configuration parameters for perl module in rlm_perl
Hi list,

Is there a recommended way to pass configuration parameters to an rlm_perl module? My rlm_perl module would need additional configuration parameters. I would like to avoid having the perl module read an additional configuration file. Is there a possibility to add such parameters somewhere in the freeradius config, like in /etc/freeradius/modules/perl, and then have the perl module access these parameters?

Thanks a lot and kind regards
Cornelius

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: configuration parameters for perl module in rlm_perl
Cornelius Kölbel wrote:
> I would like to avoid having the perl module read an additional configuration file.

Then edit the source code to rlm_perl, and add those features.

> Is there a possibility to add such parameters somewhere in the freeradius config like in /etc/freeradius/modules/perl and then have the perl module access these parameters?

No.

Why is it a problem to read a configuration file?

Alan DeKok.
Re: configuration parameters for perl module in rlm_perl
On 14.09.2013 14:50, Alan DeKok wrote:
> Cornelius Kölbel wrote:
>> I would like to avoid having the perl module read an additional configuration file.
>
> Then edit the source code to rlm_perl, and add those features.
>
>> Is there a possibility to add such parameters somewhere in the freeradius config like in /etc/freeradius/modules/perl and then have the perl module access these parameters?
>
> No.

Thanks for the clarification!

> Why is it a problem to read a configuration file?

Just to avoid too many config files... But now I will do so.

Thanks a lot
Cornelius

> Alan DeKok.
Re: Rlm_perl in func_authenticate
Thanks for your reply.

On Sep 2, 2013 12:36 AM, Alan DeKok al...@deployingradius.com wrote:
> Mehdi Ravanbakhsh wrote:
>> I have some problems understanding the capability of rlm_perl in authenticate ... If I use this:
>>
>>     DEFAULT Auth-Type = Perl
>>             Fall-Through = yes
>>
>> then is all user authentication done with this Auth-Type?
>
> Yes. That's what you told it to do.
>
>> So what happens to the PAP and CHAP modules?
>
> They're not called.
>
>> And what is the relation of all modules in the authenticate section?
>
> Read the comments before the authenticate section. And doc/aaa.rst. This is documented.
>
> Alan DeKok.
Rlm_perl in func_authenticate
Hi All,

I have some problems understanding the capability of rlm_perl in authenticate ... If I use this:

    DEFAULT Auth-Type = Perl
            Fall-Through = yes

then is all user authentication done with this Auth-Type? So what happens to the PAP and CHAP modules? And what is the relation of all modules in the authenticate section?

Thanks and best regards.
Re: Rlm_perl in func_authenticate
Mehdi Ravanbakhsh wrote:
> I have some problems understanding the capability of rlm_perl in authenticate ... If I use this:
>
>     DEFAULT Auth-Type = Perl
>             Fall-Through = yes
>
> then is all user authentication done with this Auth-Type?

Yes. That's what you told it to do.

> So what happens to the PAP and CHAP modules?

They're not called.

> And what is the relation of all modules in the authenticate section?

Read the comments before the authenticate section. And doc/aaa.rst. This is documented.

Alan DeKok.
Re: rlm_perl hashes
Mehdi Ravanbakhsh wrote:
> If I remove the SQL module from the default site (sites-enabled) in any section, is the %RAD_CHECK hash still available in rlm_perl?

Yes. The modules are completely independent.

> In my plan I need to transfer all policy mechanisms to a function in my database (PostgreSQL), but we have some limitations in xlat, so I need to pass all value pairs from the request to the SQL function and get all reply value pairs in the function's return. In this case my function reads all check value pairs directly from the database, so I think the SQL module is no longer needed ...

Uh... the SQL module *connects* to the SQL database. Without the SQL module, you can't access your stored procedures.

> So can I transfer all SQL module tasks to an SQL function in my database?

Programming. Read the Postgres documentation to see how to use its embedded language.

Alan DeKok.
rlm_perl hashes
Hello All,

If I remove the SQL module from the default site (sites-enabled) in any section, is the %RAD_CHECK hash still available in rlm_perl?

In my plan I need to transfer all policy mechanisms to a function in my database (PostgreSQL), but we have some limitations in xlat, so I need to pass all value pairs from the request to the SQL function and get all reply value pairs in the function's return. In this case my function reads all check value pairs directly from the database, so I think the SQL module is no longer needed ...

So can I transfer all SQL module tasks to an SQL function in my database?

Best regards.
rlm_perl issue
An interesting one for the list ...

We are installing a Palo Alto firewall and it has a way to pass Username/IP mappings from FreeRADIUS to a Windows User ID Agent, which is then queried by the firewall.

The method employed is to use a Perl module (PAN::API), which has a simple API, basically:

    $var = PAN::API::UID->new( ip of server );
    $var->add( type login/logout, username, Framed-IP-Address );
    $var->submit();

which is added in the sub preacct () of the perl module... then call this in preacct {}

There are a couple of issues with this module that I am going to try and address:

1) Connections

new only instantiates an empty object, add adds the values to a hash, submit opens a TCP SSL connection, sends the hash as XML, then closes the connection.

With all the work being done in submit you have to create and tear down an SSL TCP connection for EVERY accounting record! Which is a lot at my site!

2) Errors

If the socket set-up fails, the PAN::API module calls croak(), which on my system terminated FreeRADIUS, which seems like what would happen?

    Thu Aug 22 13:53:03 2013 : Error: rlm_perl: perl_embed:: module = /etc/raddb/perl.pl , func = preacct exit status= Unable to connect socket. at /etc/raddb/perl.pl line 474

Socket setup failed, I am guessing because of all the open/close socket activity? Looks like the Windows 2008R2 server either blocked this as a suspected DOS or the agent failed to cope with this kind of TCP activity?

Obviously for problem 1, a better model would be to implement new methods on the object to open and close the SSL connection, then use a pattern like:

    {   # Static block start
        my $object = PAN::API::UID->new( IP );
        $object->connectssl();

        sub preacct {
            $object->add( params );
            $object->submit();
        }
    }

Closing the SSL connection would not be needed in effect as we run forever, and I wouldn't know where to place it as there is no function called on an rlm_perl module when FreeRADIUS is about to terminate, unless I am missing something.

For problem 2, are there rules about what you should not do in an rlm_perl module? I would have thought exit(), die(), croak() etc. are all bad and that returning quietly, optionally setting an error code, would be better? Then back in sub preacct () you could check the error and log with radiusd::radlog() and do a return RLM_MODULE_NOOP?

Would you expect FreeRADIUS to terminate if an rlm_perl module called croak()?

Anyone want to throw in 2 cents/pennies worth to this?

Thanks in advance, as always, for your time ...

Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department
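The containment pattern the post is asking about, as an added example that is not Barry's module and not PAN::API: one submitter object is kept per interpreter, and the call that may croak() runs inside eval{}, so a socket failure is logged and the accounting record skipped with RLM_MODULE_NOOP while radiusd keeps running. Hypothetical::UidSink is a stand-in with the new/add/submit shape the post describes (its connect() dies where the real module croaks); the return-code and log-level constants are the ones rlm_perl's example.pl declares, and the agent address is constructed.

```perl
#!/usr/bin/perl
# Added example (not from the list post, not part of PAN::API): one long-lived
# submitter per interpreter, with die()/croak() contained inside preacct so a
# backend failure is logged and skipped instead of taking radiusd down.
use strict;
use warnings;

# Return codes and log levels as rlm_perl's example.pl declares them.
use constant { RLM_MODULE_OK => 2, RLM_MODULE_NOOP => 7 };
use constant { L_ERR => 4 };

our %RAD_REQUEST;

# Outside FreeRADIUS there is no radiusd::radlog; fall back to STDERR so the
# file can be exercised from the command line.
my $standalone = !defined &radiusd::radlog;
*radiusd::radlog = sub { print STDERR "[$_[0]] $_[1]\n" } if $standalone;

# Hypothetical stand-in for the real PAN::API::UID object: same new/add/submit
# shape as in the post, plus an explicit connect() that dies exactly where the
# real module croaks, on socket setup.
package Hypothetical::UidSink;
sub new     { my ($class, %opt) = @_; return bless { %opt, connected => 0, sent => [], pending => [] }, $class }
sub connect { my $s = shift; die "Unable to connect socket\n" if $s->{fail_connect}; $s->{connected} = 1 }
sub add     { my ($s, %m) = @_; push @{ $s->{pending} }, \%m }
sub submit  { my $s = shift; $s->connect unless $s->{connected}; push @{ $s->{sent} }, splice @{ $s->{pending} }; return 1 }
package main;

# One object per interpreter, created on first use. A failure drops it so the
# next accounting record reconnects instead of reusing a dead socket.
my $sink;
sub sink { return $sink ||= Hypothetical::UidSink->new(ip => '192.0.2.10') }   # constructed agent address

sub preacct {
    my $status = $RAD_REQUEST{'Acct-Status-Type'} || '';
    my $type   = $status eq 'Start' ? 'login' : $status eq 'Stop' ? 'logout' : undef;
    return RLM_MODULE_NOOP unless defined $type;

    # eval{} turns any die/croak raised by the backend into a return value we control.
    my $ok = eval {
        my $s = sink();
        $s->add(type => $type, user => $RAD_REQUEST{'User-Name'}, ip => $RAD_REQUEST{'Framed-IP-Address'});
        $s->submit();
        1;
    };
    return RLM_MODULE_OK if $ok;

    my $err = $@ || 'unknown error';
    chomp $err;
    radiusd::radlog(L_ERR, "uid mapping for $RAD_REQUEST{'User-Name'} not sent, continuing: $err");
    $sink = undef;             # force a fresh object (and connection) next time
    return RLM_MODULE_NOOP;    # accounting continues; the record is simply not mapped
}

# Command-line demo: one good record, one where the agent refuses the socket,
# then one more to show the module recovered on its own.
if ($standalone) {
    %RAD_REQUEST = ('Acct-Status-Type' => 'Start', 'User-Name' => 'alice',
                    'Framed-IP-Address' => '10.0.0.5');          # constructed request
    my @rc = (preacct());
    sink()->{fail_connect} = 1; sink()->{connected} = 0;      # next submit dies
    push @rc, preacct();
    push @rc, preacct();                                       # fresh object, works again
    print "return codes: @rc\n";
    die "unexpected codes" unless "@rc" eq join ' ', RLM_MODULE_OK, RLM_MODULE_NOOP, RLM_MODULE_OK;
}
```

Run it with `perl preacct_contained.pl` to see the three return codes; inside radiusd the same file is loaded by rlm_perl and the demo block is skipped because radiusd::radlog already exists. The one thing eval{} cannot contain is exit(): a backend that calls exit() still ends the process, so wrap such calls or avoid the library.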
Re: rlm_perl issue
On 22/08/13 16:46, Dean, Barry wrote:
> Anyone want to throw in 2 cents/pennies worth to this?

Yep, don't do it like this.

Instead, write the user/ip entries to a file using the linelog module, and use a long-running perl process to tail the file (using File::Tail) and post them to the PAN. This will likely be more performant and avoid the hassles of a random module interfering with FreeRADIUS.

You probably want to write a timestamp to the file, and have the long-running process ignore lines older than X, in case it lags behind e.g. because it hangs, gets shutdown and restarted much later, etc.
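The consumer side of the suggestion above, as an added example that is not part of the thread. It assumes linelog has been configured to append one constructed line per accounting packet in the form `<unix-timestamp>,<login|logout>,<username>,<framed-ip>`, follows the file with File::Tail (CPAN) as suggested, and drops records older than an assumed MAX_AGE so a consumer that was stopped for an hour does not replay a stale backlog. The `$forward` callback that would talk to the PAN agent is left to the caller.

```perl
#!/usr/bin/perl
# Added example (not from the list): a long-running consumer for a linelog
# file. Assumed (constructed) line format written by linelog:
#   <unix-timestamp>,<login|logout>,<username>,<framed-ip>
use strict;
use warnings;

use constant MAX_AGE => 300;   # seconds; assumed threshold for "too old to replay"

# Parse one line into a record, or return undef for anything malformed.
sub parse_line {
    my ($line) = @_;
    chomp $line;
    my ($ts, $type, $user, $ip) = split /,/, $line, 4;
    return undef unless defined $ip
        && $ts   =~ /^\d+$/
        && $type =~ /^(?:login|logout)$/
        && $user ne ''
        && $ip   =~ /^(?:\d{1,3}\.){3}\d{1,3}$/;
    return { ts => $ts, type => $type, user => $user, ip => $ip };
}

# Split a batch of lines into records to forward plus counts of what was
# dropped. $now is passed in so the decision is testable without the clock.
sub triage {
    my ($now, @lines) = @_;
    my %out = (forward => [], stale => 0, malformed => 0);
    for my $line (@lines) {
        my $rec = parse_line($line);
        if (!$rec)                       { $out{malformed}++; next }
        if ($now - $rec->{ts} > MAX_AGE) { $out{stale}++;     next }
        push @{ $out{forward} }, $rec;
    }
    return \%out;
}

# Follow the file forever. File::Tail blocks in read() until a new line
# arrives and copes with the file being rotated underneath it.
sub run_tail {
    my ($path, $forward) = @_;     # $forward: coderef that submits one record
    require File::Tail;
    my $tail = File::Tail->new(name => $path, maxinterval => 5, tail => 0);
    while (defined(my $line = $tail->read)) {
        my $t = triage(time, $line);
        $forward->($_) for @{ $t->{forward} };
        warn "skipped stale record: $line" if $t->{stale};
    }
}

# Command-line demo on constructed lines: two fresh records, one written an
# hour ago (backlog from a stalled consumer), one malformed line.
unless (caller) {
    my $now   = time;
    my @lines = (
        ($now - 5)    . ",login,alice,10.0.0.5\n",
        ($now - 3600) . ",logout,bob,10.0.0.9\n",
        "garbage line\n",
        ($now - 1)    . ",logout,alice,10.0.0.5\n",
    );
    my $t = triage($now, @lines);
    printf "forward=%d stale=%d malformed=%d\n", scalar @{ $t->{forward} }, $t->{stale}, $t->{malformed};
    die "triage mismatch" unless @{ $t->{forward} } == 2 && $t->{stale} == 1 && $t->{malformed} == 1;
    # For real use: run_tail('/var/log/freeradius/uid-map.log', sub { ... submit $_[0] ... });
}
```

Keeping parse and age checks in pure functions means the decision logic can be unit-tested without a FreeRADIUS or a PAN agent in the loop; only run_tail touches the file system. Because the consumer is a separate process, a hang or crash in it can never stall or kill radiusd, which is the point of the suggestion.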
Re: RLM_PERL mysql disconnect : what is the preferred handling ?
itquestioner wrote:
> We've found in the freeradius wiki, that the correct way to manage connection to mysql is to initiate the connection in the CLONE function.
> But where should we put $dbh->disconnect() to be sure that any connection will also be closed? Whatever the result of the request treatment, and the stage in which the module may exit.

You should be able to disconnect the database at any time.

Alan DeKok.
RLM_PERL mysql disconnect : what is the preferred handling ?
Hi,

First question from beginners.

We've found in the freeradius wiki, that the correct way to manage connection to mysql is to initiate the connection in the CLONE function.

But where should we put $dbh->disconnect() to be sure that any connection will also be closed? Whatever the result of the request treatment, and the stage in which the module may exit.

Thank you, best regards
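One way to structure the handle so that a disconnect is safe at any stage, as an added example that is neither the poster's code nor the wiki's. The handle is a file lexical, CLONE connects it for each cloned interpreter as the wiki advises, every request goes through db() which pings and reconnects, and detach() is the single place it is closed. It assumes rlm_perl's func_detach hook (default name `detach`) is configured so radiusd calls detach() when the module is unloaded; the DSN and credentials are constructed placeholders, and the command-line demo uses an in-memory SQLite database only if DBD::SQLite happens to be installed.

```perl
#!/usr/bin/perl
# Added example (not from the list or the wiki): a per-interpreter DBI handle
# set up in CLONE, checked with ping() before each use, closed in one place.
use strict;
use warnings;

# Constructed connection details; replace with your own.
my ($dsn, $db_user, $db_pass) = ('dbi:mysql:database=radius;host=127.0.0.1', 'radius', 'secret');

my $dbh;   # file lexical, so each cloned interpreter (one per thread) owns its own

# Perl calls CLONE in the new thread after the interpreter is copied. A DBI
# handle must never be shared across threads, so connect fresh here instead of
# inheriting the parent's handle.
sub CLONE { $dbh = undef; connect_db(); }

sub connect_db {
    require DBI;
    $dbh = DBI->connect($dsn, $db_user, $db_pass,
                        { RaiseError => 1, AutoCommit => 1, PrintError => 0 });
    return $dbh;
}

# Every request goes through here: if the server dropped us, or the handle was
# disconnected earlier for any reason, ping() fails and we reconnect.
sub db {
    return $dbh if $dbh && $dbh->ping;
    return connect_db();
}

# Assumed to be wired to rlm_perl's func_detach; also safe to call from END.
sub detach {
    $dbh->disconnect if $dbh;
    $dbh = undef;
}

# Command-line demo with an in-memory SQLite database when DBD::SQLite is
# installed; it exercises the same connect / use / disconnect / reconnect path.
unless (caller) {
    if (eval { require DBD::SQLite; 1 }) {
        ($dsn, $db_user, $db_pass) = ('dbi:SQLite:dbname=:memory:', '', '');
        db()->do('CREATE TABLE radcheck (username TEXT, attribute TEXT)');
        db()->do(q{INSERT INTO radcheck VALUES ('alice', 'Cleartext-Password')});
        my ($n) = db()->selectrow_array('SELECT COUNT(*) FROM radcheck');
        detach();                      # disconnect "in the middle" of request handling
        my $h = db();                  # handle is gone, so db() reconnects
        die "not reconnected" unless $h->ping;
        print "rows before disconnect: $n; reconnected after detach: yes\n";
        detach();
    } else {
        print "DBD::SQLite not installed; nothing to demo offline\n";
    }
}
```

With this shape the answer to "where do we disconnect" is: anywhere, because no code path holds the raw `$dbh`; they all call db(), which repairs a closed or dead handle before use. Note that the in-memory SQLite database is recreated on reconnect, which is why the demo counts rows before the disconnect and only checks ping() after it.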
Freeradius 3.0 hints, rlm_perl
Hello Arran,

> You can of course 'make deb' in the top level directory of the current Git HEAD (which will very soon be 2.2.1) and make your own debian packages.

That is fine with me and works perfectly. I was not aware of that option, but now I know that it is out there, it is the way to go.

While trying that I also built a 3.0 GIT HEAD and there were a few problems I tripped over:

- HINTS does not work the way it did before. Especially this no longer works for me:

    DEFAULT User-Name =~ ^v104([^@]+)
            User-Name := %{1}@V104.GMVL.DE

- rlm_perl does not seem to register itself as module correctly, because I get the following error message as soon as I:

    ...
    authorize {
        update control {
            Auth-Type := perl
        }
    }
    ...

  Message is:

    (0) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.

  Full Log: http://pbot.rmdir.de/IRC6zW11GNEWEFpMx0a13w

- freeradius gives me a segmentation fault as soon as I put 'perl' in the authorize section and do one authentication request.

    authorize {
        perl
    }

I really would like to work out all the above issues, is someone willing to walk me through it? Otherwise I'll try myself, but I always appreciate all the help I can get. ;-)

Cheers,
        Thomas
Re: Freeradius 3.0 hints, rlm_perl
> - HINTS does not work the way it did before. Especially this no longer works for me:
>
>     DEFAULT User-Name =~ ^v104([^@]+)
>             User-Name := %{1}@V104.GMVL.DE

Can you get some debug output, or even just the value of the User-Name? It may just be that the escaping is less crazy than it used to be.

> - rlm_perl does not seem to register itself as module correctly, because I get the following error message as soon as I:
>
>     ...
>     authorize {
>         update control {
>             Auth-Type := perl
>         }
>     }
>     ...
>
>   Message is:
>
>     (0) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.

No. That just means you don't have a reject {} section in Post-Auth, it has nothing to do with the perl module.

>   Full Log: http://pbot.rmdir.de/IRC6zW11GNEWEFpMx0a13w
>
> - freeradius gives me a segmentation fault as soon as I put 'perl' in the authorize section and do one authentication request.

Can you provide a backtrace please? I'll see if I can fix it.

-Arran
Re: Freeradius 3.0 hints, rlm_perl
Hello Arran,

>>     DEFAULT User-Name =~ ^v104([^@]+)
>>             User-Name := %{1}@V104.GMVL.DE
>
> Can you get some debug output, or even just the value of the User-Name? It may just be that the escaping is less crazy than it used to be.

The username is: v104\Administrator but radius puts it internally as v104\\Administrator. This is how it looks in 2.2.0:

    rad_recv: Access-Request packet from host 10.104.1.0 port 54489, id=59, length=58
            User-Name = v104\\Administrator
            User-Password = Pa$$w0rd
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[control] returns notfound
    [preprocess]    expand: %{User-Name} -> v104\Administrator
    [preprocess] hints: Matched DEFAULT at 1
    [preprocess]    expand: %{1}@V104.GMVL.DE -> administra...@v104.gmvl.de
    ++[preprocess] returns ok
    Found Auth-Type = perl
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    rlm_perl: Added pair User-Name = administra...@v104.gmvl.de
    rlm_perl: Added pair User-Password = Pa$$w0rd
    rlm_perl: Added pair NAS-IP-Address = 10.104.1.0
    rlm_perl: Added pair Reply-Message = Enter SMS one time password
    rlm_perl: Added pair State = 72641523
    rlm_perl: Added pair Response-Packet-Type = Access-Challenge
    rlm_perl: Added pair Auth-Type = perl

> No. That just means you don't have a reject {} section in Post-Auth, it has nothing to do with the perl module.

I see, I'll try that and report back.

> Can you provide a backtrace please? I'll see if I can fix it.

I'll do that.

I found another small bug in the debian packages generated by debian/rules binary in the 2.2.0 release: the initscript puts the pid file in /var/run/freeradius, but FreeRADIUS wants to put it in /var/run/radius, so it does not start:

    Sun Jul 21 19:36:34 2013 : Error: Failed creating PID file /var/run/radiusd/radiusd.pid: No such file or directory

Cheers,
        Thomas
Re: Freeradius 3.0 hints, rlm_perl
Hi,

> While trying that I also built a 3.0 GIT HEAD and there were a few problems I tripped over:
>
> - HINTS does not work the way it did before. Especially this no longer works for me:
>
>     DEFAULT User-Name =~ ^v104([^@]+)
>             User-Name := %{1}@V104.GMVL.DE

I believe hints is going the way of the dodo eventually - unlang can do the work for you, eg

    if (%{User-Name} =~ ^v104([^@]+) ) {
        update request {
            %{User-Name} := %{1}@V104.GMVL.DE
        }
    }

or somesuch.

>   Message is:
>
>     (0) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.

As already said, this is just no reject part on post-auth - this has been common since 2.2.x

> - freeradius gives me a segmentation fault as soon as I put 'perl' in the authorize section and do one authentication request.

That's more interesting. We run PERL with 3.x here and haven't seen such an issue. I wonder if your PERL environment is different.

It would be sooo much better for you to be running (or ready to run!) 3.x at this point in time.

alan
Re: Freeradius 3.0 hints, rlm_perl
Hello Arran,

> Can you provide a backtrace please? I'll see if I can fix it.

    Program received signal SIGSEGV, Segmentation fault.
    0x08052f8a in rad_authenticate (request=0x863f138) at src/main/auth.c:542
    542                 (auth_item->da->attr == PW_USER_PASSWORD)) {
    (gdb) bt
    #0  0x08052f8a in rad_authenticate (request=0x863f138) at src/main/auth.c:542
    #1  0x080741d3 in request_running (request=0x863f138, action=1) at src/main/process.c:1185
    #2  0x08073525 in request_queue_or_run (request=0x863f138, process=0x8074104 <request_running>) at src/main/process.c:828
    #3  0x08074836 in request_receive (listener=0x8480c00, packet=0x863ef30, client=0x81e4828, fun=0x8052a0b <rad_authenticate>) at src/main/process.c:1377
    #4  0x080592ec in auth_socket_recv (listener=0x8480c00) at src/main/listen.c:1449
    #5  0x08079b09 in event_socket_handler (xel=0x846f640, fd=7, ctx=0x8480c00) at src/main/process.c:3483
    #6  0xf7d7e0cd in fr_event_loop (el=0x846f640) at src/lib/event.c:414
    #7  0x0807ad91 in radius_event_process () at src/main/process.c:4272
    #8  0x0806a384 in main (argc=2, argv=0xcc04) at src/main/radiusd.c:475
    (gdb) p auth_item
    $1 = (VALUE_PAIR *) 0x8482220
    (gdb) p auth_item->da
    $2 = (const DICT_ATTR *) 0x0

I was able to reproduce that on Ubuntu 12.04 (Precise Pangolin) x64 and Debian Wheezy 32 Bit. If you need exact instructions on how to reproduce, or access to the system, send me an ssh key or e-mail.

Cheers,
        Thomas
Re: Freeradius 3.0 hints, rlm_perl
On 21 Jul 2013, at 22:33, Thomas Glanzmann tho...@glanzmann.de wrote:

> Hello Arran,
>
>> Can you provide a backtrace please? I'll see if I can fix it.
>
>     Program received signal SIGSEGV, Segmentation fault.
>     0x08052f8a in rad_authenticate (request=0x863f138) at src/main/auth.c:542
>     542                 (auth_item->da->attr == PW_USER_PASSWORD)) {
>     (gdb) bt
>     #0  0x08052f8a in rad_authenticate (request=0x863f138) at src/main/auth.c:542
>     #1  0x080741d3 in request_running (request=0x863f138, action=1) at src/main/process.c:1185
>     #2  0x08073525 in request_queue_or_run (request=0x863f138, process=0x8074104 <request_running>) at src/main/process.c:828
>     #3  0x08074836 in request_receive (listener=0x8480c00, packet=0x863ef30, client=0x81e4828, fun=0x8052a0b <rad_authenticate>) at src/main/process.c:1377
>     #4  0x080592ec in auth_socket_recv (listener=0x8480c00) at src/main/listen.c:1449
>     #5  0x08079b09 in event_socket_handler (xel=0x846f640, fd=7, ctx=0x8480c00) at src/main/process.c:3483
>     #6  0xf7d7e0cd in fr_event_loop (el=0x846f640) at src/lib/event.c:414
>     #7  0x0807ad91 in radius_event_process () at src/main/process.c:4272
>     #8  0x0806a384 in main (argc=2, argv=0xcc04) at src/main/radiusd.c:475
>     (gdb) p auth_item
>     $1 = (VALUE_PAIR *) 0x8482220
>     (gdb) p auth_item->da
>     $2 = (const DICT_ATTR *) 0x0
>
> I was able to reproduce that on Ubuntu 12.04 (Precise Pangolin) x64 and Debian Wheezy 32 Bit. If you need exact instructions on how to reproduce, or access to the system, send me an ssh key or e-mail.

Oh I have a pretty good idea of what's gone on. Could you git pull and rebuild. You'll probably see an abort this time round.

-Arran
Re: Freeradius 3.0 hints, rlm_perl
Hello Alan,

> I believe hints is going the way of the dodo eventually - unlang can do the work for you, eg
>
>     if (%{User-Name} =~ ^v104([^@]+) ) {
>         update request {
>             %{User-Name} := %{1}@V104.GMVL.DE
>         }
>     }

I tried:

    server default {
        listen {
            type = auth
            ipaddr = *
        }
        authenticate {
            perl
        }
        authorize {
            update control {
                Auth-Type := perl
            }
            if (%{User-Name} =~ /^v104([^@]+)/ ) {
                update request {
                    %{User-Name} := %{1}@V104.GMVL.DE
                }
            }
        }
        accounting {
            detail
        }
        post-auth {
            Post-Auth-Type REJECT {
                attr_filter.access_reject
            }
        }
    }

There was one error I could figure out: the right side of the regular expression has to be //. I fixed that, but it does not recognize the right hand side %{1}@V104.GMVL.DE. According to [1] it should be that, if I understand it correctly.

[1] http://freeradius.org/radiusd/man/unlang.html

> That's more interesting. We run PERL with 3.x here and haven't seen such an issue. I wonder if your PERL environment is different.

I'm running Debian Wheezy. libperl-dev - 5.14.2-21

> It would be sooo much better for you to be running (or ready to run!) 3.x at this point in time.

I work on it. :-)

Cheers,
        Thomas
Re: Freeradius 3.0 hints, rlm_perl
Hello Arran,

> Oh I have a pretty good idea of what's gone on. Could you git pull and rebuild. You'll probably see an abort this time round.

I did a git pull

    # Wipe the working directory clean
    git reset --hard HEAD; git clean -f -x -d
    ./configure --prefix=/local/freeradius-head; make -j; make install

And yes, I see an ABORT, what is going on?

    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1 port 47420, id=99, length=43
            User-Name = 'bla'
            User-Password = 'fasel'
    (0) # Executing section authorize from file /local/freeradius-head/etc/raddb/sites-enabled/smsotp
    (0)   group authorize {
    (0)   - entering group authorize {...}
    (0)     update control {
    (0)       Auth-Type := perl
    (0)     } # update control = notfound
    (0) Found Auth-Type = perl
    (0) # Executing group from file /local/freeradius-head/etc/raddb/sites-enabled/smsotp
    (0)   group authenticate {
    (0)   - entering group authenticate {...}
    rlm_perl: Added pair User-Name = bla
    rlm_perl: Added pair User-Password = fasel
    rlm_perl: Added pair Auth-Type = perl
    (0)     [perl] = reject
    (0) Failed to authenticate the user.
    (0) Using Post-Auth-Type Reject
    (0) # Executing group from file /local/freeradius-head/etc/raddb/sites-enabled/smsotp
    (0)   group REJECT {
    (0)   - entering group REJECT {...}
    (0)   attr_filter.access_reject : expand: %{User-Name} -> 'bla'
    (0)   attr_filter.access_reject : Matched entry DEFAULT at line 11
    (0)     [attr_filter.access_reject] = updated
    (0) Finished request 0.
    Waking up in 0.3 seconds.
    Waking up in 0.6 seconds.
    (0) Sending delayed reject
    Sending Access-Reject of id 99 from 0.0.0.0 port 1812 to 127.0.0.1 port 47420
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 33829, id=101, length=43
            User-Name = 'bla'
            User-Password = 'fasel'
    (1) # Executing section authorize from file /local/freeradius-head/etc/raddb/sites-enabled/smsotp
    (1)   group authorize {
    (1)   - entering group authorize {...}
    (1)     update control {
    (1)       Auth-Type := perl
    (1)     } # update control = notfound
    (1) Found Auth-Type = perl
    (1) # Executing group from file /local/freeradius-head/etc/raddb/sites-enabled/smsotp
    (1)   group authenticate {
    (1)   - entering group authenticate {...}
    rlm_perl: Added pair User-Name = bla
    rlm_perl: Added pair User-Password = fasel
    rlm_perl: Added pair Auth-Type = perl
    (1)     [perl] = reject
    (1) Failed to authenticate the user.

    Program received signal SIGABRT, Aborted.
    0xf7fdf430 in __kernel_vsyscall ()
    (gdb) bt
    #0  0xf7fdf430 in __kernel_vsyscall ()
    #1  0xf7b92941 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
    #2  0xf7b95d72 in *__GI_abort () at abort.c:92
    #3  0xf7d47c83 in ?? () from /usr/lib/i386-linux-gnu/libtalloc.so.2
    #4  0xf7d498cc in talloc_get_name () from /usr/lib/i386-linux-gnu/libtalloc.so.2
    #5  0xf7d4bbde in _talloc_get_type_abort () from /usr/lib/i386-linux-gnu/libtalloc.so.2
    #6  0x08052f97 in rad_authenticate (request=0x863eeb8) at src/main/auth.c:541
    #7  0x080741f3 in request_running (request=0x863eeb8, action=1) at src/main/process.c:1185
    #8  0x08073545 in request_queue_or_run (request=0x863eeb8, process=0x8074124 <request_running>) at src/main/process.c:828
    #9  0x08074856 in request_receive (listener=0x8480a98, packet=0x863edb8, client=0x81e4828, fun=0x8052a0b <rad_authenticate>) at src/main/process.c:1377
    #10 0x0805930c in auth_socket_recv (listener=0x8480a98) at src/main/listen.c:1449
    #11 0x08079b29 in event_socket_handler (xel=0x846f4d8, fd=7, ctx=0x8480a98) at src/main/process.c:3483
    #12 0xf7d7e0cd in fr_event_loop (el=0x846f4d8) at src/lib/event.c:414
    #13 0x0807adb1 in radius_event_process () at src/main/process.c:4272
    #14 0x0806a3a4 in main (argc=2, argv=0xcc14) at src/main/radiusd.c:475
    (gdb) quit

Cheers,
        Thomas
Re: Freeradius 3.0 hints, rlm_perl
On 21 Jul 2013, at 23:17, Thomas Glanzmann tho...@glanzmann.de wrote:

> Hello Arran,
>
>> Oh I have a pretty good idea of what's gone on. Could you git pull and rebuild. You'll probably see an abort this time round.
>
> I did a git pull
>
>     # Wipe the working directory clean
>     git reset --hard HEAD; git clean -f -x -d
>     ./configure --prefix=/local/freeradius-head; make -j; make install
>
> And yes, I see an ABORT, what is going on?

Something was caching the pointer to request->password when it shouldn't have. Should be fixed now.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Freeradius 3.0 hints, rlm_perl
On 21 Jul 2013, at 23:47, Susan Brown a.cudba...@freeradius.org wrote:

> On 21 Jul 2013, at 23:17, Thomas Glanzmann tho...@glanzmann.de wrote:
>
>> Hello Arran,
>>
>>> Oh I have a pretty good idea of what's gone on. Could you git pull and rebuild. You'll probably see an abort this time round.
>>
>> I did a git pull
>>
>>     # Wipe the working directory clean
>>     git reset --hard HEAD; git clean -f -x -d
>>     ./configure --prefix=/local/freeradius-head; make -j; make install
>>
>> And yes, I see an ABORT, what is going on?
>
> Something was caching the pointer to request->password when it shouldn't have. Should be fixed now.

Interesting. Pretty sure I haven't changed my name to Susan Brown... hmm.

-Arran
Re: Freeradius 3.0 hints, rlm_perl
Hello Arran,

> Something was caching the pointer to request->password when it shouldn't have. Should be fixed now.

I pulled the fix and can no longer reproduce the issue, I tried with 100 authentications in a row. Thank you for fixing it.

Cheers,
        Thomas
rlm_perl not found
Hi,

I have a yum-installed freeradius with which I'm trying to use the perl module. I am following the examples/instructions here: http://wiki.freeradius.org/modules/Rlm_perl

But I'm getting an error when starting radiusd:

    server { # from file /etc/raddb/radiusd.conf
     modules {
      Module: Creating Auth-Type = Perl
      Module: Creating Auth-Type = ntlm_auth
      Module: Creating Auth-Type = LDAP
      Module: Creating Post-Auth-Type = REJECT
      Module: Checking authenticate {...} for more modules to load
    /etc/raddb/modules/perl[7]: Failed to link to module 'rlm_perl': file not found
    /etc/raddb/sites-enabled/default[51]: Failed to load module perl.
    /etc/raddb/sites-enabled/default[51]: Failed to parse perl entry.

Any help on how to resolve this?

--
Med venlig hilsen / With best regards

Thomas Andersen
Systems and Network Administrator
IT University in Copenhagen
Rued Langgaards Vej 7
2300 København S
Phone: +45 72185249

**NEVER DISCLOSE YOUR PASSWORD OR SHOE SIZE - NOT EVEN TO YOUR DENTIST**
Re: rlm_perl not found
On 28 Jun 2013, at 12:30, Thomas Hermarij Maimann Andersen t...@itu.dk wrote:

> Hi,
>
> I have a yum-installed freeradius with which I'm trying to use the perl module. I am following the examples/instructions here: http://wiki.freeradius.org/modules/Rlm_perl
>
> But I'm getting an error when starting radiusd:
>
>     server { # from file /etc/raddb/radiusd.conf
>      modules {
>       Module: Creating Auth-Type = Perl
>       Module: Creating Auth-Type = ntlm_auth
>       Module: Creating Auth-Type = LDAP
>       Module: Creating Post-Auth-Type = REJECT
>       Module: Checking authenticate {...} for more modules to load
>     /etc/raddb/modules/perl[7]: Failed to link to module 'rlm_perl': file not found
>     /etc/raddb/sites-enabled/default[51]: Failed to load module perl.
>     /etc/raddb/sites-enabled/default[51]: Failed to parse perl entry.
>
> Any help on how to resolve this?

Have you installed freeradius-perl?

    yum install freeradius-perl

Regards
Scott
Re: Truncation of octet attribute handled by rlm_perl
All attributes in rlm_perl scripts should be text. rlm_perl converts them to text before the function call and converts them from text after the function returns. So you should use

    $RAD_REPLY{'DHCP-Classless-Static-Route'} = '0x' . unpack('H*', $route);

On 28.02.2013 11:05, Бен Томпсон wrote:
> Hello everyone
>
> I am having a slight problem with rlm_perl and I would really appreciate any advice/help.
>
> I have a perl script which rlm_perl adds a value to the DHCP-Classless-Static-Route attribute, something like this:
>
>     ### perl script snippets
>     ...
>     my $route = pack('C7', split(/\,/, "16,172,16,10,0,0,2"));
>     ...
>     radiusd::radlog(RADLOG_DEBUG, "packed data: " . unpack('H*', $route));
>     ...
>     $RAD_REPLY{'DHCP-Classless-Static-Route'} = $route;
>     ...
>     ###
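The same fix carried through, as an added example that is not Ben's script or Iliya's: the route bytes are built from a prefix and a router (RFC 3442 layout, the one the post's seven hard-coded octets follow) and handed to %RAD_REPLY as the 0x-prefixed hex string rlm_perl needs, so the 0x00 bytes in 10.0.0.2 can no longer truncate the value. It generalises the post's single route to any list of prefix/router pairs and includes a decoder to check what the client will actually receive; the route values in the demo are constructed.

```perl
#!/usr/bin/perl
# Added example (not from the thread): build DHCP-Classless-Static-Route
# values (RFC 3442) and hand them to rlm_perl as 0x-prefixed hex text.
use strict;
use warnings;

# One RFC 3442 descriptor: width byte, the ceil(width/8) significant network
# octets (host bits masked off), then the four router octets.
sub encode_route {
    my ($cidr, $router) = @_;
    my ($net, $width) = $cidr =~ m{^(\d+\.\d+\.\d+\.\d+)/(\d+)$} or die "bad prefix: $cidr";
    die "bad width: $width" if $width > 32;
    my $addr   = unpack('N', pack('C4', split /\./, $net));
    my $mask   = $width == 0 ? 0 : (0xFFFFFFFF << (32 - $width)) & 0xFFFFFFFF;
    my @octets = unpack('C4', pack('N', $addr & $mask));
    my $sig    = int(($width + 7) / 8);
    return pack('C', $width) . pack('C*', @octets[0 .. $sig - 1]) . pack('C4', split /\./, $router);
}

# What goes into %RAD_REPLY: rlm_perl passes text, so octets travel as hex.
# A raw binary string here is what got cut at the first NUL in the post.
sub route_attr {
    my (@pairs) = @_;   # ([cidr, router], ...)
    return '0x' . unpack('H*', join '', map { encode_route(@$_) } @pairs);
}

# Inverse, for checking what the client will actually be sent.
sub decode_routes {
    my ($hex) = @_;
    $hex =~ s/^0x//i or die "expected 0x-prefixed hex";
    my $raw = pack('H*', $hex);
    my @routes;
    while (length $raw) {
        my $width = unpack('C', substr($raw, 0, 1, ''));
        my $sig   = int(($width + 7) / 8);
        die "short descriptor" if length($raw) < $sig + 4;
        my @net   = (unpack('C*', substr($raw, 0, $sig, '')), (0) x (4 - $sig));
        my $rtr   = join '.', unpack('C4', substr($raw, 0, 4, ''));
        push @routes, [ join('.', @net) . "/$width", $rtr ];
    }
    return @routes;
}

# Command-line demo on constructed routes: the post's 172.16.0.0/16 via
# 10.0.0.2 plus a default route, then a round trip through the decoder.
unless (caller) {
    my @routes = (['172.16.0.0/16', '10.0.0.2'], ['0.0.0.0/0', '10.0.0.1']);
    my $value  = route_attr(@routes);
    print "DHCP-Classless-Static-Route = $value\n";
    my @back = decode_routes($value);
    die "round trip failed" unless "@{[ map { @$_ } @back ]}" eq "@{[ map { @$_ } @routes ]}";
    # In the rlm_perl script the only line that changes compared with the post is:
    # $RAD_REPLY{'DHCP-Classless-Static-Route'} = route_attr(['172.16.0.0/16', '10.0.0.2']);
}
```

For the post's route the first seven bytes of the value are 10 ac 10 0a 00 00 02, the same bytes Ben logged; the difference is only that they now cross the rlm_perl text boundary as hex digits, so the two zero bytes survive. The same rule applies to any other octets attribute set from Perl, State included.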
Re: Truncation of octet attribute handled by rlm_perl
Many thanks for your help.

2013/3/1 Iliya Peregoudov iperegu...@cboss.ru:
> All attributes in rlm_perl scripts should be text. rlm_perl converts them to text before the function call and converts them from text after the function returns. So you should use
>
>     $RAD_REPLY{'DHCP-Classless-Static-Route'} = '0x' . unpack('H*', $route);
>
> On 28.02.2013 11:05, Бен Томпсон wrote:
>> Hello everyone
>>
>> I am having a slight problem with rlm_perl and I would really appreciate any advice/help.
>>
>> I have a perl script which rlm_perl adds a value to the DHCP-Classless-Static-Route attribute, something like this:
>>
>>     ### perl script snippets
>>     ...
>>     my $route = pack('C7', split(/\,/, "16,172,16,10,0,0,2"));
>>     ...
>>     radiusd::radlog(RADLOG_DEBUG, "packed data: " . unpack('H*', $route));
>>     ...
>>     $RAD_REPLY{'DHCP-Classless-Static-Route'} = $route;
>>     ...
>>     ###
Truncation of octet attribute handled by rlm_perl
Hello everyone

I am having a slight problem with rlm_perl and I would really appreciate any advice/help.

I have a perl script which rlm_perl adds a value to the DHCP-Classless-Static-Route attribute, something like this:

    ### perl script snippets
    ...
    my $route = pack('C7', split(/\,/, "16,172,16,10,0,0,2"));
    ...
    radiusd::radlog(RADLOG_DEBUG, "packed data: " . unpack('H*', $route));
    ...
    $RAD_REPLY{'DHCP-Classless-Static-Route'} = $route;
    ...
    ###

..but from the debug output I see that the attribute data is truncated at the first octet with value 00:

    ### freeradius -Xx snippets
    ...
    Thu Feb 28 10:35:23 2013 : rlm_perl: packed data: 10ac100a02
    Thu Feb 28 10:35:23 2013 : Debug: rlm_perl: Added pair DHCP-Classless-Static-Route = ???
    ...
            DHCP-Classless-Static-Route = 0x10ac100a
    ##

Am I doing something daft, or is this a possible bug in rlm_perl? I am using freeradius 2.2.0.
rlm_perl RAD_REQUEST
EHLO list!

We're running into a strange issue here and would like the input of the FreeRADIUS community.

Using rlm_perl with our own perl module for post_auth, everything is running smoothly until, for an unknown reason, it looks like the RAD_REQUEST hash is becoming empty.

Here's a snippet of the module (the important part for this particular issue).

    our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

    sub post_auth {
        my $mac = clean_mac($RAD_REQUEST{'Calling-Station-Id'});
        if (length($mac) != 17) {
            radiusd::radlog(L_INFO, "MAC address is empty or invalid in this request. "
                                  . "It could be normal on certain radius calls");
            radiusd::radlog(L_INFO, "Our values. RAD_REQUEST->CallingStationId: "
                                  . $RAD_REQUEST{'Calling-Station-Id'}
                                  . " | MAC after clean_mac: " . $mac);
            return RLM_MODULE_OK;
        }
        ...
    }

Here's the output when the issue occurs.

    Info: rlm_perl: MAC address is empty or invalid in this request. It could be normal on certain radius calls
    Info: rlm_perl: Our values. RAD_REQUEST->CallingStationId: | MAC after clean_mac:0

(The clean_mac thing is a method in our libraries that sanitizes the MAC address itself... shouldn't have any incidence here)

Any insight? Somewhere to look?

Thanks!
Derek

--
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Need to change response type to Access-Challenge from rlm_perl
Hi,

Looking through archives for this exact question, I see a post from 2008 (http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47423.html) where this exact question was previously asked.

Here is my server version info:

    radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Feb 17 2013 at 03:34:41

Here's my code:

    # Construct HTTP request
    my $authresult = authamis($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'});
    radiusd::radlog(L_DBG, "Result after authamis call - $authresult");
    if ($authresult eq "true") {
        $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
        $RAD_REPLY{'Reply-Message'} = "authentication successful";
        for (keys %RAD_REPLY) {
            radiusd::radlog(L_DBG, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
        }
        for (keys %RAD_CHECK) {
            radiusd::radlog(L_DBG, "RAD_CHECK: $_ = $RAD_CHECK{$_}");
        }
        for (keys %RAD_CONFIG) {
            radiusd::radlog(L_DBG, "RAD_CONFIG: $_ = $RAD_CONFIG{$_}");
        }
        return RLM_MODULE_OK;
    } else {
        $RAD_REPLY{'Reply-Message'} = "authentication failure";
        return RLM_MODULE_REJECT;
    }

Here is the relevant debug output:

    Found Auth-Type = perl
    # Executing group from file /opt/app/freeradius/etc/raddb/sites-enabled/default
    +- entering group perl {...}
    rlm_perl: RAD_REQUEST: User-Name = test
    rlm_perl: RAD_REQUEST: User-Password = 42594190
    rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.65.1
    rlm_perl: AMIS request: http://amis.jdt.com:8080/auth/authenticate/test/42594190
    rlm_perl: Result after authamis call - true
    rlm_perl: RAD_REPLY: Reply-Message = authentication successful
    rlm_perl: RAD_CHECK: Response-Packet-Type = Access-Challenge
    rlm_perl: RAD_CHECK: Auth-Type = perl
    rlm_perl: RAD_CONFIG: Auth-Type = perl
    rlm_perl: Added pair User-Name = test
    rlm_perl: Added pair User-Password = 42594190
    rlm_perl: Added pair NAS-IP-Address = 192.168.65.1
    rlm_perl: Added pair Reply-Message = authentication successful
    rlm_perl: Added pair Response-Packet-Type = Access-Challenge
    rlm_perl: Added pair Auth-Type = perl
    ++[perl] returns ok
    # Executing section post-auth from file /opt/app/freeradius/etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 81 to 192.168.65.1 port 53504
            Reply-Message = authentication successful
    Finished request 0.
    Going to the next request

Clearly the Access-Challenge setting is not being honored by the server. Is there another attribute that must be set to configure the response type?

Thanks,
Walter
Re: Need to change response type to Access-Challenge from rlm_perl
To answer my own question, I found that using the return code RLM_MODULE_OK triggers the server to respond back with Access-Accept. If I used RLM_MODULE_HANDLED instead, the response packet type was set to what I expected it to be. This makes sense since I expect the client to exchange several messages with me before I finally trigger the Access-Accept message.

On Mon, Feb 18, 2013 at 9:00 AM, Walter Goulet wgou...@gmail.com wrote:
> Hi,
>
> Looking through the archives for this exact question, I see a post from 2008 (http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47423.html) where this exact question was previously asked.
>
> Here is my server version info:
>
>     radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Feb 17 2013 at 03:34:41
>
> Here's my code:
>
>     # Construct HTTP request
>     my $authresult = authamis($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'});
>     radiusd::radlog(L_DBG, "Result after authamis call - $authresult");
>     if ($authresult eq "true") {
>         $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
>         $RAD_REPLY{'Reply-Message'} = "authentication successful";
>         for (keys %RAD_REPLY) {
>             radiusd::radlog(L_DBG, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
>         }
>         for (keys %RAD_CHECK) {
>             radiusd::radlog(L_DBG, "RAD_CHECK: $_ = $RAD_CHECK{$_}");
>         }
>         for (keys %RAD_CONFIG) {
>             radiusd::radlog(L_DBG, "RAD_CONFIG: $_ = $RAD_CONFIG{$_}");
>         }
>         return RLM_MODULE_OK;
>     } else {
>         $RAD_REPLY{'Reply-Message'} = "authentication failure";
>         return RLM_MODULE_REJECT;
>     }
>
> Here is the relevant debug output:
>
>     Found Auth-Type = perl
>     # Executing group from file /opt/app/freeradius/etc/raddb/sites-enabled/default
>     +- entering group perl {...}
>     rlm_perl: RAD_REQUEST: User-Name = test
>     rlm_perl: RAD_REQUEST: User-Password = 42594190
>     rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.65.1
>     rlm_perl: AMIS request: http://amis.jdt.com:8080/auth/authenticate/test/42594190
>     rlm_perl: Result after authamis call - true
>     rlm_perl: RAD_REPLY: Reply-Message = authentication successful
>     rlm_perl: RAD_CHECK: Response-Packet-Type = Access-Challenge
>     rlm_perl: RAD_CHECK: Auth-Type = perl
>     rlm_perl: RAD_CONFIG: Auth-Type = perl
>     rlm_perl: Added pair User-Name = test
>     rlm_perl: Added pair User-Password = 42594190
>     rlm_perl: Added pair NAS-IP-Address = 192.168.65.1
>     rlm_perl: Added pair Reply-Message = authentication successful
>     rlm_perl: Added pair Response-Packet-Type = Access-Challenge
>     rlm_perl: Added pair Auth-Type = perl
>     ++[perl] returns ok
>     # Executing section post-auth from file /opt/app/freeradius/etc/raddb/sites-enabled/default
>     +- entering group post-auth {...}
>     ++[exec] returns noop
>     Sending Access-Accept of id 81 to 192.168.65.1 port 53504
>         Reply-Message = authentication successful
>     Finished request 0.
>     Going to the next request
>
> Clearly the Access-Challenge setting is not being honored by the server. Is there another attribute that must be set to configure the response type?
>
> Thanks,
> Walter
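The complete two-round exchange the answer above describes, as an added example that is not Walter's module and not part of the original thread: the first round sets Response-Packet-Type and returns RLM_MODULE_HANDLED so the server sends the Access-Challenge as built, and only the second round (the NAS echoing State) returns RLM_MODULE_OK. The RLM_MODULE_* and L_DBG values are those of rlm_perl's example.pl; check_otp(), the user table and the "0x"-prefixed State encoding are assumptions made for the example.

```perl
# Added example (not the poster's code): an rlm_perl authenticate() that
# issues an Access-Challenge on round 1 and an Access-Accept on round 2.
# Assumptions: RLM_MODULE_*/L_DBG values as in rlm_perl's example.pl;
# check_otp() and %OTP_FOR_USER are a constructed stand-in for a real
# one-time-password backend.
use strict;
use warnings;

use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_OK      => 2,
    RLM_MODULE_HANDLED => 3,
};
use constant L_DBG => 1;

our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Fallback logger so the file also runs outside radiusd (perl this_file.pl).
*radiusd::radlog = sub { print STDERR "radlog($_[0]): $_[1]\n" }
    unless defined &radiusd::radlog;

# Constructed OTP backend.
my %OTP_FOR_USER = ( test => '123456' );
sub check_otp {
    my ($user, $code) = @_;
    return defined $OTP_FOR_USER{$user} && $OTP_FOR_USER{$user} eq $code;
}

# Outstanding challenges: State token => user it was issued to. Each
# worker thread has its own interpreter and so its own copy of this hash;
# a production module keeps this table in shared storage instead.
my %PENDING;

# Unpredictable State: the NAS must echo it unchanged, so it is what ties
# round 2 to round 1. Sent as 0x-prefixed hex (assumption: that is how an
# octets attribute round-trips through the server's value formatting).
sub new_state {
    open my $fh, '<', '/dev/urandom' or die "urandom: $!";
    read $fh, my $raw, 16;
    close $fh;
    return '0x' . unpack('H*', $raw);
}

sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'} // '';

    if (!defined $RAD_REQUEST{'State'}) {
        # Round 1. RLM_MODULE_HANDLED means "the reply is already built",
        # so Response-Packet-Type is honoured; RLM_MODULE_OK would make
        # the server send an Access-Accept regardless.
        my $state = new_state();
        $PENDING{$state} = $user;
        $RAD_CHECK{'Response-Packet-Type'} = 'Access-Challenge';
        $RAD_REPLY{'State'}         = $state;
        $RAD_REPLY{'Reply-Message'} = 'Enter your one-time code';
        radiusd::radlog(L_DBG, "challenge issued to $user");
        return RLM_MODULE_HANDLED;
    }

    # Round 2: the echoed State must be one we issued, to this user, and
    # is consumed whether or not the code is right (single use).
    my $owner = delete $PENDING{ $RAD_REQUEST{'State'} };
    if (defined $owner && $owner eq $user
        && check_otp($user, $RAD_REQUEST{'User-Password'} // '')) {
        $RAD_REPLY{'Reply-Message'} = 'authentication successful';
        return RLM_MODULE_OK;
    }
    $RAD_REPLY{'Reply-Message'} = 'authentication failure';
    return RLM_MODULE_REJECT;
}

# Drive both rounds when run directly.
unless (caller) {
    %RAD_REQUEST = ('User-Name' => 'test', 'User-Password' => 'pw');
    my $rc = authenticate();
    print "round 1: rc=$rc type=$RAD_CHECK{'Response-Packet-Type'}\n";
    %RAD_REQUEST = ('User-Name' => 'test', 'User-Password' => '123456',
                    'State' => $RAD_REPLY{'State'});
    %RAD_REPLY = (); %RAD_CHECK = ();
    $rc = authenticate();
    print "round 2: rc=$rc ($RAD_REPLY{'Reply-Message'})\n";
}
1;
```

Run directly, round 1 reports rc=3 with type Access-Challenge and round 2 reports rc=2. The State check is what makes the second round mean something: without it any client could skip straight to round 2 with a guessed code and a made-up State.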
rlm_perl changing User-Name and proxy requests
I have an issue with rlm_perl changing the request User-Name attribute but the proxy request not honoring it. First I'll describe what I'm trying to accomplish and why, and then what I'm doing.

I'm running a branch of 2.2.1 that has some krb5 realm fixes in it. I have multiple realms that users can authenticate against: our division has replayable passwords (handled by Kerberos) and one-time passwords (handled by both YubiKeys and Crypto Card); our lab has replayable passwords (handled by AD) and a separate one-time password system (handled by Crypto Card). For services where we want to allow replayable passwords (like IMAP access, for instance), we want to allow the user to choose which service to use (division or lab). For services requiring OTP we want the user to choose which OTP token they want to use (some people have multiple because of external requirements). We want users to be able to change these auth preferences on their own and not have this require changing the RADIUS configuration (a.k.a. the users file). Our account information is kept in LDAP.

This is all well and good except that usernames between the division and the lab aren't guaranteed to match: User A might have "lastname" as their division name, but "lastnamefirst" as their lab username. For the Kerberos and AD requests the RADIUS server can handle the request directly using rlm_krb5, but for all the OTP requests the server must proxy to the correct OTP server to handle the request.

Here's my plan for accomplishing this. During authorization, rlm_ldap is used to make sure the user is in LDAP. If not, the request is rejected outright (this should help with brute force attempts bogging down all the servers for bogus attempts). Next an rlm_perl module is called to get the user's preferred realm and what username to use in that realm from LDAP. An example would be leggett@yubi.division.example.com (signifying that I want to use YubiKey from my division). The rlm_perl module updates the request User-Name to be this preference and Auth-Type to be System (see http://pastie.org/5670077). Lastly rlm_realm checks the request to determine if it should be proxied or not.

The problem is this: everything works if the username doesn't change. For instance, if I'm legg...@yubi.division.example.com and legg...@crypto.example.com, things work. The User-Name change being done by rlm_perl is being recognized by rlm_realm and rlm_realm is routing to the proper realm; however, rlm_realm seems to want to clobber User-Name in its own way, so that by the time proxying happens User-Name is set to whatever the initial username was. If I started the process as leggett and wanted my username to eventually be ti.legg...@crypto.example.com, by the time it reaches the proxy phase my User-Name attribute has been reset back to leggett, even if I rerun the rlm_perl module after rlm_realm (see http://pastie.org/5670076).

I notice that rlm_suffix doesn't overwrite the Stripped-User-Name rlm_perl adds, but appends another entry. This is fine for my purposes since the rlm_perl one is added first and subsequent calls use that value. I'm afraid the same is happening with User-Name, in that rlm_perl is appending another entry instead of overwriting the ones there.

So is there any way around this, or am I completely insane with this approach?
Re: rlm_perl changing User-Name and proxy requests
hi,

don't play with User-Name, update/modify Stripped-User-Name instead and use that in the authn/authz stages

alan
Re: rlm_perl changing User-Name and proxy requests
On Jan 11, 2013, at 2:32 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

[snip]

> Yeah it'll just bog down your LDAP server instead. You should use rlm_cache to cache the result of the LDAP lookup (once you have all this working)*.
>
> Have you added nostrip for all the realms? The only way I can see it clobbering username is if stripping is enabled.

So that was my first thought too. However, I have limited visibility into the remote lab crypto server, and when I sent a request to it with a realm included, it flat out dropped the request. Didn't reply at all. So I need the realm so the proxy portion can hit the right destination, but I need the User-Name stripped so the remote server can understand it.

> -Arran
>
> PS: You know you want to test the threaded version of the updated rlm_krb5 module :)

I do! Once I get this configuration working I'll be happy to try it. One of my todos for this whole config revamp is to stress test the environment against a brute force attack (we get them frequently). Then I'll have some "before" numbers to compare with the "after".

> * Only use the rlm_cache module from 2.2.1
Re: rlm_perl changing User-Name and proxy requests
On 11 Jan 2013, at 19:58, Ti Leggett legg...@mcs.anl.gov wrote:
> I have an issue with rlm_perl changing the request User-Name attribute but the proxy request not honoring it. First I'll describe what I'm trying to accomplish and why, and then what I'm doing.
>
> I'm running a branch of 2.2.1 that has some krb5 realm fixes in it. I have multiple realms that users can authenticate against: our division has replayable passwords (handled by Kerberos) and one-time passwords (handled by both YubiKeys and Crypto Card); our lab has replayable passwords (handled by AD) and a separate one-time password system (handled by Crypto Card). For services where we want to allow replayable passwords (like IMAP access, for instance), we want to allow the user to choose which service to use (division or lab). For services requiring OTP we want the user to choose which OTP token they want to use (some people have multiple because of external requirements). We want users to be able to change these auth preferences on their own and not have this require changing the RADIUS configuration (a.k.a. the users file). Our account information is kept in LDAP.
>
> This is all well and good except that usernames between the division and the lab aren't guaranteed to match: User A might have "lastname" as their division name, but "lastnamefirst" as their lab username. For the Kerberos and AD requests the RADIUS server can handle the request directly using rlm_krb5, but for all the OTP requests the server must proxy to the correct OTP server to handle the request.
>
> Here's my plan for accomplishing this. During authorization, rlm_ldap is used to make sure the user is in LDAP. If not, the request is rejected outright (this should help with brute force attempts bogging down all the servers for bogus attempts).

Yeah it'll just bog down your LDAP server instead. You should use rlm_cache to cache the result of the LDAP lookup (once you have all this working)*.

Have you added nostrip for all the realms? The only way I can see it clobbering username is if stripping is enabled.

-Arran

PS: You know you want to test the threaded version of the updated rlm_krb5 module :)

* Only use the rlm_cache module from 2.2.1
Re: rlm_perl changing User-Name and proxy requests
On 01/11/2013 08:32 PM, Arran Cudbard-Bell wrote:
> Have you added nostrip for all the realms? The only way I can see it clobbering username is if stripping is enabled.

Isn't the problem the special request->username attribute? AFAICT the pairmove code handles this specially (fixup) but I'm not sure rlm_perl does the same?

If that is the case, OP may find that putting the new username in an interim / temp variable then forcing update via unlang works:

    authorize {
        ...
        myperl
        update request {
            User-Name := "%{The-Var}"
        }
        ...
    }

This is a WAG though...
Re: rlm_perl changing User-Name and proxy requests
On Jan 11, 2013, at 2:35 PM, a.l.m.bu...@lboro.ac.uk wrote:
> hi,
>
> don't play with User-Name, update/modify Stripped-User-Name instead and use that in the authn/authz stages

How do I get the remote servers I'm proxying for to understand Stripped-User-Name? As far as I can tell Stripped-User-Name isn't even in the Access-Request to the proxied server.

> alan
Re: rlm_perl changing User-Name and proxy requests
On 11 Jan 2013, at 20:49, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 01/11/2013 08:32 PM, Arran Cudbard-Bell wrote:
>> Have you added nostrip for all the realms? The only way I can see it clobbering username is if stripping is enabled.
>
> Isn't the problem the special request->username attribute?

It is, request->username appears to be pointing to the original User-Name pair instead of the new perl one.

> AFAICT the pairmove code handles this specially (fixup) but I'm not sure rlm_perl does the same?

Yes, unfortunately. That would have been a nice simple fix.

https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_perl/rlm_perl.c

@leggett If you don't mind rebuilding the server, could you change:

https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/main/modcall.c#L686

And add:

    RDEBUG("Cached username is \"%s\", list username is \"%s\"",
           request->username->vp_strvalue,
           pairfind(request->packet->vps, PW_USER_NAME)->vp_strvalue);

Just after modcall_single()

Run it in debug mode and you'll see exactly where the username isn't being updated. List username and cached username should always be in sync up until the call to suffix, at which point the cached username should be stripped of the realm.

> If that is the case, OP may find that putting the new username in an interim / temp variable then forcing update via unlang works:
>
>     authorize {
>         ...
>         myperl
>         update request {
>             User-Name := "%{The-Var}"
>         }
>         ...
>     }

Yeah it should do. That calls radius_pairmove which has the magic update cache logic in it too.

-Arran
Re: rlm_perl changing User-Name and proxy requests
Hi,

> How do I get the remote servers I'm proxying for to understand Stripped-User-Name? As far as I can tell Stripped-User-Name isn't even in the Access-Request to the proxied server.

ah, missed the proxy bit. as Phil says, use a temp value and then set User-Name to that just before the proxying occurs (using unlang) - but beware that particular authentication methods don't like User-Name to have changed (thinking some EAP clients) - so this may cause issues in the future or be the cause of issues you are facing.

alan
Re: rlm_perl changing User-Name and proxy requests
On Jan 11, 2013, at 3:21 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> @leggett If you don't mind rebuilding the server, could you change:
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/main/modcall.c#L686
>
> And add:
>
>     RDEBUG("Cached username is \"%s\", list username is \"%s\"",
>            request->username->vp_strvalue,
>            pairfind(request->packet->vps, PW_USER_NAME)->vp_strvalue);
>
> Just after modcall_single()
>
> Run it in debug mode and you'll see exactly where the username isn't being updated. List username and cached username should always be in sync up until the call to suffix, at which point the cached username should be stripped of the realm.

Ok. I'm flummoxed:

    +- entering group pre-proxy {...}
    [pre_proxy_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.1/pre-proxy-detail-20130111
    [pre_proxy_log] /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.1/pre-proxy-detail-20130111
    [pre_proxy_log] expand: %t -> Fri Jan 11 15:38:05 2013
    Cached username is "ti.leggett", list username is "ti.legg...@crypto.example.com"
    ++[pre_proxy_log] returns ok
    Sending Access-Request of id 217 to 192.168.1.2 port 1812
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = host.division.example.com
        User-Name = leggett
        User-Password = password
        NAS-Identifier = sshd
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 9975
        Proxy-State = 0x3831
Re: rlm_perl changing User-Name and proxy requests
> Just after modcall_single()

Or call_modsingle even...

-Arran
Re: rlm_perl changing User-Name and proxy requests
On 11 Jan 2013, at 20:51, Ti Leggett legg...@mcs.anl.gov wrote:
> On Jan 11, 2013, at 2:35 PM, a.l.m.bu...@lboro.ac.uk wrote:
>> hi,
>>
>> don't play with User-Name, update/modify Stripped-User-Name instead and use that in the authn/authz stages
>
> How do I get the remote servers I'm proxying for to understand Stripped-User-Name? As far as I can tell Stripped-User-Name isn't even in the Access-Request to the proxied server.

It's not, it's an internal attribute which doesn't get copied into the proxy request.

In pre-proxy you can add

    update proxy-request {
        User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"
    }

Which will fix the issue.

Where is that User-Name value in the proxy request coming from, is it the one from the original request? Could you include more debug output?

-Arran
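The Perl half of the workaround this thread converges on, as an added example (not Ti's module from the pastie, and not part of the original thread): authorize() resolves the user's preferred realm and remote username but never assigns to $RAD_REQUEST{'User-Name'}, because the server's cached request->username pointer is not refreshed by rlm_perl; it publishes the result in Tmp-String-0 and leaves the User-Name write to unlang. The %PREF table stands in for the LDAP lookup and is constructed for the example; the RLM_MODULE_* values are those of rlm_perl's example.pl.

```perl
# Added example (not the poster's code): rlm_perl authorize() that resolves
# the preferred realm/username without touching User-Name itself.
# Assumptions: %PREF and %KNOWN_REALM are constructed stand-ins for the
# LDAP data; RLM_MODULE_* values as in rlm_perl's example.pl.
use strict;
use warnings;

use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};

our (%RAD_REQUEST, %RAD_REPLY);

# Constructed directory: local login => [ preferred realm, username there ].
my %PREF = (
    leggett  => [ 'yubi.division.example.com', 'leggett' ],
    lastname => [ 'crypto.example.com',        'lastnamefirst' ],
);

# Realms this server is prepared to route to; a preference pointing
# anywhere else is refused rather than proxied on trust.
my %KNOWN_REALM = map { $_ => 1 }
    qw(yubi.division.example.com crypto.example.com);

sub authorize {
    my $login = $RAD_REQUEST{'User-Name'} // '';

    # Only plain local logins are rewritten; a name that already carries a
    # realm, or anything outside the local charset, is left for rlm_realm.
    return RLM_MODULE_NOOP unless $login =~ /^[a-z0-9._-]{1,64}\z/i;

    my $pref = $PREF{ lc $login };
    if (!$pref) {
        $RAD_REPLY{'Reply-Message'} = 'unknown user';
        return RLM_MODULE_REJECT;
    }
    my ($realm, $remote_user) = @$pref;
    return RLM_MODULE_REJECT unless $KNOWN_REALM{$realm};

    # Deliberately NOT $RAD_REQUEST{'User-Name'}: the server keeps its own
    # pointer to that pair (request->username) and rlm_perl does not update
    # it. Publish the routed name and let an unlang update do the write.
    $RAD_REQUEST{'Tmp-String-0'} = "$remote_user\@$realm";
    return RLM_MODULE_UPDATED;
}

# Exercise the branches when run directly (perl this_file.pl).
unless (caller) {
    for my $name (qw(leggett lastname nobody bad$name)) {
        %RAD_REQUEST = ('User-Name' => $name);
        %RAD_REPLY   = ();
        my $rc = authorize();
        printf "%-10s rc=%d routed=%s\n", $name, $rc,
            $RAD_REQUEST{'Tmp-String-0'} // '-';
    }
}
1;
```

On the unlang side this module is followed, in authorize, by the update Phil gives above (User-Name := "%{Tmp-String-0}", which goes through radius_pairmove and so refreshes the cached pointer), and in pre-proxy by Arran's proxy-request update that copies Stripped-User-Name back into User-Name so the remote OTP server receives the bare username it expects.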
Re: share information between authorize and authenticate sections (rlm_perl rlm_python)
Hi,

> in perl, I could write some new attributes in RAD_CHECK??, then authenticate() will access them. in python, attributes are read only, so I cannot use them to pass information to authenticate(). A simple database, like redis, could be a solution by adding info with the id of the request (with Message-Authenticator as key)?

we use and update private internal FreeRADIUS attributes

alan
Re: share information between authorize and authenticate sections (rlm_perl rlm_python)
On 12/12/12 22:04, laurent.fe...@free.fr wrote:
> Hello,
>
> If someone can advise me... How to share information between the authorize() function and the authenticate() function within a perl or python script?

Just set an attribute:

    authorize {
        update request {
            Tmp-String-0 := "%{some:expansion}"
        }
        ...
    }

    authenticate {
        Auth-Type XXX {
            if (Tmp-String-0 == "a") {
                module_a
            }
            else {
                module_b
            }
        }
    }

...re-work as appropriate for your use-case.
Re: share information between authorize and authenticate sections (rlm_perl rlm_python)
Yes, just found this attribute. Thanks. Works well with Perl :), but not with Python :(

----- Original Message -----
From: Phil Mayers p.may...@imperial.ac.uk
To: freeradius-users@lists.freeradius.org
Sent: Thursday 13 December 2012 13:05:23
Subject: Re: share information between authorize and authenticate sections (rlm_perl rlm_python)

On 12/12/12 22:04, laurent.fe...@free.fr wrote:
> Hello,
>
> If someone can advise me... How to share information between the authorize() function and the authenticate() function within a perl or python script?

Just set an attribute:

    authorize {
        update request {
            Tmp-String-0 := "%{some:expansion}"
        }
        ...
    }

    authenticate {
        Auth-Type XXX {
            if (Tmp-String-0 == "a") {
                module_a
            }
            else {
                module_b
            }
        }
    }

...re-work as appropriate for your use-case.
share information between authorize and authenticate sections (rlm_perl rlm_python)
Hello,

If someone can advise me... How to share information between the authorize() function and the authenticate() function within a perl or python script? For example, I get some information from a database in authorize() that I will reuse in authenticate(). I could resubmit the SQL request again, but it is clearly not efficient.

in perl, I could write some new attributes in RAD_CHECK??, then authenticate() will access them. in python, attributes are read only, so I cannot use them to pass information to authenticate(). A simple database, like redis, could be a solution by adding info with the id of the request (with Message-Authenticator as key)?

If someone has an idea, it is very welcome...

Regards,
Laurent
Re: share variables in perl script (rlm_perl)
Only 1 thread? What about performance?

Yes, many thanks, I will look at your code.

Regards,
Laurent

----- Original Message -----
From: Thomas Glanzmann tho...@glanzmann.de
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday 1 December 2012 16:11:35
Subject: Re: share variables in perl script (rlm_perl)

Hello Laurent,

> Meaning, when I start the first radtest that modifies the global variable, only the sixth request can view the global variable modified by the first request (I guess the sixth one turns into the first thread).

I had the very same problem when I was implementing the smsotp perl module. I only noticed when the system was already in production. As a quick work around I limited the radius threads to '1'. And then I used berkeley db to save the state. Have a look at the smsotp code, it only took 30 minutes to implement. It is very straight forward. You can also use a database like postgresql to obtain the same.

http://thomas.glanzmann.de/smsotpd.2012-10-05.tar.bz2

Cheers,
Thomas
Re: share variables in perl script (rlm_perl)
Hello,

thanks for your response. I tried memcached as suggested by John Dennis. It seems to be working very well. I thought of Redis; if memcached does not satisfy me (I don't see), Redis could be an option. In terms of security, I have to be sure that information in memcached can be secured, and not public.

Regards,
Laurent

----- Original Message -----
From: Iliya Peregoudov iperegu...@cboss.ru
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday 4 December 2012 08:14:13
Subject: Re: share variables in perl script (rlm_perl)

> Arran Cudbard-Bell wrote:
>> On 29 Nov 2012, at 22:14, laurent.fe...@free.fr wrote:
>>> Hello,
>>>
>>> In a perl script (where authorize() and authenticate() are defined), I was able to set a global variable. When a radius request comes, the script may modify the variable, and the next request has the new value. I test with radiusd -X, and everything is fine. When radiusd is started as a daemon, 5 threads (default value) are started. And now, I understood I have 5 different perl environments. Meaning, when I start the first radtest that modifies the global variable, only the sixth request can view the global variable modified by the first request (I guess the sixth one turns into the first thread). I hope my explanation is clear.
>>>
>>> I would like to know if it is possible to have a unique sharing environment (the basic solution is maybe to have only one thread, but it should be good for performance)
>>
>> No, submit patches if you want this functionality.
>
> You can explicitly share data between perl interpreters. However you'll need to explicitly lock shared data. See perldoc threads::shared for details.
>
>     use threads;
>     # this module contains share(), lock() and shared_clone()
>     use threads::shared;
>
>     # hashes get emptied on share
>     my %sharedhash;
>     share(%sharedhash);
>
>     sub put($$) {
>         my ($key, $value) = @_;
>         lock(%sharedhash);
>         # deep-copy the value into shared storage (plain scalars pass through)
>         $sharedhash{$key} = shared_clone($value);
>         return;
>     }
>
>     sub get($) {
>         my ($key) = @_;
>         lock(%sharedhash);
>         my $value = $sharedhash{$key};
>         return $value;
>     }
>
> But I think it's better to store shared data in some sort of storage, for example redis or sql database.
Re: share variables in perl script (rlm_perl)
On 12/04/2012 09:30 AM, laurent.fe...@free.fr wrote:
> Hello,
>
> thanks for your response. I tried memcached as suggested by John Dennis. It seems to be working very well. I thought of Redis; if memcached does not satisfy me (I don't see), Redis could be an option. In terms of security, I have to be sure that information in memcached can be secured, and not public.

The simplest and most secure way to secure memcached is by using unix sockets if your memcached instance is running on the same machine as your memcache clients (e.g. radiusd). The memcache data won't be accessible remotely because memcached is not listening on an inet socket. Use appropriate ownership and permissions on the socket file.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: share variables in perl script (rlm_perl)
Arran Cudbard-Bell wrote:
> On 29 Nov 2012, at 22:14, laurent.fe...@free.fr wrote:
>> Hello,
>>
>> In a perl script (where authorize() and authenticate() are defined), I was able to set a global variable. When a radius request comes, the script may modify the variable, and the next request has the new value. I test with radiusd -X, and everything is fine. When radiusd is started as a daemon, 5 threads (default value) are started. And now, I understood I have 5 different perl environments. Meaning, when I start the first radtest that modifies the global variable, only the sixth request can view the global variable modified by the first request (I guess the sixth one turns into the first thread). I hope my explanation is clear.
>>
>> I would like to know if it is possible to have a unique sharing environment (the basic solution is maybe to have only one thread, but it should be good for performance)
>
> No, submit patches if you want this functionality.

You can explicitly share data between perl interpreters. However you'll need to explicitly lock shared data. See perldoc threads::shared for details.

    use threads;
    # this module contains share(), lock() and shared_clone()
    use threads::shared;

    # hashes get emptied on share
    my %sharedhash;
    share(%sharedhash);

    sub put($$) {
        my ($key, $value) = @_;
        lock(%sharedhash);
        # deep-copy the value into shared storage (plain scalars pass through)
        $sharedhash{$key} = shared_clone($value);
        return;
    }

    sub get($) {
        my ($key) = @_;
        lock(%sharedhash);
        my $value = $sharedhash{$key};
        return $value;
    }

But I think it's better to store shared data in some sort of storage, for example redis or sql database.
share variables in perl script (rlm_perl)
Hello,

In a perl script (where authorize() and authenticate() are defined), I was able to set a global variable. When a radius request comes, the script may modify the variable, and the next request has the new value. I test with radiusd -X, and everything is fine. When radiusd is started as a daemon, 5 threads (default value) are started. And now, I understood I have 5 different perl environments. Meaning, when I start the first radtest that modifies the global variable, only the sixth request can view the global variable modified by the first request (I guess the sixth one turns into the first thread). I hope my explanation is clear.

I would like to know if it is possible to have a unique sharing environment (the basic solution is maybe to have only one thread, but it should be good for performance)

Just for your information, I would like to cache some information... the script has to find which OTP server the user is defined on. The second time the search is not necessary... I use the Tie::Hash::Expire module for caching information.

Regards,
Laurent
Re: share variables in perl script (rlm_perl)
On 29 Nov 2012, at 22:14, laurent.fe...@free.fr wrote:
> Hello,
>
> In a perl script (where authorize() and authenticate() are defined), I was able to set a global variable. When a radius request comes, the script may modify the variable, and the next request has the new value. I test with radiusd -X, and everything is fine. When radiusd is started as a daemon, 5 threads (default value) are started. And now, I understood I have 5 different perl environments. Meaning, when I start the first radtest that modifies the global variable, only the sixth request can view the global variable modified by the first request (I guess the sixth one turns into the first thread). I hope my explanation is clear.
>
> I would like to know if it is possible to have a unique sharing environment (the basic solution is maybe to have only one thread, but it should be good for performance)

No, submit patches if you want this functionality.

-Arran
Re: share variables in perl script (rlm_perl)
On 11/29/2012 05:14 PM, laurent.fe...@free.fr wrote:
> Hello,
>
> In a perl script (where authorize() and authenticate() are defined), I was able to set a global variable. When a radius request comes, the script may modify the variable, and the next request has the new value. I test with radiusd -X, and everything is fine. When radiusd is started as a daemon, 5 threads (default value) are started. And now, I understood I have 5 different perl environments. Meaning, when I start the first radtest that modifies the global variable, only the sixth request can view the global variable modified by the first request (I guess the sixth one turns into the first thread). I hope my explanation is clear.
>
> I would like to know if it is possible to have a unique sharing environment (the basic solution is maybe to have only one thread, but it should be good for performance)
>
> Just for your information, I would like to cache some information... the script has to find which OTP server the user is defined on. The second time the search is not necessary... I use the Tie::Hash::Expire module for caching information.

Is there a problem with having each thread perform its own caching? It will take slightly longer to populate the cache than if it was shared, but is that an issue in practice?

You could borrow a technique from web servers where requests are typically processed in independent processes but shared caching between the processes is desired by utilizing memcache. memcached is a stand alone process (daemon) that holds a hash table in memory and processes connect to it via sockets (either inet or unix). There are several memcache client language bindings, pretty sure there is one for Perl. Google memcache, you'll find a ton of information about it.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
rlm_perl without DynaLoader
Hi,

when using rlm_perl with a very simple Perl script that does *not* use DynaLoader to load some *.so files, upon thread exit, FreeRADIUS (current v2.x.x branch) throws errors:

    Error: Could not get @DynaLoader::dl_librefs for unloading.

The errors originate from rlm_perl_get_handles(), which is invoked via pthread_key_create(key, rlm_destroy_perl):

https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_perl/rlm_perl.c#L154

Adding an (otherwise useless) 'require DynaLoader;' to the Perl script fixes the errors. Why is this an error case, rather than "no libs, no unloading necessary"?

Thanks,
Julius
Re: rlm_perl without DynaLoader
Julius Plenz wrote:
> when using rlm_perl with a very simple Perl script that does *not* use DynaLoader to load some *.so files, upon thread exit, FreeRADIUS (current v2.x.x branch) throws errors:
>
>     Error: Could not get @DynaLoader::dl_librefs for unloading.

That shouldn't be an error. I'll go fix that.

> Why is this an error case, rather than "no libs, no unloading necessary"?

It's a minor bug.

Alan DeKok.
Re: rlm_perl without DynaLoader
Hi, Alan!

* Alan DeKok al...@deployingradius.com [2012-11-22 15:22]:
>> Why is this an error case, rather than "no libs, no unloading necessary"?
>
> It's a minor bug.

Thank you for the bug fix I found at https://github.com/FreeRADIUS/freeradius-server/commit/bfaf23b7d930364d680e76c14c1abedb2a1fb421

However, by fixing the minor bug, you seem to have introduced a major one: FreeRADIUS segfaults on startup. Backtrace:

    #0  0x7fe8bc912ffe in Perl_newXS () from /usr/lib/libperl.so.5.10
    #1  0x7fe8bcc495d4 in perl_instantiate (conf=0x24451a0, instance=0x2589c98) at rlm_perl.c:484
    #2  0x0041a413 in find_module_instance (modules=<value optimized out>, instname=0x2448150 "perl", do_link=<value optimized out>) at modules.c:610
    #3  0x0041c273 in do_compile_modsingle (parent=0x0, component=<value optimized out>, ci=0x2448110, grouptype=<value optimized out>, modname=0x7fffa89e15d0) at modcall.c:1921
    #4  0x0041a8f1 in load_component_section (cs=0x2447c50, components=<value optimized out>, comp=1) at modules.c:898
    #5  0x0041adbc in load_byserver (cs=0x2447ad0) at modules.c:1099
    #6  0x0041b1c8 in virtual_servers_load (config=0x243f100) at modules.c:1230
    #7  0x0041b520 in setup_modules (reload=<value optimized out>, config=0x243f100) at modules.c:1558
    #8  0x004194ea in read_mainconfig (reload=<value optimized out>) at mainconfig.c:967
    #9  0x0041e2fe in main (argc=6, argv=0x7fffa89e1ee8) at radiusd.c:270

Maybe you shouldn't have moved the newXS() call to *before* the perl_parse(inst->perl, xs_init, ...) call? Moving it after that line fixes the segfault.

Julius
Re: rlm_perl without DynaLoader
Julius Plenz wrote: Hi, Alan! * Alan DeKok al...@deployingradius.com [2012-11-22 15:22]: Why is this an error case, rather than no libs, no unloading necessary? It's a minor bug. Thank you for the bug fix I found at https://github.com/FreeRADIUS/freeradius-server/commit/bfaf23b7d930364d680e76c14c1abedb2a1fb421 However, by fixing the minor bug, you seem to have introduced a major one: FreeRADIUS segfaults on startup. Backtrace: ... Maybe you shouldn't have moved the newXS() call to *before* the perl_parse(inst->perl, xs_init, ...) call? Moving it after that line fixes the segfault.

Ok, fixed.

Alan DeKok.
random questions on rlm_perl.c (was: rlm_perl and threads)
Digging through the rlm_perl source, I stumbled over the following:

1. Is it on purpose that it normally checks USE_ITHREADS and only perl_xlat checks WITH_ITHREADS?

2. Is it also on purpose that radiusd::radlog is newXS'd only after perl_parse()? That hit me because as it is, you can't log anything (like a version number) inside the script's body/main program (or call it initialization routine).

3. I also noticed that tests like #if PERL_REVISION = 5 PERL_VERSION 8 would trigger for 6.0 if that is ever going to happen.
Re: rlm_perl and threads
To answer my own question: In the module init code, can I tell whether I'm in the threading case or not? Yes: use Config and check $Config{useithreads}.
Re: rlm_perl and threads
Thanks, this has been very helpful. If I read the source correctly, it works as follows:

-- A global interpreter is created that runs the module initialization code.

-- When a perl function is going to be called, the global interpreter is used in the non-threading case. In the threading case, if necessary, a thread-local interpreter is created by cloning the global one.

So, in the non-threading case, I would have to perform initialization tasks like opening a database connection in the module init code. In the threading case, I have to do that in CLONE(). In the module init code, can I tell whether I'm in the threading case or not? It's probably no harm besides a waste of resources to also do the full init there in the threading case, but I would like to avoid that if easily possible.

Threading is not done in debug mode (-X), start your freeradius in normal mode to test multithreading. I think this should be documented since one is always urged to test in debug mode.
rlm_perl and threads
Sorry if this sounds like a stupid question with an obvious answer, but I could not easily find this documented. If I have an rlm_perl script, is it possible that multiple instances of it are running concurrently due to FreeRADIUS' threading?
Re: rlm_perl and threads
On 05/11/12 12:34, Edgar Fuß wrote: Sorry if this sounds like a stupid question with an obvious answer, but I could not easily find this documented. If I have an rlm_perl script, is it possible that multiple instances of it are running concurrently due to FreeRADIUS' threading?

Yes. Likely, even.
Re: rlm_perl and threads
Yes. Likely, even.

Thanks. So will these then be two distinct Perl interpreters or two instances of the same Perl interpreter? From the Perl script's point of view, what will the two instances share? Can you hint me to any documentation covering this?
Re: rlm_perl and threads
On 05/11/12 13:36, Edgar Fuß wrote: Yes. Likely, even. Thanks. So will these then be two distinct Perl interpreters or two instances of the same Perl interpreter? From the Perl script's point of view, what will the two instances share? Can you hint me to any documentation covering this?

I'm not aware of any docs. You might need to refer to the source. In particular, the USE_ITHREADS #define seems to control how the perl interpreter is created/allocated/used. I'm not familiar enough with perl to understand the code, personally.

See here: https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_perl/rlm_perl.c#L254 ...and the rest of that file.
Re: rlm_perl and threads
The old wiki used to contain more information on this. I'm currently in the process of making our rlm_perl module multithreaded as well. Some pointers:

    perl -V | grep -i multipl
    ...
    useithreads=define, usemultiplicity=define
    Compile-time options: HAS_TIMES MULTIPLICITY PERLIO_LAYERS

Check your multiplicity here. Multiplicity causes one perl process to be started, with multiple perl interpreters inside.

Add a CLONE function to your perl script (yes, all in caps). The CLONE function is run every time a new perl interpreter is started. What happens is all existing variables are copied to the new interpreter when a new thread is started. In this function you can adjust values that should be unique for each thread (like database handlers).

The number of threads is controlled through the max_servers and max/min spare servers in your radiusd.conf.

Threading is not done in debug mode (-X), start your freeradius in normal mode to test multithreading.

AFAIK the above information is correct and recent.

Kind regards
Sander Eerdekens
Information Systems, Systems Administration, Support
san...@uzleuven.be
UZ Leuven | campus Gasthuisberg | Herestraat 49 | B - 3000 Leuven | www.uzleuven.be
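The init/CLONE split discussed in this thread (module-scope code runs once in the global interpreter, CLONE runs in each interpreter radiusd clones for a worker thread, $Config{useithreads} tells the two cases apart), as an added example. This is not code from the thread or from the FreeRADIUS project; the DSN, table and column names are placeholders, and radiusd::radlog() is assumed to be the logging call the page already uses.

```perl
# Added example (not from the list thread or the FreeRADIUS sources).
# Demonstrates per-interpreter initialisation for rlm_perl under both the
# single-interpreter and the ithreads case. Assumptions: placeholder DSN,
# placeholder table "user_policy", and radiusd::radlog() as on the page.
use strict;
use warnings;
use Config;
use DBI;

use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_NOOP     => 7;
use constant RLM_MODULE_UPDATED  => 8;

# Placeholder DSN (assumption): any DBI driver behaves the same way here.
my $DSN = 'dbi:SQLite:dbname=/var/lib/freeradius/policy.db';

# Exactly one handle per interpreter. A DBI handle must never be shared
# between interpreters, and the copy a clone inherits is unusable.
my $dbh;

sub connect_db {
    return DBI->connect($DSN, '', '',
        { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
}

# Module scope: runs once, in the global interpreter, when rlm_perl loads
# the script. Without ithreads that interpreter serves every request, so
# connect now. With ithreads the workers are clones, so defer to CLONE and
# do not waste a connection the global interpreter will never use.
if ($Config{useithreads}) {
    radiusd::radlog(1, "rlm_perl: ithreads build, DB connect deferred to CLONE");
} else {
    $dbh = connect_db();
}

# Perl calls CLONE (all caps) inside the *new* interpreter right after the
# clone. Replace every copied, non-shareable resource here. Never die in
# CLONE: log and let authorize() retry instead.
sub CLONE {
    $dbh = undef;                 # drop the inherited copy; DBI will not
                                  # disconnect the parent's connection for it
    $dbh = eval { connect_db() };
    radiusd::radlog(1, "rlm_perl: CLONE connect failed: $@") unless $dbh;
}

# Per-request work. Reconnect lazily so one dropped server-side connection
# does not take the whole worker thread down.
sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $user;

    unless ($dbh && $dbh->ping) {
        $dbh = eval { connect_db() };
        unless ($dbh) {
            radiusd::radlog(1, "rlm_perl: reconnect failed: $@");
            return RLM_MODULE_FAIL;
        }
    }

    # Bind parameters; never interpolate User-Name into SQL.
    my ($timeout) = $dbh->selectrow_array(
        'SELECT session_timeout FROM user_policy WHERE username = ?',
        undef, $user);
    return RLM_MODULE_NOTFOUND unless defined $timeout;

    $RAD_REPLY{'Session-Timeout'} = $timeout;
    return RLM_MODULE_UPDATED;
}
```

Test it as Sander says: radiusd -X never clones an interpreter, so CLONE is only exercised when the server runs in normal (threaded) mode with more than one worker.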
Re: rlm_perl and dynamic_clients
Sorry. I wasn't paying attention and resent the initial question mail by accident instead of the following:

I followed your instructions and the Packet-Src-IP-Address came through into the Perl script, thank you. I did however use Packet-Src-IP-Address-0 instead of Tmp-IP-Address-0 for ease of understanding, for anyone else looking at the script. I hope this is not what's affecting the operation. I hope the output below is enough information for you to see how I am adding to RAD_REPLY. I am returning RLM_MODULE_OK at the end of the script. I did try to use RLM_MODULE_UPDATED but that returned a result as if I was returning RLM_MODULE_FAIL, module failure. I also did try to use directory = ${confdir}/dynamic-clients/ in the virtual server in case the failure might have been coming from somewhere not shown in the output, like the SQL module maybe.

---
    client dynamic {
        ipaddr = 0.0.0.0
        netmask = 0
        dynamic_clients = dynamic_client_server
        lifetime = 3600
    }

    server dynamic_client_server {
        authorize {
            update request {
                Packet-Src-IP-Address-0 := "%{Packet-Src-IP-Address}"
            }
            dynamic-clients-pl
        }
    }
---
    rad_recv: Access-Request packet from host 192.168.0.200 port 58738, id=36, length=212
    server dynamic_client_server {
    rlm_perl: RAD_REQUEST: Packet-Src-IP-Address-0 = 192.168.0.200
    rlm_perl: RAD_REPLY: FreeRADIUS-Client-Shortname = Internal
    rlm_perl: RAD_REPLY: FreeRADIUS-Client-Secret = 123456
    rlm_perl: RAD_REPLY: FreeRADIUS-Client-NAS-Type = other
    rlm_perl: RAD_REPLY: FreeRADIUS-Client-IP-Address = 192.168.0.200
    rlm_perl: Added pair Packet-Src-IP-Address-0 = 192.168.0.200
    rlm_perl: Added pair FreeRADIUS-Client-Shortname = Internal
    rlm_perl: Added pair FreeRADIUS-Client-Secret = 123456
    rlm_perl: Added pair FreeRADIUS-Client-NAS-Type = other
    rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.0.200
    } # server dynamic_client_server
    - Cannot add client 192.168.0.200: Required attribute FreeRADIUS-Client-Secret is missing.
    Ignoring request to authentication address * port 1812 as server r9 from unknown client 192.168.0.200 port 58738
Re: rlm_perl and dynamic_clients
Steven Eksteen wrote: Sorry. I wasn't paying attention and resent the initial question mail by accident instead of the following: I followed your instructions and the Packet-Src-IP-Address came through into the Perl script, thank you. I did however use Packet-Src-IP-Address-0 instead of Tmp-IP-Address-0 for ease of understanding, for anyone else looking at the script. I hope this is not what's affecting the operation.

If you've added it as an attribute, as documented in the raddb/dictionary.

I also did try to use directory = ${confdir}/dynamic-clients/ in the virtual server in case the failure might have been coming from somewhere not shown in the output, like the SQL module maybe

That doesn't work. You can't just add random things in random places and expect them to do something.

server dynamic_client_server {

Did you look at the example file in raddb/sites-available? It contains *extensive* documentation and examples.

rlm_perl: RAD_REPLY: FreeRADIUS-Client-Shortname = Internal

You didn't read the documentation. Go do that. This is WELL DOCUMENTED.

Alan DeKok.
Re: rlm_perl and dynamic_clients
Hi, I was wondering how would I use Packet-Src-IP-Address using Perl for Dynamic Clients. I thought it might be part of the RAD_REQUEST hash. If some direction could be made as to setting FreeRADIUS-Client-Shortname, FreeRADIUS-Client-Secret, etc. too I would be very grateful. I already have Perl working for the normal AAA functions. This just doesn't appear to work the same way. I am not a Perl developer in the slightest so apologies in advance if this is a monumentally stupid question. Thank you

---
    FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu
---
    client dynamic {
        ipaddr = 0.0.0.0
        netmask = 0
        dynamic_clients = dynamic_client_server
        lifetime = 3600
    }

    server dynamic_client_server {
        authorize {
            dynamic-clients-pl
        }
    }
---
    use strict;
    use Data::Dumper;
    use vars qw(%RAD_REQUEST);

    # Return codes, as in the stock example.pl
    use constant RLM_MODULE_REJECT   => 0;
    use constant RLM_MODULE_FAIL     => 1;
    use constant RLM_MODULE_OK       => 2;
    use constant RLM_MODULE_HANDLED  => 3;
    use constant RLM_MODULE_INVALID  => 4;
    use constant RLM_MODULE_USERLOCK => 5;
    use constant RLM_MODULE_NOTFOUND => 6;
    use constant RLM_MODULE_NOOP     => 7;
    use constant RLM_MODULE_UPDATED  => 8;
    use constant RLM_MODULE_NUMCODES => 9;

    sub authorize {
        &log_request_attributes;
        return RLM_MODULE_FAIL;
    }

    # Dump every request attribute to the radiusd log
    sub log_request_attributes {
        for (keys %RAD_REQUEST) {
            radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
        }
    }
---
    rad_recv: Access-Request packet from host 41.132.69.140 port 51951, id=31, length=212
    server dynamic_client_server {
    } # server dynamic_client_server
    Ignoring request to authentication address * port 1812 as server r9 from unknown client 41.132.69.140 port 51951
    Ready to process requests.
---
Re: rlm_perl and dynamic_clients
Steven Eksteen wrote: I was wondering how would I use Packet-Src-IP-Address using Perl for Dynamic Clients.

I'm wondering why you didn't read my previous message. You know, the one you replied to, and quoted verbatim? The one that had the answer to your questions?

I thought it might be part of the RAD_REQUEST hash.

I have no idea why. You were told it wasn't. What part of my message didn't you understand? Or did you simply not read it?

If some direction could be made as to setting FreeRADIUS-Client-Shortname, FreeRADIUS-Client-Secret, etc. too I would be very grateful.

Do you understand what a RADIUS secret is?

I already have Perl working for the normal AAA functions. This just doesn't appear to work the same way. I am not a Perl developer in the slightest so apologies in advance if this is a monumentally stupid question.

If you're going to ask questions on this list, it helps to read the answers.

Alan DeKok.
rlm_perl and dynamic_clients
Hi, I was wondering how would I use Packet-Src-IP-Address using Perl for Dynamic Clients. I thought it might be part of the RAD_REQUEST hash. If some direction could be made as to setting FreeRADIUS-Client-Shortname, FreeRADIUS-Client-Secret, etc. too I would be very grateful. I already have Perl working for the normal AAA functions. This just doesn't appear to work the same way. I am not a Perl developer in the slightest so apologies in advance if this is a monumentally stupid question. Thank you

---
    FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu
---
    client dynamic {
        ipaddr = 0.0.0.0
        netmask = 0
        dynamic_clients = dynamic_client_server
        lifetime = 3600
    }

    server dynamic_client_server {
        authorize {
            dynamic-clients-pl
        }
    }
---
    use strict;
    use Data::Dumper;
    use vars qw(%RAD_REQUEST);

    # Return codes, as in the stock example.pl
    use constant RLM_MODULE_REJECT   => 0;
    use constant RLM_MODULE_FAIL     => 1;
    use constant RLM_MODULE_OK       => 2;
    use constant RLM_MODULE_HANDLED  => 3;
    use constant RLM_MODULE_INVALID  => 4;
    use constant RLM_MODULE_USERLOCK => 5;
    use constant RLM_MODULE_NOTFOUND => 6;
    use constant RLM_MODULE_NOOP     => 7;
    use constant RLM_MODULE_UPDATED  => 8;
    use constant RLM_MODULE_NUMCODES => 9;

    sub authorize {
        &log_request_attributes;
        return RLM_MODULE_FAIL;
    }

    # Dump every request attribute to the radiusd log
    sub log_request_attributes {
        for (keys %RAD_REQUEST) {
            radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
        }
    }
---
    rad_recv: Access-Request packet from host 41.132.69.140 port 51951, id=31, length=212
    server dynamic_client_server {
    } # server dynamic_client_server
    Ignoring request to authentication address * port 1812 as server r9 from unknown client 41.132.69.140 port 51951
    Ready to process requests.
---
Re: rlm_perl and dynamic_clients
Steven Eksteen wrote: I was wondering how would I use Packet-Src-IP-Address using Perl for Dynamic Clients. I thought it might be part of the RAD_REQUEST hash.

It's not, but you can do:

    server dynamic_client_server {
        authorize {
            update request {
                Tmp-IP-Address-0 := "%{Packet-Src-IP-Address}"
            }
            dynamic-clients-pl
        }
    }

And then use the Tmp-IP-Address-0 in the Perl code.

If some direction could be made as to setting FreeRADIUS-Client-Shortname, FreeRADIUS-Client-Secret, etc. too I would be very grateful.

You just set them in the RAD_REPLY hash.

I already have Perl working for the normal AAA functions. This just doesn't appear to work the same way. I am not a Perl developer in the slightest so apologies in advance if this is a monumentally stupid question.

Nope. It's a complicated system.

Alan DeKok.
Re: rlm_perl and dynamic_clients
Thank you. Much appreciated
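A complete dynamic-clients script built on Alan's "update request { Tmp-IP-Address-0 := ... }" pattern above, as an added example; it is not the poster's dynamic-clients-pl and not FreeRADIUS project code. One assumption is mine and is not settled by the thread: the shipped raddb/sites-available/dynamic-clients example defines the new client with "update control { FreeRADIUS-Client-... }", and rlm_perl exposes the control list as %RAD_CHECK, so the script writes the client attributes there rather than into %RAD_REPLY. The allow-list is constructed sample data.

```perl
# Added example, not the poster's script and not project code.
# Defines a RADIUS client on the fly from the source address that the
# virtual server copied into Tmp-IP-Address-0:
#
#     server dynamic_client_server {
#         authorize {
#             update request {
#                 Tmp-IP-Address-0 := "%{Packet-Src-IP-Address}"
#             }
#             dynamic-clients-pl
#         }
#     }
#
# Assumption: client attributes go in the control list (%RAD_CHECK), as the
# shipped sites-available/dynamic-clients example does with "update control".
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_CHECK %RAD_REPLY);

use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_NOOP     => 7;
use constant RLM_MODULE_UPDATED  => 8;

# Constructed sample data. In production load this at module init from a
# file or DB, and give every client its own secret; one shared secret for
# all dynamic clients lets any host that learns it impersonate every NAS.
my %CLIENTS = (
    '192.168.0.200' => { shortname => 'Internal', secret => 'constructed-secret-1', nastype => 'other' },
    '10.20.0.0/16'  => { shortname => 'branch',   secret => 'constructed-secret-2', nastype => 'cisco' },
);

sub ip_to_int {
    my @o = split /\./, $_[0];
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True if dotted-quad $ip lies inside $cidr ("a.b.c.d" or "a.b.c.d/bits").
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    $bits = 32 unless defined $bits;
    return 0 unless $ip  =~ /^\d+\.\d+\.\d+\.\d+$/
                 && $net =~ /^\d+\.\d+\.\d+\.\d+$/
                 && $bits >= 0 && $bits <= 32;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (ip_to_int($ip) & $mask) == (ip_to_int($net) & $mask);
}

# Longest-prefix match so a host entry beats a covering range.
sub lookup_client {
    my $ip = shift;
    my ($best, $best_bits) = (undef, -1);
    for my $cidr (keys %CLIENTS) {
        next unless in_cidr($ip, $cidr);
        my (undef, $bits) = split m{/}, $cidr;
        $bits = 32 unless defined $bits;
        ($best, $best_bits) = ($CLIENTS{$cidr}, $bits) if $bits > $best_bits;
    }
    return $best;
}

sub authorize {
    my $ip = $RAD_REQUEST{'Tmp-IP-Address-0'};
    unless (defined $ip) {
        radiusd::radlog(1, "dynamic-clients: Tmp-IP-Address-0 missing; add the update request block");
        return RLM_MODULE_FAIL;
    }

    my $c = lookup_client($ip);
    unless ($c) {
        # Unknown source: leave the client undefined so the server drops it.
        radiusd::radlog(1, "dynamic-clients: no definition for $ip");
        return RLM_MODULE_NOTFOUND;
    }

    $RAD_CHECK{'FreeRADIUS-Client-IP-Address'} = $ip;
    $RAD_CHECK{'FreeRADIUS-Client-Shortname'}  = $c->{shortname};
    $RAD_CHECK{'FreeRADIUS-Client-Secret'}     = $c->{secret};
    $RAD_CHECK{'FreeRADIUS-Client-NAS-Type'}   = $c->{nastype};

    # Log the decision, never the secret: the poster's debug output above
    # shows how easily it ends up in the log otherwise.
    radiusd::radlog(1, "dynamic-clients: defined client $c->{shortname} for $ip");
    return RLM_MODULE_OK;
}
```

If the server still reports "Required attribute FreeRADIUS-Client-Secret is missing" with this in place, compare against the list used in raddb/sites-available/dynamic-clients on your version before changing anything else; that file is the authoritative reference Alan points to.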
Accessing nas ip with rlm_python and rlm_perl
Hello: Is it at all possible to access this information within these modules? I am trying to code different behavior in my code based on IP. Regards,
Re: Accessing nas ip with rlm_python and rlm_perl
On 25 Jul 2012, at 14:57, Carl Pierre wrote: Hello: Is it at all possible to access this information within these modules? I am trying to code different behavior in my code based on IP.

NAS-IP-Address yes, Client-IP-Address maybe not, I'd have to check the code… Are you definitely trying to access the NAS-IP-Address?

-Arran
Re: rlm_perl module not executing authenticate
Fajar. Thanks for the tip. This indeed works. In fact as Alan alluded to, placing the configuration in either users or the module will work. Here are the configurations that worked:

/etc/raddb/users:

    DEFAULT Auth-Type = Perl
            Fall-Through = yes

OR

/etc/raddb/example:

    # Function to handle authorize
    sub authorize {
        # For debugging purposes only
        &log_request_attributes;

        # Here's where your authorization code comes
        # You can call another function from here:
        &test_call;

        $RAD_CHECK{'Auth-Type'}    = "Perl";
        $RAD_CHECK{'Fall-Through'} = "yes";
        return RLM_MODULE_OK;
    }

Cheers and thanks!

Diego
Re: rlm_perl module not executing authenticate
Got it. Thanks.
Re: rlm_perl module not executing authenticate
Diego Matute wrote: What is the best practice for this? Should the Auth-Type be set in /etc/raddb/users, within the module, /etc/raddb/sites-available/*?

It should be set wherever you want.

Alan DeKok.
Re: rlm_perl module not executing authenticate
Diego Matute wrote: I've installed freeradius and other packages on a vanilla amazon ec2 instance and am trying to get the rlm_perl module working. Ultimately the authenticate function in the perl script is not being run. Here are the details. ... 1/ Request comes in and authorize is being called within rlm_perl. The print statement is not outputting on the server side?

The modules aren't permitted to print to STDOUT or STDERR.

2/ How does Auth-Type get set? I've read a bunch of forum threads and it looks like best practice nowadays is to let the server figure it out and not set it explicitly in /etc/raddb/users, however it isn't being set.

It isn't being set because the default distribution doesn't use rlm_perl. If you want to *force* usage of rlm_perl, you need to set Auth-Type. If you want to let the server just do the right thing, leave everything alone.

Alan DeKok.
Re: rlm_perl module not executing authenticate
Thanks for the quick response. Inline.

On Tue, Jun 12, 2012 at 10:44 AM, Alan DeKok al...@deployingradius.com wrote: Diego Matute wrote: I've installed freeradius and other packages on a vanilla amazon ec2 instance and am trying to get the rlm_perl module working. Ultimately the authenticate function in the perl script is not being run. Here are the details. ... 1/ Request comes in and authorize is being called within rlm_perl. The print statement is not outputting on the server side? The modules aren't permitted to print to STDOUT or STDERR.

Got it.

2/ How does Auth-Type get set? I've read a bunch of forum threads and it looks like best practice nowadays is to let the server figure it out and not set it explicitly in /etc/raddb/users, however it isn't being set. It isn't being set because the default distribution doesn't use rlm_perl. If you want to *force* usage of rlm_perl, you need to set Auth-Type. If you want to let the server just do the right thing, leave everything alone.

What is the best practice for this? Should the Auth-Type be set in /etc/raddb/users, within the module, /etc/raddb/sites-available/*?

Alan DeKok.
Re: rlm_perl module not executing authenticate
On Wed, Jun 13, 2012 at 6:01 AM, Diego Matute dmat...@cyphercor.com wrote: 2/ How does Auth-Type get set? I've read a bunch of forum threads and it looks like best practice nowadays is to let the server figure it out and not set it explicitly in /etc/raddb/users, however it isn't being set. It isn't being set because the default distribution doesn't use rlm_perl. If you want to *force* usage of rlm_perl, you need to set Auth-Type. If you want to let the server just do the right thing, leave everything alone. What is the best practice for this? Should the Auth-Type be set in /etc/raddb/users, within the module, /etc/raddb/sites-available/*?

Why do you want to set Auth-Type? As Alan already said, if you want to let the server just do the right thing, leave everything alone. Meaning, you leave auth-type alone, use rlm_perl to supply user data (e.g. cleartext-password) as needed during authorization, and let the default authentication methods (pap, mschap, etc) do their job. If you force-set auth-type, then you're not following best practice.

That being said, from within rlm_perl you could probably set the attribute on %RAD_CHECK (or is it %RAD_CONFIG?). If ALL your users will use perl to authenticate then something like the default section on /etc/raddb/users should do.

-- Fajar
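The "leave Auth-Type alone" pattern Fajar describes, as an added example that is not Diego's module and not FreeRADIUS project code. authorize() supplies the stored password as a control item (Cleartext-Password in %RAD_CHECK, which rlm_pap, rlm_mschap and the EAP inner methods consume) and sets no Auth-Type; authenticate() exists only for the forced "Auth-Type := Perl" case from the thread and can then handle nothing but PAP, because an MS-CHAP request carries no User-Password. The user table is constructed sample data.

```perl
# Added example, not from the thread or the FreeRADIUS sources.
# Shows the two ways of wiring rlm_perl into authentication:
#   1. authorize() supplies Cleartext-Password as a control item and does
#      NOT set Auth-Type, so pap/mschap/eap pick the method themselves;
#   2. authenticate() is only reached if something forced Auth-Type := Perl
#      and then only works for PAP.
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_INVALID  => 4;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_NOOP     => 7;
use constant RLM_MODULE_UPDATED  => 8;

# Constructed sample data. Cleartext storage is what makes MS-CHAP and
# EAP-MSCHAPv2 possible; a PAP-only deployment can store a salted hash and
# hand rlm_pap an SSHA-Password control item instead.
my %USERS = (
    'alice' => { password => 'correct horse',  vlan => 10 },
    'bob'   => { password => 'battery staple', vlan => 20 },
);

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $user;

    my $u = $USERS{$user} or return RLM_MODULE_NOTFOUND;

    # Control item: consumed by the authentication modules, never sent to
    # the NAS. Putting it in %RAD_REPLY would leak it in the Access-Accept.
    $RAD_CHECK{'Cleartext-Password'} = $u->{password};

    # Reply items are what the NAS receives.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $u->{vlan};

    # Deliberately no $RAD_CHECK{'Auth-Type'} here.
    return RLM_MODULE_UPDATED;
}

# Forced-Auth-Type path. PAP only: compare User-Password against the store.
sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'};
    my $pw   = $RAD_REQUEST{'User-Password'};
    return RLM_MODULE_INVALID unless defined $user && defined $pw;

    my $u = $USERS{$user} or return RLM_MODULE_REJECT;
    return ct_eq($pw, $u->{password}) ? RLM_MODULE_OK : RLM_MODULE_REJECT;
}

# Constant-time comparison: a plain "eq" short-circuits on the first
# differing byte and leaks how much of a guess was right.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $r = 0;
    $r |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $r == 0;
}
```

With path 1 the users file needs no DEFAULT entry at all; with path 2 the DEFAULT entry from Diego's message selects this module for every user, PAP or not, which is why the thread calls it the non-best-practice option.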
RE: rlm_perl added pairs disapear after eap authentication
Did some more debugging as you guys suggested... and sure enough there was an error. A messed up regex which caused the NAS to resend the request over and over: solved...

But it seems to be a bumpy road and ran into yet another problem: rlm_perl will not let me load modules. I found reference to this problem on the list in December 2009 in which Alan replied:

quote:
    Коньков Евгений wrote: Can't load '/usr/local/lib/perl5/5.10.1/mach/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/local/lib/perl5/5.10.1/mach/auto/Data/Dumper/Dumper.so: Undefined symbol "PL_sv_undef" at /usr/local/lib/perl5/5.10.1/mach/XSLoader.pm line 70. at /usr/local/lib/perl5/5.10.1/mach/Data/Dumper.pm line 36

    It turns out this is largely a bug in libltdl. (Of course). We won't be able to address it directly in 2.1.8, but you should be able to do minor modifications to 2.1.8 that will fix it.
end quote

I'm using 2.1.10 and am getting:

    Can't load '/usr/local/lib/perl/5.14.2/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/local/lib/perl/5.14.2/auto/Data/Dumper/Dumper.so: undefined symbol: PL_charclass at /usr/share/perl/5.14/XSLoader.pm line 71. at /usr/local/lib/perl/5.14.2/Data/Dumper.pm line 36

whenever I try to use Data::Dumper, and

    Can't load '/usr/lib/perl5/auto/DBI/DBI.so' for module DBI: /usr/lib/perl5/auto/DBI/DBI.so: undefined symbol: PL_thr_key at /usr/lib/perl/5.14/DynaLoader.pm line 184. at /usr/lib/perl5/DBI.pm line 268

whenever I try to use DBI.

Looking at the examples on the Wiki it seems other people do not experience the same problems. Any suggestions on how to get this working?

Peter
Re: rlm_perl added pairs disapear after eap authentication
On 06/01/2012 09:08 AM, Peter Kaagman wrote: But it seems to be a bumpy road and ran into yet another problem: rlm_perl will not let me load modules. I found reference to this problem on the list in December 2009 in which Alan replied: Looking at the examples on the Wiki it seems other people do not experience the same problems. Any suggestions on how to get this working?

I forget the details but I know we patched our packages to fix this a while ago (2 years?).

-- John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
rlm_perl added pairs disapear after eap authentication
Hi there list,

After getting (P)EAP and MSCHAP working I'm faced with the following problem: the client gets authenticated through mschap and receives an Access-Accept, but the rlm_perl added pairs which were added in request 0 are not sent to the client, resulting in a client ending up in the wrong VLAN. I've tried several things to resolve this but with no result. One of which was running the perl code in a post-auth event. This resulted in something like 250 requests and the client not connecting.

Two things strike me as odd:
- There is a warning about 2 auth-types - perl and eap
- Why does the authorization run first? I would have thought authentication comes first.

Below the trace and versions.

Peter

    FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24 2011 at 07:53:12
    Ubuntu 64bit 12.04 (wheezy/sid)

    FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24 2011 at 07:53:12
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/proxy.conf
    including configuration file /etc/freeradius/clients.conf
    including files in directory /etc/freeradius/modules/
    including configuration file /etc/freeradius/modules/acct_unique
    including configuration file /etc/freeradius/modules/opendirectory
    including configuration file /etc/freeradius/modules/ldap
    including configuration file /etc/freeradius/modules/inner-eap
    including configuration file /etc/freeradius/modules/logintime
    including configuration file /etc/freeradius/modules/perl
    including configuration file /etc/freeradius/modules/pap
    including configuration file /etc/freeradius/modules/detail.example.com
    including configuration file /etc/freeradius/modules/smbpasswd
    including configuration file /etc/freeradius/modules/linelog
    including configuration file /etc/freeradius/modules/mschap
    including configuration file /etc/freeradius/modules/preprocess
    including configuration file /etc/freeradius/modules/expr
    including configuration file /etc/freeradius/modules/wimax
    including configuration file /etc/freeradius/modules/mac2ip
    including configuration file /etc/freeradius/modules/mac2vlan
    including configuration file /etc/freeradius/modules/always
    including configuration file /etc/freeradius/modules/policy
    including configuration file /etc/freeradius/modules/exec
    including configuration file /etc/freeradius/modules/otp
    including configuration file /etc/freeradius/modules/dynamic_clients
    including configuration file /etc/freeradius/modules/passwd
    including configuration file /etc/freeradius/modules/sradutmp
    including configuration file /etc/freeradius/modules/echo
    including configuration file /etc/freeradius/modules/ippool
    including configuration file /etc/freeradius/modules/radutmp
    including configuration file /etc/freeradius/modules/files
    including configuration file /etc/freeradius/modules/counter
    including configuration file /etc/freeradius/modules/detail.log
    including configuration file /etc/freeradius/modules/sql_log
    including configuration file /etc/freeradius/modules/krb5
    including configuration file /etc/freeradius/modules/attr_filter
    including configuration file /etc/freeradius/modules/chap
    including configuration file /etc/freeradius/modules/checkval
    including configuration file /etc/freeradius/modules/digest
    including configuration file /etc/freeradius/modules/smsotp
    including configuration file /etc/freeradius/modules/pam
    including configuration file /etc/freeradius/modules/realm
    including configuration file /etc/freeradius/modules/detail
    including configuration file /etc/freeradius/modules/etc_group
    including configuration file /etc/freeradius/modules/expiration
    including configuration file /etc/freeradius/modules/attr_rewrite
    including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
    including configuration file /etc/freeradius/modules/cui
    including configuration file /etc/freeradius/modules/ntlm_auth
    including configuration file /etc/freeradius/modules/unix
    including configuration file /etc/freeradius/eap.conf
    including configuration file /etc/freeradius/policy.conf
    including files in directory /etc/freeradius/sites-enabled/
    including configuration file /etc/freeradius/sites-enabled/default
    including configuration file /etc/freeradius/sites-enabled/inner-tunnel
    main {
        user = freerad
        group = freerad
        allow_core_dumps = no
    }
    including dictionary file /etc/freeradius/dictionary
    main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/freeradius
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/freeradius/radacct
        hostname_lookups = no
        max_request_time = 30
Re: rlm_perl added pairs disappear after eap authentication
Peter Kaagman wrote:
> After getting (p)eap and mschap working I'm faced with the following problem: The client gets authenticated through mschap and receives an Access-Accept but the rlm_perl added pairs which were added in request 0 are not sent to the client.

That's how the server works. It doesn't cache attributes across multiple packets. You'll need to set the VLAN in the post-auth section. That's what it's for. Setting VLANs in the authorize section won't work.

> I've tried several things to resolve this but with no result. One of which was running the perl code in a post-auth event. This resulted in something like 250 requests and the client not connecting.

Uh.. it *will* work if you do it correctly. There's no magic. The client doesn't know about post-auth versus authorize.

> Two things strike me as odd:
> - There is a warning about 2 auth-types - perl and eap

Do NOT set Auth-Type = Perl. Why are you doing that?

> - Why does the authorization run first? I would have thought authentication comes first.

The server runs authorize, authenticate, and then post-auth. The reasons are historical.

> rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl
> rlm_perl: Added pair EAP-Message = 0x020800061a03
> rlm_perl: Added pair State = 0xed1f2576ec173f556982a467baafe64e
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Auth-Type = Perl

Don't set that.

> [peap] Got tunneled reply code 2
> MS-MPPE-Encryption-Policy = 0x0001
> MS-MPPE-Encryption-Types = 0x0006
> MS-MPPE-Send-Key = 0xa2a8dbf6f2cfb9fdbd0b000663af7c62
> MS-MPPE-Recv-Key = 0x2288dd50426a86ee2dca3737658de57c
> EAP-Message = 0x03080004
> Message-Authenticator = 0x
> User-Name = host/lt-pkn.atlas.atlascollege.nl

In which you don't set any additional attributes.

> Sending Access-Accept of id 209 to 10.0.9.48 port 1645
> MS-MPPE-Recv-Key = 0x33ecfbf5652ce567309f5f2b1710989bd8c1c1ef2e68386139e7c94f2eb06a75
> MS-MPPE-Send-Key = 0x5c0639908bded95e2a61821743bf72ea714a6acc829016d7c4ce07edfdba4223
> EAP-Message = 0x03090004
> Message-Authenticator = 0x
> User-Name = host/lt-pkn.atlas.atlascollege.nl

And you don't set any additional attributes here. Set the attributes in the post-auth section. It *will* work.

If it doesn't, you did something wrong. Show *what* you did, what happened, and what you expected to see.

Alan DeKok.
RE: rlm_perl added pairs disappear after eap authentication
> If it doesn't, you did something wrong. Show *what* you did, what happened, and what you expected to see.
> Alan DeKok.

Thanks for the reply Alan. Haven't got a lab available at the moment; will give it a shot tomorrow and get back to you. Of course I did something wrong, no discussion there :D

Funny thing is though... the attributes you tell me not to set in rlm_perl are set automagically (at least to me it looks like magic at the moment)... I did not make them up ;) Neither do I manually set an auth-type other than a default one in the users file as instructed by the rlm_perl wiki page.

But I will get back to you tomorrow with details on what I did and am trying to achieve.

Peter
Re: rlm_perl added pairs disappear after eap authentication
Peter Kaagman wrote:
> Funny thing is though... the attributes you tell me not to set in rlm_perl are set automagically (at least to me it looks like magic at the moment)... I did not make them up ;)

They're not set in the default configuration. Someone changed them. And it's local to you.

> Neither do I manually set an auth-type other than a default one in the users file as instructed by the rlm_perl wiki page.

So... you DID change them. In case the Wiki doesn't make it clear, you ONLY set Auth-Type = Perl if you want the Perl module to be called during the authentication phase. So... don't set it. Delete that entry from the users file.

Alan DeKok.
Re: rlm_perl added pairs disappear after eap authentication
On Thu, May 31, 2012 at 01:51:43PM +0200, Peter Kaagman wrote:
> I've tried several things to resolve this but with no result. One of which was running the perl code in a post-auth event. This resulted in something like 250 requests and the client not connecting.

On the understanding (from above) that everything is working except your perl code that is not setting the VLAN correctly, you could try:

1. Remove everything related to the perl code, so the server authenticates users correctly, but no VLAN is set.

2. Add something like

    update reply {
        Tunnel-Type := 13
        Tunnel-Medium-Type := 6
        Tunnel-Private-Group-Id := 999
    }

   to the outer post-auth section.

3. Verify that the server a) works, and b) sends the above attributes in the Access-Accept (check the debug output).

4. Only after all the above, replace the update reply {} with rlm_perl, and work on that. At this stage you know that setting the AVPs there works, so if it's broken it must be your perl code or rlm_perl settings :-)

Cheers,
Matthew

-- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
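The rlm_perl equivalent of step 4 above, as an added example that is not code from this thread or from the FreeRADIUS project: a post_auth() that does what Matthew's update reply {} block does, but picks the VLAN from a policy table keyed on User-Name. The VLAN rules, the user-name patterns and the fail-closed default are made up for illustration; the only things taken from the server are the 2.x rlm_perl conventions (%RAD_REQUEST, %RAD_REPLY, the RLM_MODULE_* return codes and the radiusd::radlog levels).

```perl
# Added example: rlm_perl post_auth() assigning a VLAN in the OUTER post-auth
# section (sites-enabled/default), which is where reply attributes must be set
# for the final Access-Accept of an EAP session. Policy table is constructed.
use strict;
use warnings;

# Return codes; same numbering as src/modules/rlm_perl/example.pl in 2.x.
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

# Log levels; same numbering as src/include/radiusd.h in 2.x
# (L_DBG=1, L_AUTH=2, L_INFO=3, L_ERR=4).
use constant L_DBG  => 1;
use constant L_AUTH => 2;

our (%RAD_REQUEST, %RAD_REPLY);

# Constructed policy: first matching User-Name pattern wins.
my @VLAN_RULES = (
    [ qr{^host/}i,               20 ],   # machine (computer) accounts
    [ qr{\@staff\.example$}i,    30 ],
    [ qr{\@students\.example$}i, 40 ],
);

# undef means "no rule matched => reject" rather than a catch-all VLAN, so a
# user the policy does not know can never land in someone else's network.
my $DEFAULT_VLAN = undef;

sub vlan_for_user {
    my ($user) = @_;
    return $DEFAULT_VLAN unless defined $user;
    for my $rule (@VLAN_RULES) {
        my ($re, $vlan) = @$rule;
        return $vlan if $user =~ $re;
    }
    return $DEFAULT_VLAN;
}

# radiusd::radlog() only exists inside the server; fall back to warn() so the
# file can be syntax-checked and unit-tested with plain perl.
sub logmsg {
    my ($level, $msg) = @_;
    if (defined &radiusd::radlog) { &radiusd::radlog($level, $msg) }
    else                          { warn "$msg\n" }
}

# Called from "post-auth { perl }" in the outer server. Do NOT also set
# Auth-Type = Perl anywhere; this module authenticates nothing.
sub post_auth {
    my $user  = $RAD_REQUEST{'User-Name'};
    my $vlan  = vlan_for_user($user);
    my $shown = defined $user ? $user : '(no User-Name)';

    unless (defined $vlan) {
        logmsg(L_AUTH, "rlm_perl: no VLAN rule for $shown, rejecting");
        return RLM_MODULE_REJECT;
    }

    # RFC 3580 VLAN assignment: Tunnel-Type VLAN (13),
    # Tunnel-Medium-Type IEEE-802 (6), Tunnel-Private-Group-Id = VLAN id.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = "$vlan";

    logmsg(L_DBG, "rlm_perl: $shown -> VLAN $vlan");
    return RLM_MODULE_UPDATED;
}

1;
```

Point modules/perl at this file, list perl in post-auth {} of the outer default site only (not in authorize, not in inner-tunnel), and verify with the debug output exactly as in step 3: the three Tunnel-* attributes must appear in the final "Sending Access-Accept". Rejecting when no rule matches is deliberate; a silent fall-through to a default VLAN is how a client "ends up in the wrong vlan" without anyone noticing.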
Re: Accessing radwho information or accounting request from rlm_perl
eluna wrote:
> As you can see the NAS-IP-Address attributes are different, and I need a method to get the value of the accounting request because when I need to for example deauthenticate a user, I need to know what access point it is actually associated to. Any solutions or hints are very much appreciated.

Use a database to store the data. Find a common key, and look it up in the DB.

Alan DeKok.
Accessing radwho information or accounting request from rlm_perl
I need to get the NAS-IP-Address attribute from the Accounting request and not from the Access request, because I am working with a WDS environment. These are the access and accounting requests:

rad_recv: Access-Request packet from host 10.33.0.33 port 1645, id=36, length=211
User-Name = user
Framed-MTU = 1400
Called-Station-Id = 00-19-56-B0-90-18
Calling-Station-Id = 00-1B-77-89-00-15
Cisco-AVPair = ssid=SECURE
Service-Type = Login-User
Message-Authenticator = 0x04664bdb23657848c1dfe846b6e162f6
EAP-Message = 0x020c002b190017030100208aa24d178243e49e8315219bac17f793f2b933eec5b
NAS-Port-Type = Wireless-802.11
NAS-Port = 10677114
NAS-Port-Id = 10677114
State = 0xec6d109ee561091c536a9f8f173c1470
NAS-IP-Address = 10.33.0.33

rad_recv: Accounting-Request packet from host 10.33.11.33 port 1646, id=43, length=231
Acct-Session-Id = 33C4
Called-Station-Id = 00-16-47-93-68-E2
Calling-Station-Id = 00-1B-77-89-00-15
Cisco-AVPair = ssid=SECURE
Cisco-AVPair = vlan-id=123
Cisco-AVPair = nas-location=unspecified
User-Name = user
Cisco-AVPair = connect-progress=Call Up
Acct-Status-Type = Start
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = 13454
NAS-Port = 13454
Service-Type = Framed-User
NAS-IP-Address = 10.33.11.33
Acct-Delay-Time = 0

As you can see the NAS-IP-Address attributes are different, and I need a method to get the value of the accounting request because when I need to for example deauthenticate a user, I need to know what access point it is actually associated to. Any solutions or hints are very much appreciated.
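One way to do what Alan suggests, as an added example that is not code from this thread or from the FreeRADIUS project: the common key in the two dumps above is Calling-Station-Id (00-1B-77-89-00-15 in both), so an rlm_perl accounting() hook can record which NAS the station was last seen on, and the disconnect side can look the NAS up by the same key. It assumes DBI and DBD::SQLite are installed; the in-memory DSN and the table name are made up so the file runs offline, a real deployment would use a shared, persistent database.

```perl
# Added example: track the accounting-side NAS-IP-Address per station so a
# Disconnect-Request (PoD) can be sent to the AP the client is really on.
use strict;
use warnings;
use DBI;

use constant RLM_MODULE_FAIL => 1;   # 2.x return codes, as in example.pl
use constant RLM_MODULE_OK   => 2;
use constant RLM_MODULE_NOOP => 7;

our %RAD_REQUEST;

my $DSN = $ENV{SESSION_DSN} || 'dbi:SQLite:dbname=:memory:';   # assumed
my $dbh;

# Lazily opened, so each rlm_perl interpreter clone gets its own handle
# instead of a copy of one opened at load time.
sub db {
    return $dbh if $dbh;
    $dbh = DBI->connect($DSN, '', '', { RaiseError => 1, AutoCommit => 1 });
    $dbh->do(<<'SQL');
CREATE TABLE IF NOT EXISTS station_nas (
    calling_station_id TEXT PRIMARY KEY,
    user_name          TEXT,
    nas_ip_address     TEXT NOT NULL,
    acct_session_id    TEXT,
    updated_at         INTEGER NOT NULL
)
SQL
    return $dbh;
}

# "00-1B-77-89-00-15", "00:1b:77:89:00:15" and "001b77890015" all become
# "001b77890015"; anything else is undef and is ignored rather than stored.
sub norm_mac {
    my ($s) = @_;
    return undef unless defined $s;
    (my $hex = lc $s) =~ s/[^0-9a-f]//g;
    return length($hex) == 12 ? $hex : undef;
}

# Called for every Accounting-Request. Start/Interim (re)bind the station to
# the NAS that sent the packet. A Stop only clears the binding when it comes
# from that same NAS, so a late Stop from the old AP after a WDS roam does
# not erase the new association.
sub accounting {
    my $type = $RAD_REQUEST{'Acct-Status-Type'};
    my $mac  = norm_mac($RAD_REQUEST{'Calling-Station-Id'});
    my $nas  = $RAD_REQUEST{'NAS-IP-Address'};
    return RLM_MODULE_NOOP unless defined $type && defined $mac && defined $nas;

    my $ok = eval {
        if ($type eq 'Start' || $type eq 'Interim-Update' || $type eq 'Alive') {
            db()->do(
                'INSERT OR REPLACE INTO station_nas VALUES (?,?,?,?,?)', undef,
                $mac, $RAD_REQUEST{'User-Name'}, $nas,
                $RAD_REQUEST{'Acct-Session-Id'}, time,
            );
        } elsif ($type eq 'Stop') {
            db()->do(
                'DELETE FROM station_nas WHERE calling_station_id = ? AND nas_ip_address = ?',
                undef, $mac, $nas,
            );
        }
        1;
    };
    return $ok ? RLM_MODULE_OK : RLM_MODULE_FAIL;   # DB error: say so, do not pretend
}

# Disconnect side: which NAS is this station on right now (from accounting,
# not from the Access-Request, which in WDS may name a different AP)?
sub nas_for_station {
    my ($calling_station_id) = @_;
    my $mac = norm_mac($calling_station_id);
    return undef unless defined $mac;
    my ($nas) = db()->selectrow_array(
        'SELECT nas_ip_address FROM station_nas WHERE calling_station_id = ?',
        undef, $mac,
    );
    return $nas;
}

1;
```

Feed it the accounting Start shown above and nas_for_station('00-1B-77-89-00-15') returns 10.33.11.33, the accounting NAS, rather than the 10.33.0.33 seen in the Access-Request. Calling-Station-Id is supplied by the NAS and a MAC can be spoofed, so treat this as a routing hint for the disconnect, not as proof of who the station is.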
Re: MAC-Auth issues with rlm_perl
On 03/26/2012 10:01 AM, Glen Harris wrote:
> Server: Debian 6 (Squeeze) 2.6.32-5-amd64
> FreeRadius: 2.1.10 (Debian package)
> Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
> Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP MD5 and PAP.
>
> I'm trying to set up a simple MAC-Auth based network using HP 2610 switches and MSM640 wireless APs as radius clients. I've added the AP to

This is a matter of choice, but personally I would advise against using MAC-auth on wireless. It provides illusory security, and 802.1x is pretty easy on modern equipment. You call however.

> the clients.conf and configured the AP to use MAC-based authentication and it appears to be talking to FreeRadius using MSCHAPv2 correctly.

Well, see below for more on this; IMO it's not correct to use MSCHAPv2 for mac-auth. It's a hack, presumably created for people with dumb radius servers that assume every authentication is tied to something with a username/password.

> We only have a few dozen clients, so I'm using the perl module to read and cache a text file of MAC addresses. My script watches the file's mtime and re-loads it as necessary. I've followed the instructions on http://wiki.freeradius.org/Rlm_perl, but I get the following error:
>
> /etc/freeradius/users[204]: Parse error (check) for entry DEFAULT: Unknown value Perl for attribute Auth-Type

Why are you trying to set Auth-Type to Perl? Since the requests are MSCHAP, unless you've written a full MSCHAP implementation in Perl, you won't be able to authenticate them. If you just want to whitelist MACs, run perl in authorize.

> After some trial and error, I found that adding perl to the authorize and authenticate sections of sites-available/inner-tunnel would get rid of the error, but I have no idea if that solved the problem or merely masked it and caused the next one. There appears to be something seriously wrong with the way this config is working, because rlm_perl is calling the AUTHORIZE function but not AUTHENTICATE.
>
> I've pasted the debug of an authentication attempt below. It appears to be taking the CLIENT mschap authentication and somehow applying those attributes to mangle USER authentication.

I don't understand this paragraph. What do you mean by "client mschap authentication" and "mangle user authentication"?

In any event - the problems are all spelt out in the debug if you read carefully:

> rad_recv: Access-Request packet from host 192.168.0.29 port 35063, id=48, length=275
> Acct-Session-Id = 1ca83cd8-00013b2c
> NAS-Port = 0
> NAS-Port-Type = Wireless-802.11
> NAS-Identifier = CN18D332BD
> NAS-IP-Address = 192.168.0.29
> User-Name = 984b4af5bf40
> Calling-Station-Id = 98:4b:4a:f5:bf:40
> Called-Station-Id = 2c:41:38:f4:f5:c0
> Service-Type = Login-User
> MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516
> MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc680000fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba
> Colubris-AVPair = ssid=TSV-UC
> Colubris-AVPair = phytype=IEEE802dot11n
> Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e

The above is an MSCHAP request. However, the username appears to be a MAC address, so maybe the NAS is trying to do MSCHAP mac auth. Sigh.

> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'

The mschap module sets Auth-Type to itself, correctly.

> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = 984b4af5bf40, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 204

snip

> ++[perl] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP

Auth-Type is still MSCHAP

> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.

No password is set, therefore auth is going to fail...

> [mschap] Creating challenge hash with username: 984b4af5bf40
> [mschap] Told to do MS-CHAPv2 for 984b4af5bf40 with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject

...and auth fails.

I am going to take a wild guess, that your NAS does MAC-auth via an mschap request. I am going to guess the password it uses is either the same as the username, or a fixed value. You could try adding lines like this to the users file:

    984b4af5bf40    Cleartext-Password := 984b4af5bf40

Or, if your NAS can be made to do so, disable the dumb lets do MAC-auth by simulating
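What "run perl in authorize" looks like for this case, as an added example that is not code from this thread or from the FreeRADIUS project: an authorize() that keeps the mtime-cached MAC whitelist the original poster described, never sets Auth-Type = Perl, and, for a NAS that wraps MAC-auth in MS-CHAPv2 with password == username (the guess above), gives rlm_mschap the Cleartext-Password it needs through %RAD_CHECK. The whitelist path and file format are assumptions for illustration.

```perl
# Added example: rlm_perl authorize() for MAC whitelisting. rlm_mschap has
# already set Auth-Type = MSCHAP before this runs; we only decide whether the
# station is allowed and, if so, hand mschap the known-good password.
use strict;
use warnings;

use constant RLM_MODULE_REJECT  => 0;   # 2.x return codes, as in example.pl
use constant RLM_MODULE_UPDATED => 8;
use constant L_DBG  => 1;               # src/include/radiusd.h (2.x)
use constant L_AUTH => 2;

our (%RAD_REQUEST, %RAD_CHECK);

my $MAC_FILE     = $ENV{MAC_WHITELIST} || '/etc/freeradius/mac-whitelist.txt';  # assumed
my $loaded_mtime = -1;
my %allowed;            # normalised MAC => description

sub norm_mac {
    my ($s) = @_;
    return undef unless defined $s;
    (my $hex = lc $s) =~ s/[^0-9a-f]//g;
    return length($hex) == 12 ? $hex : undef;
}

# Assumed file format: one MAC per line, optional description, '#' comments.
# Re-read only when the mtime changes. Returns false if the file cannot be
# read; the caller then fails closed.
sub load_whitelist {
    my $mtime = (stat $MAC_FILE)[9];
    return 0 unless defined $mtime;
    return 1 if $mtime == $loaded_mtime;

    open my $fh, '<', $MAC_FILE or return 0;
    my %fresh;
    while (my $line = <$fh>) {
        $line =~ s/#.*//;
        $line =~ s/^\s+|\s+$//g;
        next unless length $line;
        my ($mac, $desc) = split /\s+/, $line, 2;
        my $n = norm_mac($mac);
        next unless defined $n;                 # skip malformed entries, keep the rest
        $fresh{$n} = defined $desc ? $desc : '';
    }
    close $fh;
    %allowed      = %fresh;
    $loaded_mtime = $mtime;
    return 1;
}

sub logmsg {
    my ($level, $msg) = @_;
    if (defined &radiusd::radlog) { &radiusd::radlog($level, $msg) }
    else                          { warn "$msg\n" }
}

sub authorize {
    # Calling-Station-Id is what the NAS saw on the air; User-Name is whatever
    # the NAS chose to put there. Whitelist on the former, require they agree.
    my $mac = norm_mac($RAD_REQUEST{'Calling-Station-Id'});
    unless (defined $mac) {
        logmsg(L_AUTH, 'rlm_perl: no usable Calling-Station-Id');
        return RLM_MODULE_REJECT;
    }

    %allowed = () unless load_whitelist();      # unreadable list: nobody gets in

    unless (exists $allowed{$mac}) {
        logmsg(L_AUTH, "rlm_perl: MAC $mac not in whitelist");
        return RLM_MODULE_REJECT;
    }

    my $user     = $RAD_REQUEST{'User-Name'};
    my $user_mac = norm_mac($user);
    if (!defined $user_mac || $user_mac ne $mac) {
        logmsg(L_AUTH, "rlm_perl: User-Name does not match Calling-Station-Id $mac");
        return RLM_MODULE_REJECT;
    }

    # NAS does MS-CHAPv2 with password == username: supply it as a control
    # item so the existing Auth-Type = MSCHAP can verify the response.
    if (exists $RAD_REQUEST{'MS-CHAP2-Response'} || exists $RAD_REQUEST{'MS-CHAP-Response'}) {
        $RAD_CHECK{'Cleartext-Password'} = $user;
    }

    logmsg(L_DBG, "rlm_perl: MAC $mac allowed ($allowed{$mac})");
    return RLM_MODULE_UPDATED;
}

1;
```

List perl in authorize {} of the outer default site, after mschap and files, and leave authenticate {} alone; the "Unknown value Perl for attribute Auth-Type" parse error goes away once the users file no longer mentions it. The MS-CHAPv2 exchange adds nothing here: the "password" is derived from the MAC in the request, so the security of this setup is exactly the security of a MAC whitelist, which is the illusory security the reply above warns about.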
MAC-Auth issues with rlm_perl
Server: Debian 6 (Squeeze) 2.6.32-5-amd64
FreeRadius: 2.1.10 (Debian package)
Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP MD5 and PAP.

I'm trying to set up a simple MAC-Auth based network using HP 2610 switches and MSM640 wireless APs as radius clients. I've added the AP to the clients.conf and configured the AP to use MAC-based authentication and it appears to be talking to FreeRadius using MSCHAPv2 correctly.

We only have a few dozen clients, so I'm using the perl module to read and cache a text file of MAC addresses. My script watches the file's mtime and re-loads it as necessary. I've followed the instructions on http://wiki.freeradius.org/Rlm_perl, but I get the following error:

/etc/freeradius/users[204]: Parse error (check) for entry DEFAULT: Unknown value Perl for attribute Auth-Type

After some trial and error, I found that adding perl to the authorize and authenticate sections of sites-available/inner-tunnel would get rid of the error, but I have no idea if that solved the problem or merely masked it and caused the next one. There appears to be something seriously wrong with the way this config is working, because rlm_perl is calling the AUTHORIZE function but not AUTHENTICATE.

I've pasted the debug of an authentication attempt below. It appears to be taking the CLIENT mschap authentication and somehow applying those attributes to mangle USER authentication.
rad_recv: Access-Request packet from host 192.168.0.29 port 35063, id=48, length =275 Acct-Session-Id = 1ca83cd8-00013b2c NAS-Port = 0 NAS-Port-Type = Wireless-802.11 NAS-Identifier = CN18D332BD NAS-IP-Address = 192.168.0.29 User-Name = 984b4af5bf40 Calling-Station-Id = 98:4b:4a:f5:bf:40 Called-Station-Id = 2c:41:38:f4:f5:c0 Service-Type = Login-User MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516 MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc6800 00fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba Colubris-AVPair = ssid=TSV-UC Colubris-AVPair = phytype=IEEE802dot11n Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = 984b4af5bf40, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 204 ++[files] returns ok rlm_perl: AUTHORIZE rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11 rlm_perl: RAD_REQUEST: Acct-Session-Id = 1ca83cd8-00013b2c rlm_perl: RAD_REQUEST: Service-Type = Login-User rlm_perl: RAD_REQUEST: Called-Station-Id = 2c:41:38:f4:f5:c0 rlm_perl: RAD_REQUEST: Calling-Station-Id = 98:4b:4a:f5:bf:40 rlm_perl: RAD_REQUEST: Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e rlm_perl: RAD_REQUEST: MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516 rlm_perl: RAD_REQUEST: User-Name = 984b4af5bf40 rlm_perl: RAD_REQUEST: NAS-Identifier = CN18D332BD rlm_perl: RAD_REQUEST: MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc68fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba rlm_perl: RAD_REQUEST: Colubris-AVPair = ARRAY(0x127d4d8) rlm_perl: RAD_REQUEST: NAS-Port = 0 rlm_perl: RAD_REQUEST: NAS-IP-Address = 
192.168.0.29 rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Acct-Session-Id = 1ca83cd8-00013b2c rlm_perl: Added pair Service-Type = Login-User rlm_perl: Added pair Called-Station-Id = 2c:41:38:f4:f5:c0 rlm_perl: Added pair Calling-Station-Id = 98:4b:4a:f5:bf:40 rlm_perl: Added pair Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e rlm_perl: Added pair MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516 rlm_perl: Added pair User-Name = 984b4af5bf40 rlm_perl: Added pair NAS-Identifier = CN18D332BD rlm_perl: Added pair MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc68fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba rlm_perl: Added pair Colubris-AVPair = ssid=TSV-UC rlm_perl: Added pair Colubris-AVPair = phytype=IEEE802dot11n rlm_perl: Added pair NAS-Port = 0 rlm_perl: Added pair NAS-IP-Address = 192.168.0.29 rlm_perl: Added pair Auth-Type = MSCHAP ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext
rlm_perl, aaa, dialup admin
Hi... I have a lot of problems configuring FreeRADIUS. First I have a web service and a perl client to obtain users and passwords from an external database. I used rlm_perl with a perl script in the authentication func and it works... but I need to implement dialup admin (or daloradius) to account... but I read that dialup admin works with a mysql database so... what do I need to use for dialup admin to work? And what files do I need to edit (users, radiusd.conf, etc) for authentication with rlm_perl and authorize and accounting with mysql?

-- Fabricio A. Flores G. Graduate in Systems Engineering MSN: fabri_flor...@hotmail.com Google: fabriflor...@gmail.com Twitter: fabricioflores Skype: fabriciofloresgallardo Blog Personal http://fabricioflores.wordpress.com/
Re: confused by logging targets for rlm_perl
Olivier Bilodeau wrote:
> http://wiki.freeradius.org/Rlm_perl#Logging refers to:
> 0 - Debug
> 1 - Auth

Those are wrong. See src/include/radiusd.h, L_DBG, etc. I've fixed the Wiki.

> I expected Debug not to go out in radius.log and Auth to do since I specified Auth to yes in radiusd.conf.

Yup.

> With radius -X, as expected, I got everything. Am I missing something here? Is this a bug or a feature(tm)?

Bug. See the v2.1.x branch in git for patches to src/modules/rlm_perl/example.pl

Alan DeKok.
confused by logging targets for rlm_perl
Hi there! It's been a while.. François turned out to be our official freeradius-users correspondent lately ;)

So, I'm changing some things in our rlm_perl module and tried to make a better use of the logging facilities provided by the freeradius core.

http://wiki.freeradius.org/Rlm_perl#Logging refers to:
0 - Debug
1 - Auth
2 - Proxy
3 - Info
4 - Error

However in practice my tests today revealed behavior that I would prefer be clarified by one of the gurus here. With file logging, auth = yes and sending messages with radiusd::radlog() I found that: Debug, Info and Error go to the radius.log file while Auth does not. I haven't tried Proxy or Acct (which is available according to src/main/log.c).

I expected Debug not to go out in radius.log and Auth to do since I specified Auth to yes in radiusd.conf.

With radius -X, as expected, I got everything.

Am I missing something here? Is this a bug or a feature(tm)?

Running freeradius 2.1.12.

Thanks,
-- Olivier Bilodeau obilod...@inverse.ca :: +1.514.447.4918 *115 :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: rlm_perl and returning 1 attribute with same name
On 2012/02/17 02:38 PM, Mike wrote:
> Hello, I am using rlm_perl and I have an application where I would like to return possibly more than 1 Filter-Id in my response. In perl, the relevant code would be this:
>
> $RAD_REPLY{'Filter-Id'} = some_filter
>
> Unfortunately, this also will only create 1 avpair by the name 'Filter-Id'. How would I go about returning more than 1 or am I stuck because of perl?

I have an array with my Framed-Routes. I then do the following:

    $RAD_REPLY{'Framed-Route'} = \@framedroutearray;

-- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html
rlm_perl and returning 1 attribute with same name
Hello, I am using rlm_perl and I have an application where I would like to return possibly more than 1 Filter-Id in my response. In perl, the relevant code would be this:

    $RAD_REPLY{'Filter-Id'} = some_filter

Unfortunately, this also will only create 1 avpair by the name 'Filter-Id'. How would I go about returning more than 1 or am I stuck because of perl?

Mike-
Re: rlm_perl and returning 1 attribute with same name
Hello. I really don't think that you need to return more than one Filter-Id. As I know it's impossible to map some ACL to one interface. Anyway, you can use an array, e.g.

    $RAD_REPLY{'Filter-Id'} = [1,2,3]

17.02.2012, at 17:12, Mike mike-freerad...@tiedyenetworks.com wrote:
> Hello, I am using rlm_perl and I have an application where I would like to return possibly more than 1 Filter-Id in my response. In perl, the relevant code would be this:
>
> $RAD_REPLY{'Filter-Id'} = some_filter
>
> Unfortunately, this also will only create 1 avpair by the name 'Filter-Id'. How would I go about returning more than 1 or am I stuck because of perl?
>
> Mike-
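Both replies say the same thing: assign an array reference and rlm_perl emits one AVP per element. The added example below (not code from this thread or from the FreeRADIUS project) wraps that in two small helpers and shows the other half that the replies do not mention: on the request side, 2.x rlm_perl hands a repeated attribute to you as an array ref too (the "Colubris-AVPair = ARRAY(0x127d4d8)" line in the MAC-auth debug earlier in this archive is exactly that), so reading code has to cope with both shapes. The ACL names and static routes are made up.

```perl
# Added example: reading and writing multi-valued attributes via rlm_perl.
use strict;
use warnings;

use constant RLM_MODULE_UPDATED => 8;   # 2.x return code, as in example.pl

our (%RAD_REQUEST, %RAD_REPLY);

# Always returns a list: () if absent, one element for a plain scalar, all
# elements for an array ref. Saves every caller the ref() check.
sub request_values {
    my ($name) = @_;
    my $v = $RAD_REQUEST{$name};
    return () unless defined $v;
    return ref $v eq 'ARRAY' ? @$v : ($v);
}

# Store 0, 1 or many values under one attribute name. Empty/undef values and
# duplicates are dropped; with nothing left the key is deleted, so a stale
# value set by an earlier module is not left behind either. Returns the
# number of AVPs that will be emitted.
sub set_reply_list {
    my ($name, @values) = @_;
    my %seen;
    my @vals = grep { defined($_) && length($_) && !$seen{$_}++ } @values;
    if (!@vals) {
        delete $RAD_REPLY{$name};
        return 0;
    }
    $RAD_REPLY{$name} = @vals == 1 ? $vals[0] : \@vals;   # array ref => one AVP each
    return scalar @vals;
}

# Constructed policy table: user => routes to push, in Framed-Route syntax.
my %STATIC_ROUTES = (
    'user' => [ '192.0.2.0/24 0.0.0.0 1', '198.51.100.0/24 0.0.0.0 1' ],
);

sub post_auth {
    my $user = $RAD_REQUEST{'User-Name'};
    $user = '' unless defined $user;

    # Multi-valued *request* attribute: pick "vlan-id=N" out of however many
    # Cisco-AVPairs the NAS sent (the accounting dump earlier shows four).
    my ($vlan) = map { /^vlan-id=(\d+)$/ ? $1 : () } request_values('Cisco-AVPair');

    my @filters = ('base-acl');
    push @filters, "vlan$vlan-acl" if defined $vlan;

    set_reply_list('Filter-Id',    @filters);                          # 1 or 2 Filter-Id AVPs
    set_reply_list('Framed-Route', @{ $STATIC_ROUTES{$user} || [] });  # 0..n Framed-Route AVPs
    return RLM_MODULE_UPDATED;
}

1;
```

Whether a NAS applies more than one Filter-Id is up to the NAS, as the reply above notes; the server will happily send them all. Check the debug output of the Access-Accept to confirm that each element became its own line.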
Re: rlm_perl and Threaded Perl??
Hardware: based on ESX host:
- 4 core 2.1GHz processor (have 24 cores to play with)
- 8GB Memory (have more as needed)
- CentOS 5.7 x86_64 (latest patches)
- MySQL 5.5.20 - Same VM and supplied by Oracle
- FreeRadius 2.1.12-7 - compiled here, with MySQL libraries for version 5.5.20

Limitations so far:
- 4 million dial-in potential users (16 million gets a bit slow - so looking for other improvements)
- In bound transaction rate (sustained mix of 1:1.5 of radius authentication:Radius accounting) 2048
- Response time (so far and improving) 500mS (current gains are from reworking MySQL data tables, structures, and indexes)
- CPU utilisation is still low (as reported by VSphere) ~15% ie MySQL is running well, and so is FR.
- Packet loss increases to 10% at 2.5K transactions/sec.

I am looking to use activeMQ to relieve some of the 3GPP (3GPP-Location etc.), add enrichment; and then ultimately manage quotas with overuse getting PoD. The activeMQ is on another host (utilisation of the primary network interface isn't that high; but will be looking to use a second interface, or even using the radius VM to host the activeMQ queue, with an additional VM running quota management). NB Quota is measured in credits, and other systems can charge credits - so there isn't a 'fixed' byte usage for radius accounting to count down. Also there is another system based on netflow managing nearer real time (well 5 minutes) actual data usage.

I've wanted to limit the number of threads, as if the activeMQ server fails, I don't want radius to fail (users shouldn't be penalised because of poor systems management/setup). It's all a bit too open ended for me to feel comfortable with this as a solution as it stands. I'll be testing a local activeMQ server later today, with a view to either give it up as a bad idea, or to find some other way (post-auth database processing?).

My feeling is that I've yet to unleash the real power of FR; but it's far from obvious to me, as to how to improve MySQL performance with FR. Reading others: dumping MySQL (albeit in a MySQL configuration - local file + reload) way seems the next step.

Simon

On 02/14/2012 07:20 AM, Alan DeKok wrote:
> Simon Earthrowl wrote:
>> FR 2.1.12-1 and 2.1.12-7, but also looked at 3.0.0. I manage to get 2048 perl threads (assumed from /netstat -ap/ - as I'm interfacing into Apache's ActiveMQ), then when I hit 2049 threads FR crashes.
>
> See doc/bugs for how to deal with crashes. And 2K threads? There's something wrong with your architecture if you need that. Your backend is VERY slow, or your load is too high, or you've under-provisioned your machines.
>
> The biggest mistake is that you're talking about solutions, not problems. Using 2K threads is a solution. Since you haven't specified what the problem is, there may be OTHER solutions which work better. e.g. If you're doing something crazy like using 2K threads, the usual response is "don't do that".
>
> Alan DeKok.

Eseye Ltd, Company No: 06397669 - Surrey Technology Centre, Guildford, UK +44 1483 685200
Re: rlm_perl and Threaded Perl??
On Tue, Feb 14, 2012 at 7:57 PM, Simon Earthrowl searthr...@eseye.com wrote:
> Hardware: based on ESX host: 4 core 2.1GHz processor (have 24 cores to play with) 8GB Memory (have more as needed)

err ... that's not really much these days.

> Limitations so far: 4 million dial-in potential users (16 million gets a bit slow - so looking for other improvements)

It's way overkill for FR with files backend. But once you include any kind of db or external backend (e.g. mysql, perl, whatever) then those systems can quickly become the bottleneck. In the case of mysql, the bottleneck is usually disk IOPS.

> In bound transaction rate (sustained mix of 1:1.5 of radius authentication:Radius accounting) 2048

2048 per what? seconds?

> Response time (so far and improving) 500mS (current gains are from reworking MySQL data tables, structures, and indexes)

That'd still mean you have a bottleneck somewhere. IIRC on a simple FR-mysql setup, I got several thousand auth+acct/sec, and that's with a pretty low max thread count (the 200-something I mentioned earlier. It's low compared to yours).

> CPU utilisation is still low (as reported by VSphere) ~15% ie MySQL is running well, and so is FR. Packet loss increases to 10% 2.5K transactions/sec.

is this during your load test? If yes, then there's no reason to use 2048 threads. Really. Just lower them.

> I've wanted to limit the number of threads, as if the activeMQ server fails, I don't want radius to fail (users shouldn't be penalised because of poor systems management/setup). It's all a bit too open ended for me to feel comfortable with this as a solution as it stands.

It's kinda complicated. Short version is if you use your external system only for acct, then using something similar to sites-available/buffered-sql should do the trick (i.e. log to detail file first, process later). But if you also need it for auth, then it gets complicated. Possible (especially if you only consider the case when the external system is dead), but complicated (especially if you consider the case when the external system simply becomes too slow).

> My feeling is that I've yet to unleash the real power of FR; but it's far

It's pretty flexible. The hardest part is defining your policies. For example: how would you want FR to detect if your external system fails? How long must it wait?

> from obvious to me, as to how to improve MySQL performance with FR. Reading others: dumping MySQL (albeit in a MySQL configuration - local file + reload) way seems the next step.

mysql can perform just fine on super-busy implementations, IF you have the skills of a competent dba (or have someone with that skill helping you).

-- Fajar
Re: rlm_perl and Threaded Perl??
Simon Earthrowl wrote:
> Limitations so far: 4 million dial-in potential users (16 million gets a bit slow - so looking for other improvements)

You need to design your solution VERY carefully. Scaling to 4M users isn't the same as 1K or 100K users.

> In bound transaction rate (sustained mix of 1:1.5 of radius authentication:Radius accounting) 2048
> Response time (so far and improving) 500mS (current gains are from reworking MySQL data tables, structures, and indexes)

Response times of 500ms are RIDICULOUSLY bad. You have a catastrophic design decision somewhere. Find it, fix it.

> CPU utilisation is still low (as reported by VSphere) ~15% ie MySQL is running well, and so is FR. Packet loss increases to 10% 2.5K transactions/sec.

My smart phone can handle 2.5K RADIUS packets/s. It's the REST of the system that needs fixing.

> I am looking to use activeMQ to relieve some of the 3GPP (3GPP-Location etc.), add enrichment; and then ultimately manage quotas with overuse getting PoD.

You're again talking about a solution. Is using activeMQ a *requirement*? Or is it a potential solution?

> I'll be testing a local activeMQ server later today, with a view to either give it up as a bad idea, or to find some other way (post-auth database processing?).

To do... what? Find out what you need to do per request. Make it as cheap as possible. Do as little work as possible per request. Post-process as much as possible.

> My feeling is that I've yet to unleash the real power of FR; but it's far from obvious to me, as to how to improve MySQL performance with FR. Reading others: dumping MySQL (albeit in a MySQL configuration - local file + reload) way seems the next step.

For 4M users? Not a good idea. I've built multiple systems with many-millions of users. It requires a bit of care, but it's possible.

Alan DeKok.