Voip database

Miha Zoubek miha_zoubek at hotmail.com
Tue Dec 7 15:39:53 CET 2010


Thank you!!!
I put it there but still the same problem:
authorize {
	#
	#  The preprocess module takes care of sanitizing some bizarre
	#  attributes in the request, and turning them into attributes
	#  which are more standard.
	#
	#  It takes care of processing the 'raddb/hints' and the
	#  'raddb/huntgroups' files.
	preprocess

	#
	#  If you want to have a log of authentication requests,
	#  un-comment the following line, and the 'detail auth_log'
	#  section, above.
#	auth_log

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute for authentication, the mschap module will find
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	mschap

	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authenticate' section.
	digest
	#
	#  The WiMAX specification says that the Calling-Station-Id
	#  is 6 octets of the MAC.  This definition conflicts with
	#  RFC 3580, and all common RADIUS practices.  Un-commenting
	#  the "wimax" module here means that it will fix the
	#  Calling-Station-Id attribute to the normal format as
	#  specified in RFC 3580 Section 3.21
#	wimax

	#
	#  Look for IPASS style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
#	IPASS

	#
	#  If you are using multiple kinds of realms, you probably
	#  want to set "ignore_null = yes" for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	#
	suffix
#	ntdomain

	#
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
	#  authentication.
	#
	#  It also sets the EAP-Type attribute in the request
	#  attribute list to the EAP type from the packet.
	#
	#  As of 2.0, the EAP module returns "ok" in the authorize stage
	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
	#  this change is compatible with older configurations.
	#
	#  The example below uses module failover to avoid querying all
	#  of the following modules if the EAP module returns "ok".
	#  Therefore, your LDAP and/or SQL servers will not be queried
	#  for the many packets that go back and forth to set up TTLS
	#  or PEAP.  The load on those servers will therefore be reduced.
	#
	eap {
		ok = return
	}

	#
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
	#  using the system API's to get the password.  If you want
	#  to read /etc/passwd or /etc/shadow directly, see the
	#  passwd module in radiusd.conf.
	#
#	unix

	#
	#  Read the 'users' file
	#files

	#
	#  Look in an SQL database.  The schema of the database
	#  is meant to mirror the "users" file.
	#
	#  See "Authorization Queries" in sql.conf
	#sql
	pgsql-voip
	#
	#  If you are using /etc/smbpasswd, and are also doing
	#  mschap authentication, the un-comment this line, and
	#  configure the 'etc_smbpasswd' module, above.
#	etc_smbpasswd

	#
	#  The ldap module will set Auth-Type to LDAP if it has not
	#  already been set
#	ldap

	#
	#  Enforce daily limits on time spent logged in.
#	daily

	#
	# Use the checkval module
#	checkval

	expiration
	logintime

	pap

	#	Autz-Type Status-Server {
#
#	}
}

#
authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
	#Auth-Type PAP {
	#	pap
	#}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}

	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authorize' section.
	digest

	#
	#  Pluggable Authentication Modules.
	pam
	#
	#  See 'man getpwent' for information on how the 'unix'
	#  module checks the users password.  Note that packets
	#  containing CHAP-Password attributes CANNOT be authenticated
	#  against /etc/passwd!  See the FAQ for details.
	#
	#  For normal "crypt" authentication, the "pap" module should
	#  be used instead of the "unix" module.  The "unix" module should
	#  be used for authentication ONLY for compatibility with legacy
	#  FreeRADIUS configurations.
	#
	unix

	# Uncomment it if you want to use ldap for authentication
	#
	# Note that this means "check plain-text password against
	# the ldap database", which means that EAP won't work,
	# as it does not supply a plain-text password.
#	Auth-Type LDAP {
#		ldap
#	}

	#
	#  Allow EAP authentication.
	eap

	#
	#  The older configurations sent a number of attributes in
	#  Access-Challenge packets, which wasn't strictly correct.
	#  If you want to filter out these attributes, uncomment
	#  the following lines.
	#
	Auth-Type eap {
		eap {
			handled = 1
		}
		if (handled && (Response-Packet-Type == Access-Challenge)) {
			attr_filter.access_challenge.post-auth
			handled  # override the "updated" code from attr_filter
		}
	}
}

#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
	preprocess

	#
	#  Session start times are *implied* in RADIUS.
	#  The NAS never sends a "start time".  Instead, it sends
	#  a start packet, *possibly* with an Acct-Delay-Time.
	#  The server is supposed to conclude that the start time
	#  was "Acct-Delay-Time" seconds in the past.
	#
	#  The code below creates an explicit start time, which can
	#  then be used in other modules.
	#
	#  The start time is: NOW - delay - session_length
	#

#	  update request {
#	  	FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
#	}

	#
	#  Ensure that we have a semi-unique identifier for every
	#  request, and many NAS boxes are broken.
	acct_unique

	#
	#  Look for IPASS-style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
	#
	#  Accounting requests are generally proxied to the same
	#  home server as authentication requests.
#	IPASS
	suffix
#	ntdomain

	#
	#  Read the 'acct_users' file
	#files
}

#
#  Accounting.  Log the accounting data.
#
accounting {

	if (noop) {
		ok
	}

}
session {
	radutmp

}

post-auth {

#	ldap
	exec


#	}

	edir_account_policy_check = yes' in the ldap module configuration
	#
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
#		sql
		attr_filter.access_reject
	}
}

pre-proxy {
}

post-proxy {
	#	post_proxy_log
#	attr_rewrite

#	attr_filter.post-proxy

	#	eap

#	Post-Proxy-Type Fail {
#			detail
#	}
}

}

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 212.13.228.58 port 49883, id=136, length=206
        Acct-Multi-Session-Id = "1291732743095"
        Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258
        Calling-Station-Id = "81609000"
        NAS-Identifier = "intraswitch"
        NAS-IP-Address = 212.13.228.58
        3GPP2-Prepaid-acct-Capability = 0x010600000002
        3GPP2-Session-Termination-Capability = 1
        h323-conf-id = "h323-conf-id=1291732743095"
        Vendor-Specific = 0x00000009
        Event-Timestamp = "Dec  7 2010 15:39:03 CET"
        User-Name = "081609000"
        User-Password = "12345"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "081609000", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[pgsql-voip]    expand: %{User-Name} -> 081609000
[pgsql-voip] sql_set_user escaped user --> '081609000'
rlm_sql (pgsql-voip): Reserving sql socket id: 24
[pgsql-voip]    expand:  -> 
[pgsql-voip] Error generating query; rejecting user
rlm_sql (pgsql-voip): Released sql socket id: 24
++[pgsql-voip] returns fail
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 081609000
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.


> Date: Tue, 7 Dec 2010 21:26:18 +0700
> Subject: Re: Voip database
> From: work at fajar.net
> To: freeradius-users at lists.freeradius.org
> 
> On Tue, Dec 7, 2010 at 9:24 PM, Fajar A. Nugraha <work at fajar.net> wrote:
> > On Tue, Dec 7, 2010 at 9:17 PM, miha- <miha_zoubek at hotmail.com> wrote:
> >>
> >> I have uncommented only this #  Cisco VoIP specific bulk accounting
> >> pgsql-voip under accounting section.
> >> I have not found it under authorize and authenticate.
> >>
> >> Must I put it there?
> >
> > On second thought, you might not need it in authenticate. You'd need
> > it in authorize and authenticate.
> 
> I meant to say "authorize and accounting".
> 
> -- 
> Fajar