Different IP Pool per proxied realm
Hi all I’m trying to assign a different IP Pool per realm, instead of the IP being assigned by the NAS. However after reading some postings and doing some searching I can’t get this to work. The realms we want to assign different IP Pools to, we proxy to different customers. So we don’t do the authentication for these realms, we just proxy to authentication. We are using FreeRADIUS Version 1.0.1 and using MySQL and not flat files. Our NAS is a Cisco 7304 terminating L2TP for DSL users. So far I’ve tried to add the following to the users file: DEFAULT Realm == "realm1.com", Pool-Name := "pool_one" And created the pool in radiusd.conf: ippool pool_one { range-start = 192.168.1.1 range-stop = 192.168.1.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } But when the user logs in they get assigned an IP from the NAS and not from the IP Pool. Am I doing something wrong? Does this not work if I'm use MySQL? Thanks in advance Tony No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.19.20/1261 - Release Date: 05/02/2008 20:57
Tony Spencer wrote:
We are using FreeRADIUS Version 1.0.1
Why? I would suggest upgrading. The newer versions have a LOT more features, and make this kind of configuration much easier.
But when the user logs in they get assigned an IP from the NAS and not from the IP Pool. Am I doing something wrong?
The debug log should explain what the server is sending back. But if you're using 1.0.1, I would suggest upgrading before posting the debug log. Alan DeKok.
We are running freeradius on Centos and the most supported package that gets installed by "yum update" is freeradius-1.0.1-3.RHEL4.5, which I now have installed. I've tried to upgrade by downloading the latest version, 2.0.1. Although it builds and installs it doesn't seem to try to connect to my SQL database. When I start the old version with -X I see a lot of mention of sql. But version 2.0.1 started with -X doesn't seem to say anything apart from its loading the sql.conf file. Am I missing something here? That said I do have some debug for the version I am using for trying to assign a different IP pool per realm. Here is the section that shows that radius is loading the IP pool: ############ Module: Loaded IPPOOL ippool: session-db = "/etc/raddb/db.ippool" ippool: ip-index = "/etc/raddb/db.ipindex" ippool: range-start = 85.92.168.1 IP address [85.92.168.1] ippool: range-stop = 85.92.168.254 IP address [85.92.168.254] ippool: netmask = 255.255.255.0 IP address [255.255.255.0] ippool: cache-size = 800 ippool: override = no ippool: maximum-timeout = 0 Module: Instantiated ippool (main_pool) ############# This is the users entry: ############ DEFAULT Realm == "dsl.realm.co.uk", Pool-Name := "main_ip_realm1" ############ And here is the debug from a user using the realm logging in: ########### rad_recv: Access-Request packet from host 192.168.1.88:1645, id=245, length=127 Framed-Protocol = PPP User-Name = "user@dsl.realm.co.uk" CHAP-Password = 0xb2cd36a39f414e084ae6ab6da5719886f7 NAS-Port-Type = Virtual NAS-Port = 2548 NAS-Port-Id = "Uniq-Sess-ID2548" Connect-Info = "4522000/1000" Service-Type = Framed-User NAS-IP-Address = 192.168.1.88 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 14 modcall[authorize]: module "preprocess" returns ok for request 14 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 14 modcall[authorize]: module "mschap" returns noop for request 14 rlm_realm: Looking up realm "dsl.realm.co.uk" for User-Name = "user@dsl.realm.co.uk" rlm_realm: Found realm "dsl.realm.co.uk" rlm_realm: Proxying request from user leekane to realm dsl.realm.co.uk rlm_realm: Adding Realm = "dsl.realm.co.uk" rlm_realm: Preparing to proxy authentication request to realm "dsl.realm.co.uk" modcall[authorize]: module "suffix" returns updated for request 14 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 14 users: Matched DEFAULT at 1 modcall[authorize]: module "files" returns ok for request 14 radius_xlat: 'user@dsl.realm.co.uk' rlm_sql (sql): sql_set_user escaped user --> 'user@dsl.realm.co.uk' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'user@dsl.realm.co.uk' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 21 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql (sql): User user@dsl.realm.co.uk not found in radcheck radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user@dsl.realm.co.uk' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user@dsl.realm.co.uk' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user@dsl.realm.co.uk' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user@dsl.realm.co.uk' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): User user@dsl.realm.co.uk not found in radgroupcheck rlm_sql (sql): User not found rlm_sql (sql): Released sql socket id: 21 modcall[authorize]: module "sql" returns notfound for request 14 modcall: group authorize returns updated for request 14 Processing the pre-proxy section of radiusd.conf modcall: entering group pre-proxy for request 14 radius_xlat: '/var/log/radius/radacct/192.168.1.88/pre-proxy-detail-20080211' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.88/pre-proxy-detail-20080211 modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 14 modcall: group pre-proxy returns ok for request 14 Sending Access-Request of id 1 to 88.20.106.18:1645 Framed-Protocol = PPP User-Name = "user@dsl.realm.co.uk" CHAP-Password = 0xb2cd36a39f414e084ae6ab6da5719886f7 NAS-Port-Type = Virtual NAS-Port = 2548 NAS-Port-Id = "Uniq-Sess-ID2548" Connect-Info = "4522000/1000" Service-Type = Framed-User NAS-IP-Address = 192.168.1.88 CHAP-Challenge = 0x0119ec26782b0c7dd878fb54c30f5859 Proxy-State = 0x323435 Waking up in 5 seconds... rad_recv: Access-Accept packet from host 88.20.106.18:1645, id=1, length=107 Class = 0x5342522d434c20444e3d22323032343331222041543d22323030222055533d22222053493d 22323839302200 Session-Timeout = 0 Framed-IP-Address = 255.255.255.254 Framed-IP-Netmask = 255.255.255.255 Acct-Interim-Interval = 7200 Framed-Protocol = PPP Service-Type = Framed-User Proxy-State = 0x323435 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 14 radius_xlat: '/var/log/radius/radacct/192.168.1.88/post-proxy-detail-20080211' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.88/post-proxy-detail-20080211 modcall[post-proxy]: module "post_proxy_log" returns ok for request 14 modcall: group post-proxy returns ok for request 14 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 14 modcall[authorize]: module "preprocess" returns ok for request 14 rlm_chap: WARNING: Auth-Type already set. Not setting to CHAP modcall[authorize]: module "chap" returns noop for request 14 modcall[authorize]: module "mschap" returns noop for request 14 rlm_realm: Proxy reply, or no User-Name. Ignoring. modcall[authorize]: module "suffix" returns noop for request 14 modcall[authorize]: module "eap" returns noop for request 14 users: Matched DEFAULT at 1 modcall[authorize]: module "files" returns ok for request 14 radius_xlat: 'user@dsl.realm.co.uk' rlm_sql (sql): sql_set_user escaped user --> 'user@dsl.realm.co.uk' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'user@dsl.realm.co.uk' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 20 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql (sql): User user@dsl.realm.co.uk not found in radcheck radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user@dsl.realm.co.uk' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user@dsl.realm.co.uk' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user@dsl.realm.co.uk' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user@dsl.realm.co.uk' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): User user@dsl.realm.co.uk not found in radgroupcheck rlm_sql (sql): User not found rlm_sql (sql): Released sql socket id: 20 modcall[authorize]: module "sql" returns notfound for request 14 modcall: group authorize returns ok for request 14 rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user Login OK: [user@dsl.realm.co.uk/<CHAP-Password>] (from client 7304 port 2548) Sending Access-Accept of id 245 to 192.168.1.88:1645 Class = 0x5342522d434c20444e3d22323032343331222041543d22323030222055533d22222053493d 22323839302200 Session-Timeout = 0 Framed-IP-Address = 255.255.255.254 Framed-IP-Netmask = 255.255.255.255 Acct-Interim-Interval = 7200 Framed-Protocol = PPP Service-Type = Framed-User Finished request 14 ######## Thanks in advance Tony -----Original Message----- From: freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 09 February 2008 16:06 To: FreeRadius users mailing list Subject: Re: Different IP Pool per proxied realm Tony Spencer wrote:
We are using FreeRADIUS Version 1.0.1
Why? I would suggest upgrading. The newer versions have a LOT more features, and make this kind of configuration much easier.
But when the user logs in they get assigned an IP from the NAS and not from the IP Pool. Am I doing something wrong?
The debug log should explain what the server is sending back. But if you're using 1.0.1, I would suggest upgrading before posting the debug log. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21 No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21
Tony Spencer wrote:
We are running freeradius on Centos and the most supported package that gets installed by "yum update" is freeradius-1.0.1-3.RHEL4.5, which I now have installed.
Ugh.
I've tried to upgrade by downloading the latest version, 2.0.1. Although it builds and installs it doesn't seem to try to connect to my SQL database. When I start the old version with -X I see a lot of mention of sql. But version 2.0.1 started with -X doesn't seem to say anything apart from its loading the sql.conf file. Am I missing something here?
