Re: FR-1.1.2 dies with error

2006-08-14 Thread Alexander Serkin

Alan DeKok wrote:
> Alexander Serkin <[EMAIL PROTECTED]> wrote:
> > I'm still trying to investigate the problem with one of my AAA servers.
>
>   It's a problem with the DB, not with the server.

I understand this, Alan. My experiments with hiding assertion strings in 
request_list.c ended in failure.
And I feel that Oracle is not a good production server for radius 
accounting. Or the DB structure is not optimal for our application.
Does anybody on the list use FR & Oracle for systems serving about 
4500 simultaneous connections? It's really not much, but...

Will the accounting table partitioning help?

--
Sincerely Yours,
Alexander
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: netflow per connection

2006-08-14 Thread Alan DeKok
"Igor Smitran" <[EMAIL PROTECTED]> wrote:
> I have Mikrotik. It can export netflow data but i am not sure what 
> freeradius can do with that? 

  Nothing.  You will need a netflow server.

> Is it possible to have all netflow for that 
> client inserted into database somehow? Please provide some URL because i am 
> not sure what to search for.

  "netflow server" ?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: netflow per connection

2006-08-14 Thread Igor Smitran

> > Is there a way to have netflow data per session, instead of just total
> > "octets in" and total "octets out"? I am trying to find a relatively easy
> > way to charge users per netflow data, for example: local data is 50%
> > discount, mail is 30% discount etc.
>
>  Consult the NAS documentation.  If it doesn't say it can send that
> information, then that information won't be available to FreeRADIUS.
>
>  Alan DeKok.


I have Mikrotik. It can export netflow data but I am not sure what 
freeradius can do with that? Is it possible to have all netflow for that 
client inserted into database somehow? Please provide some URL because I am 
not sure what to search for.


Igor 



Re: Change RAD_REPLY item in rlm_perl, not add a new pair

2006-08-14 Thread Alex French
On 13/08/06, Boian Jordanov <[EMAIL PROTECTED]> wrote:
> On Friday 11 August 2006 20:18, Alex French wrote:
> > Hi,
> >
> > Does anyone know if anything was done on the issue below? I'm looking for
> > this functionality too, and I'd prefer not to have to recompile the module
> > if the feature is available in HEAD or similar (although I can't see
> > that...).
>
> No sorry,
> but i can give you a patch if you want of course.

Boian,

Thanks, if you have a patch that actually
implements the hash for the operator etc, that would be great (in fact,
why not just submit it as a feature). If it's just to change the
operator hardcoded in rlm_perl.c, that's fine, I have that recompiled
and installed at the moment,

Alex 

Re: netflow per connection

2006-08-14 Thread Alan DeKok
"Igor Smitran" <[EMAIL PROTECTED]> wrote:
> Is there a way to have netflow data per session, instead of just total 
> "octets in" and total "octets out"? I am trying to find a relatively easy 
> way to charge users per netflow data, for example: local data is 50% 
> discount, mail is 30% discount etc.

  Consult the NAS documentation.  If it doesn't say it can send that
information, then that information won't be available to FreeRADIUS.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FR-1.1.2 dies with error

2006-08-14 Thread Alan DeKok
Alexander Serkin <[EMAIL PROTECTED]> wrote:
> I'm still trying to investigate the problem with one of my AAA servers.

  It's a problem with the DB, not with the server.

> Is it possible to tell on which request assertion fails?

  No.

> We have two servers and use load-balancing between them configured on NASes.
> But assertion fails periodically with only one of the servers mostly on 
> line 1012 of request_list.c, but sometimes on line 1039 of the same file.

  As you have been told already, the problem is that something is
blocking the server, and preventing it from doing work.  That is
likely the DB used by the server.

  Any work you do on FreeRADIUS will do little more than hide the
problem.  You can't make your DB run faster by poking FreeRADIUS.  And
if the DB is down, there's *nothing* you can do to the server to make
it process requests.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: read_groups in cvs

2006-08-14 Thread Duane Cox
> > On the todo list for Monday, if additional debug output is needed.
>
> I wouldn't have asked for it if I didn't need it...
>


