Enable Volume Based Accounting

2010-03-18 Thread Teguh Kurniawan
Hi,
How do I enable traffic volume based accounting on freeradius?
Thanks

Teguh
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Clients Configuration on MySQL

2010-03-18 Thread Teguh Kurniawan
It's working. Thank you.

Teguh

On Thu, Mar 18, 2010 at 6:33 PM, Alan Buxey  wrote:
> Hi,
>
>> Could we move clients.conf to mysql table ?
>
> yes.
>
>> How to do that ?
>
> it's well documented but basically, you need to
>
>
> 1) import the nas.sql so that your MySQL has the right table/structure
> 2) edit mysql/dialup.conf and make sure that nas_query is not commented
>
>
> finally, edit sql.conf. Right near the bottom you will find this:
>
>        # Set to 'yes' to read radius clients from the database ('nas' table)
>        # Clients will ONLY be read on server startup.  For performance
>        # and security reasons, finding clients via SQL queries CANNOT
>        # be done "live" while the server is running.
>        #
>        #readclients = yes
>
> read the text, then uncomment readclients.
>
>
> if you DO want new clients to work without restarting the service, then
> enable the dynamic-clients virtual host.  read the dynamic-clients config
> well - it makes pretty good sense and is trivial to operate.
>
> alan


Re: Max Query Length Exceeded and Field Truncated

2010-03-18 Thread Robert Gabriel
On 18 March 2010 19:07, Alan DeKok  wrote:
> Robert Gabriel wrote:
>> Hello all,
>>
>> Our network had some change somewhere and now all MySQL insert queries
>> are failing
> >> with the last field being truncated and the character count is always
>> 4097 from the CDRs
>
>  What does that mean?  What's a "character count"?
>
>> been sent by our NAS (Acme Packet SBC).
>>
>> Having looked at the source we see:
>>
>> src/modules/rlm_sql/conf.h
>> src/modules/rlm_sql/rlm_sql.c
>>
>>  /* SQL defines */
>>  #define MAX_QUERY_LEN                        4096
>>  #define SQL_LOCK_LEN                 MAX_QUERY_LEN
>>
>> I'm not sure here, can we just increase to 8192 etc. or is this being stupid?
>> Can I edit the above and recompile?
>
>  Yes.  But I fail to see why the SQL queries are huge.  There's really
> no reason for this.
>
>> MySQL log (shortened for brevity's sake):
>>
>> INSERT into accounting (AcctStatusType, AcctTerminateCause,
>> CalledStationId, NASIdentifier, h323setuptime, h323connecttime,
>> h323disconnecttime, h323disconnectcause) values ('0', '0', '0', '0',
>> '0', '0', '0', 'sip:0738063...@h
>
>  Think a bit: that line looks truncated, but there is NO WAY it's 4K in
> size.
>
>  Something else is going on.  Find out what, and fix it.
>
>  Alan DeKok.

Alan, I don't appreciate your harsh response. One comes to these lists
for help, not scorn and ridicule.

Character count meaning the below, and as stated above (IT WAS
SHORTENED FOR BREVITY'S SAKE) so I didn't take up the whole post with
log lines; surely now we can see it is 4KB in size (so it's 4096 bytes less
the semicolon, my mistake).

Am I thinking a bit?

$> wc -c "INSERT into accounting (AcctStatusType, AcctTerminateCause,
CalledStationId, NASIdentifier, h323setuptime, h323connecttime,
h323disconnecttime, h323disconnectcause, SessionGenericId,
FlowID_FS1_F, FlowType_FS1_F, SessionIngressCallId,
SessionEgressCallId, FlowInRealm_FS1_F, FlowInSrcAddr_FS1_F,
FlowInSrcPort_FS1_F, FlowInDstAddr_FS1_F, FlowInDstPort_FS1_F,
FlowOutRealm_FS1_F, FlowOutSrcAddr_FS1_F, FlowOutSrcPort_FS1_F,
FlowOutDstAddr_FS1_F, FlowOutDstPort_FS1_F, CallingOctets_FS1,
CallingPackets_FS1, CallingRTCPPacketsLost_FS1,
CallingRTCPAvgJitter_FS1, CallingRTCPAvgLatency_FS1,
CallingRTCPMaxJitter_FS1, CallingRTCPMaxLatency_FS1,
CallingRTPPacketsLost_FS1, CallingRTPAvgJitter_FS1,
CallingRTPMaxJitter_FS1, SessionIngressRealm, SessionEgressRealm,
SessionProtocolType, CalledOctets_FS1, CalledPackets_FS1,
CalledRTCPPacketsLost_FS1, CalledRTCPAvgJitter_FS1,
CalledRTCPAvgLatency_FS1, CalledRTCPMaxJitter_FS1,
CalledRTCPMaxLatency_FS1, CalledRTPPacketsLost_FS1,
CalledRTPAvgJitter_FS1, CalledRTPMaxJitter_FS1, SessionChargingVector,
SessionChargingFunction_Address, FirmwareVersion, LocalTimeZone,
PostDialDelay, CDRSequenceNumber, SessionDisposition,
DisconnectInitiator, DisconnectCause, Intermediate_Time,
PrimaryRoutingNumber, OriginatingTrunkGroup, TerminatingTrunkGroup,
OriginatingTrunkContext, TerminatingTrunkContext, PAssertedID,
SIPDiversion, SIPStatus, IngressLocalAddr, IngressRemoteAddr,
EgressLocalAddr, EgressRemoteAddr, FlowID_FS1_R, FlowType_FS1_R,
FlowInRealm_FS1_R, FlowInSrcAddr_FS1_R, FlowInSrcPort_FS1_R,
FlowInDstAddr_FS1_R, FlowInDstPort_FS1_R, FlowOutRealm_FS1_R,
FlowOutSrcAddr_FS1_R, FlowOutSrcPort_FS1_R, FlowOutDstAddr_FS1_R,
FlowOutDstPort_FS1_R, FlowID_FS2_F, FlowType_FS2_F, FlowInRealm_FS2_F,
FlowInSrcAddr_FS2_F, FlowInSrcPort_FS2_F, FlowInDstAddr_FS2_F,
FlowInDstPort_FS2_F, FlowOutRealm_FS2_F, FlowOutSrcAddr_FS2_F,
FlowOutSrcPort_FS2_F, FlowOutDstAddr_FS2_F, FlowOutDstPort_FS2_F,
CallingOctets_FS2, CallingPackets_FS2, CallingRTCPPacketsLost_FS2,
CallingRTCPAvgJitter_FS2, CallingRTCPAvgLatency_FS2,
CallingRTCPMaxJitter_FS2, CallingRTCPMaxLatency_FS2,
CallingRTPPacketsLost_FS2, CallingRTPAvgJitter_FS2,
CallingRTPMaxJitter_FS2, FlowID_FS2_R, FlowType_FS2_R,
FlowInRealm_FS2_R, FlowInSrcAddr_FS2_R, FlowInSrcPort_FS2_R,
FlowInDstAddr_FS2_R, FlowInDstPort_FS2_R, FlowOutRealm_FS2_R,
FlowOutSrcAddr_FS2_R, FlowOutSrcPort_FS2_R, FlowOutDstAddr_FS2_R,
FlowOutDstPort_FS2_R, CalledOctets_FS2, CalledPackets_FS2,
CalledRTCPPacketsLost_FS2, CalledRTCPAvgJitter_FS2,
CalledRTCPAvgLatency_FS2, CalledRTCPMaxJitter_FS2,
CalledRTCPMaxLatency_FS2, CalledRTPPacketsLost_FS2,
CalledRTPAvgJitter_FS2, CalledRTPMaxJitter_FS2,
EgressFinalRoutingNumber ) values ('Stop', 'User-Request',
'', 'acmepacket', '14:47:22.831
GMT+2 MAR 12 2010', '14:47:36.670 GMT+2 MAR 12 2010', '14:50:10.179
GMT+2 MAR 12 2010', '1', '', 'localhost:652024', 'G729',
'310075-3477386742-88...@nextone-msw.mydomain.com',
'310075-3477386742-88...@nextone-msw.mydomain.com', 'oscar_telecom',
'196.31.63.118', '15826', '172.28.18.226', '12450', 'QUESCFARM',
'10.0.64.10', '18334', '10.0.32.8', '11252', '624088', '7956', '72',
'215', '1784', '263', '2045', '41', '0', '45', 'oscar_telecom',
'QUESCFARM', 'SIP', '623574', '7945', '52', '3', '873', '4', '

Re: Freeradius and COA

2010-03-18 Thread Alan DeKok
Johan Meiring wrote:
> 1) For originating a COA packet, is it possible to trigger it from
> rlm_perl.
> i.e. cause an "update coa".

  Not really.

> 2) For receiving a COA packet.  How can I "process" it.  I see that when
> perl instantiates, it claims it will use two functions, send_coa and
> recv_coa.  In what section must I put perl for it to call the functions?

  The recv_coa && send_coa sections.

> I've created a listen section for CoA.  Freeradius receives it, but "does
> nothing" and simply sends back an ack.

  Yup.  The example CoA server was missed in 2.1.8.  See:

http://github.com/alandekok/freeradius-server/blob/master/raddb/sites-available/coa

  Alan DeKok.


Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-18 Thread John
I attached the captured packets. Please open them with Wireshark.
The password from OD is “”.  It is neither a cleartext password nor an
encrypted password.


--- On Thu, 18 Mar 2010, John wrote:


From: John
Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
To: "FreeRadius users mailing list"
Date: Thu, 18 Mar 2010, 7:01 PM







I configured the LDAP module to talk to Open Directory; based on the debug it looks
like the password is fetched from OD, but the authentication always fails. Is there
any guide for integrating freeRADIUS+ldap+OD?
I set up freeRADIUS to talk to OpenLDAP and it works well.  Can OD return a cleartext
password like OpenLDAP does?

John.

--- On Mon, 15 Mar 2010, Alan DeKok wrote:


From: Alan DeKok
Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
To: "FreeRadius users mailing list"
Date: Mon, 15 Mar 2010, 12:59 PM


John wrote:
> Hello,
> We want to set up freeRADIUS with Peap/MSCHAPv2 talking to Apple Open
> Directory. I found this option 'use_open_directory'. But it looks like we need
> to install freeRADIUS on the same machine as Open
> Directory. (https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html)
>  
> Do we have to run freeRADIUS on the same machine with OpenDirectory?

  Yes.

> Is there a work-around so that we can run freeRADIUS separate from OpenDirectory?

  OpenDirectory is an LDAP server.  Configure that way in FreeRADIUS.
It might work.

  Alan DeKok.

 
-Attachment content below-




  

ODldap.pcap
Description: Binary data

Freeradius and COA

2010-03-18 Thread Johan Meiring

Hi,

I am trying to figure out how to use the CoA functionality in Freeradius.

I have two separate questions.


1) For originating a COA packet, is it possible to trigger it from rlm_perl.
i.e. cause an "update coa".


2) For receiving a COA packet.  How can I "process" it.  I see that when 
perl instantiates, it claims it will use two functions, send_coa and 
recv_coa.  In what section must I put perl for it to call the functions?


I've created a listen section for CoA.  Freeradius receives it, but "does 
nothing" and simply sends back an ack.



Hope this makes sense...

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: TLS/SSL Error?

2010-03-18 Thread Alan DeKok
Mike Diggins wrote:
> I just recently enabled a WPA SSID on our wireless network. PEAP with
> MSCHAP V2 is the EAP method. As far as I know it's working correctly
> (from all my test clients anyway), but I have seen a number of these
> messages logged (FreeRadius 2.1.3) and I don't know where they're coming
> from. My Free radius server has a Thawte Certificate installed. I'm not
> sure what the message means?
> 
> Mar 18 15:01:01 rad01 radiusd[8452]: TLS Alert read:fatal:unknown CA

  The client is connecting with a certificate that is unknown to the
RADIUS server.

  i.e. blame the client.

  Alan DeKok.


Re: Unresponsive child for request

2010-03-18 Thread Alan DeKok
Mark Jones wrote:
> I am getting this error in my logs and I understand it is likely due to
> an issue with sql but was wondering what the criteria for this error to
> be generated is.
> 
> Error: WARNING: Unresponsive child for request 271737, in module sqlzuul
> component accounting
> 
> Basically I assume an SQL query is sent and if there is no response in
> x seconds this error is generated.

  Yes.

  Go fix the SQL DB.  It should NOT take 5-10s to do a query.

  Alan DeKok.


Re: Limit Bandwidth

2010-03-18 Thread Alexandre Chapellon
On Thursday 18 March 2010 at 17:27 +0800, sugiarto tjahyono wrote:
> Sorry if this topic already posted or on wrong forum
> 
> 
> How can we set the speed if the user is already over quota, i.e. on the first
> day of the month they get 1Mbps bandwidth, and after spending 1Gig the speed
> decreases to 512Kbps until the end of the month, without turning off the modem
> and re-authenticating.
> 
> 
> is that possible?

If your NAS supports it, you could use CoA based on events triggered by
interim update tickets.


RE: Unresponsive child for request

2010-03-18 Thread Gary Gatten
I wish resolving "unresponsive child" errors was as simple as posting to a msg 
board or reading a man page

-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Mark Jones
Sent: Thursday, March 18, 2010 3:03 PM
To: FreeRadius users mailing list
Subject: Unresponsive child for request 

I am getting this error in my logs and I understand it is likely due to an 
issue with sql but was wondering what the criteria for this error to be 
generated is.

Error: WARNING: Unresponsive child for request 271737, in module sqlzuul 
component accounting

Basically I assume an SQL query is sent and if there is no response in x 
seconds this error is generated.

Or am I completly wrong here?

Mark Jones



Unresponsive child for request

2010-03-18 Thread Mark Jones
I am getting this error in my logs and I understand it is likely due to an 
issue with sql but was wondering what the criteria for this error to be 
generated is.


Error: WARNING: Unresponsive child for request 271737, in module sqlzuul 
component accounting


Basically I assume an SQL query is sent and if there is no response in x 
seconds this error is generated.


Or am I completely wrong here?

Mark Jones



TLS/SSL Error?

2010-03-18 Thread Mike Diggins
I just recently enabled a WPA SSID on our wireless network. PEAP with
MSCHAP V2 is the EAP method. As far as I know it's working correctly
(from all my test clients anyway), but I have seen a number of these
messages logged (FreeRadius 2.1.3) and I don't know where they're coming
from. My Free radius server has a Thawte Certificate installed. I'm not
sure what the message means?

Mar 18 15:01:01 rad01 radiusd[8452]: TLS Alert read:fatal:unknown CA

Mar 18 15:01:01 rad01 radiusd[8452]: TLS_accept:failed in SSLv3 read
client certificate A

Mar 18 15:01:01 rad01 radiusd[8452]: rlm_eap: SSL error
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

-Mike

Re: Limit Bandwidth

2010-03-18 Thread Коньков Евгений
Hello, sugiarto.

just change speed limiting rule in your firewall

You wrote on 18 March 2010 at 11:27:20:

Sorry if this topic already posted or on wrong forum

How can we set the speed if the user is already over quota, i.e. on the first day of the month they get 1Mbps bandwidth, and after spending 1Gig the speed decreases to 512Kbps until the end of the month, without turning off the modem and re-authenticating.

is that possible?













-- 
Regards,
 Коньков                          mailto:kes-...@yandex.ru




Re: Max Query Length Exceeded and Field Truncated

2010-03-18 Thread Alan DeKok
Robert Gabriel wrote:
> Hello all,
> 
> Our network had some change somewhere and now all MySQL insert queries
> are failing
> with the last field being truncated and the character count is always
> 4097 from the CDRs

  What does that mean?  What's a "character count"?

> been sent by our NAS (Acme Packet SBC).
> 
> Having looked at the source we see:
> 
> src/modules/rlm_sql/conf.h
> src/modules/rlm_sql/rlm_sql.c
> 
>  /* SQL defines */
>  #define MAX_QUERY_LEN  4096
>  #define SQL_LOCK_LEN   MAX_QUERY_LEN
> 
> I'm not sure here, can we just increase to 8192 etc. or is this being stupid?
> Can I edit the above and recompile?

  Yes.  But I fail to see why the SQL queries are huge.  There's really
no reason for this.

> MySQL log (shortened for brevity's sake):
> 
> INSERT into accounting (AcctStatusType, AcctTerminateCause,
> CalledStationId, NASIdentifier, h323setuptime, h323connecttime,
> h323disconnecttime, h323disconnectcause) values ('0', '0', '0', '0',
> '0', '0', '0', 'sip:0738063...@h

  Think a bit: that line looks truncated, but there is NO WAY it's 4K in
size.

  Something else is going on.  Find out what, and fix it.

  Alan DeKok.


Max Query Length Exceeded and Field Truncated

2010-03-18 Thread Robert Gabriel
Hello all,

Our network had some change somewhere and now all MySQL insert queries
are failing,
with the last field being truncated and the character count is always
4097 from the CDRs
being sent by our NAS (Acme Packet SBC).

Having looked at the source we see:

src/modules/rlm_sql/conf.h
src/modules/rlm_sql/rlm_sql.c

 /* SQL defines */
 #define MAX_QUERY_LEN  4096
 #define SQL_LOCK_LEN   MAX_QUERY_LEN

I'm not sure here, can we just increase to 8192 etc. or is this being stupid?
Can I edit the above and recompile?

Unfortunately we are running FreeRADIUS 1.1.7 and yes, everyone must
be screaming upgrade!
Linux klio 2.6.24-21-server #1 SMP Wed Oct 22 00:18:13 UTC 2008 i686 GNU/Linux.
MySQL 5.0.51a-3ubuntu5.4-log.

I've looked at the above files in 2.1.8 and the values are the same.
Does this mean an upgrade will not fix this?
The RADIUS RFC says a maximum length of 4096, is this what we are
breaking or something else?

Please advise as to the best solution.



FreeRADIUS log:

Wed Mar 17 16:10:50 2010 : Error: rlm_sql_mysql: MySQL error 'You have
an error in your SQL syntax; check the manual that corresponds to y
our MySQL server version for the right syntax to use near
''sip:0827355...@hugetipjhb01' at line 1'

MySQL log (shortened for brevity's sake):

INSERT into accounting (AcctStatusType, AcctTerminateCause,
CalledStationId, NASIdentifier, h323setuptime, h323connecttime,
h323disconnecttime, h323disconnectcause) values ('0', '0', '0', '0',
'0', '0', '0', 'sip:0738063...@h


From the FreeRADIUS SQL trace (shortened for brevity's sake):

INSERT into accounting (AcctStatusType, AcctTerminateCause,
CalledStationId, NASIdentifier, h323setuptime, h323connecttime,
h323disconnecttime, h323disconnectcause,  CallingRTCPMaxLatency_FS1,
CallingRTPPacketsLost_FS1, CallingRTPAvgJitter_FS1,
CallingRTPMaxJitter_FS1, SessionIngressRealm, SessionEgressRealm,
SessionProtocolType) values ('196.31.63.118', '15830', '0', '0', '0',
'0', '0', '0', '0', '0', '0', '0', 'sip:0823246912@;


MAC based Vlan problem

2010-03-18 Thread Dr.Peer-Joachim Koch
Hi,

we're using freeradius to switch different computers into various
vlans on our switches. We had a working configuration for
freeradius 1.x, but with 2.1.6 (running on SLES) this configuration
behaves differently.
We're including a file looking like this:
---
# VLAN 14
#
#
DEFAULT
Tunnel-Private-Group-ID = 14,
Foundry-802_1x-enable = 0,
Fall-Through = 1
#
aaabbbcccddd User-Password == "aaabbbcccddd"

# VLAN 15
#
#
DEFAULT
Tunnel-Private-Group-ID = 15,
Foundry-802_1x-enable = 0,
Fall-Through = 1
#
bbbcccdddaaa User-Password == "bbbcccdddaaa"

---


On the new freeradius *all* valid mac addresses are
getting the vlan Tunnel-Private-Group-ID from the
first statement. All other vlan ids are ignored.

The advantage was to group all MACs according to the vlan-id.
Now you have to add all settings to each MAC.


Is there a way to group the mac addresses with one header ?
-- 
Bye,
Peer
_
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str. 10    Telefon: ++49 3641 57-6705
D-07745 Jena          Telefax: ++49 3641 57-7705

Re: debug only for rlm_xxx (rlm_perl)

2010-03-18 Thread bitte

Hi Doug,

I will try this.
But - without my patch, the compile goes OK.

Thanks 

Thomas.

On Wed, 17 Mar 2010 15:15:20 -0700, Doug Hardie  wrote:
> Only one of those errors references the code you added.  There should
> have been a line in my earlier email like:
> 
>   struct stat sb;
> 
> The other errors indicate a problem with the normal build includes.  How
> did you try and rebuild it?  I suspect there is a way to just rebuild
> rlm_perl, but I haven't tried to do that on version 2.  I suspect you
> may need to rebuild the entire freeradius.
> 



Re: /usr/local/sbin/radiusd -X problem

2010-03-18 Thread Alan Buxey
Hi,

> > The same Problem I am getting My Solaris Servers while starting the radius
> > server. How can I fix this .
> >
> > can U give me detailed explanation.

the output is fairly obvious:

> >> /usr/local/etc/raddb/certs/bootstrap: make: not found
> >> /usr/local/etc/raddb/certs/bootstrap: openssl: not found
> >> Exec-Program output:
> >> Exec-Program: returned: 1
> >> rlm_eap: Failed to initialize type tls

(then it fails... because the EAP section is broken)


okay - you need to have certificates to use EAP. if you
haven't already installed a CA and a server cert into the
correct place (read eap.conf file!) then you probably
also haven't uncommented the 'bootstrap' line.  this line
tells the server to make a 'snake oil' CA and server cert
(for testing purposes!).

as you don't appear to have the right tools installed... eg 'make'
and 'openssl', this fails. to fix this either

1) install development environment and openssl tools or
2) put a server cert and CA cert onto the system and disable
the bootstrap command

alan


Re: Clients Configuration on MySQL

2010-03-18 Thread Alan Buxey
Hi,

> Could we move clients.conf to mysql table ?

yes.

> How to do that ?

it's well documented but basically, you need to


1) import the nas.sql so that your MySQL has the right table/structure
2) edit mysql/dialup.conf and make sure that nas_query is not commented


finally, edit sql.conf. Right near the bottom you will find this:

# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.  For performance
# and security reasons, finding clients via SQL queries CANNOT
# be done "live" while the server is running.
#
#readclients = yes

read the text, then uncomment readclients.


if you DO want new clients to work without restarting the service, then
enable the dynamic-clients virtual host.  read the dynamic-clients config
well - it makes pretty good sense and is trivial to operate.

alan


Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2010-03-18 Thread John
I configured the LDAP module to talk to Open Directory; based on the debug it looks
like the password is fetched from OD, but the authentication always fails. Is there
any guide for integrating freeRADIUS+ldap+OD?
I set up freeRADIUS to talk to OpenLDAP and it works well.  Can OD return a cleartext
password like OpenLDAP does?

John.

--- On Mon, 15 Mar 2010, Alan DeKok wrote:


From: Alan DeKok
Subject: Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory
To: "FreeRadius users mailing list"
Date: Mon, 15 Mar 2010, 12:59 PM


John wrote:
> Hello,
> We want to set up freeRADIUS with Peap/MSCHAPv2 talking to Apple Open
> Directory. I found this option 'use_open_directory'. But it looks like we need
> to install freeRADIUS on the same machine as Open
> Directory. (https://lists.freeradius.org/pipermail/freeradius-users/2010-February/msg00307.html)
>  
> Do we have to run freeRADIUS on the same machine with OpenDirectory?

  Yes.

> Is there a work-around so that we can run freeRADIUS separate from OpenDirectory?

  OpenDirectory is an LDAP server.  Configure that way in FreeRADIUS.
It might work.

  Alan DeKok.

Re: Limit Bandwidth

2010-03-18 Thread Mihamina Rakotomandimby
> sugiarto tjahyono  :
> How can we set the speed if the user is already over quota, i.e. on the first
> day of the month they get 1Mbps bandwidth, and after spending 1Gig the speed
> decreases to 512Kbps until the end of the month, without turning off the modem
> and re-authenticating.
> 
> is that possible?

That is possible.
But with the little explanation you provided, it's a bit complicated, and
my idea goes to something like "SQLCounter".

-- 
   Architecte Informatique chez Blueline/Gulfsat:
Administration Systeme, Recherche & Developpement
+261 34 29 155 34 / +261 33 11 207 36


Re: freeradius and vlan assignment

2010-03-18 Thread omega bk
I couldn't imagine it would be so simple.
I'll try that next time.


thank u


2010/3/18 Bob Brandt 

> In the users file do this:
>
> DEFAULT Ldap-Group == "cn=InsideGroup,o=Base"
> Reply-Message = "Your a member of the Inside Group",
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Type = VLAN,
> Tunnel-Private-Group-ID = 11,
> Fall-Through = No
>
> DEFAULT Auth-Type == "LDAP"
> Reply-Message = "You did not match a LDAP Group",
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Type = VLAN,
> Tunnel-Private-Group-ID = 99
>
> All members of the InsideGroup will get the first group of attributes and
> the FreeRadius will stop looking.
> Everyone else who authenticated through LDAP will get the second group of
> attributes.
>
> Bob
>
> On Thu, Mar 18, 2010 at 8:59 AM, omega bk  wrote:
>
>> hi,
>>
>> assume that the switch does not support the "auth-fail" and has 2 vlan (
>> vlan inside and vlan outside ), is it possible in the users file to put a
>> condition like:
>>
>> if (user belong to Ldap-group=inside)
>> assign to vlan = inside
>> else
>> assign to vlan = outside
>>
>> is that possible ?
>>
>>
>> thanks
>>
>>
>>
>>
>
>
>
> --
> The problem with socialism is that you eventually run out of other people's
> money.  -  Margaret Thatcher
>
>

Re: framed-ip-address based on nas-ip-address

2010-03-18 Thread power159
I have read doc/rlm_sql many times but I am unable to find any solution.

Adding Fall-Through in radreply for the user or radgroupreply for groups doesn't
help ..
I even tried to use huntgroups, but same result ..

It works only when the user is a member of one group .. I mean if I add the user
to a second group it's not working any more and sqlippool is not processing !
It doesn't matter whether the group checks match or not ..

It seems there is something wrong when a user is a member of 2 groups,
because it's checking none of them when the user is in more than 1 group.

Re: /usr/local/sbin/radiusd -X problem

2010-03-18 Thread Bob Brandt
I'm not anything even approaching an expert, but it looks like you don't
have your certs setup properly or the file paths are pointing to the wrong
place.

Bob

On Thu, Mar 18, 2010 at 6:13 AM, gmani  wrote:

>
>
>
> gmani wrote:
> >
> > The same Problem I am getting My Solaris Servers while starting the
> radius
> > server. How can I fix this .
> >
> > can U give me detailed explanation.
> >
> >> /usr/local/etc/raddb/certs/bootstrap: make: not found
> >> /usr/local/etc/raddb/certs/bootstrap: openssl: not found
> >> Exec-Program output:
> >> Exec-Program: returned: 1
> >> rlm_eap: Failed to initialize type tls
> >> /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
> >> /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find
> >> module "eap".
> >> /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing
> >> authenticate section.
> >> Errors initializing modules
> >>
> >>
> >> plz hlp me out
> >>
> >>
> >>
> >
> >
>
>
-- 
The problem with socialism is that you eventually run out of other people's
money.  -  Margaret Thatcher

Re: freeradius and vlan assignment

2010-03-18 Thread Bob Brandt
In the users file do this:

DEFAULT Ldap-Group == "cn=InsideGroup,o=Base"
Reply-Message = "Your a member of the Inside Group",
Tunnel-Medium-Type = IEEE-802,
Tunnel-Type = VLAN,
Tunnel-Private-Group-ID = 11,
Fall-Through = No

DEFAULT Auth-Type == "LDAP"
Reply-Message = "You did not match a LDAP Group",
Tunnel-Medium-Type = IEEE-802,
Tunnel-Type = VLAN,
Tunnel-Private-Group-ID = 99

All members of the InsideGroup will get the first group of attributes and
FreeRadius will stop looking.
Everyone else who authenticated through LDAP will get the second group of
attributes.

Bob

On Thu, Mar 18, 2010 at 8:59 AM, omega bk  wrote:

> hi,
>
> assume that the switch does not support the "auth-fail" and has 2 vlan (
> vlan inside and vlan outside ), is it possible in the users file to put a
> condition like:
>
> if (user belong to Ldap-group=inside)
> assign to vlan = inside
> else
> assign to vlan = outside
>
> is that possible ?
>
>
> thanks
>
>
>
>



-- 
The problem with socialism is that you eventually run out of other people's
money.  -  Margaret Thatcher
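Added illustration (not code from either thread or from FreeRADIUS): a small Python model of how a `users` file is walked, fed with Bob's LDAP-group entries above and Peer's MAC-grouped entries from the "MAC based Vlan problem" thread earlier on this page, both re-indented as constructed input. It shows the operator point behind both threads: a reply item with `=` is added only if the attribute is not already present, so once the first DEFAULT has added `Tunnel-Private-Group-ID = 14` and fallen through, the second DEFAULT's `= 15` is ignored, whereas `:=` replaces it; Bob's `Fall-Through = No` simply stops at the first match. Assumptions: Ldap-Group is treated as a plain request attribute and password verification is not modelled.

```python
import re
from typing import Dict, List, Tuple

# Attribute, operator, then either a quoted value or a bare value up to a comma.
_ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*(?:"([^"]*)"|([^,]+))')

# Peer's MAC-keyed file from the thread, re-indented as the real file is
# (reply items indented under their entry); the list archive had flattened it.
MAC_VLAN_USERS = """\
# VLAN 14
DEFAULT
\tTunnel-Private-Group-ID = 14,
\tFoundry-802_1x-enable = 0,
\tFall-Through = 1
aaabbbcccddd User-Password == "aaabbbcccddd"
# VLAN 15
DEFAULT
\tTunnel-Private-Group-ID = 15,
\tFoundry-802_1x-enable = 0,
\tFall-Through = 1
bbbcccdddaaa User-Password == "bbbcccdddaaa"
"""

# Bob's LDAP-group file from the other thread, likewise re-indented.
LDAP_VLAN_USERS = """\
DEFAULT Ldap-Group == "cn=InsideGroup,o=Base"
\tReply-Message = "Your a member of the Inside Group",
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Type = VLAN,
\tTunnel-Private-Group-ID = 11,
\tFall-Through = No
DEFAULT Auth-Type == "LDAP"
\tReply-Message = "You did not match a LDAP Group",
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Type = VLAN,
\tTunnel-Private-Group-ID = 99
"""


def parse_items(text: str) -> List[Tuple[str, str, str]]:
    """Split 'Attr op value, Attr op value' into (attribute, operator, value)."""
    return [(m.group(1), m.group(2),
             m.group(3) if m.group(3) is not None else m.group(4).strip())
            for m in _ITEM.finditer(text)]


def parse_users(text: str) -> list:
    """Unindented lines start an entry (name plus check items); indented lines
    carry that entry's reply items; '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1][2].extend(parse_items(line))
        else:
            parts = line.split(None, 1)
            entries.append((parts[0], parse_items(parts[1]) if len(parts) > 1 else [], []))
    return entries


def evaluate(entries: list, request: Dict[str, str]) -> Dict[str, str]:
    """Walk entries top to bottom as FreeRADIUS does and return the reply items.
    Only '==' check items are modelled, Ldap-Group is a plain request attribute
    here, and password verification is not modelled."""
    reply: Dict[str, str] = {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not all(op == "==" and request.get(a) == v for a, op, v in checks):
            continue
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("1", "yes", "on", "true")
            elif op == ":=":
                reply[attr] = value            # always set, replacing any earlier value
            else:
                reply.setdefault(attr, value)  # '=' adds only if not already present
        if not fall_through:
            break                              # first match wins unless Fall-Through
    return reply


def with_override_operator(users_text: str) -> str:
    """Rewrite the VLAN reply item to ':=' so a later DEFAULT can replace it."""
    return users_text.replace("Tunnel-Private-Group-ID =", "Tunnel-Private-Group-ID :=")


def vlan_for_mac(mac: str, users_text: str = MAC_VLAN_USERS) -> str:
    """VLAN handed out when the switch sends the MAC as both name and password."""
    reply = evaluate(parse_users(users_text), {"User-Name": mac, "User-Password": mac})
    return reply.get("Tunnel-Private-Group-ID", "")


def vlan_for_ldap_user(user: str, group_dn: str) -> str:
    """VLAN handed out by Bob's file for an LDAP-authenticated user in group_dn."""
    request = {"User-Name": user, "Auth-Type": "LDAP", "Ldap-Group": group_dn}
    return evaluate(parse_users(LDAP_VLAN_USERS), request).get("Tunnel-Private-Group-ID", "")
```

Calling `vlan_for_mac("bbbcccdddaaa")` on the file as posted returns 14, while the same call on `with_override_operator(MAC_VLAN_USERS)` returns 15.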

Re: framed-ip-address based on nas-ip-address

2010-03-18 Thread Fajar A. Nugraha
On Thu, Mar 18, 2010 at 2:21 PM, power159  wrote:
> the only problem that I have is if the user is a member of 2 groups .
> freeradius is processing none of them ! even if both are matching ! but if I
> remove one of the groups it's working without any problem ! and assigning ip from
> ip pool


> +----------+-----------+----------+
> | username | groupname | priority |
> +----------+-----------+----------+
> | test1    | group1    |        0 |
> | test1    | group2    |        0 |
> +----------+-----------+----------+

See doc/rlm_sql

in particular, I think the priority should be different. Also if you
want both groups processed, you might need Fall-Through.

-- 
Fajar



Limit Bandwidth

2010-03-18 Thread sugiarto tjahyono
Sorry if this topic already posted or on wrong forum

How can we set the speed if the user is already over quota, i.e. on the first day of
the month they get 1Mbps bandwidth, and after spending 1Gig the speed decreases to
512Kbps until the end of the month, without turning off the modem and re-authenticating.

is that possible?



freeradius and vlan assignment

2010-03-18 Thread omega bk
Hi,

Assume that the switch does not support "auth-fail" and has 2 VLANs
(vlan inside and vlan outside). Is it possible in the users file to put a
condition like:

if (user belongs to Ldap-group=inside)
    assign to vlan = inside
else
    assign to vlan = outside

Is that possible?


thanks
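One way to write the condition above in the users file, added here as an example; it is not from the original post or from any reply. It assumes FreeRADIUS 2.x with the ldap module configured (the Ldap-Group check item is supplied by rlm_ldap) and uses the VLAN names "inside" and "outside" from the question; whether Tunnel-Private-Group-Id must carry a VLAN name or a numeric VLAN ID depends on the switch.

```text
# Added example, not from the original post. Assumes rlm_ldap is configured
# so that the Ldap-Group check item works, and that the switch accepts VLAN
# names in Tunnel-Private-Group-Id (many want the numeric VLAN ID instead).

# Members of the LDAP group "inside": the first entry whose check items
# match wins, and processing stops here because there is no Fall-Through.
DEFAULT	Ldap-Group == "inside"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "inside"

# Everyone else: no check items, so this entry matches every user the
# Ldap-Group check above did not.
DEFAULT
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "outside"
```

Reply items only go out in an Access-Accept, so a user who fails authentication still gets an Access-Reject rather than the outside VLAN; the second entry is simply the default for every authenticated user who is not in the inside group. Check both paths with radiusd -X, using one test account in the group and one outside it.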

Re: Talking to Windows 2003 AD

2010-03-18 Thread Iain Grant
Thanks, Alan.

The double '==' in the ntlm_auth command was the culprit. Things are
working today.
P.S. I had already stripped the usernames and verified the password, so
that was fine.

Iain Grant
Linux System Administrator
Scottish Crop Research Institute

Date: Wed, 17 Mar 2010 17:23:37 +
From: Alan Buxey
Subject: Re: Talking to Windows 2003 AD
To: FreeRadius users mailing list
Message-ID: <20100317172337.ga16...@lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii

Hi,

> Now when I go to the next step and enable this in /etc/raddb/modules/mschap
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>     --username==%{%{Stripped-User-Name}:-%{User-Name:-None}}
>     --domain=%{%{mschap:NT-Domain}:-OURDOMAIN}
>     --challenge=%{mschap:Challenge:-00}
>     --nt-response=%{mschap:NT-Response:-00}"

radiusd -X

and show us at least that bit where that command is called.

You have 2 == in your command. Is that intentional? You are allowing
usernames that haven't been sanitised or are blank (none) - is that
intentional?

alan



framed-ip-address based on nas-ip-address

2010-03-18 Thread power159
Hi,
As there was a mistake in my previous email's title, and as I have made big
improvements in working on my problem, I am sending a new email. As I said
in the previous email, I want to configure freeradius to reply with different
Framed-IP-Addresses based on the NAS servers.

I found the following email in the archive, which helped a lot:
http://lists.cistron.nl/pipermail/freeradius-users/2009-January/msg00630.html

The only problem that I have is if a user is a member of 2 groups:
freeradius is processing none of them! Even if both are matching! But if I
remove one of the groups it's working without any problem, and assigning an IP
from the IP pool.

read-groups is on.

Here are my tables:

select * from radcheck;
+----+----------+---------------+----+--------+
| id | username | attribute     | op | value  |
+----+----------+---------------+----+--------+
|  4 | test1    | User-Password | := | 123456 |
+----+----------+---------------+----+--------+


select * from radgroupcheck;
+----+-----------+----------------+----+-------------+
| id | groupname | attribute      | op | value       |
+----+-----------+----------------+----+-------------+
|  1 | group1    | Nas-IP-Address | == | 192.168.1.5 |
|  2 | group1    | Pool-Name      | := | pool1       |
|  3 | group2    | Nas-IP-Address | == | 192.168.1.6 |
|  4 | group2    | Pool-Name      | := | pool2       |
+----+-----------+----------------+----+-------------+


select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| test1    | group1    |        0 |
| test1    | group2    |        0 |
+----------+-----------+----------+


select * from radippool;
+----+-----------+-----------------+--------------+-----------------+------------------+-------------+----------+----------+
| id | pool_name | framedipaddress | nasipaddress | calledstationid | callingstationid | expiry_time | username | pool_key |
+----+-----------+-----------------+--------------+-----------------+------------------+-------------+----------+----------+
|  1 | pool1     | 90.90.90.1      |              |                 |                  | NULL        |          | 0        |
|  2 | pool1     | 90.90.90.2      |              |                 |                  | NULL        |          |          |
|  5 | pool2     | 91.90.90.1      |              |                 |                  | NULL        |          | 0        |
|  6 | pool2     | 91.90.90.2      |              |                 |                  | NULL        |          |          |
+----+-----------+-----------------+--------------+-----------------+------------------+-------------+----------+----------+