Microsoft left out that part of the protocol... users on a Mac will see it, however you're pretty much out of luck with windows.
Adam Bill Anderson said: > Thanks a bunch. That did it. A second question. Now that it works, > it is supposed to send a reply message back to the user, however, the > end user gets a 691 error, username and password invalid. Any way to > change this behavior. I tried it on both XP and NT. Thanks. > >> -----Original Message----- >> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] Behalf Of Kostas >> Kalevras >> Sent: Wednesday, March 05, 2003 2:23 PM >> To: [EMAIL PROTECTED] >> Subject: Re: Help Please - Monthly Time Limit >> >> >> On Wed, 5 Mar 2003, Bill Anderson wrote: >> >> > I am so close to getting the monthly time limit working and I >> just need a >> > little help. I have looked through the archives and have found >> things that >> > have brought me this far, however, I believe I am close. Does >> anyone have >> > any idea what I am doing wrong? Basically what I would like to >> do is have a >> > user to be rejected if they reach their monthly time limit. I >> am not using >> > SQL. I have attached the following information: >> > >> > /etc/raddb/users >> > radiusd debug session (radiusd -X) >> > /etc/raddb/radiusd.conf >> > >> > users file: >> > >> > mytestuser Max-Monthly-Session := 30, Auth-Type := Local, >> User-Password == >> > "somepass" >> > Service-Type = Framed-User, >> > Framed-Protocol = PPP, >> > Framed-IP-Address = 255.255.255.254, >> > Framed-IP-Netmask = 255.255.255.255, >> > Framed-Routing = None, >> > Framed-MTU = 1500, >> > Framed-Compression = Van-Jacobson-TCP-IP, >> > Idle-Timeout = 900, >> > Session-Timeout = 21600, >> > Port-Limit = 1, >> >> > DEFAULT Max-Monthly-Session > 30, Auth-Type = Reject >> > Reply-Message = "Max monthly hours achieved" >> >> You don't need this check if you set Max-Monthly-Session >> >> > >> > Debug Session: >> > >> > [EMAIL PROTECTED] raddb]# radiusd -X >> > Starting - reading configuration files ... >> > Config: including file: /etc/raddb/proxy.conf >> > Config: including file: /etc/raddb/clients.conf >> > rad_recv: Access-Request packet from host 209.95.37.8:1647, id=149, >> length=182 >> > User-Name = "mytestuser" >> > User-Password = "backd00r" >> > NAS-IP-Address = 209.247.5.114 >> > NAS-Port = 136 >> > Service-Type = Framed-User >> > Framed-Protocol = PPP >> > Ascend-Data-Rate = 21600 >> > Ascend-Calling-Id-Type-Of-Num = Unknown >> > Ascend-Calling-Id-Number-Plan = Unknown >> > Ascend-Xmit-Rate = 49333 >> > Called-Station-Id = "5032134042" >> > Calling-Station-Id = "5038850150" >> > Acct-Session-Id = "386694565" >> > NAS-Port-Type = Async >> > Ascend-NAS-Port-Format = 2_4_5_5 >> > Proxy-State = 0x3533 >> > modcall: entering group authorize >> > modcall[authorize]: module "preprocess" returns ok >> > rlm_chap: Could not find proper Chap-Password attribute in request >> > modcall[authorize]: module "chap" returns noop >> > modcall[authorize]: module "mschap" returns notfound >> > rlm_counter: Entering module authorize code >> > rlm_counter: Could not find Check item value pair >> > modcall[authorize]: module "counter" returns noop >> > rlm_realm: No '@' in User-Name = "mytestuser", looking up realm >> NULL rlm_realm: No such realm NULL >> > modcall[authorize]: module "suffix" returns noop >> > users: Matched mytestuser at 1 >> > modcall[authorize]: module "files" returns ok >> >> You have files after counter in your authorize section. Try >> puting the counter >> module after the files module >> >> >> >> > # encryption moderate >> > # require_encryption = yes >> > >> > # require_strong always requires 128 bit key >> > # encryption >> > # require_strong = yes >> > } >> > >> > # Lightweight Directory Access Protocol (LDAP) >> > # >> > # This module definition allows you to use LDAP for >> > # authorization and authentication (Auth-Type := LDAP) >> > # >> > # See doc/rlm_ldap for description of configuration options >> > # and sample authorize{} and authenticate{} blocks >> > ldap { >> > server = "ldap.your.domain" >> > # identity = "cn=admin,o=My Org,c=UA" >> > # password = mypass >> > basedn = "o=My Org,c=UA" >> > filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" >> > >> > # set this to 'yes' to use TLS encrypted connections >> > # to the LDAP database by using the StartTLS extended >> > # operation. >> > start_tls = no >> > # set this to 'yes' to use TLS encrypted connections to the >> > # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to >> > # the ldap library. >> > tls_mode = no >> > >> > # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" >> > # profile_attribute = "radiusProfileDn" >> > access_attr = "dialupAccess" >> > >> > # Mapping of RADIUS dictionary attributes to LDAP >> > # directory attributes. >> > dictionary_mapping = ${raddbdir}/ldap.attrmap >> > >> > # ldap_cache_timeout = 120 >> > # ldap_cache_size = 0 >> > ldap_connections_number = 5 >> > # password_header = "{clear}" >> > # password_attribute = userPassword >> > # groupname_attribute = cn >> > # groupmembership_filter = >> > >> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectCl >> ass=GroupO >> > fUniqueNames)(uniquemember=%{Ldap-UserDn})))" >> > # groupmembership_attribute = radiusGroupName >> > timeout = 4 >> > timelimit = 3 >> > net_timeout = 1 >> > # compare_check_items = yes >> > # access_attr_used_for_allow = yes >> > } >> > >> > # passwd module allows to do authorization via any passwd-like # >> file and to extract any attributes from these modules >> > # >> > # parameters are: >> > # filename - path to filename >> > # format - format for filename record. This parameters >> > # correlates record in the passwd file and RADIUS >> > # attributes. >> > # >> > # Field marked as '*' is key field. That is, the >> parameter >> > # with this name from the request is used to search for >> # the record from passwd file >> > # >> > # Field marked as ',' may contain a comma separated >> list # of attributes. >> > # authtype - if record found this Auth-Type is used to >> authenticate >> > # user >> > # hashsize - hashtable size. If 0 or not specified records are >> not # stored in memory and file is red on every >> request. # allowmultiplekeys - if few records for every key are >> allowed # ignorenislike - ignore NIS-related records >> > # delimiter - symbol to use as a field separator in passwd file, >> # for format ':' symbol is always used. '\0', '\n' are >> > # not allowed >> > # >> > #passwd etc_smbpasswd { >> > # filename = /etc/smbpasswd >> > # format = >> "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" >> > # authtype = MS-CHAP >> > # hashsize = 100 >> > # ignorenislike = no >> > # allowmultiplekeys = no >> > #} >> > >> > # Similar configuration, for the /etc/group file. Adds a >> Group-Name # attribute for every group that the user is member >> of. >> > # >> > #passwd etc_group { >> > # filename = /etc/group >> > # format = "Group-Name:::*,User-Name" >> > # hashsize = 50 >> > # ignorenislike = yes >> > # allowmultiplekeys = yes >> > # delimiter = ":" >> > #} >> > >> > # Realm module, for proxying. >> > # >> > # You can have multiple instances of the realm module to >> > # support multiple realm syntaxs at the same time. The >> > # search order is defined the order in the authorize and >> > # preacct blocks after the module config block. >> > # >> > # Two config options: >> > # format - must be 'prefix' or 'suffix' >> > # delimiter - must be a single character >> > >> > # '[EMAIL PROTECTED]' >> > # >> > realm suffix { >> > format = suffix >> > delimiter = "@" >> > } >> > >> > # 'realm/username' >> > # >> > # Using this entry, IPASS users have their realm set to "IPASS". >> realm realmslash { >> > format = prefix >> > delimiter = "/" >> > } >> > >> > # 'username%realm' >> > # >> > realm realmpercent { >> > format = suffix >> > delimiter = "%" >> > } >> > >> > # rewrite arbitrary packets. Useful in accounting and >> authorization. >> > # >> > ## This module is highly experimental at the moment. Please give >> ## feedback to the mailing list. >> > # >> > # The module can also use the Rewrite-Rule attribute. If it >> > # is set and matches the name of the module instance, then >> > # that module instance will be the only one which runs. >> > # >> > # Also if new_attribute is set to yes then a new attribute >> > # will be created containing the value replacewith and it >> > # will be added to searchin (packet, reply or config). >> > # searchfor,ignore_case and max_matches will be ignored in >> that case. >> > >> > # >> > #attr_rewrite sanecallerid { >> > # attribute = Called-Station-Id >> > # may be "packet", "reply", or "config" >> > # searchin = packet >> > # searchfor = "[+ ]" >> > # replacewith = "" >> > # ignore_case = no >> > # new_attribute = no >> > # max_matches = 10 >> > # ## If set to yes then the replace string will be >> appended to the original >> > string >> > # append = no >> > #} >> > >> > # Preprocess the incoming RADIUS request, before handing it off # >> to other modules. >> > # >> > # This module processes the 'huntgroups' and 'hints' files. >> > # In addition, it re-writes some weird attributes created >> > # by some NASes, and converts the attributes into a form which # >> is a little more