Re: how to limit users' access by groups using radgroupcheck
Hi,

I finally found what the problem was. I have read the rlm_sql doc but it doesn't show how to limit access by groups. In fact, what I was trying to do is to run two instances of coova chilli on a machine, create two groups of users in the freeradius database, one for the first chilli and another for the second, and finally limit access for each group to only its dedicated chilli.

Thx

On 20/06/2012 00:24, Alan DeKok wrote:
> RAZAFIMBELO Faliharinohatra Rindra wrote:
>> I'm new to freeradius and I would like to know if someone can tell me how to limit users' access by groups using radgroupcheck.
>
> Read doc/rlm_sql.
>
>> I have done some research and I saw that radgroupcheck didn't reject users even if there is a mismatched attribute.
>
> No. The group checking is about *matching*. It's up to you to determine what to do when it matches.
>
>> I'd like to have confirmation about whether this is true or not. I know with radcheck we can specify attributes like NAS-Identifier or NAS-IP-Address ... to limit a user's access but I'm searching for a solution using groups. Can someone help me please?
>
> What part of the documentation is unclear? Be specific.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
RAZAFIMBELO Faliharinohatra
Network and systems administrator
Blueline Business Service
tel: (+261) 34 56 000 85
mail: rin...@bbs.mg
Re: "Invalid password" on OS X
Jens W. Skov - JS Consult wrote:
> I'm trying to set up external authentication from our router to an OS X server.
>
> I have it working fine if the user is an admin user on the Mac, but if I try with a normal user I get:
>
> Auth: rlm_opendirectory: User is authorized.
> Auth: rlm_opendirectory: User [vpntest]: invalid password

Are you running FreeRADIUS on the same machine running OpenDirectory?

JS: Yes, they have only this one server. I do suspect that I might be missing something in the users file. In the OS X GUI I have selected the users and groups that should be allowed, but it seems it is not passed on to the radius service.
Re: Would like to stop Interim Accounting being proxied
Steve Brown wrote:
> I'm not, and that would explain it nicely; I mentioned in my initial message "legacy Freeradius 1.1.2 platform". Is there any way of achieving the same end result in v1.x without Unlang?

Unlang isn't in 1.1.x, and is *documented* as not being in 1.1.x. You can't just try random things in the server.

> Upgrade is some time away, so this is what we have to work with.

Upgrade.

Alan DeKok.
Re: Cisco WLC - Freeradius Vlan assignment problem
Hi,

Are you running the preprocess module? If not, then Huntgroups aren't looked at or populated.

alan
Re: EAP fails when proxying to a realm
Hi,

Upgrade to 2.1.12 - it has fixes for proxy errors.

As for the username - you cannot play with User-Name with EAP - use Stripped-User-Name - see examples.

alan
Re: Update control with redundant sql query
On Fri, Jun 29, 2012 at 12:09 AM, lscrlstld wrote:
> Hi,
>
> I use the policy configs to provide redundant and load-balance to update the pool-name.
>
> It works fine!

Does it?

> The policy.conf
>
> policy {
>     update_ctlr_PN1 {
>         update control {
>             Pool-Name := "%{sql01:select poolname from radpoolname where nasipaddress=\"%{NAS-IP-Address}\"}"
>         }
>     }
>     update_ctlr_PN2 {
>         update control {
>             Pool-Name := "%{sql02:select poolname from radpoolname where nasipaddress=\"%{NAS-IP-Address}\"}"
>         }
>     }
>     update_ctlr_PN {
>         redundant-load-balance {
>             update_ctlr_PN1
>             update_ctlr_PN2
>         }
>     }
> }

Last time I checked, the "%{sql" block does NOT return an error if the sql server is dead. So your "load-balance" part definitely works, but I wouldn't be so sure about the "redundant" part. Try killing one of the sql servers and see what happens.

IIRC I had to explicitly hack a query so it would return some value (e.g. NOTFOUND, or whatever) when it would usually return zero rows. That way, if the "%{sql" block returns an empty string, I know something is wrong and I need to ask the next server. That method works, but it doesn't provide load balance.

--
Fajar
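An added example, not code from the thread, of the sentinel trick described in the reply above. Python with sqlite3 in-memory databases stands in for the two SQL backends (sql01 and sql02 in the thread); the table radpoolname(nasipaddress, poolname) is the one the thread queries; the NOTFOUND sentinel value and the 10.x addresses are assumptions. sql_xlat() mimics what a %{sql:...} expansion yields (the first column of the first row, or an empty string whether the row is missing or the backend is dead), so the two assign_pool_* functions show why the plain query never fails over and the sentinel query does. The unlang glue that turns an empty expansion into a failure so that redundant {...} moves on is not shown.

```python
"""Added example (not code from the thread): why a %{sql:...} lookup inside
redundant {...} needs a sentinel row to fail over.

sqlite3 in-memory databases stand in for the thread's two backends sql01
and sql02; the table radpoolname(nasipaddress, poolname) is the one the
thread queries; the NOTFOUND sentinel value is an assumption."""
import sqlite3

# The thread's query as written: zero rows for an unknown NAS, which the
# xlat renders as an empty string, the same as for a backend that is down.
PLAIN_QUERY = "SELECT poolname FROM radpoolname WHERE nasipaddress = ?"

# Sentinel variant (assumed): always yields exactly one row, so an empty
# expansion can only mean "the backend did not answer".
SENTINEL_QUERY = (
    "SELECT COALESCE("
    "  (SELECT poolname FROM radpoolname WHERE nasipaddress = ?),"
    "  'NOTFOUND')"
)


def make_backend(rows):
    """Build one backend holding the given (nasipaddress, poolname) rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radpoolname (nasipaddress TEXT PRIMARY KEY, poolname TEXT)"
    )
    conn.executemany("INSERT INTO radpoolname VALUES (?, ?)", rows)
    conn.commit()
    return conn


def sql_xlat(conn, query, nas_ip):
    """Mimic a %{sqlNN:...} expansion: first column of the first row, or ''.
    A dead backend is modelled as conn=None; like the real xlat it just
    expands to '' rather than raising."""
    if conn is None:
        return ""
    try:
        row = conn.execute(query, (nas_ip,)).fetchone()
    except sqlite3.Error:
        return ""
    if row is None or row[0] is None:
        return ""
    return str(row[0])


def assign_pool_naive(backends, nas_ip):
    """What the thread's redundant { update control { ... } } amounts to:
    an update block does not fail when its xlat expands to '', so the
    first backend is the only one ever consulted, even when it is down."""
    return sql_xlat(backends[0], PLAIN_QUERY, nas_ip)


def assign_pool_with_sentinel(backends, nas_ip):
    """The approach from the reply above: with the sentinel query an empty
    expansion means the backend is dead, so move on to the next one.
    Returns the pool name, 'NOTFOUND' when a live backend has no row, or
    '' when every backend is down."""
    for conn in backends:
        value = sql_xlat(conn, SENTINEL_QUERY, nas_ip)
        if value != "":
            return value
    return ""


if __name__ == "__main__":
    # Constructed sample data: one NAS known to the live backend.
    live = make_backend([("10.0.0.1", "pool01")])
    dead = None
    print("naive, sql01 dead:   ", repr(assign_pool_naive([dead, live], "10.0.0.1")))
    print("sentinel, sql01 dead:", repr(assign_pool_with_sentinel([dead, live], "10.0.0.1")))
    print("sentinel, no row:    ", repr(assign_pool_with_sentinel([dead, live], "10.9.9.9")))
```

With sql01 dead, the naive version hands back an empty Pool-Name and never asks sql02; the sentinel version gets pool01 from sql02, and a NAS with no row is reported as NOTFOUND rather than being mistaken for a dead backend.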
Re: Cisco WLC - Freeradius Vlan assignment problem
>> ++- if (!Huntgroup-Name) returns ok
>> ++? if (Huntgroup-Name == "list")
>> (Attribute Huntgroup-Name was not found)
>
> The problem seems to be your huntgroup.. Can you post your huntgroup definitions?
> --
> Jens Weibler
> IT-Services

Hi,

In huntgroups I just have:

...
# User = xxx xxx
list    Calling-Station-Id == 0221.6ae0.cef8

Then in sites-available/inner-tunnel I have a script:

if (!Huntgroup-Name) {
    #reject
    update reply {
        Tunnel-Type = VLAN
        Tunnel-Medium-Type = IEEE-802
        Tunnel-Private-Group-Id = 249
    }
}
if (Huntgroup-Name == "list") {
    if (Ldap-Group == "WIFI-Direccion") {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 200
        }
    }
}

seems ok. What do you think?

Thanks a lot.
RE: EAP fails when proxying to a realm
Thanks for pointing those things out to me. I am no longer proxying back to myself like that, and I've told the sql module to use the stripped user name when possible, and it looks like it's all working now.

Best wishes,
Chris

From: freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org [freeradius-users-bounces+cmanigan=towerstream@lists.freeradius.org] on behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Thursday, June 28, 2012 12:49 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP fails when proxying to a realm

On 28/06/12 17:33, Christopher Manigan wrote:
> I am trying to use MSCHAPv2 to authenticate users. This works ok, except when I try to proxy to a realm. Pasted below is the debug of a user trying to authenticate. The realm is a prefix of the username. What I see buried in the debug is:
>
> # radiusd -X
> FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 at 11:37:39

Upgrade to 2.1.12 if possible

> Sending Access-Request of id 22 to 127.0.0.1 port 1812

Why on earth are you proxying back to yourself, to the same virtual server no less? I suspect this is confusing the server, since it fails inside the handler further down.

> [eap] Identity does not match User-Name, setting from EAP Identity.

You are rewriting the username. This doesn't work with EAP. Don't do that. If you need to strip realms etc. use "Stripped-User-Name". Leave the original username alone.

> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
Update control with redundant sql query
Hi,

I use the policy configs to provide redundant and load-balance to update the pool-name.

It works fine! But I have some questions...

- Is it the correct way to do it? Is it the better way, considering performance under high usage?
- Why does the virtual module created in the policy and control update always return "notfound"?

+- entering group authorize {...}
++- entering policy update_ctlr_PN {...}
+++- entering redundant-load-balance group redundant-load-balance {...}
- entering policy update01_Pool-Name {...}
...
expand: select poolname from radpoolname where nasipaddress="%{NAS-IP-Address}" -> select poolname from radpoolname where nasipaddress="X.X.X.X"
rlm_sql (sql01): Reserving sql socket id: 4
sql_xlat finished
rlm_sql (sql01): Released sql socket id: 4
expand: %{sql01:select poolname from radpoolname where nasipaddress="%{NAS-IP-Address}"} -> pool01
+[control] returns notfound
- policy update_ctlr_PN1 returns notfound
+++- redundant-load-balance group redundant-load-balance returns notfound
++- policy update_ctlr_PN returns notfound

The policy.conf

policy {
    update_ctlr_PN1 {
        update control {
            Pool-Name := "%{sql01:select poolname from radpoolname where nasipaddress=\"%{NAS-IP-Address}\"}"
        }
    }
    update_ctlr_PN2 {
        update control {
            Pool-Name := "%{sql02:select poolname from radpoolname where nasipaddress=\"%{NAS-IP-Address}\"}"
        }
    }
    update_ctlr_PN {
        redundant-load-balance {
            update_ctlr_PN1
            update_ctlr_PN2
        }
    }
}

Server conf:

...
authorize {
    update_ctlr_PN
    pap
    chap
    sql01
}
...

Thank you.
Re: EAP fails when proxying to a realm
On 28/06/12 17:33, Christopher Manigan wrote:
> I am trying to use MSCHAPv2 to authenticate users. This works ok, except when I try to proxy to a realm. Pasted below is the debug of a user trying to authenticate. The realm is a prefix of the username. What I see buried in the debug is:
>
> # radiusd -X
> FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jun 28 2012 at 11:37:39

Upgrade to 2.1.12 if possible

> Sending Access-Request of id 22 to 127.0.0.1 port 1812

Why on earth are you proxying back to yourself, to the same virtual server no less? I suspect this is confusing the server, since it fails inside the handler further down.

> [eap] Identity does not match User-Name, setting from EAP Identity.

You are rewriting the username. This doesn't work with EAP. Don't do that. If you need to strip realms etc. use "Stripped-User-Name". Leave the original username alone.

> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
Re: Would like to stop Interim Accounting being proxied
On 28/06/12 17:13, Steve Brown wrote:
> On 28/06/12 14:34, Steve Brown wrote:
>> Is there any way of achieving the same end result in v1.x without Unlang?
>
> If there was a way to simply respond to an accounting request with an 'Accept', like you can with Auth, could I do something like:

You might be able to use the "configurable_failover" in 1.x to achieve this. Something like:

preacct {
    files {
        ok = return
    }
    ... rest of modules ...
}

...and in your "files" module, something like you had:

DEFAULT Acct-Status-Type == Interim-Update, User-Name =~ "@domain"
        Fall-Through = No

See "doc/configurable_failover" - from the version of the server you are running, obviously.
EAP does not work with realms
ql_mysql: Starting connect to MySQL server for #40
rlm_sql (sql): Connected new DB handle, #40
rlm_sql (sql): starting 41
rlm_sql (sql): Attempting to connect rlm_sql_mysql #41
rlm_sql_mysql: Starting connect to MySQL server for #41
rlm_sql (sql): Connected new DB handle, #41
rlm_sql (sql): starting 42
rlm_sql (sql): Attempting to connect rlm_sql_mysql #42
rlm_sql_mysql: Starting connect to MySQL server for #42
rlm_sql (sql): Connected new DB handle, #42
rlm_sql (sql): starting 43
rlm_sql (sql): Attempting to connect rlm_sql_mysql #43
rlm_sql_mysql: Starting connect to MySQL server for #43
rlm_sql (sql): Connected new DB handle, #43
rlm_sql (sql): starting 44
rlm_sql (sql): Attempting to connect rlm_sql_mysql #44
rlm_sql_mysql: Starting connect to MySQL server for #44
rlm_sql (sql): Connected new DB handle, #44
rlm_sql (sql): starting 45
rlm_sql (sql): Attempting to connect rlm_sql_mysql #45
rlm_sql_mysql: Starting connect to MySQL server for #45
rlm_sql (sql): Connected new DB handle, #45
rlm_sql (sql): starting 46
rlm_sql (sql): Attempting to connect rlm_sql_mysql #46
rlm_sql_mysql: Starting connect to MySQL server for #46
rlm_sql (sql): Connected new DB handle, #46
rlm_sql (sql): starting 47
rlm_sql (sql): Attempting to connect rlm_sql_mysql #47
rlm_sql_mysql: Starting connect to MySQL server for #47
rlm_sql (sql): Connected new DB handle, #47
rlm_sql (sql): starting 48
rlm_sql (sql): Attempting to connect rlm_sql_mysql #48
rlm_sql_mysql: Starting connect to MySQL server for #48
rlm_sql (sql): Connected new DB handle, #48
rlm_sql (sql): starting 49
rlm_sql (sql): Attempting to connect rlm_sql_mysql #49
rlm_sql_mysql: Starting connect to MySQL server for #49
rlm_sql (sql): Connected new DB handle, #49
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserving sql socket id: 49
rlm_sql (sql): Read entry nasname=192.168.100.150,shortname=zd,secret=secret
rlm_sql (sql): Adding client 192.168.100.150 (zd, server=) to clients list
rlm_sql (sql): Read entry nasname=69.38.220.75,shortname=zd,secret=secret
rlm_sql (sql): Adding client 69.38.220.75 (zd, server=) to clients list
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=localhost,secret=secret
rlm_sql (sql): Adding client 127.0.0.1 (localhost, server=) to clients list
rlm_sql (sql): Released sql socket id: 49
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
 acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
 }
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
 realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = no
 }
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
 detail {
    detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
 }
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
 radutmp {
    filename = "/var/log/radius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
 }
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
 attr_filter attr_filter.accounting_response {
    attrsfile = "/etc/raddb/attrs.accounting_response"
    key = "%{User-Name}"
 }
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "reply_log" from file /etc/raddb/modules/detail.log
 detail reply_log {
    detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
 }
Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
 attr_filter attr_filter.access_reject {
    attrsfile = "/etc/raddb/attrs.access_reject"
    key = "%{User-Name}"
 }
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Mo
EAP fails when proxying to a realm
lm_sql (sql): starting 44
rlm_sql (sql): Attempting to connect rlm_sql_mysql #44
rlm_sql_mysql: Starting connect to MySQL server for #44
rlm_sql (sql): Connected new DB handle, #44
rlm_sql (sql): starting 45
rlm_sql (sql): Attempting to connect rlm_sql_mysql #45
rlm_sql_mysql: Starting connect to MySQL server for #45
rlm_sql (sql): Connected new DB handle, #45
rlm_sql (sql): starting 46
rlm_sql (sql): Attempting to connect rlm_sql_mysql #46
rlm_sql_mysql: Starting connect to MySQL server for #46
rlm_sql (sql): Connected new DB handle, #46
rlm_sql (sql): starting 47
rlm_sql (sql): Attempting to connect rlm_sql_mysql #47
rlm_sql_mysql: Starting connect to MySQL server for #47
rlm_sql (sql): Connected new DB handle, #47
rlm_sql (sql): starting 48
rlm_sql (sql): Attempting to connect rlm_sql_mysql #48
rlm_sql_mysql: Starting connect to MySQL server for #48
rlm_sql (sql): Connected new DB handle, #48
rlm_sql (sql): starting 49
rlm_sql (sql): Attempting to connect rlm_sql_mysql #49
rlm_sql_mysql: Starting connect to MySQL server for #49
rlm_sql (sql): Connected new DB handle, #49
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserving sql socket id: 49
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=localhost,secret=secret
rlm_sql (sql): Adding client 127.0.0.1 (localhost, server=) to clients list
rlm_sql (sql): Released sql socket id: 49
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
 acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
 }
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
 realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = no
 }
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
 detail {
    detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
 }
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
 radutmp {
    filename = "/var/log/radius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
 }
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
 attr_filter attr_filter.accounting_response {
    attrsfile = "/etc/raddb/attrs.accounting_response"
    key = "%{User-Name}"
 }
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "reply_log" from file /etc/raddb/modules/detail.log
 detail reply_log {
    detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
 }
Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
 attr_filter attr_filter.access_reject {
    attrsfile = "/etc/raddb/attrs.access_reject"
    key = "%{User-Name}"
 }
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: Opening IP addresses and Ports
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
}
listen {
    type = "control"
 listen {
    socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
    type = "auth"
    ipaddr = 127.0.0.1
    port = 18120
}
 ... adding new socket proxy address * port 41620
 ... adding new socket proxy address * port 46995
 ... adding new socket proxy address * port 43755
 ... adding new socket proxy address * port 35210
 ... adding new socket proxy address * port 53936
 ... addin
Re: Would like to stop Interim Accounting being proxied
On 28/06/12 14:34, Steve Brown wrote:
> Is there any way of achieving the same end result in v1.x without Unlang?

If there was a way to simply respond to an accounting request with an 'Accept', like you can with Auth, could I do something like:

acct_users:

DEFAULT Acct-Status-Type == Interim-Update, User-Name =~ /@domain/
        Acct-Type := "IGNORE"

radiusd.conf:

accounting {
    Acct-Type IGNORE {
        Accept
    }
}

Can't find a method like 'Accept' in the docs though, so maybe that's not possible.

Steve
Re: FreeRADIUS SQL Ippool problem -
On Thu, Jun 28, 2012 at 8:22 PM, Taz Manian wrote:
> I did check the wiki, I have been on it for the last 3 days trying to figure this out
>
> I did a search for Pool-Name and I got 4 different results as below
>
> http://wiki.freeradius.org/search?q=Pool-Name
>
> http://wiki.freeradius.org/Rlm_sqlippool

Did you notice I specifically mentioned that page?

> http://wiki.freeradius.org/Rlm_ippool
> http://wiki.freeradius.org/Users
> http://wiki.freeradius.org/Ippool%20and%20radius%20clients
>
> I checked each one of them and not one said anything about radcheck or radreply.

Did you read this paragraph?

"
To assign a user an IP from a pool you simply need to have a Pool-Name Attribute (Keep in mind that it is a CONTROL attribute, not a reply attribute) in the required configuration file, which is either in files(users), sql or any other type of configuration schema.
"

It should be clear enough that Pool-Name should not be in rad(group)reply (since that table holds reply attributes). If you don't know where to put a CONTROL attribute (which is in rad(group)check, btw), then we might need to add an entry for that.

> I checked on Google and found some pages that said TO USE Framed-Pool, and I could see that when I ran radiusd -X

Your primary source of information should be the included documentation (comments in the config files, man pages, etc). After that, the wiki. After that, this list. If you decide to follow some random page, then no wonder you get random results.

--
Fajar
Re: Would like to stop Interim Accounting being proxied
On 28/06/12 14:03, Alan DeKok wrote:
> Check that you're using version 2? It looks like you're using version 1. "Unlang" is only supported in version 2.

I'm not, and that would explain it nicely; I mentioned in my initial message "legacy Freeradius 1.1.2 platform". Is there any way of achieving the same end result in v1.x without Unlang?

Upgrade is some time away, so this is what we have to work with.

Steve
Re: FreeRADIUS SQL Ippool problem -
Taz Manian wrote:
> I checked each one of them and not one said anything about radcheck or radreply.

Because they give examples for the "users" file. They don't give examples for SQL, LDAP, external programs, Perl, Python, etc.

The "users" file example has the Pool-Name on the first line. The documentation for the "users" file says that this makes it a check item. The documentation for the SQL module describes how to map "users" file entries to SQL.

It *is* documented. We expect that *some* independent understanding is necessary.

Alan DeKok.
Re: Freeradius crash during EAP-TTLS authentication
Hello,

After three months of a stable situation, the ISP home servers have started again to lose packets and to have slow response times, and then our freeradius proxies have begun to crash again.

We've reproduced the crash with the Git version. Here's the output that I got with gdb:

Going to the next request
rad_recv: Accounting-Request packet from host X.X.X.X port 1812, id=124, length=520
Received conflicting packet from client bas-man72-02 port 1812 - ID: 124 due to unfinished request 715241. Giving up on old request.
ASSERT FAILED event.c[2773]: request->ev != NULL

Program received signal SIGABRT, Aborted.
[Switching to Thread 8012021c0 (LWP 100143)]
0x000800fb978c in kill () from /lib/libc.so.7
(gdb)
(gdb) thread apply all bt full

Thread 2 (Thread 8012021c0 (LWP 100143)):
#0  0x000800fb978c in kill () from /lib/libc.so.7
No symbol table info available.
#1  0x000800fb858b in abort () from /lib/libc.so.7
No symbol table info available.
#2  0x00420cd4 in rad_assert_fail (file=Variable "file" is not available.
) at util.c:366
No locals.
#3  0x00429d9a in received_request (listener=0x801fdcac0, packet=0x8051c1900, prequest=0x7fffe4d0, client=0x801fdaa80) at event.c:2773
        when = {tv_sec = 1340876260, tv_usec = 138114}
        packet_p = Variable "packet_p" is not available.

Is there enough information for this bug? Do you want me to get some more information? I can provide smokeping graphs that show the packet loss and slow response times (3 seconds).

Many thanks

Thomas

On 29/03/2012 23:04, Thomas Fagart wrote:
> Many thanks, I will test it when available.
>
> Thomas
>
> On 28/03/2012 17:15, Alan DeKok wrote:
>> Thomas Fagart wrote:
>>> Here's the debug output. This happens especially when we add a virtual server as a fallback server.
>>
>> OK... it looks like the proxy_reply doesn't exist. I'll push a patch.
>>
>> Alan DeKok.
RE: FreeRADIUS SQL Ippool problem -
I did check the wiki, I have been on it for the last 3 days trying to figure this out.

I did a search for Pool-Name and I got 4 different results as below

http://wiki.freeradius.org/search?q=Pool-Name

http://wiki.freeradius.org/Rlm_sqlippool
http://wiki.freeradius.org/Rlm_ippool
http://wiki.freeradius.org/Users
http://wiki.freeradius.org/Ippool%20and%20radius%20clients

I checked each one of them and not one said anything about radcheck or radreply.

I checked on Google and found some pages that said TO USE Framed-Pool, and I could see that when I ran radiusd -X. I just tried using Pool-Name and it doesn't work, nor does it show when I try it with radiusd -X.

I appreciate your input, I'm really stuck on this one. I'm also not sure how to use rlm_sqlippool?

Taz

> Date: Thu, 28 Jun 2012 19:08:25 +0700
> Subject: Re: FreeRADIUS SQL Ippool problem -
> From: l...@fajar.net
> To: dj...@iol.ie; freeradius-users@lists.freeradius.org
>
> On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian wrote:
>> Hi Guys,
>>
>> I'm having a problem with Ippools with freeradius2 and I can't seem to get any username to get an address from the pool.
>>
>> 90% of the usernames will have static IPs but I want a few to be in a pool but I really am stumped - I tried putting
>>
>> username@realm Framed-Pool := EZPOOL
>>
>> into the radreply section and it gives me a reply when I test it #
>
> Please check the wiki, IIRC you should put it in radcheck, not radreply. And the attribute is Pool-Name, not Framed-Pool.
>
>> so I know it is reading that - I then have a pool set up in radippool
>
> Also, IMHO you should just use rlm_sqlippool. It's easier to setup and debug.
>
> --
> Fajar
Re: Would like to stop Interim Accounting being proxied
Steve Brown wrote:
> Thanks for the pointer. This is actually what I started with :(
>
> I still get the error "Error: /etc/raddb/radiusd.conf[1433]: Line is not in 'attribute = value' format"; line 1433 is this actual 'if ((' line.

It works for me.

Check that you're using version 2? It looks like you're using version 1. "Unlang" is only supported in version 2.

Upgrade.

Alan DeKok.
Re: Problems with sqlcounter module in FreeRADIUS 2.1.12
On Thu, Jun 28, 2012 at 7:34 PM, Andrei Petru Mura wrote:
>  id  | username |     attribute     | op | value
> -----+----------+-------------------+----+-------
>  167 | test1    | Password          | := | test1
>  168 | test1    | Max-Daily-Session | := | 60
>
> The problem is that every time when I authenticate for the first time per hour (because the sqlcounter is reset hourly), with username test1, I can access the services given by freeradius for an unlimited time.

That's not right.
- Did you read the wiki?
- Did you try to run FR in debug mode? Did it send the Session-Timeout attribute? Was it calculated correctly?
- Does your NAS honor the Session-Timeout attribute? IIRC some NAS (e.g. chillispot) ignore some attributes (e.g. Acct-Interim-Interval) if the value is too small (e.g. <= 60 seconds). That might be the case in your setup (although the attribute here is different).

--
Fajar
Re: Problems with sqlcounter module in FreeRADIUS 2.1.12
Andrei Petru Mura wrote:
> Now in my database. I have in the "radcheck" table two rows:
>
>  id  | username |     attribute     | op | value
> -----+----------+-------------------+----+-------
>  167 | test1    | Password          | := | test1

Please fix that. Really. It's been ~6 years that "Password :=" has been *documented* as being wrong. See the FAQ.

>  168 | test1    | Max-Daily-Session | := | 60
>
> The problem is that every time when I authenticate for the first time per hour (because the sqlcounter is reset hourly), with username test1, I can access the services given by freeradius for an unlimited time.

Blame the NAS.

> The sqlcounter is enabled only if after I log in the first time, log out and log in again. If I exceed the time specified in the radcheck table in the first login, at the second login (in the same hour), I cannot login again due to the sqlcounter that says that the time is up.
>
> Question: can anyone help me how to put the right settings in the database or FR's files so that the sqlcounter module will work from the first login?

Read the debug output. If the correct Session-Timeout is being returned, blame the NAS.

As *always* read the debug output. We really can't say that enough. Perhaps putting that in the "you have subscribed" notice to the list would make a difference?

Alan DeKok.
Re: FreeRADIUS SQL Ippool problem -
On Thu, Jun 28, 2012 at 7:26 PM, Michell wrote:
> Hello,
>
> Some time ago I was informed that ippool does not work properly with mysql.

It works just fine

> How is it now?
> I'm not sure what problems were occurring, but I was informed that it worked better and smoothly only in postgres.

IIRC from the discussion, postgres should perform better compared to mysql on the DEFAULT setup due to locking (or lack of it). Function-wise, both work fine. If your load is pretty light, OR you know how to adjust your mysql setup to avoid the locking issue, it should be irrelevant.

--
Fajar
Re: Would like to stop Interim Accounting being proxied
Hi Alan,

Thanks for the pointer. This is actually what I started with :(

I still get the error "Error: /etc/raddb/radiusd.conf[1433]: Line is not in 'attribute = value' format"; line 1433 is this actual 'if ((' line.

accounting {
    if ((Acct-Status-Type == Interim-Update) && (User-Name =~ /@docomo/)) {
        update control {
            Proxy-To-Realm := LOCAL
        }
    }
}

On 28/06/12 13:32, Alan DeKok wrote:
> That's wrong on a number of levels. The documentation says you can just refer to an attribute by name. And use '==':
>
> if ((Acct-Status-Type == Interim-Update) && (User-Name =~ /@domain/)) {
>     ...
> }

Steve
Re: FreeRADIUS SQL Ippool problem -
Michell wrote:
> Some time ago I was informed that ippool does not work properly with mysql. How is it now?

"someone somewhere said something". That's not helpful.

Read the documentation and examples distributed with FreeRADIUS. They give you the CORRECT answers. In this case, raddb/sql/mysql/ippool.*

Alan DeKok.
Problems with sqlcounter module in FreeRADIUS 2.1.12
I'm running FreeRADIUS in conjunction with PostgreSQL 9.1.

Snippet from radiusd.conf:

modules {
    ...
    $INCLUDE sql/postgresql/counter.conf
    ...
}

In my sql/postgresql/counter.conf, I have the following:

sqlcounter dailycounter {
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    reply-name = Session-Timeout
    sqlmod-inst = sql
    key = User-Name
    reset = hourly
    query = "SELECT SUM(AcctSessionTime - GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
}

Attention!!! The "dailycounter" has an hourly reset.

In sites-available/default, under the authorize section:

authorize {
    ...
    dailycounter
    ...
}

Now in my database. I have in the "radcheck" table two rows:

 id  | username |     attribute     | op | value
-----+----------+-------------------+----+-------
 167 | test1    | Password          | := | test1
 168 | test1    | Max-Daily-Session | := | 60

The problem is that every time when I authenticate for the first time per hour (because the sqlcounter is reset hourly), with username test1, I can access the services given by freeradius for an unlimited time. The sqlcounter is enabled only if after I log in the first time, log out and log in again. If I exceed the time specified in the radcheck table in the first login, at the second login (in the same hour), I cannot login again due to the sqlcounter that says that the time is up.

Question: can anyone help me how to put the right settings in the database or FR's files so that the sqlcounter module will work from the first login?
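An added example, not part of the post above, modelling what the "dailycounter" with reset = hourly computes for a Max-Daily-Session check item. Python with an in-memory sqlite3 database stands in for PostgreSQL; the radacct columns UserName, AcctStartTime and AcctSessionTime are the ones the post's query uses, but AcctStartTime is stored as epoch seconds (an assumption, so no ::ABSTIME::INT4 cast is needed) and sqlite's scalar MAX() replaces GREATEST(). The sample radacct rows and the clock value are constructed. It shows the two outcomes the poster describes: a first login in the period gets Session-Timeout = 60 (what the server returns; whether the NAS enforces it is the NAS's business), and a login after the allowance has been used up gets a reject.

```python
"""Added example (not code from the post): a stand-alone model of the
sqlcounter authorize step for reset = hourly.

sqlite3 stands in for PostgreSQL.  AcctStartTime is kept as epoch seconds
(assumption) and sqlite's scalar MAX(a, b) replaces GREATEST(a, b)."""
import sqlite3

RESET_HOURLY = 3600   # reset = hourly

# Same shape as the post's query: %b (start of the current reset period)
# and %k (the key, User-Name) become bound parameters.  Session time that
# was consumed before %b is clipped off by the MAX(...) term; sessions
# that ended before %b are excluded by the WHERE clause.
COUNTER_QUERY = """
SELECT COALESCE(SUM(AcctSessionTime - MAX(:period_start - AcctStartTime, 0)), 0)
FROM radacct
WHERE UserName = :user
  AND AcctStartTime + AcctSessionTime > :period_start
"""


def period_start(now, reset=RESET_HOURLY):
    """What sqlcounter expands %b to: the start of the current period."""
    return now - (now % reset)


def make_radacct(rows):
    """Build a radacct table from (UserName, AcctStartTime, AcctSessionTime) rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def seconds_used(conn, user, now):
    """Counter value: seconds `user` has consumed inside the current period."""
    params = {"user": user, "period_start": period_start(now)}
    (used,) = conn.execute(COUNTER_QUERY, params).fetchone()
    return int(used)


def sqlcounter(conn, user, max_session, now):
    """Model of rlm_sqlcounter in authorize for a user carrying the check item
    Max-Daily-Session = max_session.  Returns ("reject", None) when the
    allowance for this period is already used up, otherwise
    ("ok", Session-Timeout) with the remaining seconds."""
    used = seconds_used(conn, user, now)
    if used >= max_session:
        return "reject", None
    return "ok", max_session - used


if __name__ == "__main__":
    # Constructed data.  The clock reads 9000, so the period started at 7200.
    now = 9000
    conn = make_radacct([
        ("test1", 7300, 50),    # 50 s, entirely inside this period
        ("test2", 7000, 500),   # straddles %b: only 300 s count
        ("test3", 6000, 600),   # ended before %b: ignored
    ])
    for user in ("nobody", "test1", "test2", "test3"):
        print(user, sqlcounter(conn, user, 60, now))
```

The first-login case is "nobody" (no rows yet): the counter is 0, so the reply carries Session-Timeout = 60. "test2" has already burned 300 s of the current hour and is rejected. If a real server prints the same Session-Timeout in radiusd -X output and the session still runs unbounded, the limit is being ignored on the NAS side, which is the point both replies above make.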
Re: Would like to stop Interim Accounting being proxied
Steve Brown wrote:
> Reading the unlang man page, I've tried:
>
> accounting {
>   if ( ("%{Acct-Status-Type}" = "Interim-Update") &&
>        ("%{User-Name}" =~ "/@domain/") ) {

That's wrong on a number of levels. The documentation says you can just refer to an attribute by name. And use '==':

if ((Acct-Status-Type == Interim-Update) && (User-Name =~ /@domain/)) {
    ...
}

> But that causes the daemon to error out with
> "/etc/raddb/radiusd.conf[1433]: Line is not in 'attribute = value' format"
>
> What have I misunderstood?

Double-check line 1433?

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS SQl Ippool problem -
Hello,

Some time ago someone informed me that the ippool does not work properly with MySQL. How is it now? I'm not sure what problems were occurring, but I was informed that it worked better and smoothly only with Postgres. Has anyone succeeded with this scenario, FreeRADIUS / MySQL?

Thanks for listening,
Michell

2012/6/28 Fajar A. Nugraha
> On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian wrote:
> > Hi Guys,
> >
> > Im having a problem with Ippools with freeradius2 and i cant seem to get any
> > username to get an address from the pool.
> >
> > 90% of the usernames will have static IP's but i want a few to be in a pool
> > but i really am stumped - i tried putting
> >
> > username@realm Framed-Pool := EZPOOL
> >
> > into the radreply section and it gives me a reply when i test it #
>
> Please check the wiki, IIRC you should put it in radcheck, not
> radreply. And the attribute is Pool-Name, not Framed-Pool.
>
> > so i know is reading that - i then have a pool set up in radippool
>
> Also, IMHO you should just use rlm_sqlippool. It's easier to setup and
> debug.
>
> --
> Fajar
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Would like to stop Interim Accounting being proxied
Hi all,

I need to stop proxying Interim Accounting for a particular domain on our legacy FreeRADIUS 1.1.2 platform. Reading the unlang man page, I've tried:

accounting {
    if ( ("%{Acct-Status-Type}" = "Interim-Update") &&
         ("%{User-Name}" =~ "/@domain/") ) {
        update control {
            Proxy-To-Realm := LOCAL
        }
    }
}

But that causes the daemon to error out with
"/etc/raddb/radiusd.conf[1433]: Line is not in 'attribute = value' format"

What have I misunderstood?

Steve
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS SQl Ippool problem -
On Thu, Jun 28, 2012 at 7:08 PM, Fajar A. Nugraha wrote:
> On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian wrote:
>> so i know is reading that - i then have a pool set up in radippool
>
> Also, IMHO you should just use rlm_sqlippool. It's easier to setup and debug.

Sorry, I somehow read "radippool" as "rlm_ippool". If you use that table then you should use (or at least try to use) rlm_sqlippool already.

You probably just need to read the wiki: http://wiki.freeradius.org/Rlm_sqlippool

--
Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS SQl Ippool problem -
On Thu, Jun 28, 2012 at 7:03 PM, Taz Manian wrote:
> Hi Guys,
>
> Im having a problem with Ippools with freeradius2 and i cant seem to get any
> username to get an address from the pool.
>
> 90% of the usernames will have static IP's but i want a few to be in a pool
> but i really am stumped - i tried putting
>
> username@realm Framed-Pool := EZPOOL
>
> into the radreply section and it gives me a reply when i test it #

Please check the wiki, IIRC you should put it in radcheck, not radreply. And the attribute is Pool-Name, not Framed-Pool.

> so i know is reading that - i then have a pool set up in radippool

Also, IMHO you should just use rlm_sqlippool. It's easier to setup and debug.

--
Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
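As an added illustration of Fajar's two points (a sqlite3 simulation written for this page, not rlm_sqlippool's own queries; the lease length, the stickiness rule and the table columns are assumptions): rlm_sql turns radcheck rows into control items, so a Pool-Name in radcheck is something an allocator can act on, while Framed-Pool in radreply is only copied into the Access-Accept, which is exactly what the debug output in the original post shows. The allocator below looks up the user's Pool-Name, picks a free address from radippool for that pool, prefers an address the same user or device held before, leases it, and returns nothing when the user has no Pool-Name or the pool is exhausted. Names and addresses are constructed.

```python
"""Simulation of Pool-Name in radcheck feeding a sqlippool-style allocator (added example)."""
import sqlite3

NOW = 1_340_880_000   # constructed "current time", epoch seconds
LEASE = 3600          # assumed lease length in seconds


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """CREATE TABLE radcheck  (username TEXT, attribute TEXT, op TEXT, value TEXT);
           CREATE TABLE radreply  (username TEXT, attribute TEXT, op TEXT, value TEXT);
           CREATE TABLE radippool (pool_name TEXT, framedipaddress TEXT,
                                   expiry_time INTEGER, username TEXT,
                                   callingstationid TEXT);"""
    )
    # The original poster's setting: a reply item. The allocator never reads radreply.
    conn.execute("INSERT INTO radreply VALUES ('old@realm', 'Framed-Pool', ':=', 'EZPOOL')")
    # The advised setting: a check item, which rlm_sql puts into the control list.
    conn.executemany(
        "INSERT INTO radcheck VALUES (?, 'Pool-Name', ':=', 'EZPOOL')",
        [("user@realm",), ("second@realm",), ("third@realm",)],
    )
    # A two-address pool, constructed; no leases yet.
    conn.executemany(
        "INSERT INTO radippool VALUES ('EZPOOL', ?, NULL, NULL, NULL)",
        [("192.168.1.200",), ("192.168.1.201",)],
    )
    return conn


def control_pool_name(conn: sqlite3.Connection, username: str):
    """control:Pool-Name as derived from radcheck; radreply plays no part."""
    row = conn.execute(
        "SELECT value FROM radcheck WHERE username = ? AND attribute = 'Pool-Name'",
        (username,),
    ).fetchone()
    return row[0] if row else None


def allocate(conn: sqlite3.Connection, username: str, csi: str, now: int = NOW):
    """Hand out a free address from the user's pool, preferring one this user or
    this device held before, and lease it. Returns None when the user has no
    Pool-Name (the module would be a noop) or the pool is exhausted."""
    pool = control_pool_name(conn, username)
    if pool is None:
        return None
    row = conn.execute(
        """SELECT framedipaddress FROM radippool
           WHERE pool_name = ? AND (expiry_time IS NULL OR expiry_time < ?)
           ORDER BY (username IS NOT ?), (callingstationid IS NOT ?), expiry_time
           LIMIT 1""",
        (pool, now, username, csi),
    ).fetchone()
    if row is None:
        return None
    ip = row[0]
    conn.execute(
        """UPDATE radippool SET expiry_time = ?, username = ?, callingstationid = ?
           WHERE pool_name = ? AND framedipaddress = ?""",
        (now + LEASE, username, csi, pool, ip),
    )
    return ip


def release(conn: sqlite3.Connection, username: str, ip: str) -> int:
    """Accounting-Stop: end the lease but keep the username, so the next
    allocation for the same user prefers this address. Returns rows touched."""
    cur = conn.execute(
        "UPDATE radippool SET expiry_time = NULL WHERE username = ? AND framedipaddress = ?",
        (username, ip),
    )
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("old@realm   ->", allocate(db, "old@realm", "00-00-00-00-00-00"))   # None
    print("user@realm  ->", allocate(db, "user@realm", "00-11-22-33-44-55"))
    print("second@realm ->", allocate(db, "second@realm", "66-77-88-99-aa-bb"))
    print("third@realm ->", allocate(db, "third@realm", "cc-dd-ee-ff-00-11"))  # exhausted
```

The first call returns nothing even though old@realm has an EZPOOL row, because that row lives in radreply; the last returns nothing because both addresses are leased, which is the case to watch in radiusd -X when a pool is smaller than the number of concurrent users.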
FreeRADIUS SQl Ippool problem -
Hi Guys,

I'm having a problem with IP pools with freeradius2 and I can't seem to get any username to get an address from the pool. 90% of the usernames will have static IPs but I want a few to be in a pool, but I really am stumped. I tried putting

username@realm Framed-Pool := EZPOOL

into the radreply section and it gives me a reply when I test it:

# Standard Framed-Pool "EZPOOL"

so I know it is reading that. I then have a pool set up in radippool:

pool_name=EZPOOL FramedIPAddress=192.168.1.200 (I have more)

and my radiusd -X reply is:

# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "111"
[pap] Using clear text password "111"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> user@realm
[sql] sql_set_user escaped user --> 'username@realm'
[sql] expand: %{User-Password} -> 111
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'username@realm', '111', 'Access-Accept', '2012-06-28 10:59:37')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'username@realm', '111', 'Access-Accept', '2012-06-28 10:59:37')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 51 to 192.168.1.100 port 52433
        Framed-Pool := "EZPOOL"
        Cisco-AVPair := "lcp:interface-config=ip vrf forwarding BLAH"
        Cisco-AVPair += "lcp:interface-config=ip unnumbered Loopback1"
        Cisco-AVPair += "lcp:interface-config=mtu 1492"
        Service-Type := Framed-User
        Framed-Protocol := PPP
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 51 with timestamp +5
Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help needed to configure FreeRADIUS for eduroam
Hi,

> For some reason, it is working now, I did only tiny changes though.

well..you made changes... obviously they were beneficial

> - the differences between the WiKi
> https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus
> and the cookbook
> http://www.eduroam.org/downloads/docs/GN2-08-230-DJ5.1.5.3-eduroamCookbook.pdf.
> The configuration files are slightly different.

the wiki is up to date. the cookbook is printed material...and is from GEANT2 days - so older

> - the inner logic behind the virtual servers eduroam and server
> eduroam-inner-tunnel; how it is working; how packets are passed from
> one to the other.

the eduroam server passes EAP stuff into the eduroam inner-tunnel - just like, by default, the default server passes things into the inner-tunnel.. how does stuff go into the eduroam VS? well, usually via an entry in clients.conf which says to put traffic from a particular NAS into a particular virtual server

> - how to implement anonymous outer identity? What to configure in
> Radius? Is there any configuration needed in the suplicant?

the RADIUS server will just handle it - it will get to the EAP part and open the tunnel to see the good stuff inside. be aware that if you have made ANY assumptions about ID based on the outer ID then those can be abused/misconstrued. anonymous ID ability is based on the supplicant - some supplicants can set it, others can't. some can set a different realm in the outer ID, some can't.

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help needed to configure FreeRADIUS for eduroam
Hi,

Thank you to Stefan, Scot and Alan who took time to reply to me.

For some reason, it is working now, I did only tiny changes though.

What I still don't understand:
- the differences between the WiKi
https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus
and the cookbook
http://www.eduroam.org/downloads/docs/GN2-08-230-DJ5.1.5.3-eduroamCookbook.pdf.
The configuration files are slightly different.
- the inner logic behind the virtual servers eduroam and server
eduroam-inner-tunnel; how it is working; how packets are passed from
one to the other.
- how to implement anonymous outer identity? What to configure in
Radius? Is there any configuration needed in the supplicant?

Best regards,
Olivier

On Thu, Jun 28, 2012 at 1:21 PM, Stefan Winter wrote:
> Hi,
>
>> I am struggling to configure my FreeRADIUS server for eduroam
>> (www.eduroam.org), as I understood that some subscribers have done the
>> configuration successfully, I come here to get help.
>>
>> I have been running my FreeRADIUS server without problem for several
>> years, identifying to an openLdap backend.
>>
>> I managed to configure a test WiFi access point to identify with
>> 802.1x against that same radius/ldap server.
>>
>> But I have a problem to configure eduroam, so I would be glad if I
>> could see a working example.
>
> It would help if you told us *what* the problem is. Looking at what you
> write, you have a working FreeRADIUS, working openLDAP backend, and have
> configured it to do IEEE 802.1X on a WiFi access point.
>
> That is 99% of what eduroam needs. So, what's missing?
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Questions on the finer points of CUI
On 28.06.2012 09:07, Scott Armitage wrote:
> All,
>
> I was after some clarification about the implementation of CUI in freeRADIUS.
>
> My first point is the use of Client IP Address. I notice that client IP
> Address makes a regular appearance but I'm wondering whether it should.
> Looking at the cui.conf the post-auth insert adds the Client IP Address.
>
> postauth_query = "INSERT IGNORE INTO ${cui_table} \
> (clientipaddress, callingstationid, username, cui, lastaccounting) \
> VALUES \
> ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', \
> '%{reply:Chargeable-User-Identity}', NULL) ON DUPLICATE KEY UPDATE \
> lastaccounting='0000-00-00 00:00:00', \
> cui='%{reply:Chargeable-User-Identity}'";
>
> likewise the schema (in cui.sql) even has the Client IP Address as a primary
> key which to me seems wrong. In the world of eduroam my RADIUS server can
> proxy off to one of 3 National Proxies each will have a different Client IP
> Address, therefore a single client could have 3 entries in the cui table
> depending upon which National proxy dealt with the request. I don't see the
> point of the Client IP Address being in there. If each home server is using
> a salt (together with the operator name) then even the same username and
> calling station id will return a different CUI for different home servers.
> Maybe some could explain what I'm missing and why the Client IP Address is
> there?

The $cui_table is merely a helper table to bind returned CUI values from the home server during the *authentication* phase to a possible subsequent Accounting packet for that same session. It is logically maintained at the SP side of the transactions (i.e. towards Access Points and Controllers).

When doing auth, Calling-Station-Id and a User-Name are present in the request. The response contains the associated Chargeable-User-Identity, and may or may not contain a User-Name, and that User-Name may or may not be the same as the request had.

If the NAS doesn't bind auth-CUI to acct-CUI itself (which is true for most NASes), the SP-side RADIUS server needs to do guesswork to add the CUI attribute to the outgoing accounting request (for all such requests: starts, interims and stops). It can see the binding primarily by observing that the calling-station ID is the same. It can not use the User-Name in Accounting because some NASes use the value of an Access-Accept instead of the original value.

In principle, one could stop here. However, if a user moves from one NAS to another, he needs to reauthenticate and has the same Calling-Station-Id. This new authentication might get the same CUI or another (as you rightly note, the next request can go to a different home server, who might calculate his own CUI). In that case, there are two entries for the same Calling-Station-Id with different CUIs, and the server won't know which one to attach to the next outgoing Accounting-Request -> BAD.

That's why the Client-IP-Address is a secondary key: since we're talking SP-side, the client is the Access-Point or Controller, and the tuple of (CSI;Client-IP) makes the CUI value unique: this device *on this client* at a particular point in time.

You might argue that the user could close the session and then re-auth on the *same* NAS. That's true, but it is not a problem: if that previous session was closed "in order" with an Accounting-Stop, the temporary entry in $cui_table gets deleted, and the new session gets the new one. If not, since the key of CSI and Client-IP is identical, the new session overwrites the CUI value of the previous one.

This should also explain your subsequent queries below.

Greetings,

Stefan Winter

> Staying with the Client IP Address, my next point surrounds the Accounting.
> The cui.conf shows that accounting updates the table using Client IP Address
> in the search:
>
> accounting_start_query = "UPDATE ${cui_table} \
> SET \
> lastaccounting = CURRENT_TIMESTAMP \
> WHERE clientipaddress = '%{Client-IP-Address}' \
> AND callingstationid = '%{Calling-Station-Id}' \
> AND username = '%{User-Name}' \
> AND cui = '%{Chargeable-User-Identity}'";
>
> How would this work? The NAS doesn't know what the Client IP Address is and
> doesn't send it in Accounting packets.
>
> Finally, why does the Accounting stop for cui remove the cui from the
> database:
>
> accounting_stop_query = "DELETE FROM ${cui_table} WHERE \
> clientipaddress = '%{Client-IP-Address}' \
> AND callingstationid = '%{Calling-Station-Id}' \
> AND username = '%{User-Name}' \
> AND cui = '%{Chargeable-User-Identity}'";
>
> Surely I'd want to keep this? If 2 weeks later I get a copyright
> infringement notice for a client, I'd want the CUI when contacting the home
> site of the user.
>
> Thanks
>
> Scott Armitage
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/lis
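To make the key argument concrete, here is an added sqlite3 simulation of the SP-side helper table and its three queries. It is not FreeRADIUS's cui.conf or cui.sql; the key it assumes, Client-IP-Address plus Calling-Station-Id, is taken from the explanation above rather than from the shipped schema, and MySQL's INSERT IGNORE ... ON DUPLICATE KEY UPDATE is rendered as sqlite's INSERT OR REPLACE. One device, keeping its Calling-Station-Id, authenticates through AP 10.0.0.1 and then roams to AP 10.0.0.2, each auth possibly returning a different CUI; a re-auth on the first AP without a Stop overwrites that AP's binding; a Stop deletes it. On the question of where Client-IP-Address comes from in accounting: the NAS never sends it, FreeRADIUS adds it to every received packet, auth or accounting, with the address the packet came from, so the lookup is by (Client-IP-Address, Calling-Station-Id) and never by User-Name. Addresses, identities and CUI values are constructed.

```python
"""Simulation of the SP-side cui helper table from cui.conf (added example)."""
import sqlite3


def build_cui_table() -> sqlite3.Connection:
    # Assumed key: (clientipaddress, callingstationid), i.e. "this device on
    # this NAS", as described in the thread; the shipped cui.sql may differ.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE cui (
               clientipaddress  TEXT NOT NULL,
               callingstationid TEXT NOT NULL,
               username         TEXT NOT NULL,
               cui              TEXT NOT NULL,
               lastaccounting   INTEGER,
               PRIMARY KEY (clientipaddress, callingstationid))"""
    )
    return conn


def post_auth(conn, client_ip, csi, username, reply_cui) -> None:
    """postauth_query: bind the CUI the home server returned to (NAS, device).
    A re-auth on the same NAS without a Stop replaces the previous binding."""
    conn.execute(
        "INSERT OR REPLACE INTO cui VALUES (?, ?, ?, ?, NULL)",
        (client_ip, csi, username, reply_cui),
    )


def cui_for_accounting(conn, client_ip, csi):
    """Which CUI to attach to an outgoing Accounting-Request from this NAS for
    this device. User-Name is deliberately not part of the lookup: some NASes
    echo the Access-Accept's User-Name rather than the one the user sent."""
    row = conn.execute(
        "SELECT cui FROM cui WHERE clientipaddress = ? AND callingstationid = ?",
        (client_ip, csi),
    ).fetchone()
    return row[0] if row else None


def accounting_start(conn, client_ip, csi, cui, now) -> int:
    """accounting_start_query: record that accounting began for this binding.
    Returns the number of rows matched (0 means a stale or unknown CUI)."""
    cur = conn.execute(
        """UPDATE cui SET lastaccounting = ?
           WHERE clientipaddress = ? AND callingstationid = ? AND cui = ?""",
        (now, client_ip, csi, cui),
    )
    return cur.rowcount


def accounting_stop(conn, client_ip, csi, cui) -> int:
    """accounting_stop_query: the binding is only needed for the session's
    lifetime; the long-term record of which CUI a session had is what the
    CUI-tagged rows in radacct are for, not this helper table."""
    cur = conn.execute(
        """DELETE FROM cui
           WHERE clientipaddress = ? AND callingstationid = ? AND cui = ?""",
        (client_ip, csi, cui),
    )
    return cur.rowcount


def row_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM cui").fetchone()[0]


if __name__ == "__main__":
    # Constructed scenario: one device roams from AP 10.0.0.1 to AP 10.0.0.2.
    db = build_cui_table()
    mac = "00-11-22-33-44-55"
    post_auth(db, "10.0.0.1", mac, "anon@example.edu", "cui-A")
    post_auth(db, "10.0.0.2", mac, "anon@example.edu", "cui-B")
    print("acct from 10.0.0.1 gets", cui_for_accounting(db, "10.0.0.1", mac))
    print("acct from 10.0.0.2 gets", cui_for_accounting(db, "10.0.0.2", mac))
    post_auth(db, "10.0.0.1", mac, "anon@example.edu", "cui-C")   # re-auth, no Stop
    print("acct from 10.0.0.1 now gets", cui_for_accounting(db, "10.0.0.1", mac))
    accounting_stop(db, "10.0.0.1", mac, "cui-C")
    print("rows left after Stop:", row_count(db))
```

Without Client-IP-Address in the key, the two post_auth calls for the roaming device would collide on Calling-Station-Id alone and the second would overwrite the first, leaving accounting from AP 10.0.0.1 tagged with the wrong CUI.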
Re: Help needed to configure FreeRADIUS for eduroam
Hi,

> I have been running my FreeRADIUS server without problem for several
> years, identifying to an openLdap backend.
>
> I managed to configure a test WiFi access point to identify with
> 802.1x against that same radius/ldap server.
>
> But I have a problem to configure eduroam, so I would be glad if I
> could see a working example.

you need to look at the output of 'radiusd -X' to see what is going on with your server and why it is failing.

regarding eduroam - if you already have working 802.1X locally (which I'm not sure from your message as your OpenLDAP/RADIUS combo could have been just PAP authentication) - then all you need to do for eduroam is have some unlang which checks the realm and if it's not your realm, then send it to a proxy pool (configure proxy.conf) - which will send the request to remote RADIUS servers that you will be told about by your federation operator, and for you to add those remote RADIUS servers as clients (clients.conf or NAS table in SQL) so that requests for you can be sent to you.

you might want to also look at the eduroam confluence WIKI for help/advice/pointers
https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Questions on the finer points of CUI
All,

I was after some clarification about the implementation of CUI in freeRADIUS.

My first point is the use of Client IP Address. I notice that client IP Address makes a regular appearance but I'm wondering whether it should. Looking at the cui.conf the post-auth insert adds the Client IP Address.

postauth_query = "INSERT IGNORE INTO ${cui_table} \
    (clientipaddress, callingstationid, username, cui, lastaccounting) \
    VALUES \
    ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', \
    '%{reply:Chargeable-User-Identity}', NULL) ON DUPLICATE KEY UPDATE \
    lastaccounting='0000-00-00 00:00:00', \
    cui='%{reply:Chargeable-User-Identity}'";

likewise the schema (in cui.sql) even has the Client IP Address as a primary key which to me seems wrong. In the world of eduroam my RADIUS server can proxy off to one of 3 National Proxies each will have a different Client IP Address, therefore a single client could have 3 entries in the cui table depending upon which National proxy dealt with the request. I don't see the point of the Client IP Address being in there. If each home server is using a salt (together with the operator name) then even the same username and calling station id will return a different CUI for different home servers. Maybe some could explain what I'm missing and why the Client IP Address is there?

Staying with the Client IP Address, my next point surrounds the Accounting. The cui.conf shows that accounting updates the table using Client IP Address in the search:

accounting_start_query = "UPDATE ${cui_table} \
    SET \
    lastaccounting = CURRENT_TIMESTAMP \
    WHERE clientipaddress = '%{Client-IP-Address}' \
    AND callingstationid = '%{Calling-Station-Id}' \
    AND username = '%{User-Name}' \
    AND cui = '%{Chargeable-User-Identity}'";

How would this work? The NAS doesn't know what the Client IP Address is and doesn't send it in Accounting packets.

Finally, why does the Accounting stop for cui remove the cui from the database:

accounting_stop_query = "DELETE FROM ${cui_table} WHERE \
    clientipaddress = '%{Client-IP-Address}' \
    AND callingstationid = '%{Calling-Station-Id}' \
    AND username = '%{User-Name}' \
    AND cui = '%{Chargeable-User-Identity}'";

Surely I'd want to keep this? If 2 weeks later I get a copyright infringement notice for a client, I'd want the CUI when contacting the home site of the user.

Thanks

Scott Armitage
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html