Re: Access-Accept if user exists in database

2012-01-30 Thread Alexandre Chapellon

Just make your user radcheck sql query return:

User-Name = "scott"
Auth-Type := Accept


That should be enough.

On 30/01/2012 13:51, Mika wrote:

Hello.
Running 2.1.10 with virtual-servers configured with many port
configurations, sql modules loaded and working.
The idea for this new port is:
Users authenticating with smartcards that get checked outside the FreeRadius
and we want to permit/deny access if the user-name does or does not exist in
a SQL database.
This means no User-Password checking.
We have the NAS configured so it will send the user-name and an empty or a bogus
password in the Access-Request for each User-Name.
I would like to add a port configuration that checks the above.
My unlang skills are limited so I am hoping for some good pointers here.
Something like:

authorize {
    update request {
        Tmp-String-0 := "%{sql:select User FROM table where }"
    }
    if (User-Name == "%{Tmp-String-0}") {
        update control {
            Auth-Type := Accept
        }
    }
    else {
        reject
    }
}

There are probably easier ways of doing this?
Is this possible or is the User-Password required for every authentication?
Any help appreciated.

Regards
Mika


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Access-Accept-if-user-exists-in-database-tp5441329p5441329.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
<http://www.horoa.net>

Alexandre Chapellon

Open source systems and network engineering.
Follow me on twitter: @alxgomz <http://www.twitter.com/alxgomz>

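An added example, not code from the post or from FreeRADIUS, modelling what the suggested radcheck rows do: a simplified version of rlm_sql's handling of radcheck (`:=` rows become control items, `==` rows are check items that must match the request, otherwise the module reports notfound) followed by the accept/reject decision. It shows that with `Auth-Type := Accept` the User-Password is never inspected, so a user is accepted as soon as the name exists; the NAS-IP-Address check item that restricts the password-less accept to the NAS that actually verified the smartcard is an assumption added here, and all rows are constructed samples.

```python
"""Simplified model of rlm_sql radcheck processing (added example, not
FreeRADIUS code). The rcodes and the rlm_pap step are approximations of
the real server's behaviour, kept only as far as the Auth-Type := Accept
question needs them."""
import sqlite3

RADCHECK_ROWS = [
    # constructed sample rows in the stock radcheck layout
    ("scott", "Auth-Type", ":=", "Accept"),            # exists -> accept, no password check
    ("scott", "NAS-IP-Address", "==", "192.0.2.10"),   # assumption: the smartcard NAS
    ("alice", "Cleartext-Password", ":=", "s3cret"),   # ordinary password user
]


def open_db():
    """In-memory radcheck table holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT)")
    db.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)", RADCHECK_ROWS)
    return db


def sql_authorize(db, request):
    """Mimic the radcheck part of rlm_sql's authorize.

    request: dict of request attributes (User-Name, User-Password, NAS-IP-Address...).
    Returns (rcode, control): rcode is 'ok' or 'notfound', control holds the
    ':=' items the query produced.
    """
    rows = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ?",
        (request["User-Name"],)).fetchall()
    if not rows:
        return "notfound", {}
    control = {}
    for attribute, op, value in rows:
        if op == "==":
            # check item: compared against the request, never sent anywhere
            if request.get(attribute) != value:
                return "notfound", {}
        elif op == ":=":
            control[attribute] = value
        else:
            raise ValueError(f"operator {op!r} not modelled here")
    return "ok", control


def decide(db, request):
    """Authorize + authenticate outcome: 'Access-Accept' or 'Access-Reject'."""
    rcode, control = sql_authorize(db, request)
    if rcode != "ok":
        return "Access-Reject"            # unknown user or check item mismatch
    if control.get("Auth-Type") == "Accept":
        return "Access-Accept"            # password bypass: existence is enough
    if "Cleartext-Password" in control:   # roughly what rlm_pap would do
        if request.get("User-Password") == control["Cleartext-Password"]:
            return "Access-Accept"
        return "Access-Reject"
    return "Access-Reject"                # no Auth-Type and nothing to check against
```

The `==` row is the part worth keeping in mind: without it, any client allowed to talk to that virtual server can get an Access-Accept for "scott" with any password, so the bypass should be scoped to the smartcard NAS (by check item, or by giving that NAS its own virtual server).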


Re: freeradius+openvpn disconnect user from radius

2012-01-05 Thread Alexandre Chapellon
First we should know if openvpn is able to create a vpn session for a 
certain amount of time and then disconnect the user once the time has expired... 
I am not sure openvpn has such a feature... If it doesn't, that means the 
openvpn code would also need to be hacked.


This thread is slightly becoming off-topic, maybe people interested in 
it should continue the discussion elsewhere or via direct mail exchanges?


On 05/01/2012 14:45, Azfar Hashmi wrote:

Thanks for the clarification. So nobody has been able to change the code and
create any patch so far? And can we do it via the vendor-specific
attributes trick?

On 1/5/2012 6:30 PM, Alexandre Chapellon wrote:

 From the ./UserAuth.cpp file in the radiusplugin code:

/**The method send an authentication packet to the radius server and
  * calls the method parseResponsePacket(). The following attributes
are in the packet:
  * - User_Name,
  * - User_Password
  * - NAS_PortCalling_Station_Id,
  * - NAS_Identifier,
  * - NAS_IP_Address,
  * - NAS_Port_Type
  * - Service_Type.
  * @param context The context of the background process.
  * @return An integer, 0 if the authentication succeded, else 1.*/

Nothing about processing timeout...

On 05/01/2012 14:00, Azfar Hashmi wrote:

pptp and l2tp are working fine. If I look at the radiusplugin source code, these
things are defined there, e.g. session-timeout and idle-timeout, but since
I am not good at programming I have no idea why they are there. Can anyone
confirm why they are in the code if not supported? I am on v2.1a b1

On 1/5/2012 11:17 AM, Azfar Hashmi wrote:

I am gonna try it now.

On 1/4/2012 5:49 PM, Alexandre Chapellon wrote:

pptp does it very well (at least poptop does). Never tried with L2TP
itself but I know ppp sessions inside L2TP tunnels work as
expected... but that only means pppd works ok with session-timeout.

Regards.

On 04/01/2012 12:19, Azfar Hashmi wrote:

One more related question. I have to test this with pptp and l2tp
also,
do they support it?

On 1/4/2012 4:14 PM, Azfar Hashmi wrote:

Hi Alexandre,

Thanks for sharing your experience.

On 1/4/2012 4:02 PM, Alexandre Chapellon wrote:

I tried to set up exactly the same thing a while ago using the
radiusplugin for openvpn.
It just doesn't work! Looking at the code of the radiusplugin I could
not find anything that handles the Session-Timeout attribute (I didn't
try
with Acct-Session-Timeout but didn't see anything either).
Even if you try to hack the plugin (which looks quite simple), I'm
not
sure openvpn has any mechanism that would allow it to terminate a
connection after a specified duration (except monitoring connection
duration with the telnet interface, a real pain).
I asked on the mailing list of radiusplugin, which is even lower
traffic, and gave up. Maybe asking about openvpn being able to
disconnect based on time could be a question to start a thread in the
openvpn general ML.

regards.

P.S: I'd be glad to hear about it if you succeed in doing that! ;)

On 04/01/2012 10:41, Azfar Hashmi wrote:

I did but the list has very low activity. Only a few posts in
numerous
days there.

On 1/4/2012 1:32 PM, Fajar A. Nugraha wrote:

On Wed, Jan 4, 2012 at 3:18 PM, Azfar Hashmi wrote:

Can anyone confirm that openvpn supports
session-timeout/acct-session-timeout? I want radius to tell my
NAS to
disconnect users once they reach their expiration. Currently it's
not
working.

Did you ask in openvpn list? It should be a more suitable
place for
this question, and AFAIK the answer is no.




Re: freeradius+openvpn disconnect user from radius

2012-01-05 Thread Alexandre Chapellon

From the ./UserAuth.cpp file in the radiusplugin code:

/**The method send an authentication packet to the radius server and
 * calls the method parseResponsePacket(). The following attributes are 
in the packet:

 * - User_Name,
 * - User_Password
 * - NAS_PortCalling_Station_Id,
 * - NAS_Identifier,
 * - NAS_IP_Address,
 * - NAS_Port_Type
 * - Service_Type.
 * @param context The context of the background process.
 * @return An integer, 0 if the authentication succeded, else 1.*/

Nothing about processing timeout...

On 05/01/2012 14:00, Azfar Hashmi wrote:

pptp and l2tp are working fine. If I look at the radiusplugin source code, these
things are defined there, e.g. session-timeout and idle-timeout, but since
I am not good at programming I have no idea why they are there. Can anyone
confirm why they are in the code if not supported? I am on v2.1a b1

On 1/5/2012 11:17 AM, Azfar Hashmi wrote:

I am gonna try it now.

On 1/4/2012 5:49 PM, Alexandre Chapellon wrote:

pptp does it very well (at least poptop does). Never tried with L2TP
itself but I know ppp sessions inside L2TP tunnels work as
expected... but that only means pppd works ok with session-timeout.

Regards.

On 04/01/2012 12:19, Azfar Hashmi wrote:

One more related question. I have to test this with pptp and l2tp also,
do they support it?

On 1/4/2012 4:14 PM, Azfar Hashmi wrote:

Hi Alexandre,

Thanks for sharing your experience.

On 1/4/2012 4:02 PM, Alexandre Chapellon wrote:

I tried to set up exactly the same thing a while ago using the
radiusplugin for openvpn.
It just doesn't work! Looking at the code of the radiusplugin I could
not find anything that handles the Session-Timeout attribute (I didn't try
with Acct-Session-Timeout but didn't see anything either).
Even if you try to hack the plugin (which looks quite simple), I'm not
sure openvpn has any mechanism that would allow it to terminate a
connection after a specified duration (except monitoring connection
duration with the telnet interface, a real pain).
I asked on the mailing list of radiusplugin, which is even lower
traffic, and gave up. Maybe asking about openvpn being able to
disconnect based on time could be a question to start a thread in the
openvpn general ML.

regards.

P.S: I'd be glad to hear about it if you succeed in doing that! ;)

On 04/01/2012 10:41, Azfar Hashmi wrote:

I did but the list has very low activity. Only a few posts in numerous
days there.

On 1/4/2012 1:32 PM, Fajar A. Nugraha wrote:

On Wed, Jan 4, 2012 at 3:18 PM, Azfar Hashmi wrote:

Can anyone confirm that openvpn supports
session-timeout/acct-session-timeout? I want radius to tell my
NAS to
disconnect users once they reach their expiration. Currently it's
not
working.

Did you ask in openvpn list? It should be a more suitable place for
this question, and AFAIK the answer is no.




Re: freeradius+openvpn disconnect user from radius

2012-01-04 Thread Alexandre Chapellon
pptp does it very well (at least poptop does). Never tried with L2TP 
itself but I know ppp sessions inside L2TP tunnels work as expected... 
but that only means pppd works ok with session-timeout.


Regards.

On 04/01/2012 12:19, Azfar Hashmi wrote:

One more related question. I have to test this with pptp and l2tp also,
do they support it?

On 1/4/2012 4:14 PM, Azfar Hashmi wrote:

Hi Alexandre,

Thanks for sharing your experience.

On 1/4/2012 4:02 PM, Alexandre Chapellon wrote:

I tried to set up exactly the same thing a while ago using the
radiusplugin for openvpn.
It just doesn't work! Looking at the code of the radiusplugin I could
not find anything that handles the Session-Timeout attribute (I didn't try
with Acct-Session-Timeout but didn't see anything either).
Even if you try to hack the plugin (which looks quite simple), I'm not
sure openvpn has any mechanism that would allow it to terminate a
connection after a specified duration (except monitoring connection
duration with the telnet interface, a real pain).
I asked on the mailing list of radiusplugin, which is even lower
traffic, and gave up. Maybe asking about openvpn being able to
disconnect based on time could be a question to start a thread in the
openvpn general ML.

regards.

P.S: I'd be glad to hear about it if you succeed in doing that! ;)

On 04/01/2012 10:41, Azfar Hashmi wrote:

I did but the list has very low activity. Only a few posts in numerous
days there.

On 1/4/2012 1:32 PM, Fajar A. Nugraha wrote:

On Wed, Jan 4, 2012 at 3:18 PM, Azfar Hashmi wrote:

Can anyone confirm that openvpn supports
session-timeout/acct-session-timeout? I want radius to tell my NAS to
disconnect users once they reach their expiration. Currently it's not
working.

Did you ask in openvpn list? It should be a more suitable place for
this question, and AFAIK the answer is no.




Re: freeradius+openvpn disconnect user from radius

2012-01-04 Thread Alexandre Chapellon
I tried to set up exactly the same thing a while ago using the 
radiusplugin for openvpn.
It just doesn't work! Looking at the code of the radiusplugin I could not 
find anything that handles the Session-Timeout attribute (I didn't try with 
Acct-Session-Timeout but didn't see anything either).
Even if you try to hack the plugin (which looks quite simple), I'm not 
sure openvpn has any mechanism that would allow it to terminate a 
connection after a specified duration (except monitoring connection 
duration with the telnet interface, a real pain).
I asked on the mailing list of radiusplugin, which is even lower traffic, 
and gave up. Maybe asking about openvpn being able to disconnect based 
on time could be a question to start a thread in the openvpn general ML.


regards.

P.S: I'd be glad to hear about it if you succeed in doing that! ;)

On 04/01/2012 10:41, Azfar Hashmi wrote:

I did but the list has very low activity. Only a few posts in numerous
days there.

On 1/4/2012 1:32 PM, Fajar A. Nugraha wrote:

On Wed, Jan 4, 2012 at 3:18 PM, Azfar Hashmi wrote:

Can anyone confirm that openvpn supports
session-timeout/acct-session-timeout? I want radius to tell my NAS to
disconnect users once they reach their expiration. Currently it's not
working.

Did you ask in openvpn list? It should be a more suitable place for
this question, and AFAIK the answer is no.




Re: Radius Client vs. Radius Client-NG

2011-12-08 Thread Alexandre Chapellon

read this: http://freeradius.org/freeradius-client/

from the link below:
In late 2006 it was decided that the FreeRADIUS Project should adopt the 
latest code from radiusclient-ng cvs as the basis of a new FreeRADIUS 
client package.


I personally use radiusclient-ng

On 08/12/2011 19:18, Nick Khamis wrote:

Hello Everyone,

When installing the client, some documentation points to:

radiusclient-ng 0.5.6:
http://developer.berlios.de/projects/radiusclient-ng/, and
freeradius-client-1.1.6.tar: ftp://ftp.freeradius.org/pub/freeradius/

Is there a difference between the two? Is one recommended or have benefits over
the other?

Thanks in Advance,

Nicholas.


Re: annoying stop retransmissions.

2011-12-01 Thread Alexandre Chapellon



On 29/11/2011 14:02, Phil Mayers wrote:

On 29/11/11 12:04, Fajar A. Nugraha wrote:


It may be suitable to work around some db limitation. If the db can't
do INSERT ... ON DUPLICATE KEY UPDATE, you might get away with INSERT
on the main query and UPDATE on _alt. However we use mysql (which
supports the syntax just fine) and don't want the extra query which
adds load to the db server (the _alt part), so I just remove them.


We don't use the built-in "sql" module accounting queries; but the 
_alt queries are important for exactly this reason, particularly with 
e.g. postgres. I think using module failover for this would be 
cumbersome; you'd have to have quite a few SQL instances AFAICT to 
replicate this behaviour.
I agree, I originally found an Oracle page talking about the 'insert on 
duplicate key update' statement and so supposed Oracle supported this... 
Unfortunately I didn't notice that this Oracle page was about... mysql 
(now Oracle property)!
So Oracle is like postgres and needs the _alt queries. A similar 
behaviour seems to be achievable using the MERGE statement... need to take 
a look at it.


regards.


Or used stored procedures (which is what we do) but that's a lot of 
overhead.



Re: annoying stop retransmissions.

2011-11-29 Thread Alexandre Chapellon



On 29/11/2011 10:20, Fajar A. Nugraha wrote:

On Tue, Nov 29, 2011 at 3:57 PM, Alan DeKok  wrote:

Alexandre Chapellon wrote:

I don't understand what you mean by "writing a detailed state
machine"... state machine?

  Write down what the server receives, and what you want to do with it.
  The server receives accounting on/off start/stop and alive packets.
It can receive those when a session is non-existent, open, or closed.

  How does the server determine the "right" thing to do?  Write down the
logic.  Then, implement it.

For comparison purposes, we currently implement some config and db
schema modifications to better handle accounting packets. For example:
- always return ok on accounting packets that the NAS sends.
Implementing it requires using detail reader/writer and some unlang
blocks to catch some weird corner cases (e.g. Acct-Session-Time=0)
- use unique constraint on acctuniqueid
- remove all *_alt queries
- split "live" accounting table (those with Acct-Status-Type<>
'Stop') and "archive" accounting table
- change most insert/update queries to "INSERT  ON DUPLICATE KEY
UPDATE "
- use "DELETE IGNORE" to delete records from "live" accounting table

Took some effort, but it works. @Alexandre: some of the logic might be
relevant for your situation as well.
Yes indeed, "INSERT... ON DUPLICATE KEY UPDATE" and "DELETE IGNORE" 
really sound like my holy grail.

Will forward this to my dba asap! Thank you!

Regards

@Fajar: I'm eating quite a bit of your time on different mailing lists 
lately :)! thank you again.



Re: annoying stop retransmissions.

2011-11-28 Thread Alexandre Chapellon



On 28/11/2011 13:53, Alan DeKok wrote:

Alexandre Chapellon wrote:

This works as expected for most of my NASes. Unfortunately, I have some
NASes that are behind a satellite link, which is a very unreliable link
with regular packet loss. UDP retransmission of packets makes the system
work even with that kind of link, but I have one scenario that creates
errors:

   This is common in RADIUS.  Accounting is... awkward, to put it politely.


When a stop ticket is transmitted once and correctly reaches the
freeradius servers (nas ->  front ->  back), the session record is deleted from
the "live acct" table, the packet is then proxied to the 2nd freeradius and
the session in the Acct table is marked as stopped (acctstoptime=something). If
the front freeradius acks the Stop packet and that Ack is lost on the
link, the NAS retransmits the STOP.

   As it should.  It's the responsibility of the RADIUS server to deal
with retransmissions from the NAS.


The same thing occurs:
- the front radius tries to delete the session using its acct_stop_query,
which results in no line being modified, and so tries to run its
acct_stop_query_alt (which basically does the same thing: delete).

   It really should delete the record ONLY if it exists.  Or, UPDATE the
record to say "session stopped".  After a suitable delay (10-20 min),
the "stopped" sessions can safely be deleted.


The alt
query also modifies no lines but no error is logged. The retransmitted packet
is then proxied to the back server, which in turn tries to run its
acct_stop_query (tries to update a session with no acctstoptime). That
query fails as the previous Stop ticket for that session already updated
the record. It then tries to run the acct_stop_query_alt, which is
designed to try to insert a new session record based on the content of
the stop ticket (this is done to deal with the case where the start ticket
is lost and only the stop ticket is received, I guess). In my case this last
query fails because of a uniqueness constraint in the oracle database
(to prevent one session from being recorded multiple times), and an
error is logged in freeradius.

   The solution is to fix the queries so that they deal with non-existent
sessions.  This is no different than a NAS sending a STOP for sessions
that *never* existed.


Does anybody have an idea on how to deal with that (minor) problem so I
have no more regular error messages?
I was maybe thinking of not proxying to the back server packets
retransmitted due to ACK loss, but I can't really find out how to do that...

Thanks for reading that long post (I hope it's understandable enough).

   It is.

   There is no real solution other than building a smarter system to
handle accounting packets.

   I suggest writing a detailed state machine describing what happens for
each session, and how each kind of packet is handled.  Until that's
done, no good solution is possible.
I don't understand what you mean by "writing a detailed state 
machine"... state machine?



   We can take such a state machine and use it to update the handling of
accounting packets for 3.0.

   Alan DeKok.



annoying stop retransmissions.

2011-11-28 Thread Alexandre Chapellon

Hello,

I have a setup which is as follows:

NASes -> FREERADIUS Auth+live acct -> FREERADIUS Acct only


In this setup, users connect to NASes, which authenticate them against 
the front freeradius (Auth + live acct). The front freeradius maintains 
a db of the connected users using acct tickets. Basically it does:


INSERT in table upon Start ticket reception
DELETE from table upon Stop ticket reception.

In turn the front freeradius proxies acct tickets to the back 
freeradius (Acct only), which keeps track of all sessions doing:


INSERT in table upon Start ticket reception
UPDATE table upon Stop ticket reception.

This works as expected for most of my NASes. Unfortunately, I have some 
NASes that are behind a satellite link, which is a very unreliable link 
with regular packet loss. UDP retransmission of packets makes the system 
work even with that kind of link, but I have one scenario that creates 
errors:


When a stop ticket is transmitted once and correctly reaches the 
freeradius servers (nas -> front -> back), the session record is deleted from 
the "live acct" table, the packet is then proxied to the 2nd freeradius and 
the session in the Acct table is marked as stopped (acctstoptime=something). If 
the front freeradius acks the Stop packet and that Ack is lost on the 
link, the NAS retransmits the STOP.

The same thing occurs:
- the front radius tries to delete the session using its acct_stop_query, 
which results in no line being modified, and so tries to run its 
acct_stop_query_alt (which basically does the same thing: delete). The alt 
query also modifies no lines but no error is logged. The retransmitted packet 
is then proxied to the back server, which in turn tries to run its 
acct_stop_query (tries to update a session with no acctstoptime). That 
query fails as the previous Stop ticket for that session already updated 
the record. It then tries to run the acct_stop_query_alt, which is 
designed to try to insert a new session record based on the content of 
the stop ticket (this is done to deal with the case where the start ticket 
is lost and only the stop ticket is received, I guess). In my case this last 
query fails because of a uniqueness constraint in the oracle database 
(to prevent one session from being recorded multiple times), and an 
error is logged in freeradius.


I can't really afford to get rid of the unique constraint, and I think 
changing the acct_stop_query_alt for a non insert statement would not be 
a good idea either.


Does anybody have an idea on how to deal with that (minor) problem so I 
have no more regular error messages?
I was maybe thinking of not proxying to the back server packets 
retransmitted due to ACK loss, but I can't really find out how to do that...


Thanks for reading that long post (I hope it's understandable enough).
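An added example, not code from this thread or from FreeRADIUS, written the way Alan's reply earlier on this page asks for: for each accounting packet type it states what to do when the session is non-existent, open, or closed, so that a retransmitted Stop, or a Stop whose Start was lost, never ends in an insert that trips the unique constraint. sqlite3 stands in for Oracle/MySQL; the upsert Fajar describes (INSERT ... ON DUPLICATE KEY UPDATE) is spelled as a portable UPDATE followed by INSERT OR IGNORE, the single table with `acctstoptime IS NULL` plays the role of the "live" table, and the grace-period purge is Alan's "delete only after a suitable delay". Table layout, column names and all packets are constructed for the example.

```python
"""Accounting packet state machine over an SQL backend (added example).
Every handler returns what it did ('inserted', 'updated', 'duplicate');
none of them can raise a constraint error, and the NAS always gets an
Accounting-Response, as Fajar's setup does."""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    acctuniqueid    TEXT PRIMARY KEY,      -- the uniqueness constraint from the post
    username        TEXT NOT NULL,
    nasipaddress    TEXT NOT NULL,
    acctstarttime   INTEGER,
    acctstoptime    INTEGER,               -- NULL while the session is open ("live")
    acctsessiontime INTEGER NOT NULL DEFAULT 0
)
"""


def open_db():
    """In-memory stand-in for the accounting database."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def _insert_if_absent(db, pkt, stop_time=None):
    """Portable half of the upsert: create the row unless one already exists."""
    cur = db.execute(
        "INSERT OR IGNORE INTO radacct (acctuniqueid, username, nasipaddress, "
        "acctstarttime, acctstoptime, acctsessiontime) VALUES (?, ?, ?, ?, ?, ?)",
        (pkt["Acct-Unique-Session-Id"], pkt["User-Name"], pkt["NAS-IP-Address"],
         pkt["Event-Timestamp"] - pkt.get("Acct-Session-Time", 0),
         stop_time, pkt.get("Acct-Session-Time", 0)))
    return cur.rowcount == 1          # 0 rows means the key was already there


def handle_start(db, pkt):
    # non-existent -> create; open or closed -> retransmitted Start, ignore it
    return "inserted" if _insert_if_absent(db, pkt) else "duplicate"


def handle_alive(db, pkt):
    # open -> refresh the counter; non-existent (Start lost) -> create the
    # row from the Alive; closed -> a late Interim-Update, ignore it
    cur = db.execute(
        "UPDATE radacct SET acctsessiontime = ? "
        "WHERE acctuniqueid = ? AND acctstoptime IS NULL",
        (pkt["Acct-Session-Time"], pkt["Acct-Unique-Session-Id"]))
    if cur.rowcount == 1:
        return "updated"
    return "inserted" if _insert_if_absent(db, pkt) else "duplicate"


def handle_stop(db, pkt):
    # open -> close it; non-existent (Start lost) -> create it already closed;
    # closed -> retransmitted Stop: nothing to do and nothing to log
    cur = db.execute(
        "UPDATE radacct SET acctstoptime = ?, acctsessiontime = ? "
        "WHERE acctuniqueid = ? AND acctstoptime IS NULL",
        (pkt["Event-Timestamp"], pkt["Acct-Session-Time"], pkt["Acct-Unique-Session-Id"]))
    if cur.rowcount == 1:
        return "updated"
    created = _insert_if_absent(db, pkt, stop_time=pkt["Event-Timestamp"])
    return "inserted" if created else "duplicate"


HANDLERS = {"Start": handle_start, "Interim-Update": handle_alive, "Stop": handle_stop}


def process(db, pkt):
    """Dispatch on Acct-Status-Type; pkt is a dict of RADIUS attributes."""
    return HANDLERS[pkt["Acct-Status-Type"]](db, pkt)


def live_sessions(db):
    """What the front server's "live acct" table would contain."""
    rows = db.execute("SELECT acctuniqueid FROM radacct WHERE acctstoptime IS NULL ORDER BY 1")
    return [r[0] for r in rows]


def purge_stopped(db, now, grace=20 * 60):
    """Delete closed sessions only after a grace period, so a Stop retransmitted
    within that window still finds its closed row and stays a harmless duplicate."""
    cur = db.execute(
        "DELETE FROM radacct WHERE acctstoptime IS NOT NULL AND acctstoptime < ?",
        (now - grace,))
    return cur.rowcount
```

The grace period is the trade-off to keep in mind: a Stop retransmitted after the row has been purged looks like a lost-Start session and is inserted again as a closed row, which is harmless for the database but shows up as a second record; the window should therefore exceed the NAS's retransmission timeout.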


Re: Freeradius process crash receiving answers from Microsoft NPS Server

2011-11-14 Thread Alexandre Chapellon
The freeradius distribution ships all the files needed to create a deb 
package from the latest sources.

This should make your debian system even happier.

regards

On 14/11/2011 10:55, IT Support wrote:

Thanks

I will try it, but debian doesn't have the binary package with the
latest version and I compile the sources.

I will send you the results.

Toni

2011/11/14 Phil Mayers:

On 11/14/2011 09:04 AM, IT Support wrote:

Hi
Thanks for your answer.
I ran freeradius in debug mode and the result is "segmentation
fault". These are the lines of log when the FR receives the accept
packet from the Microsoft NPS server (192.168.120.4).


As I already said, there were bugs which were fixed between 2.1.10 and
2.1.12 in this area.

Upgrade. If the crash still happens, follow the instructions in docs/bugs


Re: Freeradius process crash receiving answers from Microsoft NPS Server

2011-11-13 Thread Alexandre Chapellon

Are you running freeradius with '-X'?
If not try it, you should get more debug.

regards

On 12/11/2011 20:35, IT Support wrote:

Good afternoon

I'm a newbie with freeradius and I'm trying to configure a radius
proxy server that makes to a server microsoft radius nps.

I have a Enterasys C3 switch that sends auth requests to my
Freeradius. If the request is for auth a MAC the FR auth locally, but
if  the request is for auth a windows user (EAP) the FR resend the
request to the Microsoft NPS radius server.

I use Debian 6.0 and the debian package of FR (version is 2.1.10).

The problem is that when the Microsoft RADIUS server returns an accept
packet, the freeradius server process dies. But if the answer is
reject, the process works properly.

When the process dies, only the following line appears in the syslog:

"November 11 16:20:35 debian-radius kernel: [2380.591594] freeradius
[1749]: segfault at 3934c708 b76fd497 ip sp error 4 in libfreeradius
b5ae4970-radius-2.1.10.so
[+1 b76ec000 E000]"

Can anyone help me?

Sorry for my poor English.

Best greetings

Toni



Re: FreeRadius Losing packets in Multi-Threads mode

2011-10-26 Thread Alexandre Chapellon

Did the very same test here, with the very same results.
I find it a little bit scary to imagine that some accounting packets 
are lost (meaning I have no "proof" that the requests were answered, and how).


regards

On 26/10/2011 10:21, Pierre Rondou wrote:

Hello,

On Tue, 25 Oct 2011 21:09:31 +0100, Alan Buxey

however, as Alan said. in single thread mode, you only have one process
dealing with requests. so one single open connection to SQL, one single
session to LDAP etc etc (whatever you use) - eg even a local file with PERL.

with multithread mode, you have many threads - all of which can be hitting
your SQL or LDAP at same time... or trying to write to the same file in a
PERL module... so you have to look at the speed/ability of your backend...
the jump from a single query at a time to concurrent queries may have
tipped your balance

alan

Here is what I had thought about: FreeRadius correctly treats the requests
(answer are always received), but there is a locking problem with the log
files, meaning that basically, only one thread can write inside.

Is there any solution about that? As stated before, there is no
overloading problem on the server.

Running in single thread could be a solution, but it's really slow
compared to multi-thread ...

Regards,

Pierre


Re: wiki

2011-10-20 Thread Alexandre Chapellon

Thanks to both of you for tidying my mess :).
And sorry to disturb... good intentions don't always lead to good things.

Regards.

On 20/10/2011 15:26, Fajar A. Nugraha wrote:

On Thu, Oct 20, 2011 at 7:36 PM, Arran Cudbard-Bell wrote:

There was a ton of other stuff screwed up with the formatting, think I got 90% 
of it

Ah, looking at the history it seems I started with Alexandre's latest
commit, then tried to fix it (the dictionary part), but you submitted a
fix (for other stuff as well) before I did, which made my edit
effectively destroy most of your changes. Interesting result :)

Thanks for fixing it up.





wiki

2011-10-20 Thread Alexandre Chapellon

Hello,

I have tried to update the wiki here: http://wiki.freeradius.org/PopTop

The dictionary file that was there caused problems with the latest 
radiusplugin-ng and the latest poptop when using mppe.
I found a correct dictionary on the poptop website that solves the 
problem and wanted to copy it to the wiki.

Unfortunately I messed things up and now this page is not readable anymore.
I haven't found a way to solve this or to get back to the previous version.

Thank you for your help.


radius/diameter

2011-10-13 Thread Alexandre Chapellon

Even if the subject is clearly off topic... sorry about that :)

We are in the process of changing our billing system. As far as I can 
tell most vendors of "billingware" (such as sage, highdeal etc...), at least 
the ones we have met, now prefer using diameter interfaces over radius. 
It seems even more true when it comes to telco specialists.
Unfortunately a lot of our network devices do not support diameter 
right now (until we change them).
Does networkradius also have experience in deploying diameter? Are the 
free implementations of diameter reliable or proven (maybe you have 
your own)?
And at least, is it possible to build some kind of gateway between radius 
and diameter?


Best regards.


Re: about Simultaneous-Use and Multiple NAS

2011-10-09 Thread Alexandre Chapellon
Set the simultaneous login limit to 1 for the account and add the NAS IP
address in the "where" clause of the simul_count_query.
Note that doing so requires the use of an rlm_sql module in the session
section of the FreeRADIUS config.


Regards.

On 10/10/2011 04:48, Dagia Dorjsuren wrote:

Hello,

Can anyone advise me on my problem below, please?

How do I configure the simultaneous login count for each NAS?

For example: there is one account and 2 NASes, NAS1 and NAS2.
That account's total simultaneous login count is 2.
So that account's first simultaneous login must be from
NAS1 and the second simultaneous login must be from NAS2.



Thanks,




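The per-NAS limit described above, written out as an added example (not the poster's configuration) for FreeRADIUS 2.x with the stock MySQL schema, an rlm_sql instance named sql and an assumed account alice:

```unlang
# sql/mysql/dialup.conf (FreeRADIUS 2.x): count only this user's live
# sessions on the NAS that is asking. With Simultaneous-Use := 1 in radcheck
# the limit then means "one session per NAS" instead of "one session in total".
# The stock query has no nasipaddress condition; that line is the change.
simul_count_query = "SELECT COUNT(*) \
        FROM ${acct_table1} \
        WHERE username = '%{SQL-User-Name}' \
          AND nasipaddress = '%{NAS-IP-Address}' \
          AND acctstoptime IS NULL"

# The same NAS filter has to go into simul_verify_query: once the count
# reaches the limit, rlm_sql recounts from the rows this query returns, so
# without the filter sessions on other NASes would be counted again here.
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, \
        nasportid, framedipaddress, callingstationid, framedprotocol \
        FROM ${acct_table1} \
        WHERE username = '%{SQL-User-Name}' \
          AND nasipaddress = '%{NAS-IP-Address}' \
          AND acctstoptime IS NULL"

# sites-enabled/default: the queries only run if rlm_sql is listed here.
session {
        sql
}

# radcheck row for the account (SQL, run once; 'alice' is an assumed user):
#   INSERT INTO radcheck (username, attribute, op, value)
#   VALUES ('alice', 'Simultaneous-Use', ':=', '1');
```

nasipaddress in radacct is whatever the NAS put into NAS-IP-Address in its accounting packets, so the value in the Access-Request has to match it byte for byte; a NAS that sends only NAS-Identifier leaves both sides empty and the filter does nothing. A lost Stop leaves a row with acctstoptime IS NULL and blocks the user on that NAS until it is cleaned up, unless nastype is set for the client in clients.conf so checkrad can verify whether the session is still alive.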


Re: AW: Dynamic Attributes Based on NAS Type !

2011-10-09 Thread Alexandre Chapellon
I personally use the post-auth section of each of my virtual servers to
send different attributes.

I find it to be a very clean way to achieve this.

Regards

On 08/10/2011 20:02, Wegener, Norbert wrote:
The general idea is to set up a virtual server for each type of NAS and
make sure that every NAS is loaded into the correct virtual server.


With best regards,


Norbert Wegener
Siemens IT Solutions and Services
AIS MS NC PSU SDC
Bruchstraße 5
45883 Gelsenkirchen, Germany
Tel.: +49 (209) 94565716
Fax: +49 (201) 8165581284
mailto:norbert.wege...@atos.net


Atos IT Solutions and Services GmbH; Managing Directors: Winfried Holz,
Christian Oecking, Rainer-Christian Koppitz; Chairman of the
Supervisory Board: Charles Dehelly; Registered office: Munich,
Germany; Commercial register: Munich, HRB 184933.


*From:*
freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org
[freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org]
on behalf of Suman Dash [sumand...@gmail.com]

*Sent:* Saturday, 8 October 2011 16:39
*To:* FreeRadius users mailing list
*Subject:* Dynamic Attributes Based on NAS Type !

Hi everyone... Currently I am planning to integrate FreeRADIUS with
different NASes like Chillispot, Cisco etc. and enable roaming users so
that they can log in from any of the NASes.


As the reply items are different for different NASes, I am looking for
ideas on how to enable a single user to roam and connect from different NASes.


In my case I think static reply items are not possible per user
or per group, so my question is what trick can be used to achieve
the same.


I have not tried anything as I have no clue about this, so some
highlights on the approach would be a good starting point for me.


Cheers
Suman




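The virtual-server-per-NAS-type layout both replies describe, as an added example rather than either poster's configuration. It assumes FreeRADIUS 2.x, an rlm_sql instance named sql as the shared user store, and the NAS addresses, secrets and server names shown; each server block goes in its own file under sites-enabled:

```unlang
# clients.conf: bind each NAS to the virtual server for its type. Client
# names, addresses, secrets and server names are assumptions for this example.
client cisco-sw1 {
        ipaddr         = 192.0.2.10
        secret         = replace-with-a-long-random-secret-per-NAS
        shortname      = cisco-sw1
        virtual_server = cisco
}

client chilli-hotspot {
        ipaddr         = 192.0.2.20
        secret         = replace-with-another-long-random-secret
        shortname      = chilli-hotspot
        virtual_server = chillispot
}

# sites-enabled/cisco: same user store as every other server (sql), so a
# user roams freely; only the reply items are NAS-specific.
server cisco {
        authorize {
                preprocess
                sql
                pap
        }
        authenticate {
                pap
        }
        post-auth {
                update reply {
                        # ":=" overrides anything radgroupreply put in the
                        # reply, so a group written for the hotspot cannot
                        # leak its attributes to the switch. priv-lvl 15 is
                        # full admin; ordinary users get 1.
                        Service-Type := NAS-Prompt-User
                        Cisco-AVPair := "shell:priv-lvl=1"
                }
        }
}

# sites-enabled/chillispot: same database, hotspot reply items.
server chillispot {
        authorize {
                preprocess
                sql
                pap
        }
        authenticate {
                pap
        }
        post-auth {
                update reply {
                        Service-Type             := Login-User
                        WISPr-Bandwidth-Max-Down := 2048000
                        WISPr-Bandwidth-Max-Up   := 512000
                        Session-Timeout          := 3600
                }
        }
}
```

Because every server authenticates against the same sql instance, users roam; only post-auth differs. Keeping the NAS-specific items in post-auth with := rather than in radgroupreply also means a group entry written for the hotspot can never hand Cisco shell privileges to the switch.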


radius dhcp

2011-10-05 Thread Alexandre Chapellon

Hello,

I have a setup where the user initiates a DHCP request to the NAS. The NAS
then tries to authenticate the user using regular RADIUS requests
(basically an Access-Request with username=macaddr). If authenticated, the
NAS relays the DHCP request to a DHCP server.


That works. I want to know if there is any *standardized* way to tell
the NAS which DHCP server to relay the DHCP request to, using attributes
in the RADIUS Access-Accept?
I have found a DHCP dictionary (about gatewaying DHCP to RADIUS) but
am not sure it is intended for that.


If not, does anybody know if it's possible with a Redback xxxSE BRAS?

Regards.


Re: Freeradius for Lan

2011-10-02 Thread Alexandre Chapellon



On 02/10/2011 17:31, Andreas Rudat wrote:

Hello,

I use RADIUS for my WLAN auth but I also want it for LAN, but how? I
use pfSense with RADIUS 2.x. It works fine with WLAN but how do I use it
for LAN? If I connect via the LAN port on my AP I can reach everything
without RADIUS auth.



You have to set up 802.1X port authentication... if your WLAN AP supports it.

Thanks
Andreas


Re: Limit guest/anonymous users for 15 minutes

2011-09-27 Thread Alexandre Chapellon



On 27/09/2011 14:08, CyAndrew wrote:

Hello,

could someone give me a hint about how to reach a configuration where
users with an anonymous/guest account are able to access for a limited time
only and are then blocked for some period of time?

Example:
1. First user logs in as guest/guest.
2. Access is granted for the FIRST user and his device for, let's say, 15 minutes
only.
3. Second user logs in as guest/guest.
4. Access is granted for the SECOND user and his device for 15 minutes only.
5. Access for the FIRST user expires.
6. Access for the SECOND user expires.

Is it possible to configure such a behaviour with SQL user storage?

Unless I misunderstood, I would say that you must not use simultaneous
checking to set things up. Well, at least not the regular way. But
writing a customised simultaneous_query_check would maybe help you
achieve this.
In short, make your simultaneous_check_query check for the pair
user/device in your accounting database no matter whether the session has ended
or not.


I don't know how clever it is, as if your acct database is large, it may
(or may not) slow down the authentication process to death.



Thank you very much for any hint or configuration example.
CyAndrew

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Limit-guest-anonymous-users-for-15-minutes-tp4845117p4845117.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
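The accounting-based check suggested above, carried out in authorize rather than through the simultaneous-use machinery, as an added example that is not the poster's configuration. Assumptions: FreeRADIUS 2.x, an rlm_sql instance named sql on MySQL with the stock radacct table, a shared account guest, the device identified by the MAC the NAS sends in Calling-Station-Id, a 15-minute session, and a 24-hour wait before the same device may start another:

```unlang
# sites-enabled/<hotspot server>, authorize section (FreeRADIUS 2.x). Added
# example, not from the thread. Assumed: sql instance named "sql" on MySQL,
# stock radacct table, shared account "guest", device = Calling-Station-Id.
authorize {
        preprocess
        sql
        if (User-Name == "guest") {
                # Guest sessions this device has started in the last 24 hours,
                # finished or not. rlm_sql escapes the expanded attributes
                # before the query runs, so a crafted Calling-Station-Id does
                # not break out of the string literal.
                update request {
                        Tmp-String-0 := "%{sql:SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND acctstarttime > DATE_SUB(NOW(), INTERVAL 24 HOUR)}"
                }
                # Anything but a literal "0" (including the empty string a
                # failed query expands to) ends in a reject: fail closed.
                if (Tmp-String-0 != "0") {
                        update reply {
                                Reply-Message := "Guest access already used by this device today"
                        }
                        reject
                }
                # First session for this device: the NAS ends it after 15 minutes.
                update reply {
                        Session-Timeout := 900
                }
        }
        pap
}
```

Calling-Station-Id is whatever the client's MAC looks like to the NAS, so a user who changes MAC gets a fresh quota; that is the limit of what the accounting data can enforce. To keep the lookup cheap on a large radacct, add an index on (username, callingstationid, acctstarttime).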


Re: Problem "expand: %{Acct-Input-Gigawords} ->" always get nothing!

2011-09-27 Thread Alexandre Chapellon



On 27/09/2011 10:21, Arran Cudbard-Bell wrote:
Also... Whilst it is a very pretty signature Mr Chapellon I direct you 
to the rules of the FreeRADIUS users list...


http://freeradius.org/list/users.html

The Second rule of the FreeRADIUS users list - 'No HTML on the list'
The Third rule of the FreeRADIUS users list - 'No vcards'


Thank you for the reminder.


-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org <mailto:a.cudba...@freeradius.org>

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !





Re: Problem "expand: %{Acct-Input-Gigawords} ->" always get nothing!

2011-09-27 Thread Alexandre Chapellon

On 27/09/2011 09:52, snan4love wrote:

Hello everybody:
Thanks for opening this topic.
Right now I have set up the FreeRADIUS+MySQL+WiFi system, and I can get onto
the internet via this system on my laptop.
But my problem is:
no matter how long I stay connected, AcctInputOctets and
AcctOutputOctets are always 0;
the debug information from radiusd -X mode regarding this issue is:

[sql] 	expand: %{User-Name} -> snan4love
[sql] sql_set_user escaped user --> 'snan4love'
[sql] 	expand: %{Acct-Input-Gigawords} -> 
[sql] 	... expanding second conditional
[sql] 	expand: %{Acct-Input-Octets} -> 
[sql] 	... expanding second conditional
[sql] 	expand: %{Acct-Output-Gigawords} -> 
[sql] 	... expanding second conditional
[sql] 	expand: %{Acct-Output-Octets} -> 
[sql] 	... expanding second conditional
[sql] 	expand: %{Acct-Delay-Time} -> 
[sql] 	... expanding second conditional
[sql] 	expand:UPDATE radacct SET  acctstoptime  
= '%S',  acctsessiontime= '%{Acct-Session-Time}', 
acctinputoctets= '%{%{Acct-Input-Gigawords}:-0}' << 32 |  
'%{%{Acct-Input-Octets}:-0}',  acctoutputoctets   =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |  
'%{%{Acct-Output-Octets}:-0}',  acctterminatecause =
'%{Acct-Terminate-Cause}',  acctstopdelay  =
'%{%{Acct-Delay-Time}:-0}',  connectinfo_stop   =
'%{Connect-Info}'   WHERE acctsessionid   = '%{Acct-Session-Id}'  
AND username  = '%{SQL-User-Name}'   AND nasipaddress  =
'%{NAS-IP-Address}' ->UPDATE radacct SET 
acctstoptime   = '2011-09-27 15:45:35',  acctsessiontime   
= '1317',  acctinputoctets= '0' << 32 |  
'0',  acctoutputoctets   = '0' << 32 |   

Every expand: %{Acct-Input-...} gets nothing.
I know there must be a misconfiguration I made, but I don't know where to fix
it.
Please help me,
thank you very much.


Well, I guess you don't have those attributes in the accounting
packets sent by your NAS... Have you checked this?

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Problem-expand-Acct-Input-Gigawords-always-get-nothing-tp4844371p4844371.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-- 
  
  
Alexandre Chapellon
Ingénierie des systèmes open sources et
  réseaux.
  Follow me on twitter: @alxgomz
  

  

<>-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Access Accept

2011-09-24 Thread Alexandre Chapellon

On 23/09/2011 22:01, Miha wrote:

  Hi @Alexandre,

here is a copy from my default file:

post-auth {
#  Get an address from the IP Pool.
#   main_pool
update reply {
3GPP2-Prepaid-acct-Capability =
%{request:3GPP2-Prepaid-acct-Capability}

}

  update reply {
  Acct-Multi-Session-Id = %{request:Acct-Multi-Session-Id}

}


IIRC I use double-quoted variables in my config. Anyway, this is odd:
it happens for the second attribute and not the first one.


I have also tried this way, but it's still the same:

update reply {
3GPP2-Prepaid-acct-Capability =
%{request:3GPP2-Prepaid-acct-Capability}
Acct-Multi-Session-Id = %{request:Acct-Multi-Session-Id}

}


This sounds better.

I do not see any problem with quotes.

Thank you!

Br,
Miha


--
View this message in context: http://freeradius.1045715.n5.nabble.com/Access-Accept-tp4832711p4834972.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
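The copy-from-request configuration this thread converges on, as an added example rather than the poster's own file. The hex value shown in the Access-Accept above is exactly the bytes of the text %{request:3GPP2-Prepaid-acct-Capability}: without double quotes the expansion is stored as a literal, and single quotes disable it altogether. Assumes FreeRADIUS 2.x and that both attributes are defined in the loaded dictionaries:

```unlang
# sites-enabled/<server>, post-auth section (FreeRADIUS 2.x). Added example,
# not the poster's configuration. Copies two attributes the NAS sent in the
# Access-Request into the Access-Accept, only when the NAS actually sent them.
post-auth {
        if (3GPP2-Prepaid-acct-Capability) {
                update reply {
                        # Double quotes: the xlat is expanded, not stored as text.
                        3GPP2-Prepaid-acct-Capability := "%{request:3GPP2-Prepaid-acct-Capability}"
                }
        }
        if (Acct-Multi-Session-Id) {
                update reply {
                        Acct-Multi-Session-Id := "%{request:Acct-Multi-Session-Id}"
                }
        }
        # Never reflect authorization attributes (Service-Type, Framed-*,
        # vendor AVPairs) this way: the NAS, or anyone holding its shared
        # secret, would then be writing its own Access-Accept.
}
```

Reflecting a request attribute into the Access-Accept lets the NAS, or anyone who holds its shared secret, choose the value it receives back. That is acceptable for capability and session-correlation attributes like these two, and not for anything that grants access or privilege.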


Re: Access Accept

2011-09-23 Thread Alexandre Chapellon

On 23/09/2011 15:54, Miha Zoubek wrote:

  
@Alexandre,

thanks a lot for this

Sending Access-Accept of id 221 to 212.13.228.58 port 57366
    3GPP2-Session-Termination-Capability = 1
    3GPP2-Prepaid-acct-Capability =
0x257b726571756573743a33475050322d507265706169642d616363742d4361706162696c6974797d
    Acct-Multi-Session-Id = "%{request:Acct-Multi-Session-Id}"

Do you have any idea why Acct-Multi-Session-Id is not getting a
value? I thought that it was missing in the dictionary but I can see
that I have it in the dictionary (dictionary.rfc2866).

Don't you have single quotes somewhere that would prevent variable
expansion?

  BR,
  Miha
  
  On 9/23/2011 3:38 PM, Alexandre Chapellon wrote:
  



On 23/09/2011 15:03, Miha wrote:

Hi @Alan and @Alexandre,

Hi,

In radgroupreply I have defined the attribute 3GPP2-Prepaid-acct-Capability
and put some value in it.
I know this is wrong because this value should be dynamically taken from
the Access-Request (attribute 3GPP2-Prepaid-acct-Capability).

update reply {
3GPP2-Prepaid-acct-Capability = %{request:attributesValue}
}

What should attributesValue be if I would like attributesValue to be the
value from the Access-Request (attribute 3GPP2-Prepaid-acct-Capability)?

Sorry, I am not clear in this example:
update reply {
3GPP2-Prepaid-acct-Capability = %{request:3GPP2-Prepaid-acct-Capability}
}
I remember Alan said this was an ugly setup but it worked (I use it
somewhere in my config)


If I am right, must I put this in sites-available/default?


Yep, in post-auth I guess.


I have put it in default but the reply is being sent in the Accounting-Response
packet.

Thanks!

BR,
Miha 

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Access-Accept-tp4832711p4833410.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Access Accept

2011-09-23 Thread Alexandre Chapellon

On 23/09/2011 15:03, Miha wrote:

Hi @Alan and @Alexandre,

Hi,

In radgroupreply I have defined the attribute 3GPP2-Prepaid-acct-Capability
and put some value in it.
I know this is wrong because this value should be dynamically taken from
the Access-Request (attribute 3GPP2-Prepaid-acct-Capability).

update reply {
3GPP2-Prepaid-acct-Capability = %{request:attributesValue}
}

What should attributesValue be if I would like attributesValue to be the
value from the Access-Request (attribute 3GPP2-Prepaid-acct-Capability)?

Sorry, I am not clear in this example:
update reply {
3GPP2-Prepaid-acct-Capability = %{request:3GPP2-Prepaid-acct-Capability}
}
I remember Alan said this was an ugly setup but it worked (I use it
somewhere in my config)


If I am right, must I put this in sites-available/default?


Yep, in post-auth I guess.


I have put it in default but the reply is being sent in the Accounting-Response
packet.

BR,
Miha 

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Access-Accept-tp4832711p4833410.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Access Accept

2011-09-23 Thread Alexandre Chapellon

update reply {
        attributesName = "%{request:attributesValue}"
}

see man unlang for details

regards

On 23/09/2011 09:47, Miha wrote:

Hi,

I have read the FreeRADIUS wiki and other topics on this forum concerning this
but I did not find anything useful.
I have problems with the Access-Accept packet. I have put a few attributes in
radgroupreply.
Now I can see the attributes in the Access-Accept packet. The problem is that I have put
the values for the attributes in the Accept packet in manually (the values should come from
the Access-Request).
How can I add attribute values which were sent in the Access-Request to be sent
back in the Access-Accept?

Thank you very much!

BR,
Miha

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Access-Accept-tp4832711p4832711.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Freeradius/Oracle compilation

2010-12-20 Thread Alexandre Chapellon
Alan, when you have enough time, could you take a look at it?
And if OK merge it into trunk?

regards.

On Tuesday 14 December 2010 at 23:30 -1000, alexandre.chapel...@mana.pf
wrote:

> It works here, and is indeed smarter and lighter.
> Hope it's OK.
> 
> --- /tmp/configure.in.orig2010-12-14 23:24:40.019101002 -1000
> +++ /tmp/configure.in 2010-12-14 23:18:25.875101003 -1000
> @@ -86,32 +86,37 @@
>   if test "x$oracle_lib_dir" != "x" ; then
>   ORACLE_LIBDIR_SWITCH="-L${oracle_lib_dir} "
>   fi
> - LIBS="$old_LIBS $ORACLE_LIBDIR_SWITCH -lclntsh -lnnz10"
> - AC_TRY_LINK([#include 
> - 
> - static OCIEnv   *p_env;
> - static OCIError *p_err;
> - static OCISvcCtx*p_svc;
> - static OCIStmt  *p_sql;
> - static OCIDefine*p_dfn= (OCIDefine 
> *) 0;
> - static OCIBind  *p_bnd= (OCIBind *) 
> 0;
> - ],
> - [
> -   int p_bvi;
> -   charp_sli[20];
> -   int rc;
> -   charerrbuf[100];
> -   int errcode;
> - 
> -   rc = OCIInitialize((ub4) OCI_DEFAULT, (dvoid 
> *)0,  /* Initialize OCI */
> -   (dvoid * (*)(dvoid *, size_t)) 0,
> -   (dvoid * (*)(dvoid *, dvoid *, 
> size_t))0,
> -   (void (*)(dvoid *, dvoid *)) 0 );
> -
> - ],
> - ORACLE_LIBS="$ORACLE_LIBDIR_SWITCH -lclntsh -lnnz10",
> - ORACLE_LIBS=
> - )
> + for oracle_version in 10 11 9 ""; do
> + LIBS="$old_LIBS $ORACLE_LIBDIR_SWITCH -lclntsh 
> -lnnz${oracle_version}"
> + AC_TRY_LINK([#include 
> + 
> + static OCIEnv   *p_env;
> + static OCIError *p_err;
> + static OCISvcCtx*p_svc;
> + static OCIStmt  *p_sql;
> + static OCIDefine*p_dfn= 
> (OCIDefine *) 0;
> + static OCIBind  *p_bnd= 
> (OCIBind *) 0;
> + ],
> + [
> +   int p_bvi;
> +   charp_sli[20];
> +   int rc;
> +   charerrbuf[100];
> +   int errcode;
> + 
> +   rc = OCIInitialize((ub4) OCI_DEFAULT, 
> (dvoid *)0,  /* Initialize OCI */
> +   (dvoid * (*)(dvoid *, 
> size_t)) 0,
> +   (dvoid * (*)(dvoid *, 
> dvoid *, size_t))0,
> +   (void (*)(dvoid *, 
> dvoid *)) 0 );
> +
> + ],
> + ORACLE_LIBS="$ORACLE_LIBDIR_SWITCH -lclntsh 
> -lnnz${oracle_version}",
> + ORACLE_LIBS=
> + )
> + if test "x$ORACLE_LIBS" != "x"; then
> + break
> + fi
> + done
>  
>   LIBS="$old_LIBS"
>   CFLAGS="$old_CFLAGS"
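Review bot: the empty entry in `for oracle_version in 10 11 9 ""` produces `-lnnz`, which is not a library name that exists, so that iteration can only fail; if the point was to try linking without libnnz at all (clients that do not ship it), build the flag conditionally, e.g. `nnz=""; test -n "$oracle_version" && nnz="-lnnz${oracle_version}"`, and use `$nnz` in both the `LIBS=` line and the `ORACLE_LIBS=` result. Try the newest client first (`11 10 9`) so a host with several instant clients links against the one matching its headers, and add a one-line comment saying the loop exists because libnnz carries the major version in its name.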
> @@ -129,7 +134,7 @@
>  
>   if test "x$ORACLE_LIBS" = "x"; then
>   AC_MSG_WARN([oracle libraries not found.  Use 
> --with-oracle-lib-dir=.])
> - fail="$fail libclntsh libnnz10"
> + fail="$fail libclntsh libnnz${oracle_version}"
>       else
>   sql_oracle_ldflags="${sql_oracle_ldflags} $ORACLE_LIBS"
>   AC_MSG_RESULT(yes)
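Review bot: `fail="$fail libclntsh libnnz${oracle_version}"` runs after the loop above has exhausted its candidates, so `oracle_version` holds the last value tried, the empty string, and the user is told `libnnz` is missing with no hint which versions were probed; report the candidate list instead, e.g. `fail="$fail libclntsh libnnz{11,10,9}"`, or record the tried versions in a variable and print that.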
> 
> Original message
> >Date: Wed, 15 Dec 2010 07:54:38 +0100
> >From: 
> >freeradius-users-bounces+al

Re: Freeradius/Oracle compilation

2010-12-14 Thread Alexandre Chapellon
Hello, I didn't even get a comment about this.
Is there something stupid in the proposed patch?

regards.

On Saturday 11 December 2010 at 18:43 -1000, alexandre.chapel...@mana.pf
wrote:

> Unless I misunderstood the compile process, it seems to me that today's source 
> tree is stuck on Oracle 10g. Indeed the configure.in file for the 
> rlm_sql_oracle module has a library name hardcoded: libnnz10.
> If you run Oracle instantclient 11g (I guess it's the same with a full 
> installation of Oracle 11g) the library is named libnnz11. As a result, the 
> Oracle linking test will always fail even with a correct 
> --with-oracle-lib-dir set.
> To be able to compile with both versions of Oracle (10g and 11g)
> I suggest a new option that would define the version during 
> ./configure.
> If it sounds OK for everyone and can be tested by more people (I only tested 
> it on Debian with instantclient_11.1), here is a "works for me" patch that 
> introduces the --with-oracle-version switch.
> 
> --- 
> freeradius-server-2.1.10.orig/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.in
>  2010-09-28 11:03:56.0 +
> +++ 
> freeradius-server-2.1.10/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.in
>   2010-12-12 03:58:02.0 +
> @@ -22,6 +22,23 @@
>   dnl # Check for command line options
>   dnl 
>  
> + dnl extra argument: --with-oracle-version=VER
> + oracle_version=
> + AC_ARG_WITH(oracle-version,
> + [AS_HELP_STRING([--with-oracle-version=VER],
> + [Version of Oracle to search for. Should be 10 for 
> Oracle 10g and 11 for 11g])],
> + [case "$withval" in
> +11)
> +oracle_version="$withval"
> +;;
> +10)
> +oracle_version="$withval"
> +;;
> +*)
> +   AC_MSG_ERROR(Need oracle-version)
> +;;
> +esac])
> +
>   dnl extra argument: --with-oracle-include-dir=DIR
>   oracle_include_dir=
>   AC_ARG_WITH(oracle-include-dir,
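Review bot: the `case` accepts only the literals 10 and 11 and calls AC_MSG_ERROR for everything else, so a future `--with-oracle-version=12` needs another patch and a bare `--with-oracle-version` (withval=yes) dies with the unhelpful "Need oracle-version"; match any number instead (`[[0-9]]*) oracle_version="$withval" ;;`, doubled brackets because of m4 quoting) and say what form is expected in the error. Leaving `oracle_version=` without a default also changes behaviour for every existing build that never passed the option; defaulting to 10, the value this file hardcoded before, keeps those working.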
> @@ -86,7 +103,12 @@
>   if test "x$oracle_lib_dir" != "x" ; then
>   ORACLE_LIBDIR_SWITCH="-L${oracle_lib_dir} "
>   fi
> - LIBS="$old_LIBS $ORACLE_LIBDIR_SWITCH -lclntsh -lnnz10"
> +if test "x$oracle_version" = "x" ; then
> +AC_MSG_RESULT(no)
> +AC_MSG_WARN([oracle version not found.  Use 
> --with-oracle-version={10|11}.])
> +fail="$fail Oracle version"
> +else 
> + LIBS="$old_LIBS $ORACLE_LIBDIR_SWITCH -lclntsh 
> -lnnz${oracle_version}"
>   AC_TRY_LINK([#include 
>   
>   static OCIEnv   *p_env;
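Review bot: making an empty `$oracle_version` a hard failure here (it appends "Oracle version" to `fail` and skips the link test) turns every rlm_sql_oracle build that worked against 10g without extra options into a configure failure; either give the variable a default of 10 where it is declared or probe the candidate versions in a loop, as the follow-up patch dated 14 December in this thread does. The added lines are also indented with spaces inside a tab-indented block, which makes the nesting hard to read and the patch fragile to apply.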
> @@ -109,12 +131,13 @@
> (void (*)(dvoid *, dvoid *)) 0 );
>  
>   ],
> - ORACLE_LIBS="$ORACLE_LIBDIR_SWITCH -lclntsh -lnnz10",
> + ORACLE_LIBS="$ORACLE_LIBDIR_SWITCH -lclntsh 
> -lnnz${oracle_version}",
>   ORACLE_LIBS=
>   )
>  
>   LIBS="$old_LIBS"
>   CFLAGS="$old_CFLAGS"
> +fi
>   fi
>  
> 
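Review bot: the added `+fi` closes the new version check after `LIBS="$old_LIBS"` and `CFLAGS="$old_CFLAGS"`, so when the option is absent those two restore assignments are skipped and whatever the surrounding code put into LIBS and CFLAGS earlier stays there for the rest of configure; close the new `if` directly after the AC_TRY_LINK result and leave the restore outside it, and indent the `fi` like its `if` so the two adjacent `fi` lines are distinguishable.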
> @@ -129,7 +152,7 @@
>  
>   if test "x$ORACLE_LIBS" = "x"; then
>   AC_MSG_WARN([oracle libraries not found.  Use 
> --with-oracle-lib-dir=.])
> - fail="$fail libclntsh libnnz10"
> + fail="$fail libclntsh libnnz${oracle_version}"
>   else
>   sql_oracle_ldflags="${sql_oracle_ldflags} $ORACLE_LIBS"
>   AC_MSG_RESULT(yes)
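Review bot: when `--with-oracle-version` was not given, the link test never ran, so `ORACLE_LIBS` is empty and this block fires as well, appending `libclntsh libnnz` (with an empty version) to a `fail` that already contains "Oracle version": the user is told that libraries were not found which were never looked for. Guard this warning with `test "x$oracle_version" != "x"`, or merge the two failure cases into one message.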
> 
> 
> As you can see the patch modifies the configure.in file; autogen.sh must be used 
> after patching.
> 
> P.S. The patch does not include versions of Oracle prior to 10 because the 
> instantclient archive is not available anymore on the Oracle website.


-- 
Follow us on: twitter https://www.twitter.com/manainternet

Re: wifi ip allocation

2010-12-14 Thread Alexandre Chapellon
On Tuesday 14 December 2010 at 14:25 -0800, pauvre wrote:

> Hello all, 
> 
> I'm also trying to assign pools of IPs based on LDAP group membership. Since
> your conversation is very technical and not easy to put in place by someone
> who has just started with RADIUS, I was looking for a descriptive way to get to
> that end. And I found the following : 
> http://www.anthonymendoza.com/index2.php?option=com_content&do_pdf=1&id=58
> 
> With a brief overview, can you please validate that the PDF way can work?


I can't judge the Cisco part but the RADIUS part should work if you do
not want to use DHCP.
Note that the initial talk we had was about assigning addresses to
non-PPP interfaces. If what you want to do has to be done on an Ethernet-like
network (WiFi or wired Ethernet) it won't work.

regards


> Or could you point me to a resource with which I could do it your way?
> 
> Thank you!
> 
> 
> 



Re: wifi ip allocation

2010-12-02 Thread Alexandre Chapellon
On Thursday 02 December 2010 at 07:38 +0100, Alan DeKok wrote:

> Alexandre Chapellon wrote:
> > I'm not sure I understand... Once the WiFi user has entered the network
> > (layer 2: no IP yet), I have an entry for its session in my accounting
> > database, with username, session ID, maybe MAC address and so on...
> 
>   Yes.  This often includes NAS IP and port.
> 
> > But when the user sends a DHCP request to obtain an IP address (gain layer 3
> > access), that request may not contain any reference to the username, but
> > to the MAC address... is that it?
> 
>   And often the NAS IP and port.

NAS IP and port in the DHCP request? That's option 82, isn't it? If my
NAS doesn't support relaying DHCP requests with option 82 fields added (my
NASes may be very common WiFi access points), is it still safe to use such
a setup?
Anyway, it's much clearer now, thanks.


> 
> > So the trick would be to get the username from the MAC address by querying
> > the accounting database?
> 
>   Yes.
> 
> > And then?  Can I use any ippool module in the FreeRADIUS DHCP server? Or
> > do I have to use a static MAC-to-IP mapping?
> 
>   The ippool module doesn't do allocation for DHCP.  But you could write
> a short Perl program to do it.
> 
>   Alan DeKok.

Re: wifi ip allocation

2010-12-01 Thread Alexandre Chapellon
On Tuesday 30 November 2010 at 21:01 +0100, Alan DeKok wrote:

> Alexandre Chapellon wrote:
> > Hi everybody,
> > While all the documentation on the web seems to answer *NO*, and because
> > I feel like I need to talk to someone today, I was wondering if there is
> > any way to allocate IP addresses to WiFi users using RADIUS attributes
> > instead of DHCP?
> 
>   Nope.  The only way this would work is if the AP cached the
> Framed-IP-Address from the Access-Accept, and then grabbed the DHCP
> packet, and put the Framed-IP-Address in it as a DHCP response.
> 
> > Or maybe I should ask... How can I allocate IP addresses from different
> > pools based on login (the final goal would be to have a transparent Squid
> > treat users differently)?
> 
>   Run FreeRADIUS as a DHCP server. :)  It works, and you can put session
> information from RADIUS into an SQL DB, and then query that data when it
> receives a DHCP packet.


I'm not sure I understand... Once the WiFi user has entered the network
(layer 2: no IP yet), I have an entry for its session in my accounting
database, with username, session ID, maybe MAC address and so on...
But when the user sends a DHCP request to obtain an IP address (gain layer 3
access), that request may not contain any reference to the username, but
to the MAC address... is that it?

So the trick would be to get the username from the MAC address by querying
the accounting database?
And then?  Can I use any ippool module in the FreeRADIUS DHCP server? Or
do I have to use a static MAC-to-IP mapping?

Hope I am clear enough. Thanks


>   Alan DeKok.

wifi ip allocation

2010-11-30 Thread Alexandre Chapellon
Hi everybody,
While all the documentation on the web seems to answer *NO*, and because
I feel like I need to talk to someone today, I was wondering if there is
any way to allocate IP addresses to WiFi users using RADIUS attributes
instead of DHCP?
Or maybe I should ask... How can I allocate IP addresses from different
pools based on login (the final goal would be to have a transparent Squid
treat users differently)?

Thanks.


Re: (Fwd) (Fwd) Re: Accounting Log

2010-11-08 Thread Alexandre Chapellon
On Monday 08 November 2010 at 23:04 +0100, Breuer Nicolas wrote:
> 
> 
> 
> 
>  Hello Alexandre,
> 
> 
>  Just in that case, if you do not send the STOP when the session time = 0,
>  the session will stay open in the accounting table
>  and never be closed.


In my case such tickets (Acct-Stop with session-time=0) are generated by
the NAS when an auth failure occurs... so the session never started.
Consequently, there is no problem in not stopping it.
But this is exactly why I said relying on session-time=0 may be a bad
idea. Depending on your NAS behaviour, find another relevant attribute.

Regards.

> 
> 
>  
> 
> 
> --- Forwarded message follows ---
> From:Breuer Nicolas
> 
> To:freeRadius users mailing list
> 
> Subject: (Fwd) Re: Accounting Log 
> Send reply to: nicolas.bre...@belcenter.biz
> Date sent:      Mon, 08 Nov 2010 23:00:40 +0100
> 
> 
> 
> From: Alexandre Chapellon  
> 
> 
> 
> 
> 
> I have the very same behaviour here on my FR 2.1.6 setup with PGSQL
> accounting. It produces noisy logs but nothing unacceptable.
> You can change this by not doing accounting for Stop packets
> that show a null session time:
> 
> in your accounting section:
> 
> if (Acct-Status-Type == Stop && Acct-Session-Time == 0) {
>     ok   # Stop for a session that never started: skip the SQL accounting
> }
> else {
>     sql_accounting_module_name
> }
> 
> Maybe relying on Session-Time is not a good idea. Try to find
> another relevant attribute.
> 
> Cdt
> 
> 
> 
> 
> 
> 
> 
> 
>  Nice idea, I will try :)
> --- End of forwarded message ---
> 
> 
> Breuer Nicolas
> Network Supervisor
> Sales Executive
> 
> 
> BELCENTER sprl/bvba
> Avenue Henri Consciencelaan, 94 
> Bruxelles 1140 Brussel
> 
> 
> T. : +32 (0)2 403 04 60
> F. : +32 (0)2 403 04 63
> M. :+32 (0)486 50 27 87
> E. : nicolas.bre...@belcenter.biz
> W. : http://www.BelCenter.be | http://www.BelCenter.net
> 
> 
>   
> 

Re: Accounting Log

2010-11-08 Thread Alexandre Chapellon
I have the very same behaviour here on my FR 2.1.6 setup with PGSQL
accounting. It produces noisy logs but nothing unacceptable.
You can change this by not doing accounting for Stop packets
that show a null session time:

in your accounting section:

if (Acct-Status-Type == Stop && Acct-Session-Time == 0) {
    ok   # Stop for a session that never started: skip the SQL accounting
}
else {
    sql_accounting_module_name
}

Maybe relying on Session-Time is not a good idea. Try to find
another relevant attribute.

Cdt

On Monday 08 November 2010 at 18:10 +0100, Breuer Nicolas wrote:
> 
> 
>  Hello All,
> 
>  We use the FreeRADIUS 2.X version.
> 
>  We use the accounting SQL module and I noticed something.
> 
>  When a user is rejected (wrong password), I always have this error in
> radius.log
> 
> Mon Nov  8 18:07:40 2010 : Auth: Login incorrect: [BCgXXX] 
> Mon Nov  8 18:07:41 2010 : Info: [ACCOUNTING-01] stop packet with zero
> session length. 
> 
> Mon Nov  8 18:07:41 2010 : Info: rlm_sql (ACCOUNTING-02): Attempting
> to connect rlm_sql_mysql #13
> Mon Nov  8 18:07:41 2010 : Info: rlm_sql_mysql: Starting connect to
> MySQL server for #13
> Mon Nov  8 18:07:41 2010 : Info: rlm_sql (ACCOUNTING-02): Connected
> new DB handle, #13
> Mon Nov  8 18:07:41 2010 : Info: [ACCOUNTING-02] stop packet with zero
> session length. 
> 
>  Accounting-01 thinks that a stop packet with zero session length is an
> error
>  and tries to connect to the Accounting-02 SQL server.
> 
>  Is this the correct behaviour?
> 
>  Is it possible to remove this "logging"?
> 
>  Thanks
> 
> 
>  Thanks
> 
> 
> 
> 
> Breuer Nicolas
> Network Supervisor
> Sales Executive
> 
> 
> BELCENTER sprl/bvba
> Avenue Henri Consciencelaan, 94 
> Bruxelles 1140 Brussel
> 
> 
> T. : +32 (0)2 403 04 60
> F. : +32 (0)2 403 04 63
> M. :+32 (0)486 50 27 87
> E. : nicolas.bre...@belcenter.biz
> W. : http://www.BelCenter.be | http://www.BelCenter.net
> 
> 
>   
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Follow us on: twitter https://www.twitter.com/manainternet
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
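The reply above gates the SQL accounting write on a zero-length Stop record. A detail worth seeing in code, as an added example that is not part of the thread: if the condition is written positively (write only when the packet is a Stop with a non-zero session time), every Start and Interim-Update record is silently dropped as well, so the session table never gets opened; negating the zero-length-Stop test keeps everything else. The packet model and the sample packets below are constructed for the example; the attribute names mirror the RADIUS ones but this is not FreeRADIUS code.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class AcctPacket:
    """Minimal model of the accounting attributes the filter looks at (constructed)."""
    status_type: str   # Acct-Status-Type: "Start", "Interim-Update" or "Stop"
    session_time: int  # Acct-Session-Time in seconds; 0 on a Start and on a bogus Stop
    session_id: str    # Acct-Session-Id, used only to label the outcome


def as_positive_condition(pkt: AcctPacket) -> bool:
    """'Stop && Acct-Session-Time != 0' as the only gate: this lets through
    non-empty Stop records and nothing else."""
    return pkt.status_type == "Stop" and pkt.session_time != 0


def as_negated_condition(pkt: AcctPacket) -> bool:
    """'!(Stop && Acct-Session-Time == 0)': everything except a zero-length
    Stop is written, so Start and Interim-Update records still reach SQL."""
    return not (pkt.status_type == "Stop" and pkt.session_time == 0)


# Constructed sample: one normal session (start, interim, stop) and the
# zero-length Stop a NAS emits after a rejected login.
SAMPLE: List[AcctPacket] = [
    AcctPacket("Start", 0, "s1-start"),
    AcctPacket("Interim-Update", 600, "s1-interim"),
    AcctPacket("Stop", 1200, "s1-stop"),
    AcctPacket("Stop", 0, "s2-zero-stop"),
]


def written(packets: List[AcctPacket], rule: Callable[[AcctPacket], bool]) -> List[str]:
    """Return the session ids of the packets the rule would hand to the SQL module."""
    return [p.session_id for p in packets if rule(p)]


if __name__ == "__main__":
    print("positive condition writes:", written(SAMPLE, as_positive_condition))
    print("negated condition writes: ", written(SAMPLE, as_negated_condition))
```

Running it shows the positive form writing only `s1-stop`, while the negated form writes the start, interim and stop of the real session and drops only the zero-length stop; the second is the behaviour the reply is after.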

Re: Setting Service-Type

2010-10-26 Thread Alexandre Chapellon
A solution would be to use the operator ":=" instead of "=" in users
file with the default entry (should work using unlang too).

http://wiki.freeradius.org/Operators


On Tuesday 26 October 2010 at 19:23 +, Rowley, Mathew wrote:

> I have a perl module that I want to set the Service-Type attribute, but am 
> getting this error:
> 
> Tue Oct 26 14:54:25 2010 : Debug: rlm_perl: ERROR: Failed to create pair 
> Service-Type = Administrative-User
> 
> I am thinking it's due to the request having the Service-Type already set. 
> Does anyone know if it's possible to override that?
> 
> I have also tried to just statically set the Service-Type in the users file 
> via:
> DEFAULT
> Service-Type = Administrative-User
> 
> Nothing seems to set it. The request looks like:
> rad_recv: Access-Request packet from host 10.252.152.93 port 32769, id=43, 
> length=79
> User-Name = "user"
> User-Password = "pass"
> Service-Type = NAS-Prompt-User
> NAS-IP-Address = 10.252.152.93
> NAS-Identifier = "Security_lab"
> 
> Anyone have ideas on how I can change the Service-Type?
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Follow us on: twitter https://www.twitter.com/manainternet
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

replylog

2010-10-05 Thread Alexandre Chapellon
Hi everybody,

I would like to add the username to the replylog when logging access
replies.
Of course I do not want the attributes to be sent, just to be logged.
I have seen the suppress stanza in the example detail.log module. Is
there any add stanza?

regards
-- 
Follow us on: twitter https://www.twitter.com/manainternet
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: deleteing attribute

2010-08-30 Thread Alexandre Chapellon
On Tuesday 31 August 2010 at 04:31 +0200, Alan DeKok wrote:

> Alexandre Chapellon wrote:
> > Hello,
> > 
> > I want to delete an attribute I send to NASes in Access-reply,
> > regardless of its value.
> > Apparently I cannot use the '!*' operator, which is only for check items, and
> > '-=' doesn't support wildcards (unless I'm mistaken).
> > How can I do it?
> 
>   update reply {
>   Foo-Bar -= "%{reply:Foo-Bar}"
>   }
> 

Why do you think it is ugly?
Is it a performance killer?


>   Ugly, but it works.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

deleteing attribute

2010-08-30 Thread Alexandre Chapellon
Hello,

I want to delete an attribute I send to NASes in Access-reply,
regardless of its value.
Apparently I cannot use the '!*' operator, which is only for check items, and
'-=' doesn't support wildcards (unless I'm mistaken).
How can I do it?

Am using freeradius 2.1.6 on Debian x86_64

P.S: of course I can't change the attributes returned in the authorized
section. :)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: How to set properly failover ?

2010-07-23 Thread Alexandre Chapellon

On Friday 23 July 2010 at 20:09 +0200, Jevos, Peter wrote:

> Hi alex, thank you for your mail, helped a lot : )
> 
> Now it's working, no idea why and how but working : )
> 
> Here is my config:
> Users:
> 
> DEFAULT  Auth-Type := vpn_auth_name,Huntgroup-Name == "vpn"
> Fall-Through = Yes
> 

Setting Auth-Type is discouraged. Furthermore, setting 
Auth-Type to a module name sounds like an error to me (but maybe I am
mistaken).

I think you can remove Auth-Type.

> Radiusd.conf:
> instantiate {
> 
> redundant vpn_auth_name {
> group {
> ntlm_auth_vpn1 {
> reject = 1
> ok = return
> }
> ntlm_auth_vpn2 {
> reject = 1
> ok = return
> }
> }
> 

Why are you using group inside redundant... I'm not sure this is
useful.
Using ntlm_auth_vpn1 and ntlm_auth_vpn2 should be enough. Look here for
more info and an example of how redundant modules are set up:

 http://wiki.freeradius.org/Fail-over

> And the sites-available/default:
> authenticate {
>   vpn_auth_name
>   }
> 
> Thanks, have a nice day
> p 
> 
> 
> -Original Message-
> From:
> freeradius-users-bounces+peter.jevos=oriflame@lists.freeradius.org
> [mailto:freeradius-users-bounces+peter.jevos=oriflame@lists.freeradi
> us.org] On Behalf Of alexandre.chapel...@mana.pf
> Sent: Friday, July 23, 2010 7:44 PM
> To: FreeRadius users mailing list
> Subject: Re: How to set properly failover ?
> 
> This is how I do it, but it's not the only way and may not fit your needs:
> 
> In radiusd.conf, instantiate a redundant module:
> instantiate {
> ...
>   redundant ha_auth_name {
> ntlm_auth_vpn1
> ntlm_auth_vpn2
>}
> ...
> }
> 
> In default sites config, section authorize
> 
> authorize {
> ...
>   ha_auth_name
> ...
> }
> 
> 
> Quite simple and works great here for some other modules (SQL).
> Hope it helps.
> 
>  Original message
> >Date: Fri, 23 Jul 2010 18:45:30 +0200
> >From:
> freeradius-users-bounces+alexandre.chapellon=mana...@lists.freeradius.or
> g (on behalf of "Jevos, Peter" )
> >Subject: How to set properly failover ?  
> >To: "FreeRadius users mailing list"
> 
> >
> >   Hi guys
> >
> >   I'm really trying but it's not easy to find
> >   something in the documentation.
> >
> >   I have 2 modules ntlm_auth_vpn1/2 and I like to do
> >   failover.
> >
> >   I tried this but I was not successful:
> >
> >   In the modules I have 2 files, ntlm_auth_vpn1 and
> >   ntlm_auth_vpn2
> >
> >   In the sites-available/default I have:
> >
> >   #  Allow EAP authentication.
> >   eap
> >   ntlm_auth
> >
> >   ntlm_auth_vpn {
> >   group {
> >   ntlm_auth_vpn1 {
> >   reject = 1
> >   ok = return
> >   }
> >   ntlm_auth_vpn2 {
> >   reject = 1
> >   ok = return
> >   }
> >   }
> > }
> >
> >   In my users file is:
> >
> >   DEFAULT  Auth-Type := ntlm_auth_vpn,
> >   Fall-Through = Yes
> >
> >   What should be the correct syntax ?
> >
> >   Freeradius is a great tool, however every step
> >   forward is like a childbirth : )
> >
> >   What I'm really missing is what should be placed
> >   where.
> >
> >   I'd really enjoy the new book.  I hope it will be
> >   released soon : )
> >
> >   Thanks
> >
> >   Pet
> >
> >-
> >List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

attribute name manipulation

2010-06-11 Thread Alexandre Chapellon
Hello,

I want to remove some attribute from my access-accept messages
regardless of the value of this attribute.
I thought I could use "!*" but the wiki says it's not usable as a
reply item. Furthermore "!*" is not present in unlang(5); if I try to
use it, freeradius says the config file has a syntax error.
How can I remove an attribute from the reply message (regardless of its
value)?

Additionally I'd like to rename some attribute returned by the
radreply query. Is there anything specific for this job, or is it
adding a new attribute with the value of the previous one and then
deleting the previous one?

Regards.
-- 
Alexandre Chapellon 
Mana SAS
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

radmin

2010-06-10 Thread Alexandre Chapellon
Hello,

I have to debug some problem from a specific NAS and so I'd like to use
the "debug condition" of radmin.
Conditional debug is really a great feature for helping quickly find
out problems.
Unfortunately it just doesn't work and everything is debugged, not
only packets matching the condition.

Here is what I did:

radmin>debug condition '(NAS-IP-Address == "1.2.3.4")'
radmin> debug level 4
radmin> show debug level
4
radmin> show debug condition
(NAS-IP-Address == "202.3.238.209")

Unfortunately, when looking at the log file I see stuff like this:

++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 302458251,Client-IP-Address =
192.168.110.45,NAS-IP-Address = 42.123.21.78,Acct-Session-Id =
"0001003F28000B60-4C11A0B6",User-Name = "a4nj...@toto"'

Does anybody use this feature of radmin successfully? Is it supposed to
be stable?

Thx

-- 
Alexandre Chapellon 
Mana SAS
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re : What is the Class attribute for?

2010-05-25 Thread Alexandre Chapellon
Yes, the attribute you need to return back to your NAS might be vendor 
specific (take a look at the dictionaries). Sending this attr in 
Access-Accept should do the trick, but I suggest you still use accounting because 
it's always helpful, and because it's one A in AAA!

Sent from my HTC.

- Reply message -
From: "weiwei fang" 
Date: Mon, May 24, 2010 15:09
Subject: Re : What is the Class attribute for?
To: "Arran Cudbard-Bell" 
Cc: "FreeRadius users mailing list" 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re : What is the Class attribute for?

2010-05-24 Thread Alexandre Chapellon
I personally use it for QoS definition. It works as expected but I can't 
guarantee this is the regular use for this attribute.

What's special with the Class attribute is that if you send it in 
Access-Accept, it should be added in later accounting packets. This can be very 
useful, and if you don't need this feature I suggest you use another attribute.

Sent from my HTC.

- Reply message -
From: "weiwei fang" 
Date: Sun, May 23, 2010 23:15
Subject: What is the Class attribute for?
To: 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: openssl

2010-05-04 Thread Alexandre Chapellon
On Tuesday 04 May 2010 at 19:51 +0200, ds14.kornel wrote:

> hi
> I'm starting with linux and freeradius with peap configuration.
> I'm using debian lenny 2.6.26-2-686, when running freeradius -X
> (FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  7
> 2008 at 23:35:34) i'm getting those errors
> 
>  Module: Instantiating eap
>   eap {
> default_eap_type = "peap"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
>   }
>  Module: Linked to sub-module rlm_eap_md5
>  Module: Instantiating eap-md5
> rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
> rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL
> support.
> rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL
> support.
>  Module: Linked to sub-module rlm_eap_mschapv2
>  Module: Instantiating eap-mschapv2
>mschapv2 {
> with_ntdomain_hack = no
>}
> rlm_eap: No such sub-type for default EAP type peap
> /etc/freeradius/eap.conf[1]: Instantiation failed for module "eap"
> /etc/freeradius/sites-enabled/inner-tunnel[223]: Failed to find module
> "eap".
> /etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing
> authenticate section. 
>  }
> }
> Errors initializing modules
> 
> how should i install openssl ?? only compilation by hand will work
> here ??
> Can anybody give needed advice please?
> 
> Thanks a lot for help! :)


I would say you will have to install the openssl development headers and
recompile freeradius with the correct switches to enable the eap module.

sudo apt-get install libssl-dev

and then recompile with --with-rlm-eap

This is just a guess.

> 
> Kornel
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Alexandre Chapellon 
Mana SAS
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Limit Bandwith

2010-03-18 Thread Alexandre Chapellon
On Thursday 18 March 2010 at 17:27 +0800, sugiarto tjahyono wrote:
> Sorry if this topic already posted or on wrong forum
> 
> 
> How can we set speed if the user already over quota ie first day of
> month they get 1Mbps bandwith after spent 1Gig the speed will decrease
> to 512Kbps until end of month without turning off modem and
> re-authenticate.
> 
> 
> is that possible?

If your NAS supports it you could use CoA based on events triggered by
interim update tickets.

> 
> 
> 
> 
> 
> 
> 
> 
> __
> Dapatkan nama yang Anda sukai! 
> Sekarang Anda dapat memiliki email di @ymail.com dan @rocketmail.com.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Determine number of client requests sent to the free radius server

2010-03-10 Thread Alexandre Chapellon
You can graph this using cacti:
http://forums.cacti.net/viewtopic.php?t=29880

Or just query your freeradius server using radclient if status server is
enabled, or use radmin (which is not always very stable, i would not
recommend using it... at least with version 2.1.6)

On Wednesday 10 March 2010 at 19:43 +, Alan Buxey wrote:

> Hi,
> > Hi,
> > 
> > Is there a way to determine how many client requests are being received by 
> > the free radius server?
> 
> stats. use eg radmin. or just check your detail or SQL logs etc etc.
> 
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: monitoring freeradius

2010-02-23 Thread Alexandre Chapellon
On Tuesday 23 February 2010 at 13:39 -0500, Mark Jones wrote:

> How does one go about monitoring freeradius in that to see if it is reaching 
> process limits or max clients etc..
> 


I have made a cacti template; it won't do any sentry upon max-client or
process-limit as you asked for, but it may help track access
accept/reject... and accounting requests.
If you're interested in it, it can be found here
http://forums.cacti.net/viewtopic.php?t=29880&highlight=freeradius but
needs to be tweaked.
(It uses radius status requests instead of snmp.)

I know it's not what you asked for, but I thought it could help (and
I'd be glad that someone can test it :p)

regards

> If I run it in debug mode it places limits on it that are not in normal mode. I 
> know it 
> 
> 
> Is snmp the only way?
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius running in single server mode?

2009-09-16 Thread Alexandre Chapellon
$ps -eLf | grep '^freerad.*\/usr\/sbin\/freeradius' | wc -l
48

I feel stupid ... thanks

On Thursday 17 September 2009 at 08:57 +0600, vol...@ufamts.ru wrote:

> Alexandre Chapellon wrote: 
> 
> > I'm running freeradius on a Debian 5.0 system.
> > I have noticed that freeradius only forks one process whereas it's
> > not running in single server mode:
> > 
> > ps aux | grep '^freerad.*\/usr\/sbin\/freeradius'
> > freerad   1930  1.6  3.9 833900 82072 ?Ssl  Sep15
> > 25:42 /usr/sbin/freeradius
> > 
> > 
> > 
> > I thought I should have 5 freeradius processes forked at startup...
> > Is there something wrong here?
> > 
> > regards
> 
> By defaults, ps shows only parent process
> Try `ps -eLf` to see threads
> 
> 
> -- 
> 
> Best regards,
>  Denis Volkov
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

freeradius running in single server mode?

2009-09-16 Thread Alexandre Chapellon
I'm running freeradius on a Debian 5.0 system.
I have noticed that freeradius only forks one process whereas it's not
running in single server mode:

ps aux | grep '^freerad.*\/usr\/sbin\/freeradius'
freerad   1930  1.6  3.9 833900 82072 ?Ssl  Sep15
25:42 /usr/sbin/freeradius

my options for threads pool are set as below:

thread pool {
start_servers = 5
max_servers = 64
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}

I thought I should have 5 freeradius processes forked at startup...
Is there something wrong here?

regards
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: correctly set num_sql_sock in sql accoutnig (Erratum)

2009-09-14 Thread Alexandre Chapellon
On Tuesday 15 September 2009 at 00:13 +0200, Alan DeKok wrote:

> Alexandre Chapellon wrote:
> >>   How long do database writes take?
> > insert in accounting db takes ~ 10ms
> > delete from accounting db takes ~ 25ms
> 
>   So it can handle roughly 40-100 packets per second, depending on the
> traffic.


With a single freeradius process, isn't it?
I just noticed something strange... I have start_servers set to 5 but
when starting freeradius ps only reports one freeradius process... is it
something normal?

regards

> 
> > For the authentication database I have about 10 authentication
> > queries/s but regularly reaches 30/s when problems on BAS or DSLAM
> > outcome (max value since last year is ~80/s).
> 
>   I'd say you're running pretty close to the border of what is stable.
> You're OK for normal traffic, but large spikes might cause problems
> (delays in writes, etc.)
> 
>   If you're planning on growing the number of users you have, I'd take a
> look at upgrading the DB.
> 
> >>   Generally, you should have as many SQL sockets as threads.
> > Thread like in start_servers and max_servers in radiusd.conf?
> 
>   Yes.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: correctly set num_sql_sock in sql accoutnig (Erratum)

2009-09-14 Thread Alexandre Chapellon
Thanks Alan, I'm using postgresql

On Monday 14 September 2009 at 23:15 +0100, Alan Buxey wrote:

> Hi,
> 
> > >   How long do database writes take?
> > 
> > insert in accounting db takes ~ 10ms
> > delete from accounting db takes ~ 25ms
> > 
> > For the authentication database I have about 10 authentication
> > queries/s but regularly reaches 30/s when problems on BAS or DSLAM
> > outcome (max value since last year is ~80/s). 
> 
> from those details it looks like you could handle 100 inserts
> per second with a single process and 40 deletes per second. 
> worst case you came up with was 80/s - which is fine for inserts
> but tricky for deletes - so you'd need just 2 sockets on a rainy day.
> 
> - but then you've got things like table locking if using MySQL 
> with eg myISAM engine so you'd have to probably double that to deal
> with the slower queries - make it 4 sockets.
> 
> I've only made FreeRADIUS cry with mySQL when hitting it with
> really big slow queries at which point it choked all its handles
> and started to get really angry but a couple of optimisations later
> with some indexes and a change of DB engine (InnoDB) and things
> were fine - to ensure future happiness a migration to postgres
> was undertaken (pretty painless on the FR side of things...updating
> other code was more ...interesting... lets say) and we then moved
> to buffered_sql for the heavy stuff - that thread chugs along in
> the background inserting/updating table values when it needs to.
> 
> FreeRADIUS and accounting DB took up too much time a while back..
> a distraction that I could have done without but since the move to a 
> better DB (I know..I'm stirring now..) and moving to 'out of band'
> DB updates it's 'just done its job(tm)'
> 
> PS there is an upcoming webcast about FreeRADIUS and mysql clusters
> - if you are into MySQL and performance/reliability I'd wholly
> recommend getting onto that.
> 
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
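The sizing in the two replies above (100 inserts/s or 40 deletes/s per socket, "2 sockets on a rainy day", doubled for lock contention) is Little's law applied to the connection pool: the average number of busy connections is the arrival rate times the time each query holds a connection. The calculator below, added here as an example and not code from the thread or from FreeRADIUS, reproduces those figures from the latencies and the 80/s peak quoted in the thread and adds the cap Alan DeKok gives (no more sockets than threads, since extra sockets cannot be used); the function and parameter names are my own.

```python
import math
from typing import Dict, List, Optional, Tuple


def packets_per_second_per_socket(latency_s: float) -> float:
    """A socket serialises its queries, so its ceiling is 1 / latency.
    10 ms inserts give 100/s per socket, 25 ms deletes give 40/s."""
    return 1.0 / latency_s


def sockets_needed(
    queries: List[Tuple[float, float]],
    safety: float = 1.0,
    threads: Optional[int] = None,
) -> Dict[str, object]:
    """Little's law: busy connections on average = sum(rate_i * latency_i).

    queries: (packets per second, seconds per query) for each query type that
             can be in flight in the same pool at the same time.
    safety:  multiplier for burstiness and lock waits (the thread doubles it
             for MySQL table locking).
    threads: the server's thread count; sockets beyond it are never used.
    """
    busy_avg = sum(rate * latency for rate, latency in queries)
    # Round before ceil so a float artefact such as 2.0000000000000004 does
    # not turn 2 sockets into 3.
    sockets = max(1, math.ceil(round(busy_avg * safety, 9)))
    capped = threads is not None and sockets > threads
    if capped:
        sockets = threads
    return {"busy_avg": busy_avg, "sockets": sockets, "capped_by_threads": capped}


def thread_sizing(peak_pps: float = 80.0, insert_s: float = 0.010, delete_s: float = 0.025) -> Dict[str, object]:
    """The thread's own numbers: 80 packets/s worst case, 10 ms insert, 25 ms delete.
    Worst case for the pool is every packet being a delete (Stop), so that
    case is sized on its own; the mixed case assumes each session produces
    one insert and one delete."""
    return {
        "per_socket_inserts": packets_per_second_per_socket(insert_s),
        "per_socket_deletes": packets_per_second_per_socket(delete_s),
        "all_deletes": sockets_needed([(peak_pps, delete_s)]),
        "all_deletes_with_lock_margin": sockets_needed([(peak_pps, delete_s)], safety=2.0),
        "half_inserts_half_deletes": sockets_needed([(peak_pps / 2, insert_s), (peak_pps / 2, delete_s)]),
    }


if __name__ == "__main__":
    for name, value in thread_sizing().items():
        print(f"{name}: {value}")
```

If `capped_by_threads` comes back true, the database is the bottleneck rather than the pool: adding sockets will not help until either the queries get faster (indexes, engine change, as the reply describes) or the writes move out of the request path (buffered-sql).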

Re: correctly set num_sql_sock in sql accoutnig (Erratum)

2009-09-14 Thread Alexandre Chapellon
I forgot to include info in the previous mail... sorry about that.

On Monday 14 September 2009 at 22:32 +0200, Alan DeKok wrote:

> Alexandre Chapellon wrote:
> > Is there a way to know how many sql sockets needs to be open at startup
> > for a particular accounting db?
> 
>   How long do database writes take?

insert in accounting db takes ~ 10ms
delete from accounting db takes ~ 25ms


>   How many writes can you do
> simultaneously?


As many as simultaneous query I guess... 

> How many packets/s does the server get?
> 


For the authentication database I have about 10 authentication
queries/s but regularly reaches 30/s when problems on BAS or DSLAM
outcome (max value since last year is ~80/s). 

>   Generally, you should have as many SQL sockets as threads.

Thread like in start_servers and max_servers in radiusd.conf? 

> Any more,
> and they won't be used.  Any less, and the threads might starve.
> 
> > I want to have a sufficient number of such sockets but don't want to lose
> > time and resources opening too many of them.
> 
>   The LDAP && SQL modules really need to move to a dynamic connection
> pool.  It would be much easier for the administrators.


Indeed 

> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: correctly set num_sql_sock in sql accoutnig

2009-09-14 Thread Alexandre Chapellon
On Monday 14 September 2009 at 22:32 +0200, Alan DeKok wrote:

> Alexandre Chapellon wrote:
> > Is there a way to know how many sql sockets needs to be open at startup
> > for a particular accounting db?
> 
>   How long do database writes take?




>   How many writes can you do
> simultaneously?


As many as simultaneous query I guess...

> How many packets/s does the server get?
> 


For the authentication database I have about 10 authentication
queries/s but regularly reaches 30/s when problems on BAS or DSLAM
outcome (max value since last year is ~80/s).

>   Generally, you should have as many SQL sockets as threads.

Thread like in start_servers and max_servers in radiusd.conf?

> Any more,
> and they won't be used.  Any less, and the threads might starve.
> 
> > I want to have a sufficient number of such sockets but don't want to lose
> > time and resources opening too many of them.
> 
>   The LDAP && SQL modules really need to move to a dynamic connection
> pool.  It would be much easier for the administrators.


Indeed

> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

correctly set num_sql_sock in sql accoutnig

2009-09-14 Thread Alexandre Chapellon
Hello,

Is there a way to know how many sql sockets need to be open at startup
for a particular accounting db?
I want to have a sufficient number of such sockets but don't want to lose
time and resources opening too many of them.

thx
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Copy of accounting packets

2009-08-27 Thread Alexandre Chapellon
You have defined your 2 home servers in a single pool.
Unfortunately, home_server_pools are only of type fail-over (packet sent
to the second server *ONLY* if the first fails) or load-balance (different
flavours), but no type allows an acct packet to be sent to both servers.
You must use the detail file and a detail listener vhost (check the sample
vhost config copy-acct-to-home-server).

On Thursday 27 August 2009 at 21:28 +0200, kokk...@anonymizer.cz wrote:

> Hello.
> 
> I am trying to setup FreeRadius server so it proxies all requests to 
> Server1 and also sends copy of accounting packets to Server2.
> Proxying is working fine, but I can't get the copy-acct-to-home-server 
> function to work.
> 
> At the moment, authentication works fine, but accounting packets gets 
> only to Server2.
> 
> Any idea what I do wrong ?
> 
> Thanks in advance for any help, it's appreciated.
> 
> ---
> Server log
> ---
> 
> Polling for detail file /var/log/radius/radacct/detail
> detail_recv: Renaming /var/log/radius/radacct/detail -> 
> /var/log/radius/radacct/detail.work
> detail_recv: Read packet from /var/log/radius/radacct/detail.work
>Acct-Session-Id = "606B"
>User-Name = "xxx"
>NAS-Port-Type = Ethernet
>Acct-Status-Type = Start
>Acct-Delay-Time = 1
>NAS-IP-Address = x.x.x.x
>Acct-Unique-Session-Id = "3abb2fc097796361"
>Stripped-User-Name = "xxx"
>Realm = "DEFAULT"
>Packet-Original-Timestamp = "Aug 26 2009 00:27:37 EDT"
> server copy-acct-to-home-server {
> +- entering group preacct {...}
> ++[preprocess] returns ok
> [suffix] Request already proxied.  Ignoring.
> ++[suffix] returns ok
> +- entering group accounting {...}
> ++[ok] returns ok
> } # server copy-acct-to-home-server
> Finished request 1.
> Cleaning up request 1 ID 24938 with timestamp +6
> Going to the next request
> Waking up in 1.0 seconds.
> 
> ---
> proxy.conf
> ---
> 
> proxy server {
>default_fallback = yes
> }
> 
> home_server acct_server1 {
>type = acct
>port= 1813
>ipaddr = x.x.x.x
>secret= 
> }
> 
> home_server acct_server2 {
>type = acct
>port= 1813
>ipaddr = x.x.x.x
>secret= 
> }
> 
> home_server_pool my_acct_pool {
>home_server= acct_server1
>home_server= acct_server2
> }
> 
> realm DEFAULT {
>type= radius
>authhost= server1:1812
>accthost= server1:1813
>acct_pool = my_acct_pool
>secret= 
> }
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MAX-Monthly-Traffic V2 Post

2009-08-20 Thread Alexandre Chapellon
On Thursday 20 August 2009 at 01:07 +0100, Neville wrote:

> Hi Alex,
> 
> > You are expecting an interim update to send session-timeout to your nas
> > so it disconnect your user?
> > If so, two things seems incorrect to me.
> >
> >1- You're measuring traffic volume and want disconnection to set
> > based on time (session-timout)... a bit tricky isn't it?
> 
> So VERY True, Too many late nights and I really do appreciate your input as 
> this gave me food for thought and I now have EVERYTHING Working.
> 
> Both for Traffic & Session USAGE.
> 
> For Usage, I still had to use Max-Monthly-Traffic as a Check := and based on 
> sqlcounter calc, do a Reply = Sessions-Octets-Limit = XX on the 
> Access-Accept as this is supported by the ppp 2.4.4 NAS.


Be aware that sqlcounter was originally designed to count time. I
remember it has a mechanism to allow a user not to be disconnected when
the time left is greater than the time remaining to the 'reset period'.
As an example: if you have 2min left in your account and you connect on the
31st of the month at 23h59 (supposing the reset period is on the 1st of each
month at 0h00), then your session-timeout will not be 120 sec (2min) but
will be 120sec + the amount of time allowed for the next month (which
starts in 2 minutes)... this allows users not to be disconnected stupidly at
the end of the month.

This mechanism is helpful for a time based counter but is meaningless for
a volume based counter. It would mean you get the next month's quota added
IF the number of seconds until the end of the month is less than
the number of allowed octets at present time... weird!

Check the source code, but I am sure this code existed in the 2.1.1
version.


> 
> What I would like to know now, is how I can use sqlcounter to do a Month 
> Calculation based on the date of the account being registered and NOT the 
> Calander Month?  Anyone?
> 
> >2- I think the attribute "Session-Timeout" cannot be found in
> > interim-updates packets (maybe I'm wrong), rfc 2869 specify that:  "It
> > is envisioned that an Interim Accounting record (with Acct-Status-Type =
> > Interim-Update (3)) would contain all of the attributes normally found
> > in an Accounting Stop message with the exception of the
> > Acct-Term-Cause attribute."
> >
> > What you would need is an attribute known by your nas and representing
> > remaining traffic. That attrbute should be sent at acct-start time and
> > would trigger a disconnection from the NAS when traffic limit is
> > reached. If such a attribute does not exists for your NAS, you should
> > take a look at CoA server.
> > Maybe someone have better idea...?
> >
> > On Wednesday 19 August 2009 at 15:56 +0100, Neville wrote:
> >
> 
> Cheers
> Nev
> 
> 
> CentOS 5.3
> pptpd 1.3.4 / ppp 2.4.4
> freeradius2 2.1.6
> radiusclient-ng 0.5.6
> daloRadius 0.9-8-SVN
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
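The carry-over rule described in the reply above (hand out the next period's allowance when the time left would run past the reset point) and its units problem for a volume counter are easier to see worked through. The function below, an added example and not sqlcounter's source, implements the rule exactly as the reply describes it: when the remaining amount exceeds the seconds until the reset, the NAS gets the remaining amount plus a full next-period allowance. Applied to octets the comparison puts octets against seconds, so the branch fires on almost any realistic quota; the function and field names and the sample values are my own.

```python
from dataclasses import dataclass


@dataclass
class GrantDecision:
    session_timeout: int     # value that would be returned to the NAS
    next_period_added: bool  # whether the next period's allowance was folded in


def carry_over_grant(remaining: int, seconds_to_reset: int, period_allowance: int) -> GrantDecision:
    """Rule as described in the reply (a model, not rlm_sqlcounter's code):
    - remaining:        what is left on the counter, in the counter's unit
    - seconds_to_reset: seconds from now until the counter is reset
    - period_allowance: the full allowance of one period, in the counter's unit
    If the remaining amount would outlast the reset, return remaining plus a
    whole new period so the session is not cut at the period boundary."""
    if remaining > seconds_to_reset:
        return GrantDecision(remaining + period_allowance, True)
    return GrantDecision(remaining, False)


MONTH_SECONDS = 30 * 24 * 3600


def demo() -> dict:
    """Time-based counter (seconds vs seconds) next to a volume counter
    (octets vs seconds). Sample values constructed for the example."""
    return {
        # 2 min left, reset in 60 s: the reply's example, carry-over applies.
        "time_end_of_month": carry_over_grant(120, 60, MONTH_SECONDS),
        # 2 min left, reset in 10 min: the user simply runs out, no carry-over.
        "time_mid_month": carry_over_grant(120, 600, MONTH_SECONDS),
        # 4 GB left, reset in ~23 days: 4e9 octets > 2e6 seconds, so the
        # branch fires and a whole extra month of volume is granted.
        "volume_mid_month": carry_over_grant(4_000_000_000, 2_000_000, 10_000_000_000),
        # 1 KB left, same reset: 1000 octets < 2e6 seconds, branch does not
        # fire. The outcome depends on the unit mismatch, not on the quota.
        "volume_almost_empty": carry_over_grant(1_000, 2_000_000, 10_000_000_000),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The two volume cases are the point: whether the extra allowance is granted depends on how the raw octet count compares with a number of seconds, which is why the reply calls the mechanism meaningless for volume-based counters.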

Re: freeradius with oracle

2009-08-20 Thread Alexandre Chapellon
Of course it implies you have installed the oracle instantclient
provided by oracle in /opt/oracle...
If not, point to where the oracle libs are, depending on your unix
flavour.
As far as I remember the post you quoted in your mail was about an ubuntu
Linux radius server with no oracle instance running on it (only the
client libs).

The equivalent of the "sdk/include" directory is a directory that should
contain oci.h, and the "instantclient_11_1" dir equivalent should contain
libclntsh.so

regards

On Thursday 20 August 2009 at 03:35 -0700, shivashankar wrote:

> hi ,
> 
> when i run radiusd -X 
> 
> facing below problem.
> 
> Could not link driver rlm_sql_oracle: ld.so.1: radiusd: fatal:
> rlm_sql_oracle.so
> Make sure it (and all its dependent libraries!) are in the search path of
> your s
> /usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
> /usr/local/etc/raddb/sites-enabled/default[161]: Failed to find module
> "sql".
> /usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize
> section
> Errors initializing modules
> 
> 
> when I did some googling I found 
> =
> $ vi src/modules/rlm_sql/drivers/rlm_sql_oracle/Makefile
> 
>   Set TARGET = rlm_sql_oracle, and edit the CFLAGS && LDFLAGS lines to
> have the appropriate values:
> -I/opt/oracle/instantclient_11_1/sdk/include, and -L
> /opt/oracle/instantclient_11_1/ -loracle (?)
> 
>   After than, cd to the directory, and type "make".
>  Alan DeKok
> =
> but I don't have the instantclient_11_1/sdk/include directory structure in
> opt/oracle.
> 
> please help
> 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

redback nas

2009-08-19 Thread Alexandre Chapellon
Hello,

This is not really a freeradius related question... sorry about that.

Does anyone know about attributes supported by redback devices that
would allow disconnection of sessions based on the amount of traffic
transferred during the session and which could be set higher than 4Gb?

thanks to any redback guru! :)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MAX-Monthly-Traffic V2 Post

2009-08-19 Thread Alexandre Chapellon
On Thursday 20 August 2009 at 01:07 +0100, Neville wrote:

> Hi Alex,
> 
> > You are expecting an interim update to send session-timeout to your nas
> > so it disconnect your user?
> > If so, two things seems incorrect to me.
> >
> >1- You're measuring traffic volume and want disconnection to set
> > based on time (session-timout)... a bit tricky isn't it?
> 
> So VERY True, Too many late nights and I really do appreciate your input as 
> this gave me food for thought and I now have EVERYTHING Working.
> 
> Both for Traffic & Session USAGE.
> 
> For Usage, I still had to use Max-Monthly-Traffic as a Check := and based on 
> sqlcounter calc, do a Reply = Sessions-Octets-Limit = XX on the 
> Access-Accept as this is supported by the ppp 2.4.4 NAS.


Sessions-Octets-Limit!? How lucky you are to have NAS devices allowing
such a cool feature! I'd love redback NASes to have the same type of
feature! (I will query the list... maybe someone knows more about redback
devices)


> 
> What I would like to know now, is how I can use sqlcounter to do a Month 
> Calculation based on the date of the account being registered and NOT the 
> Calander Month?  Anyone?


More of an SQL query problem, I guess... I can't help here! :)


> 
> >2- I think the attribute "Session-Timeout" cannot be found in
> > interim-update packets (maybe I'm wrong); RFC 2869 specifies that: "It
> > is envisioned that an Interim Accounting record (with Acct-Status-Type =
> > Interim-Update (3)) would contain all of the attributes normally found
> > in an Accounting Stop message with the exception of the
> > Acct-Term-Cause attribute."
> >
> > What you would need is an attribute known by your NAS and representing
> > remaining traffic. That attribute should be sent at acct-start time and
> > would trigger a disconnection from the NAS when the traffic limit is
> > reached. If such an attribute does not exist for your NAS, you should
> > take a look at the CoA server.
> > Maybe someone has a better idea...?
> >
> > On Wednesday 19 August 2009 at 15:56 +0100, Neville wrote:
> >
> 
> Cheers
> Nev
> 
> 
> CentOS 5.3
> pptpd 1.3.4 / ppp 2.4.4
> freeradius2 2.1.6
> radiusclient-ng 0.5.6
> daloRadius 0.9-8-SVN
> 
> 

Re: MAX-Monthly-Traffic V2 Post.

2009-08-19 Thread Alexandre Chapellon
You are expecting an interim update to send Session-Timeout to your NAS
so it disconnects your user?
If so, two things seem incorrect to me.

1- You're measuring traffic volume and want disconnection to be set
based on time (Session-Timeout)... a bit tricky, isn't it?

2- I think the attribute "Session-Timeout" cannot be found in
interim-update packets (maybe I'm wrong); RFC 2869 specifies that: "It
is envisioned that an Interim Accounting record (with Acct-Status-Type =
Interim-Update (3)) would contain all of the attributes normally found
in an Accounting Stop message with the exception of the
Acct-Term-Cause attribute."

What you would need is an attribute known by your NAS and representing
remaining traffic. That attribute should be sent at acct-start time and
would trigger a disconnection from the NAS when the traffic limit is
reached. If such an attribute does not exist for your NAS, you should
take a look at the CoA server.
Maybe someone has a better idea...?

On Wednesday 19 August 2009 at 15:56 +0100, Neville wrote:

> Hi everyone,
> 
> I've decided to submit this question again as it was not quite worded 
> correctly, and to send it as PLAIN TEXT.
> 
> I'm trying to set up a new counter maxmonthlytraffic, which uses the same 
> method to disconnect a user by sending the Session-Timeout Reply Attribute as 
> with MAX-ALL-Sessions.
> 
> This is what I've done so far...
> 
> I've added to ./raddb/sql/mysql/counter.conf
> 
> sqlcounter monthlytraffic {
>     counter-name = Monthly-Traffic
>     check-name = Max-Monthly-Traffic
>     sqlmod-inst = sql
>     key = User-Name
>     reset = monthly
> 
>     query = "SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) \
>              FROM radacct WHERE username='%{%k}' AND \
>              Month(acctstoptime) =(Month(NOW())) AND \
>              Year(acctstoptime) = Year(NOW())"
> }
> 
> authorize {
>     .
>     monthlytraffic
>     .
> }
> 
> instantiate {
>     .
>     monthlytraffic
>     .
> }
> 
> created a dictionary entry in daloradius database of:-
> 
> id 9433
> Type integer
> Attribute Max-Monthly-Traffic
> Value NULL
> Format NULL
> Vendor dictionary.freeradius.internal
> RecommendedOP :=
> RecommendedTable check
> RecommendedHelper
> RecommendedTooltip Check Monthly Traffic Allowance
> 
> User created as "testmaxm", with the following attributes set:-
> 
> Check
> Simultaneous-Use := 1
> Pool-Name := tvpool
> Cleartext-Password := testmaxm
> Max-Monthly-Traffic := 1049   (10Mb)   (If this is removed from the 
> Check, the user connects fine, so everything else is working)
> 
> Reply
> Framed-MTU = 1400
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Acct-Interim-Interval := 300(Every 5 mins for testing)
> =
> 
> 
> Although this seems to be working on the initial connection, it does not 
> send the Session-Timeout Reply during the Interim Acct Updates if the usage 
> has been exceeded.
> 
> From the debug below, the usage is shown as "37940156" during an Acct 
> Update, e.g. 906612 + 37033544, and is more than the initial check value of 
> Max-Monthly-Traffic := 1049, so I would have expected a Session-Timeout 
> Reply to be sent.
> 
> However this is working ok on disconnect and reconnect, as I get...
> 
> rlm_sqlcounter: (Check item - counter) is less than zero
> rlm_sqlcounter: Rejected user testmaxm, check_item=1049, 
> counter=89021682
> ++[monthlytraffic] returns reject
> Invalid user (rlm_sqlcounter: Maximum monthly usage time reached): 
> [testmaxm/] (from client VPN1-UK port 1)
> 
> rlm_sqlcounter: (Check item - counter) is less than zero
> rlm_sqlcounter: Rejected user testmaxm, check_item=1049, 
> counter=89021682
> ++[monthlytraffic] returns reject
> Invalid user (rlm_sqlcounter: Maximum monthly usage time reached): 
> [testmaxm/] (from client VPN1-UK port 1)
> 
> Any ideas why I did not get disconnected during the original session, as this 
> is what I'm after?
> 
> 
> FreeRadius2 Debug
> 
> .
> .
> rlm_sqlcounter: Check item is greater than query result
> rlm_sqlcounter: Authorized user testmaxm, check_item=1049, counter=80411
> rlm_sqlcounter: Sent Reply-Item for user testmaxm, Type=Session-Timeout, 
> value=11601138
> ++[monthlytraffic] returns ok
> .
> .
> 
> rad_recv: Accounting-Request packet from host aaa.bbb.ccc.ddd port 53637, 
> id=47, length=140
> Acct-Session-Id = "4A8B6FA0721900"
> User-Name = "testmaxm"
> Acct-Status-Type = Interim-Update
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Acct-Authentic = RADIUS
> Acct-Session-Time = 600
> Acct-Output-Octets = 37033544
> Acct-Input-Octets = 906612
> Acct-Output-Packets = 27837
> Acct-Input-Packets = 15791
> NAS-Port-Type = Async
> Framed-IP-Address = 192.168.0.29
> NAS-Identifier = "aaa.bbb.ccc.ddd"
> NAS-Port = 1
> Acct-Delay-Time = 0
> +- entering group preacc
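As an added illustration (not code from the original thread), here is the quoted counter query run in SQLite against a constructed radacct table: it shows that the Month(acctstoptime) condition only counts sessions that have already stopped, so octets written by interim updates for the still-open session (using the 906612 / 37033544 values from the debug above) never reach the counter until the session ends, while rlm_sqlcounter itself only evaluates in authorize. The second query is an assumed variant that also counts the open session; the column names, the 10,000,000 check value and the SQLite rewrite of Month()/Year()/NOW() are assumptions.

```python
import sqlite3

# Constructed radacct rows, not taken from the original post:
# (username, acctstarttime, acctstoptime, acctinputoctets, acctoutputoctets).
# The third row is a session that is still open: its octet columns hold the
# values written by interim updates, but acctstoptime is NULL until it stops.
RADACCT_ROWS = [
    ("testmaxm", "2009-08-01 10:00:00", "2009-08-01 11:00:00", 500_000, 3_000_000),
    ("testmaxm", "2009-08-10 10:00:00", "2009-08-10 12:00:00", 400_000, 3_500_000),
    ("testmaxm", "2009-08-19 15:00:00", None, 906_612, 37_033_544),
    ("testmaxm", "2009-07-28 10:00:00", "2009-07-28 12:00:00", 9_000_000, 90_000_000),
    ("someone", "2009-08-05 09:00:00", "2009-08-05 10:00:00", 1_000_000, 1_000_000),
]

# The query from the quoted counter.conf, with MySQL's Month()/Year()/NOW()
# rewritten for SQLite so it runs offline; "now" is bound as a parameter so
# the result does not depend on the wall clock.
STOPPED_SESSIONS_QUERY = """
SELECT COALESCE(SUM(acctinputoctets) + SUM(acctoutputoctets), 0)
  FROM radacct
 WHERE username = :username
   AND strftime('%m', acctstoptime) = strftime('%m', :now)
   AND strftime('%Y', acctstoptime) = strftime('%Y', :now)
"""

# Assumed variant (not from the post): also count the open session by falling
# back to acctstarttime for the month test while acctstoptime is still NULL.
ALL_SESSIONS_QUERY = """
SELECT COALESCE(SUM(acctinputoctets) + SUM(acctoutputoctets), 0)
  FROM radacct
 WHERE username = :username
   AND strftime('%m', COALESCE(acctstoptime, acctstarttime)) = strftime('%m', :now)
   AND strftime('%Y', COALESCE(acctstoptime, acctstarttime)) = strftime('%Y', :now)
"""


def build_radacct():
    """Create an in-memory radacct table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (username TEXT, acctstarttime TEXT, "
        "acctstoptime TEXT, acctinputoctets INTEGER, acctoutputoctets INTEGER)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", RADACCT_ROWS)
    return conn


def monthly_counter(conn, username, now, query=STOPPED_SESSIONS_QUERY):
    """Run the counter query the way sqlcounter would, returning the octet sum."""
    return conn.execute(query, {"username": username, "now": now}).fetchone()[0]


def sqlcounter_decision(check_item, counter):
    """Mirror rlm_sqlcounter's authorize-time decision: reject once the counter
    reaches the check item, otherwise reply with the remaining allowance
    (the number the post saw being sent as Session-Timeout)."""
    if counter >= check_item:
        return "reject", 0
    return "ok", check_item - counter


def evaluate(username, now, check_item, include_open_sessions=False):
    """Return (counter, decision, remaining) for one authorize pass."""
    conn = build_radacct()
    query = ALL_SESSIONS_QUERY if include_open_sessions else STOPPED_SESSIONS_QUERY
    counter = monthly_counter(conn, username, now, query)
    conn.close()
    return (counter,) + sqlcounter_decision(check_item, counter)


if __name__ == "__main__":
    MAX_MONTHLY_TRAFFIC = 10_000_000  # constructed check value (Max-Monthly-Traffic)
    for open_sessions in (False, True):
        print(open_sessions, evaluate("testmaxm", "2009-08-19 16:00:00",
                                      MAX_MONTHLY_TRAFFIC, open_sessions))
```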

freeradius upgrade

2009-08-03 Thread Alexandre Chapellon
Hello,

I have to plan an upgrade of my freeradius setup.

I am wondering if I should upgrade now to 2.1.6 or wait until the
upcoming 2.1.7 release.
What are the new features, improvements, or bug fixes that should come
with 2.1.7?
Are there major leaks in 2.1.6?

thanks

Re: Re: Restart radiusd after new user added

2009-08-03 Thread Alexandre Chapellon
Yes, uncomment those lines, then restart freeradius.

Re-run radmin and pass it the "hup files" command.

regards

Don't forget to reply to the list; it may help someone else.

On Monday 03 August 2009 at 14:14 +, paul.blal...@gmail.com wrote:

> It looks like the control socket file
> in /etc/freeradius/sites-enabled/ is a short-cut
> to /etc/freeradius/sites-available/, and the file already has uid/gid
> and mode =rw, but they are all commented out. Should I un-comment them
> and then try it again?
> 
> On Jul 31, 2009 5:37pm, Alexandre Chapellon
>  wrote:
> > On Friday 31 July 2009 at 16:17 -0500, Paul Blalock wrote:
> >
> > > I tried the radmin> hup files command, with no luck. The command
> > > was accepted, but it did nothing.
> >
> > What version of freeradius are you running?
> >
> > If you have 2.1.1 or greater, just activate the control socket as a
> > virtual server (see in /etc/freeradius/sites-available) by linking it
> > to /etc/freeradius/sites-enabled/
> > Check that the socket is in read/write mode (mode =rw) and it has
> > correct uid/gid.
> > Restart freeradius (yeah I know that's what we want to avoid :p)
> >
> > Then run radmin (as root), and try "hup files"
> >
> > This works properly on my setup...
> >
> > -- 
> > Paul

Re: Restart radiusd after new user added

2009-07-31 Thread Alexandre Chapellon
Please reply to the list.

On Friday 31 July 2009 at 16:17 -0500, Paul Blalock wrote:

> I tried the radmin> hup files, command, with no luck. The command was
> accepted, but it did nothing.
> 
> 

What version of freeradius are you running?

If you have 2.1.1 or greater, just activate the control socket as a
virtual server (see in /etc/freeradius/sites-available) by linking it
to  /etc/freeradius/sites-enabled/
Check that the socket is in read/write mode (mode =rw) and it has correct
uid/gid.
Restart freeradius (yeah I know that's what we want to avoid :p)

Then run radmin (as root), and try "hup files"

This works properly on my setup...


> 
> -- 
> Paul

Re: Restart radiusd after new user added

2009-07-31 Thread Alexandre Chapellon
On Friday 31 July 2009 at 14:45 -0500, Blalock, Paul (NCC) wrote:

> I am setting up freeradius, and am having issues with adding users and
> having to restart radiusd to pick up the new users. Is sql the only
> other way to go, or is there a way to point the users file to another
> directory? Also, is there a way to have username passwords formatted as
> (user pass) or (user, pass)?


Using radmin allows you to pick up new users from the users file:

radmin> hup files

radmin is available from 2.1.1 I think.


> 

load-balance behavior

2009-07-31 Thread Alexandre Chapellon
Hello the list,

Can the "load-balance" type in home_server_pool handle the case where one
of the home_servers of the pool is down?
Does it lose tickets in such a situation, or can I consider it as a
"fail-over" pool too?

thx

Re: DB Handles & Rejects

2009-07-30 Thread Alexandre Chapellon
On Thursday 30 July 2009 at 22:53 +0100, Dean Smith wrote:
> During a recent network incident we had some very high churn in PPP
> clients. Our NASes (Multiple Cisco 7200 as VPDN LNS) didn’t appear to
> be able to authenticate as quickly as they needed to. In the Radius
> packet logs we see quite a few Rejects for requests that should have
> been OK – indeed the identical requests were repeated and answered
> correctly seconds afterwards.
> 
>  
> 
> In the radius log itself we have quite a few of these:-
> 
> Mon Jul 27 22:51:24 2009 : Info: rlm_sql (sql): There are no DB
> handles to use! skipped 0, tried to connect 0 
> Mon Jul 27 22:51:25 2009 : Info: rlm_sql (sql): There are no DB
> handles to use! skipped 0, tried to connect 0 
> Mon Jul 27 22:51:29 2009 : Info: rlm_sql (sql): There are no DB
> handles to use! skipped 0, tried to connect 0 
> 
> 
> 
> From the archives the usual reason for the above would seem to be the
> MySQL database not answering quickly enough. The relevant freeradius
> configs are at the defaults – but the box(s) themselves don’t appear
> to have struggled with CPU.
> 
>  


CPU is not the only bottleneck. For a DBMS you should watch IO
more than CPU, I think?

> 
> Would getting that error in the logs result in valid authentication
> requests being rejected ?
> 

yes

>  
> 
> Unfortunately I’m not very experienced in MySQL to be able to tune it.
> Would increasing the number  of “num_sql_socks” within the sql.conf
> from the default 5 be a good starting point ? Are there other
> FreeRadius configs I can adjust before moving onto the MySQL database
> itself ?


You could start here. I personally have to open 40 sockets to my oracle
database when freeradius starts.
 

> 
> Thanks
> 
> Dean
> 
> 
> 

accounting manipulation

2009-03-11 Thread Alexandre Chapellon
I have a working freeradius2 setup, in which I proxy accounting tickets
to many home_servers using detail file writing and detail listeners.
For one of these home_servers (let's call it HS1) I want to rewrite the
Acct-(In|Out)put-Octets and Acct-(In|Out)put-Gigawords with a value*
taken from another home_server (let's call it HS2).
I thought I could use the perl module to do the math in the
pre-proxy section of my HS1 vhost, but I realised the rewriting of the
attributes has to be done after, and only after, proxying the
accounting to HS2...
The problem remains that proxying to HS2 and proxying to HS1 are
two separate virtual hosts... how can I ensure proxying to HS1 (and so
the attribute rewriting) will be done only after proxying to HS2?

I am not a perl guru (either); is it possible to update attributes using
rlm_perl? How? (the wiki didn't tell me much about it)



* Actually, the value should be the result of snmp or sql or else done
on HS2... with a math operation done on it to get the new
Acct-(In|Out)put-Octets and Acct-(In|Out)put-Gigawords values. OMG,
I'm not sure it's very clear!


Re: Freeradius with Oracle

2009-02-20 Thread Alexandre Chapellon
What is AuthBlock?
A PL/SQL function?
A stored procedure?

Whatever it is, it MUST return data presented as freeradius expects it
(rows that mirror the users file syntax).
Personally, I use a PL/SQL function. Called like this:

authorize_check_query = "SELECT * FROM TABLE(my_sql_func('param1', 'param2', ...))"


Hope it helps.

Le 19.02.2009 11:18, kenshin a écrit :
> Hi,
>
>  I am trying to connect freeradius with Oracle, the catch is that to get the
> information from oracle we need to use a command that is called AuthBlock.
> Is there a way to add this to the oraclesql.conf?
>
> Thanks,
>   


Re: Simultaneous-Use for roaming wireless user

2009-02-13 Thread Alexandre Chapellon
Well, if you know a way to check whether the session is really up or not on
your NAS, it might not be hard to write a checkrad script to enable stale
session deletion.

On 12.02.2009 18:33, ST Wong (ITSC) wrote:
>
> Hi all,
>
> We enabled Simultaneous-Use checking with checking against accounting
> data stored in MySQL database.  However, found that some of the Stop
> records are not received and this makes Simultaneous-Use checking
> fail.   Seems roaming users will always encountered this problem.  I
> wonder if I've to use checkrad instead but seems our AP (Aurba) is not
> permitted as nastype in clients.conf.
>
> Would anyone please advise any solution for this issue?  Thank you
> very much.
>
> Best Regards,
> /ST Wong
>
> 
>

Re: attribute filter prior to prxy

2009-01-29 Thread Alexandre Chapellon
Ugh! My fault, I placed it in pre-acct instead of pre-proxy.

:p

On 29.01.2009 10:01, Alexandre Chapellon wrote:
> Hello,
>
> I want to remove all attributes from packets to proxy except some of
> them that I say are allowed...
>
> I thought the following would do the job in the pre-proxy section, but
> when I check what freeradius proxies (using tcpdump) I see the
> filter just filters nothing:
>
> DEFAULT
>     Acct-Status-Type =* ANY,
>     User-Name =* ANY,
>     Framed-IP-Address =* ANY,
>     Qos-Policy-Metering =* ANY,
>     Ip_Address_Pool_Name =* ANY,
>     Class =* ANY


attribute filter prior to prxy

2009-01-29 Thread Alexandre Chapellon
Hello,

I want to remove all attributes from packets to proxy except some of
them that I say are allowed...

I thought the following would do the job in the pre-proxy section, but
when I check what freeradius proxies (using tcpdump) I see the
filter just filters nothing:

DEFAULT
    Acct-Status-Type =* ANY,
    User-Name =* ANY,
    Framed-IP-Address =* ANY,
    Qos-Policy-Metering =* ANY,
    Ip_Address_Pool_Name =* ANY,
    Class =* ANY


Re: How to load the freeswitch dictionary

2009-01-26 Thread Alexandre Chapellon
There are not two different dictionaries; the support just told you
that the dictionary they gave you is meant to be used with radclient
standalone installations. If you have a whole freeradius server
installed, most of the attributes contained in this file are already
defined elsewhere.

Just copy/paste the lines between "BEGIN-VENDOR" and "END-VENDOR"
into a new file in your dictionary directory and add it to the list of
dictionaries to load; this should do the job.


On 26.01.2009 08:28, Apostolos Pantsiopoulos wrote:
> Hi,
>
> I was trying to load the freeswitch dictionary (see attachment) in
> freeradius and I am getting the following
> error :
>
> "Errors reading dictionary: dict_init:
> /usr/local/share/freeradius/dictionary.freeswitch[257]: unknown option
> "Freeswitch""
>
> I asked this question to the freeswitch mailing list and they
> responded with :
>
> "Don't do that.  The dictionary is for use with the radiusclient
> library.  FreeRADIUS already includes a dictionary for FreeSWITCH VSAs
> ( you may need to uncomment it to have it loaded into FreeRADIUS )."
>
> I was surprised to find out that I needed two different dictionaries.
> One for the server
> and one for the client. I thought it was the same.
>
> Anyway, I tried looking for it in the freeradius distribution (even
> the svn) and could
> not find any reference to Freeswitch at all.
>
> So, how do I load the freeswitch dictionary in freeradius? And how do
> I obtain it (if not from the freeswitch tarball itself)?
>
>
> 
>

Re: Best Config

2009-01-23 Thread Alexandre Chapellon
I am at the moment experiencing load problems with mysql as acct DB
(query failures during database backup of massive radius ticket
injection) for a setup of 15000 concurrent users, so I would recommend
its use!

On 23.01.2009 17:54, tech.subscripti...@shepherdhill.biz wrote:
> Hi,
>
> From experience, what would be the best server configuration for
> 200,000 users with 75,000 concurrent users throttling 50,000
> connections per second (with 1 NAS Client) in terms of:
>
> 1. Hardware configuration
> 2. Choice of DB (PostgreSQL or MySQL)
> 3. FreeRadius Configuration (max_request_time, cleanup_delay,
> max_requests, max_servers, min_spare_servers, max_spare_servers, etc)
>
> Regards,
> Chris.


Re: regular expression problem on 2.1.3

2009-01-23 Thread Alexandre Chapellon
I don't think unlang is used for processing the users file (and thus neither
mysql, as it's supposed to mirror the users file),
but you could add an update clause (which uses unlang) to add your reply
items.
Something like:

if (request:NAS-IP-Address =~ /192.168.1.1|10.0.1.1/) {
    update reply {
        Service-Type := Framed-User
        Framed-Protocol := PPP
        Fall-Through := Yes
    }
}

But I don't know how clever it is, as DEFAULT entries in the users file are
supposed to do the job, and behaviour related to nas-ip-address is even
more a matter of huntgroups.

On 23.01.2009 14:45, Tim Lightfoot wrote:
> Thank you, I tried it as /expr/  and also "/expr/" both have the same result.
>
> I use these regular expressions within both the users file and MySQL on my live 
> Radius box; it's failing within both modules.
> Would it be unlang processing the expressions here?
>
> 
>
> From: freeradius-users-bounces+tim.lightfoot=sota.co...@lists.freeradius.org 
> [mailto:freeradius-users-bounces+tim.lightfoot=sota.co...@lists.freeradius.org]
>  On Behalf Of Alexandre Chapellon
> Sent: 24 January 2009 00:30
> To: FreeRadius users mailing list
> Subject: Re: regular expression problem on 2.1.3
>
>
> when i use regex, i use it with unlang so it might differ from a users file 
> but here is how i would write it for unlang:
>
>
> DEFAULT NAS-IP-Address =~ /192.168.1.1|10.0.1.1/
>
>
>
>
>
> On 23.01.2009 14:18, Tim Lightfoot wrote:
>
>   Thanks for the suggestion - this also gives the same result:
>   
>   [files] Invalid regular expression : empty (sub)expression 
>   
>   Tim
>   
>   -Original Message-
>   From:
>   freeradius-users-bounces+tim.lightfoot=sota.co...@lists.freeradius.org
>   [mailto:freeradius-users-bounces+tim.lightfoot=sota.co...@lists.freeradi
>   us.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
>   Sent: 24 January 2009 00:07
>   To: FreeRadius users mailing list
>   Subject: Re: regular expression problem on 2.1.3
>   
>   Hi,
> 
>
>   Hi,
>   
>   I have updated my Freeradius from 2.0.5 to 2.1.3 and am having 
> a 
>   problem with the regular expressions I am using in the users 
> file.
>   
>   If I provide a simple example users file I am testing against:
>   
>   DEFAULT NAS-IP-Address =~ "192.168.1.1|10.0.1.1"
>   
>
>   
>   "(192.168.1.1|10.0.1.1)" ?
>   
>   alan
>   
> 
>
>


Re: regular expression problem on 2.1.3

2009-01-23 Thread Alexandre Chapellon
When I use regex, I use it with unlang, so it might differ from a users
file, but here is how I would write it for unlang:

DEFAULT NAS-IP-Address =~ /192.168.1.1|10.0.1.1/





On 23.01.2009 14:18, Tim Lightfoot wrote:
> Thanks for the suggestion - this also gives the same result:
>
> [files] Invalid regular expression : empty (sub)expression 
>
> Tim
>
> -Original Message-
> From:
> freeradius-users-bounces+tim.lightfoot=sota.co...@lists.freeradius.org
> [mailto:freeradius-users-bounces+tim.lightfoot=sota.co...@lists.freeradi
> us.org] On Behalf Of a.l.m.bu...@lboro.ac.uk
> Sent: 24 January 2009 00:07
> To: FreeRadius users mailing list
> Subject: Re: regular expression problem on 2.1.3
>
> Hi,
>   
>> Hi,
>>
>> I have updated my Freeradius from 2.0.5 to 2.1.3 and am having a 
>> problem with the regular expressions I am using in the users file.
>>
>> If I provide a simple example users file I am testing against:
>>
>> DEFAULT  NAS-IP-Address =~ "192.168.1.1|10.0.1.1"
>> 
>
> "(192.168.1.1|10.0.1.1)" ?
>
> alan
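As an added check (not code from the thread), the alternation posted above is tested in Python against constructed NAS addresses, next to an anchored, dot-escaped form. Python's re module stands in for the POSIX regex library FreeRADIUS links against; for these patterns the two agree, and the point is that an =~ comparison is an unanchored search, so the unescaped dots and the missing anchors let other addresses match too.

```python
import re

# The pattern exactly as written in the users file entry quoted above
# (the unlang form of it uses the same regex between slashes).
POSTED_PATTERN = r"192.168.1.1|10.0.1.1"

# Constructed NAS-IP-Address values, not taken from the thread.
NAS_ADDRESSES = [
    "192.168.1.1",   # intended match
    "10.0.1.1",      # intended match
    "192.168.1.10",  # not intended: the posted pattern matches its prefix
    "10.0.1.100",    # not intended: same prefix problem
    "192x168x1x1",   # not intended: an unescaped dot matches any character
    "10.0.2.1",      # should not match either way
]


def matches_unanchored(pattern, value):
    """=~ semantics: a hit anywhere inside the attribute value counts."""
    return re.search(pattern, value) is not None


def strict_ip_pattern(addresses):
    """Build an anchored alternation with escaped dots, so only the listed
    addresses match (added hardening, not something the thread proposes)."""
    return "^(" + "|".join(re.escape(a) for a in addresses) + ")$"


def compare(addresses=NAS_ADDRESSES):
    """Return {address: (posted pattern matches?, strict pattern matches?)}."""
    strict = strict_ip_pattern(["192.168.1.1", "10.0.1.1"])
    return {a: (matches_unanchored(POSTED_PATTERN, a),
                matches_unanchored(strict, a)) for a in addresses}


if __name__ == "__main__":
    for address, (loose, strict) in compare().items():
        print(f"{address:14} posted={loose!s:5} strict={strict}")
```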

deletestalesessions

2009-01-23 Thread Alexandre Chapellon
Hello

I would like to have more information about the deletestalesessions
option of rlm_sql.

- What does it do?
- What's its behaviour?
- How does it achieve what it does?

regards


case sensitivity

2009-01-21 Thread Alexandre Chapellon
Hello,

Is there a way to make usernames stored in the users file case-insensitive?

regards.


Re: Bandwidth limit

2009-01-14 Thread Alexandre Chapellon
Do you mean you want to apply QoS on the sessions, or do you mean you
want to limit the amount of data a user can transfer during a specified time?

On 13.01.2009 17:48, Gunza wrote:
> Dear All,
>
>  I have installed Mikrotik Router OS server for PPPoE and I have
> installed Ubuntu Server 8.10 with Freeradius+My Sql server. I want to
> create user with bandwidth limit in mysql database. Anybody please help me.
>
>
>
>
>
>
> 
>

Re: Is FreeRADIUS 2.1.1 capable of handling NAI decorations

2008-12-08 Thread Alexandre Chapellon
Change sql_user_name = %{User-Name} to sql_user_name =
%{Stripped-User-Name} in dialup.conf

On 02.12.2008 06:37, Luca Adamo wrote:
>
> Thank you for the quick reply. 
>
> I've tried this solution but the results are not what I expected. 
>
> In fact i defined the following realm module:
>
> realm wimax_decorator { 
> format = prefix 
> delimiter = "}" 
> ignore_default = no 
> ignore_null = no 
> }
>
> and i make FR to call it during authorize phase.
>
> The client show up with this NAI [EMAIL PROTECTED]
>  and the module output  (from radiusd
> -X) is the following.
>
> ..
> ..
> [wimax_decorator] Looking up realm "{am=1" for User-Name =
> "[EMAIL PROTECTED] ";
> [wimax_decorator] Found realm "DEFAULT"
> [wimax_decorator] Adding Stripped-User-Name = "[EMAIL PROTECTED]
> ";
> [wimax_decorator] Adding Realm = "DEFAULT"
> [wimax_decorator] Authentication realm is LOCAL.
> ..
> ..
>
>
> The problem is that all my subsequent queries suppose the Attribute
> User-Name to be [EMAIL PROTECTED] instead
> of [EMAIL PROTECTED] so I
> keep getting a null result set from the Oracle DB since there aren't
> entries for [EMAIL PROTECTED] in
> the DB. A possible solution could be making the sql module to use
> Stripped-User-Name instead of the User-Name for the queries but I was
> looking for a solution that doesn't involve the code.
>
> Am i making any mistake above? Any other ideas?
>
> Thank you,
>
> Lu
>
>
>
>
> On 02 Dec 08, at 16:28, [EMAIL PROTECTED]
>  wrote:
>> 1) set 'prefix' to be }
>>
>> with this, anything before and including }
>> (which may never appear as a realm or username)
>> would be treated like a NT domain and be stripped
>> off logically
>
> 
>

Re: Programatically provision users to server.

2008-12-04 Thread Alexandre Chapellon
http://wiki.freeradius.org/SQL_HOWTO

http://wiki.freeradius.org/Rlm_sql_mysql

On 04.12.2008 09:03, Matthew Carriere wrote:
> This is great thank you.
>
> I was trying to find something in the documentation about doing this.
> Could anyone point me in the direction of documentation that outlines
> using a MySQL database for authenticating users?
>
> Is there some kind of schema that the users table must follow?
>
> Thanks
>
> Matthew
>
> On 4-Dec-08, at 1:44 AM, Alan DeKok wrote:
>
>> Matthew Carriere wrote:
>>> I am thinking of adding a FreeRadius server to an existing
>>> infrastructure in order to provision users through an application.
>>
>>  FreeRADIUS authenticates users... databases provision them.
>>
>>> I am
>>> currently running a WLAN controller connecting several access points.
>>> Currently users are added manually through the WLAN controller
>>> interface.
>>>
>>> Could I add a FreeRadius server and be able to programatically add
>>> users
>>> to it? I need to be able to do this through a Ruby on Rails
>>> application.
>>
>>  Install FreeRADIUS *and* MySQL.  Use a RoR app to provision the
>> database.  Use FreeRADIUS to pull user information out of the database,
>> and authenticate the users.
>>
>>  Alan DeKok.

Re: Check on bytes used

2008-12-02 Thread Alexandre Chapellon


On 02.12.2008 10:25, Marcel Grandemange wrote:
>> It's for time. I want to count on bytes used. And one other problem: its return
>> value is Session-Timeout. It represents remaining time, not remaining bytes.
>> Any clue which attribute will tell remaining bytes???
>

This attribute is NAS dependent and I've been told very few NASes have
such an attribute.
Moreover... the counters are time based and embed mechanisms that do not
match the behaviour you expect from a bytes counter.
>> Regards,
>> 
>
> It is also for data although that is VERY poorly documented and ive had many
> troubles with it.
>   

Reading the source would help, as the module (sqlcounter) is quite simple
and the code is documented.

>   
>> Saeed Akhtar
>> 
>
>
>   
>> On Sun, Nov 30, 2008 at 8:59 PM, Venkatesh K <[EMAIL PROTECTED]> wrote:
>> Check out http://wiki.freeradius.org/Rlm_sqlcounter
>> 
>
>   
>> Regards,
>> 
>
>   
>> Venkatesh. K
>> 
>
>
>
>   
>> On Sun, Nov 30, 2008 at 9:13 PM, Saeed Akhtar <[EMAIL PROTECTED]>
>> 
> wrote:
>   
>> Hi all,
>>
>> I want to create a check on user monthly usage in (MB/GB etc.). Is
>> 
> there
>   
>> any module available to do so. yes or not what attribute will be sent to
>> client, like session-timeout attribute gives the time in second.
>>
>>waiting for reply. thanks
>>
>> Regards,
>>
>> Saeed Akhtar
>>
>>

broken home server communication

2008-11-28 Thread Alexandre Chapellon
Hi,

I have a weird problem. I am proxying accounting to a home server which
is an AIX box with a kind of fault-tolerant setup (HACMP).
In some situations (HACMP in degraded mode), this home server responds
to my proxied queries with a random source IP address.
So freeradius doesn't realise the query has been received and "replied" to.
In addition I have radius listeners (set up as home servers) on some
machines that do not respond to the proxied requests at all (I used to make it work
with other radius servers and so I'm sure it's their "normal" behaviour).
How can I prevent freeradius from checking acknowledgement of proxied
requests and just dumbly send packets... whatever the state of the
home server?


math operation

2008-11-28 Thread Alexandre Chapellon
Is it possible to do a math operation on an attribute value and have a
result that is greater than a 32-bit number?
(I would like to send this result in an attribute, to proxy it to a home
server)
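The "accounting manipulation" and "math operation" posts both ask for arithmetic on Acct-(In|Out)put-Octets beyond 32 bits; as an added example (not code from either post), here is the 64-bit combine/split that the Octets and Gigawords pairs from RFC 2869 imply, plus an assumed rewrite step that scales both directions by a rational factor and writes the result back into the two 32-bit attributes. The attribute dictionary and the scale factor are constructed for the example.

```python
# Acct-Input-Octets / Acct-Output-Octets are 32-bit counters; RFC 2869 adds
# Acct-Input-Gigawords / Acct-Output-Gigawords holding how many times the
# 32-bit octet counter has wrapped. The 64-bit total is therefore
#     total = gigawords * 2**32 + octets
TWO32 = 1 << 32


def total_octets(octets, gigawords=0):
    """Combine an Octets/Gigawords pair into one Python integer."""
    if not 0 <= octets < TWO32 or gigawords < 0:
        raise ValueError("octets must fit in 32 bits and gigawords be non-negative")
    return gigawords * TWO32 + octets


def split_octets(total):
    """Split a 64-bit total back into (gigawords, octets), both 32-bit clean."""
    if total < 0:
        raise ValueError("byte counts cannot be negative")
    return divmod(total, TWO32)


def rewrite_counters(attrs, factor_num, factor_den=1):
    """Assumed rewrite (not from the posts): scale the Acct-(In|Out)put totals by
    factor_num/factor_den using integer arithmetic, then store them back into
    the Octets/Gigawords attribute pairs. Missing attributes count as zero;
    attrs is a plain dict standing in for the request's attribute list."""
    if factor_num < 0 or factor_den <= 0:
        raise ValueError("scale factor must be non-negative")
    out = dict(attrs)
    for direction in ("Input", "Output"):
        octets_key = f"Acct-{direction}-Octets"
        gigawords_key = f"Acct-{direction}-Gigawords"
        total = total_octets(attrs.get(octets_key, 0), attrs.get(gigawords_key, 0))
        gigawords, octets = split_octets(total * factor_num // factor_den)
        out[gigawords_key] = gigawords
        out[octets_key] = octets
    return out


if __name__ == "__main__":
    # Constructed accounting attributes: input has already wrapped once.
    packet = {"Acct-Input-Octets": 4_000_000_000, "Acct-Input-Gigawords": 1,
              "Acct-Output-Octets": 100}
    print(rewrite_counters(packet, 2))
```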


Re: Class attribute

2008-11-28 Thread Alexandre Chapellon


On 27.11.2008 21:41, Alan DeKok wrote:
> Alexandre Chapellon wrote:
>   
>> I have noticed that the "Class" attribute as defined in rfc2865 is a
>> string value, but looking at dictionary that comes with freeradius i saw
>> that it's an octet value.
>> 
>
>   FreeRADIUS was the first to mark some attributes as "binary" versus
> "ascii".  The original RFC's didn't make that distinction.  When they
> were updated, they chose different names for the types.
>
>   We chose "string" and "octets" to mean "ascii" and "binary".  They
> chose "text" and "string".
>
>   
>> As far as I know none of the rfc updating 2865 redefine the class attribute.
>> Is there a reason for this, is it safe to make it a string value?
>> 
>
>   I very much suggest leaving it alone.  Editing things just to make them
> "closer" to the RFC's is not a good idea.  The RFC's are well known to
> be wrong in many cases.
>   

Well, the aim of switching the type is not to be closer to the RFC, I'm not
fanatic enough :)!
My problem is I need to send a string to the NASes in the Access-Accept
and want them to send it back to me as-is in Accounting packets.
Are there other attributes of type string that allow such behaviour
from the NASes?

>   e.g. After a number of similar discussions, RFC 5080 was issued.  It
> fixes a bunch of problems in earlier RFC's, and at one point,  says that
> the FreeRADIUS way of doing things is the best way.  Since I'm a
> co-author, that statement was easy to make.
>
>   I'm currently authoring or co-authoring 4-5 other RADIUS RFC's.  One
> of them will update RFC 4282, which is substantially wrong.
>
>   Alan DeKok.
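RFC 2865 section 5.25 defines Class (attribute 25) for exactly the use asked about above: the server includes it in an Access-Accept and the NAS must return it unmodified in every Accounting-Request for that session. The NAS never interprets the content, which is why FreeRADIUS types it as octets rather than string. The fragment below is an added example for FreeRADIUS 2.x, not configuration from this thread or from the FreeRADIUS distribution; the Tmp-String-0 source and the accounting modules listed are assumptions.

```unlang
# sites-enabled/default (FreeRADIUS 2.x). Added example; Tmp-String-0 is
# assumed to have been filled during authorize (e.g. from SQL reply items).
post-auth {
        # Only an Access-Accept reaches post-auth, so this tags accepted
        # sessions. Class is octets: the NAS stores and echoes the bytes
        # as-is, it does not parse them. Do not put anything in it that
        # must stay private; it is logged on the NAS and travels in clear.
        if ("%{control:Tmp-String-0}" != "") {
                update reply {
                        Class := "plan=%{control:Tmp-String-0}"
                }
        }
}

accounting {
        # The NAS returns Class in every Acct-Start/Interim/Stop of the
        # session. As octets it expands to 0x-prefixed hex, which is the
        # form to store if you correlate accounting with the original
        # authorization. Treat it as NAS-supplied data: trusted only as
        # far as the NAS and its shared secret are.
        if (Class) {
                update request {
                        Tmp-String-1 := "%{Class}"
                }
        }
        detail
        sql
}
```

The same %{Class} expansion can be used directly in the accounting queries in sql.conf if you want the tag stored in radacct next to the session.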

Class attribute

2008-11-27 Thread Alexandre Chapellon
Hello,

This message is more precisely directed to Alan.
I have noticed that the "Class" attribute as defined in RFC 2865 is a
string value, but looking at the dictionary that comes with freeradius I saw
that it's an octets value.
As far as I know none of the RFCs updating 2865 redefine the Class attribute.
Is there a reason for this? Is it safe to make it a string value?


Re: PPTP + FreeRadius + LDAP

2008-11-27 Thread Alexandre Chapellon
 string Microsoft
> ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
>
> ATTRIBUTE MS-Filter 22 string Microsoft
> ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
> ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
>
> ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
> ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
> ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
>
> ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
> ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
> ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
> ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
>
> #ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
>
>
> #
> # Integer Translations
> #
>
> # MS-BAP-Usage Values
>
> VALUE MS-BAP-Usage Not-Allowed 0
> VALUE MS-BAP-Usage Allowed 1
> VALUE MS-BAP-Usage Required 2
>
> # MS-ARAP-Password-Change-Reason Values
>
> VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
> VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
> VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
> VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
>
> # MS-Acct-Auth-Type Values
>
> VALUE MS-Acct-Auth-Type PAP 1
> VALUE MS-Acct-Auth-Type CHAP 2
> VALUE MS-Acct-Auth-Type MS-CHAP-1 3
> VALUE MS-Acct-Auth-Type MS-CHAP-2 4
> VALUE MS-Acct-Auth-Type EAP 5
>
> # MS-Acct-EAP-Type Values
>
> VALUE MS-Acct-EAP-Type MD5 4
> VALUE MS-Acct-EAP-Type OTP 5
> VALUE MS-Acct-EAP-Type Generic-Token-Card 6
> VALUE MS-Acct-EAP-Type TLS 13
> 
>
> Thanks in advanced!
>
> Douglas
>
> On Thu, Nov 27, 2008 at 4:06 PM, Alexandre Chapellon
> <[EMAIL PROTECTED]> wrote:
>
>
>
> On 27.11.2008 07:17, Douglas Macedo wrote:
>> Hey TNT,
>>
>> On Thu, Nov 27, 2008 at 2:54 PM, <[EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]>> wrote:
>>
>> >i force in WIndows Client to use only mschap2, but the
>> problem continue:
>> >
>> >-
>> >Module: Instantiated radutmp (radutmp)
>> >Listening on authentication *:1812
>> >Listening on accounting *:1813
>> >Ready to process requests.
>> >rad_recv: Access-Request packet from host
>> 150.162.67.254:32858, id=109,
>> >length=53
>> >Service-Type = Framed-User
>> >Framed-Protocol = PPP
>> >User-Name = "douglas"
>> >NAS-IP-Address = 1.1.1.1
>> >NAS-Port = 0
>>
>> This is nothing to do with freeradius. I don't see your NAS
>> sending
>> mschap attributes.
>>
>>
>> How I can fix that? Where i configure that?
>>  
>>
>>
>> >In PPTP debug show:
>> >
>> ..
>> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown
>> attribute 11
>> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown
>> attribute 25
>>
>> Has your radius client got mschap dictionary?
>>
>>
>> I'm using the RadiusClient1 of Debian.
>>
>> --
>> epiderme:/etc/radiusclient# ls -l
>> total 52
>> -rw-r--r-- 1 root root  6502 2008-11-26 13:10 dictionary
>> -rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
>> -rw-r--r-- 1 root root  1517 2006-10-29 08:54 dictionary.compat
>> -rw-r--r-- 1 root root   599 2006-10-29 08:54 dictionary.merit
>> -rw-r--r-- 1 root root   135 2006-10-29 08:54 issue
>> -rw-r--r-- 1 root root   410 2006-10-29 08:54 port-id-map
>> -rw-r--r-- 1 root root  2630 2008-11-24 15:24 radiusclient.conf
>> -rwxr-xr-x 1 root root  2621 2008-11-24 13:33 radiusclient.conf.EPI
>> -rw--- 1 root root   272 2008-11-24 13:12 servers
>> --
>
> Copy the Microsoft dictionary from your freeradius install to your
> pptp server, and add it to the dictionary list.
> Additionally (this may not be related to your problem) having
> multiple require- in the pptpd config is nonsense; if
> you want to enable multiple protocols for authentication, use
> +pap, +chap, +mschap instead of require-...
>
>
>>
>> --
>> epiderme:/etc/radiusclient# cat radiusclient.conf
>> auth_order  radius,local
>> login_tries 4
>> login_timeout   60
>> nologin /etc/nologin
>>

Re: PPTP + FreeRadius + LDAP

2008-11-27 Thread Alexandre Chapellon


On 27.11.2008 07:17, Douglas Macedo wrote:
> Hey TNT,
>
> On Thu, Nov 27, 2008 at 2:54 PM, <[EMAIL PROTECTED]
> > wrote:
>
> >i force in WIndows Client to use only mschap2, but the problem
> continue:
> >
> >-
> >Module: Instantiated radutmp (radutmp)
> >Listening on authentication *:1812
> >Listening on accounting *:1813
> >Ready to process requests.
> >rad_recv: Access-Request packet from host 150.162.67.254:32858
> , id=109,
> >length=53
> >Service-Type = Framed-User
> >Framed-Protocol = PPP
> >User-Name = "douglas"
> >NAS-IP-Address = 1.1.1.1 
> >NAS-Port = 0
>
> This is nothing to do with freeradius. I don't see your NAS sending
> mschap attributes.
>
>
> How I can fix that? Where i configure that?
>  
>
>
> >In PPTP debug show:
> >
> ..
> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown
> attribute 11
> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown
> attribute 25
>
> Has your radius client got mschap dictionary?
>
>
> I'm using the RadiusClient1 of Debian.
>
> --
> epiderme:/etc/radiusclient# ls -l
> total 52
> -rw-r--r-- 1 root root  6502 2008-11-26 13:10 dictionary
> -rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
> -rw-r--r-- 1 root root  1517 2006-10-29 08:54 dictionary.compat
> -rw-r--r-- 1 root root   599 2006-10-29 08:54 dictionary.merit
> -rw-r--r-- 1 root root   135 2006-10-29 08:54 issue
> -rw-r--r-- 1 root root   410 2006-10-29 08:54 port-id-map
> -rw-r--r-- 1 root root  2630 2008-11-24 15:24 radiusclient.conf
> -rwxr-xr-x 1 root root  2621 2008-11-24 13:33 radiusclient.conf.EPI
> -rw--- 1 root root   272 2008-11-24 13:12 servers
> --

Copy the Microsoft dictionary from your freeradius install to your pptp
server, and add it to the dictionary list.
Additionally (this may not be related to your problem) having multiple
require- in the pptpd config is nonsense; if you want to
enable multiple protocols for authentication, use +pap, +chap,
+mschap instead of require-...

>
> --
> epiderme:/etc/radiusclient# cat radiusclient.conf
> auth_order  radius,local
> login_tries 4
> login_timeout   60
> nologin /etc/nologin
> issue   /etc/radiusclient/issue
> authserver  ldap.telemedicina.ufsc.br
> 
> acctserver  ldap.telemedicina.ufsc.br
> 
> servers /etc/radiusclient/servers
> dictionary  /etc/radiusclient/dictionary
> login_radius/usr/sbin/login.radius
> seqfile /var/run/radius.seq
> mapfile /etc/radiusclient/port-id-map
> default_realm
> radius_timeout  10
> radius_retries  3
> login_local /bin/login
> --
>
>
> But I don't found the attributes to MS-CHAP:
>
> --
> epiderme:/etc/radiusclient# cat dictionary | grep MS-CHAP
> epiderme:/etc/radiusclient# cat dictionary | grep MSCHAP
> epiderme:/etc/radiusclient# cat dictionary | grep mschap
> --
>
> Just to CHAP:
>
> --
> epiderme:/etc/radiusclient# cat dictionary | grep -i chap
> ATTRIBUTE   CHAP-Password   3   string
> ATTRIBUTE   Chap-Challenge  60  string
> --
>
> That's correct?
No, you need the MS-CHAP attributes.
>
> Thanks a lot in advanced,
> Douglas
>  
>
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
>
>
> -- 
> Douglas Macedo
> [EMAIL PROTECTED] 
> --
> One judges an individual's intelligence by the amount of uncertainty
> he is able to bear.
> (Immanuel Kant)
> 
>

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alexandre Chapellon


On 26.11.2008 09:32, Douglas Macedo wrote:
> Alexandre,
>
> if I try mschapv2 in Windons client:
>
> --
> rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46, length=52
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "nobody"
> NAS-IP-Address = 1.1.1.1
> NAS-Port = 0

Did you truncate the Access-Request before posting??? There is no
information about the CHAP challenge, so there is no way freeradius can handle
it with rlm_chap...

Additionally your pptp config seems strange to me.
You *REQUIRE* chap + mschap + mschapv2!!! Shouldn't a requirement be
unique? I would just keep require mschapv2 (and so force the Windows client to use it).
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched entry DEFAULT at line 198
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for nobody
> radius_xlat:  '(&(objectClass=posixAccount)(uid=nobody))'
> radius_xlat:  'ou=Users,dc=telemedicina,dc=ufsc,dc=br'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.telemedicina.ufsc.br:389, authentication 0
> rlm_ldap: bind as cn=Manager,dc=telemedicina,dc=ufsc,dc=br/ckf45c to
> ldap.telemedicina.ufsc.br:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=Users,dc=telemedicina,dc=ufsc,dc=br,
> with filter (&(objectClass=posixAccount)(uid=nobody))
> rlm_ldap: Password header not found in password
> 5A88C11C0EDC83D3DEA6AE1A0653E889 for user nobody
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding sambaNtPassword as NT-Password, value
> 5A88C11C0EDC83D3DEA6AE1A0653E889 & op=21
> rlm_ldap: Adding sambaLmPassword as LM-Password, value
> 89E0B38AC380D2B8AAD3B435B51404EE & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user nobody authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
> rlm_pap: Normalizing NT-Password from hex encoding
> rlm_pap: Normalizing LM-Password from hex encoding
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user nobody authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
> rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 1
> rlm_pap: Normalizing NT-Password from hex encoding
> rlm_pap: Normalizing LM-Password from hex encoding
> rlm_pap: No clear-text password in the request.  Not performing PAP.
>   modcall[authorize]: module "pap" returns noop for request 1
> modcall: leaving group authorize (returns ok) for request 1
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [nobody] (from client access-vpn port 0)
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request
> --
>
> Any idea?
>
> Thanks in advanced,
> Douglas
>
> On Wed, Nov 26, 2008 at 5:27 PM, Alexandre Chapellon
> <[EMAIL PROTECTED]> wrote:
>
> trying forcing windows pptp client to use mschapv2
>
>> On 26.11.2008 09:15, Douglas Macedo wrote:
>> Sorry Alan,
>>
>> but the webpage tells that its don't work. Its impossible? Correct?
>>
>> So, how I can fix that the other way?
>>
>> My pptp-options:
>>
>> ==
>> epiderme:/etc/ppp# cat pptpd-options
>> name pptpd
&

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alexandre Chapellon
Try forcing the Windows PPTP client to use MSCHAPv2.

On 26.11.2008 09:15, Douglas Macedo wrote:
> Sorry Alan,
>
> but the webpage tells that its don't work. Its impossible? Correct?
>
> So, how I can fix that the other way?
>
> My pptp-options:
>
> ==
> epiderme:/etc/ppp# cat pptpd-options
> name pptpd
> refuse-pap
> ##refuse-chap
> require-chap
> ##refuse-mschap
> require-mschap
> require-mschap-v2
> require-mppe-128
> proxyarp
> nodefaultroute
> debug
> lock
> nobsdcomp
> plugin radius.so
> #plugin radattr.so
> radius-config-file /etc/radiusclient/radiusclient.conf
> auth
> ==
>
> And my radiusd.conf:
>
> ==
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = ${prefix}/etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = ${logdir}/radius.log
> libdir = ${exec_prefix}/lib
> pidfile = ${run_dir}/radiusd.pid
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 1024
> bind_address = *
> port = 0
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions= yes
> log_stripped_names = no
> log_auth = yes
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
> checkrad = ${sbindir}/checkrad
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = no
> }
> proxy_requests  = no
> $INCLUDE  ${confdir}/clients.conf
> snmp= no
> thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> }
> modules {
> pap {
> encryption_scheme = crypt
> }
> chap {
> authtype = CHAP
> }
> unix {
> cache = no
> cache_reload = 600
> radwtmp = ${logdir}/radwtmp
> }
> mschap {
> authtype = MS-CHAP
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> }
> ldap {
> server = "ldap.telemedicina.ufsc.br
> "
> identity = "cn=Manager,dc=telemedicina,dc=ufsc,dc=br"
> password = "XXX"
> basedn = "ou=Users,dc=telemedicina,dc=ufsc,dc=br"
> filter = "(&(objectClass=posixAccount)(uid=%u))"
>
> start_tls = no
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> password_header = "{Cleartext-Password}"
> password_attribute = sambaNTPassword
> timeout = 4
> timelimit = 3
> net_timeout = 1
> compare_check_items = no
> }
> realm suffix {
> format = suffix
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> checkval {
> item-name = Calling-Station-Id
> check-name = Calling-Station-Id
> data-type = string
> }
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> }
> files {
> usersfile = ${confdir}/users
> compat = no
> }
> detail {
> detailfile =
> ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> detailperm = 0600
> }
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
> }
> radutmp {
> filename = ${logdir}/radutmp
> username = %{User-Name}
> case_sensitive = yes
> check_with_nas = yes
> perm = 0600
> callerid = "yes"
> }
> radutmp sradutmp {
> filename = ${logdir}/sradutmp
> perm = 0644
> callerid = "no"
> }
> attr_filter {
> attrsfile = ${confdir}/attrs
> }
> counter daily {
> filename = ${raddbdir}/db.daily
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
>   

Re: Could not link driver rlm_sql_oracle: libclntsh.so.10.1

2008-11-24 Thread Alexandre Chapellon


On 23.11.2008 17:39, Ilya wrote:
> hello,
>
> i've got Linux 2.6.9-22 and freeRADIUS server v.2.1.1.
>
> after installing and configured FreeRADIUS i try to to start the
> daemon with -X parametr and get the error:
>
> Could not link driver rlm_sql_oracle: libclntsh.so.10.1: cannot open shared 
> object file: No such file or directory
> Make sure it (and all its dependent libraries!) are in the search path of 
> your system's ld.
> /usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
> /usr/local/etc/raddb/sites-enabled/default[152]: Failed to find module "sql".
> /usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize 
> section
>
> can anyone please help to solve this problem or push me to the right
> way?
>
> thanks in advance
>
> ilya
>   

Did you install the Oracle instant client? Where? Did you add the lib path of
this client to your ld path?
Did the rlm_sql_oracle module compile successfully when compiling
freeradius (check config.log)?

>
>
>
>


oracle stored procédure

2008-11-20 Thread Alexandre Chapellon
I'm still trying to set up freeradius authentication with an Oracle stored
procedure.
I have a procedure that returns data as I expected it to be returned in
an sqlplus client:


SQL> SELECT hss_radcheck_func('[EMAIL PROTECTED]','bas3_SE') FROM DUAL;

HSS_RADCHECK_FUNC('K

CURSOR STATEMENT : 1

CURSOR STATEMENT : 1

 ID USERNAME           ATTRIBUTES          VALUE     OP
--- ------------------ ------------------- --------- --
  1 [EMAIL PROTECTED]  Cleartest-Password  mudafuka  ==
  2 [EMAIL PROTECTED]  Simultaneous_Use    1         :=


Unfortunately, when freeradius calls the procedure, it gives me an error
saying:

rlm_sql_oracle: fetch failed in sql_fetch_row: ORA-00932: inconsistent
datatypes: expected CHAR got DTYCWD

What is weird is that we force the procedure to return data as CHAR
(except for ID which is a NUMBER):
here is the end of the procedure...

OPEN resultSet FOR
    -- rlm_sql expects authorize check rows in radcheck layout:
    -- id, username, attribute, value, op (see authorize_check_query in sql.conf)
    SELECT to_number('1')                AS id,
           to_char(name)                 AS username,
           to_char('Cleartext-Password') AS attribute,   -- was "Cleartest-Password"
           to_char(password)             AS value,
           to_char(':=')                 AS op           -- ':=' for a password check item, not '=='
    FROM dual
    UNION
    SELECT to_number('2'),
           to_char(name),
           to_char('Simultaneous-Use'),                  -- hyphen, not underscore
           to_char(loginlimit),
           to_char(':=')
    FROM dual;

RETURN resultSet;

I know this is very Oracle-related but I am totally stuck now with this
problem, and so trying to find help where I can...
Someone who has already set up Oracle auth may help.

thx


Fwd: Re:Re: Fail to disable the Simultanous-use, somebody help me.

2008-11-20 Thread Alexandre Chapellon
It seems like your NAS sends an Accounting Stop for the previous session (NAS-Port
is different) after receiving the response to the Accounting Start (for the
new session)... This would show your NAS asks the radius server to notice a
disconnection it has decided on...
I don't know how Netscreen works, but neither the Access-Accept nor the Accounting
request has any Framed-IP-Address or anything PPP-related... looks strange to
me. This can mean that, although established, the VPN connection doesn't work (you
can easily test this), or Netscreen is managing IP allocation on its own, and so
you should take a look at its config to see if it's able to offer different IP
addresses for one login at the same time (if it tries to give everybody the
same address, no doubt it won't work unless it disconnects the previous
session)... Or you can ask freeradius to handle IP allocation, depending on
your config.


Re: Problem in setting up radius database in sql

2008-11-20 Thread Alexandre Chapellon
Your freeradius seems to be compiled/installed without the MySQL extension
rlm_sql_mysql.


Re: Fail to disable the Simultanous-use, somebody help me.

2008-11-20 Thread Alexandre Chapellon
I don't think your problem has anything to do with Simultaneous-Use checking...
Indeed, when enabled, Sim-Use would REJECT NEW users trying to connect if the
login used has reached the limit. What you say is that a new user (same login)
disconnects the existing session... This sounds more like something with Netscreen
to me... e.g. it could be an IP allocation problem if managed by Netscreen, or
something like this...
Maybe providing the debug output of query processing would be more useful than just
the startup.


Re: How to filter accountings based on the value of a VSA attribute

2008-11-19 Thread Alexandre Chapellon
Having more details about your conf would help, but anyway "unlang" can
do this (man unlang).

# attribute, value and realm are placeholders for your VSA and your realm name
if (attribute == "value") {
        update control {
                Proxy-To-Realm := "realm"
        }
}

P.S: this cannot be done in the proxy.conf file.

On 19.11.2008 08:55, cris miyata wrote:
> Dear FreeRADIUS users,
>
>  
>
> We configured FreeRADIUS to send accounting to 2 different servers, but for 
> one of them I want to send only the accountings that have a VSA attribute 
> equal to a give value.
>
>  
>
> Does anyone know how to do this configuration?
>
>  
>
> Thanks in advance.
>
>  
>
> Regards,
>
>
> Cristina Miyata
>
>   
> 
>
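A fuller version of the idea in the reply above, as an added example for FreeRADIUS 2.x (not the thread's own configuration): the conditional realm assignment goes in preacct, because the proxy decision for an accounting packet is taken after preacct and before the accounting section runs, and the realm it names must exist in proxy.conf with an acct_pool. The home server name, address, secret and the VSA test are placeholders. A packet is proxied to at most one realm; fanning the same packet out to a second server is normally done with the detail-file reader in sites-available/copy-acct-to-home-server, where the same unlang test can be applied.

```unlang
# proxy.conf (FreeRADIUS 2.x syntax). Added example, not the thread's own
# configuration: the server name, address and secret are placeholders.
home_server acct-second {
        type = acct
        ipaddr = 192.0.2.10
        port = 1813
        secret = replace-with-a-long-random-secret
        response_window = 20
        zombie_period = 40
        status_check = none     # nothing to ping on an accounting-only server
}

home_server_pool acct-second-pool {
        type = fail-over
        home_server = acct-second
}

realm acct-second {
        acct_pool = acct-second-pool
        nostrip                 # proxy the User-Name exactly as received
}

# sites-enabled/default, preacct section. The realm must be chosen here:
# the proxy decision for accounting is made after preacct, before the
# accounting section runs. The VSA name and value are placeholders for
# whatever attribute distinguishes the packets the second server should see.
preacct {
        preprocess
        acct_unique
        suffix
        if (Cisco-AVPair == "connect-progress=Call Up") {
                update control {
                        Proxy-To-Realm := "acct-second"
                }
        }
        files
}
```

Run the server with radiusd -X and send one matching and one non-matching Accounting-Request to confirm that only the matching one is forwarded to the home server; an unknown or unreachable home server shows up as zombie/dead transitions in the same debug output.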

Re: oracle

2008-11-17 Thread Alexandre Chapellon
OK, thanks :) this really makes me happy :)

Can you please explain to me what type of data the procedure returns to
freeradius?

On 17.11.2008 16:17, Ryan Melendez wrote:
> Oracle stored procedures have worked fine for me.
>
> Thanks,
> Ryan
>
> -Original Message-
> From:
> [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> org] On Behalf Of Alexandre Chapellon
> Sent: Monday, November 17, 2008 7:33 PM
> To: FreeRadius users mailing list
> Subject: oracle
>
> Does anyone already used oracle stored proc as auth queries?
>
> Is it known to worl or known not to work?
>
> regards


oracle

2008-11-17 Thread Alexandre Chapellon
Has anyone already used Oracle stored procedures as auth queries?

Is it known to work or known not to work?

regards


stored procedures

2008-11-17 Thread Alexandre Chapellon
Hello,

I need to authenticate dial-in users against an SQL DB, and to use a
stored procedure to do so (there are a lot of conditions to treat before
returning authentication data).
In what format can the stored procedure send data to freeradius? Is
there any place where it is documented?

thx


Re: Compiling git-2.1.1 on debian

2008-11-06 Thread Alexandre Chapellon
Weird, because it has been corrected for weeks in the git repository.
Maybe you should just update your git tree.


On 06.11.2008 01:32, rgreiner wrote:
> Thanks for the tip, but in the mean time I found out why the default
> 2.1.1 package did not compile.
>
> In the debian/patches/01-radiusd-to-freeradius.dpatch file, on line 38,
> the following line:
>
> -pidfile = ${run_dir}/radiusd.pid
>
> Must be changed to
>
> -pidfile = ${run_dir}/${name}.pid
>
> Doing that, the standard 2.1.1 package compiles fine.
>
> Thank you for your help,
>
> Roberto
>
> Alexandre Chapellon wrote:
>   
>> Try compiling using the bundled libtool:
>> remove "--with-system-libtool" from debian/rules,
>> then relaunch dpkg-buildpackage.
>>
>> On 05.11.2008 09:53, rgreiner wrote:
>>   
>> 
>>> Hi,
>>>
>>> I'm trying to compile 2.1.1 on debian using the git version (the
>>> standard package stops at the beginning due to the problem with the
>>> patches for debian), and in the middle of the checking part it stopped
>>> with a message about "INSTALL_LTDL" not being defined (full output
>>> below). Could someone please give me a hand? A quick googling didn't
>>> come up with anything usable
>>>
>>> Thanks,
>>>
>>> Roberto
>>>
>>> dpkg-buildpackage: source package is freeradius
>>> dpkg-buildpackage: source version is 2.1.1-0
>>> dpkg-buildpackage: source changed by Alan DeKok <[EMAIL PROTECTED]>
>>> dpkg-buildpackage: host architecture i386
>>> dpkg-buildpackage: source version without epoch 2.1.1-0
>>>  debian/rules clean
>>> dpatch  deapply-all 
>>> 02-dialupadmin-help not applied to ./ .
>>> 01-radiusd-to-freeradius not applied to ./ .
>>> rm -rf patch-stamp patch-stampT debian/patched
>>> dh_testdir
>>> dh_clean
>>> rm -f build-arch-stamp build-indep-stamp libltdl/stamp-h1
>>> rm -f install-arch-stamp install-indep-stamp configure-stamp
>>> [ -f Make.inc ] && make distclean || true
>>> # The make clean forgets to remove this build directory
>>> [ -d src/modules/lib ] && rm -fr src/modules/lib || true
>>> # Put the original autotools files back in place
>>> [ -f config.sub.dist ] && rm config.sub && mv config.sub.dist config.sub
>>> || true
>>> [ -f config.guess.dist ] && rm config.guess && mv config.guess.dist
>>> config.guess || true
>>>  debian/rules build
>>> test -d debian/patched || install -d debian/patched
>>> dpatch  apply-all 
>>> applying patch 01-radiusd-to-freeradius to ./ ... ok.
>>> applying patch 02-dialupadmin-help to ./ ... ok.
>>> dpatch  cat-all  >>patch-stampT
>>> mv -f patch-stampT patch-stamp
>>> dh_testdir
>>> # Update the autotools files if necessary
>>> # Force Build-Depends on autotools-dev for /usr/share/misc/config.*
>>> if [ -e config.sub.dist ]; then rm config.sub; else mv config.sub
>>> config.sub.dist; fi
>>> if [ -e config.guess.dist ]; then rm config.guess; else mv config.guess
>>> config.guess.dist; fi
>>> ln -s /usr/share/misc/config.sub config.sub
>>> ln -s /usr/share/misc/config.guess config.guess
>>> ./configure \
>>> --build i486-linux-gnu \
>>> --config-cache \
>>> --prefix=/usr \
>>> --exec-prefix=/usr \
>>> --mandir=/usr/share/man \
>>> --sysconfdir=/etc \
>>> --libdir=/usr/lib/freeradius \
>>> --datadir=/usr/share \
>>> --localstatedir=/var \
>>> --with-raddbdir=/etc/freeradius \
>>> --with-logdir=/var/log/freeradius \
>>> --with-system-libtool --disable-ltdl-install \
>>> --with-large-files --with-udpfromto --with-edir \
>>> --enable-developer \
>>> --with-rlm-sql-postgresql-lib-dir=`pg_config --libdir` \
>>> --with-rlm-sql-postgresql-include-dir=`pg_config
>>> --includedir`
>>> configure: creating cache config.cache
>>> checking for gcc... gcc
>>> checking for C compiler default output file name... a.out
>>> checking whether the C compiler works... yes
>>> checking whether we are cross compiling... no
>>> checking for suffix of executables...
>>> checking for suf
