Re: How to auth_log via sql ?

2004-06-20 Thread Paul Hampson
On Sun, Jun 20, 2004 at 02:42:52PM +0200, Stephan von Krawczynski wrote:
> this is possibly a very simple question, but browsing through the list and FAQs
> I could not find any hints.
> How can you write the information auth_log produces in a logfile to sql instead
> _without_ doing authentication via sql?
> You can't simply write sql into the authorize section, because it will try
> to authorize, right?

You're after the post-auth SQL query. Edit it and the table to record
what you want to see, and then put sql in your post-auth section, in the
appropriate Post-Auth-Type section if relevant.

You'll have to be using 1.0 or 1.1 series FreeRADIUS to have this.

-- 
Paul TBBle Hampson, on an alternate email client.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


special daily session attribute

2004-06-20 Thread Milver S. Nisay
the daily session, as i understand it, keeps track of total number of hours
used within 24 hours, and if the limit daily session is reached,
the users cannot reconnect again until the next day, that is the daily
counter is reset.
is daily-session separate from max-daily-session attribute?

again, my problem is that i'm planning to disconnect dialup users every 4th
hour of their internet usage within 24 hours. and let them reconnect again
on the same day. until they reach the 4th hour of their connection. the
disconnection happens every 4th hour of their connection. would it be
possible?

does this require an external script? any special attribute?
i am using MySQL+freeradius on FC1.
please advise.
thanks,
//milver






Re: How to auth_log via sql ?

2004-06-20 Thread Stephan von Krawczynski
On Sun, 20 Jun 2004 23:25:01 +1000
[EMAIL PROTECTED] (Paul Hampson) wrote:

> On Sun, Jun 20, 2004 at 02:42:52PM +0200, Stephan von Krawczynski wrote:
> > this is possibly a very simple question, but browsing through the list and
> > FAQs I could not find any hints.
> > How can you write the information auth_log produces in a logfile to sql
> > instead _without_ doing authentication via sql?
> > You can't simply write sql into the authorize section, because it will
> > try to authorize, right?
>
> You're after the post-auth SQL query. Edit it and the table to record
> what you want to see, and then put sql in your post-auth section, in the
> appropriate Post-Auth-Type section if relevant.
>
> You'll have to be using 1.0 or 1.1 series FreeRADIUS to have this.

Hello Paul,

Thanks for this hint.
The problem with this solution is (as far as I can see):

#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {

This means it does not get called if authentication failed, correct?

Contrary to that, auth_log gets called for every authentication request, no
matter if failing or succeeding later on. This may be important while debugging
user login problems. It would not help a lot if you could only see the working
cases...

Any additional thoughts?
Stephan






Re: oracle database library problem

2004-06-20 Thread Alan DeKok
Wisam Najim [EMAIL PROTECTED] wrote:
> I am running freeRADIUS version 0.9.0 on Solaris 2.8 and using oracle
> 8.1.7.4 database for accounting and authentication.

  1.0.0-pre3 has a number of fixes to the Oracle module, which correct
memory leaks & bad pointer problems.

> I have two databases for authentication and I am configuring the
> freeRADIUS to implement failover.  When the radius detects that
> primary database is not accessible it crashes in most of the cases
> when using the standard oracle library that comes with installed
> oracle client libclntsh.so.8.0.

  That's bad.  If you have access to a tool like purify, that can
help enormously.  If not, you're pretty much stuck with gdb.

> If I use another library that was generated by another machine the
> radius works fine. (I do not know how that library was generated)

  Do you know where that library came from?  That is, why does one
library work, and the other fail?

> I would like to know if there are special requirements for oracle client
> installation in order to work properly with freeRADIUS.

  There shouldn't be.

> I have tried the third pre 1.0.0 version and still have the same problem.

  Hmm... I'd like to be able to say it's a problem with the Oracle
library, but I can't be sure that's true.

  Alan DeKok.



Re: special daily session attribute

2004-06-20 Thread Alan DeKok
Milver S. Nisay [EMAIL PROTECTED] wrote:
> is daily-session separate from max-daily-session attribute?

  Yes.  The first is a counter, the second is a limit.

> again, my problem is that i'm planning to disconnect dialup users every 4th
> hour of their internet usage within 24 hours. and let them reconnect again
> on the same day. until they reach the 4th hours of their connection. the
> disconnection happens every 4th hour of their connection. would it be
> possible?

  I'm not sure I know what you mean.

  You can configure rlm_counter (or rlm_sqlcounter) to limit users to
4 hours per day, and to reset the counters every day.  Once that's
done, it doesn't matter how many times they log in, they only get a
total of 4 hours.

  Alan DeKok.




Shared secret problems!

2004-06-20 Thread PS
Hi, I have the following problem:
radddb.conf:
client 192.168.0.0/16 {
secret = 123qweasdzxc
shortname = homenet
nastype = other
}

Then if a NAS sends an invalid shared secret I still get its access request packet
processed, but only the User-Password is modified (with trash). As I use freeradius
for voip some users are authenticated by framed-ip-address and user-name. So, there
is a chance that anybody can trigger heavy processing of my billing on access-request,
when user-password is not used! (A few queries to db, etc...)
As I found out, there is no such problem for accounting packets - they are
automatically rejected.
Can I make freeradius reject (or even better leave without a response) registration
packets that do not come from specified ip address and don't have correct shared
secret?

Thanks a lot!
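
Added example, not part of the original post and not FreeRADIUS code: the behaviour described above follows from the RADIUS packet formats. In an Access-Request the Request Authenticator is a random value and the secret is used only to hide User-Password (RFC 2865), while an Accounting-Request authenticator is an MD5 over the packet and the secret (RFC 2866), and a Message-Authenticator attribute (RFC 2869) is what lets a server verify an Access-Request. The secrets, user name and password used with it are constructed sample values.

```python
import hashlib, hmac, struct

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # wrong secret: no error, just garbage bytes

def acct_request(ident, attrs, secret):  # RFC 2866: MD5(header + 16 zeros + attrs + secret)
    digest = hashlib.md5(packet(4, ident, bytes(16), attrs) + secret).digest()
    return packet(4, ident, digest, attrs)

def acct_request_ok(pkt, secret):
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def signed_access_request(ident, req_auth, attrs, secret):
    """RFC 2869 5.14: append Message-Authenticator (type 80, length 18), HMAC-MD5."""
    pkt = packet(1, ident, req_auth, attrs + b"\x50\x12" + bytes(16))
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def message_authenticator_ok(pkt, secret):
    pos = 20
    while pos + 2 <= len(pkt) and pkt[pos + 1] >= 2:
        if pkt[pos] == 80 and pkt[pos + 1] == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[pos + 2:pos + 18])
        pos += pkt[pos + 1]
    return False  # attribute absent: the Access-Request proves nothing about the secret

# Constructed sample values; USER is a User-Name attribute (type 1) for "alice".
NAS_SECRET, SERVER_SECRET, REQ_AUTH = b"nas-side-secret", b"server-side-secret", bytes(range(16))
USER = b"\x01\x07alice"
```

A server that requires a valid Message-Authenticator can drop an Access-Request from a sender without the secret before any database lookup; without the attribute the only symptom of a wrong secret is an undecodable User-Password.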



rlm_perl v.1.0.0

2004-06-20 Thread PS
Hi, I use freeradius & rlm_perl - haven't ever had any crash (under heavy testing
also). I really like this module - I can do whatever I want, I can write billing the
way I want with this module...
Some time ago I read that it was on todo list to move this module into stable, but I
checked - it's not on the list of stable modules in the latest v.1.0.0;

Is it planned that this module will finally be cleaned and improved to be able to go
into stable??

Thanks!



Re: How to auth_log via sql ?

2004-06-20 Thread Paul Hampson
On Sun, Jun 20, 2004 at 03:54:28PM +0200, Stephan von Krawczynski wrote:
> On Sun, 20 Jun 2004 23:25:01 +1000
> [EMAIL PROTECTED] (Paul Hampson) wrote:
>
> > On Sun, Jun 20, 2004 at 02:42:52PM +0200, Stephan von Krawczynski wrote:
> > > this is possibly a very simple question, but browsing through the list and
> > > FAQs I could not find any hints.
> > > How can you write the information auth_log produces in a logfile to sql
> > > instead _without_ doing authentication via sql?
> > > You can't simply write sql into the authorize section, because it will
> > > try to authorize, right?
> >
> > You're after the post-auth SQL query. Edit it and the table to record
> > what you want to see, and then put sql in your post-auth section, in the
> > appropriate Post-Auth-Type section if relevant.
> >
> > You'll have to be using 1.0 or 1.1 series FreeRADIUS to have this.
>
> Hello Paul,
>
> Thanks for this hint.
> The problem with this solution is (as far as I can see):
>
> #  Post-Authentication
> #  Once we KNOW that the user has been authenticated, there are
> #  additional steps we can take.
> post-auth {
>
> This means it does not get called if authentication failed, correct?

That probably should read "Once we KNOW that the user has been
authenticated or not,"

> Contrary auth_log gets called for every authentication-request, no matter if
> failing or succeeding later on. This may be important while debugging user
> login problems. It would not help a lot if you could only see the working
> cases...
>
> Any additional thoughts?
> Stephan

If you look further down, you'll see the stanza that gets called if the
request is rejected, under Post-Auth-Type REJECT. Put sql in there
as well as in the main stanza (directly above this one) and it'll get
called on both accept and reject. From memory, the default Post-Auth
SQL query logs Accept or Reject as well as time and username.

-- 
Paul TBBle Hampson, on an alternate email client.



Urgent: two radius running at same time

2004-06-20 Thread wadih jalad
hi
i installed FreeRadius 0.7 on RedHat-9. the version of mysql server is
3.23.54.
at the beginning i had a problem with the rlm_sql, i installed
mysql-devel-3.23.54a-11.i386.rpm, i compiled and i reinstalled free radius
again.
now i have another error message when i run the radius server with the
command:
//usr/local/sbin/radiusd
the error message is:
Sun Jun 20 12:54:58 2004 : Info: Starting - reading configuration files ...
auth bind: Address already in use

when i run the debug mode with : radiusd -xx , i had this error message:
Sun Jun 20 12:56:30 2004 : Debug:  radutmp: username = %{User-Name}
Sun Jun 20 12:56:30 2004 : Debug:  radutmp: perm = 384
Sun Jun 20 12:56:30 2004 : Debug:  radutmp: callerid = yes
Sun Jun 20 12:56:30 2004 : Debug: Module: Instantiated radutmp (radutmp)
auth bind: Address already in use
Sun Jun 20 12:56:30 2004 : Debug:   There appears to be another RADIUS server already running on the authentication port UDP 1645.

so i did this command : ps -ef | grep radiusd to kill the running radius, i
had this:
root 16438 16347  0 12:57 pts/0    00:00:00 grep radiusd

so i didn't find any radius to kill.
can anyone help me with this problem, please, it is very Urgent


Re: Urgent: two radius running at same time

2004-06-20 Thread Kevin Bonner

On Sunday 20 June 2004 13:02, wadih jalad wrote:
> i installed FreeRadius 0.7 on RedHat-9.

Wow.  That's fairly old.  I would suggest upgrading to 0.9.3 or 1.0.0 when it
comes out.

> Sun Jun 20 12:56:30 2004 : Debug:   There appears to be another RADIUS
> server already running on the authentication port UDP 1645.

On the RH9 box, run 'netstat -lnp' to find what pid/process has udp port 1645
currently open.  At the very least 'killall -9 radiusd' should search &
destroy any radiusd process still running.

Kevin Bonner


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-20 Thread Mack
Gary,

I had scanned them prior to posting, but there seem to be no solutions to all of the
problems people have with this configuration.  My impression is that most of the
gurus on the list are assuming WAY too much of some of us newbies.  They keep
coming back with the same replies, like read the faqs, readme, rfc, etc., etc.  But,
that begs the question:  If that's going to be the reply each time, then why even
bother with the list in the first place?  Oh, well.  I am definitely taking a more
in-depth look at the archives, though, as you've suggested.  If nothing else, maybe
that will help me form better questions.  Thanks for the help!

mack

On 19 Jun 2004 at 6:34, Gary McKinney wrote:

> Mack,
>
> Check the email archives over the last three months - there is a great
> deal of information on using EAP/TLS and how to use LDAP with
> freeradius (including example snippets).
>
> gm...
> - Original Message -
> From: Mack [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Friday, June 18, 2004 11:52 PM
> Subject: radius, 802.1x, eap/tls, and edirectory (ldap)
>
> > Hi,
> >
> > I'm a newbie to all of this, so please bear with me.  This list is all
> > I've got!
> >
> > We are introducing a wireless infrastructure on our campus (a little late
> > in the game).  Right now we're in testing phase.  In this testing phase,
> > we are using several 3com 7250 AP's, some 3com cards capable of 802.1x,
> > and Novell eDirectory (LDAP).  My requirement is to enable 802.1x
> > authentication to the AP's using EAP/TLS. Additionally, I need to be able
> > to authenticate the users to Novell via LDAP.  All via the FreeRADIUS
> > server.
> >
> > I have configured freeradius version 0.9.3 to work successfully with only
> > ldap authentication against Novell eDirectory.  I have also verified that
> > 802.1x authentication is working with the AP. However, if I attempt to
> > somehow enable both authentication mechanisms, I fail.  The logs keep
> > passing the EAP username (common name from cert) to ldap and of course
> > ldap spits it out because the object does not exist.
> >
> > Again, I'm new to this, and maybe I have made incorrect assumptions of
> > what the end result should be.  Maybe this isn't even possible, but here's
> > what I had hoped to come away with:  the wireless user boots their laptop,
> > then gets authenticated via eap/tls.  They then open a browser, and are
> > asked for username and password (via dialog box?), or either redirected to
> > a login page.  The username and password are then passed to ldap for
> > authentication.  Successful authentication results in the client being
> > given internet access.  Is this possible?  Or, am I totally
> > misunderstanding how this is all supposed to work (very likely)?
> >
> > I must admit, I'm not very comfortable when working with the config files.
> > Not too sure what I'm doing in there.  I tackled this whole project
> > somewhat blindly, with the help of various bits of info I gathered from
> > google searches.  I do need to obtain a good book on this stuff...that's
> > obvious...but I am hoping that someone on this list has experience with
> > getting freeradius to work with eap/tls and novell ldap authentication and
> > is willing to share that experience and wisdom.
> >
> > (Embarrassed) Sorry again for the newbie-ness of this post, and thanks in
> > advance for any help!
> >
> > mack