Re: Consuming card code
> Can I implement user login, consuming of card codes, etc. with only packets (acct), or am I missing some crucial points?

No idea. What card codes are you talking about?

> The problem: There is a host that controls internet access for 25 different machines. For having internet access, the machine user must type a prepaid code (there are 1000 generated prepaid valid codes). With one prepaid code the user can use the internet for 1h. If the user used only 20min of his current prepaid code, he can use it again on another machine (this code now gives 40min of internet access).
>
> My naive solution: Use freeradius on the host and a special .net app on every user machine to control everything. I hope that I (user, client) can make a behaviour of communicating with freeradius every 10sec and consuming 10sec of the currently selected card code.

You don't want to send accounting packets to the server every 10s. It's a very bad idea. If you need 10s granularity on accounting, use a local database.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Force user disconnect on NAS
This works fine for me. It is a POD message (packet of disconnect). Check the port number, and check the NAS and radius log files if it doesn't work. If you have some programming skills, you can create a scheduled script to disconnect all active users at a specific time...

User-Name = [EMAIL PROTECTED]
Acct-Status-Type = Start
Acct-Session-Id = 12345678.90.123
NAS-Identifier = router
NAS-IP-Address = 200.10.50.100
NAS-Port-Type = Virtual
Framed-IP-Address = 200.10.50.1
Acct-Delay-Time = 0
Client-IP-Address = 200.10.50.100
Acct-Unique-Session-Id = 8d120506b2972302

I put this in packet.txt. I tried:

cat packet.txt | radclient -x 200.10.50.100:3799 disconnect mysecret
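What radclient does with that packet.txt, shown as an added example that is not part of the post or of FreeRADIUS: it builds a Disconnect-Request (code 40, RFC 5176) for the session named by User-Name and Acct-Session-Id, signs it with the shared secret the NAS has configured for its disconnect port, and checks the Disconnect-ACK/NAK that comes back. The secret "mysecret", the address 200.10.50.100 and the user name are taken from the post or made up for the example; the NAS reply is simulated locally so the code runs offline.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176, attribute types from RFC 2865/2866.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44


def attr(atype, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    if isinstance(value, str):
        value = value.encode()
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def ipv4(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_disconnect_request(ident, secret, username, session_id, nas_ip):
    """Build a Disconnect-Request.

    RFC 5176 2.3: the Request Authenticator is MD5 over Code, Identifier,
    Length, sixteen zero octets, the attributes and the shared secret.  It is
    the only integrity protection on the packet, so the NAS should only accept
    it from the RADIUS server's address with the right secret."""
    attrs = (attr(USER_NAME, username)
             + attr(ACCT_SESSION_ID, session_id)
             + attr(NAS_IP_ADDRESS, ipv4(nas_ip)))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret.encode()).digest()
    return header + authenticator + attrs


def request_authenticator_ok(request, secret):
    """What the NAS recomputes before acting on a Disconnect-Request."""
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret.encode()).digest()
    return hmac.compare_digest(expected, request[4:20])


def verify_response(response, request, secret):
    """Validate a Disconnect-ACK/NAK against the request it answers.

    The Response Authenticator is MD5 over Code, Identifier, Length, the
    request's authenticator, the response attributes and the secret.
    Returns the response code, or None if anything does not check out."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:]
                           + secret.encode()).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def simulated_nas_reply(request, secret, ack=True):
    """Constructed stand-in for the NAS so the example runs offline:
    an ACK or NAK with no attributes, signed with the NAS's secret."""
    code = DISCONNECT_ACK if ack else DISCONNECT_NAK
    header = struct.pack("!BBH", code, request[1], 20)
    authenticator = hashlib.md5(header + request[4:20] + secret.encode()).digest()
    return header + authenticator


if __name__ == "__main__":
    # For a real NAS: sock.sendto(req, ("200.10.50.100", 3799)) over UDP and
    # pass the datagram that comes back to verify_response().
    req = build_disconnect_request(7, "mysecret", "user@example.com",
                                   "12345678.90.123", "200.10.50.100")
    print(verify_response(simulated_nas_reply(req, "mysecret"), req, "mysecret"))
```

A NAS that has a different secret for port 3799 than for authentication, or that is not configured to accept disconnects at all, answers with nothing or a NAK; that is the "check port number and secret" case from the post. Message-Authenticator (HMAC-MD5) is left out here; with only the MD5 request authenticator the secret must be strong and the port must be firewalled to the server's address.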
Re: Consuming card code
Hey Juraj,

I think that you are over-complicating things. This is rather easy to implement: you simply need to create a pincode-auth scenario, and for limiting the time you can use the Max-All-Session attribute. Be sure to check daloRADIUS as a management platform for RADIUS and Hotspot deployments (if you're working with SQL databases, MySQL specifically, though others are supported too).

daloRADIUS: http://sourceforge.net/projects/daloradius/

I'll be glad to be of help if you need assistance in implementing this kind of solution in your network.

On Thu, Feb 28, 2008 at 9:50 AM, Juraj Bilic [EMAIL PROTECTED] wrote:
> The problem: There is a host that controls internet access for 25 different machines. For having internet access, the machine user must type a prepaid code (there are 1000 generated prepaid valid codes). With one prepaid code the user can use the internet for 1h. If the user used only 20min of his current prepaid code, he can use it again on another machine (this code now gives 40min of internet access).
>
> My naive solution: Use freeradius on the host and a special .net app on every user machine to control everything.

Regards,
Liran Tal.
freeradius web administration
Hi, I'm using the freeradius server as a proxy, and I want to administrate it in web mode. Please, can you give me applications, or tell me how I can implement the web mode option on my freeradius server? Thanks for all.
Re: Consuming card code
> The problem: There is a host that controls internet access for 25 different machines. For having internet access, the machine user must type a prepaid code (there are 1000 generated prepaid valid codes). With one prepaid code the user can use the internet for 1h. If the user used only 20min of his current prepaid code, he can use it again on another machine (this code now gives 40min of internet access).
>
> My naive solution: Use freeradius on the host and a special .net app on every user machine to control everything.

Use the freeradius total (sql)counter instead.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius web administration
Hey Parfait,

Are you referring to the management of the FreeRADIUS configuration (i.e. radiusd.conf, sql.conf, proxy.conf, etc.) or are you talking about the management of users?

On Thu, Feb 28, 2008 at 11:22 AM, parfait kouassi nda [EMAIL PROTECTED] wrote:
> Hi, I'm using the freeradius server as a proxy, and I want to administrate it in web mode. Please, can you give me applications, or tell me how I can implement the web mode option on my freeradius server? Thanks for all.

Regards,
Liran Tal.
Re: freeradius web administration
http://www.freeradius.org/dialupadmin.html

Ivan Kalik
Kalik Informatika ISP

On 28/2/2008, parfait kouassi nda [EMAIL PROTECTED] wrote:
> Hi, I'm using the freeradius server as a proxy, and I want to administrate it in web mode. Please, can you give me applications, or tell me how I can implement the web mode option on my freeradius server? Thanks for all.
Re: header enrichment
Please have a look inline. Thanks.

Normally in mobile services there's no specification in the header about the connection type.

*Which header? You are assuming that everyone here is familiar with 3g
*terminology. You were already told we were not.

I didn't mention anything about 3G, I spoke about mobile services; I think you know perfectly which kind of services I'm talking about. Anyway, I can try to support you:

Mobile Services: means all the services that a mobile operator can give to the customers, from SMS to WAP connections. Normally, when the user connects to the mobile operator's network infrastructure, the connection (mainly if we are talking about a WAP connection) is treated as an internet connection, and the mobile browser request contains an http header as well as a common internet header. Now, using some infrastructure, it is possible to add more parameters to the header. Much sniffing was done, but only specific equipment allows enriching the header with this information.

*Could you describe what you mean in more words? It is meaningless to
*say enrich the header. We have no idea what you mean by that.

"Enrich the header", as for a Google search, is a particular feature of a system to add a specific tag to the header, and it's a common way to describe the procedure. Below, attached, is an example of a mobile header; the entry Nokia-bearer is the one that gives info about the connection type. We need to determine the type of the connection to add to the header the needed parameters. Normally in a mobile operator some particular equipment is used, as well as a radius server, to get network parameters such as the connection type (I mean the connection established by the user). This is why I asked. I hope everything is clear now!

Thanks

--header example---
GET /wap/ HTTP/1.0
If-None-Match: 0-6f-3e6cf51a
Accept: image/gif, text/x-vCalendar, image/vnd.wap.wbmp, application/vnd.wap.wmlscriptc, text/x-vCard, application/vnd.wap.wmlc, application/vnd.wap.wbxml, text/vnd.wap.wml, text/vnd.wap.wmlscript, text/plain
Accept-Language: en
Accept-Charset: US-ASCII, ISO-8859-1, UTF-8, ISO-10646-UCS-2
profile: http://wap.sonyericssonmobile.com/UAprof/T200.xml
User-Agent: SonyEricssonT200/R101
bearer-indication: 0
accept-application: 1,2
X-Nokia-CONNECTION_MODE: CMODE
X-Nokia-BEARER: GPRS          -- PARAMETER NEEDED; FREERADIUS CAN HELP??
X-Nokia-gateway-id: NAWG/3.1/Build52
Via: WTP/1.1 Vodafone wap FTC (Nokia WAP Gateway 3.1/ECD9/3.1.52), 1.1 vlsp1:9010 (squid/2.5.STABLE3)
X-Forwarded-For: 172.27.9.3
Host: redsox.tcs.auckland.ac.nz
RE: EAP-PEAP with LDAP for 802.1x authentication
I have installed smbldap-tools and tried to modify existing LDAP records using smbldap-usermod after updating smbldap.conf and smbldap_bind.conf to connect to the LDAP, but I keep getting an error that the user cannot be found.

Using ldapsearch, syslog shows:

Feb 28 17:54:42 advert slapd[5679]: connection_get(10)
Feb 28 17:54:42 advert slapd[5679]: ==> bdb_bind: dn: cn=admin,o=com
Feb 28 17:54:42 advert slapd[5679]: send_ldap_result: err=0 matched= text=
Feb 28 17:54:42 advert slapd[5679]: connection_get(10)
Feb 28 17:54:42 advert slapd[5679]: SRCH o=com 2 0
Feb 28 17:54:42 advert slapd[5679]: 0 0 0
Feb 28 17:54:42 advert slapd[5679]: filter: (&(objectClass=advert-account)(uid=samba_servers))
Feb 28 17:54:42 advert slapd[5679]: attrs:

But using smbldap-usermod, syslog shows:

Feb 28 17:57:25 advert slapd[5679]: connection_get(10)
Feb 28 17:57:25 advert slapd[5679]: ==> bdb_bind: dn: cn=admin,o=com
Feb 28 17:57:25 advert slapd[5679]: send_ldap_result: err=0 matched= text=
Feb 28 17:57:25 advert slapd[5679]: connection_get(10)
Feb 28 17:57:25 advert slapd[5679]: SRCH o=com 2 2
Feb 28 17:57:25 advert slapd[5679]: 0 0 0
Feb 28 17:57:25 advert slapd[5679]: filter: (&(?=undefined)(uid=samba_servers))
Feb 28 17:57:25 advert slapd[5679]: attrs:
Feb 28 17:57:25 advert slapd[5679]:
Feb 28 17:57:25 advert slapd[5679]: bdb_idl_fetch_key: [b49d1940]
Feb 28 17:57:25 advert slapd[5679]: send_ldap_result: err=0 matched= text=
Feb 28 17:57:25 advert slapd[5679]: connection_get(10)

This is not a freeradius issue, but can someone advise what could be the problem?

Regards,
Ryan
Re: header enrichment
Mauro,

On 28/02/2008, mauro [EMAIL PROTECTED] wrote:
> Please have a look inline. Thanks.
>
> Normally in mobile services there's no specification in the header about the connection type.
>
> *Which header? You are assuming that everyone here is familiar with 3g
> *terminology. You were already told we were not.
>
> I didn't mention anything about 3G, I spoke about mobile services; I think you know perfectly which kind of services I'm talking about. Anyway, I can try to support you:

What makes you believe that people familiar with RADIUS would be guaranteed to know perfectly which kind of services you're talking about? You're clearly familiar with mobile services, so I assume that you know perfectly well how to configure a RADIUS server. However, I'm prepared to try to support you!

> Mobile Services: means all the services that a mobile operator can give to the customers, from SMS to WAP connections. Normally, when the user connects to the mobile operator's network infrastructure, the connection (mainly if we are talking about a WAP connection) is treated as an internet connection, and the mobile browser request contains an http header as well as a common internet header. Now, using some infrastructure, it is possible to add more parameters to the header. Much sniffing was done, but only specific equipment allows enriching the header with this information.
>
> *Could you describe what you mean in more words? It is meaningless to
> *say enrich the header. We have no idea what you mean by that.
>
> "Enrich the header", as for a Google search, is a particular feature of a system to add a specific tag to the header, and it's a common way to describe the procedure. Below, attached, is an example of a mobile header; the entry Nokia-bearer is the one that gives info about the connection type. We need to determine the type of the connection

Pointing us to Google when you have not given a clear explanation of which header attributes you wish to enrich is not at all helpful. I have a general understanding of what 'header enrichment' is. You just didn't give me any info regarding what you wanted to enrich your headers with.

> to add to the header the needed parameters. Normally in a mobile operator some particular equipment is used, as well as a radius server, to get network parameters such as the connection type (I mean the connection established by the user). This is why I asked. I hope everything is clear now!
>
> Thanks

If there is a RADIUS attribute/VSA that can be interpreted by the RADIUS client as containing the information required to enrich your headers, and the client then does the right thing with the Value of that AV pair, then yes, it can be done. If the RADIUS client cannot take the information from a specific AVP, then no, it cannot be done without development work by your client vendor (nothing the server can do to force it).

Hope that helps,
Guy

> --header example---
> GET /wap/ HTTP/1.0
> If-None-Match: 0-6f-3e6cf51a
> Accept: image/gif, text/x-vCalendar, image/vnd.wap.wbmp, application/vnd.wap.wmlscriptc, text/x-vCard, application/vnd.wap.wmlc, application/vnd.wap.wbxml, text/vnd.wap.wml, text/vnd.wap.wmlscript, text/plain
> Accept-Language: en
> Accept-Charset: US-ASCII, ISO-8859-1, UTF-8, ISO-10646-UCS-2
> profile: http://wap.sonyericssonmobile.com/UAprof/T200.xml
> User-Agent: SonyEricssonT200/R101
> bearer-indication: 0
> accept-application: 1,2
> X-Nokia-CONNECTION_MODE: CMODE
> X-Nokia-BEARER: GPRS          -- PARAMETER NEEDED; FREERADIUS CAN HELP??
> X-Nokia-gateway-id: NAWG/3.1/Build52
> Via: WTP/1.1 Vodafone wap FTC (Nokia WAP Gateway 3.1/ECD9/3.1.52), 1.1 vlsp1:9010 (squid/2.5.STABLE3)
> X-Forwarded-For: 172.27.9.3
> Host: redsox.tcs.auckland.ac.nz
Re: header enrichment
Hi,

Ah! So you are speaking of *HTML* headers? That was absolutely not clear up to now... This is a RADIUS mailing list though.

I assume you would like to see that the RADIUS server sends specific attributes in an Access-Accept message, whose values then get injected into a HTML header by some WAP gateway? Right?

Two things then:

1) you can instruct FreeRADIUS to send any attribute you like in its Accept messages. Most are well-known and predefined in the dictionaries; others can be added by yourself (by, well, providing a dictionary file for these attributes).

2) it is not the RADIUS server's business what the WAP gateway (or any other NAS) *does* with those attributes. Read the gateway's documentation on whether it can do the kind of magic you speak about here. If the WAP gateway can't do it, then no RADIUS server can help you. If it can do it, the documentation will hopefully reveal the names and values of the attributes that you have to send.

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu   Fax: +352 422473
limiting user access by day
Hi all,

I'm currently setting up a freeradius server for a hotspot, but right now I have a problem with limiting user access to particular days. As an example: user1 may access on Monday to Friday, and user2 only on Saturday or Sunday. And each user is limited to one day of access only; after that day he/she can't log in again. Is there any module or attribute to set up radius for this system?

Any help would be appreciated.

Thank you
Budiono
Re: limiting user access by day
Login-Time to restrict the user to the days on which he can log in. And set Expiration to the end of the current day (? 24 hours - what's a day) on first login (script).

Ivan Kalik
Kalik Informatika ISP

On 28/2/2008, Budiono U. [EMAIL PROTECTED] wrote:
> Hi all,
>
> I'm currently setting up a freeradius server for a hotspot, but right now I have a problem with limiting user access to particular days. As an example: user1 may access on Monday to Friday, and user2 only on Saturday or Sunday. And each user is limited to one day of access only; after that day he/she can't log in again. Is there any module or attribute to set up radius for this system?
>
> Any help would be appreciated.
>
> Thank you
> Budiono
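How the Login-Time check item from the reply above is evaluated, as an added example (my code, not rlm_logintime's and not from the thread). It parses the users-file syntax FreeRADIUS uses for Login-Time (day codes Mo..Su, Wk for Monday to Friday, Al/Any for every day, an optional HHMM-HHMM window, entries separated by commas or "|"), decides whether a login at a given moment is allowed, and computes the Session-Timeout the server should hand back so the NAS ends the session when the window closes. Treating "2200-0600" as a window that wraps past midnight, and start == end as a full day, is my choice; the test dates are made up.

```python
import re
from datetime import datetime

DAY_INDEX = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
TOKEN_RE = re.compile(r"Al|Any|Wk|Mo|Tu|We|Th|Fr|Sa|Su")
ENTRY_RE = re.compile(r"^((?:Al|Any|Wk|Mo|Tu|We|Th|Fr|Sa|Su)+)(?:(\d{4})-(\d{4}))?$")


def _minutes(hhmm):
    hours, mins = int(hhmm[:2]), int(hhmm[2:])
    if mins > 59 or hours * 60 + mins > 1440:
        raise ValueError("bad time %r" % hhmm)
    return hours * 60 + mins


def _as_datetime(when):
    if isinstance(when, datetime):
        return when
    return datetime.strptime(when, "%Y-%m-%d %H:%M:%S")


def parse_login_time(spec):
    """Expand a Login-Time value into a 7 x 1440 table of allowed minutes,
    indexed [weekday][minute_of_day] with Monday = 0 (Python's weekday())."""
    week = [[False] * 1440 for _ in range(7)]
    for entry in re.split(r"[,|]", spec.replace(" ", "")):
        if not entry:
            continue
        match = ENTRY_RE.match(entry)
        if not match:
            raise ValueError("bad Login-Time entry %r" % entry)
        days = set()
        for token in TOKEN_RE.findall(match.group(1)):
            if token in ("Al", "Any"):
                days.update(range(7))
            elif token == "Wk":
                days.update(range(5))
            else:
                days.add(DAY_INDEX[token])
        if match.group(2) is None:
            start, end = 0, 1440          # no time range: the whole day
        else:
            start, end = _minutes(match.group(2)), _minutes(match.group(3))
        for day in days:
            if start < end:
                spans = [(day, start, end)]
            else:                          # wraps past midnight, e.g. Fr2200-0600
                spans = [(day, start, 1440), ((day + 1) % 7, 0, end)]
            for d, lo, hi in spans:
                for minute in range(lo, hi):
                    week[d][minute] = True
    return week


def login_allowed(spec, when):
    """Would this user be let in at `when` (datetime or 'YYYY-MM-DD HH:MM:SS')?"""
    when = _as_datetime(when)
    return parse_login_time(spec)[when.weekday()][when.hour * 60 + when.minute]


def session_timeout(spec, when):
    """Seconds until the current window closes, i.e. the Session-Timeout to
    return so the NAS drops the session on time.  None when the user is allowed
    all week (no timeout needed), 0 when the login is not allowed right now."""
    when = _as_datetime(when)
    week = parse_login_time(spec)
    if all(all(day) for day in week):
        return None
    day, minute = when.weekday(), when.hour * 60 + when.minute
    if not week[day][minute]:
        return 0
    following = 0                          # whole allowed minutes after this one
    for _ in range(7 * 1440):
        minute += 1
        if minute == 1440:
            minute, day = 0, (day + 1) % 7
        if not week[day][minute]:
            break
        following += 1
    return (60 - when.second) + following * 60
```

For Budiono's case, user1 gets Login-Time = "Wk0800-1800" (or just "Wk") and user2 gets "Sa,Su"; the one-day limit is the separate Expiration step from the reply, which a script sets on first login.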
Two networks: WEP+MAC Filtering and WPA(PEAP)
Hello,

I would like to set up two WLAN networks on one AP with different VLANs. From Radius I need MAC authorization for network #1 and WPA(PEAP) authorization for network #2. I have successfully set up both types of authorization separately.

Could you please correct me about mac authorization. In my debug log I see the mac authorization request:

rad_recv: Access-Request packet from host 10.10.10.139:6001, id=7, length=115
        User-Name = 00-18-de-4e-8f-1d
        User-Password = secret
        NAS-IP-Address = x.x.x.139
        Called-Station-Id = 00-20-a6-64-66-a3:A
        Calling-Station-Id = 00-18-de-4e-8f-1d
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11

I have this entry in my users file:

00-18-de-4e-8f-1d Auth-Type := Local, User-Password == secret

Is this the correct (right) way to control MAC addresses through radius?

Another question is: what is the correct way to separate the two types (MAC/PEAP) of requests to the radius server? At this moment I have a situation when my MAC request tries to authorize through LDAP and only afterwards looks in the users file.

rad_recv: Access-Request packet from host 89.113.128.139:6001, id=7, length=115
        User-Name = 00-18-de-4e-8f-1d
        User-Password = secret
        NAS-IP-Address = 89.113.128.139
        Called-Station-Id = 00-20-a6-64-66-a3:A
        Calling-Station-Id = 00-18-de-4e-8f-1d
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "00-18-de-4e-8f-1d", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    rlm_realm: No '\' in User-Name = "00-18-de-4e-8f-1d", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry 00-18-de-4e-8f-1d at line 2
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00-18-de-4e-8f-1d
radius_xlat:  '(&(uid=00-18-de-4e-8f-1d)(objectClass=posixAccount))'
radius_xlat:  'dc=x,dc=xxx,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=x,dc=xxx,dc=com, with filter (&(uid=00-18-de-4e-8f-1d)(objectClass=posixAccount))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 7 to xx.xx.xx.139 port 6001
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 7 with timestamp 47c698d

Thanks a lot
Era
Need to customized the table schema.
Hi,

I am using freeradius 2 with MS SQL 2000. I want to make a database schema of my own to store only the username and password in MS SQL. I would like to modify the query so that the radius server reads only this information from my customized table. I've tried modifying the sql queries in dialup.conf to read from my table, but it doesn't work. Please help.

Here is the piece of output of the radius server after rejecting the username and the password:

rad_recv: Access-Request packet from host 127.0.0.1 port 32835, id=208, length=56
        User-Name = John
        User-Password = 1
        NAS-IP-Address = 192.168.2.227
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = John, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> John
rlm_sql (sql): sql_set_user escaped user --> 'John'
rlm_sql (sql): Reserving sql socket id: 4
        expand: SELECT name,value FROM checking WHERE name = '%{SQL-User-Name}' -> SELECT name,value FROM checking WHERE name = 'John'
query: SELECT name,value FROM checking WHERE name = 'John'
rlm_sql: The 'Attribute' field is empty or NULL, skipping the entire row.
rlm_sql (sql): Error getting data from database
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
Invalid user: [John/1] (from client localhost port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> John
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 208 to 127.0.0.1 port 32835
Waking up in 4.9 seconds.
Cleaning up request 0 ID 208 with timestamp +17
Ready to process requests.

With Regards
Elangbam Johnson
Re: Two networks: WEP+MAC Filtering and WPA(PEAP)
> Could you please correct me about mac authorization. In my debug log I see the mac authorization request:
>
> rad_recv: Access-Request packet from host 10.10.10.139:6001, id=7, length=115
>         User-Name = 00-18-de-4e-8f-1d
>         User-Password = secret
>         NAS-IP-Address = x.x.x.139
>         Called-Station-Id = 00-20-a6-64-66-a3:A
>         Calling-Station-Id = 00-18-de-4e-8f-1d
>         NAS-Port = 2
>         NAS-Port-Type = Wireless-802.11
>
> I have this entry in my users file:
>
> 00-18-de-4e-8f-1d Auth-Type := Local, User-Password == secret

That's incorrect. On a recent (1.1.7 or 2.x) version of the server, assuming you haven't fiddled with the default config too much, do this:

00-18-de-4e-8f-1d Cleartext-Password := secret

However, this system has some disadvantages; specifically if you use another NAS (AP, switch) that doesn't send "secret" or formats the username differently.

> Is this the correct (right) way to control MAC addresses through radius?

There's no one correct way. It depends on your environment. We (for example) look up the Calling-Station-Id in SQL and allow or deny based on that.

> Another question is: what is the correct way to separate the two types (MAC/PEAP) of requests to the radius server?

Yes. You didn't say what version of the server you're using, but in 1.1.x you can do this:

modules {
    files {
        ..
    }
    # second instance of rlm_files, named files_macauth, pointed at its own users file
    files files_macauth {
        ...
    }
}

authorize {
    preprocess
    files
    Autz-Type MACAUTH {
        files_macauth
    }
    Autz-Type OTHER {
        ldap
        eap
        mschap
    }
}

...then in users:

# match mac addresses, set autz-type
DEFAULT User-Name =~ "^..-..-..-..-..-..$", Autz-Type := MACAUTH
        Fall-Through = No

# everything else is eap, ldap
DEFAULT Autz-Type := OTHER

...see doc/Autz-Type for more info. In 2.x you can make use of the virtual server capabilities.
Re: Need to customized the table schema.
> Hi, I am using freeradius 2 with MS SQL 2000. I want to make a database schema of my own to store only the username and password in MS SQL. I would like to modify the query so that the radius server reads only this information from my customized table.

I assume that this means that you have removed the Attribute and op fields from the radcheck table.

> I've tried modifying the sql queries in dialup.conf to read from my table, but it doesn't work. Please help. Here is the piece of output of the radius server after rejecting the username and the password.

You will need to fix the value of the password attribute and the appropriate operator in the rlm_sql code. It expects to read that from the database.

Ivan Kalik
Kalik Informatika ISP
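The alternative to patching rlm_sql is to let the query itself supply the columns the module expects, which is what the debug output is complaining about. This added example (mine, not FreeRADIUS code and not from the thread) models how rlm_sql reads the check query result positionally as id, username, attribute, value, op, shows why the two-column query from the log fails, and shows a query that synthesises the missing columns as constants so the existing "checking" table needs no change. The table and rows are constructed stand-ins in sqlite so the example runs offline; in sql.conf the ? placeholder would be '%{SQL-User-Name}'.

```python
import sqlite3

# Constructed stand-in for the poster's table: just a name and a password value.
SCHEMA = "CREATE TABLE checking (name TEXT PRIMARY KEY, value TEXT NOT NULL)"
ROWS = [("John", "1"), ("alice", "s3cret")]

# The query from the log.  rlm_sql ignores column names and reads each row
# positionally, so with only two columns the attribute column (index 2) is
# missing and the module logs "The 'Attribute' field is empty or NULL".
BROKEN_CHECK_QUERY = "SELECT name, value FROM checking WHERE name = ?"

# Same table, but the query manufactures the columns rlm_sql wants.  The
# attribute name must match the auth method: Cleartext-Password serves PAP,
# CHAP and MS-CHAP (and therefore PEAP/MS-CHAPv2).  Single-quoted string
# literals are valid in T-SQL as well as sqlite.
FIXED_CHECK_QUERY = (
    "SELECT name AS id, name AS username, "
    "'Cleartext-Password' AS attribute, value AS value, ':=' AS op "
    "FROM checking WHERE name = ?"
)


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO checking VALUES (?, ?)", ROWS)
    return db


def sql_authorize(db, check_query, username):
    """Model of rlm_sql's authorize step for check items only.

    Returns ("notfound", []) when no rows come back, ("fail", []) when a row
    cannot be turned into a check item (the case in the log: the module gives
    up on the request), and ("ok", [(attribute, op, value), ...]) otherwise."""
    rows = db.execute(check_query, (username,)).fetchall()
    if not rows:
        return "notfound", []
    items = []
    for row in rows:
        if len(row) < 5 or not row[2]:
            # rlm_sql: "The 'Attribute' field is empty or NULL, skipping the
            # entire row" then "Error getting data from database" -> fail
            return "fail", []
        items.append((row[2], row[4], row[3]))
    return "ok", items


if __name__ == "__main__":
    db = open_db()
    print(sql_authorize(db, BROKEN_CHECK_QUERY, "John"))
    print(sql_authorize(db, FIXED_CHECK_QUERY, "John"))
```

Storing cleartext passwords is what makes the constant attribute name possible; if the column held NT hashes the literal would be 'NT-Password' instead, and PAP would then still work but CHAP would not.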
Re: Two networks: WEP+MAC Filtering and WPA(PEAP)
> rad_recv: Access-Request packet from host 10.10.10.139:6001, id=7, length=115
>         User-Name = 00-18-de-4e-8f-1d
>         User-Password = secret
>         NAS-IP-Address = x.x.x.139
>         Called-Station-Id = 00-20-a6-64-66-a3:A
>         Calling-Station-Id = 00-18-de-4e-8f-1d
>         NAS-Port = 2
>         NAS-Port-Type = Wireless-802.11
>
> I have this entry in my users file:
>
> 00-18-de-4e-8f-1d Auth-Type := Local, User-Password == secret
>
> Is this the correct (right) way to control MAC addresses through radius?

This will work fine, considering that the mac address will not be used for mschap, eap etc. The correct way is not to use Auth-Type, and to use Cleartext-Password with := as the operator (if this is a recent Freeradius version).

> Another question is: what is the correct way to separate the two types (MAC/PEAP) of requests to the radius server?

There is nothing to do. mac auth will be a pap request (like the one you posted) and peap will be an eap request. So, your AP will do that for you.

> At this moment I have a situation when my MAC request tries to authorize through LDAP and only afterwards looks in the users file.

Upgrade to 2.0.2. Then you can process pap and eap requests differently.

Ivan Kalik
Kalik Informatika ISP
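The two replies above split the same way: a PEAP request carries EAP-Message, a MAC-auth request is a plain PAP request whose User-Name is the station address. This added example (mine, not from either reply or from FreeRADIUS) does that classification on the request attributes, normalises the MAC spellings different NASes send (the disadvantage Phil mentions), and for the MAC path accepts only when User-Name and Calling-Station-Id name the same station and that station is on an allow-list. The allow-list, the attribute dicts and the EAP-Message bytes are constructed for the example; the station address comes from Era's log.

```python
import re

# Constructed allow-list for the WEP/MAC-filtered VLAN.
ALLOWED_MACS = {"00-18-de-4e-8f-1d"}


def canonical_mac(value):
    """Normalise 00-18-de-4e-8f-1d, 00:18:DE:4E:8F:1D, 0018.de4e.8f1d and
    0018de4e8f1d to aa-bb-cc-dd-ee-ff.  Returns None for anything that is not
    a MAC address (an ordinary user name, or a Called-Station-Id with an SSID
    suffix)."""
    if not value or not re.fullmatch(r"[0-9A-Fa-f:.\-]+", value):
        return None
    digits = re.sub(r"[:.\-]", "", value)
    if len(digits) != 12:
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def classify(request):
    """Which path an Access-Request (dict of attribute -> value) takes:
    'eap' for PEAP on the WPA VLAN, 'macauth' for a PAP request whose
    User-Name is a MAC, 'other' for everything else."""
    if "EAP-Message" in request:
        return "eap"
    return "macauth" if canonical_mac(request.get("User-Name")) else "other"


def macauth_decision(request):
    """Accept a MAC-auth request only if User-Name and Calling-Station-Id agree
    and the station is allowed.  User-Name is attacker-chosen text; the
    Calling-Station-Id is at least what the AP saw on the air, and the
    User-Password is the same fixed string for every station, so it proves
    nothing on its own."""
    if classify(request) != "macauth":
        return "reject"
    user = canonical_mac(request.get("User-Name"))
    caller = canonical_mac(request.get("Calling-Station-Id"))
    if caller is None or user != caller:
        return "reject"
    return "accept" if user in ALLOWED_MACS else "reject"


if __name__ == "__main__":
    era = {"User-Name": "00-18-de-4e-8f-1d", "User-Password": "secret",
           "Calling-Station-Id": "00-18-de-4e-8f-1d", "NAS-Port-Type": "Wireless-802.11"}
    print(classify(era), macauth_decision(era))
```

None of this makes MAC filtering an authentication: a station address is broadcast in every frame and trivially cloned. It gates the WEP VLAN against casual use only; anything that matters belongs on the PEAP VLAN.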
Re: Consuming card code
I've found the answer to my dilemma. With radiusmanager3 I set the available online time to 1h, and with the acct packet subtract seconds from the available online time. The main solution lies in two attributes: Acct-Status-Type = Interim-Update and Acct-Session-Time = seconds.

Thanks for all the support by repliers ;)

----- Original Message -----
From: Juraj Bilic [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, February 27, 2008 6:50:12 PM
Subject: Consuming card code

I'm using freeradius-1.1.7 on my remote unix machine and developing my client .net application. By now I have successfully made authorization and start/stop accounting requests/responses (packet send/receive logic). With radiusManager3 I generated card series, services...

Can I implement user login, consuming of card codes, etc. with only packets (acct), or am I missing some crucial points?

I hope that I (user, client) can make a behaviour of communicating with freeradius every 10sec and consuming 10sec of the currently selected card code.

Thank you for your time,
Juraj
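Ivan's "use the sql counter" and Juraj's resolution (Interim-Update plus Acct-Session-Time) are the same mechanism; this added example (mine, not radiusmanager3's, FreeRADIUS's or the thread's code) puts both together for the card problem from the original post. Each card is one hour; on Access-Request the remaining time is returned as Session-Timeout so the NAS, not a polling client, ends the session; accounting records the session time the NAS reports, and the counter is SUM(session_time) over all sessions of that card, as rlm_sqlcounter does with radacct. The pitfall worth seeing is that Acct-Session-Time in an Interim-Update is the cumulative time of that session, so the handler keeps the largest value seen rather than adding deltas; a retransmitted or late interim packet then cannot charge the card twice. The tables, card code and packets are constructed in an in-memory sqlite database so it runs offline.

```python
import sqlite3

CARD_SECONDS = 3600          # one prepaid code buys one hour
INTERIM_INTERVAL = 300       # Acct-Interim-Interval we ask the NAS to use


def open_db():
    """In-memory stand-in for the RADIUS SQL backend (constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cards (code TEXT PRIMARY KEY, total_seconds INTEGER NOT NULL);
        -- one row per Acct-Session-Id, like radacct; session_time is the latest
        -- Acct-Session-Time the NAS reported for that session
        CREATE TABLE radacct (
            acct_session_id TEXT PRIMARY KEY,
            code            TEXT NOT NULL,
            nas_ip          TEXT NOT NULL,
            session_time    INTEGER NOT NULL DEFAULT 0
        );
    """)
    return db


def issue_card(db, code, seconds=CARD_SECONDS):
    db.execute("INSERT INTO cards VALUES (?, ?)", (code, seconds))
    db.commit()


def seconds_used(db, code):
    """The rlm_sqlcounter idea: SUM(AcctSessionTime) over every session of the card."""
    return db.execute("SELECT COALESCE(SUM(session_time), 0) FROM radacct WHERE code = ?",
                      (code,)).fetchone()[0]


def authorize(db, code):
    """Access-Request with the card code as User-Name.  Returns the reply items
    (Session-Timeout = what is left on the card, so the NAS cuts the session
    off by itself) or None for Access-Reject."""
    row = db.execute("SELECT total_seconds FROM cards WHERE code = ?", (code,)).fetchone()
    if row is None:
        return None
    remaining = row[0] - seconds_used(db, code)
    if remaining <= 0:
        return None
    return {"Session-Timeout": remaining, "Acct-Interim-Interval": INTERIM_INTERVAL}


def accounting(db, pkt):
    """Accounting-Request handler for Start, Interim-Update and Stop.

    Acct-Session-Time is cumulative for the session, not a delta since the
    previous packet, so the row is set to the largest value seen.  Summing
    deltas, or adding each interim value, would double-charge the card."""
    sid, code, status = pkt["Acct-Session-Id"], pkt["User-Name"], pkt["Acct-Status-Type"]
    db.execute("INSERT OR IGNORE INTO radacct (acct_session_id, code, nas_ip) VALUES (?, ?, ?)",
               (sid, code, pkt.get("NAS-IP-Address", "")))
    if status in ("Interim-Update", "Stop"):
        db.execute("UPDATE radacct SET session_time = MAX(session_time, ?) WHERE acct_session_id = ?",
                   (int(pkt.get("Acct-Session-Time", 0)), sid))
    db.commit()


if __name__ == "__main__":
    db = open_db()
    issue_card(db, "1234-5678")
    start = {"Acct-Status-Type": "Start", "Acct-Session-Id": "A1",
             "User-Name": "1234-5678", "NAS-IP-Address": "10.0.0.1"}
    accounting(db, start)
    accounting(db, dict(start, **{"Acct-Status-Type": "Stop", "Acct-Session-Time": "1200"}))
    print(authorize(db, "1234-5678"))   # 2400 seconds left for the next machine
```

A session that is still running and has not yet sent an interim packet is invisible to the counter, exactly as with rlm_sqlcounter, so the same code could be started on a second machine in that window; Simultaneous-Use = 1 closes that gap and the interim interval bounds how stale the count can be.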
Re: Reject user from SQL-DB
I'm sorry, I have to ask again. Have you found a way to let the reply query know that the user has already been rejected in the check query? I'm trying to avoid executing the same queries twice and also to avoid using temporary tables.

Thank you,
JB

JB (08.02.2008 14:00):
> Phil Mayers (08.02.2008 12:03):
>> > Ok, now I'm returning Auth-Type := Reject from my check-items query, and I hoped to be able to send a little more in-depth information along the way in the Reply-Message attribute, but unfortunately this info gets lost. It seems that I have to fill this attribute in the reply-items query. Does this mean the reply-items query has to trigger the same functions as the check-items query again to find out what the reason for the reject was? Or do I have to fill a temporary table with the reply message in the check-items query, which then gets returned in the reply-items query?
>>
>> Hmm. I guess you're doing something like:
>>
>> authorize_check_query = select myproc('%{SQL-User-Name}','...etc...')
>>
>> ...and are trying to avoid re-calling the same (or another) function in the reply query.
>
> That's the problem. How will the reply query be aware that the user has already been rejected without using additional queries? I tried calling the check query with %{control:My-Reply} or %{control:Auth-Type} as attributes, but those are empty though set in the check query.
Re: Reject user from SQL-DB
JB wrote:
> I'm sorry, I have to ask again. Have you found a way to let the reply query know that the user has already been rejected in the check query? I'm trying to avoid executing the same queries twice and also to avoid using temporary tables.

I thought I'd answered this?

What you could do is place a local attribute in the check items, then copy it to the reply items in an unlang section...

Which you said worked in a later email.
freeradius SQL + EAP + Windows client
Hi, I've got a problem when I try to authorize with SQL and a Windows client on a wireless connection. I configured my Windows XP wireless connection to work with PEAP. My freeradius version is 2.0.0 running on RHEL4 AS.

When I make a test with the command

  radtest guillaume passtest localhost 1645 testing123

I have this result:

rad_recv: Access-Request packet from host 127.0.0.1 port 34468, id=204, length=61
        User-Name = guillaume
        User-Password = passtest
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1645
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = guillaume, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
        expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
rlm_sql (sql): Reserving sql socket id: 4
        expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password:  Found Auth-Type
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password passtest
rlm_pap: Using clear text password passtest
rlm_pap: User authenticated successfully
++[pap] returns ok
Sending Access-Accept of id 204 to 127.0.0.1 port 34468
Finished request 0.

So authorize with SQL is working for now, but when I try to connect with the same parameters with my Windows client I get an Access-Reject and I don't know why. Here's my log when I try to connect. It's a very long log but I prefer to put more than less.

rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=0, length=207
        Message-Authenticator = 0xc0f8d00a3b3681c80b0404fb1071f81a
        Service-Type = Framed-User
        User-Name = guillaume\000
        Framed-MTU = 1488
        Called-Station-Id = 00-0F-3D-AB-1C-07:testGuillaume
        Calling-Station-Id = 00-0E-35-99-F3-E9
        NAS-Identifier = D-Link Access Point
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x020e016775696c6c61756d65
        NAS-IP-Address = 172.20.50.202
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = guillaume, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
        expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user -- 'guillaume'
rlm_sql (sql): Reserving sql socket id: 4
        expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
  rlm_eap: EAP packet type response id 0 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 172.20.50.202 port 1063
        EAP-Message = 0x01010016041092804dde8d0a06d99e5261ceb9722ac7
        Message-Authenticator = 0x
        State = 0x520c3ced520d38a3a459d69bfb6e15b4
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 172.20.50.202 port
freeradius 1 mysql Attribute
I'm working with a dialup provider that is acting as the NAS and they are authenticating off my RADIUS server. Authentication works fine. They have this fastnet program that is supposed to make the internet faster. Attached is what they told me to do. I have added it to the dynamic group in MySQL and the user is part of that group. But nothing.

If you run your own radius server:

For those of you that run your own radius server, you must configure your radius server to authenticate the end user. The authentication will be passed to you, via the same radius servers that authentication currently comes from for pass-through radius. The customer must login to the software using their dial-up username and password. You will need to pass back to us the following attribute. (You will need to add this to your dictionary file):

  VENDORATTR 7000 Slipstream-Auth 1 string

Set this equal to 'true' for those that have web acceleration and 'false' for those that do not. By default right now it accepts all users, so be sure to test it with setting one user equal to false and trying to login; it should deny them.

Example of how this can be done (using Radiator):

Add to your dictionary file at /usr/local/etc/raddb/dictionary:

  VENDORATTR 7000 Slipstream-Auth 1 string

Next, in Radiator you will want to configure like we have listed below. The default entry should be listed after all the webcompress users but before all normal users.

Example of how this can be done (most RADIUS servers):

Open up your current dictionary file. Search for the word: cisco-avpair. This is attribute #1 of vendor 9. You need to create a similar entry, but it should be attribute #1 of vendor 7000. Follow the example of how the other entry is in your dictionary file. If you cannot find this attribute, it could be under a sub dictionary file, perhaps something called dictionary.cisco. You may have some INCLUDE lines at the top of your dictionary file that include dictionary.cisco. If so, you will want to add an INCLUDE line for something like dictionary.slipstream and then follow the example of how dictionary.cisco is set up to make your own dictionary.slipstream file and add that one attribute in it.

To accept a user (this will accept dial-up and accept Slipstream):

  [EMAIL PROTECTED]  Auth-Type := Local, User-Password == trial
          Slipstream-Auth = true

To deny a user from Slipstream, do not pass back the Slipstream-Auth = true. We deny all customers that do not have a Slipstream-Auth = true attribute.

Dustin Schuemann
Network Engineer
AMS/The Support Dept
400 Ann St NW Suite 102
Grand Rapids, MI 49504
p. 616.235.0725 ext. 7007
e. [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius SQL + EAP + Windows client
> Hi, I've got a problem when I try to authorize with SQL and a Windows client on a wireless connection.

No, you don't.

> When I make a test with the command radtest guillaume passtest localhost 1645 testing123 I have this result
> ..
> Sending Access-Accept of id 204 to 127.0.0.1 port 34468
> So authorize with SQL is working for now

Yes.

> but when I try to connect with the same parameters with my Windows client I get an Access-Reject and I don't know why.
> ..
> +- entering group authenticate
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
> +- entering group MS-CHAP
>   rlm_mschap: Told to do MS-CHAPv2 for guillaume with NT-Password
>         expand: --username=%{mschap:User-Name:-None} -> --username=guillaume
>   rlm_mschap: No NT-Domain was found in the User-Name.
>         expand: --domain=%{mschap:NT-Domain:-intranet} -> --domain=intranet
>   mschap2: c4
>         expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4384da4f07ddf5b1
>         expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b4e365eb0f01c659d845bd177f80139ebbe46ada409725f1
> Exec-Program output: Logon failure (0xc06d)
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> Exec-Program: returned: 1
>   rlm_mschap: External script failed.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject

Well, you have configured it to authenticate against Active Directory. That failed. Comment out ntlm_auth in the mschap module and the server will use the password from your SQL database.

Ivan Kalik
Kalik Informatika ISP
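A small triage helper for "radiusd -X" output, added here as an example (it is not a FreeRADIUS tool and not from anyone in this thread): it walks the debug log for the first module that returns reject and collects that module's own messages, plus any Exec-Program lines, since the enclosing group was entered. The sample log is constructed from the lines quoted above, trimmed to what the parser uses.

```python
"""Find which module rejected a request in 'radiusd -X' output, and why.

Added example, not a FreeRADIUS tool. SAMPLE_LOG is constructed from the
debug output quoted in this thread.
"""
import re

SAMPLE_LOG = """\
rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: Told to do MS-CHAPv2 for guillaume with NT-Password
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
"""

GROUP = re.compile(r"^\+- entering group (\S+)")          # "+- entering group MS-CHAP"
RESULT = re.compile(r"^\++\[(\w+)\] returns (\w+)")        # "++[mschap] returns reject"
MODMSG = re.compile(r"^\s*rlm_(\w+)(?:\s*\([^)]*\))?: (.*)")  # "rlm_sql (sql): ..." too


def find_reject(log):
    """Return {'module', 'group', 'reasons'} for the first module that
    returned reject, or None if no module rejected.

    'reasons' are the rejecting module's own rlm_ messages and any
    Exec-Program lines (external helper output) seen since the current
    group was entered, in log order.
    """
    group, messages = None, []
    for line in log.splitlines():
        m = GROUP.match(line)
        if m:
            group, messages = m.group(1), []   # new group: reset context
            continue
        m = RESULT.match(line)
        if m:
            module, rc = m.groups()
            if rc == "reject":
                reasons = [msg for mod, msg in messages if mod in (module, "exec")]
                return {"module": module, "group": group, "reasons": reasons}
            continue
        m = MODMSG.match(line)
        if m:
            messages.append((m.group(1), m.group(2)))
            continue
        if line.startswith("Exec-Program"):
            messages.append(("exec", line))
    return None


if __name__ == "__main__":
    hit = find_reject(SAMPLE_LOG)
    print("%s rejected in group %s:" % (hit["module"], hit["group"]))
    for reason in hit["reasons"]:
        print("  " + reason)
```

On a full debug log the call is the same, find_reject(open(path).read()); the first module that returns reject is the one to look at. Here that is mschap, failing inside the MS-CHAP group, and the Exec-Program lines show the external helper (ntlm_auth) is what reported the logon failure rather than the SQL password.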
Re: freeradius 1 mysql Attribute
> Add to your dictionary file at /usr/local/etc/raddb/dictionary:

Same file in FreeRADIUS.

> VENDORATTR 7000 Slipstream-Auth 1 string

You will find this in there:

  #ATTRIBUTE      My-Local-String         3000    string
  #ATTRIBUTE      My-Local-IPAddr         3001    ipaddr
  #ATTRIBUTE      My-Local-Integer        3002    integer

Change the first one to:

  ATTRIBUTE       Slipstream-Auth         3000    string

Restart the server for this to take effect. Use the attribute as instructed (but correct the first line as per instructions in the users file if you are using a recent FreeRADIUS version). The attribute should appear in the Access-Accept packet if all goes well.

Ivan Kalik
Kalik Informatika ISP
Re: Reject user from SQL-DB
JB wrote:
> Phil Mayers:
> > JB wrote:
> > > I'm sorry, I have to ask again. Have you found a way to let the reply query know that the user has already been rejected in the check-query? I'm trying to avoid executing the same queries twice and also to avoid using temporary tables.
> >
> > I thought I'd answered this? What you could do is place a local attribute in the check items, then copy it to the reply items in an unlang section... Which you said worked in a later email
>
> Sorry if I haven't made myself clear enough. These were two different things. On the one hand, I wanted to return a Reply-Message to the user which is set in one of the two queries, which works fine the way you proposed. On the other hand, I wanted to avoid executing unnecessary sub-queries in the reply query (a stored procedure in my case), or the reply query itself, if the user has already been rejected in the check query. It seems that the reply query is always executed. And if I call the stored procedure with attributes like %{control:Auth-Type} or %{control:My-Reply}, they don't get resolved although they're set in the first query.
>
> In pseudo-code:
>   Check query: reject user because of reason 'xyz', set My-Attr to 'xyz'. [works]
>   If rejected, don't call reply query (or at least call reply query with resolved attributes to avoid unnecessary sub-queries) [doesn't work]
>   If rejected copy My-Attr to Reply-Message [works]

Ah I see. No, the sql module doesn't work that way - if *any* check pairs are returned (and match) the reply query is run, but the pairxlatmove() is done *after* the reply query is done - i.e. it does this:

  check_items = sql(check_query)
  if paircompare(request, check_items):
      reply_items = sql(reply_query)
      pairxlatmove(request->reply_items, reply_items)
      pairxlatmove(request->check_items, check_items)

The only way you could change this would be with source-code patches or use rlm_perl/python to do the logic you want.

Arguably the check items pairxlatmove() should be before the reply query, but then if the xlat of the reply query or the reply query itself fail, you'd have added check items without corresponding reply items (but the module would have returned a fail error code, so it's probably not a big deal).

You could move the check items pairxlatmove() call - it's line 669 in src/modules/rlm_sql/rlm_sql.c in my copy of 2.0.0, and would need to move to just above line 651, i.e. the radius_xlat of the reply query.
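To see the ordering Phil describes, here is a Python model of it, added as an example and not code from rlm_sql or from anyone in this thread: CHECK_ROWS stands in for the radcheck query result, REPLY_QUERY for the reply query (or stored procedure), xlat() expands only the %{control:...} form, and a flag switches between the 2.0.0 order (reply query expanded before the check items are moved into the request) and the reordering he suggests.

```python
"""Model of the rlm_sql authorize ordering described in the thread.

Added example, not FreeRADIUS code. The "database" is a dict, the SQL
engine understands one constant SELECT shape, and only %{control:Attr}
is expanded; that is enough to show why a reply query cannot see the
check items in 2.0.0.
"""
import re

# Constructed sample data: the check query rejects user 'bob' and records
# the reason in a local attribute that the reply query then references.
CHECK_ROWS = {
    "bob": [("Auth-Type", ":=", "Reject"), ("My-Attr", ":=", "xyz")],
    "alice": [("Cleartext-Password", ":=", "s3cret")],
}
REPLY_QUERY = "SELECT 'Reply-Message', '=', 'denied: %{control:My-Attr}'"

XLAT = re.compile(r"%\{control:([\w-]+)\}")
QUERY_LOG = []   # every SQL string that "ran", so the cost is visible


def xlat(template, request):
    """Expand %{control:Attr} from request['control']; unset attrs expand to ''."""
    return XLAT.sub(lambda m: request["control"].get(m.group(1), ""), template)


def sql(query):
    """Toy engine: SELECT 'attr', 'op', 'value' returns that single row."""
    QUERY_LOG.append(query)
    m = re.match(r"SELECT '([^']*)', '([^']*)', '([^']*)'$", query)
    return [m.groups()] if m else []


def pairxlatmove(dst, items):
    """Move (attr, op, value) items into a request list; ':=' overwrites."""
    for attr, _op, value in items:
        dst[attr] = value


def authorize(user, check_before_reply=False):
    """Return (rc, request).

    check_before_reply=False is the 2.0.0 order: the reply query is
    expanded and run before the check items reach request->control.
    check_before_reply=True is the reordering suggested above.
    """
    request = {"control": {}, "reply": {}}
    check_items = CHECK_ROWS.get(user, [])
    if not check_items:
        return "notfound", request
    # paircompare(): ':=' items are assignments, not comparisons, so they match.
    if check_before_reply:
        pairxlatmove(request["control"], check_items)
    reply_items = sql(xlat(REPLY_QUERY, request))   # runs even for a rejected user
    pairxlatmove(request["reply"], reply_items)
    if not check_before_reply:
        pairxlatmove(request["control"], check_items)
    rc = "reject" if request["control"].get("Auth-Type") == "Reject" else "ok"
    return rc, request


if __name__ == "__main__":
    for flag in (False, True):
        rc, req = authorize("bob", check_before_reply=flag)
        print("check_before_reply=%s -> %s, %r" % (flag, rc, req["reply"]))
    print("queries run:", QUERY_LOG)
```

With the 2.0.0 order the Reply-Message comes back as "denied: " because %{control:My-Attr} is empty when the reply query is expanded, and the reply query runs once per found user whether or not that user is being rejected; with the check items moved first the same query expands to "denied: xyz". Either way the reply query still runs for a rejected user, which is the part only a source patch or rlm_perl/rlm_python logic can avoid.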
Re: freeradius 1 mysql Attribute
I don't have anything like this in my dictionary. This is free radius 1.

On Feb 28, 2008, at 5:51 PM, Ivan Kalik wrote:
> You will find this in there:
>   #ATTRIBUTE      My-Local-String         3000    string
>   #ATTRIBUTE      My-Local-IPAddr         3001    ipaddr
>   #ATTRIBUTE      My-Local-Integer        3002    integer

Dustin Schuemann
Re: freeradius 1 mysql Attribute
So is this. 1.1.7 file /usr/local/etc/raddb/dictionary.

Ivan Kalik
Kalik Informatika ISP

On 28/2/2008, Dustin Schuemann [EMAIL PROTECTED] wrote:
> I don't have anything like this in my dictionary. This is free radius 1.
Re: freeradius 1 mysql Attribute
This is version 1.1.3. I don't see this anywhere in this file.

  #ATTRIBUTE      My-Local-String         3000    string
  #ATTRIBUTE      My-Local-IPAddr         3001    ipaddr
  #ATTRIBUTE      My-Local-Integer        3002    integer

On Feb 28, 2008, at 8:16 PM, Ivan Kalik wrote:
> So is this. 1.1.7 file /usr/local/etc/raddb/dictionary.

Dustin Schuemann
Re: freeradius 1 mysql Attribute
Can I just add it?

On Feb 28, 2008, at 5:51 PM, Ivan Kalik wrote:
> Change the first one to:
>   ATTRIBUTE       Slipstream-Auth         3000    string
> Restart the server for this to take effect.

Dustin Schuemann
RE: freeRADIUS+samba3.0.1+AD(multiple domains)
Great news! We are using krb5-1.3.2 and samba-3.0.1. Do these 2 versions support multiple domains? Can you give me some examples of how to configure krb5.conf and smb.conf? Thanks.

John

Joe Vieira [EMAIL PROTECTED] wrote:
> > But there are multiple domains in Active Directory. How can freeRADIUS or Samba be configured to support multiple domains?
> >
> > FreeRADIUS just uses Samba to do authentication with AD. The winbind ntlm_auth API used in Samba cannot authenticate to multiple domains.
>
> That's not entirely true, you can (and I do) get Samba to auth to multiple domains. The domains either need to be in the same forest, and/or have full trusts back and forth (I also found that adding each of them to your Kerberos config helps). Basically you join one of them and you should be able to enumerate all the users from both through winbind or getent...
>
> Joe
Re: freeradius 1 mysql Attribute
On Thu, Feb 28, 2008 at 05:08:46PM -0500, Dustin Schuemann wrote:
> I'm working with a dialup provider that is acting as the NAS and they are authenticating off my RADIUS server. Authentication works fine. They have this fastnet program that is supposed to make the internet faster. Attached is what they told me to do. I have added it to the dynamic group in MySQL and the user is part of that group. But nothing.
>
> If you run your own radius server:
>   VENDORATTR 7000 Slipstream-Auth 1 string

There is a dictionary.slipstream file in FreeRADIUS 2.x. You could just use that file even if you are on FreeRADIUS 1.x. Just make sure to add the appropriate $INCLUDE to the primary dictionary file.

-- 
Scott Lambert   KC5MLE   Unix SysAdmin
[EMAIL PROTECTED]
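What that dictionary.slipstream file expresses, and what the attribute then looks like on the wire, as an added example (not FreeRADIUS code and not from anyone in this thread). The fragment is my rendering of the provider's spec (vendor 7000, attribute 1, string) in FreeRADIUS dictionary syntax; that it matches the shipped dictionary.slipstream line for line is an assumption. The encoder builds the RFC 2865 Vendor-Specific attribute (type 26) and refuses plain attributes numbered above 255, which FreeRADIUS keeps server-internal and never puts in a packet.

```python
"""Parse a FreeRADIUS-style dictionary fragment and encode the resulting
Vendor-Specific attribute as it would appear in an Access-Accept.

Added example, not FreeRADIUS code. DICTIONARY_SLIPSTREAM is constructed
from the provider's spec (vendor 7000 / attribute 1 / string); whether the
shipped dictionary.slipstream is identical is an assumption.
"""
import struct

DICTIONARY_SLIPSTREAM = """
# constructed fragment in FreeRADIUS dictionary syntax
VENDOR          Slipstream              7000
BEGIN-VENDOR    Slipstream
ATTRIBUTE       Slipstream-Auth         1       string
END-VENDOR      Slipstream
"""

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type carrying VSAs


def parse_dictionary(text):
    """Return {attr_name: (vendor_id, attr_number, type)}.

    vendor_id is 0 for plain attributes defined outside any vendor block.
    Handles VENDOR, BEGIN-VENDOR, END-VENDOR, ATTRIBUTE and '#' comments.
    """
    vendors, attrs, current = {}, {}, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        keyword = fields[0]
        if keyword == "VENDOR":
            vendors[fields[1]] = int(fields[2])
        elif keyword == "BEGIN-VENDOR":
            current = vendors[fields[1]]
        elif keyword == "END-VENDOR":
            current = 0
        elif keyword == "ATTRIBUTE":
            name, number, typ = fields[1], int(fields[2]), fields[3]
            attrs[name] = (current, number, typ)
    return attrs


def encode_attr(attrs, name, value):
    """Encode one string attribute as an RFC 2865 TLV.

    Plain attributes: Type | Length | Value.
    Vendor attributes: 26 | Length | Vendor-Id (4 bytes) |
                       Vendor-Type | Vendor-Length | Value   (RFC 2865 5.26)
    """
    vendor_id, number, typ = attrs[name]
    if typ != "string":
        raise NotImplementedError("only string attributes are encoded here")
    payload = value.encode()
    if vendor_id == 0:
        if number > 255:
            # FreeRADIUS treats these as server-internal: never sent on the wire.
            raise ValueError("attribute %d is internal and cannot be sent" % number)
        return struct.pack("!BB", number, 2 + len(payload)) + payload
    sub = struct.pack("!BB", number, 2 + len(payload)) + payload
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


if __name__ == "__main__":
    attrs = parse_dictionary(DICTIONARY_SLIPSTREAM)
    print(attrs)
    print(encode_attr(attrs, "Slipstream-Auth", "true").hex())
```

The VSA for Slipstream-Auth = true is 12 bytes: 1a 0c, the vendor id 00 00 1b 58 (7000), then vendor-type 01, vendor-length 06 and "true". That is what the provider's NAS is looking for in the Access-Accept, and it is only produced when the attribute is defined under vendor 7000.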