Re: Daily usage counter

2002-09-05 Thread Adi Linden

> > Hi,
> >
> > Question when a daily usage counter is setup using this:
> >
> > #
> > counter daily {
> > filename = ${logdir}/db.counter
> > key = User-Name
> > count-attribute = Acct-Session-Time
> > reset = daily
> > counter-name = Daily-Session-Time
> > check-name = Max-Daily-Session
> > allowed-servicetype = Framed-User
> > cache-size = 5000
> > }
> >
> >
> > How can I manually reset someone's time without increasing the maximum
> > daily time for the user?
> 
> You can't unless you write some c/perl program to play with the gdbm file

That's what I figured, fair enough.

> > It seems like the radius server doesn't reset the maximum daily time if
> > the user stays connected for more than a day (we have schools with dialup
> > that use the phone similar to a leased line).
> 
> That's quite impossible. The gdbm counter file gets wiped out every time the
> counters are reset.

So is the gdbm file updated every second for every user or is the session 
time written to the file when a stop occurred?

> > How can I fix that? Here's
> > the log from an account that exceeded their time:
> >
> > UserName Start_Date_and_Time Stop_Date_and_Time_ Secnds TotSecnd IP-Address_ Pt___ Sess-ID__ KB_In_ KB_Out PktIn_ PktOut CallerID__
> > kihslac  2002/09/01 16:13:44 2002/09/01 16:59:17   2734 2734 216.26.102.78 11 3D7278A934D2406   2290   4228   3570
> > kihslac  2002/09/01 22:11:40 2002/09/01 22:54:31   2572 5306 216.26.102.78 11 3D72D6C5411B702   3710   6242   6496
> > kihslac  2002/09/02 11:08:50 2002/09/02 11:13:49 300 5606 216.26.102.78 11 3D738CD00264 26209367294
> > kihslac  2002/09/03 11:44:44 2002/09/03 11:45:18 34 5640 216.26.102.71  4 3D74DD9F1A8E  0  0  7  4
> > kihslac  2002/09/03 12:19:25 2002/09/03 12:20:07 43 5683 216.26.102.71  4 3D74E71E1B00  0  0 11  4
> > kihslac  2002/09/03 12:22:13 2002/09/03 12:41:30   1158 6841 216.26.102.71  4 3D74EFA11E2F 32  0391  3
> > kihslac  2002/09/03 12:59:36 2002/09/03 13:42:51   2595 9436 216.26.102.71  4 3D74F44A2007440  0   4307  3
> > kihslac  2002/09/03 13:48:48 2002/09/03 16:06:54   8287 17723 216.26.102.71  4 3D7502AC2163470  0   3375  8
> > kihslac  2002/09/03 16:16:40 2002/09/03 18:19:42   7382 25105 216.26.102.71  4 3D75246E2540648  1   3400 34
> > kihslac  2002/09/03 18:35:15 2002/09/03 21:17:23   9729 34834 216.26.102.71  4 3D75438E2856  4  0 63 16
> > kihslac  2002/09/03 23:03:48 2002/09/05 06:55:52 114725   149559 216.26.102.71  4 3D757B492C64   6183  7  37710162
> >
> > As the last line indicates, the remote user logged in 2002/09/03 and
> > didn't disconnect until 2002/09/05 (today). Radius now refuses login on
> > the grounds of exceeded daily limit, even though the daily limit hasn't
> > technically been exceeded...
> 
> If your Max-Daily-Session for this user is smaller than 06:55:52 then he *has*
> technically exceeded his daily limit. He has used your resources today for more
> time than he is allowed.
> >
> > This could be a glitch where the session wasn't properly terminated. The
> > RAS box (Linux with portslave) improperly shut down around that time.
> >
> > Any suggestions?
> 
> What is the Max-Daily-Session for this user?

The Max-Daily-Session for this user is 86400. I set it to 20 and now 
he is able to log back in. 

Adi


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
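
A small model of the two ways of counting the 2002/09/03 to 2002/09/05 session discussed above, added here as an illustration and not code from the thread or from rlm_counter: a Stop-fed counter that is wiped at midnight credits the whole Acct-Session-Time (114725 s) to 09/05 and so reports the 86400 s Max-Daily-Session as exhausted, while clipping sessions to the calendar day shows 24952 s actually used on 09/05. The session records are constructed from the log quoted in the thread; the `>=` comparison in the limit check is an assumption, not rlm_counter's exact test.

```python
from datetime import datetime, time, timedelta

# Constructed from the accounting records quoted in this thread:
# (User-Name, start, stop, Acct-Session-Time as the NAS reported it).
SESSIONS = [
    ("kihslac", "2002/09/03 13:48:48", "2002/09/03 16:06:54", 8287),
    ("kihslac", "2002/09/03 16:16:40", "2002/09/03 18:19:42", 7382),
    ("kihslac", "2002/09/03 18:35:15", "2002/09/03 21:17:23", 9729),
    ("kihslac", "2002/09/03 23:03:48", "2002/09/05 06:55:52", 114725),
]
MAX_DAILY_SESSION = 86400  # the value the poster had configured for this user


def parse_ts(ts):
    return datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")


def parse_day(day):
    return datetime.strptime(day, "%Y/%m/%d").date()


def stop_credited_counter(sessions, user, day):
    """Daily-Session-Time as a Stop-fed counter sees it: the whole
    Acct-Session-Time lands on the day the Accounting-Stop arrives, and the
    counter is assumed to be wiped at midnight (reset = daily)."""
    d = parse_day(day)
    return sum(acct for u, _, stop, acct in sessions
               if u == user and parse_ts(stop).date() == d)


def seconds_used_on(sessions, user, day):
    """Online time that actually fell inside `day`: each session is clipped
    to [midnight, next midnight), so a multi-day session is apportioned
    instead of being charged entirely to the day it ends."""
    day_start = datetime.combine(parse_day(day), time.min)
    day_end = day_start + timedelta(days=1)
    used = 0
    for u, start, stop, _ in sessions:
        if u != user:
            continue
        overlap = min(parse_ts(stop), day_end) - max(parse_ts(start), day_start)
        if overlap > timedelta(0):
            used += int(overlap.total_seconds())
    return used


def limit_exhausted(counter, limit=MAX_DAILY_SESSION):
    """Assumed check: no daily time left once the counter reaches the limit."""
    return counter >= limit


if __name__ == "__main__":
    for day in ("2002/09/03", "2002/09/04", "2002/09/05"):
        c = stop_credited_counter(SESSIONS, "kihslac", day)
        print(f"{day}: counter={c:6d} exhausted={limit_exhausted(c)!s:5} "
              f"actually used that day={seconds_used_on(SESSIONS, 'kihslac', day)}")
```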



Daily usage counter

2002-09-05 Thread Adi Linden

Hi,

Question when a daily usage counter is setup using this:

#
counter daily {
filename = ${logdir}/db.counter
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}


How can I manually reset someone's time without increasing the maximum 
daily time for the user?

It seems like the radius server doesn't reset the maximum daily time if 
the user stays connected for more than a day (we have schools with dialup 
that use the phone similar to a leased line). How can I fix that? Here's 
the log from an account that exceeded their time:

UserName Start_Date_and_Time Stop_Date_and_Time_ Secnds TotSecnd IP-Address_ Pt___ Sess-ID__ KB_In_ KB_Out PktIn_ PktOut CallerID__
kihslac  2002/09/01 16:13:44 2002/09/01 16:59:17   2734 2734 216.26.102.78  11 3D7278A934D2406   2290   4228   3570
kihslac  2002/09/01 22:11:40 2002/09/01 22:54:31   2572 5306 216.26.102.78  11 3D72D6C5411B702   3710   6242   6496
kihslac  2002/09/02 11:08:50 2002/09/02 11:13:49 300 5606 216.26.102.78  11 3D738CD00264 26209367294
kihslac  2002/09/03 11:44:44 2002/09/03 11:45:18 34 5640 216.26.102.71   4 3D74DD9F1A8E  0  0  7  4
kihslac  2002/09/03 12:19:25 2002/09/03 12:20:07 43 5683 216.26.102.71   4 3D74E71E1B00  0  0 11  4
kihslac  2002/09/03 12:22:13 2002/09/03 12:41:30   1158 6841 216.26.102.71   4 3D74EFA11E2F 32  0391  3
kihslac  2002/09/03 12:59:36 2002/09/03 13:42:51   2595 9436 216.26.102.71   4 3D74F44A2007440  0   4307  3
kihslac  2002/09/03 13:48:48 2002/09/03 16:06:54   8287 17723 216.26.102.71   4 3D7502AC2163470  0   3375  8
kihslac  2002/09/03 16:16:40 2002/09/03 18:19:42   7382 25105 216.26.102.71   4 3D75246E2540648  1   3400 34
kihslac  2002/09/03 18:35:15 2002/09/03 21:17:23   9729 34834 216.26.102.71   4 3D75438E2856  4  0 63 16
kihslac  2002/09/03 23:03:48 2002/09/05 06:55:52 114725   149559 216.26.102.71   4 3D757B492C64   6183  7  37710162

As the last line indicates, the remote user logged in 2002/09/03 and 
didn't disconnect until 2002/09/05 (today). Radius now refuses login on 
the grounds of exceeded daily limit, even though the daily limit hasn't 
technically been exceeded...

When does the count get reset, at midnight?

This could be a glitch where the session wasn't properly terminated. The 
RAS box (Linux with portslave) improperly shut down around that time.

Any suggestions?

Adi 





Re: Using ldap authentication/authorization

2002-06-14 Thread Adi Linden

> > I am assuming this is done with rlm_count. How can I retrieve the
> > timelimit from ldap and use it in radius?
> 
> counter {
> filename = ${raddbdir}/db.counter
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
> allowed-servicetype = Framed-User
> cache-size = 5000
> }
> 
> Add an attribute like radiusMaxDailySession in your ldap schema (and in the
> radiusprofile objectclass). Also add it in ldap.attrmap like:
> 
> checkItem Max-Daily-Session   radiusMaxDailySession
> 
> Then you can just set it to whatever value you wish for each user.

How can I assign the Max-Daily-Session value in the "raddb/users" file as 
a default for users that do not have this in their LDAP entry? Both of the 
following do not work:

DEFAULT 
Max-Daily-Session = 1800,
Reply-Message = "Default settings"

DEFAULT Max-Daily-Session = 1800
Reply-Message = "Default settings"

Thanks,
Adi





Re: Using ldap authentication/authorization

2002-06-13 Thread Adi Linden

Oops, answered my own question. I was working with freeradius-0.5.

> > DEFAULT Ldap-Group == "admins"

This works just fine using a cvs checkout.

Adi

On Thu, 13 Jun 2002, Adi Linden wrote:

> > You can create normal groups in your ldap tree. Then you can do group searches
> > like this in your users file:
> > 
> > DEFAULT Ldap-Group == "admins"
> 
> Done that, I get the following error when running "radiusd -s -xxx":
> 
> Module: Loaded files 
>  files: usersfile = "/usr/local/etc/raddb/users"
>  files: acctusersfile = "/usr/local/etc/raddb/acct_users"
>  files: compat = "no"
> /usr/local/etc/raddb/users[178]: Parse error (check) for entry DEFAULT: 
> Unknown attribute Ldap-Group
> Errors reading /usr/local/etc/raddb/users
> radiusd.conf[672]: files: Module instantiation failed. 
> 
> If I do this in the users file it never gets checked against the ldap 
> attribute... Looking at the source, "ldap_groupcmp" should do the group 
> checking and the "rlm_ldap: Entering ldap_groupcmp()" statement should 
> appear when it hits the "Group" or "Ldap-Group".
> 
> DEFAULT   Group == "admins"
> 
> Thanks,
> Adi





Re: Using ldap authentication/authorization

2002-06-13 Thread Adi Linden

> You can create normal groups in your ldap tree. Then you can do group searches
> like this in your users file:
> 
> DEFAULT   Ldap-Group == "admins"

Done that, I get the following error when running "radiusd -s -xxx":

Module: Loaded files 
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: compat = "no"
/usr/local/etc/raddb/users[178]: Parse error (check) for entry DEFAULT: 
Unknown attribute Ldap-Group
Errors reading /usr/local/etc/raddb/users
radiusd.conf[672]: files: Module instantiation failed. 

If I do this in the users file it never gets checked against the ldap 
attribute... Looking at the source, "ldap_groupcmp" should do the group 
checking and the "rlm_ldap: Entering ldap_groupcmp()" statement should 
appear when it hits the "Group" or "Ldap-Group".

DEFAULT   Group == "admins"

Thanks,
Adi



Re: Using ldap authentication/authorization

2002-06-12 Thread Adi Linden

> No you can't. Both have to point to valid DN's in your tree. The
> profile_attribute is an attribute contained in the user entry pointing to the
> profile to be applied for the user, while User-Profile contains the profile to
> be applied in special cases instead of the default profile (I use it to
> implement Large Scale Dialout where I don't need the default reply items
> contained in the default profile).

So the profiles are entirely in LDAP then. I wanted to stay away from 
extending the LDAP schema on the LDAP server if possible and do as much as 
possible in the freeradius configuration.

From another message on the list I see that it is not possible to group 
users by having an attribute such as this either:

knetRadiusGroup: knetonly

In "radiusd.conf" the LDAP attribute would have to associate with the 
group somehow and then in "users":

DEFAULT Group == "knetonly"

Are there any solutions I haven't thought of yet?

Thanks,
Adi





Re: Using ldap authentication/authorization

2002-06-12 Thread Adi Linden

> Add an attribute like radiusMaxDailySession in your ldap schema (and in the
> radiusprofile objectclass). Also add it in ldap.attrmap like:
> 
> checkItem Max-Daily-Session   radiusMaxDailySession
> 
> Then you can just set it to whatever value you wish for each user.

Great, this is exactly what I'd like to happen.

> > How do I retrieve the pool information from ldap? Can I keep the poolname
> > in an attribute such as knetRadiusPool? Where do I define the pool and
> > associated ip addresses?
> 
> 
> You could either use the radiusReplyItem like this:
> 
> radiusReplyitem: Cisco-AVPair := "ip:addr-pool=mypoolname"
> 
> or create your own attribute which you should add to the radiusprofile
> objectclass and ldap.attrmap.
> You define the pool inside your nas.

Can I define an attribute to contain the profile a user belongs to and 
then refer to this attribute value in the users file?

"doc/rlm_ldap" has a section:

  USER PROFILE ATTRIBUTE:

  The module can use the User-Profile attribute. If it is set, it will 
  assume that it contains the DN of a profile entry containing radius 
  attributes. This entry will _replace_ the default profile directive. 
  That way we can use different profiles based on checks on the radius 
  attributes contained in the Access-Request packets. For example (users 
  file):

  DEFAULT Service-Type == Outbound-User, User-Profile := "uid=outbound-dialup,dc=company,dc=com"

I assume that the User-Profile refers to the following line in 
"radiusd.conf": 

  # profile_attribute = "radiusProfileDn"

Will this work if the DN doesn't exist on the ldap server, or can I use 
any string instead of valid DN and have this in ldap:

  radiusProfileDn: knetonly

and in users:

  DEFAULT Service-Type == Framed-User, User-Profile == "knetonly"

Thank you for answering my questions. This has been tremendously helpful 
in getting things going!

Thanks,
Adi





Re: Using ldap authentication/authorization

2002-06-12 Thread Adi Linden

> > - Authenticate user by doing a bind to the LDAP server using the user's
> >   username and password
> 
> Yes

Ok, got that going.

> > - Get the daily timelimit amount for the user from LDAP and apply that
> >   daily limit
> 
> Yes

I am assuming this is done with rlm_count. How can I retrieve the 
timelimit from ldap and use it in radius?
 
> > - I have 2 pools of ip addresses with different access on the terminal
> >   server. I need to somehow assign users to one of the pools using an
> >   LDAP attribute
> 
> Yes. Just create two user profiles and assign each user to one of them. Add a
> Framed-Pool or Cisco-AVPair := "ip:addr-pool=mypoolname" in each profile and you
> are ok.

How do I retrieve the pool information from ldap? Can I keep the poolname 
in an attribute such as knetRadiusPool? Where do I define the pool and 
associated ip addresses?

Thanks,
Adi





test radius without terminal server

2002-06-12 Thread Adi Linden

How can I test the radius server without a terminal server? 

I would like to build, configure and test the radius server first. Once I 
can successfully authenticate I'd like to proceed to configure and test 
clients (Cisco terminal server and Linux terminal server) to work with the 
server.

Adi





Using ldap authentication/authorization

2002-06-12 Thread Adi Linden

I am looking at using freeradius to authenticate and authorize dialup 
users. All the users are in an LDAP database. There are a few things I need 
to be able to do and I am wondering if freeradius will support it.

- Authenticate user by doing a bind to the LDAP server using the user's
  username and password
- Get the daily timelimit amount for the user from LDAP and apply that
  daily limit
- I have 2 pools of ip addresses with different access on the terminal
  server. I need to somehow assign users to one of the pools using an
  LDAP attribute

Is the above doable with freeradius?

Thanks,
Adi


