Re: Trimming Off @mydomain.com
OUCH! Yes and no, read the raddb config file, I think it's there. Why change it if the stupid users do not use the proper password? I mean then, why even authenticate at all? Next your users will want radius to forgive misspelled uid/pwds. No, I would not do that, maybe just strip spaces from uid/pwds.

When your stupid users call tech, tactfully suggest they take some classes and get up to speed. Better yet 1-900-FOR-TECH or drop them... they will likely pollute your network with spam and the plague virus, not to mention the tech calls you get from stupid users.

How about a poll question: How many times does the tech phone ring but it's a modem on the other end? Last night about midnight, I should have put the support line on a special box that would let the stupid user online (with any uid/pwd) and redirected them to the stupid user's web page with iptables, then I set up radius to drop them after a few minutes.

Yes, stupid users byte and never go away

----- Original Message -----
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, July 31, 2004 6:05 PM
Subject: Trimming Off @mydomain.com

> Is there any way to have freeRadius trim off the @mydomain.com from the username when the user attempts to authenticate? I have a number of users that still try to use their full email address for their username and it could save me some tech support.
>
> Matt

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
advise to differentiate from which dialup number customer is dialing in
is there any way from the packets i can differentiate from which E1 lines are the customers calling from?

my scenario is, i have 2 telcos (Telco A and Telco B) providing 1 E1 line each going to my AS5300 router. is there any way i can know who is online from E1 Telco A and E1 Telco B? if there is, this would also allow me to do separate accounting and log process on individual clients from different E1s.

hope i this the right way, anyone can advise an approach? right now, what AS5300 command, freeradius and a simple script can show me is who is online on AS5300 router, regardless they dialed from E1 Telco A or E1 telco B.

//milver
Re: advise to differentiate from which dialup number customer is dialing in
On Sun, 1 Aug 2004, Milver S. Nisay wrote:

> is there any way from the packets i can differentiate from which E1 lines are the customers calling from?
>
> my scenario is, i have 2 telcos (Telco A and Telco B) providing 1 E1 line each going to my AS5300 router. is there any way i can know who is online from E1 Telco A and E1 Telco B? if there is, this would also allow me to do separate accounting and log process on individual clients from different E1s.
>
> hope i this the right way, anyone can advise an approach? right now, what AS5300 command, freeradius and a simple script can show me is who is online on AS5300 router, regardless they dialed from E1 Telco A or E1 telco B.
>
> //milver

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: advise to differentiate from which dialup number customer is dialing in
On Sun, 1 Aug 2004, Milver S. Nisay wrote:

> is there any way from the packets i can differentiate from which E1 lines are the customers calling from?
>
> my scenario is, i have 2 telcos (Telco A and Telco B) providing 1 E1 line each going to my AS5300 router. is there any way i can know who is online from E1 Telco A and E1 Telco B? if there is, this would also allow me to do separate accounting and log process on individual clients from different E1s.
>
> hope i this the right way, anyone can advise an approach? right now, what AS5300 command, freeradius and a simple script can show me is who is online on AS5300 router, regardless they dialed from E1 Telco A or E1 telco B.
>
> //milver

Maybe this can be helpful:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_r/srprt2/srrad.htm

especially the aaa nas-port extended part

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Trimming Off @mydomain.com
    realm mydomain.com {
            type     = radius
            authhost = LOCAL
            accthost = LOCAL
            strip
    }

    realm NULL {
            type     = radius
            authhost = LOCAL
            accthost = LOCAL
    }

----- Original Message -----
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 01, 2004 12:05 AM
Subject: Trimming Off @mydomain.com

> Is there any way to have freeRadius trim off the @mydomain.com from the username when the user attempts to authenticate? I have a number of users that still try to use their full email address for their username and it could save me some tech support.
>
> Matt
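An added sketch, not part of the message above and not FreeRADIUS code: a simplified Python model of what the two realm blocks do to a submitted User-Name, including names that carry a realm the server does not list. The function names, the case-insensitive realm comparison and the sample logins are assumptions of this illustration.

```python
# Added illustration, not FreeRADIUS source: a simplified model of suffix realms.
# REALMS mirrors the two realm blocks in the message above.
REALMS = {
    "mydomain.com": {"strip": True},
    "NULL": {"strip": False},
}


def split_realm(user_name, realms=REALMS, delimiter="@"):
    """Return (matched_realm, name_to_authenticate) for a User-Name value."""
    # Split at the LAST delimiter, so "a@b@mydomain.com" has local part "a@b".
    local, sep, suffix = user_name.rpartition(delimiter)
    if not sep:
        # No "@": only the NULL realm can match, and there is nothing to strip.
        return ("NULL" if "NULL" in realms else None), user_name
    # Model assumption: realm names compare case-insensitively, like domain names.
    by_lower = {name.lower(): name for name in realms if name != "NULL"}
    matched = by_lower.get(suffix.lower())
    if matched is None:
        # Unlisted realm: nothing matches, so the name is left exactly as sent.
        return None, user_name
    # Strip only when asked to, and never strip down to an empty name.
    if realms[matched].get("strip") and local:
        return matched, local
    return matched, user_name


def normalise_all(names):
    """Map each submitted name to the (realm, name) pair the model produces."""
    return {n: split_realm(n) for n in names}


if __name__ == "__main__":
    # Constructed sample logins; other.example is a placeholder domain.
    samples = ["matt", "matt@mydomain.com", "Matt@MYDOMAIN.COM", "matt@other.example"]
    for name, result in normalise_all(samples).items():
        print(f"{name!r:24} -> {result}")
```

Only the listed realm is removed: a name with any other suffix reaches the user lookup unchanged, so it does not silently resolve to a local account.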
Re: Group ip pools
On Sun, Aug 01, 2004 at 02:17:41PM +1200, Barry Murphy wrote:

> Going forward I have looked at the scripts and it shows that TTY is being used and clients are getting a Nas-Port beginning with 0, then 1 for the second user as shown below.
>
> Sun Aug 1 12:00:49 2004
>         Acct-Session-Id = 410C2FFA01F0
>         User-Name = icepick
>         Acct-Status-Type = Start
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Acct-Authentic = RADIUS
>         NAS-Port-Type = Async
>         Framed-IP-Address = 219.88.249.85
>         NAS-IP-Address = 10.23.19.2
>         NAS-Port = 0
>         Acct-Delay-Time = 0
>         Client-IP-Address = 10.22.19.2
>         Acct-Unique-Session-Id = 819283b999345e7d
>         Timestamp = 1091318449
>
> Sun Aug 1 13:26:04 2004
>         Acct-Session-Id = 410C43DA0201
>         User-Name = neil
>         Acct-Status-Type = Start
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Acct-Authentic = RADIUS
>         NAS-Port-Type = Async
>         Framed-IP-Address = 219.88.249.89
>         NAS-IP-Address = 10.23.19.2
>         NAS-Port = 1
>         Acct-Delay-Time = 0
>         Client-IP-Address = 10.22.19.2
>         Acct-Unique-Session-Id = f27a28a784f81cba
>         Timestamp = 1091323564

Those are Accounting-Start packets... To assign an address from an ippool, the port needs to be present in the Access-Request packet. By the time the RADIUS server sees the Accounting-Start packet, the IP address needs to've been already transmitted in the Access-Accept packet.

On the other hand, it looks like a Framed-IP-Address _is_ being assigned... Is this still not working?

--
Paul TBBle Hampson, on an alternate email client.
RE: Trimming Off @mydomain.com
That's what I said :D

-----Original Message-----
From: Thor Spruyt [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 01, 2004 4:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Trimming Off @mydomain.com

>     realm mydomain.com {
>             type     = radius
>             authhost = LOCAL
>             accthost = LOCAL
>             strip
>     }
>
>     realm NULL {
>             type     = radius
>             authhost = LOCAL
>             accthost = LOCAL
>     }
>
> ----- Original Message -----
> From: Matt [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Sunday, August 01, 2004 12:05 AM
> Subject: Trimming Off @mydomain.com
>
> Is there any way to have freeRadius trim off the @mydomain.com from the username when the user attempts to authenticate? I have a number of users that still try to use their full email address for their username and it could save me some tech support.
>
> Matt
Odd Cisco LNS Problem...
Hi Folks,

Have an odd problem with a VPDN session authenticating from a Cisco LNS to freeradius...

There's a dual login happening for the same user. To eliminate the problem (for now) I changed the Password attribute to something else. It stopped one of the sessions authenticating (invalid password error) but the other carried on authenticating (Login OK).

I put a reject attribute in for the user's accounting and dropped both VPDN sessions off the LNS, and then both were unable to authenticate. Upon removing the reject, one started authenticating OK and the other bouncing like before.

Any ideas what could be causing this?

LNS: IOS (tm) 7200 Software (C7200-IS-M), Version 12.3(5b), RELEASE SOFTWARE (fc1)

--
Kind Regards,
Russell Brenner
Australia Internet Solutions
[EMAIL PROTECTED]
Tel: 03 8665 8321
Fax: 03 9639 1897
Authenticating only one group of users
I have a group on my system, pppusers. This is the one and only group that I want to have access via the radius system. Looking through the meager docs and the users file, this is what I've come up with:

    ## Original
    # DEFAULT Auth-Type := System
    ##
    ## Modified
    DEFAULT Group == pppusers, Auth-Type := System
            Fall-Through = Yes

    DEFAULT
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.254,
            Framed-IP-Netmask = 255.255.255.255,
            Idle-Timeout = 600,
            Session-Timeout = 28800,
            Port-Limit = 1

This, from what I understand, shouldn't let anyone except members of pppusers group in.

Thanks,
Jody L. Whitlock
[EMAIL PROTECTED]