Re: Design question - proxying RADIUS auth request to a backend webservice

2013-02-17 Thread Alexandr Kovalenko
On Sun, Feb 17, 2013 at 11:05 PM, Walter Goulet  wrote:
> I'm looking for some input from the experts to help validate a solution
> approach that I've come up with. The problem I'm trying to solve is to
> allow NAS equipment and other RADIUS clients to authenticate users against a
> proprietary authentication service that uses REST APIs over HTTP.
>
> The solution that I've put together is to use rlm_perl which allows me to
> use standard Perl modules to interact with the authentication service. I'm
> pretty happy with the results so far in that I am able to build exactly what
> I need and authentication against the webservice works just fine.
>
> The question to the list, are there other solution approaches that might be
> better? Any significant disadvantages to using rlm_perl as I've described?
> Would it be better to write a custom module instead, hoping that by doing so
> there may be some performance improvements?
>
> Any input is greatly appreciated.

Not exactly your case, but. Here is my story.

I had a need to proxy/convert DHCP requests from equipment (and later
- end user's routers/computers (I worked @ISP)) to RADIUS.

First version was using FreeRADIUS's rlm_perl for handling incoming
DHCP requests and it did work pretty cool, while sometimes it had
problems with duplicated requests, didn't scale well (probably my
fault, but I didn't wish to find this out) and so on, so I analyzed
request patterns, read RFC 2131, and reimplemented DHCP server on pure
perl, without using FreeRADIUS's DHCP feature. As a backend RADIUS
client (to connect to closed source commercial billing system) I used
Authen::Radius first (leftover from quick-n-dirty rlm_perl version),
but it didn't work well for me and was not powerful enough, so I used
Net::Radius::Packet/Net::Radius::Dictionary and implemented stripped
down radius client myself.

So, as for your question, besides using rlm_rest (which is devel as of
now, as I understand) you may try writing stripped down RADIUS server
combined with REST client for your auth service.
But for that you either have to reimplement full radius server (which
is not an option, I think), or implement just a subset, which works
only for your specific equipment. It may be an option.

Cheers,

Just my $0.02.

-- 
Alexandr Kovalenko
http://uafug.org.ua/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
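
The "implement just a subset" option from the message above, as an added example (not code from the thread or from FreeRADIUS): a PAP-only RADIUS handler that parses an Access-Request, recovers User-Password as RFC 2865 defines it, and signs the reply. The `backend_ok` callback stands in for the REST call; the shared secret, the request and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # attribute types from RFC 2865


def parse_packet(data):
    """Return (code, id, authenticator, {attr_type: [raw values]})."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= min(len(data), 4096):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:  # octets past Length are padding and are ignored
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(data[pos + 2:pos + alen])
        pos += alen
    return code, ident, data[4:20], attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2 User-Password hiding (the NAS side)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password (the server side)."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("bad User-Password length")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    # A plain Access-Request carries no integrity check, so a wrong shared
    # secret yields garbage here rather than an error.
    return out.rstrip(b"\x00")


def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Reply with Response Authenticator = MD5(header+ReqAuth+attrs+secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(reply, request_auth, secret):
    """Client-side check that the reply was signed with the shared secret."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def handle_request(data, secret, backend_ok):
    """Return reply bytes, or None for packets this subset does not serve.

    Raises ValueError on malformed input; the caller should drop the packet.
    backend_ok(user: str, password: bytes) -> bool is the REST stand-in.
    """
    code, ident, request_auth, attrs = parse_packet(data)
    if code != ACCESS_REQUEST:
        return None
    verdict = ACCESS_REJECT
    if USER_NAME in attrs and USER_PASSWORD in attrs:
        user = attrs[USER_NAME][0].decode("utf-8", "replace")
        password = reveal_password(attrs[USER_PASSWORD][0], secret, request_auth)
        if backend_ok(user, password):
            verdict = ACCESS_ACCEPT
    return build_reply(verdict, ident, request_auth, secret)


def build_sample_request(user, password, secret, ident=70):
    """Constructed Access-Request; real clients use a random authenticator."""
    request_auth = bytes(range(16))
    hidden = hide_password(password, secret, request_auth)
    attrs = (bytes([USER_NAME, 2 + len(user)]) + user +
             bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


if __name__ == "__main__":
    secret = b"testing123"  # constructed shared secret
    req = build_sample_request(b"admin", b"test", secret)
    reply = handle_request(req, secret, lambda u, p: (u, p) == ("admin", b"test"))
    print("reply code:", reply[0], "signed:", verify_reply(reply, req[4:20], secret))
```

This subset covers PAP only: CHAP, EAP, accounting and Message-Authenticator checking are outside it, and the password reaches the backend in clear text, so the REST call needs its own transport protection.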


Re: Perl bindings for libfreeradius-radius

2010-12-23 Thread Alexandr Kovalenko
On Wed, Dec 22, 2010 at 11:34 PM, Alan DeKok  wrote:

>> Anyone aware of any perl module, which provides libfreeradius-radius
>> interface?
>
>  Search CPAN for RADIUS client libraries.

Thank you, but searching CPAN is prerequisite for writing to maillist :)

The idea is that there is none in CPAN. I mean no reliable module, yet
simple module, which could read freeradius dictionaries, make
auth/acct/coa requests.

Authen::Radius is pretty simple, but it has some problems with reading
dictionaries of freeradius, and its own dictionaries are pretty
outdated.

POE-Component-Client-RADIUS-1.02 can't issue coa/pod packets and "a
bit" overkill in complexity of implementation - POE, which is not
needed there.

The best thing is to have something like Authen::Radius, but more
reliable and able to read new dictionaries. I know it has been updated
recently to 0.20, but it does not completely fix compatibility
problems with vendor attributes and/or values, only quick fix to make
it work in most common cases. Still have problems.

That's why I'm asking for help in mailing list - maybe I am
overlooking some really good, small and efficient Perl module which
supports all types of messages - auth/acct/coa.

Thanks in advance.

-- 
Alexandr Kovalenko
http://uafug.org.ua/



Perl bindings for libfreeradius-radius

2010-12-22 Thread Alexandr Kovalenko
Hello!

Anyone aware of any perl module, which provides libfreeradius-radius interface?

Thanks in advance!

-- 
Alexandr Kovalenko
http://uafug.org.ua/


Re: Threads & Perl

2010-03-05 Thread Alexandr Kovalenko
On Fri, Mar 5, 2010 at 9:13 AM, Alan DeKok  wrote:
> Alexandr Kovalenko wrote:
>> I'm trying to find out if FreeRADIUS create separate Perl instance per
>> each thread (thread pool {}) (2.1.8) ?
>
>  See doc/ChangeLog

Cannot see there anything related to my question.

>> The main question is: will FreeRADIUS with use of rlm_perl script be
>> able to serve multiple requests simultaneously or each next request
>> should wait until previous will finish?
>
>  Yes.

Simultaneously?

My tests show me that only one perl instance created every time,
max_requests_per_server option (from thread pool {}) does not work at
all - FreeRADIUS does not create new instance after 3+ requests.

This is perl, v5.8.9 built for i386-freebsd-64int

Characteristics of this binary (from libperl):
  Compile-time options: MYMALLOC PERL_MALLOC_WRAP USE_64_BIT_INT
USE_FAST_STDIO USE_LARGE_FILES USE_PERLIO

radiusd: FreeRADIUS Version 2.1.8, for host i386-portbld-freebsd8.0,
built on Feb  3 2010 at 14:04:18

1. Should I compile perl with threads to enable multiple instances?
2. With non-threaded perl, separate perl instances created?

-- 
Alexandr Kovalenko
http://uafug.org.ua/



Threads & Perl

2010-03-04 Thread Alexandr Kovalenko
Hello!

I'm trying to find out if FreeRADIUS create separate Perl instance per
each thread (thread pool {}) (2.1.8) ?

The main question is: will FreeRADIUS with use of rlm_perl script be
able to serve multiple requests simultaneously or each next request
should wait until previous will finish?

-- 
Alexandr Kovalenko
http://uafug.org.ua/


Re: rlm_perl behavior

2010-03-03 Thread Alexandr Kovalenko
On Wed, Apr 22, 2009 at 12:23 PM, Alan DeKok  wrote:
> Apostolos Pantsiopoulos wrote:
>> If any changes are to be made to the current
>> implementation to support multiple interpreters (one per thread)
>> would they show up in a 2.1.x release or a future one (2.2.x or something)?
>
>  They will show up in the next release, whatever that is.
>
>  i.e. "next after the changes have been made".

Have any changes been made already? :)

-- 
Alexandr Kovalenko
http://uafug.org.ua/



Re: rlm_perl still loses tags for tagged attributes even after upgrade to 2.1.6

2009-09-13 Thread Alexandr Kovalenko
Any news on that issue? How can I make any attention from developers
to this issue?

Thanks in advance!

On Wed, Aug 26, 2009 at 2:52 AM, Alexandr Kovalenko
 wrote:
> UP
>
> On Thu, Aug 20, 2009 at 10:49 AM, Alexandr
> Kovalenko wrote:
>> Hello,
>>
>> It has been stated in release notes for FR 2.1.6 that losing of tags
>> for tagged attributes is fixed in rlm_perl in this version, but it is
>> not.
>>
>> Look at the example below:
>>
>> 
>> $ radiusd -v | head -1
>> radiusd: FreeRADIUS Version 2.1.6, for host i386-portbld-freebsd7.2,
>> built on Aug 18 2009 at 12:31:54
>>
>> $ perl -V
>> Summary of my perl5 (revision 5 version 8 subversion 9) configuration:
>>  Platform:
>>   osname=freebsd, osvers=7.2-release-p2, archname=i386-freebsd-64int
>>   uname='freebsd mile.office.tsu 7.2-release-p2 freebsd
>> 7.2-release-p2 #0: fri jun 26 10:01:50 eest 2009
>> r...@mile.office.tsu:usrobjusrsrcsysmile i386 '
>>   config_args='-sde -Dprefix=/usr/local
>> -Darchlib=/usr/local/lib/perl5/5.8.9/mach
>> -Dprivlib=/usr/local/lib/perl5/5.8.9
>> -Dman3dir=/usr/local/lib/perl5/5.8.9/perl/man/man3
>> -Dman1dir=/usr/local/man/man1
>> -Dsitearch=/usr/local/lib/perl5/site_perl/5.8.9/mach
>> -Dsitelib=/usr/local/lib/perl5/site_perl/5.8.9
>> -Dscriptdir=/usr/local/bin
>> -Dsiteman3dir=/usr/local/lib/perl5/5.8.9/man/man3
>> -Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv
>> -Uinstallusrbinperl -Dcc=cc -Duseshrplib -Dinc_version_list=none
>> -Dccflags=-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.9/BSDPAN"
>> -Doptimize=-O2 -fno-strict-aliasing -pipe -march=pentium4 -Ud_dosuid
>> -Ui_gdbm -Dusethreads=n -Dusemymalloc=y -Duse64bitint'
>>   hint=recommended, useposix=true, d_sigaction=define
>>   usethreads=undef use5005threads=undef useithreads=undef
>> usemultiplicity=undef
>>   useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
>>   use64bitint=define use64bitall=undef uselongdouble=undef
>>   usemymalloc=y, bincompat5005=undef
>>  Compiler:
>>   cc='cc', ccflags
>> ='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.9/BSDPAN" -DHAS_FPSETMASK
>> -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe
>> -I/usr/local/include',
>>   optimize='-O2 -fno-strict-aliasing -pipe -march=pentium4',
>>   cppflags='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.9/BSDPAN"
>> -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe
>> -I/usr/local/include'
>>   ccversion='', gccversion='4.2.1 20070719  [FreeBSD]', gccosandvers=''
>>   intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
>>   d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
>>   ivtype='long long', ivsize=8, nvtype='double', nvsize=8,
>> Off_t='off_t', lseeksize=8
>>   alignbytes=4, prototype=define
>>  Linker and Libraries:
>>   ld='cc', ldflags =' -Wl,-E  -L/usr/local/lib'
>>   libpth=/usr/lib /usr/local/lib
>>   libs=-lgdbm -lm -lcrypt -lutil
>>   perllibs=-lm -lcrypt -lutil
>>   libc=, so=so, useshrplib=true, libperl=libperl.so
>>   gnulibc_version=''
>>  Dynamic Linking:
>>   dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='
>> -Wl,-R/usr/local/lib/perl5/5.8.9/mach/CORE'
>>   cccdlflags='-DPIC -fPIC', lddlflags='-shared  -L/usr/local/lib'
>>
>>
>> Characteristics of this binary (from libperl):
>>  Compile-time options: MYMALLOC PERL_MALLOC_WRAP USE_64_BIT_INT
>>                       USE_FAST_STDIO USE_LARGE_FILES USE_PERLIO
>>  Locally applied patches:
>>       defined-or
>>  Built under freebsd
>>  Compiled at Aug 18 2009 14:56:36
>>  @INC:
>>   /usr/local/lib/perl5/5.8.9/BSDPAN
>>   /usr/local/lib/perl5/site_perl/5.8.9/mach
>>   /usr/local/lib/perl5/site_perl/5.8.9
>>   /usr/local/lib/perl5/5.8.9/mach
>>   /usr/local/lib/perl5/5.8.9
>>   .
>> 
>>
>> Following code is used in sub authorize {} in perl module I'm trying to use
>> 
>>  if (($RAD_REQUEST{'User-Name'} eq 'admin') and
>> ($RAD_REQUEST{'User-Password'} eq 'test')) {
>>      $RAD_REPLY{'ERX-Service-Activate:1'} = "telesys";
>>      $RAD_REPLY{'ERX-Service-Statistics:1'} = "time-volume";
>>      $RAD_REPLY{'ERX-Qos-Parameters'}[0] = "internet_tr_value 2097152";
>>      $RAD_REPLY

Re: rlm_perl still loses tags for tagged attributes even after upgrade to 2.1.6

2009-08-25 Thread Alexandr Kovalenko
UP

On Thu, Aug 20, 2009 at 10:49 AM, Alexandr
Kovalenko wrote:
> Hello,
>
> It has been stated in release notes for FR 2.1.6 that losing of tags
> for tagged attributes is fixed in rlm_perl in this version, but it is
> not.
>
> Look at the example below:
>
> 
> $ radiusd -v | head -1
> radiusd: FreeRADIUS Version 2.1.6, for host i386-portbld-freebsd7.2,
> built on Aug 18 2009 at 12:31:54
>
> $ perl -V
> Summary of my perl5 (revision 5 version 8 subversion 9) configuration:
>  Platform:
>   osname=freebsd, osvers=7.2-release-p2, archname=i386-freebsd-64int
>   uname='freebsd mile.office.tsu 7.2-release-p2 freebsd
> 7.2-release-p2 #0: fri jun 26 10:01:50 eest 2009
> r...@mile.office.tsu:usrobjusrsrcsysmile i386 '
>   config_args='-sde -Dprefix=/usr/local
> -Darchlib=/usr/local/lib/perl5/5.8.9/mach
> -Dprivlib=/usr/local/lib/perl5/5.8.9
> -Dman3dir=/usr/local/lib/perl5/5.8.9/perl/man/man3
> -Dman1dir=/usr/local/man/man1
> -Dsitearch=/usr/local/lib/perl5/site_perl/5.8.9/mach
> -Dsitelib=/usr/local/lib/perl5/site_perl/5.8.9
> -Dscriptdir=/usr/local/bin
> -Dsiteman3dir=/usr/local/lib/perl5/5.8.9/man/man3
> -Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv
> -Uinstallusrbinperl -Dcc=cc -Duseshrplib -Dinc_version_list=none
> -Dccflags=-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.9/BSDPAN"
> -Doptimize=-O2 -fno-strict-aliasing -pipe -march=pentium4 -Ud_dosuid
> -Ui_gdbm -Dusethreads=n -Dusemymalloc=y -Duse64bitint'
>   hint=recommended, useposix=true, d_sigaction=define
>   usethreads=undef use5005threads=undef useithreads=undef
> usemultiplicity=undef
>   useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
>   use64bitint=define use64bitall=undef uselongdouble=undef
>   usemymalloc=y, bincompat5005=undef
>  Compiler:
>   cc='cc', ccflags
> ='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.9/BSDPAN" -DHAS_FPSETMASK
> -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe
> -I/usr/local/include',
>   optimize='-O2 -fno-strict-aliasing -pipe -march=pentium4',
>   cppflags='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.9/BSDPAN"
> -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe
> -I/usr/local/include'
>   ccversion='', gccversion='4.2.1 20070719  [FreeBSD]', gccosandvers=''
>   intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
>   d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
>   ivtype='long long', ivsize=8, nvtype='double', nvsize=8,
> Off_t='off_t', lseeksize=8
>   alignbytes=4, prototype=define
>  Linker and Libraries:
>   ld='cc', ldflags =' -Wl,-E  -L/usr/local/lib'
>   libpth=/usr/lib /usr/local/lib
>   libs=-lgdbm -lm -lcrypt -lutil
>   perllibs=-lm -lcrypt -lutil
>   libc=, so=so, useshrplib=true, libperl=libperl.so
>   gnulibc_version=''
>  Dynamic Linking:
>   dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='
> -Wl,-R/usr/local/lib/perl5/5.8.9/mach/CORE'
>   cccdlflags='-DPIC -fPIC', lddlflags='-shared  -L/usr/local/lib'
>
>
> Characteristics of this binary (from libperl):
>  Compile-time options: MYMALLOC PERL_MALLOC_WRAP USE_64_BIT_INT
>                       USE_FAST_STDIO USE_LARGE_FILES USE_PERLIO
>  Locally applied patches:
>       defined-or
>  Built under freebsd
>  Compiled at Aug 18 2009 14:56:36
>  @INC:
>   /usr/local/lib/perl5/5.8.9/BSDPAN
>   /usr/local/lib/perl5/site_perl/5.8.9/mach
>   /usr/local/lib/perl5/site_perl/5.8.9
>   /usr/local/lib/perl5/5.8.9/mach
>   /usr/local/lib/perl5/5.8.9
>   .
> 
>
> Following code is used in sub authorize {} in perl module I'm trying to use
> 
>  if (($RAD_REQUEST{'User-Name'} eq 'admin') and
> ($RAD_REQUEST{'User-Password'} eq 'test')) {
>      $RAD_REPLY{'ERX-Service-Activate:1'} = "telesys";
>      $RAD_REPLY{'ERX-Service-Statistics:1'} = "time-volume";
>      $RAD_REPLY{'ERX-Qos-Parameters'}[0] = "internet_tr_value 2097152";
>      $RAD_REPLY{'ERX-Qos-Parameters'}[1] = "internet_tr_value_in 2097152";
>      $RAD_REPLY{'ERX-Service-Activate:2'} = "deny";
>      $RAD_REPLY{'ERX-Qos-Profile-Name'} = "SP_Tele_Internet";
>      $RAD_REPLY{'Framed-IP-Address'} = '10.0.112.2';
>      $RAD_REPLY{'Framed-IP-Netmask'}= "255.255.255.255";
>      $RAD_REPLY{'ERX-Primary-DNS'} = "1.2.3.4";
>      $RAD_REPLY{'ERX-Secondary-DNS'} = "1.2.3.

rlm_perl still loses tags for tagged attributes even after upgrade to 2.1.6

2009-08-20 Thread Alexandr Kovalenko
"
  ERX-Service-Activate:0 = "deny"
  ERX-Service-Activate:0 = "telesys"
  ERX-Qos-Profile-Name = "SP_Tele_Internet"
  ERX-Service-Statistics:1 = time-volume
  ERX-Primary-Dns = 1.2.3.4
  ERX-Secondary-Dns = 1.2.3.5
  Framed-IP-Address = 10.0.112.2
  Framed-IP-Netmask = 255.255.255.255



Output from radiusd -X:

rad_recv: Access-Request packet from host 10.3.1.252 port 52845,
id=70, length=57
  User-Name = "admin"
  User-Password = "test"
  NAS-IP-Address = 10.1.2.13
  NAS-Port = 12
server radoss {
+- entering group authorize {...}
++[preprocess] returns ok
++[control] returns ok
rlm_perl: $VAR1 = {};
rlm_perl: defined
rlm_perl: Added pair User-Name = admin
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair NAS-Port = 12
rlm_perl: Added pair NAS-IP-Address = 10.1.2.13
rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
rlm_perl: Added pair ERX-Service-Activate:2 = deny
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value_in 2097152
rlm_perl: Added pair ERX-Service-Statistics:1 = time-volume
rlm_perl: Added pair ERX-Secondary-DNS = 1.2.3.5
rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair ERX-Service-Activate:1 = telesys
rlm_perl: Added pair ERX-Primary-DNS = 1.2.3.4
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
Found Auth-Type = Perl
+- entering group Perl {...}
rlm_perl: Added pair User-Name = admin
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair NAS-IP-Address = 10.1.2.13
rlm_perl: Added pair NAS-Port = 12
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value_in 2097152
rlm_perl: Added pair ERX-Service-Activate = deny
rlm_perl: Added pair ERX-Service-Activate = telesys
rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
rlm_perl: Added pair ERX-Service-Statistics:1 = time-volume
rlm_perl: Added pair ERX-Primary-Dns = 1.2.3.4
rlm_perl: Added pair ERX-Secondary-Dns = 1.2.3.5
rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
+- entering group post-auth {...}
++[exec] returns noop
} # server radoss
Sending Access-Accept of id 70 to 10.3.1.252 port 52845
  ERX-Qos-Parameters += "internet_tr_value 2097152"
  ERX-Qos-Parameters += "internet_tr_value_in 2097152"
  ERX-Service-Activate:0 += "deny"
  ERX-Service-Activate:0 += "telesys"
  ERX-Qos-Profile-Name = "SP_Tele_Internet"
  ERX-Service-Statistics:1 = time-volume
  ERX-Primary-Dns = 1.2.3.4
  ERX-Secondary-Dns = 1.2.3.5
  Framed-IP-Address = 10.0.112.2
  Framed-IP-Netmask = 255.255.255.255
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 70 with timestamp +4
Ready to process requests.

-- 
Alexandr Kovalenko
http://uafug.org.ua/
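
A check for the tag loss visible in the debug output above, as an added example (not code from the thread or from FreeRADIUS): it compares the tags rlm_perl logged in the authorize group with the tags in the Access-Accept that was sent. It assumes the 2.1.x `radiusd -X` line format shown in the message; the function name is hypothetical and the sample is a shortened excerpt of that output.

```python
import re

# Shortened excerpt of the radiusd -X output posted in the message above.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.3.1.252 port 52845,
id=70, length=57
  User-Name = "admin"
  User-Password = "test"
server radoss {
+- entering group authorize {...}
++[preprocess] returns ok
rlm_perl: Added pair User-Name = admin
rlm_perl: Added pair ERX-Service-Activate:2 = deny
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair ERX-Service-Statistics:1 = time-volume
rlm_perl: Added pair ERX-Service-Activate:1 = telesys
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
Found Auth-Type = Perl
+- entering group Perl {...}
rlm_perl: Added pair ERX-Service-Activate = deny
rlm_perl: Added pair ERX-Service-Activate = telesys
rlm_perl: Added pair ERX-Service-Statistics:1 = time-volume
++[perl] returns ok
} # server radoss
Sending Access-Accept of id 70 to 10.3.1.252 port 52845
  ERX-Qos-Parameters += "internet_tr_value 2097152"
  ERX-Service-Activate:0 += "deny"
  ERX-Service-Activate:0 += "telesys"
  ERX-Service-Statistics:1 = time-volume
Finished request 0.
"""

ADDED = re.compile(r"^rlm_perl: Added pair ([\w-]+)(?::(\d+))? = (.*)$")
SENT = re.compile(r"^\s+([\w-]+)(?::(\d+))? \+?= (.*)$")
GROUP = re.compile(r"^\+- entering group (\S+)")


def _key(name, value):
    # Attribute names differ in case between log sections (DNS vs Dns) and
    # string values are quoted only in the packet dump.
    return name.lower(), value.strip().strip('"')


def find_tag_loss(log_text):
    """Return [(attribute, value, tag_set_in_authorize, tag_sent), ...]."""
    findings = []
    expected = {}      # (name, value) -> tag logged in the authorize group
    group = None
    in_reply = False
    for line in log_text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            expected, group, in_reply = {}, None, False  # new request
            continue
        m = GROUP.match(line)
        if m:
            group, in_reply = m.group(1), False
            continue
        if line.startswith("Sending Access-Accept"):
            in_reply = True
            continue
        if in_reply:
            m = SENT.match(line)
            if not m:              # first non-attribute line ends the dump
                in_reply = False
                continue
            name, tag, value = m.groups()
            want = expected.get(_key(name, value))
            sent_tag = int(tag) if tag is not None else None
            if want is not None and sent_tag != want:
                findings.append((name, _key(name, value)[1], want, sent_tag))
            continue
        m = ADDED.match(line)
        if m and group == "authorize" and m.group(2) is not None:
            expected[_key(m.group(1), m.group(3))] = int(m.group(2))
    return findings


if __name__ == "__main__":
    for name, value, want, sent in find_tag_loss(SAMPLE_LOG):
        print(f"{name} = {value}: tag {want} set in authorize, tag {sent} sent")
```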


Re: FreeRADIUS Server Version 2.1.6 has been released

2009-08-18 Thread Alexandr Kovalenko
 "test"
   NAS-IP-Address = 10.1.2.13
   NAS-Port = 12
rad_recv: Access-Accept packet from host 10.3.1.252 port 1812, id=70, length=188
   ERX-Qos-Parameters = "internet_tr_value 2097152"
   ERX-Qos-Parameters = "internet_tr_value_in 2097152"
   ERX-Service-Activate:0 = "deny"
   ERX-Service-Activate:0 = "telesys"
   ERX-Qos-Profile-Name = "SP_Tele_Internet"
   ERX-Service-Statistics:1 = time-volume
   ERX-Primary-Dns = 1.2.3.4
   ERX-Secondary-Dns = 1.2.3.5
   Framed-IP-Address = 10.0.112.2
   Framed-IP-Netmask = 255.255.255.255



Output from radiusd -X:

rad_recv: Access-Request packet from host 10.3.1.252 port 52845,
id=70, length=57
   User-Name = "admin"
   User-Password = "test"
   NAS-IP-Address = 10.1.2.13
   NAS-Port = 12
server radoss {
+- entering group authorize {...}
++[preprocess] returns ok
++[control] returns ok
rlm_perl: $VAR1 = {};
rlm_perl: defined
rlm_perl: Added pair User-Name = admin
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair NAS-Port = 12
rlm_perl: Added pair NAS-IP-Address = 10.1.2.13
rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
rlm_perl: Added pair ERX-Service-Activate:2 = deny
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value_in 2097152
rlm_perl: Added pair ERX-Service-Statistics:1 = time-volume
rlm_perl: Added pair ERX-Secondary-DNS = 1.2.3.5
rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair ERX-Service-Activate:1 = telesys
rlm_perl: Added pair ERX-Primary-DNS = 1.2.3.4
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
Found Auth-Type = Perl
+- entering group Perl {...}
rlm_perl: Added pair User-Name = admin
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair NAS-IP-Address = 10.1.2.13
rlm_perl: Added pair NAS-Port = 12
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value_in 2097152
rlm_perl: Added pair ERX-Service-Activate = deny
rlm_perl: Added pair ERX-Service-Activate = telesys
rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
rlm_perl: Added pair ERX-Service-Statistics:1 = time-volume
rlm_perl: Added pair ERX-Primary-Dns = 1.2.3.4
rlm_perl: Added pair ERX-Secondary-Dns = 1.2.3.5
rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
+- entering group post-auth {...}
++[exec] returns noop
} # server radoss
Sending Access-Accept of id 70 to 10.3.1.252 port 52845
   ERX-Qos-Parameters += "internet_tr_value 2097152"
   ERX-Qos-Parameters += "internet_tr_value_in 2097152"
   ERX-Service-Activate:0 += "deny"
   ERX-Service-Activate:0 += "telesys"
   ERX-Qos-Profile-Name = "SP_Tele_Internet"
   ERX-Service-Statistics:1 = time-volume
   ERX-Primary-Dns = 1.2.3.4
   ERX-Secondary-Dns = 1.2.3.5
   Framed-IP-Address = 10.0.112.2
   Framed-IP-Netmask = 255.255.255.255
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 70 with timestamp +4
Ready to process requests.

-- 
Alexandr Kovalenko
http://uafug.org.ua/



Re: Tagged attributes problem and rlm_perl in FreeRADIUS 2.1.4

2009-04-16 Thread Alexandr Kovalenko
On Thu, Apr 16, 2009 at 1:34 PM, Alan DeKok  wrote:
> Alexandr Kovalenko wrote:
>> I've already asked about the very same problem with tagged attributes
>> and rlm_perl in FreeRADIUS 1.1.7, and Ivan Kalik  told
>> me that he tested it on 2.1.4, so I've upgraded to new version:
>
>  It doesn't support tagged attributes, either.  The source code for the
> module will need to be updated to support tagged attributes.

Thanks for reply.

Then I have few questions:
1. How could this be that it worked in 1.1.7 (but only 1st auth
attempt, all further didn't, until restart)?
2. Is there any work-in-progress project on adding support for tagged
attributes in rlm_perl?
3. Is there any workaround to make it work?
4. Which of these modules: rlm_python, rlm_exec, rlm_ support tagged attributes?

Thanks in advance.

-- 
Alexandr Kovalenko
http://uafug.org.ua/



Re: Tagged attributes problem and rlm_perl in FreeRADIUS 2.1.4

2009-04-16 Thread Alexandr Kovalenko
Another one log file with $RAD_REPLY{'ERX-Service-Activate:2'} =
"deny"; uncommented attached (crash was not related to freeradius
initially).

On Thu, Apr 16, 2009 at 12:31 PM, Alexandr Kovalenko
 wrote:
> Hello!
>
> I've already asked about the very same problem with tagged attributes
> and rlm_perl in FreeRADIUS 1.1.7, and Ivan Kalik  told
> me that he tested it on 2.1.4, so I've upgraded to new version:
>
> FreeRADIUS Version 2.1.4, for host i386-portbld-freebsd7.1, built on
> Apr 16 2009 at 10:42:09
>
> But the problem persists. But now it became even worse, it does not
> authorize even for the first time.
>
> Log file attached. If I uncomment $RAD_REPLY{'ERX-Service-Activate:2'}
> = "deny" line in code radiusd just dies. When it is commented radiusd
> returns attributes ERX-Service-Activate and ERX-Service-Statistics
> without tag.
>
> Thanks in advance for help.
>
> Code snippet of my rlm_perl authorize( ) function:
>
>    if (($RAD_REQUEST{'User-Name'} eq 'admin') and
> ($RAD_REQUEST{'User-Password'} eq 'test')) {
>        %RAD_REPLY = undef;
>        $RAD_REPLY{'ERX-Service-Activate:1'} = "telesys";
>        $RAD_REPLY{'ERX-Service-Statistics:1'}[0] = "time-volume";
>        $RAD_REPLY{'ERX-Qos-Parameters'}[0] = "internet_tr_value 2097152";
>        $RAD_REPLY{'ERX-Qos-Parameters'}[1] = "internet_tr_value_in 2097152";
> #        $RAD_REPLY{'ERX-Service-Activate:2'} = "deny";
>        $RAD_REPLY{'ERX-Qos-Profile-Name'} = "SP_Tele_Internet";
>        $RAD_REPLY{'Framed-IP-Address'} = '10.0.112.2';
>        $RAD_REPLY{'Framed-IP-Netmask'}= "255.255.255.255";
>        $RAD_REPLY{'ERX-Primary-DNS'} = "77.91.190.21";
>        $RAD_REPLY{'ERX-Secondary-DNS'} = "77.91.190.24";
>        return RLM_MODULE_OK;
>    } else {
>        return RLM_MODULE_REJECT;
>    };
>
> --
> Alexandr Kovalenko
> http://uafug.org.ua/
>



-- 
Alexandr Kovalenko
http://uafug.org.ua/


radiusd2.log
Description: Binary data

Tagged attributes problem and rlm_perl in FreeRADIUS 2.1.4

2009-04-16 Thread Alexandr Kovalenko
Hello!

I've already asked about the very same problem with tagged attributes
and rlm_perl in FreeRADIUS 1.1.7, and Ivan Kalik  told
me that he tested it on 2.1.4, so I've upgraded to new version:

FreeRADIUS Version 2.1.4, for host i386-portbld-freebsd7.1, built on
Apr 16 2009 at 10:42:09

But the problem persists. But now it became even worse, it does not
authorize even for the first time.

Log file attached. If I uncomment $RAD_REPLY{'ERX-Service-Activate:2'}
= "deny" line in code radiusd just dies. When it is commented radiusd
returns attributes ERX-Service-Activate and ERX-Service-Statistics
without tag.

Thanks in advance for help.

Code snippet of my rlm_perl authorize( ) function:

    if (($RAD_REQUEST{'User-Name'} eq 'admin') and
        ($RAD_REQUEST{'User-Password'} eq 'test')) {
        %RAD_REPLY = undef;
        $RAD_REPLY{'ERX-Service-Activate:1'} = "telesys";
        $RAD_REPLY{'ERX-Service-Statistics:1'}[0] = "time-volume";
        $RAD_REPLY{'ERX-Qos-Parameters'}[0] = "internet_tr_value 2097152";
        $RAD_REPLY{'ERX-Qos-Parameters'}[1] = "internet_tr_value_in 2097152";
        #$RAD_REPLY{'ERX-Service-Activate:2'} = "deny";
        $RAD_REPLY{'ERX-Qos-Profile-Name'} = "SP_Tele_Internet";
        $RAD_REPLY{'Framed-IP-Address'} = '10.0.112.2';
        $RAD_REPLY{'Framed-IP-Netmask'}= "255.255.255.255";
        $RAD_REPLY{'ERX-Primary-DNS'} = "77.91.190.21";
        $RAD_REPLY{'ERX-Secondary-DNS'} = "77.91.190.24";
        return RLM_MODULE_OK;
    } else {
        return RLM_MODULE_REJECT;
    };

-- 
Alexandr Kovalenko
http://uafug.org.ua/


radiusd.log
Description: Binary data

[fixed version] rlm_perl and tagged attributes problem

2009-03-31 Thread Alexandr Kovalenko
p authorize (returns ok) for request 0
 rad_check_password:  Found Auth-Type Perl
auth: type "Perl"
 Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 0
Using perl at 0x592370
rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
 modcall[authenticate]: module "perl" returns ok for request 0
modcall: leaving group Perl (returns ok) for request 0
Sending Access-Accept of id 42 to 127.0.0.1 port 64032
       ERX-Qos-Parameters = "internet_tr_value 2097152"
       ERX-Service-Activate:1 = "telesys(1048576)"
       ERX-Qos-Profile-Name = "SP_Tele_Internet"
       ERX-Service-Statistics:1 = time-volume
       Framed-IP-Address = 10.0.112.2
       Framed-IP-Netmask = 255.255.255.255
Finished request 0


Here is log of next try:



rad_recv: Access-Request packet from host 127.0.0.1:49908, id=99, length=57
       User-Name = "admin"
       User-Password = "test"
       NAS-IP-Address = 255.255.255.255
       NAS-Port = 2
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module "preprocess" returns ok for request 1
 modcall[authorize]: module "chap" returns noop for request 1
 modcall[authorize]: module "mschap" returns noop for request 1
   rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 1
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 1
   users: Matched entry DEFAULT at line 171
 modcall[authorize]: module "files" returns ok for request 1
Using perl at 0x592370
rlm_perl: $VAR1 = {};
rlm_perl: defined
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair ERX-Service-Activate = telesys(1048576)
rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
rlm_perl: Added pair ERX-Service-Statistics = time-volume
rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
 modcall[authorize]: module "perl" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
 modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
 rad_check_password:  Found Auth-Type Perl
auth: type "Perl"
 Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 1
Using perl at 0x592370
rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
 modcall[authenticate]: module "perl" returns ok for request 1
modcall: leaving group Perl (returns ok) for request 1
Sending Access-Accept of id 68 to 127.0.0.1 port 49908
       ERX-Qos-Parameters = "internet_tr_value 2097152"
       ERX-Service-Activate:0 = "telesys(1048576)"
       ERX-Qos-Profile-Name = "SP_Tele_Internet"
       ERX-Service-Statistics:0 = time-volume
       Framed-IP-Address = 10.0.112.2
       Framed-IP-Netmask = 255.255.255.255
Finished request 1

--
Alexandr Kovalenko
http://uafug.org.ua/



-- 
Alexandr Kovalenko
http://uafug.org.ua/



Re: rlm_perl and tagged attributes problem

2009-03-30 Thread Alexandr Kovalenko
On Mon, Mar 30, 2009 at 12:53 PM, Alexandr Kovalenko
 wrote:
> On Mon, Mar 30, 2009 at 12:08 PM,   wrote:
>>>Using perl at 0x592370
>>>rlm_perl: $VAR1 = {};
>>>rlm_perl: defined
>>>rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
>>>rlm_perl: Added pair ERX-Service-Activate = telesys (1048576)
>>>rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
>>>rlm_perl: Added pair ERX-Service-Statistics = time-volume
>>>rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
>>>rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
>>>rlm_perl: Added pair Auth-Type = Perl
>>>  modcall[authorize]: module "perl" returns ok for request 0
>> ..
>>>Using perl at 0x592370
>>>rlm_perl: $VAR1 = {};
>>>rlm_perl: defined
>>>rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
>>>rlm_perl: Added pair ERX-Service-Activate = telesys (1048576)
>>>rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
>>>rlm_perl: Added pair ERX-Service-Statistics = time-volume
>>>rlm_perl: ERROR: Failed to create pair Primary-DNS = 77.91.190.21
>>>rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
>>>rlm_perl: ERROR: Failed to create pair Secondary-DNS = 77.91.190.24
>>>rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
>>>rlm_perl: Added pair Auth-Type = Perl
>>>  modcall[authorize]: module "perl" returns ok for request 1
>>
>> That is not the same script.
>
> I've just manually removed ERROR lines in previous dump :)
> It is not the case :)

So, any ideas on why it is happening and how it could be fixed?

P.S. Sorry to repeat :(

-- 
Alexandr Kovalenko
http://uafug.org.ua/



Re: rlm_perl and tagged attributes problem

2009-03-30 Thread Alexandr Kovalenko
On Mon, Mar 30, 2009 at 12:08 PM,   wrote:
>>Using perl at 0x592370
>>rlm_perl: $VAR1 = {};
>>rlm_perl: defined
>>rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
>>rlm_perl: Added pair ERX-Service-Activate = telesys (1048576)
>>rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
>>rlm_perl: Added pair ERX-Service-Statistics = time-volume
>>rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
>>rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
>>rlm_perl: Added pair Auth-Type = Perl
>>  modcall[authorize]: module "perl" returns ok for request 0
> ..
>>Using perl at 0x592370
>>rlm_perl: $VAR1 = {};
>>rlm_perl: defined
>>rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
>>rlm_perl: Added pair ERX-Service-Activate = telesys (1048576)
>>rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
>>rlm_perl: Added pair ERX-Service-Statistics = time-volume
>>rlm_perl: ERROR: Failed to create pair Primary-DNS = 77.91.190.21
>>rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
>>rlm_perl: ERROR: Failed to create pair Secondary-DNS = 77.91.190.24
>>rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
>>rlm_perl: Added pair Auth-Type = Perl
>>  modcall[authorize]: module "perl" returns ok for request 1
>
> That is not the same script.

I've just manually removed ERROR lines in previous dump :)
It is not the case :)

-- 
Alexandr Kovalenko
http://uafug.org.ua/



rlm_perl and tagged attributes problem

2009-03-30 Thread Alexandr Kovalenko
k_password:  Found Auth-Type Perl
auth: type "Perl"
  Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 0
Using perl at 0x592370
rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
  modcall[authenticate]: module "perl" returns ok for request 0
modcall: leaving group Perl (returns ok) for request 0
Sending Access-Accept of id 42 to 127.0.0.1 port 64032
ERX-Qos-Parameters = "internet_tr_value 2097152"
ERX-Service-Activate:1 = "telesys (1048576)"
ERX-Qos-Profile-Name = "SP_Tele_Internet"
ERX-Service-Statistics:1 = time-volume
Framed-IP-Address = 10.0.112.2
Framed-IP-Netmask = 255.255.255.255
Finished request 0


Here is the log of the next try:



rad_recv: Access-Request packet from host 127.0.0.1:49908, id=68, length=57
User-Name = "admin"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 171
  modcall[authorize]: module "files" returns ok for request 1
Using perl at 0x592370
rlm_perl: $VAR1 = {};
rlm_perl: defined
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair ERX-Service-Activate = telesys (1048576)
rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
rlm_perl: Added pair ERX-Service-Statistics = time-volume
rlm_perl: ERROR: Failed to create pair Primary-DNS = 77.91.190.21
rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
rlm_perl: ERROR: Failed to create pair Secondary-DNS = 77.91.190.24
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
  modcall[authorize]: module "perl" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type Perl
auth: type "Perl"
  Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 1
Using perl at 0x592370
rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
  modcall[authenticate]: module "perl" returns ok for request 1
modcall: leaving group Perl (returns ok) for request 1
Sending Access-Accept of id 68 to 127.0.0.1 port 49908
ERX-Qos-Parameters = "internet_tr_value 2097152"
ERX-Service-Activate:0 = "telesys (1048576)"
ERX-Qos-Profile-Name = "SP_Tele_Internet"
ERX-Service-Statistics:0 = time-volume
Framed-IP-Address = 10.0.112.2
Framed-IP-Netmask = 255.255.255.255
Finished request 1



-- 
Alexandr Kovalenko
http://uafug.org.ua/
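An added example, not part of the original posts: a small parser for FreeRADIUS debug output in the format pasted in this thread. It groups lines by request and reports pairs that rlm_perl failed to create as well as tag changes between two Access-Accept replies. The sample log is constructed (abridged from the lines above) and the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the debug output format shown in this thread.
SAMPLE_LOG = """\
  modcall[authorize]: module "perl" returns ok for request 0
Sending Access-Accept of id 42 to 127.0.0.1 port 64032
ERX-Service-Activate:1 = "telesys (1048576)"
Framed-IP-Address = 10.0.112.2
Finished request 0
rlm_perl: ERROR: Failed to create pair Primary-DNS = 77.91.190.21
  modcall[authorize]: module "perl" returns ok for request 1
Sending Access-Accept of id 68 to 127.0.0.1 port 49908
ERX-Service-Activate:0 = "telesys (1048576)"
Framed-IP-Address = 10.0.112.2
Finished request 1
"""

FAILED = re.compile(r"rlm_perl: ERROR: Failed to create pair (\S+) = .*")
REPLY = re.compile(r"([A-Za-z][\w-]*)(?::(\d+))? = .*")
FINISHED = re.compile(r"Finished request (\d+)")

def parse_requests(log):
    """Map request id -> {"failed": [names], "reply": {name: tag or None}}."""
    requests, failed, reply, in_reply = {}, [], {}, False
    for raw in log.splitlines():
        line = raw.strip()
        if m := FINISHED.fullmatch(line):
            requests[int(m.group(1))] = {"failed": failed, "reply": reply}
            failed, reply, in_reply = [], {}, False
        elif line.startswith("Sending Access-"):
            in_reply = True
        elif m := FAILED.fullmatch(line):
            failed.append(m.group(1))
        elif in_reply and (m := REPLY.fullmatch(line)):
            reply[m.group(1)] = m.group(2)  # last value wins for repeated names
    return requests

def compare(requests, base, other):
    """Report tag or presence differences between two replies, plus dropped pairs."""
    a, b, findings = requests[base]["reply"], requests[other]["reply"], []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            findings.append(f"{name}: present in only one reply")
        elif a[name] != b[name]:
            findings.append(f"{name}: tag {a[name]} -> {b[name]}")
    for rid in (base, other):
        dropped = [n for n in requests[rid]["failed"] if n not in requests[rid]["reply"]]
        findings += [f"{n}: failed to create, absent from reply {rid}" for n in dropped]
    return findings
```

Running `compare(parse_requests(log), 0, 1)` over a full `radiusd -X` capture lists every attribute whose tag or presence differs between the two replies, which is easier to review than reading the dumps side by side.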