Re: default linelog Accounting-Request handling broken?

2009-11-24 Thread Alan DeKok
Josip Rodin wrote:
> Hi,
> 
> I made my own instance of linelog and configured it just like the default,
> i.e. it has:
> 
>   format = "..."
>   reference = "%{%{Packet-Type}:-format}"

  That's used for logging per-packet information.

>   Accounting-Request {
>   Start = "..."
>   unknown = "..."
>   }

  See the comments right above that entry for the *correct* reference to
use for accounting requests.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
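For readers who do not have the shipped raddb/modules/linelog file at hand, the reference form that its comments describe, written out as an added example (this is my illustration, not the thread's or the project's own file; the instance name, log path and format strings are my choices, and that an empty string suppresses the log line for a given status type is my reading of rlm_linelog.c). The point the debug output above illustrates is that "reference" must expand to the dotted path of a plain value such as Accounting-Request.Start; "%{%{Packet-Type}:-format}" expands to "Accounting-Request", which names the section, so the module falls back to "format".

```text
linelog acct_log {
        filename = ${logdir}/linelog-acct
        #  The lines carry user names and addresses; keep the file private.
        permissions = 0600

        #  Used when the reference resolves to something that is not a
        #  plain value (for example a whole section).  A reference that
        #  resolves to nothing at all logs nothing.
        format = "%S unhandled %{Packet-Type} user=%{User-Name}"

        #  Two-step lookup.  The inner expansion yields Start, Stop, Alive,
        #  Accounting-On or Accounting-Off ("unknown" if the packet has no
        #  Acct-Status-Type); the outer result, e.g. "Accounting-Request.Start",
        #  is the dotted path of a leaf entry in the section below.
        #  "%{%{Packet-Type}:-format}" alone expands to "Accounting-Request",
        #  which names the section, and the module reports
        #  'Entry ".Accounting-Request" is not a variable assignment'.
        reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"

        Accounting-Request {
                Start = "%S start user=%{User-Name} nas=%{NAS-IP-Address} sid=%{Acct-Session-Id} ip=%{Framed-IP-Address}"
                Stop = "%S stop user=%{User-Name} nas=%{NAS-IP-Address} sid=%{Acct-Session-Id} secs=%{Acct-Session-Time} cause=%{Acct-Terminate-Cause}"
                #  An empty value logs nothing, so interim updates are dropped.
                Alive = ""
                Accounting-On = "%S nas-on nas=%{NAS-IP-Address}"
                Accounting-Off = "%S nas-off nas=%{NAS-IP-Address}"
                unknown = "%S unknown-status nas=%{NAS-IP-Address} type=%{Acct-Status-Type}"
        }
}
```

List the instance (acct_log) in the accounting section of the virtual server. If you want one module to cover both authentication and accounting packets with the plain "%{%{Packet-Type}:-format}" reference, the per-packet-type entries have to be plain values (Access-Request = "...", Access-Reject = "...") rather than nested sections. Never put %{User-Password} or other secrets into a format string; the file is readable by anyone with access to the log directory.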


default linelog Accounting-Request handling broken?

2009-11-24 Thread Josip Rodin
Hi,

I made my own instance of linelog and configured it just like the default,
i.e. it has:

format = "..."
reference = "%{%{Packet-Type}:-format}"
Accounting-Request {
Start = "..."
unknown = "..."
}

However, I'm not getting the Accounting-Request block interpreted at all;
it just reverts to the format variable. As a workaround I set it to:

format = "%S This is a log message for %{User-Name} for packet type: %{Packet-Type} (%{request:Acct-Status-Type})"

and I get this at debug level 2:

[myownlittle_linelog]   expand: %{Packet-Type} -> Accounting-Request
[myownlittle_linelog]   expand: %{%{Packet-Type}:-format} -> Accounting-Request
[myownlittle_linelog] Entry ".Accounting-Request" is not a variable assignment 
[myownlittle_linelog]   expand: /var/log/freeradius/linelog -> /var/log/freeradius/linelog
[myownlittle_linelog]   expand: %S This is a log message for %{User-Name} for packet type: %{Packet-Type} (%{request:Acct-Status-Type}) -> 2009-11-25 02:17:02 This is a log message for u...@example.tld for packet type: Accounting-Request (Start)
++[myownlittle_linelog] returns ok

AFAICT from reading rlm_linelog.c, it looks like cf_reference_item()
worked, but cf_item_is_pair() didn't. Well, that actually makes perfect
sense. Just to verify, I added:

        if (cf_item_is_section(ci)) {
                radlog(L_ERR, "Entry \"%s\" is a section and we expected a plain variable", line);
        }

And I got that logged.

Aren't we missing a critical block of code here? :)

-- 
 2. That which causes joy or happiness.


Re: Rejecting auth from a specific realm

2009-11-24 Thread tnt
> All I am trying to do is reject auth requests from a specific realm.
>
> http://wiki.freeradius.org/Operators
>>
>> I am not sure what you are trying to do. If you are trying to match a
>> regex
>> then use a proper operator. And if you are trying to do an exact match
>> then the right side should be a string, not a regex. And use just "Realm" on
>> the
>> left.
>>
>> So something like? This gives the same error.
>
> if (Realm == your.realm)  {
> update control {
> Auth-Type = Reject
> }
> }
>
> Where is the syntax for flow control like 'if' documented?

man unlang

Ivan Kalik



Re: Rejecting auth from a specific realm

2009-11-24 Thread Ben Carbery
All I am trying to do is reject auth requests from a specific realm.

http://wiki.freeradius.org/Operators
>
> I am not sure what you are trying to do. If you are trying to match a regex
> then use a proper operator. And if you are trying to do an exact match
> then the right side should be a string, not a regex. And use just "Realm" on the
> left.
>
> So something like? This gives the same error.

if (Realm == your.realm)  {
update control {
Auth-Type = Reject
}
}

Where is the syntax for flow control like 'if' documented?

home server debugging issues

2009-11-24 Thread Josip Rodin
Hi,

I upgraded one of our proxy servers from 2.0.4 to 2.1.7, and noticed that
the proxying changed in a way that the "status_check = request" logic started
being critical, so this kind of stuff:

Sun Nov 22 09:25:56 2009 : Error: Rejecting request 70011 due to lack of any response from home server X port 1812

...was replaced, without a change in home server configuration, with:

Tue Nov 24 06:32:01 2009 : Error: PROXY: Marking home server X port 1812 as zombie (it looks like it is dead).
Tue Nov 24 06:32:03 2009 : Info: PROXY: Marking home server X port 1812 as dead.
Tue Nov 24 06:32:03 2009 : Error: PROXY: Marking home server Y port 1812 as zombie (it looks like it is dead).

Once this happened, I went to investigate, only to find out that our test
username requests were no longer summarily rejected by those two home
servers - instead they were discarded. So marking those servers alive
would never happen, and this was the obvious root of the proxying problem.

It was unclear to me why FreeRADIUS didn't notice this as soon as it first
happened, and when it eventually did, why it didn't explicate the
rationale. So I looked and found these in src/main/event.c:

RDEBUG2("No response to status check %d from home server %s port %d",
RDEBUG2("Proxying request %d to home server %s port %d",
RDEBUG2("ERROR: Failed to find live home server for realm %s",
RDEBUG2("Failed to find live home server for request %d", request->number);

It doesn't make sense for both error and debug messages to be displayed at
the same debug level. The error messages need to have priority, so that the
admin actually has a chance to see them.

In this particular situation, when I move from debug level 0 to 2 in order
to oversee these events, I get not only these messages, but gobs of rlm_sql
expansions, unlang processing logs, etc.

It would be better if some of those error messages were upgraded to L_ERR
or L_PROXY, while keeping the truly informational messages as L_DBG.
In fact it looks like there's only a single reference to L_PROXY in the
entire file.

Does this make sense? Can I submit patches?

-- 
 2. That which causes joy or happiness.


Re: Rejecting auth from a specific realm

2009-11-24 Thread tnt
>> And what does your if statement look like? It should be something like:
>
> Looks pretty much exactly like Ana's email except I've substituted 'your'
> and 'realm'
>
> if ("%{Realm}" == /your\.realm$/) {
> update control {
> Auth-Type = Reject
> }
> }

http://wiki.freeradius.org/Operators

I am not sure what you are trying to do. If you are trying to match a regex
then use a proper operator. And if you are trying to do an exact match
then the right side should be a string, not a regex. And use just "Realm" on the
left.

Ivan Kalik

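The two correct forms side by side, as an added example rather than anything posted in this thread: an exact comparison with a quoted string, and a pattern comparison with the regex operator. The realm name, the surrounding module calls and the sub-realm pattern are assumptions for the illustration; the realm itself still has to be declared in proxy.conf (LOCAL is enough) for the suffix module to set the Realm attribute at all.

```text
#  sites-enabled/default, inside the authorize section of the virtual
#  server.  unlang is only parsed in the processing sections
#  (authorize, authenticate, post-auth, accounting, ...); an "if" placed
#  anywhere else in radiusd.conf is read as an ordinary
#  "attribute = value" line and the config fails to load.
authorize {
        preprocess

        #  suffix splits user@your.realm and sets Realm, but only for
        #  realms that exist in proxy.conf.
        suffix

        #  Exact match: bare attribute name on the left, quoted string on
        #  the right.  ":=" overrides any Auth-Type an earlier module set.
        if (Realm == "your.realm") {
                update control {
                        Auth-Type := Reject
                }
        }

        #  Pattern match, covering the realm and all of its sub-realms.
        #  Only with =~ is a /regex/ valid on the right-hand side.
        #  A realm that is not in proxy.conf never gets a Realm attribute,
        #  so here the raw User-Name is tested instead; the "reject"
        #  keyword stops processing immediately.
        if (User-Name =~ /@(.+\.)?your\.realm$/) {
                reject
        }

        ...
}
```

Use one of the two blocks, not both. Both reject before any authentication happens, so the user's password is never checked and never forwarded; if the realm is also configured as a remote realm in proxy.conf, keep the test ahead of anything that sets Proxy-To-Realm, and verify with radiusd -X that the request ends in Access-Reject rather than being proxied.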


Re: Rejecting auth from a specific realm

2009-11-24 Thread Ben Carbery
> And what does your if statement look like? It should be something like:

Looks pretty much exactly like Ana's email except I've substituted 'your'
and 'realm'.

if ("%{Realm}" == /your\.realm$/) {
update control {
Auth-Type = Reject
}
}

Re: Rejecting auth from a specific realm

2009-11-24 Thread tnt
> Tried option A , but I get a syntax error:
>
> Wed Nov 25 10:14:26 2009 : Error: /etc/raddb/radiusd.conf[1829]: Line is
> not
> in 'attribute = value' format
> Wed Nov 25 10:14:26 2009 : Error: Errors reading radiusd.conf
>
> This matches the 'if' statement.

And what does your if statement look like? It should be something like:

if(Realm == "whatever") {
...
}

Ivan Kalik



Re: Rejecting auth from a specific realm

2009-11-24 Thread Ben Carbery
Tried option A , but I get a syntax error:

Wed Nov 25 10:14:26 2009 : Error: /etc/raddb/radiusd.conf[1829]: Line is not in 'attribute = value' format
Wed Nov 25 10:14:26 2009 : Error: Errors reading radiusd.conf

This matches the 'if' statement.

Correct net scheme

2009-11-24 Thread C. Diego Raffaelli A.
hi all.

I would like to apply some kind of authentication for VDSL clients. I am an
ISP.

I have a "3Com Total Control" which provides dial-up access to other users,
and I think I could use PPPoE on the same 3Com to authenticate the other
users (VDSL), because they don't use a telephone line to connect to my ISP.
They come from their homes over fiber optic to my central switch.

The 3Com provides PPPoE on its Ethernet interface.

Currently the VDSL users have bandwidth management by a Cisco 3640 router and
have no authentication, authorization or accounting at all.

So, I would like to apply a solution to:

manage the bandwidth properly (is it OK if the router does it?)

take PPPoE from the 3Com Total Control (it is a RAS) and (if necessary)
install FreeRADIUS on Debian (with MySQL and a web admin interface) to
create profiles for new users...

- I ask: can only the router work as a RADIUS or a RAS, and ignore the 3Com
RAS?

Can anybody suggest a better network scheme for this, considering all the
equipment?

thanks a lot

CDR

Re: PEAP/SoH patch

2009-11-24 Thread tnt
> What I'm looking for is help from people for review & implementation -
> in particular, if there's anyone out there who knows how the hell I get
> debugging out of WinXP SP3. Could interested and technically capable
> parties contact me off-list or direct me to a place more appropriate for
> discussion?

http://technet.microsoft.com/en-us/library/bb457017.aspx

netsh commands to enable/disable tracing work on XP as well.

Also http://support.microsoft.com/kb/328601

Ivan Kalik



RE: Combine Proxy Answer with Local Information

2009-11-24 Thread tnt
> I have one small issue that I need to address. For some of our clients
> they don't want us to proxy requests before our LAC forwards them.
> Obviously I can configure a default entry in the proxy config so that
> any domain realm that I haven't configured is matched, and specified to
> be handled locally.
>
> The problem comes that I don't know the passwords for all of the
> individual users that will come through, so effectively I just need to
> generate an Accept packet whenever I hit this default proxy config. Is
> there some way I can do this, would I need to configure something within
> the users file instead or is there something I can add within the
> authorization section to allow this to work?

If you know the usernames you can put something like this in users file:

u...@somewhere Auth-Type := Accept


Ivan Kalik



Re: Stripping Realms from SQL Accounting Queries

2009-11-24 Thread tnt
>> Perhaps do what is suggested wherever you care to look (this
>> list, documentation, website, ...) - run server in debug mode
>> (radiusd -X). Then you will see exactly what is happening.
>
> I did that, and it didn't help.  I added a realm definition back in to the
> config file, and here's the debug output now:

No, just a small snip of it.

> Doh, no dice!  Incidentally, as I mentioned in another reply a few minutes
> ago, using %{SQL-User-Name} instead of %{User-Name} results in an empty
> string,

That doesn't make much sense. SQL-User-Name *is* User-Name by default. At
least in recent versions.

>  and using only %{Stripped-User-Name} also results in an empty
> string.

Most likely suffix and sql module outputs are not from processing same
request.

> If you really would like me to, I suppose I could get you the whole debug
> output, but it's a few thousand lines for a single authorization.

Yes, we would *really* like you to! "If you want help on the list, post
the debug" is not written in the README, the FAQ and almost daily on this list
because it's someone's idea of a joke. If you don't know or are not sure
which parts of the debug are relevant - post the whole thing (including
startup). Nobody will say anything bad about it.

Ivan Kalik



Re: The MySQL databases for Freeradius

2009-11-24 Thread tnt
> I am sitting here trying to figure out how FreeRadius works towards MySQL.
>
> The database "radcheck" is for a single user if I have understood it
> correctly.
>
> What I want to do is that through MS Access make a form where I can add
> several attributes to the same row in the table.
>
> But since radcheck only seems to work with one attribute per row for one
> user I don't really know how to do it.

You *can* have multiple entries (rows) for each user. You don't have to
cram everything into a single row.

> What I mean is that if I have a user called "test-user" and want to have
> two attributes for that user, in this case "Cleartext-Password" &
> "NAS-Port-Id" I need to have two rows for that user.

Yes, you do.

> radcheck:
>
> |id|username |attribute          |op |value     |
> |1 |user-test|Cleartext-Password |== |test-pass |

That should be :=.

> |2 |user-test|NAS-Port-Id        |== |raket     |
>
> The reason I want to make a form is because I want others than me to be
> able to add new users and have them connected to the correct group which
> then will have a separate VLAN and SSID.

The form you generate with MS Access will put data into an MS Access
backend. You can't connect that form to MySQL. If you are a fan of Windows
use Windows (ASP.NET) forms or webforms which can place data into MySQL.

FreeRADIUS comes with its own admin GUI - dialup admin. There are also
outside projects like daloRadius. Or you can make your own using things
like PHP.

> So then I thought that if I use the table called "radusergroup" and link
> the user to a specific group it should work in a way that all members of
> this group may only connect to the network if they try to connect to the
> correct SSID. It seems that did not work either.

No, it will not work. Groups in SQL emulate DEFAULT entries in the users file
- if the check doesn't match, the replies are ignored - the user is not rejected.

> I am at a loss here and
> don't really know what I should do.

If you want the user to get rejected if the SSID doesn't match, you will need to
make it an entry in the radcheck table. As long as the password is there too
the user will be rejected.

Ivan Kalik

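The three corrections above put into rows, as an added example that is not from this thread: ":=" for the password, a "==" check row that rejects on mismatch, and the group tables for the VLAN. Table and column names are the stock FreeRADIUS MySQL schema; the SSID name, the VLAN id and the Called-Station-Id layout (most wireless controllers send "<AP MAC>:<SSID>") are assumptions for the illustration.

```sql
-- Check items for one user.  ":=" sets a control item (the server
-- uses Cleartext-Password to verify the password; it is never compared
-- with "==", which would look for a request attribute of that name and
-- fail).  "==" and "=~" compare against the request; every check row of
-- the user has to match, otherwise the user is rejected.
INSERT INTO radcheck (username, attribute, op, value) VALUES
    ('user-test', 'Cleartext-Password', ':=', 'test-pass'),
    ('user-test', 'NAS-Port-Id',        '==', 'raket'),
    -- assumed Called-Station-Id format "AA-BB-CC-DD-EE-FF:corp"; anchor on the SSID
    ('user-test', 'Called-Station-Id',  '=~', ':corp$');

-- Group membership.  Group rows behave like DEFAULT entries in the
-- users file: a group whose radgroupcheck rows do not match is skipped,
-- it does not reject, so the SSID check belongs in radcheck above.
INSERT INTO radusergroup (username, groupname, priority) VALUES
    ('user-test', 'corp-wifi', 1);

-- Reply items are only sent once the user has been accepted; these put
-- an accepted user into the (assumed) VLAN 42 on an 802.1X-capable switch
-- or controller.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
    ('corp-wifi', 'Tunnel-Type',             ':=', 'VLAN'),
    ('corp-wifi', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
    ('corp-wifi', 'Tunnel-Private-Group-Id', ':=', '42');
```

Check the result with radiusd -X: an Access-Request carrying a Called-Station-Id that does not end in ":corp" must produce "rlm_sql ... user-test not found" followed by Access-Reject, and one that matches must show the three Tunnel-* attributes in the Access-Accept. Confirm the exact Called-Station-Id your NAS sends from that same debug output before relying on the pattern.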


RADIUS session problem

2009-11-24 Thread toqeer ali
I am configuring RADIUS with openser and CDRtool. When I dial a number it
logs into MySQL on the RADIUS server but gives the following error, and
when I check the CDRs in CDRtool it shows all calls as "in progress".

Tue Nov 24 19:47:37 2009 : Error: rlm_sql (sql) in sql_accounting: stop packet with zero session length. [user '1...@ip address', nas 'ipaddress']

-- 
Toqeer Ali Syed

Red Hat Certified Engineer
mob: +92 321 9059916


PEAP/SoH patch

2009-11-24 Thread Phil Mayers

All,

I've started to do some work on supporting the SoH messages in PEAPv0, 
which are supported in WinXP SP3+ and Vista/Win7


So far I've made the necessary (I believe) modifications to the PEAP 
state machine, and have code to generate the SoH request TLV, but the 
clients are choking on it.


EAP Request, Identity [RFC3748]
EAP Response, Identity [RFC3748]
EAP Request, PEAP [Palekar]
TLSv1 Client Hello
EAP Request, PEAP [Palekar]
EAP Response, PEAP [Palekar]
EAP Request, PEAP [Palekar]
EAP Response, PEAP [Palekar]
TLSv1 Server Hello, Certificate, Server Hello D
TLSv1 Client Key Exchange, Change Cipher Spec,
TLSv1 Change Cipher Spec, Encrypted Handshake M
EAP Response, PEAP [Palekar]
TLSv1 Application Data
TLSv1 Application Data
TLSv1 Application Data
^^^ containing the SoH requests

...and everything stops

Please don't bombard me with "Me too, please send me your patch" 
requests at this point - it doesn't work, and I can't easily publish a 
git tree from here anyway.


What I'm looking for is help from people for review & implementation - 
in particular, if there's anyone out there who knows how the hell I get 
debugging out of WinXP SP3. Could interested and technically capable 
parties contact me off-list or direct me to a place more appropriate for 
discussion?



Re: The MySQL databases for Freeradius

2009-11-24 Thread John Dennis

On 11/24/2009 10:32 AM, Peter Carlstedt wrote:

> The database "radcheck" is for a single user if I have understood it
> correctly.

I don't know what you mean by single user, but radcheck has all the 
users in it. It may have more than one row for a given user if you want 
to check more than one attribute for that user.

> What I want to do is that through MS Access make a form where I can add
> several attributes to the same row in the table.

I don't know what MS Access has to do with this unless you're somehow 
using it as a GUI front end to MySQL, but it should be obvious you can't 
have more than one attribute per row (because that's the schema).

> But since radcheck only seems to work with one attribute per row for one
> user I don't really know how to do it.
> What I mean is that if I have a user called "test-user" and want to have
> two attributes for that user, in this case "Cleartext-Password" &
> "NAS-Port-Id" I need to have two rows for that user.

That's right.

The way radcheck works is that it does a query for all the attributes associated 
with a user; if *any* attribute comparison matches (using the operator 
for that attribute) then the check succeeds.

Caveat: some attributes are skipped during comparison (e.g. passwords, 
auth_type, etc.) because they aren't relevant during authorization.

> The table looks like this in Access (when I want to use two or more
> attributes):
>
> radcheck:
>
> |id|username |attribute          |op |value     |
> |1 |user-test|Cleartext-Password |== |test-pass |
> |2 |user-test|NAS-Port-Id        |== |raket     |



--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


RE: Combine Proxy Answer with Local Information

2009-11-24 Thread Dan Fisher | Fluidata
Hi,

Thanks for the all the pointers, I have got the proxying and post proxy
configuration working with your hints. 

I have one small issue that I need to address. For some of our clients
they don't want us to proxy requests before our LAC forwards them.
Obviously I can configure a default entry in the proxy config so that
any domain realm that I haven't configured is matched, and specified to
be handled locally.

The problem comes that I don't know the passwords for all of the
individual users that will come through, so effectively I just need to
generate an Accept packet whenever I hit this default proxy config. Is
there some way I can do this, would I need to configure something within
the users file instead or is there something I can add within the
authorization section to allow this to work?

Any help you can give would be much appreciated.

Dan Fisher



The MySQL databases for Freeradius

2009-11-24 Thread Peter Carlstedt

Hello everyone!

I am sitting here trying to figure out how FreeRadius works towards MySQL.

It is quite hard for me to explain what I want to do since I'm not good 
with MySQL, but I will try anyway and hope someone will understand what I mean. 
=)

The database "radcheck" is for a single user if I have understood it correctly.

What I want to do is, through MS Access, make a form where I can add several 
attributes to the same row in the table.

But since radcheck only seems to work with one attribute per row for one user I 
don't really know how to do it.

What I mean is that if I have a user called "test-user" and want to have two 
attributes for that user, in this case "Cleartext-Password" & "NAS-Port-Id", I 
need to have two rows for that user. 

The table looks like this in Access (when I want to use two or more attributes):

radcheck:

|id|username |attribute          |op |value     |
|1 |user-test|Cleartext-Password |== |test-pass |
|2 |user-test|NAS-Port-Id        |== |raket     |

The reason I want to make a form is because I want others than me to be able to 
add new users and have them connected to the correct group, which then will have 
a separate VLAN and SSID. 

So then I thought that if I use the table called "radusergroup" and link the 
user to a specific group it should work in a way that all members of this group 
may only connect to the network if they try to connect to the correct SSID. It 
seems that did not work either. I am at a loss here and don't really know what I 
should do. Sorry if my explanation is bad but it is quite hard for me to 
explain.

 

Best regards/ Peter Carlstedt
  

Re: custom script for access

2009-11-24 Thread Alan DeKok
d.tom.schm...@l-3com.com wrote:
> Just getting back to this project.
> 
> I want the request to come from a standard radius request from another server 
> (or the same server).
> I was to do some external checks with a bash shell script and then have the 
> script allow or deny access to the user.
> 
> I am using the flatfile for user entries.
> I currently have external scripts that write entries to the flatfile for 
> authentication.
> I can create a regular entry and have radtest verify that the entry is fine.
> 
> I cannot figure what would have to be in that authentication entry to tell 
> radius to execute the script.

  See scripts/exec-program-wait

  Alan DeKok.


Re: Unexpected "Exiting normally" 2.1.8?

2009-11-24 Thread Craig Campbell

Thanks for the correction.

I have rebuilt and am re-running my test.  I just hope I didn't somehow 
taint the bisect work and provide misleading information to Alan.


I should know some time today if I need to redo the bisection.
For my previous work I had done:

$ git bisect start
$ git bisect bad
$ git bisect good 321c0ae58641f709d115526bb564cbd8c4dab71d    <- I do not have full confidence in this

Followed by loops of:

$ ./conf
$ CFLAGS='-O0 -g' ./configure
$ make clean
$ find . -name "*.o"          <- sometimes I found lingering .o files - not certain why. I would delete any I discovered at this point
$ make
$ git bisect skip|bad|good    <- depending on if the build failed, the binary crashed or other error (skip), had the error (bad), or succeeded (good)
$ git pull                    <- I THINK this may be unnecessary.. but not certain. Docs I found on git were not entirely clear


If I need to re-bisect, could you perhaps spoon feed me the commands to 
ensure I'm doing it correctly?  Specifically, how can I acquire and verify I 
have my first "good" build?  And then the incantation to perform iterative 
bisections until I run out.


I truly hope I haven't provided misleading info.

Thanks,
-craig
- Original Message - 
From: "Alexander Clouter" 

To: 
Sent: Monday, November 23, 2009 8:13 AM
Subject: Re: Unexpected "Exiting normally" 2.1.8?



Hi,

Craig Campbell  wrote:


   I re -acquired the source, but there seems to be a (minor I think) 
error.


   $git clone git://git.freeradius.org/freeradius-server.git
   $cd freeradius-server
   $git fetch origin stable:stable
   $git pull   <- should be 'git checkout stable'
   $make clean
   $CFLAGS='-O0 -g' ./configure
   $make


Otherwise if I am reading that right you are trying to compile off the
unstable branch.

Cheers

--
Alexander Clouter
.sigmonster says: BOFH excuse #169:
 broadcast packets on wrong frequency





Re: Rejecting auth from a specific realm

2009-11-24 Thread Ana Gallardo
Sorry if I'm mistaken, and sorry for my English. I think you can use one of the
next two options. Correct me if I'm wrong.

OPTION A

You can use unlang, doing something like this:

### /etc/freeradius/proxy.conf

realm your.realm {
#   authhost = LOCAL # not strictly necessary
#   accthost = LOCAL # not strictly necessary
#   nostrip
}

### /etc/freeradius/sites-enabled/default

authorize {
    . . .
    suffix

    if ("%{Realm}" == /your\.realm$/) {
        update control {
            Auth-Type = Reject
        }
    }
}

OPTION B

Using the hints and users files:

### /etc/freeradius/hints

DEFAULT	Suffix == "your.realm"
	Hint = "MYUSERS"

### /etc/freeradius/users

DEFAULT	Hint == "MYUSERS", Auth-Type := Reject




 Ana Gallardo Gómez
