how to use mysql existing connection

2010-02-13 Thread Vijay Badola
Can I use the mysql connection, created by the server initially by reading sql.conf,
from my own separate module to get a sql query answer?

If yes, then what will be the steps? Will it affect/create any performance issue?

Regards,

Vijay

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Set Calling-Station-Id after first authorization

2010-02-13 Thread Kledi Andoni
After a bit of work, I was able to solve it by running a php script in the 
preacct process.

I added the external program with exec:

exec 1stlogin {
    wait = yes
    program = "/usr/bin/php /root/1stlogin.php %{User-Name} %{Calling-Station-Id}"
    input_pairs = request
}

Then in the preacct session I added

1stlogin

The script itself as follows:

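<?php
// Connect to the radius database
$link = mysql_connect('localhost', 'root', 'xx');
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db('radius');
// Escape the values passed in by FreeRADIUS before they are used in SQL
$user = mysql_real_escape_string($argv[1]);
$mac = mysql_real_escape_string($argv[2]);
// Any accounting row for this user means it is not the first login
$result = mysql_query("SELECT * FROM radacct WHERE `UserName`='$user' order by Username limit 1");
$val = mysql_num_rows($result);
if ($val > 0) {
    printf("Not first auth");
}
else {
    mysql_query("INSERT into radcheck (UserName, Attribute, op, Value) values ('$user', 'Calling-Station-Id', '==', '$mac')");
}
?>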


I rarely write any php, so any improvement in the code is highly appreciated. 
Do I need to return anything to freeradius in case of an error or something?

Cheers,
Kledi



On Feb 13, 2010, at 3:01 AM, EasyHorpak.com wrote:

> Kledi Andoni wrote:
>> 
>> Hello,
>> 
>> I need a way to set the Calling-Station-Id attribute automatically for each 
>> user after the first authorization request. In this way the user will be 
>> allowed to authorize only from that mac address in the future.
>> 
>> I am using freeradius 1.1.7 with mysql. I do not have the expertise to write 
>> a new module, but I believe the way to do it is:
>> 
>> - User tries to authorize and sends username/password/calling-station-id
>> - Radius verifies username/password (calling-station-id is not yet set)
>> - Check if a user has ever authorized, through a query on the radacct table. 
>> If no rows exist for the specific username then its first login
>> - insert a row containing the calling-station-id for the specific user in 
>> the radcheck table.
>> 
>> Is there a way to do this by configuring freeradius, or do I have to submit 
>> it as a request for a feature?
>> 
>> Thank you,
>> K
> you can use modules checkval to make calling-station-id check.
> But for add calling-station-id on first login, you need more scripts to add 
> it.
> you may use unlang. for me i use pppoe-server as nas. i use php to add it 
> after first login.
> 
> -- 
> http://www.EasyHorpak.com - Search for dormitories, apartments, mansions, condos, hotels
> http://www.EasyZoneCorp.net - High-quality internet management software, Hotspot and PPPoE, Anti NetCut, Mac spoof
> http://www.thai-school.net - Ready-made school and alumni websites
> EasyZone SuperLink - Exchange ten thousand links in a single click


Allowing user from one realm but not another

2010-02-13 Thread Jeff A
Here's my issue and no idea exactly how to do this.

Trying to figure it out is making me more confused.

1st, I use the users file for authentication.

I have three different realms users can login with.

For example, they are (foo.net, bar.net, beg.net).

When users login from one of the realms from my two upstream providers they
login as one of these realms. Then freeradius will strip the realm and auth the user.

My dilemma is I have some users that abused a certain realm usage and I want
to restrict them to another realm for login and deny the others.

Say bi...@foo.net has abused the foo.net realm, now I need him solely on the
beg.net and disallowing the other two realms. In other words reject him
before if he tries to use the old realm again. In other words I want to allow
only billy to use this one new realm and be rejected if he tries another
realm.

This has to take place I figure in preproxy, cause my users file is
authenticated minus the realm in proxy..

But as I said I have no idea on what to do to set this up..

I would not mind adding usernames to a file to be prechecked at preproxy and
if user is and he is not using realm specified reject him, just not sure
what to do or how..

Jeff

 


Re: Allowing user from one realm but not another

2010-02-13 Thread Gary Gatten
Assuming there are not duplicate names, can't you just rewrite his auth request
so it's always the realm you want? Billy.* = Billy.beg




RE: Allowing user from one realm but not another

2010-02-13 Thread Jeff A
Yes that would work, but not sure how to implement this. I have been trying to
find a written example of someone who has done this on the search engines, but
all I have accomplished is making myself confused.

 

 


Re: Allowing user from one realm but not another

2010-02-13 Thread Gary Gatten
LOL, easy to do with FR. I was just getting the hang of it when I was pulled 
off to another project.

Check out the operators and unlang. Maybe there are some examples within the 
users file with similar replacement operations.




RE: Allowing user from one realm but not another

2010-02-13 Thread Jeff A
So far no luck, but I will keep looking.

 

 


RE: Allowing user from one realm but not another

2010-02-13 Thread Jeff A
Ok, from what I see that won't work..

If I rewrite a username in preproxy, i.e. (bi...@foo.net) to bi...@beg.net, then
in proxy the username is authed, cause radius only looks at the username with
stripped realm.

I need to watch for billy to login and if he uses any other realm besides
bi...@beg.net then reject him before he even gets to the being authed by
server, cause my server strips realm off and only sees the username.

Rewriting the realm on the auth request for this user would allow him login no
matter what.

I think best approach would be to watch for any username named billy and if his
realm does not match realm he is allowed from then reject access before he is
sent for authentication and the realm has been stripped as it is supposed to be.

Maybe I am wrong here do not know, but here is why I am trying to do this.

Jeff

 

 


Re: Set Calling-Station-Id after first authorization

2010-02-13 Thread EasyHorpak.com




Kledi Andoni wrote:
> After a bit of work, I was able to solve it by running a php script in the
> preacct process.
>
> I added the external program with exec:
>
> exec 1stlogin {
>     wait = yes
>     program = "/usr/bin/php /root/1stlogin.php %{User-Name} %{Calling-Station-Id}"
>     input_pairs = request
> }
>
> Then in the preacct session I added
>
> 1stlogin
>
> The script itself as follows:
>
> <?php
> $link = mysql_connect('localhost', 'root', 'xx');
> if (!$link) {
>     die('Could not connect: ' . mysql_error());
> }
> mysql_select_db('radius');
> $result=mysql_query("SELECT * FROM radacct WHERE `UserName`='$argv[1]' order by Username limit 1");
> $val = mysql_num_rows($result);
> if ($val > 0) {
>     printf ("Not first auth");
> }
> else {
>     mysql_query("INSERT into radcheck (UserName, Attribute, op, Value) values ('$argv[1]', 'Calling-Station-Id', '==', '$argv[2]')");
> }
> ?>
>
> I rarely write any php, so any improvement in the code is highly
> appreciated. Do I need to return anything to freeradius in case of an
> error or something?
>
> Cheers,
> Kledi

if you need to use checkval you should change from == to := on insert sql.

change to
mysql_query("INSERT into radcheck (UserName, Attribute, op, Value) values ('$argv[1]', 'Calling-Station-Id', ':=', '$argv[2]')");

-- 
http://www.EasyHorpak.com - Search for dormitories, apartments, mansions, condos, hotels
http://www.EasyZoneCorp.net - High-quality internet management software, Hotspot and PPPoE, Anti NetCut, Mac spoof
http://www.thai-school.net - Ready-made school and alumni websites
EasyZone SuperLink - Exchange ten thousand links in a single click
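The first-login binding discussed in this thread, written with bound parameters and input validation, as an added example that is not code from any of the posters or from FreeRADIUS. It is in Python with an in-memory SQLite database standing in for the MySQL radius database; make_demo_db, bind_first_login and run are hypothetical names, the sample rows are constructed, and treating a non-zero exit status as failure is an assumption about how the exec caller reads it.

```python
#!/usr/bin/env python3
"""First-login Calling-Station-Id binding, written defensively (added example)."""
import re
import sqlite3
import sys

# Accept the usual MAC spellings (aa:bb:.., aa-bb-.., aabb.ccdd.eeff, aabbccddeeff)
# and nothing else, so quotes or SQL fragments never get past validation.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:.-]?[0-9A-Fa-f]{2}){5}")
# "==" is what the original script stores, ":=" is the checkval suggestion.
ALLOWED_OPS = ("==", ":=")


def make_demo_db():
    """In-memory stand-in for the radius database, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radacct (UserName TEXT, CallingStationId TEXT);
        CREATE TABLE radcheck (id INTEGER PRIMARY KEY AUTOINCREMENT,
                               UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
        INSERT INTO radacct VALUES ('alice', '00:11:22:33:44:55');
    """)
    return db


def bind_first_login(db, username, station_id, op="=="):
    """Store station_id for username if this is the first login.

    Returns 'bound', 'already-bound' or 'not-first-login'.
    Raises ValueError when an argument fails validation.
    """
    if op not in ALLOWED_OPS:
        raise ValueError("unsupported operator")
    if not username or len(username) > 64:
        raise ValueError("bad User-Name")
    if not MAC_RE.fullmatch(station_id):
        raise ValueError("bad Calling-Station-Id")

    cur = db.cursor()
    # Values travel as bound parameters, never as part of the SQL text.
    cur.execute("SELECT 1 FROM radacct WHERE UserName = ? LIMIT 1", (username,))
    if cur.fetchone():
        return "not-first-login"
    # Do not stack a second check item if the script runs twice before
    # the first accounting row has been written.
    cur.execute(
        "SELECT 1 FROM radcheck WHERE UserName = ? "
        "AND Attribute = 'Calling-Station-Id' LIMIT 1", (username,))
    if cur.fetchone():
        return "already-bound"
    # The value is stored exactly as the NAS sent it, so a later string
    # comparison against the same NAS format still matches.
    cur.execute(
        "INSERT INTO radcheck (UserName, Attribute, op, Value) "
        "VALUES (?, 'Calling-Station-Id', ?, ?)", (username, op, station_id))
    db.commit()
    return "bound"


def run(argv, db):
    """Exit status for the caller: 0 on success, 1 on bad input or a DB error."""
    if len(argv) != 3:
        return 1
    try:
        outcome = bind_first_login(db, argv[1], argv[2])
    except (ValueError, sqlite3.Error) as exc:
        print("1stlogin: %s" % exc, file=sys.stderr)
        return 1
    print("1stlogin: %s" % outcome, file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(run(sys.argv, make_demo_db()))
```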

Re: Allowing user from one realm but not another

2010-02-13 Thread Alan DeKok
Jeff A wrote:
> I have three different realms users can login with
> 
> For examples they are (foo.net, bar.net, beg.net)

  Are all users valid on all realms?  If so, why?

> Say bi...@foo.net has abused the foo.net realm
> now I need him solely on the beg.net and disallowing the other two
> realms. In other words reject him before if he tries to use the old realm
> again. In other words I want to allow only billy to use this one new
> realm and be rejected if he tries another realm.

  Then you need a rule specifically for that user.

> This has to take place I figure in preproxy, cause my users file is
> authenticated minus the realm in proxy..

  You can still access the "Realm" attribute in the "users" file:

bob Realm != "foo.net", Auth-Type := Reject

  Alan DeKok.


Re: how to use mysql existing connection

2010-02-13 Thread Alan DeKok
Vijay Badola wrote:
> Can I use mysql connection, created by server initially by reading
> sql.conf, from my own separate module to get sql query answer?

  Why not just use the dynamic expansion:

Filter-Id := "%{sql: SELECT ...}"

  Alan DeKok.