proxy-accounting

2005-04-11 Thread mlgjd mlgjd
Hi,
my FR is acting as a proxy server. What I need to do is the following:
- when I get accounting from the router I need to cut some things off
(Acct-Session-Id)

How can I do this with FR?

Thank you



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Post-Proxy-Type + rlm_rewrite + rlm_ippool does not work

2005-04-11 Thread Pasi Kärkkäinen
On Wed, Apr 06, 2005 at 03:30:34PM +0300, Pasi Kärkkäinen wrote:
 Hi!
 
 I've tried to get this working for a long time, trying almost every kind of
 possible solution.. with no luck yet :(
 
 Scenario: NAS uses freeradius-server (proxy) for authentication. Proxy needs
 to also supply Framed-IP-Address back to NAS. 
 
 Proxy proxies authentication requests to home servers based on realm.
 
 Now, I _need_ to assign IP-addresses in the _Proxy_ based on realm.
 
 I set up rlm_ippool for each realm. Now, I need to assign Pool-Name
 attribute for all requests based on realm. I do this:
 

I'd like to have some comments to this..

Does *anybody* have solution for this scenario ?

Do I have to write my own module to set up the Pool-Name for proxied
requests? 

I also tried setting the Pool-Name in users-file based on Realm.. but that
didn't work either. rlm_ippool still says it cannot find the Pool-Name
attribute.

Thanks for your help!

- Pasi Kärkkäinen


 users-file:

 DEFAULT Realm == foo.com, Post-Proxy-Type := post.proxy.foo
         Fall-Through = 1

 radiusd.conf:

 post-proxy {
   Post-Proxy-Type post.proxy.foo {
     rewrite_add_foo_ippool
   }
 }

 attr_rewrite rewrite_add_foo_ippool {
   attribute = Pool-Name
   searchin = proxy_reply
   searchfor = 
   replacewith = foo_ippool
   new_attribute = yes
 }

 post-auth {
   foo_ippool
 }
 
 
 Freeradius debug messages when proxy receives authentication request:
 
 
 Module: Instantiated attr_rewrite (rewrite_add_foo_ippool)
 Module: Instantiated ippool (foo_ippool)
 rlm_realm: Looking up realm foo.com for User-Name = [EMAIL PROTECTED]
 rlm_realm: Found realm foo.com
 rlm_realm: Proxying request from user test to realm foo.com
 users: Matched entry DEFAULT at line 154 (this is the Post-Proxy-Type line)
 rad_recv: Access-Accept packet from host 1.2.3.4:1812, id=0, length=235
 Found Post-Proxy-Type post.proxy.foo
 modcall: entering group Post-Proxy-Type for request 0
 rlm_attr_rewrite: Illegal value for searchin. Changing to packet.
 rlm_attr_rewrite: Added attribute Pool-Name with value 'foo_ippool'
 modcall[post-proxy]: module rewrite_add_foo_ippool returns ok for request 0
 modcall: group Post-Proxy-Type returns ok for request 0
 authorize: Skipping authorize in post-proxy stage
 rad_check_password: Auth-Type = Accept, accepting the user
 Login OK: [EMAIL PROTECTED] (from client client01 port 0)
 Processing the post-auth section of radiusd.conf
 modcall: entering group post-auth for request 0
 rlm_ippool: Could not find Pool-Name attribute
 modcall[post-auth]: module foo_ippool returns noop for request 0
 modcall: group post-auth returns noop for request 0
 Finished request 0
 
 
 I'm using freeradius patch by Nicolas Baradakis [EMAIL PROTECTED] which
 enables freeradius (1.02) to run modules in post-proxy {} section. The above
 Post-Proxy-Type foo {} thing does not work without that patch.
 
 But the problem is now how to get the Pool-Name variable set so that
 rlm_ippool works..
 
 Thanks for your help/ideas!
 
 -- Pasi Kärkkäinen



Radius DisconnectRequest

2005-04-11 Thread Abdul Lateef
HI,

I am using a Cisco NAS for my VoIP billing. I want to
send a DisconnectRequest to the Cisco NAS but I don't
know from where I should send it.

Currently I am able to send AccessRequest and
Accounting from the mySQL db. But I am a little confused
about how I should send the Radius DisconnectRequest to the
Cisco NAS.

Here is a full Cisco NAS example for Radius
DisconnectRequest:
-
Fri Apr 08 01:27:27 2005, (204+53e6fe2a-1000) ,Recv 202.85.241.151:1812 Radius DisconnectRequest {
 session id =  95
 Cisco VSA( 24): h323-conf-id=F72744AA A89611D9 91300800 20F0213B
  }
-

Actually I wanted to make a button in Billing Manager;
if the admin presses this button, radius should send the
DisconnectRequest to Cisco for the call termination.





Re: different pools for different realms

2005-04-11 Thread Angel L. Mateo
On Fri, 08-04-2005 at 20:03 +0300, Kostas Kalevras wrote:

 DEFAULT   Realm == myrealm, NAS-IP-Address == 10.10.10.1, Auth-Type = LDAP, Pool-Name := my_pool

Thank you. I didn't know I can use the Realm attribute in the check line.
Is there any list of attribute names I can use there? Because this
attribute isn't in http://www.freeradius.org/rfc/attributes.html

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337




radius behavior when DB is down

2005-04-11 Thread Alexander Serkin
hi.
Can anybody explain to me the scenario of rlm_sql_... module actions while the DB is
inaccessible?
I mean what happens with the daemon when
1) it starts and encounters that its sql store is down.
2) the db goes down while the radius daemon is running.
Does it make an attempt to reconnect or does it die too?
Is the scenario the same for oracle and mysql?

--
SY,
Alexander


Something

2005-04-11 Thread Blake
Well,
Guys I am back to the list for answers. I am simply trying to prevent 
more than one instance of one user logged in at once. I know, before you 
yell at me I have read the FAQ and setup just the way it says in 
sql.conf. Perhaps I am missing something. I just uncommented the 
simul_count_query and it still lets more than one login of one username.

I am using 1.0.2 and sql 4.1.9. My setup is very very simple. I am not 
using groups. Everyone is in the same group. This is for a chillispot btw.

anything that I am missing?
-Blake-


Re: Something

2005-04-11 Thread Greg Swift
Blake wrote:
 Well,
 Guys I am back to the list for answers. I am simply trying to prevent
 more than one instance of one user logged in at once. I know, before
 you yell at me I have read the FAQ and setup just the way it says in
 sql.conf. Perhaps I am missing something. I just uncommented the
 simul_count_query and it still lets more than one login of one username.

 I am using 1.0.2 and sql 4.1.9. My setup is very very simple. I am not
 using groups. Everyone is in the same group. This is for a chillispot
 btw.

 anything that I am missing?

Have you tried logging in, and then running the query manually against 
the table to see what results you receive?

What happens when you do what 4.7 of the FAQ recommends? 
(http://www.freeradius.org/faq/#4.7)

-Greg


Re: Anyone using radzap?

2005-04-11 Thread Alan DeKok
Mike Cisar [EMAIL PROTECTED] wrote:
 Can't say as I've been using it, for the obvious reasons... but I've wanted
 to several times in the past couple months :-)

  The latest CVS snapshot should contain fixed radwho & radzap.  They
should work if you copy them to a 1.0.2 distribution, and re-build.

  Alan DeKok.




Counters

2005-04-11 Thread Anson
Okay, all of the counters deal with using the users file. But how 
do I set up a user if I am using a DB backend?
I've uncommented counter in authorize and accounting.

From radiusd.conf:

counter {
    filename = ${raddbdir}/db.counter
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = monthly
    counter-name = Monthly-Session-Time
    check-name = Max-Monthly-Session
    allowed-servicetype = Framed-User
    cache-size = 5000
}

I've created in my DB:

Radgroupcheck
monthly Auth-Type := Local

Radgroupreply
Monthly Max-Monthly-Session := 600 0

And I've created a user that belongs to group monthly.
Not working, what am I missing?



Re: Radius DisconnectRequest

2005-04-11 Thread Alan DeKok
Abdul Lateef [EMAIL PROTECTED] wrote:
 Actually I wanted to make a button in Billing Manager;
 if the admin presses this button, radius should send the
 DisconnectRequest to Cisco for the call termination.

  Billing manager isn't part of FreeRADIUS.  I suggest asking them for
this functionality.

  If you want to send a disconnect request from the command line, see
radclient.

  Alan DeKok.
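
What a Disconnect-Request looks like on the wire, as an added example that is not part of the original thread or of FreeRADIUS: it builds the packet (code 40, RFC 5176) carrying the session id and Cisco h323-conf-id from the NAS log quoted earlier, and shows the authenticator check a receiver performs. The shared secret and packet identifier are constructed placeholders.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40   # RFC 5176 packet code
ACCT_SESSION_ID = 44      # standard RADIUS attribute
VENDOR_SPECIFIC = 26      # standard RADIUS attribute
CISCO_VENDOR_ID = 9       # Cisco's enterprise number
CISCO_H323_CONF_ID = 24   # "Cisco VSA( 24)" in the NAS log above


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_vsa(vendor_type: int, text: str) -> bytes:
    """Wrap a Cisco sub-attribute inside Vendor-Specific (26)."""
    sub = attr(vendor_type, text.encode("ascii"))
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def request_authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_disconnect_request(ident: int, session_id: str,
                             conf_id: str, secret: bytes) -> bytes:
    attrs = attr(ACCT_SESSION_ID, session_id.encode("ascii"))
    attrs += cisco_vsa(CISCO_H323_CONF_ID, "h323-conf-id=" + conf_id)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: reject packets not signed with the shared secret."""
    if len(packet) < 20:
        return False
    (length,) = struct.unpack("!H", packet[2:4])
    if length != len(packet):
        return False
    expected = request_authenticator(packet[:4], packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


# Values from the NAS log on this page; the secret is a constructed placeholder.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_PACKET = build_disconnect_request(
    ident=1,
    session_id="95",
    conf_id="F72744AA A89611D9 91300800 20F0213B",
    secret=SAMPLE_SECRET,
)

if __name__ == "__main__":
    print(SAMPLE_PACKET.hex())
    print("authenticator valid:", verify_request(SAMPLE_PACKET, SAMPLE_SECRET))
```

The authenticator is the only thing that ties the request to the shared secret, so a NAS should accept Disconnect-Requests only from the configured server address and only when this check passes.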




Re: different pools for different realms

2005-04-11 Thread Alan DeKok
Angel L. Mateo [EMAIL PROTECTED] wrote:
   Thank you. I didn't know I can use the Realm attribute in the check line.
 Is there any list of attribute names I can use there? Because this
 attribute isn't in http://www.freeradius.org/rfc/attributes.html

  Those are the RADIUS *protocol* attributes, as defined in the RADIUS
standards documents.

  FreeRADIUS defines a number of other attributes, which aren't
documented anywhere.

  Alan DeKok.



Re: radius behavior when DB is down

2005-04-11 Thread Alan DeKok
Alexander Serkin [EMAIL PROTECTED] wrote:
 Can anybody explain to me the scenario of rlm_sql_... module actions while the DB is
 inaccessible?
 I mean what happens with the daemon when
 1) it starts and encounters that its sql store is down.

  Have you tried checking this yourself?  It's not hard.

 2) the db goes down while the radius daemon is running.

  Similarly, this isn't hard to do in a test environment.

 Does it make an attempt to reconnect or does it die too?

  It tries to reconnect.

 Is the scenario the same for oracle and mysql?

  Yes.

  Alan DeKok.



Re: Counters

2005-04-11 Thread Alan DeKok
Anson [EMAIL PROTECTED] wrote:
 Okay, all of the counters deal with using the users file. But how
 do I set up a user if I am using a DB backend?

  Exactly the same.  The users file is just a way to tell the server
WHEN to use the counter.

 I've created in my DB
 Radgroupcheck
 monthly Auth-Type := Local

  Please don't do that.  It's completely unnecessary.

 Radgroupreply
 Monthly Max-Monthly-Session := 600 0

  Ok...

 Not working, what am I missing?

  Read the FAQ.  Run the server in debugging mode.

  Alan DeKok.



Re: Beginner question: Trying to secure a wlan

2005-04-11 Thread Vladimir Vuksan
Tim Boneko wrote:
  That still doesn't tell us whether you configured SoftAP to use the
  RADIUS server ? SoftAP is only the AP piece but not the RADIUS server
  itself. You have to point to FreeRADIUS instance you are using.

 That seems to be the part I am missing. How do I do that? Is it a
 setting for my dhcpd?

No. It is all in the AP.
SoftAP claims it supports WPA. Read the documentation for it and look 
for where they mention WPA-RADIUS or WPA-Enterprise and see how to 
configure it. If they only talk about WPA-Personal or WPA-PSK that is 
not what you want. WPA config should ask you for

1. RADIUS server IP/hostname i.e. 127.0.0.1
2. Shared secret i.e. whatever you set, FreeRADIUS defaults to testing123 for 127.0.0.1
3. Optionally it may ask for RADIUS server port i.e. 1812

You should be able to get tech support from PCtel since SoftAP is a paid 
product.

Vladimir



Freeradius + Wireless Users (802.X)

2005-04-11 Thread Victor M. Polukcht
Hello, Freeradius-Users.

  Is there any ability to authenticate Wireless Users with login and
  password using Freeradius?

  I use freeradius now for dialup and voip users. But now I also need
  somehow to auth wireless users (we have some hotspots). As I get it, I
  need to configure PEAP. Maybe there is somebody who can give
  working examples? Or any documentation?

  Great thnx.

-- 
Best Regards,
Victor M. Polukcht
System Administrator
LANCK Telecom ISP
St. Peterburg, Russia
Phone: +7 (812) 325
Fax:   +7 (812) 325
mailto:[EMAIL PROTECTED]





Re: Freeradius + Wireless Users (802.X)

2005-04-11 Thread Vladimir Vuksan
Victor M. Polukcht wrote:
 Is there any ability to authenticate Wireless Users with login and
 password using Freeradius?
 I use freeradius now for dialup and voip users. But now I also need
 somehow to auth wireless users (we have some hotspots). As I get it, I
 need to configure PEAP. Maybe there is somebody who can give
 working examples? Or any documentation?
 

Read the 802.1X HOWTO
http://tldp.org/HOWTO/html_single/8021X-HOWTO/
That should get you going with WPA.


Problem compiling FreeRADIUS 1.0.1 on Gentoo Linux

2005-04-11 Thread Bryce Porter
I am trying to compile FreeRadius 1.0.1 on Gentoo Linux 2005.0:

# USE='-pam -postgres -snmp' emerge -pv freeradius

[ebuild N ] net-dialup/freeradius-1.0.1 -frascend -frnothreads -frxp -kerberos -ldap +mysql -pam -postgres -snmp +ssl 0 kB

As you can see, the only USE flags in use here are ssl
and mysql (I could reproduce the error with all USE flags
disabled as well).

I'm getting the following error:

<snip>
gcc -shared rlm_unix.lo cache.lo compat.lo
-Wl,--whole-archive /usr/lib/libshadow.a -Wl,--no-whole-archive -lcrypt
/usr/lib/libshadow.a -lnsl -lresolv -lpthread -lcrypto -lssl -Wl,-soname
-Wl,rlm_unix-1.0.1.so -o .libs/rlm_unix-1.0.1.so
/usr/lib/libshadow.a: member /usr/lib/libshadow.a(libmisc.a) in archive is not an object
collect2: ld returned 1 exit status
gmake[6]: *** [rlm_unix.la] Error 1
gmake[6]: Leaving directory `/var/tmp/portage/portage/freeradius-1.0.1/work/freeradius-1.0.1/src/modules/rlm_unix'
</snip>

Any suggestions?

Bryce Porter
Network Administrator
Heart Technologies, Inc.
3105 N. Main St.
E. Peoria, IL 61611
p. 309.427.7282
f. 309.427.7382
e. [EMAIL PROTECTED]
w. www.heart.net


RE: Problem compiling FreeRADIUS 1.0.1 on Gentoo Linux

2005-04-11 Thread Bryce Porter
My apologies, as the original email that I
sent was in HTML format. This should be in plain text. Thank you.

Bryce Porter
Network Administrator
Heart Technologies, Inc.
3105 N. Main St.
E. Peoria, IL 61611
p. 309.427.7282
f. 309.427.7382
e. [EMAIL PROTECTED]
w. www.heart.net

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryce Porter
Sent: Monday, April 11, 2005 3:55 PM
To: freeradius-users@lists.freeradius.org
Subject: Problem compiling FreeRADIUS 1.0.1 on Gentoo Linux


Re: Steelbelted Radius Dictionary File

2005-04-11 Thread A. Clausen

Guy Davies wrote:
 Hi,
 No, you can't simply drop that in.  You'd need to create a
 dictionary.waverider that looks like the dictionaries in
 /usr/local/share/freeradius.  Cut and paste the section below in to a
 file of that name and then add the line
 $INCLUDE dictionary.waverider
 In the file /usr/local/share/freeradius/dictionary.

Thanks very much!
--
A. Clausen


NT domain names and SQL authentication

2005-04-11 Thread Diego M. Vadell
Hi,
  I've been fighting my ignorance for a week now. I'm trying to setup
FreeRadius with a Windows XP SP2 supplicant with mschap2 thru an
Orinocco access point.
I would like to use the username and password of the NT domain, but the
only way I can get logged in is making XP ask me for the credentials.
So to make it work, I add a line in users:
--8<---8<--
pirulo  User-Password == chicos
--8<---8<--

I also edited radiusd.conf and uncommented the sql lines. User pirulo
does not exist in SQL. With this setup, I can get
authenticated/authorized.

But, if I add a line like my NT username in users, I can't log in. The line
looks like this:
--8<---8<--
DOMAIN\\username   User-Password == my_nt_domain_password
--8<---8<--

I write down, exactly as I did with user pirulo, DOMAIN\\username and then
the password, and it doesn't work!

Also I tried asking Windows to send my login credentials automatically,
but it didn't work.
Running radiusd in debug mode (-X) I get:

Processing the authorize section of radiusd.conf
(all the modules return either noop or ok)
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module eap returns handled for request 19
modcall: group authenticate returns handled for request 19
(everything looks fine)
Processing the authorize section of radiusd.conf (again - everything ok )

And so it goes, processing authorize and authenticate sections, until it
gives this error:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 25
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 25
  rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
  rlm_mschap: Told to do MS-CHAPv2 for DOMAIN\username with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 25
modcall: group Auth-Type returns reject for request 25
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 25
modcall: group authenticate returns reject for request 25
auth: Failed to validate the user.
Login incorrect: [DOMAIN\\username] (from client localhost port 0)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE

And thus ends.
So, my question is: should I set an NT-Password attribute in the users file?

Thanks,
 -- Diego.



Re: NT domain names and SQL authentication

2005-04-11 Thread Jim Seymour
Diego M. Vadell [EMAIL PROTECTED] wrote:
 
 Hi,
   I've been fighting my ignorance for a week now. I'm trying to setup
 FreeRadius with a Windows XP SP2 supplicant with mschap2 thru an
 Orinocco access point.
 I would like to use the username and password of the NT domain, but the
 only way I can get logged in is making XP ask me for the credentials.
 So to make it work, I add a line in users:
[snip]
 

Go to this link: 

 http://lists.freeradius.org/archives/freeradius-users/2005/03/frm00948.html

And follow the thread by clicking Next under Thread Links in the
upper left.  That may get you what you want.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.linxnet.com/scform.php.
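
Background on the "NT Domain delimeter found" line in the debug output quoted in this thread, as an added illustration that is not from either poster and is not FreeRADIUS code: the MS-CHAPv2 response is derived from a ChallengeHash (RFC 2759) that includes the user name, and Windows hashes only the user part while sending DOMAIN\user as the name. The challenges below are constructed values, and `strip_nt_domain` is a hypothetical helper standing in for what a domain-stripping option does.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || auth || name)."""
    digest = hashlib.sha1(
        peer_challenge + auth_challenge + user_name.encode("ascii")
    ).digest()
    return digest[:8]


def strip_nt_domain(name: str) -> str:
    """Hypothetical helper: drop a leading 'DOMAIN\\' prefix if present."""
    return name.split("\\", 1)[-1]


def server_hash_matches(name_received: str, name_client_hashed: str,
                        peer: bytes, auth: bytes, strip_domain: bool) -> bool:
    """Compare the hash the server derives with the one the client used.

    If these differ, the NT-Response derived from them can never match,
    even when the password is correct.
    """
    server_name = strip_nt_domain(name_received) if strip_domain else name_received
    return (challenge_hash(peer, auth, server_name)
            == challenge_hash(peer, auth, name_client_hashed))


# Constructed 16-octet challenges, for illustration only.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))

if __name__ == "__main__":
    for strip in (False, True):
        ok = server_hash_matches("DOMAIN\\username", "username", PEER, AUTH, strip)
        print("strip domain =", strip, "-> challenge hashes agree:", ok)
```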



clients.conf mysql

2005-04-11 Thread James Kelly
Hi there,

Is there someone who can point me in the direction of achieving this?
I have searched google to find some posts that it is possible. 

Ultimately it would be nice if we could store our nas information in
eDirectory and use ldap.  However the mysql is another idea.





Re: Attach mac address to username

2005-04-11 Thread Shane
Joachim Bloche wrote:
  Would your suggestion be automatic or would I need to manually add the
  attribute.

 I think you can do it automatically, provided your NAS sends
 Calling-Station-Id with the authentication request. In this case you
 may rewrite the post-auth request to add the row in radcheck (see
 sql.conf). But I'm quite new to freeradius, and there may be 2 issues
 : I'm not sure whether it's possible to use an INSERT in post-auth, and
 I'm not sure whether the NAS will send the calling-station-id with the
 authentication-request (but if it doesn't, there will be no
 solution...). Anyway, this will be easy to check, but I have no radius
 server for the week-end.
 If this doesn't work, then you'll have to use a trigger or any other
 means, in order to insert the row in radcheck when the first accounting
 start for this user occurs. This would be less convenient, but still
 not very complicated.
 Joachim

Ok I don't know how to do it.
Am I after something like this, and where do I call it in sql.conf?

INSERT into ${authcheck_table} (id, UserName, Attribute, op, value) 
values('', '%{SQL-User-Name}', 'Calling-Session-Id', '==', 
'%{Called-Station-Id}')

Thanks
Shane