Re: Freeradius Mysql Performance
On Sat, Jan 28, 2012 at 3:03 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> What?? You don't need that kind of hardware for job, sure. Throwing that kind of horsepower might fix the speed but this is a DBA question. Look at your mysql configuration and see how it can be adjusted (my.cnf) look at the engine in use and see if you can use better..(eg innodb instead of myisam), look at an alternative SQL eg postgres. Look at your usage of sql with freeradius, eg the radius tables. What indexes are present what do you need , what do you not need? Can you divide the work? Use one server for one table or task and the other another...eg simple queries can be done against a passive slave server...
>
> alan

Hi,

Sorry to pick into this with a short question. Just wondering, do you see performance increase using postgres instead of mysql? I would rather think the opposite, but must admit that I'm no db expert and have not much experience with postgres.

Kind regards,
Yves

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius Mysql Performance
On Sun, Jan 29, 2012 at 11:36 AM, Alan DeKok al...@deployingradius.com wrote:

> YvesDM wrote:
> > Just wondering, do you see performance increase using postgres instead of mysql?
>
> Yes. MySQL can be higher performance than older versions of PostGreSQL, if you don't do database writes. Newer versions of Postgres have similar performance to MySQL, with the benefit of allowing writes.
>
> i.e. the MyISAM driver is fast but unsafe. The InnoDB is slower but safe. Postgres has the best of both.
>
> > I would rather think the opposite, but must admit that I'm no db expert and have not much experience with postgres.
>
> The main reason to use MySQL is familiarity. That, and MySQL cluster. For most normal systems, Postgresql is a better choice.
>
> Alan DeKok.

Ok Alan, I will not immediately change the whole thing (indeed familiarity and we have no issues with our tuned mysql so far), but I will sure keep this post in mind. Thx for the clear up.

Yves
Re: Accounting not working
On Tue, Jan 3, 2012 at 4:44 PM, John Corps env...@gmail.com wrote:

> Hello All,
>
> I have 4 servers setup exactly the same at 4 different locations. Each server is using the exact same configs and is working perfectly well doing what I want it to do. The only issue I have is at the 1 location, I am not getting any accounting requests and therefore nothing is being updated in the radacct table. Starting radiusd in debug mode -X shows that its listening for accounting requests the exact same as the 3 other locations, just no accounting requests are coming through. Is there any way to do a test to see if its even listening and working at all? I have been racking my brain over this the last few days, checking switch and router configs etc but that is all the same as the other 3 locations as well, everything is the same at all 4 locations, just this one location isn't doing the accounting.
>
> Any help would be great :) Thanks.

Hi,

Is port 1813 open to the server?

Kr
Yves
Re: freeradius first hour free ???
On Mon, Dec 26, 2011 at 4:31 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> Fairly easy to do, especially with a recent version (ie 2.x) of freeradius
>
> alan

Correct. Or simply forget about pfsense and use Mikrotik as NAS which has hotspot trial time included as a default option.

kr,
Yves
Re: Quota based on time with squid
On Fri, Oct 21, 2011 at 9:07 PM, Alan DeKok al...@deployingradius.com wrote:

> > I need to assign quota to squid users based on the weekly/hourly basis. I need users radius server to return packet reject when time is expired. is it possible in radius?
>
> Yes. See the counter module, or the sqlcounter module. The main issue is that they require the NAS to send accounting packets. I don't know if squid does that.

Yes it does. There are many configuration examples available on the net.

Kind regards,
Yves
Re: Dynamic Attributes Based on NAS Type !
That's also the way we do it.

On Sat, Oct 8, 2011 at 7:48 PM, Michael Hartwick hartw...@hartwick.com wrote:

> It may not be pretty, but why not just send all 3 sets of VSA’s. If the NAS doesn’t recognize it won’t it just ignore the attribute?
dynamic clients
Hi,

I try to configure dynamic clients on FR2.1.8. I use as good as default configuration in my testing. Somehow it always looks at FreeRADIUS-Client-Virtual-Server = something even the dynamic_client_server is defined in client dynamic. As I understand it right, it shouldn't look at that directive as long as dynamic_client_server is defined in client dynamic. On the other hand debugs shows the nas (192.168.2.47) was added.

# Define a network where clients may be dynamically defined.
client dynamic {
        ipaddr = 192.168.2.0
        netmask = 24
        dynamic_clients = dynamic_client_server
        lifetime = 86400
}

configuration of dynamic_client_server is default, so untouched. I'm sure I'm doing something wrong, but have no idea, any pointers? thx

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.47 port 2056, id=29, length=310
server dynamic_client_server {
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
} # server dynamic_client_server
 - Added client 192.168.2.47 with shared secret testing123
rad_recv: Access-Request packet from host 192.168.2.47 port 2056, id=29, length=310
        ChilliSpot-Version = 1.0.13-svn
        User-Name = test
        User-Password = test
        NAS-IP-Address = 192.168.2.47
        Service-Type = Login-User
        Framed-IP-Address = 10.0.1.1
        Calling-Station-Id = 1C-4B-D6-6E-EB-83
        Called-Station-Id = 00-1C-10-91-5A-11
        NAS-Identifier = siTEST
        Acct-Session-Id = 4e22be2d0001
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        WISPr-Location-ID = isocc=,cc=,ac=,network=SI,SI
        WISPr-Location-Name = SI_Hotspot
        WISPr-Logoff-URL = http://10.0.0.1:3660/logoff;
        Message-Authenticator = 0x2ccd7c5de5d37864d350617fc6d3f8f0
server something {
No such virtual server something
} # server something
Using Post-Auth-Type Reject
No such virtual server something
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 29 to 192.168.2.47 port 2056
Waking up in 4.9 seconds.
Cleaning up request 0 ID 29 with timestamp +7
Ready to process requests.
Re: Problem with rml_sqlcounter with GigaByte datavolume
On Mon, Jun 6, 2011 at 1:24 PM, Hanno Schupp hanno.sch...@gmail.com wrote:

> Thank you for this reply. I thought the limitation might come from the wrapping around 4.3 GB due to the limitations of a 32bit system with 2147483648 being the highest signed and 4294967296 being the highest unsigned number. 1705032704 is then exactly the difference to 6GB, after the system wrapped at 4.29GB. I requote the log:
>
> Sat Jun 4 23:10:21 2011 : Debug: rlm_sqlcounter: Rejected user lapzel14, check_item=1705032704, counter=2147513300
>
> Exactly the 1705032704 one would expect based on highest 32bit unsigned integer.
>
> Now here is my problem: Why does it wrap at 32Bit, if the system is a x64 server? Does not make a lot of sense to me. Also, the FAQ is containing instructions how to deal with gigawords in terms of the sql statements that handle the calculation of the counter value. And as this is implemented, the counter value is not the problem here – it is the check_item value that as I understand is based on my configuration, taken straight out of the radcheck table.
>
> I am sorry, but this sounds like a limitation/bug of the standard system, that could be overcome. After all, if it can be resolved with custom perl code as I understand you suggest, why should the standard system not be able to handle data limits larger than 4.29GB out of the box? Or am I missing something?
>
> Alan, can you enlighten us on this issue?
>
> Regards
> Hanno

You confuse gigawords storage in the database coming from acct updates/stop packets of the nas with the reply from sqlcounter. FR is capable of saving gigawords in the database when a nas is sending them, that's not the problem. But, the sqlcounter's code was never changed to reply gigawords to the nas. Check the C code and you will see.

Kind regards
Y.
Re: Problem with rml_sqlcounter with GigaByte datavolume
On Sun, Jun 5, 2011 at 1:22 AM, Hanno Schupp hanno.sch...@gmail.com wrote:

> Dear All,
>
> can I ask for some pointers please. in my FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu (Ubuntu LTS 10.04) installation I have followed the Gigabyte instructions on the FreeRADIUS wiki's FAQ http://wiki.freeradius.org/FAQ#Why+do+Acct-Input-Octets+and+Acct-Output-Octets+wrap+at+4+GB%3F. The Usage is calculated correctly, but the check_item value is not what I expect to see (1.7 GB as opposed to 6GB set in radcheck). I understand how the system determines the counter value and it is correctly calculated, but where does the check_item value of 1.7GB come from? I have no idea to be truthful.

Sqlcounter also wraps at 4GB in its reply. Your 6GB is actually 5722.045 MB, then wraps at 4GB so 1,7GB left and this is replied ;-)

As far as I know there's no integrated solution to this unless you change the source code. Most people solve this by using rlm_perl if I'm not mistaken. Make your perl calculate and reply gigawords + remaining bytes when values are 4GB

Ps Make sure your coova-chilli is equal or 1.0.13, else it won't understand gigawords replies

Kind regards,
Y.
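Added example (not part of the original posts, and not FreeRADIUS or rlm_sqlcounter code): a Python illustration of the 32-bit wrap discussed in the two sqlcounter threads above, and of splitting a remaining quota into a gigawords/octets pair as the reply suggests doing in rlm_perl. The attribute names, function names and sample session rows are assumptions; the 6 GB limit and the counter value are the ones quoted in the thread.

```python
# Added example. Attribute names below are placeholders (assumptions): use
# whatever limit attributes the NAS dictionary actually defines.
MAX_GIGAWORDS_ATTR = "Example-Max-Total-Gigawords"
MAX_OCTETS_ATTR = "Example-Max-Total-Octets"

UINT32 = 1 << 32  # a RADIUS integer attribute carries 32 unsigned bits


def wrap32(value):
    """Value left over when a larger number is stored in a 32-bit attribute."""
    return value & (UINT32 - 1)


def join64(octets, gigawords=0):
    """Rebuild a 64-bit byte count from an Octets/Gigawords pair."""
    if not (0 <= octets < UINT32 and 0 <= gigawords < UINT32):
        raise ValueError("octets and gigawords must each fit in 32 bits")
    return (gigawords << 32) | octets


def split64(value):
    """Split a 64-bit byte count into (gigawords, octets)."""
    if not 0 <= value < (1 << 64):
        raise ValueError("value must fit in 64 bits")
    return value >> 32, value & (UINT32 - 1)


def usage_from_sessions(sessions):
    """Sum per-session (octets, gigawords) accounting pairs into one total."""
    return sum(join64(octets, gigawords) for octets, gigawords in sessions)


def truncated_check(limit, used):
    """Model of the behaviour in the quoted log line: the limit is cut to
    32 bits before the comparison. Returns remaining bytes, or None to reject."""
    check_item = wrap32(limit)
    if used >= check_item:
        return None
    return check_item - used


def quota_reply(limit, used):
    """64-bit clean check. Returns reply attributes, or None to reject.
    Both attributes are always sent, so a remainder that is an exact
    multiple of 4 GiB is not mistaken for an octets value of 0."""
    if used >= limit:
        return None
    gigawords, octets = split64(limit - used)
    return {MAX_GIGAWORDS_ATTR: gigawords, MAX_OCTETS_ATTR: octets}


if __name__ == "__main__":
    limit = 6_000_000_000  # the "6GB" radcheck value from the thread
    used = 2147513300      # counter value from the quoted log line
    print("limit seen through 32 bits:", wrap32(limit))
    print("truncated check:", truncated_check(limit, used))
    print("64-bit check:   ", quota_reply(limit, used))
    # Constructed sample rows: (octets, gigawords) per closed session.
    rows = [(1705032704, 1), (100, 0)]
    print("usage from rows:", usage_from_sessions(rows))
```
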
Re: How to configure freeradius client?
On Fri, May 6, 2011 at 5:01 PM, Meyer Jerome jerome.me...@iwbtelekom.ch wrote:

> Thanks for reply!
>
> > Meyer Jerome wrote:
> > > # radiusd -v
> >
> > What about radiusd -X, as suggested in the FAQ, README, man page, web pages, and daily on this list?
>
> Should the client start the radiusd daemon too?
>
> > > radclient: no response from server for ID 120 socket 3
> > > 1) I don’t know what’s the NAS-IP-Address?
> > > 2) I don’t find any right document about „how to configure the client“?
> >
> > See raddb/clients.conf.
>
> This file it is on the server to check which clients will be connected! Is it on the client too? Because the client should connect to the server and not the reverse!
>
> > > 3) How should I configure the client? Should some deamon to be start?
> >
> > This is documented.
>
> You means on the MAN pages?
>
> > Alan DeKok.
>
> Jérôme Meyer

Jérome,

Please, before alan freaks out :-), read the documentation. (the wiki is a nice place to start) The things you're saying clearly show that you don't understand the concept at all.

Kind regards
Y
Re: Simple Guest user web front end for FreeRADIUS
On Fri, Apr 8, 2011 at 9:50 PM, u...@3.am wrote:

> On my client's wifi network, we are authenticating staff users via FreeRADIUS against the corporate LDAP database. I've created a new SSID/WLAN with an IP pool that I've restricted through router ACLs that we want to deploy for temporary guest users. I can set up a new FreeRADIUS server (I've done many of those) backend for this, but am unfamiliar with 2 things that will be different here, which are:
>
> 1) A Web front end for a clerical type to enter in temporary accounts to FreeRADIUS. I imagine there must be a simple php interface for some sort of Internet cafe type of use. I'd prefer as simple as possible (ie, flat file), but would be fine if MySQL is the way to go for account info storage. I know I COULD put together a FreeRADIUS and OpenLDAP server with something like a webmin front end, but that seems overkill to me.
>
> 2) Some sort of automatic password generator for above...not absolutely necessary, but would be nice.
>
> I would imagine this wheel has already been invented, so if anybody could point me in the right direction, it would be appreciated. Thanks!

1. You can simply use m0n0wall / Pfsense, it has all voucher/ user accounts stuff and a GUI onboard, so you don't even need to use radius if you think it's overkill for this particular situation.
2. Why setup an extra radius server if you have one?
3. There are many frontends available, dialup admin, daloradius, Yfi (aka hotcakes), dma softlab radius manager, etc

kind regards,
Y
Re: sqlcounter returning Gigawords?
On Fri, Apr 1, 2011 at 10:40 AM, Alan DeKok al...@deployingradius.com wrote:

> The latest version has rlm_expr, which is 64-bit clean. You can use it to split the counters into 32-bit pieces.
>
> Alan DeKok.

Tnx Alan, will check it out.
sqlcounter returning Gigawords?
Hi,

We're about to upgrade our radius which is still running 1.1.7. We use monthly datalimits so we patched the sqlcounter in order to make it reply max 4GB of left quota (to avoid wrapping), even if the user still has 10GB quota left. Of course this results in a logged out user when he reaches a session of 4GB. As general datatraffic increases we would like to avoid this in our new radius setup.

In the newest version, is there a way to reply gigawords from sqlcounter? If not, is there another solution to this?

Many thx.
Yves
Re: Radius Groups / Profiles
On Sat, Feb 5, 2011 at 7:16 AM, npayne npa...@g-host.co.za wrote:

> I have installed freeradius with daloRadius. I have then created a group / profile to cut off after using a certain amount of data. I have the following problem. It does not cut the user off when the limit was reached but it will reject the user when he/she tries to log in again. The DB only gets updated with the used octets once the users logs off. How do I get the session to be terminated when the max octets is reached?
>
> Thanks
> Neill

1. You need to use sql counter (if you don't do already)
2. Use the Acct-Interim-Interval attribute in the reply to update accounting every x seconds.

kind regards
Yves
Re: Automatically Generating Expiration - Freeradius 2.1.9 / mysql 5.1 / dialup admin
On Wed, Nov 24, 2010 at 7:50 AM, mikal m...@atceast.com wrote:

> What I'm trying to do is enable a non-technical person to create temporary, guest like accounts using the dialup admin interface. The accounts will be created as needed, they need to expire within a predetermined time frame(s) and I'm trying to avoid asking the person creating the accounts to be entering Expiration. So how would I approach having the Expiration field auto populated based on the account creation date/time and a predetermined account lifetime? For instance, creation date/time + 12-hours, or date + 1-day.
>
> Thanks in advance for any guidance.

Why don't you simply write some kind of small webif in php to do this? It's easy to predefine values and just add them to the database when a non-technical person presses a button or something like it. (you could even add multiple timeframes in a dropdownbox or so) With a little coding you could even integrate such a page in the existing dialup admin if this is desired.

I would not use expiration also, but some no-resetting sql counter. You will also need to find a way to auto-delete expired accounts.

Just my 2cents.
Re: Beginner Question: Hotspot Login Failed
On Thu, Sep 9, 2010 at 8:01 PM, Sean Wingert se...@norris-stevens.com wrote:

> Thanks to Alan and Stephen, I am closer to a solution. I realized the scrambled password was due to hotspotlogin.php (I need to study Chillispot more), so for now I commented out its uamsecret line, which -- although it still fails on the 123 account -- provides different output in debugging mode:

You should not uncomment the uamsecret line, but configure it the same in your hotspotlogin.php and your nas (read:chillispot)

Kind regards
Yves
Re: Ubuntu OpenSSL
On Tue, Jun 15, 2010 at 6:49 PM, David Peterson dav...@wirelessconnections.net wrote:

> I know there is probably something easy I am missing but I cannot for the life of me get FR to compile with OpenSSL for EAP-TTLS support. Are there any how-to’s on getting Ubuntu to compile OpenSSL support into FR2.1.9
>
> David Peterson

Strange, I had no issues compiling it on debian. You did install the openssl package right?
Re: Access-Reject packet from host 127.0.0.1 port 1812, id=29, length=34
On Sat, Mar 13, 2010 at 8:14 PM, Suman Dash sumand...@gmail.com wrote:

> +- entering group PAP {...}
> [pap] login attempt with password hello
> [pap] Using CRYPT encryption.
> [pap] Passwords don't match
> ++[pap] returns reject

I don't think you used a crypt password in your users file
Re: Access-Reject packet from host 127.0.0.1 port 1812, id=29, length=34
On Sun, Mar 14, 2010 at 8:35 AM, Suman Dash sumand...@gmail.com wrote:

> No, The Password is in Cleartext. How do i disable / Enable the CRYPT password ?

On the first day google was born

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg61708.html

kind regards
Re: dynamic check item, based on nas type
On Mon, Feb 15, 2010 at 8:47 AM, YvesDM ydm...@gmail.com wrote:

> Hi,
>
> Situation: All users can login to different nas types.
> Problem: I need a different value for simult.-use check depending on the nas a user logs on to.
>
> Is there a way to do this? (using FR1.1.7 for now)
>
> tnx.
> Yves

Edited title, needed to be check-item instead of reply of course, sorry.
dynamic reply attribute, based on nas type
Hi,

Situation: All users can login to different nas types.
Problem: I need a different value for simult.-use check depending on the nas a user logs on to.

Is there a way to do this? (using FR1.1.7 for now)

tnx.
Yves
Re: Session-Octets-Limit and sqlcounter
On Mon, Nov 30, 2009 at 4:44 PM, Charles char...@goma.kivu-online.com wrote:

> Thanks Allan,
>
> I think you are right, I will ask in the monowall forum. Just that the forum is not very active on Captive Portal issues. Could you be kind to suggest a NAS that you know which can help me achieve my goal?
>
> Thanks in advance - I know I am asking too much.
>
> Charles

Charles,

m0n0wall has an option in the CP settings to re-authenticate every minute. It makes your life real easy in setting up radius. Just set a check item in radcheck containing your datacap and set sql counter appropriate. But as suggested, the m0n0wall list will definitely help you out.

kind regards
Y.
Re: Info regarding radius and tacacs
On Wed, Aug 5, 2009 at 1:13 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
> > Hi, Can anyone let me know if there is a free downloadable Tacacs server with support for Ipv6
>
> www.google.com
>
> alan

Aren't you mistaking? This looks like some kind of search engine, not a tacacs server? :-)
Re: How to control users traffic ?
On Tue, Jul 14, 2009 at 6:02 AM, Ericbbah...@gmail.com wrote:

> freeradius-1.1.3-1.4 !! Is it the reason of problem ?

Yes, reply-name was only implemented in version 1.1.5 or 1.1.6. Upgrade to the latest version.

Kind regards
Yves
sqlcounter / end session at the end of the month
Hi,

I'm having issues with octet accounting. Users are monthly limited in octets, not in time. The problem i have is when a user logs in on the last day of the month and stays online for 3 days then there's 2days within the new month but the accounting counts within the previous month, which we don't like :-)

So I was thinking about adding a counter module which calculates a session-timeout at the last second of the month so users get logged out just before the new month starts. But, I don't know how to set the check-item. If I use max-all-session and a monthly reset I need a check item that equals the end of the month, which can be 28 days, 30 days or 31 days.

Any known solutions to this?

Kind regards,
Y.
Re: Need Help: 'Simultaneous-Use' don't work !!! =/ version 1.1.7 !
On Fri, Dec 12, 2008 at 5:33 PM, Diogo Teixeira diogo@gmail.com wrote:

> and i done everything i it still don't work.

You do have port 1813 open on your radius right?

Kind regards
Re: Is it possible to recognize clients not by their IP addresses?
On Fri, Nov 28, 2008 at 5:05 AM, Sebo PL [EMAIL PROTECTED][EMAIL PROTECTED] wrote:

> I'm waiting for such NAS-ID exactly and hope it might be based on the SSID of the AP. Or it may be based on Calling-Station-Id I see the MAC address of the AP in this attribute attached to each message send to the radius server.

That's up to the nas. The nas sends the nas identifier so the string is determined on/by the nas.
Re: Updated HOWTO's on deployingradius.com
Very nice and understandable for everybody. Keep up the good work, really looking forward to the book here ;-)

Kind regards,
Yves

On Sun, Jul 20, 2008 at 5:47 PM, Alan DeKok [EMAIL PROTECTED] wrote:

> I've added a few more HOWTO's for EAP, certificates, etc. on my web page. See: http://deployingradius.com
>
> The main page now lists:
>
> (1) PAP
> (2) EAP
> (3) Certificates
> (4) Importing the certificates
>
> If you've ever wondered how to get EAP working with FreeRADIUS client machines, these documents should help. They are a short series of simple steps that need to be performed. The total effort is limited to running 3-4 commands, some multiple times.
>
> The key to getting it *right* is the rest of the explanations on the web pages: Why those commands are used, and in what order they should be used. The documents also recommend running the same tests over and over again, each time the server configuration is changed. This process means that you can easily pinpoint *which* step doesn't work. The web pages then explain *why* it doesn't work, along with some common problems and solutions.
>
> This is the first step in putting the rest of my book online.
>
> Alan DeKok.
Re: Expiration?
On Tue, Apr 29, 2008 at 12:09 PM, Ivan Kalik [EMAIL PROTECTED] wrote:

> > Literally? Or it is some sort of example? Eg i have to write:
> > Expiration := May 10 2008 21:00:00
>
> Like that.
>
> Ivan Kalik
> Kalik Informatika ISP

Hmm interesting, I did not know you could add an hour too, tnx ;-)

Kind regards,
Y.
Re: 'Idle-Timeout' and the 'Acct-Session-Time' argument
On Sun, Feb 24, 2008 at 2:59 PM, Ivan Kalik [EMAIL PROTECTED] wrote:

> > 'Idle-Timeout' timeout is an argument in Radius. Chillispot use this radius argument.
>
> Yes.
>
> > I think freeradius configuration can update automatically the Acct-Session-Time argument if it see a user is IDLE. What do you think about this?
>
> No. Chillispot does the accounting and sends data to freeradius. Radius server has no idea about whether the user is connected or not. It is up to the NAS to send that information to it. If Chillispot disconnects the user and doesn't send accounting Stop packet to freeradius the session in radius database will remain open. As far as I can see that's how you set up the Chillispot - disconnect the session only on clicking the logout link. Set up Chillispot properly.
>
> Ivan Kalik
> Kalik Informatika ISP

Yes, and a correct functioning chillispot definitely sends an accounting stop packet when idle-timeout is reached and user gets logged out. I got idle-timeout in radgroupreply too, and as soon as chillispot reaches the idle-timeout for a user the user gets disconnected (by chillispot) and the accounting session is closed in radacct. In acctTerminateCause you should find idle-timeout as termination cause in this scenario. This is standard behaviour for chillispot in a correct setup. So I don't understand why this isn't working for the OP.

Sniff your network and see if an acctstop packet is sent by your chillispot when idle timeout is reached.

Kind regards
Y.
Re: cannot connect to sql databse
On Jan 30, 2008 10:15 AM, Devinder Singh [EMAIL PROTECTED] wrote:

> Hi Liran
>
> This is my log file i can't find any errors for cannot connect to sql database
>
> Thanks
> Devinder
>
> 080124 14:48:58 mysqld ended
> 080124 14:48:58 mysqld started
> 080124 14:48:58 InnoDB: Started; log sequence number 0 43655
> 080124 14:48:58 [Note] /usr/sbin/mysqld: ready for connections.
> Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
> 080124 15:26:09 [Note] /usr/sbin/mysqld: Normal shutdown
> 080124 15:26:09 InnoDB: Starting shutdown...
> 080124 15:26:11 InnoDB: Shutdown completed; log sequence number 0 43655
> 080124 15:26:11 [Note] /usr/sbin/mysqld: Shutdown complete
> 080124 15:26:11 mysqld ended
> 080124 15:26:11 mysqld started
> 080124 15:26:11 InnoDB: Started; log sequence number 0 43655
> 080124 15:26:11 [Note] /usr/sbin/mysqld: ready for connections.
> Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM
> 080124 15:40:56 [Note] /usr/sbin/mysqld: Normal shutdown
> 080124 15:40:56 InnoDB: Starting shutdown...
> 080124 15:40:57 InnoDB: Shutdown completed; log sequence number 0 43655
> 080124 15:40:57 [Note] /usr/sbin/mysqld: Shutdown complete
> 080124 15:40:57 mysqld ended
> 080124 15:40:57 mysqld started
> 080124 15:40:57 InnoDB: Started; log sequence number 0 43655
> 080124 15:40:58 [Note] /usr/sbin/mysqld: ready for connections.
> Version: '5.0.45' socket: '/var/lib/mysql/mysql.sock' port: 3306 SUSE MySQL RPM

Does mysql actually keep running? What gives

ps -ae | grep mysql

Can you access your database from the cli?

kind regards,
Y.
Re: cannot connect to sql databse
On Jan 30, 2008 10:41 AM, Devinder Singh [EMAIL PROTECTED] wrote:

> Yes i can access mysql from CLI

Did you try to create another mysql user account for dialupadmin and give him the correct rights on the radius database?
Re: truncate_radacct script deleted more then desired
Hi Liran,

Yes I thought it's shipped with dialup admin so... But ok, I'll attach the script with this reply. I noticed in scripts.log that it also deleted too much last year. I think the problem is where $date gets created. I see wrong dates in the log file (scripts.log), for example:

2008-01-02 00:01:01 DELETE FROM radacct WHERE AcctStopTime = '-00-00 00:00:00' AND AcctStartTime '2008-01-02 00:01:01';
2008-01-02 00:01:01 LOCK TABLES radacct WRITE;DELETE FROM radacct WHERE AcctStopTime '2008-01-02 00:01:01' AND AcctStopTime IS NOT NULL ;UNLOCK TABLES;

First one is from clean_radacct to clean stale sessions, $back_days is set to 35 days, so the timestamp in the logfile should not be todays date but 35 days ago (correct me if i'm wrong). Now it just deleted all open sessions. :-(

Second log entry is from truncate_radacct, same problem with timestamp, $back_days is set to 365, so the timestamp should be one year older.

Kind regards,
Y.

Many tnx.

On Jan 2, 2008 8:23 AM, liran tal [EMAIL PROTECTED] wrote:

> Hey Yves,
>
> It would probably be better if you attach the script for those of us who don't have it around... Also, if you run it with certain arguments maybe you should let us know how you ran it.
>
> Regards,
> Liran.
>
> On Jan 1, 2008 4:06 PM, YvesDM [EMAIL PROTECTED] wrote:
>
> > Hi,
> >
> > FR1.1.6 on debian. I use the truncate_radacct script that comes with dialup admin to delete older accounting records. I got the $back_days set at 365 days in order to keep the accounting data for one year. It's been working fine until this morning (1/1/08, 00:01). Instead of deleting data older than 01/01/07 it deleted all data older than 01/01/08, or everything in radacct :-( I've got backups, that's not the problem, but I wonder what went wrong here. Anyone experiencing the same, any clues?
> >
> > Kind regards
> > Yves

truncate_radacct
Description: Binary data
truncate_radacct script deleted more then desired
Hi,

FR1.1.6 on debian. I use the truncate_radacct script that comes with dialup admin to delete older accounting records. I got the $back_days set at 365 days in order to keep the accounting data for one year. It's been working fine until this morning (1/1/08, 00:01). Instead of deleting data older than 01/01/07 it deleted all data older than 01/01/08, or everything in radacct :-( I've got backups, that's not the problem, but I wonder what went wrong here. Anyone experiencing the same, any clues?

Kind regards
Yves
Re: Expire attribute
On Nov 22, 2007 7:51 AM, [EMAIL PROTECTED] wrote:

> Attribute name is Expiration. It is a check item so it does go into radcheck. I use is == as operator, but := should work as well. Format that works for me is:
>
> November 28 2007 20:26:43
>
> Ivan Kalik
> Kalik Informatika ISP

Any suggestions on how I could use this dynamically? For example, user can login for 90 days 'after the first login'. (Don't know when first login date will be) After those 90 days the account should be expired.

Tnx
Re: Basic usage: What do I do next to get this to work?
On 10/31/07, Doc. Caliban [EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] IPCop is actually pretty good for this as it uses one of it's interfaces for wireless access based on granting each node specific access by MAC, but it can be any network node, it doesn't have to be a wireless device. All of our public workstations are on this interface so the machines are verified at the proxy. Now I just need to get the RADIUS piece in place to validate the users. IPCop can require RADIUS authentication on top of the MAC filter. It sounds good on paper, I just need to find the easiest way possible for my users to deal with the RADIUS piece of the model.

Alternatively you could install the copspot plugin on ipcop ( http://www.ban-solms.de/t/IPCop-copspot.html ). It implements chillispot and gives you a captive portal which can talk to your radius for AAA.

Kind regards
Yves
Re: Basic usage: What do I do next to get this to work?
On 10/31/07, Doc. Caliban [EMAIL PROTECTED] wrote:

> YvesDM wrote:
> > Alternatively you could install the copspot plugin on ipcop ( http://www.ban-solms.de/t/IPCop-copspot.html ). It implements chillispot and gives you a captive portal which can talk to your radius for AAA.
> >
> > Kind regards
> > Yves
>
> That's a great suggestion, and something that I'd looked into at one point. The problem is that CopSpot only allows for HTTP traffic and not HTTPS. That will certainly be a big problem for a lot of my users. If there was an easy way around that, I'd probably try it out.

Strange, according to the copspot link I've sent you it uses https. (on non-standard port) I never used ipcop myself though.

Kind regards
Yves
Re: Basic usage: What do I do next to get this to work?
On 10/31/07, Doc. Caliban [EMAIL PROTECTED] wrote:

YvesDM wrote:

Strange, according to the copspot link I've sent you it uses https (on a non-standard port). I never used ipcop myself though. Kind regards Yves

Oh, weird. It must be in the details somewhere. That's the page I'd looked at and this line had caught my eye:

    Currently the portal user will only be able to use http (tcp port 80) into the internet. All other access is blocked.

I'll read through it more carefully though as this would be a great way to go, thanks again!

Oh, I see, now I know what you mean. I thought you meant users weren't able to login through https. If your users need more opened ports this will probably be easy to modify through the firewall rules. But we're going off topic of this list. Good luck.

Kind regards.
radcheck NAS-identifier
Hi,

FR + mysql auth & acct. Sometimes I need to restrict users or groups from accessing a certain NAS. I use the nas-identifier attribute to recognize the nas. To accomplish this I just add an entry to radcheck or radgroupcheck like this:

    NAS-identifier != nas-name

This works fine, but sometimes I use radtest directly on the server to test accounts if someone claims he/she is unable to login. Now for every user/group I've set the above entry in the database, radcheck on the server always returns an access-reject for some reason. Though, users can login to the nas's they are allowed to and get rejected on the certain nas I've specified, so the setup itself is working. But I've kind of lost my account testing utility :-)

I don't understand why radcheck fails on these accounts. I understand radcheck doesn't send any nas-identifier, but I used operator '!=' and not '==' so shouldn't the radius accept radtest requests on localhost? I'm sure there is a good explanation why radtest returns an Access-reject, but I'd like to know why and, if possible, if there is a solution/work-around for this.

Many tnx,
Y.
Re: accounting update
On 10/17/07, Daann [EMAIL PROTECTED] wrote:

but I'd like to have some more detailed instructions on what to do. Thanks in advance

Set this in the users file and accounting will get updated every 300 sec:

    # Sent Chillispot Interim Accounting interval in every reply packet
    DEFAULT
            Acct-Interim-Interval = 300
Re: radcheck problem
On 9/7/07, YvesDM [EMAIL PROTECTED] wrote:

Hi, I want a specific user (call him john) NOT to be able to login through a specific nas. So I thought, just add this to radcheck:

    INSERT INTO `radcheck` (`UserName`, `Attribute`, `op`, `Value`)
    VALUES ('john','NASIdentifier','!=','nas-id')

(nas-id is the nasidentifier of the specific nas)

Anyway, when I add this entry to radcheck, john gets rejected all the time, no matter what nas he's connecting to. Am I overlooking something?

Never mind, problem solved, forgot the - in NAS-Identifier :-)

    INSERT INTO `radcheck` (`UserName`, `Attribute`, `op`, `Value`)
    VALUES ('john','NAS-Identifier','!=','nas-id')

Kind regards
radcheck problem
Hi,

I want a specific user (call him john) NOT to be able to login through a specific nas. So I thought, just add this to radcheck:

    INSERT INTO `radcheck` (`UserName`, `Attribute`, `op`, `Value`)
    VALUES ('john','NASIdentifier','!=','nas-id')

(nas-id is the nasidentifier of the specific nas)

Anyway, when I add this entry to radcheck, john gets rejected all the time, no matter what nas he's connecting to. Am I overlooking something?

Kind regards
Re: Simultaneous-Use per NAS
On 8/30/07, Svend Eriksen [EMAIL PROTECTED] wrote:

Hi, We run freeradius 1.1.6 against postgresql 8.1. With the current configuration the user can only login one time simultaneously. What I want is that a user can login only one time per NAS, but that the user can login on several NASes at the same time. The reason for this is that a user can move between NASes without the need to logout from the NAS he is leaving. The user can only login to NASes that are in a group that he is a member of (this already works today). Is it also possible to set the Simultaneous-Use as a default value for all users, so we don't have to set it on all the groups? Here are the lines from the database:

    SELECT * FROM radcheck
    40 | user1 | Cleartext-Password | := | kebab1
    41 | user1 | Expiration | := | Dec 31 2050 00:00:00

    SELECT * FROM radusergroup
    user1 | testusergroup |0

    SELECT * FROM nas
    7 | 10.0.0.1 | NAS1 | other | | naspw
    8 | 10.0.0.2 | NAS2 | other | | naspw

    SELECT * FROM radgroupcheck
    15 | testusergroup | NAS-IP-Address | += | 10.0.0.1
    16 | testusergroup | NAS-IP-Address | += | 10.0.0.2
    17 | testusergroup | Simultaneous-Use | := | 1

reg
Svend Eriksen

Hi,

Why don't you just add Simultaneous-Use for each user to radcheck? If I understand you correctly, that would solve the problem, right? I don't know how you actually add the new users, but it can easily be done to give them that attr. as a default one.

Kind Regards,
Yves
Re: Is this possible
On 8/4/07, Fred Zinsli [EMAIL PROTECTED] wrote:

Hello everyone. I am very new to freeradius and security type environments and I am feeling somewhat out of my depth at the moment. My current situation is that I have a chillispot WIFI setup. A diagram of the current network can be seen at http://www.shooter.co.nz/network.pdf

Looks nice :-)

The problem I have with this setup is that unscrupulous people are connecting to the unprotected APs without authenticating and playing games between themselves therefore bogging down our network with their traffic.

Just wondering, that firewall (smooth1) is a smoothwall box? If yes, it's been a while since I've been playing with it, but I remember there was a chillispot mod for it (check the homebrew forum). Just add an extra nic to that box and try it out. Your wireless will be completely separated from the rest of the network too this way. Also, as already suggested, you can run chillispot directly from a WRT54GL (maybe WAP54G also, not sure) with alternative firmware, which is probably the most easy solution.

...

Here is what I would like to do. When a user attempts to connect to the AP, the user is presented with a login screen (much like chillispot), the user logs on and they are connected to the AP and can use the network as expected. If a user cannot authenticate the attempt is logged and the connection attempt to the AP is dropped.

That's easy, once you've set up everything, just enable auth. logging in radiusd.conf

Kind regards,
Yves
Re: how to change reply message.(Password has expired)
On 8/2/07, Marwan Sultan [EMAIL PROTECTED] wrote:

Hello All, I'm on freeradius Latest, and FreeBSD, ChilliSpot. When an account of my users expires, and he tries to log in again, the HotSpotlogin script will reply with a message that says "Password Has Expired". How would I change this to "Account has Expired"? I guess it's somewhere in freeradius, please correct me if I'm wrong. Thank you in advance. Marwan

As far as I remember somebody wrote a patch for this, check the chillispot forum (I think). Else if you use a php based login page, it's quite easy to modify that reply message.

Kind Regards
Yves
Re: Nas Type
On 7/30/07, Roberto Greiner [EMAIL PROTECTED] wrote:

YvesDM wrote:

Hi Robert, As for m0n0wall (and I guess pfsense too), you can also use the disable concurrent logins option in the CP setup. This way there will never be simultaneous use from the same nas. Kind Regards, Yves

Yes, I've seen that option, and I actually have it enabled. What I don't like with it, is that instead of blocking a user, it accepts the new session and simply disconnects the session that was active. Anyway, thank you very much, Roberto

Yes indeed, and that way they will never share their credentials again :-) Anyway if you plan to use simultaneous use on your radius, and have the re-authenticate every minute option in monowall enabled, you will need to allow at least 3 (or 2, don't quite remember) sessions or re-authentication will fail and the user gets logged out after 1 minute.

Kind regards,
Yves
Re: Nas Type
On 7/27/07, Roberto Greiner [EMAIL PROTECTED] wrote:

Hi, I was starting to look at checkrad, and found (based on http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using other as the NAS-type will actually check only radutmp instead of looking at the actual NAS. Now, could someone point me to what would be the proper NAS type to use for each of the devices below (or the proper reference document to use)? I'm using the following NASes in my network:

    Monowall
    pfSense
    (3Com) Total Control
    PopTop (in Linux)

What I want to do is to use checkrad as one of the steps to make sure that whoever appears as logged is really logged in, because I'm trying to use Simultaneous-use check, and some of the above (notably monowall) don't seem to be clearing properly sometimes. Thank you very much, Roberto Greiner

--

Hi Robert,

As for m0n0wall (and I guess pfsense too), you can also use the disable concurrent logins option in the CP setup. This way there will never be simultaneous use from the same nas.

Kind Regards,
Yves
Re: dyndns.org domain in Clients.conf
On 5/8/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi!

YvesDM wrote:

How i can use nas identifier attribute?? client.conf needs an ip however ?? i'm very confused.

In clients.conf use 0.0.0.0/0 and make sure your shared secret is long and strong.

A small note if you really want to do this: in 2.0, this will only match for the exact address 0.0.0.0, and not for all IP addresses anymore, like it does in 1.x. You can work around this by using two entries, one for 0.0.0.0/1 and one for 128.0.0.0/1. I don't think this is a very good idea anyway. (Yes, I do use it myself, but that is for a very nonstandard and non-production setup on an isolated network, not for an internet-connected server.)

Gtnx
Marcel

Hi Marcel,

Tnx for the note about 2.0, I didn't know that. I also didn't look into 2.0 so far, maybe it's time to do so. I know 0.0.0.0/0 in clients.conf is not a preferable setup, but many public hotspot setups have nas's with dynamic ip's and as far as I know there is no other solution for this, unless you really go for some advanced scripting like somebody else proposed in this topic. If you have a better solution for this, I will be happy to learn!

Kind Regards,
Yves
Re: dyndns.org domain in Clients.conf
On 5/4/07, AS Alex [EMAIL PROTECTED] wrote:

Yes i have enabled hostname_lookups but nothing.

Hostname lookups are only done at FR startup, so as soon as the ip changes you have a problem :-) Use the Nas identifier attribute.

Kind regards,
Yves
Re: Freeradius on ubuntu
On 3/11/07, adreas Polyxronopoulos [EMAIL PROTECTED] wrote:

Hi list, I have tried ubuntu 6.10 desktop with freeradius 1.1.3 source and everything works perfectly. Now I have installed ubuntu 6.06 server LAMP on another PC and I am at the point where freeradius should be installed. I can download the source of freeradius and compile it or I can download the package of freeradius. The package version is 1.1.0 but for the source of freeradius I can choose any version I want (I would choose freeradius 1.1.3 source because I have tested it). Which one is the better choice? thanks Adreas Polyxronopoulos

The latest stable version is always the best choice.

Kind regards
Yves
Re: Where to find sql counter module ?
On 2/25/07, Tas Dionisakos [EMAIL PROTECTED] wrote:

Just vim /etc/freeradius/dictionary and include the following line:

    $INCLUDE /usr/share/freeradius/dictionary.chillispot

Oh, and move the chillispot.dictionary file into the /usr/share/freeradius directory just to keep things neat! Good luck! Tas.

Arrghh, how could I forget that $include! Anyway, I just added the line in /usr/share/dictionary itself:

    $INCLUDE dictionary.chillispot

Many thanks

Kind Regards,
Yves
Re: Where to find sql counter module ?
On 2/24/07, PD [EMAIL PROTECTED] wrote:

Simple questions... how and where to get sql counter module? I try to googling for hours but still can not find it. TIA PD

You should compile FR with experimental modules. You have to create the module yourself. Read rlm_sqlcounter in the doc/ folder. It's explained how to use this.

Kind Regards,
Yves
Re: Where to find sql counter module ?
On 2/24/07, Graham Beneke [EMAIL PROTECTED] wrote:

In the current version of FR (1.1.4) the sqlcounter module is no longer experimental - comes as in the default collection of modules. There is also a wiki article on using sqlcounter: http://wiki.freeradius.org/Rlm_sqlcounter It's not complete but I am working on it. -- Graham Beneke

Interesting, tnx for your work! I'm struggling with the sqlcounter module too for the moment. I try to define the reply-name (FR 1.1.4), but it gives me errors. If I specify this in sqlcounter.conf:

    sqlcounter volumelimit {
        counter-name = Octets-Total
        check-name = Max-Octets
        reply-name = ChilliSpot-Max-Total-Octets
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        # This query will calculate the total volume used

it results in:

    freeradius -X | grep sqlcounter
    snip
    sqlcounter: counter-name = Octets-Total
    sqlcounter: check-name = Max-Octets
    sqlcounter: reply-name = ChilliSpot-Max-Total-Octets
    sqlcounter: key = User-Name
    sqlcounter: sqlmod-inst = sql
    sqlcounter: query = SELECT (SUM(AcctInputOctets) +SUM(AcctInputGigawords * 4294967295) +SUM(AcctOutputOctets) +SUM(AcctOutputGigawords * 4294967295)) / 1048576 FROM radacct WHERE UserName = '%{%k}' AND AcctStartTime FROM_UNIXTIME('%b')
    sqlcounter: reset = monthly
    sqlcounter: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
    rlm_sqlcounter: No such attribute ChilliSpot-Max-Total-Octets
    obelix:/etc/freeradius#

Strange... But I'm not in a rush, I'll find out what's wrong :-)

Kind regards,
Yves
Re: Where to find sql counter module ?
On 2/24/07, Graham Beneke [EMAIL PROTECTED] wrote:

YvesDM wrote:

    rlm_sqlcounter: No such attribute ChilliSpot-Max-Total-Octets
    obelix:/etc/freeradius#

Strange... But I'm not in a rush, I'll find out what's wrong :-)

Looks like a dictionary problem to me - Chillispot's dictionary is not yet part of FR, you have to add it manually. Maybe someone with a little spare time can throw together the Chillispot dictionary as a patch ;-) Graham Beneke

Yeah, that w
Re: Where to find sql counter module ?
On 2/24/07, Graham Beneke [EMAIL PROTECTED] wrote:

Looks like a dictionary problem to me - Chillispot's dictionary is not yet part of FR, you have to add it manually. Maybe someone with a little spare time can throw together the Chillispot dictionary as a patch ;-) Graham Beneke

Yeah, that was my first thought too, but I've added the dictionary before, so the dictionary is there.

Kind regards,
Yves
Re: Why Freeradius and Mysql dont work?
On 1/29/07, satish patel [EMAIL PROTECTED] wrote:

Install mysql again

Did you compile FR yourself? Did you install the mysql-dev files?

Kind regards,
Yves
Re: Accounting : server and port 1813
On 11/12/06, James Wakefield [EMAIL PROTECTED] wrote:

- if my wifi router is not able to be configured for accounting my network is not able to do accounting because station(s) cannot contact 1813.

That's correct - at least, you won't be able to do RADIUS accounting with your wifi router. Depending on your network's topology and what other equipment you may have you may be able to use another method to provide accounting. Chillispot (http://www.chillispot.org/ ) might do what you want. You might even be able to use the iptables byte counters on your Linux server and route traffic through it if you have no other options.

Just a little addition here. Chillispot indeed does that, but if you want an all in one solution to replace your wifi router, M0n0wall is worth taking a look at. http://m0n0.ch/wall/ I use it in hotspot setups with freeradius and it works flawlessly.

Sincerely,
Yves
logs: invalid Message-Authenticator! (Shared secret is incorrect.)
I try to get chillispot to work with freeradius. I can't authenticate. Log files show me this entry:

    Fri Oct 13 14:38:28 2006 : Error: Received packet from 192.168.2.165 with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response.
    radius2:/var/log/freeradius#

Looks pretty obvious, though, I'm sure the shared secret is correct in my clients.conf and in the chillispot configuration. Any hints?

Y.
Re: logs: invalid Message-Authenticator! (Shared secret is incorrect.)
On 10/13/06, Paul Lambert [EMAIL PROTECTED] wrote:

Hi, Have you checked your authentication protocol on the shared secret? Are you sending with CHAP when freeradius is not expecting it or vice versa? Have you tried testing with a radius test client - this should allow you to determine if the problem is in the Client or the Server config... or just a misconfiguration between the two! Kind regards, Paul.

On 10/13/06, K. Hoercher [EMAIL PROTECTED] wrote:

Hi,

On 10/13/06, YvesDM [EMAIL PROTECTED] wrote:

Looks pretty obvious, though, I'm sure the shared secret is correct in my clients.conf and in the chillispot configuration. Any hints?

Well, as you said yourself, it looks pretty obvious. But as it would be extremely unlikely for both statements to be true, I'd suggest (in no particular order):

Check clients.conf for eventual more specific entries overriding those for subnets. Does some sql reading of nas's set another secret? Do the alleged correct config files get actually used by freeradius (been there, done that *g*).

Something to those effects regarding chilli.conf.

Some of that might have been ruled out/in already, had you provided the full debug output and pertinent snippets from your config.

Sniff the radius traffic, and check validity manually. See src/lib/hmac.c

hth
K. Hoercher

Tnx for the answers. Meanwhile I've upgraded chillispot to the newest version, changed the shared secrets into something else and reloaded the radius configuration and the problem was gone.

Y.
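The manual validity check K. Hoercher suggests above, written out as an added example; it is not code from the thread or from FreeRADIUS. It recomputes Message-Authenticator for an Access-Request as RFC 2869 defines it (HMAC-MD5 over the whole packet with the attribute's 16 value bytes zeroed, keyed with the shared secret) and tries each secret the server could be picking up; the packet, secrets and source labels are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IDENTIFIER = 32
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14
HEADER_LEN = 20             # code, identifier, length, 16-byte authenticator


def parse_attributes(packet):
    """Return [(type, value_offset, value)], rejecting malformed lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def message_authenticator(packet, value_offset, secret):
    """HMAC-MD5 over the packet with the attribute's 16 value bytes zeroed."""
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = bytearray(packet[:length])
    zeroed[value_offset:value_offset + 16] = bytes(16)
    return hmac.new(secret, bytes(zeroed), hashlib.md5).digest()


def check_access_request(packet, secret):
    """Return 'valid', 'invalid' or 'absent' for an Access-Request."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_REQUEST:
        raise ValueError("only Access-Request is handled here")
    for atype, offset, value in attrs:
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 bytes")
            expected = message_authenticator(packet, offset, secret)
            return "valid" if hmac.compare_digest(expected, value) else "invalid"
    return "absent"


def find_matching_secret(packet, configured):
    """Name the configured secret (label -> bytes) that validates the packet."""
    for label, secret in configured.items():
        if check_access_request(packet, secret) == "valid":
            return label
    return None


def build_access_request(ident, authenticator, attrs, secret):
    """Build a signed Access-Request, standing in for a sniffed packet."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    packet = bytearray(header + authenticator + body)
    offset = len(packet) - 16
    packet[offset:] = message_authenticator(bytes(packet), offset, secret)
    return bytes(packet)


# Constructed sample values; none of them come from the thread.
NAS_SECRET = b"secret-typed-into-chilli.conf"
CONFIGURED = {
    "clients.conf subnet entry": b"subnet-entry-secret",
    "clients.conf host entry": b"older-host-secret",
    "sql nas table": b"secret-typed-into-chilli.conf",
}
SAMPLE = build_access_request(
    42, bytes(range(16)),
    [(USER_NAME, b"john"), (NAS_IDENTIFIER, b"nas-id")],
    NAS_SECRET,
)

if __name__ == "__main__":
    for label, secret in CONFIGURED.items():
        print(f"{label:28} {check_access_request(SAMPLE, secret)}")
    print("matching source:", find_matching_secret(SAMPLE, CONFIGURED))
```

If none of the configured secrets validates a packet captured from the NAS, the mismatch is on the NAS side or the packet was altered in transit.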
Re: Problem with Installation
    configure: error: no acceptable C compiler found in $PATH
    See `config.log' for more details

Read the output. You have no C compiler. Install gcc.

Sincerely
Yves

On 10/1/06, Abel Monzon [EMAIL PROTECTED] wrote:

Hi list, I have been trying to install Freeradius on a Debian system, but when I try with ./configure, it responds:

    server:~/freeradius-1.1.3# ./configure
    configure: WARNING: you should use --build, --host, --target
    checking for CC-gcc... no
    checking for gcc... no
    checking for CC-cc... no
    checking for cc... no
    checking for cc... no
    checking for CC-cl... no
    checking for cl... no
    configure: error: no acceptable C compiler found in $PATH
    See `config.log' for more details.
    server:~/freeradius-1.1.3# ./configure CXX
    configure: WARNING: you should use --build, --host, --target
    checking for CXX-gcc... no
    checking for gcc... no
    checking for CXX-cc... no
    checking for cc... no
    checking for cc... no
    checking for CXX-cl... no
    checking for cl... no
    configure: error: no acceptable C compiler found in $PATH
    See `config.log' for more details.

I can't see any solution with ./configure --help. Please, I need help.

Greetings,
Abel
clean stale sessions with radzap?
I use FR + mysql. I try to clean some stale sessions from NAS's with dynamic ip's. I'm logged in on the server and use radzap this way:

    radius1:~# radzap
    Usage: radzap [options] server[:port] secret

So I try:

    radius1:~# radzap -u john localhost:1812 mysecret

But this doesn't seem to be the right way?

tnx
yves
Re: sql segmentation fault
On 8/16/06, Nicolas Baradakis [EMAIL PROTECTED] wrote:

YvesDM wrote:

Created my own debs of freeradius 1.0.5

Please upgrade to 1.1.2.

I know, but the radius I'm running now (FR 1.0.5, SQL authentication, time & volume accounting) was originally set up by somebody else. It's working fine, but I wanted to know how everything was set up without trashing the existing server (it's in use). I had a spare server and decided to give it a go. I chose to install 1.0.5 on the testradius too because then it was possible for me to compare the config files with the existing server and see the changes. As soon as I get everything working on my 1.0.5 testradius, I will definitely try to reproduce it again with the newest version.

Everything works, but when i try to use mysql i get a segmentation fault running radiusd -X

See http://freeradius.org/radiusd/doc/bugs

This problem is solved now. (It took 4 days for my post to appear here, strange.) I tried to fire it up with the config files from the existing radius and got the segm. fault. When I used the standard config it was running fine. So far, I got radius sql authentication working. Still got to take a look to install dialup admin and the volume accounting part, but I ran a bit out of time this week :-) Maybe tomorrow I can work on it again.

I used the rules file in the debian dir of the tar.gz, but added --with-experimental modules as a configure option in it cause i need the sqlcounter.

sqlcounter is in the stable modules list in versions = 1.1.0.

See above :-)

One question, on the existing radius I got a file perl.conf in /etc/freeradius. I don't have this on my testradius and I guess I will need it. I also have FR complaining about missing modules when I use the existing server's configfile. Missing modules are for example downloadlimit. When I take a look at radiusd.conf from the existing server, it's in the Authorize section right above the authentication section. Snippet:

        #
        # The ldap module will set Auth-Type to LDAP if it has not
        # already been set
    #   ldap

        #
        # Enforce daily limits on time spent logged in.
    #   daily
        validfromlogin
        downloadlimit
        uploadlimit
        volumelimit
        prepaidcounter

        #
        # Use the checkval module
    #   checkval
    }

    # Authentication.

I guess I missed something and hope someone can help me out here.

Many tnx.
Yves
Re: sql segmentation fault
On 8/16/06, Alan DeKok [EMAIL PROTECTED] wrote:

YvesDM [EMAIL PROTECTED] wrote:

Missing modules are for example downloadlimit. When I take a look at radiusd.conf from the existing server, it's in the Authorize section right above the authentication section. Snippet:

It's a module created in the original configuration. Go read that. Look for downloadlimit in radiusd.conf.

Alan DeKok.

Sorry Alan, I don't get it? What should I read? That snippet in my prior mail came from radiusd.conf from the existing (active) server. In the (almost unmodified) radiusd.conf from the testradius that same snippet looks like this:

        # The ldap module will set Auth-Type to LDAP if it has not
        # already been set
    #   ldap

        #
        # Enforce daily limits on time spent logged in.
    #   daily

        #
        # Use the checkval module
    #   checkval
    }

    # Authentication.

So there are no validfromlogin, downloadlimit, uploadlimit, volumelimit, prepaidcounter entries there. Or maybe I get this wrong and you mean something else?

Yves
Re: sql segmentation fault
On 8/16/06, Alan DeKok [EMAIL PROTECTED] wrote:

YvesDM [EMAIL PROTECTED] wrote:

I don't get it? What should I read?

The original radiusd.conf.

That snippet in my prior mail came from radiusd.conf from the existing (active) server

Yes, go read that again. It's defining those extra modules. Those modules aren't defined in the default configuration. They are local to your site. I don't know how else to explain that.

I can see those modules are listed there, but then what? I looked in /usr/lib/freeradius but didn't find them there. Obviously I don't understand the whole module thing in radius. I will read radiusd.conf and the docs again (for the xxx time). Oh, I guess I'm just stupid.

In the (almost unmodified) radiusd.conf from the testradius that same snippet looks like this:

Yes, which is the default config. I don't understand why you think it's necessary to post the default config to the list. I wrote much of it, and am quite familiar with it.

When you said it's a module created in the default configuration, I thought you meant it was there by default. Obviously this wasn't what you meant. (English is not my native language.)

Go read the configuration files on the active server. Stop arguing.

I did many times. But ok, I will do again. Thank you for your help.

Sincerely
Yves
Re: installation dirs on debian
On 8/12/06, Francois-Xavier GAILLARD [EMAIL PROTECTED] wrote:

Le Sat, Aug 12, 2006 at 01:55:20AM +0100, Stephen Gran ecrivait:

apt-get build-dep freeradius is so much easier :) But I'm being a pedant, I think.

No, you're being right :)

Thank you both Stephen & fox for this explanation! I'll try it out.

Sincerely,
Yves
sql segmentation fault
hi,

Created my own debs of freeradius 1.0.5. Everything works, but when I try to use mysql I get a segmentation fault running radiusd -X. Could my freeradius-mysql.deb be corrupt? I got no errors creating it. I used the rules file in the debian dir of the tar.gz, but added --with-experimental modules as a configure option in it cause I need the sqlcounter. These are the last lines of the radiusd -X output:

    sql: postauth_query = INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())
    sql: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
    rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
    rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
    rlm_sql (sql): starting 0
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
    rlm_sql_mysql: Starting connect to MySQL server for #0
    rlm_sql (sql): Connected new DB handle, #0
    rlm_sql (sql): starting 1
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
    rlm_sql_mysql: Starting connect to MySQL server for #1
    rlm_sql (sql): Connected new DB handle, #1
    rlm_sql (sql): starting 2
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
    rlm_sql_mysql: Starting connect to MySQL server for #2
    rlm_sql (sql): Connected new DB handle, #2
    rlm_sql (sql): starting 3
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
    rlm_sql_mysql: Starting connect to MySQL server for #3
    rlm_sql (sql): Connected new DB handle, #3
    rlm_sql (sql): starting 4
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
    rlm_sql_mysql: Starting connect to MySQL server for #4
    rlm_sql (sql): Connected new DB handle, #4
    rlm_sql (sql): - generate_sql_clients
    rlm_sql (sql): Query: SELECT * FROM nas
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql (sql): Read entry nasname=localhost,shortname=localhost,secret=XXX
    rlm_sql (sql): Adding client 127.0.0.1 (localhost) to clients list
    rlm_sql (sql): Released sql socket id: 4
    Module: Instantiated sql (sql)
    Segmentation fault

Any ideas?
Re: installation dirs on debian
On 8/11/06, Stefan Winter [EMAIL PROTECTED] wrote:

Can someone point me to the right direction?

There's a configure switch that allows you to specify the configuration directory.

Stefan

Indeed, I just noticed. I posted a little too fast, sorry.

Many tnx
Yves
Re: installation dirs on debian
On 8/11/06, Stephen Gran [EMAIL PROTECTED] wrote:

Take a look at the file debian/rules in the tarball. It is the Makefile for building debian packages from the tarball. Several options are passed to ./configure to make it install various directories in their various places. That should give you a start.

Tnx Stephen, though I never needed to build .deb's myself, so I will have to do some research on how to do this. Hints are always welcome of course.

Many tnx.
Yves
Re: installation dirs on debian
On 8/11/06, Alan DeKok [EMAIL PROTECTED] wrote:

YvesDM [EMAIL PROTECTED] wrote:

When I install using apt-get (installs 1.0.2 currently), I get freeradius installed in /etc/freeradius. When I install the same version using the tar.gz it gets installed in /usr/local/etc/raddb/

If you're building on debian, there is a debian directory in the tar.gz file. The files there should be used to build a local debian package.

Like I answered to Stephen, I will need to do some research on how to do this. I've looked into the debian directory in the tarball, but it doesn't learn me anything about this.

There should be a README there, saying what to do, I guess.

Yes there is, it contains info about directory changes when building the deb package.

PS Alan, any idea yet when the deploying radius book will be available?

Many tnx
Yves
Re: trouble with getting user accepted with Mysql
On 5/12/06, Jeremy ohara [EMAIL PROTECTED] wrote:

Hi there, I've been able to get the radius working, but the problem I'm having is when I try to do a test login it keeps being rejected. I've set up groups, etc. and am using dialupadmin for administration. I've attached the radiusd.conf and mysql.conf and the output files, etc. I got from the radius debug. Hope someone can help and THIS is enough info for yous! Also I'm using the latest fedora5 and using freeradius 1.0.5

Do you use dialup admin to create your users? In its config file you can choose how the passwords are stored (plain text, encrypted,...). Are you sure your passwords have the right attribute? Look at this post from me, I had the same problem: http://www.m0n0.ch/wall/list/showmsg.php?id=260/58 Alan pointed me in the right direction there. The attribute needed to be Crypt-Password instead of User-password.

Good luck
Yves
Re: Freeradius, mysql, please help!!!
On 4/13/06, Guy Fraser [EMAIL PROTECTED] wrote:

You will also need to use Auth-Type := Crypt-Local

This has been discussed, an enormous number of times. Please feel free to use Google to search for answers.

I really did google for this, but didn't find it. I was messing with all this for one week before actually posting here! Anyway it's working now.

Many tnx!
How do i set volume limits?
Hi,

Using the latest freeradius dialupadmin on debian. I did find the option to set time limits (day, week, month), but i'd like to know how i can set volume limits. (MiB's up/down transferred)

The up-/down transferred MiB's are sent by the NAS and stored into the db. I can see all users sessions up/down MiB's transferred if i query them in the accounting tab of dialupadmin. Though i can't see anything in the user statistics of any of my test users. The page just stays empty when i hit show, strange.

Can anyone tell me how to set daily/weekly/monthly volume limits?

Many tnx
Yves
Freeradius, mysql, please help!!!
Hi,

I'm getting desperate here. I've been trying for a week now to make freeradius work with mysql. Can someone please help me out here? Tnx!

some info:
debian
compiled freeradius 1.1.1 with mysql

Radius is working fine, i get an Access-Accept packet when i radtest a user from the users file

radius:/var/log/radius# radtest yves test localhost 1812 testing123
Sending Access-Request of id 213 to 127.0.0.1 port 1812
        User-Name = yves
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=213, length=20
radius:/var/log/radius#

I've created some testusers in the mysql database as well (sorry for layout, pasting from the shell)

mysql> connect radius
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Connection id: 61
Current database: radius

mysql> select * from usergroup;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
|          | general   |        1 |
| steve    | general   |        1 |
| maureen  | general   |        1 |
| john     | general   |        1 |
+----------+-----------+----------+
4 rows in set (0.00 sec)

mysql> select * from radcheck;
+----+----------+---------------+----+------------------------------------+
| id | UserName | Attribute     | op | Value                              |
+----+----------+---------------+----+------------------------------------+
|  1 | steve    | User-Password | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |
|  2 | maureen  | User-Password | := | $1$LTvKoOtc$X2fVg8uDqyP4.mU.iLNKm0 |
|  3 | john     | User-Password | := | $1$bkW9WNor$tq5sRRiUcwOV4/fwk3CYM/ |
+----+----------+---------------+----+------------------------------------+
3 rows in set (0.00 sec)

Though when i try to authenticate john (or other from the db), i get a reject packet and i don't know why!

radius:/var/log/radius# radtest john test localhost 1812 testing123
Sending Access-Request of id 240 to 127.0.0.1 port 1812
        User-Name = john
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
Re-sending Access-Request of id 240 to 127.0.0.1 port 1812
        User-Name = john
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=240, length=20
radius:/var/log/radius#

Debug output:

radius:/usr/local/dialup_admin/conf# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix:
Re: Freeradius, mysql, please help!!!
On 4/12/06, Alan DeKok [EMAIL PROTECTED] wrote:

YvesDM [EMAIL PROTECTED] wrote:

mysql> select * from radcheck;
+----+----------+---------------+----+------------------------------------+
| id | UserName | Attribute     | op | Value                              |
+----+----------+---------------+----+------------------------------------+
|  1 | steve    | User-Password | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |

These are *not* clear-text passwords. They're encrypted passwords.

Change the attribute name to Crypt-Password, and it should work.

Alan DeKok.

Tnx for the reply, but it didn't solve my problem.

mysql> select * from radcheck;
+----+----------+----------------+----+------------------------------------+
| id | UserName | Attribute      | op | Value                              |
+----+----------+----------------+----+------------------------------------+
|  1 | steve    | User-Password  | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |
|  2 | maureen  | Crypt-Password | := | $1$LTvKoOtc$X2fVg8uDqyP4.mU.iLNKm0 |
|  3 | john     | Crypt-Password | := | $1$bkW9WNor$tq5sRRiUcwOV4/fwk3CYM/ |
+----+----------+----------------+----+------------------------------------+
3 rows in set (0.00 sec)

mysql> quit
Bye
radius:/usr/local/etc/raddb# radtest john test localhost 1812 testing123
Sending Access-Request of id 213 to 127.0.0.1 port 1812
        User-Name = john
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
Re-sending Access-Request of id 213 to 127.0.0.1 port 1812
        User-Name = john
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=213, length=20
radius:/usr/local/etc/raddb# radtest maureen test localhost 1812 testing123
Sending Access-Request of id 219 to 127.0.0.1 port 1812
        User-Name = maureen
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
Re-sending Access-Request of id 219 to 127.0.0.1 port 1812
        User-Name = maureen
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=219, length=20
radius:/usr/local/etc/raddb#

Any other suggestions?

Yves
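Added example (not part of the original thread, and not FreeRADIUS code): a Python check that reads radcheck rows and reports any row whose Attribute name disagrees with the format of its Value, which is the mismatch pointed out above. Rows 1-3 are the rows posted in the thread; row 4 and the names classify, audit and ROWS are constructed for illustration.

```python
import re

# Modular crypt format used by crypt(3): $<id>$[rounds=N$]<salt>$<digest>
MCF = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=\d+\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]+)$"
)
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
# Traditional DES crypt is 13 characters from the crypt alphabet. This is a
# heuristic: a 13-character alphanumeric cleartext password matches it too.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(value):
    """Return the crypt(3) scheme a stored value looks like, or None."""
    m = MCF.match(value)
    if m:
        return SCHEMES.get(m.group("id"), "unknown-crypt")
    if DES_CRYPT.match(value):
        return "des-crypt"
    return None


def audit(rows):
    """Return (id, user, problem) for rows whose attribute and value disagree."""
    findings = []
    for row_id, user, attribute, _op, value in rows:
        scheme = classify(value)
        if attribute == "User-Password" and scheme:
            findings.append((row_id, user,
                             f"{scheme} hash stored as User-Password; use Crypt-Password"))
        elif attribute == "Crypt-Password" and not scheme:
            findings.append((row_id, user,
                             "Crypt-Password value is not a crypt(3) hash"))
    return findings


# Rows 1-3: radcheck as posted in the thread. Row 4: constructed sample.
ROWS = [
    (1, "steve", "User-Password", ":=", "$1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0"),
    (2, "maureen", "Crypt-Password", ":=", "$1$LTvKoOtc$X2fVg8uDqyP4.mU.iLNKm0"),
    (3, "john", "Crypt-Password", ":=", "$1$bkW9WNor$tq5sRRiUcwOV4/fwk3CYM/"),
    (4, "carol", "Crypt-Password", ":=", "test"),
]

if __name__ == "__main__":
    for row_id, user, problem in audit(ROWS):
        print(f"radcheck id={row_id} user={user}: {problem}")
```

A clean result only means the attribute names match the stored formats; as the thread shows, the Auth-Type in effect also decides whether the request is accepted.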
Re: Freeradius, mysql, please help!!!
On 4/12/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi,

ummm. I'm not too certain here but wasn't the password you defined in the mySQL database for john

$1$bkW9WNor$tq5sRRiUcwOV4/fwk3CYM/

if this is a crypted password then surely the attribute is Crypt-Password rather than User-Password?

alan

Correct, alan DeKok told me too. I changed it, but it didn't solve the problem.

tnx
yves
Re: Question
On 4/12/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi,

modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type System

try removing the default System authentication method from your users file.

alan

Working now! i changed system to radius in the users file and now it's working.

# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type = Radius
        Fall-Through = 1

Many tnx
Yves