dialup admin and badusers

2006-12-29 Thread [EMAIL PROTECTED]
Hi,
I don't understand why dialup admin needs its own SQL table badusers and a 
script to get bad logins, whereas rejected users can be found in the freeradius 
table radpostauth?
Regards,
Thomas
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Freeradius, MySQL and unique accounting records.

2006-12-29 Thread Mark J Elkins
I'm getting multiple accounting_start_query records in my radacct 
table. When a Stop arrives, each gets the same accounting info (time 
online, bytes in, bytes out - etc)...
However - when I run SQL queries - I do not get true stats - which is a 
problem.


My accounting_start_query are stock standard (I'm running an oldish 
version of radius though).


What is happening is that I'm getting multiple Start Records - and 
logging each one.


   accounting_start_query = INSERT into ${acct_table1} 
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, 
NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, 
AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, 
AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, 
ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, 
AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', 
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', 
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', 
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', 
'%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')



INSERT into radacct_rad2 (AcctSessionId, AcctUniqueId, UserName, Realm, 
NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, 
AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, 
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, 
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, 
AcctStartDelay, AcctStopDelay) values('7/0/3/5.117_18EB0F13', 
'ade8e732c3a7aef6', '[EMAIL PROTECTED]', 'pop.co.za', '196.43.27.19', 
'1929707637', 'Virtual', '2006-12-20 06:03:25', '0', '0', 'RADIUS', 
'AutoShapedVC', '', '0', '0', '', '', '', 'Framed-User', 'PPP', 
'41.242.241.194', '0', '0');


INSERT into radacct_rad2 (AcctSessionId, AcctUniqueId, UserName, Realm, 
NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, 
AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, 
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, 
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, 
AcctStartDelay, AcctStopDelay) values('7/0/3/5.117_18EB0F13', 
'ade8e732c3a7aef6', '[EMAIL PROTECTED]', 'pop.co.za', '196.43.27.19', 
'1929707637', 'Virtual', '2006-12-20 06:03:29', '0', '0', 'RADIUS', 
'AutoShapedVC', '', '0', '0', '', '', '', 'Framed-User', 'PPP', 
'41.242.241.194', '5', '0');


INSERT into radacct_rad2 (AcctSessionId, AcctUniqueId, UserName, Realm, 
NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, 
AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, 
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, 
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, 
AcctStartDelay, AcctStopDelay) values('7/0/3/5.117_18EB0F13', 
'e71dbe474c39274d', '[EMAIL PROTECTED]', 'pop.co.za', '196.43.27.19', 
'1929707637', 'Virtual', '2006-12-20 06:03:35', '0', '0', 'RADIUS', 
'AutoShapedVC', '', '0', '0', '', '', '', 'Framed-User', 'PPP', 
'41.242.241.194', '15', '0');


INSERT into radacct_rad2 (AcctSessionId, AcctUniqueId, UserName, Realm, 
NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, 
AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, 
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, 
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, 
AcctStartDelay, AcctStopDelay) values('7/0/3/5.117_18EB0F13', 
'db5198a07e9ebe18', '[EMAIL PROTECTED]', 'pop.co.za', '196.43.27.19', 
'1929707637', 'Virtual', '2006-12-20 06:03:39', '0', '0', 'RADIUS', 
'AutoShapedVC', '', '0', '0', '', '', '', 'Framed-User', 'PPP', 
'41.242.241.194', '10', '0');


[the stop record]
UPDATE radacct_rad2 SET AcctStopTime = '2006-12-20 06:37:09', 
AcctSessionTime = '2040', AcctInputOctets = '2371574', AcctOutputOctets 
= '93521334', AcctTerminateCause = 'User-Request', AcctStopDelay = '0', 
ConnectInfo_stop = 'AutoShapedVC' WHERE  AcctSessionId = 
'7/0/3/5.117_18EB0F13' AND UserName = '[EMAIL PROTECTED]' AND 
NASIPAddress = '196.43.27.19';


The Acct-Delay-Time is different for each record - increases by 5 
seconds - etc.


So what do people do to maintain accurate accounting records?
For example - to get the current monthly data-in+out total for an 
individual - I run


MBYTE=$(mysql -u$USR -p$SQLPASS -h$DBHOST -B --skip-column-names $DB -e \
   "SELECT ROUND(SUM((AcctInputOctets + AcctOutputOctets)/1048576))
    FROM radacct WHERE AcctStartTime > '$monthstart' AND username =
    '[EMAIL PROTECTED]'")


Currently - this is quite quick - but would give me the wrong results 
for the above!


What about making the column AcctSessionId unique? (somehow) - or 
maybe a new column which contains AcctSessionId, UserName and 
NASIPAddress - or what do people suggest?


--
Posix Systems - Sth Africa
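
The duplicate-Start problem from the message above, replayed as an added example (not part of the original post or of FreeRADIUS). It assumes an in-memory SQLite table standing in for the MySQL radacct table, a hypothetical index name `session_key`, and the redacted user name exactly as the archive shows it. The retransmitted Starts carry different AcctUniqueId values, so the key used here is the one the Stop query already matches on.

```python
import sqlite3

# Constructed from the post's four Start INSERTs and its Stop UPDATE.
# Each tuple: (AcctUniqueId, AcctStartTime, AcctStartDelay).
STARTS = [
    ("ade8e732c3a7aef6", "2006-12-20 06:03:25", 0),
    ("ade8e732c3a7aef6", "2006-12-20 06:03:29", 5),
    ("e71dbe474c39274d", "2006-12-20 06:03:35", 15),
    ("db5198a07e9ebe18", "2006-12-20 06:03:39", 10),
]
# Session key = the Stop query's WHERE columns; user name is redacted in the archive.
KEY = ("7/0/3/5.117_18EB0F13", "[EMAIL PROTECTED]", "196.43.27.19")
STOP_OCTETS = (2371574, 93521334)  # AcctInputOctets, AcctOutputOctets

def replay(unique_key):
    """Replay the Starts and the Stop; optionally enforce one row per session."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (AcctSessionId TEXT, UserName TEXT,"
        " NASIPAddress TEXT, AcctUniqueId TEXT, AcctStartTime TEXT,"
        " AcctStartDelay INTEGER, AcctInputOctets INTEGER DEFAULT 0,"
        " AcctOutputOctets INTEGER DEFAULT 0)")
    if unique_key:
        db.execute("CREATE UNIQUE INDEX session_key ON radacct"
                   " (AcctSessionId, UserName, NASIPAddress)")
    for row in STARTS:
        # SQLite spelling; MySQL's equivalent is INSERT IGNORE.
        db.execute("INSERT OR IGNORE INTO radacct (AcctSessionId, UserName,"
                   " NASIPAddress, AcctUniqueId, AcctStartTime, AcctStartDelay)"
                   " VALUES (?, ?, ?, ?, ?, ?)", KEY + row)
    db.execute("UPDATE radacct SET AcctInputOctets = ?, AcctOutputOctets = ?"
               " WHERE AcctSessionId = ? AND UserName = ? AND NASIPAddress = ?",
               STOP_OCTETS + KEY)
    return db

def naive_total(db):
    """The post's monthly query, in bytes: sums every stored row."""
    return db.execute(
        "SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct").fetchone()[0]

def per_session_total(db):
    """Count each (session id, user, NAS) once, even if duplicates are stored."""
    return db.execute(
        "SELECT SUM(o) FROM (SELECT MAX(AcctInputOctets + AcctOutputOctets) AS o"
        " FROM radacct GROUP BY AcctSessionId, UserName, NASIPAddress)").fetchone()[0]

def distinct_unique_ids(db):
    """How many different AcctUniqueId values the stored rows carry."""
    return db.execute("SELECT COUNT(DISTINCT AcctUniqueId) FROM radacct").fetchone()[0]
```

Without the unique key the Stop's UPDATE fans out to all four rows and the naive sum is four times the real usage; with it, only the first Start is stored and both totals agree.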

Can anyone prove that := works as the documentation says it does?

2006-12-29 Thread Mike

Hi List,


   Can anyone here demonstrate a simple sql configuration that proves
that the := operator will in fact replace any attribute of the same
name, as the documentation says it does? Specifically, I want to see an
attribute set in radreply which is then overwritten in radgroupreply, if
the user belongs to a certain group. I'm only able to demonstrate that
group processing works, but := acts exactly like = for the purposes of
this test.

Mike



Possible to define range of users?

2006-12-29 Thread Ran Shenhar
Hi All,
I was wondering if the users file can hold some definition for a group
of users, for example users with IP 192.168.1.*?
I've seen the group example
(http://wiki.freeradius.org/index.php/FAQ#How_do_I_deny_access_to_a_specific_user.2C_or_group_of_users.3F),
but didn't understand if that also helps in my case.

I've also seen http://www.freeradius.org/doc/users.5.html and the =~ for
regex, but trying to use that with a User-Name attribute (User-Name =~
10.100.0.*, Auth-Type := Local, User-Password == my pass), the config
file couldn't be parsed, with this message:
/usr/local/etc/raddb/users-grande-ATM[1]: Parse error (check) for entry
User-Name: expecting '='
/usr/local/etc/raddb/users[6]: Could not open included file
/usr/local/etc/raddb/users-grande-ATM: Success
Errors reading /usr/local/etc/raddb/users
radiusd.conf[1035]: files: Module instantiation failed.

Am I missing something here, or is this not supported?

TIA,



Re: dialup admin and badusers

2006-12-29 Thread Kostas Kalevras

[EMAIL PROTECTED] wrote:

> hi,
>
> i don't understand why dialup admin need its own sql table badusers 
> and a script to get bad logins whereas rejected users can be found in 
> the freeradius table radpostauth ?


badusers serves a completely different purpose. As for log_badlogins:
1. It was created before post-auth functionality was added in rlm_sql.
2. It's able to store records in the radacct table in a convenient 
format for dialupadmin to show bad logins.
3. It's able to send bad login information to other sql servers using 
a buffer file, which is convenient to keep bad login information within 
a replicated infrastructure.


Having a freeradius attribute Reject-Reason which could hold values such 
as Multiple-Login, Invalid-User, Outside-Timestamp and freeradius setting 
it on reject would be a step forward though.



> Regards,
>
> Thomas



PostAuth SQL logging

2006-12-29 Thread Cory Robson

I have freeradius logging failed login attempts to the postauth table, what
in the sql syntax do I need to change to log the reason for the
access-reject (ie password invalid, account expired, or session limit
reached)?

Cory
