Re: How to configure FreeRadius as Captive Portal
On 13/03/12 21:41, Fabricio Flores wrote: Hello... I Have a question... Which captive portal is the best? I tried to configure in CentOS coovachilli and is very hard to install and configuring... Grase Hotspot is easier? Grase Hotspot uses Coova Chilli internally, but does the work of setting everything up for you. It uses Debian/Ubuntu based distributions as it makes use of packaging features to do all the hard configuration work. The admin interface is (in my biased opinion) nice and easy to use. Tim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to configure FreeRadius as Captive Portal
On 13/03/12 07:33, ulislam.raihan wrote: 192.168.2.X. I am planing to write a small module in Java . Whn a device attached to Access Point. It will get IP from192.168.1.X and all the request from this ip range will go to the java program. It will get the user name and password from the user and then do the authentication with the Radius server. Afrer authentication is done then the DHCP server will change IP address of the that device. Hi Raihan. I suggest you look at something like Coova Chilli. It uses a Radius server to authenticate users, but does the captive portal. You can use any access point with it, and it'll run fine on the same machine as Freeradius. I don't suggest reinventing the wheel if you can avoid it. If you are totally new to radius/captive portals etc, I suggest checking out the Grase Hotspot project, all you need is a machine with 2 network cards, install a base debian or ubuntu distro, and then install the Grase Hotspot packages on top. It'll setup the Freeradius for you, with Coova Chilli and a nice admin interface. Tim Dislaimer: The Grase Hotspot is my project, there are other hotspot systems out there with Freeradius and Coova Chilli, but some are hard to setup. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using freeRadius with OTP and gateway
Hi Mercier What it sounds like you are trying to do, needs more than just the radius server to do it. One of the features I'm writing for the Grase Hotspot (which uses Coova Chilli and Freeradius), is the ability for the user to create an account based on their mobile number. It goes a bit like this. User is presented with a form that allows them to enter a "username" which has to be their mobile number. The form is submitted to a php script, which then creates a user in the radius tables (SQL) with the username as their mobile number, and generates them a random password. The same php script then sends that random password via a sms gateway to the users mobile phone (confirming that the number is correct and the user has possession of it). The user is then presented with a normal login form, which they can use the mobile number, and the password they received as a sms, to login which is handled via normal Coova Chilli and Radius. What you could do, is again, using a php script, generate the OTP and create the user in a special temporary table with the OTP and a password (maybe the user sets the password as well). Then, the user sends the OTP to the special number, and waits. When the SMS arrives at the special number, it would need to trigger a script somehow (not sure how you receive your SMS as all the gateways I use are for sending only), which would then confirm the OTP from the temporary table, if it is valid then we create the user with the password specified in the table, and then the user can login. I'm assuming though, what you want to do, sounds like 2 different things. Firstly you want the Radius server to create a user when there is no user known. For this, you are going to need a script that does it. I prefer an external script, but you could use rlm_perl or similar to do it. The seconds half of what you are doing, sounds like using OTP's for the user. There are a few ways to do this, but normally the user ether has an application (i.e. smartphone, or security token dongle thing) that is pre-authorised with codes to assist with generating the time based OTP's. Or, a list of use once passwords that the server also has, to be used in order. Or, as most banks around here do, sending a sms to the authorised phone number of the user, so the user uses that instead of their normal password. I hope that is clear. You probably need to do 2 different things to get the solution you want. Tim On 07/03/12 22:56, Mercier Valentin wrote: Hi everyone, I'm using Freeradius 2.1.12 on a server Debian. I have an another server Debian with Coovachilli (captive portal) and an Access Point based on Ruckus OS. When my users connected on the AP, a web page is coming with a formular to connect. Then the user enter is information (username and password) and Coovachilli made the authentication on the radius and this is working fine. Now I want to make something different, when the user connected on the AP, I want that he received a little formular, then he need to enter a username (not know on the radius) and i want the radius to create a One Time Password and send it to the user (on an another webpage). And the user send this OTP via SMS to a smsm gateway to finish the authentication, is that possible, and if yes, could someone explain to me how I can make it ? For the gateway sms I am using SMSLib (java library) on the *same* server as freeradius. Best regards and sorry for my bad english (from switzerland). -- Mercier Valentin - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Translation of Reply Messages
I'm wondering if anyone has worked out some way to translate reply messages easily? I'm guessing I probably need to make this happen on the GUI side of my application (Grase Hotspot), but what do other people do in a multi language environment? Thanks Tim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: User maanger for Freeradius users
