Re: Remote access control in freeradius with mysql

2009-11-30 Thread cktan

Dear all,

Problem solved. Using the Auth-Type attribute in the radcheck table solves the 
problem.


Cheers.

cktan wrote:

Dear all,

I have a FreeRADIUS server running with LDAP for authentication and 
authorization, whereas accounting runs on MySQL. It is working well at the 
moment and I'm looking to migrate from LDAP to run fully on MySQL.


The question is, I need to have control over remote access for certain users. 
In LDAP I used to have the "dialupAccess" attribute to control access for a 
user, and I can't find it in MySQL. I came across the radreply table but I'm 
not sure which attribute I should use to authorize a user's access. Looking 
for your kind information in this matter.


Regards



--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Error= Expecting section start brace '{' after "FreeRADIUS Version"

2009-11-30 Thread Yagnesh Dave
Hi Everyone,

I was trying to set up MySQL for logging the accounting records for the users. I 
followed the instructions on http://www.frontios.com/freeradius.html and also on 
http://wiki.freeradius.org/SQL_HOWTO. Then I tried to run the FreeRADIUS server. 
It did not start and gave the error shown below:
###
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/nohup.out
/usr/local/etc/raddb/sites-enabled/nohup.out[1]: Expecting section start brace 
'{' after "FreeRADIUS Version"
Errors reading /usr/local/etc/raddb/radiusd.conf
bash-3.00# 


Please help me to overcome this.

Thanks and Regards,
Yagnesh Dave.

Re: Error= Expecting section start brace '{' after "FreeRADIUS Version"

2009-11-30 Thread Josip Rodin
On Mon, Nov 30, 2009 at 09:20:32AM -, Yagnesh Dave wrote:
> including configuration file /usr/local/etc/raddb/sites-enabled/nohup.out
> /usr/local/etc/raddb/sites-enabled/nohup.out[1]: Expecting section start 
> brace '{' after "FreeRADIUS Version"
> Errors reading /usr/local/etc/raddb/radiusd.conf

You have a "nohup.out" file in the sites-enabled directory. Remove it?



Re: chilli + freeradius + mysql : Password check failed

2009-11-30 Thread David BiTx0

Hi all,

Forgive me for not answering, but on weekends I do not work :)

> t...@kalik.net:
> Is it well written on the login page? Try simpler password
> (something like 12345 - that will work even with CAPS LOCK on). If it still
> fails take it up with chillispot people.

I have tried with 1234:

--- BEGIN ---
 
Mon Nov 30 10:45:56 2009 : Debug: rlm_sql (sql): Released sql socket id: 4
Mon Nov 30 10:45:56 2009 : Info: ++[sql] returns ok
Mon Nov 30 10:45:56 2009 : Info: ++[expiration] returns noop
Mon Nov 30 10:45:56 2009 : Info: ++[logintime] returns noop
Mon Nov 30 10:45:56 2009 : Info: [pap] Found existing Auth-Type, not changing 
it.
Mon Nov 30 10:45:56 2009 : Info: ++[pap] returns noop
Mon Nov 30 10:45:56 2009 : Debug: rlm_sqlcounter: Entering module authorize code
Mon Nov 30 10:45:56 2009 : Debug: sqlcounter_expand:  'SELECT 
SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}''
Mon Nov 30 10:45:56 2009 : Info: [noresetcounter]   expand: SELECT 
SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' -> SELECT 
SUM(AcctSessionTime) FROM radacct WHERE UserName='9799-8798-3665-6561'
Mon Nov 30 10:45:56 2009 : Debug: sqlcounter_expand:  '%{sql:SELECT 
SUM(AcctSessionTime) FROM radacct WHERE UserName='9799-8798-3665-6561'}'
Mon Nov 30 10:45:56 2009 : Info: [noresetcounter] sql_xlat
Mon Nov 30 10:45:56 2009 : Info: [noresetcounter]   expand: %{User-Name} -> 
9799-8798-3665-6561
Mon Nov 30 10:45:56 2009 : Info: [noresetcounter] sql_set_user escaped user --> 
'9799-8798-3665-6561'
Mon Nov 30 10:45:56 2009 : Info: [noresetcounter]   expand: SELECT 
SUM(AcctSessionTime) FROM radacct WHERE UserName='9799-8798-3665-6561' -> 
SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='9799-8798-3665-6561'
Mon Nov 30 10:45:56 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Mon Nov 30 10:45:56 2009 : Info: [noresetcounter] row[0] returned NULL
Mon Nov 30 10:45:56 2009 : Debug: rlm_sql (sql): Released sql socket id: 3
Mon Nov 30 10:45:56 2009 : Info: [noresetcounter]   expand: %{sql:SELECT 
SUM(AcctSessionTime) FROM radacct WHERE UserName='9799-8798-3665-6561'} -> 
Mon Nov 30 10:45:56 2009 : Debug: rlm_sqlcounter: No integer found in string ""
Mon Nov 30 10:45:56 2009 : Info: ++[noresetcounter] returns noop
Mon Nov 30 10:45:56 2009 : Debug: rlm_sqlcounter: Entering module authorize code
Mon Nov 30 10:45:56 2009 : Debug: rlm_sqlcounter: Could not find Check item 
value pair
Mon Nov 30 10:45:56 2009 : Info: ++[dailycounter] returns noop
Mon Nov 30 10:45:56 2009 : Debug: rlm_sqlcounter: Entering module authorize code
Mon Nov 30 10:45:56 2009 : Debug: rlm_sqlcounter: Could not find Check item 
value pair
Mon Nov 30 10:45:56 2009 : Info: ++[monthlycounter] returns noop
Mon Nov 30 10:45:56 2009 : Info: Found Auth-Type = CHAP
Mon Nov 30 10:45:56 2009 : Info: +- entering group CHAP {...}
Mon Nov 30 10:45:56 2009 : Info: [chap] login attempt by "9799-8798-3665-6561" 
with CHAP password
Mon Nov 30 10:45:56 2009 : Info: [chap] Using clear text password "1234" for 
user 9799-8798-3665-6561 authentication.
Mon Nov 30 10:45:56 2009 : Info: [chap] Password check failed
Mon Nov 30 10:45:56 2009 : Info: ++[chap] returns reject
Mon Nov 30 10:45:56 2009 : Info: Failed to authenticate the user.
Mon Nov 30 10:45:56 2009 : Info: Using Post-Auth-Type Reject
Mon Nov 30 10:45:56 2009 : Info: +- entering group REJECT {...}
Mon Nov 30 10:45:56 2009 : Info: [attr_filter.access_reject]expand: 
%{User-Name} -> 9799-8798-3665-6561
Mon Nov 30 10:45:56 2009 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Mon Nov 30 10:45:56 2009 : Info: ++[attr_filter.access_reject] returns updated
Mon Nov 30 10:45:56 2009 : Info: Delaying reject of request 0 for 1 seconds
Mon Nov 30 10:45:56 2009 : Debug: Going to the next request
Mon Nov 30 10:45:56 2009 : Debug: Waking up in 0.9 seconds.
Mon Nov 30 10:45:57 2009 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 0 to 192.168.65.99 port 38212
Mon Nov 30 10:45:57 2009 : Debug: Waking up in 4.9 seconds.
Mon Nov 30 10:46:02 2009 : Info: Cleaning up request 0 ID 0 with timestamp +40
Mon Nov 30 10:46:02 2009 : Debug: Ready to process requests.
 
--- END ---

 
> José Adiel Blandón Rivera canc...@gmail.com:
>
> Are you using a crypted password in the database? You have to use clear
> passwords in the database for a successful login through chillispot and
> freeradius.
>
> Regards
 
I am using clear passwords:
 
mysql> select * from radcheck;
++-+++---+
| id | username| attribute  | op | value |
++-+++---+
|  2 | 9799-8798-3665-6561 | Cleartext-Password | := | 1234  | 
++-+--

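Added example, not code from the post or from FreeRADIUS: what rlm_chap computes when it logs "Using clear text password ... Password check failed", and why CHAP needs a Cleartext-Password in radcheck rather than a hashed one. The radcheck rows, the challenge, the identifier and the `hashed-user` entry are constructed for the example.

```python
import hashlib
import hmac

# CHAP (RFC 1994): response = MD5(Identifier || secret || challenge).
# The server has to recompute this over the plaintext secret, so a
# Crypt-Password or MD5-Password in radcheck cannot be used for CHAP:
# the plaintext cannot be recovered from the stored hash.

# Constructed radcheck table: username -> {attribute: value}
RADCHECK = {
    "9799-8798-3665-6561": {"Cleartext-Password": "1234"},
    "hashed-user": {"Crypt-Password": "$1$placeholder$notausablehash"},  # constructed
}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """16-byte CHAP response the client computes and the server recomputes."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    h = hashlib.md5()
    h.update(bytes([identifier]))
    h.update(secret.encode("utf-8"))
    h.update(challenge)
    return h.digest()


def radius_chap_password(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Value of the CHAP-Password attribute (RFC 2865 section 5.3): the CHAP
    Ident octet followed by the 16-octet response. This is what the NAS
    (chilli here) puts into the Access-Request."""
    return bytes([identifier]) + chap_response(identifier, secret, challenge)


def verify_chap(cleartext_password: str, chap_password: bytes, challenge: bytes) -> bool:
    """The check rlm_chap performs with the user's Cleartext-Password.
    The challenge is the CHAP-Challenge attribute, or the Request
    Authenticator when that attribute is absent (RFC 2865)."""
    if len(chap_password) != 17:
        return False  # malformed: must be Ident + 16-byte digest
    ident = chap_password[0]
    expected = chap_response(ident, cleartext_password, challenge)
    # constant-time compare so the comparison does not leak matching bytes
    return hmac.compare_digest(expected, chap_password[1:])


def authorize_chap(username: str, chap_password: bytes, challenge: bytes,
                   radcheck=RADCHECK) -> str:
    """Outcome of the CHAP section for one request, as a RADIUS code name.
    Without a Cleartext-Password check item CHAP cannot be verified at all,
    which is why hashed passwords in radcheck do not work with chilli + CHAP."""
    items = radcheck.get(username)
    if not items or "Cleartext-Password" not in items:
        return "Access-Reject"
    if verify_chap(items["Cleartext-Password"], chap_password, challenge):
        return "Access-Accept"
    return "Access-Reject"  # "[chap] Password check failed"


if __name__ == "__main__":
    # Constructed request: the NAS challenged with 16 bytes and Ident 7.
    challenge = bytes(range(16))
    good = radius_chap_password(7, "1234", challenge)
    print(authorize_chap("9799-8798-3665-6561", good, challenge))  # Access-Accept
    # The same user typing "1234 " with a trailing space on the login page.
    bad = radius_chap_password(7, "1234 ", challenge)
    print(authorize_chap("9799-8798-3665-6561", bad, challenge))   # Access-Reject
```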
Making certs for Windows users

2009-11-30 Thread Peter Carlstedt

Hello everyone.

I got some questions regarding how to make a certificate that works towards 
windows clients while running Freeradius with PEAP.

 

Well, I have read on the wiki for FreeRADIUS about making a standalone cert for 
Windows clients (root cert), but why do I need that installed on the Windows 
clients when I want to run PEAP? Isn't PEAP meant to work in such a way that you 
shouldn't have to install standalone certs on the users' computers?

 

Anyway... I don't really understand what it is that I need to do to make real 
certificates. I've read the "readme" file in raddb/certs but don't understand 
what it says. I have got ca.cnf and ca.pem etc. since I started the radius 
server the first time, when it said that it made some certs, which I guess are 
test certificates... The readme file only says that I should remove the old 
ones, but when I try to get into the certs folder through the terminal it says I 
do not have permission to go into that folder. I'm using Ubuntu Desktop and I 
don't know a way to get into the folder as root other than typing "sudo cd 
certs", which does not work. :/

 

Can I ignore the part which says that I need to remove the certs created when I 
ran the server the first time, and just make changes in ca.cnf?

 

As a side note, I've never worked with certificates before; I know what they are 
meant to do but more than that I don't know. 

 

Best regards/ Peter Carlstedt

 
  

MPD : mpd-drop-user

2009-11-30 Thread cktan

Dear all,

Has anyone tried the attribute mpd-drop-user in FreeRADIUS with MySQL? 
MPD supports this attribute to check the status of the account while it 
updates the accounting, and if the value of this attribute becomes 
non-zero, it will disconnect the user's session.


We use MPD to set up a PPPoE server with FreeRADIUS providing 
authentication to users, and we have come to need to drop the session if 
the user's account is suspended, but we have had no luck making it work. 
Currently we try to put this attribute in the radreply table and it doesn't 
work for us. Looking for your kind information in this matter.


Thanks in advance.



Re: Error= Expecting section start brace '{' after "FreeRADIUS Version"

2009-11-30 Thread Alan Buxey
Hi,
> Hi Everyone,
> 
> I was trying to set-up mysql for logging the accounting logs for the users. I 
> followed the instruction on http://www.frontios.com/freeradius.html and also 
> on http://wiki.freeradius.org/SQL_HOWTO. The I tried to run the FreeRadius 
> server. It did not start and was giving this error as given below,
> ###
> including configuration file /usr/local/etc/raddb/sites-enabled/default
> including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
> including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
> including configuration file /usr/local/etc/raddb/sites-enabled/nohup.out
> /usr/local/etc/raddb/sites-enabled/nohup.out[1]: Expecting section start 
> brace '{' after "FreeRADIUS Version"
> Errors reading /usr/local/etc/raddb/radiusd.conf
> bash-3.00#
> 

As Josip has said - you have a file called 'nohup.out' in your sites-enabled
directory. This is a special directory that can only contain FreeRADIUS
virtual server files (because it basically loads in sites-enabled/* as 
servers). This file is messing it up. Remove it.

alan
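Added example (my own code, not part of FreeRADIUS): a pre-flight check that flags files in sites-enabled/ whose first significant line could not open a configuration section, which is how a stray nohup.out produces the error in this thread. The start-of-file pattern is my approximation of what the parser expects, and `build_demo_dir` creates a constructed directory with a valid default site, an inner-tunnel site and a nohup.out to try it on.

```python
import os
import re
import tempfile

# radiusd includes every file in sites-enabled/ as a virtual server
# definition. A real one starts, once comments and blank lines are
# skipped, with a section ("server inner-tunnel {", "authorize {"),
# an $INCLUDE, or an item ("name = value"). The first line of a
# radiusd -X log captured by nohup ("FreeRADIUS Version 2.1.x, for host
# ...") is two words with no "{" after them, hence the parser's
# 'Expecting section start brace '{' after "FreeRADIUS Version"'.
_CONFIG_START = re.compile(
    r"^\s*(?:\$INCLUDE\s+\S+"            # $INCLUDE other-file
    r"|[\w.\-]+(?:\s+[\w.\-]+)?\s*\{"    # "authorize {" or "server foo {"
    r"|[\w.\-]+\s*=)"                    # "name = value"
)


def first_significant_line(text: str):
    """First line that is neither blank nor a '#' comment, or None."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            return stripped
    return None


def looks_like_virtual_server(text: str) -> bool:
    """True if the text could be the start of a FreeRADIUS config file."""
    first = first_significant_line(text)
    if first is None:
        return True  # empty or comments only: parses as nothing
    return _CONFIG_START.match(first) is not None


def find_stray_files(sites_enabled: str) -> list:
    """Names of regular files (or symlinks to them) in the directory whose
    content would make 'radiusd' fail at start; sorted for stable output."""
    stray = []
    for name in sorted(os.listdir(sites_enabled)):
        path = os.path.join(sites_enabled, name)
        if not os.path.isfile(path):
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            if not looks_like_virtual_server(fh.read()):
                stray.append(name)
    return stray


def build_demo_dir() -> str:
    """Constructed sites-enabled directory reproducing the thread's mistake."""
    d = tempfile.mkdtemp(prefix="sites-enabled-")
    files = {
        "default": "# default virtual server\n\nauthorize {\n\tpreprocess\n\tsql\n}\n",
        "inner-tunnel": "server inner-tunnel {\n\tauthorize {\n\t\tpap\n\t}\n}\n",
        # constructed first line of a captured debug log, not a real build string
        "nohup.out": "FreeRADIUS Version 2.1.x, for host example-host, built on ...\n",
    }
    for name, content in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    for name in find_stray_files(build_demo_dir()):
        print("not a virtual server file, remove it:", name)
```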


Re: mpd-drop-user

2009-11-30 Thread Charles
Hi cktan,

Was looking for a similar solution and never made it work.

Basically, in my setup I have users buy airtime for using the internet. I also 
sell access to video clips; when a user downloads a video clip, an entry is 
made in the radacct table. What I wanted was for the NAS to re-authenticate 
every minute to check if more entries were added to the radacct table.

My solution was to use m0n0wall as my NAS; it has an option in the captive 
portal where you set it to re-authenticate every minute and to disconnect if 
the user has no more credit left.

I hope this helps.

Charles
  - Original Message - 
  From: cktan 
  To: FreeRadius users mailing list 
  Sent: Monday, November 30, 2009 11:51 AM
  Subject: MPD : mpd-drop-user


  Dear all,

  Has anyone tried the attribute mpd-drop-user in FreeRADIUS with MySQL? MPD 
supports this attribute to check the status of the account while it updates the 
accounting, and if the value of this attribute becomes non-zero, it will 
disconnect the user's session. 

  We use MPD to set up a PPPoE server with FreeRADIUS providing authentication 
to users, and we have come to need to drop the session if the user's account is 
suspended, but we have had no luck making it work. Currently we try to put this 
attribute in the radreply table and it doesn't work for us. Looking for your kind 
information in this matter. 

  Thanks in advance.





Re: Making certs for Windows users

2009-11-30 Thread Alan DeKok
Peter Carlstedt wrote:
> I got some questions regarding how to make a certificate that works
> towards windows clients while running Freeradius with PEAP.

  The howto's are detailed, and should be relatively clear.

> Well I have read on the wiki for Freeradius about making a standalone
> cert for windows clients (root cert) but why do i need that installed on
> the windows clients when i want to run peap?

  Because that's how peap works.

> Isn´t peap meant to work in
> the way that you shouldnt have to install stand alone certs in the users
> computers?

  No.

> Anyway... I dont really understand what it is that i need to do to make
> real certificates, I´ve read the "readme" file in raddb/certs but dont
> understand what it says. I have got ca.cnf anf ca.pem etc since i
> started the radius server the first time where it said that it made some
> certs, which i guess it test certificates... the readme file only says
> that i should remove the old ones but when i try to get into the certs
> folder through the terminal it says i do not have permission to go into
> that folder.. Im using Ubuntu Desktop and I dont know a way to get into
> the folder with the root other than typing "sudo cd certs" which do not
> work. :/

  This is Unix 101.  You need to be "root" to edit the files in that
directory.

> Can I ignore the part which says that I need to remove the certs created
> when i run the server the first time and just do changes in the ca.cnf?

  Sure.  And then it won't work.

  Alan DeKok.


Re: Session-Octets-Limit and sqlcounter

2009-11-30 Thread Charles
Did you manage to fix your problem?
Kindly share your solution. I am interested in knowing how I can configure my 
freeradius to limit users by both time and max download size,

e.g. 1usd for 1 hour or 20MB (whichever comes first).

charles
  - Original Message - 
  From: Hamid Reza Hasani 
  To: freeradius-users@lists.freeradius.org 
  Sent: Sunday, November 29, 2009 5:45 PM
  Subject: Session-Octets-Limit and sqlcounter


  Hi, 

  I'm using freeradius-2.1.6, and I'm going to make a download limitation for 
my users. I used the sqlcounter module and configured it as follows: 

  sqlcounter monthlydownload {
      counter-name = "Monthly-Download-Byte"
      check-name = "Max-Monthly-Download"
      reply-name = "Session-Octets-Limit"
      key = "User-Name"
      sqlmod-inst = "sql"
      query = "SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
      reset = "monthly"
      safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }


  According to the log messages, everything is OK: 


  rlm_sqlcounter: Sent Reply-Item for user hrh, Type=Session-Octets-Limit, 
value=600106145 

  ++[monthlydownload] returns ok 


  But further on it shows what it sent, and there isn't a 
Session-Octets-Limit, as you can see below: 


  Sending Access-Accept of id 222 to 127.0.0.1 port 32769 

  Framed-IP-Address := 20.20.20.1 

  Framed-IP-Netmask := 255.255.255.0 

  Session-Timeout = 5460 

  Finished request 0. 


  Where is my problem? 

  more log is available at the end of message. 

  Thanks for your help. 

  --

  Ya Ali


  Hamid Reza Hasani




  More Log:

  Module: Linked to module rlm_sqlcounter
  Module: Instantiating monthlydownload
  sqlcounter monthlydownload {
      counter-name = "Monthly-Download-Byte"
      check-name = "Max-Monthly-Download"
      reply-name = "Session-Octets-Limit"
      key = "User-Name"
      sqlmod-inst = "sql"
      query = "SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
      reset = "monthly"
      safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
  rlm_sqlcounter: Reply attribute Session-Octets-Limit is number 3009
  rlm_sqlcounter: Counter attribute Monthly-Download-Byte is number 11273
  rlm_sqlcounter: Check attribute Max-Monthly-Download is number 11274
  rlm_sqlcounter: Current Time: 1259506851 [2009-11-29 18:30:51], Next reset 1259613000 [2009-12-01 00:00:00]
  rlm_sqlcounter: Current Time: 1259506851 [2009-11-29 18:30:51], Prev reset 1257021000 [2009-11-01 00:00:00]
  Module: Checking preacct {...} for more modules to load
  .
  .
  .
  rlm_sqlcounter: Entering module authorize code
  sqlcounter_expand: 'SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='%{User-Name}' AND AcctStartTime > FROM_UNIXTIME('1257021000')'
  [monthlydownload] expand: SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='%{User-Name}' AND AcctStartTime > FROM_UNIXTIME('1257021000') -> SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='hrh' AND AcctStartTime > FROM_UNIXTIME('1257021000')
  sqlcounter_expand: '%{sql:SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='hrh' AND AcctStartTime > FROM_UNIXTIME('1257021000')}'
  [monthlydownload] sql_xlat
  [monthlydownload] expand: %{User-Name} -> hrh
  [monthlydownload] sql_set_user escaped user --> 'hrh'
  [monthlydownload] expand: SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='hrh' AND AcctStartTime > FROM_UNIXTIME('1257021000') -> SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='hrh' AND AcctStartTime > FROM_UNIXTIME('1257021000')
  [monthlydownload] expand: /usr/var/log/radius/sqltrace.sql -> /usr/var/log/radius/sqltrace.sql
  rlm_sql (sql): Reserving sql socket id: 3
  rlm_sql_mysql: query: SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='hrh' AND AcctStartTime > FROM_UNIXTIME('1257021000')
  [monthlydownload] sql_xlat finished
  rlm_sql (sql): Released sql socket id: 3
  [monthlydownload] expand: %{sql:SELECT SUM(AcctOutputOctets+AcctInputOctets) FROM radacct WHERE UserName='hrh' AND AcctStartTime > FROM_UNIXTIME('1257021000')} -> 100213
  rlm_sqlcounter: Check item is greater than query result
  rlm_sqlcounter: Authorized user hrh, check_item=6, counter=100213
  rlm_sqlcounter: Sent Reply-Item for user hrh, Type=Session-Octets-Limit, value=600106145
  ++[monthlydownload] returns ok
  .
  .
  .
  Sending Access-Accept of id 222 to 127.0.0.1 port 32769
  Framed-IP-Address := 20.20.20.1
  Framed-IP-Netmask := 255.255.255.0
  Session-Timeout = 5460
  Finished request 0.
  Going to the next request
  Waking up in 4.9 seconds.


Re: Re: Error= Expecting section start brace '{' after "FreeRADIUS Version"

2009-11-30 Thread Yagnesh Dave
Hi,

Thanks for the quick answer. I removed nohup.out and it's not throwing that 
error. But now it is throwing this error. It would be great if you can point 
out the solution.

###
bash-3.00# tail  nohup.out
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
Could not link driver rlm_sql_mysql: ld.so.1: radiusd: fatal: rlm_sql_mysql.so: 
open failed: No such file or directory
Make sure it (and all its dependent libraries!) are in the search path of your 
system's ld.
/usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
/usr/local/etc/raddb/sites-enabled/default[161]: Failed to find module "sql".
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize 
section. 
Errors initializing modules
bash-3.00# 


Thanks and Regards,
Yagnesh Dave.

On Mon, 30 Nov 2009 15:20:18 +0530  wrote
>Hi,
> Hi Everyone,
> 
> I was trying to set-up mysql for logging the accounting logs for the users. I 
> followed the instruction on http://www.frontios.com/freeradius.html and also 
> on http://wiki.freeradius.org/SQL_HOWTO. The I tried to run the FreeRadius 
> server. It did not start and was giving this error as given below,
> ###
> including configuration file /usr/local/etc/raddb/sites-enabled/default
> including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
> including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
> including configuration file /usr/local/etc/raddb/sites-enabled/nohup.out
> /usr/local/etc/raddb/sites-enabled/nohup.out[1]: Expecting section start 
> brace '{' after "FreeRADIUS Version"
> Errors reading /usr/local/etc/raddb/radiusd.conf
> bash-3.00#
> 

As Josip has said - you have a file called 'nohup.out' in your sites-enabled
directory. This is a special directory that can only contain FreeRADIUS
virtual server files (because it basically loads in sites-enabled/* as 
servers). This file is messing it up. Remove it.

alan

Re: Re: Error= Expecting section start brace '{' after "FreeRADIUS Version"

2009-11-30 Thread Alan Buxey
Hi,
> Hi,
> 
> Thanks for the quick answer. I removed nohup.out and its not throwing that 
> error. But now it is throwing this error. It would be great if you can point 
> out the solution.

Did you build FreeRADIUS from source yourself? If so, you built it without
mysql support - maybe because the mysql development libraries/headers weren't 
installed - and now you've asked the server to do mysql stuff.

If you installed from a package manager, you will need to find the mysql support -
some distros split the package into separate parts (for obvious reasons) - you'll
need to find e.g. the freeradius-mysql or radiusd-mysql package. This will then
install the required FR parts (and maybe mysql-client etc. too).

alan


Re: Session-Octets-Limit and sqlcounter

2009-11-30 Thread Alan DeKok
Charles wrote:
> Do you manage to fix your problem?
> Kindly share your solution. I am interested in knowing how I can
> configure my freeradius to limit users by both time and  max download size

  As with *ALL* of these questions:

Does your NAS support this?

  Go read the NAS documentation.

  FreeRADIUS is *not* a firewall.  The NAS is a firewall.  FreeRADIUS
simply tells the NAS which rules to apply.

  Alan DeKok.


Re: Session-Octets-Limit and sqlcounter

2009-11-30 Thread Charles

Thanks Alan for your help.

My NAS is m0n0wall (http://m0n0.ch/wall/features.php) and its captive portal 
features are briefly outlined here: http://doc.m0n0.ch/handbook/ch12s06.html 
.

It mentions bandwidth settings.

In my current setup I use Session-Timeout and it works very well, but I have 
users who download heavily within an hour. So I would like to limit using 
both Session-Timeout and max octets (whichever is reached first).


Kindly help me by checking the features to see if I can use this NAS for 
this purpose. I don't know what they mean by "Bandwidth Settings".


Charles




- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, November 30, 2009 3:04 PM
Subject: Re: Session-Octets-Limit and sqlcounter



Charles wrote:

Do you manage to fix your problem?
Kindly share your solution. I am interested in knowing how I can
configure my freeradius to limit users by both time and  max download 
size


 As with *ALL* of these questions:

Does your NAS support this?

 Go read the NAS documentation.

 FreeRADIUS is *not* a firewall.  The NAS is a firewall.  FreeRADIUS
simply tells the NAS which rules to apply.

 Alan DeKok.


Re: Session-Octets-Limit and sqlcounter

2009-11-30 Thread Alan DeKok
Charles wrote:
> My NAS is m0n0wall (http://m0n0.ch/wall/features.php) and its captive
> portal features are briefly outlined here:
> http://doc.m0n0.ch/handbook/ch12s06.html .
> It mentions bandwidth setings.

  How nice.

> In my current setup, I use session_timeout and it works very well but I
> have users who download heavily within an hour. So I would like to limit
> using both Session_Timeout and max octes (which ever is reached first).

  You already said that.

> Kindly help me by checking the features to see if I can use this NAS for
> this purpose.

  Why?

> I dont know what they mean by "Bandwidth Settings"

  So... ask the Monowall people.  We didn't write Monowall, and we
didn't write its documentation.  If you don't understand it, ask them
for help.

  Alan DeKok.


RE: Re: Making certs for Windows users

2009-11-30 Thread Peter Carlstedt

> Message: 1
> Date: Mon, 30 Nov 2009 09:43:07 +
> From: Peter Carlstedt 
> Subject: Making certs for Windows users
> To: 
> Message-ID: 
> Content-Type: text/plain; charset="iso-8859-1"
> 
> 
> Hello everyone.
> 
> I got some questions regarding how to make a certificate that works towards 
> windows clients while running Freeradius with PEAP.
> 
> 
> 
> Well I have read on the wiki for Freeradius about making a standalone cert 
> for windows clients (root cert) but why do i need that installed on the 
> windows clients when i want to run peap? Isn't peap meant to work in the way 
> that you shouldnt have to install stand alone certs in the users computers?
> 
> 
> 
> Anyway... I dont really understand what it is that i need to do to make real 
> certificates, I've read the "readme" file in raddb/certs but dont understand 
> what it says. I have got ca.cnf and ca.pem etc since i started the radius 
> server the first time where it said that it made some certs, which i guess it 
> test certificates... the readme file only says that i should remove the old 
> ones but when i try to get into the certs folder through the terminal it says 
> i do not have permission to go into that folder.. Im using Ubuntu Desktop and 
> I dont know a way to get into the folder with the root other than typing 
> "sudo cd certs" which do not work. :/
> 
> 
> 
> Can I ignore the part which says that I need to remove the certs created when 
> i run the server the first time and just do changes in the ca.cnf?
> 
> 
> 
> As a sidenote, I've never worked with certificates before, I know what they 
> are meant to do but more than that i dont know. 
> 
> 
> 
> Best regards/ Peter Carlstedt
> 
> 
> 
> --
> Message: 5
> Date: Mon, 30 Nov 2009 11:15:09 +0100
> From: Alan DeKok 
> Subject: Re: Making certs for Windows users
> To: FreeRadius users mailing list
> 
> Message-ID: <4b139b2d.8000...@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Peter Carlstedt wrote:
> > I got some questions regarding how to make a certificate that works
> > towards windows clients while running Freeradius with PEAP.
> 
> The howto's are detailed, and should be relatively clear.
> 
> > Well I have read on the wiki for Freeradius about making a standalone
> > cert for windows clients (root cert) but why do i need that installed on
> > the windows clients when i want to run peap?
> 
> Because that's how peap works.
> 
> > Isn't peap meant to work in
> > the way that you shouldnt have to install stand alone certs in the users
> > computers?
> 
> No.
> 
> > Anyway... I dont really understand what it is that i need to do to make
> > real certificates, I've read the "readme" file in raddb/certs but dont
> > understand what it says. I have got ca.cnf and ca.pem etc since i
> > started the radius server the first time where it said that it made some
> > certs, which i guess it test certificates... the readme file only says
> > that i should remove the old ones but when i try to get into the certs
> > folder through the terminal it says i do not have permission to go into
> > that folder.. Im using Ubuntu Desktop and I dont know a way to get into
> > the folder with the root other than typing "sudo cd certs" which do not
> > work. :/
> 
> This is Unix 101. You need to be "root" to edit the files in that
> directory.

Yes I understand that I need root permissions to edit files in that directory, 
BUT is there any way to get those permissions without having to log in with the 
root account? There are reasons why you should use "sudo" in the terminal as 
a normal user instead of logging in as the root user. So what I mean is: is 
there some kind of command which gives me the same permissions as the root 
user in the terminal? I was thinking about that since you can use the command 
"gksudo nautilus" to browse through directories which have root permissions only. 
Is there any command which can give me the same permissions in the terminal?
> 
> > Can I ignore the part which says that I need to remove the certs created
> > when i run the server the first time and just do changes in the ca.cnf?
> 
> Sure. And then it won't work.
> 
> Alan DeKok.
> 
> 

So the only difference between the test cert and a real one is what is 
written in the ca.cnf?

I don't need to add or remove anything or make an extra file or something like 
that?

Sorry for all (maybe stupid) questions but I'm new to the thing of creating 
certs.
Best regards/ Peter Carlstedt
  
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Session-Octets-Limit and sqlcounter

2009-11-30 Thread Charles

Thanks Alan,

I think you are right, I will ask in the monowall forum.
Just that the forum is not very active on Captive Portal issues.

Could you be kind to suggest a NAS that you know which can help me achieve 
my goal?


Thanks in advance - I know I am asking too much.

Charles

- Original Message - 
From: "Alan DeKok" 

To: "FreeRadius users mailing list" 
Sent: Monday, November 30, 2009 4:08 PM
Subject: Re: Session-Octets-Limit and sqlcounter



Charles wrote:

My NAS is m0n0wall (http://m0n0.ch/wall/features.php) and its captive
portal features are briefly outlined here:
http://doc.m0n0.ch/handbook/ch12s06.html .
It mentions bandwidth settings.


 How nice.


In my current setup, I use session_timeout and it works very well but I
have users who download heavily within an hour. So I would like to limit
using both Session_Timeout and max octets (whichever is reached first).


 You already said that.


Kindly help me by checking the features to see if I can use this NAS for
this purpose.


 Why?


I dont know what they mean by "Bandwidth Settings"


 So... ask the Monowall people.  We didn't write Monowall, and we
didn't write its documentation.  If you don't understand it, ask them
for help.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Making certs for Windows users

2009-11-30 Thread John Dennis

On 11/30/2009 10:02 AM, Peter Carlstedt wrote:

 > This is Unix 101. You need to be "root" to edit the files in that
 > directory.
Yes I understand that I need root permissions to edit files in that
directory, BUT is there any way to get those permissions without having to
log in with the root account? There are reasons why you should use
"sudo" in the terminal as a normal user instead of logging in as the root
user. So what I mean is: is there some kind of command which gives me
the same permissions as the root user in the terminal? I was thinking
about that since you can use the command "gksudo nautilus" to browse
through directories which have root permissions only. Is there any command
which can give me the same permissions in the terminal?


In a terminal you can become root via "su". Or you can run individual 
commands with root privileges with "sudo" but you must be in the 
/etc/sudoers file which you must edit with sudoedit.


Now that you've got that question answered please do not ask any more 
basic Unix questions on this list. This list is for the discussion of 
FreeRADIUS use and configuration, it is not the appropriate forum to 
learn Unix and Linux skills, there are other more appropriate places for 
those questions.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-30 Thread freeradius

At 11:13 PM 11/29/2009, freerad...@corwyn.net wrote:

A resummary:
Goal: Authenticate and Authorize users that telnet into the switches 
in Groups A and/or B based on their inclusion in a specific AD 
security group for A & B.


Environment:
CentOS 5.2  (IP 10.10.0.1)

freeradius2-2.1.7-2.el5
freeradius2-utils-2.1.7-2.el5
freeradius2-libs-2.1.7-2.el5
freeradius2-ldap-2.1.7-2.el5

Cisco switch running IOS 12.4 in subnet A (10.100.0.0/24)
Cisco switch running IOS 12.4 in subnet B (10.101.0.0/24)

windows Active Directory (example.com) with Security Groups A & B

Add to modules{} in radiusd.conf:
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}"
}

Copy:
./raddb/sites-available/default to ./raddb/sites-available/server_A 
and link it to ./raddb/sites-enabled/server_A
./raddb/sites-available/default to ./raddb/sites-available/server_B 
and link it to ./raddb/sites-enabled/server_B


and then surround the contents of those files with
server server_A {..}
and
server server_B {..}
respectively

Add to the authenticate{} section of ./server_A and ./server_B :

ntlm_auth

Edit ./modules/ldap to:
ldap {
server = "example.com"
identity = "CN=user,OU=Enterprise,DC=example,DC=com"
password = xxx
basedn = "OU=Enterprise,DC=example,DC=com"
filter = (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"

groupmembership_attribute = "memberOf"

groupname_attribute = cn
groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"

groupmembership_attribute = "memberOf"


...
}


Add to top of ./raddb/users:

DEFAULT Ldap-Group == "UserGroup",Service-Type = 
NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15"

DEFAULT Auth-Type = ntlm_auth


Add to ./raddb/clients.conf:
clients disambiguate {
client localhost {
#  Allowed values are:
#   dotted quad (1.2.3.4)
#   hostname(radius.example.com)
ipaddr = 127.0.0.1
}

client Cisco_A {
ipaddr = 10.101.0.0
netmask = 24
secret = testing123
virtual_server = server_A
}
client Cisco_B {
ipaddr = 10.100.0.0
netmask = 24
secret = testing123
virtual_server = server_B
}
}


Add to the listen{} section of radiusd.conf:
clients = disambiguate


On the cisco switches A & B:

aaa new-model
aaa group server radius RAD
 server 10.10.0.1 auth-port 1812 acct-port 1813
!
aaa authentication login default group radius line
aaa authentication enable default group radius enable
aaa authorization exec default group radius none
radius-server host 10.10.0.1 auth-port 1812 acct-port 1813 timeout 3
radius-server retransmit 2
radius-server key 7 encrypted-secret



that configuration still fails to authorize, even though the output of 
radiusd -X looks like it's working (sanitized)




rad_recv: Access-Request packet from host 10.100.0.8 port 1812, 
id=80, length=79

NAS-IP-Address = 10.100.0.8
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "testuser"
Calling-Station-Id = "10.100.0.5"
User-Password = "password"
server server_cisco {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files] expand: OU=Enterprise,DC=example,DC=com -> 
OU=Enterprise,DC=example,DC=com
[files] WARNING: Deprecated conditional expansion ":-".  See "man 
unlang" for details
[files] expand: 
(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) 
-> (&(sAMAccountname=testuser)(objectClass=person))

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to example.com:389, authentication 0
rlm_ldap: bind as 
CN=_radiususer,OU=Enterprise,DC=example,DC=com/wx to example.com:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with 
filter (&(sAMAccountname=testuser)(objectClass=person))

rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> 
(|(&(objectClass=GroupOfNames)(member=CN\3dRick\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRickOU\3dUsers\2cOU\3dEnterprise\DC\3dexample\2cDC\3dcom)))

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with 
filter 
(&(cn=Infrastructure)(|(&(obje

RE: TS - custom script for access

2009-11-30 Thread d . tom . schmitt
You refer to the scripts/exec-program-wait and I read what I could.
It is still vague to me.
Is there a simple example HOW-TO, etc. showing a simple script (bash
shell) that is executed by an entry in a flatfile in radius?
I don't need a database for the entries as I build them upon
request in the flatfile.
This works for a standard radius request with radtest.

I found that it must be a 'C' program not a shell script in the
comments.

I am still unclear if I create a script called 'doit.sh':
1.  Do I have to place the script in a certain location?
2.  What permissions are required for the script to execute?
3.  What do I place in the radiusd.conf file to have the script
available and to run it?
4.  What would an entry for a user look like to have just that
user be sent to the 'doit.sh' script?
5.  Is there a location 'default' that would make all users have
to run the code for access?

I am new at freeRADIUS and currently am very confused.

The only thing that needs to come from a radius request is their login -
the rest of the credentials will come from a MySql database entry.
Password is not even required for a user at this point.
I'm sure once this clicks with me, it will go smoothly!

 Thanks,
 
 Tom Schmitt
 Senior IT Staff - R&D
 Phone (801) 594-3030
 d.tom.schm...@l-3com.com

-Original Message-
From: freeradius-users-bounces+d.tom.schmitt=l-3com@lists.freeradius.org [mailto:freeradius-users-bounces+d.tom.schmitt=l-3com@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, November 24, 2009 6:30 AM
To: FreeRadius users mailing list
Subject: Re: custom script for access

d.tom.schm...@l-3com.com wrote:
> Just getting back to this project.
> 
> I want the request to come from a standard radius request from another
server (or the same server).
> I was to do some external checks with a bash shell script and then
have the script allow or deny access to the user.
> 
> I am using the flatfile for user entries.
> I currently have external scripts that write entries to the flatfile
for authentication.
> I can create a regular entry and have radtest verify that the entry is
fine.
> 
> I cannot figure what would have to be in that authentication entry to
tell radius to execute the script.

  See scripts/exec-program-wait

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: TS - custom script for access

2009-11-30 Thread Alan DeKok
d.tom.schm...@l-3com.com wrote:
> You refer to the scripts/exec-program-wait and I read what I could.
> It is still vague to me.
> Is there a simple example HOW-TO, etc. showing a simple script (bash
> shell) 

  Umm... that file *is* a simple shell script.  It contains comments
describing how to edit the server configuration in order to run the script.

> That is executed by an entry in a flatfile in radius?

  Yes... the configuration files are "flat files".

  See also "man unlang".  It describes how to run programs directly from
the configuration files.

> I found that it must be a 'C' program not a shell script in the
> comments.

  Uh... no.  The comments do not say that.

> I am still unclear if I create a script called 'doit.sh':
>   1.  Do I have to place the script in a certain location?

  It has to be executable by the radius server.  Use Unix "pathnames" to
point to it.

>   2.  What permissions are required for the script to execute?

  Unix execute permissions?

>   3.  What do I place in the radiusd.conf file to have the script
> available and to run it?

  The comments in the sample script try to explain that.

>   4.  What would an entry for a user look like to have just that
> user be sent to the 'doit.sh' script?

  See "man unlang".  You will need to create a policy stating this.
There are "if" statements, and conditional checks you can do.  This is
programming, but not very complicated programming.

>   5.  Is there a location 'default' that would make all users have
> to run the code for access?

  Yes.  Just follow the comments in the example script.  Or, make the
"if" condition true for all users.

> I am new at freeRADIUS and currently am very confused.

  Many of your questions are "unix 101" questions.  I suggest a larger
familiarity with Unix systems (paths, permissions, etc.)

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-30 Thread Alan DeKok
freerad...@corwyn.net wrote:
...
> Add to top of ./raddb/users:
> 
> DEFAULT Ldap-Group == "UserGroup",Service-Type =
> NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15"

  Are you sure that is correct?

> If I remove authorization from the Cisco config with:
> no aaa authorization exec default group radius none
> 
> and then I can log in.
> 
> At the top of ./users:
> rsteeves   Cleartext-Password := "xxx"
>Service-Type = NAS-Prompt-User,
>cisco-avpair = "shell:priv-lvl=15"

  Why does that entry look so different from the previous one?

  See "man users" for documentation on the format, and how it works.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


separating Users?

2009-11-30 Thread freeradius




There's a piece of RADIUS that I'm not understanding.

If I have an entry in my ./users file
DEFAULT Auth-Type:=Accept,Ldap-Group == "Group1"
Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15"

And another entry
DEFAULT Auth-Type:=Accept,Ldap-Group == "Group2"
Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15"

where I'm trying to authorize users in Group1 for one set of 
switches, and users in Group2 for another set of switches, how does 
freeradius know which is which?


Rick




Rick Steeves
http://www.sinister.net

In reality nothing is more damaging to the adventurous spirit within 
a man than a secure future -  Alexander Supertramp


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-30 Thread freeradius

At 11:21 AM 11/30/2009, freerad...@corwyn.net wrote:

Add to top of ./raddb/users:

DEFAULT Ldap-Group == "UserGroup",Service-Type = 
NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15"

DEFAULT Auth-Type = ntlm_auth



Hmm, it looks like
DEFAULT Ldap-Group == "UserGroup",Service-Type = 
NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15"

is not the same as
DEFAULT Ldap-Group == "UserGroup"
Service-Type = NAS-Prompt-User,cisco-avpair = 
"shell:priv-lvl=15"


After some tinkering:
DEFAULT Auth-Type:=Accept,Ldap-Group == "Infrastructure"
Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15"

appears to work with the rest of the config, and users in the 
Infrastructure group can log in, and other users cannot!


However, this means that if you're in ./users you authorize 
(regardless of where I think you're going). Is there a way to 
associate the users data only with a particular virtual server config?


Rick




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: separating Users?

2009-11-30 Thread Tim Sylvester
Read the comments in the huntgroups file in the raddb directory. This will
show you how to set up a huntgroup which can be used to authorize users based
on the switch (NAS) sending the authentication request.

Tim

> -Original Message-
> From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf Of freerad...@corwyn.net
> Sent: Monday, November 30, 2009 11:54 AM
> To: FreeRadius users mailing list
> Subject: separating Users?
> 
> 
> 
> 
> There's a piece of RADIUS that I'm not understanding.
> 
> If I have an entry in my ./users file
> DEFAULT Auth-Type:=Accept,Ldap-Group == "Group1"
>  Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-
> lvl=15"
> 
> And another entry
> DEFAULT Auth-Type:=Accept,Ldap-Group == "Group2"
>  Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-
> lvl=15"
> 
> where I'm trying to authorize users in Group1 for one set of
> switches, and users in Group2 for another set of switches, how does
> freeradius know which is which?
> 
> Rick
> 
> 
> 
> 
> Rick Steeves
> http://www.sinister.net
> 
> In reality nothing is more damaging to the adventurous spirit within
> a man than a secure future -  Alexander Supertramp
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: separating Users?

2009-11-30 Thread John Dennis

On 11/30/2009 02:54 PM, freerad...@corwyn.net wrote:




There's a piece of RADIUS that I'm not understanding.

If I have an entry in my ./users file
DEFAULT Auth-Type:=Accept,Ldap-Group == "Group1"
Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15"

And another entry
DEFAULT Auth-Type:=Accept,Ldap-Group == "Group2"
Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15"

where I'm trying to authorize users in Group1 for one set of switches,
and users in Group2 for another set of switches, how does freeradius
know which is which?


I assume you're asking how does FreeRADIUS know which switch the request 
is associated with, correct? Typically this is done with huntgroups 
which adds a huntgroup name to the request based on the IP address of 
the NAS. You then perform different operations based on the huntgroup 
name. See the huntgroups file for more documentation or the wiki howto 
for how to implement huntgroups in SQL.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: separating Users?

2009-11-30 Thread David Mitchell
freerad...@corwyn.net wrote:
> 
> 
> 
> There's a piece of RADIUS that I'm not understanding.
> 
> If I have an entry in my ./users file
> DEFAULT Auth-Type:=Accept,Ldap-Group == "Group1"
>
> Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15"
> 
> And another entry
> DEFAULT Auth-Type:=Accept,Ldap-Group == "Group2"
>
> Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15"
> 
> where I'm trying to authorize users in Group1 for one set of switches,
> and users in Group2 for another set of switches, how does freeradius
> know which is which?

You want something like this in huntgroups. It will assign the huntgroup
based on the value of NAS-IP-Address.
cisco   NAS-IP-Address == 10.0.0.1
cisco   NAS-IP-Address == 10.0.0.2


And then in your users file:
DEFAULT Ldap-Group == cisco-admin, Huntgroup-Name == cisco
Service-Type := Administrative-User,
Reply-Message := "Authorized Users Only"
DEFAULT Ldap-Group == cisco-user, Huntgroup-Name == cisco
Service-Type := NAS-Prompt-User,
Reply-Message := "Authorized Users Only"

This gives the different classes of users different levels of access to
the same devices. It should be clear though how to make it do what you want.

I see several potential problems in your config.

1) Don't specify the Auth-Type. You still want to check the password I
assume. I think your config will let in any user who is in group
"Group1" irrespective of the supplied password.

2) You don't specify the requirement to match a huntgroup name. All of
the match clauses should be provided comma separated after DEFAULT.

3) You probably don't want the '=' operator, as it will not replace an
existing entry in the reply. The ':=' will replace an existing entry.
This probably isn't a problem in your case, but I would do it anyway.

4) I never had much luck with that priv-lvl=15 AV pair. I have both
CatOS and IOS devices respecting the Service-Type AV though.

-David Mitchell

> 
> Rick
> 
> 
> 
> 
> Rick Steeves
> http://www.sinister.net
> 
> In reality nothing is more damaging to the adventurous spirit within a
> man than a secure future -  Alexander Supertramp
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Session-Octets-Limit and sqlcounter

2009-11-30 Thread YvesDM
On Mon, Nov 30, 2009 at 4:44 PM, Charles  wrote:
> Thanks Alan,
>
> I think you are right, I will ask in the monowall forum.
> Just that the forum is not very active on Captive Portal issues.
>
> Could you be kind to suggest a NAS that you know which can help me achieve
> my goal?
>
> Thanks in advance - I know I am asking too much.
>
> Charles
>


Charles,

m0n0wall has an option in the CP settings to re-authenticate every
minute. It makes your life real easy in setting up radius.
Just set a check item in radcheck containing your datacap and set sqlcounter
appropriately.
But as suggested, the m0n0wall list will definitely help you out.

kind regards
Y.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: chilli + freeradius + mysql : Password check failed

2009-11-30 Thread José Adiel Blandón Rivera
When I implemented the Hotspot i used 'User-Password' as password 
attribute and it works for me, maybe this can help you.


Regards.

David BiTx0 wrote:

   Hi all,

  Forgive me for not answering but weekends I do not work.

>José Adiel Blandón Rivera canc...@gmail.com 

> 

>are you using Crypted password in the database? you have to use clear 
passwords in the database to successful login through chillispot and 
freeradius.


> 


>Regards

 


I am using Clear passwords :

 


mysql> select * from radcheck;
+----+---------------------+--------------------+----+-------+
| id | username            | attribute          | op | value |
+----+---------------------+--------------------+----+-------+
|  2 | 9799-8798-3665-6561 | Cleartext-Password | := | 1234  |
+----+---------------------+--------------------+----+-------+
1 row in set (0.00 sec)

Regards!!







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: separating Users?

2009-11-30 Thread freeradius

At 03:27 PM 11/30/2009, David Mitchell wrote:

1) Don't specify the Auth-Type. You still want to check the password I
assume. I think your config will let in any user who is in group
"Group1" irrespective of the supplied password.


Sigh. Here I was all excited that I had everything working, and was 
merrily working on my docs and making them into a HOWTO. And you're 
right on target. Correct user ID any password permits access.


So here's my users file once I take that out:
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == "Infrastructure"
Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15"
DEFAULT Auth-Type = ntlm_auth

And now it doesn't work.
"Authentication failed".

If I switch the order I get:
"Authorization failed"  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: separating Users?

2009-11-30 Thread John Dennis

On 11/30/2009 05:07 PM, freerad...@corwyn.net wrote:

At 03:27 PM 11/30/2009, David Mitchell wrote:

1) Don't specify the Auth-Type. You still want to check the password I
assume. I think your config will let in any user who is in group
"Group1" irrespective of the supplied password.


Sigh. Here I was all excited that I had everything working, and was
merrily working on my docs and making them into a HOWTO. And you're
right on target. Correct user ID any password permits access.

So here's my users file once I take that out:
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == "Infrastructure"
Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15"
DEFAULT Auth-Type = ntlm_auth

And now it doesn't work.
"Authentication failed".

If I switch the order I get:
"Authorization failed"


You need to set fall-through so that you still do per user processing. 
This is documented in the raddb/users file and you should also read 
doc/processing_users_file


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: separating Users?

2009-11-30 Thread tnt
> On 11/30/2009 05:07 PM, freerad...@corwyn.net wrote:
>> At 03:27 PM 11/30/2009, David Mitchell wrote:
>>> 1) Don't specify the Auth-Type. You still want to check the password I
>>> assume. I think your config will let in any user who is in group
>>> "Group1" irrespective of the supplied password.
>>
>> Sigh. Here I was all excited that I had everything working, and was
>> merrily working on my docs and making them into a HOWTO. And you're
>> right on target. Correct user ID any password permits access.
>>
>> So here's my users file once I take that out:
>> DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group ==
>> "Infrastructure"
>> Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15"
>> DEFAULT Auth-Type = ntlm_auth
>>
>> And now it doesn't work.
>> "Authentication failed".
>>
>> If I switch the order I get:
>> "Authorization failed"
>
> You need to set fall-through so that you still do per user processing.
> This is documented in the raddb/users file and you should also read
> doc/processing_users_file

Or just add Auth-Type := ntlm_auth to the first line (i.e. instead of
Accept). Fall-Through is more elegant since you don't have to add
Auth-Type to every DEFAULT entry.

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
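The users-file behaviour this thread turns on (David Mitchell's huntgroup entries, the Auth-Type := Accept problem, and the Fall-Through fix John Dennis and Ivan Kalik point to), as an added Python model that is not FreeRADIUS code: it imitates how DEFAULT entries are walked and how the resulting Auth-Type decides whether a password is ever examined. The huntgroup table, group membership, password table, NAS addresses and user names are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the huntgroups file, the LDAP/AD group lookup and
# the ntlm_auth password check. Addresses, names and passwords are hypothetical.
HUNTGROUPS = {"10.100.0.8": "Cisco_Huntgroup", "10.101.0.8": "Cisco_Huntgroup"}
LDAP_GROUPS = {"rsteeves": {"Infrastructure"}, "guest": {"Staff"}}
AD_PASSWORDS = {"rsteeves": "correct-horse", "guest": "battery"}


@dataclass
class Entry:
    """One users-file entry: first line (name + check items) and the indented
    reply items. Items are (attribute, operator, value) tuples."""
    name: str
    check: list = field(default_factory=list)
    reply: list = field(default_factory=list)


def check_item_matches(attr, op, value, request, control):
    """Evaluate one check item. ':=' or '=' on a control attribute such as
    Auth-Type sets it and always matches; '==' must equal the request value."""
    if op in (":=", "="):
        if op == ":=" or attr not in control:      # '=' sets only if absent
            control[attr] = value
        return True
    if attr == "Huntgroup-Name":
        actual = HUNTGROUPS.get(request.get("NAS-IP-Address"))
    elif attr == "Ldap-Group":
        member = value in LDAP_GROUPS.get(request["User-Name"], set())
        actual = value if member else None
    else:
        actual = request.get(attr)
    return actual == value


def process_users(entries, request):
    """Walk the users file top to bottom. Processing stops after the first
    matching entry unless it carries Fall-Through = Yes. Returns (control, reply)."""
    control, reply = {}, {}
    for entry in entries:
        if entry.name not in ("DEFAULT", request["User-Name"]):
            continue
        trial = dict(control)   # keep control changes only if every check item matches
        if not all(check_item_matches(a, op, v, request, trial) for a, op, v in entry.check):
            continue
        control = trial
        fall_through = False
        for attr, op, value in entry.reply:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == ":=" or attr not in reply:   # '=' adds only if not already present
                reply[attr] = value
        if not fall_through:
            break
    return control, reply


def authenticate(control, request):
    """Model of the authenticate section: Auth-Type decides what examines
    the password, if anything does."""
    auth_type = control.get("Auth-Type")
    if auth_type == "Accept":
        return True                                  # password never looked at
    if auth_type == "ntlm_auth":
        return AD_PASSWORDS.get(request["User-Name"]) == request["User-Password"]
    return False                                     # no Auth-Type found: reject


def access_request(entries, user, password, nas="10.100.0.8"):
    """One Access-Request through the users file and the authenticate step."""
    request = {"User-Name": user, "User-Password": password, "NAS-IP-Address": nas}
    control, reply = process_users(entries, request)
    code = "Access-Accept" if authenticate(control, request) else "Access-Reject"
    return code, reply


GATE = [("Huntgroup-Name", "==", "Cisco_Huntgroup"), ("Ldap-Group", "==", "Infrastructure")]
REPLY = [("Service-Type", ":=", "NAS-Prompt-User"), ("cisco-avpair", ":=", "shell:priv-lvl=15")]

# 1. The entry from the thread: Auth-Type := Accept. Any password is accepted.
ACCEPT_ANYTHING = [Entry("DEFAULT", [("Auth-Type", ":=", "Accept")] + GATE, REPLY)]

# 2. Two DEFAULT entries without Fall-Through: the second is never reached, so no
#    Auth-Type is set and the request is rejected ("Authentication failed").
#    Swapping the order sets Auth-Type but drops the reply items, so the switch
#    sees no Service-Type ("Authorization failed").
NO_FALL_THROUGH = [Entry("DEFAULT", GATE, REPLY),
                   Entry("DEFAULT", [("Auth-Type", "=", "ntlm_auth")])]

# 3. Fall-Through = Yes on the first entry: ntlm_auth checks the password and
#    Infrastructure members coming from the Cisco huntgroup get the reply items.
WITH_FALL_THROUGH = [Entry("DEFAULT", GATE, REPLY + [("Fall-Through", "=", "Yes")]),
                     Entry("DEFAULT", [("Auth-Type", "=", "ntlm_auth")])]
```

Note that with the corrected file a user outside the group or a request from an unlisted NAS still authenticates; it just receives no Service-Type, so the switch's own authorization step is what denies it.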


Re: MPD : mpd-drop-user

2009-11-30 Thread tnt
> Has anyone tried this attribute /*mpd-drop-user*/ in freeradius with Mysql?
> MPD supports this attribute to check the status of an account while it
> updates the accounting, and if the value of this attribute becomes
> non-zero, it will disconnect the session for the user.
>
> We use MPD to set up a PPPoE server with freeradius to provide
> authentication to users, and we need to drop the session if
> the user's account is suspended, but we have had no luck making it work.
> Currently we try to put this attribute in the radreply table and it doesn't
> work for us. Looking for your kind information in this matter.

Read what you wrote in the first paragraph. The attribute works when sent in
the accounting reply to an update packet. The radreply table is used for
authentication, not accounting. You will have to figure out a way of adding
this to the accounting reply using unlang or perl (if conditions are more
complicated).

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Re: Making certs for Windows users

2009-11-30 Thread tnt
> So the only differences between the test cert and a real one is only what
> is written in the ca.cnf?

Why do you think that "test" certificates aren't "real"? They also work.
How else would you test things with them?

> I dont need to add or remove anything or make an extra file or something
> like that?

No, all you have to do is follow instructions in certs/README.

> Sorry for all (maybe stupid) questions but Im new to the thing of creating
> certs.

Then just follow simple and precise instructions given to you. You don't
have to invent or design anything, just follow instructions. If you can do
that - everything will be fine. If you can't, because you have an
overwhelming urge to muck about, things will be complicated.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: chilli + freeradius + mysql : Password check failed

2009-11-30 Thread tnt
>> t...@kalik.net> Is it well written on the login page? Try simpler password
>> (something like 12345 - that will work even with CAPS LOCK on). If it
>> still fails take it up with chillispot people.
>
> I have tried with 1234 :
>
...
> Mon Nov 30 10:45:56 2009 : Info: Found Auth-Type = CHAP
> Mon Nov 30 10:45:56 2009 : Info: +- entering group CHAP {...}
> Mon Nov 30 10:45:56 2009 : Info: [chap] login attempt by
> "9799-8798-3665-6561" with CHAP password
> Mon Nov 30 10:45:56 2009 : Info: [chap] Using clear text password "1234"
> for user 9799-8798-3665-6561 authentication.
> Mon Nov 30 10:45:56 2009 : Info: [chap] Password check failed
> Mon Nov 30 10:45:56 2009 : Info: ++[chap] returns reject
...
>
> I am using Clear passwords :
>
> mysql> select * from radcheck;
> +----+---------------------+--------------------+----+-------+
> | id | username            | attribute          | op | value |
> +----+---------------------+--------------------+----+-------+
> |  2 | 9799-8798-3665-6561 | Cleartext-Password | := | 1234  |
> +----+---------------------+--------------------+----+-------+
> 1 row in set (0.00 sec)
>

Authentication failed because password used on chilli end wasn't 1234.
Take it up with them and see if something was misconfigured on the
hotspot.

But something is not quite right on this debug. If this is your radcheck
table, where did the noresetcounter attribute come from? radgroupcheck?

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
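Ivan's diagnosis above (the password hashed on the chilli side was not 1234) can be checked from the other direction. The following Python is an added example, not code from the thread or from FreeRADIUS: it recomputes the CHAP response the way rlm_chap does and, when the check fails, tests whether a common login-page mangling of the stored password would have matched. The challenge, CHAP ID and password variants are constructed for the example.

```python
"""CHAP check as rlm_chap performs it (added example; constructed values)."""
import hashlib
import hmac
from typing import Optional

# Constructed values for the example: a fixed 16-byte CHAP-Challenge and the
# CHAP ID the NAS picked for this round.  In RADIUS the challenge travels in
# the CHAP-Challenge attribute; when that attribute is absent the Request
# Authenticator is used as the challenge instead.
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
CHAP_ID = 7


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def nas_chap_password(typed_password: bytes, chap_id: int = CHAP_ID,
                      challenge: bytes = CHALLENGE) -> bytes:
    """What the hotspot puts in the CHAP-Password attribute: one byte of CHAP
    ID followed by the 16-byte MD5 response, computed from whatever the user
    actually typed on the login page."""
    return bytes([chap_id]) + chap_response(chap_id, typed_password, challenge)


def check_chap(known_good_password: bytes, chap_password: bytes,
               challenge: bytes = CHALLENGE) -> bool:
    """Server side: recompute the response from the Cleartext-Password found
    in radcheck and compare it with what the NAS sent.  This comparison is
    what produces "[chap] Password check failed" in the debug output."""
    if len(chap_password) != 17:
        return False
    chap_id = chap_password[0]
    expected = chap_response(chap_id, known_good_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def diagnose(stored: bytes, chap_password: bytes) -> Optional[str]:
    """Operator aid for a failed check: see whether a common mangling of the
    stored password (whitespace or line endings picked up from the login
    form, swapped case) would have produced the response the NAS sent.
    Returns the matching variant's label, or None if none of them match."""
    variants = {
        "trailing space": stored + b" ",
        "leading space": b" " + stored,
        "CRLF appended": stored + b"\r\n",
        "LF appended": stored + b"\n",
        "case swapped": stored.swapcase(),
    }
    for label, candidate in variants.items():
        if candidate != stored and check_chap(candidate, chap_password):
            return label
    return None


if __name__ == "__main__":
    stored = b"1234"
    print(check_chap(stored, nas_chap_password(b"1234")))        # True
    print(check_chap(stored, nas_chap_password(b"1234\r\n")))    # False
    print(diagnose(stored, nas_chap_password(b"1234\r\n")))      # CRLF appended
```

Because CHAP only ever carries a hash, the server cannot see what was typed; it can only tell that the recomputed response differs. That is why the fix has to come from the NAS side, as Ivan says, and why the diagnose() step (checking a few mangled variants of the stored secret) is often the quickest way to find out that the login page appended a newline or a space.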


Re: Session-Octets-Limit and sqlcounter

2009-11-30 Thread tnt
> I think you are right, I will ask in the monowall forum.
> Just that the forum is not very active on Captive Portal issues.
>
> Could you be kind to suggest a NAS that you know which can help me achieve
> my goal?
>
> Thanks in advance - I know I am asking too much.

Yes you do. Now go and read monowall changelog and all will be answered.

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: separating Users?

2009-11-30 Thread freeradius

At 06:12 PM 11/30/2009, t...@kalik.net wrote:

> You need to set fall-through so that you still do per user processing.
> This is documented in the raddb/users file and you should also read
> doc/processing_users_file

Or just add Auth-Type := ntlm_auth to the first line (ie. instead of
Accept). Fall-Through is more elegant since you don't have to add
Auth-Type to every DEFAULT entry.


Yup, both of those work, and I'm to the point I understand why!

What I think is my final problem.  I'm now working to authenticate 
VPN users in the same scenario, using the l2tp client in 
windows.   Looks like everything automatically picks up that it's a 
MSCHAP request.


Using a similar logic:
DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"

The only problem is that it appears to ignore my LDAP group, and just 
authenticate ANY user (with a valid User ID/ Password) regardless of 
LDAP group.


rad_recv: Access-Request packet from host 10.4.1.2 port 1924, id=55, length=129
User-Name = "notvpnuser"
MS-CHAP-Challenge = 0x85e6507f219630664491c4e1bbeee67b
MS-CHAP2-Response = 0x0100cc49a55de60f33a16e0afd73fb10d7ddeb6a17be2a61ce216acf7f23fce99bd216afceacc6f81ba4
NAS-IP-Address = 10.4.1.2
NAS-Port = 0
server server_vpn {
+- entering group authorize {...}
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files] expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files] expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=notvpnuser)(objectClass=person))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to int.example.com:389, authentication 0
rlm_ldap: bind as CN=_sonicwall,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I to int.example.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=notvpnuser)(objectClass=person))
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=cisco rsteeves,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, with filter (objectclass=*)
rlm_ldap: performing search in CN=Infrastructure,OU=Security Groups,OU=Enterprise,DC=int,DC=example,DC=com, with filter (cn=VPN_Users)
rlm_ldap: object not found
rlm_ldap::groupcmp: Group VPN_Users not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for notvpnuser
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=notvpnuser)(objectClass=person))
[ldap]  expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=notvpnuser)(objectClass=person))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user notvpnuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for notvpnuser with NT-Password
[mschap]expand: --username=%{ms

mySQL table creation file

2009-11-30 Thread James Hankins

Greetings,

I'm standing up a freeradius server on Centos 5.4 with the yum  
installed version of Freeradius.  Where do I obtain the mysql file to  
create the default tables for the database?  Thank you!


Jim

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Accounting SQL Entries

2009-11-30 Thread Matt Martin
Hello list.

I have been testing FreeRADIUS for a project we are looking at running
to authenticate users for Giganews.

I have got the authentication part working well, and the
authentication attempts get logged correctly into MySQL.

Now, I am trying to log the session details, such as data to and from
the host. I've tried various configs, FAQs and similar with little
luck.

I am slightly stumped as to where to look now. Can anyone offer any
help or advice.

Thank you.

M

--
freeradius: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu,
built on Sep  7 2008 at 23:35:34
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: mySQL table creation file

2009-11-30 Thread first last
install freeradius-mysql
and you can find the source in sql/mysql/schema.sql

2009/12/1 James Hankins 

> Greetings,
>
> I'm standing up a freeradius server on Centos 5.4 with the yum installed
> version of Freeradius.  Where do I obtain the mysql file to create the
> default tables for the database?  Thank you!
>
> Jim
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: {Disarmed} Re: mpd-drop-user

2009-11-30 Thread cktan

Dear Charles,

Thanks for your suggestion. In fact my last option is that I will 
write a simple telnet session to terminate the session if the usage is 
over. However, I'm looking to have this option work if possible.


cheers

Charles wrote:

Hi cktan,
 
Was looking for a similar solution and never made it work.
 
Basically, in my setup I have users buy airtime for using the 
internet. I also sell access to video clips; when a user downloads a 
video clip, an entry is made in the radacct table. What I wanted is for 
the NAS to re-authenticate every minute to check if more entries were 
added to the radacct table.
 
My solution was to use M0n0wall as my NAS; it has an option in the 
captive portal where you set it to re-authenticate every minute and to 
disconnect if the user has no more credit left.
 
I hope this helps.
 
Charles


- Original Message -
*From:* cktan 
*To:* FreeRadius users mailing list

*Sent:* Monday, November 30, 2009 11:51 AM
*Subject:* MPD : mpd-drop-user

Dear all,

Has anyone tried this attribute mpd-drop-user in freeradius with
Mysql? MPD supports this attribute to check the status of the account
while it updates the accounting, and if the value for this
attribute becomes non-zero, it will disconnect the session for the
user.

We use MPD to set up a PPPoE server with freeradius to provide
authentication to users and we need to drop the
session if the user's account is suspended, but we have had no luck
making it work. Currently we try to put this attribute in the radreply
table and it doesn't work for us. Looking for your kind
information in this matter.

Thanks in advance.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MPD : mpd-drop-user

2009-11-30 Thread cktan

Dear Ivan Kalik,

This is what I thought as well. However, I read somewhere that MPD supports 
this option, but there were no details on where to put this attribute.


Regards

t...@kalik.net wrote:

Has anyone tried this attribute mpd-drop-user in freeradius with Mysql?
MPD supports this attribute to check the status of the account while it
updates the accounting, and if the value for this attribute becomes
non-zero, it will disconnect the session for the user.

We use MPD to set up a PPPoE server with freeradius to provide
authentication to users and we need to drop the session if
the user's account is suspended, but we have had no luck making it work.
Currently we try to put this attribute in the radreply table and it doesn't
work for us. Looking for your kind information in this matter.



Read what you wrote in the first paragraph. Attribute works when sent in
accounting reply to update packet. radreply table is used for
authentication not accounting. You will have to figure out a way of adding
this to the accounting reply using unlang or perl (if conditions are more
complicated).

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

  



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: separating Users?

2009-11-30 Thread tnt
> What I think is my final problem.  I'm now working to authenticate
> VPN users in the same scenario, using the l2tp client in
> windows.   Looks like everything automatically picks up that it's a
> MSCHAP request.
>
> Using a similar logic:
> DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"
>
> The only problem is that it appears to ignore my LDAP group, and just
> authenticate ANY user (with a valid User ID/ Password) regardless of
> LDAP group.

Yes, if that DEFAULT entry doesn't match - it will get ignored. If you
want authentication to fail if such conditions are not met you need to add
Auth-Type to it. If there is no Fall-Through to DEFAULT forcing ntlm_auth,
Auth-Type won't be set and authentication will fail.

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accounting SQL Entries

2009-11-30 Thread tnt
> I have been testing FreeRADIUS for a project we are looking at running
> to authenticate users for Giganews.
>
> I have got the authentication part working well, and the
> authentication attempts get logged correctly into MySQL.
>
> Now, I am trying to log the session details, such as data to and from
> the host. I've tried various configs, FAQs and similar with little
> luck.
>
> I am slightly stumped as to where to look now. Can anyone offer any
> help or advice.

All you have to do is uncomment the sql entry in accounting, and have your
NAS send accounting packets. You can check if the NAS is doing that by
running the server in debug mode.

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MPD : mpd-drop-user

2009-11-30 Thread tnt
If what you wrote is correct (and it does make sense) - to the
Accounting-Response packet.

Ivan Kalik

> This is what I thought as well. However, I read somewhere that MPD supports
> this option, but there were no details on where to put this attribute.
>
> Regards
>


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
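To make the two replies above concrete (the attribute belongs in the Accounting-Response to an update packet, and the decision has to be made in the accounting section with unlang or perl, not in radreply), here is an added Python model of that decision. It is not code from the thread, from FreeRADIUS or from MPD: it reads usage from a constructed in-memory radacct table, compares it with a per-user limit and suspension flag (the account_status table and its columns are assumptions for the example), and returns the attributes to add to the Accounting-Response. Only the attribute name mpd-drop-user comes from the thread.

```python
"""Accounting-side decision for mpd-drop-user (added example, not from the
thread, FreeRADIUS or MPD).  Models what an unlang or rlm_perl block in the
accounting section would do on each Interim-Update, over an in-memory
sqlite radacct with constructed rows.  The account_status table, its
columns and the octet limits are assumptions made for this example."""
import sqlite3
from typing import Dict


def build_db() -> sqlite3.Connection:
    """Constructed radacct rows (closed sessions only) plus a per-account
    status table.  Acct-Input-Gigawords are not modelled."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radacct (
            username TEXT, acctsessionid TEXT,
            acctinputoctets INTEGER, acctoutputoctets INTEGER,
            acctstoptime TEXT);
        CREATE TABLE account_status (
            username TEXT PRIMARY KEY, suspended INTEGER, octet_limit INTEGER);
        -- constructed data: two closed sessions for alice, one for bob
        INSERT INTO radacct VALUES ('alice', 'a1', 40000000, 10000000, '2009-11-29 10:00:00');
        INSERT INTO radacct VALUES ('alice', 'a2', 20000000,  5000000, '2009-11-29 12:00:00');
        INSERT INTO radacct VALUES ('bob',   'b1',  1000000,   500000, '2009-11-29 12:00:00');
        INSERT INTO account_status VALUES ('alice', 0, 100000000);
        INSERT INTO account_status VALUES ('bob',   0, 100000000);
        INSERT INTO account_status VALUES ('carol', 1, 100000000);  -- suspended
    """)
    return conn


def closed_session_octets(conn: sqlite3.Connection, username: str) -> int:
    """Octets already accounted for in sessions that have a stop time."""
    row = conn.execute(
        "SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0) "
        "FROM radacct WHERE username = ? AND acctstoptime IS NOT NULL",
        (username,)).fetchone()
    return int(row[0])


def accounting_reply(conn: sqlite3.Connection,
                     acct_request: Dict[str, object]) -> Dict[str, int]:
    """Attributes to add to the Accounting-Response for this request.

    Only Start and Interim-Update packets can usefully carry mpd-drop-user;
    a Stop has no session left to drop.  Usage is taken as closed sessions
    in radacct plus the counters carried in this very update, so the live
    session is never double counted regardless of whether the sql module
    has already written its row."""
    if acct_request.get("Acct-Status-Type") not in ("Start", "Interim-Update"):
        return {}
    username = str(acct_request["User-Name"])
    row = conn.execute(
        "SELECT suspended, octet_limit FROM account_status WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        return {}  # unknown account: leave the reply alone
    suspended, octet_limit = row
    used = (closed_session_octets(conn, username)
            + int(acct_request.get("Acct-Input-Octets", 0))
            + int(acct_request.get("Acct-Output-Octets", 0)))
    if suspended or used >= octet_limit:
        return {"mpd-drop-user": 1}  # non-zero: MPD drops the session
    return {}


if __name__ == "__main__":
    db = build_db()
    update = {"Acct-Status-Type": "Interim-Update", "User-Name": "carol"}
    print(accounting_reply(db, update))  # {'mpd-drop-user': 1}
```

The shape matters more than the SQL: the check runs once per accounting update, reads state the authentication path never sees (usage so far, a suspension flag), and only then decides whether the reply carries the drop attribute. A radreply row cannot do this because it is consulted at authentication time, before any usage exists.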


Re: MPD : mpd-drop-user

2009-11-30 Thread cktan
OK, I noted that there is ext-accounting script support in MPD; it should 
do some checking against the mpd-drop-user information and take action 
accordingly. Trying to locate a sample script now.


CK
t...@kalik.net wrote:

If what you wrote is correct (and it does make sense) - to the
Accounting-Response packet.

Ivan Kalik

  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: separating Users?

2009-11-30 Thread freeradius

At 09:41 PM 11/30/2009, you wrote:

Yes, if that DEFAULT entry doesn't match - it will get ignored. If you
want authentication to fail if such conditions are not met you need to add
Auth-Type to it. If there is no Fall-Through to DEFAULT forcing ntlm_auth,
Auth-Type won't be set and authentication will fail.


so if ./users:
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "Infrastructure"
        Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15",
DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "VPN_Users"


it should work?  I think even with the Auth-Type specified as 
ntlm_auth, an Auth-Type is being set, as it's finding MSCHAP for me:


radiusd -X gives:
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}

If I remark out:
#   Auth-Type MS-CHAP {
#   mschap
#   }
from my server config, that stops it from being found, but then I 
lose the password for ntlm_auth I think:


Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=rsteeves
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)

Is that going to be a limitation of using MSCHAP/MSCHAP2?

Rick







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MPD : mpd-drop-user

2009-11-30 Thread cktan

Dear Ivan,

I read some information saying it is possible to insert an attribute 
in the Accounting-Response packet, but the RFC says almost no attributes 
are put into the response packet. There was also a user (around 2005) who 
changed some code in rlm_sql to run a query during the accounting update 
to check the termination status and respond back to the NAS for session 
termination.


For MPD, as long as it receives a radius reply and sees that the mpd-drop-user 
attribute value is non-zero, it will just disconnect the user 
session. Any better suggestion from you?


Thanks in advance.

cktan wrote:
OK, I noted that there is ext-accounting script support in MPD; it 
should do some checking against the mpd-drop-user information and take 
action accordingly. Trying to locate a sample script now.


CK
t...@kalik.net wrote:

If what you wrote is correct (and it does make sense) - to the
Accounting-Response packet.

Ivan Kalik

  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Session-Octets-Limit and sqlcounter

2009-11-30 Thread Charles

Thanks YvesDM,

I saw it - the attribute - and my problem is now solved.
Many thanks! The last line!

1.236 (09/30/2009)
  - fixed a security issue in the DHCP client (CVE-2009-0692)
  - captive portal fixes (jdegraeve):
    - changed RADIUS timeout/maxtries from 5/3 to 3/2 reducing failover time from 30 to 15 seconds
    - added RADIUS attribute support for: ChilliSpot-Bandwidth-Max-Up/ChilliSpot-Bandwidth-Max-Down




- Original Message - 
From: "YvesDM" 

To: "FreeRadius users mailing list" 
Sent: Monday, November 30, 2009 11:09 PM
Subject: Re: Session-Octets-Limit and sqlcounter


On Mon, Nov 30, 2009 at 4:44 PM, Charles  
wrote:

Thanks Allan,

I think you are right, I will ask in the monowall forum.
Just that the forum is not very active on Captive Portal issues.

Could you be kind to suggest a NAS that you know which can help me achieve
my goal?

Thanks in advance - I know I am asking too much.

Charles




Charles,

m0n0wall has an option in the CP settings to re-authenticate every
minute. It makes your life real easy in setting up radius.
Just set a check item in radcheck containing your datacap and set sql
counter appropriately.
But as suggested, the m0n0wall list will definitely help you out.

kind regards
Y.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accounting SQL Entries

2009-11-30 Thread Alan DeKok
Matt Martin wrote:
> Now, I am trying to log the session details, such as data to and from
> the host. I've tried various configs, FAQs and similar with little
> luck.

  If you have the authentication data logged to SQL, then logging
accounting data is easy:

a) create the tables

b) uncomment "sql" from the "accounting" section
   in raddb/sites-enabled/default

  And, as always, run the server in debugging mode to see what it's doing.

  If you get *something* logged, but *no* upload/download counters, then
fix the NAS so that it sends that data.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: separating Users?

2009-11-30 Thread Alan DeKok
freerad...@corwyn.net wrote:
> so if ./users:
> DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth,
> Ldap-Group == "Infrastructure"
>
> Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15",
> DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type:=ntlm_auth,
> Ldap-Group == "VPN_Users"
> 
> it should work?

  No.

>  I think even with the Auth-Type specified as ntlm_auth,
> an Auth-Type is being set, as it's finding MSCHAP for me:

  Because the NAS is sending MS-CHAP requests.

> from my server config, that stops it from being found, but then I lose
> the password for ntlm_auth I think:

  Because you've forced the "ntlm_auth" module to be run.  That module
ONLY checks clear-text passwords, and there is NO clear-text password in
the request.

  Change the line having

... Auth-Type := ntlm_auth, ...

  to
... Auth-Type = ntlm_auth, ...

  And read "man users" to see what the difference is.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
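Both Ivan's reply (a DEFAULT entry whose check items do not match is simply skipped, so the user is still authenticated by whatever Auth-Type was already set) and Alan's (`:=` replaces the Auth-Type that rlm_mschap already set, while `=` only sets it when nothing set it before) come down to users-file operator semantics. The following Python is an added illustration of those semantics and is not FreeRADIUS code: a small model of check items, control and reply operators and Fall-Through, run over entries constructed after the ones in this thread. The trailing `DEFAULT Auth-Type := Reject` entry is a standard users-file idiom for rejecting anyone the group check did not admit; it is not from the thread.

```python
"""Model of how the FreeRADIUS users file applies check items, Auth-Type
operators and Fall-Through.  Added illustration, not FreeRADIUS code; the
entries below are constructed after the ones in the thread."""
from typing import Dict, Iterable, List, Tuple

Item = Tuple[str, str, str]  # (attribute, operator, value)


class Entry:
    """One users-file entry: check items (first line), control items such as
    Auth-Type (also written on the first line in the real file), reply items
    (following lines) and the Fall-Through flag."""

    def __init__(self, check: List[Item], control: Iterable[Item] = (),
                 reply: Iterable[Item] = (), fall_through: bool = False):
        self.check, self.control, self.reply = list(check), list(control), list(reply)
        self.fall_through = fall_through


def check_matches(item: Item, request: Dict[str, object]) -> bool:
    attr, op, value = item
    if op != "==":
        raise ValueError("only == is modelled for check items")
    if attr == "Ldap-Group":
        # Ldap-Group is not a request attribute: rlm_ldap's groupcmp answers
        # it by looking the user up in the directory (modelled as a set here).
        return value in request.get("Ldap-Groups", ())
    return request.get(attr) == value


def apply_items(items: Iterable[Item], target: Dict[str, str]) -> None:
    """Operator semantics as documented in "man users"."""
    for attr, op, value in items:
        if op == ":=":
            target[attr] = value            # always set, replacing any existing value
        elif op == "=":
            target.setdefault(attr, value)  # set only if not already present
        else:
            raise ValueError("unsupported operator " + op)


def process_users(entries: List[Entry], request: Dict[str, object],
                  control: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Walk the entries in order.  The first entry whose check items all
    match is applied; processing stops there unless it has Fall-Through."""
    control, reply = dict(control), {}
    for entry in entries:
        if not all(check_matches(c, request) for c in entry.check):
            continue
        apply_items(entry.control, control)
        apply_items(entry.reply, reply)
        if not entry.fall_through:
            break
    return control, reply


# State as seen when the files module runs: the NAS sent MS-CHAP attributes,
# so rlm_mschap has already set Auth-Type = MSCHAP in authorize.
MSCHAP_CONTROL = {"Auth-Type": "MSCHAP"}


def vpn_entries(auth_type_op: str, reject_unmatched: bool) -> List[Entry]:
    """The VPN DEFAULT entry from the thread with the Auth-Type operator as a
    parameter, optionally followed by a catch-all Reject entry (a standard
    users-file idiom, not from the thread)."""
    entries = [Entry(check=[("Huntgroup-Name", "==", "VPN_Huntgroup"),
                            ("Ldap-Group", "==", "VPN_Users")],
                     control=[("Auth-Type", auth_type_op, "ntlm_auth")])]
    if reject_unmatched:
        entries.append(Entry(check=[], control=[("Auth-Type", ":=", "Reject")]))
    return entries


def resulting_auth_type(entries: List[Entry], groups: Iterable[str]) -> str:
    request = {"User-Name": "notvpnuser", "Huntgroup-Name": "VPN_Huntgroup",
               "Ldap-Groups": set(groups)}
    control, _ = process_users(entries, request, MSCHAP_CONTROL)
    return control["Auth-Type"]


def cisco_reply_with_fall_through() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Fall-Through = Yes lets one later DEFAULT supply Auth-Type for every
    huntgroup entry (the variant Ivan called more elegant).  A PAP request
    is assumed here, so no Auth-Type is set before the files module runs."""
    entries = [Entry(check=[("Huntgroup-Name", "==", "Cisco_Huntgroup")],
                     reply=[("Service-Type", ":=", "NAS-Prompt-User"),
                            ("cisco-avpair", ":=", "shell:priv-lvl=15")],
                     fall_through=True),
               Entry(check=[], control=[("Auth-Type", "=", "ntlm_auth")])]
    request = {"User-Name": "admin", "Huntgroup-Name": "Cisco_Huntgroup"}
    return process_users(entries, request, {})
```

Run resulting_auth_type(vpn_entries(":=", False), {"VPN_Users"}) and the answer is ntlm_auth, which is the failure Rick saw: the MS-CHAP request is handed to a module that needs a clear-text password. With "=" the module's own MSCHAP choice survives. Run it again for a user outside VPN_Users and, without the catch-all Reject entry, Auth-Type is still MSCHAP and the user is authenticated regardless of group; with the catch-all it becomes Reject.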


Error while trying to make root CA

2009-11-30 Thread Peter Carlstedt

Hello everyone, it took a while for me to understand how to get root privileges 
in the terminal. I finally decided to log in as root, though I know I should not 
do that, but I couldn't find a way around it since I need to get into raddb/certs 
with the terminal so I can remove some files and stuff that the readme says.

Well, I tried to run the bootstrap command and got an error saying that it has 
problems making the Cert Request.
Here down below is the output from the bootstrap command. 
How do I fix this? Have I done something that I shouldn't have done?

Best regards/ Peter Carlstedt
 

r...@peter-desktop:/usr/local/etc/raddb/certs# ./bootstrap
openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
+++
..+++
writing new private key to 'server.key'
-
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
Generating a 2048 bit RSA private key
...+++
+++
writing new private key to 'ca.key'
-
problems making Certificate Request
9578:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2
make: *** [ca.key] Error 1
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+..+.+..+++..+..+..+...++...+...+...+.+..++.++.+...+..+..++.+.+.++...+.+++.+.+.+..+...+..+...+..+++...++++++.+.+..++...+..+...+.++..+...++...+..++*++*++*
Generating a 2048 bit RSA private key
.+++
..+++
writing new private key to 'server.key'
-
Generating a 2048 bit RSA private key
..+++
...+++
writing new private key to 'ca.key'
-
problems making Certificate Request
9587:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html