Failure: rlm_eap_tls requires: (openssl/ssl.h) libcrypto libssl
Hi FreeRadius users,

I've got a problem while compiling rlm_eap_tls on Solaris. It seems that several users have encountered the same problem since I saw many related posts on the mailing-list. My openssl is well installed. I've checked /usr/local/ssl/include and /usr/local/ssl/lib and it's ok. I've tried to configure rlm_eap with options:

    ./configure --with-openssl-includes=/usr/local/ssl/include --with-opensll-librairies=/usr/local/ssl/lib

but still the same errors:

    checking for openssl/ssl.h... no
    checking for DH_new in -lcrypto... no
    checking for SSL_new in lssl... no
    ...
    configure: warning: silently nont building rlm_eap_tls.
    configure: warning: FAILURE: rlm_eap_tls requires: (openssl/ssl.h) libcrypto libssl.

Does someone know how to fix this problem?

Thanks a lot
Patrice

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Choosing Free Radius (beta?)
On Mar 1, 2004, at 20:05, Matt Bailey wrote:

> I am currently trying to choose a radius server to evaluate for use.
> It appears that free radius is going to replace cistron since cistron
> development has slowed to maintenance.
>
> Is the current Free Radius server a viable solution?
>
> When will a 'non-beta' version be available?
>
> Is anyone using Free Radius in production environment successfully?
>
> Thanks for any information, I am having a difficult time finding good
> comparisons of GPL radius servers.

I recently switched from Cistron to version 0.9.3. It has worked very well, but the configuration is quite a bit different from Cistron. There are many more options and ways to set things up than Cistron ever had. I found that the documentation was easy to follow once you understand it. Help is available here which I found necessary.
Passing back LDAP Values
Hi All

I want FreeRadius to include with the Access-Accept packet that it sends back some information that it reads from our LDAP directory (which is authenticating our users based on 3 values that could be contained in an attribute at the moment). Is this possible?

I did set up (in ldap.attrmap)

    replyItem testAtr allowedhosts

which shows (during user authentication session in a debug load of radiusd):

    rlm_ldap: Adding allowedhosts as testAtr, value modempool1 & op=11
    rlm_ldap: Adding allowedhosts as testAtr, value modempool2 & op=11

but the test program (NTRadPing Test Utility) is not showing that the testAtr is being passed back. Any ideas?

Thanks
Paul
Re: Choosing Free Radius (beta?)
I have been using freeradius in a production environment for a year and a half without a flaw. Success rate has been about 95%; the other 5% were due to configuration changes that needed tuning. If you would like more details you can email me directly. [EMAIL PROTECTED]

----- Original Message -----
From: "Matt Bailey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 01, 2004 10:05 PM
Subject: Choosing Free Radius (beta?)

> I am currently trying to choose a radius server to evaluate for use.
> It appears that free radius is going to replace cistron since cistron
> development has slowed to maintenance.
>
> Is the current Free Radius server a viable solution?
>
> When will a 'non-beta' version be available?
>
> Is anyone using Free Radius in production environment successfully?
>
> Thanks for any information, I am having a difficult time finding good
> comparisons of GPL radius servers.
>
> Matt
Choosing Free Radius (beta?)
I am currently trying to choose a radius server to evaluate for use. It appears that free radius is going to replace cistron since cistron development has slowed to maintenance.

Is the current Free Radius server a viable solution?

When will a 'non-beta' version be available?

Is anyone using Free Radius in production environment successfully?

Thanks for any information, I am having a difficult time finding good comparisons of GPL radius servers.

Matt
Re: Customizing accounting KeepAlive Responses
kiel hedjam <[EMAIL PROTECTED]> wrote:
> I would like to insert appropriate attributes into KeepAlive Responses.
> I tried to use an external script called from the acct_users file but it
> didn't work.

See the FAQ about statements like "it didn't work."

> The script is run but the returned A/V pairs seem to be ignored by
> the server, so that a response is sent but without any attributes in
> it.

So... run the server in debugging mode.

You are also aware that other than VSA's, pretty much every attribute is forbidden by the RFC's to be in an accounting response packet?

Alan DeKok.
Customizing accounting KeepAlive Responses
Hi All,

I would like to insert appropriate attributes into KeepAlive Responses. I tried to use an external script called from the acct_users file but it didn't work. The script is run but the returned A/V pairs seem to be ignored by the server, so that a response is sent but without any attributes in it.

I didn't take a look yet at the source code to see if this functionality was available. Did I miss something or is there another way to do that?

thanks,
--
Kiel
Re: storing encrypted passwords if users are using PEAP
See the NT-Password attribute and the smbencrypt program for creating the necessary hashes.

--Mike

On Mon, 2004-03-01 at 16:54, kartzman wrote:
> hello,
>
> is it possible in the users file to use the Crypt-Password attribute (or
> anything else which stores an encrypted password) instead of the
> User-Password attribute (which requires storing the user's password in
> clear text) if the users are authenticating using PEAP (which I believe
> uses MS-CHAPv2)?
>
> bz

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
storing encrypted passwords if users are using PEAP
hello,

is it possible in the users file to use the Crypt-Password attribute (or anything else which stores an encrypted password) instead of the User-Password attribute (which requires storing the user's password in clear text) if the users are authenticating using PEAP (which I believe uses MS-CHAPv2)?

bz
Multiple realm syntaxes and NULL realm...
This issue has come up a couple times before in the list archives, but it does not appear to have been answered or fixed (only worked around): If a NULL realm is specified in proxy.conf, you may only have one rlm_realm instance in your config -- the first rlm_realm instance will proxy the request in all cases (to a realm or to NULL), causing any subsequent instances to ignore the request. This appears to be the case in both 0.9.3 and in CVS. The following patch to the latest CVS version fixes the behavior: if a request comes in with Realm = "NULL" it is treated as a non-proxied request. Additionally, pairreplace() is used to insert Realm information to prevent multiple Realm attributes. --- src/modules/rlm_realm/rlm_realm.c.orig Thu Feb 26 19:04:34 2004 +++ src/modules/rlm_realm/rlm_realm.c Mon Mar 1 20:21:22 2004 @@ -93,9 +93,12 @@ /* * Check for 'Realm' attribute. If it exists, then we've proxied * it already ( via another rlm_realm instance ) and should return. +* If we've proxied it to the "NULL" realm, this means none of +* the previous rlm_realm instances have found a realm. */ - if ( (vp = pairfind(request->packet->vps, PW_REALM)) != NULL ) { + if ( (vp = pairfind(request->packet->vps, PW_REALM)) != NULL && +strcmp(vp->strvalue, "NULL") ) { DEBUG2("rlm_realm: Request already proxied. Ignoring."); return NULL; } @@ -195,7 +198,7 @@ /* * Add the realm name to the request. */ - pairadd(&request->packet->vps, pairmake("Realm", realm->realm, + pairreplace(&request->packet->vps, pairmake("Realm", realm->realm, T_OP_EQ)); DEBUG2("rlm_realm: Adding Realm = \"%s\"", realm->realm); 
@@ -282,7 +285,7 @@ /* * Add it, even if it's already present. */ - pairadd(vps, vp); + pairreplace(vps, vp); } /* -- Chris Mikkelson | Vampireware; n, a project capable of sucking the [EMAIL PROTECTED] | lifeblood out of anyone unfortunate enough to be | assigned to it which never actually sees the light | of day, but nonetheless refuses to die. ([EMAIL PROTECTED]) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
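Review bot: In the first hunk (@@ -93,9 +93,12), the new condition relies on the bare truthiness of strcmp(vp->strvalue, "NULL"); writing it as strcmp(vp->strvalue, "NULL") != 0 makes the intent (Realm is present and is something other than "NULL") explicit. The pass-through path is also silent: when Realm is "NULL" the code falls through without any DEBUG2 line, so a debug trace cannot show that a later rlm_realm instance picked the request up. A short DEBUG2 message there would help, and the first sentence of the comment ("If it exists, then we've proxied it already ... and should return") should be reworded, since it no longer holds for the "NULL" case.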
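Review bot: In the second hunk (@@ -195,7 +198,7), the result of pairmake("Realm", realm->realm, T_OP_EQ) goes straight into pairreplace() without a check. pairmake() returns NULL on failure, so either test the result before the call or state that pairreplace() tolerates a NULL pair. The old pairadd() call had the same shape, but this is the line being touched. The comment above it still reads "Add the realm name to the request"; "Set" would describe the new behaviour.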
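Review bot: In the third hunk (@@ -282,7 +285,7), the comment "Add it, even if it's already present." is left unchanged directly above pairreplace(vps, vp), and it now says the opposite of what the code does. Update the comment to say that an existing attribute of the same type is replaced. The visible lines do not show that vp is limited to Realm here, so the commit message should also say which attributes this replacement can affect.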
Forcing PEAP users to change passwords periodically
Is there anything in PEAP to force a user to change his/her password periodically? There is a rumor that the Cisco Radius server has a way (or protocol?) to make passwords expire and deal with the password change. Anyone know anything about this?

One thing we are considering doing is changing the authentication query on the mysql side of our freeradius server so it rejects if a password is too old. We would also then have to have some other mechanism to get in the changed password. However if there is an existing protocol or methodology, it would be better to hook into that.

Thoughts and comments?

Thanks.
Re: Multiple LDAP requests
thanks, I will look at it :)

Christopher

--- Alan DeKok <[EMAIL PROTECTED]> wrote:
> "C. de Minguine" <[EMAIL PROTECTED]> wrote:
> > I am investigating several RADIUS solutions to solve
> > our authorization problems. As we prefer using open
> > source products, FreeRADIUS crossed my search.
> > I have a small question concerning the LDAP search :
> > Can I write a "script" that says :
> > "if you cannot find this login/password in this LDAP,
> > go to this LDAP and search again (with a different
> > search pattern)"
>
> Configure two LDAP modules, and read doc/configurable_failover.
>
> Alan DeKok.
Re: Re[2]: how can i limit traffic use?
Alexander Lunyov <[EMAIL PROTECTED]> wrote:
> But, if I've understood it right, this module reflects only on
> logon process, I mean, it won't pass any attributes to NAS, it just
> rejects the user if the user's traffic is over, am I right? Still, radius
> has to return the traffic limit value to NAS (exppp), how can it (or I) do this?

Edit the module, or write an external script to track the usage, and enforce it.

Alan DeKok.
Re: NAS-IP-Address
Ruslan A Dautkhanov <[EMAIL PROTECTED]> wrote:
> Some of my NASes can send a different NAS-IP-Address attribute (any of
> its NIC's IP addresses). That's why I can't build simple acls (auth logic etc)
> based on this attribute - much easier using Client-IP-Address...
>
> Is there any method in FreeRADIUS server to substitute an attribute
> with another one (NAS-IP-ADDRESS := CLIENT_IP-ADDRESS)?

That's not a good idea, but it is possible. See the "hints" module.

Alan DeKok.
Re: Authenticate via rlm_pap/rlm_chap/rlm_mschap against external password
Anton Voronin <[EMAIL PROTECTED]> wrote:
> Well, then I guess, the problem is to replace User-Password,
> NT-Password and LM-Password in request->config_items pairlist (using
> some external module) at the authorization stage so that chained
> rlm_pap/rlm_chap/rlm_mschap modules could check against them during
> authentication stage, like this:

Huh? Why?

If the user supplies a PAP password (User-Password), and the server has only an NT/LM password, then the PAP module can do the authentication itself. This requires minor code changes to the module.

If the user supplies a CHAP password, and the server has only an NT/LM password, then the server CANNOT authenticate the user.

If the user supplies an MS-CHAP password, and the server has only an NT/LM password, then the MS-CHAP module already works.

In none of these cases is a complex fail-over configuration required.

Alan DeKok.
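The PAP and CHAP cases in the reply above, together with the NT-Password hash from the earlier PEAP reply, as an added Python example (not FreeRADIUS code and not code from any poster): PAP delivers the cleartext to the server, so it can be re-hashed and compared with a stored NT hash, while a CHAP response is an MD5 over the cleartext and cannot be checked from the hash. The dictionary keys reuse the attribute names from the thread; the secret, authenticator, challenge and password are constructed values, and MS-CHAP is left out because it additionally needs DES.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

# Per round (RFC 1320): boolean function, additive constant, shifts, word order.
_ROUNDS = (
    (lambda b, c, d: (b & c) | (~b & d), 0, (3, 7, 11, 19), tuple(range(16))),
    (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5A827999, (3, 5, 9, 13),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (lambda b, c, d: b ^ c ^ d, 0x6ED9EBA1, (3, 9, 11, 15),
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)

def md4(data):
    """Pure-Python MD4; hashlib's md4 is often unavailable with OpenSSL 3."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in _ROUNDS:
            for i, k in enumerate(order):
                t = (a + func(b, c, d) + x[k] + const) & MASK
                a, b, c, d = d, _rol(t, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password):
    """NT-Password value: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))

def pap_hide(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding, as done by the NAS."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide: the RADIUS server recovers the cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(p ^ q for p, q in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """RFC 1994: MD5(identifier || cleartext password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def verify_pap(cleartext, stored):
    """stored maps attribute name -> value for one user. None = cannot check."""
    if "NT-Password" in stored:
        candidate = nt_hash(cleartext.decode("utf-8", "replace"))
        return hmac.compare_digest(candidate, stored["NT-Password"])
    if "User-Password" in stored:
        return hmac.compare_digest(cleartext, stored["User-Password"])
    return None

def verify_chap(chap_id, challenge, response, stored):
    """Returns None when the stored form cannot be used to check CHAP at all."""
    if "User-Password" not in stored:
        return None  # an NT hash is not the MD5 input, nothing to recompute
    expected = chap_response(chap_id, stored["User-Password"], challenge)
    return hmac.compare_digest(expected, response)

# Constructed sample values (not from the thread).
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))
CHALLENGE = bytes(range(16, 32))
HASH_ONLY = {"NT-Password": nt_hash("password")}
CLEARTEXT = {"User-Password": b"password"}

def demo():
    wire = pap_hide(b"password", SECRET, AUTHENTICATOR)
    typed = pap_reveal(wire, SECRET, AUTHENTICATOR)
    resp = chap_response(7, b"password", CHALLENGE)
    return {
        "pap_vs_nt_hash": verify_pap(typed, HASH_ONLY),
        "pap_wrong_password": verify_pap(b"letmein", HASH_ONLY),
        "chap_vs_nt_hash": verify_chap(7, CHALLENGE, resp, HASH_ONLY),
        "chap_vs_cleartext": verify_chap(7, CHALLENGE, resp, CLEARTEXT),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```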
Re: Multiple LDAP requests
"C. de Minguine" <[EMAIL PROTECTED]> wrote:
> I am investigating several RADIUS solutions to solve
> our authorization problems. As we prefer using open
> source products, FreeRADIUS crossed my search.
> I have a small question concerning the LDAP search :
> Can I write a "script" that says :
> "if you cannot find this login/password in this LDAP,
> go to this LDAP and search again (with a different
> search pattern)"

Configure two LDAP modules, and read doc/configurable_failover.

Alan DeKok.
Column Descriptions for RADACCT table
Hi All,

If someone has got knowledge, could you please reply to me about the columns in the RADACCT table? I need information for the columns marked as ???

TABLE `radacct`
`RadAcctId`
`AcctSessionId`
`AcctUniqueId`
`UserName`
`Realm` ???
`NASIPAddress`
`NASPortId` ???
`NASPortType`
`AcctStartTime`
`AcctStopTime`
`AcctSessionTime`
`AcctAuthentic` ???
`ConnectInfo_start` ???
`ConnectInfo_stop` ???
`AcctInputOctets`
`AcctOutputOctets`
`CalledStationId`
`CallingStationId` ???
`AcctTerminateCause`
`ServiceType` ???
`FramedProtocol`
`FramedIPAddress`
`AcctStartDelay` ???
`AcctStopDelay` ???

Thanks in advance,
Sagar Patil
Re: Authorize section
"Ross Reed" <[EMAIL PROTECTED]> wrote:
> I have an entry in the users file that checks for anything coming
> from that number, if it does give them certain reply attributes, but
> the problem being is, it continues down the line and checks the sql
> section ( giving the reply attributes I don't want them to have
> yet). I need it to check the files, if it matches, stop everything.

doc/configurable_failover

Read the version in the latest CVS, though. The one in 0.9.3 is completely opaque to the average human (including me.)

Alan DeKok.
RE: Group configuration ( Portuguese-Brazil )
Today I already determine who can access the equipment through the radius server. I thought it was possible to determine which equipment the user can access.

Fábio Oliveira dos Santos

-----Original message-----
From: Sérgio José Ferreira [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 2:38 PM
To: [EMAIL PROTECTED]
Subject: RE: Group configuration ( Portuguese-Brazil )

> Fábio,
>
> It will not be possible to do that with radius. What you want is more
> related to a firewall than to a radius server.
>
> Regards,
> Sérgio
> WGO Internet
>
> -----Original message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Fabio Oliveira dos Santos - Claro RJ -
> Sent: Monday, March 1, 2004 13:47
> To: '[EMAIL PROTECTED]'
> Subject: RE: Group configuration ( Portuguese-Brazil )
>
> > Actually, I want a given group of users to access only certain network
> > equipment. That way I can have users who access all equipment and users
> > who access only the equipment in their area. I think it is possible, I
> > just haven't figured out how yet.
> >
> > Fábio Oliveira dos Santos
> >
> > -----Original message-----
> > From: Sérgio José Ferreira [mailto:[EMAIL PROTECTED]
> > Sent: Monday, March 01, 2004 12:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Group configuration ( Portuguese-Brazil )
> >
> > > Fábio,
> > >
> > > Do you want, for example, to create a group and define access hours,
> > > is that it? Or that a given group only connects through a particular
> > > RAS? Explain it better so we can help you.
> > >
> > > Regards,
> > > Sérgio José Ferreira
> > > WGO Internet
> > >
> > > -----Original message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Fabio Oliveira dos Santos - Claro RJ -
> > > Sent: Monday, March 1, 2004 12:18
> > > To: '[EMAIL PROTECTED]'
> > > Subject: Group configuration.
> > >
> > > > Does anyone know whether it is possible to create access groups in
> > > > freeradius? I would like to create groups of users such that each
> > > > group has access restrictions to network elements.
> > > >
> > > > Regards,
> > > > Fábio

The content of this message is restricted and confidential, and its secrecy is protected by law. This information may not be disclosed without prior written authorization. If you are not the recipient of this message, or the person responsible for delivering it, delete it immediately and notify the sender by replying to this message. We warn that this message has travelled over a public communication network and is therefore subject to the risks inherent in this form of communication. CLARO is not responsible for conclusions, opinions, or other information in this message that are not related to its line of business.
Re: SSL problem
"Tom Rixom" <[EMAIL PROTECTED]> wrote:
> I am a bit new to FreeRadius and I am having the following problem:
>
> /usr/local/sbin/radiusd: relocation error:
> /usr/local/lib/rlm_eap_tls-1.0.0-pre0.so: undefined symbol:
> SSL_set_msg_callback
>
> I seem to remember this problem popping up before on this list... has
> anyone any ideas?

You've got two versions of OpenSSL installed, and are linking to an older one, rather than the newer one.

I *hate* OpenSSL. Incompatible changes in the API's across minor-minor version numbers is ridiculous.

Alan DeKok.
RE: Group configuration ( Portuguese-Brazil )
Fábio,

It will not be possible to do that with radius. What you want is more related to a firewall than to a radius server.

Regards,
Sérgio
WGO Internet

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Fabio Oliveira dos Santos - Claro RJ -
Sent: Monday, March 1, 2004 13:47
To: '[EMAIL PROTECTED]'
Subject: RE: Group configuration ( Portuguese-Brazil )

> Actually, I want a given group of users to access only certain network
> equipment. That way I can have users who access all equipment and users
> who access only the equipment in their area. I think it is possible, I
> just haven't figured out how yet.
>
> Fábio Oliveira dos Santos
>
> -----Original message-----
> From: Sérgio José Ferreira [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 01, 2004 12:23 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Group configuration ( Portuguese-Brazil )
>
> > Fábio,
> >
> > Do you want, for example, to create a group and define access hours,
> > is that it? Or that a given group only connects through a particular
> > RAS? Explain it better so we can help you.
> >
> > Regards,
> > Sérgio José Ferreira
> > WGO Internet
> >
> > -----Original message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Fabio Oliveira dos Santos - Claro RJ -
> > Sent: Monday, March 1, 2004 12:18
> > To: '[EMAIL PROTECTED]'
> > Subject: Group configuration.
> >
> > > Does anyone know whether it is possible to create access groups in
> > > freeradius? I would like to create groups of users such that each
> > > group has access restrictions to network elements.
> > >
> > > Regards,
> > > Fábio
Re: help about Accounting message
"Bruno JEREMIE" <[EMAIL PROTECTED]> wrote:
> I use freeradius and I want to know if it is possible to send
> Accounting_Start and Accounting_Stop messages with freeradius

See "radclient", which is included with the server.

Alan DeKok.
SSL problem
Hi all,

I am a bit new to FreeRadius and I am having the following problem:

    /usr/local/sbin/radiusd: relocation error: /usr/local/lib/rlm_eap_tls-1.0.0-pre0.so: undefined symbol: SSL_set_msg_callback

I seem to remember this problem popping up before on this list... has anyone any ideas?

I am using the latest snapshot, running debian with openssl 0.9.7c.

Thanks.
Tom.

log
---
rad_recv: Access-Request packet from host 192.168.0.37:1645, id=212, length=178
        User-Name = "[EMAIL PROTECTED]"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a9a.b517"
        Calling-Station-Id = "000d.28cf.f6c0"
        NAS-Port-Type = Wireless-802.11
        Message-Authenticator = 0xdf53dc0384592b660db0591d20c77a42
        EAP-Message = 0x020200060315
        NAS-Port-Type = Virtual
        NAS-Port = 255
        State = 0xb6497fecffe78ff2f5d27a7a7f287d0d
        Service-Type = Login-User
        NAS-IP-Address = 192.168.0.37
        NAS-Identifier = "ap1.alfa-ariss.com"
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: Looking up realm "alfa-ariss.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "alfa-ariss.com"
    rlm_realm: Adding Stripped-User-Name = "tom.rixom"
    rlm_realm: Proxying request from user tom.rixom to realm alfa-ariss.com
    rlm_realm: Adding Realm = "alfa-ariss.com"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched tom.rixom at 80
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
  rlm_eap: EAP-NAK asked for EAP-Type/ttls
  rlm_eap: processing type tls
/usr/local/sbin/radiusd: relocation error: /usr/local/lib/rlm_eap_tls-1.0.0-pre0.so: undefined symbol: SSL_set_msg_callback

> -----Original Message-----
> From: edward ver Vers [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 01, 2004 6:18 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PEAP using Pocket PC 2003
>
> Thanks for the info. Has anyone tried using a Non-root (CA) so
> you don't have to load a CA on to every PDA? The cert would
> reside on freeradius.
>
> Ed Ver Vers
>
> --- On Fri 02/27, Derek Orpen < [EMAIL PROTECTED] > wrote:
> From: Derek Orpen [mailto: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Date: Fri, 27 Feb 2004 13:21:26 -0800
> Subject: Re: PEAP using Pocket PC 2003
>
> Hi Ed,
>
> Yes I've done this. Make sure you get a recent snapshot of freeradius.
>
> Using the MS enrollment tool to get certs onto the PDA is a pain.
> Instead, I had success with the crtimprt utility:
> http://www.jacco2.dds.nl/networking/crtimprt.html
>
> I followed the instructions on the page including building
> and using the pvktool (to convert to a Microsoft
> proprietary format).
>
> - Derek
>
> On 27-Feb-2004 15:31 edward ver Vers wrote:
> | I want to be able to use 802.1X (PEAP) on my PDA running Pocket PC 2003
> | (free client that comes with the OS) to authenticate to my
> | wireless network. My wireless group tried using Funk's SBR
> | and found out it wouldn't work. Now they want to use my
> | FreeRadius server to accomplish this task. Has anyone out
> | there done this with FreeRadius?
> |
> | Ed Ver Vers
Re: PEAP using Pocket PC 2003
Thanks for the info. Has anyone tried using a Non-root (CA) so you don't have to load a CA on to every PDA? The cert would reside on freeradius.

Ed Ver Vers

--- On Fri 02/27, Derek Orpen < [EMAIL PROTECTED] > wrote:
From: Derek Orpen [mailto: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Fri, 27 Feb 2004 13:21:26 -0800
Subject: Re: PEAP using Pocket PC 2003

Hi Ed,

Yes I've done this. Make sure you get a recent snapshot of freeradius.

Using the MS enrollment tool to get certs onto the PDA is a pain. Instead, I had success with the crtimprt utility: http://www.jacco2.dds.nl/networking/crtimprt.html

I followed the instructions on the page including building and using the pvktool (to convert to a Microsoft proprietary format).

- Derek

On 27-Feb-2004 15:31 edward ver Vers wrote:
| I want to be able to use 802.1X (PEAP) on my PDA running Pocket PC 2003
| (free client that comes with the OS) to authenticate to my wireless
| network. My wireless group tried using Funk's SBR and found out it
| wouldn't work. Now they want to use my FreeRadius server to accomplish
| this task. Has anyone out there done this with FreeRadius?
|
| Ed Ver Vers
RE: Group configuration ( Portuguese-Brazil )
Actually, I want a given group of users to access only certain network equipment. That way I can have users who access all equipment and users who access only the equipment in their area. I think it is possible, I just haven't figured out how yet.

Fábio Oliveira dos Santos

-----Original message-----
From: Sérgio José Ferreira [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 12:23 PM
To: [EMAIL PROTECTED]
Subject: RE: Group configuration ( Portuguese-Brazil )

> Fábio,
>
> Do you want, for example, to create a group and define access hours,
> is that it? Or that a given group only connects through a particular
> RAS? Explain it better so we can help you.
>
> Regards,
> Sérgio José Ferreira
> WGO Internet
>
> -----Original message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Fabio Oliveira dos Santos - Claro RJ -
> Sent: Monday, March 1, 2004 12:18
> To: '[EMAIL PROTECTED]'
> Subject: Group configuration.
>
> > Does anyone know whether it is possible to create access groups in
> > freeradius? I would like to create groups of users such that each
> > group has access restrictions to network elements.
> >
> > Regards,
> > Fábio
Re[2]: pam-radius ?
Greetings,

I think you have what I need backwards. I need pam to authenticate against an external freeradius server.

On Mon, 1 Mar 2004 11:09:40 -0500 (EST) Sean O'Malley <[EMAIL PROTECTED]> wrote:
> IIRC (I had this set up and working but we had to opt for a different
> solution and I don't have a working configuration to use.)
>
> In your radiusd.conf
> you need the pam section uncommented
> the pam_auth = radiusd
>                ^
> this part needs to match up with your systems /etc/pam.d stuff
> like linux you need to create a radiusd file in /etc/pam.d/
> or on solaris in the /etc/pam.conf you need to add entries beginning with
> "radiusd" or it could be the "radius" in the users section. (I had them
> linked to each other which is probably bad =)
>
> in your "users" file you need:
>
> DEFAULT Auth-Type := Pam
>         pam-auth="radius",
>         Fall-Through = Yes
>
> > Greetings,
> > I need some help with pam-radius and freeradius. I have a server that I
> > need to do radius Auth from for access to certain programs. I tried
> > setting up pam-radius like the instructions state, but it keeps telling me
> > that the radius server has not been specified. I put the configuration
> > file where the instructions tell me to (/etc/raddb/server/pam.conf and
> > pam_radius_auth.conf) as well as trying some of the alternate locations
> > (/usr/local/etc) and it still doesn't detect it. Could someone point me to
> > the right location for this file?
> > Thank you in advance.
> >
> > --
> > ·William Ragsdale ·http://www.netonecom.net

--
·William Ragsdale ·http://www.netonecom.net ·Server Administrator ·Office Hours ·NetOne Communications, Inc. ·Work: 231-734-2917 10AM - 7PM ·2186 US 10 ·FAX: 231-734-6395 ·Sears, MI 49679
Re: pam-radius ?
IIRC (I had this set up and working but we had to opt for a different solution and I don't have a working configuration to use.)

In your radiusd.conf
you need the pam section uncommented
the pam_auth = radiusd
               ^
this part needs to match up with your system's /etc/pam.d stuff
like linux you need to create a radiusd file in /etc/pam.d/
or on solaris in the /etc/pam.conf you need to add entries beginning with "radiusd" or it could be the "radius" in the users section. (I had them linked to each other which is probably bad =)

in your "users" file you need:

DEFAULT Auth-Type := Pam
        pam-auth="radius",
        Fall-Through = Yes

> Greetings,
> I need some help with pam-radius and freeradius. I have a server that I
> need to do radius Auth from for access to certain programs. I tried
> setting up pam-radius like the instructions state, but it keeps telling me
> that the radius server has not been specified. I put the configuration
> file where the instructions tell me to (/etc/raddb/server/pam.conf and
> pam_radius_auth.conf) as well as trying some of the alternate locations
> (/usr/local/etc) and it still doesn't detect it. Could someone point me to
> the right location for this file?
> Thank you in advance.
>
> --
> ·William Ragsdale ·http://www.netonecom.net
Re: Fwd: eap_tls on cisco 1100 with xp and linux
basile,

in your log below you can see that radiusd is sending an access accept. so, anything is fine for the radius server. since this is the case, i think your problem is unrelated to FR...

also, this config has been set up and discussed several times over the list...

i think i can help you with your EAP/TLS, CiscoAP, etc. issues directly, if you want. as i said, it works here since quite a while. so mail me directly and explain the problem if you want.

regards
artur

    Sending Access-Accept of id 42 to :21645
        MS-MPPE-Recv-Key = 0x04b281fa84f6084e5cb1c4144548cc0a9dd1ab2d0225f43bdf4af8a1bfca891a
        MS-MPPE-Send-Key = 0x7f2ea4d7e04917986577f337e3515e5cfbcbc9af30e372892fd1c9ecc800287a
        EAP-Message = 0x03050004
        Message-Authenticator = 0x
        User-Name = "sentinelle"
pam-radius ?
Greetings,

I need some help with pam-radius and freeradius. I have a server that I need to do radius Auth from for access to certain programs. I tried setting up pam-radius like the instructions state, but it keeps telling me that the radius server has not been specified. I put the configuration file where the instructions tell me to (/etc/raddb/server/pam.conf and pam_radius_auth.conf) as well as trying some of the alternate locations (/usr/local/etc) and it still doesn't detect it. Could someone point me to the right location for this file?

Thank you in advance.

--
·William Ragsdale ·http://www.netonecom.net
Re: Windows XP PEAP and FreeRadius Authorization
Pavol, Alan,

Regarding:

> I don't think there's much you can do on the server to fix a broken
> client.

I did some more debugging and found a problem: There was no specific bind address of the radius server. The AP sent authentication request to IP1 and received authentication reply from IP2, and of course did not accept it. I set bind address in radiusd.conf and everything is running fine. The built-in client in Windows XP is running fine. Check this if you have more than one address on the server host.

Nedialko
RE: Group configuration (Portuguese-Brazil)
Fábio,

Do you want, for example, to create a group and define its access hours, is that it? Or to have a given group access only through a particular RAS? Explain it better so we can help you.

Regards,
Sérgio José Ferreira
WGO Internet

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Fabio Oliveira dos Santos - Claro RJ
Sent: Monday, 1 March 2004 12:18
To: '[EMAIL PROTECTED]'
Subject: Group configuration.

Does anyone know whether it is possible to create access groups in freeradius? I would like to create user groups so that each group has restrictions on access to network elements.

Regards,
Fábio
Group configuration.
Does anyone know whether it is possible to create access groups in freeradius? I would like to create user groups so that each group has restrictions on access to network elements.

Regards,
Fábio
Fwd: eap_tls on cisco 1100 with xp and linux
Date: Mon, 01 Mar 2004 15:38:46 +0100
To: [EMAIL PROTECTED]
From: Basile Mathieu <[EMAIL PROTECTED]>
Subject: eap_tls on cisco 1100 with xp and linux

i have
a cisco AP 1100
laptop under xp and linux redhat 7.3
a freeradius server

i want the eap_tls method for authenticate
here are the freeradius config files, the ap (cisco 1100) config file and the xsupplicant config files
nothing works
if someone can tell me what is wrong, i became crazy
thanks a lot
basile mathieu

ps i did not put the radiusd.conf because my mail was rejected

Radius is the log when the xp laptop try to connect
when the laptop under linux redhat 7.3 try to connect nothing happens (the start EAPOL packet has destination 44:44:44:44:44:44)
the wifi card on the laptop are cisco 350 series pcmcia
i use http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm to generate the certificates and configure xp

    #
    # clients.conf - client configuration directives
    #
    ###
    ###
    #
    # Definition of a RADIUS client (usually a NAS).
    #
    # The information given here over rides anything given in the
    # 'clients' file, or in the 'naslist' file. The configuration here
    # contains all of the information from those two files, and allows
    # for more configuration items.
    #
    # The "shortname" is be used for logging. The "nastype", "login" and
    # "password" fields are mainly used for checkrad and are optional.
    #
    #
    # Defines a RADIUS client. The format is 'client [hostname|ip-address]'
    #
    # '127.0.0.1' is another name for 'localhost'. It is enabled by default,
    # to allow testing of the server after an initial installation. If you
    # are not going to be permitting RADIUS queries from localhost, we suggest
    # that you delete, or comment out, this entry.
    #
    client 127.0.0.1 {
        #
        # The shared secret use to "encrypt" and "sign" packets between
        # the NAS and FreeRADIUS. You MUST change this secret from the
        # default, otherwise it's not a secret any more!
        #
        # The secret can be any string, up to 32 characters in length.
        #
        secret = testing123

        #
        # The short name is used as an alias for the fully qualified
        # domain name, or the IP address.
        #
        shortname = localhost

        #
        # the following three fields are optional, but may be used by
        # checkrad.pl for simultaneous use checks
        #

        #
        # The nastype tells 'checkrad.pl' which NAS-specific method to
        # use to query the NAS for simultaneous use.
        #
        # Permitted NAS types are:
        #
        # cisco
        # computone
        # livingston
        # max40xx
        # multitech
        # netserver
        # pathras
        # patton
        # portslave
        # tc
        # usrhiper
        # other # for all other types
        #
        nastype = other # localhost isn't usually a NAS...

        #
        # The following two configurations are for future use.
        # The 'naspasswd' file is currently used to store the NAS
        # login name and password, which is used by checkrad.pl
        # when querying the NAS for simultaneous use.
        #
    #   login = !root
    #   password= someadminpas
    }

    #client some.host.org {
    #   secret = testing123
    #   shortname = localhost
    #}

    #
    # You can now specify one secret for a network of clients.
    # When a client request comes in, the BEST match is chosen.
    # i.e. The entry from the smallest possible network.
    #
    client /24 {
        secret = basile
        shortname = borne_siris
        nastype = other
    }
    #
    #client 192.168.0.0/16 {
    #   secret = testing123-2
    #   shortname = private-network-2
    #}

    client 0/24 {
        secret = basile
        shortname = borne_siris
        nastype = other
    }

    #client 10.10.10.10 {
    #   # secret and password are mapped through the "secrets" file.
    #   secret = testing123
    #   shortname = liv1
    #   # the following three fields are optional, but may be used by
    #   # checkrad.pl for simultaneous usage checks
    #   nastype = livingston
    #   login = !root
    #   password= someadminpas
    #}

    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
    main: prefix = "/usr/local"
    main: localstatedir = "/usr/local/var"
    main: logdir = "/usr/local/var/log/radius"
    main: libdir = "/usr/local/lib"
    main: radacctdir = "/usr/local/var/log/radius/radacct"
    main: h
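The comments in the clients.conf above say the default secret must be changed. The following is an added example, not part of the original post or of FreeRADIUS, that parses a file in that layout and reports clients still on the default secret, on a short secret, or sharing a secret with another client. The sample file, its addresses and secrets, and the 16-character minimum are assumptions made for the example.

```python
import re
from collections import defaultdict

DEFAULT_SECRETS = {"testing123"}  # default secret shown in the posted file
MIN_SECRET_LEN = 16               # assumed local policy, not a FreeRADIUS rule

# Constructed sample in the clients.conf layout; addresses and secrets are made up.
SAMPLE = """\
client 127.0.0.1 {
    secret = testing123
    nastype = other   # localhost isn't usually a NAS...
}
#client some.host.org {
#    secret = testing123
#}
client 192.0.2.0/24 {
    secret = apsecret
}
client 198.51.100.0/24 {
    secret = apsecret
}
client 203.0.113.7 {
    secret = 7hK2q9ZrLm4xVb8TnE3w
}
"""

def parse_clients(text):
    """Return {client name: {key: value}} for every uncommented client block."""
    clients, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        if not line:
            continue
        start = re.match(r"client\s+(\S+)\s*\{$", line)
        if start:
            current = clients.setdefault(start.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return clients

def audit(clients):
    """Return sorted (client, finding) pairs; the secret itself is never echoed."""
    findings, users = [], defaultdict(list)
    for name, cfg in clients.items():
        secret = cfg.get("secret")
        if not secret:
            findings.append((name, "no secret set"))
            continue
        users[secret].append(name)
        if secret in DEFAULT_SECRETS:
            findings.append((name, "default secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "secret shorter than %d characters" % MIN_SECRET_LEN))
    for names in users.values():
        if len(names) > 1:
            findings.extend((n, "secret shared by %d clients" % len(names)) for n in names)
    return sorted(findings)

if __name__ == "__main__":
    for client, finding in audit(parse_clients(SAMPLE)):
        print(client, "-", finding)
```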
Re: Fw: dynamic wep keys in windows xp
On Mon, 2004-03-01 at 04:28, Alejandro Martínez Marcos wrote:
> Hello,
>
> i am working with freeradius and windows XP, using EAP-TLS and
> dynamic wep keys. Do you know how I can check in Windows XP if the
> new wep keys are set? I would like to verify that the wep key is
> changing, but i don't know how to see the wep key in windows.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifitrbl.mspx

See the section titled "Tracing".

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
help about Accounting message
Hello,

I use freeradius and I want to know if it is possible to send Accounting_Start and Accounting_Stop messages with freeradius.

I have to send Accounting_Start and Accounting_Stop messages to a Cisco router named CSG in order to start the billing. Then, it is necessary to send Accounting_Start message with the ip address of the client.

In order to do this, I use NTRadPing, a radius simulator, but I have to do it with freeradius. Can I do it with freeradius?

Thank you
Bruno
Fw: dynamic wep keys in windows xp
Hello,

i am working with freeradius and windows XP, using EAP-TLS and dynamic wep keys. Do you know how I can check in Windows XP if the new wep keys are set? I would like to verify that the wep key is changing, but i don't know how to see the wep key in windows.

Could you also tell me a wireless forum, chat, etc. where I can ask general questions about wireless, like channel issues, traffic, range, etc?

thx
Alejandro
Re: how can i limit traffic use?
hi

> Well, i'm using exppp (http://shs.sumy.ua/, but it's in russian) on
> FreeBSD box, and exppp understands his own attributes
> (Exppp-Traffic-Limit and such), and i think it can kick user when
> traffic exceeds. How can freeradius tell exppp, how much octets
> user have for session? I mean, if all accounting information is in

by adding these specific attributes to the replies and setting them to the needed values. if these attributes are too specific, you'll probably need new dictionary files; well, read the available doc on this issue.

> mysql base, radius have to do simple SELECT to sql with sum()'s,
> then subtract this value (it will be number of octets) from some
> fixed value of limit and give the result to exppp as
> Exppp-Traffic-Limit. Well, or something like that. Can it be done
> in FreeRadius? I mean, all those sql queries, subtraction and all
> of that?

yes, it should be possible to do this in freeradius with sql, sqlcounter and counter modules.

> But, if i've understood it right, this module reflects only on
> logon process, i mean, it won't pass no attributes to NAS, it just
> reject user if user's traffic is over, am i right? Still, radius
> have to return traffic limit value to NAS (exppp), how can it (or i) do this?

you can add arbitrary reply items to the access-accept. sorry, but i don't know how to set the values dynamically, but it is definitely possible in freeradius. search the archives, there are variables in FR and you can also arbitrarily process the replies (you could write a simple small module doing what you want).

ciao
artur

--
Artur Hecker http://www.enst.fr/~hecker
Groupe Accès et Mobilité / Computer Science and Networks
E N S T Paris
Re: how can i limit traffic use?
Hi people,

I am working about traffic limitations and all the answers are not complete. As a person said, RADIUS can control the traffic off-line when a user connects and, in the case this user spent all his quota, RADIUS rejects him. However, this kind of control has to be done on-line, that is to use a device to throw away users when their quota finishes. This characteristic is specific to each device and the device has to work with QoS (bandwidth restrictions). In that case RADIUS sends the attribute of quota and QoS to the device, and the device controls the users. For instance, I have an AMPHOR@ MTR device from VAYRIS S.L. and it controls users.

Santiago
Re: Windows XP PEAP and FreeRadius Authorization
Hello!

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>

> [EMAIL PROTECTED] wrote:
> > I'm trying to get working Windows XP - PEAP - MS-CHAPv2 with
> > freeRadius, but I don't know how to configure it correctly. I have
> > followed the instructions in the radiusd.conf, it's also seems 'working'
> > to me but I don't know now where is the problem (something like mschapv2
> > - messing with tls?).
>
> The wireless client is sending EAP-MS-CHAPv2 *outside* of the TLS
> tunnel, and then ignoring the servers response.

Is there any other windows client to use? Or can you imagine what I have done bad when configuring the xp client? I have turned off any certificate validation, can this be a problem?

> I don't think there's much you can do on the server to fix a broken
> client.

Also, when I was changing the default_eap_type of eap, and peap, the server was behaving differently. What should be set here when I want to use eap - peap and mschapv2? (this supports the win xp.)

> Alan DeKok.

P.Zibrita
Re: how can i limit traffic use?
On Mon, Mar 01, 2004 at 09:22:56AM +0300, Alexander Lunyov wrote:
> Well, i'm using exppp (http://shs.sumy.ua/, but it's in russian) on
> FreeBSD box, and exppp understands his own attributes
> (Exppp-Traffic-Limit and such), and i think it can kick user when
> traffic exceeds. How can freeradius tell exppp, how much octets
> user have for session? I mean, if all accounting information is in
> mysql base, radius have to do simple SELECT to sql with sum()'s,
> then subtract this value (it will be number of octets) from some
> fixed value of limit and give the result to exppp as
> Exppp-Traffic-Limit. Well, or something like that. Can it be done
> in FreeRadius? I mean, all those sql queries, subtraction and all
> of that?

You could configure a default entry like this:

DEFAULT Exppp-Traffic-Limit := %{sql:SELECT ...}

assuming you already have an instance of sql module.

> Oh, it's interesting! I think something like this will help
> (rlm_sqlcounter):
>
> sqlcounter monthlytraffic {
>     counter-name = Monthly-Traffic
>     check-name = Max-Monthly-Traffic
>     sqlmod-inst = sql
>     key = User-Name
>     reset = monthly
>
>     query = "SELECT (sum(AcctInputOctets)+sum(AcctOutputOctets))
>         FROM radacct WHERE UserName='%{%k}' AND
>         Month(AcctStopTime) =(Month(NOW())-1) AND
>         Year(AcctStopTime) = Year(NOW())"
> }

No, WHERE UserName = '%k' or WHERE UserName = '%u'.
You could probably use %b - unix time value of beginning of reset period instead of Month()/Year()/NOW() calculations.

> But, if i've understood it right, this module reflects only on
> logon process, i mean, it won't pass no attributes to NAS, it just
> reject user if user's traffic is over, am i right? Still, radius
> have to return traffic limit value to NAS (exppp), how can it (or i) do this?

rlm_counter adds Session-Timeout to the reply only if count-attribute is Acct-Session-Time, but rlm_sqlcounter seems to always add Session-Timeout. Not sane, really. You could try to patch rlm_sqlcounter to accept a new configuration value, say reply-attribute defaulting to Session-Timeout.

--
Fduch M. Pravking
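The calculation this thread describes (sum the accounted octets since the start of the reset period, subtract from a fixed limit, return the remainder as a reply item), as an added example that is not part of the original posts and is not FreeRADIUS code. It uses Python's sqlite3 in place of MySQL and takes the period start as a Unix time, as in the %b suggestion; the limit, the sample rows and storing AcctStopTime as Unix time are assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timezone

MONTHLY_LIMIT_OCTETS = 1_000_000_000  # assumed fixed per-user limit

def ts(year, month, day):
    """Unix time for midnight UTC on the given date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())

def period_start(now):
    """Unix time at which the current monthly reset period began (UTC)."""
    return ts(now.year, now.month, 1)

def used_octets(db, user, since):
    # Bound parameters keep the User-Name out of the SQL text.
    row = db.execute(
        "SELECT COALESCE(SUM(AcctInputOctets + AcctOutputOctets), 0) "
        "FROM radacct WHERE UserName = ? AND AcctStopTime >= ?",
        (user, since),
    ).fetchone()
    return row[0]

def authorize(db, user, now, limit=MONTHLY_LIMIT_OCTETS):
    """Return (packet type, reply items) for a user logging on at `now`."""
    remaining = limit - used_octets(db, user, period_start(now))
    if remaining <= 0:
        return ("Access-Reject", {})
    # The NAS enforces the remainder during the session.
    return ("Access-Accept", {"Exppp-Traffic-Limit": remaining})

def sample_db():
    """Constructed accounting rows; AcctStopTime is stored as Unix time."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctInputOctets INTEGER, "
        "AcctOutputOctets INTEGER, AcctStopTime INTEGER)"
    )
    db.executemany(
        "INSERT INTO radacct VALUES (?, ?, ?, ?)",
        [
            ("alice", 100_000_000, 300_000_000, ts(2004, 3, 2)),
            ("alice", 50_000_000, 150_000_000, ts(2004, 3, 10)),
            ("alice", 900_000_000, 900_000_000, ts(2004, 2, 20)),  # last period
            ("bob", 600_000_000, 500_000_000, ts(2004, 3, 5)),
        ],
    )
    return db

if __name__ == "__main__":
    db = sample_db()
    now = datetime(2004, 3, 15, 12, 0, tzinfo=timezone.utc)
    for user in ("alice", "bob", "carol"):
        print(user, authorize(db, user, now))
```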