The detail file

2003-12-11 Thread Troy Davis
I have searched the FAQ and what I can of the mail archive and cannot find
a HOW-TO for making freeradius log to a single detail file instead of
making a lot of nas subdirectories.
Can someone please point me in the right direction?

Regards Troy


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Wireless

2003-09-09 Thread Troy Sanders
I am looking for a document that shows how to configure the
Free Radius Server and wireless access points; I am using Orinoco’s or
Proxim’s AP-2000.

Any help would be wonderful.  I saw the diagram at NetWorld Interop.

Thank you

Troy


Passwords over 12 chars

2003-08-30 Thread Troy Hammonds
Hi,

Is there some reason why any password that I type into freeside over 12
chars is put into the sqlradius database as Crypt-Password?

I have a customer who dials in using the password countrybumpkin. Now that
I have switched over to freeside this password is exported as a
Crypt-Password. If I make it 12 or less it is put in as password.

Is this supposed to be like this? Can it be stopped?

Troy



Reject By Called-Station-Id

2003-07-31 Thread Troy Hammonds
I am looking into FreeRadius and it seems to be a good package. Very
different in setting up from what I use now, which is Radiator. I am
wondering if there is a way to reject a user because he dialed into a
phone # he wasn't supposed to. Pretty much using the Called-Station-Id.
I have local, level3, Alaron, and Quest access for my company right
now.  I have it now so that if anyone local tries to dial in on anything
other than my local access they get denied.  I don't want them using
Alaron, Quest or level3 when I have lines in the building for them.
There are a few exceptions to these rules.  One town in our county can
only call the Alaron local number so I have to give them access to it.
Other than them no one is allowed to use it. It is where now that it has
to be approved by me in order for someone to get changed to any one of the
numbers that I don't want people to use.  I figured I could somehow by
default deny all access to them and set up a group that is allowed to and
change their group if they are approved to use it.

Thanks,
Troy Hammonds


Re: Disconnecting a user

2002-12-30 Thread Troy Davis
As mentioned in my email, the nas is not mine, so I cannot log into it.
Else it would be an easy fix.
I will do a search for radkill.
Thanks

- Original Message -
From: "Evren Yurtesen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 30, 2002 10:01 PM
Subject: Re: Disconnecting a user


> Well you can write a small script which logs in to your NAS and sends the
> command to disconnect your user. Or there was this program called radkill
> you should check from google perhaps.
>
> Also maybe there are better ways to do this, maybe somebody in the list
> can suggest a better way.
>
> Evren
>
> On Wed, 30 Oct 2002, Troy Davis wrote:
>
> > Ok here's a funny request, which I already say is not possible.
> > But, if I know the nas ip address and port number my user is on, can I send
> > a command to the nas to disconnect the user?
> > I don't have direct access to the nas, as I am a virtual ISP.
> > If so what would this command be, I would like to set up a bot to dump users
> > when my lines start to fill up..
> >
> > Thanks Troy



Disconnecting a user

2002-12-30 Thread Troy Davis
Ok here's a funny request, which I already say is not possible.
But, if I know the nas ip address and port number my user is on, can I send
a command to the nas to disconnect the user?
I don't have direct access to the nas, as I am a virtual ISP.
If so what would this command be, I would like to set up a bot to dump users
when my lines start to fill up..

Thanks Troy





Re: user usage

2002-12-18 Thread Troy Davis
I believe IC-Radius can do this and it's free

  - Original Message -
  From: Craig Witter
  To: [EMAIL PROTECTED]
  Sent: Thursday, December 19, 2002 11:54 AM
  Subject: user usage

  I was wondering if anyone has found a way that users can go to a website,
  enter their username, and see a history of their logins. I’ve seen
  commercial software that does this before.
  Anyone seen an open source version? Possibly a cgi script?
  Thanks,
  Craig


Re: Just plain problems

2002-12-06 Thread troy white
I am really starting to think this is useless crap.

Troy J. White
C.E.O.
D.A. JAZ Internet Technologies
727-321-8899
Powered by Verizon


--- [EMAIL PROTECTED] wrote:
>Alan,
>
>I tried it without altering the config or users files in ANY way.  The 
>results are similar.  I'm really stumped and as I said, I'm willing to pay 
>for help.
>
>Gary
>
>At 11:03 AM 12/6/2002 -0500, you wrote:
>>[EMAIL PROTECTED] wrote:
>> > Second, how to configure FreeRadius to use the users file first and
>> > THEN go to the FreeBSD system calls for authentication out of the
>> > system password file.
>>
>>   It comes configured this way.
>>
>>   If it doesn't do this on your system, then you edited the default
>>configuration, and broke it.
>>
>>   Alan DeKok.



Proxy configurations

2002-12-05 Thread troy white
I am new to cistron. How do I set up my server to authenticate dial-in users using
the command line? I use a PuTTY interface.

Troy J. White
C.E.O.
D.A. JAZ Internet Technologies
727-321-8899
Powered by Verizon




(no subject)

2002-12-05 Thread David C. Troy
unsubscribe





Enabling rlm_sqlcounter

2002-10-28 Thread David C. Troy

All --

I have freeradius 0.71 working with the sql module for authentication and 
accounting, but I'm having trouble getting the sqlcounter module going.

I have read all the docs I can find.  I have 'sqlcounter dailycounter' 
and 'sqlcounter monthlycounter' sections defined in my radiusd.conf 
'modules' section, and they contain directives that are sensible.

The problem I am having is at execution;  radiusd dies because the 
'Max-Daily-Session' attribute referenced in the files module 'users' file 
is not defined.  I do define it, however, in the modules:sqlcounter 
section.  But I have no evidence that the sqlcounter module is being 
called at runtime;  radiusd -X makes no mention of it.

The rlm_sqlcounter module is being compiled but I am not sure it's being 
referenced at execution.  (I did stuff like ./configure 
--with-rlm_sqlcounter, without really knowing if it was a good idea, but 
it seemed enthusiastic enough about compiling it.)

Anyway, I'm real tired and this may all come to me in the morning, but any 
advice would be appreciated.

Regards,
Dave

=====
David C. Troy   [[EMAIL PROTECTED]]   410-384-2500 Sales
ToadNet - Want to go fast?410-544-1329 FAX
570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net





Redundant entry for accounting...

2002-09-12 Thread David C. Troy


All --

I did this in radiusd.conf:

accounting {
    redundant {
        sql_acct
        detail
    }
}

It appeared to get me accounting both in the SQL database as well as in 
detail files, which is not what I wanted.  I want the detail accounting 
only when the SQL database is down.  Is this a bug, or am I misguided?

Regards,
Dave

=
David C. Troy   [[EMAIL PROTECTED]]   410-384-2500 Sales
ToadNet - Want to go fast?410-544-1329 FAX
570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net





Re: Ascend-Data-Filters problem with 0.7

2002-08-28 Thread David C. Troy


> "David C. Troy" <[EMAIL PROTECTED]> wrote:
> > Following up on this, testing with NTRadPing with 0.5 I am getting my
> > filters returned as 4 separate lines of binary data.
> 
>   I've never understood everyone's fascination with NTRadPing.  Try
> using 'radclient', which comes with the server.  It will print out the
> Ascend attributes in humanly readable form.

I agree it's a bit odd.  I was using it, though, because my personal 
workstation is an XP box and I wanted to get on a box away from the server 
itself... seemed the easiest way.

> 
> > With 0.7 I am getting a single line of binary data that appears to be the 
> > same number of bytes as each of the lines in the 4 separate lines of 
> > binary data from 0.5.
> 
>   So you have 4 Ascend attributes configured, but 0.7 is only sending
> one.  'radclient' will tell you WHICH one is being sent.

Yeah, actually it's 4 lines of Ascend-Data-Filter entries, and I figured 
out the problem.  I had them defined using '=' but apparently needed to 
use '+=' so that the attribute didn't stomp itself on each line.  This 
appears to be new behavior to 0.7.

Regards,
Dave

=
David C. Troy   [[EMAIL PROTECTED]]   410-544-6193 Sales
ToadNet - Want to go fast?410-544-1329 FAX
570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net





Re: Ascend-Data-Filters problem with 0.7

2002-08-28 Thread David C. Troy


Following up on this, testing with NTRadPing with 0.5 I am getting my
filters returned as 4 separate lines of binary data.

With 0.7 I am getting a single line of binary data that appears to be the 
same number of bytes as each of the lines in the 4 separate lines of 
binary data from 0.5.

The users file is identical on both machines and I've tried various 
experiments.  Anybody have Ascend-Data-Filters working on 0.7, and if so 
can you share any config info?

Dave

=
David C. Troy   [[EMAIL PROTECTED]]   410-544-6193 Sales
ToadNet - Want to go fast?410-544-1329 FAX
570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net





Ascend-Data Filters problem with 0.7

2002-08-28 Thread David C. Troy


All -

I have been using the "X-Ascend-Data-Filter" attribute with Freeradius 0.5
for several months without incident.

I just upgraded to 0.7 and now it seems all data is blocked on all ports.  
If I remove the filter attributes entirely everything is OK.

I read on the Vircom Radius page that there are 2-byte and 4-byte padding 
options for these attributes and that a mismatch can cause failure.

Does anybody know anything about this?

Regards,
Dave

=
David C. Troy   [[EMAIL PROTECTED]]   410-544-6193 Sales
ToadNet - Want to go fast?410-544-1329 FAX
570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net





Convert detail->MySQL radacct script

2002-08-22 Thread David C. Troy


All --

I am looking for a quick and dirty script that will do a straight 
conversion of a detail file to the current MySQL radacct schema.

I can write one, but would prefer not to reinvent the wheel if I can... 
any pointers (or scripts e-mailed here) would be appreciated.

Regards,
Dave

=
David C. Troy   [[EMAIL PROTECTED]]   410-544-6193 Sales
ToadNet - Want to go fast?410-544-1329 FAX
570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net





RE: hints file somehow not processed against users in sql database?

2002-08-21 Thread Ryan Troy

Mark,

We have it working, here is our hints file

DEFAULT Suffix = "@domain.com", Strip-User-Name = Yes
        Realm = "@domain.com"

DEFAULT Prefix = "ppp#", Strip-User-Name = Yes

For the suffix we also have this in the proxy.conf

realm domain.com {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
    secret   = testing123
    nostrip
}

Also in sql.conf Line 112 look for User-Name we had to change this to
SQL-User-Name.

Our radius.conf looks like this:

authorize {
    preprocess
    suffix
    files
}

authenticate {
    unix
}

preacct {
    preprocess
    suffix
    files
}

accounting {
    detail
    unix
    radutmp
}

session {
    sql
}

I hope this helps.

- Ryan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mark
Hennessy
Sent: Wednesday, August 21, 2002 9:10 AM
To: [EMAIL PROTECTED]
Subject: Re: hints file somehow not processed against users in sql
database?

I fixed this.

I did the following:
 in sql.conf:
I uncommented:

sql_user_name = "%{Stripped-User-Name:-%{User-Name:-none}}"

and commented out:

sql_user_name = "%{User-Name}"

causing Stripped-User-Name to be checked as well against the sql
database.

In radiusd.conf:
I added
suffix
in the preprocess section right before the hints file is specified so that
a hinted username can be properly stripped if it is also realmed.

username.ppp@domain wouldn't work before.

--
 Mark P. Hennessy
[EMAIL PROTECTED]

On Wed, 21 Aug 2002, Mark Hennessy wrote:

> Date: Wed, 21 Aug 2002 10:20:39 -0400 (EDT)
> From: Mark Hennessy <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: hints file somehow not processed against users in sql
database?
>
> For some reason, the hints file doesn't seem to get honored when a
user
> with an entry the sql database is trying to authenticate on my system.
>
> Here's my hints file:
>
> DEFAULT Suffix = ".ppp", Strip-User-Name = Yes
> Hint = "PPP",
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Fall-Through = Yes
>
> DEFAULT Suffix = ".roaming", Strip-User-Name = Yes
> Hint = "PPP",
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Fall-Through = Yes
>
> It doesn't seem to be authenticating properly if the realm is
specified
> either, even though the realm is specified in the realms file.
>
> huntgroups is being honored, so it would appear that preprocess is
> being used.
>
> This is debug output from an attempt with the realm name, the debug
output
> from an attempt with .ppp suffix is the next one below this.
>
> rad_recv: Access-Request packet from host 192.168.1.20:2465, id=96,
length=82
> User-Name = "[EMAIL PROTECTED]"
> User-Password = ""
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-IP-Address = 192.168.1.20
> NAS-Port = 0
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_realm: Looking up realm cloud9.net for User-Name =
> "[EMAIL PROTECTED]"
> rlm_realm: Found realm cloud9.net
> rlm_realm: Adding Stripped-User-Name = "foo"
>   rlm_realm: Proxying request from user foo to realm cloud9.net
> rlm_realm: Adding Realm = "cloud9.net"
> rlm_realm:  Authentication realm is LOCAL.
> rlm_realm:  auth_port is not set.  proxy cancelled
>   modcall[authorize]: module "suffix" returns noop
> radius_xlat:  '[EMAIL PROTECTED]'
> sql_set_user:  escaped user --> '[EMAIL PROTECTED]'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE
> Username = '[EMAIL PROTECTED]' ORDER BY id'
> rlm_sql: Reserving sql socket id: 4
> rlm_sql: User [EMAIL PROTECTED] not found
> radius_xlat:  'SELECT
>
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
pcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username =
> '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName
> ORDER BY radgroupcheck.id'
> radius_xlat:  'SELECT
>
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrou
preply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE usergroup.Username =
> '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName
> ORDER BY radgroupreply.id'
> sql_set_user:  escaped user --> 'DEFAULT'
> radius_xlat:  'SELECT
>
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
pcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND
> usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
> radius_xlat:  'SELECT
>
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrou
preply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND
> usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
> rlm_sql

MySQL PAP/CHAP Configuration

2002-08-19 Thread David C. Troy


Hey All,

I've given this some serious thought and done a bunch of reading, and I'm 
stuck.  Here's what I want to do:

1. Provider A uses PAP
2. Provider B uses CHAP
3. I have an existing MySQL table (not radcheck) that has
   a single unique row for each username; the people that use
   PAP have crypted passwords, and the people who use CHAP
   have cleartext passwords stored in each row

I want to setup a single FreeRadius server to process requests from either 
Provider A or Provider B using my existing password table.  I would prefer 
not to build a new radcheck table as this would duplicate existing data.

I have been able to get PAP to work using this query, which reads the 
crypted password from my table:

authorize_check_query = "SELECT 
uid,username,'User-Password',passwd,':=' FROM passwd WHERE username = 
'%{SQL-User-Name}' AND allow_logon=1 and pwstatus='x'"

How do I configure this so that it does basically this:

  - Get auth request
  - Is it PAP?  If so, run query string A
  - Compare crypted password
  - Is it CHAP? If so, run query string B
  - Compare cleartext password

If I had access to the Auth-Type value within sql.conf, I might could do 
something like this:

authorize_check_query = "SELECT uid, username,
'User-Password',IF('%{Auth-Type}'='PAP', passwd, clearpw),':=' FROM passwd
WHERE username = '%{SQL-User-Name}' AND allow_logon=1 and pwstatus='x'"

This would return the appropriate PAP/CHAP password from the DB, however 
this doesn't seem to be anywhere close to working.

Am I on crack?  Advice appreciated.

Thanks,
Dave

=
David C. Troy   [[EMAIL PROTECTED]]   410-544-6193 Sales
ToadNet - Want to go fast?410-544-1329 FAX
570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net





Questions about huntgroups

2002-07-09 Thread David C. Troy


I am having a hard time getting the server to recognize huntgroups I
defined, which prompts these questions:

1) does running in -xx mode display the results of any huntgroup matching?
I am not seeing any matches on the huntgroups I have defined in the debug
output.

2) Alan, are you *sure* that I can use Client-IP-Address in the huntgroups
file, and that it's not added to the request packet until after the
preprocess step is completed?  It seems to ignore this entirely.

3) It would be helpful for me to be able to use this in 'huntgroups':

providerA   Client-IP-Address =~ ^64\.105\.

Does huntgroups support the use of regular expressions?


Any help appreciated as always.

Regards,
Dave

=
David C. Troy   [[EMAIL PROTECTED]]   410-544-6193 Sales
ToadNet - Want to go fast?410-544-1329 FAX
570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net





Re: Multiple authentication profiles...

2002-07-06 Thread David C. Troy


> > Actually I should clarify.  If I understand you correctly, I would need to
> > put in an entry for each client NAS box, rather than just each client
> > PROXY box.
>
>   No, no, no, no.
>
> > I don't know all the NAS IP's and they could change.
>
>   Exactly.
>
> >  Can I do this based on the Proxy IP only?
>
>   Yes.  The Client-IP-Address is the address of the RADIUS client,
> whether it's a proxy or a NAS.  It's added to the request internally,
> by rlm_preprocess.
>
>   The NAS-IP-Address is an attribute inside of the RADIUS packet.
> Treat it with suspicion, as the NAS can lie.

OK, that all makes sense.


> >  Use Regexp's to classify them by their 'short-name' when defining
> > which default profile to use?
>
>   Huntgroups should work, as Frank pointed out.  Define 'Huntgroup-A',
> etc. in the huntgroup file, and then key on that in the 'users' file.

OK, this seems like the right overall direction, but one question -- in
the 'huntgroups' documentation, it looks like a Huntgroup is defined
exclusively by the use of the NAS-IP-Address and NAS-Port-ID attributes.
Based on what you said above, it sounds like I don't want to use
NAS-IP-Address, but rather Client-IP-Address.

Can I define a huntgroup based on Client-IP-Address (or based on any other
A/V pairs)?  If so, cool.  If not, do I then want to use NAS-IP-Address,
and if that's the case, will that end up being the proxy IP or the NAS IP?

Regards,
Dave

=
David C. Troy   [[EMAIL PROTECTED]]   410-544-6193 Sales
ToadNet - Want to go fast?410-544-1329 FAX
570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net


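
Added example (not part of the original thread and not FreeRADIUS code): the distinction quoted above between Client-IP-Address, the source address of the datagram, and NAS-IP-Address, a field inside the packet, shown with a minimal RFC 2865 attribute parser. The provider table, the addresses (RFC 5737 documentation ranges) and all function names are assumptions made up for the illustration.

```python
import ipaddress
import struct

USER_NAME = 1        # RFC 2865 attribute type numbers
NAS_IP_ADDRESS = 4


def build_access_request(ident, user, nas_ip):
    """Constructed sample: Access-Request carrying User-Name and NAS-IP-Address."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = Access-Request
    return header + bytes(16) + attrs  # request authenticator zeroed in this sample


def parse_attributes(packet):
    """Return {attribute type: [raw values]}; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def classify(packet, source_ip, providers):
    """Pick the provider from the datagram source only.

    The NAS-IP-Address attribute is reported for logging but never used for
    the decision, because whoever builds the packet chooses its value.
    """
    attrs = parse_attributes(packet)
    src = ipaddress.ip_address(source_ip)
    provider = next((name for name, net in providers.items() if src in net), None)
    claimed = None
    values = attrs.get(NAS_IP_ADDRESS, [])
    if values and len(values[0]) == 4:
        claimed = str(ipaddress.IPv4Address(values[0]))
    return {
        "provider": provider,
        "client_ip": str(src),
        "claimed_nas_ip": claimed,
        # Behind a proxy the two legitimately differ; it is not an alarm by itself.
        "differs": claimed is not None and claimed != str(src),
    }


# Hypothetical proxy ranges for two providers.
PROVIDERS = {
    "providerA": ipaddress.ip_network("192.0.2.0/24"),
    "providerB": ipaddress.ip_network("203.0.113.0/24"),
}

if __name__ == "__main__":
    pkt = build_access_request(96, b"foo", "198.51.100.7")
    for src in ("192.0.2.10", "203.0.113.5", "198.51.100.7"):
        print(src, classify(pkt, src, PROVIDERS))
```

The same packet is assigned to a different provider, or to none, depending only on where the datagram came from; the NAS-IP-Address it carries never changes the result.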



Re: Multiple authentication profiles...

2002-07-05 Thread David C. Troy


> Alan -- Thanks for the help.  One further bit of clarification --
>
> the Providers A, B, C each have about 10-20 proxy boxes.  I would prefer
> to define them as classes of proxies rather than have to set up individual
> profiles in the 'users' file.
>
> Is there any reasonable way to do this, or am I really stuck putting a
> users entry for each proxy box?

Actually I should clarify.  If I understand you correctly, I would need to
put in an entry for each client NAS box, rather than just each client
PROXY box.  I don't know all the NAS IP's and they could change.  Can I do
this based on the Proxy IP only?  Use Regexp's to classify them by their
'short-name' when defining which default profile to use?

Again, thanks.

Dave


>
> Regards,
> Dave
>
> =====
> David C. Troy   [[EMAIL PROTECTED]]   410-544-6193 Sales
> ToadNet - Want to go fast?410-544-1329 FAX
> 570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net
>
> On Fri, 5 Jul 2002, Alan DeKok wrote:
>
> > "David C. Troy" <[EMAIL PROTECTED]> wrote:
> > > I have the following situation --
> > >
> > >  1) Provider A uses PAP and doesn't want Ascend-Data-Filters
> > >  2) Provider B uses PAP and DOES want Ascend-Data-Filters
> > >  3) Provider C uses CHAP and doesn't want Ascend-Data-Filters
> > >  4) They all want to use ports 1645/1646
> > >
> > > Everything is authenticated from a central MySQL database where I store
> > > both crypted and plaintext passwords, where needed.
> > >
> > > Is it possible to support all four of the above conditions in a single
> > > instance of freeradius?
> >
> >   I don't see why not.
> >
> > > I would prefer to have the three machines have an identical configuration
> > > and use them for backup to each other, but I am not sure how I could go
> > > about differentiating between the three different providers; maybe place
> > > some directives in the clients.conf file?
> >
> >   No, that won't help.
> >
> >
> >   Some comments:
> >
> >   - all using 1645/1646 is fine.  FreeRADIUS will do that.
> >
> >   - using PAP/CHAP is unimportant.  FreeRADIUS will authenticate
> > whatever comes in the RADIUS request.
> >
> >   - if you want to FORCE the use of PAP or CHAP, that's a bit harder,
> > but I don't see why it would be useful, or necessary.
> >
> >
> >   So you're left with the problem of getting Ascend-Data-Filters to
> > two providers, but not the third.  The answer is to find out what
> > distinguishes the provider A/C packets from provider B.  Once you
> > know that, the answer is easy.
> >
> >   If A/C come from client-A/client-C, and B comes from client-B, then
> > you can do in the 'users' file:
> >
> > DEFAULT Client-IP-Address == client-A
> > Ascend-Data-Filters...
> > Fall-Through = Yes
> >
> > DEFAULT Client-IP-Address == client-C
> > Ascend-Data-Filters...
> > Fall-Through = Yes
> >
> >
> >   Alan DeKok.
> >
> >
>
>





Re: Multiple authentication profiles...

2002-07-05 Thread David C. Troy


Alan -- Thanks for the help.  One further bit of clarification --

the Providers A, B, C each have about 10-20 proxy boxes.  I would prefer
to define them as classes of proxies rather than have to set up individual
profiles in the 'users' file.

Is there any reasonable way to do this, or am I really stuck putting a
users entry for each proxy box?

Regards,
Dave

=
David C. Troy   [[EMAIL PROTECTED]]   410-544-6193 Sales
ToadNet - Want to go fast?410-544-1329 FAX
570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net

On Fri, 5 Jul 2002, Alan DeKok wrote:

> "David C. Troy" <[EMAIL PROTECTED]> wrote:
> > I have the following situation --
> >
> >  1) Provider A uses PAP and doesn't want Ascend-Data-Filters
> >  2) Provider B uses PAP and DOES want Ascend-Data-Filters
> >  3) Provider C uses CHAP and doesn't want Ascend-Data-Filters
> >  4) They all want to use ports 1645/1646
> >
> > Everything is authenticated from a central MySQL database where I store
> > both crypted and plaintext passwords, where needed.
> >
> > Is it possible to support all four of the above conditions in a single
> > instance of freeradius?
>
>   I don't see why not.
>
> > I would prefer to have the three machines have an identical configuration
> > and use them for backup to each other, but I am not sure how I could go
> > about differentiating between the three different providers; maybe place
> > some directives in the clients.conf file?
>
>   No, that won't help.
>
>
>   Some comments:
>
>   - all using 1645/1646 is fine.  FreeRADIUS will do that.
>
>   - using PAP/CHAP is unimportant.  FreeRADIUS will authenticate
> whatever comes in the RADIUS request.
>
>   - if you want to FORCE the use of PAP or CHAP, that's a bit harder,
> but I don't see why it would be useful, or necessary.
>
>
>   So you're left with the problem of getting Ascend-Data-Filters to
> two providers, but not the third.  The answer is to find out what
> distinguishes the provider A/C packets from provider B.  Once you
> know that, the answer is easy.
>
>   If A/C come from client-A/client-C, and B comes from client-B, then
> you can do in the 'users' file:
>
> DEFAULT   Client-IP-Address == client-A
>   Ascend-Data-Filters...
>   Fall-Through = Yes
>
> DEFAULT   Client-IP-Address == client-C
>   Ascend-Data-Filters...
>   Fall-Through = Yes
>
>
>   Alan DeKok.
>
>





Multiple authentication profiles...

2002-07-05 Thread David C. Troy


All:

I have the following situation --

 1) Provider A uses PAP and doesn't want Ascend-Data-Filters
 2) Provider B uses PAP and DOES want Ascend-Data-Filters
 3) Provider C uses CHAP and doesn't want Ascend-Data-Filters
 4) They all want to use ports 1645/1646

Everything is authenticated from a central MySQL database where I store
both crypted and plaintext passwords, where needed.

Is it possible to support all four of the above conditions in a single
instance of freeradius?  Right now I am doing it by running a copy of
cistron and two copies of freeradius on three machines.

I would prefer to have the three machines have an identical configuration
and use them for backup to each other, but I am not sure how I could go
about differentiating between the three different providers; maybe place
some directives in the clients.conf file?

Any assistance/pointers to the appropriate FM to R would be appreciated.

Dave

=
David C. Troy   [[EMAIL PROTECTED]]   410-544-6193 Sales
ToadNet - Want to go fast?410-544-1329 FAX
570 Ritchie Highway, Severna Park, MD 21146-2925  www.toad.net





Re: [Oz-ISP] Portmaster 2E

2002-05-12 Thread Troy Davis

This was mentioned, so I was hoping uncommenting both in /etc/services would do it:
"some reasons you don't want radius to listen on two ports"
which I would be happy to do.

thanks Troy

- Original Message -
From: "Artur Hecker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, May 11, 2002 11:46 PM
Subject: Re: [Oz-ISP] Portmaster 2E


> hello Troy!
>
> see comments inline, please
>
>
> Troy Davis wrote:
> >
> > Are you saying if I uncommented both udp addresses in /etc/services then
> > radius is able to listen on both ports, I would have thought I would have
>
> huh? what makes you think that? i've never ever mentioned this
> particular file. what i was saying is, that you could copy the data from
> one udp-socket (i.e. ip+port) to another, namely with the help of the
> mentioned simple program.
>
> you said that your device (portmaster 2E) supposes the radius-server to
> be on port x which can't be reconfigured. if i understand well, your
> radius server runs at port y (with x != y). i proposed to you - as one
> possible solution - to copy the packets sent by the portmaster to the
> port x to the port y and vice versa. the ip can certainly be configured
> in this portmaster device, and the program which will copy the packets
> can be started wherever you want.
>
> basically it would work e.g. like this:
>
>               src:srcport            proxy:srcport
>               proxy:x (fix!)         radius:y
> portmaster ---------------> proxy ---------------> radius-server
>
> where proxy is the address of the machine which proxy runs at. it _can_
> be the radius-server itself. the proxy will of course do the vice versa
> in the opposite direction.
>
> the advantage of this setup is that you don't need to touch your running
> radius server nor to install another one. if you want to re-send the
> accounting packets you would start two instances of qudproxy, the second
> one working on x+1, y+1 ports.
>
> there is NO setup at all for the qudproxy program, you just have to
> start it, possibly in a while ( true; ) loop to avoid problems.
>
> regards,
>
>
> artur
>
>
> > had to have 2 radius's running.
> > More information would be nice.
> > Thanks Troy
> >
> > - Original Message -
> > From: "Artur Hecker" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, May 10, 2002 7:15 PM
> > Subject: Re: [Oz-ISP] Portmaster 2E
> >
> > > hmmm,
> > >
> > > if it is important to you to keep your current configuration and for
> > > some reasons you don't want radius to listen on two ports, you could
> > > simply use a udp-proxy, i.e. a small simple program which will copy
> > > ongoing packets from one udp-socket to another and vice versa... just
> > > search the net for "qudproxy" (those were the days ;-)) or ask me... you
> > > could start it on the same machine or on every intermediate you want.
> > >
> > > greetings
> > >
> > > art
> > >
>
> --
> Artur Hecker  Groupe Accès et Mobilité
> hecker[at]enst.fr   Département Informatique et Réseaux
> +33 1 45 81 7507 46, rue Barrault 75634 Paris cedex 13
> http://www.infres.enst.frENST Paris
>


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
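
The relay setup described in the message above, as an added example that is not part of the thread and is not qudproxy's code. The class name `UdpRelay` and the addresses in the `__main__` block are assumptions; ports 1645 and 1812 are the ones mentioned in the thread.

```python
import select
import socket

class UdpRelay:
    """Copy datagrams arriving on listen_addr (port x) to server_addr (port y) and back."""

    def __init__(self, listen_addr, server_addr):
        self.server_addr = server_addr
        self.front = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.front.bind(listen_addr)
        self.upstream = {}  # NAS (ip, port) -> socket the relay uses towards the server
        self.nas_for = {}   # that socket -> NAS (ip, port), to route replies back

    def _socket_for(self, nas):
        sock = self.upstream.get(nas)
        if sock is None:
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            sock.connect(self.server_addr)  # kernel discards datagrams from any other source
            self.upstream[nas] = sock
            self.nas_for[sock] = nas
        return sock

    def step(self, timeout=1.0):
        """Relay every datagram that is ready now; return how many were copied."""
        ready, _, _ = select.select([self.front, *self.nas_for], [], [], timeout)
        copied = 0
        for sock in ready:
            try:
                if sock is self.front:
                    data, nas = sock.recvfrom(4096)  # RADIUS packets are at most 4096 bytes
                    self._socket_for(nas).send(data)
                else:
                    self.front.sendto(sock.recv(4096), self.nas_for[sock])
                copied += 1
            except OSError:
                continue  # e.g. ICMP port unreachable while the server is down
        return copied

    def close(self):
        for sock in [self.front, *self.nas_for]:
            sock.close()

if __name__ == "__main__":
    # Sample values: the NAS is fixed on 1645/udp, the server listens on 1812/udp
    # on the same host. Adjust the server address for your own setup.
    relay = UdpRelay(("0.0.0.0", 1645), ("127.0.0.1", 1812))
    while True:
        relay.step()
```

Because every request now reaches the server from the relay's address, the server's client entry and shared secret have to be defined for the relay host. The relay's listening port should also be firewalled to the NAS, since the server can no longer tell NAS devices apart by source IP.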



Re: [Oz-ISP] Portmaster 2E

2002-05-11 Thread Troy Davis

Are you saying if I uncommented both udp addresses in /etc/services then
radius is able to listen on both ports, I would have thought I would have
had to have 2 radius's running.
More information would be nice.
Thanks Troy

- Original Message -
From: "Artur Hecker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 10, 2002 7:15 PM
Subject: Re: [Oz-ISP] Portmaster 2E


> hmmm,
>
> if it is important to you to keep your current configuration and for
> some reasons you don't want radius to listen on two ports, you could
> simply use a udp-proxy, i.e. a small simple program which will copy
> ongoing packets from one udp-socket to another and vice versa... just
> search the net for "qudproxy" (those were the days ;-)) or ask me... you
> could start it on the same machine or on every intermediate you want.
>
> greetings
>
> art
>
>
> Troy Davis wrote:
> >
> > Ok it has been confirmed that on the PM2 the UDP port can not be changed :(
> > Thanks to all that supplied your input
> >
> > Regards Troy
> > -Original Message-
> > From: Ryan Cochrane [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, 10 May 2002 9:10 AM
> > To: Troy Davis
> > Subject: RE: [Oz-ISP] Portmaster 2E
> >
> > set au 1 1.2.3.4 1812 (for radius)
> > set acc 2 1.2.3.4 1813 (for accounting)
> >
> > I think.
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Troy Davis
> > Sent: Thursday, 9 May 2002 11:40 PM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: [Oz-ISP] Portmaster 2E
> >
> > Does anyone know how to change the UDP on the portmaster 2 from 1645/udp to
> > 1813/udp.
> > I have been searching for PM manuals but none have told me how to change this
> > Thanks Troy
> >
>
> --
> Artur Hecker
> artur[at]hecker.info
>
>



RE: [Oz-ISP] Portmaster 2E

2002-05-09 Thread Troy Davis

Ok it has been confirmed that on the PM2 the UDP port can not be changed :(
Thanks to all that supplied your input

Regards Troy
-Original Message-
From: Ryan Cochrane [mailto:[EMAIL PROTECTED]]
Sent: Friday, 10 May 2002 9:10 AM
To: Troy Davis
Subject: RE: [Oz-ISP] Portmaster 2E


set au 1 1.2.3.4 1812 (for radius)
set acc 2 1.2.3.4 1813 (for accounting)


I think.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Troy Davis
Sent: Thursday, 9 May 2002 11:40 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Oz-ISP] Portmaster 2E


Does anyone know how to change the UDP on the portmaster 2 from 1645/udp to
1813/udp.
I have been searching for PM manuals but none have told me how to change this
Thanks Troy





mysql and simultaneous logins

2002-05-04 Thread Ryan Troy

Quick question, we are running freeradius 0.5 and mysql and we are
having a problem with simultaneous logins, our database is setup like
this:

Radgroupcheck table:
id  GroupName  Attribute         Value  op
1   DEFAULT    Simultaneous-Use  2      :=

We keep getting errors like this:

Fri May  3 10:13:04 2002 : Auth: Multiple logins (max 1) : [username]
(from nas UNKNOWN-NAS port 109)

But the user is not logged in; we have tested it locally and the same
thing. Changing the Value to 20 or 30 seems to fix the problem. 

Any suggestions would be great..

Thanks,

Ryan






freeradius+mysql+simultaneous logins

2002-05-04 Thread Ryan Troy

Quick question, we are running freeradius 0.5 and mysql and we are
having a problem with simultaneous logins, our database is setup like
this:

Radgroupcheck table:
id  GroupName  Attribute         Value  op
1   DEFAULT    Simultaneous-Use  2      :=

We keep getting errors like this:

Fri May  3 10:13:04 2002 : Auth: Multiple logins (max 1) : [username]
(from nas UNKNOWN-NAS port 109)

But the user is not logged in; we have tested it locally and the same
thing. Changing the Value to 20 or 30 seems to fix the problem. 

Any suggestions would be great..

Thanks,

Ryan





RE: A couple quick questions

2002-04-24 Thread Ryan Troy

Alan,

Thanks for the quick reply.

Ryan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, April 24, 2002 1:39 PM
To: [EMAIL PROTECTED]
Subject: Re: A couple quick questions 

"Ryan Troy" <[EMAIL PROTECTED]> wrote:
> Is it possible to read NAS from a mysql database? I see the tables are
> commented out in the .sql file but I didn't know if it was possible.

  No, it's not possible right now.
 
> Also is it possible to store radius.log in the mysql database?

  No, sorry.

  Alan DeKok.




A couple quick questions

2002-04-24 Thread Ryan Troy

Is it possible to read NAS from a mysql database? I see the tables are
commented out in the .sql file but I didn't know if it was possible.

Also is it possible to store radius.log in the mysql database?


Best Regards,

Ryan Troy
Screaming Internet, Inc
Voice: 970-870-0495
Toll Free: 866-727-3261
http://www.screaminet.com






Comindico

2002-04-19 Thread Troy Davis



Thanks to all that helped the other night.
Part of the problem turned out to be IP chains.
Which btw no one mentioned :)

Anyway next problem. I have brought virtual ports and the authenticate can
come from a number of nas in my naslist I have

210.54.149.164  rad1net4u   linux
210.54.149.161  rad2net4u   linux
210.55.107.227  rad3net4u   linux

and so far I have

drwxr-xr-x    2 root root 4096 Apr 19 15:07 acc02-waym-adl.comindico.com.au
drwxr-xr-x    2 root root 4096 Apr 19 15:02 acc04-waym-adl.comindico.com.au

in my radacct dir.

My question is how can I have all the log details go into one detail file?
Sure there are other people on the list that use comindico port, how are you
handling this..

Thanks Troy


Re: user interface

2002-03-03 Thread Troy

So will this be offered publicly or will it have a price on it...
If so how much.
Thanks Troy

- Original Message -
From: Tarquin Douglass (Astronet Internet Access) <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, March 03, 2002 10:58 AM
Subject: Re: user interface


>
> Yes I have and it is called AstroAdmin.
> A final beta release of this software will be ready very soon.
>
> It includes many features like billing, AAA accounting, network monitor,
> webmail and support tickets as well as an online signup.
>
> "Monday" is the term used to signify the eighth day of my work week.
>
> Regards
>
> Tarquin Douglass
> Astronet Internet Access
> Office: (031) 3094760
> Home: (031) 2692954
> Cel: (083) 5557890
> _
> http://www.astronet.co.za
>
> - Original Message -
> From: "George" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, March 03, 2002 12:53 AM
> Subject: user interface
>
>
> > Has anyone developed a user interface for freeradius so that subscribers
> > could check their own online times?
> >



HELP

2002-02-17 Thread Troy Davis

CAN SOMEONE PLEASE HELP WITH THIS

Ok I have tried all these below to try and get timeonline to work
Login-Time = "Wk0800-1700,Sa,Su"
Login-Time = "Wk0800-1700,Sa,Su",
Login-Time = Wk0800-1700,Sa,Su
Login-Time = Wk0800-1700,Sa,Su,

the error I get is
/etc/raddb/users[279]: Parse error (reply) for entry foxcreek

The radius is
RADIUS version cistron-1.5.4.3-beta17 27-Apr-1999
Compilation flags:  ATTRIB_NMC linux

Thanks for any help
Troy


COMSTECH SYSTEMS  ICQ 6083429
Shop 5 Old Coach Village [EMAIL PROTECTED]
Aldinga Bch   http://www.comstech.com
*** Tel 85 577-777  Mob 0417 873 506***
*** Internet and Computer - Support and Training ***
** Hardware Sales & Upgrades **



HELP

2002-02-12 Thread Troy Davis

Ok I have tried all these below to try and get timeonline to work
Login-Time = "Wk0800-1700,Sa,Su"
Login-Time = "Wk0800-1700,Sa,Su",
Login-Time = Wk0800-1700,Sa,Su
Login-Time = Wk0800-1700,Sa,Su,

the error I get is 
/etc/raddb/users[279]: Parse error (reply) for entry foxcreek

The radius is
RADIUS version cistron-1.5.4.3-beta17 27-Apr-1999
Compilation flags:  ATTRIB_NMC linux

Thanks for any help
Troy


COMSTECH SYSTEMS  ICQ 6083429
Shop 5 Old Coach Village [EMAIL PROTECTED]
Aldinga Bch   http://www.comstech.com
*** Tel 85 577-777  Mob 0417 873 506***
*** Internet and Computer - Support and Training ***
** Hardware Sales & Upgrades **



Login-Time

2002-02-12 Thread Troy

Can someone please give me the correct syntax for this statement on cistron
radius
Is it ?
Login-Time = "Wk0800-1700,Sa,Su"
And where should it go, IE straight under the username password line?

Also if I put
DEFAULT Simultaneous-Use = 1
  Fall-Through = 1

at the top of my users file will this stop simultaneous use, yes perl is
installed.
Do I need to have the Fall - Through = 1 in there





Login-Time

2002-02-07 Thread Troy

Can someone please give me the correct syntax for this statement on cistron
radius
Is it ?
Login-Time = "Wk0800-1700,Sa,Su"
And where should it go, IE straight under the username password line?

Also if I put
DEFAULT Simultaneous-Use = 1
  Fall-Through = 1

at the top of my users file will this stop simultaneous use, yes perl is
installed.
Do I need to have the Fall - Through = 1 in there





New Install Free radius or cistron

2002-01-30 Thread Troy

I have been an ISP for some time now, but need a radius that supports time
of day logins.
What I was wondering is.
1. Is freeradius stable enough now to run in a commercial situation on
Redhat 6.x or 7.x?
2. If not I guess then I should use cistron!

Thanks Troy





Re: net restrictions

2001-12-16 Thread Troy

It may be not normally done, But if I can work out how to get the user to
land at a join web page when they have a 192.168 address then that would be
pretty cool.
Cuz they can fill out an online web form

My 2 cents worth :)

- Original Message -
From: Chris Parker <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, December 15, 2001 1:09 AM
Subject: Re: net restrictions


> At 10:51 AM 12/14/2001 +1000, Tim wrote:
> >Thanks Mike ... but as I see it ..
> >
> >User dials in with user pass of  something/something .. (not configured in
> >Users or Passwd file) .. my Ascend Max (4000's) box sends the request to
> >radius, to which radius denies the auth request .. then Ascend drops the
> >call . ??
> >
> >I would have thought that it needed to be something in the Users file that
> >said, "OK, I can't auth you with that user/pass, so have an IP of 192.168
> >  "   ??Can the Users file do this??
> >
> >Am I missing something somewhere?
>
> At the end of the users-file, in your DEFAULT entry, try something
> like:
>
> DEFAULT Auth-Type := Accept
>   Framed-IP-Address = 192.168.0.1
>
> ( or use the Ascend attributes to assign from a different pool
>   than the default )
>
>
> What you are trying to do is not something that is normally done, so
> there isn't a predetermined way of doing it.  You'll need to try playing
> with different types of entries in the users file, and may in fact have
> to write your own module or external program to do this.
>
> -Chris
> --
> \\\|||///  \  Chris Parker-Manager, Development Engineering
> \ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Without C we would have 'obol', 'basi', and 'pasal'
>
>