All attributes in rlm_sql_log or rlm_sql?

Dean Smith dean at eatworms.org.uk
Sat Apr 12 15:25:19 CEST 2008


Ultimately for the same reasons that rlm_detail exists. I'd like to give my
ops guys the ability to see all attributes in requests and replies when
they're debugging or monitoring. We want to maintain all records in a single
SQL database with access via our existing web frontends... so I'd like the
same detail as rlm_detail via the SQL modules.

Obviously many ways to achieve it (parse and upload the detail log,
dedicated perl module etc.) but my scripting/coding is weak so that will
take me longer.

Many thanks for the answers and other suggestions given.

Dean


Dean Smith wrote:
> I guess I'm asking is there an unlang equivalent to this snippet from
> rlm_detail.c. ..

  No.

  I don't see why it makes sense to log all of the attributes as one big
line of text in SQL.  If you need that, it shouldn't be hard to write a
Perl plugin that does it.

  Alan DeKok.


------------------------------

Message: 8
Date: Thu, 10 Apr 2008 23:30:12 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: "Users" accounts file - was: Re: EAP-TTLS (PAP) not
	working with	NT	domain - debian freeradius 1.1.7
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <47FE86E4.1010100 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

James McOrmond wrote:
> So, I figured the users file was a logical place..

  Yes, if it's used, and if the rest of the policy is fine.

> I added a line like this:
> 
> radiustester User-Password := "xoageifo"
> 
> but it's complaining it's not in ldap..

  Run it in debugging mode: radiusd -X.

  Alan DeKok.


------------------------------

Message: 9
Date: Thu, 10 Apr 2008 18:45:15 -0400 (EDT)
From: "Tuc at T-B-O-H.NET" <ml at t-b-o-h.net>
Subject: Re: Restrict to initial NAS used to logon
To: freeradius-users at lists.freeradius.org
Message-ID:
	<200804102245.m3AMjFCa042294 at himinbjorg.tucs-beachin-obx-house.com>
Content-Type: text/plain; charset=us-ascii

> 
> Tuc at T-B-O-H.NET wrote:
> > 	Looking to restrict a user to only be able to log in
> > and re-log in to the initial NAS they first ever logged onto.
> > (Hotspot)  Looking at the radacct file where it looks like
> > the check-items normally go against, I'm not seeing anything I
> > can use as an identifier. The nasipaddress is always 0.0.0.0.
> > Maybe calledstationid, except if we swap equipment out during
> > the lifetime of a users id it won't match. 
> > 
> > 	Is anyone doing anything like this already?
> 
>   They usually use equipment that sends a NAS identifier.
>
	Hrm.... I just originally went on the assumption that the sending
side was partially braindead, and wasn't sending it. Your comment
made me dump a session on 1812 and 1813...
1812:
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x0 (0)
    Length: 216
    Authenticator: A9A4B05B3C01784A8DF58849DB987135
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: l=5  t=User-Name(1): tuc
        AVP: l=18  t=CHAP-Challenge(60): 894209E703975A194529D13926790197
        AVP: l=19  t=CHAP-Password(3): 0A6E0AEA789A9A0AF0E2A7F15B04E6A289
        AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
        AVP: l=6  t=Service-Type(6): Login-User(1)
        AVP: l=6  t=Framed-IP-Address(8): 192.168.182.4
        AVP: l=19  t=Calling-Station-Id(31): 00-10-A4-10-8D-A6
        AVP: l=19  t=Called-Station-Id(30): 00-16-01-91-E9-46
        AVP: l=10  t=NAS-Identifier(32): TBOH2173
        AVP: l=18  t=Acct-Session-Id(44): 47fe006e00000000
        AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
        AVP: l=6  t=NAS-Port(5): 0
        AVP: l=18  t=Message-Authenticator(80): F0AE0A9EE7DAC32F9AA6089A5A9C3A70
        AVP: l=40  t=Vendor-Specific(26) v=WISPr(14122)

1813:

Radius Protocol
    Code: Accounting-Request (4)
    Packet identifier: 0x6 (6)
    Length: 142
    Authenticator: 48DCF71BE50EC2E9ECC17825FB6D2417
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: l=6  t=Acct-Status-Type(40): Start(1)
        AVP: l=5  t=User-Name(1): tuc
        AVP: l=11  t=Class(25): 303730333435363738
        AVP: l=19  t=Calling-Station-Id(31): 00-10-A4-10-8D-A6
        AVP: l=19  t=Called-Station-Id(30): 00-16-01-91-E9-46
        AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
        AVP: l=6  t=NAS-Port(5): 0
        AVP: l=10  t=NAS-Port-Id(87): 00000000
        AVP: l=6  t=NAS-IP-Address(4): 0.0.0.0
        AVP: l=10  t=NAS-Identifier(32): TBOH2173
        AVP: l=6  t=Framed-IP-Address(8): 192.168.182.4
        AVP: l=18  t=Acct-Session-Id(44): 47fe006e00000000


	So it looks like it's sending it, just not making it into
the radacct files. :-/ So where to start looking for that?
>
>   Or, use the "Packet-Src-IP-Address" attribute.
> 
	That's gonna take a bit of headscratching to figure out
about. :) But thanks for the lead.

			Tuc


------------------------------

End of Freeradius-Users Digest, Vol 36, Issue 76
************************************************