Re: Hello, and a (hopefully) simple question
>Now that you mention it, the billing software _is_ getting replaced >some time soon, but until then I have to hack radius as a workaround. > So alter groups and not passwords. >Is it not possible to "Fall-Through" failed users to another section >with its own pool and auth-type: accept? > Why? Just place a user in a suspend group (configured with that pool) and there is no need to fall through anything. And the users with wrong passwords will still be getting usual errors. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Hello, and a (hopefully) simple question
Now that you mention it, the billing software _is_ getting replaced some time soon, but until then I have to hack radius as a workaround. Is it not possible to "Fall-Through" failed users to another section with its own pool and auth-type: accept? Vlad On Jan 25, 2008 12:16 PM, Andy Billington <[EMAIL PROTECTED]> wrote: > David - agreed. It's a workaround until the billing software can be > modified (or replaced); in combination with an expiry_due check and > also checking whether its the billing system that made the change > though, its not a bad short-term workaround. Needs to be both of those > checks though ;-) > Andy > > > On 25/01/2008, David Roze <[EMAIL PROTECTED]> wrote: > > A trigger on the password field is a workaround. > > What about if he wants to change a user's password or when it changes back > > to bring the connection back on? > > Changing the password is not the right way to reject a connection and > > everything possible should be done to change the software's behaviour. > > > > David Roze > > --- > > http://www.netexpertise.eu > > > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] > > On Behalf Of Andy Billington > > Sent: 25 January 2008 18:58 > > To: FreeRadius users mailing list > > Subject: Re: Hello, and a (hopefully) simple question > > > > Vlad, > > are the passwords changed _by the billing system_ for any other > > reason? You could use a trigger on the table to make a corresponding > > change on the usergroup when the billing system changes the password. > > > > Better though might just be to have a "Expiry Due?" column added to > > the users, and then have "if expiry_due AND if password changed, then > > change usergroup" triggered. You'll have to have a way to keep track > > of expiration dates and so on > > > > Vlad, > > are the passwords changed by the billing system for any other reason? > > You could use a trigger on the table to make a corresponding change on > > the usergroup when a billing system changes the password. > > > > Better though might just be to have a "Expired Yes/No" column added to > > the users, and then have "if expired AND password changed, then change > > usergroup" triggered. You'll have to have a way to keep track of > > expiration dates and so on but if the renewals are for a standard > > period (e.g. 12 months) then you could do > > > > a. if expiry_due and password changed, change usergroup (and hence ip etc) > > > > b. if expired, password changed already and then password changed > > again, change usergroup back to normal on assumption that billing > > system has reset password when payment received. Reset expiry_due to > > today() plus 12 months > > > > Then again I'm probably looking at database level stuff when > > FreeRADIUS will provide a better way using the many bits of it I dont > > understand ;-) > > Andy > > > > > > > > > > > > On 25/01/2008, Vlad Sedov <[EMAIL PROTECTED]> wrote: > > > Well, what I'm trying to do is accept the session whether the password > > > is correct or not, but if it's not correct, assign Framed-IP-Address > > > from a different IP pool, so our firewall downstream from the NAS can > > > redirect their HTTP traffic to a payment site. > > > > > > > > > Vlad > > > > > > > > > On Jan 25, 2008 11:27 AM, JB <[EMAIL PROTECTED]> wrote: > > > > If it's just a message you want to display, you could use the Reply- > > > > Message attribute. > > > > Of course, your access controler would have to know how handle this > > > > attribute. > > > > > > > > JB > > > > > > > > > > > > Marinko Tarlac wrote: > > > > > > > > > radius will reply whatever you need but you need to tell him what do > > > > > you want. > > > > > > > > > > For example, if you're using mysql, when user account expires you > > > > > can add him to specific group and group attributes you can set in > > > > > radgroupreply table. (ip pool, tx, rx limit etc.) > > > > > > > > > > On Jan 25, 2008 6:18 PM, Vlad Sedov <[EMAIL PROTECTED]> wrote: > > > > >> Hey folks. > > > > >> > > > > >> Right now, we use freeradius to authenticate simple pap/chap
Re: Hello, and a (hopefully) simple question
