Re: ip pool problem ?
On Thu, Dec 18, 2003 at 03:49:20PM +0700, [EMAIL PROTECTED] wrote:
> I need help on configuring freeradius, on ip pooling. issue I use mysql as the user
> as well as ip database. But it seems, radius can works on range ip I gave but I
> works on ip with "+", but I can control the ip assignment that server gave to user
> who dials in. Also I previously try using main_ippool with range start & range stop,
> it seems don't work. Can anyone help me figure out this phenomena?

As far as I know, freeradius does not store ip pools in sql databases. Perhaps you can provide some debugging output and configuration you use (don't send everything, only the 'interesting' parts).

Oliver.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ip pool problem ?
Dearest Freeradiusers,

I need help on configuring freeradius, on ip pooling. issue I use mysql as the user as well as ip database. But it seems, radius can works on range ip I gave but I works on ip with "+", but I can control the ip assignment that server gave to user who dials in. Also I previously try using main_ippool with range start & range stop, it seems don't work. Can anyone help me figure out this phenomena?

Thx, I look fwd for any response and advice

Joko P.
Re: IP Pool Unused IPs deallocation?
On Thu, Dec 04, 2003 at 03:27:49PM +0200, m0bius wrote:
> Well you may actually be correct but from what I have read during the
> past months some NAS equipment didn't have any problems with the ip
> management via the radius server so I thought this should be a most
> applicable method to setup radius.

It is nice to manage all ips on the radius, but on the other hand I do just the same with my pool based setup. All pools and pool assignments are managed via the radius on our ascend and cisco nas equipment (they both support nas side ip pools managed via radius very well).

Oliver.
RE: IP Pool Unused IPs deallocation?
> > > On the other hand: why not just let the MAX distribute the IPs? make a
> > > pools-NAS-NAME entry which assigns your pools to the NAS and choose
> > > the pool via the Ascend-Assign-IP-Pool attribute. Works fine (I have
> > > about a dozen MAX 2000/4000/6000/TNT with this setup).
> >
> > So let me see if I get this straight. I should create something like:
> >
> > pools-nas1 Ascend-Assign-IP-Pool := "nas1_pool" ?
>
> No.
> Example (makes three pools on nas1 and has 3 test users which each get
> an ip from a different pool):
>
> pools-nas1      Auth-Type := Local, User-Password == "ascend"
>         Service-Type = Outbound-User,
>         Ascend-IP-Pool-Definition = "1 10.10.10.1 126",
>         Ascend-IP-Pool-Definition = "2 10.10.20.1 126",
>         Ascend-IP-Pool-Definition = "3 10.10.30.1 126"
>
> user1   Auth-Type := Local, User-Password == "test1"
>         Service-Type = Framed,
>         Framed-Protocol = MPP,
>         Ascend-Maximum-Channels = 2,
>         Ascend-Assign-IP-Pool = 1,
>         Ascend-Idle-Limit = 3600,
>         Ascend-Client-Primary-DNS = 10.1.1.1,
>         Ascend-Client-Secondary-DNS = 10.2.1.1,
>         Ascend-Client-Assign-DNS = DNS-Assign-Yes
>
> user2   Auth-Type := Local, User-Password == "test2"
>         Service-Type = Framed,
>         Framed-Protocol = MPP,
>         Ascend-Maximum-Channels = 2,
>         Ascend-Assign-IP-Pool = 2,
>         Ascend-Idle-Limit = 3600,
>         Ascend-Client-Primary-DNS = 10.1.1.1,
>         Ascend-Client-Secondary-DNS = 10.2.1.1,
>         Ascend-Client-Assign-DNS = DNS-Assign-Yes
>
> user3   Auth-Type := Local, User-Password == "test3"
>         Service-Type = Framed,
>         Framed-Protocol = MPP,
>         Ascend-Maximum-Channels = 2,
>         Ascend-Assign-IP-Pool = 3,
>         Ascend-Idle-Limit = 3600,
>         Ascend-Client-Primary-DNS = 10.1.1.1,
>         Ascend-Client-Secondary-DNS = 10.2.1.1,
>         Ascend-Client-Assign-DNS = DNS-Assign-Yes
>
> This works well with fallback defaults / sql group replies.

I see. I will forward these changes to see whether the problems are totally solved and let you know of the outcome. This whole issue with the IP Pools has been in my mind since I first started working along with Radius.

> > I don't know if I understood exactly what you mean. I've never worked
> > with ascend before. If however it's pretty much the above has this
> > anything to do with the countless auth requests regarding
> > pools-nas1/ascend I receive or have I screwed everything badly? :-)
>
> Oh, missed that paragraph...
> Yep. pool defs must go to the pools user of the nas. As soon as the max
> powers up, it asks for its pools. If it gets a user reply which has an
> unknown pool, it should ask again.

Another helpful tip. Browsing the archives this subject had been mentioned before but the answer was simply to put this user in Service-Type = REJECT to avoid the logging of these connections. Let alone the manuals of the NAS equipment have been lost through the centuries making my life much more difficult :-)

> I don't trust freeradius to assign IP addresses, cause the NAS is the one
> who knows if a session is there or if it is not. There is no real point in
> letting the radius assign ip addresses if your NAS equipment can do it. And
> if you are changing pools often, this is also no problem if you're running
> some sort of dynamic routing protocol, cause the nas will announce its
> learned pools via this way...

Well you may actually be correct but from what I have read during the past months some NAS equipment didn't have any problems with the ip management via the radius server so I thought this should be a most applicable method to setup radius.

> Oliver.

Thank you very much for all your help.

Regards,
Paris
Re: IP Pool Unused IPs deallocation?
On Thu, Dec 04, 2003 at 11:17:12AM +0200, m0bius wrote:
> I don't know if I understood exactly what you mean. I've never worked
> with ascend before. If however it's pretty much the above has this
> anything to do with the countless auth requests regarding
> pools-nas1/ascend I receive or have I screwed everything badly? :-)

Oh, missed that paragraph...

Yep. pool defs must go to the pools user of the nas. As soon as the max powers up, it asks for its pools. If it gets a user reply which has an unknown pool, it should ask again.

I don't trust freeradius to assign IP addresses, cause the NAS is the one who knows if a session is there or if it is not. There is no real point in letting the radius assign ip addresses if your NAS equipment can do it. And if you are changing pools often, this is also no problem if you're running some sort of dynamic routing protocol, cause the nas will announce its learned pools via this way...

Oliver.
Re: IP Pool Unused IPs deallocation?
On Thu, Dec 04, 2003 at 11:17:12AM +0200, m0bius wrote:
>
> > > DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"
> > >         Framed-MTU = 1500,
> > >         Service-Type = Framed-User,
> > >         Fall-Through = 1,
> > >         Ascend-IP-Pool-Definition = "1 111.222.333.97 93"
> >
> > As far as I understand, an Ascend-Pool def is not needed in the
> > described setup. If the radius assigns IPs, the MAX does not need a
> > pool, just route the IPs to it.
>
> Actually Ascend-IP-Pool-Definition has been there since my early tests
> and hasn't been removed by a mistake.
>
> > On the other hand: why not just let the MAX distribute the IPs? make a
> > pools-NAS-NAME entry which assigns your pools to the NAS and choose
> > the pool via the Ascend-Assign-IP-Pool attribute. Works fine (I have
> > about a dozen MAX 2000/4000/6000/TNT with this setup).
>
> So let me see if I get this straight. I should create something like:
>
> pools-nas1 Ascend-Assign-IP-Pool := "nas1_pool" ?

No.

Example (makes three pools on nas1 and has 3 test users which each get an ip from a different pool):

pools-nas1      Auth-Type := Local, User-Password == "ascend"
        Service-Type = Outbound-User,
        Ascend-IP-Pool-Definition = "1 10.10.10.1 126",
        Ascend-IP-Pool-Definition = "2 10.10.20.1 126",
        Ascend-IP-Pool-Definition = "3 10.10.30.1 126"

user1   Auth-Type := Local, User-Password == "test1"
        Service-Type = Framed,
        Framed-Protocol = MPP,
        Ascend-Maximum-Channels = 2,
        Ascend-Assign-IP-Pool = 1,
        Ascend-Idle-Limit = 3600,
        Ascend-Client-Primary-DNS = 10.1.1.1,
        Ascend-Client-Secondary-DNS = 10.2.1.1,
        Ascend-Client-Assign-DNS = DNS-Assign-Yes

user2   Auth-Type := Local, User-Password == "test2"
        Service-Type = Framed,
        Framed-Protocol = MPP,
        Ascend-Maximum-Channels = 2,
        Ascend-Assign-IP-Pool = 2,
        Ascend-Idle-Limit = 3600,
        Ascend-Client-Primary-DNS = 10.1.1.1,
        Ascend-Client-Secondary-DNS = 10.2.1.1,
        Ascend-Client-Assign-DNS = DNS-Assign-Yes

user3   Auth-Type := Local, User-Password == "test3"
        Service-Type = Framed,
        Framed-Protocol = MPP,
        Ascend-Maximum-Channels = 2,
        Ascend-Assign-IP-Pool = 3,
        Ascend-Idle-Limit = 3600,
        Ascend-Client-Primary-DNS = 10.1.1.1,
        Ascend-Client-Secondary-DNS = 10.2.1.1,
        Ascend-Client-Assign-DNS = DNS-Assign-Yes

This works well with fallback defaults / sql group replies.

Oliver.
RE: IP Pool Unused IPs deallocation?
> > DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"
> >         Framed-MTU = 1500,
> >         Service-Type = Framed-User,
> >         Fall-Through = 1,
> >         Ascend-IP-Pool-Definition = "1 111.222.333.97 93"
>
> As far as I understand, an Ascend-Pool def is not needed in the
> described setup. If the radius assigns IPs, the MAX does not need a
> pool, just route the IPs to it.

Actually Ascend-IP-Pool-Definition has been there since my early tests and hasn't been removed by a mistake.

> On the other hand: why not just let the MAX distribute the IPs? make a
> pools-NAS-NAME entry which assigns your pools to the NAS and choose
> the pool via the Ascend-Assign-IP-Pool attribute. Works fine (I have
> about a dozen MAX 2000/4000/6000/TNT with this setup).

So let me see if I get this straight. I should create something like:

pools-nas1 Ascend-Assign-IP-Pool := "nas1_pool" ?

I don't know if I understood exactly what you mean. I've never worked with ascend before. If however it's pretty much the above has this anything to do with the countless auth requests regarding pools-nas1/ascend I receive or have I screwed everything badly? :-)

> Oliver.

Regards,
Paris
Re: IP Pool Unused IPs deallocation?
On Thu, Dec 04, 2003 at 03:07:41AM +0200, m0bius wrote:
> DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"
>         Framed-MTU = 1500,
>         Service-Type = Framed-User,
>         Fall-Through = 1,
>         Ascend-IP-Pool-Definition = "1 111.222.333.97 93"

As far as I understand, an Ascend-Pool def is not needed in the described setup. If the radius assigns IPs, the MAX does not need a pool, just route the IPs to it.

On the other hand: why not just let the MAX distribute the IPs? make a pools-NAS-NAME entry which assigns your pools to the NAS and choose the pool via the Ascend-Assign-IP-Pool attribute. Works fine (I have about a dozen MAX 2000/4000/6000/TNT with this setup).

Oliver.
IP Pool Unused IPs deallocation?
Hi there,

For once more I seem to be having a slight problem with FreeRadius. During mostly times of high connectivity from the dialup users some users connect normally but only a few seconds later the link fails and they get an error for redialing without any reason. I've noticed a few strange things while searching for this... First of all while I get a Login OK line on radiusd.log there is absolutely nothing passed obviously to radacct since the dialup admin does not show the connection attempt (By comparing the time of the last successful connections).

I have the following IP Pool configuration:

ippool main_pool {
        range-start = 111.222.333.97
        range-stop = 111.222.333.189
        netmask = 255.255.255.0
        cache-size = 93
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = yes
}

And also something like:

DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"
        Framed-MTU = 1500,
        Service-Type = Framed-User,
        Fall-Through = 1,
        Ascend-IP-Pool-Definition = "1 111.222.333.97 93"

So I've noticed the following. While running radiusd on debug mode the rlm-ippool seems to assign ips correctly. However I've noticed that the ips on the db.* files do not seem to be freed on Accounting Stop. For example at this very moment radwho | wc -l returns a value of 12 while rlm_ippool_tool -c db.ippool db.ipindex returns 62. Shouldn't the ips not used anymore become free or am I missing something more vital?

I can't seem to determine what is going on. I fear that there may be a problem regarding the Ascend Lucent Max 6000 we are using that causes the disconnections, since by reading past threads it seems that the Ascend Maxes do not always work as they should. But since the configurations are enormous I would like to make sure that the radius is configured properly so that I could focus on the NASes.

Anyway I would be most grateful for any hints given that could finally finish the radius issue for me once and for good :-)

Regards,
Paris Stamatopoulos
Re: freeradius send only one Ascend-IP-Pool-Definition
At 07:30 AM 9/26/2003, you wrote:
> Hi, please help.
> I want to send more than one IP-Pool-Definition to my ascend box.
> Freeradius sends only one of them.
>
> users-file:
> "pools-Moritz" Auth-Type := Local, User-Password =="secret"
>         Service-Type = Dialout-Framed-User,
>         Ascend-IP-Pool-Definition = "1 111.111.100.129 70",
>         Ascend-IP-Pool-Definition = "2 111.111.101.0 32"

Use += for your operator
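The operator behaviour behind this answer, as an added example that is not part of the original thread or of FreeRADIUS itself: a small Python model of how users-file reply items are merged, following the operator rules documented in the users(5) man page (`=` adds only if no attribute of that name is already in the reply, `:=` replaces, `+=` appends). The entry text is constructed from the post above, the function names are hypothetical, and the "number, first address, count" reading of a pool definition is an assumption taken from the examples in this thread.

```python
import ipaddress
import re

# One reply-item line: Attribute OP Value, with an optional trailing comma.
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(\+=|:=|=)\s*(.+?)\s*,?\s*$')

# Constructed from the users-file entry quoted in the thread.
ENTRY_AS_POSTED = "\n".join([
    '"pools-Moritz" Auth-Type := Local, User-Password == "secret"',
    '\tService-Type = Dialout-Framed-User,',
    '\tAscend-IP-Pool-Definition = "1 111.111.100.129 70",',
    '\tAscend-IP-Pool-Definition = "2 111.111.101.0 32"',
])
# Same entry with the operator changed as the reply suggests.
ENTRY_WITH_PLUS_EQ = ENTRY_AS_POSTED.replace(
    "Ascend-IP-Pool-Definition =", "Ascend-IP-Pool-Definition +=")


def parse_reply_items(entry_text):
    """Return [(attr, op, value)] for the indented reply lines of one entry."""
    items = []
    for line in entry_text.splitlines()[1:]:   # line 0: user name + check items
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            raise ValueError("unparseable reply item: %r" % line)
        attr, op, value = m.groups()
        items.append((attr, op, value.strip('"')))
    return items


def build_reply(items, reply=None):
    """Merge reply items into a reply list using the users(5) operator rules."""
    reply = list(reply or [])
    for attr, op, value in items:
        present = any(a == attr for a, _ in reply)
        if op == "=":
            if not present:                    # second "=" of the same name is dropped
                reply.append((attr, value))
        elif op == ":=":
            reply = [(a, v) for a, v in reply if a != attr]
            reply.append((attr, value))
        elif op == "+=":
            reply.append((attr, value))        # always appended to the tail
    return reply


def pool_definitions(reply):
    """The Ascend-IP-Pool-Definition values that would reach the NAS."""
    return [v for a, v in reply if a == "Ascend-IP-Pool-Definition"]


def pool_range(definition):
    """Expand 'num first_ip count' into (num, first_ip, last_ip)."""
    num, first, count = definition.split()
    start = ipaddress.IPv4Address(first)
    return int(num), str(start), str(start + int(count) - 1)


if __name__ == "__main__":
    for label, entry in (("as posted", ENTRY_AS_POSTED), ("with +=", ENTRY_WITH_PLUS_EQ)):
        defs = pool_definitions(build_reply(parse_reply_items(entry)))
        print(label, [pool_range(d) for d in defs])
```
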
freeradius send only one Ascend-IP-Pool-Definition
Hi, please help.
I want to send more than one IP-Pool-Definition to my ascend box.
Freeradius sends only one of them.

users-file:
"pools-Moritz" Auth-Type := Local, User-Password =="secret"
        Service-Type = Dialout-Framed-User,
        Ascend-IP-Pool-Definition = "1 111.111.100.129 70",
        Ascend-IP-Pool-Definition = "2 111.111.101.0 32"

debug mode:
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 34 to 111.111.111.60:1541
        Service-Type = Outbound-User
        Ascend-IP-Pool-Definition = "1 111.111.111.129 70"
Finished request 0

Thanks

--
Hans Bornemann
Universtitaet Dortmund
Hochschulrechenzentrum
August Schmidt Str. 12
44227 Dortmund
Tel. ++49 231 7552132
Fax. ++49 231 7552731
ip-pool problem
I can't set ip-address for user. When I receive Access-Request packet I add to Access-Accept reply field "Framed-IP-Address = 192.168.164.164" but my cisco (ubr7200) ignore it and set ip-address for user from cisco-ip-pool. I try to remove ip-pool on cisco, but in this way user don't create at all. I try to send Access-Accept with and without "Framed-IP-Netmask", "Framed-Protocol", "Service-Type". Authorize and accounting work normal, if forget about manually set ip-address for some users.

I have freeradius 0.8.

rad_recv: Access-Request packet from host 192.168.164.34:1645, id=167, length=170
        NAS-IP-Address = 195.38.164.34
        NAS-Port = 1
        Cisco-NAS-Port = "Virtual-Access1*"
        NAS-Port-Type = Virtual
        User-Name = "kern"
        Acct-Session-Id = "01C7"
        MS-CHAP-Challenge = 0x09090acf9e70a853
        MS-CHAP-Response = 0x540100 ... ecbb4a
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.164.164
...
...
Sending Access-Accept of id 167 to 192.168.164.34:1645
        Framed-MTU = 576
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        MS-CHAP-MPPE-Keys = 0xf03aa0dca9147c4f88a2f3bd8c51e766f90bbd3bcf4ea1e332bb3bf21b7d87cc
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006
        Framed-IP-Netmask = 255.255.255.128
        Framed-IP-Address = 192.168.164.254
...
...
rad_recv: Accounting-Request packet from host 192.168.164.34:1646, id=168, length=114
        NAS-IP-Address = 192.168.164.34
        NAS-Port = 1
        Cisco-NAS-Port = "Virtual-Access1*"
        NAS-Port-Type = Virtual
        User-Name = "kern"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Acct-Session-Id = "01C7"
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.164.164
        Acct-Delay-Time = 0
...
Re: Lease IP-Pool
On Thu, 20 Feb 2003, Emilio Arenas wrote:

> We have problems with the lease in the ip-pool, after two
> hours working, we receiving a message when the user try connect,
> "rlm_ippool: No available ip addresses in pool."
>
> It is possible establish a lease to ip-pool

1. Use the latest ippool version
2. Make sure you are not losing accounting packets.
3. Post your ippool configuration along with your ip space requirements.

>
> Thanks.
>
> Emilio Arenas
> Network Administrator
> Spansurf 2000 S.L.
> email: [EMAIL PROTECTED]
> Telf: +34 952 669 300
> Fax: +34 952 463 955
>
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
Lease IP-Pool
We have problems with the lease in the ip-pool, after two hours working, we receiving a message when the user try connect, “rlm_ippool: No available ip addresses in pool.”

It is possible establish a lease to ip-pool

Thanks.

Emilio Arenas
Network Administrator
Spansurf 2000 S.L.
email: [EMAIL PROTECTED]
Telf: +34 952 669 300
Fax: +34 952 463 955
Re: AS5300, selecting IP pool
Hi Guys,

Evren:

When looking at the cisco radius debug, there is no mention of cisco-avpair (the dictionary is installed). I'm actually using ic-radius, which is almost the same as free radius. It seems as if radius isn't sending this information, or if it is, the cisco box doesn't know about it.

Nader

> You just can't get radius send the required attribute or it sends the
> attribute but the as5300 somehow doesn't care?
> Here is a good example (although this is not actually freeradius)
> http://lists.cistron.nl/pipermail/cistron-radius/2001-July/001555.html
> Evren

On Wed, 8 Jan 2003, Nader Skaros wrote:
>
> Hi Guys,
>
> I'm a bit of a newbie when it comes to access servers, but we have got a cisco as5300 for our dialup customers and also our admin. We would like two different ip-address pools, and securing users access using ACL's.
>
> Would anyone be able to give me a quick rundown on how to do this? I have tried many different ways of doing this and in each case I just can't get free radius to send the Cisco-AVPair attribute over. the nas keeps giving ip's from the default pool
>
> Thanx in advance
> =)
ip pool and netmasks with cisco as5400
I have a cisco as5400 with an ip pool setup for dynamic ip address assignment. For ip address assignment I use a script on the radius server to look up the ip in a file, if there isn't one it assigns 255.255.255.254. Here are the default entries in the users file and the quick and very dirty perl script...

DEFAULT Auth-Type := System
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Netmask = 255.255.252.0,
        Framed-MTU = 1500,
        Service-Type = Framed-User,
        Exec-Program-Wait = "/usr/local/etc/raddb/getip.pl %u",
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

#!/usr/bin/perl
# %u (User-Name) is untrusted input: read the file directly, never via a shell.
use strict; use warnings;
my ($user, $ip) = (defined $ARGV[0] ? $ARGV[0] : '');
if (open(my $fh, '<', '/path/to/somefile')) {
    while (<$fh>) {
        my ($userid, $f2, $pwd, $addr) = split ' ';
        if (defined $userid && $userid eq $user) { $ip = $addr; last }
    }
    close $fh;
}
$ip = "255.255.255.254" unless $ip;   # fallback address when no entry exists
print "Framed-IP-Address = $ip,\n";
exit 0;

===

The correct ip address is being assigned to the client but the netmask is not. The addresses are a subnet of a class B and the mask that gets assigned is always 255.255.0.0 instead of the 255.255.252.0 even though the radius server is sending the correct mask to the as5400.
Here is the radius and ppp debugging output on the cisco:

*Jan 30 00:16:16.671: RADIUS/ENCODE(0075): ask "Username: "
*Jan 30 00:16:16.671: RADIUS/ENCODE(0075): send packet; GET_USER
*Jan 30 00:16:16.791: As1/78 PPP: Treating connection as a callin
*Jan 30 00:16:16.791: As1/78 PPP: Phase is ESTABLISHING, Passive Open
*Jan 30 00:16:16.791: As1/78 LCP: State is Listen
*Jan 30 00:16:16.799: As1/78 LCP: I CONFREQ [Listen] id 1 len 23
*Jan 30 00:16:16.799: As1/78 LCP:ACCM 0x000A (0x0206000A)
*Jan 30 00:16:16.799: As1/78 LCP:MagicNumber 0x1EA24B6F (0x05061EA24B6F)
*Jan 30 00:16:16.799: As1/78 LCP:PFC (0x0702)
*Jan 30 00:16:16.799: As1/78 LCP:ACFC (0x0802)
*Jan 30 00:16:16.799: As1/78 LCP:Callback 6 (0x0D0306)
*Jan 30 00:16:16.799: As1/78 LCP: O CONFREQ [Listen] id 1 len 24
*Jan 30 00:16:16.799: As1/78 LCP:ACCM 0x000A (0x0206000A)
*Jan 30 00:16:16.799: As1/78 LCP:AuthProto PAP (0x0304C023)
*Jan 30 00:16:16.799: As1/78 LCP:MagicNumber 0x9FF19824 (0x05069FF19824)
*Jan 30 00:16:16.799: As1/78 LCP:PFC (0x0702)
*Jan 30 00:16:16.799: As1/78 LCP:ACFC (0x0802)
*Jan 30 00:16:16.799: As1/78 LCP: O CONFREJ [Listen] id 1 len 7
*Jan 30 00:16:16.799: As1/78 LCP:Callback 6 (0x0D0306)
*Jan 30 00:16:16.903: As1/78 LCP: I CONFREQ [REQsent] id 2 len 20
*Jan 30 00:16:16.903: As1/78 LCP:ACCM 0x000A (0x0206000A)
*Jan 30 00:16:16.903: As1/78 LCP:MagicNumber 0x1EA24B6F (0x05061EA24B6F)
*Jan 30 00:16:16.903: As1/78 LCP:PFC (0x0702)
*Jan 30 00:16:16.903: As1/78 LCP:ACFC (0x0802)
*Jan 30 00:16:16.903: As1/78 LCP: O CONFACK [REQsent] id 2 len 20
*Jan 30 00:16:16.903: As1/78 LCP:ACCM 0x000A (0x0206000A)
*Jan 30 00:16:16.903: As1/78 LCP:MagicNumber 0x1EA24B6F (0x05061EA24B6F)
*Jan 30 00:16:16.903: As1/78 LCP:PFC (0x0702)
*Jan 30 00:16:16.903: As1/78 LCP:ACFC (0x0802)
*Jan 30 00:16:18.795: As1/78 LCP: TIMEout: State ACKsent
*Jan 30 00:16:18.795: As1/78 LCP: O CONFREQ [ACKsent] id 2 len 24
*Jan 30 00:16:18.795: As1/78 LCP:ACCM 0x000A (0x0206000A)
*Jan 30 00:16:18.795: As1/78 LCP:AuthProto PAP (0x0304C023)
*Jan 30 00:16:18.795: As1/78 LCP:MagicNumber 0x9FF19824 (0x05069FF19824)
*Jan 30 00:16:18.795: As1/78 LCP:PFC (0x0702)
*Jan 30 00:16:18.795: As1/78 LCP:ACFC (0x0802)
*Jan 30 00:16:18.883: As1/78 LCP: I CONFACK [ACKsent] id 2 len 24
*Jan 30 00:16:18.883: As1/78 LCP:ACCM 0x000A (0x0206000A)
*Jan 30 00:16:18.883: As1/78 LCP:AuthProto PAP (0x0304C023)
*Jan 30 00:16:18.883: As1/78 LCP:MagicNumber 0x9FF19824 (0x05069FF19824)
*Jan 30 00:16:18.883: As1/78 LCP:PFC (0x0702)
*Jan 30 00:16:18.883: As1/78 LCP:ACFC (0x0802)
*Jan 30 00:16:18.883: As1/78 LCP: State is Open
*Jan 30 00:16:18.883: As1/78 PPP: Phase is AUTHENTICATING, by this end
*Jan 30 00:16:18.895: As1/78 PAP: I AUTH-REQ id 1 len 19 from "iptest"
*Jan 30 00:16:18.895: As1/78 PAP: Authenticating peer iptest
*Jan 30 00:16:18.895: As1/78 PPP: Phase is FORWARDING, Attempting Forward
*Jan 30 00:16:18.895: As1/78 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Jan 30 00:16:18.895: RADIUS/ENCODE: Attribute has no value set for AAA attribute clid
*Jan 30 00:16:18.895: RADIUS: AAA Unsupported [91] 21
*Jan 30 00:16:18.895: RADIUS: 41 73 79 6E 63 31 2F 37 38 2A 53 65 72 69 61 6C [Async1/78*Serial]
*Jan 30 00:16:18.895: RADIUS: 37 2F 31 [7/1]
*Jan 30 00:16:18.895: RADIUS/ENCODE(0075): Unsupported AAA attribute parent-interface
*Jan 30 00:16:18.895: RADIUS/ENCODE(0075): Unsupported AAA attribute parent-interface-type
*Jan 30 00:16:18.895: RADIUS/ENCODE(0075): acc
Re: AS5300, selecting IP pool
You just can't get radius send the required attribute or it sends the attribute but the as5300 somehow doesn't care?

Here is a good example (although this is not actually freeradius)
http://lists.cistron.nl/pipermail/cistron-radius/2001-July/001555.html

Evren

On Wed, 8 Jan 2003, Nader Skaros wrote:
>
> Hi Guys,
>
> I'm a bit of a newbie when it comes to access servers, but we have got a cisco as5300 for our dialup customers and also our admin. We would like two different ip-address pools, and securing users access using ACL's.
>
> Would anyone be able to give me a quick rundown on how to do this? I have tried many different ways of doing this and in each case I just can't get free radius to send the Cisco-AVPair attribute over. the nas keeps giving ip's from the default pool
>
> Thanx in advance
> =)
>
>
> MyVoice http://www.myvoiceonline.net
Re: Sql version of IP pool
Would it work with two (or n) radius servers and only one IP database?
If so, PLEASE let me use it.

Thanks

Guillermo

Allister Maguire wrote:

>Hello,
>
>We have been working on a sql version of the ip pool module for our own
>use, a little more testing and it will be done.
>
>Would anyone else be interested in using it?
>
>Regards
>Allister P Maguire
Re: Sql version of IP pool
YES!!

- Original Message -
From: "Allister Maguire" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 11, 2002 4:49 PM
Subject: Sql version of IP pool

Hello,

We have been working on a sql version of the ip pool module for our own use, a little more testing and it will be done.

Would anyone else be interested in using it?

Regards
Allister P Maguire
Sql version of IP pool
Hello,

We have been working on a sql version of the ip pool module for our own use, a little more testing and it will be done.

Would anyone else be interested in using it?

Regards
Allister P Maguire
Re: IP pool problem, please help
On Thu, 10 Oct 2002, Andrew Kelaidis wrote:

> I have installed the freeRADIUS server and I'm using the rlm_ippool module.
> Everything works fine until one account-stop packet had been lost. The user
> was log out but the dialup admin interface shows him as online and active in
> finger page. I remove the correct record from the radacct table so the user
> went offline. The problem is that the server had assigned him an ip address
> and when the user is trying to login again, the following error message
> appears:
> "The server did not assign an IP Address, error 738"
>
> I know that the ippool module keeps two files (not text files) with
> information about used IP addresses. I think that the "stacked" user can't
> login because the server has already assign him an ipaddress. Is there any
> ways to solve this problem? Please help...
>
> Andrew Kelaidis

I am not sure that is the problem. The ippool module uses the nas/port combination as the key not the username. If you login in the same nas/port the module will deallocate the corresponding IP. You could run your server in debug mode and watch the output when the user logs in. That should help you find the problem.

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
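A simplified model of the behaviour described in this reply, added here as an example and not taken from rlm_ippool or from the thread: leases are keyed on the NAS/port pair, a lost Accounting-Stop leaves the lease in place, and a new login on the same NAS/port reclaims it. The class, method names, addresses and sessions are constructed for illustration; `stale_leases` is the kind of cross-check against the active session list (for instance what radwho reports) that exposes leaked addresses before the pool runs dry.

```python
import ipaddress


class PoolModel:
    """Toy address pool keyed on (nas_ip, nas_port), not on the user name."""

    def __init__(self, range_start, range_stop):
        first = int(ipaddress.IPv4Address(range_start))
        last = int(ipaddress.IPv4Address(range_stop))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]
        self.leases = {}                       # (nas_ip, nas_port) -> ip

    def allocate(self, nas_ip, nas_port):
        """Access-Accept path: hand out an address for this NAS/port."""
        # A login on a NAS/port that still holds a lease means the earlier
        # session on that port is gone, so its address is freed first.
        self.release(nas_ip, nas_port)
        if not self.free:
            return None                        # "No available ip addresses in pool"
        ip = self.free.pop(0)
        self.leases[(nas_ip, nas_port)] = ip
        return ip

    def release(self, nas_ip, nas_port):
        """Accounting-Stop path: return the lease for this NAS/port, if any."""
        ip = self.leases.pop((nas_ip, nas_port), None)
        if ip is not None:
            self.free.append(ip)
        return ip

    def stale_leases(self, active_sessions):
        """Leases whose NAS/port does not appear in the active session list."""
        active = set(active_sessions)
        return {key: ip for key, ip in self.leases.items() if key not in active}


def simulate_lost_stop():
    """Constructed scenario: three ports dial in, one Accounting-Stop is lost."""
    pool = PoolModel("10.0.0.1", "10.0.0.3")   # constructed three-address pool
    nas = "192.0.2.10"                         # constructed NAS address
    for port in (1, 2, 3):
        pool.allocate(nas, port)
    # Ports 1 and 2 hang up, but only the stop for port 1 reaches the server.
    pool.release(nas, 1)
    stale = pool.stale_leases([(nas, 3)])      # only port 3 is really online
    next_ok = pool.allocate(nas, 4)            # takes the address port 1 returned
    exhausted = pool.allocate(nas, 5)          # fails although one lease is stale
    reclaimed = pool.allocate(nas, 2)          # same NAS/port: stale lease reused
    return stale, next_ok, exhausted, reclaimed


if __name__ == "__main__":
    print(simulate_lost_stop())
```
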
Re: IP pool problem, please help
Can someone please post a copy of the output from radiusd -X when a simultaneous login is detected, and freeradius runs the checkrad prog ..

thx ...

Tim Fraser
*
Relax Internet
Internet Service Provider (dial-up & ADSL) / Web Hosting
www.relax.com.au
*
IP pool problem, please help
I have installed the freeRADIUS server and I'm using the rlm_ippool module. Everything works fine until one account-stop packet had been lost. The user was log out but the dialup admin interface shows him as online and active in finger page. I remove the correct record from the radacct table so the user went offline. The problem is that the server had assigned him an ip address and when the user is trying to login again, the following error message appears:

"The server did not assign an IP Address, error 738"

I know that the ippool module keeps two files (not text files) with information about used IP addresses. I think that the "stacked" user can't login because the server has already assign him an ipaddress. Is there any ways to solve this problem? Please help...

Andrew Kelaidis
ip pool assignment for AS5300
Hi

How can user "abc"'s IP be assigned from radius instead of from AS5300

User profile for user "abc":

abc     Auth-Type := Local, Password == "abc"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.59.192,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500

and AS5300 configuration:

aaa authentication login default radius
aaa authentication ppp default radius
aaa authorization exec default if-authenticated radius
aaa authorization network default if-authenticated radius
aaa accounting update newinfo
aaa accounting exec default start-stop radius
aaa accounting network default wait-start radius
...
interface Group-Async1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 encapsulation ppp
 async default routing
 async mode interactive
 no peer default ip address
 no cdp enable
 ppp authentication pap
 group-range 1 30

Regards
K
Re: Cisco Ip Pool from LDAP
I agree it sounds crazy!!

We will try, thanks a lot

___
Gustavo A. Lozano
Noldata CTO

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones.
Albert Einstein

On Fri, 6 Sep 2002, Kostas Kalevras wrote:

> On Fri, 6 Sep 2002 [EMAIL PROTECTED] wrote:
>
> > What we want is to Assign the Pool from Ldap.
> > The cisco has 3 pools configured with 3 different names.
> >
> > We want radius to tell the cisco to assign the ip address from
> > determined pool to the users.
> >
> >
> > Radius is authenticating everything well and sending the String
> > CiscoAssigngIpPool as attribute 208, but the cisco says Authorization
> > failed.
> >
> > If we remove the attribute ciscoAssignIpPool then it works.
> >
> > Regards
> >
> > Gustavo
>
> We are using cisco av pair for the same job:
> Cisco-AVPair := "ip:addr-pool=dialin_pool"
>
> We had the same problem and we got the following really crazy solution from
> cisco:
>
> Remove Framed-IP-Address = 255.255.255.254 from the reply packet. So try
> removing the framed-ip-address attribute from your access-accept. Maybe this
> will solve your problem.
>
> --
> Kostas Kalevras         Network Operations Center
> [EMAIL PROTECTED]       National Technical University of Athens, Greece
> Work Phone:             +30 10 7721861
> 'Go back to the shadow' Gandalf
Re: Cisco Ip Pool from LDAP
On Fri, 6 Sep 2002 [EMAIL PROTECTED] wrote:

> What we want is to Assign the Pool from Ldap.
> The cisco has 3 pools configured with 3 different names.
>
> We want radius to tell the cisco to assign the ip address from
> determined pool to the users.
>
>
> Radius is authenticating everything well and sending the String
> CiscoAssigngIpPool as attribute 208, but the cisco says Authorization
> failed.
>
> If we remove the attribute ciscoAssignIpPool then it works.
>
> Regards
>
> Gustavo

We are using cisco av pair for the same job:
Cisco-AVPair := "ip:addr-pool=dialin_pool"

We had the same problem and we got the following really crazy solution from cisco:

Remove Framed-IP-Address = 255.255.255.254 from the reply packet. So try removing the framed-ip-address attribute from your access-accept. Maybe this will solve your problem.

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 10 7721861
'Go back to the shadow' Gandalf
Re: Cisco Ip Pool from LDAP
What we want is to Assign the Pool from Ldap.
The cisco has 3 pools configured with 3 different names.

We want radius to tell the cisco to assign the ip address from determinated pool to the users.

Radius is authenticating everything well and sending the String CiscoAssigngIpPool as attribute 208, but the cisco says Authorization failed.

If we remove the attribute ciscoAssignIpPool then it works.

Regards

Gustavo

___
Gustavo A. Lozano
Noldata
CTO

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones.
Albert Einstein

On Fri, 6 Sep 2002, Kostas Kalevras wrote:

> On 5 Sep 2002, Gustavo Lozano wrote:
>
> > Hello
> >
> > I want to know if something has managed to obtain the CiscoAssignIpPool
> > from LDAP
> >
> > Don't know why I can't get it working, but seems something with the AV
> > Pairs stuff.
> >
> > Regards
> >
> > Gustavo
>
> You really don't provide enough information. What is CiscoAssignIpPool?
> Have you added it in the ldap schema and in ldap.attrmap or do you add it
> as a generic item? Can you post an entry that contains it? What output do you
> get when you run the server in debug mode (radiusd -X)?
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone:              +30 10 7721861
> 'Go back to the shadow'  Gandalf
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco Ip Pool from LDAP
On 5 Sep 2002, Gustavo Lozano wrote:

> Hello
>
> I want to know if something has managed to obtain the CiscoAssignIpPool
> from LDAP
>
> Don't know why I can't get it working, but seems something with the AV
> Pairs stuff.
>
> Regards
>
> Gustavo

You really don't provide enough information. What is CiscoAssignIpPool?
Have you added it in the ldap schema and in ldap.attrmap or do you add it
as a generic item? Can you post an entry that contains it? What output do you
get when you run the server in debug mode (radiusd -X)?

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cisco Ip Pool from LDAP
Hello I want to know if something has managed to obtain the CiscoAssignIpPool from LDAP Dont know why I cant get it working, but seems something with the AV Pairs stuff. Regards Gustavo - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ip pool
On Thu, 22 Aug 2002, [iso-8859-1] ho k wrote:

> Hi
>
> The connection is still failed after changing the
> order in radiusd.conf and debug output as:
>
> DEFAULT NAS-IP-Address == 192.168.59.244, Auth-Type :=
> Accept, Pool-Name = "RAS"
>         Service-Type = Framed-User,
>         Framed-MTU = 1500,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP

Try changing Pool-Name = "RAS" to Pool-Name := "RAS"

>
> but there is no problem of the connection for change
> the config to:
>
> DEFAULT Auth-Type := Accept
>         Service-Type = Framed-User,
>         Framed-IP-Address = 192.168.59.192+,
>         Framed-MTU = 1500,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> Another question that may it work for this entry in
> "users" config:
> DEFAULT NAS-IP-Address == 192.168.59.244, Auth-Type :=
> System, Pool-Name = "RAS_1"
>         Service-Type = Framed-User,
>         Framed-MTU = 1500,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT NAS-IP-Address == 192.168.59.245, Auth-Type :=
> System, Pool-Name = "RAS_2"
>         Service-Type = Framed-User,
>         Framed-MTU = 1500,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> when I have two RAS which ip 192.168.59.244 and
> 192.168.59.255 are. They would assign separate ip
> range to two group of dialup users
>
> k

If you create two ippool instances named RAS_1 and RAS_2 you shouldn't have
any problems.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: IP Pool Question
Thanks for the reply. However after modifying the pool range, I changed the users file as following:

Normaluser Auth-Type :=local, password =="y"
        Service-type = framed,
        Framed-protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Fall-Through = Yes,
        session-timeout = 1800

With this configuration I tried two PCs simultaneously and all the time I kept on getting IP x.x.x.254 on both PCs. According to the write up users should have been assigned different IP from the pool defined in Cisco 5300.

Any clue?

Thanks

Rakesh

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kostas Kalevras
Sent: Wednesday, August 21, 2002 3:10 PM
To: '[EMAIL PROTECTED]'
Subject: Re: IP Pool Question

On Wed, 21 Aug 2002, rakesh jha wrote:

> Hello Radius Gurus,
>
> I need your help. I have just downloaded and installed freeradius 7 with
> rlm_ippool. I have following situation:
> We have defined an ip pool on Cisco 5300 from x.x.x.195 to x.x.x.254 with
> mask 255.255.255.192.
> We want IP from x.x.x.195 to x.x.x.214 statically to the privilege dial-in
> users and IP from x.x.x.215 to x.x.x.254 dynamically to other normal users.
> For normal users duplicate users ID is allowed.

Why not just define an IP pool in the 5300 from x.x.x.215 to x.x.x.254 and just
add a reply item of Framed-IP-Address = 255.255.255.254 in the normal user
entries. There's no real reason in using the ippool module. If you have more
than one IP pools in your 5300 you could also send back a cisco avpair like
this:

Cisco-AVPair := "ip:addr-pool=my_pool_name"

Hope it helps

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf

>
> To achieve this I am doing following.
>
> 1. In radiusd.conf I have added following:
> usercollide = yes
> compat = cistron
>
> Ippool {
> Range-start = x.x.x.215
> Range-stop = x.x.x.254
> Netmask = 255.255.255.192
> Cache-size = 800
> Session-db = ${raddbdir}/db.ippool
> Ip-index = ${raddbdir}/db.ip-index
> }
>
> 2. In users file I have added following:
>
> Privilegeuser Auth-Type :=local, passwoed =="x"
> Framed-IP-Address = x.x.x.195
> Framed-IP-netmask = 255.255.255.255
> Fall-through = yes
>
> Normaluser Auth-Type :=local, passwoed
> =="y"
> Service-type = framed
> Framed-protocol = PPP
> Session-timeout =1800
>
> The whole idea is that mormaluser should get IP starting from x.x.x.215 till
> x.x.x.254 only and after that which ever is unused in range from 215 - 254.
> In my existing RADIUS server for normal users I have configured
> Framed-IP-Address = x.x.x.215+ and user may get IP beyond our subnet.
>
> Seeing the configuration, please confirm following:
>
> 1 Will this work OK
> 2. The normaluser will get IP from range x.x.x.215 - x.x.x.254
>
> Thanks
>
> Rakesh Jha
> Kuwait
>
> ---
> Disclaimer:
> Any non official business related views, opinions or other information
> presented in this electronic mail are solely those of the sender/author.
> Burgan Bank does not endorse or accept responsibility for these opinions,
> views or conclusion.
> If you are not the addressee indicated in this electronic mail or
> responsible for delivering this electronic message to the intended
> recipient, you should delete this message and notify the sender
> immediately.
>
> Burgan Bank
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

If you are not the addressee indicated in this electronic mail or responsible for delivering this electronic message to the intended recipient, you should delete this message and notify the sender immediately.
Re: ip pool
Hi The connection is still failed after changing the order in radiusd.conf and debug output as: Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded IPPOOL ippool: session-db = "/usr/local/etc/raddb/db.ippool" ippool: ip-index = "/usr/local/etc/raddb/db.ipindex" ippool: range-start = 192.168.59.193 IP address [192.168.59.193] ippool: range-stop = 192.168.59.195 IP address [192.168.59.195] ippool: netmask = 255.255.255.0 IP address [255.255.255.0] ippool: cache-size = 3 Module: Instantiated ippool (RAS) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp. Ready to process requests. 
rad_recv: Access-Request packet from host 192.168.59.244:1093, id=58, length=73 User-Name = "noki" User-Password = "\3713\363tW\257\223^g%\0261A\254\211" NAS-Port = 0 Framed-Protocol = PPP NAS-Identifier = "AUD_AGENT" NAS-Port-Type = Async modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok rlm_realm: Looking up realm NULL for User-Name = "noki" rlm_realm: No such realm NULL modcall[authorize]: module "suffix" returns noop users: Matched DEFAULT at 185 users: Matched DEFAULT at 211 users: Matched DEFAULT at 223 modcall[authorize]: module "files" returns ok modcall[authorize]: module "RAS" returns noop modcall: group authorize returns ok rad_check_password: Found Auth-Type System auth: type "System" modcall: entering group authenticate modcall[authenticate]: module "unix" returns notfound modcall: group authenticate returns notfound auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 58 to 192.168.59.244:1093 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 58 with timestamp 3d645b5f Nothing to do. Sleeping until we see a request. Here is the context of radiusd.conf: module { pam {... } unix {... } eap {... } ... 
(different modules in here) ippool RAS { range-start = 192.168.59.193 range-stop = 192.168.59.195 netmask = 255.255.255.0 cache-size = 3 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex } } authorize { preprocess eap suffix files RAS } authenticate { unix } accounting { detail # counter unix RAS radutmp } and context of "users": DEFAULT NAS-IP-Address == 192.168.59.244, Auth-Type := Accept, Pool-Name = "RAS" Service-Type = Framed-User, Framed-MTU = 1500, Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP but there is no problem of the connection for change the config to: DEFAULT Auth-Type := Accept Service-Type = Framed-User, Framed-IP-Address = 192.168.59.192+, Framed-MTU = 1500, Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP Another question that may it work for this entry in "users" config: DEFAULT NAS-IP-Address == 192.168.59.244, Auth-Type := System, Pool-Name = "RAS_1" Service-Type = Framed-User, Framed-MTU = 1500, Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT NAS-IP-Address == 192.168.59.245, Auth-Type := System, Pool-Name = "RAS_2" Service-Type = Framed-User, Framed-MTU = 1500, Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP when I have two RAS which ip 192.168.59.244 and 192.168.59.255 are. They would assign separate ip range to two group of dialup users k --- Kostas Kalevras <[EMAIL PROTECTED]> wrote: > On Wed, 21 Aug 2002, [iso-8859-1] ho k wrote: > > > Dear All > > > > Can you point out the mistake about ip assignment > from > > radius side. Parts of radiusd.conf are as follows: > > > > > > authorize { > > preprocess > > suffix > > files
Re: ip pool
On Wed, 21 Aug 2002, [iso-8859-1] ho k wrote:

> Dear All
>
> Can you point out the mistake about ip assignment from
> radius side. Parts of radiusd.conf are as follows:
>
> authorize {
>         preprocess
>         suffix
>         files
>         RAS
>         ippool RAS {
>                 range-start = 192.168.59.193
>                 range-stop = 192.168.59.195
>                 netmask = 255.255.255.0
>                 cache-size = 3
>                 session-db = ${raddbdir}/db.ippool
>                 ip-index = ${raddbdir}/db.ipindex
>         }
> }
>
> and failure connection output as:
> rad_recv: Access-Request packet from host
> 192.168.59.244:1083, id=49, lengt
> h=71
>         User-Name = "bb"
>         User-Password =
> "\323\317\322\267\272\330\014t\365\223\337\004i\022
> \273"
>         NAS-Port = 0
>         Framed-Protocol = PPP
>         NAS-Identifier = "AUD_AGENT"
>         NAS-Port-Type = Async
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "RAS" returns noop
>     rlm_realm: Looking up realm NULL for User-Name =
> "bb"
>     rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
>     users: Matched DEFAULT at 171
>     users: Matched DEFAULT at 197
>     users: Matched DEFAULT at 209
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok

From the modcall[authorize] messages it seems that your authorize section is

authorize{
        preprocess
        RAS
        suffix
        files
}

whilst it should be

authorize{
        preprocess
        suffix
        files
        RAS
}

>
> and the "users" file as:
>
> DEFAULT NAS-IP-Address == 192.168.59.244, Auth-Type :=
> Accept, Pool-Name = "RAS"

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ip pool
Dear All Can you point out the mistake about ip assignment from radius side. Parts of radiusd.conf are as follows: authorize { preprocess suffix files RAS ippool RAS { range-start = 192.168.59.193 range-stop = 192.168.59.195 netmask = 255.255.255.0 cache-size = 3 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex } } accounting { # acct_unique detail # counter unix RAS ippool RAS { range-start = 192.168.59.193 range-stop = 192.168.59.195 netmask = 255.255.255.0 cache-size = 3 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex } radutmp # sradutmp and the debug output as: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no read_config_files: reading dictionary read_config_files: reading clients read_config_files: reading realms read_config_files: reading naslist main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 security: max_attributes = 200 security: reject_delay = 1 main: debug_level = 0 
read_config_files: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded System unix: cache = yes unix: passwd = "/etc/passwd" unix: shadow = "/etc/shadow" unix: group = "/etc/group" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 HASH: Reinitializing hash structures and lists for caching... HASH: user root found in hashtable bucket 11726 HASH: user daemon found in hashtable bucket 11668 HASH: user bin found in hashtable bucket 86651 HASH: user sys found in hashtable bucket 64201 HASH: user adm found in hashtable bucket 26466 HASH: user lp found in hashtable bucket 54068 HASH: user uucp found in hashtable bucket 38541 HASH: user nuucp found in hashtable bucket 74587 HASH: user listen found in hashtable bucket 49327 HASH: user nobody found in hashtable bucket 99723 HASH: user noaccess found in hashtable bucket 80609 HASH: user nobody4 found in hashtable bucket 84789 HASH: user bbuser found in hashtable bucket 55147 HASH: user log found in hashtable bucket 40576 HASH: user mysql found in hashtable bucket 46314 HASH: user nokia found in hashtable bucket 87202 HASH: Stored 16 entries from /etc/passwd HASH: Stored 19 entries from /etc/group Module: Instantiated unix (unix) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: compat = "no" Module: Instantiated files (files) ERROR: Cannot find a configuration entry for module "RAS". 
# however, when I put the "ippool RAS" section in "module" section of radiusd.conf. the debug out as Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacc
Re: IP Pool Question
On Wed, 21 Aug 2002, rakesh jha wrote:

> Hello Radius Gurus,
>
> I need your help. I have just downloaded and installed freeradius 7 with
> rlm_ippool. I have following situation:
> We have defined an ip pool on Cisco 5300 from x.x.x.195 to x.x.x.254 with
> mask 255.255.255.192.
> We want IP from x.x.x.195 to x.x.x.214 statically to the privilege dial-in
> users and IP from x.x.x.215 to x.x.x.254 dynamically to other normal users.
> For normal users duplicate users ID is allowed.

Why not just define an IP pool in the 5300 from x.x.x.215 to x.x.x.254 and just
add a reply item of Framed-IP-Address = 255.255.255.254 in the normal user
entries. There's no real reason in using the ippool module. If you have more
than one IP pools in your 5300 you could also send back a cisco avpair like
this:

Cisco-AVPair := "ip:addr-pool=my_pool_name"

Hope it helps

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf

>
> To achieve this I am doing following.
>
> 1. In radiusd.conf I have added following:
> usercollide = yes
> compat = cistron
>
> Ippool{
> Range-start = x.x.x.215
> Range-stop = x.x.x.254
> Netmask = 255.255.255.192
> Cache-size = 800
> Session-db = ${raddbdir}/db.ippool
> Ip-index = ${raddbdir}/db.ip-index
> }
>
> 2. In users file I have added following:
>
> Privilegeuser Auth-Type :=local, passwoed =="x"
> Framed-IP-Address = x.x.x.195
> Framed-IP-netmask = 255.255.255.255
> Fall-through = yes
>
> Normaluser Auth-Type :=local, passwoed
> =="y"
> Service-type = framed
> Framed-protocol = PPP
> Session-timeout =1800
>
> The whole idea is that mormaluser should get IP starting from x.x.x.215 till
> x.x.x.254 only and after that which ever is unused in range from 215 - 254.
> In my existing RADIUS server for normal users I have configured
> Framed-IP-Address = x.x.x.215+ and user may get IP beyond our subnet.
>
> Seeing the configuration, please confirm following:
>
> 1 Will this work OK
> 2. The normaluser will get IP from range x.x.x.215 - x.x.x.254
>
> Thanks
>
> Rakesh Jha
> Kuwait
>
> ---
> Disclaimer:
> Any non official business related views, opinions or other information
> presented in this electronic mail are solely those of the sender/author.
> Burgan Bank does not endorse or accept responsibility for these opinions,
> views or conclusion.
> If you are not the addressee indicated in this electronic mail or
> responsible for delivering this electronic message to the intended
> recipient, you should delete this message and notify the sender
> immediately.
>
> Burgan Bank
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
IP Pool Question
Hello Radius Gurus,

I need your help. I have just downloaded and installed freeradius 7 with rlm_ippool. I have following situation:
We have defined an ip pool on Cisco 5300 from x.x.x.195 to x.x.x.254 with mask 255.255.255.192.
We want IP from x.x.x.195 to x.x.x.214 statically to the privilege dial-in users and IP from x.x.x.215 to x.x.x.254 dynamically to other normal users. For normal users duplicate users ID is allowed.

To achieve this I am doing following.

1. In radiusd.conf I have added following:
usercollide = yes
compat = cistron

Ippool {
Range-start = x.x.x.215
Range-stop = x.x.x.254
Netmask = 255.255.255.192
Cache-size = 800
Session-db = ${raddbdir}/db.ippool
Ip-index = ${raddbdir}/db.ip-index
}

2. In users file I have added following:

Privilegeuser Auth-Type :=local, passwoed =="x"
Framed-IP-Address = x.x.x.195
Framed-IP-netmask = 255.255.255.255
Fall-through = yes

Normaluser Auth-Type :=local, passwoed =="y"
Service-type = framed
Framed-protocol = PPP
Session-timeout =1800

The whole idea is that mormaluser should get IP starting from x.x.x.215 till x.x.x.254 only and after that which ever is unused in range from 215 - 254. In my existing RADIUS server for normal users I have configured Framed-IP-Address = x.x.x.215+ and user may get IP beyond our subnet.

Seeing the configuration, please confirm following:

1 Will this work OK
2. The normaluser will get IP from range x.x.x.215 - x.x.x.254

Thanks

Rakesh Jha
Kuwait

Disclaimer:
Any non official business related views, opinions or other information presented in this electronic mail are solely those of the sender/author. Burgan Bank does not endorse or accept responsibility for these opinions, views or conclusion.
If you are not the addressee indicated in this electronic mail or responsible for delivering this electronic message to the intended recipient, you should delete this message and notify the sender immediately.

Burgan Bank
Re: IP Pool questions
I'm having a problem like Li Lin has.
I need that the radius server assign an IP address from a pool (172.25.6.2 /24) to each dial up subscriber, and all the requirements will come from a NAS (There's no LAN behind subscribers). I see that the only IP that the server assigns is the one that I configure in the attribute Framed-IP-Address.
The question is: how do I configure this attribute for the user DEFAULT when I want the server to do that?

The following doesn't work

DEFAULT Auth-Type := Local, User-Password == ""
        Service-Type = Framed-User,
        Framed-IP-Address = 172.25.6.2+,

If I'm wrong, can you explain to me how to do what I want to do?

Thanks
RE: IP Pool questions
Here's an example user named foo:

foo     Auth-Type := System
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 192.168.2.21,
        Framed-Netmask = 255.255.255.252,
        Framed-Route = "192.168.2.20/30 192.168.2.21 1",
        Framed-Compression = Van-Jacobson-TCP-IP,
        Idle-Timeout = 0,
        Framed-MTU = 1500

Note the Framed-Route line. /30 is equivalent to 255.255.255.252
This is just an example, you could use much larger blocks.
The subscriber would configure their equipment to use the IP address 192.168.2.21. 192.168.2.22 would be an IP usable within their LAN. Remote gateway could be available in a larger network specified by a more general netmask for the remote gateway where appropriate.

Alternately, if you wish, you can do this:

foo     Auth-Type := System
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 192.168.2.2,
        Framed-Netmask = 255.255.255.255,
        Framed-Route = "192.168.3.0/28 192.168.2.2 1",
        Framed-Compression = Van-Jacobson-TCP-IP,
        Idle-Timeout = 0,
        Framed-MTU = 1500

This would instead of providing a merged LAN IP block provide a WAN/LAN-style structure, where you could give each dialup device their own single IP and then forward blocks over those single IPs to their LAN. In this example, a /28 (13 usable addresses) is forwarded to this subscriber for use in their LAN, they would have to have two separate interfaces, a WAN interface for 192.168.2.2 and a LAN interface where they define one of the IPs in the 192.168.3.0 block (such as 192.168.3.1).

--
Mark P. Hennessy
[EMAIL PROTECTED]

On Mon, 19 Aug 2002, Li Lin wrote:

> Date: Mon, 19 Aug 2002 17:43:31 -0400
> From: Li Lin <[EMAIL PROTECTED]>
> To: 'Mark Hennessy' <[EMAIL PROTECTED]>
> Cc: Li Lin <[EMAIL PROTECTED]>
> Subject: RE: IP Pool questions
>
> Hi Mark:
>
> Yes, I am trying to set up a block of IPs to be passed to a subscriber.
>
> Thanks
>
> Li Lin
>
> -Original Message-
> From: Mark Hennessy [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 19, 2002 5:48 PM
> To: '[EMAIL PROTECTED]'
> Cc: Li Lin
> Subject: Re: IP Pool questions
>
> Are you trying to set up a block of IPs to be passed to a subscriber, or
> dynamically assign an IP from a pool to a subscriber?
>
> --
> Mark P. Hennessy
> [EMAIL PROTECTED]
>
> On Mon, 19 Aug 2002, Li Lin wrote:
>
> > Date: Mon, 19 Aug 2002 17:38:10 -0400
> > From: Li Lin <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: "'[EMAIL PROTECTED]'"
> > <[EMAIL PROTECTED]>
> > Cc: Li Lin <[EMAIL PROTECTED]>
> > Subject: IP Pool questions
> >
> > Dear Sir/Madam:
> >
> > I have a problem to setup IP pool. (The free radius server only assigns
> one
> > IP address)
> >
> > Could you please tell me:
> >
> > 1. whether freeradius-0.3 supports IP pool or not?
> > 2. any document for IP pool?
> >
> > Thanks
> >
> > Li Lin
> >
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP Pool questions
Are you trying to set up a block of IPs to be passed to a subscriber, or dynamically assign an IP from a pool to a subscriber?

--
Mark P. Hennessy
[EMAIL PROTECTED]

On Mon, 19 Aug 2002, Li Lin wrote:

> Date: Mon, 19 Aug 2002 17:38:10 -0400
> From: Li Lin <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: "'[EMAIL PROTECTED]'"
> <[EMAIL PROTECTED]>
> Cc: Li Lin <[EMAIL PROTECTED]>
> Subject: IP Pool questions
>
> Dear Sir/Madam:
>
> I have a problem to setup IP pool. (The free radius server only assigns one
> IP address)
>
> Could you please tell me:
>
> 1. whether freeradius-0.3 supports IP pool or not?
> 2. any document for IP pool?
>
> Thanks
>
> Li Lin
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
IP Pool questions
Dear Sir/Madam:

I have a problem to setup IP pool. (The free radius server only assigns one IP address)

Could you please tell me:

1. whether freeradius-0.3 supports IP pool or not?
2. any document for IP pool?

Thanks

Li Lin
Re: IP pool
On Fri, 16 Aug 2002, Matias Ezequiel Fabiano wrote:

>
> Thanks, Kostas. That neither doesn't work.
> And I understand that if I put the attribute Pool-Name in the same line of
> the "User Name" (DEFAULT), the radius server will expect a IP Address, and
> I want that the radius server assigns it.

No, that happens if you use the matching operators ('==','!=' etc). If you set
it like this ('=',':=' etc) it gets added as a check item.
Also _remove_ the Framed-IP-Address from the reply items for the ippool module
to work. It will take care of handing out IP addresses.

> Is the attribute Framed-IP-Address correct? Because the server only assigns
> one address: 172.25.6.3, and if a second user tries to connect, the first
> get kicked out.
>
>

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
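The checks suggested in the replies in this thread (ippool instance declared in the modules section, listed after files in authorize, Pool-Name set rather than matched and naming a declared instance, no static Framed-IP-Address next to it), as an added example that is not part of any post and is not FreeRADIUS code. The sample configuration is constructed, the parser only understands the simple layout shown, and the finding codes and function names are made up for this example.

```python
import re

# Constructed inputs modelled on the radiusd.conf and users excerpts quoted in
# the thread; they repeat the mistakes the replies point out.
RADIUSD_CONF = """\
modules {
    ippool RAS {
        range-start = 192.168.59.193
        range-stop = 192.168.59.195
        netmask = 255.255.255.0
        cache-size = 3
    }
}
authorize {
    preprocess
    RAS
    suffix
    files
}
"""

USERS = """\
DEFAULT NAS-IP-Address == 192.168.59.244, Auth-Type := Accept, Pool-Name := "RAS"
    Service-Type = Framed-User,
    Framed-Protocol = PPP

DEFAULT NAS-IP-Address == 192.168.59.245, Auth-Type := Accept, Pool-Name == "RAS_2"
    Service-Type = Framed-User,
    Framed-IP-Address = 192.168.59.192+
"""

# attribute, operator, value (quoted string or bare token)
ITEM = re.compile(r'([\w-]+)\s*(:=|==|!=|\+=|=)\s*("[^"]*"|[^,\s]+)')


def parse_radiusd(conf):
    """Return ({ippool instance: enclosing top-level section}, authorize order)."""
    pools, authorize, stack = {}, [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            header = line[:-1].split()
            if header and header[0] == "ippool":
                # An unnamed "ippool {" block is treated as instance "ippool".
                pools[header[-1]] = stack[0] if stack else None
            stack.append(header[0] if header else "")
        elif line == "}":
            if stack:
                stack.pop()
        elif stack == ["authorize"]:
            authorize.append(line)
    return pools, authorize


def parse_users(text):
    """Split a users file into entries with check items and reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():  # unindented line starts a new entry
            parts = raw.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append({"name": parts[0], "check": ITEM.findall(rest), "reply": []})
        elif entries:  # indented lines are reply items
            entries[-1]["reply"] += ITEM.findall(raw)
    return entries


def lint(conf, users):
    """Apply the checks suggested in the replies; return (code, subject) pairs."""
    pools, authorize = parse_radiusd(conf)
    findings = []
    for name, parent in pools.items():
        if parent != "modules":
            findings.append(("pool-outside-modules", name))
        if name not in authorize:
            findings.append(("pool-not-in-authorize", name))
        elif "files" in authorize and authorize.index(name) < authorize.index("files"):
            findings.append(("pool-before-files", name))
    for number, entry in enumerate(parse_users(users), 1):
        label = f"{entry['name']}#{number}"
        named = [(op, value.strip('"')) for attr, op, value in entry["check"]
                 if attr == "Pool-Name"]
        for op, pool in named:
            if op in ("==", "!="):  # matching operator: compares, does not set
                findings.append(("pool-name-matched-not-set", label))
            if pool not in pools:
                findings.append(("pool-undeclared", pool))
        if named and any(attr == "Framed-IP-Address" for attr, _, _ in entry["reply"]):
            findings.append(("static-address-with-pool", label))
    return findings


if __name__ == "__main__":
    for code, subject in lint(RADIUSD_CONF, USERS):
        print(f"{code}: {subject}")
```

Run against real files by reading them into strings and passing them to `lint`; an empty list means none of the four mistakes discussed here were found.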
Re: IP pool
Thanks, Kostas. That neither doesn't work.
And I understand that if I put the attribute Pool-Name in the same line of the "User Name" (DEFAULT), the radius server will expect a IP Address, and I want that the radius server assigns it.
Is the attribute Framed-IP-Address correct? Because the server only assigns one address: 172.25.6.3, and if a second user tries to connect, the first get kicked out.

Kostas Kalevras <[EMAIL PROTECTED]>@lists.cistron.nl dated 16/08/2002 10:59:29

Please reply to [EMAIL PROTECTED]

Sent by: [EMAIL PROTECTED]

Recipients: [EMAIL PROTECTED]
CC:
Subject: Re: IP pool

On Fri, 16 Aug 2002, Matias Ezequiel Fabiano wrote:

>
> OK, the error in the Service-Type was corrected. But still doesn't work. My
> users file is configured as follows, and I
> need that the radius server assigns the IP address from the pool 172.25.6.0 / 24. What is missing or wrong?
>
> DEFAULT Auth-Type := Local, User-Password == ""
>         Service-Type = Framed-User,
>         Framed-IP-Address = 172.25.6.2+
>
> Thanks

Please read again my previous email. I wrote:

> > DEFAULT Auth-Type := Local, User-Password == "", Pool-Name = "clientes"
^^
> > Also the Service-Type assignment is wrong. Try reading 'man 5 users'

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP pool
On Fri, 16 Aug 2002, Matias Ezequiel Fabiano wrote:

>
> OK, the error in the Service-Type was corrected. But still doesn't work. My
> users file is configured as follows, and I
> need that the radius server assigns the IP address from the pool 172.25.6.0 / 24.
> What is missing or wrong?
>
> DEFAULT Auth-Type := Local, User-Password == ""
>         Service-Type = Framed-User,
>         Framed-IP-Address = 172.25.6.2+
>
> Thanks

Please read again my previous email. I wrote:

> > DEFAULT Auth-Type := Local, User-Password == "", Pool-Name = "clientes"
^^
> > Also the Service-Type assignment is wrong. Try reading 'man 5 users'

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP pool
OK, the error in the Service-Type was corrected. But still doesn't work. My users file is configured as follows, and I need that the radius server assigns the IP address from the pool 172.25.6.0 / 24. What is missing or wrong?

DEFAULT Auth-Type := Local, User-Password == ""
        Service-Type = Framed-User,
        Framed-IP-Address = 172.25.6.2+

Thanks

Kostas Kalevras <[EMAIL PROTECTED]>@lists.cistron.nl dated 16/08/2002 00:24:35

Please reply to [EMAIL PROTECTED]

Sent by: [EMAIL PROTECTED]

Recipients: [EMAIL PROTECTED]
CC:
Subject: Re: IP pool

On Thu, 15 Aug 2002, Matias Ezequiel Fabiano wrote:

>
> Hello everybody,
>
> Alan, thanks for the answers.
> I have configured this, but still not work:
>
> * radius.conf
>
> ippool cientes {
>         range-start = 172.25.6.2
>         range-stop = 172.25.6.255
>         netmask = 255.255.255.0
>         cache-size = 800
>         session-db = ${raddbdir}/db.ippool
>         ip-index = ${raddbdir}/db.ipindex
> }
>
> * users
>
> DEFAULT Auth-Type := Local, User-Password == ""
>         Service-Type == Framed-User,
>         Pool-Name = "clientes",
>
> Is it OK? Because I still have the same problem.
> If it's wrong, please tell me how to configure an ip pool for the users.
>
> Thanks a lot
>
> Matias

Try

DEFAULT Auth-Type := Local, User-Password == "", Pool-Name = "clientes"

Also the Service-Type assignment is wrong. Try reading 'man 5 users'

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP pool
On Thu, 15 Aug 2002, Matias Ezequiel Fabiano wrote: > > Hello everybody, > > Alan, thanks for the answers. > I have configured this, but still not work: > > * radius.conf > > ippool cientes { > range-start = 172.25.6.2 > range-stop = 172.25.6.255 > netmask = 255.255.255.0 > cache-size = 800 > session-db = ${raddbdir}/db.ippool > ip-index = ${raddbdir}/db.ipindex > } > > * users > > DEFAULT Auth-Type := Local, User-Password == "" > Service-Type == Framed-User, > Pool-Name = "clientes", > > Is it OK? Because I still have the same problem. > If it's wrong, please tell me how to configure an ip pool for the users. > > Thanks a lot > > Matias Try DEFAULT Auth-Type := Local, User-Password == "", Pool-Name = "clientes" Also the Service-Type assignment is wrong. Try reading 'man 5 users' -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP pool
Hello everybody, Alan, thanks for the answers. I have configured this, but still not work: * radius.conf ippool cientes { range-start = 172.25.6.2 range-stop = 172.25.6.255 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex } * users DEFAULT Auth-Type := Local, User-Password == "" Service-Type == Framed-User, Pool-Name = "clientes", Is it OK? Because I still have the same problem. If it's wrong, please tell me how to configure an ip pool for the users. Thanks a lot Matias "Alan DeKok" <[EMAIL PROTECTED]>@lists.cistron.nl on 15/08/2002 11:20:41 Please respond to [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] To: [EMAIL PROTECTED] CC: Subject: Re: IP pool "Matias Ezequiel Fabiano" <[EMAIL PROTECTED]> wrote: > When I start the radius daemon and users try to authenticate, the > server only assigns one IP address (172.25.6.3), and therefore > only one user can use the service at the same time. The users > file looks like this: > DEFAULT Auth-Type := Local, User-Password == "adgj" > Service-Type == Framed-User, > Framed-IP-Address = 172.25.6.2+, That's not an IP pool. It adds the NAS-Port to the IP address. > Is the IP pool well defined? Thanks for the answers See the 'ippool' module, in radiusd.conf. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP pool
"Matias Ezequiel Fabiano" <[EMAIL PROTECTED]> wrote: > When I start the radius daemon and users try to authenticate, the > server only assigns one IP address (172.25.6.3), and therefore > only one user can use the service at the same time. The users > file looks like this: > DEFAULT Auth-Type := Local, User-Password == "adgj" > Service-Type == Framed-User, > Framed-IP-Address = 172.25.6.2+, That's not an IP pool. It adds the NAS-Port to the IP address. > Is the IP pool well defined? Thanks for the answers See the 'ippool' module, in radiusd.conf. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
IP pool
Hello, When I start the radius daemon and users try to authenticate, the server only assigns one IP address (172.25.6.3), and therefore only one user can use the service at the same time. The users file looks like this: DEFAULT Auth-Type := Local, User-Password == "adgj" Service-Type == Framed-User, Framed-IP-Address = 172.25.6.2+, Is the IP pool well defined? Thanks for the answers
Re: ip pool again
On Wed, 14 Aug 2002, Guillermo Schimmel wrote: > Yes, it seems like I have several errors. Now it's working. > > Now, I have read that you can use the Pool-Name attribute to select one > IP Address pool, that's why I started trying this. > I have to share a NAS for Internet Access and VPN access and I'm going > to do that by routing and firewalling, assigning different pools based > on some like group. > > So, I define two (or more) pools in radiusd.conf like: > > ippool test1 { ...} > ippool test2 { ...} > ... > ippool testn { ...} > > And I thought that in the authorization section I had to put "ippool", > and it would take the Pool-Name attribute to choose a pool. > But now it seems like I have to put one specific ip pool. > Could you please tell me which is the correct usage of this feature? ippool test1 { ... } ippool test2 { ... } are all instances of the ip pool module. You have to add them all in the authorize and accounting sections in radiusd.conf and use the Pool-Name attribute to select which one will run. > > > Thank you very very much for your help. -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ip pool again
Yes, it seems like I have several errors. Now it's working. Now, I have read that you can use the Pool-Name attribute to select one IP Address pool, that's why I started trying this. I have to share a NAS for Internet Access and VPN access and I'm going to do that by routing and firewalling, assigning different pools based on some like group. So, I define two (or more) pools in radiusd.conf like: ippool test1 { ...} ippool test2 { ...} ... ippool testn { ...} And I thought that in the authorization section I had to put "ippool", and it would take the Pool-Name attribute to choose a pool. But now it seems like I have to put one specific ip pool. Could you please tell me which is the correct usage of this feature? Thank you very very much for your help. Kostas Kalevras wrote: >On Wed, 14 Aug 2002, Guillermo Schimmel wrote: > > > >>Module: Loaded IPPOOL >> ippool: session-db = "/usr/local/etc/raddb/db.ippool" >> ippool: ip-index = "/usr/local/etc/raddb/db.ipindex" >> ippool: range-start = 10.170.201.1 IP address [10.170.201.1] >> ippool: range-stop = 10.170.200.254 IP address [10.170.200.254] >> ippool: netmask = 255.255.255.0 IP address [255.255.255.0] >> ippool: cache-size = 254 >>rlm_ippool: Invalid configuration data given. >>radiusd.conf[330]: prueba: Module instantiation failed. >> >> > >Check your range-start. It should probably read 10.170.200.1. In any case it >should not be an ip number lower than the range-stop. > >-- >Kostas Kalevras Network Operations Center >[EMAIL PROTECTED] National Technical University of Athens, Greece >Work Phone: +30 10 7721861 >'Go back to the shadow' Gandalf > > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ip pool again
On Wed, 14 Aug 2002, Guillermo Schimmel wrote: > Module: Loaded IPPOOL > ippool: session-db = "/usr/local/etc/raddb/db.ippool" > ippool: ip-index = "/usr/local/etc/raddb/db.ipindex" > ippool: range-start = 10.170.201.1 IP address [10.170.201.1] > ippool: range-stop = 10.170.200.254 IP address [10.170.200.254] > ippool: netmask = 255.255.255.0 IP address [255.255.255.0] > ippool: cache-size = 254 > rlm_ippool: Invalid configuration data given. > radiusd.conf[330]: prueba: Module instantiation failed. Check your range-start. It should probably read 10.170.200.1. In any case it should not be an ip number lower than the range-stop. -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
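The checks the replies above keep making by hand (range-start not above range-stop, every ippool instance listed by name in authorize and accounting, Pool-Name selecting an instance that exists, and a trailing "+" on Framed-IP-Address not being a pool) can be run as a small linter. This is an added example, not code from the posts or from FreeRADIUS; lint(), top_level_blocks() and the embedded sample files are constructed for illustration, and the parser assumes the simple block layout quoted in these threads.

```python
import ipaddress
import re

# Constructed sample input, modelled on the snippets quoted in these threads.
RADIUSD_CONF = """
ippool cientes {
    range-start = 172.25.6.2
    range-stop = 172.25.6.255
    netmask = 255.255.255.0
    session-db = ${raddbdir}/db.ippool
}
ippool prueba {
    range-start = 10.170.201.1
    range-stop = 10.170.200.254
    netmask = 255.255.255.0
}
authorize {
    preprocess
    files
    ippool
}
accounting {
    detail
    ippool
}
"""

USERS = """
DEFAULT Auth-Type := Local, User-Password == "", Pool-Name = "clientes"
DEFAULT NAS-IP-Address == "10.169.255.11", Auth-Type := Accept, Pool-Name := "prueba"
DEFAULT Auth-Type := Local, User-Password == "adgj"
        Framed-IP-Address = 172.25.6.2+,
"""


def top_level_blocks(text):
    """Yield (header, body) for each top-level 'header { body }' block.

    Brace depth is tracked so nested groups and ${var} references
    inside a block do not end it early.
    """
    depth, header, start = 0, "", 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header = text[:i].rsplit("\n", 1)[-1].strip()
                start = i + 1
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                yield header, text[start:i]


def lint(conf, users):
    """Return a list of (name, problem) tuples for the two files."""
    findings = []
    pools = {}
    listed = {"authorize": set(), "accounting": set()}
    for header, body in top_level_blocks(re.sub(r"#.*", "", conf)):
        words = header.split()
        if len(words) == 2 and words[0] == "ippool":
            pools[words[1]] = dict(
                re.findall(r"^[ \t]*([\w-]+)[ \t]*=[ \t]*(\S+)", body, re.M))
        elif header in listed:
            # Module names are bare words, optionally opening a sub-block.
            listed[header] = set(
                re.findall(r"^[ \t]*([\w-]+)[ \t]*(?:\{.*)?$", body, re.M))

    for name, cfg in pools.items():
        try:
            start = ipaddress.IPv4Address(cfg["range-start"])
            stop = ipaddress.IPv4Address(cfg["range-stop"])
        except (KeyError, ValueError):
            findings.append((name, "range-start/range-stop missing or invalid"))
        else:
            if start > stop:
                findings.append((name, "range-start is above range-stop"))
        for section, modules in listed.items():
            if name not in modules:
                findings.append((name, f"instance not listed in {section}"))

    for pool in re.findall(r'Pool-Name\s*:?=\s*"([^"]+)"', users):
        if pool not in pools:
            findings.append((pool, "Pool-Name matches no ippool instance"))
    for base in re.findall(r"Framed-IP-Address\s*:?=\s*([\d.]+)\+", users):
        findings.append((base, "'+' means base address plus NAS-Port, not a pool"))
    return findings


if __name__ == "__main__":
    for name, problem in lint(RADIUSD_CONF, USERS):
        print(f"{name}: {problem}")
```
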
Re: ip pool again
Kostas Kalevras wrote: >On Wed, 14 Aug 2002, Guillermo Schimmel wrote: > > > >>authorize { >>preprocess >>files >>ippool >>chap >>group { >> ldap1 { >> fail = 1 >> notfound = 2 >> noop = return >> ok = return >> updated = return >> reject = return >> userlock = return >> invalid = return >> handled = return >>} >> ldap2 { >> fail = 1 >> notfound = 2 >> noop = return >> ok = return >> updated = return >> reject = return >> userlock = return >> invalid = return >> handled = return >>} >>} >>} >> >>accounting { >>acct_unique >>detail >>sql >>ippool >>} >> >> > >Replace ippool with prueba and everything should work ok. > > Now the server doesn't start. It gives the following error: Module: Loaded IPPOOL ippool: session-db = "/usr/local/etc/raddb/db.ippool" ippool: ip-index = "/usr/local/etc/raddb/db.ipindex" ippool: range-start = 10.170.201.1 IP address [10.170.201.1] ippool: range-stop = 10.170.200.254 IP address [10.170.200.254] ippool: netmask = 255.255.255.0 IP address [255.255.255.0] ippool: cache-size = 254 rlm_ippool: Invalid configuration data given. radiusd.conf[330]: prueba: Module instantiation failed. >-- >Kostas KalevrasNetwork Operations Center >[EMAIL PROTECTED] National Technical University of Athens, Greece >Work Phone:+30 10 7721861 >'Go back to the shadow'Gandalf > > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ip pool again
On Wed, 14 Aug 2002, Guillermo Schimmel wrote: > authorize { > preprocess > files > ippool > chap > group { > ldap1 { > fail = 1 > notfound = 2 > noop = return > ok = return > updated = return > reject = return > userlock = return > invalid = return > handled = return > } > ldap2 { > fail = 1 > notfound = 2 > noop = return > ok = return > updated = return > reject = return > userlock = return > invalid = return > handled = return > } > } > } > > accounting { > acct_unique > detail > sql > ippool > } Replace ippool with prueba and everything should work ok. -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ip pool again
Kostas Kalevras wrote: >On Wed, 14 Aug 2002, Guillermo Schimmel wrote: > > > >>Yes, I have done so. >> >>Is this output OK? (The noop part) >> >>modcall: entering group authorize >> modcall[authorize]: module "preprocess" returns ok >> modcall[authorize]: module "files" returns notfound >> modcall[authorize]: module "ippool" returns noop >>rlm_chap: Could not find proper Chap-Password attribute in request >> modcall[authorize]: module "chap" returns noop >>modcall: entering group group >> >>Where else should I look? >> >> > >Please post the authorize and accounting sections of your radiusd.conf > > authorize { preprocess files ippool chap group { ldap1 { fail = 1 notfound = 2 noop = return ok = return updated = return reject = return userlock = return invalid = return handled = return } ldap2 { fail = 1 notfound = 2 noop = return ok = return updated = return reject = return userlock = return invalid = return handled = return } } } accounting { acct_unique detail sql ippool } > > >>Is there any documentation for the ippool module? >> >> > >Apart from the comments in the configuration file, no. > >-- >Kostas KalevrasNetwork Operations Center >[EMAIL PROTECTED] National Technical University of Athens, Greece >Work Phone:+30 10 7721861 >'Go back to the shadow'Gandalf > > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ip pool again
On Wed, 14 Aug 2002, Guillermo Schimmel wrote: > Yes, I have done so. > > Is this output OK? (The noop part) > > modcall: entering group authorize > modcall[authorize]: module "preprocess" returns ok > modcall[authorize]: module "files" returns notfound > modcall[authorize]: module "ippool" returns noop > rlm_chap: Could not find proper Chap-Password attribute in request > modcall[authorize]: module "chap" returns noop > modcall: entering group group > > Where else should I look? Please post the authorize and accounting sections of your radiusd.conf > > Is there any documentation for the ippool module? Apart from the comments in the configuration file, no. -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ip pool again
Kostas Kalevras wrote: >On Tue, 13 Aug 2002, Guillermo Schimmel wrote: > > > >>It still doesn't work. >> >> >> >>>Hi list: >>> >>> I'm starting the tests with the ippool module. >>> >>> I added this line on the users file: >>> >>>DEFAULT NAS-IP-Address == "10.169.255.11", Auth-Type := >>>Accept, Pool-Name := "prueba" >>> >>> And created an IP pool: >>> >>>ippool prueba { >>> range-start = 10.170.200.1 >>> range-stop = 10.170.200.254 >>> netmask = 255.255.255.0 >>> cache-size = 800 >>> session-db = /raddb/db.ippool >>> ip-index = /raddb/db.ipindex >>>} >>> >>> >>> >>I can start the server and it works ok, but it doesn't reply with >>the Framed-IP-Address attribute. >> >> >> >>> What am I doing wrong? >>> >>> I'm sorry if this is ANOTHER stupid question. >>> >>> Thanks a lot for your time. >>> >>> >>>Guillermo >>> >>> > >Have you added the module in the authorize and accounting sections in >radiusd.conf? Make sure also that ippool comes after the files module in the >authorize section. > > Yes, I have done so. Is this output OK? (The noop part) modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok modcall[authorize]: module "files" returns notfound modcall[authorize]: module "ippool" returns noop rlm_chap: Could not find proper Chap-Password attribute in request modcall[authorize]: module "chap" returns noop modcall: entering group group Where else should I look? Is there any documentation for the ippool module? Thanks Guillermo >-- >Kostas KalevrasNetwork Operations Center >[EMAIL PROTECTED] National Technical University of Athens, Greece >Work Phone:+30 10 7721861 >'Go back to the shadow'Gandalf > > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ip pool again
On Tue, 13 Aug 2002, Guillermo Schimmel wrote: > It still doesn't work. > > > > > Hi list: > > > >I'm starting the tests with the ippool module. > > > >I added this line on the users file: > > > > DEFAULT NAS-IP-Address == "10.169.255.11", Auth-Type := > > Accept, Pool-Name := "prueba" > > > >And created an IP pool: > > > > ippool prueba { > >range-start = 10.170.200.1 > >range-stop = 10.170.200.254 > >netmask = 255.255.255.0 > >cache-size = 800 > >session-db = /raddb/db.ippool > >ip-index = /raddb/db.ipindex > > } > > > I can start the server and it works ok, but it doesn't reply with > the Framed-IP-Address attribute. > > >What am I doing wrong? > > > >I'm sorry if this is ANOTHER stupid question. > > > >Thanks a lot for your time. > > > > > > Guillermo Have you added the module in the authorize and accounting sections in radiusd.conf? Make sure also that ippool comes after the files module in the authorize section. -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ip pool again
It still doesn't work. > > Hi list: > >I'm starting the tests with the ippool module. > >I added this line on the users file: > > DEFAULT NAS-IP-Address == "10.169.255.11", Auth-Type := > Accept, Pool-Name := "prueba" > >And created an IP pool: > > ippool prueba { >range-start = 10.170.200.1 >range-stop = 10.170.200.254 >netmask = 255.255.255.0 >cache-size = 800 >session-db = /raddb/db.ippool >ip-index = /raddb/db.ipindex > } > I can start the server and it works ok, but it doesn't reply with the Framed-IP-Address attribute. >What am I doing wrong? > >I'm sorry if this is ANOTHER stupid question. > >Thanks a lot for your time. > > > Guillermo > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
SOLVED: Sorry: Re: ip pool: Unknown attribute Pool-Name
I'm sorry. This was really stupid. I was using the old dictionary file, from fr 0.4. Guillermo Schimmel wrote: > > Hi list: > >I'm starting the tests with the ippool module. > >I added this line on the users file: > > DEFAULT NAS-IP-Address == "10.169.255.11", Auth-Type := > Accept, Pool-Name := "prueba" > >And created an IP pool: > > ippool prueba { >range-start = 10.170.200.1 >range-stop = 10.170.200.254 >netmask = 255.255.255.0 >cache-size = 800 >session-db = /raddb/db.ippool >ip-index = /raddb/db.ipindex > } > >Now, when I start the server it says: > > /usr/local/etc/raddb/users[144]: Parse error (check) for entry > DEFAULT: Unknown attribute Pool-Name > >What am I doing wrong? > >I'm sorry if this is a stupid question, but I have looked in the > docs and in the list and can't find any hint. > >Thanks a lot for your time. > > > Guillermo > > > > > > > - List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ip pool: Unknown attribute Pool-Name
Hi list: I'm starting the tests with the ippool module. I added this line on the users file: DEFAULT NAS-IP-Address == "10.169.255.11", Auth-Type := Accept, Pool-Name := "prueba" And created an IP pool: ippool prueba { range-start = 10.170.200.1 range-stop = 10.170.200.254 netmask = 255.255.255.0 cache-size = 800 session-db = /raddb/db.ippool ip-index = /raddb/db.ipindex } Now, when I start the server it says: /usr/local/etc/raddb/users[144]: Parse error (check) for entry DEFAULT: Unknown attribute Pool-Name What am I doing wrong? I'm sorry if this is a stupid question, but I have looked in the docs and in the list and can't find any hint. Thanks a lot for your time. Guillermo - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
software IP Pool
Hi all, Is there any configuration to limit the IP pool of a specific group? Because I used rlm_ippool, but when I consumed the whole range, the next time I logged in it gave me an IP address which is out of the range. Thanks --ador - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
IP Pool assignment
Hello, I've been banging my head on a wall over a simple problem and thought I'd see if anyone had a similar setup or any tips. I am using FreeRADIUS v0.5. It works just peachy except trying to get it to assign IP addresses out of a different IP pool for particular users. We are connecting to a Cisco 2600 with IOS version 12.0. I have tried sending several different attributes to no avail. A couple samples from the 'users' file that failed: test1 Auth-Type := System Framed-Pool = "filter_pool" test2 Auth-Type := System Cisco-AVPair = "ip:addr-pool=filter_pool" I have also tried other attributes that I have seen in documentation and mailing lists, but I can't seem to get it going. In some instances I can see the attribute being passed by the RADIUS server using "debug radius" on the Cisco router, but it seems to be ignored. I have this same setup working with a different type of router: diffip Auth-Type := System X-Ascend-Assign-IP-Pool = 2 works just fine on this non-cisco router so I know roughly how to do it, just not with Cisco. The IOS line describing the IP pool is: ip local pool filter_pool 10.10.1.2 10.10.1.10 Has anyone tried doing something similar to this or have some basic tips that I am missing thus far? Thanx!! -- [] Steve Tow Systems Engineer Vital Support Systems Email: [EMAIL PROTECTED] Phone: (515) 334-5700 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
group ip pool
I am setting up a multi subnet network. The subnet that a dial in user gets depends on their group. I have 26 groups all over 100 accounts. They are all dialing one modem pool. How can I do this? I read through the FAQ & archive. Help thx, tmb - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP POOL
Ok, i found rlm_ippool. can i use it with ldap authentication? how? Thanks Jacobo González Simón wrote: > > Hi all, > > I'm testing freeradius and ldap( with radtest utility, i have not > another ras server that one is running with another radius ), and it > seems to work fine. Now the problem: > > I had read in users file this: > > # > # Set up different IP address pools for the terminal servers. > # Note that the "+" behind the IP address means that this is the "base" > # IP address. The Port-Id (S0, S1 etc) will be added to it. > # > #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen" > # Framed-IP-Address = 192.168.1.32+, > # Fall-Through = Yes > > #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft" > # Framed-IP-Address = 192.168.2.32+, > # Fall-Through = Yes > > and in my ldap base i have an entry: > > dn: uid=pepe,ou=miembros,dc=midominio.es,o=miempresa > objectclass: person > objectclass: radiusprofile > cn: JOSE > uid: pepe > radiusServiceType: Framed-User > radiusFramedProtocol: PPP > radiusFramedIPAddress: 192.168.254.1+ > radiusFramedIPNetmask: 255.255.255.255 > . > . > . > . > . > . > . > > Well, which is the limit for dynamic IP address? > > 192.168.254.1+ meaning that all of 192.168.254.0/255.255.255.0 is > available for dynamic ip? > > I need delimit my pool to few ips, how can i do it? > > Thanks at all, and sorry for my poor English > > Jacobo > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP POOL
At 06:14 PM 4/10/2002 +0200, Jacobo González Simón wrote: >Hello again, > > i have freeradius-0.5 from freeradius.org and i haven't >src/modules/rlm_ippool, where can i find it? CVS, or one of the nightly builds. It has been added since the 0.5 release. -Chris -- \\\|||/// \ StarNet Inc. \Chris Parker \ ~ ~ / \ WX *is* Wireless!\ Director, Engineering | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Wholesale Internet Services - http://www.megapop.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP POOL
Hello again, i have freeradius-0.5 from freeradius.org and i haven't src/modules/rlm_ippool, where can i find it? Thanks Kostas Kalevras wrote: > > On Mon, 8 Apr 2002, Jacobo González Simón wrote: > > > Thanks for your reply but i don't understand you. > > > > I haven't rlm_ippool module. > > > > Kostas Kalevras wrote: > > > > > > > > Try the rlm_ippool module. It will do your job just fine. Check out the > > > comments in radiusd.conf. > > > > rlm_counter module and do s/counter/ippool. > > ?? > > Where do i copy Makefile? > > > > what's s/counter/ippool? > > > > Thanks, Jacobo > > Check out the latest cvs for the rlm_ippool module. > You will have to copy the Makefile in src/modules/rlm_ippool > s/counter/ippool means replace all occurrences of the word counter in the > makefile with ippool. > > -- > Kostas Kalevras Network Operations Center > [EMAIL PROTECTED] National Technical University of Athens, Greece > Work Phone: +30 10 7721861 > 'Go back to the shadow' Gandalf > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP POOL
On Mon, 8 Apr 2002, Jacobo González Simón wrote: > Thanks for your reply but i don't understand you. > > I haven't rlm_ippool module. > > Kostas Kalevras wrote: > > > > > Try the rlm_ippool module. It will do your job just fine. Check out the > > comments in radiusd.conf. > > rlm_counter module and do s/counter/ippool. > ?? > Where do i copy Makefile? > > what's s/counter/ippool? > > Thanks, Jacobo Check out the latest cvs for the rlm_ippool module. You will have to copy the Makefile in src/modules/rlm_ippool s/counter/ippool means replace all occurrences of the word counter in the makefile with ippool. -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP POOL
Thanks for your reply but i don't understand you. I haven't rlm_ippool module. Kostas Kalevras wrote: > > Try the rlm_ippool module. It will do your job just fine. Check out the > comments in radiusd.conf. rlm_counter module and do s/counter/ippool. ?? Where do i copy Makefile? what's s/counter/ippool? Thanks, Jacobo - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP POOL
On Tue, 2 Apr 2002, Jacobo González Simón wrote: > Hi all, > > I'm testing freeradius and ldap( with radtest utility, i have not > another ras server that one is running with another radius ), and it > seems to work fine. Now the problem: > > I had read in users file this: > > # > # Set up different IP address pools for the terminal servers. > # Note that the "+" behind the IP address means that this is the "base" > # IP address. The Port-Id (S0, S1 etc) will be added to it. > # > #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen" > # Framed-IP-Address = 192.168.1.32+, > # Fall-Through = Yes > > #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft" > # Framed-IP-Address = 192.168.2.32+, > # Fall-Through = Yes > > > and in my ldap base i have an entry: > > dn: uid=pepe,ou=miembros,dc=midominio.es,o=miempresa > objectclass: person > objectclass: radiusprofile > cn: JOSE > uid: pepe > radiusServiceType: Framed-User > radiusFramedProtocol: PPP > radiusFramedIPAddress: 192.168.254.1+ > radiusFramedIPNetmask: 255.255.255.255 > . > . > . > . > . > . > . > > Well, which is the limit for dynamic IP address? > > 192.168.254.1+ meaning that all of 192.168.254.0/255.255.255.0 is > available for dynamic ip? > > I need delimit my pool to few ips, how can i do it? > > Thanks at all, and sorry for my poor English > > Jacobo Try the rlm_ippool module. It will do your job just fine. Check out the comments in radiusd.conf. If it does not compile copy the Makefile from the rlm_counter module and do s/counter/ippool. -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 10 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
IP POOL
Hi all, I'm testing freeradius and ldap( with radtest utility, i have not another ras server that one is running with another radius ), and it seems to work fine. Now the problem: I had read in users file this: # # Set up different IP address pools for the terminal servers. # Note that the "+" behind the IP address means that this is the "base" # IP address. The Port-Id (S0, S1 etc) will be added to it. # #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen" # Framed-IP-Address = 192.168.1.32+, # Fall-Through = Yes #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft" # Framed-IP-Address = 192.168.2.32+, # Fall-Through = Yes and in my ldap base i have an entry: dn: uid=pepe,ou=miembros,dc=midominio.es,o=miempresa objectclass: person objectclass: radiusprofile cn: JOSE uid: pepe radiusServiceType: Framed-User radiusFramedProtocol: PPP radiusFramedIPAddress: 192.168.254.1+ radiusFramedIPNetmask: 255.255.255.255 . . . . . . . Well, which is the limit for dynamic IP address? 192.168.254.1+ meaning that all of 192.168.254.0/255.255.255.0 is available for dynamic ip? I need delimit my pool to few ips, how can i do it? Thanks at all, and sorry for my poor English Jacobo - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html