rad_recv: Access-Request packet from host 10.0.0.11 port 1145, id=104, length=56
User-Name = "[EMAIL PROTECTED]"
User-Password = ""
  Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 1
rlm_realm: Looking up realm "illicom.net" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "illicom.net"
rlm_realm: Adding Stripped-User-Name = "dcox"
rlm_realm: Proxying request from user dcox to realm illicom.net
rlm_realm: Adding Realm = "illicom.net"
rlm_realm: Authentication realm is LOCAL.
rlm_realm: Request already proxied.  Ignoring.
radius_xlat:  'dcox'
radius_xlat:  'dcox'
rlm_sql (sql): sql_set_user escaped user --> 'dcox'
rlm_sql (sql): Reserving sql socket id: 7
radius_xlat:  'select id, username, attribute, value, op
   from radcheck
where username = 'dcox'   order by id'
rlm_sql (sql): User found in radcheck table
radius_xlat:  'select id, username, attribute, value, op
   from radreply   where username = 'dcox'
order by id'
rlm_sql (sql): Released sql socket id: 7
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type pap
auth: type "PAP"
  Processing the authenticate section of radiusd.conf
modcall:  entering group PAP for request 1
rlm_pap: login attempt with password eldon
rlm_pap: Using clear text password.
rlm_pap: User authenticated succesfully
modcall: group PAP returns ok for request 1
Login OK: [EMAIL PROTECTED] (from client webclient port 0)
  Processing the post-auth section of radiusd.conf
modcall:  entering group post-auth for request 1
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'dcox'
rlm_sql (sql): sql_set_user escaped user --> 'dcox'
radius_xlat: Running registered xlat function of module config for string 
'client[%{Packet-Src-IP-Address}].shortname'
radius_xlat:  'client[10.0.0.11]'
radius_xlat:  'exec radpostauth '[EMAIL PROTECTED]',
'XXX','Access-Accept',
'10.0.0.11','','',  
   '',
'', '','webclient''
rlm_sql (sql) in sql_postauth: query is exec radpostauth '[EMAIL PROTECTED]',   
'XXX',
'Access-Accept','10.0.0.11',
'','',
'', '', 
'','webclient'
rlm_sql (sql): Reserving sql socket id: 6
rlm_sql (sql): Released sql socket id: 6
modcall: group post-auth returns ok for request 1
Sending Access-Accept of id 104 to 10.0.0.11 port 1145
Service-Type = Authenticate-Only
Session-Timeout = 86400
Finished request 1
Going to the next request


>
> > But I am using a recent (-7 days ago) cvs checkout of 2.0.0pre0
> >
> > I don't have any debug output right now, but it's rather obvious to
> > me that the server doesn't process the radcheckgroup /
> > radreplygroup in rlm_sql unless the fall-through = yes is found in
> > the radreply for the user, which contradicts the docs (3d) as
> > posted below.
>
> That's all well and good, but I need the debug output to see *what*
> the server is doing for/to you and *why* it's doing it, especially if
> you want *me* to fix it...
>
>
> > Meanwhile, I have set the fall-through = yes during the radreply
> > for now to get it to process the groups...
>
> Make sure your debug output is *without* having "Fall-Through" set in
> radreply.

done as requested.

>
>
> --Mike



Re: Does Freeradius support IAPP (802.11f)??

2006-08-14 Thread David Mitton
IEEE 802.11f was a Recommended Practice (not a Standard) issued by IEEE Standards Association, 802.11 group.
I know it was deprecated due to reading minutes of recent meetings, accessible to participants.
They are the ones that maintain its status. They have websites, but none dedicated to it in particular.
http://standards.ieee.org/
http://grouper.ieee.org/groups/802/11/
You'll have to ask them, for "official" word.

Dave.

- Original Message -
From: "zhu yunwu" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Subject: Re: Does Freeradius support IAPP (802.11f)??
Date: Mon, 14 Aug 2006 15:52:33 +0800

On 8/11/06, David Mitton <[EMAIL PROTECTED]> wrote:
> One should be aware that 802.11f has been deprecated by the IEEE.
> To use it requires support in all your Access Points and the RADIUS
> server(s).

Thank you very much. This information is very important for me. But would you please tell me where you get it or know about it? I want to get more detailed information about it from official website.

     (Woodland)

Re: assign a value to an attribute via a script

2006-08-14 Thread Igor Smitran


- Original Message - 
From: "Philippe Bacquaert" <[EMAIL PROTECTED]>

To: "freeradius-users" 
Sent: Wednesday, April 26, 2006 10:46 AM
Subject: assign a value to an attribute via a script



Hello,

I'm searching how to use a script to modify the value of an
attribute.

When I try the example of radiusd.conf : Attribute-Name =
`%{echo:/path/to/program args}`

In my test I try to use a script to assign an IP address to
the Attribute Framed-IP-Address :
Framed-IP-Address = `%{dhcp:/etc/raddb/test %{User-Name}
%{NAS-IP-Address}}`

I've added this in the accounting module with the same result
as I want to fix this value in the attribute Framed-IP-Address
during the time of an active accounting session.

