Please can someone say whether it's possible to receive a CoA and pass that into the REST module? I tried a simple configuration using 3.0.11 and got a startup error: /home/adrian/freeradius-server-3.0.11/etc/raddb/sites-enabled/coa[38]: "rest" modules aren't allowed in 'recv-coa' sections -- they have no such method. /home/adrian/freeradius-server-3.0.11/etc/raddb/sites-enabled/coa[23]: Errors parsing recv-coa section. We use the REST module quite extensively for auth and acct requests and would like to do similar for coa. Thanks, Adrian Smith
Hi, I haven't tried this, but it should work: recv-coa { rest.authenticate } this will call the 'authenticate' section of the rest module (you'll need another instance of the rest module, since you use auth already) kind regards Pshem On Tue, 20 Dec 2016 at 22:37 <adrian.p.smith@bt.com> wrote:
Please can someone say whether it's possible to receive a CoA and pass that into the REST module?
I tried a simple configuration using 3.0.11 and got a startup error:
/home/adrian/freeradius-server-3.0.11/etc/raddb/sites-enabled/coa[38]: "rest" modules aren't allowed in 'recv-coa' sections -- they have no such method. /home/adrian/freeradius-server-3.0.11/etc/raddb/sites-enabled/coa[23]: Errors parsing recv-coa section.
We use the REST module quite extensively for auth and acct requests and would like to do similar for coa.
Thanks,
Adrian Smith
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Please can someone say whether it's possible to receive a CoA and pass that into the REST module?
I tried a simple configuration using 3.0.11 and got a startup error:
/home/adrian/freeradius-server-3.0.11/etc/raddb/sites-enabled/coa[38]: "rest" modules aren't allowed in 'recv-coa' sections -- they have no such method. /home/adrian/freeradius-server-3.0.11/etc/raddb/sites-enabled/coa[23]: Errors parsing recv-coa section.
We use the REST module quite extensively for auth and acct requests and would like to do similar for coa.
Thanks,
Adrian Smith
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for the tip. I tried this and the server does now start up. When I send it a CoA however, I see no sign of the REST module being called: (0) Received CoA-Request Id 217 from 127.0.0.1:45490 to 127.0.0.1:3799 length 38 (0) User-Name = "adrian" (0) Calling-Station-Id = "aa-bb-cc" (0) Sent CoA-ACK Id 217 from 127.0.0.1:3799 to 127.0.0.1:45490 length 0 (0) Finished request Anything else I've missed? Thanks again. Adrian -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradius.org] On Behalf Of Pshem Kowalczyk Sent: 20 December 2016 10:30 To: FreeRadius users mailing list Subject: Re: CoA -> REST Hi, I haven't tried this, but it should work: recv-coa { rest.authenticate } this will call the 'authenticate' section of the rest module (you'll need another instance of the rest module, since you use auth already) kind regards Pshem On Tue, 20 Dec 2016 at 22:37 <adrian.p.smith@bt.com> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 20, 2016, at 5:40 AM, adrian.p.smith@bt.com wrote:
Thanks for the tip. I tried this and the server does now start up.
When I send it a CoA however, I see no sign of the REST module being called:
(0) Received CoA-Request Id 217 from 127.0.0.1:45490 to 127.0.0.1:3799 length 38 (0) User-Name = "adrian" (0) Calling-Station-Id = "aa-bb-cc" (0) Sent CoA-ACK Id 217 from 127.0.0.1:3799 to 127.0.0.1:45490 length 0 (0) Finished request
Anything else I've missed?
Read the *entire* debug log. FreeRADIUS doesn't magically ignore virtual servers. If it's not using a virtual server, it's because of a local configuration issue. The default CoA server in raddb/sites-available/coa works when it's enabled. So... what did you do? Alan DeKok.
I enabled that virtual server by linking it into sites-enabled. I then added a single line: rest.authenticate in the "server coa" recv-coa section immediately before the "ok" line. adding just "rest" stopped the server from starting. I then send the server a CoA using radclient. I see the server receiving it (as per the debug output below), but no mention of "rest.authenticate". -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 20 December 2016 15:02 To: FreeRadius users mailing list Subject: Re: CoA -> REST On Dec 20, 2016, at 5:40 AM, adrian.p.smith@bt.com wrote:
Thanks for the tip. I tried this and the server does now start up.
When I send it a CoA however, I see no sign of the REST module being called:
(0) Received CoA-Request Id 217 from 127.0.0.1:45490 to 127.0.0.1:3799 length 38 (0) User-Name = "adrian" (0) Calling-Station-Id = "aa-bb-cc" (0) Sent CoA-ACK Id 217 from 127.0.0.1:3799 to 127.0.0.1:45490 length 0 (0) Finished request
Anything else I've missed?
Read the *entire* debug log. FreeRADIUS doesn't magically ignore virtual servers. If it's not using a virtual server, it's because of a local configuration issue. The default CoA server in raddb/sites-available/coa works when it's enabled. So... what did you do? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 20, 2016, at 10:21 AM, <adrian.p.smith@bt.com> <adrian.p.smith@bt.com> wrote:
I enabled that virtual server by linking it into sites-enabled.
I then added a single line:
rest.authenticate
in the "server coa" recv-coa section immediately before the "ok" line.
adding just "rest" stopped the server from starting.
Because the "rest" module doesn't have a "coa" method.
I then send the server a CoA using radclient.
I see the server receiving it (as per the debug output below), but no mention of "rest.authenticate".
There's also no mention of the virtual server, or the "send-coa" method. My copy of v3.0.x says this: (0) Received CoA-Request Id 195 from 127.0.0.1:59155 to 127.0.0.1:3799 length 62 (0) User-Name = "bob" (0) NAS-IP-Address = 127.0.0.1 (0) Framed-IP-Address = 127.0.0.1 (0) X-Ascend-Billing-Number = "\001\032\231\002\003" (0) # Executing section recv-coa from file ./raddb/sites-enabled/coa (0) recv-coa { (0) [suffix] = noop (0) [ok] = ok (0) } # recv-coa = ok (0) # Executing section send-coa from file ./raddb/sites-enabled/coa (0) send-coa { (0) [ok] = ok (0) } # send-coa = ok (0) Sent CoA-ACK Id 195 from 127.0.0.1:3799 to 127.0.0.1:59155 length 0 If you're running an old version of the server, upgrade. Odds are it has bugs which have been found and fixed years ago. This is also why we suggest posting the debug output to the list. *ALL* of the debug output. It contains version information, which lets us know that you're running an out of date system. Alan DeKok.
On Tue, Dec 20, 2016 at 03:21:55PM +0000, adrian.p.smith@bt.com wrote:
I enabled that virtual server by linking it into sites-enabled.
I then added a single line:
rest.authenticate
in the "server coa" recv-coa section immediately before the "ok" line.
adding just "rest" stopped the server from starting.
I then send the server a CoA using radclient.
I see the server receiving it (as per the debug output below), but no mention of "rest.authenticate".
If I start from a completely clean 3.0.x install, and link coa into sites-enabled, and send it a coa packet with radclient, I get eceived CoA-Request Id 27 from 127.0.0.1:43031 to 127.0.0.1:3799 length 25 (0) User-Name = "test" (0) # Executing section recv-coa from file /opt/fr3/etc/raddb/sites-enabled/coa (0) recv-coa { (0) [suffix] = noop (0) [ok] = ok (0) } # recv-coa = ok (0) # Executing section send-coa from file /opt/fr3/etc/raddb/sites-enabled/coa (0) send-coa { (0) [ok] = ok (0) } # send-coa = ok (0) Sent CoA-ACK Id 27 from 127.0.0.1:3799 to 127.0.0.1:43031 length 0 (0) Finished request so... as Alan said: what is the *entire* debug output? All the debug lines right from and including the FreeRADIUS banner at the top actually matter, contrary to popular belief on this list :(. Or, compare to a completely clean install, see what the difference is, and work from there. Matthew
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 20 December 2016 15:02 To: FreeRadius users mailing list Subject: Re: CoA -> REST
On Dec 20, 2016, at 5:40 AM, adrian.p.smith@bt.com wrote:
Thanks for the tip. I tried this and the server does now start up.
