RE: plpgsql freeradius authentication function
In which statement do you implement this query?

> Date: Sat, 16 Oct 2010 11:49:36 -0400
> Subject: plpgsql freeradius authentication function
> From: kak...@gmail.com
> To: freeradius-users@lists.freeradius.org
>
> Hi,
>
> I have a plpgsql function being called from FreeRADIUS to do
> authentication, but I keep getting Access-Reject from RADIUS, although
> when I run the function without FreeRADIUS it works fine. Please find
> below the function and how I call it:
>
>     CREATE OR REPLACE FUNCTION try (your_name TEXT, tiger TEXT)
>     RETURNS RECORD AS $$
>     DECLARE
>         users_rec RECORD;
>     BEGIN
>         IF tiger = '' THEN
>             SELECT INTO users_rec * FROM aniradcheck WHERE username = your_name;
>         ELSE
>             SELECT INTO users_rec * FROM radcheck WHERE username = your_name;
>         END IF;
>         RETURN users_rec.username;
>     END;
>     $$ LANGUAGE plpgsql;
>
>     SELECT id,username,attribute,op,value
>       FROM try('714094','')
>         AS (id integer, username varchar, attribute varchar, op character, value varchar);
>
> Appreciate it if you can help.
>
> Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication failing when using *...@domain.com
Ryan Garrett wrote:
> I have a test account setup within a test domain. The username is
> dadmin. If I authenticate with just dadmin it works fine, I get an
> Access-Accept response and I am up and running.

OK.

> However, if I try dad...@testlab.net, authentication is rejected.

Because names are just strings. The strings "dadmin" and
"dad...@testlab.net" are different.

> My main concern is the fact that during the process, it says
> "testlab.net was not found, using NULL for the Realm".

Yes... because you didn't configure the realm. See raddb/proxy.conf.

In 2.1.10, read raddb/sites-available/inner-tunnel. Test that with
radtest and dad...@testlab.net. Once that works, PEAP will work.

Alan DeKok.
Re: Matching a value within an IP subnet
Brian Candler wrote:
> DEFAULT NAS-IP-Address =~ 192.0.2.0/27, NAS-Group := ADSL-BRAS
>
> I've had a look at paircmp() in src/lib/valuepair.c and can't see any
> logic which might do this.

Nope. Write a regex to do the matching. The above string after =~ is
*not* a regex.

Alan DeKok.
Re: plpgsql freeradius authentication function
Hi,

I implemented this in the FreeRADIUS postgresql.conf file:

    SELECT id,username,attribute,op,value
      FROM try('714094','')
        AS (id integer, username varchar, attribute varchar, op character, value varchar);

and implemented this function on the Postgres database server:

    CREATE OR REPLACE FUNCTION try (your_name TEXT, tiger TEXT)
    RETURNS RECORD AS $$
    DECLARE
        users_rec RECORD;
    BEGIN
        IF tiger = '' THEN
            SELECT INTO users_rec * FROM aniradcheck WHERE username = your_name;
        ELSE
            SELECT INTO users_rec * FROM radcheck WHERE username = your_name;
        END IF;
        RETURN users_rec.username;
    END;
    $$ LANGUAGE plpgsql;

I am generally trying to authenticate with a Postgres function.

Thanks, and your help is very much appreciated.

On Mon, Oct 18, 2010 at 2:20 AM, Santiago Balaguer García santiago...@hotmail.com wrote:
> In which statement do you implement this query?
>
> [...]
Re: plpgsql freeradius authentication function
Kafui Akyea wrote:
> Hi I implemented this in the freeradius postgresql.conf file
> SELECT id,username,attribute,op,value

That's the wrong order. See the default SELECT in
raddb/sql/postgresql/dialup.conf.

> I am generally trying to authenticate with a postgres function

Make sure it returns exactly the same information, in the same order,
as the default queries.

Alan DeKok.
DHCP with option 82 best practice
Hi everybody,

At first I want to thank Arran and Alan for their help with my last post. Good job! Had trouble getting the list's replies, but that's solved now.

I am curious if somebody could share information on how to get FR as DHCP with option 82 authentication up and running. Couldn't find much information in the provided sample files and on the net. My own experiments with auth configs were not particularly successful.

The key I am missing is the link between having DHCP-Relay-Circuit-Id in DHCP-Request and DHCP-Discover messages and kicking in some kind of auth in order to return a DHCP-Offer/Ack message including a client IP out of the configured IP pools. Backend is mysql.

I have the feeling that most users head straight for rlm_perl and don't use the ppp/chap/pap-like chain. This I would understand since the handshakes differ. Confirmation of this thesis would help me as well, so I can stop searching and start coding ;o)

Any comment much appreciated!

Cheers,
Marco
Re: DHCP with option 82 best practice
On 10/18/2010 05:05 PM, Zietz, Marco wrote:
> I am curious if somebody could share information how to get FR as DHCP
> with option 82 authentication up and running. Couldn't find much
> information in provided sample files and on the net. My own experiments
> with auth configs were not particularly successful. The key I am missing

What have you tried? Why didn't it work?

> is the link between having DHCP-Relay-Circuit-Id in DHCP-Request and
> DHCP-Discover messages and kicking in some kind of auth in order to
> return a DHCP-Offer/Ack message including a client IP out of the
> configured IP pools. Backend is mysql.

As with most things in FreeRadius, the key (pardon the pun) is determining what data is in the input packet, what data you want in the reply, and what key/value lookup you need to do to achieve that.

The difficulty with DHCP is that you really need to do the following:

    start transaction
    select ip from pool where key=... and not used
    update ip set used=true where ip=...
    commit
    add ip to reply packet

The rlm_sqlippool module does this, for example, but the queries it executes are perhaps not suited to DHCP allocation; I haven't tried it.

If your DHCP pools are simple - one IP per switch/port and no pools - then you could just do:

    update reply {
        DHCP-Your-IP-Address = "%{sql:select ip from opt82 where switch='%{DHCP-Agent-Remote-Id}' and port='%{DHCP-Agent-Circuit-Id}'}"
    }

...but this may cause problems without proper lease management.

> I have the feeling that most users straight heading for rlm_perl and
> not using the ppp/chap/pap alike chain. This I would understand since
> the handshakes differ. Confirmation of this thesis would help me as
> well, so I can stop searching and start coding ;o)

I don't recognise the terminology you use here: handshakes? In pretty much all modes, FreeRadius is a system for processing attribute/value pairs and generating replies.

DHCP is just another encoding for AVPs, with the slightly complex aspect that lease management needs to be (a bit) transactional, so anything other than fixed MAC-to-IP mappings needs a bit of work. That is why people may use perl or things more complex than unlang/rlm_passwd - the need for transactional lease allocation.

I suspect few people are using FreeRadius for DHCP in anger yet, which explains why you have found little info, but I'm sure it can do it. If you can provide more info about what you've tried that doesn't work...
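The "select, update, commit" allocation sketched above, written out as MySQL/InnoDB statements against a pool keyed by the option 82 values (DHCP-Agent-Remote-Id and DHCP-Agent-Circuit-Id). This is an added example, not code from the thread or from FreeRADIUS; the table and column names, the one-hour lease time and the sample addresses are assumptions, and wiring it into the server (perl or otherwise) is left aside.

```sql
-- Constructed example of transactional DHCP lease allocation keyed by
-- option 82. Not FreeRADIUS code; table, column and sample values are assumed.

CREATE TABLE dhcp_pool (
    ip          VARCHAR(15) NOT NULL PRIMARY KEY,
    remote_id   VARCHAR(64) NULL,      -- DHCP-Agent-Remote-Id (the switch)
    circuit_id  VARCHAR(64) NULL,      -- DHCP-Agent-Circuit-Id (the port)
    expires     DATETIME    NULL,      -- lease end; NULL or in the past = free
    KEY by_circuit (remote_id, circuit_id),
    KEY by_expiry  (expires)
) ENGINE=InnoDB;

-- A three-address pool (constructed data).
INSERT INTO dhcp_pool (ip) VALUES ('192.0.2.10'), ('192.0.2.11'), ('192.0.2.12');

-- One allocation. A server-side hook would fill these from the packet's
-- option 82 values (%{DHCP-Agent-Remote-Id}, %{DHCP-Agent-Circuit-Id}).
SET @remote_id = 'sw01', @circuit_id = 'eth 0/5', @lease = NULL;

START TRANSACTION;

-- Step 1: pick and lock exactly one row. A lease this circuit already holds
-- wins, so the DHCP-Request that follows a Discover gets the same address
-- back; otherwise take a never-used address, then the longest-expired one.
-- FOR UPDATE holds the row lock until COMMIT, so a concurrent Discover on
-- another circuit cannot be handed the same row.
SELECT ip INTO @lease
  FROM dhcp_pool
 WHERE (remote_id = @remote_id AND circuit_id = @circuit_id)
    OR expires IS NULL
    OR expires < NOW()
 ORDER BY COALESCE(remote_id = @remote_id AND circuit_id = @circuit_id, 0) DESC,
          expires
 LIMIT 1
   FOR UPDATE;

-- Step 2: mark it used before the lock is released. If the pool is
-- exhausted, @lease is still NULL and this updates nothing.
UPDATE dhcp_pool
   SET remote_id  = @remote_id,
       circuit_id = @circuit_id,
       expires    = NOW() + INTERVAL 1 HOUR
 WHERE ip = @lease;

COMMIT;

-- Step 3: the value for DHCP-Your-IP-Address; NULL means no address to offer.
SELECT @lease AS your_ip;
```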
Cisco LNS with Freeradius and MySQL
Hi,

I request a small help for my configuration, sorry for my English:

I have a Cisco router with VRF.
I have a FreeRADIUS server with SQL.
I have a lot of ADSL users in L2TP.

I want to add one user to a specific VRF. I have added to the MySQL table:

    INSERT INTO `radgroupreply` VALUES (9, 'IAccess', 'cisco-avpair', '+=', 'lcp:interface-config=ip vrf forwarding INT002\\n ip unnumbered Loopback250');

but when the user connects, that doesn't work ...

On my Cisco router, I have:

One loopback:

    interface Loopback250
     ip vrf forwarding INT002
     no ip address

One VRF:

    ip vrf INT002
     rd 65509:501
     route-target export 65509:101
     route-target import 65509:100
     route-target import 65509:50

Where is my error?

Second question: I use sqlippool for dynamic IP. If I want to specify an IP for a username (static), what is the process? Create a specific group?

Thanks for your help,
Stephane
Re: Cisco LNS with Freeradius and MySQL
On 10/18/2010 06:07 PM, Stephane MAGAND wrote:
> but when the user connects, that doesn't work ...

See the FAQ for "it doesn't work".

> Second question: I use sqlippool for dynamic IP. If I want to specify
> an IP for a username (static), what is the process? Create a specific
> group?

You can assign an IP manually, and sqlippool will see this and do nothing. For example:

    authorize {
        ...
        files
        ...
    }
    post-auth {
        ...
        sqlippool
    }

...and in /etc/raddb/users:

    specialuser1
        Framed-IP-Address := a.b.c.d
    otheruser2
        Framed-IP-Address := e.f.g.h

You can use any FreeRadius module (SQL, rlm_passwd) to do this. Another example:

    post-auth {
        update control {
            Tmp-IP-Address-0 = "%{sql:select staticip from mytable where ...}"
        }
        if (control:Tmp-IP-Address-0) {
            update reply {
                Framed-IP-Address := "%{control:Tmp-IP-Address-0}"
            }
        }
        else {
            sqlippool
        }
    }
LDAP authentication failed
Hi,

I have some problems with LDAP authentication. If I log in on my Windows XP SP3 client, I want to check the login credentials against my LDAP service. But the XP client uses double backslashes in the username!! I think this will be the problem!? If I test with radtest it works. What can I do to log in successfully?

Debug log:

    rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=62, length=240
        NAS-IP-Address = 192.168.0.2
        NAS-Port = 50009
        NAS-Port-Type = Ethernet
        User-Name = FIRMA1\\usera
        Called-Station-Id = 00-15-F9-D8-7C-C9
        Calling-Station-Id = 00-1A-4B-63-69-0B
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xc5fe953bc3f98c0b9575e677705364e2
        EAP-Message = 0x0207006119001703010056b327be51594f6985d1854f17199fefe7151d57481c244787051f7067a50a0056a15e0a831a3aa3661a61aeed66e3c7dc85cd3315301bfd825c786fd60e0110f5124e76e2d543c9a6fd99371be7f1a9637b8ce527669f
        Message-Authenticator = 0xad6e1b5107c7af4b9a5ba3e648d65859
    +- entering group authorize {...}
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[unix] returns notfound
    [suffix] No '@' in User-Name = FIRMA1\usera, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    ++[control] returns noop
    [eap] EAP packet type response id 7 length 74
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files] returns noop
    [ldap] performing user authorization for FIRMA1\usera
    [ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
    [ldap] ... expanding second conditional
    [ldap] expand: %{User-Name} -> FIRMA1\5cusera
    [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=FIRMA1\5cusera)
    [ldap] expand: dc=firma1,dc=de -> dc=firma1,dc=de
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] performing search in dc=firma1,dc=de, with filter (uid=FIRMA1\5cusera)
    [ldap] object not found
    [ldap] search failed
    [ldap] ldap_release_conn: Release Id: 0
    ++[ldap] returns notfound

Configuration part of the LDAP module:

    ldap {
        server = 192.168.0.5
        identity = cn=admin,dc=firma1,dc=de
        password =
        basedn = dc=firma1,dc=de
        filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
        ..
    }
Re: Cisco LNS with Freeradius and MySQL
2010/10/18 Phil Mayers p.may...@imperial.ac.uk:
> On 10/18/2010 06:07 PM, Stephane MAGAND wrote:
>> but when the user connects, that doesn't work ...
>
> See the FAQ for "it doesn't work".

Thanks for your answer Phil, but I don't see an answer to my question in the FAQ.

Do you create the VRF on the Cisco?
Do you create the loopback on the Cisco?
Do you put the loopback into the VRF?

Bye,
Stephane
Re: LDAP authentication failed
Hi,

You need to use the ntdomain module and ensure that the \\ method is enabled (check the realm module section). This will then populate Stripped-User-Name with just the username and not also have the hostname or domain name lurking around.

alan
Re: plpgsql freeradius authentication function
Alan,

Thanks a lot, that worked.

Kafui

On Mon, Oct 18, 2010 at 11:52 AM, Alan DeKok al...@deployingradius.com wrote:
> Kafui Akyea wrote:
>> Hi I implemented this in the freeradius postgresql.conf file
>> SELECT id,username,attribute,op,value
>
> That's the wrong order. See the default SELECT in
> raddb/sql/postgresql/dialup.conf.
>
>> I am generally trying to authenticate with a postgres function
>
> Make sure it returns exactly the same information, in the same order,
> as the default queries.
>
> Alan DeKok.
Re: Cisco LNS with Freeradius and MySQL
OK, I have resolved my problems ;=)

2010/10/18 Stephane MAGAND stmagconsult...@gmail.com:
> 2010/10/18 Phil Mayers p.may...@imperial.ac.uk:
>> On 10/18/2010 06:07 PM, Stephane MAGAND wrote:
>>> but when the user connects, that doesn't work ...
>>
>> See the FAQ for "it doesn't work".
>
> Thanks for your answer Phil, but I don't see an answer to my question in the FAQ.
>
> Do you create the VRF on the Cisco?
> Do you create the loopback on the Cisco?
> Do you put the loopback into the VRF?
>
> Bye,
> Stephane
Radiusd error + libfreeradius-radius-2.1.10.so
Hi all,

I am trying to install FreeRADIUS server 2.1.10. After the commands

    #./configure
    #make
    #make install

everything is OK. Then, when I try to execute radiusd -X, I have this error:

    radiusd: error while loading shared libraries: libfreeradius-radius-2.1.10.so: cannot open shared object file: No such file or directory

Where can I find these shared libraries?? Do I have to modify the library PATH?

Thanks in advance.
Octavio
Re: Radiusd error + libfreeradius-radius-2.1.10.so
Octavio Ramirez wrote:
> Then, when I try to execute radiusd -X, I have this error:
>
> radiusd: error while loading shared libraries:
> libfreeradius-radius-2.1.10.so: cannot open shared object file: No such
> file or directory
>
> Where can I find these shared libraries?? I have to modify the PATH
> library?

You've managed to install the libraries in a place where the dynamic
linker can't find them. See your OS documentation on the dynamic linker.

Or, install the libraries in a place where the dynamic linker can find them.

Alan DeKok.
Re: DHCP with option 82 best practice
Zietz, Marco wrote:
> I am curious if somebody could share information how to get FR as DHCP
> with option 82 authentication up and running.

I don't know what "option 82 authentication" means.

> Couldn't find much information in provided sample files and on the net.
> My own experiments with auth configs were not particularly successful.
> The key I am missing is the link between having DHCP-Relay-Circuit-Id
> in DHCP-Request and DHCP-Discover messages and kicking in some kind of
> auth in order to return a DHCP-Offer/Ack message including a client IP
> out of the configured IP pools. Backend is mysql.

The SQL IP Pool module only works with RADIUS right now.

Alan DeKok.
Re: Cisco LNS with Freeradius and MySQL
On 10/18/2010 06:51 PM, Stephane MAGAND wrote:
> 2010/10/18 Phil Mayers p.may...@imperial.ac.uk:
>> On 10/18/2010 06:07 PM, Stephane MAGAND wrote:
>>> but when the user connects, that doesn't work ...
>>
>> See the FAQ for "it doesn't work".

I meant literally the FAQ item "It still doesn't work", which advises posting the debug output, but I see you've solved it now.
Re: plpgsql freeradius authentication function
Hi,

There is one more problem I am encountering, although the function works. If I try to authenticate a user who is not valid, I do not get an Access-Reject but rather I get:

    RADIUS: Retransmit to (192.168.1.12:1812,1813) for id 1645/201
    RADIUS: Retransmit to (192.168.1.12:1812,1813) for id 1645/201
    RADIUS: Retransmit to (192.168.1.12:1812,1813) for id 1645/201
    RADIUS: No response from (192.168.1.12:1812,1813) for id 1645/201
    RADIUS/DECODE: No response from radius-server; parse response; FAIL
    RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

But for a valid user it works just fine.

I implemented this in the FreeRADIUS postgresql.conf file:

    SELECT id,username,attribute,value,op
      FROM try('714094','')
        AS (id integer, username varchar, attribute varchar, value varchar, op character);

and implemented this function on the Postgres database server:

    CREATE OR REPLACE FUNCTION try (your_name TEXT, tiger TEXT)
    RETURNS RECORD AS $$
    DECLARE
        users_rec RECORD;
    BEGIN
        IF tiger = '' THEN
            SELECT INTO users_rec * FROM aniradcheck WHERE username = your_name;
        ELSE
            SELECT INTO users_rec * FROM radcheck WHERE username = your_name;
        END IF;
        RETURN users_rec.username;
    END;
    $$ LANGUAGE plpgsql;

Help will be very much appreciated.

On Mon, Oct 18, 2010 at 2:23 PM, Kafui Akyea kak...@gmail.com wrote:
> Alan,
>
> Thanks a lot, that worked.
>
> Kafui
>
> [...]
Redundant SQL
I'm trying to implement the redundant SQL feature in my FreeRADIUS setup. The one problem I am coming up against is when FreeRADIUS is starting but not all the SQL servers are available. I have set up sql1 and sql2 as a single virtual module and would ideally like it to *try* to connect to all servers on start-up, but if an error occurs (can't connect to one), then just bypass it and continue.

Assuming the total failure is what is meant to happen, I can understand why, but in my case I'd rather have it connect to at least one database server than fail if it can't connect to them all.

Is this setup possible?

Regards,
Chester.
Re: plpgsql freeradius authentication function
Hi,

> If I try to authenticate a user who is not valid, I do not get an
> Access-Reject but rather I get:
>
>     RADIUS: Retransmit to (192.168.1.12:1812,1813) for id 1645/201
>     RADIUS: Retransmit to (192.168.1.12:1812,1813) for id 1645/201
>     RADIUS: Retransmit to (192.168.1.12:1812,1813) for id 1645/201
>     RADIUS: No response from (192.168.1.12:1812,1813) for id 1645/201
>     RADIUS/DECODE: No response from radius-server; parse response; FAIL
>     RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

It's falling through to sending it off to another server/process - what is 192.168.1.12 - check your proxy.conf - and look at the full debug output of 'radiusd -X' (which you seem to be trying to summarise) - it'll tell you why it's doing what it does.

alan
Re: plpgsql freeradius authentication function
This is what the FreeRADIUS debug looks like when I try to authenticate a user who is not valid. I don't get an Access-Reject. But for valid users the function works fine.

    radius_xlat: 'SELECT id,username,attribute,value,op FROM tryagain('7140949870','') as (id integer,username varchar,attribute varchar,value varchar,op character)'
    rlm_sql (sql): Reserving sql socket id: 1
    rlm_sql_postgresql: query: SELECT id,username,attribute,value,op FROM tryagain('7140949870','') as (id integer,username varchar,attribute varchar,value varchar,op character)
    rlm_sql_postgresql: Status: PGRES_TUPLES_OK
    rlm_sql_postgresql: affected rows =
    rlm_sql: The 'Attribute' field is empty or NULL, skipping the entire row.
    rlm_sql (sql): Error getting data from database
    rlm_sql (sql): SQL query error; rejecting user
    rlm_sql (sql): Released sql socket id: 1
    modcall[authorize]: module sql returns fail for request 3
    modcall: leaving group authorize (returns fail) for request 3
    Finished request 3

On Mon, Oct 18, 2010 at 5:41 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> [...]
>
> It's falling through to sending it off to another server/process - what
> is 192.168.1.12 - check your proxy.conf - and look at the full debug
> output of 'radiusd -X' (which you seem to be trying to summarise) -
> it'll tell you why it's doing what it does.
>
> alan
Limiting access to Cisco boxes to certain users
We have numerous routers that all our NEs need access to, so that's no issue. However, there is a developer that needs full access to one particular router. I've added him to the users file, but he has access to everything right now. I've tried using huntgroups, but that completely locks him out of everything.

What's the best way to limit a user or users to access only particular Cisco boxes?

Thanks.
Re: Redundant SQL
Chesterfield McMillan wrote:
> Assuming the total failure is what is meant to happen, I can
> understand why, but in my case I'd rather have it connect to at least
> one database server than fail if it can't connect to them all.

For now, modify the source code.

Alan DeKok.
Re: plpgsql freeradius authentication function
Kafui Akyea wrote:
> This is what the freeradius debug looks like when i try to authenticate
> a user who is not valid.
...
> rlm_sql: The 'Attribute' field is empty or NULL, skipping the entire row.
> rlm_sql (sql): Error getting data from database
> rlm_sql (sql): SQL query error; rejecting user
> rlm_sql (sql): Released sql socket id: 1
> modcall[authorize]: module sql returns fail for request 3

The answer is the same as last time: ensure that your function returns
the same values as the default queries.

If you're going to modify the default queries, it helps to understand
what they do and how they work.

Alan DeKok.
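One way to follow that advice, as an added example rather than the thread's function or anything shipped with FreeRADIUS: a set-returning plpgsql function that hands rlm_sql the same five columns, in the same order, as the default authorize_check_query, keeping the aniradcheck/radcheck switch from the thread. For an unknown user it yields zero rows, so rlm_sql reports notfound and the request is rejected, instead of the single row of NULLs that the debug output above shows rlm_sql treating as a query error. The name radcheck_lookup, the parameter names and the assumption that both tables use the stock radcheck column types are mine.

```sql
-- Constructed example, not the thread's function and not FreeRADIUS code.
-- Returns the default authorize_check_query columns (id, username,
-- attribute, value, op) in the default order, as a row set.
-- Assumes aniradcheck and radcheck share the stock radcheck column types.
CREATE OR REPLACE FUNCTION radcheck_lookup(p_user TEXT, p_tiger TEXT)
RETURNS TABLE (id INTEGER, username VARCHAR, attribute VARCHAR,
               value VARCHAR, op CHARACTER(2)) AS $$
BEGIN
    -- Columns are qualified with the alias r: the RETURNS TABLE names are
    -- plpgsql variables, so an unqualified "id" or "username" here would be
    -- rejected as ambiguous.
    IF p_tiger = '' THEN
        RETURN QUERY
            SELECT r.id, r.username, r.attribute, r.value, r.op
              FROM aniradcheck AS r
             WHERE r.username = p_user
             ORDER BY r.id;
    ELSE
        RETURN QUERY
            SELECT r.id, r.username, r.attribute, r.value, r.op
              FROM radcheck AS r
             WHERE r.username = p_user
             ORDER BY r.id;
    END IF;
    -- A user absent from the chosen table produces no rows at all here,
    -- which is what the default radcheck query produces for the same case.
    RETURN;
END;
$$ LANGUAGE plpgsql STABLE;

-- Check outside the server: the thread's test user, then a made-up name
-- that should be absent from both tables.
SELECT * FROM radcheck_lookup('714094', '');
SELECT * FROM radcheck_lookup('no-such-user', '');

-- The matching line for raddb/sql/postgresql/dialup.conf (assumed key name
-- from the stock file; the column list stays in the default order):
-- authorize_check_query = "SELECT id, username, attribute, value, op \
--     FROM radcheck_lookup('%{SQL-User-Name}', '') ORDER BY id"
```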