My Freeradius server is supposed to deny users access which have exceeded their usage limit, but the server accepts them, while the return message that users have exceeded their limit, is being set anyway.
Debug log:
rad_recv: Access-Request packet from host 1.2.3.4 port 46010, id=13, length=197
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "80:ED:2C:E5:EB:C6"
Called-Station-Id = "hotspot1"
NAS-Port-Id = "bridge"
User-Name = "USERNAME"
NAS-Port = 2151677955
Acct-Session-Id = "80400003"
Framed-IP-Address = 192.168.8.251
Mikrotik-Host-IP = 192.168.8.251
CHAP-Challenge = 0xa484e5a94500de0751545d5a69777d03
CHAP-Password = 0xb99d22e3c7c8cef532b70f9f514eef029c
Service-Type = Login-User
WISPr-Logoff-URL = "http://192.168.8.1/logout"
NAS-Identifier = "ROUTER"
NAS-IP-Address = 10.0.0.114
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] = ok
++[mschap] = noop
++[digest] = noop
[suffix] No '#' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[sql] expand: %{User-Name} -> USERNAME
[sql] sql_set_user escaped user --> 'USERNAME'
rlm_sql (sql): Reserving sql socket id: 31
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'USERNAME' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'USERNAME' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'USERNAME' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'USERNAME' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'USERNAME' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'USERNAME' ORDER BY priority
rlm_sql (sql): Released sql socket id: 31
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[weeklycounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailyBytecounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[weeklyBytecounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = '%{User-Name}' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a'
[monthlyBytecounter] expand: SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = '%{User-Name}' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a -> SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a
WARNING: Please replace '%S' with '${sqlmod-inst}'
sqlcounter_expand: '%{sql:SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a}'
[monthlyBytecounter] sql_xlat
[monthlyBytecounter] expand: %{User-Name} -> USERNAME
[monthlyBytecounter] sql_set_user escaped user --> 'USERNAME'
[monthlyBytecounter] expand: SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a -> SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a
[monthlyBytecounter] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 30
rlm_sql_mysql: query: SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a
[monthlyBytecounter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 30
[monthlyBytecounter] expand: %{sql:SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a} -> 3111228361
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user USERNAME, check_item=1048576000, counter=3111228361
++[monthlyBytecounter] = reject
++? if (reject)
? Evaluating (reject) -> TRUE
++? if (reject) -> TRUE
++if (reject) {
+++update reply {
+++} # update reply = noop
++} # if (reject) = noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetBytecounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
+} # group authorize = ok
Found Auth-Type = CHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group CHAP {
[chap] login attempt by "USERNAME" with CHAP password
[chap] Using clear text password "PASSWORD" for user USERNAME authentication.
[chap] chap user USERNAME authenticated succesfully
++[chap] = ok
+} # group CHAP = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
[sql] expand: %{User-Name} -> USERNAME
[sql] sql_set_user escaped user --> 'USERNAME'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} -> 0xb99d22e3c7c8cef532b70f9f514eef029c
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'USERNAME', '0xb99d22e3c7c8cef532b70f9f514eef029c', 'Access-Accept', '2017-08-31 10:59:03')
[sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'USERNAME', '0xb99d22e3c7c8cef532b70f9f514eef029c', 'Access-Accept', '2017-08-31 10:59:03')
rlm_sql (sql): Reserving sql socket id: 29
rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'USERNAME', '0xb99d22e3c7c8cef532b70f9f514eef029c', 'Access-Accept', '2017-08-31 10:59:03')
rlm_sql (sql): Released sql socket id: 29
++[sql] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 13 to 1.2.3.4 port 46010
Mikrotik-Total-Limit = 1048576000
Reply-Message = "You have exceeded your usage limit this month."
It appears that the usage limit is being checked correctly, but somehow the return is set to accept?
Sending Access-Accept of id 13 to 1.2.3.4 port 46010
Mikrotik-Total-Limit = 1048576000
Reply-Message = "You have exceeded your usage limit this month."
The configuration of the specific part in sites-enabled/default is this:
monthlyBytecounter {
reject = 1
}
if (reject) {
update reply {
Reply-Message := "You have exceeded your usage limit this month."
}
reject
}
I'm running freeradius: FreeRADIUS Version 2.2.8 on Ubuntu 16.04 LTS
Any ideas what may cause the problem ?
