Re: MySQL tables for 2.1.1

2008-10-02 Thread A . L . M . Buxey
Hi,

> I've had to fix permissions on about ten files - various files
> in /usr/local/etc/raddb needed to be made readable by the "radius"

of course you did - that's because you chose to run the radiusd
daemon as 'radius'. It's expected that you know how to do some basic
UNIX stuff - and therefore set e.g.  chmod u+r radius:radius 'raddb directory
location'   (where the directory is wherever you decided it to be).

there is no hard, fixed user or group to run the daemon as, therefore
there is a need to change permissions. It's normal.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxy.conf in freeradius 2.1.1

2008-10-02 Thread A . L . M . Buxey
Hi,

>   It's the users "home".  It's where they are authenticated.  The term
> is widely used in the industry and in the specifications defining RADIUS.

in eduroam parlance, it's the 'identity provider', the IdP

alan


Re: Conditionals in FreeRadius

2008-10-02 Thread Alan DeKok
Tom Cooper wrote:
> We have ADSL users to authenticate on freeradius which reads the user
> info via an OpenLDAP server. Now when the user has used a certain amount
> of data he must be flagged as blocked. His connection is disconnected
> and upon reconnection he is assigned a different IP address with
> restricted connectivity until he tops up his account. I can see that his
> information needs to be changed in LDAP 

  No.  Don't pollute your LDAP database with connection tracking
information.

  Use an SQL database to track sessions, and reject users who go over
their limit.  Anyone who is over their limit should not be checked
against LDAP.

> Is it maybe better accomplished from freeradius than from LDAP? The
> record needs to be changed in LDAP for our admin portal to make use of
> this to check the client's status.

  Recent versions of the server include an "sqlcounter" module that does
all of this tracking automatically.

> My radius version used is freeradius-1.1.3-1.2.el5

  Upgrade.

  Alan DeKok.


Re: The client does not connect _*_*_*_

2008-10-02 Thread A . L . M . Buxey
Hi,

> Well, when I want to connect from the notebook to the network radius, asking
> me to configure the profile to the type of authentication, and so on.
> what set everything is ready and when I try to connect but does not connect
> to the server and are not recorded requests.
> 
> What could be the problem?

where's the debug output - as asked for EVERY time such a query is put
to people on this list?

alan


R: R: R: Logging level

2008-10-02 Thread Arrigo Savio
You're right! I was looking at 2.1.0 version of the file.
I checked (and configured) the 2.1.1 and everything is OK.

Thanks, Arrigo

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Tuesday, 30 September 2008 18:16
To: FreeRadius users mailing list
Subject: Re: R: R: Logging level

Arrigo Savio wrote:
> I read all comments, and tried to give some permission on the files, but I
> still receive the error pasted...
> I read in docs that:
> #  If not set, then ANYONE can connect to the control socket,
> #  and have complete control over the server.  This is likely
> #  not what you want.
> I tried to comment out the parameters, but it doesn't work anyway.

  Did you see the "access_mode" parameter?  Are you sure you're using
2.1.1?  Are you sure you're looking at the configuration files that are
included in 2.1.1?

  Alan DeKok.


Re: Checking NAS-Identifier in the radgroupcheck table

2008-10-02 Thread super_tomtom

Ok... so, here is my DB structure:

Table radgroupcheck:
+----+-----------+----------------+----+-------+
| id | groupname | attribute      | op | value |
+----+-----------+----------------+----+-------+
|  4 | hotel1    | Auth-Type      | := | Local |
|  5 | hotel1    | NAS-Identifier | == | LMS1  |
+----+-----------+----------------+----+-------+

Table radusergroup:
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| user1    | hotel1    |        1 |
+----------+-----------+----------+

Table radcheck:
+----+----------+--------------------+----+----------------------------------+
| id | username | attribute          | op | value                            |
+----+----------+--------------------+----+----------------------------------+
| 33 | user1    | Cleartext-Password | := | 5f4dcc3b5aa765d61d8327deb882cf99 |
+----+----------+--------------------+----+----------------------------------+

Now when I log in with user1 from a NAS identified by "LMS2", here is the
radius output:

rad_recv: Access-Request packet from host 127.0.0.1 port 32782, id=37,
length=225
Vendor-14559-Attr-8 = 0x312e302e3132
User-Name = "user1"
CHAP-Challenge = 0xdb7c1d07effaa75dc2a70e21957a6c16
CHAP-Password = 0x003d1437701d38d34412b7379d215605df
NAS-IP-Address = 10.101.0.1
Service-Type = Login-User
Framed-IP-Address = 10.101.101.1
Calling-Station-Id = "00-1D-09-50-17-B2"
Called-Station-Id = "00-1E-4F-DF-E2-58"
NAS-Identifier = "LMS2"
Acct-Session-Id = "48e484ab0002"
NAS-Port-Type = Wireless-802.11
NAS-Port = 2
WISPr-Logoff-URL = "http://10.101.0.1:3990/logoff";
Message-Authenticator = 0x88ff270956703c81baa051c0bc3965fc
+- entering group authorize
++[preprocess] returns ok
  rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radcheck  
WHERE username = 'user1'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radreply  
WHERE username = 'user1'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM radusergroup   WHERE username = 'user1'
ORDER BY priority
expand: SELECT id, groupname, attribute,   Value, op  
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'  
ORDER BY id -> SELECT id, groupname, attribute,   Value, op  
FROM radgroupcheck   WHERE groupname = 'hotel1'   ORDER BY
id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
+- entering group CHAP
  rlm_chap: login attempt by "user1" with CHAP password
  rlm_chap: Using clear text password "5f4dcc3b5aa765d61d8327deb882cf99" for
user user1 authentication.
  rlm_chap: chap user user1 authenticated succesfully
++[chap] returns ok
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 37 to 127.0.0.1 port 32782

Now as you can see, the radgroupcheck parameter NAS-Identifier == LMS1 did
not mismatch... why?


super_tomtom wrote:
> 
> Hi !
> I am actually setting up a freeradius server that will manage
> authentication from different places (hotels actually).
> I am just a beginner toward that technology, and I have one problem:
> I need to create some accounts that can be enabled at different places:
> for example you have an account in a hotel in London, then you could use
> the same account in another hotel of the same chain in ... Madrid for
> example.
> But, you could not use this account in another hotel using the same
> solution (all my hotels will talk to the same freeradius server).
> ... I hope you understand my English, sorry about that...
> So here is the point: 

RE: FW: FreeRadius

2008-10-02 Thread Marcel Grandemange
>query = "SELECT SUM(AcctInputOctets - GREATEST((%b -
>UNIX_TIMESTAMP(AcctStartTime)), 0))+ SUM(AcctOutputOctets -GREATEST((%b -
>UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND
>UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"

>What is "GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)" doing in
>data (octet) counter?

No idea to be honest, I'm a novice.
Many web-sites seem to advise using that and it works for the "most part"

Eg http://cakeforge.org/forum/forum.php?forum_id=631

But advice is welcome!


>Ivan Kalik
>Kalik Informatika ISP



RE: FreeRadius

2008-10-02 Thread Marcel Grandemange
>Hi Marcel

>I don't know if I'm right, or if it's related to your problem, but if you 
>check the source of rlm_sqlcounter (rlm_sqlcounter.c), you may see that this 
>module seems really time based (Alan will correct me if I'm wrong). Indeed 
>the module contains a function that makes it possible for a user to start using 
>its next month's quota, if the integer returned by the check-name is greater 
>than the number of seconds until the reset time. In your case this would 
>suggest you compare your bytes with seconds, and so maybe you sometimes allow 
>users to use their quota twice a month, or something like this.



You would have to explain to me in really basic terms as I'm a newbie.

I am aware that the module is mostly time based, but it is intended for data usage 
as well, although NOT very well documented.

I struggled for months to get the information to set it up as is.

>Once again what I say here needs  to be checked, but i'm almost sure 
>sqlcounter mechanism are time related.

Like I said, I cannot recall where I eventually did find the docs, but I know many 
use this function on Chillispot hotspot installs.

>Marcel Grandemange wrote:

>I have a working FreeRadius installation used for PPPOE clients using a 
>Mikrotik NAS (Essentially Linux)

>I am using Freeradius to limit data a user can send/receive within a month and 
>automatically reset it every month.

>I used an example from chillispot hotspot for this.

>However what I'm noticing is sometimes a customer gets denied access because he 
>has exceeded his monthly allowance, however when I check the
>DB this is not the case because it's the beginning of month.

>This only happens sometimes so I'm lost!

>I use sqlcounter.conf for the counter part of things and INCLUDE this from 
>radius.conf.

>sqlcounter monthlytraffic {
>    counter-name = Monthly-Traffic
>    check-name = Max-Monthly-Traffic
>    reply-name = Mikrotik-Xmit-Limit-Gigawords
>    sqlmod-inst = sql
>    key = User-Name
>    reset = monthly
>    query = "SELECT SUM(AcctInputOctets - GREATEST((%b - 
>UNIX_TIMESTAMP(AcctStartTime)), 0))+ SUM(AcctOutputOctets -GREATEST((%b - 
>UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND 
>UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
>}

>Anybody for input? I would greatly appreciate help here! A work around is to 
>simply increase his allowance till he is allowed to connect!


Re: Checking NAS-Identifier in the radgroupcheck table

2008-10-02 Thread tnt
Not only that but Auth-Type Local also wasn't forced. Adding it there is
a mistake in the first place but it still didn't work.

What freeradius version is this? Add Reply-Message to radgroupreply and
see if that shows in the reply.

Ivan Kalik
Kalik Informatika ISP



Re: Checking NAS-Identifier in the radgroupcheck table

2008-10-02 Thread super_tomtom

Thanks Ivan for your answer.

My freeradius version is 2.0.5.

I added a Reply-Message in the radgroupreply table like this:
+----+-----------+---------------+----+-------------------------+
| id | groupname | attribute     | op | value                   |
+----+-----------+---------------+----+-------------------------+
|  1 | hotel1    | Reply-Message | =  | You are in hotel1 group |
+----+-----------+---------------+----+-------------------------+

and when I launch the radtest command, it doesn't seem to send it:
#> radtest user1 5f4dcc3b5aa765d61d8327deb882cf99 127.0.0.1 3990 testing123
Sending Access-Request of id 229 to 127.0.0.1 port 1812
User-Name = "user1"
User-Password = "5f4dcc3b5aa765d61d8327deb882cf99"
NAS-IP-Address = 127.0.0.1
NAS-Port = 3990
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=229,
length=26
Idle-Timeout = 60

On the server side, here is what happens:
rad_recv: Access-Request packet from host 127.0.0.1 port 32782, id=141,
length=73
User-Name = "user1"
User-Password = "5f4dcc3b5aa765d61d8327deb882cf99"
NAS-IP-Address = 127.0.0.1
NAS-Port = 3990
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radcheck  
WHERE username = 'user1'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radreply  
WHERE username = 'user1'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM radusergroup   WHERE username = 'user1'
ORDER BY priority
expand: SELECT id, groupname, attribute,   Value, op  
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'  
ORDER BY id -> SELECT id, groupname, attribute,   Value, op  
FROM radgroupcheck   WHERE groupname = 'hotel1'   ORDER BY
id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type 
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "5f4dcc3b5aa765d61d8327deb882cf99"
rlm_pap: Using clear text password "5f4dcc3b5aa765d61d8327deb882cf99"
rlm_pap: User authenticated successfully
++[pap] returns ok
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 141 to 127.0.0.1 port 32782
Idle-Timeout = 60
Finished request 22.

...well... doesn't seem to change anything... I added an Idle-Timeout
parameter in the radreply table, this one works fine, but in the
radgroupreply table, it looks like it ignores it.

Another thing, I didn't really understand the first part of your answer:


> Not only that but Auth-Type Local also wasn't forced. Adding it there is
> a mistake in the first place but it still didn't work.
> 

Could you explain this to me please? 
Thanks !


tnt-4 wrote:
> 
> Not only that but Auth-Type Local also wasn't forced. Adding it there is
> a mistake in the first place but it still didn't work.
> 
> What freeradius version is this? Add Reply-Message to radgroupreply and
> see if that shows in the reply.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 


RE: FW: FreeRadius

2008-10-02 Thread tnt
>No idea to be honest, im a novice.
>Many web-sites seem to advice using that and it works for the "most part"
>
>Eg http://cakeforge.org/forum/forum.php?forum_id=631
>

OK. It's wrong. That part of the expression counts time not octets. It
handles sessions that started in one counting period and continue into
next one. Data is counted properly without such additions. Delete it.

query = "SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct
WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '%b'"

Remove "+ AcctSessionTime" if you don't want sessions that started in
one counting period and continuing into the next one to count in the new
one.

And tell Dirk and others where you found that information not to mix time
and data counters.

Ivan Kalik
Kalik Informatika ISP



Re: eap ttls certificate config

2008-10-02 Thread jehan procaccia

OK, I found why it core-dumped.
I thought that CA_file and CA_path needed to be set separately,
so when setting CA_path I was commenting out CA_file.
Now that both CA_file and CA_path directives are present in eap.conf, it 
doesn't core-dump anymore.


Anyway, I found my real problem. It's from the securew2 Windows EAP-TTLS client:
it doesn't support certificates above 2048 bits, and our 3-level CA chain 
is composed of 3x4096-bit CA certificates.
So securew2 was complaining about a wrong certificate from freeradius, 
because it couldn't read such a "large" bundle.


dixit securew2 mailing-list:
Tom Rixom wrote:

At the moment sw2 supports certificate file sizes up to 2048.
This will be upped in the next release candidate.
As soon as we have a release candidate (hopefully end of this month) 
you can test it. 

we are waiting for a new securew2 release to validate that.

Alan DeKok wrote:
> Jehan PROCACCIA wrote:
>> Actually I wasn't suggesting that it is a bug,
>
>   A core dump is a bug.  The files I suggested you read contain
> instructions that help us fix the bug.
>
>> my initial question is how
>> one can use that CA_path directive
>> and what the CA_path should contain.
>> If it's a bug, then I should rather update my freeradius-2.0.3-3.el5 to
>> 2.1.1 or so ?
>
>   I would suggest trying that.
>
>> but I'm surprised to be the only one having that problem.
>> indeed I do have a /usr/share/doc/freeradius-2.0.3 directory containing
>> docs
>> but nothing on the CA_path directive, neither in bugs,ChangeLog,rlm_eap
>> or any other file.
>
>   How about eap.conf?  The CA path is a path to a directory containing
> certs and CRL's.  This is *documented* in eap.conf.
>
>> My initial question is: "how to configure eap.conf tls section to load a
>> multi-level certificate hierarchy (CA bundle)"  ?
>
>   Include the certificates in the CA_path directory.
>
>   Alan DeKok.




Re: Checking NAS-Identifier in the radgroupcheck table

2008-10-02 Thread tnt
Something is wrong here:

>rlm_sql (sql): Reserving sql socket id: 2
>expand: SELECT id, username, attribute, value, op   FROM
>radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
>-> SELECT id, username, attribute, value, op   FROM radcheck
>WHERE username = 'user1'   ORDER BY id
>rlm_sql (sql): User found in radcheck table
>expand: SELECT id, username, attribute, value, op   FROM
>radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id
>-> SELECT id, username, attribute, value, op   FROM radreply
>WHERE username = 'user1'   ORDER BY id
>expand: SELECT groupname   FROM radusergroup   WHERE
>username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
>groupname   FROM radusergroup   WHERE username = 'user1'
>ORDER BY priority
>expand: SELECT id, groupname, attribute,   Value, op
>FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
>ORDER BY id -> SELECT id, groupname, attribute,   Value, op
>FROM radgroupcheck   WHERE groupname = 'hotel1'   ORDER BY
>id
>rlm_sql (sql): Released sql socket id: 2
>++[sql] returns ok

This is the debug from my 2.0.5 test server:

rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER
BY id -> SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = 'wifi'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op 
 FROM radcheck   WHERE username = 'wifi'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER
BY id -> SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = 'wifi'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op 
 FROM radreply   WHERE username = 'wifi'   ORDER BY id
expand: SELECT groupname   FROM usergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM usergroup   WHERE username = 'wifi'  
ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM usergroup 
 WHERE username = 'wifi'   ORDER BY priority
expand: SELECT id, groupname, attribute,   Value, op 
 FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
  ORDER BY id -> SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname = 'hs256'   
   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname = 'hs256'   
   ORDER BY id
rlm_sql (sql): User found in group hs256
expand: SELECT id, groupname, attribute,   value, op 
 FROM radgroupreply   WHERE groupname = '%{Sql-Group}'
  ORDER BY id -> SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname = 'hs256'   
   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname = 'hs256'   
   ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok

It has calls to rlm_sql_mysql and also reports: rlm_sql (sql): User found
in group hs256. There is no such stuff in your debug.

Have you copied sql.conf from an older version? And not used sql.conf and
dialup.conf.


>Another thing, I didn't really understand the first part of your answer:
>
>
>> Not only that but Auth-Type Local also wasn't forced. Adding it there is
>> a mistake in the first place but it still didn't work.
>>
>
>Could you explain this to me please?

Don't force Auth-Type. It's mentioned in numerous places in the
documentation, website and this list. Let the server sort it out.

That entry would have diverted the server from doing chap. Good thing it
didn't work.

Ivan Kalik
Kalik Informatika ISP



RE: FW: FreeRadius

2008-10-02 Thread Marcel Grandemange

>No idea to be honest, im a novice.
>Many web-sites seem to advice using that and it works for the "most part"
>
>Eg http://cakeforge.org/forum/forum.php?forum_id=631
>

>OK. It's wrong. That part of the expression counts time not octets. It
>handles sessions that started in one counting period and continue into
>next one. Data is counted properly without such additions. Delete it.

>query = "SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct
>WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) +
>AcctSessionTime > '%b'"


Thank You, Will Try This!

>Remove "+ AcctSessionTime" if you don't want sessions that started in
>one counting period and continuing into the next one to count in the new
>one.

One counting period meaning beginning of month?

So it should be:

query = "SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct
WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"

If I want to allow users say 1Gb per month limit that gets reset every
month.
(In other words no carry over of data)

And:
query = "SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct
WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime > '%b'"

If I want them to be able to use their unused data from previous month + new
data limit?

Please excuse my lack of knowledge! Really appreciate the help though!

>And tell Dirk and others where you found that information not to mix time
>and data counters.

>Ivan Kalik
>Kalik Informatika ISP




RE: FW: FreeRadius

2008-10-02 Thread tnt
>
>One counting period meaning beginning of month?
>

Month, week, day, doesn't matter. Query is the same for all.

>So it should be:
>
>query = "SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct
>WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
>
>If I want to allow users say 1Gb per month limit that gets reset every
>month.
>(In other words no carry over of data)
>
>And:
>query = "SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct
>WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) +
>AcctSessionTime > '%b'"
>
>If I want them to be able to use their unused data from previous month + new
>data limit?

No. Not unused but data used in a session that started in one period and
continued into the next one. Let's say today is the last of the month.
User starts the session today and finishes tomorrow morning. Is that
data counting towards the new month's limit? Or not? If it does leave
AcctSessionTime in, if it doesn't - take it out.

If you want to carry over unused allowance you alter the check-name
parameter. Instead of that value being constant (1GB in your example)
you would add whatever is left from previous month and insert that as
the value for the counter.

Ivan Kalik
Kalik Informatika ISP

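The two points Ivan makes in this reply and in his earlier one (that GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0) is a number of seconds being subtracted from an octet total, and that "+ AcctSessionTime" decides whether a session that straddles the reset boundary counts in the new period) can be checked against constructed accounting rows. The following is an added example, not code from the thread or from FreeRADIUS: it keeps the logic of the three queries discussed but runs them in an in-memory SQLite table, so MySQL's UNIX_TIMESTAMP(AcctStartTime) becomes an integer AcctStartTime column stored as epoch seconds, GREATEST(a, 0) becomes SQLite's two-argument MAX(a, 0), and %k / %b are bound as the :k / :b parameters. The sessions, the user name "njale", the period start and the limit check are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample data (not from the thread). %b in rlm_sqlcounter is the
# start of the current counting period; here 1 October 2008 00:00 UTC, which
# matches the thread's "reset = monthly".
PERIOD_START = int(datetime(2008, 10, 1, tzinfo=timezone.utc).timestamp())
DAY = 86400
MB = 1024 * 1024

# (UserName, AcctStartTime as epoch seconds, AcctSessionTime, AcctInputOctets, AcctOutputOctets)
SAMPLE_SESSIONS = [
    ("njale", PERIOD_START - 5 * DAY, 3600, 50 * MB, 150 * MB),     # ended last month
    ("njale", PERIOD_START - 20 * DAY, 25 * DAY, 1 * MB, 2 * MB),   # long PPPoE session straddling the reset
    ("njale", PERIOD_START + 2 * DAY, 2 * 3600, 20 * MB, 60 * MB),  # entirely inside this month
    ("other", PERIOD_START + 1 * DAY, 600, 1 * MB, 1 * MB),         # a different user
]

# The query Marcel started with: MAX(:b - AcctStartTime, 0) is a number of
# SECONDS (period start minus session start) subtracted from an OCTET total.
QUERY_WRONG = """
SELECT SUM(AcctInputOctets  - MAX(:b - AcctStartTime, 0))
     + SUM(AcctOutputOctets - MAX(:b - AcctStartTime, 0))
  FROM radacct
 WHERE UserName = :k AND AcctStartTime + AcctSessionTime > :b
"""

# Ivan's corrected query: a session counts if it was still running when the
# period began, so a straddling session is carried into the new period.
QUERY_CARRY = """
SELECT SUM(AcctInputOctets + AcctOutputOctets)
  FROM radacct
 WHERE UserName = :k AND AcctStartTime + AcctSessionTime > :b
"""

# Without "+ AcctSessionTime": only sessions that STARTED inside the period count.
QUERY_NO_CARRY = """
SELECT SUM(AcctInputOctets + AcctOutputOctets)
  FROM radacct
 WHERE UserName = :k AND AcctStartTime > :b
"""


def build_radacct(sessions):
    """Create an in-memory radacct table holding the given sessions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, "
        "AcctSessionTime INTEGER, AcctInputOctets INTEGER, AcctOutputOctets INTEGER)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", sessions)
    conn.commit()
    return conn


def count_octets(conn, query, username, period_start):
    """Run one counter query; a NULL SUM (no matching rows) counts as 0."""
    row = conn.execute(query, {"k": username, "b": period_start}).fetchone()
    return row[0] or 0


def compare_counters(sessions=SAMPLE_SESSIONS, username="njale", period_start=PERIOD_START):
    """Return the three counter values side by side for one user."""
    conn = build_radacct(sessions)
    try:
        return {
            "wrong": count_octets(conn, QUERY_WRONG, username, period_start),
            "carry": count_octets(conn, QUERY_CARRY, username, period_start),
            "no_carry": count_octets(conn, QUERY_NO_CARRY, username, period_start),
        }
    finally:
        conn.close()


def over_limit(counter_octets, limit_octets):
    """Modelled sqlcounter decision: the user is rejected once the counter
    reaches the check-name value (assumption; the real module's threshold
    handling is not reproduced here)."""
    return counter_octets >= limit_octets


if __name__ == "__main__":
    for name, value in compare_counters().items():
        print(f"{name:9s} {value:>12d} octets  over 3 GB? {over_limit(value, 3 * 1024 * MB)}")
```

With these rows the "wrong" query comes out 2 x 20 days x 86400 seconds below the corrected one, because the straddling session's start-offset in seconds is subtracted from both its input and its output octets; on a session whose octet counts are small the per-session term even goes negative, which is why the mixed query "works for the most part" and then misbehaves around the reset.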


RE: FW: FreeRadius

2008-10-02 Thread Marcel Grandemange
>
>One counting period meaning beginning of month?
>

>Month, week, day, doesn't matter. Query is the same for all.

>So it should be:
>
>query = "SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct
>WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
>
>If I want to allow users say 1Gb per month limit that gets reset every
>month.
>(In other words no carry over of data)
>
>And:
>query = "SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct
>WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) +
>AcctSessionTime > '%b'"
>
>If I want them to be able to use their unused data from previous month + new
>data limit?

>No. Not unused but data used in a session that started in one period and
>continued into the next one. Lets say today is the last of the month.
>User starts the session today and finishes tomorrow morning. Is that
>data counting towards the new months limit? Or not? If it does leave
>AcctSessionTime in, if it doesn't - take it out.

Thank you, did test it, not fully, but it isn't resolving my issue I'm afraid...

A user njale has a limit of 3Gb.
I check via dialupadmin from beginning of this month to today

Page Total  17 hours, 2 minutes, 8 seconds  88.01 MBs   274.39 MBs


Hence he has done 362.3Mb

I made the change to my sqlcounter.conf
Restarted radius.
Ensured njale's limit is indeed on 3Gb.
He gets denied

"sqlcounter monthlytraffic {
 counter-name = Monthly-Traffic
 check-name = Max-Monthly-Traffic
 reply-name = Mikrotik-Xmit-Limit-Gigawords
 sqlmod-inst = sql
 key = User-Name
 reset = monthly
#query = "SELECT (sum(AcctInputOctets)+sum(AcctOutputOctets)) FROM radacct
WHERE UserName='%{%k}' AND Month(AcctStopTime) =(Month(NOW())-1) AND
Year(Acct
#query = "SELECT SUM(AcctInputOctets - GREATEST((%b -
UNIX_TIMESTAMP(AcctStartTime)), 0))+ SUM(AcctOutputOctets -GREATEST((%b -
UNIX_TIMESTAMP(AcctStartT
query = "SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct WHERE
UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}



"sqlcounter.conf" 73 lines, 3220 characters
[EMAIL PROTECTED] /usr/local/etc/raddb]# /usr/local/etc/rc.d/radiusd restart
Stopping radiusd.
Waiting for PIDS: 7656.
Starting radiusd.
Thu Oct  2 13:11:42 2008 : Info: Starting - reading configuration files ...
[EMAIL PROTECTED] /usr/local/etc/raddb]# edit sqlcounter.conf
[EMAIL PROTECTED] /usr/local/etc/raddb]# tail -f /var/log/radius.log
Thu Oct  2 13:11:43 2008 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #9
Thu Oct  2 13:11:43 2008 : Info: Ready to process requests.
Thu Oct  2 13:12:18 2008 : Auth: Login incorrect:
[TEST/\025\002\202\216\241\253\244C\221Q\202\027\275\203=(] (from client
OldPPPOES port 0)
Thu Oct  2 13:12:40 2008 : Auth: Login OK: [njale/] (from
client OldPPPOES port 40587 cli 00:0C:29:0B:44:66)
Thu Oct  2 13:13:18 2008 : Auth: Login incorrect:
[TEST/\025\002\202\216\241\253\244C\221Q\202\027\275\203=(] (from client
OldPPPOES port 0)
Thu Oct  2 13:13:53 2008 : Auth: Invalid user (rlm_sqlcounter: Maximum
monthly usage time reached): [njale/] (from client OldPPPOES
port 40588 cli 00:0C:29:0B:44:66)
Thu Oct  2 13:13:58 2008 : Auth: Login OK: [00:80:48:46:E9:CF/] (from client
pbwexnetworkvpn port 0 cli 00-80-48-46-E9-CF)
Thu Oct  2 13:14:02 2008 : Auth: Login OK: [00:80:48:46:E9:CF/] (from client
pbwexnetworkvpn port 0 cli 00-80-48-46-E9-CF)
Thu Oct  2 13:14:04 2008 : Auth: Invalid user (rlm_sqlcounter: Maximum
monthly usage time reached): [njale/] (from client OldPPPOES
port 40589 cli 00:0C:29:0B:44:66)
Thu Oct  2 13:14:18 2008 : Auth: Login incorrect:
[TEST/\025\002\202\216\241\253\244C\221Q\202\027\275\203=(] (from client
OldPPPOES port 0)
^C
[EMAIL PROTECTED] /usr/local/etc/raddb]#

"

Only increasing his limit to 5Gb allows him to connect

>If you want to carry over unused allowance you alter the check-name
>parameter. Instead of that value being constant (1GB in your example)
>you would add whatever is left from previous month and insert that as
>the value for the counter.

>Ivan Kalik
>Kalik Informatika ISP



Re: Checking NAS-Identifier in the radgroupcheck table

2008-10-02 Thread super_tomtom

Ok thanks a lot for your answer!
The Reply-Message did not come because of the '==' operator in the
radgroupcheck table.
So, if I set the NAS-Identifier to "LMS2" (the one used by my chillispot
portal), the condition NAS-Identifier == LMS2 matches, so radius puts me in
the "hotel1" group. If it doesn't match (while using the radtest command for
example), it continues the login process, but considering that I don't belong to
any group... So in my problem explained before, the user can log in even if
he's not recognized as coming from the hotel he was expected to come from...
What I would like to find is a way to allow users to log in only if they
have been attributed to a group...

About my sql.conf file, it seems to be the one delivered in the release
2.0.5. Here it is:
sql {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "login"
password = "password"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
read_groups = yes
deletestalesessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 60
nas_table = "nas"
$INCLUDE sql/${database}/dialup.conf
}

By the way I removed the Auth-Type as you advised me; that was one thing
that stayed from the first tutorials I followed, that I did not really
understand ;)


tnt-4 wrote:
> 
> Something is wrong here:
> 
>>rlm_sql (sql): Reserving sql socket id: 2
>>expand: SELECT id, username, attribute, value, op   FROM
>>radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
>>-> SELECT id, username, attribute, value, op   FROM radcheck
>>WHERE username = 'user1'   ORDER BY id
>>rlm_sql (sql): User found in radcheck table
>>expand: SELECT id, username, attribute, value, op   FROM
>>radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY
id
>>-> SELECT id, username, attribute, value, op   FROM radreply
>>WHERE username = 'user1'   ORDER BY id
>>expand: SELECT groupname   FROM radusergroup  
>> WHERE
>>username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
>>groupname   FROM radusergroup   WHERE username = 'user1'
>>ORDER BY priority
>>expand: SELECT id, groupname, attribute,   Value, op
>>FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
>>ORDER BY id -> SELECT id, groupname, attribute,   Value, op
>>FROM radgroupcheck   WHERE groupname = 'hotel1'   ORDER BY
>>id
>>rlm_sql (sql): Released sql socket id: 2
>>++[sql] returns ok
> 
> This is the debug from my 2.0.5 test server:
> 
> rlm_sql (sql): Reserving sql socket id: 3
> expand: SELECT id, username, attribute, value, op   FROM
> radcheck   WHERE username = '%{SQL-User-Name}'   ORDER
> BY id -> SELECT id, username, attribute, value, op   FROM
> radcheck   WHERE username = 'wifi'   ORDER BY id
> rlm_sql_mysql: query:  SELECT id, username, attribute, value, op 
>  FROM radcheck   WHERE username = 'wifi'   ORDER BY id
> rlm_sql (sql): User found in radcheck table
> expand: SELECT id, username, attribute, value, op   FROM
> radreply   WHERE username = '%{SQL-User-Name}'   ORDER
> BY id -> SELECT id, username, attribute, value, op   FROM
> radreply   WHERE username = 'wifi'   ORDER BY id
> rlm_sql_mysql: query:  SELECT id, username, attribute, value, op 
>  FROM radreply   WHERE username = 'wifi'   ORDER BY id
> expand: SELECT groupname   FROM usergroup   WHERE
> username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
> groupname   FROM usergroup   WHERE username = 'wifi'  
> ORDER BY priority
> rlm_sql_mysql: query:  SELECT groupname   FROM usergroup 
>  WHERE username = 'wifi'   ORDER BY priority
> expand: SELECT id, groupname, attribute,   Value, op 
>  FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
>   ORDER BY id -> SELECT id, groupname, attribute,   Value,
> op   FROM radgroupcheck   WHERE groupname = 'hs256'   
>ORDER BY id
> rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value,
> op   FROM radgroupcheck   WHERE groupname = 'hs256'   
>ORDER BY id
> rlm_sql (sql): User found in group hs256
> expand: SELECT id, groupname, attribute,   value, op 
>  FROM radgroupreply  

RE: FW: FreeRadius

2008-10-02 Thread tnt
>A User njale has a limit of 3Gb.
>I check via dialupadmin from the beginning of this month to today
>
>Page Total 17 hours, 2 minutes, 8 seconds  88.01 MBs   274.39 MBs
>
>
>Hence he has done 362.3Mb
>

Post the debug of request processing.

Ivan Kalik
Kalik Informatika ISP



RE: FW: FreeRadius

2008-10-02 Thread Marcel Grandemange
tem value pair
  modcall[authorize]: module "monthlycounter" returns noop for request 2
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM
radacct WHERE UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) >
'1222812000''
radius_xlat:  'SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct
WHERE UserName='njale' AND UNIX_TIMESTAMP(AcctStartTime) > '1222812000''
sqlcounter_expand:  '%{sql:SELECT SUM(AcctInputOctets + AcctOutputOctets)
FROM radacct WHERE UserName='njale' AND UNIX_TIMESTAMP(AcctStartTime) >
'1222812000'}'
radius_xlat: Running registered xlat function of module sql for string
'SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct WHERE
UserName='njale' AND UNIX_TIMESTAMP(AcctStartTime) > '1222812000''
rlm_sql (sql): - sql_xlat
radius_xlat:  'njale'
rlm_sql (sql): sql_set_user escaped user --> 'njale'
radius_xlat:  'SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM radacct
WHERE UserName='njale' AND UNIX_TIMESTAMP(AcctStartTime) > '1222812000''
radius_xlat:  '/var/log/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT SUM(AcctInputOctets + AcctOutputOctets) FROM
radacct WHERE UserName='njale' AND UNIX_TIMESTAMP(AcctStartTime) >
'1222812000'
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
radius_xlat:  '407334542'
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user njale, check_item=-1073741824,
counter=407334542
  modcall[authorize]: module "monthlytraffic" returns reject for request 2
modcall: leaving group authorize (returns reject) for request 2
Invalid user (rlm_sqlcounter: Maximum monthly usage time reached):
[njale/] (from client OldPPPOES port 40596 cli
00:0C:29:0B:44:66)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 192.168.12.4:48774, id=134,
length=195
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 40580
NAS-Port-Type = Ethernet
User-Name = "njale"
Calling-Station-Id = "00:14:A5:B7:6E:D9"
Called-Station-Id = "thavinci"
NAS-Port-Id = "ExternalBridge"
Acct-Session-Id = "8170020d"
Framed-IP-Address = 172.16.1.219
Acct-Authentic = RADIUS
Event-Timestamp = "Oct  2 2008 14:27:30 SAST"
Acct-Session-Time = 10500
Acct-Input-Octets = 5857508
Acct-Input-Gigawords = 0
Acct-Input-Packets = 40738
Acct-Output-Octets = 53312876
Acct-Output-Gigawords = 0
Acct-Output-Packets = 49027
Acct-Status-Type = Interim-Update
NAS-Identifier = "oldPPPOES"
NAS-IP-Address = 192.168.12.4
Acct-Delay-Time = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 3
  modcall[preacct]: module "preprocess" returns noop for request 3
rlm_acct_unique: Hashing 'NAS-Port = 40580,Client-IP-Address =
192.168.12.4,NAS-IP-Address = 192.168.12.4,Acct-Session-Id =
"8170020d",User-Name = "njale"'
rlm_acct_unique: Acct-Unique-Session-ID = "a04aa47508857178".
  modcall[preacct]: module "acct_unique" returns ok for request 3
  modcall[preacct]: module "files" returns noop for request 3
modcall: leaving group preacct (returns ok) for request 3
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 3
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'njale'
rlm_sql (sql): sql_set_user escaped user --> 'njale'
radius_xlat:  'BEGIN'
rlm_sql_mysql: query:  BEGIN
radius_xlat:  'njale'
rlm_sql (sql): sql_set_user escaped user --> 'njale'
radius_xlat:  'UPDATE radippool   SET expiry_time = NOW() + INTERVAL 3600
SECOND   WHERE NASIPAddress = '192.168.12.4'   AND pool_key = '40580'   AND
UserName = 'njale'   AND CallingStationId = '00:14:A5:B7:6E:D9'   AND
FramedIPAddress = '172.16.1.219''
rlm_sql_mysql: query:  UPDATE radippool   SET expiry_time = NOW() + INTERVAL
3600 SECOND   WHERE NASIPAddress = '192.168.12.4'   AND pool_key = '40580'
AND UserName = 'njale'   AND CallingStationId = '00:14:A5:B7:6E:D9'   AND
FramedIPAddress = '172.16.1.219'
radius_xlat:  'njale'
rlm_sql (sql): sql_set_user escaped user --> 'njale'
radius_xlat:  'COMMIT'
rlm_sql_mysql: query:  COMMIT
rlm_sql (sql): Released sql socket id: 3
  modcall[accounting]: module "sqlippool" returns ok for request 3
radius_xlat:  'njale'
rlm_sql (sql): sql_set_user escaped user --> 'njale'
radius_xlat:  '   UPDATE radacct   SET
FramedIPAddress = '172.16.1.219',  AcctSessionTime =
'10500',  AcctInputOctets = '0'  << 32 |
'5857508',  AcctOutputOctets= '0' << 32 |
'53312876'   WHERE AcctSessionId = '8170020d'   AND UserName
= 'njale'   AND NASIPAddress= '192.168.12.4''
radius_xlat:  '/var/log/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: UPDATE radacct   SET
FramedIPAddress = '172.16.1.219',  AcctSessionTime =
'10500',  AcctInputOctets = '0'  << 32 |
'5857508',  AcctOutputOctets= '0' << 32 |
'53312876'   WHERE AcctSessionId = '8170020d'   AND UserName
= 'njale'   AND NASIPAddress= '192.168.12.4'
rlm_sql (sql): Released sql socket id: 2
  modcall[accounting]: module "sql" returns ok for request 3
modcall: leaving group accounting (returns ok) for request 3
Sending Accounting-Response of id 134 to 192.168.12.4 port 48774
Finished request 3
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 133 to 192.168.12.4 port 50168
Reply-Message = "Your maximum monthly usage time has been reached"
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 133 with timestamp 48e4be2d
Cleaning up request 1 ID 136 with timestamp 48e4be2d
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 134 with timestamp 48e4be31
Nothing to do.  Sleeping until we see a request.


Re: Checking NAS-Identifier in the radgroupcheck table

2008-10-02 Thread tnt
>So, if I set the NAS-Identifier to "LMS2" (the one used by my chillispot
>portal), the condition NAS-Identifier == LMS2 matches, so radius puts me to
>the "hotel1" group. If it doesn't match (while using radtest command for
>example), it continues the login process, but considering that i don't own
>any group... So in my problem explained before, the user can log in even if
>he's not recognized as coming from the hotel he was expected to come from...
>What I would like to find is a way to allow a users to log in, only if they
>have been attributed to a group...
>

Ah, a failed check in SQL groups won't reject the user. It will just cause
the group info to be ignored. This is to allow the user to be a member of
multiple groups - if he doesn't match one, then the checks go on to the next
one with lower priority, etc.

Use radcheck for checks that should reject the user.

Ivan Kalik
Kalik Informatika ISP



RE: FW: FreeRadius

2008-10-02 Thread tnt
Your check has a negative value:

check_item=-1073741824

Delete that minus. Of course everything counted will be greater than a
negative number. It starts working on 5GB because the counter rolls over
at 4GB.

Ivan Kalik
Kalik Informatika ISP


On 2/10/2008, "Marcel Grandemange" <[EMAIL PROTECTED]> wrote:

>
>>A User njale has a limit of 3Gb.
>>I check via dialupadmin from the beginning of this month to today
>>
>>Page Total17 hours, 2 minutes, 8 seconds  88.01 MBs   274.39 MBs
>>
>>
>>Hence he has done 362.3Mb
>>
>
>>Post the debug of request processing.
>
>I have attached it as an attachment because of the size...
>
>>Ivan Kalik
>>Kalik Informatika ISP
>
>



Re: Checking NAS-Identifier in the radgroupcheck table

2008-10-02 Thread super_tomtom

Ok, that brings me back to my initial problem...
My first try was to put in the radcheck table a condition like this:
NAS-Identifier == LMS2
This works very well, but limits it to only one NAS-Identifier. I need to allow
some clients to log in from different NAS ids...
Is there a way to put multiple conditions in the radcheck table, such as
(NAS-Identifier == LM1) || (NAS-Identifier == LMS2)?
Thanks






RE: FW: FreeRadius

2008-10-02 Thread Marcel Grandemange
>Your check has a negative value:

>check_item=-1073741824

>Delete that minus. Of course everything counted will be greater than a
>negative number. It starts working on 5GB because the counter rolls over
>at 4GB.

Excuse the ignorance again, but where will I do that? Where is it getting
that value from?
I checked the radcheck table for that user ...


ID  UserNameAttribute   op  Value
345 njale   Max-Monthly-Traffic :=  3221225472

He has it set on 3gb and gets denied, only when Value = 5368709120 does it
work.

Counter Rolls Over?

Btw, thanks for being patient with me!



>Ivan Kalik
>Kalik Informatika ISP




Re: Checking NAS-Identifier in the radgroupcheck table

2008-10-02 Thread tnt
Use huntgroups. You group users into groups and devices into huntgroups.

Ivan Kalik
Kalik Informatika ISP


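A minimal huntgroups setup for the case discussed above, added here as an illustration and not taken from the thread or from the FreeRADIUS distribution. The huntgroup name "hotel1" and the NAS-Identifier values "LMS1"/"LMS2" follow the poster's naming; the user name "user1" is made up.

```text
# raddb/huntgroups
# Several entries with the same name are OR'ed together, so a request
# from either NAS ends up in huntgroup "hotel1". Add one line per NAS.
hotel1    NAS-Identifier == "LMS1"
hotel1    NAS-Identifier == "LMS2"

# radcheck row for rlm_sql (SQL shown for a MySQL schema as in sql.conf above).
# Huntgroup-Name is a *check* item here, so a request that matched no
# huntgroup is rejected, instead of merely skipping a group the way a
# failed radgroupcheck entry does.
INSERT INTO radcheck (username, attribute, op, value)
  VALUES ('user1', 'Huntgroup-Name', '==', 'hotel1');
```

Huntgroup-Name is evaluated by rlm_preprocess, so preprocess has to stay listed in the authorize section (it is in the default configuration). A radtest request that carries no NAS-Identifier, or one that matches no huntgroups entry, then fails the radcheck item and gets an Access-Reject rather than falling through with no group at all.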


RE: FW: FreeRadius

2008-10-02 Thread tnt
>>Your check has a negative value:
>
>>check_item=-1073741824
>
>>Delete that minus. Of course everything counted will be greater than a
>>negative number. It starts working on 5GB because the counter rolls over
>>at 4GB.
>
>Excuse the ignorance again, but where will I do that? Where is it getting
>that value from?
>I checked the radcheck table for that user ...
>
>
>ID UserNameAttribute   op  Value
>345njale   Max-Monthly-Traffic :=  3221225472
>
>He has it set on 3gb and gets denied, only when Value = 5368709120 does it
>work.
>
>Counter Rolls Over?
>

Yes. It's a 32 bit number so it can go up only to 4GB. That is in the
FAQ.

Hm, it should wrap at 4GB but it wraps at 2GB. I think bug 490 relates to
this.

Ivan Kalik
Kalik Informatika ISP



Re: FW: FreeRadius

2008-10-02 Thread Alan DeKok
Marcel Grandemange wrote:
> IDUserNameAttribute   op  Value
> 345   njale   Max-Monthly-Traffic :=  3221225472
> 
> He has it set on 3gb and gets denied, only when Value = 5368709120 does it
> work.

  It looks like a bug.  The number should be treated as unsigned.

  Alan DeKok.
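The arithmetic behind this thread, as an added example that is not FreeRADIUS code: it shows why a 3 GiB Max-Monthly-Traffic value prints as check_item=-1073741824, why a value of 5368709120 (5 GiB) "works", and how a 64-bit comparison that also folds in the Acct-*-Gigawords attributes avoids both problems. The assumption that the "check item minus counter" residual is held in a signed 32-bit int is mine, taken from the debug output rather than from the 2.x source; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FreeRADIUS source. Function names are hypothetical. */

/* A RADIUS integer attribute is 32 bits wide. Viewing 3221225472 through a
 * signed 32-bit lens gives the -1073741824 seen in the debug output. */
int32_t limit_as_signed32(uint64_t configured)
{
    return (int32_t)(uint32_t)configured; /* truncate mod 2^32, then reinterpret */
}

/* Assumption: the module computes "check item - counter" and keeps the result
 * in a signed 32-bit int. With a limit above 2^31 the unsigned difference
 * exceeds INT32_MAX, reads as negative, and the user is rejected although
 * almost nothing has been used. */
int32_t signed32_residual(uint64_t limit, uint64_t counter)
{
    uint32_t l = (uint32_t)limit;   /* 5368709120 (5 GiB) becomes 1073741824 here */
    uint32_t c = (uint32_t)counter;
    return (int32_t)(l - c);
}

/* Acct-Input-Gigawords / Acct-Output-Gigawords (RFC 2869) carry the high 32
 * bits of the byte count; combine them exactly as the radacct UPDATE in the
 * debug output does with "gigawords << 32 | octets". */
uint64_t combine_octets(uint32_t gigawords, uint32_t octets)
{
    return ((uint64_t)gigawords << 32) | octets;
}

/* The same comparison done in 64 bits: a 3 GiB limit is never negative and a
 * session above 4 GiB never wraps. Rejects once usage has reached the limit,
 * i.e. when "check item - counter" would not be positive. */
bool over_limit(uint64_t used, uint64_t limit)
{
    return used >= limit;
}

int main(void)
{
    const uint64_t limit_3g = 3221225472ULL;   /* radcheck value from the thread */
    const uint64_t counter  = 407334542ULL;    /* SUM(...) result from the debug */

    printf("3 GiB limit seen as int32: %d\n", limit_as_signed32(limit_3g));
    printf("residual, 32-bit signed:   %d (negative => reject)\n",
           signed32_residual(limit_3g, counter));
    printf("residual with 5 GiB limit: %d (positive => accept)\n",
           signed32_residual(5368709120ULL, counter));
    printf("64-bit check, 3 GiB limit: %s\n",
           over_limit(counter, limit_3g) ? "reject" : "accept");
    printf("1 gigaword + 5857508 bytes = %llu\n",
           (unsigned long long)combine_octets(1, 5857508));
    return 0;
}
```

Any limit between 2 GiB and 4 GiB produces a negative residual in the 32-bit version, which matches the "wraps at 2GB" observation; a limit of 5 GiB only appears to work because it has been silently truncated to 1 GiB.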


Re: strange rlm_expiration behavior

2008-10-02 Thread Flamur Rogova

Nicolas Goutte wrote:
Previous answers to questions about user expiration told to write dates 
like

Expiration := "May 10 2008 21:00:00"

So in your case, you should perhaps try:
Expiration := "Jan 01 2009 00:00:00"

Have a nice day!

On 01.10.2008 at 11:31, Flamur Rogova wrote:


Hi,
I am having strange behavior of rlm_expiration where it always returns 
"userlock", no matter what I put as expiration value.


my radius install is latest from git repository, with default 
configuration (unchanged in any way),


rlm_expiration rejects this user, date "10 Jan 2009", although it 
should be accepted...


could somebody confirm working rlm_expiration on latest sources ?


home raddb # cat users
a   Cleartext-Password := a, Expiration := "10 Jan 2009"
Reply-Message = "ok"




Hi,
Nicolas, the date format you specified is OK, but the one I used is OK
too, so both "May 10 2008 21:00:00" and "May 10 2008" are valid formats.


On version 2.1.1, on users file rlm_expiration doesn't work. It gives 
userlock on any date value, even on invalid dates, unlike version 2.0.5 
which on invalid dates gives '...failed to parse time string "10 Jan abc"'


But I discovered that on rlm_sql I get correct behavior of expiration 
module, on the same radius version...


also, on the same machine, I have version 2.0.5 with working 
rlm_expiration module on both users file and sql


I have limited knowledge of C, but I can't see any difference between the
2.0.5 and 2.1.1 versions of rlm_expiration.c


radius01 raddb # diff /home/sysadm/freeradius-server-2.0.5/src/modules/rlm_expiration/rlm_expiration.c /home/sysadm/freeradius-server-2.1.1/src/modules/rlm_expiration/rlm_expiration.c
4c4
<  * Version:  $Id: rlm_expiration.c,v 1.16 2007/05/14 22:27:16 nbk Exp $
---
>  * Version:  $Id$
25c25
< RCSID("$Id: rlm_expiration.c,v 1.16 2007/05/14 22:27:16 nbk Exp $")
---
> RCSID("$Id$")
75c75
<   DEBUG("rlm_expiration: Checking Expiration time: 
'%s'",check_item->vp_strvalue);

---
>   RDEBUG("Checking Expiration time: 
'%s'",check_item->vp_strvalue);

80c80
<   DEBUG("rlm_expiration: Account has expired");
---
>   RDEBUG("Account has expired");
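Review bot: neither the 75c75 nor the 80c80 hunk touches the expiration comparison; both only replace the module-prefixed DEBUG() call with RDEBUG(), and the 4c4 and 25c25 hunks only collapse the expanded CVS $Id$ keyword. So a difference in how the users-file Expiration value is handled between 2.0.5 and 2.1.1 cannot come from this file; the place to look is where the users file entry is parsed into a date attribute before rlm_expiration ever sees it.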


Has anybody seen similar behavior of rlm_expiration on v. 2.1.1 ?



Re: strange rlm_expiration behavior

2008-10-02 Thread tnt
>On version 2.1.1, on users file rlm_expiration doesn't work. It gives
>userlock on any date value, even on invalid dates, unlike version 2.0.5
>which on invalid dates gives '...failed to parse time string "10 Jan abc"'
>
>But I discovered that on rlm_sql I get correct behavior of expiration
>module, on the same radius version...
>

The problem would be parsing dates from the users file rather than
rlm_expiration. That looks like the same version to me.

Ivan Kalik
Kalik Informatika ISP



Compile Error :FreeRadius v 2.1.1 RPM build error

2008-10-02 Thread Syed Anwarul Hasan
Hi Alan, Ivan and all,

Alan, as I was having the backtrace problem in my FreeRadius v 2.0.5, I deleted
all the old binaries and libraries for the earlier version. Then I got the
latest FreeRadius v 2.1.1 tarball (compressed tar.bz2) from the
freeradius.org website and started to build on SLES 10 SP2. And I copied
freeradius.spec into the SPECS folder.
When I try to compile, I get an rpm build error and the compilation stops.

Please help me in this regard.
SYED

pc1138: /usr/src/packages/SOURCES # rpmbuild -ba /usr/src/packages/SPECS/freeradius.spec
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.25117
+ umask 022
+ cd /usr/src/packages/BUILD
+ cd /usr/src/packages/BUILD
+ rm -rf freeradius-server-2.1.1
+ /usr/bin/bzip2 -dc
/usr/src/packages/SOURCES/freeradius-server-2.1.1.tar.bz2
+ tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd freeradius-server-2.1.1
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chown -Rhf root .
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chgrp -Rhf root .
+ /bin/chmod -Rf a+rX,u+w,g-w,o-w .
++ find . -name CVS
+ rm -rf
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.27085
+ umask 022
+ cd /usr/src/packages/BUILD
+ /bin/rm -rf /var/tmp/freeradius-server-2.1.1-build
++ dirname /var/tmp/freeradius-server-2.1.1-build
+ /bin/mkdir -p /var/tmp
+ /bin/mkdir /var/tmp/freeradius-server-2.1.1-build
+ cd freeradius-server-2.1.1
+ export 'CFLAGS=-O2 -g -m32 -march=i586 -mtune=i686 -fmessage-length=0
-D_FORTIFY_SOURCE=2 -fno-strict-aliasing -DLDAP_DEPRECATED -fPIC -DPIC'
+ CFLAGS='-O2 -g -m32 -march=i586 -mtune=i686 -fmessage-length=0
-D_FORTIFY_SOURCE=2 -fno-strict-aliasing -DLDAP_DEPRECATED -fPIC -DPIC'
+ autoreconf
configure.in:1140: warning: AC_CONFIG_SUBDIRS: you should use literals
autoconf/status.m4:1077: AC_CONFIG_SUBDIRS is expanded from...
configure.in:1140: the top level
configure.in:1140: warning: AC_CONFIG_SUBDIRS: you should use literals
autoconf/status.m4:1077: AC_CONFIG_SUBDIRS is expanded from...
configure.in:1140: the top level
configure.in:1140: warning: AC_CONFIG_SUBDIRS: you should use literals
autoconf/status.m4:1077: AC_CONFIG_SUBDIRS is expanded from...
configure.in:1140: the top level
configure.in:547: error: possibly undefined macro: AC_LIB_READLINE
  If this token and others are legitimate, please use m4_pattern_allow.
  See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
error: Bad exit status from /var/tmp/rpm-tmp.27085 (%build)


RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.27085 (%build)

Re: Compile Error :FreeRadius v 2.1.1 RPM build error

2008-10-02 Thread Norbert Wegener

See:
http://lists.freeradius.org/pipermail/freeradius-users/2008-September/msg00659.html


Norbert Wegener


RE: FW: FreeRadius

2008-10-02 Thread Marcel Grandemange
>>Your check has a negative value:
>
>>check_item=-1073741824
>
>>Delete that minus. Of course everything counted will be greater than a
>>negative number. It starts working on 5GB because the counter rolls over
>>at 4GB.
>
>Excuse the ignorance again, but where will I do that? Where is it getting
>that value from?
>I checked the radcheck table for that user ...
>
>
>ID UserNameAttribute   op  Value
>345njale   Max-Monthly-Traffic :=  3221225472
>
>He has it set on 3gb and gets denied, only when Value = 5368709120 does it
>work.
>
>Counter Rolls Over?
>

>Yes. It's a 32 bit number so it can go up only to 4GB. That is in the
>FAQ.

Hence why I use:
reply-name = Mikrotik-Xmit-Limit-Gigawords

Also, this explains my kind of setup in more detail:
http://forum.mikrotik.com/viewtopic.php?f=6&t=9902

I do interim updates, and haven't noticed the issue you are describing.
I tested an account that was limited to 7Gb and it worked successfully.
(All 7Gb was transferred in one session)

User was not able to reconnect till I upped the limit.


>Hm, it should wrap at 4GB but it wraps at 2GB. I think bug 490 relates to
>this.

This issue only happens on rare occasions and with this particular user; I
do not know what could be causing it...
I think I might test this whole thing manually, gig for gig, again...

Input Anyone?

>Ivan Kalik
>Kalik Informatika ISP




Re: Compile Error :FreeRadius v 2.1.1 RPM build error

2008-10-02 Thread Syed Anwarul Hasan
Thanks Norbert,

  SYED


Suggestions

2008-10-02 Thread Bert Beaudin
Hello all
 
I am looking to use FreeRADIUS and Active Directory, along with adding
members to a group, to secure telnet access to Cisco devices. I am
looking for suggestions on the best way to do this. I have read through
the how-to at:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

But I am not sure this is what I am trying to do. Any input is welcomed.

 
Thanks,
 

Bert Beaudin
Systems Administrator
RelianceGlobalcom Services, Inc.
Office:303-785-6641
Cell:303-478-7789
Fax:415-677-9534
[EMAIL PROTECTED]
www.relianceglobalcom.com

EAP-TTLS first connection works, other won't

2008-10-02 Thread Giovanni Lovato
I set up freeradius 2.1.1 for EAP-TTLS on Debian Lenny. As the client I'm
using Ubuntu. When I try to connect, the first user (in the logs, "heruan")
connects successfully, but subsequent users (e.g. "jamila") won't. If I
restart freeradius and try to connect first with "jamila" and then with
"heruan", "jamila" connects and "heruan" doesn't. The only error I'm
able to see in the log is:


798:[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
799-[eap] Freeing handler
800-++[eap] returns reject
801-Failed to authenticate the user.
802-Using Post-Auth-Type Reject
803-+- entering group REJECT {...}

But I really don't know what it means.
rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, 
length=125
User-Name = "heruan"
NAS-IP-Address = 192.168.22.1
Called-Station-Id = "00c049d3f40e"
Calling-Station-Id = "002268c0eb93"
NAS-Identifier = "00c049d3f40e"
NAS-Port = 184
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b0168657275616e
Message-Authenticator = 0x4bd473610ad7dcfdcb6b1016a23acb10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "heruan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for heruan
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}})) -> (|(uid=heruan)(cn=heruan))
[ldap]  expand: dc=aldu,dc=net -> dc=aldu,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.laurelin.aldu.net:389, authentication 0
rlm_ldap: bind as cn=radius,dc=aldu,dc=net/RaD-802.1X to ldap.laurelin.aldu.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x30...
rlm_ldap: sambaLmPassword -> LM-Password == 0x35...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user heruan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.22.1 port 3073
EAP-Message = 0x010100160410faf366dabc0e2d2eada92aed8a1beef5
Message-Authenticator = 0x
State = 0xf46f03b2f46e07fbc157e3e44121daf3
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=138
Cleaning up request 0 ID 1 with timestamp +11
User-Name = "heruan"
NAS-IP-Address = 192.168.22.1
Called-Station-Id = "00c049d3f40e"
Calling-Station-Id = "002268c0eb93"
NAS-Identifier = "00c049d3f40e"
NAS-Port = 184
Framed-MTU = 1400
State = 0xf46f03b2f46e07fbc157e3e44121daf3
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100060315
Message-Authenticator = 0x24f629997ec0167cb1d9418bb69bf17a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "heruan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for heruan
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}})) -> (|(uid=heruan)(cn=heruan))
[ldap]  expand: dc=aldu,dc=net -> dc=aldu,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performin

Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri
Hi,

I'm running freeradius-2.0.5 on Linux.

My setup is as follows:

Windows Vista native client - Linksys AP - FreeRadius Linux server 
(PEAP/mschapv2) - Active Directory Windows server

Everything works smoothly with the following ntlm_auth parameters in the mschap 
module:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

However, user authentication is rejected when I add the --domain parameter:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

(from the Windows Vista client I obviously set the DOMAIN field; besides, if I 
run the freeradius daemon with debug enabled I see that it "correctly" receives 
'DOMAIN\username')

For starters, I don't understand why authentication fails if I add --domain. 
How can I find out why?

Then, adding --require-membership-of with or without --domain also fails.

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Finally, running ntlm_auth from the command line yields:

# ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser 
--require-membership-of='DOMAIN\\WIFI'
password:
NT_STATUS_OK: Success (0x0)

Could it be a "bug" in the freeradius version I'm running?

Can anyone please suggest how I can debug this (not a radius expert ;-) )?

Regards,

Vieri



  
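
The first thing to check with a rejected ntlm_auth call is what the `%{...}` expansions actually turned into, since that is the command winbind really saw. The following is an added example, not code from this thread or from FreeRADIUS: it models how the mschap module's `%{mschap:NT-Domain}` expansion takes the domain part of a `DOMAIN\user` User-Name, rebuilds the argv that the three ntlm_auth lines quoted above would produce, flags any argument whose expansion came out empty (a bare `--domain=` when the User-Name carried no backslash), and shell-quotes the result so the same call can be replayed from a root shell and compared with the `NT_STATUS_*` line. The hex challenge/response values, the user and group names and the `CORP` domain are constructed placeholders.

```python
import shlex
from typing import List, Optional, Tuple

NTLM_AUTH = "/usr/bin/ntlm_auth"  # the path used in the posted configuration


def split_nt_name(user_name: str) -> Tuple[Optional[str], str]:
    """Split a Windows-style 'DOMAIN\\user' into (domain, user).

    Models the %{mschap:NT-Domain} / %{mschap:User-Name} pair (assumption:
    only the backslash form is recognised here). A name without a backslash
    has no domain part, so the domain expansion is empty.
    """
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return None, user_name
    return (domain or None), user


def ntlm_auth_argv(user_name: str, challenge_hex: str, nt_response_hex: str,
                   stripped_user_name: Optional[str] = None,
                   with_domain: bool = False,
                   require_group: Optional[str] = None) -> List[str]:
    """Rebuild the argv the posted ntlm_auth line expands to.

    Each %{...} is replaced the way the configuration spells it out:
    --domain from the NT-Domain part of User-Name; --username from
    Stripped-User-Name, falling back to User-Name and then to 'None';
    challenge and response with a '00' fallback when absent.
    """
    domain, _user = split_nt_name(user_name)
    argv = [NTLM_AUTH, "--request-nt-key"]
    if with_domain:
        argv.append("--domain=" + (domain or ""))
    argv.append("--username=" + (stripped_user_name or user_name or "None"))
    if require_group is not None:
        # ntlm_auth accepts either DOMAIN\Group or a group SID here
        argv.append("--require-membership-of=" + require_group)
    argv.append("--challenge=" + (challenge_hex or "00"))
    argv.append("--nt-response=" + (nt_response_hex or "00"))
    return argv


def empty_expansions(argv: List[str]) -> List[str]:
    """Arguments whose %{...} expanded to nothing; these are what to look for
    in the radiusd -X output when adding --domain turns success into reject."""
    return [arg for arg in argv if arg.endswith("=")]


def replay_command(argv: List[str]) -> str:
    """Shell-quote the argv so the identical call can be pasted into a shell
    and its NT_STATUS_* result compared with what the server got."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample values; the hex strings are placeholders, not a real exchange.
    argv = ntlm_auth_argv("CORP\\alice", "0102030405060708", "a1" * 24,
                          with_domain=True, require_group="CORP\\WIFI")
    print(replay_command(argv))
    print("empty expansions:",
          empty_expansions(ntlm_auth_argv("alice", "01", "02", with_domain=True)))
```

Note that with `--domain=%{mschap:NT-Domain}` and an unstripped `--username=%{User-Name}` the rebuilt argv carries the domain twice, once on its own and once inside `CORP\alice`; whether that, or an empty expansion, is what winbind objects to is exactly what the debug output will show.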


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread tnt
As with every other freeradius problem - when it doesn't work - debug
(radiusd -X).

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri

--- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> As with every other freeradius problem - when it doesn't
> work - debug
> (radiusd -X).

That's how I'm running it. Does the list mind if I post the debug lines?



  


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri
I forgot to mention that I already tried:

with_ntdomain_hack = yes

I'll try to post the relevant radiusd -X debug lines if the ML doesn't mind.




  


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Lech Karol Pawłaszek
Vieri wrote:
> --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> 
>> As with every other freeradius problem - when it doesn't
>> work - debug
>> (radiusd -X).
> 
> That's how I'm running it. Does the list mind if I post the debug lines?

You're supposed to do so!

It's even in the FreeRADIUS' FAQ (however IMVHO it should be on the ML
front page).

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

PS: I followed your Reply-To however I don't think that was necessary -
do you really have to set it that way?

Kind regards,

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Nicolas Goutte


On 02.10.2008 at 19:46, Vieri wrote:

> --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>> As with every other freeradius problem - when it doesn't
>> work - debug
>> (radiusd -X).
>
> That's how I'm running it. Does the list mind if I post the debug
> lines?

Asking for the output of radiusd -X is the most frequent answer on
this mailing list, so it is not a problem to see such outputs on
this mailing list.

However, please check first by yourself that you have not missed an
error message that would point you in the right direction. (Because
that is probably the second most frequent answer.)

Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registry court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






The client does not connect _*_*_*_

2008-10-02 Thread Martin Silvero
I do not understand what I want to say

Re: Suggestions

2008-10-02 Thread tnt
Updated guide:

http://deployingradius.com/documents/configuration/active_directory.html

Since Cisco is going to send pap requests you should also configure AD in
ldap section in order to retrieve (at least) password (NT-Password
attribute) and group (Ldap-Group attribute) information. With them you
should be able to authenticate and authorize Cisco admin access.

Ivan Kalik
Kalik Informatika ISP




Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Alan DeKok
Vieri wrote:
> However, user authentication is rejected when I add the --domain parameter:
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain}
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

  And you didn't post the debug output as suggested in the FAQ, README,
INSTALL, and daily on this list.

  Knowing WHY it was rejected, and WHAT ERROR was produced is key
information that is needed to be able to solve the problem.

  Alan DeKok.


Re: Suggestions

2008-10-02 Thread Alan DeKok
Bert Beaudin wrote:
> I am looking to use Freeradius and Active Directory along with adding
> members to a group to secure telnet access to Cisco devices. I am
> looking for sugestions on the best way to do this.

  Configure AD as an LDAP server, and use the LDAP-Group attribute to
check group membership.

  Alan DeKok.

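
To make the advice in Ivan's and Alan's replies to Bert concrete, here is an added example, not configuration from this thread or shipped by FreeRADIUS: the relevant pieces of a FreeRADIUS 2.x setup that looks the PAP login up in Active Directory over LDAP, authenticates by binding to AD as the user (Auth-Type LDAP, one of several possible choices), and returns a privileged exec shell only to members of one AD group via the LDAP-Group check. The AD hostname, bind DN and password, base DN, group name `NetAdmins`, CA file path and the Cisco addresses are placeholders. Two caveats a practitioner would add: telnet carries the password in clear text on the wire and RADIUS PAP only obfuscates it with the shared secret, so the same policy is better fronted by SSH on the device; and the IOS statements at the end keep `local` as a fallback so a RADIUS outage does not lock you out of the router.

```unlang
# modules/ldap (relevant settings only; AD-specific choices noted inline)
ldap {
    server = "ad.example.com"                           # placeholder
    identity = "cn=radius,cn=Users,dc=example,dc=com"   # least-privilege read-only account
    password = "change-me"
    basedn = "cn=Users,dc=example,dc=com"
    # AD logins are sAMAccountName; the :- fallback covers the case where no realm was stripped
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    # AD keeps membership on the user object, so LDAP-Group can be resolved from memberOf
    groupmembership_attribute = "memberOf"
    groupname_attribute = "cn"
    groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
    tls {
        start_tls = yes                                  # keeps the bind passwords off the wire
        cacertfile = /etc/raddb/certs/ad-ca.pem          # placeholder
        require_cert = "demand"
    }
}

# sites-enabled/default (authorize and authenticate sections, trimmed)
authorize {
    preprocess
    suffix
    # Fetch the user entry; this also makes the LDAP-Group comparison below possible
    ldap
    if (notfound) {
        reject
    }
    # Telnet/console logins arrive as PAP (User-Password present): authenticate by binding as the user
    if (User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
    # Only members of the NetAdmins group get a privileged exec shell; everyone else is refused
    if (Ldap-Group == "NetAdmins") {
        update reply {
            Service-Type = NAS-Prompt-User
            Cisco-AVPair = "shell:priv-lvl=15"
        }
    }
    else {
        reject
    }
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
}

# On the Cisco device (IOS), the matching AAA statements are roughly:
#   aaa new-model
#   aaa authentication login default group radius local
#   aaa authorization exec default group radius local
#   radius-server host 192.0.2.10 key <shared-secret>       # 192.0.2.10 is a placeholder
```

Verify with `radiusd -X` and a `radtest` PAP request for a member and for a non-member: the member's Access-Accept should carry `Cisco-AVPair = "shell:priv-lvl=15"`, and the non-member should be rejected in `authorize` before any bind is attempted.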


Re: EAP-TTLS first connection works, other won't

2008-10-02 Thread Alan DeKok
Giovanni Lovato wrote:
> I set up freeradius 2.1.1 for EAP-TTLS, on Debian Lenny. As client I'm
> using Ubuntu. When I try to connect, first user, (on the logs, "heruan")
> connect successfully, but subsequent users (e.g. "jamila") won't. If I
> restart freeradius, and try to connect first with "jamila" and then with
> "heruan", "jamila" connects and "heruan" doesn't. The only error I'm
> able to see on the log is:
> 
> 798:[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.

  ?  Session resumption is done on a per-user basis.  Session resumption
for one user does NOT affect other users.

  The only way that this can happen is if you use one user name for the
first session, and then using the *same* SSL data, try to authenticate
using a different User-Name.

  All I can say is I can't reproduce this on my system.

  Alan DeKok.
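
The rule in the reply above, that a cached TLS session belongs to the User-Name that completed the full handshake and must not be resumed under another name, can be made explicit with a small model. This is an added example, not FreeRADIUS code and not a claim about how rlm_eap_tls is implemented: it keeps a session cache keyed by TLS session id, binds each entry to one User-Name, refuses a resumption attempt that presents that session under a different name, and replays the two-user scenario from the original post. The session id and the outcome labels are constructed; a real server gets session ids from the TLS library.

```python
from typing import Dict, List, Optional

RESUMED = "resumed"
FULL_HANDSHAKE = "full-handshake"
REJECT = "reject"


class ResumptionCache:
    """Session cache keyed by TLS session id, each entry bound to one User-Name."""

    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled          # mirrors a cache that can be switched off in config
        self._owner: Dict[bytes, str] = {}

    def record_full_handshake(self, session_id: bytes, user_name: str) -> None:
        """Called once a full TLS handshake and the inner authentication succeeded."""
        if self.enabled:
            self._owner[session_id] = user_name

    def decide(self, session_id: Optional[bytes], user_name: str) -> str:
        """Policy for a client that offers session_id while identifying as user_name."""
        if not self.enabled or session_id is None:
            return FULL_HANDSHAKE
        owner = self._owner.get(session_id)
        if owner is None:
            return FULL_HANDSHAKE       # unknown or expired session: negotiate afresh
        if owner != user_name:
            # Same SSL session data, different identity: refuse, and drop the entry
            # so the next attempt under either name has to do a full handshake.
            del self._owner[session_id]
            return REJECT
        return RESUMED


def two_users_one_session(first: str, second: str) -> List[str]:
    """Replays the post's scenario: two identities presenting one cached session."""
    cache = ResumptionCache()
    sid = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed session id
    cache.record_full_handshake(sid, first)
    outcome = [
        cache.decide(sid, first),    # same user again: resumed
        cache.decide(sid, second),   # other user on the first user's session: rejected
        cache.decide(sid, first),    # entry was dropped: first user must redo the handshake
    ]
    cache.record_full_handshake(sid, second)   # second user completes a full handshake
    outcome.append(cache.decide(sid, second))  # and can now resume on their own
    return outcome


if __name__ == "__main__":
    print(two_users_one_session("heruan", "jamila"))
```

Whether the Ubuntu supplicant really offers the first user's session under the second user's name is what the server-side debug output will show; the model only makes the check explicit.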