On 06/03/12 20:15, Javier Ruiz Escalante wrote: Good morning, I have my freeradius working with SQL but have no software to manage users. Anybody knows anything? It really depends on the use case. I write the Grase Hotspot interface for managing SQL users for a hotspot environment (although it could easily be used to manage users for other environments that just need simple login/expirys). There are plenty of other systems out there for managing the users, most are orientated towards a particular use case. Tim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Possible bug in rlm_sqlcounter examples
Following on from my previous email, I've checked an x86 machine as well, and get the same behaviour. Debug logs follow, the first being the initial login for the day, showing sqlcounter not finding an integer and hence returning noop. The second being after an initial login where a correct integer is returned. Can anyone else confirm that the example sqlcounter queries are at fault and that we need ether an IFNULL or COALESCE surrounding the SUM? I'll be updating the Grase Hotspot files, but I'm wondering if a change was made in rlm_sqlcounter in the last few months (year) that has caused it to treat NULL as NULL and not as 0, and hence the SQL queries need to be updated? Thanks Tim -- rlm_sqlcounter: Entering module authorize code sqlcounter_expand: 'SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '%{User-Name}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800'' [dailycounter] expand: SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '%{User-Name}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800' -> SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'timtest' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800' sqlcounter_expand: '%{sql:SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'timtest' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800'}' [dailycounter] sql_xlat [dailycounter] expand: %{User-Name} -> timtest [dailycounter] sql_set_user escaped user --> 'timtest' [dailycounter] expand: SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'timtest' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800' -> SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'timtest' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800' rlm_sql (sql): Reserving sql socket id: 3 [dailycounter] row[0] returned NULL rlm_sql (sql): Released sql socket id: 3 [dailycounter] expand: %{sql:SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'timtest' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800'} -> rlm_sqlcounter: No integer found in string "" ++[dailycounter] returns noop -- rlm_sqlcounter: Entering module authorize code sqlcounter_expand: 'SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '%{User-Name}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800'' [dailycounter] expand: SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '%{User-Name}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800' -> SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'timtest' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800' sqlcounter_expand: '%{sql:SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'timtest' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800'}' [dailycounter] sql_xlat [dailycounter] expand: %{User-Name} -> timtest [dailycounter] sql_set_user escaped user --> 'timtest' [dailycounter] expand: SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'timtest' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800' -> SELECT SUM(acctsessiontime - GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'timtest' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1329832800' rlm_sql (sql): Reserving sql socket id: 3 [dailycounter] sql_xlat finished rlm_sql (sql): Released sql socket id: 3 [dailycounter] expand: %{sql:SELECT SUM(acctsessiontime -
Possible bug in rlm_sqlcounter examples
Hi All. I am using the following SQL in sqlcounter for a MySQL database in the Grase Hotspot project, as part of daily/hourly/monthly counters. query = "SELECT SUM(acctsessiontime - \ GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \ FROM radacct WHERE username = '%{%k}' AND \ UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'" This is taken directly out of the examples that come with Freeradius, and is also in the Wiki. http://wiki.freeradius.org/Rlm_sqlcounter#Example+Setup Recently I was having problems where the first login for a day, wasn't being limited to it's daily limit. However, subsequent logins for they day were. So for example, if they had a 4 hour limit, and the first login went over 4 hours, it could keep going as Session-Limit was being returned by freeradius. However, all subsequent logins would return a valid Session-Limit (timeout?) or an access denied if they had gone over the daily limit. Some poking around showed that if there was no logins for that day, the above SQL will return NULL, which Freeradius complains about, something along the lines of there not being an integer in the results (I can't get the exact error message right now), and so the sqlcounter just passes through as noop. To solve the problem, I needed to use an IFNULL (or COALESCE) to return a 0 instead of NULL and then Freeradius sqlcounter returns the correct attributes. query = "SELECT COALESCE( SUM(acctsessiontime - \ GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) ) \ FROM radacct WHERE username = '%{%k}' AND \ UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'" This happens on the arm architecture, and so may be architecture dependent. A quick test on x86 MySQL shows it also returns NULL, however I've not had the chance to test how Freeradius interprets the NULL, as 0 or NULL. I will get out an x86 test machine shortly and test what Freeradius is returning. $ apt-cache policy freeradius freeradius: Installed: 2.1.10+dfsg-2 Debian 6.0.3 Linux Kernel 2.6.32 armv5tel Has anyone else run into this problem? Tim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can freeRadius do that?
