Re: SQL back-end interface

2005-02-24 Thread Max Ahston
> Is it possible to pass ALL auth. request attributes
> to the stored procedure (in some kind of attr/value
> comma-separated list) which verifies 
> username/password and returns accept/reject/challenge
> status code and output attribute's list, that have to
> be added to the response.
> 
> The preferred method is ODBC (or something else to
> work with MS-SQL). Stored procedure signature could 
> be as:
> 
> CREATE PROCEDURE dbo.p_radAuth 
>   @username varchar(253),
>   @password varchar(253),
>   @avplist_in varchar(2048),
>   @avplist_out varchar(2048)
> 

Well, 

The answer to your question is probably yes, but with some modifications.

First off, you need to run a check to match the username and password, done 
with authorize_check_query. You must return 
the fields id,username,attribute,value,op from the select-statement 
against your SP. 

This will make Freeradius able to match the stored password against the 
sent one. 

If ok, freeradius will execute authorize_reply_query.. (might run if 
password not ok, can't remember at the moment).. You will be a good 
database designer and follow the simple and perfect strategy used by 
freeradius.. Add a row for each attribute you want to add to a user.. 
reply_query will run something like:

SELECT id, username, attribute, value, op FROM 
radreply where username = 

With MSSQL you can run a select statement against a SP.

The only thing you really need to think of is that Freeradius expects to 
get rows with the column-names id, username, attribute, value and op. If 
you manage to do that, you can do whatever you want :) 

Sincerely,

Max!




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: calling a stored procedure

2005-02-24 Thread Max Ahston
> this is an example of what can be done in postgresql:
> 
> authorize_check_query = "SELECT * FROM
> radius_check('%{SQL-User-Name}', '%{Client-IP-Address}') HAVING id IS
> NOT NULL"
> 
> the function returns the correct number of cols as needed.
> 
> should be similar for oracle.

Maybe a little late answer, but no.. You can not execute a stored 
procedure the same way in Oracle as with postgres or MSSQL. 

In Oracle the proc only returns a pointer that needs to be read after 
execution, not supported in the current db.

However, I faced the same problem in aug/sep last year but finally managed
to solve it..

It basically depends on what you want to do, but in my case I run a 
SQL-statement like this:

authorize_check_query = "select id,username,attribute,value,op FROM
radcheck WHERE username = '%{SQL-User-Name}' AND
check_service('%{SQL-User-Name}','%{Huntgroup-Name}','%{Called-Station-Id}')
= 1"

The check_service as you can see takes a couple of arguments. If executed 
OK, it will return 1.. meaning I've got a match on the user with the 
criteria needed to accept the call. 

This solution gave me the possibility to run different sql-queries 
depending on the different input variables..

I've also modified the sql-code in pretty simple way so it's possible for 
me to execute more than one authorize_reply_query .. I've added 
authorize_reply_query2 and authorize_reply_query3 etc.. 

With this, my need for the possibility to run Oracle SP's went away, for 
now anyways ;)

If you haven't solved your problem, hope this helped. Otherwise I hope 
this will help other people searching the archives.. Because there is very 
little written about this earlier :)

Sincerely,

Max!




Re: starting FreeRadius

2004-03-20 Thread Max Ahston
> I currently have it running with scripts also, but was considering using
> daemontools.
> Certainly something like daemontools that will keep a watchdog on the server
> would be very helpful.
> 
> Does daemontools open a window to view the program running?
> 

Daemontools does what you tell it to do, and I don't really understand the 
point of opening a window to view the program running. 

If you want to run freeradius with daemontools, add the -f option in the 
runscript.

More specific questions about daemontools you should take in the right
forum, and that my friend, is not this mailing list :)

Sincerely,

Max!




Re: starting FreeRadius

2004-03-19 Thread Max Ahston
> Please ignore my laziness on the last message, I used "reply" instead of
> typing the address and forgot to change the subject.

but you're still wondering what's the proper way how to start the server?

I would say it depends on your needs, in the beginning I used to start it 
with rc-scripts. But it happened that the server crashed (we have added 
5-6 own modules to the software). I've put freeradius under daemontools to 
get a quick restart if the server dies, even though it is now running very 
stable. 

I do this on 4 servers and it works like a charm :)

Max!




Re: free radius client software

2004-03-19 Thread Max Ahston
> does any one of you know where to find the free radius client software
> ,also if source code is available then let me know

free radius client software? I guess you're looking for radclient or 
radtest, both are included in the source-package that you can download 
from www.freeradius.org. Compile the package and you will get your radtest 
or radclient.

Max!




Any idea how to change attribute and not just the value?

2004-03-18 Thread Max Ahston
I have been searching ideas the whole day by browsing the archives but 
I've not managed to solve my problem yet.

The setup: 

freeradius-snapshot-20040317 connected to pgsql. We have different nas:es 
(Tigris, Ascend and Cisco to name some).

Earlier the default DNS's was sent to the clients directly from the 
NAS-boxes. But later on we decided we wanted to set specific DNS entries 
for some users, otherwise the default DNS.

The problem is as follows, 

To set the DNS on the tigris, we have to send the following attributes:

Acc-Dns-Server-Pri = 10.0.0.1,
Acc-Dns-Server-Sec = 10.0.0.2,

But when we want to set them on the Ascend, these are the attributes we 
must send:

Ascend-Client-Primary-DNS = 10.0.0.1,
Ascend-Client-Secondary-DNS = 10.0.0.2,


So what I've tried now that _almost_ works (in 3 cases of 4 :) ) is that 
I've configured some huntgroups:

tigris  NAS-IP-Address == 192.168.100.1

ascend  NAS-IP-Address == 192.168.100.2

in the users file I've the following lines:

DEFAULT Huntgroup-Name == "tigris"
        Port-Limit = 2,
        Fall-Through = 1,
        Login-Service = Rlogin,
        Login-Host = BESTHOST,
        Acc-Dns-Server-Pri = 10.0.0.1,
        Acc-Dns-Server-Sec = 10.0.0.2,
        Framed-Protocol = PPP,
        Framed-Routing = None

DEFAULT Huntgroup-Name == "ascend"
        Port-Limit = 2,
        Fall-Through = 1,
        Login-Service = Rlogin,
        Login-Host = BESTHOST,
        Ascend-Client-Primary-DNS = 10.0.0.1,
        Ascend-Client-Secondary-DNS = 10.0.0.2,
        Framed-Protocol = PPP,
        Framed-Routing = None


The users get verified in the SQL-database and the idea is to add the 
attributes for the users we want to set specific DNS's for in the radreply 
table.

So I've added the following to the radreply table:

 id | username |          attribute          | op |  value
----+----------+-----------------------------+----+----------
  1 | test     | Ascend-Client-Primary-DNS   | := | 10.0.0.3
  2 | test     | Ascend-Client-Secondary-DNS | := | 10.0.0.4



When I act as the ascend NAS I get the answer I want from the 
radius-server with the Pri/Sec DNS set to .3 and .4.

But when I act as a Tigris and send an auth-req I get both the default 
Acc-Dns-Server entries and the Ascend-Client from the database.

This is of course as expected since this is how I configured the server, 
but not what I want in the end :)

I've checked out the attr_rewrite module but from what I've read and what 
I understand in the config, I can only use it to rewrite the value of a 
specific attribute?! 

Is there a way for me to rewrite the attribute itself and not just the 
value? 

One way to solve it is to run two different sql-questions against radreply 
if the request is from a tigris or ascend. Then I can use a stored proc. 
in pgsql to rewrite the attributes and leave the values intact.

Any ideas? 

Sincerely,

Max!
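
The stored-function idea from the post above, combined with the five-column
result (id, username, attribute, value, op) described in the first message,
as an added example that is not part of the original posts or of FreeRADIUS's
shipped schema. It assumes a current PostgreSQL; the nas_attr_map table and
the radreply_for function are hypothetical names, and the rows are constructed
from the values quoted in the post.

```sql
-- Constructed sample data; the radreply columns follow the table in the post.
CREATE TABLE radreply (
    id        serial PRIMARY KEY,
    username  text NOT NULL,
    attribute text NOT NULL,
    op        varchar(2) NOT NULL DEFAULT ':=',
    value     text NOT NULL
);

-- Hypothetical mapping table: for a given huntgroup, the attribute name stored
-- in radreply and the name that NAS type must receive instead.
CREATE TABLE nas_attr_map (
    huntgroup   text NOT NULL,
    stored_attr text NOT NULL,
    sent_attr   text NOT NULL,
    PRIMARY KEY (huntgroup, stored_attr)
);

INSERT INTO radreply (username, attribute, op, value) VALUES
    ('test', 'Ascend-Client-Primary-DNS',   ':=', '10.0.0.3'),
    ('test', 'Ascend-Client-Secondary-DNS', ':=', '10.0.0.4');

INSERT INTO nas_attr_map (huntgroup, stored_attr, sent_attr) VALUES
    ('tigris', 'Ascend-Client-Primary-DNS',   'Acc-Dns-Server-Pri'),
    ('tigris', 'Ascend-Client-Secondary-DNS', 'Acc-Dns-Server-Sec');

-- Hypothetical function: returns the five columns in the order the post lists,
-- renaming attributes for the requesting huntgroup and leaving values intact.
-- Static SQL only (no EXECUTE): the arguments are compared, never run as SQL.
CREATE FUNCTION radreply_for(p_username text, p_huntgroup text)
RETURNS TABLE (id integer, username text, attribute text, value text, op varchar)
LANGUAGE sql STABLE AS $$
    SELECT r.id, r.username,
           COALESCE(m.sent_attr, r.attribute),  -- unmapped names pass through
           r.value, r.op
    FROM radreply r
    LEFT JOIN nas_attr_map m
           ON m.huntgroup = p_huntgroup
          AND m.stored_attr = r.attribute
    WHERE r.username = p_username
    ORDER BY r.id;
$$;

-- Query string for sql.conf, using the expansions that appear in the thread:
-- authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply_for('%{SQL-User-Name}', '%{Huntgroup-Name}')"

-- Same user requested through each of the two huntgroups from the post.
SELECT * FROM radreply_for('test', 'tigris');
SELECT * FROM radreply_for('test', 'ascend');
```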

