Re: Transform reject to accept response with specific attributes
Arran Cudbard-Bell writes:
> On 6 Sep 2012, at 15:10, Kostas Zorbadelos wrote:
>
>> Greetings to all,
>>
>> I would like to achieve the following functionality: in case a user's
>> AUTHENTICATION fails, the user should not be rejected but be given an
>> accept response with specific attributes.
>> The reason behind this is to provide a captive portal functionality for
>> users having wrong credentials in their CPEs.
>> Could you provide a few hints for how the config would look like (I am
>> thinking of something in terms of unlang and utilizing virtual servers
>> but I am not sure how it would look like.
>
> authenticate {
>     Auth-Type pap {
>         pap {
>             reject = 1
>         }
>         if (reject) {
>             ok
>             # Add extra attributes here...
>         }
>     }
> }
>

Thank you very much, this seems to work.

> -Arran

Kostas
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
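Arran's placeholder filled in, as an added example rather than anything posted in the thread: the Filter-Id value, the Class marker and the Session-Timeout are assumed, and the NAS is assumed to map that Filter-Id to a walled-garden ACL that only reaches the portal, so that accounting and later policy can tell a redirected session from a real one.

```unlang
authenticate {
	Auth-Type PAP {
		# Let pap fail without the section returning reject
		pap {
			reject = 1
		}
		if (reject) {
			update reply {
				# Assumed name: the NAS maps this Filter-Id to a
				# walled-garden ACL that permits only the portal.
				Filter-Id       := "captive-portal-only"
				# Assumed marker: the NAS echoes Class in its
				# Accounting-Request packets, so an unauthenticated
				# session stays identifiable in the accounting trail.
				Class           := "unauthenticated"
				Reply-Message   := "Wrong credentials, redirected to portal"
				# Assumed value: short session so a CPE whose
				# credentials get fixed re-authenticates soon.
				Session-Timeout := 300
			}
			ok
		}
	}
}
```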
Transform reject to accept response with specific attributes
Greetings to all,

I would like to achieve the following functionality: in case a user's AUTHENTICATION fails, the user should not be rejected but be given an accept response with specific attributes. The reason behind this is to provide a captive portal functionality for users having wrong credentials in their CPEs. Could you provide a few hints for how the config would look like (I am thinking of something in terms of unlang and utilizing virtual servers but I am not sure how it would look like.

Regards,
Kostas

--
Kostas Zorbadelos
twitter: @kzorbadelos
http://gr.linkedin.com/in/kzorba
Check in users file using a string attribute obtained from ldap
Greetings to all,

I am trying to accomplish the following setup:

- have freeradius query an ldap server to get the usual user entry with one check and a few reply attributes
- have after that a users file, that based on the check attribute obtained before by the ldap module make some processing (eg add a few common reply attributes)

This is actually a "grouping" functionality and I can accomplish what I want using the Ldap-Group attribute, BUT I want to avoid the extra ldap queries.

So for example I have:

LDAP
--
# kzorba, people, company.gr
dn: uid=kzorba1,ou=people,dc=company,dc=gr
objectClass: XXX
objectClass: YYY
radiusProfile: FOO_STATIC
Framed-IP-Address: 62.103.131.9
userPassword: XXX
sn: ZORBADELOS
uid: kzorba
...

ldap.attrmap
--
checkItem   $GENERIC$           radiusCheckItem
replyItem   $GENERIC$           radiusReplyItem
checkItem   Ascend-Group        radiusProfile
replyItem   Framed-IP-Address   Framed-IP-Address
replyItem   Framed-Route        Framed-Route
replyItem   Filter-Id           Filter-Id

And I want to have a users file that looks like this:

DEFAULT Ascend-Group =~ "STATIC"
        Reply-Message = "Your account is Static."

Having the following authorize section in default

authorize {
    preprocess
    chap
    mschap
    ldap {
        notfound = reject
    }
    files
    pap
}

The checks fail. I looked at the source code and from what I understood the ldap module puts all check items in the so called control (or check list), while rlm_file makes checks in the request list. So I figured that doing an unlang update request would solve the problem.

authorize {
    preprocess
    chap
    mschap
    ldap {
        notfound = reject
    }
    update request {
        Group = "%{control:Ascend-Group}"
    }
    files
    pap
}

And in users file have a

DEFAULT Group =~ "STATIC"
        Reply-Message = "Your account is Static."

However this also did not work. Any help as to what am I missing here?

Thanks,
Kostas Zorbadelos
Re: Trivial patch for rlm_acctlog in 2.0.5
On Wednesday 13 August 2008 12:24:44 Alan DeKok wrote:
> Kostas Zorbadelos wrote:
> > As we are preparing for migration to 2.X version in some of our
> > production systems, I took a closer look at the sources and found the
> > rlm_acctlog module that allows for the logging of various types of
> > accounting messages in the radius logs. Moreover I saw that syslog
> > support in 2.X is vastly improved over 1.X series.
>
> See also rlm_linelog in the current source (git.freeradius.org), and
> raddb/modules/linelog. It is a fully configurable module that logs one
> line of text to a file, based on dynamically expanded keys.
>

I will give a look at it. Seems like a nice generalization of rlm_acctlog -:)

> > My minor request is, could you include the following patch in later
> > releases (so as to not maintain it internally)?
>
> Done.
>

Thanks

> Alan DeKok.

Kostas Zorbadelos
Trivial patch for rlm_acctlog in 2.0.5
Hello to everyone. As we are preparing for migration to 2.X version in some of our production systems, I took a closer look at the sources and found the rlm_acctlog module that allows for the logging of various types of accounting messages in the radius logs. Moreover I saw that syslog support in 2.X is vastly improved over 1.X series. My minor request is, could you include the following patch in later releases (so as to not maintain it internally)? --- rlm_acctlog.c.orig 2007-11-12 00:11:51.0 +0200 +++ rlm_acctlog.c 2008-08-08 13:54:34.0 +0300 @@ -79,7 +79,7 @@ rlm_acctlog_t *inst; VALUE_PAIR *pair; - charlogstr[MAX_STRING_LEN]; + charlogstr[1024]; int acctstatustype = 0; The idea is to have a bigger buffer than 253 characters for logging. Some old syslog implementations can have a 1024 character limit I think, so I guess that would be enough :) Thanks and keep up the good work. Kostas Zorbadelos - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
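Review bot: the only change in the hunk is the declaration `charlogstr[MAX_STRING_LEN]` -> `charlogstr[1024]`; whether the larger buffer is ever used depends on the size limit handed to the formatting calls that fill `logstr`, which are outside this hunk, so check that they use `sizeof(logstr)` rather than a hard-coded `MAX_STRING_LEN`. Also prefer a named constant next to the module's other constants over the bare `1024`, with a comment recording the syslog line-length rationale given in the message, so the next reader knows why 253 was not enough.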
Re: Proxying doesn't work!
On Wed, Jul 11, 2007 at 09:22:32AM +0200, Federico Giannici wrote:
> We have a working FreeRADIUS 1.1.4 running since a lot of months.
> Now we have to proxy the requests for a realm (gtenet.it) to a given
> RADIUS server, but our server seems to ignore the proxy configuration!
>
> I have set "proxy_requests = yes" and included the "proxy.conf" file
> (I'm sure of these, looked at the debug output).
>
> Here it is our "proxy.conf" file:
>
> proxy server {
>     synchronous = no
>     retry_delay = 5
>     retry_count = 3
>     dead_time = 120
>     default_fallback = yes
>     post_proxy_authorize = no
> }
> realm gtenet.it {
>     type     = radius
>     authhost = 195.103.212.53:1645
>     accthost = 195.103.212.53:1646
>     secret   = X
> }
>
> When a request for [EMAIL PROTECTED] is received, it goes through the
> authorization and then instead of being proxied it goes through
> authentication and obviously fail!
>

You need to uncomment the "suffix" module in the authorize section.

> Here it is the output of the server in debug mode:
>
> Jul 10 18:55:29 aragorn radiusd[23262]: Going to the next request
> Jul 10 18:55:29 aragorn radiusd[23262]: Waking up in 6 seconds...
> Jul 10 18:55:29 aragorn radiusd[23262]: rad_lowerpair: User-Name now '[EMAIL PROTECTED]'
> Jul 10 18:55:29 aragorn radiusd[23262]: rad_lowerpair: User-Password now ''
> Jul 10 18:55:29 aragorn radiusd[23262]: rad_rmspace_pair: User-Name now '[EMAIL PROTECTED]'
> Jul 10 18:55:29 aragorn radiusd[23262]: rad_rmspace_pair: User-Password now ''
> Jul 10 18:55:29 aragorn radiusd[23262]: Processing the authorize section of radiusd.conf
> Jul 10 18:55:29 aragorn radiusd[23262]: modcall: entering group authorize for request 72
> Jul 10 18:55:29 aragorn radiusd[23262]: modcall[authorize]: module "preprocess" returns ok for request 72
> Jul 10 18:55:29 aragorn radiusd[23262]: modcall[authorize]: module "nm" returns noop for request 72

I don't know this module. Have you named an instance of a known module this way?

> Jul 10 18:55:29 aragorn radiusd[23262]: modcall[authorize]: module "chap" returns noop for request 72
> Jul 10 18:55:29 aragorn radiusd[23262]: modcall[authorize]: module "mschap" returns noop for request 72
> Jul 10 18:55:29 aragorn radiusd[23262]: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
> Jul 10 18:55:29 aragorn radiusd[23262]: modcall[authorize]: module "pap" returns noop for request 72
> Jul 10 18:55:29 aragorn radiusd[23262]: modcall: leaving group authorize (returns ok) for request 72
> Jul 10 18:55:29 aragorn radiusd[23262]: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> Jul 10 18:55:29 aragorn radiusd[23262]: auth: Failed to validate the user.
>
> Any hints of what could be the problem?
>
> Thanks.
>
> --
> Federico Giannici  http://www.neomedia.it
Re: 2.0.0-pre1 compile problem on ubuntu
On Fri, May 25, 2007 at 02:27:48PM +0200, Alan Dekok wrote:
> Norbert Wegener wrote:
> > on an ubuntu 6.06 configure does not show an error with 2.0.0-pre1.
> ...
> > /home/norbert/Desktop/freeradius-server-2.0.0-pre1/src/lib/.libs/libradius.so
> > -L/usr/local/lib /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a
> > -L/usr/lib/perl/5.8/CORE -lperl -ldl -lm -lc -lcrypt -lnsl -lresolv
> > -lpthread -Wl,-E -Wl,-soname -Wl,rlm_perl-2.0.0-pre1.so -o
> > .libs/rlm_perl-2.0.0-pre1.so
> > /usr/bin/ld: cannot find -lperl
>
> I see it, too. I think it's because Dynloader is a static library, so
> libtool is looking for libperl.a, not libperl.so.
>

This is because libperl.so exists in the libperl-dev package. This is standard Debian practice.

> But I really don't know. Did I mention I hate libtool?
>
> Alan DeKok.
Re: Freeradius proxy code questions and proposed patch
On Mon, Apr 30, 2007 at 05:41:06PM +0200, Alan DeKok wrote:
> Kostas Zorbadelos wrote:
> > I had described a strange behavior in our large proxy setup. After
> > running the server in debug mode (radiusd -xxx) in our production
> > systems we found out what was causing our problems. The problem was
> > that the home server in our proxy setup was marked dead quite often
> > during the day and with a dead_time of 30 secs every request that came
> > within these 30 secs was rejected.
>
> Yes. In 1.x, the proxy code does this. It's fixed in 2.0, which
> should be released real soon now.
>
> > + /*
> > +* If we are running in synchronous proxy mode, there's no point marking the target
> > +* server(s) dead, since this should be done by the radius client
>
> Uh, no. The RADIUS client doesn't know about the home servers. It
> only knows about the server it's sending packets to.
>

Precisely. But when we work in 'synchronous' mode we want the NAS to be in charge of the retransmission policy not our proxy server. If the home server does not reply for any reason, we want the client (NAS) to notice it and retransmit. Eventually, the client will mark our proxy server dead not because it is its fault, but because the home server is not responding.

> > The purpose of this patch is to not have the freeradius server mark
> > the home server dead when working in synchronous mode. We believe that
> > in synchronous operation it is a good idea to leave the job of marking
> > the server dead to the NAS client.
>
> Which server? All your patch does is make sure that the NAS marks the
> proxying server as dead.
>

Eventually, yes this is what the NAS will do. All that is due to the synchronous mode in proxy operation.

> ...
> > It seems that in some "strange" occasions the code enters the above
> > path. A decision is made in case the current time is older than
> > mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count. If this
> > is the case, the request is rejected and the code tries to disable the
> > realm. However in the proxy.conf configuration file it is mentioned:
>
> All of that code is *gone* in 2.0. The new code is so much better
> that it's really quite hard to describe how much better it is.
>
> > Please let me know your thoughts on these matters (also on the patch
> > we provide)
>
> Take a look at the current CVS snapshot. It should be pretty robust
> with some recent bug fixes, and it will solve *all* of your proxying
> problems.
>
> And I do mean ALL of the problems.
>

I have read in the list about the major clean up version 2.0 of the server will be. While reading the code of versions 1.x I could see that there is great room for improvement. I will take a look in the 2.0 sources and I look forward to testing it when it becomes available.

Thanks a lot Alan.

Kostas

> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Freeradius proxy code questions and proposed patch
Hello to everyone. In a previous thread http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg33354.html I had described a strange behavior in our large proxy setup. After running the server in debug mode (radiusd -xxx) in our production systems we found out what was causing our problems. The problem was that the home server in our proxy setup was marked dead quite often during the day and with a dead_time of 30 secs every request that came within these 30 secs was rejected. Our proxy conf initially looked like the following: proxy server { synchronous = yes retry_delay = 0 retry_count = 0 dead_time = 30 default_fallback = yes post_proxy_authorize = no } ### # # Configuration for the proxy realms. # ... We first changed the dead_time to 0 so as to avoid marking the home server dead in synchronous mode. Additionally, we implemented the following patch (against version 1.1.6): --- ./src/main/files.c.orig 2007-04-23 15:14:14.569932000 +0300 +++ ./src/main/files.c 2007-04-23 15:22:30.995686000 +0300 @@ -489,6 +489,15 @@ if (cl->last_reply > (( now - mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count ))) { continue; } + /* +* If we are running in synchronous proxy mode, there's no point marking the target +* server(s) dead, since this should be done by the radius client +*/ + if (mainconfig.proxy_synchronous) { + radlog(L_PROXY, "authentication server %s:%d for realm %s seems unresponsive.", + cl->server, port, cl->realm); + continue; + } cl->active = FALSE; cl->wakeup = now + mainconfig.proxy_dead_time; 
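Review bot: in the first hunk the `radlog(L_PROXY, ...)` call is reached on every pass of this list walk for as long as the home server stays unresponsive, so in synchronous mode the "seems unresponsive" line is emitted repeatedly rather than once per state change; log it only where `cl->active = FALSE` would have been set, or rate-limit it. `port` is used in the log call but is not defined anywhere in the hunk's context, so confirm it holds the authentication port at this point and not a value left over from another branch.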
@@ -498,6 +507,15 @@ if (cl->last_reply > (( now - mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count ))) { continue; } + /* +* If we are running in synchronous proxy mode, there's no point marking the target +* server(s) dead, since this should be done by the radius client +*/ + if (mainconfig.proxy_synchronous) { + radlog(L_PROXY, "accounting server %s:%d for realm %s seems unresponsive.", + cl->acct_server, port, cl->realm); + continue; + } cl->acct_active = FALSE; cl->acct_wakeup = now + mainconfig.proxy_dead_time; The purpose of this patch is to not have the freeradius server mark the home server dead when working in synchronous mode. We believe that in synchronous operation it is a good idea to leave the job of marking the server dead to the NAS client. All the above actions solved our initial problems. However, after a while we noticed again clients being rejected when they shouldn't. The following code in request_list.c caught my attention: /* * Refresh a request, by using proxy_retry_delay, cleanup_delay, * max_request_time, etc. * * When walking over the request list, all of the per-request * magic is done here. */ static int refresh_request(REQUEST *request, void *data) { ... (around line 1264 version 1.1.6) } else if (request->proxy && !request->proxy_reply) { /* * The request is NOT finished, but there is an * outstanding proxy request, with no matching * proxy reply. * * Wake up when it's time to re-send * the proxy request. * * But in synchronous proxy, we don't retry but we update * the next retry time as NAS has not resent the request * in the given retry window. */ if (mainconfig.proxy_synchronous) { /* * If the retry_delay * count has passed, * then mark the realm dead. */ if (info->now > (request->timestamp + (mainconfig.proxy_retry_delay * mainconfig.proxy_retry_count))) { rad_assert(request->child_pid == NO_SUCH_CHILD_PID); request_reject(request); realm_disable(request->proxy->dst_ipaddr, request->proxy->dst_port);
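Review bot: the accounting hunk repeats the authentication hunk line for line apart from `acct_server`/`acct_active`; move the `mainconfig.proxy_synchronous` check and the `radlog` call into a small static helper that takes the server string and an "authentication"/"accounting" label, so the two paths cannot drift apart. Since `cl->acct_active` and `cl->acct_wakeup` are never touched when the `continue` is taken, `dead_time` becomes a no-op in synchronous mode; the proxy.conf comment for `dead_time` (or `synchronous`) should say so as part of the same change rather than leaving it to the reader of files.c.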
Re: Autotools related problems in freeradius 1.1.6
On Tue, Apr 24, 2007 at 01:12:26PM +0200, Alan DeKok wrote:
> Kostas Zorbadelos wrote:
> > I disagree with you on this one Alan. I discovered all these issues I
> > mention the hard way, after our radius server stopped running in
> > random times (after a failure in rad_assert() in request_list.c around
> > the section
> ...
> > In production environments the server should be able to at least
> > report the errors it encounters and continue operations. Service
> > availability is the most important.
>
> My point was that it should continue doing *what*? The assertions are
> there to catch catastrophic failures in the code. If the assertion
> trips, it's doing so because the error is non-recoverable.
>
> If you disable the assertions, the server may look like it's still
> running. But there's no guarantee that it will do anything useful. It
> may crash randomly later, for reasons that are difficult to track down.
> The only *safe* thing to do is to revert to a known working state.
> i.e. restart from scratch.
>

In the code snippet I sent, from what I can tell, nothing catastrophic happens. The code checks to see if it is time to send a delayed reject back to the client and asserts that there is no child thread that works on that request. Anyway, if the developer flags are switched off rad_assert() does nothing. This is the way it is defined:

#ifdef NDEBUG
#define rad_assert(expr) ((void) (0))
#else
#define rad_assert(expr) \
    ((void) ((expr) ? 0 : \
             rad_assert_fail (__FILE__, __LINE__)))
#endif

So if someone compiles freeradius without developer flags he actually de-activates all assertions :)

> > As far as I can tell, the following minor patch should take care of the
> > issue of having developer flags switched off be default:
>
> OK, thanks.
>

There is the Solaris issue however. I will try to track it down and send a patch for this too if I can.

Kostas Zorbadelos

> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Autotools related problems in freeradius 1.1.6
On Mon, Apr 23, 2007 at 04:39:22PM +0200, Alan DeKok wrote:
> Kostas Zorbadelos wrote:
> > If I do
> >
> > ./configure --prefix=/opt/freeradius
> >
> > the build scripts presume that --enable-developer is true.
>
> That may be an issue only in 1.1.6. You should be able to change it
> by doing --disable-developer.
>

This is exactly what I did. The reason I mention it is because I think the default should be sane in future releases of freeradius (that is developer options switched off by default).

> > This has
> > the effect that -DNDEBUG is not defined in CFLAGS during compilation,
> > among other things, so the rad_assert() function can abort freeradius
> > operation in production environments.
>
> Which is not necessarily a bad thing. Yes, it's bad for your RADIUS
> server to go down. It's arguably worse for the RADIUS server to keep
> running, and doing... something... after it notices that internal sanity
> checks have failed.
>

I disagree with you on this one Alan. I discovered all these issues I mention the hard way, after our radius server stopped running in random times (after a failure in rad_assert() in request_list.c around the section

...
static int refresh_request(REQUEST *request, void *data)
...
        /*
         * If the request is marked as a delayed reject, AND it's
         * time to send the reject, then do so now.
         */
        if (request->finished &&
            ((request->options & RAD_REQUEST_OPTION_DELAYED_REJECT) != 0)) {
>               rad_assert(request->child_pid == NO_SUCH_CHILD_PID);
...)

In production environments the server should be able to at least report the errors it encounters and continue operations. Service availability is the most important. In our case, after I recompiled freeradius with -DNDEBUG option set, we noticed no further noticeable problems in our radius service.

> > I believe that by default, --enable-developer should be false unless
> > explicitly set during configure.
> >
> > Let me know if you need anything else to trace the issue.
> > It's just a couple of lines of shell scripting in configure.in. > As far as I can tell, the following minor patch should take care of the issue of having developer flags switched off be default: --- configure.in.orig Tue Apr 24 12:02:13 2007 +++ configure.inTue Apr 24 12:02:40 2007 @@ -278,11 +278,11 @@ AC_ARG_ENABLE(developer, [ --enable-developer Enables features of interest to developers.], [ case "$enableval" in -no) - developer=no +yes) + developer=yes ;; *) - developer=yes + developer=no esac ] ) > > Moreover, in a Solaris 9 environment > > --enable-developer or --disable-developer seem to be ignored and > > someone should define CFLAGS explicitly in the configure command to > > define -NDEBUG macro. > > I didn't manage to undestand however why in a Solaris environment, --disable-developer seems to be ignored. Even if I set --disable-developer in configure, the -DNDEBUG macro is not passed in compilation options. Find attached (a gzipped) BUILD log in my environment. Thanks, Kostas Zorbadelos > Alan DeKok. > -- > http://deployingradius.com - The web site of the book > http://deployingradius.com/blog/ - The blog > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > BUILD.solaris-disable-developer.log.gz Description: Binary data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
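Review bot: swapping the `no)` and `yes)` labels inside `case "$enableval"` does flip the default, but it also changes how non-standard values are treated: before the patch any value other than `no` enabled developer mode, after it only the literal `yes` does and anything else (for example `--enable-developer=1`) silently falls into `*)` and disables it. Plain `--enable-developer` sets `enableval=yes`, so the common case still works, but the cleaner fix is to keep `no)` -> `developer=no` and `yes)` -> `developer=yes`, reject other values with `AC_MSG_ERROR`, and supply the off-by-default behaviour through the action-if-not-given argument of `AC_ARG_ENABLE` (`developer=no`) rather than through the case.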
Autotools related problems in freeradius 1.1.6
Greetings to all in the list.

I'd like to report an issue in the build scripts of freeradius. I tried to build version 1.1.6 but the problem exists in earlier versions too.

If I do

./configure --prefix=/opt/freeradius

the build scripts presume that --enable-developer is true. This has the effect that -DNDEBUG is not defined in CFLAGS during compilation, among other things, so the rad_assert() function can abort freeradius operation in production environments. I believe that by default, --enable-developer should be false unless explicitly set during configure.

Moreover, in a Solaris 9 environment --enable-developer or --disable-developer seem to be ignored and someone should define CFLAGS explicitly in the configure command to define -NDEBUG macro.

Let me know if you need anything else to trace the issue.

Thanks,
Kostas Zorbadelos
Re: Some problem
On Tue, Mar 06, 2007 at 10:51:25AM +0800, zhangxianshi wrote:

If you ever need to build the freeradius perl module you should install the packages libperl-dev libperl. Debian policy is to use the libfoo-dev package to contain the libfoo.so symbolic link. This is what is missing in your case (libperl.so).

Regards,
Kostas Zorbadelos

> Dear All,
>
> I use a Linux system called Ubuntu. Yesterday I tried to compile the
> freeradius 1.1.4. When I began to make, there is something wrong.
>
> This is the error log:
>
> Making all in rlm_passwd...
> make[6]: Entering directory `/home/stone/freeradius-1.1.4/src/modules/rlm_passwd'
> make[6]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules/rlm_passwd'
> Making all in rlm_perl...
> make[6]: Entering directory `/home/stone/freeradius-1.1.4/src/modules/rlm_perl'
> /home/stone/freeradius-1.1.4/libtool --mode=link gcc -release 1.1.4 \
>     -module -export-dynamic -o rlm_perl.la \
>     -rpath /usr/local/lib rlm_perl.lo rlm_perl.c
>     /home/stone/freeradius-1.1.4/src/lib/libradius.la \
>     `perl -MExtUtils::Embed -e ldopts` -lnsl -lresolv -lpthread
>
> *** Warning: Linking the shared library rlm_perl.la against the
> *** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not portable!
> gcc -shared .libs/rlm_perl.o -Wl,--rpath -Wl,/home/stone/freeradius-1.1.4/src/lib/.libs -Wl,--rpath -Wl,/usr/local/lib /home/stone/freeradius-1.1.4/src/lib/.libs/libradius.so -L/usr/local/lib /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE -lperl -ldl -lm -lc -lcrypt -lnsl -lresolv -lpthread -Wl,-E -Wl,-soname -Wl,rlm_perl-1.1.4.so -o .libs/rlm_perl-1.1.4.so
> /usr/bin/ld: cannot find -lperl
> collect2: ld returned 1 exit status
> make[6]: *** [rlm_perl.la] Error 1
> make[6]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules/rlm_perl'
> make[5]: *** [common] Error 2
> make[5]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules'
> make[4]: *** [all] Error 2
> make[4]: Leaving directory `/home/stone/freeradius-1.1.4/src/modules'
> make[3]: *** [common] Error 2
> make[3]: Leaving directory `/home/stone/freeradius-1.1.4/src'
> make[2]: *** [all] Error 2
> make[2]: Leaving directory `/home/stone/freeradius-1.1.4/src'
> make[1]: *** [common] Error 2
> make[1]: Leaving directory `/home/stone/freeradius-1.1.4'
> make: *** [all] Error 2
>
> How can I solve it?
>
> Regards Zhang
Re: Strange problems in large proxy setup
On Mon, Feb 26, 2007 at 10:09:43AM +0100, Alan DeKok wrote:
> Kostas Zorbadelos wrote:

Hi Alan,

> > By 'debugging mode' I guess you are referring to radiusd -xxx or
> > something is that correct? Could this affect the authentication
> > service for our customers?
>
> Use "radiusd -X", and no, it won't affect service.
>

We are talking about a setup that services tens of thousands of requests (hundreds per second maybe). If I am not mistaken radiusd -X will run freeradius in single threaded mode. In our normal mode of operation freeradius has 65 threads servicing requests. Won't this affect service?

> > I was thinking
> > something in the lines of changing the freeradius config to log the
> > packets going to the home server and their replies (detail_log module
> > in pre_proxy and post_proxy stages).
>
> That would be good, too.
>
> > Has anyone else noticed this behaviour in a large load proxy setup?
>
> I haven't heard of it.
>

This is indeed a very difficult situation to debug. The problem behaviour does not appear in a low volume load. I believe it has to do with the increased load (and the fact that the home FUNK radius delays the servicing of requests I think). I will try to give as much debugging input as possible and I will also review the server's code.

> Alan DeKok.

Kostas Zorbadelos
Re: Strange problems in large proxy setup
On Fri, Feb 23, 2007 at 10:23:50AM -0500, Dennis Skinner wrote:
> Kostas Zorbadelos wrote:
> > radiusd -X confirms that the configuration is correct, however I have
> > this problem behaviour in large scale. My initial suspicions go to the
> > proxying code to be honest, but I need to take a good look to grasp
> > it.

Hi Dennis,

> I would try running the production radius in debugging mode and send the
> output to a file that you can review for anomalies. If it is happening
> often enough and you don't want to run the primary radius in debug mode,
> you could do it on the secondary and force a failover for a short time
> and try to catch it.
>

By 'debugging mode' I guess you are referring to radiusd -xxx or something is that correct? Could this affect the authentication service for our customers? I was thinking something in the lines of changing the freeradius config to log the packets going to the home server and their replies (detail_log module in pre_proxy and post_proxy stages).

Has anyone else noticed this behaviour in a large load proxy setup?

> --
> Dennis Skinner
> Systems Administrator
> BlueFrog Internet
> http://www.bluefrog.com

--
Kostas Zorbadelos
Systems Designer/Developer, Otenet SA
[EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Re: Strange problems in large proxy setup
On Fri, Feb 23, 2007 at 02:49:57PM +, [EMAIL PROTECTED] wrote:
> Hi,
>
> > active sessions and if he is allowed to have a session the request is
> > proxied to the FUNK server that performs the actual authentication. So
> > the setup is a classical proxy setup. This policy decision of whether
>
> whoah. steady on there. this is not a classical proxy setup. in a classical
> proxy setup ALL authentication is handled by a 3rd party. in this case you
> are doing an LDAP authorization on the FreeRADIUS box.

OK you have a point there, my wording is incorrect. Yes, we do make an authorization decision in the freeradius box.

> the fact that this
> works on testing but not in high-volume production points a marked finger
> towards this LDAP process.
>

The 'ldap process' you refer to is actually rlm_ldap and a tiny module of ours. However, we have never observed any issues with them, no error messages or any other logging messages. I believe I have a valid and quite simple (for my purposes of course) configuration. I make the authorization decision and if all OK, I proxy the request, otherwise I reject the request without proxying it. radiusd -X confirms that the configuration is correct, however I have this problem behaviour in large scale. My initial suspicions go to the proxying code to be honest, but I need to take a good look to grasp it.

> alan

Kostas
Strange problems in large proxy setup
My greetings to the list.

We have deployed a large setup using freeradius 1.1.3 in a proxy configuration in front of FUNK radius. During the day we have about 150.000 concurrent DSL users online. Our setup takes the access-request from the NAS, checks whether the user has any other active sessions and if he is allowed to have a session the request is proxied to the FUNK server that performs the actual authentication. So the setup is a classical proxy setup. This policy decision of whether the user is allowed to have a session is taken by a module we have developed for this purpose (we call it rlm_concurrency). We use the ldap module to find the maximum allowed sessions for a user. Our setup involves no accounting, just authentication/authorization.

-------      --------------         --------
| NAS |  ->  | Freeradius |  <--->  | FUNK |
-------      --------------         --------

This is the actual config we have in our freeradius server:

authorize {
    preprocess
    # The following config instructs freeradius to stop processing
    # requests if it matches the user in the local users file
    files {
        ok = return
    }
    ldap
    concurrency
    suffix
}

Here is a debugging output from freeradius with this config:

== Debugging output (radiusd -X) ==
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 62.103.1.111:1645, id=4, length=127
        Framed-Protocol = PPP
        User-Name = "foouser"
        User-Password = "XX"
        Calling-Station-Id = "X"
        NAS-Port-Type = Async
        Connect-Info = "33600/31200 V34+/V42bis/LAPM"
        NAS-Port = 4115
        NAS-Port-Id = "Async2/2"
        Service-Type = Framed-User
        NAS-IP-Address = 62.103.1.111
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module "preprocess" returns ok for request 9
  modcall[authorize]: module "files" returns notfound for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for foouser
radius_xlat:  '(&(uid=foouser)(radiusAccountStatus=activated))'
radius_xlat:  '...'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=..., with filter (&(uid=foouser)(radiusAccountStatus=activated))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusMaxLogins as Simultaneous-Use, value 1 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user foouser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 9
rlm_concurrency: Found NAS-IP-Address: 62.103.1.111
rlm_concurrency: User: foouser, Max-Sessions found: 1
rlm_concurrency: Accepted User foouser. Active sessions: 0, Maximum allowed sessions: 1
  modcall[authorize]: module "concurrency" returns ok for request 9
    rlm_realm: No '@' in User-Name = "foouser", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Proxying request from user foouser to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Preparing to proxy authentication request to realm "NULL"
  modcall[authorize]: module "suffix" returns updated for request 9
modcall: leaving group authorize (returns updated) for request 9
Sending Access-Request of id 9 to  port 1645
        Framed-Protocol = PPP
        User-Name = "foouser"
        User-Password = "XX"
        Calling-Station-Id = "XX"
        NAS-Port-Type = Async
        Connect-Info = "33600/31200 V34+/V42bis/LAPM"
        NAS-Port = 4115
        NAS-Port-Id = "Async2/2"
        Service-Type = Framed-User
        NAS-IP-Address = 62.103.1.111
        Proxy-State = 0x34
--- Walking the entire request list ---
Waking up in 0 seconds...
...
Waking up in 0 seconds...
rad_recv: Access-Accept packet from host , id=9, length=107
        Proxy-State = 0x34
        Class = 0x5342522d434c20444e3d22646570616b222041543d22323030222055533d2053493d223630373737383736302200
        Filter-Id = "USER-FILTER-OUT.out"
        Framed-Protocol = PPP
        Service-Type = Framed-User
  authorize: Skipping authorize in post-proxy stage
rad_check_password:  Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [foouser] (from client KARP3845 port 4115 cli 2237021227)
Sending Access-Accept of id 4 to 62.103.1.111 port 1645
        Class = 0x5342522d434c20444e3d22646570616b222041543d22323030222055533d2053493d223630373737383736302200
        Filter-Id = "USER-FILTER-OUT.out"
        Framed-Protocol = PPP
        Service-Type = Framed-User
== End Debugging output (radiusd -X) ==

We have noticed no problems with our module and also no problems whatsoever in a low traffic testing environment. However we have observed the following strange be
Re: Questions about proxy radius on multihomed host
On Sun, Dec 03, 2006 at 09:15:54PM -0800, Alan DeKok wrote:
> Kostas Zorbadelos wrote:
> > on a multihomed Solaris host when radius packets are proxied what is
> > their source IP? Is it IP1 or it could also be IP2?
>
> Uh... that's up to the OS.

That's what I also thought. This would have to do with the TCP/IP implementation in the kernel...

> There are patches pending against CVS head
> that should fix this.

In a portable way?

> > I took a look at the sources where I see that in proxy.c a rad_send()
> > is used to actually send the packet. rad_send() uses sendto() unless
> > WITH_UDPFROMTO is defined in which case sendfromto() is used. In my
> > case, WITH_UDPFROMTO is undefined.
>
> That only matters for packets being received by the server, not
> packets it's sending.

I am referring to proxy_send in proxy.c

/*
 * Relay the request to a remote server.
 * Returns:
 *
 * RLM_MODULE_FAIL: we don't reply, caller returns without replying
 * RLM_MODULE_NOOP: caller falls through to normal processing
 * RLM_MODULE_HANDLED : we reply, caller returns without replying
 */
int proxy_send(REQUEST *request)

From what I can see it has to do with the packets relayed by the server to the remote home server in proxy mode.

> > Can I assume that outgoing packets use as source address the one
> > listed in the listen directive?
>
> If that's the only IP used, yes. Otherwise, it's up to the OS to
> determine the best source IP for an outgoing packet.

Thanks Alan.

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter than a thousand suns.
Questions about proxy radius on multihomed host
Hello to everyone.

I have a question regarding freeradius proxying. My setup is freeradius 1.1.3 on Solaris 9. I have a very simple proxy configuration. The setup is a bit 'weird' in the sense that I have a freeradius server on the machine that acts as a proxy to another radius server running on the same machine (different IP). So the setup is described as

Solaris 9 Host
----------------------------------------------
|   IP1                       IP2            |
|   Freeradius <---Proxy---> Other Radius    |
|                                            |
----------------------------------------------

The Solaris host contains 2 IPs, freeradius is configured with the listen directive to accept authentication requests on IP1, while the other server is listening on IP2. In the other radius, I have configured as client the IP1 but I notice several failures.

My question is: on a multihomed Solaris host when radius packets are proxied what is their source IP? Is it IP1 or it could also be IP2?

I took a look at the sources where I see that in proxy.c a rad_send() is used to actually send the packet. rad_send() uses sendto() unless WITH_UDPFROMTO is defined in which case sendfromto() is used. In my case, WITH_UDPFROMTO is undefined. sendfromto() is defined in freeradius sources with comments that it works on Linux and FreeBSD 5.x.

I have not seen any configuration option that sets the source address of outgoing packets, in case of multihomed hosts. There is only the following comment in radiusd.conf:

#  bind_address:  Make the server listen on a particular IP address, and
#  send replies out from that address.  This directive is most useful
#  for machines with multiple IP addresses on one interface.
#
#  It can either contain "*", or an IP address, or a fully qualified
#  Internet domain name.  The default is "*"
#
#  As of 1.0, you can also use the "listen" directive.  See below for
#  more information.
#

Can I assume that outgoing packets use as source address the one listed in the listen directive?

Thanks in advance,
Kostas

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
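The source-address behaviour this thread is about, shown as an added example that is not taken from the FreeRADIUS sources: a UDP socket left unbound (the "up to the OS" case) reports 0.0.0.0 until connect(), at which point the kernel picks the source address itself, whereas a socket bound to the listen address keeps that address for every packet it sends. The loopback address 127.0.0.1 and the RADIUS port 1812 are constructed sample values; on the multihomed host above the bind address would be IP1.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Write the socket's current local IPv4 address into out ("0.0.0.0" if unbound). */
static int local_addr(int fd, char *out, size_t outlen)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);

    memset(&sa, 0, sizeof(sa));
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    if (!inet_ntop(AF_INET, &sa.sin_addr, out, outlen)) return -1;
    return 0;
}

/*
 * Open a UDP socket the way a RADIUS proxy would, optionally bind() it to
 * bind_ip (the "listen" address; NULL leaves the choice to the OS), then
 * connect() it to dest_ip:1812.  connect() on a UDP socket sends nothing;
 * it only makes the kernel select the route and, for an unbound socket,
 * the source address that sendto() would later use.  before/after receive
 * the local address as seen before and after connect().
 * Returns 0 on success, -1 on a bad address or socket error.
 */
int chosen_source(const char *bind_ip, const char *dest_ip,
                  char *before, char *after, size_t outlen)
{
    struct sockaddr_in local, remote;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0) return -1;

    if (bind_ip) {
        memset(&local, 0, sizeof(local));
        local.sin_family = AF_INET;
        local.sin_port = 0;                 /* any ephemeral port */
        if (inet_pton(AF_INET, bind_ip, &local.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) {
            close(fd);
            return -1;
        }
    }
    if (local_addr(fd, before, outlen) < 0) { close(fd); return -1; }

    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    remote.sin_port = htons(1812);          /* RADIUS authentication port */
    if (inet_pton(AF_INET, dest_ip, &remote.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&remote, sizeof(remote)) < 0) {
        close(fd);
        return -1;
    }
    if (local_addr(fd, after, outlen) < 0) { close(fd); return -1; }

    close(fd);
    return 0;
}

int main(void)
{
    char before[INET_ADDRSTRLEN], after[INET_ADDRSTRLEN];

    /* Unbound: the OS picks the source address when the packet is routed. */
    if (chosen_source(NULL, "127.0.0.1", before, after, sizeof(before)) == 0)
        printf("unbound: before connect %s, after connect %s\n", before, after);
    /* Bound to the listen address: the source address is fixed in advance. */
    if (chosen_source("127.0.0.1", "127.0.0.1", before, after, sizeof(before)) == 0)
        printf("bound  : before connect %s, after connect %s\n", before, after);
    return 0;
}
```

The home server's client entry must match the address the proxy actually sends from, so the bound case is the one whose result can be relied on.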
Re: FreeRADIUS user Survey
On Thu, Oct 05, 2006 at 02:39:18PM -0400, Alan DeKok wrote:
> In order to better understand the needs of people using FreeRADIUS,
> I've set up a survey with 12 questions. The goal is to understand
> who's using FreeRADIUS, how they're using it, and what the users' needs
> are. The page is:
>
> http://gs-survey.com/s.asp?s=1651
>
> Please take a few minutes to fill out the survey, and I'll be
> posting a summary of the responses here.
>
> I expect to have a few more surveys after this one, to be able to
> target future development.

Thanks for your efforts in supporting FreeRADIUS.

> Alan DeKok.

In the first question (How large is your organization?) the range 101 - 1000 is missing...

In the question (How many RADIUS client machines do you have?) is the last range >101?

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Re: LDAP related questions
On Sat, Jul 01, 2006 at 12:04:24PM -0400, Alan DeKok wrote:
> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > I saw the cvs version and indeed it contains the code you
> > describe. This is a very useful feature. The feature is not contained
> > in the latest stable (1.1.2) version. Will it be in the next?
>
> Probably in 2.0, which we hope to release before the next millennium.

OK, till then, I guess if we need the functionality, we patch the stable version... -:)

> Alan DeKok.

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Re: LDAP related questions
On Wed, Jun 28, 2006 at 04:21:14PM +0300, Kostas Kalevras wrote:
> On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
>
> > On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
> > > > On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
> > > >
> > > > I have a few suspicions where the problem might be.
> > > > Is there a way to define the operator in the radius check attributes
> > > > of ldap (without using the generic radiusCheckItem attribute)?
> > >
> > > radiusSessionTimeout: +=
> > >
> >
> > I meant in ldap.attrmap.
> > When I define for example
> >
> > checkItem Group-Name radiusProfile
> >
> > what is the operator implied (& op=21 in the debugging output)?
> > Can this be changed?
>
> In the cvs version at least an extra field is supported in ldap.attrmap
> which sets the operator to be used. Don't know if it's supported in the
> stable versions.

Thanks Kostas, I saw the cvs version and indeed it contains the code you describe. This is a very useful feature. The feature is not contained in the latest stable (1.1.2) version. Will it be in the next?

> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone:              +30 210 7721861
> 'Go back to the shadow'  Gandalf

--
Kostas [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Re: Freeradius advocacy needed for convincing corporate management
On Wed, Jun 28, 2006 at 02:01:24PM -0400, Alan DeKok wrote:
> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > - Any large installations that use freeradius effectively today
> > (commercial environments preferred). This would give us arguments in
> > favour of freeradius scalability and reliability
>
> Most commercial installations won't publicly say they're using it.
>
> I know of multiple national ISP's with millions of users who've
> replaced commercial servers with FreeRADIUS. But they don't want me
> to mention their names, sorry.
>
> An alternative is to see who's subscribed to this list. Past posts
> include people from DHL, among other large companies.
>
> Alan DeKok.

Thanks very much for all the information. I hope the effort (of convincing) turns out OK.

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Re: LDAP related questions
On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
> > On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
> >
> > I have a few suspicions where the problem might be.
> > Is there a way to define the operator in the radius check attributes
> > of ldap (without using the generic radiusCheckItem attribute)?
>
> radiusSessionTimeout: +=

I meant in ldap.attrmap. When I define for example

checkItem Group-Name radiusProfile

what is the operator implied (& op=21 in the debugging output)? Can this be changed?

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Freeradius advocacy needed for convincing corporate management
My greetings to the list.

The company I work for is one of the largest ISPs in Greece. We are evaluating the possibility to move away from our current radius software (FUNK Radius now Juniper) in favour of freeradius. We as technical people understand all the benefits of the move (and it would also give us opportunity to contribute to the project). However management would like to hear stuff like

- Any large installations that use freeradius effectively today (commercial environments preferred). This would give us arguments in favour of freeradius scalability and reliability
- Possibility to have commercial support

Anyone who can contribute arguments or facts is more than welcome.

Kostas

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Re: LDAP related questions
On Wed, Jun 28, 2006 at 02:11:00PM +0300, Kostas Kalevras wrote:
> On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
>
> > Hello to everyone.
> >
> > I have a question regarding a configuration I am trying to achieve. I
> > have users stored in an ldap database. An example user entry looks
> > like this:
> >
> > dn: uid=kzorba,ou=people,dc=company,dc=gr
> > cn: ZORBADELOS KONSTANTINOS
> > uid: kzorba
> > clearTextPwd: mypassword
> > radiusProfile: PSTN_STATIC
> > radiusAccountStatus: activated
> > radiusMaxLogins: 1
> > radiusExpDate: 2030/12/31 00:00:00
> > Framed-IP-Address: 62.103.176.39
> > objectClass: account
> > objectClass: MyRadiusAccount
> > objectClass: top
> >
> > The attribute radiusProfile groups the users. For each group we have a
> > corresponding profile
>
> Why not put the full profile DN in radiusProfile? Then you can use the
> profile_attribute mechanism

That would be perfect, however we already have the users database and we use a different Radius software. Our data are in the form I described. Any modifications would require migration and this is what I am trying to avoid.

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Re: LDAP related questions
On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:

I have a few suspicions where the problem might be. Is there a way to define the operator in the radius check attributes of ldap (without using the generic radiusCheckItem attribute)?

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
LDAP related questions
dap: performing user authorization for kzorba
radius_xlat:  '(&(uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))'
radius_xlat:  'ou=people,dc=company,dc=gr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=company,dc=gr, with filter (&(uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusProfile as Group, value PSTN_STATIC & op=21
rlm_ldap: Adding radiusMaxLogins as Simultaneous-Use, value 1 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding Framed-IP-Address as Framed-IP-Address, value 62.103.176.39 & op=11
rlm_ldap: user kzorba authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password:  Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 167 to 127.0.0.1 port 41392
        Reply-Message = "Unauthorized access."
Nothing to do.  Sleeping until we see a request.

My questions are:

- Does this approach have a meaning?
- Why does the Group attribute returned through LDAP not match the correct entry in the users file?
- Are there any alternative ideas to achieve the setup I want (users + profiles stored in LDAP with the form of the user entry as I described)

Thanks in advance for any answers.

Kostas

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Re: Error building version 1.1.1
On Thu, Mar 23, 2006 at 08:19:19AM +0100, Stefan Winter wrote:
> Hi,
>
> > The makefile in src/lib creates the lib directory before it installs
> > anything in it. I have no idea why building an RPM would result in
> > things happening in the reverse order.

Indeed the installation fails (I used --prefix in configure) and I compiled from sources without trying to make a package of any sort. By searching I found the following patch:

Index: Makefile === RCS file: /source/radiusd/src/lib/Makefile,v retrieving revision 1.28 diff -u -r1.28 Makefile --- Makefile 22 Jan 2006 21:46:35 - 1.28 +++ Makefile 6 Mar 2006 17:51:34 - -48,6 +48,6 rm -rf .libs install: all - $(LIBTOOL) --mode=install $(INSTALL) -c $(TARGET).la $(R)$(libdir) + $(LIBTOOL) --mode=install $(INSTALL) -c $(TARGET).la $(R)$(libdir)/$(TARGET).la rm -f $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la; ln -s $(TARGET).la $(R)$(libdir)/$(TARGET)-$(RADIUSD_VERSION).la

This solved the issue.

> It doesn't only happen when building an RPM. I installed from the tarball and
> the same thing happened. It worked when I manually created lib/ after the
> first failed attempt and tried it a second time (SuSE 8.2).
> Nicolas Baradakis sent me a patched Makefile, I will try that soon and report
> back if it fixes the issue.
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
>
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Ingenieur Forschung & Entwicklung
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
> http://www.restena.lu        Fax: +352 422473

--
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
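Review bot: the hunk header in the quoted patch has lost its "@@" delimiters (it reads "-48,6 +48,6" rather than "@@ -48,6 +48,6 @@"), so patch(1) will reject it as malformed if taken from this mail; it should be re-posted unmangled or attached. On the change itself, the failure reported in this thread is that $(R)$(libdir) does not exist at install time (Stefan's install worked once he created lib/ by hand), and the hunk only turns the libtool destination from the directory into the full path $(R)$(libdir)/$(TARGET).la; neither that line nor the following "rm -f ...; ln -s ..." line creates the directory, so an explicit "$(INSTALL) -d $(R)$(libdir)" step ahead of the libtool call would address the reported cause directly instead of relying on how libtool treats a missing destination.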
Re: Error: rlm_sql: unknown attribute Cisco-VSA
On Tue, Mar 01, 2005 at 02:35:09AM -0800, Abdul Lateef wrote:
> Hi Guys,
>
> Here is one small problem.
>
> I am using mySQL for the cisco NAS authentication i
> add the following in radreply table:
>
> id  UserName  Attribute  op  Value
> 11  12345     Cisco-VSA  =   h323-credit-time=10

There is no attribute named Cisco-VSA in the freeradius dictionaries. Try using

Cisco-AVPair += h323-credit-time=10

> But It is working and the log is :
>
> Tue Mar 1 08:49:13 2005 : Error: rlm_sql: unknown attribute Cisco-VSA
> Tue Mar 1 08:49:13 2005 : Error: rlm_sql (sql): Error getting data from database
>
> It will be very thankful if anyone can treat it.
>
> Thank YOu

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Re: Version 1.0.2 has been released.
On Thu, Feb 17, 2005 at 03:16:30PM +0200, Kostas Kalevras wrote:
>
> The patch was just committed in CVS. Could you check it out and make sure
> everything works as expected?
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone:              +30 210 7721861
> 'Go back to the shadow'  Gandalf

Kostas,

I performed a diff between my patched sql_oracle.c file and the same file as seen in the freeradius CVS tree and there are no differences. Since this patch runs without problems in our production environment, everything seems to be OK. So we are expecting to see the patch included in the next release.

Thanks again for everything.

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Re: How can I unsubscribe
On Fri, Feb 18, 2005 at 10:55:57AM +0800, Zhao Yu,SCNB R&D NNA(BJ) wrote:
> How can I unsubscribe?

http://lists.freeradius.org/mailman/listinfo/freeradius-users

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Re: Version 1.0.2 has been released.
On Thu, Feb 17, 2005 at 03:16:30PM +0200, Kostas Kalevras wrote:
>
> The patch was just committed in CVS. Could you check it out and make sure
> everything works as expected?
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone:              +30 210 7721861
> 'Go back to the shadow'  Gandalf

Kostas,

I cannot find a web cvs interface in the freeradius site. I will wait till tomorrow and I will download the latest snapshot. The patch as seen in http://bugs.freeradius.org/show_bug.cgi?id=128 is already applied in our production environment and runs without problems for a few months.

Thanks a lot

Kostas

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Re: Version 1.0.2 has been released.
On Wed, Feb 16, 2005 at 02:55:12PM -0500, Alan DeKok wrote:
> FreeRADIUS 1.0.2 ; $Date: 2005/02/13 01:03:20 $, urgency=medium
> * Novell eDirectory support. Patch from Novell.
> * localweb & Trapeze dictionary updates.
> * EAP-SIM fixes.
> * Make "Strip-User-Name = No" work.
> * Don't declare zero-length arrays in rlm_passwd
> * Bug fix to make udpfromto code work
> * radrelay shouldn't dump core if it can't read a VP from the
>   detail file.
> * Only initialize the random pool once.
> * In rlm_sql, don't escape characters twice.
> * Fix MD4 calculation on big-endian machines.
> * In rlm_ldap, only claim Auth-Type if a plain text password is present
> * Treat Quintium VSAs like Cisco VSAs
> * Locking fixes in threading code
> * rlm_krb5 includes /usr/include/et for Fedora Core
> * Fix post-auth REJECT stanza processing for rejections from external
>   processes or home RADIUS servers
> * Fix building on gcc-4.0 by not trying to access static auth_port from
>   other files.
> * Fix building SNMP support on Solaris 9, which needs -lkstat
>
> Alan DeKok.

Dear Alan,

unfortunately, as I can see, the patch discussed in http://bugs.freeradius.org/show_bug.cgi?id=128 was not applied in this release. Is this an omission, or is the plan to apply it later?

Thanks and keep up the good work!

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Re: Problem with Auth-Type
On Tue, Nov 16, 2004 at 08:02:42AM +0000, carlos akitani wrote:
> Hi, I've got the same
> problem but no solution.
> I've added the Auth-Type:=Local in the users file but the same
> answer:
> auth: No authenticate method (Auth-Type) configuration found
> for the request: Rejecting the user
> and even (username/password) not valid (but I've declared
> them in the clients.conf).
> How to do?

First of all; please NO HTML MAIL!

You should really read documentation first before trying to achieve what you want. Clients.conf is not used to store usernames and passwords of the users. The users file is meant to do that. Read the comments in the users file and also the aaa.txt in the doc directory to get an idea of how the radius server works.

Kostas

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Re: Authenticating more than username/password
On Fri, Nov 12, 2004 at 11:28:09AM -0800, David Young wrote:
> Hi, I was wondering if there's a way to make freeradius authenticate a client
> based on more than username and password? for example, I want to limit a
> user to dial in only from a certain designated number (ANI) to prevent fraud.
> My user lookup is done through postgresql. Is there a way to do additional
> checks before replying to the NAS with an Accept or Reject response? Maybe
> something that will do:

Yes, use additional check items. Look at the comments in the users file and also in its man page for more info.

> if (username and password and ANI) all match then
>   Accept
> else
>   reject
>
> Thanks a lot,
> David

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Re: Problem with Auth-Type
On Wed, Nov 10, 2004 at 11:23:52AM -0300, German P. Santillan - DESETech wrote:

You won't find that in radiusd.conf. You need to add Auth-Type := Local to the users file. Man users to see anything else.

> My system requires Local Auth-Type Method, but this method has not been defined in
> my radiusd.conf, and when I run radiusd with -X param, this appears
>
> auth: No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
>
> Thanks
>
> Germán P. Santillán
> Administrador de Redes
> DESETech Argentina
> http://www.desetech.com.ar

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Re: Oracle cursor leak
On Thu, Nov 11, 2004 at 02:23:36PM +0300, Alexander Serkin wrote:

OK here is the patched file. You can verify it if you diff it with the original file.

Kostas

> Kostas Zorbadelos wrote:
> ...
> > I resubmit the patch as a text file (output of
> > diff sql_oracle.c.before_patch sql_oracle.c > freeradius_oracle_patch)
> > because from the web page I had
> > problems applying it and I was forced to apply it partly by hand
> > editing of the code...
>
> the same problem. I cannot apply patch taken from the web:
>
> patching file src/modules/rlm_sql/drivers/rlm_sql_oracle/sql_oracle.c
> patch: malformed patch at line 60: @@ -311,9 +328,11 @@
>
> --
> Sincerely Yours,
> Alexander Serkin,
> Skylink, Moscow

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]

/*
 * sql_oracle.c	Oracle (OCI) routines for rlm_sql
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 * Copyright 2000  The FreeRADIUS server project
 * Copyright 2000  David Kerry <[EMAIL PROTECTED]>
 */

/* The header names of the bare #include lines below were lost in the
 * list archive (the angle-bracketed names were stripped); only the
 * quoted local headers survived. */
#include
#include
#include
#include
#include
#include "radiusd.h"
#include
#include "rlm_sql.h"

typedef struct rlm_sql_oracle_sock {
	OCIEnv		*env;
	OCIError	*errHandle;
	OCISvcCtx	*conn;
	OCIStmt		*queryHandle;
	sb2		*indicators;
	char		**results;
	int		id;
	int		in_use;
	struct timeval	tv;
} rlm_sql_oracle_sock;

#define	MAX_DATASTR_LEN	64

/*
 *
 *	Function: sql_error
 *
 *	Purpose: database specific error. Returns error associated with
 *		 connection
 *
 */
static char *sql_error(SQLSOCK *sqlsocket, SQL_CONFIG *config) {

	static char	msgbuf[512];
	sb4		errcode = 0;
	rlm_sql_oracle_sock *oracle_sock = sqlsocket->conn;

	if (!oracle_sock) return "rlm_sql_oracle: no connection to db";

	memset((void *) msgbuf, (int)'\0', sizeof(msgbuf));

	OCIErrorGet((dvoid *) oracle_sock->errHandle, (ub4) 1, (text *) NULL,
		&errcode, msgbuf, (ub4) sizeof(msgbuf), (ub4) OCI_HTYPE_ERROR);
	if (errcode) {
		return msgbuf;
	}
	else {
		return NULL;
	}
}

/*
 *
 *	Function: sql_check_error
 *
 *	Purpose: check the error to see if the server is down
 *
 */
static int sql_check_error(SQLSOCK *sqlsocket, SQL_CONFIG *config) {

	/* sql_error() returns NULL when OCI reports no error code, so the
	 * result is checked before being handed to strstr(). */
	const char *err = sql_error(sqlsocket, config);

	if (err && (strstr(err, "ORA-03113") ||
			strstr(err, "ORA-03114"))) {
		radlog(L_ERR,"rlm_sql_oracle: OCI_SERVER_NOT_CONNECTED");
		return SQL_DOWN;
	}
	else {
		radlog(L_ERR,"rlm_sql_oracle: OCI_SERVER_NORMAL");
		return -1;
	}
}

/*
 *
 *	Function: sql_close
 *
 *	Purpose: database specific close. Closes an open database
 *		 connection and cleans up any open handles.
 *
 */
static int sql_close(SQLSOCK *sqlsocket, SQL_CONFIG *config) {

	rlm_sql_oracle_sock *oracle_sock = sqlsocket->conn;

	if (oracle_sock->conn) {
		OCILogoff (oracle_sock->conn, oracle_sock->errHandle);
	}

	if (oracle_sock->queryHandle) {
		OCIHandleFree((dvoid *)oracle_sock->queryHandle, (ub4) OCI_HTYPE_STMT);
	}
	if (oracle_sock->errHandle) {
		OCIHandleFree((dvoid *)oracle_sock->errHandle, (ub4) OCI_HTYPE_ERROR);
	}
	if (oracle_sock->env) {
		OCIHandleFree((dvoid *)oracle_sock->env, (ub4) OCI_HTYPE_ENV);
	}

	oracle_sock->conn = NULL;
	free(oracle_sock);
	sqlsocket->conn = NULL;

	return 0;
}

/*
 *
 *	Function: sql_init_socket
 *
 *	Purpose: Establish connection to the db
 *
 *
Re: Oracle cursor leak
On Wed, Nov 03, 2004 at 07:27:18PM +0100, Roberto Re wrote:
> hi,
>
> I have applied the patch yesterday only, but the problem still exists.
> The cursors are allocated and they continuously increase up to the maximum
> limit imposed by Oracle to the db.
>
> I have analysed some of the queries allocating the cursors: there are some
> query to RADGROUPCHECK and RADGROUPREPLY tables, which are _*empty*_.
> Could it be those ones raising the problem?
>
> As we are not using those 2 tables, would it be possible to modify the
> cfg of Freeradius, so that it does no longer use them?
>
> I will also try to insert some dummy-values in the two RADGROUP...
>
> Thanks and regards
> Roberto

I am not using RADGROUPCHECK and RADGROUPREPLY either so I have commented out all the relevant lines for them (including the queries) in oraclesql.conf. I haven't noticed any problem with cursor allocating in oracle 8i. Our DBA told me that there are database parameters you can tune that could help (look at cursor_sharing and instead of the value EXACT use FORCE (for 8i) or SIMILAR (for 9i)).

Kostas

> > On Thu, Oct 14, 2004 at 11:13:40AM +0200, Roberto Re wrote:
> > > Kostas Zorbadelos wrote:
> > >
> > > > On Wed, Oct 13, 2004 at 06:25:25PM +0200, Roberto Re wrote:
> > > >
> > > > > First of all thanks for your attention, Alan
> > > > >
> > > > > My problem however seems to be more like this:
> > > > > http://lists.cistron.nl/pipermail/freeradius-devel/2002-December/004052.html
> > > > >
> > > > > I had already checked the working code, which includes that patch and it
> > > > > is exactly the following one:
> > > > >
> > > > > http://www.freeradius.org/cvs-log/radiusd/src/modules/rlm_sql/drivers/rlm_sql_oracle/sql_oracle.c
> > > > >
> > > > The code in this url does not include the patch Alan is referring
> > > > to. Of course the patch in
> > > > http://bugs.freeradius.org/show_bug.cgi?id=128 addresses the
> > > > freeradius crash in case of Oracle errors in sql queries. This happens
> > > > with the Oracle 8i client libraries. I was told that Oracle 9 client
> > > > libs do not cause the freeradius crash (not tested myself).
> > >
> > > In my experience with Oracle 9 client (on a Linux RedHat Enterprise) the
> > > freeRADIUS doesn't crash, it doesn't release cursors on the oracle side.
> > >
> > > Roberto
> > >
> >
> > OK, if the crashes do not happen on successive Oracle errors, try the
> > patch and let us know if it also solves your problem.
> >

--
Kostas Zorbadelos
Systems Developer, Otenet SA
mailto: [EMAIL PROTECTED]
Re: Exec-Program-Wait question and rlm_exec
On Tue, Oct 26, 2004 at 10:20:48AM -0400, Alan DeKok wrote:
> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > First of all I have a question for Exec-Program-Wait. I need to run an
> > external C program that expects in its environment a proper
> > LD_LIBRARY_PATH to run. I followed the obvious solution of using a
> > wrapper bash shell script, that sets the environment and calls the C
> > program via exec. Can I avoid this?
>
> No.
>
> I'd suggest adding a patch to rlm_exec, so that it can take a
> configuration directive for LD_LIBRARY_PATH, and maybe others.
>
> > The second thing I want to bring up again is the rlm_exec module. Back
> > in September (thread rlm_exec vs Exec-Program-Wait attribute)
> > summarized in
> > http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00161.html,
> > a set of changes to rlm_exec were proposed to also handle the case of
> > having attributes in access-reject.
> > Are these changes going to be accepted finally and if so in which
> > version?
>
> Probably, but I haven't had time to look over them yet. If
> sufficient people use the patch and like it, it can be added.
>
> Alan DeKok.

Actually the conversation in that thread ended by mentioning the ideas
rlm_exec should follow. I didn't see any patch that implemented them.
If there is such a patch please direct me to it and I will test it.

Kostas

--
Kostas Zorbadelos
Exec-Program-Wait question and rlm_exec
Hello to everyone.

First of all I have a question for Exec-Program-Wait. I need to run an
external C program that expects in its environment a proper LD_LIBRARY_PATH
to run. I followed the obvious solution of using a wrapper bash shell
script, that sets the environment and calls the C program via exec. Can I
avoid this? That is, can I have the radius server pass the proper
environment directly to the program? I read the variables.txt and I do not
see this possibility.

The second thing I want to bring up again is the rlm_exec module. Back in
September (thread rlm_exec vs Exec-Program-Wait attribute) summarized in
http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00161.html,
a set of changes to rlm_exec were proposed to also handle the case of
having attributes in access-reject. Are these changes going to be accepted
finally and if so in which version? I am trying 1.0.1 now with the
exec-program-wait because of rlm_exec restrictions.

Thanks in advance.

Kostas

--
Kostas Zorbadelos
Re: Oracle cursor leak
On Thu, Oct 14, 2004 at 11:13:40AM +0200, Roberto Re wrote:
> Kostas Zorbadelos wrote:
> >On Wed, Oct 13, 2004 at 06:25:25PM +0200, Roberto Re wrote:
> >>First of all thanks for your attention, Alan
> >>
> >>My problem however seems to be more like this:
> >>http://lists.cistron.nl/pipermail/freeradius-devel/2002-December/004052.html
> >>
> >>I had already checked the working code, which includes that patch and it
> >>is exactly the following one:
> >>
> >>http://www.freeradius.org/cvs-log/radiusd/src/modules/rlm_sql/drivers/rlm_sql_oracle/sql_oracle.c
> >>
> >The code in this url does not include the patch Alan is referring
> >to. Of course the patch in
> >http://bugs.freeradius.org/show_bug.cgi?id=128 addresses the
> >freeradius crash in case of Oracle errors in sql queries. This happens
> >with the Oracle 8i client libraries. I was told that Oracle 9 client
> >libs do not cause the freeradius crash (not tested myself).
>
> In my experience with Oracle 9 client (on a Linux RedHat Enterprise) the
> freeRADIUS doesn't crash, it doesn't release cursors on the oracle side.
>
> Roberto

OK, if the crashes do not happen on successive Oracle errors, try the
patch and let us know if it also solves your problem.

--
Kostas Zorbadelos
Re: Oracle cursor leak
On Wed, Oct 13, 2004 at 06:25:25PM +0200, Roberto Re wrote:
> First of all thanks for your attention, Alan
>
> My problem however seems to be more like this:
> http://lists.cistron.nl/pipermail/freeradius-devel/2002-December/004052.html
>
> I had already checked the working code, which includes that patch and it
> is exactly the following one:
>
> http://www.freeradius.org/cvs-log/radiusd/src/modules/rlm_sql/drivers/rlm_sql_oracle/sql_oracle.c

The code in this url does not include the patch Alan is referring to. Of
course the patch in http://bugs.freeradius.org/show_bug.cgi?id=128
addresses the freeradius crash in case of Oracle errors in sql queries.
This happens with the Oracle 8i client libraries. I was told that Oracle 9
client libs do not cause the freeradius crash (not tested myself). Anyway
the proposed patch is said to better handle the Oracle connections.

I tested the patch myself and it works OK. Crashes no longer occur and
freeradius handles Oracle connections better. However the patch is not
included in freeradius 1.0.1. Any plans of including it in a later version?

I resubmit the patch as a text file (output of
diff sql_oracle.c.before_patch sql_oracle.c > freeradius_oracle_patch)
because from the web page I had problems applying it and I was forced to
apply it partly by hand editing of the code...

Kostas

> Function: sql_free_result, does this function release memory but not
> any cursors on the oracle side?
>
> Thanks
> Roberto
>
> Alan DeKok wrote:
> >Roberto Re <[EMAIL PROTECTED]> wrote:
> >>I've installed a FreeRADIUS version 1.0.0 on a Linux Red Hat Enterprise
> >>with Oracle Client 9.1, it never close any cursors it opened, leading to
> >>all sorts of interesting problems when the max-open-cursor limits
> >>were hit.
> >>
> >>How can I fix this problem ?
> >
> > http://bugs.freeradius.org/show_bug.cgi?id=128
> >
> > The patch there may help. If it does, please say so on the list.
> >
> > Alan DeKok.
> > > >- > >List info/subscribe/unsubscribe? See > >http://www.freeradius.org/list/users.html > > > > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > -- Kostas Zorbadelos Systems Developer, Otenet SA mailto: [EMAIL PROTECTED] Out there in the darkness, out there in the night out there in the starlight, one soul burns brighter than a thousand suns. 75a76,94 > /* > * > *Function: sql_check_error > * > *Purpose: check the error to see if the server is down > * > */ > static int sql_check_error(SQLSOCK *sqlsocket, SQL_CONFIG *config) { > > if (strstr(sql_error(sqlsocket, config), "ORA-03113") || > strstr(sql_error(sqlsocket, config), "ORA-03114")) { > radlog(L_ERR,"rlm_sql_oracle: OCI_SERVER_NOT_CONNECTED"); > return SQL_DOWN; > } > else { > radlog(L_ERR,"rlm_sql_oracle: OCI_SERVER_NORMAL"); > return -1; > } > } 247c266 < (ub4) OCI_DEFAULT); --- > (ub4) OCI_COMMIT_ON_SUCCESS); 249,252c268,269 < if ((x != OCI_NO_DATA) && (x != OCI_SUCCESS)) { < radlog(L_ERR,"rlm_sql_oracle: execute query failed in sql_query: %s", < sql_error(sqlsocket, config)); < return SQL_DOWN; --- > if (x == OCI_SUCCESS) { > return 0; 255,257c272,273 < x = OCITransCommit(oracle_sock->conn, oracle_sock->errHandle, (ub4) 0); < if (x != OCI_SUCCESS) { < radlog(L_ERR,"rlm_sql_oracle: commit failed in sql_query: %s", --- > if (x == OCI_ERROR) { > radlog(L_ERR,"rlm_sql_oracle: execute query failed in sql_query: %s", 259c275,278 < return SQL_DOWN; --- > return sql_check_error(sqlsocket, config); > } > else { > return -1; 261,262d279 < < return 0; 314,316c331,335 < else if (x != OCI_SUCCESS) { < radlog(L_ERR,"rlm_sql_oracle: query failed in sql_select_query: %s",sql_error(sqlsocket, config)); < return SQL_DOWN; --- > > if (x != OCI_SUCCESS) { > radlog(L_ERR,"rlm_sql_oracle: query failed in sql_select_query: %s", > sql_error(sqlsock
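Review bot: in the added sql_check_error() (hunk 75a76,94) the two strstr() tests each call sql_error(sqlsocket, config) again, so the driver error text is fetched up to twice per failed query and the two checks may not even see the same message; fetch it once into a local (`const char *msg = sql_error(sqlsocket, config);`) and test that. The else branch also logs "rlm_sql_oracle: OCI_SERVER_NORMAL" at L_ERR for every error that is not a lost connection, which adds a line per ordinary server-side error (the ORA-01401 case discussed in this thread) on top of the radlog the caller already emits; L_DBG, or no log line at all on that path, fits better. Finally the set of "server is down" codes is hard-coded to ORA-03113 and ORA-03114 with no comment saying why those two were chosen, which makes the list hard to extend safely.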
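Review bot: the change at 247c266 from OCI_DEFAULT to OCI_COMMIT_ON_SUCCESS, together with the removal of the explicit OCITransCommit() call and its error check in the 255,257c272,273 hunk, changes when data reaches the database: every successful OCIStmtExecute() now commits on its own instead of through the separate, checked commit the old code made. That is acceptable for the single INSERT/UPDATE statements sql_query() runs, but it is a behavioural change the accompanying text does not mention; a one-line comment at the execute call saying the commit is implicit would stop a later reader from re-adding a commit, and the commit-failure log line that disappears with the old OCITransCommit() should be noted as intentionally dropped.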
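Review bot: the rewritten return path in sql_query() (hunks 249,252c268,269 through 261,262d279) regresses the OCI_NO_DATA case. The old condition `if ((x != OCI_NO_DATA) && (x != OCI_SUCCESS))` treated OCI_NO_DATA as success; the new code returns 0 only for `x == OCI_SUCCESS`, logs and classifies only `x == OCI_ERROR`, and sends every other status (OCI_NO_DATA, and also OCI_SUCCESS_WITH_INFO) into the silent `else { return -1; }` branch, so those now count as query failures without any log line. Keep the non-error statuses explicit, e.g. `if (x == OCI_SUCCESS || x == OCI_NO_DATA) return 0;`, and add a radlog in the fall-through branch so an unexpected status is visible rather than reported as a bare -1.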
Re: Proxying Radius server
On Wed, Sep 08, 2004 at 02:43:34AM -0700, Cool Man wrote:

So, use the 'nostrip' option in the realm configuration.

> Hi,
>
> I am using freeradius 1.0.0 for proxying purpose.
>
> I have seen a small problem with my proxy test. I have a radius server
> acting as proxy which forwards the packets to another radius server.
> Further, I have also enabled proxying on second radius server.
>
> Client --> (Proxy radius server) --> (Radius Server).
>
> Now my problem is when I enter the user name like [EMAIL PROTECTED] the
> proxy radius server strips off the realm while forwarding the packets to
> actual radius server.
>
> I see this problem because if the actual radius server need to decide
> whether it should forward the user credential to another server then the
> realm information is not there.
>
> This is similar like hop by hop forwarding the request to radius server
> until it finds the desired one.
>
> Could anyone explain this and explain why freeradius strips off the
> realm from username while forwarding the request to another server.
>
> Thanks
> Raza.

--
Kostas Zorbadelos
Re: Exec-Program doesn't execute the program
On Mon, Sep 06, 2004 at 04:25:48PM +0300, Edgars wrote:
> got it to work:) i was putting this attribute in the radcheck table not
> radreply.

Ok, so you were using an sql db backend...

> But now another problem is rising up - the only reason why i
> want to use this attribute is that i wanted to add a Session-Timeout
> attribute to radreply table and that this timeout should be given to
> the user in the current authentication try. But the php script is only
> adding the timeout but it will be given to user only at the next login.
> How to workaround this? Should i use rlm_sql instead of exec-program
> attribute?
>
> Edgars

So you don't need to store it in radreply table. Your external script will
enrich the attributes returned to the client by adding the Session-Timeout.

--
Kostas Zorbadelos
Re: rlm_exec vs Exec-Program-Wait attribute
On Sat, Sep 04, 2004 at 07:56:29PM +0200, Thor Spruyt wrote:
> Paul Hampson wrote:
> > New behaviour: (Replaces behaviour identical to <0 above)
> > If the program returns 1 through RLM_MODULE_NUMCODES, return the
> > appropriate code and attributes as expected.
> > 1  RLM_MODULE_REJECT,   /* immediately reject the request */
> > 2  RLM_MODULE_FAIL,     /* module failed, don't reply */
> > 3  RLM_MODULE_OK,       /* the module is OK, continue */
> > 4  RLM_MODULE_HANDLED,  /* the module handled the request, so stop. */
> > 5  RLM_MODULE_INVALID,  /* the module considers the request invalid. */
> > 6  RLM_MODULE_USERLOCK, /* reject the request (user is locked out) */
> > 7  RLM_MODULE_NOTFOUND, /* user not found */
> > 8  RLM_MODULE_NOOP,     /* module succeeded without doing anything */
> > 9  RLM_MODULE_UPDATED,  /* OK (pairs modified) */
>
> Looks ok.
>
> > If it returns > RLM_MODULE_NUMCODES, return RLM_MODULE_OK. (as for 0)
>
> Maybe it's better to return RLM_MODULE_FAIL in this case.
>
> > This then leads the question, what return code do we want for when the
> > child process terminates abnormally? (!WIFEXITED or rad_waitpid
> > returns something other than the child's pid)... If we leave it as it
> > is, it's RLM_MODULE_REJECT with the below patch... Would
> > RLM_MODULE_FAIL be better? (Changes return 1 at src/main/exec.c:390
> > to return 2... This
>
> I guess RLM_MODULE_FAIL would be better here.
>
> --
> Regards,
>
> Thor Spruyt

I also agree with Thor's input.

--
Kostas Zorbadelos
Re: Exec-Program doesn't execute the program
On Mon, Sep 06, 2004 at 04:00:43PM +0300, Edgars wrote:

What is the debugging output of radiusd -X?

> nope, the same.
>
> Edgars
>
> Kostas Zorbadelos wrote:
> >On Mon, Sep 06, 2004 at 03:12:47PM +0300, Edgars wrote:
> >>with permissions there are no problems, i tried also your chmod options.
> >>The same:/
> >>Maybe something else?
> >>
> >>Edgars
> >
> >Perhaps you should create an executable wrapper shell script
> >containing the call to your php script like
> >
> >StartPhp.sh
> >
> >#!/bin/sh
> >
> >php -f
> >
> >>Kostas Zorbadelos wrote:
> >>>On Mon, Sep 06, 2004 at 02:27:29PM +0300, Edgars wrote:
> >>>>Hello,
> >>>>
> >>>>in some way this attribute does not execute my PHP program. I have data
> >>>>base insert query in this file to test all this. If i execute the *.php
> >>>>program from command line, everything is OK - a new field is added in
> >>>>the DB. I've put this attribute with path in the radcheck table.
> >>>>
> >>>>Where could be the problem? Can't tell anything from the debugging
> >>>>mode..
> >>>>
> >>>>Edgars
> >>>
> >>>Is your script executable from the user who owns radiusd?
> >>>A chmod 755 would be appropriate then.

--
Kostas Zorbadelos
Proxy.conf configuration options question
I have questions regarding the synchronous, retry_delay and retry_count
configuration options in proxy.conf. I have noticed that the setup below,
used in my production system (0.9.3), does not work in case of accounting
packets. To be precise, whenever I do not receive acks in the accounting
packets I send, the retransmission policy is that of the router (3 x 10
sec) and not freeradius'. Do these configuration options affect
access-requests only?

#
#  If the NAS re-sends the request to us, we can immediately re-send
#  the proxy request to the end server.  To do so, use 'yes' here.
#
#  If this is set to 'no', then we send the retries on our own schedule,
#  and ignore any duplicate NAS requests.
#
#  If you want to have the server send proxy retries ONLY when the NAS
#  sends it's retries to the server, then set this to 'yes', and
#  set the other proxy configuration parameters to 0 (zero).
#
synchronous = no

#
#  The time (in seconds) to wait for a response from the proxy, before
#  re-sending the proxied request.
#
#  If this time is set too high, then the NAS may re-send the request,
#  or it may give up entirely, and reject the user.
#
#  If it is set too low, then the RADIUS server which receives the proxy
#  request will get kicked unnecessarily.
#
retry_delay = 7

#
#  The number of retries to send before giving up, and sending a reject
#  message to the NAS.
#
retry_count = 4

#
#  If the home server does not respond to any of the multiple retries,
#  then FreeRADIUS will stop sending it proxy requests, and mark it 'dead'.
#
#  If there are multiple entries configured for this realm, then the
#  server will fail-over to the next one listed.  If no more are listed,
#  then no requests will be proxied to that realm.
#

--
Kostas Zorbadelos
Re: Exec-Program doesn't execute the program
On Mon, Sep 06, 2004 at 03:12:47PM +0300, Edgars wrote:
> with permissions there are no problems, i tried also your chmod options.
> The same:/
> Maybe something else?
>
> Edgars

Perhaps you should create an executable wrapper shell script containing
the call to your php script like

StartPhp.sh

#!/bin/sh

php -f

> Kostas Zorbadelos wrote:
> >On Mon, Sep 06, 2004 at 02:27:29PM +0300, Edgars wrote:
> >>Hello,
> >>
> >>in some way this attribute does not execute my PHP program. I have data
> >>base insert query in this file to test all this. If i execute the *.php
> >>program from command line, everything is OK - a new field is added in
> >>the DB. I've put this attribute with path in the radcheck table.
> >>
> >>Where could be the problem? Can't tell anything from the debugging mode..
> >>
> >>Edgars
> >
> >Is your script executable from the user who owns radiusd?
> >A chmod 755 would be appropriate then.

--
Kostas Zorbadelos
Re: Exec-Program doesn't execute the program
On Mon, Sep 06, 2004 at 02:27:29PM +0300, Edgars wrote:
> Hello,
>
> in some way this attribute does not execute my PHP program. I have data
> base insert query in this file to test all this. If i execute the *.php
> program from command line, everything is OK - a new field is added in
> the DB. I've put this attribute with path in the radcheck table.
>
> Where could be the problem? Can't tell anything from the debugging mode..
>
> Edgars

Is your script executable from the user who owns radiusd?
A chmod 755 would be appropriate then.

--
Kostas Zorbadelos
Re: Oracle Bug Report
On Mon, Sep 06, 2004 at 08:27:33AM +0200, Andrea Gabellini wrote:
> I'm using the 8.1.7 library to connect to a 9.2 database. I can't upgrade
> my library because I'm working with Solaris and x86 hardware. The last
> oracle client for this platform is the 8.1.

I am afraid I can't upgrade my client library too.

> If this is a bug of the library I'm very happy, but I think that the oracle
> driver in FR must manage better the OCI_ERROR condition.
> Actually EVERY error returns SQL_DOWN, and this is not correct if the error
> is generated by the server because the server is up and running.
>
> Andrea

This seems like a good improvement in the freeradius code. Will this patch
be accepted in the CVS and be available in a next minor revision?

Kostas

--
Kostas Zorbadelos
Re: Oracle bug report
On Fri, Sep 03, 2004 at 08:54:42AM -0500, Dave Weis wrote:
> On Fri, 3 Sep 2004, Kostas Zorbadelos wrote:
> >OK, it seems bugs.freeradius.org is experiencing problems.
> >I submit the bug here with the corresponding debugging outputs. When
> >the problems are restored, I will submit it in bugs also...
> >Short Description:
> >Freeradius crashes upon oracle errors in accounting queries
> >Way to reproduce:
> >Run radiusd -X and from a shell
> >for ((i=0;$i<30; i=$i+1)); do radclient -d ~/freeradius/BUILD/etc/raddb/
> >-f testacct localhost acct testing123; sleep 2; done
> >testacct file:
> >User-Name = kzorbatest
> >Acct-Session-Id = 123456789009876543211234567890ABCDEFGHI
> >NAS-IP-Address = 62.103.3.155
> >Acct-Status-Type = Start
> >(very big Acct-Session-Id will cause oracle error (ORA-01401: inserted
> >value too large for column)
>
> That is because the session ID column is declared as a 32 character
> varchar. You are putting 39 characters into it. If the spec defines a
> maximum length of 32 characters, then you have too long of a session ID,
> or the column isn't large enough.
>
> dave

Yes, I know. I caused the oracle error on purpose to cause the crash.

Kostas

> --
> Dave Weis
> [EMAIL PROTECTED]
> http://www.internetsolver.com/

--
Kostas Zorbadelos
Oracle bug report
OK, it seems bugs.freeradius.org is experiencing problems.
I submit the bug here with the corresponding debugging outputs. When the
problems are restored, I will submit it in bugs also...

Short Description:
Freeradius crashes upon oracle errors in accounting queries

Way to reproduce:
Run radiusd -X and from a shell

for ((i=0;$i<30; i=$i+1)); do radclient -d ~/freeradius/BUILD/etc/raddb/ -f testacct localhost acct testing123; sleep 2; done

testacct file:
User-Name = kzorbatest
Acct-Session-Id = 123456789009876543211234567890ABCDEFGHI
NAS-IP-Address = 62.103.3.155
Acct-Status-Type = Start

(very big Acct-Session-Id will cause oracle error (ORA-01401: inserted
value too large for column)

Environment: Solaris 8, gcc 2.95.3, Oracle 8.1.7

Attached are the outputs of gdb with the bt and also output of truss

Kostas

--
Kostas Zorbadelos

[EMAIL PROTECTED]:~->gdb /space/radius/freeradius/BUILD/sbin/radiusd ./core
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...(no debugging symbols found)...
Core was generated by `radiusd -X'.
Program terminated with signal 10, Bus error.
Reading symbols from /usr/lib/libcrypt_i.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libcrypt_i.so.1
Reading symbols from /space/radius/freeradius/BUILD/lib/libradius-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius/BUILD/lib/libradius-1.0.0.so
Reading symbols from /space/radius/freeradius/BUILD/lib/libltdl.so.3...done.
Loaded symbols for /space/radius/freeradius/BUILD/lib/libltdl.so.3
Reading symbols from /usr/lib/libdl.so.1...done.
Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/lib/libnsl.so.1...done.
Loaded symbols for /usr/lib/libnsl.so.1
Reading symbols from /usr/lib/libresolv.so.2...done.
Loaded symbols for /usr/lib/libresolv.so.2
Reading symbols from /usr/lib/libsocket.so.1...done.
Loaded symbols for /usr/lib/libsocket.so.1
Reading symbols from /usr/lib/librt.so.1...done.
Loaded symbols for /usr/lib/librt.so.1
Reading symbols from /usr/lib/libpthread.so.1...done.
Loaded symbols for /usr/lib/libpthread.so.1
Reading symbols from /usr/lib/libc.so.1...done.
Loaded symbols for /usr/lib/libc.so.1
Reading symbols from /usr/lib/libgen.so.1...done.
Loaded symbols for /usr/lib/libgen.so.1
Reading symbols from /usr/lib/libmp.so.2...done.
Loaded symbols for /usr/lib/libmp.so.2
Reading symbols from /usr/lib/libaio.so.1...done.
Loaded symbols for /usr/lib/libaio.so.1
Reading symbols from /usr/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1...done.
Loaded symbols for /usr/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1
Reading symbols from /usr/lib/libthread.so.1...done.
Loaded symbols for /usr/lib/libthread.so.1
Reading symbols from /usr/lib/nss_files.so.1...done.
Loaded symbols for /usr/lib/nss_files.so.1
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_exec-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_exec-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_expr-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_expr-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_pap-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_pap-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_chap-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_chap-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_mschap-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_mschap-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_unix-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_unix-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap_md5-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap_md5-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap_leap-1.0.0.so...done.
Loaded symbols for /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap_leap-1.0.0.so
Reading symbols from /space/radius/freeradius-1.0.0/BUILD/lib/rlm_eap_gtc-1.0.0.so...done.
Loaded symbols for /space/radius/freera
Re: freeradius 1.0.0 Solaris compile issues [Partially SOLVED]
On Thu, Aug 26, 2004 at 05:19:06PM +0300, Kostas Zorbadelos wrote:

Hello to everyone. I had sent 2 compile issues of freeradius-1.0.0 on
Solaris 2.8, gcc 2.95.3

> I can see that ltdl.h is not in the include path passed to gcc but in
> ./libltdl/ltdl.h. The problem is solved if we use the
> --with-ltdl-include in the configure line

This one was my problem. I had used
$./configure --prefix=~/freeradius-1.0.0/BUILD
in configure. The problem does not exist if I use a full path in --prefix
and not the '~' shortcut of bash.

However, the error regarding rlm_x99_token exists.

> Making static dynamic in rlm_x99_token...
> make[6]: Entering directory
> `/space/radius/freeradius-1.0.0/src/modules/rlm_x99_token'
> gcc -fcse-skip-blocks -fexpensive-optimizations -finline-functions
> -fomit-frame-pointer -O3 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5
> -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -DX99_MODULE_NAME=\"rlm_x99_token\"
> -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
> In file included from x99_rlm.c:54:
> x99.h:26: openssl/des.h: No such file or directory
>
> I do not have openssl in the system. Shouldn't autoconf diagnose this
> and disable rlm_x99_token as it did in several eap modules?

I solved it using --without-rlm_x99_token in the configure line.

--
Kostas Zorbadelos
Re: rlm_exec vs Exec-Program-Wait attribute
On Thu, Sep 02, 2004 at 02:52:13PM -0400, Alan DeKok wrote:

Dear Alan, though this setup you propose will work, I agree with Thor's
opinion on the matter. I believe that it would be a good idea to allow
rlm_exec module return reject messages with attributes in them as
Exec-Program-Wait does. In this case, we can have the good things of
Exec-Program-Wait, plus the extras of rlm_exec.

For now, I think that for my needs I will use Exec-Program-Wait as I find
it a more elegant setup (of course I do not expect it to go away in a
future version right?).

Please let us know your thoughts on the matter.

Thanks
Kostas

> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > Autz-Type CLID {
> >     callerid {
> >         fail=reject
> >     }
> > }
> >
> > In this case when the external script returns a non zero exit code or
> > fails I get an Access-Reject. However I cannot put any attributes
> > inside this reject packet.
>
> So do the following:
>
> Autz-Type CLID {
>     callerid {
>         ok = return
>         notfound = return
>         ... = return
>         fail = 1
>     }
>     another_files
> }
>
> Make the "another_files" module a copy of "rlm_files", and point it
> to different "users" files. It will then be run ONLY when the
> external script returns "fail", and you can add reply attributes to
> the reject packet there.
>
> Alan DeKok.

--
Kostas Zorbadelos
rlm_exec vs Exec-Program-Wait attribute
In a previous thread I described my scenario:

>My scenario is simple. When I receive an authentication request for a
>user, I want to run an external program and if everything goes OK,
>return access-accept with some attributes, otherwise I want to return
>access-reject with other attributes.

This scenario is accomplished easily using the Exec-Program-Wait attribute
in users file. When I try to accomplish the same thing with rlm_exec, as
Doug Hardie and Alan suggested, I use configurable failover:

radiusd.conf:

exec callerid {
    wait=yes
    program=/space/radius/callerid.sh
    input_pairs = request
    output_pairs = reply
    packet_type = Access-Request
}

in users I have

CLIDACTIVATE    Auth-Type := Local, User-Password=="AAA", Autz-Type := CLID

and in the authorize section of radiusd.conf

Autz-Type CLID {
    callerid {
        fail=reject
    }
}

In this case when the external script returns a non zero exit code or
fails I get an Access-Reject. However I cannot put any attributes inside
this reject packet. If my script outputs pairs and exits with a non zero
status, the pairs are not kept in the reject packet sent back to the
client.

So my questions are:
- is it possible to have attributes in reject packets in rlm_exec setups
  (something I can do with Exec-Program-Wait)?
- is Exec-Program-Wait deprecated and probably removed in future versions?
  If so, how can I accomplish my scenario?

I need to make a decision for an imminent project.

Thanks in advance
Kostas

--
Kostas Zorbadelos
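One shape the external program in such a setup can take, as an added example that is neither the callerid.sh of this thread nor FreeRADIUS code: a POSIX sh script for the exec module above (wait=yes, input_pairs = request, output_pairs = reply) or for Exec-Program-Wait. It relies on the documented convention that the request attributes reach the child as environment variables named after the attribute, upper-cased with '-' replaced by '_' (so Calling-Station-Id becomes CALLING_STATION_ID), that "Attribute = value" lines on stdout are read back as pairs, and that exit status 0 means accept while non-zero means reject. The allow-list path, the caller-id numbers and the Session-Timeout value are constructed for the example, and the check lives in a function so it can be exercised without radiusd.

```shell
#!/bin/sh
# Added example: an rlm_exec / Exec-Program-Wait program that accepts or
# rejects a request based on the presented caller id. Not the thread's
# callerid.sh. The path, numbers and timeout below are constructed.
#
# radiusd exports request attributes as environment variables, upper-cased
# with '-' turned into '_' (Calling-Station-Id -> CALLING_STATION_ID);
# "Attribute = value" lines on stdout become reply pairs; exit 0 accepts.

# Hypothetical allow-list, one caller id per line.
CLID_ALLOWLIST="${CLID_ALLOWLIST:-/etc/raddb/clid_allowed}"

# valid_clid VALUE: 0 if VALUE is non-empty and made only of digits and '+'.
# Validating (not stripping) means a malformed value is rejected as-is and
# cannot be turned into a string that happens to match the list.
valid_clid() {
    case "$1" in
        ''|*[!0-9+]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_clid CLID: prints reply pairs, returns 0 (accept) or 1 (reject).
# Reply-Message is emitted on both paths; whether the pairs printed on
# the reject path reach the client is the rlm_exec limitation discussed
# in this thread.
check_clid() {
    clid="$1"
    if ! valid_clid "$clid"; then
        printf 'Reply-Message = "Malformed or missing caller id"\n'
        return 1
    fi
    # -x -F: whole-line, literal comparison; neither side is a pattern.
    if [ -r "$CLID_ALLOWLIST" ] && grep -qxF -- "$clid" "$CLID_ALLOWLIST"; then
        printf 'Reply-Message = "Caller id %s accepted"\n' "$clid"
        printf 'Session-Timeout = 3600\n'
        return 0
    fi
    printf 'Reply-Message = "Caller id %s not allowed"\n' "$clid"
    return 1
}

# Entry point when radiusd runs the script: the attribute environment is
# present. Skipped when the file is sourced for testing.
if [ -n "${CALLING_STATION_ID+set}" ]; then
    check_clid "$CALLING_STATION_ID"
    exit $?
fi
```

The caller id is validated rather than sanitised, so a value that is not purely digits and '+' is rejected outright instead of being silently reduced to something that might match the list, and the grep -x -F lookup compares whole lines literally so neither the attribute value nor the file contents are interpreted as patterns. The same script works unchanged under Exec-Program-Wait, where the pairs on the reject path do end up in the Access-Reject.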
Re: freeradius 1.0.0 crashes on oracle errors
On Thu, Sep 02, 2004 at 01:24:19PM +0800, ElHassan, Omar wrote:
>
> I have been experiencing the exact same problem - a crash with repeated
> start packets. I have the same environment (O.S., gcc and freeradius).
> I have found that as a test, a slight modification to sql_oracle.c to not
> return SQL_DOWN but -1 in sql_query as follows:
>
>     x = OCIStmtExecute(oracle_sock->conn,
>                        oracle_sock->queryHandle,
>                        oracle_sock->errHandle,
>                        (ub4) 1,
>                        (ub4) 0,
>                        (OCISnapshot *) NULL,
>                        (OCISnapshot *) NULL,
>                        (ub4) OCI_DEFAULT);
>
>     if ((x != OCI_NO_DATA) && (x != OCI_SUCCESS)) {
>         radlog(L_ERR,"rlm_sql_oracle: execute query failed in sql_query: %s",
>                sql_error(sqlsocket, config));
>         /*return SQL_DOWN;*/
>         return -1;
>     }
>
> Will remove this crash. A -1 here means that the connection is not re-opened
> after each error. I hope this helps us in finding the problem.
>
> Regards,
> OeH

Very good Omar, but what happens when all connections die in this way and are not re-opened? Freeradius will remain running but with no connections to the Oracle database.

In conversations regarding this issue several months ago, I was told that it is an error that has to do with the re-open of the connections and you confirm that. Anyway, I will submit a gdb traceback in bugs.freeradius.org. I only hope that I will have time to do it today. There is too much expertise here, to let the bug get away...

Thanks
Kostas

--
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
Re: freeradius 1.0.0 crashes on oracle errors
On Tue, Aug 31, 2004 at 12:35:18PM +0400, Alexander Serkin wrote:
> Hello.
> I see a lot of 1401 errors in radiusd.log. But they do not lead to core
> dumps.
> Radiusd performs correctly.
> These errors come when users supply incorrect usernames that are longer
> than the username column size.
> We work on SPARC Solaris 2.8, gcc 3.3, Oracle 9.2.0.5, freeradius-1.0.0..
>

Hmmm. I have a different compiler version and older Oracle version (8.1.7). Have you tried to cause the 1401 error continuously and not sporadically? You can do that with radclient. Anyway I will submit a bug report with the gdb output.

> > Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > > My environment is Solaris 2.8, gcc 2.95.3, Oracle 8.1.7.
> > > Freeradius crashes (and core dumps) after an sql query causes an error
> > > with an Oracle backend database.
> >
> > Yuck.
> >
> > > First of all in oraclesql.conf there is a typo in
> > > accounting_start_query_alt query:
> >
> > Fixed, thanks.
> >
> > > Secondly, I caused the crash by sending an accounting start packet
> > > with very large acct-session-id, that caused an ORA-01401(: inserted
> > > value too large for column) error.
> >
> > Ok. The server *should* be robust in the face of such errors.
> >
> > > Should I submit a bug report in bugs.freeradius.org?
> >
> > Please.
> >
> > > For anything else you might need to trace the error, please let me
> > > know.
> >
> > A gdb 'bt', so we can see where/when the error occurred.
> >
> > If you have access to a Linux box, you can try running it under
> > "valgrind", which should give you more information about the invalid
> > memory accesses.
> >
> > Alan DeKok.

--
Kostas Zorbadelos
Currently at: Otenet IT Department
Re: help with rlm_sql_oracle
On Tue, Aug 31, 2004 at 09:42:42AM +0300, Ivan wrote:

It should be possible to compile freeradius oracle support with the oracle client installed only. I also had various problems with the 9.2 oracle client (on my debian system) so I installed oracle client 8.1.7 rel3. If you set the ORACLE_HOME environment variable in the configure of freeradius, it should detect and build the oracle module without problems.

> Dear FreeRadius.org community,
> We`ve got a problem during installation of FreeRadius server 1.0.0 for
> use with the Oracle database on FreeBSD. The next sample of the config.log file
> illustrates our problem:
>
> orabsd# ./configure
> .
> configuring in ./drivers/rlm_sql_oracle
> running /bin/sh ./configure --enable-ltdl-install --enable-ltdl-install
> --cache-file=../../../../.././config.cache
> --srcdir=.
> loading cache ../../../../.././config.cache
> checking for gcc... (cached) gcc
> checking whether the C compiler (gcc -g -O2 -pthread -D_THREAD_SAFE
> -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG ) works... yes
> checking whether the C compiler (gcc -g -O2 -pthread -D_THREAD_SAFE
> -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG ) is a
> cross-compiler... no
> checking whether we are using GNU C... (cached) yes
> checking whether gcc accepts -g... (cached) yes
> checking how to run the C preprocessor... (cached) gcc -E
> checking for oci.h... no
> configure: warning: oracle headers not found. Use --with-oracle-home-dir=.
> configure: warning: sql submodule 'oracle' disabled
> updating cache ../../../../.././config.cache
> creating ./config.status
> creating Makefile
> .
> As you see, we can`t compile the rlm_sql_oracle driver.
> We were trying to install the FreeRadius server on a PC with Oracle client for
> FreeBSD 4.10-5.2.1 (we tried different releases of FreeBSD).
> We tried to do the following steps:
> 1.
> ./configure --with-oracle-home-dir=
> ./configure --disable-shared --with-oracle-home-dir= directory>
> 2.
> ./configure --with-oracle-lib-dir= /rdbms/demo directory>
> ./configure --disable-shared --with-oracle-lib-dir= directory, to the /rdbms/demo directory>
> 3.
> we also tried to compile the rlm_sql_oracle driver alone in the installation
> directory of the oracle client, but with no result.
> Is it possible to install the FreeRadius server with oracle support on a PC just
> with oracle client installed (without basic installation of the Oracle database;
> we use a separate database server with Oracle 9.2i)? If yes, then which directory
> must contain the oracle client lib files? If it`s not possible, then will it be
> possible to connect to the oracle database located on a remote PC?
>
> Hope to hear from you soon
> with best regards,
> Ivan and Valery
> mailto:[EMAIL PROTECTED]

--
Kostas Zorbadelos
Currently at: Otenet IT Department
rlm_exec questions
Hello to everyone.

My scenario is simple. When I receive an authentication request for a user, I want to run an external program and if everything goes OK, return access-accept with some attributes, otherwise I want to return access-reject with other attributes.

I have done the following configuration in radiusd.conf:

    exec callerid {
        wait=yes
        program=/space/radius/callerid.sh
        input_pairs = request
        output_pairs = reply
        packet_type = Access-Request
    }

in users I have

    CLIDACTIVATE    Auth-Type := Local, Autz-Type := CLID

and in the authorize section of radiusd.conf

    Autz-Type CLID {
        callerid
    }

In case my script terminates normally, I get the attribute value pairs appended to an access-accept message as I want. However, if I make an exit 1 at the end of the script, I do not get an access-reject with the output attribute-value pairs appended.

I make the test with radtest

    radtest -d . CLIDACTIVATE 1760 localhost 123 testing123

and from radiusd -X I get

    rad_recv: Access-Request packet from host 127.0.0.1:64711, id=42, length=64
        User-Name = "CLIDACTIVATE"
        User-Password = "1760"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 123
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 2
      modcall[authorize]: module "preprocess" returns ok for request 2
      modcall[authorize]: module "chap" returns noop for request 2
      modcall[authorize]: module "mschap" returns noop for request 2
        rlm_realm: No '/' in User-Name = "CLIDACTIVATE", looking up realm NULL
        rlm_realm: No such realm "NULL"
      modcall[authorize]: module "realmslash" returns noop for request 2
        rlm_realm: No '@' in User-Name = "CLIDACTIVATE", looking up realm NULL
        rlm_realm: No such realm "NULL"
      modcall[authorize]: module "suffix" returns noop for request 2
        users: Matched CLIDACTIVATE at 74
      modcall[authorize]: module "files" returns ok for request 2
    modcall: group authorize returns ok for request 2
    Processing the authorize section of radiusd.conf
    modcall: entering group Autz-Type for request 2
    radius_xlat: '/space/radius/callerid.sh'
    Exec-Program: /space/radius/callerid.sh
    Exec-Program output: h323-return-code = "2"
    Exec-Program-Wait: value-pairs: h323-return-code = "2"
    Exec-Program: returned: 1
    rlm_exec (callerid): External script failed
      modcall[authorize]: module "callerid" returns fail for request 2
    modcall: group Autz-Type returns fail for request 2
    Finished request 2
    Going to the next request

The module returns fail but no access-reject is sent back and radtest keeps retransmitting. What am I missing?

Thanks for any help.
Kostas

--
Kostas Zorbadelos
Currently at: Otenet IT Department
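The two rlm_exec messages in this thread (the question above and the "rlm_exec vs Exec-Program-Wait" follow-up with Alan's fail-over suggestion) describe the same setup, so here is the complete configuration laid out once, as an added example rather than config from the original posts. It assumes FreeRADIUS 1.x syntax as used in the thread; the second files instance name reject_files, the file name reject_users, and the use of Auth-Type := Reject to force the reject are my assumptions, not something Alan specified. The external script is expected to behave as the debug output shows: print attribute pairs on stdout, exit 0 on success and non-zero on failure.

```conf
# radiusd.conf (FreeRADIUS 1.x) -- added example, not from the list posts.
modules {
    # External check. With wait=yes the script's exit status selects the
    # module return code; pairs it prints are added to the reply list.
    exec callerid {
        wait = yes
        program = "/space/radius/callerid.sh"
        input_pairs = request
        output_pairs = reply
        packet_type = Access-Request
    }

    # Second rlm_files instance with its own users file, as Alan suggests.
    # Instance name and file path are assumptions.
    files reject_files {
        usersfile = ${confdir}/reject_users
        compat = no
    }
}

authorize {
    preprocess
    # The normal users file sets "Autz-Type := CLID" for the entry, as in
    # the thread:  CLIDACTIVATE  Auth-Type := Local, Autz-Type := CLID
    files

    Autz-Type CLID {
        callerid {
            ok = return          # script succeeded: stop, keep its reply pairs
            updated = return
            fail = 1             # script failed: fall through to reject_files
        }
        reject_files             # only reached when callerid returned "fail"
    }
}
```

And the matching reject_users file (assumed name), which does the two things the question asks for: it turns the failed check into an Access-Reject instead of leaving the request unanswered, and it attaches the attributes that should travel with the reject:

```conf
# reject_users -- read by the reject_files instance only.
# Auth-Type := Reject is my addition; Reply-Message is the attribute to carry.
DEFAULT Auth-Type := Reject
        Reply-Message = "Caller-ID check failed"
```

Because reject_files is the last module in the Autz-Type group and is only run after a "fail", a successful script never touches this file, and the override operator (:=) guarantees the Auth-Type cannot be left at Local by an earlier entry. Whether reply items other than Reply-Message survive into an Access-Reject depends on the server version; Alan's message says they do in this setup, so check the "Sending Access-Reject" lines in radiusd -X output before relying on a specific attribute.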
Re: freeradius 1.0.0 Solaris compile issues
On Thu, Aug 26, 2004 at 11:15:57AM -0400, Alan DeKok wrote:
> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > gcc -fcse-skip-blocks -fexpensive-optimizations -finline-functions
> > -fomit-frame-pointer -O3 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5
> > -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -I./libeap -c rlm_eap.c -o rlm_eap.o
> > In file included from rlm_eap.c:26:
> > rlm_eap.h:26: ltdl.h: No such file or directory
>
> You probably did:
>
> $ ./configure --disable-ltdl-install
>

I did that, but second. In the beginning I just did

    $ ./configure --prefix=/my/path

> > I can see that ltdl.h is not in the include path passed to gcc but in
> > ./libltdl/ltdl.h. The problem is solved if we use the
> > --with-ltdl-include in the configure line
>
> I don't see why that would be necessary, if you didn't pass any
> other options to configure.
>

So by passing the --prefix option, I couldn't avoid passing --with-ltdl-include too?

> > Making static dynamic in rlm_x99_token...
> > make[6]: Entering directory
> > `/space/radius/freeradius-1.0.0/src/modules/rlm_x99_token'
> > gcc -fcse-skip-blocks -fexpensive-optimizations -finline-functions
> > -fomit-frame-pointer -O3 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5
> > -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -DX99_MODULE_NAME=\"rlm_x99_token\"
> > -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
> > In file included from x99_rlm.c:54:
> > x99.h:26: openssl/des.h: No such file or directory
>
> Hmm... if you don't have openssl, it shouldn't try to use it.
>
> What's the output of "./configure"?
>

Output of ./configure is attached in the file.

Kostas

> Alan DeKok.

--
Kostas Zorbadelos
Currently at: Otenet IT Department

[EMAIL PROTECTED]:~/freeradius-1.0.0->./configure
loading cache ./config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc -fcse-skip-blocks -fexpensive-optimizations -finline-functions -fomit-frame-pointer -O3 -s) works... yes
checking whether the C compiler (gcc -fcse-skip-blocks -fexpensive-optimizations -finline-functions -fomit-frame-pointer -O3 -s) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking whether gcc needs -traditional... (cached) no
checking whether we are using SUNPro C... (cached) no
checking for ranlib... (cached) ranlib
checking for AIX... no
checking for gmake... (cached) no
checking for make... (cached) /usr/local/bin/make
checking for lt_dlinit in -lltdl... (cached) yes
checking for Cygwin environment... (cached) no
checking for mingw32 environment... (cached) no
checking host system type... sparc-sun-solaris2.8
checking build system type... sparc-sun-solaris2.8
checking for ld used by GCC... (cached) /usr/ccs/bin/ld
checking if the linker (/usr/ccs/bin/ld) is GNU ld... (cached) no
checking for /usr/ccs/bin/ld option to reload object files... (cached) -r
checking for BSD-compatible nm... (cached) /usr/ccs/bin/nm -p
checking whether ln -s works... (cached) yes
checking how to recognise dependant libraries... (cached) pass_all
checking for object suffix... (cached) o
checking for executable suffix... (cached) no
checking command to parse /usr/ccs/bin/nm -p output... (cached) ok
checking for dlfcn.h... (cached) yes
checking for ranlib... (cached) ranlib
checking for strip... (cached) strip
checking for objdir... .libs
checking for gcc option to produce PIC... (cached) -fPIC
checking if gcc PIC flag -fPIC works... (cached) yes
checking if gcc static flag -static works... (cached) yes
checking if gcc supports -c -o file.o... (cached) yes
checking if gcc supports -c -o file.lo... (cached) yes
checking if gcc supports -fno-rtti -fno-exceptions... yes
checking whether the linker (/usr/ccs/bin/ld) supports shared libraries...
*** Warning: Releases of GCC earlier than version 3.0 cannot reliably
*** create self contained shared libraries on Solaris systems, without
*** introducing a dependency on libgcc.a. Therefore, libtool is disabling
*** -no-undefined support, which will at least allow you to build shared
*** libraries. However, you may find that when you link such libraries
*** into an application without using GCC, you have to manually add
*** `gcc --print-libgcc-file-name` to the link command. We urge you to
*** upgrade to a newer version of GCC. Another option is to rebui
freeradius 1.0.0 Solaris compile issues
Freeradius 1.0 compile fails in Solaris 2.8, gcc 2.95.3. Here is the relevant output...

    Making static dynamic in rlm_eap...
    make[6]: Entering directory `/space/radius/freeradius-1.0.0/src/modules/rlm_eap'
    gcc -fcse-skip-blocks -fexpensive-optimizations -finline-functions -fomit-frame-pointer -O3 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -I./libeap -c rlm_eap.c -o rlm_eap.o
    In file included from rlm_eap.c:26:
    rlm_eap.h:26: ltdl.h: No such file or directory
    make[6]: *** [rlm_eap.o] Error 1
    make[6]: Leaving directory `/space/radius/freeradius-1.0.0/src/modules/rlm_eap'
    make[5]: *** [common] Error 1
    make[5]: Leaving directory `/space/radius/freeradius-1.0.0/src/modules'
    make[4]: *** [all] Error 2
    make[4]: Leaving directory `/space/radius/freeradius-1.0.0/src/modules'
    make[3]: *** [common] Error 1
    make[3]: Leaving directory `/space/radius/freeradius-1.0.0/src'
    make[2]: *** [all] Error 2
    make[2]: Leaving directory `/space/radius/freeradius-1.0.0/src'
    make[1]: *** [common] Error 1
    make[1]: Leaving directory `/space/radius/freeradius-1.0.0'
    make: *** [all] Error 2

I can see that ltdl.h is not in the include path passed to gcc but in ./libltdl/ltdl.h. The problem is solved if we use the --with-ltdl-include in the configure line.

    Making static dynamic in rlm_x99_token...
    make[6]: Entering directory `/space/radius/freeradius-1.0.0/src/modules/rlm_x99_token'
    gcc -fcse-skip-blocks -fexpensive-optimizations -finline-functions -fomit-frame-pointer -O3 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../../include -DX99_MODULE_NAME=\"rlm_x99_token\" -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
    In file included from x99_rlm.c:54:
    x99.h:26: openssl/des.h: No such file or directory

I do not have openssl in the system. Shouldn't autoconf diagnose this and disable rlm_x99_token as it did in several eap modules? I solved it using --without-rlm_x99_token in the configure line.

--
Kostas Zorbadelos
Currently at: Otenet IT Department
Re: raddb/users, having OR conditions
On Mon, Aug 23, 2004 at 10:15:00PM +0200, Adam KOSA wrote:

I had asked the same question months ago and I was told that it is not possible...

> Hi List
>
> I'm sorry if this is a basic question here. I just set up freeradius,
> using it to authenticate to network devices (instead of local auth). I got
> it up almost fine. In my raddb/users file, i have the following:
>
> test    Auth-Type := Local, User-Password == "test", Simultaneous-Use := 10, Calling-Station-Id == "10.19.5.1"
>         Service-Type = Login,
>         cisco-avpair = "shell:priv-lvl=15"
>
> I understand that in the first line i can set up conditions, separated
> by commas which all have to be true to permit login. How can i set up
> an OR condition? I'm thinking about letting more IP-s in via radius,
> not only allowing login from ip 10.19.5.1.
>
> Currently i duplicated the "test" user and the second entry has another
> IP - this way i can login from both IP-s. But i don't like that i had
> to duplicate the password, and every setting. But being new to
> freeradius i know no more ways.
>
> I'd be grateful if one could describe a solution.
>
> Thanks
> Adam

--
Kostas Zorbadelos
Currently at: Otenet IT Department
Re: Modify packet proxied to a specific realm [Solved in 2 ways]
At Tue, 15 Jun 2004 11:55:00 -0400, Alan DeKok wrote:
>
> Please don't CC me on messages. I already read the list, and I
> don't need to see the same message twice.
>

Sorry Alan (replied to all by accident)

> > I wanted for every username of the form [EMAIL PROTECTED] to add 3 wispr
> > attributes (Location-Id, LocationName and LogoffUrl) to the access request
> > packets and 2 attributes (Location-Id, Location-Name) to the
> > accounting packets before they get proxied to the home radius.
>
> In preproxy_users, you should be able to do:
>
> #---
> DEFAULT User-Name =~ "@testrealm$", Packet-Type == Access-Request
>         Wispr-Location-Id = "foo",
>         Wispr-LocationName = "bar",
>         ...
>

After adding the files module in the pre-proxy section, it worked like a charm. Wonderful and elegant configuration (much better than the one I came up with).

Since the attr_rewrite module and the preproxy_users are said to be 'experimental', which one would you recommend for use in a production environment? Is any of this going to go away in 1.0.0 or the future?

Thanks for everything.

--
Kostas Zorbadelos
Currently at: Otenet IT Department
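Alan's preproxy_users sketch, carried through to the full case described in this thread (both the Access-Request and the Accounting-Request side for one realm), as an added example and not configuration from the original posts. It assumes FreeRADIUS 1.x as used here, that the files module's preproxy_usersfile is the default ${confdir}/preproxy_users, the realm name testrealm from Alan's message, and the WISPr attribute names and values that appear in Kostas's attr_rewrite debug output; the values are placeholders to be replaced with the real ones.

```conf
# radiusd.conf (FreeRADIUS 1.x) -- added example, not from the list posts.
# The files module reads preproxy_users when called from pre-proxy, and the
# "reply" items of a matching entry are added to the packet that is proxied.
pre-proxy {
    files
}
```

```conf
# preproxy_users -- added example. Each entry matches only one realm and one
# packet type, so attributes for testrealm never end up in packets proxied
# to any other home server.

# Access-Request for testrealm: three WISPr attributes.
DEFAULT User-Name =~ "@testrealm$", Packet-Type == Access-Request
        WISPr-Location-ID = "isocc=gr,cc=30,ac=21,network=otenet",
        WISPr-Location-Name = "OTENET,hotspot",
        WISPr-Logoff-URL = "https://192.168.3.3:8443/accountLogoff/home?confirmed=true"

# Accounting-Request for testrealm: two WISPr attributes.
DEFAULT User-Name =~ "@testrealm$", Packet-Type == Accounting-Request
        WISPr-Location-ID = "isocc=gr,cc=30,ac=21,network=otenet",
        WISPr-Location-Name = "OTENET,hotspot"
```

The anchored regex (=~ "@testrealm$") is what scopes the change to the one realm; an unanchored pattern such as "testrealm" would also match a user named testrealm@otherrealm. To confirm the entries fire, look for "preproxy_users: Matched DEFAULT" in radiusd -X output followed by the attributes in the "Sending Access-Request" block that goes to the home server.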
Re: Modify packet proxied to a specific realm [Solved with a few questions]
At Mon, 14 Jun 2004 14:09:45 -0400, Alan DeKok wrote:
>
> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > I would like to know if and how it is possible to modify an accounting
> > and an authentication request
> > packet that is going to be proxied to a specific realm.
>
> Yes. Use the "preproxy" section.
>
> Alan DeKok.
>

Hello again. Now that I have a working configuration that solves my problem, I post it to the list for archiving purposes and also a few clarifications. I am using version 0.9.3 but I plan to test everything with 1.0.0 pre2 also.

Description of the problem
---

I wanted for every username of the form [EMAIL PROTECTED] to add 3 wispr attributes (Location-Id, LocationName and LogoffUrl) to the access request packets and 2 attributes (Location-Id, Location-Name) to the accounting packets before they get proxied to the home radius.

I used the attr_rewrite module with the following config in radiusd.conf:

    attr_rewrite addLocationId {
        attribute = WISPr-Location-ID
        # may be "packet", "reply", or "config"
        searchin = packet
        searchfor = "[+ ]"
        replacewith = "isocc=gr,cc=30,ac=21,network=otenet"
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        ## If set to yes then the replace string will be appended to the original string
        append = yes
    }

    attr_rewrite addLocationName {
        attribute = WISPr-Location-Name
        # may be "packet", "reply", or "config"
        searchin = packet
        searchfor = ""
        replacewith = "OTENET,hotspot"
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        ## If set to yes then the replace string will be appended to the original string
        append = yes
    }

    attr_rewrite addLogoffUrl {
        attribute = WISPr-Logoff-URL
        # may be "packet", "reply", or "config"
        searchin = packet
        searchfor = ""
        replacewith = "https://192.168.3.3:8443/accountLogoff/home?confirmed=true";
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        ## If set to yes then the replace string will be appended to the original string
        append = yes
    }

1) The pre-proxy section
---

The pre-proxy section in radiusd.conf wasn't what I wanted because the modifications would happen before the proxy of every packet and not just packets destined to the specific realm testrealm. After the test however I noticed that the packets were not modified at all (is this a bug that is fixed in 1.0.0?)

My configuration

    pre-proxy {
        addLocationId
        addLocationName
        addLogoffUrl
    }

and the relevant part of the debugging output

    rad_recv: Access-Request packet from host 212.205.85.239:4422, id=214, length=103
        Acct-Session-Id = "01C3"
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "usera"
        NAS-IP-Address = 212.205.178.115
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Proxy-State = 0x6f70656e65745f776c616e
    modcall: entering group authorize for request 0
    ...
      rlm_realm: Preparing to proxy authentication request to realm "testrealm"
    ...
    modcall: entering group pre-proxy for request 0
    radius_xlat: 'isocc=gr,cc=30,ac=21,network=otenet'
      rlm_attr_rewrite: Added attribute WISPr-Location-ID with value 'isocc=gr,cc=30,ac=21,network=otenet'
      modcall[pre-proxy]: module "addLocationId" returns ok for request 0
    radius_xlat: 'OTENET,hotspot'
      rlm_attr_rewrite: Added attribute WISPr-Location-Name with value 'OTENET,hotspot'
      modcall[pre-proxy]: module "addLocationName" returns ok for request 0
    radius_xlat: 'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
      rlm_attr_rewrite: Added attribute WISPr-Logoff-URL with value 'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
      modcall[pre-proxy]: module "addLogoffUrl" returns ok for request 0
    modcall: group pre-proxy returns ok for request 0
    Sending Access-Request of id 1 to 212.205.178.120:1812
        User-Name = "usera"
        Acct-Session-Id = "01C3"
        User-Password = "usera"
        NAS-IP-Address = 212.205.178.115
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Proxy-State = 0x6f70656e65745f776c616e
        Proxy-State = 0x323134
    ...

As you can see the packet was not modif
Re: Modify packet proxied to a specific realm
At Mon, 14 Jun 2004 14:09:45 -0400, Alan DeKok wrote:
>
> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > I would like to know if and how it is possible to modify an accounting
> > and an authentication request
> > packet that is going to be proxied to a specific realm.
>
> Yes. Use the "preproxy" section.
>
> Alan DeKok.
>

Thanks Alan, I thought I would. But which module should I use? And how can I add the attribute(s) I want for a specific realm only? I think I will focus on the attr_rewrite module but unfortunately it is not very clear how I can achieve what I want from the sample configuration in radiusd.conf.

Any other ideas are welcome.

--
Kostas Zorbadelos
Currently at: Otenet IT Department
Modify packet proxied to a specific realm
Hello to everyone.

I would like to know if and how it is possible to modify an accounting and an authentication request packet that is going to be proxied to a specific realm. What I want is to add a specific attribute with a specific value to every accounting and authentication request packet that is going to be proxied at realm X before it gets proxied.

I would appreciate any suggestions.

Thanks in advance
Kostas

--
Kostas Zorbadelos
Currently at: Otenet IT Department
Re: Delimiters don't work
At Fri, 11 Jun 2004 14:45:56 -, Shah, Nishant B wrote:
>
> Does freeRadius support prefix and suffix delimiters other than '/' and '@'
> sign. If yes then where to specify them. I tried to use '%','.' and '\' them
> after specifying in radiusd.conf file but it doesn't work.
> Can someone solve my issue?
>
> --
> Nishant Shah
> U4 Computer Engineering
> 979-268-0866 (M)281-222-3176
>

Add a new realm instance in radiusd.conf like this

    # 'username%realm'
    #
    realm realmpercent {
        format = suffix
        delimiter = "%"
    }

And then use this module in the authorize section.

--
Kostas Zorbadelos
Currently at: Otenet IT Department
Re: Alan is the King!
At Fri, 21 May 2004 11:03:45 -0300, RH List Account wrote:

This is indeed very interesting. I'll keep it in mind... (Opensource + support = convincing managers to switch!)

> Folks,
>
> I just wanted to publicly thank Alan DeKok for his invaluable assistance
> last week. We had a problem that we were kicking ourselves over and just
> couldn't get. After a search online, we found www.cladju.org.
>
> I don't think it's well enough publicised here, but Alan does do RADIUS
> consulting, and can make your FreeRADIUS problems go away very very quickly.
>
> If you have a problem, and have found Alan's tireless answering of questions
> on this list to be useful, consider contacting him directly.
>
> He quickly found our problem, and we have now been able to turn on a new
> service, easily justifying his very modest fee.
>
> Open source is great, but people gotta eat. Alan, hats off to you.
>
> Robert Hof
> Internet Architect
> Transact Bermuda

--
Kostas Zorbadelos
Currently at: Otenet IT Department
Update: Please tell something about rlm_sql_oracle bug
dacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, CiscoServiceInfo) values('', '009F', '', '[EMAIL PROTECTED]@toratora.gr', '', '62.103.0.99', '', 'Async', TO_DATE('2004-04-13 19:19:17','-mm-dd hh24:mi:ss'), NULL, '0', 'RADIUS', '', '', '0', '0', '896255', '2106151600', '', 'Framed-User', 'PPP', '', '5', '0', '') rlm_sql_oracle: execute query failed in sql_query: ORA-01401: inserted value too large for column rlm_sql (sql1): Attempting to connect rlm_sql_oracle #0 rlm_sql (sql1): Connected new DB handle, #0 INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, CiscoServiceInfo) values('', '009F', '', '[EMAIL PROTECTED]@toratora.gr', '', '62.103.0.99', '', 'Async', TO_DATE('2004-04-13 19:19:17','-mm-dd hh24:mi:ss'), NULL, '0', 'RADIUS', '', '', '0', '0', '896255', '2106151600', '', 'Framed-User', 'PPP', '', '5', '0', '') rlm_sql_oracle: execute query failed in sql_query: ORA-01401: inserted value too large for column rlm_sql (sql1): failed after re-connect rlm_sql (sql1): Couldn't update SQL accounting for START packet - ORA-01401: inserted value too large for column radius_xlat: 'UPDATE radacct SET AcctStartTime = TO_DATE('2004-04-13 19:19:17','-mm-dd hh24:mi:ss'), AcctStartDelay = '5', ConnectInfo_start = '' WHERE AcctSessionId = '009F' AND UserName = '[EMAIL PROTECTED]@toratora.gr' AND NASIPAddress = '62.103.0.99' AND AcctStopTime 
= IS NULL'
radius_xlat:  '/space/radius/freeradius-0.9.3/BUILD/var/log/radius/sqltrace.sql'
UPDATE radacct SET AcctStartTime = TO_DATE('2004-04-13 19:19:17','-mm-dd hh24:mi:ss'), AcctStartDelay = '5', ConnectInfo_start = '' WHERE AcctSessionId = '009F' AND UserName = '[EMAIL PROTECTED]@toratora.gr' AND NASIPAddress = '62.103.0.99' AND AcctStopTime = IS NULL
rlm_sql_oracle: execute query failed in sql_query: ORA-00936: missing expression
rlm_sql (sql1): Attempting to connect rlm_sql_oracle #0
rlm_sql (sql1): Connected new DB handle, #0
UPDATE radacct SET AcctStartTime = TO_DATE('2004-04-13 19:19:17','-mm-dd hh24:mi:ss'), AcctStartDelay = '5', ConnectInfo_start = '' WHERE AcctSessionId = '009F' AND UserName = '[EMAIL PROTECTED]@toratora.gr' AND NASIPAddress = '62.103.0.99' AND AcctStopTime = IS NULL
rlm_sql_oracle: execute query failed in sql_query: ORA-00936: missing expression
rlm_sql (sql1): failed after re-connect
rlm_sql (sql1): Couldn't update SQL accounting START record - ORA-00936: missing expression
rlm_sql (sql1): Released sql socket id: 0
  modcall[accounting]: module "sql1" returns fail for request 11
modcall: group Acct-Type returns fail for request 11
Finished request 11
Going to the next request
--- Walking the entire request list ---
Cleaning up request 9 ID 94 with timestamp 407c1300
Cleaning up request 10 ID 95 with timestamp 407c1300
Waking up in 5 seconds...

rad_recv: Accounting-Request packet from host 212.205.85.227:4427, id=97, length=303
        NAS-IP-Address = 62.103.0.99
        NAS-Port = 224
        Cisco-NAS-Port = "Async39"
        NAS-Port-Type = Async
        User-Name = "[EMAIL PROTECTED]@toratora.gr"
        Called-Station-Id = "896255"
        Calling-Station-Id = "2106151600"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Acct-Session-Id = "009F"
        Framed-Protocol = PPP
        Tunnel-Server-Endpoint:0 = "62.103.4.99"
        Tunnel-Client-Endpoint:0 = "62.103.3.131"
        Tunnel-Type:0 = L2F
        Tunnel-Client-Auth-Id:0 = "otenettoratora"
        Tunnel-Server-Auth-Id:0 = "toratoraotenet"
        Cisco-AVPair = "tunnel-id=otenettoratora"
        Cisco-AVPair = "gw-name=toratoraotenet"
        Acct-Delay-Time = 10
        Proxy-State = 0x6f70656e65745f6469616c7570
modcall: entering group preacct for request 12
  modcall[preacct]: module "preprocess" returns noop for request 12
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]@toratora.gr", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[preacct]: module "realmslash" returns noop for request 12
    rlm_realm: Looking up realm "toratora.gr" for User-Name = "[EMAIL PROTECTED]@toratora.gr"
    rlm_realm: No such realm "toratora.gr"
  modcall[preacct]: module "suffix" returns noop for request 12
    acct_users: Matched DEFAULT at 18
  modcall[preacct]: module "files" returns ok for request 12
modcall: group preacct returns ok for request 12
modcall: entering group Acct-Type for request 12
radius_xlat:  '[EMAIL PROTECTED]@toratora.gr'
rlm_sql (sql1): sql_set_user escaped user --> '[EMAIL PROTECTED]@toratora.gr'
radius_xlat:  'INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, CiscoServiceInfo) values('', '009F', '', '[EMAIL PROTECTED]@toratora.gr', '', '62.103.0.99', '', 'Async', TO_DATE('2004-04-13 19:19:22','-mm-dd hh24:mi:ss'), NULL, '0', 'RADIUS', '', '', '0', '0', '896255', '2106151600', '', 'Framed-User', 'PPP', '', '10', '0', '')'
radius_xlat:  '/space/radius/freeradius-0.9.3/BUILD/var/log/radius/sqltrace.sql'
rlm_sql (sql1): Reserving sql socket id: 2
INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, CiscoServiceInfo) values('', '009F', '', '[EMAIL PROTECTED]@toratora.gr', '', '62.103.0.99', '', 'Async', TO_DATE('2004-04-13 19:19:22','-mm-dd hh24:mi:ss'), NULL, '0', 'RADIUS', '', '', '0', '0', '896255', '2106151600', '', 'Framed-User', 'PPP', '', '10', '0', '')
rlm_sql_oracle: execute query failed in sql_query: ORA-01401: inserted value too large for column
rlm_sql (sql1): Attempting to connect rlm_sql_oracle #2
Bus Error (core dumped)

Finally the core dump. Most of the debugging messages were caused by router retransmissions because it didn't receive accounting acks.

--
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter than a thousand suns.
--- End Message ---
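The failure chain in the log above (and in the "[Resend]" thread further down this page) is: a User-Name wider than the radacct column is interpolated into the INSERT, Oracle answers ORA-01401, rlm_sql retries and reconnects, and the poster reports that the server eventually dies. The following is an added example, not code from the thread or from FreeRADIUS: a Python pre-insert guard that checks each accounting field against the column widths of the CREATE TABLE posted in this thread and writes the record with bound parameters instead of a string-built query. sqlite3 stands in for Oracle (sqlite does not enforce declared string widths, which is exactly why the guard has to do it); the sample records are constructed, the user names are invented, and the NAS address and port values echo the debug output above.

```python
import sqlite3

# Column widths copied from the radacct CREATE TABLE posted in this thread
# (only the VARCHAR2(n) columns; NUMBER and DATE columns are not length-checked).
RADACCT_WIDTHS = {
    "AcctSessionId": 32, "AcctUniqueId": 32, "UserName": 32, "Realm": 30,
    "NASIPAddress": 15, "NASPortType": 32, "AcctAuthentic": 32,
    "ConnectInfo_start": 32, "ConnectInfo_stop": 32, "CalledStationId": 30,
    "CallingStationId": 30, "AcctTerminateCause": 32, "ServiceType": 32,
    "FramedProtocol": 32, "FramedIPAddress": 15, "CiscoServiceInfo": 50,
}
# NOT NULL columns from the same table (RadAcctId is left to the database side).
REQUIRED = ("AcctSessionId", "UserName", "NASIPAddress")
# Every column the table has; anything else is refused, so a caller can never
# smuggle arbitrary text into the column list of the INSERT.
ALLOWED = set(RADACCT_WIDTHS) | {
    "RadAcctId", "NASPortId", "AcctStartTime", "AcctStopTime", "AcctSessionTime",
    "AcctInputOctets", "AcctOutputOctets", "AcctStartDelay", "AcctStopDelay",
}


def check_record(record):
    """Return the problems that would make the INSERT fail at the database
    (unknown column, missing NOT NULL value, string wider than its column).
    An empty list means the record is safe to insert."""
    problems = [f"{c}: not a radacct column" for c in record if c not in ALLOWED]
    for col in REQUIRED:
        if not record.get(col):
            problems.append(f"{col}: missing (NOT NULL)")
    for col, width in RADACCT_WIDTHS.items():
        value = record.get(col)
        # Oracle measures VARCHAR2 length in bytes by default, so compare bytes.
        if value is not None and len(str(value).encode("utf-8")) > width:
            problems.append(f"{col}: {len(str(value))} chars > VARCHAR2({width})")
    return problems


def insert_start(conn, record):
    """Insert an accounting Start record only if check_record() passes.
    Values are bound as parameters, never interpolated into the SQL text.
    Returns (inserted, problems)."""
    problems = check_record(record)
    if problems:
        return False, problems
    cols = list(record)
    sql = "INSERT INTO radacct ({}) VALUES ({})".format(
        ", ".join(cols), ", ".join("?" for _ in cols))
    conn.execute(sql, [record[c] for c in cols])
    conn.commit()
    return True, []


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]


def make_db():
    """In-memory stand-in for the Oracle table. sqlite3 ignores declared
    string widths, so only check_record() protects the column sizes here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        RadAcctId INTEGER, AcctSessionId TEXT NOT NULL, AcctUniqueId TEXT,
        UserName TEXT NOT NULL, Realm TEXT, NASIPAddress TEXT NOT NULL,
        NASPortId INTEGER, NASPortType TEXT, AcctStartTime TEXT, AcctStopTime TEXT,
        AcctSessionTime INTEGER, AcctAuthentic TEXT, ConnectInfo_start TEXT,
        ConnectInfo_stop TEXT, AcctInputOctets INTEGER, AcctOutputOctets INTEGER,
        CalledStationId TEXT, CallingStationId TEXT, AcctTerminateCause TEXT,
        ServiceType TEXT, FramedProtocol TEXT, FramedIPAddress TEXT,
        AcctStartDelay INTEGER, AcctStopDelay INTEGER, CiscoServiceInfo TEXT)""")
    return conn


# Constructed sample records (user names invented; NAS values from the log above).
GOOD_START = {
    "AcctSessionId": "009F", "UserName": "user@example.net",
    "NASIPAddress": "62.103.0.99", "NASPortType": "Async",
    "AcctAuthentic": "RADIUS", "ServiceType": "Framed-User",
    "FramedProtocol": "PPP", "CalledStationId": "896255",
    "CallingStationId": "2106151600", "AcctStartDelay": 10,
}
# A 40-character User-Name: the ORA-01401 case from the log above.
OVERSIZED_START = dict(GOOD_START, UserName="a" * 40)
# No User-Name at all: the case reported in the "[Resend]" thread on this page.
NO_USER_START = {k: v for k, v in GOOD_START.items() if k != "UserName"}

if __name__ == "__main__":
    conn = make_db()
    for name, rec in (("good", GOOD_START), ("oversized", OVERSIZED_START),
                      ("no-user", NO_USER_START)):
        inserted, problems = insert_start(conn, rec)
        print(name, "inserted" if inserted else "refused", problems)
    print("rows in radacct:", count_rows(conn))
```

The point of the guard is where the failure is handled: a refused record can be written to the detail file or logged with the offending attribute named, instead of being handed to the database driver, retried, and reconnected as the log shows.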
Re: User with 2 profiles but different simultaneous-use in each
At Wed, 14 Apr 2004 17:44:52 +0300 (EEST), Kostas Kalevras wrote:

> Well now that i think of it, the module can't really help you on that subject.
> But in any case you can check the comments in the latest radiusd.conf, it's now
> part of the stable modules list.

Is it in 0.9.3 release or in the cvs snapshot?

> As for your problem, you can just always set Simultaneous-Use = 1. For ISDN you
> just need to also set Port-Limit = 2 for the user to be able to use 2 channels.
> So everything should work just fine with just that. Just make sure that
> Port-Limit is only returned on ISDN connections, else a user can get 2 DSL
> connections from the PTT and do multilink PPP (just guessing i am not that
> familiar with how ADSL works, i think it just transmits PPP frames so it's
> possible). Since you are using LDAP something like this:
>
> --users--
>
> DEFAULT NAS-Port-Type == ISDN, Ldap-Group == "adsl-users"
>         Port-Limit := 2

Thanks Kostas. I am familiar with the Port-Limit attribute, in fact I use it already in a profile for prepaid cards. But from the way I have seen it works, it just instructs the router to allow a bundle interface with up to 2 channels (if the value is 2). This way if someone has value 0 in this attribute he won't be allowed to have a bundle interface and every connection he will attempt with on demand ISDN or ISDN 128 will fail. However the authentication is independent of that. If an ISDN user tries to get a second channel he will initiate an authorization/authentication sequence normally and he will fail if Simultaneous-Use is 1. This is the way I believe things work, let me know if I am wrong. In any case thanks.

--
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter than a thousand suns.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Small rlm_sql_oracle bug
Hi to everyone.
I think I found a bug in the rlm_sql_oracle. I had a syntax error in accounting_start_query_alt and after failing to execute an oracle query several times the server core dumps. I managed to reproduce the error by sending accounting requests that have the User-Name attribute too big to fit in the radacct table. The problem does not seem to occur if the syntax of the sql queries is OK though (apart from the fact that the server does not send acks which is logical).
My platform is Solaris 2.7/2.8 gcc 2.95.3. Sorry for the big logs. I wish I was able to provide the patch myself...

Thanks in advance.

Kostas

Here is my radacct table:

CREATE TABLE fworks.radacct (
    radacctid           INTEGER NOT NULL ,
    acctsessionid       VARCHAR2 (32) NOT NULL ,
    acctuniqueid        VARCHAR2 (32) ,
    username            VARCHAR2 (32) NOT NULL ,
    realm               VARCHAR2 (30) ,
    nasipaddress        VARCHAR2 (15) NOT NULL ,
    nasportid           NUMBER (12) ,
    nasporttype         VARCHAR2 (32) ,
    acctstarttime       DATE ,
    acctstoptime        DATE ,
    acctsessiontime     NUMBER (12) ,
    acctauthentic       VARCHAR2 (32) ,
    connectinfo_start   VARCHAR2 (32) ,
    connectinfo_stop    VARCHAR2 (32) ,
    acctinputoctets     NUMBER (12) ,
    acctoutputoctets    NUMBER (12) ,
    calledstationid     VARCHAR2 (30) ,
    callingstationid    VARCHAR2 (30) ,
    acctterminatecause  VARCHAR2 (32) ,
    servicetype         VARCHAR2 (32) ,
    framedprotocol      VARCHAR2 (32) ,
    framedipaddress     VARCHAR2 (15) ,
    acctstartdelay      NUMBER (12) ,
    acctstopdelay       NUMBER (12) ,
    ciscoserviceinfo    VARCHAR2 (50)
)

In the accounting sections of radiusd.conf I have:

preacct {
        preprocess

        #
        #  Look for IPASS-style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
        #
        #  Accounting requests are generally proxied to the same
        #  home server as authentication requests.
        realmslash
        suffix

        #
        #  Read the 'acct_users' file
        files
}

#
#  Accounting. Log the accounting data.
#
accounting {
        #
        #  Ensure that we have a semi-unique identifier for every
        #  request, and many NAS boxes are broken.
        acct_unique

        # see acct_users file
        Acct-Type SQL1 {
                sql1
                detail
        }
}

The acct_users file:

DEFAULT Acct-Type := SQL1

Now the output from radiusd -X (the sql queries are customized and different from the default):

rad_recv: Access-Request packet from host 212.205.85.227:4426, id=94, length=141
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "9736"
        NAS-IP-Address = 62.103.0.99
        NAS-Port = 224
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-NAS-Port = "Async39"
        Called-Station-Id = "896255"
        Calling-Station-Id = "2106151600"
        NAS-Port-Type = Async
        Proxy-State = 0x6f70656e65745f6469616c7570
modcall: entering group authorize for request 9
  modcall[authorize]: module "preprocess" returns ok for request 9
  modcall[authorize]: module "chap" returns noop for request 9
    rlm_realm: No '/' in User-Name = "[EMAIL PROTECTED]", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "realmslash" returns noop for request 9
    rlm_realm: Looking up realm "DIALUP" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: No such realm "DIALUP"
  modcall[authorize]: module "suffix" returns noop for request 9
    users: Matched DEFAULT at 62
  modcall[authorize]: module "files" returns ok for request 9
  modcall[authorize]: module "mschap" returns noop for request 9
modcall: group authorize returns ok for request 9
modcall: entering group Autz-Type for request 9
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql1): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT rc.PROFILEID,es.USERNAME USERNAME, rc.ATTRIBUTE ATTRIBUTE, rc.VALUE VALUE, rc.OP OP FROM epin_serials es, products_profiles pp, radcheck rc, profiles pr WHERE es.productid = pp.productid
Re: [Resend]: Error in sql module causes freeradius to stop functioning
At Wed, 07 Apr 2004 12:09:44 +0300, Kostas Zorbadelos wrote:
>
Today I faced the problem again. The router sent me accounting with no User-Name and after several failures of the sql module in accounting section the server stopped working (no core dump).

> [1 ]
>
>
> Hi to everyone.
> I sent this a week ago. Has this been answered before or is it not
> clear somehow? I searched the archives and found nothing. If I can
> help giving more information please let me know. I would really like
> to know about this behaviour.
>
> Thanks in advance.
>
> [2 ]
> To: [EMAIL PROTECTED]
> Subject: Error in sql module causes freeradius to stop functioning
> From: Kostas Zorbadelos <[EMAIL PROTECTED]>
> Date: Thu, 01 Apr 2004 19:20:02 +0300
> Message-ID: <[EMAIL PROTECTED]>
> User-Agent: Wanderlust/2.10.1 (Watching The Wheels) SEMI/1.14.6
> (Maruoka) FLIM/1.14.6 (Marutamachi) APEL/10.6 Emacs/21.3
> (i386-pc-linux-gnu) MULE/5.0 (SAKAKI)
> MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
>
>
>
> Hello to everyone.
> Yesterday I installed freeradius-0.9.3 on a Solaris 2.7 production
> environment. I use sql module and oracle as my database to store
> accounting. I first try to store the accounting data in the database
> and afterwards I write them in files with the detail module. The
> problem is that sometimes I get data that fail to be inserted in my
> database (wrong size, stupid error) so I see the following in
> radius.log:
>
>
> ...
> Thu Apr 1 15:55:13 2004 : Error: rlm_sql_oracle: execute query failed
> in sql_query: ORA-01401: inserted value too large for column
> Thu Apr 1 15:55:13 2004 : Auth: Login OK: [EMAIL PROTECTED] (from
> client fworks port 352 cli 2221038953)
> Thu Apr 1 15:55:14 2004 : Error: rlm_sql_oracle: execute query failed
> in sql_query: ORA-01401: inserted value too large for column
> Thu Apr 1 15:55:14 2004 : Error: rlm_sql (sql1): failed after re-connect
> Thu Apr 1 15:55:14 2004 : Error: rlm_sql: Couldn't insert SQL
> accounting STOP record - ORA-01401: inserted value too large for column
> Thu Apr 1 15:55:18 2004 : Error: rlm_sql_oracle: execute query failed
> in sql_query: ORA-01401: inserted value too large for column
> Thu Apr 1 15:55:18 2004 : Error: rlm_sql_oracle: execute query failed
> in sql_query: ORA-01401: inserted value too large for column
> Thu Apr 1 15:55:18 2004 : Error: rlm_sql (sql1): failed after re-connect
> Thu Apr 1 15:55:18 2004 : Error: rlm_sql: Couldn't insert SQL
> accounting STOP record - ORA-01401: inserted value too large for column
> Thu Apr 1 15:55:21 2004 : Auth: Login OK: [EMAIL PROTECTED] (from
> client fworks port 0 cli 2104131605)
> ...
>
>
> The error is very clear and I found the problem data. As I can
> understand,
> when a query fails, the sql module will try to execute the alternative
> query (if it exists) and if this also fails it reconnects to the db
> and tries one more time. Is this correct?
> Anyway, the radius server keeps servicing other requests and after a
> few such failures, the whole server stops functioning!
> Is this a correct behaviour? Shouldn't the server keep working servicing
> other requests? Is there some sort of threshold of errors after which
> the server stops functioning? Should we consider that a bug? (at first
> sight it seems this way)
>
>
>
> My configuration regarding accounting follows below.
>
> # Pre-accounting. Decide which accounting type to use.
> #
> preacct {
>         preprocess
>
>         #
>         #  Look for IPASS-style 'realm/', and if not found, look for
>         #  '@realm', and decide whether or not to proxy, based on
>         #  that.
>         #
>         #  Accounting requests are generally proxied to the same
>         #  home server as authentication requests.
> #       realmslash
>         suffix
>
>         #
>         #  Read the 'acct_users' file
>         files
> }
>
> #
> #  Accounting. Log the accounting data.
> #
> accounting {
>         #
>         #  Ensure that we have a semi-unique identifier for every
>         #  request, and many NAS boxes are broken.
>         acct_unique
>
>         #
>         #  Create a 'detail'ed log of the packets.
>         #  Note that accounting requests which are proxied
>         #  are also logged in the detail file.
> #       detail
> #       daily
>
> #       unix            # wtmp file
>
>         #
>         #  For Simultaneous-Use tracking.
>         #
>         #  Due to packet losses in the network, the data here
>         #  may be incorrect. There's little we can
[Resend]: Error in sql module causes freeradius to stop functioning
Hi to everyone.
I sent this a week ago. Has this been answered before or is it not clear somehow? I searched the archives and found nothing. If I can help giving more information please let me know. I would really like to know about this behaviour.

Thanks in advance.

--- Begin Message ---
Hello to everyone.
Yesterday I installed freeradius-0.9.3 on a Solaris 2.7 production environment. I use sql module and oracle as my database to store accounting. I first try to store the accounting data in the database and afterwards I write them in files with the detail module. The problem is that sometimes I get data that fail to be inserted in my database (wrong size, stupid error) so I see the following in radius.log:

...
Thu Apr 1 15:55:13 2004 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-01401: inserted value too large for column
Thu Apr 1 15:55:13 2004 : Auth: Login OK: [EMAIL PROTECTED] (from client fworks port 352 cli 2221038953)
Thu Apr 1 15:55:14 2004 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-01401: inserted value too large for column
Thu Apr 1 15:55:14 2004 : Error: rlm_sql (sql1): failed after re-connect
Thu Apr 1 15:55:14 2004 : Error: rlm_sql: Couldn't insert SQL accounting STOP record - ORA-01401: inserted value too large for column
Thu Apr 1 15:55:18 2004 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-01401: inserted value too large for column
Thu Apr 1 15:55:18 2004 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-01401: inserted value too large for column
Thu Apr 1 15:55:18 2004 : Error: rlm_sql (sql1): failed after re-connect
Thu Apr 1 15:55:18 2004 : Error: rlm_sql: Couldn't insert SQL accounting STOP record - ORA-01401: inserted value too large for column
Thu Apr 1 15:55:21 2004 : Auth: Login OK: [EMAIL PROTECTED] (from client fworks port 0 cli 2104131605)
...

The error is very clear and I found the problem data. As I can understand, when a query fails, the sql module will try to execute the alternative query (if it exists) and if this also fails it reconnects to the db and tries one more time. Is this correct?
Anyway, the radius server keeps servicing other requests and after a few such failures, the whole server stops functioning! Is this a correct behaviour? Shouldn't the server keep working servicing other requests? Is there some sort of threshold of errors after which the server stops functioning? Should we consider that a bug? (at first sight it seems this way)

My configuration regarding accounting follows below.

# Pre-accounting. Decide which accounting type to use.
#
preacct {
        preprocess

        #
        #  Look for IPASS-style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
        #
        #  Accounting requests are generally proxied to the same
        #  home server as authentication requests.
#       realmslash
        suffix

        #
        #  Read the 'acct_users' file
        files
}

#
#  Accounting. Log the accounting data.
#
accounting {
        #
        #  Ensure that we have a semi-unique identifier for every
        #  request, and many NAS boxes are broken.
        acct_unique

        #
        #  Create a 'detail'ed log of the packets.
        #  Note that accounting requests which are proxied
        #  are also logged in the detail file.
#       detail
#       daily

#       unix            # wtmp file

        #
        #  For Simultaneous-Use tracking.
        #
        #  Due to packet losses in the network, the data here
        #  may be incorrect. There's little we can do about it.
#       radutmp
#       sradutmp

        #  Return an address to the IP Pool when we see a stop record.
#       main_pool

        # see acct_users file
        Acct-Type SQL1 {
                sql1
                detail
        }
}

The acct_users file:

DEFAULT Acct-Type := SQL1

Thank you in advance.
--- End Message ---
Re: User with 2 profiles but different simultaneous-use in each
At Wed, 7 Apr 2004 01:36:11 +0400, Alexander M. Pravking wrote:
>
Alexander thank you very much. You understood exactly the locking scenario I want to achieve. Your first post seemed wonderful, too bad it doesn't work. I will look into rlm_perl if there is no other way.

Thanks again.

Kostas

> I'm sorry for misleading you, you can't configure it this way.
>
> On Tue, Apr 06, 2004 at 09:46:33AM +0400, Alexander M. Pravking wrote:
> > On Mon, Apr 05, 2004 at 08:16:24PM +0300, Kostas Zorbadelos wrote:
> > > Hello to everyone.
> > > I have the following problem where I work. We have a user, let's say
> > > kzorba that is an ADSL user and has a specific profile (check and
> > > reply attributes). We want to limit the Simultaneous-Use of
> > > the user for this service to 1. We also want for the same user to be
> > > able to use an ISDN 128 backup connection in case his ADSL line has a
> > > problem. In this case our user has a different profile and
> > > Simultaneous-Use 2 (in order to be able to login twice for the 2 isdn
> > > channels). So the question is: how can I lock the user in a way that
> > > when he uses his ADSL connection, not to be able to connect with ISDN
> > > at all (that's easy since Simultaneous-Use is 1 in this case and won't
> > > be allowed to login for anything else) and the opposite (when in as an
> > > ISDN not to be able to use the ADSL).
> > > Any suggestions are highly appreciated.
> >
> > You could do it in authorize {} section instead of session {}.
> > Say you have defined 2 attrs (e.g. of type integer): ADSL-Up and ISDN-Up.
> > Assuming you have accounting in SQL, you could do:
> >
> > ADSL-Up := `%{sql:SELECT count(*) FROM radacct WHERE UserName = '%u' AND
> > NASPortType = 'Ethernet' AND AcctStopTime IS NULL}`
> > ISDN-Up := `%{sql:SELECT count(*) FROM radacct WHERE UserName = '%u' AND
> > NASPortType = 'ISDN' AND AcctStopTime IS NULL}`
> >
> > (Note the backquotes; the behaviour can change soon.)
>
> That's fine. But... These attributes should go into config items,
> so you cannot use users file to check them, since attributes being
> checked are always taken from the request:
>
> > Then put 2 entries in "users" file:
> > DEFAULT NAS-Port-Type == ISDN, ADSL-Up > 0, Auth-Type := Reject
> >         Reply-Message := "You have your ADSL up, ISDN connections disabled"
> >
> > DEFAULT NAS-Port-Type == Ethernet, ISDN-Up > 0, Auth-Type := Reject
> >         Reply-Message := "To use ADSL, first stop your backup ISDN connections"
>
> Instead, you can use rlm_perl (I'd recommend post-auth section, but then you
> should patch rlm_perl a little ;-):
>
> sub authorize {
>     if ($RAD_REQUEST{'NAS-Port-Type'} eq 'ISDN'
>         and $RAD_CHECK{'ADSL-Up'} > 0) {
>
>         $RAD_REPLY{'Reply-Message'} =
>             "You have your ADSL up, ISDN connections disabled";
>         return RLM_MODULE_REJECT;
>     }
>
>     if ($RAD_REQUEST{'NAS-Port-Type'} eq 'Ethernet'
>         and $RAD_CHECK{'ISDN-Up'} > 0) {
>
>         $RAD_REPLY{'Reply-Message'} =
>             "To use ADSL again, first stop your backup ISDN connections";
>         return RLM_MODULE_REJECT;
>     }
>     return RLM_MODULE_NOOP;
> }
>
> --
> Fduch M. Pravking
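The check Alexander sketches in the reply above (count the user's open radacct sessions on the other access type and reject when the count is nonzero) as a stand-alone Python example. This is added here and is not code from the thread or from FreeRADIUS: sqlite3 stands in for the accounting database and the session rows are constructed. It also handles the failure mode the radiusd.conf comment quoted elsewhere on this page warns about ("due to packet losses in the network, the data here may be incorrect"): an open session older than max_age is treated as a lost Stop record rather than blocking the user indefinitely. That cut-off and its 24-hour default are assumptions of the example, not something the thread specifies.

```python
import sqlite3
from datetime import datetime, timedelta

# Which open session blocks which new login. Port-type names follow the
# users-file entries quoted above (Ethernet for the ADSL side, ISDN for backup).
EXCLUSIVE = {"ISDN": "Ethernet", "Ethernet": "ISDN"}
MESSAGES = {
    "ISDN": "You have your ADSL up, ISDN connections disabled",
    "Ethernet": "To use ADSL, first stop your backup ISDN connections",
}


def make_db(rows):
    """In-memory radacct with only the columns the check reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, NASPortType TEXT, "
                 "AcctStartTime TEXT, AcctStopTime TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def open_sessions(conn, username, port_type, now, max_age):
    """Count sessions of port_type with no Stop record that started within
    max_age. Older open rows are taken as stale (a lost Stop packet) and
    ignored; that cut-off is this example's assumption, not the thread's."""
    cutoff = (now - max_age).strftime("%Y-%m-%d %H:%M:%S")
    row = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND NASPortType = ? "
        "AND AcctStopTime IS NULL AND AcctStartTime >= ?",
        (username, port_type, cutoff)).fetchone()
    return row[0]


def authorize(conn, username, nas_port_type, now=None, max_age=timedelta(hours=24)):
    """Return (accept, reply_message). A login on one access type is refused
    while the user has a live session on the other; any other port type is
    accepted here and left to the normal Simultaneous-Use handling."""
    now = now or datetime.now()
    other = EXCLUSIVE.get(nas_port_type)
    if other is None:
        return True, None
    if open_sessions(conn, username, other, now, max_age) > 0:
        return False, MESSAGES[nas_port_type]
    return True, None


# Constructed sample rows: (UserName, NASPortType, AcctStartTime, AcctStopTime)
NOW = datetime(2004, 4, 7, 12, 0, 0)
SAMPLE_ROWS = [
    ("kzorba", "Ethernet", "2004-04-07 11:30:00", None),                # live ADSL session
    ("kzorba", "ISDN", "2004-04-06 09:00:00", "2004-04-06 09:20:00"),  # closed ISDN session
    ("stale", "ISDN", "2004-04-04 08:00:00", None),                     # open 3 days: stale
]

if __name__ == "__main__":
    conn = make_db(SAMPLE_ROWS)
    for user, ptype in (("kzorba", "ISDN"), ("kzorba", "Ethernet"), ("stale", "Ethernet")):
        print(user, ptype, authorize(conn, user, ptype, now=NOW))
```

Because the decision is taken in authorize, before Simultaneous-Use is evaluated, the two profiles can keep their different Simultaneous-Use values; this check only adds the cross-type exclusion.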
Re: User with 2 profiles but different simultaneous-use in each
At Tue, 6 Apr 2004 12:14:59 +0300 (EEST), Kostas Kalevras wrote:
>
Dear Kostas first of all thanks for your answer. I don't have this module compiled in the binary versions I compiled. I saw its source code however inside src/modules. Is it an experimental module that needs to be 'activated' in the configure step? What is its function exactly? (I know that you are the most relevant person to ask and I didn't see any documentation for it apart from the source code)
Using this module can I achieve the locking scenario I want? That is, when the user is logged in on an ISDN line (has Simultaneous-Use=2) can I reject him if he tries to log in as an ADSL at the same time?

Looking forward to your answer to also learn the role of your module.

Kostas

> On Mon, 5 Apr 2004, Kostas Zorbadelos wrote:
>
> >
> >
> > Hello to everyone.
> > I have the following problem where I work. We have a user, let's say
> > kzorba that is an ADSL user and has a specific profile (check and
> > reply attributes). We want to limit the Simultaneous-Use of
> > the user for this service to 1. We also want for the same user to be
> > able to use an ISDN 128 backup connection in case his ADSL line has a
> > problem. In this case our user has a different profile and
> > Simultaneous-Use 2 (in order to be able to login twice for the 2 isdn
> > channels). So the question is: how can I lock the user in a way that
> > when he uses his ADSL connection, not to be able to connect with ISDN
> > at all (that's easy since Simultaneous-Use is 1 in this case and won't
> > be allowed to login for anything else) and the opposite (when in as an
> > ISDN not to be able to use the ADSL).
> > Any suggestions are highly appreciated.
>
> Since you keep different profiles for each connection (ADSL or ISDN) then you
> can add a check item for the NAS-Port-Type (Virtual or ISDN) in each one and use
> rlm_checkval to only allow the corresponding port-type for each profile.
>
> >
> > Thanks in advance
> >
> > Kostas
> >
> > PS: By the way we have our user database in LDAP but I think that's
> > irrelevant.
> >
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone:              +30 210 7721861
> 'Go back to the shadow'  Gandalf
User with 2 profiles but different simultaneous-use in each
Hello to everyone.
I have the following problem where I work. We have a user, let's say kzorba, that is an ADSL user and has a specific profile (check and reply attributes). We want to limit the Simultaneous-Use of the user for this service to 1. We also want for the same user to be able to use an ISDN 128 backup connection in case his ADSL line has a problem. In this case our user has a different profile and Simultaneous-Use 2 (in order to be able to log in twice for the 2 ISDN channels). So the question is: how can I lock the user in a way that when he uses his ADSL connection, he is not able to connect with ISDN at all (that's easy since Simultaneous-Use is 1 in this case and he won't be allowed to log in for anything else) and the opposite (when logged in as ISDN, not to be able to use the ADSL)?
Any suggestions are highly appreciated.

Thanks in advance

Kostas

PS: By the way we have our user database in LDAP but I think that's irrelevant.
HUP signal does not always work in Solaris
Hello.
In a Solaris 2.7 I compiled the latest freeradius release (0.9.3) with gcc 2.95.3. I use it in a production environment with the sql module and an Oracle database. When I change a configuration file and send the HUP signal to the server, sometimes the server is killed. I also notice that in the occasions that HUP works, the connections to the database are closed and then re-opened. Does this have to do with the db or is it a freeradius problem? For any information I can provide to trace the problem, please let me know.

Thanks in advance.

Kostas
Error in sql module causes freeradius to stop functioning
Hello to everyone.
Yesterday I installed freeradius-0.9.3 on a Solaris 2.7 production environment. I use sql module and oracle as my database to store accounting. I first try to store the accounting data in the database and afterwards I write them in files with the detail module. The problem is that sometimes I get data that fail to be inserted in my database (wrong size, stupid error) so I see the following in radius.log:

...
Thu Apr 1 15:55:13 2004 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-01401: inserted value too large for column
Thu Apr 1 15:55:13 2004 : Auth: Login OK: [EMAIL PROTECTED] (from client fworks port 352 cli 2221038953)
Thu Apr 1 15:55:14 2004 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-01401: inserted value too large for column
Thu Apr 1 15:55:14 2004 : Error: rlm_sql (sql1): failed after re-connect
Thu Apr 1 15:55:14 2004 : Error: rlm_sql: Couldn't insert SQL accounting STOP record - ORA-01401: inserted value too large for column
Thu Apr 1 15:55:18 2004 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-01401: inserted value too large for column
Thu Apr 1 15:55:18 2004 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-01401: inserted value too large for column
Thu Apr 1 15:55:18 2004 : Error: rlm_sql (sql1): failed after re-connect
Thu Apr 1 15:55:18 2004 : Error: rlm_sql: Couldn't insert SQL accounting STOP record - ORA-01401: inserted value too large for column
Thu Apr 1 15:55:21 2004 : Auth: Login OK: [EMAIL PROTECTED] (from client fworks port 0 cli 2104131605)
...

The error is very clear and I found the problem data. As I can understand, when a query fails, the sql module will try to execute the alternative query (if it exists) and if this also fails it reconnects to the db and tries one more time. Is this correct?
Anyway, the radius server keeps servicing other requests and after a few such failures, the whole server stops functioning! Is this a correct behaviour? Shouldn't the server keep working servicing other requests? Is there some sort of threshold of errors after which the server stops functioning? Should we consider that a bug? (at first sight it seems this way)

My configuration regarding accounting follows below.

# Pre-accounting. Decide which accounting type to use.
#
preacct {
        preprocess

        #
        #  Look for IPASS-style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
        #
        #  Accounting requests are generally proxied to the same
        #  home server as authentication requests.
#       realmslash
        suffix

        #
        #  Read the 'acct_users' file
        files
}

#
#  Accounting. Log the accounting data.
#
accounting {
        #
        #  Ensure that we have a semi-unique identifier for every
        #  request, and many NAS boxes are broken.
        acct_unique

        #
        #  Create a 'detail'ed log of the packets.
        #  Note that accounting requests which are proxied
        #  are also logged in the detail file.
#       detail
#       daily

#       unix            # wtmp file

        #
        #  For Simultaneous-Use tracking.
        #
        #  Due to packet losses in the network, the data here
        #  may be incorrect. There's little we can do about it.
#       radutmp
#       sradutmp

        #  Return an address to the IP Pool when we see a stop record.
#       main_pool

        # see acct_users file
        Acct-Type SQL1 {
                sql1
                detail
        }
}

The acct_users file:

DEFAULT Acct-Type := SQL1

Thank you in advance.