When I send it a CoA however, I see no sign of the REST module being called:
(0) Received CoA-Request Id 217 from 127.0.0.1:45490 to 127.0.0.1:3799 length 38 (0) User-Name = "adrian" (0) Calling-Station-Id = "aa-bb-cc" (0) Sent CoA-ACK Id 217 from 127.0.0.1:3799 to 127.0.0.1:45490 length 0 (0) Finished request
Anything else I've missed?
Read the *entire* debug log.
FreeRADIUS doesn't magically ignore virtual servers. If it's not using a virtual server, it's because of a local configuration issue.
The default CoA server in raddb/sites-available/coa works when it's enabled.
So... what did you do?
Alan DeKok.
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I was using 3.0.11. I have built 3.0.12 from scratch and tried that with more success. Ready to process requests (0) Received CoA-Request Id 134 from 127.0.0.1:43349 to 127.0.0.1:3799 length 56 (0) User-Name = "adrian" (0) Calling-Station-Id = "aa-bb-cc" (0) User-Password = "\210\317\357\267\025 \362\\\r\203VI\367W\315%" (0) # Executing section recv-coa from file /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/coa (0) recv-coa { (0) [suffix] = noop (0) rest: ERROR: You set 'Auth-Type = REST' for a request that does not contain a User-Password attribute! (0) [rest.authenticate] = invalid (0) } # recv-coa = invalid (0) # Executing section send-coa from file /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/coa (0) send-coa { (0) [ok] = ok (0) } # send-coa = ok (0) Sent CoA-NAK Id 134 from 127.0.0.1:3799 to 127.0.0.1:43349 length 0 (0) Finished request So this seems to raise a couple of issues for me. 1. I am sending a User-Password but FreeRadius thinks not? 2. In the real scenario, I probably wouldn't have a password at this point. I guess I can just send a dummy one? Assuming I can get #1 to work. Are there any plans to improve the REST module to handle CoA directly? Thanks again. Adrian -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradius.org] On Behalf Of Matthew Newton Sent: 20 December 2016 15:43 To: FreeRadius users mailing list Subject: Re: CoA -> REST On Tue, Dec 20, 2016 at 03:21:55PM +0000, adrian.p.smith@bt.com wrote:
I enabled that virtual server by linking it into sites-enabled.
I then added a single line:
rest.authenticate
in the "server coa" recv-coa section immediately before the "ok" line.
adding just "rest" stopped the server from starting.
I then send the server a CoA using radclient.
I see the server receiving it (as per the debug output below), but no mention of "rest.authenticate".
If I start from a completely clean 3.0.x install, and link coa into sites-enabled, and send it a coa packet with radclient, I get eceived CoA-Request Id 27 from 127.0.0.1:43031 to 127.0.0.1:3799 length 25 (0) User-Name = "test" (0) # Executing section recv-coa from file /opt/fr3/etc/raddb/sites-enabled/coa (0) recv-coa { (0) [suffix] = noop (0) [ok] = ok (0) } # recv-coa = ok (0) # Executing section send-coa from file /opt/fr3/etc/raddb/sites-enabled/coa (0) send-coa { (0) [ok] = ok (0) } # send-coa = ok (0) Sent CoA-ACK Id 27 from 127.0.0.1:3799 to 127.0.0.1:43031 length 0 (0) Finished request so... as Alan said: what is the *entire* debug output? All the debug lines right from and including the FreeRADIUS banner at the top actually matter, contrary to popular belief on this list :(. Or, compare to a completely clean install, see what the difference is, and work from there. Matthew
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradiu s.org] On Behalf Of Alan DeKok Sent: 20 December 2016 15:02 To: FreeRadius users mailing list Subject: Re: CoA -> REST
On Dec 20, 2016, at 5:40 AM, adrian.p.smith@bt.com wrote:
Thanks for the tip. I tried this and the server does now start up.
