RE: All attributes in rlm_sql_log or rlm_sql ?
Ultimately for the same reasons that rlm_detail exists. I'd like to give my ops guys the ability to see all attributes in requests and replies when they're debugging or monitoring. We want to maintain all records in a single SQL database with access via our existing web frontends...so I'd like the same detail as rlm_detail via the SQl modules. Obviously many ways to achieve it (parse and upload the detail log, dedicated perl module etc.) but my scripting/coding is weak so that will take me longer. Many thanks for the answers and other suggestions given. Dean Dean Smith wrote:
I guess I?m asking is there an unlang equivalent to this snippet from rlm_detail.c. ..
No. I don't see why it makes sense to log all of the attributes as one big line of text in SQL. If you need that, it shouldn't be hard to write a Perl plugin that does it. Alan DeKok. ------------------------------ Message: 8 Date: Thu, 10 Apr 2008 23:30:12 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: "Users" accounts file - was: Re: EAP-TTLS (PAP) not working with NT domain - debian freeradius 1.1.7 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <47FE86E4.1010100@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1 James McOrmond wrote:
So, I figured the users file was a logical place..
Yes, if it's used, and if the rest of the policy is fine.
I added a line like this:
radiustester User-Password := "xoageifo"
but it's complaining it's not in ldap..
Run it in debugging mode: radiusd -X. Alan DeKok. ------------------------------ Message: 9 Date: Thu, 10 Apr 2008 18:45:15 -0400 (EDT) From: "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net> Subject: Re: Restrict to initial NAS used to logon To: freeradius-users@lists.freeradius.org Message-ID: <200804102245.m3AMjFCa042294@himinbjorg.tucs-beachin-obx-house.com> Content-Type: text/plain; charset=us-ascii
Tuc at T-B-O-H.NET wrote:
Looking to restrict a user to only be able to log in and re-log in to the initial NAS they first ever logged onto. (Hotspot) Looking at the radacct file where it looks like the check-items normally go against, I'm not seeing anything I can use as an identifier. The nasipaddress is always 0.0.0.0. Maybe calledstationid, except if we swap equipment out during the lifetime of a users id it won't match.
Is anyone doing anything like this already?
They usually use equipment that sends a NAS identifier.
Hrm.... I just originally went on the assumption that the sending side was partially braindead, and wasn't sending it. Your comment made me dump a session on 1812 and 1813... 1812: Radius Protocol Code: Access-Request (1) Packet identifier: 0x0 (0) Length: 216 Authenticator: A9A4B05B3C01784A8DF58849DB987135 [The response to this request is in frame 2] Attribute Value Pairs AVP: l=5 t=User-Name(1): tuc AVP: l=18 t=CHAP-Challenge(60): 894209E703975A194529D13926790197 AVP: l=19 t=CHAP-Password(3): 0A6E0AEA789A9A0AF0E2A7F15B04E6A289 AVP: l=6 t=NAS-IP-Address(4): 0.0.0.0 AVP: l=6 t=Service-Type(6): Login-User(1) AVP: l=6 t=Framed-IP-Address(8): 192.168.182.4 AVP: l=19 t=Calling-Station-Id(31): 00-10-A4-10-8D-A6 AVP: l=19 t=Called-Station-Id(30): 00-16-01-91-E9-46 AVP: l=10 t=NAS-Identifier(32): TBOH2173 AVP: l=18 t=Acct-Session-Id(44): 47fe006e00000000 AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19) AVP: l=6 t=NAS-Port(5): 0 AVP: l=18 t=Message-Authenticator(80): F0AE0A9EE7DAC32F9AA6089A5A9C3A70 AVP: l=40 t=Vendor-Specific(26) v=WISPr(14122) 1813: Radius Protocol Code: Accounting-Request (4) Packet identifier: 0x6 (6) Length: 142 Authenticator: 48DCF71BE50EC2E9ECC17825FB6D2417 [The response to this request is in frame 2] Attribute Value Pairs AVP: l=6 t=Acct-Status-Type(40): Start(1) AVP: l=5 t=User-Name(1): tuc AVP: l=11 t=Class(25): 303730333435363738 AVP: l=19 t=Calling-Station-Id(31): 00-10-A4-10-8D-A6 AVP: l=19 t=Called-Station-Id(30): 00-16-01-91-E9-46 AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19) AVP: l=6 t=NAS-Port(5): 0 AVP: l=10 t=NAS-Port-Id(87): 00000000 AVP: l=6 t=NAS-IP-Address(4): 0.0.0.0 AVP: l=10 t=NAS-Identifier(32): TBOH2173 AVP: l=6 t=Framed-IP-Address(8): 192.168.182.4 AVP: l=18 t=Acct-Session-Id(44): 47fe006e00000000 So it looks like its sending it, just not making it into the radacct files. :-/ So where to start looking for that?
Or, use the "Packet-Src-IP-Address" attribute.
Thats gonna take a bit of headscratching to figure out about. :) But thanks for the lead. Tuc ------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html End of Freeradius-Users Digest, Vol 36, Issue 76 ************************************************
Dean Smith wrote:
Ultimately for the same reasons that rlm_detail exists. I'd like to give my ops guys the ability to see all attributes in requests and replies when they're debugging or monitoring. We want to maintain all records in a single SQL database with access via our existing web frontends...so I'd like the same detail as rlm_detail via the SQl modules.
SQL isn't really the best way to store dozens of lines of text per request.
Obviously many ways to achieve it (parse and upload the detail log, dedicated perl module etc.) but my scripting/coding is weak so that will take me longer.
rlm_perl, and a special SQL table would likely be best for this. Alan DeKok.
participants (2)
-
Alan DeKok -
Dean Smith