the customized message. Is there a way to test the
user/pw combo first and *then* perform unlang logic?
That's what the post-auth section is for.
Matthew
--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH
Hi
For each Access-Request received and authenticated successfully I want to
do following:
1. Verify if Access-Request contains a parameter i.e IMEI of mobile
2. If Not, send Access-Reject. Else,
3. compare IMEI to value in database and assign a 32bit hex number in
Access-Accept
Basically, I
Navodit Bhardwaj wrote:
For each Access-Request received and authenticated successfully I want
to do following:
1. Verify if Access-Request contains a parameter i.e IMEI of mobile
2. If Not, send Access-Reject. Else,
3. compare IMEI to value in database and assign a 32bit hex number in
On Thu, Jul 18, 2013 at 10:46 AM, Alan DeKok al...@deployingradius.com wrote:
Navodit Bhardwaj wrote:
For each Access-Request received and authenticated successfully I want
to do following:
1. Verify if Access-Request contains a parameter i.e IMEI of mobile
2. If Not, send Access-Reject.
Hi
To proceed with unlang, how can I ensure that the Access-Request contains
specific IE.
For example:
- IMEI Field: 1234567890123
- Hardware Id : AC12BD54FS56TRZS506
- etc..
Also, Is there any limitation to number of parameters and size, that can be
contained in any
Hi,
Just wondered if someone could explain the reason why, on rejection of
EAP authentication, an access challenge request is sent out to the NAS,
and whether it's something we can control or not?
Thanks
Andy
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 10/06/13 15:45, Franks Andy (RLZ) IT Systems Engineer wrote:
Hi,
Just wondered if someone could explain the reason why, on rejection
of EAP authentication, an access challenge request is sent out to the
NAS, and whether it’s something we can control or not?
I assume you're referring to
the default tunnel post-auth reject section to not do a linelog
if auth-type has been set to EAP but it doesn't work when clients are
rejected in this ldap section; the EAP auth-type is set but it never
authenticates as the reject is triggered first, and so a linelog would
never be recorded in the inner
On 10/06/13 17:29, Franks Andy (RLZ) IT Systems Engineer wrote:
I'm also doing some stuff in the authorization section which can reject
a user based on some ldap information. I thought I could perhaps just
update the default tunnel post-auth reject section to not do a linelog
if auth-type has
Hi, It is not default virtual server). Following error occurs, when user
attempt to login with invalid password, otherwise not. is it normal? or
should be troubleshooted.
Info: WARNING: Unknown value specified for Post-Auth-Type. Cannot
perform requested action
My postauth section
post-auth
and post auth section,
but it never makes it through.
It's not really critical at this point, just annoying me. I'm sure it's
something I need to do differently but I'm not sure what.
Thanks
Andy
-Original Message-
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
Franks Andy (RLZ) IT Systems Engineer wrote:
My FR version is 2.1.10+dfsg-3build2_amd64. Unless there’s a nice
package for Ubuntu 12.04 server then I’ll be compiling from source then
I think.
Yes. Upgrading would be good.
so yes, the “use_tunneled reply” bit is there. Is that what’s
it should be similar to the description in the post auth reject
section of the inner tunnel :
update outer.reply {
User-Name = "%{request:User-Name}"
}
But the section never gets called, so I tried putting it after the ldap
authorization bit, as I can't do it in the authentication part
Andy,
What version of FreeRadius are you using?
I *think* that unless you are using the git source for 2.2.1, post-auth reject
is broken. There was some stuff I was doing a few months ago that got fixed in
2.2.1 … but I'm getting old and can't remember all the details :-(
On 10 May 2013
On 10/05/13 13:53, Franks Andy (RLZ) IT Systems Engineer wrote:
Hi,
This may have come up before but I can’t find any solutions :
I’m using a NAS which always performs EAP/MSCHAP2 authentication, so I’ve
stripped the sites-enabled/default right down to pretty much just
include the eap stuff
: Re: Inner tunnel post auth question
Andy,
What version of FreeRadius are you using?
I *think* that unless you are using the git source for 2.2.1, post-auth
reject is broken. There was some stuff I was doing a few months ago that
got fixed in 2.2.1 ... but I'm getting old and can't remember
so is that done as in post-auth in the inner-tunnel now works?
Rgds
Alex
On 13 Mar 2013, at 20:14, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
On 13 Mar 2013, at 13:19, Matthew Newton m...@leicester.ac.uk wrote:
On Wed, Mar 13, 2013 at 12:58:15PM -0400, Arran Cudbard-Bell wrote
On 03/14/2013 09:36 AM, Alex Sharaz wrote:
so is that done as in post-auth in the inner-tunnel now works?
