Re: Can't get checkrad to be called
George, Thanks for the reply. I will doublecheck my configuration. The one thing I noticed, even though checkrad is working, I can't find any clue in any log or debug output. I set it to log to checkrad.log, but that only works when I manually run /usr/sbin/checkrad. Is there another place that I'm not aware of? Thanks! -dan On 6/6/2011 1:14 AM, George Chelidze wrote: On 06/04/2011 06:28 AM, Dan Brisson wrote: Just finished setting up the latest Freeradius - 2.1.10. Checkrad is working. I've replicated the settings from 2.1.7 so I have to think something has changed from 2.1.7 to 2.1.10. hm.. I would compare both setups to eliminate any typos in 2.1.7 configuration. As far as it works with 2.1.10 you can build it on CentOS from source. Glad to hear you figured it out. Best Regards, George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get checkrad to be called
On 06/04/2011 06:28 AM, Dan Brisson wrote: Just finished setting up the latest Freeradius - 2.1.10. Checkrad is working. I've replicated the settings from 2.1.7 so I have to think something has changed from 2.1.7 to 2.1.10. hm.. I would compare both setups to eliminate any typos in 2.1.7 configuration. As far as it works with 2.1.10 you can build it on CentOS from source. Glad to hear you figured it out. Best Regards, George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get checkrad to be called
Just finished setting up the latest Freeradius - 2.1.10. Checkrad is working. I've replicated the settings from 2.1.7 so I have to think something has changed from 2.1.7 to 2.1.10. I'm running on CentOS with 2.1.7 installed from Yum. My 2.1.10 was built from source on RHEL5. I ultimately need to be on CentOS. Once I get 2.1.10 installed and tested, I'll reply to the list. Thanks to those who chimed in. -dan On 6/3/11 9:21 AM, George Chelidze wrote: On 06/03/2011 02:35 PM, Dan Brisson wrote: It really seems like this line in the radutmp "modules" file is not being executed: check_with_nas = yes But from radiusd -X, it does seem to be: It's a configuration option not a command to be executed check_with_nas = yes So, it's there Can you post authorize/accounting sections from your configuration? Best Regards, George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get checkrad to be called
On 6/3/2011 9:21 AM, George Chelidze wrote:
On 06/03/2011 02:35 PM, Dan Brisson wrote:
It really seems like this line in the radutmp "modules" file is not
being executed:
check_with_nas = yes
But from radiusd -X, it does seem to be:
It's a configuration option not a command to be executed
Sorry, poorly worded on my part.
check_with_nas = yes
So, it's there
Can you post authorize/accounting sections from your configuration?
authorize {
preprocess
auth_log
chap
mschap
suffix
eap {
ok = return
}
unix
files
sql
checkval
nascheck
expiration
logintime
pap
}
accounting {
detail
unix
radutmp
sql
attr_filter.accounting_response
}
Best Regards,
George Chelidze
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get checkrad to be called
On 06/03/2011 02:35 PM, Dan Brisson wrote: It really seems like this line in the radutmp "modules" file is not being executed: check_with_nas = yes But from radiusd -X, it does seem to be: It's a configuration option not a command to be executed check_with_nas = yes So, it's there Can you post authorize/accounting sections from your configuration? Best Regards, George Chelidze - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get checkrad to be called
No different with only using sql in session { }.
It really seems like this line in the radutmp "modules" file is not
being executed:
check_with_nas = yes
But from radiusd -X, it does seem to be:
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
Stumped still
-dan
On 6/3/11 5:49 AM, Dan Brisson wrote:
George,
Sorry, I had commented out the simul_verify_query as a troubleshooting
step but actually do have it uncommented at this point, but it still
won't work.
I checked radiusd.conf and found this:
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
Re: radutmp vs. sql, good question. I will try with only sql active.
Thanks,
-dan
On 6/3/11 3:58 AM, George Chelidze wrote:
On 06/03/2011 03:59 AM, Dan Brisson wrote:
# simul_verify_query = "SELECT radacctid, acctsessionid, username, \
# nasipaddress, nasportid, framedipaddress, \
# callingstationid, framedprotocol \
# FROM ${acct_table1} \
# WHERE username = '%{SQL-User-Name}' \
# AND acctstoptime IS NULL"
as your verify_query is commented out, it will never check it with
nas, just compare result of count_query with configured max value (1
in your case), so uncomment it.
sites-enabled/default:
# Session database, used for checking Simultaneous-Use. Either the
radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Queries" in sql.conf
sql
}
Do you really need both?
modules/perl:
func_checksimul = checksimul
I would enable checkrad statement in radiusd.conf as it seems to be
used with radutmp/sql modules for sumult checks.