standard. >> > # >> > preprocess { >> > huntgroups = ${confdir}/huntgroups >> > hints = ${confdir}/hints >> > >> > # This hack changes Ascend's wierd port numberings >> > # to standard 0-??? port numbers so that the "+" works >> > # for IP address assignments. >> > with_ascend_hack = no >> > ascend_channels_per_line = 23 >> > >> > # Windows NT machines often authenticate themselves as >> > # NT_DOMAIN\username >> > # >> > # If this is set to 'yes', then the NT_DOMAIN portion >> > # of the user-name is silently discarded. >> > with_ntdomain_hack = no >> > >> > # Specialix Jetstream 8500 24 port access server. >> > # >> > # If the user name is 10 characters or longer, a "/" >> > # and the excess characters after the 10th are >> > # appended to the user name. >> > # >> > # If you're not running that NAS, you don't need >> > # this hack. >> > with_specialix_jetstream_hack = no >> > >> > # Cisco sends it's VSA attributes with the attribute >> > # name *again* in the string, like: >> > # >> > # H323-Attribute = "h323-attribute=value". >> > # >> > # If this configuration item is set to 'yes', then >> > # the redundant data in the the attribute text is stripped >> > # out. The result is: >> > # >> > # H323-Attribute = "value" >> > # >> > # If you're not running a Cisco NAS, you don't need >> > # this hack. >> > with_cisco_vsa_hack = no >> > } >> > >> > # Livingston-style 'users' file >> > # >> > files { >> > usersfile = ${confdir}/users >> > acctusersfile = ${confdir}/acct_users >> > >> > # If you want to use the old Cistron 'users' file >> > # with FreeRADIUS, you should change the next line >> > # to 'compat = cistron'. You can the copy your 'users' >> > # file from Cistron. >> > compat = no >> > } >> > >> > # Write a detailed log of all accounting records received. >> > # >> > detail { >> > # Note that we do NOT use NAS-IP-Address here, as >> > # that attribute MAY BE from the originating NAS, and >> > # NOT from the proxy which actually sent us the >> > # request. The Client-IP-Address attribute is ALWAYS >> > # the address of the client which sent us the >> > # request. >> > # >> > # The following line creates a new detail file for >> > # every radius client (by IP address or hostname). >> > # In addition, a new detail file is created every >> > # day, so that the detail file doesn't have to go >> > # through a 'log rotation' >> > # >> > # If your detail files are large, you may also want >> > # to add a ':%H' (see doc/variables.txt) to the end >> > # of it, to create a new detail file every hour, e.g.: >> > # >> > # ..../detail-%Y%m%d:%H >> > # >> > # This will create a new detail file for every hour. >> > # >> > detailfile = >> ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d >> > >> > # >> > # The Unix-style permissions on the 'detail' file. >> > # >> > # The detail file often contains secret or private >> > # information about users. So by keeping the file >> > # permissions restrictive, we can prevent unwanted >> > # people from seeing that information. >> > detailperm = 0600 >> > } >> > >> > # Create a unique accounting session Id. Many NASes re-use or # >> repeat values for Acct-Session-Id, causing no end of >> > # confusion. >> > # >> > # This module will add a (probably) unique session id >> > # to an accounting packet based on the attributes listed >> > # below found in the packet. See doc/rlm_acct_unique for >> > # more information. >> > # >> > acct_unique { >> > key = "User-Name, Acct-Session-Id, NAS-IP-Address, >> Client-IP-Address, >> > NAS-Port-Id" >> > } >> > >> > >> > # Include another file that has the SQL-related configuration. # >> This is another file solely because it tends to be big. >> > # >> > # The following configuration file is for use with MySQL. >> > # >> > # For Postgresql, use: ${confdir}/postgresql.conf >> > # For MS-SQL, use: ${confdir}/mssql.conf >> > # >> > $INCLUDE ${confdir}/sql.conf >> > >> > # Write a 'utmp' style log file, of which users are currently # >> logged in, and where they've logged in from. >> > # >> > radutmp { >> > filename = ${logdir}/radutmp >> > >> > # Set the file permissions, as the contents of this file >> > # are usually private. >> > perm = 0600 >> > >> > callerid = "yes" >> > } >> > >> > # "Safe" radutmp - does not contain caller ID, so it can be >> > # world-readable, and radwho can work for normal users, without # >> exposing any information that isn't already exposed by who(1). # >> > # This is another instance of the radutmp module, but it is given >> # then name "sradutmp" to identify it later in the "accounting" # >> section. >> > radutmp sradutmp { >> > filename = ${logdir}/sradutmp >> > perm = 0644 >> > callerid = "no" >> > } >> > >> > # attr_filter - filters the attributes received in replies from # >> proxied servers, to make sure we send back to our RADIUS client # >> only allowed attributes. >> > attr_filter { >> > attrsfile = ${confdir}/attrs >> > } >> > >> > # This module takes an attribute (count-attribute). >> > # It also takes a key, and creates a counter for each unique # >> key. The count is incremented when accounting packets are # >> received by the server. The value of the increment depends # on >> the attribute type. >> > # If the attribute is Acct-Session-Time or an integer we add the >> # value of the attribute. If it is anything else we increase the >> # counter by one. >> > # >> > # The 'reset' parameter defines when the counters are all reset >> to # zero. It can be hourly, daily, weekly, monthly or never. >> > # It can also be user defined. It should be of the form: >> > # num[hdwm] where: >> > # h: hours, d: days, w: weeks, m: months >> > # If the letter is ommited days will be assumed. In example: # >> reset = 10h (reset every 10 hours) >> > # reset = 12 (reset every 12 days) >> > # >> > # >> > # The check-name attribute defines an attribute which will be # >> registered by the counter module and can be used to set the # >> maximum allowed value for the counter after which the user # is >> rejected. >> > # Something like: >> > # >> > # DEFAULT Max-Daily-Session := 36000 >> > # Fall-Through = 1 >> > # >> > # You should add the counter module in the instantiate >> > # section so that it registers check-name before the files >> > # module reads the users file. >> > # >> > # If check-name is set and the user is to be rejected then we # >> send back a Reply-Message and we log a Failure-Message in >> > # the radius.log >> > # >> > # The counter-name can also be used like below: >> > # >> > # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject >> > # Reply-Message = "You've used up more than one hour today" # >> > # The allowed-servicetype attribute can be used to only take # >> into account specific sessions. For example if a user first # >> logs in through a login menu and then selects ppp there will # be >> two sessions. One for Login-User and one for Framed-User # >> service type. We only need to take into account the second one. # >> > # The module should be added in the instantiate, authorize and # >> accounting sections. Make sure that in the authorize >> > # section it comes after any module which sets the >> > # 'check-name' attribute. >> > # >> > # counter { >> > # filename = ${raddbdir}/db.counter >> > # key = User-Name >> > # count-attribute = Acct-Session-Time >> > # reset = daily >> > # counter-name = Daily-Session-Time >> > # check-name = Max-Daily-Session >> > # allowed-servicetype = Framed-User >> > # cache-size = 5000 >> > # } >> > >> > counter { >> > filename = ${raddbdir}/db.counter >> > key = User-Name >> > count-attribute = Acct-Session-Time >> > reset = monthly >> > counter-name = Monthly-Session-Time >> > check-name = Max-Monthly-Session >> > allowed-servicetype = Framed-User >> > cache-size = 5000 >> > } >> > >> > # The "always" module is here for debugging purposes. Each >> > # instance simply returns the same result, always, without >> > # doing anything. >> > always fail { >> > rcode = fail >> > } >> > always reject { >> > rcode = reject >> > } >> > always ok { >> > rcode = ok >> > simulcount = 0 >> > mpp = no >> > } >> > >> > # >> > # The 'expression' module current has no configuration. >> > expr { >> > } >> > >> > # ANSI X9.9 token support. Not included by default. >> > # $INCLUDE ${confdir}/x99.conf >> > >> > } >> > >> > # Instantiation >> > # >> > # This section orders the loading of the modules. Modules >> > # listed here will get loaded BEFORE the later sections like >> > # authorize, authenticate, etc. get examined. >> > # >> > # This section is not strictly needed. When a section like >> > # authorize refers to a module, it's automatically loaded and # >> initialized. However, some modules may not be listed in any # of >> the following sections, so they can be listed here. >> > # >> > # Also, listing modules here ensures that you have control over # >> the order in which they are initalized. If one module needs # >> something defined by another module, you can list them in order # >> here, and ensure that the configuration will be OK. >> > # >> > instantiate { >> > # >> > # The expression module doesn't do authorization, >> > # authentication, or accounting. It only does dynamic >> > # translation, of the form: >> > # >> > # Session-Timeout = `%{expr:2 + 3}` >> > # >> > # So the