Should be. Please git pull and recompile and confirm.
On Thu, Mar 14, 2013 at 10:10:28AM +, Phil Mayers wrote:
On 03/14/2013 09:36 AM, Alex Sharaz wrote:
so is that done as in post-auth in the inner-tunnel now works?
Should be. Please git pull and recompile and confirm.
It should fully work now. Previously, inner-tunnel post-auth
reject
Yup works just fine thanks
Rgds
Alex
On 14 Mar 2013, at 14:22, Matthew Newton m...@leicester.ac.uk wrote:
On Thu, Mar 14, 2013 at 10:10:28AM +, Phil Mayers wrote:
On 03/14/2013 09:36 AM, Alex Sharaz wrote:
so is that done as in post-auth in the inner-tunnel now works?
Should be. Please
Hi,
I've got a number of FR 2.2.0 servers that invoke sql_log in the inner-tunnel
post-auth in order to write user-name some other attributes into a back end
mysql database server and it all works. If I've got non-eap requests coming in,
the default site deals with it. If I've got eap-based
On 13.03.2013 12:46, Alex Sharaz wrote:
Hi,
I've got a number of FR 2.2.0 servers that invoke sql_log in the inner-tunnel
post-auth in order to write user-name some other attributes into a back end
mysql database server and it all works. If I've got non-eap requests coming
git.freeradius, built
that and upgraded one of my FR2.2 servers. Since then I
can't see an invocation of post-auth within the inner-tunnel.
I can see it for the default site but not the inner-tunnel.
Everything else seems to work but not that. Same hardware
platform, same config files just different
00cadac7
Defines the function rad_virtual_server, but doesn't call it from anywhere.
Where should that be called? Was there another commit?
-Arran
On Wed, Mar 13, 2013 at 12:58:15PM -0400, Arran Cudbard-Bell wrote:
00cadac7
Defines the function rad_virtual_server, but doesn't call it
from anywhere. Where should that be called? Was there another
commit?
Grr, fatfinger paste bug :)
I'd suggest that either a00c4432 needs backing out,
On 13 Mar 2013, at 13:19, Matthew Newton m...@leicester.ac.uk wrote:
On Wed, Mar 13, 2013 at 12:58:15PM -0400, Arran Cudbard-Bell wrote:
00cadac7
Defines the function rad_virtual_server, but doesn't call it
from anywhere. Where should that be called? Was there another
commit?
Grr,
Hi,
Hope this is a quick request for someone to answer, been googling and
can't find the reply.
I've altered the post-auth sql recording data a bit from the standard
schema - I wanted to record some of the details of the request packet
without relying on the NAS to do proper accounting, which I
On 21/08/12 13:33, Franks Andy (RLZ) IT Systems Engineer wrote:
Hi,
Hope this is a quick request for someone to answer, been googling and
can’t find the reply.
I’ve altered the post-auth sql recording data a bit from the standard
schema – I wanted to record some of the details of the request
Franks Andy (RLZ) IT Systems Engineer wrote:
‘%{request:Client-Short-Name}’ didn’t seem to work – blank string.
Use: %{client:foo}
This expands to the foo entry of the relevant client section:
client stuff {
ipaddr = 1.2.3.4
secret = hello
foo = bar
bad =
On Tue, Aug 21, 2012 at 01:33:00PM +0100, Franks Andy (RLZ) IT Systems Engineer
wrote:
got into yet. I'd quite like to record the attribute ClientShortname as
referred to by the clients.conf file, but expansion of
'%{request:Client-Short-Name}' didn't seem to work - blank string.
Looking at
Ok, schoolboy error there! Thanks guys.
Whilst on the subject, is it possible (in theory) to write different
INSERT statements dependent on, for example, whether the post-auth
section is based on having accepted or rejected the user. The sql
modules named in the default virtual server file link
On 21 Aug 2012, at 14:46, Franks Andy (RLZ) IT Systems Engineer
andy.fra...@sath.nhs.uk wrote:
Ok, schoolboy error there! Thanks guys.
Whilst on the subject, is it possible (in theory) to write different
INSERT statements dependent on, for example, whether the post-auth
section is based
Hi,
Am I being dumb / getting something wrong or does the post-auth session
not get called if PEAP/MSCHAP returns a reject?
It seems to run for successful auths, but not failures.
That is the case.
