VMPS Problem with similar requests
Hi,

If two vmps requests are sent in close succession (within cleanup_delay), with the same source port, from the same switch (which does in fact seem to be common, as the cisco switch I'm using for testing sends *all* requests with a source port picked on startup), they are detected as identical by freeradius, even if they are for different mac addresses. This means the second request gets the same response as the first, even when they should be different.

For example, testing with the vqpcli tool:

Close together:

server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w 192.168.248.32 -i Fa0/17 -m 0016.4111.0bfe
Vlan: BRIDGE
MAC Address: 001641110bfe
Status: ALLOW

server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w 192.168.248.32 -i Fa0/17 -m 0016.4111.0bff
Vlan: BRIDGE
MAC Address: 001641110bfe
Status: ALLOW

then a short time later (outside cleanup_delay):

server:/etc/freeradius/tests# ./vqpcli.pl -s 127.0.0.1 -v tc.example.com -w 192.168.248.32 -i Fa0/17 -m 0016.4111.0bff
Vlan:
MAC Address:
Status: DENY

Which is the correct response.

Cheers
--Mike

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
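A toy model of the duplicate detection described above, added here as an example (it is not FreeRADIUS code): a reply cache that treats a request as a retransmit when the switch address, source port and VQP sequence number match, and forgets it after cleanup_delay. The switch address, source port, the VLAN table and the contents-based key are constructed assumptions for the illustration; it replays the three vqpcli requests and shows the second one being answered from the cache.

```python
# Added example (not FreeRADIUS code): models why two VQP requests for
# different MACs collide inside cleanup_delay when they share transport details.
from dataclasses import dataclass

CLEANUP_DELAY = 5.0  # seconds; the stock cleanup_delay


@dataclass(frozen=True)
class VqpRequest:
    src_ip: str      # switch address (constructed value below)
    src_port: int    # fixed per switch boot, as the post observes
    sequence: int    # vqpcli sends 4660 (0x1234) every time
    mac: str
    port_name: str


class ReplyCache:
    """Replies are remembered under key_fn(request) until cleanup_delay passes."""

    def __init__(self, key_fn, cleanup_delay=CLEANUP_DELAY):
        self.key_fn = key_fn
        self.cleanup_delay = cleanup_delay
        self._entries = {}  # key -> (expiry, reply)

    def handle(self, req, now, lookup):
        key = self.key_fn(req)
        hit = self._entries.get(key)
        if hit is not None and hit[0] > now:
            return hit[1] + " (cached)"   # treated as a retransmit
        reply = lookup(req)
        self._entries[key] = (now + self.cleanup_delay, reply)
        return reply


def key_by_transport(req):
    """Same switch, same source port, same sequence number => 'duplicate'."""
    return (req.src_ip, req.src_port, req.sequence)


def key_by_contents(req):
    """Illustrative assumption only: also fold in what the request asks about."""
    return key_by_transport(req) + (req.mac, req.port_name)


# Constructed VLAN policy standing in for the server's real lookup.
VLAN_TABLE = {"0016.4111.0bfe": "BRIDGE"}


def vlan_lookup(req):
    vlan = VLAN_TABLE.get(req.mac)
    return f"ALLOW {vlan}" if vlan else "DENY"


def replay_scenario(key_fn):
    """Replays the post's three requests; returns the three replies in order."""
    cache = ReplyCache(key_fn)
    known = VqpRequest("192.168.248.32", 40000, 4660, "0016.4111.0bfe", "Fa0/17")
    unknown = VqpRequest("192.168.248.32", 40000, 4660, "0016.4111.0bff", "Fa0/17")
    return (
        cache.handle(known, now=0.0, lookup=vlan_lookup),     # first request
        cache.handle(unknown, now=1.0, lookup=vlan_lookup),   # inside cleanup_delay
        cache.handle(unknown, now=10.0, lookup=vlan_lookup),  # after cleanup_delay
    )
```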
Re: String Validation
The if statement can remain the same, add before it:

if (SQL-GROUP =~ /(.*)-.*/) {
        update request {
                SQL-GROUP := "%{1}"
        }
}

This assumes that:

a) There is never a '-' in the USUK or whatever part.

b) You don't need to reference the original SQL-GROUP value. If you do, you may want to use something like:

if (SQL-GROUP =~ /(.*)-.*/) {
        update control {
                Tmp-String-0 := "%{1}"
        }
}

if (control:Tmp-String-0 == "USUK") {
        ok
}

etc.

--Mike
Re: String Validation
> If a connection that comes in with a GROUP NAME from SQL of "USUK-XX"
> or "WUK-XX" and I want to strip off the "-XX", how would I do this with
> unlang so I only validate the following?

Using the regexp feature, you can match part of an attribute then reference it later, like so:

if (SQL-GROUP =~ /(.*)-XX/) {
        update request {
                SQL-GROUP := "%{1}"
        }
}

--Mike
Re: PEAP / mschapv2 Error Messages
> unlang? set a variable to the value of MS-CHAP-Error and then set the
> Reply-Message to be some text with that variable in it.

Unfortunately, this sends it back in the next packet, which is an Access-Challenge, not in the final Access-Reject. Also, for some strange reason, the post-auth section in the inner-tunnel only gets called on a successful auth, not on a failure, so I can't output the failure to sql there either.

> alternatively you could probably call PERL or python etc at the right time and
> do the required variable and reply-message settings with those languages
> instead
>
> however by sending such messages the remote user knows the reason for
> failure eg incorrect password but a successful user...and could bruteforce

I plan to do something along the lines of:

MS-Chap-Error=User wrong => login failed
MS-Chap-Error=Pass wrong => login failed
MS-Chap-Error=Account locked => Account locked

--Mike
PEAP / mschapv2 Error Messages
Hi,

Using the default eap/peap & inner-tunnel configuration, a failure gives rise to this:

Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\nE=691 R=1"
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\nE=691 R=1"
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled

How can I take that MS-Chap-Error attribute and pass it back in the final access-reject, as a Reply-Message attribute for example?

Cheers
--Mike
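The MS-CHAP-Error value in the debug output above has the RFC 2759 failure-packet layout (an Ident byte, then "E=code R=retry ..."), and the reply earlier in this thread plans to collapse it to a message that does not reveal whether the user or the password was wrong. This added example (not code from the thread or from FreeRADIUS) parses that attribute and applies such a mapping; the reply wording and which codes get a distinct message are constructed choices, and the code names come from RFC 2759 section 6.

```python
# Added example: parse MS-CHAP-Error and map it to a non-revealing Reply-Message.
import re
from typing import Dict, Optional

# Failure codes from RFC 2759 section 6; used for server-side logging only.
MSCHAP_ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Constructed policy: any authentication failure, whatever its cause, gets the
# same generic text; only account-state conditions the user must act on differ.
GENERIC_FAILURE = "login failed"
REPLY_TEXT = {
    647: "Account locked",
    648: "Password expired",
}

_KV_RE = re.compile(r"([A-Z])=(\S+)")


def parse_mschap_error(value: str) -> Dict[str, str]:
    """Splits e.g. '\\nE=691 R=1' into {'E': '691', 'R': '1'}.

    Everything before the first 'E=' is the Ident byte (the '\\n' in the debug
    output) and is dropped; an 'M=' message, if present, runs to the end.
    """
    start = value.find("E=")
    body = value[start:] if start >= 0 else ""
    m_pos = body.find("M=")
    head = body if m_pos < 0 else body[:m_pos]
    fields: Dict[str, str] = dict(_KV_RE.findall(head))
    if m_pos >= 0:
        fields["M"] = body[m_pos + 2:]
    return fields


def reply_message_for(value: str) -> str:
    """Reply-Message text for the final Access-Reject."""
    fields = parse_mschap_error(value)
    try:
        code = int(fields.get("E", ""))
    except ValueError:
        return GENERIC_FAILURE   # malformed attribute: say nothing specific
    return REPLY_TEXT.get(code, GENERIC_FAILURE)


def error_name(value: str) -> Optional[str]:
    """Symbolic name for the server log; never sent to the peer."""
    fields = parse_mschap_error(value)
    try:
        return MSCHAP_ERROR_NAMES.get(int(fields["E"]))
    except (KeyError, ValueError):
        return None
```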
Re: Re:freeradius2.1.6 module errors
Wrong operator. Use = or not :=

--Mike

On Thu, 2009-08-13 at 12:56 +0530, ramesh p wrote:
> Hi,
>
> Here is the full accounting section of sites-available/default
>
> accounting {
>         #
>         # Create a 'detail'ed log of the packets.
>         # Note that accounting requests which are proxied
>         # are also logged in the detail file.
>         detail
> #       daily
>
>         # Update the wtmp file
>         #
>         # If you don't use "radlast", you can delete this line.
>         unix
>
>         #
>         # For Simultaneous-Use tracking.
>         #
>         # Due to packet losses in the network, the data here
>         # may be incorrect. There is little we can do about it.
>         radutmp
> #       sradutmp
>
>         # Return an address to the IP Pool when we see a stop record.
> #       main_pool
>
>         #
>         # Log traffic to an SQL database.
>         #
>         # See "Accounting queries" in sql.conf
> #       sql
>
>         if(Acct-Status-Type := 'stop') {
>                 sql
>         }
>
>         #
>         # Instead of sending the query to the SQL server,
>         # write it into a log file.
>         #
> #       sql_log
>
>         # Cisco VoIP specific bulk accounting
> #       pgsql-voip
>
>         # Filter attributes from the accounting response.
>         attr_filter.accounting_response
>
>         #
>         # See "Autz-Type Status-Server" for how this works.
>         #
>         Acct-Type Status-Server {
>
>         }
> }
>
> Thanks,
> Rams.
>
> On 13/8/09 07:10, ramesh p wrote:
> > Though i have placed the code in sites-available/default
> > under accounting section:
> >
> > if(Acct-Status-Type := 'stop'){
> > sql
>
> Can you post the full section that you have added this to, if you have
> only added just those 2 lines then you haven't closed the statement off
> with a "}".
>
> Steve
>
> --
> Steven Carr
> Systems Development Officer
> SLS/ITS/Systems - (0191) 515 3953
2.1.6 Segfault (unlang: if (NAS-Port == 0) { reject }
Hi,

Reproducible on 2.1.6, default config, with these lines in the authorize section:

if (NAS-Port == 0) {
        reject
}

And this command:

echo "User-Name = test" | radclient 10.252.24.114 auth testing123

An Access-Request packet not containing the NAS-Port Attribute causes the server to segfault.

Cheers
--Mike

P.S. Workaround:

if (NAS-Port && NAS-Port == 0) {

segfault-log
Description: Binary data
Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet
Attached is the debug output from a ubuntu package of 2.1.0, with the default config (I didn't see a 2.1.0 tarball on the site).

Also attached is the debug output from the 2.1.6 install (tarball from site), again with the default config.

As far as I can tell, in 2.1.0 it finds the vmps section, in 2.1.6 it doesn't.

--Mike

On Sun, 2009-08-09 at 15:06 +0200, Alan DeKok wrote:
> Michael Bryant wrote:
> >> You get the same error in 2.1.0, or the configuration which worked in
> >> 2.1.0 doesn't work in 2.1.6?
> >
> > My customized vmps server section works in 2.1.0.
>
> Except that debug mode prints out what it is processing. And it's not
> printing out anything in 2.1.6. That may be the source of the problem.
>
> What does debug mode show for 2.1.0?
>
> > Output with 2.1.0:
> > Vlan: please_use_real_vlan_here
> > MAC Address: 123412341234
> > Status: ALLOW
>
> Is that the debug output... or something else?
>
> > With 2.1.6:
> > Ready to process requests.
>
> Which looks to be the debug output.
>
> Compare apples to apples.
>
> Alan DeKok.

FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Oct 9 2008 at 13:24:33
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet
> You get the same error in 2.1.0, or the configuration which worked in
> 2.1.0 doesn't work in 2.1.6?

My customized vmps server section works in 2.1.0. Trying to use the same customized configuration in 2.1.6 gives the error.

Using the default configuration - the VMPS-VLAN-Name = "please_use_real_vlan_here" one - works in 2.1.0. In 2.1.6, it returns the error.

> Which shows that absolutely nothing is happening in the VMPS server.
>
> Is there anything at all in the VMPS server?

Yes, the part to pull the mac address out of the ethernet frame, putting it in the vmps-cookie, updating the reply with the vlan name / packet-type - the default config.

On a clean machine I've just compiled 2.1.6, done minimal editing to enable the vmps server (linked the vmps file into sites-enabled), and I'm getting the same error.

Output with 2.1.0:

Vlan: please_use_real_vlan_here
MAC Address: 123412341234
Status: ALLOW

With 2.1.6:

Ready to process requests.
        VMPS-Packet-Type = VMPS-Join-Request
        VMPS-Error-Code = VMPS-No-Error
        VMPS-Sequence-Number = 4660
        VMPS-Client-IP-Address = 127.0.0.1
        VMPS-Port-Name = "Fa0/1"
        VMPS-VLAN-Name = ""
        VMPS-Domain-Name = ""
        VMPS-Unknown = 0x00
        VMPS-MAC = 12:34:12:34:12:34
server vmps {
Doing VMPS
Done VMPS
} # server vmps
Failed encoding packet: Failed to find VQP-Packet-Type in response packet
Finished request 0.

Full 2.1.6 log attached.

Cheers
--Mike

FreeRADIUS Version 2.1.6, for host i486-pc-linux-gnu, built on Aug 9 2009 at 10:01:26
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet
Hi,

Stock Freeradius version 2.1.6, compiled with dpkg-buildpackage. Using the default sites-available/vmps virtual server. Also using dynamic clients with clients in postgresql.

Getting this error on every VMPS request:

Failed encoding packet: Failed to find VQP-Packet-Type in response packet.

Using a customised sites-enabled/vmps file, pulling data from postgresql, which was working in 2.1.0, I get the same error.

Any ideas as to why this error is occurring?

Cheers
--Mike

radiusd: Opening IP addresses and Ports
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "vmps"
        ipaddr = *
        port = 1589
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on vmps address * port 1589 as server vmps
Listening on proxy address * port 1814
Ready to process requests.
server dynamic_client_server {
rlm_sql (sqllocal): Reserving sql socket id: 4
rlm_sql_postgresql: query: SELECT nasname FROM nas WHERE nasname >>= '127.0.0.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqllocal): Released sql socket id: 4
rlm_sql (sqllocal): Reserving sql socket id: 3
rlm_sql_postgresql: query: SELECT shortname FROM nas WHERE nasname >>= '127.0.0.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqllocal): Released sql socket id: 3
rlm_sql (sqllocal): Reserving sql socket id: 2
rlm_sql_postgresql: query: SELECT secret FROM nas WHERE nasname >>= '127.0.0.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqllocal): Released sql socket id: 2
rlm_sql (sqllocal): Reserving sql socket id: 1
rlm_sql_postgresql: query: SELECT type FROM nas WHERE nasname >>= '127.0.0.1'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sqllocal): Released sql socket id: 1
} # server dynamic_client_server
 - Added client 127.0.0.1 with shared secret testing123
        VMPS-Packet-Type = VMPS-Join-Request
        VMPS-Error-Code = VMPS-No-Error
        VMPS-Sequence-Number = 4660
        VMPS-Client-IP-Address = 10.252.24.2
        VMPS-Port-Name = "Fa0/17"
        VMPS-VLAN-Name = ""
        VMPS-Domain-Name = "blah"
        VMPS-Unknown = 0x00
        VMPS-MAC = 00:16:41:11:0b:ff
server vmps {
Doing VMPS
Done VMPS
} # server vmps
Failed encoding packet: Failed to find VQP-Packet-Type in response packet
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 4660 with timestamp +87
Ready to process requests.
Re: Request Items, Config/control Items; rlm_sql
> authorize {
>         update request {
>                 Tmp-String-0 = "%{sql:select ...}"
>         }
>         sql
> }

Unfortunately that's no use, as I understand it, redundant blocks aren't supported in xlat?

--Mike
Re: Request Items, Config/control Items; rlm_sql
I'm confused, how can I use unlang halfway through the processing of the rlm_sql module?

--Mike

In message <4a65854f.4050...@deployingradius.com> FreeRadius users mailing list writes:
> Michael Bryant wrote:
> > Hi,
> > Using Freeradius 2.1.0 (debian package), with rlm_sql.
> >
> > I am trying to, in radcheck, set a value, which I can then compare against in
> > radgroupcheck.
>
> It doesn't support that.
>
> > When I try this, with a custom attribute in either raddb/dictionary, a VSA, or
> > Tmp-String-* it seems to be appearing in the config items list, as opposed to
> > the request one, so rlm_sql doesn't check against it.
> >
> > Any ideas how I can get this to work?
>
> Use "unlang" to copy attributes between lists.
>
> Alan DeKok.
Request Items, Config/control Items; rlm_sql
Hi,

Using Freeradius 2.1.0 (debian package), with rlm_sql.

I am trying to, in radcheck, set a value, which I can then compare against in radgroupcheck.

When I try this, with a custom attribute in either raddb/dictionary, a VSA, or Tmp-String-* it seems to be appearing in the config items list, as opposed to the request one, so rlm_sql doesn't check against it.

Any ideas how I can get this to work?

Cheers
--Mike