Conditional expression ":-" deprecated?
We have a vendor product that only supports usernames shorter than 64 characters. I used the unlang expression:

    if ("%{#User-Name:-0}" <= 63)

to avoid sending accounting with longer usernames to it, which yielded:

    server buffered-dpi-esc4 {
    +- entering group preacct {...}
    ++? if ("%{#User-Name:-0}" <= 63)
    WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
            expand: %{#User-Name:-0} -> 70
    ? Evaluating ("%{#User-Name:-0}" <= 63) -> FALSE
    ++? if ("%{#User-Name:-0}" <= 63) -> FALSE

I got the ":-" expression from unlang(5), which doesn't mention that it's deprecated. I used this expression to specify a default length of 0 since unlang(5) states that %{#attr} returns an empty value if attr isn't present, and I wasn't sure how FreeRADIUS would react to a numeric comparison against an unset value.

I'm using:

    if (User-Name && "%{#User-Name}" <= 63) {

instead for now, but is the ":-" expression really deprecated, and is there an alternative equivalent? How will FreeRADIUS react to an unset value in a numeric comparison?

john
-- 
John Morrissey
j...@horde.net
www.horde.net/

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RADIUS comparison tee
In moving our RADIUS infrastructure to FreeRADIUS, I wrote a tee to transparently compare FreeRADIUS' responses with those of our existing Radiator installations. It sniffs RADIUS traffic on the current machine, replays the requests to another RADIUS server, and compares the received responses with the sniffed responses. Differences are emitted to stdout, and known differences can be configured so they're automatically ignored.

http://horde.net/~jwm/software/misc/comparison-tee

john
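As an added illustration (this is not John's comparison-tee, which is linked above, and the tool's own language is not stated), here is the comparison core such a tee needs in Python: an RFC 2865 response parser that checks attribute framing before trusting a sniffed packet, and a diff that honours an operator-supplied ignore list of attributes known to differ between servers. The dictionary subset, the sample packets and their zeroed authenticators are constructed for this example.

```python
import struct

# Small hand-written subset of the standard RADIUS dictionary (assumed).
CODES = {2: "Access-Accept", 3: "Access-Reject", 5: "Accounting-Response"}
ATTRS = {8: "Framed-IP-Address", 18: "Reply-Message", 27: "Session-Timeout", 33: "Proxy-State"}


def parse_radius(pkt):
    """Return (code, identifier, [(type, value_bytes), ...]) per RFC 2865 framing."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    avps, pos = [], 20
    while pos < length:
        # Each AVP is type(1) length(1) value; length counts both header bytes.
        if length - pos < 2 or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute framing at offset %d" % pos)
        alen = pkt[pos + 1]
        avps.append((pkt[pos], pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, avps


def compare_responses(sniffed, replayed, ignore=frozenset()):
    """Return difference strings; an empty list means the replies are equivalent."""
    c1, _, a1 = parse_radius(sniffed)
    c2, _, a2 = parse_radius(replayed)
    diffs = []
    if c1 != c2:
        diffs.append("code: %s != %s" % (CODES.get(c1, c1), CODES.get(c2, c2)))
    # `ignore` holds attribute types known to differ between servers (e.g.
    # Proxy-State); everything else, including multiplicity, is compared.
    k1 = [(t, v) for t, v in a1 if t not in ignore]
    k2 = [(t, v) for t, v in a2 if t not in ignore]
    for t in sorted({t for t, _ in k1 + k2}):
        v1 = [v for tt, v in k1 if tt == t]
        v2 = [v for tt, v in k2 if tt == t]
        if v1 != v2:
            diffs.append("%s: %r != %r" % (ATTRS.get(t, t), v1, v2))
    return diffs


def build_response(code, ident, avps):
    """Constructed sample data only: a response with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: sniffed Radiator reply vs. replayed FreeRADIUS reply.
SNIFFED = build_response(2, 7, [(27, struct.pack("!I", 3600)), (33, b"r1")])
REPLAYED = build_response(2, 7, [(27, struct.pack("!I", 7200)), (33, b"fr")])
```

In a real deployment the ignore set would come from the tee's configuration and the Response Authenticator would be checked with the shared secret before a packet is trusted at all.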
Re: Proxying accounting to create a 'tee'
On Tue, Aug 25, 2009 at 10:49:21AM +0100, Arran Cudbard-Bell wrote:
> I know it sounds a little clunky, but another option could be to use a
> chain of detail readers/writers? If you set the primary detail reader load
> factor to 100% the actual delay is likely to be pretty minimal...
>
> So you'd have:
>
> NAS->Outer Server->Detail Writer (Primary)->Detail Reader->Detail Writer Queue 1
>                                                          ->Detail Writer Queue 2
>                                                          ->Detail Writer Queue n
>
> Detail Reader Queue 1 -> Proxy Server
> Detail Reader Queue 2 -> Proxy Server
> Detail Reader Queue n -> Proxy Server
>
> That way the NAS always receives a response, and you get pseudo parallel
> Accounting requests going to the proxy server.
>
> To balance between the detail writers you can use the load-balance unlang
> stanza, or just the expressions module with the modulo operator.

I settled on something similar to this. The outer server (processing requests from the NAS) uses redundant-load-balance to write round-robin across several (currently 5) detail files. Five detail listeners (one for each detail file) then feed data to their final destinations (remote proxies, SQL databases, etc.).

It turned out a bit neater than having the outer server write a single file that's exploded by a dedicated detail listener into several files that, in turn, each have a detail listener that actually processes the detail. FWIW, it turned out to be impossible to implement that way since detail listeners won't write to a detail file, even if the output file is different from the input file.

Thanks again for the idea Arran, I'm glad it worked out.

john
Re: Overriding proxy response
On Wed, Sep 09, 2009 at 11:08:43PM +0100, Ivan Kalik wrote:
> > I would like to override failed (rejected, timed out) proxy responses with
> > local authentication data. IOW, if the proxy request fails, I want to
> > process the request locally.
>
> This is documented in post-proxy section.

I assume you mean the stock configuration's sites-available/default post-proxy section. It certainly says the request may be 'massaged' there, but does not indicate how to go about the more advanced 'massaging' I asked after in my post. The only thing that even comes close in the sample configuration is attr_rewrite, which is far too simplistic for what I'm looking to do.

Again, what I'm after is to process the request locally for unresponsive proxies or proxy Access-Rejects. By 'process the request locally,' I mean achieve the same effect as if the request was re-run through the authorize and authenticate sections.

I've looked into achieving this with rlm_perl. I see two problems with using an rlm_perl post-proxy handler to 'massage' the reply in this way. First, FreeRADIUS functionality would need to be duplicated in the post-proxy handler, particularly any authentication methods I wish to use, since there is no apparent way to call the authenticate handlers in FreeRADIUS modules at this point. Secondly, the response code is not available in the hashes passed to rlm_perl modules, so rlm_perl handlers cannot change it.

john
Overriding proxy response
I would like to override failed (rejected, timed out) proxy responses with local authentication data. IOW, if the proxy request fails, I want to process the request locally.

It looks like the proxy reply trumps local authorization/authentication, and I can't find a way to override the proxy's response code. %REQUEST_PROXY_REPLY in rlm_perl doesn't contain the response code.

If this was the opposite way (don't proxy for accounts that exist locally), it seems I could remove Proxy-To-Realm to prevent proxying. Is there a way to do the opposite (perform proxying and override the proxy's response with local auth)?

john
Re: Selective Update of User-Name
On Thu, Aug 27, 2009 at 10:57:47PM +0930, Mike O'Connor wrote:
> I need to Rewrite the User-Name of individual accounts to add a realm,
> this would need to be reliable up to at least 1 users.
>
> Does any one have any ideas on how this might be done, in a way that can
> be updated without restarting Freeradius ?
>
> We do have some python code running in this proxy which might be able to
> help.

We're doing this with rlm_perl's authorize(). We change the values in %RAD_REQUEST and return RLM_MODULE_UPDATED in the handler. I would think rlm_python would be similar.

If you need to change the list of users on the fly (is that what you mean by "without restarting Freeradius"?), you could put your list of users into something like a Berkeley DB file and have the authorize handler check there for the username to determine whether to add the realm.

john
Re: Proxying accounting to create a 'tee'
On Sat, Aug 22, 2009 at 01:59:00AM +0100, Arran Cudbard-Bell wrote:
> On 21/08/2009 21:15, John Morrissey wrote:
> > On Sun, Aug 16, 2009 at 10:11:02AM +0200, Alan DeKok wrote:
> >> vol...@ufamts.ru wrote:
> >>> If home server does not respond, FR does not respond too -> NAS repeats
> >>> request -> FR writes request data to SQL again.
> >>
> >> So... configure the server to respond. See the file
> >> raddb/sites-available/decoupled-accounting
> >
> > Is decoupled-accounting (writing all detail to disk and replaying it
> > serialized with a detail listener) the only way to configure FreeRADIUS to
> > respond to the NAS?
>
> Yes. Otherwise it'll wait for the response from the proxy server, and
> proxy the Accounting-Response from the proxy server back to the NAS. It's
> the only way the NAS could be sure the remote server received the
> Accounting-Request.

Right. I was hoping there was a way for robust-proxy-accounting to respond to the NAS when the proxy isn't responding, since the accounting request has been "successfully" processed (i.e., written to the detail log and saved for later proxying).

> > I'm adapting robust-proxy-accounting for our environment and can't
> > figure out how (or if it's possible) to get FreeRADIUS to respond to the
> > originating NAS when proxying fails and the detail is logged for later
> > proxying.
>
> Yep that's a good idea if the data is time critical, it also allows
> multiple requests to be forwarded in parallel.

nod, this is my preference. Unfortunately (as I mentioned above), I haven't been able to figure out if/how it's possible to have FreeRADIUS always respond to the NAS, even when the proxy isn't responding and accounting is spooled to the detail file for later processing.

john
Re: Values from LDAP
On Fri, Aug 21, 2009 at 08:36:58PM +0100, John Smith wrote:
> I'm using Freeradius 2.1.6 talking to an LDAP server. I am able to do
> basic LDAP authentication and everything is fine from that point of view.
>
> What I am trying to do is retrieve some additional values from the LDAP
> server, I'm sure it should be a simple thing to do but I can't work out
> how to do it.
[snip]
> To begin with I'd like to put 'mail' or 'ou' into the Reply-Message
> attribute - does anyone have any suggestions? (This is the first time I'm
> using LDAP, so please go easy if I've missed something obvious).

Have you looked at dictionary_mapping in your ldap {} configuration, and the default ldap.attrmap?

john
Re: Proxying accounting to create a 'tee'
On Sun, Aug 16, 2009 at 10:11:02AM +0200, Alan DeKok wrote:
> vol...@ufamts.ru wrote:
> > If home server does not respond, FR does not respond too -> NAS repeats
> > request -> FR writes request data to SQL again.
>
> So... configure the server to respond. See the file
> raddb/sites-available/decoupled-accounting

Is decoupled-accounting (writing all detail to disk and replaying it serialized with a detail listener) the only way to configure FreeRADIUS to respond to the NAS?

I'm adapting robust-proxy-accounting for our environment and can't figure out how (or if it's possible) to get FreeRADIUS to respond to the originating NAS when proxying fails and the detail is logged for later proxying.

    Rejecting request 0 due to lack of any response from home server 66.133.129.108 port 1813
    Found Post-Proxy-Type
    server buffered-radacct-dpi-proxy-tee {
    +- entering group Fail
            expand: /var/log/freeradius/radacct/detail.dpi-proxy-tee -> /var/log/freeradius/radacct/detail.dpi-proxy-tee
    rlm_detail: /var/log/freeradius/radacct/detail.dpi-proxy-tee expands to /var/log/freeradius/radacct/detail.dpi-proxy-tee
            expand: %t -> Fri Aug 21 20:10:39 2009
    rlm_detail: Freeradius-Proxied-To = 66.133.129.108
    ++[detail.dpi-proxy-tee] returns ok
    }
    Finished request 0.
    Cleaning up request 0 ID 24 with timestamp +2
    Going to the next request
    WARNING: Marking home server 66.133.129.108 port 1813 as zombie (it looks like it is dead).
    Waking up in 0.8 seconds.

john
Re: Proxying accounting to create a "tee"
On Fri, Aug 14, 2009 at 09:43:05PM +0200, Alan DeKok wrote:
> John Morrissey wrote:
> > I'm looking to process RADIUS accounting locally (SQL) as well as proxy
> > it to a remote host (to some third party software that also wants to
> > receive a copy of all accounting).
>
> Yes. Just configure "sql" in the accounting section, *and* configure
> it to proxy.

ach, I was presuming that local processing precluded proxying (and vice versa). Thanks, Alan.

john
Proxying accounting to create a "tee"
I'm looking to process RADIUS accounting locally (SQL) as well as proxy it to a remote host (to some third party software that also wants to receive a copy of all accounting). Is this possible with FreeRADIUS?

john
Buffered SQL for authentication failures?
I'm in the process of replacing OSG's Radiator with FreeRADIUS. I have our relatively complex configuration mostly ported, but a few things have left me stumped.

I'd like to write authentication failures to an SQL database using a detail listener so they're buffered, as with accounting:

    detail detail.auth {
            detailfile = ${radacctdir}/detail-auth
            detailperm = 0600
            header = "%t"
    }

    post-auth {
            Post-Auth-Type REJECT {
                    detail.auth
            }
    }

    server buffered-sql-auth {
            listen {
                    type = detail
                    filename = ${radacctdir}/detail-auth
                    load_factor = 100
            }

            post-auth {
                    sql
            }
    }

Detail entries are picked up by the listener, but it never seems to do anything with them:

    Going to the next request
    Waking up in 0.7 seconds.
    Polling for detail file /var/log/freeradius/radacct/detail-acct
    Polling for detail file /var/log/freeradius/radacct/detail-auth
    detail_recv: Renaming /var/log/freeradius/radacct/detail-auth -> /var/log/freeradius/radacct/detail-auth.work
    detail_recv: Read packet from /var/log/freeradius/radacct/detail-auth.work
            Packet-Type = Access-Reject
            Framed-Protocol = PPP
            Service-Type = Framed-User
            Framed-IP-Address = 255.255.255.254
            Framed-Compression = Van-Jacobson-TCP-IP
            Framed-MTU = 1500
            Acct-Delay-Time = 0
    server buffered-sql-auth {
    } # server buffered-sql-auth
    Finished request 7.
    Cleaning up request 7 ID 41800 with timestamp +263

It looks like detail_recv() explicitly sets its RAD_REQUEST_FUNP to rad_accounting:

    *pfun = rad_accounting;

I haven't looked much into the FreeRADIUS source yet; is it reasonably easy to determine/loop through the configured handlers for the detail listener to support a situation like this? Is there a better way of doing this?

john