Re: help with DHCP server functionality
On Fri, Nov 2, 2012 at 3:19 AM, Duane Cox wrote:
> List:
>
> Hello. I have been working on this for a few days and have turned here
> for help.
>
> The server is listening on port 67 and when a DHCP packet comes in the
> server processes it, but in debug mode it gives an error "No Pool-Name
> defined".
>
> I have done some reading and I have added the following to the users
> file (for testing purposes).
>
> DEFAULT Pool-Name := main_pool
>         Fall-Through = Yes
>
> This doesn't seem to define the Pool-Name nor do I see where the server
> is processing any sql queries to determine the Pool-Name either.
>
> Am I mistaken? I thought that I could get a DHCP packet to be
> received/processed by the server and hand out a response.

My policy.conf has this:

    #
    # Assign compatibility data to request for sqlippool
    dhcp_sqlippool.post-auth {
            # Do some minor hacks to the request so that it looks
            # like a RADIUS request to the SQL IP Pool module.
            update control {
                    Pool-Name = "DHCP-default"
            }
            update request {
            # ...

and my sites-available/dhcp has additional instructions:

    #
    # * Create sqlippool table, if you haven't done so already.
    # * Import the schema (see sql/mysql/ipool.sql).
    # * Populate the records. At minimum each row must have
    #   Framed-IP-Address and Pool-Name = 'DHCP-default' (or whatever
    #   you set 'Pool-Name' to on policy.conf).
    # * If you want to use static IP allocation, create a row on
    #   radippool table with 'callingstationid' set to client's MAC
    #   address (e.g. '00:16:3E:02:15:6B') and expiry time far in the
    #   future (e.g. '3000-01-01 00:00:00').
    #

Try updating your policy.conf and follow that instruction. If that works
for you, I'll probably send a git pull request to update instructions in
the included config files.

-- 
Fajar

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
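Building on Fajar's instructions, the following is an added example (mine, not from the original posts or from the shipped FreeRADIUS files) that sets Pool-Name in the control list before dhcp_sqlippool runs. It goes one step beyond the single fixed "DHCP-default" by choosing the pool from the relay agent address, since the debug output in the original post shows a relayed Discover with DHCP-Gateway-IP-Address = 10.11.152.62 and a /26 subnet mask in the reply. The policy name dhcp_pool_select and the pool names are assumptions; every radippool row must carry a matching Pool-Name. Note also that the debug output shows the dhcp virtual server calling reply, mac2ip and the dhcp_sqlippool policy but never the files module, so an entry in the users file is not consulted in that virtual server at all.

```unlang
# policy.conf: added example, not part of the shipped file.
# Choose the pool from the relay that forwarded the request, so each
# relay/subnet hands out addresses from its own range.
dhcp_pool_select {
	switch "%{DHCP-Gateway-IP-Address}" {
		# Relayed requests from the relay seen in the debug output.
		# The pool name is an assumption.
		case "10.11.152.62" {
			update control {
				Pool-Name := "DHCP-10.11.152.0"
			}
		}
		# Everything else, including non-relayed requests, where
		# DHCP-Gateway-IP-Address is 0.0.0.0.
		case {
			update control {
				Pool-Name := "DHCP-default"
			}
		}
	}
}

# sites-available/dhcp: call the selector before the sqlippool policy.
server dhcp {
	dhcp DHCP-Discover {
		dhcp_pool_select
		dhcp_sqlippool.post-auth

		# Only send an offer if an address was actually allocated.
		# In the original debug the offer still went out, carrying
		# the address mac2ip had added, even though the pool lookup
		# returned noop. Returning noop here is the same code the
		# shipped dhcp_sqlippool policy returns on "No Pool-Name
		# defined"; check the comments in your own sites-available/dhcp
		# for how your version treats a noop section (assumed here to
		# suppress the reply).
		if (reply:DHCP-Your-IP-Address) {
			ok
		}
		else {
			noop
		}
	}

	dhcp DHCP-Request {
		dhcp_pool_select
		dhcp_sqlippool.post-auth
		if (reply:DHCP-Your-IP-Address) {
			ok
		}
		else {
			noop
		}
	}
}
```

Run radiusd -X and look for "update control" followed by the chosen Pool-Name in the DHCP-Discover section; the "No Pool-Name defined" line from dhcp_sqlippool should no longer appear, and the SQL queries against radippool should.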
Re: Bypass SQLIPPOOL via variable?
You can either use an unlang wrapper around the sqlippool to either skip it
or to call another sqlippool instance, or (and maybe better) define a
virtual-server instance for queries coming from openvpn and have a totally
different config for them (this keeps the server functionality isolated for
each use case... leading to sanity later on ;-) )

alan
help with DHCP server functionality
List:

Hello. I have been working on this for a few days and have turned here
for help.

The server is listening on port 67 and when a DHCP packet comes in the
server processes it, but in debug mode it gives an error "No Pool-Name
defined".

I have done some reading and I have added the following to the users
file (for testing purposes).

    DEFAULT Pool-Name := main_pool
            Fall-Through = Yes

This doesn't seem to define the Pool-Name nor do I see where the server
is processing any sql queries to determine the Pool-Name either.

Am I mistaken? I thought that I could get a DHCP packet to be
received/processed by the server and hand out a response.

Thanks in advance,
Duane Cox

debug:

    Received DHCP-Discover of id 9daef956 from 10.11.156.70:68 to 10.12.100.90:67
            DHCP-Opcode = Client-Message
            DHCP-Hardware-Type = Ethernet
            DHCP-Hardware-Address-Length = 6
            DHCP-Hop-Count = 1
            DHCP-Transaction-Id = 2645490006
            DHCP-Number-of-Seconds = 56
            DHCP-Flags = 0
            DHCP-Client-IP-Address = 0.0.0.0
            DHCP-Your-IP-Address = 0.0.0.0
            DHCP-Server-IP-Address = 0.0.0.0
            DHCP-Gateway-IP-Address = 10.11.152.62
            DHCP-Client-Hardware-Address = 00:d0:b7:c0:f6:8a
            DHCP-Message-Type = DHCP-Discover
            DHCP-Parameter-Request-List = DHCP-Subnet-Mask
            DHCP-Parameter-Request-List = DHCP-Broadcast-Address
            DHCP-Parameter-Request-List = DHCP-Time-Offset
            DHCP-Parameter-Request-List = DHCP-Router-Address
            DHCP-Parameter-Request-List = DHCP-Domain-Name
            DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
            DHCP-Parameter-Request-List = DHCP-Hostname
    server dhcp {
      Trying sub-section dhcp DHCP-Discover {...}
    +- entering group DHCP-Discover {...}
    ++[reply] returns noop
    ++[reply] returns noop
    [mac2ip] Added DHCP-Your-IP-Address: '10.11.152.1' to reply_items
    ++[mac2ip] returns ok
    ++- entering policy dhcp_sqlippool.post-auth {...}
            expand: DHCP-%{DHCP-Client-Hardware-Address} -> DHCP-00:d0:b7:c0:f6:8a
            expand: %{DHCP-Client-Hardware-Address} -> 00:d0:b7:c0:f6:8a
            expand: %{DHCP-Gateway-IP-Address} -> 10.11.152.62
            expand: %{%{DHCP-Gateway-IP-Address}:-127.0.0.1} -> 10.11.152.62
    +++[request] returns ok
    [dhcp_sqlippool] No Pool-Name defined.
    [dhcp_sqlippool]        expand: DHCP: No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) -> DHCP: No Pool-Name defined (did  cli 00:d0:b7:c0:f6:8a port  user DHCP-00:d0:b7:c0:f6:8a)
    DHCP: No Pool-Name defined (did  cli 00:d0:b7:c0:f6:8a port  user DHCP-00:d0:b7:c0:f6:8a)
    +++[dhcp_sqlippool] returns noop
    +++? if (ok)
    ? Evaluating (ok) -> FALSE
    +++? if (ok) -> FALSE
    ++- policy dhcp_sqlippool.post-auth returns noop
    ++[ok] returns ok
    } # server dhcp
            DHCP-Subnet-Mask = 255.255.255.192
            DHCP-Router-Address = 10.11.152.62
            DHCP-Domain-Name-Server = 4.2.2.1
            DHCP-IP-Address-Lease-Time = 86400
            DHCP-DHCP-Server-Identifier = 10.12.100.90
    Sending DHCP-Offer of id 9daef956 to 10.11.152.62:68
    Finished request 6.
    Cleaning up request 6 ID -1649477290 with timestamp +219
    Going to the next request
    Ready to process requests.
Re: Bypass SQLIPPOOL via variable?
Also, not wishing to drag this too much into the OpenVPN support group, but
you can make OpenVPN use "p2p mode" which will allocate IP addresses from a
/24 or greater, or you can assign individual IP addresses with a script.
Obviously, these are things to research in the OpenVPN configuration pages.

Regards,
-- 
Jon "The Nice Guy" Spriggs

On 1 November 2012 20:28, Blake Covarrubias wrote:
> On Nov 1, 2012, at 1:02 PM, bea...@gmail.com wrote:
>
>> If they are coming in as a "Virtual" connection, drop out of SQLIPPOOL and
>> just let freeradius auth the connection and then let OpenVPN use its
>> predefined IP pool which we will in turn NAT?
>
> This should be possible with a bit of unlang.
>
>     post-auth {
>             if (NAS-Port-Type != Virtual) {
>                     sqlippool
>             }
>     }
>
> Or something of the sort. 'man 5 unlang' for more info.
>
> --
> Blake Covarrubias
Re: Bypass SQLIPPOOL via variable?
On Nov 1, 2012, at 1:02 PM, bea...@gmail.com wrote:
> If they are coming in as a "Virtual" connection, drop out of SQLIPPOOL and
> just let freeradius auth the connection and then let OpenVPN use its
> predefined IP pool which we will in turn NAT?

This should be possible with a bit of unlang.

    post-auth {
            if (NAS-Port-Type != Virtual) {
                    sqlippool
            }
    }

Or something of the sort. 'man 5 unlang' for more info.

-- 
Blake Covarrubias
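The two suggestions in this thread, Alan's separate virtual server and Blake's unlang condition, fit together. Below is an added example (mine, not from the posts or from the shipped FreeRADIUS files) that steers requests from the OpenVPN host to its own virtual server with no sqlippool in it, and keeps Blake's condition in the shared server as a second line of defence. The client address, shared secret, module names and the name "openvpn" are assumptions. The security point of the virtual_server approach is that the decision is pinned to the client definition (source address plus shared secret) rather than to NAS-Port-Type, which is whatever the NAS chooses to send.

```unlang
# clients.conf: requests from the OpenVPN gateway (address assumed) go to
# their own virtual server, so the sqlippool config used by the other
# NASes never sees them.
client openvpn-gw {
	ipaddr = 192.0.2.10
	secret = replace-with-a-long-random-secret
	shortname = openvpn-gw
	virtual_server = openvpn
}

# sites-available/openvpn: a virtual server with no sqlippool at all.
# OpenVPN keeps allocating addresses from its own pool, which is then
# NATed as described in the question.
server openvpn {
	authorize {
		preprocess
		sql
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
	}
	post-auth {
		sql
		Post-Auth-Type REJECT {
			sql
		}
	}
	accounting {
		sql
	}
}

# sites-available/default: the shared server. Even if an OpenVPN request
# ever landed here (for example a client entry without virtual_server),
# skip the pool for "Virtual" ports, which is Blake's unlang above.
post-auth {
	if (NAS-Port-Type != Virtual) {
		sqlippool
	}
	sql
}
```

With radiusd -X, a request from 192.0.2.10 should show "server openvpn {" at the top of its processing and no sqlippool lines; a request from any other NAS should still show sqlippool being called.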
Re: Freeradius + OpenVPN Solution to Traffic Limitation
On Thu, Nov 1, 2012 at 9:39 PM, yegle wrote:
> A naive way would be, use OpenVPN's radiusplugin to authenticate user with a
> radius server.

Correct. That's the first part of openvpn-radius integration. Which works,
and still somewhat easy enough.

> Then you'll be able to run a crontab at a reasonable frequency to disable
> users who have used the quota already and reject new connection.

No need for that. That's what sqlcounter is for.

> If you need to kick users offline when that user used all quotas and still
> connecting, you may need to look into OpenVPN's management console.

This is probably the hardest part of the integration.

-- 
Fajar
Re: Freeradius + OpenVPN Solution to Traffic Limitation
A naive way would be, use OpenVPN's radiusplugin to authenticate users with a
radius server. On the server side, use MySQL as data backend. Then you'll be
able to run a crontab at a reasonable frequency to disable users who have
used the quota already and reject new connections.

If you need to kick users offline when that user has used all quotas and is
still connecting, you may need to look into OpenVPN's management console.

-- 
http://about.me/yegle

On Thursday, November 1, 2012 at 10:23, ToriTori wrote:
> I need to limit the monthly traffic of OpenVPN users on my server. Example:
> After a 50G/month traffic limitation has been reached, the server will
> disconnect and reject connections from that user for that period of time.
>
> Everything seems to point to Freeradius as the best solution! I'm just
> having problems finding any guidance to achieving this.. could someone please
> instruct?
>
> Thank you,
> Chiappa
Re: Freeradius + OpenVPN Solution to Traffic Limitation
On Thu, Nov 1, 2012 at 9:23 PM, ToriTori wrote:
> I need to limit the monthly traffic of OpenVPN users on my server. Example:
> After a 50G/month traffic limitation has been reached, the server will
> disconnect

I don't think openvpn has support for that.

> and reject connections from that user for that period of time.

Should be possible. Assuming you know enough to integrate openvpn with radius.

> Everything seems to point to Freeradius as the best solution! I'm just
> having problems finding any guidance to achieving this.. could someone please
> instruct?

On FR's side there's this:
http://wiki.freeradius.org/modules/Rlm_sqlcounter

That's the easy part. The "openvpn and radius integration" part is the hard
one, and I'm afraid you need to look elsewhere. Try openvpn list, or hire
someone with experience implementing this.

-- 
Fajar
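For the "reject new connections once 50G/month is used" half, which Fajar points at rlm_sqlcounter for, here is an added example (mine, not from the posts or the FreeRADIUS wiki) of a monthly traffic counter for a 2.x server with the SQL module writing accounting into radacct. The module instance name, the two local dictionary attributes and their numbers, and the placement in authorize are assumptions. One caveat a practitioner hits immediately: RADIUS integer attributes are 32-bit, so a limit of 50 GB in octets (53687091200) cannot be expressed; the query therefore counts in MiB and the limit is 51200.

```unlang
# raddb/dictionary: local attributes. The numbers are assumptions and must
# not collide with anything else in your dictionary.
ATTRIBUTE	Max-Monthly-Traffic	3003	integer
ATTRIBUTE	Monthly-Traffic-Left	3004	integer

# modules/sqlcounter (added example): input + output octets per user in the
# current calendar month, divided down to MiB so the value fits the 32-bit
# integer attribute.
sqlcounter monthlytrafficcounter {
	counter-name = Monthly-Traffic
	check-name = Max-Monthly-Traffic
	# Set explicitly so the remaining amount is returned in a local
	# attribute and not as a (meaningless) Session-Timeout.
	reply-name = Monthly-Traffic-Left
	sqlmod-inst = sql
	key = User-Name
	reset = monthly
	# %b expands to the start of the current reset period, %k to the key.
	query = "SELECT IFNULL(SUM(acctinputoctets + acctoutputoctets), 0) DIV 1048576 \
		FROM radacct WHERE username = '%{%k}' \
		AND UNIX_TIMESTAMP(acctstarttime) > '%b'"
}

# users file: 50 GiB = 51200 MiB per month as a check item for everyone
# not matched by an earlier entry.
DEFAULT	Max-Monthly-Traffic := 51200
	Fall-Through = Yes

# sites-available/default (or the virtual server that handles the OpenVPN
# gateway): run the counter in authorize, after the module that loads the
# user's check items, so an over-quota user is rejected at login.
authorize {
	preprocess
	files
	sql
	monthlytrafficcounter
	pap
}
```

Whether the counter is accurate depends entirely on the accounting side: if the OpenVPN plugin does not send Acct-Input-Octets/Acct-Output-Octets in its Stop (and ideally Interim-Update) packets, radacct has nothing to sum and the quota is never reached. Check with radiusd -X that the Stop packets carry those attributes before relying on this.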
Re: Freeradius + OpenVPN Solution to Traffic Limitation
ToriTori wrote:
> I need to limit the monthly traffic of OpenVPN users on my server. Example:
> After a 50G/month traffic limitation has been reached, the server will
> disconnect and reject connections from that user for that period of time.
>
> Everything seems to point out to Freeradius as the best solution! I'm just
> having problems finding any guidance to achieving this.. could someone please
> instruct?

Well, FreeRADIUS does RADIUS. OpenVPN does VPN, including traffic limits.

You may be able to use RADIUS to tell OpenVPN to limit traffic. But this
requires:

a) configuring OpenVPN to do RADIUS authentication
b) configuring FreeRADIUS to authenticate the OpenVPN users
c) configuring FreeRADIUS to send back the attributes needed by OpenVPN

For the last step, you'll need to consult the OpenVPN documentation for
which attributes are required / supported.

Alan DeKok.
Freeradius + OpenVPN Solution to Traffic Limitation
I need to limit the monthly traffic of OpenVPN users on my server. Example:
After a 50G/month traffic limitation has been reached, the server will
disconnect and reject connections from that user for that period of time.

Everything seems to point out to Freeradius as the best solution! I'm just
having problems finding any guidance to achieving this.. could someone please
instruct?

Thank you,
Chiappa
Re: rlm_eap_ttls: Cannot tunnel EAP-Type/ttls inside of TTLS
Thanks, Matt - that trick did allow radiusd to complete loading and run! I
still have to tweak the proxy.conf file, and I'm crossing my fingers that
authentication will work as smoothly as it does on the already running
server, but at least radiusd now responds to authentication requests.

Thank you,
Darren
ECPI Western Broadband

-----Original Message-----
Date: Wed, 31 Oct 2012 21:32:00 +
From: Matthew Newton
To: FreeRadius users mailing list
Subject: Re: rlm_eap_ttls: Cannot tunnel EAP-Type/ttls inside of TTLS
Message-ID: <20121031213200.gd6...@rootmail.cc.le.ac.uk>
Content-Type: text/plain; charset=us-ascii

On Wed, Oct 31, 2012 at 03:55:29PM -0500, Darren Shea wrote:
> rlm_eap: Loaded and initialized type tls
>  ttls: default_eap_type = "ttls"
>  ttls: copy_request_to_tunnel = yes
>  ttls: use_tunneled_reply = yes
> rlm_eap_ttls: Cannot tunnel EAP-Type/ttls inside of TTLS
> rlm_eap: Failed to initialize type ttls
...
>  Module: Linked to sub-module rlm_eap_ttls
>  Module: Instantiating eap-ttls
>   ttls {
>    default_eap_type = "ttls"

Try setting that to something other than "ttls". For instance, "mschapv2",
to match your PEAP section.

Cheers,

Matthew

-- 
Matthew Newton, Ph.D.
Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253,
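The setting Matthew identifies, shown against its corrected form, as an added example (mine, not Darren's actual eap.conf). default_eap_type inside ttls {} names the EAP method to run inside the TTLS tunnel; "ttls" there asks the module to tunnel TTLS inside TTLS, which it refuses at start-up with exactly the "Cannot tunnel EAP-Type/ttls inside of TTLS" line from the debug. The virtual_server = "inner-tunnel" lines and the tls {} contents are assumptions taken from the usual 2.x layout; the outer default_eap_type and the two copy/use settings match what Darren's output shows.

```unlang
# eap.conf (added example). The outer default_eap_type picks TTLS for
# clients that do not ask for a method; the inner one must be a method
# that can run inside the tunnel.
eap {
	default_eap_type = ttls
	timer_expire = 60
	ignore_unknown_eap_types = no
	max_sessions = 4096

	tls {
		# Certificate, key, CA and DH settings exactly as in the
		# already-working server; nothing here changes for this fix.
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
	}

	ttls {
		# Broken: the inner method cannot be TTLS itself.
		#default_eap_type = ttls

		# Fixed: run EAP-MSCHAPv2 inside the tunnel, matching the
		# PEAP section so both outer methods end up at the same
		# inner authentication.
		default_eap_type = mschapv2
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}

	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}

	# The inner method must itself be enabled, or the tunnel has
	# nothing to hand the inner EAP exchange to.
	mschapv2 {
	}
}
```

After the change, radiusd -X should print "rlm_eap: Loaded and initialized type ttls" instead of "Failed to initialize type ttls". Since use_tunneled_reply = yes copies attributes from the inner reply (such as VLAN assignments) into the outer Access-Accept, make sure the inner-tunnel virtual server only returns attributes you actually want the NAS to see.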
Re: User-Name (machine\user) is not the same as MS-CHAP Name (user) from EAP-MSCHAPv2 error
On 01/11/12 11:22, Gokhan Gunyol wrote:
> Hi;
>
> We upgraded our radius to Freeradius 2.1.10 version on Ubuntu 32bit from an
> old version

Which old version?

> Our problem is windows xp clients can't login to wireless and radius has
> "User-Name (machine\user) is not the same as MS-CHAP Name (user) from
> EAP-MSCHAPv2" error messages

Ok.

> At the old version freeradius at exactly same configuration clients had not
> any problem

The mschap code has had some changes over the years. This might be one of them.

> You can find debug log export at below

This is an incomplete debug. It doesn't show the error message you refer to.
Where is it?