Re: rlm_perl hash issue
On Wed, Mar 23, 2005 at 04:22:34PM +0200, Boian Jordanov wrote:
> Fixed in CVS. Please use recent cvs snapshot. Before rlm_perl expects that scalar value of RAD_xxx hash is character value, now it can be string or integer. There is only one limitation: an ip address should be returned as character value, i.e. $RAD_REPLY{'Framed-Ip-Address'} = "127.0.0.1";
>
> - if ((sv != NULL) (SvPOK(sv))) { - val = SvPV(sv, val_len); + if (SvTRUE(sv)) { + val = SvPV_nolen(sv);

What if sv is 0 (or "0")? SvTRUE would fail, I think... SvLEN(sv) != 0 maybe? Or just (SvPOK(sv) || SvNIOK(sv))? What are you trying to check? Maybe (sv != &PL_sv_undef) is sufficient?

-- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
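Review bot: the new condition `if (SvTRUE(sv)) {` is false for more than an undefined scalar: it is also false for the integer 0, the string "0" and the empty string, so a RAD_* value legitimately set to 0 (an integer attribute, or "0" returned as the string form the note above requires) is silently skipped instead of being copied into the reply. The old line `if ((sv != NULL) (SvPOK(sv))) {` (the operator between the two tests is missing in the quoted copy, presumably &&) at least kept the NULL guard; if the intent is "defined, and either string or numeric", spell that out, e.g. `if ((sv != NULL) && SvOK(sv)) {` or `(SvPOK(sv) || SvNIOK(sv))`, and keep the NULL check. Comparing against &PL_sv_undef, as suggested in the reply, only catches the one immortal undef SV, not an ordinary scalar that holds undef; SvOK(sv) is the test for that. Separately, `val = SvPV_nolen(sv);` no longer fills val_len; if val_len is still read later in this function it now carries a stale value, so either keep SvPV(sv, val_len) or drop val_len altogether.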
Re: rlm_perl reply operators
On Fri, Feb 25, 2005 at 02:26:12PM -0500, Dustin Doris wrote:
> Is there a way to specify different operators when adding something to the $RAD_REPLY hash? Such as:
> $RAD_REPLY{'Attribute'} = += Value;

Currently, no. But you can try:

$RAD_REPLY{'Attribute'} = [ 'Value 1', 'Value 2' ];

I had an idea of making %RAD_* hashes tied to the corresponding avp lists, and making it possible to use operators; I started to work on it, but I have no time to finish it now :(

-- Fduch M. Pravking
Re: Hide password
On Tue, Feb 01, 2005 at 11:07:54AM +0100, Nicolas Viers - SCI Limoges wrote:
> Hello, how to hide User-Password in radacct logs?

There's no standard way. You can patch the rlm_detail sources or use grep -v User-Password on your detail logs. As for debug mode, there are also a lot of places in the server core and modules where the user-supplied password or the local one is printed...

-- Fduch M. Pravking
Re: Lucent Portmaster 3
On Fri, Jan 14, 2005 at 02:39:00AM +0300, Martes Wigglesworth wrote:
> I have had little luck finding this specific inquiry on the list archives. I am researching to start a dialup ISP, and want to use the Lucent PortMaster 3 device. I have seen miscellaneous PortMaster listings, however, I don't see that the FreeRadius project will specifically work with that NAS. Does anyone have any good input? I don't want to get stuck with a piece of hardware that requires proprietary radius interfaces. I am very new, so please hold your frustrations with my seemingly trivial inquiry. I will be running the newest 1.x version of FreeRadius, however, since I don't have anything set up yet, I don't have the information specified on the list etiquette page.

The only problem with the PM3-RADIUS bundle I experience is that it doesn't send Stop packets for users administratively disconnected via SNMP. And... nontrivial RADIUS NAS-Port to SNMP interface mapping.

-- Fduch M. Pravking
Re: how many records in radacct
On Mon, Nov 22, 2004 at 10:10:53PM +0300, Alexander Serkin wrote:
> Hello, how many records in radacct table do you manage to keep, guys?

About 1.3M without any problem.

> I see that radius stops working properly after about 15 accounting records in Oracle (9.2.0.4) database or ~3 in PostgreSQL 7.4.6. After that amount accounting records are not written into table and FR (v1.0.1) claims about no DB handles to use. I see this with Oracle and Postgres. The symptoms are the same on two different Solaris8 machines - Netra1120 with 2x440MHz processors and SunFire V240 with 2x1GHz processors. All recommendations about tuning are met - noatime on partitions with DB, no detail accounting, indexes on the accounting table. I'm fighting with that for a couple of months with no understanding what else could be wrong. Our DBA did some tunings on Oracle table and configuration - with no visible results. PostgreSQL is not tuned - just 'configure, make, make install, initdb, createdb radius, etc'.

Can't say anything about Oracle, but here are several pieces of advice on PG.

First, you should ANALYZE, or better VACUUM ANALYZE, the RadAcct table at least every time it grows 1.5-2 times. We do VACUUM ANALYZE nightly. If your radius server receives and processes Accounting-Updates you will probably need it even more often. See the PostgreSQL documentation on database maintenance: http://www.postgresql.org/docs/7.4/static/maintenance.html#ROUTINE-VACUUMING

Second, did you modify the standard schema and/or postgresql.conf to fit your needs? If so, try to determine which queries are slowest and try to understand why, e.g. there's no appropriate index or something. The default ones should work OK.

Third, make sure you have no dead locks:

ps auxww | grep postgres | grep waiting

Several words for Peter Nixon about the default PostgreSQL schema/queries...

1. now() returns timestamp with time zone, so there's no need to cast it once more. This applies to AcctStartTime::timestamp with time zone too.

2. accounting_onoff_query should not have the AcctSessionTime IS NULL condition in the where clause, otherwise those records which were updated by Accounting-Update will not be closed. Active sessions just have AcctStopTime IS NULL.

3. I don't understand why there's a DATE_SUB function at all :) One can simply say CURRENT_DATE - some_integer * '1minute'::interval. Is it simpler to call date_sub(CURRENT_DATE, some_integer, 'minute')?

-- Fduch M. Pravking
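Point 2 above is easy to verify outside the server. The following is an added example, not code from the FreeRADIUS project or from the thread: it builds a throwaway radacct table in SQLite with the columns the Accounting-On/Off query touches (assumed to carry the same meaning as in the shipped PostgreSQL schema), inserts one session that received an Accounting-Update (so AcctSessionTime is already filled in) and one that did not, and runs the query in both forms. The one with the extra AcctSessionTime IS NULL condition leaves the updated session open forever.

```python
import sqlite3

# Stand-in for the radacct table, built in memory with only the columns the
# Accounting-On/Off query touches. Assumption: same semantics as the FreeRADIUS
# PostgreSQL schema, where an open session has AcctStopTime IS NULL.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId          INTEGER PRIMARY KEY,
    AcctSessionId      TEXT NOT NULL,
    UserName           TEXT,
    NASIPAddress       TEXT NOT NULL,
    AcctStartTime      INTEGER,
    AcctStopTime       INTEGER,
    AcctSessionTime    INTEGER,
    AcctTerminateCause TEXT
);
"""

# Constructed rows, both still open on the same NAS: 's1' never received an
# Accounting-Update, 's2' did and therefore already has AcctSessionTime set.
SAMPLE_ROWS = [
    ("s1", "alice", "10.0.0.1", 1_000_000, None, None),
    ("s2", "bob",   "10.0.0.1", 1_000_000, None, 600),
]

# The form the message objects to: the extra AcctSessionTime IS NULL condition
# skips every session that an Accounting-Update has already touched.
ONOFF_WITH_SESSIONTIME_CHECK = """
UPDATE radacct
   SET AcctStopTime = :now,
       AcctSessionTime = :now - AcctStartTime,
       AcctTerminateCause = 'NAS-Reboot'
 WHERE NASIPAddress = :nas
   AND AcctStopTime IS NULL
   AND AcctSessionTime IS NULL
"""

# Corrected form: an active session is one with AcctStopTime IS NULL, nothing more.
ONOFF_FIXED = """
UPDATE radacct
   SET AcctStopTime = :now,
       AcctSessionTime = :now - AcctStartTime,
       AcctTerminateCause = 'NAS-Reboot'
 WHERE NASIPAddress = :nas
   AND AcctStopTime IS NULL
"""


def fresh_db():
    """In-memory radacct loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress,"
        " AcctStartTime, AcctStopTime, AcctSessionTime) VALUES (?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def open_sessions_after_onoff(query, nas="10.0.0.1", now=1_000_900):
    """Run an Accounting-On/Off query for `nas` and return the usernames of
    sessions still open afterwards. A correct query leaves none."""
    conn = fresh_db()
    conn.execute(query, {"now": now, "nas": nas})
    rows = conn.execute(
        "SELECT UserName FROM radacct WHERE AcctStopTime IS NULL ORDER BY UserName"
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("left open by query with AcctSessionTime IS NULL:",
          open_sessions_after_onoff(ONOFF_WITH_SESSIONTIME_CHECK))
    print("left open by fixed query:", open_sessions_after_onoff(ONOFF_FIXED))
```

The leftover open row is not just cosmetic: anything that reads AcctStopTime IS NULL as "online" (Simultaneous-Use checks, the session-count queries later in this page) keeps counting a session the NAS already forgot about after its reboot.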
Re: Kill online user
On Wed, Oct 13, 2004 at 02:42:11PM -0600, Guy Fraser wrote:
> It depends on the type of NAS you are using. On some Cisco Access Servers you can use SNMP to administratively disable the line the user is on then administratively enable the line to allow new connections on it. Even between different classes of Cisco products, the SNMP OID codes may be different. And other vendors will likely have much different OID codes. A snippet from Cisco's IF-MIB.my file :

It's not Cisco's, it's a common MIB :) Cisco has its own means too: casnDisconnect from CISCO-AAA-SESSION-MIB. It's more handy, because the index in that table corresponds to the RADIUS NAS-Port attribute, and there's no need to enable the interface back.

But the ifAdminStatus method should work for any NAS; the only problem is to determine the SNMP index of the interface. For Cisco, it's, yes, the index of an entry which has ifDescr = Async%{NAS-Port}. For PortMaster, I get it from the ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.%{Framed-IP-Address} variable.

-- Fduch M. Pravking
Re: Double quoting in sql?
On Wed, Sep 29, 2004 at 08:10:45AM +0200, Oliver Graf wrote:
> On Fri, Sep 24, 2004 at 10:24:09AM -0400, Alan DeKok wrote:
> > Oliver Graf [EMAIL PROTECTED] wrote:
> > > I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one small problem in the sql module: a Username seems to be quoted two times, first when setting sql_user_name, then when doing the xlat on the whole query. Debug output: radius_xlat: 'test=23test'
> >
> > Something is escaping '#' to '=23', probably in the SQL module.
>
> Yeah. The problem is that the allowed_chars string in 0.9.3 included '=', but the one in 1.0.1 does not.

I'll take the risk of reminding you of these threads...

http://lists.cistron.nl/pipermail/freeradius-devel/2003-May/thread.html#4836
http://lists.cistron.nl/pipermail/freeradius-devel/2003-June/thread.html#4954
http://lists.cistron.nl/pipermail/freeradius-devel/2003-July/thread.html#5539

-- Fduch M. Pravking
Re: Double quoting in sql?
On Fri, Sep 24, 2004 at 09:39:07AM +0200, Oliver Graf wrote:
> Hi! I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one small problem in the sql module: a Username seems to be quoted two times, first when setting sql_user_name, then when doing the xlat on the whole query.

IIRC this behaviour has been here since the SQL-User-Name attribute has been handled by rlm_sql, because it's being escaped twice. Two ways I see:

1. avoid using %{SQL-User-Name} in queries.
2. patch rlm_sql.c::sql_set_user to pass func=NULL to radius_xlat.

However, in the second case, radius_xlat uses its own copy function (xlat_copy), which has a "FIXME: Do escaping of bad stuff!" comment...

-- Fduch M. Pravking
Re: Double quoting in sql?
On Fri, Sep 24, 2004 at 12:39:09PM +0200, Oliver Graf wrote:
> It does not seem that the change which causes this is in rlm_sql.c. I guess it is to search in variable expansion of main/xlat.c. But I currently fail to see the change between 0.9.3 and 1.0.1 where this happened... perhaps I will take a deeper look later.

Hmm... 0.9.3 did escaping for anything except:

@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: =/,

and the default setting of safe-characters is the same now, so the '#' char should have been escaped in 0.9.3 too. Didn't you patch rlm_sql.c of 0.9.3 to modify the safe char list? ;-)

-- Fduch M. Pravking
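The double escaping discussed across the three "Double quoting in sql?" messages above is easier to see with the escaping function in hand. The block below is an added example written for this page, not rlm_sql's code: it reimplements the =XX scheme the server's sql_escape_func applies (every byte outside the safe list becomes '=' plus two hex digits, which is how '#' shows up as '=23'), with the two safe-character lists the thread argues about, one that treats '=' as safe and one that does not. Escaping SQL-User-Name once in sql_set_user and again during the xlat of the whole query gives different damage depending on which list is in force.

```python
import re

# Reimplementation, for illustration only, of the escaping rlm_sql applies to
# values it substitutes into queries: every byte outside the safe-characters
# list becomes '=' followed by its two-digit hex code. The two lists are the
# variants discussed in the thread (with and without '='), not a specific release.
SAFE_WITH_EQ = ("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "0123456789.-_: =/,")
SAFE_WITHOUT_EQ = SAFE_WITH_EQ.replace("=", "")

_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def sql_escape(value, safe=SAFE_WITHOUT_EQ):
    """Escape `value` as =XX per unsafe byte; non-ASCII bytes are always escaped."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x80 and ch in safe:
            out.append(ch)
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def sql_unescape(value):
    """Reverse exactly one layer of =XX escaping, as a reader of the table would."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "=" and _HEX2.fullmatch(value[i + 1:i + 3] or ""):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(value[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def double_escape_demo(username, safe):
    """What the thread describes: SQL-User-Name escaped once when it is set,
    then again when the whole query is xlat'ed. Returns
    (escaped once, escaped twice, what a single unescape of the stored value gives)."""
    once = sql_escape(username, safe)
    twice = sql_escape(once, safe)
    return once, twice, sql_unescape(twice)


if __name__ == "__main__":
    for name, safe in (("'=' safe", SAFE_WITH_EQ), ("'=' unsafe", SAFE_WITHOUT_EQ)):
        print(name, double_escape_demo("test#test", safe))
    # The escape marker itself must be escaped for the mapping to be reversible:
    print("ambiguous with '=' safe:", sql_escape("a=23b", SAFE_WITH_EQ) == sql_escape("a#b", SAFE_WITH_EQ))
```

With '=' unsafe the second pass turns the marker itself into '=3D', so the stored username is 'test=3D23test' and one unescape yields 'test=23test' rather than 'test#test', which is the symptom in the debug output. Keeping '=' in the safe list hides that symptom but makes the encoding non-injective: 'a=23b' and 'a#b' collide, so it is not a fix either; escaping a value exactly once is.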
Re: [Help] duplicate radacct records in my postgresql database
On Tue, Aug 10, 2004 at 04:18:08PM +0800, ac wrote:
> I use postgresql to record all the radacct-pkts from the freeradius-0.9.3. But sometimes the record with the same acctuniqueid, acctsessionid appears twice or much more times. I don't know why it happened and how to avoid it.

Check if Acct-Delay-Time differs in the requests. If it does, it looks like you have one of the following problems:

1. Network problems, so the Accounting-Ack sometimes does not reach the NAS, so it re-sends the request.
2. Slow database, so it takes too long to accomplish the request and the NAS gets timed out, again re-sending the request. In this case you can try to configure your NAS for a greater timeout.

Some people would suggest using a UNIQUE constraint on the acctUniqueId column, which also seems reasonable.

> By the way, is there any sql statement which can help me to delete or skip the duplicate records with the same acctuniqueid?

If you have a serial id column in the default schema try using

SELECT * FROM radacct
WHERE EXISTS (
    SELECT 1 FROM radacct r2
    WHERE r2.id < radacct.id -- note the <
      AND r2.acctUniqueId = radacct.acctUniqueId
);

Then, if you are sure that's it, replace SELECT with DELETE. If you want to leave the first of the dups, use <, if you want the last - >.

-- Fduch M. Pravking
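The three suggestions in that reply (look at Acct-Delay-Time, the correlated EXISTS with < or >, and the UNIQUE constraint) can be tried on a throwaway table. This is an added example for this page, not the project's code: it loads a small constructed radacct in SQLite in which one session was written three times by a retransmitting NAS, shows which rows the query flags under each comparison, runs the DELETE form, and shows what a UNIQUE constraint on AcctUniqueId does to the same inserts.

```python
import sqlite3

# In-memory stand-in for radacct with the serial id column the reply assumes.
SCHEMA = """
CREATE TABLE radacct (
    id            INTEGER PRIMARY KEY,
    AcctSessionId TEXT NOT NULL,
    AcctUniqueId  TEXT NOT NULL,
    UserName      TEXT,
    AcctDelayTime INTEGER
);
"""

# Constructed rows: session u-1 was stored three times because the NAS
# retransmitted (note the growing Acct-Delay-Time); u-2 is a clean single row.
ROWS = [
    ("s-aaa", "u-1", "alice", 0),
    ("s-aaa", "u-1", "alice", 5),
    ("s-aaa", "u-1", "alice", 12),
    ("s-bbb", "u-2", "bob", 0),
]

# The correlated EXISTS from the reply; `op` is '<' to keep the first copy of
# each group or '>' to keep the last one.
DUP_WHERE = """
WHERE EXISTS (
    SELECT 1 FROM radacct r2
    WHERE r2.id {op} radacct.id
      AND r2.AcctUniqueId = radacct.AcctUniqueId
)
"""


def load(unique=False):
    """Fresh table with ROWS inserted; returns (connection, rows actually stored)."""
    schema = SCHEMA
    if unique:
        # The constraint some people suggest: a retransmitted Start then fails at
        # INSERT time instead of producing a duplicate row.
        schema = schema.replace("AcctUniqueId  TEXT NOT NULL",
                                "AcctUniqueId  TEXT NOT NULL UNIQUE")
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    stored = 0
    for row in ROWS:
        try:
            conn.execute("INSERT INTO radacct (AcctSessionId, AcctUniqueId,"
                         " UserName, AcctDelayTime) VALUES (?, ?, ?, ?)", row)
            stored += 1
        except sqlite3.IntegrityError:
            pass  # duplicate rejected by the UNIQUE constraint
    return conn, stored


def retransmitted_sessions():
    """AcctUniqueIds whose copies carry different Acct-Delay-Time values: the
    first check the reply asks for, and the sign of NAS retransmission."""
    conn, _ = load()
    rows = conn.execute(
        "SELECT AcctUniqueId FROM radacct GROUP BY AcctUniqueId"
        " HAVING COUNT(DISTINCT AcctDelayTime) > 1 ORDER BY AcctUniqueId").fetchall()
    return [r[0] for r in rows]


def duplicate_ids(keep="first"):
    """ids the SELECT form flags for deletion with the chosen comparison."""
    op = "<" if keep == "first" else ">"
    conn, _ = load()
    rows = conn.execute("SELECT id FROM radacct " + DUP_WHERE.format(op=op)
                        + " ORDER BY id").fetchall()
    return [r[0] for r in rows]


def delete_duplicates(keep="first"):
    """Run the DELETE form; returns the surviving (id, AcctUniqueId, AcctDelayTime)."""
    op = "<" if keep == "first" else ">"
    conn, _ = load()
    conn.execute("DELETE FROM radacct " + DUP_WHERE.format(op=op))
    return conn.execute("SELECT id, AcctUniqueId, AcctDelayTime FROM radacct"
                        " ORDER BY id").fetchall()


def rows_stored_with_unique_constraint():
    """How many of ROWS survive when AcctUniqueId is UNIQUE."""
    _, stored = load(unique=True)
    return stored


if __name__ == "__main__":
    print("retransmitted:", retransmitted_sessions())
    print("flagged with <:", duplicate_ids("first"), " with >:", duplicate_ids("last"))
    print("after DELETE keeping first:", delete_duplicates("first"))
    print("rows stored under UNIQUE:", rows_stored_with_unique_constraint())
```

Always run the SELECT form and eyeball the ids before switching it to DELETE: the same EXISTS clause with the comparison flipped deletes the opposite set of rows. The UNIQUE constraint trades a duplicate row for a failed INSERT, which the server will log as a failed accounting query, so decide which of the two you would rather see in the logs before adding it.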
Re: Many SQL accounts
On Sun, Jul 18, 2004 at 12:53:44PM +0800, Nikolay L. Kirillov wrote:
> Hi All! On this good Sunday I'm trying to start accounting, and have some trouble with freeradius 0.9.3. In 'radiusd.conf' I added the lines
>
> modules {
>     # some other lines
>     $INCLUDE ${confdir}/sql.conf   # Instance named 'sql'.
>     $INCLUDE ${confdir}/sql1.conf  # Instance named 'sql1'.
>     $INCLUDE ${confdir}/sql2.conf  # Instance named 'sql2'.

What's there? Looks like you have declared

sql1 {
    ...
}

The right syntax for a module config is

module-name [ instance-name ] {
    ...
}

If not specified, the instance name is the same as the module name. So in your case:

sql sql1 {
    ...
}

> radiusd.conf[1] Failed to link to module 'rlm_sql1': rlm_sql1.so: cannot open shared object file: No such file or directory
>
> I did: ln -s /usr/local/lib/rlm_sql.so /usr/local/lib/rlm_sql1.so

It's an unnecessary dirty hack :)

-- Fduch M. Pravking
Re: Fall-Through in acct_users
On Tue, Jul 13, 2004 at 11:07:59AM -0400, Alan DeKok wrote:
Andrey Lakhno [EMAIL PROTECTED] wrote:

It does not work. Maybe I did something incorrectly? acct_users:

DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
        Exec-Program = /home/voip/aaa/acct_call_generic,
        Fall-Through = Yes

DEFAULT NAS-IP-Address == x.x.x.x, Acct-Status-Type == Stop
        Exec-Program = /home/voip/aaa/test

At least you should have used += instead of =.

What doesn't work is having two Exec-Program attributes. The server supports only one.

But why? Was it just not implemented or are there some other reasons?

-- Fduch M. Pravking
Re: Question about Freeradius and LDAP
On Wed, Jul 07, 2004 at 09:00:00PM +0200, Arthur EBEL wrote:
> Hi everybody, my freeradius operates very well with an openldap directory. All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr can be authenticated. I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr BUT I don't want to give access to all my tree dc=utt,dc=fr. How can I set up the LDAP module to do this?

AFAIK, rlm_ldap cannot work with multiple basedn's. However, you can use OpenLDAP's own ACLs. E.g. in slapd.conf (assuming you have identity=cn=radius,ou=robots,dc=utt,dc=fr):

access to dn="ou=people,ou=personnels,dc=utt,dc=fr"
    ...
    by dn="cn=radius,ou=robots,dc=utt,dc=fr" read
access to dn="ou=students,ou=personnels,dc=utt,dc=fr"
    ...
    by dn="cn=radius,ou=robots,dc=utt,dc=fr" read
access to *
    by dn="cn=radius,ou=robots,dc=utt,dc=fr" none

(I'm not sure this is totally correct so you should test it yourself.) Then you can safely use basedn=ou=personnels,dc=utt,dc=fr for radius.

-- Fduch M. Pravking
Re: User's password on radius log
On Sun, Jun 06, 2004 at 10:20:13AM -0400, Alan DeKok wrote:
> Rattapon Pacharawongsakda [EMAIL PROTECTED] wrote:
> > Is it possible to turn off showing the password of each user in the freeradius log file?
>
> Yes. Search radiusd.conf for password and log.

Unfortunately, some modules (e.g. rlm_(ms)chap, rlm_ldap) do log passwords in _debug mode_, in spite of the log_auth_(good|bad)pass settings. The only way for now to fix it (if you need to) is to edit the sources.

-- Fduch M. Pravking
Re: shared secret length limitation
On Thu, May 13, 2004 at 11:25:34AM +0100, Graeme Hinchliffe wrote:
> Well assuming JUST the alphabet was used in the same case thats: 16^26 = 20282409603651670423947251286016 possible combinations

Sorry for pedantry, not 16^26 but 26^16 = 4.36087428994289e+22 ;-)

That is, assuming N is the desired number of combinations, A is the alphabet capacity (26 here) and ln() is the natural logarithm, we get (nearly) enough shared secret length L:

L = ln(N) / ln(A).

-- Fduch M. Pravking
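The formula above turned into something you can run, as an added example that is not part of the original message: it checks the 16^26 versus 26^16 mix-up in exact integer arithmetic, rounds L = ln(N)/ln(A) up to a whole number of characters (with an integer re-check, because the float logarithms can land on the wrong side of an exact power), converts a target in bits of entropy to a length for a given alphabet, and draws a secret of that length from the OS CSPRNG. The alphabet sizes and bit targets used are ordinary choices, not values from the thread.

```python
import math
import secrets
import string


def combinations(alphabet_size, length):
    """Number of distinct secrets of `length` symbols over `alphabet_size` symbols."""
    return alphabet_size ** length


def required_length(target_combinations, alphabet_size):
    """Smallest L with alphabet_size**L >= target_combinations, i.e. L = ln(N)/ln(A)
    rounded up, then corrected in exact integer arithmetic because the float
    logarithms can land a hair on the wrong side of an exact power of A."""
    if alphabet_size < 2 or target_combinations < 1:
        raise ValueError("need an alphabet of at least 2 symbols and N >= 1")
    length = max(1, math.ceil(math.log(target_combinations) / math.log(alphabet_size)))
    while alphabet_size ** length < target_combinations:
        length += 1
    while length > 1 and alphabet_size ** (length - 1) >= target_combinations:
        length -= 1
    return length


def length_for_bits(bits, alphabet_size):
    """Length needed for a secret carrying at least `bits` bits of entropy."""
    return required_length(2 ** bits, alphabet_size)


def generate_secret(bits=128, alphabet=string.ascii_letters + string.digits):
    """Uniformly random secret with at least `bits` bits of entropy, drawn with
    the OS CSPRNG via the secrets module, never with random.random()."""
    n = length_for_bits(bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    print("26^16 =", combinations(26, 16))
    print("16^26 =", combinations(16, 26))
    for bits in (64, 96, 128):
        print(f"{bits} bits: {length_for_bits(bits, 26)} lower-case letters,"
              f" {length_for_bits(bits, 62)} alphanumerics")
    print("example 128-bit secret:", generate_secret(128))
```

One caveat the arithmetic does not capture: the length is only as good as the generator. A 22-character alphanumeric secret produced by a pattern or a non-cryptographic PRNG has far fewer than 128 bits behind it, whatever its length says.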
Re: User with 2 profiles but different simultaneous-use in each
On Mon, Apr 05, 2004 at 08:16:24PM +0300, Kostas Zorbadelos wrote:
> Hello to everyone. I have the following problem where I work. We have a user, let's say kzorba, that is an ADSL user and has a specific profile (check and reply attributes). We want to limit the Simultaneous-Use of the user for this service to 1. We also want the same user to be able to use an ISDN 128 backup connection in case his ADSL line has a problem. In this case our user has a different profile and Simultaneous-Use 2 (in order to be able to login twice for the 2 isdn channels). So the question is: how can I lock the user in a way that when he uses his ADSL connection, not to be able to connect with ISDN at all (that's easy since Simultaneous-Use is 1 in this case and won't be allowed to login for anything else) and the opposite (when in as an ISDN not to be able to use the ADSL). Any suggestions are highly appreciated.

You could do it in the authorize {} section instead of session {}. Say you have defined 2 attrs (e.g. of type integer): ADSL-Up and ISDN-Up. Assuming you have accounting in SQL, you could do:

ADSL-Up := `%{sql:SELECT count(*) FROM radacct WHERE UserName = '%u' AND NASPortType = 'Ethernet' AND AcctStopTime IS NULL}`
ISDN-Up := `%{sql:SELECT count(*) FROM radacct WHERE UserName = '%u' AND NASPortType = 'ISDN' AND AcctStopTime IS NULL}`

(Note the backquotes; the behaviour can change soon.) Then put 2 entries in the users file:

DEFAULT NAS-Port-Type == ISDN, ADSL-Up > 0, Auth-Type := Reject
        Reply-Message := "You have your ADSL up, ISDN connections disabled"

DEFAULT NAS-Port-Type == Ethernet, ISDN-Up > 0, Auth-Type := Reject
        Reply-Message := "To use ADSL, first stop your backup ISDN connections"

-- Fduch M. Pravking
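The two counting queries and the two DEFAULT entries above express one policy: a user may be online over ADSL or over ISDN, never both. The block below is an added example, not from the thread or the project, that runs that policy against a constructed radacct in SQLite so the decision for each (user, port type) pair can be checked. The per-service Simultaneous-Use limits are out of scope here; this only models the cross-service lock.

```python
import sqlite3

# In-memory stand-in for radacct with the columns the two %{sql:...} checks use.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId    INTEGER PRIMARY KEY,
    UserName     TEXT NOT NULL,
    NASPortType  TEXT NOT NULL,
    AcctStopTime INTEGER
);
"""

# Constructed accounting state: kzorba is online over ADSL (open Ethernet
# session) and has one finished ISDN session; 'backup' has an ISDN call up.
ROWS = [
    ("kzorba", "Ethernet", None),
    ("kzorba", "ISDN", 1_000_500),
    ("backup", "ISDN", None),
]

# The query behind ADSL-Up / ISDN-Up, with the user name as a bind parameter.
ACTIVE_COUNT = ("SELECT count(*) FROM radacct"
                " WHERE UserName = ? AND NASPortType = ? AND AcctStopTime IS NULL")


def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (UserName, NASPortType, AcctStopTime) VALUES (?, ?, ?)",
        ROWS)
    return conn


def active_sessions(conn, user, port_type):
    """The value the ADSL-Up / ISDN-Up attribute would receive."""
    return conn.execute(ACTIVE_COUNT, (user, port_type)).fetchone()[0]


def authorize(conn, user, port_type):
    """The two DEFAULT entries as policy.
    Returns ('reject', Reply-Message) or ('accept', None)."""
    adsl_up = active_sessions(conn, user, "Ethernet")
    isdn_up = active_sessions(conn, user, "ISDN")
    if port_type == "ISDN" and adsl_up > 0:
        return "reject", "You have your ADSL up, ISDN connections disabled"
    if port_type == "Ethernet" and isdn_up > 0:
        return "reject", "To use ADSL, first stop your backup ISDN connections"
    return "accept", None


def decisions():
    """Decision matrix for every constructed user and both port types."""
    conn = demo_db()
    return {
        (user, port): authorize(conn, user, port)[0]
        for user in ("kzorba", "backup")
        for port in ("Ethernet", "ISDN")
    }


if __name__ == "__main__":
    for key, verdict in sorted(decisions().items()):
        print(key, "->", verdict)
```

The lock is only as trustworthy as the accounting behind it: a session whose Stop packet never arrived (the PortMaster SNMP-disconnect case mentioned earlier on this page, or a NAS reboot not matched by a correct On/Off query) keeps AcctStopTime NULL and locks the user out of the other service until that row is closed by hand.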
Re: accounting from alive packets doesn't go to sql
On Tue, Apr 06, 2004 at 10:13:01PM +0400, Alexander Lunyov wrote:
AL> But it's not affecting sql :( And, while this accounting data is not showing up in
AL> sql, traffic is leaking! While searching the message base of this list i found the thread
AL> accounting_update_query. Is this query in sql.conf responsible for traffic updates (by Alive packets, i mean)?

Yes.

AL> If so, why does the default update_query not include traffic and time update fields? May it be the cause of my problem?

Looks like your sql config is too old; current configs (mysql/pg/oracle) do update Acct*Octets. But that's not the main problem, I think: you should have seen at least an update of AcctSessionTime. Could you show the debug output for an Alive packet?

-- Fduch M. Pravking
Re: accounting from alive packets doesn't go to sql
On Wed, Apr 07, 2004 at 12:36:30AM +0400, Alexander Lunyov wrote:
> > > If so, why does the default update_query not include traffic and time update fields? May it be the cause of my problem?
> AMP> Looks like your sql config is too old, current configs (mysql/pg/oracle)
> AMP> do update Acct*Octets.
>
> Current means cvs? I have freeradius-0.9.3 configs.

Yes.

> AMP> But that's not the main problem, I think: you
> AMP> should have seen at least update of AcctSessionTime.
>
> In my case i don't need SessionTime at all, traffic is the main objective.
>
> AMP> Could you show the debug output for an Alive packet?
>
> Well, it looks something like this:

Oh, no. Not the detail'ed entry, but the output from radiusd -X.

-- Fduch M. Pravking
Re: Gigawords
On Tue, Apr 06, 2004 at 04:31:30PM -0400, Alan DeKok wrote:
> Steve Cole [EMAIL PROTECTED] wrote:
> > The dictionaries don't concern me, what I need to do is log them. Unless I'm blind, there is no support for Accounting for them in the SQL schema:
>
> <shrug> So add them, and supply a patch to the schema queries. That's why they're in configuration files: so you can edit them.

The PostgreSQL config already has the support. Someone was going to make similar changes for all other drivers IIRC...

-- Fduch M. Pravking
Re: how can i limit traffic use?
On Mon, Mar 01, 2004 at 09:22:56AM +0300, Alexander Lunyov wrote:
> > > Well, i'm using exppp (http://shs.sumy.ua/, but it's in russian) on a FreeBSD box, and exppp understands its own attributes (Exppp-Traffic-Limit and such), and i think it can kick the user when traffic exceeds. How can freeradius tell exppp how many octets the user has for the session? I mean, if all accounting information is in a mysql base, radius has to do a simple SELECT to sql with sum()'s, then subtract this value (it will be a number of octets) from some fixed value of limit and give the result to exppp as Exppp-Traffic-Limit. Well, or something like that. Can it be done in FreeRadius? I mean, all those sql queries, subtraction and all of that?
> >
> > You could configure a default entry like this:
> >
> > DEFAULT Exppp-Traffic-Limit := "%{sql:SELECT ...}"
> >
> > assuming you already have an instance of the sql module.
>
> Oh, it's interesting! I think something like this will help (rlm_sqlcounter):
>
> sqlcounter monthlytraffic {
>     counter-name = Monthly-Traffic
>     check-name = Max-Monthly-Traffic
>     sqlmod-inst = sql
>     key = User-Name
>     reset = monthly
>     query = "SELECT (sum(AcctInputOctets)+sum(AcctOutputOctets)) FROM radacct WHERE UserName='%{%k}' AND Month(AcctStopTime) =(Month(NOW())-1) AND Year(AcctStopTime) = Year(NOW())"
> }

No, WHERE UserName = '%k' or WHERE UserName = '%u'. You could probably use %b - the unix time value of the beginning of the reset period - instead of the Month()/Year()/NOW() calculations.

> But, if i've understood it right, this module only acts during the logon process, i mean, it won't pass any attributes to the NAS, it just rejects the user if the user's traffic is over, am i right? Still, radius has to return the traffic limit value to the NAS (exppp), how can it (or i) do this?

rlm_counter adds Session-Timeout to the reply only if count-attribute is Acct-Session-Time, but rlm_sqlcounter seems to always add Session-Timeout. Not sane, really. You could try to patch rlm_sqlcounter to accept a new configuration value, say reply-attribute, defaulting to Session-Timeout.

-- Fduch M. Pravking
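What the corrected counter would compute, as an added example that is not rlm_sqlcounter's code: the key is bound as a plain parameter instead of being spliced in as '%{%k}', the reset period is a unix timestamp in the spirit of %b (assumed here to mean 00:00 UTC on the first of the current month for reset = monthly; the module's exact boundary is not stated on this page) compared against AcctStopTime, and the result is turned into either a reject or the remaining octets that a configurable reply attribute such as Exppp-Traffic-Limit would carry. The radacct rows and the limits are constructed.

```python
import datetime
import sqlite3

# In-memory radacct with the columns a traffic counter needs.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId        INTEGER PRIMARY KEY,
    UserName         TEXT NOT NULL,
    AcctStartTime    INTEGER,
    AcctStopTime     INTEGER,
    AcctInputOctets  INTEGER NOT NULL DEFAULT 0,
    AcctOutputOctets INTEGER NOT NULL DEFAULT 0
);
"""

MARCH_1_2004 = 1_078_099_200   # 2004-03-01 00:00:00 UTC
DAY = 86_400

# Constructed, all closed: alex has one February session that must not count
# and two March sessions; sasha's traffic must not leak into alex's total.
ROWS = [
    ("alex",  MARCH_1_2004 - 2 * DAY, MARCH_1_2004 - DAY,     3_000_000_000, 1_000_000_000),
    ("alex",  MARCH_1_2004 + 3 * DAY, MARCH_1_2004 + 4 * DAY,   400_000_000,   100_000_000),
    ("alex",  MARCH_1_2004 + 8 * DAY, MARCH_1_2004 + 9 * DAY,   200_000_000,    50_000_000),
    ("sasha", MARCH_1_2004 + 5 * DAY, MARCH_1_2004 + 6 * DAY, 9_000_000_000, 9_000_000_000),
]

# Counter query with the two fixes from the reply: the key (User-Name) is a
# bind parameter, and the reset period is a unix timestamp (%b) compared against
# AcctStopTime instead of Month()/Year()/NOW() arithmetic.
USED_QUERY = ("SELECT COALESCE(SUM(AcctInputOctets + AcctOutputOctets), 0)"
              " FROM radacct WHERE UserName = ? AND AcctStopTime >= ?")


def period_start_monthly(now_ts):
    """Unix time of the start of the current reset period for reset = monthly
    (assumed here: 00:00 UTC on the first of the month)."""
    now = datetime.datetime.fromtimestamp(now_ts, tz=datetime.timezone.utc)
    first = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    return int(first.timestamp())


def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (UserName, AcctStartTime, AcctStopTime,"
        " AcctInputOctets, AcctOutputOctets) VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def used_octets(conn, user, period_start):
    """Octets the user consumed in sessions closed since period_start."""
    return conn.execute(USED_QUERY, (user, period_start)).fetchone()[0]


def traffic_decision(conn, user, limit_octets, now_ts):
    """What the patched counter asked for above would do: reject when the
    period's usage reached the limit, otherwise accept and hand back the
    remaining octets for the reply attribute. Returns ('reject', None) or
    ('accept', remaining_octets)."""
    used = used_octets(conn, user, period_start_monthly(now_ts))
    if used >= limit_octets:
        return "reject", None
    return "accept", limit_octets - used


if __name__ == "__main__":
    conn = demo_db()
    now = MARCH_1_2004 + 14 * DAY + 43_200      # 2004-03-15 12:00 UTC
    print("period start:", period_start_monthly(now))
    print("alex, 1 GB limit:", traffic_decision(conn, "alex", 1_000_000_000, now))
    print("alex, 700 MB limit:", traffic_decision(conn, "alex", 700_000_000, now))
```

Summing closed sessions only means the octets of a session still in progress are not charged until its Stop arrives, exactly the gap the "accounting from alive packets" thread above is about; if the accounting_update_query keeps Acct*Octets current, an open session can be included by dropping the AcctStopTime condition and filtering on AcctStartTime instead.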
rlm_mschap: Undefined symbol lrad_lmpwdhash
The following error occurs in the authenticate method of rlm_mschap:

Wed Feb 4 21:49:54 2004 : Debug: modcall: entering group Auth-Type for request 0
Wed Feb 4 21:49:54 2004 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 0
/usr/libexec/ld-elf.so.1: /home/fduch/radius-test/lib/rlm_mschap-1.0.0-pre0.so: Undefined symbol "lrad_lmpwdhash"

(radiusd dies)

Adding

RLM_LIBS = -lradius

to src/modules/rlm_mschap/Makefile and reinstalling it seems to solve the problem, but I'm not sure it's a perfect way. Comments?

Oh, yes, it's a current CVS version on FreeBSD 4.8-RELEASE-p13.

-- Fduch M. Pravking