RE: How to update a MySql table after successfully WIFI

2011-09-04 Thread 2394263740
Arran,

Thanks a lot again.

It works.

As you advised,

1. edit /usr/local/etc/raddb/sites-available/default, uncomment the sql line below.
 post-auth {
 ..
 #sql
 ..
 }
2. edit /usr/local/etc/raddb/sql/mysql/dialup.conf
 update the postauth_query definition.

Very busy these days, so replying late.

Tom
   
-- Original --
From: freeradius-users freeradius-users-requ...@lists.freeradius.org
Date: Fri, Sep 2, 2011 06:11 AM
To: freeradius-users freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 77, Issue 5

  

Today's Topics:

   1. How to update a MySql table after successfully WIFI
  authentication? ( 2394263740 )
   2. Re: How to update a MySql table after successfully WIFI
  authentication? (Arran Cudbard-Bell)
   3. Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS
  server (Jacob Dawson)
   4. Using encrypted passwords in users file (sundoo)
   5. cisco 3825 authentication error (Dom)
   6. Re: Using encrypted passwords in users file (Paul Bartell)
   7. Re: Pre release of 2.1.12 (Alan Buxey)


--

Message: 1
Date: Thu, 1 Sep 2011 22:29:11 +0800
From:  2394263740  2394263...@qq.com
Subject: How to update a MySql table after successfully WIFI
authentication?
To:  freeradius-users  freeradius-users@lists.freeradius.org
Message-ID: tencent_3b36e2af6f7d0370683c1...@qq.com
Content-Type: text/plain; charset=iso-8859-1

Hello,
  
 I'm using free radius server 2.1.11 on Linux Enterprise Server 6.1.
OS: Linux Enterprise Server 6.1
Radius: free radius server 2.1.11
Database: Mysql

 I got a WIFI network, using one radius server.
  
 The whole thing works fine.
  
 I got a requirement, which is, after each successful WIFI connection, one
record needs to be added into the connectionlog table.
  
 CREATE TABLE connectionlog (
  radacctid bigint(21) NOT NULL auto_increment,
  acctsessionid varchar(64) NOT NULL default '',
  acctuniqueid varchar(32) NOT NULL default '',
  username varchar(64) NOT NULL default '',
  groupname varchar(64) NOT NULL default '',
  realm varchar(64) default '',
  nasipaddress varchar(15) NOT NULL default '',
  nasportid varchar(15) default NULL,
  nasporttype varchar(32) default NULL,
  acctstarttime datetime NULL default NULL,
  acctstoptime datetime NULL default NULL,
  acctsessiontime int(12) default NULL,
  acctauthentic varchar(32) default NULL,
  connectinfo_start varchar(50) default NULL,
  connectinfo_stop varchar(50) default NULL,
  acctinputoctets bigint(20) default NULL,
  acctoutputoctets bigint(20) default NULL,
  calledstationid varchar(50) NOT NULL default '',
  callingstationid varchar(50) NOT NULL default '',
  acctterminatecause varchar(32) NOT NULL default '',
  servicetype varchar(32) default NULL,
  framedprotocol varchar(32) default NULL,
  framedipaddress varchar(15) NOT NULL default '',
  acctstartdelay int(12) default NULL,
  acctstopdelay int(12) default NULL,
  xascendsessionsvrkey varchar(10) default NULL,
  PRIMARY KEY  (radacctid),
  KEY username (username),
  KEY framedipaddress (framedipaddress),
  KEY acctsessionid (acctsessionid),
  KEY acctsessiontime (acctsessiontime),
  KEY acctuniqueid (acctuniqueid),
  KEY acctstarttime (acctstarttime),
  KEY acctstoptime (acctstoptime),
  KEY nasipaddress (nasipaddress)
) ;

 Can you please kindly advise how to do this?
  
 Which file should be edited?
  
 Where is the context to put in the script?
  
 What is the script?
  
 Thanks!
  
 Tom

--

Message: 2
Date: Thu, 1 Sep 2011 16:36:40 +0200
From: Arran Cudbard-Bell a.cudba...@freeradius.org
Subject: Re: How to update a MySql table after successfully WIFI
authentication?
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: c781bd59-4f30-48c4-b6cc-ff4790379...@freeradius.org
Content-Type: text/plain; charset=iso-8859-1

Look in raddb/sql/mysql/dialup.conf

The postauth query is the one you need to edit.

Then 
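A worked version of the two edits Tom describes, added here as an example (it is not from the thread or from the FreeRADIUS distribution): the INSERT below is the body of the postauth_query string in raddb/sql/mysql/dialup.conf, used once the sql module is uncommented in the post-auth section of sites-available/default. It assumes Tom's connectionlog table as created above and FreeRADIUS 2.x xlat names; in 2.x the main post-auth section runs only for Access-Accept (rejects go through Post-Auth-Type REJECT), and rlm_sql escapes every %{...} expansion according to safe_characters in sql.conf, so an attacker-chosen User-Name cannot break out of the quoted literals.

```sql
-- Added example, not part of the thread. In raddb/sql/mysql/dialup.conf
-- this statement is the body of the postauth_query string, e.g.
--   postauth_query = "INSERT INTO connectionlog ... "
-- (inside the conf string, continued lines end with a backslash).
-- %{Attr} is expanded from the Access-Request, %{reply:Attr} from the
-- Access-Accept being sent, and %S is the SQL-formatted current time.
-- Accounting values (session time, octets, stop time) do not exist yet
-- at post-auth time, so those columns keep their defaults / NULL and
-- would have to be filled later from the radacct Stop record if needed.
INSERT INTO connectionlog
  (username, realm, nasipaddress, nasportid, nasporttype,
   acctstarttime, acctauthentic, calledstationid, callingstationid,
   servicetype, framedprotocol, framedipaddress)
VALUES
  ('%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
   '%{NAS-Port-Type}', '%S', 'RADIUS', '%{Called-Station-Id}',
   '%{Calling-Station-Id}', '%{Service-Type}',
   '%{reply:Framed-Protocol}', '%{reply:Framed-IP-Address}');
```

Columns declared NOT NULL default '' (for example framedipaddress) simply receive an empty string when the attribute is absent from the request or reply.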

which one to use - Radgroupcheck or Radgroupreply

2011-09-04 Thread Lucio Godoy

Hi All; I am using chillispot on a router with dd-wrt and I wanted to use the
following parameters, but don't know where to load them in my Freeradius Mysql
config, pls:

Session-Timeout = 3600
Idle-Timeout = 600
Acct-Interim-Interval = 60
WISPr-Redirection-URL = http://www.google.com/
WISPr-Bandwidth-Max-Up = 12800
WISPr-Bandwidth-Max-Down = 25600

And also if I should use = or any other operator pls? Thanks lucio
  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: which one to use - Radgroupcheck or Radgroupreply

2011-09-04 Thread Arran Cudbard-Bell

On 4 Sep 2011, at 14:28, Lucio Godoy wrote:

 Hi All;

 I am using chillispot on a router with dd-wrt and I wanted to use the
 following parameters, but don't know where to load them in my Freeradius Mysql
 config, pls:

 Session-Timeout = 3600
 Idle-Timeout = 600
 Acct-Interim-Interval = 60
 WISPr-Redirection-URL = http://www.google.com/
 WISPr-Bandwidth-Max-Up = 12800
 WISPr-Bandwidth-Max-Down = 25600

 And also if I should use = or any other operator pls?


radreply, and either = or := operators.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter

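
How Lucio's six attributes could be stored with the stock FreeRADIUS 2.x MySQL schema (radreply, radgroupreply, radusergroup), added here as an example and not anything posted in the thread; the group name 'hotspot' and the user 'lucio' are constructed. It also shows the practical difference between the two operators Arran names: '=' adds an attribute only if the reply does not already carry one, while ':=' sets it unconditionally.

```sql
-- Added example, not part of the thread. Assumes the stock FreeRADIUS 2.x
-- MySQL schema and a constructed user 'lucio' in a constructed group 'hotspot'.
-- The WISPr-* names come from the WISPr dictionary shipped with FreeRADIUS.

-- Group-wide defaults. With '=' an attribute is added only if no instance
-- of it is already in the reply, so a per-user row can take precedence.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('hotspot', 'Session-Timeout',          '=', '3600'),
  ('hotspot', 'Idle-Timeout',             '=', '600'),
  ('hotspot', 'Acct-Interim-Interval',    '=', '60'),
  ('hotspot', 'WISPr-Redirection-URL',    '=', 'http://www.google.com/'),
  ('hotspot', 'WISPr-Bandwidth-Max-Up',   '=', '12800'),
  ('hotspot', 'WISPr-Bandwidth-Max-Down', '=', '25600');

-- Membership: rlm_sql looks the user's groups up here (lowest priority first).
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('lucio', 'hotspot', 1);

-- Per-user override. ':=' sets the attribute, replacing any existing
-- instance. rlm_sql applies radreply rows before radgroupreply rows, so the
-- group's '=' row for Session-Timeout is then skipped and lucio gets 1800.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('lucio', 'Session-Timeout', ':=', '1800');
```

Whether Acct-Interim-Interval actually produces interim accounting updates depends on the NAS honouring the attribute; the server only sends it.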

Re: which one to use - Radgroupcheck or Radgroupreply

2011-09-04 Thread Lucio Godoy
Thank you very much 

My biggest wish is make sure of the Acct-Interim-Interval feature 

Thanks 

Lucio


Re: Pre release of 2.1.12

2011-09-04 Thread Alan DeKok
Alexander Clouter wrote:
 Would be handy to change Acct-Interim-Interval to something like:
 
 update reply {
   Acct-Interim-Interval := 3000 + %{rand:1200}
 }
 

  Cute.  Added.

  Alan DeKok.


Re: Pre release of 2.1.12

2011-09-04 Thread Alan DeKok
Alan Buxey wrote:
 however, i have noticed a bug/change of behaviour which doesn't
 seem right.

 Fri Sep  2 17:15:04 2011 : Error: Unauthorized connection to 
 /var/run/radiusd/radiusd.sock from gid 101
 Fri Sep  2 17:15:16 2011 : Error: Unauthorized connection to 
 /var/run/radiusd/radiusd.sock from gid 101
 Fri Sep  2 17:15:29 2011 : Error: Unauthorized connection to 
 /var/run/radiusd/radiusd.sock from gid 101

 GID 101 is munin.

  OK.

 munin has been added to the radiusd group which is defined in the 
 control virtual server - and this used to work all okay
 with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have
 borked the access to radiusd.sock for other groups.

  I've committed a fix to the v2.1.x branch of git which should address
this.

  Alan DeKok.


RE: Radius Access-Challenge and Apache

2011-09-04 Thread Daniel Abels
Hi Alan,

Thank you for your response.  I've been having a lot of trouble reaching
the mailing list, my responses are not getting through.  Hopefully this
one will!

Below is the output from the debug mode:

rad_recv: Access-Request packet from host 127.0.0.1 port 1026, id=60,
length=83
User-Name = dra
User-Password = *
Service-Type = Authenticate-Only
NAS-Identifier = debian-test-dra.vsl.com.au
NAS-IP-Address = 127.0.0.1
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = dra, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 54
++[files] returns ok
rlm_perl: Authorize Function Called
rlm_perl: Authorization for 127.0.0.1 was granted...
rlm_perl: Added pair User-Name = dra
rlm_perl: Added pair NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl: Added pair User-Password = *
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Perl
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group Perl {...}
rlm_perl: Log Request Attributes Called
rlm_perl:Request: User-Name = dra
rlm_perl:Request: User-Password = *
rlm_perl:Request: NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl:Request: Service-Type = Authenticate-Only
rlm_perl:Request: NAS-IP-Address = 127.0.0.1
rlm_perl: Authenticate Function Called
rlm_perl: User: dra Authenticated, now sending access-challenge
rlm_perl: Log Reply Attributes Called
rlm_perl:Reply: Reply-Message = Please Enter Code
rlm_perl:Reply: State = challenge
rlm_perl: Added pair User-Name = dra
rlm_perl: Added pair User-Password = *
rlm_perl: Added pair NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Reply-Message = Please Enter Code
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns handled
Sending Access-Challenge of id 60 to 127.0.0.1 port 1026
Reply-Message = Please Enter Code
State = 0x6368616c6c656e6765
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 6 ID 60 with timestamp +148
Ready to process requests.

The output to the browser at this point looks like this: (Firefox 6.0,
but I have tried IE 8.0 too)

http://imageshack.us/photo/my-images/856/authenticationrequired2.png/

I turned up the logging level for Apache too; the following is a
complete successful login:

[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1185): Radius
Auth for: debian-test-dra.vsl.com.au requests /test/ :
file=/var/www/test/
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(762): Found
Radius Cookie, now check if it's valid...
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1191): Found
cookie=8115747392e228c2f612d8fce9b384074e5c2035f36809adchallenge for
user=dra :
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1195): with
RADIUS challenge state set.\n
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(902): Sending
packet on 127.0.0.1:1812
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(): RADIUS
server requested challenge for user dra
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1232): RADIUS
authentication for user=dra password=* failed\n
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1239): Sending
failure message to user=dra\n
[Tue Aug 30 09:25:04 2011] [error] [client 10.10.240.240] user dra:
authentication failure for /test/: Password Mismatch
[Tue Aug 30 09:25:04 2011] [debug] mod_deflate.c(615): [client
10.10.240.240] Zlib: Compressed 482 to 324 : URL /test/
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1185): Radius
Auth for: debian-test-dra.vsl.com.au requests /test/ :
file=/var/www/test/
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(762): Found
Radius Cookie, now check if it's valid...
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1191): Found
cookie=f94377b91a7b4e30ac0a3910ea54ec194e5c2048f36809adchallenge for
user=dra :
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1195): with
RADIUS challenge state set.\n
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(902): Sending
packet on 127.0.0.1:1812
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1256):  RADIUS
Authentication for user=dra password= OK.  Cookie expiry in 5
minutes\n
[Tue Aug 30 09:25:18 2011] [debug] 

Mac OSX FreeRadius EAP Authentication making progress - But still not there

2011-09-04 Thread DavidS
Hi all
I am still determined to make this work and have now reinstalled everything
to start again with prior lessons learned.

However - I am still unable to authenticate wireless clients by PEAP or TTLS
MSCHAPv2 on a cisco access point (IP=192.168.0.98) with radius running on a
MAC OSX server (IP=192.168.0.90)

NOW Radtest works fine returning 
 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=237,
length=20 

AND if clients authenticate using only one protocol LEAP or TLS alone then
authentication is also successful and an IP address assigned

But if the client machine has protocols for authentication as TLS PEAP TTLS
and EAP-FAST then the authentication fails with output as below

Your help/insight would be greatly appreciated Thanks


RADIUSD -X output during failed authentication by a client machine user name
BBB password bbb1 (As mentioned: Cisco access point IP=192.168.0.98 and
freeradius running on a MAC OSX server IP=192.168.0.90)

rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=216,
length=129
User-Name = BBB
Framed-MTU = 1400
Called-Station-Id = 0023.331c.9680
Calling-Station-Id = 9027.e4f9.25b0
Service-Type = Login-User
Message-Authenticator = 0x97a3bddfd63906e3230b58166cccdbd3
EAP-Message = 0x0201000801424242
NAS-Port-Type = Wireless-802.11
NAS-Port = 2113
NAS-Port-Id = 2113
NAS-IP-Address = 192.168.0.98
NAS-Identifier = ap1250
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = BBB, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry BBB at line 1
++[files] returns ok
rlm_opendirectory: The SACL group com.apple.access_radius does not exist
on this system.
rlm_opendirectory: The host 192.168.0.98 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
++[opendirectory] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 216 to 192.168.0.98 port 1645
EAP-Message = 0x010200061520
Message-Authenticator = 0x
State = 0x8da1c3b98da3d6d5f63e6480350916ec
Finished request 63.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=217,
length=303
User-Name = BBB
Framed-MTU = 1400
Called-Station-Id = 0023.331c.9680
Calling-Station-Id = 9027.e4f9.25b0
Service-Type = Login-User
Message-Authenticator = 0x90d79354ab3708574c402c920154a72e
EAP-Message =
0x020200a41580009a1603010095019103014e644aee06b1089ec2d1b1077222c6bb2c8d08967a8f07d3c2260773e8342cea56c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010112000a00080006001700180019000b00020100
NAS-Port-Type = Wireless-802.11
NAS-Port = 2113
NAS-Port-Id = 2113
State = 0x8da1c3b98da3d6d5f63e6480350916ec
NAS-IP-Address = 192.168.0.98
NAS-Identifier = ap1250
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = BBB, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 164
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 154
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] (other): before/accept initialization 
[ttls] TLS_accept: before/accept initialization 
[ttls]  TLS 1.0 Handshake [length 0095], ClientHello  
[ttls] TLS_accept: SSLv3 read client hello A 
[ttls]  TLS 1.0 Handshake [length 002a], ServerHello  
[ttls] TLS_accept: SSLv3 write server hello A 
[ttls]  TLS 1.0 Handshake [length 085e], Certificate  
[ttls] TLS_accept: SSLv3 write certificate A 
[ttls]  TLS 1.0 Handshake [length 0004], ServerHelloDone  
[ttls] TLS_accept: SSLv3 write server done A 
[ttls] TLS_accept: SSLv3 flush data 
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase 
In SSL Accept mode  
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending