Re: [rad] Re: etc_passwd

2009-07-28 Thread Charles Gregory

On Tue, 28 Jul 2009, Kaz Zurad wrote:

Thank you, John, for the clue.
But I have another question.
For RHEL4 is only available version 1.0.1. Can I use version dedicated
for Fedora from this site http://koji.fedoraproject.org?


You should find your version sufficient for simple needs.
Otherwise, I highly recommend installing the latest version directly
from source so that any advice you get here is going to 'apply' to you. :)

- Charles
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [rad] Re: etc_passwd

2009-07-28 Thread Charles Gregory

On Tue, 28 Jul 2009, Kaz Zurad wrote:

Thank you. I meant RHEL 4. I will try to install and implement it.


I am using CentOS 4 which is the 'free' version of RHEL 4,

You should be able to install the freeradius rpm package via yum (or 
perhaps already installed with initial install). You don't need to
install a more recent version unless you are doing something complicated 
that needs newer features. Though please understand that most people on 
this list know solutions for the newer versions and if you want serious 
help with things like 'EAP' and 'LDAP' you may need to upgrade.


But to just do 'simple' authentication from etc_passwd.

/etc/raddb/radiusd.conf needs to be reviewed for things like 
server IP address and port, etc, but should pretty much work 'out of the box'.


/etc/raddb/clients.conf needs an entry listing your NAS (eg. Cisco AS5300)
with the 'secret' (password) it will use to talk to radius,

To use etc_passwd for authentication, in the /etc/raddb/users file,
uncomment and edit the entries (well commented!) that show how to
configure a 'default' user with 'Auth-Type = System'.

Yes, that easy!

- Charles


Re: attrs filtering - regex pattern matching

2009-06-26 Thread Charles Gregory

On Thu, 25 Jun 2009, Francisco wrote:

I'd like our radius proxy server to allow an A/V pair, but, cannot find any
examples where I can apply any regex type rules to allow a range of values.
For example, I received the following from a remote radius server :
Cisco-AVPair = vpdn:ip-addresses=10.10.1.4
and would want to (using attrs) allow anything that matches:
Cisco-AVPair = vpdn:ip-addresses=.*
Where ".*" would be anything following the "="
How might I allow this using attrs?
I'm running freeradius 1.0.5
I can't upgrade to 2.x yet, so I'm looking for suggestions/feedback for 1.x


LOL! Hi Francisco! Fancy meeting you here! ;)

Did you try:

Cisco-AVPair =~ "vpdn:ip-addresses=.*"

?? I found this in 'man 5 users'.
So you're on 1.x too, huh? Funny how many of us are. :)

- Charles



Re: [rad] Cannot Authenticate - Help!

2009-06-17 Thread Charles Gregory


I notice it matching multiple 'DEFAULT' entries in your 'users' file.
Make sure that one of them doesn't enforce an 'auth-type' other than 
the one you want to use here.


- Charles

On Wed, 17 Jun 2009, Filipe Scalioni wrote:

I'm new to FreeRadius, and I'm having some hard time to put it to
work. Simply talking: I can authenticate from my linux (Suse 11.1)
using radtest, directly linked to the server (LAN). Here is the
answer:

protagoras:~ # radtest teste teste 192.168.10.113:1812 1812 testing123
Sending Access-Request of id 240 to 192.168.10.113 port 1812
    User-Name = "teste"
    User-Password = "teste"
    NAS-IP-Address = 127.0.0.2
    NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.10.113 port 1812,
id=240, length=20

So, it works... But then I put the AP to work (Linksys wrt54g),
configured like this:

Security mode: WPA Enterprise
WPA Algorithms: TKIP
RADIUS Server Address: 192.168.10.113 - this is my RADIUS server IP
RADIUS Port: 1812
Shared Key: testing123
Key Renewal Timeout: 3600 seconds

All good, but when I try to connect from Windows XP, Vista or 7,
configured like this

Network Authentication: WPA
Data Encryption: TKIP
EAP Type: PEAP
Authentication Method: MsCHAPv2
Not sending my windows login parameters

It never authenticates... No matter what I do. I tried everything I
could find on the list or FAQ before registering. Here goes the log

[r...@testecent raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd.pid"
 main: bind_address = 192.168.10.113 IP address [192.168.10.113]
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain}"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = "ldap.your.domain"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "o=My Org,c=UA"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = 

Re: [rad] Re: Problem with external authentication script

2009-06-17 Thread Charles Gregory

On Wed, 17 Jun 2009, Stefan Kuegler wrote:

/etc/freeradius/users
-
DEFAULT   Auth-Type = MOTP
  Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}'",
  Fall-Through = yes

user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0


If this correctly represents the order of your entries, then your 
program execution command is getting 'constructed' on the DEFAULT entry 
*before* you assign those values on the 'user1' entry.


Try moving the user1 line before the DEFAULT (and reverse the 'fall 
through' specifications)


- Charles


Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.

2009-06-17 Thread Charles Gregory

On Wed, 17 Jun 2009, Elias Abou Zeid wrote:

Just out for sake of completeness. On FreeRADIUS Version 1.1.7
I tried both User-Password == "test" and Cleartext-Password := "test".
They both work fine when the user entry is before default setting in
users file.
Just to let you know.
Elias


Thank you, Elias.

- Charles


Re: [rad] RE: Free Radius users record samples for SmartEdge router subcriberauthentication.

2009-06-17 Thread Charles Gregory

On Wed, 17 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

abc  User-Password == "test"

that is wrong. wrong and wrong


Okay, this isn't just my favorite quibbler jumping on me. So I have to 
ask, even if there is a 'better' syntax, or a 'preferred' way of doing 
things, why is this 'standard' old radius check item so 'wrong'?


I checked the docs, and it *appears* that checking an input attribute 
value against a hard-coded constant is still valid syntax. Though I notice 
that the example that both Elias and I quote is *gone* from the 1.1.7 docs 
(Elias, please check, I think you have man pages and/or documentation from 
a version of FR earlier than your 1.1.7! This really confuses things!).


So why is Input-Attribute == "value" now wrong?
Is it just wrong for the Passwords? Groups?
Or is '==' deprecated for all check items past a certain release?
If so, why is it still in the 'users' man page for 2.x?
I finally noticed that "Cleartext-Password" is not an input attribute, 
which suggests that there is something 'different' about the way we're 
now specifying input attribute checking in the users file. I don't doubt 
that it 'makes sense' according to some new way of doing things, but it 
looks like an amazing departure from 'classic' Livingston syntax


If so, I'm *really* glad I didn't upgrade my live version. :-O

- Charles


Re: [rad] RE: Free Radius users record samples for SmartEdge router subcriberauthentication.

2009-06-16 Thread Charles Gregory

On Tue, 16 Jun 2009, Elias Abou Zeid wrote:

Sorry for the :=, == confusion. I was doing it right using ==.


Neither is 'right' or 'wrong'. You just need to be sure what you want to 
achieve with them. I'm not a complete expert on this, so if in doubt,

try it *both* ways. (smile) One of them will work.

I still suggest:


abc  User-Password == "test"
   Service-Type = Framed-User,
   Framed-Protocol = PPP


...and make sure there are no  default entries to interfere. :)

- C


Re: [rad] RE: Free Radius users record samples for SmartEdgerouter subcriberauthentication.

2009-06-16 Thread Charles Gregory

On Tue, 16 Jun 2009, Elias Abou Zeid wrote:

a...@radius  Cleartext-Password := "test"
   Service-Type = Framed-User,
   Framed-Protocol = PPP


Why do you specify a realm (@RADIUS)? Try removing it, or, as suggested 
by others, specify a default realm.



   users: Matched entry DEFAULT at line 152
   users: Matched entry DEFAULT at line 171
   users: Matched entry DEFAULT at line 183


These lines tell us that you have more rules in your users file
than the one you list above. Taken at face value, looks like two rules 
with 'fall through' followed by one without. And it never gets to the rule 
for 'abc'.


Remember that radius looks for the first matching rule in your users file. 
DEFAULT rules should go at the bottom.


- Charles
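
The first-match and Fall-Through behaviour discussed in this reply, together with the `==` and `:=` check-item operators quoted from `man 5 users` elsewhere in the thread, as an added Python model (not part of the original post and not FreeRADIUS code). The function names and the sample users data are constructed for illustration, and only the `==`, `:=`, `=` and `+=` operators are modelled.

```python
import re

# One item: attribute, operator, value (optionally quoted), comma-separated.
ITEM = re.compile(r'([\w-]+)\s*(==|:=|\+=|=)\s*"?([^",]*?)"?\s*(?:,|$)')

def parse_users(text):
    """Parse a simplified 'users' file into entries with their line numbers."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: name + check items
            parts = line.split(None, 1)
            checks = ITEM.findall(parts[1]) if len(parts) > 1 else []
            entries.append({"line": lineno, "name": parts[0],
                            "checks": checks, "replies": []})
        elif entries:                      # indented line: reply items
            entries[-1]["replies"] += ITEM.findall(line)
    return entries

def evaluate(entries, request):
    """Walk entries top to bottom; stop at the first match without Fall-Through."""
    config, reply, matched = {}, {}, []
    for e in entries:
        if e["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        # '==' matches only if the request carries that attribute with that value;
        # ':=', '+=' and '=' never prevent a match.
        if any(op == "==" and request.get(a) != v for a, op, v in e["checks"]):
            continue
        matched.append(e["line"])
        for a, op, v in e["checks"]:
            if op == ":=":                 # replace in the configuration items
                config[a] = [v]
            elif op == "+=":               # add to the configuration items
                config.setdefault(a, []).append(v)
            elif op == "=":                # set only if not already present
                config.setdefault(a, [v])
        fall_through = False
        for a, op, v in e["replies"]:
            if a == "Fall-Through":
                fall_through = v.lower() == "yes"
            elif op == ":=":
                reply[a] = v
            else:                          # '=' adds only if not already present
                reply.setdefault(a, v)
        if not fall_through:
            break
    return {"matched": matched, "config": config, "reply": reply}

# Constructed sample: three DEFAULT entries ahead of the user entry, the
# third without Fall-Through, mirroring the debug lines quoted above.
USERS_DEFAULT_FIRST = """\
DEFAULT Auth-Type = System
    Fall-Through = Yes

DEFAULT Service-Type == Framed-User
    Framed-Protocol = PPP,
    Fall-Through = Yes

DEFAULT
    Framed-MTU = 1500

abc User-Password == "test"
    Service-Type = Framed-User,
    Framed-Protocol = PPP
"""

# Same entries with the user entry moved to the top.
_blocks = USERS_DEFAULT_FIRST.strip().split("\n\n")
USERS_USER_FIRST = "\n\n".join([_blocks[-1]] + _blocks[:-1])

# Same again, but the check item uses ':=' instead of '=='.
USERS_USER_SET = USERS_USER_FIRST.replace("User-Password ==", "User-Password :=")

GOOD = {"User-Name": "abc", "User-Password": "test", "Service-Type": "Framed-User"}
BAD = dict(GOOD, **{"User-Password": "wrong"})

if __name__ == "__main__":
    for label, text, req in [("DEFAULT first", USERS_DEFAULT_FIRST, GOOD),
                             ("user first", USERS_USER_FIRST, GOOD),
                             ("user first, wrong password", USERS_USER_FIRST, BAD),
                             ("':=' entry, wrong password", USERS_USER_SET, BAD)]:
        print(label, evaluate(parse_users(text), req))
```

The model covers entry selection only; whether the request is then accepted is decided by the authenticate stage, which is not modelled here.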


Re: [rad] RE: Free Radius users record samples for SmartEdge router subcriberauthentication.

2009-06-16 Thread Charles Gregory

On Tue, 16 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

abc  User-Password == "passwd"

huh?
abc Cleartext-Password := "passwd"
that's true for 1.1.6 (iirc) upwards


My turn to 'huh?'.

According to the 'users' man page (man 5 users):
   Attribute := Value
Always matches as a check item, and replaces in the
configuration items any attribute of the same name.

My impression from the OP's first use of "==" was that he was 
hard-coding the password into the users file. So wouldn't the
above code 'replace' the password, producing an 'always authenticates' 
kind of condition? The example in the users man itself is:


EXAMPLES
  bob  User-Password == "hello"

  Requests  containing  the User-Name attribute, with value
  "bob", will be authenticated using the password "bob".

Which is, I think, a typo. It should say "authenticated with the password 
"hello", shouldn't it?


- Charles



Re: [rad] RE: Free Radius users record samples for SmartEdge router subcriberauthentication.

2009-06-16 Thread Charles Gregory

On Tue, 16 Jun 2009, Elias Abou Zeid wrote:

I tried the different suggestions but I still get authentication login
incorrect even though the username and password passed by the Redback
router are correct and as filled in subscribers record
On Radius server.

a...@radius  User-Password := "passwd"


This syntax SETS the User-Password attribute. It's almost like
saying "accept any password and replace it with this value".
Please review "man 5 users" for the use of "=", ":=", et al.

Have you tried:

abc  User-Password == "passwd"
  Service-Type = Framed-User,
  Framed-Protocol = PPP

I don't know what this next line does, so unless *you* do, may
I suggest leaving it out while testing?

  Bind_Auth_Context = RADIUS

- Charles


Re: [rad] Free Radius users record samples for SmartEdge router subcriber authentication.

2009-06-16 Thread Charles Gregory

On Tue, 16 Jun 2009, Elias Abou Zeid wrote:
I am trying a simple authenticate pppoe subscriber in radius server (v 
1.188.2.4.2.11) for subscribers coming through Redback SmartEdge 800 
router. As I am new to this I looked for some examples for users 
configuration on RADIUS but could not find. I have tried something out 
but seems missing certain stuff:


abc Auth-Type := Local, Password == "passwd"


I notice the example in the comments of the 'users' file references
the check item "User-Password" not just "Password". That might
make a difference.

Another option: Are these users going to be in your local *nix
password file (for mail or login)? If so, then don't specify passwords in 
the users file at all. Just use an Auth-Type += System, and let FR pluck 
it from the system files.


- Charles

Re: [rad] Re: rlm_exec wiki

2009-06-16 Thread Charles Gregory

On Mon, 15 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

it would be much better if there was a full delineation between
1.x and 2.x docs - the web is full of older resources that don't
say what version their tweaks and info is good for.


(nod) I don't know enough about the differences between 1.x and 2.x
to say whether it would be better to have two complete document trees, 
like the apache server, or annotated with "applies to versions x-y" the 
way the postfix docs do it. I get the feeling that for the most part 
features have been *added* to FreeRADIUS, and very little removed. But is 
that actually the case?



if i see one more config with Auth-Type = EAP  I'll scream ;-)


Had to look that one up. First hit on google explained it all LOL

- Charles



Re: [rad] Re: Problem with external authentication script

2009-06-15 Thread Charles Gregory

On Mon, 15 Jun 2009, Stefan Kuegler wrote:

>  exec motp {
>    wait = yes
>    program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}"
>    input_pairs = request
>    output_pairs = config
>  }


Silly thought:
The exec is named 'mopt' with an 'm'.
But your script is 'optverify' with no 'm'.
Just want to be sure that's not a silly typo :)


It seems, that freeradius never uses the "MOTP"-Auth-type:
auth: type "PAP"
+- entering group PAP


Not an expert on motp. But should it be mistaken for 'PAP'? Perhaps
you need to put your check for 'motp' in the auth section *before* PAP?
Or remove the reference to PAP altogether if you never use it?

Do I need to configure something in the authorize-section or somewhere 
else ??


A line with the single word 'motp', probably just above the 'pap' line,
if that is causing trouble

- Charles


Re: rlm_exec wiki

2009-06-15 Thread Charles Gregory

On Mon, 15 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

I think the initial idea would be to document what/how you've used
exec module to define an attribute - rlm_exec is quite bare on the wiki 
;-)


Uh, yeah, almost forgot, that was actually one of the places I looked 
before I posted on the list. :)


I think before I write anything I will test my script a bit further 
and make sure that it has the complete functionality I expect. I'll be 
doing that this week. I'm gonna get a few shots for this next statement 
(grin), but of course, if I want to write for the wiki, I'm going to have 
to install the latest release, to be sure what I write is valid for the 
most current context. Fortunately I have a test box for stuff like this. :)


Thanks.

- Charles


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-15 Thread Charles Gregory

On Mon, 15 Jun 2009, Arran Cudbard-Bell wrote:
See the thing is a lot of the documentation pitfalls aren't there in 2.*, a 
lot of the inconsistencies aren't there in 2.*. I know, because I regularly 
play the dumb user and pester Alan about niggly bits of syntax and 
documentation.


I try to be a fair person. And I knew that one argument used against me 
would be that the docs had improved since version 1.x, but when I had a 
look I found that this 'basic' element remained essentially unchanged.

Indeed the one change I spotted was that the references to 'exec-program'
had disappeared! But there was nothing more about 'exec' modules. And when 
I checked the documentation for the latest release, neither the users file 
itself nor the documentation for it mentions 'exec'. So I would still
have found no help there And the docs for freeradisud.conf remained 
the same.


Think of it this way. In the French language, when someone turns a light 
on they say "make the light OPEN". They *mean* the same thing, but they 
use a different word. But if you don't *know* that, you can spend a lot of 
time trying to figure out why someone wants to 'open' something that you 
just want to turn 'on'.


Thus it was with my understanding of config files in FreeRADIUS. I came 
from a background where config files only contained constants. Nothing 
dynamic. I had come so far as to realize that we could 'specify' modules 
in the main config file, but presumed that sub files remained lists of 
constant specifications. There was no mention of executable code in the 
users file comments, so I presumed that was just the 'wrong place'.


My bad? Well, yes, BUT I would expect that any expert on RADIUS would have 
long ago encountered this kind of thinking and recognize it for what it 
is. And if they really wanted to help, they'd be sure to say a few 'basic' 
things like "what you are looking for is in the README, not the 
individual files". That was all I was asking for, but instead I get this 
attitude like I failed to take advice (sigh)


I've been following this thread (mostly for its Jerry Springer'esq 
qualities) and I saw where you stumbled. The documentation in v1 is far 
from perfect, but if you'd actually read around a bit more then you'd 
have figured out exactly what was going on.


Actually, I *did* exactly that. My only complaint was that I had to hunt 
at random through files I never imagined containing what I wanted. If 
someone had grasped that I was 'not getting it' they could have just 
pointed me where I needed to go. Not saying they were obliged to do so, 
but I am saying they shouldn't treat their failure to do so with the 
attitude that they did 'enough' to help.


The *only* place in 1.* where the syntax used in the rlm_exec example 
exists is in the users file.


Actually, to the uninitiated, that is NOT true. Within the module 
definitions in the radiusd.conf there are numerous 'assignments' of 
values to 'variables' that look remarkably similar to attribute 
assignments. Only once it has been *explained* would I realize that there 
is something special about the users file 'assignments'. And again, I 
point out that the syntax of assigning an executable to an attribute is 
*not* given as an example in the users file. If only it had been, then I 
would have figured it all out without this mess.


But then again, I would also have been using an older technique.

But you're not a user, you're a sysadmin/developer. It's assumed that 
you'll have a modicum of initiative.


Certainly. I *did* find my answer on my own. (smile)

This is the stumbling point. I thought I had looked in all the obvious and 
relevant documents. And enough of them were lacking in detail that I don't 
think anyone can fairly say I didn't bother to look for my answer before I 
posted my question. And that's why I get angry when people just say I was 
offered lots of options. No, not really. They were only options for 
someone who (and I know this happens) posts a question without having read 
*any* of the documentation. I had hoped my included syntax sample would 
have demonstrated that I had made progress. :) But really, if no one 
grasped that I was lacking that key concept, then how would they know to 
tell me where to look for what I wanted? So who is to blame there?


I don't always agree with Alan's way of dealing with users on the list, 
but I understand why he's the way he is.


I understand it too. I just figure if he wants to be helpful, then he could 
try to understand how he wasn't. Yes, it is mostly *my* shortcoming, but 
when someone like me doesn't *know* he has a shortcoming, just saying 
'read the docs' or 'upgrade to 2.x' does not fix this error. I hope my 
comments lend themselves to increased awareness of ignorance and better 
handling of it.



 In all honesty, I don't even know what 'EAP' is.
Extensible Authentication Protocol, it's the Authentication protocol used in 
802.1X (WPA-Enterprise etc...).


Silly 

Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-15 Thread Charles Gregory

On Mon, 15 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

Charles, this is an unpaid community support list. you are coming
across as a very angry person with no regard that the people
on this list aren't paid to give you information which is probably
essential for you to actually do your work, get paid etc.


We have nothing to fear but fear itself. The thing which makes me angry is 
not that people choose to be unhelpful. If Mr. DeKok really thinks I'm not 
worth his time and just doesn't answer my posts, then I have no problem 
with that. I end up doing exactly what I *did* do: I worked it out on my 
own.


What angers me is when I get accused of doing things I didn't do, or of 
rejecting help I didn't receive. This can be subtle. If someone says 'go 
read the docs' am I 'rejecting' that suggestion when I believe I've 
already read all the relevant documentation I could find? It is even more 
angering when you consider that the original question was to ask where 
there might be more docs/examples At any point someone could have 
said, "did you look in /usr/shar/docs/README. I'd feel like a dummy, but I 
would have gotten an important clue about one way to do this. Instead, I 
read the man pages, and read the comments in the config files, and I'm 
sorry, but they were confusing to the point of being misleading.


I'm not asking that people correct docs for an old version, but please 
stop accusing me of failing to do my legwork or heed suggestions to read 
those docs when I've SAID I've done it already.


Yes, makes me quite angry. :)

if you'd actually like any help/advice in the future from the community 
it's probably best that you realise we are all humans, we too suffer from 
undocumented bits (and then use the WIKI or the mailing list to 
disseminate such information) rather than make a big hoo haa out of such 
a piffling little issue and personally attack people.


Actually I'm making a big 'hoo haa' out of being personally attacked with 
these blatantly false claims. Someone with Mr. Dekok's (now) obvious 
knowledge and expertise should never say "I have no idea", like I had 
failed to even lay out the basic intent and method I was trying to use.
He made it sound like I had posted little or nothing about what I was 
trying to do. As near as you can get to lying about me as I think you can 
with a clever indirect statement. And yes, lying about me really angers 
me.



one day you may need real help regarding a feature or option


With respect, why would that be any different than now? That's my point 
about making the big fuss. If the people who *could* help don't reflect 
and refine their understanding of *how* they help, then even if I shut my 
mouth and was very polite, I would have no expectation of ever getting any 
help on anything that I could not look up myself in a man page or file.
Yes, I'm well aware that I could be shooting myself in the foot by 
angering the people who might help me, but they *weren't* helping, so 
really, I lose nothing. While I might stand to gain proper understanding 
of how I was not helped and by extension, help not only myself but anyone 
else in a similar 'newbie' position in future.


I can't predict the future but i can say the future is always more 
promising if you can look back and say you've never burnt your bridges.


To be honest, if I wanted to burn bridges I would just unsubscribe from 
the group. Burn and forget. No, I'm still hanging onto the assumption that 
the people who argue so passionately actually *do* care, and if I can 
convince them that they fell short in this case, and that not all the 
blame is mine, then maybe that will be of lasting benefit, rather than 
leaving things at the status quo, where a certain percentage of people 
just don't get help (even though others think they are).


Thanks for your thoughts Alan. I know I'm an angry argumentative person, 
but I always do so with the intent to make things BETTER.


- Charles


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-15 Thread Charles Gregory

On Mon, 15 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

one of the main issues is using a distro version of the code.


(nod) Once John mentioned a folder I just didn't have, the light came on 
(so to speak) :)



...they might have been dumped into somewhere like /usr/share/doc/radiusd
or somesuch.


(smile) Nope. But good thought.
Strictly speaking, all the information I needed was in the various
documentation files. I just made an error of presumption from the 'look'
of the code and examples and comments in the 'radiusd.conf' file


you can get v2.x for CentOS - read the WIKI - there's a repository for
it too so it will get updated with new versions.


Well, if I had been unable to make the existing package work, it was 
certainly an option. But it's better the way I have it now. :)



as for 'marking you down as yet another stubborn user' - well I thought
by singularly attacking the project leader/manager you were wanting to
be thought of like that ;-)


I hope I don't set off another round of garbage with this comment, but 
quite honestly, he has an attitude I've never seen in a project leader. 
Usually they are the ones who have had years of experience dealing with 
newbies and *know* the stupid 2+2=3 mistakes that people like me can make, 
and would be the first one to say, "hey, dummy, that goes in the users 
file". But instead, I got. what I got.


I work in a similar capacity being both the developer/admin for our
internet service *and* the helpdesk. And the one thing I've learned in 
dealing with people on the phone is how differently all sorts of people 
will think, and how difficult some concepts are to get across even when 
they seem 'simple' and 'obvious' to me. It takes some time and patience, 
but I've learned to recognize the signs of the user who 'thinks 
differently' and know those special things I need to mention to get them 
back 'on track', and get them thinking the right way.


seriously though, most (if not all) support will be for 2.x now - as 
that's what most of us run - due to wanting the features, stability and 
speed (yes, lots of speed!) of the new version. we all used to run 1.x 
and deal with common/similar issues... we now run 2.x and do the same.


If I had 'issues' (aka problems) I would quite simply upgrade. It would 
not be worth my time or effort to try and fight with problematic old code. 
But FR is *not* problematic. It was just my understanding. I needed to 
know *how* to do what I wanted to do. It's always been my ignorance.
And I've not asked anyone to 'hand hold'. I just figured there had to be 
some working examples out there from the 1.x days.


 with EAP, 2.x is almost a must (unless you want your DB etc hit far 
too many times).


In all honesty, I don't even know what 'EAP' is. Maybe it could handle
some of what I want to do. I don't know. I have an existing perl script 
which until now has been functioning strictly as a stand-alone daemon 
handling radius log output, and sending disconnect commands directly to 
the NAS. Now we want to set Session-Timeout and eliminate that 'timing' 
aspect of the script. But all the database handling, time quota management 
and so on are already coded. I'm just adapting an existing script to work 
as a module.


And I've figured out how radius handles that, so I think I'm okay.
The rest of this discussion generally boils down to the helpdesk geek in 
me analyzing why the people with the knowledge couldn't seem to 
communicate that knowledge clearly to the newbie ignoramus (me).

If I were genuinely lazy and hadn't read a single doc file, then maybe
there would be a legitimate complaint that I should 'go read docs', but I 
indicated right up front that I had read docs, searched archives and so 
on. I was hoping someone would say "did you look in the doc/README" or 
something similar that would point me to the doc with the information that 
I needed. But it didn't happen. (sigh)


But if people (particularly Mr. DeKok) are going to have this attitude 
that amounts to "we tried to help but you ignored us" then I think that 
serves no one. The next person along with the same lack of comprehension 
will be no better helped than I was. But if the people with the knowledge 
admit that their 'help' did not suit the target audience, and that it 
needs to be clearer and more specific, then future inquiries like mine 
will be met with a clearer and helpful response.


That's what I hope for. That people who mean to help really do help.
I have my answer. My problem is solved. I can just walk away. But that 
doesn't help the next person who falls over the same shortfall in the old 
docs. If nothing else, I will be here to help them if I see their post. :)


- Charles


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-14 Thread Charles Gregory

On Sun, 14 Jun 2009, Alan DeKok wrote:

Charles Gregory wrote:

Five or six huh? Quote them.

 1) Read my messages.


That's rich coming from you.

  The text you *deleted* pointed you to documentation for the 
"users" file, and the SQL module.


Speaking of 'not reading' didn't you catch my comment that the users file 
and its documentation contains NOTHING about exec? So the 'option' may 
have been offered, but of course, I was talking about options that had the 
faintest chance of pointing me in the right direction.


As for SQL, it's utterly irrelevant. Writing the script is not my issue.
I just needed to find the right syntax to call it.


 2) See the examples in the "users" file.  It contains MANY examples
of setting values for attributes.


Well, let's pretend for a moment that the information is actually in the 
users file or its docs, care to quote where someone said "the instructions 
for 'exec' are in the users file"? Oh, and this makes #1 and #2 the same 
advice. Repeating bad advice is not five or six OPTIONS.



 The *hope* is that readers can put 2+2 together.  i.e. the "exec"
 module does NOT contain documentation about how to configure all of
 the other modules


Actually, the flaw I've noticed is that it *partially* contains just 
that. If it had no example of usage at all, but just how to 'code' it, I 
would have then started looking for another file where it was 'used'.



 3) buy support.


Oh ho! So sarcastic screw-me-if-I-don't-want-to-pay is an option?
Nice one. I think I'll be charitable and give you this one. But it's 
really not something I could type into a config file, is it



 4) upgrade to 2.x.


I said you could skip that one. But I can tell you're struggling to back 
up these ludicrous statements you keep making, so I'll forgive you.



 5) install 1.0.x from *source* and look at the examples you were told
to look at.


Uh, actually, I thought of *that* one on my own after people kept 
insisting that #2 should have helped. And really, it's not another 
'option' for me to try, it was just helping me find #2. And it wasn't 
suggested I try the source until AFTER I had figured it out on my own.



OH, and as a side note, I just double-checked the 'users' file and the
users man page, and NEITHER of them contain the word 'exec' ANYWHERE in
any context or usage. So WHERE exactly was I supposed to find the
instructions to do what I wanted to do?

 The "exec" module.


Well, let's look for the documentation for the exec module.
r...@york/data/temp/freeradius-1.0.1/doc> ls -a
.  MACOSX rlm_digest
.. Makefile   rlm_eap
00-OLD misc-nas   rlm_fastusers
aaa.txtmodule_interface   rlm_krb5
Acct-Type  OS2rlm_ldap
ascend performance-testingrlm_pam
Autz-Type  Post-Auth-Type rlm_passwd
bayprocessing_users_file  rlm_python
bugs   proxy  rlm_sim_triplets
ChangeLog  RADIUS-LDAP.schema rlm_sql
cisco  RADIUS-LDAPv3.schema   rlm_sqlcounter
coding-methods.txt RADIUS-SQL.schema  rlm_x99_token
configurable_failover  radrelay   Session-Type
CVSREADME Simultaneous-Use
CYGWIN release-method.txt supervise-radiusd.txt
DIFFS  rfctuning_guide
duplicate-usersrlm_attr_filtervariables.txt
ldap_howto.txt rlm_dbm

OH well I guess when I was asking someone to help point me in the 
right direction maybe I was just asking if someone could tell me WHICH of 
these files contains that exec module description. The README file 
contains descriptions for 'exec-program'. I suppose *that* would have 
sufficed. Though again, with the warnings about it being deprecated, I 
preferred to use the exec module.


Did you *really* think that there was an attribute called 
"Attribute-Name", as suggested in the comments for the exec module?


Oh yes, absolutely! I take everything I read absolutely literally 100%.
How could you think anything else? Uh, unless of course you read my 
attempted syntax in my first posting. Oh wait you did, you're just
trying to be funny... or something

  But you *didn't* put 2+2 together, and edit the *users* file 
examples containing Session-Timeout to use the same `%{exec:..` text.


The users file does not contain any examples of *executable* code.
Not objecting to this clever use of the file, but for an old programmer 
conditioned to keep his data and his code separate, and an obvious 
'section' in the radiusd.conf to defin

Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-14 Thread Charles Gregory

On Sun, 14 Jun 2009, Alan DeKok wrote:

Charles Gregory wrote:

No, I'm offended that you can say things like you have "NO IDEA" when
clearly anyone who read my first post would know what I was asking.

 Yes, but you were given 5-6 options for solving the problem.


Five or six huh? Quote them. Paraphrase them. And don't just lamely say 
"check the archives" because I did that when I double-checked that you 
'had no idea'. I've been up and down this thread a few times now. And 
there is NO posting with clear code like the one I posted in my 'solved' 
post Just pedantic demands I upgrade, and vague "look at the docs".


OH, and as a side note, I just double-checked the 'users' file and the 
users man page, and NEITHER of them contain the word 'exec' ANYWHERE in 
any context or usage. So WHERE exactly was I supposed to find the 
instructions to do what I wanted to do? Yes, yes, version 2.x But 
given my constraints, 'read the docs' was utterly useless.


I await your QUOTE of '5 or 6' options. I'll presume one of them was to 
upgrade to 2.x so you can skip that one



 As a result, I have *no* idea what you were trying to do.


Oh, so now it's a word game. You knew what I was trying to do but confused 
by the manner in which I was trying to do it? Didn't that clue in the big 
expert that someone had badly misinterpreted the documentation and was 
trying to do something WRONG and should have been told how to do it 
right? Did it occur to you that at the start of this thread I had never 
heard of 'wait program exec'? It's not mentioned in my users file docs.

Was that ever in version 1.x? I wouldn't know.

If you were trying to solve the problem you *claimed*, the existing 
documentation and examples should have been sufficient.


THEY WEREN'T. That's the whole point. I was asking for MORE. Examples.
A working script and config that did what I wanted. If someone asked this 
question now, I would post my half dozen lines from my config, saying, 
this is one way to do it and be DONE.


Instead, it was clear that you were trying to do nearly everything 
*except* follow the suggestions on this list, or the examples and 
documentation shipped with the server.


WHICH examples? NAME THEM. I only found ONE after John (?) pointed out I 
was missing a file. And even that one uses a method that is described as 
deprecated in the code.


Look, you want to dance this dance, I'm game. But you are going to have to 
face the fact that (1) I'M NEW AT THIS, so don't presume I have that 
benefit of context. (2) The documentation in 1.x was obviously 
inadequate, so saying 'look in the docs' is utterly useless unless somehow 
you expected me to read every single doc file in HOPES of finding the one 
file that describes exec.


Really, why weren't the docs in the radiusd.conf or users documentation?
You say you wrote this stuff. How could you leave something out (and then 
act like it was always there and I failed to read it)?


- C


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-13 Thread Charles Gregory

On Sat, 13 Jun 2009, Alan DeKok wrote:

and yet you're frustrated that I'm explaining the *reasons* behind my
opinions.


No, I'm offended that you can say things like you have "NO IDEA" when 
clearly anyone who read my first post would know what I was asking.

It's one step short of outright *lying* to win your arguments.

Oh, I did spot your name all over the docs. Notwithstanding this 
quirk for bad argument, there's no denying the software itself does
an excellent job. Now that I know how to do what I want to do, it
is working wonderfully. Thanks for that, at least.

- Charles


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-13 Thread Charles Gregory

On Sat, 13 Jun 2009, Ivan Kalik wrote:

. I'm really thinking that CentOS screwed up some documentation

Could be. They might have packaged server core without examples. ..
If you want you can download and unpack your version tarball from the
freeradius site


Just because I am tenacious, I did this, and lo and behold, there is that 
'scripts' directory you mentioned (sigh)



If you are planning on working with certificates you can download the
current version and use routines in raddb/certs to create certificates.


Thanks but my needs are really, really basic. Just a custom timer program 
that I needed to integrate with radius to send that Session-Timeout. 
So all's well that ends well. :)


- Charles


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-13 Thread Charles Gregory

On Sat, 13 Jun 2009, Alan DeKok wrote:

 No... I had NO IDEA what you were trying to do.


I had gotten the impression that you don't read posts thoroughly,
and this only reinforces that perception. My very first post said:

   I've been cruising the archives and pages and don't quite see
   what I am looking for. I am hoping someone can point me to a nice
   simple HOWTO or MAN page for specifying an 'exec' script
   in radiusd.conf that will set the Session-Timeout and return
   it to the NAS.

   I'm thinking:
   Session-Timeout := %{exec:timecalc}

It clearly conveys my intention and my first attempt at code.
So with (dwindling) respect, if you can't get the IDEA from that
then you really are a serious waste of time.

Tell you what. You write me off as another stubborn stupid individual who 
cannot see the 'common sense' in using the latest version of software, and 
I will write you off as someone who cannot appreciate that people who 
installed a piece of software when it was NEW would like to keep using 
that software as long as it fulfills the needs of the system in a stable 
secure fashion. I apologize for my ignorance, but not for sticking with
something that works.

- Charles


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory

On Fri, 12 Jun 2009, Ivan Kalik wrote:

Nothing to give. You already have it in scripts/exec-program-wait.


I do not have a directory named 'scripts'. And the only reference to
'exec-program-wait' is in the comments of 'experimental.conf' as something 
that a 'perl' rlm can 'replace'. I'm really thinking that CentOS screwed 
up some documentation



 #  Attribute-Name = `%{exec:/path/to/program args}`
Notice the complete lack of instruction as to WHERE I would use that
syntax

Well, you don't have to be a genius to figure out where something
like Attribute = value goes.


Well, whatever I needed to be, I'm not. (weak grin)
Does executable syntax belong in the users file?
Or is there some other place in the radiusd.conf that is obvious
to you but not to me?


... simply listing module name in the configuration (like you have
"discovered") also works - just like with any other module.


(nod) As I said, something *else* was preventing it from functioning
the first time I tried it... (sigh)

Go and read the example script included with the server and then come 
back and eat your words.


WHAT # "EXAMPLE SCRIPT"? And if someone finally tells me where it 
is (in vers. 1.x) then why should I eat my words for getting the thing I 
kept ASKING for?


You know, I won't call this whole thing *your* fault if it turns out that 
CentOS put in a crippled installation missing examples


But it ain't mine either

- Charles


Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory


Well, keeping in mind that this is now a philosophical discussion...

On Fri, 12 Jun 2009, Alan DeKok wrote:

Charles Gregory wrote:

I did try to follow the oft-quoted (almost shoved down my throat)
example, right from the comments within the config file
postauth {
   Session-Timeout := `%{exec:/usr/local/etc/timecalc %{User-Name}}`
}

 No... that won't work.  The examples given to you weren't like that.


Well, firstly, no one *gave* me 'examples', they said just to look in my 
radiusd.conf, and secondly, yes, it's exactly 'like that':


#  put 'exec' into the 'instantiate' section.  You can then
#  do dynamic translation of attributes like:
#
#  Attribute-Name = `%{exec:/path/to/program args}`
#
#  The value of the attribute will be replaced with the output

Notice the complete lack of instruction as to WHERE I would use that
syntax Both in the comments AND from you, I might add


 No.  The 2.x documentation describes how it's used, and where it's
used.


What part of "I'm using 1.x" did you not get? If nothing else, this 
statement proves that you were wrong to tell me to look in my 1.x config 
files for the documentation which you now say is only in the 2.x files.



 Even in 1.x, the radiusd.conf file contained an example module "echo"
that did this.


And its 'example' of usage was:

#  This is a more general example of the execute module.
#  This one is called "echo".
#
#  Attribute-Name = `%{echo:/path/to/program args}`
#
#  If you wish to execute an external program in more than

So there again is this "usage" that gives no hint of WHERE it is used.
Certainly not in the sections of radiusd.conf where the newbie (me)
would expect commands to go. You know, a post-auth command in the 
post-auth section. I get the feeling that this comment is a holdover 
from some earlier version of FR where the *only* place one could assign 
attributes was in the user file, or something like that, so there was no 
'need' to define where syntax like that was used (shrug)



 While the documentation isn't perfect, a lot of this *is* documented.
And a lot of the unhelpful answers on this list are instructing people
to read the documentation.


And so, hopefully after posting all this garbage yet again, and quoting, I 
hope sufficiently, you can see that I *did* read all the comments in the 
config file, and what you THINK is there really is not there.


- Charles


Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory



 Sure.  We'll wait.
 Alan DeKok.


(smile)



SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory

On Fri, 12 Jun 2009, Ivan Kalik wrote:

Work what out?


Finally got my 1.x Session-Time script working (as an exec module). The 
really strange thing is that it is working *exactly* as I first thought
I should be doing it!!! (see below) I can only guess that somewhere along 
the way I had a linux permissions issue with scripts or files, and 
those got fixed while I was changing things and testing


Here's how it works for me:

I define the exec instance named 'timecalc'
(I've line-wrapped the program line that belongs all on one line)

  exec timecalc {
 wait = yes
 program = "/usr/local/etc/radius_timecalc
%{NAS-IP-Address}:#%{NAS-Port}:%{Service-Type}:%{User-Name}:
%{Framed-IP-Address}:%{Connect-Info}:%{Calling-Station-ID}:
%{Called-Station-ID}"
 input_pairs = request
 output_pairs = reply
  }

Note that the 'packet_type:' has NOT been specified. That
may have been one of the things blocking execution

I then coded the command to execute it in post-auth

  post-auth {
 timecalc
  }

The 'timecalc' perl script prints "Session-Time := 200\n" to standard output. 
And I made sure the script was group-executable by the radius user.


Yes, that simple. Could have sworn I tried that combo already.

WHAT DID NOT WORK:

I did try to follow the oft-quoted (almost shoved down my throat) example, 
right from the comments within the config file


postauth {
   Session-Timeout := `%{exec:/usr/local/etc/timecalc %{User-Name}}`
}

 but I kept getting this:
ERROR: Cannot find a configuration entry for module "Session-Timeout".

So I'm not sure why this syntax is offered up as "what to use". At the 
very least, perhaps the instruction is missing on WHERE to put that code.

I would think a module should somehow be called in the appropriate section
of the config file, as I've finally done it, but maybe the above syntax 
belongs somewhere else, like in the users file?


And sorry, but that thread about 'refresh variable after exec module'
did not actually contain any clear syntax examples. It appears *his* 
solution was to use 'wait-program-exec', which, according to what I
read, is a really old/deprecated way of doing things. And I *knew* that
I could do what I wanted to do. It was just figuring the syntax and
getting it right :)

So there you have it. And I thank the people who were doing their best to 
help me out, but really, if someone had just posted "try this" and the two 
sections of code at the top of this post, I would have *known* that was 
what was *supposed* to work, and would have looked for whatever permission 
bug was obviously the true culprit. As John rightly points out, the exec 
engine hasn't changed in a long time, so version level made no difference. 
It was just a matter of getting things right.


I hope this summary benefits others with CentOS or FreeRADIUS 1.0.x...

- Charles
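
An added sketch, not code from this thread or from the FreeRADIUS project, of a program that an exec instance like the 'timecalc' one in the post above could run: it parses the colon-joined argument from the 'program' line, checks the caller-supplied User-Name before using it as a lookup key, and prints one reply pair. The quota table, the 4-hour cap and the username pattern are assumptions; it emits Session-Timeout, the attribute the thread set out to return, and never emits 0 because a zero timeout is described elsewhere in the thread as an unlimited session.

```python
#!/usr/bin/env python3
"""Added example: a program for an exec instance with wait = yes and
output_pairs = reply. It is not the poster's perl script."""
import re
import sys

# Field order copied from the 'program' line in the post above.
FIELDS = ("nas_ip", "nas_port", "service_type", "user_name",
          "framed_ip", "connect_info", "calling_station", "called_station")

# Constructed sample data: seconds of online time each user has left.
QUOTA_SECONDS = {"alice": 5400, "bob": 0, "carol": 90000}

MAX_SESSION = 4 * 3600   # assumed site policy: cap a single call at 4 hours
MIN_SESSION = 1          # never 0: per the thread, 0 means "no timeout"

# Assumed username policy. User-Name reaches this program from the dial-in
# caller by way of the NAS, so it is validated before it is used as a key.
USER_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def parse_request(arg):
    """Split the single colon-joined argument into named fields.

    A value that itself contains ':' changes the field count and is
    rejected rather than guessed at.
    """
    parts = arg.split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    req = dict(zip(FIELDS, parts))
    # The post's program line writes the port as '#%{NAS-Port}'.
    req["nas_port"] = req["nas_port"].lstrip("#")
    if not USER_RE.fullmatch(req["user_name"]):
        raise ValueError("rejected User-Name")
    return req


def session_timeout(remaining):
    """Clamp the remaining quota into [MIN_SESSION, MAX_SESSION]."""
    return max(MIN_SESSION, min(int(remaining), MAX_SESSION))


def reply_pairs(arg, quota=None):
    """Return the text radiusd reads from stdout as reply attributes."""
    quota = QUOTA_SECONDS if quota is None else quota
    req = parse_request(arg)
    # Unknown users get no quota, which becomes the 1-second minimum.
    remaining = quota.get(req["user_name"], 0)
    return "Session-Timeout := %d\n" % session_timeout(remaining)


def main(argv):
    try:
        sys.stdout.write(reply_pairs(argv[1]))
    except (IndexError, ValueError) as err:
        # Print no pair for malformed input; report on stderr only.
        sys.stderr.write("timecalc: %s\n" % err)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```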


Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory

On Fri, 12 Jun 2009, Alan DeKok wrote:

 The CentOS people answer questions about CentOS on the CentOS mailing
list.  That is the limit of their support.
 Similarly, the FreeRADIUS people answer questions about FreeRADIUS on
the freeradius-users list.


What do you mean by "people"? What *I* mean is not just the developers and 
volunteers, whose time is often quite precious, but the many USERS who 
have the package installed on many different systems. THAT is the strength 
of open source. All of *us* banding together. I don't just come to these 
groups asking questions. I answer them. You better believe that if I 'work 
it out for myself' I will be coming back to this list with a howto and 
examples for any other 1.x user who runs into the same situation that I 
have.


- Charles


Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory

On Fri, 12 Jun 2009, John Dennis wrote:
BTW, the philosophy of RHEL (why it's "older"), the philosophy of Fedora (why 
it's bleeding edge) and CentOS is explained on the FreeRadius FAQ under Red 
Hat (http://wiki.freeradius.org/Red_Hat_FAQ). It's incumbent upon you when 
selecting an OS to install to comprehend the associated issues of that 
choice.


Firstly, thank you for the very thoughtful and well-worded reply.
Sadly, the problem I am complaining about here is that so many people
spend so much time providing answers like this one you gave, when I
ALREADY HAVE THAT ANSWER. I'd already read all the FAQ's, and so on.

I quoted your above paragraph because it is central to my thinking.
I made a CHOICE. I was constrained by budget to 'free' software.
But I could have still chosen Debian or another 'newer' OS.
I CHOSE CentOS for its *simplicity* and stability. I KNEW I was also 
choosing to have fewer/older features. I had (and have) the option to 
upgrade if it is necessary. But where possible, I try to work within the 
'basic' framework of this easily understood 'basic' OS and environment, 
so that for potential future volunteers life will be simpler. I really 
believe that the problem here is my understanding of FreeRADIUS. It is 
NOT a 'shortcoming' of version 1.x (at least I can't imagine why it would 
be). All I need is a bit of advice or a pointer to a 1.x-specific 
FAQ/howto.


So if I have any legitimate complaint against the "FreeRADIUS team" it is 
only that with versions so 'close together' in time, there really should 
either be a repository of documents applying to 1.x (similar to how Apache 
maintains its separate document trees for 1.x and 2.x), or in the 'main' 
documentation, there 'should' be those little footnotes that say "applies 
to 2.1 and later" in the descriptions of commands. I put 'should' in 
quotes, because I recognize that sometimes volunteers don't have time to 
do these things, and I always try not to sound like I'm 'demanding' on
the time of other volunteers.

But yes, John, I *knew* what I was choosing. This is one reason I get so 
incensed by people who clutter a group with replies that tell me I made a 
bad choice. Not that their opinions 'hurt' me directly, but I am concerned 
that people are hanging on the fringes, and perhaps have an answer to my 
questions, but they see an 'official-sounding' response, and maybe they 
think they're not "supposed" or "allowed" to answer questions about 
earlier versions.. Sounds silly, I know, but people are like that. :)


Thank you John!

- Charles




Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory

On Fri, 12 Jun 2009, Alan DeKok wrote:

Charles Gregory wrote:
But CentOS is supposedly still a 'supported' OS, so I think it's fair 
to ask simple 'how to' questions for that environment.


 Centos supports their OS.  This list answers questions about FreeRADIUS.


Quite right. CentOS supports their OS, not the component packages. So I 
cannot ask *them* a FreeRADIUS question. They tell me to come HERE.


Now, in the spirit of the sarcasm with which your comment was offered,
I reply, gee, I think I *am* on the wrong list.

I am looking for a FreeRADIUS *USERS* forum. Obviously, with FreeRADIUS 
1.x in wide deployment in RHEL and CentOS there HAS to be a 'community' 
of 1.x users, or at the least a community of FreeRADIUS users who, even 
if they have migrated to later versions themselves, still *remember* the 
basic syntax of a version of FreeRADIUS that they must have been using 
*very* recently (for anyone getting a decent life-expectancy out of 
servers and OS's, three years is 'recent'). I had thought that *this* 
forum would have many people like this. But maybe people only come here 
for 'bleeding edge' stuff. If so, could someone be kind enough to direct 
me to the FreeRADIUS community/forum where 1.x is still discussed and
used?


Everything is easier and better in 2.1.


So, at the risk of sounding like a whiner, why the *HECK* am I stuck with 
something "not easier and better" in a CURRENT release? Why do you LET 
RedHat use the old version if it is so unsupported?


- Charles


Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-11 Thread Charles Gregory

On Thu, 11 Jun 2009, John Dennis wrote:

No you're not stuck with an old 1.x.
See: http://wiki.freeradius.org/Red_Hat_FAQ


Go read the thread "Version... Version..."...

I posted that thread partly in anticipation that when I started to ask 
for help with my 'standard' CentOS FreeRadius, people with the luxury of 
installing from source or other 'bleeding edge' would immediately start 
nagging me about how and where to install new versions.


Begging pardon, but we installed CentOS with a *principle* in mind, to 
have a simple common *base* installation. I see no reason to use a new 
version unless the version I have does not have the features I need. I've 
already got my radius executing one script, so it's not like it doesn't run 
scripts at all. I just need to get the right syntax. So thank you, if you 
don't know the answer to the question. But CentOS is supposedly still a 
'supported' OS, so I think it's fair to ask simple 'how to' questions for 
that environment.


- Charles


Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-11 Thread Charles Gregory


Okay, I'm banging my head up against the expected proverbial wall.
Please remember I'm stuck with old 1.x version. on Centos

I'm trying to get a script to execute and set the 'Session-Timeout'
value. I've defined the script thusly:

exec timecalc {
wait = yes
program = "/usr/local/etc/radius_timecalc %{User-Name}..."
input_pairs = request
output_pairs = reply
# packet_type = Access-Accept
}

(I've tried it with and without the packet_type)

I've tried placing just "timecalc" into the post-auth and 
alternately the auth sections. I don't get any errors,
but the script does not run... (I have the script touch a file
to prove it runs, and it doesn't happen).

I tried using the syntax:
 update reply {
 timecalc
 }
And also tried:
 update reply {
  Session-Time := "200"
 }

and got 'rcode' errors under post-auth and 'syntax' errors in auth.
I might have missed a magic combination.

Anyone care to tell me the exact syntax for making this script run
on an access-accept?

- Charles


Re: [rad] Re: Change of Authorization (RFC 3576 / 5176)

2009-06-11 Thread Charles Gregory

On Thu, 11 Jun 2009, Ivan Kalik wrote:

http://freeradius.org/rfc/rfc2869.html#Acct-Interim-Interval


Interesting, but I agree I don't like the bandwidth implications.
I would only have used them if they were already occurring by default.

You would normally use radius *client* to send CoA for administrative 
event (like this one).


I read about that, but it requires that I have radius 'track' accounting
sessions. A layer of complexity that doesn't justify the occasional use.

Thanks for the help!

- C


Re: [rad] Re: Change of Authorization (RFC 3576 / 5176)

2009-06-11 Thread Charles Gregory

On Thu, 11 Jun 2009, Fajar A. Nugraha wrote:

If I'm reading Alan's post correctly, freeradius supports CoA packets,
but you need to write your own rule/policy to send it. For
over-bandwidth scenario, the rule should be while examining
interim-update acct packets...


I've never heard of these... How often are they sent to a radius server 
during a dialup call (AS5400)? Into what section could I put a script so 
that it triggers only on interim updates? I wouldn't mind being able to 
dynamically extend a caller's session if they buy more time online


- Charles


Version... version...

2009-06-06 Thread Charles Gregory

Hello all!

On Fri, 5 Jun 2009, Tim Sylvester wrote:

You should use the latest version of FreeRADIUS...


Not picking on Tim or freeradius in particular, but when I post to various 
lists looking for advice on various pieces of software, I often run into 
the advice to upgrade to the latest version, instead of sticking with the 
default version that comes with CentOS. It makes sense. Sometimes the 
desired feature or solution to a bug is in the newer version.


BUT I have a question then: As per the FAQ's, if there is a critical bug 
in my CentOS version of software, it will still be patched ('back 
ported'), and it will get automatically updated by running the 'yum 
update' function. So, if I manually upgrade to the latest (just for 
example) freeradius, then will yum continue to update this new software 
with patches and bug fixes? My first feeling is that the answer is 'no' - 
once I install the new version I will thereafter be responsible for 
manually keeping 'watch' for bug fixes and updates.


So unless I'm wrong, and yum can/will track updates on a new version of 
software, then it makes more sense to stay with the 'supported' version, 
even if it is a bit (or very) old. Yes? No?


Thanks as always.

- Charles


Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-05 Thread Charles Gregory

Hello again!

Sorry, maybe I should take 'pseudo' out of the subject line...
Firstly, MY BAD. I forgot to post that I'm on CentOS 4, and therefore
limited to whatever syntax applies to "freeradius-1.0.1-3.RHEL4.5"
Hopefully what I want to do is so 'basic' it doesn't change :)

Secondly, anyone noticed that the basic MAN pages are hard to find on the 
website? I happened to click the link to 'modular' on the home page and 
found a link to man pages at the bottom of that page. So at least now I 
can see the full list of manuals and start to RTFM. :)


On Thu, 4 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote:

I'm thinking:
Session-Timeout := %{exec:timecalc}

pretty much


Actually, I can't find a good working example from which to lift
the exact syntax. Is the above correct? Should I use back ticks?
I really don't want hand-holding, but sometimes a good working sample
is worth a thousand posts. :)


 you need to set this via the update reply style as
recently posted several times this past month to the list


(nod) Found the posts... thanks...


post-auth section - that's where you should set any return details


(nod) Good point. Thanks. Said I was newb. :)


Hmmm. While I'm here, if I set Session-Timeout to ZERO, what will happen?

;-)  it should mean there is no session timeout (ie infinite session)


(smack forehead) Didn't think of that. But I can set a timeout of one 
second and that will do the job of dropping someone who is out of time. 
Probably better that way so that they don't get a message that their 
userid and password are invalid.


Or is there a reply item that a Cisco AS5400 would pass on to the
dialing (probably) Windows PPP and have it display a meaningful
"you are out of time" message to the user during auth?
(Dare I dream? LOL)

Thanks.

- Charles


pseudo-newbie exec scripts and session-time

2009-06-04 Thread Charles Gregory

Greetings!

I've been cruising the archives and pages and don't quite see
what I am looking for. I am hoping someone can point me to a nice
simple HOWTO or MAN page for specifying an 'exec' script
in radiusd.conf that will set the Session-Timeout and return
it to the NAS.

I'm thinking:
Session-Timeout := %{exec:timecalc}

Or something like that. Also, where exactly should this go in the
'authorize' section? I'm presuming at the end, but have found no
examples

Our dialups have a couple of different time parameters, including
a user-option file, so while I appreciate any info on the radius
'counter' function, I don't think it will meet all my needs.

Hmmm. While I'm here, if I set Session-Timeout to ZERO, what will happen?

Thanks in advance!

- Charles