If you have built 2.0.1 with SQL *and* configured the SQL module in radiusd.conf && sites-available/default, it *should* work. My guess is that the server wasn't built with SQL, and that you haven't edited the configuration files to enable SQL. So far as the rest of the debug output goes, 1.0.1 is *years* out of date. I no longer remember what it does, or what quirks it has with respect to IP pools. If that is the only version that Redhat supports, then I suggest calling them and asking them for support. Or, use 2.0.1, which will be much easier to configure && debug. Alan DeKok.
Right I've now managed to get v2.0.1 working on our radius server. Although for some reason its not logging to radiusd.log. Previously we have logged accounting to the log file and the radacct table. If anyone can spare a thought on why this isn't now logging to the radiusd.log file I would appreciate it. Onto the different IP pool per realm... This still doesn't seem to work. The debug doesn't show the IP pool being loaded. Does this still need to be put into radiusd.conf or the sites-enabled file? Thanks Tony -----Original Message----- From: freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 11 February 2008 13:39 To: FreeRadius users mailing list Subject: Re: Different IP Pool per proxied realm Tony Spencer wrote:
We are running freeradius on Centos and the most supported package that gets installed by "yum update" is freeradius-1.0.1-3.RHEL4.5, which I now have installed.
Ugh.
I've tried to upgrade by downloading the latest version, 2.0.1. Although it builds and installs it doesn't seem to try to connect to my SQL database. When I start the old version with -X I see a lot of mention of sql. But version 2.0.1 started with -X doesn't seem to say anything apart from its loading the sql.conf file. Am I missing something here?
If you have built 2.0.1 with SQL *and* configured the SQL module in radiusd.conf && sites-available/default, it *should* work. My guess is that the server wasn't built with SQL, and that you haven't edited the configuration files to enable SQL. So far as the rest of the debug output goes, 1.0.1 is *years* out of date. I no longer remember what it does, or what quirks it has with respect to IP pools. If that is the only version that Redhat supports, then I suggest calling them and asking them for support. Or, use 2.0.1, which will be much easier to configure && debug. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21 No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21
Tony Spencer wrote:
Right I've now managed to get v2.0.1 working on our radius server. Although for some reason its not logging to radiusd.log. Previously we have logged accounting to the log file and the radacct table. If anyone can spare a thought on why this isn't now logging to the radiusd.log file I would appreciate it.
File permissions? Also see the log{} configuration in radiusd.conf.
Onto the different IP pool per realm... This still doesn't seem to work. The debug doesn't show the IP pool being loaded. Does this still need to be put into radiusd.conf or the sites-enabled file?
You can put everything in radiusd.conf, just like in 1.1.7. Alan DeKok.
Everything seems to be working fine with the new upgraded version of Freeradius. I've also made progress in assigning from an IP pool for a realm. However it seems to be all or nothing, if the reply comes back with a Framed-IP-Address already set it gets ignored if I set: override = yes in the IP pool section of radiusd.conf. However some users are supposed to have a static IP address and some dynamic IP assignment. Those with no static set come back from with the reply: Session-Timeout = 0 Framed-IP-Address = 255.255.255.254 Framed-IP-Netmask = 255.255.255.255 Acct-Interim-Interval = 7200 Framed-Protocol = PPP Service-Type = Framed-User Proxy-State = 0x313832 Is there a way to tell Freeradius to only assign from the pool for the user if the Framed-IP-Address comes back as 255.255.255.254? Thanks Tony -----Original Message----- From: freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 11 February 2008 20:42 To: FreeRadius users mailing list Subject: Re: Different IP Pool per proxied realm Tony Spencer wrote:
Right I've now managed to get v2.0.1 working on our radius server. Although for some reason its not logging to radiusd.log. Previously we have logged accounting to the log file and the radacct table. If anyone can spare a thought on why this isn't now logging to the radiusd.log file I would appreciate it.
File permissions? Also see the log{} configuration in radiusd.conf.
Onto the different IP pool per realm... This still doesn't seem to work. The debug doesn't show the IP pool being loaded. Does this still need to be put into radiusd.conf or the sites-enabled file?
You can put everything in radiusd.conf, just like in 1.1.7. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21 No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21
Tony Spencer wrote:
Is there a way to tell Freeradius to only assign from the pool for the user if the Framed-IP-Address comes back as 255.255.255.254?
$ man unlang In 2.0.1: if ("%{proxy_reply:Framed-IP-Address}" != "255.255.255.254") { ippool } It's pretty much that easy... Alan DeKok.
Where do I put this statement and does override have to be yes or no? Thanks in advance Tony -----Original Message----- From: freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 12 February 2008 10:33 To: FreeRadius users mailing list Subject: Re: Different IP Pool per proxied realm Tony Spencer wrote:
Is there a way to tell Freeradius to only assign from the pool for the user if the Framed-IP-Address comes back as 255.255.255.254?
$ man unlang In 2.0.1: if ("%{proxy_reply:Framed-IP-Address}" != "255.255.255.254") { ippool } It's pretty much that easy... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21 No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21
I currently have this in radiusd.conf. ippool main_pool { range-start = 10.0.0.1 range-stop = 10.0.0.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${sysconfdir}/raddb/db.ippool ip-index = ${sysconfdir}/raddb/db.ipindex override = yes maximum-timeout = 0 } I've tried adding the statement before and inside this but even static assigned users get an address from the pool. Thanks Tony -----Original Message----- eurisp.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 12 February 2008 11:17 To: FreeRadius users mailing list Subject: Re: Different IP Pool per proxied realm Tony Spencer wrote:
Where do I put this statement
Where is your current "ippool" module referenced?
and does override have to be yes or no?
"yes" Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21 No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21
Tony Spencer wrote:
I currently have this in radiusd.conf.
That is NOT the only reference to the "ippool" module. The IP's get allocated *somewhere* via a reference to the "main_pool" module. You must have edited the configuration files to do this, because it is *not* enabled in the default configuration.
I've tried adding the statement before and inside this but even static assigned users get an address from the pool.
Umm... please go read "man unlang". It is a *policy* language for *processing* packets. It does not apply to module configurations. See the default configuration files for examples of how to use "if()". Alan DeKok.
The only other place the main ip pool is mentioned is in the site-enabled file. Within post-auth. post-auth { main_pool sql Post-Auth-Type REJECT { attr_filter.access_reject sql } } I'll try and see if I can work it out by "man unlang" if not then I maybe posting back. Sorry... Tony -----Original Message----- From: freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 12 February 2008 12:41 To: FreeRadius users mailing list Subject: Re: Different IP Pool per proxied realm Tony Spencer wrote:
I currently have this in radiusd.conf.
That is NOT the only reference to the "ippool" module. The IP's get allocated *somewhere* via a reference to the "main_pool" module. You must have edited the configuration files to do this, because it is *not* enabled in the default configuration.
I've tried adding the statement before and inside this but even static assigned users get an address from the pool.
Umm... please go read "man unlang". It is a *policy* language for *processing* packets. It does not apply to module configurations. See the default configuration files for examples of how to use "if()". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21 No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21
The only place I found reference to the IP Pool is in the site-enabled config file. So I added: if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") { main_pool } Since it should only assign from the pool if the Framed-IP-Address we get back is 255.255.255.254, and not a statically assigned IP. There is an error in the debug when a user tries to login, but it seems to run the rule. But it still doesn't seem to assign from the IP pool. Please could you take a look at the debug and comment/suggest? rad_recv: Access-Request packet from host 127.0.0.1 port 32791, id=155, length=77 User-Name = "user@dsl.realm.co.uk" User-Password = "s3cr3t" NAS-IP-Address = 127.0.0.1 NAS-Port = 111 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "dsl.realm.co.uk" for User-Name = "user@dsl.realm.co.uk" rlm_realm: Found realm "dsl.realm.co.uk" rlm_realm: Proxying request from user grahamdr to realm dsl.realm.co.uk rlm_realm: Adding Realm = "dsl.realm.co.uk" rlm_realm: Preparing to proxy authentication request to realm "dsl.realm.co.uk" ++[suffix] returns updated rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop users: Matched entry DEFAULT at line 8 ++[files] returns ok expand: %{User-Name} -> user@dsl.realm.co.uk rlm_sql (sql): sql_set_user escaped user --> 'user@dsl.realm.co.uk' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user@dsl.realm.co.uk' ORDER BY id expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql (sql): Released sql socket id: 4 rlm_sql (sql): User user@dsl.realm.co.uk not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop +- entering group pre-proxy expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m %d -> /usr/local/var/log/radius/radacct/127.0.0.1/pre-proxy-detail-20080212 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m %d expands to /usr/local/var/log/radius/radacct/127.0.0.1/pre-proxy-detail-20080212 expand: %t -> Tue Feb 12 13:22:36 2008 ++[pre_proxy_log] returns ok Sending Access-Request of id 222 to 10.0.0.18 port 1645 User-Name = "user@dsl.realm.co.uk" User-Password = "s3cr3t" NAS-IP-Address = 127.0.0.1 NAS-Port = 111 Proxy-State = 0x313535 Proxying request 0 to home server 10.0.0.18 port 1645 Sending Access-Request of id 222 to 10.0.0.18 port 1645 User-Name = "user@dsl.realm.co.uk" User-Password = "s3cr3t" NAS-IP-Address = 127.0.0.1 NAS-Port = 111 Realm = "dsl.realm.co.uk" Realm = "dsl.realm.co.uk" Proxy-State = 0x313535 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 10.0.0.18 port 1645, id=222, length=107 Class = 0x5342522d434c20444e3d22323035333632222041543d22323030222055533d22222053493d 22323838312200 Session-Timeout = 0 Framed-IP-Address = 255.255.255.254 << this should match the rule. Framed-IP-Netmask = 255.255.255.255 Acct-Interim-Interval = 7200 Framed-Protocol = PPP Service-Type = Framed-User Proxy-State = 0x313535 +- entering group post-proxy expand: %{Realm} -> dsl.realm.co.uk attr_filter: Matched entry DEFAULT at line 103 ++[attr_filter.post-proxy] returns updated ++[eap] returns noop +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Proxy reply, or no User-Name. Ignoring. ++[suffix] returns noop ++[eap] returns noop users: Matched entry DEFAULT at line 8 ++[files] returns ok expand: %{User-Name} -> user@dsl.realm.co.uk rlm_sql (sql): sql_set_user escaped user --> 'user@dsl.realm.co.uk' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user@dsl.realm.co.uk' ORDER BY id expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql (sql): Released sql socket id: 3 rlm_sql (sql): User user@dsl.realm.co.uk not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user Login OK: [user@dsl.realm.co.uk/s3cr3t] (from client localhost port 111) +- entering group post-auth ++? if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") WARNING: Unknown module "proxy_reply" in string expansion "%{proxy_reply:Framed-IP-Address}" expand: %{proxy_reply:Framed-IP-Address} -> ? Evaluating ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") -> FALSE ++? if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") -> FALSE rlm_sql (sql): Processing sql_postauth expand: %{User-Name} -> user@dsl.realm.co.uk rlm_sql (sql): sql_set_user escaped user --> 'user@dsl.realm.co.uk' expand: %{User-Password} -> s3cr3t expand: INSERT INTO radpostauth (user, pass, reply, date) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (user, pass, reply, date) VALUES ( 'user@dsl.realm.co.uk', 's3cr3t', 'Access-Accept', '2008-02-12 13:22:36') expand: /usr/local/var/log/radius/sqltrace.sql -> /usr/local/var/log/radius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (user, pass, reply, date) VALUES ( 'user@dsl.realm.co.uk', 's3cr3t', 'Access-Accept', '2008-02-12 13:22:36') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: INSERT INTO radpostauth (user, pass, reply, date) VALUES ( 'user@dsl.realm.co.uk', 's3cr3t', 'Access-Accept', '2008-02-12 13:22:36') rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok Sending Access-Accept of id 155 to 127.0.0.1 port 32791 Session-Timeout = 0 Framed-IP-Address = 255.255.255.254 Framed-IP-Netmask = 255.255.255.255 Finished request 0. -----Original Message----- From: freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 12 February 2008 12:41 To: FreeRadius users mailing list Subject: Re: Different IP Pool per proxied realm Tony Spencer wrote:
I currently have this in radiusd.conf.
That is NOT the only reference to the "ippool" module. The IP's get allocated *somewhere* via a reference to the "main_pool" module. You must have edited the configuration files to do this, because it is *not* enabled in the default configuration.
I've tried adding the statement before and inside this but even static assigned users get an address from the pool.
Umm... please go read "man unlang". It is a *policy* language for *processing* packets. It does not apply to module configurations. See the default configuration files for examples of how to use "if()". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21 No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21
Tony Spencer wrote:
The only place I found reference to the IP Pool is in the site-enabled config file. So I added:
if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") {
Sorry, that should be "proxy-reply", not "proxy_reply".
There is an error in the debug when a user tries to login, but it seems to run the rule. But it still doesn't seem to assign from the IP pool.
Again, the debug output makes it clear what is happening: ...
+- entering group post-auth ++? if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") WARNING: Unknown module "proxy_reply" in string expansion
Yup. That's a typo.
"%{proxy_reply:Framed-IP-Address}" expand: %{proxy_reply:Framed-IP-Address} ->
i.e. nothing.
? Evaluating ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") -> FALSE
Nothing doesn't match the string "255.255.255.254". Again, reading the debug output helps. There is no magic required to see a WARNING, and conclude that maybe something is wrong. Alan DeKok.
participants (2)
-
Alan DeKok -
Tony Spencer