When I send it a CoA however, I see no sign of the REST module being called:
(0) Received CoA-Request Id 217 from 127.0.0.1:45490 to 127.0.0.1:3799 length 38 (0) User-Name = "adrian" (0) Calling-Station-Id = "aa-bb-cc" (0) Sent CoA-ACK Id 217 from 127.0.0.1:3799 to 127.0.0.1:45490 length 0 (0) Finished request
Anything else I've missed?
Read the *entire* debug log.
FreeRADIUS doesn't magically ignore virtual servers. If it's not using a virtual server, it's because of a local configuration issue.
The default CoA server in raddb/sites-available/coa works when it's enabled.
So... what did you do?
Alan DeKok.
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 20, 2016, at 11:12 AM, <adrian.p.smith@bt.com> <adrian.p.smith@bt.com> wrote:
I was using 3.0.11.
I have built 3.0.12 from scratch and tried that with more success.
That's good.
So this seems to raise a couple of issues for me.
1. I am sending a User-Password but FreeRadius thinks not?
FreeRADIUS is receiving the password. The problem is that the RFCs say you're not allowed to put User-Password into CoA packets.
2. In the real scenario, I probably wouldn't have a password at this point. I guess I can just send a dummy one? Assuming I can get #1 to work.
The better question is why do you want to send a password in a CoA request?
Are there any plans to improve the REST module to handle CoA directly?
Sure. Send a patch. It should be about ~60 lines of code. Just cut & paste & edit. Alan DeKok.
If I don't send a password, then the rest.authenticate complains. That was what was suggested I try. So I guess that's a non-starter. I guess I could have a crack at a patch. Will have to see what the big bosses say! Thanks. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 20 December 2016 16:20 To: FreeRadius users mailing list Subject: Re: CoA -> REST On Dec 20, 2016, at 11:12 AM, <adrian.p.smith@bt.com> <adrian.p.smith@bt.com> wrote:
I was using 3.0.11.
I have built 3.0.12 from scratch and tried that with more success.
That's good.
So this seems to raise a couple of issues for me.
1. I am sending a User-Password but FreeRadius thinks not?
FreeRADIUS is receiving the password. The problem is that the RFCs say you're not allowed to put User-Password into CoA packets.
2. In the real scenario, I probably wouldn't have a password at this point. I guess I can just send a dummy one? Assuming I can get #1 to work.
The better question is why do you want to send a password in a CoA request?
Are there any plans to improve the REST module to handle CoA directly?
Sure. Send a patch. It should be about ~60 lines of code. Just cut & paste & edit. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
YES! Thanks again. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 20 December 2016 16:44 To: FreeRadius users mailing list Subject: Re: CoA -> REST
On Dec 20, 2016, at 11:24 AM, <adrian.p.smith@bt.com> <adrian.p.smith@bt.com> wrote:
If I don't send a password, then the rest.authenticate complains.
That was what was suggested I try. So I guess that's a non-starter.
Then use rest.authorize ... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Dec 20, 2016 at 04:24:17PM +0000, adrian.p.smith@bt.com wrote:
If I don't send a password, then the rest.authenticate complains.
You could always use rest.accounting, or rest.post-auth, etc, instead. Depends on what you want to do with it I guess. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Tue, Dec 20, 2016 at 04:24:17PM +0000, adrian.p.smith@bt.com wrote:
I guess I could have a crack at a patch. Will have to see what the big bosses say!
Try https://github.com/mcnewton/freeradius-server/tree/coa-rest and see if it works. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Having trouble building that branch. ... LINK build/bin/rlm_ippool_tool CC src/modules/rlm_krb5/rlm_krb5.c CC src/modules/rlm_krb5/krb5.c LINK build/lib/rlm_krb5.la make: *** No rule to make target `/home/adrian/work/freeradius-server-coa/src/freeradius-devel/map_proc.h', needed by `build/objs/src/modules/rlm_ldap/rlm_ldap.lo'. Stop. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradius.org] On Behalf Of Matthew Newton Sent: 20 December 2016 17:04 To: FreeRadius users mailing list Subject: Re: CoA -> REST On Tue, Dec 20, 2016 at 04:24:17PM +0000, adrian.p.smith@bt.com wrote:
I guess I could have a crack at a patch. Will have to see what the big bosses say!
