Re: EAP module return code for proxy case [Re: help with EAP proxy]
Just so I'm on the right page, I assume I should do the patch and submit it in the usual way? If so, I'll clarify my understanding of what needs to happen. In eap.c/eap_start, I can return EAP_OK instead of EAP_NOOP for the proxy case. I don't see any other cases where EAP_OK is returned now. Then in rlm_eap.c/eap_authorize, in the switch statement for the eap_start return code, I can add an EAP_OK case that will return RLM_MODULE_OK. I can also add a config note in doc/rlm_eap.

Dave

Alan DeKok wrote:
Dave Mason [EMAIL PROTECTED] wrote:
Along the way, I noticed that in the 1.0 server code, rlm_eap returns NOOP both for Access-Requests with an EAP-Message to be proxied and for Access-Requests with no EAP at all. It would be useful for me to write a configurable failover block in the authorize section of radiusd.conf that distinguishes between the two.
Ok...
Maybe it could return HANDLED in that case?
No. That return code means there's a RADIUS reply packet ready to be sent to the client. Maybe RLM_MODULE_NOOP for no EAP-Message, and RLM_MODULE_OK for an EAP-Message which will be proxied. This should also be documented in the man page for rlm_eap.
Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
help with EAP proxy
Hi, I'm using an old Freeradius server, v0.8.1, to proxy Access-Requests with EAP-Messages. The outbound proxy works fine, but the proxy response is getting mangled. The 1.0 server works fine, and I know the real solution is to pick it up, but with my current deadline I can't port the rest of my application to it yet, and hopefully I can pick up some new code to fix the bug.

I found some new code in eap_authorize that prevents adding Auth-Type = EAP if the request is to be proxied. I also see the change in radiusd.conf to move suffix before eap in the authorize section. However, when the proxy response comes, the server calls the authorize and authenticate sections as usual, when I don't believe it should. rad_authenticate calls rad_check_password and somehow this succeeds, causing Access-Accept to be sent to the client, instead of Access-Challenge. Any idea how to prevent this?

Here's a trace:

rad_recv: Access-Request packet from host 127.0.0.1:33225, id=160, length=103
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
    User-Name = [EMAIL PROTECTED]
    Message-Authenticator = 0x1b676d3dcd9e39bf4e9f75afdfecd30f
    EAP-Message = 0x020100210131323935303233383230303032313330407472616e7361742e636f6d
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm transat.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm transat.com
rlm_realm: Proxying request from user 1295023820002130 to realm transat.com
rlm_realm: Adding Realm = transat.com
rlm_realm: Preparing to proxy authentication request to realm transat.com
modcall[authorize]: module suffix returns updated
modcall[authorize]: module eap returns noop
users: Matched DEFAULT at 166
modcall[authorize]: module files returns ok
modcall: group authorize returns updated
Sending Access-Request of id 1 to 192.168.1.26:1812
    User-Name = [EMAIL PROTECTED]
    Message-Authenticator = 0x
    EAP-Message = 0x020100210131323935303233383230303032313330407472616e7361742e636f6d
    NAS-IP-Address = 127.0.0.1
    Proxy-State = 160
Thread 1 waiting to be assigned a request
rad_recv: Access-Challenge packet from host 192.168.1.26:1812, id=1, length=99
Thread 2 assigned request 0
rl_next: returning NULL
Waking up in 5 seconds...
Thread 2 handling request 0, (1 handled so far)
    EAP-Message = 0x01020010120a0f0200020001
    Message-Authenticator = 0x9495b4c9ad2b49368ee4713da30eb317
    State = 0x7a09c5908c3a238a892edc7e82f3b9f3fb400829d375a96cc6ef2a15ea2f26170783
    Proxy-State = 0x313630
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: Proxy reply, or no user name. Ignoring.
modcall[authorize]: module suffix returns noop
modcall: entering group group
modcall[authorize]: module eap returns noop
modcall: group group returns noop
users: Matched DEFAULT at 166
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 160 to 127.0.0.1:33225
    EAP-Message = 0x01020010120a0f0200020001
    Message-Authenticator = 0x
    State = 0x7a09c5908c3a238a892edc7e82f3b9f3fb400829d375a96cc6ef2a15ea2f26170783
Finished request 0
Going to the next request
Thread 2 waiting to be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 160 with timestamp 40fbf3e7
Nothing to do. Sleeping until we see a request.

As a reference, here's what the 1.0 server does:

rad_recv: Access-Request packet from host 127.0.0.1:33225, id=169, length=103
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
    User-Name = [EMAIL PROTECTED]
    Message-Authenticator = 0xf27d915025b8dacb43dbdbe7cfa21444
    EAP-Message = 0x020100210131323935303233383230303032313330407472616e7361742e636f6d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm transat.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm transat.com
rlm_realm: Proxying request from user 1295023820002130 to realm transat.com
rlm_realm: Adding Realm = transat.com
rlm_realm: Preparing to proxy authentication request to realm
EAP module return code for proxy case [Re: help with EAP proxy]
Hi, I found the answer in auth.c near the beginning of rad_authenticate. The trick is to return RLM_MODULE_HANDLED if the proxy reply is an Access-Challenge.

Along the way, I noticed that in the 1.0 server code, rlm_eap returns NOOP both for Access-Requests with an EAP-Message to be proxied and for Access-Requests with no EAP at all. It would be useful for me to write a configurable failover block in the authorize section of radiusd.conf that distinguishes between the two. That is, if there is no EAP-Message, I'd like to run the sql module to check for Username/Password. If there is an EAP proxy going on, I could skip sql if eap returns something different than NOOP. Maybe it could return HANDLED in that case? To accomplish that with the current code, eap_start would return EAP_FOUND, which is misleading. Maybe there's a better way.

Dave

Dave Mason wrote:
Hi, I'm using an old Freeradius server, v0.8.1, to proxy Access-Requests with EAP-Messages. The outbound proxy works fine, but the proxy response is getting mangled. The 1.0 server works fine, and I know the real solution is to pick it up, but with my current deadline I can't port the rest of my application to it yet, and hopefully I can pick up some new code to fix the bug. I found some new code in eap_authorize that prevents adding Auth-Type = EAP if the request is to be proxied. I also see the change in radiusd.conf to move suffix before eap in the authorize section. However, when the proxy response comes, the server calls the authorize and authenticate sections as usual, when I don't believe it should. rad_authenticate calls rad_check_password and somehow this succeeds, causing Access-Accept to be sent to the client, instead of Access-Challenge. Any idea how to prevent this? Here's a trace: deleted
Dave
how to save binary values in MySQL radreply table
Hi, My apologies if this has been answered before but I didn't see anything. This is basically a MySQL question. I need to save MS-MPPE attributes in the radreply table. Those have a binary value. According to the schema, Value is a varchar(253). Can I just copy the binary value to a string and send that to the MySQL API, or do I need to translate it to ASCII first?

Thanks, Dave
Re: how to save binary values in MySQL radreply table
True - I need to figure out how to reverse the process. That is, I need to send something like 0xed5e as my attribute value. For now I'll just use a VSA as the attribute because it's not encrypted. If I set the value in radreply to ed5e, the server returns 65643565 to the client, as you would expect. I need to get binary values into the table somehow. Maybe the API is smart enough to handle binary data even if the mysql command line client isn't? I tried prefixing each character with \0x but that didn't work.

Dave

Alan DeKok wrote:
Dave Mason [EMAIL PROTECTED] wrote:
My apologies if this has been answered before but I didn't see anything. This is basically a MySQL question. I need to save MS-MPPE attributes in the radreply table. Those have a binary value.
Which is why they're of type octets in the dictionary. When the server prints them out, it prints them as a series of hex characters, which is in turn a normal ASCII string.
Alan DeKok.
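An added example (mine, not code from the thread or from FreeRADIUS) showing the two string forms a radreply Value can take for an octets-typed attribute and what each becomes on the wire, so the ed5e vs. 65643565 difference above can be reproduced offline. It assumes that FreeRADIUS decodes an octets value beginning with "0x" as hex into raw bytes and stores any other value as its literal characters (check pairparsevalue() in valuepair.c for your release); the function names and the sample bytes are constructed for this example.

```c
/*
 * Added example (mine, not from the thread or from FreeRADIUS): the two
 * string forms an octets-typed attribute value such as an MS-MPPE key can
 * take in a radreply row, and what each turns into on the wire.
 *
 * Assumption, labelled as such: FreeRADIUS decodes an octets value that
 * starts with "0x" as hex into raw bytes and stores anything else as the
 * literal characters (see pairparsevalue() in valuepair.c for your release).
 * Function names and the sample bytes are constructed for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode raw bytes in the "0x..." form the server parses back into octets.
 * Caller frees the result. */
char *octets_to_hexstring(const unsigned char *buf, size_t len)
{
    static const char digits[] = "0123456789abcdef";
    char *out = malloc(2 + 2 * len + 1);
    size_t i;

    if (out == NULL) return NULL;
    out[0] = '0';
    out[1] = 'x';
    for (i = 0; i < len; i++) {
        out[2 + 2 * i]     = digits[buf[i] >> 4];
        out[2 + 2 * i + 1] = digits[buf[i] & 0x0f];
    }
    out[2 + 2 * len] = '\0';
    return out;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Turn a stored Value back into the bytes that go on the wire.
 * "0x"-prefixed: hex-decode, rejecting odd length or a non-hex digit.
 * Anything else: the literal characters, which is why storing "ed5e"
 * sends 0x65643565.  Returns the byte count, or -1 on error/overflow.
 */
int value_to_octets(const char *value, unsigned char *out, size_t outlen)
{
    size_t len = strlen(value);

    if (len >= 2 && value[0] == '0' && (value[1] == 'x' || value[1] == 'X')) {
        size_t n = (len - 2) / 2, i;

        if ((len - 2) % 2 != 0 || n > outlen) return -1;
        for (i = 0; i < n; i++) {
            int hi = hexval(value[2 + 2 * i]);
            int lo = hexval(value[3 + 2 * i]);

            if (hi < 0 || lo < 0) return -1;
            out[i] = (unsigned char)((hi << 4) | lo);
        }
        return (int)n;
    }
    if (len > outlen) return -1;
    memcpy(out, value, len);
    return (int)len;
}

/* Scratch buffer for decoded bytes, shared by main() and tests. */
unsigned char example_wire[256];

int main(void)
{
    const unsigned char key[] = { 0xed, 0x5e };   /* the bytes from the thread */
    char *hex = octets_to_hexstring(key, sizeof key);
    int n, i;

    n = value_to_octets(hex, example_wire, sizeof example_wire);
    printf("Value '%s' -> %d byte(s):", hex, n);
    for (i = 0; i < n; i++) printf(" %02x", example_wire[i]);
    printf("\n");

    n = value_to_octets("ed5e", example_wire, sizeof example_wire);
    printf("Value 'ed5e'   -> %d byte(s):", n);
    for (i = 0; i < n; i++) printf(" %02x", example_wire[i]);
    printf("\n");

    free(hex);
    return 0;
}
```

The practical consequence is that the column does not need to hold binary data at all: write the "0x..." string into the varchar(253) Value and let the server decode it. In that form 253 characters hold up to 125 bytes of key material, more than an MS-MPPE key needs. Whether the MySQL client library would accept raw bytes is beside the point, because the server reads the column back as text either way.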
how to change the proxy realm in the User-Name
Hi, I have an application where I need to programmatically change the realm I proxy Accounting-Request messages to if the incoming realm is some known value. I have a preacct function that looks for the particular realm in the User-Name, and if it's there, it adds a Realm attribute to request->packet->vps and a Proxy-To-Realm attribute to request->config_items. In radiusd.conf I put this before suffix, so rlm_realm doesn't do anything. This sets up the proxy to the new realm, but the User-Name in the proxy packet still has the original realm, and I need to switch it to the new one.

I tried writing a pre-proxy function that looks for User-Name in request->proxy->vps, deletes it, and adds a new one with my new realm substituted for the old one. That function appears to work, but radiusd crashes in rad_send (radius.c) in the following code block, on the line if ((VENDOR ...:

    for (reply = packet->vps; reply; reply = reply->next) {
        /*
         *      Ignore non-wire attributes
         */
        if ((VENDOR(reply->attribute) == 0) &&
            ((reply->attribute & 0x) > 0xff)) {
            continue;
        }

I suspect I mangled the request proxy packet somehow. Is there a better way to do this?

Dave
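As an added example (mine, not code from the post above or from FreeRADIUS), here is the string-level half of the pre-proxy step, rewriting "user@oldrealm" to "user@newrealm" in place in a fixed-size buffer with the length checked before anything is written. It assumes that MAX_STRING_LEN (254) is the size of a VALUE_PAIR's strvalue buffer in the releases discussed, so the rewritten User-Name must fit in 253 characters plus the terminator, and that the realm is whatever follows the last '@' (the suffix convention); rewrite_realm, example_rewrite and example_buf are this example's own names.

```c
/*
 * Added example (mine, not from the post above or from FreeRADIUS): the
 * string-level half of the pre-proxy rewrite, done in place in a fixed-size
 * buffer with the length checked before anything is written.
 *
 * Assumptions, labelled as such: MAX_STRING_LEN (254) is the size of a
 * VALUE_PAIR's strvalue buffer in the FreeRADIUS releases discussed, so a
 * rewritten User-Name must fit in 253 characters plus the terminator; the
 * realm is what follows the LAST '@' (the suffix convention); the function
 * and variable names are this example's own.
 */
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 254   /* assumption: matches libradius.h */

/*
 * Rewrite "user@from" to "user@to" in place.
 * Returns the new length, -1 if there is no realm or it is not `from`,
 * -2 if the result would not fit in bufsize.  On failure the buffer is
 * not modified, so the original User-Name can still be proxied as-is.
 */
int rewrite_realm(char *name, size_t bufsize, const char *from, const char *to)
{
    char *at = strrchr(name, '@');
    size_t userlen, tolen;

    if (at == NULL) return -1;
    if (strcmp(at + 1, from) != 0) return -1;

    userlen = (size_t)(at - name);
    tolen = strlen(to);
    if (userlen + 1 + tolen + 1 > bufsize) return -2;

    memcpy(at + 1, to, tolen + 1);      /* +1 copies the terminating NUL */
    return (int)(userlen + 1 + tolen);
}

/* Scratch buffer sized like a VALUE_PAIR strvalue, shared by main() and tests. */
char example_buf[MAX_STRING_LEN];

/* Copy `in` into example_buf and rewrite it there. */
int example_rewrite(const char *in, const char *from, const char *to)
{
    if (strlen(in) >= sizeof example_buf) return -2;
    strcpy(example_buf, in);
    return rewrite_realm(example_buf, sizeof example_buf, from, to);
}

int main(void)
{
    /* constructed inputs; the realm names are placeholders */
    const char *cases[] = { "1295023820002130@transat.com", "user@other.org", "norealm" };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = example_rewrite(cases[i], "transat.com", "example.net");
        printf("%-30s -> rc=%d buf=%s\n", cases[i], rc, example_buf);
    }
    return 0;
}
```

Inside the module, the least invasive way to use this is to run it on the existing User-Name pair's strvalue (and update the pair's length field) rather than deleting the pair and adding a new one, so nothing else in request->proxy->vps is disturbed. Whichever way it is done, rad_send walks that list as shown in the post, so every pair in it must remain a valid, properly linked VALUE_PAIR, and a rewrite that would exceed the buffer should be refused (the -2 case) rather than truncated or allowed to overrun.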
Re: HELP: Compile freeradius with C++ module and third party library
Hi, My first guess would be to ask if you're calling a C++ method directly from C. You can link a C++ library into Freeradius, but in order to call a C++ method you have to put it inside a C wrapper function. Your code would look something like this:

interface.h
-----------
#ifdef __cplusplus
extern "C" {
#endif

int interfaceWrapper(int arg);

#ifdef __cplusplus
}
#endif

interface.cpp
-------------
#include "interface.h"
#include "C++_library.h"

int interfaceWrapper(int arg)
{
    int rc;
    YourCppObject *obj = new YourCppObject;
    rc = obj->method(arg);
    delete obj;   /* or you may want to use a persistent object. Just keep a pointer to it that you can get to. */
    return rc;
}

Freeradius rlm_xxx.c
--------------------
#include "interface.h"

static int xxx_authenticate(void *instance, REQUEST *request)   /* for example; arg is whatever you take from the request */
{
    if (interfaceWrapper(arg) == 0)
        return RLM_MODULE_OK;
    else
        return RLM_MODULE_FAIL;
}

This gives you an interface.o and rlm_xxx.o which must both be linked into radiusd, along with your library. If you're already doing this, I'm not sure where the error would be coming from. You can use the nm command to check the symbols that are defined in your library and make sure the one you want is really there.

Dave

Htin Hlaing wrote:
Hi, Using the suggestions and the patch on the list, I put my C++ module in. That works fine. But from the new C++ module, I need to be able to use another third party C++ library. There, I am having a hard time. At this point, I configure using --with-static-modules=mymodule to catch the link error at compile time. In my Makefile, I put RLM_LIBS += -lstdc++ -L/home/hhlaing/project/head/libxmlrpc++ -lXmlRpc to link in the third party library. I get a link error saying the symbol is not found; the symbol is from the third party library.
Here is the exact error message:

gcc .libs/radiusdS.o -g -O2 -pthread -D_THREAD_SAFE -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../include -DHOSTINFO=\\ -DRADIUSD_VERSION=\1.0.0-pre0\ -o .libs/radiusd radiusd.o files.o util.o acct.o nas.o log.o valuepair.o version.o proxy.o exec.o auth.o timestr.o conffile.o modules.o modcall.o session.o xlat.o threads.o smux.o radius_snmp.o client.o request_list.o mainconfig.o -Wl,--export-dynamic ../modules/rlm_xmlrpc/.libs/rlm_xmlrpc.a -lstdc++ -L/home/hhlaing/project/head/libxmlrpc++ -lXmlRpc -L/data/home/hhlaing/FreeRadius/radiusd-May-9/src/lib -lcrypt -lcipher /data/home/hhlaing/FreeRadius/radiusd-May-9/src/lib/.libs/libradius.so /data/home/hhlaing/FreeRadius/radiusd-May-9/libltdl/.libs/libltdl.so -lcrypto -lssl -lcrypt -lcipher -Wl,--rpath -Wl,/home/hhlaing/Install/FreeRadius-May-9/lib
/usr/lib/libc.so.4: warning: this program uses gets(), which is unsafe.
/usr/lib/libc.so.4: warning: mktemp() possibly used unsafely; consider using mkstemp()
/usr/lib/libc.so.4: warning: tmpnam() possibly used unsafely; consider using mkstemp()
/usr/lib/libc.so.4: warning: this program uses f_prealloc(), which is not recommended.
/usr/lib/libc.so.4: warning: tempnam() possibly used unsafely; consider using mkstemp()
../modules/rlm_xmlrpc/.libs/rlm_xmlrpc.a(rlm_xmlrpc.o): In function `xmlrpcInstantiate(conf_part *, void **)':
/data/home/hhlaing/FreeRadius/radiusd-May-9/src/modules/rlm_xmlrpc/rlm_xmlrpc.cpp:122: undefined reference to `XmlRpc::XmlRpcClient::XmlRpcClient(char const *, int, char const *)'
gmake[3]: *** [radiusd] Error 1
gmake[3]: Leaving directory `/data/home/hhlaing/FreeRadius/radiusd-May-9/src/main'

Thanks, Htin
Re: Mysql and Freeradius
Hi, I've seen your posts and you have my sympathy. The best I can say is that everything magically works if it's set up right. I think you've already seen the web site with the config notes? My suggestions would be to rebuild with a fresh dump from the tar file, in case you made some changes that aren't working. Alan mentioned that you might not have the MySQL development package installed, which sounds like a good guess to me. On my system that's mysql-devel-3.23.58-1, but the version number should match what's on your machine. When you run configure, make sure you get some lines that look like this:

checking for mysql/mysql.h... yes
checking for mysql_init in -lmysqlclient... yes

If you're missing the devel package these probably say no. There is also a faq about link problems. I don't think that applies to your case, but it's a common problem so you might check it out.

Dave
Re: Compile freeradius in C++
Hi, I had a similar problem but took a slightly different approach. I had a C++ library that I needed to use from inside an rlm_eap subtype module. Instead of bringing C++ into rlm_eap, I wrote a C wrapper around the C++ API, and call the C function from within freeradius. The wrapper function needs to be C++ so it can invoke methods on C++ objects, and the wrapper header has to have the #ifdef __cplusplus so both freeradius and the wrapper body can use it. In the Makefile, you need to add your C++ library and -lstdc++ to RLM_LIBS.

One problem I ran into here is that I have to dynamically link freeradius while my C++ library is statically linked. When I link my rlm, the linker gives a warning but it seems to work. Ideally freeradius will get a fix for the problem that prevents static link for modules that have submodules. :)

Dave

Aurélien Magniez wrote:
Hi, I also wrote a C++ module under FreeRadius. Look at this page: http://lists.cistron.nl/archives/freeradius-devel/2004/04/msg1.html

Aurélien Magniez [EMAIL PROTECTED] wrote:
At 11:41 19/04/2004, you wrote:
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Does anyone know how I could compile freeradius in C++ using g++ instead of gcc?
Why? There's no C++ code in FreeRADIUS, so there's no point in using a C++ compiler.
I am writing a module that needs to use C++ files that I wish I did not need to rewrite... I am not very familiar with the underlying configure mechanism, all I know is to type 'configure' and then 'make' ...
Then you're definitely not going to want to use a C++ compiler.
Alan DeKok.
Re: Accounting-Response sent on failure
Hi Alan, Your last response appears to contradict another answer you gave me last September. Here's that one, with more explanation of what's going on.

Alan DeKok wrote:
Dave Mason wrote:
I have a Freeradius server (v0.8.1) where I may configure multiple accounting methods in radiusd.conf. These could be any of the ones supplied with Freeradius, like detail, radutmp, etc, or a new one that I wrote. My new one may succeed or fail in writing the accounting record. Currently, I return RLM_MODULE_FAIL if it fails and RLM_MODULE_OK if it succeeds. The problem is, if I run another method like detail first and it succeeds, then I run mine and it fails, the accounting group returns failure and no Accounting-Response is sent. Is that the correct behavior?
That depends on what you mean by correct. It's the way it currently works...
Since then, I've come to understand that this behavior was not correct. I think RFC 2866 says that if any one method succeeds, you have to send Accounting-Response. If not, should my accounting method return RLM_MODULE_NOOP or some other code in the failure case? I looked at rlm_detail.c and it returns RLM_MODULE_FAIL in its failure cases. I thought we should send Accounting-Response if any succeed, so the remaining Accounting-Requests will be sent.
I think that's a good idea. The accounting modules can generally return NOOP, which is better in some cases. However, the SQL modules should return *something* useful when the database is down. This will allow configurable fail-over for SQL back-ends.
Alan DeKok.

With that, I changed my accounting module to return RLM_NOOP if it fails, so that other methods like detail can still trigger Accounting-Response. However, I now see that Accounting-Response always happens, even if no other method is configured except for acct_unique. This is probably because acct_unique always returns ok.

Alan DeKok wrote:
Dave Mason wrote:
My module returns RLM_OK if it works and RLM_NOOP if not.
Why? That's what RLM_MODULE_FAIL is for. RFC 2866 says that if an accounting record cannot be stored, no response should be sent.
I find that if I have only two accounting modules turned on, acct_unique and my module, and my module returns noop because of a failure, Freeradius still sends an Accounting-Response.
So make your module return FAIL.
It appears that acct_unique always returns OK. Maybe that's the problem?
No.
Should acct_unique return noop?
Only if it does nothing.
FYI, my module needs to return noop on a failure, rather than RLM_FAILURE, so that other modules like detail still run even if mine fails.
Then why are you wondering why FreeRADIUS responds with an Accounting-Response? You told it everything was OK. If you want detail to run even if your module fails, list detail before your module in the accounting section.
Alan DeKok.

Looks like I misspoke in that last FYI. I do have detail before my module in radiusd.conf. As I mentioned, it runs fine even if mine does not, but if mine returns failure, then no response is sent, which violates the RFC. After all that, I guess my question is how to prevent the failure of one method from stopping Accounting-Response if others succeed, while at the same time, allowing the failure of a method to prevent Accounting-Response if no others succeed.

Dave