Group Expiration Date

2008-06-03 Thread CoMeC
Hi,

I was trying to find an answer to my question, but without success.

I wanted to ask if it is possible to set an expiration date for a group, so
that all users in this group won't get access after the expiration date?

Expiration works for a single user (as a radcheck table attribute), but
when I enter it in radgroupcheck, it doesn't work.

Am I making a mistake somewhere, or is it just impossible?
Are there any other solutions?

Please let me know, or send me any link where I could get that information.

Best regards,

CoMeC

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with authentication

2007-12-13 Thread CoMeC
Hey,

I am not sure, no specialist, but try to make this query in your mysql:

SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username =
'test-user' ORDER BY id

Make sure that your mysql server/login/password/database are correct.
Take a look at how your password is handled... clear-text or what?

Maybe that will help you,

Best regards,

CoMeC


On Thu, 13 Dec 2007 16:33:07 -0300, Pablo Lucchetti [EMAIL PROTECTED]
wrote:
> Hi,
>
> I have FreeRADIUS on Debian Etch with MySQL, but when I'm trying to
> test with NTRadPing I always get the same error.
> The user already exists in the database.
>
> rad_recv: Access-Request packet from host 192.168.1.109:4027, id=2,
> length=49
> User-Name = test-user
> User-Password = test-pass
> rlm_sql (sql): Reserving sql socket id: 4
> rlm_sql (sql): SQL query error; rejecting user
> rlm_sql (sql): Released sql socket id: 4
> Sending Access-Reject of id 2 to 192.168.1.109 port 4027
>
> Any help please?
>
> Thanks in advance,
> Pablo


MAC or user auth

2007-12-12 Thread CoMeC
Hi,

I am trying to configure such a solution:

Authorization via MAC Address (with no username required) - if the machine
is using a valid IP Address, it is automatically allowed to surf.
(I know there is a Calling-Station-id attribute in radcheck)


But I also need support for username/password authentication (via WWW)
too.

When I try to log in only with MAC, I get a Radius response no username,
and the machine is denied.

How/where in radiusd.conf can I make changes?

Thx in advance,

Best regards,

CoMeC



RE: MAC or user auth

2007-12-12 Thread CoMeC
Ok,

Sorry for the insufficient information. :)

For the two authentication methods there will be 2 separate NAS (one for
username/pass auth and one for MAC auth)

As NAS I will use Mikrotik routers.

The thing is
- router will lease a DHCP Address to a client's machine.
- router sends Calling-Station-id Attribute in Access-Request, so I know
the client's MAC


In radcheck I have for example a user John with attribute
Calling-Station-id := MAC
I would like freeradius to ignore username and only check table for MAC.
If it finds a valid MAC, then it knows that the user is John and it can
send an Access-Accept with parameters.

I know that radius can authenticate a Username with MAC.
But how do I make radius ignore the username?

So, if Radius finds no Calling-Station-id:=MAC attribute, and it has got
Username, then it has to authenticate user using username and password. :)

Is it possible? And if not would you advise me another solution?

Thanks,

Best regards,

CoMeC :)



On Wed, 12 Dec 2007 13:13:34 +0100, Edvin Seferovic
[EMAIL PROTECTED] wrote:
> > Authorization via MAC Address (with no username required)
>
> This is being done by your NAS! Username is usually the MAC address.
>
> > if the machine is using a valid IP Address, it is automatically allowed
> > to surf.
> > (I know there is a Calling-Station-id attribute in radcheck)
>
> IP address has to be given by DHCP or your NAS. FreeRADIUS has nothing to
> do with the firewall rules (NAT etc).
>
> > But I also need support for username/password authentication (via
> > WWW) too.
>
> This also depends on your NAS!
>
> > When I try to log in only with MAC, I get a Radius response no
> > username, and the machine is denied.
>
> Run freeradius in debug mode (freeradius -X) and see what attribute is
> used for MAC address and use it as i.e. username.
>
> You should send us more information about your NAS. Nobody will be able
> to help you in other case.
>
> Regards,
> E:S
 


Re: MAC or user auth

2007-12-12 Thread CoMeC
Ok,

thanks, 

so in radreply I have to use:

some-mac-address   Attribute  Op  Value

?


Thx,

CoMeC


On Wed, 12 Dec 2007 13:17:41 +0100, [EMAIL PROTECTED] wrote:
> MAC address in mac auth is sent as User-Name not Calling-Station-Id.
>
> So, for mac auth:
>
> some-mac-address   Auth-Type := Accept
>
> For a user:
>
> username   Cleartext-Password := hispassword
>
> Ivan Kalik
> Kalik Informatika ISP
 
 

Re: MAC or user auth

2007-12-12 Thread CoMeC
Thanks,

What I meant with radreply is the fact that when the MAC user is
authenticated by RADIUS, Radius should send for example bandwidth values.
So I need to have those
some-mac-address   Attribute  Op  Value
in radreply table. Am I wrong?

All I want to achieve is:
I would like to have Abo-Users (time limitation for one month), with
specified bandwidth parameters.
The thing is that users can have more computers. That is why I would like
to authenticate those computers with MAC, but they should work
simultaneously using together specified bandwidth. (there is a simultaneous
option :) )
Practically: one billing user with specified bandwidth, but with no
computer limitation, and with no user/password authentication at the same
time.

Only for real hotspot users, there will be a user and password. But it will
be handled by another NAS.

Everything will work with the use of Mikrotik routers :)

Any other possibilities to solve that problem? :)

Best regards,

CoMeC


On Wed, 12 Dec 2007 14:17:10 +0100, [EMAIL PROTECTED] wrote:
> No, radcheck.
>
> 1. Enable mac auth in hotspot profile (login-by=mac) - mac address will
> be checked first, if there is no match user will be sent to the login
> form
>
> 2. For mac addresses make such entries in radcheck:
>
> UserName   Attribute  Op  Value
> some-mac-address   Auth-Type   :=   Accept
>
> 3. For users make standard radcheck entries:
>
> UserName   Attribute  Op  Value
> someuser   Cleartext-Password   :=   somepass
>
> Ivan Kalik
> Kalik Informatika ISP
 
 
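One way to check that a radcheck table follows the scheme in the steps above (MAC entries get Auth-Type := Accept, named users get a password attribute). This is an added example, not code from the thread or from FreeRADIUS; the rows are constructed, the helper names are hypothetical, and the MAC format accepted by the regular expression is an assumption about how the NAS writes addresses.

```python
import re
import sqlite3

# MAC as colon- or hyphen-separated hex pairs (assumed NAS formatting).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")

# Constructed sample rows: (UserName, Attribute, op, Value).
SAMPLE_ROWS = [
    ("00:11:22:33:44:55", "Auth-Type", ":=", "Accept"),
    ("someuser", "Cleartext-Password", ":=", "somepass"),
    ("guest", "Auth-Type", ":=", "Accept"),
    ("olduser", "Simultaneous-Use", ":=", "1"),
]

def load_radcheck(rows):
    """Build an in-memory radcheck table with the columns used on this page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT,"
               " Attribute TEXT, op TEXT, Value TEXT)")
    db.executemany("INSERT INTO radcheck (UserName, Attribute, op, Value)"
                   " VALUES (?, ?, ?, ?)", rows)
    return db

def names(db, where):
    """Return UserName values matching a fixed, code-supplied WHERE clause."""
    sql = f"SELECT UserName FROM radcheck WHERE {where}"
    return {row[0] for row in db.execute(sql)}

def audit_radcheck(db):
    """Flag entries that break the 'MAC -> Accept, user -> password' scheme."""
    accept = names(db, "Attribute = 'Auth-Type' AND Value = 'Accept'")
    has_pw = names(db, "Attribute LIKE '%-Password'")
    findings = []
    for user in sorted(names(db, "1 = 1")):
        is_mac = MAC_RE.match(user) is not None
        if user in accept and not is_mac:
            # Any password would be accepted for this login name.
            findings.append((user, "accepted without a password, not a MAC"))
        elif not is_mac and user not in has_pw:
            findings.append((user, "no password attribute"))
    return findings

if __name__ == "__main__":
    for user, problem in audit_radcheck(load_radcheck(SAMPLE_ROWS)):
        print(f"{user}: {problem}")
```
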

Re: MAC or user auth

2007-12-12 Thread CoMeC
Hi,

thanks for a hint.

I do not know detailed possibilities of that thing. Only theoretically... I
will get the router next week and I will start some tests...
I will let you know what I will find out! :)

Bandwidth aspect is important, but not critical.
It is important to make it easy to manage. I would like to know what
possibilities I have, so I could integrate everything in my actual
billing/management system.

I try to understand the possibilities of groups and how I can use them to
efficiently manage my clients...

Thx,

Best regards,

CoMeC

On Wed, 12 Dec 2007 22:10:55 +0100, [EMAIL PROTECTED] wrote:

> > Everything will work with the use of Mikrotik routers :)
>
> I would seriously doubt that. In order to limit aggregate bandwidth on
> multiple connections you need either to add them into a bundle (I don't
> think that Mikrotik supports multilink) or put the user in a VLAN and limit
> bandwidth on that (virtual) interface (I am quite sure that Mikrotik
> doesn't support dynamic VLAN assignment via radius).
>
> With simultaneous logins aggregate bandwidth will be the sum of
> individual ones.
>
> Ivan Kalik
> Kalik Informatika ISP
 


Re: sqlcounter, counting data and large amounts of it

2007-12-12 Thread CoMeC
Hey,

I don't know if I understand everything correctly, but just take a look at
this:

http://wiki.freeradius.org/index.php/FAQ#Why_do_Acct-Input-Octets_and_Acct-Output-Octets_wrap_at_4_GB.3F

Maybe that is the solution.

Are you using Mikrotik? Any issues? 
I am going to use it too, so I am very curious! :D

Best regards,

CoMeC

On Thu, 13 Dec 2007 15:55:00 +1300, Russell Tester
[EMAIL PROTECTED] wrote:
> Hi All,
>
> I am new to the freeradius list but have been running freeradius for
> some time. We are changing the way we do some of our accounting here and
> have a requirement to provide users with monthly prepaid cards for
> specific data values, namely 1, 5 and 10GB.
>
> I have no problems making the pass timeout after the month, that bit is
> fine using the expiration check value.
>
> Where I am faced with a problem is telling the nas about (we use
> Mikrotik's) and counting above the hair pulling 4GB boundary.
>
> An example of my sqlcounter is below, this works perfectly fine anywhere
> up to 4GB, note that I run two of these one for up and one for
> downloaded data. Not 100% accurate in terms of the user could
> theoretically get the max amount of data up and down from their first
> session but accurate enough for us for now. I believe Mikrotik v3 has a
> Total-Limit attribute which will fix this when it's released.
>
> sqlcounter prepay-data-down {
>   counter-name = Max-All-Session-Data
>   check-name = Max-All-Data
>   reply-name = Mikrotik-Recv-Limit
>   sqlmod-inst = sql
>   key = User-Name
>   reset = never
>   query = SELECT SUM(AcctInputOctets) + SUM(AcctOutputOctets) FROM radacct WHERE UserName='%{%k}'
> }
>
> Two problems exist with this setup:
>
> 1. When I specify a larger than 4GB value in radcheck I get an
> Access-Reject.
> 2. I have no way to send the equivalent gigawords attribute to the NAS
> as well, I believe I need to send both the Mikrotik-Recv-Limit and
> Mikrotik-Recv-Limit-Gigawords values.
>
> I have spent some time playing myself and have managed to send the
> gigawords attribute by using another sqlcounter, and another radcheck
> attribute for gigawords, but get lost somewhere in the middle of
> checking both the gigawords and octets values against the radacct data
> and getting a sensible reply from them.
>
> The other question I have relates to the action the sqlcounter performs
> when the limit is reached. Is there any way to modify the reply
> attribute that gets passed to the nas when the limit is reached? Either
> by changing the reply message, or passing say a rate-limit value to the
> NAS to throttle the user.
>
> Any help to get this working, or examples of existing setups would be
> greatly appreciated.
>
> Cheers,
> Russell Tester
 
 
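RADIUS integer attributes are 32 bits wide, so a byte count above 4 GB has to be carried as an octets/gigawords pair, which is what the two problems in the quoted message come down to. The following Python is an added example, not code from the thread or from FreeRADIUS: the function names and session records are constructed for illustration, and it shows a quota larger than 4 GB being compared against accounting totals and split into the Mikrotik-Recv-Limit / Mikrotik-Recv-Limit-Gigawords pair named above.

```python
GIGAWORD = 2 ** 32  # one gigaword = one wrap of a 32-bit octet counter

# Constructed accounting records:
# (in_gigawords, in_octets, out_gigawords, out_octets) per session.
SESSIONS = [
    (0, 3_000_000_000, 0, 200_000_000),
    (1, 500_000_000, 0, 100_000_000),   # input counter wrapped once
]
QUOTA_10GB = 10 * 1024 ** 3

def total_octets(gigawords, octets):
    """Combine a gigawords/octets attribute pair into one byte count."""
    if gigawords < 0 or not 0 <= octets < GIGAWORD:
        raise ValueError("octets must fit in 32 bits, gigawords must be >= 0")
    return gigawords * GIGAWORD + octets

def used_octets(sessions):
    """Sum input and output traffic over all accounting records."""
    return sum(total_octets(ig, io) + total_octets(og, oo)
               for ig, io, og, oo in sessions)

def limit_reply(quota, used):
    """Return the reply pair for the remaining quota, or None if used up."""
    remaining = quota - used
    if remaining <= 0:
        return None  # caller decides: reject, or reply with a throttle
    high, low = divmod(remaining, GIGAWORD)
    return {"Mikrotik-Recv-Limit-Gigawords": high,
            "Mikrotik-Recv-Limit": low}

if __name__ == "__main__":
    used = used_octets(SESSIONS)
    print("used:", used)
    print("reply:", limit_reply(QUOTA_10GB, used))
```
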


Powerful manager?

2007-12-11 Thread CoMeC
Hi,

Just wanted to ask if you know any freeware/lowcost billing managers for
Radius...
I know Radius Manager - is cool, but does not cover some options.

PhpMyPrepaid seems to be ok, but it has not been developed for a long time.

Any ideas?

Thanks in advance,

CoMeC

