Re: ip pool problem ?

2003-12-18 Thread Oliver Graf
On Thu, Dec 18, 2003 at 03:49:20PM +0700, [EMAIL PROTECTED] wrote:
> I need help on configuring freeradius, on ip pooling. issue i use mysql as the user 
> as well as ip database. But it seems, radius can works on range ip i gave but i 
> works on ip with "+", but i can control the ip assignment that server gave to user 
> who dials in. Also i previously try using main_ippool with range start & range stop, 
> it seems don't work. Can anyone help me figure out this phenomena ?

As far as I know, freeradius does not store ip pools in sql databases.

Perhaps you can provide some debugging output and configuration you
use (don't send everything, only the 'interesting' parts).

Oliver.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP Pool Unused IPs deallocation?

2003-12-04 Thread Oliver Graf
On Thu, Dec 04, 2003 at 03:27:49PM +0200, m0bius wrote:
> Well you may actually be correct but from what I have read during the
> past months some NAS equipment didn't have any problems with the ip
> management via the radius server so I thought this should be a most
> applicable method to setup radius.

It is nice to manage all ips on the radius, but on the other hand I
do just the same with my pool based setup. All pools and pool
assignments are managed via the radius on our ascend and cisco nas
equipment (they both support nas side ip pools managed via radius very
well).

Oliver.




RE: IP Pool Unused IPs deallocation?

2003-12-04 Thread m0bius
> > > On the other hand: why not just let the MAX distribute the IPs? make a
> > > pools-NAS-NAME entry which assigns your pools to the NAS and choose
> > > the pool via the Ascend-Assign-IP-Pool attribute. Works fine (I have
> > > about a dozen MAX 2000/4000/6000/TNT with this setup).
> >
> > So let me see if I get this straight. I should create something like:
> >
> > pools-nas1 Ascend-Assign-IP-Pool := "nas1_pool" ?

> No.

> Example (makes three pools on nas1 and has 3 test users which each get
> an ip from a different pool):

> pools-nas1  Auth-Type := Local, User-Password == "ascend"
>   Service-Type = Outbound-User,
>   Ascend-IP-Pool-Definition = "1 10.10.10.1 126",
>   Ascend-IP-Pool-Definition = "2 10.10.20.1 126",
>   Ascend-IP-Pool-Definition = "3 10.10.30.1 126"

> user1 Auth-Type := Local, User-Password == "test1"
>   Service-Type = Framed,
>   Framed-Protocol = MPP,
>   Ascend-Maximum-Channels = 2,
>   Ascend-Assign-IP-Pool = 1,
>   Ascend-Idle-Limit = 3600,
>   Ascend-Client-Primary-DNS = 10.1.1.1,
>   Ascend-Client-Secondary-DNS = 10.2.1.1,
>   Ascend-Client-Assign-DNS = DNS-Assign-Yes
>
> user2 Auth-Type := Local, User-Password == "test2"
>   Service-Type = Framed,
>   Framed-Protocol = MPP,
>   Ascend-Maximum-Channels = 2,
>   Ascend-Assign-IP-Pool = 2,
>   Ascend-Idle-Limit = 3600,
>   Ascend-Client-Primary-DNS = 10.1.1.1,
>   Ascend-Client-Secondary-DNS = 10.2.1.1,
>   Ascend-Client-Assign-DNS = DNS-Assign-Yes

> user3 Auth-Type := Local, User-Password == "test3"
>   Service-Type = Framed,
>   Framed-Protocol = MPP,
>   Ascend-Maximum-Channels = 2,
>   Ascend-Assign-IP-Pool = 3,
>   Ascend-Idle-Limit = 3600,
>   Ascend-Client-Primary-DNS = 10.1.1.1,
>   Ascend-Client-Secondary-DNS = 10.2.1.1,
>   Ascend-Client-Assign-DNS = DNS-Assign-Yes

> This works well with fallback defaults / sql group replies.

I see. I will forward these changes to see whether the problems are
totally solved and let you know of the outcome. This whole issue with the
IP Pools has been in my mind since I first started working along with
Radius.

> > I don't know if I understood exactly what you mean. I've never worked
> > with ascend before. If however it's pretty much the above has this
> > anything to do with the countless auth requests regarding
> > pools-nas1/ascend I receive or have I screwed everything badly? :-)

> Oh, missed that paragraph...

> Yep. pool defs must go to the pools user of the nas. As soon as the max
> powers up, it asks for its pools. If it gets a user reply which has a
> unknown pool, it should ask again.

Another helpful tip. Browsing the archives this subject had been
mentioned before but the answer was simply to put this user in
Service-Type = REJECT to avoid the logging of these connections. Let
alone the manuals of the NAS equipment have been lost through the
centuries making my life much more difficult :-)

> I don't trust freeradius to assign IP addresses, cause the NAS is the one
> who knows if a session is there or if it is not. There is no real point in
> letting the radius assign ip addresses if your NAS equipment can do it. And
> if you are changing pools often, this is also no problem if you're running
> some sort of dynamic routing protocol, cause the nas will announce its
> learned pools via this way...

Well you may actually be correct but from what I have read during the
past months some NAS equipment didn't have any problems with the ip
management via the radius server so I thought this should be a most
applicable method to setup radius.

> Oliver.

Thank you very much for all your help.

Regards, 
Paris






Re: IP Pool Unused IPs deallocation?

2003-12-04 Thread Oliver Graf
On Thu, Dec 04, 2003 at 11:17:12AM +0200, m0bius wrote:
> I don't know if I understood exactly what you mean. I've never worked
> with ascend before. If however it's pretty much the above has this
> anything to do with the countless auth requests regarding
> pools-nas1/ascend I receive or have I screwed everything badly? :-)

Oh, missed that paragraph...

Yep. pool defs must go to the pools user of the nas. As soon as the
max powers up, it asks for its pools. If it gets a user reply which
has a unknown pool, it should ask again.

I don't trust freeradius to assign IP addresses, cause the NAS is the
one who knows if a session is there or if it is not. There is no real
point in letting the radius assign ip addresses if your NAS equipment
can do it. And if you are changing pools often, this is also no
problem if you're running some sort of dynamic routing protocol, cause
the nas will announce its learned pools via this way...

Oliver.




Re: IP Pool Unused IPs deallocation?

2003-12-04 Thread Oliver Graf
On Thu, Dec 04, 2003 at 11:17:12AM +0200, m0bius wrote:
> 
> > > DEFAULT Service-Type == Framed-User,  Pool-Name := "main_pool"
> > > Framed-MTU = 1500,
> > > Service-Type = Framed-User,
> > > Fall-Through = 1,
> > > Ascend-IP-Pool-Definition = "1 111.222.333.97 93"
> 
> > As far as I understand, an Ascend-Pool def is not needed in the
> > described setup. If the radius assigns IPs, the MAX does not need a
> > pool, just route the IPs to it.
> 
> Actually Ascend-IP-Pool-Definition has been there since my early tests
> and hasn't been removed by a mistake.
> 
> > On the other hand: why not just let the MAX distribute the IPs? make a
> > pools-NAS-NAME entry which assigns your pools to the NAS and choose
> > the pool via the Ascend-Assign-IP-Pool attribute. Works fine (I have
> > about a dozen MAX 2000/4000/6000/TNT with this setup).
> 
> So let me see if I get this straight. I should create something like:
> 
> pools-nas1 Ascend-Assign-IP-Pool := "nas1_pool" ?

No.

Example (makes three pools on nas1 and has 3 test users which each get
an ip from a different pool):

pools-nas1  Auth-Type := Local, User-Password == "ascend"
        Service-Type = Outbound-User,
        Ascend-IP-Pool-Definition = "1 10.10.10.1 126",
        Ascend-IP-Pool-Definition = "2 10.10.20.1 126",
        Ascend-IP-Pool-Definition = "3 10.10.30.1 126"

user1   Auth-Type := Local, User-Password == "test1"
        Service-Type = Framed,
        Framed-Protocol = MPP,
        Ascend-Maximum-Channels = 2,
        Ascend-Assign-IP-Pool = 1,
        Ascend-Idle-Limit = 3600,
        Ascend-Client-Primary-DNS = 10.1.1.1,
        Ascend-Client-Secondary-DNS = 10.2.1.1,
        Ascend-Client-Assign-DNS = DNS-Assign-Yes

user2   Auth-Type := Local, User-Password == "test2"
        Service-Type = Framed,
        Framed-Protocol = MPP,
        Ascend-Maximum-Channels = 2,
        Ascend-Assign-IP-Pool = 2,
        Ascend-Idle-Limit = 3600,
        Ascend-Client-Primary-DNS = 10.1.1.1,
        Ascend-Client-Secondary-DNS = 10.2.1.1,
        Ascend-Client-Assign-DNS = DNS-Assign-Yes

user3   Auth-Type := Local, User-Password == "test3"
        Service-Type = Framed,
        Framed-Protocol = MPP,
        Ascend-Maximum-Channels = 2,
        Ascend-Assign-IP-Pool = 3,
        Ascend-Idle-Limit = 3600,
        Ascend-Client-Primary-DNS = 10.1.1.1,
        Ascend-Client-Secondary-DNS = 10.2.1.1,
        Ascend-Client-Assign-DNS = DNS-Assign-Yes

This works well with fallback defaults / sql group replies.

Oliver.




RE: IP Pool Unused IPs deallocation?

2003-12-04 Thread m0bius

> > DEFAULT Service-Type == Framed-User,  Pool-Name := "main_pool"
> > Framed-MTU = 1500,
> > Service-Type = Framed-User,
> > Fall-Through = 1,
> > Ascend-IP-Pool-Definition = "1 111.222.333.97 93"

> As far as I understand, an Ascend-Pool def is not needed in the
> described setup. If the radius assigns IPs, the MAX does not need a
> pool, just route the IPs to it.

Actually Ascend-IP-Pool-Definition has been there since my early tests
and hasn't been removed by a mistake.

> On the other hand: why not just let the MAX distribute the IPs? make a
> pools-NAS-NAME entry which assigns your pools to the NAS and choose
> the pool via the Ascend-Assign-IP-Pool attribute. Works fine (I have
> about a dozen MAX 2000/4000/6000/TNT with this setup).

So let me see if I get this straight. I should create something like:

pools-nas1 Ascend-Assign-IP-Pool := "nas1_pool" ?

I don't know if I understood exactly what you mean. I've never worked
with ascend before. If however it's pretty much the above has this
anything to do with the countless auth requests regarding
pools-nas1/ascend I receive or have I screwed everything badly? :-)

> Oliver.


Regards,
Paris






Re: IP Pool Unused IPs deallocation?

2003-12-03 Thread Oliver Graf
On Thu, Dec 04, 2003 at 03:07:41AM +0200, m0bius wrote:
> DEFAULT Service-Type == Framed-User,  Pool-Name := "main_pool"
> Framed-MTU = 1500,
> Service-Type = Framed-User,
> Fall-Through = 1,
> Ascend-IP-Pool-Definition = "1 111.222.333.97 93"

As far as I understand, an Ascend-Pool def is not needed in the
described setup. If the radius assigns IPs, the MAX does not need a
pool, just route the IPs to it.

On the other hand: why not just let the MAX distribute the IPs? make a
pools-NAS-NAME entry which assigns your pools to the NAS and choose
the pool via the Ascend-Assign-IP-Pool attribute. Works fine (I have
about a dozen MAX 2000/4000/6000/TNT with this setup).

Oliver.




Re: IP pool problem, please help

2002-10-11 Thread Kostas Kalevras
On Thu, 10 Oct 2002, Andrew Kelaidis wrote:

> I have installed the freeRADIUS server and I 'm using the rlm_ippool module.
> Everything works fine until one account-stop packet had been lost. The user
> was log out but the dialup admin interface shows him as online and active in
> finger page. I remove the correct record from the radacct table so the user
> went offline. The problem is that the server had assigned him an ip address
> and when the user is trying to login again, the following error message
> appears:
> "The server did not assign an IP Address, error 738"
>
> I know that the ippool module keeps two files (not text files) with
> information about used IP addresses. I think that the "stacked" user can't
> login because the server has already assign him an ipaddress. Is there any
> ways to solve this problem? Please help...
>
> Andrew Kelaidis

I am not sure that is the problem. The ippool module uses the nas/port
combination as the key, not the username. If you log in on the same nas/port the
module will deallocate the corresponding IP.
You could run your server in debug mode and watch the output when the user logs
in. That should help you find the problem.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
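
The keying behaviour described in the reply above, as an added example that is not part of the original post and is not rlm_ippool's code: a simplified model of a pool keyed by (NAS, port), showing what a lost Accounting-Stop leaves behind. The class, method and function names are hypothetical, and the pool range and NAS address are constructed sample values.

```python
import ipaddress


class NasPortPool:
    """Simplified model of an address pool keyed by (NAS, port), not by username."""

    def __init__(self, range_start, range_stop):
        first = int(ipaddress.IPv4Address(range_start))
        last = int(ipaddress.IPv4Address(range_stop))
        self.addresses = [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]
        self.by_key = {}  # (nas, port) -> allocated address

    def login(self, nas, port):
        # A login on a key that still holds an address means the earlier
        # session's stop never arrived: release that entry before allocating.
        self.by_key.pop((nas, port), None)
        in_use = set(self.by_key.values())
        for addr in self.addresses:
            if addr not in in_use:
                self.by_key[(nas, port)] = addr
                return addr
        return None  # pool exhausted, nothing to hand out

    def accounting_stop(self, nas, port):
        # Normal release path: the NAS reports that the session ended.
        return self.by_key.pop((nas, port), None)

    def stale_entries(self, live_sessions):
        # Keys the pool still holds although the NAS no longer has a session there.
        return sorted(key for key in self.by_key if key not in live_sessions)


def lost_stop_scenario():
    """Walk through a lost stop on a three-address pool (constructed values)."""
    pool = NasPortPool("192.168.59.193", "192.168.59.195")
    nas = "192.168.59.244"
    result = {}

    result["first_login"] = pool.login(nas, 0)
    # The user hangs up here, but the Accounting-Stop for port 0 is lost.

    # A login on another port cannot reuse the address: the key differs.
    result["other_port"] = pool.login(nas, 1)
    # A login on the same nas/port frees the old entry and allocates again.
    result["same_port"] = pool.login(nas, 0)
    result["held_after_relogin"] = len(pool.by_key)

    # More lost stops on other ports fill the pool with dead entries.
    pool.login(nas, 2)
    result["when_full"] = pool.login(nas, 3)

    # Compare against what the NAS reports as live (only port 0 here) and
    # release the rest by hand.
    result["stale"] = pool.stale_entries({(nas, 0)})
    for key in result["stale"]:
        pool.accounting_stop(*key)
    result["after_cleanup"] = pool.login(nas, 3)
    return result


if __name__ == "__main__":
    for step, value in lost_stop_scenario().items():
        print(f"{step}: {value}")
```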





Re: IP pool problem, please help

2002-10-10 Thread Tim

Can someone please post a copy of the output from radiusd -X  when a 
simultaneous login is detected, and freeradius runs the checkrad prog ..

thx ...





Tim Fraser

*
Relax Internet
Internet Service Provider (dial-up & ADSL) / Web Hosting
www.relax.com.au

*






Re: ip pool

2002-08-22 Thread Kostas Kalevras

On Thu, 22 Aug 2002, [iso-8859-1] ho k wrote:

> Hi
>
> The connection is still failed after changing the
> order in radiusd.conf and debug output as:
>
> DEFAULT NAS-IP-Address == 192.168.59.244, Auth-Type := Accept, Pool-Name = "RAS"
> Service-Type = Framed-User,
> Framed-MTU = 1500,
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP

Try changing Pool-Name = "RAS" to
Pool-Name := "RAS"

>
> but there is no problem of the connection for change
> the config to:
>
> DEFAULT Auth-Type := Accept
> Service-Type = Framed-User,
> Framed-IP-Address = 192.168.59.192+,
> Framed-MTU = 1500,
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP
>
> Another question that may it work for this entry in
> "users" config:
> DEFAULT NAS-IP-Address == 192.168.59.244, Auth-Type := System, Pool-Name = "RAS_1"
> Service-Type = Framed-User,
> Framed-MTU = 1500,
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT NAS-IP-Address == 192.168.59.245, Auth-Type := System, Pool-Name = "RAS_2"
> Service-Type = Framed-User,
> Framed-MTU = 1500,
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP
>
> when I have two RAS which ip 192.168.59.244 and
> 192.168.59.255 are. They would assign separate ip
> range to two group of dialup users
>
> k

If you create two ippool instances named RAS_1 and RAS_2 you shouldn't have any
problems.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf





RE: IP Pool Question

2002-08-22 Thread rakesh jha
Thanks for the reply. However after modifying the pool range, I changed the users file as following:

Normaluser      Auth-Type :=local, password =="y"
    Service-type = framed,
    Framed-protocol = PPP,
    Framed-IP-Address = 255.255.255.254,
    Framed-IP-netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Fall-Through = Yes,
    session-timeout = 1800


With this configuration I tried two PCs simultaneously and all the time I kept on getting IP x.x.x.254 on both PCs. According to the write up users should have been assigned different IP from the pool defined in Cisco 5300.

Any clue?


Thanks


Rakesh


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Kostas
Kalevras
Sent: Wednesday, August 21, 2002 3:10 PM
To: '[EMAIL PROTECTED]'
Subject: Re: IP Pool Question



On Wed, 21 Aug 2002, rakesh jha wrote:


> Hello Radius Gurus,
>
> I need your help. I have just downloaded and installed freeradius 7 with
> rlm_ippool. I have following situation:
> We have defined an ip pool on Cisco 5300 from x.x.x.195 to x.x.x.254 with
> mask 255.255.255.192.
> We want IP from x.x.x.195 to x.x.x.214 statically to the privilege dial-in
> users and IP from x.x.x.215 to x.x.x.254 dynamically to other normal users.
> For normal users duplicate users ID is allowed.


Why not just define an IP pool in the 5300 from x.x.x.215 to x.x.x.254 and just
add a reply item of
Framed-IP-Address = 255.255.255.254 in the normal user entries. There's no real
reason in using the ippool module.
If you have more than one IP pools in your 5300 you could also send back a cisco
avpair like this:
Cisco-AVPair := "ip:addr-pool=my_pool_name"


Hope it helps


--
Kostas Kalevras     Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone:     +30 10 7721861
'Go back to the shadow' Gandalf


>
> To achieve this I am doing following.
>
> 1. In radiusd.conf I have added following:
>       usercollide = yes
>       compat = cistron
>
>       Ippool    {
>       Range-start = x.x.x.215
>       Range-stop = x.x.x.254
>       Netmask = 255.255.255.192
>       Cache-size = 800
>       Session-db = ${raddbdir}/db.ippool
>       Ip-index = ${raddbdir}/db.ip-index
>       }
>
> 2. In users file I have added following:
>
>   Privilegeuser   Auth-Type :=local, passwoed =="x"
>   Framed-IP-Address = x.x.x.195
>   Framed-IP-netmask = 255.255.255.255
>       Fall-through = yes
>
>   Normaluser          Auth-Type :=local, passwoed
> =="y"
>   Service-type = framed
>   Framed-protocol = PPP
>   Session-timeout =1800
>
>
>
> The whole idea is that mormaluser should get IP starting from x.x.x.215 till
> x.x.x.254 only and after that which ever is unused in range from 215 - 254.
> In my existing RADIUS server for normal users I have configured
> Framed-IP-Address = x.x.x.215+ and user may get IP beyond our subnet.
>
> Seeing the configuration, please confirm following:
>
>
>
> 1.   Will this work OK
> 2.   The normaluser will get IP from range x.x.x.215 - x.x.x.254
>
> Thanks
>
> Rakesh Jha
> Kuwait
>
> ---
> Disclaimer:
> Any non official business related views, opinions  or other information
> presented in this electronic mail  are solely those of the sender/author.
> Burgan Bank does not endorse or accept responsibility for these opinions,
> views or conclusion.
>  If you are not the addressee indicated in this electronic mail or
> responsible for delivering this electronic message to the intended
> recipient,  you should delete this message and notify the sender
> immediately.
>
> Burgan Bank
> 
>




Re: ip pool

2002-08-21 Thread ho k

Hi

The connection is still failed after changing the
order in radiusd.conf and debug output as:

Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded IPPOOL
 ippool: session-db = "/usr/local/etc/raddb/db.ippool"
 ippool: ip-index = "/usr/local/etc/raddb/db.ipindex"
 ippool: range-start = 192.168.59.193 IP address [192.168.59.193]
 ippool: range-stop = 192.168.59.195 IP address [192.168.59.195]
 ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
 ippool: cache-size = 3
Module: Instantiated ippool (RAS)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.


rad_recv: Access-Request packet from host 192.168.59.244:1093, id=58, length=73
User-Name = "noki"
User-Password = "\3713\363tW\257\223^g%\0261A\254\211"
NAS-Port = 0
Framed-Protocol = PPP
NAS-Identifier = "AUD_AGENT"
NAS-Port-Type = Async
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "noki"
rlm_realm: No such realm NULL
 modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 185
users: Matched DEFAULT at 211
users: Matched DEFAULT at 223
 modcall[authorize]: module "files" returns ok
 modcall[authorize]: module "RAS" returns noop
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
  modcall[authenticate]: module "unix" returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 58 to 192.168.59.244:1093
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 58 with timestamp 3d645b5f
Nothing to do.  Sleeping until we see a request.

Here is the context of radiusd.conf:
module {
   pam {...
   }
   unix {...
   }
   eap {...
   }

   ...
   (different modules in here)
   

   ippool RAS {
      range-start = 192.168.59.193
      range-stop = 192.168.59.195
      netmask = 255.255.255.0
      cache-size = 3
      session-db = ${raddbdir}/db.ippool
      ip-index = ${raddbdir}/db.ipindex
   }
}

authorize {
   preprocess
   eap
   suffix
   files
   RAS
}
authenticate {
   unix
}
accounting {
   detail
#   counter
   unix
   RAS
   radutmp
}

and context of "users":

DEFAULT NAS-IP-Address == 192.168.59.244, Auth-Type := Accept, Pool-Name = "RAS"
        Service-Type = Framed-User,
        Framed-MTU = 1500,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

but there is no problem of the connection for change
the config to:
 
DEFAULT Auth-Type := Accept
        Service-Type = Framed-User,
        Framed-IP-Address = 192.168.59.192+,
        Framed-MTU = 1500,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

Another question that may it work for this entry in
"users" config:
DEFAULT NAS-IP-Address == 192.168.59.244, Auth-Type := System, Pool-Name = "RAS_1"
        Service-Type = Framed-User,
        Framed-MTU = 1500,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT NAS-IP-Address == 192.168.59.245, Auth-Type := System, Pool-Name = "RAS_2"
        Service-Type = Framed-User,
        Framed-MTU = 1500,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

when I have two RAS which ip 192.168.59.244 and
192.168.59.255 are. They would assign separate ip
range to two group of dialup users

k

 --- Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> On Wed, 21 Aug 2002, [iso-8859-1] ho k wrote:
>
> > Dear All
> >
> > Can you point out the mistake about ip assignment from
> > radius side. Parts of radiusd.conf are as follows:
> >
> > 
> > authorize {
> > preprocess
> > suffix
> > files

Re: ip pool

2002-08-21 Thread Kostas Kalevras

On Wed, 21 Aug 2002, [iso-8859-1] ho k wrote:

> Dear All
>
> Can you point out the mistake about ip assignment from
> radius side. Parts of radiusd.conf are as follows:
>
> 
> authorize {
> preprocess
> suffix
> files
> RAS
> ippool RAS {
> range-start = 192.168.59.193
> range-stop = 192.168.59.195
> netmask = 255.255.255.0
> cache-size = 3
> session-db = ${raddbdir}/db.ippool
> ip-index = ${raddbdir}/db.ipindex
> }
> }
>
> and failure connection output as:
> rad_recv: Access-Request packet from host 192.168.59.244:1083, id=49, length=71
> User-Name = "bb"
> User-Password = "\323\317\322\267\272\330\014t\365\223\337\004i\022\273"
> NAS-Port = 0
> Framed-Protocol = PPP
> NAS-Identifier = "AUD_AGENT"
> NAS-Port-Type = Async
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "RAS" returns noop
> rlm_realm: Looking up realm NULL for User-Name = "bb"
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 171
> users: Matched DEFAULT at 197
> users: Matched DEFAULT at 209
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok

From the modcall[authorize] messages it seems that your authorize section is

authorize{
preprocess
RAS
suffix
files
}

whilst it should be

authorize{
preprocess
suffix
files
RAS
}

>
> and the "users" file as:
>
> DEFAULT NAS-IP-Address == 192.168.59.244, Auth-Type :=
> Accept, Pool-Name = "RAS"

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
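
The reading of the debug output in the reply above, as an added example that is not part of the original post: a small parser that rebuilds the module order of a section from `radiusd -X` lines and checks where the pool instance ran and what it returned. The function names are hypothetical; the two samples are constructed from the debug excerpts quoted in this thread, with quote marks and mail-client line wrapping left in.

```python
import re

# One line of radiusd -X output per module call, for example:
#   modcall[authorize]: module "files" returns ok
MODCALL = re.compile(r'modcall\[(\w+)\]:\s+module\s+"([^"]+)"\s+returns\s+(\w+)')

# Constructed sample: the first attempt, as quoted in the reply.
FIRST_ATTEMPT = '''\
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "RAS" returns noop
> rlm_realm: Looking up realm NULL for User-Name =
> "bb"
>   modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 171
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
'''

# Constructed sample: the follow-up attempt after the order was changed.
SECOND_ATTEMPT = '''\
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
 modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 185
 modcall[authorize]: module "files" returns ok
 modcall[authorize]: module "RAS" returns noop
modcall: group authorize returns ok
modcall: entering group authenticate
  modcall[authenticate]: module "unix" returns
notfound
modcall: group authenticate returns notfound
'''


def module_calls(debug_text, section):
    """Return [(module, return_code), ...] for one section, in call order."""
    # Drop mail quote prefixes so wrapped lines such as "returns\n> notfound"
    # can be matched across the line break.
    lines = [re.sub(r'^(?:>\s?)+', '', line) for line in debug_text.splitlines()]
    text = "\n".join(lines)
    return [(m.group(2), m.group(3))
            for m in MODCALL.finditer(text) if m.group(1) == section]


def review_pool_placement(calls, pool, users_module="files"):
    """List problems with where the pool instance ran and what it returned."""
    names = [name for name, _ in calls]
    if pool not in names:
        return [f"{pool} was not called in this section"]
    findings = []
    if users_module in names and names.index(pool) < names.index(users_module):
        findings.append(
            f"{pool} runs before {users_module}, "
            "so Pool-Name from the users file is not set yet")
    if dict(calls)[pool] == "noop":
        findings.append(f"{pool} returned noop: it did nothing for this request")
    return findings


if __name__ == "__main__":
    for label, sample in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT)):
        calls = module_calls(sample, "authorize")
        print(label, [name for name, _ in calls])
        for finding in review_pool_placement(calls, "RAS"):
            print("  -", finding)
```

On the second sample the order is already correct and only the noop finding remains, which is the case the `Pool-Name := "RAS"` suggestion elsewhere in the thread addresses.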





Re: IP Pool Question

2002-08-21 Thread Kostas Kalevras

On Wed, 21 Aug 2002, rakesh jha wrote:

> Hello Radius Gurus,
>
> I need your help. I have just downloaded and installed freeradius 7 with
> rlm_ippool. I have following situation:
> We have defined an ip pool on Cisco 5300 from x.x.x.195 to x.x.x.254 with
> mask 255.255.255.192.
> We want IP from x.x.x.195 to x.x.x.214 statically to the privilege dial-in
> users and IP from x.x.x.215 to x.x.x.254 dynamically to other normal users.
> For normal users duplicate users ID is allowed.

Why not just define an IP pool in the 5300 from x.x.x.215 to x.x.x.254 and just
add a reply item of
Framed-IP-Address = 255.255.255.254 in the normal user entries. There's no real
reason in using the ippool module.
If you have more than one IP pools in your 5300 you could also send back a cisco
avpair like this:
Cisco-AVPair := "ip:addr-pool=my_pool_name"

Hope it helps

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf

>
> To achieve this I am doing following.
>
> 1. In radiusd.conf I have added following:
>   usercollide = yes
>   compat = cistron
>
>   Ippool{
>   Range-start = x.x.x.215
>   Range-stop = x.x.x.254
>   Netmask = 255.255.255.192
>   Cache-size = 800
>   Session-db = ${raddbdir}/db.ippool
>   Ip-index = ${raddbdir}/db.ip-index
>   }
>
> 2. In users file I have added following:
>
>   Privilegeuser   Auth-Type :=local, passwoed =="x"
>   Framed-IP-Address = x.x.x.195
>   Framed-IP-netmask = 255.255.255.255
>   Fall-through = yes
>
>   Normaluser  Auth-Type :=local, passwoed
> =="y"
>   Service-type = framed
>   Framed-protocol = PPP
>   Session-timeout =1800
>
>
>
> The whole idea is that mormaluser should get IP starting from x.x.x.215 till
> x.x.x.254 only and after that which ever is unused in range from 215 - 254.
> In my existing RADIUS server for normal users I have configured
> Framed-IP-Address = x.x.x.215+ and user may get IP beyond our subnet.
>
> Seeing the configuration, please confirm following:
>
>
>
> 1.   Will this work OK
> 2.   The normaluser will get IP from range x.x.x.215 - x.x.x.254
>
> Thanks
>
> Rakesh Jha
> Kuwait
>





Re: IP Pool questions

2002-08-20 Thread Matias Ezequiel Fabiano


I'm having a problem like Li Lin has. I need that the radius server assign
an IP address from a pool (172.25.6.2 /24) to each dial up subscriber, and
all the requirements will come from a NAS (There's no LAN behind
subscribers).
I see that the only IP that the server assigns is the one that i configure
in the attribute Framed-IP-Address. The question is: how I configure this
attribute for the user DEFAULT when I want the server do that? The
following doesn't work

 DEFAULT Auth-Type := Local, User-Password == ""
  Service-Type = Framed-User,
  Framed-IP-Address = 172.25.6.2+,

If I'm wrong, can you explain me how to do what i want to do?.
Thanks

ŠËbú?²æìr¸›{û§²æìr¸›y'ž†Ûiÿü0ÁúÞz¶Šë(®åŠËºÇ«²f


RE: IP Pool questions

2002-08-19 Thread Mark Hennessy

Here's an example user named foo:

foo Auth-Type := System
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 192.168.2.21,
        Framed-Netmask = 255.255.255.252,
        Framed-Route = "192.168.2.20/30 192.168.2.21 1",
        Framed-Compression = Van-Jacobson-TCP-IP,
        Idle-Timeout = 0,
        Framed-MTU = 1500

Note the Framed-Route line.  /30 is equivalent to 255.255.255.252

This is just an example, you could use much larger blocks.

The subscriber would configure their equipment to use the IP address
192.168.2.21.  192.168.2.22 would be an IP usable within their LAN.
Remote gateway could be available in a larger network
specified by a more general netmask for the remote gateway where
appropriate.

Alternately, if you wish, you can do this:

foo Auth-Type := System
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 192.168.2.2,
        Framed-Netmask = 255.255.255.255,
        Framed-Route = "192.168.3.0/28 192.168.2.2 1",
        Framed-Compression = Van-Jacobson-TCP-IP,
        Idle-Timeout = 0,
        Framed-MTU = 1500

This would instead of providing a merged LAN IP block provide a
WAN/LAN-style structure, where you could give each dialup device their own
single IP and then forward blocks over those single IPs to their LAN.  In
this example, a /28 (13 usable addresses) is forwarded to this subscriber
for use in their LAN, they would have to have two separate interfaces, a
WAN interface for 192.168.2.2 and a LAN interface where they define one of
the IPs in the 192.168.3.0 block (such as 192.168.3.1).

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Mon, 19 Aug 2002, Li Lin wrote:

> Date: Mon, 19 Aug 2002 17:43:31 -0400
> From: Li Lin <[EMAIL PROTECTED]>
> To: 'Mark Hennessy' <[EMAIL PROTECTED]>
> Cc: Li Lin <[EMAIL PROTECTED]>
> Subject: RE: IP Pool questions
>
> Hi Mark:
>
>  Yes, I am trying to set up a block of IPs to be passed to a subscriber.
>
>  Thanks
>
>  Li Lin
>
> -Original Message-
> From: Mark Hennessy [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 19, 2002 5:48 PM
> To: '[EMAIL PROTECTED]'
> Cc: Li Lin
> Subject: Re: IP Pool questions
>
> Are you trying to set up a block of IPs to be passed to a subscriber, or
> dynamically assign an IP from a pool to a subscriber?
>
> --
>  Mark P. Hennessy
> [EMAIL PROTECTED]
>
> On Mon, 19 Aug 2002, Li Lin wrote:
>
> > Date: Mon, 19 Aug 2002 17:38:10 -0400
> > From: Li Lin <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: "'[EMAIL PROTECTED]'"
> > <[EMAIL PROTECTED]>
> > Cc: Li Lin <[EMAIL PROTECTED]>
> > Subject: IP Pool questions
> >
> >
> > Dear Sir/Madam:
> >
> > I have a problem to setup IP pool. (The free radius server only assigns one
> > IP address)
> >
> > Could you please tell me:
> >
> > 1.  whether freeradius-0.3 supports IP pool or not?
> > 2.  any document for IP pool?
> >
> > Thanks
> >
> > Li Lin
> >
>





Re: IP Pool questions

2002-08-19 Thread Mark Hennessy

Are you trying to set up a block of IPs to be passed to a subscriber, or
dynamically assign an IP from a pool to a subscriber?

--
 Mark P. Hennessy [EMAIL PROTECTED]

On Mon, 19 Aug 2002, Li Lin wrote:

> Date: Mon, 19 Aug 2002 17:38:10 -0400
> From: Li Lin <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: "'[EMAIL PROTECTED]'"
> <[EMAIL PROTECTED]>
> Cc: Li Lin <[EMAIL PROTECTED]>
> Subject: IP Pool questions
>
>
> Dear Sir/Madam:
>
> I have a problem to setup IP pool. (The free radius server only assigns one
> IP address)
>
> Could you please tell me:
>
> 1. whether freeradius-0.3 supports IP pool or not?
> 2. any document for IP pool?
>
> Thanks
>
> Li Lin
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IP pool

2002-08-16 Thread Kostas Kalevras

On Fri, 16 Aug 2002, Matias Ezequiel Fabiano wrote:

>
> Thanks, Kostas. That neither doesn't work.
> And I understand that if I put the attribute Pool-Name in the same line of
> the "User Name" (DEFAULT), the radius server will expect a IP Address, and
> I want that the radius server assigns it.

No, that happens if you use the matching operators ('==','!=' etc). If you set
it like this ('=',':=' etc) it gets added as a check item. Also _remove_ the
Framed-IP-Address from the reply items for the ippool module to work. It will
take care of handing out IP addresses.

> Is the attribute Framed-IP-Address correct? Because the server only assigns
> one address: 172.25.6.3, and if a second user tries to connect, the first
> get kicked out.
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IP pool

2002-08-16 Thread Matias Ezequiel Fabiano


Thanks, Kostas. That neither doesn't work.
And I understand that if I put the attribute Pool-Name in the same line of
the "User Name" (DEFAULT), the radius server will expect a IP Address, and
I want that the radius server assigns it.
Is the attribute Framed-IP-Address correct? Because the server only assigns
one address: 172.25.6.3, and if a second user tries to connect, the first
get kicked out.





Kostas Kalevras <[EMAIL PROTECTED]>@lists.cistron.nl on 16/08/2002
10:59:29

Please respond to [EMAIL PROTECTED]

Sent by:  [EMAIL PROTECTED]


To: [EMAIL PROTECTED]
CC:
Subject: Re: IP pool


On Fri, 16 Aug 2002, Matias Ezequiel Fabiano wrote:

>
> OK, the error in the Service-Type was corrected. But still doesn't work. My
> users file is configured as follows, and I
> need that the radius server assigns the IP address from the pool
> 172.25.6.0 / 24. What is missing or wrong?
>
> DEFAULT Auth-Type := Local, User-Password == ""
>   Service-Type = Framed-User,
>   Framed-IP-Address = 172.25.6.2+
>
> Thanks

Please read again my previous email. I wrote:

>
> DEFAULT Auth-Type := Local, User-Password == "", Pool-Name = "clientes"
^^
>
> Also the Service-Type assignment is wrong. Try reading 'man 5 users'

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone:   +30 10 7721861
'Go back to the shadow' Gandalf


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




Re: IP pool

2002-08-16 Thread Kostas Kalevras

On Fri, 16 Aug 2002, Matias Ezequiel Fabiano wrote:

>
> OK, the error in the Service-Type was corrected. But still doesn't work. My
> users file is configured as follows, and I
> need that the radius server assigns the IP address from the pool 172.25.6.0 / 24.
> What is missing or wrong?
>
> DEFAULT Auth-Type := Local, User-Password == ""
>   Service-Type = Framed-User,
>   Framed-IP-Address = 172.25.6.2+
>
> Thanks

Please read again my previous email. I wrote:

>
> DEFAULT Auth-Type := Local, User-Password == "", Pool-Name = "clientes"
^^
>
> Also the Service-Type assignment is wrong. Try reading 'man 5 users'

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IP pool

2002-08-16 Thread Matias Ezequiel Fabiano


OK, the error in the Service-Type was corrected. But still doesn't work. My
users file is configured as follows, and I
need that the radius server assigns the IP address from the pool 172.25.6.0 / 24. What 
is missing or wrong?

DEFAULT Auth-Type := Local, User-Password == ""
  Service-Type = Framed-User,
  Framed-IP-Address = 172.25.6.2+

Thanks







Kostas Kalevras <[EMAIL PROTECTED]>@lists.cistron.nl on 16/08/2002
00:24:35

Please respond to [EMAIL PROTECTED]

Sent by:  [EMAIL PROTECTED]


To: [EMAIL PROTECTED]
CC:
Subject: Re: IP pool


On Thu, 15 Aug 2002, Matias Ezequiel Fabiano wrote:

>
> Hello everybody,
>
> Alan, thanks for the answers.
> I have configured this, but still not work:
>
> * radius.conf
>
> ippool cientes {
> range-start = 172.25.6.2
> range-stop = 172.25.6.255
> netmask = 255.255.255.0
> cache-size = 800
> session-db = ${raddbdir}/db.ippool
> ip-index = ${raddbdir}/db.ipindex
> }
>
> * users
>
> DEFAULT Auth-Type := Local, User-Password == ""
> Service-Type == Framed-User,
> Pool-Name = "clientes",
>
> Is it OK? Because I still have the same problem.
> If it's wrong, please tell me how to configure an ip pool for the users.
>
> Thanks a lot
>
> Matias

Try

DEFAULT Auth-Type := Local, User-Password == "", Pool-Name = "clientes"

Also the Service-Type assignment is wrong. Try reading 'man 5 users'

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone:   +30 10 7721861
'Go back to the shadow' Gandalf


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




Re: IP pool

2002-08-15 Thread Kostas Kalevras

On Thu, 15 Aug 2002, Matias Ezequiel Fabiano wrote:

>
> Hello everybody,
>
> Alan, thanks for the answers.
> I have configured this, but still not work:
>
> * radius.conf
>
> ippool cientes {
> range-start = 172.25.6.2
> range-stop = 172.25.6.255
> netmask = 255.255.255.0
> cache-size = 800
> session-db = ${raddbdir}/db.ippool
> ip-index = ${raddbdir}/db.ipindex
> }
>
> * users
>
> DEFAULT Auth-Type := Local, User-Password == ""
> Service-Type == Framed-User,
> Pool-Name = "clientes",
>
> Is it OK? Because I still have the same problem.
> If it's wrong, please tell me how to configure an ip pool for the users.
>
> Thanks a lot
>
> Matias

Try

DEFAULT Auth-Type := Local, User-Password == "", Pool-Name = "clientes"

Also the Service-Type assignment is wrong. Try reading 'man 5 users'

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IP pool

2002-08-15 Thread Matias Ezequiel Fabiano


Hello everybody,

Alan, thanks for the answers.
I have configured this, but still not work:

* radius.conf

ippool cientes {
range-start = 172.25.6.2
range-stop = 172.25.6.255
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
}

* users

DEFAULT Auth-Type := Local, User-Password == ""
Service-Type == Framed-User,
Pool-Name = "clientes",

Is it OK? Because I still have the same problem.
If it's wrong, please tell me how to configure an ip pool for the users.

Thanks a lot

Matias




"Alan DeKok" <[EMAIL PROTECTED]>@lists.cistron.nl on 15/08/2002 11:20:41

Please respond to [EMAIL PROTECTED]

Sent by:  [EMAIL PROTECTED]


To: [EMAIL PROTECTED]
CC:
Subject: Re: IP pool


"Matias Ezequiel Fabiano" <[EMAIL PROTECTED]> wrote:
> When I start the radius daemon and users try to authenticate, the
> server only assigns one IP address (172.25.6.3), and therefore
> only one user can use the service at the same time.  The users
> file looks like this:

> DEFAULT Auth-Type := Local, User-Password == "adgj"
> Service-Type == Framed-User,
> Framed-IP-Address = 172.25.6.2+,

  That's not an IP pool.  It adds the NAS-Port to the IP address.

> Is the IP pool well defined? Thanks for the answers

  See the 'ippool' module, in radiusd.conf.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




Re: IP pool

2002-08-15 Thread Alan DeKok

"Matias Ezequiel Fabiano" <[EMAIL PROTECTED]> wrote:
> When I start the radius daemon and users try to authenticate, the
> server only assigns one IP address (172.25.6.3), and therefore
> only one user can use the service at the same time.  The users
> file looks like this:
 
> DEFAULT Auth-Type := Local, User-Password == "adgj"
> Service-Type == Framed-User,
> Framed-IP-Address = 172.25.6.2+,

  That's not an IP pool.  It adds the NAS-Port to the IP address.

> Is the IP pool well defined? Thanks for the answers

  See the 'ippool' module, in radiusd.conf.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: ip pool again

2002-08-14 Thread Kostas Kalevras

On Wed, 14 Aug 2002, Guillermo Schimmel wrote:

> Yes, it seems like I have several errors. Now it's working.
>
> Now, I have read that you can use the Pool-Name attribute to select one
> IP Address pool, that's why I started trying this.
> I have to share a NAS for Internet Access and VPN access and I'm going
> to do that by routing and firewalling, assigning different pools based
> on some like group.
>
> So, I define two (or more) pools in radiusd.conf like:
>
> ippool test1 { ...}
> ippool test2 { ...}
> ...
> ippool testn { ...}
>
> And I thought that in the authorization section I had to put "ippool",
> and it would take the Pool-Name attribute to choose a pool.
> But now it seems like I have to put one specific ip pool.
> Could you please tell me which is the correct usage of this feature?

ippool test1 { ... } ippool test2 { ... } are all instances of the ip pool
module. You have to add them all in the authorize and accounting sections in
radiusd.conf and use the Pool-Name attribute to select which one will run.

>
>
> Thank you very very much for your help.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: ip pool again

2002-08-14 Thread Guillermo Schimmel

Yes, it seems like I have several errors. Now it's working.

Now, I have read that you can use the Pool-Name attribute to select one 
IP Address pool, that's why I started trying this.
I have to share a NAS for Internet Access and VPN access and I'm going 
to do that by routing and firewalling, assigning different pools based 
on some like group.

So, I define two (or more) pools in radiusd.conf like:

ippool test1 { ...}
ippool test2 { ...}
...
ippool testn { ...}

And I thought that in the authorization section I had to put "ippool", 
and it would take the Pool-Name attribute to choose a pool.
But now it seems like I have to put one specific ip pool.
Could you please tell me which is the correct usage of this feature?


Thank you very very much for your help.



Kostas Kalevras wrote:

>On Wed, 14 Aug 2002, Guillermo Schimmel wrote:
>
>  
>
>>Module: Loaded IPPOOL
>> ippool: session-db = "/usr/local/etc/raddb/db.ippool"
>> ippool: ip-index = "/usr/local/etc/raddb/db.ipindex"
>> ippool: range-start = 10.170.201.1 IP address [10.170.201.1]
>> ippool: range-stop = 10.170.200.254 IP address [10.170.200.254]
>> ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
>> ippool: cache-size = 254
>>rlm_ippool: Invalid configuration data given.
>>radiusd.conf[330]: prueba: Module instantiation failed.
>>
>>
>
>Check your range-start. It should probably read 10.170.200.1. In any case it
>should not be an ip number lower than the range-stop.
>
>--
>Kostas Kalevras Network Operations Center
>[EMAIL PROTECTED]  National Technical University of Athens, Greece
>Work Phone: +30 10 7721861
>'Go back to the shadow' Gandalf
>
>
>- 
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>  
>




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: ip pool again

2002-08-14 Thread Kostas Kalevras

On Wed, 14 Aug 2002, Guillermo Schimmel wrote:

> Module: Loaded IPPOOL
>  ippool: session-db = "/usr/local/etc/raddb/db.ippool"
>  ippool: ip-index = "/usr/local/etc/raddb/db.ipindex"
>  ippool: range-start = 10.170.201.1 IP address [10.170.201.1]
>  ippool: range-stop = 10.170.200.254 IP address [10.170.200.254]
>  ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
>  ippool: cache-size = 254
> rlm_ippool: Invalid configuration data given.
> radiusd.conf[330]: prueba: Module instantiation failed.

Check your range-start. It should probably read 10.170.200.1. In any case it
should not be an ip number lower than the range-stop.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: ip pool again

2002-08-14 Thread Guillermo Schimmel

Kostas Kalevras wrote:

>On Wed, 14 Aug 2002, Guillermo Schimmel wrote:
>
>  
>
>>authorize {
>>preprocess
>>files
>>ippool
>>chap
>>group {
>> ldap1 {
>> fail = 1
>> notfound = 2
>> noop = return
>> ok = return
>> updated  = return
>> reject   = return
>> userlock = return
>> invalid  = return
>> handled  = return
>>}
>> ldap2 {
>> fail = 1
>> notfound = 2
>> noop = return
>> ok   = return
>> updated  = return
>> reject   = return
>> userlock = return
>> invalid  = return
>> handled  = return
>>}
>>}
>>}
>>
>>accounting {
>>acct_unique
>>detail
>>sql
>>ippool
>>}
>>
>>
>
>Replace ippool with prueba and everything should work ok.
>  
>
Now the server doesn't start. It gives the following error:

Module: Loaded IPPOOL
 ippool: session-db = "/usr/local/etc/raddb/db.ippool"
 ippool: ip-index = "/usr/local/etc/raddb/db.ipindex"
 ippool: range-start = 10.170.201.1 IP address [10.170.201.1]
 ippool: range-stop = 10.170.200.254 IP address [10.170.200.254]
 ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
 ippool: cache-size = 254
rlm_ippool: Invalid configuration data given.
radiusd.conf[330]: prueba: Module instantiation failed.





>--
>Kostas Kalevras Network Operations Center
>[EMAIL PROTECTED]  National Technical University of Athens, Greece
>Work Phone: +30 10 7721861
>'Go back to the shadow' Gandalf
>
>
>- 
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>  
>




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: ip pool again

2002-08-14 Thread Kostas Kalevras

On Wed, 14 Aug 2002, Guillermo Schimmel wrote:

> authorize {
> preprocess
> files
> ippool
> chap
> group {
>  ldap1 {
>  fail = 1
>  notfound = 2
>  noop = return
>  ok = return
>  updated  = return
>  reject   = return
>  userlock = return
>  invalid  = return
>  handled  = return
> }
>  ldap2 {
>  fail = 1
>  notfound = 2
>  noop = return
>  ok   = return
>  updated  = return
>  reject   = return
>  userlock = return
>  invalid  = return
>  handled  = return
> }
> }
> }
>
> accounting {
> acct_unique
> detail
> sql
> ippool
> }

Replace ippool with prueba and everything should work ok.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
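
The checks Kostas Kalevras gives across this thread (range-start must not exceed range-stop, each ippool instance is listed by its instance name in authorize and accounting and after files, and Pool-Name is set with '=' or ':=' to a defined instance) can be run mechanically before starting the server. The Python linter below is an added example, not part of the original posts or of FreeRADIUS; its parser, finding codes and sample configuration are constructed for illustration and cover only the simple block syntax quoted in these messages.

```python
import ipaddress
import re

# Constructed sample input, modelled on the configurations posted in the thread.
RADIUSD_CONF = """\
ippool prueba {
    range-start = 10.170.201.1
    range-stop = 10.170.200.254
}
ippool cientes {
    range-start = 172.25.6.2
    range-stop = 172.25.6.255
}
authorize {
    preprocess
    files
    ippool
    chap
}
accounting {
    detail
    ippool
}
"""
USERS = 'DEFAULT Auth-Type := Local, User-Password == "", Pool-Name = "clientes"\n'

POOL_NAME_RE = re.compile(r'Pool-Name\s*(==|!=|:=|=)\s*"([^"]*)"')


def parse_conf(text):
    """Return ({instance: {key: value}}, {section: [modules listed at top level]})."""
    pools, sections, stack = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            words = line[:-1].split() or ["?"]
            kind, name = words[0], words[-1]   # "ippool {" -> instance "ippool"
            if stack and stack[0][0] in ("authorize", "accounting"):
                if len(stack) == 1:            # "prueba { ok = return }" is a listing
                    sections[stack[0][0]].append(kind)
            elif kind == "ippool":
                pools[name] = {}
            elif not stack:
                sections[kind] = []
            stack.append((kind, name))
        elif line == "}":
            if stack:
                stack.pop()
        elif stack and stack[-1][0] == "ippool" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            pools[stack[-1][1]][key] = value
        elif len(stack) == 1 and stack[0][0] in sections and "=" not in line:
            sections[stack[0][0]].append(line)
    return pools, sections


def lint(conf_text, users_text):
    """Return sorted (code, detail) findings for the mistakes discussed in the thread."""
    pools, sections = parse_conf(conf_text)
    findings = []
    for name, cfg in pools.items():
        try:
            start = ipaddress.IPv4Address(cfg["range-start"])
            stop = ipaddress.IPv4Address(cfg["range-stop"])
        except (KeyError, ValueError):
            findings.append(("bad-range", name))
            continue
        if start > stop:                       # rejected at module instantiation
            findings.append(("range-order", name))
    for section in ("authorize", "accounting"):
        listed = sections.get(section, [])
        if "ippool" in listed and "ippool" not in pools:
            findings.append(("module-name-listed", section))
        for name in pools:
            if name not in listed:
                findings.append(("not-listed", f"{name}:{section}"))
            elif (section == "authorize" and "files" in listed
                  and listed.index(name) < listed.index("files")):
                findings.append(("before-files", name))
    for line in users_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for op, value in POOL_NAME_RE.findall(line):
            if op in ("==", "!="):             # compared, not set as a check item
                findings.append(("pool-name-compared", value))
            if value not in pools:
                findings.append(("unknown-pool", value))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in lint(RADIUSD_CONF, USERS):
        print(f"{code}: {detail}")
```
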



Re: ip pool again

2002-08-14 Thread Guillermo Schimmel

Kostas Kalevras wrote:

>On Wed, 14 Aug 2002, Guillermo Schimmel wrote:
>
>  
>
>>Yes, I have done so.
>>
>>Is this output OK? (The noop part)
>>
>>modcall: entering group authorize
>>  modcall[authorize]: module "preprocess" returns ok
>>  modcall[authorize]: module "files" returns notfound
>>  modcall[authorize]: module "ippool" returns noop
>>rlm_chap: Could not find proper Chap-Password attribute in request
>>  modcall[authorize]: module "chap" returns noop
>>modcall: entering group group
>>
>>Where else should I look?
>>
>>
>
>Please post the authorize and accounting sections of your radiusd.conf
>  
>
authorize {
preprocess
files
ippool
chap
group {
 ldap1 {
 fail = 1
 notfound = 2
 noop = return
 ok = return
 updated  = return
 reject   = return
 userlock = return
 invalid  = return
 handled  = return
}
 ldap2 {
 fail = 1
 notfound = 2
 noop = return
 ok   = return
 updated  = return
 reject   = return
 userlock = return
 invalid  = return
 handled  = return
}
}
}

accounting {
acct_unique
detail
sql
ippool
}

>  
>
>>Is there any documentation for the ippool module?
>>
>>
>
>Apart from the comments in the configuration file, no.
>
>--
>Kostas Kalevras Network Operations Center
>[EMAIL PROTECTED]  National Technical University of Athens, Greece
>Work Phone: +30 10 7721861
>'Go back to the shadow' Gandalf
>
>
>- 
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>  
>




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: ip pool again

2002-08-14 Thread Kostas Kalevras

On Wed, 14 Aug 2002, Guillermo Schimmel wrote:

> Yes, I have done so.
>
> Is this output OK? (The noop part)
>
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "files" returns notfound
>   modcall[authorize]: module "ippool" returns noop
> rlm_chap: Could not find proper Chap-Password attribute in request
>   modcall[authorize]: module "chap" returns noop
> modcall: entering group group
>
> Where else should I look?

Please post the authorize and accounting sections of your radiusd.conf

>
> Is there any documentation for the ippool module?

Apart from the comments in the configuration file, no.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: ip pool again

2002-08-14 Thread Guillermo Schimmel

Kostas Kalevras wrote:

>On Tue, 13 Aug 2002, Guillermo Schimmel wrote:
>
>  
>
>>It still doesn't work.
>>
>>
>>
>>>Hi list:
>>>
>>>   I'm starting the tests with the ippool module.
>>>
>>>   I added this line on the users file:
>>>
>>>DEFAULT NAS-IP-Address == "10.169.255.11",  Auth-Type :=
>>>Accept, Pool-Name := "prueba"
>>>
>>>   And created an IP pool:
>>>
>>>ippool prueba {
>>>   range-start = 10.170.200.1
>>>   range-stop =  10.170.200.254
>>>   netmask = 255.255.255.0
>>>   cache-size = 800
>>>   session-db = /raddb/db.ippool
>>>   ip-index = /raddb/db.ipindex
>>>}
>>>
>>>  
>>>
>>I can start the server and it works ok, but it doesn't reply with
>>the Framed-IP-Address attribute.
>>
>>
>>
>>>   What am I doing wrong?
>>>
>>>   I'm sorry if this is ANOTHER stupid question.
>>>
>>>   Thanks a lot for your time.
>>>
>>>
>>>Guillermo
>>>  
>>>
>
>Have you added the module in the authorize and accounting sections in
>radiusd.conf? Make sure also that ippool comes after the files module in the
>authorize section.
>  
>
Yes, I have done so.

Is this output OK? (The noop part)

modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "files" returns notfound
  modcall[authorize]: module "ippool" returns noop
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
modcall: entering group group

Where else should I look?

Is there any documentation for the ippool module?


Thanks


Guillermo







>--
>Kostas Kalevras Network Operations Center
>[EMAIL PROTECTED]  National Technical University of Athens, Greece
>Work Phone: +30 10 7721861
>'Go back to the shadow' Gandalf
>
>
>- 
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>  
>




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: ip pool again

2002-08-13 Thread Kostas Kalevras

On Tue, 13 Aug 2002, Guillermo Schimmel wrote:

> It still doesn't work.
>
> >
> > Hi list:
> >
> >I'm starting the tests with the ippool module.
> >
> >I added this line on the users file:
> >
> > DEFAULT NAS-IP-Address == "10.169.255.11",  Auth-Type :=
> > Accept, Pool-Name := "prueba"
> >
> >And created an IP pool:
> >
> > ippool prueba {
> >range-start = 10.170.200.1
> >range-stop =  10.170.200.254
> >netmask = 255.255.255.0
> >cache-size = 800
> >session-db = /raddb/db.ippool
> >ip-index = /raddb/db.ipindex
> > }
> >
> I can start the server and it works ok, but it doesn't reply with
> the Framed-IP-Address attribute.
>
> >What am I doing wrong?
> >
> >I'm sorry if this is ANOTHER stupid question.
> >
> >Thanks a lot for your time.
> >
> >
> > Guillermo

Have you added the module in the authorize and accounting sections in
radiusd.conf? Make sure also that ippool comes after the files module in the
authorize section.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



SOLVED: Sorry: Re: ip pool: Unknown attribute Pool-Name

2002-08-13 Thread Guillermo Schimmel

I'm sorry.
This was really stupid.

I was using the old dictionary file, from fr 0.4.



Guillermo Schimmel wrote:

>
> Hi list:
>
>I'm starting the tests with the ippool module.
>
>I added this line on the users file:
>
> DEFAULT NAS-IP-Address == "10.169.255.11",  Auth-Type := 
> Accept, Pool-Name := "prueba"
>
>And created an IP pool:
>
> ippool prueba {
>range-start = 10.170.200.1
>range-stop =  10.170.200.254
>netmask = 255.255.255.0
>cache-size = 800
>session-db = /raddb/db.ippool
>ip-index = /raddb/db.ipindex
> }
>
>Now, when I start the server it says:
>
> /usr/local/etc/raddb/users[144]: Parse error (check) for entry 
> DEFAULT: Unknown attribute Pool-Name
>
>What am I doing wrong?
>
>I'm sorry if this is a stupid question, but I have looked in the 
> docs and in the list and can't find any hint.
>
>Thanks a lot for your time.
>
>
> Guillermo
>
>
>
>
>
>
> - List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
>




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IP POOL

2002-04-12 Thread Jacobo González Simón

Ok, i found rlm_ippool.

can i use it with ldap authentication?
how?

Thanks


Jacobo González Simón wrote:
> 
> Hi all,
> 
> I´m testing freeradius and ldap( with radtest utility, i have not
> another ras server that one is running with another radius ), and it
> seems to work fine. Now the problem:
> 
> I had read in users file this:
> 
> #
> # Set up different IP address pools for the terminal servers.
> # Note that the "+" behind the IP address means that this is the "base"
> # IP address. The Port-Id (S0, S1 etc) will be added to it.
> #
> #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"
> #   Framed-IP-Address = 192.168.1.32+,
> #   Fall-Through = Yes
> 
> #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"
> #   Framed-IP-Address = 192.168.2.32+,
> #   Fall-Through = Yes
> 
> and in my ldap base i have an entry:
> 
> dn: uid=pepe,ou=miembros,dc=midominio.es,o=miempresa
> objectclass: person
> objectclass: radiusprofile
> cn: JOSE
> uid: pepe
> radiusServiceType: Framed-User
> radiusFramedProtocol: PPP
> radiusFramedIPAddress: 192.168.254.1+
> radiusFramedIPNetmask: 255.255.255.255
> .
> .
> .
> .
> .
> .
> .
> 
> Well, which is the limit for dynamic IP address?
> 
> 192.168.254.1+ meaning that all of 192.168.254.0/255.255.255.0 is
> available for dynamic ip?
> 
> I need delimit my pool to few ips, how can i do it?
> 
> Thanks at all, and sorry for my poor english
> 
> Jacobo
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IP POOL

2002-04-10 Thread Chris Parker

At 06:14 PM 4/10/2002 +0200, Jacobo González Simón wrote:
>Hello again,
>
>  i have freeradius-0.5 from freeradius.org and i haven´t
>src/modules/rlm_ippool, where can i find it?

CVS, or one of the nightly builds.  It has been added since the 0.5
release.

-Chris
--
\\\|||///  \  StarNet Inc.  \Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IP POOL

2002-04-10 Thread Jacobo González Simón

Hello again,

 i have freeradius-0.5 from freeradius.org and i haven´t 
src/modules/rlm_ippool, where can i find it?

Thanks

Kostas Kalevras wrote:
> 
> On Mon, 8 Apr 2002, Jacobo González Simón wrote:
> 
> > Thanks for your reply but i don't understand you.
> >
> > I haven´t rlm_ippool module.
> >
> > Kostas Kalevras wrote:
> >
> > >
> > > Try the rlm_ippool module. It will do your job just fine. Check out the
> > > comments in radiusd.conf.
> >  > > rlm_counter module and do s/counter/ippool.
> > ??
> > Where do i copy Makefile?
> >
> > what´s s/counter/ippool?
> >
> > Thanks, Jacobo
> 
> Check out the latest cvs for the rlm_ippool module.
> You will have to copy the Makefile in src/modules/rlm_ippool
> s/counter/ippool means replace all occurrences of the word counter in the
> makefile with ippool.
> 
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED]  National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IP POOL

2002-04-08 Thread Kostas Kalevras

On Mon, 8 Apr 2002, Jacobo González Simón wrote:

> Thanks for your reply but i don't understand you.
>
> I haven´t rlm_ippool module.
>
> Kostas Kalevras wrote:
>
> >
> > Try the rlm_ippool module. It will do your job just fine. Check out the
> > comments in radiusd.conf.
>  > rlm_counter module and do s/counter/ippool.
> ??
> Where do i copy Makefile?
>
> what´s s/counter/ippool?
>
> Thanks, Jacobo

Check out the latest cvs for the rlm_ippool module.
You will have to copy the Makefile in src/modules/rlm_ippool
s/counter/ippool means replace all occurrences of the word counter in the
makefile with ippool.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IP POOL

2002-04-08 Thread Jacobo González Simón

Thanks for your reply but i don't understand you.

I haven´t rlm_ippool module. 

Kostas Kalevras wrote:

> 
> Try the rlm_ippool module. It will do your job just fine. Check out the
> comments in radiusd.conf. 
 rlm_counter module and do s/counter/ippool.
??
Where do i copy Makefile?

what´s s/counter/ippool?

Thanks, Jacobo


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IP POOL

2002-04-06 Thread Kostas Kalevras

On Tue, 2 Apr 2002, Jacobo González Simón wrote:

> Hi all,
>
> I´m testing freeradius and ldap( with radtest utility, i have not
> another ras server that one is running with another radius ), and it
> seems to work fine. Now the problem:
>
> I had read in users file this:
>
> #
> # Set up different IP address pools for the terminal servers.
> # Note that the "+" behind the IP address means that this is the "base"
> # IP address. The Port-Id (S0, S1 etc) will be added to it.
> #
> #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"
> #   Framed-IP-Address = 192.168.1.32+,
> #   Fall-Through = Yes
>
> #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"
> #   Framed-IP-Address = 192.168.2.32+,
> #   Fall-Through = Yes
>
>
> and in my ldap base i have an entry:
>
> dn: uid=pepe,ou=miembros,dc=midominio.es,o=miempresa
> objectclass: person
> objectclass: radiusprofile
> cn: JOSE
> uid: pepe
> radiusServiceType: Framed-User
> radiusFramedProtocol: PPP
> radiusFramedIPAddress: 192.168.254.1+
> radiusFramedIPNetmask: 255.255.255.255
> .
> .
> .
> .
> .
> .
> .
>
> Well, which is the limit for dynamic IP address?
>
> 192.168.254.1+ meaning that all of 192.168.254.0/255.255.255.0 is
> available for dynamic ip?
>
> I need delimit my pool to few ips, how can i do it?
>
> Thanks at all, and sorry for my poor english
>
> Jacobo

Try the rlm_ippool module. It will do your job just fine. Check out the
comments in radiusd.conf. If it does not compile copy the Makefile from the
rlm_counter module and do s/counter/ippool.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html