This is in the context of us not seeing log messages for EAP auth
failures; I
On 05/19/2012 12:37 PM, alan buxey wrote:
Hi,
Am I being dumb / getting something wrong or does the post-auth session
not get called if PEAP/MSCHAP returns a reject?
It seems to run for successful auths, but not failures.
That is the case.
This is in the context of us not seeing log
Mayers wrote:
Am I being dumb / getting something wrong or does the post-auth session
not get called if PEAP/MSCHAP returns a reject?
It seems to run for successful auths, but not failures.
That is the case.
This is in the context of us not seeing log messages for EAP auth
failures; I
...@deployingradius.com wrote:
Phil Mayers wrote:
Am I being dumb / getting something wrong or does the post-auth
session
not get called if PEAP/MSCHAP returns a reject?
It seems to run for successful auths, but not failures.
That is the case.
This is in the context of us not seeing log
Am I being dumb / getting something wrong or does the post-auth session
not get called if PEAP/MSCHAP returns a reject?
It seems to run for successful auths, but not failures.
This is in the context of us not seeing log messages for EAP auth
failures; I suspect that the client may just hang
Phil Mayers wrote:
Am I being dumb / getting something wrong or does the post-auth session
not get called if PEAP/MSCHAP returns a reject?
It seems to run for successful auths, but not failures.
That is the case.
This is in the context of us not seeing log messages for EAP auth
failures
On 16.04.2012 22:40, Matthew Newton wrote:
On Mon, Apr 16, 2012 at 10:00:03PM +0200, Gerald Krause wrote:
Please use 2.1.12. It's better.
I'll check that suggestion. In the moment this is a plain apt-get
install/update/upgrade Debian box that comes with 2.1.10 (don't blame
me...) but
, accepting the user
Login OK: [test@foo/password] (from client LOCALHOST port 123)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 236 to 127.0.0.1 port 51046
Framed-Protocol = PPP
Service-Type = Framed-User
Class
Gerald Krause wrote:
after upgrading our server from 2.0.4 to 2.1.10
Please use 2.1.12. It's better.
we see a change in the
auth logic - e.g. when processing proxied requests to a home server and
their replies. We need this feature to append some special attributes to
the accept-packet
On 16.04.2012 21:22, Alan DeKok wrote:
Gerald Krause wrote:
after upgrading our server from 2.0.4 to 2.1.10
Please use 2.1.12. It's better.
I'll check that suggestion. In the moment this is a plain apt-get
install/update/upgrade Debian box that comes with 2.1.10 (don't blame
me...) but
On Mon, Apr 16, 2012 at 10:00:03PM +0200, Gerald Krause wrote:
Please use 2.1.12. It's better.
I'll check that suggestion. In the moment this is a plain apt-get
install/update/upgrade Debian box that comes with 2.1.10 (don't blame
me...) but maybe I'm going to install freeradius from
post-auth section like this:
post-auth {
sql {
fail = return
}
}
user authentication with unreachable mysql server will always end with:
++[sql] returns fail
Using Post-Auth-Type Reject
I have not mentioned in my first email about looking to unlang. I have
looked
Michal Bruncko wrote:
I have not mentioned in my first email about looking to unlang. I have
looked on it, but either I don't understand or there is not that
combination of code = value that fills for this needs (I would not
sting the truth).
sql {
fail = ok
}
Alan DeKok.
Hello Alan,
your hint gives syntax error:
/etc/raddb/sites-enabled/default[476]: Unknown action 'ok'.
/etc/raddb/sites-enabled/default[461]: Errors parsing post-auth section.
post-auth {
sql {
fail = ok
}
}
from the man unlang I assume, that ok keyword should
On 01/10/2012 06:40 PM, Michal Bruncko wrote:
Hello Alan,
your hint gives syntax error:
/etc/raddb/sites-enabled/default[476]: Unknown action 'ok'.
/etc/raddb/sites-enabled/default[461]: Errors parsing post-auth section.
post-auth {
sql {
fail = ok
}
}
from the man unlang I assume, that ok
'ok'.
/etc/raddb/sites-enabled/default[461]: Errors parsing post-auth section.
post-auth {
sql {
fail = ok
}
}
from the man unlang I assume, that ok keyword should be placed only on
the left side of statement code = value.
Maybe try:
post-auth {
redundant {
sql
ok
}
}
Hello list
I am using freeradius server as the authenticator for our WPA2 wifi
network. We are using logging of result for every authentication
request from clients to sql database through sql module in post auth
section.
but in case that the central mysql server (for many radius servers
inside the authenticate section.
man unlang
ok        the module succeeded
updated   the module updated the request
fail      the module failed
and then doc/configurable_failover
you want something like
post-auth
I still cannot figure out how to pass this value from authorize to
post-auth.
