Re: FreeRADIUS with DEFAULT user

2002-12-25 Thread Fernando Teodoro
 Check out the default_user_profile directive in sql.conf. This feature has been
 added in the latest versions of the sql module. The comments in sql.conf should
 also be very helpful.
Ok, I've found it. After some tests, I've reached the situation: default
profile works, in fact. But in my case, I need to set up a default profile
with Auth-Type=Accept; the problem is FreeRadius applies default profile to
all users, BEFORE verifying radcheck table. This way, everybody can log in,
with any password, and falls in default profile.
In this point, IC-Radius is more intelligent (or I'm more stupid, and didn't
find the way): IC verifies radcheck table BEFORE, and if the supplied
credentials are ok, authenticates the registered user; otherwise - since the
credentials aren't in radcheck tables - the user falls in DEFAULT scope,
going to a group according with radgroup table (where I can setup different
pool, NAS filter, and so on)

This is the puzzle. Maybe I've missed something, but as far as I've gone,
there's no way to:
a) if the login/pass EXISTS in radcheck, authenticate the user with the
credentials;
b) OTHERWISE, apply group features to this user, now a DEFAULT user.

If there's any way to do this, I'll be very helpful. FreeRadius seems to be
more functional than ICradius, but for now, I've switched back.



-- Fernando


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Using MySQL for authenticate

2002-12-23 Thread Fernando Teodoro
Hi there. I've found a lot of trouble with authorization, authentication and
accounting. After many tries, I've understood the process and which module
should use in each section:

You can (should) use sql in authorize and accounting section.

You cannot use sql in authentication section. See docs/aaa.txt for more
detail. In my tests, I was using pap/chap for authentication (I said 'was'
because I've switched back to ic-radius). In your case, EAP should do the
trick.

Hope to help,


Fernando



- Original Message -
From: wanglu [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 23, 2002 4:49 AM
Subject: Using MySQL for authenticate


Hi
  My O.S. is RedHat7.2 and I installed the freeradius-snapshot2002-09-16.
I'm using EAP for authentication. Now I want to use MySQL in FreeRadius.
  I think I should install the MySQL package first, and then add the 'sql'
in module in authentication and authorization. Is that right? If you have used
MySQL, please give me some advice. I am new to MySQL. How can I configure
Radius to get it work with MySQL? Hope you can tell the steps. Thank you!







wanglu
[EMAIL PROTECTED]
2002-12-23






Pairs do not match user [xxx]

2002-12-19 Thread Fernando Teodoro
Hi again. I've found my question many times in mailinglist archives, but no
suitable solution.
I keep receiving 'pairs do not match user'; in the end, follows copy of log.
I have installed sql tables from the FreeRadius template. Since I'm not
using crypt now, I tried to change 'Password' to 'User-Password' as
attribute in the sql, but still no joy.

Reading the log, it says
  modcall[authorize]: module sql returns notfound
users: Matched DEFAULT at 85
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type system
auth: type System
(after the message about pairs was sent); of course, I don't have a module
'sql {' in radiusd.conf, and don't know how to build one. Then, in the end
of log, I see Found Auth-Type System (is this correct? in my
'authorization' section I'm trying sql, but the module doesn't exist, and
we start it all over..) Is this the problem?
But, according the log, rlm_sql is checking the sql tables after stripping
username - and in this phase I get the error message... Yet, no joy.

Where the error / missing config could be?


-- Fernando



rad_recv: Access-Request packet from host 192.168.1.25:1027, id=35, length=75
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do.  Sleeping until we see a request.
Thread 1 handling request 0, (1 handled so far)
 User-Name = ferds
 User-Password = twister
 NAS-IP-Address = 192.168.1.25
 NAS-Port = 2
 NAS-Port-Type = Async
 Service-Type = Framed-User
 Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = ferds, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
radius_xlat:  'ferds'
rlm_sql (sql): sql_set_user escaped user -- 'ferds'
(...)
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'ferds' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Pairs do not match for user [ferds]
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns notfound
users: Matched DEFAULT at 85
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type system
auth: type System
auth: Failed to validate the user.
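
Added example, not part of the original post and not FreeRADIUS code: a small parser for debug output in the format quoted above. It reports requests where `sql` returned notfound and a users-file DEFAULT entry supplied the Auth-Type, and rates Auth-Type Accept as HIGH because that is the case, described in the 2002-12-25 message, where any password is accepted. The request 1 lines, the user `guest123` and the HIGH/INFO labels are assumptions constructed for illustration.

```python
import re

# Constructed sample: request 0 is trimmed from the debug excerpt in the post;
# request 1 is a made-up variant in the same line format with Auth-Type Accept.
SAMPLE_LOG = """\
Thread 1 handling request 0, (1 handled so far)
 User-Name = ferds
  modcall[authorize]: module sql returns notfound
users: Matched DEFAULT at 85
  rad_check_password:  Found Auth-Type system
Thread 2 handling request 1, (1 handled so far)
 User-Name = guest123
  modcall[authorize]: module sql returns notfound
users: Matched DEFAULT at 85
  rad_check_password:  Found Auth-Type Accept
"""

REQ = re.compile(r"handling request (\d+)")
MOD = re.compile(r"modcall\[authorize\]: module (\S+) returns (\S+)")
PATTERNS = {
    "user": re.compile(r"^\s*User-Name = \"?([^\"\s]+)"),
    "default_line": re.compile(r"users: Matched DEFAULT at (\d+)"),
    "auth_type": re.compile(r"Found Auth-Type (\S+)"),
}

def summarize(log_text):
    # Group debug lines by request and keep the fields that decide the outcome.
    requests, cur = [], None
    for line in log_text.splitlines():
        if m := REQ.search(line):
            cur = {"id": int(m.group(1)), "modules": {}}
            requests.append(cur)
        elif cur is not None:
            if m := MOD.search(line):
                cur["modules"][m.group(1)] = m.group(2)
            for key, rx in PATTERNS.items():
                if m := rx.search(line):
                    cur[key] = m.group(1)
    return requests

def findings(requests):
    # Flag requests where sql found no user and the users-file DEFAULT took over.
    return [("HIGH" if r.get("auth_type", "").lower() == "accept" else "INFO",
             r["id"], r.get("user"), r.get("auth_type"))
            for r in requests
            if r["modules"].get("sql") == "notfound" and "default_line" in r]

if __name__ == "__main__":
    print(findings(summarize(SAMPLE_LOG)))
```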






FreeRADIUS with DEFAULT user

2002-12-19 Thread Fernando Teodoro
Last question (the previous errors I've posted in the list were solved):

I'm using MySQL auth/accounting with FreeRADIUS. The last question remaining
is: is there a way to use DEFAULT user configuration (which can always log
in)?

With ic-radius, this can be accomplished creating a group GUEST in
radgroup table, then setting a/v values in radgroupreply table, adding a
field Auth-Type = Accept for group GUEST in the same table.

Is there a way to do the same with FreeRADIUS? Maybe using the old users
file with a DEFAULT user? In this case, I will need to use Fall-Through in
sql, but I can't imagine how (or where) add this attribute.

I'll be very helpful for any tips about 'add an default user with a/v
auth-type=accept'.

Thanks in advance,


-- Fernando.








SQL 'authenticate' section

2002-12-18 Thread Fernando Teodoro
I'm migrating from ic-radius to freeradius. It seems that they read the same
MySQL table structure. I've made some preliminary adjusts in radiusd.conf,
but still can't have freeradius starting with mysql. I keep getting error:

sql modules aren't allowed in authenticate sections -- they have no such
method

Where did I miss? Also, is there a howto/help/step-by-step guide,
radiusd.conf example, anything I can read about it?
As far as I've gone, freeradius.org has no tips.

Thanks in advance,


-- Fernando.





Re: SQL 'authenticate' section

2002-12-18 Thread Fernando Teodoro
Thanks, Chris, for the quick response (and for understanding I'm a
newbie...)

Ok, FreeRADIUS starts either with pap or chap in authenticate. I quickly
found that FreeRadius doesn't read NAS table from ic-radius, so I've made
the changes in clients.conf; now I'm trying dial-in to NAS, but only get:

'dropping packet from client pm3test:1026 due to dead request 10'
'discarding new request from client pm2test:1026 due to live request 14'
'rlm_sql_getvpdata: database query error'
'rlm_sql (sql): sql query error; rejecting user'

This error appears because freeradius is getting trouble in read ic-radius
tables, or is not table-related?
Of course I'll not report you all my erroneous tests. I'm only trying to
find out where to start to learn.

Also, either chap or pap should work with SQL authorization method? It's
easy to see I have no idea (yet) what exactly pap or chap does, it will be
the next need-to-learn...

Thanks again,


-- Fernando







SQL last question, I swear!

2002-12-18 Thread Fernando Teodoro
Ok, Chris, it cleaned up my preliminary questions. I'll start from the table
templates for FreeRADIUS, and not try to patch that ones I was using with
IC (yes, I know when 'time to RTFM' comes). Since the PAP question is
understood, obviously the other errors are related to my adapted SQL tables.

Two migration questions:
1. with FreeRADIUS, I can have attribute/values pairs set for groups? So I
only need to define attributes for a group in one table, associate users
with groups in another table, and freeradius applies check and reply rules
to the entire group?

2. in case of  'yes' answer to the previous question, can I build a group
'filtered', apply some NAS filter and let any user that isn't in the 'users'
(radcheck?) table logs in, with an Auth-Type =  Access?

I work at an ISP and it's my main priorities, since a user (non-customer)
which dials in but have not account MUST log in with restricted access
(according with NAS filter), and daily-time-limit, function which doesn't
exist in ic-radius, what makes me to migrate to a more functional Radius
server. The group/filter was working fine with ic-radius, and since
FreeRadius has much more features, am I right in guessing I will get my
needed features running with FreeRadius?

Thanks, really, a lot.


-- Fernando





Re: Webpage redirect

2002-12-12 Thread Fernando Teodoro



Hello Chris,

I'm not sure if I post the details to the 
mailing-list, but I'm using the following RAS:
- Lucent PortMaster 3 (22 units)
- Lucent/Ascend Max6000 (4 units)
- MaxTNT (1 unit)

I was guessing if Cisco would do the trick - it 
does a lot of tricks. But I have only Cisco routers in the ISP, no RAS 
:-(
I was also guessing that it's out of the Radius 
scope. There's no way to interact Radius filter with http functions, like web 
redirect via proxy. 
Too sad. I'm working in a log-parser to extract 
"filtered" login/phone number from the log, and sent it to my helpdesk crew - 
and they will call the "filtered" customers. Not so elegant, but it's the most 
effective I can do now...

Again, thanks for the support. 

Fernando.



Re: Webpage redirect

2002-12-12 Thread Fernando Teodoro
 EOL product, but this is capable of doing what you want, if you can
 find the docs to configure it.

The magic can be done with PM3? Sounds great, it's the model for most of my
RAS.
I'll search about it, so. Do you know how this function (redirect according
filter) is called?


 Something that all of the nas you listed can do fairly easily is apply
 a packet filter via RADIUS ( Filter-ID ).  This could block port 80 traffic
 from going anywhere except the proxy server.  You apply it selectively to
 the users you want.  If they don't have proxy settings, they won't be able
 to surf the web, so they'll likely call your NOC.  Your NOC can then tell
 them to add the proxy settings and VOILA.

I'm using Filter-ID; filtered customers have only access to my webserver and
mail server
(I'm also trying to discover how limit the daily usage to 30 minutes)

The problem is my ISP was working together with another ISP, and now this
fellowship has been broke apart. So, when I restrict my customers to only my
webpage (where there's a message telling the story, with a link to validate
their accounts), they must ACTIVELY open the browser and go to my website
(could be a proxy, which I'm not using at this time), to read the message.
Therefore, if they can't go anywhere else in web, there's 50% chance they'll
call my NOC, and 50% chance they'll call the other NOC (the other ISP)

What a puzzle!


Fernando





Redirect homepage with filter

2002-12-11 Thread Fernando Teodoro



Hi there. Glad to join the list.

I'm facing a puzzle dealing with Radius; the whole 
problem doesn't make sense to me, but I'm still trying to find a 
way.
( I work at an ISP in Brazil) 

The classic situation:
Since my customer dials in and authenticates, it 
will have an assigned filter, i.e. if he hasn't paid his prepaid account. With 
this filter, I can say what (IP) addresses and/or services he can or cannot 
access. Regular customers have no filters.

The question:
There's some way, using RAS filters activated by 
the Radius server, to "force" my filtered customer to open some default homepage 
in his browser? In other words, no matter what website he tries to reach, he's 
redirected (at his first try) to www.rantac.com.br/payme.html?

I'm not using proxy. And I can't imagine how to 
combine IPTables (or other packet-filter) to redirect the customer IP to some 
URL based on the RAS/radius filter. 

Any tip? Is this really impossible?


Fernando.





Webpage redirect

2002-12-11 Thread Fernando Teodoro
Hi Matt, and thanks for the tip. Walled Garden sounds fine.

I followed the link you sent me; as far as I understood, a captive portal is a
kind of gateway with transparent proxy that redirects the client browser;
so, when the customer tries any address, its source is verified from an
auth system (if it has already authenticated, he can pass-through and go
anywhere). It should work for me, even with no auth - simply sending a
default webpage to the client with a cookie.

Yet, my problem remains: not all my customers should fall in this system -
they will (or will not) fit in this rule according some criteria - and the
Radius is my first choice, since everybody must dial-in and auth in
Radius. If I let anyone auth in Radius and force anyone to authenticate in
browser to access the web, it will be a great pain for regular customers
(90% of the total users); this is the pattern used by free-ISP in Brazil,
and it makes these services so boring.

Most important, you answered my main question: there's no way to redirect
clients homepage with any of Radius features, right? Radius talks only
with RAS, and not with the end-user. So, any solution will require web-proxy
redirecting. No other way?

Thanks again,


Fernando.

