RE: All attributes in rlm_sql_log or rlm_sql ?

2008-04-12 Thread Dean Smith
Ultimately for the same reasons that rlm_detail exists. I'd like to give my
ops guys the ability to see all attributes in requests and replies when
they're debugging or monitoring. We want to maintain all records in a single
SQL database with access via our existing web frontends...so I'd like the
same detail as rlm_detail via the SQL modules.

Obviously many ways to achieve it (parse and upload the detail log,
dedicated perl module etc.) but my scripting/coding is weak so that will
take me longer.

Many thanks for the answers and other suggestions given.

Dean


Dean Smith wrote:
> I guess I'm asking is there an unlang equivalent to this snippet from
> rlm_detail.c. ..

  No.

  I don't see why it makes sense to log all of the attributes as one big
line of text in SQL.  If you need that, it shouldn't be hard to write a
Perl plugin that does it.

  Alan DeKok.


--

Message: 8
Date: Thu, 10 Apr 2008 23:30:12 +0200
From: Alan DeKok [EMAIL PROTECTED]
Subject: Re: Users accounts file - was: Re: EAP-TTLS (PAP) not
working withNT  domain - debian freeradius 1.1.7
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1

James McOrmond wrote:
> So, I figured the users file was a logical place..

  Yes, if it's used, and if the rest of the policy is fine.

> I added a line like this:
>
> radiustester User-Password := xoageifo
>
> but it's complaining it's not in ldap..

  Run it in debugging mode: radiusd -X.

  Alan DeKok.


--

Message: 9
Date: Thu, 10 Apr 2008 18:45:15 -0400 (EDT)
From: Tuc at T-B-O-H.NET [EMAIL PROTECTED]
Subject: Re: Restrict to initial NAS used to logon
To: freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii

 
> Tuc at T-B-O-H.NET wrote:
> > Looking to restrict a user to only be able to log in
> > and re-log in to the initial NAS they first ever logged onto.
> > (Hotspot)  Looking at the radacct file where it looks like
> > the check-items normally go against, I'm not seeing anything I
> > can use as an identifier. The nasipaddress is always 0.0.0.0.
> > Maybe calledstationid, except if we swap equipment out during
> > the lifetime of a user's id it won't match.
> >
> > Is anyone doing anything like this already?
>
>   They usually use equipment that sends a NAS identifier.

Hrm I just originally went on the assumption that the sending
side was partially braindead, and wasn't sending it. Your comment
made me dump a session on 1812 and 1813...
1812:
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x0 (0)
Length: 216
Authenticator: A9A4B05B3C01784A8DF58849DB987135
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=5  t=User-Name(1): tuc
AVP: l=18  t=CHAP-Challenge(60): 894209E703975A194529D13926790197
AVP: l=19  t=CHAP-Password(3): 0A6E0AEA789A9A0AF0E2A7F15B04E6A289
AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
AVP: l=6  t=Service-Type(6): Login-User(1)
AVP: l=6  t=Framed-IP-Address(8): 192.168.182.4
AVP: l=19  t=Calling-Station-Id(31): 00-10-A4-10-8D-A6
AVP: l=19  t=Called-Station-Id(30): 00-16-01-91-E9-46
AVP: l=10  t=NAS-Identifier(32): TBOH2173
AVP: l=18  t=Acct-Session-Id(44): 47fe006e
AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=6  t=NAS-Port(5): 0
AVP: l=18  t=Message-Authenticator(80): F0AE0A9EE7DAC32F9AA6089A5A9C3A70
AVP: l=40  t=Vendor-Specific(26) v=WISPr(14122)

1813:

Radius Protocol
Code: Accounting-Request (4)
Packet identifier: 0x6 (6)
Length: 142
Authenticator: 48DCF71BE50EC2E9ECC17825FB6D2417
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=6  t=Acct-Status-Type(40): Start(1)
AVP: l=5  t=User-Name(1): tuc
AVP: l=11  t=Class(25): 303730333435363738
AVP: l=19  t=Calling-Station-Id(31): 00-10-A4-10-8D-A6
AVP: l=19  t=Called-Station-Id(30): 00-16-01-91-E9-46
AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=6  t=NAS-Port(5): 0
AVP: l=10  t=NAS-Port-Id(87): 
AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
AVP: l=10  t=NAS-Identifier(32): TBOH2173
AVP: l=6  t=Framed-IP-Address(8): 192.168.182.4
AVP: l=18  t=Acct-Session-Id(44): 47fe006e


So it looks like it's sending it, just not making it into
the radacct files. :-/ So where to start looking for that?

>   Or, use the Packet-Src-IP-Address attribute.
>
That's gonna take a bit of headscratching to figure out
about. :) But thanks for the lead.

Tuc


--

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 36, Issue 76

Re: All attributes in rlm_sql_log or rlm_sql ?

2008-04-12 Thread Alan DeKok
Dean Smith wrote:
> Ultimately for the same reasons that rlm_detail exists. I'd like to give my
> ops guys the ability to see all attributes in requests and replies when
> they're debugging or monitoring. We want to maintain all records in a single
> SQL database with access via our existing web frontends...so I'd like the
> same detail as rlm_detail via the SQL modules.

  SQL isn't really the best way to store dozens of lines of text per
request.

> Obviously many ways to achieve it (parse and upload the detail log,
> dedicated perl module etc.) but my scripting/coding is weak so that will
> take me longer.

  rlm_perl, and a special SQL table would likely be best for this.

  Alan DeKok.
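One way to do the "parse and upload the detail log" option with a dedicated attribute table, as an added example that is not code from any poster or from FreeRADIUS. It assumes rlm_detail's usual record layout and uses SQLite as a stand-in for MySQL; the table names, the sample record and the redaction list are constructed for illustration.

```python
import re
import sqlite3
# Constructed sample in rlm_detail's usual layout: a timestamp line, then one
# tab-indented "Attribute = value" line per pair, and a blank line between records.
SAMPLE_DETAIL = (
    'Thu Apr 10 18:45:15 2008\n'
    '\tUser-Name = "tuc"\n'
    '\tUser-Password = "constructed-secret"\n'
    '\tNAS-Identifier = "TBOH2173"\n'
    '\n'
    'Thu Apr 10 18:45:16 2008\n'
    '\tAcct-Status-Type = Start\n'
    '\tUser-Name = "tuc"\n'
    '\tAcct-Session-Id = "47fe006e"\n'
)

# Assumed redaction list: secrets that should not reach a table ops staff browse.
REDACT = {"User-Password", "CHAP-Password"}
PAIR = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')

def parse_detail(text):
    """Yield (timestamp, [(attribute, value), ...]) for each record."""
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        pairs = []
        for line in lines[1:]:
            m = PAIR.match(line)
            if m:
                name, value = m.group(1), m.group(2).strip().strip('"')
                pairs.append((name, "<redacted>" if name in REDACT else value))
        yield lines[0].strip(), pairs

def load(conn, text):
    """Insert one row per packet and one row per attribute (hypothetical schema)."""
    conn.executescript(
        "CREATE TABLE IF NOT EXISTS radpacket (id INTEGER PRIMARY KEY, logged_at TEXT, username TEXT);"
        "CREATE TABLE IF NOT EXISTS radpacket_attr (packet_id INTEGER, attribute TEXT, value TEXT);")
    for stamp, pairs in parse_detail(text):
        # Bound parameters keep attribute values from being interpreted as SQL.
        cur = conn.execute("INSERT INTO radpacket (logged_at, username) VALUES (?, ?)",
                           (stamp, dict(pairs).get("User-Name")))
        conn.executemany("INSERT INTO radpacket_attr VALUES (?, ?, ?)",
                         [(cur.lastrowid, name, value) for name, value in pairs])
    conn.commit()

def demo():
    conn = sqlite3.connect(":memory:")
    load(conn, SAMPLE_DETAIL)
    return conn.execute("SELECT attribute, value FROM radpacket_attr WHERE packet_id = 1").fetchall()
```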


Re: All attributes in rlm_sql_log or rlm_sql ?

2008-04-11 Thread A . L . M . Buxey
Hi,
> Is there a way of using either rlm_sql_log or the post-auth query within
> rlm_sql to log all the request and/or reply attributes to mysql ?

as part of our PERL bit of handling we spew out all of the attributes to
a debug log when we want ('if file exists' logic to turn it off and on)
you could trivially do the same to dump the stuff to SQL instead.

alan


RE: All attributes in rlm_sql_log or rlm_sql ?

2008-04-10 Thread Dean Smith
I guess I'm asking is there an unlang equivalent to this snippet from
rlm_detail.c. ..

 

/* Write each attribute/value to the log file */
for (pair = packet->vps; pair != NULL; pair = pair->next) {
        vp_print(outfp, pair);
}

Dean

 

From: Dean Smith [mailto:[EMAIL PROTECTED] 
Sent: 10 April 2008 00:14
To: 'freeradius-users@lists.freeradius.org'
Subject: All attributes in rlm_sql_log or rlm_sql ?

 

Is there a way of using either rlm_sql_log or the post-auth query within
rlm_sql to log all the request and/or reply attributes to mysql ?

 

E.g. I could populate one SQL field with a string of the whole packet (just
as you would see in the detail log). I would still add my key attributes to
named fields but I would like to record the rest of the attributes for
later reference without having to define a field for every possible
attribute I might see.

 

Clearly I could parse/upload the detail files independently but wanted to
check if it was possible within the existing framework.

 

Thanks
Dean Smith


Re: All attributes in rlm_sql_log or rlm_sql ?

2008-04-10 Thread Alan DeKok
Dean Smith wrote:
> I guess I’m asking is there an unlang equivalent to this snippet from
> rlm_detail.c. ..

  No.

  I don't see why it makes sense to log all of the attributes as one big
line of text in SQL.  If you need that, it shouldn't be hard to write a
Perl plugin that does it.

  Alan DeKok.

All attributes in rlm_sql_log or rlm_sql ?

2008-04-09 Thread Dean Smith
Is there a way of using either rlm_sql_log or the post-auth query within
rlm_sql to log all the request and/or reply attributes to mysql ?

 

E.g. I could populate one SQL field with a string of the whole packet (just
as you would see in the detail log). I would still add my key attributes to
named fields but I would like to record the rest of the attributes for
later reference without having to define a field for every possible
attribute I might see.

 

Clearly I could parse/upload the detail files independently but wanted to
check if it was possible within the existing framework.

 

Thanks
Dean Smith
