Re: Can't get checkrad to be called
George,

Thanks for the reply. I will double-check my configuration. The one thing I noticed, even though checkrad is working, I can't find any clue in any log or debug output. I set it to log to checkrad.log, but that only works when I manually run /usr/sbin/checkrad. Is there another place that I'm not aware of?

Thanks!

-dan

On 6/6/2011 1:14 AM, George Chelidze wrote:
> On 06/04/2011 06:28 AM, Dan Brisson wrote:
>> Just finished setting up the latest Freeradius - 2.1.10. Checkrad is working. I've replicated the settings from 2.1.7 so I have to think something has changed from 2.1.7 to 2.1.10.
>
> hm.. I would compare both setups to eliminate any typos in 2.1.7 configuration. As far as it works with 2.1.10 you can build it on CentOS from source. Glad to hear you figured it out.
>
> Best Regards,
> George Chelidze

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get checkrad to be called
On 06/04/2011 06:28 AM, Dan Brisson wrote:
> Just finished setting up the latest Freeradius - 2.1.10. Checkrad is working. I've replicated the settings from 2.1.7 so I have to think something has changed from 2.1.7 to 2.1.10.

hm.. I would compare both setups to eliminate any typos in 2.1.7 configuration. As far as it works with 2.1.10 you can build it on CentOS from source. Glad to hear you figured it out.

Best Regards,
George Chelidze
Re: Can't get checkrad to be called
Just finished setting up the latest Freeradius - 2.1.10. Checkrad is working. I've replicated the settings from 2.1.7 so I have to think something has changed from 2.1.7 to 2.1.10.

I'm running on CentOS with 2.1.7 installed from Yum. My 2.1.10 was built from source on RHEL5. I ultimately need to be on CentOS. Once I get 2.1.10 installed and tested, I'll reply to the list.

Thanks to those who chimed in.

-dan

On 6/3/11 9:21 AM, George Chelidze wrote:
> On 06/03/2011 02:35 PM, Dan Brisson wrote:
>> It really seems like this line in the radutmp "modules" file is not being executed:
>>
>> check_with_nas = yes
>>
>> But from radiusd -X, it does seem to be:
>
> It's a configuration option not a command to be executed
>
>> check_with_nas = yes
>
> So, it's there
>
> Can you post authorize/accounting sections from your configuration?
>
> Best Regards,
> George Chelidze
Re: Can't get checkrad to be called
On 6/3/2011 9:21 AM, George Chelidze wrote:
> On 06/03/2011 02:35 PM, Dan Brisson wrote:
>> It really seems like this line in the radutmp "modules" file is not being executed:
>>
>> check_with_nas = yes
>>
>> But from radiusd -X, it does seem to be:
>
> It's a configuration option not a command to be executed

Sorry, poorly worded on my part.

>> check_with_nas = yes
>
> So, it's there
>
> Can you post authorize/accounting sections from your configuration?

authorize {
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    unix
    files
    sql
    checkval
    nascheck
    expiration
    logintime
    pap
}

accounting {
    detail
    unix
    radutmp
    sql
    attr_filter.accounting_response
}

> Best Regards,
> George Chelidze
Re: Can't get checkrad to be called
On 06/03/2011 02:35 PM, Dan Brisson wrote:
> It really seems like this line in the radutmp "modules" file is not being executed:
>
> check_with_nas = yes
>
> But from radiusd -X, it does seem to be:

It's a configuration option not a command to be executed

> check_with_nas = yes

So, it's there

Can you post authorize/accounting sections from your configuration?

Best Regards,
George Chelidze
Re: Can't get checkrad to be called
No different with only using sql in session { }.

It really seems like this line in the radutmp "modules" file is not being executed:

check_with_nas = yes

But from radiusd -X, it does seem to be:

Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
  radutmp {
        filename = "/var/log/radius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes

Stumped still

-dan

On 6/3/11 5:49 AM, Dan Brisson wrote:
> George,
>
> Sorry, I had commented out the simul_verify_query as a troubleshooting step but actually do have it uncommented at this point, but it still won't work.
>
> I checked radiusd.conf and found this:
>
> # The program to execute to do concurrency checks.
> checkrad = ${sbindir}/checkrad
>
> Re: radutmp vs. sql, good question. I will try with only sql active.
>
> Thanks,
> -dan
>
> On 6/3/11 3:58 AM, George Chelidze wrote:
>> On 06/03/2011 03:59 AM, Dan Brisson wrote:
>>> # simul_verify_query = "SELECT radacctid, acctsessionid, username, \
>>> #     nasipaddress, nasportid, framedipaddress, \
>>> #     callingstationid, framedprotocol \
>>> #     FROM ${acct_table1} \
>>> #     WHERE username = '%{SQL-User-Name}' \
>>> #     AND acctstoptime IS NULL"
>>
>> as your verify_query is commented out, it will never check it with nas, just compare result of count_query with configured max value (1 in your case), so uncomment it.
>>
>>> sites-enabled/default:
>>>
>>> # Session database, used for checking Simultaneous-Use. Either the radutmp
>>> # or rlm_sql module can handle this.
>>> # The rlm_sql module is *much* faster
>>> session {
>>>     radutmp
>>>     #
>>>     # See "Simultaneous Use Checking Queries" in sql.conf
>>>     sql
>>> }
>>
>> Do you really need both?
>>
>>> modules/perl:
>>>
>>> func_checksimul = checksimul
>>
>> I would enable checkrad statement in radiusd.conf as it seems to be used with radutmp/sql modules for simult checks.
>>
>> Best Regards,
>> George Chelidze
Re: Can't get checkrad to be called
George,

Sorry, I had commented out the simul_verify_query as a troubleshooting step but actually do have it uncommented at this point, but it still won't work.

I checked radiusd.conf and found this:

# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

Re: radutmp vs. sql, good question. I will try with only sql active.

Thanks,
-dan

On 6/3/11 3:58 AM, George Chelidze wrote:
> On 06/03/2011 03:59 AM, Dan Brisson wrote:
>> # simul_verify_query = "SELECT radacctid, acctsessionid, username, \
>> #     nasipaddress, nasportid, framedipaddress, \
>> #     callingstationid, framedprotocol \
>> #     FROM ${acct_table1} \
>> #     WHERE username = '%{SQL-User-Name}' \
>> #     AND acctstoptime IS NULL"
>
> as your verify_query is commented out, it will never check it with nas, just compare result of count_query with configured max value (1 in your case), so uncomment it.
>
>> sites-enabled/default:
>>
>> # Session database, used for checking Simultaneous-Use. Either the radutmp
>> # or rlm_sql module can handle this.
>> # The rlm_sql module is *much* faster
>> session {
>>     radutmp
>>     #
>>     # See "Simultaneous Use Checking Queries" in sql.conf
>>     sql
>> }
>
> Do you really need both?
>
>> modules/perl:
>>
>> func_checksimul = checksimul
>
> I would enable checkrad statement in radiusd.conf as it seems to be used with radutmp/sql modules for simult checks.
>
> Best Regards,
> George Chelidze
Re: Can't get checkrad to be called
On 06/03/2011 03:59 AM, Dan Brisson wrote:
> # simul_verify_query = "SELECT radacctid, acctsessionid, username, \
> #     nasipaddress, nasportid, framedipaddress, \
> #     callingstationid, framedprotocol \
> #     FROM ${acct_table1} \
> #     WHERE username = '%{SQL-User-Name}' \
> #     AND acctstoptime IS NULL"

as your verify_query is commented out, it will never check it with nas, just compare result of count_query with configured max value (1 in your case), so uncomment it.

> sites-enabled/default:
>
> # Session database, used for checking Simultaneous-Use. Either the radutmp
> # or rlm_sql module can handle this.
> # The rlm_sql module is *much* faster
> session {
>     radutmp
>     #
>     # See "Simultaneous Use Checking Queries" in sql.conf
>     sql
> }

Do you really need both?

> modules/perl:
>
> func_checksimul = checksimul

I would enable checkrad statement in radiusd.conf as it seems to be used with radutmp/sql modules for simult checks.

Best Regards,
George Chelidze
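An added example, not part of the thread and not FreeRADIUS code: a small Python check for the two points George raises in the message above, an active simul_count_query with simul_verify_query still commented out, and both radutmp and sql listed in session { }. The sample input is constructed from the fragments posted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample input: the fragments as posted in the thread.
SQL_CONF = r'''simul_count_query = "SELECT COUNT(*) \
    FROM ${acct_table1} \
    WHERE username = '%{SQL-User-Name}' \
    AND acctstoptime IS NULL"
# simul_verify_query = "SELECT radacctid, acctsessionid, username, \
#     nasipaddress, nasportid, framedipaddress, \
#     callingstationid, framedprotocol \
#     FROM ${acct_table1} \
#     WHERE username = '%{SQL-User-Name}' \
#     AND acctstoptime IS NULL"'''
SITE_CONF = '''session {
    radutmp
    # See "Simultaneous Use Checking Queries" in sql.conf
    sql
}'''

def active_settings(text):
    """Return {name: value} for settings that are not commented out."""
    settings, pending = {}, ""
    for line in map(str.strip, text.splitlines()):
        if not pending and line.startswith("#"):
            continue                          # comment or commented-out setting
        pending += line.rstrip("\\") + " "
        if not line.endswith("\\"):           # last line of this setting
            name, sep, value = pending.partition("=")
            if sep:
                settings[name.strip()] = value.strip().strip('"')
            pending = ""
    return settings

def session_modules(text):
    """Names of the modules listed in session { }, comments skipped."""
    block = re.search(r"^\s*session\s*\{(.*?)^\s*\}", text, re.S | re.M)
    lines = map(str.strip, block.group(1).splitlines()) if block else []
    return [l.split()[0] for l in lines if l and not l.startswith("#")]

def simul_use_findings(sql_conf, site_conf):
    """Findings for the two points raised in the thread; [] if neither applies."""
    sql, mods, out = active_settings(sql_conf), session_modules(site_conf), []
    if "sql" in mods and "simul_count_query" in sql and "simul_verify_query" not in sql:
        out.append("sql: simul_verify_query is not active, so sessions are "
                   "only counted and never verified with the NAS")
    if "radutmp" in mods and "sql" in mods:
        out.append("session: radutmp and sql both listed; either can handle this")
    return out

if __name__ == "__main__":
    print("\n".join(simul_use_findings(SQL_CONF, SITE_CONF)))
```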
Re: Can't get checkrad to be called
I do have this feeling that I'm missing, but I'm not sure what it is. Here's what I have configured:

clients.conf:

client 10.1.10.20 {
    secret = password
    nastype = pr3000

sql/mysql/dialup.conf:

# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) \
    FROM ${acct_table1} \
    WHERE username = '%{SQL-User-Name}' \
    AND acctstoptime IS NULL"

# simul_verify_query = "SELECT radacctid, acctsessionid, username, \
#     nasipaddress, nasportid, framedipaddress, \
#     callingstationid, framedprotocol \
#     FROM ${acct_table1} \
#     WHERE username = '%{SQL-User-Name}' \
#     AND acctstoptime IS NULL"

sites-enabled/default:

# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
    radutmp
    #
    # See "Simultaneous Use Checking Queries" in sql.conf
    sql
}

modules/perl:

func_checksimul = checksimul

And in my MySQL radcheck table I have:

testuser Simultaneous-Use := 1

Thanks in advance for any insight,

-dan

On 6/2/11 5:54 AM, Alan DeKok wrote:
> Dan Brisson wrote:
>> I was wondering if someone could help me determine why checkrad isn't being called. I've followed the directions in the doc/Simultaneous-Use but still cannot get checkrad to fire off when I login. It will check radutmp, but never reaches out to my NAS with checkrad, as evidenced here from radiusd -X:
>>
>> +- entering group session {...}
>> [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
>> [radutmp] expand: %{User-Name} -> testuser
>> ++[radutmp] returns ok
>> Using Post-Auth-Type Reject
>
> If you've configured Simultaneous-Use, then there should be *something* about checkrad in the output.
>
>> Can I provide any other data? I'm using SQL for authorization and accounting. I'm on version 2.1.7-7.el5 of FreeRadius.
>
> Where did you configure Simultaneous-Use? How?
>
> Alan DeKok.
Re: Can't get checkrad to be called
Dan Brisson wrote:
> I was wondering if someone could help me determine why checkrad isn't being called. I've followed the directions in the doc/Simultaneous-Use but still cannot get checkrad to fire off when I login. It will check radutmp, but never reaches out to my NAS with checkrad, as evidenced here from radiusd -X:
>
> +- entering group session {...}
> [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
> [radutmp] expand: %{User-Name} -> testuser
> ++[radutmp] returns ok
> Using Post-Auth-Type Reject

If you've configured Simultaneous-Use, then there should be *something* about checkrad in the output.

> Can I provide any other data? I'm using SQL for authorization and accounting. I'm on version 2.1.7-7.el5 of FreeRadius.

Where did you configure Simultaneous-Use? How?

Alan DeKok.