Re: Turning on sql in accounting - 2 questions
I found out why. freeradius is running as uid 'freeradius', so it cannot create files under /var/log, and the Unix module bombed because of that, and therefore no ack.

The debug log was indeed the key :)

Thanks,
-npy

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sunday, May 18, 2008 2:04 PM
Subject: Re: Turning on sql in accounting - 2 questions

NPY wrote:
> I found out why. NAS is sending the Accounting Request packet 3 times to the radius server because the radius server is not acknowledging, even though it receives the packets.

So... read the debug log to see why.

> Is there any config that I miss out that causes freeradius not to ack?

The debug log shows why it's not acking.

> #Firewall is not a problem; I have turned it off. Please advise.

Read the debug log. When we say read it, we mean READ IT.

A very large number of problems on this list can be solved simply by reading the debug log. Yes, there is a lot of output. But it's not hard to scan it for things like 'failed' or 'warning' or 'error'.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
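The scan Alan DeKok describes in the message above, as an added example that is not part of the original thread and not FreeRADIUS code: it walks 'radiusd -X' output, tracks the processing group, and reports modules that returned fail plus every line mentioning fail, warning or error. The sample log is constructed in the line format quoted elsewhere in this thread (the rlm_unix error wording is illustrative), and the function names are hypothetical.

```python
import re

# Constructed sample in the "radiusd -X" line format quoted in this thread.
# The rlm_unix error wording is illustrative, not verbatim server output.
SAMPLE_DEBUG = """\
Acct-Session-Id = 0000A1
Acct-Status-Type = Start
+- entering group preacct
++[preprocess] returns ok
++[acct_unique] returns ok
+- entering group accounting
rlm_unix: Error opening /var/log/radwtmp: Permission denied
++[unix] returns fail
Going to the next request
"""

GROUP_RE = re.compile(r"^\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\++\[([^\]]+)\] returns (\w+)")
# "fail" also catches "failed" and "failure".
KEYWORD_RE = re.compile(r"fail|warning|error", re.IGNORECASE)


def triage(debug_text):
    """Return (failed_modules, keyword_hits) for one debug capture.

    failed_modules: (group, module) pairs whose return code was 'fail'.
    keyword_hits: (line_number, line) pairs mentioning fail/warning/error.
    """
    group = None
    failed, hits = [], []
    for number, raw in enumerate(debug_text.splitlines(), start=1):
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)  # remember which section we are in
            continue
        m = MODULE_RE.match(line)
        if m and m.group(2) == "fail":
            failed.append((group, m.group(1)))
        if KEYWORD_RE.search(line):
            hits.append((number, line))
    return failed, hits


def accounting_module_failed(debug_text):
    """True when any module returned 'fail' inside the accounting group,
    the situation the poster traced the missing ack to."""
    failed, _ = triage(debug_text)
    return any(group == "accounting" for group, _ in failed)


if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG))
```

Feed it a saved capture of the server's debug output; the keyword hits give the line numbers to read first.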
Re: Turning on sql in accounting - 2 questions
>> 2. Why am I getting 3 rows of data in table radacct for each session?
>
> Read the debug log. It's likely that the NAS isn't sending a consistent Acct-Session-Id.

I found out why. NAS is sending the Accounting Request packet 3 times to the radius server because the radius server is not acknowledging, even though it receives the packets.

Is there any config that I miss out that causes freeradius not to ack?

#Firewall is not a problem; I have turned it off.

Please advise.

-npy

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, May 16, 2008 10:12 PM
Subject: Re: Turning on sql in accounting - 2 questions

NPY wrote:
> 1. In sites-available/default, I found that 'sql' logging only works in accounting only if I put it in front of 'unix' under the accounting section. Why?

Read the debug log.

> 2. Why am I getting 3 rows of data in table radacct for each session?

Read the debug log. It's likely that the NAS isn't sending a consistent Acct-Session-Id.

Alan DeKok.
Turning on sql in accounting - 2 questions
Hi,

1. In sites-available/default, I found that 'sql' logging only works in accounting only if I put it in front of 'unix' under the accounting section. Why?

2. Why am I getting 3 rows of data in table radacct for each session?

-npy
freeradius-2.0.3 not talking to mysql-5.1
Hi,

I am struggling to get freeradius-2.0.3 to work with mysql-5.1.24 on a FreeBSD-7.0 machine. Basic PAP auth is working so radiusd is running fine.

Below is the 'radiusd -X' output when I did a 'radtest joy happy localhost 1812 testing123'

I notice when running 'radiusd -X' that no module rlm_sql_mysql was loaded. Is that a problem? How do I resolve it?

Thanks,
-Marcus

-----
FreeRADIUS Version 2.0.3, for host amd64-portbld-freebsd7.0, built on May 13 2008 at 14:48:48
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
  prefix = /usr/local
  localstatedir = /var
  logdir = /var/log
  libdir = /usr/local/lib
  radacctdir = /var/log/radacct
  hostname_lookups = no
  max_request_time = 30
  cleanup_delay = 5
  max_requests = 1024
  allow_core_dumps = no
  pidfile = /var/run/radiusd/radiusd.pid
  user = freeradius
  group = freeradius
  checkrad = /usr/local/sbin/checkrad
  debug_level = 0
  proxy_requests = yes
  security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
  }
}
client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = testing123
  nastype = other
}
radiusd: Loading Realms and Home Servers
proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
}
home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = auth
  secret = testing123
  response_window = 20
  max_outstanding = 65536
  zombie_period = 40
  status_check = status-server
  ping_check = none
  ping_interval = 30
  check_interval = 30
  num_answers_to_alive = 3
  num_pings_to_alive = 3
  revive_interval = 120
  status_check_timeout = 4
}
home_server_pool my_auth_failover {
  type = fail-over
  home_server = localhost
}
realm example.com {
  auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: Instantiating modules
instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating exec
  exec {
    wait = yes
    input_pairs = request
    shell_escape = yes
  }
  Module: Linked to module rlm_expr
  Module: Instantiating expr
  Module: Linked to module rlm_expiration
  Module: Instantiating expiration
  expiration {
    reply-message = Password Has Expired
  }
  Module: Linked to module rlm_logintime
  Module: Instantiating logintime
  logintime {
    reply-message = You are calling outside your allowed timespan
    minimum-timeout = 60
  }
}
radiusd: Loading Virtual Servers
server inner-tunnel {
  modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Linked to module rlm_pap
    Module: Instantiating pap
    pap {
      encryption_scheme = auto
      auto_header = no
    }
    Module: Linked to module rlm_chap
    Module: Instantiating chap
    Module: Linked to module rlm_mschap
    Module: Instantiating mschap
    mschap {
      use_mppe = yes
      require_encryption = no
      require_strong = no
      with_ntdomain_hack = no
    }
    Module: Linked to module rlm_unix
    Module: Instantiating unix
    unix {
      radwtmp = /var/log/radwtmp
    }
    Module: Linked to module rlm_eap
    Module: Instantiating eap
    eap {
      default_eap_type = md5
      timer_expire = 60
      ignore_unknown_eap_types = no
      cisco_accounting_username_bug = no
    }
    Module: Linked to sub-module rlm_eap_md5
    Module: Instantiating eap-md5
    Module: Linked to sub-module rlm_eap_leap
    Module: Instantiating eap-leap
    Module: Linked to sub-module rlm_eap_gtc
    Module: Instantiating eap-gtc
    gtc {
      challenge = Password:
      auth_type = PAP
    }
    Module: Linked to sub-module rlm_eap_tls
    Module: Instantiating eap-tls
    tls {
      rsa_key_exchange = no
      dh_key_exchange = yes
      rsa_key_length = 512
      dh_key_length = 512
      verify_depth = 0
      pem_file_type = yes
      private_key_file = /usr/local/etc/raddb/certs/server.pem
      certificate_file = /usr/local/etc/raddb/certs/server.pem
      CA_file = /usr/local/etc/raddb/certs/ca.pem
      private_key_password = whatever
      dh_file = /usr/local/etc/raddb/certs/dh
Re: freeradius-2.0.3 not talking to mysql-5.1
: Checking authorize {...} for more modules to load
    Module: Linked to module rlm_preprocess
    Module: Instantiating preprocess
    preprocess {
      huntgroups = /usr/local/etc/raddb/huntgroups
      hints = /usr/local/etc/raddb/hints
      with_ascend_hack = no
      ascend_channels_per_line = 23
      with_ntdomain_hack = no
      with_specialix_jetstream_hack = no
      with_cisco_vsa_hack = no
      with_alvarion_vsa_hack = no
    }
    Module: Checking preacct {...} for more modules to load
    Module: Linked to module rlm_acct_unique
    Module: Instantiating acct_unique
    acct_unique {
      key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
    }
    Module: Checking accounting {...} for more modules to load
    Module: Linked to module rlm_detail
    Module: Instantiating detail
    detail {
      detailfile = /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d
      header = %t
      detailperm = 384
      dirperm = 493
      locking = no
      log_packet_header = no
    }
    Module: Instantiating attr_filter.accounting_response
    attr_filter attr_filter.accounting_response {
      attrsfile = /usr/local/etc/raddb/attrs.accounting_response
      key = %{User-Name}
    }
    Module: Checking session {...} for more modules to load
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
  }
}
radiusd: Opening IP addresses and Ports
listen {
  type = auth
  ipaddr = *
  port = 0
}
listen {
  type = acct
  ipaddr = *
  port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
User-Name = joy
User-Password = happy
NAS-IP-Address = 123.242.231.112
NAS-Port = 1812
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = joy, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [joy/happy] (from client localhost port 1812)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - joy
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Waking up in 4.9 seconds.

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, May 14, 2008 11:51 PM
Subject: Re: freeradius-2.0.3 not talking to mysql-5.1

NPY wrote:
> I notice when running 'radiusd -X' that no module rlm_sql_mysql was loaded. Is that a problem? How do I resolve it?

Ensure that the MySQL client libraries and headers are installed, and then re-build the server.

Also, un-comment the references to SQL in the configuration files. It appears you haven't done that, so I have no idea why you would expect it to use SQL.

If you do un-comment the reference to SQL in the config files, the server will look for the MySQL libraries. If they've been built, the server will use them. If not, it will complain.

Alan DeKok.
freeradius documentation: Auth-Type
Hi,

As someone very new to freeradius, I find that I am struggling with the available documentation. I have a problem trying to find explanations on important attributes such as Auth-Type on what it means, what are the valid values etc.

Can someone point me to the right place? I know http://www.freeradius.org/rfc/attributes.htm is around but it does not list all attributes, including Auth-Type.
Re: freeradius-2.0.3 not talking to mysql-5.1
Hi Chris,

Thanks for the hint. It helped to resolve the problem.

-Marcus

----- Original Message -----
From: Chris [EMAIL PROTECTED]
To: NPY [EMAIL PROTECTED]
Sent: Thursday, May 15, 2008 12:57 AM
Subject: Re: freeradius-2.0.3 not talking to mysql-5.1

Uncommenting it in instantiate is okay (probably unnecessary), but if you want it to authorize using sql, you have to uncomment it in authorize { }. If you want to authenticate using sql, you have to uncomment it in authenticate { }. Want to do sql accounting? Uncomment in accounting { }.

See raddb/sites-enabled/default

On May 14, 2008, at 9:42 AM, NPY wrote:

> OK, I added a line 'sql' to 'instantiate' section of radiusd.conf and radiusd is finally loading rlm_sql_mysql.
>
> Only the authentication is still not going through. sigh
>
> Anything else I have missed? Do I need to modify 'users' file etc?
>
> Below is the new 'radiusd -X' output for 'radtest joy happy localhost 1812 testing123'
>
> -----
> FreeRADIUS Version 2.0.3, for host amd64-portbld-freebsd7.0, built on May 13 2008 at 14:48:48
> Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
> Starting - reading configuration files ...
> including configuration file /usr/local/etc/raddb/radiusd.conf
> including configuration file /usr/local/etc/raddb/proxy.conf
> including configuration file /usr/local/etc/raddb/clients.conf
> including configuration file /usr/local/etc/raddb/snmp.conf
> including configuration file /usr/local/etc/raddb/eap.conf
> including configuration file /usr/local/etc/raddb/sql.conf
> including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
> including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
> including configuration file /usr/local/etc/raddb/policy.conf
> including files in directory /usr/local/etc/raddb/sites-enabled/
> including configuration file /usr/local/etc/raddb/sites-enabled/default
> including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
> including dictionary file /usr/local/etc/raddb/dictionary
> main {
>   prefix = /usr/local
>   localstatedir = /var
>   logdir = /var/log
>   libdir = /usr/local/lib
>   radacctdir = /var/log/radacct
>   hostname_lookups = no
>   max_request_time = 30
>   cleanup_delay = 5
>   max_requests = 1024
>   allow_core_dumps = no
>   pidfile = /var/run/radiusd/radiusd.pid
>   user = freeradius
>   group = freeradius
>   checkrad = /usr/local/sbin/checkrad
>   debug_level = 0
>   proxy_requests = yes
>   security {
>     max_attributes = 200
>     reject_delay = 1
>     status_server = yes
>   }
> }
> client localhost {
>   ipaddr = 127.0.0.1
>   require_message_authenticator = no
>   secret = testing123
>   nastype = other
> }
> radiusd: Loading Realms and Home Servers
> proxy server {
>   retry_delay = 5
>   retry_count = 3
>   default_fallback = no
>   dead_time = 120
>   wake_all_if_all_dead = no
> }
> home_server localhost {
>   ipaddr = 127.0.0.1
>   port = 1812
>   type = auth
>   secret = testing123
>   response_window = 20
>   max_outstanding = 65536
>   zombie_period = 40
>   status_check = status-server
>   ping_check = none
>   ping_interval = 30
>   check_interval = 30
>   num_answers_to_alive = 3
>   num_pings_to_alive = 3
>   revive_interval = 120
>   status_check_timeout = 4
> }
> home_server_pool my_auth_failover {
>   type = fail-over
>   home_server = localhost
> }
> realm example.com {
>   auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: Instantiating modules
> instantiate {
>   Module: Linked to module rlm_exec
>   Module: Instantiating exec
>   exec {
>     wait = yes
>     input_pairs = request
>     shell_escape = yes
>   }
>   Module: Linked to module rlm_expr
>   Module: Instantiating expr
>   Module: Linked to module rlm_expiration
>   Module: Instantiating expiration
>   expiration {
>     reply-message = Password Has Expired
>   }
>   Module: Linked to module rlm_logintime
>   Module: Instantiating logintime
>   logintime {
>     reply-message = You are calling outside your allowed timespan
>     minimum-timeout = 60
>   }
>   Module: Linked to module rlm_sql
>   Module: Instantiating sql
>   sql {
>     driver = rlm_sql_mysql
>     server = localhost
>     port =
>     login = radius
>     password = pie=3.14
>     radius_db = radius
>     read_groups = yes
>     sqltrace = no
>     sqltracefile = /var/log/sqltrace.sql
>     readclients = no
>     deletestalesessions = yes
>     num_sql_socks = 5
>     sql_user_name = %{User-Name}
>     default_user_profile =
>     nas_query = SELECT id, nasname, shortname, type, secret FROM nas
>     authorize_check_query = SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
>     authorize_reply_query = SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
>     authorize_group_check_query = SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
>     authorize_group_reply_query = SELECT id, groupname, attribute, value, op FROM radgroupreply