Multi-valued LDAP attribute configuration
Hi, I have installed FreeRADIUS server (Version 3.0.4) on Cent 7 OS and configured the external authentication with 389-DS server using rlm_ldap module. I would like to authenticate the mac address of all the user which I have stored in LDAP. The macaddress field in LDAP is a multi value attribute and the Freeraiud is communicating with LDAP without any issues, but the freeradius is authenticating only the first macaddress value from LDAP's multi value field. I would like to configure the Freeradius to authenticate all the values from multi value filed. Someone suggested that we can configure this using rlm_python or rlm_perl module. I am not a coder and I am not able to find any step by guide to configure the same. Could someone guide me on how to configure the Freeradius to authenticate Multi-valued LDAP attribute? Thank you in advance for your time and support. Regards, -- Srinivas R
On Sep 12, 2017, at 9:00 AM, Srinivasa R <srinivasa.r@icts.res.in> wrote:
I have installed FreeRADIUS server (Version 3.0.4)
I would suggest upgrading to 3.0.15.
on Cent 7 OS and configured the external authentication with 389-DS server using rlm_ldap module. I would like to authenticate the mac address of all the user which I have stored in LDAP. The macaddress field in LDAP is a multi value attribute and the Freeraiud is communicating with LDAP without any issues, but the freeradius is authenticating only the first macaddress value from LDAP's multi value field.
That's how it works, unfortunately...
I would like to configure the Freeradius to authenticate all the values from multi value filed.
What does that mean? To allow any of those MAC addresses to be used?
Someone suggested that we can configure this using rlm_python or rlm_perl module. I am not a coder and I am not able to find any step by guide to configure the same. Could someone guide me on how to configure the Freeradius to authenticate Multi-valued LDAP attribute?
FreeRADIUS doesn't support multivalued attributes like that. Alan DeKok.
On Tue, Sep 12, 2017 at 6:43 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 12, 2017, at 9:00 AM, Srinivasa R <srinivasa.r@icts.res.in> wrote:
I have installed FreeRADIUS server (Version 3.0.4)
I would suggest upgrading to 3.0.15.
Sure, I will upgrade it.
on Cent 7 OS and configured the external authentication with 389-DS server using rlm_ldap module. I would like to authenticate the mac address of all the user which I have stored in LDAP. The macaddress field in LDAP is a multi value attribute and the Freeraiud is communicating with LDAP without any issues, but the freeradius is authenticating only the first macaddress value from LDAP's multi value field.
That's how it works, unfortunately...
I would like to configure the Freeradius to authenticate all the values from multi value filed.
What does that mean? To allow any of those MAC addresses to be used?
I mean, I am storing 3 different macaddresses (like laptop, tab, & phone) in a single LDAP attribute (multiple value). I want Freerdaius to check all these 3 values from the LDAP before it send "Access-Accept" or "Access-Reject" message.
Someone suggested that we can configure this using rlm_python or rlm_perl module. I am not a coder and I am not able to find any step by guide to configure the same. Could someone guide me on how to configure the Freeradius to authenticate Multi-valued LDAP attribute?
FreeRADIUS doesn't support multivalued attributes like that.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Regards, -- Srinivas R
Srinivasa R wrote:
I mean, I am storing 3 different macaddresses (like laptop, tab, & phone) in a single LDAP attribute (multiple value). I want Freerdaius to check all these 3 values from the LDAP before it send "Access-Accept" or "Access-Reject" message.
Instead of comparing client's MAC address with all 3 attribute values you could probably simply search the entry with the client's MAC address used in the LDAP search filter and reject in case there was no LDAP search result. Also LDAP implements compare requests. Ciao, Michael.
Hi Michael, On Tue, Sep 12, 2017 at 7:30 PM, Michael Ströder <michael@stroeder.com> wrote:
Srinivasa R wrote:
I mean, I am storing 3 different macaddresses (like laptop, tab, & phone) in a single LDAP attribute (multiple value). I want Freerdaius to check all these 3 values from the LDAP before it send "Access-Accept" or "Access-Reject" message.
Instead of comparing client's MAC address with all 3 attribute values you could probably simply search the entry with the client's MAC address used in the LDAP search filter and reject in case there was no LDAP search result.
Also LDAP implements compare requests.
Thanks for your suggstion. I am okay with any method which will make Freeradius to check all the three values. Could you please explain in more detail or share me any refernece document to proceed further on this.
Ciao, Michael.
Regards, -- Srinivas R
Am Di, 12.09.2017 um 18:30 schrieb Srinivasa R <srinivasa.r@icts.res.in>:
I have installed FreeRADIUS server (Version 3.0.4) on Cent 7 OS and configured the external authentication with 389-DS server using rlm_ldap module. I would like to authenticate the mac address of all the user which I have stored in LDAP. The macaddress field in LDAP is a multi value attribute and the Freeraiud is communicating with LDAP without any issues, but the freeradius is authenticating only the first macaddress value from LDAP's multi value field.
I would like to configure the Freeradius to authenticate all the values from multi value filed. Someone suggested that we can configure this using rlm_python or rlm_perl module. I am not a coder and I am not able to find any step by guide to configure the same. Could someone guide me on how to configure the Freeradius to authenticate Multi-valued LDAP attribute?
I used unlang features to implement sth. like this. I think you can adapt it to your use case. In the LDAP module I have sth like update { request:gwdg-user-services += 'userServices' } where userServices is multi-valued and sometimes included 'eduroamNotAllowed' In the site I check against all occurrences: if ( &gwdg-user-services[*] !~ /eduroamNotAllowed/ ) { ... } lg /Steffen -- Steffen Klemer E-Mail: Steffen.Klemer@gwdg.de Tel: +49 551 201 2170 ------------------------------------------------------------------ GWDG - Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen Am Faßberg 11, 37077 Göttingen Service-Hotline: Tel: +49 551 201-1523 E-Mail: support@gwdg.de Kontakt: Tel: 0551 201-1510 Fax: 0551 201-2150 E-Mail: gwdg@gwdg.de WWW: https://www.gwdg.de ------------------------------------------------------------------ Geschäftsführer: Prof. Dr. Ramin Yahyapour Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger Sitz der Gesellschaft: Göttingen Registergericht: Göttingen, Handelsregister-Nr. B 598 ------------------------------------------------------------------ Zertifiziert nach ISO 9001 ------------------------------------------------------------------
What you should do a ldap query based on the incoming MAC address: user { filter = "(userServices=%{User-Name})" Assuming the User-Name is the MAC address of the incoming client. The "userServices" I assume is the multi-valued attribute in your ldap directory. Then if you get a response you know the record exists, otherwise it doesn't and reject the request. On Wed, Sep 13, 2017 at 4:36 AM, Steffen Klemer <steffen.klemer@gwdg.de> wrote:
Am Di, 12.09.2017 um 18:30 schrieb Srinivasa R <srinivasa.r@icts.res.in>:
I have installed FreeRADIUS server (Version 3.0.4) on Cent 7 OS and configured the external authentication with 389-DS server using rlm_ldap module. I would like to authenticate the mac address of all the user which I have stored in LDAP. The macaddress field in LDAP is a multi value attribute and the Freeraiud is communicating with LDAP without any issues, but the freeradius is authenticating only the first macaddress value from LDAP's multi value field.
