap, groupB_belowcap, groupB_overcap?

Regards,

Jan Mulders
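One way to implement the cron-job variant the post considers, as an added example that is neither the poster's nor the FreeRADIUS project's own code. It assumes the standard FreeRADIUS MySQL schema (radacct with acctinputoctets, acctoutputoctets and acctstarttime; radgroupreply with groupname, attribute, op, value) alongside the usergroup table shown in the post, that the billing month is the calendar month, and that Max-User-Speed is a vendor-specific attribute already defined in the dictionary.

```sql
-- Added example (not from the poster or FreeRADIUS): a periodic job that moves
-- each user into a below-cap or over-cap group from this month's accounting.
-- Assumed: standard radacct/radgroupreply/usergroup tables, calendar-month
-- billing, Max-User-Speed already in the dictionary (values are in kbit/s).

-- 1. One reply attribute per tier; the group names follow the post's own idea.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('groupa_belowcap', 'Max-User-Speed', ':=', '512'),
  ('groupa_overcap',  'Max-User-Speed', ':=', '256'),
  ('groupb_belowcap', 'Max-User-Speed', ':=', '10240'),
  ('groupb_overcap',  'Max-User-Speed', ':=', '1024');

-- 2. Re-tier every user. Usage is summed from sessions started this month
--    (interim accounting updates keep open sessions' octet counts current).
--    Plain 'groupa'/'groupb' rows, as in the post's usergroup data, are
--    tiered on the first run; users already tiered are moved in either
--    direction, so a new month restores the higher tier automatically.
UPDATE usergroup ug
LEFT JOIN (
  SELECT username,
         SUM(acctinputoctets + acctoutputoctets) AS bytes_used
  FROM   radacct
  WHERE  acctstarttime >= DATE_FORMAT(CURDATE(), '%Y-%m-01')
  GROUP  BY username
) mu ON mu.username = ug.username
SET ug.groupname = CASE
  WHEN ug.groupname IN ('groupa', 'groupa_belowcap', 'groupa_overcap') THEN
    IF(COALESCE(mu.bytes_used, 0) > 20 * 1024 * 1024 * 1024,
       'groupa_overcap', 'groupa_belowcap')
  WHEN ug.groupname IN ('groupb', 'groupb_belowcap', 'groupb_overcap') THEN
    IF(COALESCE(mu.bytes_used, 0) > 50 * 1024 * 1024 * 1024,
       'groupb_overcap', 'groupb_belowcap')
  ELSE ug.groupname   -- leave any other group untouched
END;

-- 3. Quick check of who is currently capped.
SELECT username, groupname FROM usergroup WHERE groupname LIKE '%_overcap';
```

Because a user only changes speed when the job next runs, the cron interval sets how far past the cap a user can get before being throttled.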


RE: Source IP address for proxy requests

2006-09-26 Thread Angel L. Mateo
El mar, 26-09-2006 a las 10:00 +0200, Sebastien Cantos escribió:
> Have you seen my post or are you just ignoring it ? :)
> 
I've seen your post. I already know I could reconfigure routes.

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337

