Re: Fair usage package implementation

2009-05-09 Thread Ming-Ching Tiew



--- On Sat, 5/9/09, Ivan Kalik  wrote:

> 
> Yes. You can put if statement before update coa and make it
> conditional.
> Just like with updating any other list.
> 

OK, point taken. Further to this I have added update coa into preacct;
the conditional update coa has no error, but I get a WARNING upon
receiving accounting packets from the NAS:

begin---
Sending Accounting-Response of id 5 to 192.168.130.220 port 3790
WARNING: Unknown destination 192.168.130.220:3799 for CoA request.
Do CoA Fail handler here
Finished request 9.
end---

For this particular NAS, I have set up the coaport to be 3790, and as
you can see in the RADIUS reply, the RADIUS server is sending the
Accounting-Response to it.

Why is there a warning of 'Unknown destination 192.168.130.220:3799 for CoA
request'? Is it because the NAS is not set up properly to listen on
port 3799? Where does the figure 3799 come from, a standard port number?

Regards



  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

2009-05-09 Thread john
> Ah, you weren't mentioning AD. With AD you can exercise reasonable
> control. And issuing and installing certificates shouldn't be much of a
> problem (read about domain member autoenrollment). You should go for AD
> integration:

Hi, Ivan. I mentioned AD but it was way back in the first email. To
recap my setup looks like
Active Directory <=> winbind <=> Freeradius <=> NAS <=> Supplicant

I set this up by following the link you reference. So that part is good :-)

>
> http://deployingradius.com/documents/configuration/active_directory.html
>
> and leave user/machine authentication to AD.

Right, so user auth is the job of AD. Are you aware of any pointers or
how-tos on getting autoenrollment working with AD and Freeradius?

> No, in your case you should use machine certificates. You have already put
> increased workload into AD - use it. But still, dynamic VLANs would be
> much preferred to static ones. And you would save yourself the workload
> needed to secure NAS/port combinations from unwanted access with
> huntgroups/sqlhuntgroups.

Can you explain what you mean by this?

Thank you for all of your advice. I really appreciate it!

John


Re: checking authorization in the duration of connection

2009-05-09 Thread Ivan Kalik
> Sorry for barging into the thread, but something just caught my
> attention. We use Mikrotik throughout our network, and have found them
> quite useful; with the right hardware, it performs pretty well in
> our setup.
>
> But there are guys in this forum who are, quite frankly, way ahead
> of me in terms of both knowledge and experience. So, could you
> please elaborate why you rate Mikrotik as dumb? Perhaps I am already
> in trouble!

And plenty of other people find it buggy and quirky. It claims to support
many things which then turn out to be half-baked. But with realistic
demands it's great value for money.

Ivan Kalik
Kalik Informatika ISP



Re: Re :checking authorization in the duration of connection

2009-05-09 Thread Ivan Kalik
> I mean, if there is a Windows VPN server as a NAS for the RADIUS server,
> could I set the session limit at the start of the session (at
> authentication) and use the methods explained in the netexpertise
> article?
>

No. Microsoft has no traffic limiting VSAs. And it doesn't support
CoA/PoD. In Windows speak CoA stands for Certificate of Authenticity
(that's where their priorities are - in licencing). It supports only time
limited sessions (Session-Timeout).

Mikrotik can do this. I think that they have also implemented CoA in the
latest RouterOS release.

Ivan Kalik
Kalik Informatika ISP

>
>> How about vpn windows as NAS?
>>
>
> Is that a joke? Windows server would be useless. It can't terminate adsl,
> at least not much more than one line. So, someone else is going to
> terminate adsl and send you what via VPN? Accounting? You don't need
> Windows at all then - just a freeradius server. Or traffic via L2TP
> tunnels? Your Windows server is going to die with any significant amount
> of traffic. Using Windows server as a router is insane. It can work like
> that - but very, very badly. Even a cheap dumb $50-$100 router like
> Mikrotik will outperform it by miles.
>
> Ivan Kalik
> Kalik Informatika ISP
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html




Re: Fair usage package implementation

2009-05-09 Thread Ivan Kalik
> Is it site-available/originate-coa that you are referring to?
> I have read it many times.
>
> OK, for example, there is an update coa { .. } which
> we put somewhere in preacct?
>
> But I want the CoA packet to be sent only in reaction to
> certain conditions. I don't want it to be chatty
> and heavy on server processing. Furthermore the
> list of attributes in the CoA list could be dynamic
> too. Putting the list into the configuration files,
> if I understand it correctly, will be static,
> and also make things very chatty, i.e. every
> accounting packet arriving at the server
> will cause a FIXED CoA list to be sent to the NAS?
>
> I must be seriously wrong somewhere in my understanding!

Yes. You can put if statement before update coa and make it conditional.
Just like with updating any other list.

Ivan Kalik
Kalik Informatika ISP



Re: Fair usage package implementation

2009-05-09 Thread Ming-Ching Tiew



--- On Sat, 5/9/09, Alan DeKok  wrote:

> From: Alan DeKok 
> Subject: Re: Fair usage package implementation
> To: "FreeRadius users mailing list" 
> Date: Saturday, May 9, 2009, 12:41 PM
> Ming-Ching Tiew wrote:
> > Sorry, I am quite an idiot here. I have been reading everything in
> > radius 2.1.4, but I don't see how this is integrated into
> > the radiusd server. Am I missing anything?
> 
>   Read doc/ChangeLog.  Look for "coa".
> 
> > Is this to say that upon receiving accounting packets, spinning off a
> > check and, if the condition is met, sending a CoA reply via radclient
> > is the way to go now?
> 
>   No.  That's not what I said at all.
> 
>   The server can send CoA requests... NOT replies.  And you don't need
> radclient to do it.
> 
>   Go read doc/ChangeLog.  Look for "coa".  Then go read the file that it
> points you to.  All of this is explained in the files that are included
> with the server.
> 

Thanks for being patient !

Is it site-available/originate-coa that you are referring to?
I have read it many times.

OK, for example, there is an update coa { .. } which
we put somewhere in preacct?

But I want the CoA packet to be sent only in reaction to
certain conditions. I don't want it to be chatty
and heavy on server processing. Furthermore the
list of attributes in the CoA list could be dynamic
too. Putting the list into the configuration files,
if I understand it correctly, will be static,
and also make things very chatty, i.e. every
accounting packet arriving at the server
will cause a FIXED CoA list to be sent to the NAS?

I must be seriously wrong somewhere in my understanding!

Regards.
 




  


Re: Fair usage package implementation

2009-05-09 Thread Alan DeKok
Ming-Ching Tiew wrote:
> Sorry, I am quite an idiot here. I have been reading everything in
> radius 2.1.4, but I don't see how this is integrated into
> the radiusd server. Am I missing anything?

  Read doc/ChangeLog.  Look for "coa".

> Is this to say
> that upon receiving accounting packets, spinning off a check
> and, if the condition is met, sending a CoA reply via radclient
> is the way to go now?

  No.  That's not what I said at all.

  The server can send CoA requests... NOT replies.  And you don't need
radclient to do it.

  Go read doc/ChangeLog.  Look for "coa".  Then go read the file that it
points you to.  All of this is explained in the files that are included
with the server.

  Alan DeKok.


Re: checking authorization in the duration of connection

2009-05-09 Thread Nyamul Hassan
Hi,

Sorry for barging into the thread, but something just caught my
attention. We use Mikrotik throughout our network, and have found them
quite useful; with the right hardware, it performs pretty well in
our setup.

But there are guys in this forum who are, quite frankly, way ahead
of me in terms of both knowledge and experience. So, could you
please elaborate why you rate Mikrotik as dumb? Perhaps I am already
in trouble!

Regards,
HASSAN

On 5/6/09, Ivan Kalik  wrote:
>> How about vpn windows as NAS?
>>
>
> Is that a joke? Windows server would be useless. It can't terminate adsl,
> at least not much more than one line. So, someone else is going to
> terminate adsl and send you what via VPN? Accounting? You don't need
> Windows at all then - just a freeradius server. Or traffic via L2TP
> tunnels? Your Windows server is going to die with any significant ammount
> of traffic. Using Windows server as a router is insane. It can work like
> that - but very, very badly. Even a cheap dumb $50-$100 router like
> Mikrotik will outperform it by miles.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>

-- 
Sent from my mobile device


Re: Fair usage package implementation

2009-05-09 Thread Ming-Ching Tiew



--- On Fri, 5/8/09, Alan DeKok  wrote:

> From: Alan DeKok 
> Subject: Re: Fair usage package implementation
> To: "FreeRadius users mailing list" 
> Date: Friday, May 8, 2009, 11:52 AM
> Ming-Ching Tiew wrote:
> > I wonder how such a "package" can be implemented:
> > 
> >    1. Unlimited rate normally
> >    2. But when downloaded packets exceed a certain defined
> >       figure, download rate is throttled.
> 
>   Ensure that the NAS can dynamically change download rate.  If it
> can't, then no amount of work on the RADIUS server will help.
> 
> > One way I could think of is to run a batch job which works out
> > per user octet usage and then sets the attribute WISPr-Bandwidth-Max-Down
> > accordingly. But this will have to be on a per day basis;
> > it might be too late (after the subscriber has over-abused it).
> > 
> > Is there a way such a thing can be implemented inside radiusd so that
> > everything happens on the fly?
> 
>   You said it yourself... the server is receiving accounting packets.
> You can check *then* whether or not the user is over their quota.
> 
>   In fact, that's *exactly* the use case for the CoA functionality in
> the server.  You can check for bandwidth usage, and if the user is over
> the limit, send a CoA or Disconnect packet to the NAS.
> 
>   NASes from major vendors are now starting to implement support for CoA
> and Disconnect packets.
> 

Sorry, I am quite an idiot here. I have been reading everything in
radius 2.1.4, but I don't see how this is integrated into
the radiusd server. Am I missing anything? Is this to say
that upon receiving accounting packets, spinning off a check
and, if the condition is met, sending a CoA reply via radclient
is the way to go now?

Best regards.


  
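An added example for two points in this thread: Alan DeKok's advice quoted above (check the quota when the Accounting-Request arrives, then send a CoA or Disconnect packet to the NAS) and the "Unknown destination ...:3799" question at the top of the page. This is not FreeRADIUS code; the server does this in-process with a conditional `update coa` in preacct and a `home_server` of `type = coa` (sites-available/originate-coa), and 3799 is the default port RFC 5176 assigns to Disconnect/CoA. The script shows the decision and the wire format so the debug output can be read: the quota thresholds, shared secret, session values and the 256 kbit/s throttle are constructed; the attribute numbers are the standard RFC 2865/2866 ones and the WISPr VSA numbers from FreeRADIUS's dictionary.wispr.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and default port (the 3799 in the warning above)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
DYNAUTH_PORT = 3799

# Attribute numbers from RFC 2865/2866 and FreeRADIUS's dictionary.wispr
USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 4, 26
ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 43, 44
WISPR_VENDOR, WISPR_BANDWIDTH_MAX_DOWN = 14122, 8   # value is bits per second


def avp(attr_type, value):
    """Encode one attribute-value pair; str is UTF-8, int is a 32-bit integer."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute in the RFC 2865 vendor_type/vendor_length layout."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_request(code, ident, attrs, secret):
    """CoA-Request / Disconnect-Request (RFC 5176 2.3): Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def build_response(code, request, attrs, secret):
    """The NAS side: Response Authenticator = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret), so the ACK/NAK is bound to our request."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def parse(packet):
    """Split a packet into (code, ident, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    pos, attrs = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs


def response_is_authentic(response, request, secret):
    """Accept only an ACK/NAK computed over our request with the shared secret;
    without this check anyone able to spoof the NAS address can fake an ACK."""
    code, ident, auth, _ = parse(response)
    if ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(auth, expected)


def decide(acct, quota_bytes, hard_limit_bytes, throttled_bps):
    """Fair-usage policy for one decoded Accounting-Request: None while inside
    the quota, otherwise (code, attrs) for the request to send to the NAS."""
    used = acct["Acct-Output-Octets"]   # octets sent to the user = download
    session = [avp(USER_NAME, acct["User-Name"]), avp(ACCT_SESSION_ID, acct["Acct-Session-Id"])]
    if used >= hard_limit_bytes:
        return DISCONNECT_REQUEST, session
    if used >= quota_bytes:
        return COA_REQUEST, session + [vsa(WISPR_VENDOR, WISPR_BANDWIDTH_MAX_DOWN, throttled_bps)]
    return None


def on_accounting(acct, secret, ident, quota_bytes, hard_limit_bytes, throttled_bps):
    """The preacct step: returns (code, packet, (nas_ip, port)) or None."""
    decision = decide(acct, quota_bytes, hard_limit_bytes, throttled_bps)
    if decision is None:
        return None
    code, attrs = decision
    return code, build_request(code, ident, attrs, secret), (acct["NAS-IP-Address"], DYNAUTH_PORT)


# Constructed sample: the secret and session values are made up.
SECRET = b"testing123"
ACCT = {"User-Name": "alice", "Acct-Session-Id": "8A1F0042",
        "NAS-IP-Address": "192.168.130.220", "Acct-Output-Octets": 2_500_000_000}

if __name__ == "__main__":
    code, pkt, dest = on_accounting(ACCT, SECRET, 7, 2_000_000_000, 4_000_000_000, 256_000)
    print(f"send code {code} to {dest[0]}:{dest[1]}: {pkt.hex()}")
    ack = build_response(COA_ACK, pkt, [], SECRET)
    print("ACK authentic:", response_is_authentic(ack, pkt, SECRET))
```

Two things worth noticing when mapping this onto the server: the destination is the NAS address plus port 3799 unless the `home_server` says otherwise, which is why a NAS listening on 3790 needs that port configured on the CoA home server rather than on the accounting client; and both authenticators are plain MD5 over the shared secret with no replay protection, so the NAS should accept dynamic-authorization packets only from the configured RADIUS server address.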


Re: Re :checking authorization in the duration of connection

2009-05-09 Thread Eric
I mean, if there is a Windows VPN server as a NAS for the RADIUS server, could I
set the session limit at the start of the session (at authentication)
and use the methods explained in the netexpertise article?


> How about vpn windows as NAS?
>

Is that a joke? Windows server would be useless. It can't terminate adsl,
at least not much more than one line. So, someone else is going to
terminate adsl and send you what via VPN? Accounting? You don't need
Windows at all then - just a freeradius server. Or traffic via L2TP
tunnels? Your Windows server is going to die with any significant amount
of traffic. Using Windows server as a router is insane. It can work like
that - but very, very badly. Even a cheap dumb $50-$100 router like
Mikrotik will outperform it by miles.

Ivan Kalik
Kalik Informatika ISP

Re: authentication failed because sqlcounter...

2009-05-09 Thread Nizar Zulmi
I am using freeradius 1.1.7, not that old, right? I've tried using the := operator
and Cleartext-Password but it still doesn't work. Below is my radcheck
table:
+----+----------+--------------------+----+--------+
| id | UserName | Attribute          | op | Value  |
+----+----------+--------------------+----+--------+
|  1 | nizar    | Password           | == | nizar  |
|  2 | nizar1   | Password           | == | nizar1 |
|  6 | tes      | Max-All-Session    | == | 90     |
|  4 | tes      | Password           | == | tes    |
|  7 | denizaro | Cleartext-Password | := | 123456 |
|  8 | denizaro | Max-All-Session    | := | 30     |
+----+----------+--------------------+----+--------+
6 rows in set (0.00 sec)

I tried logging in with user denizaro. The first time, before I added the
Max-All-Session attribute, it logged in successfully, but after I added the
Max-All-Session attribute it failed.
What's happening?

--- On Sat, 5/9/09, Ivan Kalik  wrote:

From: Ivan Kalik 
Subject: Re: authentication failed because sqlcounter...
To: "FreeRadius users mailing list" 
Date: Saturday, May 9, 2009, 2:51 AM

> Mm, confusing. I just enabled the sqlcounter in radiusd.conf. I left it
> at the default; I made no change in the noresetcounter module. Then I added
> noresetcounter in the authorize and instantiate sections.
> I have defined 1 user named tes with password tes, who logged in normally
> before I added the attribute max-all-session in the radcheck table, just like
> this:
> +----+----------+-----------------+----+--------+
> | id | UserName | Attribute       | op | Value  |
> +----+----------+-----------------+----+--------+
> |  1 | nizar    | Password        | == | nizar  |
> |  2 | nizar1   | Password        | == | nizar1 |
> |  6 | tes      | Max-All-Session | == | 90     |
> |  4 | tes      | Password        | == | tes    |
> +----+----------+-----------------+----+--------+
> After adding the attribute max-all-session the user tes cannot log in
> anymore. I ran freeradius in debug mode and the following is the
> result..

:= not ==. And the password attribute Password has been deprecated for many
years. How old is your freeradius version?

Ivan Kalik
Kalik Informatika ISP

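Why `==` on Max-All-Session rejects the user while `:=` does not, as an added example (not FreeRADIUS code): it models the check-item operator semantics FreeRADIUS applies to radcheck rows, then the limit check rlm_sqlcounter performs on the Max-All-Session control item. The rows are constructed to mirror the table above (the deprecated Password name written as the attribute it aliases, User-Password); the PAP and sqlcounter steps are simplified models of those modules, not their code, and the accumulated session time is passed in rather than summed from radacct.

```python
def match_entry(request, check_rows):
    """Apply a user's radcheck rows to a request.  Returns (matched, control).

    Operator semantics modelled on FreeRADIUS check items:
      ==  the request MUST carry the attribute with exactly this value
      !=  the request must NOT carry the attribute with this value
      :=  always matches; stores the value as a control item for later
          modules (the form rlm_sqlcounter reads Max-All-Session from)
    """
    control = {}
    for attr, op, value in check_rows:
        if op == "==":
            if request.get(attr) != value:
                return False, {}
        elif op == "!=":
            if request.get(attr) == value:
                return False, {}
        elif op == ":=":
            control[attr] = value
        else:
            raise ValueError(f"operator {op!r} not modelled here")
    return True, control


def pap_ok(request, control):
    """Simplified PAP: the request's User-Password must equal Cleartext-Password."""
    return request.get("User-Password") == control.get("Cleartext-Password")


def sqlcounter(control, used_seconds, reply):
    """Simplified rlm_sqlcounter ('noresetcounter' instance): compare the summed
    Acct-Session-Time with the Max-All-Session control item.  Returns 'noop',
    'reject' or 'ok'; when ok, Session-Timeout is capped to the remaining time."""
    limit = control.get("Max-All-Session")
    if limit is None:
        return "noop"
    remaining = int(limit) - used_seconds
    if remaining <= 0:
        return "reject"
    if "Session-Timeout" not in reply or int(reply["Session-Timeout"]) > remaining:
        reply["Session-Timeout"] = str(remaining)
    return "ok"


def authorize(username, password, radcheck, used_seconds):
    """Run the three steps for one Access-Request; returns (verdict, reply)."""
    request = {"User-Name": username, "User-Password": password}
    reply = {}
    rows = [(a, op, v) for (u, a, op, v) in radcheck if u == username]
    matched, control = match_entry(request, rows)
    if not rows or not matched:
        return "reject: no matching radcheck entry", reply
    if not pap_ok(request, control):
        return "reject: bad password", reply
    if sqlcounter(control, used_seconds, reply) == "reject":
        return "reject: Max-All-Session exhausted", reply
    return "accept", reply


# Constructed rows mirroring the table in the post above.
RADCHECK = [
    ("tes", "User-Password", "==", "tes"),
    ("tes", "Max-All-Session", "==", "90"),
    ("denizaro", "Cleartext-Password", ":=", "123456"),
    ("denizaro", "Max-All-Session", ":=", "30"),
]

if __name__ == "__main__":
    # '==' on Max-All-Session: the request carries no such attribute, so no entry matches.
    print(authorize("tes", "tes", RADCHECK, used_seconds=0))
    # ':=' puts it in the control list; sqlcounter then enforces it.
    print(authorize("denizaro", "123456", RADCHECK, used_seconds=10))
    print(authorize("denizaro", "123456", RADCHECK, used_seconds=30))
```

The practical check is in the first step: a row with `==` is a comparison against the incoming packet, so any attribute that only exists as a limit (Max-All-Session, Simultaneous-Use and the like) must be stored with `:=`, or the whole entry stops matching and the user is rejected before the password is even looked at.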
