Re: Freeradius-Users Digest, Vol 52, Issue 87

2009-08-18 Thread ramesh p
Thanks Alan.

But we have two accounting sections in default and buffered-sql.
Do I need to enable the sql module only in buffered-sql? And place buffered-sql
in the default 'accounting' section? I am confused...

Thanks,
Rams.
>
> --
>
> Message: 2
> Date: Tue, 18 Aug 2009 23:29:47 +0100
> From: Alan Buxey 
> Subject: Re: accounting through detail module help
> To: FreeRadius users mailing list
>
> Message-ID: <20090818222947.gd32...@lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
> >  Thanks Alan.
> > I enabled detail module in accounting. details files were created under
> > radacct clients directories.
> > Just wanted to check if any module already available in freeradius to
> scan
> > these detail files, parse and put attributes in mysql db every 2-3 mins?
>
>
> sites-available/buffered-sql ?
>
> just ensure that the sql stuff is configured correctly...link/copy it into
> sites-enabled and restart the daemon
>
> alan
>
>
> --
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

[no subject]

2009-08-18 Thread RANDRIAMAMPIONONA José Johnny
Hi All,
I have suffered enough, now I'd like to expose my nightmare.
Freeradius-server-2.1.6 + OpenLdap.
Both of the servers work perfectly, there is no firewall between them or
something that can block the traffic: All Correct!
But the server still has no response with the weird radclient message! In
the radius debug, authentication is mentioned as successful (bind was
successful).
What's going on?
Best!


-- 
JJohnny R.
vasian...@gmail.com

Max Monthly Traffic

2009-08-18 Thread Neville
Hi everyone,

I'm trying to set up a new counter maxmonthlytraffic, but as soon as I 
connect, sql_counter sends a reply to do a session timeout and I get 
disconnected.

This is what I've done so far...

I've added to ./raddb/sql/mysql/counter.conf

sqlcounter monthlytraffic {
counter-name = Monthly-Traffic
check-name = Max-Monthly-Traffic
sqlmod-inst = sql
key = User-Name
reset = monthly

query = "SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) \
FROM radacct WHERE username='%{%k}' AND \
Month(acctstoptime) =(Month(NOW())) AND \
Year(acctstoptime) = Year(NOW())"
}

authorize {

..
monthlytraffic

}

instantiate {

monthlytraffic

}

created a dictionary entry in daloradius as..
  id  9433 
  Type  integer 
  Attribute  Max-Monthly-Traffic 
  Value  NULL 
  Format  NULL 
  Vendor  dictionary.freeradius.internal 
  RecommendedOP  := 
  RecommendedTable  check 
  RecommendedHelper
  RecommendedTooltip  Check Monthly Traffic Allowance 



User created as "testmaxm", with the following attributes set:-

Check
Simultaneous-Use := 1
Pool-Name := tvpool
Cleartext-Password := testmaxm
Max-Monthly-Traffic := 1049   (10Mb)   (If this is removed from the Check, 
the user connects fine, so everything else is working)

Reply
Framed-MTU = 1400
Framed-Protocol = PPP
Service-Type = Framed-User
Acct-Interim-Interval := 300(Every 5 mins for testing)

Some Debug...

rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user testmaxm, check_item=1049, counter=80411
rlm_sqlcounter: Sent Reply-Item for user testmaxm, Type=Session-Timeout, 
value=11601138
++[monthlytraffic] returns ok

rad_recv: Accounting-Request packet from host aaa.bbb.ccc.ddd port 53637, 
id=47, length=140
Acct-Session-Id = "4A8B6FA0721900"
User-Name = "testmaxm"
Acct-Status-Type = Interim-Update
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
Acct-Session-Time = 600
Acct-Output-Octets = 37033544
Acct-Input-Octets = 906612
Acct-Output-Packets = 27837
Acct-Input-Packets = 15791
NAS-Port-Type = Async
Framed-IP-Address = 192.168.0.29
NAS-Identifier = "aaa.bbb.ccc.ddd"
NAS-Port = 1
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 
193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id = 
"4A8B6FA0721900",User-Name = "testmaxm"'
[acct_unique] Acct-Unique-Session-ID = "049e959019a363e4".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "testmaxm", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
+- entering group accounting {...}
[detail]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> 
/var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail]expand: %t -> Wed Aug 19 03:31:04 2009
++[detail] returns ok
rlm_sql (sql): Reserving sql socket id: 1
[sqlippool] expand: %{User-Name} -> testmaxm
[sqlippool] sql_set_user escaped user --> 'testmaxm'
[sqlippool] expand: START TRANSACTION -> START TRANSACTION
rlm_sql_mysql: query:  START TRANSACTION
[sqlippool] expand: UPDATE radippool  SET expiry_time = NOW() + INTERVAL 
3600 SECOND  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = 
'%{NAS-Port}'  AND username = '%{User-Name}'  AND callingstationid = 
'%{Calling-Station-Id}'  AND framedipaddress = '%{Framed-IP-Address}' -> UPDATE 
radippool  SET expiry_time = NOW() + INTERVAL 3600 SECOND  WHERE nasipaddress = 
'aaa.bbb.ccc.ddd' AND pool_key = '1'  AND username = 'testmaxm'  AND 
callingstationid = ''  AND framedipaddress = '192.168.0.29'
rlm_sql_mysql: query:  UPDATE radippool  SET expiry_time = NOW() + INTERVAL 
3600 SECOND  WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1'  AND 
username = 'testmaxm'  AND callingstationid = ''  AND framedipaddress = 
'192.168.0.29'
[sqlippool] expand: COMMIT -> COMMIT
rlm_sql_mysql: query:  COMMIT
rlm_sql (sql): Released sql socket id: 1
++[sqlippool] returns ok
[sql]   expand: %{User-Name} -> testmaxm
[sql] sql_set_user escaped user --> 'testmaxm'
[sql]   expand: %{Acct-Input-Gigawords} -> 
[sql]   expand: %{Acct-Input-Octets} -> 906612
[sql]   expand: %{Acct-Output-Gigawords} -> 
[sql]   expand: %{Acct-Output-Octets} -> 37033544
[sql]   expand:UPDATE radacct   SET  
framedipaddress = '%{Framed-IP-Address}',  acctsessiontime = 
'%{Acct-Session-Time}',  acctinputoctets = 
'%{%{Acct-Input-Gigawords}:-0}'  << 32 |
'%{%{Acct-Input-
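As an added illustration (not code from the original post or from FreeRADIUS), the logic of that monthly counter modelled in Python, including two points worth knowing when enforcing such a quota: the sql module stores octets as (Gigawords << 32) | Octets, as the accounting UPDATE in the debug above shows, and the counter query only matches rows with an acctstoptime, so a session that is still open adds nothing until it stops. The radacct rows, user names, limit and timestamps are constructed sample data.

```python
"""Constructed Python model of the monthly-traffic check the sqlcounter
configuration above asks for; not code from FreeRADIUS or from the original
post. The radacct rows, user names and limits are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class RadacctRow:
    """One radacct row. acctstoptime is None while the session is still open,
    which is how the sql module leaves it until the Stop record arrives."""
    username: str
    acctstoptime: Optional[datetime]
    acctinputoctets: int
    acctoutputoctets: int


def combine_octets(gigawords: Optional[int], octets: int) -> int:
    """Combine Acct-*-Gigawords with Acct-*-Octets the way the accounting UPDATE
    in the debug output does: (%{Gigawords:-0} << 32) | octets. A missing
    Gigawords attribute counts as 0."""
    return ((gigawords or 0) << 32) | octets


def monthly_octets(rows: Iterable[RadacctRow], username: str, now: datetime) -> int:
    """Mirror of the counter query: sum input+output octets of sessions whose
    acctstoptime falls in the same month and year as `now`. Rows with a NULL
    acctstoptime (sessions still open) never match Month()/Year() in SQL and
    are skipped here for the same reason: interim updates do not add to the
    counter until the session stops."""
    return sum(
        r.acctinputoctets + r.acctoutputoctets
        for r in rows
        if r.username == username
        and r.acctstoptime is not None
        and r.acctstoptime.year == now.year
        and r.acctstoptime.month == now.month
    )


def check_monthly_traffic(rows: Iterable[RadacctRow], username: str,
                          limit_octets: int, now: datetime) -> Tuple[bool, int]:
    """Decide like rlm_sqlcounter: allowed while the counter is below the
    check item, rejected once it reaches it. Returns (allowed, remaining)."""
    used = monthly_octets(rows, username, now)
    if used >= limit_octets:
        return False, 0
    return True, limit_octets - used


# Constructed sample table. The first row reuses the octet counts from the
# interim update in the debug output; the others are made up.
NOW = datetime(2009, 8, 19, 3, 31, 4)
SAMPLE_ROWS = [
    RadacctRow("testmaxm", datetime(2009, 8, 10, 12, 0), 906612, 37033544),
    RadacctRow("testmaxm", datetime(2009, 8, 15, 9, 30), 100000, 2000000),
    RadacctRow("testmaxm", datetime(2009, 7, 30, 23, 0), 5000000, 5000000),  # last month
    RadacctRow("testmaxm", None, 123456, 654321),                           # still open
    RadacctRow("otheruser", datetime(2009, 8, 12, 8, 0), 1, 1),
]
TEN_MB = 10 * 1024 * 1024  # a 10 MB check item has to be written in octets


if __name__ == "__main__":
    used = monthly_octets(SAMPLE_ROWS, "testmaxm", NOW)
    print(f"testmaxm used {used} octets this month")
    print(check_monthly_traffic(SAMPLE_ROWS, "testmaxm", TEN_MB, NOW))
    print(check_monthly_traffic(SAMPLE_ROWS, "testmaxm", 10 * TEN_MB, NOW))
```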

Re: RADIUS-LDAPv3.schema not found

2009-08-18 Thread RANDRIAMAMPIONONA José Johnny
Thank  you!
I finally found it :
ll /usr/local/freeradius-server-2.1.6/share/doc/freeradius/examples/

-rw-r--r-- 1 root root 11087 jui 29 23:42 iplanet.ldif
-rw-r--r-- 1 root root 12452 jui 29 23:42 iplanet.schema
-rw-r--r-- 1 root root 13814 jui 29 23:42 openldap.schema
-rw-r--r-- 1 root root  1005 jui 29 23:42
postgresql_update_radacct_group_trigger.sql

-- 
JJohnny R.
vasian...@gmail.com

Unlang Question/Problem

2009-08-18 Thread Garber, Neal
I haven't had much sleep the past few days and just wanted another set of eyes 
on an issue I'm having.  Also, I won't be able to do more testing until 
tomorrow (user/equip. unavailable) and wanted to try to fix it before then.

I'm running FR 2.1.6 with patches to rlm_mschap & rlm_eap_mschapv2 to correct a 
problem with case-sensitive userids.  Anyway, the patch was working great for 
user auth. and failing for machine auth.  I used some unlang to get around the 
issue.  I haven't done a lot with unlang (and yes I read the man page), so I 
may be missing something simple.  I'm doing 802.1x authentication from Windows 
supplicant with PEAP/MS-CHAPv2.  Here's the authenticate section of my 
inner-tunnel server:

  authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
if (User-Name =~ /host\/(.*)\.energyeast\.net/i) {
update request {
Ntlm-Auth-Username = "%{1}$"
}
updated
}
else {
update request {
Ntlm-Auth-Username = "%{User-Name}"
}
updated
}
mschap-inner
}
Auth-Type LDAP {
ldap
}
eap-internal
eap-comodo
  }

First, if I didn't include "updated" after the "update request" actions, then 
it would return reject.  Is that normal (I didn't call a module in there)?  
Should the unlang be outside of the "Auth-Type MS-CHAP" block?  Also, when 
Ntlm-Auth-Username is expanded, there's a "[request] returns reject".  I think 
this is the source of the problem, but I don't understand where the reject is 
coming from.  The mschap module that follows returns OK, but the subsequent 
eap-comodo module returns reject with no explanation in the debug.  Do I need 
something like:

eap-comodo {
ok = return
}

Here's the relevant debug output:

Tue Aug 18 15:41:15 2009 : Info: Found Auth-Type = eap-comodo
Tue Aug 18 15:41:15 2009 : Info: +- entering group authenticate {...}
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] Request found, released from the 
list
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] EAP/mschapv2
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] processing type mschapv2
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +- entering group MS-CHAP {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ 
/host\/(.*)\.energyeast\.net/i)
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ? Evaluating (User-Name =~ 
/host\/(.*)\.energyeast\.net/i) -> TRUE
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ 
/host\/(.*)\.energyeast\.net/i) -> TRUE
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++- entering if (User-Name =~ 
/host\/(.*)\.energyeast\.net/i) {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] expand: %{1}$ -> US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +++[request] returns reject
Tue Aug 18 15:41:15 2009 : Info: +++[updated] returns updated
Tue Aug 18 15:41:15 2009 : Info: ++- if (User-Name =~ 
/host\/(.*)\.energyeast\.net/i) returns updated
Tue Aug 18 15:41:15 2009 : Info: ++ ... skipping else for request 124: 
Preceding "if" was taken
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password 
configured.  Cannot create LM-Password.
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password 
configured.  Cannot create NT-Password.
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]   Using MS-CHAP Response Name 
(host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: 
mschap_authenticate: Creating challenge hash with username: 
host/US62695C.energyeast.net
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Told to do MS-CHAPv2 for 
host/US62695C.energyeast.net with NT-Password
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No trailing :- after variable 
at %{Ntlm-Auth-UserName:-None}}
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] WARNING: Deprecated conditional 
expansion ":-".  See "man unlang" for details
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: 
--username=%{%{Ntlm-Auth-UserName:-None}} -> --username=US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]  mschap2: d1
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]   Using MS-CHAP Response Name 
(host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: mschap_xlat: 
Creating challenge hash with username: host/US62695C.energyeast.net
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: 
--challenge=%{mschap:Challenge:-00} -> --challenge=943b358133b5bcac
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: 
--nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=121180cc778e59746acb8c12aa6

Re: accounting through detail module help

2009-08-18 Thread Alan Buxey
Hi,
>  Thanks Alan.
> I enabled detail module in accounting. details files were created under
> radacct clients directories.
> Just wanted to check if any module already available in freeradius to scan
> these detail files, parse and put attributes in mysql db every 2-3 mins?


sites-available/buffered-sql ?

just ensure that the sql stuff is configured correctly...link/copy it into
sites-enabled and restart the daemon

alan


Re: two ldap servers in my config

2009-08-18 Thread Alan Buxey
Hi,
> Hello
>
> Using freeradius 2.1.6, my users are authenticated against the Active  
> Directory. I have a primary and a secondary controller on the network.
>
> I wonder if you could specify two ldap servers in the configuration, so that
> when one does not respond due to technical problems, queries are then
> made to my second controller.

this is covered in the wiki - check for the redundancy stuff.

what is valid for eg mschap module or sql is just as valid for ldap

(the mailing list archive also has many similar recent examples)

alan


Re: Dynamic VLAN attribute in LDAP or AD?

2009-08-18 Thread Alan Buxey
Hi,
> 
> > Where could I put this code? Authorize, authenticate, post-auth, ldap module?
> 
> Authorize

postauth ?

alan


Re: XP client can not authenticate in Radius Server - HELP ME PLEASE!!!!!!!!!!!!!

2009-08-18 Thread Alan Buxey
Hi,

> Hi ALL!!!

Hi!

ignore the tutorials.  install latest version from source...ensure
/usr/local/etc/raddb or /etc/raddb doesn't exist before 'make install'

then run the radiusd server...the first time it will make test
certs. copy the CA.der server.der to the windows system and install as
trusted certificates

> I defined users file like:
> guaraldi   Auth-Type := EAP, Cleartext-Password == "mudar123"

wrong!

change to 

guaraldi   Cleartext-Password := "mudar123"

now, using the SSID of whatever you chose, and the SSL cert you just trusted
...it will work!


alan


Re: segfault with regex and hint

2009-08-18 Thread Arran Cudbard-Bell
Hello!

You using ProCurve NAS then? Or have other people started using
Service-Type = 'Call-Check' to hint at Mac-Auth?

-Arran
>
> Alan Buxey  wrote:
>   
>>> It's that time of year to overhaul the cesspool that makes up my 
>>> FreeRADIUS config files.
>>>
>>> I am running FreeRADIUS from git[1] about two days ago and found that by 
>>> putting the following in my 'hints' file gives me the segfault shown 
>>> below[2].  If I remove the end bit[3] then I do not get the segfault, 
>>> but then I also do not get my comparison :)
>>>   
>> you are doing 2 separate comparisons for the one attribute. is that 
>> correct/allowed?
>>
>> 
> /me shrugs
>
> I'm just here to report bugs :)
>
> For mac-auth detection I just moved to a policy, so I really do not care 
> if the bug gets fixed or not[1].  I can imagine cases where people want to
> use the hints file to 'sanitise' incoming RADIUS packets though in a 
> neat one-liner that keeps it out of the virtual host stanza for example:
>
> 
> DEFAULT Calling-Station-Id =~ 
> "/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i"
>   Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}"
> 
>
> For any who is curious/cares for the archives, I use the following 
> policy:
> 
> mac_auth {
>   if ( Realm == NULL && !EAP-Message && NAS-Port-Type == "Ethernet" \
>   && Service-Type == Call-Check \
>   && Stripped-User-Name == "%{User-Password}" \
>   && Stripped-User-Name =~ /^[0-9a-f]{12}$/i \
>   && Calling-Station-Id =~ 
> /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i
>  \
>   && Stripped-User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i ) {
> ok
>   }
>   else {
> notfound
>   }
> }
> 
>
> Cheers
>
> [1] although I guess having a "hey lets copy from address 0x0" path in 
>   FreeRADIUS is probably considered bad style :)
>
>   

How could I assign an IP to a client.

2009-08-18 Thread Rokkhan
Hello,
I want to know if it is possible to assign an IP to clients with
freeradius. I have tried to do this with an SQL user and setting the
Framed-IP-Address = 172.16.3.33 Framed-IP-Netmask = 255.255.255.0
values in radreply but it doesn't work.
The client always takes the IP from a DHCP server.

I'm using freeradius 2.1.6 and validating wifi users with PEAP. The user
validation works correctly.

Thanks in advance.


Re: FreeRADIUS 2.1 proxy error "Inconsistent shared secret for home server"

2009-08-18 Thread Alan DeKok
Adam Bultman wrote:
> I have an existing proxy realm like this:
> 
> realm proxydomain.com {
> type= radius
> authhost= x.x.x.x:1812
> accthost= x.x.x.x:1813

  In version 2, you should use the "home_server" directive.  See
raddb/proxy.conf.  This *is* documented.

> I am trying to set up a new proxy realm, which is a different domain
> name, but uses the same authhost and accthost, but a new shared secret:

  This is *impossible* to do in RADIUS.  By that, I mean *impossible*.

  The client sends packets to the server.  The server looks up the
shared secret by client IP.  It is *impossible* to have two shared
secrets for one client IP.

> The authhost and accthost are reached via a VPN, and they are a
> "clearing house" of sorts - they proxy authentication and accounting for
> multiple companies (not just the one I'm worrying about).

  So... list the shared secret for the *proxy*, not for the upstream
servers.

> Is it not possible to have unique shared secrets for unique realms,
> proxied to the same auth and acct hosts?

  RADIUS doesn't work like that.  It's impossible.

  Alan DeKok.
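An added example (not code from the original thread or from FreeRADIUS) showing the protocol reason behind that answer: the server must pick a secret from the packet's source address before it can recompute the Accounting-Request authenticator (RFC 2866), so nothing inside the packet, realm included, can select a second secret for the same IP. The client table, addresses, identifiers and attribute values are constructed.

```python
"""Constructed example: why a RADIUS server keys the shared secret by client IP.

An Accounting-Request carries no realm-specific key material; the only way the
server can verify the Request Authenticator (RFC 2866, section 3) is to pick a
secret by the packet's source address and recompute MD5 over the packet.
All addresses, secrets and attribute values below are constructed sample data.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START = 1

# Constructed client table, keyed by source IP as FreeRADIUS's clients.conf is.
CLIENTS = {
    "10.0.0.5": b"sharedsecret",
    "10.0.0.6": b"differentsharedsecret",
}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret: bytes, identifier: int, username: str,
                             session_id: str) -> bytes:
    """Build an Accounting-Request whose Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + encode_attr(ATTR_ACCT_SESSION_ID, session_id.encode()))
    length = 20 + len(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator with the given secret and compare
    it in constant time against the one carried in the packet."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def authenticate_packet(packet: bytes, src_ip: str) -> bool:
    """Server-side check: the secret is chosen by source IP alone. The realm in
    User-Name is not even parsed yet at this point, so one client IP can only
    ever map to one secret, which is the point made in the reply above."""
    secret = CLIENTS.get(str(ipaddress.ip_address(src_ip)))
    if secret is None:
        return False  # unknown client: FreeRADIUS silently drops the packet
    return verify_accounting_request(packet, secret)


if __name__ == "__main__":
    pkt = build_accounting_request(b"sharedsecret", 7,
                                   "bob@proxydomain.com", "4A8B6FA0721900")
    print("from 10.0.0.5:", authenticate_packet(pkt, "10.0.0.5"))
    print("from 10.0.0.6:", authenticate_packet(pkt, "10.0.0.6"))
```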


Re: Dynamic VLAN attribute in LDAP or AD?

2009-08-18 Thread Alan DeKok
Gary Gatten wrote:
> Dude, if it's this easy that would be SWEET!  The How To's for TLS/PEAP
> are a little outdated so I'm working on getting the CA working now
> (CA.all doesn't exist anymore.)

  See my message to the list of an hour or two ago.  In v2, you have to
do almost *nothing* to get PEAP working.

  Alan DeKok.


FreeRADIUS 2.1 proxy error "Inconsistent shared secret for home server"

2009-08-18 Thread Adam Bultman
Good morning, everybody.

I am setting up a new proxy realm inside proxy.conf.

I have an existing proxy realm like this:

realm proxydomain.com {
type= radius
authhost= x.x.x.x:1812
accthost= x.x.x.x:1813
secret  = sharedsecret
nostrip
}


I am trying to set up a new proxy realm, which is a different domain
name, but uses the same authhost and accthost, but a new shared secret:

realm anotherproxydomain.net {
type= radius
authhost= x.x.x.x:1812
accthost= x.x.x.x:1813
secret  = differentsharedsecret
nostrip
}

FreeRADIUS is giving me "Inconsistent shared secret for home server
x.x.x.x".

The authhost and accthost are reached via a VPN, and they are a
"clearing house" of sorts - they proxy authentication and accounting for
multiple companies (not just the one I'm worrying about).


I've checked the FAQ and wiki, and haven't had any luck. I've googled
for the error, and the hits I get related to source code files, which
don't help. I've also looked in the freeradius docs that come with the
binaries/source, etc.

Is it not possible to have unique shared secrets for unique realms,
proxied to the same auth and acct hosts?

Thanks,

Adam


two ldap servers in my config

2009-08-18 Thread michel

Hello

Using freeradius 2.1.6, my users are authenticated against the Active  
Directory. I have a primary and a secondary controller on the network.


I wonder if you could specify two ldap servers in the configuration, so that
when one does not respond due to technical problems, queries are then
made to my second controller.


This is my authenticate section:

authenticate {
Auth-Type LDAP {
ldap
}
}


Thanks

Michel

--
Webmail, servicio de correo electronico
Casa de las Americas - La Habana, Cuba.



Re: Dynamic VLAN attribute in LDAP or AD?

2009-08-18 Thread Jason Alderfer

> Where could I put this code? Authorize, authenticate, post-auth, ldap module?

Authorize



>>> So, I'm trying to use 802.1x dynamic VLAN assignment.  I have this
>>> working when I conf the "users" file.  However, I don't want to
>>> create/maintain the users file for 2,000 users!
>>>
>>> Is there an attribute in AD / LDAP I can use for the dynamic VLAN?
>>> Ideally I could do this at the "Group" level, such that when a user
>>> moves from one group to another they're automagically assigned to the
>>> correct VLAN.
>>
>> If you're using version 2.0.5 or higher you can do this with unlang as
>> follows.  This example sets the vlan based on the user's DN, but you
>> should be able to modify it to look at your group membership attribute.
>> Repeat for all relevant ldap groups.
>>
>> if (control:Ldap-UserDn =~ /ou=div,o=org/i) {
>>        update reply {
>>             Tunnel-Type := "VLAN"
>>             Tunnel-Medium-Type := "IEEE-802"
>>             Tunnel-Private-Group-Id := 9
>>        }
>> }





Re: Dynamic VLAN attribute in LDAP or AD?

2009-08-18 Thread Rokkhan
Where could I put this code? Authorize, authenticate, post-auth, ldap module?


2009/8/18 Jason Alderfer :
>
>> So, I'm trying to use 802.1x dynamic VLAN assignment.  I have this
>> working when I conf the "users" file.  However, I don't want to
>> create/maintain the users file for 2,000 users!
>>
>> Is there an attribute in AD / LDAP I can use for the dynamic VLAN?
>> Ideally I could do this at the "Group" level, such that when a user
>> moves from one group to another they're automagically assigned to the
>> correct VLAN.
>
> If you're using version 2.0.5 or higher you can do this with unlang as
> follows.  This example sets the vlan based on the user's DN, but you
> should be able to modify it to look at your group membership attribute.
> Repeat for all relevant ldap groups.
>
> if (control:Ldap-UserDn =~ /ou=div,o=org/i) {
>        update reply {
>             Tunnel-Type := "VLAN"
>             Tunnel-Medium-Type := "IEEE-802"
>             Tunnel-Private-Group-Id := 9
>        }
> }
>
>
>



RE: Dynamic VLAN attribute in LDAP or AD?

2009-08-18 Thread Gary Gatten
Dude, if it's this easy that would be SWEET!  The How To's for TLS/PEAP
are a little outdated so I'm working on getting the CA working now
(CA.all doesn't exist anymore.)

I'm ALL over this ASAP!  Thanks!

Gary


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.or
g] On Behalf Of Jason Alderfer
Sent: Tuesday, August 18, 2009 2:18 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic VLAN attribute in LDAP or AD?


> So, I'm trying to use 802.1x dynamic VLAN assignment.  I have this
> working when I conf the "users" file.  However, I don't want to
> create/maintain the users file for 2,000 users!
>
> Is there an attribute in AD / LDAP I can use for the dynamic VLAN?
> Ideally I could do this at the "Group" level, such that when a user
> moves from one group to another they're automagically assigned to the
> correct VLAN.

If you're using version 2.0.5 or higher you can do this with unlang as
follows.  This example sets the vlan based on the user's DN, but you
should be able to modify it to look at your group membership attribute. 
Repeat for all relevant ldap groups.

if (control:Ldap-UserDn =~ /ou=div,o=org/i) {
update reply {
 Tunnel-Type := "VLAN"
 Tunnel-Medium-Type := "IEEE-802"
 Tunnel-Private-Group-Id := 9
}
}




Re: Dynamic VLAN attribute in LDAP or AD?

2009-08-18 Thread Jason Alderfer

> So, I'm trying to use 802.1x dynamic VLAN assignment.  I have this
> working when I conf the "users" file.  However, I don't want to
> create/maintain the users file for 2,000 users!
>
> Is there an attribute in AD / LDAP I can use for the dynamic VLAN?
> Ideally I could do this at the "Group" level, such that when a user
> moves from one group to another they're automagically assigned to the
> correct VLAN.

If you're using version 2.0.5 or higher you can do this with unlang as
follows.  This example sets the vlan based on the user's DN, but you
should be able to modify it to look at your group membership attribute. 
Repeat for all relevant ldap groups.

if (control:Ldap-UserDn =~ /ou=div,o=org/i) {
update reply {
 Tunnel-Type := "VLAN"
 Tunnel-Medium-Type := "IEEE-802"
 Tunnel-Private-Group-Id := 9
}
}




Dynamic VLAN attribute in LDAP or AD?

2009-08-18 Thread Gary Gatten
Hello, thanks for taking the time to read this.  And thanks in advance
for the prompt replies!

 

I've read nearly all the docs and How To's I could find and none of them
(so far) address this.  If I find an answer I'll be more than happy to
draft a How To as I would suspect this is a desired solution.

 

So, I'm trying to use 802.1x dynamic VLAN assignment.  I have this
working when I conf the "users" file.  However, I don't want to
create/maintain the users file for 2,000 users!

 

Is there an attribute in AD / LDAP I can use for the dynamic VLAN?
Ideally I could do this at the "Group" level, such that when a user
moves from one group to another they're automagically assigned to the
correct VLAN.  If that's not possible, I COULD do it at the user level,
but again kinda a hassle to maintain.

 

Any thoughts / opinions would be GREATLY appreciated!  In the mean time
I'll keep reading!

 

PS: The How To's have helped a LOT so far just getting to the point I'm
at!  Without them it would've taken me 10x longer!


Re: XP client can not authenticate in Radius Server - HELP ME PLEASE!!!!!!!!!!!!!

2009-08-18 Thread Alan DeKok
Hilton Guaraldi wrote:
> Hi ALL!!!
> 
> I did more than 20 openssl commands in order to issue a CA for tests...
> Howto in http://www.linuxjournal.com/node/8095/print and
> http://www.linuxjournal.com/node/8151/print. I DID ALL THE COMMANDS!!!

  And you didn't use the examples that came with the server.

  In version 2:

1) install the server
2) run "radiusd -X'
3) EAP will work.

  See raddb/certs/README

> XP client does not authenticate :-(
> Do I need a users file???
> What is the correct syntax for login guaraldi and password mudar123?

  See the FAQ for an example.

> I defined users file like:
> guaraldi   Auth-Type := EAP, Cleartext-Password == "mudar123"

  That's wrong.  See "man users" or "man 5 users" for documentation.

  Alan DeKok.


Re: segfault with regex and hint

2009-08-18 Thread Alexander Clouter
Hi,

Alan Buxey  wrote:
>> 
>> It's that time of year to overhaul the cesspool that makes up my 
>> FreeRADIUS config files.
>> 
>> I am running FreeRADIUS from git[1] about two days ago and found that by 
>> putting the following in my 'hints' file gives me the segfault shown 
>> below[2].  If I remove the end bit[3] then I do not get the segfault, 
>> but then I also do not get my comparison :)
> 
> you are doing 2 separate comparisons for the one attribute. is that 
> correct/allowed?
> 
/me shrugs

I'm just here to report bugs :)

For mac-auth detection I just moved to a policy, so I really do not care 
if the bug gets fixed or not[1].  I can imagine cases where people want to
use the hints file to 'sanitise' incoming RADIUS packets though in a 
neat one-liner that keeps it out of the virtual host stanza for example:


DEFAULT Calling-Station-Id =~ 
"/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i"
Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}"


For any who is curious/cares for the archives, I use the following 
policy:

mac_auth {
  if ( Realm == NULL && !EAP-Message && NAS-Port-Type == "Ethernet" \
  && Service-Type == Call-Check \
  && Stripped-User-Name == "%{User-Password}" \
  && Stripped-User-Name =~ /^[0-9a-f]{12}$/i \
  && Calling-Station-Id =~ 
/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i
 \
  && Stripped-User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i ) {
ok
  }
  else {
notfound
  }
}


Cheers

[1] although I guess having a "hey lets copy from address 0x0" path in 
FreeRADIUS is probably considered bad style :)

-- 
Alexander Clouter
.sigmonster says: Debug is human, de-fix divine.



Re: accounting through detail module help

2009-08-18 Thread volkov
Did you check sites-available directory?

Best regards,
Denis Volkov



XP client can not authenticate in Radius Server - HELP ME PLEASE!!!!!!!!!!!!!

2009-08-18 Thread Hilton Guaraldi
Hi ALL!!!

I did more than 20 openssl commands in order to issue a CA for tests...
Howto in http://www.linuxjournal.com/node/8095/print and
http://www.linuxjournal.com/node/8151/print. I DID ALL THE COMMANDS!!!

XP client does not authenticate :-(
Do I need a users file???
What is the correct syntax for login guaraldi and password mudar123?

I defined users file like:
guaraldi   Auth-Type := EAP, Cleartext-Password == "mudar123"


CA defined in OPENSSL!!! Radius server stop displaying "can not get
issuer certificate" and "unknow CA"
Server certificate signed!!!
Client certificate defined!!!

XP with cacert.pem and client_cert.p12 I did not use ca.der 

XP Config with EAP to Smartcard or other certificates TLS and so on...

AP with WPA/TKIP with 802.1x to 192.168.0.254 port 1812. OK!!! It works...


Why does XP not authenticate with radius???

Guaraldi
Ready to process requests.
Threads: total/active/spare threads = 5/0/5
Waking up in 0.9 seconds.
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.0.1/auth-detail-20090818
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.1/auth-detail-20090818
[auth_log] 	expand: %t -> Tue Aug 18 14:06:40 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guaraldi", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry guaraldi at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Finished request 0.
Going to the next request
Thread 1 waiting to be assigned a request
Waking up in 0.9 seconds.
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.0.1/auth-detail-20090818
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.1/auth-detail-20090818
[auth_log] 	expand: %t -> Tue Aug 18 14:06:40 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guaraldi", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry guaraldi at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11 
[tls] (other): before/accept initialization 
[tls] TLS_accept: before/accept initialization 
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello  
[tls] TLS_accept: SSLv3 read client hello A 
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[tls] TLS_accept: SSLv3 write server hello A 
[tls] >>> TLS 1.0 Handshake [length 0697], Certificate  
[tls] TLS_accept: SSLv3 write certificate A 
[tls] >>> TLS 1.0 Handshake [length 00d0], CertificateRequest  
[tls] TLS_accept: SSLv3 write certificate request A 
[tls] TLS_accept: SSLv3 flush data 
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[tls] eaptls_process returned 13 
++[eap] returns handled
Finished request 1.
Going to the next request
Thread 2 waiting to be assigned a request
Waking up in 0.9 seconds.
Thread 3 got semaphore
Thread 3 handling request 2, (1 handled so far)
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.0.1/auth-detail-20090818
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /v

Re: accounting through detail module help

2009-08-18 Thread ramesh p
 Thanks Alan.
I enabled detail module in accounting. Detail files were created under
the radacct client directories.
Just wanted to check if any module is already available in freeradius to scan
these detail files, parse them and put the attributes in the mysql db every 2-3 mins?

Thanks,
Rams.


> --
> Message: 7
> Date: Tue, 18 Aug 2009 15:33:09 +0100
> From: Alan Buxey 
> Subject: Re: accounting through detail module help
> To: FreeRadius users mailing list
>
> Message-ID: <20090818143309.ga32...@lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > At present our radius servers getting traffic of more than 3 million
> users.
> > We have only two radius servers and one mysql server active. The server
> > crashing whenever more traffic comes. Due to mysql overload and slow I'm
> > planning to use detail module for accounting and then take these details
> and
> > parse then put in database using program/script.  Does this helps? Is
> there
> > any script already available in freeradius?
> > Does placing one more radius server and using mysql clustering help?
>
> use the detail module and let FR deal with handling the detail module.
>
> you can speed up the MySQL using eg better indexing and better storage
> engine
>
> alan
>
>
>
> --
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 52, Issue 81
> 
>

Re: RADIUS-LDAPv3.schema not found

2009-08-18 Thread John Dennis

On 08/18/2009 12:55 PM, RANDRIAMAMPIONONA José Johnny wrote:

Hi All,
I downloaded and installed freeradius-server-2.1.6 but I can't find the
radius schema to copy into the ldap directory.


Which schema you'll need depends on the ldap server you're using; in
the src tarball you can find them in:


doc/examples/openldap.schema
doc/examples/iplanet.schema

If you've installed from an rpm the doc directory will be installed under:

/usr/share/doc/freeradius-2.1.6/

Note: there isn't a schema file for "Fedora Directory Server" which is 
now called "389 Directory Server" but since iplanet shares the same 
lineage the iplanet schema should work, if not it's pretty easy to tweak 
the schema file to meet the syntactic needs of the LDAP server you're using.


The last time I looked in detail at Radius LDAP schemas (a couple of 
years ago) I seem to recall some minor differences between the schema 
files in the distribution and the RADIUS-LDAPv3.schema which has been 
floating around the net, ymmv.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


RE: rlm_perl / libtool / libltdl problem

2009-08-18 Thread Garber, Neal
> Did I mention that I hate libtool and libltdl?  They're close to
> *causing* more problems than they solve.

Yes, on several occasions that I recall :)  I share your sentiments...

> I actually started removing libltdl a while ago.  See
> src/main/modules.c.  Look for WITHOUT_LIBLTDL.  I'll bet that if you
> spent a bit of time hacking the source, you could get it to build && run
> *without* libltldl.  At that point, the stupid "can't load library"
> issues will go away.

If I get some spare time (what's that :)), I'll see what I can do..



Re: segfault with regex and hint

2009-08-18 Thread Alan DeKok
Alan Buxey wrote:
> you are doing 2 separate comparisons for the one attribute. is that 
> correct/allowed?

  Allowed, yes.  Correct...

  It would be better to shift complex policies to "unlang".

  Alan DeKok.


Re: MSChap via ntlm_auth problem

2009-08-18 Thread Anton Brinyov
2009/8/18 Alan Buxey :
> Hi,
>
>> The problem appears in any case - with or without require-membership option.
>>
>> > which version of SAMBA are you running? Latest version is known to have
>> > issues - they've changed things with its output.
>>
>> I use samba 3.0.35 on FreeBSD 7.2 box.
>>
>> > also, recommend you change the command to have this instead
>> >
>> > --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> >
>> > that'll get rid of that annoying output error
>>
>> I have the following command:
>>
>> ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key
>> --require-membership-of=CENTAURA+InternetUsers
>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> If I call it from shell with options from radius request - I get result:
>>
>> # /usr/local/bin/ntlm_auth --request-nt-key
>> --require-membership-of=CENTAURA+InternetUsers --username=BAS
>> --challenge=6b6f49357dccee7c
>> --nt-response=ce2480f1e35c222a4d3481b83ee78854094394517f29d9ec
>>
>> NT_KEY: A9B342EC3E218E54A330556C468415CD
>>
>> What can I do for getting some details about error?
>
> 
> maybe escape the + in your command (ie \+ ?
> 
>

*The problem appears in any case - with or without require-membership option.*
The command can look like

ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}"

And output is the same as in previous case.

Thanks,
Anton


RADIUS-LDAPv3.schema not found

2009-08-18 Thread RANDRIAMAMPIONONA José Johnny
Hi All,
I downloaded and installed freeradius-server-2.1.6 but I can't find the
radius schema to copy into the ldap directory.
Help!
Best regards!

-- 
JJohnny R.
Beginner
vasian...@gmail.com

Re: segfault with regex and hint

2009-08-18 Thread Alan Buxey
Hi,
> Hi,
> 
> It's that time of year to overhaul the cesspool that makes up my 
> FreeRADIUS config files.
> 
> I am running FreeRADIUS from git[1] about two days ago and found that by 
> putting the following in my 'hints' file gives me the segfault shown 
> below[2].  If I remove the end bit[3] then I do not get the segfault, 
> but then I also do not get my comparison :)

you are doing 2 separate comparisons for the one attribute. is that 
correct/allowed?

alan


Re: NAS IPs

2009-08-18 Thread Irina
Hello,

Sorry the same message (I posted yesterday) was posted today again.  My email 
program acted up.

I will try to re-phrase what I need

I was given a set of new NASes (that I need to allow as 'NASNAME' in 'nas' 
table in MySQL) in the following format

xx.xx.xx.112/29
xx.xx.xx.232/29

I am not sure if I can use it as it is in 'nas' table as 'nasname'.  Or, do I 
have to enter each NAS IP individually?



Kindest Regards,
Irina
NetAccess Systems Inc.
ir...@nas.net
===

  - Original Message - 
  From: Irina 
  To: freeradius-users@lists.freeradius.org 
  Sent: Monday, August 17, 2009 10:54 AM
  Subject: NAS IPs


  Hello,

   

  I need to allow a block of 8 IP addresses in 'nasname' column in NAS table.  
Can I use

   

xx.xx.xx.112/29

   

  Thank you for your help in advance

   

  Kindest Regards,

  Irina

  ===





Re: Freeradius-Users Digest, Vol 52, Issue 81

2009-08-18 Thread Alan DeKok
Martin Silvero wrote:
> Hello,
>  I want to know if it would be possible to debug freeradius while
> running to a log file,

  1) Use a *useful* subject line

  2) edit the post so it's not 100's of lines of unrelated text

  3) See "raddebug"

  Alan DeKok.


segfault with regex and hint

2009-08-18 Thread Alexander Clouter
Hi,

It's that time of year to overhaul the cesspool that makes up my 
FreeRADIUS config files.

I am running FreeRADIUS from git[1] about two days ago and found that by 
putting the following in my 'hints' file gives me the segfault shown 
below[2].  If I remove the end bit[3] then I do not get the segfault, 
but then I also do not get my comparison :)

Any more information needed, then let me know.

Cheers

[1] at commit 08baab6769fea367bda5dd006b659621bb9aac18 from 
yesterday-ish
[2] strlcpy sourced from address 0x0
[3] User-Name =~ "/^%{1}%{2}%{3}%{4}%{5}%{6}$/i"


DEFAULT NAS-Port-Type == "Ethernet", User-Name == "%{User-Password}", 
Calling-Station-Id =~ 
"/^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i",
 User-Name =~ "/^%{1}%{2}%{3}%{4}%{5}%{6}$/i"
Hint = mac-auth



server dot1x {
 modules {
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = yes
with_alvarion_vsa_hack = no
  }

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f943272eae0 (LWP 3894)]
strlcpy (dst=0x13545e8 "", src=0x0, siz=) at strlcpy.c:50
50  if ((*d++ = *s++) == 0)
(gdb) where
#0  strlcpy (dst=0x13545e8 "", src=0x0, siz=) at 
strlcpy.c:50
#1  0x7f9432315164 in pairmake (attribute=, value=0x0, 
operator=17)
at valuepair.c:1549
#2  0x7f9432315a39 in pairread (ptr=0x7fff3a7352a8, eol=0x7fff3a7352b4) at 
valuepair.c:1703
#3  0x7f9432315b7f in userparse (buffer=, 
first_pair=0x7fff3a739470)
at valuepair.c:1804
#4  0x0040ec5c in pairlist_read (file=0x1352140 
"/etc/freeradius/hints", list=0x13522b8, 
complain=) at files.c:192
#5  0x7f942dd21aeb in preprocess_instantiate (conf=0x1217110, 
instance=0x1352108)
at rlm_preprocess.c:497
#6  0x00413bc1 in find_module_instance (modules=, 
instname=0x121e0c0 "preprocess", do_link=20259360) at modules.c:506
#7  0x00414fee in do_compile_modsingle (parent=0x0, component=1, 
ci=0x121e080, grouptype=0, 
modname=0x7fff3a739b38) at modcall.c:1872
#8  0x00412db3 in load_component_section (cs=0x121df00, 
components=0x1351ea0, comp=1)
at modules.c:794
#9  0x00413368 in load_byserver (cs=0x121d6d0) at modules.c:993
#10 0x00413697 in virtual_servers_load (config=0x1203030) at 
modules.c:1121
#11 0x00414058 in setup_modules (reload=, 
config=0x1203030)
at modules.c:1368
#12 0x0041245a in read_mainconfig (reload=) at 
mainconfig.c:904
#13 0x00416d1a in main (argc=2, argv=0x7fff3a73a418) at radiusd.c:257
(gdb)


-- 
Alexander Clouter
.sigmonster says: Keep it short for pithy sake.

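To make the intent of the hints entry above concrete, here is an added Python emulation (not FreeRADIUS code) of the checks on that DEFAULT line: NAS-Port-Type must be Ethernet, User-Name must equal User-Password, Calling-Station-Id must match the six-octet regex from the post, and User-Name must equal the joined capture groups, which is what `%{1}%{2}%{3}%{4}%{5}%{6}` expands to. The request is a plain dict standing in for the RADIUS request; that and the sample values in the test are assumptions of this example.

```python
import re

# The same six-group pattern as the hints entry in the post: each group is one
# octet of the MAC, and ".?" accepts any single character (or nothing) between
# octets. The /i flag of the entry becomes re.IGNORECASE.
MAC_RE = re.compile(
    r'^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?'
    r'([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$',
    re.IGNORECASE,
)


def normalize_mac(calling_station_id):
    """Return the 12 hex digits (%{1}..%{6} joined, lowercased) or None if no match."""
    m = MAC_RE.match(calling_station_id)
    return "".join(m.groups()).lower() if m else None


def mac_auth_hint_matches(request):
    """Emulate the DEFAULT line: every check must hold for 'Hint = mac-auth'.

    `request` is a constructed dict of attribute name -> string value standing
    in for the incoming Access-Request (an assumption of this example).
    """
    if request.get("NAS-Port-Type") != "Ethernet":
        return False
    user = request.get("User-Name", "")
    if user != request.get("User-Password"):       # User-Name == "%{User-Password}"
        return False
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is None:                                # Calling-Station-Id =~ /.../i
        return False
    return user.lower() == mac                     # User-Name =~ "/^%{1}...%{6}$/i"


def hint_pairs(request):
    """Pairs the entry would add to the request (empty when it does not match)."""
    return {"Hint": "mac-auth"} if mac_auth_hint_matches(request) else {}
```

Because the octet separator is `.?`, the pattern accepts colon, hyphen, dot and Cisco-style `0011.2233.4455` forms as well as no separator at all, but also any other single character; the comparison here is done on lowercased strings for the same reason the entry puts `i` on both regexes.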


Re: MSChap via ntlm_auth problem

2009-08-18 Thread Alan Buxey
Hi,

> The problem appears in any case - with or without require-membership option.
> 
> > which version of SAMBA are you running? Latest version is known to have
> > issues - they've changed things with its output.
> 
> I use samba 3.0.35 on FreeBSD 7.2 box.
> 
> > also, recommend you change the command to have this instead
> >
> > --username=%{Stripped-User-Name:-%{User-Name:-None}}
> >
> > that'll get rid of that annoying output error
> 
> I have the following command:
> 
> ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key
> --require-membership-of=CENTAURA+InternetUsers
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> 
> If I call it from shell with options from radius request - I get result:
> 
> # /usr/local/bin/ntlm_auth --request-nt-key
> --require-membership-of=CENTAURA+InternetUsers --username=BAS
> --challenge=6b6f49357dccee7c
> --nt-response=ce2480f1e35c222a4d3481b83ee78854094394517f29d9ec
> 
> NT_KEY: A9B342EC3E218E54A330556C468415CD
> 
> What can I do for getting some details about error?


maybe escape the + in your command (ie \+ ?


alan


Re: Freeradius-Users Digest, Vol 52, Issue 81

2009-08-18 Thread Martin Silvero
-Service-Activate:1'} = "telesys";
>   $RAD_REPLY{'ERX-Service-Statistics:1'} = "time-volume";
>   $RAD_REPLY{'ERX-Qos-Parameters'}[0] = "internet_tr_value 2097152";
>   $RAD_REPLY{'ERX-Qos-Parameters'}[1] = "internet_tr_value_in 2097152";
>   $RAD_REPLY{'ERX-Service-Activate:2'} = "deny";
>   $RAD_REPLY{'ERX-Qos-Profile-Name'} = "SP_Tele_Internet";
>   $RAD_REPLY{'Framed-IP-Address'} = '10.0.112.2';
>   $RAD_REPLY{'Framed-IP-Netmask'}= "255.255.255.255";
>   $RAD_REPLY{'ERX-Primary-DNS'} = "1.2.3.4";
>   $RAD_REPLY{'ERX-Secondary-DNS'} = "1.2.3.5";
>   return RLM_MODULE_OK;
>   };
> 
>
> This gives following results:
>
> # radtest admin test 10.3.1.252 12 huawei
> Sending Access-Request of id 70 to 10.3.1.252 port 1812
>   User-Name = "admin"
>   User-Password = "test"
>   NAS-IP-Address = 10.1.2.13
>   NAS-Port = 12
> rad_recv: Access-Accept packet from host 10.3.1.252 port 1812, id=70,
> length=188
>   ERX-Qos-Parameters = "internet_tr_value 2097152"
>   ERX-Qos-Parameters = "internet_tr_value_in 2097152"
>   ERX-Service-Activate:0 = "deny"
>   ERX-Service-Activate:0 = "telesys"
>   ERX-Qos-Profile-Name = "SP_Tele_Internet"
>   ERX-Service-Statistics:1 = time-volume
>   ERX-Primary-Dns = 1.2.3.4
>   ERX-Secondary-Dns = 1.2.3.5
>   Framed-IP-Address = 10.0.112.2
>   Framed-IP-Netmask = 255.255.255.255
>
>
> 
> Output from radiusd -X:
>
> rad_recv: Access-Request packet from host 10.3.1.252 port 52845,
> id=70, length=57
>   User-Name = "admin"
>   User-Password = "test"
>   NAS-IP-Address = 10.1.2.13
>   NAS-Port = 12
> server radoss {
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[control] returns ok
> rlm_perl: $VAR1 = {};
> rlm_perl: defined
> rlm_perl: Added pair User-Name = admin
> rlm_perl: Added pair User-Password = test
> rlm_perl: Added pair NAS-Port = 12
> rlm_perl: Added pair NAS-IP-Address = 10.1.2.13
> rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
> rlm_perl: Added pair ERX-Service-Activate:2 = deny
> rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
> rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value_in 2097152
> rlm_perl: Added pair ERX-Service-Statistics:1 = time-volume
> rlm_perl: Added pair ERX-Secondary-DNS = 1.2.3.5
> rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
> rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
> rlm_perl: Added pair ERX-Service-Activate:1 = telesys
> rlm_perl: Added pair ERX-Primary-DNS = 1.2.3.4
> rlm_perl: Added pair Auth-Type = Perl
> ++[perl] returns ok
> Found Auth-Type = Perl
> +- entering group Perl {...}
> rlm_perl: Added pair User-Name = admin
> rlm_perl: Added pair User-Password = test
> rlm_perl: Added pair NAS-IP-Address = 10.1.2.13
> rlm_perl: Added pair NAS-Port = 12
> rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value 2097152
> rlm_perl: Added pair ERX-Qos-Parameters = internet_tr_value_in 2097152
> rlm_perl: Added pair ERX-Service-Activate = deny
> rlm_perl: Added pair ERX-Service-Activate = telesys
> rlm_perl: Added pair ERX-Qos-Profile-Name = SP_Tele_Internet
> rlm_perl: Added pair ERX-Service-Statistics:1 = time-volume
> rlm_perl: Added pair ERX-Primary-Dns = 1.2.3.4
> rlm_perl: Added pair ERX-Secondary-Dns = 1.2.3.5
> rlm_perl: Added pair Framed-IP-Address = 10.0.112.2
> rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.255
> rlm_perl: Added pair Auth-Type = Perl
> ++[perl] returns ok
> +- entering group post-auth {...}
> ++[exec] returns noop
> } # server radoss
> Sending Access-Accept of id 70 to 10.3.1.252 port 52845
>   ERX-Qos-Parameters += "internet_tr_value 2097152"
>   ERX-Qos-Parameters += "internet_tr_value_in 2097152"
>   ERX-Service-Activate:0 += "deny"
>   ERX-Service-Activate:0 += "telesys"
>   ERX-Qos-Profile-Name = "SP_Tele_Internet"
>   ERX-Service-Statistics:1 = time-volume
>   ERX-Primary-Dns = 1.2.3.4
>   ERX-Secondary-Dns = 1.2.3.5
>   Framed-IP-Address = 10.0.112.2
>   Framed-IP-Netmask = 255.255.255.255
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 70 with timestamp +4
> Ready to process requests.
>
> --
> Alexandr Kovalenko
> http://uafug.org.ua/
>
>
>
> --

Re: accounting through detail module help

2009-08-18 Thread Alan Buxey
Hi,

> At present our radius servers getting traffic of more than 3 million users.
> We have only two radius servers and one mysql server active. The server
> crashing whenever more traffic comes. Due to mysql overload and slow I'm
> planning to use detail module for accounting and then take these details and
> parse then put in database using program/script.  Does this helps? Is there
> any script already available in freeradius?
> Does placing one more radius server and using mysql clustering help?

use the detail module and let FR deal with handling the detail module.

you can speed up the MySQL using eg better indexing and better storage engine

alan



accounting through detail module help

2009-08-18 Thread ramesh p
Hi,

At present our radius servers are getting traffic of more than 3 million users.
We have only two radius servers and one mysql server active. The server
crashes whenever more traffic comes. Due to mysql overload and slowness I'm
planning to use the detail module for accounting and then take these details and
parse and put them in the database using a program/script.  Does this help? Is there
any script already available in freeradius?
Does placing one more radius server and using mysql clustering help?

Please suggest.

Thanks,
Rams.
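Both of Rams' messages in this thread ask for something that reads the detail files and pushes the attributes into MySQL; Alan's answer, the buffered-sql virtual server, is the built-in way to do that. The following is an added example, not FreeRADIUS code, showing what such a reader has to do: split the file on blank lines, treat the first line of each record as the timestamp header and the tab-indented lines as attribute/value pairs, keep repeated attributes, and hand values to the database as bound parameters rather than splicing NAS-supplied strings into SQL. The sample detail text is constructed, and the radacct column names are assumed to match the default FreeRADIUS schema.

```python
import re

# Constructed sample in the FreeRADIUS detail-file layout: a timestamp header
# line, tab-indented "Attribute = value" lines, and a blank line ending each
# record. Session values are made up for this example.
SAMPLE_DETAIL = (
    "Tue Aug 18 14:06:40 2009\n"
    "\tAcct-Session-Id = \"3a7f0001\"\n"
    "\tAcct-Status-Type = Start\n"
    "\tUser-Name = \"guaraldi\"\n"
    "\tNAS-IP-Address = 192.168.0.1\n"
    "\tTimestamp = 1250600800\n"
    "\n"
    "Tue Aug 18 14:36:40 2009\n"
    "\tAcct-Session-Id = \"3a7f0001\"\n"
    "\tAcct-Status-Type = Stop\n"
    "\tUser-Name = \"guaraldi\"\n"
    "\tNAS-IP-Address = 192.168.0.1\n"
    "\tAcct-Session-Time = 1800\n"
    "\tAcct-Input-Octets = 1048576\n"
    "\tAcct-Output-Octets = 524288\n"
    "\tTimestamp = 1250602600\n"
    "\n"
)

# One attribute line: leading tab, attribute name, '=' and the value.
ATTR_LINE = re.compile(r'^\t([A-Za-z0-9.:_-]+)\s*=\s*(.*)$')


def _unquote(value):
    """Strip the double quotes the detail writer puts around string values."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_detail(text):
    """Return records as {'header': str, 'attrs': {name: [values]}}.

    Attributes are kept as lists because one Accounting-Request may carry the
    same attribute several times (vendor attributes in particular).
    """
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line closes the record
            if current is not None:
                records.append(current)
                current = None
            continue
        if current is None:                  # first non-blank line is the header
            current = {"header": line, "attrs": {}}
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError("malformed detail line: %r" % line)
        current["attrs"].setdefault(m.group(1), []).append(_unquote(m.group(2)))
    if current is not None:                  # file cut off before its blank line
        records.append(current)
    return records


def first(attrs, name, default=""):
    """First value of an attribute, or the default when it is absent."""
    return attrs.get(name, [default])[0]


def stop_rows(records):
    """Map Stop records onto the columns of a radacct-style table."""
    rows = []
    for rec in records:
        a = rec["attrs"]
        if first(a, "Acct-Status-Type") != "Stop":
            continue
        rows.append((
            first(a, "Acct-Session-Id"),
            first(a, "User-Name"),
            first(a, "NAS-IP-Address"),
            int(first(a, "Acct-Session-Time", "0")),
            int(first(a, "Acct-Input-Octets", "0")),
            int(first(a, "Acct-Output-Octets", "0")),
        ))
    return rows


# Placeholder-style statement: values stay bound as parameters and are never
# interpolated, since User-Name and the rest are strings supplied by the NAS.
INSERT_SQL = (
    "INSERT INTO radacct (acctsessionid, username, nasipaddress, "
    "acctsessiontime, acctinputoctets, acctoutputoctets) "
    "VALUES (%s, %s, %s, %s, %s, %s)"
)


def load_into(cursor, text):
    """Parse one detail file and executemany() its Stop records; returns the row count."""
    rows = stop_rows(parse_detail(text))
    if rows:
        cursor.executemany(INSERT_SQL, rows)
    return len(rows)
```

`load_into` takes any DB-API cursor (a MySQLdb or mysql-connector cursor in practice); a real importer would also rename or truncate the file after a successful commit so the same records are not loaded twice, which is exactly the bookkeeping the detail reader in buffered-sql does for you.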

Re: FreeRADIUS Server Version 2.1.6 has been released

2009-08-18 Thread Alexandr Kovalenko
On Mon, May 18, 2009 at 2:59 PM, Alan DeKok wrote:
>  The following is the change log.  Thanks to everyone for testing the
> pre releases.
>
>
> FreeRADIUS 2.1.6 Mon May 18 10:00:00 CEST 2009;  , urgency=medium
>        Feature improvements
>        Bug fixes
>        * Make rlm_perl keep tags for tagged attributes in more
>          situations

Does not work for situation:


$ radiusd -v | head -1
radiusd: FreeRADIUS Version 2.1.6, for host i386-portbld-freebsd7.2,
built on Aug 18 2009 at 12:31:54

$ perl -V
Summary of my perl5 (revision 5 version 8 subversion 9) configuration:
  Platform:
osname=freebsd, osvers=7.2-release-p2, archname=i386-freebsd-64int
uname='freebsd mile.office.tsu 7.2-release-p2 freebsd
7.2-release-p2 #0: fri jun 26 10:01:50 eest 2009
r...@mile.office.tsu:usrobjusrsrcsysmile i386 '
config_args='-sde -Dprefix=/usr/local
-Darchlib=/usr/local/lib/perl5/5.8.9/mach
-Dprivlib=/usr/local/lib/perl5/5.8.9
-Dman3dir=/usr/local/lib/perl5/5.8.9/perl/man/man3
-Dman1dir=/usr/local/man/man1
-Dsitearch=/usr/local/lib/perl5/site_perl/5.8.9/mach
-Dsitelib=/usr/local/lib/perl5/site_perl/5.8.9
-Dscriptdir=/usr/local/bin
-Dsiteman3dir=/usr/local/lib/perl5/5.8.9/man/man3
-Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv
-Uinstallusrbinperl -Dcc=cc -Duseshrplib -Dinc_version_list=none
-Dccflags=-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.9/BSDPAN"
-Doptimize=-O2 -fno-strict-aliasing -pipe -march=pentium4 -Ud_dosuid
-Ui_gdbm -Dusethreads=n -Dusemymalloc=y -Duse64bitint'
hint=recommended, useposix=true, d_sigaction=define
usethreads=undef use5005threads=undef useithreads=undef
usemultiplicity=undef
useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
use64bitint=define use64bitall=undef uselongdouble=undef
usemymalloc=y, bincompat5005=undef
  Compiler:
cc='cc', ccflags
='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.9/BSDPAN" -DHAS_FPSETMASK
-DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe
-I/usr/local/include',
optimize='-O2 -fno-strict-aliasing -pipe -march=pentium4',
cppflags='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.9/BSDPAN"
-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe
-I/usr/local/include'
ccversion='', gccversion='4.2.1 20070719  [FreeBSD]', gccosandvers=''
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
ivtype='long long', ivsize=8, nvtype='double', nvsize=8,
Off_t='off_t', lseeksize=8
alignbytes=4, prototype=define
  Linker and Libraries:
ld='cc', ldflags =' -Wl,-E  -L/usr/local/lib'
libpth=/usr/lib /usr/local/lib
libs=-lgdbm -lm -lcrypt -lutil
perllibs=-lm -lcrypt -lutil
libc=, so=so, useshrplib=true, libperl=libperl.so
gnulibc_version=''
  Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='
-Wl,-R/usr/local/lib/perl5/5.8.9/mach/CORE'
cccdlflags='-DPIC -fPIC', lddlflags='-shared  -L/usr/local/lib'


Characteristics of this binary (from libperl):
  Compile-time options: MYMALLOC PERL_MALLOC_WRAP USE_64_BIT_INT
USE_FAST_STDIO USE_LARGE_FILES USE_PERLIO
  Locally applied patches:
defined-or
  Built under freebsd
  Compiled at Aug 18 2009 14:56:36
  @INC:
/usr/local/lib/perl5/5.8.9/BSDPAN
/usr/local/lib/perl5/site_perl/5.8.9/mach
/usr/local/lib/perl5/site_perl/5.8.9
/usr/local/lib/perl5/5.8.9/mach
/usr/local/lib/perl5/5.8.9
.


Following code is used in sub authorize {} in perl module I'm trying to use

   if (($RAD_REQUEST{'User-Name'} eq 'admin') and
($RAD_REQUEST{'User-Password'} eq 'test')) {
   $RAD_REPLY{'ERX-Service-Activate:1'} = "telesys";
   $RAD_REPLY{'ERX-Service-Statistics:1'} = "time-volume";
   $RAD_REPLY{'ERX-Qos-Parameters'}[0] = "internet_tr_value 2097152";
   $RAD_REPLY{'ERX-Qos-Parameters'}[1] = "internet_tr_value_in 2097152";
   $RAD_REPLY{'ERX-Service-Activate:2'} = "deny";
   $RAD_REPLY{'ERX-Qos-Profile-Name'} = "SP_Tele_Internet";
   $RAD_REPLY{'Framed-IP-Address'} = '10.0.112.2';
   $RAD_REPLY{'Framed-IP-Netmask'}= "255.255.255.255";
   $RAD_REPLY{'ERX-Primary-DNS'} = "1.2.3.4";
   $RAD_REPLY{'ERX-Secondary-DNS'} = "1.2.3.5";
   return RLM_MODULE_OK;
   };


This gives following results:

# radtest admin test 10.3.1.252 12 huawei
Sending Access-Request of id 70 to 10.3.1.252 port 1812
   User-Name = "admin"
   User-Password = "test"
   NAS-IP-Address = 10.1.2.13
   NAS-Port = 12
rad_recv: Access-Accept packet from host 10.3.1.252 port 1812, id=70, length=188
   ERX-Qos-Parameters = "internet_tr_value 2097152"
   ERX-Qos-Parameters = "internet_tr_value_in 2097152"
   ERX-Service-Activate:0 = "deny"
   ERX-Service-Activate:0 = "telesys"
   ERX-Qos-Profile-Name = "SP_Tele_Internet"
   ERX-Service-Statistics:1 = time-volume
   ERX-Primary-Dns = 1.2.3.4
   ERX-Secondary-Dns = 

NAS IPs

2009-08-18 Thread Irina
Hello,

 

I need to allow a block of 8 IP addresses in 'nasname' column in NAS table.  
Can I use

 

  xx.xx.xx.112/29

 

Thank you for your help in advance

 

Kindest Regards,

Irina

===


Re: Session-Timeout for unlimited?

2009-08-18 Thread Stefan Winter
Hi,

> We have prepaid users, where the freeradius server should answer with
> some
> non null integer Session-Timeout.
>
> We have also postpaid users, where the session should be unlimited.
>
> What is the Session-Timeout value corresponding to "unlimited"?

If you don't send Session-Timeout at all, the session will not be timing
out.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Session-Timeout for unlimited?

2009-08-18 Thread Rakotomandimby Mihamina

Hi,
(Using freeRadius v2)
We have prepaid users, where the freeradius server should answer with some
non null integer Session-Timeout.

We have also postpaid users, where the session should be unlimited.

What is the Session-Timeout value corresponding to "unlimited"?

Thank you.

--
  Architecte Informatique chez Blueline/Gulfsat:
   Administration Systeme, Recherche & Developpement
   +261 34 29 155 34


Re: Huntgroups and SQL not being enforced

2009-08-18 Thread mikoi

Hi.
For info, I followed the information in the link below for my Huntgroups,
but without Auth-Type since it is not recommended.

http://wiki.freeradius.org/SQL_Huntgroup_HOWTO

I still can't get huntgroups to be enforced properly.

If I add Huntgroup-Name == VPN-Service to the radcheck table, it works for
my local users (the ones with a Cleartext-Password in Freeradius), but not
for my proxied users.

Any hints?

/M



Re: MSChap via ntlm_auth problem

2009-08-18 Thread Anton Brinyov
Hi,

2009/8/18 Alan Buxey :
>
> hmm, not sure about the require-membership bit as I've never used it.
>

The problem appears in any case - with or without require-membership option.

> which version of SAMBA are you running? Latest version is known to have
> issues - they've changed things with its output.

I use samba 3.0.35 on FreeBSD 7.2 box.

> also, recommend you change the command to have this instead
>
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>
> that'll get rid of that annoying output error

I have the following command:

ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key
--require-membership-of=CENTAURA+InternetUsers
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

If I call it from shell with options from radius request - I get result:

# /usr/local/bin/ntlm_auth --request-nt-key
--require-membership-of=CENTAURA+InternetUsers --username=BAS
--challenge=6b6f49357dccee7c
--nt-response=ce2480f1e35c222a4d3481b83ee78854094394517f29d9ec

NT_KEY: A9B342EC3E218E54A330556C468415CD

What can I do for getting some details about error?

Thanks,
Anton.


Re: Comparing live sessions between NAS and freeradius

2009-08-18 Thread Kanwar Ranbir Sandhu
On Tue, 2009-08-18 at 12:21 +0800, Deepak wrote:
> It is called stale session. I am also trying to solve the same. I just
> discussed this topic few days back. Check the list archive for
> previous detail discussion on how to solve this.
> >From my understanding, there is no common solution to this because
> every problem is unique (based on your business logic) . You need to
> check the "racacct" table periodically to detect such problem (based
> on your implementation) and come up with your own SQL to modify this
> table (again based on your implementation).

Some searching last night has given me a better idea of how to solve my
problem.  But, I still have a question: does "lease-duration" affect
stale sessions?  That is, if lease-duration is "3600", any sessions
longer than that will be regarded as stale by freeradius, and therefore
killed?

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.29-170.2.78.fc10.x86_64 x86_64 GNU/Linux 
08:04:15 up 2 days, 9:01, 2 users, load average: 0.60, 0.51, 0.36 




Re: MSChap via ntlm_auth problem

2009-08-18 Thread Alan Buxey
Hi,
> >> Oh, sorry.
> >> I tried to get some about ntlm_auth output and forgot to remove changes.
> >>
> >> I deleted the pipe but it didn't remove the problem.
> >
> > ..now post the debug again
> 
> Please, find in attachment. Nothing changed.

hmm, not sure about the require-membership bit as I've never used it.

which version of SAMBA are you running? Latest version is known to have
issues - they've changed things with its output.

also, recommend you change the command to have this instead

--username=%{Stripped-User-Name:-%{User-Name:-None}}

that'll get rid of that annoying output error


alan


Re: MSChap via ntlm_auth problem

2009-08-18 Thread Anton Brinyov
>> Oh, sorry.
>> I tried to get some about ntlm_auth output and forgot to remove changes.
>>
>> I deleted the pipe but it didn't remove the problem.
>
> ..now post the debug again

Please, find in attachment. Nothing changed.


radiusd.out.1
Description: Binary data

Re: MSChap via ntlm_auth problem

2009-08-18 Thread Alan Buxey
Hi,

> Oh, sorry.
> I tried to get some ntlm_auth output and forgot to remove the changes.
> 
> I deleted the pipe but it didn't remove the problem.

..now post the debug again

alan


Re: rlm_perl / libtool / libltdl problem

2009-08-18 Thread Alan DeKok
Garber, Neal wrote:
> This does, in fact, work; but, isn’t very satisfying as a permanent
> solution.  I believe that libtool and libltdl were updated during the
> install of the patch and this is the source of the problem.  I’m now
> running FreeBSD 7.2 with libltdl-2.2.6a & libtool-2.2.6a (they were at
> 2.2.5 before).

  Did I mention that I hate libtool and libltdl?  They're close to
*causing* more problems than they solve.

> Is anyone aware of any compatibility issues with libtool/libltdl 2.2.6a
> and FreeRADIUS?  

  They both suck.  Depending on the phase of the moon, they might not
even cause the *build* process to fail.

> Anyone have a more permanent solution that avoids the LD_PRELOAD ugliness? 

  Educate the libltdl / libtool developers so that they write software
that works?

> I’ve tried rebuilding FR from the port with no subsequent patches and
> received the same result (FR wouldn’t start without the LD_PRELOAD).  I
> also tried using the portdowngrade port to downgrade libtool & libltdl
> back to 2.2.5 which didn’t seem to have this problem.  However, it only
> displayed 2.2.6a (i.e., I couldn’t downgrade).  rlm_perl seems to be
> pointing to the proper libperl.so as shown below:

  Yeah... isn't that nice?  And libltdl *still* can't get it right.

  I mean... what the heck?

  I actually started removing libltdl a while ago.  See
src/main/modules.c.  Look for WITHOUT_LIBLTDL.  I'll bet that if you
spent a bit of time hacking the source, you could get it to build && run
*without* libltdl.  At that point, the stupid "can't load library"
issues will go away.

  Alan DeKok.

Re: Stale Session and Simultaneous-Use Question

2009-08-18 Thread Alan DeKok
ganesh nagpure wrote:
> The BRAS will send accounting and auth requests to the FreeRADIUS server, and the
> FreeRADIUS server will forward them to the proxy RADIUS.
> Is it possible to configure the FreeRADIUS server to do the following?
> 1) Forward the acct/auth request to the proxy RADIUS server and wait for
> acknowledgement.
> 2) If the proxy RADIUS server sends the acknowledgement, then allow the user
> session.
> 3) If the proxy RADIUS does not send the acknowledgement, then disconnect the
> session or do not allow the user session.

  All of this happens by default.

> 4) If the session is ongoing and the proxy RADIUS sends a stop
> session message because of a user account modification or some other reason to
> FreeRADIUS, then FreeRADIUS should inform the BRAS to stop the current session.

  The proxy never sends a "stop session message".

> 5) FreeRADIUS should forward all the attributes to the proxy RADIUS which
> were forwarded by the BRAS.

  This is what happens by default.

> 6) The BRASes are configured to send a periodic accounting update request
> every five minutes. Does FreeRADIUS forward the periodic accounting requests
> to the proxy RADIUS server?

  Yes.

  Alan DeKok.


Re: Volume based reservation

2009-08-18 Thread Alan DeKok
ganesh nagpure wrote:
> Hi,
> 
> I have following setup
> 
> BRAS (7206) > Free radius
> 
> How do I configure the BRAS or FreeRADIUS to update volume information for
> uplink and downlink on a frequent basis?
> 
> Cisco-AVpair += "ip:traffic-class=out default drop", 
> Acct-Interim-Interval=900, 
> Cisco-AVPair += "subscriber:accounting-list=PPP_ACCOUNTING_LIST" 

  That might work.  Does the NAS documentation say that this is what you
need to send?

  Alan DeKok.


Re: How to control users traffic ?

2009-08-18 Thread Alan DeKok
Andrew Paternoster wrote:
> Does anyone have any Example policies that they can share.

  The NAS documentation describes how to create such policies.  It is
specific to *each* NAS.

> I'm trying to work out how to send attributes to my Cisco NAS when the users
> reach their traffic limit.

  See your NAS documentation for how to do that.

> I have looked around and cannot find how to make these policies mentioned 
> below.
> 
> Can any one point me in the right direction?

  See your NAS documentation.

  Alan DeKok.


Huntgroups and SQL not being enforced

2009-08-18 Thread mikoi

Hello.
I need some help to debug my configuration of Huntgroups in SQL and why they
are not being enforced.
Probably missing something obvious here. I've been staring myself blind at
this problem.
User gets Access-Accept although NAS-IP-Address is not a match.


Here is the setup:
Freeradius 2.1.6, MySQL.

Tables in MySQL:

RADCHECK:
mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
| 33 | testuser | Cleartext-Password | := | testuser |
+----+----------+--------------------+----+----------+


USERGROUP:
mysql> select * from usergroup;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| testuser | VPN-AUTH  |        0 |
+----------+-----------+----------+


RADGROUPCHECK:
mysql> select * from radgroupcheck;
+----+-----------+----------------+----+-------------+
| id | groupname | attribute      | op | value       |
+----+-----------+----------------+----+-------------+
|  8 | VPN-AUTH  | Huntgroup-Name | == | VPN-Service |
+----+-----------+----------------+----+-------------+

RADHUNTGROUP:
mysql> select * from radhuntgroup;
+----+-------------+--------------+-----------+
| id | groupname   | nasipaddress | nasportid |
+----+-------------+--------------+-----------+
|  6 | VPN-Service | 10.10.10.10  | NULL      |
+----+-------------+--------------+-----------+


sites-enabled/default, authorize section:

    #   SQL query huntgroups

    update request {
        Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress=\"%{NAS-IP-Address}\"}"
    }





Debug with correct NAS-IP-Address:

rad_recv: Access-Request packet from host x.x.x.x port 1812, id=20,
length=54
User-Name = "testuser"
User-Password = "testuser"
NAS-IP-Address = 10.10.10.10
+- entering group authorize {...}
++[preprocess] returns ok
sql_xlat
expand: %{User-Name} -> testuser
sql_set_user escaped user --> 'testuser'
expand: select groupname from radhuntgroup where
nasipaddress="%{NAS-IP-Address}" -> select groupname from radhuntgroup where
nasipaddress="10.10.10.10"
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:select groupname from radhuntgroup where
nasipaddress="%{NAS-IP-Address}"} -> VPN-Service
++[request] returns ok
sql_xlat
expand: %{User-Name} -> testuser
sql_set_user escaped user --> 'testuser'
expand: select authserver from authmethod where username
="%{User-Name}" -> select authserver from authmethod where username
="testuser"
rlm_sql (sql): Reserving sql socket id: 2
sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
expand: %{sql:select authserver from authmethod where username
="%{User-Name}"} -> LOCAL
++[control] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radcheck  
WHERE username = 'testuser'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radreply  
WHERE username = 'testuser'   ORDER BY id
[sql]   expand: SELECT groupname   FROM usergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM usergroup   WHERE username = 'testuser'
  
ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op  
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'  
ORDER BY id -> SELECT id, groupname, attribute,   Value, op  
FROM radgroupcheck   WHERE groupname = 'VPN-AUTH'   ORDER BY
id
[sql] User found in group VPN-AUTH
[sql]   expand: SELECT id, groupname, attribute,   value, op  
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'  
ORDER BY id -> SELECT id, groupname, attribute,   value, op  
FROM radgroupreply   WHERE groupname = 'VPN-AUTH'   ORDER BY
id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns u
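
The four tables and the update block above, run through a small Python model of the authorize phase. This is an added example, not code from the post or from FreeRADIUS, and the rules it encodes are my reading of how rlm_sql 2.1.x combines check items (listed in the docstring as assumptions): a radgroupcheck row that does not match only causes that group to be skipped, it does not reject the request, so once the user has been found in radcheck the cleartext password still authenticates from any NAS. The hardened table set adds a constructed catch-all group, REJECT-OTHER-NAS, carrying Auth-Type := Reject at a higher priority number, so it is only reached when VPN-AUTH did not match; the NAS address 192.0.2.50 used for the "other NAS" request is likewise made up for the demo.

```python
"""Model of rlm_sql check/group processing for the tables in the post.

Assumed behaviour (my understanding of 2.1.x, not quoted from the source):
  * radcheck rows for the user: ':=' rows are control assignments and never
    fail; '==' rows are compared against the request.  Match => user found.
  * usergroup rows are walked in priority order.  A group whose radgroupcheck
    rows do not all match is skipped.  Skipping does NOT reject.
  * after the first matching group the walk stops unless that group's
    radgroupreply rows contain Fall-Through = Yes.
  * if nothing at all matched, sql returns notfound and, with no Auth-Type
    set by anyone else, the request is rejected.  Otherwise pap compares
    Cleartext-Password with User-Password.
"""
import copy

# Constructed copies of the four tables shown in the post.
ORIGINAL_TABLES = {
    "radcheck": [
        {"username": "testuser", "attribute": "Cleartext-Password", "op": ":=", "value": "testuser"},
    ],
    "usergroup": [
        {"username": "testuser", "groupname": "VPN-AUTH", "priority": 0},
    ],
    "radgroupcheck": [
        {"groupname": "VPN-AUTH", "attribute": "Huntgroup-Name", "op": "==", "value": "VPN-Service"},
    ],
    "radgroupreply": [],
    "radhuntgroup": [
        {"groupname": "VPN-Service", "nasipaddress": "10.10.10.10", "nasportid": None},
    ],
}

# Hardened variant (an assumption, not from the post): a catch-all group with
# no check conditions, processed after VPN-AUTH, that forces a reject.  It is
# only reached when no earlier group matched.
HARDENED_TABLES = copy.deepcopy(ORIGINAL_TABLES)
HARDENED_TABLES["usergroup"].append(
    {"username": "testuser", "groupname": "REJECT-OTHER-NAS", "priority": 10})
HARDENED_TABLES["radgroupcheck"].append(
    {"groupname": "REJECT-OTHER-NAS", "attribute": "Auth-Type", "op": ":=", "value": "Reject"})


def huntgroup_xlat(tables, nas_ip):
    """%{sql:select groupname from radhuntgroup where nasipaddress=...}:
    first matching groupname, or the empty string when no row matches."""
    for row in tables["radhuntgroup"]:
        if row["nasipaddress"] == nas_ip:
            return row["groupname"]
    return ""


def check_items_match(items, request):
    """paircompare model: every '==' row must equal the request attribute."""
    return all(request.get(i["attribute"]) == i["value"] for i in items if i["op"] == "==")


def control_items(items):
    """':=' rows become control items (Cleartext-Password, Auth-Type, ...)."""
    return {i["attribute"]: i["value"] for i in items if i["op"] == ":="}


def authorize(tables, request):
    """Return (reply_code, groups_that_matched) for one Access-Request."""
    request = dict(request)
    # update request { Huntgroup-Name := "%{sql:...}" }
    request["Huntgroup-Name"] = huntgroup_xlat(tables, request.get("NAS-IP-Address"))

    control, found, matched = {}, False, []

    user_rows = [r for r in tables["radcheck"] if r["username"] == request["User-Name"]]
    if user_rows and check_items_match(user_rows, request):
        found = True
        control.update(control_items(user_rows))

    groups = sorted((g for g in tables["usergroup"] if g["username"] == request["User-Name"]),
                    key=lambda g: g["priority"])
    for g in groups:
        gcheck = [r for r in tables["radgroupcheck"] if r["groupname"] == g["groupname"]]
        if not check_items_match(gcheck, request):
            continue  # group skipped; nothing here rejects the request
        found = True
        matched.append(g["groupname"])
        control.update(control_items(gcheck))
        greply = [r for r in tables["radgroupreply"] if r["groupname"] == g["groupname"]]
        if not any(r["attribute"] == "Fall-Through" and str(r["value"]).lower() == "yes" for r in greply):
            break  # first matching group wins unless Fall-Through = Yes

    if not found:
        return "Access-Reject", matched  # sql: notfound, no Auth-Type set
    if control.get("Auth-Type") == "Reject":
        return "Access-Reject", matched
    # pap: authenticate against the Cleartext-Password found above
    if control.get("Cleartext-Password") == request.get("User-Password"):
        return "Access-Accept", matched
    return "Access-Reject", matched


if __name__ == "__main__":
    good = {"User-Name": "testuser", "User-Password": "testuser", "NAS-IP-Address": "10.10.10.10"}
    other = dict(good, **{"NAS-IP-Address": "192.0.2.50"})  # constructed NAS, not in radhuntgroup
    for name, tables in (("original", ORIGINAL_TABLES), ("hardened", HARDENED_TABLES)):
        for req in (good, other):
            print(name, req["NAS-IP-Address"], authorize(tables, req))
```

With the original tables the model accepts from both addresses and only the matched-group list differs, which is the symptom described in the post; with the catch-all group in place the request from the unlisted NAS is rejected while the 10.10.10.10 case is unchanged.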

Re: How to control users traffic ?

2009-08-18 Thread Devinder Singh
Hi

Have you tried using WISPr attributes to control bandwidth? These are
set in the RADIUS database server.

2009/8/18 Andrew Paternoster :
> Does anyone have any example policies that they can share. I'm trying to work
> out how to send attributes to my Cisco NAS when the users reach their traffic
> limit.
>
> I have looked around and cannot find how to make these policies mentioned 
> below.
>
> Can any one point me in the right direction?
>
> Thanks
>
>
> --
> Andrew Paternoster
> GPK Computers Pty Ltd
> T 1300 854 223
> F 1300 854 228
> ---
> The information contained in or accompanying this e-mail is intended only for 
> the use of the stated recipient and may contain information that is 
> confidential and/or privileged. If the reader is not the intended recipient 
> or the agent thereof, you are hereby notified that any dissemination, 
> distribution or copying of this e-mail is strictly prohibited and may 
> constitute a breach of confidence and/or privilege. If you have received this 
> e-mail in error, please notify us immediately. Any views or opinions 
> presented are those solely of the author and do not necessarily represent 
> those of GPK Computers Pty Ltd..
> Warning: Although the company has taken reasonable precautions to ensure no 
> viruses are present in this e-mail, the company cannot accept responsibility 
> for any loss or damage arising from the use of this e-mail or attachments
> ---
> Senior System Engineer
>
> -----Original Message-----
> From: freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org 
> [mailto:freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org] On 
> Behalf Of Ivan Kalik
> Sent: Tuesday, 7 July 2009 7:12 PM
> To: FreeRadius users mailing list
> Subject: Re: How to control users traffic ?
>
>> Which is the conventional way of checking online users' traffic volume and
>> disconnecting those who reach their limit, for every user, in FreeRADIUS:
>
> There are no standard radius attributes for this. Your NAS might have
> vendor specific attributes that can be used for data (sql)counters but
> many don't.
>
>> 1- using acct-interim packets to update output or input octets in SQL and,
>> if the user reaches the maximum of their accounting permission, disconnect
>> him/her. (Is there any patch to do this?)
>
> Again, this will depend on NAS supporting PoD or CoA. You can make a
> policy that sends instructions to NAS to disconnect the user if he goes
> over the limit on update packet. If it doesn't, you should still be able
> to disconnect the user using SNMP.
>
>> 2- FreeRADIUS sends Session-Octets-Limit to the NAS and the NAS does this?
>
> If it has such VSA. You can then use standard (sql)counter.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



-- 
Devinder



Volume based reservation

2009-08-18 Thread ganesh nagpure
Hi,

I have following setup

BRAS (7206) > Free radius

How do I configure the BRAS or FreeRADIUS to update volume information for uplink
and downlink on a frequent basis?

Cisco-AVpair += "ip:traffic-class=out default drop", 
Acct-Interim-Interval=900, 
Cisco-AVPair += "subscriber:accounting-list=PPP_ACCOUNTING_LIST" 

Is there any sample configuration for this? Please let us know.

BR
Ganesh

--- On Tue, 8/18/09, ganesh nagpure  wrote:

> From: ganesh nagpure 
> Subject: Re: Stale Session and Simultaneous-Use Question
> To: "FreeRadius users mailing list" 
> Date: Tuesday, August 18, 2009, 12:36 PM
> Hi All,
> 
> I have following setup and need to configure the setup as
> per following requirements.
> 
> BRAS (7206) - Radius (Free radius) - Proxy Radius
> (Third party radius)
> 
> BRAS will send accounting and auth request to free radius
> server and free radius server will forward this to proxy
> radius.
>  Is it possible to configure free radius server to do the
> following thing.
> 1)    Forward the acc/auth request to proxy
> radius server and wait for acknowledgement.
> 2)    If proxy radius server send the
> acknowledgement then allow the user session 
> 3)    If proxy radius does not send the
> acknowledgement then disconnect the session or do not allow
> the user session
> 4)    If the session is on going and if
> proxy radius is sending the stop session message because of
> user account modification or some other reason to free
> radius then free radius should inform the BRAS to stop
> current session.
> 5)    Free radius should forward the entire
> attribute to proxy radius which is forwarded by BRAS.
> 6)    BRAS are configuring to send periodic
> accounting update request for every five minutes. Does free
> radius forward the periodic accounting request to proxy
> radius server?
> 
> 
> Your help on this will be highly appreciated.
> 
> BR
> Ganesh
> 
> 
> 
> 
> --- On Tue, 8/18/09, Deepak 
> wrote:
> 
> > From: Deepak 
> > Subject: Re: Stale Session and Simultaneous-Use
> Question
> > To: "FreeRadius users mailing list" 
> > Date: Tuesday, August 18, 2009, 12:15 PM
> > > 3) acctterminatecause - What are
> > the possible values here? In my
> > > table, I can see "User-Request" and
> "Session-Timeout".
> > In the link I
> > > mentioned in my previous post uses "User-Reset".
> This
> > is the part I am
> > > not sure on what is the appropriate value to use
> in
> > this field.
> > 
> > Found in http://freeradius.org/rfc/rfc2866.html#Acct-Terminate-Cause.
> > My bad, I overlooked this :-)
> > 
> > Thanks anyway
> > 
> > 
> > 
> > -- 
> > ==
> > Registered Linux User #460714
> > Currently Using Fedora 10, CentOS 5.3
> > ==
> > -
> > List info/subscribe/unsubscribe? See 
> > http://www.freeradius.org/list/users.html
> > 
> 
> 
>
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


  


RE: How to control users traffic ?

2009-08-18 Thread Andrew Paternoster
Does anyone have any example policies that they can share. I'm trying to work
out how to send attributes to my Cisco NAS when the users reach their traffic
limit.

I have looked around and cannot find how to make these policies mentioned below.

Can any one point me in the right direction?

Thanks


--
Andrew Paternoster
GPK Computers Pty Ltd
T 1300 854 223
F 1300 854 228
---
The information contained in or accompanying this e-mail is intended only for 
the use of the stated recipient and may contain information that is 
confidential and/or privileged. If the reader is not the intended recipient or 
the agent thereof, you are hereby notified that any dissemination, distribution 
or copying of this e-mail is strictly prohibited and may constitute a breach of 
confidence and/or privilege. If you have received this e-mail in error, please 
notify us immediately. Any views or opinions presented are those solely of the 
author and do not necessarily represent those of GPK Computers Pty Ltd..
Warning: Although the company has taken reasonable precautions to ensure no 
viruses are present in this e-mail, the company cannot accept responsibility 
for any loss or damage arising from the use of this e-mail or attachments
---
Senior System Engineer

-----Original Message-----
From: freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org 
[mailto:freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org] On 
Behalf Of Ivan Kalik
Sent: Tuesday, 7 July 2009 7:12 PM
To: FreeRadius users mailing list
Subject: Re: How to control users traffic ?

> Which is the conventional way of checking online users' traffic volume and
> disconnecting those who reach their limit, for every user, in FreeRADIUS:

There are no standard radius attributes for this. Your NAS might have
vendor specific attributes that can be used for data (sql)counters but
many don't.

> 1- using acct-interim packets to update output or input octets in SQL and,
> if the user reaches the maximum of their accounting permission, disconnect
> him/her. (Is there any patch to do this?)

Again, this will depend on NAS supporting PoD or CoA. You can make a
policy that sends instructions to NAS to disconnect the user if he goes
over the limit on update packet. If it doesn't, you should still be able
to disconnect the user using SNMP.

> 2- FreeRADIUS sends Session-Octets-Limit to the NAS and the NAS does this?

If it has such VSA. You can then use standard (sql)counter.

Ivan Kalik
Kalik Informatika ISP




Re: Stale Session and Simultaneous-Use Question

2009-08-18 Thread ganesh nagpure
Hi All,

I have following setup and need to configure the setup as per following 
requirements.

BRAS (7206) - Radius (Free radius) - Proxy Radius (Third party radius)

The BRAS will send accounting and auth requests to the FreeRADIUS server, and the
FreeRADIUS server will forward them to the proxy RADIUS.
Is it possible to configure the FreeRADIUS server to do the following?
1)  Forward the acct/auth request to the proxy RADIUS server and wait for
acknowledgement.
2)  If the proxy RADIUS server sends the acknowledgement, then allow the user
session.
3)  If the proxy RADIUS does not send the acknowledgement, then disconnect the
session or do not allow the user session.
4)  If the session is ongoing and the proxy RADIUS sends a stop
session message because of a user account modification or some other reason to
FreeRADIUS, then FreeRADIUS should inform the BRAS to stop the current session.
5)  FreeRADIUS should forward all the attributes to the proxy RADIUS which
were forwarded by the BRAS.
6)  The BRASes are configured to send a periodic accounting update request
every five minutes. Does FreeRADIUS forward the periodic accounting requests to
the proxy RADIUS server?


Your help on this will be highly appreciated.

BR
Ganesh




--- On Tue, 8/18/09, Deepak  wrote:

> From: Deepak 
> Subject: Re: Stale Session and Simultaneous-Use Question
> To: "FreeRadius users mailing list" 
> Date: Tuesday, August 18, 2009, 12:15 PM
> > 3) acctterminatecause - What are
> the possible values here? In my
> > table, I can see "User-Request" and "Session-Timeout".
> In the link I
> > mentioned in my previous post uses "User-Reset". This
> is the part I am
> > not sure on what is the appropriate value to use in
> this field.
> 
> Found in http://freeradius.org/rfc/rfc2866.html#Acct-Terminate-Cause.
> My bad, I overlooked this :-)
> 
> Thanks anyway
> 
> 
> 
> -- 
> ==
> Registered Linux User #460714
> Currently Using Fedora 10, CentOS 5.3
> ==
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


  