Try https://github.com/mcnewton/freeradius-server/tree/coa-rest and see if it works. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, Dec 21, 2016 at 09:01:31AM +0000, adrian.p.smith@bt.com wrote:
Having trouble building that branch.
... LINK build/bin/rlm_ippool_tool CC src/modules/rlm_krb5/rlm_krb5.c CC src/modules/rlm_krb5/krb5.c LINK build/lib/rlm_krb5.la make: *** No rule to make target `/home/adrian/work/freeradius-server-coa/src/freeradius-devel/map_proc.h', needed by `build/objs/src/modules/rlm_ldap/rlm_ldap.lo'. Stop.
Weird, no problems building it here. And that error's not in rlm_rest anyway. Do 3.0.12 or v3.0.x HEAD build? Make sure you're starting from a completely clean build tree. Matthew
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradius.org] On Behalf Of Matthew Newton Sent: 20 December 2016 17:04 To: FreeRadius users mailing list Subject: Re: CoA -> REST
On Tue, Dec 20, 2016 at 04:24:17PM +0000, adrian.p.smith@bt.com wrote:
I guess I could have a crack at a patch. Will have to see what the big bosses say!
Try
https://github.com/mcnewton/freeradius-server/tree/coa-rest
and see if it works.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
OK, my bad - it was dirty from where I tried to build before checking out the correct branch. Works like a charm! Be great to get this into the next release? Regards, Adrian -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradius.org] On Behalf Of Matthew Newton Sent: 21 December 2016 10:42 To: FreeRadius users mailing list Subject: Re: CoA -> REST On Wed, Dec 21, 2016 at 09:01:31AM +0000, adrian.p.smith@bt.com wrote:
Having trouble building that branch.
... LINK build/bin/rlm_ippool_tool CC src/modules/rlm_krb5/rlm_krb5.c CC src/modules/rlm_krb5/krb5.c LINK build/lib/rlm_krb5.la make: *** No rule to make target `/home/adrian/work/freeradius-server-coa/src/freeradius-devel/map_proc.h', needed by `build/objs/src/modules/rlm_ldap/rlm_ldap.lo'. Stop.
Weird, no problems building it here. And that error's not in rlm_rest anyway. Do 3.0.12 or v3.0.x HEAD build? Make sure you're starting from a completely clean build tree. Matthew
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradiu s.org] On Behalf Of Matthew Newton Sent: 20 December 2016 17:04 To: FreeRadius users mailing list Subject: Re: CoA -> REST
On Tue, Dec 20, 2016 at 04:24:17PM +0000, adrian.p.smith@bt.com wrote:
I guess I could have a crack at a patch. Will have to see what the big bosses say!
Try
https://github.com/mcnewton/freeradius-server/tree/coa-rest
and see if it works.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, Dec 21, 2016 at 09:01:31AM +0000, adrian.p.smith@bt.com wrote:
Having trouble building that branch.
Forget about that branch now - Alan's done essentially the same commit directly in v3.0.x HEAD: https://github.com/FreeRADIUS/freeradius-server/commit/848ad8590118f8db413dd... so you should use that instead. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Many thanks everyone. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradius.org] On Behalf Of Matthew Newton Sent: 21 December 2016 11:03 To: FreeRadius users mailing list Subject: Re: CoA -> REST On Wed, Dec 21, 2016 at 09:01:31AM +0000, adrian.p.smith@bt.com wrote:
Having trouble building that branch.