It works for PAP. The only reason it doesn't work is you're running
EAP, and that's more complicated.
Is there something extra that needs to be done in order for the value to be
preserved when running EAP
Hi,
I still cannot figure out how to pass this value from authorize to
post-auth.
It works for PAP. The only reason it doesn't work is you're running
EAP, and that's more complicated.
Is there something extra that needs to be done in order for the value
I still cannot figure out how to pass this value from authorize to
post-auth.
It works for PAP. The only reason it doesn't work is you're running
EAP, and that's more complicated.
Is there something extra that needs to be done in order for the value
- it depends on how you are doing it - are you doing post-auth
in the inner-tunnel, or in the outer virtual-server after EAP has been done?
just assign a standard RADIUS attribute and it will be there for you to use in
eg PERL
(so long as you copy-to-tunnel in your EAP config)
alan
- it depends on how you are doing it - are you doing post-auth
in the inner-tunnel, or in the outer virtual-server after EAP has been done?
just assign a standard RADIUS attribute and it will be there for you to use
in eg PERL
(so long as you copy-to-tunnel in your EAP config
Hi,
copy_request_to_tunnel = yes
As mentioned earlier, I am assigning a standard RADIUS attribute, but the
value I'm passing to it is not there when I call it, which is in the
post_auth of the outer virtual server.. I figured it made sense to put it
there, since I call the
to the LDAP than you need.)
Well, thanks so much Alan, putting all of this into the inner-tunnel
authorization block finally allows me to get the value in post-auth block (of
the inner-tunnel). The reason why I put this into the outer tunnel was because
I'm calling LDAP for authorization only so I
work.
In post-auth:
...
update reply {
Reply-Message := "You are %{control:Person-Group}."
}
...
And that should work too.
I still cannot figure out how to pass this value from authorize to
post-auth.
It works for PAP. The only reason it doesn't
Define your own [attributes]. That's why the dictionary files are editable.
Is there a private name space for that (i.e., X-*) that is guaranteed not to
conflict with future official attribute names?
On Sun, Nov 27, 2011 at 7:47 PM, Edgar Fuß e...@math.uni-bonn.de wrote:
Define your own [attributes]. That's why the dictionary files are editable.
Is there a private name space for that (i.e., X-*) that is guaranteed not to
conflict with future official attribute names?
You should be able
I was probably too fuzzy about what I actually mean, sorry.
Suppose I'm writing my own module or I'm using rlm_perl.
Then, in authenticate, I gather some information.
Later, in post-auth, I need this information for my authorization policy.
So, as far as I can see, I'll have to put
Edgar Fuß wrote:
Suppose I'm writing my own module or I'm using rlm_perl.
Then, in authenticate, I gather some information.
Later, in post-auth, I need this information for my authorization policy.
So, as far as I can see, I'll have to put this Information into an attribute.
Yes.
Am I
EF Am I supposed to use the Tmp-Xxx-N attributes for that?
ADK Define your own. That's why the dictionary files are editable.
Ah, you mean raddb/dictionary, I suppose. Thanks, I over-looked that.
Just out of curiosity: What are the pre-defined Tmp-Xxx-N attributes for, then?
This might help.
Then I want to map certain attribute like employeeStatus from our
iPlanet ldap server to some radius attribute, so I can manipulate it
in the post-auth section.
I put the following line in etc/raddb/dictionary
ATTRIBUTE My-Local-employeeStatus 3000 string
Hello,
I'm sorry for asking such a simple(?) thing, but my lack of understanding is
not due to a lack of reading, searching, trial-and-error... I just can't seem
to figure out how to reference an ldap attribute in post-auth. Using
freeradius 2.1.8, PEAPv0/EAP-MSCHAPv2 with AD
Of Adam Track
Sent: Tuesday, November 01, 2011 1:36 PM
To: ' freeradius-users@lists.freeradius.org'
Subject: Referencing LDAP attributes in post-auth
Hello,
I'm sorry for asking such a simple(?) thing, but my lack of understanding is
not due to a lack of reading, searching, trial-and-error... I just
I’m just guessing, and could be WAY
off, but may be an inner-tunnel vs. outer-tunnel thing.
In eap.conf, I've got copy_request_to_tunnel = yes and use_tunneled_reply =
yes. Neither the ldap nor perl modules are called in the inner-tunnel.
