Re: Cannot disconnect radius user using radclient
I’m afraid to say I am having very similar problems to the user who has been so sadly flamed for not reading the config/docs/etc/etc/etc …. believe me I have tried to find the answer for this using the resources available (wiki, docs, config files, etc) but am sadly missing something which I’m sure is obvious to a guru who eats sleeps and breathes radiusd I am trying to learn and understand RADIUS, and I am trying to understand the documentation and follow it … I am trying to disconnect users via a command (eventually a script) when all the available info I have is the username they have logged in with (and whether or not their subscription has expired and they need to be cut off) I have a coa listener on port 3799 and am issuing the following command with the following results echo "User-Name = jonhome1@fido.net.uk" | /usr/local/bin/radclient -x localhost disconnect testing123 Sending Disconnect-Request of id 125 to 127.0.0.1 port 3799 User-Name = "jonhome1@fido.net.uk" rad_recv: Disconnect-ACK packet from host 127.0.0.1 port 3799, id=125, length=20 debug output rad_recv: Disconnect-Request packet from host 127.0.0.1 port 57377, id=125, length=42 User-Name = "jonhome1@fido.net.uk" server coa { # Executing section recv-coa from file /usr/local/etc/raddb/sites-enabled/coa +group recv-coa { ++[ok] = ok +} # group recv-coa = ok # Executing section send-coa from file /usr/local/etc/raddb/sites-enabled/coa +group send-coa { ++[ok] = ok +} # group send-coa = ok } # server coa Sending Disconnect-ACK of id 125 to 127.0.0.1 port 57377 Finished request 7. Going to the next request Cleaning up request 7 ID 125 with timestamp +21 Ready to process requests. I have cow and originate-coa in my sites-enabled .. however I have a feeling there should be something other than “ok” in the policy sections, but I can’t find any examples indicating what these might be made to look like my LNS doesn’t seem to report or receive the ack and everything seems to swing around localhost … I have tried adding the IP address of the NAS (although we have several, but hard coding it for the test hasn’t helped) .. and I’m a little confused .. I have been looking at this on and off for 4-5 months now and am really in need of some help listen { type = coa ipaddr = * port = 3799 server = coa } server coa { recv-coa { ok } send-coa { ok } } home_server localhost-coa { type = coa ipaddr = 127.0.0.1 port = 3799 secret = testing123 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool coa { type = fail-over home_server = localhost-coa virtual_server = originate-coa.example.com } server originate-coa.example.com { pre-proxy { update proxy-request { NAS-IP-Address = 80.252.124.201 } } post-proxy { switch "%{proxy-reply:Packet-Type}" { case CoA-ACK { ok } case CoA-NAK { ok } case Disconnect-ACK { ok } case Disconnect-NAK { ok } case { fail } } Post-Proxy-Type Fail-CoA { ok } Post-Proxy-Type Fail-Disconnect { ok } } } my default file looks like this (comments removed for brevity) authorize { preprocess auth_log chap mschap digest suffix eap { ok = return } unix files sql expiration logintime pap update coa { User-Name = "%{User-Name}" Acct-Session-Id = "%{Acct-Session-Id}" NAS-IP-Address = "%{NAS-IP-Address}" } update disconnect { User-Name = "%{User-Name}" Acct-Session-Id = "%{Acct-Session-Id}" NAS-IP-Address = "%{NAS-IP-Address}" } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp sql attr_filter.accounting_response } session { radutmp sql } post-auth { main_pool reply_log sql Post-Auth-Type REJECT { attr_filter.access_reject } update coa { User-Name = "%{User-Name}" Acct-Session-Id = "%{Acct-Session-Id}" NAS-IP-Address = "%{NAS-IP-Address}" } update disconnect { User-Name = "%{User-Name}" Acct-Session-Id = "%{Acct-Session-Id}" NAS-IP-Address = "%{NAS-IP-Address}" } } pre-proxy { } post-proxy { eap update coa { User-Name = "%{User-Name}" Acct-Session-Id = "%{Acct-Session-Id}" NAS-IP-Address = "%{NAS-IP-Address}" } update disconnect { User-Name = "%{User-Name}" Acct-Session-Id = "%{Acct-Session-Id}" NAS-IP-Address = "%{NAS-IP-Address}" } } output from radiusd -X [root@ras-1 run]# radiusd -X radiusd: FreeRADIUS Version 2.2.1, for host x86_64-unknown-linux-gnu, built on Oct 21 2013 at 18:47:04 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/sqlippool.conf including configuration file /usr/local/etc/raddb/ippool.