David - agreed. It's a workaround until the billing software can be modified (or replaced); in combination with an expiry_due check and also checking whether its the billing system that made the change though, its not a bad short-term workaround. Needs to be both of those checks though ;-) Andy On 25/01/2008, David Roze <[EMAIL PROTECTED]> wrote: > A trigger on the password field is a workaround. > What about if he wants to change a user's password or when it changes back > to bring the connection back on? > Changing the password is not the right way to reject a connection and > everything possible should be done to change the software's behaviour. > > David Roze > --- > http://www.netexpertise.eu > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > On Behalf Of Andy Billington > Sent: 25 January 2008 18:58 > To: FreeRadius users mailing list > Subject: Re: Hello, and a (hopefully) simple question > > Vlad, > are the passwords changed _by the billing system_ for any other > reason? You could use a trigger on the table to make a corresponding > change on the usergroup when the billing system changes the password. > > Better though might just be to have a "Expiry Due?" column added to > the users, and then have "if expiry_due AND if password changed, then > change usergroup" triggered. You'll have to have a way to keep track > of expiration dates and so on > > Vlad, > are the passwords changed by the billing system for any other reason? > You could use a trigger on the table to make a corresponding change on > the usergroup when a billing system changes the password. > > Better though might just be to have a "Expired Yes/No" column added to > the users, and then have "if expired AND password changed, then change > usergroup" triggered. You'll have to have a way to keep track of > expiration dates and so on but if the renewals are for a standard > period (e.g. 12 months) then you could do > > a. if expiry_due and password changed, change usergroup (and hence ip etc) > > b. if expired, password changed already and then password changed > again, change usergroup back to normal on assumption that billing > system has reset password when payment received. Reset expiry_due to > today() plus 12 months > > Then again I'm probably looking at database level stuff when > FreeRADIUS will provide a better way using the many bits of it I dont > understand ;-) > Andy > > > > > > On 25/01/2008, Vlad Sedov <[EMAIL PROTECTED]> wrote: > > Well, what I'm trying to do is accept the session whether the password > > is correct or not, but if it's not correct, assign Framed-IP-Address > > from a different IP pool, so our firewall downstream from the NAS can > > redirect their HTTP traffic to a payment site. > > > > > > Vlad > > > > > > On Jan 25, 2008 11:27 AM, JB <[EMAIL PROTECTED]> wrote: > > > If it's just a message you want to display, you could use the Reply- > > > Message attribute. > > > Of course, your access controler would have to know how handle this > > > attribute. > > > > > > JB > > > > > > > > > Marinko Tarlac wrote: > > > > > > > radius will reply whatever you need but you need to tell him what do > > > > you want. > > > > > > > > For example, if you're using mysql, when user account expires you > > > > can add him to specific group and group attributes you can set in > > > > radgroupreply table. (ip pool, tx, rx limit etc.) > > > > > > > > On Jan 25, 2008 6:18 PM, Vlad Sedov <[EMAIL PROTECTED]> wrote: > > > >> Hey folks. > > > >> > > > >> Right now, we use freeradius to authenticate simple pap/chap PPP > > > >> clients. When a username/password is rejected, radius simply send > > > >> back > > > >> a reject message to the NAS. > > > >> > > > >> Is it possible to change this behavior so that a failed auth attempt > > > >> gets accepted with an alternate IP pool instead of being rejected? > > > >> > > > >> the idea is to force suspended users through a web proxy that tells > > > >> them that they have a billing issue, instead of rejecting their > > > >> connection altogether. > > > >> > > > >> > > > >> Any help would be appreciated > > > >> > > > >> > > > >> Vlad > > > > > > > > > > > > JB > > > > > > > > > > > > > > > - > > > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > > > > - > > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Hello, and a (hopefully) simple question
A trigger on the password field is a workaround. What about if he wants to change a user's password or when it changes back to bring the connection back on? Changing the password is not the right way to reject a connection and everything possible should be done to change the software's behaviour. David Roze --- http://www.netexpertise.eu -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Billington Sent: 25 January 2008 18:58 To: FreeRadius users mailing list Subject: Re: Hello, and a (hopefully) simple question Vlad, are the passwords changed _by the billing system_ for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when the billing system changes the password. Better though might just be to have a "Expiry Due?" column added to the users, and then have "if expiry_due AND if password