I would like to configure the Freeradius to authenticate all the values from multi value filed. Someone suggested that we can configure this using rlm_python or rlm_perl module. I am not a coder and I am not able to find any step by guide to configure the same. Could someone guide me on how to configure the Freeradius to authenticate Multi-valued LDAP attribute?
I used unlang features to implement sth. like this. I think you can adapt it to your use case.
In the LDAP module I have sth like
update { request:gwdg-user-services += 'userServices' }
where userServices is multi-valued and sometimes included 'eduroamNotAllowed'
In the site I check against all occurrences:
if ( &gwdg-user-services[*] !~ /eduroamNotAllowed/ ) { ... }
lg /Steffen
-- Steffen Klemer E-Mail: Steffen.Klemer@gwdg.de Tel: +49 551 201 2170
------------------------------------------------------------------ GWDG - Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen Am Faßberg 11, 37077 Göttingen
Service-Hotline: Tel: +49 551 201-1523 E-Mail: support@gwdg.de
Kontakt: Tel: 0551 201-1510 Fax: 0551 201-2150 E-Mail: gwdg@gwdg.de WWW: https://www.gwdg.de ------------------------------------------------------------------ Geschäftsführer: Prof. Dr. Ramin Yahyapour Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger Sitz der Gesellschaft: Göttingen Registergericht: Göttingen, Handelsregister-Nr. B 598 ------------------------------------------------------------------ Zertifiziert nach ISO 9001 ------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Hi Peter, On Wed, Sep 13, 2017 at 2:51 AM, Peter Lambrechtsen <peter@crypt.nz> wrote:
What you should do a ldap query based on the incoming MAC address:
user { filter = "(userServices=%{User-Name})"
Assuming the User-Name is the MAC address of the incoming client. The "userServices" I assume is the multi-valued attribute in your ldap directory.
I have tried this, but it checking for the first value only and accepting only for the first filed value out of three.
Then if you get a response you know the record exists, otherwise it doesn't and reject the request.
On Wed, Sep 13, 2017 at 4:36 AM, Steffen Klemer <steffen.klemer@gwdg.de> wrote:
Am Di, 12.09.2017 um 18:30 schrieb Srinivasa R <srinivasa.r@icts.res.in>:
I have installed FreeRADIUS server (Version 3.0.4) on Cent 7 OS and configured the external authentication with 389-DS server using rlm_ldap module. I would like to authenticate the mac address of all the user which I have stored in LDAP. The macaddress field in LDAP is a multi value attribute and the Freeraiud is communicating with LDAP without any issues, but the freeradius is authenticating only the first macaddress value from LDAP's multi value field.
I would like to configure the Freeradius to authenticate all the values from multi value filed. Someone suggested that we can configure this using rlm_python or rlm_perl module. I am not a coder and I am not able to find any step by guide to configure the same. Could someone guide me on how to configure the Freeradius to authenticate Multi-valued LDAP attribute?
I used unlang features to implement sth. like this. I think you can adapt it to your use case.
In the LDAP module I have sth like
update { request:gwdg-user-services += 'userServices' }
where userServices is multi-valued and sometimes included 'eduroamNotAllowed'
In the site I check against all occurrences:
if ( &gwdg-user-services[*] !~ /eduroamNotAllowed/ ) { ... }
lg /Steffen
-- Steffen Klemer E-Mail: Steffen.Klemer@gwdg.de Tel: +49 551 201 2170
------------------------------------------------------------------ GWDG - Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen Am Faßberg 11, 37077 Göttingen
Service-Hotline: Tel: +49 551 201-1523 E-Mail: support@gwdg.de
Kontakt: Tel: 0551 201-1510 Fax: 0551 201-2150 E-Mail: gwdg@gwdg.de WWW: https://www.gwdg.de ------------------------------------------------------------------ Geschäftsführer: Prof. Dr. Ramin Yahyapour Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger Sitz der Gesellschaft: Göttingen Registergericht: Göttingen, Handelsregister-Nr. B 598 ------------------------------------------------------------------ Zertifiziert nach ISO 9001 ------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Regards, -- Srinivas R
Do the LDAP query using the command line tool “ldapsearch”. If you really have a multi-valued attribute with the right value(s) it should work. I’d expect to see something like: dn: cn=foo,dc=bar,dc=com cn: foo userServices: 00:01:02:03:04:05 userServices: 0a:0b:0c:0d:0e:0f userServices: aa:bb:cc:dd:ee:ff objectClass: …. … In the output of the command line search. Alister On 13/09/2017, 12:26, "Freeradius-Users on behalf of Srinivasa R" <freeradius-users-bounces+alister.winfield=sky.uk@lists.freeradius.org on behalf of srinivasa.r@icts.res.in> wrote: Hi Peter, On Wed, Sep 13, 2017 at 2:51 AM, Peter Lambrechtsen <peter@crypt.nz> wrote: > What you should do a ldap query based on the incoming MAC address: > > user { > filter = "(userServices=%{User-Name})" > > Assuming the User-Name is the MAC address of the incoming client. The > "userServices" I assume is the multi-valued attribute in your ldap > directory. > > I have tried this, but it checking for the first value only and accepting only for the first filed value out of three. > Then if you get a response you know the record exists, otherwise it doesn't > and reject the request. > > > > On Wed, Sep 13, 2017 at 4:36 AM, Steffen Klemer <steffen.klemer@gwdg.de> > wrote: > > > Am Di, 12.09.2017 um 18:30 schrieb Srinivasa R > > <srinivasa.r@icts.res.in>: > > > > > I have installed FreeRADIUS server (Version 3.0.4) on Cent 7 OS and > > > configured the external authentication with 389-DS server using > > > rlm_ldap module. I would like to authenticate the mac address of all > > > the user which I have stored in LDAP. The macaddress field in LDAP is > > > a multi value attribute and the Freeraiud is communicating with LDAP > > > without any issues, but the freeradius is authenticating only the > > > first macaddress value from LDAP's multi value field. > > > > > > I would like to configure the Freeradius to authenticate all the > > > values from multi value filed. Someone suggested that we can > > > configure this using rlm_python or rlm_perl module. I am not a coder > > > and I am not able to find any step by guide to configure the same. > > > Could someone guide me on how to configure the Freeradius to > > > authenticate Multi-valued LDAP attribute? > > > > I used unlang features to implement sth. like this. I think you can > > adapt it to your use case. > > > > > > In the LDAP module I have sth like > > > > update { > > request:gwdg-user-services += 'userServices' > > } > > > > where userServices is multi-valued and sometimes included > > 'eduroamNotAllowed' > > > > > > In the site I check against all occurrences: > > > > if ( &gwdg-user-services[*] !~ /eduroamNotAllowed/ ) { > > ... > > } > > > > > > lg > > /Steffen > > > > -- > > Steffen Klemer E-Mail: Steffen.Klemer@gwdg.de > > Tel: +49 551 201 2170 > > > > ------------------------------------------------------------------ > > GWDG - Gesellschaft für wissenschaftliche > > Datenverarbeitung mbH Göttingen > > Am Faßberg 11, 37077 Göttingen > > > > Service-Hotline: > > Tel: +49 551 201-1523 > > E-Mail: support@gwdg.de > > > > Kontakt: > > Tel: 0551 201-1510 > > Fax: 0551 201-2150 > > E-Mail: gwdg@gwdg.de > > WWW: https://www.gwdg.de > > ------------------------------------------------------------------ > > Geschäftsführer: Prof. Dr. Ramin Yahyapour > > Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger > > Sitz der Gesellschaft: Göttingen > > Registergericht: Göttingen, Handelsregister-Nr. B 598 > > ------------------------------------------------------------------ > > Zertifiziert nach ISO 9001 > > ------------------------------------------------------------------ > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > > list/users.html > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > list/users.html > Regards, -- Srinivas R - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky plc and Sky International AG and are used under licence. Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of Sky plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.
Hi Alister, When I run LDAP query using the command line tool “ldapsearch” and I get the following output: # it section, People, icts.res.in dn: cn=it section,ou=People,dc=XXXX,dc=XXX,dc=XX objectClass: posixAccount objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top objectClass: ieee802Device homeDirectory: /home/it loginShell: /bin/bash uid: it cn: it section uidNumber: 10001 gidNumber: 10000 sn: section givenName: it telephoneNumber: mobile: macAddress: 28:f1:0e:2a:c1:ac macAddress: e4:a4:71:a3:88:6f macAddress: 0c:c4:7a:22:63:23 Regards, -- Srinivas R On Wed, Sep 13, 2017 at 8:44 PM, Winfield, Alister <Alister.Winfield@sky.uk> wrote:
Do the LDAP query using the command line tool “ldapsearch”.
If you really have a multi-valued attribute with the right value(s) it should work.
I’d expect to see something like:
dn: cn=foo,dc=bar,dc=com cn: foo userServices: 00:01:02:03:04:05 userServices: 0a:0b:0c:0d:0e:0f userServices: aa:bb:cc:dd:ee:ff objectClass: …. …
In the output of the command line search.
Alister
On 13/09/2017, 12:26, "Freeradius-Users on behalf of Srinivasa R" <freeradius-users-bounces+alister.winfield=sky.uk@lists.freeradius.org on behalf of srinivasa.r@icts.res.in> wrote:
Hi Peter,
On Wed, Sep 13, 2017 at 2:51 AM, Peter Lambrechtsen <peter@crypt.nz> wrote:
> What you should do a ldap query based on the incoming MAC address: > > user { > filter = "(userServices=%{User-Name})" > > Assuming the User-Name is the MAC address of the incoming client. The > "userServices" I assume is the multi-valued attribute in your ldap > directory. > > I have tried this, but it checking for the first value only and accepting only for the first filed value out of three.
> Then if you get a response you know the record exists, otherwise it doesn't > and reject the request. > > > > On Wed, Sep 13, 2017 at 4:36 AM, Steffen Klemer < steffen.klemer@gwdg.de> > wrote: > > > Am Di, 12.09.2017 um 18:30 schrieb Srinivasa R > > <srinivasa.r@icts.res.in>: > > > > > I have installed FreeRADIUS server (Version 3.0.4) on Cent 7 OS and > > > configured the external authentication with 389-DS server using > > > rlm_ldap module. I would like to authenticate the mac address of all > > > the user which I have stored in LDAP. The macaddress field in LDAP is > > > a multi value attribute and the Freeraiud is communicating with LDAP > > > without any issues, but the freeradius is authenticating only the > > > first macaddress value from LDAP's multi value field. > > > > > > I would like to configure the Freeradius to authenticate all the > > > values from multi value filed. Someone suggested that we can > > > configure this using rlm_python or rlm_perl module. I am not a coder > > > and I am not able to find any step by guide to configure the same. > > > Could someone guide me on how to configure the Freeradius to > > > authenticate Multi-valued LDAP attribute? > > > > I used unlang features to implement sth. like this. I think you can > > adapt it to your use case. > > > > > > In the LDAP module I have sth like > > > > update { > > request:gwdg-user-services += 'userServices' > > } > > > > where userServices is multi-valued and sometimes included > > 'eduroamNotAllowed' > > > > > > In the site I check against all occurrences: > > > > if ( &gwdg-user-services[*] !~ /eduroamNotAllowed/ ) { > > ... > > } > > > > > > lg > > /Steffen > > > > -- > > Steffen Klemer E-Mail: Steffen.Klemer@gwdg.de > > Tel: +49 551 201 2170 > > > > ------------------------------------------------------------------ > > GWDG - Gesellschaft für wissenschaftliche > > Datenverarbeitung mbH Göttingen > > Am Faßberg 11, 37077 Göttingen > > > > Service-Hotline: > > Tel: +49 551 201-1523 > > E-Mail: support@gwdg.de > > > > Kontakt: > > Tel: 0551 201-1510 > > Fax: 0551 201-2150 > > E-Mail: gwdg@gwdg.de > > WWW: https://www.gwdg.de > > ------------------------------------------------------------------ > > Geschäftsführer: Prof. Dr. Ramin Yahyapour > > Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger > > Sitz der Gesellschaft: Göttingen > > Registergericht: Göttingen, Handelsregister-Nr. B 598 > > ------------------------------------------------------------------ > > Zertifiziert nach ISO 9001 > > ------------------------------------------------------------------ > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > > list/users.html > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > list/users.html >
Regards, --
Srinivas R - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky plc and Sky International AG and are used under licence.
Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of Sky plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- Srinivas R Scientific Officer 'C' International Centre for Theoretical Sciences (ICTS) Survey No. 151, Shivakote, Hesaraghatta Hobli, Bengaluru North - 560 089, India. Office: 080 - 6730/4653-6305 | Mob: +91 9886280088 Email: srinivasa.r@icts.res.in Website: www.icts.res.in
On Wed, 2017-09-13 at 22:51 +0530, Srinivasa R wrote:
# it section, People, icts.res.in dn: cn=it section,ou=People,dc=XXXX,dc=XXX,dc=XX objectClass: posixAccount objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top objectClass: ieee802Device homeDirectory: /home/it loginShell: /bin/bash uid: it cn: it section uidNumber: 10001 gidNumber: 10000 sn: section givenName: it telephoneNumber: mobile: macAddress: 28:f1:0e:2a:c1:ac macAddress: e4:a4:71:a3:88:6f macAddress: 0c:c4:7a:22:63:23
I'm probably missing something here, but can't you just get your LDAP server to do the searching for you? i.e. update the ldap filter to something like filter = "(&(uid=%{%{Stripped-User-Name}:-%{User- Name}})(macAddress=%{Calling-Station-Id}))" If that returns ok, both User-Name and Calling-Station-Id matched. If not, then one or other or both didn't. -- Matthew
Hello All, Someone can give me a hint? Sometimes I can see this info in my Logs: sql: Running Accounting section for automatically created accounting 'stop' After this I have this incomplete register in my database without naporttype and callingstationid. Why?? radacctid acctsessionid acctuniqueid username groupname realm nasipaddress nasportid nasporttype acctstarttime acctupdatetime acctstoptime acctinterval acctsessiontime acctauthentic connectinfo_start connectinfo_stop acctinputoctets acctoutputoctets calledstationid callingstationid acctterminatecause servicetype framedprotocol framedipaddress acctstartdelay acctstopdelay xascendsessionsvrkey 676589 81c00242 69bee70f31ad12b1d7df868bb5caf780 simonecarlos 172.17.30.2 15729235 2017-09-11 09:48:58 2017-09-11 09:48:58 2017-09-11 09:48:58 NULL 0 0 0 Framed-User PPP 187.120.205.22 NULL NULL NULL Here is the complete log: Ready to process requests (8023) Received Access-Request Id 212 from 172.17.60.2:34960 to 187.120.197.140:1812 length 191 (8023) Service-Type = Framed-User (8023) Framed-Protocol = PPP (8023) NAS-Port = 15729185 (8023) NAS-Port-Type = Ethernet (8023) User-Name = "flaviasilva" (8023) Calling-Station-Id = "00:1A:3F:A0:B1:D2" (8023) Called-Station-Id = "CE - POP ABTE" (8023) NAS-Port-Id = "bridge1" (8023) MS-CHAP-Challenge = 0xd0033cbd3739184c (8023) MS-CHAP-Response = 0x0101000000000000000000000000000000000000000000000000c1f75534b802f945e 5ee4707ecd8b790709253be2ca90ce6 (8023) NAS-Identifier = "CE-ABAETE" (8023) NAS-IP-Address = 172.17.60.2 (8023) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (8023) authorize { (8023) [preprocess] = ok (8023) [chap] = noop (8023) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (8023) [mschap] = ok (8023) sql: EXPAND %{User-Name} (8023) sql: --> flaviasilva (8023) sql: SQL-User-Name set to 'flaviasilva' rlm_sql (sql): Reserved connection (30) (8023) sql: EXPAND SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY '%{SQL-User-Name}' AND M.usuario_login = BINARY '%{SQL-User-Name}' AND N.nasname = '%{Nas-IP-Address}' AND N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY '%{SQL-User-Name}' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname = '%{Nas-IP-Address}' ) ORDER BY ID) UNION ALL SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY '%{SQL-User-Name}' AND M.usuario_login = BINARY '%{SQL-User-Name}' AND M.grupocliente = 'ALL-POPS' (8023) sql: --> SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'flaviasilva' AND M.usuario_login = BINARY 'flaviasilva' AND N.nasname = '172.17.60.2' AND N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY 'flaviasilva' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname = '172.17.60.2' ) ORDER BY ID) UNION ALL SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'flaviasilva' AND M.usuario_login = BINARY 'flaviasilva' AND M.grupocliente = 'ALL-POPS' (8023) sql: Executing select query: SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'flaviasilva' AND M.usuario_login = BINARY 'flaviasilva' AND N.nasname = '172.17.60.2' AND N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY 'flaviasilva' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname = '172.17.60.2' ) ORDER BY ID) UNION ALL SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'flaviasilva' AND M.usuario_login = BINARY 'flaviasilva' AND M.grupocliente = 'ALL-POPS' (8023) sql: User found in radcheck table (8023) sql: Conditional check items matched, merging assignment check items (8023) sql: Simultaneous-Use := 1 (8023) sql: Pool-Name := "main_pool" (8023) sql: Cleartext-Password := "FS189" (8023) sql: EXPAND SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY '%{SQL-User-Name}' AND M.usuario_login = BINARY '%{SQL-User-Name}' AND N.nasname = '%{Nas-IP-Address}' AND N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY '%{SQL-User-Name}' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname = '%{Nas-IP-Address}' ) ORDER BY ID) UNION ALL SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY '%{SQL-User-Name}' AND M.usuario_login = BINARY '%{SQL-User-Name}' AND M.grupocliente = 'ALL-POPS' (8023) sql: --> SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'flaviasilva' AND M.usuario_login = BINARY 'flaviasilva' AND N.nasname = '172.17.60.2' AND N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY 'flaviasilva' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname = '172.17.60.2' ) ORDER BY ID) UNION ALL SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'flaviasilva' AND M.usuario_login = BINARY 'flaviasilva' AND M.grupocliente = 'ALL-POPS' (8023) sql: Executing select query: SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'flaviasilva' AND M.usuario_login = BINARY 'flaviasilva' AND N.nasname = '172.17.60.2' AND N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY 'flaviasilva' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname = '172.17.60.2' ) ORDER BY ID) UNION ALL SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'flaviasilva' AND M.usuario_login = BINARY 'flaviasilva' AND M.grupocliente = 'ALL-POPS' (8023) sql: User found in radreply table, merging reply items (8023) sql: Simultaneous-Use := 1 (8023) sql: Pool-Name := "main_pool" (8023) sql: Cleartext-Password := "FS189" (8023) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (8023) sql: --> SELECT groupname FROM radusergroup WHERE username = 'flaviasilva' ORDER BY priority (8023) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'flaviasilva' ORDER BY priority (8023) sql: User found in the group table (8023) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (8023) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '715' ORDER BY id (8023) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '715' ORDER BY id (8023) sql: Group "715": Conditional check items matched (8023) sql: Group "715": Merging assignment check items (8023) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (8023) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '715' ORDER BY id (8023) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '715' ORDER BY id (8023) sql: Group "715": Merging reply items (8023) sql: Framed-Compression := Van-Jacobson-TCP-IP (8023) sql: Framed-Protocol := PPP (8023) sql: Framed-Routing := Broadcast-Listen (8023) sql: Framed-MTU := 1500 (8023) sql: Service-Type := Framed-User (8023) sql: Mikrotik-Rate-Limit := "500k/2048k 563k/5632k 538k/4096k 54/54" rlm_sql (sql): Released connection (30) (8023) [sql] = ok (8023) [expiration] = noop (8023) [logintime] = noop (8023) pap: WARNING: Auth-Type already set. Not setting to PAP (8023) [pap] = noop (8023) } # authorize = ok (8023) Found Auth-Type = MS-CHAP (8023) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8023) Auth-Type MS-CHAP { (8023) mschap: Found Cleartext-Password, hashing to create NT-Password (8023) mschap: Found Cleartext-Password, hashing to create LM-Password (8023) mschap: Client is using MS-CHAPv1 with NT-Password (8023) mschap: adding MS-CHAPv1 MPPE keys (8023) [mschap] = ok (8023) if (reject) { (8023) if (reject) -> FALSE (8023) } # Auth-Type MS-CHAP = ok (8023) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default (8023) session { (8023) sql: EXPAND %{User-Name} (8023) sql: --> flaviasilva (8023) sql: SQL-User-Name set to 'flaviasilva' (8023) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL AND framedipaddress NOT REGEXP '^10\.' (8023) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'flaviasilva' AND acctstoptime IS NULL AND framedipaddress NOT REGEXP '^10\.' rlm_sql (sql): Reserved connection (17) (8023) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'flaviasilva' AND acctstoptime IS NULL AND framedipaddress NOT REGEXP '^10\.' (8023) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL AND framedipaddress NOT REGEXP '^10\.' (8023) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'flaviasilva' AND acctstoptime IS NULL AND framedipaddress NOT REGEXP '^10\.' (8023) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'flaviasilva' AND acctstoptime IS NULL AND framedipaddress NOT REGEXP '^10\.' (8023) sql: Running Accounting section for automatically created accounting 'stop' (8023) sql: Service-Type = Framed-User (8023) sql: Framed-Protocol = PPP (8023) sql: NAS-Port = 15729185 (8023) sql: NAS-Port-Type = Ethernet (8023) sql: User-Name = "flaviasilva" (8023) sql: Calling-Station-Id = "00:1A:3F:A0:B1:D2" (8023) sql: Called-Station-Id = "CE - POP ABTE" (8023) sql: NAS-Port-Id = "bridge1" (8023) sql: MS-CHAP-Challenge = 0xd0033cbd3739184c (8023) sql: MS-CHAP-Response = 0x0101000000000000000000000000000000000000000000000000c1f75534b802f945e 5ee4707ecd8b790709253be2ca90ce6 (8023) sql: NAS-Identifier = "CE-ABAETE" (8023) sql: NAS-IP-Address = 172.17.60.2 (8023) sql: Event-Timestamp = "Sep 11 2017 11:07:05 BRT" (8023) sql: SQL-User-Name := "flaviasilva" (8023) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default (8023) preacct { (8023) [preprocess] = ok (8023) policy acct_unique { (8023) update request { (8023) &Tmp-String-9 := "ai:" (8023) } # update request = noop (8023) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (8023) EXPAND %{hex:&Class} (8023) --> (8023) EXPAND ^%{hex:&Tmp-String-9} (8023) --> ^61693a (8023) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (8023) else { (8023) update request { (8023) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-A ddress}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (8023) --> a3978be96deadcc79c5b59c0df7462f6 (8023) &Acct-Unique-Session-Id := a3978be96deadcc79c5b59c0df7462f6 (8023) } # update request = noop (8023) } # else = noop (8023) } # policy acct_unique = noop (8023) [files] = noop (8023) } # preacct = ok (8023) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default (8023) accounting { (8023) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (8023) sql: --> type.stop.query (8023) sql: Using query template 'query' rlm_sql (sql): Reserved connection (31) (8023) sql: EXPAND %{User-Name} (8023) sql: --> flaviasilva (8023) sql: SQL-User-Name set to 'flaviasilva' (8023) sql: EXPAND UPDATE radacct SET acctstoptime = NOW(), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' (8023) sql: --> UPDATE radacct SET acctstoptime = NOW(), acctsessiontime = 0, acctinputoctets = '0' << 32 | '0', acctoutputoctets = '0' << 32 | '0', acctterminatecause = '', connectinfo_stop = '' WHERE AcctUniqueId = 'a3978be96deadcc79c5b59c0df7462f6' (8023) sql: Executing query: UPDATE radacct SET acctstoptime = NOW(), acctsessiontime = 0, acctinputoctets = '0' << 32 | '0', acctoutputoctets = '0' << 32 | '0', acctterminatecause = '', connectinfo_stop = '' WHERE AcctUniqueId = 'a3978be96deadcc79c5b59c0df7462f6' rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0 (8023) sql: SQL query returned: success (8023) sql: 0 record(s) updated (8023) sql: Trying next query... (8023) sql: EXPAND INSERT INTO radacct (acctsessionid,acctuniqueid,username, realm,nasipaddress,nasportid, nasporttype,acctstarttime,acctupdatetime, acctstoptime,acctsessiontime, acctauthentic, connectinfo_start,connectinfo_stop, acctinputoctets, acctoutputoctets,calledstationid, callingstationid, acctterminatecause,servicetype,framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', (NOW() - %{%{Acct-Session-Time}:-0}), NOW(), NOW(), %{%{Acct-Session-Time}:-NULL}, '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}') (8023) sql: --> INSERT INTO radacct (acctsessionid,acctuniqueid,username, realm,nasipaddress,nasportid, nasporttype,acctstarttime,acctupdatetime, acctstoptime,acctsessiontime, acctauthentic, connectinfo_start,connectinfo_stop, acctinputoctets, acctoutputoctets,calledstationid, callingstationid, acctterminatecause,servicetype,framedprotocol, framedipaddress) VALUES ('81f001e1', 'a3978be96deadcc79c5b59c0df7462f6', 'flaviasilva', '', '172.17.60.2', '15729147', '', (NOW() - 0), NOW(), NOW(), 0, '', '', '', '0' << 32 | '0', '0' << 32 | '0', '', '', '', 'Framed-User', 'PPP', '187.120.206.211') (8023) sql: Executing query: INSERT INTO radacct (acctsessionid,acctuniqueid,username, realm,nasipaddress,nasportid, nasporttype,acctstarttime,acctupdatetime, acctstoptime,acctsessiontime, acctauthentic, connectinfo_start,connectinfo_stop, acctinputoctets, acctoutputoctets,calledstationid, callingstationid, acctterminatecause,servicetype,framedprotocol, framedipaddress) VALUES ('81f001e1', 'a3978be96deadcc79c5b59c0df7462f6', 