Best Regards,
George Chelidze
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get checkrad to be called
George,
Sorry, I had commented out the simul_verify_query as a troubleshooting
step but actually do have it uncommented at this point, but it still
won't work.
I checked radiusd.conf and found this:
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
Re: radutmp vs. sql, good question. I will try with only sql active.
Thanks,
-dan
On 6/3/11 3:58 AM, George Chelidze wrote:
On 06/03/2011 03:59 AM, Dan Brisson wrote:
# simul_verify_query = "SELECT radacctid, acctsessionid, username, \
# nasipaddress, nasportid, framedipaddress, \
# callingstationid, framedprotocol \
# FROM ${acct_table1} \
# WHERE username = '%{SQL-User-Name}' \
# AND acctstoptime IS NULL"
as your verify_query is commented out, it will never check it with
nas, just compare result of count_query with configured max value (1
in your case), so uncomment it.
sites-enabled/default:
# Session database, used for checking Simultaneous-Use. Either the
radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Queries" in sql.conf
sql
}
Do you really need both?
modules/perl:
func_checksimul = checksimul
I would enable checkrad statement in radiusd.conf as it seems to be
used with radutmp/sql modules for sumult checks.
Best Regards,
George Chelidze
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get checkrad to be called
On 06/03/2011 03:59 AM, Dan Brisson wrote:
# simul_verify_query = "SELECT radacctid, acctsessionid, username, \
# nasipaddress, nasportid, framedipaddress, \
# callingstationid, framedprotocol \
# FROM ${acct_table1} \
# WHERE username = '%{SQL-User-Name}' \
# AND acctstoptime IS NULL"
as your verify_query is commented out, it will never check it with nas,
just compare result of count_query with configured max value (1 in your
case), so uncomment it.
sites-enabled/default:
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Queries" in sql.conf
sql
}
Do you really need both?
modules/perl:
func_checksimul = checksimul
I would enable checkrad statement in radiusd.conf as it seems to be used
with radutmp/sql modules for sumult checks.
Best Regards,
George Chelidze
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get checkrad to be called
I do have this feeling that I'm missing, but I'm not sure what it is.
Here's what I have configured:
clients.conf:
client 10.1.10.20 {
secret = password
nastype = pr3000
sql/mysql/dialup.conf:
# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
# simul_verify_query = "SELECT radacctid, acctsessionid, username, \
# nasipaddress, nasportid, framedipaddress, \
# callingstationid, framedprotocol \
# FROM ${acct_table1} \
# WHERE username = '%{SQL-User-Name}' \
# AND acctstoptime IS NULL"
sites-enabled/default:
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Queries" in sql.conf
sql
}
modules/perl:
func_checksimul = checksimul
And in my MySQL radcheck table I have:
testuser Simultaneous-Use := 1
Thanks in advance for any insight,
-dan
On 6/2/11 5:54 AM, Alan DeKok wrote:
Dan Brisson wrote:
I was wondering if someone could help me determine why checkrad isn't
being called. I've followed the directions in the doc/Simultaneous-Use
but still cannot get checkrad to fire off when I login. It will check
radutmp, but never reaches out to my NAS with checkrad, as evidenced
here from radiusd -X:
+- entering group session {...}
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> testuser
++[radutmp] returns ok
Using Post-Auth-Type Reject
If you've configured Simultaneous-Use, then there should be
*something* about checkrad in the output.
Can I provide any other data? I'm using SQL for authorization and
accounting. I'm on version 2.1.7-7.el5 of FreeRadius.
Where did you configure Simultaneous-Use? How?
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get checkrad to be called
Dan Brisson wrote:
> I was wondering if someone could help me determine why checkrad isn't
> being called. I've followed the directions in the doc/Simultaneous-Use
> but still cannot get checkrad to fire off when I login. It will check
> radutmp, but never reaches out to my NAS with checkrad, as evidenced
> here from radiusd -X:
>
> +- entering group session {...}
> [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
> [radutmp] expand: %{User-Name} -> testuser
> ++[radutmp] returns ok
> Using Post-Auth-Type Reject
If you've configured Simultaneous-Use, then there should be
*something* about checkrad in the output.
> Can I provide any other data? I'm using SQL for authorization and
> accounting. I'm on version 2.1.7-7.el5 of FreeRadius.
Where did you configure Simultaneous-Use? How?
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
