Re: NAS list update without restarting radius server.

2008-01-22 Thread liran tal
Maybe freeradius can read the nas list from sql at startup to some
linked list and this list will be updated every given interval with a query
to the database.

Sounds reasonable.


Regards,
Liran Tal.

On Jan 23, 2008 12:51 AM, Marinko Tarlac <[EMAIL PROTECTED]> wrote:

> Cron can help but how will you know that NAS is added and you can lose
> some updates while your radius server was down.
>
> Better idea is to make script and call it after every insert
>
> PHP can do this...
>
> Pawel Cieplinski wrote:
> > Hi
> >
> > Ok walter that is clear to me.
> >
> > How would you solve that problem? Let's say I need NAS working just after
> > it's added to SQL.
> >
> > Restarting freeradius daemon using cron ?
> >
> > Or
> >
> > Use script which add NAS to SQL and restarting freeradius ?
> >
> > Regards
> > Pawel Cieplinski
> >
> > -Original Message-
> > From: freeradius-users-bounces+pawel=[EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Walter Krivanek, VividVisions
> > Sent: 22 January 2008 18:46
> > To: FreeRadius users mailing list
> > Subject: Re: NAS list update without restarting radius server.
> >
> > Hi,
> >
> > in sql.conf it says:
> >
> > Set readclients to 'yes' to read radius clients from the database
> > ('nas' table)
> > Clients will ONLY be read on server startup.  For performance
> > and security reasons, finding clients via SQL queries CANNOT
> > be done "live" while the server is running.
> >
> > Best,
> > Walter
> >
> >
> > On 22.01.2008 at 19:30, Pawel Cieplinski wrote:
> >
> >
> >> Hi there
> >>
> >>
> >>
> >> Everything works fine so far, but after adding a new NAS to DB,
> >> radius server needs a restart to read this data, I am trying to
> >> manipulate nas list without restarting freeradius, but due to lack
> >> of documentation could you help me with that please.
> >>
> >>
> >>
> >> Pawel Cieplinski
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >>
> > http://www.freeradius.org/list/users.html
> >
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Debugging rlm_eap_sim module

2008-01-22 Thread Nilanjan Sarkar
Hi All,

I want to debug the shared library "rlm_eap_sim.so", when running with
"radiusd" [FreeRadius Server]. We are using gdb in Linux (2.6.9-5.ELsmp)
platform.

I have followed the following steps:

1) $ gdb radiusd
2) (gdb)  file ../lib/rlm_eap_sim.so
[Since rlm_eap_sim.so symbols are not loaded still by radiusd, so gdb can
not find symbol]
3) (gdb) b rlm_eap_sim.c:371
Breakpoint 1 at 0x1159: file rlm_eap_sim.c, line 371.
4) (gdb) run -X
Starting program:
/home/nilanjan/imp_soft/freeradius-1.1.7/install2/lib/rlm_eap_sim.so -X
Breakpoint 1 at 0xf54159: file rlm_eap_sim.c, line 371.
warning: shared library handler failed to enable breakpoint

Program received signal SIGSEGV, Segmentation fault.
0x0002 in ?? ()

===

In this case, radiusd server exited abnormally. But if we run "$ radiusd
-X", it runs fine, and can do EAP-SIM authentication successfully.

If anyone has any solution, about how to debug dynamically loaded module in
"gdb" please let me know.

Thanks in advance.

Best Regards,
Nilanjan



Re: NAS list update without restarting radius server.

2008-01-22 Thread Alan DeKok
Pawel Cieplinski wrote:
> Everything works fine so far, but after adding a new NAS to DB, radius
> server needs a restart to read this data, I am trying to manipulate nas
> list without restarting freeradius, but due to lack of documentation
> could you help me with that please.

  As always, patches are welcome.

  Alan DeKok.


Re: Blank spaces after username - problem with accounting -MySqldatabase.

2008-01-22 Thread Alan DeKok
Marinko Tarlac wrote:
>>   a) the user has typed the user name with spaces
>>   
> Yes. User has typed user name with space but why radius didn't ignore them?

  Why would it?  Spaces are perfectly valid in a user name.

> I repeat, user names and all other records in database are without
> space. User has entered space and he can connect but he can't see his
> accounting information because they are connected with the same user
> but with space at the end.

  You keep repeating that.  Yes, I understand.  Yes, I have read your
messages.  I think it's clear you either haven't read my responses, or
that you haven't understood them.

  If "user with spaces" is given access, then it is very likely YOU that
configured the server to do that.  The default configuration does not
have this issue.  YOU BROKE THE SERVER.  Now go fix it.

  Stop complaining about the problem.  Stop repeating that "the users in
the database don't have spaces".  Stop trying to fix the accounting
records.  Stop blaming the server.

> Seems like I'm subscribed to strange problems ... :)

  A large part of that is you're so stuck on talking about the problem
that you don't want to understand the cause, and you don't want to
implement the solution I posted in another message.

  Alan DeKok.


Re: unlang question

2008-01-22 Thread Alan DeKok
Andy Billington wrote:
> hi all,
> am looking at whether to migrate to 2.0 to create a couple of
> possibilities and was wondering if I can:
> 1. create a main virtual server
> 2. use unlang to parse the incoming requests and then based on whether
> they match a regex, proxy them to different virtual servers or to an
> external 3rd party RADIUS?

  Yes.  That's one of my test cases.

  The only issue is that you *will* have to proxy them.  i.e. set up a
client of 127.0.0.1, set up different "listen" sections for each virtual
server, and set up those listen sections as "home servers".  The code
does not currently have a way to re-direct requests to a virtual server.

  Alan DeKok.



Re: NAS list update without restarting radius server.

2008-01-22 Thread Walter Krivanek, VividVisions

Hi,

in sql.conf it says:

Set readclients to 'yes' to read radius clients from the database  
('nas' table)

Clients will ONLY be read on server startup.  For performance
and security reasons, finding clients via SQL queries CANNOT
be done "live" while the server is running.

Best,
Walter


On 22.01.2008 at 19:30, Pawel Cieplinski wrote:


Hi there



Everything works fine so far, but after adding a new NAS to DB,
radius server needs a restart to read this data, I am trying to
manipulate nas list without restarting freeradius, but due to lack
of documentation could you help me with that please.




Pawel Cieplinski



Re: NAS list update without restarting radius server.

2008-01-22 Thread Marinko Tarlac
Cron can help but how will you know that NAS is added and you can lose
some updates while your radius server was down.


Better idea is to make script and call it after every insert

PHP can do this...

Pawel Cieplinski wrote:

Hi

Ok walter that is clear to me. 


How would you solve that problem? Let's say I need NAS working just after it's
added to SQL.

Restarting freeradius daemon using cron ?

Or

Use script which add NAS to SQL and restarting freeradius ?

Regards
Pawel Cieplinski

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Walter Krivanek, VividVisions
Sent: 22 January 2008 18:46
To: FreeRadius users mailing list
Subject: Re: NAS list update without restarting radius server.

Hi,

in sql.conf it says:

Set readclients to 'yes' to read radius clients from the database  
('nas' table)

Clients will ONLY be read on server startup.  For performance
and security reasons, finding clients via SQL queries CANNOT
be done "live" while the server is running.

Best,
Walter


On 22.01.2008 at 19:30, Pawel Cieplinski wrote:

  

Hi there



Everything works fine so far, but after adding a new NAS to DB,
radius server needs a restart to read this data, I am trying to
manipulate nas list without restarting freeradius, but due to lack
of documentation could you help me with that please.




Pawel Cieplinski



RE: NAS list update without restarting radius server.

2008-01-22 Thread Pawel Cieplinski
Hi

Ok walter that is clear to me. 

How would you solve that problem? Let's say I need NAS working just after it's
added to SQL.

Restarting freeradius daemon using cron ?

Or

Use script which add NAS to SQL and restarting freeradius ?

Regards
Pawel Cieplinski

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Walter Krivanek, VividVisions
Sent: 22 January 2008 18:46
To: FreeRadius users mailing list
Subject: Re: NAS list update without restarting radius server.

Hi,

in sql.conf it says:

Set readclients to 'yes' to read radius clients from the database  
('nas' table)
Clients will ONLY be read on server startup.  For performance
and security reasons, finding clients via SQL queries CANNOT
be done "live" while the server is running.

Best,
Walter


On 22.01.2008 at 19:30, Pawel Cieplinski wrote:

> Hi there
>
>
>
> Everything works fine so far, but after adding a new NAS to DB,
> radius server needs a restart to read this data, I am trying to
> manipulate nas list without restarting freeradius, but due to lack
> of documentation could you help me with that please.
>
>
>
> Pawel Cieplinski
>


Re: Blank spaces after username - problem with accounting -MySqldatabase.

2008-01-22 Thread Kevin Bonner
On Tuesday 22 January 2008 13:20:27 Marinko Tarlac wrote:
> Alan DeKok wrote:
> >   a) the user has typed the user name with spaces
>
> Yes. User has typed user name with space but why radius didn't ignore them?

FreeRADIUS doesn't mangle usernames by default.

> I repeat, user names and all other records in database are without
> space. User has entered space and he can connect but he can't see his
> accounting information because they are connected with the same user
> but with space at the end.

If the user can connect with an invalid username, the problem is a 
configuration issue.  Reject usernames with a space (see email from Alan) in 
the username or strip the spaces from the request.

-Kevin
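
Added example, not part of the original post and not FreeRADIUS code: a Python sketch of the symptom and of the reject-or-strip policy suggested above. MySQL's `=` on non-binary strings ignores trailing spaces while `LIKE` does not; SQLite's `COLLATE RTRIM` stands in for that here, and the table layout, function names and sample rows are constructed for illustration.

```python
import sqlite3


def build_db():
    """In-memory stand-in for the radcheck/radacct tables (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        -- COLLATE RTRIM: '=' ignores trailing spaces, like MySQL's '=' on
        -- non-binary strings. LIKE keeps them significant in both engines.
        CREATE TABLE radcheck (UserName TEXT COLLATE RTRIM,
                               Attribute TEXT, Value TEXT);
        CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY,
                              UserName TEXT, acctsessiontime INTEGER);
        INSERT INTO radcheck VALUES ('test.user', 'Simultaneous-Use', '1');
        INSERT INTO radacct (UserName, acctsessiontime) VALUES
            ('test.user', 120), ('test.user ', 35), ('test.user  ', 60);
    """)
    return db


def lookup_equals(db, user_name):
    """Check-item lookup with '=', the operator the authorization query uses."""
    return db.execute(
        "SELECT Attribute, Value FROM radcheck WHERE UserName = ?",
        (user_name,),
    ).fetchall()


def lookup_like(db, user_name):
    """The same lookup with LIKE, as in a manual test from the SQL prompt."""
    return db.execute(
        "SELECT Attribute, Value FROM radcheck WHERE UserName LIKE ?",
        (user_name,),
    ).fetchall()


def normalize_user_name(raw, strip=False):
    """Apply one policy before the lookup and before accounting is written.

    strip=False rejects a padded name, strip=True removes the padding.
    Interior spaces are left alone; only leading/trailing whitespace counts.
    """
    cleaned = raw.strip()
    if not cleaned:
        raise ValueError("empty user name")
    if cleaned != raw and not strip:
        raise ValueError("user name has leading or trailing whitespace: %r" % raw)
    return cleaned


def padded_accounting_rows(db):
    """Accounting rows already stored under a padded name, with the real name."""
    return db.execute(
        "SELECT radacctid, UserName, trim(UserName) FROM radacct "
        "WHERE UserName != trim(UserName) ORDER BY radacctid"
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    typed = "test.user "  # what the user entered, with one trailing space
    print("'=' lookup  :", lookup_equals(db, typed))   # finds the account
    print("LIKE lookup :", lookup_like(db, typed))     # finds nothing
    print("strip policy:", repr(normalize_user_name(typed, strip=True)))
    for row in padded_accounting_rows(db):
        print("padded accounting row:", row)
```

The audit query is the part to run against a real `radacct` table: every row it returns is usage recorded under a name that the per-user reports will not find.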



RE: FreeRadius V2.0.0 Simultaneous-Use Problems

2008-01-22 Thread tnt
>From what I can see start, interim and stop
>records are being recorded just fine. The issue is that the sql queries
>are matching old accounting records. Any idea on how I can fix this
>issue? If there is something I'm not understanding, please let me know.
>
>At this point I think my next step might be to update to the new version
>of freeradius, with the full 2.0 schema. Any other suggestions?
>
>Thanks very much for the reply,
>
>Dryw Paulic
>

Not really. You have 3 start records for that session recorded with
different session start times. But there is no delay (acctstartdelay)
in them. Do a debug of accounting after login and see what's going on:
is your database too slow, so new packets arrive before "old" ones are
inserted into the database and is there Acct-Delay-Time in second and
third packet. You should be able to correct both things on the NAS side
of things by adjusting the time it waits for accounting response packets.

Ivan Kalik
Kalik Informatika ISP



Imagestream

2008-01-22 Thread Matthew Neumark
Any imagestream users know how to setup the router to get speed limiting 
queues from freeradius?


Matt

Re: rlm_opendirectory (FR 2.0.0)

2008-01-22 Thread Info

Thanks, Steven ... I'll give that a try!

___
James H. Graham II, Creative Director • Spark Media Group
6511 Allegheny Avenue • Takoma Park, MD 20912-4737
Tel: 301.270.4810 • Fax: 301.270.4812 • www.sparkmediagroup.com

On Jan 22, 2008, at 1:18 PM, Steven Simon wrote:

I build it by adding rlm_opendirectory to the ./src/modules/stable file.
Then, run:
make distclean
./configure 
etc…

Everything you need should be on the desktop OS. Let me know if that  
is not the case.


If you are on desktop, you'll probably want to set up a service  
access list.
The magic group name that gets set up by the admin tools is:  
com.apple.access_radius.


- Steven


On Jan 22, 2008, at 7:54 AM, freeradius-users- 
[EMAIL PROTECTED] wrote:



From: Info <[EMAIL PROTECTED]>
Date: January 22, 2008 7:50:57 AM PST
To: FreeRadius users mailing list [EMAIL PROTECTED]>

Subject: rlm_opendirectory (FR 2.0.0)
Reply-To: FreeRadius users mailing list [EMAIL PROTECTED]>



Hello all,

Quick Qs about the experimental rlm_opendirectory module:

* Has anyone built in this module successfully?

* Is it possible to add this in without the other experimental  
modules and, if so, what is the proper flag? (Note, I've tried on  
separate runs --with-rlm_opendirectory, --enable-rlm_opendirectory,  
and --with-modules="rlm_opendirectory" seemingly to no avail.)


* Does the module need to be built against a server version of the  
Framework or should I be able to build this from the libraries on  
any os x workstation?


Cheers,

Jim



NAS list update without restarting radius server.

2008-01-22 Thread Pawel Cieplinski
Hi there

 

Everything works fine so far, but after adding a new NAS to DB, radius
server needs a restart to read this data, I am trying to manipulate nas list
without restarting freeradius, but due to lack of documentation could you
help me with that please.

 

Pawel Cieplinski


Re: Blank spaces after username - problem with accounting -MySqldatabase.

2008-01-22 Thread Marinko Tarlac

Alan DeKok wrote:



  a) the user has typed the user name with spaces
  

Yes. User has typed user name with space but why radius didn't ignore them?

I repeat, user names and all other records in database are without
space. User has entered space and he can connect but he can't see his
accounting information because they are connected with the same user
but with space at the end.


This problem has been noticed on our old server. I made myself a
completely new php script for database manipulation and we use it on our
new server. It works perfectly and without any problems. (FR1.1.7)
Old server will be replaced with the new one but you must confess that
"space problem" is very interesting ..  :)


Seems like I'm subscribed to strange problems ... :)





Re: rlm_opendirectory (FR 2.0.0)

2008-01-22 Thread Steven Simon

I build it by adding rlm_opendirectory to the ./src/modules/stable file.
Then, run:
make distclean
./configure 
etc…

Everything you need should be on the desktop OS. Let me know if that  
is not the case.


If you are on desktop, you'll probably want to set up a service access  
list.
The magic group name that gets set up by the admin tools is:  
com.apple.access_radius.


- Steven


On Jan 22, 2008, at 7:54 AM, [EMAIL PROTECTED] 
 wrote:



From: Info <[EMAIL PROTECTED]>
Date: January 22, 2008 7:50:57 AM PST
To: FreeRadius users mailing list >

Subject: rlm_opendirectory (FR 2.0.0)
Reply-To: FreeRadius users mailing list >



Hello all,

Quick Qs about the experimental rlm_opendirectory module:

* Has anyone built in this module successfully?

* Is it possible to add this in without the other experimental  
modules and, if so, what is the proper flag? (Note, I've tried on  
separate runs --with-rlm_opendirectory, --enable-rlm_opendirectory,  
and --with-modules="rlm_opendirectory" seemingly to no avail.)


* Does the module need to be built against a server version of the  
Framework or should I be able to build this from the libraries on  
any os x workstation?


Cheers,

Jim



Re: Version 2.0.1 has been released.

2008-01-22 Thread orion
compliments alan and guys .
keep it up.

On 22/01/2008, Alan T DeKok <[EMAIL PROTECTED]> wrote:
>
>   Version 2.0.0 was released less than two weeks ago, and has proven to
> be very stable and bug-free.  A few issues have recently been found and
> fixed, and "unlang" has had some minor changes which result in much
> simpler policies.
>
>   As a result, we are releasing 2.0.1 today.  See http://freeradius.org
> for the announcement and download links.
>
>
> Feature improvements
> * "unlang" has been expanded to do less run-time expansion,
>   and to have better handling of typed data.  See "man unlang"
>   for documentation and new examples.
>
> Bug fixes
> * The 'acct_unique' module has been updated to understand
>   the deprecated (but still used) Client-IP-Address attribute.
> * The EAP-MSCHAPv2 module no longer leaks MS-CHAP2-Success in
>   packets.
> * Fixed crash in rlm_dbm.
> * Fixed parsing of syslog configuration.
>
>
>   The changes in "unlang" simplify references to attributes, and add
> type-specific checking:
>
>   if (Framed-IP-Address) {  # was "%{Framed-Ip-Address}" in 2.0.0
> ...
>
>   # not possible in 2.0.0
>   if ((Framed-IP-Address > 192.168.0.1) && (Framed-IP-Address < 192.168.0.4)) {
> ...
>
>   # refer to VALUEs by name:
>   if (Service-Type == Login-User) {
> ...
>
>   Alan DeKok.

unlang question

2008-01-22 Thread Andy Billington
hi all,
am looking at whether to migrate to 2.0 to create a couple of possibilities
and was wondering if I can:
1. create a main virtual server
2. use unlang to parse the incoming requests and then based on whether they
match a regex, proxy them to different virtual servers or to an external 3rd
party RADIUS?

I'm sure I've missed something in the docs so pls any pointers very
gratefully received !

Andy

RE: FreeRadius V2.0.0 Simultaneous-Use Problems

2008-01-22 Thread Dryw Paulic
Hi Kevin,

To answer your questions:

Auth-Type: Ok. 
Mysql Version: 5.0.22
Freeradius_Schema: V1.5 (It is what came with FreeRADIUS Version
2.0.0-pre2)
Original Query: select * from radacct where username ='absolute' \G;

*** 2. row ***
   radacctid: 81
   acctsessionid: 00:0E:0C:2D:18:56:12009942091051
acctuniqueid: 5e5fbec08c10c41f
username: absolute
   groupname:
   realm:
nasipaddress: ###.###.###.###
   nasportid:
 nasporttype: Wireless-802.11
   acctstarttime: 2008-01-22 08:50:32
acctstoptime: -00-00 00:00:00
 acctsessiontime: 0
   acctauthentic: Local
   connectinfo_start:
connectinfo_stop:
 acctinputoctets: 0
acctoutputoctets: 0
 calledstationid: 00:0E:0C:2D:18:56
callingstationid: 00:1e:4c:13:c1:37
  acctterminatecause:
 servicetype:
  framedprotocol:
 framedipaddress: 10.51.1.63
  acctstartdelay: 0
   acctstopdelay: 0
xascendsessionsvrkey:
*** 3. row ***
   radacctid: 85
   acctsessionid: 00:0E:0C:2D:18:56:12009942091051
acctuniqueid: 5e5fbec08c10c41f
username: absolute
   groupname:
   realm:
nasipaddress: ###.###.###.###
   nasportid:
 nasporttype: Wireless-802.11
   acctstarttime: 2008-01-22 08:50:31
acctstoptime: 2008-01-22 08:51:06
 acctsessiontime: 35
   acctauthentic: RADIUS
   connectinfo_start:
connectinfo_stop:
 acctinputoctets: 273675
acctoutputoctets: 128263
 calledstationid: 00:0E:0C:2D:18:56
callingstationid: 00:1e:4c:13:c1:37
  acctterminatecause: Admin-Reset
 servicetype:
  framedprotocol:
 framedipaddress: 10.51.1.63
  acctstartdelay: 0
   acctstopdelay: 0
xascendsessionsvrkey: NULL
3 row in set (0.00 sec)

Full Where Clause: select * from radacct where username ='absolute' AND
acctstoptime=0 \G;
*** 1. row ***
   radacctid: 81
   acctsessionid: 00:0E:0C:2D:18:56:12009942091051
acctuniqueid: 5e5fbec08c10c41f
username: absolute
   groupname:
   realm:
nasipaddress: ###.###.###.###
   nasportid:
 nasporttype: Wireless-802.11
   acctstarttime: 2008-01-22 08:50:32
acctstoptime: -00-00 00:00:00
 acctsessiontime: 0
   acctauthentic: Local
   connectinfo_start:
connectinfo_stop:
 acctinputoctets: 0
acctoutputoctets: 0
 calledstationid: 00:0E:0C:2D:18:56
callingstationid: 00:1e:4c:13:c1:37
  acctterminatecause:
 servicetype:
  framedprotocol:
 framedipaddress: 10.51.1.63
  acctstartdelay: 0
   acctstopdelay: 0
xascendsessionsvrkey:
1 row in set (0.00 sec)

mysql> select count(*) from radacct where username ='absolute' AND
acctstoptime=0;
+--+
| count(*) |
+--+
|1 |
+--+


If I look at my /var/log/radius I can see:

Tue Jan 22 08:51:06 2008
User-Name = "absolute"
Acct-Status-Type = Stop
Acct-Session-Id = "00:0E:0C:2D:18:56:120099420910511"
Acct-Authentic = RADIUS
Acct-Session-Time = 35
NAS-Identifier = "###"
NAS-IP-Address = ###.###.###.###
Acct-Input-Octets = 273675
Acct-Output-Octets = 128263
Acct-Input-Packets = 961
Acct-Output-Packets = 1002
Calling-Station-Id = "00:1e:4c:13:c1:37"
Called-Station-Id = "00:0E:0C:2D:18:56"
Framed-IP-Address = ###.###.###.###
NAS-Port-Type = Wireless-802.11
Class = 0x20
Acct-Terminate-Cause = Admin-Reset
Acct-Unique-Session-Id = "5e5fbec08c10c41f"
Timestamp = 1201020666
Request-Authenticator = Verified

So, the session has been terminated as you can see by the last record in
the first query, but the query with the full where clause picks up on
the old accounting record. Using acctstoptime IS NULL has the same
result. 'datefield = 0' seems to match on datetime fields on my version
of Mysql. (In schema 1.5 acctstoptime datetime NOT NULL default
'-00-00 00:00:00'). From what I can see start, interim and stop
records are being recorded just fine. The issue is that the sql queries
are matching old accounting records. Any idea on how I can fix this
issue? If there is something I'm not understanding, please let me know.

At this point I think my next step might be to update to the new version
of freeradius, with the full 2.0 schema. Any other suggestions?

Thanks very much for the reply,

Dryw Paulic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bonner
Sent: Monday, January 21, 2008 4:10 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius V2.0.0 Simultaneous-Use Problems

On Monday 21 January 2008 14:19:06 Dryw Paulic wrote:
> mysql> select 

Re: Problem with Vista EAP-PEAP Authentication

2008-01-22 Thread debug afone
Hi, 

Yes, Freeradius has been compiled with freeradius.org sources.

You'll find below the end of Freeradius debug output : 

Tue Jan 22 17:18:48 2008 : Debug: Thread 4 handling request 3, (1 handled so
far)
User-Name = "nsouleman"
NAS-IP-Address = 10.40.0.114
Connect-Info = "CONNECT 802.11"
Called-Station-Id = "000fb5905b7e"
Calling-Station-Id = "0019d2ae409a"
NAS-Identifier = "ap"
NAS-Port-Type = Wireless-802.11
NAS-Port = 32
NAS-Port-Id = "32"
Framed-MTU = 1400
State = 0x4d65e25317851beaa7122ab0f6d7758f
EAP-Message = 0x020400061900
Message-Authenticator = 0x5fe3280798b9c0bf7eb60427ac59acac
Tue Jan 22 17:18:48 2008 : Debug:   Processing the authorize section of
radiusd.conf
Tue Jan 22 17:18:48 2008 : Debug: modcall: entering group authorize for
request 3
Tue Jan 22 17:18:48 2008 : Debug:   modsingle[authorize]: calling preprocess
(rlm_preprocess) for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modcall[authorize]: module "preprocess"
returns ok for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modsingle[authorize]: calling auth_log
(rlm_detail) for request 3
Tue Jan 22 17:18:48 2008 : Debug: radius_xlat:
'/usr/local/freeradius-1.1.6/var/log/radius/radacct/10.40.0.114/auth-detail-
20080122'
Tue Jan 22 17:18:48 2008 : Debug: rlm_detail:
/usr/local/freeradius-1.1.6/var/log/radius/radacct/%{Client-IP-Address}/auth
-detail-%Y%m%d expands to
/usr/locaar/log/radius/radacct/10.40.0.114/auth-detail-20080122
Tue Jan 22 17:18:48 2008 : Debug:   modsingle[authorize]: returned from
auth_log (rlm_detail) for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modcall[authorize]: module "auth_log"
returns ok for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modsingle[authorize]: returned from chap
(rlm_chap) for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modcall[authorize]: module "chap"
returns noop for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modcall[authorize]: module "mschap"
returns noop for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 3
Tue Jan 22 17:18:48 2008 : Debug:   rlm_eap: EAP packet type response id 4
length 6
Tue Jan 22 17:18:48 2008 : Debug:   rlm_eap: No EAP Start, assuming it's an
on-going EAP conversation
Tue Jan 22 17:18:48 2008 : Debug:   modsingle[authorize]: returned from eap
(rlm_eap) for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modcall[authorize]: module "eap" returns
updated for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modsingle[authorize]: calling ldap
(rlm_ldap) for request 3
Tue Jan 22 17:18:48 2008 : Debug: rlm_ldap: - authorize
Tue Jan 22 17:18:48 2008 : Debug: rlm_ldap: performing user authorization
for nsouleman
Tue Jan 22 17:18:48 2008 : Debug: radius_xlat:
'(&(objectclass=posixAccount)(uid=nsouleman))'
Tue Jan 22 17:18:48 2008 : Debug: radius_xlat:
'ou=Users,dc=angers,dc=afone,dc=fr'
Tue Jan 22 17:18:48 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Jan 22 17:18:48 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Jan 22 17:18:48 2008 : Debug: rlm_ldap: performing search in
ou=Users,dc=angers,dc=afone,dc=fr, with filter
(&(objectclass=posixAccount)(uid=nsouleman))
Tue Jan 22 17:18:48 2008 : Debug: rlm_ldap: Added password xxx in check
items
Tue Jan 22 17:18:48 2008 : Debug: rlm_ldap: looking for check items in
directory...
Tue Jan 22 17:18:48 2008 : Debug: rlm_ldap: Adding sambaNTPassword as
NT-Password, value 06ED974D43A7B40ACF5F9798C7060A4B & op=21
Tue Jan 22 17:18:48 2008 : Debug: rlm_ldap: Adding sambaLMPassword as
LM-Password, value 2C720756F237E37AAAD3B435B51404EE & op=21
Tue Jan 22 17:18:48 2008 : Debug: rlm_ldap: looking for reply items in
directory...
Tue Jan 22 17:18:48 2008 : Debug: rlm_ldap: user nsouleman authorized to use
remote access
Tue Jan 22 17:18:48 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Jan 22 17:18:48 2008 : Debug:   modsingle[authorize]: returned from ldap
(rlm_ldap) for request 3
Tue Jan 22 17:18:48 2008 : Debug:   modcall[authorize]: module "ldap"
returns ok for request 3
Tue Jan 22 17:18:48 2008 : Debug: modcall: leaving group authorize (returns
updated) for request 3
Tue Jan 22 17:18:48 2008 : Debug:   rad_check_password:  Found Auth-Type EAP
Tue Jan 22 17:18:48 2008 : Debug: auth: type "EAP"
Tue Jan 22 17:18:48 2008 : Debug:   Processing the authentic

Re: Blank spaces after username - problem with accounting -MySqldatabase.

2008-01-22 Thread Alan DeKok
Marinko Tarlac wrote:
> So this can be called as FreeRadius bug ?

  No.  As I have said, FreeRADIUS does not add spaces to user names.

  This is the *first* time I can recall seeing this problem in almost 9
years of working with FreeRADIUS.  It is *not* a FreeRADIUS issue.

  If you see spaces, then:

  a) the user has typed the user name with spaces
  b) local edits to your configuration files are adding those spaces

  Alan DeKok.


Virtual Server and Ldap-Group

2008-01-22 Thread Robin Gruyters
Hi ya,

Today I have installed the *new* Freeradius 2.0 release and tested the
virtual server setup.

I was just wondering what will be the best solution to check on LDAP Groups.
(Ldap-Group)
Check them (as before) in the users file, or somewhere in the virtual server
configuration with a switch/case statement.

..
switch "%{control:Ldap-Group}" {
case "WebUsers" {
update reply {
NS-User-Group = WebUsers
}
}
case "MailUsers" {
update reply {
NS-User-Group = MailUsers
}
}
case ... {
}
}
...


Kind regards,

-- 
Robin Gruyters
Network and Security Engineer
Betronic Nederland B.V.
I: http://yirdis.com
I: http://betronic.nl
P: +31 (0)20 5659191
F: +31 (0)20 5659190



rlm_opendirectory (FR 2.0.0)

2008-01-22 Thread Info

Hello all,

Quick Qs about the experimental rlm_opendirectory module:

* Has anyone built in this module successfully?

* Is it possible to add this in without the other experimental  
modules and, if so, what is the proper flag? (Note, I've tried on  
separate runs --with-rlm_opendirectory, --enable-rlm_opendirectory,  
and --with-modules="rlm_opendirectory" seemingly to no avail.)


* Does the module need to be built against a server version of the  
Framework or should I be able to build this from the libraries on any  
os x workstation?


Cheers,

Jim


___
James H. Graham II, Creative Director • Spark Media Group
6511 Allegheny Avenue • Takoma Park, MD 20912-4737
Tel: 301.270.4810 • Fax: 301.270.4812 • www.sparkmediagroup.com


Re: Blank spaces after username - problem with accounting -MySqldatabase.

2008-01-22 Thread Marinko Tarlac
MySQL is 5.0.x

Query SELECT * FROM `radcheck` WHERE `UserName` LIKE 'test.user '; (added
space) returns 0 records (not found)

Query SELECT * FROM `radcheck` WHERE `UserName` LIKE 'test.user';  (without
blank space) returns valid records (password, simultaneous-use and other
check entries).

So this can be called as FreeRadius bug ?

I saw binary option so I will test it later.

Best regards and thanks for your time and ideas you gave to me.

Marinko

2008/1/22 <[EMAIL PROTECTED]>:

> It's more likely to be a MySQL bug. Try the same with a user entry in
> users file - if user can authenticate with and without trailing space
> then it is freeradius bug. If SELECT . 'test' and SELECT .
> 'test ' produce the same output, then the problem is with MySQL.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 22/1/2008, "Marinko Tarlac" <[EMAIL PROTECTED]> piše:
>
> >Thanks but this option didn't help.
> >
> >I tried with random username and when I add blank space after username user
> >still can connect... Seems like a radius bug so I will try to install newer
> >version.
> >
> >In any case I will inform you about this... Until I fix this issue I will
> >update radacct with my own script which will remove blank spaces in usernames.
> >
> >
> >Best regards
> >
> >2008/1/22 <[EMAIL PROTECTED]>:
> >
> >> There is a configuration line in radiusd.conf:
> >>
> >> nospace_user = yes (default is no)
> >>
> >> that will remove trailing space even when entered by the user. It
> >> doesn't help if the trailing space is in the database.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >>
> >> Dana 22/1/2008, "Marinko Tarlac" <[EMAIL PROTECTED]> piše:
> >>
> >> >>  Neither.  The user is adding the spaces.  It looks to me like someone
> >> >> figured out that you have test accounts.  They are using the test
> >> >> accounts to log in without paying.
> >> >>
> >> >>
> >> >Well it is more than one account and they are random usernames (example,
> >> >mirije, drogbba, etc. )
> >> >
> >> >
> >> >>  You need to audit your configuration to ensure that you are using
> >> >> the user name *correctly*.
> >> >>
> >> >>  e.g. this is wrong: SELECT ... %{User-Name} ...
> >> >>
> >> >>  this is correct: SELECT ... '%{User-Name}' ...
> >> >>
> >> >> > One is sure. MySql seems fine and only solution I can do now is to make
> >> >> > query "UPDATE radacct SET UserName='test.user' WHERE
> >> >> > UserName='test.user  '";
> >> >>
> >> >> -
> >> >>
> >> >
> >> >Inside sql.conf everything seems fine.
> >> >.
> >> >sql_user_name = "%{User-Name}"
> >> >..
> >> >authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
> >> >  FROM ${authcheck_table} \
> >> >  WHERE Username = '%{SQL-User-Name}' \
> >> >  ORDER BY id"
> >> >authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
> >> >  FROM ${authreply_table} \
> >> >  WHERE Username = '%{SQL-User-Name}' \
> >> >  ORDER BY id"
> >> >
> >> >Also, accounting queries are also the same. ???
> >> >
> >> >
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >>
> >
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
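The results reported above (a padded name authenticates through the `=` query, while `LIKE 'test.user '` finds nothing) are what MySQL's PAD SPACE collations produce: `=` on CHAR/VARCHAR columns ignores trailing spaces, LIKE does not. The following is an added example, not code from the thread: it reproduces the difference offline, with SQLite's RTRIM collation standing in for MySQL's behaviour (an assumption of the demo), and lists accounting rows that match an account only once padding is ignored. Table contents and function names are constructed.

```python
import sqlite3

# Constructed sample data: stored accounts, and user names as logged by accounting.
ACCOUNTS = ["test.user", "mirije"]
SESSIONS = ["test.user", "test.user  ", "mirije ", "unknown "]

QUERIES = {
    # Same shape as authorize_check_query: '=' under a pad-space collation.
    "=": "SELECT COUNT(*) FROM radcheck WHERE UserName = ?",
    # The manual test from the thread: LIKE keeps trailing spaces significant.
    "LIKE": "SELECT COUNT(*) FROM radcheck WHERE UserName LIKE ?",
    # Byte-exact comparison, the behaviour the configuration was assumed to have.
    "exact": "SELECT COUNT(*) FROM radcheck WHERE UserName = ? COLLATE BINARY",
}


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    # Assumption: COLLATE RTRIM emulates MySQL PAD SPACE for '=' comparisons.
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY,"
                 " UserName TEXT COLLATE RTRIM)")
    conn.execute("CREATE TABLE radacct (id INTEGER PRIMARY KEY, UserName TEXT)")
    conn.executemany("INSERT INTO radcheck (UserName) VALUES (?)",
                     [(name,) for name in ACCOUNTS])
    conn.executemany("INSERT INTO radacct (UserName) VALUES (?)",
                     [(name,) for name in SESSIONS])
    return conn


def count_matches(conn: sqlite3.Connection, how: str, name: str) -> int:
    """Number of radcheck rows that match `name` under the given comparison."""
    return conn.execute(QUERIES[how], (name,)).fetchone()[0]


def padded_sessions(conn: sqlite3.Connection) -> list:
    """Accounting rows equal to an account only when trailing spaces are ignored.

    Returns (logged name, account name) pairs, in accounting-row order.
    """
    return conn.execute(
        "SELECT a.UserName, c.UserName FROM radacct a"
        " JOIN radcheck c ON a.UserName = c.UserName COLLATE RTRIM"
        " WHERE a.UserName <> c.UserName COLLATE BINARY"
        " ORDER BY a.id").fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    for how in QUERIES:
        print(how, repr("test.user "), count_matches(db, how, "test.user "))
    for logged, account in padded_sessions(db):
        print("padded login %r billed apart from account %r" % (logged, account))
```

The audit query only reports padded names that belong to a stored account; it does not rewrite accounting rows.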

Re: Problem with Vista EAP-PEAP Authentication

2008-01-22 Thread A . L . M . Buxey
Hi,

FR 1.1.6, 1.1.7 and 2.0.0/2.0.1 work fine with vista (without any special
non windows-update KBs installed)

are you using source from www.freeradius.org, or some distribution package?

alan


Re: Blank spaces after username - problem with accounting -MySqldatabase.

2008-01-22 Thread tnt
It's more likely to be a MySQL bug. Try the same with a user entry in
users file - if user can authenticate with and without trailing space
then it is freeradius bug. If SELECT . 'test' and SELECT .
'test ' produce the same output, then the problem is with MySQL.

Ivan Kalik
Kalik Informatika ISP


Dana 22/1/2008, "Marinko Tarlac" <[EMAIL PROTECTED]> piše:

>Thanks but this option didn't help.
>
>I tried with random username and when I add blank space after username user
>still can connect... Seems like a radius bug so I will try to install newer
>version.
>
>In any case I will inform you about this... Until I fix this issue I will
>update radacct with my own script which will remove blank spaces in usernames.
>
>
>Best regards
>
>2008/1/22 <[EMAIL PROTECTED]>:
>
>> There is a configuration line in radiusd.conf:
>>
>> nospace_user = yes (default is no)
>>
>> that will remove trailing space even when entered by the user. It
>> doesn't help if the trailing space is in the database.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> Dana 22/1/2008, "Marinko Tarlac" <[EMAIL PROTECTED]> piše:
>>
>> >>  Neither.  The user is adding the spaces.  It looks to me like someone
>> >> figured out that you have test accounts.  They are using the test
>> >> accounts to log in without paying.
>> >>
>> >>
>> >Well it is more than one account and they are random usernames (example,
>> >mirije, drogbba, etc. )
>> >
>> >
>> >>  You need to audit your configuration to ensure that you are using
>> >> the user name *correctly*.
>> >>
>> >>  e.g. this is wrong: SELECT ... %{User-Name} ...
>> >>
>> >>  this is correct: SELECT ... '%{User-Name}' ...
>> >>
>> >> > One is sure. MySql seems fine and only solution I can do now is to make
>> >> > query "UPDATE radacct SET UserName='test.user' WHERE
>> >> > UserName='test.user  '";
>> >>
>> >> -
>> >>
>> >
>> >Inside sql.conf everything seems fine.
>> >.
>> >sql_user_name = "%{User-Name}"
>> >..
>> >authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
>> >  FROM ${authcheck_table} \
>> >  WHERE Username = '%{SQL-User-Name}' \
>> >  ORDER BY id"
>> >authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
>> >  FROM ${authreply_table} \
>> >  WHERE Username = '%{SQL-User-Name}' \
>> >  ORDER BY id"
>> >
>> >Also, accounting queries are also the same. ???
>> >
>> >
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>



Problem with Vista EAP-PEAP Authentication

2008-01-22 Thread debug afone
Hello, 

We are trying to authenticate Windows Vista clients using FreeRadius into a
HP Procurve architecture. We configured FreeRadius to operate an EAP-PEAP
authentication.
This works fine with XP SP2 client but the process blocks with Windows Vista
at this point : 

Sending Access-Challenge of id 70 to 10.40.0.114 port 1073
EAP-Message = 0x010500061900
Message-Authenticator = 0x
State = 0x668d79caa2854b593ec7e91a8004030b

I saw a few posts on the web regarding this problem. Some users advise to
install kb932063 microsoft hotfix but I still have my problem.
A patch has been released in 1.1.3 version and then included to 1.1.4 and
older. I use 1.1.6 version.
The option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is part of the rlm_eap_tls.c
file.

Does anybody have an idea ?

Regards, 

Nicolas SOULEMAN.





Re: Blank spaces after username - problem with accounting - MySqldatabase.

2008-01-22 Thread Marinko Tarlac
Thanks but this option didn't help.

I tried with random username and when I add blank space after username user
still can connect... Seems like a radius bug so I will try to install newer
version.

In any case I will inform you about this... Until I fix this issue I will
update radacct with my own script which will remove blank spaces in usernames.


Best regards

2008/1/22 <[EMAIL PROTECTED]>:

> There is a configuration line in radiusd.conf:
>
> nospace_user = yes (default is no)
>
> that will remove trailing space even when entered by the user. It
> doesn't help if the trailing space is in the database.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 22/1/2008, "Marinko Tarlac" <[EMAIL PROTECTED]> piše:
>
> >>  Neither.  The user is adding the spaces.  It looks to me like someone
> >> figured out that you have test accounts.  They are using the test
> >> accounts to log in without paying.
> >>
> >>
> >Well it is more than one account and they are random usernames (example,
> >mirije, drogbba, etc. )
> >
> >
> >>  You need to audit your configuration to ensure that you are using
> >> the user name *correctly*.
> >>
> >>  e.g. this is wrong: SELECT ... %{User-Name} ...
> >>
> >>  this is correct: SELECT ... '%{User-Name}' ...
> >>
> >> > One is sure. MySql seems fine and only solution I can do now is to make
> >> > query "UPDATE radacct SET UserName='test.user' WHERE
> >> > UserName='test.user  '";
> >>
> >> -
> >>
> >
> >Inside sql.conf everything seems fine.
> >.
> >sql_user_name = "%{User-Name}"
> >..
> >authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
> >  FROM ${authcheck_table} \
> >  WHERE Username = '%{SQL-User-Name}' \
> >  ORDER BY id"
> >authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
> >  FROM ${authreply_table} \
> >  WHERE Username = '%{SQL-User-Name}' \
> >  ORDER BY id"
> >
> >Also, accounting queries are also the same. ???
> >
> >
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Version 2.0.1 has been released.

2008-01-22 Thread Alan T DeKok
  Version 2.0.0 was released less than two weeks ago, and has proven to
be very stable and bug-free.  A few issues have recently been found and
fixed, and "unlang" has had some minor changes which result in much
simpler policies.

  As a result, we are releasing 2.0.1 today.  See http://freeradius.org
for the announcement and download links.


Feature improvements
* "unlang" has been expanded to do less run-time expansion,
  and to have better handling of typed data.  See "man unlang"
  for documentation and new examples.

Bug fixes
* The 'acct_unique' module has been updated to understand
  the deprecated (but still used) Client-IP-Address attribute.
* The EAP-MSCHAPv2 module no longer leaks MS-CHAP2-Success in
  packets.
* Fixed crash in rlm_dbm.
* Fixed parsing of syslog configuration.


  The changes in "unlang" simplify references to attributes, and add
type-specific checking:

  if (Framed-IP-Address) {  # was "%{Framed-Ip-Address}" in 2.0.0
...

  # not possible in 2.0.0
  if ((Framed-IP-Address > 192.168.0.1) && (Framed-IP-Address < 192.168.0.4)) {
...

  # refer to VALUEs by name:
  if (Service-Type == Login-User) {
...

  Alan DeKok.


Re: filling in missing attributes

2008-01-22 Thread Peter Nixon
On Tue 22 Jan 2008, Alan DeKok wrote:
>   I think it's time to release 2.0.1.  There have been a few good bug
> fixes, and the ability to *not* double-quote everything is a big step
> forwards.

Seems reasonable.

-- 

Peter Nixon
http://peternixon.net/



Re: Building FreeRadius 2.0 on Mac OS X fails

2008-01-22 Thread Walter Krivanek, VividVisions


Alan DeKok wrote:
> Walter Krivanek, VividVisions wrote:
>> Configure seems to expect the MySQL binaries to be in the PATH
>> environment variable, which complicated things for me since I have three
>> different versions of MySQL on my development machine. Another parameter
>> like --with-mysql-bin-dir would be great.
>
>  Setting the PATH for one run of a "configure" script is just as easy.

Yes, but inconsistent. ;-)

>  The only response is to say that your system needs to be fixed so that
> the linkers know where the libraries are, and that the list of libraries
> available at compile time is the same as what is available at run time.

You're right, this seems to be a known problem with some MySQL installations.
Here's a very interesting article on how linking works in Mac OS X:
http://www.cocoadev.com/index.pl?ApplicationLinking (mostly about Cocoa apps).

>  Run it in debugging mode, and check file permissions.

It works with -x but not with -X or -xx.

Thanks,
Walter



Re: regarding RFC 2253 UTF-8 String Representation of Distinguished Names support

2008-01-22 Thread Gopinath Reddy N
Hi Alan,

Thanks for the information. Got the point.

Regards
gnr

On Jan 21, 2008 7:30 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:

> Gopinath Reddy N wrote:
> > I am trying to send ldap search request to Active Directory using free
> > radius 2.0
>
>  Yes... you said that already.
>
> > When I analyzed using ethereal I have observed the below information.
>
>  Since you were asked to post the debugging output, I don't understand
> why you would fail to do that.
>
> > António is sent as
> > 0x41, 0x6e,0x74, 0xf3, 0x6e, 0x69, 0x6F which is a simple ASCII to hex
> > conversion.
>
>  No, it's not.  0xf3 is *not* an ASCII character, and it is not a "hex"
> character.  This is not a "simple ASCII to hex conversion".  The problem
> is that the string you are giving FreeRADIUS in the User-Name is *not*
> UTF-8.
>
>  Since you told FreeRADIUS to use a string *other* than UTF-8, I'm
> curious as to why you think FreeRADIUS should use UTF-8 to talk to
> Active Directory.
>
>  If you want FreeRADIUS to use UTF-8 to Active Directory, then send a
> User-Name that is a UTF-8 string.
>
> > So wanted to check whether free radius 2.0 version is doing the encoding
> > in UTF-8 format. Or some configuration attribute I am missing.
>
>  FreeRADIUS does not translate one character encoding to another.  The
> RFC's say that the User-Name SHOULD be a UTF-8 string.  I suggest giving
> the server a UTF-8 string, and not a string in some other weird encoding.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
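The point made in the quoted reply, that the byte 0xf3 makes the captured User-Name something other than UTF-8, can be checked mechanically. This is an added example, not code from the thread or from FreeRADIUS: it classifies the raw bytes of a User-Name before they are passed on to a directory lookup. Function names are hypothetical, and the Latin-1 reading of a rejected name is only a guess to help diagnose the client's encoding.

```python
# Bytes quoted in the thread for "António" as seen on the wire.
SEEN_ON_WIRE = bytes([0x41, 0x6e, 0x74, 0xf3, 0x6e, 0x69, 0x6f])


def hexdump(raw: bytes) -> str:
    """Space-separated hex, in the same style as the capture quoted above."""
    return " ".join("%02x" % b for b in raw)


def classify_user_name(raw: bytes) -> dict:
    """Say whether `raw` is valid UTF-8 and, if it is not, where it breaks."""
    try:
        # Strict decoding rejects stray lead bytes, bad continuation bytes
        # and sequences truncated at the end of the attribute.
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        # Latin-1 maps every byte to a code point, so this never fails;
        # treat it as a hint about the sender, not as the real encoding.
        guess = raw.decode("latin-1")
        return {
            "valid_utf8": False,
            "bad_offset": exc.start,
            "bad_byte": raw[exc.start],
            "reason": exc.reason,
            "latin1_guess": guess,
            "utf8_of_guess": guess.encode("utf-8"),
        }
    return {"valid_utf8": True, "text": text,
            "ascii_only": all(b < 0x80 for b in raw)}


def report(raw: bytes) -> str:
    """One log-style line per User-Name, suitable for a pre-check script."""
    result = classify_user_name(raw)
    if result["valid_utf8"]:
        return "ok       %s" % hexdump(raw)
    return "not-utf8 %s (byte 0x%02x at offset %d; as UTF-8 it would be %s)" % (
        hexdump(raw), result["bad_byte"], result["bad_offset"],
        hexdump(result["utf8_of_guess"]))


if __name__ == "__main__":
    for sample in (SEEN_ON_WIRE, "António".encode("utf-8"), b"Ant\xc3"):
        print(report(sample))
```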

Re: Building FreeRadius 2.0 on Mac OS X fails

2008-01-22 Thread Alan DeKok
Walter Krivanek, VividVisions wrote:
> Then, I added the parameters --with-mysql-lib-dir and
> --with-mysql-include-dir to the configure command.
> Configure seems to expect the MySQL binaries to be in the PATH
> environment variable, which complicated things for me since I have three
> different versions of MySQL on my development machine. Another parameter
> like --with-mysql-bin-dir would be great.

  Setting the PATH for one run of a "configure" script is just as easy.

> Then I configured FreeRadius, started it and got this error message:
> rlm_sql (freewave): Could not link driver rlm_sql_mysql:
...
> The reason was that FreeRadius expected the dylib file in
> /usr/local/mysql/lib/mysql/ but it actually is located in
> /usr/local/mysql/lib/.

  No.  FreeRADIUS does *not* look for libraries.  The run-time linker on
your system looks for libraries.  FreeRADIUS just uses the features of
that linker.  What is happening is that the information available at
compile time is different from the information available at run time.

  The only response is to say that your system needs to be fixed so that
the linkers know where the libraries are, and that the list of libraries
available at compile time is the same as what is available at run time.

> Another thing: Is there anything else to set than sqltrace and
> sqltracefile to get MySQL logs? Because sqltrace is set to yes and I
> still get no logs... :-(

  Run it in debugging mode, and check file permissions.

  Alan DeKok.


Re: Blank spaces after username - problem with accounting - MySqldatabase.

2008-01-22 Thread tnt
There is a configuration line in radiusd.conf:

nospace_user = yes (default is no)

that will remove trailing space even when entered by the user. It
doesn't help if the trailing space is in the database.

Ivan Kalik
Kalik Informatika ISP


Dana 22/1/2008, "Marinko Tarlac" <[EMAIL PROTECTED]> piše:

>>  Neither.  The user is adding the spaces.  It looks to me like someone
>> figured out that you have test accounts.  They are using the test
>> accounts to log in without paying.
>>
>>
>Well it is more than one account and they are random usernames (example,
>mirije, drogbba, etc. )
>
>
>>  You need to audit your configuration to ensure that you are using
>> the user name *correctly*.
>>
>>  e.g. this is wrong: SELECT ... %{User-Name} ...
>>
>>  this is correct: SELECT ... '%{User-Name}' ...
>>
>> > One is sure. MySql seems fine and only solution I can do now is to make
>> > query "UPDATE radacct SET UserName='test.user' WHERE
>> > UserName='test.user  '";
>>
>> -
>>
>
>Inside sql.conf everything seems fine.
>.
>sql_user_name = "%{User-Name}"
>..
>authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
>  FROM ${authcheck_table} \
>  WHERE Username = '%{SQL-User-Name}' \
>  ORDER BY id"
>authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
>  FROM ${authreply_table} \
>  WHERE Username = '%{SQL-User-Name}' \
>  ORDER BY id"
>
>Also, accounting queries are also the same. ???
>
>



Re: Blank spaces after username - problem with accounting - MySql database.

2008-01-22 Thread Alan DeKok
Marinko Tarlac wrote:
> Well it is more than one account and they are random usernames (example,
> mirije, drogbba, etc. )

  FreeRADIUS does not add spaces to user names.  Again, run it in
debugging mode to see *exactly* what it is seeing.

> Inside sql.conf everything seems fine.
> 
> sql_user_name = "%{User-Name}"
> .

  Then run the server in debugging mode to see WHY "test-user " is being
treated the same as "test-user".  The user names are NOT the same, and
should NOT be treated identically.

> Also, accounting queries are also the same. ???

  Once you fix the authentication so that users with spaces are not
authenticated, the accounting should fix itself.

  In 2.0.0, you can simply put this at the *start* of the "authorize"
section:

if ("%{User-Name}" =~ / /) {
    reject
}

  It won't fix the problem, but it will ensure that the users get rejected.

  Alan DeKok.


Re: filling in missing attributes

2008-01-22 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> If you require a string identifier for your NAS, you can use the
> Client-Shortname attribute in the request list. This just reflects the
> shortname assigned to the NAS using rlm_sql or in client definitions.
> 
> if(!"%{NAS-Identifier}"){
>     update request {
>         NAS-Identifier = "%{client-shortname}"
>     }
> }

  For 2.0.1-pre, this should be:

  if (!NAS-Identifier) {
      update request {
          NAS-Identifier = "%{client:shortname}"
      }
  }

  I think it's time to release 2.0.1.  There have been a few good bug
fixes, and the ability to *not* double-quote everything is a big step
forwards.

  Alan DeKok.


Re: Building FreeRadius 2.0 on Mac OS X fails

2008-01-22 Thread Walter Krivanek, VividVisions

Hi Alan, Jim and Arran,

thank you very much for your help, I finally did it.

First, I had to discard rlm_perl. I haven't tried Jim's tip to install  
my own version of Perl.


Then, I added the parameters --with-mysql-lib-dir and
--with-mysql-include-dir to the configure command.
Configure seems to expect the MySQL binaries to be in the PATH
environment variable, which complicated things for me since I have
three different versions of MySQL on my development machine. Another
parameter like --with-mysql-bin-dir would be great. After a few
changes this problem was solved.


Then I configured FreeRadius, started it and got this error message:
rlm_sql (freewave): Could not link driver rlm_sql_mysql: dlopen(/usr/local/freeradius2/lib/rlm_sql_mysql-2.0.0.so, 9): Library not loaded: /usr/local/mysql/lib/mysql/libmysqlclient_r.15.dylib
  Referenced from: /usr/local/freeradius2/lib/rlm_sql_mysql-2.0.0.so
  Reason: image not found
rlm_sql (freewave): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.


The reason was that FreeRadius expected the dylib file in
/usr/local/mysql/lib/mysql/ but it actually is located in /usr/local/mysql/lib/.
So I simply created the directory mysql and copied the files there. A
rather ugly hack but it helped. IMHO this path should also be
configurable.


Alan wrote:
> That should be "--with-mysql-include-dir=..."  What you have above
> is completely unsupported.


The configure script in src/modules/rlm_sql/drivers/rlm_sql_mysql/
seems to know about --with-mysql-dir.


Another thing: Is there anything else to set than sqltrace and  
sqltracefile to get MySQL logs? Because sqltrace is set to yes and I  
still get no logs... :-(


Thanks again,
Walter



EXAMPLE: unlang removing attribute inside a test

2008-01-22 Thread Mike O'Connor

Hi Guys

I thought I would send an example of unlang being used to remove an 
attribute after proxying.


My attrs file adds a Cisco-AVPair which needs removing if the customer is
given a static ip address by the retail ISP.


authorize {
.
    if("%{reply:Framed-IP-Address}") {
        update reply {
            Cisco-AVPair -= "ip:addr-pool=ip_pool_1"
        }
        update reply {
            Cisco-AVPair -= "ip:addr-pool=ip_pool_2"
        }
        update reply {
            Cisco-AVPair -= "ip:addr-pool=ip_pool_3"
        }
    }
}

I also added the update option to the post-auth to remove the 
Cisco-AVPair in the case of a reject.


post-auth {
..

    Post-Auth-Type REJECT {
        update reply {
            Cisco-AVPair -= "ip:addr-pool=ip_pool_1"
        }
        update reply {
            Cisco-AVPair -= "ip:addr-pool=ip_pool_2"
        }
        update reply {
            Cisco-AVPair -= "ip:addr-pool=ip_pool_3"
        }
        sql_log
    }
}

One issue: I could not seem to find a way of removing an attribute unless
both the attribute and value match; this means that I have to list each
of the pools individually.



Cheers
Mike


Re: filling in missing attributes

2008-01-22 Thread Arran Cudbard-Bell

Alan DeKok wrote:
> Duane Cox wrote:
>> Hello List
>>
>> I'm looking for a suggested solution to this problem.
>>
>> I'm running freeradius 2.0.0 and have a NAS that doesn't supply the
>> NAS-Identifier or Called-Station-Id.
>> I'm using rlm_sql to log acct information and would like to have this missing
>> info filled in.
>>
>> Would it be best to use:
>
>   "unlang" will likely make it simpler.  It means that you separate the
> checks for missing attributes from the SQL configuration.
>
>   Putting "%{%{Foo}:-%{Bar}}" in sql.conf quickly gets complicated.
>
>   Instead, do:
>
>   if (!Foo) {
>       update request {
>           Foo = ...
>       }
>   }
>
>   And then just put "%{Foo}" in sql.conf.
>
>   Alan DeKok.

If you require a string identifier for your NAS, you can use the
Client-Shortname attribute in the request list. This just reflects the
shortname assigned to the NAS using rlm_sql or in client definitions.

if(!"%{NAS-Identifier}"){
    update request {
        NAS-Identifier = "%{client-shortname}"
    }
}

See http://wiki.freeradius.org/Run-time_variables



Re: Blank spaces after username - problem with accounting - MySql database.

2008-01-22 Thread Marinko Tarlac
>  Neither.  The user is adding the spaces.  It looks to me like someone
> figured out that you have test accounts.  They are using the test
> accounts to log in without paying.
>
>
Well it is more than one account and they are random usernames (example,
mirije, drogbba, etc. )


>  You need to audit your configuration to ensure that you are using
> the user name *correctly*.
>
>  e.g. this is wrong: SELECT ... %{User-Name} ...
>
>  this is correct: SELECT ... '%{User-Name}' ...
>
> > One is sure. MySql seems fine and only solution I can do now is to make
> > query "UPDATE radacct SET UserName='test.user' WHERE
> > UserName='test.user  '";
>
> -
>

Inside sql.conf everything seems fine.

sql_user_name = "%{User-Name}"
.
authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
  FROM ${authcheck_table} \
  WHERE Username = '%{SQL-User-Name}' \
  ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
  FROM ${authreply_table} \
  WHERE Username = '%{SQL-User-Name}' \
  ORDER BY id"

Also, accounting queries are also the same. ???

Re: filling in missing attributes

2008-01-22 Thread Alan DeKok
Duane Cox wrote:
> Hello List
> 
> I'm looking for a suggested solution to this problem.
> 
> I'm running freeradius 2.0.0 and have a NAS that doesn't supply the 
> NAS-Identifier or Called-Station-Id.
> I'm using rlm_sql to log acct information and would like to have this missing 
> info filled in.
> 
> Would it be best to use:

  "unlang" will likely make it simpler.  It means that you separate the
checks for missing attributes from the SQL configuration.

  Putting "%{%{Foo}:-%{Bar}}" in sql.conf quickly gets complicated.

  Instead, do:

  if (!Foo) {
      update request {
          Foo = ...
      }
  }

  And then just put "%{Foo}" in sql.conf.

  Alan DeKok.


Re: Blank spaces after username - problem with accounting - MySql database.

2008-01-22 Thread Alan DeKok
Marinko Tarlac wrote:
> Hi there... It is me again... Few days ago, I wrote about my problem
> with accounting. Problem is that accounting doesn't work for some users.
> In this case it is "test.user"... After some investigation with log
> files (holy radiusd -X), I can see that problem is in username. As you
> can see (line marked with *-*-*-*-*-*-*), some blank spaces were added
> to username. I'm not sure how is this possible and who adds this blank
> spaces (Mikrotik as nas or radius server?).

  Neither.  The user is adding the spaces.  It looks to me like someone
figured out that you have test accounts.  They are using the test
accounts to log in without paying.

> p.s. As I can see in debug lines, radacct table has been filled with
> wrong username so I searched for username "test.user  " and I can see
> his traffic. I can solve this problem with small scheduler script which
> will replace "test.user  " with "test.user" but who knows... Maybe
> tomorrow I will have more spaces and other signs in username ???

  You need to audit your configuration to ensure that you are using
the user name *correctly*.

  e.g. this is wrong: SELECT ... %{User-Name} ...

  this is correct: SELECT ... '%{User-Name}' ...

> One is sure. MySql seems fine and only solution I can do now is to make
> query "UPDATE radacct SET UserName='test.user' WHERE
> UserName='test.user  '";

  Do not do that.

> FR is 1.1.4 and I will update it and see what's going on...

  The default queries and configuration should not have this problem.

  Alan DeKok.