'flaviasilva', '', '172.17.60.2', '15729147', '', (NOW() - 0), NOW(), NOW(), 0, '', '', '', '0' << 32 | '0', '0' << 32 | '0', '', '', '', 'Framed-User', 'PPP', '187.120.206.211') (8023) sql: SQL query returned: success (8023) sql: 1 record(s) updated rlm_sql (sql): Released connection (31) Need 1 more connections to reach 35 spares rlm_sql (sql): Opening additional connection (36), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'mpc_freeradius' on mysql.mpc.com.br via TCP/IP, server version 5.5.57-0ubuntu0.14.04.1-log, protocol version 10 (8023) [sql] = ok (8023) [exec] = noop (8023) attr_filter.accounting_response: EXPAND %{User-Name} (8023) attr_filter.accounting_response: --> flaviasilva (8023) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (8023) [attr_filter.accounting_response] = updated (8023) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown} (8023) log_accounting: --> Accounting-Request.Stop (8023) log_accounting: EXPAND %t : Info: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name}) (8023) log_accounting: --> Mon Sep 11 11:07:05 2017 : Info: Released IP 187.120.206.211 (did cli user flaviasilva) (8023) log_accounting: EXPAND /var/log/radius.log (8023) log_accounting: --> /var/log/radius.log (8023) [log_accounting] = ok (8023) } # accounting = updated rlm_sql (sql): Released connection (17) (8023) [sql] = ok (8023) } # session = ok (8023) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (8023) post-auth { (8023) update { (8023) No attributes updated (8023) } # update = noop rlm_sql (sql): Reserved connection (4) (8023) sqlippool: EXPAND %{User-Name} (8023) sqlippool: --> flaviasilva (8023) sqlippool: SQL-User-Name set to 'flaviasilva' (8023) sqlippool: EXPAND START TRANSACTION (8023) sqlippool: --> START TRANSACTION (8023) sqlippool: Executing query: START TRANSACTION (8023) sqlippool: EXPAND UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = '0000-00-00 00:00:00' WHERE expiry_time <= NOW() - INTERVAL 1 SECOND AND pool_key = '%{Calling-Station-Id}' (8023) sqlippool: --> UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = '0000-00-00 00:00:00' WHERE expiry_time <= NOW() - INTERVAL 1 SECOND AND pool_key = '00:1A:3F:A0:B1:D2' (8023) sqlippool: Executing query: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = '0000-00-00 00:00:00' WHERE expiry_time <= NOW() - INTERVAL 1 SECOND AND pool_key = '00:1A:3F:A0:B1:D2' rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0 (8023) sqlippool: EXPAND COMMIT (8023) sqlippool: --> COMMIT (8023) sqlippool: Executing query: COMMIT (8023) sqlippool: EXPAND START TRANSACTION (8023) sqlippool: --> START TRANSACTION (8023) sqlippool: Executing query: START TRANSACTION (8023) sqlippool: EXPAND SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND expiry_time = '0000-00-00 00:00:00' ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE (8023) sqlippool: --> SELECT framedipaddress FROM radippool WHERE pool_name = 'main_pool' AND expiry_time = '0000-00-00 00:00:00' ORDER BY (username <> 'flaviasilva'), (callingstationid <> '00:1A:3F:A0:B1:D2'), expiry_time LIMIT 1 FOR UPDATE (8023) sqlippool: Executing select query: SELECT framedipaddress FROM radippool WHERE pool_name = 'main_pool' AND expiry_time = '0000-00-00 00:00:00' ORDER BY (username <> 'flaviasilva'), (callingstationid <> '00:1A:3F:A0:B1:D2'), expiry_time LIMIT 1 FOR UPDATE (8023) sqlippool: Allocated IP 187.120.203.66 (8023) sqlippool: EXPAND UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{Calling-Station-Id}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '187.120.203.66' AND expiry_time = '0000-00-00 00:00:00' (8023) sqlippool: --> UPDATE radippool SET nasipaddress = '172.17.60.2', pool_key = '00:1A:3F:A0:B1:D2', callingstationid = '00:1A:3F:A0:B1:D2', username = 'flaviasilva', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '187.120.203.66' AND expiry_time = '0000-00-00 00:00:00' (8023) sqlippool: Executing query: UPDATE radippool SET nasipaddress = '172.17.60.2', pool_key = '00:1A:3F:A0:B1:D2', callingstationid = '00:1A:3F:A0:B1:D2', username = 'flaviasilva', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '187.120.203.66' AND expiry_time = '0000-00-00 00:00:00' rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0 (8023) sqlippool: EXPAND COMMIT (8023) sqlippool: --> COMMIT (8023) sqlippool: Executing query: COMMIT rlm_sql (sql): Released connection (4) (8023) sqlippool: EXPAND Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) (8023) sqlippool: --> Allocated IP: 187.120.203.66 from main_pool (did CE - POP ABTE cli 00:1A:3F:A0:B1:D2 port 15729185 user flaviasilva) (8023) [sqlippool] = ok (8023) sql: EXPAND .query (8023) sql: --> .query (8023) sql: Using query template 'query' rlm_sql (sql): Reserved connection (0) (8023) sql: EXPAND %{User-Name} (8023) sql: --> flaviasilva (8023) sql: SQL-User-Name set to 'flaviasilva' (8023) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (8023) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'flaviasilva', '', 'Access-Accept', '2017-09-11 11:07:05') (8023) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'flaviasilva', '', 'Access-Accept', '2017-09-11 11:07:05') (8023) sql: SQL query returned: success (8023) sql: 1 record(s) updated rlm_sql (sql): Released connection (0) (8023) [sql] = ok (8023) [exec] = noop (8023) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default} (8023) linelog: --> messages.Access-Accept (8023) linelog: EXPAND %t : Auth: Login OK: [%{User-Name}] (from client %{Called-Station-Id} port %{NAS-Port} cli %{Calling-Station-Id}) (8023) linelog: --> Mon Sep 11 11:07:05 2017 : Auth: Login OK: [flaviasilva] (from client CE - POP ABTE port 15729185 cli 00:1A:3F:A0:B1:D2) (8023) linelog: EXPAND /var/log/radius.log (8023) linelog: --> /var/log/radius.log (8023) [linelog] = ok (8023) } # post-auth = ok (8023) Login OK: [flaviasilva] (from client ce-popabte-rb port 15729185 cli 00:1A:3F:A0:B1:D2) (8023) Sent Access-Accept Id 212 from 187.120.197.140:1812 to 172.17.60.2:34960 length 0 (8023) Framed-Compression = Van-Jacobson-TCP-IP (8023) Framed-Protocol = PPP (8023) Framed-Routing = Broadcast-Listen (8023) Framed-MTU = 1500 (8023) Service-Type = Framed-User (8023) Mikrotik-Rate-Limit = "500k/2048k 563k/5632k 538k/4096k 54/54" (8023) MS-CHAP-MPPE-Keys = 0xad5bd30f071d877fa66cd825e53c163d6c9530b38f7c0ce6 (8023) MS-MPPE-Encryption-Policy = Encryption-Allowed (8023) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (8023) Framed-IP-Address = 187.120.203.66 (8023) Finished request
On Sep 13, 2017, at 4:39 PM, Aurélio de Souza Ribeiro Neto <netolistas@mpc.com.br> wrote:
Sometimes I can see this info in my Logs: sql: Running Accounting section for automatically created accounting 'stop' After this I have this incomplete register in my database without naporttype and callingstationid. Why??
