Re: how to limit users' access by groups using radgroupcheck

2012-06-28 Thread RAZAFIMBELO Faliharinohatra Rindra

Hi,

I finally found what the problem was. I have read the rlm_sql doc but
it doesn't show how to limit access by groups. In fact, what I was
trying to do is to run two instances of coova chilli on a machine,
create two groups of users in the freeradius database, one for the first
chilli and another for the second, and finally limit access for each
group to only its dedicated chilli.


Thx

On 20/06/2012 00:24, Alan DeKok wrote:

RAZAFIMBELO Faliharinohatra Rindra wrote:
   

 I'm new to freeradius and I would like to know if someone can
tell me how to limit users access by groups using radgroupcheck.
 

   Read doc/rlm_sql.

   

I have
done some research and I saw that radgroupcheck didn't reject users
even if there is a mismatched attribute.
 

   No.  The group checking is about *matching*.  It's up to you to
determine what to do when it matches.

   

I'd like to have a confirmation
about this thing, whether it's true or not. I know with radcheck we can
specify attributes like NAS-Identifier or NAS-IP-Address ... to limit a
user's access but I'm searching for a solution using groups. Can someone
help me please?
 

   What part of the documentation is unclear?  Be specific.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

   



--
RAZAFIMBELO Faliharinohatra
Administrateur réseau et système
Blueline Business Service
tel: (+261) 34 56 000 85
mail: rin...@bbs.mg

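As an added example (mine, not from this thread or from the FreeRADIUS distribution) of what the "matching" remark quoted above means for the two-chilli setup: the radgroupcheck rows only decide whether a group matches, so the rejection has to come from the order of the groups and from a last, catch-all group. Assumed here: the stock FreeRADIUS 2.x MySQL schema (radcheck, radgroupcheck, radgroupreply, radusergroup), that the two chilli instances send the NAS-Identifier values chilli1 and chilli2 (both run on one host, so NAS-IP-Address may not tell them apart), and the user names, passwords and timeouts below.

```sql
-- Added example, not code from the thread or from FreeRADIUS itself.
-- Assumes the stock FreeRADIUS 2.x MySQL schema and that the two coova-chilli
-- instances identify themselves with NAS-Identifier 'chilli1' and 'chilli2'
-- (assumed values; both run on one host, so NAS-IP-Address may be identical).
-- User names, passwords and timeouts below are made up.

-- Credentials. Use Cleartext-Password, never the deprecated 'Password'.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('alice', 'Cleartext-Password', ':=', 'alice-secret'),
  ('bob',   'Cleartext-Password', ':=', 'bob-secret');

-- One group per chilli. The '==' check item is compared against the
-- Access-Request: the group matches only when the request came through
-- that NAS, otherwise rlm_sql skips it and moves on to the next group.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('chilli1', 'NAS-Identifier', '==', 'chilli1'),
  ('chilli2', 'NAS-Identifier', '==', 'chilli2');

-- Catch-all group. A ':=' item is never compared, only copied into the
-- control list, so this group always matches and turns the request into
-- an Access-Reject.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('wrong-nas', 'Auth-Type', ':=', 'Reject');

-- Reply items for the real groups. No Fall-Through here on purpose:
-- processing stops at the first group that matches.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('chilli1', 'Idle-Timeout', ':=', '600'),
  ('chilli2', 'Idle-Timeout', ':=', '600');

-- Membership, walked in ascending priority. The catch-all comes last for
-- everyone, so it is only reached when the user's own group did not match.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('alice', 'chilli1',   1),
  ('alice', 'wrong-nas', 99),
  ('bob',   'chilli2',   1),
  ('bob',   'wrong-nas', 99);

-- What rlm_sql will evaluate for alice, in the order it will evaluate it.
SELECT g.priority, g.groupname, c.attribute, c.op, c.value
  FROM radusergroup g
  JOIN radgroupcheck c ON c.groupname = g.groupname
 WHERE g.username = 'alice'
 ORDER BY g.priority;
```

With read_groups = yes (the default) rlm_sql walks radusergroup in priority order, runs the group check query and compares the check items against the request; a ':=' item is not compared, only copied into the control list, which is why the catch-all always matches. Processing stops at the first matching group unless that group's reply items contain Fall-Through = Yes, so alice arriving at chilli1 never reaches wrong-nas, while alice arriving at chilli2 skips chilli1 (NAS mismatch), lands in wrong-nas and gets Auth-Type := Reject, i.e. an Access-Reject. Confirm it with radiusd -X before relying on it.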


Re: "Invalid password" on OS-X

2012-06-28 Thread Jens W. Skov - JS Consult

Jens W. Skov - JS Consult wrote:
> I’m trying to set up external authentication from our router to a 
> OSX-server.
> 
> I have it working fine if the user is an admin-user on the mac, but if 
> I try with a normal user I get:
>
> Auth: rlm_opendirectory: User  is authorized. 
> Auth: rlm_opendirectory: User [vpntest]: invalid password

  Are you running FreeRADIUS on the same machine running OpenDirectory?

JS: 
Yes, they have only this one server. 
I do suspect that I might be missing something in the users file. 
In the OSX GUI I have selected the users and groups that should be allowed, 
but it seems that is not passed on to the radius service.


Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Alan DeKok
Steve Brown wrote:
> I'm not, and that would explain it nicely; I mentioned in my initial
> message "legacy Freeradius 1.1.2 platform". Is there any way of
> achieving the same end result in v1.x without Unlang?

  Unlang isn't in 1.1.x, and is *documented* as not being in 1.1.x.  You
can't just try random things in the server.

> Upgrade is some time away, so this is is what we have to work with.

  Upgrade.

  Alan DeKok.


Re: Cisco WLC - Freeradius Vlan assigment problem

2012-06-28 Thread alan buxey
Hi,

Are you running the preprocess module? If not, then Huntgroups aren't looked at 
or populated.


alan


Re: EAP fails when proxying to a realm

2012-06-28 Thread alan buxey
Hi,

upgrade to 2.1.12 - it has fixes for proxy errors

as for username - you cannot play with User-Name with EAP - use 
Stripped-User-Name - see examples

alan


Re: Update control with redundant sql query

2012-06-28 Thread Fajar A. Nugraha
On Fri, Jun 29, 2012 at 12:09 AM, lscrlstld  wrote:
> Hi,
>
> I use the policy configs to provide redundant and load-balance to update
> the pool-name.
>
> It´s work fine!

Does it?

> The policy.conf
> policy {
>        update_ctlr_PN1 {
>                update control {
>                        Pool-Name := "%{sql01:select poolname from
> radpoolname where nasipaddress=\"%{NAS-IP-Address}\"}"
>                }
>        }
>        update_ctlr_PN2 {
>                update control {
>                        Pool-Name := "%{sql02:select poolname from
> radpoolname where nasipaddress=\"%{NAS-IP-Address}\"}"
>                }
>        }
>        update_ctlr_PN {
>                redundant-load-balance {
>                                update_ctlr_PN1
>                                update_ctlr_PN2
>                }
>        }
> }

Last time I checked, the "%{sql" block does NOT return an error if the
SQL server is dead. So your "load-balance" part definitely works, but
I wouldn't be so sure about the "redundant" part. Try killing one of
the SQL servers and see what happens.

IIRC I had to explicitly hack a query so it would return some value
(e.g. NOTFOUND, or whatever) when it would usually return zero rows.
That way, if the "%{sql" block returns an empty string, I know
something is wrong and I need to ask the next server. That method
works, but it doesn't provide load balance.

-- 
Fajar
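As an added example (mine, not from the thread) of the query-side half of the workaround Fajar describes: in 2.x the %{sql01:...} expansion gives back the first column of the first row, and an empty string both when the query returns no rows and when the server cannot be reached, so a query that can legitimately return zero rows leaves the policy unable to tell "unknown NAS" from "SQL server down". The thread only shows that radpoolname has the columns nasipaddress and poolname; the CREATE TABLE and the sample rows are assumptions so the snippet runs on its own against MySQL or PostgreSQL.

```sql
-- Added example, not code from the thread. The table definition and sample
-- rows are assumptions so that the queries run on their own (MySQL or
-- PostgreSQL); the thread only shows that radpoolname has the columns
-- nasipaddress and poolname.
CREATE TABLE radpoolname (
  nasipaddress VARCHAR(15) NOT NULL PRIMARY KEY,
  poolname     VARCHAR(30) NOT NULL
);
INSERT INTO radpoolname (nasipaddress, poolname) VALUES
  ('192.0.2.1', 'pool01'),
  ('192.0.2.2', 'pool02');

-- The query from the policy: for a NAS that is not in the table it returns
-- no rows at all, which the %{sql01:...} expansion turns into ''. A dead
-- SQL server also expands to '', so the policy cannot tell the two apart.
SELECT poolname FROM radpoolname WHERE nasipaddress = '192.0.2.99';

-- Sentinel version: an aggregate over zero rows yields NULL and COALESCE
-- maps that to the marker, so exactly one row always comes back. Now ''
-- can only mean "no answer from the server", and 'NOTFOUND' means
-- "server answered, NAS unknown".
SELECT COALESCE(MAX(poolname), 'NOTFOUND') AS poolname
  FROM radpoolname
 WHERE nasipaddress = '192.0.2.99';

-- The same query for a known NAS simply returns that NAS's pool name.
SELECT COALESCE(MAX(poolname), 'NOTFOUND') AS poolname
  FROM radpoolname
 WHERE nasipaddress = '192.0.2.1';
```

In the policy, put the expansion into a scratch attribute first, e.g. `update control { Tmp-String-0 := "%{sql01:SELECT COALESCE(MAX(poolname), 'NOTFOUND') FROM radpoolname WHERE nasipaddress = '%{NAS-IP-Address}'}" }`, repeat the same update against sql02 only when `control:Tmp-String-0 == ""`, and copy the value into Pool-Name only when it is neither empty nor NOTFOUND. NAS-IP-Address is an ipaddr attribute, so the interpolated value is always a dotted quad. As Fajar says, this gives failover rather than load balancing: the second server is only asked when the first one does not answer.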


Re: Cisco WLC - Freeradius Vlan assigment problem

2012-06-28 Thread Martin Silvero
> ++- if (!Huntgroup-Name) returns ok ++? if (Huntgroup-Name == "list")
> (Attribute Huntgroup-Name was not found)
>
>the problem seems to be your huntgroup.. Can you post your huntgroup
>definitions?

>--
>Jens Weibler
>IT-Services

Hi,

In huntgroup I just have:

...
# Usuario = xxx xxx
list  Calling-Station-Id == 0221.6ae0.cef8


Them in sites-available/inner-tunnel I have a script:


# No huntgroup matched this client: put it on the default VLAN.
if (!Huntgroup-Name) {
	# reject
	update reply {
		Tunnel-Type = VLAN
		Tunnel-Medium-Type = IEEE-802
		Tunnel-Private-Group-Id = 249
	}
}
# Client is in huntgroup "list" and the user is in the LDAP group: VLAN 200.
if (Huntgroup-Name == "list") {
	if (Ldap-Group == "WIFI-Direccion") {
		update reply {
			Tunnel-Type = VLAN
			Tunnel-Medium-Type = IEEE-802
			Tunnel-Private-Group-Id = 200
		}
	}
}


seems ok. What do you think?

Thanks a lot.

RE: EAP fails when proxying to a realm

2012-06-28 Thread Christopher Manigan
Thanks for pointing those things out to me.  I am no longer proxying back to 
myself like that, and I've told the sql module to use stripped user name when 
possible and it looks like it's all working now.

Best wishes,
Chris

From: freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org 
[freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org] on 
behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Thursday, June 28, 2012 12:49 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP fails when proxying to a realm

On 28/06/12 17:33, Christopher Manigan wrote:
> I am trying to use MSCHAPv2 to authenticate users.  This works ok, except 
> when I try to proxy to a realm.  Pasted below is the debug of a user trying 
> to authenticate.  The realm is a prefix of the username.  What I see buried 
> in the debug is:
>
>
> # radiusd -X
> FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 
> at 11:37:39

Upgrade to 2.1.12 if possible

> Sending Access-Request of id 22 to 127.0.0.1 port 1812

Why on earth are you proxying back to yourself, to the same virtual
server no less?

I suspect this is confusing the server, since it fails inside the
handler further down.

> [eap] Identity does not match User-Name, setting from EAP Identity.

You are rewriting the username. This doesn't work with EAP. Don't do that.

If you need to strip realms etc. use "Stripped-User-Name". Leave the
original username alone.

> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.


Update control with redundant sql query

2012-06-28 Thread lscrlstld
Hi,

I use the policy configs to provide redundant and load-balance to update
the pool-name.

It works fine! But I have some questions...
- Is it the correct way to do it? Is it the best way, considering
performance under high usage?
- Why do the virtual module created in the policy and the control update always
return "notfound"?

+- entering group authorize {...}
++- entering policy update_ctlr_PN {...}
+++- entering redundant-load-balance group redundant-load-balance {...}
- entering policy update01_Pool-Name {...}
...
expand: select poolname from radpoolname where
nasipaddress="%{NAS-IP-Address}" -> select poolname from radpoolname where
nasipaddress="X.X.X.X"
rlm_sql (sql01): Reserving sql socket id: 4
sql_xlat finished
rlm_sql (sql01): Released sql socket id: 4
expand: %{sql01:select poolname from radpoolname where
nasipaddress="%{NAS-IP-Address}"} -> pool01
+[control] returns notfound
- policy update_ctlr_PN1 returns notfound
+++- redundant-load-balance group redundant-load-balance returns notfound
++- policy update_ctlr_PN returns notfound

The policy.conf
policy {
	update_ctlr_PN1 {
		update control {
			Pool-Name := "%{sql01:select poolname from radpoolname where nasipaddress=\"%{NAS-IP-Address}\"}"
		}
	}
	update_ctlr_PN2 {
		update control {
			Pool-Name := "%{sql02:select poolname from radpoolname where nasipaddress=\"%{NAS-IP-Address}\"}"
		}
	}
	update_ctlr_PN {
		redundant-load-balance {
			update_ctlr_PN1
			update_ctlr_PN2
		}
	}
}

Server conf:
...
authorize {
	update_ctlr_PN
	pap
	chap
	sql01
}
...

Thank you.



Re: EAP fails when proxying to a realm

2012-06-28 Thread Phil Mayers

On 28/06/12 17:33, Christopher Manigan wrote:

> I am trying to use MSCHAPv2 to authenticate users.  This works ok, except when 
> I try to proxy to a realm.  Pasted below is the debug of a user trying to 
> authenticate.  The realm is a prefix of the username.  What I see buried in the 
> debug is:
>
> # radiusd -X
> FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 at 
> 11:37:39

Upgrade to 2.1.12 if possible

> Sending Access-Request of id 22 to 127.0.0.1 port 1812

Why on earth are you proxying back to yourself, to the same virtual 
server no less?

I suspect this is confusing the server, since it fails inside the 
handler further down.

> [eap] Identity does not match User-Name, setting from EAP Identity.

You are rewriting the username. This doesn't work with EAP. Don't do that.

If you need to strip realms etc. use "Stripped-User-Name". Leave the 
original username alone.

> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.



Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Phil Mayers

On 28/06/12 17:13, Steve Brown wrote:
> On 28/06/12 14:34, Steve Brown wrote:
>> Is there any way of achieving the same end result in v1.x without Unlang?
>
> If there was a way to simply respond to an accounting request with an
> 'Accept', like you can with Auth, could I do something like:


You might be able do use the "configurable_failover" in 1.x to achieve 
this. Something like:


preacct {
	files {
		ok = return
	}
	... rest of modules ...
}

...and in your "files" module, something like you had:

DEFAULT Acct-Status-Type == Interim-Update, User-Name =~ "@domain"
	Fall-Through = No

See "doc/configurable_failover" - from the version of the server you are 
running, obviously.



EAP does not work with realms

2012-06-28 Thread Christopher Manigan
ql_mysql: Starting connect to MySQL server for #40
rlm_sql (sql): Connected new DB handle, #40
rlm_sql (sql): starting 41
rlm_sql (sql): Attempting to connect rlm_sql_mysql #41
rlm_sql_mysql: Starting connect to MySQL server for #41
rlm_sql (sql): Connected new DB handle, #41
rlm_sql (sql): starting 42
rlm_sql (sql): Attempting to connect rlm_sql_mysql #42
rlm_sql_mysql: Starting connect to MySQL server for #42
rlm_sql (sql): Connected new DB handle, #42
rlm_sql (sql): starting 43
rlm_sql (sql): Attempting to connect rlm_sql_mysql #43
rlm_sql_mysql: Starting connect to MySQL server for #43
rlm_sql (sql): Connected new DB handle, #43
rlm_sql (sql): starting 44
rlm_sql (sql): Attempting to connect rlm_sql_mysql #44
rlm_sql_mysql: Starting connect to MySQL server for #44
rlm_sql (sql): Connected new DB handle, #44
rlm_sql (sql): starting 45
rlm_sql (sql): Attempting to connect rlm_sql_mysql #45
rlm_sql_mysql: Starting connect to MySQL server for #45
rlm_sql (sql): Connected new DB handle, #45
rlm_sql (sql): starting 46
rlm_sql (sql): Attempting to connect rlm_sql_mysql #46
rlm_sql_mysql: Starting connect to MySQL server for #46
rlm_sql (sql): Connected new DB handle, #46
rlm_sql (sql): starting 47
rlm_sql (sql): Attempting to connect rlm_sql_mysql #47
rlm_sql_mysql: Starting connect to MySQL server for #47
rlm_sql (sql): Connected new DB handle, #47
rlm_sql (sql): starting 48
rlm_sql (sql): Attempting to connect rlm_sql_mysql #48
rlm_sql_mysql: Starting connect to MySQL server for #48
rlm_sql (sql): Connected new DB handle, #48
rlm_sql (sql): starting 49
rlm_sql (sql): Attempting to connect rlm_sql_mysql #49
rlm_sql_mysql: Starting connect to MySQL server for #49
rlm_sql (sql): Connected new DB handle, #49
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, 
type, secret, server FROM nas
rlm_sql (sql): Reserving sql socket id: 49
rlm_sql (sql): Read entry nasname=192.168.100.150,shortname=zd,secret=secret
rlm_sql (sql): Adding client 192.168.100.150 (zd, server=) to clients list
rlm_sql (sql): Read entry nasname=69.38.220.75,shortname=zd,secret=secret
rlm_sql (sql): Adding client 69.38.220.75 (zd, server=) to clients list
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=localhost,secret=secret
rlm_sql (sql): Adding client 127.0.0.1 (localhost, server=) to clients 
list
rlm_sql (sql): Released sql socket id: 49
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file 
/etc/raddb/modules/acct_unique
  acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port"
  }
 Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
  realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail
  detail {
detailfile = 
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
  radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file 
/etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "reply_log" from file 
/etc/raddb/modules/detail.log
  detail reply_log {
detailfile = 
"/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating module "attr_filter.access_reject" from file 
/etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
  }
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Mo

EAP fails when proxying to a realm

2012-06-28 Thread Christopher Manigan
lm_sql (sql): starting 44
rlm_sql (sql): Attempting to connect rlm_sql_mysql #44
rlm_sql_mysql: Starting connect to MySQL server for #44
rlm_sql (sql): Connected new DB handle, #44
rlm_sql (sql): starting 45
rlm_sql (sql): Attempting to connect rlm_sql_mysql #45
rlm_sql_mysql: Starting connect to MySQL server for #45
rlm_sql (sql): Connected new DB handle, #45
rlm_sql (sql): starting 46
rlm_sql (sql): Attempting to connect rlm_sql_mysql #46
rlm_sql_mysql: Starting connect to MySQL server for #46
rlm_sql (sql): Connected new DB handle, #46
rlm_sql (sql): starting 47
rlm_sql (sql): Attempting to connect rlm_sql_mysql #47
rlm_sql_mysql: Starting connect to MySQL server for #47
rlm_sql (sql): Connected new DB handle, #47
rlm_sql (sql): starting 48
rlm_sql (sql): Attempting to connect rlm_sql_mysql #48
rlm_sql_mysql: Starting connect to MySQL server for #48
rlm_sql (sql): Connected new DB handle, #48
rlm_sql (sql): starting 49
rlm_sql (sql): Attempting to connect rlm_sql_mysql #49
rlm_sql_mysql: Starting connect to MySQL server for #49
rlm_sql (sql): Connected new DB handle, #49
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, 
type, secret, server FROM nas
rlm_sql (sql): Reserving sql socket id: 49
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=localhost,secret=secret
rlm_sql (sql): Adding client 127.0.0.1 (localhost, server=) to clients 
list
rlm_sql (sql): Released sql socket id: 49
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file 
/etc/raddb/modules/acct_unique
  acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port"
  }
 Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
  realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail
  detail {
detailfile = 
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
  radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file 
/etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "reply_log" from file 
/etc/raddb/modules/detail.log
  detail reply_log {
detailfile = 
"/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating module "attr_filter.access_reject" from file 
/etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
  }
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
 listen {
socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
 ... adding new socket proxy address * port 41620
 ... adding new socket proxy address * port 46995
 ... adding new socket proxy address * port 43755
 ... adding new socket proxy address * port 35210
 ... adding new socket proxy address * port 53936
 ... addin

Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Steve Brown

On 28/06/12 14:34, Steve Brown wrote:
> Is there any way of achieving the same end result in v1.x without Unlang?

If there was a way to simply respond to an accounting request with an 
'Accept', like you can with Auth, could I do something like:


acct_users:
DEFAULT Acct-Status-Type == Interim-Update, User-Name =~ /@domain/
	Acct-Type := "IGNORE"


radiusd.conf:
accounting {
	Acct-Type IGNORE {
		Accept
	}
}

Can't find a method like 'Accept' in the docs though so maybe that's not 
possible.


Steve


Re: FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Fajar A. Nugraha
On Thu, Jun 28, 2012 at 8:22 PM, Taz Manian  wrote:
> I did check the wiki , i have been on it for the last 3 days trying to
> figure this out
>
> I did a search for Pool-Name and i got 4 different results as below
>
> http://wiki.freeradius.org/search?q=Pool-Name
>
> http://wiki.freeradius.org/Rlm_sqlippool

Did you notice I specifically mentioned that page?

> http://wiki.freeradius.org/Rlm_ippool
> http://wiki.freeradius.org/Users
> http://wiki.freeradius.org/Ippool%20and%20radius%20clients
>
> I checked each one of them and not one said anything about radcheck or
> radreply.

Did you read this paragraph?

"
To assign a user an IP from a pool you simply need to have a Pool-Name
Attribute (Keep in mind that it is a CONTROL attribute, not a reply
attribute) in the required configuration file, which is either in
files(users), sql or any other type of configuration schema.
"

It should be clear enough that Pool-Name should not be in
rad(group)reply (since that table holds reply attributes).

If you don't know where to put CONTROL attribute (which is in
rad(group)check, btw), then we might need to add an entry for that.

> I checked on Google and found some pages that said TO USE Framed-Pool , and
> i could see that when i ran radiusd -X

Your primary source of information should be the included
documentation (comments on the config file, man pages, etc).

After that, the wiki.

After that, this list.

If you decide to follow some random page, then no wonder you get random result.

-- 
Fajar


Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Steve Brown

On 28/06/12 14:03, Alan DeKok wrote:
>    Check that you're using version 2?  It looks like you're using version
> 1.  "Unlang" is only supported in version 2.


I'm not, and that would explain it nicely; I mentioned in my initial 
message "legacy Freeradius 1.1.2 platform". Is there any way of 
achieving the same end result in v1.x without Unlang?


Upgrade is some time away, so this is is what we have to work with.

Steve


Re: FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Alan DeKok
Taz Manian wrote:
> I checked each one of them and not one said anything about radcheck or
> radreply.

  Because they give examples for the "users" file.  They don't give
examples for SQL, LDAP, external programs, Perl, Python, etc.

  The "users" file example has the Pool-Name on the first line.  The
documentation for the "users" file says that this makes it a check item.
 The documentation for the SQL module describes how to map "users" file
entries to SQL.

  It *is* documented.

  We expect that *some* independent understanding is necessary.

  Alan DeKok.
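As an added example (mine, not from the thread or from the FreeRADIUS distribution) of the users-file to SQL mapping the two replies above point at: the first line of a users entry holds the check items (the CONTROL attributes in Fajar's wording), which belong in radcheck or radgroupcheck, and the indented lines hold reply items, which belong in radreply or radgroupreply. Pool-Name is a check item, so radreply, where the original poster put Framed-Pool, is the wrong table. Assumed here: the stock FreeRADIUS 2.x MySQL schema including radippool; the pool name, addresses, user names and passwords are made up.

```sql
-- Added example, not code from the thread or from FreeRADIUS itself.
-- Assumes the stock FreeRADIUS 2.x MySQL schema (radcheck, radreply,
-- radgroupcheck, radgroupreply, radusergroup, radippool); the pool name,
-- addresses, user names and passwords are made up.

-- users-file entry this reproduces:
--   DEFAULT Pool-Name := "EZPOOL"        <- first line: check/control item
--           Framed-Protocol = PPP        <- indented:   reply item

-- WRONG (what the thread tried): a control attribute in a reply table is
-- only echoed back to the NAS; sqlippool never sees it and allocates nothing.
-- INSERT INTO radreply (username, attribute, op, value)
--   VALUES ('taz', 'Framed-Pool', ':=', 'EZPOOL');

-- Right: the pool is a check item on a group...
INSERT INTO radgroupcheck (groupname, attribute, op, value)
  VALUES ('dynamic-ip', 'Pool-Name', ':=', 'EZPOOL');
-- ...and the things the NAS should actually receive are reply items.
INSERT INTO radgroupreply (groupname, attribute, op, value)
  VALUES ('dynamic-ip', 'Framed-Protocol', ':=', 'PPP');

-- Only the few users who need a dynamic address join the group; the rest
-- keep a fixed Framed-IP-Address in radreply and never touch the pool.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('taz',         'Cleartext-Password', ':=', 'taz-secret'),
  ('static-user', 'Cleartext-Password', ':=', 'static-secret');
INSERT INTO radusergroup (username, groupname, priority)
  VALUES ('taz', 'dynamic-ip', 1);
INSERT INTO radreply (username, attribute, op, value)
  VALUES ('static-user', 'Framed-IP-Address', ':=', '192.0.2.50');

-- Addresses the pool may hand out. The remaining NOT NULL columns are
-- maintained by sqlippool at allocation time; they are given as '' here so
-- the rows are accepted even with MySQL strict mode.
INSERT INTO radippool
  (pool_name, framedipaddress, nasipaddress, calledstationid,
   callingstationid, username, pool_key)
VALUES
  ('EZPOOL', '10.10.0.10', '', '', '', '', ''),
  ('EZPOOL', '10.10.0.11', '', '', '', '', ''),
  ('EZPOOL', '10.10.0.12', '', '', '', '', '');

-- Control items rlm_sql will load for taz: Pool-Name must show up here,
-- in the check query, not in the reply query.
SELECT c.attribute, c.op, c.value
  FROM radusergroup g
  JOIN radgroupcheck c ON c.groupname = g.groupname
 WHERE g.username = 'taz'
 ORDER BY g.priority;
```

sqlippool reads control:Pool-Name and also has to be listed in post-auth (allocation) and in accounting (release on Stop or expiry), per raddb/sql/mysql/ippool.conf; with the attribute in radreply, radiusd -X shows Framed-Pool going out in the Access-Accept and no allocation at all, which is exactly the symptom reported.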


Re: Freeradius crash during EAP-TTLS authentication

2012-06-28 Thread Thomas Fagart

Hello,

After three months of stable operation, the ISP home servers have 
started losing packets and responding slowly again, and our 
freeradius proxies have begun to crash again.

We've reproduced the crash with the Git version.

Here's the output that I got with gdb


Going to the next request
rad_recv: Accounting-Request packet from host X.X.X.X port 1812, id=124, 
length=520
Received conflicting packet from client bas-man72-02 port 1812 - ID: 124 
due to unfinished request 715241.  Giving up on old request.

ASSERT FAILED event.c[2773]: request->ev != NULL

Program received signal SIGABRT, Aborted.
[Switching to Thread 8012021c0 (LWP 100143)]
0x000800fb978c in kill () from /lib/libc.so.7
(gdb)


(gdb) thread apply all bt full

Thread 2 (Thread 8012021c0 (LWP 100143)):
#0  0x000800fb978c in kill () from /lib/libc.so.7
No symbol table info available.
#1  0x000800fb858b in abort () from /lib/libc.so.7
No symbol table info available.
#2  0x00420cd4 in rad_assert_fail (file=Variable "file" is not 
available.

) at util.c:366
No locals.
#3  0x00429d9a in received_request (listener=0x801fdcac0, 
packet=0x8051c1900, prequest=0x7fffe4d0, client=0x801fdaa80) at 
event.c:2773

when = {tv_sec = 1340876260, tv_usec = 138114}
packet_p = Variable "packet_p" is not available.

Is there enough information for this bug ?
Do you want me to get some more information ?

I can provide smokeping graphs that show the packet loss and slow response 
time (3 seconds)


Many thanks

Thomas


On 29/03/2012 23:04, Thomas Fagart wrote:

> Many thanks, I will test it when available.
>
> Thomas
>
> On 28/03/2012 17:15, Alan DeKok wrote:
>
>> Thomas Fagart wrote:
>>
>>> Here's the debug output; this happens especially when we add a virtual
>>> server as a fallback server.
>>    OK... it looks like the proxy_reply doesn't exist.  I'll push a
>> patch.
>>
>>    Alan DeKok.


RE: FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Taz Manian

I did check the wiki, I have been on it for the last 3 days trying to figure 
this out.

I did a search for Pool-Name and I got 4 different results as below:

http://wiki.freeradius.org/search?q=Pool-Name
http://wiki.freeradius.org/Rlm_sqlippool
http://wiki.freeradius.org/Rlm_ippool
http://wiki.freeradius.org/Users
http://wiki.freeradius.org/Ippool%20and%20radius%20clients

I checked each one of them and not one said anything about radcheck or 
radreply. I checked on Google and found some pages that said TO USE Framed-Pool, 
and I could see that when I ran radiusd -X. I just tried using Pool-Name and it 
doesn't work, nor does it show when I try it with radiusd -X. I appreciate your 
input, I'm really stuck on this one. I'm also not sure how to use rlm_sqlippool?

Taz 
   > Date: Thu, 28 Jun 2012 19:08:25 +0700
> Subject: Re: FreeRADIUS SQl Ippool problem -
> From: l...@fajar.net
> To: dj...@iol.ie; freeradius-users@lists.freeradius.org
> 
> On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian  wrote:
> > Hi Guys,
> >
> >
> >
> > Im having a problem with Ippools with freeradius2 and i cant seem to get any
> > username to get an address from the pool.
> >
> > 90% of the usernames will have static IP's but i want a few to be in a pool
> > but i really am stumped - i tried putting
> >
> >
> >
> > username@realm Framed-Pool := EZPOOL
> >
> >
> >
> > into the radreply section and it gives me a reply when i test it #
> 
> 
> Please check the wiki, IIRC you should put it in radcheck, not
> radreply. And the attribute is Pool-Name, not Framed-Pool.
> 
> > so i know is readying that - i then have a pool set up in radippool
> 
> Also, IMHO you should just use rlm_sqlippool. It's easier to set up and debug.
> 
> -- 
> Fajar

Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Alan DeKok
Steve Brown wrote:
> Thanks for the pointer. This is actually what I started with :(
> 
> I still get the error "Error: /etc/raddb/radiusd.conf[1433]: Line is not
> in 'attribute = value' format"; line 1433 is this actual 'if ((' line.

  It works for me.

  Check that you're using version 2?  It looks like you're using version
1.  "Unlang" is only supported in version 2.

  Upgrade.

  Alan DeKok.


Re: Problems with sqlcounter module in FreeRADIUS 2.1.12

2012-06-28 Thread Fajar A. Nugraha
On Thu, Jun 28, 2012 at 7:34 PM, Andrei Petru Mura  wrote:
>  id  | username | attribute         | op | value
> -----+----------+-------------------+----+-------
>  167 | test1    | Password          | := | test1
>  168 | test1    | Max-Daily-Session | := | 60
>
> The problem is that every time I authenticate for the first time in an
> hour (because the sqlcounter is reset hourly), with username test1, I can
> access the services given by freeradius for an unlimited time.

That's not right.
- Did you read the wiki?
- Did you try to run FR in debug mode? Did it send Session-Timeout
attribute? Was it calculated correctly?
- Does your NAS honor Session-Timeout attribute?

IIRC some NAS (e.g. chillispot) ignores some attributes (e.g.
Acct-Interim-Interval) if it's too small (e.g <= 60 seconds). That
might be the case in your setup (although the attribute here is
different).

-- 
Fajar


Re: Problems with sqlcounter module in FreeRADIUS 2.1.12

2012-06-28 Thread Alan DeKok
Andrei Petru Mura wrote:
> Now in my database. I have in "radcheck" table two rows: 
> 
>  id  | username | attribute         | op | value
> -----+----------+-------------------+----+-------
>  167 | test1    | Password          | := | test1

  Please fix that.  Really.  It's been ~6 years that "Password :=" has
been *documented* as being wrong.

  See the FAQ.

>  168 | test1    | Max-Daily-Session | := | 60
> 
> The problem is that every time I authenticate for the first time
> in an hour (because the sqlcounter is reset hourly), with username
> test1, I can access the services given by freeradius for an unlimited time.

  Blame the NAS.

> The sqlcounter is only enabled if, after I log in the first time, I log out
> and log in again. If I exceed the time specified in the radcheck table in
> the first login, at the second login (in the same hour) I cannot log in
> again because the sqlcounter says that the time is up.
> 
> Question: can anyone help me how to put the right settings in database
> or FR' files so that the sqlcounter module will work from the first login?

  Read the debug output.  If the correct Session-Timeout is being
returned, blame the NAS.

  As *always* read the debug output.  We really can't say that enough.
Perhaps putting that in the "you have subscribed" notice to the list
would make a difference?

  Alan DeKok.


Re: FreeRADIUS SQl Ippool problem -

2012-06-28 Thread Fajar A. Nugraha
On Thu, Jun 28, 2012 at 7:26 PM, Michell  wrote:
> Hello,
>
> Some time ago I was informed that the ippool does not work properly with mysql.

It works just fine

> How is it now?
> I'm not sure what the problems were, but I was told that it
> worked better and smoothly only with postgres.

IIRC from the discussion, postgres should perform better compared to
mysql on the DEFAULT setup due to locking (or lack of it).
Function-wise, both work fine.

If your load is pretty light, OR you know how to adjust your mysql
setup to avoid the locking issue, it should be irrelevant.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Steve Brown

Hi Alan,

Thanks for the pointer. This is actually what I started with :(

I still get the error "Error: /etc/raddb/radiusd.conf[1433]: Line is not 
in 'attribute = value' format"; line 1433 is this actual 'if ((' line.


accounting {
   if ((Acct-Status-Type == Interim-Update) && (User-Name =~ 
/@docomo/)) {

   update control {
   Proxy-To-Realm := LOCAL
   }
   }
}


On 28/06/12 13:32, Alan DeKok wrote:

>   That's wrong on a number of levels.  The documentation says you can
> just refer to an attribute by name.  And use '==':
>
>   if ((Acct-Status-Type == Interim-Update) && (User-Name =~ /@domain/)) {
>   ...
>   }



Steve
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS SQL Ippool problem -

2012-06-28 Thread Alan DeKok
Michell wrote:
> Some time ago I was informed that the ippool does not work properly with
> mysql. How is it now?

  "someone somewhere said something".  That's not helpful.

  Read the documentation and examples distributed with FreeRADIUS.  They
give you the CORRECT answers.

  In this case, raddb/sql/mysql/ippool.*

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problems with sqlcounter module in FreeRADIUS 2.1.12

2012-06-28 Thread Andrei Petru Mura
I'm running FreeRADIUS in conjunction with PostgreSQL 9.1. Snippet from
radiusd.conf:

modules {

...
$INCLUDE sql/postgresql/counter.conf
...

}

in my sql/postgresql/counter.conf, I have the following:

sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = hourly

query = "SELECT SUM(AcctSessionTime - GREATER((%b -
AcctStartTime::ABSTIME::INT4), 0)) FROM radacct WHERE UserName='%{%k}'
AND AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
}

Attention!!! The "dailycounter" has an hourly reset.

in the sites-available/default, under authorize section:

authorize {

...
dailycounter
...
}

Now in my database. I have in "radcheck" table two rows:

  id  | username | attribute         | op | value
 -----+----------+-------------------+----+-------
  167 | test1    | Password          | := | test1
  168 | test1    | Max-Daily-Session | := | 60

The problem is that every time when I authenticate for the first time per
hour (because the sqlcounter is reset hourly), with username test1, I
can access the services given by freeradius for an unlimited time. The
sqlcounter is enabled only after I log in the first time, log out and log in
again. If I exceed the time specified in the radcheck table in the first
log in, at the second login (in the same hour), I cannot login again due to
the sqlcounter that says that the time is up.

Question: can anyone help me how to put the right settings in database or
FR's files so that the sqlcounter module will work from the first login?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
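
The counter arithmetic behind the symptom in this thread, as an added example (not FreeRADIUS code and not from the original post): the posted query is ported to an in-memory SQLite copy of radacct so it can be run offline. rlm_sqlcounter substitutes the start of the current reset period for %b and the key attribute value for %{%k}; the port uses an integer epoch column in place of AcctStartTime::ABSTIME::INT4 and SQLite's scalar MAX in place of the clamp (PostgreSQL's function for that clamp is GREATEST; there is no GREATER). The timestamps and accounting rows are constructed. With an empty radacct the first login of the hour gets Session-Timeout = 60 and the NAS is expected to enforce it; if the NAS ignores it, the next login in the same hour is rejected, and a session straddling the reset is only charged for the part after %b.

```python
import sqlite3

RESET_SECONDS = 3600  # the post's dailycounter uses "reset = hourly"


def reset_start(now):
    """What rlm_sqlcounter substitutes for %b: the start of the current reset period."""
    return now - (now % RESET_SECONDS)


def used_seconds(conn, username, period_start):
    """Port of the posted counter query. %{%k} -> username, %b -> period_start,
    AcctStartTime::ABSTIME::INT4 -> an integer epoch column, and the clamp
    GREATER(x, 0) -> SQLite's scalar MAX(x, 0) (GREATEST in PostgreSQL).
    No matching rows count as zero usage, as they do in the module."""
    (total,) = conn.execute(
        "SELECT COALESCE(SUM(acctsessiontime - MAX(? - acctstarttime, 0)), 0) "
        "FROM radacct WHERE username = ? AND acctstarttime + acctsessiontime > ?",
        (period_start, username, period_start),
    ).fetchone()
    return total


def authorize(conn, username, max_daily_session, now):
    """The decision rlm_sqlcounter takes in authorize: reject once the check item
    (Max-Daily-Session) is used up, otherwise reply with Session-Timeout set to
    what is left. Enforcing that timeout is the NAS's job, not the server's."""
    remaining = max_daily_session - used_seconds(conn, username, reset_start(now))
    if remaining <= 0:
        return ("reject", 0)
    return ("updated", remaining)


def scenario():
    """Walk through the thread's symptom with constructed accounting rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (username TEXT, acctstarttime INTEGER, acctsessiontime INTEGER)"
    )
    hour = 1340870400  # 2012-06-28 08:00:00 UTC, constructed; a multiple of 3600

    # 1. First login of the hour with nothing in radacct: counter 0, Session-Timeout 60.
    first = authorize(conn, "test1", 60, hour + 10)

    # 2. The NAS ignores Session-Timeout; the session runs 300 s before its Acct-Stop.
    conn.execute("INSERT INTO radacct VALUES (?, ?, ?)", ("test1", hour + 10, 300))

    # 3. Second login in the same hour: 300 s used against 60 s allowed -> reject.
    second = authorize(conn, "test1", 60, hour + 400)

    # 4. A session started at 08:58:20 that ran 150 s straddles the 09:00 reset; only
    #    the 50 s after %b count, so a login at 09:13:20 still gets Session-Timeout 10.
    conn.execute("INSERT INTO radacct VALUES (?, ?, ?)", ("test1", hour + 3500, 150))
    third = authorize(conn, "test1", 60, hour + 3600 + 800)

    return first, second, third


if __name__ == "__main__":
    print(scenario())  # (('updated', 60), ('reject', 0), ('updated', 10))
```

Compare the first result with the real server's debug output: if radiusd -X shows Session-Timeout = 60 being added to the reply on the first login of the hour, the server has done its part and the remaining question is why the NAS does not tear the session down.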

Re: Would like to stop Interim Accounting being proxied

2012-06-28 Thread Alan DeKok
Steve Brown wrote:
> Reading the unlang man page, I've tried:
> 
> accounting {
> 
>if ( ("%{Acct-Status-Type}" = "Interim-Update") &&
> ("%{User-Name}" =~ "/@domain/") ) {

  That's wrong on a number of levels.  The documentation says you can
just refer to an attribute by name.  And use '==':

  if ((Acct-Status-Type == Interim-Update) && (User-Name =~ /@domain/)) {
...
  }


> But that causes the daemon to error out with
> "/etc/raddb/radiusd.conf[1433]: Line is not in 'attribute = value' format"
>
> What have I misunderstood?

  Double-check line 1433?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS SQL Ippool problem -

2012-06-28 Thread Michell
Hello,

Some time ago I was informed that the ippool does not work properly with mysql.
How is it now?
I'm not sure what problems were occurring, but I was informed that it
worked better and smoothly only in postgres.

Has anyone succeeded with this scenario, freeradius / mysql?

Thanks for listening,

Michell

2012/6/28 Fajar A. Nugraha 

> On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian  wrote:
> > Hi Guys,
> >
> >
> >
> > I'm having a problem with IP pools with freeradius2 and I can't seem to get
> any
> > username to get an address from the pool.
> >
> > 90% of the usernames will have static IP's but i want a few to be in a
> pool
> > but i really am stumped - i tried putting
> >
> >
> >
> > username@realm Framed-Pool := EZPOOL
> >
> >
> >
> > into the radreply section and it gives me a reply when i test it #
>
>
> Please check the wiki, IIRC you should put it in radcheck, not
> radreply. And the attribute is Pool-Name, not Framed-Pool.
>
> > so I know it is reading that - I then have a pool set up in radippool
>
> Also, IMHO you should just use rlm_sqlipool. It's easier to setup and
> debug.
>
> --
> Fajar
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Would like to stop Interim Accounting being proxied

2012-06-28 Thread Steve Brown

Hi all,

I need to stop proxying Interim Accounting for a particular domain on 
our legacy Freeradius 1.1.2 platform.


Reading the unlang man page, I've tried:

accounting {

   if ( ("%{Acct-Status-Type}" = "Interim-Update") && 
("%{User-Name}" =~ "/@domain/") ) {

   update control {
   Proxy-To-Realm := LOCAL
   }
   }
}

But that causes the daemon to error out with 
"/etc/raddb/radiusd.conf[1433]: Line is not in 'attribute = value' format"



What have I misunderstood?

Steve
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS SQL Ippool problem -

2012-06-28 Thread Fajar A. Nugraha
On Thu, Jun 28, 2012 at 7:08 PM, Fajar A. Nugraha  wrote:
> On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian  wrote:

>> so i know is readying that - i then have a pool set up in radippool
>
> Also, IMHO you should just use rlm_sqlipool. It's easier to setup and debug.

Sorry, I somehow read "radippool" as "rlm_ippool". If you use that
table then you should use (or at least try to use) rlm_sqlippool
already.

You probably just need to read the wiki:
http://wiki.freeradius.org/Rlm_sqlippool

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS SQL Ippool problem -

2012-06-28 Thread Fajar A. Nugraha
On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian  wrote:
> Hi Guys,
>
>
>
> I'm having a problem with IP pools with freeradius2 and I can't seem to get any
> username to get an address from the pool.
>
> 90% of the usernames will have static IP's but i want a few to be in a pool
> but i really am stumped - i tried putting
>
>
>
> username@realm Framed-Pool := EZPOOL
>
>
>
> into the radreply section and it gives me a reply when i test it #


Please check the wiki, IIRC you should put it in radcheck, not
radreply. And the attribute is Pool-Name, not Framed-Pool.

> so I know it is reading that - I then have a pool set up in radippool

Also, IMHO you should just use rlm_sqlipool. It's easier to setup and debug.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRADIUS SQL Ippool problem -

2012-06-28 Thread Taz Manian



Hi Guys,

I'm having a problem with IP pools with freeradius2 and I can't seem to
get any username to get an address from the pool. 90% of the usernames
will have static IPs but I want a few to be in a pool, but I really am
stumped. I tried putting

   username@realm Framed-Pool := EZPOOL

into the radreply section and it gives me a reply when I test it:

   # Standard  Framed-Pool "EZPOOL"

so I know it is reading that. I then have a pool set up in radippool:

   pool_name=EZPOOL  FramedIPAddress=192.168.1.200  (I have more)

and my radiusd -X reply is:

# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "111"
[pap] Using clear text password "111"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> user@realm
[sql] sql_set_user escaped user --> 'username@realm'
[sql]   expand: %{User-Password} -> 111
[sql]   expand: INSERT INTO radpostauth   (username, 
pass, reply, authdate)   VALUES (   
'%{User-Name}',   
'%{%{User-Password}:-%{Chap-Password}}',   
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
   (username, pass, reply, authdate)   VALUES ( 
  'username@realm',   '111',
   'Access-Accept', '2012-06-28 10:59:37')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth 
  (username, pass, reply, authdate)   VALUES (  
 'username@realm',   '111', 
  'Access-Accept', '2012-06-28 10:59:37')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 51 to 192.168.1.100 port 52433
Framed-Pool := "EZPOOL"
Cisco-AVPair := "lcp:interface-config=ip vrf forwarding BLAH"
Cisco-AVPair += "lcp:interface-config=ip unnumbered Loopback1"
Cisco-AVPair += "lcp:interface-config=mtu 1492"
Service-Type := Framed-User
Framed-Protocol := PPP
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 51 with timestamp +5
Ready to process requests.
  
  

  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help needed to configure FreeRADIUS for eduroam

2012-06-28 Thread alan buxey
Hi,

> For some reason, it is working now, I did only tiny changes though.

well..you made changes... obviously they were beneficial

> - the differences between the WiKi
> https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus
> and the cookbook
> http://www.eduroam.org/downloads/docs/GN2-08-230-DJ5.1.5.3-eduroamCookbook.pdf.
> The configuration files are slightly different.

the wiki is up to date. the cookbook is printed material...and is from GEANT2 
days - so older

> - the inner logic behind the virtual servers eduroam and server
> eduroam-inner-tunnel; how it is working; how packets are passed from
> one to the other.

the eduroam server passes EAP stuff into the eduroam inner-tunnel - just like, by
default, the default server passes things into the inner-tunnel.
How does stuff go into the eduroam VS? Well, usually via an entry in clients.conf
which says to put traffic from a particular NAS into a particular virtual server.

> - how to implement anonymous outer identity? What to configure in
> Radius? Is there any configuration needed in the suplicant?

the RADIUS server will just handle it - it will get to the EAP part and open
the tunnel to see the good stuff inside. Be aware that if you have made ANY
assumptions about ID based on the outer ID then those can be abused/misconstrued.

anonymous ID ability is based on the supplicant - some supplicants can set it,
others can't. Some can set a different realm in the outer ID, some can't.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help needed to configure FreeRADIUS for eduroam

2012-06-28 Thread Olivier Nicole
Hi,

Thank you to Stefan, Scot and Alan who took time to reply to me.

For some reason, it is working now, I did only tiny changes though.

What I still don't understand:

- the differences between the WiKi
https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus
and the cookbook
http://www.eduroam.org/downloads/docs/GN2-08-230-DJ5.1.5.3-eduroamCookbook.pdf.
The configuration files are slightly different.

- the inner logic behind the virtual servers eduroam and server
eduroam-inner-tunnel; how it is working; how packets are passed from
one to the other.

- how to implement anonymous outer identity? What to configure in
Radius? Is there any configuration needed in the suplicant?

Best regards,

Olivier

On Thu, Jun 28, 2012 at 1:21 PM, Stefan Winter  wrote:
> Hi,
>
>> I am struggling to configure my FreeRADIUS server for eduroam
>> (www.eduroam.org), as I understood that some subscribers have done the
>> configuration successfully, I come here to get help.
>>
>> I have been running my FreeRADIUS server with out problem for several
>> years, identifying to an openLdap backend.
>>
>> I managed to configure a test WiFi access point to identify with
>> 802.1x against that same radius/ldap server.
>>
>> But I have a problem to configure eduroam, so I would be glad if I
>> could see a working example.
>
> It would help if you told us *what* the problem is. Looking at what you
> write, you have a working FreeRADIUS, working openLDAP backend, and have
> configured it to do IEEE 802.1X on a WiFi access point.
>
> That is 99% of what eduroam needs. So, what's missing?
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Questions on the finer points of CUI

2012-06-28 Thread Stefan Winter
On 28.06.2012 09:07, Scott Armitage wrote:
> All,
> 
> I was after some clarification about the implementation of CUI in freeRADIUS. 
>  
> 
> My first point is the use of Client IP Address. I notice that client IP 
> Address makes a regular appearance but I'm wondering whether it should.  
> Looking at the cui.conf the post-auth insert adds the Client IP Address.
> 
> postauth_query = "INSERT IGNORE INTO ${cui_table} \
>   (clientipaddress, callingstationid, username, cui, lastaccounting) \
> VALUES \
>   ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', 
> '%{reply:Chargeable-User-Identity}', NULL) ON DUPLICATE KEY UPDATE 
> lastaccounting='0000-00-00 00:00:00', 
> cui='%{reply:Chargeable-User-Identity}'";
> 
> likewise the schema (in cui.sql) even has the Client IP Address as a primary 
> key which to me seems wrong.  In the world of eduroam my RADIUS server can 
> proxy off to one of 3 National Proxies each will have a different Client IP 
> Address, therefore a single client could have 3 entries in the cui table 
> depending upon which National proxy dealt with the request.  I don't see the 
> point of the Client IP Address being in there.  If each home server is using 
> a salt (together with the operator name) then even the same username and 
> calling station id will return a different CUI for different home servers.  
> Maybe someone could explain what I'm missing and why the Client IP Address is 
> there?

The $cui_table is merely a helper table to bind returned
CUI values from the home server during the *authentication* phase to a
possible subsequent Accounting packet for that same session. It is
logically maintained at the SP side of the transactions (i.e. towards
Access Points and Controllers).

When doing auth, Calling-Station-Id and a User-Name are present in the
request. The response contains the associated Chargeable-User-Identity,
and may or may not contain a User-Name, and that User-Name may or may
not be the same as the request had.

If the NAS doesn't bind auth-CUI to acct-CUI itself (which is true for
most NASes), the SP-side RADIUS server needs to do guesswork to add the
CUI attribute to the outgoing accounting request (for all such requests:
starts, interims and stops).

It can see the binding primarily by observing that the calling-station
ID is the same.

It can not use the User-Name in Accounting because some NASes use the
value of an Access-Accept instead of the original value.

In principle, one could stop here. However, if a user moves from one NAS
to another, he needs to reauthenticate and has the same
Calling-Station-Id. This new authentication might get the same CUI or
another (as you rightly note, the next request can go to a different
home server, who might calculate his own CUI).

In that case, there are two entries for the same Calling-Station-Id with
different CUIs, and the server won't know which one to attach to the
next outgoing Accounting-Request -> BAD.

That's why the Client-IP-Address is a secondary key: since we're talking
SP-side, the client is the Access-Point or Controller, and the tuple of
(CSI;Client-IP) makes the CUI value unique: This device *on this client*
at a particular point in time.

You might argue that the user could close the session and then re-auth
on the *same* NAS. That's true, but it is not a problem: if that
previous session was closed "in order" with an Accounting-Stop, the
temporary entry in $cui_table gets deleted, and the new session gets the
new one. If not, since the key of CSI and Client-IP is identical, the
new session overwrites the CUI value of the previous one.

This should also explain your subsequent queries below.

Greetings,

Stefan Winter

> 
> Staying with the Client IP Address, my next point surrounds the Accounting.  
> The cui.conf shows that accounting updates the table using Client IP Address 
> in the search:
> 
> accounting_start_query = "UPDATE ${cui_table} \
>   SET \
> lastaccounting = CURRENT_TIMESTAMP \
>   WHERE clientipaddress = '%{Client-IP-Address}' \
> AND callingstationid = '%{Calling-Station-Id}' \
> AND username = '%{User-Name}' \
>   AND cui = '%{Chargeable-User-Identity}'";
> 
> How would this work?  The NAS doesn't know what the Client IP Address is and 
> doesn't send it in Accounting packets.  
> 
> Finally, why does the Accounting stop for cui remove the cui from the 
> database:
> 
> accounting_stop_query = "DELETE FROM ${cui_table} WHERE \
>   clientipaddress = '%{Client-IP-Address}' \
>   AND callingstationid = '%{Calling-Station-Id}' \
>   AND username = '%{User-Name}' \
>   AND cui = '%{Chargeable-User-Identity}'";
> 
> 
> Surely I'd want to keep this?  If 2 weeks later I get a copyright 
> infringement notice for a client, I'd want the CUI when contacting the home 
> site of the user.
> 
> 
> Thanks
> 
> 
> Scott Armitage
> 
> 
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/lis
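
The binding logic described in the reply above, as an added example that is not part of the thread or of FreeRADIUS: an in-memory SQLite table stands in for $cui_table, and the post-auth upsert, the accounting lookup, and the stop-time delete are reduced to Python functions. The schema is an assumption modelled on the columns in the posted queries but keyed only on (clientipaddress, callingstationid), the tuple the reply describes; the station MAC, client addresses and CUI values are constructed. Note that the NAS never has to send Client-IP-Address: FreeRADIUS fills it from the source address of the packet, for accounting requests as for authentication. The walk-through shows why the client address belongs in the key: after a roam the same Calling-Station-Id has two bindings, a lookup by station alone is ambiguous, a lookup by (client, station) is not, an Accounting-Stop removes its binding, and a re-authentication on the same NAS without a stop overwrites the old value.

```python
import sqlite3

# Assumed schema (example only): the columns used by the posted cui.conf queries,
# keyed on (clientipaddress, callingstationid) as the reply above describes.
SCHEMA = """
CREATE TABLE cui (
    clientipaddress  TEXT NOT NULL,
    callingstationid TEXT NOT NULL,
    username         TEXT NOT NULL,
    cui              TEXT NOT NULL,
    lastaccounting   INTEGER,
    PRIMARY KEY (clientipaddress, callingstationid)
)
"""


def open_cui_table():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def post_auth(conn, client_ip, csi, username, cui):
    """Access-Accept carried a Chargeable-User-Identity: bind it to this (client, station)
    pair. INSERT OR REPLACE plays the role of INSERT IGNORE ... ON DUPLICATE KEY UPDATE,
    so a re-authentication on the same NAS overwrites a stale binding."""
    conn.execute(
        "INSERT OR REPLACE INTO cui VALUES (?, ?, ?, ?, NULL)",
        (client_ip, csi, username, cui),
    )


def cui_for_accounting(conn, client_ip, csi):
    """The CUI to copy into an outgoing Accounting-Request. client_ip is the packet's
    source address (what %{Client-IP-Address} expands to), not something the NAS sends."""
    row = conn.execute(
        "SELECT cui FROM cui WHERE clientipaddress = ? AND callingstationid = ?",
        (client_ip, csi),
    ).fetchone()
    return row[0] if row else None


def cuis_for_station(conn, csi):
    """What a lookup keyed on Calling-Station-Id alone would return."""
    rows = conn.execute(
        "SELECT cui FROM cui WHERE callingstationid = ? ORDER BY clientipaddress", (csi,)
    ).fetchall()
    return [r[0] for r in rows]


def acct_start(conn, client_ip, csi, now):
    """Accounting-Start seen for the session: record that accounting is flowing."""
    conn.execute(
        "UPDATE cui SET lastaccounting = ? WHERE clientipaddress = ? AND callingstationid = ?",
        (now, client_ip, csi),
    )


def acct_stop(conn, client_ip, csi):
    """Accounting-Stop closes the session in order: the temporary binding is dropped."""
    conn.execute(
        "DELETE FROM cui WHERE clientipaddress = ? AND callingstationid = ?", (client_ip, csi)
    )


def roaming_scenario():
    """Constructed walk-through: one station, two access points, two home-server CUIs."""
    conn = open_cui_table()
    csi = "00-11-22-33-44-55"          # constructed station MAC
    ap1, ap2 = "10.0.0.1", "10.0.0.2"   # constructed RADIUS client addresses
    user = "anonymous@example.edu"      # outer identity; the inner one never reaches the SP

    post_auth(conn, ap1, csi, user, "cui-from-home-A")
    acct_start(conn, ap1, csi, 1340870400)
    # Roam to ap2: the re-authentication may be answered by a different home server.
    post_auth(conn, ap2, csi, user, "cui-from-home-B")

    by_station = cuis_for_station(conn, csi)                    # two candidates: ambiguous
    per_client = (cui_for_accounting(conn, ap1, csi),
                  cui_for_accounting(conn, ap2, csi))           # (client, station) is unique

    acct_stop(conn, ap1, csi)
    after_stop = cui_for_accounting(conn, ap1, csi)            # binding gone

    # Re-auth on ap2 with no Accounting-Stop in between: same key, old value overwritten.
    post_auth(conn, ap2, csi, user, "cui-from-home-C")
    after_reauth = cui_for_accounting(conn, ap2, csi)
    (rows,) = conn.execute("SELECT COUNT(*) FROM cui").fetchone()

    return {
        "by_station": by_station,
        "per_client": per_client,
        "after_stop": after_stop,
        "after_reauth": after_reauth,
        "rows": rows,
    }


if __name__ == "__main__":
    for key, value in roaming_scenario().items():
        print(f"{key}: {value}")
```

The delete on Accounting-Stop only affects this helper table; the CUI that was sent in the accounting packets still lands in radacct (or whatever accounting store the site keeps), which is where a later abuse report should be answered from.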

Re: Help needed to configure FreeRADIUS for eduroam

2012-06-28 Thread alan buxey
Hi,

> I have been running my FreeRADIUS server with out problem for several
> years, identifying to an openLdap backend.
> 
> I managed to configure a test WiFi access point to identify with
> 802.1x against that same radius/ldap server.
> 
> But I have a problem to configure eduroam, so I would be glad if I
> could see a working example.

you need to look at the output of 'radiusd -X' to see what is going on with
your server and why it is failing.

regarding eduroam - if you already have working 802.1X locally (which I'm not
sure about from your message, as your OpenLDAP/RADIUS combo could have been just
PAP authentication) - then all you need to do for eduroam is have some unlang
which checks the realm and, if it's not your realm, sends it to a proxy pool
(configure proxy.conf) - which will send the request to remote RADIUS servers
that you will be told about by your federation operator. And for you to add
those remote RADIUS servers as clients (clients.conf or NAS table in SQL) so
that requests for you can be sent to you.

you might want to also look at the eduroam confluence WIKI for 
help/advice/pointers


https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Questions on the finer points of CUI

2012-06-28 Thread Scott Armitage
All,

I was after some clarification about the implementation of CUI in freeRADIUS.  

My first point is the use of Client IP Address. I notice that client IP Address 
makes a regular appearance but I'm wondering whether it should.  Looking at the 
cui.conf the post-auth insert adds the Client IP Address.

postauth_query = "INSERT IGNORE INTO ${cui_table} \
(clientipaddress, callingstationid, username, cui, lastaccounting) \
VALUES \
('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', 
'%{reply:Chargeable-User-Identity}', NULL) ON DUPLICATE KEY UPDATE 
lastaccounting='0000-00-00 00:00:00', cui='%{reply:Chargeable-User-Identity}'";

likewise the schema (in cui.sql) even has the Client IP Address as a primary 
key which to me seems wrong.  In the world of eduroam my RADIUS server can 
proxy off to one of 3 National Proxies each will have a different Client IP 
Address, therefore a single client could have 3 entries in the cui table 
depending upon which National proxy dealt with the request.  I don't see the 
point of the Client IP Address being in there.  If each home server is using a 
salt (together with the operator name) then even the same username and calling 
station id will return a different CUI for different home servers.  Maybe someone 
could explain what I'm missing and why the Client IP Address is there?

Staying with the Client IP Address, my next point surrounds the Accounting.  
The cui.conf shows that accounting updates the table using Client IP Address in 
the search:

accounting_start_query = "UPDATE ${cui_table} \
SET \
lastaccounting = CURRENT_TIMESTAMP \
WHERE clientipaddress = '%{Client-IP-Address}' \
AND callingstationid = '%{Calling-Station-Id}' \
AND username = '%{User-Name}' \
AND cui = '%{Chargeable-User-Identity}'";

How would this work?  The NAS doesn't know what the Client IP Address is and 
doesn't send it in Accounting packets.  

Finally, why does the Accounting stop for cui remove the cui from the database:

accounting_stop_query = "DELETE FROM ${cui_table} WHERE \
clientipaddress = '%{Client-IP-Address}' \
AND callingstationid = '%{Calling-Station-Id}' \
AND username = '%{User-Name}' \
AND cui = '%{Chargeable-User-Identity}'";


Surely I'd want to keep this?  If 2 weeks later I get a copyright infringement 
notice for a client, I'd want the CUI when contacting the home site of the user.


Thanks


Scott Armitage




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html