Interim Accounting
Hi All,

How can I enable Interim-Accounting in freeradius? I have a Mikrotik RouterOS set up to send interim requests at every minute but according to the documentation at Mikrotik the radius server needs to send an Acct-Interim-Interval = 0 A/V pair back to the NAS so as to take effect. However, while running the server in debug mode I can see that the Attribute is not being returned in the Access-Accept packet. Is there some config that needs to be done?

Thanks for your time.

Andy
SQL queries being executed twice
Hi All,

I am trying to configure accounting on my MySQL server and everything seems to be working fine... except for the fact that there are two "INSERT" queries executed for every user logging in. Excerpt from the "radiusd -x" command is below:

--CUT-
rad_recv: Accounting-Request packet from host 202.183.67.218:34980, id=109, length=149
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Identifier = "MikroTik"
    NAS-Port = 19071
    NAS-Port-Type = Ethernet
    User-Name = "aakashshah"
    Calling-Station-Id = "00:80:AD:83:B3:41"
    Called-Station-Id = "Blaze-World.net"
    NAS-Port-Id = "PPPoe"
    Acct-Session-Id = "81903a63"
    Framed-IP-Address = 203.115.66.241
    Acct-Authentic = RADIUS
    Acct-Status-Type = Start
    NAS-IP-Address = 202.183.67.218
    Acct-Delay-Time = 0
modcall: entering group preacct
modcall[preacct]: module "preprocess" returns noop
rlm_realm: No '@' in User-Name = "aakashshah", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[preacct]: module "suffix" returns noop
modcall[preacct]: module "files" returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: Hashing 'NAS-Port-Id = "PPPoe",Client-IP-Address = 202.183.67.218,NAS-IP-Address = 202.183.67.218,Acct-Session-Id = "81903a63",User-Name = "aakashshah"'
rlm_acct_unique: Acct-Unique-Session-ID = "1d2f299d28c64497".
modcall[accounting]: module "acct_unique" returns ok
radius_xlat: '/usr/local/var/log/radius/radacct/202.183.67.218/detail-20031009'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/202.183.67.218/detail-20031009
modcall[accounting]: module "detail" returns ok
modcall[accounting]: module "unix" returns ok
radius_xlat: 'aakashshah'
rlm_sql (sql): sql_set_user escaped user --> 'aakashshah'
radius_xlat: 'INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '81903a63', '1d2f299d28c64497', 'aakashshah', '', '202.183.67.218', '19071', 'Ethernet', '2003-10-09 23:46:21', '0', '0', 'RADIUS', '', '', '0', '0', 'Blaze-World.net', '00:80:AD:83:B3:41', '', 'Framed-User', 'PPP', '203.115.66.241', '0', '0')'
radius_xlat: '/usr/local/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '81903a63', '1d2f299d28c64497', 'aakashshah', '', '202.183.67.218', '19071', 'Ethernet','2003-10-09 23:46:21', '0', '0', 'RADIUS', '', '', '0', '0', 'Blaze-World.net', '00:80:AD:83:B3:41', '', 'Framed-User', 'PPP', '203.115.66.241', '0', '0')
rlm_sql (sql): Released sql socket id: 4
modcall[accounting]: module "sql" returns ok
--CUT-

Is there anything that I am missing, something that I need to check?

Thanks for your time.

Best regards,
Anindya
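Added example, not part of the original post and not FreeRADIUS code: in the excerpt above the INSERT text is printed twice, once on a `radius_xlat:` line (the expanded query template) and once on the `rlm_sql_mysql: query:` line (the statement handed to MySQL). The script below separates the two per request and reports statements that were really executed more than once; the sample log is constructed, with a shortened column list and an invented second request.

```python
import re
from collections import Counter

# Constructed sample shaped like the `radiusd -x` excerpt (column list shortened);
# the second request is invented to show a statement that really runs twice.
SAMPLE_DEBUG = """\
rad_recv: Accounting-Request packet from host 202.183.67.218:34980, id=109, length=149
    Acct-Session-Id = "81903a63"
    Acct-Status-Type = Start
radius_xlat: 'INSERT into radacct (AcctSessionId, UserName) values('81903a63', 'aakashshah')'
rlm_sql_mysql: query: INSERT into radacct (AcctSessionId,UserName) values('81903a63', 'aakashshah')
rad_recv: Accounting-Request packet from host 202.183.67.218:34980, id=110, length=149
    Acct-Session-Id = "example02"
    Acct-Status-Type = Start
rlm_sql_mysql: query: INSERT into radacct (AcctSessionId, UserName) values('example02', 'u')
rlm_sql_mysql: query: INSERT into radacct (AcctSessionId, UserName) values('example02', 'u')
"""

VERB = r"(?:INSERT|UPDATE|DELETE|SELECT)\b"
RECV = re.compile(r"^rad_recv: \S+ packet")
ATTR = re.compile(r'^\s*([\w-]+) = "?([^"]*)"?\s*$')
EXPANDED = re.compile(rf"^radius_xlat:\s*'({VERB}.*)'\s*$", re.I)    # template expansion only
EXECUTED = re.compile(rf"^rlm_sql_\w+: query:\s*({VERB}.*)$", re.I)  # sent to the database
WANTED = {"Acct-Session-Id": "session", "Acct-Status-Type": "status"}

def squash(sql):
    return re.sub(r"\s+", "", sql)  # ignore whitespace so wrapped log lines compare equal

def summarize(debug_text):
    """One dict per received packet: what was expanded vs. what was executed."""
    requests, cur = [], None
    for line in debug_text.splitlines():
        if RECV.match(line):
            cur = {"session": None, "status": None, "expanded": [], "executed": []}
            requests.append(cur)
        elif cur is None:
            continue
        elif (m := ATTR.match(line)) and m.group(1) in WANTED:
            cur[WANTED[m.group(1)]] = m.group(2)
        elif m := EXPANDED.match(line):
            cur["expanded"].append(squash(m.group(1)))
        elif m := EXECUTED.match(line):
            cur["executed"].append(squash(m.group(1)))
    return requests

def repeated_writes(requests):
    """(session, count) for every statement executed more than once in one request."""
    return [(r["session"], n) for r in requests
            for n in Counter(r["executed"]).values() if n > 1]
```

Comparing `repeated_writes()` with the row count in `radacct` for the same Acct-Session-Id shows whether duplicate rows come from the server or from the NAS sending the packet twice.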
Re: Radius to LDAP mapping.. radius attributes not working fromLDAP.. Solved
Yes! I had not set up the authorize section properly. Now all seems to be fine. Thanks for your help and time.

Regards
Anindya

----- Original Message -----
From: "freeradius mailing list" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, March 16, 2003 11:12 AM
Subject: Re: Radius to LDAP mapping.. radius attributes not working fromLDAP

> It looks like you aren't using LDAP for Authorization. What do you have
> in the authorization section of radiusd.conf? Also, can you attach your
> users file as well if that didn't help?
>
> authorize {
>     preprocess
>     suffix
>     files
>     ldap {
>         notfound = return
>     }
> }
>
> -Dustin Doris
>
> On Fri, 14 Mar 2003, Das, Anindya Kishore wrote:
>
> > Hi,
> >
> > Attaching the two files, one with an authentication from the local users
> > file, the other from the LDAP. The reply packet (Access-accept) seems to be
> > the differentiation, though I am not a RADIUS expert.
> >
> > Anindya
> > ----- Original Message -----
> > From: "freeradius mailing list" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, March 14, 2003 10:02 AM
> > Subject: Re: Radius to LDAP mapping.. radius attributes not working fromLDAP
> >
> > > > Yes, I did add radiusPortLimit as a replyitem in the ldap.attrmap file. The
> > > > entry looks like this:
> > > >
> > > > replyItem Port-Limit radiusPortLimit
> > > >
> > > > No luck still :-(,
> > > >
> > > > Anindya
> > >
> > > I had a problem similar to that a few days ago, so I may be able to help.
> > > Can you send a copy of radius debug messages? (fire it up with radius
> > > -X)
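Added example, not part of the original messages and not FreeRADIUS code: a small check for the fix this thread arrived at, namely that `ldap` is actually listed in the `authorize` section of radiusd.conf and not merely present in a comment. The `BEFORE` text is a constructed assumption (the poster's original section is not shown on the page); `AFTER` is the block quoted in the reply above.

```python
import re

# Constructed "before": ldap appears only as a commented-out line in authorize.
BEFORE = """
authorize {
    preprocess
    suffix
    files
#   ldap
}
"""

# "After": the authorize block quoted in the reply.
AFTER = """
authorize {
    preprocess
    suffix
    files
    ldap {
        notfound = return
    }
}
"""

def section_modules(conf, section):
    """Module names listed at the top level of `section { ... }`, comments ignored."""
    modules, depth, inside = [], 0, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if inside and depth == 1 and line != "}":
            # "ldap {" opens a per-module override block; keep only the name
            modules.append(line.rstrip("{").split()[0])
        elif depth == 0 and re.fullmatch(re.escape(section) + r"\s*\{", line):
            inside = True
        depth += line.count("{") - line.count("}")
        if inside and depth == 0:
            break
    return modules

def ldap_in_authorize(conf):
    """True when the ldap module is really called during authorization."""
    return "ldap" in section_modules(conf, "authorize")
```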
Re: Radius to LDAP mapping.. radius attributes not working fromLDAP
Hi,

Attaching the two files, one with an authentication from the local users file, the other from the LDAP. The reply packet (Access-accept) seems to be the differentiation, though I am not a RADIUS expert.

Anindya

----- Original Message -----
From: "freeradius mailing list" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 14, 2003 10:02 AM
Subject: Re: Radius to LDAP mapping.. radius attributes not working fromLDAP

> > Yes, I did add radiusPortLimit as a replyitem in the ldap.attrmap file. The
> > entry looks like this:
> >
> > replyItem Port-Limit radiusPortLimit
> >
> > No luck still :-(,
> >
> > Anindya
>
> I had a problem similar to that a few days ago, so I may be able to help.
> Can you send a copy of radius debug messages? (fire it up with radius
> -X)

[Attachments: auth-local-users.dump, auth-ldap.dump (binary data)]
Re: Radius to LDAP mapping.. radius attributes not working fromLDAP
Hi,

Yes, I did add radiusPortLimit as a replyitem in the ldap.attrmap file. The entry looks like this:

replyItem Port-Limit radiusPortLimit

No luck still :-(,

Anindya

----- Original Message -----
From: "freeradius mailing list" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 13, 2003 10:16 PM
Subject: Re: Radius to LDAP mapping.. radius attributes not working fromLDAP

> Did you add radiusportlimit to the ldap.attrmap file as a reply item?
>
> On Thu, 13 Mar 2003, Das, Anindya Kishore wrote:
>
> > Hi All,
> >
> > I have been trying to get Freeradius to authenticate users against the
> > entries in my OpenLDAP directory with individual user rights. My setup
> > requires that I have a port-limit set up on each user when they register and
> > I am trying to get this information passed from the LDAP directory to the
> > NAS via FreeRadius.
> >
> > My ldap() section in radiusd.conf file looks like this...
> >
> > ldap {
> >     server = "ldap.pacenet-india.com"
> >     port = "389"
> >     # identity = "cn=admin,o=My Org,c=UA"
> >     # password = mypass
> >     basedn = "ou=users,o=pacenet-india,dc=com"
> >     filter = "(uid=%u)"
> >     #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> >
> >     # set this to 'yes' to use TLS encrypted connections
> >     # to the LDAP database by using the StartTLS extended
> >     # operation.
> >     start_tls = no
> >     # set this to 'yes' to use TLS encrypted connections to the
> >     # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
> >     # the ldap library.
> >     tls_mode = no
> >
> >     # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> >     # profile_attribute = "radiusProfileDn"
> >     access_attr = "dialupAccess"
> >
> >     # Mapping of RADIUS dictionary attributes to LDAP
> >     # directory attributes.
> >     dictionary_mapping = ${raddbdir}/ldap.attrmap
> >
> >     # ldap_cache_timeout = 120
> >     # ldap_cache_size = 0
> >     ldap_connections_number = 5
> >     # password_header = "{clear}"
> >     # password_attribute = userPassword
> >     # groupname_attribute = cn
> >     # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> >     # groupmembership_attribute = radiusGroupName
> >     timeout = 140
> >     timelimit = 30
> >     net_timeout = 10
> >     # compare_check_items = yes
> >     # access_attr_used_for_allow = yes
> > }
> >
> > and one of my test user's ldif looks like this
> >
> > dn: uid=akd5,ou=users,o=pacenet-india,dc=com
> > objectClass: top
> > objectClass: account
> > objectClass: posixAccount
> > objectClass: person
> > objectClass: inetOrgPerson
> > objectClass: radiusProfile
> > dialupAccess: yes
> > radiusPortLimit: 4
> > cn: Anindya
> > sn: Das
> > gecos: akd5
> > gidNumber: 15
> > mail: [EMAIL PROTECTED]
> > loginShell: /bin/sh
> > homeDirectory: /home/akd
> > uidNumber: 101123
> > userPassword: 123456
> > uid: akd5
> >
> > I have added the RADIUS schema for LDAP v3 and all works fine and the user
> > gets authenticated and all. The problem is that the "radiusPortLimit" does
> > not come into effect. I have tried adding the same information in the users
> > file in the standard RADIUS user file format, which works beautifully.
> >
> > Is there anything I am doing wrong or missing out because of which the
> > radius attributes are not being picked up from the directory? I am using the
> > following:
> >
> > 1. FreeRadius version 0.8.1
> > 2. OpenLDAP 2.x (LDAP Ver3)
> >
> > Any help in this regard would be greatly appreciated.
> >
> > Thanks in advance
> >
> > Anindya
Radius to LDAP mapping.. radius attributes not working from LDAP
Hi All,

I have been trying to get Freeradius to authenticate users against the entries in my OpenLDAP directory with individual user rights. My setup requires that I have a port-limit set up on each user when they register and I am trying to get this information passed from the LDAP directory to the NAS via FreeRadius.

My ldap() section in radiusd.conf file looks like this...

ldap {
    server = "ldap.pacenet-india.com"
    port = "389"
    # identity = "cn=admin,o=My Org,c=UA"
    # password = mypass
    basedn = "ou=users,o=pacenet-india,dc=com"
    filter = "(uid=%u)"
    #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    start_tls = no
    # set this to 'yes' to use TLS encrypted connections to the
    # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
    # the ldap library.
    tls_mode = no

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    # ldap_cache_timeout = 120
    # ldap_cache_size = 0
    ldap_connections_number = 5
    # password_header = "{clear}"
    # password_attribute = userPassword
    # groupname_attribute = cn
    # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    # groupmembership_attribute = radiusGroupName
    timeout = 140
    timelimit = 30
    net_timeout = 10
    # compare_check_items = yes
    # access_attr_used_for_allow = yes
}

and one of my test user's ldif looks like this

dn: uid=akd5,ou=users,o=pacenet-india,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: radiusProfile
dialupAccess: yes
radiusPortLimit: 4
cn: Anindya
sn: Das
gecos: akd5
gidNumber: 15
mail: [EMAIL PROTECTED]
loginShell: /bin/sh
homeDirectory: /home/akd
uidNumber: 101123
userPassword: 123456
uid: akd5

I have added the RADIUS schema for LDAP v3 and all works fine and the user gets authenticated and all. The problem is that the "radiusPortLimit" does not come into effect. I have tried adding the same information in the users file in the standard RADIUS user file format, which works beautifully.

Is there anything I am doing wrong or missing out because of which the radius attributes are not being picked up from the directory? I am using the following:

1. FreeRadius version 0.8.1
2. OpenLDAP 2.x (LDAP Ver3)

Any help in this regard would be greatly appreciated.

Thanks in advance

Anindya