hi again... i try to get suffix work but i guess missing something... here some debugs and confs rad_recv: Access-Request packet from host 10.10.64.67 port 16829, id=53, length=208 Framed-Protocol = PPP User-Name = "*usertest@my.domain.cu*" User-Password = "*secret*" NAS-Port-Type = Async Calling-Station-Id = "123456789" Called-Station-Id = "987654321" Connect-Info = "44000/28800 V90/V44/LAPM" Cisco-AVPair = "v92-info=V.92 QC/QC Short Train Success/0/0" NAS-Port = 443 NAS-Port-Id = "Async3/11*E1 7/0:7" Service-Type = Framed-User NAS-IP-Address = 10.10.64.67 # Executing section authorize from file /etc/freeradius/sites-available/default +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok ++- entering policy filter_username {...} +++? if (User-Name =~ /^ /) ? Evaluating (User-Name =~ /^ /) -> FALSE +++? if (User-Name =~ /^ /) -> FALSE +++? if (User-Name =~ / $$/) ? Evaluating (User-Name =~ / $$/) -> FALSE +++? if (User-Name =~ / $$/) -> FALSE +++? if (User-Name != "%{tolower:%{User-Name}}") expand: %{User-Name} -> *usertest@my.domain.cu* expand: %{tolower:%{User-Name}} -> *usertest@my.domain.cu* ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE +++? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE ++- policy filter_username returns ok *[suffix] No '@' in User-Name = "usertest", looking up realm NULL <---why not found '@' if is coming in radius packet and check in the conf???* [suffix] No such realm "NULL" ++[suffix] returns noop [ldap] performing user authorization for *usertest* [ldap] expand: %{Stripped-User-Name} -> *usertest* [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=* usertest*) *<---------- this works stripped-user-name OK* [ldap] expand: ou=group,ou=my,dc=domain,dc=cu -> ou=group,ou=my,dc=domain,dc=cu . *checking user/pass works fine... now check monthlycounter to compare hours..* . [monthlycounter1] sql_xlat [monthlycounter1] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [monthlycounter1] expand: %{Stripped-User-Name:-%{User-Name:-DEFAULT}} -> *usertest* [monthlycounter1] sql_set_user escaped user --> '*usertest*' *IF stripped-user-name works here at monthlycounter why the query not use it! and use user with realm??/* [monthlycounter1] expand: SELECT SUM(acctsessiontime - GREATEST((1346472000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='*usertest@my.domain.cu*' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1346472000' -> SELECT SUM(acctsessiontime - GREATEST((1346472000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='*usertest@my.domain.cu*' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1346472000' rlm_sql (sql1): Reserving sql socket id: 4 [monthlycounter1] row[0] returned NULL rlm_sql (sql1): Released sql socket id: 4 [monthlycounter1] expand: %{sql1:SELECT SUM(acctsessiontime - GREATEST((1346472000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='*usertest@my.domain.cu*' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1346472000'} -> *rlm_sqlcounter: No integer found in string "" <------------- must be found integer to compare with max-monthly-session, in database i have only usernames, not with realms* +++[monthlycounter1] returns noop hints confs *DEFAULT Suffix == "@my.domain.cu", Strip-User-Name = Yes* Hint = "userdefault", Service-Type = Framed-User, Framed-Protocol = PPP, site-available/default # cat sites-available/default | egrep -v '\#|^$' authorize { preprocess filter_username *suffix* ldap redundant-load-balance { monthlycounter1 monthlycounter2 } checkval1 checkval2 checkval3 expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type LDAP { ldap } } preacct { preprocess acct_unique *suffix* } accounting { redundant-load-balance { sql1 sql2 } } session { load-balance { sql1 sql2 } } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { } thanxs for any help. -- Antonio Peña Secure email with PGP 0x8B021001 available at http://pgp.mit.edu Fingerprint: 74E6 2974 B090 366D CE71 7BB2 6476 FA09 8B02 1001
i put the hint file more below after radiusd -X.. check again please... i miss policyfilter... i send again both. /etc/freeradius/hints DEFAULT Suffix == "@my.domain.cu", Strip-User-Name = Yes Hint = "userdefault", Service-Type = Framed-User, Framed-Protocol = PPP, /etc/freeradius/policy.conf (is the original file, i just activate uncommented # ) anyway here is policy { forbid_eap { if (EAP-Message) { reject } } permit_only_eap { if (!EAP-Message) { if (!"%{outer.request:EAP-Message}") { reject } } } deny_realms { if (User-Name =~ /@|\\/) { reject } } do_not_respond { update control { Response-Packet-Type := Do-Not-Respond } handled } filter_username { if (User-Name =~ /^ /) { reject } if (User-Name =~ / $$/) { reject } if (User-Name != "%{tolower:%{User-Name}}") { reject } } cui_authorize { update request { Chargeable-User-Identity:='\\000' } } cui_postauth { if (FreeRadius-Proxied-To == 127.0.0.1) { if (outer.request:Chargeable-User-Identity) { update outer.reply { Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}" } } } else { if (Chargeable-User-Identity) { update reply { Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}" } } } } cui_updatedb { if (reply:Chargeable-User-Identity) { cui } } cui_accounting { if (!Chargeable-User-Identity) { update control { Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}" } } if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) { cui } } mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) rewrite.called_station_id { if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { update request { Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } if ("%{8}") { update request { Called-Station-Id := "%{Called-Station-Id}:%{8}" } } updated } else { noop } } rewrite.calling_station_id { if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) { update request { Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } updated } else { noop } } } 2012/9/27 alan buxey <A.L.M.Buxey@lboro.ac.uk>
Hi,
User-Name = "[1]usertest@my.domain.cu"
okay..
[preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok
and what is in your hints file?
++- policy filter_username returns ok
and what is in this policy?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Antonio Peña Secure email with PGP 0x8B021001 available at http://pgp.mit.edu Fingerprint: 74E6 2974 B090 366D CE71 7BB2 6476 FA09 8B02 1001
Hi,
DEFAULT Suffix == "@[1]my.domain.cu", Strip-User-Name = Yes
there you go. strip-user-name = yes this means that user@blahblah.com becomes just user do you WANT or intend to strip the user-name? If you are trying to use the suffix for other things then stripping it isnt going to help.... alan
I want when username is user@my.domain the suffix out @my.domain to only get: user that only need. 2012/9/27 alan buxey <A.L.M.Buxey@lboro.ac.uk>
Hi,
DEFAULT Suffix == "@[1]my.domain.cu", Strip-User-Name = Yes
there you go.
strip-user-name = yes
this means that user@blahblah.com becomes just user
do you WANT or intend to strip the user-name? If you are trying to use the suffix for other things then stripping it isnt going to help....
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Antonio Peña Secure email with PGP 0x8B021001 available at http://pgp.mit.edu Fingerprint: 74E6 2974 B090 366D CE71 7BB2 6476 FA09 8B02 1001
anyway... my problem is exactly at monthlycounter because i need stripped-user-name and module stripped when try to use but in the queries use username complete including realm. 2012/9/27 Tony Peña <emperor.cu@gmail.com>
I want when username is user@my.domain
the suffix out @my.domain to only get: user
that only need.
2012/9/27 alan buxey <A.L.M.Buxey@lboro.ac.uk>
Hi,
DEFAULT Suffix == "@[1]my.domain.cu", Strip-User-Name = Yes
there you go.
strip-user-name = yes
this means that user@blahblah.com becomes just user
do you WANT or intend to strip the user-name? If you are trying to use the suffix for other things then stripping it isnt going to help....
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Antonio Peña Secure email with PGP 0x8B021001 available at http://pgp.mit.edu Fingerprint: 74E6 2974 B090 366D CE71 7BB2 6476 FA09 8B02 1001
-- Antonio Peña Secure email with PGP 0x8B021001 available at http://pgp.mit.edu Fingerprint: 74E6 2974 B090 366D CE71 7BB2 6476 FA09 8B02 1001
On 27/09/12 17:06, Tony Peña wrote:
i put the hint file more below after radiusd -X.. check again please... i miss policyfilter... i send again both.
/etc/freeradius/hints
DEFAULT Suffix == "@my.domain.cu", Strip-User-Name
Don't do this. It doesn't work reliably, because you modify the username, which breaks some things. Stop using the hints file, and instead do something like this: authorize { ... if (User-Name =~ /^(.+)@my.domain.co/) { update request { Stripped-User-Name := "%{1}" } } ... } As Alan has pointed out, you can also do this with the "realm" module: authorize { ... suffix ... } ...but to do that, you ALSO need to edit proxy.conf and define a fake local realm. Personally I find this confusing and like to separate proxy realms from username realms.
ok.. the suffix patch works and get out the @realm... but monthlycounter is my trouble more bigger... because not stripped-user-name in the queries... is possible to do the same patch, in sql/mysql/counter.conf ?? where said. sqlcounter monthlycounter1 { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session reply-name = Session-Timeout sqlmod-inst = sql1 key = User-Name <---- use the if { your patch} ??? reset = monthly 2012/9/27 Phil Mayers <p.mayers@imperial.ac.uk>
On 27/09/12 17:06, Tony Peña wrote:
i put the hint file more below after radiusd -X.. check again please... i miss policyfilter... i send again both.
/etc/freeradius/hints
DEFAULT Suffix == "@my.domain.cu", Strip-User-Name
Don't do this. It doesn't work reliably, because you modify the username, which breaks some things.
Stop using the hints file, and instead do something like this:
authorize { ... if (User-Name =~ /^(.+)@my.domain.co/) { update request { Stripped-User-Name := "%{1}" } } ... }
As Alan has pointed out, you can also do this with the "realm" module:
authorize { ... suffix ... }
...but to do that, you ALSO need to edit proxy.conf and define a fake local realm. Personally I find this confusing and like to separate proxy realms from username realms.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
-- Antonio Peña Secure email with PGP 0x8B021001 available at http://pgp.mit.edu Fingerprint: 74E6 2974 B090 366D CE71 7BB2 6476 FA09 8B02 1001
Hi,
key = User-Name <---- use the if { your patch} ???
either change this to Stripped-User-Name instead....or if you ONLY want this to be the full realm when its NOT the realm of interest, then create a new SQL query and then wrap unlang around it eg if ("%{User-Name}" =~ /\@realm.you.want$/i ){ monthlycounter1 } else { monthlycounter2 } alan
ok.. I do some testing about new sql... and with your unlang if idea.. could be thanxs to all 2012/9/27 alan buxey <A.L.M.Buxey@lboro.ac.uk>
Hi,
key = User-Name <---- use the if { your patch} ???
either change this to Stripped-User-Name instead....or if you ONLY want this to be the full realm when its NOT the realm of interest, then create a new SQL query and then wrap unlang around it eg
if ("%{User-Name}" =~ /\@realm.you.want$/i ){ monthlycounter1 } else { monthlycounter2 }
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Antonio Peña Secure email with PGP 0x8B021001 available at http://pgp.mit.edu Fingerprint: 74E6 2974 B090 366D CE71 7BB2 6476 FA09 8B02 1001
On Thu, Sep 27, 2012 at 10:34 PM, Tony Peña <emperor.cu@gmail.com> wrote:
hi again... i try to get suffix work but i guess missing something... here
[preprocess] hints: Matched DEFAULT at 36
[suffix] No '@' in User-Name = "usertest", looking up realm NULL <---why not found '@' if is coming in radius packet and check in the conf???
because you edit the config file and broke it
hints confs
DEFAULT Suffix == "@my.domain.cu", Strip-User-Name = Yes
... and most likely that's where you broke it. Return that file to the default and you should have it working correctly. -- Fajar
participants (4)
-
alan buxey -
Fajar A. Nugraha -
Phil Mayers -
Tony Peña