module needs to be instantiated, but CANNOT be >> > # listed in any other section. See 'doc/rlm_expr' for >> > # more information. >> > # >> > expr >> > } >> > >> > # Authorization. First preprocess (hints and huntgroups files), # >> then realms, and finally look in the "users" file. >> > # >> > # The order of the realm modules will determine the order that # >> we try to find a matching realm. >> > # >> > # Make *sure* that 'preprocess' comes before any realm if you # >> need to setup hints for the remote radius server >> > authorize { >> > # >> > # The preprocess module takes care of sanitizing some bizarre # >> attributes in the request, and turning them into attributes # >> which are more standard. >> > # >> > # It takes care of processing the 'raddb/hints' and the >> > # 'raddb/huntgroups' files. >> > # >> > # It also adds a Client-IP-Address attribute to the request. >> preprocess >> > >> > # >> > # The chap module will set 'Auth-Type := CHAP' if we are >> > # handling a CHAP request and Auth-Type has not already been set >> chap >> > >> > # >> > # If the users are logging in with an MS-CHAP-Challenge >> > # attribute for authentication, the mschap module will find >> > # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' >> # to the request, which will cause the server to then use >> > # the mschap module for authentication. >> > mschap >> > >> > counter >> > # attr_filter >> > # eap >> > suffix >> > files >> > # etc_smbpasswd >> > >> > >> > # The ldap module will set Auth-Type to LDAP if it has not >> already been set >> > # ldap >> > } >> > >> > >> > # Authentication. >> > # >> > # This section lists which modules are available for >> authentication. # Note that it does NOT mean 'try each module in >> order'. It means # that you have to have a module from the >> 'authorize' section add # a configuration attribute 'Auth-Type := >> FOO'. That >> authentication type >> > # is then used to pick the apropriate module from the list below. >> # >> > # The default Auth-Type is Local. That is, whatever is not >> included inside >> > # an authtype section will be called only if Auth-Type is set to >> Local. # >> > # So you should do the following: >> > # - Set Auth-Type to an appropriate value in the authorize >> modules above. >> > # For example, the chap module will set Auth-Type to CHAP, >> ldap to LDAP, >> > etc. >> > # - After that create corresponding authtype sections in the >> > # authenticate section below and call the appropriate modules. >> authenticate { >> > # >> > # PAP authentication, when a back-end database listed >> > # in the 'authorize' section supplies a password. The >> > # password can be clear-text, or encrypted. >> > authtype PAP { >> > pap >> > } >> > >> > # >> > # Most people want CHAP authentication >> > # A back-end database listed in the 'authorize' section >> > # MUST supply a CLEAR TEXT password. Encrypted passwords >> > # won't work. >> > authtype CHAP { >> > chap >> > } >> > >> > # >> > # MSCHAP authentication. >> > authtype MS-CHAP { >> > mschap >> > } >> > >> > # pam >> > >> > # >> > # See 'man getpwent' for information on how the 'unix' >> > # module checks the users password. Note that packets >> > # containing CHAP-Password attributes CANNOT be authenticated # >> against /etc/passwd! See the FAQ for details. >> > # >> > unix >> > >> > # Uncomment it if you want to use ldap for authentication >> > # authtype LDAP { >> > # ldap >> > # } >> > >> > >> > # eap >> > } >> > >> > >> > # Pre-accounting. Look for proxy realm in order of realms, then # >> acct_users file, then preprocess (hints file). >> > preacct { >> > preprocess >> > suffix >> > files >> > } >> > >> > >> > # Accounting. Log to detail file, and to the radwtmp file, and >> maintain # radutmp. >> > accounting { >> > acct_unique >> > detail >> > counter >> > unix # wtmp file >> > radutmp >> > # sradutmp >> > } >> > >> > >> > # Session database, used for checking Simultaneous-Use. Either >> the radutmp >> > # or rlm_sql module can handle this. >> > # The rlm_sql module is *much* faster >> > session { >> > radutmp >> > # sql >> > } >> > >> > >> > # Post-Authentication >> > # Once we KNOW that the user has been authenticated, there are # >> additional steps we can take. >> > post-auth { >> > # Get an address from the IP Pool. >> > #main_pool >> > } >> > >> > >> > - >> > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html >> > > -- > Kostas Kalevras Network Operations Center > [EMAIL PROTECTED] National Technical University of Athens, Greece Work > Phone: +30 210 7721861 > 'Go back to the shadow' Gandalf > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
