Re: Re :checking authorization in the duration of connection

2009-05-06 Thread Ivan Kalik
> Hi Arran
> I have trouble. Would you please send me codes?
> I don't know how those who support ADSL do it, when users are online all
> day and there is a limit on the traffic amount?
>
>> It's possible even if the NAS doesn't support PoD, so long as the NAS
>> supports the 802.1X MIB, you should be able to fire off an SNMP-SET with
>> the exec module and force re-authentication. All the required information
>> is available in the Accounting Request the server just received.
>>
>> If you're really having trouble and ask nicely I'll write some example
>> code.
>>
>> Arran

802.1x coding is not going to be of much use for adsl. What NAS are you
using? Does it support gigawords in accounting and does it have traffic
limiting VSAs? Best thing to do is to create a traffic sqlcounter that
will set the session limit at the start of the session (at authentication)
and use methods explained in netexpertise article to keep collected
traffic information more realistic (in that scenario losing even one stop
packet for a session that lasted days would be quite bad).

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius for WiMAX Authentication

2009-05-06 Thread Kiran Kumar
Hi All,

I was interested in knowing if we can use the Freeradius server for WiMAX
Authentication. Some of the additional features that would be required are:

1. Vendor Specific Attributes inclusion in the Radius Messages (I think
   some amount of this can be done now - but can you tell me how)
2. Generation of WiMAX Session keys
3. Support for MSCHAPv2 inner authentication ??
4. Support for HA ??

Where does the Freeradius server store the accounting records? Is it stored as
a raw file or is there some processing done by the server on these records?

Has anyone used Free radius for WiMAX testing before? If so, can you give me
some pointers on how and what 'more' modifications are needed.

Thanks and Regards,

Kiran Kumar.B

WiMAX Test Engineer


Re: Freeradius for WiMAX Authentication

2009-05-06 Thread Ivan Kalik
> I was interested in knowing if we can use the Freeradius server for WiMAX
> Authentication. Some of the additional features that would be required
> are:
>
> 1. Vendor Specific Attributes inclusion in the Radius Messages (I think
> some amount of this can be done now - but can you tell me how)

It always could be done. You add them to the reply - just like any other
attribute. It will work as long as freeradius has those attributes in the
vendor dictionary.

> 2. Generation of WiMAX Session keys

Read raddb/modules/wimax.

> 3. Support for MSCHAPv2 inner authentication ??

Is there by default.

> 4. Support for HA ??

Have a backup (secondary) radius server on standby. Any NAS should be able
to handle it.

Ivan Kalik
Kalik Informatika ISP



Re: Re :checking authorization in the duration of connection

2009-05-06 Thread Eric
How about Windows VPN as NAS?

> 802.1x coding is not going to be of much use for adsl. What NAS are you
> using? Does it support gigawords in accounting and does it have traffic
> limiting VSAs? Best thing to do is to create a traffic sqlcounter that
> will set the session limit at the start of the session (at authentication)
> and use methods explained in netexpertise article to keep collected
> traffic information more realistic (in that scenario losing even one stop
> packet for a session that lasted days would be quite bad).
>
> Ivan Kalik
> Kalik Informatika ISP

Re: Re :checking authorization in the duration of connection

2009-05-06 Thread Ivan Kalik
> How about Windows VPN as NAS?

Is that a joke? Windows server would be useless. It can't terminate adsl,
at least not much more than one line. So, someone else is going to
terminate adsl and send you what via VPN? Accounting? You don't need
Windows at all then - just a freeradius server. Or traffic via L2TP
tunnels? Your Windows server is going to die with any significant amount
of traffic. Using Windows server as a router is insane. It can work like
that - but very, very badly. Even a cheap dumb $50-$100 router like
Mikrotik will outperform it by miles.

Ivan Kalik
Kalik Informatika ISP



problem with eap-tls between FR and XP client

2009-05-06 Thread bLn

hi forum,

I'm trying to connect a Windows XP client (also I'm trying with Vista)
with freeradius with EAP-TLS. I made my set of certificates (from this
site http://www.linuxjournal.com/node/8095/print) and now, I have: CA,
radius_cert.pem, radius_key.pem, radius_keycert.pem, radius_req.pem,
cliente_cert.p12, cliente_key.pem, cliente_cert.pem, cliente_req.pem,
dh, random, xpextensions, xpclient_ext, xpserver_ext


I've configured eap.conf of this way:

tls {
   certdir = ${confdir}/certs2
   cadir = ${confdir}/certs2
   private_key_password = ***
   private_key_file = ${certdir}/radius_keycert.pem
   certificate_file = ${certdir}/radius_keycert.pem
   CA_file = ${cadir}/cacert.pem
   dh_file = ${certdir}/dh
   random_file = ${certdir}/random
   cipher_list = DEFAULT
   make_cert_command = ${certdir}/bootstrap
}


And I've installed my cacert.pem and cliente_cert.p12 into mmc into 
Trusted Root Certification Authorities and Personal - certificates, 
respectively.


When I try to connect with freeradius my log is this: (it's too long  
because I see the same request again and again)



rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=159, 
length=199

   User-Name = carlosg...@realmprueba.com
   NAS-IP-Address = 10.0.0.1
   NAS-Port = 0
   Called-Station-Id = 00116b3f0ce5
   Calling-Station-Id = 00215d9ade9a
   NAS-Identifier = Realtek Access Point. 8181
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Service-Type = Framed-User
   Connect-Info = CONNECT 11Mbps 802.11b
   EAP-Message = 0x021a016361726c6f7367617269407769746563682e636f6d
   Message-Authenticator = 0xc6247c05f7aae962aecbc459c9416907
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm realmprueba.com for User-Name = 
carlosg...@realmprueba.com

[suffix] Found realm realmprueba.com
[suffix] Adding Realm = realmprueba.com
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[sql]   expand: %{User-Name} - carlosg...@realmprueba.com
[sql] sql_set_user escaped user -- 'carlosg...@realmprueba.com'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER 
BY id - SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = 
'carlosg...@realmprueba.com'   ORDER BY id

[sql] User found in radcheck table
[sql]   expand: SELECT groupname   FROM usergroup   
WHERE username = '%{SQL-User-Name}'   ORDER BY id - SELECT 
groupname   FROM usergroup   WHERE username = 
'carlosg...@realmprueba.com'   ORDER BY id
[sql]   expand: SELECT id, groupname, attribute,   Value, 
op   FROM radgroupcheck   WHERE groupname = 
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname, 
attribute,   Value, op   FROM radgroupcheck   
WHERE groupname = 'Navega Mes'   ORDER BY id

[sql] User found in group Navega Mes
[sql]   expand: SELECT id, groupname, attribute, value, op   
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   
ORDER BY id - SELECT id, groupname, attribute, value, op   FROM 
radgroupreply   WHERE groupname = 'Navega Mes'   ORDER BY id

rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 159 to 10.0.0.1 port 3072
   EAP-Message = 0x010100060d20
   Message-Authenticator = 0x
   State = 0x84a02e6384a123686383961ecc8fb910
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=160, 
length=191

   User-Name = carlosg...@realmprueba.com
   NAS-IP-Address = 10.0.0.1
   NAS-Port = 0
   Called-Station-Id = 00116b3f0ce5
   Calling-Station-Id = 00215d9ade9a
   NAS-Identifier = Realtek Access Point. 8181
   NAS-Port-Type = Wireless-802.11
   Service-Type = Framed-User
   Connect-Info = CONNECT 11Mbps 802.11b
   EAP-Message = 0x020100060319
   State = 0x84a02e6384a123686383961ecc8fb910
   Message-Authenticator = 0xe9335e399fadf61413fddd7e717c778f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] 

authcheck vs. groupcheck with FreeRadius 2.1.1

2009-05-06 Thread Michael Schramm

Hello,

we have migrated from Freeradius 0.9 to 2.1. We are using the freeradius
with a failover MySQL Configuration.
Since the migration we have customers which get in trouble, because we
configured Simultaneous Use Check Items on the user (e.g. Value 4) and
on the corresponding group (e.g. Value 2).
At the old Radius version the value was taken from the User and the
Group attribute was ignored.
Now the user can't authenticate 4 times, because the server checks the
group value.
How can I change this behaviour? If you need configuration fragments,
please tell and I will supply them.


Thanks a lot and best regards

Michael Schramm




user login once???

2009-05-06 Thread Nizar Zulmi
How to set up freeradius server to perform user log in to server once in a day
or a few logins in a month.. help please..



SQL Counters and Realms

2009-05-06 Thread liran tal
Hey,

In my FR1.1.7 setup, I have different realms for the same machine using
different databases for each.
The login part is ok, as well as the accounting, which has entries in the
radacct table for account.

I enabled one of the sql counters modules which, as it seems, isn't
returning any results, because I am
suspecting that it's running the query on another realm's database. I have
several of the sql.conf config
files for each realm, so what I'm basically doing is having in accounting {}
section something like this:
   Acct-Type SQL_EXAMPLE {
       sql_example
   }

What do you think is happening?
Here is the relevant debug snippet from freeradius:

Wed May  6 22:47:28 2009 : Debug:   modsingle[authorize]: calling
accessperiod (rlm_sqlcounter) for request 0
Wed May  6 22:47:28 2009 : Debug: rlm_sqlcounter: Entering module authorize
code
Wed May  6 22:47:28 2009 : Debug: sqlcounter_expand:  'SELECT
UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName
= '%{Stripped-User-Name:-%{User-Name}}' ORDER BY AcctStartTime LIMIT 1'
Wed May  6 22:47:28 2009 : Debug: radius_xlat:  'SELECT UNIX_TIMESTAMP() -
UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = 'access1' ORDER
BY AcctStartTime LIMIT 1'
Wed May  6 22:47:28 2009 : Debug: sqlcounter_expand:  '%{sql:SELECT
UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName
= 'access1' ORDER BY AcctStartTime LIMIT 1}'
Wed May  6 22:47:28 2009 : Debug: radius_xlat: Running registered xlat
function of module sql for string 'SELECT UNIX_TIMESTAMP() -
UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = 'access1' ORDER
BY AcctStartTime LIMIT 1'
Wed May  6 22:47:28 2009 : Debug: rlm_sql (sql): - sql_xlat
Wed May  6 22:47:28 2009 : Debug: radius_xlat:  'access1'
Wed May  6 22:47:28 2009 : Debug: rlm_sql (sql): sql_set_user escaped user
-- 'access1'
Wed May  6 22:47:28 2009 : Debug: radius_xlat:  'SELECT UNIX_TIMESTAMP() -
UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = 'access1' ORDER
BY AcctStartTime LIMIT 1'
Wed May  6 22:47:28 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed May  6 22:47:28 2009 : Debug: rlm_sql (sql): SQL query did not return
any results
Wed May  6 22:47:28 2009 : Debug: rlm_sql (sql): Released sql socket id: 2
Wed May  6 22:47:28 2009 : Debug: radius_xlat:  ''
Wed May  6 22:47:28 2009 : Debug: rlm_sqlcounter: (Check item - counter) is
greater than zero
Wed May  6 22:47:28 2009 : Debug: rlm_sqlcounter: Authorized user access1,
check_item=300, counter=0
Wed May  6 22:47:28 2009 : Debug: rlm_sqlcounter: Sent Reply-Item for user
access1, Type=Session-Timeout, value=300
Wed May  6 22:47:28 2009 : Debug:   modsingle[authorize]: returned from
accessperiod (rlm_sqlcounter) for request 0
Wed May  6 22:47:28 2009 : Debug:   modcall[authorize]: module
accessperiod returns ok for request 0

Regards,
Liran.

Re: authcheck vs. groupcheck with FreeRadius 2.1.1

2009-05-06 Thread Ivan Kalik
> we have migrated from Freeradius 0.9 to 2.1. We are using the freeradius
> with a failover MySQL Configuration.
> Since the migration we have customers which get in trouble, because we
> configured Simultaneous Use Check Items on the user (e.g. Value 4) and
> on the corresponding group (e.g. Value 2).
> At the old Radius version the value was taken from the User and the
> Group attribute was ignored.
> Now the user can't authenticate 4 times, because the server checks the
> group value.

Yes, in current version group values with operator := will override user
specific values for the same attribute.

> How can I change this behaviour?

You can alter the source code in rlm_sql. Or override group values with
unlang (or perl; or whatever).

Ivan Kalik
Kalik Informatika ISP
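One way to do the unlang override Ivan mentions, as an added example (not from the thread): once sql has loaded both the user's and the group's check items, re-read the user's own Simultaneous-Use row and put it back on top of the group value. Assumed: FreeRADIUS 2.1 unlang, an sql instance called sql with the stock radcheck schema, and Tmp-String-0 present in the internal dictionary.

```unlang
# sites-available/default, authorize section (constructed example)
authorize {
	preprocess
	suffix
	eap
	sql

	# sql has just run: radcheck rows first, then radgroupcheck rows, and a
	# group row stored with ":=" has replaced the user's Simultaneous-Use in
	# the control list. Fetch the user's own row again through the sql xlat.
	# SQL-User-Name is the escaped name sql itself used for its queries, so
	# quote characters in the login cannot break the statement.
	update control {
		Tmp-String-0 := "%{sql:SELECT value FROM radcheck WHERE username = '%{SQL-User-Name}' AND attribute = 'Simultaneous-Use' ORDER BY id LIMIT 1}"
	}

	# Override only when the user really has a personal limit; otherwise the
	# group value (or no limit at all) stands. This reproduces the 0.9
	# behaviour described in the question: user value wins, group ignored.
	if (control:Tmp-String-0 != "") {
		update control {
			Simultaneous-Use := "%{control:Tmp-String-0}"
		}
	}

	pap
}
```

The same operator rule Ivan describes means a radgroupcheck row stored with `=` instead of `:=` does not replace a value the user row already set, which avoids the extra query entirely if you are free to change the data.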



Re: user login once???

2009-05-06 Thread Ivan Kalik
> How to set up freeradius server to perform user log in to server once in a
> day or a few logins in a month.. help please..

Radius server doesn't log in users onto the server. Ever! Perhaps you want
something else: allow one login per day (or a few per month)?

Ivan Kalik
Kalik Informatika ISP



Re: SQL Counters and Realms

2009-05-06 Thread Ivan Kalik
> Hey,
>
> In my FR1.1.7 setup, I have different realms for the same machine using
> different databases for each.
> The login part is ok, as well as the accounting, which has entries in the
> radacct table for account.
>
> I enabled one of the sql counters modules which, as it seems, isn't
> returning any results, because I am
> suspecting that it's running the query on another realm's database. I have
> several of the sql.conf config
> files for each realm, so what I'm basically doing is having in accounting
> {}
> section something like this:
>    Acct-Type SQL_EXAMPLE {
>        sql_example
>    }
>
> What do you think is happening?

sqlcounter module has a config item sqlmod-inst which selects sql instance
(database connection) that counter should use. Are you using the correct
instance for that counter?

Ivan Kalik
Kalik Informatika ISP
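Added example, not from either post, putting two of Ivan's points together: a traffic sqlcounter of the kind he recommends in the ADSL thread above, with sqlmod-inst pointing at the realm's own sql instance as he advises here. Assumed: FreeRADIUS 2.x syntax, an sql instance named sql_example that writes this realm's radacct, a radcheck row Max-Monthly-Traffic := <octets> for each capped user, and a NAS that honours Mikrotik-Total-Limit (substitute whatever traffic-limit VSA your NAS has).

```unlang
# raddb/modules/monthlytraffic (constructed example)
sqlcounter monthlytraffic {
	# check-name is the per-user quota in octets, taken from the control
	# list (radcheck). sqlcounter registers both attributes in the
	# dictionary itself, so no dictionary edit is needed.
	counter-name = Monthly-Traffic
	check-name = Max-Monthly-Traffic

	# What is left (check minus counter) is sent to the NAS in this VSA at
	# authentication, so the NAS ends the session itself; this does not
	# depend on PoD or on the server noticing mid-session. Both the counter
	# and this VSA are 32-bit in 2.x: quotas above 4 GiB need the Gigawords
	# companion attribute and a query that folds gigawords in.
	reply-name = Mikrotik-Total-Limit

	# The sql instance that actually writes this realm's radacct. The
	# default "sql" points at another database in a per-realm setup, and
	# the counter then silently sees no rows (counter=0, everyone passes).
	sqlmod-inst = sql_example

	key = User-Name
	reset = monthly

	# Octets used in the current period: %k is the key attribute, %b the
	# start of the reset period. Open sessions have no stop record yet, so
	# interim updates are what keep this honest for sessions lasting days.
	query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE username = '%{%k}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
}

# sites-available/default: the counter must run after the sql instance that
# loads the user's Max-Monthly-Traffic check item, or it has nothing to check.
# A user whose counter already exceeds the check item is rejected here.
authorize {
	preprocess
	suffix
	eap
	sql_example
	monthlytraffic
	pap
}
```

A matching radcheck row for a 2 GiB cap would be `('bob', 'Max-Monthly-Traffic', ':=', '2147483648')` (constructed value); anything larger than 4294967295 does not fit the 32-bit integer type in 2.x.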



Re: SQL Counters and Realms

2009-05-06 Thread liran tal
You're correct, I haven't noticed this parameter and its default
'sql' is a different
database setup indeed.
Thanks,
Liran.


On Wed, May 6, 2009 at 11:16 PM, Ivan Kalik t...@kalik.net wrote:

>> Hey,
>>
>> In my FR1.1.7 setup, I have different realms for the same machine using
>> different databases for each.
>> The login part is ok, as well as the accounting, which has entries in the
>> radacct table for account.
>>
>> I enabled one of the sql counters modules which, as it seems, isn't
>> returning any results, because I am
>> suspecting that it's running the query on another realm's database. I
>> have
>> several of the sql.conf config
>> files for each realm, so what I'm basically doing is having in accounting
>> {}
>> section something like this:
>>    Acct-Type SQL_EXAMPLE {
>>        sql_example
>>    }
>>
>> What do you think is happening?
>
> sqlcounter module has a config item sqlmod-inst which selects sql instance
> (database connection) that counter should use. Are you using the correct
> instance for that counter?
>
> Ivan Kalik
> Kalik Informatika ISP


Re: Problem with FreeRADIUS Active Directory Integration

2009-05-06 Thread Ivan Kalik
> In our test lab we are working on using FreeRADIUS to authenticate users
> against their AD credentials.  We loaded FreeRADIUS on a Fedora 10.  We
> loaded SAMBA and it works.  We loaded freeradius-2.1.3-1.fc10.i386.
>
> We followed the
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO.
> We booted an XP workstation and logged in.  It never got a DHCP address
> and failed authentication.

Read the prerequisites in the article! Updated tutorial is at:

http://deployingradius.com/documents/configuration/active_directory.html

I have added that link to the wiki page.

Ivan Kalik
Kalik Informatika ISP



Regular expression in radcheck

2009-05-06 Thread Eric Geier
Hi,

I know there's hunt groups, but can't I use a reg exp to indicate multiple
MAC addresses in a Calling-Station-ID entry on the radcheck table, so users
can use multiple computers?

Here is what I have:

u...@domain Calling-Station-ID =~
00-1c-b3-b1-3e-00|00-1c-b3-b1-3e-01|00-1c-b3-b1-3e-02

However, any MAC address is accepted... it's not working like I think it
should.

Thanks!
Eric



Re: user login once???

2009-05-06 Thread Nizar Zulmi
Thank you Ivan, yaps.. that's exactly what I mean.. give me a clue please..

From: Ivan Kalik t...@kalik.net
Subject: Re: user login once???
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Thursday, May 7, 2009, 3:06 AM

> How to set up freeradius server to perform user log in to server once in a
> day or a few logins in a month.. help please..

Radius server doesn't log in users onto the server. Ever! Perhaps you want
something else: allow one login per day (or a few per month)?

Ivan Kalik
Kalik Informatika ISP