Could be something wrong with monthlyBytecounter in counter.conf
Mine is here (daily)
sqlcounter counterChilliSpotMaxTotalOctetsDaily {
counter-name = ChilliSpot-Max-Total-Octets-Daily
check-name = CS-Total-Octets-Daily
counter-type = data
reply-name = ChilliSpot-Max-Total-Octets
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT IFNULL((SUM(AcctInputOctets + AcctOutputOctets)),0) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
But I do define limit in radcheck for CS-Total-Octets-Daily for the specific user.
You are returning only monthlyBytecounter reply message, not the monthlyBytecounter return value. In case of exceeded usage limit, you must return 0(zero) or send disconnection request like below.
echo \"User-Name='$username'\" | radclient -x -c 1 -n 3 -r 3 -t 3 '127.0.0.1:3997' 'disconnect' 'testing123'
Post your monthlyBytecounter code if this does not solve your question
Related
I'm trying to use Session object in Freemarker template:
<#assign
known = Session.SPRING_SECURITY_CONTEXT??
>
<#if known>
<#assign
user = Session.SPRING_SECURITY_CONTEXT.authentication.principal
name = user.getUsername()
isAdmin = user.isAdmin()
currentUserId = user.getId()
>
<#else>
<#assign
name = "unknown"
isAdmin = false
currentUserId = -1
>
</#if>
but receive the error:
freemarker.core.InvalidReferenceException: The following has evaluated to null or missing:
==> Session [in template "parts/security.ftlh" at line 2, column 9]
How could I use the Session object in Freemarker? Is another method exists to hide some HTML elements based on user roles?
Add spring.freemarker.expose-session-attributes=true to the application.properties
And modify your code to:
<#assign
known = SPRING_SECURITY_CONTEXT??
>
<#if known>
<#assign
user = SPRING_SECURITY_CONTEXT.authentication.principal
name = user.getUsername()
isAdmin = user.isAdmin()
currentUserId = user.getId()
>
<#else>
<#assign
name = "unknown"
isAdmin = false
currentUserId = -1
>
</#if>
I have an issue where only the last record in a csv file is written to the database by my stored procedure. I thought this might be related to the type of file (csv or text) because I have a comma delimited text file with only five records that will write all records, but when I used a csv file only the last record is written. I did read a post which said that this could be related to using a scalar variable in the stored proc but I don't think that this is right because when I use the text file it's still the same stored proc. Please advise.
Thanks!
here's the stored proc:
USE [SomeDB]
GO
/****** Object: StoredProcedure [dbo].[SaveUser] Script Date: 8/1/2016 9:25:24 AM ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
Alter PROCEDURE [dbo].[SaveUser]
-- Add the parameters for the stored procedure here
#PartnerID INT,
#SourceID INT,
#OrgSourcedIDs NVARCHAR(50),
#Role NVARCHAR(50),
#UserID NVARCHAR(50),
#GivenName NVARCHAR(50),
#FamilyName NVARCHAR(50),
#Email NVARCHAR(50),
#Grade NVARCHAR(50),
#Identifier NVARCHAR(50)
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
DECLARE #ReturnVal NVARCHAR(10)
DECLARE #IsTransfer Bit = 0
DECLARE #IsUpdate BIT = 0
SELECT #IsTransfer = CASE WHEN OrgSourcedIDs != #OrgSourcedIDs THEN 1 ELSE 0 END,
#IsUpdate = CASE WHEN HASHBYTES('SHA', GivenName +FamilyName +Email +Grade ) != HASHBYTES('SHA', #GivenName + #FamilyName + #Email + #Grade ) THEN 1 ELSE 0 END
FROM dbo.tblUsers a
WHERE a.PartnerID = #PartnerID AND a.SourcedID = #SourceID
IF ##RowCount = 0
BEGIN
-- If not, add it to staging table with ACTION = INSERT (into tblUser)
INSERT INTO dbo.tblUsers
( PartnerID, SourcedID, OrgSourcedIDs, Role, UserID,
GivenName, FamilyName, Email, Grade, Identifier,
Action )
VALUES
( #PartnerID, #SourceID, #OrgSourcedIDs, #Role, #UserID,
#GivenName, #FamilyName, #Email, #Grade, #Identifier,
'Create' )
--SELECT #ReturnVal = 'INSERT'
END
ELSE IF (#IsTransfer = 1)
BEGIN
UPDATE dbo.tblUsers
SET
OrgSourcedIDs = #OrgSourcedIDs,
UserID = #UserID,
GivenName = #GivenName,
FamilyName = #FamilyName,
Email = #Email,
Grade = #Grade,
Identifier = #Identifier,
Action = 'Transfer'
WHERE
PartnerID = #PartnerID
AND SourcedID = #SourceID
END
ELSE IF(#IsUpdate = 1)
BEGIN
UPDATE dbo.tblUsers
SET
UserID = #UserID,
GivenName = #GivenName,
FamilyName = #FamilyName,
Email = #Email,
Grade = #Grade,
Identifier = #Identifier,
Action = 'Update'
WHERE
PartnerID = #PartnerID
AND SourcedID = #SourceID
END
--SELECT #ReturnVal
END
GO
I have a query like that and it works normally. If a student gets more than one course, it list all of them:
SELECT ks.KullaniciKodu as username, ks.Sifre as password, k.adi as firstname, k.soyadi as lastname, k.Email as email,
MAX(CASE WHEN c.DERSKODU = 'ENF100' THEN 'ENF100' ELSE '' END)As course1,
MAX(CASE WHEN c.DERSKODU = 'ATA101' THEN 'ATA101' ELSE '' END) As course2,
MAX(CASE WHEN c.DERSKODU = 'TDB101' THEN 'TDB101' ELSE '' END) As course3,
MAX(CASE WHEN c.DERSKODU = 'İNG101' THEN 'İNG101' ELSE '' END) As course4
FROM Kayit k
JOIN DersNotu dn ON dn.KayitNo = k.KayitNo
JOIN Ders c ON c.DersKayitNo = dn.DersKayitNo AND c.DERSKODU IN ('ENF100','ATA101','TDB101', 'İNG101') AND c.DONEM = '201512'
JOIN KullaniciSifre ks ON ks.KullaniciKodu = k.KullaniciKodu
GROUP BY ks.KullaniciKodu, ks.Sifre, k.adi, k.soyadi, k.Email
But when i convert it to Linq (to Entity), it only gets one course or all courses are null. Where is the difference and problem in this code?
from k in db.Kayit
join dn in db.DersNotu on k.KayitNo equals dn.KayitNo
join c in db.Ders on dn.DersKayitNo equals c.DersKayitNo
join ks in db.KullaniciSifre on k.KullaniciKodu equals ks.KullaniciKodu
where
(new string[] { "ENF100", "ATA101", "TDB101", "İNG101" }).Contains(c.DersKodu) &&
c.Donem == 201512
group new { ks, k, c } by new
{
ks.KullaniciKodu,
ks.Sifre,
k.Adi,
k.Soyadi,
k.Email
} into g
select new
{
KullaniciKodu = g.Key.KullaniciKodu,
Sifre = g.Key.Sifre,
Adi = g.Key.Adi,
Soyadi = g.Key.Soyadi,
Email = g.Max(p => (
p.k.Email == string.Empty ? "NULL" : p.k.Email)),
Course1 = g.Max(p => (
p.c.DersKodu == "ENF100" ? "ENF100,1" : "NULL,1")),
Course2 = g.Max(p => (
p.c.DersKodu == "ATA101" ? "ATA101,1" : "NULL,1")),
Course3 = g.Max(p => (
p.c.DersKodu == "TDB101" ? "TDB101,1" : "NULL,1")),
Course4 = g.Max(p => (
p.c.DersKodu == "İNG101" ? "İNG101,1" : "NULL,1"))
}
Using MAX in SQL is just a trick to work-around the problem. You should not convert that explicitly to LINQToEntity. The problem here is you use Max against strings. In your case the NULL,1 seems be always selected as max except for the TDB101,1.
The actual logic here is such as for ENF100, if any one found, project for "ENF100", otherwise project for "NULL,1". The same logic for others. So it should be like this:
Course1 = g.Any(p => p.c.DersKodu == "ENF100") ? "ENF100,1" : "NULL,1",
Course2 = g.Any(p => p.c.DersKodu == "ATA101") ? "ATA101,1" : "NULL,1",
Course3 = g.Any(p => p.c.DersKodu == "TDB101") ? "TDB101,1" : "NULL,1",
Course4 = g.Any(p => p.c.DersKodu == "İNG101") ? "İNG101,1" : "NULL,1"
Also the Email is projected wrong, it is already included in the group key, so you can just project it via the group key:
Email = g.Key.Email
I want to configure a freeradius server in the way that an authentication is successful only if NAS-IP-Address attribute is not empty and equals to some specific IP (of course a user name and a password match).
How should I do it? I have tried to read the documentation without success:
http://freeradius.org/rfc/attributes.html
http://freeradius.org/rfc/rfc2865.html#NAS-IP-Address
Sure, there are many ways of doing this.
authorize {
if (!NAS-IP-Address) {
reject
}
if (NAS-IP-Address != 192.168.0.2) {
reject
}
if ("%{sql:SELECT count(*) FROM table WHERE User-Name = '%{User-Name}' AND IP-Address = '%{NAS-IP-Address}'" == 0) {
reject
}
}
In v3.0.x subnet matching is also supported, where < > are reassigned to mean the set operators (< subset of) (> superset of).
if (!(<ipv4prefix>NAS-IP-Address < 192.168.0.0/16)) {
reject
}
NAS-IP-Address = 192.168.0.2
(0) ? if (<ipv4prefix>NAS-IP-Address < 192.168.0.0/16)
(0) ? if (<ipv4prefix>NAS-IP-Address < 192.168.0.0/16) -> TRUE
NAS-IP-Address = 192.169.0.2
(0) ? if (<ipv4prefix>NAS-IP-Address < 192.168.0.0/16)
(0) ? if (<ipv4prefix>NAS-IP-Address < 192.168.0.0/16) -> FALSE
I am very new to stored procedures and need some help.
I am trying to create a 'dynamic' stored procedure. When a parameter is NOT NULL then a certain part of the SQL should be added. This is what I have until now.
SELECT
TCId,
ENVId,
UId,
MTId,
TestSetName,
TestCaseName,
InterchangeSeqNo,
InstructionSeqNo,
TransactionSeqNo,
TestCaseDescription
FROM XML_TEST_SET_OVERVIEW
WHERE (ENVId = #MyENVId)
SELECT CASE #MyUId
WHEN IS NOT NULL THEN (AND UId = #MyUId)
END
SELECT CASE #MyMTId
WHEN IS NOT NULL THEN (AND MTId = #MyMTId)
END
SELECT CASE #MyTestSetName
WHEN IS NOT NULL THEN (AND TestSetName = #MyTestSetName)
END
SELECT CASE #MyTestCaseName
WHEN IS NOT NULL THEN (AND TestCaseName = #MyTestCaseName)
END
SELECT CASE #MyInterchangeSeqNo
WHEN IS NOT NULL THEN (AND InterchangeSeqNo = #MyInterchangeSeqNo)
END
SELECT CASE #MyInstructionSeqNo
WHEN IS NOT NULL THEN (AND InstructionSeqNo = #MyInstructionSeqNo)
END
SELECT CASE #MyTransactionSeqNo
WHEN IS NOT NULL THEN (AND TransactionSeqNo = #MyTransactionSeqNo)
END
ORDER BY ENVId, UId, MTId, TestSetName, TestCaseName, InterchangeSeqNo, InstructionSeqNo, TransactionSeqNo
Any help is appreciated
I have to guess at data types here, and I'll let you fill in the extra fluff.
DECLARE #sql NVARCHAR(MAX) = N'SELECT ...
FROM dbo.XML_TEST_SET_OVERVIEW -- always use schema prefix
WHERE ENVId = #MyENVId'
+ CASE WHEN #MyUId IS NOT NULL THEN
N' AND UId = #MyUId' ELSE '' END
+ CASE WHEN #MyMTId IS NOT NULL THEN
N' AND MTId = #MyMTId' ELSE '' END
+ CASE WHEN #MyTestSetName IS NOT NULL THEN
N' AND TestSetName = #MyTestSetName' ELSE '' END
...
+ CASE WHEN #MyTransactionSeqNo IS NOT NULL THEN
N' AND TransactionSeqNo = #MyTransactionSeqNo' ELSE '' END
+ N' ORDER BY ENVId, UId, ...;';
EXEC sp_executesql #sql,
N'#MyENVId INT, #MyUId INT, #MyMTId INT,
#MyTestSetName NVARCHAR(32), ... , #MyTransactionSeqNo INT',
#MyENVId, #MyUId, #MyMTId, #MyTestSetName, ... , #MyTransactioNSeqNo;