nested groups
Hi,

Is it possible to search users on nested groups?

For example: User1 is in group Group1, User2 is in group Group2, Group1 and Group2 are in group Group12.

The users config:

    ...
    DEFAULT ldap-iut-Ldap-Group == Group12
        Tunnel-Medium-Type:1 = 6,
        Tunnel-Type:1 = 13,
        Tunnel-Private-Group-ID:1 = 636,
        Fall-Through = Yes
    ...

Freeradius Server : 2.1.7 (git)
Ldap server : Active directory 2008

Thanks

Nicolas Clementz
Université de Haute Alsace

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

virtual servers = 2 different user files
Hello list,

I would like to use one freeradius for 2 different NAS-groups. Therefore I need two different users files, one for each instance. I tried to make the module configuration per virtual server, which seems not to be working. Does anybody have a trick to get this working?

BR
Uwe

Re: Dynamic VLAN attribute in LDAP or AD?
Gary Gatten wrote:
> I'm assuming I can do roughly the same thing with NTLM_AUTH? I have to use NTLM_Auth for 8021x (right? - at least all docs say this),

No, they don't. They say that you need to use ntlm_auth for authentication in *certain* cases, when the user database is Active Directory.

> so if I don't HAVE to use LDAP all the better.

If you don't have Active Directory, you can use anything you want as a database.

Alan DeKok.

Re: virtual servers = 2 different user files
Hello

On Tue, Aug 25, 2009 at 08:29:49AM +0200, kisteorg google wrote:
> Hello list,
>
> I would like to use one freeradius for 2 different NAS-groups. Therefore I need two different users files, one for each instance. I tried to make the module configuration per virtual server, which seems not to be working. Does anybody have a trick to get this working?

You can try to add named files {} sections into the modules/files configuration. For example:

    files files-auth1 {
        ...
    }
    files files-auth2 {
        ...
    }
    files files-acct {
        ...
    }

And you can use each module in authorize or preacct sections. For example:

    server auth1 {
        authorize {
            ...
            files-auth1
            ...
        }
    }
    server auth2 {
        authorize {
            ...
            files-auth2
            ...
        }
    }
    server acct {
        preacct {
            ...
            files-acct
            ...
        }
    }

Re: virtual servers = 2 different user files
kisteorg google wrote:
> I would like to use one freeradius for 2 different NAS-groups. Therefore I need two different users files, one for each instance. I tried to make the module configuration per virtual server, which seems not to be working.

You need to create two instances of the files module. Where it now has:

    files {
        ...
    }

Replace that with:

    files foo {
        ...
    }
    files bar {
        ...
    }

And point the usersfile, etc. to different files in each one.

Alan DeKok.

Re: check username and password
hi

I added below code to get username,

    VALUE_PAIR *vp;
    vp = pairfind(request->packet->vps, PW_USER_NAME);
    printf("x equals %s \n", vp);

it is not printing anything, please help me.

regards
shivashankar.c

2009/8/24 Ivan Kalik t...@kalik.net
> > how to check username and password in rlm_wipromodule(user-define) module.
>
> Did you actually read this?
>
> http://wiki.freeradius.org/Modules2#Accessing_Radius_Request_Attributes
>
> Ivan Kalik
> Kalik Informatika ISP

--
regards
shiva shankar

Re: check username and password
shiva shankar wrote:
> hi
>
> I added below code to get username,
>
>     VALUE_PAIR *vp;
>     vp = pairfind(request->packet->vps, PW_USER_NAME);
>     printf("x equals %s \n", vp);
>
> it is not printing anything

We do *not* teach C programming on this list. Buy a book, or take a course.

Alan DeKok.

RE: How to control users traffic ?
> I was trying to dynamically limit the customers speed when they hit their download quota. I'm doing this for DSL users connected to a Cisco NAS. Aren't the WISPr only for wireless users?

Use avpairs.

Ivan Kalik
Kalik Informatika ISP

Re: virtual servers = 2 different user files
> Hello list,
>
> I would like to use one freeradius for 2 different NAS-groups. Therefore I need two different users files, one for each instance. I tried to make the module configuration per virtual server, which seems not to be working. Does anybody have a trick to get this working?

You can do this with the single users file by defining NAS groups in (sql)huntgroups. Then combine Huntgroup-Name with user entries.

Ivan Kalik
Kalik Informatika ISP

Logging client IP address
Hi,

I'm experimenting with using freeradius 2.0.4 to authenticate administrative access to network equipment. If I deploy it then I'll end up with well over a hundred clients, so I'd like to describe the entire address range in a single 'client' block.

I also want to have a syslogged record of each login attempt, which I can do, but I can't figure out how to log the client's IP address without having to specify every client individually in freeradius's config. As it is, I just get

    Login OK: [username] (from client big-netblock port 0)

Is there a way around this without having to maintain a huge list of clients?

Thanks

- Ian

--
Ian Chard, Senior Unix and Network Gorilla | E: ian.ch...@sers.ox.ac.uk
Systems and Electronic Resources Service | T: 80587 / (01865) 280587
Oxford University Library Services | F: (01865) 242287

How to use large SQL-query for %{sql:} clause?
Hello.

I am using FR v2.1.6. I am needing to generate values of reply attributes via SQL. I am using `%{sql:SQL-query}` clause. I am inserting attribute/value pairs into radreply table, where value - `%{sql:}`-clause. But I had got complex and large queries. I don't want to increase size of fields of SQL-table. How can I solve this problem?

Re: How to use large SQL-query for %{sql:} clause?
> I am needing to generate values of reply attributes via SQL. I am using `%{sql:SQL-query}` clause. I am inserting attribute/value pairs into radreply table, where value - `%{sql:}`-clause. But I had got complex and large queries. I don't want to increase size of fields of SQL-table. How can I solve this problem?

Just add them to the reply list without putting them into the table. Why write them into the table and then read them from there?

Ivan Kalik
Kalik Informatika ISP

Re: Logging client IP address
Hi,

> I'm experimenting with using freeradius 2.0.4 to authenticate administrative access to network equipment. If I deploy it then I'll end up with well over a hundred clients, so I'd like to describe the entire address range in a single 'client' block.

okay - just a big range will help you

> I also want to have a syslogged record of each login attempt, which I can do, but I can't figure out how to log the client's IP address without having to specify every client individually in freeradius's config. As it is, I just get
>
>     Login OK: [username] (from client big-netblock port 0)
>
> Is there a way around this without having to maintain a huge list of clients?

the single line log can be changed to give more details...but the detail logs give more information - like explicit NAS-IP-Address etc - so if you want more detail, use the detail module, not the linelog.

alternatively, use SQL to hold the clients and have each one defined... you can then use dynamic_clients so new entries can be added on the fly without server rebooting

alan

Re: Logging client IP address
On 25/08/09 09:50, Alan Buxey wrote:
[Ian Chard wrote:]
> > I also want to have a syslogged record of each login attempt, which I can do, but I can't figure out how to log the client's IP address without having to specify every client individually in freeradius's config. As it is, I just get
> >
> >     Login OK: [username] (from client big-netblock port 0)
> >
> > Is there a way around this without having to maintain a huge list of clients?
>
> the single line log can be changed to give more details...but the detail logs give more information - like explicit NAS-IP-Address etc - so if you want more detail, use the detail module, not the linelog.

I'm more inclined to use the linelog because I want the messages to end up on my syslog server along with all my other auth events. Can the linelog be changed without recompiling freeradius?

> alternatively, use SQL to hold the clients and have each one defined... you can then use dynamic_clients so new entries can be added on the fly without server rebooting

If modifying the linelog isn't possible then I like the sound of this. Is there some documentation on the dynamic_clients option? I can't seem to find any reference to it on freeradius.org.

- Ian

--
Ian Chard, Senior Unix and Network Gorilla | E: ian.ch...@sers.ox.ac.uk
Systems and Electronic Resources Service | T: 80587 / (01865) 280587
Oxford University Library Services | F: (01865) 242287

Re: How to use large SQL-query for %{sql:} clause?
On Tue, Aug 25, 2009 at 09:42:24AM +0100, Ivan Kalik wrote:
> > I am needing to generate values of reply attributes via SQL. I am using `%{sql:SQL-query}` clause. I am inserting attribute/value pairs into radreply table, where value - `%{sql:}`-clause. But I had got complex and large queries. I don't want to increase size of fields of SQL-table. How can I solve this problem?
>
> Just add them to the reply list without putting them into the table. Why write them into the table and then read them from there?

I want to set some quota for users. Quota is calculated from user's configuration and amount of eaten service. Name of service is defined into auth-packet. In other words, quota must be calculated as 'some_prefix(service_name) + max_allowed_amount(service_name) - already_eated_amount(service_name)'. I am needing to recalculate quota after incoming auth-packet.

Re: Logging client IP address
Hi,

> If modifying the linelog isn't possible then I like the sound of this. Is there some documentation on the dynamic_clients option? I can't seem to find any reference to it on freeradius.org.

$site_config/raddb/sites-available/dynamic-clients

(one of many cases where the feature is new but better documented in the config/code than the website or WIKI)

as for linelog, edit modules/linelog for your requirements and then put a call to that module where you need it (eg postauth)

alan

Re: virtual servers = 2 different user files
Hi,

> Replace that with:
>
>     files foo {
>         ...
>     }
>     files bar {
>         ...
>     }
>
> And point the usersfile, etc. to different files in each one.

Ok. Just one point left. Where do I reference foo and bar. Are these the server names?

BR
Uwe

Re: Proxying accounting to create a 'tee'
On 24/08/2009 16:46, John Morrissey wrote:
> On Sat, Aug 22, 2009 at 01:59:00AM +0100, Arran Cudbard-Bell wrote:
> > On 21/08/2009 21:15, John Morrissey wrote:
> > > On Sun, Aug 16, 2009 at 10:11:02AM +0200, Alan DeKok wrote:
> > > > vol...@ufamts.ru wrote:
> > > > > If home server does not respond, FR does not respond too - NAS repeats request - FR writes request data to SQL again.
> > > >
> > > > So... configure the server to respond. See the file raddb/sites-available/decoupled-accounting
> > >
> > > Is decoupled-accounting (writing all detail to disk and replaying it serialized with a detail listener) the only way to configure FreeRADIUS to respond to the NAS?
> >
> > Yes. Otherwise it'll wait for the response from the proxy server, and proxy the Accounting-Response from the proxy server back to the NAS. It's the only way the NAS could be sure the remote server received the Accounting-Request.
>
> Right. I was hoping there was a way for robust-proxy-accounting to respond to the NAS when the proxy isn't responding, since the accounting request has been successfully processed (i.e., written to the detail log and saved for later proxying).

I don't think that's possible unfortunately... If you proxy the request from the server in which it was received (and not the detail listener), the server will never send a response directly. It will instead just forward the Accounting-Response sent by the home server.

Hmm come to think of it I'm not sure there's actually a way to determine that a proxy is down from within unlang. So it may not even be possible to do the switch between proxying and detail writer...

I know it sounds a little clunky, but another option could be to use a chain of detail readers/writers? If you set the primary detail reader load factor to 100% the actual delay is likely to be pretty minimal...

So you'd have:

    NAS->Outer Server->Detail Writer (Primary)->Detail Reader->Detail Writer Queue 1
                                                             ->Detail Writer Queue 2
                                                             ->Detail Writer Queue n.

    Detail Reader Queue 1 -> Proxy Server
    Detail Reader Queue 2 -> Proxy Server
    Detail Reader Queue n -> Proxy Server

That way the NAS always receives a response, and you get pseudo parallel Accounting requests going to the proxy server.

To balance between the detail writers you can use the load-balance unlang stanza, or just the expressions module with the modulo operator.

> > > I'm adapting robust-proxy-accounting for our environment and can't figure out how (or if it's possible) to get FreeRADIUS to respond to the originating NAS when proxying fails and the detail is logged for later proxying.
> >
> > Yep that's a good idea if the data is time critical, it also allows multiple requests to be forwarded in parallel.
>
> nod, this is my preference. Unfortunately (as I mentioned above), I haven't been able to figure out if/how it's possible to have FreeRADIUS always respond to the NAS, even when the proxy isn't responding and accounting is spooled to the detail file for later processing.

I don't think it is. It'd be a nice thing to have, but I suspect quite hard to actually implement.

-Arran

--
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk,
Systems Administrator (AAA), Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

Re: Logging client IP address
On 25/08/09 10:39, Alan Buxey wrote:
> Hi,
>
> > If modifying the linelog isn't possible then I like the sound of this. Is there some documentation on the dynamic_clients option? I can't seem to find any reference to it on freeradius.org.
>
> $site_config/raddb/sites-available/dynamic-clients
>
> (one of many cases where the feature is new but better documented in the config/code than the website or WIKI)

Ahh gotcha. Looks like I'll have to upgrade (I'm using the Debian lenny stock freeradius 2.0.4, which I believe doesn't have dynamic-clients).

> as for linelog, edit modules/linelog for your requirements and then put a call to that module where you need it (eg postauth)

Ditto I think! Many thanks for your help

- Ian

--
Ian Chard, Senior Unix and Network Gorilla | E: ian.ch...@sers.ox.ac.uk
Systems and Electronic Resources Service | T: 80587 / (01865) 280587
Oxford University Library Services | F: (01865) 242287

Re: Proxying accounting to create a 'tee'
On 24/08/2009 13:56, Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
> > No, that'll get you the timestamp of when the packet was read back into the server. The only way to calculate the original received timestamp is to write the original Acct-Delay-Time into a custom attribute (say Acct-Delay-Time-Orig), subtract that from the current Acct-Delay-Time, then that from the current UNIX timestamp.
>
> The detail file reader creates/updates the Acct-Delay-Time based on how long the packet has been sitting in the detail file. There's no need to update it manually.

I wasn't suggesting that. I was suggesting a way of getting the Packet-Original-Timestamp in a usable form.

> > Yeah it's a pretty common setup, we do it too. One thing you have to watch out for is packets with fatal errors. Where the remote accounting server never acknowledged receipt of the packet, so it gets stuck in an infinite loop in the proxying queue. I haven't figured out how to solve this properly with the current setup, so it'd be good to see some discussion on list about it.
>
> Hmm... it should continue sending a packet from the detail file until the upstream server has responded. It shouldn't write packets to the detail file if they've been read from the detail file.

It doesn't. But they're only removed from the detail file if the server actually responded. Some usernames are permanently unroutable for accounting requests. i.e. their home accounting server just doesn't accept the Accounting-Requests and never sends Accounting-Responses.

Ideally there'd be a mechanism to remove Accounting-Requests after X number of attempts at proxying. At the moment we're using a request expiry time based on the length of the period between the request being received and it being proxied.

i.e. 'This request has been in the Queue for X seconds, X seconds is longer than our expiry time, remove packet from queue'

This is a *horrible horrible* hacky work around, because if a bunch of requests are received around the same time, and one is 'unroutable' then all the packets received around that time will be dropped.

If you don't do this, then the unproxyable packet stays at the head of the queue and blocks all the requests behind it.

Arran

--
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk,
Systems Administrator (AAA), Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

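Added example (not part of the original thread and not FreeRADIUS code): a small Python simulation of the detail-queue behaviour described in the message above, comparing no expiry, the age-based expiry currently in use, and the per-request attempt limit the poster wishes for. The 10-second retry interval, the limits, all function and field names, and the five sample requests are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

RETRY_INTERVAL = 10  # assumed: seconds spent on each unanswered proxy attempt


@dataclass
class Packet:
    name: str
    received_at: int   # when the Accounting-Request first reached the server
    routable: bool     # False: the home server never sends a response
    attempts: int = 0  # unanswered proxy attempts so far


def drain(packets, policy, limit, max_time=1000):
    """Drain a FIFO queue the way a detail reader feeds a proxy.

    Returns (delivered, dropped, stuck) as lists of packet names.

    policy "none":     never drop; the head is retried until max_time
    policy "age":      drop the head once it has waited more than `limit` seconds
    policy "attempts": drop the head after `limit` unanswered attempts
    """
    # Work on copies so repeated runs over the same sample are independent.
    queue = deque(Packet(p.name, p.received_at, p.routable) for p in packets)
    now = max(p.received_at for p in queue)
    delivered, dropped = [], []

    while queue and now < max_time:
        head = queue[0]
        if policy == "age" and now - head.received_at > limit:
            dropped.append(queue.popleft().name)
            continue
        if policy == "attempts" and head.attempts >= limit:
            dropped.append(queue.popleft().name)
            continue
        if head.routable:
            # The home server answered, so the entry leaves the queue.
            delivered.append(queue.popleft().name)
        else:
            # No answer: the clock advances and the same head is retried,
            # while every packet behind it keeps ageing.
            head.attempts += 1
            now += RETRY_INTERVAL

    return delivered, dropped, [p.name for p in queue]


# Constructed sample: five requests received one second apart; the second
# one (req1) belongs to a user whose home server never answers.
SAMPLE = [Packet(f"req{i}", i, routable=(i != 1)) for i in range(5)]

if __name__ == "__main__":
    for policy, limit in (("none", 0), ("age", 25), ("attempts", 3)):
        delivered, dropped, stuck = drain(SAMPLE, policy, limit)
        print(f"{policy:9} delivered={delivered} dropped={dropped} stuck={stuck}")
```

With the age-based policy the three routable requests queued behind req1 are discarded along with it, while the attempt limit discards only req1.
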
No client cert request when configured EAP-TLS-Require-Client-Cert
Hi,

I have strange behavior on my freeradius. I try to make it ask for client certificate as part of EAP-TTLS authentication. I added the configuration

    EAP-TLS-Require-Client-Cert = Yes

to users configuration file as control for my username. And got the following LOG

    TLS_accept: SSLv3 write server done A
    [ttls] TLS_accept: SSLv3 flush data
    [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate

However, the sniffing shows no client certificate sending and there is no cert request sent by the server. You can see it below.

Thanks for your help.

Re: groupcmp fails during tunneled request
Hello,

Just to inform that I have solved the problem. Some parts of the ldap were not indexed properly so it caused some troubles with freeradius.

Matthew

Ivan Kalik wrote:
> > I fixed the SSL issue, restarted the server and the group check was working until now: *no huntgroup* for user
> >
> > Nothing has changed and the server has not been restarted. I just don't understand where the problem is as for the same user it's working in the first place, then after a few hours of work, it starts failing... without restarting the daemon.
>
> Debug ldap and see what is going on. For some reason you are losing the connection to ldap.
>
> Ivan Kalik
> Kalik Informatika ISP

RE: No client cert request when configured EAP-TLS-Require-Client-Cert
Forgot to add the sniffing results earlier

> Hi,
>
> I have strange behavior on my freeradius. I try to make it ask for client certificate as part of EAP-TTLS authentication. I added the configuration
>
>     EAP-TLS-Require-Client-Cert = Yes
>
> to users configuration file as control for my username. And got the following LOG
>
>     TLS_accept: SSLv3 write server done A
>     [ttls] TLS_accept: SSLv3 flush data
>     [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate
>
> However, the sniffing shows no client certificate sending and there is no cert request sent by the server. You can see it below.
>
> Thanks for your help.

    Radius Protocol
        Code: Access-challenge (11)
        Packet identifier: 0x2 (2)
        Length: 1090
        Authenticator: 30C0590D2DA3E4BBA06A60E9956D6441
        Attribute Value Pairs
            AVP: l=255 t=EAP-Message(79) Segment[1]
            AVP: l=255 t=EAP-Message(79) Segment[2]
            AVP: l=255 t=EAP-Message(79) Segment[3]
            AVP: l=255 t=EAP-Message(79) Segment[4]
            AVP: l=14 t=EAP-Message(79) Last Segment[5]
                EAP fragment
                Extensible Authentication Protocol
                    Code: Request (1)
                    Id: 3
                    Length: 1024
                    Type: EAP-TTLS [RFC5281] (21)
                    Flags(0xC0): Length More
                    TTLS version 0
                    Length: 3578
                    [EAP-TLS Fragments (3578 bytes): #14(1014), #16(1014), #18(1014), #20(536)]
                    Secure Socket Layer
                        TLSv1 Record Layer: Handshake Protocol: Server Hello
                        TLSv1 Record Layer: Handshake Protocol: Certificate
                        TLSv1 Record Layer: Handshake Protocol: Server Key Exchange
                        TLSv1 Record Layer: Handshake Protocol: Server Hello Done
            AVP: l=18 t=Message-Authenticator(80): 3B8DD2F0E3AE6A6C08BA6B8CC5A12D8B
            AVP: l=18 t=State(24): A97FDCBBAB7CC99E1A7630EF1EB500F8
                State: A97FDCBBAB7CC99E1A7630EF1EB500F8

Re: XP client can not authenticate in Radius Server - HELP ME PLEASE!!!!!!!!!!!!!
Hi Buxey,

After generating the certificates the file server.der was not created! Ca.der ok!!! What can I do???

Best regards

2009/8/18 Alan Buxey a.l.m.bu...@lboro.ac.uk:
> Hi,
>
> > Hi ALL!!!
>
> Hi! ignore the tutorials. install latest version from source...ensure /usr/local/etc/raddb or /etc/raddb doesn't exist before 'make install', then run the radiusd server...the first time it will make test certs. copy the CA.der server.der to the windows system and install as trusted certificates
>
> > I defined users file like:
> >
> >     guaraldi Auth-Type := EAP, Cleartext-Password == mudar123
>
> wrong! change to
>
>     guaraldi Cleartext-Password := mudar123
>
> now, using the SSID of whatever you chose, and the SSL cert you just trusted ...it will work!
>
> alan

Re: XP client can not authenticate in Radius Server - HELP ME PLEASE!!!!!!!!!!!!!
> Hi Buxey,
>
> After generating the certificates the file server.der was not created! Ca.der ok!!! What can I do???

It's server.crt.

Ivan Kalik
Kalik Informatika ISP

Re: virtual servers = 2 different user files
kisteorg google wrote:
> Ok. Just one point left. Where do I reference foo and bar. Are these the server names?

No. They are the names of the *instance* of the files module. You will use foo and bar in the various virtual servers, instead of files.

Alan DeKok.

Re: Freeradius and Cisco
hello,

This is what I have configured on my Cisco AP

    !
    aaa new-model
    aaa group server radius rad_eap2
     server 10.190.1.17 auth-port 1832 acct-port 1833
    aaa authentication login default group rad_eap2 local
    aaa authentication enable default group rad_eap2 enable
    aaa authorization exec default group rad_eap2 local
    !
    line vty 0 4
     transport input telnet ssh

Hope it will help you!

2009/8/21 AHMED KHIDR a.kh...@gmail.com:
> On 8/20/09, Nicholas Cappelletti n...@switchtower.org wrote:
> > Hello Rokkhan,
> >
> > I was curious if you could send me the configuration you have on your Cisco AP's for telnet/ssh access? I'm having some trouble with mine, but I'm able to authenticate my routers and switches just fine. I would ask the mailing lists, but they sometimes aren't very helpful. ;)
> >
> > --Nick
> >
> > - Original Message -
> > From: Rokkhan rokk...@gmail.com
> > To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> > Sent: Thursday, August 20, 2009 9:44:38 AM GMT -05:00 US/Canada Eastern
> > Subject: Freeradius and Cisco
> >
> > Hello
> >
> > I have been testing with my freeradius and cisco devices, such as switches, firewalls, access points, ...
> >
> > Now, I'm able to configure users validation through freeradius with Access Points and Peap. Get shell access to cisco devices and establish the level privilege of them with freeradius. And configure dot1x interfaces on switches to validate users and configure ports on different VLAN through Freeradius.
> >
> > I want to know if there is anything more that can be managed, with Freeradius, on Cisco devices. I want to explore all the options that freeradius brings to us.
> >
> > Thanks in advance.
>
> --
> Sent from my mobile device

Re: XP client can not authenticate in Radius Server - HELP ME PLEASE!!!!!!!!!!!!!
OK Kalik,

Thanks!

2009/8/25 Ivan Kalik t...@kalik.net:
> > Hi Buxey,
> >
> > After generating the certificates the file server.der was not created! Ca.der ok!!! What can I do???
>
> It's server.crt.
>
> Ivan Kalik
> Kalik Informatika ISP

Re: rlm_perl still looses tags for tagged attributes even after upgrade to 2.1.6
UP

On Thu, Aug 20, 2009 at 10:49 AM, Alexandr Kovalenko alexandr.kovale...@gmail.com wrote:
> Hello,
>
> It has been stated in release notes for FR 2.1.6 that losing of tags for tagged attributes is fixed in rlm_perl in this version, but it is not. Look at the example below:
>
>     $ radiusd -v | head -1
>     radiusd: FreeRADIUS Version 2.1.6, for host i386-portbld-freebsd7.2, built on Aug 18 2009 at 12:31:54
>
> Following code is used in sub authorize {} in perl module I'm trying to use
>
>     if (($RAD_REQUEST{'User-Name'} eq 'admin') and ($RAD_REQUEST{'User-Password'} eq 'test')) {
>         $RAD_REPLY{'ERX-Service-Activate:1'} = "telesys";
>         $RAD_REPLY{'ERX-Service-Statistics:1'} = "time-volume";
>         $RAD_REPLY{'ERX-Qos-Parameters'}[0] = "internet_tr_value 2097152";
>         $RAD_REPLY{'ERX-Qos-Parameters'}[1] = "internet_tr_value_in 2097152";
>         $RAD_REPLY{'ERX-Service-Activate:2'} = "deny";
>         $RAD_REPLY{'ERX-Qos-Profile-Name'} = "SP_Tele_Internet";
>         $RAD_REPLY{'Framed-IP-Address'} = '10.0.112.2';
>         $RAD_REPLY{'Framed-IP-Netmask'} = "255.255.255.255";
>         $RAD_REPLY{'ERX-Primary-DNS'} = "1.2.3.4";
>         $RAD_REPLY{'ERX-Secondary-DNS'} = "1.2.3.5";
>         return RLM_MODULE_OK;
>     };
>
> This gives following results:
>
>     # radtest admin test 10.3.1.252 12 huawei
>     Sending Access-Request of id 70 to 10.3.1.252 port 1812
>         User-Name = admin
>         User-Password = test
>         NAS-IP-Address = 10.1.2.13
>         NAS-Port = 12
>     rad_recv: Access-Accept packet from host 10.3.1.252 port 1812, id=70, length=188
>         ERX-Qos-Parameters = internet_tr_value 2097152
>         ERX-Qos-Parameters = internet_tr_value_in 2097152
>         ERX-Service-Activate:0 = deny
>         ERX-Service-Activate:0 = telesys
>         ERX-Qos-Profile-Name = SP_Tele_Internet
>         ERX-Service-Statistics:1 = time-volume
>         ERX-Primary-Dns = 1.2.3.4
>         ERX-Secondary-Dns = 1.2.3.5
>         Framed-IP-Address = 10.0.112.2
>         Framed-IP-Netmask = 255.255.255.255
>
> Output from radiusd -X:
>
>     rad_recv: