Interim Accounting

2003-10-28 Thread Das, Anindya Kishore
Hi All,

How can I enable Interim-Accounting in freeradius? I have a Mikrotik
RouterOS set up to send interim requests at every minute but according
to the documentation at Mikrotik the radius server needs to send
an Acct-Interim-Interval = 0 A/V pair back to the NAS so as to take effect.
However, while running the server in debug mode I can see that the Attribute
is not being returned in the Access-Accept packet. Is there some config that
needs to be done?

Thanks for your time.

Andy



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


SQL queries being executed twice

2003-10-09 Thread Das, Anindya Kishore

Hi All,

I am trying to configure accounting on my MySQL server and everything
seems to be working fine... except for the fact that there are two
"INSERT" queries executed for every user logging in. Excerpt from the
"radiusd -x" command is below:

--CUT-
rad_recv: Accounting-Request packet from host 202.183.67.218:34980, id=109, length=149
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = "MikroTik"
NAS-Port = 19071
NAS-Port-Type = Ethernet
User-Name = "aakashshah"
Calling-Station-Id = "00:80:AD:83:B3:41"
Called-Station-Id = "Blaze-World.net"
NAS-Port-Id = "PPPoe"
Acct-Session-Id = "81903a63"
Framed-IP-Address = 203.115.66.241
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-IP-Address = 202.183.67.218
Acct-Delay-Time = 0
modcall: entering group preacct
  modcall[preacct]: module "preprocess" returns noop
rlm_realm: No '@' in User-Name = "aakashshah", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop
  modcall[preacct]: module "files" returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: Hashing 'NAS-Port-Id = "PPPoe",Client-IP-Address = 202.183.67.218,NAS-IP-Address = 202.183.67.218,Acct-Session-Id = "81903a63",User-Name = "aakashshah"'
rlm_acct_unique: Acct-Unique-Session-ID = "1d2f299d28c64497".
  modcall[accounting]: module "acct_unique" returns ok
radius_xlat:  '/usr/local/var/log/radius/radacct/202.183.67.218/detail-20031009'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/202.183.67.218/detail-20031009
  modcall[accounting]: module "detail" returns ok
  modcall[accounting]: module "unix" returns ok
radius_xlat:  'aakashshah'
rlm_sql (sql): sql_set_user escaped user --> 'aakashshah'
radius_xlat:  'INSERT into radacct (RadAcctId, AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
values('', '81903a63', '1d2f299d28c64497', 'aakashshah', '',
'202.183.67.218', '19071', 'Ethernet', '2003-10-09 23:46:21', '0', '0',
'RADIUS', '', '', '0', '0', 'Blaze-World.net', '00:80:AD:83:B3:41', '',
'Framed-User', 'PPP', '203.115.66.241', '0', '0')'
radius_xlat:  '/usr/local/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  INSERT into radacct (RadAcctId, AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
values('', '81903a63', '1d2f299d28c64497', 'aakashshah', '',
'202.183.67.218', '19071', 'Ethernet','2003-10-09 23:46:21', '0', '0',
'RADIUS', '', '', '0', '0', 'Blaze-World.net', '00:80:AD:83:B3:41', '',
'Framed-User', 'PPP', '203.115.66.241', '0', '0')
rlm_sql (sql): Released sql socket id: 4
  modcall[accounting]: module "sql" returns ok
--CUT-

Is there anything that I am missing, or something that I need to check?

Thanks for your time..

Best regards,
Anindya
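
For checking a trace like the one in this message, the following added example (not part of the original post and not FreeRADIUS code) re-joins the wrapped debug lines and separates `radius_xlat:` records from `rlm_sql_mysql: query:` records. It assumes the former are string-expansion traces and only the latter are statements handed to the MySQL driver; the sample log is constructed and abridged, and the function names are hypothetical.

```python
import re

# Constructed, abridged sample in the shape of the "radiusd -x" excerpt above.
SAMPLE = """\
rlm_acct_unique: Acct-Unique-Session-ID = "1d2f299d28c64497".
radius_xlat:  'aakashshah'
radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId,
UserName) values('81903a63', '1d2f299d28c64497', 'aakashshah')'
radius_xlat:  '/usr/local/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  INSERT into radacct (AcctSessionId, AcctUniqueId,
UserName) values('81903a63', '1d2f299d28c64497', 'aakashshah')
  modcall[accounting]: module "sql" returns ok
"""

# Lines with one of these prefixes start a new debug record; any other line
# is treated as a wrapped continuation of the previous record.
RECORD_START = re.compile(r"^\s*(rad_recv:|modcall[:\[]|radius_xlat:|rlm_\w+)")
SQL_VERB = re.compile(r"(INSERT|UPDATE|DELETE|SELECT)\b", re.I)

def records(text):
    """Re-join wrapped lines so that each debug record is one string."""
    out = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def classify_sql(text):
    """Return (expanded, executed): SQL seen in xlat traces vs. sent to MySQL."""
    expanded, executed = [], []
    for rec in records(text):
        if rec.startswith("rlm_sql_mysql: query:"):
            executed.append(rec.split("query:", 1)[1].strip())
        elif rec.startswith("radius_xlat:"):
            body = rec.split(":", 1)[1].strip().strip("'")
            if SQL_VERB.match(body):
                expanded.append(body)
    return expanded, executed

def repeated_statements(text):
    """Executed statements that were sent more than once (whitespace-normalised)."""
    norm = [re.sub(r"\s+", " ", q) for q in classify_sql(text)[1]]
    return sorted({q for q in norm if norm.count(q) > 1})

if __name__ == "__main__":
    print([len(x) for x in classify_sql(SAMPLE)], repeated_statements(SAMPLE))
```

A non-empty result from `repeated_statements` on a full trace means the same statement reached the driver more than once; an empty result with one entry in each list means one expansion and one execution.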



Re: Radius to LDAP mapping.. radius attributes not working fromLDAP.. Solved

2003-03-16 Thread Das, Anindya Kishore
Yes! I had not set up the authorize section properly. Now all seems to be
fine.

Thanks for your help and time.
Regards
Anindya
- Original Message -
From: "freeradius mailing list" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, March 16, 2003 11:12 AM
Subject: Re: Radius to LDAP mapping.. radius attributes not working fromLDAP


> It looks like you aren't using LDAP for Authorization.  What do you have
> in the authorization section of radiusd.conf?  Also, can you attach your
> users file as well if that didn't help?
>
>
> authorize {
>     preprocess
>     suffix
>     files
>     ldap {
>         notfound = return
>     }
> }
>
> -Dustin Doris
>
> On Fri, 14 Mar 2003, Das, Anindya Kishore wrote:
>
> > Hi,
> >
> > Attaching the two files, one with an authentication from the local users
> > file, the other from the LDAP. The reply packet (Access-accept) seems to be
> > the differentiation, though I am not a RADIUS expert.
> >
> > Anindya
> > - Original Message -
> > From: "freeradius mailing list" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, March 14, 2003 10:02 AM
> > Subject: Re: Radius to LDAP mapping.. radius attributes not working fromLDAP
> >
> >
> > > > Yes, I did add radiusPortLimit as a replyitem in the ldap.attrmap file.
> > > > The entry looks like this:
> > > >
> > > > replyItem Port-Limit radiusPortLimit
> > > >
> > > > No luck still :-(,
> > > >
> > > > Anindya
> > >
> > > I had a problem similar to that a few days ago, so I may be able to help.
> > > Can you send a copy of radius debug messages?  (fire it up with radius
> > > -X)


Re: Radius to LDAP mapping.. radius attributes not working fromLDAP

2003-03-13 Thread Das, Anindya Kishore
Hi,

Attaching the two files, one with an authentication from the local users
file, the other from the LDAP. The reply packet (Access-accept) seems to be
the differentiation, though I am not a RADIUS expert.

Anindya
- Original Message -
From: "freeradius mailing list" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 14, 2003 10:02 AM
Subject: Re: Radius to LDAP mapping.. radius attributes not working fromLDAP


> > Yes, I did add radiusPortLimit as a replyitem in the ldap.attrmap file.
> > The entry looks like this:
> >
> > replyItem Port-Limit radiusPortLimit
> >
> > No luck still :-(,
> >
> > Anindya
>
> I had a problem similar to that a few days ago, so I may be able to help.
> Can you send a copy of radius debug messages?  (fire it up with radius
> -X)


auth-local-users.dump
Description: Binary data


auth-ldap.dump
Description: Binary data



Re: Radius to LDAP mapping.. radius attributes not working fromLDAP

2003-03-13 Thread Das, Anindya Kishore
Hi,

Yes, I did add radiusPortLimit as a replyitem in the ldap.attrmap file. The
entry looks like this:

replyItem Port-Limit radiusPortLimit

No luck still :-(,

Anindya
- Original Message -
From: "freeradius mailing list" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 13, 2003 10:16 PM
Subject: Re: Radius to LDAP mapping.. radius attributes not working fromLDAP


> Did you add radiusportlimit to the ldap.attrmap file as a reply item?
>
>
> On Thu, 13 Mar 2003, Das, Anindya Kishore wrote:
>
> > Hi All,
> >
> > I have been trying to get Freeradius to authenticate users against the
> > entries in my OpenLDAP directory with individual user rights. My setup
> > requires that I have a port-limit set up on each user when they register and
> > I am trying to get this information passed from the LDAP directory to the
> > NAS via FreeRadius.
> >
> > My ldap() section in radiusd.conf file looks like this...
> >
> >
> > ldap {
> >     server = "ldap.pacenet-india.com"
> >     port = "389"
> >     # identity = "cn=admin,o=My Org,c=UA"
> >     # password = mypass
> >     basedn = "ou=users,o=pacenet-india,dc=com"
> >     filter = "(uid=%u)"
> >     #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> >
> >     # set this to 'yes' to use TLS encrypted connections
> >     # to the LDAP database by using the StartTLS extended
> >     # operation.
> >     start_tls = no
> >     # set this to 'yes' to use TLS encrypted connections to the
> >     # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
> >     # the ldap library.
> >     tls_mode = no
> >
> >     # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> >     # profile_attribute = "radiusProfileDn"
> >     access_attr = "dialupAccess"
> >
> >     # Mapping of RADIUS dictionary attributes to LDAP
> >     # directory attributes.
> >     dictionary_mapping = ${raddbdir}/ldap.attrmap
> >
> >     # ldap_cache_timeout = 120
> >     # ldap_cache_size = 0
> >     ldap_connections_number = 5
> >     # password_header = "{clear}"
> >     # password_attribute = userPassword
> >     # groupname_attribute = cn
> >     # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> >     # groupmembership_attribute = radiusGroupName
> >     timeout = 140
> >     timelimit = 30
> >     net_timeout = 10
> >     # compare_check_items = yes
> >     # access_attr_used_for_allow = yes
> > }
> >
> > and one of my test user's ldif looks like this
> >
> >
> > dn: uid=akd5,ou=users,o=pacenet-india,dc=com
> >
> > objectClass: top
> > objectClass: account
> > objectClass: posixAccount
> > objectClass: person
> > objectClass: inetOrgPerson
> > objectClass: radiusProfile
> > dialupAccess: yes
> > radiusPortLimit: 4
> > cn: Anindya
> > sn: Das
> > gecos: akd5
> > gidNumber: 15
> > mail: [EMAIL PROTECTED]
> > loginShell: /bin/sh
> > homeDirectory: /home/akd
> > uidNumber: 101123
> > userPassword: 123456
> > uid: akd5
> >
> > I have added the RADIUS schema for LDAP v3 and all works fine and the user
> > gets authenticated and all. The problem is that the "radiusPortLimit" does
> > not come into effect. I have tried adding the same information in the users
> > file in the standard RADIUS user file format, which works beautifully.
> >
> > Is there anything I am doing wrong or missing out because of which the
> > radius attributes are not being picked up from the directory? I am using the
> > following:
> >
> > 1. FreeRadius version 0.8.1
> > 2. OpenLDAP 2.x (LDAP Ver3)
> >
> >
> > Any help in this regard would be greatly appreciated.
> >
> > Thanks in advance
> >
> > Anindya


Radius to LDAP mapping.. radius attributes not working from LDAP

2003-03-13 Thread Das, Anindya Kishore
Hi All,

I have been trying to get Freeradius to authenticate users against the
entries in my OpenLDAP directory with individual user rights. My setup
requires that I have a port-limit set up on each user when they register and
I am trying to get this information passed from the LDAP directory to the
NAS via FreeRadius.

My ldap() section in radiusd.conf file looks like this...


ldap {
    server = "ldap.pacenet-india.com"
    port = "389"
    # identity = "cn=admin,o=My Org,c=UA"
    # password = mypass
    basedn = "ou=users,o=pacenet-india,dc=com"
    filter = "(uid=%u)"
    #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    start_tls = no
    # set this to 'yes' to use TLS encrypted connections to the
    # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
    # the ldap library.
    tls_mode = no

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    # ldap_cache_timeout = 120
    # ldap_cache_size = 0
    ldap_connections_number = 5
    # password_header = "{clear}"
    # password_attribute = userPassword
    # groupname_attribute = cn
    # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    # groupmembership_attribute = radiusGroupName
    timeout = 140
    timelimit = 30
    net_timeout = 10
    # compare_check_items = yes
    # access_attr_used_for_allow = yes
}

and one of my test user's ldif looks like this


dn: uid=akd5,ou=users,o=pacenet-india,dc=com

objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: radiusProfile
dialupAccess: yes
radiusPortLimit: 4
cn: Anindya
sn: Das
gecos: akd5
gidNumber: 15
mail: [EMAIL PROTECTED]
loginShell: /bin/sh
homeDirectory: /home/akd
uidNumber: 101123
userPassword: 123456
uid: akd5

I have added the RADIUS schema for LDAP v3 and all works fine and the user
gets authenticated and all. The problem is that the "radiusPortLimit" does
not come into effect. I have tried adding the same information in the users
file in the standard RADIUS user file format, which works beautifully.

Is there anything I am doing wrong or missing out because of which the
radius attributes are not being picked up from the directory? I am using the
following:

1. FreeRadius version 0.8.1
2. OpenLDAP 2.x (LDAP Ver3)


Any help in this regard would be greatly appreciated.

Thanks in advance

Anindya