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/control-socket including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/coa including configuration file /usr/local/etc/raddb/sites-enabled/originate-coa main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /usr/local/etc/raddb/dictionary main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 5 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = yes dead_time = 120 wake_all_if_all_dead = no } home_server localhost-coa { ipaddr = 127.0.0.1 port = 3799 type = "coa" secret = "testing123" response_window = 30 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } realm LOCAL { authhost = LOCAL accthost = LOCAL } realm fido.net.uk { nostrip authhost = LOCAL accthost = LOCAL } ** other entries snipped ** home_server_pool coa { type = fail-over virtual_server = originate-coa.example.com home_server = localhost-coa } radiusd: #### Loading Clients #### client 127.0.0.1 { require_message_authenticator = no secret = "testing123" shortname = "localhost" nastype = "other" } ** other entries snipped ** radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/local/etc/raddb/radiusd.conf exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/local/etc/raddb/radiusd.conf Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/local/etc/raddb/radiusd.conf expiration { reply-message = "Your account has been suspended, %{User-Name} " } } radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/radiusd.conf pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/radiusd.conf Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/radiusd.conf mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/radiusd.conf unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/radiusd.conf preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /usr/local/etc/raddb/huntgroups reading pairlist file /usr/local/etc/raddb/hints Module: Linked to module rlm_detail Module: Instantiating module "auth_log" from file /usr/local/etc/raddb/radiusd.conf detail auth_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/local/etc/raddb/radiusd.conf realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/local/etc/raddb/radiusd.conf files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /usr/local/etc/raddb/users reading pairlist file /usr/local/etc/raddb/acct_users reading pairlist file /usr/local/etc/raddb/preproxy_users Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /usr/local/etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "radiusd" password = "password" radius_db = "radiusd" read_groups = yes sqltrace = yes sqltracefile = "/var/log/radius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 40 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "DEFAULT" nas_query = "SELECT id,nasname,shortname,type,secret FROM nas" authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id" authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id" accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', ChargeableUserIdentity='%{Chargeable-User-Identity}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'" accounting_update_query = " UPDATE radacct SET AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', AcctOutputOctets = '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}', FramedIPAddress = '%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}' AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime = 0" accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, ChargeableUserIdentity) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL '(%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0})' SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Chargeable-User-Identity}')" accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, ChargeableUserIdentity) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0', '%{Chargeable-User-Identity}')" accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ChargeableUserIdentity='%{Chargeable-User-Identity}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', AcctOutputOctets = '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime=0" accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, ChargeableUserIdentity) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL '(%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0})' SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}', '%{Chargeable-User-Identity}')" group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'" connect_failure_retry_delay = 60 simul_count_query = "SELECT COUNT(*) FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" postauth_query = "INSERT into radpostauth (id, user, pass, reply, date, ChargeableUserIdentity) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW(), '%{Chargeable-User-Identity}')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radiusd@localhost:/radiusd rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 ** snip ** rlm_sql (sql): Attempting to connect rlm_sql_mysql #39 rlm_sql_mysql: Starting connect to MySQL server for #39 rlm_sql (sql): Connected new DB handle, #39 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/radiusd.conf acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /usr/local/etc/raddb/radiusd.conf detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/radiusd.conf radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_ippool Module: Instantiating module "main_pool" from file /usr/local/etc/raddb/radiusd.conf ippool main_pool { session-db = "/usr/local/etc/raddb/db.ippool" ip-index = "/usr/local/etc/raddb/db.ipindex" key = "%{NAS-IP-Address} %{NAS-Port}" range-start = 84.246.197.10 range-stop = 84.246.197.254 netmask = 255.255.255.255 cache-size = 245 override = no maximum-timeout = 0 } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "reply_log" from file /usr/local/etc/raddb/radiusd.conf detail reply_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } } # modules } # server server coa { # from file /usr/local/etc/raddb/sites-enabled/coa modules { Module: Checking recv-coa {...} for more modules to load Module: Linked to module rlm_always Module: Instantiating module "ok" from file /usr/local/etc/raddb/radiusd.conf always ok { rcode = "ok" simulcount = 0 mpp = no } Module: Checking send-coa {...} for more modules to load } # modules } # server server originate-coa.example.com { # from file /usr/local/etc/raddb/sites-enabled/originate-coa modules { Module: Creating Post-Proxy-Type = Fail-CoA Module: Creating Post-Proxy-Type = Fail-Disconnect Module: Checking pre-proxy {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "fail" from file /usr/local/etc/raddb/radiusd.conf always fail { rcode = "fail" simulcount = 0 mpp = no } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" uid = "radiusd" gid = "radiusd" } } listen { type = "coa" server = "coa" ipaddr = * port = 3799 } ... adding new socket proxy address * port 35373 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on coa address * port 3799 as server coa Listening on proxy address * port 1814 Ready to process requests. rad_recv: Disconnect-Request packet from host 127.0.0.1 port 49227, id=199, length=42 User-Name = "jonhome1@fido.net.uk" server coa { # Executing section recv-coa from file /usr/local/etc/raddb/sites-enabled/coa +group recv-coa { ++[ok] = ok +} # group recv-coa = ok # Executing section send-coa from file /usr/local/etc/raddb/sites-enabled/coa +group send-coa { ++[ok] = ok +} # group send-coa = ok } # server coa Sending Disconnect-ACK of id 199 to 127.0.0.1 port 49227 Finished request 170. Going to the next request Cleaning up request 170 ID 199 with timestamp +439 Ready to process requests.
Jon Morby wrote:
I’m afraid to say I am having very similar problems to the user who has been so sadly flamed for not reading the config/docs/etc/etc/etc ….
No one gets flamed for not reading the docs. They get told to read the docs. They get flamed when they argue about reading the docs.
I am trying to disconnect users via a command (eventually a script) when all the available info I have is the username they have logged in with (and whether or not their subscription has expired and they need to be cut off)
Well... that's the first problem. Most NAS equipment won't disconnect a user based just on a User-Name. They need more. What else do they need? No one knows... read the NAS documentation, if it exists. I've argued in the standards bodies that this is stupid, and there's a better way. I was over-ruled.
I have a coa listener on port 3799 and am issuing the following command with the following results
Why do you have a CoA listener? The NAS is the entity which disconnects a user, not the RADIUS server. You should be sending the disconnect packet to the NAS.
rad_recv: Disconnect-Request packet from host 127.0.0.1 port 57377, id=125, length=42 User-Name = "jonhome1@fido.net.uk" server coa { # Executing section recv-coa from file /usr/local/etc/raddb/sites-enabled/coa +group recv-coa { ++[ok] = ok +} # group recv-coa = ok # Executing section send-coa from file /usr/local/etc/raddb/sites-enabled/coa +group send-coa { ++[ok] = ok +} # group send-coa = ok } # server coa Sending Disconnect-ACK of id 125 to 127.0.0.1 port 57377 Finished request 7. Going to the next request Cleaning up request 7 ID 125 with timestamp +21 Ready to process requests.
So... the coa virtual server does what it's configured to do. Which is nothing. If you want it to do something, configure it to do something.
I have cow and originate-coa in my sites-enabled .. however I have a feeling there should be something other than “ok” in the policy sections, but I can’t find any examples indicating what these might be made to look like
Because it's impossible to come up with examples that fit your scenario. You're supposed to (a) know what you want to happen, (b) know what the FreeRADIUS modules do, and (c) put the two together.
my LNS doesn’t seem to report or receive the ack and everything seems to swing around localhost
Because that's what you told it to do. You had radclient send a packet to localhost. Why not send it to the NAS? You had FreeRADIUS configured to do nothing with the packet. So of *course* it's not going to send the packet to the NAS.
I have tried adding the IP address of the NAS (although we have several, but hard coding it for the test hasn’t helped) .. and I’m a little confused ..
Adding the IP of the NAS to ... what? That would seem important.
I have been looking at this on and off for 4-5 months now and am really in need of some help
Well, if you can't get it to work in a day, ask questions. That's what the list is for. I think the fundamental confusion is that you expect FreeRADIUS to do something magical with the packets. It can't. It's just a RADIUS server. If you need something *more* than just a User-Name, then read the NAS documentation to see what it needs. We can't help there. Then, look at the debug output to see if the NAS sends FreeRADIUS those attributes. If it doesn't, you're stuck. If it does, you need to echo those attributes back in a Disconnect-Request. The connection between an Accounting-Request and you sending a Disconnect-Request is the database. The session data from accounting should be stored in a database. You can then read the database, keyed by User-Name, to search for the session attributes. You don't need FreeRADIUS to do that. A short Perl script which reads the database && sends attributes to radclient should work. And send the Disconnect-Request packet to the NAS. There's really no reason to send it to FreeRADIUS. There *should* be a standard for proxying Disconnect-Messages. But RFC 5176 is silent on this topic. I have a proposal to fix that. It's implemented in 2.2.x and 3.0.0, and there are no objections in the standard bodies. But it still might take 3 years to get standardized. Alan DeKok.
On 21 Oct 2013, at 22:08, Alan DeKok <aland@deployingradius.com> wrote:
Jon Morby wrote:
I’m afraid to say I am having very similar problems to the user who has been so sadly flamed for not reading the config/docs/etc/etc/etc ….
No one gets flamed for not reading the docs. They get told to read the docs. They get flamed when they argue about reading the docs.
Ok understood .. and believe me I have read what I can find and tried to bend it to my will :)
I am trying to disconnect users via a command (eventually a script) when all the available info I have is the username they have logged in with (and whether or not their subscription has expired and they need to be cut off)
Well... that's the first problem. Most NAS equipment won't disconnect a user based just on a User-Name. They need more.
Yup … basically I need to get the session id AND the NAS id that the user is connected to, all based on the username We have several LNS and the user could be connected to any of them .. this application has no idea if the user is connected at all, nor where he is connected if he is. We just need to ensure that at the end of their paid time they are disconnected if they are still connected so the next time they login they get forced into a walled garden (or we just expire their account so they can’t log back in) What I was hoping for was feed the username into FR, get it to associatively fill in the blanks (the session-id and nas id) and then forward to the LNS concerned If I send a disconnect with the Acct-Session-Id to the LNS then the user gets kicked off … so I know that works
What else do they need? No one knows... read the NAS documentation, if it exists.
It doesn’t really exist beyond saying "RFC5176 Disconnect message and change of authorisation are supported allowing on the fly changes of routing table, closed user group, routes, and line speed without dropping session. Ideal for handling BRAS rate changes seamlessly.”
I've argued in the standards bodies that this is stupid, and there's a better way. I was over-ruled.
I have a coa listener on port 3799 and am issuing the following command with the following results
Why do you have a CoA listener? The NAS is the entity which disconnects a user, not the RADIUS server. You should be sending the disconnect packet to the NAS.
Because all I could see from the help given to the last few people who’ve asked this was “enable outgoing-coa and rtfm” so I did because nothing else was working
rad_recv: Disconnect-Request packet from host 127.0.0.1 port 57377, id=125, length=42 User-Name = "jonhome1@fido.net.uk" server coa { # Executing section recv-coa from file /usr/local/etc/raddb/sites-enabled/coa +group recv-coa { ++[ok] = ok +} # group recv-coa = ok # Executing section send-coa from file /usr/local/etc/raddb/sites-enabled/coa +group send-coa { ++[ok] = ok +} # group send-coa = ok } # server coa Sending Disconnect-ACK of id 125 to 127.0.0.1 port 57377 Finished request 7. Going to the next request Cleaning up request 7 ID 125 with timestamp +21 Ready to process requests.
So... the coa virtual server does what it's configured to do. Which is nothing. If you want it to do something, configure it to do something.
Yup that’s what I’m trying to work out how to do … feed it a user-name get FR to add the session id to the equation and proxy/forward it to the relevant NAS as a coa
I have coa and originate-coa in my sites-enabled .. however I have a feeling there should be something other than “ok” in the policy sections, but I can’t find any examples indicating what these might be made to look like
Because it's impossible to come up with examples that fit your scenario. You're supposed to (a) know what you want to happen, (b) know what the FreeRADIUS modules do, and (c) put the two together.
Yup and I’m trying to fathom that and missing the rosetta stone … but I am continuing to work the problem and decided (finally) to reach out for help
my LNS doesn’t seem to report or receive the ack and everything seems to swing around localhost
Because that's what you told it to do. You had radclient send a packet to localhost. Why not send it to the NAS?
Because I don’t know which NAS at that stage .. all I know is the username
You had FreeRADIUS configured to do nothing with the packet. So of *course* it's not going to send the packet to the NAS.
Yup now my question .. how do I tell FR to do “something useful” with the packet (specifically complete the Acct-Session-Id and forward to the NAS which the user is connected to)?
I have tried adding the IP address of the NAS (although we have several, but hard coding it for the test hasn’t helped) .. and I’m a little confused ..
Adding the IP of the NAS to ... what? That would seem important.
To the CoA / Disconnect request packet .. sorry obviously wasn’t being clear enough in my original post
I have been looking at this on and off for 4-5 months now and am really in need of some help
Well, if you can't get it to work in a day, ask questions. That's what the list is for.
I considered that … but I saw how the 2 or 3 other users who have asked this very question were shot down in public and decided to spend more time trying to understand the problem … sadly it didn’t help so I decided to ask for help understanding the fundamentals a little more
I think the fundamental confusion is that you expect FreeRADIUS to do something magical with the packets. It can't. It's just a RADIUS server.
I was hoping it would fill in the blanks (based on the coa packet I had “defined” with “update coa”) and then proxy it to the right place
If you need something *more* than just a User-Name, then read the NAS documentation to see what it needs. We can't help there.
Session ID plane and simple
Then, look at the debug output to see if the NAS sends FreeRADIUS those attributes. If it doesn't, you're stuck. If it does, you need to echo those attributes back in a Disconnect-Request.
They’re in radacct … how do I get them out (can I get them out with FR?)
The connection between an Accounting-Request and you sending a Disconnect-Request is the database. The session data from accounting should be stored in a database.
Ok so I need to MySQL query it and not bother asking FR directly for the info? I was hoping FR would be the API / Interface layer to the DB
You can then read the database, keyed by User-Name, to search for the session attributes. You don't need FreeRADIUS to do that. A short Perl script which reads the database && sends attributes to radclient should work.
Yup .. again I was hoping to do this with radius queries rather than bypassing FR to ask the question
And send the Disconnect-Request packet to the NAS. There's really no reason to send it to FreeRADIUS.
Other than to submit everything through FR which I was treating as the holy grail / centre of the universe for all our connections
There *should* be a standard for proxying Disconnect-Messages. But RFC 5176 is silent on this topic. I have a proposal to fix that. It's implemented in 2.2.x and 3.0.0, and there are no objections in the standard bodies.
Cool … well this is what I was looking for / hoping to trigger …. send a disconnect request into FR, get it to proxy it (based on a policy definition/update in the configs) and avoid having to touch the underlying DB
But it still might take 3 years to get standardised.
That fast? :) … this isn’t the early 90’s any more sadly :)
Alan DeKok.
Jon Morby wrote:
Ok understood .. and believe me I have read what I can find and tried to bend it to my will :)
That's the issue. You CAN'T bend it to your will. You have to understand how everything works. And then come up with a solution within that framework. This is a MAJOR reason why people don't get RADIUS. They think poking at the RADIUS server will fix things. It won't. The NAS is in charge, not the RADIUS server.
What I was hoping for was feed the username into FR, get it to associatively fill in the blanks (the session-id and nas id) and then forward to the LNS concerned
That would be nice, but the code doesn't exist. The SQL module needs to be update to do this. It may be difficult, because everyone loves to mangle the schemas. And the NAS may not send the data it needs for CoA.
If I send a disconnect with the Acct-Session-Id to the LNS then the user gets kicked off … so I know that works
That's a miracle, at least.
What else do they need? No one knows... read the NAS documentation, if it exists.
It doesn’t really exist beyond saying
"RFC5176 Disconnect message and change of authorisation are supported allowing on the fly changes of routing table, closed user group, routes, and line speed without dropping session. Ideal for handling BRAS rate changes seamlessly.”
And people complain about the FreeRADIUS documentation. <sigh>
Because all I could see from the help given to the last few people who’ve asked this was “enable outgoing-coa and rtfm” so I did because nothing else was working
No... that is *very* different. The originate-coa virtual server will disconnect a user WHEN IT RECEIVES AN ACCOUNTING PACKET. So there's no DB query, or anything complicated. You can just populate the CoA packet from the accounting packet, which has all of the fields you need. What you want is something very different. Given a User-Name, look in the DB to find the Acct-Session-Id.
my LNS doesn’t seem to report or receive the ack and everything seems to swing around localhost Because that's what you told it to do. You had radclient send a packet to localhost. Why not send it to the NAS?
Because I don’t know which NAS at that stage .. all I know is the username
This information is in the DB. Look there.
You had FreeRADIUS configured to do nothing with the packet. So of *course* it's not going to send the packet to the NAS.
Yup now my question .. how do I tell FR to do “something useful” with the packet (specifically complete the Acct-Session-Id and forward to the NAS which the user is connected to)?
I'll be unhelpful, and say "man unlang". You have the tools to figure it out. You need to update the CoA packet with data. The "unlang" documentation describes how to do this. You need to grab data from SQL. Your SQL server will contain documentation on how to write an SQL query. The big problem here is that you don't know which piece is doing what. So you can't create a solution out of those pieces. Instead, you're poking at it, and expecting it to magically work. It won't. You MUST understand what the system is doing.
I considered that … but I saw how the 2 or 3 other users who have asked this very question were shot down in public
Well, I'd wager that they didn't just ask the question. They asked vague incoherent questions with no content. Or, they asked questions, and then argued about the answers. Both behaviors are anti-social, and are discouraged. Your question had content. Intelligent content. So... you got an intelligent answer.
I was hoping it would fill in the blanks (based on the coa packet I had “defined” with “update coa”) and then proxy it to the right place
I was hoping for that, too. :( Unfortunately, the standards aren't written. So doing the "right" thing is hard. And the "automatic discovery" code / configuration is hard, too. So it hasn't been done.
They’re in radacct … how do I get them out (can I get them out with FR?)
You could. You'd have to write an SQL SELECT statement, with the associated failure logic. And the syntax of that statement depends on your database, and the schema you use to store accounting data.
The connection between an Accounting-Request and you sending a Disconnect-Request is the database. The session data from accounting should be stored in a database.
Ok so I need to MySQL query it and not bother asking FR directly for the info?
That's one way of doing it.
I was hoping FR would be the API / Interface layer to the DB
Once you've written the SQL query, you can use it in the FreeRADIUS configuration: if ("%{sql:SELECT ... }") { ... } So it all depends on SQL. FreeRADIUS is just a convenient helper.
Other than to submit everything through FR which I was treating as the holy grail / centre of the universe for all our connections
FreeRADIUS is a policy engine. The database stores data. The two are very, very, different. Alan DeKok.
participants (2)
-
Alan DeKok -
Jon Morby