I've created an exec module :
exec dhcp {
    wait = yes
    input_pairs = request
    output_pairs = reply
    packet_type = Access-Accept
}

I get an error message when I try to start :
ERROR: Cannot find a configuration entry for module
"Framed-IP-Address".

The rest of the radiusd.conf configuration is pointing to a
MySQL database and works well.

I've tested successfully the script itself alone in the echo
module configuration : program = "/var/log/radius/test
%{User-Name} %{NAS-IP-Address}"

What am I doing wrong ?
Is something missing ?

Sincerely,
Philippe BACQUAERT


If you want to assign fixed ip address to a user add FramedIPAddress field 
into radreply table for that user? 



Re: Managing connection on Freeradius

2006-08-14 Thread Igor Smitran

   Hello all,

   I am quite new to freeradius and I am with a doubt. I have a
PPPoE-Server that authenticates the users into my FreeRadius server. The
problem is that if a client, by some reason, loses connection the
freeradius maintains the log about that connection and, if the client tries to
connect again, it says that simultaneous use is not allowed.

   So I have to delete radutmp and radwtmp, restart radius, and lose
track of connections.

   Is there any tool to make it easier? Or some configuration that if there
is no package coming from the client for 60 seconds it will disconnect the
client?



Read radzap help 



Re: Mikrotik router Tx/Rx attribute and freeradius

2006-08-14 Thread Igor Smitran

Is it possible to limit the data transfer rate with freeradius and
mikrotik? If possible then where should I specify what attribute. For
example I want to authenticate the users with freeradius + mysql and
mikrotik router and limit the Tx/Rx rate to 64Kbps/32Kbps.
How can I do that?


http://www.mikrotik.com/Documentation/manual_2.7/Basic/AAA.html#ht37996460


Re: (no subject)

2006-08-14 Thread Igor Smitran




  From: c k
  To: freeradius-users@lists.freeradius.org
  Sent: Tuesday, August 08, 2006 6:33 AM
  Subject: (no subject)

  I'm using EAP-TLS as an authentication protocol. I want to authorize the 
  clients in my network to access only certain protocol traffics. For some users 
  I want to allow only http, while for others http and ftp. How can I create such kind of profiles and 
  perform access control on routers? Sorry friends, I'm new to radius... plz help 
  me out.

You need a router that supports that kind of thing. 
Something like named access lists. Then you use freeradius to send the access list 
name to the router. Try to find what attributes your router can receive from radius. 
Try googling something like "your router name radius attributes".
If not, you can use different pools for users that 
have ftp access and users that don't have ftp access. For those pools you set up 
different access lists. After that you just use freeradius to give different IP 
addresses to users that have ftp access and users that don't have ftp 
access.

Re: Change RAD_REPLY item in rlm_perl, not add a new pair

2006-08-14 Thread Boian Jordanov
On Friday 11 August 2006 20:18, Alex French wrote:
> Hi,
>
> Does anyone know if anything was done on the issue below? I'm looking for
> this functionality too, and I'd prefer not to have to recompile the module
> if the feature is available in HEAD or similar (although I can't see
> that...).

No sorry,
but I can give you a patch if you want of course. 

>
> Thanks,
>
> Alex
>
> On 22/06/06, Kenneth Marshall <[EMAIL PROTECTED]> wrote:
> > On Thu, Jun 22, 2006 at 09:58:54AM +0300, Boian Jordanov wrote:
> > > Maybe passing a HASH ref for hash which contains the Operator key and
> >
> > the vp
> >
> > > item too will be a good idea. For example
> > >
> > > $hash{'Tunnel-Id'} = "visitor";
> > > $hash{'Operator'} = ":=";
> > > $RAD_REPLY{'Tunnel-Id'} = \%hash;
> > >
> > > This way we will not change existing behavior.
> >
> > I like this. One key feature missing in rlm_perl was the ability
> > to substitute values in attribute pairs, not just add a new one.
> >
> > Ken
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html

-- 
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002


Re: Does Freeradius support IAPP (802.11f)??

2006-08-14 Thread zhu yunwu

On 8/11/06, David Mitton <[EMAIL PROTECTED]> wrote:


> One should be aware that 802.11f has been deprecated by the IEEE.
> To use it requires support in all your Access Points and the RADIUS
> server(s).

Thank you very much. This information is very important for me. But would you please tell me where you get it or know about it? I want to get more detailed information about it from official website.
 

     (Woodland)

netflow per connection

2006-08-14 Thread Igor Smitran
Is there a way to have netflow data per session, instead of just total 
"octets in" and total "octets out"? I am trying to find a relatively easy 
way to charge users per netflow data, for example: local data is 50% 
discount, mail is 30% discount etc.


Thank you,
Igor 
