Unexpected closed sessions in database
Hi friends.

I have a small problem with freeradius and accounting (with database). Something is closing opened sessions and I can't see what the reason is. It seems that accounting_onoff_query was triggered by "something" and the acctterminatecause field is empty, so I don't see anything.

    accounting_onoff_query = "\
        UPDATE ${acct_table1} \
        SET \
            acctstoptime = '%S', \
            acctsessiontime = unix_timestamp('%S') - \
                unix_timestamp(acctstarttime), \
            acctterminatecause = '%{Acct-Terminate-Cause}', \
            acctstopdelay = '%{%{Acct-Delay-Time}:-0}', \
            vrijeme = '%S' \
        WHERE acctstoptime = 0 \
        # WHERE acctstoptime IS NULL \
        AND nasipaddress = '%{NAS-IP-Address}' \
        AND acctstarttime <= '%S'"

The session is still alive in the NAS but, just like I said, accounting doesn't work. I'm using the old sql schema, so "WHERE acctstoptime IS NULL \" is commented out and replaced with "WHERE acctstoptime = 0 \".

In sql.conf I set deletestalesessions to no because I don't need this function.

    # Remove stale session if checkrad does not see a double login
    deletestalesessions = no

FreeRADIUS is 2.1.3.

Any ideas how to trace and solve this problem?

Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Unexpected closed sessions in database
Marinko Tarlac wrote:
> Hi friends.
>
> I have a small problem with freeradius and accounting (with database). Something is closing opened sessions and I can't see what the reason is. It seems that accounting_onoff_query was triggered by "something" and the acctterminatecause field is empty, so I don't see anything.
>
>     accounting_onoff_query = "\
>         UPDATE ${acct_table1} \
>         SET \
>             acctstoptime = '%S', \
>             acctsessiontime = unix_timestamp('%S') - \
>                 unix_timestamp(acctstarttime), \
>             acctterminatecause = '%{Acct-Terminate-Cause}', \
>             acctstopdelay = '%{%{Acct-Delay-Time}:-0}', \
>             vrijeme = '%S' \
>         WHERE acctstoptime = 0 \
>         # WHERE acctstoptime IS NULL \
>         AND nasipaddress = '%{NAS-IP-Address}' \
>         AND acctstarttime <= '%S'"
>
> The session is still alive in the NAS but, just like I said, accounting doesn't work. I'm using the old sql schema, so "WHERE acctstoptime IS NULL \" is commented out and replaced with "WHERE acctstoptime = 0 \".
>
> In sql.conf I set deletestalesessions to no because I don't need this function.
>
>     # Remove stale session if checkrad does not see a double login
>     deletestalesessions = no
>
> FreeRADIUS is 2.1.3.
>
> Any ideas how to trace and solve this problem?

Could be a buggy NAS?

Check detail logs for Accounting-Requests with an Acct-Status-Type of Accounting-On or Accounting-Off. Also check that Accounting-Requests are being sent with the NAS-IP-Address attribute set correctly.

Regards,
Arran
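One way to do the two checks Arran suggests is to scan the detail log for Accounting-On/Off records (the ones that fire accounting_onoff_query) and for Accounting-Requests that arrive without NAS-IP-Address. This is an added example, not code from the thread or from FreeRADIUS; the sample log below is constructed, and the parser assumes the stock detail-file layout (a timestamp line, tab-indented "Attribute = value" lines, a blank line closing each record).

```python
# Added example (not from the thread or from FreeRADIUS): scan a detail
# log for Accounting-On/Off records and for records lacking NAS-IP-Address.
# Assumes the stock detail-file layout described in the lead-in.

# Constructed sample detail log, not a real capture.
SAMPLE_DETAIL = """\
Sat Feb 14 10:30:01 2009
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tNAS-IP-Address = 192.0.2.10
\tAcct-Session-Id = "0000A1B2"

Sat Feb 14 10:31:15 2009
\tAcct-Status-Type = Accounting-On
\tNAS-IP-Address = 192.0.2.10

Sat Feb 14 10:32:40 2009
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tAcct-Session-Id = "0000A1B3"
\tAcct-Terminate-Cause = User-Request
"""

def parse_detail(text):
    """Return a list of (timestamp, {attribute: value}) records."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
            current = None
        elif line.startswith("\t") and current is not None:
            name, _, value = line.strip().partition(" = ")
            current[1][name] = value.strip('"')
        else:                           # timestamp line opens a record
            current = (line.strip(), {})
    if current:
        records.append(current)
    return records

def audit(text):
    """Return (Accounting-On/Off events, records lacking NAS-IP-Address)."""
    onoff, no_nas = [], []
    for ts, attrs in parse_detail(text):
        status = attrs.get("Acct-Status-Type")
        if status in ("Accounting-On", "Accounting-Off"):
            onoff.append((ts, status, attrs.get("NAS-IP-Address")))
        if "NAS-IP-Address" not in attrs:
            no_nas.append((ts, status, attrs.get("Acct-Session-Id")))
    return onoff, no_nas
```

Run it over a real detail file (for example `audit(open("/var/log/radius/radacct/192.0.2.10/detail-20090214").read())`, path assumed) and compare the timestamps of the Accounting-On/Off hits with the acctstoptime values the query wrote.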
FreeRADIUS LDAP HOWTO
I'd just like to make other subscribers / searchers / admins pulling their hair out aware of the FreeRADIUS LDAP HOWTO available here...

http://freeradius.org/radiusd/doc/ldap_howto.txt

For some reason it doesn't seem to be linked to on any main website or wiki page - bizarrely including the HOWTO page...

http://wiki.freeradius.org/HOWTO

Perhaps this can be rectified?

I wish I'd found it earlier!

Thanks.
Re: FreeRADIUS LDAP HOWTO
Andrew Hall wrote:
> I'd just like to make other subscribers / searchers / admins pulling their hair out aware of the FreeRADIUS LDAP HOWTO available here...
>
> http://freeradius.org/radiusd/doc/ldap_howto.txt
>
> For some reason it doesn't seem to be linked to on any main website or wiki page - bizarrely including the HOWTO page...

Maybe because it was written 6 years ago, and very few of the FreeRADIUS 1.* examples will still work with 2.

> http://wiki.freeradius.org/HOWTO
>
> Perhaps this can be rectified?
>
> I wish I'd found it earlier!
>
> Thanks.
Re: Migration from TACACS+ to RADIUS
Alan DeKok wrote:
> Nicholas R. Cappelletti wrote:
>> In the recent weeks, I have come across some downfalls to using TACACS+ such as no 802.1x authentication, no WPA integration, and the impossible integration into both Kerberos and LDAP. I hate to sound naive, but like many who need help, I'm new to RADIUS, its configuration, and its capabilities. With that said, I have a few questions concerning functionality that I had with TACACS+ and its equivalence in RADIUS.
>>
>> 1. How granular can I get with command authorization? Currently, TACACS+ is used for VPN authentication and device login, but not all those users should, or need, access to the CLI of the network equipment (We use both Cisco and HP devices). Eventually I would like to use the RADIUS setup for wireless authentication too.
>
> The hope is that we can add TACACS+ support to FreeRADIUS in a future version. That will help with migration.

Can this be expected in the foreseeable future?

Norbert Wegener

> Alan DeKok.
Re: FreeRADIUS LDAP HOWTO
Arran Cudbard-Bell wrote...
> Maybe because it was written 6 years ago, and very few of the FreeRADIUS 1.* examples will still work with 2

I see your point, but why deny users access to this information? Surely all that's required is a note informing them of this. I administer a legacy 1.x server, so this helped me and may help others. Perhaps the original author (are they still about?) or someone else could update this document.

On a similar note, does anyone know if O'Reilly plan to update their RADIUS book? Both that and the LDAP book are now well out of date.
Re: FreeRADIUS LDAP HOWTO
Andrew Hall wrote:
> On a similar note, does anyone know if O'Reilly plan to update their RADIUS book?

They don't. The book sold well initially (i.e. the first few months). After that, people realized it was less than helpful.

I've been trying to write a book for a while. I've recently found someone who can help, so that should shorten the time frame.

Alan DeKok.
Re: Migration from TACACS+ to RADIUS
Norbert Wegener wrote:
>> The hope is that we can add TACACS+ support to FreeRADIUS in a future version. That will help with migration.
>>
> Can this be expected in the foreseeable future?

Maybe within 6 months? We've been involved with the RadSec documents (RADIUS over TLS over TCP). Once TCP support is in the server, basic TACACS+ is probably only another 1K LoC.

Alan DeKok.
Re: FW: wimax.c
dave anderson wrote:
> However, to populate these other variables into the reply, such as the Session reply, it is not clear how to do so:
>
> WiMAX-AAA-Session-ID = ?
> WiMAX-HA-RK-SPI = ?
> WiMAX-HA-RK-Lifetime = ?

The WiMAX specifications really aren't clear how most of those are calculated. i.e. it says "up to local administrator".

> How do I get the reply to include these with correct values?
>
> Further, putting WiMAX-MN-NAI = "%{User-Name}" in the default config prior to calling the wimax function still results in the WiMAX module warning that WiMAX-MN-NAI has not been set.

That's fixed in git, and will be in 2.1.4.

Alan DeKok.
RE: wimax.c
Ok thanks, so for the first item I can just put some function in to calculate it as I want, or static code them.

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com]
Sent: February 14, 2009 10:32 AM
To: FreeRadius users mailing list
Subject: Re: FW: wimax.c

dave anderson wrote:
> However, to populate these other variables into the reply, such as the Session reply, it is not clear how to do so:
>
> WiMAX-AAA-Session-ID = ?
> WiMAX-HA-RK-SPI = ?
> WiMAX-HA-RK-Lifetime = ?

The WiMAX specifications really aren't clear how most of those are calculated. i.e. it says "up to local administrator".

> How do I get the reply to include these with correct values?
>
> Further, putting WiMAX-MN-NAI = %{User-Name} in the default config prior to calling the wimax function still results in the WiMAX module warning that WiMAX-MN-NAI has not been set.

That's fixed in git, and will be in 2.1.4.

Alan DeKok.
Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Alan,

Thanks for your answer. Can you point me to a document or website where the following mechanism is described well? i.e.

MSCHAPv2 RADIUS client
-> FreeRADIUS does the MSCHAPv2 challenge?
-> auth is delegated to an external script receiving attributes like username and password in clear
-> external script gives the auth ok answer
-> FreeRADIUS gives the auth accepted answer to the MSCHAPv2 RADIUS client.

The part I don't understand is how this MSCHAPv2 auth works in FreeRADIUS, and how the external script could get the attributes when the MSCHAPv2 challenge password is encrypted? Does it mean that I have to implement the MSCHAPv2 challenge auth by myself, entirely in the external script?

Concerning the cleartext password: in your previous message, you say "get it from somewhere", but I can't figure out how...

Thanks a lot

Best regards
Fab

Alan DeKok wrote:
> Fabiano wrote:
>> Hello,
>>
>> Does anyone know where I can find some information on how to use the following in freeradius? I have an external shell script which awaits arguments (username, clear password, and other arguments) and returns an answer for validation. The problem is that I cannot find any lead on how to do this while using MSCHAPv2...
>
> $ man unlang
>
> Then, run the script in the post-auth section.
>
>> And I am not sure how to do this with Exec-Program-Wait. Is this possible without rewriting the module in C? Is there any way to have the cleartext password sent to the external script?
>
> Sure. Get it from somewhere, and then send it to the script.
>
> Alan DeKok.
RE: wimax.c
Also, the radacct table has an empty field for Calling-Station-Id for wimax. I know wimax has this field in hex rather than ascii, which is a problem addressed in wimax.c for auth. Changing the library to octets instead of string solves it for auth. Can you tell me which module or .c to look at for repairing this for accounting and I will make the change.

DA

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com]
Sent: February 14, 2009 10:32 AM
To: FreeRadius users mailing list
Subject: Re: FW: wimax.c

dave anderson wrote:
> However, to populate these other variables into the reply, such as the Session reply, it is not clear how to do so:
>
> WiMAX-AAA-Session-ID = ?
> WiMAX-HA-RK-SPI = ?
> WiMAX-HA-RK-Lifetime = ?

The WiMAX specifications really aren't clear how most of those are calculated. i.e. it says "up to local administrator".

> How do I get the reply to include these with correct values?
>
> Further, putting WiMAX-MN-NAI = %{User-Name} in the default config prior to calling the wimax function still results in the WiMAX module warning that WiMAX-MN-NAI has not been set.

That's fixed in git, and will be in 2.1.4.

Alan DeKok.
Re: wimax.c
dave anderson wrote:
> Also, the radacct table has an empty field for Calling-Station-Id for wimax. I know wimax has this field in hex rather than ascii, which is a problem addressed in wimax.c for auth. Changing the library to octets instead of string solves it for auth.

Don't. Instead, list the "wimax" module in the "authorize" and "preacct" sections. It will re-write the Calling-Station-Id to something sane.

This issue has been brought to the attention of the WiMAX forum, and after some pushing, it will be fixed in a future revision of their specifications.

Alan DeKok.