Re: SQL query error; rejecting user

2010-10-11 Thread Daniel Sandulescu
So I did: I deleted everything in /etc/raddb and configured it again according to the requirements there.


My question was whether I can see where the error is.

Sincerely,
Daniel

- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, October 11, 2010 6:23 PM
Subject: Re: SQL query error; rejecting user



Daniel Sandulescu wrote:

Returning to this, I got this far and do not know where the error is...


 If you're not going to read the messages on this list, then I don't
see why you are posting questions.

 You have DELETED the entire configuration.  Why?

 Use the configuration from 2.1.10.  It's not hard.  Delete the
existing /etc/raddb directory (or move it somewhere else), and install
it again.

 And then CHECK the configuration directory.  If it's empty, don't
bother posting to the list.  Go fix it yourself.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Defining an Auth-Type based on a realm

2010-10-11 Thread Alan DeKok
Mathew Rowley wrote:
> Is there a typical way to set an ‘Auth-Type := Kerberos’ when a user is
> part of a specific realm? For testing purposes, I am able to add this to
> the ‘users’ file:
> 
> DEFAULT	Auth-Type := Kerberos
> 
> But, will need something based on realm in the future.

  You can do comparisons on the Realm, too.  It's just another attribute.

  Alan DeKok.
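An added example of the comparison Alan refers to; it is not from the thread or from the FreeRADIUS distribution. It is a `users` file entry that keys Auth-Type on the Realm attribute, and it assumes the stock 2.x authorize ordering (the `suffix` instance of rlm_realm runs before `files`, so Realm is already set when the entry is evaluated) and a realm named example.org declared in proxy.conf; both the realm name and the choice of PAP for the rest are placeholders.

```text
# proxy.conf: rlm_realm only adds the Realm attribute for realms it knows about,
# so the realm must be declared even when it is handled locally (no auth hosts).
realm example.org {
}

# users file: check items first (Realm), then the Auth-Type to force for that realm.
DEFAULT	Realm == "example.org", Auth-Type := Kerberos
	Fall-Through = no

# Everything else falls through to the server's normal Auth-Type selection;
# a second DEFAULT entry could pin another realm to another method the same way.
```

Run the server with `-X` and look for the `[files]` line in the authorize output to confirm which entry matched; if Realm never appears in the debug output for a user@example.org login, the realm is not declared or `suffix` runs after `files`.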

Re: Microsoft SoH Support

2010-10-11 Thread James J J Hooper

On 11/10/2010 22:14, James J J Hooper wrote:

On 11/10/2010 12:37, Phil Mayers wrote:

On 09/10/10 15:01, Garber, Neal wrote:

Thanks to a lot of work by Phil Mayers, the server now has support for
Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.


Wow! That *must* have been a lot of work! Thank you Phil.

Does this mean FreeRADIUS can now act as a Health Policy Server?


Yes, though it's not 100%. Specifically the code can challenge clients for
an SoH, and the client will submit it and FreeRadius decode it. There is
not (yet) support for FreeRadius generating and emitting an SoHR, because
I don't have a working example of such, and decoding the MS-SOH spec is
REALLY REALLY hard without at least some working data to compare to the
awful spec language!



Hi Phil, Alan,

http://msdn.microsoft.com/en-us/library/cc251376%28v=PROT.10%29.aspx

-> Independent of the above states, the last bit of the third byte of the
AU ClientStatusCode can take the value of 1 if the AU settings on the
client are controlled by policy.

[We do a little of
http://technet.microsoft.com/en-us/library/cc708449%28WS.10%29.aspx on our
clients via our wireless set-up wizard to help them keep up to date with
patches]

... Therefore patch attached {"confd-by=" format only a suggestion}.


...I wonder if MS ever end up with:

case 0x0105:
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s warn unconfigured confd-by=policy", s);


Oh well, it's in the spec...

-James


Re: Microsoft SoH Support

2010-10-11 Thread James J J Hooper

On 11/10/2010 12:37, Phil Mayers wrote:

On 09/10/10 15:01, Garber, Neal wrote:

Thanks to a lot of work by Phil Mayers, the server now has support for
Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.


Wow! That *must* have been a lot of work! Thank you Phil.

Does this mean FreeRADIUS can now act as a Health Policy Server?


Yes, though it's not 100%. Specifically the code can challenge clients for
an SoH, and the client will submit it and FreeRadius decode it. There is
not (yet) support for FreeRadius generating and emitting an SoHR, because
I don't have a working example of such, and decoding the MS-SOH spec is
REALLY REALLY hard without at least some working data to compare to the
awful spec language!



Hi Phil, Alan,

http://msdn.microsoft.com/en-us/library/cc251376%28v=PROT.10%29.aspx

-> Independent of the above states, the last bit of the third byte of the 
AU ClientStatusCode can take the value of 1 if the AU settings on the 
client are controlled by policy.


[We do a little of 
http://technet.microsoft.com/en-us/library/cc708449%28WS.10%29.aspx on our 
clients via our wireless set-up wizard to help them keep up to date with 
patches]


... Therefore patch attached {"confd-by=" format only a suggestion}.

-James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk  http://www.jamesjj.net
--

--- soh.c-orig  2010-10-11 20:54:28.0 +
+++ soh.c-new1  2010-10-11 21:02:49.0 +
@@ -500,19 +500,34 @@ int soh_verify(VALUE_PAIR *sohvp, const 
s = "auto-updates";
switch (hcstatus) {
case 1:
-   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s warn disabled", s);
+   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s warn disabled 
confd-by=user", s);
break;
case 2:
-   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s ok action=check-only", 
s);
+   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s ok action=check-only 
confd-by=user", s);
break;
case 3:
-   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s ok action=download", s);
+   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s ok action=download 
confd-by=user", s);
break;
case 4:
-   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s ok action=install", s);
+   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s ok action=install 
confd-by=user", s);
break;
case 5:
-   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s warn unconfigured", s);
+   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s warn unconfigured 
confd-by=user", s);
+   break;
+   case 0x0101:
+   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s warn disabled 
confd-by=policy", s);
+   break;
+   case 0x0102:
+   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s ok action=check-only 
confd-by=policy", s);
+   break;
+   case 0x0103:
+   
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s ok action=download 
confd-by=policy", s);
+  
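Review bot: the new `case 0x0101:` to `case 0x0103:` arms at the end of the hunk repeat the string bodies of `case 1:` to `case 3:` verbatim, differing only in the `confd-by=` suffix, and the visible part of the hunk ends before the remaining policy-controlled codes (the follow-up message in this thread asks whether 0x0105 ever occurs). Since the earlier message describes the policy indication as a single bit of the status code, consider deriving the suffix once and masking the bit before the switch, e.g. `const char *by = (hcstatus & 0x0100) ? "policy" : "user";` followed by `switch (hcstatus & ~0x0100) {`, with each arm formatting `"%s warn disabled confd-by=%s", s, by`; five arms then cover both variants of every code, and a code with the bit set but an unknown low byte falls to the same default as today. Also note the archive copy of this patch is line-wrapped by the mail client (several string literals are split across lines), so the original attachment rather than this text is what should be applied.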

Defining an Auth-Type based on a realm

2010-10-11 Thread Mathew Rowley
Is there a typical way to set an ‘Auth-Type := Kerberos’ when a user is part
of a specific realm? For testing purposes, I am able to add this to the
‘users’ file:

DEFAULT	Auth-Type := Kerberos

But, will need something based on realm in the future.

Re: Microsoft SoH Support

2010-10-11 Thread Phil Mayers

On 11/10/10 16:23, Alan DeKok wrote:

Phil Mayers wrote:

Ok, the attached should be more sane


   Debug messages shouldn't have "\n".  The log function adds the "\n"
itself.


Yeah - that's in 0004-*.patch (I noticed it when using the excellent 
raddebug to test that the SoH stuff appeared)



Re: Microsoft SoH Support

2010-10-11 Thread Alan DeKok
Phil Mayers wrote:
> Ok, the attached should be more sane

  Debug messages shouldn't have "\n".  The log function adds the "\n"
itself.

  Alan DeKok.


Re: SQL query error; rejecting user

2010-10-11 Thread Alan DeKok
Daniel Sandulescu wrote:
> Returning to this, I got this far and do not know where the error is...

  If you're not going to read the messages on this list, then I don't
see why you are posting questions.

  You have DELETED the entire configuration.  Why?

  Use the configuration from 2.1.10.  It's not hard.  Delete the
existing /etc/raddb directory (or move it somewhere else), and install
it again.

  And then CHECK the configuration directory.  If it's empty, don't
bother posting to the list.  Go fix it yourself.

  Alan DeKok.


RE: Service-Logon

2010-10-11 Thread Jay Kuhne (jkuhne)
One step closer by reverse-engineering a TAC example... but still not
quite working


# "users" file - initial bring up
jkuh...@asr_5_61 Cleartext-Password := "hello1"
Service-Type += Framed-User,
Framed-Protocol += PPP,
Cisco-Account-Info += "NAMED_ACL_SERVICE",
Framed-IPv6-Prefix += "0015:::::::/64",
cisco-avpair += "ipv6:inacl#1=permit ipv6  15::0/64 any",
cisco-avpair += "ipv6:inacl#2=permit tcp  1::1/64  any eq 50001",
Fall-Through = no

DEFAULT	Prefix == "NAMED_ACL_SERVICE"
   Service-Type += Outbound-User,
   cisco-avpair += "ipv6:inacl=IN_ACL_NAMED_v6_2"



#Able to see it on NAS
asr05#sh aaa service-profiles

1000> Service Name: asr_5_61
1001> Service Name: NAMED_ACL_SERVICE

# attempting COA
User-Name += "jkuh...@asr_5_61"
Acct-Session-Id="03EE"
cisco-avpair += "subscriber:command=activate-service"
cisco-avpair += "subscriber:service-name=NAMED_ACL_SERVICE"

# Radius Debug:
Oct 11 14:11:37.838: COA: 5.28.21.99 request queued
Oct 11 14:11:37.838: RADIUS:  authenticator 43 98 88 99 AE 20 8E CA - DE
91 37 88 E8 74 93 D8
Oct 11 14:11:37.838: RADIUS:  User-Name   [1]   18
"jkuh...@asr_5_61"
Oct 11 14:11:37.838: RADIUS:  Acct-Session-Id [44]  10  "03EE"
Oct 11 14:11:37.838: RADIUS:  Vendor, Cisco   [26]  43  
Oct 11 14:11:37.838: RADIUS:   Cisco AVpair   [1]   37
"subscriber:command=activate-service"
Oct 11 14:11:37.838: RADIUS:  Vendor, Cisco   [26]  49  
Oct 11 14:11:37.838: RADIUS:   Cisco AVpair   [1]   43
"subscriber:service-name=NAMED_ACL_SERVICE"
Oct 11 14:11:37.838: COA: Message Authenticator missing or failed decode

I can do COA successfully for tagged or named ACLs defined directly, so
overall feel it is a syntax issue.

Any suggestions appreciated.
Jay

-Original Message-
From: freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org
[mailto:freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Saturday, October 09, 2010 7:51 AM
To: FreeRadius users mailing list
Subject: Re: Service-Logon

Jay Kuhne (jkuhne) wrote:
> Thanks for the reply.  Does it need to be configured on the NAS or the
> NAS accepts Radius is telling it "this is the policy to use"

  See the NAS documentation for how the NAS behaves.

> Any other thoughts on what I might be doing incorrectly?

  No idea.  The only goal in RADIUS is to get the "right" contents to
the NAS.  We document how to put things in the packet.  The NAS
documents what it needs in the packet.

  Alan DeKok.

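The last line of the NAS debug above reports the Message-Authenticator as missing or failing verification. The following is an added example, not from the thread and not FreeRADIUS or Cisco code, that builds and checks a CoA-Request the way RFC 5176 describes so the two failure cases can be told apart: the Message-Authenticator is an HMAC-MD5 over the packet computed with the Request Authenticator field and the attribute's own value zeroed, and the Request Authenticator is then MD5 over Code, Identifier, Length, sixteen zero octets, the attributes (including the HMAC) and the shared secret. The attribute list is a constructed sample modelled on the CoA quoted above (the user name is a placeholder, the secret is invented), and the verdict strings are this example's own.

```python
# Added example (not from the thread): build and verify a RADIUS CoA-Request as
# RFC 5176 describes, to show what a receiver checks before it reports the
# Message-Authenticator as missing or failed.
import hashlib
import hmac
import struct

COA_REQUEST = 43                 # RADIUS Code for CoA-Request
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80
VENDOR_CISCO = 9
CISCO_AVPAIR = 1                 # vendor type of Cisco-AVPair


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (Length counts its 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Encode a Cisco AVpair inside a Vendor-Specific attribute (RFC 2865 5.26)."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + vsa)


def build_coa_request(identifier, attrs, secret, sign=True):
    """Assemble a CoA-Request. With sign=True a Message-Authenticator is added:
    HMAC-MD5 keyed with the secret over the packet whose Request Authenticator and
    Message-Authenticator value are zero; the Request Authenticator is then
    MD5(Code+ID+Length+16 zero octets+attributes+secret) over the packet that
    already carries the real HMAC. sign=False mimics a sender that omits it."""
    body = b"".join(attrs)
    if sign:
        body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    if sign:
        mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
        body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    request_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_auth + body


def verify_coa_request(packet, secret):
    """Check a CoA-Request as the receiver does. Returns 'ok', 'missing' (no
    Message-Authenticator), 'failed' (wrong secret or altered bytes) or 'malformed'."""
    if len(packet) < 20:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return "malformed"
    header, request_auth, body = packet[:4], packet[4:20], packet[20:]
    zeroed = bytearray(body)     # copy with the Message-Authenticator value blanked
    received_mac = None
    pos = 0
    while pos < len(body):       # walk the TLVs, rejecting any that overrun the packet
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            return "malformed"
        if body[pos] == ATTR_MESSAGE_AUTHENTICATOR and body[pos + 1] == 18:
            received_mac = bytes(body[pos + 2:pos + 18])
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += body[pos + 1]
    if received_mac is None:
        return "missing"
    expected_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    expected_mac = hmac.new(secret, header + bytes(16) + bytes(zeroed), hashlib.md5).digest()
    if not (hmac.compare_digest(request_auth, expected_auth)
            and hmac.compare_digest(received_mac, expected_mac)):
        return "failed"
    return "ok"


# Constructed sample modelled on the CoA in the thread; user name and secret are placeholders.
SECRET = b"testing123"
SAMPLE_ATTRS = [
    attr(ATTR_USER_NAME, b"user@asr_5_61"),
    attr(ATTR_ACCT_SESSION_ID, b"03EE"),
    cisco_avpair("subscriber:command=activate-service"),
    cisco_avpair("subscriber:service-name=NAMED_ACL_SERVICE"),
]


def demo():
    """Verdicts for a signed request, one without Message-Authenticator, and one
    checked with a different shared secret."""
    signed = build_coa_request(0x10, SAMPLE_ATTRS, SECRET)
    unsigned = build_coa_request(0x11, SAMPLE_ATTRS, SECRET, sign=False)
    return (verify_coa_request(signed, SECRET),
            verify_coa_request(unsigned, SECRET),
            verify_coa_request(signed, b"wrong-secret"))


if __name__ == "__main__":
    print(demo())   # ('ok', 'missing', 'failed')
```

The two non-ok verdicts correspond to the two halves of the NAS message: a request sent without the attribute is "missing", while a secret mismatch between the CoA sender and the NAS client definition, or any byte changed in flight, is "failed".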


Re: SQL query error; rejecting user

2010-10-11 Thread Daniel Sandulescu

Returning to this, I got this far and do not know where the error is...

rad_recv: Access-Request packet from host 127.0.0.1 port 58178, id=244, 
length=115

   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = "phlander"
   CHAP-Challenge = 0x4ff1c005798fc649dd7acb1270f8d142d169b3e1f4
   CHAP-Password = 0x14362cd1151241b3faf7b4826269ee9771
   Calling-Station-Id = "00:42:15:11:24:57"
   NAS-IP-Address = 10.0.0.1
   NAS-Port = 0
 WARNING: Empty authorize section.  Using default return values.
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting 
the user

Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 244 to 127.0.0.1 port 58178
Waking up in 4.9 seconds.
Cleaning up request 0 ID 244 with timestamp +13
Ready to process requests.



- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, October 11, 2010 4:44 PM
Subject: Re: SQL query error; rejecting user



Daniel Sandulescu wrote:


I upgraded to version 2.1.10 and now I have this error:


 The entire point of the debug output is to *read* it.  You have the
same problem as last time.

 And even worse, you "upgraded" to 2.1.10, and left all of the
problematic configuration files in place.

 Instead, use the 2.1.10 configuration files, and then edit them.  See
"man radiusd"

 Alan DeKok.






Re: Detailed Logging freeradius Request Packets

2010-10-11 Thread Jean F. Mousinho
On Sun, 2010-10-10 at 08:50 +0200, Alan DeKok wrote:
> Jean-Francois Mousinho wrote:
> > I've tried to find a way of detail logging the packets sent by
> > freeradius to the client in the authentication phase but didn't found a
> > way of doing it. Maybe I've not looked correctly so I'm asking if it's
> > actually possible?
> 
>   Yes.
> 
> > I was able to log detailed packets sent by the client (Response packets)
> > but not the ones sent by freeradius to the client (except accounting and
> > proxied ones).
> 
>   raddb/modules/detail.log

auth_log is activated in detail.log, and in the authorize section of
sites-enabled/default.

Example of packet exchange...

Sequence in the freeradius logs gives (grep'ed Message-Authenticator):

  Message-Authenticator = 0x8af956293cf49787a8a291406ea9de91
  Message-Authenticator = 0xefb5ce8677fa2bbfbae3eca96071cd45
  Message-Authenticator = 0x8ccbc2c39bf018909859bb683ca8c058
  ...

In the eapol_test supplicant, I got the following (also grep'ed):

   Attribute 80 (Message-Authenticator) length=18
  Value: 8a f9 56 29 3c f4 97 87 a8 a2 91 40 6e a9 de 91
   Attribute 80 (Message-Authenticator) length=18
  Value: 2b fc 84 c6 41 fa 0f 48 bb 44 66 0b c8 e7 56 3f
   Attribute 80 (Message-Authenticator) length=18
  Value: ef b5 ce 86 77 fa 2b bf ba e3 ec a9 60 71 cd 45
   Attribute 80 (Message-Authenticator) length=18
  Value: 67 20 0e f4 6e 13 09 b7 4c 6c f2 4f 81 1f a9 70

So the message *3f (and others are not logged). The message 3f in
eapol_test output:

Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=86
   Attribute 1 (User-Name) length=22
  Value:  ...
   Attribute 79 (EAP-Message) length=8
  Value: 01 01 00 06 19 20
   Attribute 80 (Message-Authenticator) length=18
  Value: 2b fc 84 c6 41 fa 0f 48 bb 44 66 0b c8 e7 56 3f
   Attribute 24 (State) length=18
  Value: e6 3d 08 c0 e6 3c 11 c3 1a d2 99 89 61 b8 e9 51
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec

So this message, the Access-Challenge messages are not logged, although
the Access-Accept are logged.

I should have said I want to log Access-Challenge messages, would be
more correct.

Thanks for your time.

Jean-François Mousinho


Re: Microsoft SoH Support

2010-10-11 Thread James J J Hooper



--On Monday, October 11, 2010 14:24:07 +0200 Alan DeKok wrote:



Phil Mayers wrote:

I've tested it with WinXP SP3, Vista and Win7. There is one compile fix
needed which must have snuck through (attached)


  I deleted all references to the REQUEST structure from src/lib/soh.c.
 The library functions are for clients, not just the server.

  The code in "git" should now be up to date, and should compile.



[I know it's work in progress, just FYI...]

There are two unprotected fprintf in peap.c which appear to block the 
server if you run it daemonized [i.e. not -X]:


$ grep -A 5 -B 5 JJJ ./src/modules/rlm_eap/types/rlm_eap_peap/peap.c
rad_assert(t->soh_virtual_server != NULL);
fake->server = t->soh_virtual_server;

RDEBUG("Processing SoH request");
debug_pair_list(fake->packet->vps);
//JJJ fprintf(fr_log_fp, "server %s {\n", fake->server);
rad_authenticate(fake);
//JJJ fprintf(fr_log_fp, "} # server %s\n", fake->server);
RDEBUG("Got SoH reply");
debug_pair_list(fake->reply->vps);

if (fake->reply->code != PW_AUTHENTICATION_ACK) {
RDEBUG2("SoH was rejected");


-James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--




Re: SQL query error; rejecting user

2010-10-11 Thread Alan DeKok
Daniel Sandulescu wrote:
> 
> I upgraded to version 2.1.10 and now I have this error:

  The entire point of the debug output is to *read* it.  You have the
same problem as last time.

  And even worse, you "upgraded" to 2.1.10, and left all of the
problematic configuration files in place.

  Instead, use the 2.1.10 configuration files, and then edit them.  See
"man radiusd"

  Alan DeKok.


Re: SQL query error; rejecting user

2010-10-11 Thread Daniel Sandulescu


I upgraded to version 2.1.10 and now I have this error:

rad_recv: Access-Request packet from host 127.0.0.1 port 48934, id=235, 
length=116

   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = "phlander"
   CHAP-Challenge = 0x697c26c79cb6f40f57fbbbddb6bc63d8e805ee6a9b75
   CHAP-Password = 0x8c0a8927b6df3d0ac0c6f0cc6444b19ed9
   Calling-Station-Id = "00:42:15:11:24:57"
   NAS-IP-Address = 10.0.0.1
   NAS-Port = 0
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand:  ->
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 1
++[sql] returns fail
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 235 to 127.0.0.1 port 48934
Waking up in 4.9 seconds.
Cleaning up request 3 ID 235 with timestamp +164
Ready to process requests.




- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, October 11, 2010 3:21 PM
Subject: Re: SQL query error; rejecting user



Daniel Sandulescu wrote:


Hello!
I got the following error in the log and do not know where to look.
Can someone help me?


 It means you've edited the default configuration, and broken it.


  modcall[authorize]: module "mschap" returns noop for request 0
radius_xlat:  ''


 i.e. the SQL query is empty.  It shouldn't be empty.

 You're also running 1.1.x.  I *strongly* suggest upgrading to 2.1.10,
which was released last week.

 Alan DeKok.






Re: Microsoft SoH Support

2010-10-11 Thread Alan Buxey
Hi,

> It's fairly useful though - you can enable it, and SoH-enabled clients 
> will submit info like:



> This can be punted to a virtual server, and you can assign a vlan or 
> reject authentication etc.
> 
> I've tested it with WinXP SP3, Vista and Win7. There is one compile fix 
> needed which must have snuck through (attached)

Just to report that we've been using this for a little while (via its old
direct GIT) and I'm happy to see it starting to go into the main tree...

We are not using it YET for direct policy decisions (i.e. putting people onto
different VLANs); we are just starting to record the status of our clients'
health and security posture. It will hopefully give us interesting client
metrics.

alan


RE: Service-Logon

2010-10-11 Thread Jay Kuhne (jkuhne)
Hi Alan,

Thank you, this helps. Will have another go at debugging from the NAS
side.
I'll post back once I get it working.
Jay


-Original Message-
From: freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org
[mailto:freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Saturday, October 09, 2010 7:51 AM
To: FreeRadius users mailing list
Subject: Re: Service-Logon

Jay Kuhne (jkuhne) wrote:
> Thanks for the reply.  Does it need to be configured on the NAS or the
> NAS accepts Radius is telling it "this is the policy to use"

  See the NAS documentation for how the NAS behaves.

> Any other thoughts on what I might be doing incorrectly?

  No idea.  The only goal in RADIUS is to get the "right" contents to
the NAS.  We document how to put things in the packet.  The NAS
documents what it needs in the packet.

  Alan DeKok.



Re: Microsoft SoH Support

2010-10-11 Thread Alan DeKok
Phil Mayers wrote:
> Indeed. Is there a good way besides the DEBUG macro to emit debugging
> output in lib/*.c code?

  Nope.

> I imagine there will be SoH type/value or
> type/len/value stuff that we'll want to log (but others that we won't -
> it's probably too noisy as-is)

  OK.

> Also I guess the "right" thing to do is use the RDEBUG macros where
> possible so that the per-request / radmin conditional debugging works?

  Yes.

> Perhaps lib/soh.c should move to main/, given it's not much use for the
> clients?

  Hmm... that would work, too.  I can always "git mv" the file if that
would be best, then re-add the RDEBUG macros.

  Alan DeKok.


Re: Microsoft SoH Support

2010-10-11 Thread Phil Mayers

On 11/10/10 13:24, Alan DeKok wrote:

Phil Mayers wrote:

I've tested it with WinXP SP3, Vista and Win7. There is one compile fix
needed which must have snuck through (attached)


   I deleted all references to the REQUEST structure from src/lib/soh.c.
  The library functions are for clients, not just the server.


Indeed. Is there a good way besides the DEBUG macro to emit debugging 
output in lib/*.c code? I imagine there will be SoH type/value or 
type/len/value stuff that we'll want to log (but others that we won't - 
it's probably too noisy as-is)


Also I guess the "right" thing to do is use the RDEBUG macros where 
possible so that the per-request / radmin conditional debugging works? 
Perhaps lib/soh.c should move to main/, given it's not much use for the 
clients?



Re: Microsoft SoH Support

2010-10-11 Thread Alan DeKok
Phil Mayers wrote:
> I've tested it with WinXP SP3, Vista and Win7. There is one compile fix
> needed which must have snuck through (attached)

  I deleted all references to the REQUEST structure from src/lib/soh.c.
 The library functions are for clients, not just the server.

  The code in "git" should now be up to date, and should compile.

  Alan DeKok.


Re: SQL query error; rejecting user

2010-10-11 Thread Alan DeKok
Daniel Sandulescu wrote:
>  
> Hello!
> I got the following error in the log and do not know where to look.
> Can someone help me?

  It means you've edited the default configuration, and broken it.

>   modcall[authorize]: module "mschap" returns noop for request 0
> radius_xlat:  ''

  i.e. the SQL query is empty.  It shouldn't be empty.

  You're also running 1.1.x.  I *strongly* suggest upgrading to 2.1.10,
which was released last week.

  Alan DeKok.


Re: Microsoft SoH Support

2010-10-11 Thread Phil Mayers

On 09/10/10 15:01, Garber, Neal wrote:

Thanks to a lot of work by Phil Mayers, the server now has support for
Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.


Wow!  That *must* have been a lot of work!  Thank you Phil.

Does this mean FreeRADIUS can now act as a Health Policy Server?


Yes, though it's not 100%. Specifically the code can challenge clients 
for an SoH, and the client will submit it and FreeRadius decode it. 
There is not (yet) support for FreeRadius generating and emitting an 
SoHR, because I don't have a working example of such, and decoding the 
MS-SOH spec is REALLY REALLY hard without at least some working data to 
compare to the awful spec language!


It's fairly useful though - you can enable it, and SoH-enabled clients 
will submit info like:


[peap] Processing SoH request
SoH-Supported = yes
SoH-MS-Machine-OS-vendor = Microsoft
SoH-MS-Machine-OS-version = 5
SoH-MS-Machine-OS-release = 1
SoH-MS-Machine-OS-build = 2600
SoH-MS-Machine-SP-version = 3
SoH-MS-Machine-SP-release = 0
SoH-MS-Machine-Processor = x86
SoH-MS-Machine-Name = "machine.test.ic.ac.uk"
SoH-MS-Correlation-Id = 0x...
SoH-MS-Machine-Role = client
SoH-MS-Windows-Health-Status = "firewall error down"
SoH-MS-Windows-Health-Status = "antivirus error down"
SoH-MS-Windows-Health-Status = "auto-updates warn service-down"
SoH-MS-Windows-Health-Status = "security-updates ok all-installed"
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "host/machine.test.ic.ac.uk"

This can be punted to a virtual server, and you can assign a vlan or 
reject authentication etc.


I've tested it with WinXP SP3, Vista and Win7. There is one compile fix 
needed which must have snuck through (attached)
diff --git a/src/modules/rlm_soh/rlm_soh.c b/src/modules/rlm_soh/rlm_soh.c
index 027e0f6..c5aa1fe 100644
--- a/src/modules/rlm_soh/rlm_soh.c
+++ b/src/modules/rlm_soh/rlm_soh.c
@@ -205,7 +205,7 @@ static int soh_authorize(UNUSED void * instance, REQUEST 
*request)
 
RDEBUG("SoH radius VP found");
/* decode it */
-   rv = soh_verify(request->packet->vps, vp->vp_octets, vp->length);
+   rv = soh_verify(request, request->packet->vps, vp->vp_octets, 
vp->length);
 
return RLM_MODULE_OK;
 }
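Review bot: `rv` is assigned from `soh_verify()` in the changed line but never inspected; the function returns `RLM_MODULE_OK` two lines later whether or not the SoH blob decoded. Suggest testing it against soh_verify's failure value before the `return RLM_MODULE_OK;`, for example logging with `RDEBUG` and returning `RLM_MODULE_FAIL` (or at least `RLM_MODULE_NOOP`) on failure, so that a malformed or truncated SoH from a client is distinguishable, in the module return code and in the debug output, from one that was decoded and whose attributes the later policy can trust.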
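An added example, not from the thread and not FreeRADIUS code, that ties together two points made in this thread: James's observation that one bit of the auto-updates ClientStatusCode marks settings as policy-controlled, and Phil's note that the decoded SoH-MS-Windows-Health-Status strings above are what a virtual server gets to decide on. The state values 1 to 5 and their wording are those used by the soh.c patch posted earlier in the thread, with 0x0100 as the policy flag taken from that patch's case values; masking the flag instead of enumerating every combination means a code such as 0x0105 needs no extra case. The treatment of unknown codes and the three-level verdict are this example's own choices, and the status lines fed to the verdict are taken from Phil's sample output.

```python
# Added example: decode the MS-SOH auto-updates ClientStatusCode the way soh.c's
# soh_verify() builds its health-status string, but with the policy flag masked
# off instead of one switch arm per (state, policy) combination, then reduce a
# client's full set of health-status lines to one verdict.

AU_POLICY_FLAG = 0x0100   # "last bit of the third byte": AU settings are policy-controlled

# State values and wording as used by the soh.c patch posted to the list.
AU_STATES = {
    1: "warn disabled",
    2: "ok action=check-only",
    3: "ok action=download",
    4: "ok action=install",
    5: "warn unconfigured",
}


def au_status_string(hcstatus, name="auto-updates"):
    """Return the SoH-MS-Windows-Health-Status text for one AU status code."""
    configured_by = "policy" if hcstatus & AU_POLICY_FLAG else "user"
    state = AU_STATES.get(hcstatus & ~AU_POLICY_FLAG)
    if state is None:
        # Codes the decoder does not know are reported as such, not mapped to a default.
        return "%s error unknown-status=0x%04x" % (name, hcstatus)
    return "%s %s confd-by=%s" % (name, state, configured_by)


def health_verdict(status_lines):
    """Reduce a list of SoH-MS-Windows-Health-Status strings to the worst level
    present: 'ok', 'warn' or 'error'. A client sends several such lines (one per
    component), so a policy must look at all of them, not just the first."""
    levels = {"ok": 0, "warn": 1, "error": 2}
    worst = "ok"
    for line in status_lines:
        parts = line.split()
        level = parts[1] if len(parts) > 1 and parts[1] in levels else "error"
        if levels[level] > levels[worst]:
            worst = level
    return worst


if __name__ == "__main__":
    for code in (1, 3, 0x0102, 0x0105, 0x0107):
        print("0x%04x -> %s" % (code, au_status_string(code)))
    # Status lines from the sample output quoted in the thread.
    sample = ["firewall error down", "antivirus error down",
              "auto-updates warn service-down", "security-updates ok all-installed"]
    print(health_verdict(sample))   # error
```

A verdict of "error" is what a virtual server would turn into a reject (the peap.c excerpt quoted earlier in the thread treats any non-Accept reply from that server as "SoH was rejected"), while "warn" is the natural trigger for a quarantine VLAN; either way the decision has to consider every status line, since a client whose firewall is fine may still report its antivirus as down.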

SQL query error; rejecting user

2010-10-11 Thread Daniel Sandulescu

Hello!
I got the following error in the log and do not know where to look.
Can someone help me?

rad_recv: Access-Request packet from host 127.0.0.1:42096, id=227, length=116
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "phlander"
CHAP-Challenge = 0x153961bc09eaeddf1226af8d60538ee6819b24ede1c1
CHAP-Password = 0xacf1701244e94be1dffe4e11ee08f0caa4
Calling-Station-Id = "00:42:15:11:24:57"
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
rad_lowerpair:  User-Name now 'phlander'
rad_rmspace_pair:  User-Name now 'phlander'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
radius_xlat:  ''
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns fail for request 0
modcall: group authorize returns fail for request 0
There was no response configured: rejecting request 0
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 227 to 127.0.0.1:42096
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 227 with timestamp 4cb2ee7d
Nothing to do.  Sleeping until we see a request.



Re: Store Access-Request packet information in database

2010-10-11 Thread Phil Mayers

On 11/10/10 11:22, c.schw...@funknetz.at wrote:

Hi,

I would like to achieve some kind of a tracking system for 802.11
wireless clients, therefore every login attempt should be accepted and
the necessary information (e.g. nas-ip-address, calling-station-id)
should be stored in an extra database table.

Example output:
rad_recv: Access-Request packet from host 192.168.30.216 port 43128,
id=5, length=200
 NAS-Port-Type = Wireless-802.11
 Calling-Station-Id = "00:1A:73:59:25:4B"
 Called-Station-Id = "hotspot1"
 NAS-Port-Id = "wlan1"
 User-Name = "christoph"
 NAS-Port = 2152726535
 Acct-Session-Id = "8057"
 Framed-IP-Address = 10.50.0.254
 Mikrotik-Host-IP = 10.50.0.254
 CHAP-Challenge = 0x12321805f00ad380736bd946aefe0389
 CHAP-Password = 0x1153fcb1c99609b962baa8042aca266905
 Service-Type = Login-User
 WISPr-Logoff-URL = "http://10.50.0.1/logout"
 NAS-Identifier = "test-loop21"
 NAS-IP-Address = 192.168.30.216

Does anybody have an idea how to store this kind of information when
freeradius receives an access-request packet?


Yes. Use the "sql" module.

This is well documented. Have you read any of the docs?
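An added example, not from the thread, of what Phil's answer points at: recording identifying attributes of every Access-Request through the sql module's post-auth query in a 2.x configuration. It assumes a table named radpostauth with the listed columns (this example's own schema) and the stock 2.x sites-enabled/default and dialup.conf layout. Because the post-auth section also runs for rejected requests when `sql` is listed under `Post-Auth-Type REJECT`, every attempt is recorded with its outcome; nothing has to be accepted just to get a row written.

```text
# sites-enabled/default: run sql after the decision, for accepts and rejects alike.
post-auth {
	sql
	Post-Auth-Type REJECT {
		sql
	}
}

# dialup.conf: one row per authentication attempt. The columns are this example's;
# the %{...} expansions are the request's attributes, %{reply:Packet-Type} the outcome.
postauth_table = "radpostauth"
postauth_query = "INSERT INTO ${postauth_table} \
	(username, nasipaddress, nasidentifier, callingstationid, calledstationid, \
	 reply, authdate) \
	VALUES ('%{User-Name}', '%{NAS-IP-Address}', '%{NAS-Identifier}', \
	 '%{Calling-Station-Id}', '%{Called-Station-Id}', \
	 '%{reply:Packet-Type}', '%S')"
```

Every value still goes through the sql module's escaping before it reaches the query, which is why the attributes are written as `%{...}` expansions inside the configured query rather than assembled anywhere else; the Calling-Station-Id and NAS-Identifier columns are the ones the tracking question asks for, and the reply column shows whether the attempt was an Access-Accept or an Access-Reject.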


Store Access-Request packet information in database

2010-10-11 Thread c.schwarz
Hi,

I would like to achieve some kind of a tracking system for 802.11
wireless clients, therefore every login attempt should be accepted and
the necessary information (e.g. nas-ip-address, calling-station-id)
should be stored in an extra database table.

Example output:
rad_recv: Access-Request packet from host 192.168.30.216 port 43128,
id=5, length=200
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00:1A:73:59:25:4B"
Called-Station-Id = "hotspot1"
NAS-Port-Id = "wlan1"
User-Name = "christoph"
NAS-Port = 2152726535
Acct-Session-Id = "8057"
Framed-IP-Address = 10.50.0.254
Mikrotik-Host-IP = 10.50.0.254
CHAP-Challenge = 0x12321805f00ad380736bd946aefe0389
CHAP-Password = 0x1153fcb1c99609b962baa8042aca266905
Service-Type = Login-User
WISPr-Logoff-URL = "http://10.50.0.1/logout"
NAS-Identifier = "test-loop21"
NAS-IP-Address = 192.168.30.216

Does anybody have an idea how to store this kind of information when
freeradius receives an access-request packet?  

Thanks in advance
Chris