Because you're setting Simultaneous-Use, and running "checkrad". The server sees that the user is logging in again, and discovers that the previous login session is no longer valid. So it creates a fake Accounting Stop packet, to get rid of the previous session. In 3, you it's difficult to edit this packet. The default queries *should* update the existing session, which means you don't need NAS-Port-Type or Calling-Station-Id. It just needs to close the existing session. Alan DeKok.
Allan, Thanks for your reply. I understood. What I need to do to solve this? Where I made mistake? Aurelio Em 13/09/2017 22:23, Alan DeKok escreveu:
On Sep 13, 2017, at 4:39 PM, Aurélio de Souza Ribeiro Neto <netolistas@mpc.com.br> wrote:
Sometimes I can see this info in my Logs: sql: Running Accounting section for automatically created accounting 'stop' After this I have this incomplete register in my database without naporttype and callingstationid. Why??
Because you're setting Simultaneous-Use, and running "checkrad". The server sees that the user is logging in again, and discovers that the previous login session is no longer valid. So it creates a fake Accounting Stop packet, to get rid of the previous session.
In 3, you it's difficult to edit this packet. The default queries *should* update the existing session, which means you don't need NAS-Port-Type or Calling-Station-Id.
It just needs to close the existing session.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Mathew, I have tried the option you had suggested but no luck. Hi All, I have gone through the Freeradius logs and found that Freeradius is able to find the user id i.e macaddress which is multi value field from LDAP but the problem is with the password. Freeradius is retrieving all the three macaddress values for the password from the LDAP, but for some reasons, it is trying to match with the first value all the time. I am posting the detailed log. I am getting the Accept-Accept reply for the very first value in the multivalued field. Could someone help me please? *Freeradius configuration:* *LDAP conf file config:* update { control:Password-With-Header += 'macAddress' } user { filter = "(macAddress=%{%{Stripped-User-Name}:-%{User-Name}})" } *Freeradius log:* Received Access-Request Id 22 from 172.16.XX.XX:35697 to 172.16.XX.XXX:1812 length 103 User-Name = 'e4:a4:71:a3:88:6f' User-Password = 'e4:a4:71:a3:88:6f' NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x866364dcab9fba69fd2508e111d730da (2) Received Access-Request packet from host 172.16.XX.XX port 35697, id=22, length=103 (2) User-Name = 'e4:a4:71:a3:88:6f' (2) User-Password = 'e4:a4:71:a3:88:6f' (2) NAS-IP-Address = 127.0.1.1 (2) NAS-Port = 0 (2) Message-Authenticator = 0x866364dcab9fba69fd2508e111d730da (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (!&User-Name) (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\\.\\./ ) (2) if (&User-Name =~ /\\.\\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\\.$/) (2) if (&User-Name =~ /\\.$/) -> FALSE (2) if (&User-Name =~ /@\\./) (2) if (&User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : Checking for suffix after "@" (2) suffix : No '@' in User-Name = "e4:a4:71:a3:88:6f", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : No EAP-Message, not doing EAP (2) [eap] = noop (2) [files] = noop rlm_ldap (ldap): Reserved connection (4) (2) ldap : EXPAND (macAddress=%{%{Stripped-User-Name}:-%{User-Name}}) (2) ldap : --> (macAddress=e4:a4:71:a3:88:6f) (2) ldap : EXPAND ou=People,dc=icts,dc=res,dc=in (2) ldap : --> ou=People,dc=icts,dc=res,dc=in (2) ldap : Performing search in 'ou=People,dc=icts,dc=res,dc=in' with filter '(macAddress=e4:a4:71:a3:88:6f)', scope 'sub' (2) ldap : Waiting for search result... (2) ldap : User object found at DN "cn=it section,ou=People,dc=icts,dc=res,dc=in" (2) ldap : Processing user attributes (2) ldap : control:Password-With-Header += '28:f1:0e:2a:c1:ac' (2) ldap : control:Password-With-Header += 'e4:a4:71:a3:88:6f' (2) ldap : control:Password-With-Header += '0c:c4:7a:22:63:23' rlm_ldap (ldap): Released connection (4) (2) [ldap] = ok (2) [expiration] = noop (2) [logintime] = noop (2) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (2) WARNING: pap : Config already contains "known good" password. Ignoring Password-With-Header (2) WARNING: pap : Config already contains "known good" password. Ignoring Password-With-Header (2) [pap] = updated (2) } # authorize = updated (2) Found Auth-Type = PAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Auth-Type PAP { (2) pap : Login attempt with password (2) ERROR: pap : Cleartext password does not match "known good" password (2) pap : Passwords don't match (2) [pap] = reject (2) } # Auth-Type PAP = reject (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject : EXPAND %{User-Name} (2) attr_filter.access_reject : --> e4:a4:71:a3:88:6f (2) attr_filter.access_reject : Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (2) [eap] = noop (2) remove_reply_message_if_eap remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else else { (2) [noop] = noop (2) } # else else = noop (2) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sending Access-Reject packet to host 172.16.XX.XX port 35697, id=22, length=0 Sending Access-Reject Id 22 from 172.16.XX.XXX:1812 to 172.16.XX.XX:35697 Waking up in 3.9 seconds. (2) Cleaning up request packet ID 22 with timestamp +24 On Thu, Sep 14, 2017 at 1:42 AM, Matthew Newton <mcn@freeradius.org> wrote:
On Wed, 2017-09-13 at 22:51 +0530, Srinivasa R wrote:
# it section, People, icts.res.in dn: cn=it section,ou=People,dc=XXXX,dc=XXX,dc=XX objectClass: posixAccount objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top objectClass: ieee802Device homeDirectory: /home/it loginShell: /bin/bash uid: it cn: it section uidNumber: 10001 gidNumber: 10000 sn: section givenName: it telephoneNumber: mobile: macAddress: 28:f1:0e:2a:c1:ac macAddress: e4:a4:71:a3:88:6f macAddress: 0c:c4:7a:22:63:23
I'm probably missing something here, but can't you just get your LDAP server to do the searching for you? i.e. update the ldap filter to something like
filter = "(&(uid=%{%{Stripped-User-Name}:-%{User- Name}})(macAddress=%{Calling-Station-Id}))"
If that returns ok, both User-Name and Calling-Station-Id matched. If not, then one or other or both didn't.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Regards, -- Srinivas R
On Sep 14, 2017, at 3:49 AM, Srinivasa R <srinivasa.r@icts.res.in> wrote:
I have gone through the Freeradius logs and found that Freeradius is able to find the user id i.e macaddress which is multi value field from LDAP but the problem is with the password. Freeradius is retrieving all the three macaddress values for the password from the LDAP, but for some reasons, it is trying to match with the first value all the time. I am posting the detailed log. I am getting the Accept-Accept reply for the very first value in the multivalued field. Could someone help me please?