Hello,
I have a FreeRADIUS 2.1.10 server on CentOS... with a backend MySQL
database (logging) which is, as Alan would say, Broken - at peak usage
times it's horribly overloaded. Up until yesterday, our post-auth
section had a sql call not wrapped in a redundant { sql / ok }. It
seems that when
-auth
section had a sql call not wrapped in a redundant { sql / ok }. It
seems that when the MySQL server gets overloaded, and the sql module
fails/times out (can't find a configuration value for timeout, or a note
on what the timeout actually is), the post-auth section stops and
returns
Hi,
Hope the following makes sense.
I have a perl module that runs in post-auth.
It checks various things that confirms whether the user may have access and,
if not, would turn an Accept into a Reject.
I want this perl module to run whether the authentication previously failed
Johan Meiring wrote:
If the authentication was OK, and my perl module then decides to reject
the Authentication (by returning RLM_MODULE_REJECT),
Don't do that.
The post-auth section is for running modules AFTER the user has been
accepted or rejected. It doesn't make much sense to accept
On 2011/09/26 11:38 PM, Alan DeKok wrote:
Johan Meiring wrote:
If the authentication was OK, and my perl module then decides to reject
the Authentication (by returning RLM_MODULE_REJECT),
Don't do that.
The post-auth section is for running modules AFTER the user has been
accepted
Thanks for your reply.. I will test in some minutes..
But, I have a second question :
in /etc/raddb/ldap.attrmap, I have written : replyItem MailUtilisateur mail
in /etc/raddb/dictionary, I have written : ATTRIBUTE MailUtilisateur 3004 string
But when I want to use in the section post-auth
On 06/16/2011 07:28 AM, seb2020 wrote:
[ldap] looking for reply items in directory...
[ldap] mail - MailUser = seb.gir...@students.xxx.ch
MailUser != MailUtilisteur
Do you have a typo or duplicate in ldap.attrmap?
No, sorry, I have just made a wrong copy/paste. In all my files, I use
MailUtilisateur...
So, what's wrong ?
-
From Switzerland
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/If-in-post-auth-tp4491348p4494058.html
Sent from the FreeRadius - User mailing list
Hi !
I have a problem in my post-auth configuration. I have written this with the
help of my other topic in this forum:
update reply {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
Tunnel-Private-Group-Id := unauthorised
Termination-Action := RADIUS-Request
Session-Timeout := 300
Acct
seb2020 girard@gmail.com wrote:
I have a problem in my post-auth configuration. I have written this with the
help of my other topic in this forum:
update reply {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
Tunnel-Private-Group-Id := unauthorised
Termination-Action := RADIUS
and avoid mantaining doubled ldap
configurations and queries for this.
On 06-06-2011 15:13, Renan wrote:
Hello there,
I'm trying to evaluate an ldap returned attribute on the post-auth
section.
At my dictionary:
ATTRIBUTE Aa 3000 string
At my ldap.attrmap:
checkItem AA
Renan wrote:
So, according to this:
http://wiki.freeradius.org/Attribute%20support%20by%20processing%20list
I can only access the User-Name and Auth-Type at my custom exec module,
and nothing else?
Uh, no. The wiki page needs to be reformatted.
Each module has access to *all* of the
Hi Alan,
On 06/07/2011 01:30 PM, Alan DeKok wrote:
Renan wrote:
So, according to this:
http://wiki.freeradius.org/Attribute%20support%20by%20processing%20list
I can only access the User-Name and Auth-Type at my custom exec module,
and nothing else?
Uh, no. The wiki page needs to be
John Center wrote:
We talked about this, there isn't any more content there. Someone needs
to rewrite this page.
mediawiki.freeradius.org should now work. The contents can be copied
from there.
Alan DeKok.
On 06/07/2011 02:22 PM, Alan DeKok wrote:
John Center wrote:
We talked about this, there isn't any more content there. Someone needs
to rewrite this page.
mediawiki.freeradius.org should now work. The contents can be copied
from there.
Still no more content, see
=renan.manola
STATE=0x01
EAP_MESSAGE=0x0...
FRAMED_MTU=1400
PWD=/etc/freeradius
NAS_IP_ADDRESS=
SHLVL=1
NAS_PORT_ID=1371
Is that the normal behavior or was it supposed to return more variables?
My module is called at the post-auth section.
Regards.
