RE: freeradius 2GB problem
Hi,

I've got the same issue. The check_item value wraps to -2G. It gives a negative value with counter = 0 (no traffic from the user). With a value of 200,000 of traffic, check item - counter becomes positive again: -2147483648 - 200,000 > 0, as the result reaches the negative limit. Would this be due to a check_item coded on a 32-bit field (e.g. int), I wonder? The value in the SQL table is an INT(20) and displays correctly with a value of 2G.

David Roze
http://www.netexpertise.eu

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rahul Nakra
Sent: 19 March 2008 13:21
To: freeradius-users@lists.freeradius.org
Subject: freeradius 2GB problem

I am using freeradius 2.0, with the default schema which comes with that. Following is the database entry. It shows a new user who never logged in before. If I give Max-All-Data a value of 2147483646 it works fine. Anything above it doesn't work. Attached is the radius log where it displays a negative value for sqlcounter.

    mysql> select * from radcheck;
    +----+----------+--------------+----+------------+
    | id | username | attribute    | op | value      |
    +----+----------+--------------+----+------------+
    |  1 | rahul    | password     | == | rahul      |
    |  2 | rahul    | Max-All-Data | := | 2147483648 |
    +----+----------+--------------+----+------------+
    2 rows in set (0.00 sec)

sqlcounter --

    sqlcounter usagelimitDOWN {
        counter-name = Max-All-Session-Data
        check-name = Max-All-Data
        reply-name = Mikrotik-Xmit-Limit
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query=select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='%{%k}'
    }

Debug output:

    User-Name = rahul
    User-Password = rahul
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
    +- entering group authorize
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    rlm_realm: No '@' in User-Name = rahul, looking up realm NULL
    rlm_realm: No such realm NULL
    ++[suffix] returns noop
    rlm_eap: No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    expand: %{User-Name} -> rahul
    rlm_sql (sql): sql_set_user escaped user --> 'rahul'
    rlm_sql (sql): Reserving sql socket id: 4
    expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rahul' ORDER BY id
    WARNING: Found User-Password ==
    WARNING: Are you sure you don't mean Cleartext-Password?
    WARNING: See man rlm_pap for more information.
    rlm_sql (sql): User found in radcheck table
    expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rahul' ORDER BY id
    expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'rahul' ORDER BY priority
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    rlm_sqlcounter: Entering module authorize code
    sqlcounter_expand: 'select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='%{User-Name}''
    expand: select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='%{User-Name}' -> select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='rahul'
    sqlcounter_expand: '%{sql:select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='rahul'}'
    rlm_sql (sql): - sql_xlat
    expand: %{User-Name} -> rahul
    rlm_sql (sql): sql_set_user escaped user --> 'rahul'
    expand: select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='rahul' -> select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='rahul'
    rlm_sql (sql): Reserving sql socket id: 3
    rlm_sql (sql): row[0] returned NULL
    rlm_sql (sql): Released sql socket id: 3
    expand: %{sql:select SUM(acctinputoctets+acctoutputoctets) from radacct where UserName='rahul'} ->
    rlm_sqlcounter: (Check item - counter) is less than zero
    rlm_sqlcounter: Rejected user rahul, check_item=-2147483648, counter=0
    ++[usagelimitDOWN] returns reject
    Invalid user (rlm_sqlcounter: Maximum never usage time reached): [rahul/rahul] (from client localhost port 1812)
    Found Post-Auth-Type Reject
    +- entering group REJECT
    expand: %{User-Name} -> rahul
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Reply-Message = Your maximum never usage time has been reached
    Waking up in 4.9 seconds.
    Cleaning up request 0
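The wrap that this thread observes, as an added C example that is not FreeRADIUS code: the program narrows the 2147483648 quota into a signed 32-bit int the way a module that parses its check item into an int would, applies the "(check item - counter) < 0" test with two's-complement wrap, and then shows the same decision done in unsigned 64-bit arithmetic, where the quota fits and no sign wrap is possible. The function names and the narrowing step are this example's own assumptions about the mechanism, not rlm_sqlcounter's actual implementation.

```c
/* Added example, not FreeRADIUS code: reproduce the sign wrap reported in
 * the thread (check_item=-2147483648 for a configured 2147483648) and show
 * a 64-bit comparison that does not suffer from it. */
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Hypothetical parse step: the configured quota ends up in a signed 32-bit
 * int. 2147483648 does not fit; on two's-complement compilers the
 * conversion yields INT32_MIN, which is exactly what the debug log shows.
 * (uint64 -> uint32 is defined; uint32 -> int32 is implementation-defined,
 * two's complement on gcc/clang/msvc.) */
int32_t narrow_check_item(uint64_t configured_limit) {
    return (int32_t)(uint32_t)configured_limit;
}

/* The decision as the thread describes it: reject when
 * (check item - counter) is less than zero. The subtraction is done in
 * uint32_t and cast back so the two's-complement wrap is reproduced without
 * relying on signed-overflow behaviour. With counter = 0 the result is
 * INT32_MIN (reject); with counter = 200000 it wraps to a positive value,
 * so the user is no longer rejected, as David observed. */
int reject_32bit(int32_t check_item, int32_t counter) {
    uint32_t diff = (uint32_t)check_item - (uint32_t)counter;
    return (int32_t)diff < 0;
}

/* Hardened decision: keep quota and counter as unsigned 64-bit values (the
 * INT(20) column already holds the full number) and compare instead of
 * subtracting, so neither overflow nor sign wrap can occur. */
int reject_64bit(uint64_t limit, uint64_t used) {
    return used >= limit;
}

/* Remaining allowance to hand back (e.g. as a reply attribute), saturating at 0. */
uint64_t remaining_64bit(uint64_t limit, uint64_t used) {
    return used >= limit ? 0 : limit - used;
}

int main(void) {
    const uint64_t quota = 2147483648ULL;   /* the Max-All-Data value from the thread */
    int32_t narrowed = narrow_check_item(quota);

    printf("check_item as int32: %" PRId32 "\n", narrowed);
    printf("32-bit, counter=0      -> %s\n", reject_32bit(narrowed, 0) ? "reject" : "accept");
    printf("32-bit, counter=200000 -> %s\n", reject_32bit(narrowed, 200000) ? "reject" : "accept");
    printf("64-bit, used=0         -> %s, remaining=%" PRIu64 "\n",
           reject_64bit(quota, 0) ? "reject" : "accept", remaining_64bit(quota, 0));
    printf("64-bit, used=quota     -> %s\n", reject_64bit(quota, quota) ? "reject" : "accept");
    return 0;
}
```

The two 32-bit calls show why the symptom looks inconsistent: a user with no traffic is rejected while a user with some traffic is let through, which is the signature of a wrapped signed comparison rather than of a genuinely exhausted quota.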
RE: Hello, and a (hopefully) simple question
A trigger on the password field is a workaround. What if he wants to change a user's password, or when it changes back to bring the connection back on? Changing the password is not the right way to reject a connection and everything possible should be done to change the software's behaviour.

David Roze
---
http://www.netexpertise.eu

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Billington
Sent: 25 January 2008 18:58
To: FreeRadius users mailing list
Subject: Re: Hello, and a (hopefully) simple question

Vlad, are the passwords changed _by the billing system_ for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when the billing system changes the password. Better though might just be to have an "Expiry Due?" column added to the users, and then have "if expiry_due AND if password changed, then change usergroup" triggered. You'll have to have a way to keep track of expiration dates and so on.

Vlad, are the passwords changed by the billing system for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when a billing system changes the password. Better though might just be to have an "Expired Yes/No" column added to the users, and then have "if expired AND password changed, then change usergroup" triggered. You'll have to have a way to keep track of expiration dates and so on, but if the renewals are for a standard period (e.g. 12 months) then you could do:

a. if expiry_due and password changed, change usergroup (and hence ip etc.)
b. if expired, password changed already and then password changed again, change usergroup back to normal on the assumption that the billing system has reset the password when payment was received. Reset expiry_due to today() plus 12 months.

Then again I'm probably looking at database level stuff when FreeRADIUS will provide a better way using the many bits of it I don't understand ;-)

Andy

On 25/01/2008, Vlad Sedov [EMAIL PROTECTED] wrote:
> Well, what I'm trying to do is accept the session whether the password is correct or not, but if it's not correct, assign Framed-IP-Address from a different IP pool, so our firewall downstream from the NAS can redirect their HTTP traffic to a payment site.
>
> Vlad
>
> On Jan 25, 2008 11:27 AM, JB [EMAIL PROTECTED] wrote:
>> If it's just a message you want to display, you could use the Reply-Message attribute. Of course, your access controller would have to know how to handle this attribute.
>>
>> JB
>>
>> Marinko Tarlac wrote:
>>> radius will reply whatever you need but you need to tell him what you want. For example, if you're using mysql, when a user account expires you can add him to a specific group, and group attributes you can set in the radgroupreply table (ip pool, tx, rx limit etc.)
>>>
>>> On Jan 25, 2008 6:18 PM, Vlad Sedov [EMAIL PROTECTED] wrote:
>>>> Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply sends back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of being rejected? The idea is to force suspended users through a web proxy that tells them that they have a billing issue, instead of rejecting their connection altogether.
>>>> Any help would be appreciated
>>>> Vlad

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius Clustering
If your NAS supports several Radius servers, I wouldn't do any clustering, but run them in parallel, adding each server's IP in the NAS config. It will detect when a server is unreachable and switch all traffic to other servers. The problem with LVS is you become dependent on your OS. If your NAS does not support multiple servers, I'd go for LVS or Heartbeat.

David Roze
---
http://www.netexpertise.eu

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Baradakis
Sent: 16 October 2007 11:59
To: FreeRadius users mailing list
Subject: Re: Freeradius Clustering

Fred Zinsli wrote:
> I am wanting to know if Freeradius can be clustered? And if so, can someone point me to some documentation on the subject.

I'd suggest to use LVS (Linux Virtual Server) in a direct routing setup. See: http://www.linuxvirtualserver.org/VS-DRouting.html

> I am also wanting to know how to calculate the new specs for the new servers.

Any ordinary PC will do fine. The number of req/s will likely be limited by the backend database.

--
Nicolas Baradakis
RE: Questions on Acct-Interim-Interval
Hi,

-Original Message-
From: [EMAIL PROTECTED] [mailto:freeradius-[EMAIL PROTECTED] On Behalf Of Vinay Wagh
Sent: 02 October 2007 20:47
To: FreeRadius users mailing list
Subject: Questions on Acct-Interim-Interval

> Hi,
> A couple of questions on Acct-Interim-Interval
>
> 1. I wanted to know if the Acct-Interim update that comes from the NAS has any relevance as far as the user session maintained in the radius server is concerned. Meaning, is it treated like a keep-alive of some sort? If the Acct-Interim-Interval is configured to be 100 seconds and the NAS sends the Interim-Update after 200 seconds, does the freeradius server care?

Acct-Interim-Update is an extension to the Radius protocol to make it more robust for people who do accounting. It avoids losing the totality of your session accounting if the stop record gets lost (or the NAS becomes unavailable). Not a keep-alive really...

> 2. What is the typical value of this attribute? I ask because if this value is configured to be small then it will generate a lot of interim updates from a NAS that supports a large number of subscribers. At the same time I am not sure how the service providers who deploy the server use this attribute and how often they want the updates.

Interim updates increase the load on the NAS, especially with a lot of sessions. 100s sounds very short and could impact your authentication performance. I would send every 60 min or more. Anyone's tried below with a lot of subscribers maybe?

> Thanks,
> Vinay

David Roze
http://www.netexpertise.eu
RE: Limit users traffic quota via radius
You can tell the NAS to send accounting updates every so often (every hour for example with "aaa accounting update periodic 60" on Cisco) and calculate the amount of traffic each user has consumed with an SQL query in the Radius database. Another option is to query the NAS with SNMP.

Check this to reset the user's interface with packet of disconnect: http://wiki.freeradius.org/Packet_of_Disconnect

I wrote some articles about this on http://www.netexpertise.eu/en/FreeRadius/index.html

A small script in shell would do what you want...

David Rozé
http://www.netexpertise.eu

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Massimiliano Macrì
Sent: 19 September 2007 15:09
To: FreeRadius users mailing list
Subject: Re: Limit users traffic quota via radius

Hi, so basically all I need is an RFC 3576-compliant radius server and the correct Cisco device-specific VSA? What I do not understand is if:
- the radius checks the quota (but how and how often?) and then pushes the disconnect to the device, or
- the device, once the user is authenticated, gets a profile and then checks the quota with an internal specific process (specified by a VSA), with the action after the threshold.
I'm a bit confused, as the snmp/script solution implies that a machine should log in, check the virtual interface status and then issue a command like shutdown, correct? Is this the only way to accomplish a QoS task!?

Thanks for your help,
Massimiliano

Peter Nixon wrote:
> This is not correct. You may use SNMP, or you may use a RADIUS Change of Authority/Packet of Disconnect request...
>
> Regards
> Peter
>
> On Wed 19 Sep 2007, Willie Yeo wrote:
>> You need SNMP to disconnect the link, not Radius. The only other way I can think of is, if you can use an external program/script to check the quota from your accounting records, then if that quota is reached the program sends SNMP to disconnect the user.
>>
>> On 18/09/2007, at 6:34 PM, Massimiliano Macrì wrote:
>>> I'm trying to close the connection of a pre-paid mobile user after he reached a limited amount of traffic (i.e. 100 megabytes); the network device is a Cisco router. I've found many ways to rate-limit the traffic bandwidth but not one to do this. Is radius the correct way to achieve this goal? Is it all about VSA?
RE: Interim-Updates
Thanks Peter, really appreciate it. I will add the links to the wiki on the pages as per your suggestion. However, I wouldn't add them to the wiki as that's only tricks and tips as you're mentioning, and they're not really part of the development. It needs to be kept separate for maintenance and bug fixes.

Thanks,
David

-Original Message-
From: Peter Nixon [mailto:[EMAIL PROTECTED]
Sent: 17 July 2007 23:11
To: FreeRadius users mailing list; David Roze
Subject: Re: Interim-Updates

On Tue 17 Jul 2007, David Roze wrote:
> Hi Peter and Stephan,
> I will update the page when I get a chance. It isn't the best way to proceed, you're right... One thing though, there's confusion between 2 pages with 2 different problems:
>
> Support for Gigawords in Mysql: I'm not using stored procedures, but adding an extra field for the Gigawords value. This will be changed with your solution.

Great. That's the main thing I wanted to see fixed.

> Daily accounting: This gives the ability to create a new record every time an interim-update is sent, so people can check accounting more frequently and do not need to wait until the session disconnects. Previous values need to be taken off the new received value to keep total accounting accurate (that's for Hugh's comment :) I use a stored procedure and I don't think I have another option to achieve this !??

Yes. I did read through this and see that you were doing something else also. I think you should be able to do it with a sub select in Postgresql, and AFAIK MySQL recently added support for them also. I could be wrong though, and I have nothing against stored procedures. (I use them extensively myself on postgres)

I think your solution is useful, but I would like to see you explain that we consider the lack of MySQL Gigaword support in FreeRADIUS 1.1.7 to be a bug which has been fixed :-) You may even wish to link to: http://wiki.freeradius.org/FAQ#Why_do_Acct-Input-Octets_and_Acct-Output-Octets_wrap_at_4_GB

I realise that you have your own site and content is a hard thing to come by, but if you like we would love to have any tips or tricks like this in the official FreeRADIUS wiki. Failing that, please feel free to add links to your articles at appropriate places in the wiki..

Regards
--
Peter Nixon
http://peternixon.net/
Re: Gigaword support
Hi,

Glad to know Gigawords support has been added in the CVS. The method with an extra field is quick and easy for most of us, but I agree it's always better not to change the backend structure... That's pretty much what I had to do to append accounting values at regular intervals: compute the values first. See http://www.netexpertise.eu/en/FreeRadius/DailyAcct.html

Thanks for your input
David
http://www.netexpertise.eu

> Hi,
>
>> Thank you! It would be nice if FreeRadius could have more support for Gigawords built in!
>
> FYI: CVS just got a commit that includes Gigawords support for the mySQL backend. It behaves pretty much like the one in postgresql, which, for the record, has had Gigawords support included since a long time ago. The behaviour is different from that in the quick-n-dirty HOWTO that was referenced in this thread: the correct octet value is computed out of the two attributes Acct-*-Gigawords and Acct-*-Octets and the result is saved in the Acct*Octets column in radacct. No separate column to catch the Gigawords is necessary. IOW: it just works now. If the client sends Gigawords, your accounting table will contain the 64-bit value.
>
> For FreeRADIUS 2.0, this obsoletes the steps "Mysql Table Modification" and "Freeradius Update" in http://www.netexpertise.eu/en/FreeRadius/GigaWords.html. I.e.: just configure your NAS, the server side will handle it just fine.
>
> Greetings,
> Stefan Winter
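Both points raised in the Interim-Updates thread above (taking the previous values off each newly received value for daily accounting) and in Stefan's description of how Acct-*-Gigawords and Acct-*-Octets are folded into one 64-bit count, as an added C example that is neither FreeRADIUS nor netexpertise code. acct_octets_64 builds the 64-bit value the way RFC 2869 defines Gigawords (number of times the 32-bit octet counter wrapped); interval_delta turns the cumulative count carried by an Interim-Update into the amount used since the previous stored update; interval_delta_32 goes one step beyond the page, handling a NAS that sends no Gigawords and whose 32-bit counter wrapped once between two updates. Function names and the sample updates are constructed for this example.

```c
/* Added example, not FreeRADIUS or netexpertise code: combine the Gigawords
 * and Octets accounting attributes into a 64-bit byte count, and derive
 * per-interval usage from the cumulative counts in successive Interim-Updates. */
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* RFC 2869: Acct-*-Gigawords counts how many times Acct-*-Octets wrapped
 * past 2^32, so the true count is gigawords * 2^32 + octets. */
uint64_t acct_octets_64(uint32_t gigawords, uint32_t octets) {
    return ((uint64_t)gigawords << 32) | (uint64_t)octets;
}

/* Interim-Update counts are cumulative for the whole session. A daily or
 * hourly record therefore stores the difference from the previously stored
 * cumulative value. If the new total is lower (a replayed or out-of-order
 * update, for instance) return 0 rather than a huge unsigned difference. */
uint64_t interval_delta(uint64_t prev_total, uint64_t new_total) {
    return new_total >= prev_total ? new_total - prev_total : 0;
}

/* Assumption of this example, not described on the page: for a NAS that
 * never sends Gigawords, a 32-bit counter that wrapped since the previous
 * update shows up as new < prev. This recovers the delta provided the counter
 * wrapped at most once per interval, which the NAS does not guarantee. */
uint64_t interval_delta_32(uint32_t prev_octets, uint32_t new_octets) {
    if (new_octets >= prev_octets)
        return (uint64_t)new_octets - (uint64_t)prev_octets;
    return ((uint64_t)1 << 32) - (uint64_t)prev_octets + (uint64_t)new_octets;
}

/* One session's input counters as seen in three successive updates. */
typedef struct {
    uint32_t in_gigawords;
    uint32_t in_octets;
} interim_update_t;

int main(void) {
    /* Constructed sample values, not captured traffic. */
    const interim_update_t updates[] = {
        { 0, 4000000000u },   /* 4.0 GB, still below the 32-bit limit   */
        { 1, 500000000u  },   /* counter wrapped once: 4294967296 + 5e8 */
        { 2, 100u        },   /* wrapped twice                          */
    };
    uint64_t prev = 0;

    for (size_t i = 0; i < sizeof updates / sizeof updates[0]; i++) {
        uint64_t total = acct_octets_64(updates[i].in_gigawords, updates[i].in_octets);
        printf("update %zu: cumulative=%" PRIu64 " bytes, this interval=%" PRIu64 " bytes\n",
               i, total, interval_delta(prev, total));
        prev = total;
    }

    /* Same first two updates seen by a NAS that sends only the 32-bit field. */
    printf("32-bit only, wrapped once: delta=%" PRIu64 " bytes\n",
           interval_delta_32(updates[0].in_octets, updates[1].in_octets));
    return 0;
}
```

Storing the combined 64-bit value, as the CVS change Stefan describes does, is what lets the per-interval subtraction stay correct across the 4 GB boundary; with only the 32-bit column, a delta computed in the database would go negative at the first wrap.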
Re: radiusd service hang
Hi Karthik,

I used to have the same problem in 2 different cases:
- When FreeRADIUS was installed on Redhat 9, it used to hang every 3 or 4 days as well, but you're on Redhat Ent3 so you should be fine
- When the connection to the MySQL server was dropping

Are you sure your connection to AD is reliable?

David - http://www.netexpertise.eu

- Original Message -
From: Karthik R
To: freeradius-users@lists.freeradius.org
Sent: Thursday, October 26, 2006 6:03 PM
Subject: radiusd service hang

> Am running freeradius on a RHELv3 box, to authenticate 802.11 users against AD. All of a sudden the 802.11 users can't get authenticated against AD, unless I reboot the radius service on the linux box. It looks like the radius service hangs at least once weekly for no reason; I couldn't find anything in the log file /var/log/messages. Is anyone facing this issue? Every time the user complains that wireless is not working, I have to restart the service manually. Any help would be appreciated.
RE: SQL Accounting oddness
Hi John,

I would try to run Mysql with error and warning logging, like

    --log-error=/var/log/mysql-errors --log-warnings

and check the logs. Have you also tried to copy the query sent from Radius and execute it manually? You might get your solution there.

David
--
http://www.netexpertise.eu

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Williams
Sent: 12 October 2006 08:26
To: 'FreeRadius users mailing list'
Subject: Spam:RE: SQL Accounting oddness

All the ports are open. The authentication packets and accounting packets are hitting the server ok. The authentication is being checked against the radcheck table in SQL and authenticates users. But the accounting information isn't being written to the radacct table, even though I can see freeradius sending it if I run radius in debug mode.

John

-Original Message-
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Sean
Sent: 11 October 2006 17:39
To: freeradius-users@lists.freeradius.org
Subject: RE: SQL Accounting oddness

Hi,

Check that you have all the ports used by FreeRadius open. It looks as if the accounting traffic is not getting through to the server. Let me know if I'm right.

Regards,
Sean Bracken
http://swarmhotspots.com
Daily accounting
Hi everyone,

I have seen a lot of people who are trying to get traffic accounting collected at regular intervals to generate graphs and view per day/month etc... I have made a few modifications in order to achieve this. You can see it at http://www.netexpertise.eu/en/FreeRadius/DailyAcct.html

It works on a Mysql setup but can be adapted to any db. I'd be grateful to get some feedback on this. A lot of ISPs are running into this problem.

Hope this helps
Regards,
David
Network of NAS
Hi everyone,

I have all my NAS in the same subnet and would like to add the whole range in the list of NAS, not every single IP. It seems it works when doing this in clients.conf, but not in the Mysql NAS table. Is this a bug or have I done something wrong?

clients.conf:

    client 10.230.0.0/24 {
        secret = secret
        shortname = test
    }

Mysql NAS table:

    Id  nasname        shortname      type   ports  secret  community
    7   10.230.0.0/24  10.230.0.0/24  cisco  NULL   secret  NULL

Thanks
David
RE: Network of NAS
Are you using version 1.1.0? I used other versions before but never tried to put the list of NAS in the database.

Thanks
David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan De Graeve
Sent: 09 March 2006 13:21
To: FreeRadius users mailing list
Subject: RE: Network of NAS

It works with me.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
+32 15/50.52.98
[EMAIL PROTECTED]
- Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite -

-Original Message-
From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of David Roze
Sent: Thursday 9 March 2006 13:36
To: FreeRadius users mailing list
Subject: Network of NAS

> Hi everyone,
>
> I have all my NAS in the same subnet and would like to add the whole range in the list of NAS, not every single IP. It seems it works when doing this in clients.conf, but not in the Mysql NAS table. Is this a bug or have I done something wrong?
>
> clients.conf:
>
>     client 10.230.0.0/24 {
>         secret = secret
>         shortname = test
>     }
>
> Mysql NAS table:
>
>     Id  nasname        shortname      type   ports  secret  community
>     7   10.230.0.0/24  10.230.0.0/24  cisco  NULL   secret  NULL
>
> Thanks
> David
RE: RADIUS Accounting
It should be sent every time they connect/disconnect. Don't think you can change it.

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernell Williams
Sent: 09 December 2005 04:16
To: FreeRadius users mailing list
Subject: Re: RADIUS Accounting

Madhuraka Godahewa wrote:
> Hi All,
>
> I have installed freeRADIUS 1.0.5 recently and configured it. It works perfectly for authenticating users connecting through a WLAN AP. I have a little problem with RADIUS accounting. I understand that the accounting requests should be sent by the NAS to the RADIUS server. My problem is how can we set the frequency of sending these accounting requests, that is, how often the NAS will send accounting requests to the RADIUS server? Can we configure that setting (frequency of sending the accounting requests) through freeRADIUS conf files or do we need to configure it through the configuration interface of the NAS?
>
> Thanking You.,
> Madhuraka Godahewa
> Telecommunications Engineer
> Research and Development Unit
> Electroteks Global Networks (Pvt.) Ltd.
> Mobile: + 94-777-647055

I use freeradius with MySQL. I am able to set the frequency of acct updates by setting the attribute Acct-Interim-Interval in the rad[group]reply table to the number of seconds between updates.