freeradius sql groups not working
James w
spyda46 at hotmail.com
Mon Sep 29 09:37:53 CEST 2014
Here is the sql module being loaded. It shows the group queries, so I'm not sure why it doesn't process them:
# Loaded module rlm_sql
# Instantiating module "sql" from file /etc/raddb/mods-enabled/sql
  sql {
    driver = "rlm_sql_mysql"
    server = "localhost"
    port = "3306"
    login = "radius"
    password = "123456"
    radius_db = "radius"
    read_groups = yes
    read_clients = yes
    delete_stale_sessions = yes
    sql_user_name = "%{User-Name}"
    default_user_profile = ""
    client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
    authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
    authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
    authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"
    authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id"
    group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
    simul_count_query = ""
    simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
    safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
  accounting {
    reference = "%{tolower:type.%{Acct-Status-Type}.query}"
  }
  post-auth {
    reference = ".query"
  }
  mysql {
    tls {
    }
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
  pool {
    start = 5
    min = 4
    max = 10
    spare = 3
    uses = 0
    lifetime = 0
    cleanup_delay = 5
    idle_timeout = 60
    spread = no
  }
rlm_sql (sql): Opening additional connection (0)
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql (sql): Opening additional connection (1)
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql (sql): Opening additional connection (2)
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql (sql): Opening additional connection (3)
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql (sql): Opening additional connection (4)
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'SELECT id, nasname, shortname, type, secret, server FROM nas'
rlm_sql (sql): Released connection (4)
 } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
 # Creating Auth-Type = digest
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading virtual module filter_username
WARNING: Ignoring "ldap" (see raddb/mods-available/README.rst)
 # Loading preacct {...}
 # Loading virtual module acct_unique
 # Loading accounting {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
 # Loading virtual module remove_reply_message_if_eap
 # Loading virtual module remove_reply_message_if_eap
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
WARNING: Ignoring "ldap" (see raddb/mods-available/README.rst)
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = *
  port = 0
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
}
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
> From: freeradius-users-request at lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 113, Issue 129
> To: freeradius-users at lists.freeradius.org
> Date: Mon, 29 Sep 2014 09:29:30 +0200
>
> Today's Topics:
>
> 1. RE: Beginner need help (unrecognized clients) (Frank Wei)
> 2. Re: freeradius sql groups not working (James w)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 29 Sep 2014 05:09:58 +0000
> From: Frank Wei <Frank.Wei at 4rf.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: RE: Beginner need help (unrecognized clients)
> Message-ID:
> <36A567FFA4FB734C89ABF498A70F83AE9615B3BA at 4rf-nz-orion.local.4rf.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Dear friends,
>
> I have added clients
>
> client private-network-1 {
> ipaddr = 192.168.0.244
> netmask = 24
> secret = testing123-1
> shortname = private-network-1
> }
>
> To the clients.conf.
>
> And run command "radius -X". From the debug message I can see the added client loaded.
>
> Then from my NAS (with IP 192.168.0.244) I sent an "authentication only" request to the server. The server showed me a message:
>
> Ignored,.....Unrecognized client "192.168.0.244" port "1222".
>
> What is wrong with my config?
>
> Regards,
> Frank
>
>
> -----Original Message-----
> From: freeradius-users-bounces+frank.wei=4rf.com at lists.freeradius.org [mailto:freeradius-users-bounces+frank.wei=4rf.com at lists.freeradius.org] On Behalf Of A.L.M.Buxey at lboro.ac.uk
> Sent: Thursday, 25 September 2014 6:49 p.m.
> To: FreeRadius users mailing list
> Subject: Re: Beginner need help
>
> Hi,
>
> > My understanding is that source IP address of the Access-Request packets must be the NAS IP address which is "NAS-IP-Address". Apparently this is different to the Attribute description.
> >
> > Could anybody explain?
>
> sure.
>
> the NAS-IP-Address is set by the NAS - so it SHOULD be its IP address in a nice world. okay
> that's clear....however, the packet might be reaching your RADIUS server via some other
> route - let's say, e.g. a NAT gateway, a RADIUS server (it has been proxied) or from some
> central controller (thinking of some of the WiFi solutions out there) - in which case
> the NAS-IP-Address is NOT the source IP address of the packet.
>
>
> the NAS-IP-Address is also part of the RADIUS datagram - so you've already started to
> analyse the packet contents really before you can - e.g. how did you ensure the packet
> contents were correct, verify the message authenticator or ensure the content values
> by using the shared secret? you didn't.
>
> the RADIUS datagram comes in. you see the source address of the packet. look up the client,
> get its shared secret, work on the packet.
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 29 Sep 2014 07:29:26 +0000
> From: James w <spyda46 at hotmail.com>
> To: "freeradius-users at lists.freeradius.org"
> <freeradius-users at lists.freeradius.org>
> Subject: Re: freeradius sql groups not working
> Message-ID: <DUB123-W2A21F9FBF92014A289545B2BA0 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Does anybody have any suggestions? Could this be a bug? Shall I try another version? It's running on RHEL 7, FreeRADIUS version 3.0.1.
>
> > From: freeradius-users-request at lists.freeradius.org
> > Subject: Freeradius-Users Digest, Vol 113, Issue 128
> > To: freeradius-users at lists.freeradius.org
> > Date: Mon, 29 Sep 2014 04:06:31 +0200
> >
> > Today's Topics:
> >
> > 1. Re: How to send disconnect message to the NAS? (Alan DeKok)
> > 2. Re: EAP and rlm_perl. Is it possible to build custom logic
> > for VPN peers? (Oleksandr Yermolenko)
> > 3. Re: EAP and rlm_perl. Is it possible to build custom logic
> > for VPN peers? (Oleksandr Yermolenko)
> > 4. version 2.2.5 repo (Rando Nakarmi)
> > 5. Re: version 2.2.5 repo (Alan DeKok)
> > 6. Re: EAP and rlm_perl. Is it possible to build custom logic
> > for VPN peers? (Alan DeKok)
> > 7. Re: Problem in Module Statistics in freeradius (Himanshu Pandey)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Sun, 28 Sep 2014 11:08:16 -0400
> > From: Alan DeKok <aland at deployingradius.com>
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Subject: Re: How to send disconnect message to the NAS?
> > Message-ID: <54282460.1090603 at deployingradius.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > Xin wrote:
> > > Thanks a lot for your reply, I have understood I can use update control
> > > section to control send or not. And one more question, what is the virtual
> > > server in home_server_pool section. Just find the server
> > > originate-coa.example.com section?
> >
> > The behavior is documented in that file.
> >
> > > If this is right, can you tell me the
> > > usage of pre-proxy section? I have already understand the purpose of the
> > > post-proxy is to handle the COA/DM response.
> >
> > Read the file. This is documented.
> >
> > Alan DeKok.
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Sun, 28 Sep 2014 18:52:59 +0300
> > From: Oleksandr Yermolenko <aae at sumix.com>
> > To: Alan DeKok <aland at deployingradius.com>
> > Subject: Re: EAP and rlm_perl. Is it possible to build custom logic
> > for VPN peers?
> > Message-ID: <54282EDB.20904 at sumix.com>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> >
> >
> > >> Is it possible to use any of EAP methods (I mean EAP-PEAP, EAP-TTLS or
> > >> EAP-TLS ...) with rlm_perl.
> > > What does that mean?
> > can I use authenticate, authorize, accounting hooks (or post_auth)?
> > I looked at example.pl.
> >
> > Just put "perl" in somewhere eap.conf file?
> >
> > >
> > > You can run the perl module when the server receives a packet. It
> > > doesn't matter whether the packet contains PAP, CHAP, MS-CHAP, or any
> > > EAP type.
> > >
> > > What do you want to *do* in rlm_perl? Knowing that probably more
> > > useful, and will get you a better answer.
> > authenticate a lot of VPN clients (currently I can choose EAP method),
> > keeping them in mysql or ldap. According to their properties, give
> > personal access to
> > different local resources. Accounting: updating start/stop/alive
> > messages. POD if it's possible
> > for strongswan.
> > >
> > > Alan DeKok.
> >
> >
> >
> > ------------------------------
> >
> >
> > Message: 4
> > Date: Sun, 28 Sep 2014 19:14:18 +0000
> > From: Rando Nakarmi <randonakarmi at gmail.com>
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Subject: version 2.2.5 repo
> > Message-ID:
> > <CAG+85v_XJ_v8cJGu-tMqi+eWNSsnME=7mZcv5yqAhB6d9K+_KA at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > HI,
> >
> > I see both in RHEL and EPEL the freeradius version 2.1.12-4 is available,
> > but not 2.2.5, which is the newest version in the 2.x.x series.
> >
> > I am used to using yum; where can I get version 2.2.5 in a yum repo for
> > RHEL-based Linux?
> >
> > R
> >
> > ------------------------------
> >
> > Message: 5
> > Date: Sun, 28 Sep 2014 17:39:58 -0400
> > From: Alan DeKok <aland at deployingradius.com>
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Subject: Re: version 2.2.5 repo
> > Message-ID: <5428802E.8060003 at deployingradius.com>
> > Content-Type: text/plain; charset=UTF-8
> >
> > Rando Nakarmi wrote:
> > > I see both in RHEL and epel , the freeradius version 2.1.12-4 is
> > > available but not the 2.2.5 which is the newest version on 2.x.x series.
> > >
> > > I am used to do yum, where can I get version 2.2.5 in yum repo for RHEL
> > > base linux.
> >
> > Ask Redhat for a new version. We don't control the release of
> > packages on RHEL.
> >
> > Alan DeKok.
> >
> >
> > ------------------------------
> >
> > Message: 6
> > Date: Sun, 28 Sep 2014 17:42:28 -0400
> > From: Alan DeKok <aland at deployingradius.com>
> > To: aae at sumix.com, FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Subject: Re: EAP and rlm_perl. Is it possible to build custom logic
> > for VPN peers?
> > Message-ID: <542880C4.5020603 at deployingradius.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > Oleksandr Yermolenko wrote:
> > > can I use authenticate, authorize, accounting hooks (or post_auth)?
> > > I looked at example.pl.
> >
> > Then you would know that the perl module can be used in those
> > sections. The "example.pl" has comments saying this.
> >
> > > Just put "perl" in somewhere eap.conf file?
> >
> > No. You don't just put random text into random files. It helps to
> > understand how the server works.
> >
> > There is a "authorize" section. You can list modules there. This is
> > documented. See raddb/sites-available/default.
> >
> > > authenticate a lot of VPN clients (currently I can choose EAP method),
> > > keeping them in mysql or ldap.
> >
> > The server already has SQL and LDAP modules. You really don't want to
> > re-implement all of them in Perl.
> >
> > > According their properties give a
> > > personal access to
> > > different local resources. Accounting: updating start/stop/alive
> > > messages. POD if it's possible
> > > for strongswan.
> >
> > See raddb/sites-available/originate-coa for how to send disconnect
> > messages.
> >
> > Alan DeKok.
> >
> >
> > ------------------------------
> >
> > Message: 7
> > Date: 29 Sep 2014 02:06:21 -0000
> > From: "Himanshu Pandey" <pandey_himanshu80 at rediffmail.com>
> > To: "freeradius-users at lists.freeradius.org"
> > <freeradius-users at lists.freeradius.org>
> > Subject: Re: Problem in Module Statistics in freeradius
> > Message-ID:
> > <1411912518.S.6312.16903.F.H.TkFsYW4gRGVLb2sAUmU6IFByb2JsZW0gaW4gTW9kdWxlIFN0YXRpc3RpY3MgaW4gZnJlZXJhZGl1cw__.RU.rfs310,
> > rfs310, 76,
> > 303.f4-235-76.old.replied.1411956381.30440 at webmail.rediffmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > DONE.
> >
> > From: Alan DeKok <aland at deployingradius.com>
> > Sent: Sun, 28 Sep 2014 19:25:18
> > To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > Subject: Re: Problem in Module Statistics in freeradius
> > Himanshu Pandey wrote:
> > > I added the following code in modcall.c under the function
> > > modcall_recurse():
> >
> > This list is for *using* FreeRADIUS. It's not for learning how to
> > program.
> >
> > You're making beginner's errors in the code. Don't do that.
> >
> > Alan DeKok.
> >
> >
> >
> > ------------------------------
> >
> >
> > End of Freeradius-Users Digest, Vol 113, Issue 128
> > **************************************************
>
>
> ------------------------------
>
>
> End of Freeradius-Users Digest, Vol 113, Issue 129
> **************************************************
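To check the data behind the group queries without the server in the loop, here is an added example (not from the thread and not FreeRADIUS code) that runs the page's group_membership_query, authorize_group_check_query and authorize_group_reply_query in the order the sql module uses them, against a constructed SQLite copy of the three tables. The =XX escaping in sql_user_name is my assumption about rlm_sql's escape function, and the table rows are made up.

```python
import sqlite3

# safe_characters exactly as printed in the sql module debug output above.
SAFE_CHARACTERS = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

def sql_user_name(user_name):
    """Model of how %{SQL-User-Name} is derived from User-Name: each character outside
    safe_characters is replaced by =XX (two hex digits). Assumption: this mirrors rlm_sql's
    escape function; the code here is written for this example, not taken from the module."""
    return "".join(c if c in SAFE_CHARACTERS else "=%02X" % ord(c) for c in user_name)

# The page's three group queries, with the xlat placeholders turned into bind parameters.
MEMBERSHIP = "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority"
GROUP_CHECK = ("SELECT id, groupname, attribute, value, op FROM radgroupcheck "
               "WHERE groupname = ? ORDER BY id")
GROUP_REPLY = ("SELECT id, groupname, attribute, value, op FROM radgroupreply "
               "WHERE groupname = ? ORDER BY id")

def resolve_groups(conn, user_name):
    """Walk the tables in the order the sql module does when read_groups = yes: membership
    first, then the check and reply items of each group, by priority.
    Returns [(group, [(attr, op, value), ...], [(attr, op, value), ...]), ...]."""
    name = sql_user_name(user_name)
    result = []
    for (group,) in conn.execute(MEMBERSHIP, (name,)):
        check = [(a, op, v) for _, _, a, v, op in conn.execute(GROUP_CHECK, (group,))]
        reply = [(a, op, v) for _, _, a, v, op in conn.execute(GROUP_REPLY, (group,))]
        result.append((group, check, reply))
    return result

def sample_db():
    """Constructed in-memory copy of the three group tables (SQLite stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radusergroup(username TEXT, groupname TEXT, priority INTEGER);
        CREATE TABLE radgroupcheck(id INTEGER PRIMARY KEY, groupname TEXT,
                                   attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radgroupreply(id INTEGER PRIMARY KEY, groupname TEXT,
                                   attribute TEXT, op TEXT, value TEXT);
        INSERT INTO radusergroup VALUES ('alice', 'vpn', 2), ('alice', 'staff', 1), ('bob', 'staff', 1);
        INSERT INTO radgroupcheck(groupname, attribute, op, value)
            VALUES ('staff', 'Simultaneous-Use', ':=', '2');
        INSERT INTO radgroupreply(groupname, attribute, op, value)
            VALUES ('staff', 'Session-Timeout', ':=', '3600'), ('vpn', 'Framed-Protocol', ':=', 'PPP');
    """)
    return conn

if __name__ == "__main__":
    db = sample_db()
    print(resolve_groups(db, "alice"))            # staff (priority 1) before vpn (priority 2)
    print(resolve_groups(db, "bob@example.com"))  # [] because the row was stored as plain 'bob'
```

Running the same three statements with the exact User-Name the NAS sends is a quick way to tell a data mismatch (realm suffix, different spelling) from a server-side problem.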
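Alan's order of operations from the digest (source address, then client, then shared secret, then the packet) as an added Python example that is neither part of the thread nor FreeRADIUS code: the CLIENTS table is constructed from Frank's clients.conf stanza with ipaddr and netmask folded into one prefix, and sample_packet builds a made-up Access-Request signed with that client's secret.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed client table. The entry is Frank's clients.conf stanza from the thread,
# with ipaddr and netmask folded into one prefix (strict=False masks off the host bits).
CLIENTS = {
    "private-network-1": {"ipaddr": "192.168.0.244/24", "secret": b"testing123-1"},
}
ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80

def find_client(src_ip, clients=CLIENTS):
    """Select the client by the datagram's source address (most specific prefix wins);
    NAS-IP-Address inside the packet is deliberately not consulted, as Alan explains."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for name, c in clients.items():
        net = ipaddress.ip_network(c["ipaddr"], strict=False)
        if src in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None

def build_access_request(secret, identifier, authenticator, attrs):
    """Encode an Access-Request and fill in Message-Authenticator (RFC 2869 section 5.14):
    HMAC-MD5 over the whole packet with that attribute's value set to 16 zero bytes."""
    body = b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attrs)
    body += struct.pack("BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator was appended last

def verify_message_authenticator(secret, packet):
    """True if the packet carries a Message-Authenticator that validates under secret."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False  # malformed attribute; stop rather than loop forever
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False

def accept_packet(src_ip, packet, clients=CLIENTS):
    """Alan's order of operations: source IP -> client -> shared secret -> check the packet."""
    name = find_client(src_ip, clients)
    if name is None:
        return "Unrecognized client %s" % src_ip
    if not verify_message_authenticator(clients[name]["secret"], packet):
        return "Bad Message-Authenticator from client %s" % name
    return "ok:%s" % name

def sample_packet():
    """Constructed request as Frank's NAS might send it, signed with its own secret."""
    attrs = [(1, b"frank"), (4, bytes([192, 168, 0, 244]))]  # User-Name, NAS-IP-Address
    return build_access_request(b"testing123-1", 7, bytes(range(16)), attrs)
```

A request from an address outside every client prefix is rejected before any attribute is looked at, which is exactly the "Unrecognized client" path Frank hit.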