Problem in xlat.c code
Hi all, I have found a problem in the xlat.c code. The original code doesn't work when I want to use it in acct_users:

DEFAULT Called-Station-Id == orangewap
        Called-Station-Id := %{Called-Station-Id}.%{3GPP-SGSN-Address}

I have changed xlat.c:

[radiusd@tdrad1 main]$ diff xlat.c xlat.c.backup 1043a1044,1046 if (isdigit(*p)) { module_name = xlat_str = p; } else { 1045a1049 }

Now everything works correctly.

Peter Balšianok
Data Service Operation Coordinator, Voice Data Services Operations
Orange Slovensko, a. s.
Metodova 8, 821 08 Bratislava
tel: +421 908 00 2405
mobile: +421 905 012 405
e-mail: peter.balsia...@orange.sk

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
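Review bot: `isdigit(*p)` in the added branch is called on a plain `char`; where `char` is signed, a byte above 0x7f becomes a negative value that `isdigit()` is not defined for, so it should read `isdigit((unsigned char)*p)`. Beyond that, this is an `ed`-style diff with no context lines, so `1043a1044,1046` and `1045a1049` do not show which block of `xlat.c` the new `if`/`else` wraps; a `diff -u` against the current git tree would let the placement of `module_name = xlat_str = p;` (and what the `else` now encloses) actually be reviewed.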
Re: Problem in xlat.c code
BALSIANOK, Peter wrote:
I have changed xlat.c:
[radiusd@tdrad1 main]$ diff xlat.c xlat.c.backup 1043a1044,1046 if (isdigit(*p)) { module_name = xlat_str = p; } else { 1045a1049 }
Now everything works correctly.

Please use git, or diff -u, so that we can see the context. Right now, all I know is that *some version* of xlat.c got changed. I don't know where this code goes. Line numbers don't help, as they change with every version of the file.

Alan DeKok.
Re: Problem in xlat.c code
BALSIANOK, Peter wrote:
I have found a problem in the xlat.c code.

I've pulled a fix from the 'master' branch. It should now work.

Alan DeKok.
RE: Problem in xlat.c code
I have recompiled freeradius-2.2.0 (with the new version of xlat.c), and I get a segmentation fault when I try an accounting request:

[radiusd@tdrad1 ggsn]$ /app/radius/freeradius-2.2.0/sbin/radiusd -Xxx -d /app/radius/raddb/ggsn/
Tue Dec 18 11:26:55 2012 : Info: FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Nov 27 2012 at 13:30:37
Tue Dec 18 11:26:55 2012 : Info: Starting - reading configuration files ...
Tue Dec 18 11:26:55 2012 : Debug: including configuration file /app/radius/raddb/ggsn//radiusd.conf
Re: Problem in xlat.c code
BALSIANOK, Peter wrote:
I have recompiled freeradius-2.2.0 (with the new version of xlat.c), and I get a segmentation fault when I try an accounting request.

See doc/bugs

Alan DeKok.
Re: Problem in xlat.c code
BALSIANOK, Peter wrote:
I have recompiled freeradius-2.2.0 (with the new version of xlat.c), and I get a segmentation fault when I try an accounting request.

And don't replace just one file. Grab a new version of the code from git. The v2.x.x branch.

Alan DeKok.
Problem with proxying request
Hi, I try to send a proxy request via freeradius-2.2.0, but as I can see in the debug output, freeradius didn't process the Accounting-Response (tcpdump shows that the server got the response):

rad_recv: Accounting-Request packet from host 127.0.0.1 port 49935, id=13, length=202
	X-Ascend-Dial-Number != U+0557\331\025
	Acct-Session-Id != d597d91572f51ab3
	Service-Type != Framed-User
	Called-Station-Id != orangewap
	Acct-Link-Count != 1
	X-Ascend-Metric != 1928665779
	Acct-Authentic != Local
	Acct-Status-Type != Start
	NAS-IP-Address != 10.64.192.1
	X-Ascend-PRI-Number-Type != 8
	3GPP-SGSN-Address != 213.151.252.35
	Calling-Station-Id != 421905012405
	X-Ascend-IPX-Alias != 4294967295
	Framed-Protocol != GPRS-PDP-Context
	User-Name != 421905012405
	NAS-Identifier != ggsn-01-bb1.orange.sk
	Acct-Multi-Session-Id != d597d9153962de6b
	Framed-IP-Address != 10.10.1.1
(2) # Executing section preacct from file /app/radius/raddb/ggsn//sites-enabled/default
(2) group preacct {
(2) - entering group preacct {...}
(2) [preprocess] = ok
(2) linelog : escape: 'Start' -> 'Start'
(2) linelog : expand: '%{Acct-Status-Type}' -> 'Start'
(2) linelog : expand: 'Accounting-Request.%{%{Acct-Status-Type}:-unknown}' -> 'Accounting-Request.Start'
(2) linelog : expand: '/app_log/radius/ggsn/ggsn-acct.dat' -> '/app_log/radius/ggsn/ggsn-acct.dat'
(2) linelog : escape: 'Start' -> 'Start'
(2) linelog : escape: '421905012405' -> '421905012405'
(2) linelog : escape: '10.10.1.1' -> '10.10.1.1'
(2) linelog : escape: 'orangewap' -> 'orangewap'
(2) linelog : escape: '10.64.192.1' -> '10.64.192.1'
(2) linelog : escape: '213.151.252.35' -> '213.151.252.35'
(2) linelog : escape: 'd597d9153962de6b' -> 'd597d9153962de6b'
(2) linelog : expand: '%{Acct-Status-Type}:%{Calling-Station-Id}:%{Framed-IP-Address}:%{Called-Station-Id}:%{NAS-IP-Address}:%{3GPP-SGSN-Address}:%{Acct-Multi-Session-Id}:%l' -> 'Start:421905012405:10.10.1.1:orangewap:10.64.192.1:213.151.252.35:d597d9153962de6b:1355835824'
(2) [linelog] = ok
(2) suffix : No '@' in User-Name = 421905012405, looking up realm NULL
(2) suffix : No such realm NULL
(2) [suffix] = noop
(2) files : acct_users: Matched entry DEFAULT at line 25
(2) [files] = ok
(2) # Executing section accounting from file /app/radius/raddb/ggsn//sites-enabled/default
(2) group accounting {
(2) - entering group accounting {...}
(2) attr_filter.accounting_response : expand: '%{User-Name}' -> '421905012405'
(2) attr_filter.accounting_response : Matched entry DEFAULT at line 103
(2) [attr_filter.accounting_response] = updated
(2) # Executing section pre-proxy from file /app/radius/raddb/ggsn//sites-enabled/default
(2) group pre-proxy {
(2) - entering group pre-proxy {...}
(2) files : preproxy_users: Matched entry DEFAULT at line 33
(2) files : expand: '%{Called-Station-Id}.%{3GPP-SGSN-Address}' -> 'orangewap.213.151.252.35'
(2) [files] = ok
(2) Proxying request to home server 213.151.250.149 port 1813
Sending Accounting-Request of id 93 from 255.255.255.255 port 56347 to 213.151.250.149 port 1813
	X-Ascend-Dial-Number != U+0557\331\025
	Acct-Session-Id != d597d91572f51ab3
	Service-Type != Framed-User
	Called-Station-Id = orangewap.213.151.252.35
	Acct-Link-Count != 1
	X-Ascend-Metric != 1928665779
	Acct-Authentic != Local
	Acct-Status-Type != Start
	NAS-IP-Address != 10.64.192.1
	X-Ascend-PRI-Number-Type != 8
	3GPP-SGSN-Address != 213.151.252.35
	Calling-Station-Id != 421905012405
	X-Ascend-IPX-Alias != 4294967295
	Framed-Protocol != GPRS-PDP-Context
	User-Name != 421905012405
	NAS-Identifier != ggsn-01-bb1.orange.sk
	Acct-Multi-Session-Id != d597d9153962de6b
	Framed-IP-Address != 10.10.1.1
	Event-Timestamp != Dec 18 2012 14:03:44 CET
	Proxy-State != 0x3133
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(2) Expecting proxy response no later than 14 seconds from now
Waking up in 13.1 seconds.
(2) No proxy response, giving up on request and marking it done
(2) Failing request due to lack of any response from home server 213.151.250.149 port 1813
No Post-Proxy-Type Fail: ignoring
(2) Cleaning up request packet ID 13 with timestamp +323
Ready to process requests.

Here is the tcpdump of the communication between freeradius and the 3rd-party radius server:

14:03:44.828028 IP (tos 0x0, ttl 64, id 16529, offset 0, flags [none], proto: UDP (17), length:
Re: Problem with proxying request
On 18/12/12 13:11, BALSIANOK, Peter wrote:
Hi, I try to send a proxy request via freeradius-2.2.0, but as I can see in the debug output, freeradius didn't process the Accounting-Response (tcpdump shows that the server got the response).

Firewall (iptables, ipfw, pf, etc.)
RE: Problem with proxying request
No iptables, ipfw, pf, etc. When I use radclient and send an accounting request (from the server where freeradius is placed) to the 3rd-party radius, I get a correct answer.

-----Original Message-----
From: freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org On Behalf Of Phil Mayers
Sent: Tuesday, December 18, 2012 4:08 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Problem with proxying request

On 18/12/12 13:11, BALSIANOK, Peter wrote:
Hi, I try to send a proxy request via freeradius-2.2.0, but as I can see in the debug output, freeradius didn't process the Accounting-Response (tcpdump shows that the server got the response).

Firewall (iptables, ipfw, pf, etc.)
Re: Problem with proxying request
On 18/12/12 15:29, BALSIANOK, Peter wrote:
No iptables, ipfw, pf, etc. When I use radclient and send an accounting request (from the server where freeradius is placed) to the 3rd-party radius, I get a correct answer.

Then use ordinary system diagnostic tools (strace, etc.) to determine why the packet isn't being received. FreeRADIUS prints out a message every time it receives a packet in debug mode. If it's not printing anything, it didn't receive it.

What OS are you on, and how do you have your proxying configured? The tcpdump output you show has name resolution turned on, so it's hard to check, but are you sure the server listen config is set up correctly?
Re: [SOLVED] Return Access-Accept/-Reject depending on other active sessions during post-authentication
Hello,

problem solved. I post this message for the sake of completeness and in case anyone will ever need to solve a similar problem. Of course, any comments on how my solution can be improved are welcome.

1) At the SQL side I created a view (active_users) with three columns (nasipaddress, nasport and vlan) that always shows the active sessions. Basically it selects all entries from the accounting table (radacct) where the stop time is NULL and then the result is joined with the user attribute table (radreply) in order to append the vlan to each record. Of course, the join is done by the user name.

2) In the RADIUS config the following expression is added to the post-auth section of the default server.

# Prevent multiple untagged VLANs on the same port at the same time.
# Otherwise there would be a short-circuit fault between the affected VLANs
if ( %{sql:SELECT COUNT(*) FROM active_users WHERE nasipaddress = '%{NAS-IP-Address}' AND nasport = %{NAS-Port} AND vlan <> '%{reply:Tunnel-Private-Group-ID}' } != 0 ) {
	reject
}

The SQL statement counts all (active) sessions on the same NAS on the same NAS port with a different VLAN assignment than the VLAN the current user is going to be assigned to. If the number does not equal zero, there is at least one session on the same port with a different VLAN. In that case the user is rejected.

3) Prevent stalled sessions. Accounting-Stop messages can be lost. In that case a session will falsely remain active and thus likely block out any other user. I use an interim update interval of five minutes. If three updates were missed, i.e. the last update time is less than the current system time minus 15 minutes, the session is considered to be stalled and the stop time is set to the last update time. This way a stalled session is closed 15 minutes after the last update.

Yours, Matthias

On Sunday 16 December 2012, 17:07:53 Alan DeKok wrote:
Matthias Nagel wrote:
Now, I would like to write some kind of RADIUS policy to prevent this behaviour.

(a) store information in a database
(b) use unlang to query the database

This policy is supposed to do the following during the post-authentication phase:
1) If there is no active session on the NAS port, just return Access-Accept

You may need to create a new table which stores active sessions. INSERT data into it on authentication / accounting start. DELETE data on accounting stop.

2) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session equals the 'Tunnel-Private-Group-ID' of the new request, return Access-Accept.

Store the Tunnel-Private-Group-ID of a session on INSERT. Query it on the next session authentication.

3) If there is at least one active session on the NAS port and the 'Tunnel-Private-Group-ID' of that session DOES NOT equal the 'Tunnel-Private-Group-ID' of the new request, return Access-Reject.

Query the DB. If it doesn't match, reject.

Is this possible to do? I have the accounting information in a SQL database, hence I know if there are active sessions on some port. But I do not know which would be the correct RADIUS configuration section, and I do not know if unlang or some other configuration directive can perform such a check.

unlang is just a way to write policies. It does NOT store data. SQL databases store data. The two together can solve this problem.

Alan DeKok.

--
Matthias Nagel
Willy-Andreas-Allee 1, Room 506
76131 Karlsruhe
Phone: +49-721-8695-1506
Mobile: +49-151-15998774
e-Mail: matthias.h.na...@gmail.com
ICQ: 499797758
Skype: nagmat84
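The view and the two queries from Matthias's three steps, as an added example that is not part of his configuration: it builds constructed, cut-down radacct/radreply tables in an in-memory SQLite database (column names follow the stock FreeRADIUS schema; an acctupdatetime column holding the last interim update is assumed), defines the active_users view, runs the COUNT(*) from the unlang condition as a post-auth decision, and closes sessions that missed three 5-minute interim updates (step 3).

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed, cut-down radacct/radreply tables (column names follow the stock
# FreeRADIUS schema; acctupdatetime, where interim updates land, is assumed)
# and the active_users view the post describes: open sessions joined to the VLAN.
SCHEMA = """
CREATE TABLE radacct (username TEXT, nasipaddress TEXT, nasport INTEGER,
                      acctupdatetime TEXT, acctstoptime TEXT);
CREATE TABLE radreply (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE VIEW active_users AS
    SELECT a.nasipaddress, a.nasport, r.value AS vlan
    FROM radacct a JOIN radreply r ON r.username = a.username
    WHERE a.acctstoptime IS NULL AND r.attribute = 'Tunnel-Private-Group-ID';
"""

def conflicting_sessions(db, nas_ip, nas_port, vlan):
    """The COUNT(*) behind the unlang condition: open sessions on the same NAS
    port whose VLAN differs from the one the current user is about to get."""
    return db.execute(
        "SELECT COUNT(*) FROM active_users "
        "WHERE nasipaddress = ? AND nasport = ? AND vlan <> ?",
        (nas_ip, nas_port, vlan)).fetchone()[0]

def post_auth(db, nas_ip, nas_port, vlan):
    # Equivalent of: if (%{sql:...} != 0) { reject }
    return "reject" if conflicting_sessions(db, nas_ip, nas_port, vlan) else "accept"

def close_stalled_sessions(db, now, missed=3, interim=timedelta(minutes=5)):
    """Step 3: a session that missed three 5-minute interim updates is closed,
    with its last update time used as the stop time."""
    cutoff = (now - missed * interim).strftime("%Y-%m-%d %H:%M:%S")
    cur = db.execute("UPDATE radacct SET acctstoptime = acctupdatetime "
                     "WHERE acctstoptime IS NULL AND acctupdatetime < ?", (cutoff,))
    return cur.rowcount

def run_demo():
    """Constructed data: alice live on port 3 (VLAN 10), bob stale on port 4 (VLAN 20)."""
    now = datetime(2012, 12, 18, 12, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO radreply VALUES (?, ?, ?, ?)",
                   [("alice", "Tunnel-Private-Group-ID", ":=", "10"),
                    ("bob", "Tunnel-Private-Group-ID", ":=", "20")])
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, NULL)",
                   [("alice", "10.0.0.1", 3, (now - timedelta(minutes=2)).strftime(fmt)),
                    ("bob", "10.0.0.1", 4, (now - timedelta(minutes=40)).strftime(fmt))])
    return (post_auth(db, "10.0.0.1", 3, "20"),   # other VLAN on alice's port -> reject
            post_auth(db, "10.0.0.1", 3, "10"),   # same VLAN -> accept
            post_auth(db, "10.0.0.1", 4, "10"),   # bob's stale session still blocks -> reject
            close_stalled_sessions(db, now),      # closes bob's session -> 1
            post_auth(db, "10.0.0.1", 4, "10"))   # port 4 is free now -> accept
```

The last two results show why step 3 matters: until the stale session is closed, a lost Accounting-Stop keeps rejecting every other VLAN on that port.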
freeradius+mysql
Hi,

I am using MySQL with FreeRADIUS for user authorization and accounting, with assignment of IP pools from iptables in MySQL. These are all working. But I would like to know if we can bypass the authorization phase with MySQL and use only the IP pool assignment. Can you help with this part? Even if the user is not authenticated, I want to always send an Access-Accept message with a framed IP from the IP pool table.

Thanks,
Nanthitha
Re: Problem with proxying request
hi,

does the server have multiple interfaces? Ensure that the listener etc. are bound to the IPs that you want the packet to go out from - the remote system is likely to only accept requests from a particular IP. If the packet comes from a different interface that IP will be different, the remote server will not accept it (unknown client/incorrect shared secret) and will silently discard it. A basic 'tcpdump -eqntl' will suffice.

alan