Re: user login once???
Thank you Ivan, yep, that's exactly what I mean. Give me a clue please.

From: Ivan Kalik
Subject: Re: user login once???
To: "FreeRadius users mailing list"
Date: Thursday, May 7, 2009, 3:06 AM

> how to setup freeradius server to perform user log in to server once in a
> day or few login in a month.. help please..

Radius server doesn't log in users onto the server. Ever! Perhaps you want
something else: allow one login per day (or a few per month)?

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Regular expression in radcheck
Hi,

I know there's hunt groups, but can't I use a reg exp to indicate multiple
MAC addresses in a Calling-Station-ID entry on the radcheck table, so users
can use multiple computers? Here is what I have:

u...@domain    Calling-Station-ID  =~  00-1c-b3-b1-3e-00|00-1c-b3-b1-3e-01|00-1c-b3-b1-3e-02

However, any MAC address is accepted... it's not working like I think it
should.

Thanks!
Eric
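An added example, not from Eric's post: the same allowlist written as a FreeRADIUS 2.x users-file entry (the radcheck equivalent is one row with attribute Calling-Station-Id, op =~ and the same value). The account name and password are constructed placeholders. Two details matter for any regex check on Calling-Station-Id: the expression should be anchored so that a partial match cannot succeed, and it must match the exact string the NAS sends, which varies by vendor. The access point in the EAP-TLS thread on this page sends Calling-Station-Id = "00215d9ade9a", lower case with no separators, so a dash-separated pattern would never match against that NAS.

```conf
# Added example; not the original poster's configuration.
# users-file entry limiting a constructed account to three MAC addresses.
# "^(...)$" anchors the alternation so only a complete MAC string matches;
# without the anchors a longer or differently formatted string containing
# one of the addresses as a substring would also pass.
"user@example.com"  Calling-Station-Id =~ "^(00-1c-b3-b1-3e-00|00-1c-b3-b1-3e-01|00-1c-b3-b1-3e-02)$", Cleartext-Password := "constructed-placeholder"

# Same allowlist written with a character class instead of listing each
# address. A real users file would carry one entry per account; the second
# account is shown only for comparison.
"user2@example.com"  Calling-Station-Id =~ "^00-1c-b3-b1-3e-0[0-2]$", Cleartext-Password := "constructed-placeholder"
```

When a check item on a users-file entry fails, the entry simply does not match and processing falls through to any later entry, including DEFAULT, and to the other modules in authorize. If anything further down supplies the password for the user regardless of Calling-Station-Id, the MAC restriction is bypassed, so the debug output (radiusd -X) is the place to confirm which entry or module actually authorized a request that should have been refused.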
Re: Problem with FreeRADIUS Active Directory Integration
> In our test lab we are working on using FreeRADIUS to authenticate users
> against their AD credentials. We loaded FreeRADIUS on a Fedora 10. We
> loaded SAMBA and it works. We loaded freeradius-2.1.3-1.fc10.i386.
>
> We followed the
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO.
> We booted an XP workstation and logged in. It never got a DHCP address
> and failed authentication.

Read the prerequisites in the article! Updated tutorial is at:
http://deployingradius.com/documents/configuration/active_directory.html

I have added that link to the wiki page.

Ivan Kalik
Kalik Informatika ISP
Re: SQL Counters and Realms
You're correct, I haven't noticed this parameter and its default 'sql' is a
different database setup indeed.

Thanks,
Liran.

On Wed, May 6, 2009 at 11:16 PM, Ivan Kalik wrote:
> > Hey,
> >
> > In my FR1.1.7 setup, I have different realms for the same machine using
> > different databases for each.
> > The login part is ok, as well as the accounting, which has entries in the
> > radacct table for "account".
> >
> > I enabled one of the sql counters modules which, as it seems, isn't
> > returning any results, because I am
> > suspecting that it's running the query on another realm's database. I have
> > several of the sql.conf config
> > files for each realm, so what I'm basically doing is having in accounting
> > {}
> > section something like this:
> > Acct-Type SQL_EXAMPLE {
> >     sql_example
> > }
> >
> > What do you think is happening?
>
> sqlcounter module has a config item sqlmod-inst which selects sql instance
> (database connection) that counter should use. Are you using the correct
> instance for that counter?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: SQL Counters and Realms
> Hey,
>
> In my FR1.1.7 setup, I have different realms for the same machine using
> different databases for each.
> The login part is ok, as well as the accounting, which has entries in the
> radacct table for "account".
>
> I enabled one of the sql counters modules which, as it seems, isn't
> returning any results, because I am
> suspecting that it's running the query on another realm's database. I have
> several of the sql.conf config
> files for each realm, so what I'm basically doing is having in accounting
> {}
> section something like this:
> Acct-Type SQL_EXAMPLE {
>     sql_example
> }
>
> What do you think is happening?

sqlcounter module has a config item sqlmod-inst which selects sql instance
(database connection) that counter should use. Are you using the correct
instance for that counter?

Ivan Kalik
Kalik Informatika ISP
Re: user login once???
> how to setup freeradius server to perform user log in to server once in a
> day or few login in a month.. help please..

Radius server doesn't log in users onto the server. Ever! Perhaps you want
something else: allow one login per day (or a few per month)?

Ivan Kalik
Kalik Informatika ISP
Re: authcheck vs. groupcheck with FreeRadius 2.1.1
> we've migrated from Freeradius 0.9 to 2.1. We are using the freeradius
> with a failover MySQL Configuration.
> Since the migration we have customers which get in trouble, because we
> configured "Simultaneous-Use" Check Items on the user (e.g. Value 4) and
> on the corresponding group (e.g. Value 2).
> At the old Radius version the value was taken from the User and the
> Group attribute was ignored.
> Now the user can't authenticate 4 times, because the server checks the
> group value.

Yes, in current version group values with operator := will override user
specific values for the same attribute.

> How can I change this behaviour?

You can alter the source code in rlm_sql. Or override group values with
unlang (or perl; or whatever).

Ivan Kalik
Kalik Informatika ISP
SQL Counters and Realms
Hey,

In my FR1.1.7 setup, I have different realms for the same machine using
different databases for each.
The login part is ok, as well as the accounting, which has entries in the
radacct table for "account".

I enabled one of the sql counters modules which, as it seems, isn't
returning any results, because I am suspecting that it's running the query
on another realm's database. I have several of the sql.conf config files
for each realm, so what I'm basically doing is having in accounting {}
section something like this:

Acct-Type SQL_EXAMPLE {
    sql_example
}

What do you think is happening?

Here is the relevant debug snippet from freeradius:

Wed May 6 22:47:28 2009 : Debug: modsingle[authorize]: calling accessperiod (rlm_sqlcounter) for request 0
Wed May 6 22:47:28 2009 : Debug: rlm_sqlcounter: Entering module authorize code
Wed May 6 22:47:28 2009 : Debug: sqlcounter_expand: 'SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = '%{Stripped-User-Name:-%{User-Name}}' ORDER BY AcctStartTime LIMIT 1'
Wed May 6 22:47:28 2009 : Debug: radius_xlat: 'SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = 'access1' ORDER BY AcctStartTime LIMIT 1'
Wed May 6 22:47:28 2009 : Debug: sqlcounter_expand: '%{sql:SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = 'access1' ORDER BY AcctStartTime LIMIT 1}'
Wed May 6 22:47:28 2009 : Debug: radius_xlat: Running registered xlat function of module sql for string 'SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = 'access1' ORDER BY AcctStartTime LIMIT 1'
Wed May 6 22:47:28 2009 : Debug: rlm_sql (sql): - sql_xlat
Wed May 6 22:47:28 2009 : Debug: radius_xlat: 'access1'
Wed May 6 22:47:28 2009 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'access1'
Wed May 6 22:47:28 2009 : Debug: radius_xlat: 'SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = 'access1' ORDER BY AcctStartTime LIMIT 1'
Wed May 6 22:47:28 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed May 6 22:47:28 2009 : Debug: rlm_sql (sql): SQL query did not return any results
Wed May 6 22:47:28 2009 : Debug: rlm_sql (sql): Released sql socket id: 2
Wed May 6 22:47:28 2009 : Debug: radius_xlat: ''
Wed May 6 22:47:28 2009 : Debug: rlm_sqlcounter: (Check item - counter) is greater than zero
Wed May 6 22:47:28 2009 : Debug: rlm_sqlcounter: Authorized user access1, check_item=300, counter=0
Wed May 6 22:47:28 2009 : Debug: rlm_sqlcounter: Sent Reply-Item for user access1, Type=Session-Timeout, value=300
Wed May 6 22:47:28 2009 : Debug: modsingle[authorize]: returned from accessperiod (rlm_sqlcounter) for request 0
Wed May 6 22:47:28 2009 : Debug: modcall[authorize]: module "accessperiod" returns ok for request 0

Regards,
Liran.
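As an added example (not Liran's configuration and not the counter example shipped with FreeRADIUS): the accessperiod counter whose query appears in the debug output above, with sqlmod-inst set explicitly instead of relying on its default. The name sql_realm2 is a placeholder for whichever sql { } instance in sql.conf connects to the database that holds this realm's radacct table; Access-Period is assumed to be defined as a check attribute in the dictionary. The item names are those of rlm_sqlcounter in FreeRADIUS 1.1.x and 2.x.

```conf
# Added example; not the poster's configuration.
sqlcounter accessperiod {
        counter-name = Max-Access-Period-Time   # attribute that receives the counter value
        check-name = Access-Period              # per-user/group check item the counter is compared against

        # Database the counter reads. The default is the sql instance named
        # "sql"; with one sql instance per realm, name the instance for the
        # realm whose radacct table holds these sessions. "sql_realm2" is a
        # placeholder for that instance's name in sql.conf.
        sqlmod-inst = sql_realm2

        key = User-Name
        reset = never

        # Query taken from the debug output above: seconds elapsed since the
        # user's first recorded session.
        query = "SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = '%{Stripped-User-Name:-%{User-Name}}' ORDER BY AcctStartTime LIMIT 1"
}
```

The counter is listed in the authorize section after sql, so the Access-Period check item has already been loaded when it runs. The debug output also shows why pointing a counter at the wrong database matters: the empty result is treated as counter=0, the check item of 300 passes, and a Session-Timeout of the full 300 seconds is returned. A counter that reads a database the accounting never reaches therefore fails open, and the "SQL query did not return any results" line is the indicator to look for when a limit that should have triggered did not.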
user login once???
how to setup freeradius server to perform user log in to server once in a
day or few login in a month.. help please..
authcheck vs. groupcheck with FreeRadius 2.1.1
Hello,

we've migrated from Freeradius 0.9 to 2.1. We are using the freeradius
with a failover MySQL Configuration.
Since the migration we have customers which get in trouble, because we
configured "Simultaneous-Use" Check Items on the user (e.g. Value 4) and
on the corresponding group (e.g. Value 2).
At the old Radius version the value was taken from the User and the
Group attribute was ignored.
Now the user can't authenticate 4 times, because the server checks the
group value.

How can I change this behaviour?

If you need configuration fragments, please tell and I will supply them.

Thanks a lot and best regards
Michael Schramm
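Both this thread (restoring the per-user Simultaneous-Use that the group's := value overwrote) and the "user login once" thread above (allowing one login per day) can be handled with unlang in the authorize section, which is the route Ivan points to. The block below is an added example for FreeRADIUS 2.x, not configuration from either thread; unlang does not exist in 1.x. It assumes the stock MySQL schema (radcheck, radacct with AcctStartTime), an sql instance named sql so that the %{sql:...} expansion is available, and the usual module order; the rule texts are constructed.

```conf
# Added example (FreeRADIUS 2.x unlang); not configuration from the threads.
authorize {
        preprocess
        suffix
        eap
        sql     # loads radcheck and radgroupcheck items and sets SQL-User-Name

        # "One login per day": refuse the request if accounting already holds
        # a session for this user that started today. This depends on
        # Accounting-Start records reaching radacct; with no accounting the
        # count stays 0 and nothing is blocked, and if the query fails the
        # expansion is empty, the comparison is false and the request is
        # also allowed. CURDATE() is MySQL syntax (assumed schema).
        if ("%{sql:SELECT COUNT(*) FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStartTime >= CURDATE()}" >= 1) {
                reject
        }

        # Put the per-user Simultaneous-Use back after rlm_sql let the
        # group's ':=' value replace it in the control list. Only the user's
        # own radcheck row is re-read; if the user has no such row the control
        # list is left as rlm_sql built it.
        if ("%{sql:SELECT value FROM radcheck WHERE username='%{SQL-User-Name}' AND attribute='Simultaneous-Use'}" != "") {
                update control {
                        Simultaneous-Use := "%{sql:SELECT value FROM radcheck WHERE username='%{SQL-User-Name}' AND attribute='Simultaneous-Use'}"
                }
        }

        pap
}
```

Both rules use SQL-User-Name rather than User-Name because rlm_sql sets it to the escaped form of the user name (the "sql_set_user escaped user" line in the debug outputs on this page), which is what keeps an attacker-controlled User-Name from altering the query text. Simultaneous-Use itself is only enforced if a session-tracking module (radutmp or the sql simul queries) is configured in the session section; the update above only decides which limit that check sees.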
problem with eap-tls between FR and XP client
hi forum,

I'm trying to connect a Windows XP client (also I'm trying with Vista) with
freeradius with EAP-TLS. I made my set of certificates (from this site
http://www.linuxjournal.com/node/8095/print) and now, I have: CA,
radius_cert.pem, radius_key.pem, radius_keycert.pem, radius_req.pem,
cliente_cert.p12, cliente_key.pem, cliente_cert.pem, cliente_req.pem, dh,
random, xpextensions, xpclient_ext, xpserver_ext

I've configured eap.conf this way:

tls {
        certdir = ${confdir}/certs2
        cadir = ${confdir}/certs2
        private_key_password = ***
        private_key_file = ${certdir}/radius_keycert.pem
        certificate_file = ${certdir}/radius_keycert.pem
        CA_file = ${cadir}/cacert.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"

And I've installed my cacert.pem and cliente_cert.p12 into mmc into Trusted
Root Certification Authorities and Personal - certificates, respectively.

When I try to connect with freeradius my log is this (it's too long because
I see the same request again and again):

rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=159, length=199
        User-Name = "carlosg...@realmprueba.com"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 0
        Called-Station-Id = "00116b3f0ce5"
        Calling-Station-Id = "00215d9ade9a"
        NAS-Identifier = "Realtek Access Point. 8181"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x021a016361726c6f7367617269407769746563682e636f6d
        Message-Authenticator = 0xc6247c05f7aae962aecbc459c9416907
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "realmprueba.com" for User-Name = "carlosg...@realmprueba.com"
[suffix] Found realm "realmprueba.com"
[suffix] Adding Realm = "realmprueba.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[sql]   expand: %{User-Name} -> carlosg...@realmprueba.com
[sql] sql_set_user escaped user --> 'carlosg...@realmprueba.com'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlosg...@realmprueba.com' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'carlosg...@realmprueba.com' ORDER BY id
[sql]   expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega Mes' ORDER BY id
[sql] User found in group Navega Mes
[sql]   expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 159 to 10.0.0.1 port 3072
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x
        State = 0x84a02e6384a123686383961ecc8fb910
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=160, length=191
        User-Name = "carlosg...@realmprueba.com"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 0
        Called-Station-Id = "00116b3f0ce5"
        Calling-Station-Id = "00215d9ade9a"
        NAS-Identifier = "Realtek Access Point. 8181"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020100060319
        State = 0x84a02e6384a123686383961ecc8fb910
        Message-Authenticator = 0xe9335e399fadf61413fddd7e717c778f
+- entering group authorize {...
Re: Re :checking authorization in the duration of connection
> How about vpn windows as NAS?

Is that a joke? Windows server would be useless. It can't terminate adsl,
at least not much more than one line. So, someone else is going to
terminate adsl and send you what via VPN? Accounting? You don't need
Windows at all then - just a freeradius server. Or traffic via L2TP
tunnels? Your Windows server is going to die with any significant amount of
traffic. Using Windows server as a router is insane. It can work like that
- but very, very badly. Even a cheap dumb $50-$100 router like Mikrotik
will outperform it by miles.

Ivan Kalik
Kalik Informatika ISP
Re: Re :checking authorization in the duration of connection
How about vpn windows as NAS?

> 802.1x coding is not going to be of much use for adsl. What NAS are you
> using? Does it support gigawords in accounting and does it have traffic
> limiting VSAs?
>
> Best thing to do is to create a traffic sqlcounter that will set the
> session limit at the start of the session (at authentication) and use
> methods explained in netexpertise article to keep collected traffic
> information more realistic (in that scenario losing even one stop packet
> for a session that lasted days would be quite bad).
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Freeradius for WiMAX Authentication
> I was interested in knowing if we can use the Freeradius server for WiMAX
> Authentication. Some of the additional features that would be required
> are:
>
> 1. Vendor Specific Attributes inclusion in the Radius Messages (I think
> some amount of this can be done now - but can you tell me how)

It always could be done. You add them to the reply - just like any other
attribute. It will work as long as freeradius has those attributes in the
vendor dictionary.

> 2. Generation of WiMAX Session keys

Read raddb/modules/wimax.

> 3. Support for MSCHAPv2 inner authentication ??

Is there by default.

> 4. Support for HA ??

Have a backup (secondary) radius server on standby. Any NAS should be able
to handle it.

Ivan Kalik
Kalik Informatika ISP
Freeradius for WiMAX Authentication
Hi All,

I was interested in knowing if we can use the Freeradius server for WiMAX
Authentication. Some of the additional features that would be required are:

1. Vendor Specific Attributes inclusion in the Radius Messages (I think
   some amount of this can be done now - but can you tell me how)
2. Generation of WiMAX Session keys
3. Support for MSCHAPv2 inner authentication ??
4. Support for HA ??

Where does the Freeradius server store the accounting records? Is it stored
as a raw file or is there some processing done by the server on these
records?

Has anyone used Free radius for WiMAX testing before? If so, can you give
me some pointers on how and what 'more' modifications are needed.

Thanks and Regards,
Kiran Kumar.B
WiMAX Test Engineer
Re: Re :checking authorization in the duration of connection
> Hi Arran
> I have trouble. Would you please send me codes?
> I don't know how those supporting adsl do it, when users are online during
> all the days and there is limitation on the traffic amount?
>
> It's possible even if the NAS doesn't support PoD, so long as the NAS
> supports the 802.1X mib, you should be able to fire off an SNMP-SET with
> the exec module and force re-authentication. All the required information
> is available in the Accounting Request the server just received.
>
> If you're really having trouble and ask nicely I'll write some example
> code.
>
> Arran

802.1x coding is not going to be of much use for adsl. What NAS are you
using? Does it support gigawords in accounting and does it have traffic
limiting VSAs?

Best thing to do is to create a traffic sqlcounter that will set the
session limit at the start of the session (at authentication) and use
methods explained in netexpertise article to keep collected traffic
information more realistic (in that scenario losing even one stop packet
for a session that lasted days would be quite bad).

Ivan Kalik
Kalik Informatika ISP