*Freeradius configuration:* *LDAP conf file config:* update { control:Password-With-Header += 'macAddress'
Don't do that. The "Password-With-Header" attribute is for LDAP passwords with headers. e.g. {nt4}.... It is NOT for simple strings. Delete that. It's wrong.
Received Access-Request Id 22 from 172.16.XX.XX:35697 to 172.16.XX.XXX:1812 length 103 User-Name = 'e4:a4:71:a3:88:6f' User-Password = 'e4:a4:71:a3:88:6f'
Since those are the same, you don't need to check passwords. You just need to check that the MAC address is in LDAP. Then, check that the User-Name is the same as the User-Password.
(2) ldap : Performing search in 'ou=People,dc=icts,dc=res,dc=in' with filter '(macAddress=e4:a4:71:a3:88:6f)', scope 'sub' (2) ldap : Waiting for search result... (2) ldap : User object found at DN "cn=it section,ou=People,dc=icts,dc=res,dc=in"
That's good...
(2) ldap : Processing user attributes (2) ldap : control:Password-With-Header += '28:f1:0e:2a:c1:ac' (2) ldap : control:Password-With-Header += 'e4:a4:71:a3:88:6f' (2) ldap : control:Password-With-Header += '0c:c4:7a:22:63:23' rlm_ldap (ldap): Released connection (4) (2) [ldap] = ok
You can then do: ... ldap if (ok && (User-Name == User-Password)) { update control { Auth-Type := Accept } } And it will work. Don't bother checking the password after that. Alan DeKok.
Thanks a ton Alan! you just made my day. It worked like a charm. Once again thanks a lot for your support. On Thu, Sep 14, 2017 at 7:15 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 14, 2017, at 3:49 AM, Srinivasa R <srinivasa.r@icts.res.in> wrote:
I have gone through the Freeradius logs and found that Freeradius is able to find the user id i.e macaddress which is multi value field from LDAP but the problem is with the password. Freeradius is retrieving all the three macaddress values for the password from the LDAP, but for some reasons, it is trying to match with the first value all the time. I am posting the detailed log. I am getting the Accept-Accept reply for the very first value in the multivalued field. Could someone help me please?
*Freeradius configuration:* *LDAP conf file config:* update { control:Password-With-Header += 'macAddress'
Don't do that. The "Password-With-Header" attribute is for LDAP passwords with headers.
e.g. {nt4}....
It is NOT for simple strings.
Delete that. It's wrong.
Received Access-Request Id 22 from 172.16.XX.XX:35697 to 172.16.XX.XXX:1812 length 103 User-Name = 'e4:a4:71:a3:88:6f' User-Password = 'e4:a4:71:a3:88:6f'
Since those are the same, you don't need to check passwords. You just need to check that the MAC address is in LDAP. Then, check that the User-Name is the same as the User-Password.
(2) ldap : Performing search in 'ou=People,dc=icts,dc=res,dc=in' with filter '(macAddress=e4:a4:71:a3:88:6f)', scope 'sub' (2) ldap : Waiting for search result... (2) ldap : User object found at DN "cn=it section,ou=People,dc=icts,dc=res,dc=in"
That's good...
(2) ldap : Processing user attributes (2) ldap : control:Password-With-Header += '28:f1:0e:2a:c1:ac' (2) ldap : control:Password-With-Header += 'e4:a4:71:a3:88:6f' (2) ldap : control:Password-With-Header += '0c:c4:7a:22:63:23' rlm_ldap (ldap): Released connection (4) (2) [ldap] = ok
You can then do:
... ldap if (ok && (User-Name == User-Password)) { update control { Auth-Type := Accept } }
And it will work. Don't bother checking the password after that.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Regards, -- Srinivas R
Hi Steffen, On Tue, Sep 12, 2017 at 10:06 PM, Steffen Klemer <steffen.klemer@gwdg.de> wrote:
Am Di, 12.09.2017 um 18:30 schrieb Srinivasa R <srinivasa.r@icts.res.in>:
I have installed FreeRADIUS server (Version 3.0.4) on Cent 7 OS and configured the external authentication with 389-DS server using rlm_ldap module. I would like to authenticate the mac address of all the user which I have stored in LDAP. The macaddress field in LDAP is a multi value attribute and the Freeraiud is communicating with LDAP without any issues, but the freeradius is authenticating only the first macaddress value from LDAP's multi value field.
I would like to configure the Freeradius to authenticate all the values from multi value filed. Someone suggested that we can configure this using rlm_python or rlm_perl module. I am not a coder and I am not able to find any step by guide to configure the same. Could someone guide me on how to configure the Freeradius to authenticate Multi-valued LDAP attribute?
I used unlang features to implement sth. like this. I think you can adapt it to your use case.
In the LDAP module I have sth like
update { request:gwdg-user-services += 'userServices' }
I have updated this in LDAP module: update { request:user-services += 'macAddress' }
where userServices is multi-valued and sometimes included 'eduroamNotAllowed'
In the site I check against all occurrences:
if ( &gwdg-user-services[*] !~ /eduroamNotAllowed/ ) { ... }
But, when I update the following section in /etc/raddb/sites-enabled/default under authentication section, I am getting the error "Failed to parse "if" subsection."
if ( &user-services[*] ) { ... } Please correct me if I am doing something wrong.
lg /Steffen
-- Steffen Klemer E-Mail: Steffen.Klemer@gwdg.de Tel: +49 551 201 2170
------------------------------------------------------------------ GWDG - Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen Am Faßberg 11, 37077 Göttingen
Service-Hotline: Tel: +49 551 201-1523 E-Mail: support@gwdg.de
Kontakt: Tel: 0551 201-1510 Fax: 0551 201-2150 E-Mail: gwdg@gwdg.de WWW: https://www.gwdg.de ------------------------------------------------------------------ Geschäftsführer: Prof. Dr. Ramin Yahyapour Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger Sitz der Gesellschaft: Göttingen Registergericht: Göttingen, Handelsregister-Nr. B 598 ------------------------------------------------------------------ Zertifiziert nach ISO 9001 ------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Regards, -- Srinivas R
On Sep 13, 2017, at 7:30 AM, Srinivasa R <srinivasa.r@icts.res.in> wrote:
update { request:user-services += 'macAddress' }
Is "User-Services" an attribute in the dictionaries? I don't think so... You will need to create an attribute. See raddb/dictionary for instructions. Alan DeKok.
participants (8)
-
Alan DeKok -
Aurélio de Souza Ribeiro Neto -
Matthew Newton -
Michael Ströder -
Peter Lambrechtsen -
Srinivasa R -
Steffen Klemer -
Winfield, Alister