Re: Stale sessions problem
Kinda depends on what he is connected to. If you get a START record and a STOP record after the authentication from the device they are connected to, you can check there. If you use SQL for accounting, there will be a record created with a unique session id for the customer, and it will have a start time, but the stop time will be blank. This is only valid if the device they are connecting to supplies stop and start records when they log on and off or time out.

Gerry

At 02:40 AM 2/25/2006, you wrote:

Alan DeKok wrote:
> Georgi Alexandrov <[EMAIL PROTECTED]> wrote:
>
>>If a user that somehow failed network connectivity and failed to tell
>>the server "account stop" tries to reconnect back it won't let him
>>because his previous session is stalled. I need a mechanism that will do
>>a check upon connection if the session is stalled, delete it and let the
>>user in or if there is already a real user logged in deny the connecting
>>one.
>>I read from the mailing lists that radzap should do the job but I can't
>>seem to figure out how to integrate it in that setup (the man page
>>explains only the syntax).
>
> radzap calls radwho to query radutmp and generates an accounting
> stop message.
>
> You can query your SQL database and generate accounting stop
> messages, too.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Ehlo Alan, how could one know from the database (radacct I suppose) if a user session is stalled or he's actually online?

--
regards,
Georgi Alexandrov

Key Server = http://pgp.mit.edu/ :: KeyID = 37B4B3EE
Key Fingerprint = E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE
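The check Gerry describes (a radacct row with a start time but no stop time) tells you a session is open, not whether it is still alive. The script below is an added example, not code from the thread or from FreeRADIUS: it builds a small radacct table in SQLite with constructed rows, lists open sessions the way Gerry suggests, and then separates live from stale ones using the one signal the 1.x schema does carry, namely AcctSessionTime refreshed by Interim-Update records, so that "last seen" is AcctStartTime + AcctSessionTime. It assumes the NAS sends Start/Stop and interim records (Gerry's caveat), that INTERIM_INTERVAL matches the NAS's Acct-Interim-Interval, and uses STALE_CAUSE as its own marker for rows it closes.

```python
"""Stale-session check against a FreeRADIUS 1.x-style radacct table.

Added example, not from the list post or from FreeRADIUS. Everything
below (table, rows, thresholds) is constructed for the demonstration.
"""
import sqlite3
from datetime import datetime, timedelta

# Subset of the 1.x radacct schema; column names follow the stock schema.
SCHEMA = """
CREATE TABLE radacct (
    RadAcctId          INTEGER PRIMARY KEY,
    AcctSessionId      TEXT NOT NULL,
    UserName           TEXT NOT NULL,
    NASIPAddress       TEXT NOT NULL,
    AcctStartTime      TEXT,
    AcctStopTime       TEXT,
    AcctSessionTime    INTEGER,
    AcctTerminateCause TEXT
);
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
NOW = datetime(2006, 2, 25, 12, 0, 0)        # fixed "now" so the run is reproducible
INTERIM_INTERVAL = timedelta(seconds=600)    # assumed Acct-Interim-Interval on the NAS
MISSED_UPDATES = 2                           # tolerate this many missed interims
STALE_CAUSE = "Stale-Cleanup"                # our own marker, not a standard cause

# Constructed rows:
# (AcctSessionId, UserName, NASIPAddress, AcctStartTime, AcctStopTime, AcctSessionTime)
SAMPLE_ROWS = [
    ("0000A1", "georgi", "10.0.0.1", "2006-02-24 08:00:00", "2006-02-24 10:00:00", 7200),  # closed by a Stop
    ("0000B2", "georgi", "10.0.0.1", "2006-02-25 06:00:00", None, 3600),   # open, last interim 07:00 -> stale
    ("0000C3", "georgi", "10.0.0.2", "2006-02-25 11:40:00", None, 1200),   # open, last interim 12:00 -> live
    ("0000D4", "alex",   "10.0.0.1", "2006-02-25 05:00:00", None, 0),      # open, never updated -> stale
    ("0000E5", "petya",  "10.0.0.2", "2006-02-25 09:00:00", "2006-02-25 09:30:00", 1800),  # closed
]


def open_db():
    """In-memory radacct seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, "
        "AcctStartTime, AcctStopTime, AcctSessionTime) VALUES (?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def open_sessions(conn, username):
    """Gerry's check: a Start record exists but no Stop record has closed it."""
    cur = conn.execute(
        "SELECT RadAcctId, AcctSessionId, NASIPAddress, AcctStartTime, AcctSessionTime "
        "FROM radacct WHERE UserName = ? AND AcctStopTime IS NULL ORDER BY AcctStartTime",
        (username,),
    )
    return cur.fetchall()


def last_seen(row):
    """Last time the NAS reported this session: start + session time at the last update."""
    start = datetime.strptime(row[3], TS_FMT)
    return start + timedelta(seconds=row[4] or 0)


def is_stale(row, now=NOW):
    """Stale once more than MISSED_UPDATES interim intervals have passed with no update."""
    return now - last_seen(row) > MISSED_UPDATES * INTERIM_INTERVAL


def close_session(conn, radacctid, now=NOW):
    """Write the Stop we never received; the AcctStopTime IS NULL guard keeps it idempotent."""
    conn.execute(
        "UPDATE radacct SET AcctStopTime = ?, AcctTerminateCause = ? "
        "WHERE RadAcctId = ? AND AcctStopTime IS NULL",
        (now.strftime(TS_FMT), STALE_CAUSE, radacctid),
    )


def admit(conn, username, max_sessions=1, now=NOW):
    """Decide whether a new login for username may proceed.

    Stale open sessions are closed; live ones count against max_sessions.
    Returns (allowed, live_session_ids, closed_session_ids).
    """
    live, closed = [], []
    for row in open_sessions(conn, username):
        if is_stale(row, now):
            close_session(conn, row[0], now)
            closed.append(row[1])
        else:
            live.append(row[1])
    conn.commit()
    return len(live) < max_sessions, live, closed


if __name__ == "__main__":
    db = open_db()
    for user in ("georgi", "alex", "petya"):
        print(user, admit(db, user))
```

The UPDATE is the SQL-only shortcut Gerry's answer implies. Alan's approach of generating a real Accounting Stop (what radzap does against radutmp) is the safer one on a production box, because it also closes the session in radutmp and any other accounting consumer instead of only in the one table.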
Re: Please HELP!!! Any ideas??? MySQL and users file... Difference???
This is just a guess. Since you are doing a SQL look-up, I will bet it does the select * from xxx where username like btest. It returns both records, but only processes the first record, the passwords don't match and it fails. I'll bet if you only have a single encrypted entry that will work. This is just a guess on my part but give it a shot.

Gerry

At 12:25 AM 2/25/2006, you wrote:

Please anybody help me... I am reposting this message, since I am hitting the dead end with this issue. Thanks in advance...

Hi to all...

Does anyone have any idea why placing the following two lines into users file works perfectly with both PAP and CHAP users

btest User-Password == Master1
btest Crypt-Password == "$1$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1"

whereas placing the same two records into radcheck table doesn't work for PAP (it does however work for CHAP)?

 username | attribute      | op | value
----------+----------------+----+-------------------------------------
 btest    | User-Password  | == | Master1
 btest    | Crypt-Password | == | $1$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1

It seems that rlm_sql is hitting the unencrypted password only, whereas encryption-scheme in radiusd.conf is defined crypt... Am I missing something?

Any help will be appreciated

Alex Savguira

radius -X (version 1.0.4) says:

rad_recv: Access-Request packet from host 192.168.0.8:4544, id=47, length=45
User-Name = "btest"
User-Password = "Master1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "btest", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched entry DEFAULT at line 171
users: Matched entry DEFAULT at line 173
modcall[authorize]: module "files" returns ok for request 0
radius_xlat: 'btest'
rlm_sql (sql): sql_set_user escaped user --> 'btest'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'btest' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'btest' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'btest' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'btest' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall[authorize]: module "domainmschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type PAP
auth: type "PAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by "btest" with password Master1
rlm_pap: Using password "Master1" for user btest authentication.
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
modcall[authenticate]: module "pap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [btest/Master1] (from client rasdata port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 47 to 192.168.0.8:4544
Waking up in 4 seconds...
V1.10 File and LDAP Problems
Andrew thanks for the quick reply.

> Looks like you don't have the LDAP information set up correctly. FreeRADIUS can't log in to LDAP with the settings (un)specified.
>
> > rlm_ldap: (re)connection attempt failed
> > rlm_ldap: search failed
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module "ldap" returns fail for request 0
> > modcall: leaving group authorize (returns fail) for request 0

Yep, knew that, but expected to continue with the text auth since the user existed in that file.

> LDAP returns fail, which is weighted heavier than both the "noop" returned by mschap and the "ok" returned by files. Because LDAP returns "fail," the entire request returns "fail." You can specify different weighted settings for noop, fail, etc, but the obvious answer is to fix your LDAP settings and then try again.

How do you go about setting the weighting? I want to be able to use text, ldap and mysql so that we have various fall back options with a failure of the external databases (ldap and mysql).

> Once you can log in to the LDAP, if the user does not exist in there then LDAP should return "noop" for the request. If you want a user to exist in both the LDAP and the users file with different passwords, that requires a bit of tweaking but I've got it working if you need to see.

Would like to see how you did it.

> Hope this helps!
> Andrew

Gerry Dalton, Network System Support
Consolidated Communications
Cell: 214 532-1905
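Gerry's question about "setting the weighting" maps onto the per-module return-code overrides in FreeRADIUS 1.x (the mechanism described in doc/configurable_failover in the source tree, and the same syntax the stock radiusd.conf uses for `eap { ok = return }`). In the authorize section a module's "fail" is by default an immediate return, which is exactly what the "leaving group authorize (returns fail)" line in Gerry's trace shows; "ok" carries priority 3, "noop" 2 and "notfound" 1, and the section keeps the highest-priority result seen so far. The fragment below is an added example, not Gerry's or Andrew's configuration; it assumes the module instance names preprocess, files, mschap, ldap, sql and suffix from the default 1.x config, in the order Gerry's trace shows them.

```conf
authorize {
	preprocess
	files
	mschap
	ldap {
		# rlm_ldap returns "fail" when it cannot bind or search. By default
		# "fail" in authorize stops the section at once and the request is
		# dropped, so the "ok" already set by "files" is lost. Giving "fail"
		# priority 1 lets the section carry on; "ok" (priority 3) from
		# "files" outranks it and the request goes on to Auth-Type Local.
		fail = 1
		# A user absent from the directory already yields priority 1, so
		# files-only users are unaffected; stated here to make it explicit.
		notfound = 1
	}
	sql {
		# Same treatment for the MySQL backend: an unreachable database
		# must not take down users that "files" (or ldap) already answered.
		fail = 1
	}
	suffix
}
```

This only rescues users whose check items came from another module: if a user exists solely in LDAP and the directory is down, nothing sets a password or Auth-Type and the request is still rejected, which is the correct outcome for a fallback. The values accepted are a priority number or the word "return"; priorities are compared, not summed, so a failing ldap followed by a failing sql still leaves the "ok" from files in place. For two backends that each hold the full user base, a `redundant { ldap sql }` group is the alternative: it moves to the next module only when the previous one returns "fail".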
V1.10 File and LDAP Problems
I have installed Freeradius 1.10 on Solaris 8. Using default radiusd.conf and users file, added a couple of users. Tested and I am able to auth my testme user. I then add in the LDAP module, and un-comment ldap places in the radiusd.conf file. I again try to auth the same user who is in the user text file, and I can not auth that user. No other changes, just put the ldap directives in and it seems to break text file auth. I need to have the capability to fall back to text file of users in case the LDAP server is not available/problems/etc.

Below are traces from each test. Note in the second test that I know the login to the LDAP server is not valid, but this simulates the server being broken etc. I have also tested with a valid connection and get the same results.

DEBUG FOLLOWS:

WORKING: The ldap module is not enabled in the radiusd.conf file:

Ready to process requests.
rad_recv: Access-Request packet from host 10.0.90.32:2016, id=61, length=46
User-Name = "testme"
User-Password = "123456"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched entry testme at line 142
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "testme", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [testme] (from client Dallas port 0)
Sending Access-Accept of id 61 to 10.0.90.32 port 2016
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 61 with timestamp 43fe2e2d
Nothing to do.
Sleeping until we see a request.

NOT WORKING:

Ready to process requests.
rad_recv: Access-Request packet from host 10.0.90.32:2017, id=62, length=46
User-Name = "testme"
User-Password = "123456"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched entry testme at line 142
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testme
radius_xlat: '(sAMAccountname=testme)'
radius_xlat: 'dc=consolidated,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.0.60.177:389, authentication 0
rlm_ldap: bind as cn=someuser,cn=Users,dc=ourcompany,dc=com/secret to 10.0.xx.xxx:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 62 with timestamp 43fe2e82
Nothing to do.
Sleeping until we see a request.

Gerry Dalton, Network System Support
Consolidated Communications
Cell: 214 532-1905