Re[2]: Simultaneous-Use = 1

2001-10-01 Thread Sergey V. Sichevsky

Hello Nikolay,

Monday, October 01, 2001, 10:27:12 PM, you wrote:

>>
>>   If I define it in radcheck or radgroupcheck tables FreeRADIUS
>>   says:
NPR> [skip]
>> 
>> rlm_sql: Pairs do not match [test]
>>
NPR> You must write 'Simultaneous-Use = 1' into radreply (radgroupreply) also.

Ok. I did as you say. But the result was the same. :(

rad_recv: Access-Request packet from host 192.168.1.1:3052, id=55, length=56
User-Name = "test"
Password = "PM\436v`K\342r\231i\312\033\230\362\352n"
NAS-IP-Address = 192.168.1.1
NAS-Port = 65
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
rlm_sql: Reserving sql socket id: 4
radius_xlat:  'test'
sql_escape in:  'test'
sql_escape out:  'test'
sql_set_user:  escaped user --> 'test'
radius_xlat:  'SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
Password = "Test6523"
Password = "Test6523"
Simultaneous-Use = 1
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
radius_xlat:  'SELECT id,UserName,Attribute,Value FROM radreply WHERE Username = 'test' ORDER BY id'
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
Simultaneous-Use = 1
Simultaneous-Use = 1
Framed-IP-Address = 192.168.2.1
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
rlm_sql: Released sql socket id: 4
rlm_sql: Pairs do not match [test]
  modcall[authorize]: module "sql" retu

RE: Group authentication

2001-10-01 Thread Mike Cathey

Homero,
You can specify Framed-Filter-Id and other such attributes.  I believe
that most NASs support port redirects in filters.  Allow me to provide
another possible (less expensive?) solution.

Here is what I was planning to do for content filtered users.
Check out squid-guard.org.

Your cisco 2511 supports WCCP (v1), right?
Use WCCPv1 to redirect all port 80 traffic to a squid
(squid-cache.org) cache.  You can use a group for redundancy.  Use
FreeRADIUS's exec reply attributes to setup iptables/ipchains rules and
use your squid cache box as a radius accounting relay.  Setup each user in
a secondary group on the radius auth box (ie. grated, pgrated,
justcached).  Have the reply attribute exec (I haven't read the docs
thoroughly on how to do this) iptables and create a redirect from port 80
to whatever port matches the content rating the customer wants.  Next time
that IP from the pool is used, clear out any rules that match that source
address and add in a new one.  You may have to devise a means by which to
spread the filter rules to a cache group if you run into scalability
issues.

I'm sure the radius gurus on this list could correct me on a few things
here (and they're welcome to :).  Good luck and let us know how it goes.

Cheers,

Mike

On Mon, 1 Oct 2001, Homero Borgo Valdez wrote:

> Hi!
> i want to know if i can assign to a group of users some filter that can be
> redirected to a proxy (software of proxy = bessproxyISP) so that users on
> that group can't view porn sites, etc.. but other users on other group can
> have free view
> some thing like things on the N2H2 page
> (http://www.n2h2.com/support/terminal_server/choicenet2.php)  (by the way i
> have that service but i don't have support from they) but they use chap
> (login users on the same /etc/raddb/users file!) and i prefer the system
> authentication system (/etc/shadow)...
> 
> 
> radius server SO: solaris X86
> TS: TotalControl, Patton 2800 and Cisco 2511
> and DEFAULT Auth-Type = System
> 
> please help!
> by the way spanish is very welcome!  ;)
> 
> 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



cisco config

2001-10-01 Thread Matthew Schumacher

Can someone tell me which config file I need to edit to add the cisco 
configuration options listed in the docs/cisco file?  I read through the 
file, and it lists which configuration directives to use, but it doesn't 
say one word about which config file they go into.

I should know this, but I don't, and it isn't obvious to me.

Thanks,

schu






RE: Group authentication

2001-10-01 Thread Homero Borgo Valdez

Hi!
i want to know if i can assign to a group of users some filter that can be
redirected to a proxy (software of proxy = bessproxyISP) so that users on
that group can't view porn sites, etc.. but other users on other group can
have free view
some thing like things on the N2H2 page
(http://www.n2h2.com/support/terminal_server/choicenet2.php)  (by the way i
have that service but i don't have support from they) but they use chap
(login users on the same /etc/raddb/users file!) and i prefer the system
authentication system (/etc/shadow)...


radius server SO: solaris X86
TS: TotalControl, Patton 2800 and Cisco 2511
and DEFAULT Auth-Type = System

please help!
by the way spanish is very welcome!  ;)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mike Cathey
Sent: Monday, October 01, 2001 06:21 a.m.
To: [EMAIL PROTECTED]
Subject: Re: Group authentication


John/Dan,
Here is what I'm using in production with a snapshot of Cistron from
April (I think).  Remember that you want to put the least expensive (CPU
wise) checks first that are most likely to get rejected.  It should work
with FreeRadius (you might have to use ":=" in the check line instead of
"="; pardon the wrapping from my MUA -- it does what it's told :):

SNIP start /etc/raddb/users
DEFAULT Called-Station-Id = "1877", Group != tollcalls, Auth-Type = Reject
 Reply-Message = "You are not an authorized user of our
DialAnywhere Service",
 Fall-Through = Yes

DEFAULT Called-Station-Id = "1877", Group = tollcalls, Auth-Type = System
 Ascend-Assign-IP-Pool = 2,
 Fall-Through = Yes

DEFAULT Auth-Type = System
SNIP end /etc/raddb/users

Hope that helps!

Cheers,

Mike

John McKinney wrote:

> Dan,
>   I am trying to get freeradius setup. We are currently using Livingston
> Radius. They both allow for this as a check item.
>
> Something like:
>
> DEFAULT   Auth-Type = System, Group = "login"
>
> DEFAULT   Auth-Type = System, Group = "mailusers"
>
> Make sure you have a group 'login' and also 'mailusers' on the system and
> that the user belongs to that group. While I don't have the freeradius
> working yet, I believe this will work fine, if not someone will hopefully
> correct me. (maybe this is why I'm having trouble with authentication?:))
>
> Hope this helps,
> John McKinney
>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>To: [EMAIL PROTECTED]
>>Subject: Group authentication
>>
>>Greetings,
>>
>>Is it possible to configure FreeRadius to only authenticate system
>>accounts that belong to a specific group? I'd like it to only accounts
>>that belong to group "pppusers" while rejecting accounts belonging to
>>other groups such as "emailusers". Thanks
>>
>>Dan Houtz






Re: Simultaneous-Use = 1

2001-10-01 Thread Nikolay P. Romanyuk

Who is this, Drinkins?
It's Sergey V. Sichevsky [[EMAIL PROTECTED]] wrote:
>   
>   If I define it in radcheck or radgroupcheck tables FreeRADIUS
>   says:
[skip]
> 
> rlm_sql: Pairs do not match [test]
>
You must write 'Simultaneous-Use = 1' into radreply (radgroupreply) also.

Some question for developer:

We have a different tables 'radcheck' - for check phase in authorizing
and 'radreply' - for send some attributes back to NAS.

Why we need compare 'request', 'check' and 'reply' attributes in paircmp()???
IMHO need compare request and check valuepairs only. May I stupid :) but
as I see in RFC2865/RFC2866 NAS don't require full back return from server
check attributes.

Some bugfix: insert into rlm_sql.c pairmove() before paircmp() in line 279.
Or rewrite paircompare() in src/main/valuepair.c

Good. NAS require it. Next question: Why we use different tables???
IMHO more logical make 'radauthorize' table and wrote 'check' and
'reply' value pairs.

Best Wishes, Mag

P.S. I am very sorry, but letters to '[EMAIL PROTECTED]' without replies.
I have a patches fixing detecting PostgreSQL on FreeBSD-4.X and autoreconnect
to PostgreSQL server. Also, some working to add T_OP_REG_EQ and other operators
in rlm_sql module (I need it for some checking like 'Calling-Station-Id' and
other :))
-- 
Nikolay P. Romanyuk - NR42-RIPE, NPR1-RIPN




Re: Can't get rlm_ldap to compile

2001-10-01 Thread aland

Matthew Schumacher <[EMAIL PROTECTED]> wrote:
> I needed to add -ldl to the linker.  It seems that I have needed to do 
> this a lot on my redhat 7.1 box.  Any ideas why configure didn't sort 
> this out for me, or is it how I have my redhat machine setup?

  The configure script probably didn't test for it.  That test will
have to be added.

  Alan DeKok.




Re: ldap memory leaks

2001-10-01 Thread aland

Matthew Schumacher <[EMAIL PROTECTED]> wrote:
> I was reading the list archives and it seems that there were problems 
> with ldap leaking memory.  I was wondering if that was cleared up?  I am 
> testing an ldap-freeradius setup now and it doesn't seem to be growing 
> on me.

  See 'doc/rlm_ldap'.

  It appears to leak on Solaris, but not on Linux.

  Alan DeKok.




ldap memory leaks

2001-10-01 Thread Matthew Schumacher

Hello all,

I was reading the list archives and it seems that there were problems 
with ldap leaking memory.  I was wondering if that was cleared up?  I am 
testing an ldap-freeradius setup now and it doesn't seem to be growing 
on me.

thanks,

schu





Re: I have no portgres, but make wants to compile support for it

2001-10-01 Thread Robert Divko




...with the following error as a result... configure bug?

Making static in rlm_sql_postgresql...
gmake[10]: Entering directory 
`/usr/src/cvs/radiusd/src/modules/rlm_sql/drivers/rlm_sql_postgresql'
gcc  -g -O2 -D_REENTRANT -Wall -D_GNU_SOURCE -Wshadow -Wpointer-arith 
-Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes 
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -I../.. 
-I../../../../include -I  -c sql_postgresql.c -o sql_postgresql.o
In file included from sql_postgresql.c:48:
sql_postgresql.h:6:29: libpq-fe.h: No such file or directory

-- 
Juan Carlos Castro y Castro | "Standing up to an evil system is
[EMAIL PROTECTED]  | exhilarating." -Richard Stallman
Rio de Janeiro - Brazil | http://www.vialink.com.br/~jcastro
DC4DC #25   | chmod a+x /bin/laden


mv the directory rlm_sql_postgresql to no_rlm_sql_postgresql
and it will not be found by the makefile.  It worked for me.
Ciao, Robert Divko
 
--

Dr. Robert Divko, Kiem-Pauli-Weg 15, 83052 Bruckmühl
tel: 08062/79700, 0172/8337394, fax: 08062/79701
[EMAIL PROTECTED], [EMAIL PROTECTED]
 




RE: Ascend-Client-Primary-DNS does't work!?!

2001-10-01 Thread Robert Divko


 

At 07:10 AM 9/30/2001 +0200, Robert Divko wrote:
>Has somebody an idea why users of an ascend max 4030
>don't receive the DNS Information by PPP with freeradius,
>while using "radius-livingston 2.1-30" or "radius-1.16-ascend"
>with (almost) identical settings in the users file
>everything works fine.
>
>This is the configuration in freeradius users file (syntax):
>
>DEFAULT Auth-Type := System
> Fall-Through = 1
>#
>DEFAULT Service-Type == Framed-User, Framed-Protocol == PPP
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Ascend-Assign-IP-Pool = 1,
> Ascend-Client-Primary-DNS = 62.180.107.2,
> Ascend-Client-Secondary-DNS = 212.72.80.131,
> Ascend-Idle-Limit = 600,
> Fall-Through = Yes

Check the dictionary you are using as well as the configuration of
the MAX.

The MAX will have three settings for attributes "compat mode":

    OLD - This is the old unencapsulated attributes ( non-vsa )
    VSA - This is the RFC-Compliant standard 8 bit VSA mode, what
  most people think when they say VSA.
    16-Bit VSA - This is an Ascend specific 16 bit VSA format that
  is not currently supported by FreeRADIUS.

Freeradius has two settings, depending on the dictionary specified
and the attributes you use.

  Ascend-Client-Primary-DNS   -  This is VSA format

I'm using the above format for all radiuses

  X-Ascend-Client-Primary-DNS -  This is OLD format

In order for it to work properly, you'll need to have FreeRADIUS
and your MAX set to use both the same style of attributes.  I'd
recommend putting the MAX in VSA mode.

Note that auth and accounting both allow you specify the attribute
style used.  You'll want to make sure you change both to the same
format on your MAXes.

>BTW: Using local authentication on the ascend also
>doesn't give the clients a valid DNS server
>(Where can one configure this?).

I believe you can set this under:

    Ethernet->Mod Config->DNS

That's  for the ascend itself not for the clients. I found entries
in the ascend
connection profile for client DNS (which wasn't necessary using the
older radiuses).



( at least, that is where it is on MAX 6000 TAOS 9.1 ).

-Chris
--
    \\\|||///  \  Chris Parker    -    Manager, Development Engineering
    \ ~   ~ /   \   WX *is* Wireless!    \   [EMAIL PROTECTED]
    | @   @ |    \   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





--

Dr. Robert Divko, Kiem-Pauli-Weg 15, 83052 Bruckmühl
tel: 08062/79700, 0172/8337394, fax: 08062/79701
[EMAIL PROTECTED], [EMAIL PROTECTED]
 




Re: Can't get rlm_ldap to compile

2001-10-01 Thread Matthew Schumacher

Alan,

Ok I got it to work

I needed to add -ldl to the linker.  It seems that I have needed to do 
this a lot on my redhat 7.1 box.  Any ideas why configure didn't sort 
this out for me, or is it how I have my redhat machine setup?

thanks again,

schu


[EMAIL PROTECTED] wrote:

> Matthew Schumacher <[EMAIL PROTECTED]> wrote:
> 
>>still doesn't work:
>>
>>[root@mail1 rlm_ldap]# ./configure
>>
> 
>  Have you tried doing 'configure' from the TOP directory of the source
> tree?
> 
> 
>>checking for ldap_init in -lldap... no
>>configure: warning: silently not building rlm_ldap.
>>
> 
>   Yup.  That's exactly what I would expect.
> 
> 
>>Any other ideas?
>>
> 
>   Do a 'configure' from the top-level directory.  Odds are that it
> will work.
> 
>   Why?  Look at 'rlm_ldap/config.log'.  Find the line where it's
> failing to find ldap_init() in -lldap.  It will be probably
> complaining about some 'res_XXX' functions.
> 
>   Try:
> 
> [root@mail1 rlm_ldap]# LIBS=-lresolv ./configure
> 
> 
>   If you run configure from the top-level directory, it finds this for
> you.
> 
>   Yes, we *could* make each module's "configure" file complete and
> perfect.  But that takes time, and they're not really meant to be run
> from that directory.
> 
>   Alan DeKok.






Re: Can't get rlm_ldap to compile

2001-10-01 Thread aland

Matthew Schumacher <[EMAIL PROTECTED]> wrote:
> still doesn't work:
> 
> [root@mail1 rlm_ldap]# ./configure

 Have you tried doing 'configure' from the TOP directory of the source
tree?

> checking for ldap_init in -lldap... no
> configure: warning: silently not building rlm_ldap.

  Yup.  That's exactly what I would expect.

> Any other ideas?

  Do a 'configure' from the top-level directory.  Odds are that it
will work.

  Why?  Look at 'rlm_ldap/config.log'.  Find the line where it's
failing to find ldap_init() in -lldap.  It will be probably
complaining about some 'res_XXX' functions.

  Try:

[root@mail1 rlm_ldap]# LIBS=-lresolv ./configure


  If you run configure from the top-level directory, it finds this for
you.

  Yes, we *could* make each module's "configure" file complete and
perfect.  But that takes time, and they're not really meant to be run
from that directory.

  Alan DeKok.




I have no portgres, but make wants to compile support for it

2001-10-01 Thread Juan Carlos Castro y Castro

...with the following error as a result... configure bug?

Making static in rlm_sql_postgresql...
gmake[10]: Entering directory 
`/usr/src/cvs/radiusd/src/modules/rlm_sql/drivers/rlm_sql_postgresql'
gcc  -g -O2 -D_REENTRANT -Wall -D_GNU_SOURCE -Wshadow -Wpointer-arith 
-Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes 
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -I../.. 
-I../../../../include -I  -c sql_postgresql.c -o sql_postgresql.o
In file included from sql_postgresql.c:48:
sql_postgresql.h:6:29: libpq-fe.h: No such file or directory

-- 
Juan Carlos Castro y Castro | "Standing up to an evil system is
[EMAIL PROTECTED]  | exhilarating." -Richard Stallman
Rio de Janeiro - Brazil | http://www.vialink.com.br/~jcastro
DC4DC #25   | chmod a+x /bin/laden






Re: Can't get rlm_ldap to compile

2001-10-01 Thread Matthew Schumacher

hmmm,

still doesn't work:

[root@mail1 rlm_ldap]# ./configure
creating cache ./config.cache
checking for gcc... gcc
checking whether the C compiler (gcc  ) works... yes
checking whether the C compiler (gcc  ) is a cross-compiler... no
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking for lber.h... yes
checking for ldap.h... yes
checking for sasl_encode in -lsasl... no
checking for DH_new in -lcrypto... no
checking for SSL_new in -lssl... no
checking for ber_init in -llber... yes
checking for ldap_init in -lldap... no
configure: warning: silently not building rlm_ldap.
configure: warning: FAILURE: rlm_ldap requires:  libldap.
updating cache ./config.cache
creating ./config.status
creating Makefile

[root@mail1 rlm_ldap]# ldconfig -p | grep ldap
 libldap_r.so.2 (libc6) => /usr/local/lib/libldap_r.so.2
 libldap_r.so (libc6) => /usr/local/lib/libldap_r.so
 libldap.so.2 (libc6) => /usr/local/lib/libldap.so.2
 libldap.so (libc6) => /usr/local/lib/libldap.so

Any other ideas?

schu


[EMAIL PROTECTED] wrote:

> Matthew Schumacher <[EMAIL PROTECTED]> wrote:
> 
>>checking for ldap_initialize in -lldap... no
>>
> 
>   Weird.  The code itself uses ldap_init(), not ldap_initialize().
> 
>   Hmm.. and if I change the configure script to look for ldap_init(),
> it doesn't work for me.
> 
>   After some poking, I discovered at least one typo in the configure
> script.
> 
>   Please grab the latest CVS snapshot tomorrow morning.  That should
> contain the fix.
> 
>   Alan DeKok.
> 
> 
> 
> 






Simultaneous-Use = 1

2001-10-01 Thread Sergey V. Sichevsky

Hello freeradius-users,

  How can I define Simultaneous-Use = 1 in SQL Schema?
  
  If I define it in radcheck or radgroupcheck tables FreeRADIUS
  says:

rad_recv: Access-Request packet from host 192.168.1.1:4353, id=201, length=56
User-Name = "test"
Password = "PM\436v`K\342r\231i\312\033\230\362\352n"
NAS-IP-Address = 192.168.1.1
NAS-Port = 1
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
rlm_sql: Reserving sql socket id: 4
radius_xlat:  'test'
sql_escape in:  'test'
sql_escape out:  'test'
sql_set_user:  escaped user --> 'test'
radius_xlat:  'SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
Password = "Test6523"
Password = "Test6523"
Simultaneous-Use = 1
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
radius_xlat:  'SELECT id,UserName,Attribute,Value FROM radreply WHERE Username = 'test' ORDER BY id'
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_postgresql Status: PGRES_TUPLES_OK
sql_postgresql: affected rows =
Framed-Protocol = PPP
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-MTU = 1500
Framed-Protocol = PPP

Re: Ascend-Client-Primary-DNS does't work!?!

2001-10-01 Thread Chris Parker

At 07:10 AM 9/30/2001 +0200, Robert Divko wrote:
>Has somebody an idea why users of an ascend max 4030
>don't receive the DNS Information by PPP with freeradius,
>while using "radius-livingston 2.1-30" or "radius-1.16-ascend"
>with (almost) identical settings in the users file
>everything works fine.
>
>This is the configuration in freeradius users file (syntax):
>
>DEFAULT Auth-Type := System
> Fall-Through = 1
>#
>DEFAULT Service-Type == Framed-User, Framed-Protocol == PPP
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Ascend-Assign-IP-Pool = 1,
> Ascend-Client-Primary-DNS = 62.180.107.2,
> Ascend-Client-Secondary-DNS = 212.72.80.131,
> Ascend-Idle-Limit = 600,
> Fall-Through = Yes

Check the dictionary you are using as well as the configuration of
the MAX.

The MAX will have three settings for attributes "compat mode":

OLD - This is the old unencapsulated attributes ( non-vsa )
VSA - This is the RFC-Compliant standard 8 bit VSA mode, what
  most people think when they say VSA.
16-Bit VSA - This is an Ascend specific 16 bit VSA format that
  is not currently supported by FreeRADIUS.

Freeradius has two settings, depending on the dictionary specified
and the attributes you use.

  Ascend-Client-Primary-DNS   -  This is VSA format
  X-Ascend-Client-Primary-DNS -  This is OLD format

In order for it to work properly, you'll need to have FreeRADIUS
and your MAX set to use both the same style of attributes.  I'd
recommend putting the MAX in VSA mode.

Note that auth and accounting both allow you specify the attribute
style used.  You'll want to make sure you change both to the same
format on your MAXes.

>BTW: Using local authentication on the ascend also
>doesn't give the clients a valid DNS server
>(Where can one configure this?).

I believe you can set this under:

Ethernet->Mod Config->DNS

( at least, that is where it is on MAX 6000 TAOS 9.1 ).

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'
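
Added example, not part of Chris Parker's message and not FreeRADIUS code: the same DNS reply attribute encoded in the OLD (unencapsulated) and 8-bit VSA styles he describes, with a decoder showing that a NAS expecting one style finds nothing in the other. The vendor id 529 and attribute number 135 are assumptions taken from the usual Ascend dictionary; the function names are made up here, and the 16-bit VSA style is not modelled.

```python
import socket
import struct

VENDOR_SPECIFIC = 26       # RFC 2865 attribute type that carries VSAs
ASCEND_VENDOR_ID = 529     # assumption: Ascend's enterprise number
CLIENT_PRIMARY_DNS = 135   # assumption: number from the Ascend dictionary


def encode_old(attr_type, ip):
    """OLD mode: the Ascend number is sent as a top-level RADIUS attribute."""
    value = socket.inet_aton(ip)
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id, vendor_type, ip):
    """VSA mode: type 26, 32-bit vendor id, then an 8-bit type/length sub-attribute."""
    value = socket.inet_aton(ip)
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def _tlvs(buf):
    """Yield (type, value) from a run of 8-bit type/length TLVs, rejecting bad lengths."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated TLV header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("TLV length out of bounds")
        yield t, buf[i + 2:i + length]
        i += length


def decode(attrs):
    """Return (style, vendor, type, value) for every attribute in the list."""
    out = []
    for a_type, body in _tlvs(attrs):
        if a_type == VENDOR_SPECIFIC:
            if len(body) < 4:
                raise ValueError("VSA shorter than its vendor id")
            vendor = struct.unpack("!I", body[:4])[0]
            out.extend(("vsa", vendor, t, v) for t, v in _tlvs(body[4:]))
        else:
            out.append(("old", None, a_type, body))
    return out


def client_dns_seen(attrs, nas_mode):
    """Primary DNS addresses a NAS in compat mode 'old' or 'vsa' would pick up."""
    found = []
    for style, vendor, a_type, value in decode(attrs):
        if style != nas_mode or a_type != CLIENT_PRIMARY_DNS or len(value) != 4:
            continue
        if style == "vsa" and vendor != ASCEND_VENDOR_ID:
            continue
        found.append(socket.inet_ntoa(value))
    return found


# Constructed reply attribute using the DNS address from the quoted users file.
OLD_WIRE = encode_old(CLIENT_PRIMARY_DNS, "62.180.107.2")
VSA_WIRE = encode_vsa(ASCEND_VENDOR_ID, CLIENT_PRIMARY_DNS, "62.180.107.2")

if __name__ == "__main__":
    print("old:", OLD_WIRE.hex())
    print("vsa:", VSA_WIRE.hex())
    print("server VSA, NAS vsa:", client_dns_seen(VSA_WIRE, "vsa"))
    print("server VSA, NAS old:", client_dns_seen(VSA_WIRE, "old"))
```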





Re: new pretender/questions

2001-10-01 Thread aland

 Luiz Felipe Ceglia <[EMAIL PROTECTED]> wrote:
> I would like to know if freeradius can execute programs when the user 
> disconnects, as that is the only way I could quickly think about managing 
> connection remaining times.

  From 'raddb/acct_users':

#
#DEFAULT Acct-Status-Type == Stop
#        Exec-Program-Wait = "/path/to/stop-program"

  Yes.

  Alan DeKok.




Re: IP Pools

2001-10-01 Thread Chris Parker

At 10:34 AM 10/1/2001 +0100, you wrote:

>Is there anyone out there working on a dynamic IP pool management function
>for FreeRadius?

Can you explain what you are looking for?  Currently you can assign an
IP based on the NAS-Port for most general types of NAS.

I'm of the school that thinks dynamic IP pool management should be and is
best done on the NAS.  Trying to manage IP pools in RADIUS is very iffy
IMHO and prone to many more failure modes than I'm comfortable with.

-Chris
--
\\\|||///  \  Chris Parker-Manager, Development Engineering
\ ~   ~ /   \   WX *is* Wireless!\   [EMAIL PROTECTED]
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Without C we would have 'obol', 'basi', and 'pasal'





Re: Login-Time Question:

2001-10-01 Thread aland

"Bogdan" <[EMAIL PROTECTED]> wrote:
> We try to set the Session-Timeout to the difference 
> Login-Time = "Wk1200-1700"
> and if user connects at 1600 then set the Session-Timeout = 3600
> Should this work? 
> it seems like it does not

  Don't set the Session-Timeout.  Login-Time will do that for you.

  Alan DeKok.
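
Added example, not part of Alan DeKok's reply and not FreeRADIUS code: a simplified Python model of how a Login-Time string such as "Wk1200-1700" already determines the remaining session time, which is why a separate Session-Timeout is not needed. It assumes the end of a range is exclusive and rejects ranges that cross midnight; parse_login_time and session_timeout are names made up for this example.

```python
import re
from datetime import datetime

# Day tokens mapped to Python weekday numbers (Monday = 0).
DAYS = {"mo": {0}, "tu": {1}, "we": {2}, "th": {3}, "fr": {4},
        "sa": {5}, "su": {6}, "wk": {0, 1, 2, 3, 4},
        "any": set(range(7)), "al": set(range(7))}
DAY_TOKEN = re.compile(r"any|al|wk|mo|tu|we|th|fr|sa|su")
ENTRY = re.compile(r"^((?:any|al|wk|mo|tu|we|th|fr|sa|su)+)(?:(\d{4})-(\d{4}))?$")


def _minutes(hhmm):
    """Convert 'HHMM' to minutes after midnight, rejecting impossible times."""
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 24 or minutes > 59 or (hours == 24 and minutes):
        raise ValueError("bad time of day: %s" % hhmm)
    return hours * 60 + minutes


def parse_login_time(spec):
    """Parse 'Wk1200-1700,SaSu0900-1300' into (weekdays, start_min, end_min) windows."""
    windows = []
    for entry in re.split(r"[,|]", spec.strip().lower()):
        match = ENTRY.match(entry.strip())
        if not match:
            raise ValueError("unparseable Login-Time entry: %r" % entry)
        days = set()
        for token in DAY_TOKEN.findall(match.group(1)):
            days |= DAYS[token]
        start = _minutes(match.group(2)) if match.group(2) else 0
        end = _minutes(match.group(3)) if match.group(3) else 24 * 60
        if start >= end:
            raise ValueError("ranges crossing midnight are not modelled here")
        windows.append((days, start, end))
    return windows


def session_timeout(spec, now):
    """Seconds left in the current allowed window, or None if login is not allowed."""
    minute_of_day = now.hour * 60 + now.minute
    best = None
    for days, start, end in parse_login_time(spec):
        if now.weekday() in days and start <= minute_of_day < end:
            left = (end - minute_of_day) * 60 - now.second
            best = left if best is None else max(best, left)
    return best


if __name__ == "__main__":
    # Constructed case from the question: a weekday login at 16:00.
    print(session_timeout("Wk1200-1700", datetime(2001, 10, 1, 16, 0)))
```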




Re: Default entries in raddb/users file

2001-10-01 Thread Mike Cathey

Michael,
You might be able to use nsswitch/pam to do the job.  I'm not sure if 
there is an auth_mysql module for pam, but I know you can tell it what 
order in which to use the auth mechanisms that it has.  For example:

SNIP start /etc/nsswitch.conf
passwd: ldap files
shadow: ldap files
group:  ldap files
SNIP end /etc/nsswitch.conf

You could then use Auth-Type := PAM and let pam do the work for you.

If there isn't a MySQL module for pam (I'm honestly not sure).  You 
should be able to use/modify some of the external auth code from qmail 
to make your own external auth mechanism for FreeRADIUS--which I'm 
fairly sure it supports.

Another option would be to rebuild the local .db files from the mysql 
table when changes are made (NOTE: MySQL now supports perl-based stored 
procedures).  SSH/rsync might help do the trick securely for you there.

Cheers,

Mike

Michael Dodd wrote:

> Thanks for the info Alan!  After I wrote the email I started to consider
> that It may not be possible.  I guess I should have spent more "quality
> time" with the docs, but I wasn't even sure that fail-over was what I was
> dealing with.  Thanks again!
> - Original Message -
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, September 29, 2001 6:10 AM
> Subject: Re: Default entries in raddb/users file
> 
> 
> 
>>"Michael Dodd" <[EMAIL PROTECTED]> wrote:
>>
>>>The goal is to have a radius server that will first attempt to
>>>
> authenticate
> 
>>>from the FreeBSD system files ( /etc/passwd ) and if that fails, try to
>>>authenticate from the MySQL database.
>>>
>>  OK, the fail-over mechanism isn't well documented in the
>>radiusd.conf file.  See the file 'doc/configurable_failover' for more
>>information.
>>
>>  And you might not even be able to do it, anyways.  Right now, the
>>server really only does one kind of authentication at a time.  You can
>>pick between them on the fly, but each request will use only one
>>authentication.
>>
>>  Alan DeKok.
>>
> 
> 
> 
> 
> 
> 






Re: Group authentication

2001-10-01 Thread Mike Cathey

John/Dan,
Here is what I'm using in production with a snapshot of Cistron from 
April (I think).  Remember that you want to put the least expensive (CPU 
wise) checks first that are most likely to get rejected.  It should work 
with FreeRadius (you might have to use ":=" in the check line instead of 
"="; pardon the wrapping from my MUA -- it does what it's told :):

SNIP start /etc/raddb/users
DEFAULT Called-Station-Id = "1877", Group != tollcalls, Auth-Type = Reject
 Reply-Message = "You are not an authorized user of our 
DialAnywhere Service",
 Fall-Through = Yes

DEFAULT Called-Station-Id = "1877", Group = tollcalls, Auth-Type = System
 Ascend-Assign-IP-Pool = 2,
 Fall-Through = Yes

DEFAULT Auth-Type = System
SNIP end /etc/raddb/users

Hope that helps!

Cheers,

Mike

John McKinney wrote:

> Dan,
>   I am trying to get freeradius setup. We are currently using Livingston
> Radius. They both allow for this as a check item.
> 
> Something like:
> 
> DEFAULT   Auth-Type = System, Group = "login"
>
> DEFAULT   Auth-Type = System, Group = "mailusers"
>
> Make sure you have a group 'login' and also 'mailusers' on the system and
> that the user belongs to that group. While I don't have the freeradius
> working yet, I believe this will work fine, if not someone will hopefully
> correct me. (maybe this is why I'm having trouble with authentication?:))
>
> Hope this helps,
> John McKinney
>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>To: [EMAIL PROTECTED]
>>Subject: Group authentication
>>
>>Greetings,
>>
>>Is it possible to configure FreeRadius to only authenticate system
>>accounts that belong to a specific group? I'd like it to only accounts
>>that belong to group "pppusers" while rejecting accounts belonging to
>>other groups such as "emailusers". Thanks
>>
>>Dan Houtz






FREE RADIUS - CVX1800 NORTEL

2001-10-01 Thread Fernando Londe



 
Hi there!

I was wondering does anybody setup the freeradius (latest version)
to work with cvx1800 from nortel networks,
I really need some help in how to configure them,

right now we are using the presides radius from nortel
but we want to change to freeradius.

Thanks

Mimmo


IP Pools

2001-10-01 Thread freeradius-users


Is there anyone out there working on a dynamic IP pool management function
for FreeRadius?  

Alternatively, just in case, does anyone know of another :-(
Linux-supported RADIUS server which does? 

Regards,

SB


Scott Bartlett 
BTA Limited
United Kingdom
http://www.bta.com

Network Consultancy and Support for Windows 9x/NT and MacOS.
Internet connectivity, solutions, and business services.  






radcheck.log is empty

2001-10-01 Thread Andrew Melnikov

Hello,

I try to use Simultaneous-Use pseudo check item. I changed checkrad script
to create debug log. When I run the script manually it works fine and prints
something to the log. But when I run freeradius it doesn't print.

Here is my /etc/raddb/users file:

DEFAULT Auth-Type := Sql, Simultaneous-Use = 1
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Fall-Through = Yes

# On no match, the user is denied access.

With best regards,
Andrew.

