VMPS Problem with similar requests

2009-08-28 Thread Michael Bryant
Hi,
If two vmps requests are sent in close succession (within cleanup_delay), with
the same source port, from the same switch (which does in fact seem to be
common, as the cisco switch I'm using for testing sends *all* requests with a
source port picked on startup), they are detected by freeradius as identical,
even if they are for different mac addresses.

This means the second request gets the same response as the first, even when
they should be different.

For example, testing with the vqpcli tool:
Close together:
server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w
192.168.248.32 -i Fa0/17 -m 0016.4111.0bfe
Vlan: BRIDGE
MAC Address: 001641110bfe 
Status: ALLOW
server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w
192.168.248.32 -i Fa0/17 -m 0016.4111.0bff
Vlan: BRIDGE
MAC Address: 001641110bfe 
Status: ALLOW

then a short time later (outside cleanup_delay)
server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w
192.168.248.32 -i Fa0/17 -m 0016.4111.0bff
Vlan: 
MAC Address:  
Status: DENY

Which is the correct response

Cheers
--Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
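A toy model of the duplicate-request cache behaviour the report above describes, added here as an illustration (it is not FreeRADIUS code). The switch address, source port and policy table are constructed; the assumption is that a packet counts as a retransmission when (client address, source port, VQP sequence number) matches a request answered within cleanup_delay, and that vqpcli always sends the sequence number 4660 seen in the debug output. A second mode keys the cache on the request body as well, so the second MAC is answered on its own merits.

```python
"""Toy model of the duplicate-request cache behaviour described in the report.

Added illustration, not FreeRADIUS code. The switch address, source port and
policy table are constructed values. Assumption: a packet is treated as a
retransmission when (client address, source port, VQP sequence number) matches
a request answered within cleanup_delay; vqpcli's sequence number is the
constant 4660 seen in the debug output, so that key never changes.
"""
import hashlib
from dataclasses import dataclass, field

CLEANUP_DELAY = 5.0  # seconds; the cleanup_delay = 5 default


@dataclass(frozen=True)
class VqpRequest:
    client_ip: str
    src_port: int
    sequence: int
    port_name: str
    mac: str            # e.g. "0016.4111.0bfe"

    def body_digest(self) -> str:
        # Digest of the fields that decide the answer, not of the transport tuple.
        return hashlib.sha256(f"{self.port_name}|{self.mac}".encode()).hexdigest()


# Constructed policy: one MAC may join VLAN BRIDGE, everything else is denied.
ALLOWED = {"0016.4111.0bfe": "BRIDGE"}


def decide(req: VqpRequest) -> tuple:
    vlan = ALLOWED.get(req.mac)
    return ("ALLOW", vlan) if vlan else ("DENY", "")


@dataclass
class VmpsServer:
    key_on_body: bool          # False reproduces the behaviour in the report
    cache: dict = field(default_factory=dict)   # key -> (reply, answered_at)

    def _key(self, req: VqpRequest) -> tuple:
        key = (req.client_ip, req.src_port, req.sequence)
        return key + (req.body_digest(),) if self.key_on_body else key

    def handle(self, req: VqpRequest, now: float) -> tuple:
        # Drop cache entries older than cleanup_delay, then look for a "duplicate".
        self.cache = {k: v for k, v in self.cache.items() if now - v[1] < CLEANUP_DELAY}
        key = self._key(req)
        if key in self.cache:          # looks like a retransmit: resend the old reply
            return self.cache[key][0]
        reply = decide(req)
        self.cache[key] = (reply, now)
        return reply


def replay(key_on_body: bool) -> tuple:
    """Send the two vqpcli requests from the report 1 s apart, then the second again after 10 s."""
    srv = VmpsServer(key_on_body)
    first = VqpRequest("192.168.248.32", 49152, 4660, "Fa0/17", "0016.4111.0bfe")
    second = VqpRequest("192.168.248.32", 49152, 4660, "Fa0/17", "0016.4111.0bff")
    return (srv.handle(first, 0.0),     # ALLOW BRIDGE, correct
            srv.handle(second, 1.0),    # within cleanup_delay
            srv.handle(second, 10.0))   # after cleanup_delay: DENY, correct
```

With key_on_body=False the second MAC inherits the first MAC's ALLOW reply, exactly the wrong answer the vqpcli session shows; with key_on_body=True it is denied straight away.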


Re: String Validation

2009-08-16 Thread Michael Bryant

The if statement can remain the same, add before it:
    if (SQL-GROUP =~ /(.*)-.*/) {
        update request {
            SQL-GROUP := "%{1}"
        }
    }
This assumes that:
a) There is never a '-' in the USUK or whatever part.
b) You don't need to reference the original SQL-GROUP value.
If you do, you may want to use something like:
    if (SQL-GROUP =~ /(.*)-.*/) {
        update control {
            Tmp-String-0 := "%{1}"
        }
    }
    if (control:Tmp-String-0 == "USUK") {
        ok
    }
etc.

--Mike



Re: String Validation

2009-08-16 Thread Michael Bryant

> 
> If a connection that comes in with a GROUP NAME from SQL of "USUK-XX"
> or "WUK-XX" and I want to strip of the "-XX", how would I do this with
> ulang so I only validate the following?

Using the regexp feature, you can match part of an attribute then
reference it later, like so:
    if (SQL-GROUP =~ /(.*)-XX/) {
        update request {
            SQL-GROUP := "%{1}"
        }
    }

--Mike

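What `%{1}` ends up holding for the `/(.*)-XX/` and `/(.*)-.*/` patterns in the two replies above, as an added illustration rather than code from the thread: Python's `re` stands in for the server's regex engine (both do greedy, unanchored searches by default), and the group names beyond "USUK-XX" and "WUK-XX" are constructed to show why caveat (a) about a '-' in the group part matters.

```python
"""What `%{1}` receives from the `SQL-GROUP =~ /(.*)-.*/` and `/(.*)-XX/` checks.

Added illustration, not FreeRADIUS code: Python's `re` stands in for the
server's regex engine (both are greedy, unanchored searches by default).
The sample group names are constructed around the "USUK-XX" / "WUK-XX" examples.
"""
import re


def capture(pattern: str, value: str):
    """Return what %{1} holds after `value =~ /pattern/`, or None when the condition is false."""
    m = re.search(pattern, value)
    return m.group(1) if m else None


def strip_suffix(value: str, pattern: str = r"(.*)-.*") -> str:
    """The reply's rewrite: SQL-GROUP := "%{1}" inside the if; otherwise SQL-GROUP is left alone."""
    captured = capture(pattern, value)
    return value if captured is None else captured


def matches_group(value: str, wanted: str = "USUK") -> bool:
    """The existing check, run against the stripped value (the if statement can stay the same)."""
    return strip_suffix(value) == wanted
```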


Re: PEAP / mschapv2 Error Messages

2009-08-13 Thread Michael Bryant

> 
> unlang? set a variable to the value of MS-CHAP-Error and then set the 
> Reply-Message
> to be some text with that variable in it.
> 
Unfortunately, this sends it back in the next packet, which is an
Access-Challenge, not in the final Access-Reject.

Also, for some strange reason, the post-auth section in the inner-tunnel
only gets called on a successful auth, not on a failure, so I can't
output the failure to sql there either.

> alternatively you could probably call PERL or python etc at the right time and
> do the required variable and reply-message settings with those languages
> instead
> 
> however by sending such messages the remote user knows the reason for
> failure
> eg incorrect password but a successful user...and could bruteforce
I plan to do something along the lines of:
MS-Chap-Error=User wrong => login failed
MS-Chap-Error=Pass wrong => login failed
MS-Chap-Error=Account locked => Account locked


--Mike



PEAP / mschapv2 Error Messages

2009-08-13 Thread Michael Bryant
Hi,
Using the default eap/peap & inner-tunnel configuration, a failure gives rise to
this:

Exec-Program output: Logon failure (0xc06d) 
Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\nE=691 R=1"
EAP-Message = 0x040a0004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\nE=691 R=1"
EAP-Message = 0x040a0004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled

How can I take that MS-Chap-Error attribute and pass it back in the final
access-reject, as a Reply-Message attribute for example?

Cheers
--Mike
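The MS-CHAP-Error value in the debug output above, parsed and mapped to the kind of Reply-Message text the follow-up reply plans (unknown user and wrong password collapse to one message, lock-out is distinguished), as an added illustration and not FreeRADIUS code. It assumes the RFC 2548 layout of the attribute (one Ident octet, then the RFC 2759 failure string "E=eeeeeeeeee R=r C=... V=... M=<msg>") and the RFC 2759 error codes; mapping "Account locked" to E=647 is an assumption, since RFC 2759 only defines "account disabled".

```python
"""Parse the MS-CHAP-Error attribute from the debug output and pick Reply-Message text.

Added illustration, not FreeRADIUS code. Assumes the RFC 2548 layout of the
attribute (one Ident octet, then the RFC 2759 failure string
"E=eeeeeeeeee R=r C=... V=... M=<msg>") and the RFC 2759 error codes.
Mapping lock-out to E=647 is an assumption: RFC 2759 has no separate
lock-out code, only "account disabled".
"""
import re

# RFC 2759 section 6 failure codes.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Unknown user and wrong password both arrive as E=691, so one generic text
# covers both and the reply leaks nothing about whether the account exists.
USER_MESSAGE = {"ERROR_ACCT_DISABLED": "Account locked"}
DEFAULT_MESSAGE = "login failed"


def parse_mschap_error(raw: str) -> dict:
    """raw is the value as radiusd -X prints it, e.g. "\\nE=691 R=1"."""
    ident, text = ord(raw[0]), raw[1:]       # first octet is the Ident (EAP identifier)
    out = {"ident": ident, "code": None, "name": None, "retry": False, "message": ""}
    m = re.search(r"\bE=(\d+)", text)
    if m:
        out["code"] = int(m.group(1))
        out["name"] = MSCHAP_ERRORS.get(out["code"], "UNKNOWN")
    m = re.search(r"\bR=(\d)", text)
    if m:
        out["retry"] = m.group(1) == "1"     # R=1: the peer may retry
    m = re.search(r"\bM=(.*)$", text)        # M= runs to end of string, spaces included
    if m:
        out["message"] = m.group(1)
    return out


def reply_message(raw: str) -> str:
    """Text safe to hand back in Reply-Message: generic unless it is a lock-out."""
    return USER_MESSAGE.get(parse_mschap_error(raw)["name"], DEFAULT_MESSAGE)


def eap_identifier(eap_message_hex: str) -> int:
    """Identifier octet of an EAP-Message as printed in debug output (0x040a0004 -> 10)."""
    hexstr = eap_message_hex[2:] if eap_message_hex.startswith("0x") else eap_message_hex
    return bytes.fromhex(hexstr)[1]          # EAP header: code, identifier, length(2)
```

The leading "\n" in the printed value is the Ident octet (0x0a), which is the same identifier carried by the EAP Failure 0x040a0004 in the same tunneled reply.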


Re: Re:freeradius2.1.6 module errors

2009-08-13 Thread Michael Bryant
Wrong operator.
Use = or not :=
--Mike
On Thu, 2009-08-13 at 12:56 +0530, ramesh p wrote:
> 
> 
> Hi,
>  
> Here is the full accounting section of sites-available/default
> accounting {
> #
> #  Create a 'detail'ed log of the packets.
> #  Note that accounting requests which are proxied
> #  are also logged in the detail file.
> detail
> #   daily
> #  Update the wtmp file
> #
> #  If you don't use "radlast", you can delete this line.
> unix
> #
> #  For Simultaneous-Use tracking.
> #
> #  Due to packet losses in the network, the data here
> #  may be incorrect.  There is little we can do about it.
> radutmp
> #   sradutmp
> #  Return an address to the IP Pool when we see a stop record.
> #   main_pool
> #
> #  Log traffic to an SQL database.
> #
> #  See "Accounting queries" in sql.conf
> #sql
> 
> if(Acct-Status-Type := 'stop') {
> sql
> }
> 
> #
> #  Instead of sending the query to the SQL server,
> #  write it into a log file.
> #
> #   sql_log
> #  Cisco VoIP specific bulk accounting
> #   pgsql-voip
> #  Filter attributes from the accounting response.
> attr_filter.accounting_response
> #
> #  See "Autz-Type Status-Server" for how this works.
> #
> Acct-Type Status-Server {
> }
> }
> 
> Thanks,
> Rams.  
>  
> On 13/8/09 07:10, ramesh p wrote:
> > Though i have placed the code in sites-available/default
> > under accounting section: 
> 
> >  
> >if(Acct-Status-Type := 'stop'){
> >sql
> 
> 
> Can you post the full section that you have added this to, if you have
> only added just those 2 lines then you haven't closed the statement
> off
> with a "}".
> 
> Steve
> 
> -- 
> Steven Carr
> Systems Development Officer
> SLS/ITS/Systems - (0191) 515 3953
> 
> 


2.1.6 Segfault (unlang: if (NAS-Port == 0) { reject }

2009-08-10 Thread Michael Bryant
Hi,
Reproducible on 2.1.6, default config with:
These lines in the authorize section:
    if (NAS-Port == 0) {
        reject
    }

And this command:
echo "User-Name = test" | radclient 10.252.24.114 auth testing123

An Access-Request packet not containing the NAS-Port Attribute causes the server
to segfault.

Cheers
--Mike

P.S.
Workaround: if (NAS-Port && NAS-Port == 0) {

segfault-log
Description: Binary data

Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet

2009-08-09 Thread Michael Bryant
Attached is the debug output from a ubuntu package of 2.1.0, with the
default config (I didn't see a 2.1.0 tarball on the site)

Also attached is the debug output from the 2.1.6 install (tarball from
site), again with the default config.

As far as I can tell, in 2.1.0 it finds the vmps section, in 2.1.6 it
doesn't.

--Mike
On Sun, 2009-08-09 at 15:06 +0200, Alan DeKok wrote:
> Michael Bryant wrote:
> >>   You get the same error in 2.1.0, or the configuration which worked in
> >> 2.1.0 doesn't work in 2.1.6?
> > 
> > My customized vmps server section works in 2.1.0.
> 
>   Except that debug mode prints out what it is processing.  And it's not
> printing out anything in 2.1.6.  That may be the source of the problem.
> 
>   What does debug mode show for 2.1.0?
> 
> > Output with 2.1.0:
> > Vlan: please_use_real_vlan_here
> > MAC Address: 123412341234 
> > Status: ALLOW
> 
>   Is that the debug output... or something else?
> 
> > With 2.1.6:
> > Ready to process requests.
> 
>   Which looks to be the debug output.
> 
>   Compare apples to apples.
> 
>   Alan DeKok.

Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet

2009-08-09 Thread Michael Bryant

>   You get the same error in 2.1.0, or the configuration which worked in
> 2.1.0 doesn't work in 2.1.6?

My customized vmps server section works in 2.1.0.
Trying to use the same customized configuration in 2.1.6 gives the
error.

Using the default configuration - the
VMPS-VLAN-Name = "please_use_real_vlan_here"
one - works in 2.1.0.
In 2.1.6, it returns the error.

>   Which shows that absolutely nothing is happening in the VMPS server.
> 
>   Is there anything at all in the VMPS server?
Yes, the part to pull the mac address out of the ethernet frame, putting
it in the vmps-cookie, updating the reply with the vlan name /
packet-type - the default config.

On a clean machine I've just compiled 2.1.6, done minimal editing to
enable the vmps server (linked the vmps file into sites-enabled), and
I'm getting the same error.

Output with 2.1.0:
Vlan: please_use_real_vlan_here
MAC Address: 123412341234 
Status: ALLOW

With 2.1.6:
Ready to process requests.
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 4660
VMPS-Client-IP-Address = 127.0.0.1
VMPS-Port-Name = "Fa0/1"
VMPS-VLAN-Name = ""
VMPS-Domain-Name = ""
VMPS-Unknown = 0x00
VMPS-MAC = 12:34:12:34:12:34
server vmps {
Doing VMPS
Done VMPS
} # server vmps
Failed encoding packet: Failed to find VQP-Packet-Type in response
packet 
Finished request 0.

Full 2.1.6 log attached

Cheers
--Mike

VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet

2009-08-07 Thread Michael Bryant
Hi,
Stock Freeradius version 2.1.6, compiled with dpkg-buildpackage.
Using default sites-available/vmps virtual server.
Also using dynamic clients with clients in postgresql.

Getting this error on every VMPS request:
Failed encoding packet: Failed to find VQP-Packet-Type in response packet.

Using a customised sites-enabled/vmps file, pulling data from postgresql, which
was working in 2.1.0, I get the same error.

Any ideas as to why this error is occurring?

Cheers
--Mike

radiusd:  Opening IP addresses and Ports 
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "vmps"
ipaddr = *
port = 1589
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on vmps address * port 1589 as server vmps
Listening on proxy address * port 1814
Ready to process requests.
server dynamic_client_server {
rlm_sql (sqllocal): Reserving sql socket id: 4
rlm_sql_postgresql: query:  SELECT nasname FROM nas WHERE nasname >>= 
'127.0.0.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqllocal): Released sql socket id: 4
rlm_sql (sqllocal): Reserving sql socket id: 3
rlm_sql_postgresql: query:  SELECT shortname FROM nas WHERE nasname >>= 
'127.0.0.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqllocal): Released sql socket id: 3
rlm_sql (sqllocal): Reserving sql socket id: 2
rlm_sql_postgresql: query:  SELECT secret FROM nas WHERE nasname >>= '127.0.0.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqllocal): Released sql socket id: 2
rlm_sql (sqllocal): Reserving sql socket id: 1
rlm_sql_postgresql: query:  SELECT type FROM nas WHERE nasname >>= '127.0.0.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqllocal): Released sql socket id: 1
} # server dynamic_client_server
- Added client 127.0.0.1 with shared secret testing123
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 4660
VMPS-Client-IP-Address = 10.252.24.2
VMPS-Port-Name = "Fa0/17"
VMPS-VLAN-Name = ""
VMPS-Domain-Name = "blah"
VMPS-Unknown = 0x00
VMPS-MAC = 00:16:41:11:0b:ff
server vmps {
Doing VMPS
Done VMPS
} # server vmps
Failed encoding packet: Failed to find VQP-Packet-Type in response packet 
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 4660 with timestamp +87
Ready to process requests.



Re: Request Items, Config/control Items; rlm_sql

2009-07-21 Thread Michael Bryant

> authorize {
>update request {
>  Tmp-String=0 = "%{sql:select ...}"
>}
>sql
> }

Unfortunately that's no use, as I understand it, redundant blocks aren't
supported in xlat?

--Mike


Re: Request Items, Config/control Items; rlm_sql

2009-07-21 Thread Michael Bryant
I'm confused, how can I use unlang halfway through the processing of the rlm_sql
module?

--Mike

In message <4a65854f.4050...@deployingradius.com> FreeRadius users mailing list
 writes:
> Michael Bryant wrote:
> > Hi,
> > Using Freeradius 2.1.0 (debian package), with rlm_sql.
> > 
> > I am trying to, in radcheck, set a value, which I can then compare against 
> > in
> > radgroupcheck.
> 
>   It doesn't support that.
> 
> > When I try this, with a custom attribute in either raddb/dictionary , a 
> > VSA, or
> > Tmp-String-* it seems to be appearing in the config items list, as opposed 
> > to
> > the request one, so rlm_sql doesn't check against it.
> > 
> > Any ideas how I can get this to work?
> 
>   Use "unlang" to copy attributes between lists.
> 
>   Alan DeKok.


Request Items, Config/control Items; rlm_sql

2009-07-20 Thread Michael Bryant
Hi,
Using Freeradius 2.1.0 (debian package), with rlm_sql.

I am trying to, in radcheck, set a value, which I can then compare against in
radgroupcheck.
When I try this, with a custom attribute in either raddb/dictionary, a VSA, or
Tmp-String-* it seems to be appearing in the config items list, as opposed to
the request one, so rlm_sql doesn't check against it.

Any ideas how I can get this to work?

Cheers
--Mike