changed, then change usergroup" triggered. You'll have to have a way to keep track of expiration dates and so on Vlad, are the passwords changed by the billing system for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when a billing system changes the password. Better though might just be to have a "Expired Yes/No" column added to the users, and then have "if expired AND password changed, then change usergroup" triggered. You'll have to have a way to keep track of expiration dates and so on but if the renewals are for a standard period (e.g. 12 months) then you could do a. if expiry_due and password changed, change usergroup (and hence ip etc) b. if expired, password changed already and then password changed again, change usergroup back to normal on assumption that billing system has reset password when payment received. Reset expiry_due to today() plus 12 months Then again I'm probably looking at database level stuff when FreeRADIUS will provide a better way using the many bits of it I dont understand ;-) Andy On 25/01/2008, Vlad Sedov <[EMAIL PROTECTED]> wrote: > Well, what I'm trying to do is accept the session whether the password > is correct or not, but if it's not correct, assign Framed-IP-Address > from a different IP pool, so our firewall downstream from the NAS can > redirect their HTTP traffic to a payment site. > > > Vlad > > > On Jan 25, 2008 11:27 AM, JB <[EMAIL PROTECTED]> wrote: > > If it's just a message you want to display, you could use the Reply- > > Message attribute. > > Of course, your access controler would have to know how handle this > > attribute. > > > > JB > > > > > > Marinko Tarlac wrote: > > > > > radius will reply whatever you need but you need to tell him what do > > > you want. > > > > > > For example, if you're using mysql, when user account expires you > > > can add him to specific group and group attributes you can set in > > > radgroupreply table. (ip pool, tx, rx limit etc.) > > > > > > On Jan 25, 2008 6:18 PM, Vlad Sedov <[EMAIL PROTECTED]> wrote: > > >> Hey folks. > > >> > > >> Right now, we use freeradius to authenticate simple pap/chap PPP > > >> clients. When a username/password is rejected, radius simply send > > >> back > > >> a reject message to the NAS. > > >> > > >> Is it possible to change this behavior so that a failed auth attempt > > >> gets accepted with an alternate IP pool instead of being rejected? > > >> > > >> the idea is to force suspended users through a web proxy that tells > > >> them that they have a billing issue, instead of rejecting their > > >> connection altogether. > > >> > > >> > > >> Any help would be appreciated > > >> > > >> > > >> Vlad > > > > > > > > JB > > > > > > > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Hello, and a (hopefully) simple question
Vlad, are the passwords changed _by the billing system_ for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when the billing system changes the password. Better though might just be to have a "Expiry Due?" column added to the users, and then have "if expiry_due AND if password changed, then change usergroup" triggered. You'll have to have a way to keep track of expiration dates and so on Vlad, are the passwords changed by the billing system for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when a billing system changes the password. Better though might just be to have a "Expired Yes/No" column added to the users, and then have "if expired AND password changed, then change usergroup" triggered. You'll have to have a way to keep track of expiration dates and so on but if the renewals are for a standard period (e.g. 12 months) then you could do a. if expiry_due and password changed, change usergroup (and hence ip etc) b. if expired, password changed already and then password changed again, change usergroup back to normal on assumption that billing system has reset password when payment received. Reset expiry_due to today() plus 12 months Then again I'm probably looking at database level stuff when FreeRADIUS will provide a better way using the many bits of it I dont understand ;-) Andy On 25/01/2008, Vlad Sedov <[EMAIL PROTECTED]> wrote: > Well, what I'm trying to do is accept the session whether the password > is correct or not, but if it's not correct, assign Framed-IP-Address > from a different IP pool, so our firewall downstream from the NAS can > redirect their HTTP traffic to a payment site. > > > Vlad > > > On Jan 25, 2008 11:27 AM, JB <[EMAIL PROTECTED]> wrote: > > If it's just a message you want to display, you could use the Reply- > > Message attribute. > > Of course, your access controler would have to know how handle this > > attribute. > > > > JB > > > > > > Marinko Tarlac wrote: > > > > > radius will reply whatever you need but you need to tell him what do > > > you want. > > > > > > For example, if you're using mysql, when user account expires you > > > can add him to specific group and group