Re: Huntgroups checking in MySQL radgroupcheck
On Wed, 05/06/2013 at 13:41 -0400, Alan DeKok wrote:
> Marco Marzetti wrote:
>> Also, if I understand it correctly, it makes sense to me since == is a filtering operator while := adds the attribute to the list for further checking.
>> Anyway, I've updated the record above, putting :=, and it doesn't work.
>
> It depends what you want to do. I thought you had said you wanted to *set* the huntgroups in SQL. If so, := is the correct thing to use. If you're just checking it, == is the right one.

Yes. I'm checking for a match between the NAS-IP-Address and the specified username. So, if user foo sends an authentication request through NAS 192.0.2.1, FreeRADIUS should check if that NAS-IP-Address matches the ones associated with the Huntgroup named APPARATI.

> The huntgroups are set in the huntgroups file. Have you looked there?

As said, the filter works if the user's Huntgroup-Name is set in the radcheck table, and it doesn't if it is set in the radgroupcheck one.

> Alan DeKok.

Thank you,
Marco

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP error with Freeradius 3.0
Hello,

I have a problem with mschap authentication and the external program ntlm_auth. With Freeradius 2.2 I haven't any problem but after upgrade to Freeradius 3, the output of this program was wrong and EAP failed.

The output is very strange:

[inline: 0E165810.gif]

Any ideas?
Re: Service Provisioning Using AAA (FreeRadius)
Greetings Everyone,

My goal is to use only ONE A (Authorization Only) as starting of FR implementation. I do have a different system to authenticate users. Plan is to replace that with FR but one step at a time.

I tried with the following virtual server to accept everyone. With that done, everyone is accepted, regardless of whether the user exists in MySQL_DB or not. And the reply message is sent correctly as well.

*Check Items in unlang code:*

1.) Login time is verified correctly - if a user attempts to access outside of the time slot, then rejected, else accepted. (First Attribute Works)
2.) Everyone is accepted (Second Attribute also Works)
3.) Users are not disconnected after 10 minutes (Third Attribute does not work)

*Reply Items in unlang code:*

1.) Users are successfully redirected to the URL specified for WISPr-Redirection-URL (First Reply Item Works)
2.) Users are not disconnected after 10 minutes (Second Attribute does not work)

    server accept_everyone {
        authorize {
            # If user not present in MySQL Database still allow them access
            # Only Between 10:00 and 12:59PM
            # File Module Returns noop sql Module Returns notfound
            #files
            #if(noop) {
            sql
            if(notfound) {
                update control {
                    Login-Time := 'Any1000-1259'
                    Auth-Type := Accept
                    Max-All-Session := 600
                }
            }
            # Redirect Everyone To Yale Website
            update reply {
                WISPr-Redirection-URL := http://www.yale.edu;
                Max-All-Session := 600
            }
        }
        authenticate {
            Auth-Type PAP {
                pap
            }
        }
    }
    pap
    logintime
    forevertimecounter
    ## Authorization Area ENDs Here

Can someone give a little hint? Only a hint would be enough, I will study the rest. Is it even possible to control that (Max-All-Session) using unlang code?

Thanks / Regards
--RM

On Wed, Jun 5, 2013 at 4:17 PM, Alan DeKok al...@deployingradius.com wrote:
> Russell Mike wrote:
>> Hi John Alan, Kindly clarify
>
> This isn't a private list. Messages should NOT be addressed to individual people. Just reply to a message. It's simpler, and more polite.
>
>> Does this mean, it is possible to use only authorize function of FR and process all authentication requests with following virtual server?
>
> Did you try it? What does it do?
>
> Alan DeKok.
Re: EAP error with Freeradius 3.0
nicolas@ricoh-industrie.fr wrote:
> Hello, I have a problem with mschap authentication and the external program ntlm_auth. With Freeradius 2.2 I haven't any problem but after upgrade to Freeradius 3, the output of this program was wrong and EAP failed. The output is very strange :

Please post text. There is *no* reason to post images.

> Any ideas ?

It means that the system was unable to run ntlm_auth for some reason. Why, I don't know.

Alan DeKok.
module-failure-message in exec module
Hi all,

Trying to use the provided ntlm_auth exec module to authenticate users where the NAS uses pap, which works fine. I just want to improve my error reporting and pick up the return string from the failure of the module, e.g.:

    Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)

Looking around on the internet it seems I might use something like:

    Auth-Type NTLM_AUTH {
        ntlm_auth
        if (ok) {
        }
        else {
            update reply {
                reply-message += %{Module-Failure-Message}
            }
        }
    }

But the else statement never seems to get processed:

    Exec output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
    Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
    [ntlm_auth] Exec: program returned: 1
    ++[ntlm_auth] returns reject
    Using Post-Auth-Type REJECT
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group REJECT {...}

Questions are - does the exec module return to the Module-Failure-Message variable or another I can use, and why doesn't it process the subsection of the auth-type section on failure?

Thanks
Andy
Re: module-failure-message in exec module
On 06/06/13 16:48, Franks Andy (RLZ) IT Systems Engineer wrote:
> Questions are – does the exec module return to the Module-Failure-Message variable or another I can use, and why doesn’t

No, sorry. mschap does when it does the internal exec, but the exec module does not.

You might be able to emulate this by wrapping your script and echoing the VPs on stdout.

> it process the subsection of the auth-type section on failure?

That's the default return codes - see doc/configurable_failover{,.rst}
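
Added example, not part of the original thread and not FreeRADIUS project code: one way to do the wrapping suggested in the reply above. The wrapper runs the helper and, on failure, echoes the first line of its output as a Reply-Message pair on stdout, escaping quotes and backslashes so the helper's text cannot introduce extra attribute pairs. It assumes the exec module instance is configured to read attribute pairs from the program's stdout into the reply list; the function names run_wrapped and sanitize_value are hypothetical.

```shell
#!/bin/sh
# Added example: wrap an exec-module helper (such as ntlm_auth) so that its
# failure text reaches the NAS as a Reply-Message attribute pair.
# Invocation (assumed): this-script /path/to/helper <helper args...>

# Make helper output safe inside a double-quoted attribute value:
# keep only the first line, drop control characters, escape \ and ".
sanitize_value() {
    printf '%s' "$1" | head -n 1 | tr -d '\000-\037\177' |
        sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Run the helper given as "$@". On a non-zero exit, print one attribute
# pair on stdout. The helper's exit status is passed through unchanged,
# so the module still returns reject on failure.
run_wrapped() {
    out=$("$@" 2>&1)
    code=$?
    if [ "$code" -ne 0 ]; then
        printf 'Reply-Message += "%s"\n' "$(sanitize_value "$out")"
    fi
    return "$code"
}

# When invoked as a script with arguments, wrap that command.
if [ "$#" -gt 0 ]; then
    run_wrapped "$@"
    exit $?
fi
```

On success nothing is printed, so the reply list is only touched when the helper fails.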
noresetcounter
Hello all,

I'm trying to use rlm_sqlcounter to disable login once time exceeded together with unlang to set Session-Timeout. I can get either to work but having trouble getting both to work. Right now the Session-Timeout (computed below in the post auth section) works fine.

    update reply {
        Session-Timeout := %{expr: %{check:Max-All-Session-Time}-%{sql:select sum(acctsessiontime) from radacct where username='%{User-Name}'}}
    }

The radacct table is populated and the session timeout is computed properly across logins. But the check provided by the below setup fails to prevent login (auth) when the time goes to zero.

    sqlcounter noresetcounter {
        counter-name = Max-All-Session-Time
        check-name = Max-All-Session
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'
    }

My test radcheck table looks like:

    mysql> select * from radcheck;
    +----+----------+----------------------+----+---------+
    | id | username | attribute            | op | value   |
    +----+----------+----------------------+----+---------+
    |  1 | wrs      | Cleartext-Password   | := | test123 |
    |  2 | wrs      | Max-All-Session-Time | := | 600     |
    +----+----------+----------------------+----+---------+

I can provide the whole radiusd -X log if this is not enough info.

Bill
Re: noresetcounter
Never mind. I did not have noresetcounter in the authorize section. This in turn caused me to use the wrong check variable (Max-All-Session-Time instead of Max-All-Session) as the right one wasn't known (because the noresetcounter wasn't known to 'authorize').

Anyway. My apologies for the false alarm.

On 6/6/2013 4:20 PM, Bill wrote:
> Hello all,
>
> I'm trying to use rlm_sqlcounter to disable login once time exceeded together with unlang to set Session-Timeout. I can get either to work but having trouble getting both to work. Right now the Session-Timeout (computed below in the post auth section) works fine.
>
>     update reply {
>         Session-Timeout := %{expr: %{check:Max-All-Session-Time}-%{sql:select sum(acctsessiontime) from radacct where username='%{User-Name}'}}
>     }
>
> The radacct table is populated and the session timeout is computed properly across logins. But the check provided by the below setup fails to prevent login (auth) when the time goes to zero.
>
>     sqlcounter noresetcounter {
>         counter-name = Max-All-Session-Time
>         check-name = Max-All-Session
>         sqlmod-inst = sql
>         key = User-Name
>         reset = never
>         query = SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'
>     }
>
> My test radcheck table looks like:
>
>     mysql> select * from radcheck;
>     +----+----------+----------------------+----+---------+
>     | id | username | attribute            | op | value   |
>     +----+----------+----------------------+----+---------+
>     |  1 | wrs      | Cleartext-Password   | := | test123 |
>     |  2 | wrs      | Max-All-Session-Time | := | 600     |
>     +----+----------+----------------------+----+---------+
>
> I can provide the whole radiusd -X log if this is not enough info.
>
> Bill
FreeRadius with Jradius module
Hi All,

Currently we are planning to use FreeRadius with Jradius server. But I find Jradius is not well supported by FreeRadius. We have to copy jradius.conf and rlm_jradius.c from Jradius package to FreeRadius package to build the module. Furthermore many FreeRadius versions do not support Jradius at all.

So I'd like to see if any people have the same problem with me? And how do you handle this? And I would like to know if Jradius would be supported in later releases?

Thanks,
Eric
Re: FreeRadius with Jradius module
On 6 Jun 2013, at 22:13, ZHOU Eric JP eric.jp.z...@alcatel-lucent.com wrote:
> Hi All,
>
> Currently we are planning to use FreeRadius with Jradius server. But I find Jradius is not well supported by FreeRadius. We have to copy jradius.conf and rlm_jradius.c from Jradius package to FreeRadius package to build the module.

Or you know, build the server from source, that works too.

> Furthermore many FreeRadius versions do not support Jradius at all.

Um. It's been included in releases for the past four years.

> So I'd like to see if any people have the same problem with me? And how do you handle this? And I would like to know if Jradius would be supported in later releases?

Well it's been removed entirely from version 3 pending a rewrite... Would you like to volunteer?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
RE: FreeRadius with Jradius module
I am a little new to this group, so I am afraid I can not do much, but I do like to contribute if I could. Also I might have questions which we can share/study together.

-----Original Message-----
From: freeradius-users-bounces+eric.jp.zhou=alcatel-lucent@lists.freeradius.org [mailto:freeradius-users-bounces+eric.jp.zhou=alcatel-lucent@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: June 7, 2013 10:59
To: FreeRadius users mailing list
Cc: qdlcp-secur...@list.alcatel-lucent.com
Subject: Re: FreeRadius with Jradius module

On 6 Jun 2013, at 22:13, ZHOU Eric JP eric.jp.z...@alcatel-lucent.com wrote:
> Hi All,
>
> Currently we are planning to use FreeRadius with Jradius server. But I find Jradius is not well supported by FreeRadius. We have to copy jradius.conf and rlm_jradius.c from Jradius package to FreeRadius package to build the module.

Or you know, build the server from source, that works too.

> Furthermore many FreeRadius versions do not support Jradius at all.

Um. It's been included in releases for the past four years.

> So I'd like to see if any people have the same problem with me? And how do you handle this? And I would like to know if Jradius would be supported in later releases?

Well it's been removed entirely from version 3 pending a rewrite... Would you like to volunteer?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team