Insert Realm in mysql
Hello, Freeradius-users.

I use freeradius 2.1.8 with MySQL. Freeradius doesn't insert realm into radacct table.

Config:

    iptv:~ # grep -v '#' /etc/raddb/sql/mysql/dialup.conf
    .
    accounting_start_query = \
      INSERT INTO ${acct_table1} \
        (acctsessionid,acctuniqueid, username, \
        realm,nasipaddress, nasportid, \
        nasporttype, acctstarttime,acctstoptime, \
        acctsessiontime, acctauthentic,connectinfo_start, \
        connectinfo_stop, acctinputoctets, acctoutputoctets, \
        calledstationid, callingstationid, acctterminatecause, \
        servicetype, framedprotocol, framedipaddress, \
        acctstartdelay, acctstopdelay,xascendsessionsvrkey, service_info) \
      VALUES \
        ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
        '%{SQL-User-Name}', \
        '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}', \
        '%{NAS-Port-Type}', '%S', NULL, \
        '0', '%{Acct-Authentic}', '%{Connect-Info}', \
        '', '0', '0', \
        '%{Called-Station-Id}', '%{Calling-Station-Id}', '', \
        '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
        '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}','%{Cisco-Service-Info}')
    .
    iptv:~ # grep -v '#' /etc/raddb/sites-enabled/default
    authorize {
        preprocess
        chap
        mschap
        suffix
        sql
        expiration
        logintime
        pap
    }

# Debug:

    .
    rad_recv: Accounting-Request packet from host xx.xx.64.94 port 1646, id=219, length=191
        Acct-Session-Id = 029D
        Framed-Protocol = PPP
        User-Name = tux...@un
        Cisco-AVPair = connect-progress=Call Up
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        Calling-Station-Id = 00-26-b6-11-7b-84
        NAS-Port-Type = Virtual
        NAS-Port = 0
        NAS-Port-Id = 0/0/2/25
        Cisco-AVPair = client-mac-address=0026.b611.7b84
        Service-Type = Framed-User
        NAS-IP-Address = xx.xx.64.94
        Acct-Delay-Time = 0
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = xx.xx.64.94,NAS-IP-Address = xx.xx.64.94,Acct-Session-Id = 029D,User-Name = tux...@un'
    [acct_unique] Acct-Unique-Session-ID = cb3670aee40aafa5.
    ++[acct_unique] returns ok
    [suffix] Looking up realm un for User-Name = tux...@un
    [suffix] No such realm un
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = tux...@un, looking up realm NULL
    [ntdomain] No such realm NULL
    ++[ntdomain] returns noop
    ++[files] returns noop
    +- entering group accounting {...}
    [detail]expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radius/radacct/xx.xx.64.94/detail-20100327
    [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/xx.xx.64.94/detail-20100327
    [detail]expand: %t - Sat Mar 27 12:08:37 2010
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp] expand: /var/log/radius/radutmp - /var/log/radius/radutmp
    [radutmp] expand: %{User-Name} - tux...@un
    ++[radutmp] returns ok
    [sql] expand: %{User-Name} - tux...@un
    [sql] sql_set_user escaped user -- 'tux...@un'
    [sql] expand: %{Acct-Delay-Time} - 0
    [sql] expand:INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm,nasipaddress, nasportid, nasporttype, acctstarttime,acctstoptime, acctsessiontime, acctauthentic,connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay,xascendsessionsvrkey, service_info) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP
    [sql] expand: /var/log/radius/sqltrace.sql - /var/log/radius/sqltrace.sql
    rlm_sql (sql): Reserving sql socket id: 2
    rlm_sql_mysql: query: INSERT INTO radacct (acctsessionid,acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets
Re: Insert Realm in mysql
--On 27 March 2010 12:07 +0600 Rabidinov M.A. tux...@mail.ru wrote:

> Hello, Freeradius-users.
>
> I use freeradius 2.1.8 with MySQL. Freeradius doesn't insert realm into radacct table.
>
> [suffix] Looking up realm un for User-Name = tux...@un
> [suffix] No such realm un
> ++[suffix] returns noop
>
> As seen, there is no any data in %{Realm}.

Refer to man rlm_realm ...realms have to be defined in proxy.conf for suffix to recognise them:

    realm un {
        ...
    }

Alternatively, use a regex in unlang to split the username as you wish.

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Help with executing accounting!
Hi All,

I am new to using freeradius. I am in the process of integrating freeradius with ipoque, which is a bandwidth control device. IPOQUE expects to see an accounting request from the radius server with specific attributes embedded, in order to control the bandwidth of the logged-in user. The scenario I am trying to realize is as follows:

1. For each user wishing to authenticate with freeradius, I have added two attributes in users.conf file. The first attribute is Framed-IP-Address, while the second is a VSA ipoque-class.

2. When the user successfully authenticates with the freeradius, and after the freeradius sends Access-Accept, I want the radclient.exe to automatically send Accounting request to ipoque, including the following: User-Name, Framed-IP-Address, Accounting-Status-Type= Start and ipoque-class as configured in users.conf file. This should inform ipoque device about the user IP and the class of that user in order to apply the proper bandwidth rules for that user category.

I have started by creating a test user in users.conf as follows:

    shafzeen    Auth-Type := Local, User-Password == 1234
                Framed-IP-Address = 192.168.1.12,
                ipoque-class = raduser

then I created a text file named ipoquestart.txt with the following content:

    User-Name = %{User-Name},
    Framed-IP-Address = %{reply:Framed-IP-Address},
    Acct-Status-Type = Start,
    ipoque-class = %{reply:ipoque-class}

Then in the radiusd.conf, in the modules section I have defined the following (The ipoque device IP is 192.168.0.1, secret prx):

    exec Start {
        wait = yes
        program = ${bindir}/radclient.exe -d ${raddbdir} -f ${bindir}/ipoquestart.txt -x -s 192.168.1 acct prx
        input_pairs = reply
        output_pairs = reply
        packet_type = Access-Accept
    }

and in the instantiate section I have added Start. Also, in the post-auth I have put Start trying to send the radclient acct request towards ipoque.

I have started freeradius in debug mode, and I noticed that the radclient is sending Framed-IP-Address as 0.0.0.0, and ipoque-class= , and after that it is sending the reply with the needed values of Framed-IP-Address and ipoque-class.

I know there is somewhere something wrong I am doing, but I need someone to analyse what is happening and tell me how to correct it!

Thanks
Re: Using Groups to Limit Authentication to Network Devices
On 03/27/2010 01:46 AM, Peter Lambrechtsen wrote:
> On Sat, Mar 27, 2010 at 3:00 AM, Doug Warner d...@warner.fm wrote:
>
>> I'm trying to setup freeradius to authenticate users via LDAP but pull group information via MySQL. I currently only need radius for authentication to network devices (switches, PDUs, etc) but want to make sure I set it up so that I don't shoot myself in the foot later.
>>
>> In trying to get the correct attributes assigned to a group I've noticed that I need to set Fall-Through on each group that a user belongs to in order to have later groups evaluated. Is there a better way that I can say something like, this client should check for access from these groups so that I only need to set Fall-Through on certain groups instead of all?
>
> Why not just use LDAP all together for your group based auth. This is how I do it and it works well, and doesn't need any schema extensions.
>
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html
>
> Then all you have to do is modify the hostgroups postauth_users file when you add new NAS's.

I don't have control over the LDAP server at all so I can't change what groups people are in.

I think I've managed to get things working by setting up a huntgroup with the SQL-Group set to check that the user is in a specific group. I then have the users file set up to assign the appropriate attributes to the huntgroup.

-Doug
Re: Freeradius doesn't accept CoA-ACK or CoA-NAK.
Rabidinov M.A. wrote:
> Could you tell me, how can I set a number of retries to send packet to NAS in freeradius config? Something like as radclient -r 1.

Read raddb/proxy.conf. Look for coa. There is a section that documents the retransmit behavior.

Alan DeKok.
Re: Help with executing accounting!
Mohamed Abdulla wrote:
> I am new to using freeradius. I am in the process of integrating freeradius with ipoque, which is a bandwidth control device. IPOQUE expects to see an accounting request from the radius server with specific attributes embedded,

That device is completely broken. This violates the RADIUS specifications in a number of ways.

> in order to control the bandwidth of the logged-in user. The scenario I am trying to realize is as follows:
>
> 1. For each user wishing to authenticate with freeradius, I have added two attributes in users.conf file.

Please be careful about terminology. It matters. There is *no* users.conf file.

> The first attribute is Framed-IP-Address, while the second is a VSA ipoque-class.
>
> 2. When the user successfully authenticates with the freeradius, and after the freeradius sends Access-Accept, I want the radclient.exe

Again... there is no radclient.exe

> to automatically send Accounting request to ipoque, including the following: User-Name, Framed-IP-Address, Accounting-Status-Type= Start and ipoque-class as configured in users.conf file. This should inform ipoque device about the user IP and the class of that user in order to apply the proper bandwidth rules for that user category.
>
> I have started by creating a test user in users.conf as follows:
>
>     shafzeen    Auth-Type := Local, User-Password == 1234
>                 Framed-IP-Address = 192.168.1.12,
>                 ipoque-class = raduser
>
> then I created a text file named ipoquestart.txt with the following content:
>
>     User-Name = %{User-Name},
>     Framed-IP-Address = %{reply:Framed-IP-Address},
>     Acct-Status-Type = Start,
>     ipoque-class = %{reply:ipoque-class}

That won't work. radclient does NOT expand variables like %{}. See scripts/exec-program-wait for an example of how to access the attributes from a program.

I also suggest asking the ipoque people to contact me. Their device does NOT implement RADIUS correctly, and there are many *better* ways to set bandwidth control.

Alan DeKok.
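One way to do what the reply above describes, as an added example that is not part of the thread or of FreeRADIUS: a program run by the exec module reads the attributes from its environment, validates them and feeds them to radclient on stdin. It assumes all three attributes are in the list that input_pairs exports and that string values may arrive wrapped in double quotes; the server address and secret are the ones given in the question.

```python
#!/usr/bin/env python3
"""Added example: turn the attributes rlm_exec exports into radclient input."""
import ipaddress
import os
import re
import subprocess
import sys

# From the question on this page: the ipoque device address and shared secret.
IPOQUE_SERVER = "192.168.0.1"
IPOQUE_SECRET = "prx"

# Attribute name -> environment variable, following the naming rule described
# in scripts/exec-program-wait (upper case, '-' becomes '_').
WANTED = (
    ("User-Name", "USER_NAME"),
    ("Framed-IP-Address", "FRAMED_IP_ADDRESS"),
    ("ipoque-class", "IPOQUE_CLASS"),
)

# Conservative allow-list so a value can never smuggle in a second attribute:
# no quotes, commas, '=', spaces or newlines reach radclient.
SAFE_TEXT = re.compile(r"[A-Za-z0-9@._-]{1,64}")


def unquote(value):
    """Strip one pair of surrounding double quotes (assumed server quoting)."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def build_acct_start(env):
    """Return radclient input for an Accounting Start, or raise ValueError."""
    lines = []
    for attr, var in WANTED:
        if var not in env:
            raise ValueError("missing %s (is %s in the exported list?)" % (var, attr))
        value = unquote(env[var])
        if attr == "Framed-IP-Address":
            addr = ipaddress.IPv4Address(value)  # ValueError on malformed input
            if addr.is_unspecified:
                # Same symptom the question reports: never forward 0.0.0.0.
                raise ValueError("Framed-IP-Address is 0.0.0.0")
            lines.append("%s = %s" % (attr, addr))
        else:
            if not SAFE_TEXT.fullmatch(value):
                raise ValueError("unsafe value for %s" % attr)
            lines.append('%s = "%s"' % (attr, value))
    lines.append("Acct-Status-Type = Start")
    return "\n".join(lines) + "\n"


def send_acct_start(pairs, radclient="radclient"):
    """Feed the pairs to radclient on stdin, which it reads when -f is absent."""
    cmd = [radclient, "-x", IPOQUE_SERVER, "acct", IPOQUE_SECRET]
    return subprocess.run(cmd, input=pairs, text=True, timeout=10).returncode


if __name__ == "__main__":
    try:
        packet = build_acct_start(os.environ)
    except ValueError as exc:
        sys.stderr.write("not sending accounting start: %s\n" % exc)
        sys.exit(1)  # the exit status is visible to the server when wait = yes
    sys.exit(send_acct_start(packet))
```
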
Re: Help with executing accounting!
Hi,

> 1. For each user wishing to authenticate with freeradius, I have added two attributes in users.conf file. The first attribute is Framed-IP-Address, while the second is a VSA ipoque-class.

'users' file

> 2. When the user successfully authenticates with the freeradius, and after the freeradius sends Access-Accept, I want the radclient.exe to automatically send Accounting request to ipoque, including the following: User-Name, Framed-IP-Address, Accounting-Status-Type= Start and ipoque-class as configured in users.conf file. This should inform ipoque device about the user IP and the class of that user in order to apply the proper bandwidth rules for that user category.

why can't the NAS send the thing to this ipoque box? oh well, if you want to use FreeRADIUS to do the work... simply call perl or python...or even exec...in the post-auth section of the FreeRADIUS server and get it to call radclient as you want it to

> I have started by creating a test user in users.conf as follows:
>
>     shafzeen    Auth-Type := Local, User-Password == 1234

Cleartext-Password := 1234

or are you about to tell me you are using the ancient FreeRADIUS 1.1.7 windows port?

alan
Re: Help with executing accounting!
Sorry, I forgot to mention that I am using the FreeRadius from freeradius.net, and I am using it on windows. I did not know it makes so much a big difference!

What Ipoque has implemented is indeed not a full RADIUS implementation, but it can understand that Accounting Request sent to it to extract the user data and traffic class before it applies the configured rules of user traffic treatment.

When I manually use radclient to send the accounting request to ipoque (I fill a text file with sample data of one user and use that with radclient), everything successfully works. Then I wanted to do the same on the fly, where depending on the User-Name and the fact that the user successfully authenticates, the radclient will populate the Accounting Request data using that User-Name and the configured attribute in the users file.

I was hoping I could find similar script which does the same or close to it. But I guess as Alan DeKok has highlighted, I have to go through the scripts and Exec-Program-Wait pages and try to find a way to do it as radclient does not expand variables like %{}.

Is the 1.1.7 version, windows port supported here? Where can I find the suggested scripts/exec-program-wait example?

- Original Message -
From: Alan Buxey a.l.m.bu...@lboro.ac.uk
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday, March 27, 2010 8:31 PM
Subject: Re: Help with executing accounting!
Re: Help with executing accounting!
Mohamed Abdulla wrote:
> Where can I find the suggested scripts/exec-program-wait example?

The server has source code. Look there.

Alan DeKok.
Problem changing secret in clients.conf
Hello!

I'm totally new in Linux, as well as in freeradius... I've installed version 2.1.8 in Linuxmint 7. I think everything in installation went ok... I succeed doing:

    $ radtest user password 127.0.0.1 10 testing123

with user/password the ones that I use to login in my computer. I get a response Access-Accept (I had some problems here because I wasn't able to get an accept using localhost instead of 127.0.0.1 ...)

I'm now in the next step. I want to change the secret in clients.conf, so I made the change:

    #secret = testing123
    secret = abracadabra

I stopped radiusd and started again.

    $ radtest user password 127.0.0.1 10 abracadabra

doesn't work any more... and I don't understand why... because I'm using the same word.

    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=146, length=20
    rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)

I get this log:

    rad_recv: Access-Request packet from host 127.0.0.1 port 34217, id=146, length=60
        User-Name = mjimenez
        User-Password = \353\036\355h\203l\217\362\252\003\203P\270\223\342\231
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 10
    Sat Mar 27 18:59:31 2010 : Info: +- entering group authorize {...}
    Sat Mar 27 18:59:31 2010 : Info: ++[preprocess] returns ok
    Sat Mar 27 18:59:31 2010 : Info: ++[chap] returns noop
    Sat Mar 27 18:59:31 2010 : Info: ++[mschap] returns noop
    Sat Mar 27 18:59:31 2010 : Info: [suffix] No '@' in User-Name = mjimenez, looking up realm NULL
    Sat Mar 27 18:59:31 2010 : Info: [suffix] No such realm NULL
    Sat Mar 27 18:59:31 2010 : Info: ++[suffix] returns noop
    Sat Mar 27 18:59:31 2010 : Info: [eap] No EAP-Message, not doing EAP
    Sat Mar 27 18:59:31 2010 : Info: ++[eap] returns noop
    Sat Mar 27 18:59:31 2010 : Info: ++[unix] returns updated
    Sat Mar 27 18:59:31 2010 : Info: ++[files] returns noop
    Sat Mar 27 18:59:31 2010 : Info: ++[expiration] returns noop
    Sat Mar 27 18:59:31 2010 : Info: ++[logintime] returns noop
    Sat Mar 27 18:59:31 2010 : Info: ++[pap] returns updated
    Sat Mar 27 18:59:31 2010 : Info: Found Auth-Type = PAP
    Sat Mar 27 18:59:31 2010 : Info: +- entering group PAP {...}
    Sat Mar 27 18:59:31 2010 : Info: [pap] login attempt with password �?�h?l?��??P�?�?
    Sat Mar 27 18:59:31 2010 : Info: [pap] Using CRYPT encryption.
    Sat Mar 27 18:59:31 2010 : Info: [pap] Passwords don't match
    Sat Mar 27 18:59:31 2010 : Info: ++[pap] returns reject
    Sat Mar 27 18:59:31 2010 : Info: Failed to authenticate the user.
    Sat Mar 27 18:59:31 2010 : Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
    Sat Mar 27 18:59:31 2010 : Info: Using Post-Auth-Type Reject
    Sat Mar 27 18:59:31 2010 : Info: +- entering group REJECT {...}
    Sat Mar 27 18:59:31 2010 : Info: [attr_filter.access_reject] expand: %{User-Name} - mjimenez
    Sat Mar 27 18:59:31 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11
    Sat Mar 27 18:59:31 2010 : Info: ++[attr_filter.access_reject] returns updated
    Sat Mar 27 18:59:31 2010 : Info: Delaying reject of request 0 for 1 seconds
    Sat Mar 27 18:59:31 2010 : Debug: Going to the next request
    Sat Mar 27 18:59:31 2010 : Debug: Waking up in 0.9 seconds.
    Sat Mar 27 18:59:32 2010 : Info: Sending delayed reject for request 0
    Sending Access-Reject of id 146 to 127.0.0.1 port 34217
    Sat Mar 27 18:59:32 2010 : Debug: Waking up in 4.9 seconds.
    Sat Mar 27 18:59:37 2010 : Info: Cleaning up request 0 ID 146 with timestamp +9

When I had testing123 as secret, in User-Password I could see my real password and not \353\036\355h\203l\217\362\252\00...

I have checked I have this line in radiusd.conf : $INCLUDE clients.conf

Maybe is a stupid question and I've to change something more in another conf file. I've not started configuring my NAS yet... I was trying to configure radius first and checking with radtest step by step.

Thank you in advance for any help you can give me,

Marta
Bug fixes on v2.1.8
Hi people, and developers,

I can see that you finally fixed a bug that I and others like me mentioned at this forum at least one year ago. I'm glad to see it :)

To be precise, I'm talking about the fix that sign client certificates with CA, rather than server certs. And here I was, talking alone one year ago on this thread:

    cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)

In spite of that, I'd like to say that freeradius is a great job, congratulations to its developers. I think is the most configurable server. OCSP would be great!!

bye and thanks :)

--
Sergio
Re: Problem changing secret in clients.conf
Hi,

> I'm totally new in Linux, as well as in freeradius... I've installed version 2.1.8 in Linuxmint 7. I think everything in installation went ok... I succeed doing:
>
>     $ radtest user password 127.0.0.1 10 testing123
>
> with user/password the ones that I use to login in my computer. I get a response Access-Accept (I had some problems here because I wasn't able to get an accept using localhost instead of 127.0.0.1 ...)
>
> I'm now in the next step. I want to change the secret in clients.conf, so I made the change:
>
>     #secret = testing123
>     secret = abracadabra
>
> I stopped radiusd and started again.
>
>     $ radtest user password 127.0.0.1 10 abracadabra
>
> doesn't work any more... and I don't understand why... because I'm using the same word.

does 'testing123' still work though? (in which case, the server isnt reading the config file or directory you think it is!)

you did edit the 127.0.0.1 {} entry in clients.conf?

alan
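Both messages in the logs above, the unprintable User-Password on the server and the "invalid signature" reported by radtest, are what RFC 2865 produces when the two ends compute with different shared secrets. This added example (not from the thread) reproduces both; the request authenticator is constructed, and which end holds which of the page's two secrets is an assumption made for the demonstration.

```python
"""Added example: RFC 2865 User-Password hiding and Response Authenticator."""
import hashlib
import hmac
import struct


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password, secret, request_auth):
    """Client side (RFC 2865 section 5.2): XOR with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = _md5(secret, prev)          # keyed by secret + previous block
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def unhide_password(hidden, secret, request_auth):
    """Server side: the same keystream, derived from the server's secret."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")


def build_response(code, ident, request_auth, attrs, secret):
    """Reply whose authenticator is MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + _md5(header, request_auth, attrs, secret) + attrs


def verify_response(packet, request_auth, secret):
    """What the client checks before trusting a reply."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(auth, _md5(header, request_auth, attrs, secret))


def demo():
    request_auth = bytes(range(16))            # constructed sample value
    client_secret = b"abracadabra"             # what radtest was given
    server_secret = b"testing123"              # assumption: server still uses this
    hidden = hide_password(b"password", client_secret, request_auth)
    # Access-Reject (code 3), id 146, no attributes: 20 bytes, as in the log.
    reject = build_response(3, 146, request_auth, b"", server_secret)
    return {
        "same_secret": unhide_password(hidden, client_secret, request_auth),
        "other_secret": unhide_password(hidden, server_secret, request_auth),
        "reject_len": len(reject),
        "client_accepts_reply": verify_response(reject, request_auth, client_secret),
        "matching_client_accepts": verify_response(reject, request_auth, server_secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
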
RE: Help with executing accounting!
Mohamed,

Your description of the IPOQUE device and how it works is very strange. I was not able to find any useful documentation on the IPOQUE device but here is what I think it is trying to do in a service provider network.

Assume the service provider network uses DSL, 3G wireless, 802.11, etc. Users connect to the network via the NAS which could be a BRAS, GGSN, wireless AP, etc. The NAS sends an access request to the RADIUS server to authenticate the user. All user traffic going to the Internet goes through the IPOQUE device. The service provider wants the IPOQUE device to manage traffic based on user or groups of users. Devices on the network are dynamically assigned an IP address. So, the IPOQUE device needs to map the IP address to the user, group of users and their bandwidth management policy.

The NAS is configured to send RADIUS accounting packets to the RADIUS server. The RADIUS server is configured to add the IPOQUE attributes to the accounting request and proxy the request to the IPOQUE device. When the IPOQUE device receives the Accounting Start packet, it uses the information in the packet to map the IP address (Framed-IP-Address attribute) to the IPOQUE bandwidth management policy (ipoque-class attribute). The bandwidth management policy would then be applied to all traffic from that particular user/IP address.

What type of network is your customer running (DSL, 3G, 802.11, etc.)? Do they authenticate user access to the network using a NAS which then contacts the RADIUS server? Is the IPOQUE device transparent to the user or does the IPOQUE device require users to authenticate themselves via a web page or some other mechanism?

Tim

From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf Of Mohamed Abdulla
Sent: Saturday, March 27, 2010 3:26 AM
To: freeradius-users@lists.freeradius.org
Subject: Help with executing accounting!
[Exit code]User logging in out from login-time
Hi all,

I'm new to freeradius and I've got this question: What is the exit code for a user trying to authenticate outside the Login-time defined parameters? I need to get this code and then trigger an error message...

Any help? Thanks a lot in advance.

[ ]'s

Rod Elias
Re: Help with executing accounting!
Thanks Alan, I will look into the source!

Tim, your analysis of ipoque operation is correct. IPOQUE receives the accounting request as a way to dynamically map a user/IP to a class (where combination of rules/policy are applied based on protocol and application user is using).

What I am trying to achieve actually is not proxying accounting from NAS towards IPOQUE, but rather triggering it from radius towards ipoque upon completion of user authentication and authorization. Ipoque is a Layer-2 bridge where it transparently sits at the gateway of network to control the use of Internet bandwidth and usage (p2p control, streaming control, and many categories of traffic).

Users do not have to authenticate to ipoque, and users are actually within the LAN on wired network, where they authenticate to NAS which then contacts server. This setup I am trying for a university for controlling users access to Internet, taking advantage of the powerful capability of ipoque to discover traffic and categorise it with high precision

- Original Message -
From: Tim Sylvester
To: 'FreeRadius users mailing list'
Sent: Saturday, March 27, 2010 11:03 PM
Subject: RE: Help with executing accounting!