Re: add field in radcheck table

2011-10-30 Thread Fajar A. Nugraha
2011/10/31 gary :
> Hi there
> Is it possible to add check field in radcheck table?

Short answer: yes

Long answer: yes, but you need to have sufficient knowledge about how
FR works and how to design SQL queries. If you don't even know where
the queries are stored, then I suggest you don't even bother.

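> Something that looks like below, gary.companyA and gary.companyB as user name for
> authentication.
> +----+----------+------------+--------------------+----+----------+
> | id | username | secondname | attribute          | op | value    |
> +----+----------+------------+--------------------+----+----------+
> |  1 | gary     | companyA   | Cleartext-Password | := | garypass |
> +----+----------+------------+--------------------+----+----------+
> |  2 | gary     | companyB   | Cleartext-Password | := | garypass |
> +----+----------+------------+--------------------+----+----------+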

option 1: just store gary.companyA and gary.companyB in username field.

option 2: be more clear in what you want, then maybe others can help you.
What's your goal to add the field?
Does user send gary.companyA as username, or just gary?
How does the server get information about companyA or companyB?
username? realm? NAS-IP-Address?

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


add field in radcheck table

2011-10-30 Thread gary
Hi there
Is it possible to add check field in radcheck table?
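Something that looks like below, gary.companyA and gary.companyB as user name for
authentication.
+----+----------+------------+--------------------+----+----------+
| id | username | secondname | attribute          | op | value    |
+----+----------+------------+--------------------+----+----------+
|  1 | gary     | companyA   | Cleartext-Password | := | garypass |
+----+----------+------------+--------------------+----+----------+
|  2 | gary     | companyB   | Cleartext-Password | := | garypass |
+----+----------+------------+--------------------+----+----------+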

Best Regards
Gary


Re: Huntgroup Checking

2011-10-30 Thread Simon Morley
On further investigation, I can see that the check works just fine if the 
attribute huntgroup-name == xxx is added to radcheck

For what reason can't we add to radgroupcheck?

What's the logic required to modify so we can restrict on a group level?


On 30 Oct 2011, at 17:03, Alan DeKok wrote:

> simonm123 wrote:
>> Am new to freeradius but have it mainly set up just fine. It's a fantastic
>> tool and I'm enjoying using it :)
> 
>  That's good to hear.
> 
>> Just one thing I'm struggling with is the huntgroups. I've followed the wiki
>> to the letter and can see the server checking in the debug log.
>> 
>> What I basically want to do is restrict users to certain networks, as per
>> the wiki. If their huntgroup-name matches their huntgroup based on nasip,
>> they can get online, otherwise they're rejected.
> 
>  OK...
> 
>> I've put Huntgroup-Name = NetworkA in my radgroupcheck folder.
> 
>  Use "==".  It does comparisons.
> 
>> In my radhuntgroup table, I have the nasip and groupname = NetworkA
>> 
>> Then, in the authorize section of my default host, I put:
>> 
>> update request {
>>     Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"
>> }
> 
>  No, that won't work.  The huntgroups are defined by the "huntgroups"
> file.  You can't change them like you're trying to do.
> 
>  Instead, use another attribute.  Invent one.  See raddb/dictionary.
> 
>  Alan DeKok.


Re: Huntgroup Checking

2011-10-30 Thread Simon Morley
I meant Huntgroup-Name == NetworkA in my radgroupcheck table. I'm not using the 
huntgroups file - they're all in my db.

The wiki suggests using the query below restrict access per network. If that 
query below is not going to work, it's a little misleading. Or is it just 
incomplete?




On 30 Oct 2011, at 17:03, Alan DeKok wrote:

> simonm123 wrote:
>> Am new to freeradius but have it mainly set up just fine. It's a fantastic
>> tool and I'm enjoying using it :)
> 
>  That's good to hear.
> 
>> Just one thing I'm struggling with is the huntgroups. I've followed the wiki
>> to the letter and can see the server checking in the debug log.
>> 
>> What I basically want to do is restrict users to certain networks, as per
>> the wiki. If their huntgroup-name matches their huntgroup based on nasip,
>> they can get online, otherwise they're rejected.
> 
>  OK...
> 
>> I've put Huntgroup-Name = NetworkA in my radgroupcheck folder.
> 
>  Use "==".  It does comparisons.
> 
>> In my radhuntgroup table, I have the nasip and groupname = NetworkA
>> 
>> Then, in the authorize section of my default host, I put:
>> 
>> update request {
>>     Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"
>> }
> 
>  No, that won't work.  The huntgroups are defined by the "huntgroups"
> file.  You can't change them like you're trying to do.
> 
>  Instead, use another attribute.  Invent one.  See raddb/dictionary.
> 
>  Alan DeKok.


Re: Fixed Duration Weekly, Monthly and Daily Accounts

2011-10-30 Thread Suman Dash
You have the exact solution given by Fajar. See his SQL query and modify as
required.

Regards
Suman

On Sun, Oct 30, 2011 at 10:26 PM, JennyBlunt  wrote:

> Sorry if I wasn't clear. I want to be able to generate a monthly voucher -
> 30
> days access from the exact time of first login. A continuous clock ticking
> from the start time.
>
> I'm going to look at Fajar's suggestion now...
>
>
>
> --
> View this message in context:
> http://freeradius.1045715.n5.nabble.com/Fixed-Duration-Weekly-Monthly-and-Daily-Accounts-tp4950022p4950392.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Huntgroup Checking

2011-10-30 Thread Alan DeKok
simonm123 wrote:
> Am new to freeradius but have it mainly set up just fine. It's a fantastic
> tool and I'm enjoying using it :)

  That's good to hear.

> Just one thing I'm struggling with is the huntgroups. I've followed the wiki
> to the letter and can see the server checking in the debug log.
> 
> What I basically want to do is restrict users to certain networks, as per
> the wiki. If their huntgroup-name matches their huntgroup based on nasip,
> they can get online, otherwise they're rejected.

  OK...

> I've put Huntgroup-Name = NetworkA in my radgroupcheck folder.

  Use "==".  It does comparisons.

> In my radhuntgroup table, I have the nasip and groupname = NetworkA
> 
> Then, in the authorize section of my default host, I put:
> 
> update request {
>     Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"
> }

  No, that won't work.  The huntgroups are defined by the "huntgroups"
file.  You can't change them like you're trying to do.

  Instead, use another attribute.  Invent one.  See raddb/dictionary.

  Alan DeKok.


Re: Fixed Duration Weekly, Monthly and Daily Accounts

2011-10-30 Thread JennyBlunt
Sorry if I wasn't clear. I want to be able to generate a monthly voucher - 30
days access from the exact time of first login. A continuous clock ticking
from the start time.

I'm going to look at Fajar's suggestion now...



--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Fixed-Duration-Weekly-Monthly-and-Daily-Accounts-tp4950022p4950392.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Huntgroup Checking

2011-10-30 Thread simonm123
Am new to freeradius but have it mainly set up just fine. It's a fantastic
tool and I'm enjoying using it :)

Just one thing I'm struggling with is the huntgroups. I've followed the wiki
to the letter and can see the server checking in the debug log.

What I basically want to do is restrict users to certain networks, as per
the wiki. If their huntgroup-name matches their huntgroup based on nasip,
they can get online, otherwise they're rejected.

I've put Huntgroup-Name = NetworkA in my radgroupcheck folder.

In my radhuntgroup table, I have the nasip and groupname = NetworkA

Then, in the authorize section of my default host, I put:

update request {
    Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"
}

if (Huntgroup-Name == '') {
    reject
}

All as per the tutorial

In my debug log, if there is no match by IP, Huntgroup-Name is blank and the
user is rejected. 

However, if the nasip address match but the name is different, the user is
still allowed on.

Do I need a more advanced query in the if section and if so, could you please
advise what it should be?

Simon

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-tp4950385p4950385.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Fixed Duration Weekly, Monthly and Daily Accounts

2011-10-30 Thread Fajar A. Nugraha
On Sun, Oct 30, 2011 at 9:59 PM, JennyBlunt  wrote:
> that's what I was trying to get to - am happy to set an expiration upon first
> login - just wanted to see if I could achieve the desired with the built in
> functions etc.

You really need to make sure you know EXACTLY what you want, and tell
what that is in a clear manner, so they can help you better.

Anyway, if you just want to set expiration after a user logs in, try
using unlang in post-auth section. See "man unlang" for details.
Something like

post-auth {
...
  # Look up an existing Expiration entry for this user
  update control {
    Tmp-String-0 := "%{sql: SELECT ID FROM radcheck WHERE username='%{User-Name}' AND attribute='Expiration'}"
  }

  # No entry yet: this is the first login, so insert one
  if (! "%{control:Tmp-String-0}") {
    update control {
      Tmp-String-0 := "%{sql: INSERT INTO radcheck (username,attribute,op,value) values (...); SELECT NOW()}"
    }
  }
...
}


The above snippet is just an example from the top of my head and
incomplete. Basically after a successful login, you check whether an
entry for Expiration already exists in radcheck, and insert it if it
isn't already there. The last "SELECT NOW()" is so that the query
returns a value so FR won't complain.

-- 
Fajar
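
The distinction this thread keeps circling (an expiry fixed at first login versus a counter that sums only time online), as an added example that is not code from any poster or from FreeRADIUS. It is a Python/sqlite3 model: the function names, the `voucher1` user and the ISO 8601 storage of the expiry are assumptions of the model, not the value format FreeRADIUS expects.

```python
import sqlite3
from datetime import datetime, timedelta

MONTH = 30 * 24 * 3600  # 30-day voucher in seconds (constructed value)


def open_db():
    """In-memory stand-in for the radcheck table (columns as in the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
        " attribute TEXT, op TEXT, value TEXT)"
    )
    return db


def expiration_on_login(db, username, now, lifetime=MONTH):
    """Store Expiration on the first login only; return the stored expiry.

    The existence check and the insert are one statement, so a later
    login cannot add a second row or move the expiry forward.
    """
    expiry = (now + timedelta(seconds=lifetime)).isoformat()
    db.execute(
        "INSERT INTO radcheck (username, attribute, op, value) "
        "SELECT ?, 'Expiration', ':=', ? WHERE NOT EXISTS ("
        " SELECT 1 FROM radcheck"
        " WHERE username = ? AND attribute = 'Expiration')",
        (username, expiry, username),
    )
    row = db.execute(
        "SELECT value FROM radcheck"
        " WHERE username = ? AND attribute = 'Expiration'",
        (username,),
    ).fetchone()
    return datetime.fromisoformat(row[0])


def wall_clock_remaining(expiry, now):
    """Seconds until the expiry; 0 means the login would be refused."""
    return max(0, int((expiry - now).total_seconds()))


def cumulative_remaining(limit, session_seconds):
    """Seconds left when only time spent online is summed (counter style)."""
    return max(0, limit - sum(session_seconds))


def demo():
    db = open_db()
    first = datetime(2011, 10, 30, 12, 0, 0)  # constructed first login
    day10 = first + timedelta(days=10)
    day40 = first + timedelta(days=40)
    expiry = expiration_on_login(db, "voucher1", first)
    again = expiration_on_login(db, "voucher1", day10)  # must not extend
    rows = db.execute("SELECT COUNT(*) FROM radcheck").fetchone()[0]
    return {
        "expiry": expiry,
        "unchanged": again == expiry,
        "rows": rows,
        "wall_clock_day10": wall_clock_remaining(expiry, day10),
        "wall_clock_day40": wall_clock_remaining(expiry, day40),
        # Two constructed sessions of 1 h and 2 h: a summed counter
        # still shows almost the whole month left on day 40.
        "cumulative_day40": cumulative_remaining(MONTH, [3600, 7200]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
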


Re: Proxy decision based on LDAP lookups and Radius_client match.

2011-10-30 Thread Alan DeKok
Frank Skovboel wrote:
> Where would I place this (what file under which section?), and do I need to 
> do some thing special to make sure it does not try to authenticate the user?

  In the "authorize" section.  Look at raddb/sites-available/default.
There are examples of using the "ldap" module.

> Where can I read about the response codes that I can expect on "found user" 
> and "user not found" ?

  $ man unlang

> "else proxy it" is that about using update control ?

  Yes.

  Alan DeKok.


Re: Fixed Duration Weekly, Monthly and Daily Accounts

2011-10-30 Thread Alan DeKok
JennyBlunt wrote:
> that's what I was trying to get to - am happy to set an expiration upon first
> login - just wanted to see if I could achieve the desired with the built in
> functions etc.

  Yes... your question was also ambiguous.

  Do you want a TOTAL of X hours after first login, summed only over
times they're logged in?

  Or do you want them to be able to login for only X hours after first
login, based on wall-clock time?  so if they log out for 2 hours, they
"lose" those two hours?

> If expiration date is the way forward, presumably I need to write something
> in which will set the session-timeout based on end time and start time?

  The server does that automatically when you set Expiration.

  Alan DeKok.


Re: Fixed Duration Weekly, Monthly and Daily Accounts

2011-10-30 Thread JennyBlunt
that's what I was trying to get to - am happy to set an expiration upon first
login - just wanted to see if I could achieve the desired with the built in
functions etc.

If expiration date is the way forward, presumably I need to write something
in which will set the session-timeout based on end time and start time?

J


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Fixed-Duration-Weekly-Monthly-and-Daily-Accounts-tp4950022p4950211.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Proxy decision based on LDAP lookups and Radius_client match.

2011-10-30 Thread Frank Skovboel
Hi Alan,

Thanks for the quick reply. As I said, I'm quite inexperienced with Freeradius 
so I have a few followup questions below.

> Frank Skovboel wrote:
> > I have been asked to build a radius proxy using freeradius, and I'm
> > completely new to freeradius, and with the flexibility in
> > freeradius I'm
> > having a hard time figuring out how to accomplish my goal, or if
> > it's
> > even possible to do.
> 
>   Pretty much anything is possible. :)
> 
> > I imagine the flow is some thing like:
> > 1) User from Company A tries to login
> > 2) Company A's VPN sends a radius request to Freeradius
> > 3) Freeradius looks at the Radius_client IP and finds the right AD.
> 
>   See "man unlang"

Language seems straight forwards :-)

> 
> > 4) Freeradius does an LDAP bind to Company A's AD, and checks if
> > the
> > user exists.
> 
>   if (Packet-Src-IP-Address == 1.2.3.4) {
>       ldap_a
>   }
>   elsif (Packet-Src-IP-Address == 4.5.6.7) {
>       ldap_b
>   }

Where would I place this (what file under which section?), and do I need to do 
some thing special to make sure it does not try to authenticate the user?


> 
>   Configure two copies of the LDAP module.  See raddb/modules/files
>   for
> simple documentation on how this is done.  Point ldap_a at the AD for
> company A, and ldap_b at the AD for company B.
> 
> > 5) If user exists request is proxied to the OTP radius, if the user
> > does
> > not exists access-reject is sent from Freeradius.
> 
>   After the above config:
> 
>   if (notfound) {
>       reject
>   }
>   ... else proxy it ...

Where can I read about the response codes that I can expect on "found user" and 
"user not found" ?

"else proxy it" is that about using update control ?

-- 
Thanks,
Frank


Re: Fixed Duration Weekly, Monthly and Daily Accounts

2011-10-30 Thread Suman Dash
Hi Alan,

I think the poster is asking for a continuous amount of time after login.
Setting Expiration will give a max valid period in which the user can login
but under no circumstances it can provide a continuous period of usage.

Poster is also not clear what will happen if the user disconnects and
connects again. So I think the question asked here is incomplete.

Regards
Suman

On Sun, Oct 30, 2011 at 7:07 PM, Alan DeKok wrote:

> JennyBlunt wrote:
> > That's the one we're using. What I don't understand is that if we set up
> a
> > group with max-all-session = 43200 the user would get in total 43200
> > minutes. When, in reality, we're trying to give them a continuous 43200
> > minutes from first login.
>
>   Then set the expiration date when they first log in.
>
>  Remember: FreeRADIUS authenticates people.  It isn't a DB.
>
>  If you want to have it remember something, you need to store that
> information in a DB.
>
>  Alan DeKok.


Re: Fixed Duration Weekly, Monthly and Daily Accounts

2011-10-30 Thread Alan DeKok
JennyBlunt wrote:
> That's the one we're using. What I don't understand is that if we set up a
> group with max-all-session = 43200 the user would get in total 43200
> minutes. When, in reality, we're trying to give them a continuous 43200
> minutes from first login.

  Then set the expiration date when they first log in.

  Remember: FreeRADIUS authenticates people.  It isn't a DB.

  If you want to have it remember something, you need to store that
information in a DB.

  Alan DeKok.


Re: Fixed Duration Weekly, Monthly and Daily Accounts

2011-10-30 Thread Suman Dash
Re-Correct - Max-All-Session = 43200 (It's in Seconds, Not in Minutes)

Second, It is not under our control to decide how much time the user uses.
We can assign a continuous usage of XYZ minutes / Hours but what if the
user disconnects early?

What happens when the user logins again? Will you reject the user or
accept the user?

Anyway, to answer your questions, Session-Timeout of 43200 is what is needed
to give a continuous session of 43200. But again when the user
disconnects and re-logins, he/she will again get 43200 of time during
re-login.

Regards
Suman

On Sun, Oct 30, 2011 at 6:50 PM, JennyBlunt  wrote:

> That's the one we're using. What I don't understand is that if we set up a
> group with max-all-session = 43200 the user would get in total 43200
> minutes. When, in reality, we're trying to give them a continuous 43200
> minutes from first login.
>
>
> --
> View this message in context:
> http://freeradius.1045715.n5.nabble.com/Fixed-Duration-Weekly-Monthly-and-Daily-Accounts-tp4950022p4950078.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Fixed Duration Weekly, Monthly and Daily Accounts

2011-10-30 Thread JennyBlunt
That's the one we're using. What I don't understand is that if we set up a
group with max-all-session = 43200 the user would get in total 43200
minutes. When, in reality, we're trying to give them a continuous 43200
minutes from first login.


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Fixed-Duration-Weekly-Monthly-and-Daily-Accounts-tp4950022p4950078.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Proxy decision based on LDAP lookups and Radius_client match.

2011-10-30 Thread Alan DeKok
Frank Skovboel wrote:
> I have been asked to build a radius proxy using freeradius, and I'm
> completely new to freeradius, and with the flexibility in freeradius I'm
> having a hard time figuring out how to accomplish my goal, or if it's
> even possible to do.

  Pretty much anything is possible. :)

> I imagine the flow is some thing like:
> 1) User from Company A tries to login
> 2) Company A's VPN sends a radius request to Freeradius
> 3) Freeradius looks at the Radius_client IP and finds the right AD.

  See "man unlang"

> 4) Freeradius does an LDAP bind to Company A's AD, and checks if the
> user exists.

if (Packet-Src-IP-Address == 1.2.3.4) {
    ldap_a
}
elsif (Packet-Src-IP-Address == 4.5.6.7) {
    ldap_b
}

  Configure two copies of the LDAP module.  See raddb/modules/files for
simple documentation on how this is done.  Point ldap_a at the AD for
company A, and ldap_b at the AD for company B.

> 5) If user exists request is proxied to the OTP radius, if the user does
> not exists access-reject is sent from Freeradius.

  After the above config:

if (notfound) {
    reject
}
... else proxy it ...

  Alan DeKok.


Re: Fixed Duration Weekly, Monthly and Daily Accounts

2011-10-30 Thread Suman Dash
Expiration is actually the validity of the account. It does not calculate
the amount of time used. If you are looking to limit the session time, i.e.
100 hrs Monthly or anything, you need rlm_sqlcounter with attributes like
Max-Session-Time with a value.

In conjunction with Expiration, you can use Max-Session-Time to create
packages such as 1 Month 100 Hrs Browsing etc.

Feel free to send any other query if you are stuck.

Regards
Suman

On Sun, Oct 30, 2011 at 6:28 PM, Fajar A. Nugraha  wrote:

> On Sun, Oct 30, 2011 at 7:39 PM, JennyBlunt  wrote:
> > How do I create a group which provides access for a preset amount of
> time,
> > for instance one day, week or month. I've tried by using expiration but
> > don't think thats right. Will the noreset parameter do this?
>
> >
> > In our current system (not freeradius), we'd set this up as a continuous
> > account which starts the counter the first time the users logs on.
>
> I actually suggest you use rlm_sqlcounter instead, which (for me) is
> easier to understand and maintain. Use the example noresetcounter from
> http://wiki.freeradius.org/Rlm_sqlcounter
>
> You can see exactly how the module counts whatever-it-uses (in the
> example it's SUM(AcctSessionTime)), and you can run the query manually
> for debugging purposes.
>
> --
> Fajar


Re: Fixed Duration Weekly, Monthly and Daily Accounts

2011-10-30 Thread Fajar A. Nugraha
On Sun, Oct 30, 2011 at 7:39 PM, JennyBlunt  wrote:
> How do I create a group which provides access for a preset amount of time,
> for instance one day, week or month. I've tried by using expiration but
> don't think thats right. Will the noreset parameter do this?

>
> In our current system (not freeradius), we'd set this up as a continuous
> account which starts the counter the first time the users logs on.

I actually suggest you use rlm_sqlcounter instead, which (for me) is
easier to understand and maintain. Use the example noresetcounter from
http://wiki.freeradius.org/Rlm_sqlcounter

You can see exactly how the module counts whatever-it-uses (in the
example it's SUM(AcctSessionTime)), and you can run the query manually
for debugging purposes.

-- 
Fajar


Fixed Duration Weekly, Monthly and Daily Accounts

2011-10-30 Thread JennyBlunt
Looking for some advice regarding accounts with a preset amount of time. I
have freeradius setup and working with the sqlcounter module. Am just a
little lost.

How do I create a group which provides access for a preset amount of time,
for instance one day, week or month. I've tried by using expiration but
don't think that's right. Will the noreset parameter do this?

In our current system (not freeradius), we'd set this up as a continuous
account which starts the counter the first time the users logs on. 

It's only the daily, weekly, monthly plans that work like this. I feel if we
set a monthly rule to allow 43200 minutes, the user will get a lot of time
online!

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Fixed-Duration-Weekly-Monthly-and-Daily-Accounts-tp4950022p4950022.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Proxy decision based on LDAP lookups and Radius_client match.

2011-10-30 Thread Frank Skovboel
Hi, 

I have been asked to build a radius proxy using freeradius, and I'm completely 
new to freeradius, and with the flexibility in freeradius I'm having a hard 
time figuring out how to accomplish my goal, or if it's even possible to do. 

Objective: 
I need to verify that the user that tries to login from Company A really is an
employee of Company A, and not an employee of Company B. For this purpose I
have access to each company's AD and of course I know what radius clients belong to
each company. Once I have validated that the user exists in the Company's AD, I
then have to proxy it to another radius server where the user's OTP will be
validated, and from that give an access-accept or access-reject. If the user
does not exist in the Company's AD, freeradius should send an access-reject and
not proxy it to the OTP radius.

I imagine the flow is some thing like: 
1) User from Company A tries to login 
2) Company A's VPN sends a radius request to Freeradius 
3) Freeradius looks at the Radius_client IP and finds the right AD. 
4) Freeradius does an LDAP bind to Company A's AD, and checks if the user 
exists. 
5) If user exists request is proxied to the OTP radius, if the user does not 
exists access-reject is sent from Freeradius. 

I have freeradius setup to proxy the request to the OTP radius server today, 
without any checks. 

As I said I'm completely new to Freeradius, and not sure what files I need to 
configure or what to put in them, so any help is highly appreciated. 

-- 

Thank you, 
Frank Skovboel 




Re: AD integration

2011-10-30 Thread Alan DeKok
Whitlow, Michael wrote:
> I just got Freeradius running on Ubuntu and have successfully configured
> integration Active Directory using Samba and NTLM_AUTH.

  That's good to hear.

> When I run “radtest” against Freeradius and put in AD credentials, it is
> successful.

  Good...

> In other words, users who are a member of ADGROUP1 get assigned vlan #
> 111, and users who are a member of ADGROUP2 get assigned vlan #222. 

  Configure Active Directory as an LDAP server.  See raddb/modules/ldap.
List "ldap" in radius.conf, "instantiate" section

  Then in the "users" file, do:

DEFAULT LDAP-Group == "adgroup1"
... set VLAN 1...

DEFAULT LDAP-Group == "adgroup2"
... set VLAN 2 ...

  Alan DeKok.