RE: Different IP Pool per proxied realm
Everything seems to be working fine with the new upgraded version of Freeradius. I've also made progress in assigning from an IP pool for a realm.

However it seems to be all or nothing, if the reply comes back with a Framed-IP-Address already set it gets ignored if I set:

    override = yes

in the IP pool section of radiusd.conf.

However some users are supposed to have a static IP address and some dynamic IP assignment. Those with no static set come back from with the reply:

    Session-Timeout = 0
    Framed-IP-Address = 255.255.255.254
    Framed-IP-Netmask = 255.255.255.255
    Acct-Interim-Interval = 7200
    Framed-Protocol = PPP
    Service-Type = Framed-User
    Proxy-State = 0x313832

Is there a way to tell Freeradius to only assign from the pool for the user if the Framed-IP-Address comes back as 255.255.255.254?

Thanks
Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 11 February 2008 20:42
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Different IP Pool per proxied realm
Tony Spencer wrote:
> Is there a way to tell Freeradius to only assign from the pool for the user if the Framed-IP-Address comes back as 255.255.255.254?

$ man unlang

In 2.0.1:

    if (%{proxy_reply:Framed-IP-Address} != 255.255.255.254) {
        ippool
    }

It's pretty much that easy...

Alan DeKok.
Re: Different IP Pool per proxied realm
Tony Spencer wrote:
> The only place I found reference to the IP Pool is in the site-enabled config file. So I added:
>
> if (%{proxy_reply:Framed-IP-Address} == 255.255.255.254) {

Sorry, that should be proxy-reply, not proxy_reply.

> There is an error in the debug when a user tries to login, but it seems to run the rule. But it still doesn't seem to assign from the IP pool.

Again, the debug output makes it clear what is happening:

> ...
> +- entering group post-auth
> ++? if (%{proxy_reply:Framed-IP-Address} == 255.255.255.254)
> WARNING: Unknown module proxy_reply in string expansion

Yup. That's a typo.

> %{proxy_reply:Framed-IP-Address}
>     expand: %{proxy_reply:Framed-IP-Address} -

i.e. nothing.

> ? Evaluating (%{proxy_reply:Framed-IP-Address} == 255.255.255.254) - FALSE

Nothing doesn't match the string 255.255.255.254.

Again, reading the debug output helps. There is no magic required to see a WARNING, and conclude that maybe something is wrong.

Alan DeKok.
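The check described in the reply above, reading the debug output for the WARNING and the empty expansion behind a FALSE result, can be automated. The following Python is an added example, not part of the original thread or of FreeRADIUS: audit_conditions and its field names are hypothetical, and the sample log is constructed from the post-auth lines quoted here, written with the -> separator that radiusd -X prints.

```python
import re

# Constructed sample, modelled on the post-auth lines quoted in this thread.
# It uses the "->" separator that radiusd -X prints (shown as "-" in the
# archived messages); user@example.com is a placeholder.
SAMPLE_DEBUG = """\
+- entering group post-auth
++? if (%{proxy_reply:Framed-IP-Address} == 255.255.255.254)
WARNING: Unknown module proxy_reply in string expansion %{proxy_reply:Framed-IP-Address}
    expand: %{proxy_reply:Framed-IP-Address} ->
? Evaluating (%{proxy_reply:Framed-IP-Address} == 255.255.255.254) -> FALSE
++? if (%{proxy_reply:Framed-IP-Address} == 255.255.255.254) -> FALSE
    expand: %{User-Name} -> user@example.com
++[sql] returns ok
+- entering group post-auth
++? if (%{proxy-reply:Framed-IP-Address} == 255.255.255.254)
    expand: %{proxy-reply:Framed-IP-Address} -> 255.255.255.254
? Evaluating (%{proxy-reply:Framed-IP-Address} == 255.255.255.254) -> TRUE
++? if (%{proxy-reply:Framed-IP-Address} == 255.255.255.254) -> TRUE
+++[main_pool] returns ok
"""

COND_START = re.compile(r'^\++\? (?:if|elsif) \(')
WARN = re.compile(r'WARNING: Unknown module "?([^"\s]+)"? in string expansion')
EXPAND = re.compile(r'^expand:\s*(\S.*?)\s*->\s*(.*)$')
EVAL = re.compile(r'^\? Evaluating \((.*)\)\s*->\s*(TRUE|FALSE)$')

# Attribute-list prefixes that are easy to mistype with "_" instead of "-";
# proxy-reply is the one corrected in this thread.
LIST_NAMES = {"proxy-reply", "proxy-request"}


def audit_conditions(debug_text):
    """Return a finding for every evaluated condition whose result rests on
    an unknown expansion prefix or on an expansion that produced nothing."""
    findings, unknown, empty = [], [], []
    for raw in debug_text.splitlines():
        line = raw.strip()
        if COND_START.match(line):
            unknown, empty = [], []          # a new condition starts here
            continue
        m = WARN.search(line)
        if m:
            unknown.append(m.group(1))
            continue
        m = EXPAND.match(line)
        if m:
            if not m.group(2):               # expansion yielded nothing
                empty.append(m.group(1))
            continue
        m = EVAL.match(line)
        if m and (unknown or empty):
            hints = [u.replace("_", "-") for u in unknown
                     if u.replace("_", "-") in LIST_NAMES]
            findings.append({
                "condition": m.group(1),
                "result": m.group(2),
                "unknown_prefixes": list(unknown),
                "empty_expansions": list(empty),
                "did_you_mean": hints,
            })
            unknown, empty = [], []
    return findings


if __name__ == "__main__":
    for f in audit_conditions(SAMPLE_DEBUG):
        print(f"condition ({f['condition']}) evaluated {f['result']}")
        print(f"  unknown prefixes: {f['unknown_prefixes']}")
        print(f"  empty expansions: {f['empty_expansions']}")
        print(f"  did you mean:     {f['did_you_mean']}")
```

Only the first request in the sample is reported; the second, with proxy-reply spelled correctly, expands to a value and is left alone.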
RE: Different IP Pool per proxied realm
FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT groupname FROM usergroup WHERE username = '[EMAIL PROTECTED]' ORDER BY id
rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = '[EMAIL PROTECTED]' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): User [EMAIL PROTECTED] not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [EMAIL PROTECTED]/s3cr3t] (from client localhost port 111)
+- entering group post-auth
++? if (%{proxy_reply:Framed-IP-Address} == 255.255.255.254)
WARNING: Unknown module proxy_reply in string expansion %{proxy_reply:Framed-IP-Address}
    expand: %{proxy_reply:Framed-IP-Address} -
? Evaluating (%{proxy_reply:Framed-IP-Address} == 255.255.255.254) - FALSE
++? if (%{proxy_reply:Framed-IP-Address} == 255.255.255.254) - FALSE
rlm_sql (sql): Processing sql_postauth
    expand: %{User-Name} - [EMAIL PROTECTED]
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
    expand: %{User-Password} - s3cr3t
    expand: INSERT INTO radpostauth (user, pass, reply, date) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') - INSERT INTO radpostauth (user, pass, reply, date) VALUES ( '[EMAIL PROTECTED]', 's3cr3t', 'Access-Accept', '2008-02-12 13:22:36')
    expand: /usr/local/var/log/radius/sqltrace.sql - /usr/local/var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (user, pass, reply, date) VALUES ( '[EMAIL PROTECTED]', 's3cr3t', 'Access-Accept', '2008-02-12 13:22:36')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radpostauth (user, pass, reply, date) VALUES ( '[EMAIL PROTECTED]', 's3cr3t', 'Access-Accept', '2008-02-12 13:22:36')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
Sending Access-Accept of id 155 to 127.0.0.1 port 32791
    Session-Timeout = 0
    Framed-IP-Address = 255.255.255.254
    Framed-IP-Netmask = 255.255.255.255
Finished request 0.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 12 February 2008 12:41
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm
Re: Different IP Pool per proxied realm
Tony Spencer wrote:
> I currently have this in radiusd.conf.

That is NOT the only reference to the ippool module. The IPs get allocated *somewhere* via a reference to the main_pool module. You must have edited the configuration files to do this, because it is *not* enabled in the default configuration.

> I've tried adding the statement before and inside this but even static assigned users get an address from the pool.

Umm... please go read man unlang. It is a *policy* language for *processing* packets. It does not apply to module configurations. See the default configuration files for examples of how to use if().

Alan DeKok.
Re: Different IP Pool per proxied realm
Tony Spencer wrote:
> Where do I put this statement

Where is your current ippool module referenced?

> and does override have to be yes or no?

yes

Alan DeKok.
RE: Different IP Pool per proxied realm
Where do I put this statement and does override have to be yes or no?

Thanks in advance
Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 12 February 2008 10:33
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm
RE: Different IP Pool per proxied realm
I currently have this in radiusd.conf.

    ippool main_pool {
        range-start = 10.0.0.1
        range-stop = 10.0.0.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${sysconfdir}/raddb/db.ippool
        ip-index = ${sysconfdir}/raddb/db.ipindex
        override = yes
        maximum-timeout = 0
    }

I've tried adding the statement before and inside this but even static assigned users get an address from the pool.

Thanks
Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 12 February 2008 11:17
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm
RE: Different IP Pool per proxied realm
The only other place the main ip pool is mentioned is in the site-enabled file. Within post-auth.

    post-auth {
        main_pool
        sql
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            sql
        }
    }

I'll try and see if I can work it out by man unlang, if not then I may be posting back.

Sorry...
Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 12 February 2008 12:41
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm
RE: Different IP Pool per proxied realm
Right I've now managed to get v2.0.1 working on our radius server. Although for some reason it's not logging to radiusd.log. Previously we have logged accounting to the log file and the radacct table. If anyone can spare a thought on why this isn't now logging to the radiusd.log file I would appreciate it.

Onto the different IP pool per realm... This still doesn't seem to work. The debug doesn't show the IP pool being loaded. Does this still need to be put into radiusd.conf or the sites-enabled file?

Thanks
Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 11 February 2008 13:39
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm
Re: Different IP Pool per proxied realm
Tony Spencer wrote:
> We are running freeradius on Centos and the most supported package that gets installed by yum update is freeradius-1.0.1-3.RHEL4.5, which I now have installed.

Ugh.

> I've tried to upgrade by downloading the latest version, 2.0.1. Although it builds and installs it doesn't seem to try to connect to my SQL database. When I start the old version with -X I see a lot of mention of sql. But version 2.0.1 started with -X doesn't seem to say anything apart from its loading the sql.conf file. Am I missing something here?

If you have built 2.0.1 with SQL *and* configured the SQL module in radiusd.conf sites-available/default, it *should* work. My guess is that the server wasn't built with SQL, and that you haven't edited the configuration files to enable SQL.

So far as the rest of the debug output goes, 1.0.1 is *years* out of date. I no longer remember what it does, or what quirks it has with respect to IP pools. If that is the only version that Redhat supports, then I suggest calling them and asking them for support. Or, use 2.0.1, which will be much easier to configure debug.

Alan DeKok.
RE: Different IP Pool per proxied realm
    Framed-Protocol = PPP
    User-Name = [EMAIL PROTECTED]
    CHAP-Password = 0xb2cd36a39f414e084ae6ab6da5719886f7
    NAS-Port-Type = Virtual
    NAS-Port = 2548
    NAS-Port-Id = Uniq-Sess-ID2548
    Connect-Info = 4522000/1000
    Service-Type = Framed-User
    NAS-IP-Address = 192.168.1.88
    CHAP-Challenge = 0x0119ec26782b0c7dd878fb54c30f5859
    Proxy-State = 0x323435
Waking up in 5 seconds...
rad_recv: Access-Accept packet from host 88.20.106.18:1645, id=1, length=107
    Class = 0x5342522d434c20444e3d22323032343331222041543d22323030222055533d2053493d22323839302200
    Session-Timeout = 0
    Framed-IP-Address = 255.255.255.254
    Framed-IP-Netmask = 255.255.255.255
    Acct-Interim-Interval = 7200
    Framed-Protocol = PPP
    Service-Type = Framed-User
    Proxy-State = 0x323435
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 14
radius_xlat: '/var/log/radius/radacct/192.168.1.88/post-proxy-detail-20080211'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.88/post-proxy-detail-20080211
modcall[post-proxy]: module post_proxy_log returns ok for request 14
modcall: group post-proxy returns ok for request 14
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
modcall[authorize]: module preprocess returns ok for request 14
rlm_chap: WARNING: Auth-Type already set. Not setting to CHAP
modcall[authorize]: module chap returns noop for request 14
modcall[authorize]: module mschap returns noop for request 14
rlm_realm: Proxy reply, or no User-Name. Ignoring.
modcall[authorize]: module suffix returns noop for request 14
modcall[authorize]: module eap returns noop for request 14
users: Matched DEFAULT at 1
modcall[authorize]: module files returns ok for request 14
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 20
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 20
modcall[authorize]: module sql returns notfound for request 14
modcall: group authorize returns ok for request 14
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [EMAIL PROTECTED]/CHAP-Password] (from client 7304 port 2548)
Sending Access-Accept of id 245 to 192.168.1.88:1645
    Class = 0x5342522d434c20444e3d22323032343331222041543d22323030222055533d2053493d22323839302200
    Session-Timeout = 0
    Framed-IP-Address = 255.255.255.254
    Framed-IP-Netmask = 255.255.255.255
    Acct-Interim-Interval = 7200
    Framed-Protocol = PPP
    Service-Type = Framed-User
Finished request 14

Thanks in advance
Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 09 February 2008 16:06
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm
Re: Different IP Pool per proxied realm
Tony Spencer wrote:
> Right I've now managed to get v2.0.1 working on our radius server. Although for some reason it's not logging to radiusd.log. Previously we have logged accounting to the log file and the radacct table. If anyone can spare a thought on why this isn't now logging to the radiusd.log file I would appreciate it.

File permissions? Also see the log{} configuration in radiusd.conf.

> Onto the different IP pool per realm... This still doesn't seem to work. The debug doesn't show the IP pool being loaded. Does this still need to be put into radiusd.conf or the sites-enabled file?

You can put everything in radiusd.conf, just like in 1.1.7.

Alan DeKok.
Re: Different IP Pool per proxied realm
Tony Spencer wrote:
> We are using FreeRADIUS Version 1.0.1

Why? I would suggest upgrading. The newer versions have a LOT more features, and make this kind of configuration much easier.

> But when the user logs in they get assigned an IP from the NAS and not from the IP Pool. Am I doing something wrong?

The debug log should explain what the server is sending back. But if you're using 1.0.1, I would suggest upgrading before posting the debug log.

Alan DeKok.
Different IP Pool per proxied realm
Hi all

I’m trying to assign a different IP Pool per realm, instead of the IP being assigned by the NAS. However after reading some postings and doing some searching I can’t get this to work.

The realms we want to assign different IP Pools to, we proxy to different customers. So we don’t do the authentication for these realms, we just proxy to authentication.

We are using FreeRADIUS Version 1.0.1 and using MySQL and not flat files. Our NAS is a Cisco 7304 terminating L2TP for DSL users.

So far I’ve tried to add the following to the users file:

    DEFAULT Realm == realm1.com, Pool-Name := pool_one

And created the pool in radiusd.conf:

    ippool pool_one {
        range-start = 192.168.1.1
        range-stop = 192.168.1.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }

But when the user logs in they get assigned an IP from the NAS and not from the IP Pool.

Am I doing something wrong? Does this not work if I'm using MySQL?

Thanks in advance
Tony