openLDAP & freeRADIUS

2002-05-22 Thread Mazen R. Kassem

Hi All

As I mentioned before, I have installed LDAP successfully on Linux 7.1 and am able to add users and search the database. On top of that I installed freeradius 5 and followed the instructions "radius authentication using LDAP", but the test command "radtest" always replies with the message "radius_client: no response from the server"

Plus I tried to telnet to that server, but that was also hopeless: "login incorrect"

I'm attaching my configured files. Please, if I missed something or there is an additional step to follow, guide me.

Thanks 

Mazen 

Integrated Networks Co.

Tel:  2734474 x 148

Fax: 2734117 x 148

Mob: 054170626

Email: [EMAIL PROTECTED]





Attachments: clients, dictionary, radiusd.conf, slapd.conf, users, logmessages


downloadable ACLs

2002-05-22 Thread Florin Andrei

I see in the Cisco PIX documentation that the PIX firewall supports
downloadable ACLs: instead of storing them on the PIX and pass the ACL
ID from RADIUS, you can download them by request.

Is this something doable with FreeRadius?

-- 
Florin Andrei

Democracy is three wolves and a sheep voting on
what to have for dinner.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: proxy and replicate

2002-05-22 Thread Florin Andrei

On Wed, 2002-05-22 at 07:40, Chris Parker wrote:
> 
> proxy server acts as the middle-man.  The remote server sees the request
> coming from the proxy server.  The only indication the remote server has
> regarding the origin of the request is via the NAS-IP-Address or NAS-
> Identifier.  The source IP address of the packet as seen by the remote
> server will be the
> The source-ip of the packets they receive will be the ip of proxying
> server.  That source-ip is what is used to determine the shared-secret
> to use.  If what you are trying to avoid is having to configure all of
> your NAS into the auth servers, then that is how proxy is meant to work.

Yes, this is what i'm trying to do: keep the configuration on the
authentication servers simple (no NAS addresses), and do all the gory
authorisation stuff with FreeRadius, in MySQL. Good point about the
shared-secret too.

There's only one more thing: my authentication Radius servers sit on top
of a proprietary one-time-password application that has its own
mechanisms to control the authorisation. For each user, it has the
so-called "pass-actions" fields, containing the NAS IP addresses that
are acceptable for that user.
It looks like i have to dig into the documentation and figure out
whether the pass-actions are determined based on the source IP of the
packets, or based on the NAS-IP-Address field.

If the authentication is done based on the NAS-IP-Address, then i guess
i'll configure the proxy to authenticate via PAM, and i'll install and
configure the PAM authentication module. This way, i'm sure i'll be able
to totally hide the NAS address, no matter what the RFC says. :-)

-- 
Florin Andrei

Democracy is three wolves and a sheep voting on
what to have for dinner.
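
The distinction discussed in this message, as an added example that is not part of the original post: the receiving server selects the client entry and shared secret from the packet's source IP, while NAS-IP-Address (attribute 4) and NAS-Identifier (attribute 32) are fields inside the request that a proxy passes along. The addresses, the `CLIENTS` table and the `nas_allowed` check are constructed for illustration; how the one-time-password product actually evaluates its "pass-actions" is not known from the thread.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32  # RFC 2865 attribute types

# Constructed clients table of the remote auth server: it knows only the proxy.
CLIENTS = {"192.0.2.10": {"name": "radius-proxy", "secret": b"constructed-secret"}}


def build_access_request(ident, authenticator, attrs):
    """Encode an Access-Request: 20-byte header, then type/length/value attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, id, attrs); raise ValueError when the lengths do not add up."""
    if len(data) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad packet length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


def describe_request(src_ip, data):
    """Report which client entry the source IP selects and which NAS the request claims."""
    client = CLIENTS.get(src_ip)
    if client is None:
        return None  # no client entry for this source address, so no secret to use
    _code, _ident, attrs = parse_packet(data)
    info = {"client": client["name"], "source_ip": src_ip, "nas_ip": None, "nas_id": None}
    for a_type, value in attrs:
        if a_type == NAS_IP_ADDRESS and len(value) == 4:
            info["nas_ip"] = str(ipaddress.IPv4Address(value))
        elif a_type == NAS_IDENTIFIER:
            info["nas_id"] = value.decode("utf-8", "replace")
    # A NAS-IP-Address that differs from the source IP means the request was relayed.
    info["via_proxy"] = info["nas_ip"] not in (None, src_ip)
    return info


def nas_allowed(info, allowed_nas, basis):
    """Hypothetical per-user NAS allow-list, keyed on one of the two identities."""
    seen = info["source_ip"] if basis == "source-ip" else info["nas_ip"]
    return seen in allowed_nas


# Constructed request: NAS 10.1.1.5 sent it, the proxy at 192.0.2.10 relayed it.
SAMPLE = build_access_request(7, bytes(16), [
    (USER_NAME, b"alice"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.1.1.5").packed),
    (NAS_IDENTIFIER, b"nas-dialup-1"),
])

if __name__ == "__main__":
    info = describe_request("192.0.2.10", SAMPLE)
    print(info)
    for basis in ("source-ip", "nas-ip-address"):
        print(basis, "->", nas_allowed(info, {"10.1.1.5"}, basis))
```

With an allow-list containing only the NAS address, the check keyed on source IP sees the proxy and fails, while the check keyed on NAS-IP-Address still sees the original NAS.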





Re: possible to add realm in huntgroup

2002-05-22 Thread Chris Parker

At 04:49 PM 5/22/2002 -0600, [EMAIL PROTECTED] wrote:
>I'm playing with an idea to try to hide realm information from users,
>basically so I can do things without having to change too much on their
>end.  The setup is this:
>
>  NAS   -> radius1 (freeradius)  -> radius2 (safeword)
>
>At the moment I have it so if you login as [EMAIL PROTECTED] into the NAS,
>radius1 will proxy the authentication request to radius2.  This works
>like a champ.
>
>I'd like to be able to drop the @sybase.com for people dialing into the
>NAS, but still be able to proxy them to radius2.

Setup the realm 'sybase.com' as you have now.

Add entries to the users file that contain the 'Proxy-To-Realm' attribute.

Usage is the same as the 'Replicate-To-Realm' attribute discussed on this
list a short time ago.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






possible to add realm in huntgroup

2002-05-22 Thread jason . ornstein

I'm playing with an idea to try to hide realm information from users,
basically so I can do things without having to change too much on their
end.  The setup is this:

 NAS   -> radius1 (freeradius)  -> radius2 (safeword)

At the moment I have it so if you login as [EMAIL PROTECTED] into the NAS,
radius1 will proxy the authentication request to radius2.  This works
like a champ.

I'd like to be able to drop the @sybase.com for people dialing into the
NAS, but still be able to proxy them to radius2.

Something like this on radius1

 if (from NAS and NAS-Port-Type == Async)
  proxy to radius2
 else
  system authentication locally

I was trying to think of a way of doing this in huntgroups.  I know that I
can do something like this in huntgroups:

 NAS  NAS-IP-Address == xx.xx.xx.xx, NAS-Port-Type == Async
  User-Name = user

But I don't know if I can use the variable substitution to add something to
user, that being @sybase.com so that after the preprocess step the username
is really [EMAIL PROTECTED]

If this can't currently be handled, any suggestions where to start trying
to add this?

-jason





Re: Fix for Exec-Program-Wait

2002-05-22 Thread Rodrigo Gonzalez

I am testing it right now... the only thing I changed is:

radlog(L_DBG, "Exec-Program: returned: %d", status);

to

radlog(L_INFO, "Exec-Program: returned: %d", status);

To allow me to quickly watch any problem with the external auth program...

Regards,

Rodrigo Gonzalez.

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 22, 2002 4:05 PM
Subject: Fix for Exec-Program-Wait


>   I've just committed a fix to the tree which should *hopefully* fix
> the problem with the server locking up, when using Exec-Program-Wait.
>
>   If you're using Exec-Program-Wait, and are willing to test the CVS
> snapshot from tonight, please try it out, and report success/failure
> to the list.
>
>   If this change doesn't solve the problem, then there's more work to
> do.  If it DOES solve the problem, then it would help enormously to
> know that.
>
>   Alan DeKok.
>





C++ radius client library ...

2002-05-22 Thread Emir Mulabegovic

Hello,
Does anyone know about some C++ based radius client library or C++
wrapper on libradius?

Thank you 

EMir Mulabegovic();




Re: Fix for Exec-Program-Wait

2002-05-22 Thread John

Is this the problem that I have been seeing?  You mentioned Exec-Program-Wait 
in prior emails.  If so, I'll try this out tonight.

cheers,
john

Quoting Alan DeKok <[EMAIL PROTECTED]>:

>   I've just committed a fix to the tree which should *hopefully* fix
> the problem with the server locking up, when using Exec-Program-Wait.
> 
>   If you're using Exec-Program-Wait, and are willing to test the CVS
> snapshot from tonight, please try it out, and report success/failure
> to the list.
> 
>   If this change doesn't solve the problem, then there's more work to
> do.  If it DOES solve the problem, then it would help enormously to
> know that.
> 
>   Alan DeKok.
> 


John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
877.716.2002 x 529
---
Anyone could say, "What fantastic and expensive items you have! Oh, how I 
wish they were mine!" But I have proven my sincerity by going that extra mile 
and actually robbing you blind.




Fix for Exec-Program-Wait

2002-05-22 Thread Alan DeKok

  I've just committed a fix to the tree which should *hopefully* fix
the problem with the server locking up, when using Exec-Program-Wait.

  If you're using Exec-Program-Wait, and are willing to test the CVS
snapshot from tonight, please try it out, and report success/failure
to the list.

  If this change doesn't solve the problem, then there's more work to
do.  If it DOES solve the problem, then it would help enormously to
know that.

  Alan DeKok.




Re: mysql problem?

2002-05-22 Thread Petre L. Daniel

eh.. i just vacuum radacct..
thx anyway

On Wed, 22 May 2002, Alexandre Strube wrote:

> On Wed, 22 May 2002 16:50:06 +0300 (EEST), Petre L. Daniel wrote:
> 
> Was the radiusd stopped? Are you running it with supervise or something like
> that?
> This happens here when radius is not responding on the very same moment
> that the dialup user disconnects, because of the obvious fact that the STOP
> packet is not logged on mysql. Some days ago, I don't know why, both supervise
> and radiusd stopped working at 3am. As the stop packets weren't logged, my
> dialup-admin was a mess. I had to delete all invalid entries... 
> 
> The quickest way to do this is to remove all lines from sql which have the
> AcctStopTime filled with -00-00 00:00:00
> 
> Something like DELETE FROM radacct WHERE AcctStopTime = '-00-00 00:00:00'
> 
> As the dialup users will eventually disconnect, the correct stop times will
> be logged and everything will come back to normal.
> 
> >heyah.
> >it seems that since some days ago my dialup admin interface shows users 
> >that logged off long time ago and doesn't show the new users when the max 
> >line is reached.
> >like i think something is not updated and i cant see in real time who's 
> >logged in..
> >what could be the problem?
> >thx in advance.
> 
> 
>   The opinions expressed in this e-mail are strictly
>   personal. My opinion does not necessarily represent
> the opinion of my Moto Group or of the company where
> I work.
> 
> Mene Sakkhet ur-seveh
>   Alexandre Ganso - Director, Steel Goose Moto Group
> September 6, 7 and 8 - Steel Goose 10th Anniversary - Ouro Branco - MG
> Red 500 Four
> [EMAIL PROTECTED]
>   ICQ# 3778773

-- 
Petre L. Daniel,System Administrator,
Canad Systems Pitesti SRL Romania,
tel:+4048206200,+4048206201
email:[EMAIL PROTECTED]
http://www.cyber.ro





Re: Sqlcounter.

2002-05-22 Thread Alexandre Strube

On Wed, 22 May 2002 07:55:06 -0400, Randy Moore wrote:

>>Hi, I just upgraded Freeradius 0.5 to freeradius-snapshot-20020521.
>>I altered the old radiusd.conf file to reflect some changes, and have
>>included SQLcounter module. I wish to limit access to users on a
>>three-month basis, but only some users, and this 3-month time is
>>individual.
>>
>>What I did:
>>radiusd.conf
>> sqlcounter monthlycounter {
>> counter-name = Monthly-Session-Time
>> check-name = Max-Monthly-Session
>> sqlmod-inst = sql
>> key = User-Name
>> reset = 3m
>>}
>>authorize {
>> preprocess
>> suffix
>> monthlycounter
>> sql
>> monthlycounter
>>}
>Since you are defining your Check Item in your SQL database, you should not
>need to include 'monthlycounter' twice.  The copy *after* sql is the only
>one you should need.

Ok, I've removed it.

>>accounting {
>> acct_unique
>> sql
>> radutmp
>>}
>>The user can log ok if there's nothing on table radcheck about Monthly
>>Sessions. But if I
>>insert a row like
>>username=surak
>>attribute=Max-Monthly-Session
>>value= 200  (Any)
>>op=   ":=" without quotes, obviously
>This looks fine.

Anyway, looks like there is something missing somewhere.

>>The radius rejects the user with the following message on debug:
>>modcall: entering group authorize
()
>>rlm_sqlcounter: Entering module authorize code
>>rlm_sqlcounter: Could not find Check item value pair
>>   modcall[authorize]: module "monthlycounter" returns noop
>Since you called 'monthlycounter' twice, it should appear twice in the 
>debug output.  The first time should appear just as it does above because
>the check item has not yet been read from your SQL database.  But you don't
>include the logs for the second call.  Did they appear?  If so what do they
>indicate?

No, this is the only information that appears. Now, with only the second
monthlycounter defined on authorize section, the result is the same.

Just to remember: If I drop this row ( surak   Max-Monthly-Session   20   :=  )
from radcheck table, it authorizes the user normally.

Follows the output from radiusd -X. The first is the one which has the row with
Max-Monthly-Session. The second output is executed right after it, just dropping
the Max-Monthly-Session from radcheck table.


-- First output --
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "surak"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
radius_xlat:  'surak'
sql_escape in:  'surak'
sql_escape out:  'surak'
sql_set_user:  escaped user --> 'surak'
radius_xlat:  'SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = 
'surak' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'surak' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value FROM radreply WHERE Username = 
'surak' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value 
FROM radgroupreply,usergroup WHERE usergroup.Username = 'surak' AND 
usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Pairs do not match [surak]
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "monthlycounter" returns noop
modcall: group authorize returns ok
auth: No Auth-Type configuration for the request, rejecting the user
auth: Failed to validate the user.
Delaying request 9 for 1 seconds

-- Second output --
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "surak"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
radius_xlat:  'surak'
sql_escape in:  'surak'
sql_escape out:  'surak'
sql_set_user:  escaped user --> 'surak'
radius_xlat:  'SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = 
'surak' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'surak' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value FROM radreply WHERE Username = 
'surak' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,rad

Re: mysql problem?

2002-05-22 Thread Alexandre Strube

On Wed, 22 May 2002 16:50:06 +0300 (EEST), Petre L. Daniel wrote:

Was the radiusd stopped? Are you running it with supervise or something like
that?
This happens here when radius is not responding on the very same moment
that the dialup user disconnects, because of the obvious fact that the STOP
packet is not logged on mysql. Some days ago, I don't know why, both supervise
and radiusd stopped working at 3am. As the stop packets weren't logged, my
dialup-admin was a mess. I had to delete all invalid entries...

The quickest way to do this is to remove all lines from sql which have the
AcctStopTime filled with -00-00 00:00:00

Something like DELETE FROM radacct WHERE AcctStopTime = '-00-00 00:00:00'

As the dialup users will eventually disconnect, the correct stop times will
be logged and everything will come back to normal.

>heyah.
>it seems that since some days ago my dialup admin interface shows users
>that logged off long time ago and doesn't show the new users when the max
>line is reached.
>like i think something is not updated and i cant see in real time who's
>logged in..
>what could be the problem?
>thx in advance.


  The opinions expressed in this e-mail are strictly
  personal. My opinion does not necessarily represent
the opinion of my Moto Group or of the company where
I work.

Mene Sakkhet ur-seveh
  Alexandre Ganso - Director, Steel Goose Moto Group
September 6, 7 and 8 - Steel Goose 10th Anniversary - Ouro Branco - MG
Red 500 Four
[EMAIL PROTECTED]
  ICQ# 3778773









Re: General question

2002-05-22 Thread Raghu

Artur Hecker wrote:
> 
> hi
> 
> > >Please change it as below
> > >
> > >artur   Auth-Type := System, User-Password == "hello"
> > >  Reply-Message = "Hello, %u"
> > >
> > >Please note the := before System.
> >
> > I asked to change the operator('='), as it was causing the problem,
> > ie User-Password was never being picked up into the config_items.
> 
> You mean that the "System" itself just doesn't matter at all in this
> context, don't you? So I can put in what I want? Is it ignored?
>
Yes. As long as your authorize block contains eap.

ie 
authorize {
	files
	eap
}

EAP module overwrites any other Auth-Type with EAP,
if present in authorize block.

 
> I'm currently trying to analyze what's happening with Ethereal, as you
> advised me. On which link would it be better to use Ethereal? On the
> wireless (between user and client) or on the wired? (between client and
> server?)
> 
> I'm currently trying between server and client and I see the following
> in the Ethereal:
> 
Server & Client.
Which version of Ethereal are you using?
Try the latest one, It can tell you the 
EAP type and content in the Radius packets.


> ap -> server: Access Request(1) (id=11)
> server -> ap: Accounting challenge(11) (id=11)
> ap -> server: Access Request(1) (id=12)
> server -> ap: Access Reject(3) (id=12)
> 
> then a sequence of ignored requests follows:
> ap -> server: Access Request(1) (id=13)
> 
> As you know, the second Request is interpreted as a Notification message
> causing the reject...
> 
> Which data would be interesting?
> 
RADIUS/EAP data
1. with your old configuration
2. with Auth-Type := EAP

-Raghu




Re: General question

2002-05-22 Thread Artur Hecker

hi

> >Please change it as below
> >
> >artur   Auth-Type := System, User-Password == "hello"
> >  Reply-Message = "Hello, %u"
> >
> >Please note the := before System.
> 
> I asked to change the operator('='), as it was causing the problem,
> ie User-Password was never being picked up into the config_items.

You mean that the "System" itself just doesn't matter at all in this
context, don't you? So I can put in what I want? Is it ignored?


I'm currently trying to analyze what's happening with Ethereal, as you
advised me. On which link would it be better to use Ethereal? On the
wireless (between user and client) or on the wired? (between client and
server?)


I'm currently trying between server and client and I see the following
in the Ethereal:

ap -> server: Access Request(1) (id=11)
server -> ap: Accounting challenge(11) (id=11)
ap -> server: Access Request(1) (id=12) 
server -> ap: Access Reject(3) (id=12)

then a sequence of ignored requests follows:
ap -> server: Access Request(1) (id=13)


As you know, the second Request is interpreted as a Notification message
causing the reject...

Which data would be interesting?



Thank you

artur





-- 
Artur Hecker               Groupe Accès et Mobilité
hecker[at]enst[dot]fr      Département Informatique et Réseaux
+33 1 45 81 7507           46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr  ENST Paris




Re: General question

2002-05-22 Thread Raghu

Artur Hecker wrote:
> 
> hi
> 
> > > deciding where to take the password from in the authorize {} section in
> > > radiusd.conf file and to authenticate with the ... appropriate module in
> > > authenticate {} ?
> >
> >   The 'unix' module.  It's called 'system' for historical reasons.
> 
> Why would i do Auth-Type := System for EAP/MD5 then??? That's what Raghu
> said I should do.
> What does Local mean then? "files"?
> 

No.
What I meant is, 
Your user file configuration was

>> users:
>> 
>> 
>> artur   Auth-Type = System, User-Password == "hello"
>> Reply-Message = "Hello, %u"
>> 
>>
>Please change it as below
>
>artur   Auth-Type := System, User-Password == "hello"
>  Reply-Message = "Hello, %u"
>
>Please note the := before System.

I asked to change the operator('='), as it was causing the problem,
ie User-Password was never being picked up into the config_items.


-Raghu




Re: Cisco AP 350 to EAP/LDAP...

2002-05-22 Thread Eric Reischer

Please respect the rules of this list and do not include VCF attachments in 
your posts.

Thank you.


At 10:56 AM 5/22/2002, Ricardo Stella <[EMAIL PROTECTED]> wrote:

>So the problem is Radius is sending the wrong attribute back to the AP
>?  That would make sense as to why the AP keeps on retrying to get the
>EAP message from the server.  Would just the dictionary be needed to be
>modified ?  Where and what to ?  Anyone ?
>
>TIA...
>
>Alan DeKok wrote:
> >
> >
> >   And in the middle:
> >
> > The Session Key (SK) is sent from RS to AP in the final packet. It
> > is carried in a cisco-avpair vendor specific radius attribute. The
> > value of the attribute is: "leap:session-key=" where  is
> > 34 octets of binary data as described in SK below.
> >
> >   Yuck.  I have vendor-specific extensions to standard protocols.
> >


*
Eric Reischer [EMAIL PROTECTED]
"The universe is full of magical things patiently
waiting for our wits to grow sharper."  -- Eden Phillpots
*





Re: General question

2002-05-22 Thread Artur Hecker

> Ok, 'man 5 files' really DOES explain the difference, thank you and
> sorry for bothering.

I meant "man 5 users", sorry.


Artur




Re: General question

2002-05-22 Thread Artur Hecker


hi

> > deciding where to take the password from in the authorize {} section in
> > radiusd.conf file and to authenticate with the ... appropriate module in
> > authenticate {} ?
> 
>   The 'unix' module.  It's called 'system' for historical reasons.

Why would i do Auth-Type := System for EAP/MD5 then??? That's what Raghu
said I should do.
What does Local mean then? "files"?


> > Why do we have to use different tokens anyway? Why is "User-Password ==
> > something" during "Auth-Type := something"? Can it be "Auth-Type ==
> > something"? Are those not both just Radius-attributes?
> 
>   No.  The password is a string given by the user, and sent via RADIUS
> to the server..  The Auth-Type is a *control* attribute, which is
> internal to the server, which tells the server how to authenticate the user.

Ok, 'man 5 files' really DOES explain the difference, thank you and
sorry for bothering.


>   They are.  See 'raddb/dictionary', and the comments in it.

ok, got this.


Greetings,

artur

-- 
Artur Hecker               Groupe Accès et Mobilité
hecker[at]enst[dot]fr      Département Informatique et Réseaux
+33 1 45 81 7507           46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr  ENST Paris




mysql tables in freeradius

2002-05-22 Thread Nick Davis

Hello,

I am using freeradius-snapshot-20020506 on debian.

I want to use mysql for authorize and accounting. I have been using the users 
file for user/pass and mysql for accounting and now want to move all the 
users/passes to mysql. My question is this: If I do not use groups do I need 
the tables called radgroupreply, radgroupcheck, and usergroup? Or are they 
required?

Here is how I have my users file setup, showing the various types of 
definitions I use:

top of file...

DEFAULT Auth-Type := Local, Simultaneous-Use := 1
        Fall-Through = Yes

#Joe Blow
joe     Password == "blow"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP

#John Doe
john    Password == "doe", Simultaneous-Use := 2
        User-Service-Type = Framed-User,
        Framed-Address = 208.42.21.201,
        Framed-Protocol = PPP

#Bill Bob
billy   Password == "bob", Simultaneous-Use := 3
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP

more users with similar info...


I would like to use just the radcheck, radreply, and radacct to make things 
simple. I have noticed a few posts where people use the radgroupcheck table 
for the Simultaneous-Use Attribute. I guess I could just make everyone the 
same group, but I just wondered if anyone had some advice/input into this 
idea?? It's not that I cannot add those tables, I would just like to make it 
as simple as possible.

Thanks,

Nick
-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




Re: Force Gateway profile

2002-05-22 Thread Scott Silzer

You may want to visit http://portmasters.com/tech/docs/manuals.html
and take a look at choicenet I have not used it in a while but it was
designed to provide filtered content on the PM's.

At 09:45 -0500 05/22/2002, Chris Parker wrote:
>At 11:56 AM 5/22/2002 +0200, De Schrijver Peter wrote:
>> Hi !
>>
>> I'd like to set up a profile to force some users to take a
>>certain route (gateway?) to the internet. Other users using the
>>same box (lucent NAS) should be able to take a direct route (other
>>gateway).
>>
>> Purpose is to have an optionally  "content filtered" way
>>for the users to surf the net.
>>
>> Is this possible with radius?
>
>Yes, if the appropriate attributes are created and defined by the NAS
>under Vendor-Specific attributes.
>
>You mention Lucent, which means that you should be able to support the
>'Ascend-IP-Direct' attribute.  This sets the 'next-hop' address for traffic
>from the user's session.
>
>IE, if you have your normal gateway at 10.0.0.1, and web proxy server at
>10.0.0.2, and you want to force certain traffic through the proxy, you would
>return the attribute pair:
>
>Ascend-IP-Direct = 10.0.0.2
>
>for the sessions you want to redirect.  You'll need to make sure that you
>have the NAS and the radius server configured the same in terms of VSA vs.
>Vendor-Proprietary.
>
>Further questions should be directed to a support list for the NAS you are
>using, as FreeRADIUS is certainly capable of returning any attribute to
>the NAS.  What attributes are required are up to the NAS vendor.
>
>-Chris
>--
>\\\|||///  \  StarNet Inc.  \ Chris Parker
>\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
>| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
>oOo---(_)---oOo--\--
>   \ Wholesale Internet Services - http://www.megapop.net
>
>
>


--
Scott A Silzer





LEAP

2002-05-22 Thread Bryan Tolka

Is LEAP supported on FreeRadius? It is my understanding that LEAP is just a type of 
EAP. I have free-radius compiled and have successfully authenticated using EAP-TLS on 
LINUX. Unfortunately EAP-TLS is not supported on Windows platforms except XP. Any 
ideas or suggestions would be greatly appreciated.
 
 Bryan Tolka
 West Virginia University




Re: Cisco AP 350 to EAP/LDAP...

2002-05-22 Thread Alan DeKok

Ricardo Stella <[EMAIL PROTECTED]> wrote:
> So the problem is Radius is sending the wrong attribute back to the
> AP?

  Sort of.  The RADIUS server is trying to talk EAP, and the AP is
trying to talk LEAP.  Never the twain shall meet,

>  That would make sense as to why the AP keeps on retrying to get the
> EAP message from the server.  Would just the dictionary be needed to be
> modified ?  Where and what to ?  Anyone ?

  No.  You've got to create code in the server:

 src/modules/rlm_eap/types/rlm_eap_leap

  which will handle the LEAP protocol.  See:

http://www.missl.cs.umd.edu/wireless/ethereal/leap.txt

  for a clearer description.

  Alan DeKok.




Re: Cisco AP 350 to EAP/LDAP...

2002-05-22 Thread Ricardo Stella


So the problem is Radius is sending the wrong attribute back to the AP
?  That would make sense as to why the AP keeps on retrying to get the
EAP message from the server.  Would just the dictionary be needed to be
modified ?  Where and what to ?  Anyone ?

TIA...

Alan DeKok wrote:
> 
> 
>   And in the middle:
> 
> The Session Key (SK) is sent from RS to AP in the final packet. It
> is carried in a cisco-avpair vendor specific radius attribute. The
> value of the attribute is: "leap:session-key=" where  is
> 34 octets of binary data as described in SK below.
> 
>   Yuck.  I have vendor-specific extensions to standard protocols.
>




RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Abel Alejandro



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kostas
Kalevras
Sent: Wednesday, May 22, 2002 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:

>> Forgot to mention, I am running radiusd -X > radius.log

>Stupid question. Is the ippool module listed in the accounting section in
>radiusd.conf?
>The accounting packet should be an accounting stop for a nas/port
>combination that has an allocated ip assigned to it.

Yes, it is. The ippool module is called 'arecibo' and it's in both authorize
and accounting.

For example, when I started radiusd this morning the first IP to be
assigned was 196.12.182.73. Then radiusd got the Acct-Status-Type = Stop
for 196.12.182.73 and it said "modcall[accounting]: module "arecibo"
returns ok"
But no deallocation was done.






Re: Force Gateway profile

2002-05-22 Thread Chris Parker

At 11:56 AM 5/22/2002 +0200, De Schrijver Peter wrote:
> Hi !
>
> I'd like to set up a profile to force some users to take a 
> certain route (gateway?) to the internet. Other users using the same box 
> (lucent NAS) should be able to take a direct route (other gateway).
>
> Purpose is to have an optionally  "content filtered" way for the 
> users to surf the net.
>
> Is this possible with radius?

Yes, if the appropriate attributes are created and defined by the NAS
under Vendor-Specific attributes.

You mention Lucent, which means that you should be able to support the
'Ascend-IP-Direct' attribute.  This sets the 'next-hop' address for traffic
from the user's session.

IE, if you have your normal gateway at 10.0.0.1, and web proxy server at
10.0.0.2, and you want to force certain traffic through the proxy, you would
return the attribute pair:

Ascend-IP-Direct = 10.0.0.2

for the sessions you want to redirect.  You'll need to make sure that you
have the NAS and the radius server configured the same in terms of VSA vs.
Vendor-Proprietary.

Further questions should be directed to a support list for the NAS you are
using, as FreeRADIUS is certainly capable of returning any attribute to
the NAS.  What attributes are required are up to the NAS vendor.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: PPPoE: auth+acct via PAM

2002-05-22 Thread Alan DeKok

Ilja A Marchew <[EMAIL PROTECTED]> wrote:
> I use rp-pppoe to serve PPPoE users.  Well, I think use FR with it is a good
> idea, but cannot imagine which lines in /etc/pam.d/ppp I need.  It is
> right -- libpam-freeradius-auth

  There is no such thing.  There *is* the pam_radius_auth module, but
that's probably different.

> cannot help my efforts to log time/traffic for users in FR's base?
> It only authorizes?

  No, it does accounting too.  List it in the 'session' section of the
configuration file, and it will send accounting packets to the RADIUS
server.

  Alan DeKok.





Re: proxy and replicate

2002-05-22 Thread Chris Parker

At 05:14 PM 5/21/2002 -0700, Florin Andrei wrote:
>What's the difference between proxy and replicate?
>
>I mean, i think i know what it is, but i'm not sure:
>- replicate means, rebuild the request and send it to the authentication
>Radius server; the authentication server sees the request as coming from
>the original NAS (and therefore might apply its own authorisation rules
>based on IPs)
>- proxy means, strip the request from every reference to the initial IP
>of the NAS, and send it to the authentication Radius server; the
>authentication server sees all proxied requests as coming from the
>FreeRadius machine (thinks FreeRadius is the NAS)
>
>Is that correct?

Not quite.  :)

Proxy - The request cannot be completed locally and must be sent to another
server ( and a response received from the other server ) for handling.  The
proxy server acts as the middle-man.  The remote server sees the request
coming from the proxy server.  The only indication the remote server has
regarding the origin of the request is via the NAS-IP-Address or NAS-
Identifier.  The source IP address of the packet as seen by the remote
server will be the

   An Access-Request SHOULD contain a User-Name attribute.  It MUST
   contain either a NAS-IP-Address attribute or a NAS-Identifier
   attribute (or both).

In proxy-mode the proxying server waits for a reply from the remote
server before sending a reply to the NAS.

Replication - done the same as proxying, but the remote server's response
is not used.  Replication allows you to send the same data ( say an 
accounting packet ) to multiple remote servers.  This can be done to keep
accounting data in synch ( or attempt to ).

>If there is such a difference, how do i trigger one or the other
>behaviour?

The normal behaviour when using a realm is to proxy.  You can also cause
the server to replicate a packet using the 'Replicate-To-Realm := foobar'
attribute.

>I ask this because i need to trick my authentication Radius servers into
>thinking that the original source of all requests are the Radius
>proxies.

The source-ip of the packets they receive will be the ip of proxying
server.  That source-ip is what is used to determine the shared-secret
to use.  If what you are trying to avoid is having to configure all of
your NAS into the auth servers, then that is how proxy is meant to work.

>My authentication servers need to know nothing about the IP addresses of
>the NASes (i need to "hide" the NAS from the authentication server,
>using a proxy, and do all IP-based authorisation in the proxies). Is
>that doable with FreeRadius?

The authentication will know the NAS identifiers/ips as stated above.  It
is a requirement of the RFC that these attributes are present.

I suppose the proxying server could re-write those to contain its own
IP, I'm not certain that would be a violation of the RFC in letter.  That
is not something the server does currently, so you'd have to patch it
to do that if that's really what you want.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net
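
The exchange described in this reply, as an added Python sketch (not FreeRADIUS code and not part of the original post): a proxy re-hides User-Password under its own shared secret per RFC 2865 section 5.2, the home server picks the secret from the packet's source IP alone, and NAS-IP-Address still arrives unchanged. The secrets, user name and documentation-range addresses are constructed, and reusing the message id across the hop is a simplification.

```python
import hashlib, os, socket, struct

USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = authenticator."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def build_request(ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_request(packet):
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos + 2 <= min(length, len(packet)):
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[pos + 2:pos + alen]))
        pos += alen
    return ident, packet[4:20], attrs

def proxy_forward(packet, nas_secret, home_secret):
    """Re-hide User-Password under the proxy-to-home secret; copy all else as-is."""
    ident, auth, attrs = parse_request(packet)
    new_auth = os.urandom(16)
    out = [(t, hide_password(reveal_password(v, nas_secret, auth), home_secret, new_auth)
            if t == USER_PASSWORD else v) for t, v in attrs]
    return build_request(ident, new_auth, out)

def home_server_receive(packet, source_ip, clients):
    secret = clients[source_ip]          # secret chosen by packet source IP only
    _ident, auth, attrs = parse_request(packet)
    a = dict(attrs)
    return {"user": a[USER_NAME].decode(),
            "password": reveal_password(a[USER_PASSWORD], secret, auth).decode(),
            "nas_ip": socket.inet_ntoa(a[NAS_IP_ADDRESS])}

def demo():
    # Constructed values: secrets, user, and documentation-range addresses.
    nas_secret, home_secret, auth = b"nas-to-proxy", b"proxy-to-home", os.urandom(16)
    request = build_request(7, auth, [
        (USER_NAME, b"alice"),
        (USER_PASSWORD, hide_password(b"s3cret", nas_secret, auth)),
        (NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10"))])
    clients = {"198.51.100.5": home_secret}   # home server lists only the proxy
    return home_server_receive(proxy_forward(request, nas_secret, home_secret),
                               "198.51.100.5", clients)

if __name__ == "__main__":
    print(demo())
```

The home server's client table holds only the proxy's address, yet the returned `nas_ip` is still the original NAS, which is why any IP-based policy on the home server has to be keyed on the attribute rather than on the packet source.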






mysql problem?

2002-05-22 Thread Petre L. Daniel

heyah.
it seems that since some days ago my dialup admin interface shows users 
that logged off long time ago and doesn't show the new users when the max 
line is reached.
like i think something is not updated and i can't see in real time who's 
logged in..
what could be the problem?
thx in advance.


-- 
Petre L. Daniel,System Administrator,
Canad Systems Pitesti SRL Romania,
tel:+4048206200,+4048206201
email:[EMAIL PROTECTED]
http://www.cyber.ro





RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Kostas Kalevras

On Wed, 22 May 2002, Abel Alejandro wrote:

> Forgot to mention, I am running radiusd -X > radius.log
>

Stupid question. Is the ippool module listed in the accounting section in
radiusd.conf?
The accounting packet should be an accounting stop for a nas/port combination
that has an allocated ip assigned to it.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Abel Alejandro



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kostas
Kalevras
Sent: Wednesday, May 22, 2002 9:31 AM
To: [EMAIL PROTECTED]
Subject: RE: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:

>> Okay one more thing I got now from the logs. Right now I have rm -rf the
>> db*
>> And restarted radiusd, a (cmd: cat radius.log | grep "= Stop" | wc -l)
>> reports 66 stop's, but I don't see a "rlm_ippool: Deallocated entry for
>> ip/port:" not even one in the radius.log
>>
>> It seems radiusd can not deallocate ip's?

>That is a debugging message and it will not normally show up in the radius.log

Forgot to mention, I am running radiusd -X > radius.log




RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Kostas Kalevras

On Wed, 22 May 2002, Abel Alejandro wrote:

> Okay one more thing I got now from the logs. Right now I have rm -rf the
> db*
> And restarted radiusd, a (cmd: cat radius.log | grep "= Stop" | wc -l)
> reports 66 stop's, but I don't see a "rlm_ippool: Deallocated entry for
> ip/port:" not even one in the radius.log
>
> It seems radiusd can not deallocate ip's?

That is a debugging message and it will not normally show up in the radius.log

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





RE: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Abel Alejandro



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kostas
Kalevras
Sent: Wednesday, May 22, 2002 9:06 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: IPPOOL is not giving all the ip addresses.

On Wed, 22 May 2002, Abel Alejandro wrote:

>> IPPOOL seems that it cannot give all the ip addresses on the range,
>> it starts giving addresses but if there are 50 ip's it only gives 10.

>Hmm, from what i tested right now it will give out all the ips.

Okay one more thing I got now from the logs. Right now I have rm -rf the
db*
And restarted radiusd, a (cmd: cat radius.log | grep "= Stop" | wc -l)
reports 66 stop's, but I don't see a "rlm_ippool: Deallocated entry for
ip/port:" not even one in the radius.log

It seems radiusd can not deallocate ip's?





Re: IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Kostas Kalevras

On Wed, 22 May 2002, Abel Alejandro wrote:

> IPPOOL seems that it cannot give all the ip addresses on the range,
> it starts giving addresses but if there are 50 ip's it only gives 10.

Hmm, from what i tested right now it will give out all the ips.

>
> FreeBSD 4.5-STABLE running Freeradius from of 19/05/02 (cvs).
>
> ippool arecibo {
> session-db = ${dbdir}/arecibo.db
> ip-index = ${dbdir}/arecibo-ip.db
> range-start = 196.12.182.65
> range-stop = 196.12.182.121
> netmask = 255.255.255.192
> cache-size = 1024
> }
>
> That is the configuration for the ippool, it runs fine, it assigns addresses
> and everything looks okay.
> However looking it in debug mode, I see a not very normal behaviour. It
> start giving the address
> on random sequences for example, instead of first assign 196.12.182.65 it
> give 196.12.182.73 (first time, with virgin db).

That has to do with the gdbm library. The db is not a linked list but a hash and
there isn't any way to tell how they will be ordered inside the file.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf

>
> I modified rlm_ippool.c to be a little more verbose, and on the creation of
> the database it does create
> the ip address list in order. Like this:
>
> Adding IP 196.12.182.65 state 0
> Adding IP 196.12.182.66 state 0
> Adding IP 196.12.182.67 state 0
> Adding IP 196.12.182.68 state 0
> 
> Until it reaches 196.12.182.121 (which is correct.)
>
> In the other hand when looking for ip address (virgin db, all ip are supposed
> to be state 0)
> it search them in random order.  Like this:
>
> rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/3328
> Found IP 196.12.182.114 state 1
> Found IP 196.12.182.82 state 0
>
> It started with 114 then jumped back to 82.





Re: Sqlcounter.

2002-05-22 Thread Randy Moore

At 07:32 PM 5/21/2002 -0300, you wrote:
>Hi, I just upgraded Freeradius 0.5 to freeradius-snapshot-20020521.
>I altered the old radiusd.conf file to reflect some changes, and have
>included SQLcounter module. I wish to limit access to users on a
>three-month basis, but only some users, and this 3-month time is
>individual.
>
>What I did:
>Radiusd.conf
> sqlcounter monthlycounter {
> counter-name = Monthly-Session-Time
> check-name = Max-Monthly-Session
> sqlmod-inst = sql
> key = User-Name
> reset = 3m
>}
>authorize {
> preprocess
> suffix
> monthlycounter
> sql
> monthlycounter
>}

Since you are defining your Check Item in your SQL database, you should not 
need to include 'monthlycounter' twice.  The copy *after* sql is the only 
one you should need.


>accounting {
> acct_unique
> sql
> radutmp
>}
>
>The user can log ok if there's nothing on table radcheck about Monthly 
>Sessions. But if I
>insert a row like
>username=surak
>attribute=Max-Monthly-Session
>value= 200  (Any)
>op=   ":=" without quotes, obviously

This looks fine.


>The radius rejects the user with the following message on debug:
>modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_realm: Looking up realm NULL for User-Name = "surak"
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
>rlm_sqlcounter: Entering module authorize code
>rlm_sqlcounter: Could not find Check item value pair
>   modcall[authorize]: module "monthlycounter" returns noop

Since you called 'monthlycounter' twice, it should appear twice in the 
debug output.  The first time should appear just as it does above because 
the check item has not yet been read from your SQL database.  But you don't 
include the logs for the second call.  Did they appear?  If so what do they 
indicate?


Randy Moore
Axion Information Technologies, Inc.

email [EMAIL PROTECTED]
phone   301-408-1200
fax301-445-3947





IPPOOL is not giving all the ip addresses.

2002-05-22 Thread Abel Alejandro

IPPOOL seems that it cannot give all the ip addresses on the range,
it starts giving addresses but if there are 50 ip's it only gives 10.

FreeBSD 4.5-STABLE running Freeradius from of 19/05/02 (cvs).

ippool arecibo {
session-db = ${dbdir}/arecibo.db
ip-index = ${dbdir}/arecibo-ip.db
range-start = 196.12.182.65
range-stop = 196.12.182.121
netmask = 255.255.255.192
cache-size = 1024
}

That is the configuration for the ippool, it runs fine, it assigns addresses
and everything looks okay.
However looking it in debug mode, I see a not very normal behaviour. It
start giving the address
on random sequences for example, instead of first assign 196.12.182.65 it
give 196.12.182.73 (first time, with virgin db).

I modified rlm_ippool.c to be a little more verbose, and on the creation of
the database it does create
the ip address list in order. Like this:

Adding IP 196.12.182.65 state 0
Adding IP 196.12.182.66 state 0
Adding IP 196.12.182.67 state 0
Adding IP 196.12.182.68 state 0

Until it reaches 196.12.182.121 (which is correct.)

In the other hand when looking for ip address (virgin db, all ip are supposed
to be state 0)
it search them in random order.  Like this:

rlm_ippool: Searching for an entry for nas/port: 10.50.2.1/3328
Found IP 196.12.182.114 state 1
Found IP 196.12.182.82 state 0

It started with 114 then jumped back to 82.





two radius servers with rlm_counter modules

2002-05-22 Thread Daniel Yeung

Dear Kenneth


1. The rlm_counter is written using the gdbm interface to access the data file "db.counter". You 
may write code to synchronize. 
You may also try "rsync" (http://rsync.samba.org) or scp to update the data file.


3. The reset action is done at the beginning of each login session.
When a user logs in, freeradius resets the user's counter record if needed.
When a user logs off, freeradius updates the session usage in the counter database. 


Daniel Yeung




Force Gateway profile

2002-05-22 Thread De Schrijver Peter

Hi !

I'd like to set up a profile to force some users to take a certain route 
(gateway?) to the internet. Other users using the same box (lucent NAS) should be able 
to take a direct route (other gateway). 

Purpose is to have an optionally  "content filtered" way for the users to surf 
the net.

Is this possible with radius?


Cu
Pete







Re: PPPoE: auth+acct via PAM

2002-05-22 Thread boyknight

Ilja:
I am sorry. I can't answer your question. Because I'm a beginner of RADIUS. I don't 
know your problem.8)
Good luck!
boyknight
mailto:[EMAIL PROTECTED]

- Original Message - 
From: "Ilja A Marchew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 22, 2002 4:33 PM
Subject: PPPoE: auth+acct via PAM


> Hello freeradius-users.
> 
> I use rp-pppoe to serve PPPoE users.  Well, I think use FR with it is a good
> idea, but cannot imagine which lines in /etc/pam.d/ppp I need.  It is
> right -- libpam-freeradius-auth cannot help my efforts to log
> time/traffic for users in FR's base?  It only authorizes?  Any
> ideas/solutions to my problem?  Thank you and sorry for my english.
> 
> - ---
> With respect,
>  Ilja mailto:[EMAIL PROTECTED]
> 
> 


PPPoE: auth+acct via PAM

2002-05-22 Thread Ilja A Marchew

Hello freeradius-users.

I use rp-pppoe to serve PPPoE users.  Well, I think use FR with it is a good
idea, but cannot imagine which lines in /etc/pam.d/ppp I need.  It is
right -- libpam-freeradius-auth cannot help my efforts to log
time/traffic for users in FR's base?  It only authorizes?  Any
ideas/solutions to my problem?  Thank you and sorry for my english.

- ---
With respect,
 Ilja mailto:[EMAIL PROTECTED]