I'm using freeradius, with CoovaChilli, and a Squid Proxy (to reduce internet traffic). Works a charm Tim Alan DeKok wrote: Guillaume Chartrand wrote: ... What I want to do is like many hotel in my country. The user open is laptop with wireless capability, is automaticly connected to the wireless network but if he want to use the internet connection, when he first run is browser, he’s automaticly redirect to an authentification page that ask him a username and a password. So is it freeradius who’s handle this or another software or combination of software. Like a freeradius server and a proxy or freeradius with third party software. See Chillispot or CoovaChilli. What you want is a "captive portal". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Expiration Value
The format isn't easily sortable or useable in a SQL compare operation. It also requires slightly more work to generate. The simple format of "-MM-DD HH:MM:SS" makes more sense to me. It is easily human readable, and is also easily machine readable, isn't locale or language dependent. Basically, it means that to do any operations on the table regarding the Expiration date, where I only want dates between a range, I have to get all dates, and sort them outside of SQL. I'm not sure if print.c is the right place for this, but I've not had a chance to look at the code. Tim Marinko Tarlac wrote: Well what problem do you have with this format? Best regards On Tue, Feb 26, 2008 at 10:21 AM, <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote: Hi, > Tim White wrote: > > Bummer. Does anyone know how to get a format that doesn't use Words > > (month Name)? > > Edit src/lib/print.c to print dates in a different format. Or, make a > suggestion for the format you like... hmm, a feature request? what variable in the config though? print_time ? print_time = human print_time = UTC print_time = unix ? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Expiration Value
Ivan Kalik wrote: The one you have there in the text. Bummer. Does anyone know how to get a format that doesn't use Words (month Name)? Thanks Tim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Expiration Value
So you maintain to instances of this value? Once in radcheck, and once in an external table? The first instance, in radcheck, what format do you have that in? Thanks Tim Ivan Kalik wrote: We don't do these checks on radius database at all. We have a billing database with users details which has value of this attribute in datetime format and checks are done there. Ivan Kalik Kalik Informatika ISP Dana 25/2/2008, "Tim White" <[EMAIL PROTECTED]> piše: I'm attempting to use Expiration to expire user accounts after a set time period. What format does the Date/Time (Value field) have to be? From what I can see it's in the format of "Monthname Day Year Hour:Min:Sec". So for example "March 24 2008 00:00:00". But it appears that in this format you can't use normal SQL datetime operators to see if it's expired (for example, to run a SQL query to remove all expired accounts). Can someone who has it working please let me know what format they use for Expiration value, and how they can use MySQL comparison operators with it? (Ether 2.0.2 or 1.1.7). Thanks Tim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Expiration Value
I'm attempting to use Expiration to expire user accounts after a set time period. What format does the Date/Time (Value field) have to be? From what I can see it's in the format of "Monthname Day Year Hour:Min:Sec". So for example "March 24 2008 00:00:00". But it appears that in this format you can't use normal SQL datetime operators to see if it's expired (for example, to run a SQL query to remove all expired accounts). Can someone who has it working please let me know what format they use for Expiration value, and how they can use MySQL comparison operators with it? (Ether 2.0.2 or 1.1.7). Thanks Tim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Changing Reply-Message for expired Password
Phil Mayers wrote: Tim White wrote: $ freeradius -v freeradius: FreeRADIUS Version 1.1.6, for host i486-pc-linux-gnu, built on Jun 8 2007 at 17:17:46 I'm using Freeradius, with MySQL (rlm_sql) as the backend for Coova Chilli (and it's JSON interface). Unfortunately, the reply-message when the password is expired, contains a newline at the end, which breaks chilli (due to the newline being in the JSON object, which breaks). Short of recompiling Freeradius with the newlines removed, is there an easier way to change this reply-message? Assuming you mean a radius Reply-Message attribute in the Access-Accept or Access-Reject, there are two possibilities: Yes 1. You have put the newline in yourself, either in files (/etc/raddb/users) or the SQL/LDAP/other lookup 2. It's in their accidentally I'm going to take a wild guess and say you forgot the closing " in /etc/raddb/users i.e. you have: DEFAULT Reply-Message = "there will be a newline here Firstly, I'm not using files at all, and as it's the Reply-Message for when a password has expired, it's not going to be in /etc/raddb/users anyway, as when a password has expired, the server replaces all the Reply-Message attributes with it's own. In this case, the one with the newline. As advised in the docs and on this mailing list daily, run the server in debug mode (-X) to see where the newline is actually coming from. I did that. I've now got the sources, and it appears to be in the src that the problem is. freeradius-1.1.7/src/main/auth.c:84 "Password Has Expired\r\n", Looking the the 2.0.2 sources, I see the same problem, except I understand seeing as this code is in rlm_expiration now, that it can be overridden in config files. freeradius-2.0.2/src/modules/rlm_expiration/rlm_expiration.c:54 NULL, "Password Has Expired\r\n"}, So from my quick look, is there no way to fix this in 1.1.7 without recompiling freeradius? If not, anyone know of a package for 2.0.2 for Ubuntu? Thanks Tim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Changing Reply-Message for expired Password
$ freeradius -v freeradius: FreeRADIUS Version 1.1.6, for host i486-pc-linux-gnu, built on Jun 8 2007 at 17:17:46 I'm using Freeradius, with MySQL (rlm_sql) as the backend for Coova Chilli (and it's JSON interface). Unfortunately, the reply-message when the password is expired, contains a newline at the end, which breaks chilli (due to the newline being in the JSON object, which breaks). Short of recompiling Freeradius with the newlines removed, is there an easier way to change this reply-message? It appears in some versions of FreeRadius there is a rlm_expiration module or something which allows it to be changed? If I have to upgrade manually (using Ubuntu Server), then I'm sure I can do that. But I'd rather not upgrade yet (seeing as everything other than that is work, so I don't want to break other stuff for a minor breakage). Thanks Tim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html