Re: eap sim authorization problem
On 11.06.2013 22:21, Rodney Machado wrote:
> After reading again the documentation, I got to this point: [skipped] I'm going to fix the user file and give it a try again.

rlm_eap_sim expects EAP-Sim-RAND1 (and friends) in the reply list, not in the control list. So the correct users entry for EAP-SIM is:

    1IMSI EAP-Type := SIM
        EAP-Sim-RAND1 := 0x...,
        ...
        EAP-Sim-KC3 := 0x...

The EAP-Type control attribute is used to set the initial EAP method. Initial EAP method selection is performed by rlm_eap when an Access-Request with EAP-Response/Identity is handled. If there is no EAP-Type in the control list, the default method is selected. The default outer EAP method is set in the eap module configuration (eap { default_eap_type = ... }). The default inner EAP method is set in the EAP-PEAP and EAP-TTLS method configuration (eap { peap { default_eap_type = ... } }).

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems freeradius and samba4
On 12.06.2013 4:19, ricardobarbosams wrote:
> No my filter is filter = (&(objectClass=user)(sAMAccountName=%{User-Name}))

I do not talk about the filter, I talk about binding to the directory. Your ldapsearch binds to the directory using one user and your radiusd binds to the directory as another user. These users can have different authorization levels in the directory server. The directory may allow the us...@batlab.corp user to retrieve objects but disallow it for the CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp user. Configure radiusd to use the us...@batlab.corp user to bind to the directory and you'll get the same results as with ldapsearch.
Re: Working around broken EAP client
On 11 Jun 2013, at 16:06, Alan DeKok al...@deployingradius.com wrote:
> That's really not what I said to do. I said set User-Name to be the MS-CHAP identity. You've got that inverted.

update request {
    User-Name := %{mschap:User-Name}
}

This worked a treat. Thank you very much!

GTG
--
Gordon Ross
Re: eap sim authorization problem
On 11.06.2013 12:27, raptor raptor wrote:
> 1. When I change the users entry, I get a notification that access-accept has been successful, but unfortunately, when I restart the system it can't access-accept and I must change the attribute in users from the agsm program. Here is the log:

I do not understand clearly whether you think you succeeded or not.

> 2. I've changed the users entry as you suggest and I still get the same notification: rlm_sim_files : isufficient number of challenges of challenges for imsi

Changing the users file will not fix simtriplets.dat. I do not understand why you still bother about rlm_sim_files. You've already configured auth vectors using the users file and it works well. Just comment out the sim_files module invocation and "isufficient number of challenges" will go away.
FW: MSSQL using unixodbc and truncation of characters
Ok, so I've compiled 3 from scratch with support for the freetds and unixodbc modules. I have some issues:

Using the unixodbc driver that was working before gives me this now:

rlm_sql (sql_postauth_lan0): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded and linked
rlm_sql (sql_postauth_lan0): Attempting to connect to database SATHSupport
rlm_sql (sql_postauth_lan0): Initialising connection pool
rlm_sql (sql_postauth_lan0): Opening additional connection (0)
rlm_sql_unixodbc: 01000 [unixODBC][Driver Manager]Can't open lib '/usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so' : *¶?±: undefined symbol: get_vtable
rlm_sql_unixodbc: SQL down 08003 [unixODBC][Driver Manager]Connnection does not exist
rlm_sql_unixodbc: Can't allocate the statement
rlm_sql_sybase: Socket destructor called, closing socket
rlm_sql (sql_postauth_lan0): Opening connection failed (0)
rlm_sql (sql_postauth_lan0): Removing connection pool
/usr/local/etc/raddb/mods-enabled/sql_postauth_lan0[1]: Instantiation failed for module sql_postauth_lan0

The libtdsodbc.so file exists, and I've briefly altered the permissions to no avail.
The .so file is from a package that Ubuntu provides, and was working fine with FR 2.2.1, just with the previous issue noted (truncation).

Also, the rlm_sql_freetds module, from a simple

update control {
    SQLComputerID := %{sql_test_mssql:Select 123456}
}

gives:

LITERAL: %{sql_test_mssql:Select 123456}
LITERAL: %{sql_test_mssql:Select 123456} -- %{sql_test_mssql:Select 123456}
EXPANSION: %{sql_test_mssql:Select 123456}
MOD: sql_test_mssql -- LITERAL: Select 123456}
xlat aprint 2
xlat aprint 0
expand mod sql_test_mssql -- 'Select 123456'
LITERAL: %{User-Name}
LITERAL: %{User-Name} -- %{User-Name}
EXPANSION: %{User-Name}
Looking for attribute name in User-Name
xlat aprint 3
expand attr User-Name -- '0023ae604b02'
(0) expand: '%{User-Name}' -> '0023ae604b02'
(0) SQL-User-Name updated
rlm_sql (sql_test_mssql): Reserved connection (4)
rlm_sql (sql_test_mssql): Executing query: 'Select 123456'
rlm_sql_freetds sql_select_query(): unsupported
rlm_sql (sql_test_mssql): Database query error 'UNKNOWN'
rlm_sql (sql_test_mssql): Released connection (4)
rlm_sql (sql_test_mssql): Closing connection (0): Too many free connections (5 > 3)
rlm_sql_freetds: Socket destructor called, closing socket

I'm stuck, any ideas? Sorry to spam the mailing list so much but I've reached the limit of my knowledge on this one.

Thanks
Andy
Re: MSSQL using unixodbc and truncation of characters
> I'm stuck, any ideas? Sorry to spam the mailing list so much but I've reached the limit of my knowledge on this one.

Ok, I'll take a closer look at it tonight.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: MSSQL using unixodbc and truncation of characters
On 13 Jun 2013, at 13:56, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>> I'm stuck, any ideas? Sorry to spam the mailing list so much but I've reached the limit of my knowledge on this one.
>
> Ok, I'll take a closer look at it tonight.

Um, apparently the original author didn't add select support to the freetds driver. Hence the error.

https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_sql/drivers/rlm_sql_freetds/rlm_sql_freetds.c#L175

Isn't the sybase driver equivalent? Doesn't it just use a different version of the API? I know I meant to delete one...

The other one looks like a linker issue.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
RE: MSSQL using unixodbc and truncation of characters
Hi Arran,

The Sybase driver works for a simple select 123456, but then any real value gives, e.g.:

rlm_sql (sql_test_mssql): Executing query: 'Select NetworkCardID from Audit_NetworkCard where macaddress='9C:B7:0D:84:0D:09''
Sybase Server message: number(208) severity(16) state(1) line(1)
Invalid object name 'Audit_NetworkCard'.
rlm_sql_sybase(sql_select_query): Unexpected result type from query
rlm_sql (sql_test_mssql): Database query error ''

This is because it doesn't properly set the database to the one asked for (by the way, is there a nice way to get shot of all these ansi escape codes from the radius.log? It looks nice in -X mode, but not great back-end):

rlm_sql (sql_test_mssql): Creating new attribute sql_test_mssql-SQL-Group
rlm_sql (sql_test_mssql): Couldn't find configuration for accounting, will return NOOP for calls from this section^[[$
^[[1mrlm_sql (sql_test_mssql): Couldn't find configuration for post-auth, will return NOOP for calls from this section^[[0m
^[[1mrlm_sql (sql_test_mssql): Driver rlm_sql_sybase (module rlm_sql_sybase) loaded and linked^[[0m
^[[1mrlm_sql (sql_test_mssql): Attempting to connect to database SATHSupport^[[0m
rlm_sql (sql_test_mssql): Initialising connection pool
^[[1mrlm_sql (sql_test_mssql): Opening additional connection (0)^[[0m
^[[31mSybase Server message: ^[[0m
^[[31mnumber(5701) severity(0) state(2) line(1) ^[[0m
^[[31mChanged database context to 'master'. ^[[0m
^[[31mSybase Server message: ^[[0m
^[[31mnumber(5703) severity(0) state(1) line(1) ^[[0m
^[[31mChanged language setting to us_english. ^[[0m
^[[1mrlm_sql (sql_test_mssql): Opening additional connection (1)^[[0m
^[[31mSybase Server message: ^[[0m
^[[31mnumber(5701) severity(0) state(2) line(1) ^[[0m
^[[31mChanged database context to 'master'. ^[[0m
^[[31mSybase Server message: ^[[0m
^[[31mnumber(5703) severity(0) state(1) line(1) ^[[0m
^[[31mChanged language setting to us_english. ^[[0m
...
So I need to use an explicit sql call to set the database early on, but otherwise it works without too much hassle, and no truncation of the returned value (!)

Now, if only I could get the unixodbc rlm module working. You mentioned a linking problem - any ideas on progressing debug with that?

Thanks VERY much, this list is great.
Andy
Re: MSSQL using unixodbc and truncation of characters
Franks Andy (RLZ) IT Systems Engineer wrote:
> (by the way, is there a nice way to get shot of all these ansi escape codes from the radius.log? It looks nice in -X mode, but not great back-end)

See radiusd.conf, log subsection. Look for colourise.

> So I need to use an explicit sql call to set the database early on, but otherwise it works without too much hassle, and no truncation of the returned value (!)

That's good to hear.

> Thanks VERY much, this list is great.

Thanks. It's what we do.

Alan DeKok.
unlang and update section
Can update sections contain if conditions? I get the following error:

/etc/raddb/sites-enabled/default[573]: update sections cannot have subsections
/etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.

The documentation says "The only contents permitted in an update section are attributes and values", which I assume is the issue. Please confirm.

Bill
Exec problems in FR3.0
Sorry to send yet more emails with issues. I've moved to FR3 to test SQL stuff and am having some problems with getting exec modules I previously used to work. I know I could rewrite these in perl, but they worked before in FR 2.2.1 and I want to solve why they won't work now.

I have an exec module thus:

exec mactodelimitedmac {
    wait = yes
    input_pairs = config
    output_pairs = config
    shell_escape = yes
    program = /usr/local/etc/raddb/mactodelimitedmac.sh %{User-Name} :
}

It just takes a mac address and adds a delimiter to each component of the address, updating the control value DelimitedMac via the standard echo "Variable := \"value\"". I used to instantiate it in radiusd.conf and then call it directly from, say, the post-auth section:

mactodelimitedmac

which updated that value. If I do it that way now it gives:

(0) WARNING: mactodelimitedmac : List INVALID is not available
LITERAL: %{User-Name}
LITERAL: %{User-Name} -- %{User-Name}
EXPANSION: %{User-Name}
Looking for attribute name in User-Name
xlat aprint 3
expand attr User-Name -- '0023ae604b02'
(0) mactodelimitedmac : expand: '%{User-Name}' -> '0023ae604b02'
(0) mactodelimitedmac : Program output is
(0) ERROR: mactodelimitedmac : Abnormal child exit: Success
(0) [mactodelimitedmac] = reject
(0) Using Post-Auth-Type Reject

If I instead do

update control {
    DelimitedMac := %{mactodelimitedmac:/etc/freeradius/mactodelimitedmac.sh %{user-name} :}
}

and change the script so that it just returns the bare variable, it says:

expand mod mactodelimitedmac -- '/usr/local/etc/raddb/mactodelimitedmac.sh 0023ae604b02 :'
(0) Executing /usr/local/etc/raddb/mactodelimitedmac.sh 0023ae604b02 :
(0) Program output is ?[1m?[33m(0) WARNING: Failed to execute /usr/local/etc/raddb/mactodelimitedmac.sh: Bad address?[0m
(0) ERROR: Child returned error 1
(0) result 1 -- '?[1m?[33m(0) WARNING: Failed to execute /usr/local/etc/raddb/mactodelimitedmac.sh: Bad address?[0m '

Again, I'm struggling. Sorry to be a pain.
Andy
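The post above does not include mactodelimitedmac.sh itself. What follows is an added example, not Andy's script and not part of FreeRADIUS, of a script written to the rlm_exec contract the post describes: it takes the MAC and a delimiter as arguments, validates the input, and prints a single `DelimitedMac := "..."` line on stdout for `output_pairs = config` to parse. The function names (normalise_mac, delimit_mac) are my own.

```shell
#!/bin/sh
# Added example: a mactodelimitedmac.sh written to the rlm_exec contract
# described above (program = .../mactodelimitedmac.sh %{User-Name} :,
# wait = yes, output_pairs = config). Not the poster's script; the
# function names are my own.
#
# Usage: mactodelimitedmac.sh <mac> [delimiter]
# Prints one attribute assignment on stdout, e.g.
#   DelimitedMac := "00:23:ae:60:4b:02"
# which rlm_exec with output_pairs = config adds to the control list.
# Exit status 0 on success; non-zero makes the module return fail.

# Strip any separators the NAS may already have used and lowercase
# the hex digits, so 00-23-AE-60-4B-02 and 0023ae604b02 normalise alike.
normalise_mac() {
    printf '%s' "$1" | sed -e 's/[-:.]//g' -e 'y/ABCDEF/abcdef/'
}

# Print the 12 hex digits of $1 as six pairs joined by $2 (default ':').
# Returns 1, printing nothing, if $1 is not exactly 12 hex digits: rlm_exec
# would otherwise happily store whatever junk we echoed.
delimit_mac() {
    mac=$(normalise_mac "$1")
    delim=${2:-:}
    case "$mac" in
        ????????????) ;;          # exactly 12 characters
        *) return 1 ;;
    esac
    case "$mac" in
        *[!0-9a-f]*) return 1 ;;  # something other than hex digits
    esac
    out=""
    rest=$mac
    while [ -n "$rest" ]; do
        pair=$(printf '%.2s' "$rest")   # first two characters
        rest=${rest#??}                 # drop them
        out="${out}${out:+$delim}${pair}"
    done
    printf '%s' "$out"
}

# Entry point used by rlm_exec: argv[1] is the MAC, argv[2] the delimiter.
main() {
    if [ $# -lt 1 ]; then
        echo "usage: $0 <mac> [delimiter]" >&2
        return 2
    fi
    result=$(delimit_mac "$1" "${2:-}") || {
        echo "mactodelimitedmac: '$1' is not a 12-hex-digit MAC" >&2
        return 1
    }
    # The value is double-quoted so rlm_exec parses it as one string attribute.
    printf 'DelimitedMac := "%s"\n' "$result"
}

# Only act when arguments were given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run as `mactodelimitedmac.sh 0023ae604b02 :` to see the exact line rlm_exec would read. Refusing anything that is not twelve hex digits matters because `output_pairs = config` will store whatever the script prints, so a malformed User-Name should produce a non-zero exit (and therefore a module failure you can see in the debug output) rather than a bogus DelimitedMac value.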
Re: unlang and update section
On 13/06/13 16:07, Bill Schoolfield wrote:
> Can update sections contain if conditions? I get the following error:

No.

> /etc/raddb/sites-enabled/default[573]: update sections cannot have subsections
> /etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.
>
> The documentation says "The only contents permitted in an update section are attributes and values", which I assume is the issue. Please confirm.

The documentation is authoritative. It should need to be confirmed.
Re: unlang and update section
On 13/06/13 16:26, Phil Mayers wrote:
> The documentation is authoritative. It should need to be confirmed.

Shouldn't. Sigh.
Re: unlang and update section
Bill Schoolfield wrote:
> Can update sections contain if conditions? I get the following error:
>
> /etc/raddb/sites-enabled/default[573]: update sections cannot have subsections

What is unclear about that?

> /etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.
>
> The documentation says "The only contents permitted in an update section are attributes and values", which I assume is the issue. Please confirm.

I can confirm that the error message is correct. I can confirm that the documentation is correct.

Now, are you going to ask a useful question? And what did you put in the section starting on line 573? Is it a secret?

Alan DeKok.
Re: unlang and update section
Yes, I have come across this error once. There is a little mistake in your unlang code. Understand from the following working code.

## Authorization Area Starts Here
# If user not present allow them free access
# Between 10:00 and 12:59PM ('Any1000-1259')
# Whole Day ('Any-2359')
# File Module Returns noop, sql Module Returns notfound
server accept_everyone {
    authorize {
        sql
        if (ok) {
            update control {
                Login-Time := 'Any-1259'
                Auth-Type := Accept
            }
            update reply {
                WISPr-Redirection-URL := http://www.yale.edu
            }
        }
        else {
            update control {
                Auth-Type := Reject
            }
            update reply {
                WISPr-Redirection-URL := http://41.139.28.1
            }
        }
        pap
        files
        logintime
        expiration
        preprocess
        dailycounter
        forevertimecounter

        # Fix For The WARNING That Says: Unknown Value Specified For Post-Auth-Type. Cannot Perform Requested Action
        #
        # Do Not Remove The Post-Auth Configuration From Authorization Section (Here):
        #
        post-auth {
            Post-Auth-Type REJECT {
                noop
                notfound
            }
        }
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        digest
        unix
        eap
    }
}
# END

Thanks
--RM

On Thu, Jun 13, 2013 at 3:07 PM, Bill Schoolfield b...@billmax.com wrote:
> Can update sections contain if conditions? I get the following error:
>
> /etc/raddb/sites-enabled/default[573]: update sections cannot have subsections
> /etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.
>
> The documentation says "The only contents permitted in an update section are attributes and values", which I assume is the issue. Please confirm.
>
> Bill
Re: unlang and update section
On 6/13/2013 10:33 AM, Alan DeKok wrote:
> Bill Schoolfield wrote:
>> Can update sections contain if conditions? I get the following error:
>>
>> /etc/raddb/sites-enabled/default[573]: update sections cannot have subsections
>
> What is unclear about that?
>
>> /etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.
>>
>> The documentation says "The only contents permitted in an update section are attributes and values", which I assume is the issue. Please confirm.
>
> I can confirm that the error message is correct. I can confirm that the documentation is correct.
>
> Now, are you going to ask a useful question? And what did you put in the section starting on line 573? Is it a secret?

From my perspective, yes it was useful to me. I didn't know those were line numbers. Now I know. It seems clear in retrospect but I've seen quite a bit of misleading, outdated or wrong documentation (mostly elsewhere but sometimes at freeradius.org) so I thought I'd get confirmation. Any harm in that?

> Alan DeKok.
Re: unlang and update section
Bill Schoolfield wrote:
> From my perspective, yes it was useful to me. I didn't know those were line numbers. Now I know. It seems clear in retrospect but I've seen quite a bit of misleading, outdated or wrong documentation (mostly elsewhere but sometimes at freeradius.org) so I thought I'd get confirmation. Any harm in that?

Yes. Your message amounted to asking this: "The documentation says you can't do X, and when I try to do it, I get an error. Is that correct?"

The harm in these questions is the total waste of everyone's time. This is a free support list. It presumes that people asking questions have put some minor thought into the process. If you're not willing to put a little effort into it, then you should expect to get told you need to put a little effort into it.

And no, you don't need to run a Perl script. Instead of putting the "if" inside of an update section, you can put it outside of the update section. Or even use *two* update sections. Think out of the box.

Alan DeKok.
Re: Exec problems in FR3.0
Phil Mayers wrote:
> Confirmed. Looks like a bug has crept into the exec code in HEAD:
>
> 28619 execve(0x6461202e2e2e2000, [0x6461202e2e2e2000, 0x77656e20676e6964, 0x2074656b636f7320, 0x7325, 0x612064656c696146, 0x727020676e696464, 0x6b636f732079786f, 0x7325203a7465, 0x612064656c696146, 0x766520676e696464, 0x646e616820746e65, 0x20726f662072656c, 0x2174656b636f73, 0x7265206c61746146, 0x6565726620726f72, 0x636f7320676e697a, ...], [/* 2 vars */]) = -1 EFAULT (Bad address)
> 28619 write(1, "\33[1m\33[33m(0) WARNING: myexec : F"..., 91) = 91
>
> Will investigate.

It may be related to the use of argv in exec.c. Coverity says:

107
    CID 1020962 (#1 of 1): Uninitialized scalar variable (UNINIT)
    2. uninit_use_in_call: Using uninitialized element of array argv when calling memcpy(void * restrict, void const * restrict, size_t).
108    memcpy(argv_p, argv, sizeof(argv_p));
109

So that's probably it. I haven't had a chance to look into it yet.

Alan DeKok.
Calling-Station-Id Not Getting Updated in radacct table
Hi

We are on version 2.2.1 (github release). We noticed that Calling-Station-Id is not getting updated in the radacct table if the NAS sends the Calling-Station-Id in octet format (ex: \000\240\274/\370\260). Based on the documentation below in the default conf (sites-enabled/default) file under the authorization section:

#
# The WiMAX specification says that the Calling-Station-Id
# is 6 octets of the MAC. This definition conflicts with
# RFC 3580, and all common RADIUS practices. Un-commenting
# the wimax module here means that it will fix the
# Calling-Station-Id attribute to the normal format as
# specified in RFC 3580 Section 3.21
#
wimax

By uncommenting the wimax above, this fixed the issue of Calling-Station-Id not getting updated in the cui table, but the accounting table (radacct) still shows a blank value. dialup.conf and cui.conf both use the same attribute %{Calling-Station-Id}. If the NAS passes the Calling-Station-Id in string format (ex: 00-1C-B3-AA-AA-AA) both cui and radacct get updated with the Calling-Station-Id correctly.

Similar to the above wimax configuration for the authorize section, do we need to enable any setting for accounting to fix the Calling-Station-Id attribute so that it will populate radacct correctly as a string?
Here is the debug log when the NAS sends the Calling-Station-Id in octet format. The Calling-Station-Id being sent by the NAS is \000\240\274/\370\260

= Begin Debug Log =
Thread 3 handling request 16, (4 handled so far)
[thread] # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default
[thread] +- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 75.104.249.138
[auth_log] expand: /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /opt/freeradius/var/log/radius/radacct/75.104.249.138/auth-detail-20130613
[auth_log] /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /opt/freeradius/var/log/radius/radacct/75.104.249.138/auth-detail-20130613
[auth_log] expand: %t -> Thu Jun 13 08:49:13 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-a0-bc-2f-f8-b0
*** As you can see, because wimax is uncommented in the authorize section of the default config, the Calling-Station-Id is fixed to string format
++[wimax] returns ok
[suffix] Looking up realm viasat-oss for User-Name = 00A0BC2FF8B0@viasat-oss
[suffix] Found realm viasat-oss
[suffix] Adding Stripped-User-Name = 00A0BC2FF8B0
[suffix] Adding Realm = viasat-oss
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{Stripped-User-Name} -> 00A0BC2FF8B0
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> 00A0BC2FF8B0
[sql] sql_set_user escaped user -- '00A0BC2FF8B0'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00A0BC2FF8B0' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00A0BC2FF8B0' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' OR (NOT EXISTS (select 1 from radreply where username='%{SQL-User-Name}') AND username='DEFAULT-ISF') ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '00A0BC2FF8B0' OR (NOT EXISTS (select 1 from radreply where username='00A0BC2FF8B0') AND username='DEFAULT-ISF') ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '00A0BC2FF8B0' OR (NOT EXISTS (select 1 from radreply where username='00A0BC2FF8B0') AND username='DEFAULT-ISF') ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User 00A0BC2FF8B0 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake
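The rlm_wimax line in the log above turns the six raw octets the NAS sent into the RFC 3580 text form. The script below is an added example, not FreeRADIUS code, that performs the same decoding by hand on a value copied out of radiusd -X output (the `\ddd` octal escapes the debugger prints), which is useful when a blank radacct column makes you wonder which form a NAS is actually sending. The function names are my own, and the sample values are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example (not FreeRADIUS code): decode a 6-octet binary
# Calling-Station-Id, written the way radiusd -X prints it
# (e.g. '\000\240\274/\370\260'), into the RFC 3580 Section 3.21 text
# form 00-a0-bc-2f-f8-b0 that rlm_wimax writes back into the request.
# Function names are my own.

# Turn an escaped value into raw bytes and print them as two-digit
# lowercase hex separated by single spaces, e.g. "00 a0 bc 2f f8 b0".
# The value is used as the printf *format* because POSIX printf decodes
# '\ddd' octal escapes there; '%' is doubled first so a stray percent in
# the value cannot be taken as a conversion specifier.
escaped_to_hex() {
    fmt=$(printf '%s' "$1" | sed 's/%/%%/g')
    set -- $(printf "$fmt" | od -An -tx1 -v)
    printf '%s\n' "$*"
}

# Print the value as an RFC 3580 MAC (six hex octets joined by '-').
# Returns 1, printing nothing, if the value is not exactly six octets,
# which is what you get when it was already in text form.
octets_to_mac() {
    set -- $(escaped_to_hex "$1")
    [ $# -eq 6 ] || return 1
    out=""
    for h in "$@"; do
        out="${out}${out:+-}${h}"
    done
    printf '%s\n' "$out"
}

# Normalise either form: a binary value (escaped, or six raw bytes) is
# decoded; anything else is assumed to be text already and passed through,
# which mirrors the two NAS behaviours described in the thread.
normalise_csid() {
    case "$1" in
        *\\*)    octets_to_mac "$1" ;;   # contains an octal escape
        ??????)  octets_to_mac "$1" ;;   # six raw, all-printable bytes
        *)       printf '%s\n' "$1" ;;   # e.g. 00-1C-B3-AA-AA-AA
    esac
}

# Decode whatever values are passed on the command line.
if [ $# -gt 0 ]; then
    for v in "$@"; do normalise_csid "$v"; done
fi
```

Run it as `sh csid.sh '\000\240\274/\370\260'` (single quotes keep the backslashes intact) and it prints 00-a0-bc-2f-f8-b0, the same value rlm_wimax logged above; a text-form value such as 00-1C-B3-AA-AA-AA passes through unchanged. The six-octet check is deliberate: a value of any other length is not a binary MAC, so the script refuses to invent one.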
Re: Calling-Station-Id Not Getting Updated in radacct table
On 2013-06-13, at 2:37 PM, Cholleti, Hanumantha hanumantha.choll...@viasat.com wrote:
> Similar to the above wimax configuration for the authorize section, do we need to enable any setting for accounting to fix the Calling-Station-Id attribute so that it will populate radacct correctly as a string?

List wimax in the preacct section. It will fix the attribute there, too.

Alan DeKok.
RE: Calling-Station-Id Not Getting Updated in radacct table
Thanks a lot Alan, that fixed the issue :-)... We tried this option before, but only tested with radclient and it doesn't update the Calling-Station-Id. Here is the command we used:

radclient 10.25.37.61 auto HANU -f acct_start_test1.txt

The 'acct_start_test1.txt' file has the following lines:

Packet-Type=4
Packet-Dst-Port=1813
Acct-Session-Id = 4D2BB8AC-0098
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Name = Release2-build11@viasat-oss
User-Password = password
NAS-Port = 100
Called-Station-Id = 00-02-6F-AA-AA-AA:My Wireless
Calling-Station-Id = \000\240\274/\370\260
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 48Mbps 802.11b

This time tested with the actual NAS with a real UT, and it works great. :-)

Thanks again
-Hanu

-----Original Message-----
From: freeradius-users-bounces+hanumantha.cholleti=viasat@lists.freeradius.org [mailto:freeradius-users-bounces+hanumantha.cholleti=viasat@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, June 13, 2013 12:30 PM
To: FreeRadius users mailing list
Subject: Re: Calling-Station-Id Not Getting Updated in radacct table

On 2013-06-13, at 2:37 PM, Cholleti, Hanumantha hanumantha.choll...@viasat.com wrote:
> Similar to the above wimax configuration for the authorize section, do we need to enable any setting for accounting to fix the Calling-Station-Id attribute so that it will populate radacct correctly as a string?

List wimax in the preacct section. It will fix the attribute there, too.

Alan DeKok.
evaluating unlang IF with sql results
I can't seem to make this work. I'm comparing some values in the post-auth section:

if ((%{expr: %{check:Max-All-Session}-%{sql:select sum(acctsessiontime) from radacct where username='%{User-Name}'}}) (%{expr: %{sql:select unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))+0}})) {
    update reply {
        Session-Timeout := %{expr: %{check:Max-All-Session}-%{sql:select sum(acctsessiontime) from radacct where username='%{User-Name}'}}
    }
}
else {
    update reply {
        Session-Timeout := %{expr: (%{sql:select unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))})}
    }
}

The above code fails with a message (below) that says "Right field is not a number at: (1371158700)". I tried adding a zero to force a number interpretation but this does nothing. I have checked every source I can find and I don't see anything that addresses this problem. Thoughts anyone?

Bill

rad_recv: Access-Request packet from host 127.0.0.1 port 59971, id=77, length=74
	User-Name = wrs
	CHAP-Password = 0x4dab7bdecf6c70f078b77bfa11cebd490d
	NAS-IP-Address = 10.0.0.147
	NAS-Port = 0
	Message-Authenticator = 0xcf99944924652eda7706d17c69afca2c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = wrs, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> wrs
[sql] sql_set_user escaped user -- 'wrs'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wrs' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wrs' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'wrs' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
[expiration] Checking Expiration time: '13 Jun 2013 21:25:00'
++[expiration] returns ok
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
WARNING: Please replace '%k' with '${key}'
sqlcounter_expand: 'SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{User-Name}''
[noresetcounter] expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{User-Name}' -> SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs'
WARNING: Please replace '%S' with '${sqlmod-inst}'
sqlcounter_expand: '%{sql:SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs'}'
[noresetcounter] sql_xlat
[noresetcounter] expand: %{User-Name} -> wrs
[noresetcounter] sql_set_user escaped user -- 'wrs'
[noresetcounter] expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs' -> SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs'
rlm_sql (sql): Reserving sql socket id: 2
[noresetcounter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
[noresetcounter] expand: %{sql:SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='wrs'} -> 12
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user wrs, check_item=600, counter=12
rlm_sqlcounter: Sent Reply-Item for user wrs, Type=Session-Timeout, value=180
++[noresetcounter] returns ok
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by wrs with CHAP password
[chap] Using clear text password test123 for user wrs authentication.
[chap] chap user wrs authenticated succesfully
++[chap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
++? if ((%{expr: %{check:Max-All-Session}-%{sql:select sum(acctsessiontime) from radacct where username='%{User-Name}'}}) (%{expr: %{sql:select unix_timestamp(str_to_date('%{check:Expiration}', '%%b %%d %%Y %%H:%%i:%%s'))+0}}))
sql_xlat
	expand: %{User-Name} -> wrs
Re: evaluating unlang IF with sql results
Bill Schoolfield wrote:
> The above code fails with a message (below) that says "Right field is not a number at: (1371158700)". I tried adding a zero to force a number interpretation but this does nothing.

That error is produced by the SQL database, not by FreeRADIUS. My guess is that the error is because the number is larger than 2^32.

Alan DeKok.
initial accept, but then fails
Hello,

I'm having an issue with our radius server authorising users. The initial request is fine, the customer connects and receives an IP address:

rad_recv: Access-Request packet from host 10.8.13.254 port 1645, id=5, length=236
	Framed-Protocol = PPP
	User-Name = micha...@example.com
	CHAP-Password = 0x974cfb5d4d64e91407e0c85a3b1611a584
	Calling-Station-Id = GigabitEthernet 14/0/3.31010096:3101-96#587204450###pppoe 00:04:ed:d1:78:85#QTNITE4025M atm 1/1/04/27:8.35#
	Connect-Info = 10
	NAS-Port-Type = Virtual
	NAS-Port = 501
	NAS-Port-Id = Uniq-Sess-ID501
	Service-Type = Framed-User
	NAS-IP-Address = 10.8.13.254
Fri Jun 14 11:44:14 2013 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Fri Jun 14 11:44:14 2013 : Info: +- entering group authorize {...}
Fri Jun 14 11:44:14 2013 : Info: ++[preprocess] returns ok
Fri Jun 14 11:44:14 2013 : Info: [chap] Setting 'Auth-Type := CHAP'
Fri Jun 14 11:44:14 2013 : Info: ++[chap] returns ok
Fri Jun 14 11:44:14 2013 : Info: ++[mschap] returns noop
Fri Jun 14 11:44:14 2013 : Info: ++[digest] returns noop
Fri Jun 14 11:44:14 2013 : Info: [suffix] Looking up realm example.com for User-Name = micha...@example.com
Fri Jun 14 11:44:14 2013 : Info: [suffix] Found realm example.com
Fri Jun 14 11:44:14 2013 : Info: [suffix] Adding Stripped-User-Name = michaelr
Fri Jun 14 11:44:14 2013 : Info: [suffix] Adding Realm = example.com
Fri Jun 14 11:44:14 2013 : Info: [suffix] Authentication realm is LOCAL.
Fri Jun 14 11:44:14 2013 : Info: ++[suffix] returns ok
Fri Jun 14 11:44:14 2013 : Info: [eap] No EAP-Message, not doing EAP
Fri Jun 14 11:44:14 2013 : Info: ++[eap] returns noop
Fri Jun 14 11:44:14 2013 : Info: [files] users: Matched entry DEFAULT at line 172
Fri Jun 14 11:44:14 2013 : Info: ++[files] returns ok
Fri Jun 14 11:44:14 2013 : Info: [sql] expand: %{Stripped-User-Name} -> michaelr
Fri Jun 14 11:44:14 2013 : Info: [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> michaelr
Fri Jun 14 11:44:14 2013 : Info: [sql] sql_set_user escaped user -- 'michaelr'
Fri Jun 14 11:44:14 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Fri Jun 14 11:44:14 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'michaelr' ORDER BY id
Fri Jun 14 11:44:14 2013 : Info: [sql] User found in radcheck table
Fri Jun 14 11:44:14 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'michaelr' ORDER BY id
Fri Jun 14 11:44:14 2013 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'michaelr' ORDER BY priority
Fri Jun 14 11:44:14 2013 : Info: [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Layer2-L2TP' ORDER BY id
Fri Jun 14 11:44:14 2013 : Info: [sql] User found in group Layer2-L2TP
Fri Jun 14 11:44:14 2013 : Info: [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Layer2-L2TP' ORDER BY id
Fri Jun 14 11:44:14 2013 : Debug: rlm_sql (sql): Released sql socket id: 0
Fri Jun 14 11:44:14 2013 : Info: ++[sql] returns ok
Fri Jun 14 11:44:14 2013 : Info: ++[expiration] returns noop
Fri Jun 14 11:44:14 2013 : Info: ++[logintime] returns noop
Fri Jun 14 11:44:14 2013 : Info: [pap] WARNING: Auth-Type already set. Not setting to PAP
Fri Jun 14 11:44:14 2013 : Info: ++[pap] returns noop
Fri Jun 14 11:44:14 2013 : Info: Found Auth-Type = Local
Fri Jun 14 11:44:14 2013 : Info: !!!
Fri Jun 14 11:44:14 2013 : Info: !!! Replacing User-Password in config items with Cleartext-Password. !!!
Fri Jun 14 11:44:14 2013 : Info: !!!
Fri Jun 14 11:44:14 2013 : Info: !!! Please update your configuration so that the known good !!!
Fri Jun 14 11:44:14 2013 : Info: !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Fri Jun 14 11:44:14 2013 : Info: