rml_perl question
FreeRadius-ML
freeradius at zap2link.com
Wed Jul 25 11:16:24 CEST 2007
Hi Alan,
Of course I updated the PERL script. I simply modified the debug function to be:
sub log_request_attributes {
    # This shouldn't be done in production environments!
    # This is only meant for debugging!
    for (keys %RAD_REQUEST) {
        &radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
    }
    for (keys %RAD_CHECK) {
        &radiusd::radlog(1, "RAD_CHECK: $_ = $RAD_CHECK{$_}");
    }
    for (keys %RAD_REPLY) {
        &radiusd::radlog(1, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
    }
}
I hadn't set Auth-Type in radiusd.conf, according to references I've received,
the only Auth-Type directive I've added in the users.conf file.
Just for checking, I've removed the directive from the users.conf file, and now
I'm getting the following in the debug:
rad_recv: Access-Request packet from host 192.168.2.80:43824, id=122, length=194
User-Name = "101 at 192.168.2.80"
Digest-Attributes = 0x0a05313031
Digest-Attributes = 0x010e3139322e3136382e322e3830
Digest-Attributes = 0x022a34366130353033393832656466366336633065373730373531633335383536346266646632346562
Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "897c22eebf92577a23d3d2e91a360d67"
Service-Type = IAPP-Register
Sip-Uri-User = "101"
NAS-Port = 5060
NAS-IP-Address = 192.168.2.80
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070720'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070720
modcall[authorize]: module "auth_log" returns ok for request 8
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 8
perl_pool: item 0xa587328 asigned new request. Handled so far: 1
found interpetator at address 0xa587328
rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: Digest-Response = 897c22eebf92577a23d3d2e91a360d67
rlm_perl: RAD_REQUEST: User-Name = 101 at 192.168.2.80
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Sip-Uri-User = 101
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0xa64592c)
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0xa587328
modcall[authorize]: module "perl" returns ok for request 8
modcall: leaving group authorize (returns ok) for request 8
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [101 at 192.168.2.80/<no User-Password attribute>] (from client 192.168.2.80 port 5060)
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Cleaning up request 7 ID 121 with timestamp 46a03e12
As a reference, I'm uploading my configuration files to pastebin.com, according to the following:
radiusd.conf - http://pastebin.com/f31b5226b
rlm_perl.pl - http://pastebin.com/f15f198ca
users.conf - Everything is commented in, which means basically an empty file
Alan, I'm asking these questions as I want to understand the possibilities and
the various options that exist. I'm fully aware of the configuration of Digest and
how to make digest work with a MySQL backend, that worked without a problem and I
was able to understand how to start playing around with it to make it do what I want
it to do.
My only problem here is that I'm now playing around with rlm_perl, which appears to
be a bit more complex in the way it does things. For example, I've looked into the
documentation, I hadn't seen any document explaining the information transfer between
the rlm_perl script and the digest mechanism. The documentation describes how to work
with rlm_perl, how to write your own script and so on. But that little piece of
information is missing from it. The general information in the documentation is much
better than in most OSS projects I know, however, the lack of examples and the fact
that most people tend to work with some form of SQL/LDAP backend, makes any other
usage beyond that a bit more complicated for the novice FreeRadius user.
Alan, just to make something clear, I think FreeRadius is a wonderful tool. I've used
it in conjunction with GnuGK to build a multi-million minute H323 routing switch back in
2003, which is still working till today (switching over 25 million minutes a month). I've
used it in conjunction with Cisco Access Servers to create various Dial-IN PPP access routers,
and I've used it as a backend for Cisco L2TP/PPTP services, which were all working off of
MySQL, and work to this day - in other words, I know my way around FreeRadius fairly well.
The first time I ran into a situation I actually needed to talk to someone on the list is
now. I'm currently in the process of writing a document explaining my findings, and maybe
also help others use rlm_perl, but you have to understand that while I may seem a little
nagging, it is purely due to my Israeli nature that tends to get the better of me - and
my general desire to understand what I'm doing.
Regards,
Z2L
----- Original Message -----
From: "Alan DeKok" <aland at deployingradius.com>
To: freeradius at zap2link.com, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, July 24, 2007 6:22:27 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question
FreeRadius-ML wrote:
> Yes, that was the initial idea. However, $RAD_CHECK{User-Password}, at least according to
> my log file doesn't exist:
I don't understand. Did you update the Perl script to set that? Or
are you just looking at the debug output, and expecting to see
$RAD_CHECK{User-Password} somehow magically appear?
So... what Perl script are you using? Post it.
> rlm_perl: RAD_CHECK: Auth-Type = perl
I'm about ready to stop answering your messages. Every single thing
in the documentation, and what you've been told here has said
DO NOT SET AUTH-TYPE.
Yet... there you go setting it.
Honestly, I just don't understand why you're so insistent on ignoring
the advice you're given here. Damn near all of the problems you're
running into are because you're working hard to break things.
If you're not going to follow the advice given here, stop asking
questions.
Alan DeKok.
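
The "Digest-Attributes = ARRAY(0xa64592c)" line in the debug output above is a Perl array reference printed as a string, because the request carries several Digest-Attributes values. The following is an added example, not code from this thread or from FreeRADIUS: it expands multi-valued attributes and decodes each Digest-Attributes value as type/length/value using the draft-sterman-aaa-sip sub-attribute numbers. It assumes the values reach the script as the 0x-prefixed hex strings radiusd prints, uses the hypothetical names decode_digest_attribute and format_attributes, and prints instead of calling radiusd::radlog so it runs outside the server.

```perl
use strict;
use warnings;

# Sub-attribute numbers carried inside Digest-Attributes (draft-sterman-aaa-sip).
my %DIGEST_SUBATTR = (
    1 => 'Realm', 2 => 'Nonce', 3 => 'Method', 4 => 'URI', 5 => 'QOP',
    6 => 'Algorithm', 7 => 'Body-Digest', 8 => 'CNonce',
    9 => 'Nonce-Count', 10 => 'User-Name',
);

# Decode one "0x<type><length><value>" string; the length byte counts the
# two header bytes as well as the value.
sub decode_digest_attribute {
    my ($hex) = @_;
    return unless defined $hex && $hex =~ /\A0x((?:[0-9a-fA-F]{2}){2,})\z/;
    my $raw = pack 'H*', $1;
    my ($type, $len) = unpack 'C C', $raw;
    return if $len < 2 || $len > length($raw);    # malformed length
    my $text = substr($raw, 2, $len - 2);
    $text =~ s/[^\x20-\x7e]/./g;                  # keep log lines printable
    return (($DIGEST_SUBATTR{$type} // "Unknown-$type"), $text);
}

# Turn an attribute hash into log lines, expanding array references.
sub format_attributes {
    my ($label, $attrs) = @_;
    my @lines;
    for my $key (sort keys %$attrs) {
        my $val = $attrs->{$key};
        for my $v (ref($val) eq 'ARRAY' ? @$val : ($val)) {
            my ($name, $text) = $key eq 'Digest-Attributes'
                ? decode_digest_attribute($v) : ();
            push @lines, defined $name
                ? "$label: $key = $v (Digest-$name = \"$text\")"
                : "$label: $key = $v";
        }
    }
    return @lines;
}

# Constructed input: a subset of the values from the debug output above.
my %RAD_REQUEST = (
    'Sip-Uri-User'      => '101',
    'Digest-Attributes' => [
        '0x0a05313031',
        '0x010e3139322e3136382e322e3830',
        '0x030a5245474953544552',
    ],
);
print "$_\n" for format_attributes('RAD_REQUEST', \%RAD_REQUEST);
```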