--
Renan Manola
Analista de Tecnologia da
Renan wrote:
So all of the attributes are available except the ones that Ldap module
fetched (for example: NT-Password, Password-With-Header, my custom
defined: Aa, etc...). As a test, at my exec module I did: env
/tmp/temp_file.txt to see which variables are exported, here is the result:
On Jun 7, 2011, at 1:07 PM, John Center wrote:
On 06/07/2011 02:22 PM, Alan DeKok wrote:
John Center wrote:
We talked about this, there isn't any more content there. Someone needs
to rewrite this page.
mediawiki.freeradius.org should now work. The contents can be copied
from there.
Hello there,
I'm trying to evaluate an ldap returned attribute on the post-auth section.
At my dictionary:
ATTRIBUTE Aa 3000 string
At my ldap.attrmap:
checkItem AA eduPersonAffiliation
And at my custom module:
exec aloca_vlans {
wait = yes
On 05/12/2011 08:35 PM, Steve Staples wrote:
I understand that the query can get access to any variable, but what is
in the packet normally? or is there not a standard set of
attributes/elements in the packet?
No. It depends entirely on the NAS i.e. it's specific to you and your
On Fri, 2011-05-13 at 07:04 +0200, Alan DeKok wrote:
Steve Staples wrote:
I understand that the query can get access to any variable, but what is
in the packet normally? or is there not a standard set of
attributes/elements in the packet?
There is NOTHING standard in the packet.
Steve Staples wrote:
I wasn't sure if there was or not a standard... I guess now I can
understand why you get frustrated at *some* people
Exactly.
Q: What's in the Access-Request?
A: I've been doing this for 15 years. I have no idea.
Q: Why not? You're the expert!
A: There are too many
I've been searching the docs/wiki, and can't seem to find an answer to
this...
what variables are available to store in the rad post auth?
the sql query shows username, password, reply and date/time...
Sorry if this is documented somewhere, I just couldn't find it.
Steve
On 12/05/11 15:38, Steve Staples wrote:
I've been searching the docs/wiki, and can't seem to find an answer to
this...
what variables are available to store in the rad post auth?
The post-auth SQL query can access any variable in the packet. If you
want to store extra fields, just extend
On Thu, 2011-05-12 at 17:06 +0100, Phil Mayers wrote:
On 12/05/11 15:38, Steve Staples wrote:
I've been searching the docs/wiki, and can't seem to find an answer to
this...
what variables are available to store in the rad post auth?
The post-auth SQL query can access any variable
Steve Staples wrote:
I understand that the query can get access to any variable, but what is
in the packet normally? or is there not a standard set of
attributes/elements in the packet?
There is NOTHING standard in the packet.
If you want to know what's in the packet, use debugging mode,
Trey Briggs wrote:
I'm trying to get similar logging in mysql to what you see with:
log {
You can use rsyslog to take syslog messages, and write them to SQL.
I've found how to log accepts and rejects using the sql module in the
post-auth section, but I'm unsure how to insert the client
Hi,
I'm trying to get similar logging in mysql to what you see with:
log {
...
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
Login OK: [user/pass] (from client client port 0)
I've found how to log accepts and rejects using the sql module in the
post-auth section, but I'm unsure
accordingly (once MySQL is working again)?
-Jason
Alan DeKok wrote:
Jason Antman wrote:
And in post-auth{}:
### snip ###
if(control:Auth-Type == 'CSID'){
# Authorization happens here
authorized_macs.authorize
if(!ok){
reject
Uh... why? If the user is authenticated
Alan DeKok wrote:
Because you're doing it wrong. The whole point of accepting the user
is that you *don't* reject them.
Change your rules to reject the user *before* they're accepted. The
logging will then behave as you expect. It doesn't behave as you expect
now, because you're
On 03/29/2011 07:13 PM, Jason Antman wrote:
I just found out that the FreeRadius wiki is *not* publicly editable.
Too much spam :o(
Could whoever maintains it please update the Mac-Auth article at
http://wiki.freeradius.org/Mac-Auth to remove the parts that Alan said
make no sense?
The
This makes MUCH more sense, thanks! Now the next (relatively
new-to-radius) person won't end up as confused as I was.
I have MAC auth working with a SQL data source and custom XLAT to check
for some special field values in SQL, based on a somewhat custom schema
(more from the one-row-per-MAC
On 03/29/2011 08:52 PM, Jason Antman wrote:
This makes MUCH more sense, thanks! Now the next (relatively
new-to-radius) person won't end up as confused as I was.
I have MAC auth working with a SQL data source and custom XLAT to check
for some special field values in SQL, based on a somewhat