attributes you can set in > > > radgroupreply table. (ip pool, tx, rx limit etc.) > > > > > > On Jan 25, 2008 6:18 PM, Vlad Sedov <[EMAIL PROTECTED]> wrote: > > >> Hey folks. > > >> > > >> Right now, we use freeradius to authenticate simple pap/chap PPP > > >> clients. When a username/password is rejected, radius simply send > > >> back > > >> a reject message to the NAS. > > >> > > >> Is it possible to change this behavior so that a failed auth attempt > > >> gets accepted with an alternate IP pool instead of being rejected? > > >> > > >> the idea is to force suspended users through a web proxy that tells > > >> them that they have a billing issue, instead of rejecting their > > >> connection altogether. > > >> > > >> > > >> Any help would be appreciated > > >> > > >> > > >> Vlad > > > > > > > > JB > > > > > > > > > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Hello, and a (hopefully) simple question
That's a very valid point, however we do all the CPE configuration ourselves. Customer, as a rule, does not have access to the PPPoE settings. I think the message they would get is going to say something like "There is a problem with your internet connection. Please call blahblahblah to resolve the problem"... Simple and effective :-) Vlad On Jan 25, 2008 11:45 AM, Alex Moen <[EMAIL PROTECTED]> wrote: > So, what would be the difference between a customer who was disconnected, and > one who cannot remember his/her password (yeah, this never happens, > right?) There would be no differentiation, and customers who have simply > forgotten their password may be upset when you tell then they are > disconnected Might want to remember that when you write your web page. > > Just my $.10... > > Alex > > > Vlad Sedov wrote: > > Well, what I'm trying to do is accept the session whether the password > > is correct or not, but if it's not correct, assign Framed-IP-Address > > from a different IP pool, so our firewall downstream from the NAS can > > redirect their HTTP traffic to a payment site. > > > > > > Vlad > > > > > > On Jan 25, 2008 11:27 AM, JB <[EMAIL PROTECTED]> wrote: > >> If it's just a message you want to display, you could use the Reply- > >> Message attribute. > >> Of course, your access controler would have to know how handle this > >> attribute. > >> > >> JB > >> > >> > >> Marinko Tarlac wrote: > >> > >>> radius will reply whatever you need but you need to tell him what do > >>> you want. > >>> > >>> For example, if you're using mysql, when user account expires you > >>> can add him to specific group and group attributes you can set in > >>> radgroupreply table. (ip pool, tx, rx limit etc.) > >>> > >>> On Jan 25, 2008 6:18 PM, Vlad Sedov <[EMAIL PROTECTED]> wrote: > Hey folks. > > Right now, we use freeradius to authenticate simple pap/chap PPP > clients. When a username/password is rejected, radius simply send > back > a reject message to the NAS. > > Is it possible to change this behavior so that a failed auth attempt > gets accepted with an alternate IP pool instead of being rejected? > > the idea is to force suspended users through a web proxy that tells > them that they have a billing issue, instead of rejecting their > connection altogether. > > > Any help would be appreciated > > > Vlad > >> > >> > >> JB > >> > >> > >> > >> > >> - > >> List info/subscribe/unsubscribe? See > >> http://www.freeradius.org/list/users.html > >> > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Hello, and a (hopefully) simple question
So, what would be the difference between a customer who was disconnected, and one who cannot remember his/her password (yeah, this never happens, right?) There would be no differentiation, and customers who have simply forgotten their password may be upset when you tell then they are disconnected Might want to remember that when you write your web page. Just my $.10... Alex Vlad Sedov wrote: Well, what I'm trying to do is accept the session whether the password is correct or not, but if it's not correct, assign Framed-IP-Address from a different IP pool, so our firewall downstream from the NAS can redirect their HTTP traffic to a payment site. Vlad On Jan 25, 2008 11:27 AM, JB <[EMAIL PROTECTED]> wrote: If it's just a message you want to display, you could use the Reply- Message attribute. Of course, your access controler would have to know how handle this attribute. JB Marinko Tarlac wrote: radius will reply whatever you need but you need to tell him what do you want. For example, if you're using mysql, when user account expires you can add him to specific group and group attributes you can set in radgroupreply table. (ip pool, tx, rx limit etc.) On Jan 25, 2008 6:18 PM, Vlad Sedov <[EMAIL PROTECTED]> wrote: Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply send back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of being rejected? the idea is to force suspended users through a web proxy that tells them that they have a billing issue, instead of rejecting their connection altogether. Any help would be appreciated Vlad JB - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Hello, and a (hopefully) simple question
Well, what I'm trying to do is accept the session whether the password is correct or not, but if it's not correct, assign Framed-IP-Address from a different IP pool, so our firewall downstream from the NAS can redirect their HTTP traffic to a payment site. Vlad On Jan 25, 2008 11:27 AM, JB <[EMAIL PROTECTED]> wrote: > If it's just a message you want to display, you could use the Reply- > Message attribute. > Of course, your access controler would have to know how handle this > attribute. > > JB > > > Marinko Tarlac wrote: > > > radius will reply whatever you need but you need to tell him what do > > you want. > > > > For example, if you're using mysql, when user account expires you > > can add him to specific group and group attributes you can set in > > radgroupreply table. (ip pool, tx, rx limit etc.) > > > > On Jan 25, 2008 6:18 PM, Vlad Sedov <[EMAIL PROTECTED]> wrote: > >> Hey folks. > >> > >> Right now, we use freeradius to authenticate simple pap/chap PPP > >> clients. When a username/password is rejected, radius simply send > >> back > >> a reject message to the NAS. > >> > >> Is it possible to change this behavior so that a failed auth attempt > >> gets accepted with an alternate IP pool instead of being rejected? > >> > >> the idea is to force suspended users through a web proxy that tells > >> them that they have a billing issue, instead of rejecting their > >> connection altogether. > >> > >> > >> Any help would be appreciated > >> > >> > >> Vlad > > > > JB > > > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Hello, and a (hopefully) simple question
If it's just a message you want to display, you could use the Reply- Message attribute. Of course, your access controler would have to know how handle this attribute. JB Marinko Tarlac wrote: radius will reply whatever you need but you need to tell him what do you want. For example, if you're using mysql, when user account expires you can add him to specific group and group attributes you can set in radgroupreply table. (ip pool, tx, rx limit etc.) On Jan 25, 2008 6:18 PM, Vlad Sedov <[EMAIL PROTECTED]> wrote: Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply send back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of being rejected? the idea is to force suspended users through a web proxy that tells them that they have a billing issue, instead of rejecting their connection altogether. Any help would be appreciated Vlad JB - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Hello, and a (hopefully) simple question
The only problem with this method is that our billing system is not (currently) capable of changing the usergroup when the account is suspended. All it does is change the password. Vlad On Jan 25, 2008 11:22 AM, Marinko Tarlac <[EMAIL PROTECTED]> wrote: > radius will reply whatever you need but you need to tell him what do you > want. > > For example, if you're using mysql, when user account expires you can add > him to specific group and group attributes you can set in radgroupreply > table. (ip pool, tx, rx limit etc.) > > > > On Jan 25, 2008 6:18 PM, Vlad Sedov <[EMAIL PROTECTED]> wrote: > > > > > > > > Hey folks. > > > > Right now, we use freeradius to authenticate simple pap/chap PPP > > clients. When a username/password is rejected, radius simply send back > > a reject message to the NAS. > > > > Is it possible to change this behavior so that a failed auth attempt > > gets accepted with an alternate IP pool instead of being rejected? > > > > the idea is to force suspended users through a web proxy that tells > > them that they have a billing issue, instead of rejecting their > > connection altogether. > > > > > > Any help would be appreciated > > > > > > Vlad > > - > > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Hello, and a (hopefully) simple question
radius will reply whatever you need but you need to tell him what do you want. For example, if you're using mysql, when user account expires you can add him to specific group and group attributes you can set in radgroupreply table. (ip pool, tx, rx limit etc.) On Jan 25, 2008 6:18 PM, Vlad Sedov <[EMAIL PROTECTED]> wrote: > Hey folks. > > Right now, we use freeradius to authenticate simple pap/chap PPP > clients. When a username/password is rejected, radius simply send back > a reject message to the NAS. > > Is it possible to change this behavior so that a failed auth attempt > gets accepted with an alternate IP pool instead of being rejected? > > the idea is to force suspended users through a web proxy that tells > them that they have a billing issue, instead of rejecting their > connection altogether. > > > Any help would be appreciated > > > Vlad > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html