Insert Realm in mysql

2010-03-27 Thread Rabidinov M.A.
Hello, Freeradius-users.

I use freeradius 2.1.8 with MySQL.
Freeradius doesn't insert realm into radacct table.

Config:

iptv:~ # grep -v '#' /etc/raddb/sql/mysql/dialup.conf
.
accounting_start_query =  \
  INSERT INTO ${acct_table1} \
(acctsessionid,acctuniqueid, username, \
 realm,nasipaddress, nasportid, \
 nasporttype,  acctstarttime,acctstoptime, \
 acctsessiontime,  acctauthentic,connectinfo_start, \
 connectinfo_stop, acctinputoctets,  acctoutputoctets, \
 calledstationid,  callingstationid, acctterminatecause, \
 servicetype,  framedprotocol,   framedipaddress, \
 acctstartdelay,   acctstopdelay,xascendsessionsvrkey, \
service_info) \
  VALUES \
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
 '%{SQL-User-Name}', \
 '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}', \
 '%{NAS-Port-Type}', '%S', NULL, \
 '0', '%{Acct-Authentic}', '%{Connect-Info}', \
 '', '0', '0', \
 '%{Called-Station-Id}', '%{Calling-Station-Id}', '', \
 '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
 '%{%{Acct-Delay-Time}:-0}', '0', \
'%{X-Ascend-Session-Svr-Key}','%{Cisco-Service-Info}')
.

iptv:~ # grep -v '#' /etc/raddb/sites-enabled/default
authorize {
preprocess
chap
mschap
suffix
sql
expiration
logintime
pap
}


Debug:
.
rad_recv: Accounting-Request packet from host xx.xx.64.94 port 1646, id=219, 
length=191
Acct-Session-Id = 029D
Framed-Protocol = PPP
User-Name = tux...@un
Cisco-AVPair = connect-progress=Call Up
Acct-Authentic = RADIUS
Acct-Status-Type = Start
Calling-Station-Id = 00-26-b6-11-7b-84
NAS-Port-Type = Virtual
NAS-Port = 0
NAS-Port-Id = 0/0/2/25
Cisco-AVPair = client-mac-address=0026.b611.7b84
Service-Type = Framed-User
NAS-IP-Address = xx.xx.64.94
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 
xx.xx.64.94,NAS-IP-Address = xx.xx.64.94,Acct-Session-Id = 029D,User-Name 
= tux...@un'
[acct_unique] Acct-Unique-Session-ID = cb3670aee40aafa5.
++[acct_unique] returns ok
[suffix] Looking up realm un for User-Name = tux...@un
[suffix] No such realm un
++[suffix] returns noop
[ntdomain] No '\' in User-Name = tux...@un, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radius/radacct/xx.xx.64.94/detail-20100327
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radius/radacct/xx.xx.64.94/detail-20100327
[detail]expand: %t - Sat Mar 27 12:08:37 2010
++[detail] returns ok
++[unix] returns ok
[radutmp]   expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - tux...@un
++[radutmp] returns ok
[sql]   expand: %{User-Name} - tux...@un
[sql] sql_set_user escaped user -- 'tux...@un'
[sql]   expand: %{Acct-Delay-Time} - 0
[sql]   expand:INSERT INTO radacct (acctsessionid,
acctuniqueid, username,  realm,nasipaddress, 
nasportid,  nasporttype,  acctstarttime,acctstoptime,   
   acctsessiontime,  acctauthentic,connectinfo_start,  
connectinfo_stop, acctinputoctets,  acctoutputoctets,  
calledstationid,  callingstationid, acctterminatecause,  
servicetype,  framedprotocol,   framedipaddress,  
acctstartdelay,   acctstopdelay,xascendsessionsvrkey, service_info) 
  VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
  '%{SQL-User-Name}',  '%{Realm}', '%{NAS-IP-Address}', 
'%{NAS-Port-Id}',  '%{NAS-Port-Type}', '%S', NULL,  
'0', '%{Acct-Authentic}', '%{Connect-Info}',  '', '0', '0', 
 '%{Called-Station-Id}', '%{Calling-Station-Id}', '',  
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP
[sql]   expand: /var/log/radius/sqltrace.sql - /var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radacct 
(acctsessionid,acctuniqueid, username,  realm,
nasipaddress, nasportid,  nasporttype,  acctstarttime,
acctstoptime,  acctsessiontime,  acctauthentic,
connectinfo_start,  connectinfo_stop, acctinputoctets,  
acctoutputoctets

Re: Insert Realm in mysql

2010-03-27 Thread James J J Hooper



--On 27 March 2010 12:07 +0600 Rabidinov M.A. tux...@mail.ru wrote:

 Hello, Freeradius-users.

 I use freeradius 2.1.8 with MySQL.
 Freeradius doesn't insert realm into radacct table.
 [suffix] Looking up realm un for User-Name = tux...@un
 [suffix] No such realm un
 ++[suffix] returns noop

 As seen, there is no data in %{Realm}.

Refer to man rlm_realm

...realms have to be defined in proxy.conf for suffix to recognise them:

realm un {
...
}

Alternatively, use a regex in unlang to split the username as you wish.

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
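The suffix lookup James points at, as an added example that is not from the thread and not FreeRADIUS source: a simplified model of an rlm_realm "suffix" instance, the unlang regex alternative he mentions, and the %{Realm} expansion that produced the empty realm column in the INSERT above. The realm table, user names and the reduced set of module options are assumptions for illustration.

```python
import re
from typing import Dict, Tuple

# Constructed stand-in for the realm {} blocks in raddb/proxy.conf:
# realm name -> "LOCAL" or the name of a home server. The poster's proxy.conf
# had no "un" realm, which is why the debug output says "No such realm un".
PROXY_CONF_REALMS: Dict[str, str] = {"example.org": "LOCAL"}

def suffix_module(user_name: str, realms: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Simplified model of rlm_realm with format = suffix, delimiter = "@".

    Returns (module rcode, attributes it would add to the request). Only the
    branch visible in the thread's debug output is modelled; the real module
    has more options (ignore_default, strip, ...).
    """
    if "@" not in user_name:
        realm_name, stripped = "NULL", user_name        # "looking up realm NULL"
    else:
        stripped, realm_name = user_name.rsplit("@", 1)  # the last '@' splits
    if realm_name not in realms:
        return "noop", {}            # "No such realm": Realm is never set
    attrs = {"Stripped-User-Name": stripped, "Realm": realm_name}
    if realms[realm_name] != "LOCAL":
        attrs["Proxy-To-Realm"] = realm_name
    return "ok", attrs

# James's alternative: split the name with a regex in unlang, no realm {} needed.
# unlang equivalent (assumed wording):
#   if (User-Name =~ /^([^@]+)@([^@]+)$/) {
#       update request {
#           Stripped-User-Name := "%{1}"
#           Realm := "%{2}"
#       }
#   }
USER_AT_REALM = re.compile(r"^([^@]+)@([^@]+)$")

def unlang_regex_split(user_name: str) -> Dict[str, str]:
    m = USER_AT_REALM.match(user_name)
    return {"Stripped-User-Name": m.group(1), "Realm": m.group(2)} if m else {}

def xlat(template: str, attrs: Dict[str, str]) -> str:
    """%{Attr} expansion as dialup.conf uses it: an unset attribute becomes ''."""
    return re.sub(r"%\{([A-Za-z0-9-]+)\}", lambda m: attrs.get(m.group(1), ""), template)

def realm_column(user_name: str, realms: Dict[str, str]) -> str:
    """What the '%{Realm}' placeholder in accounting_start_query expands to."""
    _rcode, attrs = suffix_module(user_name, realms)
    return xlat("'%{Realm}'", attrs)
```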


Help with executing accounting!

2010-03-27 Thread Mohamed Abdulla
Hi All,
I am new to using freeradius. I am in the process of integrating freeradius 
with ipoque, which is a bandwidth control device. IPOQUE expects to see an 
accounting request from the radius server with specific attributes embedded, in 
order to control the bandwidth of the logged-in user. The scenario I am trying 
to realize is as follows:
  1. For each user wishing to authenticate with freeradius, I have added two 
attributes in users.conf file. The first attribute is Framed-IP-Address, 
while the second is a VSA ipoque-class.
  2. When the user successfully authenticates with the freeradius, and after 
the freeradius sends Access-Accept, I want the radclient.exe to automatically 
send Accounting request to ipoque, including the following: User-Name, 
Framed-IP-Address, Accounting-Status-Type= Start and ipoque-class as configured 
in users.conf file. This should inform ipoque device about the user IP and the 
class of that user in order to apply the proper bandwidth rules for that user 
category.
I have started by creating a test user in users.conf as follows:

shafzeen    Auth-Type := Local, User-Password == 1234
    Framed-IP-Address = 192.168.1.12,
    ipoque-class = raduser

then I created a text file named ipoquestart.txt with the following content:

User-Name = %{User-Name},
Framed-IP-Address = %{reply:Framed-IP-Address},
Acct-Status-Type = Start,
ipoque-class = %{reply:ipoque-class}

Then in the radiusd.conf, in the modules section I have defined the following 
(The ipoque device IP is 192.168.0.1, secret prx):

exec Start {
  wait = yes
  program = ${bindir}/radclient.exe -d ${raddbdir} -f 
${bindir}/ipoquestart.txt -x -s 192.168.1 acct prx
  input_pairs = reply
  output_pairs = reply
  packet_type = Access-Accept
}
and in the instantiate section I have added Start. Also, in the post-auth I 
have put Start trying to send the radclient acct request towards ipoque.
I have started freeradius in debug mode, and I noticed that the radclient is 
sending Framed-IP-Address as 0.0.0.0, and ipoque-class= ,
and after that it is sending the reply with the needed values of 
Framed-IP-Address and ipoque-class. I know there is somewhere something 
wrong I am doing, but I need someone to analyse what is happening and tell me 
how to correct it! Thanks

Re: Using Groups to Limit Authentication to Network Devices

2010-03-27 Thread Doug Warner
On 03/27/2010 01:46 AM, Peter Lambrechtsen wrote:
 On Sat, Mar 27, 2010 at 3:00 AM, Doug Warner d...@warner.fm wrote:
 
  I'm trying to setup freeradius to authenticate users via LDAP but pull group
  information via MySQL.  I currently only need radius for authentication to
  network devices (switches, PDUs, etc) but want to make sure I set it up so
  that I don't shoot myself in the foot later.
 
  In trying to get the correct attributes assigned to a group I've noticed that
  I need to set Fall-Through on each group that a user belongs to in order to
  have later groups evaluated.  Is there a better way that I can say something
  like, this client should check for access from these groups so that I only
  need to set Fall-Through on certain groups instead of all?
 
 Why not just use LDAP all together for your group based auth.  This is
 how I do it and it works well, and doesn't need any schema extensions.
 
 http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html
 
 Then all you have to do is modify the hostgroups  postauth_users file
 when you add new NAS's.

I don't have control over the LDAP server at all so I can't change what groups
people are in.

I think I've managed to get things working by setting up a huntgroup with the
SQL-Group set to check that the user is in a specific group.  I then have the
users file set up to assign the appropriate attributes to the huntgroup.

-Doug




Re: Freeradius doesn't accept CoA-ACK or CoA-NAK.

2010-03-27 Thread Alan DeKok
Rabidinov M.A. wrote:
 Could you tell me, how can I set a number of retries to send packet to
 NAS in freeradius config?
 Something like as radclient -r 1.

  Read raddb/proxy.conf.  Look for coa.  There is a section that
documents the retransmit behavior.

  Alan DeKok.


Re: Help with executing accounting!

2010-03-27 Thread Alan DeKok
Mohamed Abdulla wrote:
 I am new to using freeradius. I am in the process of integrating
 freeradius with ipoque, which is a bandwidth control device. IPOQUE
 expects to see an accounting request from the radius server with
 specific attributes embedded,

   That device is completely broken.  This violates the RADIUS
specifications in a number of ways.

 in order to control the bandwidth of the
 logged-in user. The scenario I am trying to realize is as follows:
 
1. For each user wishing to authenticate with freeradius, I have
   added two attributes in users.conf file.

  Please be careful about terminology.  It matters.

  There is *no* users.conf file.

 The first attribute is
   Framed-IP-Address, while the second is a VSA ipoque-class.
2. When the user successfully authenticate with the freeradius, and
   after the freeradius sends Access-Accept, I want the radclient.exe

 Again... there is no radclient.exe

   to automatically send Accounting request to ipoque, including the
   following: User-Name, Framed-IP-Address, Accounting-Status-Type=
   Start and ipoque-class as configured in users.conf file. This
   should inform ipoque device about the user IP and the class of
   that user in order to apply the proper bandwidth rules for that
   user category.

 I have started by creating a test user in users.conf as follows:
  
 shafzeen    Auth-Type := Local, User-Password == 1234
  Framed-IP-Address = 192.168.1.12,
  ipoque-class = raduser
  
 then I created a text file named ipoquestart.txt with the following
 content:
  
 User-Name = %{User-Name},
 Framed-IP-Address = %{reply:Framed-IP-Address},
 Acct-Status-Type = Start,
 ipoque-class = %{reply:ipoque-class}

  That won't work.  radclient does NOT expand variables like %{}.

  See scripts/exec-program-wait for an example of how to access the
attributes from a program.

  I also suggest asking the ipoque people to contact me.  Their device
does NOT implement RADIUS correctly, and there are many *better* ways to
 set bandwidth control.

  Alan DeKok.


Re: Help with executing accounting!

2010-03-27 Thread Alan Buxey
Hi,

  1.  For each user wishing to authenticate with freeradius, I have added two 
 attributes in users.conf file. The first attribute is Framed-IP-Address, 
 while the second is a VSA ipoque-class.

'users' file

  2.  When the user successfully authenticate with the freeradius, and after 
 the freeradius sends Access-Accept, I want the radclient.exe to automatically 
 send Accounting request to ipoque, including the following: User-Name, 
 Framed-IP-Address, Accounting-Status-Type= Start and ipoque-class as 
 configured in users.conf file. This should inform ipoque device about the 
 user IP and the class of that user in order to apply the proper bandwidth 
 rules for that user category.

why can't the NAS send the thing to this ipoque box?  oh well, if you
want to use FreeRADIUS to do the work...

simply call perl or python...or even exec...in the post-auth section of
the FreeRADIUS server and get it to call radclient as you want it to

 I have started by creating a test user in users.conf as follows:
 
 shafzeen    Auth-Type := Local, User-Password == 1234

Cleartext-Password := 1234



or are you about to tell me you are using the ancient FreeRADIUS 1.1.7
windows port?

alan
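What Alan DeKok and Alan Buxey describe, as an added example (not from the thread and not part of the FreeRADIUS project): a small post-auth script that rlm_exec can run in place of radclient. Because radclient does not expand %{}, the script reads the reply attributes from the environment and writes them into a literal radclient input file before calling radclient. It assumes rlm_exec's environment export (attribute names upper-cased with '-' replaced by '_', so ipoque-class arrives as IPOQUE_CLASS), that radclient accepts -S to read the secret from a file, and constructed paths and addresses.

```python
#!/usr/bin/env python3
"""Post-auth helper for rlm_exec: build a literal radclient input file from the
reply attributes and send an Accounting-Request Start to the policy device."""
import os
import subprocess
import sys
import tempfile
from typing import Mapping, Optional, Sequence

# Reply attributes the device expects (from the thread). Assumption: with
# `input_pairs = reply`, rlm_exec exports each as an environment variable named
# like the attribute, upper-cased and with '-' replaced by '_'.
WANTED_ATTRS: Sequence[str] = ("User-Name", "Framed-IP-Address", "ipoque-class")

def env_name(attr: str) -> str:
    """User-Name -> USER_NAME, ipoque-class -> IPOQUE_CLASS."""
    return attr.upper().replace("-", "_")

def quote_value(value: str) -> str:
    """Quote a value for radclient's `Attribute = "value"` syntax so that a user
    name containing spaces, commas or quotes cannot break the file or smuggle
    in a second attribute pair."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_acct_start(env: Mapping[str, str]) -> Optional[str]:
    """Return the radclient input text, or None when a required attribute is
    missing from the reply. Refusing here is what prevents the 0.0.0.0 /
    empty ipoque-class packet the poster saw in debug mode."""
    lines = []
    for attr in WANTED_ATTRS:
        value = env.get(env_name(attr), "")
        if not value:
            return None
        lines.append(f"{attr} = {quote_value(value)}")
    lines.append("Acct-Status-Type = Start")
    return "\n".join(lines) + "\n"

def send_acct_start(text: str, server: str, secret_file: str, raddb: str) -> int:
    """Write the input file and run radclient. The shared secret is read from a
    file with -S (assumed option) instead of being passed on the command line,
    where any local user could read it from the process list."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        cmd = ["radclient", "-d", raddb, "-f", path, "-S", secret_file, server, "acct"]
        return subprocess.run(cmd, check=False).returncode
    finally:
        os.unlink(path)

if __name__ == "__main__":
    # Constructed deployment values; adjust to the real device and raddb.
    body = build_acct_start(os.environ)
    if body is None:
        sys.exit(1)   # rlm_exec turns a non-zero exit into "fail"
    sys.exit(send_acct_start(body, "192.168.0.1:1813",
                             "/etc/raddb/ipoque.secret", "/etc/raddb"))
```

Point the exec module's `program` at this script with `input_pairs = reply` and `wait = yes`; note that a fail from post-auth rejects the login, so return 0 instead if a failed policy push should not block access.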


Re: Help with executing accounting!

2010-03-27 Thread Mohamed Abdulla
Sorry, I forgot to mention that I am using the FreeRadius from 
freeradius.net, and I am using it on windows. I did not know it makes so 
much of a difference! What Ipoque has implemented is indeed not a full 
RADIUS implementation, but it can understand the Accounting Request sent to 
it to extract the user data and traffic class before it applies the 
configured rules of user traffic treatment. When I manually use radclient to 
send the accounting request to ipoque (I fill a text file with sample data 
of one user and use that with radclient), everything successfully works. 
Then I wanted to do the same on the fly, where depending on the User-Name 
and the fact that the user successfully authenticates, the radclient will 
populate the Accounting Request data using that User-Name and the configured 
attribute in the users file. I was hoping I could find a similar script 
which does the same or close to it. But I guess as Alan DeKok has 
highlighted, I have to go through the scripts and Exec-Program-Wait pages 
and try to find a way to do it as radclient does not expand variables like 
%{}. Is the 1.1.7 version, windows port supported here? Where can I find the 
suggested scripts/exec-program-wait example?


Re: Help with executing accounting!

2010-03-27 Thread Alan DeKok
Mohamed Abdulla wrote:
 Where can I find the suggested scripts/exec-program-wait example?

  The server has source code.  Look there.

  Alan DeKok.


Problem changing secret in clients.conf

2010-03-27 Thread Marta Jiménez García
Hello!
I'm totally new in Linux, as well as in freeradius...
I've installed version 2.1.8 in Linuxmint 7.
I think everything in installation went ok... I succeed doing:
$ radtest user password 127.0.0.1 10 testing123
with user/password the ones that I use to login in my computer. I get a
response Access-Accept
(I had some problems here because I wasn't able to get an accept using
localhost instead of 127.0.0.1 ...)

I'm now in the next step.
I want to change the secret in clients.conf, so I made the change:
#secret = testing123
secret = abracadabra

I stopped radiusd and started again.

$ radtest user password 127.0.0.1 10 abracadabra
doesn't work any more... and I don't understand why... because I'm using the
same word.

rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=146,
length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
with invalid signature (err=2)! (Shared secret is incorrect.)

I get this log:

rad_recv: Access-Request packet from host 127.0.0.1 port 34217, id=146,
length=60
User-Name = mjimenez
User-Password = \353\036\355h\203l\217\362\252\003\203P\270\223\342\231
NAS-IP-Address = 127.0.1.1
NAS-Port = 10
Sat Mar 27 18:59:31 2010 : Info: +- entering group authorize {...}
Sat Mar 27 18:59:31 2010 : Info: ++[preprocess] returns ok
Sat Mar 27 18:59:31 2010 : Info: ++[chap] returns noop
Sat Mar 27 18:59:31 2010 : Info: ++[mschap] returns noop
Sat Mar 27 18:59:31 2010 : Info: [suffix] No '@' in User-Name = mjimenez,
looking up realm NULL
Sat Mar 27 18:59:31 2010 : Info: [suffix] No such realm NULL
Sat Mar 27 18:59:31 2010 : Info: ++[suffix] returns noop
Sat Mar 27 18:59:31 2010 : Info: [eap] No EAP-Message, not doing EAP
Sat Mar 27 18:59:31 2010 : Info: ++[eap] returns noop
Sat Mar 27 18:59:31 2010 : Info: ++[unix] returns updated
Sat Mar 27 18:59:31 2010 : Info: ++[files] returns noop
Sat Mar 27 18:59:31 2010 : Info: ++[expiration] returns noop
Sat Mar 27 18:59:31 2010 : Info: ++[logintime] returns noop
Sat Mar 27 18:59:31 2010 : Info: ++[pap] returns updated
Sat Mar 27 18:59:31 2010 : Info: Found Auth-Type = PAP
Sat Mar 27 18:59:31 2010 : Info: +- entering group PAP {...}
Sat Mar 27 18:59:31 2010 : Info: [pap] login attempt with password
�?�h?l?��??P�?�?
Sat Mar 27 18:59:31 2010 : Info: [pap] Using CRYPT encryption.
Sat Mar 27 18:59:31 2010 : Info: [pap] Passwords don't match
Sat Mar 27 18:59:31 2010 : Info: ++[pap] returns reject
Sat Mar 27 18:59:31 2010 : Info: Failed to authenticate the user.
Sat Mar 27 18:59:31 2010 : Debug: WARNING: Unprintable characters in the
password. Double-check the shared secret on the server and the NAS!
Sat Mar 27 18:59:31 2010 : Info: Using Post-Auth-Type Reject
Sat Mar 27 18:59:31 2010 : Info: +- entering group REJECT {...}
Sat Mar 27 18:59:31 2010 : Info: [attr_filter.access_reject] expand:
%{User-Name} - mjimenez
Sat Mar 27 18:59:31 2010 : Debug: attr_filter: Matched entry DEFAULT at line
11
Sat Mar 27 18:59:31 2010 : Info: ++[attr_filter.access_reject] returns
updated
Sat Mar 27 18:59:31 2010 : Info: Delaying reject of request 0 for 1 seconds
Sat Mar 27 18:59:31 2010 : Debug: Going to the next request
Sat Mar 27 18:59:31 2010 : Debug: Waking up in 0.9 seconds.
Sat Mar 27 18:59:32 2010 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 146 to 127.0.0.1 port 34217
Sat Mar 27 18:59:32 2010 : Debug: Waking up in 4.9 seconds.
Sat Mar 27 18:59:37 2010 : Info: Cleaning up request 0 ID 146 with timestamp
+9


When I had testing123 as secret, in User-Password I could see my real
password and not \353\036\355h\203l\217\362\252\00...

I have checked I have this line in radiusd.conf :
$INCLUDE clients.conf

Maybe it is a stupid question and I've to change something more in another conf
file. I've not started configuring my NAS yet... I was trying to configure
radius first and checking with radtest step by step.

Thank you in advance for any help you can give me,
Marta
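Why a wrong shared secret shows up first as unprintable password bytes and then as "invalid signature", as an added example that is not part of the thread: the RFC 2865 User-Password hiding and the Response Authenticator check, in plain Python. The two secrets are the ones from the post; the password, packet id and authenticators are constructed, and the printable-character test is a simplified stand-in for the server's warning.

```python
import hashlib
import hmac
import os
from typing import Tuple

ACCESS_REJECT = 3   # RADIUS Code field value for Access-Reject (RFC 2865)

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then for each block
    c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse: p_i = c_i XOR MD5(secret + c_{i-1}). With the wrong secret the
    MD5 keystream is wrong and the result is noise, which is what the
    \\353\\036... User-Password in the log above is."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def is_printable(data: bytes) -> bool:
    """Simplified form of the check behind 'WARNING: Unprintable characters
    in the password. Double-check the shared secret'."""
    return all(0x20 <= c < 0x7F for c in data)

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Length covers the 20-byte header plus attributes; the reject above had length=20."""
    length = 20 + len(attrs)
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(code: int, ident: int, attrs: bytes, request_auth: bytes,
                    secret: bytes, received_auth: bytes) -> bool:
    """The check radtest's rad_verify applies to the server's reply."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)

def simulate(password: bytes, client_secret: bytes, server_secret: bytes,
             ident: int = 146) -> Tuple[bytes, bool]:
    """radtest hides the password with client_secret; a server still running
    with server_secret reveals it and signs its Access-Reject with that secret.
    Returns (password as the server saw it, whether radtest accepts the reply)."""
    request_auth = os.urandom(16)               # fresh per request, as radtest does
    hidden = hide_password(password, client_secret, request_auth)
    seen_by_server = reveal_password(hidden, server_secret, request_auth)
    reject_auth = response_authenticator(ACCESS_REJECT, ident, b"",
                                         request_auth, server_secret)
    sig_ok = verify_response(ACCESS_REJECT, ident, b"", request_auth,
                             client_secret, reject_auth)
    return seen_by_server, sig_ok
```

With client_secret "abracadabra" and server_secret "testing123" the server sees garbage, rejects, and radtest then fails to verify the reject: both symptoms in the log come from one mismatch.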

Bug fixes on v2.1.8

2010-03-27 Thread Sergio

Hi people,

and developers, I can see that you finally fixed a bug that I and others 
like me mentioned at this forum at least one year ago. I'm glad to see it :)

To be precise, I'm talking about the fix that signs client certificates 
with the CA rather than with the server cert. And here I was, talking alone one 
year ago on this thread:

cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)

In spite of that, I'd like to say that freeradius is a great job, 
congratulations to its developers. I think it is the most configurable 
server. OCSP would be great!!


bye and thanks :)

--
Sergio



Re: Problem changing secret in clients.conf

2010-03-27 Thread Alan Buxey
Hi,

 I'm totally new in Linux, as well as in freeradius...
 I've installed version 2.1.8 in Linuxmint 7.
 I think everything in installation went ok... I succeed doing:
 $ radtest user password 127.0.0.1 10 testing123
 with user/password the ones that I use to login in my computer. I get a 
 response Access-Accept
 (I had some problems here because I wasn't able to get an accept using 
 localhost instead of 127.0.0.1 ...)
 
 I'm now in the next step.
 I want to change the secret in clients.conf, so I made the change:
 #secret = testing123
 secret = abracadabra
 
 I stopped radiusd and started again.
 
 $ radtest user password 127.0.0.1 10 abracadabra
 doesn't work any more... and I don't understand why... because I'm using the 
 same word.

does 'testing123' still work though?  (in which case, the server isn't reading 
the config file or directory you think it is!)

you did edit the 127.0.0.1 {} entry in clients.conf?

alan


RE: Help with executing accounting!

2010-03-27 Thread Tim Sylvester
Mohamed,

Your description of the IPOQUE device and how it works is very strange. I
was not able to find any useful documentation on the IPOQUE device but
here is what I think it is trying to do in a service provider network.

Assume the service provider network uses DSL, 3G wireless, 802.11, etc.
Users connect to the network via the NAS which could be a BRAS, GGSN,
wireless AP, etc. The NAS sends an access request to the RADIUS server to
authenticate the user. All user traffic going to the Internet goes through
the IPOQUE device. The service provider wants the IPOQUE device to manage
traffic based on user or groups of users. Devices on the network are
dynamically assigned an IP address. So, the IPOQUE device needs to map the
IP address to the user, group of users and their bandwidth management
policy. The NAS is configured to send RADIUS accounting packets to the
RADIUS server. The RADIUS server is configured to add the IPOQUE attributes
to the accounting request and proxy the request to the IPOQUE device. When
the IPOQUE device receives the Accounting Start packet, it uses the
information in the packet to map the IP address (Framed-IP-Address
attribute) to the IPOQUE bandwidth management policy (ipoque-class
attribute). The bandwidth management policy would then be applied to all
traffic from that particular user/IP address.

What type of network is your customer running (DSL, 3G, 802.11, etc.)? Do
they authenticate user access to the network using a NAS which then contacts
the RADIUS server? Is the IPOQUE device transparent to the user or does the
IPOQUE device require users to authenticate themselves via a web page or
some other mechanism?

Tim

[Exit code]User logging in out from login-time

2010-03-27 Thread rod~
Hi all,

I'm new to freeradius and I've got this question:

What is the exit code for a user trying to authenticate outside the
Login-time defined parameters?

I need to get this code and then trigger an error message...

Any help?

Thanks a lot in advance.

[ ]'s

Rod Elias

 


Re: Help with executing accounting!

2010-03-27 Thread Mohamed Abdulla
Thanks Alan, I will look into the source!

Tim, your analysis of ipoque operation is correct. IPOQUE receives the 
accounting request as a way to dynamically map a user/IP to a class (where 
combination of rules/policy are applied based on protocol and application user 
is using). What I am trying to achieve actually is not proxying accounting from 
NAS towards IPOQUE, but rather triggering it from radius towards ipoque upon 
completion of user authentication and authorization. Ipoque is a Layer-2 bridge 
where it transparently sits at the gateway of network to control the use of 
Internet bandwidth and usage (p2p control, streaming control, and many 
categories of traffic). Users do not have to authenticate to ipoque, and users 
are actually within the LAN on wired network, where they authenticate to NAS 
which then contacts server. This setup I am trying for a university for 
controlling users access to Internet, taking advantage of the powerful 
capability of ipoque to discover traffic and categorise it with high precision.