Forget about that branch now - Alan's done essentially the same commit directly in v3.0.x HEAD: https://github.com/FreeRADIUS/freeradius-server/commit/848ad8590118f8db413dd... so you should use that instead. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here is the full output: FreeRADIUS Version 3.0.12 Copyright (C) 1999-2016 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /home/adrian/freeradius-server-3.0.12/share/freeradius/dictionary including dictionary file /home/adrian/freeradius-server-3.0.12/share/freeradius/dictionary.dhcp including dictionary file /home/adrian/freeradius-server-3.0.12/share/freeradius/dictionary.vqp including dictionary file /home/adrian/freeradius-server-3.0.12/etc/raddb/dictionary including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/radiusd.conf including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/proxy.conf including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/clients.conf including files in directory /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/ including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/chap including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/dynamic_clients including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/files including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/rest including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/sradutmp including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/mschap including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/soh including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/ntlm_auth including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/realm including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/utf8 including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/attr_filter including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/passwd including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/echo including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/unpack including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/date including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/linelog including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/preprocess including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/detail including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/exec including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/eap including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/unix including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/digest including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/detail.log including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/pap including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/cache_eap including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/dhcp including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/expiration including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/radutmp including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/replicate including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/expr including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/logintime including files in directory /home/adrian/freeradius-server-3.0.12/etc/raddb/policy.d/ including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/policy.d/canonicalization including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/policy.d/debug including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/policy.d/eap including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/policy.d/operator-name including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/policy.d/dhcp including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/policy.d/cui including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/policy.d/control including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/policy.d/filter including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/policy.d/accounting including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/policy.d/abfab-tr including files in directory /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/ including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/default including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/coa including configuration file /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/inner-tunnel main { name = "radiusd" prefix = "/home/adrian/freeradius-server-3.0.12" localstatedir = "/home/adrian/freeradius-server-3.0.12/var" sbindir = "/home/adrian/freeradius-server-3.0.12/sbin" logdir = "/home/adrian/freeradius-server-3.0.12/var/log/radius" run_dir = "/home/adrian/freeradius-server-3.0.12/var/run/radiusd" libdir = "/home/adrian/freeradius-server-3.0.12/lib" radacctdir = "/home/adrian/freeradius-server-3.0.12/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/home/adrian/freeradius-server-3.0.12/var/run/radiusd/radiusd.pid" checkrad = "/home/adrian/freeradius-server-3.0.12/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "CVE-2016-6304" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Found debugger attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_chap # Loading module "chap" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/chap # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_files # Loading module "files" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/files files { filename = "/home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/files/authorize" acctusersfile = "/home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_rest # Loading module "rest" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/rest rest { connect_uri = "http://127.0.0.1:8895/" connect_timeout = 4.000000 } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/home/adrian/freeradius-server-3.0.12/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_mschap # Loading module "mschap" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Loaded module rlm_soh # Loading module "soh" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_exec # Loading module "ntlm_auth" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_always # Loading module "reject" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_utf8 # Loading module "utf8" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/utf8 # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loading module "echo" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_unpack # Loading module "unpack" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/unpack # Loaded module rlm_date # Loading module "date" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" } # Loaded module rlm_linelog # Loading module "linelog" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/linelog linelog { filename = "/home/adrian/freeradius-server-3.0.12/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/home/adrian/freeradius-server-3.0.12/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_preprocess # Loading module "preprocess" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/preprocess/huntgroups" hints = "/home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_detail # Loading module "detail" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/detail detail { filename = "/home/adrian/freeradius-server-3.0.12/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "exec" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_eap # Loading module "eap" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_unix # Loading module "unix" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/unix unix { radwtmp = "/home/adrian/freeradius-server-3.0.12/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_digest # Loading module "digest" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/digest # Loading module "auth_log" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/home/adrian/freeradius-server-3.0.12/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/home/adrian/freeradius-server-3.0.12/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/home/adrian/freeradius-server-3.0.12/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/home/adrian/freeradius-server-3.0.12/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_pap # Loading module "pap" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_cache # Loading module "cache_eap" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_dhcp # Loading module "dhcp" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/dhcp # Loaded module rlm_expiration # Loading module "expiration" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/expiration # Loading module "radutmp" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/radutmp radutmp { filename = "/home/adrian/freeradius-server-3.0.12/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_replicate # Loading module "replicate" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/replicate # Loaded module rlm_expr # Loading module "expr" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_logintime # Loading module "logintime" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } instantiate { } # Instantiating module "files" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/files reading pairlist file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/files/authorize reading pairlist file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/files/accounting reading pairlist file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/files/pre-proxy # Instantiating module "rest" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/rest authorize { uri = "http://127.0.0.1:8895//user/%{User-Name}/mac/%{Called-Station-ID}?action=authorize" method = "get" body = "none" auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } } authenticate { uri = "http://127.0.0.1:8895//user/%{User-Name}/mac/%{Called-Station-ID}?action=authenticate" method = "get" body = "none" auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } } accounting { uri = "http://127.0.0.1:8895//user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}" method = "post" body = "none" auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } } post-auth { uri = "http://127.0.0.1:8895//user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth" method = "post" body = "none" auth = "none" require_auth = no timeout = 4.000000 chunk = 0 tls { check_cert = yes check_cert_cn = yes } } rlm_rest: libcurl version: libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3 rlm_rest (rest): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_rest (rest): Opening additional connection (0), 1 of 32 pending slots used rlm_rest (rest): Connecting to "http://127.0.0.1:8895/" rlm_rest (rest): Opening additional connection (1), 1 of 31 pending slots used rlm_rest (rest): Connecting to "http://127.0.0.1:8895/" rlm_rest (rest): Opening additional connection (2), 1 of 30 pending slots used rlm_rest (rest): Connecting to "http://127.0.0.1:8895/" rlm_rest (rest): Opening additional connection (3), 1 of 29 pending slots used rlm_rest (rest): Connecting to "http://127.0.0.1:8895/" rlm_rest (rest): Opening additional connection (4), 1 of 28 pending slots used rlm_rest (rest): Connecting to "http://127.0.0.1:8895/" # Instantiating module "mschap" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "IPASS" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/realm # Instantiating module "reject" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/attr_filter reading pairlist file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/attr_filter reading pairlist file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/attr_filter reading pairlist file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/attr_filter/access_reject [/home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/attr_filter reading pairlist file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/attr_filter reading pairlist file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "etc_passwd" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "linelog" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/linelog # Instantiating module "preprocess" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/preprocess reading pairlist file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-config/preprocess/hints # Instantiating module "detail" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/detail # Instantiating module "eap" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/home/adrian/freeradius-server-3.0.12/etc/raddb/certs" pem_file_type = yes private_key_file = "/home/adrian/freeradius-server-3.0.12/etc/raddb/certs/server.pem" certificate_file = "/home/adrian/freeradius-server-3.0.12/etc/raddb/certs/server.pem" ca_file = "/home/adrian/freeradius-server-3.0.12/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/home/adrian/freeradius-server-3.0.12/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "auth_log" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/detail.log # Instantiating module "pap" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/pap # Instantiating module "cache_eap" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "expiration" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/expiration # Instantiating module "logintime" from file /home/adrian/freeradius-server-3.0.12/etc/raddb/mods-enabled/logintime } # modules radiusd: #### Loading Virtual Servers #### server { # from file /home/adrian/freeradius-server-3.0.12/etc/raddb/radiusd.conf } # server server default { # from file /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server coa { # from file /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/coa # Loading recv-coa {...} # Loading send-coa {...} } # server coa server inner-tunnel { # from file /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "coa" virtual_server = "coa" ipaddr = * port = 3799 } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on coa address * port 3799 bound to server coa Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 61649 Listening on proxy address :: port 55192 Ready to process requests (0) Received CoA-Request Id 134 from 127.0.0.1:43349 to 127.0.0.1:3799 length 56 (0) User-Name = "adrian" (0) Calling-Station-Id = "aa-bb-cc" (0) User-Password = "\210\317\357\267\025 \362\\\r\203VI\367W\315%" (0) # Executing section recv-coa from file /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/coa (0) recv-coa { (0) [suffix] = noop (0) rest: ERROR: You set 'Auth-Type = REST' for a request that does not contain a User-Password attribute! (0) [rest.authenticate] = invalid (0) } # recv-coa = invalid (0) # Executing section send-coa from file /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/coa (0) send-coa { (0) [ok] = ok (0) } # send-coa = ok (0) Sent CoA-NAK Id 134 from 127.0.0.1:3799 to 127.0.0.1:43349 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 134 with timestamp +16 Ready to process requests -----Original Message----- From: Smith,AP,Adrian,TNK6 R Sent: 20 December 2016 16:12 To: FreeRadius users mailing list Subject: RE: CoA -> REST I was using 3.0.11. I have built 3.0.12 from scratch and tried that with more success. Ready to process requests (0) Received CoA-Request Id 134 from 127.0.0.1:43349 to 127.0.0.1:3799 length 56 (0) User-Name = "adrian" (0) Calling-Station-Id = "aa-bb-cc" (0) User-Password = "\210\317\357\267\025 \362\\\r\203VI\367W\315%" (0) # Executing section recv-coa from file /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/coa (0) recv-coa { (0) [suffix] = noop (0) rest: ERROR: You set 'Auth-Type = REST' for a request that does not contain a User-Password attribute! (0) [rest.authenticate] = invalid (0) } # recv-coa = invalid (0) # Executing section send-coa from file /home/adrian/freeradius-server-3.0.12/etc/raddb/sites-enabled/coa (0) send-coa { (0) [ok] = ok (0) } # send-coa = ok (0) Sent CoA-NAK Id 134 from 127.0.0.1:3799 to 127.0.0.1:43349 length 0 (0) Finished request So this seems to raise a couple of issues for me. 1. I am sending a User-Password but FreeRadius thinks not? 2. In the real scenario, I probably wouldn't have a password at this point. I guess I can just send a dummy one? Assuming I can get #1 to work. Are there any plans to improve the REST module to handle CoA directly? Thanks again. Adrian -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradius.org] On Behalf Of Matthew Newton Sent: 20 December 2016 15:43 To: FreeRadius users mailing list Subject: Re: CoA -> REST On Tue, Dec 20, 2016 at 03:21:55PM +0000, adrian.p.smith@bt.com wrote:
I enabled that virtual server by linking it into sites-enabled.
I then added a single line:
rest.authenticate
in the "server coa" recv-coa section immediately before the "ok" line.
adding just "rest" stopped the server from starting.
I then send the server a CoA using radclient.
I see the server receiving it (as per the debug output below), but no mention of "rest.authenticate".
If I start from a completely clean 3.0.x install, and link coa into sites-enabled, and send it a coa packet with radclient, I get eceived CoA-Request Id 27 from 127.0.0.1:43031 to 127.0.0.1:3799 length 25 (0) User-Name = "test" (0) # Executing section recv-coa from file /opt/fr3/etc/raddb/sites-enabled/coa (0) recv-coa { (0) [suffix] = noop (0) [ok] = ok (0) } # recv-coa = ok (0) # Executing section send-coa from file /opt/fr3/etc/raddb/sites-enabled/coa (0) send-coa { (0) [ok] = ok (0) } # send-coa = ok (0) Sent CoA-ACK Id 27 from 127.0.0.1:3799 to 127.0.0.1:43031 length 0 (0) Finished request so... as Alan said: what is the *entire* debug output? All the debug lines right from and including the FreeRADIUS banner at the top actually matter, contrary to popular belief on this list :(. Or, compare to a completely clean install, see what the difference is, and work from there. Matthew
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com@lists.freeradiu s.org] On Behalf Of Alan DeKok Sent: 20 December 2016 15:02 To: FreeRadius users mailing list Subject: Re: CoA -> REST
On Dec 20, 2016, at 5:40 AM, adrian.p.smith@bt.com wrote:
Thanks for the tip. I tried this and the server does now start up.
When I send it a CoA however, I see no sign of the REST module being called:
(0) Received CoA-Request Id 217 from 127.0.0.1:45490 to 127.0.0.1:3799 length 38 (0) User-Name = "adrian" (0) Calling-Station-Id = "aa-bb-cc" (0) Sent CoA-ACK Id 217 from 127.0.0.1:3799 to 127.0.0.1:45490 length 0 (0) Finished request
Anything else I've missed?
Read the *entire* debug log.
FreeRADIUS doesn't magically ignore virtual servers. If it's not using a virtual server, it's because of a local configuration issue.
The default CoA server in raddb/sites-available/coa works when it's enabled.
So... what did you do?
Alan DeKok.
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
adrian.p.smith@bt.com -
Alan DeKok -
Matthew Newton -
Pshem Kowalczyk